From: "Denis M. Karpov" <komlomal@gmail.com>
To: rppt@kernel.org, akpm@linux-foundation.org,
Liam.Howlett@oracle.com, ljs@kernel.org
Cc: vbabka@kernel.org, jannh@google.com, peterx@redhat.com,
pfalcato@suse.de, brauner@kernel.org, viro@zeniv.linux.org.uk,
jack@suse.cz, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org,
"Denis M . Karpov" <komlomal@gmail.com>
Subject: [RFC PATCH] userfaultfd: allow registration of ranges below mmap_min_addr
Date: Tue, 7 Apr 2026 11:14:42 +0300 [thread overview]
Message-ID: <20260407081442.6256-1-komlomal@gmail.com> (raw)
The current implementation of validate_range() in fs/userfaultfd.c
performs a hard check against mmap_min_addr without considering
capabilities, but the mmap() syscall uses security_mmap_addr()
which allows privileged processes (with CAP_SYS_RAWIO) to map below
mmap_min_addr. Furthermore, security_mmap_addr()->cap_mmap_addr() uses
dac_mmap_min_addr variable which can be changed with
/proc/sys/vm/mmap_min_addr.
Because userfaultfd uses a different check, UFFDIO_REGISTER may fail
with -EINVAL for valid memory areas that were successfully mapped
below mmap_min_addr even with appropriate capabilities.
This prevents apps like binary compilers from using UFFD for valid memory
regions mapped by application.
Replace the rigid mmap_min_addr check with security_mmap_addr() to align
userfaultfd with the standard kernel memory mapping security policy.
Signed-off-by: Denis M. Karpov <komlomal@gmail.com>
---
Initial RFC following the discussion on the [BUG] thread.
Link: https://lore.kernel.org/all/CADtiZd0tWysx5HMCUnOXfSHB7PXAuXg1Mh4eY_hUmH29S=sejg@mail.gmail.com/
---
fs/userfaultfd.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index bdc84e521..dbfe5b2a0 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1238,15 +1238,13 @@ static __always_inline int validate_unaligned_range(
return -EINVAL;
if (!len)
return -EINVAL;
- if (start < mmap_min_addr)
- return -EINVAL;
if (start >= task_size)
return -EINVAL;
if (len > task_size - start)
return -EINVAL;
if (start + len <= start)
return -EINVAL;
- return 0;
+ return security_mmap_addr(start);
}
static __always_inline int validate_range(struct mm_struct *mm,
--
2.47.3
next reply other threads:[~2026-04-07 8:15 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-07 8:14 Denis M. Karpov [this message]
2026-04-08 3:21 ` [RFC PATCH] userfaultfd: allow registration of ranges below mmap_min_addr Harry Yoo (Oracle)
2026-04-08 8:09 ` Denis M. Karpov
2026-04-09 2:51 ` Harry Yoo (Oracle)
2026-04-09 7:58 ` Lorenzo Stoakes
2026-04-08 12:36 ` Usama Arif
2026-04-09 8:01 ` Lorenzo Stoakes
2026-04-09 9:05 ` Denis M. Karpov
2026-04-09 10:52 ` Usama Arif
2026-05-05 10:10 ` Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260407081442.6256-1-komlomal@gmail.com \
--to=komlomal@gmail.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=ljs@kernel.org \
--cc=peterx@redhat.com \
--cc=pfalcato@suse.de \
--cc=rppt@kernel.org \
--cc=vbabka@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.