Re: [PATCH v3] mm/hugetlb: restore reservation on error in hugetlb folio copy paths

[Muchun Song]

> On May 20, 2026, at 12:49, David Carlier <devnexen@xxxxxxxxx> wrote:
> 
> Two sites in mm/hugetlb.c allocate a hugetlb folio via
> alloc_hugetlb_folio() (consuming a VMA reservation) and then call
> copy_user_large_folio(), which became int-returning in commit
> 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage
> copy-on-write faults") and can now fail (e.g. -EHWPOISON on a
> hwpoisoned source page). On the failure path, folio_put() restores
> the global hugetlb pool count through free_huge_folio(), but the
> per-VMA reservation map entry is left marked consumed:
> 
>  - hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY)
>  - copy_hugetlb_page_range() fork-time CoW path when
>    hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon
>    folio under fork)
> 
> User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where
> the resubmission copy fails, the reservation for that address is
> leaked from the VMA's reserve map. A subsequent fault at the same
> address takes the no-reservation path, and under hugetlb pool
> pressure the task is SIGBUSed at an address it had previously
> reserved. The fork-time CoW path leaks the same way in the child
> VMA's reserve map, though it requires the much rarer combination
> of pinned hugetlb anon page + hwpoisoned source.
> 
> Add the missing restore_reserve_on_error() call before folio_put()
> on both error paths.
> 
> Fixes: 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage copy-on-write faults")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: David Carlier <devnexen@xxxxxxxxx>

Reviewed-by: Muchun Song <muchun.song@xxxxxxxxx>

Thanks.