From: Andrew Morton <akpm@linux-foundation.org>
To: Anindya Roy <anindyaandy1904@gmail.com>
Cc: rppt@kernel.org, david@kernel.org, ljs@kernel.org,
security@kernel.org, linux-mm@kvack.org, lokeshgidra@google.com
Subject: Re: [SECURITY] mm/userfaultfd: cross-inode page cache injection via mfill_copy_folio_retry()
Date: Sat, 2 May 2026 02:40:12 -0700 [thread overview]
Message-ID: <20260502024012.30be89b2549bb18a1a1d0ddc@linux-foundation.org> (raw)
In-Reply-To: <CAMyZbw_ppC7F98+5huwmGjz03UGv8L8MoU9zL2_YYDU=fA3Qxw@mail.gmail.com>
On Sat, 2 May 2026 13:50:02 +0530 Anindya Roy <anindyaandy1904@gmail.com> wrote:
> Hello,
>
> I would like to report a vulnerability in the Linux kernel userfaultfd
> implementation that allows cross-inode page cache injection due to VMA
> replacement during the UFFDIO_COPY retry path.
>
> *Summary:*
>
> A local unprivileged attacker can inject controlled data into the page
> cache of a different shmem/memfd/tmpfs inode than originally targeted.
>
> This occurs because mfill_copy_folio_retry() drops all locks, allowing the
> destination VMA to be replaced, but does not verify that the underlying
> file (vm_file) remains the same when execution resumes.
>
> As a result, a folio allocated for one inode can be inserted into another
> inode’s page cache.
>
> *Affected component:*
>
> File: mm/userfaultfd.c
> Function: mfill_copy_folio_retry()
Thanks.
> *Affected versions:*
>
> Introduced by: f5f035a72423
Only in 7.1-rc1, fortunately.
May I ask how you found this?
Annoyingly, Sashiko found it:
: If the locks are dropped during the retry, can the anonymous VMA be
: replaced by a different type of VMA (such as hugetlb or shared shmem)
: at the same address?
:
: mfill_get_vma() accepts these VMAs and returns 0. When execution
: resumes in mfill_atomic_pte_copy(), it proceeds to
: mfill_atomic_install_pte() using the newly populated state->vma.
:
: For a hugetlb VMA, mfill_establish_pmd() will allocate a standard 4KB
: PMD into a hugepage page table hierarchy. For a shared shmem VMA,
:
: folio_add_new_anon_rmap() will be called on a shared file-backed VMA.
: Could this sequence cause page table corruption or kernel crashes?
We must have simply failed to look :(
It claims to have found other things:
https://sashiko.dev/#/patchset/20260402041156.1377214-6-rppt@kernel.org
>
> ...
>
next prev parent reply other threads:[~2026-05-02 9:40 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-02 8:20 [SECURITY] mm/userfaultfd: cross-inode page cache injection via mfill_copy_folio_retry() Anindya Roy
2026-05-02 9:40 ` Andrew Morton [this message]
2026-05-02 10:15 ` Anindya Roy
2026-05-02 19:26 ` Mike Rapoport
2026-05-04 12:53 ` Anindya Roy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260502024012.30be89b2549bb18a1a1d0ddc@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=anindyaandy1904@gmail.com \
--cc=david@kernel.org \
--cc=linux-mm@kvack.org \
--cc=ljs@kernel.org \
--cc=lokeshgidra@google.com \
--cc=rppt@kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox