path: root/tools/lib/traceevent/plugins/plugin_function.c
author: Rik van Riel <[email protected]> 2025-10-06 03:48:05 +0000
committer: Dave Hansen <[email protected]> 2025-10-13 20:55:48 +0000
commit: f25785f9b088ed65089dd0d0034da52858417839
tree: 8352a68f1011067e76ea08bbc3c4b15eeb8e7fe8 /tools/lib/traceevent/plugins/plugin_function.c
parent: x86/resctrl: Fix miscount of bandwidth event when reactivating previously una...
x86/mm: Fix overflow in __cpa_addr()

The change to have cpa_flush() call flush_kernel_pages() introduced
a bug where __cpa_addr() can access an address one larger than the
largest one in the cpa->pages array.

KASAN reports the issue like this:

    BUG: KASAN: slab-out-of-bounds in __cpa_addr arch/x86/mm/pat/set_memory.c:309 [inline]
    BUG: KASAN: slab-out-of-bounds in __cpa_addr+0x1d3/0x220 arch/x86/mm/pat/set_memory.c:306
    Read of size 8 at addr ffff88801f75e8f8 by task syz.0.17/5978

This bug could cause cpa_flush() to not properly flush memory,
which somehow never showed any symptoms in my tests, possibly
because cpa_flush() is called so rarely, but could potentially
cause issues for other people.

Fix the issue by directly calculating the flush end address
from the start address.

Fixes: 86e6815b316e ("x86/mm: Change cpa_flush() to call flush_kernel_range() directly")
Reported-by: [email protected]
Signed-off-by: Rik van Riel <[email protected]>
Signed-off-by: Dave Hansen <[email protected]>
Reviewed-by: Kiryl Shutsemau <[email protected]>
Link: https://lore.kernel.org/all/[email protected]/

Diffstat (limited to 'tools/lib/traceevent/plugins/plugin_function.c')
0 files changed, 0 insertions, 0 deletions
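
A user-space model of the off-by-one the commit message above describes, added here as an illustration and not taken from the kernel or from the patch. It assumes the end of each flush range was looked up at index i + 1 of the page array; `cpa_model`, `model_addr` and `pages_covered` are hypothetical names, and the addresses are constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

/* Constructed stand-in for the page-array case; not the kernel struct. */
struct cpa_model {
    const unsigned long *pages; /* one address per page, any order */
    size_t numpages;
    size_t oob_reads;           /* lookups past the last entry */
};

/* Checked lookup: counts an out-of-range index instead of reading it. */
static unsigned long model_addr(struct cpa_model *cpa, size_t idx)
{
    if (idx < cpa->numpages)
        return cpa->pages[idx];
    cpa->oob_reads++;
    return 0;
}

/*
 * Returns how many pages lie fully inside the range flushed for them.
 * end_from_start == 0: assumed buggy shape, end looked up at idx + 1.
 * end_from_start == 1: end calculated from start, as the message says.
 */
static size_t pages_covered(struct cpa_model *cpa, int end_from_start)
{
    size_t covered = 0;
    cpa->oob_reads = 0;
    for (size_t i = 0; i < cpa->numpages; i++) {
        unsigned long start = model_addr(cpa, i);
        unsigned long end = end_from_start ? start + PAGE_SIZE
                                           : model_addr(cpa, i + 1);
        if (end >= start + PAGE_SIZE)
            covered++;
    }
    return covered;
}

int main(void)
{
    static const unsigned long pages[] = { 0x3000, 0x1000, 0x8000 }; /* constructed */
    struct cpa_model cpa = { pages, 3, 0 };
    size_t n = pages_covered(&cpa, 0);
    printf("lookup end:   covered=%zu oob_reads=%zu\n", n, cpa.oob_reads);
    n = pages_covered(&cpa, 1);
    printf("computed end: covered=%zu oob_reads=%zu\n", n, cpa.oob_reads);
    return 0;
}
```

With non-contiguous pages, the lookup variant both indexes past the last entry on the final iteration and derives ranges that miss pages, which is the "not properly flush memory" effect the message mentions.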