[PATCH v4 0/3] crash: Fix crash memory reserve exceed system memory bug

[PATCH v4 0/3] crash: Fix crash memory reserve exceed system memory bug

[Jinjie Ruan]

On x86_32, arm32 and riscv32, the crash memory reserve may exceed system
memory and display "reserved ok", fix it.

changes in v4:
- Update the warn info to align with parse_crashkernel_mem().
- Rebased on the "ARM: Use generic interface to simplify crashkernel
  reservation" patch.
- Also fix for riscv32.
- Update the commit message.

changes in v3:
- Handle the check in reserve_crashkernel() Baoquan suggested.
- Split x86_32 and arm32.
- Add Suggested-by.
- Drop the wrong fix tag.

changes in v2:
- Also fix for x86_32.
- Update the fix method.
- Peel off the other two patches.
- Update the commit message.

Jinjie Ruan (3):
  x86/kexec: Fix crash memory reserve exceed system memory bug
  ARM: Fix crash memory reserve exceed system memory bug
  riscv: kdump: Fix crash memory reserve exceed system memory bug

 arch/arm/kernel/setup.c | 5 +++++
 arch/riscv/mm/init.c    | 5 +++++
 arch/x86/kernel/setup.c | 5 +++++
 3 files changed, 15 insertions(+)

-- 
2.34.1

[PATCH v4 1/3] x86/kexec: Fix crash memory reserve exceed system memory bug

[Jinjie Ruan]

On x86_32 Qemu machine with 1GB memory, the cmdline "crashkernel=4G" is ok
as below:
	crashkernel reserved: 0x0000000020000000 - 0x0000000120000000 (4096 MB)

The cause is that the crash_size is parsed and printed with "unsigned long
long" data type which is 8 bytes but allocated used with "phys_addr_t"
which is 4 bytes in memblock_phys_alloc_range().

Fix it by checking if the crash_size is greater than system RAM size and
warn out as parse_crashkernel_mem() do it if so as Baoquan suggested.

After this patch, it fails and there is no above confusing reserve
success info.

Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Suggested-by: Baoquan He <bhe@redhat.com>
---
v4:
- Update the warn info to align with parse_crashkernel_mem().
- Update the commit message.
v3:
- Handle the check in arch_reserve_crashkernel() Baoquan suggested.
- Split x86_32 and arm32.
- Add Suggested-by.
- Drop the wrong fix tag.
v2:
- Also fix for x86_32.
- Update the fix method.
- Peel off the other two patches.
- Update the commit message.
---
 arch/x86/kernel/setup.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 5d34cad9b7b1..77b937dbd98c 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -482,6 +482,11 @@ static void __init arch_reserve_crashkernel(void)
 	if (ret)
 		return;
 
+	if (crash_size >= memblock_phys_mem_size()) {
+		pr_warn("Crashkernel: invalid size.");
+		return;
+	}
+
 	if (xen_pv_domain()) {
 		pr_info("Ignoring crashkernel for a Xen PV domain\n");
 		return;
-- 
2.34.1

[PATCH v4 2/3] ARM: Fix crash memory reserve exceed system memory bug

[Jinjie Ruan]

Similar with x86_32, on Qemu vexpress-a9 with 1GB memory, the crash kernel
"crashkernel=4G" is ok as below:
	Reserving 4096MB of memory at 2432MB for crashkernel (System RAM: 1024MB)

The cause is that the crash_size is parsed and printed with "unsigned long
long" data type which is 8 bytes but allocated used with "phys_addr_t"
which is 4 bytes in memblock_phys_alloc_range().

Fix it by checking if the crash_size is greater than system RAM size and
warn out as parse_crashkernel_mem() do it if so as Baoquan suggested.

After this patch, it fails and there is no above confusing reserve
success info.

Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Suggested-by: Baoquan He <bhe@redhat.com>
---
v4:
- Update the warn info to align with parse_crashkernel_mem().
- Rebased on the "ARM: Use generic interface to simplify crashkernel
  reservation" patch.
- Update the commit message.
v3:
- Handle the check in reserve_crashkernel() Baoquan suggested.
- Split x86_32 and arm32.
- Add Suggested-by.
- Drop the wrong fix tag.
v2:
- Also fix for x86_32.
- Update the fix method.
- Peel off the other two patches.
- Update the commit message.
---
 arch/arm/kernel/setup.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
index fc0ada003f6d..aea320dcac41 100644
--- a/arch/arm/kernel/setup.c
+++ b/arch/arm/kernel/setup.c
@@ -1005,6 +1005,11 @@ static void __init arch_reserve_crashkernel(void)
 	if (ret || !crash_size)
 		return;
 
+	if (crash_size >= total_mem) {
+		pr_warn("Crashkernel: invalid size.");
+		return;
+	}
+
 	reserve_crashkernel_generic(boot_command_line, crash_size, crash_base, low_size, high);
 
 	if (arm_has_idmap_alias()) {
-- 
2.34.1

Re: [PATCH v4 2/3] ARM: Fix crash memory reserve exceed system memory bug

[Russell King (Oracle)]

On Mon, Jul 22, 2024 at 11:57:00AM +0800, Jinjie Ruan wrote:
> Similar with x86_32, on Qemu vexpress-a9 with 1GB memory, the crash kernel
> "crashkernel=4G" is ok as below:
> 	Reserving 4096MB of memory at 2432MB for crashkernel (System RAM: 1024MB)
> 
> The cause is that the crash_size is parsed and printed with "unsigned long
> long" data type which is 8 bytes but allocated used with "phys_addr_t"
> which is 4 bytes in memblock_phys_alloc_range().
> 
> Fix it by checking if the crash_size is greater than system RAM size and
> warn out as parse_crashkernel_mem() do it if so as Baoquan suggested.
> 
> After this patch, it fails and there is no above confusing reserve
> success info.
> 
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> Suggested-by: Baoquan He <bhe@redhat.com>

Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>

Thanks!

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

[PATCH v4 3/3] riscv: kdump: Fix crash memory reserve exceed system memory bug

[Jinjie Ruan]

Similar with x86_32, on Riscv32 Qemu "virt" machine with 1GB memory, the
crash kernel "crashkernel=4G" is ok as below:
	crashkernel reserved: 0x00000000bf400000 - 0x00000001bf400000 (4096 MB)

The cause is that the crash_size is parsed and printed with "unsigned long
long" data type which is 8 bytes but allocated used with "phys_addr_t"
which is 4 bytes in memblock_phys_alloc_range().

Fix it by checking if the crash_size is greater than system RAM size and
warn out as parse_crashkernel_mem() do it if so.

After this patch, it fails and there is no above confusing reserve
success info.

Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
 arch/riscv/mm/init.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index bfa2dea95354..5d66a4937fcd 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -1381,6 +1381,11 @@ static void __init arch_reserve_crashkernel(void)
 	if (ret)
 		return;
 
+	if (crash_size >= memblock_phys_mem_size()) {
+		pr_warn("Crashkernel: invalid size.");
+		return;
+	}
+
 	reserve_crashkernel_generic(cmdline, crash_size, crash_base,
 				    low_size, high);
 }
-- 
2.34.1

Re: [PATCH v4 3/3] riscv: kdump: Fix crash memory reserve exceed system memory bug

[Mike Rapoport]

Hi,

On Mon, Jul 22, 2024 at 11:57:01AM +0800, Jinjie Ruan wrote:
> Similar with x86_32, on Riscv32 Qemu "virt" machine with 1GB memory, the
> crash kernel "crashkernel=4G" is ok as below:
> 	crashkernel reserved: 0x00000000bf400000 - 0x00000001bf400000 (4096 MB)
> 
> The cause is that the crash_size is parsed and printed with "unsigned long
> long" data type which is 8 bytes but allocated used with "phys_addr_t"
> which is 4 bytes in memblock_phys_alloc_range().
> 
> Fix it by checking if the crash_size is greater than system RAM size and
> warn out as parse_crashkernel_mem() do it if so.
> 
> After this patch, it fails and there is no above confusing reserve
> success info.
> 
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
>  arch/riscv/mm/init.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
> index bfa2dea95354..5d66a4937fcd 100644
> --- a/arch/riscv/mm/init.c
> +++ b/arch/riscv/mm/init.c
> @@ -1381,6 +1381,11 @@ static void __init arch_reserve_crashkernel(void)
>  	if (ret)
>  		return;
>  
> +	if (crash_size >= memblock_phys_mem_size()) {
> +		pr_warn("Crashkernel: invalid size.");
> +		return;
> +	}
> +

What the point of adding three identical checks right after the call to
parse_crashkernel()?

This check should be there and parse_crashkernel() should return error in
this case.

>  	reserve_crashkernel_generic(cmdline, crash_size, crash_base,
>  				    low_size, high);
>  }
> -- 
> 2.34.1
> 

-- 
Sincerely yours,
Mike.

Re: [PATCH v4 3/3] riscv: kdump: Fix crash memory reserve exceed system memory bug

[Jinjie Ruan]

On 2024/7/22 14:38, Mike Rapoport wrote:
> Hi,
> 
> On Mon, Jul 22, 2024 at 11:57:01AM +0800, Jinjie Ruan wrote:
>> Similar with x86_32, on Riscv32 Qemu "virt" machine with 1GB memory, the
>> crash kernel "crashkernel=4G" is ok as below:
>> 	crashkernel reserved: 0x00000000bf400000 - 0x00000001bf400000 (4096 MB)
>>
>> The cause is that the crash_size is parsed and printed with "unsigned long
>> long" data type which is 8 bytes but allocated used with "phys_addr_t"
>> which is 4 bytes in memblock_phys_alloc_range().
>>
>> Fix it by checking if the crash_size is greater than system RAM size and
>> warn out as parse_crashkernel_mem() do it if so.
>>
>> After this patch, it fails and there is no above confusing reserve
>> success info.
>>
>> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
>> ---
>>  arch/riscv/mm/init.c | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
>> index bfa2dea95354..5d66a4937fcd 100644
>> --- a/arch/riscv/mm/init.c
>> +++ b/arch/riscv/mm/init.c
>> @@ -1381,6 +1381,11 @@ static void __init arch_reserve_crashkernel(void)
>>  	if (ret)
>>  		return;
>>  
>> +	if (crash_size >= memblock_phys_mem_size()) {
>> +		pr_warn("Crashkernel: invalid size.");
>> +		return;
>> +	}
>> +
> 
> What the point of adding three identical checks right after the call to
> parse_crashkernel()?

Maybe you are right, the original version checks in parse_crashkernel
(), but there's a problem.

> 
> This check should be there and parse_crashkernel() should return error in
> this case.

Thank you very much, I'll fix it like this in v5.

> 
>>  	reserve_crashkernel_generic(cmdline, crash_size, crash_base,
>>  				    low_size, high);
>>  }
>> -- 
>> 2.34.1
>>
> 

Re: [PATCH v4 3/3] riscv: kdump: Fix crash memory reserve exceed system memory bug

[Jinjie Ruan]

On 2024/7/22 14:38, Mike Rapoport wrote:
> Hi,
> 
> On Mon, Jul 22, 2024 at 11:57:01AM +0800, Jinjie Ruan wrote:
>> Similar with x86_32, on Riscv32 Qemu "virt" machine with 1GB memory, the
>> crash kernel "crashkernel=4G" is ok as below:
>> 	crashkernel reserved: 0x00000000bf400000 - 0x00000001bf400000 (4096 MB)
>>
>> The cause is that the crash_size is parsed and printed with "unsigned long
>> long" data type which is 8 bytes but allocated used with "phys_addr_t"
>> which is 4 bytes in memblock_phys_alloc_range().
>>
>> Fix it by checking if the crash_size is greater than system RAM size and
>> warn out as parse_crashkernel_mem() do it if so.
>>
>> After this patch, it fails and there is no above confusing reserve
>> success info.
>>
>> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
>> ---
>>  arch/riscv/mm/init.c | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
>> index bfa2dea95354..5d66a4937fcd 100644
>> --- a/arch/riscv/mm/init.c
>> +++ b/arch/riscv/mm/init.c
>> @@ -1381,6 +1381,11 @@ static void __init arch_reserve_crashkernel(void)
>>  	if (ret)
>>  		return;
>>  
>> +	if (crash_size >= memblock_phys_mem_size()) {
>> +		pr_warn("Crashkernel: invalid size.");
>> +		return;
>> +	}
>> +
> 
> What the point of adding three identical checks right after the call to
> parse_crashkernel()?
> 
> This check should be there and parse_crashkernel() should return error in
> this case.

Hi, Mike

How about the folling rough patch?

