From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pandora.armlinux.org.uk (pandora.armlinux.org.uk [78.32.30.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 935413AE6F3 for ; Tue, 7 Jul 2026 11:58:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=78.32.30.218 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783425510; cv=none; b=fGqWi1ZN1yQvm18Zmy3Z8U16Oe+xfR8ww0okqp/8BAKzDihzoDedp8THdVaAOSK4fCZZNqWUStLmTGD7jusiJo8mzU8GXAq7vsuqk9NKjypsyTOVyLHOeHuURWZy8v14AtIlciq4VaEbZUbtcmaZwkjIwIIpaPY6E2D9gPJ3d94= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783425510; c=relaxed/simple; bh=uhnBZZYUS0gxiPco5MPJvqPQvE42mUxK3us4tO7Nik8=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=WEnzJlImqirLXJvEucd+IVlLa5IJMoSxCFUGvbJuXc3G59yDxmas7RcS5+qWNpPGWdxlrGrTwbvAu6MDLUYbE2nSG20SimFP9Q+EzB5rwDyemgNJVSM/65ag//Aw3XvcS2DiVIB437WWsaH9BVqGLa3NCCXBjYiTWjYMhYE1YlE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=armlinux.org.uk; spf=none smtp.mailfrom=armlinux.org.uk; dkim=pass (2048-bit key) header.d=armlinux.org.uk header.i=@armlinux.org.uk header.b=CQap+tka; arc=none smtp.client-ip=78.32.30.218 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=armlinux.org.uk Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=armlinux.org.uk Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=armlinux.org.uk header.i=@armlinux.org.uk header.b="CQap+tka" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=armlinux.org.uk; s=pandora-2019; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=stkx+vjsKdhX968mmJiOePHn7dujN6VJDWqehc4K6N4=; b=CQap+tkaox9/fVICER9FoFNvDu e//Xtvd6Qs1gsrYGHA+TRKpq5dBGjLojzL9FfGAqF+24spZ1aqVFVlU0uyeRXvH8QEY9XSUM1GI4+ sApiwFB89AG0Yy64xD4vHmmZimtSrgLMrpXzjSDE7Z4vyLLGQelEV1efYgpyRyGPfCGsaxfj08E9a nmWAe1pnoyFsQHl+gzgze0DQfQSp7FyDtz4+SLME7De/bvDvuu8whgrA8YE0p26g/XsMbHfVT6ne0 6Qs2eCUnsoJBmNA8dmndgy5vIf4dszJr+Wfw15tEDQSWyGoFlB0pm44BxnHSIeF7tENXo66tVldoG I323MjOQ==; Received: from shell.armlinux.org.uk ([fd8f:7570:feb6:1:5054:ff:fe00:4ec]:45516) by pandora.armlinux.org.uk with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wh4Qu-000000000mm-2UGt; Tue, 07 Jul 2026 12:57:48 +0100 Received: from linux by shell.armlinux.org.uk with local (Exim 4.98.2) (envelope-from ) id 1wh4Qr-000000006gy-3vIs; Tue, 07 Jul 2026 12:57:45 +0100 Date: Tue, 7 Jul 2026 12:57:45 +0100 From: Russell King To: Qi Xi Cc: Xie Yuanbin , akpm@linux-foundation.org, david@kernel.org, ljs@kernel.org, liam@infradead.org, vbabka@kernel.org, rppt@kernel.org, surenb@google.com, mhocko@suse.com, linusw@kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, sunnanyong@huawei.com, linux-mm@kvack.org, lilinjie8@huawei.com, liaohua4@huawei.com Subject: Re: [PATCH v3 1/2] ARM: mm: fix use-after-free in __do_user_fault() under CONFIG_DEBUG_USER Message-ID: References: <20260626073048.3595106-2-xiqi2@huawei.com> <20260706133247.145485-1-xieyuanbin1@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: "Russell King,,," On Tue, Jul 07, 2026 at 07:48:12PM +0800, Qi Xi wrote: > > > On 06/07/2026 21:32, Xie Yuanbin wrote: > > On Fri, 26 Jun 2026 15:30:47 +0800, Qi Xi wrote: > > > @@ -181,7 +181,9 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig, > > > pr_err("8<--- cut here ---\n"); > > > pr_err("%s: unhandled page fault (%d) at 0x%08lx, code 0x%03x\n", > > > tsk->comm, sig, addr, fsr); > > > + mmap_read_lock(tsk->mm); > > > show_pte(KERN_ERR, tsk->mm, addr); > > > + mmap_read_unlock(tsk->mm); > > > show_regs(regs); > > > } > > > #endif > > I found that this fix does not completely solve the problem. For a user > > fault, the addr could also be a kernel address. For arm32/x86, the kernel > > address space and user address space share the same pgd page table, > > but the kernel address space's page table is not protected by > > current->mm->mmap_lock. > > > > I have written a use case to construct and verify this point. When A user > > program accesses a kernel address and triggers __do_user_fault(), > > show_pte() will directly print the kernel page table. > > > > So, I suggest that: > > ```c > > if (user_mode(regs)) { > > struct mm_struct *const pt_mm = addr >= TASK_SIZE ? > > &init_mm : current->mm; > > > > mmap_read_lock(pt_mm); > > show_pte(KERN_ALERT, pt_mm, addr); > > mmap_read_unlock(pt_mm); > > } else { > > // .. keep nothing change > > show_pte(KERN_ALERT, current->mm, addr); > > } > > ``` > > > > I have read this article: > > Link: https://docs.kernel.org/mm/process_addrs.html > > `mmap_read_lock(&init_mm)` should be able to ensure that the kernel > > address's page tables can be traversed. But I'm not quite sure if > > `mmap_read_lock(¤t->mm)` provides protection for user-space non-VMA > > addresses? > You're right. And I think the fix is to simply skip show_pte() for kernel > addresses. No. This information is useful debug for kernel oops. -- RMK's Patch system: https://www.armlinux.org.uk/developer/patches/ FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!