From: Shardul Bankar
To: linux-mm@kvack.org, dev.jain@arm.com, david@kernel.org
Cc: linux-kernel@vger.kernel.org, syzbot+a785d07959bc94837d51@syzkaller.appspotmail.com, akpm@linux-foundation.org, lorenzo.stoakes@oracle.com, ziy@nvidia.com, baolin.wang@linux.alibaba.com, Liam.Howlett@oracle.com, npache@redhat.com, ryan.roberts@arm.com, baohua@kernel.org, lance.yang@linux.dev, janak@mpiricsoftware.com, shardul.b@mpiricsoftware.com, shardulsb08@gmail.com
Subject: [PATCH v2] mm: khugepaged: fix memory leak in collapse_file xas retry loop
Date: Mon, 24 Nov 2025 21:41:49 +0530
Message-Id: <20251124161149.1302507-1-shardul.b@mpiricsoftware.com>
In-Reply-To: <703387c8908a609c3de966574dfcf481c5a97216.camel@mpiricsoftware.com>
References: <703387c8908a609c3de966574dfcf481c5a97216.camel@mpiricsoftware.com>

collapse_file() uses xas_create_range() in a retry loop that calls
xas_nomem() on -ENOMEM and then retries. xas_nomem() may allocate a
spare xa_node and store it in xas->xa_alloc.

If the lock is dropped after xas_nomem(), another thread can expand the
xarray tree in the meantime. On the next retry, xas_create_range() can
then succeed trivially without consuming the node stored in
xas->xa_alloc. If we then either succeed or give up and go to the
rollback path without calling xas_destroy(), that spare node leaks.

Fix this by calling xas_destroy(&xas) in both the success case
(!xas_error(&xas)) and the failure case where xas_nomem() returns false
and we abort. xas_destroy() will free any unused spare node in
xas->xa_alloc and is a no-op if there is nothing left to free.
Link: https://syzkaller.appspot.com/bug?id=a274d65fc733448ed518ad15481ed575669dd98c
Fixes: cae106dd67b9 ("mm/khugepaged: refactor collapse_file control flow")
Signed-off-by: Shardul Bankar
---
v2:
- Call xas_destroy() on both success and failure
- Explained retry semantics and xa_alloc / concurrency risk
- Dropped cleanup_empty_nodes from previous proposal

 mm/khugepaged.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mm/khugepaged.c b/mm/khugepaged.c
index abe54f0043c7..0794a99c807f 100644
--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -1872,11 +1872,14 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
 	do {
 		xas_lock_irq(&xas);
 		xas_create_range(&xas);
-		if (!xas_error(&xas))
+		if (!xas_error(&xas)) {
+			xas_destroy(&xas);
 			break;
+		}
 		xas_unlock_irq(&xas);
 		if (!xas_nomem(&xas, GFP_KERNEL)) {
 			result = SCAN_FAIL;
+			xas_destroy(&xas);
 			goto rollback;
 		}
 	} while (1);
-- 
2.34.1
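Review bot: the new xas_destroy(&xas) in the success branch runs with the xarray lock still held (xas_lock_irq() is taken at the top of the loop and the break leaves it held), and neither the hunk nor the commit message says why freeing the spare node in that context is acceptable; a one-line comment above the call, e.g. `/* Free the spare node xas_nomem() left behind if xas_create_range() did not consume it */`, would also record the non-obvious reason the call is needed at all, since nothing at the call site hints that xas_create_range() can succeed without using xas->xa_alloc. For the xas_destroy(&xas) added before `goto rollback`, the commit message only says the call is a no-op when there is nothing to free; it should state whether that path is expected to ever hold a spare node after xas_nomem() has returned false, or whether the call is purely defensive, so a later reader knows which of the two calls actually closes the reported leak.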