kern/126158: [patch] [vm] integer overflow in vm_pageout.c
Dmitry Tejblum
tejblum at yandex-team.ru
Fri Aug 1 11:50:03 UTC 2008
>Number: 126158
>Category: kern
>Synopsis: [patch] [vm] integer overflow in vm_pageout.c
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 01 11:50:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Dmitry Tejblum
>Release: FreeBSD 7.0-STABLE i386
>Organization:
OOO Yandex
>Environment:
System: FreeBSD purple.yandex.net 7.0-STABLE FreeBSD 7.0-STABLE #12: Fri Aug 1 15:11:21 MSD 2008 root at purple.yandex.net:/usr/src/sys/i386/compile/PURPLE i386
>Description:
The function vm_pageout_page_stats() computes
(vm_pageout_stats_max * cnt.v_active_count) / cnt.v_page_count
at the start. The intention is to compute the fraction (cnt.v_active_count / cnt.v_page_count)
of vm_pageout_stats_max. But on a machine with a relatively large amount of memory,
vm_pageout_stats_max * cnt.v_active_count easily overflows a 32-bit integer. For example, on some of our machines with 16G RAM,
cnt.v_active_count is about 3000000, and the default value of vm_pageout_stats_max is about 100000.
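To make the wrap concrete with the numbers from the description, here is an added C example (not from the PR or the kernel tree) that evaluates the old and new forms of the expression side by side; it assumes the u_int/int operand types of FreeBSD 7's struct vmmeter and a constructed v_page_count of 4000000.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/*
 * Added illustration, not code from the report or the kernel. It mirrors
 * the tpcount expression from vm_pageout_page_stats() before and after the
 * proposed patch. Assumption: as in FreeBSD 7's struct vmmeter, the cnt.*
 * counters are u_int and vm_pageout_stats_max is an int, so the unpatched
 * product is a 32-bit unsigned multiply that silently wraps modulo 2^32.
 */

/* Unpatched expression: the product wraps once it exceeds UINT_MAX. */
static unsigned int tpcount_before(int stats_max, unsigned int active,
                                   unsigned int pages)
{
    return (stats_max * active) / pages;
}

/* Patched expression: widening one operand makes the whole product 64-bit. */
static int64_t tpcount_after(int stats_max, unsigned int active,
                             unsigned int pages)
{
    return ((int64_t)stats_max * active) / pages;
}

/* Sanity check a reviewer might want: does the 32-bit product wrap for
 * these counter values? (stats_max is assumed non-negative.) */
static int product_wraps(int stats_max, unsigned int active)
{
    return (uint64_t)stats_max * active > UINT_MAX;
}

/* Constructed values taken from the report: ~3e6 active pages and a
 * stats_max of ~1e5; v_page_count is an assumed 4e6 (16 GB of 4 KB pages). */
#define REPORT_ACTIVE    3000000u
#define REPORT_PAGES     4000000u
#define REPORT_STATS_MAX 100000

int main(void)
{
    printf("wraps: %d\n", product_wraps(REPORT_STATS_MAX, REPORT_ACTIVE));
    printf("before: %u pages\n",
           tpcount_before(REPORT_STATS_MAX, REPORT_ACTIVE, REPORT_PAGES));
    printf("after:  %lld pages\n",
           (long long)tpcount_after(REPORT_STATS_MAX, REPORT_ACTIVE, REPORT_PAGES));
    return 0;
}
```

With the report's numbers the unpatched form yields 911 where 75000 was intended, so pcount is capped far lower than meant.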
>How-To-Repeat:
>Fix:
--- sys/vm/vm_pageout.c 2008-07-28 19:15:05.000000000 +0400
+++ sys/vm/vm_pageout.c 2008-08-01 15:10:40.000000000 +0400
@@ -1284,7 +1284,7 @@
pcount = cnt.v_active_count;
fullintervalcount += vm_pageout_stats_interval;
if (fullintervalcount < vm_pageout_full_stats_interval) {
- tpcount = (vm_pageout_stats_max * cnt.v_active_count) / cnt.v_page_count;
+ tpcount = ((int64_t)vm_pageout_stats_max * cnt.v_active_count) / cnt.v_page_count;
if (pcount > tpcount)
pcount = tpcount;
} else {
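Review bot: the widening on the `+ tpcount =` line is correct and minimal: casting only vm_pageout_stats_max to int64_t promotes the whole product under the usual arithmetic conversions, and because cnt.v_active_count cannot exceed cnt.v_page_count the quotient is at most vm_pageout_stats_max, so storing it back into tpcount and comparing it with pcount on the following `if (pcount > tpcount)` line cannot overflow. A one-line comment at that assignment saying the 64-bit intermediate is needed to avoid the wrap in the removed `-` line would protect it from a future "simplification" that drops the cast.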
>Release-Note:
>Audit-Trail:
>Unformatted: