mm/cma: fix reserved page leak on activation failure

If cma_activate_area() fails after allocating only part of the range
bitmaps, the cleanup path still has to release the reserved pages when
CMA_RESERVE_PAGES_ON_ERROR is clear.

That is still worth doing even in this __init path.  A bitmap_zalloc()
failure does not necessarily mean the system cannot make further progress:
freeing the reserved CMA pages can return a substantial amount of memory
to the buddy allocator and may relieve the temporary memory shortage that
caused the allocation failure in the first place.

However, the cleanup path currently uses the bitmap-freeing bound for page
release as well.  That is only correct for ranges whose bitmap allocation
already succeeded.  The failed range and all later ranges still keep their
reserved pages, so a partial bitmap allocation failure can permanently
leak them.

Fix this by releasing reserved pages for all ranges.  Use the saved
early_pfn[] value for ranges whose bitmap allocation already succeeded and
for the failed range, and use cmr->early_pfn for later ranges whose bitmap
allocation was never attempted.

Link: https://lore.kernel.org/20260523060123.2207992-1-songmuchun@bytedance.com
Fixes: c009da4258f9 ("mm, cma: support multiple contiguous ranges, if requested")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Reviewed-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Acked-by: Usama Arif <usama.arif@linux.dev>
Cc: David Hildenbrand <david@kernel.org>
Cc: Frank van der Linden <fvdl@google.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/mm/cma.c b/mm/cma.c
index c7ca567f4c5ce4fa86fc01ad55261f39c9fa2478..a13ce4999b39f6e0579ccdc473e88a23725a4873 100644 (file)
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -188,10 +188,13 @@ cleanup:
 
        /* Expose all pages to the buddy, they are useless for CMA. */
        if (!test_bit(CMA_RESERVE_PAGES_ON_ERROR, &cma->flags)) {
-               for (r = 0; r < allocrange; r++) {
+               for (r = 0; r < cma->nranges; r++) {
+                       unsigned long start_pfn;
+
                        cmr = &cma->ranges[r];
+                       start_pfn = r <= allocrange ? early_pfn[r] : cmr->early_pfn;
                        end_pfn = cmr->base_pfn + cmr->count;
-                       for (pfn = early_pfn[r]; pfn < end_pfn; pfn++)
+                       for (pfn = start_pfn; pfn < end_pfn; pfn++)
                                free_reserved_page(pfn_to_page(pfn));
                }
        }