In the Linux kernel, the following vulnerability has been resolved:
riscv: fix reserved memory setup
Currently, RISC-V sets up reserved memory using the "early" copy of the device tree. As a result, when trying to get a reserved memory region using ofreservedmem_lookup(), the pointer to reserved memory regions is using the early, pre-virtual-memory address which causes a kernel panic when trying to use the buffer's name:
Unable to handle kernel paging request at virtual address 00000000401c31ac Oops [#1] Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1 Hardware name: Microchip PolarFire-SoC Icicle Kit (DT) epc : string+0x4a/0xea ra : vsnprintf+0x1e4/0x336 epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0 gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000 t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20 s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000 a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008 s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00 s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002 s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617 t5 : ffffffff812f3618 t6 : ffffffff81203d08 status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d [<ffffffff80338936>] vsnprintf+0x1e4/0x336 [<ffffffff80055ae2>] vprintkstore+0xf6/0x344 [<ffffffff80055d86>] vprintkemit+0x56/0x192 [<ffffffff80055ed8>] vprintkdefault+0x16/0x1e [<ffffffff800563d2>] vprintk+0x72/0x80 [<ffffffff806813b2>] _printk+0x36/0x50 [<ffffffff8068af48>] printreservedmem+0x1c/0x24 [<ffffffff808057ec>] paginginit+0x528/0x5bc [<ffffffff808031ae>] setuparch+0xd0/0x592 [<ffffffff8080070e>] startkernel+0x82/0x73c
earlyinitfdtscanreservedmem() takes no arguments as it operates on initialbootparams, which is populated by earlyinitdtverify(). On RISC-V, earlyinitdtverify() is called twice. Once, directly, in setuparch() if CONFIGBUILTINDTB is not enabled and once indirectly, very early in the boot process, by parsedtb() when it calls earlyinitdtscan_nodes().
This first call uses dtbearlyva to set initialbootparams, which is not usable later in the boot process when earlyinitfdtscanreservedmem() is called. On arm64 for example, the corresponding call to earlyinitdtscan_nodes() uses fixmap addresses and doesn't suffer the same fate.
Move earlyinitfdtscanreservedmem() further along the boot sequence, after the direct call to earlyinitdtverify() in setuparch() so that the names use the correct virtual memory addresses. The above supposed that CONFIGBUILTINDTB was not set, but should work equally in the case where it is - unflattedandcopydevicetree() also updates initialboot_params.