Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2751524pxb; Tue, 9 Mar 2021 09:56:24 -0800 (PST) X-Google-Smtp-Source: ABdhPJy2lEFQVo3Rfx4b1G0zRLpZbKFftjJlteDG1Q/+l3Sx6X+ERUE1fW57A7v51Sm9N+uBPw4/ X-Received: by 2002:a17:906:ecf3:: with SMTP id qt19mr21351820ejb.467.1615312583824; Tue, 09 Mar 2021 09:56:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615312583; cv=none; d=google.com; s=arc-20160816; b=Fj3muubD4J9V5Qk4p2s+PkIwaRX2NXkpZ+8psatp9Icd2282f0S9a1KerYGok20Ivp 2sCX8beU8r0LLlc9keEVEwL6YxL9DUXCNhPM+f/COKCowBnFIcDXwCPsH7z7PzCsp3V9 zhZfsosb5ty8In2fIkan5CtZLCxkaJL1+/05JUEHIzO5JLcIoA+3jtI/894dS9VVWUGR pIMDWEnJltRBPuS2hIRojSn/m0/XOh+b+FGd4LYH4NB9lOK0nfKPc2OXPxADomdAR03Z ak2re0rEAruqXG4+BZfd4zLzvepUO1IzRVveX/y1d58pQaH+SFNkXStKArp3lCmITd/M L6qg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=b9K8DVL60ariE8FoWoox5S7uTRkZZZrvKhNQe7qdncs=; b=YLa302sqEXri1vtptKIDC0E4z1GwGFvUZ7E3A/ZF7+KeUOBamUz/fH7l8qTICI/sZp 5aJUfyQrcsF4BP4oXthMuIC4o+elh+ZIZjHDPLzn3sjf7gyF0J7IE7Nsrrt4JwO5MOfp 5yU2HNEN83SHzQwQ2f+86cK21Fi+/nMTF5sgve+Q7RQw+IjBgqIU9JXFbzDIAVojsxh7 w1SxlKTOFfZX0RPnnUiBQOXvsVw2SzYqR6G6NDp+eWfTozbWZP3zSZHAytO32VFdQXtZ RZIqteI+cu3Xu0dwuxuPg5uSxeMPRG0mcgSk84Bnvyeo1jS++XAlmPUW1YSA9HzgqIQs 6hrg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=VGcg4ORZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n2si10544947ejl.444.2021.03.09.09.56.00; Tue, 09 Mar 2021 09:56:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=VGcg4ORZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230303AbhCIRyv (ORCPT + 99 others); Tue, 9 Mar 2021 12:54:51 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:41332 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231631AbhCIRyl (ORCPT ); Tue, 9 Mar 2021 12:54:41 -0500 Received: from pps.filterd (m0187473.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 129HXoZd056462; Tue, 9 Mar 2021 12:54:27 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=pp1; bh=b9K8DVL60ariE8FoWoox5S7uTRkZZZrvKhNQe7qdncs=; b=VGcg4ORZHWQazQ1FF5fXjbW4WcElNm9c5O1EsdD8OyXyuPjdLwk+yhnMn7Lzil85aRDF IErn/6Bgde77eta/QXw615PdiinjsvOU0aKS3w4x3q4FRWJEnbzkno/+0kObGMqCA/Gs +B7+VYMBCLkkSAABDguCbQHUvwr2faO4/6fxC4KYbq8iNzpgIy9IH9ftth1m1uIVH0kL e+D26+C7wm2CfAMabxYOEykZtWDh32bg9HzPiMAYamgNn1V90L8Qt7W9ldzkQbRErTVa PK6yqN9tTGk3z02wVvl3FT/jcbTVcU4SihZFXlJ+iORnpTwjH9hmUk8lwhrUDo86ZIzE 2Q== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 375wfm0y07-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 09 Mar 2021 12:54:27 -0500 Received: from m0187473.ppops.net (m0187473.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 129HY6UP056836; Tue, 9 Mar 2021 12:54:26 -0500 Received: from ppma04ams.nl.ibm.com (63.31.33a9.ip4.static.sl-reverse.com [169.51.49.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 375wfm0xyf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 09 Mar 2021 12:54:26 -0500 Received: from pps.filterd (ppma04ams.nl.ibm.com [127.0.0.1]) by ppma04ams.nl.ibm.com (8.16.0.43/8.16.0.43) with SMTP id 129HmsXV022977; Tue, 9 Mar 2021 17:54:23 GMT Received: from b06cxnps3074.portsmouth.uk.ibm.com (d06relay09.portsmouth.uk.ibm.com [9.149.109.194]) by ppma04ams.nl.ibm.com with ESMTP id 3768n1g98h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 09 Mar 2021 17:54:23 +0000 Received: from b06wcsmtp001.portsmouth.uk.ibm.com (b06wcsmtp001.portsmouth.uk.ibm.com [9.149.105.160]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 129HsKtp39322016 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 9 Mar 2021 17:54:21 GMT Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B692EA405F; Tue, 9 Mar 2021 17:54:20 +0000 (GMT) Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8E08FA4054; Tue, 9 Mar 2021 17:54:18 +0000 (GMT) Received: