From: Wandun Chen
To: devicetree@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: robh@kernel.org, saravanak@kernel.org
Subject: [PATCH v4] of: reserved_mem: avoid post-init UAF when alloc_reserved_mem_array() fails
Date: Thu, 4 Jun 2026 09:53:32 +0800
Message-ID: <20260604015332.3669384-1-chenwandun1@gmail.com>

From: Wandun Chen

The global pointer 'reserved_mem' continues to reference the reserved_mem_array, which lives in __initdata, if alloc_reserved_mem_array() fails. of_reserved_mem_lookup() is exported for post-init use; that would dereference freed memory and trigger a use-after-free. So reset reserved_mem_count to 0 when alloc_reserved_mem_array() fails.

Fixes: 00c9a452a235 ("of: reserved_mem: Add code to dynamically allocate reserved_mem array")
Signed-off-by: Wandun Chen
---
v3 -> v4:
1. Move prints to 'fail' label.
2. Change return value from bool to int.
---
 drivers/of/of_reserved_mem.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
index 8d5777cb5d1b..deaea58c74f2 100644
--- a/drivers/of/of_reserved_mem.c
+++ b/drivers/of/of_reserved_mem.c
@@ -69,29 +69,32 @@ static int __init early_init_dt_alloc_reserved_memory_a= rch(phys_addr_t size, * the initial static array is copied over to this new array and * the new array is used from this point on. */ -static void __init alloc_reserved_mem_array(void) +static int __init alloc_reserved_mem_array(void) { struct reserved_mem *new_array; size_t alloc_size, copy_size, memset_size; + int ret; + + if (!total_reserved_mem_cnt) + return 0; =20 alloc_size =3D array_size(total_reserved_mem_cnt, sizeof(*new_array)); if (alloc_size =3D=3D SIZE_MAX) { - pr_err("Failed to allocate memory for reserved_mem array with err: %d", = -EOVERFLOW); - return; + ret =3D -EOVERFLOW; + goto fail; } =20 new_array =3D memblock_alloc(alloc_size, SMP_CACHE_BYTES); if (!new_array) { - pr_err("Failed to allocate memory for reserved_mem array with err: %d", = -ENOMEM); - return; + ret =3D -ENOMEM; + goto fail; } =20 copy_size =3D array_size(reserved_mem_count, sizeof(*new_array)); if (copy_size =3D=3D SIZE_MAX) { memblock_free(new_array, alloc_size); - total_reserved_mem_cnt =3D MAX_RESERVED_REGIONS; - pr_err("Failed to allocate memory for reserved_mem array with err: %d", = -EOVERFLOW); - return; + ret =3D -EOVERFLOW; + goto fail; } =20 memset_size =3D alloc_size - copy_size; @@ -100,6 +103,12 @@ static void __init alloc_reserved_mem_array(void) memset(new_array + reserved_mem_count, 0, memset_size); =20 reserved_mem =3D new_array; + return 0; + +fail: + pr_err("Failed to allocate memory for reserved_mem array with err: %d", r= et); + reserved_mem_count =3D 0; + return ret; } =20 static void fdt_init_reserved_mem_node(unsigned long node, const char *una= me, @@ -266,7 +275,8 @@ void __init fdt_scan_reserved_mem_late(void) } =20 /* Attempt dynamic allocation of a new reserved_mem array */ - alloc_reserved_mem_array(); + if (alloc_reserved_mem_array()) + return; =20 if (__reserved_mem_check_root(node)) { pr_err("Reserved memory: unsupported node format, ignoring\n"); --=20 2.43.0
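Review bot: in the first hunk (@@ -69,29 +69,32 @@), the new `if (!total_reserved_mem_cnt) return 0;` at the top of alloc_reserved_mem_array() and the dropped `total_reserved_mem_cnt = MAX_RESERVED_REGIONS;` in the copy_size overflow path are behaviour changes that neither the commit message nor the v3 -> v4 changelog mention; please describe them there or split them into their own patch. On the early-return path reserved_mem is never reassigned (the `reserved_mem = new_array;` store comes later) and reserved_mem_count is not reset, so the changelog should also state why that case cannot reach the post-init dereference the commit message describes.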
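Review bot: in the second hunk (@@ -100,6 +103,12 @@), the pr_err() under the `fail:` label has no trailing "\n" in its format string, unlike the pr_err("Reserved memory: unsupported node format, ignoring\n") in the last hunk, so the message will run into the next log line; add the newline. Separately, resetting `reserved_mem_count = 0;` only protects callers that bound their walk by the count, while the commit message names the dangling `reserved_mem` pointer into __initdata as the root cause; consider also clearing `reserved_mem` on this path, or say in the changelog why zeroing the count alone is sufficient for every exported consumer.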
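Review bot: in the last hunk (@@ -266,7 +275,8 @@), `if (alloc_reserved_mem_array()) return;` makes fdt_scan_reserved_mem_late() bail out before __reserved_mem_check_root() and whatever follows it, so on an allocation failure no reserved-memory node is processed at all and the only diagnostic is the pr_err in the fail label; the commit message should spell out that the fix trades the UAF for silently dropping all reserved regions. Note also that the zero-count early return in the first hunk returns 0 and therefore still falls through to the node check here, which is worth confirming as the intended behaviour.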