{"id":"CVE-2022-49851","summary":"riscv: fix reserved memory setup","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix reserved memory setup\n\nCurrently, RISC-V sets up reserved memory using the \"early\" copy of the\ndevice tree. As a result, when trying to get a reserved memory region\nusing of_reserved_mem_lookup(), the pointer to reserved memory regions\nis using the early, pre-virtual-memory address which causes a kernel\npanic when trying to use the buffer's name:\n\n Unable to handle kernel paging request at virtual address 00000000401c31ac\n Oops [#1]\n Modules linked in:\n CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1\n Hardware name: Microchip PolarFire-SoC Icicle Kit (DT)\n epc : string+0x4a/0xea\n  ra : vsnprintf+0x1e4/0x336\n epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0\n  gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000\n  t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20\n  s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000\n  a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff\n  a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff\n  s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008\n  s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00\n  s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002\n  s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617\n  t5 : ffffffff812f3618 t6 : ffffffff81203d08\n status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d\n [\u003cffffffff80338936\u003e] vsnprintf+0x1e4/0x336\n [\u003cffffffff80055ae2\u003e] vprintk_store+0xf6/0x344\n [\u003cffffffff80055d86\u003e] vprintk_emit+0x56/0x192\n [\u003cffffffff80055ed8\u003e] vprintk_default+0x16/0x1e\n [\u003cffffffff800563d2\u003e] vprintk+0x72/0x80\n [\u003cffffffff806813b2\u003e] _printk+0x36/0x50\n [\u003cffffffff8068af48\u003e] print_reserved_mem+0x1c/0x24\n [\u003cffffffff808057ec\u003e] paging_init+0x528/0x5bc\n [\u003cffffffff808031ae\u003e] setup_arch+0xd0/0x592\n [\u003cffffffff8080070e\u003e] start_kernel+0x82/0x73c\n\nearly_init_fdt_scan_reserved_mem() takes no arguments as it operates on\ninitial_boot_params, which is populated by early_init_dt_verify(). On\nRISC-V, early_init_dt_verify() is called twice. Once, directly, in\nsetup_arch() if CONFIG_BUILTIN_DTB is not enabled and once indirectly,\nvery early in the boot process, by parse_dtb() when it calls\nearly_init_dt_scan_nodes().\n\nThis first call uses dtb_early_va to set initial_boot_params, which is\nnot usable later in the boot process when\nearly_init_fdt_scan_reserved_mem() is called. On arm64 for example, the\ncorresponding call to early_init_dt_scan_nodes() uses fixmap addresses\nand doesn't suffer the same fate.\n\nMove early_init_fdt_scan_reserved_mem() further along the boot sequence,\nafter the direct call to early_init_dt_verify() in setup_arch() so that\nthe names use the correct virtual memory addresses. The above supposed\nthat CONFIG_BUILTIN_DTB was not set, but should work equally in the case\nwhere it is - unflatted_and_copy_device_tree() also updates\ninitial_boot_params.","modified":"2026-04-02T08:28:00.316977Z","published":"2025-05-01T14:10:06.274Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49851.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/50e63dd8ed92045eb70a72d7ec725488320fb68b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/518e49f0590de66555503aabe199ba8d3f2e24ac"},{"type":"WEB","url":"https://git.kernel.org/stable/c/93598deb101540c4f9e7de15099ea8255b965fc2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/94ab8f88feb75e3b1486102c0c9c550f37d9d137"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49851.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49851"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"922b0375fc93fb1a20c5617e37c389c26bbccb70"},{"fixed":"94ab8f88feb75e3b1486102c0c9c550f37d9d137"},{"fixed":"518e49f0590de66555503aabe199ba8d3f2e24ac"},{"fixed":"93598deb101540c4f9e7de15099ea8255b965fc2"},{"fixed":"50e63dd8ed92045eb70a72d7ec725488320fb68b"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"f18ed5bee7bb8a0e99e1c7e7d45e0e51d3497248"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49851.json"}}],"schema_version":"1.7.5"}