From: sashiko-bot@kernel.org
To: "Jinjie Ruan" <ruanjinjie@huawei.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v15 03/23] powerpc/kexec_file: Fix NULL pointer dereference in kexec_extra_fdt_size_ppc64()
Date: Mon, 01 Jun 2026 10:00:39 +0000
Message-ID: <20260601100039.B12111F00893@smtp.kernel.org>
In-Reply-To: <20260601094805.2928614-4-ruanjinjie@huawei.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] FDT Buffer Under-allocation due to logic error in kexec_extra_fdt_size_ppc64()
--
commit 78687759639490ab63d0d6924f151d698ff15bbc
Author: Jinjie Ruan <ruanjinjie@huawei.com>
powerpc/kexec_file: Fix NULL pointer dereference in kexec_extra_fdt_size_ppc64()
This commit adds an early return to kexec_extra_fdt_size_ppc64() to prevent
a NULL pointer dereference if the rmem pointer is not allocated.
> diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
> index 8c72e12ea44e5..fdeedf102c38e 100644
> --- a/arch/powerpc/kexec/file_load_64.c
> +++ b/arch/powerpc/kexec/file_load_64.c
> @@ -649,6 +649,9 @@ unsigned int kexec_extra_fdt_size_ppc64(struct kimage *image, struct crash_mem *
> struct device_node *dn;
> unsigned int cpu_nodes = 0, extra_size = 0;
>
> + if (!rmem)
> + return 0;
> +
[Severity: High]
Does this early return improperly short-circuit the rest of the FDT extra
size calculation for independent components when no reserved memory regions
are present?
The get_reserved_memory_ranges() function can legitimately return 0 with a
NULL rmem on platforms lacking reserved memory regions. Returning 0 here
entirely bypasses other size estimations, such as plpks passwords,
hotplugged CPU nodes, and especially kdump_extra_fdt_size_ppc64().
Because kdump_extra_fdt_size_ppc64() calculates linux,drconf-usable-memory
entries which can exceed 32KB on systems with large hotpluggable memory
configurations, the baseline 4KB extra space cannot accommodate this missing
size. This could lead to FDT setup failing with -FDT_ERR_NOSPACE during
setup_new_fdt_ppc64() and prevent kexec/kdump from successfully loading.
Would it be better to conditionally guard only the rmem->nr_ranges access
further down in the function instead of returning early?
> // Budget some space for the password blob. There's already extra space
> // for the key name
> if (plpks_is_available())
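Review bot: The `if (!rmem) return 0;` at the top of the hunk sits before the plpks password budget that immediately follows it (`if (plpks_is_available())`), so on a platform where rmem is NULL the caller gets 0 extra bytes even for allocations that never touch rmem, which turns a NULL-pointer fix into a silent under-allocation. Moving the check to the statement that actually dereferences rmem (e.g. `if (rmem) extra_size += ...` around the nr_ranges use) keeps the rest of the accounting intact; the commit message should also name that dereference site, since the hunk itself does not show it.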
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260601094805.2928614-1-ruanjinjie@huawei.com?part=3
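The following stand-alone model, added here as an example and not taken from the kernel or from the patch, contrasts the two placements of the NULL check discussed in the review above. `struct crash_mem`, `struct kimage`, the byte constants and the `hotplug_cpu_nodes` parameter are simplified stand-ins with constructed values; the real kernel function derives these from libfdt, plpks and the device tree rather than from parameters.

```c
/* Added example (not kernel code): a simplified model of extra-FDT-size
 * budgeting. Struct layouts, constants and helper names are stand-ins,
 * chosen only to make the two NULL-check placements comparable. */
#include <stddef.h>
#include <stdio.h>

#define KEXEC_TYPE_DEFAULT 0
#define KEXEC_TYPE_CRASH   1

/* Constructed sizes, not kernel constants. */
#define PASSWORD_LEN     32U   /* plpks password blob */
#define BYTES_PER_RANGE  16U   /* one base/size pair per reserved range */
#define CPU_NODE_SIZE    64U   /* FDT bytes per hotplug-capable CPU node */

/* Stand-in for the kernel's struct crash_mem: only the field the model uses. */
struct crash_mem {
    unsigned int nr_ranges;
};

/* Stand-in for struct kimage: only the kexec type matters here. */
struct kimage {
    int type;
};

/* Variant as in the patch: return before any budgeting when rmem is NULL.
 * Every later contribution (password blob, CPU nodes) is lost. */
unsigned int extra_size_early_return(const struct kimage *image,
                                     const struct crash_mem *rmem,
                                     int plpks_available,
                                     unsigned int hotplug_cpu_nodes)
{
    unsigned int extra_size = 0;

    if (!rmem)
        return 0;

    if (plpks_available)
        extra_size += PASSWORD_LEN;

    if (image->type != KEXEC_TYPE_CRASH)
        return extra_size;

    extra_size += rmem->nr_ranges * BYTES_PER_RANGE;
    extra_size += hotplug_cpu_nodes * CPU_NODE_SIZE;
    return extra_size;
}

/* Variant the review suggests: guard only the dereference of rmem, so the
 * independent contributions are still counted when no ranges exist. */
unsigned int extra_size_guarded(const struct kimage *image,
                                const struct crash_mem *rmem,
                                int plpks_available,
                                unsigned int hotplug_cpu_nodes)
{
    unsigned int extra_size = 0;

    if (plpks_available)
        extra_size += PASSWORD_LEN;

    if (image->type != KEXEC_TYPE_CRASH)
        return extra_size;

    if (rmem)
        extra_size += rmem->nr_ranges * BYTES_PER_RANGE;
    extra_size += hotplug_cpu_nodes * CPU_NODE_SIZE;
    return extra_size;
}

int main(void)
{
    struct kimage crash = { .type = KEXEC_TYPE_CRASH };

    /* Constructed scenario: kdump load, plpks present, two hotplug CPU
     * nodes, no reserved memory ranges (rmem == NULL). */
    printf("early return: %u bytes\n",
           extra_size_early_return(&crash, NULL, 1, 2));
    printf("guarded:      %u bytes\n",
           extra_size_guarded(&crash, NULL, 1, 2));
    return 0;
}
```

With rmem NULL the early-return variant budgets nothing, while the guarded variant still reserves the password blob and the CPU node space; when rmem is present both variants agree, which is why the regression is easy to miss on hardware that always has reserved ranges.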
Thread overview: 37+ messages
2026-06-01 9:47 [PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 01/23] riscv: kexec_file: Fix crashk_low_res not exclude bug Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 02/23] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 03/23] powerpc/kexec_file: Fix NULL pointer dereference in kexec_extra_fdt_size_ppc64() Jinjie Ruan
2026-06-01 10:00 ` sashiko-bot [this message]
2026-06-01 9:47 ` [PATCH v15 04/23] powerpc/kexec_file: Fix memory range truncation in __merge_memory_ranges() Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 05/23] powerpc/crash: sort crash memory ranges before preparing elfcorehdr Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 06/23] kexec: Extract kexec_free_segment_cma() from kimage_free_cma() Jinjie Ruan
2026-06-01 10:15 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 07/23] arm64: kexec_file: Fix CMA page leaks during segment placement retry loops Jinjie Ruan
2026-06-01 10:19 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 08/23] arm64: kexec_file: Fix image->elf_headers memory leak during retry loop Jinjie Ruan
2026-06-01 10:21 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 09/23] kexec: Fix UAF and Double Free in crash_load_dm_crypt_keys() Jinjie Ruan
2026-06-01 10:29 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 10/23] crash_core: Introduce CRASH_HOTPLUG_SAFETY_PADDING for memory hotplug safety Jinjie Ruan
2026-06-01 10:37 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 11/23] x86: kexec_file: Fix TOCTOU buffer overflow via memory region padding Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 12/23] arm64: " Jinjie Ruan
2026-06-01 10:48 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 13/23] riscv: " Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 14/23] LoongArch: " Jinjie Ruan
2026-06-01 10:51 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 15/23] crash: Add crash_prepare_headers() to exclude crash kernel memory Jinjie Ruan
2026-06-01 10:57 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 16/23] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 17/23] x86: " Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 18/23] riscv: " Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 19/23] LoongArch: " Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 20/23] powerpc/kexec_file: Use crash_exclude_core_ranges() helper Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 21/23] arm64: kexec_file: Add support for crashkernel CMA reservation Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 22/23] riscv: " Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 23/23] arm64: crash: Add crash hotplug support Jinjie Ruan
2026-06-01 11:37 ` sashiko-bot
2026-06-01 13:40 ` [PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation Baoquan He
2026-06-02 1:43 ` Jinjie Ruan
2026-06-02 3:06 ` Baoquan He