Re: [PATCH 2/2] numa, mem-hotplug: Fix array index overflow when synchronizing nid to memblock.reserved.
On Tue, Jan 28, 2014 at 10:24 AM, Dave Jones wrote: > On Tue, Jan 28, 2014 at 05:05:16PM +0800, Tang Chen wrote: > > The following path will cause array out of bound. > > > > memblock_add_region() will always set nid in memblock.reserved to > MAX_NUMNODES. > > In numa_register_memblks(), after we set all nid to correct valus in > memblock.reserved, > > we called setup_node_data(), and used memblock_alloc_nid() to allocate > memory, with > > nid set to MAX_NUMNODES. > > > > The nodemask_t type can be seen as a bit array. And the index is 0 ~ > MAX_NUMNODES-1. > > > > After that, when we call node_set() in numa_clear_kernel_node_hotplug(), > the nodemask_t > > got an index of value MAX_NUMNODES, which is out of [0 ~ MAX_NUMNODES-1]. > > > > See below: > > > > numa_init() > > |---> numa_register_memblks() > > | |---> memblock_set_node(memory) set correct nid in > memblock.memory > > | |---> memblock_set_node(reserved)set correct nid in > memblock.reserved > > | |.. > > | |---> setup_node_data() > > | |---> memblock_alloc_nid()here, nid is set to > MAX_NUMNODES (1024) > > |.. > > |---> numa_clear_kernel_node_hotplug() > > |---> node_set() here, we have an index 1024, > and overflowed > > > > This patch moves nid setting to numa_clear_kernel_node_hotplug() to fix > this problem. > > > > Reported-by: Dave Jones > > Signed-off-by: Tang Chen > > Tested-by: Gu Zheng > > --- > > arch/x86/mm/numa.c | 19 +++ > > 1 file changed, 11 insertions(+), 8 deletions(-) > > This does seem to solve the problem (In conjunction with David's variant of > the other patch). Is this (and the first in the series) going to land in Linus' tree soon? I don't see them in -rc1 and people are still hitting the early oops Dave did without this. josh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 2/2] numa, mem-hotplug: Fix array index overflow when synchronizing nid to memblock.reserved.
On Tue, Jan 28, 2014 at 10:24 AM, Dave Jones da...@redhat.com wrote: On Tue, Jan 28, 2014 at 05:05:16PM +0800, Tang Chen wrote: The following path will cause array out of bound. memblock_add_region() will always set nid in memblock.reserved to MAX_NUMNODES. In numa_register_memblks(), after we set all nid to correct valus in memblock.reserved, we called setup_node_data(), and used memblock_alloc_nid() to allocate memory, with nid set to MAX_NUMNODES. The nodemask_t type can be seen as a bit array. And the index is 0 ~ MAX_NUMNODES-1. After that, when we call node_set() in numa_clear_kernel_node_hotplug(), the nodemask_t got an index of value MAX_NUMNODES, which is out of [0 ~ MAX_NUMNODES-1]. See below: numa_init() |--- numa_register_memblks() | |--- memblock_set_node(memory) set correct nid in memblock.memory | |--- memblock_set_node(reserved)set correct nid in memblock.reserved | |.. | |--- setup_node_data() | |--- memblock_alloc_nid()here, nid is set to MAX_NUMNODES (1024) |.. |--- numa_clear_kernel_node_hotplug() |--- node_set() here, we have an index 1024, and overflowed This patch moves nid setting to numa_clear_kernel_node_hotplug() to fix this problem. Reported-by: Dave Jones da...@redhat.com Signed-off-by: Tang Chen tangc...@cn.fujitsu.com Tested-by: Gu Zheng guz.f...@cn.fujitsu.com --- arch/x86/mm/numa.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) This does seem to solve the problem (In conjunction with David's variant of the other patch). Is this (and the first in the series) going to land in Linus' tree soon? I don't see them in -rc1 and people are still hitting the early oops Dave did without this. josh -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 2/2] numa, mem-hotplug: Fix array index overflow when synchronizing nid to memblock.reserved.
On Tue, Jan 28, 2014 at 05:05:16PM +0800, Tang Chen wrote: > The following path will cause array out of bound. > > memblock_add_region() will always set nid in memblock.reserved to > MAX_NUMNODES. > In numa_register_memblks(), after we set all nid to correct valus in > memblock.reserved, > we called setup_node_data(), and used memblock_alloc_nid() to allocate > memory, with > nid set to MAX_NUMNODES. > > The nodemask_t type can be seen as a bit array. And the index is 0 ~ > MAX_NUMNODES-1. > > After that, when we call node_set() in numa_clear_kernel_node_hotplug(), the > nodemask_t > got an index of value MAX_NUMNODES, which is out of [0 ~ MAX_NUMNODES-1]. > > See below: > > numa_init() > |---> numa_register_memblks() > | |---> memblock_set_node(memory) set correct nid in > memblock.memory > | |---> memblock_set_node(reserved)set correct nid in > memblock.reserved > | |.. > | |---> setup_node_data() > | |---> memblock_alloc_nid()here, nid is set to > MAX_NUMNODES (1024) > |.. > |---> numa_clear_kernel_node_hotplug() > |---> node_set() here, we have an index 1024, > and overflowed > > This patch moves nid setting to numa_clear_kernel_node_hotplug() to fix this > problem. > > Reported-by: Dave Jones > Signed-off-by: Tang Chen > Tested-by: Gu Zheng > --- > arch/x86/mm/numa.c | 19 +++ > 1 file changed, 11 insertions(+), 8 deletions(-) This does seem to solve the problem (In conjunction with David's variant of the other patch). Dave -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 2/2] numa, mem-hotplug: Fix array index overflow when synchronizing nid to memblock.reserved.
The following path will cause array out of bound. memblock_add_region() will always set nid in memblock.reserved to MAX_NUMNODES. In numa_register_memblks(), after we set all nid to correct valus in memblock.reserved, we called setup_node_data(), and used memblock_alloc_nid() to allocate memory, with nid set to MAX_NUMNODES. The nodemask_t type can be seen as a bit array. And the index is 0 ~ MAX_NUMNODES-1. After that, when we call node_set() in numa_clear_kernel_node_hotplug(), the nodemask_t got an index of value MAX_NUMNODES, which is out of [0 ~ MAX_NUMNODES-1]. See below: numa_init() |---> numa_register_memblks() | |---> memblock_set_node(memory) set correct nid in memblock.memory | |---> memblock_set_node(reserved) set correct nid in memblock.reserved | |.. | |---> setup_node_data() | |---> memblock_alloc_nid() here, nid is set to MAX_NUMNODES (1024) |.. |---> numa_clear_kernel_node_hotplug() |---> node_set()here, we have an index 1024, and overflowed This patch moves nid setting to numa_clear_kernel_node_hotplug() to fix this problem. Reported-by: Dave Jones Signed-off-by: Tang Chen Tested-by: Gu Zheng --- arch/x86/mm/numa.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c index 00c9f09..a183b43 100644 --- a/arch/x86/mm/numa.c +++ b/arch/x86/mm/numa.c @@ -493,14 +493,6 @@ static int __init numa_register_memblks(struct numa_meminfo *mi) struct numa_memblk *mb = >blk[i]; memblock_set_node(mb->start, mb->end - mb->start, , mb->nid); - - /* -* At this time, all memory regions reserved by memblock are -* used by the kernel. Set the nid in memblock.reserved will -* mark out all the nodes the kernel resides in. -*/ - memblock_set_node(mb->start, mb->end - mb->start, - , mb->nid); } /* @@ -571,6 +563,17 @@ static void __init numa_clear_kernel_node_hotplug(void) nodes_clear(numa_kernel_nodes); + /* +* At this time, all memory regions reserved by memblock are +* used by the kernel. Set the nid in memblock.reserved will +* mark out all the nodes the kernel resides in. +*/ + for (i = 0; i < numa_meminfo.nr_blks; i++) { + struct numa_memblk *mb = _meminfo.blk[i]; + memblock_set_node(mb->start, mb->end - mb->start, + , mb->nid); + } + /* Mark all kernel nodes. */ for (i = 0; i < type->cnt; i++) node_set(type->regions[i].nid, numa_kernel_nodes); -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 2/2] numa, mem-hotplug: Fix array index overflow when synchronizing nid to memblock.reserved.
The following path will cause array out of bound. memblock_add_region() will always set nid in memblock.reserved to MAX_NUMNODES. In numa_register_memblks(), after we set all nid to correct valus in memblock.reserved, we called setup_node_data(), and used memblock_alloc_nid() to allocate memory, with nid set to MAX_NUMNODES. The nodemask_t type can be seen as a bit array. And the index is 0 ~ MAX_NUMNODES-1. After that, when we call node_set() in numa_clear_kernel_node_hotplug(), the nodemask_t got an index of value MAX_NUMNODES, which is out of [0 ~ MAX_NUMNODES-1]. See below: numa_init() |--- numa_register_memblks() | |--- memblock_set_node(memory) set correct nid in memblock.memory | |--- memblock_set_node(reserved) set correct nid in memblock.reserved | |.. | |--- setup_node_data() | |--- memblock_alloc_nid() here, nid is set to MAX_NUMNODES (1024) |.. |--- numa_clear_kernel_node_hotplug() |--- node_set()here, we have an index 1024, and overflowed This patch moves nid setting to numa_clear_kernel_node_hotplug() to fix this problem. Reported-by: Dave Jones da...@redhat.com Signed-off-by: Tang Chen tangc...@cn.fujitsu.com Tested-by: Gu Zheng guz.f...@cn.fujitsu.com --- arch/x86/mm/numa.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c index 00c9f09..a183b43 100644 --- a/arch/x86/mm/numa.c +++ b/arch/x86/mm/numa.c @@ -493,14 +493,6 @@ static int __init numa_register_memblks(struct numa_meminfo *mi) struct numa_memblk *mb = mi-blk[i]; memblock_set_node(mb-start, mb-end - mb-start, memblock.memory, mb-nid); - - /* -* At this time, all memory regions reserved by memblock are -* used by the kernel. Set the nid in memblock.reserved will -* mark out all the nodes the kernel resides in. -*/ - memblock_set_node(mb-start, mb-end - mb-start, - memblock.reserved, mb-nid); } /* @@ -571,6 +563,17 @@ static void __init numa_clear_kernel_node_hotplug(void) nodes_clear(numa_kernel_nodes); + /* +* At this time, all memory regions reserved by memblock are +* used by the kernel. Set the nid in memblock.reserved will +* mark out all the nodes the kernel resides in. +*/ + for (i = 0; i numa_meminfo.nr_blks; i++) { + struct numa_memblk *mb = numa_meminfo.blk[i]; + memblock_set_node(mb-start, mb-end - mb-start, + memblock.reserved, mb-nid); + } + /* Mark all kernel nodes. */ for (i = 0; i type-cnt; i++) node_set(type-regions[i].nid, numa_kernel_nodes); -- 1.8.3.1 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 2/2] numa, mem-hotplug: Fix array index overflow when synchronizing nid to memblock.reserved.
On Tue, Jan 28, 2014 at 05:05:16PM +0800, Tang Chen wrote: The following path will cause array out of bound. memblock_add_region() will always set nid in memblock.reserved to MAX_NUMNODES. In numa_register_memblks(), after we set all nid to correct valus in memblock.reserved, we called setup_node_data(), and used memblock_alloc_nid() to allocate memory, with nid set to MAX_NUMNODES. The nodemask_t type can be seen as a bit array. And the index is 0 ~ MAX_NUMNODES-1. After that, when we call node_set() in numa_clear_kernel_node_hotplug(), the nodemask_t got an index of value MAX_NUMNODES, which is out of [0 ~ MAX_NUMNODES-1]. See below: numa_init() |--- numa_register_memblks() | |--- memblock_set_node(memory) set correct nid in memblock.memory | |--- memblock_set_node(reserved)set correct nid in memblock.reserved | |.. | |--- setup_node_data() | |--- memblock_alloc_nid()here, nid is set to MAX_NUMNODES (1024) |.. |--- numa_clear_kernel_node_hotplug() |--- node_set() here, we have an index 1024, and overflowed This patch moves nid setting to numa_clear_kernel_node_hotplug() to fix this problem. Reported-by: Dave Jones da...@redhat.com Signed-off-by: Tang Chen tangc...@cn.fujitsu.com Tested-by: Gu Zheng guz.f...@cn.fujitsu.com --- arch/x86/mm/numa.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) This does seem to solve the problem (In conjunction with David's variant of the other patch). Dave -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/