| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260211004449.3731199-1-usama.arif@linux.dev>
Date: Tue, 10 Feb 2026 16:44:44 -0800
From: Usama Arif <usama.arif@...ux.dev>
To: Joshua Hahn <joshua.hahnjy@...il.com>
Cc: Usama Arif <usama.arif@...ux.dev>,
Andrew Morton <akpm@...ux-foundation.org>,
David Hildenbrand <david@...nel.org>,
Muchun Song <muchun.song@...ux.dev>,
Oscar Salvador <osalvador@...e.de>,
Wupeng Ma <mawupeng1@...wei.com>,
linux-kernel@...r.kernel.org,
linux-mm@...ck.org,
stable@...r.kernel.org,
kernel-team@...a.com
Subject: Re: [PATCH v2] mm/hugetlb: Restore failed global reservations to subpool
On Fri, 16 Jan 2026 15:40:36 -0500 Joshua Hahn <joshua.hahnjy@...il.com> wrote:
> Commit a833a693a490 ("mm: hugetlb: fix incorrect fallback for subpool")
> fixed an underflow error for hstate->resv_huge_pages caused by
> incorrectly attributing globally requested pages to the subpool's
> reservation.
>
> Unfortunately, this fix also introduced the opposite problem, which would
> leave spool->used_hpages elevated if the globally requested pages could
> not be acquired. This is because while a subpool's reserve pages only
> accounts for what is requested and allocated from the subpool, its
> "used" counter keeps track of what is consumed in total, both from the
> subpool and globally. Thus, we need to adjust spool->used_hpages in the
> other direction, and make sure that globally requested pages are
> uncharged from the subpool's used counter.
>
> Each failed allocation attempt increments the used_hpages counter by
> how many pages were requested from the global pool. Ultimately, this
> renders the subpool unusable, as used_hpages approaches the max limit.
>
> The issue can be reproduced as follows:
> 1. Allocate 4 hugetlb pages
> 2. Create a hugetlb mount with max=4, min=2
> 3. Consume 2 pages globally
> 4. Request 3 pages from the subpool (2 from subpool + 1 from global)
> 4.1 hugepage_subpool_get_pages(spool, 3) succeeds.
> used_hpages += 3
> 4.2 hugetlb_acct_memory(h, 1) fails: no global pages left
> used_hpages -= 2
> 5. Subpool now has used_hpages = 1, despite not being able to
> successfully allocate any hugepages. It believes it can now only
> allocate 3 more hugepages, not 4.
>
> Repeating this process will ultimately render the subpool unable to
> allocate any hugepages, since it believes that it is using the maximum
> number of hugepages that the subpool has been allotted.
>
> The underflow issue that the original commit fixes still remains fixed
> as well.
>
> Fixes: a833a693a490 ("mm: hugetlb: fix incorrect fallback for subpool")
> Signed-off-by: Joshua Hahn <joshua.hahnjy@...il.com>
> Cc: stable@...r.kernel.org
> ---
> v1 --> v2
> - Moved "unsigned long flags" definition into the if statement it is used in
> - Separated fix patch from cleanup patches for easier backporting for stable.
>
> mm/hugetlb.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
Makes sense. Without this, used_hpages would keep on leaking if
hugetlb_acct_memory fails.
Acked-by: Usama Arif <usama.arif@...ux.dev>
>
> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
> index 5a147026633f..e48ff0c771f8 100644
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -6713,6 +6713,15 @@ long hugetlb_reserve_pages(struct inode *inode,
> */
> hugetlb_acct_memory(h, -gbl_resv);
> }
> + /* Restore used_hpages for pages that failed global reservation */
> + if (gbl_reserve && spool) {
> + unsigned long flags;
> +
> + spin_lock_irqsave(&spool->lock, flags);
> + if (spool->max_hpages != -1)
> + spool->used_hpages -= gbl_reserve;
> + unlock_or_release_subpool(spool, flags);
> + }
> out_uncharge_cgroup:
> hugetlb_cgroup_uncharge_cgroup_rsvd(hstate_index(h),
> chg * pages_per_huge_page(h), h_cg);
>
> base-commit: c1a60bf0f6df5c8a6cb6840a0d2fb0e9caf9f7cc
> --
> 2.47.3
>
Powered by blists - more mailing lists