[PATCH v3 1/2] ARM: mm: fix use-after-free in __do_user_fault() under CONFIG_DEBUG_USER
Xie Yuanbin
xieyuanbin1 at huawei.com
Tue Jul 7 07:04:05 PDT 2026
On Tue, 7 Jul 2026 14:20:19 +0100, Lorenzo Stoakes wrote:
> Well the whole reason you're faulting here might be because a userland process
> did that right? The page tables should tell you (presumably on ARM32 :)
>
> And I hate to repeat myself, maybe you didn't read the whole thread but... just
> use mmap_write_lock(), this isn't necessary?
>
> What is this trying to achieve?
>
> You're not in a hotpath, why are you bothering to conditionally take/not take
> the lock?
I think it is not the same thing as the previous discussion regarding
which locks are needed for `show_pte()`.
Now, for this bug, we have two places that need to be fixed:
1. __do_user_fault()->show_pte();
2. do_DataAbort()->show_pte();
For the first one, it must be a user fault, the judgment of
user_mode(regs) can be omitted.
For the second one, it may be a user fault or a kernel fault. If it is
a kernel fault, it also means that this is a kernel oops.
For kernel oops, according to Russell's opinion, we do not need to fix
this bug, which means we do not need to acquire any locks, because the
kernel may die soon. However, show_pte() still needs to be retained
because it is useful for debugging the kernel.
For user faults, we need to fix it:
1. For user space addr (addr < TASK_SIZE), we need to acquire
current->mm's write lock, before show_pte(), I understand it now.
2. For kernel space addr (addr >= TASK_SIZE), maybe we can omit
show_pte()? After all, user-mode programs can access any kernel address
to trigger user faults, but we dump the page tables of kernel
addresses, would that be inappropriate,
(e.g., posing potential security risks)?
More information about the linux-arm-kernel
mailing list