* 5.4.y, 4.14.y, 4.19.y [PATCH] ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade()
From: George Kennedy @ 2021-04-30 19:03 UTC
  To: Greg Kroah-Hartman
  Cc: Dhaval Giani, Konrad Rzeszutek Wilk, stable, Rafael J. Wysocki,
	Linux ACPI, Mike Rapoport, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, x86 Maintainers

commit 6998a8800d73116187aad542391ce3b2dd0f9e30 upstream.

Upstream commit 6998a8800d73116187aad542391ce3b2dd0f9e30 along with 
upstream commit 1a1c130ab7575498eed5bcf7220037ae09cd1f8a (ACPI: tables: 
x86: Reserve memory occupied by ACPI tables) fixes the following issue.

Mounting an iSCSI volume during boot causes the following crash with a
KASAN-enabled kernel:

[   17.239703] iscsi: registered transport (iser)
[   17.241038] OPA Virtual Network Driver - v1.0
[   17.242833] iBFT detected.
[   17.243593] ==================================================================
[   17.243615] BUG: KASAN: use-after-free in ibft_init+0x134/0xab7
[   17.243615] Read of size 4 at addr ffff8880be451004 by task swapper/0/1
[   17.243615]
[   17.243615] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.19.190-rc1-1bd8f1c #1
[   17.243615] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
[   17.243615] Call Trace:
[   17.243615]  dump_stack+0xb3/0xf0
[   17.243615]  ? ibft_init+0x134/0xab7
[   17.243615]  print_address_description+0x71/0x239
[   17.243615]  ? ibft_init+0x134/0xab7
[   17.243615]  kasan_report.cold.6+0x242/0x2fe
[   17.243615]  __asan_report_load_n_noabort+0x14/0x20
[   17.243615]  ibft_init+0x134/0xab7
[   17.243615]  ? dcdrbu_init+0x1e6/0x225
[   17.243615]  ? ibft_check_initiator_for+0x14a/0x14a
[   17.243615]  ? ibft_check_initiator_for+0x14a/0x14a
[   17.243615]  do_one_initcall+0xb6/0x3a0
[   17.243615]  ? perf_trace_initcall_level+0x430/0x430
[   17.243615]  ? kasan_unpoison_shadow+0x35/0x50
[   17.243615]  kernel_init_freeable+0x54d/0x64d
[   17.243615]  ? start_kernel+0x7e9/0x7e9
[   17.243615]  ? __switch_to_asm+0x41/0x70
[   17.243615]  ? kasan_check_read+0x11/0x20
[   17.243615]  ? rest_init+0xdc/0xdc
[   17.243615]  kernel_init+0x16/0x180
[   17.243615]  ? rest_init+0xdc/0xdc
[   17.243615]  ret_from_fork+0x35/0x40
[   17.243615]
[   17.243615] The buggy address belongs to the page:
[   17.243615] page:ffffea0002f91440 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[   17.243615] flags: 0xfffffc0000000()
[   17.243615] raw: 000fffffc0000000 ffffea0002df9708 ffffea0002f91408 0000000000000000
[   17.243615] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   17.243615] page dumped because: kasan: bad access detected
[   17.243615]
[   17.243615] Memory state around the buggy address:
[   17.243615]  ffff8880be450f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.243615]  ffff8880be450f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.243615] >ffff8880be451000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.243615]                    ^
[   17.243615]  ffff8880be451080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.243615]  ffff8880be451100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.243615] ==================================================================


Patch

commit 6998a8800d73116187aad542391ce3b2dd0f9e30
Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Date:   Tue Apr 13 16:01:00 2021 +0200

     ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade()

     Commit 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by
     ACPI tables") attempted to address an issue with reserving the memory
     occupied by ACPI tables, but it broke the initrd-based table override
     mechanism relied on by multiple users.

     To restore the initrd-based ACPI table override functionality, move
     the acpi_boot_table_init() invocation in setup_arch() on x86 after
     the acpi_table_upgrade() one.

     Fixes: 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by ACPI tables")
     Reported-by: Hans de Goede <hdegoede@redhat.com>
     Tested-by: Hans de Goede <hdegoede@redhat.com>
     Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 5ecd69a..ccab6cf 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1045,9 +1045,6 @@ void __init setup_arch(char **cmdline_p)

      cleanup_highmap();

-    /* Look for ACPI tables and reserve memory occupied by them. */
-    acpi_boot_table_init();
-
      memblock_set_current_limit(ISA_END_ADDRESS);
      e820__memblock_setup();

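Review bot: The whitespace in this hunk looks mangled by the mail client: the context lines (cleanup_highmap(); and memblock_set_current_limit(ISA_END_ADDRESS);) are indented with six spaces and the removed lines with four, while kernel sources indent with tabs, so the patch is unlikely to apply with git am as sent. Please resend it unmodified, for example with git send-email. The subject also names 5.4.y, 4.14.y and 4.19.y, but there is a single diff with one index line and one set of offsets; please confirm it applies to each of the three trees and that 1a1c130ab757, named in the Fixes tag, is queued ahead of it in all of them.
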
@@ -1132,6 +1129,8 @@ void __init setup_arch(char **cmdline_p)
      reserve_initrd();

      acpi_table_upgrade();
+    /* Look for ACPI tables and reserve memory occupied by them. */
+    acpi_boot_table_init();

      vsmp_init();

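Review bot: The comment added above acpi_boot_table_init() says what the call does but not why it has to sit after acpi_table_upgrade(). The commit message gives the reason (the initrd-based table override must be processed first), and one sentence to that effect in the comment would keep the call from being moved back up later. Because the call now runs after e820__memblock_setup() and reserve_initrd(), the ACPI tables are reserved later than before this change; the changelog should say why nothing can allocate over them in that window, since the use-after-free in ibft_init() quoted above is what the reservation is meant to prevent. A blank line between acpi_table_upgrade(); and the new comment would also match the spacing of the surrounding calls.
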
Thank you,
George


* Re: 5.4.y, 4.14.y, 4.19.y [PATCH] ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade()
From: Rafael J. Wysocki @ 2021-05-04 11:06 UTC
  To: George Kennedy
  Cc: Greg Kroah-Hartman, Dhaval Giani, Konrad Rzeszutek Wilk, Stable,
	Rafael J. Wysocki, Linux ACPI, Mike Rapoport, Thomas Gleixner,
	Ingo Molnar, Borislav Petkov, x86 Maintainers

On Fri, Apr 30, 2021 at 9:03 PM George Kennedy
<george.kennedy@oracle.com> wrote:
>
> commit 6998a8800d73116187aad542391ce3b2dd0f9e30 upstream.
>
> Upstream commit 6998a8800d73116187aad542391ce3b2dd0f9e30 along with
> upstream commit 1a1c130ab7575498eed5bcf7220037ae09cd1f8a (ACPI: tables:
> x86: Reserve memory occupied by ACPI tables) fixes the following issue.

Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

> Mounting an iSCSI volume during boot causes the following crash with a
> KASAN-enabled kernel:
>
> [   17.239703] iscsi: registered transport (iser)
> [   17.241038] OPA Virtual Network Driver - v1.0
> [   17.242833] iBFT detected.
> [   17.243593] ==================================================================
> [   17.243615] BUG: KASAN: use-after-free in ibft_init+0x134/0xab7
> [   17.243615] Read of size 4 at addr ffff8880be451004 by task swapper/0/1
> [   17.243615]
> [   17.243615] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.19.190-rc1-1bd8f1c #1
> [   17.243615] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
> [   17.243615] Call Trace:
> [   17.243615]  dump_stack+0xb3/0xf0
> [   17.243615]  ? ibft_init+0x134/0xab7
> [   17.243615]  print_address_description+0x71/0x239
> [   17.243615]  ? ibft_init+0x134/0xab7
> [   17.243615]  kasan_report.cold.6+0x242/0x2fe
> [   17.243615]  __asan_report_load_n_noabort+0x14/0x20
> [   17.243615]  ibft_init+0x134/0xab7
> [   17.243615]  ? dcdrbu_init+0x1e6/0x225
> [   17.243615]  ? ibft_check_initiator_for+0x14a/0x14a
> [   17.243615]  ? ibft_check_initiator_for+0x14a/0x14a
> [   17.243615]  do_one_initcall+0xb6/0x3a0
> [   17.243615]  ? perf_trace_initcall_level+0x430/0x430
> [   17.243615]  ? kasan_unpoison_shadow+0x35/0x50
> [   17.243615]  kernel_init_freeable+0x54d/0x64d
> [   17.243615]  ? start_kernel+0x7e9/0x7e9
> [   17.243615]  ? __switch_to_asm+0x41/0x70
> [   17.243615]  ? kasan_check_read+0x11/0x20
> [   17.243615]  ? rest_init+0xdc/0xdc
> [   17.243615]  kernel_init+0x16/0x180
> [   17.243615]  ? rest_init+0xdc/0xdc
> [   17.243615]  ret_from_fork+0x35/0x40
> [   17.243615]
> [   17.243615] The buggy address belongs to the page:
> [   17.243615] page:ffffea0002f91440 count:0 mapcount:0 mapping:0000000000000000 index:0x1
> [   17.243615] flags: 0xfffffc0000000()
> [   17.243615] raw: 000fffffc0000000 ffffea0002df9708 ffffea0002f91408 0000000000000000
> [   17.243615] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
> [   17.243615] page dumped because: kasan: bad access detected
> [   17.243615]
> [   17.243615] Memory state around the buggy address:
> [   17.243615]  ffff8880be450f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [   17.243615]  ffff8880be450f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [   17.243615] >ffff8880be451000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [   17.243615]                    ^
> [   17.243615]  ffff8880be451080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [   17.243615]  ffff8880be451100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [   17.243615] ==================================================================
>
>
> Patch
>
> commit 6998a8800d73116187aad542391ce3b2dd0f9e30
> Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> Date:   Tue Apr 13 16:01:00 2021 +0200
>
>      ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade()
>
>      Commit 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by
>      ACPI tables") attempted to address an issue with reserving the memory
>      occupied by ACPI tables, but it broke the initrd-based table override
>      mechanism relied on by multiple users.
>
>      To restore the initrd-based ACPI table override functionality, move
>      the acpi_boot_table_init() invocation in setup_arch() on x86 after
>      the acpi_table_upgrade() one.
>
>      Fixes: 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by ACPI tables")
>      Reported-by: Hans de Goede <hdegoede@redhat.com>
>      Tested-by: Hans de Goede <hdegoede@redhat.com>
>      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
>
> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
> index 5ecd69a..ccab6cf 100644
> --- a/arch/x86/kernel/setup.c
> +++ b/arch/x86/kernel/setup.c
> @@ -1045,9 +1045,6 @@ void __init setup_arch(char **cmdline_p)
>
>       cleanup_highmap();
>
> -    /* Look for ACPI tables and reserve memory occupied by them. */
> -    acpi_boot_table_init();
> -
>       memblock_set_current_limit(ISA_END_ADDRESS);
>       e820__memblock_setup();
>
> @@ -1132,6 +1129,8 @@ void __init setup_arch(char **cmdline_p)
>       reserve_initrd();
>
>       acpi_table_upgrade();
> +    /* Look for ACPI tables and reserve memory occupied by them. */
> +    acpi_boot_table_init();
>
>       vsmp_init();
>
> Thank you,
> George


* 5.4.y, 4.14.y, 4.19.y [PATCH] ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade()
From: George Kennedy @ 2021-04-30 19:05 UTC
  To: Greg Kroah-Hartman
  Cc: Dhaval Giani, Konrad Rzeszutek Wilk, stable, Rafael J. Wysocki,
	Linux ACPI, Mike Rapoport, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, x86 Maintainers

