From: Muchun Song
To: Andrew Morton, David Hildenbrand, linux-mm@kvack.org
Cc: Lorenzo Stoakes, "Liam R. Howlett", Vlastimil Babka, Mike Rapoport, Suren Baghdasaryan, Michal Hocko, Frank van der Linden, Stefan Strogin, Dmitry Safonov <0x7f454c46@gmail.com>, Michal Nazarewicz, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Muchun Song, muchun.song@linux.dev
Subject: [PATCH] mm/cma_debug: fix invalid accesses for inactive CMA areas
Date: Wed, 20 May 2026 14:10:25 +0800
Message-ID: <20260520061025.3971821-1-songmuchun@bytedance.com>
X-Mailing-List: linux-kernel@vger.kernel.org

cma_activate_area() can fail after allocating range bitmaps. Its cleanup path frees those bitmaps, but only clears cma->count and cma->available_count. It leaves cma->nranges and each range's count in place, so cma_debugfs_init() can still register debugfs files for an area that never activated successfully.

That exposes two problems. Reading the bitmap file can make debugfs walk a freed range bitmap and trigger an invalid memory access. Reading maxchunk can also take cma->lock even though that lock is initialized only on the successful activation path.

Fix this by creating debugfs entries only for CMA areas that reached CMA_ACTIVATED.

Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
Fixes: 2e32b947606d ("mm: cma: add functions to get region pages counters")
Cc: stable@vger.kernel.org
Signed-off-by: Muchun Song
Acked-by: David Hildenbrand (Arm)
Acked-by: Mike Rapoport (Microsoft)
Acked-by: Oscar Salvador (SUSE)
--- mm/cma_debug.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/cma_debug.c b/mm/cma_debug.c index 5ae38f5abbcc..523ba4a0f9f7 100644 --- a/mm/cma_debug.c +++ b/mm/cma_debug.c
@@ -205,7 +205,8 @@ static int __init cma_debugfs_init(void) cma_debugfs_root =3D debugfs_create_dir("cma", NULL); =20 for (i =3D 0; i < cma_area_count; i++) - cma_debugfs_add_one(&cma_areas[i], cma_debugfs_root); + if (test_bit(CMA_ACTIVATED, &cma_areas[i].flags)) + cma_debugfs_add_one(&cma_areas[i], cma_debugfs_root); =20 return 0; } base-commit: e98d21c170b01ddef366f023bbfcf6b31509fa83 --=20 2.54.0
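
Review bot: The test_bit(CMA_ACTIVATED, &cma_areas[i].flags) guard added to the loop in cma_debugfs_init() closes only the debugfs path, while the commit message says the failed cma_activate_area() cleanup leaves cma->nranges and each range's count set after the bitmaps are freed. Consider also resetting those fields in that cleanup path, or stating in the commit message why no other reader can reach them, so the freed bitmaps are not reachable through stale counts elsewhere. A short comment above the check noting that inactive areas have freed bitmaps and an uninitialized cma->lock would help future readers. Style: the for body is now an if plus its statement, and kernel coding style asks for braces when a loop contains more than a single simple statement.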