linux-kernel.vger.kernel.org archive mirror
* [PATCH 1/2] x86/efi: don't allocate memmap through memblock after mm_init()
@ 2016-12-21 18:28 Nicolai Stange
  2016-12-21 18:28 ` [PATCH 2/2] efi: efi_mem_reserve(): don't reserve " Nicolai Stange
  0 siblings, 1 reply; 4+ messages in thread
From: Nicolai Stange @ 2016-12-21 18:28 UTC (permalink / raw)
  To: Matt Fleming
  Cc: Ard Biesheuvel, Thomas Gleixner, Ingo Molnar, H. Peter Anvin,
	x86, linux-efi, linux-kernel, Nicolai Stange

With commit 4bc9f92e64c8 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid
copying image data"), efi_bgrt_init() calls into the memblock allocator
through efi_mem_reserve() => efi_arch_mem_reserve() *after* mm_init()
has been called.

Indeed, KASAN reports a bad read access later on in
efi_free_boot_services():

  BUG: KASAN: use-after-free in efi_free_boot_services+0xae/0x24c
            at addr ffff88022de12740
  Read of size 4 by task swapper/0/0
  page:ffffea0008b78480 count:0 mapcount:-127
  mapping:          (null) index:0x1 flags: 0x5fff8000000000()
  [...]
  Call Trace:
   dump_stack+0x68/0x9f
   kasan_report_error+0x4c8/0x500
   kasan_report+0x58/0x60
   __asan_load4+0x61/0x80
   efi_free_boot_services+0xae/0x24c
   start_kernel+0x527/0x562
   x86_64_start_reservations+0x24/0x26
   x86_64_start_kernel+0x157/0x17a
   start_cpu+0x5/0x14

The instruction at the given address is the first read from the memmap's
memory, i.e. the read of md->type in efi_free_boot_services().

Note that the writes earlier in efi_arch_mem_reserve() don't splat because
they're done through early_memremap()ed addresses.

So, after memblock is gone, allocations should be done through the "normal"
page allocator. Introduce a helper, efi_memmap_alloc(), for this. Use
it from efi_arch_mem_reserve() and from efi_free_boot_services() as well.

Fixes: 4bc9f92e64c8 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
---
 arch/x86/platform/efi/quirks.c |  4 ++--
 drivers/firmware/efi/memmap.c  | 38 ++++++++++++++++++++++++++++++++++++++
 include/linux/efi.h            |  1 +
 3 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c
index 10aca63a50d7..30031d5293c4 100644
--- a/arch/x86/platform/efi/quirks.c
+++ b/arch/x86/platform/efi/quirks.c
@@ -214,7 +214,7 @@ void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size)
 
 	new_size = efi.memmap.desc_size * num_entries;
 
-	new_phys = memblock_alloc(new_size, 0);
+	new_phys = efi_memmap_alloc(num_entries);
 	if (!new_phys) {
 		pr_err("Could not allocate boot services memmap\n");
 		return;
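Review bot: `new_size` on the first context line is still computed but no longer handed to the allocator, because `efi_memmap_alloc(num_entries)` recomputes the byte size from `efi.memmap.desc_size` itself. If nothing below this hunk still needs `new_size` (for mapping the new map, say), drop the local; otherwise consider passing the byte size through instead of the entry count so the caller and the helper cannot disagree on it. The `if (!new_phys)` check keeps working because the helper, like `memblock_alloc()`, returns 0 on failure.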
@@ -355,7 +355,7 @@ void __init efi_free_boot_services(void)
 	}
 
 	new_size = efi.memmap.desc_size * num_entries;
-	new_phys = memblock_alloc(new_size, 0);
+	new_phys = efi_memmap_alloc(num_entries);
 	if (!new_phys) {
 		pr_err("Failed to allocate new EFI memmap\n");
 		return;
diff --git a/drivers/firmware/efi/memmap.c b/drivers/firmware/efi/memmap.c
index f03ddecd232b..78686443cb37 100644
--- a/drivers/firmware/efi/memmap.c
+++ b/drivers/firmware/efi/memmap.c
@@ -9,6 +9,44 @@
 #include <linux/efi.h>
 #include <linux/io.h>
 #include <asm/early_ioremap.h>
+#include <linux/memblock.h>
+#include <linux/slab.h>
+
+static phys_addr_t __init __efi_memmap_alloc_early(unsigned long size)
+{
+	return memblock_alloc(size, 0);
+}
+
+static phys_addr_t __init __efi_memmap_alloc_late(unsigned long size)
+{
+	unsigned int order = get_order(size);
+	struct page *p = alloc_pages(GFP_KERNEL, order);
+
+	if (!p)
+		return 0;
+
+	return PFN_PHYS(page_to_pfn(p));
+}
+
+/**
+ * efi_memmap_alloc - Allocate memory for the EFI memory map
+ * @num_entries: Number of entries in the allocated map.
+ *
+ * Depending on whether mm_init() has already been invoked or not,
+ * either memblock or "normal" page allocation is used.
+ *
+ * Returns the physical address of the allocated memory map on
+ * success, zero on failure.
+ */
+phys_addr_t __init efi_memmap_alloc(unsigned int num_entries)
+{
+	unsigned long size = num_entries * efi.memmap.desc_size;
+
+	if (slab_is_available())
+		return __efi_memmap_alloc_late(size);
+
+	return __efi_memmap_alloc_early(size);
+}
 
 /**
  * __efi_memmap_init - Common code for mapping the EFI memory map
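Review bot: the helper picks memblock or the page allocator internally but exposes nothing that lets a caller release a map the same way, so pages handed out by `__efi_memmap_alloc_late()` can only leak once a later map replaces them, and a `memblock_free()` on them would be wrong. Consider a matching `efi_memmap_free()` that also dispatches on `slab_is_available()`, or state in the kerneldoc that late-allocated maps are never freed. Two smaller points: `#include <linux/memblock.h>` and `#include <linux/slab.h>` are added after `<asm/early_ioremap.h>`, whereas the file's existing order puts `linux/` headers before `asm/`; and `get_order()` rounds the request up to a power-of-two number of pages, which is harmless but worth a comment since the late path can return up to nearly twice the requested size.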
diff --git a/include/linux/efi.h b/include/linux/efi.h
index a07a476178cd..0c5420208c40 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -950,6 +950,7 @@ static inline efi_status_t efi_query_variable_store(u32 attributes,
 #endif
 extern void __iomem *efi_lookup_mapped_addr(u64 phys_addr);
 
+extern phys_addr_t __init efi_memmap_alloc(unsigned int num_entries);
 extern int __init efi_memmap_init_early(struct efi_memory_map_data *data);
 extern int __init efi_memmap_init_late(phys_addr_t addr, unsigned long size);
 extern void __init efi_memmap_unmap(void);
-- 
2.11.0


* [PATCH 2/2] efi: efi_mem_reserve(): don't reserve through memblock after mm_init()
  2016-12-21 18:28 [PATCH 1/2] x86/efi: don't allocate memmap through memblock after mm_init() Nicolai Stange
@ 2016-12-21 18:28 ` Nicolai Stange
  2016-12-21 18:45   ` Mika Penttilä
  0 siblings, 1 reply; 4+ messages in thread
From: Nicolai Stange @ 2016-12-21 18:28 UTC (permalink / raw)
  To: Matt Fleming
  Cc: Ard Biesheuvel, Thomas Gleixner, Ingo Molnar, H. Peter Anvin,
	x86, linux-efi, linux-kernel, Nicolai Stange

Before invoking the arch specific handler, efi_mem_reserve() reserves
the given memory region through memblock.

efi_mem_reserve() can get called after mm_init() though -- through
efi_bgrt_init(), for example. After mm_init(), memblock is dead and should
not be used anymore.

Let efi_mem_reserve() check whether memblock is dead and not do the
reservation if so. Emit a warning from the generic efi_arch_mem_reserve()
in this case: if the architecture doesn't provide any other means of
registering the region as reserved, the operation would be a nop.

Fixes: 4bc9f92e64c8 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
---
 drivers/firmware/efi/efi.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 92914801e388..12b2e3a6d73f 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -403,7 +403,10 @@ u64 __init efi_mem_desc_end(efi_memory_desc_t *md)
 	return end;
 }
 
-void __init __weak efi_arch_mem_reserve(phys_addr_t addr, u64 size) {}
+void __init __weak efi_arch_mem_reserve(phys_addr_t addr, u64 size)
+{
+	WARN(slab_is_available(), "efi_mem_reserve() has no effect");
+}
 
 /**
  * efi_mem_reserve - Reserve an EFI memory region
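Review bot: the `WARN(slab_is_available(), ...)` in the new weak `efi_arch_mem_reserve()` fires on every post-mm_init() call without saying which region was dropped, so the splat is hard to act on; include the arguments and a trailing newline, e.g. `WARN(slab_is_available(), "efi_mem_reserve(%pa, %llu) has no effect\n", &addr, size);`. Also confirm that efi.c already includes `<linux/slab.h>` for `slab_is_available()`, since the hunk adds no include.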
@@ -419,7 +422,7 @@ void __init __weak efi_arch_mem_reserve(phys_addr_t addr, u64 size) {}
  */
 void __init efi_mem_reserve(phys_addr_t addr, u64 size)
 {
-	if (!memblock_is_region_reserved(addr, size))
+	if (slab_is_available() && !memblock_is_region_reserved(addr, size))
 		memblock_reserve(addr, size);
 
 	/*
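Review bot: the condition on the `+` line is inverted. `slab_is_available()` becomes true in mm_init(), so `slab_is_available() && !memblock_is_region_reserved(addr, size)` calls `memblock_reserve()` only after memblock is dead and never during early boot, the opposite of what the commit message describes. It should read `if (!slab_is_available() && !memblock_is_region_reserved(addr, size))`.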
-- 
2.11.0


* Re: [PATCH 2/2] efi: efi_mem_reserve(): don't reserve through memblock after mm_init()
  2016-12-21 18:28 ` [PATCH 2/2] efi: efi_mem_reserve(): don't reserve " Nicolai Stange
@ 2016-12-21 18:45   ` Mika Penttilä
  2016-12-22 10:26     ` Nicolai Stange
  0 siblings, 1 reply; 4+ messages in thread
From: Mika Penttilä @ 2016-12-21 18:45 UTC (permalink / raw)
  To: Nicolai Stange, Matt Fleming
  Cc: Ard Biesheuvel, Thomas Gleixner, Ingo Molnar, H. Peter Anvin,
	x86, linux-efi, linux-kernel



On 21.12.2016 20:28, Nicolai Stange wrote:
> Before invoking the arch specific handler, efi_mem_reserve() reserves
> the given memory region through memblock.
>
> efi_mem_reserve() can get called after mm_init() though -- through
> efi_bgrt_init(), for example. After mm_init(), memblock is dead and should
> not be used anymore.
>
> Let efi_mem_reserve() check whether memblock is dead and not do the
> reservation if so. Emit a warning from the generic efi_arch_mem_reserve()
> in this case: if the architecture doesn't provide any other means of
> registering the region as reserved, the operation would be a nop.
>
> Fixes: 4bc9f92e64c8 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")
> Signed-off-by: Nicolai Stange <nicstange@gmail.com>
> ---
>  drivers/firmware/efi/efi.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> index 92914801e388..12b2e3a6d73f 100644
> --- a/drivers/firmware/efi/efi.c
> +++ b/drivers/firmware/efi/efi.c
> @@ -403,7 +403,10 @@ u64 __init efi_mem_desc_end(efi_memory_desc_t *md)
>  	return end;
>  }
>  
> -void __init __weak efi_arch_mem_reserve(phys_addr_t addr, u64 size) {}
> +void __init __weak efi_arch_mem_reserve(phys_addr_t addr, u64 size)
> +{
> +	WARN(slab_is_available(), "efi_mem_reserve() has no effect");
> +}
>  
>  /**
>   * efi_mem_reserve - Reserve an EFI memory region
> @@ -419,7 +422,7 @@ void __init __weak efi_arch_mem_reserve(phys_addr_t addr, u64 size) {}
>   */
>  void __init efi_mem_reserve(phys_addr_t addr, u64 size)
>  {
> -	if (!memblock_is_region_reserved(addr, size))
> +	if (slab_is_available() && !memblock_is_region_reserved(addr, size))
>  		memblock_reserve(addr, size);
Maybe !slab_is_available() ?

>  
--Mika


* Re: [PATCH 2/2] efi: efi_mem_reserve(): don't reserve through memblock after mm_init()
  2016-12-21 18:45   ` Mika Penttilä
@ 2016-12-22 10:26     ` Nicolai Stange
  0 siblings, 0 replies; 4+ messages in thread
From: Nicolai Stange @ 2016-12-22 10:26 UTC (permalink / raw)
  To: Mika Penttilä
  Cc: Nicolai Stange, Matt Fleming, Ard Biesheuvel, Thomas Gleixner,
	Ingo Molnar, H. Peter Anvin, x86, linux-efi, linux-kernel

Mika Penttilä <mika.penttila@nextfour.com> writes:

> On 21.12.2016 20:28, Nicolai Stange wrote:
>>  /**
>>   * efi_mem_reserve - Reserve an EFI memory region
>> @@ -419,7 +422,7 @@ void __init __weak efi_arch_mem_reserve(phys_addr_t addr, u64 size) {}
>>   */
>>  void __init efi_mem_reserve(phys_addr_t addr, u64 size)
>>  {
>> -	if (!memblock_is_region_reserved(addr, size))
>> +	if (slab_is_available() && !memblock_is_region_reserved(addr, size))
>>  		memblock_reserve(addr, size);
> Maybe !slab_is_available() ?

You're right, thanks for catching this!

Fixed in v2 at http://lkml.kernel.org/r/20161222102340.2689-2-nicstange@gmail.com

Thanks,

Nicolai
