Wind River Support Network

Fixed

LIN1023-16510 : Security Advisory - linux - CVE-2023-53699

Created: Oct 22, 2025    Updated: Oct 26, 2025
Resolved Date: Oct 26, 2025
Found In Version: 10.23.30.1
Fix Version: 10.23.30.2
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: move memblock_allow_resize() after linear mapping is ready

The initial memblock metadata is accessed from kernel image mapping. The
regions arrays need to be "reallocated" from memblock and accessed through
linear mapping to cover more memblock regions. So the resizing should
not be allowed until linear mapping is ready. Note that there are
memblock allocations when building linear mapping.

This patch is similar to 24cc61d8cb5a ("arm64: memblock: don't permit
memblock resizing until linear mapping is up").

In the following log, many memblock regions are reserved before
create_linear_mapping_page_table(). And then it triggered reallocation
of memblock.reserved.regions and memcpy the old array in kernel image
mapping to the new array in linear mapping which caused a page fault.

[    0.000000] memblock_reserve: [0x00000000bf01f000-0x00000000bf01ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[    0.000000] memblock_reserve: [0x00000000bf021000-0x00000000bf021fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[    0.000000] memblock_reserve: [0x00000000bf023000-0x00000000bf023fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[    0.000000] memblock_reserve: [0x00000000bf025000-0x00000000bf025fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[    0.000000] memblock_reserve: [0x00000000bf027000-0x00000000bf027fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[    0.000000] memblock_reserve: [0x00000000bf029000-0x00000000bf029fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[    0.000000] memblock_reserve: [0x00000000bf02b000-0x00000000bf02bfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[    0.000000] memblock_reserve: [0x00000000bf02d000-0x00000000bf02dfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[    0.000000] memblock_reserve: [0x00000000bf02f000-0x00000000bf02ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[    0.000000] memblock_reserve: [0x00000000bf030000-0x00000000bf030fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6
[    0.000000] OF: reserved mem: 0x0000000080000000..0x000000008007ffff (512 KiB) map non-reusable mmode_resv0@80000000
[    0.000000] memblock_reserve: [0x00000000bf000000-0x00000000bf001fed] paging_init+0x19a/0x5ae
[    0.000000] memblock_phys_alloc_range: 4096 bytes align=0x1000 from=0x0000000000000000 max_addr=0x0000000000000000 alloc_pmd_fixmap+0x14/0x1c
[    0.000000] memblock_reserve: [0x000000017ffff000-0x000000017fffffff] memblock_alloc_range_nid+0xb8/0x128
[    0.000000] memblock: reserved is doubled to 256 at [0x000000017fffd000-0x000000017fffe7ff]
[    0.000000] Unable to handle kernel paging request at virtual address ff600000ffffd000
[    0.000000] Oops [#1]
[    0.000000] Modules linked in:
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.4.0-rc1-00011-g99a670b2069c #66
[    0.000000] Hardware name: riscv-virtio,qemu (DT)
[    0.000000] epc : __memcpy+0x60/0xf8
[    0.000000]  ra : memblock_double_array+0x192/0x248
[    0.000000] epc : ffffffff8081d214 ra : ffffffff80a3dfc0 sp : ffffffff81403bd0
[    0.000000]  gp : ffffffff814fbb38 tp : ffffffff8140dac0 t0 : 0000000001600000
[    0.000000]  t1 : 0000000000000000 t2 : 000000008f001000 s0 : ffffffff81403c60
[    0.000000]  s1 : ffffffff80c0bc98 a0 : ff600000ffffd000 a1 : ffffffff80c0bcd8
[    0.000000]  a2 : 0000000000000c00 a3 : ffffffff80c0c8d8 a4 : 0000000080000000
[    0.000000]  a5 : 0000000000080000 a6 : 0000000000000000 a7 : 0000000080200000
[    0.000000]  s2 : ff600000ffffd000 s3 : 0000000000002000 s4 : 0000000000000c00
[    0.000000]  s5 : ffffffff80c0bc60 s6 : ffffffff80c0bcc8 s7 : 0000000000000000
[    0.000000]  s8 : ffffffff814fd0a8 s9 : 000000017fffe7ff s10: 0000000000000000
[    0.000000]  s11: 0000000000001000 t3 : 0000000000001000 t4 : 0000000000000000
[    0.000000]  t5 : 000000008f003000 t6 : ff600000ffffd000
[    0.000000] status: 0000000200000100 badaddr: ff600000ffffd000 cause: 000000000000000f
[    0.000000] [<fff
---truncated---
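
The ordering problem described above, replayed in a small user-space model. This is an added example, not code from the kernel patch or from Wind River. INIT_REGIONS, struct boot, replay() and the error codes are hypothetical names, and the clean ERR_NO_RESIZE return is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy user-space model (constructed for illustration); not kernel code. */
#define INIT_REGIONS 4 /* assumed tiny initial array so it fills quickly */
enum { OK = 0, ERR_NO_RESIZE = -1, ERR_FAULT = -2 };
struct boot {
    unsigned long long image_array[INIT_REGIONS];      /* initial metadata, kernel image mapping */
    unsigned long long linear_array[2 * INIT_REGIONS]; /* new array, reachable only via linear map */
    unsigned long long *regions;
    int cnt, max;
    bool can_resize;       /* the flag memblock_allow_resize() sets */
    bool linear_map_ready; /* true once the linear mapping page tables exist */
};

/* Grow the array; the new copy is addressed through the linear mapping. */
static int double_array(struct boot *b) {
    if (!b->can_resize) return ERR_NO_RESIZE;   /* model assumption: refuse cleanly */
    if (!b->linear_map_ready) return ERR_FAULT; /* stands in for the page fault in memcpy */
    memcpy(b->linear_array, b->regions, b->cnt * sizeof b->regions[0]);
    b->regions = b->linear_array;
    b->max *= 2;
    return OK;
}

static int reserve(struct boot *b, unsigned long long base) {
    int rc = (b->cnt == b->max) ? double_array(b) : OK;
    if (rc == OK)
        b->regions[b->cnt++] = base;
    return rc;
}

/* Replay one boot with `early` reservations; returns an error or the final array size. */
static int replay(bool allow_resize_early, int early) {
    struct boot b = { .max = INIT_REGIONS, .can_resize = allow_resize_early };
    int rc = OK;
    b.regions = b.image_array;
    for (int i = 0; i < early && rc == OK; i++)
        rc = reserve(&b, 0xbf01f000ULL + 0x2000ULL * i);
    if (rc == OK)
        rc = reserve(&b, 0x17ffff000ULL); /* allocation made while building the linear map */
    b.linear_map_ready = true;
    b.can_resize = true;                  /* where the fix places allow_resize */
    while (rc == OK && b.cnt <= INIT_REGIONS)
        rc = reserve(&b, 0x90000000ULL + 0x1000ULL * b.cnt); /* constructed late reservations */
    return rc == OK ? b.max : rc;
}

int main(void) {
    printf("old order: %d, new order: %d\n", replay(true, 4), replay(false, 2));
    return 0;
}
```

With few early reservations both orderings succeed in the model, which is why the fault only shows up on boots that reserve many regions before the linear mapping exists.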

CVEs

