From: Mike Rapoport <rppt@kernel.org>
To: David Carlier <devnexen@gmail.com>
Cc: Peter Xu <peterx@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Lorenzo Stoakes <ljs@kernel.org>
Subject: Re: [PATCH v2] mm/userfaultfd: detect VMA replacement after copy retry in mfill_copy_folio_retry()
Date: Tue, 31 Mar 2026 14:56:34 +0300
Message-ID: <acu2cpUBS0ahkgkx@kernel.org>
In-Reply-To: <20260330202909.136776-1-devnexen@gmail.com>
(added VMA folks)
Hi,
On Mon, Mar 30, 2026 at 09:29:09PM +0100, David Carlier wrote:
> In mfill_copy_folio_retry(), all locks are dropped to retry
> copy_from_user() with page faults enabled. During this window, the VMA
> can be replaced entirely (e.g. munmap + mmap + UFFDIO_REGISTER by
> another thread), but the caller proceeds with a folio allocated from the
> original VMA's backing store.
Is it possible at all that after all that dance the vma pointer will remain the
same?
> Checking ops alone is insufficient: the replacement VMA could be the
> same type (e.g. shmem -> shmem) with identical flags but a different
> backing inode. Take a snapshot of the VMA's inode and flags before
> dropping locks, and compare after re-acquiring them. If anything
> changed, bail out with -EAGAIN.
>
> Suggested-by: Peter Xu <peterx@redhat.com>
> Signed-off-by: David Carlier <devnexen@gmail.com>
Sashiko has comments and they seem quite relevant to me:
https://sashiko.dev/#/patchset/20260330214948.148349-1-devnexen%40gmail.com
> ---
> mm/userfaultfd.c | 64 ++++++++++++++++++++++++++++++++++++++++++------
> 1 file changed, 57 insertions(+), 7 deletions(-)
...
> + if (vma_snapshot_changed(state->vma, &s)) {
> + err = -EAGAIN;
Whatever we do to verify the VMA, this should not be EAGAIN. EINVAL or ENOENT,
like mfill_get_vma() returns, seem more appropriate.
> + goto out;
> + }
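Review bot: the vma_snapshot_changed() check in this hunk has no comment saying what a mismatch means, and the error it sets tells the caller to retry; per the commit message a mismatch means the VMA was replaced by another thread while the locks were dropped, so the folio already allocated belongs to the old mapping and retrying the same operation cannot succeed against it. Suggest a short comment above the check such as `/* VMA replaced while locks were dropped; the folio we hold belongs to the old mapping */`, and a kernel-doc line on vma_snapshot_changed() naming the fields it compares (the inode and flags mentioned in the commit message) so that a reader of the caller knows which changes are and are not detected.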
--
Sincerely yours,
Mike.