Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Jinjie Ruan" <ruanjinjie@huawei.com>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v17 04/10] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code
Date: Mon, 29 Jun 2026 10:31:09 +0000	[thread overview]
Message-ID: <20260629103109.894551F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629094746.191843-5-ruanjinjie@huawei.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] A Time-of-Check to Time-of-Use (TOCTOU) race condition in arch_crash_populate_cmem() causes a heap buffer overflow in the flexible array cmem->ranges.
- [High] Memory leak of the vmalloc'd ELF headers buffer in the fallback retry loop of image_load().
--

commit 8b7f92744f5c8fa93faeb43fb72b1a59dcc427a4
Author: Jinjie Ruan <ruanjinjie@huawei.com>

arm64: kexec_file: Use crash_prepare_headers() helper to simplify code

This patch refactors the kexec_file code to use the newly introduced
crash_prepare_headers() helper, replacing prepare_elf_headers(). It
implements arch_get_system_nr_ranges() and arch_crash_populate_cmem()
to traverse memblock ranges and populate crash memory structures.

> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
> index e31fabed378a5..b019b31df48cb 100644
> --- a/arch/arm64/kernel/machine_kexec_file.c
> +++ b/arch/arm64/kernel/machine_kexec_file.c

[ ... ]

> +int arch_crash_populate_cmem(struct crash_mem *cmem)
> +{
> +	phys_addr_t start, end;
> +	u64 i;
>  
> -	cmem->max_nr_ranges = nr_ranges;
> -	cmem->nr_ranges = 0;
>  	for_each_mem_range(i, &start, &end) {
>  		cmem->ranges[cmem->nr_ranges].start = start;
>  		cmem->ranges[cmem->nr_ranges].end = end - 1;
>  		cmem->nr_ranges++;

[Severity: High]
This is a pre-existing issue, but is it possible for memory hotplug events
to add new memblock regions concurrently?

If a concurrent memory hotplug event adds regions between the first
pass in arch_get_system_nr_ranges() and this second pass in
arch_crash_populate_cmem(), this loop blindly increments cmem->nr_ranges
without bounding it against cmem->max_nr_ranges.

Could this lead to an out-of-bounds write to the cmem->ranges array?

>  	}
>  
> -	/* Exclude crashkernel region */

[ ... ]

> @@ -109,7 +93,7 @@ int load_other_segments(struct kimage *image,
>  	void *headers;
>  	unsigned long headers_sz;
>  	if (image->type == KEXEC_TYPE_CRASH) {
> -		ret = prepare_elf_headers(&headers, &headers_sz);
> +		ret = crash_prepare_headers(true, &headers, &headers_sz, NULL);

[Severity: High]
This isn't a bug introduced by this patch, but does this leak the vmalloc'd
headers buffer if a subsequent step in load_other_segments() fails?

If a later operation (like placing the initrd or dtb via kexec_add_buffer)
fails, the function jumps to out_err:

out_err:
	image->nr_segments = orig_segments;
	kvfree(dtb);
	return ret;

This doesn't free headers or clear image->elf_headers. The caller,
image_load(), catches this failure and loops to retry load_other_segments()
in a new memory hole. 

On the retry, a new headers buffer is allocated here, overwriting the
previous pointer in image->elf_headers and permanently leaking the old buffer.

>  		if (ret) {
>  			pr_err("Preparing elf core header failed\n");
>  			goto out_err;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629094746.191843-1-ruanjinjie@huawei.com?part=4

  reply	other threads:[~2026-06-29 10:31 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29  9:47 [PATCH v17 00/10] arm64/riscv: Add support for crashkernel CMA reservation Jinjie Ruan
2026-06-29  9:47 ` [PATCH v17 01/10] riscv: kexec_file: Fix crashk_low_res not exclude bug Jinjie Ruan
2026-06-29  9:58   ` sashiko-bot
2026-06-29  9:47 ` [PATCH v17 02/10] powerpc/crash: sort crash memory ranges before preparing elfcorehdr Jinjie Ruan
2026-06-29  9:47 ` [PATCH v17 03/10] crash: Add crash_prepare_headers() to exclude crash kernel memory Jinjie Ruan
2026-06-29 10:19   ` sashiko-bot
2026-06-29  9:47 ` [PATCH v17 04/10] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code Jinjie Ruan
2026-06-29 10:31   ` sashiko-bot [this message]
2026-06-29  9:47 ` [PATCH v17 05/10] x86/crash: " Jinjie Ruan
2026-06-29 10:41   ` sashiko-bot
2026-06-29  9:47 ` [PATCH v17 06/10] riscv: kexec_file: " Jinjie Ruan
2026-06-29 10:53   ` sashiko-bot
2026-06-29 11:28   ` Guo Ren
2026-06-29  9:47 ` [PATCH v17 07/10] LoongArch: " Jinjie Ruan
2026-06-29 11:06   ` sashiko-bot
2026-06-29  9:47 ` [PATCH v17 08/10] powerpc/kexec_file: Use crash_exclude_core_ranges() helper Jinjie Ruan
2026-06-29  9:47 ` [PATCH v17 09/10] arm64: kexec_file: Add support for crashkernel CMA reservation Jinjie Ruan
2026-06-29  9:47 ` [PATCH v17 10/10] riscv: " Jinjie Ruan
2026-06-29 11:33   ` sashiko-bot
2026-06-30 15:49 ` [PATCH v17 00/10] arm64/riscv: " Mike Rapoport

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629103109.894551F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=ruanjinjie@huawei.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox