From: Harry Yoo <harry.yoo@oracle.com>
To: Deepanshu Kartikey <kartikey406@gmail.com>
Cc: "Mike Rapoport (Microsoft)" <rppt@kernel.org>,
Andrea Arcangeli <aarcange@redhat.com>,
Axel Rasmussen <axelrasmussen@google.com>,
Baolin Wang <baolin.wang@linux.alibaba.com>,
David Hildenbrand <david@kernel.org>,
Hugh Dickins <hughd@google.com>,
James Houghton <jthoughton@google.com>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
Michal Hocko <mhocko@suse.com>,
Muchun Song <muchun.song@linux.dev>,
Nikita Kalyazin <kalyazin@amazon.com>,
Oscar Salvador <osalvador@suse.de>,
Paolo Bonzini <pbonzini@redhat.com>, Peter Xu <peterx@redhat.com>,
Sean Christopherson <seanjc@google.com>,
Shuah Khan <shuah@kernel.org>,
Suren Baghdasaryan <surenb@google.com>,
Vlastimil Babka <vbabka@suse.cz>,
Edward Adam Davis <eadavis@qq.com>,
kvm@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-mm@kvack.org
Subject: Re: [PATCH v2 4/15] userfaultfd: introduce mfill_get_vma() and mfill_put_vma()
Date: Mon, 16 Mar 2026 17:36:08 +0900 [thread overview]
Message-ID: <abfA-AR--cvpcz5v@hyeyoo> (raw)
In-Reply-To: <CADhLXY5ydBZL5gUQZCJnSTgc=8U0Xhaj_BtvgdBtPSmWh3NTEA@mail.gmail.com>
On Mon, Mar 16, 2026 at 01:35:38PM +0530, Deepanshu Kartikey wrote:
> On Mon, Mar 16, 2026 at 1:19 PM Harry Yoo <harry.yoo@oracle.com> wrote:
> >
> > > It seems there's another attempt to fix the syzbot report from
> > > Deepanshu Kartikey [2], which I didn't take a deeper look.
> > >
> > > At first look [2] looks a bit wrong way to fix to me though,
> > > because it allows operating only on a single VMA nothing should really split
> > > or shrink the VMA if somebody is holding the VMA lock in read mode
> > > (and the validation of the range is done while holding the lock).
> > >
> > > [2] https://lore.kernel.org/linux-mm/20260316070039.549506-1-kartikey406@gmail.com
> > >
>
> Harry,
>
> You are correct that once vm_refcnt > 0, nobody can split the VMA.
> However the split can happen in the race window BEFORE vm_refcnt++
> in vma_start_read(), and CHECK 2 can miss this if mmap_write_unlock()
> completes before CHECK 2 runs.
>
> Here is the exact race:
>
> vma_start_read():
>
> /* CHECK 1 */
> if (READ_ONCE(vma->vm_lock_seq) == READ_ONCE(mm->mm_lock_seq.sequence))
> goto err;
>
> /*
> * RACE WINDOW: vm_refcnt is still 0 here!
> * UFFDIO_UNREGISTER can run:
> *
> * mmap_write_lock() -> mm_lock_seq = 11
> * vma_start_write(vma) -> vm_lock_seq = 11
> * __split_vma() -> vma->vm_end = 0x4ca000
> * mmap_write_unlock() -> mm_lock_seq = 12
> *
> * writer completes entirely before vm_refcnt++!
> */
>
> __refcount_inc_not_zero_limited_acquire(&vma->vm_refcnt, ...);
> /* vm_refcnt = 1 now, but vma->vm_end already modified! */
It is true that vma->vm_end might have changed before acquiring the vma lock,
but it doesn't matter as long as you verify the range after acquiring
the lock, no? (that's what uffd_mfill_lock() does)
You're not really supposed to read vma->vm_end before acquiring
the vma lock and use the value because nothing guarantees that
the VMA is stable until the lock is acquired.
Or am I still missing something?
> /* CHECK 2 */
> if (unlikely(vma->vm_lock_seq == raw_read_seqcount(&mm->mm_lock_seq)))
> /*
> * vm_lock_seq(11) == mm_lock_seq(12)?
> * NO! writer already finished and unlocked!
> * mm_lock_seq incremented to 12 (even=unlocked)
> * CHECK 2 MISSES the race!
> */
> return vma;
> /*
> * returns split vma with vm_end=0x4ca000
> * but vm_refcnt=1 (lock held)
> */
--
Cheers,
Harry / Hyeonggon
next prev parent reply other threads:[~2026-03-16 8:37 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-06 17:18 [PATCH v2 00/15] mm, kvm: allow uffd support in guest_memfd Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 01/15] userfaultfd: introduce mfill_copy_folio_locked() helper Mike Rapoport
2026-03-20 11:58 ` David Hildenbrand (Arm)
2026-03-06 17:18 ` [PATCH v2 02/15] userfaultfd: introduce struct mfill_state Mike Rapoport
2026-03-20 12:43 ` David Hildenbrand (Arm)
2026-03-22 10:03 ` Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 03/15] userfaultfd: introduce mfill_get_pmd() helper Mike Rapoport
2026-03-20 12:55 ` David Hildenbrand (Arm)
2026-03-22 10:22 ` Mike Rapoport
2026-03-30 15:21 ` David Hildenbrand (Arm)
2026-03-06 17:18 ` [PATCH v2 04/15] userfaultfd: introduce mfill_get_vma() and mfill_put_vma() Mike Rapoport
[not found] ` <abe1FHyYinvfLYnw@hyeyoo>
2026-03-16 7:48 ` [PATCH v2 4/15] " Harry Yoo
2026-03-16 8:05 ` Deepanshu Kartikey
2026-03-16 8:36 ` Harry Yoo [this message]
2026-03-16 8:52 ` Deepanshu Kartikey
2026-03-06 17:18 ` [PATCH v2 05/15] userfaultfd: retry copying with locks dropped in mfill_atomic_pte_copy() Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 06/15] userfaultfd: move vma_can_userfault out of line Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 07/15] userfaultfd: introduce vm_uffd_ops Mike Rapoport
2026-03-11 18:49 ` Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 08/15] shmem, userfaultfd: use a VMA callback to handle UFFDIO_CONTINUE Mike Rapoport
2026-03-26 23:43 ` James Houghton
2026-03-27 0:26 ` Andrew Morton
2026-03-27 7:12 ` Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 09/15] userfaultfd: introduce vm_uffd_ops->alloc_folio() Mike Rapoport
2026-03-27 0:07 ` James Houghton
2026-03-27 7:17 ` Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 10/15] shmem, userfaultfd: implement shmem uffd operations using vm_uffd_ops Mike Rapoport
2026-03-27 1:13 ` James Houghton
2026-03-27 7:46 ` Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 11/15] userfaultfd: mfill_atomic(): remove retry logic Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 12/15] mm: generalize handling of userfaults in __do_fault() Mike Rapoport
2026-03-27 1:55 ` James Houghton
2026-03-27 11:31 ` Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 13/15] KVM: guest_memfd: implement userfaultfd operations Mike Rapoport
2026-03-27 2:33 ` James Houghton
2026-03-27 11:47 ` Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 14/15] KVM: selftests: test userfaultfd minor for guest_memfd Mike Rapoport
2026-03-06 17:18 ` [PATCH v2 15/15] KVM: selftests: test userfaultfd missing " Mike Rapoport
2026-03-06 22:21 ` [PATCH v2 00/15] mm, kvm: allow uffd support in guest_memfd Andrew Morton
2026-03-26 23:23 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abfA-AR--cvpcz5v@hyeyoo \
--to=harry.yoo@oracle.com \
--cc=Liam.Howlett@oracle.com \
--cc=aarcange@redhat.com \
--cc=axelrasmussen@google.com \
--cc=baolin.wang@linux.alibaba.com \
--cc=david@kernel.org \
--cc=eadavis@qq.com \
--cc=hughd@google.com \
--cc=jthoughton@google.com \
--cc=kalyazin@amazon.com \
--cc=kartikey406@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mhocko@suse.com \
--cc=muchun.song@linux.dev \
--cc=osalvador@suse.de \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=rppt@kernel.org \
--cc=seanjc@google.com \
--cc=shuah@kernel.org \
--cc=surenb@google.com \
--cc=vbabka@suse.cz \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.