From: David CARLIER <devnexen@gmail.com>
To: Mike Rapoport <rppt@kernel.org>
Cc: Peter Xu <peterx@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Lorenzo Stoakes <ljs@kernel.org>
Subject: Re: [PATCH v2] mm/userfaultfd: detect VMA replacement after copy retry in mfill_copy_folio_retry()
Date: Tue, 31 Mar 2026 13:07:58 +0100
Message-ID: <CA+XhMqxDqrWaOTCE2YKLu8FQPCiVkOxLBOQyVpZe2KxdHFKAoA@mail.gmail.com>
In-Reply-To: <acu2cpUBS0ahkgkx@kernel.org>
Hi Mike,

> Is it possible at all that after all that dance vma pointer will remain
> the same?

Yes, VMA structs are slab-allocated so after munmap frees the old VMA
and mmap allocates a new one, SLUB can hand back the same address. The
pointer matches but it's a different VMA — which is exactly why the
snapshot is needed.

> This isn't a bug, but struct vm_area_struct uses vm_flags, not flags.
> Will this cause a compilation error?

This is a false positive from Sashiko. vm_area_struct has a union at
include/linux/mm_types.h:956-960:

    union {
        const vm_flags_t vm_flags;
        vma_flags_t flags;
    };

Peter explicitly asked to use vma_flags_t / vma->flags since vm_flags_t
is being deprecated (see vma_flags_to_legacy()).

> If the original VMA was file-backed (s->inode is non-NULL), but is
> concurrently replaced by an anonymous VMA during the lock-dropped
> window, vma->vm_file will be NULL. Does accessing
> vma->vm_file->f_inode here cause a NULL pointer dereference?

Good catch, this is a real bug. Will fix with a vm_file NULL guard.

> Filesystem eviction paths often acquire locks (like i_rwsem) that
> invert with the mmap lock. Can this cause an AB-BA deadlock? Should
> this take a reference to the struct file via get_file() and release it
> with fput() instead, which defers destruction safely?

Valid concern. I'll switch to get_file()/fput() which defers the
destruction safely.

> Whatever we do verify the VMA this should not be EAGAIN. EINVAL or
> ENOENT like mfill_get_vma() returns seem more appropriate.

Agreed, will change to -EINVAL to match mfill_get_vma()'s validation
failures.

Will send a v2 with all three fixes later on.

Cheers!
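An added userspace model (not the patch's or the kernel's code) of the two points discussed in this reply: comparing the VMA pointer alone cannot detect slab reuse after munmap/mmap, so identifying fields are snapshotted and re-checked, and vm_file is NULL-guarded before the inode is read because the replacement may be anonymous. All names here (vma_snap, vma_snapshot, vma_matches_snapshot, slab_alloc) are hypothetical stand-ins, and the one-slot allocator is a constructed stand-in for SLUB handing back the same address.

```c
#include <stdbool.h>
#include <string.h>

struct file { unsigned long inode; };          /* stand-in for struct file */
struct vma {                                   /* stand-in for vm_area_struct */
    unsigned long vm_start, vm_end, flags;
    struct file *vm_file;                      /* NULL for anonymous mappings */
};

/* Identifying fields captured before the mmap lock is dropped. */
struct vma_snap {
    const struct vma *ptr;
    unsigned long vm_start, vm_end, flags, inode;
};

static struct vma_snap vma_snapshot(const struct vma *v)
{
    struct vma_snap s = { v, v->vm_start, v->vm_end, v->flags,
                          v->vm_file ? v->vm_file->inode : 0 };
    return s;
}

/* True only if the VMA at this address still describes the same mapping.
 * vm_file is NULL-checked before touching the inode: the replacement may be anonymous. */
static bool vma_matches_snapshot(const struct vma *v, const struct vma_snap *s)
{
    unsigned long inode = v->vm_file ? v->vm_file->inode : 0;
    return v == s->ptr && v->vm_start == s->vm_start &&
           v->vm_end == s->vm_end && v->flags == s->flags && inode == s->inode;
}

/* One-slot "slab" (constructed): free-then-alloc hands back the same address, as SLUB may. */
static struct vma slab_slot;
static struct vma *slab_alloc(void) { memset(&slab_slot, 0, sizeof slab_slot); return &slab_slot; }

/* A file-backed VMA is snapshotted, then replaced by an anonymous VMA at the same
 * address (modelled munmap + mmap). The pointer says "same"; the snapshot says "replaced". */
static bool replacement_is_detected(void)
{
    struct file f = { 42 };
    struct vma *v = slab_alloc();
    *v = (struct vma){ 0x1000, 0x2000, 0x3, &f };
    struct vma_snap s = vma_snapshot(v);
    struct vma *n = slab_alloc();              /* reuse: n == v, but a different VMA */
    *n = (struct vma){ 0x1000, 0x2000, 0x3, NULL };
    return n == v && !vma_matches_snapshot(n, &s);
}
```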