Date: Sun, 25 May 2025 08:32:56 +0200
From: Oscar Salvador
To: Ricardo Cañuelo Navarro
Cc: Andrew Morton, "Liam R. Howlett", Lorenzo Stoakes, Vlastimil Babka, Jann Horn, Pedro Falcato, revest@google.com, kernel-dev@igalia.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] mm: fix copy_vma() error handling for hugetlb mappings
In-Reply-To: <20250523-warning_in_page_counter_cancel-v2-1-b6df1a8cfefd@igalia.com>

On Fri, May 23, 2025 at 02:19:10PM +0200, Ricardo Cañuelo Navarro wrote:
> If, during a mremap() operation for a hugetlb-backed memory mapping,
> copy_vma() fails after the source vma has been duplicated and
> opened (ie. vma_link() fails), the error is handled by closing the new
> vma. This updates the hugetlbfs reservation counter of the reservation
> map which at this point is referenced by both the source vma and the new
> copy. As a result, once the new vma has been freed and copy_vma()
> returns, the reservation counter for the source vma will be incorrect.
>
> This patch addresses this corner case by clearing the hugetlb private
> page reservation reference for the new vma and decrementing the
> reference before closing the vma, so that vma_close() won't update the
> reservation counter. This is also what copy_vma_and_data() does with the
> source vma if copy_vma() succeeds, so a helper function has been added
> to do the fixup in both functions.
>
> The issue was reported by a private syzbot instance and can be
> reproduced using the C reproducer in [1]. It's also a possible duplicate
> of public syzbot report [2]. The WARNING report is:
> ...
> Signed-off-by: Ricardo Cañuelo Navarro
> Suggested-by: Lorenzo Stoakes
> Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter_cancel__repro.c [1]
> Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2]

Reviewed-by: Oscar Salvador

-- 
Oscar Salvador
SUSE Labs
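A simplified user-space model of the accounting problem the quoted commit message describes, added here as an illustration; it is not kernel code and not part of the patch or of either mail. All names (`toy_vma`, `toy_resv_map`, `toy_fixup_reservations` and so on) are hypothetical, and a single counter stands in for the hugetlbfs reservation accounting.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins: one shared reservation map, two vmas pointing at it. */
struct toy_resv_map { int refs; long reserved; };
struct toy_vma { struct toy_resv_map *resv; long pages; };
struct toy_result { long after_error_path; int refs_after_error; long after_source_close; };

/* Duplicate and "open" the vma: the copy shares the map and takes a reference. */
static struct toy_vma toy_dup_and_open(const struct toy_vma *src)
{
    struct toy_vma copy = *src;
    if (copy.resv)
        copy.resv->refs++;
    return copy;
}

/* Close: a vma that still references the map gives its reservation back. */
static void toy_close(struct toy_vma *v)
{
    if (!v->resv)
        return;
    v->resv->reserved -= v->pages;
    v->resv->refs--;
    v->resv = NULL;
}

/* Fixup: detach the vma from the map and drop its reference, counter untouched. */
static void toy_fixup_reservations(struct toy_vma *v)
{
    if (!v->resv)
        return;
    v->resv->refs--;
    v->resv = NULL;
}

/* Model the failed copy: close the new vma, then later close the source. */
static struct toy_result toy_failed_copy(int apply_fixup)
{
    struct toy_resv_map map = { .refs = 1, .reserved = 4 };  /* constructed values */
    struct toy_vma src = { &map, 4 };
    struct toy_vma copy = toy_dup_and_open(&src);
    struct toy_result r;

    if (apply_fixup)
        toy_fixup_reservations(&copy);
    toy_close(&copy);                 /* error path: the new vma is closed */
    r.after_error_path = map.reserved;
    r.refs_after_error = map.refs;
    toy_close(&src);                  /* the source is torn down later */
    r.after_source_close = map.reserved;
    return r;
}

int main(void)
{
    struct toy_result bad = toy_failed_copy(0), good = toy_failed_copy(1);
    printf("no fixup: %ld then %ld\n", bad.after_error_path, bad.after_source_close);
    printf("fixup:    %ld then %ld\n", good.after_error_path, good.after_source_close);
    return 0;
}
```

Without the fixup the shared counter is released twice and goes negative when the source is closed; with it, the source's reservation survives the error path and is released exactly once.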