Re: Linux inode.i_count overflow

Alan Cox (alan@LXORGUK.UKUU.ORG.UK)
Wed, 14 Jan 1998 17:49:34 +0000

> Member i_count in struct inode contains the usage count. It is of type
> unsigned short, which is only 16 bits long on i386. Unfortunately, it
> is not enough. You can make it overflow by mapping one file many
> times:

Making i_count unsigned long fixes this (I'm sure it's simple enough not to
need a patch). This should be in 2.0.34.

> To fix this bug simply change the i_count type to unsigned long.

Yep. You might want to fix a few printk() calls to fix formatting of
error reports, but that only causes a problem on machines where
sizeof(long)!=sizeof(int) - Alpha and UltraSPARC.

Bug#2

> typical Linux configuration. Although you can prevent users from eating
> resources this way by setting resource limits properly, this effect can
> be considered to be a Linux bug. Linux is protected to avoid
> allocating all process slots by normal users. There are reserved
> MIN_TASKS_LEFT_FOR_ROOT slots for root. So there should also be
> protection to avoid allocating all memory by normal users.

This seems to be a generic Unix bug. I brought down our SGI with that
program, and NetBSD also seems to jam solid. The general vulnerability
is going to be the same on all OSes (anyone got an NT port?), or want
to make a summary table.

There is a good argument for limiting the number of individual maps per
process - but if it's too low it will break stuff like emulators and
Electric Fence that use a lot of maps.

Alan
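The counter-width problem discussed in this thread, as an added example that is not part of Alan Cox's reply or of the Linux source: a constructed model of an inode whose usage count is a 16-bit unsigned short next to the widened unsigned long version. The hypothetical helpers take_refs_old(), take_refs_new() and refs_until_refused() simply count references in a loop; the iget_checked() name is an assumption used here for a saturating increment that refuses to wrap, which is the defensive alternative when a field cannot be widened. The printf() uses %lu because the widened field is a long, the formatting point raised above.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed models of the two layouts: the original 16-bit usage
 * count and the widened one the thread recommends. (Not real kernel code.) */
struct inode_old { unsigned short i_count; };
struct inode_new { unsigned long  i_count; };

/* Take 'uses' references on one inode (e.g. repeated mappings of one file)
 * with the 16-bit field and return what the field holds afterwards.
 * The increment silently wraps modulo 65536. */
unsigned long take_refs_old(unsigned long uses)
{
    struct inode_old ino = { 0 };
    for (unsigned long i = 0; i < uses; i++)
        ino.i_count++;
    return ino.i_count;
}

/* Same, with the widened field: the count stays accurate. */
unsigned long take_refs_new(unsigned long uses)
{
    struct inode_new ino = { 0 };
    for (unsigned long i = 0; i < uses; i++)
        ino.i_count++;
    return ino.i_count;
}

/* Hypothetical checked increment: refuse a reference that would wrap,
 * so a held inode can never read as unused. Returns false on refusal. */
bool iget_checked(unsigned short *count)
{
    if (*count == USHRT_MAX)
        return false;
    (*count)++;
    return true;
}

/* How many of 'attempts' references a checked 16-bit counter admits. */
unsigned long refs_until_refused(unsigned long attempts)
{
    unsigned short count = 0;
    unsigned long admitted = 0;
    for (unsigned long i = 0; i < attempts; i++) {
        if (!iget_checked(&count))
            break;
        admitted++;
    }
    return admitted;
}

int main(void)
{
    /* 65536 live references: the 16-bit field reads 0, the state that
     * inode reuse logic treats as "nobody is using this inode". */
    printf("old field after 65536 refs: %lu\n", take_refs_old(65536));
    printf("new field after 65536 refs: %lu\n", take_refs_new(65536));
    printf("checked counter admits:     %lu\n", refs_until_refused(100000));
    return 0;
}
```

Run stand-alone it prints 0, 65536 and 65535 respectively; the first line is the bug (a counter that reads zero while every one of those references is still held), the second is the fix from the thread, and the third shows the saturating fallback erroring out early instead of wrapping.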