In the Linux kernel, the following vulnerability has been resolved: riscv: fixed the reserved memory setup Currently, RISC-V sets up reserved memory using the “early” copy of the device tree. As a result, when trying to access a reserved memory region using of_reserved_mem_lookup(), the pointer to the reserved memory regions uses the early, pre-virtual-memory address, which causes a kernel panic when trying to use the buffer’s name: Unable to handle kernel paging requests at virtual address 00000000401c31ac Oops [#1] Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1 Hardware name: Microchip PolarFire-SoC Icicle Kit (DT) epc: string+0x4a/0xea ra: vsnprintf+0x1e4/0x336 epc: ffffffff80335ea0 ra: ffffffff80338936 sp: ffffffff81203be0 gp: ffffffff812e0a98 tp: ffffffff8120de40 t0: 0000000000000000 t1: ffffffff81203e28 t2: 7265736572203a46 s0: ffffffff81203c20 s1: ffffffff81203e28 a0: ffffffff81203d22 a1: 0000000000000000 a2: ffffffff81203d08 a3: 0000000081203d21 a4: ffffffffffffffff a5: 00000000401c31ac a6: ffff0a00ffffff04 a7: ffffffffffffffff s2: ffffffff81203d08 s3: ffffffff81203d00 s4: 0000000000000008 s5: ffffffff000000ff s6: 0000000000ffffff s7: 00000000ffffff00 s8: ffffffff80d9821a s9: ffffffff81203d22 s10: 0000000000000002 s11: ffffffff80d9821c t3: ffffffff812f3617 t4: ffffffff812f3617 t5: ffffffff812f3618 t6: ffffffff81203d08 Status: 0000000200000100 BadAddr: 00000000401c31ac Cause: 000000000000000d [] vsnprintf+0x1e4/0x336 [] vprintk_store+0xf6/0x344 [] vprintk_emit+0x56/0x192 [] vprintk_default+0x16/0x1e [] vprintk+0x72/0x80 [] _printk+0x36/0x50 [] print_reserved_mem+0x1c/0x24 [] paging_init+0x528/0x5bc [] setup_arch+0xd0/0x592 [] start_kernel+0x82/0x73c early_init_fdt_scan_reserved_mem() does not take any arguments, as it operates on initial_boot_params, which is populated by early_init_dt_verify(). In RISC-V, early_init_dt_verify() is called twice: once directly in setup_arch(), if CONFIG_BUILTIN_DTB is not enabled; and once indirectly, very early in the boot process, by parse_dtb(), when it calls early_init_dt_scan_nodes(). The first call to early_init_dt_scan_reserved_mem() uses dtb_early_va to set initial_boot_params, which is not available later in the boot process when early_init_fdt_scan_reserved_mem() is called. For example, in arm64, the corresponding call to early_init_dt_scan_nodes() uses fixmap addresses and does not face the same issue. Move early_init_fdt_scan_reserved_mem() further along the boot sequence, after the direct call to early_init_dt_verify() in setup_arch(), so that the function names use the correct virtual memory addresses. It is assumed that CONFIG_BUILTIN_DTB is not set; however, it should work equally in cases where it is set. Unflatted_and_copy_device_tree() also updates initial_boot_params.

Query Builder