From: Pratyush Yadav <ptyadav@amazon.de>
To: Mike Rapoport <rppt@kernel.org>
Cc: <linux-kernel@vger.kernel.org>, Alexander Graf <graf@amazon.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>,
Anthony Yznaga <anthony.yznaga@oracle.com>,
Arnd Bergmann <arnd@arndb.de>,
Ashish Kalra <ashish.kalra@amd.com>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Borislav Petkov <bp@alien8.de>,
Catalin Marinas <catalin.marinas@arm.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
"David Woodhouse" <dwmw2@infradead.org>,
Eric Biederman <ebiederm@xmission.com>,
"Ingo Molnar" <mingo@redhat.com>,
James Gowans <jgowans@amazon.com>,
Jonathan Corbet <corbet@lwn.net>,
Krzysztof Kozlowski <krzk@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Pasha Tatashin <pasha.tatashin@soleen.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <peterz@infradead.org>,
Rob Herring <robh+dt@kernel.org>, Rob Herring <robh@kernel.org>,
Saravana Kannan <saravanak@google.com>,
"Stanislav Kinsburskii" <skinsburskii@linux.microsoft.com>,
Steven Rostedt <rostedt@goodmis.org>,
Thomas Gleixner <tglx@linutronix.de>,
Tom Lendacky <thomas.lendacky@amd.com>,
Usama Arif <usama.arif@bytedance.com>,
Will Deacon <will@kernel.org>, <devicetree@vger.kernel.org>,
<kexec@lists.infradead.org>,
<linux-arm-kernel@lists.infradead.org>,
<linux-doc@vger.kernel.org>, <linux-mm@kvack.org>,
<x86@kernel.org>
Subject: Re: [PATCH v4 06/14] kexec: Add KHO parsing support
Date: Mon, 10 Mar 2025 16:20:01 +0000 [thread overview]
Message-ID: <mafs0zfhs97ta.fsf@amazon.de> (raw)
In-Reply-To: <20250206132754.2596694-7-rppt@kernel.org>
Hi Mike,
On Thu, Feb 06 2025, Mike Rapoport wrote:
[...]
> @@ -444,7 +576,141 @@ static void kho_reserve_scratch(void)
> kho_enable = false;
> }
>
> +/*
> + * Scan the DT for any memory ranges and make sure they are reserved in
> + * memblock, otherwise they will end up in a weird state on free lists.
> + */
> +static void kho_init_reserved_pages(void)
> +{
> + const void *fdt = kho_get_fdt();
> + int offset = 0, depth = 0, initial_depth = 0, len;
> +
> + if (!fdt)
> + return;
> +
> + /* Go through the mem list and add 1 for each reference */
> + for (offset = 0;
> + offset >= 0 && depth >= initial_depth;
> + offset = fdt_next_node(fdt, offset, &depth)) {
> + const struct kho_mem *mems;
> + u32 i;
> +
> + mems = fdt_getprop(fdt, offset, "mem", &len);
> + if (!mems || len & (sizeof(*mems) - 1))
> + continue;
> +
> + for (i = 0; i < len; i += sizeof(*mems)) {
> + const struct kho_mem *mem = &mems[i];
i goes from 0 to len in steps of 16, but you use it to dereference an
array of type struct kho_mem. So you end up only looking at only one of
every 16 mems and do an out of bounds access. I found this when testing
the memfd patches and any time the file was more than 1 page, it started
to crash randomly.
Below patch should fix that:
---- 8< ----
diff --git a/kernel/kexec_handover.c b/kernel/kexec_handover.c
index c26753d613cbc..40d1d8ac68d44 100644
--- a/kernel/kexec_handover.c
+++ b/kernel/kexec_handover.c
@@ -685,13 +685,15 @@ static void kho_init_reserved_pages(void)
offset >= 0 && depth >= initial_depth;
offset = fdt_next_node(fdt, offset, &depth)) {
const struct kho_mem *mems;
- u32 i;
+ u32 i, nr_mems;
mems = fdt_getprop(fdt, offset, "mem", &len);
if (!mems || len & (sizeof(*mems) - 1))
continue;
- for (i = 0; i < len; i += sizeof(*mems)) {
+ nr_mems = len / sizeof(*mems);
+
+ for (i = 0; i < nr_mems; i++) {
const struct kho_mem *mem = &mems[i];
memblock_reserve(mem->addr, mem->size);
---- >8 ----
[...]
