Re: [RFC PATCH] userfaultfd: allow registration of ranges below mmap_min_addr

From: Usama Arif

Date: Thu Apr 09 2026 - 06:53:20 EST



On 09/04/2026 09:01, Lorenzo Stoakes wrote:
> On Wed, Apr 08, 2026 at 05:36:59AM -0700, Usama Arif wrote:
>> On Tue, 7 Apr 2026 11:14:42 +0300 "Denis M. Karpov" <komlomal@xxxxxxxxx> wrote:
>>
>>> The current implementation of validate_range() in fs/userfaultfd.c
>>> performs a hard check against mmap_min_addr without considering
>>> capabilities, but the mmap() syscall uses security_mmap_addr()
>>> which allows privileged processes (with CAP_SYS_RAWIO) to map below
>>> mmap_min_addr. Furthermore, security_mmap_addr()->cap_mmap_addr() uses
>>> dac_mmap_min_addr variable which can be changed with
>>> /proc/sys/vm/mmap_min_addr.
>>>
>>> Because userfaultfd uses a different check, UFFDIO_REGISTER may fail
>>> with -EINVAL for valid memory areas that were successfully mapped
>>> below mmap_min_addr even with appropriate capabilities.
>>>
>>> This prevents apps like binary compilers from using UFFD for valid memory
>>> regions mapped by application.
>>>
>>> Replace the rigid mmap_min_addr check with security_mmap_addr() to align
>>> userfaultfd with the standard kernel memory mapping security policy.
>>>
>>> Signed-off-by: Denis M. Karpov <komlomal@xxxxxxxxx>
>>>
>>> ---
>>> Initial RFC following the discussion on the [BUG] thread.
>>> Link: https://lore.kernel.org/all/CADtiZd0tWysx5HMCUnOXfSHB7PXAuXg1Mh4eY_hUmH29S=sejg@xxxxxxxxxxxxxx/
>>> ---
>>> fs/userfaultfd.c | 4 +---
>>> 1 file changed, 1 insertion(+), 3 deletions(-)
>>>
>>> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
>>> index bdc84e521..dbfe5b2a0 100644
>>> --- a/fs/userfaultfd.c
>>> +++ b/fs/userfaultfd.c
>>> @@ -1238,15 +1238,13 @@ static __always_inline int validate_unaligned_range(
>>> return -EINVAL;
>>> if (!len)
>>> return -EINVAL;
>>> - if (start < mmap_min_addr)
>>> - return -EINVAL;
>>> if (start >= task_size)
>>> return -EINVAL;
>>> if (len > task_size - start)
>>> return -EINVAL;
>>> if (start + len <= start)
>>> return -EINVAL;
>>> - return 0;
>>> + return security_mmap_addr(start);
>>
>> Is this introducing an ABI change?
>>
>> The old code returned -EINVAL when start was below mmap_min_addr.
>> The new code calls security_mmap_addr() which returns -EPERM when
>> the caller lacks CAP_SYS_RAWIO. Existing userspace callers checking
>> specifically for -EINVAL would see different behavior start is
>> below mmap_min_addr.
>
> You mean API change? :) we don't guarantee ABI for kernel stuff anyway.
>

Ah no, I meant ABI, I hope :)

The return value of validate_unaligned_range() flows directly back to the
ioctl() return value, which is visible to userspace. The error code a program
sees from ioctl(fd, UFFDIO_REGISTER, ...) changes from -EINVAL to -EPERM for
the same input, right? Its probably not an issue, but we would need to update
https://man7.org/linux/man-pages/man2/ioctl_userfaultfd.2.html
right?