[PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined

Devicetree
 help / color / mirror / Atom feed

* [PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined
@ 2026-06-03 15:27 Sang-Heon Jeon
  2026-06-03 15:36 ` sashiko-bot
  2026-06-03 22:49 ` Rob Herring
  0 siblings, 2 replies; 4+ messages in thread
From: Sang-Heon Jeon @ 2026-06-03 15:27 UTC (permalink / raw)
  To: robh, saravanak; +Cc: devicetree, Sang-Heon Jeon

On boot, fdt_scan_reserved_mem() saves each dynamically-placed
/reserved-memory subnode into a local array of size
MAX_RESERVED_REGIONS.

If the device tree declares more than MAX_RESERVED_REGIONS
dynamically-placed regions, fdt_scan_reserved_mem() writes past the
end of the local array.

Add a bounds check that logs an error and skips the excess regions,
restoring the original behavior.

Fixes: 8a6e02d0c00e ("of: reserved_mem: Restructure how the reserved memory regions are processed")
Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
---
QEMU-based test results

- With 65(MAX_RESERVED_REGIONS + 1) dynamically-placed region DTB

1) AS-IS (before-fix)
[    0.000000] OF: reserved mem: 0x000000043ffff000..0x000000043fffffff (4 KiB) map non-reusable rgn00
[    0.000000] OF: reserved mem: 0x000000043fffe000..0x000000043fffefff (4 KiB) map non-reusable rgn01

...

[    0.000000] OF: reserved mem: 0x000000043ffc1000..0x000000043ffc1fff (4 KiB) map non-reusable rgn62
[    0.000000] OF: reserved mem: 0x000000043ffc0000..0x000000043ffc0fff (4 KiB) map non-reusable rgn63
[    0.000000] OF: reserved mem: not enough space for all defined regions.
[    0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: fdt_scan_reserved_mem+0x5f0/0x610
[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 7.1.0-rc1-00022-gcf5d7a55d3b6 #6 PREEMPT 
[    0.000000] Hardware name: linux,dummy-virt (DT)
[    0.000000] Call trace:
[    0.000000]  show_stack+0x18/0x24 (C)
[    0.000000]  dump_stack_lvl+0x34/0x8c
[    0.000000]  dump_stack+0x18/0x24
[    0.000000]  vpanic+0x47c/0x4dc
[    0.000000]  do_panic_on_target_cpu+0x0/0x1c
[    0.000000]  __stack_chk_fail+0x20/0x24
[    0.000000]  fdt_scan_reserved_mem+0x5f0/0x610
[    0.000000]  early_init_fdt_scan_reserved_mem+0x50/0x124
[    0.000000]  arm64_memblock_init+0x188/0x2b8
[    0.000000]  setup_arch+0x24c/0x5f4
[    0.000000]  start_kernel+0x70/0x848
[    0.000000]  __primary_switched+0x88/0x90
[    0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: fdt_scan_reserved_mem+0x5f0/0x610 ]---

2) TO-BE (after-fix)
[    0.000000] OF: reserved mem: not enough space for all dynamic regions.
[    0.000000] OF: reserved mem: 0x000000043ffff000..0x000000043fffffff (4 KiB) map non-reusable rgn00
[    0.000000] OF: reserved mem: 0x000000043fffe000..0x000000043fffefff (4 KiB) map non-reusable rgn01

...

[    0.000000] OF: reserved mem: 0x000000043ffc1000..0x000000043ffc1fff (4 KiB) map non-reusable rgn62
[    0.000000] OF: reserved mem: 0x000000043ffc0000..0x000000043ffc0fff (4 KiB) map non-reusable rgn63

---
Hello,

I found a bug introduced by a previous patch, so I am sending this
fix as quickly as possible after testing. Although we are at the end
of the 7.1 -rc cycle, I do not want to rush this patch.

Thank you as always for the thoughtful review.

Best Regards,
Sang-Heon Jeon
---
 drivers/of/of_reserved_mem.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
index ce1d5530ec0f..4efd521adee0 100644
--- a/drivers/of/of_reserved_mem.c
+++ b/drivers/of/of_reserved_mem.c
@@ -346,6 +346,12 @@ int __init fdt_scan_reserved_mem(void)
 		err = __reserved_mem_reserve_reg(child, uname);
 		if (!err)
 			count++;
+
+		if (dynamic_nodes_cnt == MAX_RESERVED_REGIONS) {
+			pr_err("not enough space for all dynamic regions.\n");
+			continue;
+		}
+
 		/*
 		 * Save the nodes for the dynamically-placed regions
 		 * into an array which will be used for allocation right
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined
  2026-06-03 15:27 [PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined Sang-Heon Jeon
@ 2026-06-03 15:36 ` sashiko-bot
  2026-06-03 22:49 ` Rob Herring
  1 sibling, 0 replies; 4+ messages in thread
From: sashiko-bot @ 2026-06-03 15:36 UTC (permalink / raw)
  To: Sang-Heon Jeon; +Cc: devicetree, robh, conor+dt

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Misplaced bounds check causes false error logs and log spam for static regions.
--

commit 8912b72ed66a1803770dcfc16f2465a1f7651224
Author: Sang-Heon Jeon <ekffu200098@gmail.com>

of: reserved_mem: prevent OOB when too many dynamic regions are defined

This commit prevents an out-of-bounds write in fdt_scan_reserved_mem()
by adding a bounds check for the dynamic_nodes array. It logs an error
and skips excess dynamically-placed /reserved-memory subnodes when the 
limit of MAX_RESERVED_REGIONS is reached.

> diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
> index 8d5777cb5d1b3..8bd565b2b71be 100644
> --- a/drivers/of/of_reserved_mem.c
> +++ b/drivers/of/of_reserved_mem.c
> @@ -341,6 +341,12 @@ int __init fdt_scan_reserved_mem(void)
>  		err = __reserved_mem_reserve_reg(child, uname);
>  		if (!err)
>  			count++;
> +
> +		if (dynamic_nodes_cnt == MAX_RESERVED_REGIONS) {
> +			pr_err("not enough space for all dynamic regions.\n");
> +			continue;
> +		}
> +

[Severity: Medium]
Does this bounds check incorrectly trigger for statically-placed regions?

Because this check happens unconditionally, if the system reaches
MAX_RESERVED_REGIONS dynamic nodes, any subsequent static nodes in the
device tree will also trigger this error message and be skipped by the
continue statement.

Should this bounds check be moved inside the block below that actually
determines if the node is a dynamic region?

drivers/of/of_reserved_mem.c:fdt_scan_reserved_mem() {
    ...
		/*
		 * Save the nodes for the dynamically-placed regions
		 * into an array which will be used for allocation right
		 * ...
		 */
		if (err == -ENOENT && of_get_flat_dt_prop(child, "size", NULL)) {
			dynamic_nodes[dynamic_nodes_cnt] = child;
			dynamic_nodes_cnt++;
		}
    ...
}

>  		/*
>  		 * Save the nodes for the dynamically-placed regions
>  		 * into an array which will be used for allocation right

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260603152709.941788-1-ekffu200098@gmail.com?part=1

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined
  2026-06-03 15:27 [PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined Sang-Heon Jeon
  2026-06-03 15:36 ` sashiko-bot
@ 2026-06-03 22:49 ` Rob Herring
  2026-06-04 11:28   ` Sang-Heon Jeon
  1 sibling, 1 reply; 4+ messages in thread
From: Rob Herring @ 2026-06-03 22:49 UTC (permalink / raw)
  To: Sang-Heon Jeon; +Cc: saravanak, devicetree

On Thu, Jun 04, 2026 at 12:27:09AM +0900, Sang-Heon Jeon wrote:
> On boot, fdt_scan_reserved_mem() saves each dynamically-placed
> /reserved-memory subnode into a local array of size
> MAX_RESERVED_REGIONS.
> 
> If the device tree declares more than MAX_RESERVED_REGIONS
> dynamically-placed regions, fdt_scan_reserved_mem() writes past the
> end of the local array.
> 
> Add a bounds check that logs an error and skips the excess regions,
> restoring the original behavior.
> 
> Fixes: 8a6e02d0c00e ("of: reserved_mem: Restructure how the reserved memory regions are processed")
> Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
> ---
> QEMU-based test results
> 
> - With 65(MAX_RESERVED_REGIONS + 1) dynamically-placed region DTB
> 
> 1) AS-IS (before-fix)
> [    0.000000] OF: reserved mem: 0x000000043ffff000..0x000000043fffffff (4 KiB) map non-reusable rgn00
> [    0.000000] OF: reserved mem: 0x000000043fffe000..0x000000043fffefff (4 KiB) map non-reusable rgn01
> 
> ...
> 
> [    0.000000] OF: reserved mem: 0x000000043ffc1000..0x000000043ffc1fff (4 KiB) map non-reusable rgn62
> [    0.000000] OF: reserved mem: 0x000000043ffc0000..0x000000043ffc0fff (4 KiB) map non-reusable rgn63
> [    0.000000] OF: reserved mem: not enough space for all defined regions.
> [    0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: fdt_scan_reserved_mem+0x5f0/0x610
> [    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 7.1.0-rc1-00022-gcf5d7a55d3b6 #6 PREEMPT 
> [    0.000000] Hardware name: linux,dummy-virt (DT)
> [    0.000000] Call trace:
> [    0.000000]  show_stack+0x18/0x24 (C)
> [    0.000000]  dump_stack_lvl+0x34/0x8c
> [    0.000000]  dump_stack+0x18/0x24
> [    0.000000]  vpanic+0x47c/0x4dc
> [    0.000000]  do_panic_on_target_cpu+0x0/0x1c
> [    0.000000]  __stack_chk_fail+0x20/0x24
> [    0.000000]  fdt_scan_reserved_mem+0x5f0/0x610
> [    0.000000]  early_init_fdt_scan_reserved_mem+0x50/0x124
> [    0.000000]  arm64_memblock_init+0x188/0x2b8
> [    0.000000]  setup_arch+0x24c/0x5f4
> [    0.000000]  start_kernel+0x70/0x848
> [    0.000000]  __primary_switched+0x88/0x90
> [    0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: fdt_scan_reserved_mem+0x5f0/0x610 ]---
> 
> 2) TO-BE (after-fix)
> [    0.000000] OF: reserved mem: not enough space for all dynamic regions.
> [    0.000000] OF: reserved mem: 0x000000043ffff000..0x000000043fffffff (4 KiB) map non-reusable rgn00
> [    0.000000] OF: reserved mem: 0x000000043fffe000..0x000000043fffefff (4 KiB) map non-reusable rgn01
> 
> ...
> 
> [    0.000000] OF: reserved mem: 0x000000043ffc1000..0x000000043ffc1fff (4 KiB) map non-reusable rgn62
> [    0.000000] OF: reserved mem: 0x000000043ffc0000..0x000000043ffc0fff (4 KiB) map non-reusable rgn63
> 
> ---
> Hello,
> 
> I found a bug introduced by a previous patch, so I am sending this
> fix as quickly as possible after testing. Although we are at the end
> of the 7.1 -rc cycle, I do not want to rush this patch.
> 
> Thank you as always for the thoughtful review.
> 
> Best Regards,
> Sang-Heon Jeon
> ---
>  drivers/of/of_reserved_mem.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
> index ce1d5530ec0f..4efd521adee0 100644
> --- a/drivers/of/of_reserved_mem.c
> +++ b/drivers/of/of_reserved_mem.c
> @@ -346,6 +346,12 @@ int __init fdt_scan_reserved_mem(void)
>  		err = __reserved_mem_reserve_reg(child, uname);
>  		if (!err)
>  			count++;
> +
> +		if (dynamic_nodes_cnt == MAX_RESERVED_REGIONS) {
> +			pr_err("not enough space for all dynamic regions.\n");

It would be more useful to print the node name(s) that we skip.

Sashiko's analysis looks correct to me.

Rob

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined
  2026-06-03 22:49 ` Rob Herring
@ 2026-06-04 11:28   ` Sang-Heon Jeon
  0 siblings, 0 replies; 4+ messages in thread
From: Sang-Heon Jeon @ 2026-06-04 11:28 UTC (permalink / raw)
  To: Rob Herring; +Cc: saravanak, devicetree

