Re: [PATCH v2] bootconfig: use memblock_free_late to free xbc memory to buddy
On Sat, Apr 13, 2024 at 09:21:38PM +0900, Masami Hiramatsu wrote: >Hi Qiang, > >I found xbc_free_mem() missed to check !addr. When I booted kernel without >bootconfig data but with "bootconfig" cmdline, I got a kernel crash below; > > >[2.394904] [ cut here ] >[2.396490] kernel BUG at arch/x86/mm/physaddr.c:28! >[2.398176] invalid opcode: [#1] PREEMPT SMP PTI >[2.399388] CPU: 7 PID: 1 Comm: swapper/0 Tainted: G N >6.9.0-rc3-4-g121fbb463836 #10 >[2.401579] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >1.15.0-1 04/01/2014 >[2.403247] RIP: 0010:__phys_addr+0x40/0x60 >[2.404196] Code: 48 2b 05 fb a4 3d 01 48 05 00 00 00 80 48 39 c7 72 17 0f >b6 0d ee 9e c0 01 48 89 c2 48 d3 ea 48 85 d2 75 05 c3 cc cc cc cc 90 <0f> 0b >48 03 05 e7 e2 9d 01 48 81 ff ff ff ff 1f 76 e8 90 0f6 >[2.407250] RSP: :c9013f18 EFLAGS: 00010287 >[2.407991] RAX: 7780 RBX: 81c17940 RCX: >008a >[2.408891] RDX: 008b RSI: 88800775f320 RDI: >8000 >[2.409727] RBP: R08: R09: > >[2.410555] R10: 888005028a60 R11: 008a R12: > >[2.411423] R13: R14: R15: > >[2.412155] FS: () GS:88807d9c() >knlGS: >[2.412970] CS: 0010 DS: ES: CR0: 80050033 >[2.413550] CR2: CR3: 02a48000 CR4: >06b0 >[2.414264] Call Trace: >[2.414520] >[2.414755] ? die+0x37/0x90 >[2.415062] ? do_trap+0xe3/0x110 >[2.415451] ? __phys_addr+0x40/0x60 >[2.415822] ? do_error_trap+0x9c/0x120 >[2.416215] ? __phys_addr+0x40/0x60 >[2.416573] ? __phys_addr+0x40/0x60 >[2.416968] ? exc_invalid_op+0x53/0x70 >[2.417358] ? __phys_addr+0x40/0x60 >[2.417709] ? asm_exc_invalid_op+0x1a/0x20 >[2.418122] ? __pfx_kernel_init+0x10/0x10 >[2.418569] ? __phys_addr+0x40/0x60 >[2.418960] _xbc_exit+0x74/0xc0 >[2.419374] kernel_init+0x3a/0x1c0 >[2.419764] ret_from_fork+0x34/0x50 >[2.420132] ? __pfx_kernel_init+0x10/0x10 >[2.420578] ret_from_fork_asm+0x1a/0x30 >[2.420973] >[2.421200] Modules linked in: >[2.421598] ---[ end trace ]--- >[2.422053] RIP: 0010:__phys_addr+0x40/0x60 >[2.422484] Code: 48 2b 05 fb a4 3d 01 48 05 00 00 00 80 48 39 c7 72 17 0f >b6 0d ee 9e c0 01 48 89 c2 48 d3 ea 48 85 d2 75 05 c3 cc cc cc cc 90 <0f> 0b >48 03 05 e7 e2 9d 01 48 81 ff ff ff ff 1f 76 e8 90 0f6 >[2.424294] RSP: :c9013f18 EFLAGS: 00010287 >[2.424769] RAX: 7780 RBX: 81c17940 RCX: >008a >[2.425378] RDX: 008b RSI: 88800775f320 RDI: >8000 >[2.425993] RBP: R08: R09: > >[2.426589] R10: 888005028a60 R11: 008a R12: > >[2.427156] R13: R14: R15: > >[2.427746] FS: () GS:88807d9c() >knlGS: >[2.428368] CS: 0010 DS: ES: CR0: 80050033 >[2.428820] CR2: CR3: 02a48000 CR4: >06b0 >[2.429373] Kernel panic - not syncing: Fatal exception >[2.429982] Kernel Offset: disabled >[2.430261] ---[ end Kernel panic - not syncing: Fatal exception ]--- > >Adding below patch fixed it. > >diff --git a/lib/bootconfig.c b/lib/bootconfig.c >index f9a45adc6307..8841554432d5 100644 >--- a/lib/bootconfig.c >+++ b/lib/bootconfig.c >@@ -65,7 +65,7 @@ static inline void __init xbc_free_mem(void *addr, size_t >size, bool early) > { > if (early) > memblock_free(addr, size); >- else >+ else if (addr) > memblock_free_late(__pa(addr), size); > } > >Can you update with this fix? Sure. > >Thank you, > > >On Fri, 12 Apr 2024 22:18:20 +0900 >Masami Hiramatsu (Google) wrote: > >> On Fri, 12 Apr 2024 18:49:41 +0800 >> qiang4.zh...