All of lore.kernel.org
 help / color / mirror / Atom feed
From: Baoquan He <bhe@redhat.com>
To: Mark Rutland <mark.rutland@arm.com>,
	Yeoreum Yun <yeoreum.yun@arm.com>,
	Breno Leitao <leitao@debian.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	pjw@kernel.org, catalin.marinas@arm.com, will@kernel.org,
	coxu@redhat.com, linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
Date: Mon, 1 Dec 2025 10:50:47 +0800	[thread overview]
Message-ID: <aS0Ch3hrYPDXomDC@MiWiFi-R3L-srv> (raw)
In-Reply-To: <aSmrUGnZp0UeTp1E@J2N7QTR9R3>

On 11/28/25 at 02:01pm, Mark Rutland wrote:
> On Fri, Nov 28, 2025 at 05:55:05AM -0800, Breno Leitao wrote:
> > 
> > On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> > > On 11/27/25 at 11:37am, Andrew Morton wrote:
> > > > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > > > 
> > > > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > > introduced the kexec_buf->random field to enable random placement of
> > > > > kexec_buf.
> > > > > 
> > > > > However, this field was never properly initialized for kexec images
> > > > > that do not need to be placed randomly, leading to the following UBSAN
> > > > > warning:
> > > > > 
> > > > > [  +0.364528] ------------[ cut here ]------------
> > > > > [  +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > > > [  +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > > > [  +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > > > [  +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > > > [  +0.000000] Call trace:
> > > > > [  +0.000001]  show_stack+0x24/0x40 (C)
> > > > > [  +0.000006]  __dump_stack+0x28/0x48
> > > > > [  +0.000002]  dump_stack_lvl+0x7c/0xb0
> > > > > [  +0.000002]  dump_stack+0x18/0x34
> > > > > [  +0.000001]  ubsan_epilogue+0x10/0x50
> > > > > [  +0.000002]  __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > > > [  +0.000003]  locate_mem_hole_callback+0x28c/0x2a0
> > > > > [  +0.000003]  kexec_locate_mem_hole+0xf4/0x2f0
> > > > > [  +0.000001]  kexec_add_buffer+0xa8/0x178
> > > > > [  +0.000002]  image_load+0xf0/0x258
> > > > > [  +0.000001]  __arm64_sys_kexec_file_load+0x510/0x718
> > > > > [  +0.000002]  invoke_syscall+0x68/0xe8
> > > > > [  +0.000001]  el0_svc_common+0xb0/0xf8
> > > > > [  +0.000002]  do_el0_svc+0x28/0x48
> > > > > [  +0.000001]  el0_svc+0x40/0xe8
> > > > > [  +0.000002]  el0t_64_sync_handler+0x84/0x140
> > > > > [  +0.000002]  el0t_64_sync+0x1bc/0x1c0
> > > > > 
> > > > > To address this, initialise kexec_buf->random field properly.
> > > > > 
> > > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > 
> > > > Thanks, I'll add a cc:stable to this.
> > > 
> > > This has been fixed in below series from Breno Leitao.
> > > 
> > > [PATCH 0/3] kexec: Fix invalid field access
> > > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u
> > 
> > Right, these fixes are on 6.18 since day one.
> > 
> > Yeoreum is hitting another code path that I haven't fixed, it seems
> > (through image_load()).
> > 
> > That said, I think the fix should be similar to commit 04d3cd43700 ("arm64:
> > kexec: initialize kexec_buf struct in load_other_segments()"). I.e:
> > 
> > 	--- a/arch/arm64/kernel/kexec_image.c
> > 	+++ b/arch/arm64/kernel/kexec_image.c
> > 	@@ -41,7 +41,7 @@ static void *image_load(struct kimage *image,
> > 		struct arm64_image_header *h;
> > 		u64 flags, value;
> > 		bool be_image, be_kernel;
> > 	-       struct kexec_buf kbuf;
> > 	+       struct kexec_buf kbuf = {};
> > 		unsigned long text_offset, kernel_segment_number;
> > 		struct kexec_segment *kernel_segment;
> > 		int ret;
> 
> FWIW, I completey agree; your proposal is a much better solution.

Yes, maybe Yeoreum or Breno can post a new version to fix it on arm64.

> 
> From a quick scan, it looks like loongarch also has some more dodgy
> instances:

In the latest mainline kernel, the problem on loongarch has gone.

> 
> | % git grep 'struct kexec_buf\s[a-z_0-9]\+;'
> | arch/arm64/kernel/kexec_image.c:        struct kexec_buf kbuf;
> | arch/loongarch/kernel/kexec_efi.c:      struct kexec_buf kbuf;
> | arch/loongarch/kernel/kexec_elf.c:      struct kexec_buf kbuf;
> | arch/loongarch/kernel/machine_kexec_file.c:     struct kexec_buf kbuf;
> | kernel/kexec_handover.c:        struct kexec_buf scratch;
> 
> The 'scratch' case in kernel/kexec_handover.c gets overwritten with a
> struct assignment that'll happen to zero the 'random' field.
> 
> Mark.
> 



  reply	other threads:[~2025-12-01  2:51 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-27 18:26 [PATCH] arm64: kernel: initialize missing kexec_buf->random field Yeoreum Yun
2025-11-27 19:37 ` Andrew Morton
2025-11-28  0:17   ` Baoquan He
2025-11-28  8:29     ` Yeoreum Yun
2025-11-28 13:55     ` Breno Leitao
2025-11-28 14:01       ` Mark Rutland
2025-12-01  2:50         ` Baoquan He [this message]
2025-12-01  9:53           ` Breno Leitao
2025-12-01 10:36             ` Yeoreum Yun
2025-12-01  9:54           ` Mark Rutland
2025-11-28 18:31       ` Andrew Morton
2025-11-28 12:16 ` Will Deacon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aS0Ch3hrYPDXomDC@MiWiFi-R3L-srv \
    --to=bhe@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=catalin.marinas@arm.com \
    --cc=coxu@redhat.com \
    --cc=leitao@debian.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=pjw@kernel.org \
    --cc=will@kernel.org \
    --cc=yeoreum.yun@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.