From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Mike Kravetz <mike.kravetz@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-mm@kvack.org
Subject: [PATCH AUTOSEL 4.9 23/28] hugetlbfs: fix memory leak for resv_map
Date: Wed, 24 Apr 2019 10:50:07 -0400 [thread overview]
Message-ID: <20190424145012.30886-23-sashal@kernel.org> (raw)
In-Reply-To: <20190424145012.30886-1-sashal@kernel.org>
From: Mike Kravetz <mike.kravetz@oracle.com>
[ Upstream commit 58b6e5e8f1addd44583d61b0a03c0f5519527e35 ]
When mknod is used to create a block special file in hugetlbfs, it will
allocate an inode and kmalloc a 'struct resv_map' via resv_map_alloc().
inode->i_mapping->private_data will point the newly allocated resv_map.
However, when the device special file is opened bd_acquire() will set
inode->i_mapping to bd_inode->i_mapping. Thus the pointer to the
allocated resv_map is lost and the structure is leaked.
Programs to reproduce:
mount -t hugetlbfs nodev hugetlbfs
mknod hugetlbfs/dev b 0 0
exec 30<> hugetlbfs/dev
umount hugetlbfs/
resv_map structures are only needed for inodes which can have associated
page allocations. To fix the leak, only allocate resv_map for those
inodes which could possibly be associated with page allocations.
Link: http://lkml.kernel.org/r/20190401213101.16476-1-mike.kravetz@oracle.com
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Reported-by: Yufen Yu <yuyufen@huawei.com>
Suggested-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hugetlbfs/inode.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 001487b230b5..4acc677ac8fb 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -746,11 +746,17 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb,
umode_t mode, dev_t dev)
{
struct inode *inode;
- struct resv_map *resv_map;
+ struct resv_map *resv_map = NULL;
- resv_map = resv_map_alloc();
- if (!resv_map)
- return NULL;
+ /*
+ * Reserve maps are only needed for inodes that can have associated
+ * page allocations.
+ */
+ if (S_ISREG(mode) || S_ISLNK(mode)) {
+ resv_map = resv_map_alloc();
+ if (!resv_map)
+ return NULL;
+ }
inode = new_inode(sb);
if (inode) {
@@ -782,8 +788,10 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb,
break;
}
lockdep_annotate_inode_mutex_key(inode);
- } else
- kref_put(&resv_map->refs, resv_map_release);
+ } else {
+ if (resv_map)
+ kref_put(&resv_map->refs, resv_map_release);
+ }
return inode;
}
--
2.19.1
next prev parent reply other threads:[~2019-04-24 14:51 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-24 14:49 [PATCH AUTOSEL 4.9 01/28] HID: logitech: check the return value of create_singlethread_workqueue Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 02/28] HID: debug: fix race condition with between rdesc_show() and device removal Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 03/28] rtc: sh: Fix invalid alarm warning for non-enabled alarm Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 04/28] batman-adv: Reduce claim hash refcnt only for removed entry Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 05/28] batman-adv: Reduce tt_local " Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 06/28] batman-adv: Reduce tt_global " Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 07/28] igb: Fix WARN_ONCE on runtime suspend Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 08/28] fm10k: Fix a potential NULL pointer dereference Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 09/28] net/mlx5: E-Switch, Fix esw manager vport indication for more vport commands Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 10/28] bonding: show full hw address in sysfs for slave entries Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 11/28] net: stmmac: don't overwrite discard_frame status Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 12/28] net: stmmac: fix dropping of multi-descriptor RX frames Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 13/28] net: stmmac: don't log oversized frames Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 14/28] jffs2: fix use-after-free on symlink traversal Sasha Levin
2019-04-24 14:49 ` Sasha Levin
2019-04-24 14:49 ` [PATCH AUTOSEL 4.9 15/28] debugfs: " Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 16/28] rtc: da9063: set uie_unsupported when relevant Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 17/28] vfio/pci: use correct format characters Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 18/28] scsi: core: add new RDAC LENOVO/DE_Series device Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 19/28] scsi: storvsc: Fix calculation of sub-channel count Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 20/28] net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw() Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 21/28] net: hns: Use NAPI_POLL_WEIGHT for hns driver Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 22/28] net: hns: Fix WARNING when remove HNS driver with SMMU enabled Sasha Levin
2019-04-24 14:50 ` Sasha Levin [this message]
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 24/28] sh: fix multiple function definition build errors Sasha Levin
2019-04-24 14:50 ` Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 25/28] kernel/sysctl.c: fix out-of-bounds access when setting file-max Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 26/28] xsysace: Fix error handling in ace_setup Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 27/28] ARM: orion: don't use using 64-bit DMA masks Sasha Levin
2019-04-24 14:50 ` [PATCH AUTOSEL 4.9 28/28] ARM: iop: " Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190424145012.30886-23-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mike.kravetz@oracle.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.