Subject: [1/2] ras: fix an off-by-one error in __find_elem()
From: "Luck, Tony"
Message-Id: <20190417015351.GA28490@agluck-desk>
Date: Tue, 16 Apr 2019 18:53:51 -0700
To: Cong Wang
Cc: Borislav Petkov, LKML, linux-edac@vger.kernel.org, Thomas Gleixner

On Tue, Apr 16, 2019 at 04:47:55PM -0700, Cong Wang wrote:
> static void del_elem(struct ce_array *ca, int idx)
> {
>         /* Save us a function call when deleting the last element. */
>         if (ca->n - (idx + 1))
>                 memmove((void *)&ca->array[idx],
>                         (void *)&ca->array[idx + 1],
>                         (ca->n - (idx + 1)) * sizeof(u64));
>
>         ca->n--;
> }
>
> idx is ca->n and ca->n is MAX_ELEMS-1, then the above if statement
> becomes true, therefore idx+1 is MAX_ELEMS which is just beyond
> the valid range.

Is that really the memmove() where we die?  It looks like
it has a special case for dealing with the last element.

But this:

        ret = find_elem(ca, pfn, &to);
        if (ret < 0) {
                /*
                 * Shift range [to-end] to make room for one more element.
                 */
                memmove((void *)&ca->array[to + 1],
                        (void *)&ca->array[to],
                        (ca->n - to) * sizeof(u64));

looks like it also needs a special case for when "to == MAX_ELEMS-1"
(we don't need to memmove).

-Tony
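
The two memmove() shifts quoted in this message, written with the bounds each one depends on made explicit. This is an added example, not code from the kernel or from anyone in the thread; struct demo_array, MAX_ELEMS = 8 and all function names are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ELEMS 8     /* assumption: small capacity for the demo */

struct demo_array {     /* hypothetical stand-in for struct ce_array */
        uint64_t array[MAX_ELEMS];
        unsigned int n; /* number of valid entries */
};

/* Highest index the shift of [to, n) writes (it equals n), or -1 if nothing moves. */
static int shift_up_last_index(unsigned int n, unsigned int to)
{
        return n > to ? (int)n : -1;
}

/* Insert val at 'to'; -1 if the array is full or 'to' is past the end. */
static int insert_at(struct demo_array *ca, unsigned int to, uint64_t val)
{
        if (ca->n >= MAX_ELEMS || to > ca->n)
                return -1;
        if (ca->n - to) /* appending moves nothing */
                memmove(&ca->array[to + 1], &ca->array[to],
                        (ca->n - to) * sizeof(uint64_t));
        ca->array[to] = val;
        ca->n++;
        return 0;
}

/* Delete entry idx; -1 if idx is not a valid entry (this includes idx == n). */
static int delete_at(struct demo_array *ca, unsigned int idx)
{
        if (idx >= ca->n)
                return -1;
        if (ca->n - (idx + 1))  /* last entry: nothing to move */
                memmove(&ca->array[idx], &ca->array[idx + 1],
                        (ca->n - (idx + 1)) * sizeof(uint64_t));
        ca->n--;
        return 0;
}

int main(void)
{
        struct demo_array ca = { .n = 0 };
        for (unsigned int i = 0; i < MAX_ELEMS; i++)
                insert_at(&ca, 0, 100 - i);     /* constructed sample values */
        printf("insert into full: %d, delete idx == n: %d\n",
               insert_at(&ca, 3, 42), delete_at(&ca, ca.n));
        return 0;
}
```

Because the upward shift always writes through index n, the capacity check in insert_at() is what keeps it inside the array, whatever the value of 'to'.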