* [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare @ 2026-05-29 3:27 Tao Liu 2026-06-25 23:17 ` Tao Liu 0 siblings, 1 reply; 6+ messages in thread From: Tao Liu @ 2026-05-29 3:27 UTC (permalink / raw) To: pjw, palmer, aou, alex; +Cc: linux-riscv, linux-kernel, Tao Liu A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare, where image->segment[i].buf might be NULL and copied unchecked. The NULL buf comes from security/integrity/ima/ima_kexec.c: ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(), but kbuf.buffer is NULL. Fix this by simply adding a check before copy. Signed-off-by: Tao Liu <ltao@redhat.com> --- arch/riscv/kernel/machine_kexec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c index 2306ce3e5f22..d81d576f9cb5 100644 --- a/arch/riscv/kernel/machine_kexec.c +++ b/arch/riscv/kernel/machine_kexec.c @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image) if (image->segment[i].memsz <= sizeof(fdt)) continue; + if (image->segment[i].buf == NULL) + continue; + if (image->file_mode) memcpy(&fdt, image->segment[i].buf, sizeof(fdt)); else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt))) -- 2.47.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
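Review bot: the added `image->segment[i].buf == NULL` test sits above both copy branches, so it also skips segments on the copy_from_user() path, where a NULL user pointer would otherwise be reported by copy_from_user() failing rather than silently passed over. The commit message traces the NULL buf to ima_add_kexec_buffer(), and only the file_mode memcpy() reads through buf unchecked, so consider scoping the test to that branch, or state in the commit message that skipping is intended for both paths. The test also needs a short comment saying why a segment can have memsz set but no buffer, and `!image->segment[i].buf` is the usual kernel spelling. The changelog would be easier to backport with a Fixes: tag and the observed oops.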
* Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare 2026-05-29 3:27 [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare Tao Liu @ 2026-06-25 23:17 ` Tao Liu 2026-06-26 8:04 ` Baoquan He 0 siblings, 1 reply; 6+ messages in thread From: Tao Liu @ 2026-06-25 23:17 UTC (permalink / raw) To: pjw, palmer, aou, alex; +Cc: linux-riscv, linux-kernel Kindly ping, any comments? Thanks, Tao Liu On Fri, May 29, 2026 at 3:35 PM Tao Liu <ltao@redhat.com> wrote: > > A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare, > where image->segment[i].buf might be NULL and copied unchecked. > > The NULL buf comes from security/integrity/ima/ima_kexec.c: > ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(), > but kbuf.buffer is NULL. > > Fix this by simply adding a check before copy. > > Signed-off-by: Tao Liu <ltao@redhat.com> > --- > arch/riscv/kernel/machine_kexec.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c > index 2306ce3e5f22..d81d576f9cb5 100644 > --- a/arch/riscv/kernel/machine_kexec.c > +++ b/arch/riscv/kernel/machine_kexec.c > @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image) > if (image->segment[i].memsz <= sizeof(fdt)) > continue; > > + if (image->segment[i].buf == NULL) > + continue; > + > if (image->file_mode) > memcpy(&fdt, image->segment[i].buf, sizeof(fdt)); > else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt))) > -- > 2.47.0 > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare 2026-06-25 23:17 ` Tao Liu @ 2026-06-26 8:04 ` Baoquan He 2026-06-26 8:38 ` Tao Liu 0 siblings, 1 reply; 6+ messages in thread From: Baoquan He @ 2026-06-26 8:04 UTC (permalink / raw) To: Tao Liu, kexec; +Cc: pjw, palmer, aou, alex, linux-riscv, linux-kernel Add kexec ML to CC. On Fri, Jun 26, 2026 at 7:46 AM Tao Liu <ltao@redhat.com> wrote: > > Kindly ping, any comments? > > Thanks, > Tao Liu > > On Fri, May 29, 2026 at 3:35 PM Tao Liu <ltao@redhat.com> wrote: > > > > A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare, > > where image->segment[i].buf might be NULL and copied unchecked. > > > > The NULL buf comes from security/integrity/ima/ima_kexec.c: > > ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(), > > but kbuf.buffer is NULL. > > > > Fix this by simply adding a check before copy. > > > > Signed-off-by: Tao Liu <ltao@redhat.com> > > --- > > arch/riscv/kernel/machine_kexec.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c > > index 2306ce3e5f22..d81d576f9cb5 100644 > > --- a/arch/riscv/kernel/machine_kexec.c > > +++ b/arch/riscv/kernel/machine_kexec.c 
> > @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image) > > if (image->segment[i].memsz <= sizeof(fdt)) > > continue; > > > > + if (image->segment[i].buf == NULL) > > + continue; > > + This is a good fix, maybe we can add code comments to explain it as below, just for reference. /* * Some segments (e.g. IMA) reserve space but have no buffer * loaded yet. Skip them as they cannot contain an FDT. */ And is there any other place where the similar issue exists? e.g on LoongArch? Other than above concerns, this patch looks good to me: Acked-by: Baoquan He <bhe@redhat.com> > > if (image->file_mode) > > memcpy(&fdt, image->segment[i].buf, sizeof(fdt)); > > else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt))) > > -- > > 2.47.0 > > > > > _______________________________________________ > linux-riscv mailing list > linux-riscv@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare 2026-06-26 8:04 ` Baoquan He @ 2026-06-26 8:38 ` Tao Liu 2026-06-27 22:38 ` Tao Liu 0 siblings, 1 reply; 6+ messages in thread From: Tao Liu @ 2026-06-26 8:38 UTC (permalink / raw) To: Baoquan He; +Cc: kexec, pjw, palmer, aou, alex, linux-riscv, linux-kernel Hi Baoquan, Glad to see your message again! Thanks for the Ack and the suggestion for the comment, I will add it in the next version. In the meantime, I will check if similar issue exists on LoongArch as well. Thanks, Tao Liu On Fri, Jun 26, 2026 at 8:04 PM Baoquan He <bhe@redhat.com> wrote: > > Add kexec ML to CC. > > On Fri, Jun 26, 2026 at 7:46 AM Tao Liu <ltao@redhat.com> wrote: > > > > Kindly ping, any comments? > > > > Thanks, > > Tao Liu > > > > On Fri, May 29, 2026 at 3:35 PM Tao Liu <ltao@redhat.com> wrote: > > > > > > A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare, > > > where image->segment[i].buf might be NULL and copied unchecked. > > > > > > The NULL buf comes from security/integrity/ima/ima_kexec.c: > > > ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(), > > > but kbuf.buffer is NULL. > > > > > > Fix this by simply adding a check before copy. > > > > > > Signed-off-by: Tao Liu <ltao@redhat.com> > > > --- > > > arch/riscv/kernel/machine_kexec.c | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c > > > index 2306ce3e5f22..d81d576f9cb5 100644 > > > --- a/arch/riscv/kernel/machine_kexec.c > > > +++ b/arch/riscv/kernel/machine_kexec.c 
> > > @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image) > > > if (image->segment[i].memsz <= sizeof(fdt)) > > > continue; > > > > > > + if (image->segment[i].buf == NULL) > > > + continue; > > > + > > This is a good fix, maybe we can add code comments to explain it as > below, just for reference. > > /* > * Some segments (e.g. IMA) reserve space but have no buffer > * loaded yet. Skip them as they cannot contain an FDT. > */ > And is there any other place where the similar issue exists? e.g on LoongArch? > > Other than above concerns, this patch looks good to me: > > Acked-by: Baoquan He <bhe@redhat.com> > > > > if (image->file_mode) > > > memcpy(&fdt, image->segment[i].buf, sizeof(fdt)); > > > else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt))) > > > -- > > > 2.47.0 > > > > > > > > > _______________________________________________ > > linux-riscv mailing list > > linux-riscv@lists.infradead.org > > http://lists.infradead.org/mailman/listinfo/linux-riscv > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare 2026-06-26 8:38 ` Tao Liu @ 2026-06-27 22:38 ` Tao Liu 2026-06-29 2:44 ` Baoquan He 0 siblings, 1 reply; 6+ messages in thread From: Tao Liu @ 2026-06-27 22:38 UTC (permalink / raw) To: Baoquan He; +Cc: kexec, pjw, palmer, aou, alex, linux-riscv, linux-kernel Hi Baoquan, On Fri, Jun 26, 2026 at 8:38 PM Tao Liu <ltao@redhat.com> wrote: > > Hi Baoquan, > > Glad to see your message again! > > Thanks for the Ack and the suggestion for the comment, I will add it > in the next version. > > In the meantime, I will check if similar issue exists on LoongArch as well. > > Thanks, > Tao Liu > > On Fri, Jun 26, 2026 at 8:04 PM Baoquan He <bhe@redhat.com> wrote: > > > > Add kexec ML to CC. > > > > On Fri, Jun 26, 2026 at 7:46 AM Tao Liu <ltao@redhat.com> wrote: > > > > > > Kindly ping, any comments? > > > > > > Thanks, > > > Tao Liu > > > > > > On Fri, May 29, 2026 at 3:35 PM Tao Liu <ltao@redhat.com> wrote: > > > > > > > > A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare, > > > > where image->segment[i].buf might be NULL and copied unchecked. > > > > > > > > The NULL buf comes from security/integrity/ima/ima_kexec.c: > > > > ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(), > > > > but kbuf.buffer is NULL. > > > > > > > > Fix this by simply adding a check before copy. > > > > > > > > Signed-off-by: Tao Liu <ltao@redhat.com> > > > > --- > > > > arch/riscv/kernel/machine_kexec.c | 3 +++ > > > > 1 file changed, 3 insertions(+) > > > > > > > > diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c > > > > index 2306ce3e5f22..d81d576f9cb5 100644 > > > > --- a/arch/riscv/kernel/machine_kexec.c > > > > +++ b/arch/riscv/kernel/machine_kexec.c 
> > > > @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image) > > > > if (image->segment[i].memsz <= sizeof(fdt)) > > > > continue; > > > > > > > > + if (image->segment[i].buf == NULL) > > > > + continue; > > > > + > > > > This is a good fix, maybe we can add code comments to explain it as > > below, just for reference. > > > > /* > > * Some segments (e.g. IMA) reserve space but have no buffer > > * loaded yet. Skip them as they cannot contain an FDT. > > */ > > And is there any other place where the similar issue exists? e.g on LoongArch? I have tested in LoongArch, it doesn't have the similar issue. The reason is, in arch/loongarch/kernel/machine_kexec.c:machine_kexec_prepare(), the unchecked memcpy() only happens for none kexec file load, however ima_add_kexec_buffer() requires kexec file load. So the condition isn't met. > > > > Other than above concerns, this patch looks good to me: > > > > Acked-by: Baoquan He <bhe@redhat.com> Thanks for your code review and suggestions! Thanks, Tao Liu > > > > > > if (image->file_mode) > > > > memcpy(&fdt, image->segment[i].buf, sizeof(fdt)); > > > > else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt))) > > > > -- > > > > 2.47.0 > > > > > > > > > > > > > _______________________________________________ > > > linux-riscv mailing list > > > linux-riscv@lists.infradead.org > > > http://lists.infradead.org/mailman/listinfo/linux-riscv > > > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare 2026-06-27 22:38 ` Tao Liu @ 2026-06-29 2:44 ` Baoquan He 0 siblings, 0 replies; 6+ messages in thread From: Baoquan He @ 2026-06-29 2:44 UTC (permalink / raw) To: Tao Liu Cc: Baoquan He, kexec, pjw, palmer, aou, alex, linux-riscv, linux-kernel On 06/28/26 at 10:38am, Tao Liu wrote: ...... > > > /* > > > * Some segments (e.g. IMA) reserve space but have no buffer > > > * loaded yet. Skip them as they cannot contain an FDT. > > > */ > > > And is there any other place where the similar issue exists? e.g on LoongArch? > > I have tested in LoongArch, it doesn't have the similar issue. The > reason is, in arch/loongarch/kernel/machine_kexec.c:machine_kexec_prepare(), > the unchecked memcpy() only happens for none kexec file load, however > ima_add_kexec_buffer() requires kexec file load. So the condition > isn't met. OK, that's good, thanks for the effort. > > > > > > > Other than above concerns, this patch looks good to me: > > > > > > Acked-by: Baoquan He <bhe@redhat.com> > > Thanks for your code review and suggestions! > > Thanks, > Tao Liu > > > > > > > > > if (image->file_mode) > > > > > memcpy(&fdt, image->segment[i].buf, sizeof(fdt)); > > > > > else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt))) > > > > > -- > > > > > 2.47.0 > > > > > > > > > > > > > > > > > _______________________________________________ > > > > linux-riscv mailing list > > > > linux-riscv@lists.infradead.org > > > > http://lists.infradead.org/mailman/listinfo/linux-riscv > > > > > > > > ^ permalink raw reply [flat|nested] 6+ messages in thread