arch/arm64/kernel/kexec_image.c | 3 +++ arch/arm64/kernel/machine_kexec_file.c | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-)
Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
introduced the kexec_buf->random field to enable random placement of
kexec_buf.
However, this field was never properly initialized for kexec images
that do not need to be placed randomly, leading to the following UBSAN
warning:
[ +0.364528] ------------[ cut here ]------------
[ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
[ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
[ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
[ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
[ +0.000000] Call trace:
[ +0.000001] show_stack+0x24/0x40 (C)
[ +0.000006] __dump_stack+0x28/0x48
[ +0.000002] dump_stack_lvl+0x7c/0xb0
[ +0.000002] dump_stack+0x18/0x34
[ +0.000001] ubsan_epilogue+0x10/0x50
[ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
[ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
[ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
[ +0.000001] kexec_add_buffer+0xa8/0x178
[ +0.000002] image_load+0xf0/0x258
[ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
[ +0.000002] invoke_syscall+0x68/0xe8
[ +0.000001] el0_svc_common+0xb0/0xf8
[ +0.000002] do_el0_svc+0x28/0x48
[ +0.000001] el0_svc+0x40/0xe8
[ +0.000002] el0t_64_sync_handler+0x84/0x140
[ +0.000002] el0t_64_sync+0x1bc/0x1c0
To address this, initialise kexec_buf->random field properly.
Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
---
arch/arm64/kernel/kexec_image.c | 3 +++
arch/arm64/kernel/machine_kexec_file.c | 6 +++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 532d72ea42ee..db6fb8c599a1 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -76,6 +76,9 @@ static void *image_load(struct kimage *image,
kbuf.buf_min = 0;
kbuf.buf_max = ULONG_MAX;
kbuf.top_down = false;
+#ifdef CONFIG_CRASH_DUMP
+ kbuf.random = false;
+#endif
kbuf.buffer = kernel;
kbuf.bufsz = kernel_len;
diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 410060ebd86d..06f38866424a 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -94,7 +94,11 @@ int load_other_segments(struct kimage *image,
char *initrd, unsigned long initrd_len,
char *cmdline)
{
- struct kexec_buf kbuf = {};
+ struct kexec_buf kbuf = {
+#ifdef CONFIG_CRASH_DUMP
+ .random = false,
+#endif
+ };
void *dtb = NULL;
unsigned long initrd_load_addr = 0, dtb_len,
orig_segments = image->nr_segments;
--
LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}On Thu, Nov 27, 2025 at 06:26:44PM +0000, Yeoreum Yun wrote:
> Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> introduced the kexec_buf->random field to enable random placement of
> kexec_buf.
>
> However, this field was never properly initialized for kexec images
> that do not need to be placed randomly, leading to the following UBSAN
> warning:
>
> [ +0.364528] ------------[ cut here ]------------
> [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> [ +0.000000] Call trace:
> [ +0.000001] show_stack+0x24/0x40 (C)
> [ +0.000006] __dump_stack+0x28/0x48
> [ +0.000002] dump_stack_lvl+0x7c/0xb0
> [ +0.000002] dump_stack+0x18/0x34
> [ +0.000001] ubsan_epilogue+0x10/0x50
> [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> [ +0.000001] kexec_add_buffer+0xa8/0x178
> [ +0.000002] image_load+0xf0/0x258
> [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> [ +0.000002] invoke_syscall+0x68/0xe8
> [ +0.000001] el0_svc_common+0xb0/0xf8
> [ +0.000002] do_el0_svc+0x28/0x48
> [ +0.000001] el0_svc+0x40/0xe8
> [ +0.000002] el0t_64_sync_handler+0x84/0x140
> [ +0.000002] el0t_64_sync+0x1bc/0x1c0
>
> To address this, initialise kexec_buf->random field properly.
>
> Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
> ---
> arch/arm64/kernel/kexec_image.c | 3 +++
> arch/arm64/kernel/machine_kexec_file.c | 6 +++++-
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 532d72ea42ee..db6fb8c599a1 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -76,6 +76,9 @@ static void *image_load(struct kimage *image,
> kbuf.buf_min = 0;
> kbuf.buf_max = ULONG_MAX;
> kbuf.top_down = false;
> +#ifdef CONFIG_CRASH_DUMP
> + kbuf.random = false;
> +#endif
>
> kbuf.buffer = kernel;
> kbuf.bufsz = kernel_len;
> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
> index 410060ebd86d..06f38866424a 100644
> --- a/arch/arm64/kernel/machine_kexec_file.c
> +++ b/arch/arm64/kernel/machine_kexec_file.c
> @@ -94,7 +94,11 @@ int load_other_segments(struct kimage *image,
> char *initrd, unsigned long initrd_len,
> char *cmdline)
> {
> - struct kexec_buf kbuf = {};
> + struct kexec_buf kbuf = {
> +#ifdef CONFIG_CRASH_DUMP
> + .random = false,
> +#endif
> + };
This hunk is pointless.
Will
On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> introduced the kexec_buf->random field to enable random placement of
> kexec_buf.
>
> However, this field was never properly initialized for kexec images
> that do not need to be placed randomly, leading to the following UBSAN
> warning:
>
> [ +0.364528] ------------[ cut here ]------------
> [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> [ +0.000000] Call trace:
> [ +0.000001] show_stack+0x24/0x40 (C)
> [ +0.000006] __dump_stack+0x28/0x48
> [ +0.000002] dump_stack_lvl+0x7c/0xb0
> [ +0.000002] dump_stack+0x18/0x34
> [ +0.000001] ubsan_epilogue+0x10/0x50
> [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> [ +0.000001] kexec_add_buffer+0xa8/0x178
> [ +0.000002] image_load+0xf0/0x258
> [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> [ +0.000002] invoke_syscall+0x68/0xe8
> [ +0.000001] el0_svc_common+0xb0/0xf8
> [ +0.000002] do_el0_svc+0x28/0x48
> [ +0.000001] el0_svc+0x40/0xe8
> [ +0.000002] el0t_64_sync_handler+0x84/0x140
> [ +0.000002] el0t_64_sync+0x1bc/0x1c0
>
> To address this, initialise kexec_buf->random field properly.
>
> Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
Thanks, I'll add a cc:stable to this.
On 11/27/25 at 11:37am, Andrew Morton wrote:
> On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
>
> > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > introduced the kexec_buf->random field to enable random placement of
> > kexec_buf.
> >
> > However, this field was never properly initialized for kexec images
> > that do not need to be placed randomly, leading to the following UBSAN
> > warning:
> >
> > [ +0.364528] ------------[ cut here ]------------
> > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > [ +0.000000] Call trace:
> > [ +0.000001] show_stack+0x24/0x40 (C)
> > [ +0.000006] __dump_stack+0x28/0x48
> > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > [ +0.000002] dump_stack+0x18/0x34
> > [ +0.000001] ubsan_epilogue+0x10/0x50
> > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > [ +0.000002] image_load+0xf0/0x258
> > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > [ +0.000002] invoke_syscall+0x68/0xe8
> > [ +0.000001] el0_svc_common+0xb0/0xf8
> > [ +0.000002] do_el0_svc+0x28/0x48
> > [ +0.000001] el0_svc+0x40/0xe8
> > [ +0.000002] el0t_64_sync_handler+0x84/0x140
> > [ +0.000002] el0t_64_sync+0x1bc/0x1c0
> >
> > To address this, initialise kexec_buf->random field properly.
> >
> > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
>
> Thanks, I'll add a cc:stable to this.
This has been fixed in below series from Breno Leitao.
[PATCH 0/3] kexec: Fix invalid field access
https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u
And Paul Walmsley said he has merged the series to riscv/linux.git.
While I can only see the patch for risc-v. The other two are missing.
95c54cd9c769 riscv: kexec: Initialize kexec_buf struct
On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> On 11/27/25 at 11:37am, Andrew Morton wrote:
> > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> >
> > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > introduced the kexec_buf->random field to enable random placement of
> > > kexec_buf.
