Subject: Re: [PATCH] mm/hugetlb: fix hugetlb cgroup rsvd charge/uncharge mismatch
From: Muchun Song
To: Deepanshu Kartikey
Cc: osalvador@suse.de, david@kernel.org, akpm@linux-foundation.org, mike.kravetz@oracle.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzbot+226c1f947186f8fef796@syzkaller.appspotmail.com
Date: Sun, 26 Apr 2026 11:47:26 +0800
Message-Id: <9CC5F017-AE6A-4EB0-9099-B4DA5E93EA85@linux.dev>
In-Reply-To: <20260328065534.346053-1-kartikey406@gmail.com>
References: <20260328065534.346053-1-kartikey406@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Mar 28, 2026, at 14:55, Deepanshu Kartikey wrote:
>
> In alloc_hugetlb_folio(), a single h_cg pointer is used for both
> the rsvd and non-rsvd hugetlb cgroup charges. When map_chg is set,
> hugetlb_cgroup_charge_cgroup_rsvd() stores the charged cgroup in
> h_cg, but the immediately following hugetlb_cgroup_charge_cgroup()
> overwrites h_cg with the non-rsvd cgroup pointer.
>
> As a result, hugetlb_cgroup_commit_charge_rsvd() stores the wrong
> (non-rsvd) cgroup pointer into the folio's rsvd slot.
>
> When the folio is later freed, free_huge_folio() unconditionally
> calls both hugetlb_cgroup_uncharge_folio() and
> hugetlb_cgroup_uncharge_folio_rsvd(). The rsvd uncharge reads back
> the wrong cgroup from the folio and decrements a counter that was
> never charged for that cgroup, causing a page_counter underflow:
>
> page_counter underflow: -512 nr_pages=512
> WARNING: mm/page_counter.c:61 at page_counter_cancel
>
> Fix this by introducing a separate h_cg_rsvd pointer exclusively
> for the rsvd charge path, keeping the rsvd and non-rsvd charges
> fully independent through their charge, commit, and error uncharge
> paths.
>
> Fixes: 08cf9faf7558 ("hugetlb_cgroup: support noreserve mappings")
> Reported-by: syzbot+226c1f947186f8fef796@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=226c1f947186f8fef796
> Signed-off-by: Deepanshu Kartikey

Reviewed-by: Muchun Song

Thanks.
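As an added illustration of the mismatch the commit message describes (this is a model written for this page, not code from the patch or from the kernel): two cgroups, each with a separate hugepage counter and rsvd counter, a folio with two cgroup slots, and the alloc and free sequences as the message lays them out. The names `struct cgroup`, `struct folio`, `alloc_buggy`, `alloc_fixed`, `free_folio` and `run_cycle`, the 512-page folio size, and the assumption that the rsvd lookup and the non-rsvd lookup return two different cgroups (A and B) are constructed for the model; the commit message does not say how the two pointers come to differ inside the kernel, so the model simply takes both cgroups as inputs.

```c
/* Model of the hugetlb cgroup rsvd/non-rsvd charge mismatch (added
 * example, not kernel code). Structs and names are simplified stand-ins
 * for hugetlb_cgroup, page_counter and the folio's two cgroup slots. */
#include <stdbool.h>
#include <stdio.h>

#define NR_PAGES 512L  /* constructed: one huge folio of 512 base pages */

/* Stand-in for struct page_counter: remembers if a cancel went negative. */
struct counter {
    long usage;
    bool underflow;
};

/* Stand-in for struct hugetlb_cgroup: separate non-rsvd and rsvd counters. */
struct cgroup {
    const char *name;
    struct counter hugepage;       /* non-rsvd charge */
    struct counter rsvd_hugepage;  /* rsvd (reservation) charge */
};

/* Stand-in for the folio: one cgroup pointer per slot. */
struct folio {
    struct cgroup *cg;       /* written by commit_charge() */
    struct cgroup *cg_rsvd;  /* written by commit_charge_rsvd() */
};

static void counter_charge(struct counter *c, long n) { c->usage += n; }

/* Mirrors page_counter_cancel(): flag the "more uncharges than charges"
 * condition (the WARNING quoted in the report) and clamp to zero. */
static void counter_cancel(struct counter *c, long n)
{
    c->usage -= n;
    if (c->usage < 0) {
        c->underflow = true;
        c->usage = 0;
    }
}

/* Buggy alloc_hugetlb_folio() shape: one h_cg for both charges, so the
 * non-rsvd charge overwrites the cgroup recorded by the rsvd charge. */
static void alloc_buggy(struct folio *f, struct cgroup *rsvd_cg,
                        struct cgroup *cg, bool map_chg)
{
    struct cgroup *h_cg = NULL;

    if (map_chg) {
        counter_charge(&rsvd_cg->rsvd_hugepage, NR_PAGES);
        h_cg = rsvd_cg;                 /* charge_cgroup_rsvd() */
    }
    counter_charge(&cg->hugepage, NR_PAGES);
    h_cg = cg;                          /* charge_cgroup() clobbers h_cg */

    f->cg = h_cg;                       /* commit_charge() */
    if (map_chg)
        f->cg_rsvd = h_cg;              /* commit_charge_rsvd(): wrong cgroup */
}

/* Fixed shape: a dedicated h_cg_rsvd keeps the rsvd pointer intact. */
static void alloc_fixed(struct folio *f, struct cgroup *rsvd_cg,
                        struct cgroup *cg, bool map_chg)
{
    struct cgroup *h_cg = NULL, *h_cg_rsvd = NULL;

    if (map_chg) {
        counter_charge(&rsvd_cg->rsvd_hugepage, NR_PAGES);
        h_cg_rsvd = rsvd_cg;
    }
    counter_charge(&cg->hugepage, NR_PAGES);
    h_cg = cg;

    f->cg = h_cg;
    if (map_chg)
        f->cg_rsvd = h_cg_rsvd;
}

/* free_huge_folio() shape: uncharge whatever sits in both slots. */
static void free_folio(struct folio *f)
{
    if (f->cg)
        counter_cancel(&f->cg->hugepage, NR_PAGES);
    if (f->cg_rsvd)
        counter_cancel(&f->cg_rsvd->rsvd_hugepage, NR_PAGES);
    f->cg = f->cg_rsvd = NULL;
}

/* One alloc/free cycle with map_chg set and two distinct cgroups.
 * Returns 1 if any counter underflowed; *leaked_rsvd gets what is left
 * charged on the rsvd counter of the cgroup that was rsvd-charged. */
static int run_cycle(bool fixed, long *leaked_rsvd)
{
    struct cgroup A = { "A", {0, false}, {0, false} };  /* rsvd cgroup */
    struct cgroup B = { "B", {0, false}, {0, false} };  /* non-rsvd cgroup */
    struct folio f = { NULL, NULL };

    if (fixed)
        alloc_fixed(&f, &A, &B, true);
    else
        alloc_buggy(&f, &A, &B, true);
    free_folio(&f);

    *leaked_rsvd = A.rsvd_hugepage.usage;
    return A.hugepage.underflow || A.rsvd_hugepage.underflow ||
           B.hugepage.underflow || B.rsvd_hugepage.underflow;
}

static int cycle_underflowed(bool fixed) { long l; return run_cycle(fixed, &l); }
static long cycle_leaked_rsvd(bool fixed) { long l; run_cycle(fixed, &l); return l; }

int main(void)
{
    printf("buggy: underflow=%d leaked_rsvd=%ld\n",
           cycle_underflowed(false), cycle_leaked_rsvd(false));
    printf("fixed: underflow=%d leaked_rsvd=%ld\n",
           cycle_underflowed(true), cycle_leaked_rsvd(true));
    return 0;
}
```

In the buggy path the rsvd slot ends up pointing at B, so free_folio() cancels 512 pages on B's rsvd counter, which was never charged (the -512 underflow from the report), while the 512 pages charged on A's rsvd counter are never returned. The fixed path commits A into the rsvd slot and both counters return to zero.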