Message-ID: <20190417015351.GA28490@agluck-desk>
Date: Tue, 16 Apr 2019 18:53:51 -0700
From: "Luck, Tony" <tony.luck@...el.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: Borislav Petkov <bp@...en8.de>,
LKML <linux-kernel@...r.kernel.org>, linux-edac@...r.kernel.org,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH 1/2] ras: fix an off-by-one error in __find_elem()
On Tue, Apr 16, 2019 at 04:47:55PM -0700, Cong Wang wrote:
> 229 static void del_elem(struct ce_array *ca, int idx)
> 230 {
> 231         /* Save us a function call when deleting the last element. */
> 232         if (ca->n - (idx + 1))
> 233                 memmove((void *)&ca->array[idx],
> 234                         (void *)&ca->array[idx + 1],
> 235                         (ca->n - (idx + 1)) * sizeof(u64));
> 236
> 237         ca->n--;
> 238 }
>
> idx is ca->n and ca->n is MAX_ELEMS-1, then the above if statement
> becomes true, therefore idx+1 is MAX_ELEMS which is just beyond
> the valid range.
Is that really the memmove() where we die? It looks like
it has a special case for dealing with the last element.
But this:
296         ret = find_elem(ca, pfn, &to);
297         if (ret < 0) {
298                 /*
299                  * Shift range [to-end] to make room for one more element.
300                  */
301                 memmove((void *)&ca->array[to + 1],
302                         (void *)&ca->array[to],
303                         (ca->n - to) * sizeof(u64));
304
looks like it also needs a special case for when "to == MAX_ELEMS-1"
(we don't need to memmove).
-Tony
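A stand-alone C model of the sorted insert and delete paths discussed in this thread, added here as an example; it is not the kernel's cec.c code. MAX_ELEMS, the struct layout and the search are simplified assumptions; the point is the checks placed before each memmove so that neither `to` nor `idx + 1` can index past the end of the array.

```c
#include <stdint.h>
#include <string.h>
#define MAX_ELEMS 4  /* tiny capacity for the demo (assumption, not the kernel's value) */

struct ce_array {
    uint64_t array[MAX_ELEMS];
    int n;   /* number of valid elements, 0..MAX_ELEMS */
};

/* Binary search: returns the index if pfn is present, else -1 with *to set to the
 * insertion point. Note *to can equal ca->n, i.e. MAX_ELEMS when the array is full. */
static int find_elem(const struct ce_array *ca, uint64_t pfn, int *to)
{
    int lo = 0, hi = ca->n;
    while (lo < hi) {
        int mid = lo + (hi - lo) / 2;
        if (ca->array[mid] == pfn) { *to = mid; return mid; }
        if (ca->array[mid] < pfn) lo = mid + 1; else hi = mid;
    }
    *to = lo;
    return -1;
}

/* Sorted insert: 1 = inserted, 0 = already present, -1 = array full.
 * The full check must precede the shift: with n == MAX_ELEMS the memmove would
 * write array[MAX_ELEMS], one element past the end of the array. */
static int insert_elem(struct ce_array *ca, uint64_t pfn)
{
    int to;
    if (find_elem(ca, pfn, &to) >= 0)
        return 0;
    if (ca->n >= MAX_ELEMS)
        return -1;
    if (to < ca->n)   /* to == n is an append: nothing to shift */
        memmove(&ca->array[to + 1], &ca->array[to], (ca->n - to) * sizeof(uint64_t));
    ca->array[to] = pfn;
    ca->n++;
    return 1;
}

/* Delete by index. Rejects idx outside 0..n-1, so idx + 1 never reaches MAX_ELEMS.
 * Returns 0 on success, -1 for an out-of-range index. */
static int del_elem(struct ce_array *ca, int idx)
{
    if (idx < 0 || idx >= ca->n)
        return -1;
    if (ca->n - (idx + 1))
        memmove(&ca->array[idx], &ca->array[idx + 1], (ca->n - (idx + 1)) * sizeof(uint64_t));
    ca->n--;
    return 0;
}
```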