[PATCH] crash: fix crashkernel resource shrink

Baoquan He bhe at redhat.com
Sun Nov 2 18:54:50 PST 2025 

On 11/02/25 at 01:07am, Sourabh Jain wrote:
> When crashkernel is configured with a high reservation, shrinking its
> value below the low crashkernel reservation causes two issues:
> 
> 1. Invalid crashkernel resource objects
> 2. Kernel crash if crashkernel shrinking is done twice
> 
> For example, with crashkernel=200M,high, the kernel reserves 200MB of
> high memory and some default low memory (say 256MB). The reservation
> appears as:
> 
> cat /proc/iomem | grep -i crash
> af000000-beffffff : Crash kernel
> 433000000-43f7fffff : Crash kernel
> 
> If crashkernel is then shrunk to 50MB (echo 52428800 >
> /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved:
> af000000-beffffff : Crash kernel
> 
> Instead, it should show 50MB:
> af000000-b21fffff : Crash kernel
> 
> Further shrinking crashkernel to 40MB causes a kernel crash with the
> following trace (x86):
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000038
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP NOPTI
> <snip...>
> Call Trace: <TASK>
> ? __die_body.cold+0x19/0x27
> ? page_fault_oops+0x15a/0x2f0
> ? search_module_extables+0x19/0x60
> ? search_bpf_extables+0x5f/0x80
> ? exc_page_fault+0x7e/0x180
> ? asm_exc_page_fault+0x26/0x30
> ? __release_resource+0xd/0xb0
> release_resource+0x26/0x40
> __crash_shrink_memory+0xe5/0x110
> crash_shrink_memory+0x12a/0x190
> kexec_crash_size_store+0x41/0x80
> kernfs_fop_write_iter+0x141/0x1f0
> vfs_write+0x294/0x460
> ksys_write+0x6d/0xf0
> <snip...>
> 
> This happens because __crash_shrink_memory()/kernel/crash_core.c
> incorrectly updates the crashk_res resource object even when
> crashk_low_res should be updated.
> 
> Fix this by ensuring the correct crashkernel resource object is updated
> when shrinking crashkernel memory.
> 
> Fixes: 16c6006af4d4 ("kexec: enable kexec_crash_size to support two crash kernel regions")
> Cc: Andrew Morton <akpm at linux-foundation.org>
> Cc: Baoquan He <bhe at redhat.com>
> Cc: Zhen Lei <thunder.leizhen at huawei.com>
> Cc: kexec at lists.infradead.org
> Signed-off-by: Sourabh Jain <sourabhjain at linux.ibm.com>
> ---
>  kernel/crash_core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/crash_core.c b/kernel/crash_core.c
> index 3b1c43382eec..99dac1aa972a 100644
> --- a/kernel/crash_core.c
> +++ b/kernel/crash_core.c
> @@ -373,7 +373,7 @@ static int __crash_shrink_memory(struct resource *old_res,
>  		old_res->start = 0;
>  		old_res->end   = 0;
>  	} else {
> -		crashk_res.end = ram_res->start - 1;
> +		old_res->end = ram_res->start - 1;

It's a code bug, nice catch, thanks.

Acked-by: Baoquan He <bhe at redhat.com>

More information about the kexec mailing list