From: Rob Herring <robh@kernel.org>
To: Wandun <chenwandun1@gmail.com>
Cc: sashiko-reviews@lists.linux.dev, devicetree@vger.kernel.org,
conor+dt@kernel.org
Subject: Re: [PATCH 1/2] of: reserved_mem: avoid stack buffer overflow in fdt_scan_reserved_mem()
Date: Thu, 4 Jun 2026 14:30:41 -0500 [thread overview]
Message-ID: <20260604193041.GA1057262-robh@kernel.org> (raw)
In-Reply-To: <757480ae-2d7d-40e9-9900-edd14ed3b3ac@gmail.com>
On Thu, Jun 04, 2026 at 05:18:09PM +0800, Wandun wrote:
>
>
> On 6/4/26 15:45, sashiko-bot@kernel.org wrote:
> > Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> > - [Medium] The newly added bounds check for `dynamic_nodes_cnt` is placed outside the block that evaluates whether a node is actually a dynamically-placed region, leading to spurious error logs.
> > --
> >
> > commit 6a79f526de5e1185b7c79fb469545f4094fb402f
> > Author: Wandun Chen <chenwandun@lixiang.com>
> >
> > of: reserved_mem: avoid stack buffer overflow in fdt_scan_reserved_mem()
> >
> > This commit adds bounds checking on dynamic_nodes_cnt to prevent a
> > potential stack buffer overflow in fdt_scan_reserved_mem().
> >
> > Link: https://sashiko.dev/#/patchset/20260604015332.3669384-1-chenwandun1%40gmail.com?part=1 [1]
> >
> > > diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
> > > --- a/drivers/of/of_reserved_mem.c
> > > +++ b/drivers/of/of_reserved_mem.c
> > [ ... ]
> >
> > > @@ -341,6 +341,12 @@ int __init fdt_scan_reserved_mem(void)
> > > err = __reserved_mem_reserve_reg(child, uname);
> > > if (!err)
> > > count++;
> > > +
> > > + if (dynamic_nodes_cnt >= MAX_RESERVED_REGIONS) {
> > > + pr_err_once("Reserved memory: reached MAX_RESERVED_REGIONS(%d)\n",
> > > + MAX_RESERVED_REGIONS);
> > > + continue;
> > > + }
> > [Severity: Medium]
> > Will this bounds check trigger spurious error logs for statically-placed
> > regions?
> Yes, it indeed, will fix in v2.
I now have the same change (and same problems) in another submission:
https://lore.kernel.org/all/20260603152709.941788-1-ekffu200098@gmail.com/
See my comment there.
Rob
next prev parent reply other threads:[~2026-06-04 19:30 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-04 7:36 [PATCH 0/2] of: reserved_mem: fix stack overflow and make dynamic reserved region configurable Wandun Chen
2026-06-04 7:36 ` [PATCH 1/2] of: reserved_mem: avoid stack buffer overflow in fdt_scan_reserved_mem() Wandun Chen
2026-06-04 7:45 ` sashiko-bot
2026-06-04 9:18 ` Wandun
2026-06-04 19:30 ` Rob Herring [this message]
2026-06-05 2:10 ` Wandun
2026-06-04 7:36 ` [PATCH 2/2] of: reserved_mem: add config to extend dynamic reserved memory regions Wandun Chen
2026-06-04 7:44 ` sashiko-bot
2026-06-04 19:33 ` Rob Herring
2026-06-05 2:21 ` Wandun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260604193041.GA1057262-robh@kernel.org \
--to=robh@kernel.org \
--cc=chenwandun1@gmail.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.