From: kingdix10@qq.com To: akpm@linux-foundation.org, andriy.shevchenko@linux.intel.com, ilpo.jarvinen@linux.intel.com, bhelgaas@google.com, mika.westerberg@linux.intel.com, huang.ying.caritas@gmail.com, jhubbard@nvidia.com, peterz@infradead.org Cc: linux-kernel@vger.kernel.org, King Dix Subject: [PATCH] resource: use kstrdup_const to prevent wild pointer issues Date: Wed, 1 Jan 2025 21:49:08 +0800 X-OQ-MSGID: <20250101134908.15852-1-kingdix10@qq.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: King Dix When a stack string variable is passed during the request resource operation, it causes an oops problem when executing cat /proc/iomem. In the original code, in functions like __request_region_locked, the name member of the resource structure was directly assigned the stack string pointer without proper memory management. This fix changes the assignment of res->name to use kstrdup_const for string copying, ensuring the correct storage and release of the string and thus avoiding potential memory errors and oops issues. Signed-off-by: King Dix --- kernel/resource.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/kernel/resource.c b/kernel/resource.c index b7c0e24d9398..87d22741c066 100644 --- a/kernel/resource.c +++ b/kernel/resource.c @@ -168,8 +168,10 @@ static void free_resource(struct resource *res) * buddy and trying to be smart and reusing them eventually in * alloc_resource() overcomplicates resource handling. */ - if (res && PageSlab(virt_to_head_page(res))) + if (res && PageSlab(virt_to_head_page(res))) { + kfree_const(res->name); kfree(res); + } } =20 static struct resource *alloc_resource(gfp_t flags) 
@@ -1098,7 +1100,7 @@ __reserve_region_with_split(struct resource *root, re= source_size_t start, if (!res) return; =20 - res->name =3D name; + res->name =3D kstrdup_const(name, GFP_ATOMIC); res->start =3D start; res->end =3D end; res->flags =3D type | IORESOURCE_BUSY; @@ -1133,7 +1135,7 @@ __reserve_region_with_split(struct resource *root, re= source_size_t start, free_resource(res); break; } - next_res->name =3D name; + next_res->name =3D kstrdup_const(name, GFP_ATOMIC); next_res->start =3D conflict->end + 1; next_res->end =3D end; next_res->flags =3D type | IORESOURCE_BUSY; @@ -1261,7 +1263,7 @@ static int __request_region_locked(struct resource *r= es, struct resource *parent { DECLARE_WAITQUEUE(wait, current); =20 - res->name =3D name; + res->name =3D kstrdup_const(name, GFP_KERNEL); res->start =3D start; res->end =3D start + n - 1; =20 @@ -1474,7 +1476,7 @@ void release_mem_region_adjustable(resource_size_t st= art, resource_size_t size) goto retry; } } - new_res->name =3D res->name; + new_res->name =3D kstrdup_const(res->name, GFP_ATOMIC); new_res->start =3D end + 1; new_res->end =3D res->end; new_res->flags =3D res->flags; @@ -1978,7 +1980,7 @@ get_free_mem_region(struct device *dev, struct resour= ce *base, } else { res->start =3D addr; res->end =3D addr + size - 1; - res->name =3D name; + res->name =3D kstrdup_const(name, GFP_KERNEL); res->desc =3D desc; res->flags =3D IORESOURCE_MEM; =20 --=20 2.43.0
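Review bot: in free_resource() (hunk @@ -168,8), kfree_const(res->name) now runs for every slab-allocated resource, while the patch converts only five assignment sites to kstrdup_const(). kfree_const() skips only pointers into .rodata, so a resource that reaches this function with a name set some other way, for example a heap string still owned by its caller, would have memory freed that the resource code does not own. Please audit every path that can end in free_resource() and state the new ownership rule (the resource owns its name) in the comment above the check. Also note that the free sits inside the PageSlab() branch, so a resource that fails that test keeps its duplicated name allocated.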
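Review bot: the return value of kstrdup_const(name, GFP_ATOMIC) is stored unchecked in res->name in __reserve_region_with_split() (hunk @@ -1098,7). For a name outside .rodata this is a real allocation that can fail, and GFP_ATOMIC makes that more likely, which leaves a resource flagged IORESOURCE_BUSY with a NULL name. Check the result and bail out the way the "if (!res) return;" directly above does, calling free_resource(res) first.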
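Review bot: the next_res->name assignment in the second __reserve_region_with_split() hunk (@@ -1133,7) has no failure exit, although the context lines just above it leave the loop with "free_resource(res); break;". A failed kstrdup_const() here needs a comparable exit that also frees next_res. It also means a single reservation that gets split now performs one atomic string allocation per piece when the name is not in .rodata, which is worth mentioning in the changelog.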
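Review bot: __request_region_locked() returns int (hunk @@ -1261,7), yet a NULL from kstrdup_const(name, GFP_KERNEL) is stored in res->name and the function carries on to set start and end. Return an error such as -ENOMEM before touching the rest of res. On the documentation side, the changelog says the oops comes from a caller passing a stack string but does not name that caller; please identify it, and document at this function that name is now copied, because this changes the lifetime contract for every caller rather than fixing the one that broke it.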
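Review bot: release_mem_region_adjustable() returns void (hunk @@ -1474,7), so a failed kstrdup_const(res->name, GFP_ATOMIC) cannot be reported and new_res ends up with a NULL name. The copy itself is needed once free_resource() frees the name, since res and new_res sharing one pointer would be freed twice, but the duplication should happen at a point where failure can still be handled, before new_res is filled in and committed.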
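Review bot: in get_free_mem_region() (hunk @@ -1978,7) the kstrdup_const(name, GFP_KERNEL) result is again assigned without a check, after res->start and res->end are already set, so a failure has to unwind the resource rather than continue to set desc and flags. As a style point, this is the fifth open-coded copy in the patch; a small helper that duplicates the name and returns an error (a hypothetical resource_set_name(), not an existing function) would put the NULL check and the gfp choice in one place.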