Date: Wed, 13 May 2026 05:47:34 -0700
From: Breno Leitao
To: Mike Rapoport
Cc: linux-mm@kvack.org, Andrew Morton, Ben Segall, Dietmar Eggemann, Frederic Weisbecker, Ingo Molnar, Juri Lelli, K Prateek Nayak, Mel Gorman, Peter Zijlstra, Steven Rostedt, Valentin Schneider, Vincent Guittot, Waiman Long, linux-kernel@vger.kernel.org, kernel-team@meta.com
Subject: Re: [PATCH] memblock: don't touch memblock arrays when memblock_free() is called late
Message-ID:
References: <20260513105122.502506-1-rppt@kernel.org>
In-Reply-To: <20260513105122.502506-1-rppt@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 13, 2026 at 01:51:22PM +0300, Mike Rapoport wrote:
> From: "Mike Rapoport (Microsoft)"
>
> When memblock_free() is called after memblock_discard() on architectures
> that don't select ARCH_KEEP_MEMBLOCK, it tries to update memblock.reserved
> that was already discarded and it causes use-after-free, for example
>
> [ 8.514775] BUG: KASAN: use-after-free in memblock_isolate_range+0x4ac/0x650
> [ 8.514775] Read of size 8 at addr ffff88a07fe6a000 by task swapper/0/1
> [ 8.514775] Call Trace:
> [ 8.514775]
> [ 8.514775]  kasan_report+0xb2/0x1b0
> [ 8.514775]  memblock_isolate_range+0x4ac/0x650
> [ 8.514775]  memblock_phys_free+0xc4/0x190
> [ 8.514775]  housekeeping_late_init+0x257/0x280
> [ 8.514775]  do_one_initcall+0xaa/0x470
> [ 8.514775]  do_initcalls+0x1b4/0x1f0
> [ 8.514775]  kernel_init_freeable+0x4b5/0x550
> [ 8.514775]  kernel_init+0x1c/0x150
> [ 8.514775]  ret_from_fork+0x5dc/0x8e0
> [ 8.514775]  ret_from_fork_asm+0x1a/0x30
> [ 8.514775]
>
> Make sure memblock_free() updates memblock.reserved only when called early
> enough or when ARCH_KEEP_MEMBLOCK is enabled.
>
> Reported-by: Waiman Long
> Reported-by: Breno Leitao
> Closes: https://lore.kernel.org/all/20260505051821.1107133-1-longman@redhat.com
> Signed-off-by: Mike Rapoport (Microsoft)
> Tested-by: Waiman Long

Tested-by: Breno Leitao

Don't you want a Fixes: tag?
> @@ -989,13 +989,15 @@ void __init_memblock memblock_free(void *ptr, size_t size)
>  int __init_memblock memblock_phys_free(phys_addr_t base, phys_addr_t size)
>  {
>  	phys_addr_t end = base + size - 1;
> -	int ret;
> +	int ret = 0;
>
>  	memblock_dbg("%s: [%pa-%pa] %pS\n", __func__,
>  		     &base, &end, (void *)_RET_IP_);
>
>  	kmemleak_free_part_phys(base, size);
> -	ret = memblock_remove_range(&memblock.reserved, base, size);
> +
> +	if (!slab_is_available() || IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK))
> +		ret = memblock_remove_range(&memblock.reserved, base, size);
>
>  	if (slab_is_available())
>  		__free_reserved_area(base, base + size, -1);

given slab_is_available() is a cheap function, it is fine to call it twice in here.

Thanks for the fix!
--breno
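Review bot: the new `if (!slab_is_available() || IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK))` guard in memblock_phys_free() uses slab availability as a stand-in for "memblock_discard() may already have run", but nothing in the hunk records that reasoning; a one-line comment above the condition, such as `/* memblock.reserved may already be discarded unless ARCH_KEEP_MEMBLOCK */`, would spare the next reader a trip to the commit message. The same comment should say that a late call now returns the `ret = 0` default without touching memblock.reserved, so a caller cannot tell the bookkeeping was skipped; if any caller cares about that distinction, the skipped path needs to signal it rather than report success. Hoisting slab_is_available() into a local to avoid the second call is optional, as Breno notes, since the function is cheap.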