* [PATCH v4] riscv: Prevent NULL pointer dereference in machine_kexec_prepare
@ 2026-07-03 11:15 Tao Liu
2026-07-03 14:38 ` Markus Elfring
0 siblings, 1 reply; 3+ messages in thread
From: Tao Liu @ 2026-07-03 11:15 UTC (permalink / raw)
To: pjw, palmer, aou, alex
Cc: linux-riscv, linux-kernel, kexec, bhe, zohar, roberto.sassu,
dmitry.kasatkin, eric.snowberg, linux-integrity, pratyush,
Markus.Elfring, kernel-janitors, jarkko, Tao Liu, stable,
Nutty Liu
A NULL pointer dereference issue is noticed in riscv's machine_kexec_prepare(),
where image->segment[i].buf might be NULL and copied unchecked.
The NULL buf comes from ima_add_kexec_buffer(), where kbuf is added by
kexec_add_buffer() while kbuf.buffer is still NULL; it is then copied without
a check in machine_kexec_prepare().
Relevant path:
kexec_file_load
-> kimage_file_alloc_init()
-> kimage_file_prepare_segments()
-> ima_add_kexec_buffer()
-> kexec_add_buffer()
-> machine_kexec_prepare()
-> memcpy()
Address this by adding a check before the data copy attempt.
Fixes: b7fb4d78a6ad ("RISC-V: use memcpy for kexec_file mode")
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/kexec/CAO7dBbVftLUhd2qrh7hmijTB3PEPfZAhykCGqEfrPoOcSrrj-w@mail.gmail.com/
Acked-by: Baoquan He <bhe@redhat.com>
Acked-by: Pratyush Yadav <pratyush@kernel.org>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Signed-off-by: Tao Liu <ltao@redhat.com>
---
v4 -> v3: 1) Remove code comment.
2) Replace (buf == NULL) with (!buf).
3) Reword commit message.
link to v1: https://lore.kernel.org/linux-riscv/20260529032739.13264-2-ltao@redhat.com/
link to v2: https://lore.kernel.org/linux-riscv/20260627222602.23594-2-ltao@redhat.com/
link to v3: https://lore.kernel.org/linux-riscv/20260701025732.66330-2-ltao@redhat.com/
---
arch/riscv/kernel/machine_kexec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
index 2306ce3e5f22..738df176ff6f 100644
--- a/arch/riscv/kernel/machine_kexec.c
+++ b/arch/riscv/kernel/machine_kexec.c
@@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image)
if (image->segment[i].memsz <= sizeof(fdt))
continue;
+ if (!image->segment[i].buf)
+ continue;
+
if (image->file_mode)
memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
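Review bot: the new `if (!image->segment[i].buf) continue;` sits above both copy paths, so it also changes behaviour for the `copy_from_user()` branch: a NULL user pointer that previously would have made `copy_from_user()` fail and take its error path is now skipped silently. The commit message only describes the kexec_file_load / IMA path, so either restrict the check to that path (`if (image->file_mode && !image->segment[i].buf)`) or state in the commit message that skipping is intended for user-mode segments as well. Since v4 dropped the code comment, a one-line note explaining why buf can legitimately be NULL here (kbuf.buffer left unset by ima_add_kexec_buffer()) would also help the next reader, who otherwise has to dig through the lore link to understand why a segment with memsz > sizeof(fdt) has no data.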
--
2.54.0
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
* Re: [PATCH v4] riscv: Prevent NULL pointer dereference in machine_kexec_prepare
2026-07-03 11:15 [PATCH v4] riscv: Prevent NULL pointer dereference in machine_kexec_prepare Tao Liu
@ 2026-07-03 14:38 ` Markus Elfring
2026-07-03 14:59 ` Pratyush Yadav
0 siblings, 1 reply; 3+ messages in thread
From: Markus Elfring @ 2026-07-03 14:38 UTC (permalink / raw)
To: Tao Liu, linux-riscv, kexec, linux-integrity, Albert Ou,
Alexandre Ghiti, Palmer Dabbelt, Paul Walmsley
Cc: kernel-janitors, LKML, Baoquan He, Dmitry Kasatkin, Eric Snowberg,
Jarkko Sakkinen, Mimi Zohar, Nutty Liu, Pratyush Yadav,
Roberto Sassu
> A NULL pointer dereference issue is noticed in riscv's machine_kexec_prepare(),
> where image->segment[i].buf might be NULL and copied unchecked.
…
Would it be helpful to append parentheses to a function name also in the summary phrase?
Why was such a hint not taken into account from a previous suggestion?
Regards,
Markus
* Re: [PATCH v4] riscv: Prevent NULL pointer dereference in machine_kexec_prepare
2026-07-03 14:38 ` Markus Elfring
@ 2026-07-03 14:59 ` Pratyush Yadav
0 siblings, 0 replies; 3+ messages in thread
From: Pratyush Yadav @ 2026-07-03 14:59 UTC (permalink / raw)
To: Markus Elfring
Cc: Tao Liu, linux-riscv, kexec, linux-integrity, Albert Ou,
Alexandre Ghiti, Palmer Dabbelt, Paul Walmsley, kernel-janitors,
LKML, Baoquan He, Dmitry Kasatkin, Eric Snowberg, Jarkko Sakkinen,
Mimi Zohar, Nutty Liu, Pratyush Yadav, Roberto Sassu
On Fri, Jul 03 2026, Markus Elfring wrote:
>> A NULL pointer dereference issue is noticed in riscv's machine_kexec_prepare(),
>> where image->segment[i].buf might be NULL and copied unchecked.
> …
>
> Would it be helpful to append parentheses to a function name also in the summary phrase?
>
> Why was such a hint not be taken into account from a previous suggestion?
Oh come on, this is a really really minor nitpick. The fact that
machine_kexec_prepare is a function is fairly obvious when reading the
patch. In fact, the first sentence of the commit message uses the
parentheses.
So yes, it would have been nice to have them in the subject. But no,
this is not at all worth anyone's time to fix. Certainly not at all
worth a v5.
Please, let's not nitpick our contributors into giving up.
--
Regards,
Pratyush Yadav