From patchwork Wed Nov 17 19:38:24 2021
X-Patchwork-Submitter: Mina Almasry
X-Patchwork-Id: 12625291
Date: Wed, 17 Nov 2021 11:38:24 -0800
Message-Id: <20211117193825.378528-1-almasrymina@google.com>
Subject: [PATCH v2] hugetlb, userfaultfd: Fix reservation restore on userfaultfd error
From: Mina Almasry
To: Mike Kravetz, Andrew Morton
Cc: Mina Almasry, Wei Xu, stable@vger.kernel.org, James Houghton, linux-mm@kvack.org, linux-kernel@vger.kernel.org

Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we bail out using "goto out_release_unlock;" in the cases where idx >= size, or !huge_pte_none(), the code will detect that new_pagecache_page == false, and so call restore_reserve_on_error(). In this case I see restore_reserve_on_error() delete the reservation, and the following call to remove_inode_hugepages() will increment h->resv_hugepages causing a 100% reproducible leak.

We should treat the is_continue case similar to adding a page into the pagecache and set new_pagecache_page to true, to indicate that there is no reservation to restore on the error path, and we need not call restore_reserve_on_error(). Rename new_pagecache_page to page_in_pagecache to make that clear.

Cc: Wei Xu
Cc: stable@vger.kernel.org
Fixes: c7b1850dfb41 ("hugetlb: don't pass page cache pages to restore_reserve_on_error")
Signed-off-by: Mina Almasry Reported-by: James Houghton Reviewed-by: Mike Kravetz --- Changes in v2: - Renamed new_pagecache_page to page_in_pagecache - Removed unnecessary comment after the name update. - Cc: stable --- mm/hugetlb.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) -- 2.34.0.rc2.393.gf8c9666880-goog diff --git a/mm/hugetlb.c b/mm/hugetlb.c index e09159c957e3..e7ebc4b355cf 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -5734,13 +5734,14 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm, int ret = -ENOMEM; struct page *page; int writable; - bool new_pagecache_page = false; + bool page_in_pagecache = false; if (is_continue) { ret = -EFAULT; page = find_lock_page(mapping, idx); if (!page) goto out; + page_in_pagecache = true; } else if (!*pagep) { /* If a page already exists, then it's UFFDIO_COPY for * a non-missing case. Return -EEXIST. @@ -5828,7 +5829,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm, ret = huge_add_to_page_cache(page, mapping, idx); if (ret) goto out_release_nounlock; - new_pagecache_page = true; + page_in_pagecache = true; } ptl = huge_pte_lockptr(h, dst_mm, dst_pte); @@ -5892,7 +5893,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm, if (vm_shared || is_continue) unlock_page(page); out_release_nounlock: - if (!new_pagecache_page) + if (!page_in_pagecache) restore_reserve_on_error(h, dst_vma, dst_addr, page); put_page(page); goto out;
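Review bot: in the `@@ -5734,13 +5734,14 @@` hunk, the new `page_in_pagecache = true;` placed right after `find_lock_page(mapping, idx)` succeeds is the whole fix, since it is what makes the later `idx >= size` and `!huge_pte_none()` bail-outs skip restore_reserve_on_error(); but the v2 changelog says the explanatory comment was removed with the rename, so a one-line comment at this assignment (the page was found in the page cache rather than added to it, so no reservation was consumed and none needs restoring) would spare the next reader from reconstructing that from the commit message. The `goto out` on `!page` correctly sits before the assignment, as no page reference is held on that path.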
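Review bot: in the `@@ -5892,7 +5893,7 @@` hunk, `if (!page_in_pagecache)` is now the single consumer of a flag that is set by two different producers (the is_continue lookup in the first hunk and the successful huge_add_to_page_cache() in the second), while a failed huge_add_to_page_cache() still reaches out_release_nounlock with the flag false and restores the reservation, which is the intended behaviour; since the name alone has to carry that invariant, consider stating it in a comment at the `bool page_in_pagecache = false;` declaration. Also worth noting for the is_continue path that the `put_page(page)` following this check drops only the reference taken by find_lock_page(), so the page stays in the cache for the subsequent remove_inode_hugepages() the commit message refers to.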