Re: [PATCH v14 02/17] powerpc/crash: Fix possible memory leak in... | linux-devicetree

[PATCH v14 00/17] arm64/riscv: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 01/17] riscv: kexec_file: Fix crashk_low_res not exclude bug · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 03/17] powerpc/crash: sort crash memory ranges before preparing elfcorehdr · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 02/17] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() · Jinjie Ruan <hidden> · 2026-05-25
Re: [PATCH v14 02/17] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() · sashiko-bot@kernel.org · 2026-05-25
Re: [PATCH v14 02/17] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() · Jinjie Ruan <hidden> · 2026-05-26
[PATCH v14 04/17] arm64: kexec: Fix image->elf_headers memory leak during retry loop · Jinjie Ruan <hidden> · 2026-05-25
Re: [PATCH v14 04/17] arm64: kexec: Fix image->elf_headers memory leak during retry loop · sashiko-bot@kernel.org · 2026-05-25
[PATCH v14 05/17] x86/kexec: Fix potential buffer overflow in prepare_elf_headers() · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 06/17] arm64: kexec_file: Fix potential buffer overflow in prepare_elf_headers() · Jinjie Ruan <hidden> · 2026-05-25
Re: [PATCH v14 06/17] arm64: kexec_file: Fix potential buffer overflow in prepare_elf_headers() · sashiko-bot@kernel.org · 2026-05-25
[PATCH v14 07/17] riscv: kexec_file: Fix potential buffer overflow in prepare_elf_headers() · Jinjie Ruan <hidden> · 2026-05-25
Re: [PATCH v14 07/17] riscv: kexec_file: Fix potential buffer overflow in prepare_elf_headers() · sashiko-bot@kernel.org · 2026-05-25
[PATCH v14 08/17] LoongArch: kexec: Fix potential buffer overflow in prepare_elf_headers() · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 09/17] crash: Add crash_prepare_headers() to exclude crash kernel memory · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 10/17] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-05-25
Re: [PATCH v14 10/17] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code · sashiko-bot@kernel.org · 2026-05-25
[PATCH v14 11/17] x86/kexec: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 12/17] riscv: kexec_file: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 13/17] LoongArch: kexec: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 15/17] arm64: kexec: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 14/17] crash: Use crash_exclude_core_ranges() on powerpc · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 16/17] riscv: kexec: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-05-25
[PATCH v14 17/17] arm64/crash: Add crash hotplug support · Jinjie Ruan <hidden> · 2026-05-25
Re: [PATCH v14 17/17] arm64/crash: Add crash hotplug support · sashiko-bot@kernel.org · 2026-05-25
Re: [PATCH v14 00/17] arm64/riscv: Add support for crashkernel CMA reservation · Huacai Chen <chenhuacai@kernel.org> · 2026-05-25
Re: [PATCH v14 00/17] arm64/riscv: Add support for crashkernel CMA reservation · Mike Rapoport <rppt@kernel.org> · 2026-05-25
Re: [PATCH v14 00/17] arm64/riscv: Add support for crashkernel CMA reservation · Huacai Chen <chenhuacai@kernel.org> · 2026-05-25
Re: [PATCH v14 00/17] arm64/riscv: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-05-28
Re: [PATCH v14 00/17] arm64/riscv: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-05-28
Re: [PATCH v14 00/17] arm64/riscv: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-05-28

Re: [PATCH v14 02/17] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr()

From: sashiko-bot@kernel.org
Date: 2026-05-25 09:22:08

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [Critical] Missing NULL check on `rmem` before accessing `rmem->nr_ranges` causes a NULL pointer dereference in `kexec_extra_fdt_size_ppc64()`.
- [Critical] `__merge_memory_ranges()` incorrectly shrinks overlapping memory ranges, causing critical memory regions to be lost.
--

commit 4efbfe4b6923f71ffba2342131a0178fa07349c0
Author: Jinjie Ruan [off-list ref]

powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr()

This commit fixes a memory leak in update_crash_elfcorehdr() by ensuring
allocated memory from get_crash_memory_ranges() is freed if an error occurs.
It updates the code to jump to the out label to properly free the memory.

quoted hunk ↗ jump to hunk

diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c
index e6539f213b3d1..a520f851c3a6b 100644
--- a/arch/powerpc/kexec/crash.c
+++ b/arch/powerpc/kexec/crash.c

@@ -502,7 +502,7 @@ static void update_crash_elfcorehdr(struct kimage *image, struct memory_notify *
 	ret = get_crash_memory_ranges(&cmem);
 	if (ret) {
 		pr_err("Failed to get crash mem range\n");
-		return;
+		goto out;
 	}
 
 	/*

[Severity: Critical]
This is a pre-existing issue, but does kexec_extra_fdt_size_ppc64()
dereference a NULL pointer if rmem is NULL?

If get_reserved_memory_ranges(&rmem) returns 0 without allocating memory for
rmem (e.g., when there are no matching device tree nodes), rmem remains NULL
when passed to kexec_extra_fdt_size_ppc64():

arch/powerpc/kexec/elf_64.c:elf64_load() {
	...
	ret = get_reserved_memory_ranges(&rmem);
	if (ret)
		goto out;

	fdt = of_kexec_alloc_and_setup_fdt(image, initrd_load_addr,
					   initrd_len, cmdline,
					   kexec_extra_fdt_size_ppc64(image, rmem));
	...
}

Inside kexec_extra_fdt_size_ppc64(), there is no check before accessing
rmem->nr_ranges:

arch/powerpc/kexec/file_load_64.c:kexec_extra_fdt_size_ppc64() {
	...
	/* Consider extra space for reserved memory ranges if any */
	if (rmem->nr_ranges > 0)
		extra_size += (unsigned int)(rmem->nr_ranges * sizeof(u64));
	...
}

Could this lead to a NULL pointer dereference and a kernel panic during
the kexec device tree preparation?


[Severity: Critical]
This isn't a bug introduced by this patch, but does __merge_memory_ranges()
incorrectly shrink overlapping memory ranges?

When merging memory ranges, the code unconditionally assigns ranges[i].end
to ranges[idx].end without using max(), and compares the start against
ranges[i-1].end rather than ranges[idx].end:

arch/powerpc/kexec/ranges.c:__merge_memory_ranges() {
	...
	for (i = 1; i < mem_rngs->nr_ranges; i++) {
		if (ranges[i].start <= (ranges[i-1].end + 1))
			ranges[idx].end = ranges[i].end;
		else {
	...
}

If a smaller memory range is completely subsumed by a larger one, could this
assignment shrink the end boundary of the merged range?

Would this truncate valid memory blocks from the kexec exclude lists,
potentially allowing the new kernel to overwrite the running kernel's memory
and causing data corruption or crashes?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260525084932.934910-1-ruanjinjie@huawei.com?part=2

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help