From: sashiko-bot@kernel.org
To: "Jinjie Ruan" <ruanjinjie@huawei.com>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v15 23/23] arm64: crash: Add crash hotplug support
Date: Mon, 01 Jun 2026 11:37:18 +0000 [thread overview]
Message-ID: <20260601113718.8BF2D1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260601094805.2928614-24-ruanjinjie@huawei.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Critical] During `kexec_file_load`, the system will read out of bounds from the `vzalloc` allocated `image->elf_headers` buffer, potentially causing a kernel panic by hitting a vmap guard page.
Pre-existing issues:
- [High] Lockless iteration of `memblock.memory` via `for_each_mem_range` during `kexec_file_load` races with memory hotplug, potentially causing a Use-After-Free.
--
commit 5a09c245ca3b9b38d052bf46687cba4c0372f7eb
Author: Jinjie Ruan <ruanjinjie@huawei.com>
arm64: crash: Add crash hotplug support
This commit adds crash hotplug support for arm64. It allows the architecture
to selectively update the kdump image components (like elfcorehdr) during
memory hotplug events without reloading the entire kdump image.
Link: https://lore.kernel.org/all/20240529133446.28446-1-Jonathan.Cameron@huawei.com/
> diff --git a/arch/arm64/kernel/crash.c b/arch/arm64/kernel/crash.c
> new file mode 100644
> index 0000000000000..5882b9b5a90e8
> --- /dev/null
> +++ b/arch/arm64/kernel/crash.c
[ ... ]
> +int arch_crash_populate_cmem(struct crash_mem *cmem)
> +{
> + phys_addr_t start, end;
> + u64 i;
> +
> + for_each_mem_range(i, &start, &end) {
[Severity: High]
This is a pre-existing issue, but does this lockless iteration of
memblock ranges race with memory hotplug?
When invoked via the sys_kexec_file_load() path, it appears no locks
protecting memory hotplug (such as mem_hotplug_lock) are held.
If a concurrent memory hotplug event occurs, couldn't memblock_add_node()
dynamically resize the memblock.memory.regions array via
memblock_double_array() (which calls kfree() on the old array), resulting
in a use-after-free here?
[ ... ]
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 93c36a3aa618e..21f38de7a8b6a 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
[ ... ]
> @@ -92,16 +93,32 @@ static void *image_load(struct kimage *image,
> #ifdef CONFIG_CRASH_DUMP
> if (image->type == KEXEC_TYPE_CRASH) {
> /* load elf core header */
> - unsigned long headers_sz;
> + unsigned long headers_sz, pnum = 0;
> void *headers;
>
> - ret = crash_prepare_headers(true, &headers, &headers_sz, NULL);
> + ret = crash_prepare_headers(true, &headers, &headers_sz, &pnum);
> if (ret) {
> pr_err("Preparing elf core header failed\n");
> return ERR_PTR(ret);
> }
> image->elf_headers = headers;
> image->elf_headers_sz = headers_sz;
> +
> +#ifdef CONFIG_CRASH_HOTPLUG
> + /*
> + * The elfcorehdr segment size accounts for VMCOREINFO, kernel_map
> + * maximum CPUs and maximum memory ranges.
> + */
> + if (IS_ENABLED(CONFIG_MEMORY_HOTPLUG))
> + pnum = 2 + num_possible_cpus() + CONFIG_CRASH_MAX_MEMORY_RANGES;
> + else
> + pnum += 2 + num_possible_cpus();
> +
> + if (pnum < (unsigned long)PN_XNUM)
> + image->elf_headers_sz = max(pnum_hdr_sz(pnum), headers_sz);
[ ... ]
> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
> index d0f73eb3f856f..0016001f4d005 100644
> --- a/arch/arm64/kernel/machine_kexec_file.c
> +++ b/arch/arm64/kernel/machine_kexec_file.c
[ ... ]
> @@ -98,6 +66,12 @@ int load_other_segments(struct kimage *image,
> kbuf.bufsz = image->elf_headers_sz;
> kbuf.mem = KEXEC_BUF_MEM_UNKNOWN;
> kbuf.memsz = image->elf_headers_sz;
[Severity: Critical]
Will this cause an out-of-bounds read during the segment copy?
In arch/arm64/kernel/kexec_image.c:image_load(), image->elf_headers_sz
is artificially inflated beyond the actual allocated size (headers_sz) to
accommodate future hotpluggable CPUs and memory regions.
By setting kbuf.bufsz to this inflated size here, when the generic
kimage_load_segment() executes, it will use segment->bufsz to determine
how many bytes to copy from the source buffer.
Since the copy size now exceeds the vzalloc'd allocation size, won't this
cause the kernel to read into unmapped vmap guard pages and trigger a
panic?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260601094805.2928614-1-ruanjinjie@huawei.com?part=23
next prev parent reply other threads:[~2026-06-01 11:37 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-01 9:47 [PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 01/23] riscv: kexec_file: Fix crashk_low_res not exclude bug Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 02/23] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 03/23] powerpc/kexec_file: Fix NULL pointer dereference in kexec_extra_fdt_size_ppc64() Jinjie Ruan
2026-06-01 10:00 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 04/23] powerpc/kexec_file: Fix memory range truncation in __merge_memory_ranges() Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 05/23] powerpc/crash: sort crash memory ranges before preparing elfcorehdr Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 06/23] kexec: Extract kexec_free_segment_cma() from kimage_free_cma() Jinjie Ruan
2026-06-01 10:15 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 07/23] arm64: kexec_file: Fix CMA page leaks during segment placement retry loops Jinjie Ruan
2026-06-01 10:19 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 08/23] arm64: kexec_file: Fix image->elf_headers memory leak during retry loop Jinjie Ruan
2026-06-01 10:21 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 09/23] kexec: Fix UAF and Double Free in crash_load_dm_crypt_keys() Jinjie Ruan
2026-06-01 10:29 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 10/23] crash_core: Introduce CRASH_HOTPLUG_SAFETY_PADDING for memory hotplug safety Jinjie Ruan
2026-06-01 10:37 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 11/23] x86: kexec_file: Fix TOCTOU buffer overflow via memory region padding Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 12/23] arm64: " Jinjie Ruan
2026-06-01 10:48 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 13/23] riscv: " Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 14/23] LoongArch: " Jinjie Ruan
2026-06-01 10:51 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 15/23] crash: Add crash_prepare_headers() to exclude crash kernel memory Jinjie Ruan
2026-06-01 10:57 ` sashiko-bot
2026-06-01 9:47 ` [PATCH v15 16/23] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code Jinjie Ruan
2026-06-01 9:47 ` [PATCH v15 17/23] x86: " Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 18/23] riscv: " Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 19/23] LoongArch: " Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 20/23] powerpc/kexec_file: Use crash_exclude_core_ranges() helper Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 21/23] arm64: kexec_file: Add support for crashkernel CMA reservation Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 22/23] riscv: " Jinjie Ruan
2026-06-01 9:48 ` [PATCH v15 23/23] arm64: crash: Add crash hotplug support Jinjie Ruan
2026-06-01 11:37 ` sashiko-bot [this message]
2026-06-01 13:40 ` [PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation Baoquan He
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260601113718.8BF2D1F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=ruanjinjie@huawei.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox