From: Breno Leitao <leitao@debian.org>
To: Jinjie Ruan <ruanjinjie@huawei.com>
Cc: corbet@lwn.net, skhan@linuxfoundation.org,
	catalin.marinas@arm.com,  will@kernel.org, chenhuacai@kernel.org,
	kernel@xen0n.name, maddy@linux.ibm.com,  mpe@ellerman.id.au,
	npiggin@gmail.com, chleroy@kernel.org, pjw@kernel.org,
	 palmer@dabbelt.com, aou@eecs.berkeley.edu, alex@ghiti.fr,
	tglx@kernel.org,  mingo@redhat.com, bp@alien8.de,
	dave.hansen@linux.intel.com, hpa@zytor.com,  robh@kernel.org,
	saravanak@kernel.org, akpm@linux-foundation.org, bhe@redhat.com,
	 rppt@kernel.org, pasha.tatashin@soleen.com, pratyush@kernel.org,
	 ruirui.yang@linux.dev, rdunlap@infradead.org, pmladek@suse.com,
	 dapeng1.mi@linux.intel.com, kees@kernel.org, elver@google.com,
	kuba@kernel.org,  ebiggers@kernel.org, lirongqing@baidu.com,
	paulmck@kernel.org,  sourabhjain@linux.ibm.com, coxu@redhat.com,
	jbohac@suse.cz, ryan.roberts@arm.com,  osandov@fb.com,
	cfsworks@gmail.com, tangyouling@kylinos.cn,
	 ritesh.list@gmail.com, adityag@linux.ibm.com, guoren@kernel.org,
	 songshuaishuai@tinylab.org, kevin.brodsky@arm.com,
	vishal.moola@gmail.com,  junhui.liu@pigmoral.tech,
	wangruikang@iscas.ac.cn, namcao@linutronix.de,
	 chao.gao@intel.com, seanjc@google.com,
	fuqiang.wang@easystack.cn, ardb@kernel.org,
	 chenjiahao16@huawei.com, hbathini@linux.ibm.com,
	takahiro.akashi@linaro.org,  james.morse@arm.com,
	lizhengyu3@huawei.com, x86@kernel.org, linux-doc@vger.kernel.org,
	 linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org, loongarch@lists.linux.dev,
	 linuxppc-dev@lists.ozlabs.org, linux-riscv@lists.infradead.org,
	devicetree@vger.kernel.org,  kexec@lists.infradead.org
Subject: Re: [PATCH v13 04/15] arm64: kexec_file: Fix potential buffer overflow in prepare_elf_headers()
Date: Mon, 11 May 2026 05:30:54 -0700
Message-ID: <agHL1zzC5bzgoCiJ@gmail.com>
In-Reply-To: <79c14bee-b1f5-4d70-8345-6582d6cf0128@huawei.com>

On Mon, May 11, 2026 at 07:30:44PM +0800, Jinjie Ruan wrote:
> 
> 
> On 5/11/2026 5:46 PM, Breno Leitao wrote:
> > On Mon, May 11, 2026 at 11:04:43AM +0800, Jinjie Ruan wrote:
> >> There is a race condition between the kexec_load() system call
> >> (crash kernel loading path) and memory hotplug operations that can
> >> lead to buffer overflow and potential kernel crash.
> >>
> >> During prepare_elf_headers(), the following steps occur:
> >> 1. The first for_each_mem_range() queries current System RAM memory ranges
> >> 2. Allocates buffer based on queried count
> >> 3. The 2nd for_each_mem_range() populates ranges from memblock
> >>
> >> If memory hotplug occurs between step 1 and step 3, the number of ranges
> >> can increase, causing out-of-bounds write when populating cmem->ranges[].
> >>
> >> This happens because kexec_load() uses kexec_trylock (atomic_t) while
> >> memory hotplug uses device_hotplug_lock (mutex), so they don't serialize
> >> with each other.
> >>
> >> Add the explicit bounds checking to prevent out-of-bounds access.
> > 
> > It seems you have a TOCTOU type of issue, and this seems to be shrinking
> > the window, but not fully solving it?
> 
> Hi Breno,
> 
> Thanks for your comments regarding the TOCTOU issue.
> 
> You are correct that the current bounds checking only "shrinks the
> window" and prevents a kernel crash, but doesn't fully guarantee header
> consistency if a race occurs.
> 
> In my local environment, this race is extremely difficult to reproduce,
> but it is theoretically possible.
> 
> To address this properly for arm64, I am considering two steps:
> 
> - For this patch: I will change the return value to -EAGAIN and keep the
> bounds check. This ensures that even if a race happens, the kernel
> remains safe (no OOB access), and user-space is notified to retry.
> 
> - Long-term solution: A better way to solve this is to implement ARM64
> CRASH_HOTPLUG support (similar to x86). With crash hotplug, the kernel
> will automatically re-generate the crash headers whenever a memory
> hotplug event occurs. This makes the TOCTOU during the initial
> kexec_load less critical, as any transient inconsistency will be
> immediately corrected by the subsequent hotplug handler.
> 
> Does it make sense to you to use this patch as a safety guard first, and
> then I (or someone else) follow up with the full CRASH_HOTPLUG support
> for arm64 as [1]?

It would be OK for me, but make it explicit that there is a TOCTOU
issue, that depends on CRASH_HOTPLUG.

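An added example, not code from the patch or from either participant, showing the count/allocate/populate shape of prepare_elf_headers() described in the commit message with the bounds-checked populate loop returning -EAGAIN as proposed in the reply; the memblock, the crash_mem layout and the hotplug hook are constructed stand-ins, not the kernel's own.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed stand-in for one System RAM region reported by memblock. */
struct mem_range { unsigned long long start, end; };

/* Hypothetical mutable "memblock" that a hotplug event can append to
 * between the two for_each_mem_range() passes of prepare_elf_headers(). */
struct fake_memblock { struct mem_range r[8]; unsigned int n; };

/* Same shape as the kernel's crash_mem: a fixed-capacity flexible array. */
struct crash_mem { unsigned int max_nr_ranges, nr_ranges; struct mem_range ranges[]; };

/* Simulated memory hotplug: one more region appears (constructed values). */
void hotplug_add_range(struct fake_memblock *mb)
{
	if (mb->n < 8) {
		mb->r[mb->n].start = 0x100000000ULL;
		mb->r[mb->n].end = 0x140000000ULL;
		mb->n++;
	}
}

/* Count, allocate, populate, in the order prepare_elf_headers() does it.
 * 'race', if non-NULL, runs between the two passes so a caller can inject
 * the hotplug event. The populate loop is bounds-checked: when the count
 * grew under us it frees the buffer and returns -EAGAIN for the caller to
 * retry instead of writing past cmem->ranges[]. Caller frees *out. */
int prepare_ranges(struct fake_memblock *mb,
		   void (*race)(struct fake_memblock *), struct crash_mem **out)
{
	unsigned int nr = mb->n;                     /* pass 1: count */
	struct crash_mem *cmem = calloc(1, sizeof(*cmem) + nr * sizeof(struct mem_range));

	if (!cmem)
		return -ENOMEM;
	cmem->max_nr_ranges = nr;
	if (race)
		race(mb);                            /* hotplug lands here */
	for (unsigned int i = 0; i < mb->n; i++) {   /* pass 2: populate */
		if (cmem->nr_ranges >= cmem->max_nr_ranges) {
			free(cmem);
			return -EAGAIN;              /* stale count: retry */
		}
		cmem->ranges[cmem->nr_ranges++] = mb->r[i];
	}
	*out = cmem;
	return 0;
}
```

The check stops the out-of-bounds write but, as the thread notes, a successful return still only reflects the ranges seen at populate time; a later hotplug event needs CRASH_HOTPLUG-style regeneration to keep the headers consistent.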


