From: "Ni, Ruiyu" <ruiyu.ni@Intel.com>
To: Jian J Wang <jian.j.wang@intel.com>, edk2-devel@lists.01.org
Cc: Eric Dong <eric.dong@intel.com>, Star Zeng <star.zeng@intel.com>
Subject: Re: [PATCH] MdeModulePkg/Core: fix a logic hole in page free
Date: Fri, 19 Jan 2018 13:30:30 +0800 [thread overview]
Message-ID: <a6d827b0-fa75-370e-f649-2d9682e0dc99@Intel.com> (raw)
In-Reply-To: <20180118073843.3676-1-jian.j.wang@intel.com>
On 1/18/2018 3:38 PM, Jian J Wang wrote:
> This hole will cause page fault randomly. The root cause is that Guard
> page, which is just freed back to page pool but not yet cleared not-
> present attribute, will be allocated right away by internal function
> CoreFreeMemoryMapStack(). The solution to this issue is to clear the
> not-present attribute for freed Guard page before doing any free
> operation, instead of after those operation.
>
> The reason we didn't do this before is due to the fact that manipulating
> page attributes might cause memory allocation action which would cause a
> dead lock inside a memory allocation/free operation. So we always set or
> unset Guard page outside the memory lock. After a thorough analysis, we
> believe clearing a Guard page will not cause memory allocation because
> memory we're to manipulate was already manipulated before for sure.
> Therefore there should be no memory allocation occurring in this
> situation.
>
> Since we cleared Guard page not-present attribute before freeing instead
> of after freeing, the debug code to clear freed memory can now be restored
> to its original way (aka no checking and bypassing Guard page).
>
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
> ---
> MdeModulePkg/Core/Dxe/Mem/HeapGuard.c | 15 +++++++++++++
> MdeModulePkg/Core/Dxe/Mem/Page.c | 40 ++++++-----------------------------
> MdeModulePkg/Core/Dxe/Mem/Pool.c | 10 +++++++--
> 3 files changed, 29 insertions(+), 36 deletions(-)
>
> diff --git a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c
> index 0f035043e1..92753c7269 100644
> --- a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c
> +++ b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c
> @@ -1127,11 +1127,26 @@ CoreConvertPagesWithGuard (
> IN EFI_MEMORY_TYPE NewType
> )
> {
> + UINT64 OldStart;
> + UINTN OldPages;
> +
> if (NewType == EfiConventionalMemory) {
> + OldStart = Start;
> + OldPages = NumberOfPages;
> +
> AdjustMemoryF (&Start, &NumberOfPages);
> if (NumberOfPages == 0) {
> return EFI_SUCCESS;
> }
> +
> + //
> + // It's safe to unset Guard page inside memory lock because there should
> + // be no memory allocation occurred in updating memory page attribute at
> + // this point. And unsetting Guard page before free will prevent Guard
> + // page just freed back to pool from being allocated right away before
> + // marking it usable (from non-present to present).
> + //
> + UnsetGuardForMemory (OldStart, OldPages);
> } else {
> AdjustMemoryA (&Start, &NumberOfPages);
> }
> diff --git a/MdeModulePkg/Core/Dxe/Mem/Page.c b/MdeModulePkg/Core/Dxe/Mem/Page.c
> index db32d0f940..8d5d03a6d9 100644
> --- a/MdeModulePkg/Core/Dxe/Mem/Page.c
> +++ b/MdeModulePkg/Core/Dxe/Mem/Page.c
> @@ -900,42 +900,17 @@ CoreConvertPagesEx (
> //
> CoreAddRange (MemType, Start, RangeEnd, Attribute);
> if (ChangingType && (MemType == EfiConventionalMemory)) {
> + //
> + // Avoid calling DEBUG_CLEAR_MEMORY() for an address of 0 because this
> + // macro will ASSERT() if address is 0. Instead, CoreAddRange() guarantees
> + // that the page starting at address 0 is always filled with zeros.
> + //
> if (Start == 0) {
> - //
> - // Avoid calling DEBUG_CLEAR_MEMORY() for an address of 0 because this
> - // macro will ASSERT() if address is 0. Instead, CoreAddRange()
> - // guarantees that the page starting at address 0 is always filled
> - // with zeros.
> - //
> if (RangeEnd > EFI_PAGE_SIZE) {
> DEBUG_CLEAR_MEMORY ((VOID *)(UINTN) EFI_PAGE_SIZE, (UINTN) (RangeEnd - EFI_PAGE_SIZE + 1));
> }
> } else {
> - //
> - // If Heap Guard is enabled, the page at the top and/or bottom of
> - // this memory block to free might be inaccessible. Skipping them
> - // to avoid page fault exception.
> - //
> - UINT64 StartToClear;
> - UINT64 EndToClear;
> -
> - StartToClear = Start;
> - EndToClear = RangeEnd + 1;
> - if (PcdGet8 (PcdHeapGuardPropertyMask) & (BIT1|BIT0)) {
> - if (IsGuardPage(StartToClear)) {
> - StartToClear += EFI_PAGE_SIZE;
> - }
> - if (IsGuardPage (EndToClear - 1)) {
> - EndToClear -= EFI_PAGE_SIZE;
> - }
> - }
> -
> - if (EndToClear > StartToClear) {
> - DEBUG_CLEAR_MEMORY(
> - (VOID *)(UINTN)StartToClear,
> - (UINTN)(EndToClear - StartToClear)
> - );
> - }
> + DEBUG_CLEAR_MEMORY ((VOID *)(UINTN) Start, (UINTN) (RangeEnd - Start + 1));
> }
> }
>
> @@ -1513,9 +1488,6 @@ CoreInternalFreePages (
>
> Done:
> CoreReleaseMemoryLock ();
> - if (IsGuarded) {
> - UnsetGuardForMemory(Memory, NumberOfPages);
> - }
> return Status;
> }
>
> diff --git a/MdeModulePkg/Core/Dxe/Mem/Pool.c b/MdeModulePkg/Core/Dxe/Mem/Pool.c
> index 7464d8773a..df9a1d28df 100644
> --- a/MdeModulePkg/Core/Dxe/Mem/Pool.c
> +++ b/MdeModulePkg/Core/Dxe/Mem/Pool.c
> @@ -643,10 +643,16 @@ CoreFreePoolPagesWithGuard (
>
> AdjustMemoryF (&Memory, &NoPages);
> if (NoPages > 0) {
> + //
> + // It's safe to unset Guard page inside memory lock because there should
> + // be no memory allocation occurred in updating memory page attribute at
> + // this point. And unsetting Guard page before free will prevent Guard
> + // page just freed back to pool from being allocated right away before
> + // marking it usable (from non-present to present).
> + //
> + UnsetGuardForMemory (MemoryGuarded, NoPagesGuarded);
> CoreFreePoolPagesI (PoolType, Memory, NoPages);
> }
> -
> - UnsetGuardForMemory (MemoryGuarded, NoPagesGuarded);
> }
>
> /**
>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
--
Thanks,
Ray
prev parent reply other threads:[~2018-01-19 5:25 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-18 7:38 [PATCH] MdeModulePkg/Core: fix a logic hole in page free Jian J Wang
2018-01-18 9:46 ` Zeng, Star
2018-01-19 5:30 ` Ni, Ruiyu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a6d827b0-fa75-370e-f649-2d9682e0dc99@Intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox