On Tue, Apr 30, 2024 at 10:37:59AM +0200, Alexandre Ghiti wrote:
Hi Joel, Nam,
On 30/04/2024 09:31, Nam Cao wrote:
On Mon, Apr 29, 2024 at 02:52:30PM +0200, Joel Granados wrote:
On Thu, Apr 18, 2024 at 12:29:43PM +0200, Nam Cao wrote:
There is nothing preventing kernel memory allocators from allocating a page that overlaps with PTR_ERR(), except for architecture-specific code that setup memblock.
It was discovered that RISCV architecture doesn't setup memblock corectly, leading to a page overlapping with PTR_ERR() being allocated, and subsequently crashing the kernel (link in Close: )
The reported crash has nothing to do with PTR_ERR(): the last page (at address 0xfffff000) being allocated leads to an unexpected arithmetic overflow in ext4; but still, this page shouldn't be allocated in the first place.
Because PTR_ERR() is an architecture-independent thing, we shouldn't ask every single architecture to set this up. There may be other architectures beside RISCV that have the same problem.
Fix this one and for all by reserving the physical memory page that may be mapped to the last virtual memory page as part of low memory.
Unfortunately, this means if there is actual memory at this reserved location, that memory will become inaccessible. However, if this page is not reserved, it can only be accessed as high memory, so this doesn't matter if high memory is not supported. Even if high memory is supported, it is still only one page.
Closes: https://lore.kernel.org/linux-riscv/878r1ibpdn.fsf@all.your.base.are.belong.... Signed-off-by: Nam Cao namcao@linutronix.de Cc: stable@vger.kernel.org # all versions
init/main.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/init/main.c b/init/main.c index 881f6230ee59..f8d2793c4641 100644 --- a/init/main.c +++ b/init/main.c @@ -900,6 +900,7 @@ void start_kernel(void) page_address_init(); pr_notice("%s", linux_banner); early_security_init();
- memblock_reserve(__pa(-PAGE_SIZE), PAGE_SIZE); /* reserve last page for ERR_PTR */ setup_arch(&command_line); setup_boot_config(); setup_command_line(command_line);
-- 2.39.2
I received a similar(ish) report recently https://lore.kernel.org/oe-kbuild-all/202404211031.J6l2AfJk-lkp@intel.com/ regarding RISC-V in init/mail.c. Here is the meat of the report in case you want to avoid going to the actual link:
This issue doesn't look like it has anything to do with this patch: this patch is about overlapping of dynamically allocated memory, while I think the issue is about overlapping sections during linking (maybe something wrong with riscv linker script?)
Also, FWIW, this patch is not going to be in mainline because of a regression.
Nonetheless, I will have a look at this later.
The config shows that it is a XIP kernel that comes with its own limitations (text is limited to 32MB for example), so I'm not surprised to see those overlaps.
We already discussed the removal of randconfig builds on XIP configs, but IIRC it is not possible.
I just tested this going back until "2023-09-20 602bf1830798 (HEAD) Merge branch 'for-6.7' into for-next [Petr Mladek]" and I still saw the overlapping errors.
Is this just something that happens always?
Best