From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5579B412276 for ; Tue, 7 Jul 2026 12:46:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783428393; cv=none; b=CwxEjCKHYeOGojWbSjw8L2rXgqK8qw+AItgmjhYyy0pGpSZWIK3pkhKrIa4B7+dME8IbYtprMOWOttVuoMAETyUmYqlopj93fwKGdsDj8+nNAi1X6wVm6OCVtCm4roRPgoODZwOhWrOj/ns6H/M/Y7h4vLq1QhxKEaYhVH1n1rw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783428393; c=relaxed/simple; bh=jQ8ODiwXb/I/Xra4egYP1UiDIl5LokyaxTVotk6zD7I=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=a1qynaoUsacGiptYN+3NSv8Pp7M+LEAxr5YTOsPGHVyIjrZNjgXwiwSRVlEuOMMHI+wAoNClr6GjSMxJddIcu8NDZoWrsNVi4zHm8nASU1E2FWR6qrF3H1NYXa1qho7WIcMLyuZbnZur4ESLP8dWYyZ9gRgZr7eeVBBcIH57k4U= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Rjy0cnLi; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Rjy0cnLi" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1AD181F000E9; Tue, 7 Jul 2026 12:46:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1783428390; bh=Ewdqf09/9A0MElDORLS07X9p5VzrfDnnvCn9V/hQNQs=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=Rjy0cnLisBi/mSGas37kSJEpI9VAejdyGuMOsAFnwpaMXWu6H9/WK70LPa1xkEoKZ 4b6kCyS0M3vkqr2+GfByl/DG/qJUwgrvZlSpddhx1d6XbaO2a551L70HBpSZG03924 pmeYYxEJs5qEqpzeMi1gJeqnHo3hpAnUwN1v3HYDCT4BxPgtzCDOoPmnYneUd4hK8c ryoIxcYXyJ0usBMe8qWST91pCaeYMq239IlRiwqiMdF5BtY+s3ruk4KM+ytwM8pxy1 cIu5giQhHvAzfe2yXvCGJ7/SWBx06xdh7lOYWHnBbh+m4HIxyvbotZ3iPD/E47iLyU eGiVf2Ev5yJSA== Date: Tue, 7 Jul 2026 13:46:19 +0100 From: Lorenzo Stoakes To: Xie Yuanbin Cc: xiqi2@huawei.com, akpm@linux-foundation.org, linux@armlinux.org.uk, david@kernel.org, liam@infradead.org, vbabka@kernel.org, rppt@kernel.org, surenb@google.com, mhocko@suse.com, linusw@kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, sunnanyong@huawei.com, linux-mm@kvack.org, lilinjie8@huawei.com, liaohua4@huawei.com Subject: Re: [PATCH v3 1/2] ARM: mm: fix use-after-free in __do_user_fault() under CONFIG_DEBUG_USER Message-ID: References: <20260626073048.3595106-2-xiqi2@huawei.com> <20260706133247.145485-1-xieyuanbin1@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260706133247.145485-1-xieyuanbin1@huawei.com> On Mon, Jul 06, 2026 at 09:32:47PM +0800, Xie Yuanbin wrote: > On Fri, 26 Jun 2026 15:30:47 +0800, Qi Xi wrote: > > @@ -181,7 +181,9 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig, > > pr_err("8<--- cut here ---\n"); > > pr_err("%s: unhandled page fault (%d) at 0x%08lx, code 0x%03x\n", > > tsk->comm, sig, addr, fsr); > > + mmap_read_lock(tsk->mm); > > show_pte(KERN_ERR, tsk->mm, addr); > > + mmap_read_unlock(tsk->mm); > > show_regs(regs); > > } > > #endif > > I found that this fix does not completely solve the problem. For a user > fault, the addr could also be a kernel address. For arm32/x86, the kernel > address space and user address space share the same pgd page table, > but the kernel address space's page table is not protected by > current->mm->mmap_lock. > > I have written a use case to construct and verify this point. When A user > program accesses a kernel address and triggers __do_user_fault(), > show_pte() will directly print the kernel page table. > > So, I suggest that: > ```c > if (user_mode(regs)) { > struct mm_struct *const pt_mm = addr >= TASK_SIZE ? > &init_mm : current->mm; > > mmap_read_lock(pt_mm); > show_pte(KERN_ALERT, pt_mm, addr); > mmap_read_unlock(pt_mm); > } else { > // .. keep nothing change > show_pte(KERN_ALERT, current->mm, addr); > } > ``` > > I have read this article: > Link: https://docs.kernel.org/mm/process_addrs.html > `mmap_read_lock(&init_mm)` should be able to ensure that the kernel > address's page tables can be traversed. But I'm not quite sure if I added a section specifically about this - https://docs.kernel.org/mm/process_addrs.html#traversing-non-vma-page-tables But note: "Since, aside from vmalloc and memory hot plug, kernel page tables are not torn down all that often - this usually suffices, however any caller of this functionality must ensure that any additionally required locks are acquired in advance." With the latter part being particularly important - you really need to be sure you aren't going to be raced on page table teardown by anything. However: * You're safe from vmalloc trying to install a huge page table (only way it removes intermediate page tables) since !HAVE_ARCH_HUGE_VMAP. * And since arm32 !ARCH_ENABLE_MEMORY_HOTPLUG you're safe from that too :) (Really I think you should be using walk_page_range_debug() here ultimately but that's a future refactor). BUT see below: > `mmap_read_lock(¤t->mm)` provides protection for user-space non-VMA > addresses? OK so this _does_ need addressing, and I covered it in the document: We also permit a truly unusual case is the traversal of non-VMA ranges in userland ranges, as provided for by walk_page_range_debug(). We must take great care in this case, as the munmap() implementation detaches VMAs under an mmap write lock before tearing down page tables under a downgraded mmap read lock. This means such an operation could race with this, and thus an mmap write lock is required. I.e. you need a write lock. So in conclusion the patch should be: diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c index e62cc4be5a..1f2a85e1fa 100644 --- a/arch/arm/mm/fault.c +++ b/arch/arm/mm/fault.c @@ -181,7 +181,9 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig, pr_err("8<--- cut here ---\n"); pr_err("%s: unhandled page fault (%d) at 0x%08lx, code 0x%03x\n", tsk->comm, sig, addr, fsr); + mmap_write_lock(tsk->mm); show_pte(KERN_ERR, tsk->mm, addr); + mmap_write_unlock(tsk->mm); show_regs(regs); } #endif > > Also cc to mm maintainers: > Cc: David Hildenbrand > Cc: Lorenzo Stoakes > Cc: Liam R. Howlett > Cc: Vlastimil Babka > Cc: Mike Rapoport > Cc: Suren Baghdasaryan > Cc: Michal Hocko > Cc: Linus Walleij Thanks :) Cheers, Lorenzo