On Thu, Jun 4, 2026 at 7:50 AM Rob Herring <robh@kernel.org> wrote:
>
> On Thu, Jun 04, 2026 at 12:27:09AM +0900, Sang-Heon Jeon wrote:
> > On boot, fdt_scan_reserved_mem() saves each dynamically-placed
> > /reserved-memory subnode into a local array of size
> > MAX_RESERVED_REGIONS.
> >
> > If the device tree declares more than MAX_RESERVED_REGIONS
> > dynamically-placed regions, fdt_scan_reserved_mem() writes past the
> > end of the local array.
> >
> > Add a bounds check that logs an error and skips the excess regions,
> > restoring the original behavior.
> >
> > Fixes: 8a6e02d0c00e ("of: reserved_mem: Restructure how the reserved memory regions are processed")
> > Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
> > ---
> > QEMU-based test results
> >
> > - With 65(MAX_RESERVED_REGIONS + 1) dynamically-placed region DTB
> >
> > 1) AS-IS (before-fix)
> > [    0.000000] OF: reserved mem: 0x000000043ffff000..0x000000043fffffff (4 KiB) map non-reusable rgn00
> > [    0.000000] OF: reserved mem: 0x000000043fffe000..0x000000043fffefff (4 KiB) map non-reusable rgn01
> >
> > ...
> >
> > [    0.000000] OF: reserved mem: 0x000000043ffc1000..0x000000043ffc1fff (4 KiB) map non-reusable rgn62
> > [    0.000000] OF: reserved mem: 0x000000043ffc0000..0x000000043ffc0fff (4 KiB) map non-reusable rgn63
> > [    0.000000] OF: reserved mem: not enough space for all defined regions.
> > [    0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: fdt_scan_reserved_mem+0x5f0/0x610
> > [    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 7.1.0-rc1-00022-gcf5d7a55d3b6 #6 PREEMPT
> > [    0.000000] Hardware name: linux,dummy-virt (DT)
> > [    0.000000] Call trace:
> > [    0.000000]  show_stack+0x18/0x24 (C)
> > [    0.000000]  dump_stack_lvl+0x34/0x8c
> > [    0.000000]  dump_stack+0x18/0x24
> > [    0.000000]  vpanic+0x47c/0x4dc
> > [    0.000000]  do_panic_on_target_cpu+0x0/0x1c
> > [    0.000000]  __stack_chk_fail+0x20/0x24
> > [    0.000000]  fdt_scan_reserved_mem+0x5f0/0x610
> > [    0.000000]  early_init_fdt_scan_reserved_mem+0x50/0x124
> > [    0.000000]  arm64_memblock_init+0x188/0x2b8
> > [    0.000000]  setup_arch+0x24c/0x5f4
> > [    0.000000]  start_kernel+0x70/0x848
> > [    0.000000]  __primary_switched+0x88/0x90
> > [    0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: fdt_scan_reserved_mem+0x5f0/0x610 ]---
> >
> > 2) TO-BE (after-fix)
> > [    0.000000] OF: reserved mem: not enough space for all dynamic regions.
> > [    0.000000] OF: reserved mem: 0x000000043ffff000..0x000000043fffffff (4 KiB) map non-reusable rgn00
> > [    0.000000] OF: reserved mem: 0x000000043fffe000..0x000000043fffefff (4 KiB) map non-reusable rgn01
> >
> > ...
> >
> > [    0.000000] OF: reserved mem: 0x000000043ffc1000..0x000000043ffc1fff (4 KiB) map non-reusable rgn62
> > [    0.000000] OF: reserved mem: 0x000000043ffc0000..0x000000043ffc0fff (4 KiB) map non-reusable rgn63
> >
> > ---
> > Hello,
> >
> > I found a bug introduced by a previous patch, so I am sending this
> > fix as quickly as possible after testing. Although we are at the end
> > of the 7.1 -rc cycle, I do not want to rush this patch.
> >
> > Thank you as always for the thoughtful review.
> >
> > Best Regards,
> > Sang-Heon Jeon
> > ---
> >  drivers/of/of_reserved_mem.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
> > index ce1d5530ec0f..4efd521adee0 100644
> > --- a/drivers/of/of_reserved_mem.c
> > +++ b/drivers/of/of_reserved_mem.c
> > @@ -346,6 +346,12 @@ int __init fdt_scan_reserved_mem(void)
> >               err = __reserved_mem_reserve_reg(child, uname);
> >               if (!err)
> >                       count++;
> > +
> > +             if (dynamic_nodes_cnt == MAX_RESERVED_REGIONS) {
> > +                     pr_err("not enough space for all dynamic regions.\n");
>
> It would be more useful to print the node name(s) that we skip.

Sounds good. There is a similar log in fdt_init_reserved_mem_node().
How about printing node name there as well? If you agree, I can do it
here or in a separate patch, whatever you prefer.

> Sashiko's analysis looks correct to me.

You're right, I missed some cases. I'll fix it.

> Rob

Thanks for reviewing.

Best Regards,
Sang-Heon Jeon

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-06-04 11:29 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-03 15:27 [PATCH] of: reserved_mem: prevent OOB when too many dynamic regions are defined Sang-Heon Jeon
2026-06-03 15:36 ` sashiko-bot
2026-06-03 22:49 ` Rob Herring
2026-06-04 11:28   ` Sang-Heon Jeon

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox