Devicetree
From: sashiko-bot@kernel.org
To: "Jinjie Ruan" <ruanjinjie@huawei.com>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v17 05/10] x86/crash: Use crash_prepare_headers() helper to simplify code
Date: Mon, 29 Jun 2026 10:41:31 +0000	[thread overview]
Message-ID: <20260629104132.1F4151F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629094746.191843-6-ruanjinjie@huawei.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] A TOCTOU race condition with concurrent memory hotplug events can cause an out-of-bounds array write in `prepare_elf64_ram_headers_callback()`.
--

commit cd182ef6162a3474e9e6717a10d9147468938990
Author: Jinjie Ruan <ruanjinjie@huawei.com>

x86/crash: Use crash_prepare_headers() helper to simplify code
    
This commit simplifies the x86 crash code by replacing the existing
prepare_elf_headers() with the newly introduced crash_prepare_headers()
helper function. It implements the three required architecture-specific
callbacks to pre-count, collect, and exclude memory ranges.

> diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
> index cd796818d94d9..cb2ce7acfec45 100644
> --- a/arch/x86/kernel/crash.c
> +++ b/arch/x86/kernel/crash.c

[ ... ]

> @@ -177,49 +169,16 @@ static struct crash_mem *fill_up_crash_elf_data(void)
>  	 * But in order to lest the low 1M could be changed in the future,
>  	 * (e.g. [start, 1M]), add a extra slot.
>  	 */
> -	nr_ranges += 3 + crashk_cma_cnt;
> -	cmem = vzalloc(struct_size(cmem, ranges, nr_ranges));
> -	if (!cmem)
> -		return NULL;
> -
> -	cmem->max_nr_ranges = nr_ranges;
> +	unsigned int nr_ranges = 3 + crashk_cma_cnt;
>  
> -	return cmem;
> +	walk_system_ram_res(0, -1, &nr_ranges, get_nr_ram_ranges_callback);
> +	return nr_ranges;
>  }
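Review bot: the return value of walk_system_ram_res() is dropped in the new `+	walk_system_ram_res(0, -1, &nr_ranges, get_nr_ram_ranges_callback);` line, so if the counting callback ever returned an error the function would still hand back just the `3 + crashk_cma_cnt` padding; since that padding is never zero, the `if (!max_nr_ranges) return -ENOMEM;` check in the caller quoted below cannot notice it. Either check the walk's return here or add a one-line comment stating that get_nr_ram_ranges_callback() cannot fail. While touching this block, the surviving context comment reads "add a extra slot" and could be corrected to "an extra slot".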

[ ... ]

> @@ -233,35 +192,9 @@ static int prepare_elf64_ram_headers_callback(struct resource *res, void *arg)
>  	return 0;
>  }
>  
> -/* Prepare elf headers. Return addr and size */
> -static int prepare_elf_headers(void **addr, unsigned long *sz,
> -			       unsigned long *nr_mem_ranges)
> +int arch_crash_populate_cmem(struct crash_mem *cmem)
>  {
> +	return walk_system_ram_res(0, -1, cmem, prepare_elf64_ram_headers_callback);
> +}
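Review bot: the removed prepare_elf_headers() carried a comment (`/* Prepare elf headers. Return addr and size */`) but the new non-static hook `+int arch_crash_populate_cmem(struct crash_mem *cmem)` has none, and its contract with arch_get_system_nr_ranges() (the cmem it receives is sized from that count, so the callback must never exceed cmem->max_nr_ranges) is not stated anywhere in this hunk. Please add a short kernel-doc comment spelling that out; note also that the walk's return value is now propagated by `+	return walk_system_ram_res(0, -1, cmem, prepare_elf64_ram_headers_callback);`, so a callback that returned an error on a full cmem would reach crash_prepare_headers() rather than being lost.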

[Severity: High]
This is a pre-existing issue, but could concurrent memory hotplug events
cause an out-of-bounds array write here?

In kernel/crash_core.c:crash_prepare_headers(), we first count the ranges
and allocate memory, then later populate it:

	max_nr_ranges = arch_get_system_nr_ranges();
	if (!max_nr_ranges)
		return -ENOMEM;

	cmem = alloc_cmem(max_nr_ranges);
	if (!cmem)
		return -ENOMEM;

	ret = arch_crash_populate_cmem(cmem);

Since mem_hotplug_lock isn't held during this sequence, a concurrent memory
hotplug event (like ACPI memory hot-add) can execute add_memory_resource()
and insert new System RAM resources into the iomem resource tree between the
count and the population steps.

If the number of newly added resources exceeds the padding added in
arch_get_system_nr_ranges(), prepare_elf64_ram_headers_callback()
can blindly write past the allocated bounds of cmem->ranges:

	cmem->ranges[cmem->nr_ranges].start = res->start;
	cmem->ranges[cmem->nr_ranges].end = res->end;
	cmem->nr_ranges++;

It doesn't appear to check against cmem->max_nr_ranges before incrementing
cmem->nr_ranges. Does this need an explicit bounds check or synchronization
to prevent potential heap corruption?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629094746.191843-1-ruanjinjie@huawei.com?part=5
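The count / allocate / populate sequence discussed in the review above, modelled in user space as an added example (this is not code from the patch or from the kernel): a stand-in resource list replaces the iomem tree, a walk helper stands in for walk_system_ram_res(), and the populate callback carries the bounds check against max_nr_ranges that the review says prepare_elf64_ram_headers_callback() lacks. All names (sys_ram_add, walk_ram, prepare_headers_with_hotplug), the padding constant and the sample addresses are constructed for the example; with the check in place, resources added in the window between counting and populating make the populate step fail with -ENOSPC instead of writing past the allocation.

```c
/* Added example, not kernel code: user-space model of the
 * count -> allocate -> populate sequence with a bounds-checked
 * populate callback. Names and sample values are constructed. */
#include <stddef.h>
#include <stdlib.h>
#include <errno.h>

struct range { unsigned long start, end; };

/* Same shape as the kernel's flexible-array struct crash_mem. */
struct crash_mem {
	unsigned int max_nr_ranges;
	unsigned int nr_ranges;
	struct range ranges[];
};

/* Constructed stand-in for the System RAM resources in the iomem tree. */
struct ram_res { unsigned long start, end; };

#define MAX_RES 16
static struct ram_res sys_ram[MAX_RES];
static unsigned int sys_ram_cnt;

static void sys_ram_reset(void) { sys_ram_cnt = 0; }

static int sys_ram_add(unsigned long start, unsigned long end)
{
	if (sys_ram_cnt >= MAX_RES)
		return -ENOSPC;
	sys_ram[sys_ram_cnt].start = start;
	sys_ram[sys_ram_cnt].end = end;
	sys_ram_cnt++;
	return 0;
}

/* Model of walk_system_ram_res(): call cb for each resource, stop on error. */
static int walk_ram(void *arg, int (*cb)(struct ram_res *, void *))
{
	for (unsigned int i = 0; i < sys_ram_cnt; i++) {
		int ret = cb(&sys_ram[i], arg);
		if (ret)
			return ret;
	}
	return 0;
}

static int count_cb(struct ram_res *res, void *arg)
{
	(void)res;
	(*(unsigned int *)arg)++;
	return 0;
}

/* Mirrors the reviewed counting step: fixed padding plus one per resource. */
#define PAD_SLOTS 3
static unsigned int get_nr_ranges(void)
{
	unsigned int n = PAD_SLOTS;

	walk_ram(&n, count_cb);
	return n;
}

static struct crash_mem *alloc_cmem(unsigned int max)
{
	struct crash_mem *c = calloc(1, sizeof(*c) + (size_t)max * sizeof(struct range));

	if (c)
		c->max_nr_ranges = max;
	return c;
}

/* Hardened populate callback: refuse to write past max_nr_ranges. */
static int populate_cb(struct ram_res *res, void *arg)
{
	struct crash_mem *c = arg;

	if (c->nr_ranges >= c->max_nr_ranges)
		return -ENOSPC;	/* without this check: out-of-bounds write */
	c->ranges[c->nr_ranges].start = res->start;
	c->ranges[c->nr_ranges].end = res->end;
	c->nr_ranges++;
	return 0;
}

/* Run count -> allocate -> (`added` resources hot-plugged) -> populate.
 * Returns the populate result; *out receives the cmem (caller frees it). */
int prepare_headers_with_hotplug(unsigned int initial, unsigned int added,
				 struct crash_mem **out)
{
	sys_ram_reset();
	for (unsigned int i = 0; i < initial; i++)
		sys_ram_add(i * 0x10000000UL, i * 0x10000000UL + 0xfffffffUL);

	unsigned int max = get_nr_ranges();
	struct crash_mem *c = alloc_cmem(max);

	if (!c)
		return -ENOMEM;

	/* The race window: resources appear between count and populate. */
	for (unsigned int i = 0; i < added; i++)
		sys_ram_add((initial + i) * 0x10000000UL,
			    (initial + i) * 0x10000000UL + 0xfffffffUL);

	*out = c;
	return walk_ram(c, populate_cb);
}
```

With four initial resources the count yields seven slots; up to three hot-added resources are absorbed by the padding, while a fourth makes populate_cb() return -ENOSPC after filling exactly max_nr_ranges entries, so the caller can retry or fail cleanly instead of corrupting the heap.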

Thread overview: 20+ messages
2026-06-29  9:47 [PATCH v17 00/10] arm64/riscv: Add support for crashkernel CMA reservation Jinjie Ruan
2026-06-29  9:47 ` [PATCH v17 01/10] riscv: kexec_file: Fix crashk_low_res not exclude bug Jinjie Ruan
2026-06-29  9:58   ` sashiko-bot
2026-06-29  9:47 ` [PATCH v17 02/10] powerpc/crash: sort crash memory ranges before preparing elfcorehdr Jinjie Ruan
2026-06-29  9:47 ` [PATCH v17 03/10] crash: Add crash_prepare_headers() to exclude crash kernel memory Jinjie Ruan
2026-06-29 10:19   ` sashiko-bot
2026-06-29  9:47 ` [PATCH v17 04/10] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code Jinjie Ruan
2026-06-29 10:31   ` sashiko-bot
2026-06-29  9:47 ` [PATCH v17 05/10] x86/crash: " Jinjie Ruan
2026-06-29 10:41   ` sashiko-bot [this message]
2026-06-29  9:47 ` [PATCH v17 06/10] riscv: kexec_file: " Jinjie Ruan
2026-06-29 10:53   ` sashiko-bot
2026-06-29 11:28   ` Guo Ren
2026-06-29  9:47 ` [PATCH v17 07/10] LoongArch: " Jinjie Ruan
2026-06-29 11:06   ` sashiko-bot
2026-06-29  9:47 ` [PATCH v17 08/10] powerpc/kexec_file: Use crash_exclude_core_ranges() helper Jinjie Ruan
2026-06-29  9:47 ` [PATCH v17 09/10] arm64: kexec_file: Add support for crashkernel CMA reservation Jinjie Ruan
2026-06-29  9:47 ` [PATCH v17 10/10] riscv: " Jinjie Ruan
2026-06-29 11:33   ` sashiko-bot
2026-06-30 15:49 ` [PATCH v17 00/10] arm64/riscv: " Mike Rapoport