[PATCH v4 05/27] lmb: make LMB memory map persistent and global

Sughosh Ganu sughosh.ganu at linaro.org
Mon Sep 16 11:29:10 CEST 2024


On Mon, 16 Sept 2024 at 14:09, Vaishnav Achath <vaishnav.a at ti.com> wrote:
>
> Hi Sughosh,
>
> On 16/09/24 11:59, Sughosh Ganu wrote:
> > On Mon, 16 Sept 2024 at 11:22, Vaishnav Achath <vaishnav.a at ti.com> wrote:
> >>
> >> Hi Sughosh,
> >>
> >> On 26/08/24 17:29, Sughosh Ganu wrote:
> >>> The current LMB API's for allocating and reserving memory use a
> >>> per-caller based memory view. Memory allocated by a caller can then be
> >>> overwritten by another caller. Make these allocations and reservations
> >>> persistent using the alloced list data structure.
> >>>
> >>> Two alloced lists are declared -- one for the available(free) memory,
> >>> and one for the used memory. Once full, the list can then be extended
> >>> at runtime.
> >>>
> >>> Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
> >>> Signed-off-by: Simon Glass <sjg at chromium.org>
> >>> [sjg: Optimise the logic to add a region in lmb_add_region_flags()]
> >>> [sjg: Use a stack to store pointer of lmb struct when running lmb tests]
> >>> ---
> >>> Changes since V3:
> >>> * Fix checkpatch warnings of spaces between function name and
> >>>     open parantheses.
> >>> * s/uint64_t/u64 as suggested by checkpatch.
> >>> * Remove unneccessary parantheses in lmb.c as suggested by checkpatch.
> >>> * Fix alignment in test/cmd/bdinfo.c as suggested by checkpatch.
> >>>
> >>>    arch/arc/lib/cache.c                 |   4 +-
> >>>    arch/arm/lib/stack.c                 |   4 +-
> >>>    arch/arm/mach-apple/board.c          |  17 +-
> >>>    arch/arm/mach-snapdragon/board.c     |  17 +-
> >>>    arch/arm/mach-stm32mp/dram_init.c    |   8 +-
> >>>    arch/arm/mach-stm32mp/stm32mp1/cpu.c |   6 +-
> >>>    arch/m68k/lib/bootm.c                |   7 +-
> >>>    arch/microblaze/lib/bootm.c          |   4 +-
> >>>    arch/mips/lib/bootm.c                |  11 +-
> >>>    arch/nios2/lib/bootm.c               |   4 +-
> >>>    arch/powerpc/cpu/mpc85xx/mp.c        |   4 +-
> >>>    arch/powerpc/include/asm/mp.h        |   4 +-
> >>>    arch/powerpc/lib/bootm.c             |  14 +-
> >>>    arch/riscv/lib/bootm.c               |   4 +-
> >>>    arch/sh/lib/bootm.c                  |   4 +-
> >>>    arch/x86/lib/bootm.c                 |   4 +-
> >>>    arch/xtensa/lib/bootm.c              |   4 +-
> >>>    board/xilinx/common/board.c          |   8 +-
> >>>    boot/bootm.c                         |  26 +-
> >>>    boot/bootm_os.c                      |   5 +-
> >>>    boot/image-board.c                   |  34 +-
> >>>    boot/image-fdt.c                     |  35 +-
> >>>    cmd/bdinfo.c                         |   6 +-
> >>>    cmd/booti.c                          |   2 +-
> >>>    cmd/bootz.c                          |   2 +-
> >>>    cmd/elf.c                            |   2 +-
> >>>    cmd/load.c                           |   7 +-
> >>>    drivers/iommu/apple_dart.c           |   8 +-
> >>>    drivers/iommu/sandbox_iommu.c        |  16 +-
> >>>    fs/fs.c                              |   7 +-
> >>
> >> In fs the reserved region is not being freed after read, while
> >> other loaders free them (cmd/load.c), this patch uncovers the issue
> >> since now other loaders cannot use the same memory location for load.
> >
> > The idea with the LMB memory is that it is not really an allocation,
> > but setting aside memory for use. Now there was a discussion earlier
> > on the mailing list if this is actually an allocation or not, but this
> > is what the functions have been called from it's early days. But the
> > way the code is designed now, even with the global and persistent
> > memory map, we have the LMB_NONE flag which is used to allow for the
> > same memory region to be re-allocated/re-reserved.
> >
>
> Understood, thanks for explaining, since the LMB memory map is now
> global, anytime you run these commands a region is marked reserved and
> it shows up in lmb_dump_all(), while it is not necessary to free them,
> there are callers which may error out without reclaiming the region,
> as long as these callers exist systems can break due to this change so a
> cleanup is needed.
>
> >> For example now someone cannot do:
> >>
> >> mmc load .. $loadaddr ...
> >> <do something with above contents>
> >> tftp $loadaddr ..
> >
> > The issue above is what I mentioned to Prasad in one of my earlier
> > replies to the patch that he had sent [1]. What can be done is to
> > unify the manner in which callers ask for LMB memory -- that would
> > mean changing the behaviour of the tftp code to use the logic used in
> > the fs_read_lmb_check() function. I believe this method of loading to
> > an address is more beneficial as it allows memory re-use.
> >
>
> As per my understanding, these checks were added in tftp/wget/fs loaders
> due to CVE-2018-18440, the intent is to only ensure that there is no
> overwrite to existing reserved regions, there is no need to reserve the
> current load buffer region, what fs_read_lmb_check() does not seem to be
> the right approach and scaling that does not seem right even though it
> fixes the problem being discussed.

The approach taken by fs_read_lmb_check() is inline with the current
expectation of how a memory region for loading an image is supposed to
behave. There was a long discussion on the mailing list [1] about
whether the LMB memory allocations are to be perceived as actual
allocations (one where an alloc is supposed to have a corresponding
free), and it was pointed out [2] that historically, that is not how a
LMB memory behaves. Hence this needs to be looked at a little
differently than the usual construct of "an allocation needs to have a
corresponding free".

-sughosh

[1] - https://lore.kernel.org/u-boot/CAFLszTicT2yzsm+KAjRyqzV3bt1_W2XYJaCExX-LHNZ6+tFUkA@mail.gmail.com/
[2] - https://lore.kernel.org/u-boot/20231229154307.GS2652760@bill-the-cat/


More information about the U-Boot mailing list