From: Jinjiang Tu <tujinjiang@huawei.com>
To: "David Hildenbrand (Red Hat)" <david@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Matthew Wilcox <willy@infradead.org>, <ziy@nvidia.com>,
<lorenzo.stoakes@oracle.com>, <baolin.wang@linux.alibaba.com>,
<Liam.Howlett@oracle.com>, <npache@redhat.com>,
<ryan.roberts@arm.com>, <dev.jain@arm.com>, <baohua@kernel.org>,
<lance.yang@linux.dev>, <linux-mm@kvack.org>,
<linux-fsdevel@vger.kernel.org>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Subject: Re: [bug report] memory leak of xa_node in collapse_file() when rollbacks
Date: Thu, 18 Dec 2025 20:35:19 +0800 [thread overview]
Message-ID: <51703066-abe5-4d85-8f6e-25bf0e4f470f@huawei.com> (raw)
In-Reply-To: <32e4658f-d23b-4bae-9053-acdd5277bb17@kernel.org>
在 2025/12/18 19:51, David Hildenbrand (Red Hat) 写道:
> On 12/18/25 12:45, Jinjiang Tu wrote:
>> I encountered a memory leak issue caused by xas_create_range().
>>
>> collapse_file() calls xas_create_range() to pre-create all slots needed.
>> If collapse_file() finally fails, these pre-created slots are empty
>> nodes
>> and aren't destroyed.
>>
>> I can reproduce it with following steps.
>> 1) create file /tmp/test_madvise_collapse and ftruncate to 4MB size,
>> and then mmap the file
>> 2) memset for the first 2MB
>> 3) madvise(MADV_COLLAPSE) for the second 2MB
>> 4) unlink the file
>>
>> in 3), collapse_file() calls xas_create_range() to expand xarray
>> depth, and fails to collapse
>> due to the whole 2M region is empty, the code is as following:
>>
>> collapse_file()
>> for (index = start; index < end;) {
>> xas_set(&xas, index);
>> folio = xas_load(&xas);
>>
>> VM_BUG_ON(index != xas.xa_index);
>> if (is_shmem) {
>> if (!folio) {
>> /*
>> * Stop if extent has been truncated or
>> * hole-punched, and is now completely
>> * empty.
>> */
>> if (index == start) {
>> if (!xas_next_entry(&xas, end - 1)) {
>> result = SCAN_TRUNCATED;
>> goto xa_locked;
>> }
>> }
>> ...
>> }
>>
>>
>> collapse_file() rollback path doesn't destroy the pre-created empty
>> nodes.
>>
>> When the file is deleted, shmem_evict_inode()->shmem_truncate_range()
>> traverses
>> all entries and calls xas_store(xas, NULL) to delete, if the leaf
>> xa_node that
>> stores deleted entry becomes emtry, xas_store() will automatically
>> delete the empty
>> node and delete it's parent is empty too, until parent node isn't
>> empty. shmem_evict_inode()
>> won't traverse the empty nodes created by xas_create_range() due to
>> these nodes doesn't store
>> any entries. As a result, these empty nodes are leaked.
>>
>> At first, I tried to destory the empty nodes when collapse_file()
>> goes to rollback path. However,
>> collapse_file() only holds xarray lock and may release the lock, so
>> we couldn't prevent concurrent
>> call of collapse_file(), so the deleted empty nodes may be needed by
>> other collapse_file() calls.
>>
>> IIUC, xas_create_range() is used to guarantee the xas_store(&xas,
>> new_folio); succeeds. Could we
>> remove xas_create_range() call and just rollback when we fail to
>> xas_store?
>
> Hi,
>
> thanks for the report.
>
> Is that what [1] is fixing?
>
> [1]
> https://lore.kernel.org/linux-mm/20251204142625.1763372-1-shardul.b@mpiricsoftware.com/
>
>
the allocation stack of the leaked xa_node is as follows:
unreferenced object 0xffff0000d4d9fd98 (size 576):
comm "test_filemap", pid 8220, jiffies 4294957272 (age 659.036s)
hex dump (first 32 bytes):
00 08 00 00 00 00 00 00 88 54 75 dc 00 00 ff ff .........Tu.....
a0 7d db d6 00 00 ff ff b0 fd d9 d4 00 00 ff ff .}..............
backtrace:
kmemleak_alloc+0xb8/0xd8
kmem_cache_alloc_lru+0x308/0x558
xas_alloc+0xb4/0xd0
xas_create+0xf4/0x1f8
xas_create_range+0xd0/0x158
collapse_file+0x13c/0x11e0
hpage_collapse_scan_file+0x1e0/0x488
madvise_collapse+0x174/0x650
madvise_vma_behavior+0x334/0x520
do_madvise+0x1bc/0x388
__arm64_sys_madvise+0x2c/0x48
invoke_syscall+0x50/0x128
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x44/0x200
el0t_64_sync_handler+0x100/0x130
it is allocated by xas_create_range(), not xas_nomem(). So it isn't the same issue.
prev parent reply other threads:[~2025-12-18 12:35 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-18 11:45 Jinjiang Tu
2025-12-18 11:51 ` David Hildenbrand (Red Hat)
2025-12-18 12:18 ` Jinjiang Tu
2025-12-18 12:49 ` David Hildenbrand (Red Hat)
2025-12-18 13:11 ` Jinjiang Tu
2025-12-25 4:15 ` Shardul Bankar
2025-12-27 1:24 ` Jinjiang Tu
2025-12-30 21:03 ` David Hildenbrand (Red Hat)
2025-12-31 6:29 ` Jinjiang Tu
2025-12-18 12:35 ` Jinjiang Tu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51703066-abe5-4d85-8f6e-25bf0e4f470f@huawei.com \
--to=tujinjiang@huawei.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=baohua@kernel.org \
--cc=baolin.wang@linux.alibaba.com \
--cc=david@kernel.org \
--cc=dev.jain@arm.com \
--cc=lance.yang@linux.dev \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=npache@redhat.com \
--cc=ryan.roberts@arm.com \
--cc=wangkefeng.wang@huawei.com \
--cc=willy@infradead.org \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox