[PATCH v3] lib: xarray: free unused spare node in xas_create_range()

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Shardul Bankar <shardul.b@mpiricsoftware.com>
To: willy@infradead.org, linux-mm@kvack.org, akpm@linux-foundation.org
Cc: dev.jain@arm.com, david@kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	shardulsb08@gmail.com, janak@mpiricsoftware.com,
	Shardul Bankar <shardul.b@mpiricsoftware.com>
Subject: [PATCH v3] lib: xarray: free unused spare node in xas_create_range()
Date: Mon,  1 Dec 2025 13:15:40 +0530	[thread overview]
Message-ID: <20251201074540.3576327-1-shardul.b@mpiricsoftware.com> (raw)
In-Reply-To: <7a31f01ac0d63788e5fbac15192c35229e1f980a.camel@mpiricsoftware.com>

xas_create_range() is typically called in a retry loop that uses
xas_nomem() to handle -ENOMEM errors. xas_nomem() may allocate a spare
xa_node and store it in xas->xa_alloc for use in the retry.

If the lock is dropped after xas_nomem(), another thread can expand the
xarray tree in the meantime. On the next retry, xas_create_range() can
then succeed without consuming the spare node stored in xas->xa_alloc.
If the function returns without freeing this spare node, it leaks.

xas_create_range() calls xas_create() multiple times in a loop for
different index ranges. A spare node that isn't needed for one range
iteration might be needed for the next, so we cannot free it after each
xas_create() call. We can only safely free it after xas_create_range()
completes.

Fix this by calling xas_destroy() at the end of xas_create_range() to
free any unused spare node. This makes the API safer by default and
prevents callers from needing to remember cleanup.

This fixes a memory leak in mm/khugepaged.c and potentially other
callers that use xas_nomem() with xas_create_range().

Link: https://syzkaller.appspot.com/bug?id=a274d65fc733448ed518ad15481ed575669dd98c
Fixes: cae106dd67b9 ("mm/khugepaged: refactor collapse_file control flow")
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
---
 v3:
 - Move fix from collapse_file() to xas_create_range() as suggested by Matthew Wilcox
 - Fix in library function makes API safer by default, preventing callers from needing
   to remember cleanup
 - Use shared cleanup label that both restore: and success: paths jump to
 - Clean up unused spare node on both success and error exit paths
 v2:
 - Call xas_destroy() on both success and failure
 - Explained retry semantics and xa_alloc / concurrency risk
 - Dropped cleanup_empty_nodes from previous proposal
 lib/xarray.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/xarray.c b/lib/xarray.c
index 9a8b4916540c..a924421c0c4c 100644
--- a/lib/xarray.c
+++ b/lib/xarray.c
@@ -744,11 +744,17 @@ void xas_create_range(struct xa_state *xas)
 	xas->xa_shift = shift;
 	xas->xa_sibs = sibs;
 	xas->xa_index = index;
-	return;
+	goto cleanup;
+
 success:
 	xas->xa_index = index;
 	if (xas->xa_node)
 		xas_set_offset(xas);
+
+cleanup:
+	/* Free any unused spare node from xas_nomem() */
+	if (xas->xa_alloc)
+		xas_destroy(xas);
 }
 EXPORT_SYMBOL_GPL(xas_create_range);

-- 
2.34.1

next prev parent reply	other threads:[~2025-12-01  7:46 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-23 13:27 [PATCH] mm: khugepaged: fix memory leak in collapse_file rollback path Shardul Bankar
2025-11-23 14:49 ` Dev Jain
2025-11-24 10:02 ` David Hildenbrand (Red Hat)
2025-11-24 11:46   ` Dev Jain
2025-11-24 15:23     ` Shardul Bankar
2025-11-24 16:11       ` [PATCH v2] mm: khugepaged: fix memory leak in collapse_file xas retry loop Shardul Bankar
2025-11-24 16:21         ` Matthew Wilcox
2025-11-24 17:37           ` Shardul Bankar
2025-12-01  7:45             ` Shardul Bankar [this message]
2025-12-01  8:39               ` [PATCH v3] lib: xarray: free unused spare node in xas_create_range() David Hildenbrand (Red Hat)
2025-12-04 14:15                 ` Shardul Bankar
2025-12-04 21:15                   ` David Hildenbrand (Red Hat)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251201074540.3576327-1-shardul.b@mpiricsoftware.com \
    --to=shardul.b@mpiricsoftware.com \
    --cc=akpm@linux-foundation.org \
    --cc=david@kernel.org \
    --cc=dev.jain@arm.com \
    --cc=janak@mpiricsoftware.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=shardulsb08@gmail.com \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox