[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/1] xen/efi: Config parsing: Free the same page count as allocated.

  • To: Bernhard Kaindl <bernhard.kaindl@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 22 Apr 2026 08:48:59 +0200
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=google header.d=suse.com header.i="@suse.com" header.h="Content-Transfer-Encoding:In-Reply-To:Autocrypt:From:Content-Language:References:Cc:To:Subject:User-Agent:MIME-Version:Date:Message-ID"
  • Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL
  • Cc: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
  • Delivery-date: Wed, 22 Apr 2026 06:49:10 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 21.04.2026 18:13, Bernhard Kaindl wrote:
> When reading the config file or the config section, we may need to append
> a terminating NUL byte to the config buffer if the last byte is not a
> control character.
> 
> This may cause an additional page to be allocated by efi_bs->AllocatePages()
> if the config file or config section size is a multiple of the page size.
> 
> For this case, increment file->size by one so the number of pages to be
> freed by efi_bs->FreePages() is the same as the number of pages allocated
> by efi_bs->AllocatePages() when the additional byte is allocated.
> 
> I moved the dcache flush after the NUL termination so the flushed range
> covers the final buffer contents.
> 
> I didn't add a dcache flush for the copied cfg buffer in read_section():
> that buffer is created by memcpy() and then consumed only by normal CPU
> reads in the EFI loader, so there is no non-coherent producer or other
> observer that would require cache maintenance.
> 
> Fixes: df75f77092c1 ("EFI: avoid OOB config file reads")
> Signed-off-by: Bernhard Kaindl <bernhard.kaindl@xxxxxxxxxx>
> 
> ----
> PS: The same fix applies to its backport to 4.21 and other branches,
> for example:
> 
> stable-4.21:
> Fixes: feb99494bf59 ("EFI: avoid OOB config file reads")
> 
> stable-4.20:
> Fixes: 05b8f716aa32 ("EFI: avoid OOB config file reads")
> 
> PPS: A review using GPT-5.4 (just a data point for review) confirms what
> I've found by manual code inspection:
> 
>> The fix in boot.c:882-886 and boot.c:913-928 is consistent with the existing
>> free sites at boot.c:790-797, boot.c:1564-1567, and boot.c:1638-1641: Once 
>> the
>> config buffer gets an extra terminating byte, using the incremented size for
>> PFN_UP during FreePages is the right fix.
>>
>> I also checked the parser helpers at boot.c:584-641; they already operate on
>> a bounded buffer and treat NUL/control bytes as terminators, so the synthetic
>> extra byte does not create an obvious parsing regression.

To avoid something non-obvious was why I deliberately left file->size
un-incremented. But yes, I failed to recall that ->FreePages() takes a
size.

> --- a/xen/common/efi/boot.c
> +++ b/xen/common/efi/boot.c
> @@ -858,7 +858,8 @@ static bool __init read_file(EFI_FILE_HANDLE dir_handle, 
> CHAR16 *name,
>      what = L"Allocation";
>      file->addr = min(1UL << (32 + PAGE_SHIFT),
>                       HYPERVISOR_VIRT_END - DIRECTMAP_VIRT_START);
> -    /* For config files allocate an extra byte to put a NUL there. */
> +
> +    /* For config file buffers, allocate space for the terminating NUL byte 
> */
>      ret = efi_bs->AllocatePages(AllocateMaxAddress, EfiLoaderData,
>                                  PFN_UP(size + (file == &cfg)), &file->addr);
>      if ( EFI_ERROR(ret) )

I don't really see why this or the other comment you alter would need
touching. But of course it'll be the EFI maintainers to judge.

> @@ -877,10 +878,12 @@ static bool __init read_file(EFI_FILE_HANDLE 
> dir_handle, CHAR16 *name,
>  
>      FileHandle->Close(FileHandle);
>  
> -    efi_arch_flush_dcache_area(file->ptr, file->size);
> -
>      if ( file == &cfg )
> -        file->str[file->size] = 0;
> +    {
> +        file->str[file->size] = 0; /* NUL-terminate the config data buffer. 
> */
> +        file->size += 1;           /* Free the same page count as allocated. 
> */

_If_ we want to go with incrementing file->size, then I don't see why
it can't be done using the increment operator. That specifically exists
as a shorthand for "+= 1".

As indicated above, I'm not convinced though that we really want to
alter file->size. I'd instead add 1 in the few instances of
"efi_bs->FreePages(cfg.addr, PFN_UP(cfg.size))". Sadly the adding of 1
is conditional in read_section(), so maybe a "need_to_increment"
boolean wants adding next to the need_to_free one? Then a small helper
function may be warranted for those few instances of freeing cfg.addr.

> +    }
> +    efi_arch_flush_dcache_area(file->ptr, file->size);

A separating blank line wants maintaining here. But is this change
really needed at all? Besides being unrelated to the purpose of the
patch, the flushing - aiui - exists so that buffers handed on to
domains (Dom0) are in proper state. The config file isn't exposed to
Dom0, though. (Furthermore I question the effectiveness of this flush:
Speculation and prefetching can easily lead to the data being brought
back into the cache. Such flushing likely requires unmapping first,
and the concept of "unmapping" is a questionable one in the first
place while still running in boot services context. Cc-ing the Arm
maintainers for possible input.)

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.