From: "Huang, Ying"
To: Sunny Patel
Cc: Andrew Morton, David Hildenbrand, Zi Yan, Matthew Brost, Joshua Hahn, Rakie Kim, Byungchul Park, Gregory Price, Alistair Popple, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page
In-Reply-To: <20260425134453.23769-1-nueralspacetech@gmail.com> (Sunny Patel's message of "Sat, 25 Apr 2026 19:14:48 +0530")
References: <20260425134453.23769-1-nueralspacetech@gmail.com>
Date: Mon, 27 Apr 2026 09:42:42 +0800
Message-ID: <87fr4hw54d.fsf@DESKTOP-5N7EMDA>

Hi, Sunny,

Thanks for working on this!

Sunny Patel writes:

> When migrate_vma_insert_huge_pmd_page() jumps to unlock_abort due
> to a PMD check failure, the pgtable allocated earlier via
> pte_alloc_one() is never freed, causing a memory leak.
>
> Add a pte_free() call in the unlock_abort error path to release
> the pgtable before returning.
>
> Signed-off-by: Sunny Patel
> --- > mm/migrate_device.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/mm/migrate_device.c b/mm/migrate_device.c > index fbfe5715f635..457bab5c7c31 100644 > --- a/mm/migrate_device.c > +++ b/mm/migrate_device.c
> @@ -893,6 +893,7 @@ static int migrate_vma_insert_huge_pmd_page(struct migrate_vma *migrate, > > unlock_abort: > spin_unlock(ptl); > + pte_free(vma->vm_mm, pgtable); > abort: > for (i = 0; i < HPAGE_PMD_NR; i++) > src[i] &= ~MIGRATE_PFN_MIGRATE;

Is it better to use guard based automatic memory freeing? And check whether guard can help unlock case too?

---
Best Regards,
Huang, Ying
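
Review bot: the new pte_free(vma->vm_mm, pgtable) sits under unlock_abort, above the abort label, so it only covers paths that took the PTL. The context shown does not say whether any goto abort can be reached after pte_alloc_one() has succeeded, or whether every goto unlock_abort happens before pgtable is handed over to the page table, in which case this call would free it a second time. Please confirm both in the commit message, or set pgtable to NULL once ownership is transferred and do the free under abort behind an if (pgtable) check. The commit message also carries no Fixes: tag naming the commit that introduced the leak.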