Re: [PATCH v2] mm/userfaultfd: detect VMA replacement after copy retry in mfill_copy_folio_retry()

From: Andrew Morton

Date: Mon Mar 30 2026 - 19:42:43 EST


On Mon, 30 Mar 2026 22:32:58 +0100 David CARLIER <devnexen@xxxxxxxxx> wrote:

> The userspace-visible effect is a kernel NULL pointer dereference. When
> a shared shmem VMA gets replaced by an anonymous VMA during the retry
> window, the stale ops->filemap_add() ends up calling
> shmem_mfill_filemap_add() which dereferences vma->vm_file via
> file_inode(). Since vm_file is NULL for anonymous mappings, this is a
> straight kernel oops.
>
> The window is particularly wide when copy_from_user() blocks on slow
> backing stores (FUSE, NFS) as it runs with page faults enabled.
>
> The Fixes target would be 56a3706fd7f9 ("shmem, userfaultfd: implement
> shmem uffd operations using vm_uffd_ops") but that's mm-unstable only,
> so no Cc: stable for now.

Ah, OK, thanks. I'll add a note to "shmem, userfaultfd: implement
shmem uffd operations using vm_uffd_ops" for now, let's see what Mike
thinks.
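The race David describes, reduced to a user-space model as an added example (this is not the patch, nor kernel code; the struct names, the one-slot fake address space, the MODEL_OOPS sentinel and the choice of -EAGAIN as the "retry" result are all assumptions made here). It shows the stale-ops pattern from the bug report beside a re-validation check of the kind a fix would need: capture what you knew about the VMA before the blocking copy, re-find the VMA afterwards, and refuse to use the captured ops if the mapping is no longer the same one.

```c
/*
 * User-space model of a uffd copy retry window (added example, not kernel
 * code). The kernel's actual NULL dereference is modelled as MODEL_OOPS so
 * the program can run to completion.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_OOPS (-1000)  /* stands in for the NULL pointer dereference */

struct file { long inode; };

struct vma;
struct uffd_ops {
    const char *name;
    int (*filemap_add)(struct vma *vma);
};

struct vma {
    const struct uffd_ops *ops;
    struct file *vm_file;   /* NULL for anonymous mappings */
};

/* shmem-style filemap_add: dereferences vm_file, like file_inode(vma->vm_file). */
static int shmem_filemap_add(struct vma *vma)
{
    if (!vma->vm_file)
        return MODEL_OOPS;  /* the kernel would oops here */
    return (int)vma->vm_file->inode;
}

static const struct uffd_ops shmem_ops = { "shmem", shmem_filemap_add };
static const struct uffd_ops anon_ops  = { "anon", NULL };

/* Fake one-slot address space: whichever VMA is currently mapped there. */
static struct file shmem_file = { .inode = 42 };
static struct vma shmem_vma = { &shmem_ops, &shmem_file };
static struct vma anon_vma  = { &anon_ops, NULL };
static struct vma *mapped = &shmem_vma;

/* Put the shared shmem VMA back so each scenario starts from the same state. */
static void reset_mapping(void) { mapped = &shmem_vma; }

/* Stand-in for copy_from_user() with faults enabled and the lock dropped:
 * when the copy blocks, another thread may munmap and re-mmap the range
 * anonymously, replacing the VMA. */
static void copy_from_user_sim(int replace_during_copy)
{
    if (replace_during_copy)
        mapped = &anon_vma;
}

/* Buggy shape: keep using the ops captured before the retry window. */
static int mfill_stale_ops(int replace_during_copy)
{
    struct vma *vma = mapped;
    const struct uffd_ops *ops = vma->ops;

    copy_from_user_sim(replace_during_copy);
    vma = mapped;               /* VMA is re-found, but ops is stale */
    return ops->filemap_add(vma);
}

/* Checked shape: after the copy, re-find the VMA and confirm it is still the
 * mapping we started with before touching its ops; otherwise report a retry. */
static int mfill_revalidated(int replace_during_copy)
{
    struct vma *vma = mapped;
    const struct uffd_ops *ops = vma->ops;
    struct file *file = vma->vm_file;

    copy_from_user_sim(replace_during_copy);
    vma = mapped;
    if (vma->ops != ops || vma->vm_file != file)
        return -EAGAIN;         /* mapping replaced: caller must look up again */
    if (!ops->filemap_add)
        return -EINVAL;
    return ops->filemap_add(vma);
}

int main(void)
{
    reset_mapping();
    printf("stale ops, no race:      %d\n", mfill_stale_ops(0));
    reset_mapping();
    printf("stale ops, VMA replaced: %d (MODEL_OOPS)\n", mfill_stale_ops(1));
    reset_mapping();
    printf("revalidated, no race:    %d\n", mfill_revalidated(0));
    reset_mapping();
    printf("revalidated, replaced:   %d (-EAGAIN)\n", mfill_revalidated(1));
    return 0;
}
```

The check compares both the ops pointer and vm_file because a replacement mapping can share an ops table with the original while still pointing at a different (or no) file; comparing only one of them would let some replacements through.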