* Re: [RFC PATCH] userfaultfd: allow registration of ranges below mmap_min_addr
[not found] ` <408fc657-94a2-4832-b5cd-7013c002403d@linux.dev>
@ 2026-05-05 10:10 ` Lorenzo Stoakes
0 siblings, 0 replies; only message in thread
From: Lorenzo Stoakes @ 2026-05-05 10:10 UTC (permalink / raw)
To: Usama Arif
Cc: Denis M. Karpov, rppt, akpm, Liam.Howlett, vbabka, jannh, peterx,
pfalcato, brauner, viro, jack, linux-mm, linux-fsdevel,
linux-kernel
On Thu, Apr 09, 2026 at 11:52:12AM +0100, Usama Arif wrote:
>
>
> On 09/04/2026 09:01, Lorenzo Stoakes wrote:
> > On Wed, Apr 08, 2026 at 05:36:59AM -0700, Usama Arif wrote:
> >> On Tue, 7 Apr 2026 11:14:42 +0300 "Denis M. Karpov" <komlomal@gmail.com> wrote:
> >>
> >>> The current implementation of validate_range() in fs/userfaultfd.c
> >>> performs a hard check against mmap_min_addr without considering
> >>> capabilities, but the mmap() syscall uses security_mmap_addr()
> >>> which allows privileged processes (with CAP_SYS_RAWIO) to map below
> >>> mmap_min_addr. Furthermore, security_mmap_addr()->cap_mmap_addr() uses
> >>> dac_mmap_min_addr variable which can be changed with
> >>> /proc/sys/vm/mmap_min_addr.
> >>>
> >>> Because userfaultfd uses a different check, UFFDIO_REGISTER may fail
> >>> with -EINVAL for valid memory areas that were successfully mapped
> >>> below mmap_min_addr even with appropriate capabilities.
> >>>
> >>> This prevents apps like binary compilers from using UFFD for valid memory
> >>> regions mapped by application.
> >>>
> >>> Replace the rigid mmap_min_addr check with security_mmap_addr() to align
> >>> userfaultfd with the standard kernel memory mapping security policy.
> >>>
> >>> Signed-off-by: Denis M. Karpov <komlomal@gmail.com>
> >>>
> >>> ---
> >>> Initial RFC following the discussion on the [BUG] thread.
> >>> Link: https://lore.kernel.org/all/CADtiZd0tWysx5HMCUnOXfSHB7PXAuXg1Mh4eY_hUmH29S=sejg@mail.gmail.com/
> >>> ---
> >>> fs/userfaultfd.c | 4 +---
> >>> 1 file changed, 1 insertion(+), 3 deletions(-)
> >>>
> >>> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> >>> index bdc84e521..dbfe5b2a0 100644
> >>> --- a/fs/userfaultfd.c
> >>> +++ b/fs/userfaultfd.c
> >>> @@ -1238,15 +1238,13 @@ static __always_inline int validate_unaligned_range(
> >>> return -EINVAL;
> >>> if (!len)
> >>> return -EINVAL;
> >>> - if (start < mmap_min_addr)
> >>> - return -EINVAL;
> >>> if (start >= task_size)
> >>> return -EINVAL;
> >>> if (len > task_size - start)
> >>> return -EINVAL;
> >>> if (start + len <= start)
> >>> return -EINVAL;
> >>> - return 0;
> >>> + return security_mmap_addr(start);
> >>
> >> Is this introducing an ABI change?
> >>
> >> The old code returned -EINVAL when start was below mmap_min_addr.
> >> The new code calls security_mmap_addr() which returns -EPERM when
> >> the caller lacks CAP_SYS_RAWIO. Existing userspace callers checking
> >> specifically for -EINVAL would see different behavior start is
> >> below mmap_min_addr.
> >
> > You mean API change? :) we don't guarantee ABI for kernel stuff anyway.
> >
>
> Ah no, I meant ABI, I hope :)
>
> The return value of validate_unaligned_range() flows directly back to the
> ioctl() return value, which is visible to userspace. The error code a program
> sees from ioctl(fd, UFFDIO_REGISTER, ...) changes from -EINVAL to -EPERM for
> the same input, right? Its probably not an issue, but we would need to update
> https://man7.org/linux/man-pages/man2/ioctl_userfaultfd.2.html
> right?
Ah right I see, yeah just a doc change then :)
Cheers, Lorenzo
^ permalink raw reply [flat|nested] only message in thread