Re: [PATCH 1/3] x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error

[Bjorn Helgaas <helgaas@kernel.org>]

On Mon, Oct 15, 2018 at 12:51:38PM +0800, Dave Young wrote:
> On 09/30/18 at 05:27pm, Dave Young wrote:
> > On 09/30/18 at 05:21pm, Dave Young wrote:
> > > On 09/27/18 at 09:21am, Bjorn Helgaas wrote:
> > > > From: Bjorn Helgaas <bhelgaas@google.com>
> > > > 
> > > > The only use of KEXEC_BACKUP_SRC_END is as an argument to
> > > > walk_system_ram_res():
> > > > 
> > > >   int crash_load_segments(struct kimage *image)
> > > >   {
> > > >     ...
> > > >     walk_system_ram_res(KEXEC_BACKUP_SRC_START, KEXEC_BACKUP_SRC_END,
> > > >                         image, determine_backup_region);
> > > > 
> > > > walk_system_ram_res() expects "start, end" arguments that are inclusive,
> > > > i.e., the range to be walked includes both the start and end addresses.
> > > 
> > > Looking at the function comment of find_next_iomem_res,  the res->end
> > > should be exclusive, am I missing something?
> > 
> > Oops,  you fix it in 2nd patch, I apparently miss that.
> > 
> > Since the fix of checking the end is in another patch, probably merge
> > these two patches so that they are in one patch to avoid break bisect. 
> 
> Not sure if above comment was missed, Boris, would you mind to fold the
> patch 1 and 2?

Sorry, I did miss this comment.

Patch 2 was for the very specific case of a single-byte resource at
the end address, which we probably never see in practice.

For patch 1, the find_next_iomem_res() function comment had
"[res->start.res->end)", but I think the code actually treated it as
"[res->start.res->end]", so the comment was inaccurate.

Before my patches we had:

  #define KEXEC_BACKUP_SRC_START  (0UL)
  #define KEXEC_BACKUP_SRC_END    (640 * 1024UL)    # 0xa0000

The intention is to search for system RAM resources that intersect
this region:

  [mem 0x0-0x9ffff]

The call is:

  walk_system_ram_res(KEXEC_BACKUP_SRC_START, KEXEC_BACKUP_SRC_END,
                      ..., determine_backup_region);
  walk_system_ram_res(0, 0xa0000, ..., determine_backup_region);

Assume iomem_resource contains this system RAM resource:

  [mem 0x90000-0xaffff]

In find_next_iomem_res(), the "res" input parameter is the region to
search:

  res->start = 0;                          # KEXEC_BACKUP_SRC_START
  res->end   = 0xa0000;                    # KEXEC_BACKUP_SRC_END

In one of the loop iterations we find the [mem 0x90000-0xaffff]
resource (p):

  p->start = 0x90000;
  p->end   = 0xaffff;

  if (p->start > end)                      # 0x90000 > 0xa0000? false
  if (p->end >= start && p->start < end)   # 0xaffff >= 0 ? true
                                           # 0x90000 < 0xa0000 ? true
    break;                                 # so we'll return part of "p"

  if (res->start < p->start)               # 0x0 < 0x90000 ? true
    res->start = 0x90000;                  # trim beginning to p->start
  if (res->end > p->end)                   # 0xa0000 > 0xaffff ? false

So find_next_iomem_res() returns with this:

  res->start = 0x90000;                    # trimmed to p->start
  res->end   = 0xa0000;                    # unchanged from input

  [mem 0x90000-0xa0000]                    # returned resource (res)

and we call determine_backup_region(res), which sets:

  image->arch.backup_src_start = 0x90000;
  image->arch.backup_src_sz = resource_size(res)  # 0xa0000 - 0x90000 + 1
                                                  # (0x10001)

This is incorrect.  What we wanted was the part of [mem 0x90000-0xaffff]
that intersects the first 640K, i.e., [mem 0x90000-0x9ffff], but what
we got was [mem 0x90000-0xa0000], which is one byte too long.

The resource returned find_next_iomem_res() always ends at the
"res->end" supplied as an input parameter *unless* the input res->end
is strictly greater than the p->end, when it is truncated to p->end.

Bottom line, I don't think patches 1 and 2 need to be folded together
because they fix different problems.

Bjorn