[PATCH v2] mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page

Next message: Ratheesh Kannoth: "[PATCH v4 net 05/10] octeontx2-af: npc: cn20k: Clear MCAM entries by index and key width"
Previous message: Ratheesh Kannoth: "[PATCH v4 net 03/10] octeontx2-af: npc: cn20k: Propagate errors in defrag MCAM alloc rollback"
Next in thread: David Hildenbrand (Arm): "Re: [PATCH v2] mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sunny Patel

Date: Mon Apr 27 2026 - 02:38:23 EST

When migrate_vma_insert_huge_pmd_page() jumps to unlock_abort due
to a PMD check failure, the pgtable allocated earlier via
pte_alloc_one() is never freed, causing a memory leak.

Add a pte_free() call in the unlock_abort error path to release
the pgtable before returning.Also included before goto abort in the
folio check path.

Signed-off-by: Sunny Patel <nueralspacetech@xxxxxxxxx>
---

Changes in v2:
- Added pte_free() before goto abort in the folio_is_zone_device()
check path. The lock is not taken at this point so goto unlock_abort would be incorrect here.
- v1 only fixed the unlock_abort path, this version fixes both
leak locations.

mm/migrate_device.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/mm/migrate_device.c b/mm/migrate_device.c
index fbfe5715f635..7e132196856b 100644
--- a/mm/migrate_device.c
+++ b/mm/migrate_device.c
@@ -840,6 +840,7 @@ static int migrate_vma_insert_huge_pmd_page(struct migrate_vma *migrate,
} else {
if (folio_is_zone_device(folio) &&
!folio_is_device_coherent(folio)) {
+ pte_free(vma->vm_mm, pgtable);
goto abort;
}
entry = folio_mk_pmd(folio, vma->vm_page_prot);
@@ -893,6 +894,7 @@ static int migrate_vma_insert_huge_pmd_page(struct migrate_vma *migrate,

unlock_abort:
spin_unlock(ptl);
+ pte_free(vma->vm_mm, pgtable);
abort:
for (i = 0; i < HPAGE_PMD_NR; i++)
src[i] &= ~MIGRATE_PFN_MIGRATE;
--
2.43.0