* [PATCH] mm/cma_debug: fix invalid accesses for inactive CMA areas
From: Muchun Song @ 2026-05-20 6:10 UTC
To: Andrew Morton, David Hildenbrand, linux-mm
Cc: Lorenzo Stoakes, Liam R. Howlett, Vlastimil Babka, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Frank van der Linden,
Stefan Strogin, Dmitry Safonov, Michal Nazarewicz, linux-kernel,
stable, Muchun Song, muchun.song
cma_activate_area() can fail after allocating range bitmaps. Its cleanup
path frees those bitmaps, but only clears cma->count and
cma->available_count. It leaves cma->nranges and each range's count in
place, so cma_debugfs_init() can still register debugfs files for an area
that never activated successfully.

That exposes two problems. Reading the bitmap file can make debugfs walk a
freed range bitmap and trigger an invalid memory access. Reading maxchunk
can also take cma->lock even though that lock is initialized only on the
successful activation path.

Fix this by creating debugfs entries only for CMA areas that reached
CMA_ACTIVATED.
Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
Fixes: 2e32b947606d ("mm: cma: add functions to get region pages counters")
Cc: stable@vger.kernel.org
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
---
mm/cma_debug.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mm/cma_debug.c b/mm/cma_debug.c
index 5ae38f5abbcc..523ba4a0f9f7 100644
--- a/mm/cma_debug.c
+++ b/mm/cma_debug.c
@@ -205,7 +205,8 @@ static int __init cma_debugfs_init(void)
cma_debugfs_root = debugfs_create_dir("cma", NULL);
for (i = 0; i < cma_area_count; i++)
- cma_debugfs_add_one(&cma_areas[i], cma_debugfs_root);
+ if (test_bit(CMA_ACTIVATED, &cma_areas[i].flags))
+ cma_debugfs_add_one(&cma_areas[i], cma_debugfs_root);
return 0;
}
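Review bot: the `for` body in this hunk is now a two-line `if (test_bit(CMA_ACTIVATED, &cma_areas[i].flags))` / `cma_debugfs_add_one(...)` statement with no braces; kernel coding style asks for braces around a loop whose body is more than a single simple statement, so the loop should read `for (i = 0; i < cma_area_count; i++) {` ... `}`. A one-line comment above the `test_bit()` stating why inactive areas are skipped (their range bitmaps were freed and `cma->lock` was never initialized, as the commit message explains) would save the next reader a trip to the log. Since the message also notes that `cma_activate_area()`'s cleanup leaves `cma->nranges` and the per-range counts in place, consider clearing those in that error path too: gating this one consumer removes the debugfs symptom but leaves the stale state for any other walker over `cma_areas[]`, which the thread's question about `cma_sysfs_init()` touches on.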
base-commit: e98d21c170b01ddef366f023bbfcf6b31509fa83
--
2.54.0
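The failure path the commit message describes, modelled in userland C as an added illustration (not code from mm/cma.c or from this patch): an area whose activation fails after its range bitmaps were allocated, a cleanup that frees the bitmaps but leaves nranges and the per-range counts intact, and a debugfs-style reader that later walks them. The struct layout, the `activated` field standing in for the CMA_ACTIVATED flag, `run_model()` and its `gate_on_activated` / `full_reset` knobs are simplifications chosen here. Freed bitmap pointers are nulled so the stale read is reported as a return code instead of being undefined behaviour; the model covers both the patch's approach (register only activated areas) and the alternative of resetting the range metadata in the error path.

```c
/* Added userland model of the CMA activation failure; not kernel code.
 * Field names follow the commit message; 'activated' models CMA_ACTIVATED. */
#include <stdbool.h>
#include <stdlib.h>

#define MAX_AREAS  2
#define MAX_RANGES 2

struct cma_range {
	unsigned long count;	/* pages covered by this range */
	unsigned long *bitmap;	/* NULL after free so a stale use is detectable here */
};

struct cma_area {
	unsigned long count;
	unsigned long available_count;
	int nranges;
	bool activated;		/* models test_bit(CMA_ACTIVATED, &cma->flags) */
	struct cma_range ranges[MAX_RANGES];
};

enum { READ_OK = 0, READ_FREED_BITMAP = -1 };

/* Allocate one bitmap per range, then succeed or fail at a later step.
 * On failure the cleanup frees the bitmaps and clears count and
 * available_count; unless full_reset is set it leaves nranges and the
 * per-range counts untouched, as the commit message describes. */
static int cma_activate_area(struct cma_area *cma, bool fail_late, bool full_reset)
{
	int r;

	for (r = 0; r < cma->nranges; r++) {
		cma->ranges[r].bitmap = calloc(1, sizeof(unsigned long));
		if (!cma->ranges[r].bitmap)
			goto cleanup;
	}
	if (fail_late)
		goto cleanup;
	cma->activated = true;
	return 0;

cleanup:
	for (r = 0; r < cma->nranges; r++) {
		free(cma->ranges[r].bitmap);
		cma->ranges[r].bitmap = NULL;
	}
	cma->count = 0;
	cma->available_count = 0;
	if (full_reset) {
		/* Hardened variant: drop the range metadata a later walker keys on. */
		for (r = 0; r < cma->nranges; r++)
			cma->ranges[r].count = 0;
		cma->nranges = 0;
	}
	return -1;
}

/* Models the debugfs "bitmap" file: walks every range the area still claims. */
static int cma_bitmap_read(const struct cma_area *cma)
{
	int r;

	for (r = 0; r < cma->nranges; r++)
		if (cma->ranges[r].count && !cma->ranges[r].bitmap)
			return READ_FREED_BITMAP; /* the kernel would touch freed memory here */
	return READ_OK;
}

/* Area 0 activates, area 1 fails late. gate_on_activated is the patch's
 * check; full_reset is the alternative of clearing nranges on failure.
 * Returns READ_FREED_BITMAP if a registered area's read hits a freed
 * bitmap, otherwise the number of areas that were registered. */
static int run_model(bool gate_on_activated, bool full_reset)
{
	struct cma_area areas[MAX_AREAS] = {
		{ .count = 64, .available_count = 64, .nranges = 1,
		  .ranges = { { .count = 64 } } },
		{ .count = 64, .available_count = 64, .nranges = 2,
		  .ranges = { { .count = 32 }, { .count = 32 } } },
	};
	int registered = 0, result = READ_OK, i, r;

	cma_activate_area(&areas[0], false, full_reset);
	cma_activate_area(&areas[1], true, full_reset);

	for (i = 0; i < MAX_AREAS && result == READ_OK; i++) {
		if (gate_on_activated && !areas[i].activated)
			continue;	/* what the patch adds to cma_debugfs_init() */
		registered++;
		result = cma_bitmap_read(&areas[i]);
	}
	for (i = 0; i < MAX_AREAS; i++)
		for (r = 0; r < areas[i].nranges; r++)
			free(areas[i].ranges[r].bitmap);
	return result == READ_OK ? registered : READ_FREED_BITMAP;
}
```

`run_model(false, false)` reproduces the bug: the half-cleaned area is registered and its read reaches a freed bitmap. `run_model(true, false)` is the patch: the area is never registered. `run_model(false, true)` shows the other route: the area is still registered, but with nranges reset there is nothing left to walk.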
* Re: [PATCH] mm/cma_debug: fix invalid accesses for inactive CMA areas
From: Mike Rapoport @ 2026-05-20 6:28 UTC
To: Muchun Song
Cc: Andrew Morton, David Hildenbrand, linux-mm, Lorenzo Stoakes,
Liam R. Howlett, Vlastimil Babka, Suren Baghdasaryan,
Michal Hocko, Frank van der Linden, Stefan Strogin,
Dmitry Safonov, Michal Nazarewicz, linux-kernel, stable,
muchun.song
On Wed, May 20, 2026 at 02:10:25PM +0800, Muchun Song wrote:
> cma_activate_area() can fail after allocating range bitmaps. Its cleanup
> path frees those bitmaps, but only clears cma->count and
> cma->available_count. It leaves cma->nranges and each range's count in
> place, so cma_debugfs_init() can still register debugfs files for an area
> that never activated successfully.
>
> That exposes two problems. Reading the bitmap file can make debugfs walk a
> freed range bitmap and trigger an invalid memory access. Reading maxchunk
> can also take cma->lock even though that lock is initialized only on the
> successful activation path.
>
> Fix this by creating debugfs entries only for CMA areas that reached
> CMA_ACTIVATED.
>
> Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
> Fixes: 2e32b947606d ("mm: cma: add functions to get region pages counters")
> Cc: stable@vger.kernel.org
> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
> ---
> mm/cma_debug.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/mm/cma_debug.c b/mm/cma_debug.c
> index 5ae38f5abbcc..523ba4a0f9f7 100644
> --- a/mm/cma_debug.c
> +++ b/mm/cma_debug.c
> @@ -205,7 +205,8 @@ static int __init cma_debugfs_init(void)
> cma_debugfs_root = debugfs_create_dir("cma", NULL);
>
> for (i = 0; i < cma_area_count; i++)
> - cma_debugfs_add_one(&cma_areas[i], cma_debugfs_root);
> + if (test_bit(CMA_ACTIVATED, &cma_areas[i].flags))
> + cma_debugfs_add_one(&cma_areas[i], cma_debugfs_root);
>
> return 0;
> }
>
> base-commit: e98d21c170b01ddef366f023bbfcf6b31509fa83
> --
> 2.54.0
>
>
--
Sincerely yours,
Mike.
* Re: [PATCH] mm/cma_debug: fix invalid accesses for inactive CMA areas
From: Oscar Salvador (SUSE) @ 2026-05-20 7:27 UTC
To: Muchun Song
Cc: Andrew Morton, David Hildenbrand, linux-mm, Lorenzo Stoakes,
Liam R. Howlett, Vlastimil Babka, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Frank van der Linden,
Stefan Strogin, Dmitry Safonov, Michal Nazarewicz, linux-kernel,
stable, muchun.song
On Wed, May 20, 2026 at 02:10:25PM +0800, Muchun Song wrote:
> cma_activate_area() can fail after allocating range bitmaps. Its cleanup
> path frees those bitmaps, but only clears cma->count and
> cma->available_count. It leaves cma->nranges and each range's count in
> place, so cma_debugfs_init() can still register debugfs files for an area
> that never activated successfully.
>
> That exposes two problems. Reading the bitmap file can make debugfs walk a
> freed range bitmap and trigger an invalid memory access. Reading maxchunk
> can also take cma->lock even though that lock is initialized only on the
> successful activation path.
>
> Fix this by creating debugfs entries only for CMA areas that reached
> CMA_ACTIVATED.
>
> Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
> Fixes: 2e32b947606d ("mm: cma: add functions to get region pages counters")
> Cc: stable@vger.kernel.org
> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
For the change:

Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>

About Fixes, does this mean that before c009da4258f9 ("mm, cma: support
multiple contiguous ranges, if requested"), this was already triggerable
after 2e32b947606d?
--
Oscar Salvador
SUSE Labs
* Re: [PATCH] mm/cma_debug: fix invalid accesses for inactive CMA areas
From: Muchun Song @ 2026-05-20 7:37 UTC
To: Oscar Salvador (SUSE)
Cc: Muchun Song, Andrew Morton, David Hildenbrand, linux-mm,
Lorenzo Stoakes, Liam R. Howlett, Vlastimil Babka, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Frank van der Linden,
Stefan Strogin, Dmitry Safonov, Michal Nazarewicz, linux-kernel,
stable
> On May 20, 2026, at 15:27, Oscar Salvador (SUSE) <osalvador@kernel.org> wrote:
>
> On Wed, May 20, 2026 at 02:10:25PM +0800, Muchun Song wrote:
>> cma_activate_area() can fail after allocating range bitmaps. Its cleanup
>> path frees those bitmaps, but only clears cma->count and
>> cma->available_count. It leaves cma->nranges and each range's count in
>> place, so cma_debugfs_init() can still register debugfs files for an area
>> that never activated successfully.
>>
>> That exposes two problems. Reading the bitmap file can make debugfs walk a
>> freed range bitmap and trigger an invalid memory access. Reading maxchunk
>> can also take cma->lock even though that lock is initialized only on the
>> successful activation path.
>>
>> Fix this by creating debugfs entries only for CMA areas that reached
>> CMA_ACTIVATED.
>>
>> Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
>> Fixes: 2e32b947606d ("mm: cma: add functions to get region pages counters")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
>
> For the change:
>
> Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
>
> About Fixes, does this mean that before c009da4258f9 ("mm, cma: support
> multiple contiguous ranges, if requested"), this was already triggerable
> after 2e32b947606d?
c009da4258f9 introduced the invalid access to the bitmap file. 2e32b947606d introduced
the invalid access to cma->lock.

This change applies to both issues, so I added two Fixes tags.

Thanks.
>
>
> --
> Oscar Salvador
> SUSE Labs
* Re: [PATCH] mm/cma_debug: fix invalid accesses for inactive CMA areas
From: David Hildenbrand (Arm) @ 2026-05-20 8:19 UTC
To: Muchun Song, Andrew Morton, linux-mm
Cc: Lorenzo Stoakes, Liam R. Howlett, Vlastimil Babka, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Frank van der Linden,
Stefan Strogin, Dmitry Safonov, Michal Nazarewicz, linux-kernel,
stable, muchun.song
On 5/20/26 08:10, Muchun Song wrote:
> cma_activate_area() can fail after allocating range bitmaps. Its cleanup
> path frees those bitmaps, but only clears cma->count and
> cma->available_count. It leaves cma->nranges and each range's count in
> place, so cma_debugfs_init() can still register debugfs files for an area
> that never activated successfully.
>
> That exposes two problems. Reading the bitmap file can make debugfs walk a
> freed range bitmap and trigger an invalid memory access. Reading maxchunk
> can also take cma->lock even though that lock is initialized only on the
> successful activation path.
>
> Fix this by creating debugfs entries only for CMA areas that reached
> CMA_ACTIVATED.
>
> Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
> Fixes: 2e32b947606d ("mm: cma: add functions to get region pages counters")
> Cc: stable@vger.kernel.org
> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
> ---
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
cma_sysfs_init() also traverses all cma_area_count. Does it make sense to expose
them there?
--
Cheers,
David
* Re: [PATCH] mm/cma_debug: fix invalid accesses for inactive CMA areas
From: Muchun Song @ 2026-05-20 8:28 UTC
To: David Hildenbrand (Arm)
Cc: Muchun Song, Andrew Morton, linux-mm, Lorenzo Stoakes,
Liam R. Howlett, Vlastimil Babka, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Frank van der Linden,
Stefan Strogin, Dmitry Safonov, Michal Nazarewicz, linux-kernel,
stable
> On May 20, 2026, at 16:19, David Hildenbrand (Arm) <david@kernel.org> wrote:
>
> On 5/20/26 08:10, Muchun Song wrote:
>> cma_activate_area() can fail after allocating range bitmaps. Its cleanup
>> path frees those bitmaps, but only clears cma->count and
>> cma->available_count. It leaves cma->nranges and each range's count in
>> place, so cma_debugfs_init() can still register debugfs files for an area
>> that never activated successfully.
>>
>> That exposes two problems. Reading the bitmap file can make debugfs walk a
>> freed range bitmap and trigger an invalid memory access. Reading maxchunk
>> can also take cma->lock even though that lock is initialized only on the
>> successful activation path.
>>
>> Fix this by creating debugfs entries only for CMA areas that reached
>> CMA_ACTIVATED.
>>
>> Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
>> Fixes: 2e32b947606d ("mm: cma: add functions to get region pages counters")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
>> ---
>
> Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Thanks.
>
> cma_sysfs_init() also traverses all cma_area_count. Does it make sense to expose
> them there?
It is better to hide them from users. A separate cleanup patch is better since
there is no critical issue when accessing those sysfs files.
Thanks,
Muchun
>
> --
> Cheers,
>
> David