[PATCH v2 1/3] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing
From: Mike Rapoport
Date: Fri May 01 2026 - 10:57:54 EST
From: "Mike Rapoport (Microsoft)" <rppt@xxxxxxxxxx>
Sashiko says:
mremap_userfaultfd_prep() increments ctx->mmap_changing to stall
concurrent operations, but mremap_userfaultfd_fail() does not
decrement it before dropping the context reference.
If an mremap operation fails, ctx->mmap_changing remains elevated. This
will causes subsequent userfaultfd operations like a UFFDIO_COPY to fail
with -EAGAIN.
Decrement ctx->mmap_changing in mremap_userfaultfd_fail().
Link: https://sashiko.dev/#/patchset/20260430113512.115938-1-rppt@xxxxxxxxxx
Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races")
Signed-off-by: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>
---
fs/userfaultfd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 4b53dc4a3266..ef963a58f1a1 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -786,6 +786,7 @@ void mremap_userfaultfd_fail(struct vm_userfaultfd_ctx *vm_ctx)
if (!ctx)
return;
+ atomic_dec(&ctx->mmap_changing);
userfaultfd_ctx_put(ctx);
}
--
2.53.0