On Wed, Jul 01 2026, Tao Liu wrote: > Hi Pratyush, > > On Mon, Jun 29, 2026 at 11:13 PM Pratyush Yadav <[email protected]> wrote: >> >> +Cc IMA maintainers >> >> On Fri, Jun 26 2026, Baoquan He wrote: >> >> > Add kexec ML to CC. >> > >> > On Fri, Jun 26, 2026 at 7:46 AM Tao Liu <[email protected]> wrote: >> >> >> >> Kindly ping, any comments? >> >> >> >> Thanks, >> >> Tao Liu >> >> >> >> On Fri, May 29, 2026 at 3:35 PM Tao Liu <[email protected]> wrote: >> >> > >> >> > A NULL pointer reference issue is noticed in riscv's >> >> > machine_kexec_prepare, >> >> > where image->segment[i].buf might be NULL and copied unchecked. >> >> > >> >> > The NULL buf comes from security/integrity/ima/ima_kexec.c: >> >> > ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(), >> >> > but kbuf.buffer is NULL. >> >> > >> >> > Fix this by simply adding a check before copy. >> >> > >> >> > Signed-off-by: Tao Liu <[email protected]> >> >> > --- >> >> > arch/riscv/kernel/machine_kexec.c | 3 +++ >> >> > 1 file changed, 3 insertions(+) >> >> > >> >> > diff --git a/arch/riscv/kernel/machine_kexec.c >> >> > b/arch/riscv/kernel/machine_kexec.c >> >> > index 2306ce3e5f22..d81d576f9cb5 100644 >> >> > --- a/arch/riscv/kernel/machine_kexec.c >> >> > +++ b/arch/riscv/kernel/machine_kexec.c >> >> > @@ -41,6 +41,9 @@ machine_kexec_prepare(struct kimage *image) >> >> > if (image->segment[i].memsz <= sizeof(fdt)) >> >> > continue; >> >> > >> >> > + if (image->segment[i].buf == NULL) >> >> > + continue; >> >> > + >> > >> > This is a good fix, maybe we can add code comments to explain it as >> > below, just for reference. >> > >> > /* >> > * Some segments (e.g. IMA) reserve space but have no buffer >> > * loaded yet. Skip them as they cannot contain an FDT. >> > */ >> > And is there any other place where the similar issue exists? e.g on >> > LoongArch? >> > >> > Other than above concerns, this patch looks good to me: >> > >> > Acked-by: Baoquan He <[email protected]> >> >> Yeah, the patch LGTM to me too. >> >> Acked-by: Pratyush Yadav <[email protected]> >> >> Although I think IMA can make this a bit easier to understand. First, in >> ima_add_kexec_buffer() it should set kbuf.buffer to NULL and kbuf.bufsz >> to 0 explicitly instead of using kexec_buffer and kexec_buffer_size >> which are initialized to NULL and 0, but never updated. Using the >> variables here adds an extra level of indirection. >> >> Also, perhaps we should add a comment in ima_add_kexec_buffer() about >> how this all works, since where the IMA buffer lives and where it gets >> updated it fairly complicated and took me some time to piece together. > > Thanks for your patch review and suggestions! I agree with your point > on the IMA part, I was confused by the code too, e.g in > ima_add_kexec_buffer(): > > void *kexec_buffer = NULL; > kbuf.buffer = kexec_buffer; > ret = kexec_add_buffer(&kbuf); > if (ret) { > pr_err("Error passing over kexec measurement buffer.\n"); > vfree(kexec_buffer); > return; > } > > Do we need to vfree(kexec_buffer)? When kexec_buffer is NULL and seems > never get updated. > > I'm not familiar with IMA code, maybe there is a reason which I'm unaware > of...
I think it is just leftover from refactors. kexec_buffer used to point to an actual buffer at some point and refactors to the function left them always NULL but never removed them. -- Regards, Pratyush Yadav

