[BUG] userfaultfd: UFFDIO_REGISTER fails on low addresses despite CAP_SYS_RAWIO

From: Denis M. Karpov

Date: Fri Apr 03 2026 - 07:27:16 EST


Hello,
I am seeing an inconsistency between mmap() and userfaultfd's UFFDIO_REGISTER
logic regarding low memory addresses.
Kernel: 6.12.63+deb13-amd64 (Debian 6.12.63-1)
Description:
As root (or with CAP_SYS_RAWIO), it is possible to mmap() the low-address area
(below mmap_min_addr). However, UFFDIO_REGISTER fails with -EINVAL for these
same ranges. The issue appears to be in fs/userfaultfd.c:validate_range():
	if (start < mmap_min_addr)
		return -EINVAL;

While mmap() uses cap_mmap_addr() to allow privileged access to these areas,
userfaultfd performs a hard check against mmap_min_addr without considering
capabilities. This prevents binary translators/compilers from using UFFD on
valid memory areas mapped by the application.

Reproducer (must be run as root):
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <linux/userfaultfd.h>
#include <fcntl.h>
#include <unistd.h>

#define SIZE 0x1000

int main(void)
{
	/* Map one page below mmap_min_addr; succeeds as root / CAP_SYS_RAWIO
	 * because mmap() consults cap_mmap_addr(). */
	void *data = mmap((void *)0x1000, SIZE, PROT_NONE,
			  MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
	if (data == MAP_FAILED) {
		perror("map failed");
		return 1;
	}

	int uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
	if (uffd == -1) {
		perror("syscall");
		return 1;
	}

	/* Handshake: negotiate the API version, no extra features requested. */
	struct uffdio_api uffdio_api;
	uffdio_api.api = UFFD_API;
	uffdio_api.features = 0;
	if (ioctl(uffd, UFFDIO_API, &uffdio_api)) {
		perror("UFFDIO_API");
		return 1;
	}
	if (uffdio_api.api != UFFD_API) {
		fprintf(stderr, "UFFDIO_API error\n");
		return 1;
	}

	/* Register the low page just mapped; this is the call that fails with
	 * -EINVAL because validate_range() rejects start < mmap_min_addr
	 * without checking capabilities. */
	struct uffdio_register uffdio_register;
	uffdio_register.range.start = (unsigned long)data;
	uffdio_register.range.len = SIZE;
	uffdio_register.mode = UFFDIO_REGISTER_MODE_WP;

	if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1) {
		perror("ioctl(UFFDIO_REGISTER)");
		return 1;
	}
	return 0;
}
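To make the divergence between the two code paths concrete without needing root or a kernel build, here is a user-space model of the range checks, added here and not part of the original report or of fs/userfaultfd.c. It is modeled on the behaviour the report describes: page-granularity and overflow checks that both paths share, then either the hard floor at mmap_min_addr (current behaviour) or a floor that a CAP_SYS_RAWIO holder may cross, mirroring cap_mmap_addr(). The function names, MODEL_TASK_SIZE and the 65536 floor are constructed for the model; the real kernel function is the only authority on its own checks.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the checks UFFDIO_REGISTER applies to a range.
 * Assumption: modeled on the description of fs/userfaultfd.c:validate_range()
 * in the report; this is not the kernel's code. */

#define MODEL_PAGE_SIZE 0x1000UL
/* Constructed x86-64 user address-space limit used by the model. */
#define MODEL_TASK_SIZE 0x00007ffffffff000UL

/* Shape checks shared by both variants: alignment, non-empty, no wrap. */
static int check_range_shape(uint64_t start, uint64_t len)
{
	if (start & (MODEL_PAGE_SIZE - 1))
		return -EINVAL;              /* start must be page aligned */
	if (len & (MODEL_PAGE_SIZE - 1))
		return -EINVAL;              /* len must be a page multiple */
	if (len == 0)
		return -EINVAL;              /* empty range */
	if (start >= MODEL_TASK_SIZE)
		return -EINVAL;              /* outside user address space */
	if (len > MODEL_TASK_SIZE - start)
		return -EINVAL;              /* end beyond limit or wraps around */
	return 0;
}

/* Current behaviour from the report: a hard floor at mmap_min_addr that
 * ignores the caller's capabilities. */
int uffd_validate_current(uint64_t start, uint64_t len, uint64_t mmap_min_addr)
{
	int rc = check_range_shape(start, len);
	if (rc)
		return rc;
	if (start < mmap_min_addr)
		return -EINVAL;
	return 0;
}

/* Capability-aware variant: the floor only applies to callers without
 * CAP_SYS_RAWIO, which is how mmap() behaves via cap_mmap_addr().
 * Assumption: one possible shape of a fix, not an actual kernel patch. */
int uffd_validate_cap_aware(uint64_t start, uint64_t len,
			    uint64_t mmap_min_addr, bool has_sys_rawio)
{
	int rc = check_range_shape(start, len);
	if (rc)
		return rc;
	if (start < mmap_min_addr && !has_sys_rawio)
		return -EINVAL;
	return 0;
}

int main(void)
{
	/* 65536 is a common vm.mmap_min_addr default; constructed for the model. */
	const uint64_t min_addr = 0x10000;
	const uint64_t low = 0x1000, len = 0x1000;

	printf("current,   root: %d\n", uffd_validate_current(low, len, min_addr));
	printf("cap-aware, root: %d\n", uffd_validate_cap_aware(low, len, min_addr, true));
	printf("cap-aware, user: %d\n", uffd_validate_cap_aware(low, len, min_addr, false));
	return 0;
}
```

The reproducer's range (0x1000, one page) passes every shape check in both variants; only the floor differs, which is the inconsistency the report points at. An unprivileged caller is rejected by both, so the capability-aware variant does not widen what non-root code can register.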