@linux.intel.com wrote: >> >> > From: Qiang Zhang >> > >> > On the time to free xbc memory in xbc_exit(), memblock may has handed >> > over memory to buddy allocator. So it doesn't make sense to free memory >> > back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs >> > on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86. >> > Following KASAN logs shows this case. >> > >> > This patch fixes the xbc memory free problem by calling memblock_free() >> > in early xbc init error rewind path and calling memblock_free_late() in >> > xbc exit path to free memory to buddy allocator. >> > >> > [9.410890] >> > == >> > [9.418962] BUG: KASAN: use-after-free in >> >
Re: [PATCH v2] bootconfig: use memblock_free_late to free xbc memory to buddy
Hi Qiang, I found xbc_free_mem() missed to check !addr. When I booted kernel without bootconfig data but with "bootconfig" cmdline, I got a kernel crash below; [2.394904] [ cut here ] [2.396490] kernel BUG at arch/x86/mm/physaddr.c:28! [2.398176] invalid opcode: [#1] PREEMPT SMP PTI [2.399388] CPU: 7 PID: 1 Comm: swapper/0 Tainted: G N 6.9.0-rc3-4-g121fbb463836 #10 [2.401579] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [2.403247] RIP: 0010:__phys_addr+0x40/0x60 [2.404196] Code: 48 2b 05 fb a4 3d 01 48 05 00 00 00 80 48 39 c7 72 17 0f b6 0d ee 9e c0 01 48 89 c2 48 d3 ea 48 85 d2 75 05 c3 cc cc cc cc 90 <0f> 0b 48 03 05 e7 e2 9d 01 48 81 ff ff ff ff 1f 76 e8 90 0f6 [2.407250] RSP: :c9013f18 EFLAGS: 00010287 [2.407991] RAX: 7780 RBX: 81c17940 RCX: 008a [2.408891] RDX: 008b RSI: 88800775f320 RDI: 8000 [2.409727] RBP: R08: R09: [2.410555] R10: 888005028a60 R11: 008a R12: [2.411423] R13: R14: R15: [2.412155] FS: () GS:88807d9c() knlGS: [2.412970] CS: 0010 DS: ES: CR0: 80050033 [2.413550] CR2: CR3: 02a48000 CR4: 06b0 [2.414264] Call Trace: [2.414520] [2.414755] ? die+0x37/0x90 [2.415062] ? do_trap+0xe3/0x110 [2.415451] ? __phys_addr+0x40/0x60 [2.415822] ? do_error_trap+0x9c/0x120 [2.416215] ? __phys_addr+0x40/0x60 [2.416573] ? __phys_addr+0x40/0x60 [2.416968] ? exc_invalid_op+0x53/0x70 [2.417358] ? __phys_addr+0x40/0x60 [2.417709] ? asm_exc_invalid_op+0x1a/0x20 [2.418122] ? __pfx_kernel_init+0x10/0x10 [2.418569] ? __phys_addr+0x40/0x60 [2.418960] _xbc_exit+0x74/0xc0 [2.419374] kernel_init+0x3a/0x1c0 [2.419764] ret_from_fork+0x34/0x50 [2.420132] ? __pfx_kernel_init+0x10/0x10 [2.420578] ret_from_fork_asm+0x1a/0x30 [2.420973] [2.421200] Modules linked in: [2.421598] ---[ end trace ]--- [2.422053] RIP: 0010:__phys_addr+0x40/0x60 [2.422484] Code: 48 2b 05 fb a4 3d 01 48 05 00 00 00 80 48 39 c7 72 17 0f b6 0d ee 9e c0 01 48 89 c2 48 d3 ea 48 85 d2 75 05 c3 cc cc cc cc 90 <0f> 0b 48 03 05 e7 e2 9d 01 48 81 ff ff ff ff 1f 76 e8 90 0f6 [2.424294] RSP: :c9013f18 EFLAGS: 00010287 [2.424769] RAX: 7780 RBX: 81c17940 RCX: 008a [2.425378] RDX: 008b RSI: 88800775f320 RDI: 8000 [2.425993] RBP: R08: R09: [2.426589] R10: 888005028a60 R11: 008a R12: [2.427156] R13: R14: R15: [2.427746] FS: () GS:88807d9c() knlGS: [2.428368] CS: 0010 DS: ES: CR0: 80050033 [2.428820] CR2: CR3: 02a48000 CR4: 06b0 [2.429373] Kernel panic - not syncing: Fatal exception [2.429982] Kernel Offset: disabled [2.430261] ---[ end Kernel panic - not syncing: Fatal exception ]--- Adding below patch fixed it. diff --git a/lib/bootconfig.c b/lib/bootconfig.c index f9a45adc6307..8841554432d5 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -65,7 +65,7 @@ static inline void __init xbc_free_mem(void *addr, size_t size, bool early) { if (early) memblock_free(addr, size); - else + else if (addr) memblock_free_late(__pa(addr), size); } Can you update with this fix? Thank you, On Fri, 12 Apr 2024 22:18:20 +0900 Masami Hiramatsu (Google) wrote: > On Fri, 12 Apr 2024 18:49:41 +0800 > qiang4.zh...@linux.intel.com wrote: > > > From: Qiang Zhang > > > > On the time to free xbc memory in xbc_exit(), memblock may has handed > > over memory to buddy allocator. So it doesn't make sense to free memory > > back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs > > on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86. > > Following KASAN logs shows this case. > > > > This patch fixes the xbc memory free problem by calling memblock_free() > > in early xbc init error rewind path and calling memblock_free_late() in > > xbc exit path to free memory to buddy allocator. > > > > [9.410890] > > == > > [9.418962] BUG: KASAN: use-after-free in > > memblock_isolate_range+0x12d/0x260 > > [9.426850] Read of size 8 at addr 88845dd3 by task swapper/0/1 > > > > [9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U > >
Re: [PATCH v2] bootconfig: use memblock_free_late to free xbc memory to buddy
On Fri, 12 Apr 2024 18:49:41 +0800 qiang4.zh...@linux.intel.com wrote: > From: Qiang Zhang > > On the time to free xbc memory in xbc_exit(), memblock may has handed > over memory to buddy allocator. So it doesn't make sense to free memory > back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs > on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86. > Following KASAN logs shows this case. > > This patch fixes the xbc memory free problem by calling memblock_free() > in early xbc init error rewind path and calling memblock_free_late() in > xbc exit path to free memory to buddy allocator. > > [9.410890] > == > [9.418962] BUG: KASAN: use-after-free in > memblock_isolate_range+0x12d/0x260 > [9.426850] Read of size 8 at addr 88845dd3 by task swapper/0/1 > > [9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U > 6.9.0-rc3-00208-g586b5dfb51b9 #5 > [9.446403] Hardware name: Intel Corporation RPLP LP5 > (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D- > Dec 28 2023 > [9.460789] Call Trace: > [9.463518] > [9.465859] dump_stack_lvl+0x53/0x70 > [9.469949] print_report+0xce/0x610 > [9.473944] ? __virt_addr_valid+0xf5/0x1b0 > [9.478619] ? memblock_isolate_range+0x12d/0x260 > [9.483877] kasan_report+0xc6/0x100 > [9.487870] ? memblock_isolate_range+0x12d/0x260 > [9.493125] memblock_isolate_range+0x12d/0x260 > [9.498187] memblock_phys_free+0xb4/0x160 > [9.502762] ? __pfx_memblock_phys_free+0x10/0x10 > [9.508021] ? mutex_unlock+0x7e/0xd0 > [9.512111] ? __pfx_mutex_unlock+0x10/0x10 > [9.516786] ? kernel_init_freeable+0x2d4/0x430 > [9.521850] ? __pfx_kernel_init+0x10/0x10 > [9.526426] xbc_exit+0x17/0x70 > [9.529935] kernel_init+0x38/0x1e0 > [9.533829] ? _raw_spin_unlock_irq+0xd/0x30 > [9.538601] ret_from_fork+0x2c/0x50 > [9.542596] ? __pfx_kernel_init+0x10/0x10 > [9.547170] ret_from_fork_asm+0x1a/0x30 > [9.551552] > > [9.555649] The buggy address belongs to