From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:55467 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753772AbcHRIbP (ORCPT ); Thu, 18 Aug 2016 04:31:15 -0400 Subject: Patch "arm64: mm: avoid fdt_check_header() before the FDT is fully mapped" has been added to the 4.7-stable tree To: ard.biesheuvel@linaro.org, gregkh@linuxfoundation.org, mark.rutland@arm.com, will.deacon@arm.com, zijun_hu@htc.com Cc: , From: Date: Thu, 18 Aug 2016 10:30:54 +0200 Message-ID: <14715090548208@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled arm64: mm: avoid fdt_check_header() before the FDT is fully mapped to the 4.7-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: arm64-mm-avoid-fdt_check_header-before-the-fdt-is-fully-mapped.patch and it can be found in the queue-4.7 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 04a848106193b134741672f7e4e444b50c70b631 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Mon, 1 Aug 2016 13:29:31 +0200 Subject: arm64: mm: avoid fdt_check_header() before the FDT is fully mapped From: Ard Biesheuvel commit 04a848106193b134741672f7e4e444b50c70b631 upstream. As reported by Zijun, the fdt_check_header() call in __fixmap_remap_fdt() is not safe since it is not guaranteed that the FDT header is mapped completely. Due to the minimum alignment of 8 bytes, the only fields we can assume to be mapped are 'magic' and 'totalsize'. Since the OF layer is in charge of validating the FDT image, and we are only interested in making reasonably sure that the size field contains a meaningful value, replace the fdt_check_header() call with an explicit comparison of the magic field's value against the expected value. Reported-by: Zijun Hu Acked-by: Mark Rutland Signed-off-by: Ard Biesheuvel Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman --- arch/arm64/mm/mmu.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -748,9 +748,9 @@ void *__init __fixmap_remap_fdt(phys_add /* * Check whether the physical FDT address is set and meets the minimum * alignment requirement. Since we are relying on MIN_FDT_ALIGN to be - * at least 8 bytes so that we can always access the size field of the - * FDT header after mapping the first chunk, double check here if that - * is indeed the case. + * at least 8 bytes so that we can always access the magic and size + * fields of the FDT header after mapping the first chunk, double check + * here if that is indeed the case. */ BUILD_BUG_ON(MIN_FDT_ALIGN < 8); if (!dt_phys || dt_phys % MIN_FDT_ALIGN) @@ -778,7 +778,7 @@ void *__init __fixmap_remap_fdt(phys_add create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE), dt_virt_base, SWAPPER_BLOCK_SIZE, prot); - if (fdt_check_header(dt_virt) != 0) + if (fdt_magic(dt_virt) != FDT_MAGIC) return NULL; *size = fdt_totalsize(dt_virt); Patches currently in stable-queue which might be from ard.biesheuvel@linaro.org are queue-4.7/arm64-only-select-arm64_module_plts-if-modules-y.patch queue-4.7/arm64-vmlinux.lds-make-__rela_offset-and-__dynsym_offset-absolute.patch queue-4.7/arm64-mm-avoid-fdt_check_header-before-the-fdt-is-fully-mapped.patch