All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mike Rapoport <rppt@kernel.org>
To: kernel test robot <oliver.sang@intel.com>
Cc: oe-lkp@lists.linux.dev, lkp@intel.com
Subject: Re: [rppt:free-late/v0.3] [memblock, treewide]  bbe3478393: KASAN:use-after-free_in_memblock_isolate_range
Date: Fri, 20 Mar 2026 15:32:45 +0200	[thread overview]
Message-ID: <ab1MfZARoEV4scVe@kernel.org> (raw)
In-Reply-To: <202603200841.b2d24d21-lkp@intel.com>

Hello,

On Fri, Mar 20, 2026 at 03:53:54PM +0800, kernel test robot wrote:
> 
> Hello,
> 
> kernel test robot noticed "KASAN:use-after-free_in_memblock_isolate_range" on:
> 
> commit: bbe3478393e135e2fc98f32fa8ab182de6742136 ("memblock, treewide: make memblock_free() handle late freeing")
> https://git.kernel.org/cgit/linux/kernel/git/rppt/linux.git free-late/v0.3
> 
> in testcase: ltp
> version: 
> with following parameters:
> 
> 	test: uevent
> 
> 
> config: x86_64-rhel-9.4-ltp
> compiler: gcc-14
> test machine: 22 threads 1 sockets Intel(R) Core(TM) Ultra 9 185H @ 4.5GHz (Meteor Lake) with 32G memory
> 
> (please refer to attached dmesg/kmsg for entire log/backtrace)
> 
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202603200841.b2d24d21-lkp@intel.com

Thanks for the report!

The patch below fixes the issue for me, I'd appreciate if you can verify it
on your setup as well:


diff --git a/mm/memblock.c b/mm/memblock.c
index 780e70d4971a..3e21d6135789 100644
--- a/mm/memblock.c
+++ b/mm/memblock.c
@@ -985,15 +985,18 @@ void __init_memblock memblock_free(void *ptr, size_t size)
 int __init_memblock memblock_phys_free(phys_addr_t base, phys_addr_t size)
 {
 	phys_addr_t end = base + size - 1;
+	int ret;
 
 	memblock_dbg("%s: [%pa-%pa] %pS\n", __func__,
 		     &base, &end, (void *)_RET_IP_);
 
 	kmemleak_free_part_phys(base, size);
+	ret = memblock_remove_range(&memblock.reserved, base, size);
+
 	if (slab_is_available())
 		__free_reserved_area(base, base + size, -1);
 
-	return memblock_remove_range(&memblock.reserved, base, size);
+	return ret;
 }
 
 int __init_memblock __memblock_reserve(phys_addr_t base, phys_addr_t size,

-- 
Sincerely yours,
Mike.

  reply	other threads:[~2026-03-20 13:32 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-20  7:53 [rppt:free-late/v0.3] [memblock, treewide] bbe3478393: KASAN:use-after-free_in_memblock_isolate_range kernel test robot
2026-03-20 13:32 ` Mike Rapoport [this message]
2026-03-23  2:28   ` Oliver Sang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ab1MfZARoEV4scVe@kernel.org \
    --to=rppt@kernel.org \
    --cc=lkp@intel.com \
    --cc=oe-lkp@lists.linux.dev \
    --cc=oliver.sang@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.