From: George Kennedy <george.kennedy@oracle.com>
To: robert.moore@intel.com, erik.kaneda@intel.com,
rafael.j.wysocki@intel.com, lenb@kernel.org,
linux-acpi@vger.kernel.org, devel@acpica.org,
linux-kernel@vger.kernel.org, rppt@linux.ibm.com,
konrad.wilk@oracle.com, dan.carpenter@oracle.com,
dhaval.giani@oracle.com
Cc: george.kennedy@oracle.com
Subject: [PATCH 1/1] ACPI: fix acpi table use after free
Date: Wed, 3 Mar 2021 15:09:20 -0500
Message-ID: <1614802160-29362-1-git-send-email-george.kennedy@oracle.com>

Since commit 7fef431be9c9 ("mm/page_alloc: place pages to tail
in __free_pages_core()") the following use after free occurs
intermittently when acpi tables are accessed.

BUG: KASAN: use-after-free in ibft_init+0x134/0xc49
Read of size 4 at addr ffff8880be453004 by task swapper/0/1

CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1-7a7fd0d #1
Call Trace:
 dump_stack+0xf6/0x158
 print_address_description.constprop.9+0x41/0x60
 kasan_report.cold.14+0x7b/0xd4
 __asan_report_load_n_noabort+0xf/0x20
 ibft_init+0x134/0xc49
 do_one_initcall+0xc4/0x3e0
 kernel_init_freeable+0x5af/0x66b
 kernel_init+0x16/0x1d0
 ret_from_fork+0x22/0x30

ACPI tables mapped via kmap() do not have their mapped pages
reserved and the pages can be "stolen" by the buddy allocator.
Use memblock_reserve() to reserve all the ACPI table pages.

Signed-off-by: George Kennedy <george.kennedy@oracle.com>
---
arch/x86/kernel/setup.c | 3 +--
drivers/acpi/acpica/tbinstal.c | 4 ++++
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index d883176..97deea3 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1046,6 +1046,7 @@ void __init setup_arch(char **cmdline_p)
cleanup_highmap();
memblock_set_current_limit(ISA_END_ADDRESS);
+ acpi_boot_table_init();
e820__memblock_setup();
/*
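Review bot: the new acpi_boot_table_init() call sits between memblock_set_current_limit(ISA_END_ADDRESS) and e820__memblock_setup(), but the changelog only mentions adding memblock_reserve() and does not say why table initialization has to move this early. Please state the ordering requirement in the commit message and in a comment at the new call site, and confirm that everything acpi_boot_table_init() relies on is already set up at this point in setup_arch().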
@@ -1139,8 +1140,6 @@ void __init setup_arch(char **cmdline_p)
/*
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
- acpi_boot_table_init();
-
early_acpi_boot_init();
initmem_init();
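Review bot: with the call removed here, the comment "Parse the ACPI tables for possible boot-time SMP configuration." now heads early_acpi_boot_init() alone, while the relocated acpi_boot_table_init() has no comment at its new position. Check that the comment still describes what remains under it, and move or reword it so both call sites are documented.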
diff --git a/drivers/acpi/acpica/tbinstal.c b/drivers/acpi/acpica/tbinstal.c
index 8d1e5b5..4e32b22 100644
--- a/drivers/acpi/acpica/tbinstal.c
+++ b/drivers/acpi/acpica/tbinstal.c
@@ -8,6 +8,7 @@
*****************************************************************************/
#include <acpi/acpi.h>
+#include <linux/memblock.h>
#include "accommon.h"
#include "actables.h"
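Review bot: #include <linux/memblock.h> pulls a Linux mm header into a file under drivers/acpi/acpica whose other includes are only <acpi/acpi.h>, "accommon.h" and "actables.h", and the patch is addressed to devel@acpica.org, so this makes tbinstal.c depend on a Linux-only interface. Consider doing the reservation from Linux-side ACPI code, or behind an OS-layer hook, so this file does not need the include.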
@@ -58,6 +59,9 @@
new_table_desc->flags,
new_table_desc->pointer);
+ memblock_reserve(new_table_desc->address,
+ PAGE_ALIGN(new_table_desc->pointer->length));
+
acpi_tb_print_table_header(new_table_desc->address,
new_table_desc->pointer);
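Review bot: the added memblock_reserve() call runs unconditionally on every table installed through this path and its return value is discarded. Nothing in the hunk checks new_table_desc->flags (passed two lines above) to confirm that new_table_desc->address is a physical address suitable for memblock, or that the call happens while memblock is still the active allocator, and a failed reservation would go unnoticed and leave the table pages open to the same reuse. Suggest gating the call on those conditions and at least logging a failure. Only the length is rounded with PAGE_ALIGN() while the base is passed as is, so a short comment stating the intended reserved range would also help.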
--
1.8.3.1