In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: restore reservation on error in hugetlb folio copy paths

Two sites in mm/hugetlb.c allocate a hugetlb folio via
alloc_hugetlb_folio() (consuming a VMA reservation) and then call
copy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c
("mm: hwpoison: support recovery from HugePage copy-on-write faults") and
can now fail (e.g.  -EHWPOISON on a hwpoisoned source page).  On the
failure path, folio_put() restores the global hugetlb pool count through
free_huge_folio(), but the per-VMA reservation map entry is left marked
consumed:

  - hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY)
  - copy_hugetlb_page_range() fork-time CoW path when
    hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon
    folio under fork)

User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the
resubmission copy fails, the reservation for that address is leaked from
the VMA's reserve map.  A subsequent fault at the same address takes the
no-reservation path, and under hugetlb pool pressure the task is SIGBUSed
at an address it had previously reserved.  The fork-time CoW path leaks
the same way in the child VMA's reserve map, though it requires the much
rarer combination of pinned hugetlb anon page + hwpoisoned source.

Add the missing restore_reserve_on_error() call before folio_put() on both
error paths.

https://git.kernel.org/stable/c/40c81856e622a9dc59294a90d169ac07ea25b0b0

https://git.kernel.org/stable/c/45e33d43243d71d089af42f5077b8213cee6610f

https://git.kernel.org/stable/c/8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38

https://git.kernel.org/stable/c/c72469ac0f274bde3f0df60a4584e14a123d0aa6

https://git.kernel.org/stable/c/e47bf16af3c45470ea32f2241fa69aefe0dd61bd

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["mm/hugetlb.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"1cb9dc4b475c7418f925ab0c97b6750007d9f52e","lessThan":"8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38","versionType":"git","status":"affected"},{"version":"1cb9dc4b475c7418f925ab0c97b6750007d9f52e","lessThan":"e47bf16af3c45470ea32f2241fa69aefe0dd61bd","versionType":"git","status":"affected"},{"version":"1cb9dc4b475c7418f925ab0c97b6750007d9f52e","lessThan":"c72469ac0f274bde3f0df60a4584e14a123d0aa6","versionType":"git","status":"affected"},{"version":"1cb9dc4b475c7418f925ab0c97b6750007d9f52e","lessThan":"45e33d43243d71d089af42f5077b8213cee6610f","versionType":"git","status":"affected"},{"version":"1cb9dc4b475c7418f925ab0c97b6750007d9f52e","lessThan":"40c81856e622a9dc59294a90d169ac07ea25b0b0","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["mm/hugetlb.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.4","status":"affected"},{"version":"0","lessThan":"6.4","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]