Date: Tue, 7 Apr 2026 11:17:40 +0100
From: "Lorenzo Stoakes (Oracle)"
To: Mike Rapoport
Cc: Andrew Morton, David Carlier, Peter Xu, linux-mm@kvack.org, linux-kernel@vger.kernel.org, "Liam R. Howlett", Vlastimil Babka
Subject: Re: [PATCH v4] mm/userfaultfd: detect VMA replacement after copy retry in mfill_copy_folio_retry()
References: <20260331134158.622084-1-devnexen@gmail.com> <20260331200148.cc0c95deaf070579a68af041@linux-foundation.org>

On Wed, Apr 01, 2026 at 10:49:30AM +0300, Mike Rapoport wrote:
> Hi Andrew,
>
> On Tue, Mar 31, 2026 at 08:01:48PM -0700, Andrew Morton wrote:
> > On Tue, 31 Mar 2026 14:41:58 +0100 David Carlier wrote:
> >
> > > In mfill_copy_folio_retry(), all locks are dropped to retry
> > > copy_from_user() with page faults enabled. During this window, the VMA
> > > can be replaced entirely (e.g. munmap + mmap + UFFDIO_REGISTER by
> > > another thread), but the caller proceeds with a folio allocated from the
> > > original VMA's backing store.
>
> What does "folio allocated from the original VMA's backing store" exactly
> mean? Why is this a problem?
>
> > > Checking ops alone is insufficient: the replacement VMA could be the
> > > same type (e.g. shmem -> shmem) with identical flags but a different
> > > backing inode. Take a snapshot of the VMA's file and flags before
> > > dropping locks, and compare after re-acquiring them. If anything
> > > changed, bail out with -EINVAL.
> > >
> > > Use get_file()/fput() rather than ihold()/iput() to hold the file
> > > reference across the lock-dropped window, avoiding potential deadlocks
> > > from filesystem eviction under mmap_lock.
> >
> > Thanks, I've queued this as a squashable fix against mm-unstable's
> > "shmem, userfaultfd: implement shmem uffd operations using vm_uffd_ops
> > ongoing".
>
> First, this is a pre-existing and TBH quite theoretical bug and it was there
> since the very beginning, so it should not be added as a fixup for the
> uffd+guestmemfd series.
>
> Second, I have reservations about vma_snapshot implementation. What
> invariant does it exactly enforce?

Yeah me too. Unfortunately my bandwidth is a bit limited at the moment, but
if you're comparing VMAs like this it seems something is fundamentally
broken.

We should definitely at least delay this until next cycle for consideration
I think until we can figure out a sensible approach.

> > I've fumbled the ball on your [2/2] unlikely() fix ;). Please resend that
> > after -rc1.
>
> This one should go the same route IMO.

Agreed, let's delay until next cycle please.

> --
> Sincerely yours,
> Mike.

Thanks, Lorenzo
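To make the "same type, same flags, different backing file" case from the quoted commit message concrete, here is an added userspace C model of the lock-dropped window and the two re-validation strategies it compares. This is illustration written for this thread, not code from the patch, from the kernel, or from anyone in the discussion: `struct file`, `struct vm_ops`, `struct vma`, the `window_fn` callback that stands in for another thread's actions, the `0x73` flag bits and the two "inode" objects are all constructed stand-ins, and the snapshot helpers only mirror the idea the commit message describes (snapshot file and flags, hold a reference across the window, compare after re-acquiring). It does not settle the question Mike and Lorenzo raise above about what invariant such a comparison actually enforces; it only shows what each check does and does not catch.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-ins for kernel objects; constructed for this model only. */
struct file { const char *name; int refcount; };
struct vm_ops { const char *kind; };
struct vma {
	struct file *file;          /* backing file (NULL for anonymous) */
	const struct vm_ops *ops;   /* mapping "type" */
	unsigned long flags;
};

/* What the commit message snapshots before the locks are dropped. */
struct vma_snapshot { struct file *file; unsigned long flags; };

static void vma_snapshot_take(struct vma_snapshot *s, const struct vma *v)
{
	s->file = v->file;
	if (s->file)
		s->file->refcount++;  /* models get_file(): keep it alive across the window */
	s->flags = v->flags;
}

static int vma_snapshot_changed(const struct vma_snapshot *s, const struct vma *v)
{
	return s->file != v->file || s->flags != v->flags;
}

static void vma_snapshot_put(struct vma_snapshot *s)
{
	if (s->file)
		s->file->refcount--;  /* models fput() */
}

/* The lock-dropped window: the callback stands in for whatever another thread
 * manages to do to the VMA while no lock is held. */
typedef void (*window_fn)(struct vma *v, void *arg);

/* Weak re-validation: compare only the ops (what the commit message calls insufficient). */
static int retry_checking_ops_only(struct vma *v, window_fn during, void *arg)
{
	const struct vm_ops *ops_before = v->ops;
	during(v, arg);                     /* locks dropped and re-acquired here */
	return v->ops == ops_before ? 0 : -EINVAL;
}

/* Stronger re-validation: compare backing-file identity and flags. */
static int retry_checking_snapshot(struct vma *v, window_fn during, void *arg)
{
	struct vma_snapshot snap;
	int ret;
	vma_snapshot_take(&snap, v);
	during(v, arg);                     /* locks dropped and re-acquired here */
	ret = vma_snapshot_changed(&snap, v) ? -EINVAL : 0;
	vma_snapshot_put(&snap);
	return ret;
}

static void window_nothing_happens(struct vma *v, void *arg) { (void)v; (void)arg; }

/* munmap + mmap + UFFDIO_REGISTER by another thread, collapsed into one step:
 * same ops, same flags, different backing file. */
static void window_replace_same_type(struct vma *v, void *arg) { v->file = arg; }

static const struct vm_ops shmem_ops = { "shmem" };
static struct file file_a = { "shmem-inode-a", 1 };   /* constructed */
static struct file file_b = { "shmem-inode-b", 1 };   /* constructed */

int scenario_ops_only_misses_replacement(void)
{
	struct vma v = { &file_a, &shmem_ops, 0x73 };  /* 0x73: constructed flag bits */
	return retry_checking_ops_only(&v, window_replace_same_type, &file_b);
}

int scenario_snapshot_catches_replacement(void)
{
	struct vma v = { &file_a, &shmem_ops, 0x73 };
	return retry_checking_snapshot(&v, window_replace_same_type, &file_b);
}

int scenario_snapshot_vma_unchanged(void)
{
	struct vma v = { &file_a, &shmem_ops, 0x73 };
	return retry_checking_snapshot(&v, window_nothing_happens, NULL);
}

/* The snapshot must give back the reference it took (get_file()/fput() pairing). */
int file_a_refcount_after_runs(void)
{
	scenario_snapshot_catches_replacement();
	scenario_snapshot_vma_unchanged();
	return file_a.refcount;
}

int main(void)
{
	printf("ops-only check, same-type replacement: %d (0 = missed)\n", scenario_ops_only_misses_replacement());
	printf("snapshot check, same-type replacement: %d (-EINVAL = caught)\n", scenario_snapshot_catches_replacement());
	printf("snapshot check, nothing changed: %d\n", scenario_snapshot_vma_unchanged());
	printf("file_a refcount after runs: %d (expect 1)\n", file_a_refcount_after_runs());
	return 0;
}
```

The ops-only check returns 0 for the same-type replacement because nothing it looks at has changed, which is exactly the gap the commit message points at; the snapshot check returns -EINVAL for the same window and 0 when nothing happened, and the refcount returning to 1 shows the reference taken for the window is released on both paths. Whether comparing file identity and flags is the right invariant (rather than, say, re-looking-up the VMA after the window) is the open question in the thread above, and this model does not answer it.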