On 12/12/24 07:25, Matthew Wilcox (Oracle) wrote:
> If the caller of vmap() specifies VM_MAP_PUT_PAGES (currently only the
> i915 driver), we will decrement nr_vmalloc_pages and MEMCG_VMALLOC in
> vfree(). These counters are incremented by vmalloc() but not by vmap()
> so this will cause an underflow. Check the VM_MAP_PUT_PAGES flag before
> decrementing either counter.
>
> Fixes: b944afc9d64d (mm: add a VM_MAP_PUT_PAGES flag for vmap)
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx>
> Acked-by: Johannes Weiner <hannes@xxxxxxxxxxx>
> ---
> mm/vmalloc.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/mm/vmalloc.c b/mm/vmalloc.c
> index f009b21705c1..5c88d0e90c20 100644
> --- a/mm/vmalloc.c
> +++ b/mm/vmalloc.c
> @@ -3374,7 +3374,8 @@ void vfree(const void *addr)
>  		struct page *page = vm->pages[i];
>
>  		BUG_ON(!page);
> -		mod_memcg_page_state(page, MEMCG_VMALLOC, -1);
> +		if (!(vm->flags & VM_MAP_PUT_PAGES))
> +			mod_memcg_page_state(page, MEMCG_VMALLOC, -1);
>  		/*
>  		 * High-order allocs for huge vmallocs are split, so
>  		 * can be freed as an array of order-0 allocations
> @@ -3382,7 +3383,8 @@ void vfree(const void *addr)
>  		__free_page(page);
>  		cond_resched();
>  	}
> -	atomic_long_sub(vm->nr_pages, &nr_vmalloc_pages);
> +	if (!(vm->flags & VM_MAP_PUT_PAGES))
> +		atomic_long_sub(vm->nr_pages, &nr_vmalloc_pages);
>  	kvfree(vm->pages);
>  	kfree(vm);
>  }

I found another user, kunit_iov_vector.c, but even though it uses VM_MAP_PUT_PAGES, it does not call into vfree() (which I need to check for further bugs).

Reviewed-by: Balbir Singh <balbirs@xxxxxxxxxx>
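Review bot: In the first hunk the memcg uncharge is now correctly skipped for VM_MAP_PUT_PAGES mappings, since vmap() never charged those pages to MEMCG_VMALLOC; note that `__free_page(page)` in the following lines stays unconditional, which is consistent with the flag's meaning (vfree still puts the pages). The commit message's "currently only the i915 driver" should be revised, given the kunit_iov_vector.c user Balbir points out below, so that the stable backport rationale reflects all callers.

Review bot: In the second hunk `!(vm->flags & VM_MAP_PUT_PAGES)` is evaluated a second time outside the loop, after being tested on every loop iteration in the first hunk; computing it once into a local (for example `bool charged = !(vm->flags & VM_MAP_PUT_PAGES);` before the loop) and using it at both sites would avoid re-reading vm->flags per page and keep the two counters gated by the same condition if either check is touched later.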