Re: [PATCH v4 09/14] mm/userfaultfd: add RWP fault delivery and expose UFFDIO_REGISTER_MODE_RWP

From: Kiryl Shutsemau

Date: Mon May 25 2026 - 11:29:36 EST


On Mon, May 25, 2026 at 12:18:57PM +0000, sashiko-bot@xxxxxxxxxx wrote:
> Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
>
> New issues:
> - [High] UFFD RWP tracking is bypassed or causes an infinite loop
> during GUP FOLL_FORCE accesses on PROT_NONE VMAs.


Will fix in v5 by rejecting UFFDIO_REGISTER_MODE_RWP on PROT_NONE VMAs
in vma_can_userfault(), so this state can't be set up to begin with.

> - [High] Orphaned RWP-protected PTEs cause an unrecoverable infinite
> page fault loop in hugetlb_fault().

Fork goes through copy_hugetlb_page_range() (with the pte_uffd gate I'm
adding for the 06/14 finding), so the orphan state isn't produced.

> - [High] NUMA balancing silently strips userfaultfd RWP protection from adjacent PTEs within a large folio.

Confirmed. NUMA scanning already skips RWP-armed PTEs (the
pte_protnone() guard in change_pte_range()), so the two never coexist
on a given folio at apply time -- but numa_rebuild_large_mapping() is
the one place they can meet. Will fix in v5 by gating the rebuild on
pte_uffd():

+ if (pte_uffd(ptent))
+ continue;
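Review bot: the two posted lines carry no context, so it is not visible whether `ptent` here is the value re-read for each adjacent PTE inside numa_rebuild_large_mapping()'s walk over the folio, or the faulting PTE handed in by the caller; since the finding is about adjacent PTEs within the large folio being stripped, the v5 hunk should show the enclosing loop and apply `if (pte_uffd(ptent)) continue;` to every PTE being rebuilt, not only the one that faulted. A short comment above the `continue` stating why RWP-armed PTEs are skipped (they are already excluded from NUMA scanning by the pte_protnone() guard in change_pte_range(), and the rebuild must not reintroduce them) would also help the next reader of that function.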

> - [Medium] Missing feature capability check in userfaultfd_register
> allows enabling RWP without negotiating the feature.

The check is there -- mm/userfaultfd.c:

	if (uffdio_register.mode & UFFDIO_REGISTER_MODE_RWP) {
		if (!pgtable_supports_uffd() || VM_UFFD_RWP == VM_NONE)
			goto out;
		if (!(ctx->features & UFFD_FEATURE_RWP))
			goto out;
		vm_flags |= VM_UFFD_RWP;
	}

> Pre-existing issues:
> - [High] Calling present-PTE accessors on potentially non-present swap or migration entries in must_wait() handlers.

Confirmed and pre-existing -- userfaultfd_must_wait() reads the PTE
locklessly and applies pte_write() / pte_protnone() / pte_uffd()
without checking pte_present(). The pre-patch pte_write() path has the
same shape on master. Will address in a separate fix.

> --
> Sashiko AI review · https://sashiko.dev/#/patchset/20260525113737.1942478-1-kas@xxxxxxxxxx?part=9

--
Kiryl Shutsemau / Kirill A. Shutemov
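The pre-existing must_wait() finding above (present-PTE accessors applied to a PTE read locklessly, without a pte_present() check) can be reproduced in a user-space model. The block below is an added example written for this page; it is not code from the patch, from mm/userfaultfd.c, or from any architecture's page-table code. The PTE layout it uses (present in bit 0, write in bit 1, a hypothetical RWP bit in bit 2, and a non-present swap entry packing its swap type into bits 1..5) is an assumption made for illustration only, and the accessor names pte_present(), pte_write(), pte_uffd() are toy reimplementations that mirror the kernel's names but not its code. The NOT_PRESENT result returned by the checked variant is this example's own policy for handing non-present entries to a separate swap-entry path; the page does not say how the separate fix will treat them.

```c
/*
 * Added example (not kernel code): why present-only PTE accessors must not
 * be applied to a PTE before checking pte_present().
 *
 * Assumed toy PTE layout, NOT the layout of any real architecture:
 *   bit 0   present
 *   bit 1   writable            (meaningful only when present)
 *   bit 2   hypothetical RWP arm (meaningful only when present)
 *   bit 12+ page frame number
 * A non-present swap entry reuses the low bits: swap type in bits 1..5,
 * swap offset from bit 6 up.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pte_t;

#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITE     (1ULL << 1)
#define PTE_UFFD      (1ULL << 2)
#define PTE_PFN_SHIFT 12

#define SWP_TYPE_SHIFT 1
#define SWP_OFF_SHIFT  6

static inline bool pte_none(pte_t p)    { return p == 0; }
static inline bool pte_present(pte_t p) { return (p & PTE_PRESENT) != 0; }
/* Present-only accessors: they read raw bits and know nothing about swap entries. */
static inline bool pte_write(pte_t p)   { return (p & PTE_WRITE) != 0; }
static inline bool pte_uffd(pte_t p)    { return (p & PTE_UFFD) != 0; }

static inline pte_t mk_pte(uint64_t pfn, bool writable, bool uffd)
{
	return PTE_PRESENT | (pfn << PTE_PFN_SHIFT) |
	       (writable ? PTE_WRITE : 0) | (uffd ? PTE_UFFD : 0);
}

static inline pte_t mk_swap_pte(unsigned type, uint64_t offset)
{
	return ((pte_t)type << SWP_TYPE_SHIFT) | (offset << SWP_OFF_SHIFT);
}

enum must_wait { NO_WAIT = 0, WAIT = 1, NOT_PRESENT = 2 };

/* Shape of the flaw: accessors applied to whatever was read, present or not. */
enum must_wait must_wait_unchecked(pte_t pte, bool write_fault)
{
	if (pte_none(pte))
		return WAIT;                /* missing page: handler must fill it */
	if (write_fault && !pte_write(pte))
		return WAIT;                /* on a swap entry this reads the swap type */
	if (pte_uffd(pte))
		return WAIT;                /* likewise */
	return NO_WAIT;
}

/* Classify by presence before touching any present-only bit. */
enum must_wait must_wait_checked(pte_t pte, bool write_fault)
{
	if (pte_none(pte))
		return WAIT;
	if (!pte_present(pte))
		return NOT_PRESENT;         /* swap/migration entry: decode with swap accessors instead */
	if (write_fault && !pte_write(pte))
		return WAIT;
	if (pte_uffd(pte))
		return WAIT;
	return NO_WAIT;
}

int main(void)
{
	/* Constructed inputs: the same swapped-out page on three swap devices. */
	pte_t swap0 = mk_swap_pte(0, 0x1234);
	pte_t swap1 = mk_swap_pte(1, 0x1234);
	pte_t swap2 = mk_swap_pte(2, 0x1234);

	/* The unchecked answer changes with the swap type, i.e. it is garbage. */
	printf("unchecked: type0=%d type1=%d type2=%d\n",
	       must_wait_unchecked(swap0, true), must_wait_unchecked(swap1, true),
	       must_wait_unchecked(swap2, true));
	/* The checked answer is the same for all three. */
	printf("checked:   type0=%d type1=%d type2=%d\n",
	       must_wait_checked(swap0, true), must_wait_checked(swap1, true),
	       must_wait_checked(swap2, true));
	return 0;
}
```

The point the model makes is independent of the toy bit positions: whatever a given architecture stores in a non-present entry, pte_write() and pte_uffd() on that word return whatever happens to occupy those bits, so the wait decision depends on the swap type or migration target rather than on any protection state. The lockless read the function performs makes this worse, since the entry can change from present to non-present between the read and the accessor calls, which is why the presence test has to be made on the same value that the accessors are then applied to.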