* [PATCH 1/4] scsi: target: file: use kmalloc() to allocate temporary protection buffer
2026-06-30 10:54 [PATCH 0/4] scsi: replace __get_free_pages() with kmalloc() Mike Rapoport (Microsoft)
@ 2026-06-30 10:54 ` Mike Rapoport (Microsoft)
2026-07-01 6:58 ` Hannes Reinecke
2026-06-30 10:54 ` [PATCH 2/4] scsi: proc: use kmalloc() in proc writers Mike Rapoport (Microsoft)
` (2 subsequent siblings)
3 siblings, 1 reply; 16+ messages in thread
From: Mike Rapoport (Microsoft) @ 2026-06-30 10:54 UTC (permalink / raw)
To: Martin K. Petersen
Cc: Brian King, James E.J. Bottomley, Matthew Wilcox, Mike Rapoport,
linux-kernel, linux-mm, linux-scsi, target-devel
fd_do_prot_unmap() uses __get_free_page() to allocate a temporary buffer
that is used to invalidate protection info for the unmapped region by
filling with 0xff pattern.
This buffer can be allocated with kmalloc() as there's nothing special
about it to go directly to the page allocator.
kmalloc() provides a better API that does not require ugly casts and
kfree() does not need to know the size of the freed object.
Replace use of __get_free_page() with kmalloc().
Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
---
drivers/target/target_core_file.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c
index 62ced9f5102f..ab9824a4852f 100644
--- a/drivers/target/target_core_file.c
+++ b/drivers/target/target_core_file.c
@@ -516,7 +516,7 @@ fd_do_prot_unmap(struct se_cmd *cmd, sector_t lba, sector_t nolb)
void *buf;
int rc;
- buf = (void *)__get_free_page(GFP_KERNEL);
+ buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
if (!buf) {
pr_err("Unable to allocate FILEIO prot buf\n");
return -ENOMEM;
@@ -524,7 +524,7 @@ fd_do_prot_unmap(struct se_cmd *cmd, sector_t lba, sector_t nolb)
rc = fd_do_prot_fill(cmd->se_dev, lba, nolb, buf, PAGE_SIZE);
- free_page((unsigned long)buf);
+ kfree(buf);
return rc;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 16+ messages in thread* Re: [PATCH 1/4] scsi: target: file: use kmalloc() to allocate temporary protection buffer
2026-06-30 10:54 ` [PATCH 1/4] scsi: target: file: use kmalloc() to allocate temporary protection buffer Mike Rapoport (Microsoft)
@ 2026-07-01 6:58 ` Hannes Reinecke
0 siblings, 0 replies; 16+ messages in thread
From: Hannes Reinecke @ 2026-07-01 6:58 UTC (permalink / raw)
To: Mike Rapoport (Microsoft), Martin K. Petersen
Cc: Brian King, James E.J. Bottomley, Matthew Wilcox, linux-kernel,
linux-mm, linux-scsi, target-devel
On 6/30/26 12:54 PM, Mike Rapoport (Microsoft) wrote:
> fd_do_prot_unmap() uses __get_free_page() to allocate a temporary buffer
> that is used to invalidate protection info for the unmapped region by
> filling with 0xff pattern.
>
> This buffer can be allocated with kmalloc() as there's nothing special
> about it to go directly to the page allocator.
>
> kmalloc() provides a better API that does not require ugly casts and
> kfree() does not need to know the size of the freed object.
>
> Replace use of __get_free_page() with kmalloc().
>
> Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
> Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
> ---
> drivers/target/target_core_file.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c
> index 62ced9f5102f..ab9824a4852f 100644
> --- a/drivers/target/target_core_file.c
> +++ b/drivers/target/target_core_file.c
> @@ -516,7 +516,7 @@ fd_do_prot_unmap(struct se_cmd *cmd, sector_t lba, sector_t nolb)
> void *buf;
> int rc;
>
> - buf = (void *)__get_free_page(GFP_KERNEL);
> + buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
> if (!buf) {
> pr_err("Unable to allocate FILEIO prot buf\n");
> return -ENOMEM;
> @@ -524,7 +524,7 @@ fd_do_prot_unmap(struct se_cmd *cmd, sector_t lba, sector_t nolb)
>
> rc = fd_do_prot_fill(cmd->se_dev, lba, nolb, buf, PAGE_SIZE);
>
> - free_page((unsigned long)buf);
> + kfree(buf);
>
> return rc;
> }
>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.com +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 2/4] scsi: proc: use kmalloc() in proc writers
2026-06-30 10:54 [PATCH 0/4] scsi: replace __get_free_pages() with kmalloc() Mike Rapoport (Microsoft)
2026-06-30 10:54 ` [PATCH 1/4] scsi: target: file: use kmalloc() to allocate temporary protection buffer Mike Rapoport (Microsoft)
@ 2026-06-30 10:54 ` Mike Rapoport (Microsoft)
2026-06-30 11:19 ` sashiko-bot
` (2 more replies)
2026-06-30 10:54 ` [PATCH 3/4] scsi: ipr: use kmalloc() to allocate IPR dump buffer memory Mike Rapoport (Microsoft)
2026-06-30 10:54 ` [PATCH 4/4] scsi: sym53c8xx_2: replace __get_free_pages() with kmalloc() Mike Rapoport (Microsoft)
3 siblings, 3 replies; 16+ messages in thread
From: Mike Rapoport (Microsoft) @ 2026-06-30 10:54 UTC (permalink / raw)
To: Martin K. Petersen
Cc: Brian King, James E.J. Bottomley, Matthew Wilcox, Mike Rapoport,
linux-kernel, linux-mm, linux-scsi, target-devel
proc_scsi_host_write(), proc_scsi_write() and proc_scsi_devinfo_write()
allocate temporary buffers for /proc writes using __get_free_page().
These buffers can be allocated with kmalloc() as there's nothing special
about them to go directly to the page allocator.
kmalloc() provides a better API that does not require ugly casts and
kfree() does not need to know the size of the freed object.
Replace use of __get_free_page() with kmalloc().
Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
---
drivers/scsi/scsi_devinfo.c | 4 ++--
drivers/scsi/scsi_proc.c | 9 +++++----
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
index 15ffbe93ac72..6dd342fe9a69 100644
--- a/drivers/scsi/scsi_devinfo.c
+++ b/drivers/scsi/scsi_devinfo.c
@@ -691,7 +691,7 @@ static ssize_t proc_scsi_devinfo_write(struct file *file,
if (!buf || length>PAGE_SIZE)
return -EINVAL;
- if (!(buffer = (char *) __get_free_page(GFP_KERNEL)))
+ if (!(buffer = kmalloc(PAGE_SIZE, GFP_KERNEL)))
return -ENOMEM;
if (copy_from_user(buffer, buf, length)) {
err =-EFAULT;
@@ -708,7 +708,7 @@ static ssize_t proc_scsi_devinfo_write(struct file *file,
scsi_dev_info_list_add_str(buffer);
out:
- free_page((unsigned long)buffer);
+ kfree(buffer);
return err;
}
diff --git a/drivers/scsi/scsi_proc.c b/drivers/scsi/scsi_proc.c
index 1799dcae775c..fdc355d783da 100644
--- a/drivers/scsi/scsi_proc.c
+++ b/drivers/scsi/scsi_proc.c
@@ -28,6 +28,7 @@
#include <linux/mutex.h>
#include <linux/gfp.h>
#include <linux/uaccess.h>
+#include <linux/slab.h>
#include <scsi/scsi.h>
#include <scsi/scsi_device.h>
@@ -74,7 +75,7 @@ static ssize_t proc_scsi_host_write(struct file *file, const char __user *buf,
if (!shost->hostt->write_info)
return -EINVAL;
- page = (char *)__get_free_page(GFP_KERNEL);
+ page = kmalloc(PAGE_SIZE, GFP_KERNEL);
if (page) {
ret = -EFAULT;
if (copy_from_user(page, buf, count))
@@ -82,7 +83,7 @@ static ssize_t proc_scsi_host_write(struct file *file, const char __user *buf,
ret = shost->hostt->write_info(shost, page, count);
}
out:
- free_page((unsigned long)page);
+ kfree(page);
return ret;
}
@@ -412,7 +413,7 @@ static ssize_t proc_scsi_write(struct file *file, const char __user *buf,
if (!buf || length > PAGE_SIZE)
return -EINVAL;
- buffer = (char *)__get_free_page(GFP_KERNEL);
+ buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
if (!buffer)
return -ENOMEM;
@@ -467,7 +468,7 @@ static ssize_t proc_scsi_write(struct file *file, const char __user *buf,
err = length;
out:
- free_page((unsigned long)buffer);
+ kfree(buffer);
return err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 16+ messages in thread* Re: [PATCH 2/4] scsi: proc: use kmalloc() in proc writers
2026-06-30 10:54 ` [PATCH 2/4] scsi: proc: use kmalloc() in proc writers Mike Rapoport (Microsoft)
@ 2026-06-30 11:19 ` sashiko-bot
2026-07-01 6:58 ` Hannes Reinecke
2026-07-01 10:52 ` John Garry
2 siblings, 0 replies; 16+ messages in thread
From: sashiko-bot @ 2026-06-30 11:19 UTC (permalink / raw)
Cc: linux-scsi
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The buffer allocated for the SCSI host write_info callback is not zero-initialized or explicitly null-terminated before being passed to drivers. This causes drivers that use string-parsing functions like simple_strtoul() to read past the user-provided length into uninitialized memory.
--
commit 781e3d263bb9419478bfe3f51bf7dd6d8c93c647
Author: Mike Rapoport (Microsoft) <rppt@kernel.org>
scsi: proc: use kmalloc() in proc writers
proc_scsi_host_write(), proc_scsi_write() and proc_scsi_devinfo_write()
allocate temporary buffers for /proc writes using __get_free_page().
This commit replaces the __get_free_page() calls with kmalloc().
Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
> diff --git a/drivers/scsi/scsi_proc.c b/drivers/scsi/scsi_proc.c
> index 1799dcae775c0..fdc355d783da3 100644
> --- a/drivers/scsi/scsi_proc.c
> +++ b/drivers/scsi/scsi_proc.c
[ ... ]
> @@ -74,7 +75,7 @@ static ssize_t proc_scsi_host_write(struct file *file, const char __user *buf,
> if (!shost->hostt->write_info)
> return -EINVAL;
>
> - page = (char *)__get_free_page(GFP_KERNEL);
> + page = kmalloc(PAGE_SIZE, GFP_KERNEL);
> if (page) {
> ret = -EFAULT;
> if (copy_from_user(page, buf, count))
> goto out;
> ret = shost->hostt->write_info(shost, page, count);
[Severity: High]
This is a pre-existing issue, but the buffer allocated for the SCSI host
write_info callback is not zero-initialized or explicitly null-terminated
before being passed to drivers.
If a user writes data to a SCSI host /proc file without appending a non-digit
character (like a newline or null terminator), driver callbacks that use
string parsing functions like simple_strtoul() will continue reading past
the user input into uninitialized memory.
For example, this can happen in drivers/scsi/imm.c:imm_write_info():
dev->mode = simple_strtoul(buffer + 5, NULL, 0);
Could we explicitly null-terminate the buffer or use kzalloc() here, so that
these string parsing functions don't read garbage data from uninitialized
memory?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630-b4-scsi-v1-0-494fb37ebe7b@kernel.org?part=2
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 2/4] scsi: proc: use kmalloc() in proc writers
2026-06-30 10:54 ` [PATCH 2/4] scsi: proc: use kmalloc() in proc writers Mike Rapoport (Microsoft)
2026-06-30 11:19 ` sashiko-bot
@ 2026-07-01 6:58 ` Hannes Reinecke
2026-07-01 10:52 ` John Garry
2 siblings, 0 replies; 16+ messages in thread
From: Hannes Reinecke @ 2026-07-01 6:58 UTC (permalink / raw)
To: Mike Rapoport (Microsoft), Martin K. Petersen
Cc: Brian King, James E.J. Bottomley, Matthew Wilcox, linux-kernel,
linux-mm, linux-scsi, target-devel
On 6/30/26 12:54 PM, Mike Rapoport (Microsoft) wrote:
> proc_scsi_host_write(), proc_scsi_write() and proc_scsi_devinfo_write()
> allocate temporary buffers for /proc writes using __get_free_page().
>
> These buffers can be allocated with kmalloc() as there's nothing special
> about them to go directly to the page allocator.
>
> kmalloc() provides a better API that does not require ugly casts and
> kfree() does not need to know the size of the freed object.
>
> Replace use of __get_free_page() with kmalloc().
>
> Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
> Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
> ---
> drivers/scsi/scsi_devinfo.c | 4 ++--
> drivers/scsi/scsi_proc.c | 9 +++++----
> 2 files changed, 7 insertions(+), 6 deletions(-)
>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.com +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 2/4] scsi: proc: use kmalloc() in proc writers
2026-06-30 10:54 ` [PATCH 2/4] scsi: proc: use kmalloc() in proc writers Mike Rapoport (Microsoft)
2026-06-30 11:19 ` sashiko-bot
2026-07-01 6:58 ` Hannes Reinecke
@ 2026-07-01 10:52 ` John Garry
2026-07-01 13:50 ` Mike Rapoport
2 siblings, 1 reply; 16+ messages in thread
From: John Garry @ 2026-07-01 10:52 UTC (permalink / raw)
To: Mike Rapoport (Microsoft), Martin K. Petersen
Cc: Brian King, James E.J. Bottomley, Matthew Wilcox, linux-kernel,
linux-mm, linux-scsi, target-devel
On 30/06/2026 11:54, Mike Rapoport (Microsoft) wrote:
> if (!buf || length>PAGE_SIZE)
> return -EINVAL;
> - if (!(buffer = (char *) __get_free_page(GFP_KERNEL)))
> + if (!(buffer = kmalloc(PAGE_SIZE, GFP_KERNEL)))
> return -ENOMEM;
It would have been nice to use standard coding style checks for
allocation failures, i.e.
buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
if (!buffer)
return -ENOMEM;
> if (copy_from_user(buffer, buf
Regardless of that:
Reviewed-by: John Garry <john.g.garry@oracle.com>
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 2/4] scsi: proc: use kmalloc() in proc writers
2026-07-01 10:52 ` John Garry
@ 2026-07-01 13:50 ` Mike Rapoport
0 siblings, 0 replies; 16+ messages in thread
From: Mike Rapoport @ 2026-07-01 13:50 UTC (permalink / raw)
To: John Garry
Cc: Martin K. Petersen, Brian King, James E.J. Bottomley,
Matthew Wilcox, linux-kernel, linux-mm, linux-scsi, target-devel
On Wed, Jul 01, 2026 at 11:52:21AM +0100, John Garry wrote:
> On 30/06/2026 11:54, Mike Rapoport (Microsoft) wrote:
> > if (!buf || length>PAGE_SIZE)
> > return -EINVAL;
> > - if (!(buffer = (char *) __get_free_page(GFP_KERNEL)))
> > + if (!(buffer = kmalloc(PAGE_SIZE, GFP_KERNEL)))
> > return -ENOMEM;
>
> It would have been nice to use standard coding style checks for allocation
> failures, i.e.
>
> buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
> if (!buffer)
> return -ENOMEM;
Sure.
> > if (copy_from_user(buffer, buf
>
>
> Regardless of that:
>
> Reviewed-by: John Garry <john.g.garry@oracle.com>
Thanks!
--
Sincerely yours,
Mike.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 3/4] scsi: ipr: use kmalloc() to allocate IPR dump buffer memory
2026-06-30 10:54 [PATCH 0/4] scsi: replace __get_free_pages() with kmalloc() Mike Rapoport (Microsoft)
2026-06-30 10:54 ` [PATCH 1/4] scsi: target: file: use kmalloc() to allocate temporary protection buffer Mike Rapoport (Microsoft)
2026-06-30 10:54 ` [PATCH 2/4] scsi: proc: use kmalloc() in proc writers Mike Rapoport (Microsoft)
@ 2026-06-30 10:54 ` Mike Rapoport (Microsoft)
2026-06-30 11:28 ` sashiko-bot
2026-07-01 7:03 ` Hannes Reinecke
2026-06-30 10:54 ` [PATCH 4/4] scsi: sym53c8xx_2: replace __get_free_pages() with kmalloc() Mike Rapoport (Microsoft)
3 siblings, 2 replies; 16+ messages in thread
From: Mike Rapoport (Microsoft) @ 2026-06-30 10:54 UTC (permalink / raw)
To: Martin K. Petersen
Cc: Brian King, James E.J. Bottomley, Matthew Wilcox, Mike Rapoport,
linux-kernel, linux-mm, linux-scsi, target-devel
IPR dump machinery allocates memory to save adapter's crash dump using
__get_free_page().
This memory can be allocated with kmalloc() as there's nothing special
about it to go directly to the page allocator.
kmalloc() provides a better API that does not require ugly casts and
kfree() does not need to know the size of the freed object.
Replace use of __get_free_page() with kmalloc().
Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
---
drivers/scsi/ipr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index d207e5e81afe..5a212bfdeec2 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -2893,7 +2893,7 @@ static int ipr_sdt_copy(struct ipr_ioa_cfg *ioa_cfg,
(ioa_dump->hdr.len + bytes_copied) < max_dump_size) {
if (ioa_dump->page_offset >= PAGE_SIZE ||
ioa_dump->page_offset == 0) {
- page = (__be32 *)__get_free_page(GFP_ATOMIC);
+ page = kmalloc(PAGE_SIZE, GFP_ATOMIC);
if (!page) {
ipr_trace;
@@ -3226,7 +3226,7 @@ static void ipr_release_dump(struct kref *kref)
spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
for (i = 0; i < dump->ioa_dump.next_page_index; i++)
- free_page((unsigned long) dump->ioa_dump.ioa_data[i]);
+ kfree(dump->ioa_dump.ioa_data[i]);
vfree(dump->ioa_dump.ioa_data);
kfree(dump);
--
2.53.0
^ permalink raw reply related [flat|nested] 16+ messages in thread* Re: [PATCH 3/4] scsi: ipr: use kmalloc() to allocate IPR dump buffer memory
2026-06-30 10:54 ` [PATCH 3/4] scsi: ipr: use kmalloc() to allocate IPR dump buffer memory Mike Rapoport (Microsoft)
@ 2026-06-30 11:28 ` sashiko-bot
2026-07-01 7:03 ` Hannes Reinecke
1 sibling, 0 replies; 16+ messages in thread
From: sashiko-bot @ 2026-06-30 11:28 UTC (permalink / raw)
Cc: linux-scsi
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] Switching from __get_free_page() to kmalloc() for bulk PAGE_SIZE allocations worsens memory fragmentation resilience and increases the likelihood of allocation failure.
Pre-existing issues:
- [High] Unnecessary use of GFP_ATOMIC in a fully sleepable context drains atomic memory reserves and causes large allocations to fail.
--
commit 031dbb9ad5b7614bab879909db8f301be9752516
Author: Mike Rapoport (Microsoft) <rppt@kernel.org>
scsi: ipr: use kmalloc() to allocate IPR dump buffer memory
This commit replaces __get_free_page() and free_page() with kmalloc() and
kfree() for allocating the IPR dump buffer. The goal is to provide a cleaner
API without requiring casts or tracking the allocation size during free.
Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
> diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
> index d207e5e81afe0..5a212bfdeec2b 100644
> --- a/drivers/scsi/ipr.c
> +++ b/drivers/scsi/ipr.c
> @@ -2893,7 +2893,7 @@ static int ipr_sdt_copy(struct ipr_ioa_cfg *ioa_cfg,
> (ioa_dump->hdr.len + bytes_copied) < max_dump_size) {
> if (ioa_dump->page_offset >= PAGE_SIZE ||
> ioa_dump->page_offset == 0) {
> - page = (__be32 *)__get_free_page(GFP_ATOMIC);
> + page = kmalloc(PAGE_SIZE, GFP_ATOMIC);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: High]
This is a pre-existing issue, but does this allocation actually need to use
GFP_ATOMIC?
Looking at ipr_sdt_copy(), the allocation happens in a loop that explicitly
yields the CPU by calling schedule() at the end of each iteration. No spinlocks
are held across the allocation (host_lock is acquired later). Since the context
appears to be fully sleepable, using GFP_ATOMIC to allocate up to 80MB of memory
unnecessarily drains emergency reserves, potentially starving actual atomic
contexts like interrupt handlers.
[Severity: High]
Does switching to kmalloc() for PAGE_SIZE chunks increase the likelihood of
allocation failures under memory fragmentation?
If memory debugging options like KASAN or SLUB debugging are enabled, the SLUB
allocator inflates the requested PAGE_SIZE with metadata. This pushes the
allocation into a larger size class (e.g., kmalloc-8k), requiring higher-order
page allocations (order-1 or more) from the page allocator. Since the
allocation still uses GFP_ATOMIC, which cannot sleep or wait for direct reclaim,
requesting order-1+ pages is far more likely to fail under memory fragmentation
compared to the original order-0 requests.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630-b4-scsi-v1-0-494fb37ebe7b@kernel.org?part=3
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 3/4] scsi: ipr: use kmalloc() to allocate IPR dump buffer memory
2026-06-30 10:54 ` [PATCH 3/4] scsi: ipr: use kmalloc() to allocate IPR dump buffer memory Mike Rapoport (Microsoft)
2026-06-30 11:28 ` sashiko-bot
@ 2026-07-01 7:03 ` Hannes Reinecke
2026-07-01 9:52 ` Mike Rapoport
1 sibling, 1 reply; 16+ messages in thread
From: Hannes Reinecke @ 2026-07-01 7:03 UTC (permalink / raw)
To: Mike Rapoport (Microsoft), Martin K. Petersen
Cc: Brian King, James E.J. Bottomley, Matthew Wilcox, linux-kernel,
linux-mm, linux-scsi, target-devel
On 6/30/26 12:54 PM, Mike Rapoport (Microsoft) wrote:
> IPR dump machinery allocates memory to save adapter's crash dump using
> __get_free_page().
>
> This memory can be allocated with kmalloc() as there's nothing special
> about it to go directly to the page allocator.
>
> kmalloc() provides a better API that does not require ugly casts and
> kfree() does not need to know the size of the freed object.
>
> Replace use of __get_free_page() with kmalloc().
>
> Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
> Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
> ---
> drivers/scsi/ipr.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
> index d207e5e81afe..5a212bfdeec2 100644
> --- a/drivers/scsi/ipr.c
> +++ b/drivers/scsi/ipr.c
> @@ -2893,7 +2893,7 @@ static int ipr_sdt_copy(struct ipr_ioa_cfg *ioa_cfg,
> (ioa_dump->hdr.len + bytes_copied) < max_dump_size) {
> if (ioa_dump->page_offset >= PAGE_SIZE ||
> ioa_dump->page_offset == 0) {
> - page = (__be32 *)__get_free_page(GFP_ATOMIC);
> + page = kmalloc(PAGE_SIZE, GFP_ATOMIC);
>
> if (!page) {
> ipr_trace;
> @@ -3226,7 +3226,7 @@ static void ipr_release_dump(struct kref *kref)
> spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
>
> for (i = 0; i < dump->ioa_dump.next_page_index; i++)
> - free_page((unsigned long) dump->ioa_dump.ioa_data[i]);
> + kfree(dump->ioa_dump.ioa_data[i]);
>
> vfree(dump->ioa_dump.ioa_data);
> kfree(dump);
>
I _think_ we can replace this with kvmalloc, and allocate the entire
dump buffer in one go. Once switched to kmalloc() it's kinda pointless
to allocate separate page-sized buffers here.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.com +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 3/4] scsi: ipr: use kmalloc() to allocate IPR dump buffer memory
2026-07-01 7:03 ` Hannes Reinecke
@ 2026-07-01 9:52 ` Mike Rapoport
2026-07-01 21:03 ` Brian King
0 siblings, 1 reply; 16+ messages in thread
From: Mike Rapoport @ 2026-07-01 9:52 UTC (permalink / raw)
To: Hannes Reinecke
Cc: Martin K. Petersen, Brian King, James E.J. Bottomley,
Matthew Wilcox, linux-kernel, linux-mm, linux-scsi, target-devel
On Wed, Jul 01, 2026 at 09:03:06AM +0200, Hannes Reinecke wrote:
> On 6/30/26 12:54 PM, Mike Rapoport (Microsoft) wrote:
> > IPR dump machinery allocates memory to save adapter's crash dump using
> > __get_free_page().
> >
> > This memory can be allocated with kmalloc() as there's nothing special
> > about it to go directly to the page allocator.
> >
> > kmalloc() provides a better API that does not require ugly casts and
> > kfree() does not need to know the size of the freed object.
> >
> > Replace use of __get_free_page() with kmalloc().
> >
> > Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
> > Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
> > ---
> > drivers/scsi/ipr.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
> > index d207e5e81afe..5a212bfdeec2 100644
> > --- a/drivers/scsi/ipr.c
> > +++ b/drivers/scsi/ipr.c
> > @@ -2893,7 +2893,7 @@ static int ipr_sdt_copy(struct ipr_ioa_cfg *ioa_cfg,
> > (ioa_dump->hdr.len + bytes_copied) < max_dump_size) {
> > if (ioa_dump->page_offset >= PAGE_SIZE ||
> > ioa_dump->page_offset == 0) {
> > - page = (__be32 *)__get_free_page(GFP_ATOMIC);
> > + page = kmalloc(PAGE_SIZE, GFP_ATOMIC);
> > if (!page) {
> > ipr_trace;
> > @@ -3226,7 +3226,7 @@ static void ipr_release_dump(struct kref *kref)
> > spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
> > for (i = 0; i < dump->ioa_dump.next_page_index; i++)
> > - free_page((unsigned long) dump->ioa_dump.ioa_data[i]);
> > + kfree(dump->ioa_dump.ioa_data[i]);
> > vfree(dump->ioa_dump.ioa_data);
> > kfree(dump);
> >
>
> I _think_ we can replace this with kvmalloc, and allocate the entire
> dump buffer in one go. Once switched to kmalloc() it's kinda pointless
> to allocate separate page-sized buffers here.
kmalloc() performance is on par with __get_free_page(), but kvmalloc()
would be slower if it falls back to vmalloc().
I'm not familiar with the driver to say if this could be an issue here.
> Cheers,
> Hannes
--
Sincerely yours,
Mike.
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 3/4] scsi: ipr: use kmalloc() to allocate IPR dump buffer memory
2026-07-01 9:52 ` Mike Rapoport
@ 2026-07-01 21:03 ` Brian King
0 siblings, 0 replies; 16+ messages in thread
From: Brian King @ 2026-07-01 21:03 UTC (permalink / raw)
To: Mike Rapoport, Hannes Reinecke
Cc: Martin K. Petersen, Brian King, James E.J. Bottomley,
Matthew Wilcox, linux-kernel, linux-mm, linux-scsi, target-devel,
wenxiong
On 7/1/26 4:52 AM, Mike Rapoport wrote:
> On Wed, Jul 01, 2026 at 09:03:06AM +0200, Hannes Reinecke wrote:
>> On 6/30/26 12:54 PM, Mike Rapoport (Microsoft) wrote:
>>> IPR dump machinery allocates memory to save adapter's crash dump using
>>> __get_free_page().
>>>
>>> This memory can be allocated with kmalloc() as there's nothing special
>>> about it to go directly to the page allocator.
>>>
>>> kmalloc() provides a better API that does not require ugly casts and
>>> kfree() does not need to know the size of the freed object.
>>>
>>> Replace use of __get_free_page() with kmalloc().
>>>
>>> Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
>>> Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
>>> ---
>>> drivers/scsi/ipr.c | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
>>> index d207e5e81afe..5a212bfdeec2 100644
>>> --- a/drivers/scsi/ipr.c
>>> +++ b/drivers/scsi/ipr.c
>>> @@ -2893,7 +2893,7 @@ static int ipr_sdt_copy(struct ipr_ioa_cfg *ioa_cfg,
>>> (ioa_dump->hdr.len + bytes_copied) < max_dump_size) {
>>> if (ioa_dump->page_offset >= PAGE_SIZE ||
>>> ioa_dump->page_offset == 0) {
>>> - page = (__be32 *)__get_free_page(GFP_ATOMIC);
>>> + page = kmalloc(PAGE_SIZE, GFP_ATOMIC);
>>> if (!page) {
>>> ipr_trace;
>>> @@ -3226,7 +3226,7 @@ static void ipr_release_dump(struct kref *kref)
>>> spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
>>> for (i = 0; i < dump->ioa_dump.next_page_index; i++)
>>> - free_page((unsigned long) dump->ioa_dump.ioa_data[i]);
>>> + kfree(dump->ioa_dump.ioa_data[i]);
>>> vfree(dump->ioa_dump.ioa_data);
>>> kfree(dump);
>>>
>>
>> I _think_ we can replace this with kvmalloc, and allocate the entire
>> dump buffer in one go. Once switched to kmalloc() it's kinda pointless
>> to allocate separate page-sized buffers here.
>
> kmalloc() performance is on par with __get_free_page(), but kvmalloc()
> would be slower if it falls back to vmalloc().
>
> I'm not familiar with the driver to say if this could be an issue here.
This code only runs when the adapter has hit a fatal error, so should be
extremely rare. The memory is getting allocated while the storage adapter
is in a failed state, so anything running on the system at the time could
be stalled until recovery is completed. This memory is allocated and should
be freed soon after the adapter recovers. In order for this code to
run, the iprdump daemon must be running, which will then read out the dump
after the adapter is recovered, and write it to disk, after which time, the
ipr driver will free the kernel memory.
Thanks,
Brian
--
Brian King
Power Linux I/O
IBM Linux Technology Center
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 4/4] scsi: sym53c8xx_2: replace __get_free_pages() with kmalloc()
2026-06-30 10:54 [PATCH 0/4] scsi: replace __get_free_pages() with kmalloc() Mike Rapoport (Microsoft)
` (2 preceding siblings ...)
2026-06-30 10:54 ` [PATCH 3/4] scsi: ipr: use kmalloc() to allocate IPR dump buffer memory Mike Rapoport (Microsoft)
@ 2026-06-30 10:54 ` Mike Rapoport (Microsoft)
2026-06-30 11:37 ` sashiko-bot
2026-07-01 7:04 ` Hannes Reinecke
3 siblings, 2 replies; 16+ messages in thread
From: Mike Rapoport (Microsoft) @ 2026-06-30 10:54 UTC (permalink / raw)
To: Martin K. Petersen
Cc: Brian King, James E.J. Bottomley, Matthew Wilcox, Mike Rapoport,
linux-kernel, linux-mm, linux-scsi, target-devel
sym53c8xx_2 driver has an internal memory allocator for small
allocations of the driver structures. The backing memory for that
allocator is allocated with __get_free_pages().
This memory can be allocated with kmalloc() as there's nothing special
about it to go directly to the page allocator.
kmalloc() provides a better API that does not require ugly casts and
kfree() does not need to know the size of the freed object.
Performance difference between kmalloc() and __get_free_pages() is not
measurable as both allocators take an object/page from a per-CPU list for
fast path allocations.
For the slow path the performance is anyway determined by the amount of
reclaim involved rather than by what allocator is used.
Replace use of __get_free_pages() with kmalloc() and free_pages() with
kfree().
Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
---
drivers/scsi/sym53c8xx_2/sym_hipd.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/sym53c8xx_2/sym_hipd.h b/drivers/scsi/sym53c8xx_2/sym_hipd.h
index 9231a2899064..aa365e8ba66f 100644
--- a/drivers/scsi/sym53c8xx_2/sym_hipd.h
+++ b/drivers/scsi/sym53c8xx_2/sym_hipd.h
@@ -1110,9 +1110,9 @@ sym_build_sge(struct sym_hcb *np, struct sym_tblmove *data, u64 badd, int len)
*/
#define sym_get_mem_cluster() \
- (void *) __get_free_pages(GFP_ATOMIC, SYM_MEM_PAGE_ORDER)
+ kmalloc(PAGE_SIZE << SYM_MEM_PAGE_ORDER, GFP_ATOMIC)
#define sym_free_mem_cluster(p) \
- free_pages((unsigned long)p, SYM_MEM_PAGE_ORDER)
+ kfree(p)
/*
* Link between free memory chunks of a given size.
--
2.53.0
^ permalink raw reply related [flat|nested] 16+ messages in thread* Re: [PATCH 4/4] scsi: sym53c8xx_2: replace __get_free_pages() with kmalloc()
2026-06-30 10:54 ` [PATCH 4/4] scsi: sym53c8xx_2: replace __get_free_pages() with kmalloc() Mike Rapoport (Microsoft)
@ 2026-06-30 11:37 ` sashiko-bot
2026-07-01 7:04 ` Hannes Reinecke
1 sibling, 0 replies; 16+ messages in thread
From: sashiko-bot @ 2026-06-30 11:37 UTC (permalink / raw)
Cc: linux-scsi
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Replacing `__get_free_pages()` with `kmalloc()` breaks the driver's custom buddy allocator due to lost page-alignment guarantees, leading to memory leaks, free-list corruption, and kernel panics on `kfree()`.
--
commit 62e084c005e487c40de6e3803058c9fb57c50b32
Author: Mike Rapoport (Microsoft) <rppt@kernel.org>
scsi: sym53c8xx_2: replace __get_free_pages() with kmalloc()
This commit replaces __get_free_pages() with kmalloc() and free_pages() with
kfree() for the internal memory allocator in the sym53c8xx_2 driver.
Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
> diff --git a/drivers/scsi/sym53c8xx_2/sym_hipd.h b/drivers/scsi/sym53c8xx_2/sym_hipd.h
> index 9231a28990643..aa365e8ba66fc 100644
> --- a/drivers/scsi/sym53c8xx_2/sym_hipd.h
> +++ b/drivers/scsi/sym53c8xx_2/sym_hipd.h
> @@ -1110,9 +1110,9 @@ sym_build_sge(struct sym_hcb *np, struct sym_tblmove *data, u64 badd, int len)
> */
>
> #define sym_get_mem_cluster() \
> - (void *) __get_free_pages(GFP_ATOMIC, SYM_MEM_PAGE_ORDER)
> + kmalloc(PAGE_SIZE << SYM_MEM_PAGE_ORDER, GFP_ATOMIC)
[Severity: High]
Does this change break the driver's custom buddy allocator?
The custom allocator in drivers/scsi/sym53c8xx_2/sym_malloc.c relies strictly
on the page-alignment guarantees provided by __get_free_pages().
When ___sym_mfree() is called, it computes buddy addresses using bitwise
operations:
drivers/scsi/sym53c8xx_2/sym_malloc.c:___sym_mfree() {
...
b = a ^ s;
...
a = a & b;
...
M_FREE_MEM_CLUSTER((void *)a);
...
}
If kmalloc() returns an unaligned pointer (which can happen when
CONFIG_SLUB_DEBUG or KASAN is enabled), the XOR computation will yield an
incorrect buddy address.
Furthermore, the bitwise AND rounds the address down, losing any unaligned
offset provided by kmalloc(). When this rounded address is later passed to
kfree(), it can trigger a SLUB BUG or kernel panic because the pointer is
invalid.
Should this allocation remain page-aligned to satisfy the buddy allocator's
requirements?
> #define sym_free_mem_cluster(p) \
> - free_pages((unsigned long)p, SYM_MEM_PAGE_ORDER)
> + kfree(p)
>
> /*
> * Link between free memory chunks of a given size.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630-b4-scsi-v1-0-494fb37ebe7b@kernel.org?part=4
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 4/4] scsi: sym53c8xx_2: replace __get_free_pages() with kmalloc()
2026-06-30 10:54 ` [PATCH 4/4] scsi: sym53c8xx_2: replace __get_free_pages() with kmalloc() Mike Rapoport (Microsoft)
2026-06-30 11:37 ` sashiko-bot
@ 2026-07-01 7:04 ` Hannes Reinecke
1 sibling, 0 replies; 16+ messages in thread
From: Hannes Reinecke @ 2026-07-01 7:04 UTC (permalink / raw)
To: Mike Rapoport (Microsoft), Martin K. Petersen
Cc: Brian King, James E.J. Bottomley, Matthew Wilcox, linux-kernel,
linux-mm, linux-scsi, target-devel
On 6/30/26 12:54 PM, Mike Rapoport (Microsoft) wrote:
> sym53c8xx_2 driver has an internal memory allocator for small
> allocations of the driver structures. The backing memory for that
> allocator is allocated with __get_free_pages().
>
> This memory can be allocated with kmalloc() as there's nothing special
> about it to go directly to the page allocator.
>
> kmalloc() provides a better API that does not require ugly casts and
> kfree() does not need to know the size of the freed object.
>
> Performance difference between kmalloc() and __get_free_pages() is not
> measurable as both allocators take an object/page from a per-CPU list for
> fast path allocations.
>
> For the slow path the performance is anyway determined by the amount of
> reclaim involved rather than by what allocator is used.
>
> Replace use of __get_free_pages() with kmalloc() and free_pages() with
> kfree().
>
> Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
> Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
> ---
> drivers/scsi/sym53c8xx_2/sym_hipd.h | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/sym53c8xx_2/sym_hipd.h b/drivers/scsi/sym53c8xx_2/sym_hipd.h
> index 9231a2899064..aa365e8ba66f 100644
> --- a/drivers/scsi/sym53c8xx_2/sym_hipd.h
> +++ b/drivers/scsi/sym53c8xx_2/sym_hipd.h
> @@ -1110,9 +1110,9 @@ sym_build_sge(struct sym_hcb *np, struct sym_tblmove *data, u64 badd, int len)
> */
>
> #define sym_get_mem_cluster() \
> - (void *) __get_free_pages(GFP_ATOMIC, SYM_MEM_PAGE_ORDER)
> + kmalloc(PAGE_SIZE << SYM_MEM_PAGE_ORDER, GFP_ATOMIC)
> #define sym_free_mem_cluster(p) \
> - free_pages((unsigned long)p, SYM_MEM_PAGE_ORDER)
> + kfree(p)
>
> /*
> * Link between free memory chunks of a given size.
>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.com +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
^ permalink raw reply [flat|nested] 16+ messages in thread