Date: Fri, 28 Jul 2023 09:36:37 -0700
From: Guenter Roeck
To: Rik van Riel
Cc: Mike Rapoport, Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@meta.com
Subject: Re: [PATCH] mm,memblock: reset memblock.reserved to system init state to prevent UAF
References: <20230719154137.732d8525@imladris.surriel.com> <8a48adce-3ad5-4793-8ca6-0b9f59e14665@roeck-us.net>
In-Reply-To: <8a48adce-3ad5-4793-8ca6-0b9f59e14665@roeck-us.net>
On Fri, Jul 28, 2023 at 09:09:09AM -0700, Guenter Roeck wrote:
> Hi,
>
> On Wed, Jul 19, 2023 at 03:41:37PM -0400, Rik van Riel wrote:
> > The memblock_discard function frees the memblock.reserved.regions
> > array, which is good.
> >
> > However, if a subsequent memblock_free (or memblock_phys_free) comes
> > in later, from for example ima_free_kexec_buffer, that will result in
> > a use after free bug in memblock_isolate_range.
> >
> > When running a kernel with CONFIG_KASAN enabled, this will cause a
> > kernel panic very early in boot. Without CONFIG_KASAN, there is
> > a chance that memblock_isolate_range might scribble on memory
> > that is now in use by somebody else.
> >
> > Avoid those issues by making sure that memblock_discard points
> > memblock.reserved.regions back at the static buffer.
> >
> > If memblock_discard is called while there is still memory
> > in the memblock.reserved type, that will print a warning
> > in memblock_remove_region.
> >
> > Signed-off-by: Rik van Riel
>
> This patch results in the following WARNING backtrace when booting sparc
> or sparc64 images in qemu. Bisect log is attached.
>

Follow-up: On sparc64, this patch also results in the following backtrace.
[    2.931808] BUG: scheduling while atomic: swapper/0/1/0x00000002
[    2.932865] no locks held by swapper/0/1.
[    2.933722] Modules linked in:
[    2.934627] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc3+ #1
[    2.935604] Call Trace:
[    2.936315] [<00000000004a0610>] __schedule_bug+0x70/0x80
[    2.937174] [<0000000000f68f50>] switch_to_pc+0x598/0x8e8
[    2.937999] [<0000000000f69300>] schedule+0x60/0xe0
[    2.938811] [<0000000000f72d2c>] schedule_timeout+0x10c/0x1c0
[    2.939668] [<0000000000f69be0>] __wait_for_common+0xa0/0x1a0
[    2.940510] [<0000000000f69d98>] wait_for_completion_killable+0x18/0x40
[    2.941402] [<0000000000494dec>] __kthread_create_on_node+0xac/0x120
[    2.942259] [<0000000000494e80>] kthread_create_on_node+0x20/0x40
[    2.943023] [<0000000001b81348>] devtmpfs_init+0xb4/0x140
[    2.943777] [<0000000001b81068>] driver_init+0x10/0x60
[    2.944528] [<0000000001b56e4c>] kernel_init_freeable+0xd4/0x228
[    2.945300] [<0000000000f67404>] kernel_init+0x18/0x134
[    2.946026] [<00000000004060e8>] ret_from_fork+0x1c/0x2c
[    2.946757] [<0000000000000000>] 0x0
[    2.959537] devtmpfs: initialized

While that seemed unlikely (and I don't claim to understand it), I ran bisect
separately and confirmed that both tracebacks are gone after reverting this
patch.

Guenter
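The array lifecycle the quoted commit message describes (a region table that starts on a static buffer, grows onto the heap, is discarded late in boot, and then receives a late free) as an added, self-contained model. This is illustration written for this page, not code from the thread or from the kernel's memblock implementation; `region_table`, `static_regions`, `table_reserve`, `table_free` and `table_discard` are hypothetical stand-ins for `memblock_type`, `memblock.reserved.regions`, `memblock_reserve`, `memblock_free` and `memblock_discard`, and the region values are constructed. The discard step does what the patch says: it releases the heap array and points the table back at the static buffer, so a later free walks valid memory instead of a freed allocation, and it warns when regions are still present at discard time.

```c
/* Added model of the memblock.reserved array lifecycle (not kernel code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define INIT_REGIONS 4

struct region {
    uint64_t base;
    uint64_t size;
};

struct region_table {
    struct region *regions;   /* static_regions or a heap array */
    size_t cnt;
    size_t max;
};

/* The static buffer the table starts on (the "system init state"). */
static struct region static_regions[INIT_REGIONS];

static struct region_table reserved = {
    .regions = static_regions, .cnt = 0, .max = INIT_REGIONS,
};

/* True when the table is backed by the static buffer, not the heap. */
bool table_is_static(const struct region_table *t)
{
    return t->regions == static_regions;
}

/* Append a region, moving to a heap array when the current one is full. */
int table_reserve(struct region_table *t, uint64_t base, uint64_t size)
{
    if (t->cnt == t->max) {
        size_t new_max = t->max * 2;
        struct region *grown = malloc(new_max * sizeof(*grown));
        if (!grown)
            return -1;
        memcpy(grown, t->regions, t->cnt * sizeof(*grown));
        if (!table_is_static(t))
            free(t->regions);   /* only a heap copy is ours to free */
        t->regions = grown;
        t->max = new_max;
    }
    t->regions[t->cnt].base = base;
    t->regions[t->cnt].size = size;
    t->cnt++;
    return 0;
}

/* Remove the region matching [base, base+size). Returns 1 if removed, 0 if
 * nothing matched. After a discard this walks the static buffer only. */
int table_free(struct region_table *t, uint64_t base, uint64_t size)
{
    for (size_t i = 0; i < t->cnt; i++) {
        if (t->regions[i].base == base && t->regions[i].size == size) {
            memmove(&t->regions[i], &t->regions[i + 1],
                    (t->cnt - i - 1) * sizeof(*t->regions));
            t->cnt--;
            return 1;
        }
    }
    return 0;
}

/* Release the heap array and reset the table to its init state. Returns the
 * number of regions still present, which is reported as a warning (the
 * patch description says discard with memory still reserved warns). */
size_t table_discard(struct region_table *t)
{
    size_t leftover = t->cnt;

    if (leftover)
        fprintf(stderr, "warning: discarding %zu still-reserved regions\n",
                leftover);
    if (!table_is_static(t))
        free(t->regions);
    t->regions = static_regions;   /* the fix: never leave a dangling pointer */
    t->cnt = 0;
    t->max = INIT_REGIONS;
    return leftover;
}

/* Constructed late-boot sequence: grow onto the heap, discard, then a late
 * free (the ima_free_kexec_buffer case). Returns 0 when the late free ran
 * against the static buffer, a negative code otherwise. */
int late_free_after_discard(void)
{
    struct region_table *t = &reserved;

    for (uint64_t i = 0; i < INIT_REGIONS + 2; i++)
        if (table_reserve(t, i * 0x100000, 0x100000))
            return -1;
    if (table_is_static(t))
        return -2;              /* should have grown onto the heap */
    table_discard(t);           /* frees the heap array, resets to static */
    if (!table_is_static(t))
        return -3;
    /* Without the reset this read would hit freed memory; here it misses. */
    if (table_free(t, 0x100000, 0x100000) != 0)
        return -4;
    return 0;
}

int main(void)
{
    int rc = late_free_after_discard();
    printf("late free after discard: %s (rc=%d)\n",
           rc == 0 ? "safe" : "problem", rc);
    return rc == 0 ? 0 : 1;
}
```

Building with `-fsanitize=address` and deleting the two reset lines in `table_discard` turns the late `table_free` into the heap-use-after-free the commit message describes, which is the same class of defect KASAN reports in the kernel case.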