From: Shardul Bankar <shardul.b@mpiricsoftware.com>
To: Dev Jain <dev.jain@arm.com>,
"David Hildenbrand (Red Hat)" <david@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
syzbot+a785d07959bc94837d51@syzkaller.appspotmail.com,
akpm@linux-foundation.org, lorenzo.stoakes@oracle.com,
ziy@nvidia.com, baolin.wang@linux.alibaba.com,
Liam.Howlett@oracle.com, npache@redhat.com,
ryan.roberts@arm.com, baohua@kernel.org, lance.yang@linux.dev,
janak@mpiricsoftware.com, shardulsb08@gmail.com
Subject: Re: [PATCH] mm: khugepaged: fix memory leak in collapse_file rollback path
Date: Mon, 24 Nov 2025 20:53:54 +0530 [thread overview]
Message-ID: <703387c8908a609c3de966574dfcf481c5a97216.camel@mpiricsoftware.com> (raw)
In-Reply-To: <9d4774ec-41d4-4c6f-899a-991187e58897@arm.com>
Hi David, Dev,
Thanks for the clarification, that really helped straighten things out.
On Mon, 2025-11-24 at 17:16 +0530, Dev Jain wrote:
>
> On 24/11/25 3:32 pm, David Hildenbrand (Red Hat) wrote:
> >
> > Do you mean that, if xas_create_range() failed, collapse_file()
> > will call xas_nomem() to preallocate memory?
Yes that's correct.
> > I don't immediately see how xas_create_range() would call
> > xas_nomem().
xas_create_range() indeed doesn't call xas_nomem() internally. The
control flow is:
xas_create_range(&xas)
-> xas_create()
-> may set XA_ERROR(-ENOMEM)
collapse_file() detects xas_error()
-> calls xas_nomem()
-> allocates a spare node and stores it in xas->xa_alloc
> >
> > Note that after we call xas_nomem(), we retry xas_create_range() -
> > - that previously failed to to -ENOMEM.
> >
> > So the assumption is that the xas_create_range() call would
> > consume that memory.
> >
> > I'm sure there is some corner case where it is not the case (some
> > concurrent action? not sure)
>
> Someone else can put slots in the xarray since we dropped the lock. I
> cannot prove this, but surely
> disproving this is harder : )
As Dev pointed out, after xas_nomem(), another thread may expand the
xarray while the lock is dropped. In that case, the next
xas_create_range() retry could succeed without consuming xa_alloc, so
xas_destroy() should clear the unused spare node. Calling xas_destroy()
on all exit paths therefore seems correct and safe.
> > Shouldn't we just call xas_destroy() in any case, also when
> > everything succeeded?
>
> Yeah you are right. We should probably do
> diff --git a/mm/khugepaged.c b/mm/khugepaged.c
> index abe54f0043c7..0794a99c807f100644
> --- a/mm/khugepaged.c
> +++ b/mm/khugepaged.c
> @@ -1872,11 +1872,14 @@ staticintcollapse_file(struct mm_struct *mm,
> unsignedlongaddr,
> do {
> xas_lock_irq(&xas);
> xas_create_range(&xas);
> - if (!xas_error(&xas))
> + if (!xas_error(&xas)) {
> + xas_destroy(&xas);
> break;
> + }
> xas_unlock_irq(&xas);
> if (!xas_nomem(&xas, GFP_KERNEL)) {
> result = SCAN_FAIL;
> + xas_destroy(&xas);
> goto rollback;
> }
> } while (1);
I’ll prepare v2 implementing Dev’s suggestion and update the commit
message accordingly.
Thanks and Regards,
Shardul
next prev parent reply other threads:[~2025-11-24 15:24 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-23 13:27 Shardul Bankar
2025-11-23 14:49 ` Dev Jain
2025-11-24 10:02 ` David Hildenbrand (Red Hat)
2025-11-24 11:46 ` Dev Jain
2025-11-24 15:23 ` Shardul Bankar [this message]
2025-11-24 16:11 ` [PATCH v2] mm: khugepaged: fix memory leak in collapse_file xas retry loop Shardul Bankar
2025-11-24 16:21 ` Matthew Wilcox
2025-11-24 17:37 ` Shardul Bankar
2025-12-01 7:45 ` [PATCH v3] lib: xarray: free unused spare node in xas_create_range() Shardul Bankar
2025-12-01 8:39 ` David Hildenbrand (Red Hat)
2025-12-04 14:15 ` Shardul Bankar
2025-12-04 21:15 ` David Hildenbrand (Red Hat)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=703387c8908a609c3de966574dfcf481c5a97216.camel@mpiricsoftware.com \
--to=shardul.b@mpiricsoftware.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=baohua@kernel.org \
--cc=baolin.wang@linux.alibaba.com \
--cc=david@kernel.org \
--cc=dev.jain@arm.com \
--cc=janak@mpiricsoftware.com \
--cc=lance.yang@linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=npache@redhat.com \
--cc=ryan.roberts@arm.com \
--cc=shardulsb08@gmail.com \
--cc=syzbot+a785d07959bc94837d51@syzkaller.appspotmail.com \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox