Re: [PATCH 0/1] mm/userfaultfd: fix UFFDIO_COPY retry private/shared VMA panic

Next message: Michael S. Tsirkin: "Re: [PATCH v7 09/31] mm: use folio_zero_user for user pages in post_alloc_hook"
Previous message: David Yang: "Re: [PATCH net-next v3 2/2] net: dsa: yt921x: Add port TBF support"
In reply to: Michael Bommarito: "[PATCH 1/1] mm/userfaultfd: validate effective UFFDIO_COPY ops after retry"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Mike Rapoport

Date: Thu May 14 2026 - 14:00:17 EST

Hi,

On Wed, May 13, 2026 at 08:54:39PM -0400, Michael Bommarito wrote:
> Hi,
>
> mfill_copy_folio_retry() drops the destination VMA lock before
> copy_from_user() and reacquires it afterwards. Commit 292411fda25b
> ("mm/userfaultfd: detect VMA type change after copy retry in
> mfill_copy_folio_retry()") added a comparison of vma_uffd_ops() across
> that window, but the comparison is not tight enough for private/shared
> shmem swaps: both private and shared shmem VMAs expose shmem_uffd_ops
> through vm_ops, while UFFDIO_COPY into a MAP_PRIVATE file-backed VMA
> overrides the effective copy ops to anon_uffd_ops at
> mfill_atomic_pte_copy() time.
>
> A separate concern from Peter Xu's review of v1 of 292411fda25b's
> series -- replacement with a different shmem VMA carrying the same
> flags but a different inode -- is out of scope here and is also
> unaddressed by 292411fda25b.

Thanks for the patch!

I'd prefer to deal with all the issues at once and I added vma_snapshot
suggested by Peter on top of you changes.