hugetlb: fix hugetlb cgroup refcounting during mremap

minhbq-99 · torvalds · commit afe041c2d0fe · 2021-11-20T10:35:54.000-08:00
When hugetlb_vm_op_open() is called during copy_vma(), we may take the reference to resv_map->css. Later, when clearing the reservation pointer of old_vma after transferring it to new_vma, we forget to drop the reference to resv_map->css. This leads to a reference leak of css. Fixes this by adding a check to drop reservation css reference in clear_vma_resv_huge_pages() Link: https://lkml.kernel.org/r/20211113154412.91134-1-minhquangbui99@gmail.com Fixes: 550a7d6 ("mm, hugepages: add mremap() support for hugepage backed vma") Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com> Reviewed-by: Mina Almasry <almasrymina@google.com> Cc: Miaohe Lin <linmiaohe@huawei.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Muchun Song <songmuchun@bytedance.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
diff --git a/include/linux/hugetlb_cgroup.h b/include/linux/hugetlb_cgroup.h
@@ -128,6 +128,13 @@ static inline void resv_map_dup_hugetlb_cgroup_uncharge_info(
 		css_get(resv_map->css);
 }
 
+static inline void resv_map_put_hugetlb_cgroup_uncharge_info(
+						struct resv_map *resv_map)
+{
+	if (resv_map->css)
+		css_put(resv_map->css);
+}
+
 extern int hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,
 					struct hugetlb_cgroup **ptr);
 extern int hugetlb_cgroup_charge_cgroup_rsvd(int idx, unsigned long nr_pages,
@@ -211,6 +218,11 @@ static inline void resv_map_dup_hugetlb_cgroup_uncharge_info(
 {
 }
 
+static inline void resv_map_put_hugetlb_cgroup_uncharge_info(
+						struct resv_map *resv_map)
+{
+}
+
 static inline int hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,
 					       struct hugetlb_cgroup **ptr)
 {
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
@@ -1037,8 +1037,10 @@ void clear_vma_resv_huge_pages(struct vm_area_struct *vma)
 	 */
 	struct resv_map *reservations = vma_resv_map(vma);
 
-	if (reservations && is_vma_resv_set(vma, HPAGE_RESV_OWNER))
+	if (reservations && is_vma_resv_set(vma, HPAGE_RESV_OWNER)) {
+		resv_map_put_hugetlb_cgroup_uncharge_info(reservations);
 		kref_put(&reservations->refs, resv_map_release);
+	}
 
 	reset_vma_resv_huge_pages(vma);
 }

Original file line number	Diff line number	Diff line change
`@@ -128,6 +128,13 @@ static inline void resv_map_dup_hugetlb_cgroup_uncharge_info(`
`128`	`128`	`css_get(resv_map->css);`
`129`	`129`	`}`
`130`	`130`
	`131`	`+static inline void resv_map_put_hugetlb_cgroup_uncharge_info(`
	`132`	`+ struct resv_map *resv_map)`
	`133`	`+{`
	`134`	`+ if (resv_map->css)`
	`135`	`+ css_put(resv_map->css);`
	`136`	`+}`
	`137`	`+`
`131`	`138`	`extern int hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,`
`132`	`139`	`struct hugetlb_cgroup **ptr);`
`133`	`140`	`extern int hugetlb_cgroup_charge_cgroup_rsvd(int idx, unsigned long nr_pages,`
`@@ -211,6 +218,11 @@ static inline void resv_map_dup_hugetlb_cgroup_uncharge_info(`
`211`	`218`	`{`
`212`	`219`	`}`
`213`	`220`
	`221`	`+static inline void resv_map_put_hugetlb_cgroup_uncharge_info(`
	`222`	`+ struct resv_map *resv_map)`
	`223`	`+{`
	`224`	`+}`
	`225`	`+`
`214`	`226`	`static inline int hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,`
`215`	`227`	`struct hugetlb_cgroup **ptr)`
`216`	`228`	`{`