Re: [PATCH v2 1/3] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing
From: Mike Rapoport
Date: Mon May 11 2026 - 06:52:40 EST
On Mon, May 11, 2026 at 11:15:34AM +0200, David Hildenbrand (Arm) wrote:
> On 5/1/26 16:54, Mike Rapoport wrote:
> > From: "Mike Rapoport (Microsoft)" <rppt@xxxxxxxxxx>
> >
> > Sashiko says:
> >
> > mremap_userfaultfd_prep() increments ctx->mmap_changing to stall
> > concurrent operations, but mremap_userfaultfd_fail() does not
> > decrement it before dropping the context reference.
> >
> > If an mremap operation fails, ctx->mmap_changing remains elevated. This
> > will causes subsequent userfaultfd operations like a UFFDIO_COPY to fail
> > with -EAGAIN.
> >
>
> Sounds like we should CC stable?
Yes.
> > Decrement ctx->mmap_changing in mremap_userfaultfd_fail().
> >
> > Link: https://sashiko.dev/#/patchset/20260430113512.115938-1-rppt@xxxxxxxxxx
> > Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races")
> > Signed-off-by: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>
> > ---
> > fs/userfaultfd.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> > index 4b53dc4a3266..ef963a58f1a1 100644
> > --- a/fs/userfaultfd.c
> > +++ b/fs/userfaultfd.c
> > @@ -786,6 +786,7 @@ void mremap_userfaultfd_fail(struct vm_userfaultfd_ctx *vm_ctx)
> > if (!ctx)
> > return;
> >
> > + atomic_dec(&ctx->mmap_changing);
>
> I'll note that other users have a
>
> VM_WARN_ON_ONCE(atomic_read(&ctx->mmap_changing) < 0);
>
> In there. Likely we should do the same?
Yeah, we could.
> --
> Cheers,
>
> David
--
Sincerely yours,
Mike.