Commit d82776a1 authored by Peter Xu's avatar Peter Xu Committed by Suren Baghdasaryan
Browse files

BACKPORT: mm/userfaultfd: fix uninitialized output field for -EAGAIN race 

While discussing some userfaultfd relevant issues recently, Andrea noticed
a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s.

Quote from Andrea, explaining how -EAGAIN was processed, and how this
should fix it (taking example of UFFDIO_COPY ioctl):

  The "mmap_changing" and "stale pmd" conditions are already reported as
  -EAGAIN written in the copy field, this does not change it. This change
  removes the subnormal case that left copy.copy uninitialized and required
  apps to explicitly set the copy field to get deterministic
  behavior (which is a requirement contrary to the documentation in both
  the manpage and source code). In turn there's no alteration to backwards
  compatibility as result of this change because userland will find the
  copy field consistently set to -EAGAIN, and not anymore sometime -EAGAIN
  and sometime uninitialized.

  Even then the change only can make a difference to non cooperative users
  of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not
  true for the vast majority of apps using userfaultfd or this unintended
  uninitialized field may have been noticed sooner.

Meanwhile, since this bug existed for years, it also almost affects all
ioctl()s that was introduced later.  Besides UFFDIO_ZEROPAGE, these also
get affected in the same way:

  - UFFDIO_CONTINUE
  - UFFDIO_POISON
  - UFFDIO_MOVE

This patch should have fixed all of them.

Link: https://lkml.kernel.org/r/20250424215729.194656-2-peterx@redhat.com


Fixes: df2cc96e ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races")
Fixes: f6191471 ("userfaultfd: add UFFDIO_CONTINUE ioctl")
Fixes: fc71884a ("mm: userfaultfd: add new UFFDIO_POISON ioctl")
Fixes: adef4406 ("userfaultfd: UFFDIO_MOVE uABI")
Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
Reported-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
Suggested-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Axel Rasmussen <axelrasmussen@google.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 95567729)
[surenb: skip userfaultfd_poison() and userfaultfd_move() changes as
they do not exist in this kernel version]

Bug: 445614412
Test: atest vts_linux_kselftest_arm_64:mm_uffd_unit_tests_arm_64#mm_uffd_unit_tests_arm_64 -- --abi arm64-v8a
Change-Id: I0f584c2f0bed3e132a7983de77137db8547dd405
Signed-off-by: default avatarSuren Baghdasaryan <surenb@google.com>
parent cc5d9e19
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment