From: Nam Cao <namcao@linutronix.de>
To: "Mike Rapoport" <rppt@kernel.org>,
	"Andreas Dilger" <adilger@dilger.ca>,
	"Björn Töpel" <bjorn@kernel.org>,
	linux-riscv@lists.infradead.org,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"ndesaulniers @ google . com" <ndesaulniers@google.com>,
	"Luis Chamberlain" <mcgrof@kernel.org>,
	"Ingo Molnar" <mingo@kernel.org>,
	"Christophe Leroy" <christophe.leroy@csgroup.eu>,
	"Tejun Heo" <tj@kernel.org>,
	"Krister Johansen" <kjlx@templeofstupid.com>,
	"Changbin Du" <changbin.du@huawei.com>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Geert Uytterhoeven" <geert+renesas@glider.be>,
	linux-kernel@vger.kernel.org
Cc: Nam Cao <namcao@linutronix.de>, stable@vger.kernel.org
Subject: [PATCH] init: fix allocated page overlapping with PTR_ERR
Date: Thu, 18 Apr 2024 12:29:43 +0200	[thread overview]
Message-ID: <20240418102943.180510-1-namcao@linutronix.de> (raw)

There is nothing preventing kernel memory allocators from allocating a
page that overlaps with PTR_ERR(), except for architecture-specific
code that sets up memblock.

It was discovered that RISCV architecture doesn't set up memblock
correctly, leading to a page overlapping with PTR_ERR() being allocated,
and subsequently crashing the kernel (link in Closes:).

The reported crash has nothing to do with PTR_ERR(): the last page
(at address 0xfffff000) being allocated leads to an unexpected
arithmetic overflow in ext4; but still, this page shouldn't be
allocated in the first place.

Because PTR_ERR() is an architecture-independent thing, we shouldn't
ask every single architecture to set this up. There may be other
architectures besides RISCV that have the same problem.

Fix this once and for all by reserving the physical memory page that
may be mapped to the last virtual memory page as part of low memory.

Unfortunately, this means if there is actual memory at this reserved
location, that memory will become inaccessible. However, if this page
is not reserved, it can only be accessed as high memory, so this
doesn't matter if high memory is not supported. Even if high memory is
supported, it is still only one page.

Closes: https://lore.kernel.org/linux-riscv/878r1ibpdn.fsf@all.your.base.are.belong.to.us
Signed-off-by: Nam Cao <namcao@linutronix.de>
Cc: <stable@vger.kernel.org> # all versions
---
 init/main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/init/main.c b/init/main.c
index 881f6230ee59..f8d2793c4641 100644
--- a/init/main.c
+++ b/init/main.c
@@ -900,6 +900,7 @@ void start_kernel(void)
 	page_address_init();
 	pr_notice("%s", linux_banner);
 	early_security_init();
+	memblock_reserve(__pa(-PAGE_SIZE), PAGE_SIZE); /* reserve last page for ERR_PTR */
 	setup_arch(&command_line);
 	setup_boot_config();
 	setup_command_line(command_line);
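Review bot: the added `memblock_reserve(__pa(-PAGE_SIZE), PAGE_SIZE)` call applies `__pa()` to the topmost virtual page, but `__pa()` is only a valid translation for addresses inside the kernel's linear (direct) mapping; on architectures where that last page is not part of the linear map, the result is not the physical page that could be mapped there, so the reservation may land on an unrelated physical page or outside RAM entirely. The call is also placed before `setup_arch(&command_line)`, so it depends on whatever state `__pa()` needs (the kernel's virt-to-phys offset) already being initialised before the architecture has populated memblock; that holds on RISC-V, where the offset is set up in early assembly/C before `start_kernel()`, but the changelog does not argue it for every architecture. Suggest either documenting why `__pa()` is safe for this address at this point generically, or doing the reservation from architecture code that knows the memory layout. Minor: the comment says `ERR_PTR` while the subject and changelog say `PTR_ERR`; use one name consistently.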
-- 
2.39.2
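The error-pointer encoding the changelog relies on, shown as an added userspace example that is not part of the patch or of the kernel source: it mirrors the `linux/err.h` convention (an error code in -1..-MAX_ERRNO is stored directly in the pointer value, with the kernel's MAX_ERRNO of 4095) and assumes 4 KiB pages, and then measures how much of the last virtual page falls inside that range, which is why a real allocation there would be mistaken for an error. The lowercase function names are the example's own, not kernel identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Constructed mirror of the kernel's ERR_PTR/PTR_ERR/IS_ERR encoding.
 * MAX_ERRNO matches linux/err.h; PAGE_SIZE assumes 4 KiB pages. */
#define MAX_ERRNO 4095
#define PAGE_SIZE 4096UL

/* IS_ERR_VALUE(): any value in the top MAX_ERRNO bytes of the address space
 * is treated as an encoded errno, not as a pointer. */
static inline int is_err_value(uintptr_t x)
{
    return x >= (uintptr_t)-MAX_ERRNO;
}

/* ERR_PTR(): the negative errno *is* the pointer bit pattern. */
static inline void *err_ptr(long error)
{
    return (void *)(uintptr_t)error;
}

/* PTR_ERR(): recover the errno from such a pointer. */
static inline long ptr_err(const void *ptr)
{
    return (long)(intptr_t)ptr;
}

static inline int is_err(const void *ptr)
{
    return is_err_value((uintptr_t)ptr);
}

/* Base of the last virtual page; this is the argument the patch passes
 * to __pa() when reserving the page. */
static inline uintptr_t last_page_base(void)
{
    return (uintptr_t)-PAGE_SIZE;
}

/* Count how many byte addresses within the page at `base` would be
 * misclassified as error pointers by is_err(). */
static unsigned long err_bytes_in_page(uintptr_t base)
{
    unsigned long n = 0;
    for (unsigned long off = 0; off < PAGE_SIZE; off++)
        if (is_err_value(base + off))
            n++;
    return n;
}

int main(void)
{
    void *p = err_ptr(-ENOMEM);
    printf("ERR_PTR(-ENOMEM) = %p, IS_ERR = %d, PTR_ERR = %ld\n",
           p, is_err(p), ptr_err(p));
    printf("bytes of last page inside ERR_PTR range: %lu of %lu\n",
           err_bytes_in_page(last_page_base()), PAGE_SIZE);
    printf("bytes of second-to-last page inside ERR_PTR range: %lu\n",
           err_bytes_in_page(last_page_base() - PAGE_SIZE));
    return 0;
}
```

Every address in the last page except its very first byte is inside the error range, and the page just below it is entirely clean; that is the one-page cost the changelog describes, and it is why reserving exactly that page is sufficient.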

