[PATCH v15 03/23] powerpc/kexec_file: Fix NULL pointer dereference in kexec_extra_fdt_size_ppc64()
From: Jinjie Ruan
Date: Mon Jun 01 2026 - 06:13:45 EST
A static Sashiko AI review identified a potential NULL pointer dereference
in kexec_extra_fdt_size_ppc64().

When get_reserved_memory_ranges() successfully returns 0 on platforms
without any reserved memory regions, the allocated 'rmem' pointer remains
NULL. Passing this unallocated pointer directly to
kexec_extra_fdt_size_ppc64() leads to a kernel panic when evaluating
'rmem->nr_ranges'.

Fix this by adding a defensive NULL pointer check at the beginning of
kexec_extra_fdt_size_ppc64(), returning 0 extra space immediately if
no reserved memory structure exists.
Cc: Sourabh Jain <sourabhjain@xxxxxxxxxxxxx>
Cc: Hari Bathini <hbathini@xxxxxxxxxxxxx>
Cc: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Fixes: 0d3ff067331e ("powerpc/kexec_file: fix extra size calculation for kexec FDT")
Signed-off-by: Jinjie Ruan <ruanjinjie@xxxxxxxxxx>
---
arch/powerpc/kexec/file_load_64.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index 8c72e12ea44e..fdeedf102c38 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c
@@ -649,6 +649,9 @@ unsigned int kexec_extra_fdt_size_ppc64(struct kimage *image, struct crash_mem *
struct device_node *dn;
unsigned int cpu_nodes = 0, extra_size = 0;
+ if (!rmem)
+ return 0;
+
// Budget some space for the password blob. There's already extra space
// for the key name
if (plpks_is_available())
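Review bot: the early `return 0` sits ahead of the plpks password-blob budgeting shown right below it (`if (plpks_is_available())`) and the `cpu_nodes` / `extra_size` bookkeeping declared just above, so on a platform with no reserved memory the function now reports zero extra FDT space even when the password blob (and any CPU-node accounting further down) would still need room; that trades a NULL dereference for a possibly undersized FDT. Consider guarding only the `rmem` dereference the commit message names, e.g. wrapping the `rmem->nr_ranges` contribution in `if (rmem)`, so the unrelated contributions to `extra_size` are still counted when `rmem` is NULL. Alternatively, since the caller is what leaves `rmem` NULL on a zero-range result from get_reserved_memory_ranges(), passing an empty `struct crash_mem` from the caller would keep this function free of the special case.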
--
2.34.1