    x86/efi: Don't allocate memmap through memblock after mm_init() · 20b1e22d
    Nicolai Stange authored
    With the following commit:
    
      4bc9f92e ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")
    
    ...  efi_bgrt_init() calls into the memblock allocator through
    efi_mem_reserve() => efi_arch_mem_reserve() *after* mm_init() has been called.
    
    Indeed, KASAN reports a bad read access later on in efi_free_boot_services():
    
      BUG: KASAN: use-after-free in efi_free_boot_services+0xae/0x24c
                at addr ffff88022de12740
      Read of size 4 by task swapper/0/0
      page:ffffea0008b78480 count:0 mapcount:-127
      mapping:          (null) index:0x1 flags: 0x5fff8000000000()
      [...]
      Call Trace:
       dump_stack+0x68/0x9f
       kasan_report_error+0x4c8/0x500
       kasan_report+0x58/0x60
       __asan_load4+0x61/0x80
       efi_free_boot_services+0xae/0x24c
       start_kernel+0x527/0x562
       x86_64_start_reservations+0x24/0x26
       x86_64_start_kernel+0x157/0x17a
       start_cpu+0x5/0x14
    
    The instruction at the given address is the first read from the memmap's
    memory, i.e. the read of md->type in efi_free_boot_services().
    
    Note that the writes earlier in efi_arch_mem_reserve() don't splat because
    they're done through early_memremap()ed addresses.
    
    So, after memblock is gone, allocations should be done through the "normal"
    page allocator. Introduce a helper, efi_memmap_alloc() for this. Use
    it from efi_arch_mem_reserve(), efi_free_boot_services() and, for the sake
    of consistency, from efi_fake_memmap() as well.
    
    Note that for the latter, the memmap allocations cease to be page aligned.
    This isn't needed though.

    Tested-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Nicolai Stange <nicstange@gmail.com>
    Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Cc: <stable@vger.kernel.org> # v4.9
    Cc: Dave Young <dyoung@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Matt Fleming <matt@codeblueprint.co.uk>
    Cc: Mika Penttilä <mika.penttila@nextfour.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-efi@vger.kernel.org
    Fixes: 4bc9f92e ("x86/efi-bgrt: Use efi_mem_reserve() to avoid copying image data")
    Link: http://lkml.kernel.org/r/20170105125130.2815-1-nicstange@gmail.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
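The allocator handoff the commit message describes, as an added userspace model (not the kernel's code and not part of this commit): a toy memblock bump allocator, a toy page allocator that takes ownership of the remaining pages at mm_init(), and an efi_memmap_alloc() stand-in that picks the allocator by boot phase, mirroring the way the kernel helper switches on slab_is_available(). The function names reuse the kernel's for readability; the 16-page arena, the 48-byte descriptor size and the single-page late path are assumptions of the model.

```c
/*
 * Added example: userspace model of the boot-time allocator handoff.
 * Not kernel code. memblock_alloc(), mm_init(), alloc_page() and
 * efi_memmap_alloc() are toy stand-ins; PAGE/arena sizes and DESC_SIZE
 * are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define NR_PAGES  16u
#define DESC_SIZE 48u   /* assumed efi.memmap.desc_size */

/* "Physical" memory: NR_PAGES pages in one arena (uint32_t keeps it aligned). */
static uint32_t mem[NR_PAGES * PAGE_SIZE / sizeof(uint32_t)];

/* Toy memblock: a bump allocator with no free list. */
static size_t memblock_top;    /* first page memblock has not handed out */

/* Toy page allocator: stack of free page indices, lowest index on top. */
static size_t free_stack[NR_PAGES];
static size_t free_count;
static bool   slab_available;  /* stand-in for slab_is_available() */

static void reset(void)
{
    memblock_top = 0;
    free_count = 0;
    slab_available = false;
    memset(mem, 0, sizeof mem);
}

static uintptr_t page_addr(size_t idx) { return (uintptr_t)mem + idx * PAGE_SIZE; }

/* Early-boot allocator. Nothing refuses a call after mm_init(): it keeps
 * bumping memblock_top into pages that mm_init() already gave away. */
static uintptr_t memblock_alloc(size_t size)
{
    size_t npages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
    if (memblock_top + npages > NR_PAGES)
        return 0;
    uintptr_t p = page_addr(memblock_top);
    memblock_top += npages;
    return p;
}

/* mm_init(): every page memblock has not allocated becomes page-allocator
 * property; from here on memblock_alloc() is no longer a valid allocator. */
static void mm_init(void)
{
    free_count = 0;
    for (size_t i = NR_PAGES; i > memblock_top; i--)
        free_stack[free_count++] = i - 1;
    slab_available = true;
}

static uintptr_t alloc_page(void)
{
    if (!slab_available || free_count == 0)
        return 0;
    return page_addr(free_stack[--free_count]);
}

/* The fix: choose the allocator by boot phase instead of always using memblock. */
static uintptr_t efi_memmap_alloc(unsigned int num_entries)
{
    size_t size = (size_t)num_entries * DESC_SIZE;
    if (!slab_available)
        return memblock_alloc(size);
    return size <= PAGE_SIZE ? alloc_page() : 0;   /* toy: one page late path */
}

/* Buggy sequence: a memmap allocated through memblock after mm_init() sits on
 * a page the page allocator also owns, so the next page allocation overwrites
 * it. Returns true when the memmap entry written earlier is lost. */
static bool late_memblock_alloc_is_clobbered(void)
{
    reset();
    memblock_alloc(PAGE_SIZE);                      /* genuine early allocation */
    mm_init();
    uint32_t *md = (uint32_t *)memblock_alloc(PAGE_SIZE);   /* too late */
    md[0] = 7;                                      /* e.g. md->type */
    uint32_t *other = (uint32_t *)alloc_page();     /* same physical page */
    memset(other, 0, PAGE_SIZE);
    return md[0] != 7;
}

/* Same sequence through efi_memmap_alloc(): the late allocation comes from
 * the page allocator, so a later page allocation cannot alias it. */
static bool helper_keeps_memmap_intact(void)
{
    reset();
    memblock_alloc(PAGE_SIZE);
    mm_init();
    uint32_t *md = (uint32_t *)efi_memmap_alloc(8);
    md[0] = 7;
    uint32_t *other = (uint32_t *)alloc_page();
    memset(other, 0, PAGE_SIZE);
    return md[0] == 7;
}

/* Before mm_init() the helper still goes through memblock. */
static bool helper_uses_memblock_early(void)
{
    reset();
    uintptr_t m = efi_memmap_alloc(8);
    return m == page_addr(0) && memblock_top == 1;
}
```

The first function is the mechanism behind the KASAN report: memblock itself does not fail after mm_init(), it simply hands out memory that the page allocator already considers free, so the corruption surfaces only when something else touches the page or, as in efi_free_boot_services(), when the stale memmap is read back. The model has no KASAN, so it detects the aliasing by checking the overwritten value rather than the access itself.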