From: Mike Rapoport <rppt@kernel.org>
To: Jianhui Zhou <jianhuizzzzz@gmail.com>
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, peterx@redhat.com,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
syzbot+18d274a59b87cf80e86d@syzkaller.appspotmail.com
Subject: Re: [PATCH] mm/userfaultfd: clear uffd-wp PTE state when re-registering without WP
Date: Fri, 3 Jul 2026 09:24:17 +0300 [thread overview]
Message-ID: <akdVkekOyiE2rtnl@kernel.org> (raw)
In-Reply-To: <20260601082609.170076-1-jianhuizzzzz@gmail.com>
On Mon, Jun 01, 2026 at 04:26:09PM +0800, Jianhui Zhou wrote:
> UFFDIO_REGISTER can be issued on a range that is already registered in
> the same userfaultfd context, replacing the VMA's userfaultfd tracking
> mode. For example, a range can be registered with
> UFFDIO_REGISTER_MODE_WP and later re-registered with
> UFFDIO_REGISTER_MODE_MISSING.
>
> When the second registration removes VM_UFFD_WP, the VMA flags are
> updated but existing uffd-wp state in page-table entries is left behind.
> That stale state can survive in swap PTEs. On swapin, do_swap_page()
> restores _PAGE_UFFD_WP from the swap PTE and can then install a writable
> PTE, triggering page_table_check:
>
> pte_uffd_wp(pte) && pte_write(pte)
Please explain where the check is triggered and what are the effects.
> Handle removal of WP mode through UFFDIO_REGISTER the same way as
> UFFDIO_UNREGISTER: resolve the per-PTE uffd-wp state before dropping
> VM_UFFD_WP from the VMA.
>
> Also make the same-context fast path require an exact UFFD mode match.
> The old subset check treats MISSING|WP -> MISSING as a no-op, even though
> WP mode is being removed.
>
> Fixes: f45ec5ff16a7 ("userfaultfd: wp: support swap and page migration")
> Reported-by: syzbot+18d274a59b87cf80e86d@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=18d274a59b87cf80e86d
> Signed-off-by: Jianhui Zhou <jianhuizzzzz@gmail.com>
> ---
> mm/userfaultfd.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> index 180bad42fc79..dc0b3eba768b 100644
> --- a/mm/userfaultfd.c
> +++ b/mm/userfaultfd.c
> @@ -2153,13 +2153,21 @@ int userfaultfd_register_range(struct userfaultfd_ctx *ctx,
> * userfaultfd and with the right tracking mode too.
> */
> if (vma->vm_userfaultfd_ctx.ctx == ctx &&
> - vma_test_all_mask(vma, vma_flags))
> + (vma->vm_flags & __VM_UFFD_FLAGS) == vm_flags)
Please use new VMA flag APIs.
> goto skip;
>
> if (vma->vm_start > start)
> start = vma->vm_start;
> vma_end = min(end, vma->vm_end);
>
> + /*
> + * Re-registering into the same userfaultfd can remove WP mode.
> + * Clear any per-PTE uffd-wp state before dropping VM_UFFD_WP,
> + * matching the UFFDIO_UNREGISTER cleanup semantics.
> + */
> + if (userfaultfd_wp(vma) && !(vm_flags & VM_UFFD_WP))
> + uffd_wp_range(vma, start, vma_end - start, false);
> +
> new_vma_flags = vma->flags;
> vma_flags_clear_mask(&new_vma_flags, __VMA_UFFD_FLAGS);
> vma_flags_set_mask(&new_vma_flags, vma_flags);
>
> base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
> --
> 2.43.0
>
--
Sincerely yours,
Mike.
prev parent reply other threads:[~2026-07-03 6:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-01 8:26 [PATCH] mm/userfaultfd: clear uffd-wp PTE state when re-registering without WP Jianhui Zhou
2026-06-28 20:53 ` Andrew Morton
2026-07-03 6:24 ` Mike Rapoport [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=akdVkekOyiE2rtnl@kernel.org \
--to=rppt@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=jianhuizzzzz@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peterx@redhat.com \
--cc=syzbot+18d274a59b87cf80e86d@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox