[PATCH 0/1] mm/userfaultfd: fix UFFDIO_COPY retry private/shared VMA panic

[Michael Bommarito <michael.bommarito@gmail.com>]

Hi,

mfill_copy_folio_retry() drops the destination VMA lock before
copy_from_user() and reacquires it afterwards.  Commit 292411fda25b
("mm/userfaultfd: detect VMA type change after copy retry in
mfill_copy_folio_retry()") added a comparison of vma_uffd_ops() across
that window, but the comparison is not tight enough for private/shared
shmem swaps: both private and shared shmem VMAs expose shmem_uffd_ops
through vm_ops, while UFFDIO_COPY into a MAP_PRIVATE file-backed VMA
overrides the effective copy ops to anon_uffd_ops at
mfill_atomic_pte_copy() time.

If the destination is replaced from MAP_PRIVATE shmem to MAP_SHARED
shmem during the retry, vma_uffd_ops() still compares equal across
the window, the override flip is not detected, and the stale
anonymous folio is installed into the new shared shmem VMA.
mfill_atomic_install_pte() sees a folio without page-cache mapping,
calls folio_add_new_anon_rmap(), and __folio_set_anon() reaches
BUG_ON(!anon_vma) because the new shared shmem VMA has no anon_vma.

Reproducer (UML+KASAN, 7.1-rc2-00002-g8d90b09e6741, unprivileged uid
65534 with vm.unprivileged_userfaultfd=1):

  pre-fix:
    PROCESS_UID=65534 EUID=65534
    DST_INITIAL=MAP_PRIVATE_SHMEM addr=0x40041000
    SRC_INITIAL=UFFD_MISSING_ANON addr=0x40042000
    SOURCE_USERFAULT addr=0x40042000 flags=0x0
    DST_REPLACED_WITH_SHARED=ok
    DST_REREGISTERED_AFTER_REMAP=ok
    SOURCE_RESOLVED=ok
    BUG: failure at mm/rmap.c:1468/__folio_set_anon()!
    Kernel panic - not syncing: BUG!

  post-fix:
    DST_UFFDIO_COPY_IOCTL_RET=-1 errno=11 copy=-11
    RETRY_RESULT=-11
    (no BUG / WARN / KASAN signal in dmesg)

The patch introduces a vma_uffd_copy_ops() helper that applies the
MAP_PRIVATE override inline.  mfill_copy_folio_retry() now compares both
the raw vma_uffd_ops() and the effective copy ops across the dropped-lock
window: the raw comparison preserves 292411fda25b's VMA-type replacement
guard, while the effective comparison catches the private/shared shmem
override flip.  The mfill_atomic_pte_copy() call site goes through the
same helper, preserving today's semantics.  Because the override is
applied on both sides, a stable MAP_PRIVATE shmem VMA returns
&anon_uffd_ops on both effective-copy checks and the comparison still
succeeds, so the change does not reintroduce the spurious -EAGAIN that
v5/v6 of 292411fda25b's series triggered on MAP_PRIVATE shmem (see that
series's v6 changelog).

A separate concern from Peter Xu's review of v1 of 292411fda25b's
series -- replacement with a different shmem VMA carrying the same
flags but a different inode -- is out of scope here and is also
unaddressed by 292411fda25b.

Testing.

  - x86_64 UML build with KASAN clean.
  - Reproducer above: pre-fix panics deterministically on the first
    iteration; post-fix returns -EAGAIN with empty dmesg.
  - tools/testing/selftests/mm/uffd-stress {anon,shmem,shmem-private}
    16M / 4 cpus, 4 bounces each, KASAN-silent on stock and patched.
  - tools/testing/selftests/mm/uffd-unit-tests on stock and patched:
    identical pass / skip profile through the events block; both
    hit the same pre-existing UML arch limitation in the
    "poison on anon" case at arch/um/kernel/trap.c:198, unrelated
    to this patch.
  - scripts/checkpatch.pl --strict clean.

Fixes: 292411fda25b ("mm/userfaultfd: detect VMA type change after copy retry in mfill_copy_folio_retry()")

Michael Bommarito (1):
  mm/userfaultfd: validate effective UFFDIO_COPY ops after retry

 mm/userfaultfd.c | 40 ++++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 16 deletions(-)

--
2.46.0