the physical page: > [9.561875] page: refcount:0 mapcount:0 mapping: index:0x1 > pfn:0x45dd30 > [9.570821] flags: 0x200(node=0|zone=2) > [9.576271] page_type: 0x() > [9.580167] raw: 0200 ea0011774c48 ea0012ba1848 > > [9.588823] raw: 0001 > > [9.597476] page dumped because: kasan: bad access detected > > [9.605362] Memory state around the buggy address: > [9.610714] 88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 00 00 > [9.618786] 88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 00 00 > [9.626857] >88845dd3: ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ff ff > [9.634930]^ > [9.638534] 88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ff ff > [9.646605] 88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ff ff > [9.654675] > == > > Cc: sta...@vger.kernel.org > Signed-off-by: Qiang Zhang Looks good to me. Acked-by: Masami Hiramatsu (Google) Also, Fixes: 40caa127f3c7 ("init: bootconfig: Remove all bootconfig data when the init memory is removed") Let me pick this for bootconfig/fixes. Thanks! > --- > v2: > - add an early flag in xbc_free_mem() to free memory back to memblock in > xbc_init error path or put memory to buddy allocator in normal xbc_exit. > > --- > include/linux/bootconfig.h | 7 ++- > lib/bootconfig.c | 19 +++ > 2 files changed, 17 insertions(+), 9 deletions(-) > > diff --git a/include/linux/bootconfig.h b/include/linux/bootconfig.h > index e5ee2c694401..3f4b4ac527ca 100644 > --- a/include/linux/bootconfig.h > +++ b/include/linux/bootconfig.h > @@ -288,7 +288,12 @@ int __init xbc_init(const char *buf, size_t size, const > char **emsg, int *epos); > int __init xbc_get_info(int *node_size, size_t *data_size); > > /* XBC cleanup data structures */ > -void __init xbc_exit(void); > +void __init _xbc_exit(bool early); > + > +static inline void xbc_exit(void) > +{ > + _xbc_exit(false); > +} > > /* XBC embedded bootconfig data in kernel */ > #ifdef CONFIG_BOOT_CONFIG_EMBED > diff --git a/lib/bootconfig.c b/lib/bootconfig.c > index c59d26068a64..f9a45adc6307 100644 > --- a/lib/bootconfig.c > +++ b/lib/bootconfig.c > @@ -61,9 +61,12 @@ static inline void * __init xbc_alloc_mem(size_t size) > return memblock_alloc(size, SMP_CACHE_BYTES); > } > > -static inline void __init xbc_free_mem(void *addr, size_t size) > +static inline void __init xbc_free_mem(void *addr, size_t size, bool early) > { > - memblock_free(addr, size); > + if (early) > +
[PATCH v2] bootconfig: use memblock_free_late to free xbc memory to buddy
From: Qiang Zhang On the time to free xbc memory in xbc_exit(), memblock may has handed over memory to buddy allocator. So it doesn't make sense to free memory back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86. Following KASAN logs shows this case. This patch fixes the xbc memory free problem by calling memblock_free() in early xbc init error rewind path and calling memblock_free_late() in xbc exit path to free memory to buddy allocator. [9.410890] == [9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260 [9.426850] Read of size 8 at addr 88845dd3 by task swapper/0/1 [9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5 [9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D- Dec 28 2023 [9.460789] Call Trace: [9.463518] [9.465859] dump_stack_lvl+0x53/0x70 [9.469949] print_report+0xce/0x610 [9.473944] ? __virt_addr_valid+0xf5/0x1b0 [9.478619] ? memblock_isolate_range+0x12d/0x260 [9.483877] kasan_report+0xc6/0x100 [9.487870] ? memblock_isolate_range+0x12d/0x260 [9.493125] memblock_isolate_range+0x12d/0x260 [9.498187] memblock_phys_free+0xb4/0x160 [9.502762] ? __pfx_memblock_phys_free+0x10/0x10 [9.508021] ? mutex_unlock+0x7e/0xd0 [9.512111] ? __pfx_mutex_unlock+0x10/0x10 [9.516786] ? kernel_init_freeable+0x2d4/0x430 [9.521850] ? __pfx_kernel_init+0x10/0x10 [9.526426] xbc_exit+0x17/0x70 [9.529935] kernel_init+0x38/0x1e0 [9.533829] ? _raw_spin_unlock_irq+0xd/0x30 [9.538601] ret_from_fork+0x2c/0x50 [9.542596] ? __pfx_kernel_init+0x10/0x10 [9.547170] ret_from_fork_asm+0x1a/0x30 [9.551552] [9.555649] The buggy address belongs to the physical page: [9.561875] page: refcount:0 mapcount:0 mapping: index:0x1 pfn:0x45dd30 [9.570821] flags: 0x200(node=0|zone=2) [9.576271] page_type: 0x() [9.580167] raw: 0200 ea0011774c48 ea0012ba1848 [9.588823] raw: 0001 [9.597476] page dumped because: kasan: bad access detected [9.605362] Memory state around the buggy address: [9.610714] 88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [9.618786] 88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [9.626857] >88845dd3: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [9.634930]^ [9.638534] 88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [9.646605] 88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [9.654675] == Cc: sta...@vger.kernel.org Signed-off-by: Qiang Zhang --- v2: - add an early flag in xbc_free_mem() to free memory back to memblock in xbc_init error path or put memory to buddy allocator in normal xbc_exit. --- include/linux/bootconfig.h | 7 ++- lib/bootconfig.c | 19 +++ 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/include/linux/bootconfig.h b/include/linux/bootconfig.h index e5ee2c694401..3f4b4ac527ca 100644 --- a/include/linux/bootconfig.h +++ b/include/linux/bootconfig.h @@ -288,7 +288,12 @@ int __init xbc_init(const char *buf, size_t size, const char **emsg, int *epos); int __init xbc_get_info(int *node_size, size_t *data_size); /* XBC cleanup data structures */ -void __init xbc_exit(void); +void __init _xbc_exit(bool early); + +static inline void xbc_exit(void) +{ + _xbc_exit(false); +} /* XBC embedded bootconfig data in kernel */ #ifdef CONFIG_BOOT_CONFIG_EMBED diff --git a/lib/bootconfig.c b/lib/bootconfig.c index c59d26068a64..f9a45adc6307 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -61,9 +61,12 @@ static inline void * __init xbc_alloc_mem(size_t size) return memblock_alloc(size, SMP_CACHE_BYTES); } -static inline void __init xbc_free_mem(void *addr, size_t size) +static inline void __init xbc_free_mem(void *addr, size_t size, bool early) { - memblock_free(addr, size); + if (early) + memblock_free(addr, size); + else + memblock_free_late(__pa(addr), size); } #else /* !__KERNEL__ */ @@ -73,7 +76,7 @@ static inline void *xbc_alloc_mem(size_t size) return malloc(size); } -static inline void xbc_free_mem(void *addr, size_t size) +static inline void xbc_free_mem(void *addr, size_t size, bool early) { free(addr); } @@ -904,13 +907,13 @@ static int __init xbc_parse_tree(void) * If you need to reuse xbc_init() with new boot config, you can * use this. */