{"id":2215679,"url":"http://patchwork.ozlabs.org/api/patches/2215679/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20260325025904.2811960-9-ruanjinjie@huawei.com/","project":{"id":2,"url":"http://patchwork.ozlabs.org/api/projects/2/?format=json","name":"Linux PPC development","link_name":"linuxppc-dev","list_id":"linuxppc-dev.lists.ozlabs.org","list_email":"linuxppc-dev@lists.ozlabs.org","web_url":"https://github.com/linuxppc/wiki/wiki","scm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git","webscm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/","list_archive_url":"https://lore.kernel.org/linuxppc-dev/","list_archive_url_format":"https://lore.kernel.org/linuxppc-dev/{}/","commit_url_format":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id={}"},"msgid":"<20260325025904.2811960-9-ruanjinjie@huawei.com>","list_archive_url":"https://lore.kernel.org/linuxppc-dev/20260325025904.2811960-9-ruanjinjie@huawei.com/","date":"2026-03-25T02:59:04","name":"[v10,8/8] crash: Fix race condition between crash kernel loading and memory hotplug","commit_ref":null,"pull_url":null,"state":"handled-elsewhere","archived":false,"hash":"47194c9bbf1c0811b7ef776df32e43c8a44323b3","submitter":{"id":84791,"url":"http://patchwork.ozlabs.org/api/people/84791/?format=json","name":"Jinjie Ruan","email":"ruanjinjie@huawei.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20260325025904.2811960-9-ruanjinjie@huawei.com/mbox/","series":[{"id":497378,"url":"http://patchwork.ozlabs.org/api/series/497378/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=497378","date":"2026-03-25T02:58:56","name":"[v10,1/8] riscv: kexec_file: Fix crashk_low_res not exclude bug","version":10,"mbox":"http://patchwork.ozlabs.org/series/497378/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2215679/comments/","check":"success","checks":"http://patchwork.ozlabs.org/api/patches/2215679/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <linuxppc-dev+bounces-18757-incoming=patchwork.ozlabs.org@lists.ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linuxppc-dev@lists.ozlabs.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=huawei.com header.i=@huawei.com header.a=rsa-sha256\n header.s=dkim header.b=xqNJJTRY;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org\n (client-ip=112.213.38.117; helo=lists.ozlabs.org;\n envelope-from=linuxppc-dev+bounces-18757-incoming=patchwork.ozlabs.org@lists.ozlabs.org;\n receiver=patchwork.ozlabs.org)","lists.ozlabs.org;\n arc=none smtp.remote-ip=113.46.200.217","lists.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=huawei.com","lists.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=huawei.com header.i=@huawei.com header.a=rsa-sha256\n header.s=dkim header.b=xqNJJTRY;\n\tdkim-atps=neutral","lists.