[PATCH v3 05/11] of: reserved_mem: split alloc_reserved_mem_array() from fdt_scan_reserved_mem_late()
Wandun
chenwandun1 at gmail.com
Sun Jun 14 20:33:34 PDT 2026
On 6/12/26 22:41, Rob Herring wrote:
> On Wed, May 27, 2026 at 11:29:11AM +0800, Wandun Chen wrote:
>> From: Wandun Chen <chenwandun at lixiang.com>
>>
>> Prepare for storing /memreserve/ entries in the reserved_mem array.
>> alloc_reserved_mem_array() is skipped if the device tree lacks a
>> /reserved-memory node; pointer 'reserved_mem' continues to reference
>> the reserved_mem_array, which lives in __initdata. Storing
>> /memreserve/ entries into reserved_mem_array would result in metadata
>> loss, and an out-of-bounds memory access will occur if the device
>> tree contains more than MAX_RESERVED_REGIONS /memreserve/ entries.
>>
>> So split alloc_reserved_mem_array() from fdt_scan_reserved_mem_late(),
>> and call alloc_reserved_mem_array() whether or not there is a
>> /reserved-memory node.
>>
>> No functional change.
>> The actual /memreserve/ population is added in a follow-up patch.
>>
>> Signed-off-by: Wandun Chen <chenwandun at lixiang.com>
>> ---
>> drivers/of/fdt.c | 7 +++++--
>> drivers/of/of_private.h | 1 +
>> drivers/of/of_reserved_mem.c | 6 +-----
>> 3 files changed, 7 insertions(+), 7 deletions(-)
>>
>> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>> index 82f7327c59ea..83a2a474831e 100644
>> --- a/drivers/of/fdt.c
>> +++ b/drivers/of/fdt.c
>> @@ -1284,8 +1284,11 @@ void __init unflatten_device_tree(void)
>> {
>> void *fdt = initial_boot_params;
>>
>> - /* Save the statically-placed regions in the reserved_mem array */
>> - fdt_scan_reserved_mem_late();
>> + /* Attempt dynamic allocation of a new reserved_mem array */
>> + if (fdt && alloc_reserved_mem_array()) {
>> + /* Save the statically-placed regions in the reserved_mem array */
>> + fdt_scan_reserved_mem_late();
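Review bot: the commit message says "No functional change", but this hunk changes the call site's behaviour: fdt_scan_reserved_mem_late() used to run unconditionally and is now skipped whenever fdt is NULL or alloc_reserved_mem_array() returns 0, so the statically-placed regions are no longer saved into the array when the allocation fails. Either drop the "No functional change" line or state in the commit message what is expected to happen on allocation failure. The `if (fdt && ...)` test also duplicates the !fdt check already inside fdt_scan_reserved_mem_late(); if it is kept on purpose (to avoid allocating from a stale total_reserved_mem_cnt when there is no fdt), a one-line comment at the call site saying so would spare the next reader the same question.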
>
> Can we make this just:
>
> alloc_reserved_mem_array();
> fdt_scan_reserved_mem_late();
>
> We already check !fdt in fdt_scan_reserved_mem_late().
Thanks for your review, Rob.
The reason I kept the fdt check is that total_reserved_mem_cnt is wrong
when fdt is NULL: early_init_fdt_scan_reserved_mem() returns early in
that case, so fdt_scan_reserved_mem() never runs, and
total_reserved_mem_cnt stays at MAX_RESERVED_REGIONS. Calling
alloc_reserved_mem_array() unconditionally would allocate memory
unnecessarily.
A better fix might be to make total_reserved_mem_cnt always correct: add
a !fdt check at the top of fdt_scan_reserved_mem() that sets
total_reserved_mem_cnt to 0, and let early_init_fdt_scan_reserved_mem()
call it even when initial_boot_params is NULL. Then
alloc_reserved_mem_array() could naturally skip allocation when that
count is 0, and we can drop the outer fdt guard.
There is still a separate UAF issue (fixed in patch 3) if we don't check
the return value of alloc_reserved_mem_array().
With the fdt_scan_reserved_mem() fix for total_reserved_mem_cnt, the
call site in unflatten_device_tree() becomes:
	if (alloc_reserved_mem_array()) {
		fdt_scan_reserved_mem_late();
	}
How does that sound?
Best regards,
Wandun
>
> Rob
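The interplay described in this thread (a count that is only corrected when the scan actually runs, an allocation that should be skipped when the count is 0, and a static __initdata array that must not receive more entries than it has room for) can be exercised outside the kernel. The following is an added user-space model, not kernel code and not part of this patch series: the function names mirror the kernel's, but the bodies are simplified stand-ins. It assumes, as the reply states, that total_reserved_mem_cnt starts at MAX_RESERVED_REGIONS and is only fixed up when fdt_scan_reserved_mem() runs; `struct fake_fdt`, `example_fdt`, the `alloc_fails` flag, the bounds-checked `reserved_mem_add()` and `simulate()` are all constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RESERVED_REGIONS 64

struct reserved_mem {
	unsigned long base;
	unsigned long size;
};

/* Static fixed-size table standing in for the kernel's __initdata
 * reserved_mem_array; reserved_mem points at it until a dynamic array
 * replaces it. */
static struct reserved_mem reserved_mem_array[MAX_RESERVED_REGIONS];
static struct reserved_mem *reserved_mem = reserved_mem_array;
static int reserved_mem_count;
static bool reserved_mem_is_dynamic;
/* Assumption taken from the reply: the count defaults to
 * MAX_RESERVED_REGIONS and is only corrected when the scan runs. */
static int total_reserved_mem_cnt = MAX_RESERVED_REGIONS;

/* Constructed stand-in for a flattened device tree: only the two counts
 * that matter for sizing the array. A NULL pointer models "no fdt". */
struct fake_fdt {
	int reserved_memory_children;	/* children of /reserved-memory */
	int memreserve_entries;		/* /memreserve/ entries */
};
/* Constructed input: more entries than the static array can hold. */
static const struct fake_fdt example_fdt = { 2, 70 };

static void reset_state(void)
{
	if (reserved_mem_is_dynamic)
		free(reserved_mem);
	reserved_mem = reserved_mem_array;
	reserved_mem_count = 0;
	reserved_mem_is_dynamic = false;
	total_reserved_mem_cnt = MAX_RESERVED_REGIONS;
}

/* Model of fdt_scan_reserved_mem(): computes the slots the dynamic array
 * needs. The !fdt branch is the fix proposed in the reply. */
static void fdt_scan_reserved_mem(const struct fake_fdt *fdt)
{
	if (!fdt) {
		total_reserved_mem_cnt = 0;
		return;
	}
	total_reserved_mem_cnt = fdt->reserved_memory_children +
				 fdt->memreserve_entries;
}

/* Model of alloc_reserved_mem_array(): returns 1 when reserved_mem now
 * points at a dynamic array of total_reserved_mem_cnt slots, 0 when the
 * allocation was skipped (nothing to hold) or failed. */
static int alloc_reserved_mem_array(bool fail)
{
	struct reserved_mem *new_array;

	if (total_reserved_mem_cnt == 0 || fail)
		return 0;
	new_array = calloc(total_reserved_mem_cnt, sizeof(*new_array));
	if (!new_array)
		return 0;
	memcpy(new_array, reserved_mem, reserved_mem_count * sizeof(*new_array));
	reserved_mem = new_array;
	reserved_mem_is_dynamic = true;
	return 1;
}

/* Bounds-checked append. Without the limit check, entries beyond the
 * static array's capacity would be the out-of-bounds write the commit
 * message warns about. */
static int reserved_mem_add(unsigned long base, unsigned long size)
{
	int limit = reserved_mem_is_dynamic ? total_reserved_mem_cnt
					    : MAX_RESERVED_REGIONS;

	if (reserved_mem_count >= limit)
		return -1;
	reserved_mem[reserved_mem_count].base = base;
	reserved_mem[reserved_mem_count].size = size;
	reserved_mem_count++;
	return 0;
}

struct sim_result {
	int allocated_slots;	/* 0 when no dynamic array was allocated */
	int stored;
	int rejected;
};

/* Run the sequence the call site goes through: count, allocate, populate.
 * count_without_fdt selects whether the count is fixed up when there is
 * no fdt (the reply's proposal) or left at its default (today). */
static struct sim_result simulate(const struct fake_fdt *fdt,
				  bool count_without_fdt, bool alloc_fails)
{
	struct sim_result r = { 0, 0, 0 };
	int needed = fdt ? fdt->reserved_memory_children +
			   fdt->memreserve_entries : 0;

	reset_state();
	if (fdt || count_without_fdt)
		fdt_scan_reserved_mem(fdt);
	if (alloc_reserved_mem_array(alloc_fails))
		r.allocated_slots = total_reserved_mem_cnt;
	for (int i = 0; i < needed; i++) {
		if (reserved_mem_add(0x80000000UL + 0x10000UL * i, 0x10000) == 0)
			r.stored++;
		else
			r.rejected++;
	}
	return r;
}
```

With no fdt and the count left at its default, the model allocates MAX_RESERVED_REGIONS slots it never fills, which is the unnecessary allocation the reply describes; with the count zeroed, nothing is allocated. With more entries than the static array holds, the dynamic array takes all of them, while an allocation failure leaves the bounds check to reject the excess instead of writing past the end.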