From: "Denis M. Karpov" <komlomal@gmail.com>
To: peterx@redhat.com, akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: [BUG] userfaultfd: UFFDIO_REGISTER fails on low addresses despite CAP_SYS_RAWIO
Date: Fri, 3 Apr 2026 14:24:05 +0300 [thread overview]
Message-ID: <CADtiZd0tWysx5HMCUnOXfSHB7PXAuXg1Mh4eY_hUmH29S=sejg@mail.gmail.com> (raw)
Hello,
I am seeing an inconsistency between mmap() and userfaultfd's UFFDIO_REGISTER
logic regarding low memory addresses.
Kernel: 6.12.63+deb13-amd64 (Debian 6.12.63-1)
Description:
As root (or with CAP_SYS_RAWIO), it is possible to mmap() the low-address area
(below mmap_min_addr). However, UFFDIO_REGISTER fails with -EINVAL for these
same ranges. The issue appears to be in fs/userfaultfd.c:validate_range():
if (start < mmap_min_addr)
return -EINVAL;
While mmap() uses cap_mmap_addr() to allow privileged access to these areas,
userfaultfd performs a hard check against mmap_min_addr without considering
capabilities. This prevents binary translators/compilers from using UFFD on
valid memory areas mapped by the application.
Reproducer (must be run as root):
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <linux/userfaultfd.h>
#include <fcntl.h>
#include <unistd.h>
#define SIZE 0x1000
int main()
{
void *data = mmap((void*)0x1000, SIZE, PROT_NONE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0);
if ((long)data < 0) {
perror("map failed");
return 1;
}
int uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
if (uffd == -1) {
perror("syscall");
return 1;
}
struct uffdio_api uffdio_api;
uffdio_api.api = UFFD_API;
uffdio_api.features = 0;
if (ioctl(uffd, UFFDIO_API, &uffdio_api)) {
perror("UFFDIO_API");
return 1;
}
if (uffdio_api.api != UFFD_API) {
fprintf(stderr, "UFFDIO_API error\n");
return 1;
}
struct uffdio_register uffdio_register;
uffdio_register.range.start = (unsigned long)data;
uffdio_register.range.len = SIZE;
uffdio_register.mode = UFFDIO_REGISTER_MODE_WP;
if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1) {
perror("ioctl(UFFDIO_REGISTER)");
return 1;
}
return 0;
}
next reply other threads:[~2026-04-03 11:24 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-03 11:24 Denis M. Karpov [this message]
2026-04-03 18:41 ` Peter Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADtiZd0tWysx5HMCUnOXfSHB7PXAuXg1Mh4eY_hUmH29S=sejg@mail.gmail.com' \
--to=komlomal@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peterx@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox