From: Daniil Dulov
To: Andrew Morton
CC: Daniil Dulov, "Liam R. Howlett", Lorenzo Stoakes, Vlastimil Babka, Jann Horn, "Matthew Wilcox (Oracle)"
Subject: [PATCH] mm/vma: Fix hugetlb accounting error in copy_vma()
Date: Mon, 27 Jan 2025 17:32:01 +0300
Message-ID: <20250127143201.45453-1-d.dulov@aladdin.ru>

In copy_vma(), allocation of maple tree nodes may fail. Since page accounting takes place in the close() operation for hugetlb, it is called on the error path against new_vma to account for the pages of the vma that was not successfully copied and that shares the page_counter with the original vma. Then, when the process is being terminated, vm_ops->close() is called once again against the original vma, which results in a page_counter underflow.
page_counter underflow: -1024 nr_pages=1024
WARNING: CPU: 1 PID: 1086 at mm/page_counter.c:55 page_counter_cancel+0xd6/0x130 mm/page_counter.c:55
Modules linked in:
CPU: 1 PID: 1086 Comm: syz-executor200 Not tainted 6.1.108-syzkaller-00078-g9ce77c16947b #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 page_counter_uncharge+0x2e/0x70 mm/page_counter.c:158
 hugetlb_cgroup_uncharge_counter+0xd2/0x420 mm/hugetlb_cgroup.c:430
 hugetlb_vm_op_close+0x435/0x700 mm/hugetlb.c:4886
 remove_vma+0x84/0x130 mm/mmap.c:140
 exit_mmap+0x32f/0x7a0 mm/mmap.c:3249
 __mmput+0x11e/0x430 kernel/fork.c:1199
 mmput+0x61/0x70 kernel/fork.c:1221
 exit_mm kernel/exit.c:565 [inline]
 do_exit+0xa4a/0x2790 kernel/exit.c:858
 do_group_exit+0xd0/0x2a0 kernel/exit.c:1021
 __do_sys_exit_group kernel/exit.c:1032 [inline]
 __se_sys_exit_group kernel/exit.c:1030 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:1030
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Since there is no sense in vm accounting for a bad copy of a vma, set vm_start equal to vm_end and vm_pgoff to 0. Previously, a similar issue was fixed in __split_vma() in the same way [1].

[1]: https://lore.kernel.org/all/20220719201523.3561958-1-Liam.Howlett@oracle.com/T/

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: d4af56c5c7c6 ("mm: start tracking VMAs with maple tree")
Cc: stable@vger.kernel.com
Signed-off-by: Daniil Dulov
---
 mm/vma.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/vma.c b/mm/vma.c
index bb2119e5a0d0..dbc68b7cd0ec 100644
--- a/mm/vma.c
+++ b/mm/vma.c
@@ -1772,6 +1772,9 @@ struct vm_area_struct *copy_vma(struct vm_area_struct= **vmap, return new_vma; =20 out_vma_link: + /* Avoid vm accounting in close() operation */ + new_vma->vm_start =3D new_vma->vm_end; + new_vma->vm_pgoff =3D 0; vma_close(new_vma); =20 if (new_vma->vm_file) --=20 2.34.1
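Review bot: the comment "Avoid vm accounting in close() operation" on the three added lines at out_vma_link does not say why both vm_start and vm_pgoff have to be reset, so a later reader could drop one of them; the trace shows the uncharge coming through hugetlb_vm_op_close() -> hugetlb_cgroup_uncharge_counter(), which derives the range to uncharge from vm_start, vm_end and vm_pgoff, so the comment should spell that out, e.g. "Make the vma empty so hugetlb_vm_op_close() has nothing to uncharge; see __split_vma() for the same trick". Since the same two assignments now live in __split_vma() and copy_vma(), a small shared helper would keep them from drifting apart. The assignments must stay before vma_close(new_vma) as they are here, and the visible context after the call only tests new_vma->vm_file, so nothing on the remainder of the path appears to depend on the original vm_start or vm_pgoff; please confirm that for the rest of the error path not shown in the hunk. Separately, the Cc trailer reads stable@vger.kernel.com while the list addresses in the header use vger.kernel.org.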