Re: [PATCH v2] mm/hugetlb: restore reservation on error in hugetlb_mfill_atomic_pte() resubmission path

From: Muchun Song

Date: Tue May 19 2026 - 22:49:07 EST



> On May 20, 2026, at 07:05, David Carlier <devnexen@xxxxxxxxx> wrote:
>
> When the resubmission path in hugetlb_mfill_atomic_pte() allocates a new
> hugetlb folio via alloc_hugetlb_folio(), a VMA reservation is consumed.
> If copy_user_large_folio() subsequently fails (e.g. -EHWPOISON when the
> source page is hwpoisoned), folio_put() restores the global hugetlb pool
> count through free_huge_folio(), but the per-VMA reservation map entry
> is left marked consumed.
>
> User-visible effect: on a UFFDIO_COPY into a private hugetlb VMA where
> the resubmission path's copy fails, the reservation for that address is
> leaked from the VMA's reserve map. A subsequent fault at the same
> address takes the no-reservation path, and under hugetlb pool pressure
> the task is SIGBUSed at an address it had previously reserved. One map
> entry is leaked per occurrence.
>
> Add the missing restore_reserve_on_error() call before folio_put(),
> matching the first-attempt error path which already handles this
> correctly.
>
> Fixes: 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage copy-on-write faults")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: David Carlier <devnexen@xxxxxxxxx>
> ---
> v2:
> - Add user-visible effects paragraph in changelog (per akpm,
> required for Cc: stable).
> - Correct Fixes: tag to 1cb9dc4b475c (per Muchun) -- the failing
> arm only exists since copy_user_large_folio() became int-returning.
>
> Andrew, please drop the v1 currently queued as 270157aef0d1 in
> mm-unstable.
>
> v1: https://lore.kernel.org/all/20260322052120.14021-1-devnexen@xxxxxxxxx/
>
> mm/hugetlb.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
> index 4b80b167cc9c..c6dee98840db 100644
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -6270,6 +6270,7 @@ int hugetlb_mfill_atomic_pte(pte_t *dst_pte,
> folio_put(*foliop);
> * foliop = NULL;
> if (ret) {
> + restore_reserve_on_error(h, dst_vma, dst_addr, folio);

I think you should fix the same problem in copy_hugetlb_page_range()
within this patch as well since both are introduced by the same commit.

Muchun,
Thanks.

> folio_put(folio);
> goto out;
> }
> --
> 2.53.0
>