Re: [PATCH RESEND] userfaultfd: snapshot VMA state across UFFDIO_COPY retry

Next message: Maarten Lankhorst: "Re: [PATCH 6.18.y 0/5] drm/vkms: Backport generic vblank timer to fix ABBA deadlock"
Previous message: syzbot: "Forwarded: [PATCH] media: vidtv: fix memory leak by cleaning up mux in bridge_remove"
In reply to: Liam R. Howlett: "Re: [PATCH RESEND] userfaultfd: snapshot VMA state across UFFDIO_COPY retry"
Next in thread: Lorenzo Stoakes: "Re: [PATCH RESEND] userfaultfd: snapshot VMA state across UFFDIO_COPY retry"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Hildenbrand (Arm)

Date: Tue May 26 2026 - 08:49:57 EST

On 5/25/26 19:12, Liam R. Howlett wrote:
> On 26/05/20 04:38PM, David Hildenbrand (Arm) wrote:
>> On 5/20/26 16:12, Mike Rapoport wrote:
>>>
>>> Let me reiterate:
>>>
>>> A thread doing UFFDIO_COPY releases the VMA in mfill_copy_folio_retry(),
>>> re-gets the VMA and checks if the per-MM counter stayed the same.
>>>
>>> If another thread makes any change to VMA while mfill_copy_folio_retry()
>>> waits to re-get the VMA, the counter would be incremented by another
>>> thread. mfill_copy_folio_retry() will see the change after mfill_get_vma()
>>> and will bail out with -EAGAIN.
>>>
>>
>> Yeah.
>
> This isn't bulletproof anyways. The sequence count can wrap. So, if
> someone can replace the vma then cause the sequence counter wrap, then
> you can be fooled into thinking it's okay (we had this problem years ago
> with the vmacache using a 32 bit counter, iirc).

If you can get it to wrap for such short durations, then how would sequence
counters possibly work in any reasonable context?

--
Cheers,

David