[PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare

[PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare

[Tao Liu]

A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare,
where image->segment[i].buf might be NULL and copied unchecked.

The NULL buf comes from security/integrity/ima/ima_kexec.c:
ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
but kbuf.buffer is NULL.

Fix this by simply adding a check before copy.

Signed-off-by: Tao Liu <ltao@redhat.com>
---
 arch/riscv/kernel/machine_kexec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
index 2306ce3e5f22..d81d576f9cb5 100644
--- a/arch/riscv/kernel/machine_kexec.c
+++ b/arch/riscv/kernel/machine_kexec.c
@@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image)
 		if (image->segment[i].memsz <= sizeof(fdt))
 			continue;
 
+		if (image->segment[i].buf == NULL)
+			continue;
+
 		if (image->file_mode)
 			memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
 		else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
-- 
2.47.0

Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare

[Tao Liu]

Kindly ping, any comments?

Thanks,
Tao Liu

On Fri, May 29, 2026 at 3:35 PM Tao Liu <ltao@redhat.com> wrote:
>
> A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare,
> where image->segment[i].buf might be NULL and copied unchecked.
>
> The NULL buf comes from security/integrity/ima/ima_kexec.c:
> ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
> but kbuf.buffer is NULL.
>
> Fix this by simply adding a check before copy.
>
> Signed-off-by: Tao Liu <ltao@redhat.com>
> ---
>  arch/riscv/kernel/machine_kexec.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
> index 2306ce3e5f22..d81d576f9cb5 100644
> --- a/arch/riscv/kernel/machine_kexec.c
> +++ b/arch/riscv/kernel/machine_kexec.c
> @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image)
>                 if (image->segment[i].memsz <= sizeof(fdt))
>                         continue;
>
> +               if (image->segment[i].buf == NULL)
> +                       continue;
> +
>                 if (image->file_mode)
>                         memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
>                 else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
> --
> 2.47.0
>

Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare

[Baoquan He]

Add kexec ML to CC.

On Fri, Jun 26, 2026 at 7:46 AM Tao Liu <ltao@redhat.com> wrote:
>
> Kindly ping, any comments?
>
> Thanks,
> Tao Liu
>
> On Fri, May 29, 2026 at 3:35 PM Tao Liu <ltao@redhat.com> wrote:
> >
> > A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare,
> > where image->segment[i].buf might be NULL and copied unchecked.
> >
> > The NULL buf comes from security/integrity/ima/ima_kexec.c:
> > ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
> > but kbuf.buffer is NULL.
> >
> > Fix this by simply adding a check before copy.
> >
> > Signed-off-by: Tao Liu <ltao@redhat.com>
> > ---
> >  arch/riscv/kernel/machine_kexec.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
> > index 2306ce3e5f22..d81d576f9cb5 100644
> > --- a/arch/riscv/kernel/machine_kexec.c
> > +++ b/arch/riscv/kernel/machine_kexec.c
> > @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image)
> >                 if (image->segment[i].memsz <= sizeof(fdt))
> >                         continue;
> >
> > +               if (image->segment[i].buf == NULL)
> > +                       continue;
> > +

This is a good fix, maybe we can add code comments to explain it as
below, just for reference.

               /*
                * Some segments (e.g. IMA) reserve space but have no buffer
                * loaded yet. Skip them as they cannot contain an FDT.
                */
And is there any other place where the similar issue exists? e.g on LoongArch?

Other than above concerns, this patch looks good to me:

Acked-by: Baoquan He <bhe@redhat.com>

> >                 if (image->file_mode)
> >                         memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
> >                 else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
> > --
> > 2.47.0
> >
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
>

Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare

[Tao Liu]

Hi Baoquan,

Glad to see your message again!

Thanks for the Ack and the suggestion for the comment, I will add it
in the next version.

In the meantime, I will check if similar issue exists on LoongArch as well.

Thanks,
Tao Liu

On Fri, Jun 26, 2026 at 8:04 PM Baoquan He <bhe@redhat.com> wrote:
>
> Add kexec ML to CC.
>
> On Fri, Jun 26, 2026 at 7:46 AM Tao Liu <ltao@redhat.com> wrote:
> >
> > Kindly ping, any comments?
> >
> > Thanks,
> > Tao Liu
> >
> > On Fri, May 29, 2026 at 3:35 PM Tao Liu <ltao@redhat.com> wrote:
> > >
> > > A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare,
> > > where image->segment[i].buf might be NULL and copied unchecked.
> > >
> > > The NULL buf comes from security/integrity/ima/ima_kexec.c:
> > > ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
> > > but kbuf.buffer is NULL.
> > >
> > > Fix this by simply adding a check before copy.
> > >
> > > Signed-off-by: Tao Liu <ltao@redhat.com>
> > > ---
> > >  arch/riscv/kernel/machine_kexec.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
> > > index 2306ce3e5f22..d81d576f9cb5 100644
> > > --- a/arch/riscv/kernel/machine_kexec.c
> > > +++ b/arch/riscv/kernel/machine_kexec.c
> > > @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image)
> > >                 if (image->segment[i].memsz <= sizeof(fdt))
> > >                         continue;
> > >
> > > +               if (image->segment[i].buf == NULL)
> > > +                       continue;
> > > +
>
> This is a good fix, maybe we can add code comments to explain it as
> below, just for reference.
>
>                /*
>                 * Some segments (e.g. IMA) reserve space but have no buffer
>                 * loaded yet. Skip them as they cannot contain an FDT.
>                 */
> And is there any other place where the similar issue exists? e.g on LoongArch?
>
> Other than above concerns, this patch looks good to me:
>
> Acked-by: Baoquan He <bhe@redhat.com>
>
> > >                 if (image->file_mode)
> > >                         memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
> > >                 else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
> > > --
> > > 2.47.0
> > >
> >
> >
> > _______________________________________________
> > linux-riscv mailing list
> > linux-riscv@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/linux-riscv
> >
>

Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare

[Tao Liu]

Hi Baoquan,

On Fri, Jun 26, 2026 at 8:38 PM Tao Liu <ltao@redhat.com> wrote:
>
> Hi Baoquan,
>
> Glad to see your message again!
>
> Thanks for the Ack and the suggestion for the comment, I will add it
> in the next version.
>
> In the meantime, I will check if similar issue exists on LoongArch as well.
>
> Thanks,
> Tao Liu
>
> On Fri, Jun 26, 2026 at 8:04 PM Baoquan He <bhe@redhat.com> wrote:
> >
> > Add kexec ML to CC.
> >
> > On Fri, Jun 26, 2026 at 7:46 AM Tao Liu <ltao@redhat.com> wrote:
> > >
> > > Kindly ping, any comments?
> > >
> > > Thanks,
> > > Tao Liu
> > >
> > > On Fri, May 29, 2026 at 3:35 PM Tao Liu <ltao@redhat.com> wrote:
> > > >
> > > > A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare,
> > > > where image->segment[i].buf might be NULL and copied unchecked.
> > > >
> > > > The NULL buf comes from security/integrity/ima/ima_kexec.c:
> > > > ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
> > > > but kbuf.buffer is NULL.
> > > >
> > > > Fix this by simply adding a check before copy.
> > > >
> > > > Signed-off-by: Tao Liu <ltao@redhat.com>
> > > > ---
> > > >  arch/riscv/kernel/machine_kexec.c | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
> > > > index 2306ce3e5f22..d81d576f9cb5 100644
> > > > --- a/arch/riscv/kernel/machine_kexec.c
> > > > +++ b/arch/riscv/kernel/machine_kexec.c
> > > > @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image)
> > > >                 if (image->segment[i].memsz <= sizeof(fdt))
> > > >                         continue;
> > > >
> > > > +               if (image->segment[i].buf == NULL)
> > > > +                       continue;
> > > > +
> >
> > This is a good fix, maybe we can add code comments to explain it as
> > below, just for reference.
> >
> >                /*
> >                 * Some segments (e.g. IMA) reserve space but have no buffer
> >                 * loaded yet. Skip them as they cannot contain an FDT.
> >                 */
> > And is there any other place where the similar issue exists? e.g on LoongArch?

I have tested in LoongArch, it doesn't have the similar issue. The
reason is, in arch/loongarch/kernel/machine_kexec.c:machine_kexec_prepare(),
the unchecked memcpy() only happens for none kexec file load, however
ima_add_kexec_buffer() requires kexec file load. So the condition
isn't met.

> >
> > Other than above concerns, this patch looks good to me:
> >
> > Acked-by: Baoquan He <bhe@redhat.com>

Thanks for your code review and suggestions!

Thanks,
Tao Liu

> >
> > > >                 if (image->file_mode)
> > > >                         memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
> > > >                 else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
> > > > --
> > > > 2.47.0
> > > >
> > >
> > >
> > > _______________________________________________
> > > linux-riscv mailing list
> > > linux-riscv@lists.infradead.org
> > > http://lists.infradead.org/mailman/listinfo/linux-riscv
> > >
> >

Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare

[Baoquan He]

On 06/28/26 at 10:38am, Tao Liu wrote:
......
> > >                /*
> > >                 * Some segments (e.g. IMA) reserve space but have no buffer
> > >                 * loaded yet. Skip them as they cannot contain an FDT.
> > >                 */
> > > And is there any other place where the similar issue exists? e.g on LoongArch?
> 
> I have tested in LoongArch, it doesn't have the similar issue. The
> reason is, in arch/loongarch/kernel/machine_kexec.c:machine_kexec_prepare(),
> the unchecked memcpy() only happens for none kexec file load, however
> ima_add_kexec_buffer() requires kexec file load. So the condition
> isn't met.

OK, that's good, thanks for the effort.

> 
> > >
> > > Other than above concerns, this patch looks good to me:
> > >
> > > Acked-by: Baoquan He <bhe@redhat.com>
> 
> Thanks for your code review and suggestions!
> 
> Thanks,
> Tao Liu
> 
> > >
> > > > >                 if (image->file_mode)
> > > > >                         memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
> > > > >                 else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
> > > > > --
> > > > > 2.47.0
> > > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > linux-riscv mailing list
> > > > linux-riscv@lists.infradead.org
> > > > http://lists.infradead.org/mailman/listinfo/linux-riscv
> > > >
> > >
>