From: Bernhard Kaindl <bernhard.kaindl@citrix.com>
To: xen-devel@lists.xenproject.org
Cc: "Bernhard Kaindl" <bernhard.kaindl@citrix.com>,
	"Andrew Cooper" <andrew.cooper3@citrix.com>,
	"Anthony PERARD" <anthony.perard@vates.tech>,
	"Michal Orzel" <michal.orzel@amd.com>,
	"Jan Beulich" <jbeulich@suse.com>,
	"Julien Grall" <julien@xen.org>,
	"Roger Pau Monné" <roger.pau@citrix.com>,
	"Stefano Stabellini" <sstabellini@kernel.org>
Subject: [PATCH v2 0/2] xen/mm: Ensure page offlining only creates properly aligned buddies
Date: Wed,  3 Jun 2026 15:17:25 +0100
Message-ID: <cover.1780495548.git.bernhard.kaindl@citrix.com>

This series fixes a bug in reserve_offlined_page() where growing
buddies around offlined pages may create misaligned buddies and
return them to the free lists.

For example, pages may be offlined following an MCE caused by faulty RAM.
Once a misaligned buddy has been placed on a free list, a particular
sequence of allocations and frees may cause the same page to be allocated
more than once, eventually triggering a Xen BUG() in alloc_heap_pages().

As requested for backporting the fix, the first patch adds the alignment
check while the second patch now adds the regression test for this issue.

As a minimal example, consider an order-2 buddy (4 pages) with this layout:

   +---------------+-----------------+-----------------+----------------+
   | head page     | tail page 1     | tail page 2     | tail page 3    |
   +---------------+-----------------+-----------------+----------------+

reserve_offlined_page() then merges unaligned tail pages:

   +---------------+-----------------+-----------------+----------------+
   | offlined page |     head page with a tail page    | single page    |
   +---------------+-----------------+-----------------+----------------+

When a single page is allocated from this buddy, MFN 7 is allocated:

        MFN 4             MFN 5             MFN 6             MFN 7
  +---------------+-----------------+-----------------+----------------+
  | offlined page |    head page        tail page     | allocated page |
  +---------------+-----------------+-----------------+----------------+

If MFN 7 is freed, the predecessor merge in free_heap_pages() kicks in,
merging MFN 7 with its naturally aligned predecessor page at MFN 6:

        MFN 4             MFN 5             MFN 6            MFN 7
  +---------------+-----------------+-----------------+
  | offlined page |    head page         tail page    |
  +---------------+-----------------+-----------------+----------------+
                                    |    head page        tail page    |
                                    +-----------------+----------------+

The next allocations would allocate MFN 7 again and MFN 6 as well:

        MFN 4             MFN 5             MFN 6            MFN 7
  +---------------+-----------------+-----------------+
  | offlined page |    head page         tail page    | <- BUG() on alloc
  +---------------+-----------------+-----------------+----------------+
                                    |   in-use page   |   in-use page  |
                                    +-----------------+----------------+

When the next page from this buddy is allocated, get_free_page() returns
the buddy head MFN 5. An order-0 allocation splits page 6, or an order-1
allocation allocates the whole unaligned buddy. alloc_heap_pages()
catches the attempt to allocate MFN 6 for a second time as a bug:

   pg[0] MFN 842adc c=0x4000000000000000 o=0 v=0 t=0
   Xen BUG at common/page_alloc.c:1324

You can pull this series with the regression test environment to run it:
https://lists.xen.org/archives/html/xen-devel/2026-05/msg01163.html
git pull git@gitlab.com:bernhardkaindl/xen.git offline-unaligned-buddies-v2
make -C tools/tests/native TARGETS=offline-unaligned test

Fixes: e4865c2315 ('Page offline support in Xen side')
Signed-off-by: Bernhard Kaindl <bernhard.kaindl@citrix.com>

Bernhard Kaindl (2):
  xen/page_alloc: verify buddy alignment in reserve_offlined_page()
  tools/tests: Regression test checking unaligned pages after offlining

 tools/tests/native/offline-unaligned.c | 60 ++++++++++++++++++++++++++
 xen/common/page_alloc.c                |  5 +++
 2 files changed, 65 insertions(+)
 create mode 100644 tools/tests/native/offline-unaligned.c

-- 
2.39.5
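
A simplified user-space model of the regrow step described in this cover letter, added here as an illustration; it is not code from the series or from Xen. The names `regrow()` and `count_misaligned()`, the `struct chunk` type and the restriction to a single offlined page are assumptions of the model; the MFN 4..7 input is the layout from the message.

```c
#include <stddef.h>
#include <stdio.h>

/* A free chunk of 2^order pages starting at mfn (type constructed here). */
struct chunk { unsigned long mfn; unsigned int order; };

/*
 * Model: re-split the buddy [head, head + 2^head_order) around one offlined
 * page, growing each remaining run into the largest chunk inside the buddy.
 * With check_align set, a chunk only grows to an order its start MFN is a
 * multiple of.
 */
size_t regrow(unsigned long head, unsigned int head_order,
              unsigned long offlined, int check_align, struct chunk *out)
{
    unsigned long end = head + (1UL << head_order), cur = head;
    size_t n = 0;

    while (cur < end) {
        unsigned int order = 0;
        if (cur == offlined) { cur++; continue; }
        while (order < head_order) {
            unsigned long size = 1UL << (order + 1);
            if (cur + size > end) break;                        /* leaves buddy */
            if (offlined > cur && offlined < cur + size) break; /* spans bad page */
            if (check_align && (cur & (size - 1))) break;       /* start unaligned */
            order++;
        }
        out[n].mfn = cur; out[n].order = order; n++;
        cur += 1UL << order;
    }
    return n;
}

/* Count chunks whose start MFN is not a multiple of their size. */
size_t count_misaligned(const struct chunk *c, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += (c[i].mfn & ((1UL << c[i].order) - 1)) != 0;
    return bad;
}

int main(void)
{
    struct chunk out[8];
    for (int check = 0; check <= 1; check++) {
        size_t n = regrow(4, 2, 4, check, out);  /* MFN 4..7, MFN 4 offlined */
        printf("check=%d: %zu chunks, %zu misaligned\n", check, n, count_misaligned(out, n));
    }
    return 0;
}
```

Without the check the model yields an order-1 chunk at MFN 5 plus a single page at MFN 7, the layout shown in the second diagram; with it, MFN 5 stays order-0 and MFN 6-7 form the aligned order-1 chunk.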



Thread overview: 5+ messages
2026-06-03 14:17 Bernhard Kaindl [this message]
2026-06-03 14:17 ` [PATCH v2 1/2] xen/page_alloc: verify buddy alignment in reserve_offlined_page() Bernhard Kaindl
2026-06-03 14:30   ` Jan Beulich
2026-06-04  9:43     ` Oleksii Kurochko
2026-06-03 14:17 ` [PATCH v2 2/2] tools/tests: Regression test checking unaligned pages after offlining Bernhard Kaindl
