Subject: Re: [PATCH v5 v5 2/6] mm/memory_hotplug: Fix incorrect altmap passing in error path
X-Mailing-List: linux-kernel@vger.kernel.org
From: Muchun Song
Date: Thu, 23 Apr 2026 20:31:04 +0800
To: "David Hildenbrand (Arm)"
Cc: Muchun Song, Andrew Morton, Oscar Salvador, Michael Ellerman, Madhavan Srinivasan, Lorenzo Stoakes, "Liam R. Howlett", Vlastimil Babka, Mike Rapoport, Suren Baghdasaryan, Michal Hocko, Nicholas Piggin, Christophe Leroy, aneesh.kumar@linux.ibm.com, joao.m.martins@oracle.com, linux-mm@kvack.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org
Message-Id: <139193CD-6D52-4114-82D1-3093B3F3C9E1@linux.dev>
In-Reply-To: <25aac60c-8510-4d92-85f3-368cfe9d83ef@kernel.org>
References: <20260423071911.1962859-1-songmuchun@bytedance.com> <20260423071911.1962859-3-songmuchun@bytedance.com> <25aac60c-8510-4d92-85f3-368cfe9d83ef@kernel.org>

> On Apr 23, 2026, at 20:28, David Hildenbrand (Arm) wrote:
>
> On 4/23/26 14:18, Muchun Song wrote:
>>
>>
>>> On Apr 23, 2026, at 18:38, David Hildenbrand (Arm) wrote:
>>>
>>> On 4/23/26 09:19, Muchun Song wrote:
>>>> In create_altmaps_and_memory_blocks(), when arch_add_memory() succeeds
>>>> with memmap_on_memory enabled, the vmemmap pages are allocated from
>>>> params.altmap. If create_memory_block_devices() subsequently fails, the
>>>> error path calls arch_remove_memory() with a NULL altmap instead of
>>>> params.altmap.
>>>>
>>>> This is a bug that could lead to memory corruption. Since altmap is
>>>> NULL, vmemmap_free() falls back to freeing the vmemmap pages into the
>>>> system buddy allocator via free_pages() instead of the altmap.
>>>> arch_remove_memory() then immediately destroys the physical linear
>>>> mapping for this memory. This injects unowned pages into the buddy
>>>> allocator, causing machine checks or memory corruption if the system
>>>> later attempts to allocate and use those freed pages.
>>>>
>>>> Fix this by passing params.altmap to arch_remove_memory() in the error
>>>> path.
>>>>
>>>> Fixes: 6b8f0798b85a ("mm/memory_hotplug: split memmap_on_memory requests across memblocks")
>>>> Signed-off-by: Muchun Song
>>>> ---
>>>>  mm/memory_hotplug.c | 2 +-
>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
>>>> index 2a943ec57c85..0bad2aed2bde 100644
>>>> --- a/mm/memory_hotplug.c
>>>> +++ b/mm/memory_hotplug.c
>>>> @@ -1468,7 +1468,7 @@ static int create_altmaps_and_memory_blocks(int nid, struct memory_group *group,
>>>>  		ret = create_memory_block_devices(cur_start, memblock_size, nid,
>>>>  						  params.altmap, group);
>>>>  		if (ret) {
>>>> -			arch_remove_memory(cur_start, memblock_size, NULL);
>>>> +			arch_remove_memory(cur_start, memblock_size, params.altmap);
>>>>  			kfree(params.altmap);
>>>>  			goto out;
>>>>  		}
>>>
>>> Yeah, that's nasty. We should CC stable.
>>
>> Makes sense.
>>
>>>
>>> Acked-by: David Hildenbrand (Arm)
>>
>> Thanks.
>>
>>>
>>>
>>>
>>> Should we extend the safety checks we already have on the other path?
>>
>> Better to have.
>>
>>>
>>>
>>> diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
>>> index 2a943ec57c85..1c304468af08 100644
>>> --- a/mm/memory_hotplug.c
>>> +++ b/mm/memory_hotplug.c
>>> @@ -1402,6 +1402,12 @@ bool mhp_supports_memmap_on_memory(void)
>>>  }
>>>  EXPORT_SYMBOL_GPL(mhp_supports_memmap_on_memory);
>>>
>>> +static void altmap_free(struct vmemmap_altmap *altmap)
>>> +{
>>> +	WARN(altmap->alloc, "Altmap not fully unmapped");
>>
>> Should we change it to WARN_ONCE?
>
> Was debating with myself, and yes, I think so.
>
>>
>>> +	kfree(altmap);
>>> +}
>>> +
>>>  static void remove_memory_blocks_and_altmaps(u64 start, u64 size)
>>>  {
>>>  	unsigned long memblock_size = memory_block_size_bytes();
>>> @@ -1426,10 +1432,7 @@ static void remove_memory_blocks_and_altmaps(u64 start, u64 size)
>>>  		remove_memory_block_devices(cur_start, memblock_size);
>>>
>>>  		arch_remove_memory(cur_start, memblock_size, altmap);
>>> -
>>> -		/* Verify that all vmemmap pages have actually been freed. */
>>> -		WARN(altmap->alloc, "Altmap not fully unmapped");
>>> -		kfree(altmap);
>>> +		altmap_free(altmap);
>>>  	}
>>>  }
>>>
>>> @@ -1460,7 +1463,7 @@ static int create_altmaps_and_memory_blocks(int nid, struct memory_group *group,
>>>  		/* call arch's memory hotadd */
>>>  		ret = arch_add_memory(nid, cur_start, memblock_size, &params);
>>>  		if (ret < 0) {
>>> -			kfree(params.altmap);
>>> +			altmap_free(params.altmap);
>>>  			goto out;
>>>  		}
>>>
>>> @@ -1469,13 +1472,12 @@ static int create_altmaps_and_memory_blocks(int nid, struct memory_group *group,
>>>  						  params.altmap, group);
>>>  		if (ret) {
>>>  			arch_remove_memory(cur_start, memblock_size, NULL);
>>> -			kfree(params.altmap);
>>> +			altmap_free(params.altmap);
>>>  			goto out;
>>>  		}
>>>  	}
>>>
>>>  	return 0;
>>> -out:
>>>  	if (ret && cur_start != start)
>>>  		remove_memory_blocks_and_altmaps(start, cur_start - start);
>>>  	return ret;
>>>
>>>
>>> Maybe the helper should even go into altmap code? Not sure.
>>
>> I think the current changes look great as they are. While I believe this is valuable
>> as a standalone cleanup, what do you think?
> Makes sense. Could you do me the favor and follow up with that, on top of the fixes?

No problem.

>
> --
> Cheers,
>
> David
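Review bot: a Cc: stable tag is missing beside the Fixes: line of the @@ -1468,7 +1468,7 @@ fix; the commit message describes unowned pages reaching the buddy allocator, so the one-line change should be marked for stable, as the thread itself concludes. Since `kfree(params.altmap);` directly follows the corrected `arch_remove_memory()` call, the `altmap->alloc` check that `remove_memory_blocks_and_altmaps()` already performs before its own `kfree()` would be the natural guard here too.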
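Review bot: the `WARN(altmap->alloc, ...)` in the new `altmap_free()` at @@ -1402,6 +1402,12 @@ should be `WARN_ONCE()`, as the thread agrees: the helper runs once per memory block in `remove_memory_blocks_and_altmaps()`, so a single broken unwind would otherwise repeat the splat for every block in the range.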
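Review bot: the @@ -1426,10 +1432,7 @@ hunk deletes the comment `/* Verify that all vmemmap pages have actually been freed. */` together with the inline check but does not carry it into `altmap_free()`; keeping that line above the WARN in the helper preserves the explanation of what the check is for.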
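Review bot: after the @@ -1460,7 +1463,7 @@ hunk the `arch_add_memory()` failure path also goes through `altmap_free()`, so the "Altmap not fully unmapped" WARN now fires whenever the arch side returns an error without releasing vmemmap pages it already took from `params.altmap`. That is a behaviour change from the plain `kfree()` it replaces; worth confirming that every arch's `arch_add_memory()` unwinds the altmap on failure, or the new WARN will report an arch-side leak here.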
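Review bot: the @@ -1469,13 +1472,12 @@ hunk removes the `out:` label (`-out:`) while both `goto out;` statements above it stay, so the cleanup will not compile as posted; the label has to remain. The same hunk still shows `arch_remove_memory(cur_start, memblock_size, NULL);` as unchanged context because the diff is against 2a943ec57c85 rather than on top of the fix; rebasing it onto the fix, as agreed at the end of the thread, also lets `altmap_free()` catch a non-zero `alloc` count in exactly the path the fix repairs.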
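The failure path the commit message describes, as an added userspace model (not kernel code and not from this thread): it mimics vmemmap_free() choosing between the altmap and the buddy allocator, and shows both that the NULL-altmap call leaves pages of the soon-to-be-unmapped block on the buddy free list and that the `altmap->alloc` check proposed for altmap_free() would have flagged that path. All names, page counts and pfns are assumptions.

```c
/* Added userspace model, not kernel code: mimics the failed hot-add path from
 * the commit message so the NULL vs. params.altmap calls can be compared. */
#include <stdbool.h>
#include <stddef.h>
#define NR_VMEMMAP 4		/* constructed: vmemmap pages carved from the block */
#define BLOCK_PAGES 0x100	/* constructed: pages per memory block */
#define LEAKED_TO_BUDDY 1	/* freed pages lie in the now-unmapped block */
#define ALTMAP_NOT_DRAINED 2	/* altmap->alloc != 0, what the WARN inspects */

/* base_pfn: block start, where its own vmemmap lives; alloc: pages handed
 * out, like vmem_altmap.alloc in the kernel. */
struct toy_altmap { unsigned long base_pfn, alloc; };
static unsigned long buddy_free[64];	/* stand-in for the buddy free lists */
static size_t nr_buddy_free;

/* Mimics vmemmap_free(): return pages to the altmap when one is given,
 * otherwise fall back to free_pages() into the buddy allocator. */
static void toy_vmemmap_free(unsigned long pfn, struct toy_altmap *altmap)
{
	for (unsigned long i = 0; i < NR_VMEMMAP; i++, pfn++) {
		if (altmap)
			altmap->alloc--;
		else if (nr_buddy_free < sizeof(buddy_free) / sizeof(*buddy_free))
			buddy_free[nr_buddy_free++] = pfn;
	}
}

/* Debug check: once the linear map is gone, no buddy-free page may lie in it. */
static bool buddy_holds_pfn_in(unsigned long start, unsigned long nr)
{
	for (size_t i = 0; i < nr_buddy_free; i++)
		if (buddy_free[i] >= start && buddy_free[i] < start + nr)
			return true;
	return false;
}

/* create_memory_block_devices() failure path; pass_altmap=false is the buggy
 * arch_remove_memory() call, true the fixed one. Returns a mask of the flags. */
static int toy_failed_hotadd(bool pass_altmap)
{
	struct toy_altmap altmap = { .base_pfn = 0x1000, .alloc = NR_VMEMMAP };
	int res = 0;
	nr_buddy_free = 0;
	toy_vmemmap_free(altmap.base_pfn, pass_altmap ? &altmap : NULL);
	if (buddy_holds_pfn_in(altmap.base_pfn, BLOCK_PAGES))
		res |= LEAKED_TO_BUDDY;
	if (altmap.alloc)
		res |= ALTMAP_NOT_DRAINED;
	return res;
}
```

The buggy call reports both flags because the pages went to the buddy list and the altmap counter never dropped; the fixed call reports neither.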