From: Pratyush Yadav <pratyush@kernel.org>
To: George Guo <dongtai.guo@linux.dev>
Cc: chenhuacai@kernel.org,  rppt@kernel.org,
	 pasha.tatashin@soleen.com, pratyush@kernel.org,
	 kernel@xen0n.name,  graf@amazon.com, shuah@kernel.org,
	 loongarch@lists.linux.dev,  kexec@lists.infradead.org,
	linux-mm@kvack.org,  linux-kselftest@vger.kernel.org,
	linux-kernel@vger.kernel.org,  George Guo <guodongtai@kylinos.cn>
Subject: Re: [PATCH 2/7] LoongArch: kho: strip stale kho_handover= from reused cmdline
Date: Mon, 25 May 2026 19:49:28 +0200
Message-ID: <2vxzpl2j5qhj.fsf@kernel.org>
In-Reply-To: <20260525062810.103367-3-dongtai.guo@linux.dev> (George Guo's message of "Mon, 25 May 2026 14:28:05 +0800")

On Mon, May 25 2026, George Guo wrote:

> From: George Guo <guodongtai@kylinos.cn>
>
> When kexec is invoked with --reuse-cmdline after a liveupdate boot, the
> running kernel's command line already contains a kho_handover= parameter
> from the previous kexec load.  load_other_segments() prepends a fresh
> kho_handover= for the new handover FDT but then appends the original
> cmdline verbatim, resulting in two kho_handover= entries:
>
>   kho_handover=0x4000@<new_fdt>,... kho_handover=0x4000@<stale_fdt>,...
>
> early_param() calls early_parse_kho() for each occurrence in order, so
> kho_populate() is invoked twice and the second call overwrites the first
> with the stale FDT address.  The stale address no longer holds a valid
> KHO FDT, causing __kho_radix_walk_tree() to dereference a garbage
> pointer and panic early in mm_core_init().
>
> Fix this by adding the new kho_handover= to the cmdline prefix first,
> then stripping any stale kho_handover= tokens from the appended original
> cmdline portion, so only the freshly generated entry survives.
>
> Signed-off-by: George Guo <guodongtai@kylinos.cn>
> ---
>  arch/loongarch/kernel/machine_kexec_file.c | 35 ++++++++++++++++++++++
>  1 file changed, 35 insertions(+)
>
> diff --git a/arch/loongarch/kernel/machine_kexec_file.c b/arch/loongarch/kernel/machine_kexec_file.c
> index ddf4d0e0e7fd..ffaedd055e62 100644
> --- a/arch/loongarch/kernel/machine_kexec_file.c
> +++ b/arch/loongarch/kernel/machine_kexec_file.c
> @@ -71,6 +71,37 @@ static void cmdline_add_kho(struct kimage *image, unsigned long *cmdline_tmplen,
>  	    image->kho.scratch->bufsz,    (u64)image->kho.scratch->mem);
>  	*cmdline_tmplen += n;
>  }
> +
> +/*
> + * Remove all "kho_handover=..." tokens from cmdline.  Needed when
> + * --reuse-cmdline is used: the running kernel's cmdline already carries a
> + * stale kho_handover= from the previous kexec load; without removal the new
> + * kernel sees two entries and kho_populate() ends up using the wrong (stale)
> + * FDT address.
> + */
> +static void cmdline_remove_kho(char *cmdline)
> +{
> +	const char *key = "kho_handover=";
> +	size_t key_len = strlen(key);
> +	char *p = cmdline;
> +
> +	while ((p = strstr(p, key)) != NULL) {
> +		char *start = p;
> +		char *end;
> +
> +		/* Only match at a token boundary */
> +		if (start != cmdline && *(start - 1) != ' ') {
> +			p += key_len;
> +			continue;
> +		}
> +		end = start + key_len;
> +		while (*end && *end != ' ')
> +			end++;
> +		while (*end == ' ')
> +			end++;
> +		memmove(start, end, strlen(end) + 1);
> +	}
> +}

Ugh, modifying the commandline supplied by userspace feels odd... Can
you at all do this via device tree?

If not, would it make more sense to reject kexec_load if command line
has kho_handover= and teach kexec-tools to strip it on its side?

>  #endif
>  
>  #ifdef CONFIG_CRASH_DUMP
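Review bot: the boundary test `*(start - 1) != ' '` and the scan `while (*end && *end != ' ')` in cmdline_remove_kho() treat only a plain space as a separator, but the kernel's parse_args()/next_arg() in lib/cmdline.c split tokens on any isspace() character; a reused cmdline with a tab before kho_handover= would pass the boundary check as "not a token start" and be kept, and a tab after the value would not stop the scan either. Use isspace() for both tests so the stripping matches what the next kernel will parse. Minor: `start` is always equal to `p`, so the extra variable can go.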
> @@ -249,6 +280,10 @@ int load_other_segments(struct kimage *image,
>  	}
>  
>  	memcpy(modified_cmdline + cmdline_tmplen, cmdline, cmdline_len);
> +#ifdef CONFIG_KEXEC_HANDOVER
> +	/* Strip stale kho_handover= that --reuse-cmdline may have carried over */
> +	cmdline_remove_kho(modified_cmdline + cmdline_tmplen);
> +#endif
>  	cmdline = modified_cmdline;
>  	image->arch.cmdline_ptr = (unsigned long)cmdline;
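Review bot: cmdline_remove_kho() walks the appended copy with strstr()/strlen(), so it relies on the cmdline_len bytes copied by the memcpy just above including the terminating NUL; if the caller guarantees that, a comment here would save the next reader the check, otherwise terminate the copied region explicitly before the call. The strip also shortens the string in place while nothing in this hunk recomputes the total length, so if a size derived from cmdline_tmplen + cmdline_len is used later for the cmdline segment it will exceed the string; that is harmless only because the tail stays NUL-terminated, which is worth stating.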

-- 
Regards,
Pratyush Yadav
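As an added example (not code from the patch, from kexec-tools or from any project on this page), here is a userspace model of the failure the commit message describes and of the strip that a userspace tool could apply before calling kexec_file_load(), as the reply suggests. last_value() imitates the kernel's walk of the command line (parse_args()/next_arg() split tokens on any isspace() character, and an early_param() handler that overwrites on each call keeps the last occurrence); strip_param() is the boundary-aware removal; demo_cmdline() mirrors the patch's "fresh entry first, original appended, only the appended part scrubbed" order. The function names, the cmdline strings and the FDT addresses are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed inputs; the FDT addresses are invented. The reused cmdline
 * carries a stale entry behind a tab on purpose (isspace() boundary case). */
static const char fresh_prefix[] = "kho_handover=0x4000@0x90000000 ";
static const char reused_cmdline[] =
	"console=ttyS0,115200 kho_handover=0x4000@0x80000000\troot=/dev/vda";

/* Walk cmdline like parse_args()/next_arg() in lib/cmdline.c (tokens split on
 * any isspace() char) and return the value of the LAST "key=" token: what an
 * early_param() handler that overwrites on each call is left with. */
static const char *last_value(const char *cmdline, const char *key)
{
	static char buf[256];
	size_t klen = strlen(key), flen = 0;
	const char *p = cmdline, *found = NULL;

	while (*p) {
		while (*p && isspace((unsigned char)*p))
			p++;
		if (!*p)
			break;
		const char *tok = p;
		while (*p && !isspace((unsigned char)*p))
			p++;
		size_t tlen = (size_t)(p - tok);
		if (tlen > klen && !strncmp(tok, key, klen) && tok[klen] == '=') {
			found = tok + klen + 1;
			flen = tlen - klen - 1;
		}
	}
	if (!found)
		return NULL;
	flen = flen < sizeof(buf) ? flen : sizeof(buf) - 1;
	memcpy(buf, found, flen);
	buf[flen] = '\0';
	return buf;
}

/* Remove every "key=..." token in place using the same isspace() boundaries,
 * so "foo=key=x" is left alone and a tab-separated token is still caught. */
static int strip_param(char *cmdline, const char *key)
{
	size_t klen = strlen(key);
	char *out = cmdline, *p = cmdline;
	int removed = 0;

	while (*p) {
		while (*p && isspace((unsigned char)*p))	/* keep separators */
			*out++ = *p++;
		if (!*p)
			break;
		char *tok = p;
		while (*p && !isspace((unsigned char)*p))
			p++;
		size_t tlen = (size_t)(p - tok);
		if (tlen > klen && !strncmp(tok, key, klen) && tok[klen] == '=') {
			removed++;
			while (*p && isspace((unsigned char)*p))	/* drop its gap too */
				p++;
		} else {
			memmove(out, tok, tlen);
			out += tlen;
		}
	}
	while (out > cmdline && isspace((unsigned char)out[-1]))
		out--;				/* no dangling trailing separator */
	*out = '\0';
	return removed;
}

/* Model of the patch's load_other_segments() path on the constructed inputs:
 * fresh entry first, original appended, and only the appended part scrubbed
 * when strip != 0, so the fresh entry survives. */
static const char *demo_cmdline(int strip)
{
	static char buf[512];
	size_t plen = strlen(fresh_prefix);

	memcpy(buf, fresh_prefix, plen);
	strcpy(buf + plen, reused_cmdline);	/* fixed sizes above; it fits */
	if (strip)
		strip_param(buf + plen, "kho_handover");
	return buf;
}

int main(void)
{
	for (int strip = 0; strip < 2; strip++)
		printf("%s: \"%s\"\n  kernel would use kho_handover=%s\n",
		       strip ? "stripped  " : "unstripped", demo_cmdline(strip),
		       last_value(demo_cmdline(strip), "kho_handover"));
	return 0;
}
```

Without the strip the last token wins and the stale 0x80000000 address is what the next kernel would hand to kho_populate(); with it, only the fresh entry remains. Doing this on the userspace side keeps the kernel from rewriting a command line it was given, which is the concern raised in the reply above.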


Thread overview: 15+ messages
2026-05-25  6:28 [PATCH 0/7] LoongArch: add KHO support and selftests George Guo
2026-05-25  6:28 ` [PATCH 1/7] LoongArch: Add KHO basic support George Guo
2026-05-25 17:34   ` Pratyush Yadav
2026-05-28 13:26     ` George Guo
2026-05-25  6:28 ` [PATCH 2/7] LoongArch: kho: strip stale kho_handover= from reused cmdline George Guo
2026-05-25 17:49   ` Pratyush Yadav [this message]
2026-05-25  6:28 ` [PATCH 3/7] LoongArch: Add missing linux/mm.h include in asm/io.h George Guo
2026-05-25  6:28 ` [PATCH 4/7] LoongArch: kexec: avoid overwriting QEMU's machine FDT at 0x100000 George Guo
2026-05-25  6:28 ` [PATCH 5/7] selftests/kho: add LoongArch vmtest support George Guo
2026-05-25  6:28 ` [PATCH 6/7] selftests/kho: LoongArch: disable PS/2 input devices for QEMU virt George Guo
2026-05-25  6:28 ` [PATCH 7/7] selftests/kho: handle QEMU not exiting after kexec on LoongArch George Guo
2026-05-25  7:48   ` Mike Rapoport
2026-05-25  7:48 ` [PATCH 0/7] LoongArch: add KHO support and selftests Mike Rapoport
2026-05-25 10:25   ` Huacai Chen
2026-05-25 11:24     ` Mike Rapoport
