The Linux Kernel Mailing List
 help / color / mirror / Atom feed
* [PATCH] mm/userfaultfd: clear uffd-wp PTE state when re-registering without WP
@ 2026-06-01  8:26 Jianhui Zhou
  2026-06-28 20:53 ` Andrew Morton
  2026-07-03  6:24 ` Mike Rapoport
  0 siblings, 2 replies; 3+ messages in thread
From: Jianhui Zhou @ 2026-06-01  8:26 UTC (permalink / raw)
  To: akpm, rppt, linux-mm
  Cc: peterx, linux-kernel, syzkaller-bugs, syzbot+18d274a59b87cf80e86d,
	Jianhui Zhou

UFFDIO_REGISTER can be issued on a range that is already registered in
the same userfaultfd context, replacing the VMA's userfaultfd tracking
mode.  For example, a range can be registered with
UFFDIO_REGISTER_MODE_WP and later re-registered with
UFFDIO_REGISTER_MODE_MISSING.

When the second registration removes VM_UFFD_WP, the VMA flags are
updated but existing uffd-wp state in page-table entries is left behind.
That stale state can survive in swap PTEs.  On swapin, do_swap_page()
restores _PAGE_UFFD_WP from the swap PTE and can then install a writable
PTE, triggering page_table_check:

  pte_uffd_wp(pte) && pte_write(pte)

Handle removal of WP mode through UFFDIO_REGISTER the same way as
UFFDIO_UNREGISTER: resolve the per-PTE uffd-wp state before dropping
VM_UFFD_WP from the VMA.

Also make the same-context fast path require an exact UFFD mode match.
The old subset check treats MISSING|WP -> MISSING as a no-op, even though
WP mode is being removed.

Fixes: f45ec5ff16a7 ("userfaultfd: wp: support swap and page migration")
Reported-by: syzbot+18d274a59b87cf80e86d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=18d274a59b87cf80e86d
Signed-off-by: Jianhui Zhou <jianhuizzzzz@gmail.com>
---
 mm/userfaultfd.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 180bad42fc79..dc0b3eba768b 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -2153,13 +2153,21 @@ int userfaultfd_register_range(struct userfaultfd_ctx *ctx,
 		 * userfaultfd and with the right tracking mode too.
 		 */
 		if (vma->vm_userfaultfd_ctx.ctx == ctx &&
-		    vma_test_all_mask(vma, vma_flags))
+		    (vma->vm_flags & __VM_UFFD_FLAGS) == vm_flags)
 			goto skip;
 
 		if (vma->vm_start > start)
 			start = vma->vm_start;
 		vma_end = min(end, vma->vm_end);
 
+		/*
+		 * Re-registering into the same userfaultfd can remove WP mode.
+		 * Clear any per-PTE uffd-wp state before dropping VM_UFFD_WP,
+		 * matching the UFFDIO_UNREGISTER cleanup semantics.
+		 */
+		if (userfaultfd_wp(vma) && !(vm_flags & VM_UFFD_WP))
+			uffd_wp_range(vma, start, vma_end - start, false);
+
 		new_vma_flags = vma->flags;
 		vma_flags_clear_mask(&new_vma_flags, __VMA_UFFD_FLAGS);
 		vma_flags_set_mask(&new_vma_flags, vma_flags);

base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] mm/userfaultfd: clear uffd-wp PTE state when re-registering without WP
  2026-06-01  8:26 [PATCH] mm/userfaultfd: clear uffd-wp PTE state when re-registering without WP Jianhui Zhou
@ 2026-06-28 20:53 ` Andrew Morton
  2026-07-03  6:24 ` Mike Rapoport
  1 sibling, 0 replies; 3+ messages in thread
From: Andrew Morton @ 2026-06-28 20:53 UTC (permalink / raw)
  To: Jianhui Zhou
  Cc: rppt, linux-mm, peterx, linux-kernel, syzkaller-bugs,
	syzbot+18d274a59b87cf80e86d

On Mon,  1 Jun 2026 16:26:09 +0800 Jianhui Zhou <jianhuizzzzz@gmail.com> wrote:

> UFFDIO_REGISTER can be issued on a range that is already registered in
> the same userfaultfd context, replacing the VMA's userfaultfd tracking
> mode.  For example, a range can be registered with
> UFFDIO_REGISTER_MODE_WP and later re-registered with
> UFFDIO_REGISTER_MODE_MISSING.
> 
> When the second registration removes VM_UFFD_WP, the VMA flags are
> updated but existing uffd-wp state in page-table entries is left behind.
> That stale state can survive in swap PTEs.  On swapin, do_swap_page()
> restores _PAGE_UFFD_WP from the swap PTE and can then install a writable
> PTE, triggering page_table_check:
> 
>   pte_uffd_wp(pte) && pte_write(pte)
> 
> Handle removal of WP mode through UFFDIO_REGISTER the same way as
> UFFDIO_UNREGISTER: resolve the per-PTE uffd-wp state before dropping
> VM_UFFD_WP from the VMA.
> 
> Also make the same-context fast path require an exact UFFD mode match.
> The old subset check treats MISSING|WP -> MISSING as a no-op, even though
> WP mode is being removed.

Thanks.

> Fixes: f45ec5ff16a7 ("userfaultfd: wp: support swap and page migration")
> Reported-by: syzbot+18d274a59b87cf80e86d@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=18d274a59b87cf80e86d

So we have a WARN which can be triggered by unprivileged userspace.

The patch arrived during -rc6 when people were reviewing and testing
material for the next merge window, rather than looking at new changes.

