From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
To: Yadan Fan <ydfan@suse.com>
Cc: akpm@linux-foundation.org, rppt@kernel.org,
	"Liam R. Howlett" <liam@infradead.org>,
	catalin.marinas@arm.com, jiaxun.yang@flygoat.com,
	paulburton@kernel.org, linux-mips@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] MIPS: mm: Fix out-of-bounds write in maar_res_walk()
Date: Mon, 15 Jun 2026 12:29:38 +0200
Message-ID: <ai_UEmtkptfhUndW@alpha.franken.de>
In-Reply-To: <93172f19-9a73-4661-8dad-3dff800c2d54@suse.com>

On Tue, May 26, 2026 at 05:20:09PM +0800, Yadan Fan wrote:
> From 8dda685e7d0d1653cfb2a93d0865a1fa5a561700 Mon Sep 17 00:00:00 2001
> From: Yadan Fan <ydfan@suse.com>
> Date: Mon, 25 May 2026 12:04:36 +0800
> Subject: [PATCH v3] MIPS: mm: Fix out-of-bounds write in maar_res_walk()
> 
> maar_res_walk() uses wi->num_cfg as the index into the fixed-size
> wi->cfg array, but checks whether the array is full only after it has
> filled the selected entry. If walk_system_ram_range() reports more than
> 16 memory ranges, the overflow call writes one struct maar_config past
> the end of the array before WARN_ON() prevents num_cfg from advancing.
> 
> Move the full-array check before taking the array slot and return non-zero
> when the scratch array is full, so walk_system_ram_range() terminates the
> walk instead of invoking the callback for further ranges.
> 
> Fixes: a5718fe8f70f ("MIPS: mm: Drop boot_mem_map")
> 
> Signed-off-by: Yadan Fan <ydfan@suse.com>
> ---
> Changes in v3:
>   - Restore to use WARN_ON() with return -1 to stop
>     walk_system_ram_range() walking further
> 
>  arch/mips/mm/init.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)

applied to mips-next

Thomas.

-- 
Crap can work. Given enough thrust pigs will fly, but it's not necessarily a
good idea.                                                [ RFC1925, 2.3 ]
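
The check ordering that the quoted commit message describes, modelled in user-space C as an added example (not the kernel code from the patch, and not written by either participant in this thread). The `range_cfg` stand-in for `struct maar_config`, the extra array slot that models the memory just past the array, and the `walk()` driver are assumptions made for illustration.

```c
#include <string.h>

#define MAX_CFG 16  /* scratch-array capacity named in the commit message */

struct range_cfg { unsigned long lower, upper; };  /* stand-in for struct maar_config */

struct walk_info {
    /* slots[MAX_CFG] models the memory just past the real array (constructed) */
    struct range_cfg slots[MAX_CFG + 1];
    unsigned int num_cfg;
};

typedef int (*range_cb)(unsigned long start, unsigned long len, void *arg);

/* "Before" ordering: fill the selected slot, then check whether the array is full. */
static int cb_check_after(unsigned long start, unsigned long len, void *arg)
{
    struct walk_info *wi = arg;
    struct range_cfg *cfg = &wi->slots[wi->num_cfg];

    cfg->lower = start;
    cfg->upper = start + len - 1;
    if (wi->num_cfg < MAX_CFG)  /* too late: the slot has already been written */
        wi->num_cfg++;
    return 0;                   /* zero tells the walker to keep going */
}

/* "After" ordering: check first, and return non-zero so the walk terminates. */
static int cb_check_first(unsigned long start, unsigned long len, void *arg)
{
    struct walk_info *wi = arg;

    if (wi->num_cfg >= MAX_CFG)
        return -1;
    wi->slots[wi->num_cfg].lower = start;
    wi->slots[wi->num_cfg].upper = start + len - 1;
    wi->num_cfg++;
    return 0;
}

/* Feed nranges constructed ranges to cb, stopping on a non-zero return.
 * Returns the number of callbacks made, negated if the slot past the
 * array was written. */
static int walk(range_cb cb, unsigned int nranges)
{
    struct walk_info wi;
    int calls = 0;

    memset(&wi, 0, sizeof(wi));
    for (unsigned int i = 0; i < nranges; i++, calls++)
        if (cb(0x1000UL * (i + 1), 0x1000UL, &wi) && ++calls)
            break;
    return wi.slots[MAX_CFG].upper ? -calls : calls;
}
```

With 20 ranges, the check-after callback is invoked 20 times and writes the past-the-end slot, while the check-first callback is invoked 17 times and leaves it untouched.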
