From patchwork Mon Oct 29 19:10:54 2018
X-Patchwork-Submitter: Masayoshi Mizuma
X-Patchwork-Id: 10660153
From: Masayoshi Mizuma
To: linux-nvdimm@lists.01.org
Subject: [PATCH] tools/testing/nvdimm: Fix the index for dimm devices.
Date: Mon, 29 Oct 2018 15:10:54 -0400
Message-Id: <20181029191054.7694-1-msys.mizuma@gmail.com>
Cc: Masayoshi Mizuma

From: Masayoshi Mizuma

KASAN reports the following global out-of-bounds access while
nfit_test is being loaded. The out-of-bounds access happens at the
following reference to dimm_fail_cmd_flags[dimm]. 'dimm' is over
the index value, NUM_DCR (==5).

---
  static int override_return_code(int dimm, unsigned int func, int rc)
  {
          if ((1 << func) & dimm_fail_cmd_flags[dimm]) {

dimm_fail_cmd_flags[] definition:
  static unsigned long dimm_fail_cmd_flags[NUM_DCR];
---

'dimm' is the return value of get_dimm(), and get_dimm() returns
the index of the handle[] array. handle[] has 7 indexes; indexes
#0 to #4 are for nfit_test.0, and #5 and #6 are for nfit_test.1.
NUM_DCR is only for nfit_test.0. Let's add for nfit_test.1.

KASAN report:

==================================================================
BUG: KASAN: global-out-of-bounds in nfit_test_ctl+0x47bb/0x55b0 [nfit_test]
Read of size 8 at addr ffffffffc10cbbe8 by task kworker/u41:0/8
...
Call Trace:
 dump_stack+0xea/0x1b0
 ? dump_stack_print_info.cold.0+0x1b/0x1b
 ? kmsg_dump_rewind_nolock+0xd9/0xd9
 print_address_description+0x65/0x22e
 ? nfit_test_ctl+0x47bb/0x55b0 [nfit_test]
 kasan_report.cold.6+0x92/0x1a6
 nfit_test_ctl+0x47bb/0x55b0 [nfit_test]
...
The buggy address belongs to the variable:
 dimm_fail_cmd_flags+0x28/0xffffffffffffa440 [nfit_test]
==================================================================

Signed-off-by: Masayoshi Mizuma --- tools/testing/nvdimm/test/nfit.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c index 9527d47a1070..38f066ce2f47 100644 --- a/tools/testing/nvdimm/test/nfit.c +++ b/tools/testing/nvdimm/test/nfit.c @@ -104,6 +104,8 @@ enum { NUM_PM = 3, NUM_DCR = 5, + NUM_DCR_ALL = NUM_DCR + 2, /* 5 DCRs for test.0, 2 DCRs for test.1 */ + NUM_HINTS = 8, NUM_BDW = NUM_DCR, NUM_SPA = NUM_PM + NUM_DCR + NUM_BDW, @@ -140,8 +142,8 @@ static u32 handle[] = { [6] = NFIT_DIMM_HANDLE(1, 0, 0, 0, 1), }; -static unsigned long dimm_fail_cmd_flags[NUM_DCR]; -static int dimm_fail_cmd_code[NUM_DCR]; +static unsigned long dimm_fail_cmd_flags[NUM_DCR_ALL]; +static int dimm_fail_cmd_code[NUM_DCR_ALL]; static const struct nd_intel_smart smart_def = { .flags = ND_INTEL_SMART_HEALTH_VALID @@ -205,7 +207,7 @@ struct nfit_test { unsigned long deadline; spinlock_t lock; } ars_state; - struct device *dimm_dev[NUM_DCR]; + struct device *dimm_dev[NUM_DCR_ALL]; struct nd_intel_smart *smart; struct nd_intel_smart_threshold *smart_threshold; struct badrange badrange; @@ -2680,7 +2682,7 @@ static int nfit_test_probe(struct platform_device *pdev) u32 nfit_handle = __to_nfit_memdev(nfit_mem)->device_handle; int i; - for (i = 0; i < NUM_DCR; i++) + for (i = 0; i < NUM_DCR_ALL; i++) if (nfit_handle == handle[i]) dev_set_drvdata(nfit_test->dimm_dev[i], nfit_mem);
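
Review bot: in the enum hunk (@@ -104), `NUM_DCR_ALL = NUM_DCR + 2` hard-codes the nfit_test.1 DIMM count as a literal that has to be kept in step with handle[] by hand. The arrays it sizes are all declared after handle[], so they could be sized with ARRAY_SIZE(handle), or a BUILD_BUG_ON(ARRAY_SIZE(handle) != NUM_DCR_ALL) could pin the two together; without that, adding an entry to handle[] brings back the same out-of-bounds read. The blank line added after NUM_DCR_ALL also splits the enum list for no stated reason.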
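
Review bot: in the array hunk (@@ -140), enlarging dimm_fail_cmd_flags[] and dimm_fail_cmd_code[] removes the reported read, but the consumer quoted in the commit message, override_return_code(), still indexes with the get_dimm() result and shows no range check. A guard at that site, for example `if (dimm < 0 || dimm >= ARRAY_SIZE(dimm_fail_cmd_flags))` returning rc unchanged, would keep a future mismatch between handle[] and these arrays from turning into a memory-safety bug again instead of relying on the sizes staying equal.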
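
Review bot: in the nfit_test_probe() hunk (@@ -2680), the loop now reaches i = 5 and 6 and passes nfit_test->dimm_dev[i] to dev_set_drvdata(), yet none of the visible hunks touch the code that populates dimm_dev[]. Please confirm that slots 5 and 6 are filled for the nfit_test.1 instance before probe gets here, or skip NULL entries in the loop. The commit message should cover this too, since it currently describes only the dimm_fail_cmd_flags[] read and not the dimm_dev[] and probe-loop changes.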