* [merged mm-hotfixes-stable] init-fix-allocated-page-overlapping-with-ptr_err.patch removed from -mm tree
From: Andrew Morton @ 2024-04-25 2:35 UTC (permalink / raw)
To: mm-commits, tj, tglx, stable, sfr, rppt, ndesaulniers, mingo,
mcgrof, kjlx, geert+renesas, christophe.leroy, changbin.du, bjorn,
arnd, adilger, namcao, akpm
The quilt patch titled
Subject: init: fix allocated page overlapping with PTR_ERR
has been removed from the -mm tree. Its filename was
init-fix-allocated-page-overlapping-with-ptr_err.patch
This patch was dropped because it was merged into the mm-hotfixes-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
------------------------------------------------------
From: Nam Cao <namcao@linutronix.de>
Subject: init: fix allocated page overlapping with PTR_ERR
Date: Thu, 18 Apr 2024 12:29:43 +0200
There is nothing preventing kernel memory allocators from allocating a
page that overlaps with PTR_ERR(), except for architecture-specific code
that sets up memblock.

It was discovered that RISCV architecture doesn't set up memblock correctly,
leading to a page overlapping with PTR_ERR() being allocated, and
subsequently crashing the kernel (link in Closes:).

The reported crash has nothing to do with PTR_ERR(): the last page (at
address 0xfffff000) being allocated leads to an unexpected arithmetic
overflow in ext4; but still, this page shouldn't be allocated in the first
place.

Because PTR_ERR() is an architecture-independent thing, we shouldn't ask
every single architecture to set this up. There may be other
architectures besides RISCV that have the same problem.

Fix this once and for all by reserving the physical memory page that may
be mapped to the last virtual memory page as part of low memory.

Unfortunately, this means if there is actual memory at this reserved
location, that memory will become inaccessible. However, if this page is
not reserved, it can only be accessed as high memory, so this doesn't
matter if high memory is not supported. Even if high memory is supported,
it is still only one page.

Closes: https://lore.kernel.org/linux-riscv/878r1ibpdn.fsf@all.your.base.are.belong.to.us
Link: https://lkml.kernel.org/r/20240418102943.180510-1-namcao@linutronix.de
Signed-off-by: Nam Cao <namcao@linutronix.de>
Reported-by: Björn Töpel <bjorn@kernel.org>
Tested-by: Björn Töpel <bjorn@kernel.org>
Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Andreas Dilger <adilger@dilger.ca>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Changbin Du <changbin.du@huawei.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Krister Johansen <kjlx@templeofstupid.com>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Tejun Heo <tj@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
init/main.c | 1 +
1 file changed, 1 insertion(+)
--- a/init/main.c~init-fix-allocated-page-overlapping-with-ptr_err
+++ a/init/main.c
@@ -900,6 +900,7 @@ void start_kernel(void)
page_address_init();
pr_notice("%s", linux_banner);
early_security_init();
+ memblock_reserve(__pa(-PAGE_SIZE), PAGE_SIZE); /* reserve last page for ERR_PTR */
setup_arch(&command_line);
setup_boot_config();
setup_command_line(command_line);
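Review bot: the added `memblock_reserve(__pa(-PAGE_SIZE), PAGE_SIZE)` line applies `__pa()` to the last virtual page unconditionally and before `setup_arch(&command_line)`, while the commit message only says that physical page "may be" mapped there as part of low memory. Nothing in the hunk shows which physical page gets reserved when the last virtual page is not part of that mapping, so I would ask for a guard around the call, or at least a comment stating the assumption. The return value of `memblock_reserve()` is also ignored; a failure here would silently leave the page allocatable.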
_
Patches currently in -mm which might be from namcao@linutronix.de are
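
The overlap and the wrap-around described in the commit message above can be reproduced in user space. This is an added example, not code from the patch or the kernel; it assumes a 32-bit address space with 4 KiB pages, and `naive_in_bounds()` is a hypothetical stand-in for an end-pointer check, not the ext4 code involved in the report.

```c
/* Added illustration: user-space model of a 32-bit kernel address space. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE_32 0x1000u          /* 4 KiB pages, as in the 0xfffff000 case */
#define MAX_ERRNO    4095u            /* same value as include/linux/err.h */

/* Mirrors IS_ERR_VALUE(): the top MAX_ERRNO values encode -errno. */
static int is_err_value32(uint32_t addr)
{
	return addr >= (uint32_t)-MAX_ERRNO;
}

/* Count the addresses inside one page that IS_ERR() would treat as errors. */
static uint32_t err_aliases_in_page(uint32_t page_base)
{
	uint32_t n = 0, off;

	for (off = 0; off < PAGE_SIZE_32; off++)
		n += is_err_value32(page_base + off);
	return n;
}

/* Hypothetical check: is [buf, buf + len) inside [start, start + size)? */
static int naive_in_bounds(uint32_t start, uint32_t size, uint32_t buf, uint32_t len)
{
	uint32_t end = start + size;    /* wraps to 0 when the region ends at 2^32 */
	return buf >= start && buf + len <= end;
}

/* Same check on offsets and lengths only, so no end pointer is formed. */
static int safe_in_bounds(uint32_t start, uint32_t size, uint32_t buf, uint32_t len)
{
	return buf >= start && buf - start <= size && len <= size - (buf - start);
}

int main(void)
{
	uint32_t last = (uint32_t)-PAGE_SIZE_32;     /* 0xfffff000 */

	printf("last page base      : 0x%08x\n", last);
	printf("ERR_PTR aliases     : %u of %u bytes\n", err_aliases_in_page(last), PAGE_SIZE_32);
	printf("naive check, buf ok : %d\n", naive_in_bounds(last, PAGE_SIZE_32, last + 16, 32));
	printf("safe check,  buf ok : %d\n", safe_in_bounds(last, PAGE_SIZE_32, last + 16, 32));
	return 0;
}
```

All but the first byte of the last page fall in the range `IS_ERR()` treats as an error, and any `start + size` computed for that page wraps to zero, which is why the page should never be handed out by the allocator.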
* Re: [merged mm-hotfixes-stable] init-fix-allocated-page-overlapping-with-ptr_err.patch removed from -mm tree
From: Nam Cao @ 2024-04-25 6:06 UTC (permalink / raw)
To: Andrew Morton
Cc: mm-commits, tj, tglx, stable, sfr, rppt, ndesaulniers, mingo,
mcgrof, kjlx, geert+renesas, christophe.leroy, changbin.du, bjorn,
arnd, adilger
On Wed, Apr 24, 2024 at 07:35:25PM -0700, Andrew Morton wrote:
> The quilt patch titled
> Subject: init: fix allocated page overlapping with PTR_ERR
> has been removed from the -mm tree. Its filename was
> init-fix-allocated-page-overlapping-with-ptr_err.patch
>
> This patch was dropped because it was merged into the mm-hotfixes-stable branch
> of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Please drop this patch. It causes a regression:
https://lore.kernel.org/r/202404221524.4954a009-oliver.sang@intel.com/
Best regards,
Nam
>
> ------------------------------------------------------
> From: Nam Cao <namcao@linutronix.de>
> Subject: init: fix allocated page overlapping with PTR_ERR
> Date: Thu, 18 Apr 2024 12:29:43 +0200
>
> There is nothing preventing kernel memory allocators from allocating a
> page that overlaps with PTR_ERR(), except for architecture-specific code
> that sets up memblock.
>
> It was discovered that RISCV architecture doesn't set up memblock correctly,
> leading to a page overlapping with PTR_ERR() being allocated, and
> subsequently crashing the kernel (link in Closes:).
>
> The reported crash has nothing to do with PTR_ERR(): the last page (at
> address 0xfffff000) being allocated leads to an unexpected arithmetic
> overflow in ext4; but still, this page shouldn't be allocated in the first
> place.
>
> Because PTR_ERR() is an architecture-independent thing, we shouldn't ask
> every single architecture to set this up. There may be other
> architectures besides RISCV that have the same problem.
>
> Fix this once and for all by reserving the physical memory page that may
> be mapped to the last virtual memory page as part of low memory.
>
> Unfortunately, this means if there is actual memory at this reserved
> location, that memory will become inaccessible. However, if this page is
> not reserved, it can only be accessed as high memory, so this doesn't
> matter if high memory is not supported. Even if high memory is supported,
> it is still only one page.
>
> Closes: https://lore.kernel.org/linux-riscv/878r1ibpdn.fsf@all.your.base.are.belong.to.us
> Link: https://lkml.kernel.org/r/20240418102943.180510-1-namcao@linutronix.de
> Signed-off-by: Nam Cao <namcao@linutronix.de>
> Reported-by: Björn Töpel <bjorn@kernel.org>
> Tested-by: Björn Töpel <bjorn@kernel.org>
> Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
> Cc: Andreas Dilger <adilger@dilger.ca>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Cc: Changbin Du <changbin.du@huawei.com>
> Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
> Cc: Geert Uytterhoeven <geert+renesas@glider.be>
> Cc: Ingo Molnar <mingo@kernel.org>
> Cc: Krister Johansen <kjlx@templeofstupid.com>
> Cc: Luis Chamberlain <mcgrof@kernel.org>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Stephen Rothwell <sfr@canb.auug.org.au>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---
>
> init/main.c | 1 +
> 1 file changed, 1 insertion(+)
>
> --- a/init/main.c~init-fix-allocated-page-overlapping-with-ptr_err
> +++ a/init/main.c
> @@ -900,6 +900,7 @@ void start_kernel(void)
> page_address_init();
> pr_notice("%s", linux_banner);
> early_security_init();
> + memblock_reserve(__pa(-PAGE_SIZE), PAGE_SIZE); /* reserve last page for ERR_PTR */
> setup_arch(&command_line);
> setup_boot_config();
> setup_command_line(command_line);
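Review bot: the trailing comment on the added line says "reserve last page for ERR_PTR" while the subject and commit message speak of PTR_ERR, and it omits the cost the commit message admits, namely that real memory at that location becomes inaccessible. I would move it to a comment above the call, name the macro consistently and mention the one-page trade-off there; that also keeps the added line from running well past the width of the neighbouring lines.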
> _
>
> Patches currently in -mm which might be from namcao@linutronix.de are
>
>