diff options
| author | Nicolai Stange <nicstange@gmail.com> | 2017-01-05 07:51:29 -0500 |
|---|---|---|
| committer | Ingo Molnar <mingo@kernel.org> | 2017-01-07 02:58:07 -0500 |
| commit | 20b1e22d01a4b0b11d3a1066e9feb04be38607ec (patch) | |
| tree | 614e00a43b1e0d6af54685d52e12b106bc5cae23 | |
| parent | abfb7b686a3e5be27bf81db62f9c5c895b76f5d1 (diff) | |
x86/efi: Don't allocate memmap through memblock after mm_init()
With the following commit:
4bc9f92e64c8 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")
... efi_bgrt_init() calls into the memblock allocator through
efi_mem_reserve() => efi_arch_mem_reserve() *after* mm_init() has been called.
Indeed, KASAN reports a bad read access later on in efi_free_boot_services():
BUG: KASAN: use-after-free in efi_free_boot_services+0xae/0x24c
at addr ffff88022de12740
Read of size 4 by task swapper/0/0
page:ffffea0008b78480 count:0 mapcount:-127
mapping: (null) index:0x1 flags: 0x5fff8000000000()
[...]
Call Trace:
dump_stack+0x68/0x9f
kasan_report_error+0x4c8/0x500
kasan_report+0x58/0x60
__asan_load4+0x61/0x80
efi_free_boot_services+0xae/0x24c
start_kernel+0x527/0x562
x86_64_start_reservations+0x24/0x26
x86_64_start_kernel+0x157/0x17a
start_cpu+0x5/0x14
The instruction at the given address is the first read from the memmap's
memory, i.e. the read of md->type in efi_free_boot_services().
Note that the writes earlier in efi_arch_mem_reserve() don't splat because
they're done through early_memremap()ed addresses.
So, after memblock is gone, allocations should be done through the "normal"
page allocator. Introduce a helper, efi_memmap_alloc() for this. Use
it from efi_arch_mem_reserve(), efi_free_boot_services() and, for the sake
of consistency, from efi_fake_memmap() as well.
Note that for the latter, the memmap allocations cease to be page aligned.
This isn't needed though.
Tested-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: <stable@vger.kernel.org> # v4.9
Cc: Dave Young <dyoung@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Mika Penttilä <mika.penttila@nextfour.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Fixes: 4bc9f92e64c8 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")
Link: http://lkml.kernel.org/r/20170105125130.2815-1-nicstange@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
| -rw-r--r-- | arch/x86/platform/efi/quirks.c | 4 | ||||
| -rw-r--r-- | drivers/firmware/efi/fake_mem.c | 3 | ||||
| -rw-r--r-- | drivers/firmware/efi/memmap.c | 38 | ||||
| -rw-r--r-- | include/linux/efi.h | 1 |
4 files changed, 42 insertions, 4 deletions
diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c index 10aca63a50d7..30031d5293c4 100644 --- a/arch/x86/platform/efi/quirks.c +++ b/arch/x86/platform/efi/quirks.c | |||
| @@ -214,7 +214,7 @@ void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size) | |||
| 214 | 214 | ||
| 215 | new_size = efi.memmap.desc_size * num_entries; | 215 | new_size = efi.memmap.desc_size * num_entries; |
| 216 | 216 | ||
| 217 | new_phys = memblock_alloc(new_size, 0); | 217 | new_phys = efi_memmap_alloc(num_entries); |
| 218 | if (!new_phys) { | 218 | if (!new_phys) { |
| 219 | pr_err("Could not allocate boot services memmap\n"); | 219 | pr_err("Could not allocate boot services memmap\n"); |
| 220 | return; | 220 | return; |
| @@ -355,7 +355,7 @@ void __init efi_free_boot_services(void) | |||
| 355 | } | 355 | } |
| 356 | 356 | ||
| 357 | new_size = efi.memmap.desc_size * num_entries; | 357 | new_size = efi.memmap.desc_size * num_entries; |
| 358 | new_phys = memblock_alloc(new_size, 0); | 358 | new_phys = efi_memmap_alloc(num_entries); |
| 359 | if (!new_phys) { | 359 | if (!new_phys) { |
