Re: [PATCH 1/1] ACPI: fix acpi table use after free

From: Mike Rapoport <rppt@linux.ibm.com>
To: David Hildenbrand <david@redhat.com>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>,
	George Kennedy <george.kennedy@oracle.com>,
	Robert Moore <robert.moore@intel.com>,
	Erik Kaneda <erik.kaneda@intel.com>,
	Rafael Wysocki <rafael.j.wysocki@intel.com>,
	Len Brown <lenb@kernel.org>,
	ACPI Devel Maling List <linux-acpi@vger.kernel.org>,
	"open list:ACPI COMPONENT ARCHITECTURE (ACPICA)"
	<devel@acpica.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Dhaval Giani <dhaval.giani@oracle.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Vlastimil Babka <vbabka@suse.cz>,
	Oscar Salvador <osalvador@suse.de>,
	Wei Yang <richard.weiyang@linux.alibaba.com>,
	Pankaj Gupta <pankaj.gupta.linux@gmail.com>,
	Michal Hocko <mhocko@suse.com>
Subject: Re: [PATCH 1/1] ACPI: fix acpi table use after free
Date: Wed, 10 Mar 2021 21:38:39 +0200	[thread overview]
Message-ID: <YEkgP0G94uQBGDa9@linux.ibm.com> (raw)
In-Reply-To: <e8593eae-40b8-bc9a-78db-529d28d2be88@redhat.com>

On Wed, Mar 10, 2021 at 08:10:42PM +0100, David Hildenbrand wrote:
> 
> > > > Memory gets allocated and used in a different order, which seems to have
> > > > exposed (yet another) latent BUG.
> > > 
> > > Well, you can call it that, or you can say that things worked under
> > > certain assumptions regarding the memory allocation order which are
> > > not met any more.

Regardless of the assumptions in the page allocator we had a page used by
the firmware on a free list, which is a bug.

> > > > The same could be reproduced via zone shuffling with a little luck.
> > > 
> > > But nobody does that in practice.
> > > 
> 
> Dan will most certainly object. And I don't know what makes you speak in
> absolute words here.
> 
> > > This would be relatively straightforward to address if ACPICA was not
> > > involved in it, but unfortunately that's not the case.
> > > 
> > > Changing this part of ACPICA is risky, because such changes may affect
> > > other OSes using it, so that requires some serious consideration.
> > > Alternatively, the previous memory allocation order in Linux could be
> > > restored.
> > 
> > Of course, long-term this needs to be addressed in the ACPI
> > initialization code, because it clearly is not robust enough, but in
> > the meantime there's practical breakage observable in the field, so
> > what can be done about that?
> 
> *joke* enable zone shuffling.
> 
> No seriously, fix the latent BUG. What again is problematic about excluding
> these pages from the page allcoator, for example, via memblock_reserve()?
> 
> @Mike?

There is some care that should be taken to make sure we get the order
right, but I don't see a fundamental issue here.

If I understand correctly, Rafael's concern is about changing the parts of
ACPICA that should be OS agnostic, so I think we just need another place to
call memblock_reserve() rather than acpi_tb_install_table_with_override().

Since the reservation should be done early in x86::setup_arch() (and
probably in arm64::setup_arch()) we might just have a function that parses
table headers and reserves them, similarly to how we parse the tables
during KASLR setup.

-- 
Sincerely yours,
Mike.