public inbox for linux-kernel@vger.kernel.org
* Programs die when max_map_count is too large
@ 2009-11-26 15:01 Jan Engelhardt
  2009-11-26 16:16 ` Américo Wang
  0 siblings, 1 reply; 4+ messages in thread
From: Jan Engelhardt @ 2009-11-26 15:01 UTC (permalink / raw)
  To: Linux Kernel Mailing List

Hi,


setting max_map_count to a value large enough results in programs dying 
at first try.
This is on 2.6.31.6.

15:59 borg:/proc/sys/vm # echo $[1<<31-1] >max_map_count 
15:59 borg:/proc/sys/vm # cat max_map_count
1073741824
15:59 borg:/proc/sys/vm # echo $[1<<31] >max_map_count 
15:59 borg:/proc/sys/vm # cat max_map_count
Killed


thanks,
Jan


* Re: Programs die when max_map_count is too large
  2009-11-26 15:01 Programs die when max_map_count is too large Jan Engelhardt
@ 2009-11-26 16:16 ` Américo Wang
  0 siblings, 0 replies; 4+ messages in thread
From: Américo Wang @ 2009-11-26 16:16 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Linux Kernel Mailing List

On Thu, Nov 26, 2009 at 04:01:08PM +0100, Jan Engelhardt wrote:
>Hi,
>
>
>setting max_map_count to a value large enough results in programs dying 
>at first try.
>This is on 2.6.31.6.
>
>15:59 borg:/proc/sys/vm # echo $[1<<31-1] >max_map_count 
>15:59 borg:/proc/sys/vm # cat max_map_count
>1073741824
>15:59 borg:/proc/sys/vm # echo $[1<<31] >max_map_count 
>15:59 borg:/proc/sys/vm # cat max_map_count
>Killed
>

Hmm, a quick patch from me is below.

IMO, the problem is 'sysctl_max_map_count' is actually signed int,
while when writing to it, the value is treated as unsigned.

A better fix which I could imagine is to fix sysctl to understand
signed int's.

Just have a try, totally untested.


--------------->



Signed-off-by: WANG Cong <xiyou.wangcong@gmail.com>

---
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 84a524a..4161887 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -214,7 +214,7 @@ struct mm_struct {
 	pgd_t * pgd;
 	atomic_t mm_users;			/* How many users with user space? */
 	atomic_t mm_count;			/* How many references to "struct mm_struct" (users count as 1) */
-	int map_count;				/* number of VMAs */
+	unsigned int map_count;			/* number of VMAs */
 	struct rw_semaphore mmap_sem;
 	spinlock_t page_table_lock;		/* Protects page tables and some counters */
 
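Review bot: making `map_count` unsigned on this line changes how every existing comparison and decrement of the field behaves, and nothing in the patch shows that its users were audited. A decrement below zero would now wrap to a huge count instead of going negative, and any comparison against a signed value is silently converted to unsigned. Either list the audited users in the changelog (which is currently empty apart from the Signed-off-by), or leave the counter as `int` and reject bad values at the point where the limit is written.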
diff --git a/mm/mmap.c b/mm/mmap.c
index 73f5e4b..3adf2e7 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -85,7 +85,7 @@ EXPORT_SYMBOL(vm_get_page_prot);
 
 int sysctl_overcommit_memory = OVERCOMMIT_GUESS;  /* heuristic overcommit */
 int sysctl_overcommit_ratio = 50;	/* default is 50% */
-int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
+unsigned int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
 struct percpu_counter vm_committed_as;
 
 /*
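Review bot: the definition of `sysctl_max_map_count` changes type here, but the patch touches only mm_types.h, mmap.c and nommu.c, so the declaration that other files see and the sysctl table entry that writes the variable are left as they were. The declaration needs to become `extern unsigned int sysctl_max_map_count;` in the same patch or the types conflict. As long as the table entry keeps a signed-int handler (`proc_dointvec`, per the follow-up patch in this thread), writing 2147483648 would store the same bit pattern, which then reads as a very large limit instead of being rejected.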
diff --git a/mm/nommu.c b/mm/nommu.c
index 9876fa0..bf9ae62 100644
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -65,7 +65,7 @@ unsigned long highest_memmap_pfn;
 struct percpu_counter vm_committed_as;
 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
 int sysctl_overcommit_ratio = 50; /* default is 50% */
-int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
+unsigned int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
 int heap_stack_gap = 0;
 
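Review bot: the context lines of this hunk show `sysctl_overcommit_ratio`, `sysctl_nr_trim_pages` and `heap_stack_gap` staying plain `int` next to the one variable being converted, so this changes the type of a single knob rather than the write path that the message above blames. If the parsing is the root cause, a bound on the sysctl table entry covers the reported case without a type change. As a style point, this definition lacks the `__read_mostly` annotation that the mm/mmap.c copy carries, which is worth making consistent while the line is being touched.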


* Re: Programs die when max_map_count is too large
@ 2009-11-26 16:48 Alexey Dobriyan
  2009-11-27  6:30 ` Américo Wang
  0 siblings, 1 reply; 4+ messages in thread
From: Alexey Dobriyan @ 2009-11-26 16:48 UTC (permalink / raw)
  To: xiyou.wangcong; +Cc: jengelh, linux-kernel

> IMO, the problem is 'sysctl_max_map_count' is actually signed int,
> while when writing to it, the value is treated as unsigned.

The problem is the loop in simple_strtoul(); some people were so afraid
to touch it that they even came up with strict_* variants.

> A better fix which I could imagine is to fix sysctl to understand
> signed int's.

	-	int map_count;
	+	unsigned int map_count;

This is incomplete at least.


* Re: Programs die when max_map_count is too large
  2009-11-26 16:48 Alexey Dobriyan
@ 2009-11-27  6:30 ` Américo Wang
  0 siblings, 0 replies; 4+ messages in thread
From: Américo Wang @ 2009-11-27  6:30 UTC (permalink / raw)
  To: Alexey Dobriyan; +Cc: jengelh, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 920 bytes --]

On Fri, Nov 27, 2009 at 12:48 AM, Alexey Dobriyan <adobriyan@gmail.com> wrote:
>> IMO, the problem is 'sysctl_max_map_count' is actually signed int,
>> while when writing to it, the value is treated as unsigned.
>
> The problem is the loop in simple_strtoul(); some people were so afraid
> to touch it that they even came up with strict_* variants.
>
>> A better fix which I could imagine is to fix sysctl to understand
>> signed int's.
>
>        -       int map_count;
>        +       unsigned int map_count;
>
> This is incomplete at least.
>

Yeah, perhaps.

I got a better fix, but only for max_map_count. Please check it below.

(Sorry for attaching it, gmail's IMAP sucks.)

----------------->

Make negative values for 'max_map_count' invalid, they are meaningless.
And avoid overflow.

I already tested this.

Signed-off-by: WANG Cong <xiyou.wangcong@gmail.com>
-------

[-- Attachment #2: kernel-sysctl-max-map-count-overflow.diff --]
[-- Type: text/plain, Size: 392 bytes --]

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 0d949c5..212360e 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1245,7 +1245,8 @@ static struct ctl_table vm_table[] = {
 		.data		= &sysctl_max_map_count,
 		.maxlen		= sizeof(sysctl_max_map_count),
 		.mode		= 0644,
-		.proc_handler	= &proc_dointvec
+		.proc_handler	= &proc_dointvec_minmax,
+		.extra1		= &zero,
 	},
 #else
 	{
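Review bot: only a lower bound is set here (`.extra1 = &zero`) and there is no `.extra2`, so the "avoid overflow" in the commit message has to come from an oversized input turning into a negative int and then failing the minimum check, not from an explicit maximum. Consider adding an `.extra2` bound so the accepted range is stated in the table, and say in the changelog whether 0 is meant to be a valid limit, since `&zero` as the minimum admits it.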


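The failure discussed in this thread, as an added user-space example that is not part of any posted message or of the kernel source: it models writing 1<<31 into a signed limit with and without a lower-bound check. The function names, the starting value and the `count <= limit` check are assumptions made for illustration, and the int conversion assumes two's complement wrapping.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of an unbounded integer write: the digits are parsed as an
 * unsigned value and stored into a signed int (assumed two's complement). */
static void store_unbounded(const char *buf, int *limit)
{
	*limit = (int)(unsigned int)strtoull(buf, NULL, 10);
}

/* Model of the same write with a lower bound only (as with extra1 = &zero):
 * the converted value is rejected when it is below min. */
static int store_min_bounded(const char *buf, int *limit, int min)
{
	int v = (int)(unsigned int)strtoull(buf, NULL, 10);

	if (v < min)
		return -1;	/* stands in for an error return; limit unchanged */
	*limit = v;
	return 0;
}

/* Hypothetical limit check: refuse a new mapping once the count exceeds
 * the limit. A negative limit refuses every request. */
static int may_add_mapping(int map_count, int limit)
{
	return map_count <= limit;
}

int main(void)
{
	int limit = 65536;	/* constructed starting value */
	int rc;

	store_unbounded("2147483648", &limit);	/* 1<<31, as in the report */
	printf("unbounded:   limit=%d first_mapping_ok=%d\n",
	       limit, may_add_mapping(1, limit));

	limit = 65536;
	rc = store_min_bounded("2147483648", &limit, 0);
	printf("min-bounded: rc=%d limit=%d first_mapping_ok=%d\n",
	       rc, limit, may_add_mapping(1, limit));

	/* In this model a lower bound alone misses values that wrap past 2^32. */
	rc = store_min_bounded("4294967301", &limit, 0);
	printf("wrap past 2^32: rc=%d limit=%d\n", rc, limit);
	return 0;
}
```
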