From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 8 Nov 2016 10:53:52 +0100
From: Jan Kara
To: Johannes Weiner
Cc: Andrew Morton, Linus Torvalds, Jan Kara, "Kirill A. Shutemov", linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@fb.com
Subject: Re: [PATCH 1/6] mm: khugepaged: fix radix tree node leak in shmem collapse error path
Message-ID: <20161108095352.GH32353@quack2.suse.cz>
References: <20161107190741.3619-1-hannes@cmpxchg.org> <20161107190741.3619-2-hannes@cmpxchg.org>
In-Reply-To: <20161107190741.3619-2-hannes@cmpxchg.org>

On Mon 07-11-16 14:07:36, Johannes Weiner wrote:
> The radix tree counts valid entries in each tree node. Entries stored
> in the tree cannot be removed by simply storing NULL in the slot or
> the internal counters will be off and the node never gets freed again.
>
> When collapsing a shmem page fails, restore the holes that were filled
> with radix_tree_insert() with a proper radix tree deletion.
>
> Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages")
> Reported-by: Jan Kara
> Signed-off-by: Johannes Weiner
> ---
> mm/khugepaged.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/mm/khugepaged.c b/mm/khugepaged.c
> index 728d7790dc2d..eac6f0580e26 100644
> --- a/mm/khugepaged.c
> +++ b/mm/khugepaged.c
> @@ -1520,7 +1520,8 @@ static void collapse_shmem(struct mm_struct *mm,
>  if (!nr_none)
>  break;
>  /* Put holes back where they were */
> - radix_tree_replace_slot(slot, NULL);
> + radix_tree_delete(&mapping->page_tree,
> + iter.index);

Hum, but this is inside radix_tree_for_each_slot() iteration. And
radix_tree_delete() may end up freeing nodes resulting in invalidating
current slot pointer and the iteration code will do use-after-free.

								Honza
--
Jan Kara
SUSE Labs, CR
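Review bot: the two `+` lines in this hunk call radix_tree_delete(&mapping->page_tree, iter.index) from inside the radix_tree_for_each_slot() walk over the same tree, and, as the reply above notes, a deletion that frees a node leaves the iterator's slot pointer dangling, so the next step of the walk is a use-after-free. The line being removed, radix_tree_replace_slot(slot, NULL), was iteration-safe but leaked the node (the commit message explains the counters go wrong and the node is never freed); the replacement fixes the leak but trades it for the iterator hazard. Either add a comment stating why no node can be freed during this walk (the entries being removed are the holes this function filled with radix_tree_insert(), but the hunk as posted gives no reason their nodes must outlive the loop), or move the deletions out of the walk, for example by recording the indices to restore and deleting them once radix_tree_for_each_slot() has finished, or by restarting the walk after each radix_tree_delete().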