From: Rob Herring <robh@kernel.org>
To: Wandun Chen <chenwandun1@gmail.com>
Cc: linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, loongarch@lists.linux.dev,
linux-riscv@lists.infradead.org, devicetree@vger.kernel.org,
kexec@lists.infradead.org, iommu@lists.linux.dev,
zhaomeijing@lixiang.com, catalin.marinas@arm.com,
will@kernel.org, chenhuacai@kernel.org, kernel@xen0n.name,
pjw@kernel.org, palmer@dabbelt.com, aou@eecs.berkeley.edu,
alex@ghiti.fr, saravanak@kernel.org, akpm@linux-foundation.org,
bhe@redhat.com, rppt@kernel.org, pasha.tatashin@soleen.com,
pratyush@kernel.org, ruirui.yang@linux.dev,
m.szyprowski@samsung.com, robin.murphy@arm.com,
quic_obabatun@quicinc.com
Subject: Re: [PATCH v3 03/11] of: reserved_mem: avoid post-init UAF when alloc_reserved_mem_array() fails
Date: Tue, 2 Jun 2026 11:24:50 -0500
Message-ID: <20260602162450.GA442759-robh@kernel.org>
In-Reply-To: <20260527032917.3385849-4-chenwandun1@gmail.com>
On Wed, May 27, 2026 at 11:29:09AM +0800, Wandun Chen wrote:
> From: Wandun Chen <chenwandun@lixiang.com>
>
> The global pointer 'reserved_mem' continues to reference the
> reserved_mem_array which lives in __initdata if
> alloc_reserved_mem_array() fails. of_reserved_mem_lookup() is
> exported for post-init use; that would dereference freed memory
> and trigger a use-after-free.
>
> So reset reserved_mem_count to 0 when alloc_reserved_mem_array()
> fails.
>
> Fixes: 00c9a452a235 ("of: reserved_mem: Add code to dynamically allocate reserved_mem array")
Fixes should come first in a series.
> Signed-off-by: Wandun Chen <chenwandun@lixiang.com>
> ---
> drivers/of/of_reserved_mem.c | 20 ++++++++++++++------
> 1 file changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
> index 313cbc57aa45..6d479381ff1f 100644
> --- a/drivers/of/of_reserved_mem.c
> +++ b/drivers/of/of_reserved_mem.c
> @@ -69,29 +69,31 @@ static int __init early_init_dt_alloc_reserved_memory_arch(phys_addr_t size,
> * the initial static array is copied over to this new array and
> * the new array is used from this point on.
> */
> -static void __init alloc_reserved_mem_array(void)
> +static bool __init alloc_reserved_mem_array(void)
> {
> struct reserved_mem *new_array;
> size_t alloc_size, copy_size, memset_size;
>
> + if (!total_reserved_mem_cnt)
> + return true;
> +
> alloc_size = array_size(total_reserved_mem_cnt, sizeof(*new_array));
> if (alloc_size == SIZE_MAX) {
> pr_err("Failed to allocate memory for reserved_mem array with err: %d", -EOVERFLOW);
> - return;
> + goto fail;
> }
>
> new_array = memblock_alloc(alloc_size, SMP_CACHE_BYTES);
> if (!new_array) {
> pr_err("Failed to allocate memory for reserved_mem array with err: %d", -ENOMEM);
> - return;
> + goto fail;
> }
>
> copy_size = array_size(reserved_mem_count, sizeof(*new_array));
> if (copy_size == SIZE_MAX) {
> memblock_free(new_array, alloc_size);
> - total_reserved_mem_cnt = MAX_RESERVED_REGIONS;
> pr_err("Failed to allocate memory for reserved_mem array with err: %d", -EOVERFLOW);
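Review bot: the early `return true` added at the top of the hunk (`if (!total_reserved_mem_cnt)`) leaves `reserved_mem` pointing at the `__initdata` static array without touching `reserved_mem_count`; if that counter can be non-zero while `total_reserved_mem_cnt` is zero, the post-init dereference the commit message describes is still reachable through this path, so either reset `reserved_mem_count` there as well or add a comment stating why the two counters cannot disagree. The hunk is cut before the `fail` label, so the reset the commit message relies on is not visible here; note that the `copy_size == SIZE_MAX` branch at the bottom frees `new_array` and drops the old `total_reserved_mem_cnt = MAX_RESERVED_REGIONS;` restore, so it must reach the same `fail` exit as the two `goto fail` paths above it or the counters end up inconsistent with the static array. Style: the three `pr_err()` strings are identical and none ends in `\n`; a single message at `fail` carrying the `%d` error code would cover all three.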
These prints could be moved to 'fail'. Perhaps instead of just printing
an error value, you can return the error value instead of boolean.
If you respin just this patch, I can pick it up for 7.2.
Rob