From mboxrd@z Thu Jan 1 00:00:00 1970
From: Cong Wang
Date: Tue, 16 Apr 2019 16:16:08 -0700
To: Borislav Petkov
Cc: LKML, linux-edac@vger.kernel.org, Tony Luck, Thomas Gleixner
Subject: Re: [PATCH v2 1/2] ras: fix an off-by-one error in __find_elem()
References: <20190416213351.28999-1-xiyou.wangcong@gmail.com> <20190416214634.GP31772@zn.tnic>
In-Reply-To: <20190416214634.GP31772@zn.tnic>
X-Mailing-List: linux-edac@vger.kernel.org
Message-ID: <20190416231608.Yyflm-kf_Pwpe-xNzUeaEkvgCjPeG8irX9o4tRgKSrs@z>

On Tue, Apr 16, 2019 at 2:46 PM Borislav Petkov wrote:
>
> On Tue, Apr 16, 2019 at 02:33:50PM -0700, Cong Wang wrote:
> > ce_arr.array[] is always within the range [0, ce_arr.n-1].
> > However, the binary search code in __find_elem() uses ce_arr.n
> > as the maximum index, which could lead to an off-by-one
> > out-of-bounds access right after the while loop. In this case,
> > we should not even read it, just return -ENOKEY instead.
> >
> > Note, this could cause a kernel crash if ce_arr.n is exactly
> > MAX_ELEMS.
>
> "Could cause"?
>
> I'm still waiting for a demonstration. You can build a case through
> writing values in the debugfs nodes I pointed you at or even with a
> patch on top preparing the exact conditions for it to crash. And then
> give me that "recipe" to trigger it here in a VM.

It is actually fairly easy:

1) Fill the whole page with PFNs:
for i in `seq 0 511`; do echo $i >> /sys/kernel/debug/ras/cec/pfn; done

2) Set thresh to 1 in order to trigger the deletion:
echo 1 > /sys/kernel/debug/ras/cec/count_threshold

3) Repeatedly add and remove the last element:
echo 512 >> /sys/kernel/debug/ras/cec/pfn
(until you get a crash.)
In case you still don't get it, here it is:

[   57.732593] BUG: unable to handle kernel paging request at ffff9c667bca0000
[   57.734994] #PF error: [PROT] [WRITE]
[   57.735891] PGD 75601067 P4D 75601067 PUD 75605067 PMD 7bca1063 PTE 800000007bca0061
[   57.737702] Oops: 0003 [#1] SMP PTI
[   57.738533] CPU: 0 PID: 649 Comm: bash Not tainted 5.1.0-rc5+ #561
[   57.739965] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014
[   57.742892] RIP: 0010:__memmove+0x57/0x1a0
[   57.743853] Code: 00 72 05 40 38 fe 74 3b 48 83 ea 20 48 83 ea 20 4c 8b 1e 4c 8b 56 08 4c 8b 4e 10 4c 8b 46 18 48 8d 76 20 4c 89 1f 4c 89 57 08 <4c> 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00
[   57.748150] RSP: 0018:ffffbe2ec0c8bdf8 EFLAGS: 00010206
[   57.749371] RAX: ffff9c667a5c1ff0 RBX: 0000000000000001 RCX: 0000000000000ff8
[   57.751018] RDX: 00000007fe921fb8 RSI: ffff9c667bca0018 RDI: ffff9c667bc9fff0
[   57.752674] RBP: 0000000000000200 R08: 0000000000000000 R09: 0000015c00000000
[   57.754325] R10: 0000000000040001 R11: 5a5a5a5a5a5a5a5a R12: 0000000000000004
[   57.755976] R13: ffff9c6671787778 R14: ffff9c6671787728 R15: ffff9c6671787750
[   57.757631] FS:  00007f33ca294740(0000) GS:ffff9c667d800000(0000) knlGS:0000000000000000
[   57.759689] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   57.761023] CR2: ffff9c667bca0000 CR3: 000000007061e000 CR4: 00000000000406f0
[   57.762681] Call Trace:
[   57.763275]  del_elem.constprop.1+0x39/0x40
[   57.764260]  cec_add_elem+0x1e4/0x211
[   57.765129]  simple_attr_write+0xa2/0xc3
[   57.766057]  debugfs_attr_write+0x45/0x5c
[   57.767005]  full_proxy_write+0x4b/0x65
[   57.767911]  ? full_proxy_poll+0x50/0x50
[   57.768844]  vfs_write+0xb8/0xf5
[   57.769613]  ksys_write+0x6b/0xb8
[   57.770407]  do_syscall_64+0x57/0x65
[   57.771249]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

I will leave it as homework to explain why the crash is inside memmove(). ;)

Thanks.
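The off-by-one in the quoted commit message, modelled in user space as an added example (this is not the kernel's cec.c and not code from either participant in the thread). It assumes a simplified element layout (PFN above a 12-bit count field), a MAX_ELEMS of 8 in place of PAGE_SIZE / sizeof(u64), a constructed "memory after the array" slot whose contents happen to decode as a matching PFN, and an illustrative corrected search (find_elem_fixed) that is not the patch under review. The buggy search uses n as its upper bound and dereferences array[min] after the loop, so with a full array and a PFN larger than every stored one it reads one slot past the end and can even hand that out-of-range index back to the caller; the fixed search bounds itself by n - 1 and returns -ENOKEY without the trailing read.

```c
/* Added example: user-space model of the CEC array binary search, not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef ENOKEY
#define ENOKEY 126          /* assumption: Linux value, for non-Linux libcs */
#endif

#define COUNT_BITS 12       /* assumption: count in the low bits, PFN above them */
#define MAX_ELEMS  8        /* stand-in for PAGE_SIZE / sizeof(u64) (512 on x86) */
#define PFN(e)     ((e) >> COUNT_BITS)

struct ce_array {
	/* Slots 0..MAX_ELEMS-1 are the real array; slot MAX_ELEMS stands in for
	 * whatever memory follows it, so the out-of-bounds read is observable
	 * here without undefined behaviour. */
	uint64_t storage[MAX_ELEMS + 1];
	unsigned int n;     /* number of valid elements */
};

struct search_result {
	int idx;                /* index found, or -ENOKEY */
	unsigned int to;        /* insertion slot reported through *to */
	unsigned int last_read; /* highest slot the search dereferenced */
};

/* Buggy search: upper bound is n (one past the last valid index) and the
 * element at array[min] is read unconditionally after the loop. */
static int find_elem_buggy(const struct ce_array *ca, uint64_t pfn,
			   unsigned int *to, unsigned int *last_read)
{
	unsigned int min = 0, max = ca->n;

	while (min < max) {
		unsigned int mid = (min + max) >> 1;
		uint64_t this_pfn = PFN(ca->storage[mid]);

		*last_read = mid;
		if (this_pfn < pfn)
			min = mid + 1;
		else if (this_pfn > pfn)
			max = mid;
		else {
			min = mid;
			break;
		}
	}
	if (to)
		*to = min;

	/* When pfn is larger than every stored PFN, min == n here: for a full
	 * array that is storage[MAX_ELEMS], i.e. past the end of the page. */
	*last_read = min;
	if (PFN(ca->storage[min]) == pfn)
		return (int)min;
	return -ENOKEY;
}

/* Illustrative fix: search the closed range [0, n-1] and never read after the loop. */
static int find_elem_fixed(const struct ce_array *ca, uint64_t pfn,
			   unsigned int *to, unsigned int *last_read)
{
	int min = 0, max = (int)ca->n - 1;

	while (min <= max) {
		int mid = (min + max) >> 1;
		uint64_t this_pfn = PFN(ca->storage[mid]);

		*last_read = (unsigned int)mid;
		if (this_pfn < pfn)
			min = mid + 1;
		else if (this_pfn > pfn)
			max = mid - 1;
		else {
			if (to)
				*to = (unsigned int)mid;
			return mid;
		}
	}
	/* Not found: min is where pfn would be inserted; no element is touched. */
	if (to)
		*to = (unsigned int)min;
	return -ENOKEY;
}

/* Constructed input: PFNs 0..n-1 with count 1, sorted, as debugfs writes would leave them. */
static void fill(struct ce_array *ca, unsigned int n)
{
	unsigned int i;

	memset(ca, 0, sizeof(*ca));
	for (i = 0; i < n; i++)
		ca->storage[i] = ((uint64_t)i << COUNT_BITS) | 1;
	ca->n = n;
	/* Constructed contents of the memory after the array: decodes as PFN MAX_ELEMS. */
	ca->storage[MAX_ELEMS] = ((uint64_t)MAX_ELEMS << COUNT_BITS) | 1;
}

struct search_result run_buggy(unsigned int n, uint64_t pfn)
{
	struct ce_array ca;
	struct search_result r = { 0, 0, 0 };

	fill(&ca, n);
	r.idx = find_elem_buggy(&ca, pfn, &r.to, &r.last_read);
	return r;
}

struct search_result run_fixed(unsigned int n, uint64_t pfn)
{
	struct ce_array ca;
	struct search_result r = { 0, 0, 0 };

	fill(&ca, n);
	r.idx = find_elem_fixed(&ca, pfn, &r.to, &r.last_read);
	return r;
}

int main(void)
{
	/* The thread's recipe in miniature: full array, then look up the next PFN. */
	struct search_result b = run_buggy(MAX_ELEMS, MAX_ELEMS);
	struct search_result f = run_fixed(MAX_ELEMS, MAX_ELEMS);

	printf("buggy: idx=%d last_read=%u (valid slots are 0..%d)\n",
	       b.idx, b.last_read, MAX_ELEMS - 1);
	printf("fixed: idx=%d last_read=%u to=%u\n", f.idx, f.last_read, f.to);
	return 0;
}
```

The buggy search also misbehaves on an empty array (n == 0): the loop body never runs and it still reads storage[0], reporting a "hit" for whatever stale value sits there, whereas the fixed search returns -ENOKEY immediately. Both searches agree on in-range lookups, which is why the bug only surfaces once the array is completely full, exactly the condition the three debugfs steps above set up.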