From: David Hildenbrand <david@redhat.com>
To: Suren Baghdasaryan <surenb@google.com>, akpm@linux-foundation.org
Cc: hughd@google.com, hannes@cmpxchg.org,
vincent.whitchurch@axis.com, seanjc@google.com, rppt@kernel.org,
shy828301@gmail.com, pasha.tatashin@soleen.com,
paul.gortmaker@windriver.com, peterx@redhat.com, vbabka@suse.cz,
Liam.Howlett@Oracle.com, ccross@google.com, willy@infradead.org,
arnd@arndb.de, cgel.zte@gmail.com, yuzhao@google.com,
bagasdotme@gmail.com, suleiman@google.com, steven@liquorix.net,
heftig@archlinux.org, cuigaosheng1@huawei.com,
kirill@shutemov.name, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
syzbot+91edf9178386a07d06a7@syzkaller.appspotmail.com
Subject: Re: [PATCH 1/1] mm: fix vma->anon_name memory leak for anonymous shmem VMAs
Date: Mon, 2 Jan 2023 13:00:36 +0100 [thread overview]
Message-ID: <6ddb468a-3771-92a1-deb1-b07a954293a3@redhat.com> (raw)
In-Reply-To: <20221228194249.170354-1-surenb@google.com>
On 28.12.22 20:42, Suren Baghdasaryan wrote:
> free_anon_vma_name() is missing a check for anonymous shmem VMA which
> leads to a memory leak due to refcount not being dropped. Fix this by
> adding the missing check.
>
> Fixes: d09e8ca6cb93 ("mm: anonymous shared memory naming")
> Reported-by: syzbot+91edf9178386a07d06a7@syzkaller.appspotmail.com
> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> ---
> include/linux/mm_inline.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/mm_inline.h b/include/linux/mm_inline.h
> index e8ed225d8f7c..d650ca2c5d29 100644
> --- a/include/linux/mm_inline.h
> +++ b/include/linux/mm_inline.h
> @@ -413,7 +413,7 @@ static inline void free_anon_vma_name(struct vm_area_struct *vma)
> * Not using anon_vma_name because it generates a warning if mmap_lock
> * is not held, which might be the case here.
> */
> - if (!vma->vm_file)
> + if (!vma->vm_file || vma_is_anon_shmem(vma))
> anon_vma_name_put(vma->anon_name);
Wouldn't it be me more consistent to check for "vma->anon_name"?
That's what dup_anon_vma_name() checks. And it's safe now because
anon_name is no longer overloaded in vm_area_struct.
--
Thanks,
David / dhildenb
next prev parent reply other threads:[~2023-01-02 12:00 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-28 19:42 Suren Baghdasaryan
2023-01-02 12:00 ` David Hildenbrand [this message]
2023-01-03 19:53 ` Suren Baghdasaryan
2023-01-04 9:04 ` David Hildenbrand
2023-01-04 18:24 ` Suren Baghdasaryan
2023-01-05 0:06 ` Suren Baghdasaryan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6ddb468a-3771-92a1-deb1-b07a954293a3@redhat.com \
--to=david@redhat.com \
--cc=Liam.Howlett@Oracle.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=bagasdotme@gmail.com \
--cc=ccross@google.com \
--cc=cgel.zte@gmail.com \
--cc=cuigaosheng1@huawei.com \
--cc=hannes@cmpxchg.org \
--cc=heftig@archlinux.org \
--cc=hughd@google.com \
--cc=kirill@shutemov.name \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pasha.tatashin@soleen.com \
--cc=paul.gortmaker@windriver.com \
--cc=peterx@redhat.com \
--cc=rppt@kernel.org \
--cc=seanjc@google.com \
--cc=shy828301@gmail.com \
--cc=steven@liquorix.net \
--cc=suleiman@google.com \
--cc=surenb@google.com \
--cc=syzbot+91edf9178386a07d06a7@syzkaller.appspotmail.com \
--cc=vbabka@suse.cz \
--cc=vincent.whitchurch@axis.com \
--cc=willy@infradead.org \
--cc=yuzhao@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox