[SRU N][PATCH 0/1] Fix write-sealed memfd mappings which are read-only

Stefan Bader stefan.bader at canonical.com
Mon Jan 12 17:33:17 UTC 2026 

BugLink: https://bugs.launchpad.net/bugs/2138244

== SRU Justification ==

Impact:
This was found by kernel selftests after backporting changes which attempt to do this.

The relevant backport history for noble:linux is:

Ubuntu-6.8.0-98.98
5045339a33e8 selftests/memfd: add test for mapping write-sealed memfd read-only
Ubuntu-6.8.0-60.63
13ce5fc940ea mm: reinstate ability to map write-sealed memfd mappings read-only
Ubuntu-6.8.0-58.60 (used linux-6.6.y for backport)
ca868840feb4 mm: resolve faulty mmap_region() error path behaviour
v6.7 (part of rebase to 6.8)
158978945f31 mm: perform the mapping_map_writable() check after call_mmap()
28464bbb2ddc mm: update memfd seal write check to include F_SEAL_WRITE
e8e17ee90eaf mm: drop the assumption that VM_SHARED always implies writable

For Noble we followed upstream order but upstream stable picked one change out of that order and we used that when doing our backport. However that lost using is_shared_maywrite():

v6.6.103
5dd481868eb1 selftests/memfd: add test for mapping write-sealed memfd read-only
2e4179698f84 mm: reinstate ability to map write-sealed memfd mappings read-only
87a75f68eaba mm: update memfd seal write check to include F_SEAL_WRITE
17c5d49beb6c mm: drop the assumption that VM_SHARED always implies writable
             ^ Modifies the coded added in 6.6.63 but not picked into noble
               as is is already there (6.7)
v6.6.63
bdc136e2b05f mm: resolve faulty mmap_region() error path behaviour
             ^ Backport out of order is_shared_maywrite() is avoided

That resulted in the following subtle error when moving code:
...
- if (vma_is_shared_maywrite(vma)) {
...
+ if (file && (vm_flags & VM_SHARED)) {

Which results in the behavior reverting to the previous incorrect way.

Fix:
The fix is to fix up the one incorrectly backported line to use is_shared_maywrite(vm_flags) instead.

Testing:
ubuntu_kernel_selftests.memfd:memfd_test should not longer fail with:

09:21:12 DEBUG| [stdout] # memfd: SEAL-FUTURE-WRITE
09:21:12 DEBUG| [stdout] # memfd: SEAL-WRITE-MAP-READ
09:21:12 DEBUG| [stdout] # mmap() failed: Operation not permitted
09:21:12 DEBUG| [stdout] # /usr/bin/timeout: the monitored command dumped core
09:21:12 DEBUG| [stdout] # Aborted
09:21:12 DEBUG| [stdout] not ok 1 selftests: memfd: memfd_test # exit=134


Stefan Bader (1):
  UBUNTU: SAUCE: Fix read-only mapping of write-sealed pages

 mm/mmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.43.0

More information about the kernel-team mailing list