* [PATCH] arm64: kernel: initialize missing kexec_buf->random field
@ 2025-11-27 18:26 Yeoreum Yun
2025-11-27 19:37 ` Andrew Morton
2025-11-28 12:16 ` Will Deacon
0 siblings, 2 replies; 12+ messages in thread
From: Yeoreum Yun @ 2025-11-27 18:26 UTC (permalink / raw)
To: catalin.marinas, will, akpm, bhe, leitao, coxu
Cc: linux-arm-kernel, linux-kernel, Yeoreum Yun
Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
introduced the kexec_buf->random field to enable random placement of
kexec_buf.
However, this field was never properly initialized for kexec images
that do not need to be placed randomly, leading to the following UBSAN
warning:
[ +0.364528] ------------[ cut here ]------------
[ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
[ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
[ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
[ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
[ +0.000000] Call trace:
[ +0.000001] show_stack+0x24/0x40 (C)
[ +0.000006] __dump_stack+0x28/0x48
[ +0.000002] dump_stack_lvl+0x7c/0xb0
[ +0.000002] dump_stack+0x18/0x34
[ +0.000001] ubsan_epilogue+0x10/0x50
[ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
[ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
[ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
[ +0.000001] kexec_add_buffer+0xa8/0x178
[ +0.000002] image_load+0xf0/0x258
[ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
[ +0.000002] invoke_syscall+0x68/0xe8
[ +0.000001] el0_svc_common+0xb0/0xf8
[ +0.000002] do_el0_svc+0x28/0x48
[ +0.000001] el0_svc+0x40/0xe8
[ +0.000002] el0t_64_sync_handler+0x84/0x140
[ +0.000002] el0t_64_sync+0x1bc/0x1c0
To address this, initialise kexec_buf->random field properly.
Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
---
arch/arm64/kernel/kexec_image.c | 3 +++
arch/arm64/kernel/machine_kexec_file.c | 6 +++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 532d72ea42ee..db6fb8c599a1 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -76,6 +76,9 @@ static void *image_load(struct kimage *image,
kbuf.buf_min = 0;
kbuf.buf_max = ULONG_MAX;
kbuf.top_down = false;
+#ifdef CONFIG_CRASH_DUMP
+ kbuf.random = false;
+#endif
kbuf.buffer = kernel;
kbuf.bufsz = kernel_len;
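Review bot: the `kbuf.random = false;` added under `#ifdef CONFIG_CRASH_DUMP` in this hunk patches one member rather than the root cause, which is that `kbuf` is declared without an initializer in image_load() (the `struct kexec_buf kbuf;` line shown in the alternative proposed later in this thread). Every member the function does not assign holds stale stack contents, and the `#ifdef` copies the config dependency of the field's declaration in include/linux/kexec.h into arch code, where it will drift the next time that guard or the struct changes. Zero-initialising at the declaration, `struct kexec_buf kbuf = {};`, covers `random` and any member added later with no guard at all, and matches the existing declaration in load_other_segments() that the next hunk touches; the three lines added here can then go.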
diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 410060ebd86d..06f38866424a 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -94,7 +94,11 @@ int load_other_segments(struct kimage *image,
char *initrd, unsigned long initrd_len,
char *cmdline)
{
- struct kexec_buf kbuf = {};
+ struct kexec_buf kbuf = {
+#ifdef CONFIG_CRASH_DUMP
+ .random = false,
+#endif
+ };
void *dtb = NULL;
unsigned long initrd_load_addr = 0, dtb_len,
orig_segments = image->nr_segments;
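Review bot: this hunk changes nothing and should be dropped. `struct kexec_buf kbuf = {};` already zero-initialises every member, so `random` is already false whenever CONFIG_CRASH_DUMP makes the field exist; spelling out `.random = false` under an `#ifdef` produces the same object and only introduces a config guard for readers to keep in sync with include/linux/kexec.h. The unchanged `= {}` form here is the pattern the kexec_image.c hunk should adopt instead.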
--
LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-11-27 18:26 [PATCH] arm64: kernel: initialize missing kexec_buf->random field Yeoreum Yun
@ 2025-11-27 19:37 ` Andrew Morton
2025-11-28 0:17 ` Baoquan He
2025-11-28 12:16 ` Will Deacon
1 sibling, 1 reply; 12+ messages in thread
From: Andrew Morton @ 2025-11-27 19:37 UTC (permalink / raw)
To: Yeoreum Yun
Cc: catalin.marinas, will, bhe, leitao, coxu, linux-arm-kernel, linux-kernel
On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> introduced the kexec_buf->random field to enable random placement of
> kexec_buf.
>
> However, this field was never properly initialized for kexec images
> that do not need to be placed randomly, leading to the following UBSAN
> warning:
>
> [ +0.364528] ------------[ cut here ]------------
> [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> [ +0.000000] Call trace:
> [ +0.000001] show_stack+0x24/0x40 (C)
> [ +0.000006] __dump_stack+0x28/0x48
> [ +0.000002] dump_stack_lvl+0x7c/0xb0
> [ +0.000002] dump_stack+0x18/0x34
> [ +0.000001] ubsan_epilogue+0x10/0x50
> [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> [ +0.000001] kexec_add_buffer+0xa8/0x178
> [ +0.000002] image_load+0xf0/0x258
> [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> [ +0.000002] invoke_syscall+0x68/0xe8
> [ +0.000001] el0_svc_common+0xb0/0xf8
> [ +0.000002] do_el0_svc+0x28/0x48
> [ +0.000001] el0_svc+0x40/0xe8
> [ +0.000002] el0t_64_sync_handler+0x84/0x140
> [ +0.000002] el0t_64_sync+0x1bc/0x1c0
>
> To address this, initialise kexec_buf->random field properly.
>
> Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")

Thanks, I'll add a cc:stable to this.

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-11-27 19:37 ` Andrew Morton
@ 2025-11-28 0:17 ` Baoquan He
2025-11-28 8:29 ` Yeoreum Yun
2025-11-28 13:55 ` Breno Leitao
0 siblings, 2 replies; 12+ messages in thread
From: Baoquan He @ 2025-11-28 0:17 UTC (permalink / raw)
To: Andrew Morton, pjw, leitao
Cc: Yeoreum Yun, catalin.marinas, will, leitao, coxu, linux-arm-kernel, linux-kernel
On 11/27/25 at 11:37am, Andrew Morton wrote:
> On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
>
> > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > introduced the kexec_buf->random field to enable random placement of
> > kexec_buf.
> >
> > However, this field was never properly initialized for kexec images
> > that do not need to be placed randomly, leading to the following UBSAN
> > warning:
> >
> > [ +0.364528] ------------[ cut here ]------------
> > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > [ +0.000000] Call trace:
> > [ +0.000001] show_stack+0x24/0x40 (C)
> > [ +0.000006] __dump_stack+0x28/0x48
> > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > [ +0.000002] dump_stack+0x18/0x34
> > [ +0.000001] ubsan_epilogue+0x10/0x50
> > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > [ +0.000002] image_load+0xf0/0x258
> > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > [ +0.000002] invoke_syscall+0x68/0xe8
> > [ +0.000001] el0_svc_common+0xb0/0xf8
> > [ +0.000002] do_el0_svc+0x28/0x48
> > [ +0.000001] el0_svc+0x40/0xe8
> > [ +0.000002] el0t_64_sync_handler+0x84/0x140
> > [ +0.000002] el0t_64_sync+0x1bc/0x1c0
> >
> > To address this, initialise kexec_buf->random field properly.
> >
> > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
>
> Thanks, I'll add a cc:stable to this.

This has been fixed in the series below from Breno Leitao.

[PATCH 0/3] kexec: Fix invalid field access
https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u

And Paul Walmsley said he has merged the series to riscv/linux.git. But I can only see the patch for RISC-V; the other two are missing.

95c54cd9c769 riscv: kexec: Initialize kexec_buf struct

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-11-28 0:17 ` Baoquan He
@ 2025-11-28 8:29 ` Yeoreum Yun
2025-11-28 13:55 ` Breno Leitao
1 sibling, 0 replies; 12+ messages in thread
From: Yeoreum Yun @ 2025-11-28 8:29 UTC (permalink / raw)
To: Baoquan He
Cc: Andrew Morton, pjw, leitao, catalin.marinas, will, coxu, linux-arm-kernel, linux-kernel
Hi Baoquan,

[...]

> This has been fixed in below series from Breno Leitao.
>
> [PATCH 0/3] kexec: Fix invalid field access
> https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u
>
> And Paul Walmsley said he has merged the series to riscv/linux.git.
> While I can only see the patch for risc-v. The other two are missing.
>
> 95c54cd9c769 riscv: kexec: Initialize kexec_buf struct

Thanks for letting me know. I missed that patchset :)

--
Sincerely,
Yeoreum Yun

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-11-28 0:17 ` Baoquan He
2025-11-28 8:29 ` Yeoreum Yun
@ 2025-11-28 13:55 ` Breno Leitao
2025-11-28 14:01 ` Mark Rutland
2025-11-28 18:31 ` Andrew Morton
1 sibling, 2 replies; 12+ messages in thread
From: Breno Leitao @ 2025-11-28 13:55 UTC (permalink / raw)
To: Baoquan He
Cc: Andrew Morton, pjw, Yeoreum Yun, catalin.marinas, will, coxu, linux-arm-kernel, linux-kernel
On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> On 11/27/25 at 11:37am, Andrew Morton wrote:
> > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> >
> > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > introduced the kexec_buf->random field to enable random placement of
> > > kexec_buf.
> > >
> > > However, this field was never properly initialized for kexec images
> > > that do not need to be placed randomly, leading to the following UBSAN
> > > warning:
> > >
> > > [ +0.364528] ------------[ cut here ]------------
> > > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > [ +0.000000] Call trace:
> > > [ +0.000001] show_stack+0x24/0x40 (C)
> > > [ +0.000006] __dump_stack+0x28/0x48
> > > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > > [ +0.000002] dump_stack+0x18/0x34
> > > [ +0.000001] ubsan_epilogue+0x10/0x50
> > > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > > [ +0.000002] image_load+0xf0/0x258
> > > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > > [ +0.000002] invoke_syscall+0x68/0xe8
> > > [ +0.000001] el0_svc_common+0xb0/0xf8
> > > [ +0.000002] do_el0_svc+0x28/0x48
> > > [ +0.000001] el0_svc+0x40/0xe8
> > > [ +0.000002] el0t_64_sync_handler+0x84/0x140
> > > [ +0.000002] el0t_64_sync+0x1bc/0x1c0
> > >
> > > To address this, initialise kexec_buf->random field properly.
> > > > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly") > > > > Thanks, I'll add a cc:stable to this. > > This has been fixed in below series from Breno Leitao. > > [PATCH 0/3] kexec: Fix invalid field access > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u Right, these fixes are on 6.18 since day one. Yeoreum is hitting another code path that I haven't fixed, it seems (through image_load()). That said, I think the fix should be similar to commit 04d3cd43700 ("arm64: kexec: initialize kexec_buf struct in load_other_segments()"). I.e: --- a/arch/arm64/kernel/kexec_image.c +++ b/arch/arm64/kernel/kexec_image.c @@ -41,7 +41,7 @@ static void *image_load(struct kimage *image, struct arm64_image_header *h; u64 flags, value; bool be_image, be_kernel; - struct kexec_buf kbuf; + struct kexec_buf kbuf = {}; unsigned long text_offset, kernel_segment_number; struct kexec_segment *kernel_segment; int ret; Thanks for fixing this new instance, --breno ^ permalink raw reply [flat|nested] 12+ messages in thread
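Review bot: agreed with `struct kexec_buf kbuf = {};` at the declaration in image_load(): an empty initializer zero-initialises all members, so `random` starts as false with no `#ifdef CONFIG_CRASH_DUMP`, and the per-member assignments that follow in image_load() (buf_min, buf_max, top_down, buffer, bufsz) are unaffected. For the respin, keep the `Fixes: bf454ec31add` tag and the cc: stable Andrew offered, since this path is hit from plain `kexec_file_load`; and `{}` is the GNU empty-initializer form the kernel already relies on (as in commit 04d3cd43700), so there is no reason to diverge to a `{ 0 }` spelling here.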

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-11-28 13:55 ` Breno Leitao
@ 2025-11-28 14:01 ` Mark Rutland
2025-12-01 2:50 ` Baoquan He
2025-11-28 18:31 ` Andrew Morton
1 sibling, 1 reply; 12+ messages in thread
From: Mark Rutland @ 2025-11-28 14:01 UTC (permalink / raw)
To: Breno Leitao
Cc: Baoquan He, Andrew Morton, pjw, Yeoreum Yun, catalin.marinas, will, coxu, linux-arm-kernel, linux-kernel
On Fri, Nov 28, 2025 at 05:55:05AM -0800, Breno Leitao wrote:
>
> On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> > On 11/27/25 at 11:37am, Andrew Morton wrote:
> > > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > >
> > > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > introduced the kexec_buf->random field to enable random placement of
> > > > kexec_buf.
> > > >
> > > > However, this field was never properly initialized for kexec images
> > > > that do not need to be placed randomly, leading to the following UBSAN
> > > > warning:
> > > >
> > > > [ +0.364528] ------------[ cut here ]------------
> > > > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > > [ +0.000000] Call trace:
> > > > [ +0.000001] show_stack+0x24/0x40 (C)
> > > > [ +0.000006] __dump_stack+0x28/0x48
> > > > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > > > [ +0.000002] dump_stack+0x18/0x34
> > > > [ +0.000001] ubsan_epilogue+0x10/0x50
> > > > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > > > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > > > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > > > [ +0.000002] image_load+0xf0/0x258
> > > > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > > > [ +0.000002] invoke_syscall+0x68/0xe8
> > > > [ +0.000001] el0_svc_common+0xb0/0xf8
> > > > [ +0.000002] do_el0_svc+0x28/0x48
> > > > [ +0.000001] el0_svc+0x40/0xe8
> > > > [ +0.000002]
el0t_64_sync_handler+0x84/0x140 > > > > [ +0.000002] el0t_64_sync+0x1bc/0x1c0 > > > > > > > > To address this, initialise kexec_buf->random field properly. > > > > > > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly") > > > > > > Thanks, I'll add a cc:stable to this. > > > > This has been fixed in below series from Breno Leitao. > > > > [PATCH 0/3] kexec: Fix invalid field access > > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u > > Right, these fixes are on 6.18 since day one. > > Yeoreum is hitting another code path that I haven't fixed, it seems > (through image_load()). > > That said, I think the fix should be similar to commit 04d3cd43700 ("arm64: > kexec: initialize kexec_buf struct in load_other_segments()"). I.e: > > --- a/arch/arm64/kernel/kexec_image.c > +++ b/arch/arm64/kernel/kexec_image.c > @@ -41,7 +41,7 @@ static void *image_load(struct kimage *image, > struct arm64_image_header *h; > u64 flags, value; > bool be_image, be_kernel; > - struct kexec_buf kbuf; > + struct kexec_buf kbuf = {}; > unsigned long text_offset, kernel_segment_number; > struct kexec_segment *kernel_segment; > int ret; FWIW, I completey agree; your proposal is a much better solution. From a quick scan, it looks like loongarch also has some more dodgy instances: | % git grep 'struct kexec_buf\s[a-z_0-9]\+;' | arch/arm64/kernel/kexec_image.c: struct kexec_buf kbuf; | arch/loongarch/kernel/kexec_efi.c: struct kexec_buf kbuf; | arch/loongarch/kernel/kexec_elf.c: struct kexec_buf kbuf; | arch/loongarch/kernel/machine_kexec_file.c: struct kexec_buf kbuf; | kernel/kexec_handover.c: struct kexec_buf scratch; The 'scratch' case in kernel/kexec_handover.c gets overwritten with a struct assignment that'll happen to zero the 'random' field. Mark. ^ permalink raw reply [flat|nested] 12+ messages in thread
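The two observations above, Breno's `struct kexec_buf kbuf = {};` proposal and Mark's note that a whole-struct assignment happens to zero `random`, demonstrated on a cut-down stand-in for struct kexec_buf. This is an added example for illustration, not kernel code: the struct below is an assumed subset of the real one, the kernel image is a constructed 64-byte array, and stale stack contents are simulated by filling the object with 0xAA bytes before the member-wise assignments. The checker reads the raw byte of `random` the way `-fsanitize=bool` inspects every load of a bool, accepting only 0 or 1, and compares three scenarios: the unpatched image_load() pattern (uninitialised declaration plus member-wise fill), the proposed `= {}` declaration, and a struct assignment from a fully initialised object (the kexec_handover.c 'scratch' case).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: an assumed subset of struct kexec_buf.
 * 'random' is the member the UBSAN report above loads with value 2. */
struct demo_kexec_buf {
	void *buffer;
	unsigned long bufsz;
	unsigned long buf_min;
	unsigned long buf_max;
	bool top_down;
	bool random;	/* only built under CONFIG_CRASH_DUMP in the real struct */
};

static char kernel_image[64];	/* constructed stand-in for the loaded Image */

/* Simulate stale stack contents deterministically: every byte becomes 0xAA. */
static void poison_stack_slot(struct demo_kexec_buf *kbuf)
{
	memset(kbuf, 0xAA, sizeof(*kbuf));
}

/* The member-wise assignments image_load() performs. With no initializer at
 * the declaration, every member not named here ('random') keeps stack garbage. */
static void fill_memberwise(struct demo_kexec_buf *kbuf, void *kernel,
			    unsigned long kernel_len)
{
	kbuf->buf_min = 0;
	kbuf->buf_max = ~0UL;
	kbuf->top_down = false;
	kbuf->buffer = kernel;
	kbuf->bufsz = kernel_len;
}

/* The fix proposed in the thread: "= {}" zero-initialises every member the
 * initializer does not name, so 'random' is false with no #ifdef needed. */
static struct demo_kexec_buf fill_zero_initialized(void *kernel,
						   unsigned long kernel_len)
{
	struct demo_kexec_buf kbuf = {};

	fill_memberwise(&kbuf, kernel, kernel_len);
	return kbuf;
}

/* What -fsanitize=bool checks on each bool load: the byte must be 0 or 1.
 * memcpy the byte out so the check itself is not the invalid bool load. */
static unsigned char random_raw_byte(const struct demo_kexec_buf *kbuf)
{
	unsigned char raw;

	memcpy(&raw, &kbuf->random, sizeof(raw));
	return raw;
}

static int random_is_valid_bool(const struct demo_kexec_buf *kbuf)
{
	unsigned char raw = random_raw_byte(kbuf);

	return raw == 0 || raw == 1;
}

/* Scenario 1: uninitialised declaration plus member-wise fill (the bug). */
static unsigned char memberwise_random_byte(void)
{
	struct demo_kexec_buf kbuf;

	poison_stack_slot(&kbuf);
	fill_memberwise(&kbuf, kernel_image, sizeof(kernel_image));
	return random_raw_byte(&kbuf);
}

/* Scenario 2: "struct kexec_buf kbuf = {};" as proposed in the thread. */
static int zero_init_random_valid(void)
{
	struct demo_kexec_buf kbuf =
		fill_zero_initialized(kernel_image, sizeof(kernel_image));

	return random_is_valid_bool(&kbuf);
}

/* Scenario 3: an uninitialised object overwritten by whole-struct assignment
 * (the kexec_handover.c 'scratch' case): the copy brings 'random' with it. */
static int struct_assignment_random_valid(void)
{
	struct demo_kexec_buf scratch;

	poison_stack_slot(&scratch);
	scratch = fill_zero_initialized(kernel_image, sizeof(kernel_image));
	return random_is_valid_bool(&scratch);
}

int main(void)
{
	printf("member-wise fill: random byte 0x%02x\n", memberwise_random_byte());
	printf("= {} declaration: valid bool %d\n", zero_init_random_valid());
	printf("struct assignment: valid bool %d\n", struct_assignment_random_valid());
	return 0;
}
```

Scenario 1 leaves the 0xAA poison in `random`, which is exactly the kind of non-0/1 byte UBSAN reported from locate_mem_hole_callback(); scenarios 2 and 3 both end with a valid bool without ever naming the field, which is why a single `= {}` at the declaration is the robust fix and why the kexec_handover.c case needs none. Compiling with `-fsanitize=bool` and reading `kbuf.random` directly instead of through memcpy reproduces an invalid-load report from the member-wise scenario.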

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-11-28 14:01 ` Mark Rutland
@ 2025-12-01 2:50 ` Baoquan He
2025-12-01 9:53 ` Breno Leitao
2025-12-01 9:54 ` Mark Rutland
0 siblings, 2 replies; 12+ messages in thread
From: Baoquan He @ 2025-12-01 2:50 UTC (permalink / raw)
To: Mark Rutland, Yeoreum Yun, Breno Leitao
Cc: Andrew Morton, pjw, catalin.marinas, will, coxu, linux-arm-kernel, linux-kernel
On 11/28/25 at 02:01pm, Mark Rutland wrote:
> On Fri, Nov 28, 2025 at 05:55:05AM -0800, Breno Leitao wrote:
> >
> > On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> > > On 11/27/25 at 11:37am, Andrew Morton wrote:
> > > > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > > >
> > > > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > > introduced the kexec_buf->random field to enable random placement of
> > > > > kexec_buf.
> > > > >
> > > > > However, this field was never properly initialized for kexec images
> > > > > that do not need to be placed randomly, leading to the following UBSAN
> > > > > warning:
> > > > >
> > > > > [ +0.364528] ------------[ cut here ]------------
> > > > > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > > > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > > > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > > > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > > > [ +0.000000] Call trace:
> > > > > [ +0.000001] show_stack+0x24/0x40 (C)
> > > > > [ +0.000006] __dump_stack+0x28/0x48
> > > > > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > > > > [ +0.000002] dump_stack+0x18/0x34
> > > > > [ +0.000001] ubsan_epilogue+0x10/0x50
> > > > > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > > > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > > > > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > > > > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > > > > [ +0.000002] image_load+0xf0/0x258
> > > > > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > > > > [ +0.000002] invoke_syscall+0x68/0xe8
> > > > > [ +0.000001]
el0_svc_common+0xb0/0xf8 > > > > > [ +0.000002] do_el0_svc+0x28/0x48 > > > > > [ +0.000001] el0_svc+0x40/0xe8 > > > > > [ +0.000002] el0t_64_sync_handler+0x84/0x140 > > > > > [ +0.000002] el0t_64_sync+0x1bc/0x1c0 > > > > > > > > > > To address this, initialise kexec_buf->random field properly. > > > > > > > > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly") > > > > > > > > Thanks, I'll add a cc:stable to this. > > > > > > This has been fixed in below series from Breno Leitao. > > > > > > [PATCH 0/3] kexec: Fix invalid field access > > > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u > > > > Right, these fixes are on 6.18 since day one. > > > > Yeoreum is hitting another code path that I haven't fixed, it seems > > (through image_load()). > > > > That said, I think the fix should be similar to commit 04d3cd43700 ("arm64: > > kexec: initialize kexec_buf struct in load_other_segments()"). I.e: > > > > --- a/arch/arm64/kernel/kexec_image.c > > +++ b/arch/arm64/kernel/kexec_image.c 
> > @@ -41,7 +41,7 @@ static void *image_load(struct kimage *image, > > struct arm64_image_header *h; > > u64 flags, value; > > bool be_image, be_kernel; > > - struct kexec_buf kbuf; > > + struct kexec_buf kbuf = {}; > > unsigned long text_offset, kernel_segment_number; > > struct kexec_segment *kernel_segment; > > int ret; > > FWIW, I completey agree; your proposal is a much better solution. Yes, maybe Yeoreum or Breno can post a new version to fix it on arm64. > > From a quick scan, it looks like loongarch also has some more dodgy > instances: In the latest mainline kernel, the problem on loongarch has gone. > > | % git grep 'struct kexec_buf\s[a-z_0-9]\+;' > | arch/arm64/kernel/kexec_image.c: struct kexec_buf kbuf; > | arch/loongarch/kernel/kexec_efi.c: struct kexec_buf kbuf; > | arch/loongarch/kernel/kexec_elf.c: struct kexec_buf kbuf; > | arch/loongarch/kernel/machine_kexec_file.c: struct kexec_buf kbuf; > | kernel/kexec_handover.c: struct kexec_buf scratch; > > The 'scratch' case in kernel/kexec_handover.c gets overwritten with a > struct assignment that'll happen to zero the 'random' field. > > Mark. > ^ permalink raw reply [flat|nested] 12+ messages in thread

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-12-01 2:50 ` Baoquan He
@ 2025-12-01 9:53 ` Breno Leitao
2025-12-01 10:36 ` Yeoreum Yun
2025-12-01 9:54 ` Mark Rutland
1 sibling, 1 reply; 12+ messages in thread
From: Breno Leitao @ 2025-12-01 9:53 UTC (permalink / raw)
To: yeoreum.yun
Cc: Mark Rutland, Yeoreum Yun, Andrew Morton, pjw, catalin.marinas, will, coxu, linux-arm-kernel, linux-kernel, bhe
On Mon, Dec 01, 2025 at 10:50:47AM +0800, Baoquan He wrote:
> On 11/28/25 at 02:01pm, Mark Rutland wrote:
> > FWIW, I completey agree; your proposal is a much better solution.
>
> Yes, maybe Yeoreum or Breno can post a new version to fix it on arm64.

Yeoreum, would you be ok doing the patch? If you are busy, I can do it.

Thanks
--breno

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-12-01 9:53 ` Breno Leitao
@ 2025-12-01 10:36 ` Yeoreum Yun
0 siblings, 0 replies; 12+ messages in thread
From: Yeoreum Yun @ 2025-12-01 10:36 UTC (permalink / raw)
To: Breno Leitao
Cc: Mark Rutland, Andrew Morton, pjw, catalin.marinas, will, coxu, linux-arm-kernel, linux-kernel, bhe
Hi Breno,

> On Mon, Dec 01, 2025 at 10:50:47AM +0800, Baoquan He wrote:
> > On 11/28/25 at 02:01pm, Mark Rutland wrote:
> > > FWIW, I completey agree; your proposal is a much better solution.
> >
> > Yes, maybe Yeoreum or Breno can post a new version to fix it on arm64.
>
> Yeoreum, would you be ok doing the patch? If you are busy, I can do it.

Sorry for the late answer, and thanks for pointing this out :) I'll quickly send spin 2 following your suggestion.

Thanks!

--
Sincerely,
Yeoreum Yun

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-12-01 2:50 ` Baoquan He
2025-12-01 9:53 ` Breno Leitao
@ 2025-12-01 9:54 ` Mark Rutland
1 sibling, 0 replies; 12+ messages in thread
From: Mark Rutland @ 2025-12-01 9:54 UTC (permalink / raw)
To: Baoquan He, Yeoreum Yun
Cc: Breno Leitao, Andrew Morton, pjw, catalin.marinas, will, coxu, linux-arm-kernel, linux-kernel
On Mon, Dec 01, 2025 at 10:50:47AM +0800, Baoquan He wrote:
> On 11/28/25 at 02:01pm, Mark Rutland wrote:
> > On Fri, Nov 28, 2025 at 05:55:05AM -0800, Breno Leitao wrote:
> > >
> > > On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> > > > On 11/27/25 at 11:37am, Andrew Morton wrote:
> > > > > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > > > >
> > > > > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > > > introduced the kexec_buf->random field to enable random placement of
> > > > > > kexec_buf.
> > > > > >
> > > > > > However, this field was never properly initialized for kexec images
> > > > > > that do not need to be placed randomly, leading to the following UBSAN
> > > > > > warning:
> > > > > >
> > > > > > [ +0.364528] ------------[ cut here ]------------
> > > > > > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > > > > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > > > > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > > > > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > > > > [ +0.000000] Call trace:
> > > > > > [ +0.000001] show_stack+0x24/0x40 (C)
> > > > > > [ +0.000006] __dump_stack+0x28/0x48
> > > > > > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > > > > > [ +0.000002] dump_stack+0x18/0x34
> > > > > > [ +0.000001] ubsan_epilogue+0x10/0x50
> > > > > > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > > > > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > > > > > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > > > > > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > > > > > [ +0.000002] image_load+0xf0/0x258
> > > > > > [ +0.000001]
__arm64_sys_kexec_file_load+0x510/0x718 > > > > > > [ +0.000002] invoke_syscall+0x68/0xe8 > > > > > > [ +0.000001] el0_svc_common+0xb0/0xf8 > > > > > > [ +0.000002] do_el0_svc+0x28/0x48 > > > > > > [ +0.000001] el0_svc+0x40/0xe8 > > > > > > [ +0.000002] el0t_64_sync_handler+0x84/0x140 > > > > > > [ +0.000002] el0t_64_sync+0x1bc/0x1c0 > > > > > > > > > > > > To address this, initialise kexec_buf->random field properly. > > > > > > > > > > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly") > > > > > > > > > > Thanks, I'll add a cc:stable to this. > > > > > > > > This has been fixed in below series from Breno Leitao. > > > > > > > > [PATCH 0/3] kexec: Fix invalid field access > > > > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u > > > > > > Right, these fixes are on 6.18 since day one. > > > > > > Yeoreum is hitting another code path that I haven't fixed, it seems > > > (through image_load()). > > > > > > That said, I think the fix should be similar to commit 04d3cd43700 ("arm64: > > > kexec: initialize kexec_buf struct in load_other_segments()"). I.e: > > > > > > --- a/arch/arm64/kernel/kexec_image.c > > > +++ b/arch/arm64/kernel/kexec_image.c 
> > > @@ -41,7 +41,7 @@ static void *image_load(struct kimage *image, > > > struct arm64_image_header *h; > > > u64 flags, value; > > > bool be_image, be_kernel; > > > - struct kexec_buf kbuf; > > > + struct kexec_buf kbuf = {}; > > > unsigned long text_offset, kernel_segment_number; > > > struct kexec_segment *kernel_segment; > > > int ret; > > > > FWIW, I completey agree; your proposal is a much better solution. > > Yes, maybe Yeoreum or Breno can post a new version to fix it on arm64. Yep; I hope that Yeoreum will spin a v2 to that effect. > > From a quick scan, it looks like loongarch also has some more dodgy > > instances: > > In the latest mainline kernel, the problem on loongarch has gone. Ah, yep, all the loongarch instances were fixed in v6.18-rc6 by commit: df16b8956cae9700 ("LoongArch: kexec: Initialize the kexec_buf structure") Mark. ^ permalink raw reply [flat|nested] 12+ messages in thread

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-11-28 13:55 ` Breno Leitao
2025-11-28 14:01 ` Mark Rutland
@ 2025-11-28 18:31 ` Andrew Morton
1 sibling, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2025-11-28 18:31 UTC (permalink / raw)
To: Breno Leitao
Cc: Baoquan He, pjw, Yeoreum Yun, catalin.marinas, will, coxu, linux-arm-kernel, linux-kernel
On Fri, 28 Nov 2025 05:55:05 -0800 Breno Leitao <leitao@debian.org> wrote:
>
> On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> > On 11/27/25 at 11:37am, Andrew Morton wrote:
> > > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > >
> > > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > introduced the kexec_buf->random field to enable random placement of
> > > > kexec_buf.
> > > >
> > > > However, this field was never properly initialized for kexec images
> > > > that do not need to be placed randomly, leading to the following UBSAN
> > > > warning:
> > > >
> > > > [ +0.364528] ------------[ cut here ]------------
> > > > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > > [ +0.000000] Call trace:
> > > > [ +0.000001] show_stack+0x24/0x40 (C)
> > > > [ +0.000006] __dump_stack+0x28/0x48
> > > > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > > > [ +0.000002] dump_stack+0x18/0x34
> > > > [ +0.000001] ubsan_epilogue+0x10/0x50
> > > > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > > > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > > > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > > > [ +0.000002] image_load+0xf0/0x258
> > > > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > > > [ +0.000002] invoke_syscall+0x68/0xe8
> > > > [ +0.000001] el0_svc_common+0xb0/0xf8
> > > > [ +0.000002] do_el0_svc+0x28/0x48
> > > > [ +0.000001] el0_svc+0x40/0xe8
> > > > [ +0.000002]
el0t_64_sync_handler+0x84/0x140 > > > > [ +0.000002] el0t_64_sync+0x1bc/0x1c0 > > > > > > > > To address this, initialise kexec_buf->random field properly. > > > > > > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly") > > > > > > Thanks, I'll add a cc:stable to this. > > > > This has been fixed in below series from Breno Leitao. > > > > [PATCH 0/3] kexec: Fix invalid field access > > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u > > Right, these fixes are on 6.18 since day one. > > Yeoreum is hitting another code path that I haven't fixed, it seems > (through image_load()). > > That said, I think the fix should be similar to commit 04d3cd43700 ("arm64: > kexec: initialize kexec_buf struct in load_other_segments()"). I.e: > > --- a/arch/arm64/kernel/kexec_image.c > +++ b/arch/arm64/kernel/kexec_image.c > @@ -41,7 +41,7 @@ static void *image_load(struct kimage *image, > struct arm64_image_header *h; > u64 flags, value; > bool be_image, be_kernel; > - struct kexec_buf kbuf; > + struct kexec_buf kbuf = {}; > unsigned long text_offset, kernel_segment_number; > struct kexec_segment *kernel_segment; > int ret; > OK, I'll drop this patch, "arm64: kernel: initialize missing kexec_buf->random field". ^ permalink raw reply [flat|nested] 12+ messages in thread

* Re: [PATCH] arm64: kernel: initialize missing kexec_buf->random field
2025-11-27 18:26 [PATCH] arm64: kernel: initialize missing kexec_buf->random field Yeoreum Yun
2025-11-27 19:37 ` Andrew Morton
@ 2025-11-28 12:16 ` Will Deacon
1 sibling, 0 replies; 12+ messages in thread
From: Will Deacon @ 2025-11-28 12:16 UTC (permalink / raw)
To: Yeoreum Yun
Cc: catalin.marinas, akpm, bhe, leitao, coxu, linux-arm-kernel, linux-kernel
On Thu, Nov 27, 2025 at 06:26:44PM +0000, Yeoreum Yun wrote:
> Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> introduced the kexec_buf->random field to enable random placement of
> kexec_buf.
>
> However, this field was never properly initialized for kexec images
> that do not need to be placed randomly, leading to the following UBSAN
> warning:
>
> [ +0.364528] ------------[ cut here ]------------
> [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> [ +0.000000] Call trace:
> [ +0.000001] show_stack+0x24/0x40 (C)
> [ +0.000006] __dump_stack+0x28/0x48
> [ +0.000002] dump_stack_lvl+0x7c/0xb0
> [ +0.000002] dump_stack+0x18/0x34
> [ +0.000001] ubsan_epilogue+0x10/0x50
> [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> [ +0.000001] kexec_add_buffer+0xa8/0x178
> [ +0.000002] image_load+0xf0/0x258
> [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> [ +0.000002] invoke_syscall+0x68/0xe8
> [ +0.000001] el0_svc_common+0xb0/0xf8
> [ +0.000002] do_el0_svc+0x28/0x48
> [ +0.000001] el0_svc+0x40/0xe8
> [ +0.000002] el0t_64_sync_handler+0x84/0x140
> [ +0.000002] el0t_64_sync+0x1bc/0x1c0
>
> To address this, initialise kexec_buf->random field properly.
>
> Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
> ---
> arch/arm64/kernel/kexec_image.c | 3 +++
> arch/arm64/kernel/machine_kexec_file.c | 6 +++++-
> 2 files changed, 8 insertions(+), 1 deletion(-)
> > diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c > index 532d72ea42ee..db6fb8c599a1 100644 > --- a/arch/arm64/kernel/kexec_image.c > +++ b/arch/arm64/kernel/kexec_image.c > @@ -76,6 +76,9 @@ static void *image_load(struct kimage *image, > kbuf.buf_min = 0; > kbuf.buf_max = ULONG_MAX; > kbuf.top_down = false; > +#ifdef CONFIG_CRASH_DUMP > + kbuf.random = false; > +#endif > > kbuf.buffer = kernel; > kbuf.bufsz = kernel_len; > diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c > index 410060ebd86d..06f38866424a 100644 > --- a/arch/arm64/kernel/machine_kexec_file.c > +++ b/arch/arm64/kernel/machine_kexec_file.c > @@ -94,7 +94,11 @@ int load_other_segments(struct kimage *image, > char *initrd, unsigned long initrd_len, > char *cmdline) > { > - struct kexec_buf kbuf = {}; > + struct kexec_buf kbuf = { > +#ifdef CONFIG_CRASH_DUMP > + .random = false, > +#endif > + }; This hunk is pointless. Will ^ permalink raw reply [flat|nested] 12+ messages in thread

end of thread, other threads:[~2025-12-01 10:38 UTC | newest]

Thread overview: 12+ messages (links below jump to the message on this page)
2025-11-27 18:26 [PATCH] arm64: kernel: initialize missing kexec_buf->random field Yeoreum Yun
2025-11-27 19:37 ` Andrew Morton
2025-11-28 0:17 ` Baoquan He
2025-11-28 8:29 ` Yeoreum Yun
2025-11-28 13:55 ` Breno Leitao
2025-11-28 14:01 ` Mark Rutland
2025-12-01 2:50 ` Baoquan He
2025-12-01 9:53 ` Breno Leitao
2025-12-01 10:36 ` Yeoreum Yun
2025-12-01 9:54 ` Mark Rutland
2025-11-28 18:31 ` Andrew Morton
2025-11-28 12:16 ` Will Deacon