From: "Lorenzo Stoakes (Oracle)" <ljs@kernel.org>
To: Mike Rapoport <rppt@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
David Carlier <devnexen@gmail.com>, Peter Xu <peterx@redhat.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@kernel.org>
Subject: Re: [PATCH v4] mm/userfaultfd: detect VMA replacement after copy retry in mfill_copy_folio_retry()
Date: Tue, 7 Apr 2026 11:17:40 +0100 [thread overview]
Message-ID: <adTZf_Du8vTnTGGO@lucifer> (raw)
In-Reply-To: <aczOCqrCx7Xd5HIF@kernel.org>
On Wed, Apr 01, 2026 at 10:49:30AM +0300, Mike Rapoport wrote:
> Hi Andrew,
>
> On Tue, Mar 31, 2026 at 08:01:48PM -0700, Andrew Morton wrote:
> > On Tue, 31 Mar 2026 14:41:58 +0100 David Carlier <devnexen@gmail.com> wrote:
> >
> > > In mfill_copy_folio_retry(), all locks are dropped to retry
> > > copy_from_user() with page faults enabled. During this window, the VMA
> > > can be replaced entirely (e.g. munmap + mmap + UFFDIO_REGISTER by
> > > another thread), but the caller proceeds with a folio allocated from the
> > > original VMA's backing store.
>
> What does "folio allocated from the original VMA's backing store" exactly
> mean? Why is this a problem?
>
> > > Checking ops alone is insufficient: the replacement VMA could be the
> > > same type (e.g. shmem -> shmem) with identical flags but a different
> > > backing inode. Take a snapshot of the VMA's file and flags before
> > > dropping locks, and compare after re-acquiring them. If anything
> > > changed, bail out with -EINVAL.
> > >
> > > Use get_file()/fput() rather than ihold()/iput() to hold the file
> > > reference across the lock-dropped window, avoiding potential deadlocks
> > > from filesystem eviction under mmap_lock.
> >
> > Thanks, I've queued this as a squashable fix against mm-unstable's
> > "shmem, userfaultfd: implement shmem uffd operations using vm_uffd_ops
> > ongoing".
>
> First, this a pre-existing and TBH quite theoretical bug and it was there
> since the very beginning, so it should not be added as a fixup for the
> uffd+guestmemfd series.
>
> Second, I have reservations about vma_snapshot implementation. What
> invariant does it exactly enforce?
Yeah me too.
Unfortunately my bandwidth is a bit limited at the moment, but if you're
comparing VMAs like this it seems something is fundamentally broken.
We should definitely at least delay this until next cycle for consideration I
think until we can figure out a sensible approach.
>
> > I've fumbled the ball on your [2/2] unlikely() fix ;). Please resend that
> > after -rc1.
>
> This one should go the same route IMO.
Agreed, let's delay until next cycle please.
>
> --
> Sincerely yours,
> Mike.
Thanks, Lorenzo
prev parent reply other threads:[~2026-04-07 10:17 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-31 13:41 [PATCH v4] mm/userfaultfd: detect VMA replacement after copy retry in mfill_copy_folio_retry() David Carlier
2026-04-01 3:01 ` Andrew Morton
2026-04-01 7:49 ` Mike Rapoport
2026-04-01 8:06 ` David CARLIER
2026-04-01 15:23 ` Peter Xu
2026-04-01 18:34 ` David CARLIER
2026-04-01 19:22 ` Peter Xu
2026-04-01 20:05 ` David CARLIER
2026-04-02 4:02 ` Mike Rapoport
2026-04-02 5:59 ` David CARLIER
2026-04-02 13:29 ` Peter Xu
2026-04-09 11:20 ` Mike Rapoport
2026-04-10 15:10 ` Peter Xu
2026-04-02 3:58 ` Mike Rapoport
2026-04-02 13:42 ` Peter Xu
2026-04-09 11:31 ` Mike Rapoport
2026-04-10 15:26 ` Peter Xu
2026-04-12 15:46 ` Mike Rapoport
2026-04-13 12:53 ` Peter Xu
2026-04-07 10:17 ` Lorenzo Stoakes (Oracle) [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adTZf_Du8vTnTGGO@lucifer \
--to=ljs@kernel.org \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=devnexen@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peterx@redhat.com \
--cc=rppt@kernel.org \
--cc=vbabka@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.