From nobody Tue Jun 23 06:16:26 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 77EF3C4167D for ; Wed, 9 Mar 2022 16:21:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235850AbiCIQSp (ORCPT ); Wed, 9 Mar 2022 11:18:45 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47016 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235769AbiCIQJK (ORCPT ); Wed, 9 Mar 2022 11:09:10 -0500 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 69E36141479; Wed, 9 Mar 2022 08:06:40 -0800 (PST) Date: Wed, 09 Mar 2022 16:06:10 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1646841971; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=p9XDSOfBkJW9KT2uV7flb2vyVjv+XayBbqoN39U7/is=; b=sT2qn68SSRkHaABdLML8H0qWnrjD8vKOQsHzvB/Pf081ac5Pk3BscVsz1EiFwA4seZWeAr 6IfcEmsLZPEH4UvhclXPuEK3MAkAgDTqAMJ3aE7MH7W8wd/+DGxPPNMvTIb6TVaihDYsLP tDjRHhFthWlpKZHPW1obn9wvJ6lx48IvHkZ/4DYsDXqoKRP3uehlUsafTNKOfn50g9rYQK ITVaNEsFlJ/n7sPmqM2MpzNjYrsTeNMUpZiNeTKlJS6DKGmSRRgqaQjrbClU6JmSpwfCrI HaPRW1MqLVCzB420TafJ858AdDD3XSXcGBfvHPI2NN2ZkCZjP6XBy9awXBe03Q== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1646841971; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=p9XDSOfBkJW9KT2uV7flb2vyVjv+XayBbqoN39U7/is=; b=KdWWqc+OH6DG5f3Oyj0xNKtrHRqDzBbUhEma/kUV7eXwBBaNhz+fOEuDYqGdxqojeUUDWW we4NN9sOET20REAQ== From: "tip-bot2 for Ross Philipson" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: x86/urgent] x86/boot: Fix memremap of setup_indirect structures Cc: Ross Philipson , Borislav Petkov , Daniel Kiper , , x86@kernel.org, linux-kernel@vger.kernel.org In-Reply-To: <1645668456-22036-2-git-send-email-ross.philipson@oracle.com> References: <1645668456-22036-2-git-send-email-ross.philipson@oracle.com> MIME-Version: 1.0 Message-ID: <164684197045.16921.8900620444174308462.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 7228918b34615ef6317edcd9a058a057bc54aa32 Gitweb: https://git.kernel.org/tip/7228918b34615ef6317edcd9a058a057b= c54aa32 Author: Ross Philipson AuthorDate: Wed, 23 Feb 2022 21:07:35 -05:00 Committer: Borislav Petkov CommitterDate: Wed, 09 Mar 2022 12:49:44 +01:00 x86/boot: Fix memremap of setup_indirect structures As documented, the setup_indirect structure is nested inside the setup_data structures in the setup_data list. The code currently accesses the fields inside the setup_indirect structure but only the sizeof(struct setup_data) is being memremapped. No crash occurred but this is just due to how the area is remapped under the covers. Properly memremap both the setup_data and setup_indirect structures in these cases before accessing them. Fixes: b3c72fc9a78e ("x86/boot: Introduce setup_indirect") Signed-off-by: Ross Philipson Signed-off-by: Borislav Petkov Reviewed-by: Daniel Kiper Cc: Link: https://lore.kernel.org/r/1645668456-22036-2-git-send-email-ross.phil= ipson@oracle.com --- arch/x86/kernel/e820.c | 41 ++++++++++++++------ arch/x86/kernel/kdebugfs.c | 37 +++++++++++++----- arch/x86/kernel/ksysfs.c | 77 +++++++++++++++++++++++++++++-------- arch/x86/kernel/setup.c | 34 ++++++++++++---- arch/x86/mm/ioremap.c | 24 ++++++++++-- 5 files changed, 166 insertions(+), 47 deletions(-) diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c index bc0657f..f267205 100644 --- a/arch/x86/kernel/e820.c +++ b/arch/x86/kernel/e820.c @@ -995,8 +995,10 @@ early_param("memmap", parse_memmap_opt); */ void __init e820__reserve_setup_data(void) { + struct setup_indirect *indirect; struct setup_data *data; - u64 pa_data; + u64 pa_data, pa_next; + u32 len; =20 pa_data =3D boot_params.hdr.setup_data; if (!pa_data) @@ -1004,6 +1006,14 @@ void __init e820__reserve_setup_data(void) =20 while (pa_data) { data =3D early_memremap(pa_data, sizeof(*data)); + if (!data) { + pr_warn("e820: failed to memremap setup_data entry\n"); + return; + } + + len =3D sizeof(*data); + pa_next =3D data->next; + e820__range_update(pa_data, sizeof(*data)+data->len, E820_TYPE_RAM, E820= _TYPE_RESERVED_KERN); =20 /* @@ -1015,18 +1025,27 @@ void __init e820__reserve_setup_data(void) sizeof(*data) + data->len, E820_TYPE_RAM, E820_TYPE_RESERVED_KERN); =20 - if (data->type =3D=3D SETUP_INDIRECT && - ((struct setup_indirect *)data->data)->type !=3D SETUP_INDIRECT) { - e820__range_update(((struct setup_indirect *)data->data)->addr, - ((struct setup_indirect *)data->data)->len, - E820_TYPE_RAM, E820_TYPE_RESERVED_KERN); - e820__range_update_kexec(((struct setup_indirect *)data->data)->addr, - ((struct setup_indirect *)data->data)->len, - E820_TYPE_RAM, E820_TYPE_RESERVED_KERN); + if (data->type =3D=3D SETUP_INDIRECT) { + len +=3D data->len; + early_memunmap(data, sizeof(*data)); + data =3D early_memremap(pa_data, len); + if (!data) { + pr_warn("e820: failed to memremap indirect setup_data\n"); + return; + } + + indirect =3D (struct setup_indirect *)data->data; + + if (indirect->type !=3D SETUP_INDIRECT) { + e820__range_update(indirect->addr, indirect->len, + E820_TYPE_RAM, E820_TYPE_RESERVED_KERN); + e820__range_update_kexec(indirect->addr, indirect->len, + E820_TYPE_RAM, E820_TYPE_RESERVED_KERN); + } } =20 - pa_data =3D data->next; - early_memunmap(data, sizeof(*data)); + pa_data =3D pa_next; + early_memunmap(data, len); } =20 e820__update_table(e820_table); diff --git a/arch/x86/kernel/kdebugfs.c b/arch/x86/kernel/kdebugfs.c index 64b6da9..e2e89be 100644 --- a/arch/x86/kernel/kdebugfs.c +++ b/arch/x86/kernel/kdebugfs.c @@ -88,11 +88,13 @@ create_setup_data_node(struct dentry *parent, int no, =20 static int __init create_setup_data_nodes(struct dentry *parent) { + struct setup_indirect *indirect; struct setup_data_node *node; struct setup_data *data; - int error; + u64 pa_data, pa_next; struct dentry *d; - u64 pa_data; + int error; + u32 len; int no =3D 0; =20 d =3D debugfs_create_dir("setup_data", parent); @@ -112,12 +114,29 @@ static int __init create_setup_data_nodes(struct dent= ry *parent) error =3D -ENOMEM; goto err_dir; } - - if (data->type =3D=3D SETUP_INDIRECT && - ((struct setup_indirect *)data->data)->type !=3D SETUP_INDIRECT) { - node->paddr =3D ((struct setup_indirect *)data->data)->addr; - node->type =3D ((struct setup_indirect *)data->data)->type; - node->len =3D ((struct setup_indirect *)data->data)->len; + pa_next =3D data->next; + + if (data->type =3D=3D SETUP_INDIRECT) { + len =3D sizeof(*data) + data->len; + memunmap(data); + data =3D memremap(pa_data, len, MEMREMAP_WB); + if (!data) { + kfree(node); + error =3D -ENOMEM; + goto err_dir; + } + + indirect =3D (struct setup_indirect *)data->data; + + if (indirect->type !=3D SETUP_INDIRECT) { + node->paddr =3D indirect->addr; + node->type =3D indirect->type; + node->len =3D indirect->len; + } else { + node->paddr =3D pa_data; + node->type =3D data->type; + node->len =3D data->len; + } } else { node->paddr =3D pa_data; node->type =3D data->type; @@ -125,7 +144,7 @@ static int __init create_setup_data_nodes(struct dentry= *parent) } =20 create_setup_data_node(d, no, node); - pa_data =3D data->next; + pa_data =3D pa_next; =20 memunmap(data); no++; diff --git a/arch/x86/kernel/ksysfs.c b/arch/x86/kernel/ksysfs.c index d0a1912..257892f 100644 --- a/arch/x86/kernel/ksysfs.c +++ b/arch/x86/kernel/ksysfs.c @@ -91,26 +91,41 @@ static int get_setup_data_paddr(int nr, u64 *paddr) =20 static int __init get_setup_data_size(int nr, size_t *size) { - int i =3D 0; + u64 pa_data =3D boot_params.hdr.setup_data, pa_next; + struct setup_indirect *indirect; struct setup_data *data; - u64 pa_data =3D boot_params.hdr.setup_data; + int i =3D 0; + u32 len; =20 while (pa_data) { data =3D memremap(pa_data, sizeof(*data), MEMREMAP_WB); if (!data) return -ENOMEM; + pa_next =3D data->next; + if (nr =3D=3D i) { - if (data->type =3D=3D SETUP_INDIRECT && - ((struct setup_indirect *)data->data)->type !=3D SETUP_INDIRECT) - *size =3D ((struct setup_indirect *)data->data)->len; - else + if (data->type =3D=3D SETUP_INDIRECT) { + len =3D sizeof(*data) + data->len; + memunmap(data); + data =3D memremap(pa_data, len, MEMREMAP_WB); + if (!data) + return -ENOMEM; + + indirect =3D (struct setup_indirect *)data->data; + + if (indirect->type !=3D SETUP_INDIRECT) + *size =3D indirect->len; + else + *size =3D data->len; + } else { *size =3D data->len; + } =20 memunmap(data); return 0; } =20 - pa_data =3D data->next; + pa_data =3D pa_next; memunmap(data); i++; } @@ -120,9 +135,11 @@ static int __init get_setup_data_size(int nr, size_t *= size) static ssize_t type_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) { + struct setup_indirect *indirect; + struct setup_data *data; int nr, ret; u64 paddr; - struct setup_data *data; + u32 len; =20 ret =3D kobj_to_setup_data_nr(kobj, &nr); if (ret) @@ -135,10 +152,20 @@ static ssize_t type_show(struct kobject *kobj, if (!data) return -ENOMEM; =20 - if (data->type =3D=3D SETUP_INDIRECT) - ret =3D sprintf(buf, "0x%x\n", ((struct setup_indirect *)data->data)->ty= pe); - else + if (data->type =3D=3D SETUP_INDIRECT) { + len =3D sizeof(*data) + data->len; + memunmap(data); + data =3D memremap(paddr, len, MEMREMAP_WB); + if (!data) + return -ENOMEM; + + indirect =3D (struct setup_indirect *)data->data; + + ret =3D sprintf(buf, "0x%x\n", indirect->type); + } else { ret =3D sprintf(buf, "0x%x\n", data->type); + } + memunmap(data); return ret; } @@ -149,9 +176,10 @@ static ssize_t setup_data_data_read(struct file *fp, char *buf, loff_t off, size_t count) { + struct setup_indirect *indirect; + struct setup_data *data; int nr, ret =3D 0; u64 paddr, len; - struct setup_data *data; void *p; =20 ret =3D kobj_to_setup_data_nr(kobj, &nr); @@ -165,10 +193,27 @@ static ssize_t setup_data_data_read(struct file *fp, if (!data) return -ENOMEM; =20 - if (data->type =3D=3D SETUP_INDIRECT && - ((struct setup_indirect *)data->data)->type !=3D SETUP_INDIRECT) { - paddr =3D ((struct setup_indirect *)data->data)->addr; - len =3D ((struct setup_indirect *)data->data)->len; + if (data->type =3D=3D SETUP_INDIRECT) { + len =3D sizeof(*data) + data->len; + memunmap(data); + data =3D memremap(paddr, len, MEMREMAP_WB); + if (!data) + return -ENOMEM; + + indirect =3D (struct setup_indirect *)data->data; + + if (indirect->type !=3D SETUP_INDIRECT) { + paddr =3D indirect->addr; + len =3D indirect->len; + } else { + /* + * Even though this is technically undefined, return + * the data as though it is a normal setup_data struct. + * This will at least allow it to be inspected. + */ + paddr +=3D sizeof(*data); + len =3D data->len; + } } else { paddr +=3D sizeof(*data); len =3D data->len; diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index f7a132e..90d7e17 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -369,21 +369,41 @@ static void __init parse_setup_data(void) =20 static void __init memblock_x86_reserve_range_setup_data(void) { + struct setup_indirect *indirect; struct setup_data *data; - u64 pa_data; + u64 pa_data, pa_next; + u32 len; =20 pa_data =3D boot_params.hdr.setup_data; while (pa_data) { data =3D early_memremap(pa_data, sizeof(*data)); + if (!data) { + pr_warn("setup: failed to memremap setup_data entry\n"); + return; + } + + len =3D sizeof(*data); + pa_next =3D data->next; + memblock_reserve(pa_data, sizeof(*data) + data->len); =20 - if (data->type =3D=3D SETUP_INDIRECT && - ((struct setup_indirect *)data->data)->type !=3D SETUP_INDIRECT) - memblock_reserve(((struct setup_indirect *)data->data)->addr, - ((struct setup_indirect *)data->data)->len); + if (data->type =3D=3D SETUP_INDIRECT) { + len +=3D data->len; + early_memunmap(data, sizeof(*data)); + data =3D early_memremap(pa_data, len); + if (!data) { + pr_warn("setup: failed to memremap indirect setup_data\n"); + return; + } =20 - pa_data =3D data->next; - early_memunmap(data, sizeof(*data)); + indirect =3D (struct setup_indirect *)data->data; + + if (indirect->type !=3D SETUP_INDIRECT) + memblock_reserve(indirect->addr, indirect->len); + } + + pa_data =3D pa_next; + early_memunmap(data, len); } } =20 diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index 026031b..ab666c4 100644 --- a/arch/x86/mm/ioremap.c +++ b/arch/x86/mm/ioremap.c @@ -615,6 +615,7 @@ static bool memremap_is_efi_data(resource_size_t phys_a= ddr, static bool memremap_is_setup_data(resource_size_t phys_addr, unsigned long size) { + struct setup_indirect *indirect; struct setup_data *data; u64 paddr, paddr_next; =20 @@ -627,6 +628,10 @@ static bool memremap_is_setup_data(resource_size_t phy= s_addr, =20 data =3D memremap(paddr, sizeof(*data), MEMREMAP_WB | MEMREMAP_DEC); + if (!data) { + pr_warn("failed to memremap setup_data entry\n"); + return false; + } =20 paddr_next =3D data->next; len =3D data->len; @@ -636,10 +641,21 @@ static bool memremap_is_setup_data(resource_size_t ph= ys_addr, return true; } =20 - if (data->type =3D=3D SETUP_INDIRECT && - ((struct setup_indirect *)data->data)->type !=3D SETUP_INDIRECT) { - paddr =3D ((struct setup_indirect *)data->data)->addr; - len =3D ((struct setup_indirect *)data->data)->len; + if (data->type =3D=3D SETUP_INDIRECT) { + memunmap(data); + data =3D memremap(paddr, sizeof(*data) + len, + MEMREMAP_WB | MEMREMAP_DEC); + if (!data) { + pr_warn("failed to memremap indirect setup_data\n"); + return false; + } + + indirect =3D (struct setup_indirect *)data->data; + + if (indirect->type !=3D SETUP_INDIRECT) { + paddr =3D indirect->addr; + len =3D indirect->len; + } } =20 memunmap(data);