[PATCH v2] riscv: Fix a NULL pointer reference in machine_kexec_prepare
From: Tao Liu
Date: Sat Jun 27 2026 - 18:28:52 EST
A NULL pointer reference issue is noticed in riscv's machine_kexec_prepare,
where image->segment[i].buf might be NULL and copied unchecked.
The NULL buf comes from security/integrity/ima/ima_kexec.c:
ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
but kbuf.buffer is NULL.
Fix this by simply adding a check before copy.
Acked-by: Baoquan He <bhe@xxxxxxxxxx>
Signed-off-by: Tao Liu <ltao@xxxxxxxxxx>
---
v2 -> v1: add code comments as suggested by Baoquan.
link to v1: https://lore.kernel.org/linux-riscv/20260529032739.13264-2-ltao@xxxxxxxxxx/
---
arch/riscv/kernel/machine_kexec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
index 2306ce3e5f22..afc68f6a4aa1 100644
--- a/arch/riscv/kernel/machine_kexec.c
+++ b/arch/riscv/kernel/machine_kexec.c
@@ -41,6 +41,13 @@ machine_kexec_prepare(struct kimage *image)
if (image->segment[i].memsz <= sizeof(fdt))
continue;
+ /*
+ * Some segments (e.g. IMA) reserve space but have no buffer
+ * loaded yet. Skip them as they cannot contain an FDT.
+ */
+ if (image->segment[i].buf == NULL)
+ continue;
+
if (image->file_mode)
memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
--
2.54.0