From: Kris Kennaway
Date: Tue, 20 Sep 2005 12:57:40 -0400
To: current@FreeBSD.org
Subject: integer overflow in bufinit() on large-memory machines
Message-ID: <20050920165740.GA60761@xor.obsecurity.org>
List-Id: Discussions about the use of FreeBSD-current

I have a sparc64 machine with 10GB of RAM that is hanging at boot in bufinit()
(also seen on other sparc64 machines with more than this amount of RAM).
Instrumenting the code shows that it's happening here:

        /*
         * To support extreme low-memory systems, make sure hidirtybuffers cannot
         * eat up all available buffer space. This occurs when our minimum cannot
         * be met. We try to size hidirtybuffers to 3/4 our buffer space assuming
         * BKVASIZE'd (8K) buffers.
         */
        while (hidirtybuffers * BKVASIZE > 3 * hibufspace / 4) {
                hidirtybuffers >>= 1;
        }
        lodirtybuffers = hidirtybuffers / 2;

because 3*hibufspace is overflowing the 32-bit int hibufspace (this code
was added a few years ago by dillon).

hidirtybuffers=18182 BKVASIZE=16384 hibufspace=1189625856

I tried making hibufspace into a long which allowed the system to boot,
but the system panicked shortly afterwards while I was doing a cvs diff:

> panic: vm_fault: fault on nofault entry, addr: 1e5884000
> db> wh
> Tracing pid 42 tid 100037 td 0xfffff802b13c57c0
> panic() at panic+0x164
> vm_fault() at vm_fault+0x21c
> trap_pfault() at trap_pfault+0x1a8
> trap() at trap+0x28c
> -- fast data access mmu miss tar=0x1e5884000 %o7=0xc02b12d8 --
> bcopy() at bcopy+0x9c
> ffs_sync() at ffs_sync+0x344
> sync_fsync() at sync_fsync+0x134
> VOP_FSYNC_APV() at VOP_FSYNC_APV+0xb4
> sync_vnode() at sync_vnode+0xfc
> sched_sync() at sched_sync+0x24c
> fork_exit() at fork_exit+0x94
> fork_trampoline() at fork_trampoline+0x8

and upon rebooting it seems that my disk has been destroyed:

Boot device: disk File and args:
>> FreeBSD/sparc64 boot block
Boot path: /sbus@3,0/SUNW,fas@3,8800000/sd@0,0:a
Boot loader: /boot/loader
File /boot/loader not found
Program terminated
{0} ok

I guess something else is really unhappy with hibufspace being that
large (or maybe there is some other variable overflowing).

Can anyone think of a solution?

Kris
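
Added example, not part of the original message and not FreeBSD code: a userland C model of the loop condition quoted above, run with the three values reported in the message, showing why the 32-bit comparison never becomes false and that the same comparison in 64-bit arithmetic does. The function names, wrap32() and the MAX_ITER cap are hypothetical; it models only this loop, not the later panic.

```c
#include <stdint.h>
#include <stdio.h>

#define BKVASIZE 16384  /* value reported in the message */
#define MAX_ITER 64     /* hypothetical cap so the demonstration always returns */

/* Reduce v to a 32-bit two's-complement int without signed overflow (UB in C). */
static int32_t wrap32(int64_t v)
{
    uint32_t u = (uint32_t)v;   /* modulo 2^32, well defined */
    return (u > (uint32_t)INT32_MAX) ? (int32_t)((int64_t)u - 4294967296LL) : (int32_t)u;
}

/* The sizing loop with each product wrapped as a 32-bit int would wrap.
 * Returns the number of halvings, or -1 if the loop never exits. */
static int sizing_loop_int32(int32_t hidirty, int32_t hibufspace, int32_t *out)
{
    int rc = -1;
    for (int i = 0; i < MAX_ITER; i++) {
        int32_t used = wrap32((int64_t)hidirty * BKVASIZE);
        int32_t limit = wrap32((int64_t)hibufspace * 3) / 4;
        if (used <= limit) { rc = i; break; }
        hidirty >>= 1;
    }
    *out = hidirty;
    return rc;
}

/* The same comparison evaluated in 64-bit arithmetic. */
static int sizing_loop_int64(int64_t hidirty, int64_t hibufspace, int64_t *out)
{
    int rc = -1;
    for (int i = 0; i < MAX_ITER; i++) {
        if (hidirty * BKVASIZE <= 3 * hibufspace / 4) { rc = i; break; }
        hidirty >>= 1;
    }
    *out = hidirty;
    return rc;
}

int main(void)
{
    int32_t h32; int64_t h64;
    int r32 = sizing_loop_int32(18182, 1189625856, &h32);
    int r64 = sizing_loop_int64(18182, 1189625856, &h64);
    printf("3*hibufspace as int32: %d\n", (int)wrap32(3LL * 1189625856));
    printf("int32: rc=%d hidirtybuffers=%d\n", r32, (int)h32);
    printf("int64: rc=%d hidirtybuffers=%lld\n", r64, (long long)h64);
}
```

In the 32-bit model the right-hand side is negative, so the condition stays true even after hidirtybuffers has been shifted down to 0, which matches a hang at this point in bufinit().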