* [PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined
@ 2026-06-03 15:27 Sang-Heon Jeon
From: Sang-Heon Jeon @ 2026-06-03 15:27 UTC (permalink / raw)
To: robh, saravanak; +Cc: devicetree, Sang-Heon Jeon
On boot, fdt_scan_reserved_mem() saves each dynamically-placed
/reserved-memory subnode into a local array of size
MAX_RESERVED_REGIONS.
If the device tree declares more than MAX_RESERVED_REGIONS
dynamically-placed regions, fdt_scan_reserved_mem() writes past the
end of the local array.
Add a bounds check that logs an error and skips the excess regions,
restoring the original behavior.
Fixes: 8a6e02d0c00e ("of: reserved_mem: Restructure how the reserved memory regions are processed")
Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
---
QEMU-based test results
- With a DTB declaring 65 (MAX_RESERVED_REGIONS + 1) dynamically-placed regions
1) AS-IS (before-fix)
[ 0.000000] OF: reserved mem: 0x000000043ffff000..0x000000043fffffff (4 KiB) map non-reusable rgn00
[ 0.000000] OF: reserved mem: 0x000000043fffe000..0x000000043fffefff (4 KiB) map non-reusable rgn01
...
[ 0.000000] OF: reserved mem: 0x000000043ffc1000..0x000000043ffc1fff (4 KiB) map non-reusable rgn62
[ 0.000000] OF: reserved mem: 0x000000043ffc0000..0x000000043ffc0fff (4 KiB) map non-reusable rgn63
[ 0.000000] OF: reserved mem: not enough space for all defined regions.
[ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: fdt_scan_reserved_mem+0x5f0/0x610
[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 7.1.0-rc1-00022-gcf5d7a55d3b6 #6 PREEMPT
[ 0.000000] Hardware name: linux,dummy-virt (DT)
[ 0.000000] Call trace:
[ 0.000000] show_stack+0x18/0x24 (C)
[ 0.000000] dump_stack_lvl+0x34/0x8c
[ 0.000000] dump_stack+0x18/0x24
[ 0.000000] vpanic+0x47c/0x4dc
[ 0.000000] do_panic_on_target_cpu+0x0/0x1c
[ 0.000000] __stack_chk_fail+0x20/0x24
[ 0.000000] fdt_scan_reserved_mem+0x5f0/0x610
[ 0.000000] early_init_fdt_scan_reserved_mem+0x50/0x124
[ 0.000000] arm64_memblock_init+0x188/0x2b8
[ 0.000000] setup_arch+0x24c/0x5f4
[ 0.000000] start_kernel+0x70/0x848
[ 0.000000] __primary_switched+0x88/0x90
[ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: fdt_scan_reserved_mem+0x5f0/0x610 ]---
2) TO-BE (after-fix)
[ 0.000000] OF: reserved mem: not enough space for all dynamic regions.
[ 0.000000] OF: reserved mem: 0x000000043ffff000..0x000000043fffffff (4 KiB) map non-reusable rgn00
[ 0.000000] OF: reserved mem: 0x000000043fffe000..0x000000043fffefff (4 KiB) map non-reusable rgn01
...
[ 0.000000] OF: reserved mem: 0x000000043ffc1000..0x000000043ffc1fff (4 KiB) map non-reusable rgn62
[ 0.000000] OF: reserved mem: 0x000000043ffc0000..0x000000043ffc0fff (4 KiB) map non-reusable rgn63
---
Hello,
I found a bug introduced by a previous patch, so I am sending this
fix as quickly as possible after testing. Although we are at the end
of the 7.1 -rc cycle, I do not want to rush this patch.
Thank you as always for the thoughtful review.
Best Regards,
Sang-Heon Jeon
---
drivers/of/of_reserved_mem.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
index ce1d5530ec0f..4efd521adee0 100644
--- a/drivers/of/of_reserved_mem.c
+++ b/drivers/of/of_reserved_mem.c
@@ -346,6 +346,12 @@ int __init fdt_scan_reserved_mem(void)
err = __reserved_mem_reserve_reg(child, uname);
if (!err)
count++;
+
+ if (dynamic_nodes_cnt == MAX_RESERVED_REGIONS) {
+ pr_err("not enough space for all dynamic regions.\n");
+ continue;
+ }
+
/*
* Save the nodes for the dynamically-placed regions
* into an array which will be used for allocation right
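Review bot: the new `dynamic_nodes_cnt == MAX_RESERVED_REGIONS` check sits before the code that decides whether `child` is dynamically placed, so once the array is full it fires for every remaining child, including statically placed regions that never touch `dynamic_nodes[]`, and the `continue` skips the rest of the loop body for them as well; the result is one spurious "not enough space" error per static node that follows the 64th dynamic one. Move the check inside the block that actually stores `child` into `dynamic_nodes[]` (the `err == -ENOENT` / `"size"` test the comment introduces), so only genuinely dynamic nodes are counted against the limit and reported. While there, print `uname` in the message so the skipped node can be identified from the boot log, and prefer `>=` over `==` so the guard still holds if the counter is ever advanced on another path.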
--
2.43.0
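The placement question raised in this thread is easy to lose in the kernel source, so the following is an added, host-side model of the fdt_scan_reserved_mem() loop (example code written for this page, not the kernel's own). `struct model_node`, `model_scan()`, `sample_nodes` and the three `check_placement` variants are hypothetical names; the limit is shrunk from 64 to 4 so the overflow case fits in a handful of constructed nodes. It compares an unchecked loop, the check placed as in the posted hunk (before the node is classified), and the check placed only on the path that writes into the array.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The kernel uses 64; shrunk here so the overflow case is easy to construct. */
#define MODEL_MAX_RESERVED_REGIONS 4

/*
 * Constructed stand-in for a /reserved-memory child node (hypothetical; the
 * real code walks the flat DTB).  A node with "reg" is statically placed and
 * is reserved immediately; a node with "size" but no "reg" is dynamically
 * placed and is what fdt_scan_reserved_mem() stores for later allocation.
 */
struct model_node {
	const char *name;
	bool has_reg;
	bool has_size;
};

struct scan_result {
	int saved;          /* dynamic nodes stored in the array */
	int errors;         /* "not enough space" messages emitted */
	int false_errors;   /* ...emitted for a node that is not dynamic */
	int would_overflow; /* stores an unchecked loop would make past the end */
};

enum check_placement {
	CHECK_NONE,            /* unpatched: no bounds check at all */
	CHECK_BEFORE_CLASSIFY, /* as posted: check before the "is it dynamic?" test */
	CHECK_INSIDE_DYNAMIC,  /* check only when about to store a dynamic node */
};

static struct scan_result model_scan(const struct model_node *nodes, size_t n,
				     enum check_placement where)
{
	const struct model_node *dynamic_nodes[MODEL_MAX_RESERVED_REGIONS];
	int dynamic_nodes_cnt = 0;
	struct scan_result r = { 0 };

	for (size_t i = 0; i < n; i++) {
		const struct model_node *child = &nodes[i];
		/* Models __reserved_mem_reserve_reg(): -ENOENT when "reg" is absent. */
		int err = child->has_reg ? 0 : -ENOENT;
		bool is_dynamic = (err == -ENOENT && child->has_size);

		if (where == CHECK_BEFORE_CLASSIFY &&
		    dynamic_nodes_cnt == MODEL_MAX_RESERVED_REGIONS) {
			/* Fires for every remaining child, dynamic or not. */
			r.errors++;
			if (!is_dynamic)
				r.false_errors++;
			continue;
		}

		if (is_dynamic) {
			if (dynamic_nodes_cnt >= MODEL_MAX_RESERVED_REGIONS) {
				if (where == CHECK_INSIDE_DYNAMIC)
					r.errors++;          /* only real dynamic nodes reported */
				else
					r.would_overflow++;  /* kernel would write dynamic_nodes[cnt] */
				continue;
			}
			dynamic_nodes[dynamic_nodes_cnt++] = child;
			r.saved++;
		}
	}
	(void)dynamic_nodes;
	return r;
}

/* Constructed sample: six dynamic nodes against a limit of four, with two
 * static nodes interleaved after the limit is reached. */
static const struct model_node sample_nodes[] = {
	{ "dyn0", false, true }, { "dyn1", false, true },
	{ "dyn2", false, true }, { "dyn3", false, true },
	{ "dyn4", false, true },       /* fifth dynamic node: one past the limit */
	{ "static_a", true, false },   /* statically placed, never uses the array */
	{ "dyn5", false, true },
	{ "static_b", true, true },    /* "reg" is honoured first: still static */
};
#define SAMPLE_COUNT (sizeof(sample_nodes) / sizeof(sample_nodes[0]))

int main(void)
{
	static const char *const names[] = { "none", "before classify", "inside dynamic" };

	for (int w = CHECK_NONE; w <= CHECK_INSIDE_DYNAMIC; w++) {
		struct scan_result r = model_scan(sample_nodes, SAMPLE_COUNT, w);

		printf("%-16s saved=%d errors=%d false_errors=%d would_overflow=%d\n",
		       names[w], r.saved, r.errors, r.false_errors, r.would_overflow);
	}
	return 0;
}
```

With the sample above, the unchecked loop records two writes past the end of the array (the real kernel corrupts its stack frame at that point, which is the stack-protector panic in the AS-IS log), the check placed before classification emits four errors of which two are for static nodes, and the check placed on the store path emits exactly two, one per dynamic node that did not fit.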
* Re: [PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined
From: sashiko-bot @ 2026-06-03 15:36 UTC (permalink / raw)
To: Sang-Heon Jeon; +Cc: devicetree, robh, conor+dt
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Misplaced bounds check causes false error logs and log spam for static regions.
--
commit 8912b72ed66a1803770dcfc16f2465a1f7651224
Author: Sang-Heon Jeon <ekffu200098@gmail.com>
of: reserved_mem: prevent OOB when too many dynamic regions are defined
This commit prevents an out-of-bounds write in fdt_scan_reserved_mem()
by adding a bounds check for the dynamic_nodes array. It logs an error
and skips excess dynamically-placed /reserved-memory subnodes when the
limit of MAX_RESERVED_REGIONS is reached.
> diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
> index 8d5777cb5d1b3..8bd565b2b71be 100644
> --- a/drivers/of/of_reserved_mem.c
> +++ b/drivers/of/of_reserved_mem.c
> @@ -341,6 +341,12 @@ int __init fdt_scan_reserved_mem(void)
> err = __reserved_mem_reserve_reg(child, uname);
> if (!err)
> count++;
> +
> + if (dynamic_nodes_cnt == MAX_RESERVED_REGIONS) {
> + pr_err("not enough space for all dynamic regions.\n");
> + continue;
> + }
> +
[Severity: Medium]
Does this bounds check incorrectly trigger for statically-placed regions?
Because this check happens unconditionally, if the system reaches
MAX_RESERVED_REGIONS dynamic nodes, any subsequent static nodes in the
device tree will also trigger this error message and be skipped by the
continue statement.
Should this bounds check be moved inside the block below that actually
determines if the node is a dynamic region?
drivers/of/of_reserved_mem.c:fdt_scan_reserved_mem() {
...
/*
* Save the nodes for the dynamically-placed regions
* into an array which will be used for allocation right
* ...
*/
if (err == -ENOENT && of_get_flat_dt_prop(child, "size", NULL)) {
dynamic_nodes[dynamic_nodes_cnt] = child;
dynamic_nodes_cnt++;
}
...
}
> /*
> * Save the nodes for the dynamically-placed regions
> * into an array which will be used for allocation right
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260603152709.941788-1-ekffu200098@gmail.com?part=1
* Re: [PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined
From: Rob Herring @ 2026-06-03 22:49 UTC (permalink / raw)
To: Sang-Heon Jeon; +Cc: saravanak, devicetree
On Thu, Jun 04, 2026 at 12:27:09AM +0900, Sang-Heon Jeon wrote:
> On boot, fdt_scan_reserved_mem() saves each dynamically-placed
> /reserved-memory subnode into a local array of size
> MAX_RESERVED_REGIONS.
>
> If the device tree declares more than MAX_RESERVED_REGIONS
> dynamically-placed regions, fdt_scan_reserved_mem() writes past the
> end of the local array.
>
> Add a bounds check that logs an error and skips the excess regions,
> restoring the original behavior.
>
> Fixes: 8a6e02d0c00e ("of: reserved_mem: Restructure how the reserved memory regions are processed")
> Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
> ---
> QEMU-based test results
>
> - With 65(MAX_RESERVED_REGIONS + 1) dynamically-placed region DTB
>
> 1) AS-IS (before-fix)
> [ 0.000000] OF: reserved mem: 0x000000043ffff000..0x000000043fffffff (4 KiB) map non-reusable rgn00
> [ 0.000000] OF: reserved mem: 0x000000043fffe000..0x000000043fffefff (4 KiB) map non-reusable rgn01
>
> ...
>
> [ 0.000000] OF: reserved mem: 0x000000043ffc1000..0x000000043ffc1fff (4 KiB) map non-reusable rgn62
> [ 0.000000] OF: reserved mem: 0x000000043ffc0000..0x000000043ffc0fff (4 KiB) map non-reusable rgn63
> [ 0.000000] OF: reserved mem: not enough space for all defined regions.
> [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: fdt_scan_reserved_mem+0x5f0/0x610
> [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 7.1.0-rc1-00022-gcf5d7a55d3b6 #6 PREEMPT
> [ 0.000000] Hardware name: linux,dummy-virt (DT)
> [ 0.000000] Call trace:
> [ 0.000000] show_stack+0x18/0x24 (C)
> [ 0.000000] dump_stack_lvl+0x34/0x8c
> [ 0.000000] dump_stack+0x18/0x24
> [ 0.000000] vpanic+0x47c/0x4dc
> [ 0.000000] do_panic_on_target_cpu+0x0/0x1c
> [ 0.000000] __stack_chk_fail+0x20/0x24
> [ 0.000000] fdt_scan_reserved_mem+0x5f0/0x610
> [ 0.000000] early_init_fdt_scan_reserved_mem+0x50/0x124
> [ 0.000000] arm64_memblock_init+0x188/0x2b8
> [ 0.000000] setup_arch+0x24c/0x5f4
> [ 0.000000] start_kernel+0x70/0x848
> [ 0.000000] __primary_switched+0x88/0x90
> [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: fdt_scan_reserved_mem+0x5f0/0x610 ]---
>
> 2) TO-BE (after-fix)
> [ 0.000000] OF: reserved mem: not enough space for all dynamic regions.
> [ 0.000000] OF: reserved mem: 0x000000043ffff000..0x000000043fffffff (4 KiB) map non-reusable rgn00
> [ 0.000000] OF: reserved mem: 0x000000043fffe000..0x000000043fffefff (4 KiB) map non-reusable rgn01
>
> ...
>
> [ 0.000000] OF: reserved mem: 0x000000043ffc1000..0x000000043ffc1fff (4 KiB) map non-reusable rgn62
> [ 0.000000] OF: reserved mem: 0x000000043ffc0000..0x000000043ffc0fff (4 KiB) map non-reusable rgn63
>
> ---
> Hello,
>
> I found a bug introduced by a previous patch, so I am sending this
> fix as quickly as possible after testing. Although we are at the end
> of the 7.1 -rc cycle, I do not want to rush this patch.
>
> Thank you as always for the thoughtful review.
>
> Best Regards,
> Sang-Heon Jeon
> ---
> drivers/of/of_reserved_mem.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
> index ce1d5530ec0f..4efd521adee0 100644
> --- a/drivers/of/of_reserved_mem.c
> +++ b/drivers/of/of_reserved_mem.c
> @@ -346,6 +346,12 @@ int __init fdt_scan_reserved_mem(void)
> err = __reserved_mem_reserve_reg(child, uname);
> if (!err)
> count++;
> +
> + if (dynamic_nodes_cnt == MAX_RESERVED_REGIONS) {
> + pr_err("not enough space for all dynamic regions.\n");
It would be more useful to print the node name(s) that we skip.
Sashiko's analysis looks correct to me.
Rob