From: Wandun <chenwandun1@gmail.com>
To: Rob Herring <robh@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, loongarch@lists.linux.dev,
	linux-riscv@lists.infradead.org, devicetree@vger.kernel.org,
	kexec@lists.infradead.org, iommu@lists.linux.dev,
	zhaomeijing@lixiang.com, catalin.marinas@arm.com,
	will@kernel.org, chenhuacai@kernel.org, kernel@xen0n.name,
	pjw@kernel.org, palmer@dabbelt.com, aou@eecs.berkeley.edu,
	alex@ghiti.fr, saravanak@kernel.org, akpm@linux-foundation.org,
	bhe@redhat.com, rppt@kernel.org, pasha.tatashin@soleen.com,
	pratyush@kernel.org, ruirui.yang@linux.dev,
	m.szyprowski@samsung.com, robin.murphy@arm.com,
	quic_obabatun@quicinc.com
Subject: Re: [PATCH v3 05/11] of: reserved_mem: split alloc_reserved_mem_array() from fdt_scan_reserved_mem_late()
Date: Mon, 15 Jun 2026 11:33:34 +0800
Message-ID: <894d7c33-8e14-4ba5-b774-14062ece39f2@gmail.com>
In-Reply-To: <20260612144122.GA974326-robh@kernel.org>



On 6/12/26 22:41, Rob Herring wrote:
> On Wed, May 27, 2026 at 11:29:11AM +0800, Wandun Chen wrote:
>> From: Wandun Chen <chenwandun@lixiang.com>
>>
>> Prepare for storing /memreserve/ entries in the reserved_mem array.
>> alloc_reserved_mem_array is skipped if the device tree lacks a
>> /reserved-memory node, pointer 'reserved_mem' continues to reference
>> the reserved_mem_array which lives in __initdata, storing
>> /memreserve/ entries into reserved_mem_array would result in metadata
>> loss, and an out-of-bounds memory access will occur if the device
>> tree contains more than MAX_RESERVED_REGIONS /memreserve/ entries.
>>
>> So split alloc_reserved_mem_array() from fdt_scan_reserved_mem_late(),
>> and call alloc_reserved_mem_array() whether or not there is a
>> /reserved-memory node.
>>
>> No functional change.
>> The actual /memreserve/ population is added in a follow-up patch.
>>
>> Signed-off-by: Wandun Chen <chenwandun@lixiang.com>
>> ---
>>  drivers/of/fdt.c             | 7 +++++--
>>  drivers/of/of_private.h      | 1 +
>>  drivers/of/of_reserved_mem.c | 6 +-----
>>  3 files changed, 7 insertions(+), 7 deletions(-)
>>
>> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>> index 82f7327c59ea..83a2a474831e 100644
>> --- a/drivers/of/fdt.c
>> +++ b/drivers/of/fdt.c
>> @@ -1284,8 +1284,11 @@ void __init unflatten_device_tree(void)
>>  {
>>  	void *fdt = initial_boot_params;
>>  
>> -	/* Save the statically-placed regions in the reserved_mem array */
>> -	fdt_scan_reserved_mem_late();
>> +	/* Attempt dynamic allocation of a new reserved_mem array */
>> +	if (fdt && alloc_reserved_mem_array()) {
>> +		/* Save the statically-placed regions in the reserved_mem array */
>> +		fdt_scan_reserved_mem_late();
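Review bot: the "No functional change" line in the commit message does not match this hunk, which adds an `fdt &&` guard ahead of `alloc_reserved_mem_array()` and skips `fdt_scan_reserved_mem_late()` entirely when the allocation fails; both behaviours (initial_boot_params NULL, and allocation failure) should be spelled out in the message or in the comment above the `if`, since `fdt_scan_reserved_mem_late()` already checks `!fdt` and a reader cannot tell from the hunk why the extra guard is needed.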
> 
> Can we make this just:
> 
> alloc_reserved_mem_array();
> fdt_scan_reserved_mem_late();
> 
> We already check !fdt in fdt_scan_reserved_mem_late().

Thanks for your review, Rob.

The reason I kept the fdt check is that total_reserved_mem_cnt is wrong
when fdt is NULL, early_init_fdt_scan_reserved_mem() returns early in
that case, so fdt_scan_reserved_mem() never runs, and
total_reserved_mem_cnt stays at MAX_RESERVED_REGIONS. Calling
alloc_reserved_mem_array() unconditionally would allocate memory
unnecessarily.

A better fix might be to make total_reserved_mem_cnt always correct, add
a !fdt check at the top of fdt_scan_reserved_mem() that sets
total_reserved_mem_cnt to 0, and let early_init_fdt_scan_reserved_mem()
call it even when initial_boot_params is NULL. Then
alloc_reserved_mem_array() could naturally skip allocation when that
count is 0, and we can drop the outer fdt guard.


There is still a separate UAF issue (fixed in patch 3) if we don't check
the return value of alloc_reserved_mem_array().


With the fdt_scan_reserved_mem() fix for total_reserved_mem_cnt, the
call site in unflatten_device_tree() becomes:

if (alloc_reserved_mem_array()) {
        fdt_scan_reserved_mem_late();
}

How does that sound?


Best regards,
Wandun

> 
> Rob
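
To make the ordering argument in the reply concrete, here is a constructed C model (added for this page, not kernel code; the function names mirror drivers/of but the bodies are simplified stand-ins and the node count is passed in as a parameter) showing why total_reserved_mem_cnt stays at MAX_RESERVED_REGIONS when fdt is NULL, and how the proposed !fdt check in fdt_scan_reserved_mem() lets alloc_reserved_mem_array() skip the allocation:

```c
#include <stdbool.h>
#include <stdlib.h>

#define MAX_RESERVED_REGIONS 64
struct reserved_mem { unsigned long base, size; };
/* __initdata-style static array, the pointer that initially aliases it, and the
 * count, which starts at the cap and is only lowered by the scan (per the reply). */
static struct reserved_mem reserved_mem_array[MAX_RESERVED_REGIONS];
static struct reserved_mem *reserved_mem = reserved_mem_array;
static int total_reserved_mem_cnt = MAX_RESERVED_REGIONS;

/* Stand-in for fdt_scan_reserved_mem() with the proposed !fdt check folded in. */
static void fdt_scan_reserved_mem(const void *fdt, int nr_nodes)
{
	total_reserved_mem_cnt = fdt ? nr_nodes : 0;
}

/* Stand-in for early_init_fdt_scan_reserved_mem(): today it returns before the
 * scan when fdt is NULL, so the count is never corrected; the fix lets the scan run. */
static void early_init_fdt_scan_reserved_mem(const void *fdt, int nr_nodes, bool proposed_fix)
{
	if (!fdt && !proposed_fix)
		return;
	fdt_scan_reserved_mem(fdt, nr_nodes);
}

/* Stand-in for alloc_reserved_mem_array(): returns entries allocated,
 * 0 when skipped because the count is 0, -1 when the allocation fails. */
static int alloc_reserved_mem_array(void)
{
	if (total_reserved_mem_cnt == 0)
		return 0;
	struct reserved_mem *arr = calloc(total_reserved_mem_cnt, sizeof(*arr));
	if (!arr)
		return -1;
	reserved_mem = arr;
	return total_reserved_mem_cnt;
}

/* One boot: reset state, run the early scan, then attempt the allocation. */
static int boot_model(const void *fdt, int nr_nodes, bool proposed_fix)
{
	if (reserved_mem != reserved_mem_array)
		free(reserved_mem);
	reserved_mem = reserved_mem_array;
	total_reserved_mem_cnt = MAX_RESERVED_REGIONS;
	early_init_fdt_scan_reserved_mem(fdt, nr_nodes, proposed_fix);
	return alloc_reserved_mem_array();
}
```

With fdt NULL and no fix, boot_model() reports a full MAX_RESERVED_REGIONS allocation; with the fix it reports 0, which is the case the outer fdt guard in the patch was covering.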

