]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
userfaultfd: allow registration of ranges below mmap_min_addr
authorDenis M. Karpov <komlomal@gmail.com>
Thu, 9 Apr 2026 10:33:45 +0000 (13:33 +0300)
committerAndrew Morton <akpm@linux-foundation.org>
Sat, 18 Apr 2026 07:10:56 +0000 (00:10 -0700)
The current implementation of validate_range() in fs/userfaultfd.c
performs a hard check against mmap_min_addr.  This is redundant because
UFFDIO_REGISTER operates on memory ranges that must already be backed by a
VMA.

Enforcing mmap_min_addr or capability checks again in userfaultfd is
unnecessary and prevents applications like binary compilers from using
UFFD for valid memory regions mapped by application.

Remove the redundant check for mmap_min_addr.

We started using UFFD instead of the classic mprotect approach in the
binary translator to track application writes.  During development, we
encountered this bug.  The translator cannot control where the translated
application chooses to map its memory and if the app requires a
low-address area, UFFD fails, whereas mprotect would work just fine.  I
believe this is a genuine logic bug rather than an improvement, and I
would appreciate including the fix in stable.

Link: https://lore.kernel.org/20260409103345.15044-1-komlomal@gmail.com
Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Denis M. Karpov <komlomal@gmail.com>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: Harry Yoo (Oracle) <harry@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
fs/userfaultfd.c

index bdc84e5219cde3623e9962983bbccbc5523cd3d8..4b53dc4a32664c6a9a38976361fda8c878d3e503 100644 (file)
@@ -1238,8 +1238,6 @@ static __always_inline int validate_unaligned_range(
                return -EINVAL;
        if (!len)
                return -EINVAL;
-       if (start < mmap_min_addr)
-               return -EINVAL;
        if (start >= task_size)
                return -EINVAL;
        if (len > task_size - start)