From: ranxiaokai627@163.com
To: akpm@linux-foundation.org, vbabka@suse.cz, surenb@google.com, mhocko@suse.com, jackmanb@google.com, hannes@cmpxchg.org, ziy@nvidia.com, david@kernel.org, luizcap@redhat.com
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, ran.xiaokai@zte.com.cn, ranxiaokai627@163.com
Subject: [PATCH] mm/page_owner: fix prematurely released rcu_read_lock()
Date: Tue, 23 Dec 2025 09:25:26 +0000
Message-ID: <20251223092526.140566-1-ranxiaokai627@163.com>
From: Ran Xiaokai

In CONFIG_SPARSEMEM systems, page_ext uses RCU to synchronize with memory
hotplug operations, ensuring page_ext memory won't be freed due to
MEM_OFFLINE during page_ext data access. Since page_owner is part of
page_ext, rcu_read_lock() must be held continuously throughout the entire
page_owner access period and should not be released midway. Otherwise, it
may cause a use-after-free issue. The sequence is like this:

CPU0                                            CPU1
__folio_copy_owner():                           MEM_OFFLINE:
  page_ext = page_ext_get(&old->page);
  old_page_owner = ...
  page_ext_put(page_ext);
  page_ext = page_ext_get(&newfolio->page);
  new_page_owner = ...
  page_ext_put(page_ext);
                                                  __invalidate_page_ext(pfn);
                                                  synchronize_rcu();
                                                  __free_page_ext(pfn);
  old_page_owner->pid
  new_page_owner->order   ---> access to freed area

Fixes: 3a812bed3d32a ("mm: page_owner: use new iteration API")
Signed-off-by: Ran Xiaokai
---
 mm/page_owner.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/mm/page_owner.c b/mm/page_owner.c
index b6a394a130ec..5d6860e54be7 100644
--- a/mm/page_owner.c
+++ b/mm/page_owner.c
@@ -375,24 +375,25 @@ void __split_page_owner(struct page *page, int old_or= der, int new_order) void __folio_copy_owner(struct folio *newfolio, struct folio *old) { struct page_ext *page_ext; + struct page_ext *old_page_ext, *new_page_ext; struct page_ext_iter iter; struct page_owner *old_page_owner; struct page_owner *new_page_owner; depot_stack_handle_t migrate_handle; =20 - page_ext =3D page_ext_get(&old->page); - if (unlikely(!page_ext)) + old_page_ext =3D page_ext_get(&old->page); + if (unlikely(!old_page_ext)) return; =20 - old_page_owner =3D get_page_owner(page_ext); - page_ext_put(page_ext); + old_page_owner =3D get_page_owner(old_page_ext); =20 - page_ext =3D page_ext_get(&newfolio->page); - if (unlikely(!page_ext)) + new_page_ext =3D page_ext_get(&newfolio->page); + if (unlikely(!new_page_ext)) { + page_ext_put(old_page_ext); return; + } =20 - new_page_owner =3D get_page_owner(page_ext); - page_ext_put(page_ext); + new_page_owner =3D get_page_owner(new_page_ext); =20 migrate_handle =3D new_page_owner->handle; __update_page_owner_handle(&newfolio->page, old_page_owner->handle, @@ -414,12 +415,12 @@ void __folio_copy_owner(struct folio *newfolio, struc= t folio *old) * for the new one and the old folio otherwise there will be an imbalance * when subtracting those pages from the stack. */ - rcu_read_lock(); for_each_page_ext(&old->page, 1 << new_page_owner->order, page_ext, iter)= { old_page_owner =3D get_page_owner(page_ext); old_page_owner->handle =3D migrate_handle; } - rcu_read_unlock(); + page_ext_put(new_page_ext); + page_ext_put(old_page_ext); } =20 void pagetypeinfo_showmixedcount_print(struct seq_file *m, --=20 2.25.1
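Review bot: in the first hunk the reason old_page_ext must now outlive the newfolio lookup is not stated anywhere in the code; add a comment above `old_page_owner = get_page_owner(old_page_ext);` saying that old_page_owner is dereferenced after the second page_ext_get() and that the reference (and the RCU read-side section it holds) has to be kept until the end of the function, so a later cleanup does not move the put back up and reintroduce the use-after-free from the commit message. The new error path `if (unlikely(!new_page_ext)) { page_ext_put(old_page_ext); return; }` correctly releases the first reference before returning. Since two page_ext_get() references are now outstanding at once across __update_page_owner_handle() and the copy loop, it is worth stating in that same comment that nothing in between may sleep.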
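Review bot: in the second hunk, dropping the explicit rcu_read_lock()/rcu_read_unlock() pair makes for_each_page_ext() depend on the RCU read-side section still held through the outstanding old_page_ext and new_page_ext references, and that dependency is invisible at the loop itself; add a comment above `for_each_page_ext(&old->page, 1 << new_page_owner->order, page_ext, iter) {` stating that RCU is held via those references and that the two page_ext_put() calls must stay after the loop. Releasing new_page_ext before old_page_ext mirrors the acquisition order, which is the right LIFO release. The preceding "imbalance" comment should also be re-read to confirm it still describes the code accurately now that the lock lines are gone.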