From: sashiko-bot@kernel.org
To: "Wandun Chen" <chenwandun1@gmail.com>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v3 10/11] riscv: kdump: exclude non-dumpable reserved memory regions from vmcore
Date: Wed, 27 May 2026 04:05:42 +0000 [thread overview]
Message-ID: <20260527040542.DB2F81F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260527032917.3385849-11-chenwandun1@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] A Time-of-Check to Time-of-Use (TOCTOU) race condition during memory hotplug can lead to an out-of-bounds heap write when populating the crash_mem array.
--
commit a3046cf8f5e5d648fc54675ac919081b37df020f
Author: Wandun Chen <chenwandun@lixiang.com>
riscv: kdump: exclude non-dumpable reserved memory regions from vmcore
This commit applies non-dumpable reserved memory filtering to RISC-V kdump
by dropping flagged regions from the elfcorehdr PT_LOAD segments. It
calculates the needed ranges and excludes them during ELF header preparation.
> diff --git a/arch/riscv/kernel/machine_kexec_file.c b/arch/riscv/kernel/machine_kexec_file.c
> index 54e2d9552e930..c359cf714c791 100644
> --- a/arch/riscv/kernel/machine_kexec_file.c
> +++ b/arch/riscv/kernel/machine_kexec_file.c
[ ... ]
> @@ -63,6 +64,7 @@ static int prepare_elf_headers(void **addr, unsigned long *sz)
>
> nr_ranges = 1; /* For exclusion of crashkernel region */
> walk_system_ram_res(0, -1, &nr_ranges, get_nr_ram_ranges_callback);
> + nr_ranges += of_reserved_mem_kdump_nr_ranges();
>
> cmem = kmalloc_flex(*cmem, ranges, nr_ranges);
[Severity: High]
This is a pre-existing issue, but could this sequence be susceptible to a race
condition during memory hotplug?
In prepare_elf_headers(), walk_system_ram_res() is called here to calculate
nr_ranges, and then called again later to populate the cmem->ranges array.
Because get_online_mems() is not held across these two calls, a new memory
region could be hot-added between them.
Since prepare_elf64_ram_headers_callback() lacks bounds checking and
unconditionally writes to cmem->ranges[cmem->nr_ranges], would a hot-add
event cause the second walk to exceed the newly allocated cmem->max_nr_ranges
and result in an out-of-bounds heap write?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260527032917.3385849-1-chenwandun1@gmail.com?part=10
next prev parent reply other threads:[~2026-05-27 4:05 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-27 3:29 [PATCH v3 00/11] kdump: reduce vmcore size and capture time Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 3:29 ` [PATCH v3 01/11] of: reserved_mem: handle NULL name in of_reserved_mem_lookup() Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 3:29 ` [PATCH v3 02/11] kexec/crash: provide crash_exclude_mem_range() stub when CONFIG_CRASH_DUMP=n Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 3:29 ` [PATCH v3 03/11] of: reserved_mem: avoid post-init UAF when alloc_reserved_mem_array() fails Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-06-02 16:24 ` Rob Herring
2026-06-02 16:24 ` Rob Herring
2026-06-03 6:44 ` Wandun
2026-06-03 6:44 ` Wandun
2026-06-03 17:44 ` Rob Herring
2026-06-03 17:44 ` Rob Herring
2026-06-04 1:48 ` Wandun
2026-06-04 1:48 ` Wandun
2026-05-27 3:29 ` [PATCH v3 04/11] of: reserved_mem: zero total_reserved_mem_cnt if no valid /reserved-memory entry Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 3:53 ` sashiko-bot
2026-05-27 3:29 ` [PATCH v3 05/11] of: reserved_mem: split alloc_reserved_mem_array() from fdt_scan_reserved_mem_late() Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 4:21 ` sashiko-bot
2026-05-27 3:29 ` [PATCH v3 06/11] of: reserved_mem: add dumpable flag to opt-in vmcore Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 3:29 ` [PATCH v3 07/11] of: reserved_mem: save /memreserve/ entries into the reserved_mem array Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 3:29 ` [PATCH v3 08/11] of: reserved_mem: add kdump helpers to exclude non-dumpable regions Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 3:29 ` [PATCH v3 09/11] arm64: kdump: exclude non-dumpable reserved memory regions from vmcore Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 4:10 ` sashiko-bot
2026-05-29 15:08 ` Will Deacon
2026-05-29 15:08 ` Will Deacon
2026-05-30 16:25 ` Mike Rapoport
2026-05-30 16:25 ` Mike Rapoport
2026-06-01 5:00 ` Baoquan He
2026-06-01 5:00 ` Baoquan He
2026-06-02 9:34 ` Mike Rapoport
2026-06-02 9:34 ` Mike Rapoport
2026-05-27 3:29 ` [PATCH v3 10/11] riscv: " Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 4:05 ` sashiko-bot [this message]
2026-05-27 3:29 ` [PATCH v3 11/11] loongarch: " Wandun Chen
2026-05-27 3:29 ` Wandun Chen
2026-05-27 4:12 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260527040542.DB2F81F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=chenwandun1@gmail.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.