If check_and_migrate_movable_pages() fails, typically with -ENOMEM, then memfd_pin_folios() will leave pages pinned. Those are leaked forever, and are visible to user space as a memory leak. Fix this by unpinning the folios that try_grab_folio(FOLL_PIN) has pinned, in such error cases. Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Suggested-by: David Hildenbrand <david@xxxxxxxxxx> Cc: Alistair Popple <apopple@xxxxxxxxxx> Cc: Vivek Kasireddy <vivek.kasireddy@xxxxxxxxx> Cc: Jason Gunthorpe <jgg@xxxxxxxxxx> Cc: Christoph Hellwig <hch@xxxxxx> Cc: Dave Airlie <airlied@xxxxxxxxxx> Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx> Cc: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx> Cc: Daniel Vetter <daniel.vetter@xxxxxxxx> Cc: Hugh Dickins <hughd@xxxxxxxxxx> Cc: Peter Xu <peterx@xxxxxxxxxx> Cc: Dongwon Kim <dongwon.kim@xxxxxxxxx> Cc: Junxiao Chang <junxiao.chang@xxxxxxxxx> Cc: Arnd Bergmann <arnd@xxxxxxxx> Cc: Christoph Hellwig <hch@xxxxxxxxxxxxx> Cc: Mike Kravetz <mike.kravetz@xxxxxxxxxx> Cc: Oscar Salvador <osalvador@xxxxxxx> Signed-off-by: John Hubbard <jhubbard@xxxxxxxxxx> --- mm/gup.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/mm/gup.c b/mm/gup.c index 233c284e8e66..dc4906243b97 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -3719,12 +3719,10 @@ long memfd_pin_folios(struct file *memfd, loff_t start, loff_t end, ret = check_and_migrate_movable_folios(nr_folios, folios); } while (ret == -EAGAIN); - memalloc_pin_restore(flags); - return ret ? ret : nr_folios; err: memalloc_pin_restore(flags); - unpin_folios(folios, nr_folios); - - return ret; + if (ret) + unpin_folios(folios, nr_folios); + return ret ? ret : nr_folios; } EXPORT_SYMBOL_GPL(memfd_pin_folios); -- 2.47.0
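Review bot: with the early `memalloc_pin_restore(flags); return ret ? ret : nr_folios;` removed, the success path now falls through into the `err:` label, so the label name no longer describes what follows and a reader has to work out that `ret == 0` is the normal exit; either rename it (e.g. `out:`) or add a one-line comment above it noting that both the success and the error paths reach it. The new `if (ret) unpin_folios(folios, nr_folios);` also makes the cleanup depend on every earlier `goto err` site having set `ret` to a nonzero error first: a site that jumps with `ret == 0` would now return `nr_folios` as success while leaving the already-pinned folios pinned, which is exactly the leak this patch is meant to close. Those sites are outside the hunk, so it is worth stating that invariant in the comment (or checking it at each `goto err`) rather than leaving it implicit.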