From: Sourabh Jain <sourabhjain@linux.ibm.com>
To: Jinjie Ruan <ruanjinjie@huawei.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: corbet@lwn.net, skhan@linuxfoundation.org,
catalin.marinas@arm.com, will@kernel.org, chenhuacai@kernel.org,
kernel@xen0n.name, maddy@linux.ibm.com, mpe@ellerman.id.au,
npiggin@gmail.com, chleroy@kernel.org, pjw@kernel.org,
palmer@dabbelt.com, aou@eecs.berkeley.edu, alex@ghiti.fr,
tglx@kernel.org, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, hpa@zytor.com, robh@kernel.org,
saravanak@kernel.org, bhe@redhat.com, vgoyal@redhat.com,
dyoung@redhat.com, rdunlap@infradead.org, peterz@infradead.org,
feng.tang@linux.alibaba.com, pawan.kumar.gupta@linux.intel.com,
dapeng1.mi@linux.intel.com, kees@kernel.org, elver@google.com,
paulmck@kernel.org, lirongqing@baidu.com, safinaskar@gmail.com,
rppt@kernel.org, ardb@kernel.org, leitao@debian.org,
jbohac@suse.cz, cfsworks@gmail.com, osandov@fb.com,
tangyouling@kylinos.cn, ritesh.list@gmail.com,
eajames@linux.ibm.com, songshuaishuai@tinylab.org,
kevin.brodsky@arm.com, samuel.holland@sifive.com,
vishal.moola@gmail.com, junhui.liu@pigmoral.tech,
coxu@redhat.com, liaoyuanhong@vivo.com,
fuqiang.wang@easystack.cn, x86@kernel.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, loongarch@lists.linux.dev,
linuxppc-dev@lists.ozlabs.org, linux-riscv@lists.infradead.org,
devicetree@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [PATCH v9 0/5] arm64/riscv: Add support for crashkernel CMA reservation
Date: Tue, 24 Mar 2026 09:59:46 +0530 [thread overview]
Message-ID: <595e793d-adc3-4acb-af18-f0a3cf2d5e73@linux.ibm.com> (raw)
In-Reply-To: <4cfde40c-673a-12b0-dfc5-703d582d6ea9@huawei.com>
On 24/03/26 09:32, Jinjie Ruan wrote:
>
> On 2026/3/24 0:55, Andrew Morton wrote:
>> On Mon, 23 Mar 2026 15:27:40 +0800 Jinjie Ruan <ruanjinjie@huawei.com> wrote:
>>
>>> The crash memory allocation, and the exclude of crashk_res, crashk_low_res
>>> and crashk_cma memory are almost identical across different architectures,
>>> This patch set handle them in crash core in a general way, which eliminate
>>> a lot of duplication code.
>>>
>>> And add support for crashkernel CMA reservation for arm64 and riscv.
>> Thanks. AI review has completed and it asks questions:
>> https://sashiko.dev/#/patchset/20260323072745.2481719-1-ruanjinjie@huawei.com
> I believe it identified 4 valid issues:
>
> - The already discovered crashk_low_res not excluded bug in the existing
> RISC-V code.
>
> - An existing memory leak issue in the existing PowerPC code.
Yes and suggested approach to fix the issue looks good.
Which is basically replace return with goto out.
diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c
index 898742a5205c..1426d2099bad 100644
--- a/arch/powerpc/kexec/crash.c
+++ b/arch/powerpc/kexec/crash.c
@@ -440,7 +440,7 @@ static void update_crash_elfcorehdr(struct kimage
*image, struct memory_notify *
ret = get_crash_memory_ranges(&cmem);
if (ret) {
pr_err("Failed to get crash mem range\n");
- return;
+ goto out;
}
/*
Are you planning to handle this in this patch series? Or do you want me
to send a separate fix patch?
>
> - The ordering issue of adding CMA ranges to "linux,usable-memory-range".
>
> - An existing concurrency issue. A Concurrent memory hotplug may occur
> between reading memblock and attempting to fill cmem during kexec_load()
> for almost all existing architectures,I'm not sure if this is a
> practical issue in reality..
>
> Race Condition Scenario
>
> Timeline:
> ---------------------------------------------------------------------
> T1: kexec_load() syscall starts
> T2: kexec_trylock() acquires kexec_lock
> T3: crash_prepare_headers() is called
> T4: arch_get_system_nr_ranges() queries memblock → finds 100 memory ranges
> T5: cmem = alloc_cmem(100) allocates buffer for 100 ranges
> T6: [RACE WINDOW] Another process triggers memory hotplug
> T7: add_memory() → lock_device_hotplug() → memblock_add_node()
> T8: New memory region added to memblock
> T9: arch_crash_populate_cmem() iterates: now finds 102 ranges
> T10: cmem->ranges[100] → OUT OF BOUNDS WRITE!
> T11: cmem->ranges[101] → OUT OF BOUNDS WRITE!
> T12: Kernel crash or memory corruption
>
> Why This Happens
>
> 1. Different locks used:
> - kexec_load() uses kexec_trylock (atomic_t)
> - Memory hotplug uses device_hotplug_lock (mutex)
> 2. No synchronization between these two operations
> 3. Time-of-check to time-of-use (TOCTOU) issue:
> - Step T4-T5: We query the number of ranges and allocate buffer
> - Step T6-T9: Memory hotplug adds new ranges between query and
> population
>
>
>
> Any comments or suggestions on the following approach?
>
>
> int crash_prepare_headers(...)
> {
> unsigned int max_nr_ranges;
> struct crash_mem *cmem;
> int ret;
>
> lock_device_hotplug();
>
> max_nr_ranges = arch_get_system_nr_ranges();
> // ...
> ret = arch_crash_populate_cmem(cmem);
> // ...
>
> unlock_device_hotplug();
> return ret;
> }
>
>
WARNING: multiple messages have this Message-ID (diff)
From: Sourabh Jain <sourabhjain@linux.ibm.com>
To: Jinjie Ruan <ruanjinjie@huawei.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: corbet@lwn.net, skhan@linuxfoundation.org,
catalin.marinas@arm.com, will@kernel.org, chenhuacai@kernel.org,
kernel@xen0n.name, maddy@linux.ibm.com, mpe@ellerman.id.au,
npiggin@gmail.com, chleroy@kernel.org, pjw@kernel.org,
palmer@dabbelt.com, aou@eecs.berkeley.edu, alex@ghiti.fr,
tglx@kernel.org, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, hpa@zytor.com, robh@kernel.org,
saravanak@kernel.org, bhe@redhat.com, vgoyal@redhat.com,
dyoung@redhat.com, rdunlap@infradead.org, peterz@infradead.org,
feng.tang@linux.alibaba.com, pawan.kumar.gupta@linux.intel.com,
dapeng1.mi@linux.intel.com, kees@kernel.org, elver@google.com,
paulmck@kernel.org, lirongqing@baidu.com, safinaskar@gmail.com,
rppt@kernel.org, ardb@kernel.org, leitao@debian.org,
jbohac@suse.cz, cfsworks@gmail.com, osandov@fb.com,
tangyouling@kylinos.cn, ritesh.list@gmail.com,
eajames@linux.ibm.com, songshuaishuai@tinylab.org,
kevin.brodsky@arm.com, samuel.holland@sifive.com,
vishal.moola@gmail.com, junhui.liu@pigmoral.tech,
coxu@redhat.com, liaoyuanhong@vivo.com,
fuqiang.wang@easystack.cn, x86@kernel.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, loongarch@lists.linux.dev,
linuxppc-dev@lists.ozlabs.org, linux-riscv@lists.infradead.org,
devicetree@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [PATCH v9 0/5] arm64/riscv: Add support for crashkernel CMA reservation
Date: Tue, 24 Mar 2026 09:59:46 +0530 [thread overview]
Message-ID: <595e793d-adc3-4acb-af18-f0a3cf2d5e73@linux.ibm.com> (raw)
In-Reply-To: <4cfde40c-673a-12b0-dfc5-703d582d6ea9@huawei.com>
On 24/03/26 09:32, Jinjie Ruan wrote:
>
> On 2026/3/24 0:55, Andrew Morton wrote:
>> On Mon, 23 Mar 2026 15:27:40 +0800 Jinjie Ruan <ruanjinjie@huawei.com> wrote:
>>
>>> The crash memory allocation, and the exclude of crashk_res, crashk_low_res
>>> and crashk_cma memory are almost identical across different architectures,
>>> This patch set handle them in crash core in a general way, which eliminate
>>> a lot of duplication code.
>>>
>>> And add support for crashkernel CMA reservation for arm64 and riscv.
>> Thanks. AI review has completed and it asks questions:
>> https://sashiko.dev/#/patchset/20260323072745.2481719-1-ruanjinjie@huawei.com
> I believe it identified 4 valid issues:
>
> - The already discovered crashk_low_res not excluded bug in the existing
> RISC-V code.
>
> - An existing memory leak issue in the existing PowerPC code.
Yes and suggested approach to fix the issue looks good.
Which is basically replace return with goto out.
diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c
index 898742a5205c..1426d2099bad 100644
--- a/arch/powerpc/kexec/crash.c
+++ b/arch/powerpc/kexec/crash.c
@@ -440,7 +440,7 @@ static void update_crash_elfcorehdr(struct kimage
*image, struct memory_notify *
ret = get_crash_memory_ranges(&cmem);
if (ret) {
pr_err("Failed to get crash mem range\n");
- return;
+ goto out;
}
/*
Are you planning to handle this in this patch series? Or do you want me
to send a separate fix patch?
>
> - The ordering issue of adding CMA ranges to "linux,usable-memory-range".
>
> - An existing concurrency issue. A Concurrent memory hotplug may occur
> between reading memblock and attempting to fill cmem during kexec_load()
> for almost all existing architectures,I'm not sure if this is a
> practical issue in reality..
>
> Race Condition Scenario
>
> Timeline:
> ---------------------------------------------------------------------
> T1: kexec_load() syscall starts
> T2: kexec_trylock() acquires kexec_lock
> T3: crash_prepare_headers() is called
> T4: arch_get_system_nr_ranges() queries memblock → finds 100 memory ranges
> T5: cmem = alloc_cmem(100) allocates buffer for 100 ranges
> T6: [RACE WINDOW] Another process triggers memory hotplug
> T7: add_memory() → lock_device_hotplug() → memblock_add_node()
> T8: New memory region added to memblock
> T9: arch_crash_populate_cmem() iterates: now finds 102 ranges
> T10: cmem->ranges[100] → OUT OF BOUNDS WRITE!
> T11: cmem->ranges[101] → OUT OF BOUNDS WRITE!
> T12: Kernel crash or memory corruption
>
> Why This Happens
>
> 1. Different locks used:
> - kexec_load() uses kexec_trylock (atomic_t)
> - Memory hotplug uses device_hotplug_lock (mutex)
> 2. No synchronization between these two operations
> 3. Time-of-check to time-of-use (TOCTOU) issue:
> - Step T4-T5: We query the number of ranges and allocate buffer
> - Step T6-T9: Memory hotplug adds new ranges between query and
> population
>
>
>
> Any comments or suggestions on the following approach?
>
>
> int crash_prepare_headers(...)
> {
> unsigned int max_nr_ranges;
> struct crash_mem *cmem;
> int ret;
>
> lock_device_hotplug();
>
> max_nr_ranges = arch_get_system_nr_ranges();
> // ...
> ret = arch_crash_populate_cmem(cmem);
> // ...
