Re: [PATCH v2] userfaultfd: prevent registration of special VMAs

Next message: phucduc . bui: "[PATCH v2 0/4] ASoC: Intel: Convert locking to guard()/scoped_guard()"
Previous message: Ma Ke: "[PATCH v2] drm/i915/dsi: fix i2c adapter reference leak in i2c_adapter_lookup()"
In reply to: Mike Rapoport: "[PATCH v2] userfaultfd: prevent registration of special VMAs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Hildenbrand (Arm)

Date: Thu Jun 18 2026 - 07:07:05 EST

On 6/18/26 11:50, Mike Rapoport wrote:
> From: "Mike Rapoport (Microsoft)" <rppt@xxxxxxxxxx>
>
> Vova Tokarev says:
>
> userfaultfd allows registration on shadow stack VMAs. With userfaultfd
> access, you can register on the shadow stack, discard a page ... and
> inject a page with chosen return addresses via UFFDIO_COPY.
>
> Update vma_can_userfault() to reject VM_SHADOW_STACK.
>
> While on it, also reject VM_SPECIAL so that if a driver would implement
> vm_uffd_ops, it wouldn't be possible to register special VMAs with
> userfaultfd.
>
> Since VM_SPECIAL includes VM_DONTEXPAND which is set but hugetlb,
> exclude hugetlb VMAs from the check for VM_SPECIAL.
>
> Reported-by: vova tokarev <vladimirelitokarev@xxxxxxxxx>
> Fixes: 54007f818206 ("mm: Introduce VM_SHADOW_STACK for shadow stack memory")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>
> ---

Thanks Mike

Acked-by: David Hildenbrand (Arm) <david@xxxxxxxxxx>

--
Cheers,

David