Re: [PATCH v4] of: reserved_mem: avoid post-init UAF when alloc_reserved_mem_array() fails

Next message: Andy Shevchenko: "Re: [PATCH v16 05/14] lib: kstrtox: add kstrtoudec64() and kstrtodec64()"
Previous message: Nicolai Buchwitz: "Re: [PATCH net-next] net: bcmgenet: convert RX path to page_pool"
In reply to: Wandun Chen: "[PATCH v4] of: reserved_mem: avoid post-init UAF when alloc_reserved_mem_array() fails"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Rob Herring (Arm)

Date: Thu Jun 04 2026 - 15:44:58 EST

On Thu, 04 Jun 2026 09:53:32 +0800, Wandun Chen wrote:
> From: Wandun Chen <chenwandun@xxxxxxxxxxx>
>
> The global pointer 'reserved_mem' continues to reference the
> reserved_mem_array which lives in __initdata if
> alloc_reserved_mem_array() fails. of_reserved_mem_lookup() is
> exported for post-init use, that would dereference freed memory
> and trigger a use-after-free.
>
> So reset reserved_mem_count to 0 when alloc_reserved_mem_array()
> fails.
>
> Fixes: 00c9a452a235 ("of: reserved_mem: Add code to dynamically allocate reserved_mem array")
> Signed-off-by: Wandun Chen <chenwandun@xxxxxxxxxxx>
>
> ---
> v3 -> v4:
> 1. Move prints to 'fail' label.
> 2. Change return value from bool to int.
> ---
> drivers/of/of_reserved_mem.c | 28 +++++++++++++++++++---------
> 1 file changed, 19 insertions(+), 9 deletions(-)
>

Applied, thanks!