From: "Ashish Singhal" <ashishsingha@nvidia.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: Laszlo Ersek <lersek@redhat.com>, Leif Lindholm <leif@nuviainc.com>
Subject: Re: [PATCH v3 1/3] ArmPkg/ArmMmuLib AARCH64: limit recursion when freeing page tables
Date: Wed, 25 Mar 2020 15:47:39 +0000 [thread overview]
Message-ID: <MW3PR12MB4457778D45F0D166EF873391BACE0@MW3PR12MB4457.namprd12.prod.outlook.com> (raw)
In-Reply-To: <20200325152940.1492-2-ard.biesheuvel@linaro.org>
[-- Attachment #1: Type: text/plain, Size: 3464 bytes --]
Reviewed-by: Ashish Singhal <ashishsingha@nvidia.com>
Tested-by: Ashish Singhal <ashishsingha@nvidia.com>
________________________________
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Sent: Wednesday, March 25, 2020 9:29 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>; Laszlo Ersek <lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>; Ashish Singhal <ashishsingha@nvidia.com>
Subject: [PATCH v3 1/3] ArmPkg/ArmMmuLib AARCH64: limit recursion when freeing page tables
External email: Use caution opening links or attachments
FreePageTablesRecursive () traverses the page table tree depth first
to free all pages that it finds, without taking into account the
level at which it is operating.
Since TT_TYPE_TABLE_ENTRY aliases TT_TYPE_BLOCK_ENTRY_LEVEL3, we cannot
distinguish table entries from block entries unless we take the level
into account, and so we may be dereferencing garbage if we happen to
try and free a hierarchy of page tables that has level 3 pages in it.
Let's fix this by passing the level into FreePageTablesRecursive (),
and limit the recursion to levels < 3.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
index a43d468b73ca..d78918cf7ba8 100644
--- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
+++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
@@ -142,15 +142,21 @@ ReplaceTableEntry (
STATIC
VOID
FreePageTablesRecursive (
- IN UINT64 *TranslationTable
+ IN UINT64 *TranslationTable,
+ IN UINTN Level
)
{
UINTN Index;
- for (Index = 0; Index < TT_ENTRY_COUNT; Index++) {
- if ((TranslationTable[Index] & TT_TYPE_MASK) == TT_TYPE_TABLE_ENTRY) {
- FreePageTablesRecursive ((VOID *)(UINTN)(TranslationTable[Index] &
- TT_ADDRESS_MASK_BLOCK_ENTRY));
+ ASSERT (Level <= 3);
+
+ if (Level < 3) {
+ for (Index = 0; Index < TT_ENTRY_COUNT; Index++) {
+ if ((TranslationTable[Index] & TT_TYPE_MASK) == TT_TYPE_TABLE_ENTRY) {
+ FreePageTablesRecursive ((VOID *)(UINTN)(TranslationTable[Index] &
+ TT_ADDRESS_MASK_BLOCK_ENTRY),
+ Level + 1);
+ }
}
}
FreePages (TranslationTable, 1);
@@ -254,7 +260,7 @@ UpdateRegionMappingRecursive (
// possible for existing table entries, since we cannot revert the
// modifications we made to the subhierarchy it represents.)
//
- FreePageTablesRecursive (TranslationTable);
+ FreePageTablesRecursive (TranslationTable, Level + 1);
}
return Status;
}
--
2.17.1
-----------------------------------------------------------------------------------
This email message is for the sole use of the intended recipient(s) and may contain
confidential information. Any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message.
-----------------------------------------------------------------------------------
[-- Attachment #2: Type: text/html, Size: 6857 bytes --]
next prev parent reply other threads:[~2020-03-25 15:47 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-25 15:29 [PATCH v3 0/3] ArmPkg/ArmMmuLib AARCH64: correctness fix Ard Biesheuvel
2020-03-25 15:29 ` [PATCH v3 1/3] ArmPkg/ArmMmuLib AARCH64: limit recursion when freeing page tables Ard Biesheuvel
2020-03-25 15:47 ` Ashish Singhal [this message]
2020-03-26 10:22 ` Leif Lindholm
2020-03-26 10:25 ` Ard Biesheuvel
2020-03-25 15:29 ` [PATCH v3 2/3] ArmPkg/ArmMmuLib AARCH64: use helpers to determine table entry types Ard Biesheuvel
2020-03-25 15:47 ` Ashish Singhal
2020-03-25 15:29 ` [PATCH v3 3/3] ArmPkg/ArmMmuLib AARCH64: preserve attributes when replacing a table entry Ard Biesheuvel
2020-03-25 15:47 ` Ashish Singhal
2020-03-25 15:48 ` [PATCH v3 0/3] ArmPkg/ArmMmuLib AARCH64: correctness fix Ashish Singhal
2020-03-25 19:49 ` [edk2-devel] " Laszlo Ersek
2020-03-26 10:35 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MW3PR12MB4457778D45F0D166EF873391BACE0@MW3PR12MB4457.namprd12.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox