From: David Carlier <devnexen@gmail.com>
To: akpm@linux-foundation.org
Cc: muchun.song@linux.dev, david@kernel.org, almasrymina@google.com,
	osalvador@suse.de, yuehaibing@huawei.com, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	David Carlier <devnexen@gmail.com>
Subject: [PATCH v2] mm/hugetlb: restore reservation on error in hugetlb_mfill_atomic_pte() resubmission path
Date: Wed, 20 May 2026 00:05:03 +0100
Message-ID: <20260519230503.121293-1-devnexen@gmail.com>

When the resubmission path in hugetlb_mfill_atomic_pte() allocates a new
hugetlb folio via alloc_hugetlb_folio(), a VMA reservation is consumed.
If copy_user_large_folio() subsequently fails (e.g. -EHWPOISON when the
source page is hwpoisoned), folio_put() restores the global hugetlb pool
count through free_huge_folio(), but the per-VMA reservation map entry
is left marked consumed.

User-visible effect: on a UFFDIO_COPY into a private hugetlb VMA where
the resubmission path's copy fails, the reservation for that address is
leaked from the VMA's reserve map. A subsequent fault at the same
address takes the no-reservation path, and under hugetlb pool pressure
the task is SIGBUSed at an address it had previously reserved. One map
entry is leaked per occurrence.

Add the missing restore_reserve_on_error() call before folio_put(),
matching the first-attempt error path which already handles this
correctly.

Fixes: 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage copy-on-write faults")
Cc: <stable@vger.kernel.org>
Signed-off-by: David Carlier <devnexen@gmail.com>
---
v2:
  - Add user-visible effects paragraph in changelog (per akpm,
    required for Cc: stable).
  - Correct Fixes: tag to 1cb9dc4b475c (per Muchun) -- the failing
    arm only exists since copy_user_large_folio() became int-returning.

Andrew, please drop the v1 currently queued as 270157aef0d1 in
mm-unstable.

v1: https://lore.kernel.org/all/20260322052120.14021-1-devnexen@gmail.com/

 mm/hugetlb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 4b80b167cc9c..c6dee98840db 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -6270,6 +6270,7 @@ int hugetlb_mfill_atomic_pte(pte_t *dst_pte,
 		folio_put(*foliop);
 		*foliop = NULL;
 		if (ret) {
+			restore_reserve_on_error(h, dst_vma, dst_addr, folio);
 			folio_put(folio);
 			goto out;
 		}
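
Review bot: the if (ret) arm fixed here is one caller of copy_user_large_folio(), and the changelog ties the leak to that function becoming int-returning, so any other path in mm/hugetlb.c that allocates with alloc_hugetlb_folio() and then bails out on a failed copy needs the same audit before this goes to stable; otherwise the fix is partial. Within the arm itself the ordering matters: restore_reserve_on_error() takes folio as an argument and has to stay ahead of folio_put(folio), so a one-line comment above the call saying that the reserve map entry is restored before the folio is released would keep a later cleanup from swapping the two calls.
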
-- 
2.53.0


Thread overview: 4+ messages
2026-05-19 23:05 David Carlier [this message]
2026-05-20  2:48 ` [PATCH v2] mm/hugetlb: restore reservation on error in hugetlb_mfill_atomic_pte() resubmission path Muchun Song
2026-05-20  4:49 ` [PATCH v3] mm/hugetlb: restore reservation on error in hugetlb folio copy paths David Carlier
2026-05-20  6:16   ` Muchun Song