From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 562FEC43458 for ; Tue, 7 Jul 2026 12:47:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: Content-Type:In-Reply-To:From:References:CC:To:Subject:MIME-Version:Date: Message-ID:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=GQRdIed9FxvGoM8zGNvZRyfwCPAFp/XYSbDPrPh4wGc=; b=I2LpsssfhCxqyUDyna8axwqhzf /H1fVajJ+5yGQ9g0tlASx/2A/gDsM7yApwrDaOAUA6eoEALY3Sc3jSrq/D6FcJz9eJMRL7sjFPMNt ii4mOH3JzYJB/CTg20Hgh0pVsoHIt/Ud+9h9rgBptglKh4Md/KUkxAs1xa7YTQ+ozhHk45RlNvYaH DF28IoiiTe89YFcjpEMcenPe5ElDbsysTNpyzCN4UP9mT3OfEq8+O1puEuellzJZDc+pzOrQoAQSZ B/I4htHG1qUk/6uIpKlg6kLd26kQ/Bn0PhWqtMeJHKCnyJ+irGhGs0rQFa5effdJp97SmRI5V95KL samOI/cg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.99.1 #2 (Red Hat Linux)) id 1wh5Ck-0000000Ezbz-27zM; Tue, 07 Jul 2026 12:47:14 +0000 Received: from canpmsgout05.his.huawei.com ([113.46.200.220]) by bombadil.infradead.org with esmtps (Exim 4.99.1 #2 (Red Hat Linux)) id 1wh5Cf-0000000Eza9-473U for linux-arm-kernel@lists.infradead.org; Tue, 07 Jul 2026 12:47:13 +0000 dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=GQRdIed9FxvGoM8zGNvZRyfwCPAFp/XYSbDPrPh4wGc=; b=TALjfW1BXCDsVYIOhNk3xDerpRvOXDdd+5Jf3kCiH8Uud7hxIQjKLAouoCMgWOFAF91eJ47Ui FyYb89uMNUwkVanzjvQIlVXVF0N+AAggbf5hAK1QLB0zclikUafxeTFm16aMADo6qN3kOlRNEA9 gcyU6AJ7Dx7CgTwpSGADeuE= Received: from mail.maildlp.com (unknown [172.19.162.197]) by canpmsgout05.his.huawei.com (SkyGuard) with ESMTPS id 4gvgkQ55rmz12LDB; Tue, 7 Jul 2026 20:38:22 +0800 (CST) Received: from kwepemo200010.china.huawei.com (unknown [7.202.195.178]) by mail.maildlp.com (Postfix) with ESMTPS id 6223340579; Tue, 7 Jul 2026 20:47:02 +0800 (CST) Received: from [10.174.178.56] (10.174.178.56) by kwepemo200010.china.huawei.com (7.202.195.178) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.36; Tue, 7 Jul 2026 20:47:01 +0800 Message-ID: <5d00c0d4-89ab-40eb-ba50-6eafe4957f50@huawei.com> Date: Tue, 7 Jul 2026 20:47:00 +0800 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v3 1/2] ARM: mm: fix use-after-free in __do_user_fault() under CONFIG_DEBUG_USER To: Russell King CC: Xie Yuanbin , , , , , , , , , , , , , , , References: <20260626073048.3595106-2-xiqi2@huawei.com> <20260706133247.145485-1-xieyuanbin1@huawei.com> Content-Language: en-GB From: Qi Xi In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.178.56] X-ClientProxiedBy: kwepems100002.china.huawei.com (7.221.188.206) To kwepemo200010.china.huawei.com (7.202.195.178) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.9.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20260707_054710_640313_4339BB05 X-CRM114-Status: GOOD ( 13.46 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 07/07/2026 19:57, Russell King wrote: > On Tue, Jul 07, 2026 at 07:48:12PM +0800, Qi Xi wrote: >> >> On 06/07/2026 21:32, Xie Yuanbin wrote: >>> On Fri, 26 Jun 2026 15:30:47 +0800, Qi Xi wrote: >>>> @@ -181,7 +181,9 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig, >>>> pr_err("8<--- cut here ---\n"); >>>> pr_err("%s: unhandled page fault (%d) at 0x%08lx, code 0x%03x\n", >>>> tsk->comm, sig, addr, fsr); >>>> + mmap_read_lock(tsk->mm); >>>> show_pte(KERN_ERR, tsk->mm, addr); >>>> + mmap_read_unlock(tsk->mm); >>>> show_regs(regs); >>>> } >>>> #endif >>> I found that this fix does not completely solve the problem. For a user >>> fault, the addr could also be a kernel address. For arm32/x86, the kernel >>> address space and user address space share the same pgd page table, >>> but the kernel address space's page table is not protected by >>> current->mm->mmap_lock. >>> >>> I have written a use case to construct and verify this point. When A user >>> program accesses a kernel address and triggers __do_user_fault(), >>> show_pte() will directly print the kernel page table. >>> >>> So, I suggest that: >>> ```c >>> if (user_mode(regs)) { >>> struct mm_struct *const pt_mm = addr >= TASK_SIZE ? >>> &init_mm : current->mm; >>> >>> mmap_read_lock(pt_mm); >>> show_pte(KERN_ALERT, pt_mm, addr); >>> mmap_read_unlock(pt_mm); >>> } else { >>> // .. keep nothing change >>> show_pte(KERN_ALERT, current->mm, addr); >>> } >>> ``` >>> >>> I have read this article: >>> Link: https://docs.kernel.org/mm/process_addrs.html >>> `mmap_read_lock(&init_mm)` should be able to ensure that the kernel >>> address's page tables can be traversed. But I'm not quite sure if >>> `mmap_read_lock(¤t->mm)` provides protection for user-space non-VMA >>> addresses? >> You're right. And I think the fix is to simply skip show_pte() for kernel >> addresses. > No. This information is useful debug for kernel oops. > For addr >= TASK_SIZE, concurrent munmap cannot free the kernel page tables. So there is no uaf risk, and show_pte() is still called without the lock as before. Does the following change look acceptable? if (user_mode(regs) && addr < TASK_SIZE) { mmap_read_lock(current->mm); show_pte(KERN_ALERT, current->mm, addr); mmap_read_unlock(current->mm); } else { // .. keep nothing change show_pte(KERN_ALERT, current->mm, addr); }