Message ID | 20230701072837.1994253-1-linmiaohe@huawei.com |
---|---|
State | New |
Series | mm: memory-failure: fix potential page refcnt leak in memory_failure() |
Commit Message
Miaohe Lin
July 1, 2023, 7:28 a.m. UTC
put_ref_page() is not called to drop extra refcnt when comes from madvise
in the case pfn is valid but pgmap is NULL leading to page refcnt leak.
Fixes: 1e8aaedb182d ("mm,memory_failure: always pin the page in madvise_inject_error")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
---
mm/memory-failure.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
Comments
On Sat, Jul 01, 2023 at 03:28:37PM +0800, Miaohe Lin wrote:
> put_ref_page() is not called to drop extra refcnt when comes from madvise
> in the case pfn is valid but pgmap is NULL leading to page refcnt leak.

Is this test scenario realistic one? I don't think that we can call madvise() for
such a device memory page. If this is the case, this issue can be thought as
potential one (so no need to send to stable).

>
> Fixes: 1e8aaedb182d ("mm,memory_failure: always pin the page in madvise_inject_error")
> Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>

Anyway, the patch looks good to me. Thank you.

Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>

> --- > mm/memory-failure.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/mm/memory-failure.c b/mm/memory-failure.c > index e245191e6b04..65e2d4c5b50d 100644 > --- a/mm/memory-failure.c > +++ b/mm/memory-failure.c > @@ -2080,8 +2080,6 @@ static int memory_failure_dev_pagemap(unsigned long pfn, int flags, > { > int rc = -ENXIO; > > - put_ref_page(pfn, flags); > - > /* device metadata space is not recoverable */ > if (!pgmap_pfn_valid(pgmap, pfn)) > goto out; > @@ -2157,6 +2155,7 @@ int memory_failure(unsigned long pfn, int flags) > > if (pfn_valid(pfn)) { > pgmap = get_dev_pagemap(pfn, NULL); > + put_ref_page(pfn, flags); > if (pgmap) { > res = memory_failure_dev_pagemap(pfn, flags, > pgmap); > -- > 2.33.0 > > >
On 2023/7/3 14:37, Naoya Horiguchi wrote:
> On Sat, Jul 01, 2023 at 03:28:37PM +0800, Miaohe Lin wrote:
>> put_ref_page() is not called to drop extra refcnt when comes from madvise
>> in the case pfn is valid but pgmap is NULL leading to page refcnt leak.
>
> Is this test scenario realistic one? I don't think that we can call madvise() for
> such a device memory page. If this is the case, this issue can be thought as
> potential one (so no need to send to stable).

This is a theoretical problem. If pagemap can ever be NULL after page refcnt is increased,
this would occur. I think it's not needed to send to stable too.

>
>>
>> Fixes: 1e8aaedb182d ("mm,memory_failure: always pin the page in madvise_inject_error")
>> Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
>
> Anyway, the patch looks good to me. Thank you.
>
> Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>

Thanks for your review and comment.
diff --git a/mm/memory-failure.c b/mm/memory-failure.c index e245191e6b04..65e2d4c5b50d 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2080,8 +2080,6 @@ static int memory_failure_dev_pagemap(unsigned long pfn, int flags, { int rc = -ENXIO; - put_ref_page(pfn, flags); - /* device metadata space is not recoverable */ if (!pgmap_pfn_valid(pgmap, pfn)) goto out; @@ -2157,6 +2155,7 @@ int memory_failure(unsigned long pfn, int flags) if (pfn_valid(pfn)) { pgmap = get_dev_pagemap(pfn, NULL); + put_ref_page(pfn, flags); if (pgmap) { res = memory_failure_dev_pagemap(pfn, flags, pgmap);
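Review bot: in the first hunk, removing put_ref_page(pfn, flags) from the top of memory_failure_dev_pagemap() leaves the function silently dependent on its caller having already dropped the extra reference, and nothing at the function says so. A short comment above the function, or where the call used to sit before the pgmap_pfn_valid() check, stating that memory_failure() calls put_ref_page() before entering would keep a later caller from reintroducing the leak.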
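Review bot: in the second hunk, the new put_ref_page(pfn, flags) after get_dev_pagemap() still sits inside the if (pfn_valid(pfn)) block, so a path where pfn_valid() fails skips the drop in the same way the pgmap == NULL path did before this patch. If a pinned page always implies a valid pfn here, the commit message or a comment at this spot should say so; otherwise consider whether the call belongs before the pfn_valid() test.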