Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare

[Tao Liu]

Hi Baoquan,

Glad to see your message again!

Thanks for the Ack and the suggestion for the comment, I will add it
in the next version.

In the meantime, I will check if similar issue exists on LoongArch as well.

Thanks,
Tao Liu

On Fri, Jun 26, 2026 at 8:04 PM Baoquan He <bhe@xxxxxxxxxx> wrote:
>
> Add kexec ML to CC.
>
> On Fri, Jun 26, 2026 at 7:46 AM Tao Liu <ltao@xxxxxxxxxx> wrote:
> >
> > Kindly ping, any comments?
> >
> > Thanks,
> > Tao Liu
> >
> > On Fri, May 29, 2026 at 3:35 PM Tao Liu <ltao@xxxxxxxxxx> wrote:
> > >
> > > A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare,
> > > where image->segment[i].buf might be NULL and copied unchecked.
> > >
> > > The NULL buf comes from security/integrity/ima/ima_kexec.c:
> > > ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
> > > but kbuf.buffer is NULL.
> > >
> > > Fix this by simply adding a check before copy.
> > >
> > > Signed-off-by: Tao Liu <ltao@xxxxxxxxxx>
> > > ---
> > >  arch/riscv/kernel/machine_kexec.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
> > > index 2306ce3e5f22..d81d576f9cb5 100644
> > > --- a/arch/riscv/kernel/machine_kexec.c
> > > +++ b/arch/riscv/kernel/machine_kexec.c
> > > @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image)
> > >                 if (image->segment[i].memsz <= sizeof(fdt))
> > >                         continue;
> > >
> > > +               if (image->segment[i].buf == NULL)
> > > +                       continue;
> > > +
>
> This is a good fix, maybe we can add code comments to explain it as
> below, just for reference.
>
>                /*
>                 * Some segments (e.g. IMA) reserve space but have no buffer
>                 * loaded yet. Skip them as they cannot contain an FDT.
>                 */
> And is there any other place where the similar issue exists? e.g on LoongArch?
>
> Other than above concerns, this patch looks good to me:
>
> Acked-by: Baoquan He <bhe@xxxxxxxxxx>
>
> > >                 if (image->file_mode)
> > >                         memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
> > >                 else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
> > > --
> > > 2.47.0
> > >
> >
> >
> > _______________________________________________
> > linux-riscv mailing list
> > linux-riscv@xxxxxxxxxxxxxxxxxxx
> > http://lists.infradead.org/mailman/listinfo/linux-riscv
> >
>