from linux.ibm.com (unknown [9.145.23.212]) by b06wcsmtp001.portsmouth.uk.ibm.com (Postfix) with ESMTPS; Tue, 9 Mar 2021 17:54:18 +0000 (GMT) Date: Tue, 9 Mar 2021 19:54:16 +0200 From: Mike Rapoport To: "Rafael J. Wysocki" Cc: George Kennedy , David Hildenbrand , Robert Moore , Erik Kaneda , Rafael Wysocki , Len Brown , ACPI Devel Maling List , "open list:ACPI COMPONENT ARCHITECTURE (ACPICA)" , Linux Kernel Mailing List , Konrad Rzeszutek Wilk , Dan Carpenter , Dhaval Giani , Andrew Morton , Vlastimil Babka , Oscar Salvador , Wei Yang , Pankaj Gupta , Michal Hocko Subject: Re: [PATCH 1/1] ACPI: fix acpi table use after free Message-ID: References: <1614802160-29362-1-git-send-email-george.kennedy@oracle.com> <9c3bc1b2-bb8d-194d-6faf-e4d7d346dc9b@oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.761 definitions=2021-03-09_14:2021-03-08,2021-03-09 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 malwarescore=0 clxscore=1015 mlxscore=0 mlxlogscore=999 spamscore=0 suspectscore=0 lowpriorityscore=0 phishscore=0 adultscore=0 bulkscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2103090084 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Mar 07, 2021 at 09:46:22AM +0200, Mike Rapoport wrote: > Hello Rafael, > > On Fri, Mar 05, 2021 at 02:30:07PM +0100, Rafael J. Wysocki wrote: > > On Fri, Mar 5, 2021 at 12:14 AM George Kennedy wrote: > > > > > The ibft table, for example, is mapped in via acpi_map() and kmap(). The > > > page for the ibft table is not reserved, so it can end up on the freelist. > > > > You appear to be saying that it is not sufficient to kmap() a page in > > order to use it safely. It is also necessary to reserve it upfront, > > for example with the help of memblock_reserve(). Is that correct? If > > so, is there an alternative way to reserve a page frame? > > Like David said in the other reply, if a BIOS does not mark the memory that > contains an ACPI table as used (e.g. reserved or ACPI data), we need to > make sure the kernel knows that such memory is in use and an early call to > memblock_reserve() is exactly what we need here. > George had this issue with iBFT, but in general this could be any table > that a buggy BIOS forgot to mark as ACPI data. BTW, I wonder is there a fundamental reason to use ioremap() to access ACPI tables at all? In the end, they reside in RAM and, apparently, they live at the same DIMM as neighboring "normal memory" so why cannot we just map them normally as read-only not executable? > > > >> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c > > > >> index d883176..97deea3 100644 > > > >> --- a/arch/x86/kernel/setup.c > > > >> +++ b/arch/x86/kernel/setup.c > > > >> @@ -1046,6 +1046,7 @@ void __init setup_arch(char **cmdline_p) > > > >> cleanup_highmap(); > > > >> > > > >> memblock_set_current_limit(ISA_END_ADDRESS); > > > >> + acpi_boot_table_init(); > > > > This cannot be moved before the acpi_table_upgrade() invocation AFAICS. > > > > > > > > Why exactly do you want to move it? > > > > > > Want to make sure there are slots for memblock_reserve() to be able to > > > reserve the page. > > > > Well, that may not require reordering the initialization this way. > > The memory that is used by the firmware should be reserved before memblock > allocations are allowed so that ACPI tables won't get trampled by some > random allocation. > > On x86 this essentially means that the early reservations need to be > complete before the call to e820__memblock_setup(). > > We probably need more precise refactoring of ACPI init than simply moving > acpi_boot_table_init() earlier. > > > > >> e820__memblock_setup(); > > > >> > > -- > Sincerely yours, > Mike. -- Sincerely yours, Mike.