--- a/kernel/crash_reserve.c
+++ b/kernel/crash_reserve.c
@@ -313,7 +313,7 @@ int __init parse_crashkernel(char *cmdline,
        if (high && ret == -ENOENT) {
                ret = __parse_crashkernel(cmdline, 0, crash_size,
                                crash_base, suffix_tbl[SUFFIX_HIGH]);
-               if (ret || !*crash_size)
+               if (ret || !*crash_size || crash_size >= system_ram)
                        return -EINVAL;

                /*
@@ -332,7 +332,7 @@ int __init parse_crashkernel(char *cmdline,
                *high = true;
        }
 #endif
-       if (!*crash_size)
+       if (!*crash_size || crash_size >= system_ram)
                ret = -EINVAL;


> 
>>  	reserve_crashkernel_generic(cmdline, crash_size, crash_base,
>>  				    low_size, high);
>>  }
>> -- 
>> 2.34.1
>>
> 

Re: [PATCH v4 3/3] riscv: kdump: Fix crash memory reserve exceed system memory bug

[Mike Rapoport]

On Mon, Jul 22, 2024 at 03:08:29PM +0800, Jinjie Ruan wrote:
> 
> 
> On 2024/7/22 14:38, Mike Rapoport wrote:
> > Hi,
> > 
> > On Mon, Jul 22, 2024 at 11:57:01AM +0800, Jinjie Ruan wrote:
> >> Similar with x86_32, on Riscv32 Qemu "virt" machine with 1GB memory, the
> >> crash kernel "crashkernel=4G" is ok as below:
> >> 	crashkernel reserved: 0x00000000bf400000 - 0x00000001bf400000 (4096 MB)
> >>
> >> The cause is that the crash_size is parsed and printed with "unsigned long
> >> long" data type which is 8 bytes but allocated used with "phys_addr_t"
> >> which is 4 bytes in memblock_phys_alloc_range().
> >>
> >> Fix it by checking if the crash_size is greater than system RAM size and
> >> warn out as parse_crashkernel_mem() do it if so.
> >>
> >> After this patch, it fails and there is no above confusing reserve
> >> success info.
> >>
> >> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> >> ---
> >>  arch/riscv/mm/init.c | 5 +++++
> >>  1 file changed, 5 insertions(+)
> >>
> >> diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
> >> index bfa2dea95354..5d66a4937fcd 100644
> >> --- a/arch/riscv/mm/init.c
> >> +++ b/arch/riscv/mm/init.c
> >> @@ -1381,6 +1381,11 @@ static void __init arch_reserve_crashkernel(void)
> >>  	if (ret)
> >>  		return;
> >>  
> >> +	if (crash_size >= memblock_phys_mem_size()) {
> >> +		pr_warn("Crashkernel: invalid size.");
> >> +		return;
> >> +	}
> >> +
> > 
> > What the point of adding three identical checks right after the call to
> > parse_crashkernel()?
> > 
> > This check should be there and parse_crashkernel() should return error in
> > this case.
> 
> Hi, Mike
> 
> How about the folling rough patch?
> 
> --- a/kernel/crash_reserve.c
> +++ b/kernel/crash_reserve.c
> @@ -313,7 +313,7 @@ int __init parse_crashkernel(char *cmdline,
>         if (high && ret == -ENOENT) {
>                 ret = __parse_crashkernel(cmdline, 0, crash_size,
>                                 crash_base, suffix_tbl[SUFFIX_HIGH]);
> -               if (ret || !*crash_size)
> +               if (ret || !*crash_size || crash_size >= system_ram)
>                         return -EINVAL;
> 
>                 /*
> @@ -332,7 +332,7 @@ int __init parse_crashkernel(char *cmdline,
>                 *high = true;
>         }
>  #endif
> -       if (!*crash_size)
> +       if (!*crash_size || crash_size >= system_ram)
>                 ret = -EINVAL;
> 

Why no simply

diff --git a/kernel/crash_reserve.c b/kernel/crash_reserve.c
index 5b2722a93a48..64312709877d 100644
--- a/kernel/crash_reserve.c
+++ b/kernel/crash_reserve.c
@@ -336,6 +336,9 @@ int __init parse_crashkernel(char *cmdline,
 	if (!*crash_size)
 		ret = -EINVAL;
 
+	if (*crash_size >= system_ram)
+		ret = -EINVAL;
+
 	return ret;
 }
 
 
> > 
> >>  	reserve_crashkernel_generic(cmdline, crash_size, crash_base,
> >>  				    low_size, high);
> >>  }
> >> -- 
> >> 2.34.1
> >>
> > 

-- 
Sincerely yours,
Mike.

