From: Shardul Bankar
To: shardulsb08@gmail.com
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzbot+a785d07959bc94837d51@syzkaller.appspotmail.com, akpm@linux-foundation.org, david@kernel.org, lorenzo.stoakes@oracle.com, ziy@nvidia.com, baolin.wang@linux.alibaba.com, Liam.Howlett@oracle.com, npache@redhat.com, ryan.roberts@arm.com, dev.jain@arm.com, baohua@kernel.org, lance.yang@linux.dev, janak@mpiricsoftware.com, shardul.b@mpiricsoftware.com
Subject: [PATCH] mm: khugepaged: fix memory leak in collapse_file rollback path
Date: Sun, 23 Nov 2025 18:57:27 +0530
Message-Id: <20251123132727.3262731-1-shardul.b@mpiricsoftware.com>

When collapse_file() fails after xas_create_range() succeeds, the rollback path does not clean up pre-allocated XArray nodes stored in xas->xa_alloc. These nodes are allocated by xas_nomem() when xas_create() fails with GFP_NOWAIT and need to be freed.

The leak occurs because:

1. xas_create_range() may call xas_nomem(), which allocates a node and stores it in xas->xa_alloc
2. If the collapse operation fails later, the rollback path jumps to the 'rollback:' label
3. The rollback path cleans up folios but does not call xas_destroy() to free the pre-allocated nodes in xas->xa_alloc

Fix this by calling xas_destroy(&xas) at the beginning of the rollback path to free any pre-allocated nodes. This is safe because xas_destroy() only frees nodes in xas->xa_alloc that were never inserted into the XArray tree.

Note: This fixes the leak of pre-allocated nodes. A separate fix will be needed to clean up empty nodes that were inserted into the tree by xas_create_range() but never populated.
Link: https://syzkaller.appspot.com/bug?id=a274d65fc733448ed518ad15481ed575669dd98c
Fixes: cae106dd67b9 ("mm/khugepaged: refactor collapse_file control flow")
Signed-off-by: Shardul Bankar
Reviewed-by: Dev Jain
---
 mm/khugepaged.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/khugepaged.c b/mm/khugepaged.c index abe54f0043c7..f2fe7924afa0 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -2230,6 +2230,7 @@ static int collapse_file(struct mm_struct *mm, unsign= ed long addr, goto out; =20 rollback: + xas_destroy(&xas); /* Something went wrong: roll back page cache changes */ if (nr_none) { xas_lock_irq(&xas); --=20 2.34.1
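Review bot: the added xas_destroy(&xas) sits between the "rollback:" label and the existing comment "/* Something went wrong: roll back page cache changes */", so that comment no longer introduces the statement it was written for and the new call has no explanation of its own at the point where a reader of the rollback path will meet it; consider placing the call below that comment, or giving it a one-line comment along the lines of "/* Free nodes pre-allocated by xas_nomem() that were never inserted */", so the reason does not have to be recovered from the changelog. Placing the call at the label itself is otherwise the right choice: xas_destroy() only releases the list hanging off xas->xa_alloc and does nothing when no allocation is pending, so every path that jumps to "rollback:" is covered without a condition, and it does not need the xa_lock, which the hunk shows is only taken later inside the "if (nr_none)" branch. The changelog's closing note, that empty nodes already inserted by xas_create_range() are left for a separate fix, is consistent with this call, since xas_destroy() does not touch nodes that are in the tree; it would be worth referencing this patch from that follow-up so the two halves of the cleanup are easy to find together.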