Patch "x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()" has been added to the 6.5-stable tree


This is a note to let you know that I've just added the patch titled

    x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-mm-kexec-ima-use-memblock_free_late-from-ima_fre.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit bede0195795fe8ad13b79013f1f52fe8ef5db04c
Author: Rik van Riel <riel@xxxxxxxxxxx>
Date:   Thu Aug 17 13:55:58 2023 -0400

    x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()
    
    [ Upstream commit 34cf99c250d5cd2530b93a57b0de31d3aaf8685b ]
    
    The code calling ima_free_kexec_buffer() runs long after the memblock
    allocator has already been torn down, potentially resulting in a use
    after free in memblock_isolate_range().
    
    With KASAN or KFENCE, this use after free will result in a BUG
    from the idle task, and a subsequent kernel panic.
    
    Switch ima_free_kexec_buffer() over to memblock_free_late() to avoid
    that bug.
    
    Fixes: fee3ff99bc67 ("powerpc: Move arch independent ima kexec functions to drivers/of/kexec.c")
    Suggested-by: Mike Rappoport <rppt@xxxxxxxxxx>
    Signed-off-by: Rik van Riel <riel@xxxxxxxxxxx>
    Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230817135558.67274c83@xxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index fd975a4a52006..aa0df37c1fe72 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -359,15 +359,11 @@ static void __init add_early_ima_buffer(u64 phys_addr)
 #if defined(CONFIG_HAVE_IMA_KEXEC) && !defined(CONFIG_OF_FLATTREE)
 int __init ima_free_kexec_buffer(void)
 {
-	int rc;
-
 	if (!ima_kexec_buffer_size)
 		return -ENOENT;
 
-	rc = memblock_phys_free(ima_kexec_buffer_phys,
-				ima_kexec_buffer_size);
-	if (rc)
-		return rc;
+	memblock_free_late(ima_kexec_buffer_phys,
+			   ima_kexec_buffer_size);
 
 	ima_kexec_buffer_phys = 0;
 	ima_kexec_buffer_size = 0;


