Re: [BUG] userfaultfd: UFFDIO_REGISTER fails on low addresses despite CAP_SYS_RAWIO

From: Peter Xu

Date: Fri Apr 03 2026 - 14:41:28 EST


On Fri, Apr 03, 2026 at 02:24:05PM +0300, Denis M. Karpov wrote:
> Hello,

Hello, Denis,

> I am seeing an inconsistency between mmap() and userfaultfd's UFFDIO_REGISTER
> logic regarding low memory addresses.
> Kernel: 6.12.63+deb13-amd64 (Debian 6.12.63-1)
> Description:
> As root (or with CAP_SYS_RAWIO), it is possible to mmap() the low-address area
> (below mmap_min_addr). However, UFFDIO_REGISTER fails with -EINVAL for these
> same ranges. The issue appears to be in fs/userfaultfd.c:validate_range():
>     if (start < mmap_min_addr)
>         return -EINVAL;
>
> While mmap() uses cap_mmap_addr() to allow privileged access to these areas,
> userfaultfd performs a hard check against mmap_min_addr without considering
> capabilities. This prevents binary translators/compilers from using UFFD on
> valid memory areas mapped by the application.

Indeed. I believe the current behavior has existed since Andrea introduced
userfaultfd, and it makes a lot of sense when starting from stricter
semantics with a new system call like it.

When there's an explicit demand for using it under mmap_min_addr, I don't
see any reason why we can't consider enabling that, as long as we do at least
the same level of security check as mmap() does here. So to me, it
all looks reasonable to replace that check with cap_mmap_addr(). I can't
think of any bad side effect except enabling your use case, which
seems a valid one.

IMHO you should prepare an RFC patch and copy some more people to collect
feedback. I would suggest at least the ones listed in the MEMORY MAPPING
section of the MAINTAINERS file. Btw, Mike Rapoport is now the official
maintainer for userfaultfd, please remember to copy him too when sending.

PS: it's the holiday window (Good Friday) so please expect delays for replies.

Thanks,

--
Peter Xu
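A userspace probe for the mmap()/UFFDIO_REGISTER asymmetry described in the report, written as an added example (it is not code from the report, the thread or the kernel). It assumes Linux with <linux/userfaultfd.h> available and probes the second page of the address space, a constructed choice that lies below any nonzero vm.mmap_min_addr; on the reporter's kernel with CAP_SYS_RAWIO the mmap() step should pass and UFFDIO_REGISTER should report EINVAL, while without the capability mmap() itself fails first with EPERM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/userfaultfd.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Which step failed first (STEP_OK if none) and the errno it left behind (0 for STEP_OK). */
enum probe_step { STEP_OK, STEP_MMAP, STEP_UFFD_OPEN, STEP_UFFD_API, STEP_UFFD_REGISTER };
struct probe_result { enum probe_step failed_at; int err; };

/* Map one page at a fixed low address, then try to register that same range with
 * userfaultfd in missing-page mode; clean up whatever was set up along the way. */
struct probe_result probe_low_page(unsigned long addr, size_t len)
{
    struct probe_result r = { STEP_OK, 0 };
    /* MAP_FIXED_NOREPLACE: fail with EEXIST instead of clobbering an existing mapping. */
    void *p = mmap((void *)addr, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (p == MAP_FAILED)
        return (struct probe_result){ STEP_MMAP, errno };   /* EPERM here without CAP_SYS_RAWIO */
    int uffd = (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (uffd < 0) { r = (struct probe_result){ STEP_UFFD_OPEN, errno }; goto out_unmap; }
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    if (ioctl(uffd, UFFDIO_API, &api) < 0) { r = (struct probe_result){ STEP_UFFD_API, errno }; goto out_close; }
    struct uffdio_register reg = { .range = { .start = addr, .len = len },
                                   .mode = UFFDIO_REGISTER_MODE_MISSING };
    /* The call the report says returns EINVAL below mmap_min_addr even though the
     * mmap() above succeeded (fs/userfaultfd.c:validate_range). */
    if (ioctl(uffd, UFFDIO_REGISTER, &reg) < 0)
        r = (struct probe_result){ STEP_UFFD_REGISTER, errno };
out_close: close(uffd);
out_unmap: munmap(p, len);
    return r;
}

int main(void)
{
    static const char *step[] = { "ok", "mmap", "userfaultfd", "UFFDIO_API", "UFFDIO_REGISTER" };
    unsigned long pg = (unsigned long)sysconf(_SC_PAGESIZE);   /* second page: below any nonzero mmap_min_addr */
    struct probe_result r = probe_low_page(pg, pg);
    printf("probe at %#lx: %s%s%s\n", pg, step[r.failed_at],
           r.err ? " failed: " : "", r.err ? strerror(r.err) : "");
    return r.failed_at == STEP_OK ? 0 : 1;
}
```

Run it once as an unprivileged user and once with CAP_SYS_RAWIO to see which step blocks in each case; the exit status is 0 only when both the mapping and the registration succeed.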