From patchwork Mon Jan 27 14:32:01 2025
X-Patchwork-Submitter: Дулов Даниил
X-Patchwork-Id: 13951509
From: Daniil Dulov
To: Andrew Morton
CC: Daniil Dulov, "Liam R. Howlett", Lorenzo Stoakes, Vlastimil Babka, Jann Horn, "Matthew Wilcox (Oracle)"
Subject: [PATCH] mm/vma: Fix hugetlb accounting error in copy_vma()
Date: Mon, 27 Jan 2025 17:32:01 +0300
Message-ID: <20250127143201.45453-1-d.dulov@aladdin.ru>

In copy_vma(), allocation of maple tree nodes may fail. Since page accounting takes place at the close() operation for hugetlb, it is called at the error path against the new_vma to account pages of the vma that was not successfully copied and that shares the page_counter with the original vma. Then, when the process is being terminated, vm_ops->close() is called once again against the original vma, which results in a page_counter underflow.
page_counter underflow: -1024 nr_pages=1024
WARNING: CPU: 1 PID: 1086 at mm/page_counter.c:55 page_counter_cancel+0xd6/0x130 mm/page_counter.c:55
Modules linked in:
CPU: 1 PID: 1086 Comm: syz-executor200 Not tainted 6.1.108-syzkaller-00078-g9ce77c16947b #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 page_counter_uncharge+0x2e/0x70 mm/page_counter.c:158
 hugetlb_cgroup_uncharge_counter+0xd2/0x420 mm/hugetlb_cgroup.c:430
 hugetlb_vm_op_close+0x435/0x700 mm/hugetlb.c:4886
 remove_vma+0x84/0x130 mm/mmap.c:140
 exit_mmap+0x32f/0x7a0 mm/mmap.c:3249
 __mmput+0x11e/0x430 kernel/fork.c:1199
 mmput+0x61/0x70 kernel/fork.c:1221
 exit_mm kernel/exit.c:565 [inline]
 do_exit+0xa4a/0x2790 kernel/exit.c:858
 do_group_exit+0xd0/0x2a0 kernel/exit.c:1021
 __do_sys_exit_group kernel/exit.c:1032 [inline]
 __se_sys_exit_group kernel/exit.c:1030 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:1030
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Since there is no sense in vm accounting for a bad copy of vma, set vm_start to be equal to vm_end and vm_pgoff to be equal to 0. Previously, a similar issue has been fixed in __split_vma() in the same way [1].

[1]: https://lore.kernel.org/all/20220719201523.3561958-1-Liam.Howlett@oracle.com/T/

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: d4af56c5c7c6 ("mm: start tracking VMAs with maple tree")
Cc: stable@vger.kernel.com
Signed-off-by: Daniil Dulov
---
 mm/vma.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/vma.c b/mm/vma.c
index bb2119e5a0d0..dbc68b7cd0ec 100644
--- a/mm/vma.c
+++ b/mm/vma.c
@@ -1772,6 +1772,9 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
 return new_vma;
 out_vma_link:
+ /* Avoid vm accounting in close() operation */
+ new_vma->vm_start = new_vma->vm_end;
+ new_vma->vm_pgoff = 0;
 vma_close(new_vma);
 if (new_vma->vm_file)
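Review bot: the comment on the first `+` line of the hunk ("Avoid vm accounting in close() operation") is too terse for what the two assignments do; a later reader of `copy_vma()` will see a VMA being deliberately emptied right before `vma_close(new_vma)` and not know why. It should say that hugetlb's close op uncharges the reservation for the VMA's range against a page_counter shared with the original VMA, so leaving the range intact on this error path produces a second uncharge at process exit and the underflow shown in the commit message, and it should point at the matching fix in `__split_vma()` [1]. The fix also relies on every `vm_ops->close()` implementation treating an empty range (`vm_start == vm_end`, `vm_pgoff == 0`) as a no-op, which the commit message argues only for hugetlb; one sentence stating that assumption would help reviewers of other close handlers. Finally, `Cc: stable@vger.kernel.com` in the tags looks like a typo for `stable@vger.kernel.org`; as written the stable maintainers will not pick this up.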