• Ken Chen's avatar
    fix leaky resv_huge_pages when cpuset is in use · ace4bd29
    Ken Chen authored
    The internal hugetlb resv_huge_pages variable can permanently leak nonzero
    value in the error path of hugetlb page fault handler when hugetlb page is
    used in combination of cpuset.  The leaked count can permanently trap N
    number of hugetlb pages in unusable "reserved" state.
    
    Steps to reproduce the bug:
    
      (1) create two cpuset, user1 and user2
      (2) reserve 50 htlb pages in cpuset user1
      (3) attempt to shmget/shmat 50 htlb page inside cpuset user2
      (4) kernel oom the user process in step 3
      (5) ipcrm the shm segment
    
    At this point resv_huge_pages will have a count of 49, even though
    there are no active hugetlbfs file nor hugetlb shared memory segment
    in the system.  The leak is permanent and there is no recovery method
    other than system reboot. The leaked count will hold up all future use
    of that many htlb pages in all cpusets.
    
    The culprit is that the error path of alloc_huge_page() did not
    properly undo the change it made to resv_huge_page, causing
    inconsistent state.
    Signed-off-by: default avatarKen Chen <kenchen@google.com>
    Cc: David Gibson <david@gibson.dropbear.id.au>
    Cc: Adam Litke <agl@us.ibm.com>
    Cc: Martin Bligh <mbligh@google.com>
    Acked-by: default avatarDavid Gibson <dwg@au1.ibm.com>
    Cc: <stable@kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    ace4bd29
hugetlb.c 19.4 KB