>
> unlock_device_hotplug();
> return ret;
> }
>
>
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2026-04-02 12:34 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-23 7:27 [PATCH v9 0/5] arm64/riscv: Add support for crashkernel CMA reservation Jinjie Ruan
2026-03-23 7:27 ` Jinjie Ruan
2026-03-23 7:27 ` [PATCH v9 1/5] powerpc/crash: sort crash memory ranges before preparing elfcorehdr Jinjie Ruan
2026-03-23 7:27 ` Jinjie Ruan
2026-03-23 7:27 ` [PATCH v9 2/5] crash: Exclude crash kernel memory in crash core Jinjie Ruan
2026-03-23 7:27 ` Jinjie Ruan
2026-03-23 7:27 ` [PATCH v9 3/5] crash: Use crash_exclude_core_ranges() on powerpc Jinjie Ruan
2026-03-23 7:27 ` Jinjie Ruan
2026-03-23 7:27 ` [PATCH v9 4/5] arm64: kexec: Add support for crashkernel CMA reservation Jinjie Ruan
2026-03-23 7:27 ` Jinjie Ruan
2026-03-23 10:20 ` Breno Leitao
2026-03-23 10:20 ` Breno Leitao
2026-03-23 11:17 ` Jinjie Ruan
2026-03-23 11:17 ` Jinjie Ruan
2026-03-23 16:42 ` Breno Leitao
2026-03-23 16:42 ` Breno Leitao
2026-03-23 7:27 ` [PATCH v9 5/5] riscv: " Jinjie Ruan
2026-03-23 7:27 ` Jinjie Ruan
2026-03-23 16:55 ` [PATCH v9 0/5] arm64/riscv: " Andrew Morton
2026-03-23 16:55 ` Andrew Morton
2026-03-24 4:02 ` Jinjie Ruan
2026-03-24 4:02 ` Jinjie Ruan
2026-03-24 4:29 ` Sourabh Jain [this message]
2026-03-24 4:29 ` Sourabh Jain
2026-03-24 6:14 ` Jinjie Ruan
2026-03-24 6:14 ` Jinjie Ruan
2026-03-24 6:35 ` Askar Safin
2026-03-24 6:35 ` Askar Safin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=595e793d-adc3-4acb-af18-f0a3cf2d5e73@linux.ibm.com \
--to=sourabhjain@linux.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=alex@ghiti.fr \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=bhe@redhat.com \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=cfsworks@gmail.com \
--cc=chenhuacai@kernel.org \
--cc=chleroy@kernel.org \
--cc=corbet@lwn.net \
--cc=coxu@redhat.com \
--cc=dapeng1.mi@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=devicetree@vger.kernel.org \
--cc=dyoung@redhat.com \
--cc=eajames@linux.ibm.com \
--cc=elver@google.com \
--cc=feng.tang@linux.alibaba.com \
--cc=fuqiang.wang@easystack.cn \
--cc=hpa@zytor.com \
--cc=jbohac@suse.cz \
--cc=junhui.liu@pigmoral.tech \
--cc=kees@kernel.org \
--cc=kernel@xen0n.name \
--cc=kevin.brodsky@arm.com \
--cc=kexec@lists.infradead.org \
--cc=leitao@debian.org \
--cc=liaoyuanhong@vivo.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=lirongqing@baidu.com \
--cc=loongarch@lists.linux.dev \
--cc=maddy@linux.ibm.com \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=npiggin@gmail.com \
--cc=osandov@fb.com \
--cc=palmer@dabbelt.com \
--cc=paulmck@kernel.org \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=rdunlap@infradead.org \
--cc=ritesh.list@gmail.com \
--cc=robh@kernel.org \
--cc=rppt@kernel.org \
--cc=ruanjinjie@huawei.com \
--cc=safinaskar@gmail.com \
--cc=samuel.holland@sifive.com \
--cc=saravanak@kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=songshuaishuai@tinylab.org \
--cc=tangyouling@kylinos.cn \
--cc=tglx@kernel.org \
--cc=vgoyal@redhat.com \
--cc=vishal.moola@gmail.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.