On Mon, Oct 20 2025, Pasha Tatashin wrote:
It is invalid for KHO metadata or preserved memory regions to be located within the KHO scratch area, as this area is overwritten when the next kernel is loaded, and used early in boot by the next kernel. This can lead to memory corruption.
Adds checks to kho_preserve_* and KHO's internal metadata allocators (xa_load_or_alloc, new_chunk) to verify that the physical address of the memory does not overlap with any defined scratch region. If an overlap is detected, the operation will fail and a WARN_ON is triggered. To avoid performance overhead in production kernels, these checks are enabled only when CONFIG_KEXEC_HANDOVER_DEBUG is selected.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
[...]
@@ -133,26 +135,26 @@ static struct kho_out kho_out = { static void *xa_load_or_alloc(struct xarray *xa, unsigned long index, size_t sz) {
- void *elm, *res;
- void *res = xa_load(xa, index);
- elm = xa_load(xa, index);
- if (elm)
return elm;
- if (res)
return res;- void *elm __free(kfree) = kzalloc(sz, GFP_KERNEL);
- elm = kzalloc(sz, GFP_KERNEL); if (!elm) return ERR_PTR(-ENOMEM);
- if (WARN_ON(kho_scratch_overlap(virt_to_phys(elm), sz)))
return ERR_PTR(-EINVAL);- res = xa_cmpxchg(xa, index, NULL, elm, GFP_KERNEL); if (xa_is_err(res))
res = ERR_PTR(xa_err(res));- if (res) {
kfree(elm);
return ERR_PTR(xa_err(res));- else if (res) return res;
- }
- return elm;
- return no_free_ptr(elm);
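Review bot: the WARN_ON(kho_scratch_overlap(virt_to_phys(elm), sz)) call on the freshly allocated elm is unconditional in this hunk, while the commit message says the check is only enabled under CONFIG_KEXEC_HANDOVER_DEBUG; if kho_scratch_overlap() is meant to compile to a constant false without that option, a short comment at the call site (or a sentence in the commit message) saying so would save the next reader from chasing it. The explicit kfree(elm) is gone from the visible error paths, so the -EINVAL return on overlap and the xa_cmpxchg error path both rely on the `__free(kfree)` cleanup to release elm, with `return no_free_ptr(elm)` handing ownership to the xarray on success; that is correct as written, but worth a line in the message since the ownership transfer is now implicit.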
Super small nit: there exists return_ptr(p), which is a tiny bit neater IMO but certainly not worth doing a new revision over. So,
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
[...]
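The overlap rule the commit message describes, as an added userspace model and not the kernel's own kho_scratch_overlap(): the scratch table, the names scratch_region and scratch_overlap, and the half-open interval convention are assumptions made for this example, which also handles the zero-length and address-wraparound edge cases that such a check must reject rather than guess.

```c
/* Added example, not kernel code: a userspace model of the scratch-overlap
 * check described in the commit message. The scratch table and the names
 * scratch_region / scratch_overlap are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint64_t phys_addr_t;

struct scratch_region {
	phys_addr_t addr;   /* physical start of the scratch area */
	phys_addr_t size;   /* length in bytes */
};

/* Constructed scratch table: 1 MiB at 0x10000000 and 2 MiB at 0x40000000. */
static const struct scratch_region scratch_table[] = {
	{ .addr = 0x10000000ULL, .size = 0x100000ULL },
	{ .addr = 0x40000000ULL, .size = 0x200000ULL },
};
static const size_t scratch_count = sizeof(scratch_table) / sizeof(scratch_table[0]);

/* Half-open intervals [a, a+alen) and [b, b+blen) overlap iff a < b+blen && b < a+alen.
 * A zero-length range never overlaps. A range whose end wraps past the top of the
 * address space is reported as overlapping: an unrepresentable range is rejected,
 * not silently accepted. */
static bool range_overlaps(phys_addr_t a, phys_addr_t alen, phys_addr_t b, phys_addr_t blen)
{
	phys_addr_t a_end, b_end;

	if (alen == 0 || blen == 0)
		return false;
	if (__builtin_add_overflow(a, alen, &a_end) || __builtin_add_overflow(b, blen, &b_end))
		return true;
	return a < b_end && b < a_end;
}

/* Model of the check: true if [phys, phys+size) touches any scratch region. */
bool scratch_overlap(phys_addr_t phys, size_t size)
{
	for (size_t i = 0; i < scratch_count; i++)
		if (range_overlaps(phys, size, scratch_table[i].addr, scratch_table[i].size))
			return true;
	return false;
}
```

In the patch the caller wraps this in WARN_ON() and fails the allocation with -EINVAL; here the boolean is returned so the boundary cases can be checked directly.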