From: sashiko-bot@kernel.org
To: "Jinjie Ruan" <ruanjinjie@huawei.com>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v16 07/10] LoongArch: kexec_file: Use crash_prepare_headers() helper to simplify code
Date: Mon, 08 Jun 2026 07:52:57 +0000 [thread overview]
Message-ID: <20260608075258.0F6D91F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260608073459.3119290-8-ruanjinjie@huawei.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] A time-of-check to time-of-use (TOCTOU) race condition exists between arch_get_system_nr_ranges() and arch_crash_populate_cmem() against concurrent memory hotplug, potentially causing a buffer overflow or Use-After-Free.
--
commit e15fd7173b2be430036c153dea51e26db1b14d57
Author: Jinjie Ruan <ruanjinjie@huawei.com>
LoongArch: kexec_file: Use crash_prepare_headers() helper to simplify code
This commit replaces prepare_elf_headers() with the generic
crash_prepare_headers() helper to simplify crash memory handling. It implements
arch_get_system_nr_ranges() to count memory ranges and
arch_crash_populate_cmem() to fill them.
> diff --git a/arch/loongarch/kernel/machine_kexec_file.c b/arch/loongarch/kernel/machine_kexec_file.c
> index 5584b798ba464..5412aa9f35687 100644
> --- a/arch/loongarch/kernel/machine_kexec_file.c
> +++ b/arch/loongarch/kernel/machine_kexec_file.c
[ ... ]
> +int arch_crash_populate_cmem(struct crash_mem *cmem)
> +{
> + phys_addr_t start, end;
> + uint64_t i;
>
> - cmem->max_nr_ranges = nr_ranges;
> - cmem->nr_ranges = 0;
> for_each_mem_range(i, &start, &end) {
> cmem->ranges[cmem->nr_ranges].start = start;
> cmem->ranges[cmem->nr_ranges].end = end - 1;
> cmem->nr_ranges++;
> }
[Severity: High]
This is a pre-existing issue, but is there a risk of a time-of-check to
time-of-use (TOCTOU) race condition here against concurrent memory hotplug?
Because sys_kexec_file_load() acquires kexec_mutex but does not hold memory
hotplug locks (e.g., mem_hotplug_begin()) or cpus_read_lock(), concurrent
memory hotplug events like add_memory_resource() could occur.
The generic crash_prepare_headers() separates counting and population:
kernel/crash_core.c:crash_prepare_headers() {
...
max_nr_ranges = arch_get_system_nr_ranges();
if (!max_nr_ranges)
return -ENOMEM;
cmem = alloc_cmem(max_nr_ranges);
...
ret = arch_crash_populate_cmem(cmem);
...
}
If memblock regions are added dynamically between the time max_nr_ranges is
calculated and the cmem->ranges array is populated in
arch_crash_populate_cmem(), won't the loop above iterate more times than
max_nr_ranges and blindly write out-of-bounds to the flexible ranges array?
Additionally, could a concurrent memblock_add_node() trigger a
memblock_double_array(), which reallocates the regions array and frees the
old one, resulting in a use-after-free while for_each_mem_range() is
traversing it?
> + return 0;
> }
>
> /*
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260608073459.3119290-1-ruanjinjie@huawei.com?part=7
next prev parent reply other threads:[~2026-06-08 7:52 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 7:34 [PATCH v16 00/10] arm64/riscv: Add support for crashkernel CMA reservation Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
2026-06-08 7:34 ` [PATCH v16 01/10] riscv: kexec_file: Fix crashk_low_res not exclude bug Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
2026-06-08 7:48 ` sashiko-bot
2026-06-08 8:05 ` Jinjie Ruan
2026-06-08 8:05 ` Jinjie Ruan
2026-06-08 7:34 ` [PATCH v16 02/10] powerpc/crash: sort crash memory ranges before preparing elfcorehdr Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
2026-06-08 7:34 ` [PATCH v16 03/10] crash: Add crash_prepare_headers() to exclude crash kernel memory Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
2026-06-08 7:34 ` [PATCH v16 04/10] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
2026-06-08 7:56 ` sashiko-bot
2026-06-08 8:07 ` Jinjie Ruan
2026-06-08 8:07 ` Jinjie Ruan
2026-06-08 7:34 ` [PATCH v16 05/10] x86: " Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
2026-06-08 7:47 ` sashiko-bot
2026-06-08 8:21 ` Jinjie Ruan
2026-06-08 8:21 ` Jinjie Ruan
2026-06-08 7:34 ` [PATCH v16 06/10] riscv: " Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
2026-06-08 7:54 ` sashiko-bot
2026-06-08 8:08 ` Jinjie Ruan
2026-06-08 8:08 ` Jinjie Ruan
2026-06-08 7:34 ` [PATCH v16 07/10] LoongArch: " Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
2026-06-08 7:52 ` sashiko-bot [this message]
2026-06-08 8:23 ` Jinjie Ruan
2026-06-08 8:23 ` Jinjie Ruan
2026-06-08 7:34 ` [PATCH v16 08/10] powerpc/kexec_file: Use crash_exclude_core_ranges() helper Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
2026-06-08 8:48 ` Breno Leitao
2026-06-08 8:48 ` Breno Leitao
2026-06-08 7:34 ` [PATCH v16 09/10] arm64: kexec_file: Add support for crashkernel CMA reservation Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
2026-06-08 7:34 ` [PATCH v16 10/10] riscv: " Jinjie Ruan
2026-06-08 7:34 ` Jinjie Ruan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260608075258.0F6D91F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=ruanjinjie@huawei.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.