From patchwork Tue Nov 16 23:57:32 2021
X-Patchwork-Submitter: Mina Almasry
X-Patchwork-Id: 12623309
Date: Tue, 16 Nov 2021 15:57:32 -0800
Message-Id: <20211116235733.3774702-1-almasrymina@google.com>
X-Mailer: git-send-email 2.34.0.rc1.387.gb447b232ab-goog
Subject: [PATCH v1] hugetlb, userfaultfd: Fix reservation restore on userfaultfd error
From: Mina Almasry
To: Mike Kravetz, Andrew Morton
Cc: Mina Almasry, Wei Xu, James Houghton, linux-mm@kvack.org, linux-kernel@vger.kernel.org

Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we bail out using "goto out_release_unlock;" in the cases where idx >= size, or !huge_pte_none(), the code will detect that new_pagecache_page == false, and so call restore_reserve_on_error(). In this case I see restore_reserve_on_error() delete the reservation, and the following call to remove_inode_hugepages() will increment h->resv_hugepages, causing a 100% reproducible leak.

We should treat the is_continue case similarly to adding a page into the pagecache and set new_pagecache_page to true, to indicate that there is no reservation to restore on the error path, and we need not call restore_reserve_on_error().

Cc: Wei Xu
Fixes: c7b1850dfb41 ("hugetlb: don't pass page cache pages to restore_reserve_on_error")
Signed-off-by: Mina Almasry
Reported-by: James Houghton
---
 mm/hugetlb.c | 8 ++++++++
 1 file changed, 8 insertions(+)

-- 
2.34.0.rc1.387.gb447b232ab-goog

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index e09159c957e3..25a7a3d84607 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5741,6 +5741,14 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm, page = find_lock_page(mapping, idx); if (!page) goto out; + /* + * Set new_pagecache_page to true, as we've added a page to the + * pagecache, but userfaultfd hasn't set up a mapping for this + * page yet. If we bail out before setting up the mapping, we + * want to indicate to restore_reserve_on_error() that we've + * added the page to the page cache. + */ + new_pagecache_page = true; } else if (!*pagep) { /* If a page already exists, then it's UFFDIO_COPY for * a non-missing case. Return -EEXIST.
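Review bot: the new comment in the is_continue branch says "we've added a page to the pagecache", but the line directly above it, `page = find_lock_page(mapping, idx);`, only looks up a page that is already in the page cache; nothing in this branch adds one, so the comment misstates why the flag is being set. The reason the assignment is correct is the one the commit message gives: the page is an existing page-cache page owned by the inode, so if we bail out to out_release_unlock before the mapping is set up there is no reservation to restore, and `new_pagecache_page = true` is what stops that path from calling restore_reserve_on_error(). Suggest rewording along the lines of "The page is already in the page cache, so there is no reservation to restore if we bail out before the mapping is set up; set new_pagecache_page so the error path skips restore_reserve_on_error()." Since the flag now also covers a page this function did not insert, a note at its declaration (or a rename in a follow-up) would keep the name from misleading the next reader.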