of: reserved_mem: avoid post-init UAF when alloc_reserved_mem_array() fails

The global pointer 'reserved_mem' continues to reference the
reserved_mem_array which lives in __initdata if
alloc_reserved_mem_array() fails. of_reserved_mem_lookup() is
exported for post-init use, that would dereference freed memory
and trigger a use-after-free.

So reset reserved_mem_count to 0 when alloc_reserved_mem_array()
fails.

Fixes: 00c9a452a235 ("of: reserved_mem: Add code to dynamically allocate reserved_mem array")
Signed-off-by: Wandun Chen <chenwandun@lixiang.com>
Link: https://patch.msgid.link/20260604015332.3669384-1-chenwandun1@gmail.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>

diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
index ce1d5530ec0fbd7b1140ab168d5144fbdd49e03b..d918dc7f07fb9d95e212e1dbb54973e5f4d6efd1 100644 (file)
--- a/drivers/of/of_reserved_mem.c
+++ b/drivers/of/of_reserved_mem.c
@@ -69,29 +69,32 @@ static int __init early_init_dt_alloc_reserved_memory_arch(phys_addr_t size,
  * the initial static array is copied over to this new array and
  * the new array is used from this point on.
  */
-static void __init alloc_reserved_mem_array(void)
+static int __init alloc_reserved_mem_array(void)
 {
        struct reserved_mem *new_array;
        size_t alloc_size, copy_size, memset_size;
+       int ret;
+
+       if (!total_reserved_mem_cnt)
+               return 0;
 
        alloc_size = array_size(total_reserved_mem_cnt, sizeof(*new_array));
        if (alloc_size == SIZE_MAX) {
-               pr_err("Failed to allocate memory for reserved_mem array with err: %d", -EOVERFLOW);
-               return;
+               ret = -EOVERFLOW;
+               goto fail;
        }
 
        new_array = memblock_alloc(alloc_size, SMP_CACHE_BYTES);
        if (!new_array) {
-               pr_err("Failed to allocate memory for reserved_mem array with err: %d", -ENOMEM);
-               return;
+               ret = -ENOMEM;
+               goto fail;
        }
 
        copy_size = array_size(reserved_mem_count, sizeof(*new_array));
        if (copy_size == SIZE_MAX) {
                memblock_free(new_array, alloc_size);
-               total_reserved_mem_cnt = MAX_RESERVED_REGIONS;
-               pr_err("Failed to allocate memory for reserved_mem array with err: %d", -EOVERFLOW);
-               return;
+               ret = -EOVERFLOW;
+               goto fail;
        }
 
        memset_size = alloc_size - copy_size;
@@ -100,6 +103,12 @@ static void __init alloc_reserved_mem_array(void)
        memset(new_array + reserved_mem_count, 0, memset_size);
 
        reserved_mem = new_array;
+       return 0;
+
+fail:
+       pr_err("Failed to allocate memory for reserved_mem array with err: %d", ret);
+       reserved_mem_count = 0;
+       return ret;
 }
 
 static void fdt_init_reserved_mem_node(unsigned long node, const char *uname,
@@ -267,7 +276,8 @@ void __init fdt_scan_reserved_mem_late(void)
        }
 
        /* Attempt dynamic allocation of a new reserved_mem array */
-       alloc_reserved_mem_array();
+       if (alloc_reserved_mem_array())
+               return;
 
        if (__reserved_mem_check_root(node)) {
                pr_err("Reserved memory: unsupported node format, ignoring\n");