OpenCloudOS-Kernel/drivers/firmware/efi
Nicolai Stange 20b1e22d01 x86/efi: Don't allocate memmap through memblock after mm_init()
With the following commit:

  4bc9f92e64 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")

...  efi_bgrt_init() calls into the memblock allocator through
efi_mem_reserve() => efi_arch_mem_reserve() *after* mm_init() has been called.

Indeed, KASAN reports a bad read access later on in efi_free_boot_services():

  BUG: KASAN: use-after-free in efi_free_boot_services+0xae/0x24c
            at addr ffff88022de12740
  Read of size 4 by task swapper/0/0
  page:ffffea0008b78480 count:0 mapcount:-127
  mapping:          (null) index:0x1 flags: 0x5fff8000000000()
  [...]
  Call Trace:
   dump_stack+0x68/0x9f
   kasan_report_error+0x4c8/0x500
   kasan_report+0x58/0x60
   __asan_load4+0x61/0x80
   efi_free_boot_services+0xae/0x24c
   start_kernel+0x527/0x562
   x86_64_start_reservations+0x24/0x26
   x86_64_start_kernel+0x157/0x17a
   start_cpu+0x5/0x14

The instruction at the given address is the first read from the memmap's
memory, i.e. the read of md->type in efi_free_boot_services().

Note that the writes earlier in efi_arch_mem_reserve() don't splat because
they're done through early_memremap()ed addresses.

So, after memblock is gone, allocations should be done through the "normal"
page allocator. Introduce a helper, efi_memmap_alloc() for this. Use
it from efi_arch_mem_reserve(), efi_free_boot_services() and, for the sake
of consistency, from efi_fake_memmap() as well.

Note that for the latter, the memmap allocations cease to be page aligned.
This isn't needed though.

Tested-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: <stable@vger.kernel.org> # v4.9
Cc: Dave Young <dyoung@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Mika Penttilä <mika.penttila@nextfour.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Fixes: 4bc9f92e64 ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")
Link: http://lkml.kernel.org/r/20170105125130.2815-1-nicstange@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-07 08:58:07 +01:00
..
libstub efi/libstub/arm*: Pass latest memory map to the kernel 2016-12-28 09:23:32 +01:00
test efi/efi_test: Use memdup_user() as a cleanup 2016-10-18 17:11:19 +02:00
Kconfig x86/efi: Retrieve and assign Apple device properties 2016-11-13 08:23:16 +01:00
Makefile x86/efi: Retrieve and assign Apple device properties 2016-11-13 08:23:16 +01:00
apple-properties.c x86/efi: Retrieve and assign Apple device properties 2016-11-13 08:23:16 +01:00
arm-init.c efi/arm*: Fix efi_init() error handling 2016-10-18 17:11:17 +02:00
arm-runtime.c arm64: dump: Make ptdump debugfs a separate option 2016-11-07 18:15:04 +00:00
capsule-loader.c efi/capsule: Allocate whole capsule into virtual memory 2016-08-11 13:55:36 +02:00
capsule.c efi/capsule: Allocate whole capsule into virtual memory 2016-08-11 13:55:36 +02:00
cper.c efi: Handle memory error structures produced based on old versions of standard 2015-07-15 13:30:38 +01:00
dev-path-parser.c efi: Add device path parser 2016-11-13 08:23:15 +01:00
efi-pstore.c Fix bug in module unloading. 2016-10-06 15:16:16 -07:00
efi.c efi: Add support for seeding the RNG from a UEFI config table 2016-11-13 08:23:14 +01:00
efibc.c efibc: Report more information in the error messages 2016-06-27 13:06:54 +02:00
efivars.c efi: Don't use spinlocks for efi vars 2016-09-09 16:08:42 +01:00
esrt.c efi/esrt: Use memremap not ioremap to access ESRT table in memory 2016-09-09 16:08:39 +01:00
fake_mem.c x86/efi: Don't allocate memmap through memblock after mm_init() 2017-01-07 08:58:07 +01:00
memattr.c efi: Implement generic support for the Memory Attributes table 2016-04-28 11:33:54 +02:00
memmap.c x86/efi: Don't allocate memmap through memblock after mm_init() 2017-01-07 08:58:07 +01:00
reboot.c efi: Add 'capsule' update support 2016-04-28 11:34:03 +02:00
runtime-map.c efi/runtime-map: Use efi.memmap directly instead of a copy 2016-09-09 16:08:36 +01:00
runtime-wrappers.c efi: Replace runtime services spinlock with semaphore 2016-09-09 16:08:43 +01:00
vars.c efi: Don't use spinlocks for efi vars 2016-09-09 16:08:42 +01:00