From: Mike Rapoport
To: linux-mm@kvack.org
Cc: Andrew Morton, Ben Segall, Breno Leitao, Dietmar Eggemann, Frederic Weisbecker, Ingo Molnar, Juri Lelli, "K Prateek Nayak", Mel Gorman, Mike Rapoport, Peter Zijlstra, Steven Rostedt, Valentin Schneider, Vincent Guittot, Waiman Long, linux-kernel@vger.kernel.org
Subject: [PATCH] memblock: don't touch memblock arrays when memblock_free() is called late
Date: Wed, 13 May 2026 13:51:22 +0300
Message-ID: <20260513105122.502506-1-rppt@kernel.org>

From: "Mike Rapoport (Microsoft)"

When memblock_free() is called after memblock_discard() on architectures
that don't select ARCH_KEEP_MEMBLOCK, it tries to update memblock.reserved
that was already discarded and it causes use-after-free, for example

[ 8.514775] BUG: KASAN: use-after-free in memblock_isolate_range+0x4ac/0x650
[ 8.514775] Read of size 8 at addr ffff88a07fe6a000 by task swapper/0/1
[ 8.514775] Call Trace:
[ 8.514775]
[ 8.514775]  kasan_report+0xb2/0x1b0
[ 8.514775]  memblock_isolate_range+0x4ac/0x650
[ 8.514775]  memblock_phys_free+0xc4/0x190
[ 8.514775]  housekeeping_late_init+0x257/0x280
[ 8.514775]  do_one_initcall+0xaa/0x470
[ 8.514775]  do_initcalls+0x1b4/0x1f0
[ 8.514775]  kernel_init_freeable+0x4b5/0x550
[ 8.514775]  kernel_init+0x1c/0x150
[ 8.514775]  ret_from_fork+0x5dc/0x8e0
[ 8.514775]  ret_from_fork_asm+0x1a/0x30
[ 8.514775]

Make sure memblock_free() updates memblock.reserved only when called early
enough or when ARCH_KEEP_MEMBLOCK is enabled.

Reported-by: Waiman Long
Reported-by: Breno Leitao
Closes: https://lore.kernel.org/all/20260505051821.1107133-1-longman@redhat.com
Signed-off-by: Mike Rapoport (Microsoft) Tested-by: Waiman Long --- mm/memblock.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mm/memblock.c b/mm/memblock.c index a6a1c91e276d..ccd43f3abb82 100644 --- a/mm/memblock.c +++ b/mm/memblock.c @@ -989,13 +989,15 @@ void __init_memblock memblock_free(void *ptr, size_t size) int __init_memblock memblock_phys_free(phys_addr_t base, phys_addr_t size) { phys_addr_t end = base + size - 1; - int ret; + int ret = 0; memblock_dbg("%s: [%pa-%pa] %pS\n", __func__, &base, &end, (void *)_RET_IP_); kmemleak_free_part_phys(base, size); - ret = memblock_remove_range(&memblock.reserved, base, size); + + if (!slab_is_available() || IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK)) + ret = memblock_remove_range(&memblock.reserved, base, size); if (slab_is_available()) __free_reserved_area(base, base + size, -1); base-commit: 7fd2df204f342fc17d1a0bfcd474b24232fb0f32 -- 2.53.0
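Review bot: the new gate `if (!slab_is_available() || IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK))` in memblock_phys_free() uses slab availability as a proxy for "memblock_discard() has already released the memblock arrays", and nothing in the hunk or the commit message ("early enough") records why that proxy is safe; a one-line comment above the condition stating that without ARCH_KEEP_MEMBLOCK memblock.reserved is freed once the buddy allocator is up, so it must not be touched afterwards, would keep the next reader from "fixing" the condition back. Two follow-on points worth a sentence in the changelog or kerneldoc: with `int ret = 0;` a late call on a !ARCH_KEEP_MEMBLOCK kernel now returns success although the range was never removed from memblock.reserved, so callers must not read the return value as "bookkeeping updated"; and because the unchanged `if (slab_is_available()) __free_reserved_area(base, base + size, -1);` still runs, any call that lands after slab_is_available() becomes true but before memblock_discard() actually runs releases the pages to the buddy allocator while memblock.reserved keeps listing them, so if such a window exists on a given architecture the stale entry is visible to anything walking memblock.reserved until discard.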