| 360 | pr_err("Failed to allocate new EFI memmap\n"); | 360 | pr_err("Failed to allocate new EFI memmap\n"); |
| 361 | return; | 361 | return; |
diff --git a/drivers/firmware/efi/fake_mem.c b/drivers/firmware/efi/fake_mem.c index 520a40e5e0e4..6c7d60c239b5 100644 --- a/drivers/firmware/efi/fake_mem.c +++ b/drivers/firmware/efi/fake_mem.c | |||
| @@ -71,8 +71,7 @@ void __init efi_fake_memmap(void) | |||
| 71 | } | 71 | } |
| 72 | 72 | ||
| 73 | /* allocate memory for new EFI memmap */ | 73 | /* allocate memory for new EFI memmap */ |
| 74 | new_memmap_phy = memblock_alloc(efi.memmap.desc_size * new_nr_map, | 74 | new_memmap_phy = efi_memmap_alloc(new_nr_map); |
| 75 | PAGE_SIZE); | ||
| 76 | if (!new_memmap_phy) | 75 | if (!new_memmap_phy) |
| 77 | return; | 76 | return; |
| 78 | 77 | ||
diff --git a/drivers/firmware/efi/memmap.c b/drivers/firmware/efi/memmap.c index f03ddecd232b..78686443cb37 100644 --- a/drivers/firmware/efi/memmap.c +++ b/drivers/firmware/efi/memmap.c | |||
| @@ -9,6 +9,44 @@ | |||
| 9 | #include <linux/efi.h> | 9 | #include <linux/efi.h> |
| 10 | #include <linux/io.h> | 10 | #include <linux/io.h> |
| 11 | #include <asm/early_ioremap.h> | 11 | #include <asm/early_ioremap.h> |
| 12 | #include <linux/memblock.h> | ||
| 13 | #include <linux/slab.h> | ||
| 14 | |||
| 15 | static phys_addr_t __init __efi_memmap_alloc_early(unsigned long size) | ||
| 16 | { | ||
| 17 | return memblock_alloc(size, 0); | ||
| 18 | } | ||
| 19 | |||
| 20 | static phys_addr_t __init __efi_memmap_alloc_late(unsigned long size) | ||
| 21 | { | ||
| 22 | unsigned int order = get_order(size); | ||
| 23 | struct page *p = alloc_pages(GFP_KERNEL, order); | ||
| 24 | |||
| 25 | if (!p) | ||
| 26 | return 0; | ||
| 27 | |||
| 28 | return PFN_PHYS(page_to_pfn(p)); | ||
| 29 | } | ||
| 30 | |||
| 31 | /** | ||
| 32 | * efi_memmap_alloc - Allocate memory for the EFI memory map | ||
| 33 | * @num_entries: Number of entries in the allocated map. | ||
| 34 | * | ||
| 35 | * Depending on whether mm_init() has already been invoked or not, | ||
| 36 | * either memblock or "normal" page allocation is used. | ||
| 37 | * | ||
| 38 | * Returns the physical address of the allocated memory map on | ||
| 39 | * success, zero on failure. | ||
| 40 | */ | ||
| 41 | phys_addr_t __init efi_memmap_alloc(unsigned int num_entries) | ||
| 42 | { | ||
| 43 | unsigned long size = num_entries * efi.memmap.desc_size; | ||
| 44 | |||
| 45 | if (slab_is_available()) | ||
| 46 | return __efi_memmap_alloc_late(size); | ||
| 47 | |||
| 48 | return __efi_memmap_alloc_early(size); | ||
| 49 | } | ||
| 12 | 50 | ||
| 13 | /** | 51 | /** |
| 14 | * __efi_memmap_init - Common code for mapping the EFI memory map | 52 | * __efi_memmap_init - Common code for mapping the EFI memory map |
diff --git a/include/linux/efi.h b/include/linux/efi.h index a07a476178cd..0c5420208c40 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h | |||
| @@ -950,6 +950,7 @@ static inline efi_status_t efi_query_variable_store(u32 attributes, | |||
| 950 | #endif | 950 | #endif |
| 951 | extern void __iomem *efi_lookup_mapped_addr(u64 phys_addr); | 951 | extern void __iomem *efi_lookup_mapped_addr(u64 phys_addr); |
| 952 | 952 | ||
| 953 | extern phys_addr_t __init efi_memmap_alloc(unsigned int num_entries); | ||
| 953 | extern int __init efi_memmap_init_early(struct efi_memory_map_data *data); | 954 | extern int __init efi_memmap_init_early(struct efi_memory_map_data *data); |
| 954 | extern int __init efi_memmap_init_late(phys_addr_t addr, unsigned long size); | 955 | extern int __init efi_memmap_init_late(phys_addr_t addr, unsigned long size); |
| 955 | extern void __init efi_memmap_unmap(void); | 956 | extern void __init efi_memmap_unmap(void); |