Re: [PATCH] userfaultfd: prevent registration of special VMAs

From: Mike Rapoport

Date: Thu Jun 18 2026 - 04:44:55 EST


On Thu, Jun 18, 2026 at 11:34:12AM +0300, Mike Rapoport wrote:
> On Thu, Jun 18, 2026 at 10:19:17AM +0200, David Hildenbrand (Arm) wrote:
> > On 6/17/26 21:40, Mike Rapoport wrote:
> > > From: "Mike Rapoport (Microsoft)" <rppt@xxxxxxxxxx>
> > >
> > > Vova Tokarev says:
> > >
> > > userfaultfd allows registration on shadow stack VMAs. With userfaultfd
> > > access, you can register on the shadow stack, discard a page ... and
> > > inject a page with chosen return addresses via UFFDIO_COPY.
> > >
> > > Update vma_can_userfault() to reject VM_SHADOW_STACK.
> > >
> > > While on it, also reject VM_IO, VM_MIXEDMAP and VM_PFNMAP so that if a
> > > driver would implement vm_uffd_ops, it wouldn't be possible to register
> > > special VMAs with userfaultfd.
> > >
> > > Reported-by: vova tokarev <vladimirelitokarev@xxxxxxxxx>
> > > Fixes: 54007f818206 ("mm: Introduce VM_SHADOW_STACK for shadow stack memory")
> > > Cc: <stable@xxxxxxxxxxxxxxx>
> > > Signed-off-by: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>
> > > ---
> > > mm/userfaultfd.c | 3 ++-
> > > 1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > > index 246af12bf801..b8d2d87ce8d7 100644
> > > --- a/mm/userfaultfd.c
> > > +++ b/mm/userfaultfd.c
> > > @@ -2111,7 +2111,8 @@ static bool vma_can_userfault(struct vm_area_struct *vma, vm_flags_t vm_flags,
> > > {
> > > const struct vm_uffd_ops *ops = vma_uffd_ops(vma);
> > >
> > > - if (vma->vm_flags & VM_DROPPABLE)
> > > + if (vma->vm_flags & (VM_DROPPABLE | VM_IO | VM_MIXEDMAP | VM_PFNMAP |
> > > + VM_SHADOW_STACK))
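Review bot: the new mask is essentially VM_SPECIAL without VM_DONTEXPAND, plus VM_SHADOW_STACK and the existing VM_DROPPABLE, and the reason for not simply using VM_SPECIAL (hugetlb VMAs set VM_DONTEXPAND and must remain registrable with uffd, as noted further down this thread) is not recorded anywhere near the check; a short comment on the `if` explaining why VM_DONTEXPAND is deliberately left out would stop the next reader from "simplifying" it to VM_SPECIAL and silently breaking uffd on hugetlb. Also, the Fixes: tag names only the VM_SHADOW_STACK commit while the hunk additionally blocks VM_IO, VM_MIXEDMAP and VM_PFNMAP, so the stable Cc: should make clear whether those extra flags are meant to go back too, or whether the shadow stack bit should be split into its own minimal fix for stable.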
> >
> > I'm sure you considered VM_SPECIAL, which additionally includes VM_DONTEXPAND.
> >
> > Would that be better, or what was the reason to allow VM_DONTEXPAND?
>
> By itself VM_DONTEXPAND won't matter, as uffd can't resize a VMA.
> But thinking more about it, it's better to make vma_can_userfault() more
> restrictive and just use VM_SPECIAL.

Ah, hugetlb sets VM_DONTEXPAND, so it must be excluded to allow uffd with
hugetlb.

--
Sincerely yours,
Mike.