From: Dmitry Vyukov
Date: Tue, 12 Jul 2022 14:50:50 +0200
Subject: Re: [syzbot] memory leak in xas_create
To: Matthew Wilcox
Cc: Andrew Morton, syzbot, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, "Zach O'Keefe", Yang Shi, Liam Howlett

On Tue, 12 Jul 2022 at 14:40, Matthew Wilcox wrote:
>
> On Tue, Jul 12, 2022 at 08:54:28AM +0200, Dmitry Vyukov wrote:
> > On Mon, 11 Jul 2022 at 22:47, Matthew Wilcox wrote:
> > >
> > > On Mon, Jul 11, 2022 at 01:38:08PM -0700, Andrew Morton wrote:
> > > > On Sat, 09 Jul 2022 00:13:23 -0700 syzbot wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > syzbot found the following issue on:
> > > > >
> > > > > HEAD commit:    c1084b6c5620 Merge tag 'soc-fixes-5.19-2' of git://git.ker..
> > > > > git tree:       upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=14967ccc080000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=916233b7694a38ff
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=a785d07959bc94837d51
> > > > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=122ae834080000
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+a785d07959bc94837d51@syzkaller.appspotmail.com
> > > > >
> > > > > 2022/07/05 05:22:17 executed programs: 828
> > > > > 2022/07/05 05:22:23 executed programs: 846
> > > > > 2022/07/05 05:22:30 executed programs: 866
> > > > > 2022/07/05 05:22:37 executed programs: 875
> > > > > BUG: memory leak
> > > >
> > > > Thanks.  Presumably due to khugepaged changes.
> > >
> > > Huh, I was expecting it to be something I'd messed up.  I've been
> > > looking at it today, but no luck figuring it out so far.
> > >
> > > > Can we expect a bisection search?
> > >
> > > We only have a syz reproducer so far, and if I understand correctly,
> > > it's probably because this is a flaky test (because it's trying to
> > > find something that's a race condition).
> > >
> > > I expect a bisection search to go badly wrong if this is true.
> >
> > Is it possible that parts of xas are not freed on the error paths?
> > I don't immediately see where anything is freed on these error paths:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/lib/xarray.c?id=c1084b6c5620a743f86947caca66d90f24060f56#n681
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/lib/xarray.c?id=c1084b6c5620a743f86947caca66d90f24060f56#n721
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/khugepaged.c?id=c1084b6c5620a743f86947caca66d90f24060f56#n1675
>
> There's nothing to free; if a node is allocated, then it's stored in
> the tree where it can later be found and reused.

What I was thinking of is:

The leaked memory is allocated with:

    xas_create_range(&xas);

here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/khugepaged.c?id=c1084b6c5620a743f86947caca66d90f24060f56#n1670

So I assumed the nodes are stored in the xas object, which is local to the
collapse_file() function.

So if we do "goto out" here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/khugepaged.c?id=c1084b6c5620a743f86947caca66d90f24060f56#n1676

There does not seem to be anything that frees anything stored in the xas:

out:
        VM_BUG_ON(!list_empty(&pagelist));
        if (!IS_ERR_OR_NULL(*hpage))
                mem_cgroup_uncharge(page_folio(*hpage));
        /* TODO: tracepoints */
}
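
Added example, not part of the original message and not kernel code: a user-space C model of the two ownership cases discussed in this thread. In one, a preallocated node is linked into the tree and freed with it; in the other, an early exit leaves the node held only by a stack-local cursor. All names (walk_state, walk_prealloc, run_model, ...) are hypothetical, and the model makes no claim about which case matches lib/xarray.c.

```c
#include <stdlib.h>

/* Constructed user-space model; none of these names are kernel APIs. */
static int live_nodes;                        /* allocations not yet freed */
struct node { struct node *next; };
struct tree { struct node *nodes; };          /* long-lived owner */
struct walk_state { struct tree *tree; struct node *spare; }; /* stack-local cursor */

static struct node *node_alloc(void)
{
    struct node *n = calloc(1, sizeof(*n));
    if (!n)
        abort();
    live_nodes++;
    return n;
}
static void node_free(struct node *n) { if (n) { live_nodes--; free(n); } }

/* Park one preallocated node in the cursor, as a retry-after-ENOMEM helper might. */
static void walk_prealloc(struct walk_state *ws) { if (!ws->spare) ws->spare = node_alloc(); }

/* Link the spare into the tree: ownership moves from the cursor to the tree. */
static void walk_insert(struct walk_state *ws)
{
    ws->spare->next = ws->tree->nodes;
    ws->tree->nodes = ws->spare;
    ws->spare = NULL;
}
static void walk_destroy(struct walk_state *ws) { node_free(ws->spare); ws->spare = NULL; }
static void tree_destroy(struct tree *t)
{
    while (t->nodes) { struct node *n = t->nodes; t->nodes = n->next; node_free(n); }
}

/* Returns how many nodes are still live after the tree itself has been torn down. */
int run_model(int fail_before_insert, int cleanup_on_exit)
{
    struct tree t = { NULL };
    struct walk_state ws = { &t, NULL };
    live_nodes = 0;
    walk_prealloc(&ws);
    if (fail_before_insert)
        goto out;                 /* early exit: only ws still points at the node */
    walk_insert(&ws);
out:
    if (cleanup_on_exit)
        walk_destroy(&ws);        /* release anything still parked in the cursor */
    tree_destroy(&t);
    return live_nodes;
}
int main(void) { return (run_model(1, 0) == 1 && run_model(1, 1) == 0) ? 0 : 1; }
```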