From nobody Mon Jun  8 09:49:07 2026
Received: from mail-pj1-f66.google.com (mail-pj1-f66.google.com
 [209.85.216.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0ED83394461
	for <linux-kernel@vger.kernel.org>; Thu,  4 Jun 2026 07:36:22 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.66
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780558584; cv=none;
 b=qv0CgxCcjbcrft0V8K18aeahOxPes1ySfdaXPMBnuc0T/jVXk7Jiw3JgUTdYs1u/8pSLXkdWUgFwc84Gs2PttaqD8SrnMc2EXYWIzPEiU/oFUMYaBFwRN9FbHbnU8ihFVU1/f+xIoaLDhY3Y4uXXwl/OfLZTARvJ4xLKl6uQdpY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780558584; c=relaxed/simple;
	bh=2GKa5PPIBCTWD+KU0rCbkGneABKAAjN8/JrM3XwKr9c=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=FolXds7bmLhQ15I+Ezw24LFsZLPRoj7JvOVArcNEATFdb0WCdZ/nuuSSgDaxJw5YLT4Yfq3elKeXQJCHXW8dOHo0Ma2GypZ+qQFM375/RhfZAEqbvZx7RoV43/Q1IVMSI1HPNG55omfYzpCZa08LAxxGD2TN7XUjjcNoqdm0GEI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=kosiz9Oq; arc=none smtp.client-ip=209.85.216.66
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="kosiz9Oq"
Received: by mail-pj1-f66.google.com with SMTP id
 98e67ed59e1d1-36ad15213fbso267979a91.0
        for <linux-kernel@vger.kernel.org>;
 Thu, 04 Jun 2026 00:36:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780558582; x=1781163382;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=O7G6x2SUs/bASORWJDIcXZXWcW31O5jTR1XJ9NK25Xg=;
        b=kosiz9OqmkoYDToOAGVg6VAq9JkZEhzH8LVxYrPM7sQE5n5wD8PnGi469Qarqv0QiR
         L1CUeR3/O9e/L+xppnPNfJHynyUmbVooyNLnlZdrgniDkJzV7GxtI5Yj5EYPqLj+u7yJ
         j424ViewtcNz95DDTaYXscESiuIvs1JnqaEZbqeYT//NOqThe7eCXxiZJZNOnRCYnDdq
         tWDAOQr6/zNSsvHTYmd9W8SHuRLcA2jr2+nOblr5DrUIc8iiz7X7r7TSaMPQc7oVdBor
         M0OrnkWmA1meZGlY6iywN8DotMfnot+Ndilt9JYCzfZFXz8bylkfFxLkosOU/xOXVg7F
         33Gg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780558582; x=1781163382;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=O7G6x2SUs/bASORWJDIcXZXWcW31O5jTR1XJ9NK25Xg=;
        b=WdMmf9FS8tO+xFsQANmfQGc7irQvbYAUot4rComt8fClYeK9h+50wx+uuX0U/zsDEM
         jrbfZWOT8mMCEqed7KcA049uP01UHI1xlzkNMzES6Y7b6uBdETaTC3nIL4C3JeHFQozp
         53IAGre67UYDlteZfeq5fu45Iuad1w9yXPFkmhpTO6ECPmo8ad5knjFRC8IlxKQcp5zT
         GY2Izid/ZiqwdlJna1qXsaIPC4u+8+OJ2y0dlErNWLi6yh3B0eodT2YZ4MGZqdit89Ht
         8P55c+BtrkNG0Hv6nKHHNQltq7/ZkvCKlk6b2Xu8VJ5TRDNZgSp5vDoe7PQ6Tvys2U+H
         05dg==
X-Forwarded-Encrypted: i=1;
 AFNElJ+zwEhmnOX/PaqEIdjpprkFLW4FO4wOJ0tjONy5TinWBrkc13H934ucAJrF2LaKTmHO+JVbLANHOpiAA88=@vger.kernel.org
X-Gm-Message-State: AOJu0YzHBVpmDJQ1DV5LUZ17BYjsDy60uOcySQYEKwQTJbmlnivfRQY7
	RiHBRSaJHviVat+JfOHHtTtUUJep/8QgO5tCfohmTi5HygTVN6zfOhir
X-Gm-Gg: Acq92OH1InKEnzcm79V4HY1AjH1ABjtmKcOUWw8M+4B5f2BN7ePr3MgCWtCOC1eO7yi
	/Fbc4CHIFm9964DnsOyPhIJCjeLl+RR0l/KzVTdRUiThkJ/tmut2htzygJjtIw0W0jaZ5+YA7wY
	rYcvBFIKoe9Tkz7o3r23svZyUJNeUwI6Ry+gSbWKiM27PYxMrQmh8zE2SLZ3fDrarm7/nqUkwTT
	t/TsIJ00Fy0cVLBRf/GiQNtM5vhxk6d4unT3orjXltU2J3pySL2n94GuNy8Xrdqt0H99BzKbmgG
	hpsU1adxDZFO8E0alXasiAUm2VFaow8fFBsvzkPKSh1P+TAVT3Im0YlIw4uZR7kU13E0EayiVLX
	MVndsgtm/qdjkpd8qvLV+9ZJfWwufy8YRFq7aLw/QjH+zZByhiYsqPgdnmZBEw6xghERuBPfqv1
	0PNF7dLszhWZ756llOsxo6y2pm8aKScuiZzBd8H70Fi2IT+VatlMSDenGpqw==
X-Received: by 2002:a17:90b:540c:b0:368:a27f:9083 with SMTP id
 98e67ed59e1d1-36e30e1435bmr6984123a91.7.1780558582113;
        Thu, 04 Jun 2026 00:36:22 -0700 (PDT)
Received: from intel.company.local ([210.184.73.204])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-36f6dba8521sm2063074a91.15.2026.06.04.00.36.19
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 04 Jun 2026 00:36:21 -0700 (PDT)
From: Wandun Chen <chenwandun1@gmail.com>
To: devicetree@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: robh@kernel.org,
	saravanak@kernel.org
Subject: [PATCH 1/2] of: reserved_mem: avoid stack buffer overflow in
 fdt_scan_reserved_mem()
Date: Thu,  4 Jun 2026 15:36:10 +0800
Message-ID: <20260604073611.3954433-2-chenwandun1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260604073611.3954433-1-chenwandun1@gmail.com>
References: <20260604073611.3954433-1-chenwandun1@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Wandun Chen <chenwandun@lixiang.com>

Sashiko found a potential stack buffer overflow in fdt_scan_reserved_mem()
due to missing bounds checking on dynamic_nodes_cnt [1].

Fix this by adding bounds check.

Link: https://sashiko.dev/#/patchset/20260604015332.3669384-1-chenwandun1%4=
0gmail.com?part=3D1 [1]
Signed-off-by: Wandun Chen <chenwandun@lixiang.com>
---
 drivers/of/of_reserved_mem.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
index ce1d5530ec0f..27dc98aa9bf9 100644
--- a/drivers/of/of_reserved_mem.c
+++ b/drivers/of/of_reserved_mem.c
@@ -346,6 +346,12 @@ int __init fdt_scan_reserved_mem(void)
 		err =3D __reserved_mem_reserve_reg(child, uname);
 		if (!err)
 			count++;
+
+		if (dynamic_nodes_cnt >=3D MAX_RESERVED_REGIONS) {
+			pr_err_once("Reserved memory: reached MAX_RESERVED_REGIONS(%d)\n",
+				    MAX_RESERVED_REGIONS);
+			continue;
+		}
 		/*
 		 * Save the nodes for the dynamically-placed regions
 		 * into an array which will be used for allocation right
--=20
2.43.0
From nobody Mon Jun  8 09:49:07 2026
Received: from mail-pj1-f68.google.com (mail-pj1-f68.google.com
 [209.85.216.68])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 58425391E49
	for <linux-kernel@vger.kernel.org>; Thu,  4 Jun 2026 07:36:26 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.68
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780558587; cv=none;
 b=SWpVhtP/RGBvDHpYIm1xgoC9+K3RK1R6lQq57IUpwAWYSOxXs+Ddxaru8P5V3VD2S4G82yCfPRVAkjIliQG+bWWAGM2huzmNPFrkh5LuXlhVtfEkHsukgk78KJlyYLv0d3VXnLCZVC6+Ur0G6rZgdG+MZ5iF6AG/S21wCs/TUvo=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780558587; c=relaxed/simple;
	bh=3rYL9qOpVCsvIK8Kbi4sBzHi54F4ciTpK0z+WeThbFA=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=IwNwX0nMLuv0FP8NQHRNS8210MjS8xHHs66BOXACwar4BeqornYId9BlsZqH4fNjWuQtAsvKAANrUFyW2eicfkIhpSNfk1HVXrLX7iSu7uIpSsK+bXWJwt/rRBq0tHJGJhrbs56Hp20hoqM4kqxMF+u7+0c/EPbo3IjIpBsfQNY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=mkkPWIaa; arc=none smtp.client-ip=209.85.216.68
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="mkkPWIaa"
Received: by mail-pj1-f68.google.com with SMTP id
 98e67ed59e1d1-36d98b9aa9aso340880a91.3
        for <linux-kernel@vger.kernel.org>;
 Thu, 04 Jun 2026 00:36:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780558585; x=1781163385;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=nEtdXsuD5Nrz8FHS82McGmz9z9OmZzMDe1FxkZDAsP0=;
        b=mkkPWIaaw2wo+xPrT2btXWXZiVtG6JJ3rYg+iDIKB4186s0Wf6zW1q/ig3vCoQa9yy
         7svPoNtYnRjoJZ9n7hzNGP6aHJpKCg/hMGZiI8/aH3XKxxfUKI3OrYa12GjoSd+BaONA
         7uW4IJ/ttNI8QGbHWkxzEFGL+DRHWxnual2XVi/f6uS0UMbCDc9IW9GjlV1JEehja15V
         GMtDCUIIYBxG4E7WSLLVsr7BkzdbgJPLXWX8Hue2rYJtNoj0zd/rY4VZn3OhfsVWhUuD
         TEjMUA/zwD7DrqEU/oFj3p/33ijkJJRhbQjpxnPNgFWGW9iMH4WtoY+kNrE6RnLPgjpS
         Ny7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780558585; x=1781163385;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=nEtdXsuD5Nrz8FHS82McGmz9z9OmZzMDe1FxkZDAsP0=;
        b=Y14elVDM523l89DlNNo/dMEj4JtJ1T4F/nCZ0PmptiTJioDLSAPf01lrkvLHVTy6EZ
         ELDxGM4hfV6WCLPRGGOGvTIxSNu7XHrzvHwgwF41Yf5mrCiTb5csmslWpo/Gf0AsvMbD
         ZlOZ/ShlSVAhdY5/v6VOuNiSmzmXaf1Kod1F072HmpZEh30E6uJ2Dmh48rmXfnZooBP6
         982aDozHIKmqMNlA5jz8QXmJhCn4slutgIehG8RDE2q+zJKHQTU3+UL8T1X3TpxpqvB+
         +2olWCsbRzV6RamGQ4tpkQRqhaigjNyMay6DMaATFWqk6gnc3JnCNZcb7HAGtaMRjHhr
         LWxA==
X-Forwarded-Encrypted: i=1;
 AFNElJ+sIRgannTCRP8VsGADieb6Wrq6rNEkO7P8MxymYdsFXy6F+VOv3QC1W5PZfXQyILnZ0eiiuuWCfu3YGVs=@vger.kernel.org
X-Gm-Message-State: AOJu0YzQ7/teSQYj/l6QTGhE4h81RTEr0X43kwpcQY+2Bg5ijLhtedS0
	mecqTotat9H99SfzWa2A2pj935NRryKe9KRJyeVuyzGSQzWZmoHJM0Vb
X-Gm-Gg: Acq92OHibEDMhdvrrB7HrpBICupsMr+ZDCq4KNwpGdKh2KWKIkUysKlNfD/sFaiWy5t
	YqDHroMbDAHc5UruMZGl/wMeKOzW4bP7pb1IsuFAbu+hmEQZ4YvfVl9QiZ5pdV63z3BLzfePf4u
	GSBp6L02sWCuNar3lZplg+QtpyR2VasTsSiIdjeDPLrLids0Wk+WAkFOs3QoawsVlIArTrSnOF2
	spK8u4A4FWpFQK1veh/LHuWoBxkTjx0+EWbabRkDMYobY/Y14rVUahvKmLhQkz2YKWe/Sxk+0yb
	fRBUW2mjaTQClqhaLr/Wk8AVvUaigsbjrGc1LCoTeBbEf2K/xWrPIEM9JdH9P5evBShHxvzLHBX
	0Un5SRfDN35F5WzXhZGY7nVz8eNOlUqnfBSmxCyn95hYkenxdnUp8ySePAC1Wwy5EoyuAnFGzYL
	LkjjaHWDw8W7+5JclhKZgC5KayEK0OzL+61KZUUNbaUz9/d0i+6DUFhC1tZA==
X-Received: by 2002:a17:90b:4ac7:b0:36b:8873:d96d with SMTP id
 98e67ed59e1d1-36e32b3baefmr6361065a91.11.1780558585552;
        Thu, 04 Jun 2026 00:36:25 -0700 (PDT)
Received: from intel.company.local ([210.184.73.204])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-36f6dba8521sm2063074a91.15.2026.06.04.00.36.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 04 Jun 2026 00:36:25 -0700 (PDT)
From: Wandun Chen <chenwandun1@gmail.com>
To: devicetree@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: robh@kernel.org,
	saravanak@kernel.org
Subject: [PATCH 2/2] of: reserved_mem: add config to extend dynamic reserved
 memory regions
Date: Thu,  4 Jun 2026 15:36:11 +0800
Message-ID: <20260604073611.3954433-3-chenwandun1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260604073611.3954433-1-chenwandun1@gmail.com>
References: <20260604073611.3954433-1-chenwandun1@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Wandun Chen <chenwandun@lixiang.com>

Nowadays, the dynamic reserved memory regions is 64 by default, If
the count of reserved memory regions defined in DTS bigger than 64,
only 64 reserved memory can be handled properly.

So add a config to configure the actual dynamic reserved memory
regions count instead of modify the code.

Signed-off-by: Wandun Chen <chenwandun@lixiang.com>
---
 drivers/of/Kconfig           | 11 +++++++++++
 drivers/of/of_private.h      |  2 +-
 drivers/of/of_reserved_mem.c |  2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/drivers/of/Kconfig b/drivers/of/Kconfig
index 50697cc3b07e..d6496ec3765c 100644
--- a/drivers/of/Kconfig
+++ b/drivers/of/Kconfig
@@ -99,6 +99,17 @@ config OF_IRQ
 config OF_RESERVED_MEM
 	def_bool OF_EARLY_FLATTREE
=20
+config OF_RESERVED_MEM_DYNAMIC_REGIONS
+	int "Maximum count of the dynamic reserved memory regions"
+	depends on OF_RESERVED_MEM
+	default 64
+	range 1 256
+	help
+	  Allows to define proper dynamic reserved memory regions number
+	  according to DTS configuration.
+
+	  If unsure, leave the default value "64".
+
 config OF_RESOLVE
 	bool
=20
diff --git a/drivers/of/of_private.h b/drivers/of/of_private.h
index 0ae16da066e2..6ad00798f39d 100644
--- a/drivers/of/of_private.h
+++ b/drivers/of/of_private.h
@@ -9,7 +9,7 @@
  */
=20
 #define FDT_ALIGN_SIZE 8
-#define MAX_RESERVED_REGIONS    64
+#define MAX_RESERVED_REGIONS	CONFIG_OF_RESERVED_MEM_DYNAMIC_REGIONS
=20
 /**
  * struct alias_prop - Alias property in 'aliases' node
diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
index 27dc98aa9bf9..d1680fc4fb38 100644
--- a/drivers/of/of_reserved_mem.c
+++ b/drivers/of/of_reserved_mem.c
@@ -348,7 +348,7 @@ int __init fdt_scan_reserved_mem(void)
 			count++;
=20
 		if (dynamic_nodes_cnt >=3D MAX_RESERVED_REGIONS) {
-			pr_err_once("Reserved memory: reached MAX_RESERVED_REGIONS(%d)\n",
+			pr_err_once("Reserved memory: reached MAX_RESERVED_REGIONS(%d), try exp=
anding CONFIG_OF_RESERVED_MEM_DYNAMIC_REGIONS.\n",
 				    MAX_RESERVED_REGIONS);
 			continue;
 		}
--=20
2.43.0