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=huawei.com\n (client-ip=113.46.200.217; helo=canpmsgout02.his.huawei.com;\n envelope-from=ruanjinjie@huawei.com; receiver=lists.ozlabs.org)"],"Received":["from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgWnV6Z6Rz1y1G\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 25 Mar 2026 13:58:38 +1100 (AEDT)","from boromir.ozlabs.org (localhost [127.0.0.1])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 4fgWmd4glCz30MZ;\n\tWed, 25 Mar 2026 13:57:53 +1100 (AEDT)","from canpmsgout02.his.huawei.com (canpmsgout02.his.huawei.com\n [113.46.200.217])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 4fgWmc2TcPz30D3\n\tfor <linuxppc-dev@lists.ozlabs.org>; Wed, 25 Mar 2026 13:57:52 +1100 (AEDT)","from mail.maildlp.com (unknown [172.19.163.0])\n\tby canpmsgout02.his.huawei.com (SkyGuard) with ESMTPS id 4fgWdn6WXHzcb0r;\n\tWed, 25 Mar 2026 10:51:57 +0800 (CST)","from dggpemf500011.china.huawei.com (unknown [7.185.36.131])\n\tby mail.maildlp.com (Postfix) with ESMTPS id 3FA2840561;\n\tWed, 25 Mar 2026 10:57:49 +0800 (CST)","from huawei.com (10.90.53.73) by dggpemf500011.china.huawei.com\n (7.185.36.131) with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Wed, 25 Mar\n 2026 10:57:46 +0800"],"ARC-Seal":"i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707; t=1774407473;\n\tcv=none;\n b=Jck+XNqzrEMEKVqIXnKsPLw2OMDJrdi4HjhB1HFRjqavuiOX6rL2PH2K+ZbXpLj0MQmzXDjJnk1mqMeVtK7NWPUsDCuz0aEk6qM4R30mzEWLMK22Zbch4Z6h42eN24WyJZ63cbB1jIsc0mVP9nEtl8dgMU2FObV1zJkyYLIhErIEdFGvT/3Vks4py9f9m1kEbSvVYUnAf3xuWOmcm/HYUSffjBalAqiiVq8aq5XZsI0PU/aG3frUzFel3on8d4Y+jFD5ZFgCZKO8xnYHUX2blnKxiIvf/N3MSG0PFrt29o/5Z4Y1+rn7MB1XP3qchBlLig/4Q0kwo1oLoNy66aUT/Q==","ARC-Message-Signature":"i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707;\n\tt=1774407473; c=relaxed/relaxed;\n\tbh=8E4spcrmYqVzYUlBqOGzHHrelMM+VkOSD8iaO6+byhw=;\n\th=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version:Content-Type;\n b=eWJN//sM9HS03R0lERWNk5Nj4utHi9r2eqUMEX4XGk3hsdH+WsedB5p4wjeS3KuNwFrzae/BGyIDpg7EjmW71m9oR5nCE4PzxJu7a6VY83YBSRZqBKCjU2BoxzoE3Bb+3srX5mg/zTGuJ7U2LT04ApWeAoXAa6i6BXs/jilJuIuwRF21ASbZUiqPFFC/kp6HEHpO8FMGL67scF45CPoZhhLPwdONNr7AkO8usivXS4Cy4ad2qARIKIA4jWcFkhPKPl1PuK8cqy9a2BWxOC2oBgcoYCRl7wqp3FDyWZKVF1xLUGYsIzbIc5cPkXseHbbrROW64g0a64yp6UUtHrllAg==","ARC-Authentication-Results":"i=1; lists.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=huawei.com;\n dkim=pass (1024-bit key;\n unprotected) header.d=huawei.com header.i=@huawei.com header.a=rsa-sha256\n header.s=dkim header.b=xqNJJTRY; dkim-atps=neutral;\n spf=pass (client-ip=113.46.200.217; helo=canpmsgout02.his.huawei.com;\n envelope-from=ruanjinjie@huawei.com;\n receiver=lists.ozlabs.org) smtp.mailfrom=huawei.com","dkim-signature":"v=1; a=rsa-sha256; d=huawei.com; s=dkim;\n\tc=relaxed/relaxed; q=dns/txt;\n\th=From;\n\tbh=8E4spcrmYqVzYUlBqOGzHHrelMM+VkOSD8iaO6+byhw=;\n\tb=xqNJJTRYyggCzXZzuIVa391GmVhP2M1AywiTzUCVIdevfMWk2W0+G2iNIudjPzgYPiCgaIuhE\n\t5THdqWRaQk7mWGN7AJ7Xy8EnMOPizyjjR001GpeKPLFi3V5PkCr2VJzvHZC7VITILAKNTbQjTE4\n\tda7qaeuWWHQjW0U1XLO75kc=","From":"Jinjie Ruan <ruanjinjie@huawei.com>","To":"<corbet@lwn.net>, <skhan@linuxfoundation.org>, <catalin.marinas@arm.com>,\n\t<will@kernel.org>, <chenhuacai@kernel.org>, <kernel@xen0n.name>,\n\t<maddy@linux.ibm.com>, <mpe@ellerman.id.au>, <npiggin@gmail.com>,\n\t<chleroy@kernel.org>, <pjw@kernel.org>, <palmer@dabbelt.com>,\n\t<aou@eecs.berkeley.edu>, <alex@ghiti.fr>, <tglx@kernel.org>,\n\t<mingo@redhat.com>, <bp@alien8.de>, <dave.hansen@linux.intel.com>,\n\t<hpa@zytor.com>, <robh@kernel.org>, <saravanak@kernel.org>,\n\t<akpm@linux-foundation.org>, <bhe@redhat.com>, <vgoyal@redhat.com>,\n\t<dyoung@redhat.com>, <rdunlap@infradead.org>, <peterz@infradead.org>,\n\t<pawan.kumar.gupta@linux.intel.com>, <feng.tang@linux.alibaba.com>,\n\t<dapeng1.mi@linux.intel.com>, <kees@kernel.org>, <elver@google.com>,\n\t<paulmck@kernel.org>, <lirongqing@baidu.com>, <ruanjinjie@huawei.com>,\n\t<rppt@kernel.org>, <ardb@kernel.org>, <leitao@debian.org>, <osandov@fb.com>,\n\t<cfsworks@gmail.com>, <tangyouling@kylinos.cn>, <sourabhjain@linux.ibm.com>,\n\t<ritesh.list@gmail.com>, <eajames@linux.ibm.com>,\n\t<songshuaishuai@tinylab.org>, <kevin.brodsky@arm.com>,\n\t<samuel.holland@sifive.com>, <vishal.moola@gmail.com>,\n\t<junhui.liu@pigmoral.tech>, <coxu@redhat.com>, <liaoyuanhong@vivo.com>,\n\t<jbohac@suse.cz>, <fuqiang.wang@easystack.cn>, <guoren@kernel.org>,\n\t<chenjiahao16@huawei.com>, <hbathini@linux.ibm.com>, <james.morse@arm.com>,\n\t<takahiro.akashi@linaro.org>, <lizhengyu3@huawei.com>, <x86@kernel.org>,\n\t<linux-doc@vger.kernel.org>, <linux-kernel@vger.kernel.org>,\n\t<linux-arm-kernel@lists.infradead.org>, <loongarch@lists.linux.dev>,\n\t<linuxppc-dev@lists.ozlabs.org>, <linux-riscv@lists.infradead.org>,\n\t<devicetree@vger.kernel.org>, <kexec@lists.infradead.org>","Subject":"[PATCH v10 8/8] crash: Fix race condition between crash kernel\n loading and memory hotplug","Date":"Wed, 25 Mar 2026 10:59:04 +0800","Message-ID":"<20260325025904.2811960-9-ruanjinjie@huawei.com>","X-Mailer":"git-send-email 2.34.1","In-Reply-To":"<20260325025904.2811960-1-ruanjinjie@huawei.com>","References":"<20260325025904.2811960-1-ruanjinjie@huawei.com>","X-Mailing-List":"linuxppc-dev@lists.ozlabs.org","List-Id":"<linuxppc-dev.lists.ozlabs.org>","List-Help":"<mailto:linuxppc-dev+help@lists.ozlabs.org>","List-Owner":"<mailto:linuxppc-dev+owner@lists.ozlabs.org>","List-Post":"<mailto:linuxppc-dev@lists.ozlabs.org>","List-Archive":"<https://lore.kernel.org/linuxppc-dev/>,\n  <https://lists.ozlabs.org/pipermail/linuxppc-dev/>","List-Subscribe":"<mailto:linuxppc-dev+subscribe@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-digest@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-nomail@lists.ozlabs.org>","List-Unsubscribe":"<mailto:linuxppc-dev+unsubscribe@lists.ozlabs.org>","Precedence":"list","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Content-Type":"text/plain","X-Originating-IP":"[10.90.53.73]","X-ClientProxiedBy":"kwepems100001.china.huawei.com (7.221.188.238) To\n dggpemf500011.china.huawei.com (7.185.36.131)","X-Spam-Status":"No, score=-0.2 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,\n\tDKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=disabled\n\tversion=4.0.1 OzLabs 8","X-Spam-Checker-Version":"SpamAssassin 4.0.1 (2024-03-25) on lists.ozlabs.org"},"content":"There is a race condition between the kexec_load() system call\n(crash kernel loading path) and memory hotplug operations that can lead\nto buffer overflow and potential kernel crash.\n\nDuring crash_prepare_headers(), the following steps occur:\n1. arch_get_system_nr_ranges() queries current memory ranges from memblock\n2. alloc_cmem() allocates buffer based on queried count\n3. arch_crash_populate_cmem() populates ranges from memblock\n\nIf memory hotplug occurs between step 1 and step 3, the number of ranges\ncan increase, causing out-of-bounds write when populating cmem->ranges[].\n\nThis happens because kexec_load() uses kexec_trylock (atomic_t) while\nmemory hotplug uses device_hotplug_lock (mutex), so they don't serialize\nwith each other.\n\nFix by adding lock_device_hotplug()/unlock_device_hotplug() around the\ncritical section in crash_prepare_headers(). The lock is only acquired\nwhen CONFIG_MEMORY_HOTPLUG is enabled to avoid overhead on systems without\nhotplug support.\n\nFixes: dd5f726076cc (\"kexec: support for kexec on panic using new system call\")\nFixes: 3751e728cef2 (\"arm64: kexec_file: add crash dump support\")\nFixes: 8acea455fafa (\"RISC-V: Support for kexec_file on panic\")\nFixes: 1bcca8620a91 (\"LoongArch: Add crash dump support for kexec_file\")\nSigned-off-by: Jinjie Ruan <ruanjinjie@huawei.com>\n---\n kernel/crash_core.c | 24 ++++++++++++++++++++----\n 1 file changed, 20 insertions(+), 4 deletions(-)","diff":"diff --git a/kernel/crash_core.c b/kernel/crash_core.c\nindex 300d44ad5471..f01d03d42c67 100644\n--- a/kernel/crash_core.c\n+++ b/kernel/crash_core.c\n@@ -326,15 +326,25 @@ int crash_prepare_headers(int need_kernel_map, void **addr, unsigned long *sz,\n \tstruct crash_mem *cmem;\n \tint ret;\n \n+\tif (IS_ENABLED(CONFIG_MEMORY_HOTPLUG))\n+\t\tlock_device_hotplug();\n+\n \tmax_nr_ranges = arch_get_system_nr_ranges();\n-\tif (!max_nr_ranges)\n-\t\treturn -ENOMEM;\n+\tif (!max_nr_ranges) {\n+\t\tret = -ENOMEM;\n+\t\tgoto unlock;\n+\t}\n \n \tcmem = alloc_cmem(max_nr_ranges);\n-\tif (!cmem)\n-\t\treturn -ENOMEM;\n+\tif (!cmem) {\n+\t\tret = -ENOMEM;\n+\t\tgoto unlock;\n+\t}\n \n \tret = arch_crash_populate_cmem(cmem);\n+\tif (IS_ENABLED(CONFIG_MEMORY_HOTPLUG))\n+\t\tunlock_device_hotplug();\n+\n \tif (ret)\n \t\tgoto out;\n \n@@ -355,6 +365,12 @@ int crash_prepare_headers(int need_kernel_map, void **addr, unsigned long *sz,\n out:\n \tkvfree(cmem);\n \treturn ret;\n+\n+unlock:\n+\tif (IS_ENABLED(CONFIG_MEMORY_HOTPLUG))\n+\t\tunlock_device_hotplug();\n+\n+\treturn ret;\n }\n \n /**\n","prefixes":["v10","8/8"]}