Re: [PATCH] mm: khugepaged: free xarray nodes left behind by failed collapse_file()

From: Jinjiang Tu

Date: Wed Jun 17 2026 - 03:33:15 EST



On 2026/6/17 10:18, Matthew Wilcox wrote:
On Wed, Jun 17, 2026 at 10:00:59AM +0800, Jinjiang Tu wrote:
On 2026/6/16 23:29, Matthew Wilcox wrote:
On Tue, Jun 16, 2026 at 10:54:13AM -0400, Rik van Riel wrote:
syzkaller reproduces it trivially with MADV_COLLAPSE on a sparse shmem
mapping (collapse aborts with SCAN_TRUNCATED because the range is empty),
and also via slab fault injection, which forces xas_create_range() down
the xas_nomem() path before the same abort. kmemleak then reports the
576-byte struct xa_node objects allocated in xas_alloc()/xas_nomem().
I think the ways to produce this problem are sufficiently rare/unlikely
I can reproduce it easily with the following steps. [1]
1) create file /tmp/test_madvise_collapse and ftruncate to 4MB size, and
then mmap the file
2) memset for the first 2MB
3) madvise(MADV_COLLAPSE) for the second 2MB
4) unlink the file
Yes, but is there a problem? That is, do we need to clear this up
before we get to clear_inode()?

A user cannot exhaust memory by continuously creating xa_node structures. So
it is enough to free empty xa_nodes in clear_inode().

We shouldn't free empty xa_nodes in collapse_file() rollback path, because we
couldn't avoid a concurrent call of collapse_file(), which creates xa_nodes
for the same region and may use these nodes.
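The four-step reproducer quoted earlier in this thread, written out as an added C program (not code from the thread or from the kernel tree). It assumes /tmp is tmpfs (shmem), that the running kernel knows MADV_COLLAPSE, and that the leaked xa_node objects are checked afterwards through kmemleak; the return code only tells you which stage the run reached.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MADV_COLLAPSE
#define MADV_COLLAPSE 25 /* Linux uapi value, for libcs that predate it */
#endif

#define HPAGE_SIZE (2UL << 20)      /* one PMD-sized huge page (x86-64) */
#define FILE_SIZE  (2 * HPAGE_SIZE) /* 4MB, as in the thread */

enum repro_result { REPRO_SETUP_FAILED = -1, REPRO_OK = 0, REPRO_MADVISE_FAILED = 1 };

/*
 * Steps 1-4 from the thread. REPRO_OK: madvise(MADV_COLLAPSE) returned 0.
 * REPRO_MADVISE_FAILED: the kernel rejected the collapse (e.g. /tmp is not
 * tmpfs or THP is unavailable). REPRO_SETUP_FAILED: the file could not be
 * created, sized or mapped, which is an environment problem, not the bug.
 */
static int run_repro(const char *path)
{
	int ret = REPRO_SETUP_FAILED;
	int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
	if (fd < 0)
		return REPRO_SETUP_FAILED;

	/* step 1: ftruncate to 4MB and mmap the whole file */
	if (ftruncate(fd, FILE_SIZE) == 0) {
		char *map = mmap(NULL, FILE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
		if (map != MAP_FAILED) {
			memset(map, 0x41, HPAGE_SIZE); /* step 2: populate the first 2MB */
			/* step 3: collapse the untouched second 2MB; the range is empty, so
			 * the kernel aborts with SCAN_TRUNCATED after xas_create_range() */
			ret = madvise(map + HPAGE_SIZE, HPAGE_SIZE, MADV_COLLAPSE) == 0
				? REPRO_OK : REPRO_MADVISE_FAILED;
			munmap(map, FILE_SIZE);
		}
	}
	close(fd);
	unlink(path); /* step 4: drop the inode; clear_inode() runs here */
	return ret;
}

int main(void)
{
	int r = run_repro("/tmp/test_madvise_collapse");
	printf("repro result: %d (now trigger a scan via /sys/kernel/debug/kmemleak)\n", r);
	return r == REPRO_SETUP_FAILED;
}
```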