> --- a/mm/userfaultfd.c
> +++ b/mm/userfaultfd.c
> @@ -2153,13 +2153,21 @@ int userfaultfd_register_range(struct userfaultfd_ctx *ctx,
>  		 * userfaultfd and with the right tracking mode too.
>  		 */
>  		if (vma->vm_userfaultfd_ctx.ctx == ctx &&
> -		    vma_test_all_mask(vma, vma_flags))
> +		    (vma->vm_flags & __VM_UFFD_FLAGS) == vm_flags)
>  			goto skip;
>  
>  		if (vma->vm_start > start)
>  			start = vma->vm_start;
>  		vma_end = min(end, vma->vm_end);
>  
> +		/*
> +		 * Re-registering into the same userfaultfd can remove WP mode.
> +		 * Clear any per-PTE uffd-wp state before dropping VM_UFFD_WP,
> +		 * matching the UFFDIO_UNREGISTER cleanup semantics.
> +		 */
> +		if (userfaultfd_wp(vma) && !(vm_flags & VM_UFFD_WP))
> +			uffd_wp_range(vma, start, vma_end - start, false);
> +
>  		new_vma_flags = vma->flags;
>  		vma_flags_clear_mask(&new_vma_flags, __VMA_UFFD_FLAGS);
>  		vma_flags_set_mask(&new_vma_flags, vma_flags);

I'll queue this for 7.3-rc1, with a cc:stable.  f45ec5ff16a7 was 6
years ago, so there's no rush here.

I don't know if this is the best fix, so I'll await reviewer input
before taking it any further.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] mm/userfaultfd: clear uffd-wp PTE state when re-registering without WP
  2026-06-01  8:26 [PATCH] mm/userfaultfd: clear uffd-wp PTE state when re-registering without WP Jianhui Zhou
  2026-06-28 20:53 ` Andrew Morton
@ 2026-07-03  6:24 ` Mike Rapoport
  1 sibling, 0 replies; 3+ messages in thread
From: Mike Rapoport @ 2026-07-03  6:24 UTC (permalink / raw)
  To: Jianhui Zhou
  Cc: akpm, linux-mm, peterx, linux-kernel, syzkaller-bugs,
	syzbot+18d274a59b87cf80e86d

On Mon, Jun 01, 2026 at 04:26:09PM +0800, Jianhui Zhou wrote:
> UFFDIO_REGISTER can be issued on a range that is already registered in
> the same userfaultfd context, replacing the VMA's userfaultfd tracking
> mode.  For example, a range can be registered with
> UFFDIO_REGISTER_MODE_WP and later re-registered with
> UFFDIO_REGISTER_MODE_MISSING.
> 
> When the second registration removes VM_UFFD_WP, the VMA flags are
> updated but existing uffd-wp state in page-table entries is left behind.
> That stale state can survive in swap PTEs.  On swapin, do_swap_page()
> restores _PAGE_UFFD_WP from the swap PTE and can then install a writable
> PTE, triggering page_table_check:
> 
>   pte_uffd_wp(pte) && pte_write(pte)

Please explain where the check is triggered and what are the effects.
 
> Handle removal of WP mode through UFFDIO_REGISTER the same way as
> UFFDIO_UNREGISTER: resolve the per-PTE uffd-wp state before dropping
> VM_UFFD_WP from the VMA.
> 
> Also make the same-context fast path require an exact UFFD mode match.
> The old subset check treats MISSING|WP -> MISSING as a no-op, even though
> WP mode is being removed.
> 
> Fixes: f45ec5ff16a7 ("userfaultfd: wp: support swap and page migration")
> Reported-by: syzbot+18d274a59b87cf80e86d@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=18d274a59b87cf80e86d
> Signed-off-by: Jianhui Zhou <jianhuizzzzz@gmail.com>
> ---
>  mm/userfaultfd.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> index 180bad42fc79..dc0b3eba768b 100644
> --- a/mm/userfaultfd.c
> +++ b/mm/userfaultfd.c
> @@ -2153,13 +2153,21 @@ int userfaultfd_register_range(struct userfaultfd_ctx *ctx,
>  		 * userfaultfd and with the right tracking mode too.
>  		 */
>  		if (vma->vm_userfaultfd_ctx.ctx == ctx &&
> -		    vma_test_all_mask(vma, vma_flags))
> +		    (vma->vm_flags & __VM_UFFD_FLAGS) == vm_flags)

Please use new VMA flag APIs.

>  			goto skip;
>  
>  		if (vma->vm_start > start)
>  			start = vma->vm_start;
>  		vma_end = min(end, vma->vm_end);
>  
> +		/*
> +		 * Re-registering into the same userfaultfd can remove WP mode.
> +		 * Clear any per-PTE uffd-wp state before dropping VM_UFFD_WP,
> +		 * matching the UFFDIO_UNREGISTER cleanup semantics.
> +		 */
> +		if (userfaultfd_wp(vma) && !(vm_flags & VM_UFFD_WP))
> +			uffd_wp_range(vma, start, vma_end - start, false);
> +
>  		new_vma_flags = vma->flags;
>  		vma_flags_clear_mask(&new_vma_flags, __VMA_UFFD_FLAGS);
>  		vma_flags_set_mask(&new_vma_flags, vma_flags);
> 
> base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
> -- 
> 2.43.0
> 

-- 
Sincerely yours,
Mike.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-07-03  6:24 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-01  8:26 [PATCH] mm/userfaultfd: clear uffd-wp PTE state when re-registering without WP Jianhui Zhou
2026-06-28 20:53 ` Andrew Morton
2026-07-03  6:24 ` Mike Rapoport

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox