Re: [PATCH] mm/hugetlb: fix hugetlb cgroup rsvd charge/uncharge mismatch

Next message: DaeMyung Kang: "Re: [PATCH 1/2] ntfs: fix NULL dereference in ntfs_index_walk_down()"
Previous message: Hsiu Che Yu: "[PATCH] rust: alloc: add doc test for `Vec::from_elem`"
In reply to: Andrew Morton: "Re: [PATCH] mm/hugetlb: fix hugetlb cgroup rsvd charge/uncharge mismatch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Muchun Song

Date: Sat Apr 25 2026 - 23:48:31 EST

> On Mar 28, 2026, at 14:55, Deepanshu Kartikey <kartikey406@xxxxxxxxx> wrote:
>
> In alloc_hugetlb_folio(), a single h_cg pointer is used for both
> the rsvd and non-rsvd hugetlb cgroup charges. When map_chg is set,
> hugetlb_cgroup_charge_cgroup_rsvd() stores the charged cgroup in
> h_cg, but the immediately following hugetlb_cgroup_charge_cgroup()
> overwrites h_cg with the non-rsvd cgroup pointer.
>
> As a result, hugetlb_cgroup_commit_charge_rsvd() stores the wrong
> (non-rsvd) cgroup pointer into the folio's rsvd slot.
>
> When the folio is later freed, free_huge_folio() unconditionally
> calls both hugetlb_cgroup_uncharge_folio() and
> hugetlb_cgroup_uncharge_folio_rsvd(). The rsvd uncharge reads back
> the wrong cgroup from the folio and decrements a counter that was
> never charged for that cgroup, causing a page_counter underflow:
>
> page_counter underflow: -512 nr_pages=512
> WARNING: mm/page_counter.c:61 at page_counter_cancel
>
> Fix this by introducing a separate h_cg_rsvd pointer exclusively
> for the rsvd charge path, keeping the rsvd and non-rsvd charges
> fully independent through their charge, commit, and error uncharge
> paths.
>
> Fixes: 08cf9faf7558 ("hugetlb_cgroup: support noreserve mappings")
> Reported-by: syzbot+226c1f947186f8fef796@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=226c1f947186f8fef796
> Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>

Reviewed-by: Muchun Song <muchun.song@xxxxxxxxx>

Thanks.