From: Bruce Cran
To: Bruce Evans
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Bruce Cran
Date: Wed, 23 Feb 2011 22:11:56 +0000
Subject: Re: svn commit: r218966 - head/sys/vm
Message-ID: <1298499116.9366.3.camel@core.nessbank>
In-Reply-To: <20110224063233.Y1100@besplex.bde.org>
References: <201102231028.p1NASbET045275@svn.freebsd.org> <20110224063233.Y1100@besplex.bde.org>

On Thu, 2011-02-24 at 08:23 +1100, Bruce Evans wrote:
> The bug seems to have been overflow in this calculation. `start' and
> `end' have type vm_offset_t and large style bugs (missing prefixes in
> their names) so they are hard to grep for. When n is 32 bits int and
> PAGE_SIZE is 2**12, the assignment to n overflows at a difference of 8TB,
> but this probably can't happen (see above). swap_bcnt still has type
> int; SWAP_META_PAGES is 1, 2, 4, 8 or 16; thus swp_bcount * SWAP_META_PAGES
> may overflow at 2**31/16 = 128 M. If this doesn't overflow, but has its
> maximal value of about 128 M, then multiplying it by "int n" may overflow
> when n is just 32. Then, if nothing has overflowed, division by
> object->size reduces to a relatively small count in pages. object->size
> seems to have type vm_pindex_t which is 64 bits even on i386 (since it
> is associated with vm_ooffset_t and not vm_offset_t, and vm_ooffset_t
> must be 64 bits to support files of sizes >= 2GB although vm_pindex_t only
> needs to be more than 32 bits to support files of sizes >= 8 TB (with
> PAGE_SIZE = 2**12). object->size has even larger bugs than `start' and
> `end', since it is more global.

I've attached a patch which changes 'n' to be of type vm_ooffset_t. I
think this should fix the overflow bug?

-- 
Bruce Cran

Attachment: vm.diff (text/x-patch)

Index: swap_pager.c
===================================================================
--- swap_pager.c	(revision 218966)
+++ swap_pager.c	(working copy)
@@ -2426,7 +2426,8 @@
 	vm_map_t map;
 	vm_map_entry_t cur;
 	vm_object_t object;
-	vm_offset_t count, n;
+	vm_ooffset_t n;
+	vm_offset_t count;
 
 	map = &vmspace->vm_map;
 	count = 0;
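Review bot: widening only `n` in the vm.diff declaration hunk does not remove the overflow the quoted analysis points at. `swp_bcount` is still an `int` and `SWAP_META_PAGES` an integer constant, so C evaluates `swp_bcount * SWAP_META_PAGES` in 32-bit `int` (wrapping at 2**31/16) before the now 64-bit `n` ever enters the expression; the type of `n` only matters once that partial product is already wrong. The use site is not part of the hunk, so this cannot be confirmed from the diff alone; suggest casting the first operand at the use site, e.g. `(vm_ooffset_t)swp_bcount * SWAP_META_PAGES * n`, and noting that `count` stays `vm_offset_t` (32 bits on i386), so a 64-bit quotient added to it is narrowed again unless `count` is widened as well or the total is bounded.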
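To make the arithmetic in the quoted analysis concrete, here is an added example (not code from this thread or from FreeBSD) that models the expression `swp_bcount * SWAP_META_PAGES * n / object->size` under three type layouts: the r218966 declarations, the vm.diff declarations, and a version that widens the first operand. It assumes i386 widths (vm_offset_t 32-bit, vm_ooffset_t 64-bit signed, vm_pindex_t 64-bit unsigned) and SWAP_META_PAGES = 16, the largest value the quoted text names.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed widths for the i386 case in the thread; local stand-ins, not the
 * typedefs from the real sys/types.h.  SWAP_META_PAGES = 16 is also assumed. */
typedef uint32_t vm_offset_t;
typedef int64_t  vm_ooffset_t;
typedef uint64_t vm_pindex_t;
#define SWAP_META_PAGES 16

/* Two's-complement result of an int*int product.  Signed overflow is undefined
 * in C, so the wrap is emulated in unsigned arithmetic (the narrowing cast is
 * implementation-defined, modular on gcc and clang). */
static int32_t mul_int_wrapped(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a * (uint32_t)b);
}

/* r218966 shape: n is a 32-bit vm_offset_t, so nothing before the division
 * by object->size is ever wider than 32 bits. */
static vm_pindex_t swap_count_before(int32_t swp_bcount, vm_offset_t n, vm_pindex_t size)
{
    int32_t meta = mul_int_wrapped(swp_bcount, SWAP_META_PAGES);
    vm_offset_t prod = (vm_offset_t)meta * n;   /* int * uint32 -> uint32 */
    return prod / size;                         /* uint32 / uint64 -> uint64 */
}

/* vm.diff shape: n is widened, but swp_bcount * SWAP_META_PAGES is still an
 * int*int product that has already wrapped by the time n is applied. */
static vm_pindex_t swap_count_vm_diff(int32_t swp_bcount, vm_ooffset_t n, vm_pindex_t size)
{
    int32_t meta = mul_int_wrapped(swp_bcount, SWAP_META_PAGES);
    vm_ooffset_t prod = (vm_ooffset_t)meta * n; /* 64-bit, but meta may be negative */
    return (vm_pindex_t)prod / size;            /* negative prod -> huge unsigned */
}

/* Casting the leftmost operand keeps every intermediate step in 64 bits. */
static vm_pindex_t swap_count_wide(int32_t swp_bcount, vm_ooffset_t n, vm_pindex_t size)
{
    vm_ooffset_t prod = (vm_ooffset_t)swp_bcount * SWAP_META_PAGES * n;
    return (vm_pindex_t)prod / size;
}

int main(void)
{
    int32_t bcount = INT32_C(1) << 27;  /* constructed: the 2**31/16 = 128 Mi threshold */
    printf("before %" PRIu64 ", vm.diff %" PRIu64 ", wide %" PRIu64 "\n",
        swap_count_before(bcount, 4, 2), swap_count_vm_diff(bcount, 4, 2), swap_count_wide(bcount, 4, 2));
    return 0;
}
```

Below the threshold all three agree; at it, only the widened form returns the true page count, and even that is lost again if the caller stores it in a 32-bit `count`.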