Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S269586AbUKASxG (ORCPT ); Mon, 1 Nov 2004 13:53:06 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S287887AbUKASxF (ORCPT ); Mon, 1 Nov 2004 13:53:05 -0500 Received: from vana.vc.cvut.cz ([147.32.240.58]:5248 "EHLO vana.vc.cvut.cz") by vger.kernel.org with ESMTP id S287422AbUKASgh (ORCPT ); Mon, 1 Nov 2004 13:36:37 -0500 Date: Mon, 1 Nov 2004 19:36:31 +0100 From: Petr Vandrovec To: linux-kernel@vger.kernel.org Subject: x86-64 numa: accessing memnodemap[] beyond its end Message-ID: <20041101183631.GA24023@vana.vc.cvut.cz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.6+20040907i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2894 Lines: 67 Hello, what prevents function below (arch/x86_64/mm/numa.c) from accessing memnodemap[] beyond its end? NODEMAPSIZE is 0xFF, so for first attempted bit shift 24 it attempts to access field 0x100000000 >> 24 = 0x100. Fortunately it survives as memnodemap[256] fortunately contains zero and not 0xFF or 0x01, but still it seems to me that some test for index overflow is missing here. Thanks, Petr Vandrovec u8 memnodemap[NODEMAPSIZE]; int __init compute_hash_shift(struct node *nodes) { int i; int shift = 24; u64 addr; /* When in doubt use brute force. */ while (shift < 48) { memset(memnodemap,0xff,sizeof(*memnodemap) * NODEMAPSIZE); for (i = 0; i < numnodes; i++) { if (nodes[i].start == nodes[i].end) continue; for (addr = nodes[i].start; addr < nodes[i].end; addr += (1UL << shift)) { if (memnodemap[addr >> shift] != 0xff && memnodemap[addr >> shift] != i) { printk(KERN_INFO "node %d shift %d addr %Lx conflict %d\n", i, shift, addr, memnodemap[addr>>shift]); goto next; } memnodemap[addr >> shift] = i; } } return shift; next: shift++; } memset(memnodemap,0,sizeof(*memnodemap) * NODEMAPSIZE); return -1; } Bootdata ok (command line is BOOT_IMAGE=2.6.10-1-424-64 ro root=801 ramdisk=0 video=matroxfb:vesa:0x11E,left:16,right:8,hslen:48,xres:1920,upper:2,vslen:4,lowe) Linux version 2.6.10-rc1-c2424 (root@vana) (gcc version 3.3.3 (Debian 20040401)) #2 SMP Mon Nov 1 15:43:42 CET 2004 BIOS-provided physical RAM map: BIOS-e820: 0000000000000000 - 000000000009fc00 (usable) BIOS-e820: 0000000000100000 - 0000000040000000 (usable) BIOS-e820: 0000000100000000 - 0000000140000000 (usable) Scanning NUMA topology in Northbridge 24 Number of nodes 2 (10010) Node 0 MemBase 0000000000000000 Limit 000000003fffffff Node 1 MemBase 0000000100000000 Limit 000000013fffffff node 1 shift 24 addr 100000000 conflict 0 Using node hash shift of 25 Bootmem setup node 0 0000000000000000-000000003fffffff Bootmem setup node 1 0000000100000000-000000013fffffff P.S.: No, this setup does not come from standard BIOS. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/