Linux s390 Architecture development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
Cc: "Heiko Carstens" <hca@linux.ibm.com>,
	"Vasily Gorbik" <gor@linux.ibm.com>,
	linux-s390@vger.kernel.org,
	"Alexander Gordeev" <agordeev@linux.ibm.com>
Subject: Re: [PATCH v7 02/22] dma-pool: fix page leak in atomic_pool_expand() cleanup
Date: Wed, 01 Jul 2026 06:08:25 +0000	[thread overview]
Message-ID: <20260701060826.5755F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701054926.825925-3-aneesh.kumar@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Medium] Pages allocated from CMA are incorrectly freed using `__free_pages()` instead of `dma_release_from_contiguous()`, permanently leaking CMA tracking capacity.
--

commit ede353d82bd6f31cd894661b3fa06b014104f3cc
Author: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>

dma-pool: fix page leak in atomic_pool_expand() cleanup
    
atomic_pool_expand() frees the allocated pages from the remove_mapping
error path only when CONFIG_DMA_DIRECT_REMAP is enabled. This patch ensures
the pages are always freed on failure paths by moving the __free_pages() call
outside the CONFIG_DMA_DIRECT_REMAP block.

> diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c
> index 2b2fbb7092429..b0303efbc1532 100644
> --- a/kernel/dma/pool.c
> +++ b/kernel/dma/pool.c

[ ... ]

> @@ -130,14 +133,15 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size,
>  				   1 << order);
>  	if (WARN_ON_ONCE(ret)) {
>  		/* Decrypt succeeded but encrypt failed, purposely leak */
> -		goto out;
> +		leak_pages = true;
>  	}
>  remove_mapping:
>  #ifdef CONFIG_DMA_DIRECT_REMAP
>  	dma_common_free_remap(addr, pool_size);
>  free_page:
> -	__free_pages(page, order);
>  #endif
> +	if (!leak_pages)
> +		__free_pages(page, order);
                ^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: Medium]
This is a pre-existing issue, but does this cleanup path correctly handle
pages allocated from CMA?

Looking at the allocation logic earlier in atomic_pool_expand():

	do {
		pool_size = 1 << (PAGE_SHIFT + order);
		if (cma_in_zone(gfp))
			page = dma_alloc_from_contiguous(NULL, 1 << order,
							 order, false);
		if (!page)
			page = alloc_pages(gfp | __GFP_NOWARN, order);
	} while (!page && order-- > 0);

If the page was allocated via dma_alloc_from_contiguous(), freeing it
directly with __free_pages() bypasses the CMA bitmap cleanup. This returns
the page to the buddy allocator but permanently reduces the memory available
for contiguous allocations.

Should this instead check if the page came from CMA and call
dma_release_from_contiguous() accordingly?

>  out:
>  	return ret;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701054926.825925-1-aneesh.kumar@kernel.org?part=2

  reply	other threads:[~2026-07-01  6:08 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01  5:49 [PATCH v7 00/22] dma-mapping: Track shared DMA state through direct, pool and swiotlb paths Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 01/22] dma-direct: return struct page from dma_direct_alloc_from_pool() Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 02/22] dma-pool: fix page leak in atomic_pool_expand() cleanup Aneesh Kumar K.V (Arm)
2026-07-01  6:08   ` sashiko-bot [this message]
2026-07-01  5:49 ` [PATCH v7 03/22] iommu/dma: Check atomic pool allocation result directly Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 04/22] dma: free atomic pool pages by physical address Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 05/22] swiotlb: Preserve allocation virtual address for dynamic pools Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 06/22] s390: Expose protected virtualization through cc_platform_has() Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 07/22] dma-direct: swiotlb: handle swiotlb alloc/free outside __dma_direct_alloc_pages Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 08/22] coco: arm64: s390: powerpc: Mark secure guests with CC_ATTR_GUEST_MEM_ENCRYPT Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 09/22] dma-mapping: Add internal shared allocation attribute Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 10/22] dma-direct: use __DMA_ATTR_ALLOC_CC_SHARED in alloc/free paths Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 11/22] dma-pool: track decrypted atomic pools and select them via attrs Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 12/22] dma: swiotlb: pass mapping attributes by reference Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 13/22] dma: swiotlb: track pool encryption state and honor DMA_ATTR_CC_SHARED Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 14/22] dma-mapping: make dma_pgprot() honor __DMA_ATTR_ALLOC_CC_SHARED Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 15/22] dma-direct: pass attrs to dma_capable() for DMA_ATTR_CC_SHARED checks Aneesh Kumar K.V (Arm)
2026-07-01  6:14   ` sashiko-bot
2026-07-01  5:49 ` [PATCH v7 16/22] dma-direct: make dma_direct_map_phys() honor DMA_ATTR_CC_SHARED Aneesh Kumar K.V (Arm)
2026-07-01  6:14   ` sashiko-bot
2026-07-01  5:49 ` [PATCH v7 17/22] dma-direct: set decrypted flag for remapped DMA allocations Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 18/22] dma-direct: select DMA address encoding from __DMA_ATTR_ALLOC_CC_SHARED Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 19/22] dma-direct: rename ret to cpu_addr in alloc helpers Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 20/22] dma: swiotlb: free dynamic pools from process context Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 21/22] dma: swiotlb: handle set_memory_decrypted() failures Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 22/22] swiotlb: remove unused SWIOTLB_FORCE flag Aneesh Kumar K.V (Arm)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701060826.5755F1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=agordeev@linux.ibm.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=linux-s390@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox