On Tue, Jun 23, 2020 at 10:16:19AM +0200, Ard Biesheuvel wrote:
> On Tue, 23 Jun 2020 at 10:13, Will Deacon <will@xxxxxxxxxx> wrote:
> > On Mon, Jun 22, 2020 at 11:27:19AM +0200, Ard Biesheuvel wrote:
> > > diff --git a/arch/arm64/include/asm/acpi.h b/arch/arm64/include/asm/acpi.h
> > > index a45366c3909b..18dcef4e6764 100644
> > > --- a/arch/arm64/include/asm/acpi.h
> > > +++ b/arch/arm64/include/asm/acpi.h
> > > @@ -50,9 +50,9 @@ pgprot_t __acpi_get_mem_attribute(phys_addr_t addr);
> > > static inline void __iomem *acpi_os_ioremap(acpi_physical_address phys,
> > > acpi_size size)
> > > {
> > > - /* For normal memory we already have a cacheable mapping. */
> > > + /* Don't allow access to kernel memory from AML code */
> > > if (memblock_is_map_memory(phys))
> > > - return (void __iomem *)__phys_to_virt(phys);
> > > + return NULL;
> >
> > I wonder if it would be better to poison this so that if we do see reports
> > of AML crashes we'll know straight away that it tried to access memory
> > mapped by the linear region, as opposed to some other NULL dereference.
> >
>
> We could just add a WARN_ONCE() here, no?
Yeah, or that, or a firmware taint. Just something to distinguish this
from other NULL pointer derefs.
> > Anyway, no objections to the idea. Be good for some of the usual ACPI
> > suspects to check this doesn't blow up immediately, though.
> >
>
> Indeed, hence the RFC. Jason does have a point regarding the range
> check, so I will try to do something about that and send a v2.
Ok, I'll keep an eye out for it.
Will
