CVE-2023-53699

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/10/2025
Last modified:
22/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: move memblock_allow_resize() after linear mapping is ready

The initial memblock metadata is accessed from kernel image mapping. The regions arrays need to be "reallocated" from memblock and accessed through linear mapping to cover more memblock regions. So the resizing should not be allowed until linear mapping is ready. Note that there are memblock allocations when building linear mapping.

This patch is similar to 24cc61d8cb5a ("arm64: memblock: don't permit memblock resizing until linear mapping is up").

In the following log, many memblock regions are reserved before create_linear_mapping_page_table(). And then it triggered reallocation of memblock.reserved.regions and memcpy the old array in kernel image mapping to the new array in linear mapping which caused a page fault.

[ 0.000000] memblock_reserve: [0x00000000bf01f000-0x00000000bf01ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf021000-0x00000000bf021fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf023000-0x00000000bf023fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf025000-0x00000000bf025fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf027000-0x00000000bf027fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf029000-0x00000000bf029fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf02b000-0x00000000bf02bfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf02d000-0x00000000bf02dfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf02f000-0x00000000bf02ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] memblock_reserve: [0x00000000bf030000-0x00000000bf030fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[ 0.000000] OF: reserved mem: 0x0000000080000000..0x000000008007ffff (512 KiB) map non-reusable mmode_resv0@80000000
[ 0.000000] memblock_reserve: [0x00000000bf000000-0x00000000bf001fed] paging_init+0x19a/0x5ae
[ 0.000000] memblock_phys_alloc_range: 4096 bytes align=0x1000 from=0x0000000000000000 max_addr=0x0000000000000000 alloc_pmd_fixmap+0x14/0x1c
[ 0.000000] memblock_reserve: [0x000000017ffff000-0x000000017fffffff] memblock_alloc_range_nid+0xb8/0x128
[ 0.000000] memblock: reserved is doubled to 256 at [0x000000017fffd000-0x000000017fffe7ff]
[ 0.000000] Unable to handle kernel paging request at virtual address ff600000ffffd000
[ 0.000000] Oops [#1]
[ 0.000000] Modules linked in:
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.4.0-rc1-00011-g99a670b2069c #66
[ 0.000000] Hardware name: riscv-virtio,qemu (DT)
[ 0.000000] epc : __memcpy+0x60/0xf8
[ 0.000000] ra : memblock_double_array+0x192/0x248
[ 0.000000] epc : ffffffff8081d214 ra : ffffffff80a3dfc0 sp : ffffffff81403bd0
[ 0.000000] gp : ffffffff814fbb38 tp : ffffffff8140dac0 t0 : 0000000001600000
[ 0.000000] t1 : 0000000000000000 t2 : 000000008f001000 s0 : ffffffff81403c60
[ 0.000000] s1 : ffffffff80c0bc98 a0 : ff600000ffffd000 a1 : ffffffff80c0bcd8
[ 0.000000] a2 : 0000000000000c00 a3 : ffffffff80c0c8d8 a4 : 0000000080000000
[ 0.000000] a5 : 0000000000080000 a6 : 0000000000000000 a7 : 0000000080200000
[ 0.000000] s2 : ff600000ffffd000 s3 : 0000000000002000 s4 : 0000000000000c00
[ 0.000000] s5 : ffffffff80c0bc60 s6 : ffffffff80c0bcc8 s7 : 0000000000000000
[ 0.000000] s8 : ffffffff814fd0a8 s9 : 000000017fffe7ff s10: 0000000000000000
[ 0.000000] s11: 0000000000001000 t3 : 0000000000001000 t4 : 0000000000000000
[ 0.000000] t5 : 000000008f003000 t6 : ff600000ffffd000
[ 0.000000] status: 0000000200000100 badaddr: ff600000ffffd000 cause: 000000000000000f
[ 0.000000] [
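The ordering bug described above, reduced to a small model. This is an added, self-contained illustration written for this page; it is not kernel code and does not reproduce the kernel's memblock implementation. It keeps a tiny region table whose initial storage stands in for the kernel image mapping and a bump-allocated pool that stands in for linear-mapped RAM; the pool is only "reachable" once a `linear_mapping_ready` flag is set. `boot()` replays the sequence from the log (device-tree reservations, then a page-table allocation while the linear map is being built, then a later reservation) in both the pre-fix and the fixed order. The constant `INIT_REGIONS`, the addresses, and the return codes are the model's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model (assumption: not kernel code). INIT_REGIONS stands in for the
 * kernel's statically sized initial reserved-region array. */
#define INIT_REGIONS 4

struct region { unsigned long base, size; };

struct memblock_type {
    struct region *regions;
    size_t cnt, max;
    bool in_linear_map;   /* where `regions` currently lives */
};

static struct region image_regions[INIT_REGIONS];  /* "kernel image mapping": always reachable */
static struct memblock_type reserved;

static bool linear_mapping_ready;   /* set once the linear map page tables exist */
static bool memblock_can_resize;    /* set by the model's memblock_allow_resize() */

/* "Linear-mapped RAM": a bump allocator over a static pool. */
static struct region linear_pool[4 * INIT_REGIONS];
static size_t linear_used;

enum boot_result { BOOT_OK = 0, BOOT_OOPS = -1, BOOT_ENOMEM = -2 };

static void reset_model(void)
{
    memset(image_regions, 0, sizeof image_regions);
    reserved = (struct memblock_type){ image_regions, 0, INIT_REGIONS, false };
    linear_mapping_ready = false;
    memblock_can_resize = false;
    linear_used = 0;
}

/* Model of memblock_double_array(): take a bigger array from memblock-managed
 * RAM, which the kernel reaches through the linear map, and copy the old one. */
static int double_array(struct memblock_type *t)
{
    size_t new_max = t->max * 2;
    if (!memblock_can_resize)
        return BOOT_ENOMEM;            /* resizing refused before memblock_allow_resize() */
    if (linear_used + new_max > sizeof linear_pool / sizeof *linear_pool)
        return BOOT_ENOMEM;
    struct region *grown = &linear_pool[linear_used];
    linear_used += new_max;
    /* The store through the linear map is the access that faulted in the
     * advisory's log (epc in __memcpy, ra in memblock_double_array). */
    if (!linear_mapping_ready)
        return BOOT_OOPS;
    memcpy(grown, t->regions, t->cnt * sizeof *grown);
    t->regions = grown;
    t->max = new_max;
    t->in_linear_map = true;
    return BOOT_OK;
}

static int memblock_reserve_sim(unsigned long base, unsigned long size)
{
    if (reserved.cnt == reserved.max) {
        int rc = double_array(&reserved);
        if (rc)
            return rc;
    }
    reserved.regions[reserved.cnt++] = (struct region){ base, size };
    return BOOT_OK;
}

/* One boot: n_dt device-tree reservations, one page-table allocation made
 * while building the linear map, then one late reservation. allow_resize_early
 * == true is the pre-fix ordering. Returns the final region count, or an error. */
static int boot(bool allow_resize_early, int n_dt)
{
    int rc;
    reset_model();
    if (allow_resize_early)
        memblock_can_resize = true;           /* pre-fix: before the linear map */

    for (int i = 0; i < n_dt; i++)            /* early_init_fdt_scan_reserved_mem() */
        if ((rc = memblock_reserve_sim(0xbf000000UL + i * 0x2000, 0x1000)))
            return rc;

    /* create_linear_mapping_page_table(): page tables are memblock allocations too */
    if ((rc = memblock_reserve_sim(0x17ffff000UL, 0x1000)))
        return rc;
    linear_mapping_ready = true;

    if (!allow_resize_early)
        memblock_can_resize = true;           /* fixed: after the linear map */

    if ((rc = memblock_reserve_sim(0x80000000UL, 0x80000)))   /* later reservation */
        return rc;
    return (int)reserved.cnt;
}

int main(void)
{
    printf("pre-fix order, table full before linear map: %d (BOOT_OOPS)\n", boot(true, INIT_REGIONS));
    printf("fixed order,   table full before linear map: %d (BOOT_ENOMEM)\n", boot(false, INIT_REGIONS));
    printf("fixed order,   table has headroom:            %d regions\n", boot(false, INIT_REGIONS - 1));
    return 0;
}
```

With the table exactly filled by device-tree reservations, the pre-fix order grows the array while building the linear map and takes the fault; the fixed order refuses the resize instead, so the initial static table must be sized to hold every reservation made before the linear map is up. With one slot of headroom, the growth happens on the late reservation, after the linear map exists, and the table moves into linear-mapped memory without incident in either order, which is why the bug only surfaced on a system with many early reserved regions.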

Impact