[PATCH v15 03/23] powerpc/kexec_file: Fix NULL pointer dereference in... | linuxppc-dev

[PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 02/23] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 01/23] riscv: kexec_file: Fix crashk_low_res not exclude bug · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 03/23] powerpc/kexec_file: Fix NULL pointer dereference in kexec_extra_fdt_size_ppc64() · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 04/23] powerpc/kexec_file: Fix memory range truncation in __merge_memory_ranges() · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 06/23] kexec: Extract kexec_free_segment_cma() from kimage_free_cma() · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 05/23] powerpc/crash: sort crash memory ranges before preparing elfcorehdr · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 07/23] arm64: kexec_file: Fix CMA page leaks during segment placement retry loops · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 08/23] arm64: kexec_file: Fix image->elf_headers memory leak during retry loop · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 09/23] kexec: Fix UAF and Double Free in crash_load_dm_crypt_keys() · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 11/23] x86: kexec_file: Fix TOCTOU buffer overflow via memory region padding · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 10/23] crash_core: Introduce CRASH_HOTPLUG_SAFETY_PADDING for memory hotplug safety · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 12/23] arm64: kexec_file: Fix TOCTOU buffer overflow via memory region padding · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 13/23] riscv: kexec_file: Fix TOCTOU buffer overflow via memory region padding · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 14/23] LoongArch: kexec_file: Fix TOCTOU buffer overflow via memory region padding · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 15/23] crash: Add crash_prepare_headers() to exclude crash kernel memory · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 16/23] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 17/23] x86: kexec_file: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 19/23] LoongArch: kexec_file: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 18/23] riscv: kexec_file: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 20/23] powerpc/kexec_file: Use crash_exclude_core_ranges() helper · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 21/23] arm64: kexec_file: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 22/23] riscv: kexec_file: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 23/23] arm64: crash: Add crash hotplug support · Jinjie Ruan <hidden> · 2026-06-01
Re: [PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation · Baoquan He <baoquan.he@linux.dev> · 2026-06-01
Re: [PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-06-02
Re: [PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation · Baoquan He <baoquan.he@linux.dev> · 2026-06-02

COLD23d

Revisions (14)

2026-02-04 v3 [diff vs current]
2026-02-09 v4 [diff vs current]
2026-02-12 v5 [diff vs current]
2026-02-24 v6 [diff vs current]
2026-02-26 v7 [diff vs current]
2026-03-02 v8 [diff vs current]
2026-03-23 v9 [diff vs current]
2026-03-25 v10 [diff vs current]
2026-03-28 v11 [diff vs current]
2026-04-02 v12 [diff vs current]
2026-05-11 v13 [diff vs current]
2026-05-25 v14 [diff vs current]
2026-06-01 v15 current
2026-06-08 v16 [diff vs current]

[PATCH v15 03/23] powerpc/kexec_file: Fix NULL pointer dereference in kexec_extra_fdt_size_ppc64()

From: Jinjie Ruan <hidden>
Date: 2026-06-01 09:48:53
Also in: kexec, linux-devicetree, linux-doc, linux-riscv, lkml, loongarch
Subsystem: linux for powerpc (32-bit and 64-bit), the rest · Maintainers: Madhavan Srinivasan, Michael Ellerman, Linus Torvalds

A static Sashiko AI review identified a potential NULL pointer dereference
in kexec_extra_fdt_size_ppc64().

When get_reserved_memory_ranges() successfully returns 0 on platforms
without any reserved memory regions, the allocated 'rmem' pointer remains
NULL. Passing this unallocated pointer directly to
kexec_extra_fdt_size_ppc64() leads to a kernel panic when evaluating
'rmem->nr_ranges'.

Fix this by adding a defensive NULL pointer check at the beginning of
kexec_extra_fdt_size_ppc64(), returning 0 extra space immediately if
no reserved memory structure exists.

Cc: Sourabh Jain <redacted>
Cc: Hari Bathini <hbathini@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: stable@vger.kernel.org
Fixes: 0d3ff067331e ("powerpc/kexec_file: fix extra size calculation for kexec FDT")
Signed-off-by: Jinjie Ruan <redacted>
---
 arch/powerpc/kexec/file_load_64.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index 8c72e12ea44e..fdeedf102c38 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c

@@ -649,6 +649,9 @@ unsigned int kexec_extra_fdt_size_ppc64(struct kimage *image, struct crash_mem *
 	struct device_node *dn;
 	unsigned int cpu_nodes = 0, extra_size = 0;
 
+	if (!rmem)
+		return 0;
+
 	// Budget some space for the password blob. There's already extra space
 	// for the key name
 	if (plpks_is_available())

-- 
2.34.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help