Alison Schofield wrote:
> KASAN reports a global-out-of-bounds access when running these nfit
> tests: clear.sh, pmem-errors.sh, pfn-meta-errors.sh, btt-errors.sh,
> daxdev-errors.sh, and inject-error.sh.
> 
> [] BUG: KASAN: global-out-of-bounds in nfit_test_ctl+0x769f/0x7840 [nfit_test]
> [] Read of size 4 at addr ffffffffc03ea01c by task ndctl/1215
> [] The buggy address belongs to the variable:
> [] handle+0x1c/0x1df4 [nfit_test]
> 
> nfit_test_search_spa() uses handle[nvdimm->id] to retrieve a device
> handle and triggers a KASAN error when it reads past the end of the
> handle array. It should not be indexing the handle array at all.
> 
> The correct device handle is stored in per-DIMM test data. Each DIMM
> has a struct nfit_mem that embeds a struct acpi_nfit_memdev that
> describes the NFIT device handle. Use that device handle here. 
> 
> Fixes: 10246dc84dfc ("acpi nfit: nfit_test supports translate SPA")
> Cc: <[email protected]>
> Signed-off-by: Alison Schofield <[email protected]>

Picked up
https://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm.git/commit/?h=libnvdimm-for-next

Thanks,
Ira

> ---
> 
> Changes in v2:
> - Use the correct handle in per-DIMM test data (Dan)
> - Update commit message and log
> - Update Fixes Tag
> 
> 
>  tools/testing/nvdimm/test/nfit.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c
> index cfd4378e2129..f87e9f251d13 100644
> --- a/tools/testing/nvdimm/test/nfit.c
> +++ b/tools/testing/nvdimm/test/nfit.c
> @@ -670,6 +670,7 @@ static int nfit_test_search_spa(struct nvdimm_bus *bus,
>               .addr = spa->spa,
>               .region = NULL,
>       };
> +     struct nfit_mem *nfit_mem;
>       u64 dpa;
>  
>       ret = device_for_each_child(&bus->dev, &ctx,
> @@ -687,8 +688,12 @@ static int nfit_test_search_spa(struct nvdimm_bus *bus,
>        */
>       nd_mapping = &nd_region->mapping[nd_region->ndr_mappings - 1];
>       nvdimm = nd_mapping->nvdimm;
> +     nfit_mem = nvdimm_provider_data(nvdimm);
> +     if (!nfit_mem)
> +             return -EINVAL;
>  
> -     spa->devices[0].nfit_device_handle = handle[nvdimm->id];
> +     spa->devices[0].nfit_device_handle =
> +             __to_nfit_memdev(nfit_mem)->device_handle;
>       spa->num_nvdimms = 1;
>       spa->devices[0].dpa = dpa;
>  
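Review bot: returning `-EINVAL` when `nvdimm_provider_data(nvidimm)` yields NULL reads as "caller passed a bad argument", but a missing `nfit_mem` means the nvdimm was not set up with the per-DIMM test data this lookup relies on; `-ENXIO` or `-ENODEV` would let the caller of `nfit_test_search_spa()` tell a device-data lookup failure apart from a malformed translate-SPA request. The substantive fix is sound: replacing `handle[nvdimm->id]` with `__to_nfit_memdev(nfit_mem)->device_handle` removes the array index that KASAN flagged as reading past the end of `handle`, and the value now comes from the DIMM's own `struct acpi_nfit_memdev` rather than from an index the DIMM id was never guaranteed to stay within.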
> 
> base-commit: 211ddde0823f1442e4ad052a2f30f050145ccada
> -- 
> 2.37.3
> 
