Patch "mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer" has been added to the 6.4-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sat, 26 Aug 2023 21:57:00 +0200

This is a note to let you know that I've just added the patch titled

    mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From f0362a253606e2031f8d61c74195d4d6556e12a4 Mon Sep 17 00:00:00 2001
From: Rik van Riel <riel@xxxxxxxxxxx>
Date: Thu, 17 Aug 2023 13:57:59 -0400
Subject: mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer

From: Rik van Riel <riel@xxxxxxxxxxx>

commit f0362a253606e2031f8d61c74195d4d6556e12a4 upstream.

The code calling ima_free_kexec_buffer runs long after the memblock
allocator has already been torn down, potentially resulting in a use
after free in memblock_isolate_range.

With KASAN or KFENCE, this use after free will result in a BUG
from the idle task, and a subsequent kernel panic.

Switch ima_free_kexec_buffer over to memblock_free_late to avoid
that issue.

Fixes: fee3ff99bc67 ("powerpc: Move arch independent ima kexec functions to drivers/of/kexec.c")
Cc: stable@xxxxxxxxxx
Signed-off-by: Rik van Riel <riel@xxxxxxxxxxx>
Suggested-by: Mike Rappoport <rppt@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20230817135759.0888e5ef@xxxxxxxxxxxxxxxxxxxx
Signed-off-by: Rob Herring <robh@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/of/kexec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/of/kexec.c
+++ b/drivers/of/kexec.c
@@ -184,7 +184,8 @@ int __init ima_free_kexec_buffer(void)
 	if (ret)
 		return ret;
 
-	return memblock_phys_free(addr, size);
+	memblock_free_late(addr, size);
+	return 0;
 }
 #endif
 


Patches currently in stable-queue which might be from riel@xxxxxxxxxxx are

queue-6.4/mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch






