Re: [PATCH v2 4/15] userfaultfd: introduce mfill_get_vma() and mfill_put_vma()

[Harry Yoo <harry.yoo@oracle.com>]

[Adding missing mailing lists to Cc that I omitted by mistake]

On Mon, Mar 16, 2026 at 04:45:24PM +0900, Harry Yoo wrote:
> On Fri, Mar 06, 2026 at 07:18:04PM +0200, Mike Rapoport (Microsoft) wrote:
> > Split the code that finds, locks and verifies VMA from mfill_atomic()
> > into a helper function.
> > 
> > This function will be used later during refactoring of
> > mfill_atomic_pte_copy().
> > 
> > Add a counterpart mfill_put_vma() helper that unlocks the VMA and
> > releases map_changing_lock.
> > 
> > Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
> > Signed-off-by: Peter Xu <peterx@redhat.com>
> > ---
> 
> Apparently this patch seems to have two issues...
> Fortunately, it did not land mainline yet and can be addressed.
> 
> Deepanshu and Edward sent fixes, but it should be fixed
> as part of v3 (if Mike plans to do so) or as a fix-up on patch 4.
> 
> Please keep in mind that my understanding of this patchset is limited.
> I'm just doing some mechanical analysis.
> 
> >  mm/userfaultfd.c | 124 ++++++++++++++++++++++++++++-------------------
> >  1 file changed, 73 insertions(+), 51 deletions(-)
> > 
> > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > index 224b55804f99..baff11e83101 100644
> > --- a/mm/userfaultfd.c
> > +++ b/mm/userfaultfd.c
> > @@ -157,6 +157,73 @@ static void uffd_mfill_unlock(struct vm_area_struct *vma)
> >  }
> >  #endif
> >  
> > +static void mfill_put_vma(struct mfill_state *state)
> > +{
> > +	up_read(&state->ctx->map_changing_lock);
> > +	uffd_mfill_unlock(state->vma);
> > +	state->vma = NULL;
> > +}
> > +
> > +static int mfill_get_vma(struct mfill_state *state)
> > +{
> > +	struct userfaultfd_ctx *ctx = state->ctx;
> > +	uffd_flags_t flags = state->flags;
> > +	struct vm_area_struct *dst_vma;
> > +	int err;
> > +
> > +	/*
> > +	 * Make sure the vma is not shared, that the dst range is
> > +	 * both valid and fully within a single existing vma.
> > +	 */
> > +	dst_vma = uffd_mfill_lock(ctx->mm, state->dst_start, state->len);
> > +	if (IS_ERR(dst_vma))
> > +		return PTR_ERR(dst_vma);
> 
> state->len is always initialized to zero in patch 2.
> syzbot triggered a warning in folio_add_new_anon_rmap(),
> which appears to be due to failing to verify the range
> in uffd_mfill_lock() (at least syzbot says it's fixed [1]).
> 
> [1] https://lore.kernel.org/linux-mm/69b7a9fd.a00a0220.3b25d1.0023.GAE@google.com
> 
> It seems there's another attempt to fix the syzbot report from
> Deepanshu Kartikey [2], which I didn't take a deeper look.
> 
> At first look [2] looks a bit wrong way to fix to me though,
> because it allows operating only on a single VMA nothing should really split
> or shrink the VMA if somebody is holding the VMA lock in read mode
> (and the validation of the range is done while holding the lock).
> 
> [2] https://lore.kernel.org/linux-mm/20260316070039.549506-1-kartikey406@gmail.com
> 
> > +	/*
> > +	 * If memory mappings are changing because of non-cooperative
> > +	 * operation (e.g. mremap) running in parallel, bail out and
> > +	 * request the user to retry later
> > +	 */
> > +	down_read(&ctx->map_changing_lock);
> > +	err = -EAGAIN;
> > +	if (atomic_read(&ctx->mmap_changing))
> > +		goto out_unlock;
> > +
> > +	err = -EINVAL;
> > +
> > +	/*
> > +	 * shmem_zero_setup is invoked in mmap for MAP_ANONYMOUS|MAP_SHARED but
> > +	 * it will overwrite vm_ops, so vma_is_anonymous must return false.
> > +	 */
> > +	if (WARN_ON_ONCE(vma_is_anonymous(dst_vma) &&
> > +	    dst_vma->vm_flags & VM_SHARED))
> > +		goto out_unlock;
> > +
> > +	/*
> > +	 * validate 'mode' now that we know the dst_vma: don't allow
> > +	 * a wrprotect copy if the userfaultfd didn't register as WP.
> > +	 */
> > +	if ((flags & MFILL_ATOMIC_WP) && !(dst_vma->vm_flags & VM_UFFD_WP))
> > +		goto out_unlock;
> > +
> > +	if (is_vm_hugetlb_page(dst_vma))
> > +		goto out;
> > +
> > +	if (!vma_is_anonymous(dst_vma) && !vma_is_shmem(dst_vma))
> > +		goto out_unlock;
> > +	if (!vma_is_shmem(dst_vma) &&
> > +	    uffd_flags_mode_is(flags, MFILL_ATOMIC_CONTINUE))
> > +		goto out_unlock;
> 
> In case of error, mfill_put_vma() is supposed to unlock appropriate
> locks but state->vma is not set, so it does nothing.
> 
> Pointed out by Edward Adam Davis [3]
> [3] https://lore.kernel.org/linux-mm/tencent_C43C1BB425D6BA16BB6533FC9E001BC64B08@qq.com
> 
> I think, this should probably be fine in patch 4, but patch 5 adds
> `if (!state->vma) return;`, leading to unreleased locks on error paths.
> 
> > +
> > +out:
> > +	state->vma = dst_vma;
> > +	return 0;
> > +
> > +out_unlock:
> > +	mfill_put_vma(state);
> > +	return err;
> > +}
> > +
> >  static pmd_t *mm_alloc_pmd(struct mm_struct *mm, unsigned long address)
> >  {
> >  	pgd_t *pgd;

-- 
Cheers,
Harry / Hyeonggon