Received: by 2002:ab2:7903:0:b0:1fb:b500:807b with SMTP id a3csp1193844lqj; Mon, 3 Jun 2024 13:08:40 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCW3Vh9QxMd1P9T7r1S3GStGUm4ixG21HcVNNzykBsJLhuvK+tD6mYsrI0NQpPaSePI772mWWI4xg9JOBE2vq3RPesQNkmx20JHLHkNWnw== X-Google-Smtp-Source: AGHT+IHPc2sj8lz4dIwjbi5739SNuK2M+qTphrK75V7BgPwQEDQUhwT9vvwTGtIr6kIp8nCo+/vB X-Received: by 2002:a17:906:fd0e:b0:a62:b679:3e7b with SMTP id a640c23a62f3a-a6821d646f2mr527871766b.61.1717445319989; Mon, 03 Jun 2024 13:08:39 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717445319; cv=pass; d=google.com; s=arc-20160816; b=tjF2ry8m2RYYZQZYy3aFeIiQ/ueR+zWsJBPcYtP0DtCn3f+OrCbXNklRaehs1BCQk4 hLdkDxQDd1spUyXqiC4LTKUZJEQD48TzZvuMw6a/kS8jT9NODMi+3CuPVIt8ryuuVAZX KgQ/taKQWri5aCPB6Solv8CkVryie6FpgSwDoH54dzpu2S1p1hiaBOzSNoZ9jW9aOp3p rhH5PDDk7hSAfm4NV8ezp63mlV6ye1dd6tg6luab/cc3LuRkdaymamhlx7D/3EGnk5bS fIDYbzxwGYcmS3kvms+zcN7FHCZ/8bOZ9/b5l02W99csOC+7Qi7QqV4anBfY0g/mQOSz RX/Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-filter; bh=PcR2bwlZQti/encT2nDoXfnro9OdenjYjbHAMNVXpYU=; fh=kYz93YTPSDJwurZoUbm7iGX0Z5+xjZ4Ox4kh+wM30yc=; b=tp87BIJ9epA5QWjC0KQ53JHOF/zd6XONvH4B/OCyAu2w+ZohZZT4d9hKlrSt5DkaTa XkllveFV8b/q9Gi1L3pvbn9dTA8YMCxL1Yp03cA8ukNrRVo8+ZSPgCb64wZDD/azR609 1Rb4j/sQUcqJaEj95PZnamStPsr9mOuiOzMmyPfqlmHBEKtnEWB1c089zqsLp3k+nByQ LVVYJ034mUg2haREh6mrNNEdMjMBlYQ6sXjiSOmFEqxzJxC8xSQk8NW97I7DxEazMvEt JL/ZvdzXpBdLdjejqsN3S+TJT0sR/Tt818PT9IKMTNH/AvP06uIsNc1NbB12PgpKcuOp 5lPQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=IWYq40oB; arc=pass (i=1 spf=pass spfdomain=ispras.ru dkim=pass dkdomain=ispras.ru dmarc=pass fromdomain=ispras.ru); spf=pass (google.com: domain of linux-kernel+bounces-199673-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-199673-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id a640c23a62f3a-a68fa6ce6fdsi176164666b.424.2024.06.03.13.08.39 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Jun 2024 13:08:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-199673-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=IWYq40oB; arc=pass (i=1 spf=pass spfdomain=ispras.ru dkim=pass dkdomain=ispras.ru dmarc=pass fromdomain=ispras.ru); spf=pass (google.com: domain of linux-kernel+bounces-199673-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-199673-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 053511F26E5C for ; Mon, 3 Jun 2024 20:02:41 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7B46013B2AD; Mon, 3 Jun 2024 20:02:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=ispras.ru header.i=@ispras.ru header.b="IWYq40oB" Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5CC1D46A4; Mon, 3 Jun 2024 20:02:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.149.199.84 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717444954; cv=none; b=F0wk3INgurKel+LKp4DKPskOLU08b7VNVPlXtvV1wFpAUXvDQCjG0QbM9Z3rNPZ093Kwq3S2v+XNW8CQmDrNlhzq8oIRN5vJ1IORQJPvtkSPjYmvtbOzsRW3t+j3pY4jsH7UwP/ay4bozrMQZDR/BU7kdn2qA8sU5OgG5TDBvIY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717444954; c=relaxed/simple; bh=AYBltyibmcS4U4asfxC/o8WuJGFyFsZjjosU4fSNOks=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=GczYloGZjRroDsjzOAWfzpgEf5ST0aOhTdszo/qWy6K87MyMUduoqb2IMe54WM/mWOfTy3m9fT8hXkoUbjOR4Ora76QczFCRxpz4apjj74PEMibZqVWVmTfaejq3IFRnOt0+jBYIhjtW9vUR0iK8m5VeKtUnURdWExPgSyanXAQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=ispras.ru; spf=pass smtp.mailfrom=ispras.ru; dkim=pass (1024-bit key) header.d=ispras.ru header.i=@ispras.ru header.b=IWYq40oB; arc=none smtp.client-ip=83.149.199.84 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=ispras.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=ispras.ru Received: from fpc (unknown [5.228.116.47]) by mail.ispras.ru (Postfix) with ESMTPSA id 79F9C4076749; Mon, 3 Jun 2024 19:54:52 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 79F9C4076749 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru; s=default; t=1717444492; bh=PcR2bwlZQti/encT2nDoXfnro9OdenjYjbHAMNVXpYU=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=IWYq40oBY/kBriaYjrguGEQPgQHJNTs1L3nJCnOvYRDD7mfHqTd/QM68t0w45kGN3 kmLLTStm3qw64DiVhXnzKdUJ+c9eKCXGbsV3q//0igVRu5IlAlCCCdTXQxUpv7ooSD /tstzyUTlNyEJQyM7xBXImsSIegkTc+1KDWeHZyI= Date: Mon, 3 Jun 2024 22:54:47 +0300 From: Fedor Pchelkin To: David Hildenbrand Cc: Anastasia Belova , lvc-project@linuxtesting.org, linux-mm@kvack.org, Andrew Morton , linux-kernel@vger.kernel.org, Oscar Salvador , linux-hardening@vger.kernel.org Subject: Re: [PATCH] mm/memory_hotplug: prevent accessing by index=-1 Message-ID: <20240603-4f7a5fd957aa1f9cbc8d5f14-pchelkin@ispras.ru> References: <20240603112830.7432-1-abelova@astralinux.ru> <3c2b1b1e-c9b3-442e-8f7b-5c7518d3fbdb@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <3c2b1b1e-c9b3-442e-8f7b-5c7518d3fbdb@redhat.com> On Mon, 03. Jun 18:07, David Hildenbrand wrote: > On 03.06.24 13:28, Anastasia Belova wrote: > > nid may be equal to NUMA_NO_NODE=-1. Prevent accessing node_data > > array by invalid index with check for nid. > > > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > > > Fixes: e83a437faa62 ("mm/memory_hotplug: introduce "auto-movable" online policy") > > Signed-off-by: Anastasia Belova > > --- > > mm/memory_hotplug.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c > > index 431b1f6753c0..bb98ee8fe698 100644 > > --- a/mm/memory_hotplug.c > > +++ b/mm/memory_hotplug.c > > @@ -846,7 +846,7 @@ static bool auto_movable_can_online_movable(int nid, struct memory_group *group, > > unsigned long kernel_early_pages, movable_pages; > > struct auto_movable_group_stats group_stats = {}; > > struct auto_movable_stats stats = {}; > > - pg_data_t *pgdat = NODE_DATA(nid); > > + pg_data_t *pgdat = (nid != NUMA_NO_NODE) ? NODE_DATA(nid) : NULL; > > struct zone *zone; > > int i; > > > pgdat is never dereferenced when "nid == NUMA_NO_NODE". > > NODE_DATA is defined as > > arch/arm64/include/asm/mmzone.h:#define NODE_DATA(nid) (node_data[(nid)]) > arch/loongarch/include/asm/mmzone.h:#define NODE_DATA(nid) (node_data[(nid)]) > arch/mips/include/asm/mach-ip27/mmzone.h:#define NODE_DATA(n) (&__node_data[(n)]->pglist) > arch/mips/include/asm/mach-loongson64/mmzone.h:#define NODE_DATA(n) (__node_data[n]) > arch/powerpc/include/asm/mmzone.h:#define NODE_DATA(nid) (node_data[nid]) > arch/riscv/include/asm/mmzone.h:#define NODE_DATA(nid) (node_data[(nid)]) > arch/s390/include/asm/mmzone.h:#define NODE_DATA(nid) (node_data[nid]) > arch/sh/include/asm/mmzone.h:#define NODE_DATA(nid) (node_data[nid]) > arch/sparc/include/asm/mmzone.h:#define NODE_DATA(nid) (node_data[nid]) > arch/x86/include/asm/mmzone_32.h:#define NODE_DATA(nid) (node_data[nid]) > arch/x86/include/asm/mmzone_64.h:#define NODE_DATA(nid) (node_data[nid]) node_data array is declared as follows on most archs: struct pglist_data *node_data[MAX_NUMNODES]; It's an array of pointers to struct pglist_data. When doing node_data[-1], it is actually dereferencing something before the start of the array in order to obtain a pointer to struct pglist_data, isn't it? (C99, 6.5.2.1) The definition of the subscript operator [] is that E1[E2] is identical to (*((E1)+(E2))). > > Regarding architectures that's actually support memory hotplug, this is pure pointer arithmetic. > (it is for mips as well, just less obvious) Speaking in a dry language of C standard, pointer arithmetic with one before the first array element is also considered undefined behaviour: (C99, 6.5.6p8) "If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined." Although it doesn't ever crash and probably never won't give any problems, but who knows what the compiler optimisations would do with this. > > So how is that a real problem? Do we have a reproducer? This code looks to be executed with memory_hotplug.online_policy=auto-movable, I suppose it's not a real big problem due to the fact that node_data is a global variable as otherwise [-1] array access would lead to crashes.. I've triggered the code with node_data[-1] on kernel with UBSAN enabled, and no splats were observed. Is it due to that node_data is a global variable or I somehow managed to misuse UBSAN for catching oob access? Cc'ing linux-hardening. Nonetheless, maybe it'd be better to define pgdat inside the else-block in auto_movable_can_online_movable() where it's only used?