[PATCH v3 0/2] powerpc/crash: backup region offset update to eflcorehdr

[PATCH v3 0/2] powerpc/crash: backup region offset update to eflcorehdr

[Sourabh Jain]

On a kernel crash, purgatory copies the first 64 KB of the crashed
kernel memory to the backup memory region reserved within crashkernel
memory for the kdump kernel. This ensures that the capture kernel can
use the first 64 KB of memory to place the exception vectors and other
required data.

However, in the elfcorehdr prepared using the kexec_file_load syscall,
or the one recreated during a memory hotplug event, the offset of the
program header representing the first 64 KB of memory is set to 0,
whereas it should point to the backup region.

This has not caused issues so far because the first 64 KB is usually
identical in both the crashed and capture kernels. However, this is
only an assumption and is not guaranteed to always hold true.

Therefore, update the offset of the program header representing the
first 64 KB of the crashed kernel memory in the elfcorehdr prepared for
the kdump kernel.

Testing:
=======

Git Tree: https://github.com/sourabhjains/linux/commits/kdump-backup-region-offset/

The above tree contains an additional patch that introduces a new sysfs
interface to dump the kdump elfcorehdr to the dmesg/console.

$> cat /sys/kernel/kexec/crash_elfcorehdr_print 
ELF Program Header Summary:
  Total Program Headers: 13 (0xd)
  PT_LOAD segments:      4 (0x4)
  PT_NOTE segments:      9 (0x9)

Program Headers:
Index Type               Offset             VirtAddr           PhysAddr     FileSize     MemSize  Flags   
================================================================================
0x0   PT_NOTE            0x3fd966400        0x0                0x3fd966400        0x218              0x218              ---
0x1   PT_NOTE            0x3fd996400        0x0                0x3fd996400        0x218              0x218              ---
0x2   PT_NOTE            0x3fd9c6400        0x0                0x3fd9c6400        0x218              0x218              ---
0x3   PT_NOTE            0x3fd9f6400        0x0                0x3fd9f6400        0x218              0x218              ---
0x4   PT_NOTE            0x3fda26400        0x0                0x3fda26400        0x218              0x218              ---
0x5   PT_NOTE            0x3fda56400        0x0                0x3fda56400        0x218              0x218              ---
0x6   PT_NOTE            0x3fda86400        0x0                0x3fda86400        0x218              0x218              ---
0x7   PT_NOTE            0x3fdab6400        0x0                0x3fdab6400        0x218              0x218              ---
0x8   PT_NOTE            0xa2c0000          0x0                0xa2c0000          0x10024            0x10024            ---
0x9   PT_LOAD            0x1af40000         0xc000000000000000 0x0                0x10000            0x10000            RWX
0xa   PT_LOAD            0x10000            0xc000000000010000 0x10000            0x17ff0000         0x17ff0000         RWX
0xb   PT_LOAD            0x2ec70000         0xc00000002ec70000 0x2ec70000         0x1390000          0x1390000          RWX
0xc   PT_LOAD            0x58000000         0xc000000058000000 0x58000000         0x3a8000000        0x3a8000000        RWX

So, once kdump is successfully loaded using the kexec command,
for example:

$ kexec --initrd=/boot/initramfs-`uname -r`.img /boot/vmlinuz-`uname -r` --append="`cat /proc/cmdline`" -pds

Running cat /sys/kernel/kexec/crash_elfcorehdr_print prints the
elfcorehdr in the above format. The offset of the program header
representing the first 64 KB can be easily observed.

Changlog:

v1:
https://lore.kernel.org/all/20260303134722.2814049-1-sourabhjain@linux.ibm.com/

v2:
https://lore.kernel.org/all/20260307052102.944952-1-sourabhjain@linux.ibm.com/
 - Fix build error: 'struct kimage' has no member named 'arch'
   How?
   Define ARCH_HAS_KIMAGE_ARCH and struct kimage_arch when
   CONFIG_KEXEC_FILE or CONFIG_CRASH_DUMP is enabled so that
   kimage->arch.backup_start is available with the kexec_load syscall.

v3:
- Fix a typo in a commit message 01/02
- Add a comment for a helper function in 02/02
- Add Reviewed-by tag
- No functional changes

