kern/126158: [patch] [vm] integer overflow in vm_pageout.c

Dmitry Tejblum tejblum at yandex-team.ru
Fri Aug 1 11:50:03 UTC 2008


>Number:         126158
>Category:       kern
>Synopsis:       [patch] [vm] integer overflow in vm_pageout.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 01 11:50:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Tejblum
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
OOO Yandex
>Environment:
System: FreeBSD purple.yandex.net 7.0-STABLE FreeBSD 7.0-STABLE #12: Fri Aug 1 15:11:21 MSD 2008 root at purple.yandex.net:/usr/src/sys/i386/compile/PURPLE i386


>Description:

The function vm_pageout_page_stats() computes
(vm_pageout_stats_max * cnt.v_active_count) / cnt.v_page_count
at the start. The intention is to compute the (cnt.v_active_count / cnt.v_page_count)
fraction of vm_pageout_stats_max. But on machines with a relatively large amount of memory,
vm_pageout_stats_max * cnt.v_active_count easily overflows 32-bit numbers. Say, on some of our machines with 16G RAM,
cnt.v_active_count is about 3000000, and the default value of vm_pageout_stats_max is about 100000.

>How-To-Repeat:

>Fix:



--- sys/vm/vm_pageout.c	2008-07-28 19:15:05.000000000 +0400
+++ sys/vm/vm_pageout.c	2008-08-01 15:10:40.000000000 +0400
@@ -1284,7 +1284,7 @@
 	pcount = cnt.v_active_count;
 	fullintervalcount += vm_pageout_stats_interval;
 	if (fullintervalcount < vm_pageout_full_stats_interval) {
-		tpcount = (vm_pageout_stats_max * cnt.v_active_count) / cnt.v_page_count;
+		tpcount = ((int64_t)vm_pageout_stats_max * cnt.v_active_count) / cnt.v_page_count;
 		if (pcount > tpcount)
 			pcount = tpcount;
 	} else {
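Review bot: the `(int64_t)` cast on the `+` line widens only the intermediate product; the 64-bit quotient is then narrowed back into tpcount, whose type is not shown in the hunk. Because cnt.v_active_count can never exceed cnt.v_page_count, the quotient is bounded above by vm_pageout_stats_max and the implicit narrowing is safe, but a one-line comment stating that bound (e.g. "product may exceed 32 bits on large-memory machines; quotient <= vm_pageout_stats_max") would make the intent obvious to the next reader. Since the visible `if (pcount > tpcount) pcount = tpcount;` caps the scan count at tpcount, a wrapped product silently shrinks the number of pages examined rather than failing loudly, which is worth noting in the commit message. The `else` branch that follows is not shown; it should be checked for the same product before committing.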
>Release-Note:
>Audit-Trail:
>Unformatted:
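The following is an added example and not part of the PR or of the FreeBSD source. It reproduces the arithmetic the report describes with constructed values in the range the submitter gives (16G of 4 KiB pages is about 4194304 pages; the PR reports cnt.v_active_count near 3000000 and vm_pageout_stats_max near 100000), and shows the wrapped 32-bit result next to the widened computation from the patch. The function names, the use of uint32_t to make the wrap-around reproducible, and the page count are assumptions of this example, not values read from a kernel.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values, illustrative only (see lead-in): a 16 GB machine with
 * 4 KiB pages has 16 * 2^30 / 2^12 = 4194304 pages. */
#define STATS_MAX    100000   /* ~ default vm_pageout_stats_max per the PR */
#define ACTIVE_COUNT 3000000  /* ~ cnt.v_active_count per the PR */
#define PAGE_COUNT   4194304  /* assumed cnt.v_page_count for 16 GB */

/* Original expression with the product evaluated in 32-bit arithmetic.
 * uint32_t is used so the wrap is defined behaviour and reproducible; in
 * the kernel the operands are int-sized counters and signed overflow is
 * undefined, so the real result is whatever the compiler happens to emit. */
int tpcount_narrow(uint32_t stats_max, uint32_t active, uint32_t pages)
{
    uint32_t product = stats_max * active;   /* wraps modulo 2^32 */
    return (int)(product / pages);
}

/* Patched expression: widen one operand first so the whole product is
 * computed in 64 bits, then divide. */
int tpcount_wide(int stats_max, int active, int pages)
{
    return (int)(((int64_t)stats_max * active) / pages);
}

/* True when the un-widened product would not fit in a signed 32-bit int. */
int product_overflows_32bit(int stats_max, int active)
{
    return (int64_t)stats_max * active > INT32_MAX;
}

/* The hunk caps pcount at tpcount; this shows how much of the active list
 * is scanned under each variant. */
int capped_pcount(int active, int tpcount)
{
    return active > tpcount ? tpcount : active;
}

int main(void)
{
    int narrow = tpcount_narrow(STATS_MAX, ACTIVE_COUNT, PAGE_COUNT);
    int wide   = tpcount_wide(STATS_MAX, ACTIVE_COUNT, PAGE_COUNT);

    printf("product overflows 32 bits: %s\n",
           product_overflows_32bit(STATS_MAX, ACTIVE_COUNT) ? "yes" : "no");
    printf("tpcount, 32-bit product : %d (pcount capped to %d)\n",
           narrow, capped_pcount(ACTIVE_COUNT, narrow));
    printf("tpcount, 64-bit product : %d (pcount capped to %d)\n",
           wide, capped_pcount(ACTIVE_COUNT, wide));
    return 0;
}
```

With these inputs the product is 3e11, well past 2^32, so the 32-bit version wraps to 3647256576 and yields a tpcount of 869, while the widened version yields 71525 (about 71.5% of vm_pageout_stats_max, matching the 3000000/4194304 active fraction). Because 2^32 is a multiple of the assumed page count, the wrapped quotient differs from the correct one by an exact multiple of 2^32 / PAGE_COUNT; with a page count that is not a power of two the wrapped value is simply garbage.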