On Tue, Apr 16, 2019 at 04:18:57PM -0700, Cong Wang wrote:
> > The problem case occurs when we've seen enough distinct
> > errors that we have filled every entry, then we try to
> > look up a pfn that is larger than any seen before.
> >
> > The loop:
> >
> >     while (min < max) {
> >         ...
> >     }
> >
> > will terminate with "min" set to MAX_ELEMS. Then we
> > execute:
> >
> >     this_pfn = PFN(ca->array[min]);
> >
> > which references beyond the end of the space allocated
> > for ca->array.
>
> Exactly.
Hmmm. But can we ever really have this happen?

The call sequence to get here looks like:

	mutex_lock(&ce_mutex);

	if (ca->n == MAX_ELEMS)
		WARN_ON(!del_lru_elem_unlocked(ca));

	ret = find_elem(ca, pfn, &to);

I.e. if the array was all the way full, we delete one element before
calling find_elem(). So when we get here:

static int __find_elem(struct ce_array *ca, u64 pfn, unsigned int *to)
{
	u64 this_pfn;
	int min = 0, max = ca->n;

The biggest value "max" can have is MAX_ELEMS-1

-Tony
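The two messages above disagree about whether the search can ever stop at index MAX_ELEMS. The following C model, added here as an illustration and not the kernel's cec.c code, reproduces both situations: a full array looked up with a pfn larger than every stored entry (min stops at n, one past the last element), and the state Tony describes where one element has been deleted first (n is MAX_ELEMS-1, so min stays a valid index). It also shows the explicit bounds test that makes the lookup safe regardless of which caller invariant holds. Everything in it is an assumption for the example: MAX_ELEMS is shrunk to 8, the array stores raw PFNs rather than the packed value the real PFN() macro decodes, and the names ce_array_model, search_pos, find_elem_checked, fill_model and the scenario helpers are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

#ifndef ENOKEY
#define ENOKEY 126   /* fallback for libcs that lack the Linux value */
#endif

/* Constructed model; MAX_ELEMS is shrunk from the kernel's size so the
 * scenarios are easy to follow. Entries are raw PFNs kept sorted. */
#define MAX_ELEMS 8

struct ce_array_model {
    uint64_t array[MAX_ELEMS];
    unsigned int n;          /* number of valid entries, <= MAX_ELEMS */
};

/* Binary search for pfn over array[0..n), mirroring the loop quoted in
 * the thread. Returns the position where the search stops ("min").
 * When every stored entry is smaller than pfn, that position is n,
 * i.e. one past the last valid element. */
unsigned int search_pos(const struct ce_array_model *ca, uint64_t pfn)
{
    unsigned int min = 0, max = ca->n;

    while (min < max) {
        unsigned int mid = min + (max - min) / 2;
        uint64_t this_pfn = ca->array[mid];

        if (this_pfn < pfn)
            min = mid + 1;
        else if (this_pfn > pfn)
            max = mid;
        else
            return mid;           /* exact hit */
    }
    return min;
}

/* Lookup with an explicit bounds test before array[min] is read.
 * Returns the index of pfn or -ENOKEY; *to receives the stop position
 * (the insertion point) either way. The "min >= n" check is what keeps
 * the read in bounds even if a caller arrives with n == MAX_ELEMS. */
int find_elem_checked(const struct ce_array_model *ca, uint64_t pfn,
                      unsigned int *to)
{
    unsigned int min = search_pos(ca, pfn);

    if (to)
        *to = min;

    if (min >= ca->n)             /* would index past the end without this */
        return -ENOKEY;

    return ca->array[min] == pfn ? (int)min : -ENOKEY;
}

/* Fill the model with n distinct, increasing PFNs: 10, 20, ..., 10*n. */
void fill_model(struct ce_array_model *ca, unsigned int n)
{
    unsigned int i;

    ca->n = n;
    for (i = 0; i < n; i++)
        ca->array[i] = 10 * (uint64_t)(i + 1);
}

/* Scenario from Cong Wang's quote: array completely full, lookup of a
 * pfn larger than anything stored. The search stops at MAX_ELEMS. */
unsigned int full_array_stop_pos(void)
{
    struct ce_array_model ca;

    fill_model(&ca, MAX_ELEMS);
    return search_pos(&ca, 1000);
}

/* Same scenario through the checked lookup: no out-of-bounds read,
 * just -ENOKEY. */
int full_array_checked_lookup(void)
{
    struct ce_array_model ca;

    fill_model(&ca, MAX_ELEMS);
    return find_elem_checked(&ca, 1000, NULL);
}

/* Tony's point: one element was deleted before the lookup, so n is
 * MAX_ELEMS-1 and the stop position is still a valid index. */
unsigned int after_delete_stop_pos(void)
{
    struct ce_array_model ca;

    fill_model(&ca, MAX_ELEMS - 1);
    return search_pos(&ca, 1000);
}

/* Ordinary hit: 30 sits at index 2 of the filled array. */
int lookup_existing_index(void)
{
    struct ce_array_model ca;

    fill_model(&ca, MAX_ELEMS);
    return find_elem_checked(&ca, 30, NULL);
}
```

The model keeps the loop's logic as quoted and adds only the bounds test; whether that test is needed in practice depends on the caller invariant the thread is debating, which is exactly why the check is cheap insurance in a lookup that can be reached from more than one path.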