The patch titled Subject: x86/kexec: add a sanity check on previous kernel's ima kexec buffer has been added to the -mm mm-hotfixes-unstable branch. Its filename is x86-kexec-add-a-sanity-check-on-previous-kernels-ima-kexec-buffer.patch
This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches...
This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days
------------------------------------------------------ From: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com Subject: x86/kexec: add a sanity check on previous kernel's ima kexec buffer Date: Wed, 12 Nov 2025 11:30:02 -0800
When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>", the physical range that contains the carried over IMA measurement list may fall outside the truncated RAM leading to a kernel panic.
BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) ��� not-present page
Other architectures already validate the range with page_is_ram(), as done in commit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") do a similar check on x86.
Link: https://lkml.kernel.org/r/20251112193005.3772542-1-harshit.m.mogalapalli@ora... Fixes: b69a2afd5afc ("x86/kexec: Carry forward IMA measurement log on kexec") Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com Reported-by: Paul Webb paul.x.webb@oracle.com Reviewed-by: Jonathan McDowell noodles@meta.com Cc: Alexander Graf graf@amazon.com Cc: Ard Biesheuvel ardb@kernel.org Cc: Borislav Betkov bp@alien8.de Cc: guoweikang guoweikang.kernel@gmail.com Cc: Henry Willard henry.willard@oracle.com Cc: "H. Peter Anvin" hpa@zytor.com Cc: Ingo Molnar mingo@redhat.com Cc: Jiri Bohac jbohac@suse.cz Cc: Joel Granados joel.granados@kernel.org Cc: Mike Rapoport rppt@kernel.org Cc: Mimi Zohar zohar@linux.ibm.com Cc: Sohil Mehta sohil.mehta@intel.com Cc: Sourabh Jain sourabhjain@linux.ibm.com Cc: Thomas Gleinxer tglx@linutronix.de Cc: Yifei Liu yifei.l.liu@oracle.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org ---
arch/x86/kernel/setup.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
--- a/arch/x86/kernel/setup.c~x86-kexec-add-a-sanity-check-on-previous-kernels-ima-kexec-buffer +++ a/arch/x86/kernel/setup.c @@ -439,9 +439,23 @@ int __init ima_free_kexec_buffer(void)
int __init ima_get_kexec_buffer(void **addr, size_t *size) { + unsigned long start_pfn, end_pfn; + if (!ima_kexec_buffer_size) return -ENOENT;
+ /* + * Calculate the PFNs for the buffer and ensure + * they are with in addressable memory. + */ + start_pfn = PFN_DOWN(ima_kexec_buffer_phys); + end_pfn = PFN_DOWN(ima_kexec_buffer_phys + ima_kexec_buffer_size - 1); + if (!pfn_range_is_mapped(start_pfn, end_pfn)) { + pr_warn("IMA buffer at 0x%llx, size = 0x%zx beyond memory\n", + ima_kexec_buffer_phys, ima_kexec_buffer_size); + return -EINVAL; + } + *addr = __va(ima_kexec_buffer_phys); *size = ima_kexec_buffer_size;
_
Patches currently in -mm which might be from harshit.m.mogalapalli@oracle.com are
x86-kexec-add-a-sanity-check-on-previous-kernels-ima-kexec-buffer.patch