On Mon, May 25, 2026 at 12:18:57PM +0000, [email protected] wrote:
> Thank you for your contribution! Sashiko AI review found 5 potential issue(s) 
> to consider:
> 
> New issues:
> - [High] UFFD RWP tracking is bypassed or causes an infinite loop
> during GUP FOLL_FORCE accesses on PROT_NONE VMAs.


Will fix in v5 by rejecting UFFDIO_REGISTER_MODE_RWP on PROT_NONE VMAs
in vma_can_userfault(), so this state can't be set up to begin with.

> - [High] Orphaned RWP-protected PTEs cause an unrecoverable infinite
> page fault loop in hugetlb_fault().

Fork goes through copy_hugetlb_page_range() (with the pte_uffd gate I'm
adding for the 06/14 finding), so the orphan state isn't produced.

> - [High] NUMA balancing silently strips userfaultfd RWP protection from 
> adjacent PTEs within a large folio.

Confirmed. NUMA scanning already skips RWP-armed PTEs (the
pte_protnone() guard in change_pte_range()), so the two never coexist
on a given folio at apply time -- but numa_rebuild_large_mapping() is
the one place they can meet. Will fix in v5 by gating the rebuild on
pte_uffd():

      +       if (pte_uffd(ptent))
      +               continue;

> - [Medium] Missing feature capability check in userfaultfd_register
> allows enabling RWP without negotiating the feature.

The check is there -- mm/userfaultfd.c:

      if (uffdio_register.mode & UFFDIO_REGISTER_MODE_RWP) {
              if (!pgtable_supports_uffd() || VM_UFFD_RWP == VM_NONE)
                      goto out;
              if (!(ctx->features & UFFD_FEATURE_RWP))
                      goto out;
              vm_flags |= VM_UFFD_RWP;
      }

> Pre-existing issues:
> - [High] Calling present-PTE accessors on potentially non-present swap or 
> migration entries in must_wait() handlers.

Confirmed and pre-existing -- userfaultfd_must_wait() reads the PTE
locklessly and applies pte_write() / pte_protnone() / pte_uffd()
without checking pte_present(). The pre-patch pte_write() path has the
same shape on master. Will address in a separate fix.

> -- 
> Sashiko AI review ·
> https://sashiko.dev/#/patchset/[email protected]?part=9

-- 
  Kiryl Shutsemau / Kirill A. Shutemov