linux-arm-kernel.lists.infradead.org archive mirror
 help / color / mirror / Atom feed
From: Baoquan He <bhe@redhat.com>
To: Mark Rutland <mark.rutland@arm.com>,
	Yeoreum Yun <yeoreum.yun@arm.com>,
	Breno Leitao <leitao@debian.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	pjw@kernel.org, catalin.marinas@arm.com, will@kernel.org,
	coxu@redhat.com, linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
Date: Mon, 1 Dec 2025 10:50:47 +0800	[thread overview]
Message-ID: <aS0Ch3hrYPDXomDC@MiWiFi-R3L-srv> (raw)
In-Reply-To: <aSmrUGnZp0UeTp1E@J2N7QTR9R3>

On 11/28/25 at 02:01pm, Mark Rutland wrote:
> On Fri, Nov 28, 2025 at 05:55:05AM -0800, Breno Leitao wrote:
> > 
> > On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> > > On 11/27/25 at 11:37am, Andrew Morton wrote:
> > > > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > > > 
> > > > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > > introduced the kexec_buf->random field to enable random placement of
> > > > > kexec_buf.
> > > > > 
> > > > > However, this field was never properly initialized for kexec images
> > > > > that do not need to be placed randomly, leading to the following UBSAN
> > > > > warning:
> > > > > 
> > > > > [  +0.364528] ------------[ cut here ]------------
> > > > > [  +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > > > [  +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > > > [  +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > > > [  +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > > > [  +0.000000] Call trace:
> > > > > [  +0.000001]  show_stack+0x24/0x40 (C)
> > > > > [  +0.000006]  __dump_stack+0x28/0x48
> > > > > [  +0.000002]  dump_stack_lvl+0x7c/0xb0
> > > > > [  +0.000002]  dump_stack+0x18/0x34
> > > > > [  +0.000001]  ubsan_epilogue+0x10/0x50
> > > > > [  +0.000002]  __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > > > [  +0.000003]  locate_mem_hole_callback+0x28c/0x2a0
> > > > > [  +0.000003]  kexec_locate_mem_hole+0xf4/0x2f0
> > > > > [  +0.000001]  kexec_add_buffer+0xa8/0x178
> > > > > [  +0.000002]  image_load+0xf0/0x258
> > > > > [  +0.000001]  __arm64_sys_kexec_file_load+0x510/0x718
> > > > > [  +0.000002]  invoke_syscall+0x68/0xe8
> > > > > [  +0.000001]  el0_svc_common+0xb0/0xf8
> > > > > [  +0.000002]  do_el0_svc+0x28/0x48
> > > > > [  +0.000001]  el0_svc+0x40/0xe8
> > > > > [  +0.000002]  el0t_64_sync_handler+0x84/0x140
> > > > > [  +0.000002]  el0t_64_sync+0x1bc/0x1c0
> > > > > 
> > > > > To address this, initialise kexec_buf->random field properly.
> > > > > 
> > > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > 
> > > > Thanks, I'll add a cc:stable to this.
> > > 
> > > This has been fixed in below series from Breno Leitao.
> > > 
> > > [PATCH 0/3] kexec: Fix invalid field access
> > > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u
> > 
> > Right, these fixes are on 6.18 since day one.
> > 
> > Yeoreum is hitting another code path that I haven't fixed, it seems
> > (through image_load()).
> > 
> > That said, I think the fix should be similar to commit 04d3cd43700 ("arm64:
> > kexec: initialize kexec_buf struct in load_other_segments()"). I.e:
> > 
> > 	--- a/arch/arm64/kernel/kexec_image.c
> > 	+++ b/arch/arm64/kernel/kexec_image.c
> > 	@@ -41,7 +41,7 @@ static void *image_load(struct kimage *image,
> > 		struct arm64_image_header *h;
> > 		u64 flags, value;
> > 		bool be_image, be_kernel;
> > 	-       struct kexec_buf kbuf;
> > 	+       struct kexec_buf kbuf = {};
> > 		unsigned long text_offset, kernel_segment_number;
> > 		struct kexec_segment *kernel_segment;
> > 		int ret;
> 
> FWIW, I completey agree; your proposal is a much better solution.

Yes, maybe Yeoreum or Breno can post a new version to fix it on arm64.

> 
> From a quick scan, it looks like loongarch also has some more dodgy
> instances:

In the latest mainline kernel, the problem on loongarch has gone.

> 
> | % git grep 'struct kexec_buf\s[a-z_0-9]\+;'
> | arch/arm64/kernel/kexec_image.c:        struct kexec_buf kbuf;
> | arch/loongarch/kernel/kexec_efi.c:      struct kexec_buf kbuf;
> | arch/loongarch/kernel/kexec_elf.c:      struct kexec_buf kbuf;
> | arch/loongarch/kernel/machine_kexec_file.c:     struct kexec_buf kbuf;
> | kernel/kexec_handover.c:        struct kexec_buf scratch;
> 
> The 'scratch' case in kernel/kexec_handover.c gets overwritten with a
> struct assignment that'll happen to zero the 'random' field.
> 
> Mark.
> 



  reply	other threads:[~2025-12-01  2:51 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-27 18:26 [PATCH] arm64: kernel: initialize missing kexec_buf->random field Yeoreum Yun
2025-11-27 19:37 ` Andrew Morton
2025-11-28  0:17   ` Baoquan He
2025-11-28  8:29     ` Yeoreum Yun
2025-11-28 13:55     ` Breno Leitao
2025-11-28 14:01       ` Mark Rutland
2025-12-01  2:50         ` Baoquan He [this message]
2025-12-01  9:53           ` Breno Leitao
2025-12-01 10:36             ` Yeoreum Yun
2025-12-01  9:54           ` Mark Rutland
2025-11-28 18:31       ` Andrew Morton
2025-11-28 12:16 ` Will Deacon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aS0Ch3hrYPDXomDC@MiWiFi-R3L-srv \
    --to=bhe@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=catalin.marinas@arm.com \
    --cc=coxu@redhat.com \
    --cc=leitao@debian.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=pjw@kernel.org \
    --cc=will@kernel.org \
    --cc=yeoreum.yun@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).