[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6ddb468a-3771-92a1-deb1-b07a954293a3@redhat.com>
Date: Mon, 2 Jan 2023 13:00:36 +0100
From: David Hildenbrand <david@...hat.com>
To: Suren Baghdasaryan <surenb@...gle.com>, akpm@...ux-foundation.org
Cc: hughd@...gle.com, hannes@...xchg.org, vincent.whitchurch@...s.com,
seanjc@...gle.com, rppt@...nel.org, shy828301@...il.com,
pasha.tatashin@...een.com, paul.gortmaker@...driver.com,
peterx@...hat.com, vbabka@...e.cz, Liam.Howlett@...cle.com,
ccross@...gle.com, willy@...radead.org, arnd@...db.de,
cgel.zte@...il.com, yuzhao@...gle.com, bagasdotme@...il.com,
suleiman@...gle.com, steven@...uorix.net, heftig@...hlinux.org,
cuigaosheng1@...wei.com, kirill@...temov.name,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-mm@...ck.org,
syzbot+91edf9178386a07d06a7@...kaller.appspotmail.com
Subject: Re: [PATCH 1/1] mm: fix vma->anon_name memory leak for anonymous
shmem VMAs
On 28.12.22 20:42, Suren Baghdasaryan wrote:
> free_anon_vma_name() is missing a check for anonymous shmem VMA which
> leads to a memory leak due to refcount not being dropped. Fix this by
> adding the missing check.
>
> Fixes: d09e8ca6cb93 ("mm: anonymous shared memory naming")
> Reported-by: syzbot+91edf9178386a07d06a7@...kaller.appspotmail.com
> Signed-off-by: Suren Baghdasaryan <surenb@...gle.com>
> ---
> include/linux/mm_inline.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/mm_inline.h b/include/linux/mm_inline.h
> index e8ed225d8f7c..d650ca2c5d29 100644
> --- a/include/linux/mm_inline.h
> +++ b/include/linux/mm_inline.h
> @@ -413,7 +413,7 @@ static inline void free_anon_vma_name(struct vm_area_struct *vma)
> * Not using anon_vma_name because it generates a warning if mmap_lock
> * is not held, which might be the case here.
> */
> - if (!vma->vm_file)
> + if (!vma->vm_file || vma_is_anon_shmem(vma))
> anon_vma_name_put(vma->anon_name);
Wouldn't it be me more consistent to check for "vma->anon_name"?
That's what dup_anon_vma_name() checks. And it's safe now because
anon_name is no longer overloaded in vm_area_struct.
--
Thanks,
David / dhildenb
Powered by blists - more mailing lists