--
Regards,
Pratyush Yadav
next prev parent reply other threads:[~2025-03-10 17:50 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-06 13:27 [PATCH v4 00/14] kexec: introduce Kexec HandOver (KHO) Mike Rapoport
2025-02-06 13:27 ` [PATCH v4 01/14] mm/mm_init: rename init_reserved_page to init_deferred_page Mike Rapoport
2025-02-18 14:59 ` Wei Yang
2025-02-19 7:13 ` Mike Rapoport
2025-02-20 8:36 ` Wei Yang
2025-02-20 14:54 ` Mike Rapoport
2025-02-25 7:40 ` Mike Rapoport
2025-02-06 13:27 ` [PATCH v4 02/14] memblock: add MEMBLOCK_RSRV_KERN flag Mike Rapoport
2025-02-18 15:50 ` Wei Yang
2025-02-19 7:24 ` Mike Rapoport
2025-02-23 0:22 ` Wei Yang
2025-03-10 9:51 ` Wei Yang
2025-03-11 5:27 ` Mike Rapoport
2025-03-11 13:41 ` Wei Yang
2025-03-12 5:22 ` Mike Rapoport
2025-02-24 1:31 ` Wei Yang
2025-02-25 7:46 ` Mike Rapoport
2025-02-26 2:09 ` Wei Yang
2025-03-10 7:56 ` Wei Yang
2025-03-10 8:28 ` Mike Rapoport
2025-03-10 9:42 ` Wei Yang
2025-02-26 1:53 ` Changyuan Lyu
2025-03-13 15:41 ` Mike Rapoport
2025-02-06 13:27 ` [PATCH v4 03/14] memblock: Add support for scratch memory Mike Rapoport
2025-02-24 2:50 ` Wei Yang
2025-02-25 7:47 ` Mike Rapoport
2025-02-06 13:27 ` [PATCH v4 04/14] memblock: introduce memmap_init_kho_scratch() Mike Rapoport
2025-02-24 3:02 ` Wei Yang
2025-02-06 13:27 ` [PATCH v4 05/14] kexec: Add Kexec HandOver (KHO) generation helpers Mike Rapoport
2025-02-10 20:22 ` Jason Gunthorpe
2025-02-10 20:58 ` Pasha Tatashin
2025-02-11 12:49 ` Jason Gunthorpe
2025-02-11 16:14 ` Pasha Tatashin
2025-02-11 16:37 ` Jason Gunthorpe
2025-02-12 15:23 ` Jason Gunthorpe
2025-02-12 16:39 ` Mike Rapoport
2025-02-12 17:43 ` Jason Gunthorpe
2025-02-23 18:51 ` Mike Rapoport
2025-02-24 14:28 ` Jason Gunthorpe
2025-02-12 12:29 ` Thomas Weißschuh
2025-02-06 13:27 ` [PATCH v4 06/14] kexec: Add KHO parsing support Mike Rapoport
2025-02-10 20:50 ` Jason Gunthorpe
2025-03-10 16:20 ` Pratyush Yadav [this message]
2025-03-10 17:08 ` Mike Rapoport
2025-02-06 13:27 ` [PATCH v4 07/14] kexec: Add KHO support to kexec file loads Mike Rapoport
2025-02-06 13:27 ` [PATCH v4 08/14] kexec: Add config option for KHO Mike Rapoport
2025-02-06 13:27 ` [PATCH v4 09/14] kexec: Add documentation " Mike Rapoport
2025-02-10 19:26 ` Jason Gunthorpe
2025-02-06 13:27 ` [PATCH v4 10/14] arm64: Add KHO support Mike Rapoport
2025-02-09 10:38 ` Krzysztof Kozlowski
2025-02-06 13:27 ` [PATCH v4 11/14] x86/setup: use memblock_reserve_kern for memory used by kernel Mike Rapoport
2025-02-06 13:27 ` [PATCH v4 12/14] x86: Add KHO support Mike Rapoport
2025-02-24 7:13 ` Wei Yang
2025-02-24 14:36 ` Mike Rapoport
2025-02-25 0:00 ` Wei Yang
2025-02-06 13:27 ` [PATCH v4 13/14] memblock: Add KHO support for reserve_mem Mike Rapoport
2025-02-10 16:03 ` Rob Herring
2025-02-12 16:30 ` Mike Rapoport
2025-02-17 4:04 ` Wei Yang
2025-02-19 7:25 ` Mike Rapoport
2025-02-06 13:27 ` [PATCH v4 14/14] Documentation: KHO: Add memblock bindings Mike Rapoport
2025-02-09 10:29 ` Krzysztof Kozlowski
2025-02-09 15:10 ` Mike Rapoport
2025-02-09 15:23 ` Krzysztof Kozlowski
2025-02-09 20:41 ` Mike Rapoport
2025-02-09 20:49 ` Krzysztof Kozlowski
2025-02-09 20:50 ` Krzysztof Kozlowski
2025-02-10 19:15 ` Jason Gunthorpe
2025-02-10 19:27 ` Krzysztof Kozlowski
2025-02-10 20:20 ` Jason Gunthorpe
2025-02-12 16:00 ` Mike Rapoport
2025-02-07 0:29 ` [PATCH v4 00/14] kexec: introduce Kexec HandOver (KHO) Andrew Morton
2025-02-07 1:28 ` Pasha Tatashin
2025-02-08 1:38 ` Baoquan He
2025-02-08 8:41 ` Mike Rapoport
2025-02-08 11:13 ` Baoquan He
2025-02-09 0:23 ` Pasha Tatashin
2025-02-09 3:07 ` Baoquan He
2025-02-07 8:06 ` Mike Rapoport
2025-02-09 10:33 ` Krzysztof Kozlowski
2025-02-07 4:50 ` Andrew Morton
2025-02-07 8:01 ` Mike Rapoport
2025-02-08 23:39 ` Cong Wang
2025-02-09 0:13 ` Pasha Tatashin
2025-02-09 1:00 ` Cong Wang
2025-02-09 0:51 ` Cong Wang
2025-02-17 3:19 ` RuiRui Yang
2025-02-19 7:32 ` Mike Rapoport
2025-02-19 12:49 ` Dave Young
2025-02-19 13:54 ` Alexander Graf
2025-02-20 1:49 ` Dave Young
2025-02-20 16:43 ` Alexander Gordeev
2025-02-23 17:54 ` Mike Rapoport
2025-02-26 20:08 ` Pratyush Yadav
2025-02-28 20:20 ` Mike Rapoport
2025-02-28 23:04 ` Pratyush Yadav
2025-03-02 9:52 ` Mike Rapoport
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=mafs0zfhs97ta.fsf@amazon.de \
--to=ptyadav@amazon.de \
--cc=akpm@linux-foundation.org \
--cc=anthony.yznaga@oracle.com \
--cc=arnd@arndb.de \
--cc=ashish.kalra@amd.com \
--cc=benh@kernel.crashing.org \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=devicetree@vger.kernel.org \
--cc=dwmw2@infradead.org \
--cc=ebiederm@xmission.com \
--cc=graf@amazon.com \
--cc=hpa@zytor.com \
--cc=jgowans@amazon.com \
--cc=kexec@lists.infradead.org \
--cc=krzk@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=pasha.tatashin@soleen.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=robh+dt@kernel.org \
--cc=robh@kernel.org \
--cc=rostedt@goodmis.org \
--cc=rppt@kernel.org \
--cc=saravanak@google.com \
--cc=skinsburskii@linux.microsoft.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=usama.arif@bytedance.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.