Re: [PATCH] mm/hugetlb: fix hugetlb cgroup rsvd charge/uncharge mismatch

From: Andrew Morton

Date: Mon Mar 30 2026 - 16:26:40 EST


On Sat, 28 Mar 2026 12:25:34 +0530 Deepanshu Kartikey <kartikey406@xxxxxxxxx> wrote:

> In alloc_hugetlb_folio(), a single h_cg pointer is used for both
> the rsvd and non-rsvd hugetlb cgroup charges. When map_chg is set,
> hugetlb_cgroup_charge_cgroup_rsvd() stores the charged cgroup in
> h_cg, but the immediately following hugetlb_cgroup_charge_cgroup()
> overwrites h_cg with the non-rsvd cgroup pointer.
>
> As a result, hugetlb_cgroup_commit_charge_rsvd() stores the wrong
> (non-rsvd) cgroup pointer into the folio's rsvd slot.
>
> When the folio is later freed, free_huge_folio() unconditionally
> calls both hugetlb_cgroup_uncharge_folio() and
> hugetlb_cgroup_uncharge_folio_rsvd(). The rsvd uncharge reads back
> the wrong cgroup from the folio and decrements a counter that was
> never charged for that cgroup, causing a page_counter underflow:
>
> page_counter underflow: -512 nr_pages=512
> WARNING: mm/page_counter.c:61 at page_counter_cancel
>
> Fix this by introducing a separate h_cg_rsvd pointer exclusively
> for the rsvd charge path, keeping the rsvd and non-rsvd charges
> fully independent through their charge, commit, and error uncharge
> paths.

Thanks.

> Fixes: 08cf9faf7558 ("hugetlb_cgroup: support noreserve mappings")

Merged in 2020!

Could reviewers please give consideration to whether we should backport
this?

> Reported-by: syzbot+226c1f947186f8fef796@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=226c1f947186f8fef796
> Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>

This doesn't seem super-urgent so for now I'll park it in my pile to
revisit after 7.1-rc1.
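The pointer-aliasing mistake described in the quoted commit message, as an added stand-alone model in C (not kernel code, not the patch itself): `alloc_folio`, `free_folio`, `counter_cancel` and the `cgroup`/`folio` structs are hypothetical simplifications of the hugetlb cgroup charge/commit/uncharge sequence, and the 512-page charge is a constructed value chosen to match the warning in the report.

```c
#include <stdio.h>

/* Hypothetical model of the bug: each "cgroup" has a non-rsvd counter and a
 * rsvd counter; a folio records which cgroup was committed into each slot. */
struct cgroup { const char *name; long usage; long rsvd_usage; };
struct folio  { struct cgroup *cg; struct cgroup *cg_rsvd; };

static int underflows;  /* stands in for the page_counter underflow WARNING */

static void counter_cancel(long *counter, long n)
{
    *counter -= n;
    if (*counter < 0)
        underflows++;
}

/* Charge the rsvd cgroup, then the non-rsvd cgroup, then commit both into the
 * folio.  With single_ptr != 0 one pointer (h_cg) is reused for both charges,
 * as in the buggy path, so the second charge overwrites the rsvd pointer
 * before the rsvd commit reads it.  Otherwise h_cg_rsvd keeps it separate. */
static void alloc_folio(struct folio *f, struct cgroup *rsvd_cg,
                        struct cgroup *cg, long n, int single_ptr)
{
    struct cgroup *h_cg, *h_cg_rsvd;

    h_cg = rsvd_cg;                 /* charge_cgroup_rsvd() */
    h_cg->rsvd_usage += n;
    h_cg_rsvd = h_cg;               /* fixed path keeps its own pointer */

    h_cg = cg;                      /* charge_cgroup() overwrites h_cg */
    h_cg->usage += n;

    f->cg_rsvd = single_ptr ? h_cg : h_cg_rsvd;  /* commit_charge_rsvd() */
    f->cg = h_cg;                                /* commit_charge() */
}

/* free_huge_folio() uncharges both slots unconditionally. */
static void free_folio(struct folio *f, long n)
{
    counter_cancel(&f->cg->usage, n);
    counter_cancel(&f->cg_rsvd->rsvd_usage, n);
}

/* One alloc/free cycle; returns how many counters went negative. */
int run_cycle(int single_ptr)
{
    struct cgroup rsvd = { "rsvd-cg", 0, 0 }, plain = { "plain-cg", 0, 0 };
    struct folio f;

    underflows = 0;
    alloc_folio(&f, &rsvd, &plain, 512, single_ptr);
    free_folio(&f, 512);
    return underflows;
}
```

With the shared pointer the rsvd uncharge hits the non-rsvd cgroup, which never had a rsvd charge, so its rsvd counter goes to -512 while the real rsvd cgroup's charge leaks; with the separate pointer both counters return to zero.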