From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 37A9F3A4520 for ; Wed, 20 May 2026 11:09:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779275351; cv=none; b=kWesOQlJQv5qQYSihshaFv0CchHTo2lK9/1JAda8di69m3eLKrl4hQcLgN7rG9Cb+2P3c8/8HNKbjHNFKAMzI0zvlFs5TqNk4bj1lHh4YPle6rJcPU9BBLefH6hbgg6ChCw+KU3f9gmmoKdTn+SvXCDG/lCf+AhtsYsZWmc8zXM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779275351; c=relaxed/simple; bh=B/S/Zqb04JR/uTRAZABGMU0+deq7wwPa+mLLFH6SN4M=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=BP5Kag+VTUmOha9Ual6NYyMu8Q+vL8wyD8anTgXQaW8tDQ9q3dxyWJzUGMxI0MWQ0UInR3lMrayY+NjA37y2YdzRsO/v5gZXYxKGqZfDRoD+uhOw39U7Et/phBaztqHwS/BAZndX7cCwZdJHpiscaB++PvA1TznSRBQFNASGWEk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=n9yPpEuK; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="n9yPpEuK" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 231891F000E9; Wed, 20 May 2026 11:09:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1779275349; bh=/AmAToeJMLl6GYJuSWjIXFkgZ0kJr6j/0C2wPvk8IoA=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=n9yPpEuKohrpXagwvQGRn28wrrEc5IUDv/vPJLPbJm4UxNK0nyExGh8yDbc0kPhcy vS3rGYO4yR1DVVQ+KUreUF99Mf0dfGADimQHQg+e4Ge/2vjuddIAxsTGluM2ash6dC SRrR27TL8xZlkXoiXFOP6MwLePKTMNe7eVJabTggLH8av7XicjnpTOoaLfW+WgJoI8 VA4yoM073+zOgQsHBv1kvrks/XUh1xNCVlLxGjInveILBA0NiPzvzFGRoHSUkiM/Ve DllD52imWrjMeCMNfZ7M9v+Wdrn6BbXdPTLUlHOXu4vI5eZfnTzhXEC5B8jHQe0FEm XqoYmfDWUcKDw== Message-ID: Date: Wed, 20 May 2026 13:09:04 +0200 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH RESEND] userfaultfd: snapshot VMA state across UFFDIO_COPY retry To: Mike Rapoport , Andrew Morton Cc: David Carlier , Heechan Kang , "Liam R. Howlett" , Lorenzo Stoakes , Michael Bommarito , Peter Xu , linux-mm@kvack.org, linux-kernel@vger.kernel.org References: <20260519052516.3315196-1-rppt@kernel.org> From: "David Hildenbrand (Arm)" Content-Language: en-US Autocrypt: addr=david@kernel.org; keydata= xsFNBFXLn5EBEAC+zYvAFJxCBY9Tr1xZgcESmxVNI/0ffzE/ZQOiHJl6mGkmA1R7/uUpiCjJ dBrn+lhhOYjjNefFQou6478faXE6o2AhmebqT4KiQoUQFV4R7y1KMEKoSyy8hQaK1umALTdL QZLQMzNE74ap+GDK0wnacPQFpcG1AE9RMq3aeErY5tujekBS32jfC/7AnH7I0v1v1TbbK3Gp XNeiN4QroO+5qaSr0ID2sz5jtBLRb15RMre27E1ImpaIv2Jw8NJgW0k/D1RyKCwaTsgRdwuK Kx/Y91XuSBdz0uOyU/S8kM1+ag0wvsGlpBVxRR/xw/E8M7TEwuCZQArqqTCmkG6HGcXFT0V9 PXFNNgV5jXMQRwU0O/ztJIQqsE5LsUomE//bLwzj9IVsaQpKDqW6TAPjcdBDPLHvriq7kGjt WhVhdl0qEYB8lkBEU7V2Yb+SYhmhpDrti9Fq1EsmhiHSkxJcGREoMK/63r9WLZYI3+4W2rAc UucZa4OT27U5ZISjNg3Ev0rxU5UH2/pT4wJCfxwocmqaRr6UYmrtZmND89X0KigoFD/XSeVv jwBRNjPAubK9/k5NoRrYqztM9W6sJqrH8+UWZ1Idd/DdmogJh0gNC0+N42Za9yBRURfIdKSb B3JfpUqcWwE7vUaYrHG1nw54pLUoPG6sAA7Mehl3nd4pZUALHwARAQABzS5EYXZpZCBIaWxk ZW5icmFuZCAoQ3VycmVudCkgPGRhdmlkQGtlcm5lbC5vcmc+wsGQBBMBCAA6AhsDBQkmWAik AgsJBBUKCQgCFgICHgUCF4AWIQQb2cqtc1xMOkYN/MpN3hD3AP+DWgUCaYJt/AIZAQAKCRBN 3hD3AP+DWriiD/9BLGEKG+N8L2AXhikJg6YmXom9ytRwPqDgpHpVg2xdhopoWdMRXjzOrIKD g4LSnFaKneQD0hZhoArEeamG5tyo32xoRsPwkbpIzL0OKSZ8G6mVbFGpjmyDLQCAxteXCLXz ZI0VbsuJKelYnKcXWOIndOrNRvE5eoOfTt2XfBnAapxMYY2IsV+qaUXlO63GgfIOg8RBaj7x 3NxkI3rV0SHhI4GU9K6jCvGghxeS1QX6L/XI9mfAYaIwGy5B68kF26piAVYv/QZDEVIpo3t7 /fjSpxKT8plJH6rhhR0epy8dWRHk3qT5tk2P85twasdloWtkMZ7FsCJRKWscm1BLpsDn6EQ4 jeMHECiY9kGKKi8dQpv3FRyo2QApZ49NNDbwcR0ZndK0XFo15iH708H5Qja/8TuXCwnPWAcJ DQoNIDFyaxe26Rx3ZwUkRALa3iPcVjE0//TrQ4KnFf+lMBSrS33xDDBfevW9+Dk6IISmDH1R HFq2jpkN+FX/PE8eVhV68B2DsAPZ5rUwyCKUXPTJ/irrCCmAAb5Jpv11S7hUSpqtM/6oVESC 3z/7CzrVtRODzLtNgV4r5EI+wAv/3PgJLlMwgJM90Fb3CB2IgbxhjvmB1WNdvXACVydx55V7 LPPKodSTF29rlnQAf9HLgCphuuSrrPn5VQDaYZl4N/7zc2wcWM7BTQRVy5+RARAA59fefSDR 9nMGCb9LbMX+TFAoIQo/wgP5XPyzLYakO+94GrgfZjfhdaxPXMsl2+o8jhp/hlIzG56taNdt VZtPp3ih1AgbR8rHgXw1xwOpuAd5lE1qNd54ndHuADO9a9A0vPimIes78Hi1/yy+ZEEvRkHk /kDa6F3AtTc1m4rbbOk2fiKzzsE9YXweFjQvl9p+AMw6qd/iC4lUk9g0+FQXNdRs+o4o6Qvy iOQJfGQ4UcBuOy1IrkJrd8qq5jet1fcM2j4QvsW8CLDWZS1L7kZ5gT5EycMKxUWb8LuRjxzZ 3QY1aQH2kkzn6acigU3HLtgFyV1gBNV44ehjgvJpRY2cC8VhanTx0dZ9mj1YKIky5N+C0f21 zvntBqcxV0+3p8MrxRRcgEtDZNav+xAoT3G0W4SahAaUTWXpsZoOecwtxi74CyneQNPTDjNg azHmvpdBVEfj7k3p4dmJp5i0U66Onmf6mMFpArvBRSMOKU9DlAzMi4IvhiNWjKVaIE2Se9BY FdKVAJaZq85P2y20ZBd08ILnKcj7XKZkLU5FkoA0udEBvQ0f9QLNyyy3DZMCQWcwRuj1m73D sq8DEFBdZ5eEkj1dCyx+t/ga6x2rHyc8Sl86oK1tvAkwBNsfKou3v+jP/l14a7DGBvrmlYjO 59o3t6inu6H7pt7OL6u6BQj7DoMAEQEAAcLBfAQYAQgAJgIbDBYhBBvZyq1zXEw6Rg38yk3e EPcA/4NaBQJonNqrBQkmWAihAAoJEE3eEPcA/4NaKtMQALAJ8PzprBEXbXcEXwDKQu+P/vts IfUb1UNMfMV76BicGa5NCZnJNQASDP/+bFg6O3gx5NbhHHPeaWz/VxlOmYHokHodOvtL0WCC 8A5PEP8tOk6029Z+J+xUcMrJClNVFpzVvOpb1lCbhjwAV465Hy+NUSbbUiRxdzNQtLtgZzOV Zw7jxUCs4UUZLQTCuBpFgb15bBxYZ/BL9MbzxPxvfUQIPbnzQMcqtpUs21CMK2PdfCh5c4gS sDci6D5/ZIBw94UQWmGpM/O1ilGXde2ZzzGYl64glmccD8e87OnEgKnH3FbnJnT4iJchtSvx yJNi1+t0+qDti4m88+/9IuPqCKb6Stl+s2dnLtJNrjXBGJtsQG/sRpqsJz5x1/2nPJSRMsx9 5YfqbdrJSOFXDzZ8/r82HgQEtUvlSXNaXCa95ez0UkOG7+bDm2b3s0XahBQeLVCH0mw3RAQg r7xDAYKIrAwfHHmMTnBQDPJwVqxJjVNr7yBic4yfzVWGCGNE4DnOW0vcIeoyhy9vnIa3w1uZ 3iyY2Nsd7JxfKu1PRhCGwXzRw5TlfEsoRI7V9A8isUCoqE2Dzh3FvYHVeX4Us+bRL/oqareJ CIFqgYMyvHj7Q06kTKmauOe4Nf0l0qEkIuIzfoLJ3qr5UyXc2hLtWyT9Ir+lYlX9efqh7mOY qIws/H2t In-Reply-To: <20260519052516.3315196-1-rppt@kernel.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 5/19/26 07:25, Mike Rapoport wrote: > From: "Mike Rapoport (Microsoft)" > > mfill_copy_folio_retry() drops the VMA lock for copy_from_user() and > reacquires it afterwards. The destination VMA can be replaced during that > window. > > The existing check compares vma_uffd_ops() before and after the retry, but > if a shmem VMA with MAP_SHARED is replaced with a shmem VMA with > MAP_PRIVATE (or vice versa) the replacement goes undetected. > > The change from MAP_PRIVATE to MAP_SHARED will treat the folio allocated > with shmem_alloc_folio() as anonymous and this will cause BUG() when > mfill_atomic_install_pte() will try to folio_add_new_anon_rmap(). > > The change from MAP_SHARED to MAP_PRIVATE allows injection of folios into > the page cache of the original VMA. > > Introduce helpers for more comprehensive comparison of VMA state: > - vma_snapshot_get() to save the relevant VMA state into a struct > vma_snapshot (original uffd_ops, actual uffd_ops, relevant VMA flags, > vm_file and pgoff) before dropping the lock > - vma_snapshot_changed() to compare the saved state with the state of the > VMA acquired after retaking the locks > - vma_snapshot_put() to release vm_file pinning. > > Use DEFINE_FREE() cleanup to wrap vma_snapshot_put() to avoid complicating > error handling paths in mfill_copy_folio_retry(). > > Add vma_uffd_copy_ops() to avoid code duplication when original ops of > shmem VMA with MAP_PRIVATE are replaced with anon_uffd_ops. > > Fixes: 292411fda25b ("mm/userfaultfd: detect VMA type change after copy retry in mfill_copy_folio_retry()") > Fixes: 6ab703034f14 ("userfaultfd: mfill_atomic(): remove retry logic") > Tested-by: Heechan Kang > Suggested-by: Peter Xu > Co-developed-by: David Carlier > Signed-off-by: David Carlier > Co-developed-by: Michael Bommarito > Signed-off-by: Michael Bommarito > Signed-off-by: Mike Rapoport (Microsoft) > --- > mm/userfaultfd.c | 99 ++++++++++++++++++++++++++++++++++++++---------- > 1 file changed, 79 insertions(+), 20 deletions(-) > > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c > index 180bad42fc79..b70b84776a79 100644 > --- a/mm/userfaultfd.c > +++ b/mm/userfaultfd.c > @@ -14,6 +14,8 @@ > #include > #include > #include > +#include > +#include > #include > #include > #include "internal.h" > @@ -69,6 +71,24 @@ static const struct vm_uffd_ops *vma_uffd_ops(struct vm_area_struct *vma) > return vma->vm_ops ? vma->vm_ops->uffd_ops : NULL; > } > > +static const struct vm_uffd_ops *vma_uffd_copy_ops(struct vm_area_struct *vma) > +{ > + const struct vm_uffd_ops *ops = vma_uffd_ops(vma); > + > + if (!ops) > + return NULL; > + > + /* > + * UFFDIO_COPY fills MAP_PRIVATE file-backed mappings as anonymous > + * memory. This is an effective ops override, so retry validation must > + * compare the override result, not just vma->vm_ops->uffd_ops. > + */ > + if (!(vma->vm_flags & VM_SHARED)) > + return &anon_uffd_ops; > + > + return ops; > +} > + > static __always_inline > bool validate_dst_vma(struct vm_area_struct *dst_vma, unsigned long dst_end) > { > @@ -443,14 +463,70 @@ static int mfill_copy_folio_locked(struct folio *folio, unsigned long src_addr) > return ret; > } > > +#define VMA_SNAPSHOT_FLAGS append_vma_flags(__VMA_UFFD_FLAGS, VMA_SHARED_BIT) > + > +struct vma_snapshot { > + const struct vm_uffd_ops *copy_ops; > + const struct vm_uffd_ops *ops; > + struct file *file; > + vma_flags_t flags; > + pgoff_t pgoff; > +}; As this is all uffd specific, I wonder whether that should be "struct uffd_vma_snapshot"/"vma_uffd_snapshot" etc. >From a high level, this LGTM. I wish we could identify relevant VMA changes more easily. Like, using a per-MM sequence counter that we simply increment on any VMA changes. -- Cheers, David