From: syzbot <syzbot+e24a2e34fad0efbac047@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] mm/userfaultfd: re-validate vma in mfill_atomic() loop under CONFIG_PER_VMA_LOCK
Date: Sun, 15 Mar 2026 19:02:18 -0700 [thread overview]
Message-ID: <69b764aa.a00a0220.3b25d1.0020.GAE@google.com> (raw)
In-Reply-To: <69b703e6.050a0220.248e02.0101.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] mm/userfaultfd: re-validate vma in mfill_atomic() loop under CONFIG_PER_VMA_LOCK
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Under CONFIG_PER_VMA_LOCK, mfill_atomic() holds only a per-VMA read
lock (vma_start_read) across its page-by-page copy loop. Unlike
mmap_read_lock, this does not prevent a concurrent mmap_write_lock()
from splitting the vma mid-loop via UFFDIO_UNREGISTER.

When the vma is split, vm_end of state.vma is shrunk in place. On the
next iteration, mfill_atomic_install_pte() calls folio_add_new_anon_rmap()
with state.dst_addr >= vma->vm_end, triggering the sanity check:

address < vma->vm_start || address + (nr << 12) > vma->vm_end

WARNING: mm/rmap.c:1682 folio_add_new_anon_rmap+0x5fe/0x14b0

Fix this by checking on each loop iteration whether state.dst_addr
has fallen outside state.vma. If so, release the stale vma, update
dst_start and len to reflect the current position, and re-lookup the
vma via mfill_get_vma().
Reported-by: syzbot+e24a2e34fad0efbac047@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e24a2e34fad0efbac047
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
mm/userfaultfd.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 9ffc80d0a51b..519be02fad38 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -910,8 +910,17 @@ static __always_inline ssize_t mfill_atomic(struct userfaultfd_ctx *ctx,
while (state.src_addr < src_start + len) {
VM_WARN_ON_ONCE(state.dst_addr >= dst_start + len);
+ if (state.dst_addr < state.vma->vm_start ||
+ state.dst_addr >= state.vma->vm_end) {
+ mfill_put_vma(&state);
+ state.dst_start = state.dst_addr;
+ state.len = dst_start + len - state.dst_addr;
+ err = mfill_get_vma(&state);
+ if (err)
+ break;
+ }
- err = mfill_get_pmd(&state);
+ err = mfill_get_pmd(&state);
if (err)
break;
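Review bot: the new range check ahead of mfill_get_pmd() is a point-in-time test, and the commit message itself states that the per-VMA read lock does not exclude a concurrent split; if that holds, state.vma can still shrink between this check and mfill_atomic_install_pte() later in the same iteration, so the window is narrowed rather than closed. The patch should say (in the message or in a comment above the `if`) what keeps the vma returned by mfill_get_vma() stable for the remainder of the iteration, or the check needs to be done while the vma cannot change. Two smaller points on the same hunk: after the re-lookup the loop keeps using the function-local `dst_start + len` in the VM_WARN_ON_ONCE while state.dst_start/state.len now describe only the remaining range, which is consistent here only because `state.len = dst_start + len - state.dst_addr` preserves the end address, so a one-line comment noting that invariant would help; and the check tests only state.dst_addr, which is sufficient for the single-page anon path because both dst_addr and vm_end are page aligned, but that reasoning is worth stating since the triggering warning also covers `address + (nr << 12)`.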
--
2.43.0
Thread overview: 6+ messages
2026-03-15 19:09 [syzbot] [mm?] WARNING in folio_add_new_anon_rmap syzbot
2026-03-16 2:02 ` syzbot [this message]
2026-03-16 5:11 ` Forwarded: [PATCH] mm/userfaultfd: validate dst_addr after re-acquiring VMA lock in mfill_copy_folio_retry syzbot
2026-03-16 6:19 ` [syzbot] [mm?] WARNING in folio_add_new_anon_rmap Harry Yoo
2026-03-16 6:58 ` syzbot
2026-03-16 11:01 ` Mike Rapoport