| author | Mike Rapoport (Microsoft) <rppt@kernel.org> | 2026-05-13 11:14:16 +0300 |
|---|---|---|
| committer | Andrew Morton <akpm@linux-foundation.org> | 2026-05-28 21:31:03 -0700 |
| commit | b60b13e1b3edcc0efd828a1346193f0e3b858e2a (patch) | |
| tree | 70166351a84a69ca455d58b3046248644d9afae1 /fs | |
| parent | 5cc4aa352a89bb9e13412e310cd2e60c66947ab3 (diff) | |
| download | linux-next-history-b60b13e1b3edcc0efd828a1346193f0e3b858e2a.tar.gz | |
userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing
Sashiko says:
mremap_userfaultfd_prep() increments ctx->mmap_changing to stall
concurrent operations, but mremap_userfaultfd_fail() does not
decrement it before dropping the context reference.
If an mremap operation fails, ctx->mmap_changing remains elevated. This
will cause subsequent userfaultfd operations like a UFFDIO_COPY to fail
with -EAGAIN.
Decrement ctx->mmap_changing in mremap_userfaultfd_fail().
Link: https://sashiko.dev/#/patchset/20260430113512.115938-1-rppt@kernel.org
Link: https://lore.kernel.org/20260513081416.495963-1-rppt@kernel.org
Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races")
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/userfaultfd.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 4b53dc4a32664..390e4b7d9cb9f 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -786,6 +786,8 @@ void mremap_userfaultfd_fail(struct vm_userfaultfd_ctx *vm_ctx) if (!ctx) return; + atomic_dec(&ctx->mmap_changing); + VM_WARN_ON_ONCE(atomic_read(&ctx->mmap_changing) < 0); userfaultfd_ctx_put(ctx); } |
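Review bot: in mremap_userfaultfd_fail(), the underflow check does a separate atomic_read() after the atomic_dec(), so with concurrent updates the warning tests whatever value the counter holds at that moment rather than the result of this decrement. Consider capturing the result with `int v = atomic_dec_return(&ctx->mmap_changing);` and then `VM_WARN_ON_ONCE(v < 0);`. Keep the decrement outside the macro argument, since VM_WARN_ON_ONCE() does not evaluate its condition when CONFIG_DEBUG_VM is off. A short comment stating that this decrement pairs with the increment in mremap_userfaultfd_prep() would also make the invariant visible at the call site, so a future error path is less likely to drop it again.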
