From: sashiko-bot@kernel.org
To: "Jinjie Ruan" <ruanjinjie@huawei.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v15 06/23] kexec: Extract kexec_free_segment_cma() from kimage_free_cma()
Date: Mon, 01 Jun 2026 10:15:53 +0000
Message-ID: <20260601101553.93BF61F00893@smtp.kernel.org>
In-Reply-To: <20260601094805.2928614-7-ruanjinjie@huawei.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] kimage_load_cma_segment() leaves the trailing padding of CMA segments uninitialized, causing kexec purgatory SHA256 verification failures.
--
commit a9d6d83b4aab10c874e37c5a865249c7645d1e82
Author: Jinjie Ruan <ruanjinjie@huawei.com>
kexec: Extract kexec_free_segment_cma() from kimage_free_cma()
This patch extracts the single-pass CMA release logic into a dedicated exported
helper kexec_free_segment_cma(). It refactors the main kimage_free_cma() to
invoke this helper sequentially to maintain backward compatibility while
expanding single-slot flexibility.
> diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
> index a43d2da0fe3e7..9195f81e53c48 100644
> --- a/kernel/kexec_core.c
> +++ b/kernel/kexec_core.c
[ ... ]
> -static void kimage_free_cma(struct kimage *image)
> +void kexec_free_segment_cma(struct kimage *image, unsigned long idx)
> {
> - unsigned long i;
> + u32 nr_pages = image->segment[idx].memsz >> PAGE_SHIFT;
> + struct page *cma = image->segment_cma[idx];
[ ... ]
> + arch_kexec_pre_free_pages(page_address(cma), nr_pages);
> + dma_release_from_contiguous(NULL, cma, nr_pages);
> + image->segment_cma[idx] = NULL;
> +}
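Review bot: In kexec_free_segment_cma() the two initializers read image->segment[idx].memsz and image->segment_cma[idx] with a caller-supplied idx before any statement in the body can validate it, and the function is no longer static. Both arrays in struct kimage hold KEXEC_SEGMENT_MAX entries, so an out-of-range idx from a new caller is an out-of-bounds read followed by a release of whatever was found there. Consider a kernel-doc comment stating that idx must be below image->nr_segments, or an early return on an out-of-range idx with the two reads moved after it. The lines between the declarations and arch_kexec_pre_free_pages() are elided here, so it is also worth confirming that a NULL segment_cma[idx] returns before page_address(cma) is evaluated, since callers outside kimage_free_cma() may now hit empty slots.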
While reviewing this patch, I noticed a pre-existing issue in the related
kimage_load_cma_segment() function in the same file:

kernel/kexec_core.c:kimage_load_cma_segment() {
	...
	/* Then copy from source buffer to the CMA one */
	while (mbytes) {
		size_t uchunk, mchunk;
		...
		ptr += mchunk;
		mbytes -= mchunk;
		cond_resched();
	}
	/* Clear any remainder */
	memset(ptr, 0, mbytes);
	...
}

[Severity: High]
This isn't a bug introduced by this patch, but does this memset actually clear
the trailing padding?
The while loop terminates when mbytes reaches 0, which translates the memset
to memset(ptr, 0, 0). Because kexec purgatory calculates the SHA256 digest of
the entire segment assuming the padding is zeroed, could the uninitialized
memory lead to a digest mismatch and cause kexec boot failures?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260601094805.2928614-1-ruanjinjie@huawei.com?part=6
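
The padding question raised in the review above, modelled in user space as an added example (not code from the kernel tree or from this thread). `CHUNK`, `STALE`, `load_segment()` and `stale_padding()` are hypothetical names, the `memcpy` line is an assumed stand-in for the loop body the excerpt elides, and the `zero_pad` variant is one possible way to zero the padding, not a patch proposed in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 16   /* stand-in for PAGE_SIZE (constructed value) */
#define STALE 0xAA /* models leftover contents of the CMA pages */

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/*
 * Chunked copy shaped like the excerpt; memcpy stands in for the elided body.
 * zero_pad = 0 reproduces the code as quoted; zero_pad = 1 also zeroes the
 * part of each chunk that the source buffer did not cover.
 */
static void load_segment(unsigned char *ptr, const unsigned char *src,
                         size_t ubytes, size_t mbytes, int zero_pad)
{
    while (mbytes) {
        size_t mchunk = min_sz(mbytes, CHUNK);
        size_t uchunk = min_sz(ubytes, mchunk);
        memcpy(ptr, src, uchunk);
        if (zero_pad)
            memset(ptr + uchunk, 0, mchunk - uchunk);
        src += uchunk;
        ubytes -= uchunk;
        ptr += mchunk;
        mbytes -= mchunk;
    }
    /* Clear any remainder */
    memset(ptr, 0, mbytes); /* mbytes is 0 once the loop exits: clears nothing */
}

/* Count bytes in [bufsz, memsz) left non-zero; needs bufsz <= memsz <= 64. */
static size_t stale_padding(size_t bufsz, size_t memsz, int zero_pad)
{
    unsigned char src[64], dst[64];
    size_t i, n = 0;
    memset(src, 0x11, sizeof(src)); /* constructed segment payload */
    memset(dst, STALE, sizeof(dst));
    load_segment(dst, src, bufsz, memsz, zero_pad);
    for (i = bufsz; i < memsz; i++)
        n += dst[i] != 0;
    return n;
}

int main(void)
{
    printf("as quoted: %zu stale bytes, zero-padded: %zu\n",
           stale_padding(20, 48, 0), stale_padding(20, 48, 1));
    return 0;
}
```

With a 20-byte payload in a 48-byte segment, every byte past the payload keeps its previous contents in the quoted form, which is the region a digest over the whole segment would also cover.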