With the following commit 4bc9f92e64 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data") ... efi_bgrt_init() calls into the memblock allocator through efi_mem_reserve() => efi_arch_mem_reserve() *after* mm_init() has been called. Indeed, KASAN reports a bad read access later on in efi_free_boot_services(): BUG: KASAN: use-after-free in efi_free_boot_services+0xae/0x24c at addr ffff88022de12740 Read of size 4 by task swapper/0/0 page:ffffea0008b78480 count:0 mapcount:-127 mapping: (null) index:0x1 flags: 0x5fff8000000000() [...] Call Trace: dump_stack+0x68/0x9f kasan_report_error+0x4c8/0x500 kasan_report+0x58/0x60 __asan_load4+0x61/0x80 efi_free_boot_services+0xae/0x24c start_kernel+0x527/0x562 x86_64_start_reservations+0x24/0x26 x86_64_start_kernel+0x157/0x17a start_cpu+0x5/0x14 The instruction at the given address is the first read from the memmap's memory, i.e. the read of md->type in efi_free_boot_services(). Note that the writes earlier in efi_arch_mem_reserve() don't splat because they're done through early_memremap()ed addresses. So, after memblock is gone, allocations should be done through the "normal" page allocator. Introduce a helper, efi_memmap_alloc(), for this. Use it from efi_arch_mem_reserve(), efi_free_boot_services() and, for the sake of consistency, from efi_fake_memmap() as well. Note that for the latter, the memmap allocations cease to be page aligned. This isn't needed though.
Tested-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: <stable@vger.kernel.org> # v4.9
Cc: Dave Young <dyoung@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Mika Penttilä <mika.penttila@nextfour.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Fixes: 4bc9f92e64 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")
Link: http://lkml.kernel.org/r/20170105125130.2815-1-nicstange@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
| /*
 | |
|  * fake_mem.c
 | |
|  *
 | |
|  * Copyright (C) 2015 FUJITSU LIMITED
 | |
|  * Author: Taku Izumi <izumi.taku@jp.fujitsu.com>
 | |
|  *
 | |
|  * This code introduces new boot option named "efi_fake_mem"
 | |
|  * By specifying this parameter, you can add arbitrary attribute to
 | |
|  * specific memory range by updating original (firmware provided) EFI
 | |
|  * memmap.
 | |
|  *
 | |
|  *  This program is free software; you can redistribute it and/or modify it
 | |
|  *  under the terms and conditions of the GNU General Public License,
 | |
|  *  version 2, as published by the Free Software Foundation.
 | |
|  *
 | |
|  *  This program is distributed in the hope it will be useful, but WITHOUT
 | |
|  *  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 | |
|  *  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
 | |
|  *  more details.
 | |
|  *
 | |
|  *  You should have received a copy of the GNU General Public License along with
 | |
|  *  this program; if not, see <http://www.gnu.org/licenses/>.
 | |
|  *
 | |
|  *  The full GNU General Public License is included in this distribution in
 | |
|  *  the file called "COPYING".
 | |
|  */
 | |
| 
 | |
| #include <linux/kernel.h>
 | |
| #include <linux/efi.h>
 | |
| #include <linux/init.h>
 | |
| #include <linux/memblock.h>
 | |
| #include <linux/types.h>
 | |
| #include <linux/sort.h>
 | |
| #include <asm/efi.h>
 | |
| 
 | |
/* Upper bound on the number of efi_fake_mem= entries; comes from Kconfig. */
#define EFI_MAX_FAKEMEM CONFIG_EFI_MAX_FAKE_MEM

/*
 * Ranges parsed from the efi_fake_mem= boot parameter.  setup_fake_mem()
 * fills the table and sorts it by range.start (see cmp_fake_mem()).
 */
static struct efi_mem_range fake_mems[EFI_MAX_FAKEMEM];
/* Number of valid entries in fake_mems[]. */
static int nr_fake_mem;
 | |
| 
 | |
/*
 * sort() comparator for fake_mems[]: orders entries by ascending
 * range.start.  Returns <0, 0 or >0 like strcmp().
 */
static int __init cmp_fake_mem(const void *x1, const void *x2)
{
	u64 a = ((const struct efi_mem_range *)x1)->range.start;
	u64 b = ((const struct efi_mem_range *)x2)->range.start;

	/* (a > b) - (a < b) yields exactly -1, 0 or 1 without branching. */
	return (a > b) - (a < b);
}
 | |
| 
 | |
/*
 * Apply the efi_fake_mem= ranges to the firmware-provided EFI memory map.
 *
 * Allocates a new, larger memmap, lets efi_memmap_insert() populate it from
 * efi.memmap and each fake_mems[] entry, and then installs it in place of
 * the original map.  Does nothing when no efi_fake_mem= entries were parsed.
 */
void __init efi_fake_memmap(void)
{
	int new_nr_map = efi.memmap.nr_map;
	efi_memory_desc_t *md;
	phys_addr_t new_memmap_phy;
	void *new_memmap;
	int i;

	if (!nr_fake_mem)
		return;

	/*
	 * Count up the number of EFI memory descriptors the new map needs:
	 * efi_memmap_split_count() reports how many extra descriptors each
	 * fake range adds when it cuts through an existing one.
	 */
	for (i = 0; i < nr_fake_mem; i++) {
		for_each_efi_memory_desc(md) {
			struct range *r = &fake_mems[i].range;

			new_nr_map += efi_memmap_split_count(md, r);
		}
	}

	/* allocate memory for new EFI memmap */
	new_memmap_phy = efi_memmap_alloc(new_nr_map);
	if (!new_memmap_phy)
		return;

	/*
	 * Create new EFI memmap: map the physical allocation temporarily
	 * with early_memremap() so it can be filled in.
	 */
	new_memmap = early_memremap(new_memmap_phy,
				    efi.memmap.desc_size * new_nr_map);
	if (!new_memmap) {
		/*
		 * NOTE(review): efi_memmap_alloc() hides which allocator was
		 * used, but this error path always frees through memblock.
		 * That only matches while this runs before the page
		 * allocator is up; confirm if efi_fake_memmap() ever gains a
		 * later caller.
		 */
		memblock_free(new_memmap_phy, efi.memmap.desc_size * new_nr_map);
		return;
	}

	for (i = 0; i < nr_fake_mem; i++)
		efi_memmap_insert(&efi.memmap, new_memmap, &fake_mems[i]);

	/* Drop the scratch mapping, then swap the new map into efi.memmap. */
	early_memunmap(new_memmap, efi.memmap.desc_size * new_nr_map);

	efi_memmap_install(new_memmap_phy, new_nr_map);

	/* print new EFI memmap */
	efi_print_memmap();
}
 | |
| 
 | |
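/*
 * Parse the "efi_fake_mem=" boot parameter:
 *
 *   efi_fake_mem=<size>@<start>:<attribute>[,<size>@<start>:<attribute>...]
 *
 * Each entry is recorded in fake_mems[] (at most EFI_MAX_FAKEMEM of them),
 * the table is sorted by start address and the accepted entries are logged.
 * They are applied to the firmware memmap later by efi_fake_memmap().
 *
 * Returns 0 when the whole string was consumed, -EINVAL otherwise: NULL
 * argument, an entry missing its '@' or ':' part, trailing garbage, or a
 * range that is empty or whose end would wrap past the end of the u64
 * address space.  Entries parsed before an error are kept, as before.
 */
static int __init setup_fake_mem(char *p)
{
	u64 start = 0, mem_size = 0, attribute = 0;
	bool bad_range = false;
	int i;

	if (!p)
		return -EINVAL;

	while (*p != '\0') {
		mem_size = memparse(p, &p);
		if (*p == '@')
			start = memparse(p+1, &p);
		else
			break;

		if (*p == ':')
			attribute = simple_strtoull(p+1, &p, 0);
		else
			break;

		/*
		 * range.end is computed as start + mem_size - 1.  A zero size
		 * makes it wrap below start (and for start == 0 it wraps to
		 * U64_MAX, i.e. the "range" covers everything); a size that
		 * overflows u64 is equally meaningless.  Reject both rather
		 * than feeding a bogus range to efi_memmap_insert().
		 */
		if (!mem_size || mem_size - 1 > U64_MAX - start) {
			bad_range = true;
			break;
		}

		/* Silently stop once the table is full. */
		if (nr_fake_mem >= EFI_MAX_FAKEMEM)
			break;

		fake_mems[nr_fake_mem].range.start = start;
		fake_mems[nr_fake_mem].range.end = start + mem_size - 1;
		fake_mems[nr_fake_mem].attribute = attribute;
		nr_fake_mem++;

		if (*p == ',')
			p++;
	}

	/* efi_fake_memmap() relies on the entries being ordered by start. */
	sort(fake_mems, nr_fake_mem, sizeof(struct efi_mem_range),
	     cmp_fake_mem, NULL);

	for (i = 0; i < nr_fake_mem; i++)
		pr_info("efi_fake_mem: add attr=0x%016llx to [mem 0x%016llx-0x%016llx]",
			fake_mems[i].attribute, fake_mems[i].range.start,
			fake_mems[i].range.end);

	return (*p == '\0' && !bad_range) ? 0 : -EINVAL;
}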
 | |
| 
 | |
| early_param("efi_fake_mem", setup_fake_mem);
 |