Re: [PATCH] mm/cma_debug: fix invalid accesses for inactive CMA areas

[Mike Rapoport]

On Wed, May 20, 2026 at 02:10:25PM +0800, Muchun Song wrote:
> cma_activate_area() can fail after allocating range bitmaps. Its cleanup
> path frees those bitmaps, but only clears cma->count and
> cma->available_count. It leaves cma->nranges and each range's count in
> place, so cma_debugfs_init() can still register debugfs files for an area
> that never activated successfully.
> 
> That exposes two problems. Reading the bitmap file can make debugfs walk a
> freed range bitmap and trigger an invalid memory access. Reading maxchunk
> can also take cma->lock even though that lock is initialized only on the
> successful activation path.
> 
> Fix this by creating debugfs entries only for CMA areas that reached
> CMA_ACTIVATED.
> 
> Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
> Fixes: 2e32b947606d ("mm: cma: add functions to get region pages counters")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Muchun Song <songmuchun@xxxxxxxxxxxxx>

Acked-by: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>

> ---
>  mm/cma_debug.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/mm/cma_debug.c b/mm/cma_debug.c
> index 5ae38f5abbcc..523ba4a0f9f7 100644
> --- a/mm/cma_debug.c
> +++ b/mm/cma_debug.c
> @@ -205,7 +205,8 @@ static int __init cma_debugfs_init(void)
>  	cma_debugfs_root = debugfs_create_dir("cma", NULL);
>  
>  	for (i = 0; i < cma_area_count; i++)
> -		cma_debugfs_add_one(&cma_areas[i], cma_debugfs_root);
> +		if (test_bit(CMA_ACTIVATED, &cma_areas[i].flags))
> +			cma_debugfs_add_one(&cma_areas[i], cma_debugfs_root);
>  
>  	return 0;
>  }
> 
> base-commit: e98d21c170b01ddef366f023bbfcf6b31509fa83
> -- 
> 2.54.0
> 
> 

-- 
Sincerely yours,
Mike.