The patch titled
     Subject: init: fix allocated page overlapping with PTR_ERR
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     init-fix-allocated-page-overlapping-with-ptr_err.patch
This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches...
This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days
------------------------------------------------------
From: Nam Cao <namcao@linutronix.de>
Subject: init: fix allocated page overlapping with PTR_ERR
Date: Thu, 18 Apr 2024 12:29:43 +0200

There is nothing preventing kernel memory allocators from allocating a page that overlaps with PTR_ERR(), except for architecture-specific code that sets up memblock.
It was discovered that RISCV architecture doesn't set up memblock correctly, leading to a page overlapping with PTR_ERR() being allocated, and subsequently crashing the kernel (link in Close: ).
The reported crash has nothing to do with PTR_ERR(): the last page (at address 0xfffff000) being allocated leads to an unexpected arithmetic overflow in ext4; but still, this page shouldn't be allocated in the first place.
Because PTR_ERR() is an architecture-independent thing, we shouldn't ask every single architecture to set this up. There may be other architectures besides RISCV that have the same problem.
Fix this once and for all by reserving the physical memory page that may be mapped to the last virtual memory page as part of low memory.
Unfortunately, this means if there is actual memory at this reserved location, that memory will become inaccessible. However, if this page is not reserved, it can only be accessed as high memory, so this doesn't matter if high memory is not supported. Even if high memory is supported, it is still only one page.
Closes: https://lore.kernel.org/linux-riscv/878r1ibpdn.fsf@all.your.base.are.belong....
Link: https://lkml.kernel.org/r/20240418102943.180510-1-namcao@linutronix.de
Signed-off-by: Nam Cao <namcao@linutronix.de>
Reported-by: Björn Töpel <bjorn@kernel.org>
Tested-by: Björn Töpel <bjorn@kernel.org>
Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Andreas Dilger <adilger@dilger.ca>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Changbin Du <changbin.du@huawei.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Krister Johansen <kjlx@templeofstupid.com>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Tejun Heo <tj@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
init/main.c | 1 + 1 file changed, 1 insertion(+)
--- a/init/main.c~init-fix-allocated-page-overlapping-with-ptr_err +++ a/init/main.c @@ -900,6 +900,7 @@ void start_kernel(void) page_address_init(); pr_notice("%s", linux_banner); early_security_init(); + memblock_reserve(__pa(-PAGE_SIZE), PAGE_SIZE); /* reserve last page for ERR_PTR */ setup_arch(&command_line); setup_boot_config(); setup_command_line(command_line); _
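Review bot: the call added to start_kernel() evaluates __pa(-PAGE_SIZE) unconditionally, for every architecture and before setup_arch(&command_line) has run, and nothing in the hunk checks that the last virtual page actually belongs to the linear (low memory) mapping that __pa() translates. The commit message only says the physical page "may be mapped" there, so on a configuration where it is not, the address handed to memblock_reserve() is not meaningful and the reservation lands on an unrelated page or on nothing. Consider guarding the call so it runs only where -PAGE_SIZE lies inside the linear map, and extend the trailing comment to state that the reservation is placed ahead of setup_arch() on purpose. The int returned by memblock_reserve() is also dropped; if the reservation fails, the page stays allocatable with no diagnostic.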
Patches currently in -mm which might be from namcao@linutronix.de are
init-fix-allocated-page-overlapping-with-ptr_err.patch
linux-stable-mirror@lists.linaro.org
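Added example (not part of the patch or of the kernel source): a user-space C model of a 32-bit address space that shows the two properties of the page at 0xfffff000 described in the commit message, namely that addresses inside it fall in the ERR_PTR() range and that its end address wraps to 0. The helper names (model_is_err, count_err_aliases, page_end, in_range) are hypothetical, and in_range is a generic bounds check, not ext4's code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: 32-bit addresses, 4 KiB pages, MAX_ERRNO as in err.h. */
#define MODEL_PAGE_SIZE 0x1000u
#define MODEL_MAX_ERRNO 4095u
typedef uint32_t vaddr_t;

/* Same comparison as the kernel's IS_ERR_VALUE(): x >= (unsigned long)-MAX_ERRNO. */
static bool model_is_err(vaddr_t p)
{
    return p >= (vaddr_t)-MODEL_MAX_ERRNO;
}

/* Base of the last virtual page, i.e. (unsigned long)-PAGE_SIZE on 32-bit. */
static vaddr_t last_page_base(void) { return (vaddr_t)-MODEL_PAGE_SIZE; }

/* How many addresses in [base, base + PAGE_SIZE) would be taken for ERR_PTR(). */
static unsigned count_err_aliases(vaddr_t base)
{
    unsigned n = 0;
    for (uint32_t off = 0; off < MODEL_PAGE_SIZE; off++)
        if (model_is_err(base + off))
            n++;
    return n;
}

/* Exclusive end of the page; 32-bit arithmetic wraps for the last page. */
static vaddr_t page_end(vaddr_t base) { return base + MODEL_PAGE_SIZE; }

/* Generic "p lies in [base, end)" check, which the wrapped end defeats. */
static bool in_range(vaddr_t p, vaddr_t base)
{
    return p >= base && p < page_end(base);
}

int main(void)
{
    vaddr_t last = last_page_base();
    printf("last page base      : %#x\n", (unsigned)last);
    printf("ERR_PTR aliases     : %u of %u bytes\n",
           count_err_aliases(last), MODEL_PAGE_SIZE);
    printf("end of last page    : %#x\n", (unsigned)page_end(last));
    printf("mid-page in_range() : %d\n", in_range(last + 0x800u, last));
    return 0;
}
```
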