leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
20b1e22d01
linux/drivers/firmware
History
Nicolai Stange 20b1e22d01 x86/efi: Don't allocate memmap through memblock after mm_init() 
With the following commit:

  4bc9f92e64 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")

...  efi_bgrt_init() calls into the memblock allocator through
efi_mem_reserve() => efi_arch_mem_reserve() *after* mm_init() has been called.

Indeed, KASAN reports a bad read access later on in efi_free_boot_services():

  BUG: KASAN: use-after-free in efi_free_boot_services+0xae/0x24c
            at addr ffff88022de12740
  Read of size 4 by task swapper/0/0
  page:ffffea0008b78480 count:0 mapcount:-127
  mapping:          (null) index:0x1 flags: 0x5fff8000000000()
  [...]
  Call Trace:
   dump_stack+0x68/0x9f
   kasan_report_error+0x4c8/0x500
   kasan_report+0x58/0x60
   __asan_load4+0x61/0x80
   efi_free_boot_services+0xae/0x24c
   start_kernel+0x527/0x562
   x86_64_start_reservations+0x24/0x26
   x86_64_start_kernel+0x157/0x17a
   start_cpu+0x5/0x14

The instruction at the given address is the first read from the memmap's
memory, i.e. the read of md->type in efi_free_boot_services().

Note that the writes earlier in efi_arch_mem_reserve() don't splat because
they're done through early_memremap()ed addresses.

So, after memblock is gone, allocations should be done through the "normal"
page allocator. Introduce a helper, efi_memmap_alloc() for this. Use
it from efi_arch_mem_reserve(), efi_free_boot_services() and, for the sake
of consistency, from efi_fake_memmap() as well.

Note that for the latter, the memmap allocations cease to be page aligned.
This isn't needed though.

Tested-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: <stable@vger.kernel.org> # v4.9
Cc: Dave Young <dyoung@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Mika Penttilä <mika.penttila@nextfour.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Fixes: 4bc9f92e64 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")
Link: http://lkml.kernel.org/r/20170105125130.2815-1-nicstange@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-07 08:58:07 +01:00
..
broadcom tree-wide: replace config_enabled() with IS_ENABLED() 2016-08-04 08:50:07 -04:00
efi x86/efi: Don't allocate memmap through memblock after mm_init() 2017-01-07 08:58:07 +01:00
google firmware-gsmi: Delete an unnecessary check before the function call "dma_pool_destroy" 2016-09-09 16:08:45 +01:00
meson firmware: Amlogic: Add secure monitor driver 2016-09-01 14:23:39 -07:00
tegra firmware: tegra: Add BPMP support 2016-11-18 14:33:43 +01:00
arm_scpi.c firmware: arm_scpi: add support for pre-v1.0 SCPI compatible 2016-11-17 16:31:20 +00:00
dcdbas.c dcdbas: Make use of smp_call_on_cpu() 2016-09-05 13:52:40 +02:00
dcdbas.h
dell_rbu.c
dmi_scan.c firmware: dmi_scan: Always show system identification string 2016-12-19 10:01:47 +01:00
dmi-id.c dmi-id: don't free dev structure after calling device_register 2016-09-08 10:35:50 +02:00
dmi-sysfs.c firmware: dmi_scan: add SBMIOS entry and DMI tables 2015-06-25 09:06:56 +02:00
edd.c [SCSI] edd: Treat "XPRS" host bus type the same as "PCI" 2011-10-31 13:26:19 +04:00
iscsi_ibft_find.c efi: Make 'efi_enabled' a function to query EFI facilities 2013-01-30 11:51:59 -08:00
iscsi_ibft.c ibft: Expose iBFT acpi header via sysfs 2016-05-16 11:14:29 -04:00
Kconfig Merge branch 'for-4.10-ti-sci-base' of https://github.com/t-kristo/linux-pm into next/drivers 2016-11-30 17:13:13 +01:00
Makefile Merge branch 'for-4.10-ti-sci-base' of https://github.com/t-kristo/linux-pm into next/drivers 2016-11-30 17:13:13 +01:00
memmap.c drivers/firmware/memmap.c: fix kernel-doc format 2015-06-25 17:00:41 -07:00
pcdp.c serial: 8250_early: Remove setup_early_serial8250_console() 2015-03-26 17:25:27 +01:00
pcdp.h
psci_checker.c drivers: psci: PSCI checker module 2016-11-25 23:25:52 +01:00
psci.c drivers: psci: Allow PSCI node to be disabled 2016-11-25 23:26:05 +01:00
qcom_scm-32.c firmware: qcom: scm: Expose PAS command 10 as reset-controller 2016-06-24 22:53:52 -05:00
qcom_scm-64.c firmware: qcom: scm: Expose PAS command 10 as reset-controller 2016-06-24 22:53:52 -05:00
qcom_scm.c firmware: qcom: scm: Return PTR_ERR when devm_clk_get fails 2016-11-23 11:03:00 -06:00
qcom_scm.h firmware: qcom: scm: Expose PAS command 10 as reset-controller 2016-06-24 22:53:52 -05:00
qemu_fw_cfg.c driver core update for 4.7-rc1 2016-05-20 21:26:15 -07:00
raspberrypi.c ARM: bcm2835: Add the Raspberry Pi firmware driver 2015-10-14 15:30:06 -07:00
scpi_pm_domain.c firmware: scpi: add device power domain support using genpd 2016-06-21 10:26:51 +01:00
ti_sci.c firmware: ti_sci: Add support for reboot core service 2016-10-27 12:09:12 +03:00
ti_sci.h firmware: ti_sci: Add support for reboot core service 2016-10-27 12:09:12 +03:00