[PATCH v4] riscv: mm: Fix the out of bound issue of vmemmap address
Björn Töpel
bjorn at kernel.org
Mon Dec 9 05:10:47 PST 2024
Xu Lu <luxu.kernel at bytedance.com> writes:
> In sparse vmemmap model, the virtual address of vmemmap is calculated as:
> ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)).
> And the struct page's va can be calculated with an offset:
> (vmemmap + (pfn)).
>
> However, when initializing struct pages, kernel actually starts from the
> first page from the same section that phys_ram_base belongs to. If the
> first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then
> we get an va below VMEMMAP_START when calculating va for it's struct page.
>
> For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the
> first page in the same section is actually pfn 0x80000. During
> init_unavailable_range(), we will initialize struct page for pfn 0x80000
> with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is
> below VMEMMAP_START as well as PCI_IO_END.
>
> This commit fixes this bug by introducing a new variable
> 'vmemmap_start_pfn' which is aligned with memory section size and using
> it to calculate vmemmap address instead of phys_ram_base.
>
> Fixes: a11dd49dcb93 ("riscv: Sparse-Memory/vmemmap out-of-bounds fix")
> Signed-off-by: Xu Lu <luxu.kernel at bytedance.com>
Verified that the kernel is not trying to access vmemmap/struct pages
below VMEMMAP_START.
Tested-by: Björn Töpel <bjorn at rivosinc.com>
Reviewed-by: Björn Töpel <bjorn at rivosinc.com>
More information about the linux-riscv
mailing list