Re: [PATCH v4 3/3] riscv: kdump: Fix crash memory reserve exceed system memory bug

[Jinjie Ruan]

On 2024/7/22 15:23, Mike Rapoport wrote:
> On Mon, Jul 22, 2024 at 03:08:29PM +0800, Jinjie Ruan wrote:
>>
>>
>> On 2024/7/22 14:38, Mike Rapoport wrote:
>>> Hi,
>>>
>>> On Mon, Jul 22, 2024 at 11:57:01AM +0800, Jinjie Ruan wrote:
>>>> Similar with x86_32, on Riscv32 Qemu "virt" machine with 1GB memory, the
>>>> crash kernel "crashkernel=4G" is ok as below:
>>>> 	crashkernel reserved: 0x00000000bf400000 - 0x00000001bf400000 (4096 MB)
>>>>
>>>> The cause is that the crash_size is parsed and printed with "unsigned long
>>>> long" data type which is 8 bytes but allocated used with "phys_addr_t"
>>>> which is 4 bytes in memblock_phys_alloc_range().
>>>>
>>>> Fix it by checking if the crash_size is greater than system RAM size and
>>>> warn out as parse_crashkernel_mem() do it if so.
>>>>
>>>> After this patch, it fails and there is no above confusing reserve
>>>> success info.
>>>>
>>>> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
>>>> ---
>>>>  arch/riscv/mm/init.c | 5 +++++
>>>>  1 file changed, 5 insertions(+)
>>>>
>>>> diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
>>>> index bfa2dea95354..5d66a4937fcd 100644
>>>> --- a/arch/riscv/mm/init.c
>>>> +++ b/arch/riscv/mm/init.c
>>>> @@ -1381,6 +1381,11 @@ static void __init arch_reserve_crashkernel(void)
>>>>  	if (ret)
>>>>  		return;
>>>>  
>>>> +	if (crash_size >= memblock_phys_mem_size()) {
>>>> +		pr_warn("Crashkernel: invalid size.");
>>>> +		return;
>>>> +	}
>>>> +
>>>
>>> What the point of adding three identical checks right after the call to
>>> parse_crashkernel()?
>>>
>>> This check should be there and parse_crashkernel() should return error in
>>> this case.
>>
>> Hi, Mike
>>
>> How about the folling rough patch?
>>
>> --- a/kernel/crash_reserve.c
>> +++ b/kernel/crash_reserve.c
>> @@ -313,7 +313,7 @@ int __init parse_crashkernel(char *cmdline,
>>         if (high && ret == -ENOENT) {
>>                 ret = __parse_crashkernel(cmdline, 0, crash_size,
>>                                 crash_base, suffix_tbl[SUFFIX_HIGH]);
>> -               if (ret || !*crash_size)
>> +               if (ret || !*crash_size || crash_size >= system_ram)
>>                         return -EINVAL;
>>
>>                 /*
>> @@ -332,7 +332,7 @@ int __init parse_crashkernel(char *cmdline,
>>                 *high = true;
>>         }
>>  #endif
>> -       if (!*crash_size)
>> +       if (!*crash_size || crash_size >= system_ram)
>>                 ret = -EINVAL;
>>
> 
> Why no simply
> 
> diff --git a/kernel/crash_reserve.c b/kernel/crash_reserve.c
> index 5b2722a93a48..64312709877d 100644
> --- a/kernel/crash_reserve.c
> +++ b/kernel/crash_reserve.c
> @@ -336,6 +336,9 @@ int __init parse_crashkernel(char *cmdline,
>  	if (!*crash_size)
>  		ret = -EINVAL;
>  
> +	if (*crash_size >= system_ram)
> +		ret = -EINVAL;
> +
>  	return ret;

This is good, thank you!

>  }
>  
>  
>>>
>>>>  	reserve_crashkernel_generic(cmdline, crash_size, crash_base,
>>>>  				    low_size, high);
>>>>  }
>>>> -- 
>>>> 2.34.1
>>>>
>>>
>