Re: [RFC PATCH] userfaultfd: allow registration of ranges below mmap_min_addr

From: Usama Arif

Date: Wed Apr 08 2026 - 08:38:12 EST


On Tue, 7 Apr 2026 11:14:42 +0300 "Denis M. Karpov" <komlomal@xxxxxxxxx> wrote:

> The current implementation of validate_range() in fs/userfaultfd.c
> performs a hard check against mmap_min_addr without considering
> capabilities, but the mmap() syscall uses security_mmap_addr()
> which allows privileged processes (with CAP_SYS_RAWIO) to map below
> mmap_min_addr. Furthermore, security_mmap_addr()->cap_mmap_addr() uses
> the dac_mmap_min_addr variable, which can be changed via
> /proc/sys/vm/mmap_min_addr.
>
> Because userfaultfd uses a different check, UFFDIO_REGISTER may fail
> with -EINVAL for valid memory areas that were successfully mapped
> below mmap_min_addr even with appropriate capabilities.
>
> This prevents apps like binary compilers from using UFFD for valid memory
> regions mapped by the application.
>
> Replace the rigid mmap_min_addr check with security_mmap_addr() to align
> userfaultfd with the standard kernel memory mapping security policy.
>
> Signed-off-by: Denis M. Karpov <komlomal@xxxxxxxxx>
>
> ---
> Initial RFC following the discussion on the [BUG] thread.
> Link: https://lore.kernel.org/all/CADtiZd0tWysx5HMCUnOXfSHB7PXAuXg1Mh4eY_hUmH29S=sejg@xxxxxxxxxxxxxx/
> ---
> fs/userfaultfd.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index bdc84e521..dbfe5b2a0 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -1238,15 +1238,13 @@ static __always_inline int validate_unaligned_range(
> return -EINVAL;
> if (!len)
> return -EINVAL;
> - if (start < mmap_min_addr)
> - return -EINVAL;
> if (start >= task_size)
> return -EINVAL;
> if (len > task_size - start)
> return -EINVAL;
> if (start + len <= start)
> return -EINVAL;
> - return 0;
> + return security_mmap_addr(start);

Is this introducing an ABI change?

The old code returned -EINVAL when start was below mmap_min_addr.
The new code calls security_mmap_addr(), which returns -EPERM when
the caller lacks CAP_SYS_RAWIO. Existing userspace callers checking
specifically for -EINVAL would see different behavior when start is
below mmap_min_addr.

> }
>
> static __always_inline int validate_range(struct mm_struct *mm,
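
Review bot: the errno for a start below mmap_min_addr changes at the last line of the hunk without being documented: `return security_mmap_addr(start);` replaces `return 0;`, and with `if (start < mmap_min_addr) return -EINVAL;` dropped, a caller without CAP_SYS_RAWIO now gets whatever security_mmap_addr() returns instead of -EINVAL, and any LSM hook stacked behind security_mmap_addr() now also runs for every user of validate_range(), not only mmap(). Either keep the old errno, e.g. `if (security_mmap_addr(start)) return -EINVAL; return 0;`, or state the new errno in the commit message and the UFFDIO_REGISTER documentation. Since the new call sits after the task_size and overflow checks, a range that fails those still reports -EINVAL before the policy check is reached, which is worth a sentence in the commit message as well.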
> --
> 2.47.3
>
>
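
An added example, not part of this thread or of the kernel tree, that does two things: it models the checks visible in the hunk before and after the patch so the errno difference raised above can be seen for privileged and unprivileged callers, and it probes the running kernel by mapping one page just below mmap_min_addr and registering it with userfaultfd. Assumptions, also labelled in the code: security_mmap_addr() is reduced to the CAP_SYS_RAWIO test in cap_mmap_addr() with no stacked LSM, the task_size and mmap_min_addr values fed to the model are constructed, and the live probe needs Linux, CAP_SYS_RAWIO for the mmap, and a kernel that allows the userfaultfd() syscall to the caller.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/userfaultfd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000
#endif

enum { MODEL_OLD, MODEL_NEW };

/* Assumed model of security_mmap_addr(), reduced to cap_mmap_addr(): below
 * the DAC floor only CAP_SYS_RAWIO passes. A stacked LSM may deny more. */
static int model_security_mmap_addr(unsigned long addr, unsigned long min_addr,
                                    int has_sys_rawio)
{
    return (addr < min_addr && !has_sys_rawio) ? -EPERM : 0;
}

/* The checks visible in the hunk, before (MODEL_OLD) and after (MODEL_NEW) the
 * patch. The alignment check producing the first quoted "return -EINVAL;" lies
 * outside the hunk and is not modelled. */
static int model_validate_unaligned_range(int version, unsigned long start,
                                          unsigned long len, unsigned long task_size,
                                          unsigned long min_addr, int has_sys_rawio)
{
    if (!len)
        return -EINVAL;
    if (version == MODEL_OLD && start < min_addr)
        return -EINVAL;                     /* check removed by the patch */
    if (start >= task_size || len > task_size - start || start + len <= start)
        return -EINVAL;
    if (version == MODEL_OLD)
        return 0;
    return model_security_mmap_addr(start, min_addr, has_sys_rawio); /* runs last */
}

/* Live probe: map one page just below mmap_min_addr (needs CAP_SYS_RAWIO) and
 * register it with userfaultfd. Returns 0 on success, 1 if there is no page
 * below mmap_min_addr to test, else -errno of the step named in *step. On an
 * unpatched kernel the UFFDIO_REGISTER step fails with EINVAL. */
static int probe_register_below_min_addr(const char **step)
{
    unsigned long page = (unsigned long)sysconf(_SC_PAGESIZE);
    unsigned long min_addr = 0;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    struct uffdio_register reg = { .mode = UFFDIO_REGISTER_MODE_MISSING };
    int ret = 0, fd;
    void *p;

    if (!f || fscanf(f, "%lu", &min_addr) != 1)
        min_addr = 0;
    if (f)
        fclose(f);
    if (min_addr < page) {
        *step = "mmap_min_addr";
        return 1;
    }
    p = mmap((void *)(min_addr - page), page, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (p == MAP_FAILED) {
        *step = "mmap";                     /* EPERM here: no CAP_SYS_RAWIO */
        return -errno;
    }
    fd = (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) {
        *step = "userfaultfd";
        ret = -errno;
        goto out_unmap;
    }
    reg.range.start = (unsigned long)p;
    reg.range.len = page;
    if (ioctl(fd, UFFDIO_API, &api) < 0) {
        *step = "UFFDIO_API";
        ret = -errno;
    } else if (ioctl(fd, UFFDIO_REGISTER, &reg) < 0) {
        *step = "UFFDIO_REGISTER";
        ret = -errno;
    }
    close(fd);
out_unmap:
    munmap(p, page);
    return ret;
}

int main(void)
{
    const char *step = "";
    int rc = probe_register_below_min_addr(&step);

    /* Constructed values: x86-64 task size, default 64 KiB mmap_min_addr. */
    printf("model: old=%d new(rawio)=%d new(no rawio)=%d\n",
           model_validate_unaligned_range(MODEL_OLD, 0x1000, 0x1000, 0x7ffffffff000UL, 0x10000, 1),
           model_validate_unaligned_range(MODEL_NEW, 0x1000, 0x1000, 0x7ffffffff000UL, 0x10000, 1),
           model_validate_unaligned_range(MODEL_NEW, 0x1000, 0x1000, 0x7ffffffff000UL, 0x10000, 0));
    printf("live probe: rc=%d at step %s\n", rc, step);
    return 0;
}
```

Run it as root or with CAP_SYS_RAWIO: on a kernel without this patch the probe stops at UFFDIO_REGISTER with -EINVAL, which is the failure the commit message describes. Without the capability the probe already stops at the mmap with -EPERM, the same value the modelled post-patch validate_range() reports for that range, while the pre-patch model reports -EINVAL; the model also shows that a range failing the task_size or overflow checks keeps returning -EINVAL under both versions because the policy check is evaluated last.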