* [BUG] userfaultfd: UFFDIO_REGISTER fails on low addresses despite CAP_SYS_RAWIO
@ 2026-04-03 11:24 Denis M. Karpov
From: Denis M. Karpov @ 2026-04-03 11:24 UTC (permalink / raw)
To: peterx, akpm; +Cc: linux-mm, linux-kernel
Hello,

I am seeing an inconsistency between mmap() and userfaultfd's UFFDIO_REGISTER
logic regarding low memory addresses.

Kernel: 6.12.63+deb13-amd64 (Debian 6.12.63-1)

Description:

As root (or with CAP_SYS_RAWIO), it is possible to mmap() the low-address area
(below mmap_min_addr). However, UFFDIO_REGISTER fails with -EINVAL for these
same ranges. The issue appears to be in fs/userfaultfd.c:validate_range():

    if (start < mmap_min_addr)
        return -EINVAL;

While mmap() uses cap_mmap_addr() to allow privileged access to these areas,
userfaultfd performs a hard check against mmap_min_addr without considering
capabilities. This prevents binary translators/compilers from using UFFD on
valid memory areas mapped by the application.

Reproducer (must be run as root):
    #include <stdio.h>
    #include <sys/mman.h>
    #include <sys/syscall.h>
    #include <sys/ioctl.h>
    #include <linux/userfaultfd.h>
    #include <fcntl.h>
    #include <unistd.h>

    #define SIZE 0x1000

    int main(void)
    {
        /* Low-address mapping: mmap() lets this through for a caller
         * holding CAP_SYS_RAWIO (cap_mmap_addr()). */
        void *data = mmap((void *)0x1000, SIZE, PROT_NONE,
                          MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
        if (data == MAP_FAILED) {
            perror("map failed");
            return 1;
        }

        int uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
        if (uffd == -1) {
            perror("syscall");
            return 1;
        }

        /* Handshake with the kernel before any registration. */
        struct uffdio_api uffdio_api;
        uffdio_api.api = UFFD_API;
        uffdio_api.features = 0;
        if (ioctl(uffd, UFFDIO_API, &uffdio_api)) {
            perror("UFFDIO_API");
            return 1;
        }
        if (uffdio_api.api != UFFD_API) {
            fprintf(stderr, "UFFDIO_API error\n");
            return 1;
        }

        /* Register the same low range that mmap() just accepted; this is
         * the call that fails with -EINVAL in validate_range(). */
        struct uffdio_register uffdio_register;
        uffdio_register.range.start = (unsigned long)data;
        uffdio_register.range.len = SIZE;
        uffdio_register.mode = UFFDIO_REGISTER_MODE_WP;
        if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1) {
            perror("ioctl(UFFDIO_REGISTER)");
            return 1;
        }

        close(uffd);
        return 0;
    }
* Re: [BUG] userfaultfd: UFFDIO_REGISTER fails on low addresses despite CAP_SYS_RAWIO
From: Peter Xu @ 2026-04-03 18:41 UTC (permalink / raw)
To: Denis M. Karpov
Cc: akpm, linux-mm, linux-kernel, Mike Rapoport, Andrea Arcangeli
On Fri, Apr 03, 2026 at 02:24:05PM +0300, Denis M. Karpov wrote:
> Hello,
Hello, Denis,
> I am seeing an inconsistency between mmap() and userfaultfd's UFFDIO_REGISTER
> logic regarding low memory addresses.
> Kernel: 6.12.63+deb13-amd64 (Debian 6.12.63-1)
> Description:
> As root (or with CAP_SYS_RAWIO), it is possible to mmap() the low-address area
> (below mmap_min_addr). However, UFFDIO_REGISTER fails with -EINVAL for these
> same ranges. The issue appears to be in fs/userfaultfd.c:validate_range():
> if (start < mmap_min_addr)
> return -EINVAL;
>
> While mmap() uses cap_mmap_addr() to allow privileged access to these areas,
> userfaultfd performs a hard check against mmap_min_addr without considering
> capabilities. This prevents binary translators/compilers from using UFFD on
> valid memory areas mapped by the application.
Indeed. I believe the current behavior existed since Andrea introduced
userfaultfd, and it makes a lot of sense when starting from a stricter
semantics with a new system call like it.
When there's an explicit demand of using it under mmap_min_addr, I don't
see an issue why we can't consider enabling that, as long as we do at least
the same level of security check similarly to mmap() here. So to me, it
looks all reasonable to replace that check with cap_mmap_addr(). I can't
think of any bad side effect except starting to enable your use case which
seems a valid one.
IMHO you should prepare an RFC patch and copy some more people to collect
feedback. I would suggest at least the ones listed in the MEMORY MAPPING
section of the MAINTAINERS file. Btw, Mike Rapoport is now the official
maintainer for userfaultfd, please remember to copy him too when sending.

PS: it's a holiday window (Good Friday) so please expect delays for replies.
Thanks,
--
Peter Xu