From: sashiko-bot@kernel.org
To: "Wandun Chen" <chenwandun1@gmail.com>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v4 08/10] arm64: kdump: exclude non-dumpable reserved memory regions from vmcore
Date: Tue, 30 Jun 2026 09:04:12 +0000 [thread overview]
Message-ID: <20260630090412.6A4051F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630074715.4126796-9-chenwandun1@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Preexisting TOCTOU race in prepare_elf_headers() during memblock iteration can cause an out-of-bounds array write due to concurrent memory hotplug.
--
commit 66936af0a692eab34029fe4f8b5ede43875e861f
Author: Wandun Chen <chenwandun@lixiang.com>
Date: Tue Jun 30 07:47:12 2026 +0000
arm64: kdump: exclude non-dumpable reserved memory regions from vmcore
This commit excludes reserved memory regions from the vmcore unless they are
explicitly marked as dumpable. It uses device tree reservations to filter
out device firmware regions, reducing the size of the vmcore. The array
size is adjusted to accommodate these exclusions.
> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
> index e31fabed378a5..1d65320c6ba48 100644
> --- a/arch/arm64/kernel/machine_kexec_file.c
> +++ b/arch/arm64/kernel/machine_kexec_file.c
[ ... ]
> @@ -51,6 +52,7 @@ static int prepare_elf_headers(void **addr, unsigned long *sz)
> nr_ranges = 2; /* for exclusion of crashkernel region */
> for_each_mem_range(i, &start, &end)
> nr_ranges++;
> + nr_ranges += of_reserved_mem_kdump_nr_ranges();
>
> cmem = kmalloc_flex(*cmem, ranges, nr_ranges);
> if (!cmem)
[Severity: High]
This isn't a bug introduced by this patch, but could this allocation lead to
an out-of-bounds write due to a time-of-check to time-of-use race?
In prepare_elf_headers(), the code counts the memory ranges with a first
for_each_mem_range() loop, allocates cmem based on that count, and then
populates cmem->ranges in a second for_each_mem_range() loop further down.
Because sys_kexec_file_load() does not hold the memory hotplug lock, a
concurrent memory hotplug operation could increase the number of ranges
between the two loops.
Since the second loop does not verify if cmem->nr_ranges exceeds
cmem->max_nr_ranges, could it write past the allocated array bounds?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630074715.4126796-1-chenwandun1@gmail.com?part=8
next prev parent reply other threads:[~2026-06-30 9:04 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 7:47 [PATCH v4 00/10] kdump: reduce vmcore size and capture time Wandun Chen
2026-06-30 7:47 ` [PATCH v4 01/10] kexec/crash: provide crash_exclude_mem_range() stub when CONFIG_CRASH_DUMP=n Wandun Chen
2026-06-30 11:05 ` Pratyush Yadav
2026-06-30 7:47 ` [PATCH v4 02/10] of: reserved_mem: dedup and relocate reserved-memory messages Wandun Chen
2026-06-30 7:47 ` [PATCH v4 03/10] of: reserved_mem: skip late scan when no regions are reserved Wandun Chen
2026-06-30 8:19 ` sashiko-bot
2026-06-30 7:47 ` [PATCH v4 04/10] of: reserved_mem: split alloc_reserved_mem_array() from fdt_scan_reserved_mem_late() Wandun Chen
2026-06-30 7:47 ` [PATCH v4 05/10] of: reserved_mem: add dumpable flag to opt-in vmcore Wandun Chen
2026-06-30 7:47 ` [PATCH v4 06/10] of: reserved_mem: save /memreserve/ entries into the reserved_mem array Wandun Chen
2026-06-30 7:47 ` [PATCH v4 07/10] of: reserved_mem: add kdump helpers to exclude non-dumpable regions Wandun Chen
2026-06-30 11:06 ` Pratyush Yadav
2026-06-30 7:47 ` [PATCH v4 08/10] arm64: kdump: exclude non-dumpable reserved memory regions from vmcore Wandun Chen
2026-06-30 9:04 ` sashiko-bot [this message]
2026-06-30 11:06 ` Pratyush Yadav
2026-06-30 7:47 ` [PATCH v4 09/10] riscv: " Wandun Chen
2026-06-30 9:22 ` sashiko-bot
2026-06-30 11:12 ` Pratyush Yadav
2026-06-30 12:00 ` Wandun
2026-06-30 7:47 ` [PATCH v4 10/10] loongarch: " Wandun Chen
2026-06-30 9:37 ` sashiko-bot
2026-06-30 11:13 ` Pratyush Yadav
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630090412.6A4051F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=chenwandun1@gmail.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox