Date: Wed, 13 May 2026 17:29:04 +0300
From: Mike Rapoport
To: Breno Leitao
Cc: linux-mm@kvack.org, Andrew Morton, Ben Segall, Dietmar Eggemann, Frederic Weisbecker, Ingo Molnar, Juri Lelli, K Prateek Nayak, Mel Gorman, Peter Zijlstra, Steven Rostedt, Valentin Schneider, Vincent Guittot, Waiman Long, linux-kernel@vger.kernel.org, kernel-team@meta.com
Subject: Re: [PATCH] memblock: don't touch memblock arrays when memblock_free() is called late
Message-ID:
References: <20260513105122.502506-1-rppt@kernel.org>
In-Reply-To:
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 13, 2026 at 05:47:34AM -0700, Breno Leitao wrote:
> On Wed, May 13, 2026 at 01:51:22PM +0300, Mike Rapoport wrote:
> > From: "Mike Rapoport (Microsoft)"
> >
> > When memblock_free() is called after memblock_discard() on architectures
> > that don't select ARCH_KEEP_MEMBLOCK, it tries to update memblock.reserved
> > that was already discarded and it causes use-after-free, for example
> >
> > [ 8.514775] BUG: KASAN: use-after-free in memblock_isolate_range+0x4ac/0x650
> > [ 8.514775] Read of size 8 at addr ffff88a07fe6a000 by task swapper/0/1
> > [ 8.514775] Call Trace:
> > [ 8.514775]
> > [ 8.514775] kasan_report+0xb2/0x1b0
> > [ 8.514775] memblock_isolate_range+0x4ac/0x650
> > [ 8.514775] memblock_phys_free+0xc4/0x190
> > [ 8.514775] housekeeping_late_init+0x257/0x280
> > [ 8.514775] do_one_initcall+0xaa/0x470
> > [ 8.514775] do_initcalls+0x1b4/0x1f0
> > [ 8.514775] kernel_init_freeable+0x4b5/0x550
> > [ 8.514775] kernel_init+0x1c/0x150
> > [ 8.514775] ret_from_fork+0x5dc/0x8e0
> > [ 8.514775] ret_from_fork_asm+0x1a/0x30
> > [ 8.514775]
> >
> > Make sure memblock_free() updates memblock.reserved only when called early
> > enough or when ARCH_KEEP_MEMBLOCK is enabled.
> >
> > Reported-by: Waiman Long
> > Reported-by: Breno Leitao
> > Closes: https://lore.kernel.org/all/20260505051821.1107133-1-longman@redhat.com
> > Signed-off-by: Mike Rapoport (Microsoft)
> > Tested-by: Waiman Long
> > Tested-by: Breno Leitao

Thanks!

> Don't you want a Fixes: tag?

Right,

Fixes: 87ce9e83ab8b ("memblock, treewide: make memblock_free() handle late freeing")
> > @@ -989,13 +989,15 @@ void __init_memblock memblock_free(void *ptr, size_t size) > > int __init_memblock memblock_phys_free(phys_addr_t base, phys_addr_t size) > > { > > phys_addr_t end = base + size - 1; > > - int ret; > > + int ret = 0; > > > > memblock_dbg("%s: [%pa-%pa] %pS\n", __func__, > > &base, &end, (void *)_RET_IP_); > > > > kmemleak_free_part_phys(base, size); > > - ret = memblock_remove_range(&memblock.reserved, base, size); > > + > > + if (!slab_is_available() || IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK)) > > + ret = memblock_remove_range(&memblock.reserved, base, size); > > > > if (slab_is_available()) > > __free_reserved_area(base, base + size, -1); > > given slab_is_available() is a cheap function, it is fine to call it > switch in here. > > Thanks for the fix! > --breno > -- Sincerely yours, Mike.
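Review bot: the new guard keys on slab_is_available(), but the commit message names memblock_discard() as the event that frees memblock.reserved, and the two are not the same point in boot. Between slab becoming usable and the discard, on a !ARCH_KEEP_MEMBLOCK configuration, memblock_phys_free() now hands the pages to __free_reserved_area() while leaving the range recorded in memblock.reserved, so any later walk of the reserved list in that interval sees a region that is already free. If that window is intended, a comment above `if (!slab_is_available() || IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK))` saying why slab availability is the chosen proxy for "the arrays may be gone" would spare the next reader the same question. Related: with `int ret = 0` as the default, a caller cannot tell "range removed" from "bookkeeping skipped"; that is harmless for the initcall path in the trace (housekeeping_late_init via do_initcalls), but it belongs in the same comment.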
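The boot-order hazard from the commit message, as an added C model that is not kernel code: it keeps a miniature memblock.reserved with range isolation and removal, moves it through three boot phases, and runs the pre-fix and post-fix shapes of memblock_phys_free() against each. Everything in it is a simplification written for this page; the phase names, the `touched_after_discard` counter standing in for the KASAN report, and the ordering assumption that slab becomes usable before memblock_discard() runs are the model's own, not memblock's. It goes one step past the thread by also issuing a free between those two events, where the guard skips the array update even though the array still exists.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Toy model of memblock.reserved bookkeeping across boot phases (added
 * example, not kernel code). Names echo memblock's; bodies are simplified. */
typedef uint64_t phys_addr_t;
struct region { phys_addr_t base, size; };
#define SIM_MAX_REGIONS 16

enum boot_phase {
	PHASE_EARLY,	 /* before slab exists: slab_is_available() == false */
	PHASE_SLAB_UP,	 /* slab usable, arrays still present (assumed ordering) */
	PHASE_DISCARDED, /* memblock_discard() has run */
};

struct sim {
	struct region *reserved;   /* NULL after discard unless keep_memblock */
	size_t cnt;
	enum boot_phase phase;
	bool keep_memblock;	   /* stands in for CONFIG_ARCH_KEEP_MEMBLOCK */
	int freed_to_buddy;	   /* __free_reserved_area() calls */
	int touched_after_discard; /* what the real kernel reports as a UAF */
};

static bool slab_is_available(const struct sim *s) { return s->phase != PHASE_EARLY; }

void sim_init(struct sim *s, bool keep_memblock)
{
	*s = (struct sim){ .reserved = calloc(SIM_MAX_REGIONS, sizeof(struct region)),
			   .keep_memblock = keep_memblock };
}

void sim_destroy(struct sim *s) { free(s->reserved); s->reserved = NULL; s->cnt = 0; }

int sim_reserve(struct sim *s, phys_addr_t base, phys_addr_t size)
{
	if (!s->reserved || s->cnt == SIM_MAX_REGIONS)
		return -1;
	s->reserved[s->cnt++] = (struct region){ base, size };
	return 0;
}

/* Drop [base, base+size) from the list, splitting regions that straddle the
 * ends: the memblock_isolate_range() + memblock_remove_region() part. */
static int remove_range(struct sim *s, phys_addr_t base, phys_addr_t size)
{
	struct region out[2 * SIM_MAX_REGIONS];
	phys_addr_t end = base + size;
	size_t n = 0;

	if (!s->reserved) {		/* kernel: read of freed memory */
		s->touched_after_discard++;
		return -1;
	}
	for (size_t i = 0; i < s->cnt; i++) {
		struct region r = s->reserved[i];
		phys_addr_t rend = r.base + r.size;

		if (rend <= base || r.base >= end) {	/* no overlap: keep */
			out[n++] = r;
			continue;
		}
		if (r.base < base)			/* left remainder */
			out[n++] = (struct region){ r.base, base - r.base };
		if (rend > end)				/* right remainder */
			out[n++] = (struct region){ end, rend - end };
	}
	if (n > SIM_MAX_REGIONS)
		return -1;
	for (size_t i = 0; i < n; i++)
		s->reserved[i] = out[i];
	s->cnt = n;
	return 0;
}

/* Move to a later phase; discard frees the array unless keep_memblock. */
void sim_advance(struct sim *s, enum boot_phase phase)
{
	s->phase = phase;
	if (phase == PHASE_DISCARDED && !s->keep_memblock)
		sim_destroy(s);
}

/* memblock_phys_free() before the fix: unconditionally updates the array. */
int phys_free_unpatched(struct sim *s, phys_addr_t base, phys_addr_t size)
{
	int ret = remove_range(s, base, size);

	if (slab_is_available(s))
		s->freed_to_buddy++;
	return ret;
}

/* memblock_phys_free() with the fix's guard. */
int phys_free_patched(struct sim *s, phys_addr_t base, phys_addr_t size)
{
	int ret = 0;

	if (!slab_is_available(s) || s->keep_memblock)
		ret = remove_range(s, base, size);
	if (slab_is_available(s))
		s->freed_to_buddy++;
	return ret;
}

/* What a later memblock_is_reserved()-style lookup would answer. */
bool sim_is_reserved(const struct sim *s, phys_addr_t addr)
{
	for (size_t i = 0; s->reserved && i < s->cnt; i++)
		if (addr - s->reserved[i].base < s->reserved[i].size)
			return true;
	return false;
}
```

Driving the model through PHASE_DISCARDED shows the two behaviours side by side: phys_free_unpatched() bumps touched_after_discard (the model's stand-in for the KASAN splat) while phys_free_patched() leaves the array alone and still counts the pages as handed to the buddy allocator. The PHASE_SLAB_UP run is the part not covered by the thread: with keep_memblock false the guarded free releases the pages but sim_is_reserved() keeps answering true for them, whereas with keep_memblock true the bookkeeping stays accurate.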