From: sashiko-bot@kernel.org
To: "Kiryl Shutsemau" <kirill@shutemov.name>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v5 03/18] userfaultfd: gate must_wait writability check on pte_present()
Date: Tue, 26 May 2026 13:44:07 +0000 [thread overview]
Message-ID: <20260526134407.92F481F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260526130509.2748441-4-kirill@shutemov.name>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] userfaultfd_must_wait() and userfaultfd_huge_must_wait() cause a thread to sleep infinitely if it encounters a poison marker.
--
commit bd3d83c0669b044a367277284d21f8c9e82fd131
Author: Kiryl Shutsemau (Meta) <kas@kernel.org>
userfaultfd: gate must_wait writability check on pte_present()
This commit gates the writability checks in userfaultfd_must_wait() and
userfaultfd_huge_must_wait() on pte_present() to avoid incorrectly
evaluating random offset bits from swap or migration entries as present
PTE flags.
Cc: stable@vger.kernel.org
> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> index 35b206cc9aa6f..f6d2a1c67019e 100644
> --- a/mm/userfaultfd.c
> +++ b/mm/userfaultfd.c
> @@ -2535,6 +2535,15 @@ static inline bool userfaultfd_huge_must_wait(struct userfaultfd_ctx *ctx,
> /* UFFD PTE markers require userspace to resolve the fault. */
> if (pte_is_uffd_marker(pte))
> return true;
[Severity: High]
This is a pre-existing issue, but does this logic cause a thread to sleep
infinitely if it encounters a poison marker?
When a missing fault is resolved by userspace using UFFDIO_POISON, a
PTE_MARKER_POISONED swap entry is installed and the waitqueue is woken up.
If the faulting thread is preempted and misses this wakeup (i.e., it is not
yet on the waitqueue), it will later add itself to the waitqueue and call
userfaultfd_huge_must_wait() to check if the fault was resolved.
Because pte_is_uffd_marker() returns true for poison markers, this
returns true and the thread stays asleep indefinitely. Shouldn't this return
false for poison markers so the thread can retry the fault and receive
a VM_FAULT_HWPOISON -> SIGBUS?
> + /*
> + * Concurrent migration may have replaced the present PTE with a
> + * non-marker swap entry between fault delivery and this lockless
[ ... ]
> @@ -2621,6 +2630,17 @@ static inline bool userfaultfd_must_wait(struct userfaultfd_ctx *ctx,
> /* UFFD PTE markers require userspace to resolve the fault. */
> if (pte_is_uffd_marker(ptent))
> goto out;
[Severity: High]
This is a pre-existing issue, but similarly here, does returning true via
the goto out for a poison marker cause an indefinite hang if the thread
missed the UFFDIO_POISON wakeup?
> + /*
> + * Concurrent swap-out / migration may have replaced the present PTE
> + * with a non-marker swap entry between fault delivery and this
> + * lockless re-check. pte_write() on a swap entry decodes random
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260526130509.2748441-1-kirill@shutemov.name?part=3
next prev parent reply other threads:[~2026-05-26 13:44 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-26 13:04 [PATCH v5 00/18] userfaultfd: working set tracking for VM guest memory Kiryl Shutsemau
2026-05-26 13:04 ` [PATCH v5 01/18] fs/proc/task_mmu: fix make_uffd_wp_huge_pte() prot-update race Kiryl Shutsemau
2026-05-26 13:46 ` sashiko-bot
2026-05-26 13:04 ` [PATCH v5 02/18] mm/huge_memory: preserve pmd_swp_uffd_wp on device-private PMD downgrade Kiryl Shutsemau
2026-05-26 13:43 ` sashiko-bot
2026-05-26 13:04 ` [PATCH v5 03/18] userfaultfd: gate must_wait writability check on pte_present() Kiryl Shutsemau
2026-05-26 13:44 ` sashiko-bot [this message]
2026-05-26 13:04 ` [PATCH v5 04/18] mm: skip out-of-range bits in mk_vma_flags() Kiryl Shutsemau
2026-05-29 14:00 ` Lorenzo Stoakes
2026-05-29 16:09 ` Kiryl Shutsemau
2026-06-01 9:37 ` Lorenzo Stoakes
2026-05-30 16:52 ` Mike Rapoport
2026-06-01 7:42 ` Lorenzo Stoakes
2026-05-26 13:04 ` [PATCH v5 05/18] mm: decouple protnone helpers from CONFIG_NUMA_BALANCING Kiryl Shutsemau
2026-05-26 13:04 ` [PATCH v5 06/18] mm: rename uffd-wp PTE bit macros to uffd Kiryl Shutsemau
2026-05-26 13:04 ` [PATCH v5 07/18] mm: rename uffd-wp PTE accessors " Kiryl Shutsemau
2026-05-26 13:29 ` sashiko-bot
2026-05-26 13:04 ` [PATCH v5 08/18] mm: add VM_UFFD_RWP VMA flag Kiryl Shutsemau
2026-05-26 14:37 ` sashiko-bot
2026-05-29 7:24 ` Lorenzo Stoakes
2026-05-29 13:07 ` Kiryl Shutsemau
2026-05-29 14:00 ` Lorenzo Stoakes
2026-05-26 13:04 ` [PATCH v5 09/18] mm: add MM_CP_UFFD_RWP change_protection() flag Kiryl Shutsemau
2026-05-26 14:07 ` sashiko-bot
2026-05-29 1:19 ` SeongJae Park
2026-05-26 13:04 ` [PATCH v5 10/18] mm: preserve RWP marker across PTE rewrites Kiryl Shutsemau
2026-05-26 14:15 ` sashiko-bot
2026-05-26 13:04 ` [PATCH v5 11/18] mm: handle VM_UFFD_RWP in khugepaged, rmap, and GUP Kiryl Shutsemau
2026-05-26 15:04 ` sashiko-bot
2026-05-26 13:05 ` [PATCH v5 12/18] userfaultfd: add UFFDIO_REGISTER_MODE_RWP and UFFDIO_RWPROTECT plumbing Kiryl Shutsemau
2026-05-26 14:45 ` sashiko-bot
2026-05-26 13:05 ` [PATCH v5 13/18] mm/userfaultfd: add RWP fault delivery and expose UFFDIO_REGISTER_MODE_RWP Kiryl Shutsemau
2026-05-26 14:33 ` sashiko-bot
2026-05-26 13:05 ` [PATCH v5 14/18] mm/pagemap: add PAGE_IS_ACCESSED for RWP tracking Kiryl Shutsemau
2026-05-26 14:37 ` sashiko-bot
2026-05-26 13:05 ` [PATCH v5 15/18] userfaultfd: add UFFD_FEATURE_RWP_ASYNC for async fault resolution Kiryl Shutsemau
2026-05-26 13:05 ` [PATCH v5 16/18] userfaultfd: add UFFDIO_SET_MODE for runtime sync/async toggle Kiryl Shutsemau
2026-05-26 15:07 ` sashiko-bot
2026-05-26 13:05 ` [PATCH v5 17/18] selftests/mm: add userfaultfd RWP tests Kiryl Shutsemau
2026-05-26 13:05 ` [PATCH v5 18/18] Documentation/userfaultfd: document RWP working set tracking Kiryl Shutsemau
2026-05-26 14:51 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260526134407.92F481F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kirill@shutemov.name \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox