NetBSD Problem Report #31557

From ura@hiru.aoba.yokohama.jp  Tue Oct 11 18:23:04 2005
Return-Path: <ura@hiru.aoba.yokohama.jp>
Received: from hazuki.hiru.aoba.yokohama.jp (uzuki.hiru.aoba.yokohama.jp [211.11.227.114])
	by narn.netbsd.org (Postfix) with ESMTP id 53FF763B878
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 11 Oct 2005 18:23:03 +0000 (UTC)
Message-Id: <20051011182246.56C9A1C8891@hazuki.hiru.aoba.yokohama.jp>
Date: Wed, 12 Oct 2005 03:22:46 +0900 (JST)
From: ura@hiru.aoba.yokohama.jp
Reply-To: ura@hiru.aoba.yokohama.jp
To: gnats-bugs@netbsd.org
Subject: vmstat(1) shows bogus values when the member of 'struct uvmexp' is bigger than INT_MAX
X-Send-Pr-Version: 3.9-

>Number:         31557
>Category:       bin
>Synopsis:       vmstat(1) shows bogus values when the member of 'struct uvmexp' is bigger than INT_MAX
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Oct 11 18:24:00 +0000 2005
>Last-Modified:  Sun Mar 20 04:40:00 +0000 2016
>Originator:     URA Hiroshi
>Release:        NetBSD 2.0_STABLE
>Organization:
>Environment:
System: NetBSD hazuki.hiru.aoba.yokohama.jp 2.0_STABLE NetBSD 2.0_STABLE (GATEWAY) #5: Tue Feb 1 17:23:06 JST 2005 ura@hazuki.hiru.aoba.yokohama.jp:/usr/src/sys/arch/i386/compile/GATEWAY i386
Architecture: i386
Machine: i386
>Description:
vmstat(1) shows bogus values when the member of 'struct uvmexp'
(i.e. uvmexp.faults, uvmexp.intrs, uvmexp.syscalls, and so on)
is bigger than INT_MAX.

Running 'vmstat -s' produces:
2385609202 software interrupts
2501490599 system calls

On i386, the two values above are bigger than INT_MAX because INT_MAX
is 2147483647 (0x7fffffff). At this time, vmstat(1) shows bogus values.

 $ vmstat
 procs    memory      page                       disks      faults      cpu
 r b w    avm    fre  flt  re  pi   po   fr   sr f0 m0 w0   in   sy  cs us sy id
 0 8 0 575976   7700   31   0   0    0    0    0  0  0  1 4294967139 4294967147  52  0  1 99

>How-To-Repeat:
Run 'vmstat', observe that the member of 'struct uvmexp' is bigger
than INT_MAX.

>Fix:
It seems that the members of 'struct uvmexp' should be 'unsigned int'
instead of 'int'.

>Audit-Trail:
From: Andreas Gustafsson <gson@gson.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/31557: vmstat(1) shows bogus values when the member of 'struct uvmexp' is bigger than INT_MAX
Date: Fri, 18 Mar 2016 15:15:31 +0200

 This issue still exists in 7.0.  On amd64, after 15 days of uptime:

   guido ~ $ vmstat -s | grep 1844
   18446744073377659897 pagealloc zero wanted and not avail
   18446744071575073291 pagealloc desired color not avail
   18446744073651766539 pagealloc local cpu avail
   18446744071668371373 pagealloc local cpu not avail
   18446744073295453023 faults relock (18446744073295759792 ok)
   18446744073251079458 neighbour object page faults
   18446744073294704034 unlocked pager get faults

 -- 
 Andreas Gustafsson, gson@gson.org

From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/31557: vmstat(1) shows bogus values when the member of
 'struct uvmexp' is bigger than INT_MAX
Date: Sun, 20 Mar 2016 04:36:40 +0000

 On Fri, Mar 18, 2016 at 01:20:01PM +0000, Andreas Gustafsson wrote:
  > From: Andreas Gustafsson <gson@gson.org>
  > To: gnats-bugs@NetBSD.org
  > Cc: 
  > Subject: Re: bin/31557: vmstat(1) shows bogus values when the member of 'struct uvmexp' is bigger than INT_MAX
  > Date: Fri, 18 Mar 2016 15:15:31 +0200
  > 
  >  This issue still exists in 7.0.  On amd64, after 15 days of uptime:
  >  
  >    guido ~ $ vmstat -s | grep 1844
  >    18446744073377659897 pagealloc zero wanted and not avail
  >    18446744071575073291 pagealloc desired color not avail
  >    18446744073651766539 pagealloc local cpu avail
  >    18446744071668371373 pagealloc local cpu not avail
  >    18446744073295453023 faults relock (18446744073295759792 ok)
  >    18446744073251079458 neighbour object page faults
  >    18446744073294704034 unlocked pager get faults

 The problem is that everything in struct uvmexp_sysctl is 64 bits wide
 (explicit int64_t) but many of the source values in the real struct
 uvmexp, including the ones that lead to these prints, are of type
 "int", so that (a) they overflow and then (b) get sign-extended on the
 way out of the kernel. (And then vmstat prints all the signed int64_t
 values as unsigned.)

 One could insert the correct casting in sysctl_vm_uvmexp2 (in
 uvm_meter.c) but this will only prevent the sign extension, not the
 overflows. Given that signed integer overflows are formally UB, this
 should really be fixed properly by widening offending members of
 struct uvmexp.

 The problem with *that* is that IIRC there are still kmem grovelers
 that will break; they aren't all using the sysctl and struct
 uvmexp_sysctl yet. (There are a few of these in third-party code in
 pkgsrc, too; they all ought to be patched.)

 I think a good first step would be to hide struct uvmexp from userland
 and fix what that breaks...

 -- 
 David A. Holland
 dholland@netbsd.org
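
The chain described in the reply above (an int counter wraps, is sign-extended into an int64_t export field, and is then printed as unsigned), as an added example that is not NetBSD source. The function names are hypothetical, a 32-bit int is assumed, and the input 2385609202 is the "software interrupts" count from the original report.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: what a 32-bit 'int' counter holds once the true
 * event count is 'true_count'. The wrap is done in unsigned arithmetic so
 * the demo itself does not rely on signed-overflow UB; the final conversion
 * to int is implementation-defined and wraps on common compilers. */
static int store_in_int(uint64_t true_count)
{
    return (int)(uint32_t)true_count;
}

/* Copying the int into a 64-bit signed field: the sign bit is extended. */
static int64_t export_sign_extended(int v)
{
    return (int64_t)v;
}

/* Copy with a cast through unsigned int: no sign extension, but any bits
 * already lost to the 32-bit wrap stay lost. */
static int64_t export_with_cast(int v)
{
    return (int64_t)(unsigned int)v;
}

/* The consumer prints the signed 64-bit value as unsigned. */
static uint64_t as_printed(int64_t v)
{
    return (uint64_t)v;
}

int main(void)
{
    int stored = store_in_int(2385609202ULL);   /* above INT_MAX */
    printf("stored int:        %d\n", stored);
    printf("sign-extended out: %" PRIu64 "\n",
           as_printed(export_sign_extended(stored)));
    printf("cast through uint: %" PRIu64 "\n",
           as_printed(export_with_cast(stored)));

    /* Past 2^32 events the cast no longer helps: the high bits are gone. */
    int wrapped = store_in_int(4294967296ULL + 5);
    printf("true 4294967301 -> %" PRIu64 "\n",
           as_printed(export_with_cast(wrapped)));
    return 0;
}
```
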
