Re: [PATCH v3 03/11] of: reserved_mem: avoid post-init UAF when alloc_reserved_mem_array() fails

public inbox for linux-arm-kernel@lists.infradead.org 
 help / color / mirror / Atom feed

From: Wandun <chenwandun1@gmail•com>
To: Rob Herring <robh@kernel•org>
Cc: linux-arm-kernel@lists•infradead.org,
	linux-kernel@vger•kernel.org, loongarch@lists•linux.dev,
	linux-riscv@lists•infradead.org, devicetree@vger•kernel.org,
	kexec@lists•infradead.org, iommu@lists•linux.dev,
	zhaomeijing@lixiang•com, catalin.marinas@arm•com,
	will@kernel•org, chenhuacai@kernel•org, kernel@xen0n•name,
	pjw@kernel•org, palmer@dabbelt•com, aou@eecs•berkeley.edu,
	alex@ghiti•fr, saravanak@kernel•org, akpm@linux-foundation•org,
	bhe@redhat•com, rppt@kernel•org, pasha.tatashin@soleen•com,
	pratyush@kernel•org, ruirui.yang@linux•dev,
	m.szyprowski@samsung•com, robin.murphy@arm•com,
	quic_obabatun@quicinc•com
Subject: Re: [PATCH v3 03/11] of: reserved_mem: avoid post-init UAF when alloc_reserved_mem_array() fails
Date: Wed, 3 Jun 2026 14:44:13 +0800	[thread overview]
Message-ID: <79932afc-2e91-4a54-aff9-f550be784c36@gmail.com> (raw)
In-Reply-To: <20260602162450.GA442759-robh@kernel.org>



On 6/3/26 00:24, Rob Herring wrote:
> On Wed, May 27, 2026 at 11:29:09AM +0800, Wandun Chen wrote:
>> From: Wandun Chen <chenwandun@lixiang•com>
>>
>> The global pointer 'reserved_mem' continues to reference the
>> reserved_mem_array which lives in __initdata if
>> alloc_reserved_mem_array() fails. of_reserved_mem_lookup() is
>> exported for post-init use, that would dereference freed memory
>> and trigger a use-after-free.
>>
>> So reset reserved_mem_count to 0 when alloc_reserved_mem_array()
>> fails.
>>
>> Fixes: 00c9a452a235 ("of: reserved_mem: Add code to dynamically allocate reserved_mem array")
> Fixes should come first in a series.
Understood, will do in future submissions.
>
>> Signed-off-by: Wandun Chen <chenwandun@lixiang•com>
>> ---
>>   drivers/of/of_reserved_mem.c | 20 ++++++++++++++------
>>   1 file changed, 14 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
>> index 313cbc57aa45..6d479381ff1f 100644
>> --- a/drivers/of/of_reserved_mem.c
>> +++ b/drivers/of/of_reserved_mem.c
>> @@ -69,29 +69,31 @@ static int __init early_init_dt_alloc_reserved_memory_arch(phys_addr_t size,
>>    * the initial static array is copied over to this new array and
>>    * the new array is used from this point on.
>>    */
>> -static void __init alloc_reserved_mem_array(void)
>> +static bool __init alloc_reserved_mem_array(void)
>>   {
>>   	struct reserved_mem *new_array;
>>   	size_t alloc_size, copy_size, memset_size;
>>   
>> +	if (!total_reserved_mem_cnt)
>> +		return true;
>> +
>>   	alloc_size = array_size(total_reserved_mem_cnt, sizeof(*new_array));
>>   	if (alloc_size == SIZE_MAX) {
>>   		pr_err("Failed to allocate memory for reserved_mem array with err: %d", -EOVERFLOW);
>> -		return;
>> +		goto fail;
>>   	}
>>   
>>   	new_array = memblock_alloc(alloc_size, SMP_CACHE_BYTES);
>>   	if (!new_array) {
>>   		pr_err("Failed to allocate memory for reserved_mem array with err: %d", -ENOMEM);
>> -		return;
>> +		goto fail;
>>   	}
>>   
>>   	copy_size = array_size(reserved_mem_count, sizeof(*new_array));
>>   	if (copy_size == SIZE_MAX) {
>>   		memblock_free(new_array, alloc_size);
>> -		total_reserved_mem_cnt = MAX_RESERVED_REGIONS;
>>   		pr_err("Failed to allocate memory for reserved_mem array with err: %d", -EOVERFLOW);
> These prints could be moved to 'fail'. Perhaps instead of just printing
> an error value, you can return the error value instead of boolean.
Will do, consolidating pr_err() under 'fail' and changing the return type
to int.
>
> If you respin just this patch, I can pick it up for 7.2.
Before I respin, I'd like to flag a dependency:
patch 05/07 in this series build on the signature change introduced by this
patch ("the void -> bool return type change of alloc_reserved_mem_array()")

Could you let me know which of the following you'd prefer:
a) Take patch 03 alone via your tree as you suggested, after it lands, I'll
    respin the remaining patches of this series.

b) Keep patch 03 in the v4 respin of the full series, reordered to the front
    per your earlier comment.

Best regards,
Wandun
>
> Rob

next prev parent reply	other threads:[~2026-06-03  6:44 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-27  3:29 [PATCH v3 00/11] kdump: reduce vmcore size and capture time Wandun Chen
2026-05-27  3:29 ` [PATCH v3 01/11] of: reserved_mem: handle NULL name in of_reserved_mem_lookup() Wandun Chen
2026-05-27  3:29 ` [PATCH v3 02/11] kexec/crash: provide crash_exclude_mem_range() stub when CONFIG_CRASH_DUMP=n Wandun Chen
2026-05-27  3:29 ` [PATCH v3 03/11] of: reserved_mem: avoid post-init UAF when alloc_reserved_mem_array() fails Wandun Chen
2026-06-02 16:24   ` Rob Herring
2026-06-03  6:44     ` Wandun [this message]
2026-06-03 17:44       ` Rob Herring
2026-06-04  1:48         ` Wandun
2026-05-27  3:29 ` [PATCH v3 04/11] of: reserved_mem: zero total_reserved_mem_cnt if no valid /reserved-memory entry Wandun Chen
2026-05-27  3:29 ` [PATCH v3 05/11] of: reserved_mem: split alloc_reserved_mem_array() from fdt_scan_reserved_mem_late() Wandun Chen
2026-05-27  3:29 ` [PATCH v3 06/11] of: reserved_mem: add dumpable flag to opt-in vmcore Wandun Chen
2026-05-27  3:29 ` [PATCH v3 07/11] of: reserved_mem: save /memreserve/ entries into the reserved_mem array Wandun Chen
2026-05-27  3:29 ` [PATCH v3 08/11] of: reserved_mem: add kdump helpers to exclude non-dumpable regions Wandun Chen
2026-05-27  3:29 ` [PATCH v3 09/11] arm64: kdump: exclude non-dumpable reserved memory regions from vmcore Wandun Chen
2026-05-29 15:08   ` Will Deacon
2026-05-30 16:25     ` Mike Rapoport
2026-06-01  5:00       ` Baoquan He
2026-06-02  9:34         ` Mike Rapoport
2026-05-27  3:29 ` [PATCH v3 10/11] riscv: " Wandun Chen
2026-05-27  3:29 ` [PATCH v3 11/11] loongarch: " Wandun Chen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=79932afc-2e91-4a54-aff9-f550be784c36@gmail.com \
    --to=chenwandun1@gmail$(echo .)com \
    --cc=akpm@linux-foundation$(echo .)org \
    --cc=alex@ghiti$(echo .)fr \
    --cc=aou@eecs$(echo .)berkeley.edu \
    --cc=bhe@redhat$(echo .)com \
    --cc=catalin.marinas@arm$(echo .)com \
    --cc=chenhuacai@kernel$(echo .)org \
    --cc=devicetree@vger$(echo .)kernel.org \
    --cc=iommu@lists$(echo .)linux.dev \
    --cc=kernel@xen0n$(echo .)name \
    --cc=kexec@lists$(echo .)infradead.org \
    --cc=linux-arm-kernel@lists$(echo .)infradead.org \
    --cc=linux-kernel@vger$(echo .)kernel.org \
    --cc=linux-riscv@lists$(echo .)infradead.org \
    --cc=loongarch@lists$(echo .)linux.dev \
    --cc=m.szyprowski@samsung$(echo .)com \
    --cc=palmer@dabbelt$(echo .)com \
    --cc=pasha.tatashin@soleen$(echo .)com \
    --cc=pjw@kernel$(echo .)org \
    --cc=pratyush@kernel$(echo .)org \
    --cc=quic_obabatun@quicinc$(echo .)com \
    --cc=robh@kernel$(echo .)org \
    --cc=robin.murphy@arm$(echo .)com \
    --cc=rppt@kernel$(echo .)org \
    --cc=ruirui.yang@linux$(echo .)dev \
    --cc=saravanak@kernel$(echo .)org \
    --cc=will@kernel$(echo .)org \
    --cc=zhaomeijing@lixiang$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox