From: Ricardo Cañuelo Navarro
Date: Fri, 23 May 2025 09:56:18 +0200
Subject: [PATCH] mm: fix copy_vma() error handling for hugetlb mappings
Message-Id: <20250523-warning_in_page_counter_cancel-v1-1-b221eb61a402@igalia.com>
To: Andrew Morton, "Liam R. Howlett", Lorenzo Stoakes, Vlastimil Babka, Jann Horn, Pedro Falcato
Cc: revest@google.com, kernel-dev@igalia.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Ricardo Cañuelo Navarro, stable@vger.kernel.org

If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (i.e. vma_link() fails), the error is handled by closing the new vma.
This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect.

This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter.

The issue was reported by a private syzbot instance, see the error report log [1] and reproducer [2]. Possible duplicate of public syzbot report [3].

Signed-off-by: Ricardo Cañuelo Navarro
Cc: stable@vger.kernel.org # 6.12+
Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter_cancel.txt [1]
Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter_cancel__repro.c [2]
Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [3]
---
 mm/vma.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mm/vma.c b/mm/vma.c index 839d12f02c885d3338d8d233583eb302d82bb80b..9d9f699ace977c9c869e5da5f88f12be183adcfb 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -1834,6 +1834,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; out_vma_link: + if (is_vm_hugetlb_page(new_vma)) + clear_vma_resv_huge_pages(new_vma); vma_close(new_vma); if (new_vma->vm_file) --- base-commit: 94305e83eccb3120c921cd3a015cd74731140bac change-id: 20250523-warning_in_page_counter_cancel-e8c71a6b4c88
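Review bot: the two added lines under out_vma_link: carry no comment, so the reason the duplicate's reservation reference has to be dropped before vma_close() lives only in the commit message; a short comment above `if (is_vm_hugetlb_page(new_vma))` stating that new_vma still shares the reservation map with the source vma at this point, and that closing it as-is would return the source's reservation to the pool, would help the next reader of this error path. On tagging, the mail carries `Cc: stable@vger.kernel.org # 6.12+` but no `Fixes:` tag naming the commit that introduced this error-path behaviour, which the stable maintainers will want for backporting; and since the fix is scoped to this one label, it is worth saying in the commit message why copy_vma() is the only path where a duplicated and opened hugetlb vma can be closed while the source is still live, or whether other error paths need the same treatment.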
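The accounting error the commit message describes, replayed as an added C model. This is example code written for this page, not kernel code and not part of the patch: the struct names, the `pool_reserved` counter, and the `vma_open()`, `vma_close()` and `clear_vma_resv()` helpers are simplified stand-ins for the hugetlb reservation-map bookkeeping, and the page counts are constructed. It shows why closing the duplicate vma while it still shares the reservation map with the source returns the same pages to the pool twice, and how detaching the duplicate first (the patch's approach) keeps the counter consistent.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of hugetlb reservation bookkeeping, constructed for this
 * example. The names mirror concepts from the commit message: a
 * per-mapping reservation map shared by reference between a source vma
 * and its duplicate. */
struct resv_map {
	int refs;       /* how many vmas reference this map */
	long reserved;  /* pages this map reserved from the pool */
};

struct vma {
	struct resv_map *resv;  /* private reservation map, may be NULL */
	int resv_owner;         /* stands in for the "owner" flag */
	int is_hugetlb;
};

/* Global count of pages reserved from the hugetlb pool. A negative
 * value here models the counter underflow the report warns about. */
static long pool_reserved;

static struct resv_map *resv_map_alloc(long pages)
{
	struct resv_map *r = calloc(1, sizeof(*r));
	assert(r != NULL);
	r->refs = 1;
	r->reserved = pages;
	pool_reserved += pages;  /* mapping the region reserved them */
	return r;
}

static void resv_map_put(struct resv_map *r)
{
	if (--r->refs == 0)
		free(r);
}

/* Open hook: a duplicated owner vma takes another reference. */
static void vma_open(struct vma *v)
{
	if (v->resv && v->resv_owner)
		v->resv->refs++;
}

/* Close hook: the owner returns its reservation to the pool and drops
 * its reference. Running this on a duplicate that still shares the map
 * with the live source returns the same pages twice. */
static void vma_close(struct vma *v)
{
	struct resv_map *r = v->resv;

	if (!r || !v->resv_owner)
		return;
	pool_reserved -= r->reserved;
	resv_map_put(r);
	v->resv = NULL;
}

/* The fix: detach the duplicate from the shared map, dropping only the
 * reference it took in vma_open(), so a later vma_close() is a no-op. */
static void clear_vma_resv(struct vma *v)
{
	if (v->resv && v->resv_owner)
		resv_map_put(v->resv);
	v->resv = NULL;
	v->resv_owner = 0;
}

/* Replays the failure path from the commit message: duplicate and open
 * the source vma, fail to link it, close it, then unmap the source
 * normally. Returns the final pool counter, which must be 0 once both
 * mappings are gone. */
long simulate_copy_vma_failure(int apply_fix)
{
	struct vma src, new_vma;

	pool_reserved = 0;
	src.resv = resv_map_alloc(4);  /* constructed: 4 reserved pages */
	src.resv_owner = 1;
	src.is_hugetlb = 1;

	new_vma = src;       /* duplicate shares the reservation map ... */
	vma_open(&new_vma);  /* ... and takes a reference: refs == 2 */

	/* Linking "fails": the error path closes the new vma. */
	if (apply_fix && new_vma.is_hugetlb)
		clear_vma_resv(&new_vma);
	vma_close(&new_vma);

	/* The source mapping is torn down normally later on. */
	vma_close(&src);
	return pool_reserved;
}

int main(void)
{
	printf("without fix: pool_reserved = %ld\n", simulate_copy_vma_failure(0));
	printf("with fix:    pool_reserved = %ld\n", simulate_copy_vma_failure(1));
	return 0;
}
```

Without the detach step the duplicate's close hands the source's 4 pages back to the pool, and the source's own close does it again, driving the counter to -4; with the detach step the duplicate's close is a no-op and the counter ends at 0.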