From: Muchun Song
To: Andrew Morton, David Hildenbrand
Cc: Lorenzo Stoakes, "Liam R. Howlett", Vlastimil Babka, Mike Rapoport, Suren Baghdasaryan, Michal Hocko, Frank van der Linden, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Muchun Song, muchun.song@linux.dev
Subject: [PATCH] mm/cma: fix reserved page leak on activation failure
Date: Fri, 22 May 2026 14:26:58 +0800
Message-ID: <20260522062658.4095405-1-songmuchun@bytedance.com>

If cma_activate_area() fails after allocating only part of the range bitmaps, its cleanup path frees the bitmaps for the ranges below allocrange and then releases reserved pages using the same bound.

That bound is only correct for bitmap freeing. Pages in ranges that did not reach bitmap allocation are still reserved and should also be returned to the buddy when CMA_RESERVE_PAGES_ON_ERROR is clear. As a result, a partial bitmap allocation failure can permanently leak the reserved pages from the failed range and all later ranges.

Fix this by releasing reserved pages for all ranges. For ranges whose bitmap allocation succeeded, use the early_pfn[] snapshot saved before the bitmap pointer overwrote the union field. For later ranges, continue to use cmr->early_pfn directly.

Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
Cc: stable@vger.kernel.org
Signed-off-by: Muchun Song --- mm/cma.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/mm/cma.c b/mm/cma.c index c7ca567f4c5c..a30075507d41 100644 --- a/mm/cma.c +++ b/mm/cma.c @@ -188,10 +188,13 @@ static void __init cma_activate_area(struct cma *cma) =20 /* Expose all pages to the buddy, they are useless for CMA. */ if (!test_bit(CMA_RESERVE_PAGES_ON_ERROR, &cma->flags)) { - for (r =3D 0; r < allocrange; r++) { + for (r =3D 0; r < cma->nranges; r++) { + unsigned long start_pfn; + cmr =3D &cma->ranges[r]; + start_pfn =3D r < allocrange ? early_pfn[r] : cmr->early_pfn; end_pfn =3D cmr->base_pfn + cmr->count; - for (pfn =3D early_pfn[r]; pfn < end_pfn; pfn++) + for (pfn =3D start_pfn; pfn < end_pfn; pfn++) free_reserved_page(pfn_to_page(pfn)); } } base-commit: e98d21c170b01ddef366f023bbfcf6b31509fa83 --=20 2.54.0
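
Review bot: The `r < allocrange` test in the new `start_pfn` assignment needs checking for the boundary range `r == allocrange`, which is the range whose bitmap allocation failed. The commit message says the `early_pfn[]` snapshot exists because the bitmap pointer overwrites the union field; if the failed allocation's NULL result is stored into that field before the jump to cleanup, `cmr->early_pfn` for that range no longer holds a PFN and the inner `free_reserved_page()` loop would start from the wrong page. The allocation loop is outside this hunk, so please confirm which value survives for that index, and if the snapshot for it is already taken before the allocation, consider `r <= allocrange` instead. A short comment above the ternary saying why the two sources differ would also help, since the union is not visible at this site.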