mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-31 16:38:12 +00:00
mm/huge_memory: Fix xarray node memory leak
If xas_split_alloc() fails to allocate the necessary nodes to complete the
xarray entry split, it sets the xa_state to -ENOMEM, which xas_nomem()
then interprets as "Please allocate more memory", not as "Please free
any unnecessary memory" (which was the intended outcome). It's confusing
to use xas_nomem() to free memory in this context, so call xas_destroy()
instead.
Reported-by: syzbot+9e27a75a8c24f3fe75c1@syzkaller.appspotmail.com
Fixes: 6b24ca4a1a
("mm: Use multi-index entries in the page cache")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
This commit is contained in:
parent
dcfa24ba68
commit
69a37a8ba1
3 changed files with 5 additions and 4 deletions
|
@ -1508,6 +1508,7 @@ void *xas_find_marked(struct xa_state *, unsigned long max, xa_mark_t);
|
||||||
void xas_init_marks(const struct xa_state *);
|
void xas_init_marks(const struct xa_state *);
|
||||||
|
|
||||||
bool xas_nomem(struct xa_state *, gfp_t);
|
bool xas_nomem(struct xa_state *, gfp_t);
|
||||||
|
void xas_destroy(struct xa_state *);
|
||||||
void xas_pause(struct xa_state *);
|
void xas_pause(struct xa_state *);
|
||||||
|
|
||||||
void xas_create_range(struct xa_state *);
|
void xas_create_range(struct xa_state *);
|
||||||
|
|
|
@ -264,9 +264,10 @@ static void xa_node_free(struct xa_node *node)
|
||||||
* xas_destroy() - Free any resources allocated during the XArray operation.
|
* xas_destroy() - Free any resources allocated during the XArray operation.
|
||||||
* @xas: XArray operation state.
|
* @xas: XArray operation state.
|
||||||
*
|
*
|
||||||
* This function is now internal-only.
|
* Most users will not need to call this function; it is called for you
|
||||||
|
* by xas_nomem().
|
||||||
*/
|
*/
|
||||||
static void xas_destroy(struct xa_state *xas)
|
void xas_destroy(struct xa_state *xas)
|
||||||
{
|
{
|
||||||
struct xa_node *next, *node = xas->xa_alloc;
|
struct xa_node *next, *node = xas->xa_alloc;
|
||||||
|
|
||||||
|
|
|
@ -2672,8 +2672,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
|
||||||
if (mapping)
|
if (mapping)
|
||||||
i_mmap_unlock_read(mapping);
|
i_mmap_unlock_read(mapping);
|
||||||
out:
|
out:
|
||||||
/* Free any memory we didn't use */
|
xas_destroy(&xas);
|
||||||
xas_nomem(&xas, 0);
|
|
||||||
count_vm_event(!ret ? THP_SPLIT_PAGE : THP_SPLIT_PAGE_FAILED);
|
count_vm_event(!ret ? THP_SPLIT_PAGE : THP_SPLIT_PAGE_FAILED);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue