Re: [PATCH] sched/isolation: Don't free memblock allocated cpumasks

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Breno Leitao <leitao@debian.org>
To: Waiman Long <longman@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	 Juri Lelli <juri.lelli@redhat.com>,
	Vincent Guittot <vincent.guittot@linaro.org>,
	 Dietmar Eggemann <dietmar.eggemann@arm.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	 Ben Segall <bsegall@google.com>, Mel Gorman <mgorman@suse.de>,
	 Valentin Schneider <vschneid@redhat.com>,
	K Prateek Nayak <kprateek.nayak@amd.com>,
	 Frederic Weisbecker <frederic@kernel.org>,
	Mike Rapoport <rppt@kernel.org>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] sched/isolation: Don't free memblock allocated cpumasks
Date: Fri, 8 May 2026 07:19:06 -0700	[thread overview]
Message-ID: <af3vPJQaDnSvyHoF@gmail.com> (raw)
In-Reply-To: <20260505051821.1107133-1-longman@redhat.com>

On Tue, May 05, 2026 at 01:18:21AM -0400, Waiman Long wrote:
> One workaround for now to avoid these warning/bug
> messages is to keep the memblock allocated cpumasks even if they are
> no longer needed until the memblock subsystem is properly updated to
> handle memblock_free().

We just hit the same KASAN UAF from a different caller on a v7.1-rc3 boot,
which I think reinforces that the fix really needs to be in memblock rather
than in each subsystem.

In our case the offender is the IMA kexec buffer release path:

    [  113.498542] BUG: KASAN: use-after-free in memblock_isolate_range+0x208/0x8f0
    [  113.514206] Read of size 8 at addr ff11001824ba4000 by task swapper/0/1
    ...
    [  113.532258]  memblock_isolate_range+0x208/0x8f0
    [  113.532267]  memblock_phys_free+0x5f/0x300
    [  113.532274]  ima_free_kexec_buffer+0x1d/0x40
    [  113.532280]  ima_load_kexec_buffer+0xbf/0xf0
    [  113.532285]  ima_init+0x42/0xa0
    [  113.532287]  init_ima+0x5e/0x190
    [  113.532290]  security_initcall_late+0xad/0x210
    [  113.532301]  do_one_initcall+0x138/0x540

Same shape as your second trace: memblock_phys_free() reads
memblock.reserved.regions, which memblock_discard() has already returned
to the buddy allocator (the KASAN shadow shows the page as fully poisoned,
and pfn 0x1824ba4 has been reallocated). It then page-faults a moment later
on the same address.

ima_init runs as a security_initcall_late, so by the time
ima_free_kexec_buffer() calls memblock_phys_free() on the previous
kernel's measurement buffer, memblock has long been torn down on
configurations without CONFIG_ARCH_KEEP_MEMBLOCK 

This regression seems to come from commit 87ce9e83ab8b ("memblock, treewide: make
memblock_free() handle late freeing"), which dropped memblock_free_late()
and made memblock_phys_free() unconditionally call
memblock_remove_range(&memblock.reserved, ...) followed by an optional
__free_reserved_area().

next prev parent reply	other threads:[~2026-05-08 14:19 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-05  5:18 [PATCH] sched/isolation: Don't free memblock allocated cpumasks Waiman Long
2026-05-06 13:25 ` Valentin Schneider
2026-05-06 14:02   ` Waiman Long
2026-05-08 14:19 ` Breno Leitao [this message]
2026-05-10 14:45   ` Mike Rapoport
2026-05-10 15:02 ` Mike Rapoport
2026-05-11  4:55   ` Waiman Long
2026-05-11  8:34     ` Mike Rapoport
2026-05-11 21:36       ` Waiman Long
2026-05-12 13:40         ` Frederic Weisbecker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=af3vPJQaDnSvyHoF@gmail.com \
    --to=leitao@debian.org \
    --cc=bsegall@google.com \
    --cc=dietmar.eggemann@arm.com \
    --cc=frederic@kernel.org \
    --cc=juri.lelli@redhat.com \
    --cc=kprateek.nayak@amd.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=longman@redhat.com \
    --cc=mgorman@suse.de \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=rostedt@goodmis.org \
    --cc=rppt@kernel.org \
    --cc=vincent.guittot@linaro.org \
    --cc=vschneid@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.