From nobody Tue Apr 7 02:34:18 2026
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="dSa1zpIQ"
Date: Mon, 16 Mar 2026 17:38:28 +0000
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
X-Mailer: git-send-email 2.53.0.851.ga537e3e6e9-goog
Message-ID: <20260316173829.1126728-1-avagin@google.com>
Subject: [PATCH]
userfaultfd: fix lock leak in mfill_get_vma() From: Andrei Vagin To: Mike Rapoport , Andrew Morton Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrei Vagin , syzbot+cf5ad2009a9bae03cb23@syzkaller.appspotmail.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" In mfill_get_vma(), both the per-VMA lock (via uffd_mfill_lock()) and the map_changing_lock are acquired. However, state->vma was only assigned at the very end of the function. If any validation checks failed after lock acquisition but before this assignment, the function would jump to the out_unlock label and call mfill_put_vma(state). Since mfill_put_vma() only performs cleanup if state->vma is non-NULL, these error paths would leak both the per-VMA lock and the map_changing_lock. Fixes: akpm:userfaultfd-retry-copying-with-locks-dropped-in-mfill_atomic_pt= e_copy.patch Reported-by: syzbot+cf5ad2009a9bae03cb23@syzkaller.appspotmail.com Signed-off-by: Andrei Vagin --- mm/userfaultfd.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index 9ffc80d0a51b..04f9e21fecf1 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -224,6 +224,7 @@ static int mfill_get_vma(struct mfill_state *state) * request the user to retry later */ down_read(&ctx->map_changing_lock); + state->vma =3D dst_vma; err =3D -EAGAIN; if (atomic_read(&ctx->mmap_changing)) goto out_unlock; @@ -246,7 +247,7 @@ static int mfill_get_vma(struct mfill_state *state) goto out_unlock; =20 if (is_vm_hugetlb_page(dst_vma)) - goto out; + return 0; =20 ops =3D vma_uffd_ops(dst_vma); if (!ops) @@ -256,8 +257,6 @@ static int mfill_get_vma(struct mfill_state *state) !ops->get_folio_noalloc) goto out_unlock; =20 -out: - state->vma =3D dst_vma; return 0; =20 out_unlock: --=20 2.53.0.851.ga537e3e6e9-goog
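Review bot: The new `state->vma = dst_vma;` in the first hunk sits directly after `down_read(&ctx->map_changing_lock)`, so from that point on every `goto out_unlock` (the `-EAGAIN` check right below it and the `ops` checks further down) reaches `mfill_put_vma(state)` with a non-NULL vma and releases both locks, which is exactly the leak the commit message describes. Please confirm that nothing between the earlier `uffd_mfill_lock()` and this `down_read()` can bail out to `out_unlock`: in that window the per-VMA lock is already held but `state->vma` is still NULL, so `mfill_put_vma()` would still be a no-op there; if such a path exists, the assignment (or a dedicated unlock) belongs right after the per-VMA lock is taken.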
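Review bot: In the second hunk, `return 0;` replacing `goto out;` on the hugetlb path now exits with both locks held and `state->vma` set, relying on the assignment made near the top of the function rather than on the removed `out:` label. The behaviour is correct, but a bare `return 0` in the middle of a function that has just taken two locks reads like a missing unlock to anyone who has not seen the top of the function; a one-line comment such as `/* locks stay held on success; caller releases via mfill_put_vma() */` above the hugetlb return would make the success contract explicit.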
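Review bot: With the `out:` label and the late assignment removed in the third hunk, `state->vma` becomes non-NULL before the validation checks have passed, so `mfill_put_vma(state)` at `out_unlock` now runs with a valid pointer on every error path. Since the comment in the first hunk says the user is asked to retry after `-EAGAIN`, please verify that `mfill_put_vma()` (not in the diff) resets `state->vma` to NULL after releasing the locks; otherwise a caller that reuses the same `struct mfill_state` for the retry, or that tests `state->vma` to learn whether a VMA was found, would see a stale pointer that no longer corresponds to held locks.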