From: Gregory Price <gourry@gourry.net>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
kernel-team@meta.com, rppt@kernel.org, peterx@redhat.com,
surenb@google.com, aarcange@redhat.com, stable@vger.kernel.org
Subject: Re: [PATCH] userfaultfd: preserve write protection across UFFDIO_MOVE
Date: Mon, 13 Apr 2026 01:36:29 -0400 [thread overview]
Message-ID: <adyA3X2k1GdzxOEZ@gourry-fedora-PF4VCD3F> (raw)
In-Reply-To: <20260412111807.42c3edf86d19528d7cb1bb7b@linux-foundation.org>
On Sun, Apr 12, 2026 at 11:18:07AM -0700, Andrew Morton wrote:
> On Thu, 9 Apr 2026 11:28:22 -0400 Gregory Price <gourry@gourry.net> wrote:
>
> > move_present_ptes() unconditionally makes the destination PTE writable,
> > dropping uffd-wp write-protection from the source PTE.
> >
> > The original intent was to follow mremap() behavior, but mremap()'s
> > move_ptes() preserves the source write state unconditionally.
> >
> > Modify uffd to preserve the source write state and check the uffd-wp
> > condition of the source before setting writable on the destination.
>
> Please can we have a description of the userspace-visible impact of the
> bug.
>
Simply:
UFFDIO_MOVE silently drops write protection from the source PTE when
moving pages to a destination, leading to missing write-protect faults
after the page has been moved.
I ran into this while futzing around with some user space management of
VM memory, and expecting a move to continue firing WP faults after.
But Sashiko actually made a useful (though obtuse) observation which
has made me realize _MOVE is actually ambiguous on what to do with
source region UFFD modes.
> > + if (pte_uffd_wp(orig_src_pte))
> > + orig_dst_pte = pte_mkuffd_wp(orig_dst_pte);
This line assumes the destination must have intended to be WP, and the
the result is essentially stale uffd wp bits in the opposite case (a
user not intending to carry over WP now carries it over).
tl;dr: this is more of a semantic change than I'd intended, and the
existing tests did not catch it.
The correct solution here is to make a UFFDIO_MOVE_MODE_WP flag to copy
the UFFDIO_COPY_MODE_WP pattern. Otherwise:
> (presently wondering if this is backward compatible)
Yes, you're right to wonder - this does break backward compatibilty.
Will come back around with UFFDIO_MOVE_MODE_WP.
~Gregory
prev parent reply other threads:[~2026-04-13 5:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-09 15:28 Gregory Price
2026-04-09 20:09 ` Suren Baghdasaryan
2026-04-10 7:55 ` Mike Rapoport
2026-04-12 18:18 ` Andrew Morton
2026-04-13 5:36 ` Gregory Price [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adyA3X2k1GdzxOEZ@gourry-fedora-PF4VCD3F \
--to=gourry@gourry.net \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=kernel-team@meta.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peterx@redhat.com \
--cc=rppt@kernel.org \
--cc=stable@vger.kernel.org \
--cc=surenb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox