Date: Tue, 26 May 2026 09:42:46 +0800
From: Yadan Fan
Subject: [PATCH v2] MIPS: mm: Fix out-of-bounds write in maar_res_walk()
To: tsbogend@alpha.franken.de
Cc: akpm@linux-foundation.org, rppt@kernel.org, "Liam R. Howlett", catalin.marinas@arm.com, jiaxun.yang@flygoat.com, paulburton@kernel.org, linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org, ydfan@suse.com
X-Mailing-List: linux-kernel@vger.kernel.org
User-Agent: Mozilla Thunderbird
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From 6496b7e4d61ce77ff3723054f807888f1bffddc4 Mon Sep 17 00:00:00 2001
From: Yadan Fan
Date: Mon, 25 May 2026 12:04:36 +0800
Subject: [PATCH] MIPS: mm: Fix out-of-bounds write in maar_res_walk()

maar_res_walk() uses wi->num_cfg as the index into the fixed-size wi->cfg array, but checks whether the array is full only after it has filled the selected entry. If walk_system_ram_range() reports more than 16 memory ranges, the overflow call writes one struct maar_config past the end of the array before WARN_ON() prevents num_cfg from advancing.

Move the full-array check before taking the array slot and use WARN_ON_ONCE(), since the guard now runs before every later range once the scratch array is full.

After the array fills, further ranges are ignored instead of attempting to store them. The previous code effectively tried to keep overwriting an out-of-bounds slot, which could not preserve those ranges safely.

Fixes: a5718fe8f70f ("MIPS: mm: Drop boot_mem_map")
Signed-off-by: Yadan Fan
---
Changes in v2:
  - Use WARN_ON_ONCE() for the full-array guard.
  - Update the commit log to state that later ranges are ignored once the
    scratch array is full, instead of claiming unchanged behavior.

 arch/mips/mm/init.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/arch/mips/mm/init.c b/arch/mips/mm/init.c
index 55b25e85122a..4b7db3f7c8a7 100644
--- a/arch/mips/mm/init.c
+++ b/arch/mips/mm/init.c
@@ -272,9 +272,15 @@ static int maar_res_walk(unsigned long start_pfn, unsi= gned long nr_pages, void *data) { struct maar_walk_info *wi =3D data; - struct maar_config *cfg =3D &wi->cfg[wi->num_cfg]; + struct maar_config *cfg; unsigned int maar_align; =20 + /* Ensure we don't overflow the cfg array */ + if (WARN_ON_ONCE(wi->num_cfg >=3D ARRAY_SIZE(wi->cfg))) + return 0; + + cfg =3D &wi->cfg[wi->num_cfg]; + /* MAAR registers hold physical addresses right shifted by 4 bits */ maar_align =3D BIT(MIPS_MAAR_ADDR_SHIFT + 4); =20 
@@ -283,9 +289,7 @@ static int maar_res_walk(unsigned long start_pfn, unsig= ned long nr_pages, cfg->upper =3D ALIGN_DOWN(PFN_PHYS(start_pfn + nr_pages), maar_align) - 1; cfg->attrs =3D MIPS_MAAR_S; =20 - /* Ensure we don't overflow the cfg array */ - if (!WARN_ON(wi->num_cfg >=3D ARRAY_SIZE(wi->cfg))) - wi->num_cfg++; + wi->num_cfg++; =20 return 0; } --=20 2.51.0
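Review bot: in the first hunk the guard returns 0 after WARN_ON_ONCE() fires, so walk_system_ram_range() keeps invoking maar_res_walk() for every remaining range once wi->cfg is full, and the _ONCE only silences the repeated warnings. Returning a non-zero value from the callback would end the walk at the first dropped range, which is what the commit log's "further ranges are ignored" describes, and would make the WARN_ON_ONCE() justification unnecessary. If continuing the walk is deliberate (for example so the caller sees the same return value as before), a short comment above `if (WARN_ON_ONCE(wi->num_cfg >=3D ARRAY_SIZE(wi->cfg)))` should say so.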
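Review bot: in the second hunk the increment `wi->num_cfg++;` is now unconditional, which is correct given the bound check at function entry, but the comment `/* Ensure we don't overflow the cfg array */` moved away with the check, so nothing at the point where an entry is committed tells a reader that ranges beyond the 16th are dropped from the MAAR configuration; only the commit log does. A one-line comment either here or next to the early return would keep that behaviour visible in the code itself.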
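As an added user-space model of the ordering bug the commit log describes (not code from the patch or from the kernel), the following puts three constructed canary words right after a 16-slot `cfg` array, implements both the pre-fix and the post-fix callback ordering, and feeds more than 16 constructed ranges through each; the struct layout, PAGE_SHIFT, the `FILL` helper and the omission of MAAR alignment are assumptions of the model.

```c
#include <stdint.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define PAGE_SHIFT 12                 /* assumed page size for the model */
#define CANARY 0xDEADBEEFCAFEF00DULL

struct maar_config { uint64_t lower, upper, attrs; };

/* Constructed layout: three canary words follow the 16-slot array, so a
 * stray write to cfg[16] lands on them and can be detected afterwards. */
struct maar_walk_info {
	struct maar_config cfg[16];
	uint64_t canary[3];
	unsigned int num_cfg;
};

/* Fill one entry; MAAR alignment is omitted, only slot bookkeeping matters here. */
#define FILL(c, pfn, n) (*(c) = (struct maar_config){ (uint64_t)(pfn) << PAGE_SHIFT, \
			 ((uint64_t)((pfn) + (n)) << PAGE_SHIFT) - 1, 1 })

/* Pre-fix ordering: the slot is written first, the bound is checked after. */
static int maar_res_walk_old(unsigned long pfn, unsigned long n, void *data)
{
	struct maar_walk_info *wi = data;
	struct maar_config *cfg = &wi->cfg[wi->num_cfg]; /* one past the end when full */
	FILL(cfg, pfn, n);
	if (!(wi->num_cfg >= ARRAY_SIZE(wi->cfg)))       /* WARN_ON() stand-in */
		wi->num_cfg++;
	return 0;
}

/* Post-fix ordering: refuse the range before touching the array. */
static int maar_res_walk_new(unsigned long pfn, unsigned long n, void *data)
{
	struct maar_walk_info *wi = data;
	if (wi->num_cfg >= ARRAY_SIZE(wi->cfg))          /* WARN_ON_ONCE() stand-in */
		return 0;                                /* later range is dropped */
	FILL(&wi->cfg[wi->num_cfg], pfn, n);
	wi->num_cfg++;
	return 0;
}

/* Feed nranges constructed 256-page ranges through fn. Returns the number of
 * recorded entries, or -1 if the canary after the array was overwritten. */
static int run_walk(int (*fn)(unsigned long, unsigned long, void *), unsigned int nranges)
{
	struct maar_walk_info wi = { .canary = { CANARY, CANARY, CANARY } };
	for (unsigned int i = 0; i < nranges; i++)
		fn(0x1000 + 0x200UL * i, 0x100, &wi);
	return (wi.canary[0] == CANARY && wi.canary[1] == CANARY &&
		wi.canary[2] == CANARY) ? (int)wi.num_cfg : -1;
}
```

With 16 ranges both orderings record 16 entries and leave the canary intact; with a 17th range the pre-fix ordering overwrites the canary (run_walk returns -1) while the post-fix ordering still reports 16.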