Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <202207100715.TBIYQ4fc-lkp@intel.com> <CAHbLzkoFjZoX0WFy9YaOO1rEC+=yyytgDimapeTEyuNyMNTHLg@mail.gmail.com>
 <Ys7Vjt5QXz8XK1LZ@google.com>
In-Reply-To: <Ys7Vjt5QXz8XK1LZ@google.com>
From:   Yang Shi <shy828301@gmail.com>
Date:   Wed, 13 Jul 2022 12:04:41 -0700
Message-ID: <CAHbLzkq4QJ0exWDxaSfAJ0sW0GmrwbDg1w1oEi00i9rKa8UZQA@mail.gmail.com>
Subject: Re: [akpm-mm:mm-unstable 284/293] mm/khugepaged.c:2409
 madvise_collapse() warn: possible memory leak of 'cc'
To:     "Zach O'Keefe" <zokeefe@google.com>
Cc:     Dan Carpenter <dan.carpenter@oracle.com>, kbuild@lists.01.org,
        kernel test robot <lkp@intel.com>, kbuild-all@lists.01.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Linux Memory Management List <linux-mm@kvack.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

On Wed, Jul 13, 2022 at 7:24 AM Zach O'Keefe <zokeefe@google.com> wrote:
>
> On Jul 12 10:02, Yang Shi wrote:
> > On Tue, Jul 12, 2022 at 5:36 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > >
> > > tree:   https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-unstable
> > > head:   0e9f775fb0b4adf1a4ef50ea156ead09a0fc5194
> > > commit: 9f626ffb1d1c5c26b4a8e0fdffec784a5f773274 [284/293] mm/madvise: introduce MADV_COLLAPSE sync hugepage collapse
> > > config: i386-randconfig-m021 (https://download.01.org/0day-ci/archive/20220710/202207100715.TBIYQ4fc-lkp@intel.com/config)
> > > compiler: gcc-11 (Debian 11.3.0-3) 11.3.0
> > >
> > > If you fix the issue, kindly add following tag where applicable
> > > Reported-by: kernel test robot <lkp@intel.com>
> > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > >
> > > smatch warnings:
> > > mm/khugepaged.c:2409 madvise_collapse() warn: possible memory leak of 'cc'
> > >
> > > vim +/cc +2409 mm/khugepaged.c
> > >
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2387  int madvise_collapse(struct vm_area_struct *vma, struct vm_area_struct **prev,
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2388                 unsigned long start, unsigned long end)
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2389  {
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2390    struct collapse_control *cc;
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2391    struct mm_struct *mm = vma->vm_mm;
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2392    unsigned long hstart, hend, addr;
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2393    int thps = 0, last_fail = SCAN_FAIL;
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2394    bool mmap_locked = true;
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2395
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2396    BUG_ON(vma->vm_start > start);
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2397    BUG_ON(vma->vm_end < end);
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2398
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2399    cc = kmalloc(sizeof(*cc), GFP_KERNEL);
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2400    if (!cc)
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2401            return -ENOMEM;
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2402    cc->is_khugepaged = false;
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2403    cc->last_target_node = NUMA_NO_NODE;
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2404
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2405    *prev = vma;
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2406
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2407    /* TODO: Support file/shmem */
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06  2408    if (!vma->anon_vma || !vma_is_anonymous(vma))
> > > 9f626ffb1d1c5c Zach O'Keefe 2022-07-06 @2409            return -EINVAL;
> >
> > It seems better to move the cc kmalloc after the anonymous vma check?
> >
>
> Agreed - something I only noticed when fixing this. I've cleaned up some
> ordering here, now looks like:
>
> ---8<---
>         BUG_ON(vma->vm_start > start);
>         BUG_ON(vma->vm_end < end);
>
>         *prev = vma;
>
>         /* TODO: Support file/shmem */
>         if (!vma->anon_vma || !vma_is_anonymous(vma))
>                 return -EINVAL;
>
>         if (!hugepage_vma_check(vma, vma->vm_flags, false, false, false))
>                 return -EINVAL;
>
>         cc = kmalloc(sizeof(*cc), GFP_KERNEL);
>         if (!cc)
>                 return -ENOMEM;
>         cc->is_khugepaged = false;
>         cc->last_target_node = NUMA_NO_NODE;
>
>         mmgrab(mm);
>         lru_add_drain_all();
>
>         hstart = (start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK;
>         hend = end & HPAGE_PMD_MASK;
>
>         for (addr = hstart; addr < hend; addr += HPAGE_PMD_SIZE) {
> ---8<---
> out_nolock:
>         mmap_assert_locked(mm);
>         mmdrop(mm);
>         kfree(cc);
> ---8<---

Looks good to me.

>
> > >
> > > kfree(cc);?
> > >
> > >
> > > --
> > > 0-DAY CI Kernel Test Service
> > > https://01.org/lkp
> > >
> > >