Re: [PATCH v2] mm/userfaultfd: detect VMA replacement after copy retry in mfill_copy_folio_retry()

Next message: Luis Augenstein: "Re: [PATCH 02/15] scripts/sbom: integrate script in make process"
Previous message: anthony.l.nguyen: "Re: [PATCH v2 4/4] drm/xe: switch xe_pagefault_queue_init() to using bitmap_weighted_or()"
In reply to: David Carlier: "[PATCH v2] mm/userfaultfd: detect VMA replacement after copy retry in mfill_copy_folio_retry()"
Next in thread: David CARLIER: "Re: [PATCH v2] mm/userfaultfd: detect VMA replacement after copy retry in mfill_copy_folio_retry()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Morton

Date: Mon Mar 30 2026 - 16:48:50 EST

On Mon, 30 Mar 2026 21:29:09 +0100 David Carlier <devnexen@xxxxxxxxx> wrote:

> In mfill_copy_folio_retry(), all locks are dropped to retry
> copy_from_user() with page faults enabled. During this window, the VMA
> can be replaced entirely (e.g. munmap + mmap + UFFDIO_REGISTER by
> another thread), but the caller proceeds with a folio allocated from the
> original VMA's backing store.
>
> Checking ops alone is insufficient: the replacement VMA could be the
> same type (e.g. shmem -> shmem) with identical flags but a different
> backing inode. Take a snapshot of the VMA's inode and flags before
> dropping locks, and compare after re-acquiring them. If anything
> changed, bail out with -EAGAIN.

Thanks. What are the userspace-visible runtime effects of the bug?

If they're serious we might be looking at a cc:stable and a
Fixes: tag?