From: "Zi Yan" <ziy@nvidia.com>
To: "Ketan" <ketan.kishore@oss.qualcomm.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Vlastimil Babka" <vbabka@kernel.org>,
"Suren Baghdasaryan" <surenb@google.com>,
"Michal Hocko" <mhocko@suse.com>,
"Brendan Jackman" <jackmanb@google.com>,
"Johannes Weiner" <hannes@cmpxchg.org>,
"Luiz Capitulino" <luizcap@redhat.com>,
"David Hildenbrand" <david@kernel.org>
Cc: <kernel@oss.qualcomm.com>, <stable@vger.kernel.org>,
<linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
"Matthew Wilcox" <willy@infradead.org>,
"Lorenzo Stoakes" <ljs@kernel.org>,
"Liam R. Howlett" <liam@infradead.org>,
"Mike Rapoport" <rppt@kernel.org>
Subject: Re: [PATCH v2] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
Date: Mon, 22 Jun 2026 12:14:30 -0400
Message-ID: <DJFPMRCQLFCR.26LI8DHU9YSJO@nvidia.com>
In-Reply-To: <20260622-page_ext-v2-1-135d4cfbc42f@oss.qualcomm.com>

On Mon Jun 22, 2026 at 10:14 AM EDT, Ketan wrote:
> The page_ext iteration API does not validate if the PFN still
> belongs to a valid section while advancing the iterator. When
> dynamically adding memory in the hotplug path, it can lead to a
> NULL pointer dereference during page_ext_lookup at the boundary
> of the last valid section when iterator count equals __pgcount.
>
> The for_each_page_ext() macro calls page_ext_iter_next() as its
> loop increment. for_each_page_ext() does a
> "__page_ext = page_ext_iter_next(&__iter)" at the end. This
> causes page_ext_iter_next() to increment iter->index past
> __pgcount and call page_ext_lookup(start_pfn + __pgcount).
> During memory hotplug (online), the PFN at start_pfn + __pgcount
> may belong to a section that has not yet been initialized,
> causing page_ext_lookup() to trigger a NULL pointer dereference.
>
> [ 14.555124][ T846] Call trace:
> [ 14.555125][ T846] lookup_page_ext+0x6c/0x108 (P)
> [ 14.555127][ T846] page_ext_lookup+0x30/0x3c
> [ 14.555129][ T846] __reset_page_owner+0x11c/0x260
> [ 14.571201][ T846] __free_pages_ok+0x5e8/0x8e0
> [ 14.571204][ T846] __free_pages_core+0x78/0xf0
> [ 14.571206][ T846] generic_online_page+0x14/0x24
> [ 14.597782][ T846] online_pages+0x178/0x30c
> [ 14.597784][ T846] memory_block_change_state+0x284/0x32c
> [ 14.597787][ T846] memory_subsys_online+0x4c/0x64
> [ 14.597789][ T846] device_online+0x88/0xb0
> [ 14.597791][ T846] online_memory_block+0x30/0x40
> [ 14.597793][ T846] walk_memory_blocks+0xac/0xe8
> [ 14.597794][ T846] add_memory_resource+0x280/0x298
> [ 14.656161][ T846] add_memory+0x60/0x98
>
> Move the iteration boundary enforcement inside the iterator
> functions, so callers cannot inadvertently access beyond the
> requested range.
>
> Fixes: 9039b9096ea2 ("mm: page_owner: use new iteration API")
> Cc: stable@vger.kernel.org
> Suggested-by: David Hildenbrand <david@redhat.com>
> Suggested-by: Matthew Wilcox <willy@infradead.org>
> Signed-off-by: Ketan Kishore <ketan.kishore@oss.qualcomm.com>
> ---
> Changes in v2:
> - Incorporated comments from David and Matthew to check for invalid PFN
> in page_ext iterator rather than checking for NULL section in
> page_ext_lookup.
> - Minor improvement in commit description to include the issue with
> page_ext_iter_next
> - Link to v1: https://patch.msgid.link/20260617-page_ext-v1-1-37ad802b1a38@oss.qualcomm.com
>
> To: Andrew Morton <akpm@linux-foundation.org>
> To: David Hildenbrand <david@kernel.org>
> To: Lorenzo Stoakes <ljs@kernel.org>
> To: "Liam R. Howlett" <liam@infradead.org>
> To: Vlastimil Babka <vbabka@kernel.org>
> To: Mike Rapoport <rppt@kernel.org>
> To: Suren Baghdasaryan <surenb@google.com>
> To: Michal Hocko <mhocko@suse.com>
> To: Luiz Capitulino <luizcap@redhat.com>
> Cc: kernel@oss.qualcomm.com
> Cc: linux-mm@kvack.org
> Cc: linux-kernel@vger.kernel.org
> ---
> include/linux/page_ext.h | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
LGTM. Thanks.
Acked-by: Zi Yan <ziy@nvidia.com>
--
Best Regards,
Yan, Zi
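
The off-by-one described in the quoted commit message, as an added userspace model that is not part of this message and is not the kernel's or the patch's code: the loop increment looks up start_pfn + count before the loop condition can reject it, and a count limit inside the iterator avoids that lookup. The names model_lookup, model_iter, next_unbounded, next_bounded and walk, and the 8-PFN valid range, are constructed for illustration.

```c
#include <stddef.h>

/* Constructed model: PFNs below VALID_PFNS sit in an initialised section. */
#define VALID_PFNS 8UL

static int ext_table[VALID_PFNS];
static unsigned long bad_lookups;	/* lookups past the last valid section */

/* Stand-in for page_ext_lookup(); the kernel would fault where this counts. */
static int *model_lookup(unsigned long pfn)
{
	if (pfn >= VALID_PFNS) {
		bad_lookups++;
		return NULL;
	}
	return &ext_table[pfn];
}

struct model_iter { unsigned long start_pfn, index, count; };

/* Advances and looks up unconditionally; only the caller knows the bound. */
static int *next_unbounded(struct model_iter *it)
{
	it->index++;
	return model_lookup(it->start_pfn + it->index);
}

/* Count limit inside the iterator: never looks up start_pfn + count. */
static int *next_bounded(struct model_iter *it)
{
	if (++it->index >= it->count)
		return NULL;
	return model_lookup(it->start_pfn + it->index);
}

/* Walk `count` entries as a for-each macro would; return the stray lookups. */
static unsigned long walk(unsigned long start, unsigned long count, int bounded)
{
	struct model_iter it = { start, 0, count };
	int *ext;

	bad_lookups = 0;
	for (ext = model_lookup(start); ext && it.index < count;
	     ext = bounded ? next_bounded(&it) : next_unbounded(&it))
		*ext = 0;	/* stand-in for per-page work */
	return bad_lookups;
}

int main(void) { return !(walk(4, 4, 0) == 1 && walk(4, 4, 1) == 0); }
```

A range that ends before the last valid PFN, such as walk(0, 4, 0), performs the same extra lookup but lands on a valid entry, which is why the fault only shows at the boundary of the last valid section.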
Thread overview: 8+ messages
2026-06-22 14:14 [PATCH v2] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access Ketan
2026-06-22 14:20 ` David Hildenbrand (Arm)
2026-06-22 16:14 ` Zi Yan [this message]
2026-06-22 17:01 ` [syzbot ci] " syzbot ci
2026-06-22 19:36 ` [syzbot ci] " Zi Yan
2026-06-22 19:45 ` Ketan Kishore
2026-06-22 20:24 ` [syzbot ci] " syzbot ci
2026-06-22 19:44 ` [PATCH v2] " Zi Yan