From: Catalin Marinas <catalin.marinas@arm.com>
To: Jinjiang Tu <tujinjiang@huawei.com>
Cc: akpm@linux-foundation.org, david@kernel.org, will@kernel.org,
zengheng4@huawei.com, ryan.roberts@arm.com,
anshuman.khandual@arm.com, wangkefeng.wang@huawei.com,
linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org
Subject: Re: [PATCH v3] arm64: mm: fix pass user prot to ioremap_prot in generic_access_phys
Date: Fri, 30 Jan 2026 12:19:06 +0000 [thread overview]
Message-ID: <aXyhuq_DOd2pC_Fo@arm.com> (raw)
In-Reply-To: <20260130073807.99474-1-tujinjiang@huawei.com>
On Fri, Jan 30, 2026 at 03:38:07PM +0800, Jinjiang Tu wrote:
> Here is a syzkaller error log:
> [0000000020ffc000] pgd=080000010598d403, p4d=080000010598d403, pud=0800000125ddb403,
> pmd=080000007833c403, pte=01608000007fcfcf
> Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000
> KASAN: probably user-memory-access in range [0x0000000475448000-0x0000000475448007]
> Mem abort info:
> ESR = 0x000000009600000f
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x0f: level 3 permission fault
> Data abort info:
> ISV = 0, ISS = 0x0000000f, ISS2 = 0x00000000
> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000001244aa000
> [ffff80008ea89000] pgd=100000013ffff403, p4d=100000013ffff403, pud=100000013fffe403,
> pmd=100000010a453403, pte=01608000007fcfcf
> Internal error: Oops: 000000009600000f [#1] SMP
> Modules linked in: team
> CPU: 1 PID: 10840 Comm: syz.9.83 Kdump: loaded Tainted: G
> Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
> pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : __memcpy_fromio+0x80/0xf8
> lr : generic_access_phys+0x20c/0x2b8
> sp : ffff8000a0507960
> x29: ffff8000a0507960 x28: 1ffff000140a0f44 x27: ffff00003833cfe0
> x26: 0000000000000000 x25: 0000000000001000 x24: 0010000000000001
> x23: ffff80008ea89000 x22: ffff00004ea63000 x21: 0000000000001000
> x20: ffff80008ea89000 x19: ffff00004ea62000 x18: 0000000000000000
> x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000806f1e3c
> x14: ffff8000806f1d44 x13: 0000000041b58ab3 x12: ffff7000140a0f23
> x11: 1ffff000140a0f22 x10: ffff7000140a0f22 x9 : ffff800080579d24
> x8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001
> x5 : ffff8000a0507910 x4 : ffff7000140a0f22 x3 : dfff800000000000
> x2 : 0000000000001000 x1 : ffff80008ea89000 x0 : ffff00004ea62000
> Call trace:
> __memcpy_fromio+0x80/0xf8
> generic_access_phys+0x20c/0x2b8
> __access_remote_vm+0x46c/0x5b8
> access_remote_vm+0x18/0x30
> environ_read+0x238/0x3e8
> vfs_read+0xe4/0x2b0
> ksys_read+0xcc/0x178
> __arm64_sys_read+0x4c/0x68
> invoke_syscall+0x68/0x1a0
> el0_svc_common.constprop.0+0x11c/0x150
> do_el0_svc+0x38/0x50
> el0_svc+0x50/0x258
> el0t_64_sync_handler+0xc0/0xc8
> el0t_64_sync+0x1a4/0x1a8
> Code: 91002339 aa1403f7 8b190276 d503201f (f94002f8)
>
> The local syzkaller first maps I/O address from /dev/mem to userspace,
> overiding the stack vma with MAP_FIXED flag. As a result, when reading
> /proc/$pid/environ, generic_access_phys() is called to access the region,
> which triggers a PAN permission-check fault and causes a kernel access
> fault.
>
> The root cause is that generic_access_phys() passes a user pte to
> ioremap_prot(), the user pte sets PTE_USER and PTE_NG bits. Consequently,
> any subsequent kernel-mode access to the remapped address raises a fault.
>
> To fix it, define arch_mk_kernel_prot() to convert user prot to kernel
> prot for arm64, and call arch_mk_kernel_prot() in generic_access_phys(),
> so that a user prot is passed to ioremap_prot().
>
> Fixes: 893dea9ccd08 ("arm64: Add HAVE_IOREMAP_PROT support")
> Signed-off-by: Zeng Heng <zengheng4@huawei.com>
> Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
That's not urgent for 6.19, it's just misuse of /dev/mem (aren't they
all) but it's worth fixing.
Thanks.
--
Catalin
next prev parent reply other threads:[~2026-01-30 12:19 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-30 7:38 [PATCH v3] arm64: mm: fix pass user prot to ioremap_prot in generic_access_phys Jinjiang Tu
2026-01-30 12:19 ` Catalin Marinas [this message]
2026-01-31 0:07 ` Jinjiang Tu
2026-02-02 14:55 ` Will Deacon
2026-02-03 3:38 ` Jinjiang Tu
2026-02-03 9:23 ` Will Deacon
2026-02-05 7:23 ` Jinjiang Tu
2026-02-05 14:31 ` Catalin Marinas
2026-02-05 17:36 ` Will Deacon
2026-02-05 18:25 ` Catalin Marinas
2026-02-06 12:08 ` Catalin Marinas
2026-02-09 12:02 ` Will Deacon
2026-02-18 16:22 ` Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aXyhuq_DOd2pC_Fo@arm.com \
--to=catalin.marinas@arm.com \
--cc=akpm@linux-foundation.org \
--cc=anshuman.khandual@arm.com \
--cc=david@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=ryan.roberts@arm.com \
--cc=tujinjiang@huawei.com \
--cc=wangkefeng.wang@huawei.com \
--cc=will@kernel.org \
--cc=zengheng4@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.