public inbox for stable@vger.kernel.org
* [PATCH] mm/hugetlb: restore reservation on error in hugetlb_mfill_atomic_pte() resubmission path
@ 2026-03-22  5:21 David Carlier
  2026-03-23 19:13 ` Andrew Morton
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: David Carlier @ 2026-03-22  5:21 UTC (permalink / raw)
  To: Muchun Song, Oscar Salvador, David Hildenbrand, Andrew Morton,
	YueHaibing, Mina Almasry
  Cc: linux-mm, David Carlier, stable

When the resubmission path in hugetlb_mfill_atomic_pte() allocates a new
hugetlb folio via alloc_hugetlb_folio(), a VMA reservation is consumed. If
copy_user_large_folio() subsequently fails, folio_put() restores the global
hugetlb pool count through free_huge_folio(), but the per-VMA reservation
map entry is left in an inconsistent state.

Add the missing restore_reserve_on_error() call before folio_put(), matching
the first-attempt error path which already handles this correctly.

Fixes: 8cc5fcbb5be8 ("mm, hugetlb: fix racy resv_huge_pages underflow on UFFDIO_COPY")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 mm/hugetlb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 88009cd2a846..d6ea11113f1d 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -6295,6 +6295,7 @@ int hugetlb_mfill_atomic_pte(pte_t *dst_pte,
 		folio_put(*foliop);
 		*foliop = NULL;
 		if (ret) {
+			restore_reserve_on_error(h, dst_vma, dst_addr, folio);
 			folio_put(folio);
 			goto out;
 		}
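Review bot: the new restore_reserve_on_error() call is correctly placed before folio_put(folio) rather than after it, since the folio's reservation state has to be examined while the reference is still held; what the hunk does not show is the first-attempt error path the commit message says it mirrors, nor why this branch keeps `goto out` instead of a release label, so please quote that earlier call (its label and the same h, dst_vma, dst_addr, folio arguments) in the message so a reviewer can confirm both paths now unwind the reservation for either value of folio_in_pagecache. Also double-check the Fixes tag: the `if (ret)` branch being patched only exists once copy_user_large_folio() can return an error, so the tag should name the commit that introduced that branch.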
-- 
2.53.0



* Re: [PATCH] mm/hugetlb: restore reservation on error in hugetlb_mfill_atomic_pte() resubmission path
  2026-03-22  5:21 [PATCH] mm/hugetlb: restore reservation on error in hugetlb_mfill_atomic_pte() resubmission path David Carlier
@ 2026-03-23 19:13 ` Andrew Morton
  2026-03-28  0:35 ` Andrew Morton
  2026-04-04 12:59 ` Muchun Song
  2 siblings, 0 replies; 4+ messages in thread
From: Andrew Morton @ 2026-03-23 19:13 UTC (permalink / raw)
  To: David Carlier
  Cc: Muchun Song, Oscar Salvador, David Hildenbrand, YueHaibing,
	Mina Almasry, linux-mm, stable

On Sun, 22 Mar 2026 05:21:20 +0000 David Carlier <devnexen@gmail.com> wrote:

> When the resubmission path in hugetlb_mfill_atomic_pte() allocates a new
> hugetlb folio via alloc_hugetlb_folio(), a VMA reservation is consumed. If
> copy_user_large_folio() subsequently fails, folio_put() restores the global
> hugetlb pool count through free_huge_folio(), but the per-VMA reservation
> map entry is left in an inconsistent state.
> 
> Add the missing restore_reserve_on_error() call before folio_put(), matching
> the first-attempt error path which already handles this correctly.
> 
> ...
>
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -6295,6 +6295,7 @@ int hugetlb_mfill_atomic_pte(pte_t *dst_pte,
>  		folio_put(*foliop);
>  		*foliop = NULL;
>  		if (ret) {
> +			restore_reserve_on_error(h, dst_vma, dst_addr, folio);
>  			folio_put(folio);
>  			goto out;
>  		}

I guess we could goto out_release_nounlock here, although I'm not sure
that improves anything - keeping track of the value of
folio_in_pagecache is rather twisty.



* Re: [PATCH] mm/hugetlb: restore reservation on error in hugetlb_mfill_atomic_pte() resubmission path
  2026-03-22  5:21 [PATCH] mm/hugetlb: restore reservation on error in hugetlb_mfill_atomic_pte() resubmission path David Carlier
  2026-03-23 19:13 ` Andrew Morton
@ 2026-03-28  0:35 ` Andrew Morton
  2026-04-04 12:59 ` Muchun Song
  2 siblings, 0 replies; 4+ messages in thread
From: Andrew Morton @ 2026-03-28  0:35 UTC (permalink / raw)
  To: David Carlier
  Cc: Muchun Song, Oscar Salvador, David Hildenbrand, YueHaibing,
	Mina Almasry, linux-mm, stable

On Sun, 22 Mar 2026 05:21:20 +0000 David Carlier <devnexen@gmail.com> wrote:

> When the resubmission path in hugetlb_mfill_atomic_pte() allocates a new
> hugetlb folio via alloc_hugetlb_folio(), a VMA reservation is consumed. If
> copy_user_large_folio() subsequently fails, folio_put() restores the global
> hugetlb pool count through free_huge_folio(), but the per-VMA reservation
> map entry is left in an inconsistent state.
> 
> Add the missing restore_reserve_on_error() call before folio_put(), matching
> the first-attempt error path which already handles this correctly.

Could we please have some review here?

> Fixes: 8cc5fcbb5be8 ("mm, hugetlb: fix racy resv_huge_pages underflow on UFFDIO_COPY")
> Cc: stable@vger.kernel.org

And agreement that this is desirable.

Thanks.

> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
> index 88009cd2a846..d6ea11113f1d 100644
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -6295,6 +6295,7 @@ int hugetlb_mfill_atomic_pte(pte_t *dst_pte,
>  		folio_put(*foliop);
>  		*foliop = NULL;
>  		if (ret) {
> +			restore_reserve_on_error(h, dst_vma, dst_addr, folio);
>  			folio_put(folio);
>  			goto out;
>  		}
> -- 
> 2.53.0
> 


* Re: [PATCH] mm/hugetlb: restore reservation on error in hugetlb_mfill_atomic_pte() resubmission path
  2026-03-22  5:21 [PATCH] mm/hugetlb: restore reservation on error in hugetlb_mfill_atomic_pte() resubmission path David Carlier
  2026-03-23 19:13 ` Andrew Morton
  2026-03-28  0:35 ` Andrew Morton
@ 2026-04-04 12:59 ` Muchun Song
  2 siblings, 0 replies; 4+ messages in thread
From: Muchun Song @ 2026-04-04 12:59 UTC (permalink / raw)
  To: David Carlier
  Cc: Oscar Salvador, David Hildenbrand, Andrew Morton, YueHaibing,
	Mina Almasry, linux-mm, stable



> On Mar 22, 2026, at 13:21, David Carlier <devnexen@gmail.com> wrote:
> 
> When the resubmission path in hugetlb_mfill_atomic_pte() allocates a new
> hugetlb folio via alloc_hugetlb_folio(), a VMA reservation is consumed. If
> copy_user_large_folio() subsequently fails, folio_put() restores the global
> hugetlb pool count through free_huge_folio(), but the per-VMA reservation
> map entry is left in an inconsistent state.
> 
> Add the missing restore_reserve_on_error() call before folio_put(), matching
> the first-attempt error path which already handles this correctly.
> 
> Fixes: 8cc5fcbb5be8 ("mm, hugetlb: fix racy resv_huge_pages underflow on UFFDIO_COPY")

Hi David,

Thanks for this fix. The patch looks good to me and clearly solves the
reservation leak in the resubmission path of hugetlb_mfill_atomic_pte().

However, I'm a bit curious about the Fixes tag. While commit 8cc5fcbb5be8
did introduce this code structure and the retry path, it seems the bug
wasn't actually introduced there. At that time, copy_huge_page() returned
void, so the failure path simply did not exist.

Instead, looking at the git history, the failure branch `if (ret)` was
added later by commit 1cb9dc4b475c ("mm: hwpoison: support recovery from
HugePage copy-on-write faults"). It modified copy_user_large_folio() to
return an int and introduced error handling paths that unfortunately
missed restoring the reservations. Should the Fixes tag perhaps point to
1cb9dc4b475c instead?

Furthermore, if commit 1cb9dc4b475c is indeed the root cause, I noticed
it also introduced similar error handling paths in other places. For
example, in copy_hugetlb_page_range():

        ret = copy_user_large_folio(new_folio, pte_folio, addr, dst_vma);
        folio_put(pte_folio);
        if (ret) {
                folio_put(new_folio);
                break;
        }

Here, new_folio was allocated with alloc_hugetlb_folio(), which consumes
reservations. But if the copy fails, new_folio is freed via folio_put()
without calling restore_reserve_on_error() first.

Does this imply we might have similar reservation leaks in other error
paths touched by 1cb9dc4b475c? I'd love to hear your thoughts on this.

Thanks,
Muchun

> Cc: stable@vger.kernel.org
> Signed-off-by: David Carlier <devnexen@gmail.com>
> ---
> mm/hugetlb.c | 1 +
> 1 file changed, 1 insertion(+)
> 
> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
> index 88009cd2a846..d6ea11113f1d 100644
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -6295,6 +6295,7 @@ int hugetlb_mfill_atomic_pte(pte_t *dst_pte,
> 	folio_put(*foliop);
> 	*foliop = NULL;
> 	if (ret) {
> + 		restore_reserve_on_error(h, dst_vma, dst_addr, folio);
> 		folio_put(folio);
> 		goto out;
> 	}
> -- 
> 2.53.0
> 


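The leak described in the patch and in Muchun's reply, as an added illustration that is not part of the thread and not kernel code: a deliberately simplified C model of hugetlb reservation accounting. The struct layouts, the `consumed` map and every `model_*` function are assumptions of this model, not the kernel's data structures or call signatures. It shows what goes wrong when an error path returns the page to the global pool but leaves the per-VMA map entry in place: the map still claims a page exists at that address while the pool no longer holds one back for it, so a competing allocation with no reservation can take the page and the VMA's refault fails. With the restore call, both ledgers are unwound and the refault gets its page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NR_SLOTS 4  /* huge-page slots in the modelled VMA; addr is a slot index */

/* Global pool: free pages, and how many of them are held back for reservations.
 * (Model assumption: two counters stand in for the hstate's bookkeeping.) */
struct hpool { long free_huge_pages; long resv_huge_pages; };
/* Per-VMA reservation map reduced to "has this slot's reservation become a page?" */
struct vma { bool consumed[NR_SLOTS]; };
/* The only folio state the model needs: should freeing it re-credit the reserve? */
struct folio { bool restore_reserve; };

/* Pages a caller without a reservation may take. */
static long avail_unreserved(const struct hpool *p)
{
	return p->free_huge_pages - p->resv_huge_pages;
}

/* Stand-in for alloc_hugetlb_folio(): consume the VMA's reservation for addr if
 * it still exists, otherwise allocate only from the unreserved surplus. */
static bool model_alloc(struct hpool *p, struct vma *v, int addr, struct folio *f)
{
	f->restore_reserve = false;
	if (v && !v->consumed[addr]) {
		if (p->free_huge_pages <= 0)
			return false;
		v->consumed[addr] = true;   /* map now says a page exists at addr */
		p->resv_huge_pages--;       /* the reserve is spent */
	} else if (avail_unreserved(p) <= 0) {
		return false;               /* must not dip into pages held for reservations */
	}
	p->free_huge_pages--;
	return true;
}

/* Stand-in for restore_reserve_on_error(): undo the map entry and flag the folio
 * so that the free path re-credits the reserve. */
static void model_restore_reserve_on_error(struct vma *v, int addr, struct folio *f)
{
	v->consumed[addr] = false;
	f->restore_reserve = true;
}

/* Stand-in for folio_put() -> free_huge_folio(): the page returns to the pool;
 * the reserve count is re-credited only when the restore flag was set. */
static void model_folio_put(struct hpool *p, struct folio *f)
{
	p->free_huge_pages++;
	if (f->restore_reserve)
		p->resv_huge_pages++;
}

/* Pool of one page, fully reserved by one VMA. A fill attempt allocates the page
 * and the copy fails; the error path calls the restore stand-in only if with_fix. */
static void failed_copy(struct hpool *p, struct vma *v, bool with_fix)
{
	struct folio f;

	p->free_huge_pages = 1;
	p->resv_huge_pages = 1;
	memset(v, 0, sizeof(*v));
	if (!model_alloc(p, v, 0, &f))
		return;
	/* copy_user_large_folio() fails here (modelled) */
	if (with_fix)
		model_restore_reserve_on_error(v, 0, &f);
	model_folio_put(p, &f);
}

/* Reserved pages the pool still protects once the failed attempt has unwound:
 * 0 without the fix (reservation lost), 1 with it. */
long resv_after_failed_copy(bool with_fix)
{
	struct hpool p;
	struct vma v;

	failed_copy(&p, &v, with_fix);
	return p.resv_huge_pages;
}

/* After the failed attempt, an unrelated caller with no reservation allocates,
 * then the VMA refaults the same address. Returns whether the refault gets a page. */
bool reservation_honoured_after_failed_copy(bool with_fix)
{
	struct hpool p;
	struct vma v;
	struct folio other, retry;

	failed_copy(&p, &v, with_fix);
	(void)model_alloc(&p, NULL, 0, &other);   /* competing unreserved allocation */
	return model_alloc(&p, &v, 0, &retry);
}
```

The invariant the model exercises is the general one behind this class of bug: a resource drawn from two ledgers (the global pool and the owner's reservation map) must be returned to both on every error path, not just the one that frees the page. The same check applies to the other `if (ret)` branches Muchun lists, such as the one in copy_hugetlb_page_range(), where `new_folio` is also released with folio_put() alone.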
