Date: Sat, 24 May 2025 16:56:22 +0100
From: Pedro Falcato
To: "Liam R. Howlett", Ricardo Cañuelo Navarro, Andrew Morton, Lorenzo Stoakes, Vlastimil Babka, Jann Horn, revest@google.com, kernel-dev@igalia.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Oscar Salvador
Subject: Re: [PATCH v2] mm: fix copy_vma() error handling for hugetlb mappings
References: <20250523-warning_in_page_counter_cancel-v2-1-b6df1a8cfefd@igalia.com>

On Fri, May 23, 2025 at 01:45:47PM -0400, Liam R. Howlett wrote:
> * Ricardo Cañuelo Navarro [250523 08:19]:
> > If, during a mremap() operation for a hugetlb-backed memory mapping,
> > copy_vma() fails after the source vma has been duplicated and
> > opened (ie. vma_link() fails), the error is handled by closing the new
> > vma. This updates the hugetlbfs reservation counter of the reservation
> > map which at this point is referenced by both the source vma and the new
> > copy. As a result, once the new vma has been freed and copy_vma()
> > returns, the reservation counter for the source vma will be incorrect.
> >
> > This patch addresses this corner case by clearing the hugetlb private
> > page reservation reference for the new vma and decrementing the
> > reference before closing the vma, so that vma_close() won't update the
> > reservation counter. This is also what copy_vma_and_data() does with the
> > source vma if copy_vma() succeeds, so a helper function has been added
> > to do the fixup in both functions.
> >
> > The issue was reported by a private syzbot instance and can be
> > reproduced using the C reproducer in [1]. It's also a possible duplicate
> > of public syzbot report [2]. The WARNING report is:
> >
> > ============================================================
> > page_counter underflow: -1024 nr_pages=1024
> > WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120
> > Modules linked in:
> > CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014
> > RIP: 0010:page_counter_cancel+0xf6/0x120
> > Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81
> > RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246
> > RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000
> > RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
> > RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a
> > R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000
> > R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400
> > FS:  0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0
> > Call Trace:
> >
> > page_counter_uncharge+0x33/0x80
> > hugetlb_cgroup_uncharge_counter+0xcb/0x120
> > hugetlb_vm_op_close+0x579/0x960
> > ? __pfx_hugetlb_vm_op_close+0x10/0x10
> > remove_vma+0x88/0x130
> > exit_mmap+0x71e/0xe00
> > ? __pfx_exit_mmap+0x10/0x10
> > ? __mutex_unlock_slowpath+0x22e/0x7f0
> > ? __pfx_exit_aio+0x10/0x10
> > ? __up_read+0x256/0x690
> > ? uprobe_clear_state+0x274/0x290
> > ? mm_update_next_owner+0xa9/0x810
> > __mmput+0xc9/0x370
> > exit_mm+0x203/0x2f0
> > ? __pfx_exit_mm+0x10/0x10
> > ? taskstats_exit+0x32b/0xa60
> > do_exit+0x921/0x2740
> > ? do_raw_spin_lock+0x155/0x3b0
> > ? __pfx_do_exit+0x10/0x10
> > ? __pfx_do_raw_spin_lock+0x10/0x10
> > ? _raw_spin_lock_irq+0xc5/0x100
> > do_group_exit+0x20c/0x2c0
> > get_signal+0x168c/0x1720
> > ? __pfx_get_signal+0x10/0x10
> > ? schedule+0x165/0x360
> > arch_do_signal_or_restart+0x8e/0x7d0
> > ? __pfx_arch_do_signal_or_restart+0x10/0x10
> > ? __pfx___se_sys_futex+0x10/0x10
> > syscall_exit_to_user_mode+0xb8/0x2c0
> > do_syscall_64+0x75/0x120
> > entry_SYSCALL_64_after_hwframe+0x76/0x7e
> > RIP: 0033:0x422dcd
> > Code: Unable to access opcode bytes at 0x422da3.
> > RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> > RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd
> > RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec
> > RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720
> > R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0
> > R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000
> >
> > ============================================================
> >
> > Signed-off-by: Ricardo Cañuelo Navarro
> > Suggested-by: Lorenzo Stoakes
> > Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter_cancel__repro.c [1]
> > Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2]
>
> I don't like the fixup_ names, but not enough to hold this up (or look
> at it again..). I also don't love the idea of moving a hugetlb..
> Maybe undo_ is better?

Anyway yeah, I agree it's not worth bikeshedding over. Though if there's
a v3 for any reason (or widespread agreement), this could be fixed up (haha).

> This isn't the only call path for vma_link() that doesn't unwind the
> hugetlb case correctly, but probably the only one that may need it.. I
> would hope special mappings or __bprm_mm_init() wouldn't result in
> hugetlbs.
>
> This seems sufficient until syzbot figures a way into those insane
> ideas.
>
> One small nit below, but thanks for this.
>
> Reviewed-by: Liam R. Howlett

Reviewed-by: Pedro Falcato

-- 
Pedro
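As an added illustration, not code from this thread or from the kernel, the toy C model below reproduces the double accounting the commit message describes: on the vma_link() failure path a copy that still references the source's reservation map is closed, so the shared counter is decremented once for the copy and again when the source is torn down. The struct and function names (resv_map, vma_close, vma_drop_private_resv, copy_vma_link_fails) are assumptions standing in for the kernel's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy model of the bookkeeping the patch describes. The struct
 * and function names are assumptions for illustration, not the kernel's. */
struct resv_map { long reserved; };                 /* shared reservation count */
struct vma { struct resv_map *resv; long pages; }; /* a mapping and its map ref */

/* Stand-in for hugetlb_vm_op_close(): gives this vma's reserved pages back to
 * whichever reservation map the vma still references. */
static void vma_close(struct vma *v)
{
    if (v->resv)
        v->resv->reserved -= v->pages;
}

/* Stand-in for the fixup helper the patch adds: detach the copy from the
 * reservation map before it is closed, so the close does not touch the
 * counter that the source vma still owns. */
static void vma_drop_private_resv(struct vma *v)
{
    v->resv = NULL;
}

/* copy_vma() where vma_link() fails after the copy was made. With fixed == false
 * the copy is closed while still sharing the map, which is the bug; with
 * fixed == true the fixup runs first. Returns the final counter, 0 if correct. */
static long copy_vma_link_fails(bool fixed)
{
    struct resv_map map = { .reserved = 1024 };
    struct vma src = { .resv = &map, .pages = 1024 };
    struct vma copy = src;          /* duplicate: both now point at 'map' */

    /* assume vma_link(&copy) failed here; unwind by closing the copy */
    if (fixed)
        vma_drop_private_resv(&copy);
    vma_close(&copy);

    /* later the source mapping itself is torn down, e.g. from exit_mmap() */
    vma_close(&src);
    return map.reserved;            /* -1024 when buggy, the underflow in the warning */
}

int main(void)
{
    printf("without fixup: %ld\n", copy_vma_link_fails(false));
    printf("with fixup:    %ld\n", copy_vma_link_fails(true));
    return 0;
}
```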