From: sashiko-bot@kernel.org
To: "Wandun Chen" <chenwandun1@gmail.com>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v2 6/8] arm64: kdump: exclude non-dumpable reserved memory regions from vmcore
Date: Wed, 20 May 2026 12:02:02 +0000 [thread overview]
Message-ID: <20260520120203.20B7F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260520091844.592753-7-chenwandun@lixiang.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Lockless traversal of `memblock.memory` combined with a Time-of-Check to Time-of-Use (TOCTOU) pattern can cause an out-of-bounds array write if memory hotplug runs concurrently.
--
commit 9b53a1de1ee9b0da26c3c33056f291e1bba1171e
Author: Wandun Chen <chenwandun1@gmail.com>
arm64: kdump: exclude non-dumpable reserved memory regions from vmcore
Reserved memory regions are excluded from vmcore by default unless marked
dumpable. This patch honors the dumpable flag to filter out device firmware
regions reserved via device tree to reduce vmcore size.
> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
> index e31fabed378a5..1d65320c6ba48 100644
> --- a/arch/arm64/kernel/machine_kexec_file.c
> +++ b/arch/arm64/kernel/machine_kexec_file.c
[ ... ]
> @@ -51,6 +52,7 @@ static int prepare_elf_headers(void **addr, unsigned long *sz)
> nr_ranges = 2; /* for exclusion of crashkernel region */
> for_each_mem_range(i, &start, &end)
> nr_ranges++;
[Severity: High]
This is a pre-existing issue, but can this lockless traversal of
memblock.memory result in an out-of-bounds write if memory hotplug runs
concurrently?
The prepare_elf_headers() function iterates over memblock.memory twice:
first here to count the regions for sizing the cmem allocation, and then
later to populate cmem->ranges. This runs during the kexec_file_load
syscall which holds kexec_mutex but not memory hotplug locks like
device_hotplug_lock.
If a memory hotplug operation (e.g., via sysfs) occurs between the two
loops, memblock_add_node() could resize memblock.memory.regions via
memblock_double_array(). This would free the old array and increase the
region count.
Could this cause the second loop to iterate over a freed array and write
past the end of the allocated cmem->ranges array?
> + nr_ranges += of_reserved_mem_kdump_nr_ranges();
>
> cmem = kmalloc_flex(*cmem, ranges, nr_ranges);
> if (!cmem)
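Review bot: the new `nr_ranges += of_reserved_mem_kdump_nr_ranges();` adds a second, independently computed count to the size passed to `kmalloc_flex(*cmem, ranges, nr_ranges)`, but nothing in this hunk bounds the later pass that populates `cmem->ranges` to that `nr_ranges`; if the reserved-memory count returned here differs from the number of entries the fill helper later emits, the flex array is overrun just as in the memblock case above. Consider passing `nr_ranges` into the fill helper so it can fail closed (return an error instead of writing) once `cmem->nr_ranges` would reach the allocated size, and document that `of_reserved_mem_kdump_nr_ranges()` must use the same selection criteria as the helper that emits the ranges.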
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260520091844.592753-1-chenwandun@lixiang.com?part=6