Re: [PATCH] userfaultfd: prevent registration of special VMAs
From: David Hildenbrand (Arm)
Date: Thu Jun 18 2026 - 04:20:51 EST
On 6/17/26 21:40, Mike Rapoport wrote:
> From: "Mike Rapoport (Microsoft)" <rppt@xxxxxxxxxx>
>
> Vova Tokarev says:
>
> userfaultfd allows registration on shadow stack VMAs. With userfaultfd
> access, you can register on the shadow stack, discard a page ... and
> inject a page with chosen return addresses via UFFDIO_COPY.
>
> Update vma_can_userfault() to reject VM_SHADOW_STACK.
>
> While on it, also reject VM_IO, VM_MIXEDMAP and VM_PFNMAP so that if a
> driver would implement vm_uffd_ops, it wouldn't be possible to register
> special VMAs with userfaultfd.
>
> Reported-by: vova tokarev <vladimirelitokarev@xxxxxxxxx>
> Fixes: 54007f818206 ("mm: Introduce VM_SHADOW_STACK for shadow stack memory")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>
> ---
> mm/userfaultfd.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> index 246af12bf801..b8d2d87ce8d7 100644
> --- a/mm/userfaultfd.c
> +++ b/mm/userfaultfd.c
> @@ -2111,7 +2111,8 @@ static bool vma_can_userfault(struct vm_area_struct *vma, vm_flags_t vm_flags,
> {
> const struct vm_uffd_ops *ops = vma_uffd_ops(vma);
>
> - if (vma->vm_flags & VM_DROPPABLE)
> + if (vma->vm_flags & (VM_DROPPABLE | VM_IO | VM_MIXEDMAP | VM_PFNMAP |
> + VM_SHADOW_STACK))
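Review bot: the hunk folds two changes with different justifications into one stable-tagged fix. Only the VM_SHADOW_STACK bit is covered by the Fixes: tag for 54007f818206 and by the reported issue; the VM_IO | VM_MIXEDMAP | VM_PFNMAP rejection is described in the changelog as forward-looking hardening for drivers that might implement vm_uffd_ops, so it has no Fixes: target and no user-visible bug to point at. Consider splitting this into two patches so the Cc: stable backport carries just `if (vma->vm_flags & (VM_DROPPABLE | VM_SHADOW_STACK))` and the driver-facing hardening lands separately with its own rationale; that also keeps the stable change minimal if older trees differ in which of these flags vma_uffd_ops() callers can reach.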
I'm sure you considered VM_SPECIAL, which additionally includes VM_DONTEXPAND.
Would that be better, or what was the reason to allow VM_DONTEXPAND?
--
Cheers,
David