Xen project Mailing List

Re: [PATCH v2 1/2] xen/page_alloc: verify buddy alignment in reserve_offlined_page()

From: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>

Date: Thu, 4 Jun 2026 11:43:15 +0200

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=20251104 header.d=gmail.com header.i="@gmail.com" header.h="Content-Transfer-Encoding:In-Reply-To:From:Content-Language:References:Cc:To:Subject:User-Agent:MIME-Version:Date:Message-ID"

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Bernhard Kaindl <bernhard.kaindl@xxxxxxxxxx>

Delivery-date: Thu, 04 Jun 2026 09:43:36 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 6/3/26 4:30 PM, Jan Beulich wrote:

On 03.06.2026 16:17, Bernhard Kaindl wrote:

reserve_offlined_page() fails to verify alignment when growing
buddies around offlined pages. Consequently, misaligned buddies
may be constructed from non-offlined page ranges and returned to
the free lists.

After a particular sequence of allocations and frees, pages
from such a misaligned buddy may be allocated more than once,
eventually triggering a Xen BUG() in alloc_heap_pages().

Fixes: e4865c2315 ('Page offline support in Xen side')
Signed-off-by: Bernhard Kaindl <bernhard.kaindl@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>


Oleksii, thoughts towards 4.22?

I've waited for v2 of this patch series to R-Ack, I see patches

separately but they aren't grouped into one patch series for some reason.

Release-Acked-by: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx> ~ Oleksii

Jan

---
v2:
- Updated the title for clarity.
- Bugfix isolated from the test case for backporting.
- Removed excess parentheses from the alignment check if() expression.
- Simplified the alignment check to use '& (1UL << cur_order)'. Because
   the covering buddy head is size-aligned, cur_head is also aligned to
   cur_order, making this reduction safe (verified against extended tests).
- Updated the inline code comment to accurately state that only the upper
   half of the next_order range is checked for offlined pages.
---
  xen/common/page_alloc.c | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
index 2c4ff2c34c70..2767376a710b 100644
--- a/xen/common/page_alloc.c
+++ b/xen/common/page_alloc.c
@@ -1202,6 +1202,11 @@ static int reserve_offlined_page(struct page_info *head)
              if ( (cur_head + (1 << next_order)) >= (head + ( 1 << 
head_order)) )
                  goto merge;

+ /* Do not grow to next_order if cur_head is not aligned to it. */

+            if ( mfn_x(page_to_mfn(cur_head)) & (1UL << cur_order) )
+                goto merge;
+
+            /* Check for offlined pages in upper half of next_order range. */
              for ( i = (1 << cur_order), pg = cur_head + (1 << cur_order );
                    i < (1 << next_order);
                    i++, pg++ )

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.