From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-pa0-f46.google.com (mail-pa0-f46.google.com [209.85.220.46])
        by kanga.kvack.org (Postfix) with ESMTP id 59DF36B0038
        for ; Wed, 2 Dec 2015 14:50:30 -0500 (EST)
Received: by pacdm15 with SMTP id dm15so49452252pac.3
        for ; Wed, 02 Dec 2015 11:50:30 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com. [156.151.31.81])
        by mx.google.com with ESMTPS id a79si6562572pfj.84.2015.12.02.11.50.29
        for
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 02 Dec 2015 11:50:29 -0800 (PST)
Subject: Re: [PATCH] mm/hugetlb resv map memory leak for placeholder entries
References: <1449024761-11280-1-git-send-email-mike.kravetz@oracle.com>
From: Mike Kravetz
Message-ID: <565F4B73.9010903@oracle.com>
Date: Wed, 2 Dec 2015 11:50:11 -0800
MIME-Version: 1.0
In-Reply-To: <1449024761-11280-1-git-send-email-mike.kravetz@oracle.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: owner-linux-mm@kvack.org
List-ID:
To: Dmitry Vyukov, Andrew Morton, Naoya Horiguchi, Hillf Danton,
        David Rientjes, "Kirill A. Shutemov", Dave Hansen, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org, Hugh Dickins, Greg Thelen
Cc: Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet,
        syzkaller, stable@vger.kernel.org, "[4.3]"@kvack.org

On 12/01/2015 06:52 PM, Mike Kravetz wrote:
> Dmitry Vyukov reported the following memory leak
>
> unreferenced object 0xffff88002eaafd88 (size 32):
>   comm "a.out", pid 5063, jiffies 4295774645 (age 15.810s)
>   hex dump (first 32 bytes):
>     28 e9 4e 63 00 88 ff ff 28 e9 4e 63 00 88 ff ff  (.Nc....(.Nc....
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [< inline >] kmalloc include/linux/slab.h:458
>     [] region_chg+0x2d4/0x6b0 mm/hugetlb.c:398
>     [] __vma_reservation_common+0x2c3/0x390 mm/hugetlb.c:1791
>     [< inline >] vma_needs_reservation mm/hugetlb.c:1813
>     [] alloc_huge_page+0x19e/0xc70 mm/hugetlb.c:1845
>     [< inline >] hugetlb_no_page mm/hugetlb.c:3543
>     [] hugetlb_fault+0x7a1/0x1250 mm/hugetlb.c:3717
>     [] follow_hugetlb_page+0x339/0xc70 mm/hugetlb.c:3880
>     [] __get_user_pages+0x542/0xf30 mm/gup.c:497
>     [] populate_vma_page_range+0xde/0x110 mm/gup.c:919
>     [] __mm_populate+0x1c7/0x310 mm/gup.c:969
>     [] do_mlock+0x291/0x360 mm/mlock.c:637
>     [< inline >] SYSC_mlock2 mm/mlock.c:658
>     [] SyS_mlock2+0x4b/0x70 mm/mlock.c:648
>
> Dmitry identified a potential memory leak in the routine region_chg,
> where a region descriptor is not freed on an error path.
>
> However, the root cause for the above memory leak resides in region_del.
> In this specific case, a "placeholder" entry is created in region_chg.  The
> associated page allocation fails, and the placeholder entry is left in the
> reserve map.  This is "by design" as the entry should be deleted when the
> map is released.  The bug is in the region_del routine which is used to
> delete entries within a specific range (and when the map is released).
> region_del did not handle the case where a placeholder entry exactly matched
> the start of the range to be deleted.  In this case, the entry would
> not be deleted and leaked.  The fix is to take these special placeholder
> entries into account in region_del.
>
> The region_chg error path leak is also fixed.
>
> Fixes: feba16e25a57 ("add region_del() to delete a specific range of entries")
> Cc: stable@vger.kernel.org [4.3]
> Signed-off-by: Mike Kravetz
> Reported-by: Dmitry Vyukov
> ---
>  mm/hugetlb.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
> index 1101ccd94..ba07014 100644
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -372,8 +372,10 @@ retry_locked:
>  		spin_unlock(&resv->lock);
>
>  		trg = kmalloc(sizeof(*trg), GFP_KERNEL);
> -		if (!trg)
> +		if (!trg) {
> +			kfree(nrg);
>  			return -ENOMEM;
> +		}
>
>  		spin_lock(&resv->lock);
>  		list_add(&trg->link, &resv->region_cache);
> @@ -483,7 +485,13 @@ static long region_del(struct resv_map *resv, long f, long t)
>  retry:
>  	spin_lock(&resv->lock);
>  	list_for_each_entry_safe(rg, trg, head, link) {
> -		if (rg->to <= f)
> +		/*
> +		 * file_region ranges are normally of the form [from, to).
> +		 * However, there may be a "placeholder" entry in the map
> +		 * which is of the form (from, to) with from == to.  Check
> +		 * for placeholder entries as well.
> +		 */
> +		if (rg->to <= f && rg->to != rg->from)

That check is not sufficient/correct.  It will allow placeholder entries
BEFORE the range to be deleted to fall through.  This would result in
modifications of those placeholder entries to create bogus/bad entries
of the form [from, to) where from > to.

A V2 of the patch with a more specific check will be sent shortly.

-- 
Mike Kravetz

>  			continue;
>  		if (rg->from >= t)
>  			break;
> --
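
To make the objection above concrete, here is a minimal user-space sketch,
not kernel code.  It models only the "skip this entry" test at the top of
the region_del loop and ignores locking, list handling and the trimming
logic.  The names struct region, skip_orig, skip_v1, skip_strict and
check_placeholder_cases are hypothetical and exist only for this
illustration.  skip_strict is one possible stricter check, assumed here for
comparison; it is not claimed to be what V2 will contain.

```c
#include <assert.h>
#include <stdbool.h>

/* Simplified stand-in for struct file_region: just the [from, to) bounds. */
struct region {
	long from;
	long to;
};

/* Check before the patch: skip every entry that ends at or before f. */
static bool skip_orig(const struct region *rg, long f)
{
	return rg->to <= f;
}

/* Check from the quoted patch: never skip a placeholder (from == to). */
static bool skip_v1(const struct region *rg, long f)
{
	return rg->to <= f && rg->to != rg->from;
}

/*
 * Hypothetical stricter check (an assumption, not taken from the thread):
 * stop skipping only for a placeholder that sits exactly at f.
 */
static bool skip_strict(const struct region *rg, long f)
{
	return rg->to <= f && (rg->to != rg->from || rg->to != f);
}

/* Walk through the cases discussed above for a delete starting at f = 5. */
void check_placeholder_cases(void)
{
	const long f = 5;
	const struct region at_start = { 5, 5 };	/* placeholder exactly at f */
	const struct region before = { 2, 2 };		/* placeholder before f */
	const struct region normal = { 0, 3 };		/* ordinary region before f */

	/* The original check skips the placeholder at f, so it is leaked. */
	assert(skip_orig(&at_start, f));

	/* The quoted patch processes it, but also the earlier placeholder. */
	assert(!skip_v1(&at_start, f));
	assert(!skip_v1(&before, f));

	/* The stricter variant processes only the placeholder at f. */
	assert(!skip_strict(&at_start, f));
	assert(skip_strict(&before, f));

	/* Ordinary regions that end before f are skipped by all three. */
	assert(skip_orig(&normal, f));
	assert(skip_v1(&normal, f));
	assert(skip_strict(&normal, f));
}
```

Calling check_placeholder_cases() from a small test program exercises all
three predicates.  The case of interest is the placeholder at 2: the check
in the quoted patch does not skip it, so it would reach the code that
modifies entries even though it lies entirely before the range.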