From: David Carlier
To: akpm@linux-foundation.org, rppt@kernel.org, peterx@redhat.com
Cc: Liam.Howlett@oracle.com, ljs@kernel.org, vbabka@kernel.org, jannh@google.com, usama.arif@linux.dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org, David Carlier
Subject: [PATCH v7] mm/userfaultfd: detect VMA type change after copy retry in mfill_copy_folio_retry()
Date: Fri, 24 Apr 2026 19:36:38 +0100
Message-ID: <20260424183638.196227-1-devnexen@gmail.com>

mfill_copy_folio_retry() drops mmap_lock for the copy_from_user() call. During this window, the VMA can be replaced with a different type (e.g. hugetlb), making the caller's ops pointer stale. Subsequent use of the stale ops would dispatch into the wrong per-vma handlers.

Capture the VMA's ops via vma_uffd_ops() before dropping the lock and compare against the current vma_uffd_ops() after re-acquiring it. Return -EAGAIN if they differ so the operation can be retried. This avoids comparing against the caller's ops, which may have been overridden to anon_uffd_ops for MAP_PRIVATE file-backed mappings.

Fixes: 6ab703034f14 ("userfaultfd: mfill_atomic(): remove retry logic")
Reported-by: Usama Arif
Closes: https://lore.kernel.org/all/20260410114809.3592720-1-usama.arif@linux.dev/
Acked-by: Mike Rapoport (Microsoft)
Signed-off-by: David Carlier
---
v7: (akpm review)
- update Fixes: to the current mm-unstable hash
- add Closes: link to Usama's report
- drop "kernel crash" wording; no observed reproducer
- align Reported-by address to usama.arif@linux.dev
- carry Mike's Ack from v5

v6: capture ops via vma_uffd_ops() before dropping the lock so MAP_PRIVATE shmem (which overrides to anon_uffd_ops) no longer triggers spurious -EAGAIN (Usama). Drop unused ops parameter from mfill_copy_folio_retry().

v5: initial ops-compare approach.

Tested under virtme-ng (DEBUG_VM, LOCKDEP, PROVE_LOCKING):
uffd-unit-tests: 67 pass, 0 skip, 0 fail
uffd-stress {anon,shmem,shmem-private}: 4 bounces each, clean

 mm/userfaultfd.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index 885da1e56466..180bad42fc79 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -443,8 +443,10 @@ static int mfill_copy_folio_locked(struct folio *folio, unsigned long src_addr) return ret; } -static int mfill_copy_folio_retry(struct mfill_state *state, struct folio *folio) +static int mfill_copy_folio_retry(struct mfill_state *state, + struct folio *folio) { + const struct vm_uffd_ops *orig_ops = vma_uffd_ops(state->vma); unsigned long src_addr = state->src_addr; void *kaddr; int err; @@ -465,6 +467,14 @@ static int mfill_copy_folio_retry(struct mfill_state *state, struct folio *folio if (err) return err; + /* + * The VMA type may have changed while the lock was dropped + * (e.g. replaced with a hugetlb mapping), making the caller's + * ops pointer stale. + */ + if (vma_uffd_ops(state->vma) != orig_ops) + return -EAGAIN; + err = mfill_establish_pmd(state); if (err) return err; -- 2.53.0
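Review bot: in the @@ -443 hunk the new `const struct vm_uffd_ops *orig_ops = vma_uffd_ops(state->vma);` is a bare initializer, and nothing at the declaration says it is only valid because mmap_lock is still held at function entry, which is the entire reason the later comparison means anything. A one-line comment above it, e.g. `/* Sampled under mmap_lock; compared after the copy re-acquires it. */`, would make a future reorder that moves it below the lock drop stand out in review. Separately, re-wrapping the function signature onto two lines is unrelated churn in a Fixes: patch; if it is only to satisfy the line-length check, a word in the changelog would help.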
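Review bot: the comment in the @@ -465 hunk still says "making the caller's ops pointer stale", but after this series the function takes no ops parameter (v6 dropped it) and the comparison is against the locally sampled `orig_ops`; reword to something like "making the ops sampled in orig_ops stale". The same comment should also state what the check does not cover: it compares ops pointers, so a VMA swapped for another VMA of the same type (same vma_uffd_ops()) passes it and is not what the -EAGAIN is for. Saying so stops a reader from assuming this return handles every replacement of the VMA during the lock drop.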
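The changelog's v5-to-v6 change (compare against ops sampled from the VMA before the lock drop, not against the caller's ops) is easy to get backwards, so here is an added userspace C model of the two checks. It is not part of this patch or of the kernel: `struct vm_area_struct`, `struct mfill_state`, the three ops tables and the hypothetical `caller_ops_for()` (which stands in for the MAP_PRIVATE-to-anon_uffd_ops override the changelog mentions) are all constructed for the example, and the "VMA replaced while mmap_lock was dropped" step is just an assignment. Only pointer identity of the ops matters, as in the kernel's `vma_uffd_ops(state->vma) != orig_ops`.

```c
/*
 * Userspace model of the ops-compare retry check, written for this page.
 * Not kernel code: struct vm_area_struct, struct mfill_state, the three
 * ops tables and the "VMA replaced while mmap_lock was dropped" step are
 * all constructed here. The ops are identified by address only, as in the
 * kernel comparison `vma_uffd_ops(state->vma) != orig_ops`.
 */
#include <errno.h>
#include <stdio.h>

enum vma_kind { VMA_ANON, VMA_SHMEM_SHARED, VMA_SHMEM_PRIVATE, VMA_HUGETLB };

struct vm_uffd_ops { const char *name; };

static const struct vm_uffd_ops anon_uffd_ops    = { "anon" };
static const struct vm_uffd_ops shmem_uffd_ops   = { "shmem" };
static const struct vm_uffd_ops hugetlb_uffd_ops = { "hugetlb" };

struct vm_area_struct { enum vma_kind kind; };
struct mfill_state { struct vm_area_struct *vma; };

/* Model of vma_uffd_ops(): the dispatch table owned by the VMA itself. */
static const struct vm_uffd_ops *vma_uffd_ops(const struct vm_area_struct *vma)
{
	switch (vma->kind) {
	case VMA_ANON:          return &anon_uffd_ops;
	case VMA_SHMEM_SHARED:
	case VMA_SHMEM_PRIVATE: return &shmem_uffd_ops;
	case VMA_HUGETLB:       return &hugetlb_uffd_ops;
	}
	return NULL;
}

/*
 * Hypothetical model of the ops the *caller* used to pass down (the
 * parameter v6 removed). Per the changelog, MAP_PRIVATE file-backed
 * mappings are overridden to anon_uffd_ops, so this differs from
 * vma_uffd_ops() for VMA_SHMEM_PRIVATE even when nothing races.
 */
static const struct vm_uffd_ops *caller_ops_for(const struct vm_area_struct *vma)
{
	return vma->kind == VMA_SHMEM_PRIVATE ? &anon_uffd_ops : vma_uffd_ops(vma);
}

/*
 * v5-style check: after the lock is re-acquired, compare the VMA's ops to
 * the caller's ops. `after` is the VMA type found after re-lock.
 */
static int check_v5(enum vma_kind before, enum vma_kind after)
{
	struct vm_area_struct vma = { before };
	struct mfill_state state = { &vma };
	const struct vm_uffd_ops *caller_ops = caller_ops_for(&vma);

	/* mmap_lock dropped; copy_from_user(); lock re-acquired. */
	vma.kind = after;
	return vma_uffd_ops(state.vma) != caller_ops ? -EAGAIN : 0;
}

/*
 * v6-style check (what the patch does): sample vma_uffd_ops() while the
 * lock is still held, compare to vma_uffd_ops() after re-acquiring it.
 */
static int check_v6(enum vma_kind before, enum vma_kind after)
{
	struct vm_area_struct vma = { before };
	struct mfill_state state = { &vma };
	const struct vm_uffd_ops *orig_ops = vma_uffd_ops(state.vma);

	/* mmap_lock dropped; copy_from_user(); lock re-acquired. */
	vma.kind = after;
	return vma_uffd_ops(state.vma) != orig_ops ? -EAGAIN : 0;
}

static const char *kind_name(enum vma_kind k)
{
	static const char *names[] = { "anon", "shmem-shared", "shmem-private", "hugetlb" };
	return names[k];
}

static const char *res_name(int r)
{
	return r == 0 ? "0 (proceed)" : "-EAGAIN (retry)";
}

int main(void)
{
	struct { enum vma_kind before, after; } cases[] = {
		{ VMA_SHMEM_PRIVATE, VMA_SHMEM_PRIVATE }, /* no race, MAP_PRIVATE shmem */
		{ VMA_ANON,          VMA_ANON },          /* no race, anon */
		{ VMA_ANON,          VMA_HUGETLB },       /* replaced by hugetlb */
		{ VMA_SHMEM_PRIVATE, VMA_HUGETLB },       /* replaced by hugetlb */
	};

	for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		enum vma_kind b = cases[i].before, a = cases[i].after;
		printf("%-14s -> %-14s  v5: %-16s v6: %s\n", kind_name(b), kind_name(a),
		       res_name(check_v5(b, a)), res_name(check_v6(b, a)));
	}
	return 0;
}
```

The first row is the case Usama hit: with no race at all, the v5 comparison returns -EAGAIN for MAP_PRIVATE shmem because the caller's ops were never the VMA's own ops, while the v6 comparison proceeds. The hugetlb rows show both versions catching a genuine type change, which is why the v6 form loses nothing by sampling from the VMA instead.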