Cc: Hari Bathini <hbathini@linux.ibm.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Shivang Upadhyay <shivangu@linux.ibm.com>
Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
Cc: Aditya Gupta <adityag@linux.ibm.com>

Sourabh Jain (2):
  powerpc/crash: fix backup region offset update to elfcorehdr
  powerpc/crash: Update backup region offset in elfcorehdr on memory
    hotplug

 arch/powerpc/include/asm/kexec.h  | 14 +++++--
 arch/powerpc/kexec/crash.c        | 64 +++++++++++++++++++++++++++++++
 arch/powerpc/kexec/file_load_64.c | 29 +-------------
 3 files changed, 76 insertions(+), 31 deletions(-)

-- 
2.52.0

[PATCH v3 1/2] powerpc/crash: fix backup region offset update to elfcorehdr

[Sourabh Jain]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=y, Size: 2398 bytes --]

update_backup_region_phdr() in file_load_64.c iterates over all the
program headers in the kdump kernel’s elfcorehdr and updates the
p_offset of the program header whose physical address starts at 0.

However, the loop logic is incorrect because the program header pointer
is not updated during iteration. Since elfcorehdr typically contains
PT_NOTE entries first, the PT_LOAD program header with physical address
0 is never reached. As a result, its p_offset is not updated to point to
the backup region.

Because of this behavior, the capture kernel exports the first 64 KB of
the crashed kernel’s memory at offset 0, even though that memory
actually lives in the backup region. When a crash happens, purgatory
copies the first 64 KB of the crashed kernel’s memory into the backup
region so the capture kernel can safely use it.

This has not caused problems so far because the first 64 KB is usually
identical in both the crashed and capture kernels. However, this is
just an assumption and is not guaranteed to always hold true.

Fix update_backup_region_phdr() to correctly update the p_offset of the
program header with a starting physical address of 0 by correcting the
logic used to iterate over the program headers.

Fixes: cb350c1f1f86 ("powerpc/kexec_file: Prepare elfcore header for crashing kernel")
Cc: Hari Bathini <hbathini@linux.ibm.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Shivang Upadhyay <shivangu@linux.ibm.com>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
---
 arch/powerpc/kexec/file_load_64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index e7ef8b2a2554..e631cf2eda2c 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c
@@ -391,7 +391,7 @@ static void update_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr)
 	unsigned int i;
 
 	phdr = (Elf64_Phdr *)(ehdr + 1);
-	for (i = 0; i < ehdr->e_phnum; i++) {
+	for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
 		if (phdr->p_paddr == BACKUP_SRC_START) {
 			phdr->p_offset = image->arch.backup_start;
 			kexec_dprintk("Backup region offset updated to 0x%lx\n",
-- 
2.52.0

[PATCH v3 2/2] powerpc/crash: Update backup region offset in elfcorehdr on memory hotplug

[Sourabh Jain]

When elfcorehdr is prepared for kdump, the program header representing
the first 64 KB of memory is expected to have its offset point to the
backup region. This is required because purgatory copies the first 64 KB
of the crashed kernel memory to this backup region following a kernel
crash. This allows the capture kernel to use the first 64 KB of memory
to place the exception vectors and other required data.

When elfcorehdr is recreated due to memory hotplug, the offset of
the program header representing the first 64 KB is not updated.
As a result, the capture kernel exports the first 64 KB at offset
0, even though the data actually resides in the backup region.

Fix this by calling sync_backup_region_phdr() to update the program
header offset in the elfcorehdr created during memory hotplug.

sync_backup_region_phdr() works for images loaded via the
kexec_file_load syscall. However, it does not work for kexec_load,
because image->arch.backup_start is not initialized in that case.
So introduce machine_kexec_post_load() to process the elfcorehdr
prepared by kexec-tools and initialize image->arch.backup_start for
kdump images loaded via kexec_load syscall.

Rename update_backup_region_phdr() to sync_backup_region_phdr() and
extend it to synchronize the backup region offset between the kdump
image and the ELF core header. The helper now supports updating either
the kdump image from the ELF program header or updating the ELF program
header from the kdump image, avoiding code duplication.

Define ARCH_HAS_KIMAGE_ARCH and struct kimage_arch when
CONFIG_KEXEC_FILE or CONFIG_CRASH_DUMP is enabled so that
kimage->arch.backup_start is available with the kexec_load system call.

This patch depends on the patch titled
"powerpc/crash: fix backup region offset update to elfcorehdr".

Fixes: 849599b702ef ("powerpc/crash: add crash memory hotplug support")
Cc: Hari Bathini <hbathini@linux.ibm.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Shivang Upadhyay <shivangu@linux.ibm.com>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
---
 arch/powerpc/include/asm/kexec.h  | 14 +++++--
 arch/powerpc/kexec/crash.c        | 64 +++++++++++++++++++++++++++++++
 arch/powerpc/kexec/file_load_64.c | 29 +-------------
 3 files changed, 76 insertions(+), 31 deletions(-)

diff --git a/arch/powerpc/include/asm/kexec.h b/arch/powerpc/include/asm/kexec.h
index bd4a6c42a5f3..e02710d6a2e1 100644
--- a/arch/powerpc/include/asm/kexec.h
+++ b/arch/powerpc/include/asm/kexec.h
@@ -66,11 +66,9 @@ void relocate_new_kernel(unsigned long indirection_page, unsigned long reboot_co
 			 unsigned long start_address) __noreturn;
 void kexec_copy_flush(struct kimage *image);
 
-#ifdef CONFIG_KEXEC_FILE
-extern const struct kexec_file_ops kexec_elf64_ops;
 
+#if defined(CONFIG_KEXEC_FILE) || defined(CONFIG_CRASH_DUMP)
 #define ARCH_HAS_KIMAGE_ARCH
-
 struct kimage_arch {
 	struct crash_mem *exclude_ranges;
 
@@ -78,6 +76,10 @@ struct kimage_arch {
 	void *backup_buf;
 	void *fdt;
 };
+#endif
+
+#ifdef CONFIG_KEXEC_FILE
+extern const struct kexec_file_ops kexec_elf64_ops;
 
 char *setup_kdump_cmdline(struct kimage *image, char *cmdline,
 			  unsigned long cmdline_len);
@@ -145,6 +147,10 @@ int arch_crash_hotplug_support(struct kimage *image, unsigned long kexec_flags);
 
 unsigned int arch_crash_get_elfcorehdr_size(void);
 #define crash_get_elfcorehdr_size arch_crash_get_elfcorehdr_size
+
+int machine_kexec_post_load(struct kimage *image);
+#define machine_kexec_post_load machine_kexec_post_load
+
 #endif /* CONFIG_CRASH_HOTPLUG */
 
 extern int crashing_cpu;
@@ -159,6 +165,8 @@ extern void default_machine_crash_shutdown(struct pt_regs *regs);
 extern void crash_kexec_prepare(void);
 extern void crash_kexec_secondary(struct pt_regs *regs);
 
+extern void sync_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr,
+				    bool phdr_to_kimage);
 static inline bool kdump_in_progress(void)
 {
 	return crashing_cpu >= 0;
diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c
index a325c1c02f96..e6539f213b3d 100644
--- a/arch/powerpc/kexec/crash.c
+++ b/arch/powerpc/kexec/crash.c
@@ -27,6 +27,7 @@
 #include <asm/debug.h>
 #include <asm/interrupt.h>
 #include <asm/kexec_ranges.h>
+#include <asm/crashdump-ppc64.h>
 
 /*
  * The primary CPU waits a while for all secondary CPUs to enter. This is to
@@ -399,7 +400,68 @@ void default_machine_crash_shutdown(struct pt_regs *regs)
 		ppc_md.kexec_cpu_down(1, 0);
 }
 
+#ifdef CONFIG_CRASH_DUMP
+/**
+ * sync_backup_region_phdr - synchronize backup region offset between
+ *			    kexec image and ELF core header.
+ * @image: Kexec image.
+ * @ehdr: ELF core header.
+ * @phdr_to_kimage: If true, read the offset from the ELF program header
+ *		    and update the kimage backup region. If false, update
+ *		    the ELF program header offset from the kimage backup
+ *		    region.
+ *
+ * Note: During kexec_load, this is called with phdr_to_kimage = true. For
+ * kexec_file_load and ELF core header recreation during memory hotplug
+ * events, it is called with phdr_to_kimage = false.
+ *
+ * Returns nothing.
+ */
+void sync_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr, bool phdr_to_kimage)
+{
+	Elf64_Phdr *phdr;
+	unsigned int i;
+
+	phdr = (Elf64_Phdr *)(ehdr + 1);
+	for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
+		if (phdr->p_paddr == BACKUP_SRC_START) {
+			if (phdr_to_kimage)
+				image->arch.backup_start = phdr->p_offset;
+			else
+				phdr->p_offset = image->arch.backup_start;
+
+			kexec_dprintk("Backup region offset updated to 0x%lx\n",
+				      image->arch.backup_start);
+			return;
+		}
+	}
+}
+#endif /* CONFIG_CRASH_DUMP */
+
 #ifdef CONFIG_CRASH_HOTPLUG
+
+int machine_kexec_post_load(struct kimage *image)
+{
+	int i;
+	unsigned long mem;
+	unsigned char *ptr;
+
+	if (image->type != KEXEC_TYPE_CRASH)
+		return 0;
+
+	if (image->file_mode)
+		return 0;
+
+	for (i = 0; i < image->nr_segments; i++) {
+		mem = image->segment[i].mem;
+		ptr = (char *)__va(mem);
+
+		if (ptr && memcmp(ptr, ELFMAG, SELFMAG) == 0)
+			sync_backup_region_phdr(image, (Elf64_Ehdr *) ptr, true);
+	}
+	return 0;
+}
+
 #undef pr_fmt
 #define pr_fmt(fmt) "crash hp: " fmt
 
@@ -474,6 +536,8 @@ static void update_crash_elfcorehdr(struct kimage *image, struct memory_notify *
 		goto out;
 	}
 
+	sync_backup_region_phdr(image, (Elf64_Ehdr *) elfbuf, false);
+
 	ptr = __va(mem);
 	if (ptr) {
 		/* Temporarily invalidate the crash image while it is replaced */
diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index e631cf2eda2c..502976a1823d 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c
@@ -374,33 +374,6 @@ static int load_backup_segment(struct kimage *image, struct kexec_buf *kbuf)
 	return 0;
 }
 
-/**
- * update_backup_region_phdr - Update backup region's offset for the core to
- *                             export the region appropriately.
- * @image:                     Kexec image.
- * @ehdr:                      ELF core header.
- *
- * Assumes an exclusive program header is setup for the backup region
- * in the ELF headers
- *
- * Returns nothing.
- */
-static void update_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr)
-{
-	Elf64_Phdr *phdr;
-	unsigned int i;
-
-	phdr = (Elf64_Phdr *)(ehdr + 1);
-	for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
-		if (phdr->p_paddr == BACKUP_SRC_START) {
-			phdr->p_offset = image->arch.backup_start;
-			kexec_dprintk("Backup region offset updated to 0x%lx\n",
-				      image->arch.backup_start);
-			return;
-		}
-	}
-}
-
 static unsigned int kdump_extra_elfcorehdr_size(struct crash_mem *cmem)
 {
 #if defined(CONFIG_CRASH_HOTPLUG) && defined(CONFIG_MEMORY_HOTPLUG)
@@ -445,7 +418,7 @@ static int load_elfcorehdr_segment(struct kimage *image, struct kexec_buf *kbuf)
 	}
 
 	/* Fix the offset for backup region in the ELF header */
-	update_backup_region_phdr(image, headers);
+	sync_backup_region_phdr(image, headers, false);
 
 	kbuf->buffer = headers;
 	kbuf->mem = KEXEC_BUF_MEM_UNKNOWN;
-- 
2.52.0

Re: [PATCH v3 1/2] powerpc/crash: fix backup region offset update to elfcorehdr

[Hari Bathini]

On 12/03/26 2:00 pm, Sourabh Jain wrote:
> update_backup_region_phdr() in file_load_64.c iterates over all the
> program headers in the kdump kernel’s elfcorehdr and updates the
> p_offset of the program header whose physical address starts at 0.
> 
> However, the loop logic is incorrect because the program header pointer
> is not updated during iteration. Since elfcorehdr typically contains
> PT_NOTE entries first, the PT_LOAD program header with physical address
> 0 is never reached. As a result, its p_offset is not updated to point to
> the backup region.
> 
> Because of this behavior, the capture kernel exports the first 64 KB of
> the crashed kernel’s memory at offset 0, even though that memory
> actually lives in the backup region. When a crash happens, purgatory
> copies the first 64 KB of the crashed kernel’s memory into the backup
> region so the capture kernel can safely use it.
> 
> This has not caused problems so far because the first 64 KB is usually
> identical in both the crashed and capture kernels. However, this is
> just an assumption and is not guaranteed to always hold true.
> 
> Fix update_backup_region_phdr() to correctly update the p_offset of the
> program header with a starting physical address of 0 by correcting the
> logic used to iterate over the program headers.
> 

Thanks for fixing this.
Looks good to me.

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>

> Fixes: cb350c1f1f86 ("powerpc/kexec_file: Prepare elfcore header for crashing kernel")
> Cc: Hari Bathini <hbathini@linux.ibm.com>
> Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
> Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
> Cc: Michael Ellerman <mpe@ellerman.id.au>
> Cc: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
> Cc: Shivang Upadhyay <shivangu@linux.ibm.com>
> Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
> Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
> ---
>   arch/powerpc/kexec/file_load_64.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
> index e7ef8b2a2554..e631cf2eda2c 100644
> --- a/arch/powerpc/kexec/file_load_64.c
> +++ b/arch/powerpc/kexec/file_load_64.c
> @@ -391,7 +391,7 @@ static void update_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr)
>   	unsigned int i;
>   
>   	phdr = (Elf64_Phdr *)(ehdr + 1);
> -	for (i = 0; i < ehdr->e_phnum; i++) {
> +	for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
>   		if (phdr->p_paddr == BACKUP_SRC_START) {
>   			phdr->p_offset = image->arch.backup_start;
>   			kexec_dprintk("Backup region offset updated to 0x%lx\n",

Re: [PATCH v3 1/2] powerpc/crash: fix backup region offset update to elfcorehdr

[Sourabh Jain]

On 12/03/26 14:06, Hari Bathini wrote:
>
>
> On 12/03/26 2:00 pm, Sourabh Jain wrote:
>> update_backup_region_phdr() in file_load_64.c iterates over all the
>> program headers in the kdump kernel’s elfcorehdr and updates the
>> p_offset of the program header whose physical address starts at 0.
>>
>> However, the loop logic is incorrect because the program header pointer
>> is not updated during iteration. Since elfcorehdr typically contains
>> PT_NOTE entries first, the PT_LOAD program header with physical address
>> 0 is never reached. As a result, its p_offset is not updated to point to
>> the backup region.
>>
>> Because of this behavior, the capture kernel exports the first 64 KB of
>> the crashed kernel’s memory at offset 0, even though that memory
>> actually lives in the backup region. When a crash happens, purgatory
>> copies the first 64 KB of the crashed kernel’s memory into the backup
>> region so the capture kernel can safely use it.
>>
>> This has not caused problems so far because the first 64 KB is usually
>> identical in both the crashed and capture kernels. However, this is
>> just an assumption and is not guaranteed to always hold true.
>>
>> Fix update_backup_region_phdr() to correctly update the p_offset of the
>> program header with a starting physical address of 0 by correcting the
>> logic used to iterate over the program headers.
>>
>
> Thanks for fixing this.
> Looks good to me.
>
> Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>

Thanks for the review Hari.

- Sourabh Jain

Re: [PATCH v3 0/2] powerpc/crash: backup region offset update to eflcorehdr

[Madhavan Srinivasan]

On Thu, 12 Mar 2026 14:00:48 +0530, Sourabh Jain wrote:
> On a kernel crash, purgatory copies the first 64 KB of the crashed
> kernel memory to the backup memory region reserved within crashkernel
> memory for the kdump kernel. This ensures that the capture kernel can
> use the first 64 KB of memory to place the exception vectors and other
> required data.
> 
> However, in the elfcorehdr prepared using the kexec_file_load syscall,
> or the one recreated during a memory hotplug event, the offset of the
> program header representing the first 64 KB of memory is set to 0,
> whereas it should point to the backup region.
> 
> [...]

Applied to powerpc/next.

[1/2] powerpc/crash: fix backup region offset update to elfcorehdr
      https://git.kernel.org/powerpc/c/789335cacdf37da93bb7c70322dff8c7e82881df
[2/2] powerpc/crash: Update backup region offset in elfcorehdr on memory hotplug
      https://git.kernel.org/powerpc/c/f53b24d1fa263f56155213eabab734c18d884aff

cheers