> > >
> > > However, this field was never properly initialized for kexec images
> > > that do not need to be placed randomly, leading to the following UBSAN
> > > warning:
> > >
> > > [ +0.364528] ------------[ cut here ]------------
> > > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > [ +0.000000] Call trace:
> > > [ +0.000001] show_stack+0x24/0x40 (C)
> > > [ +0.000006] __dump_stack+0x28/0x48
> > > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > > [ +0.000002] dump_stack+0x18/0x34
> > > [ +0.000001] ubsan_epilogue+0x10/0x50
> > > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > > [ +0.000002] image_load+0xf0/0x258
> > > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > > [ +0.000002] invoke_syscall+0x68/0xe8
> > > [ +0.000001] el0_svc_common+0xb0/0xf8
> > > [ +0.000002] do_el0_svc+0x28/0x48
> > > [ +0.000001] el0_svc+0x40/0xe8
> > > [ +0.000002] el0t_64_sync_handler+0x84/0x140
> > > [ +0.000002] el0t_64_sync+0x1bc/0x1c0
> > >
> > > To address this, initialise kexec_buf->random field properly.
> > >
> > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> >
> > Thanks, I'll add a cc:stable to this.
>
> This has been fixed in below series from Breno Leitao.
>
> [PATCH 0/3] kexec: Fix invalid field access
> https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u
Right, these fixes are on 6.18 since day one.
Yeoreum is hitting another code path that I haven't fixed, it seems
(through image_load()).
That said, I think the fix should be similar to commit 04d3cd43700 ("arm64:
kexec: initialize kexec_buf struct in load_other_segments()"). I.e:
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -41,7 +41,7 @@ static void *image_load(struct kimage *image,
struct arm64_image_header *h;
u64 flags, value;
bool be_image, be_kernel;
- struct kexec_buf kbuf;
+ struct kexec_buf kbuf = {};
unsigned long text_offset, kernel_segment_number;
struct kexec_segment *kernel_segment;
int ret;
Thanks for fixing this new instance,
--breno
On Fri, 28 Nov 2025 05:55:05 -0800 Breno Leitao <leitao@debian.org> wrote:
>
> On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> > On 11/27/25 at 11:37am, Andrew Morton wrote:
> > > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > >
> > > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > introduced the kexec_buf->random field to enable random placement of
> > > > kexec_buf.
> > > >
> > > > However, this field was never properly initialized for kexec images
> > > > that do not need to be placed randomly, leading to the following UBSAN
> > > > warning:
> > > >
> > > > [ +0.364528] ------------[ cut here ]------------
> > > > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > > [ +0.000000] Call trace:
> > > > [ +0.000001] show_stack+0x24/0x40 (C)
> > > > [ +0.000006] __dump_stack+0x28/0x48
> > > > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > > > [ +0.000002] dump_stack+0x18/0x34
> > > > [ +0.000001] ubsan_epilogue+0x10/0x50
> > > > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > > > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > > > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > > > [ +0.000002] image_load+0xf0/0x258
> > > > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > > > [ +0.000002] invoke_syscall+0x68/0xe8
> > > > [ +0.000001] el0_svc_common+0xb0/0xf8
> > > > [ +0.000002] do_el0_svc+0x28/0x48
> > > > [ +0.000001] el0_svc+0x40/0xe8
> > > > [ +0.000002] el0t_64_sync_handler+0x84/0x140
> > > > [ +0.000002] el0t_64_sync+0x1bc/0x1c0
> > > >
> > > > To address this, initialise kexec_buf->random field properly.
> > > >
> > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > >
> > > Thanks, I'll add a cc:stable to this.
> >
> > This has been fixed in below series from Breno Leitao.
> >
> > [PATCH 0/3] kexec: Fix invalid field access
> > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u
>
> Right, these fixes are on 6.18 since day one.
>
> Yeoreum is hitting another code path that I haven't fixed, it seems
> (through image_load()).
>
> That said, I think the fix should be similar to commit 04d3cd43700 ("arm64:
> kexec: initialize kexec_buf struct in load_other_segments()"). I.e:
>
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -41,7 +41,7 @@ static void *image_load(struct kimage *image,
> struct arm64_image_header *h;
> u64 flags, value;
> bool be_image, be_kernel;
> - struct kexec_buf kbuf;
> + struct kexec_buf kbuf = {};
> unsigned long text_offset, kernel_segment_number;
> struct kexec_segment *kernel_segment;
> int ret;
>
OK, I'll drop this patch, "arm64: kernel: initialize missing
kexec_buf->random field".
On Fri, Nov 28, 2025 at 05:55:05AM -0800, Breno Leitao wrote:
>
> On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> > On 11/27/25 at 11:37am, Andrew Morton wrote:
> > > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > >
> > > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > introduced the kexec_buf->random field to enable random placement of
> > > > kexec_buf.
> > > >
> > > > However, this field was never properly initialized for kexec images
> > > > that do not need to be placed randomly, leading to the following UBSAN
> > > > warning:
> > > >
> > > > [ +0.364528] ------------[ cut here ]------------
> > > > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > > [ +0.000000] Call trace:
> > > > [ +0.000001] show_stack+0x24/0x40 (C)
> > > > [ +0.000006] __dump_stack+0x28/0x48
> > > > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > > > [ +0.000002] dump_stack+0x18/0x34
> > > > [ +0.000001] ubsan_epilogue+0x10/0x50
> > > > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > > > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > > > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > > > [ +0.000002] image_load+0xf0/0x258
> > > > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > > > [ +0.000002] invoke_syscall+0x68/0xe8
> > > > [ +0.000001] el0_svc_common+0xb0/0xf8
> > > > [ +0.000002] do_el0_svc+0x28/0x48
> > > > [ +0.000001] el0_svc+0x40/0xe8
> > > > [ +0.000002] el0t_64_sync_handler+0x84/0x140
> > > > [ +0.000002] el0t_64_sync+0x1bc/0x1c0
> > > >
> > > > To address this, initialise kexec_buf->random field properly.
> > > >
> > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > >
> > > Thanks, I'll add a cc:stable to this.
> >
> > This has been fixed in below series from Breno Leitao.
> >
> > [PATCH 0/3] kexec: Fix invalid field access
> > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u
>
> Right, these fixes are on 6.18 since day one.
>
> Yeoreum is hitting another code path that I haven't fixed, it seems
> (through image_load()).
>
> That said, I think the fix should be similar to commit 04d3cd43700 ("arm64:
> kexec: initialize kexec_buf struct in load_other_segments()"). I.e:
>
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -41,7 +41,7 @@ static void *image_load(struct kimage *image,
> struct arm64_image_header *h;
> u64 flags, value;
> bool be_image, be_kernel;
> - struct kexec_buf kbuf;
> + struct kexec_buf kbuf = {};
> unsigned long text_offset, kernel_segment_number;
> struct kexec_segment *kernel_segment;
> int ret;
FWIW, I completey agree; your proposal is a much better solution.
From a quick scan, it looks like loongarch also has some more dodgy
instances:
| % git grep 'struct kexec_buf\s[a-z_0-9]\+;'
| arch/arm64/kernel/kexec_image.c: struct kexec_buf kbuf;
| arch/loongarch/kernel/kexec_efi.c: struct kexec_buf kbuf;
| arch/loongarch/kernel/kexec_elf.c: struct kexec_buf kbuf;
| arch/loongarch/kernel/machine_kexec_file.c: struct kexec_buf kbuf;
| kernel/kexec_handover.c: struct kexec_buf scratch;
The 'scratch' case in kernel/kexec_handover.c gets overwritten with a
struct assignment that'll happen to zero the 'random' field.
Mark.
On 11/28/25 at 02:01pm, Mark Rutland wrote:
> On Fri, Nov 28, 2025 at 05:55:05AM -0800, Breno Leitao wrote:
> >
> > On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> > > On 11/27/25 at 11:37am, Andrew Morton wrote:
> > > > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > > >
> > > > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > > introduced the kexec_buf->random field to enable random placement of
> > > > > kexec_buf.
> > > > >
> > > > > However, this field was never properly initialized for kexec images
> > > > > that do not need to be placed randomly, leading to the following UBSAN
> > > > > warning:
> > > > >
> > > > > [ +0.364528] ------------[ cut here ]------------
> > > > > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > > > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > > > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > > > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > > > [ +0.000000] Call trace:
> > > > > [ +0.000001] show_stack+0x24/0x40 (C)
> > > > > [ +0.000006] __dump_stack+0x28/0x48
> > > > > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > > > > [ +0.000002] dump_stack+0x18/0x34
> > > > > [ +0.000001] ubsan_epilogue+0x10/0x50
> > > > > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > > > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > > > > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > > > > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > > > > [ +0.000002] image_load+0xf0/0x258
> > > > > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > > > > [ +0.000002] invoke_syscall+0x68/0xe8
> > > > > [ +0.000001] el0_svc_common+0xb0/0xf8
> > > > > [ +0.000002] do_el0_svc+0x28/0x48
> > > > > [ +0.000001] el0_svc+0x40/0xe8
> > > > > [ +0.000002] el0t_64_sync_handler+0x84/0x140
> > > > > [ +0.000002] el0t_64_sync+0x1bc/0x1c0
> > > > >
> > > > > To address this, initialise kexec_buf->random field properly.
> > > > >
> > > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > >
> > > > Thanks, I'll add a cc:stable to this.
> > >
> > > This has been fixed in below series from Breno Leitao.
> > >
> > > [PATCH 0/3] kexec: Fix invalid field access
> > > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u
> >
> > Right, these fixes are on 6.18 since day one.
> >
> > Yeoreum is hitting another code path that I haven't fixed, it seems
> > (through image_load()).
> >
> > That said, I think the fix should be similar to commit 04d3cd43700 ("arm64:
> > kexec: initialize kexec_buf struct in load_other_segments()"). I.e:
> >
> > --- a/arch/arm64/kernel/kexec_image.c
> > +++ b/arch/arm64/kernel/kexec_image.c
> > @@ -41,7 +41,7 @@ static void *image_load(struct kimage *image,
> > struct arm64_image_header *h;
> > u64 flags, value;
> > bool be_image, be_kernel;
> > - struct kexec_buf kbuf;
> > + struct kexec_buf kbuf = {};
> > unsigned long text_offset, kernel_segment_number;
> > struct kexec_segment *kernel_segment;
> > int ret;
>
> FWIW, I completey agree; your proposal is a much better solution.
Yes, maybe Yeoreum or Breno can post a new version to fix it on arm64.
>
> From a quick scan, it looks like loongarch also has some more dodgy
> instances:
In the latest mainline kernel, the problem on loongarch has gone.
>
> | % git grep 'struct kexec_buf\s[a-z_0-9]\+;'
> | arch/arm64/kernel/kexec_image.c: struct kexec_buf kbuf;
> | arch/loongarch/kernel/kexec_efi.c: struct kexec_buf kbuf;
> | arch/loongarch/kernel/kexec_elf.c: struct kexec_buf kbuf;
> | arch/loongarch/kernel/machine_kexec_file.c: struct kexec_buf kbuf;
> | kernel/kexec_handover.c: struct kexec_buf scratch;
>
> The 'scratch' case in kernel/kexec_handover.c gets overwritten with a
> struct assignment that'll happen to zero the 'random' field.
>
> Mark.
>
On Mon, Dec 01, 2025 at 10:50:47AM +0800, Baoquan He wrote: > On 11/28/25 at 02:01pm, Mark Rutland wrote: > > FWIW, I completey agree; your proposal is a much better solution. > > Yes, maybe Yeoreum or Breno can post a new version to fix it on arm64. Yeoreum, would you be ok doing the patch? If you are busy, I can do it. Thanks --breno
Hi Breno, > On Mon, Dec 01, 2025 at 10:50:47AM +0800, Baoquan He wrote: > > On 11/28/25 at 02:01pm, Mark Rutland wrote: > > > FWIW, I completey agree; your proposal is a much better solution. > > > > Yes, maybe Yeoreum or Breno can post a new version to fix it on arm64. > > Yeoreum, would you be ok doing the patch? If you are busy, I can do it. Sorry to late answer. and Thanks for pointing this :) I'll send quickly spin 2 following your suggsetion. Thanks! -- Sincerely, Yeoreum Yun
On Mon, Dec 01, 2025 at 10:50:47AM +0800, Baoquan He wrote:
> On 11/28/25 at 02:01pm, Mark Rutland wrote:
> > On Fri, Nov 28, 2025 at 05:55:05AM -0800, Breno Leitao wrote:
> > >
> > > On Fri, Nov 28, 2025 at 08:17:21AM +0800, Baoquan He wrote:
> > > > On 11/27/25 at 11:37am, Andrew Morton wrote:
> > > > > On Thu, 27 Nov 2025 18:26:44 +0000 Yeoreum Yun <yeoreum.yun@arm.com> wrote:
> > > > >
> > > > > > Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > > > introduced the kexec_buf->random field to enable random placement of
> > > > > > kexec_buf.
> > > > > >
> > > > > > However, this field was never properly initialized for kexec images
> > > > > > that do not need to be placed randomly, leading to the following UBSAN
> > > > > > warning:
> > > > > >
> > > > > > [ +0.364528] ------------[ cut here ]------------
> > > > > > [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12
> > > > > > [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool')
> > > > > > [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full)
> > > > > > [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> > > > > > [ +0.000000] Call trace:
> > > > > > [ +0.000001] show_stack+0x24/0x40 (C)
> > > > > > [ +0.000006] __dump_stack+0x28/0x48
> > > > > > [ +0.000002] dump_stack_lvl+0x7c/0xb0
> > > > > > [ +0.000002] dump_stack+0x18/0x34
> > > > > > [ +0.000001] ubsan_epilogue+0x10/0x50
> > > > > > [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0
> > > > > > [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0
> > > > > > [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0
> > > > > > [ +0.000001] kexec_add_buffer+0xa8/0x178
> > > > > > [ +0.000002] image_load+0xf0/0x258
> > > > > > [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718
> > > > > > [ +0.000002] invoke_syscall+0x68/0xe8
> > > > > > [ +0.000001] el0_svc_common+0xb0/0xf8
> > > > > > [ +0.000002] do_el0_svc+0x28/0x48
> > > > > > [ +0.000001] el0_svc+0x40/0xe8
> > > > > > [ +0.000002] el0t_64_sync_handler+0x84/0x140
> > > > > > [ +0.000002] el0t_64_sync+0x1bc/0x1c0
> > > > > >
> > > > > > To address this, initialise kexec_buf->random field properly.
> > > > > >
> > > > > > Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
> > > > >
> > > > > Thanks, I'll add a cc:stable to this.
> > > >
> > > > This has been fixed in below series from Breno Leitao.
> > > >
> > > > [PATCH 0/3] kexec: Fix invalid field access
> > > > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u
> > >
> > > Right, these fixes are on 6.18 since day one.
> > >
> > > Yeoreum is hitting another code path that I haven't fixed, it seems
> > > (through image_load()).
> > >
> > > That said, I think the fix should be similar to commit 04d3cd43700 ("arm64:
> > > kexec: initialize kexec_buf struct in load_other_segments()"). I.e:
> > >
> > > --- a/arch/arm64/kernel/kexec_image.c
> > > +++ b/arch/arm64/kernel/kexec_image.c
> > > @@ -41,7 +41,7 @@ static void *image_load(struct kimage *image,
> > > struct arm64_image_header *h;
> > > u64 flags, value;
> > > bool be_image, be_kernel;
> > > - struct kexec_buf kbuf;
> > > + struct kexec_buf kbuf = {};
> > > unsigned long text_offset, kernel_segment_number;
> > > struct kexec_segment *kernel_segment;
> > > int ret;
> >
> > FWIW, I completey agree; your proposal is a much better solution.
>
> Yes, maybe Yeoreum or Breno can post a new version to fix it on arm64.
Yep; I hope that Yeoreum will spin a v2 to that effect.
> > From a quick scan, it looks like loongarch also has some more dodgy
> > instances:
>
> In the latest mainline kernel, the problem on loongarch has gone.
Ah, yep, all the loongarch instances were fixed in v6.18-rc6 by commit:
df16b8956cae9700 ("LoongArch: kexec: Initialize the kexec_buf structure")
Mark.
Hi Baoquan, [...] > This has been fixed in below series from Breno Leitao. > > [PATCH 0/3] kexec: Fix invalid field access > https://lore.kernel.org/all/20250827-kbuf_all-v1-0-1df9882bb01a@debian.org/T/#u > > And Paul Walmsley said he has merged the series to riscv/linux.git. > While I can only see the patch for risc-v. The other two are missing. > > 95c54cd9c769 riscv: kexec: Initialize kexec_buf struct Thank to let me know. I missed those patchset :) -- Sincerely, Yeoreum Yun
© 2016 - 2025 Red Hat, Inc.