Date: Wed, 1 Apr 2026 10:49:30 +0300
From: Mike Rapoport
To: Andrew Morton
Cc: David Carlier, Peter Xu, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Lorenzo Stoakes, "Liam R. Howlett", Vlastimil Babka
Subject: Re: [PATCH v4] mm/userfaultfd: detect VMA replacement after copy retry in mfill_copy_folio_retry()
Message-ID:
References: <20260331134158.622084-1-devnexen@gmail.com> <20260331200148.cc0c95deaf070579a68af041@linux-foundation.org>
In-Reply-To: <20260331200148.cc0c95deaf070579a68af041@linux-foundation.org>

Hi Andrew,

On Tue, Mar 31, 2026 at 08:01:48PM -0700, Andrew Morton wrote:
> On Tue, 31 Mar 2026 14:41:58 +0100 David Carlier wrote:
> 
> > In mfill_copy_folio_retry(), all locks are dropped to retry
> > copy_from_user() with page faults enabled. During this window, the VMA
> > can be replaced entirely (e.g. munmap + mmap + UFFDIO_REGISTER by
> > another thread), but the caller proceeds with a folio allocated from the
> > original VMA's backing store.

What does "folio allocated from the original VMA's backing store" exactly
mean? Why is this a problem?

> > Checking ops alone is insufficient: the replacement VMA could be the
> > same type (e.g. shmem -> shmem) with identical flags but a different
> > backing inode. Take a snapshot of the VMA's file and flags before
> > dropping locks, and compare after re-acquiring them. If anything
> > changed, bail out with -EINVAL.
> > 
> > Use get_file()/fput() rather than ihold()/iput() to hold the file
> > reference across the lock-dropped window, avoiding potential deadlocks
> > from filesystem eviction under mmap_lock.
> 
> Thanks, I've queued this as a squashable fix against mm-unstable's
> "shmem, userfaultfd: implement shmem uffd operations using vm_uffd_ops
> ongoing".

First, this is a pre-existing and TBH quite theoretical bug and it was
there since the very beginning, so it should not be added as a fixup for
the uffd+guestmemfd series.

Second, I have reservations about vma_snapshot implementation. What
invariant does it exactly enforce?

> I've fumbled the ball on your [2/2] unlikely() fix ;). Please resend that
> after -rc1.

This one should go the same route IMO.

-- 
Sincerely yours,
Mike.