From: Catalin Marinas <catalin.marinas@arm.com>
To: Jinjiang Tu <tujinjiang@huawei.com>
Cc: akpm@linux-foundation.org, david@kernel.org, will@kernel.org,
zengheng4@huawei.com, ryan.roberts@arm.com,
anshuman.khandual@arm.com, wangkefeng.wang@huawei.com,
linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org
Subject: Re: [PATCH v3] arm64: mm: fix pass user prot to ioremap_prot in generic_access_phys
Date: Fri, 30 Jan 2026 12:19:06 +0000 [thread overview]
Message-ID: <aXyhuq_DOd2pC_Fo@arm.com> (raw)
In-Reply-To: <20260130073807.99474-1-tujinjiang@huawei.com>
On Fri, Jan 30, 2026 at 03:38:07PM +0800, Jinjiang Tu wrote:
> Here is a syzkaller error log:
> [0000000020ffc000] pgd=080000010598d403, p4d=080000010598d403, pud=0800000125ddb403,
> pmd=080000007833c403, pte=01608000007fcfcf
> Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000
> KASAN: probably user-memory-access in range [0x0000000475448000-0x0000000475448007]
> Mem abort info:
> ESR = 0x000000009600000f
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x0f: level 3 permission fault
> Data abort info:
> ISV = 0, ISS = 0x0000000f, ISS2 = 0x00000000
> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000001244aa000
> [ffff80008ea89000] pgd=100000013ffff403, p4d=100000013ffff403, pud=100000013fffe403,
> pmd=100000010a453403, pte=01608000007fcfcf
> Internal error: Oops: 000000009600000f [#1] SMP
> Modules linked in: team
> CPU: 1 PID: 10840 Comm: syz.9.83 Kdump: loaded Tainted: G
> Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
> pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : __memcpy_fromio+0x80/0xf8
> lr : generic_access_phys+0x20c/0x2b8
> sp : ffff8000a0507960
> x29: ffff8000a0507960 x28: 1ffff000140a0f44 x27: ffff00003833cfe0
> x26: 0000000000000000 x25: 0000000000001000 x24: 0010000000000001
> x23: ffff80008ea89000 x22: ffff00004ea63000 x21: 0000000000001000
> x20: ffff80008ea89000 x19: ffff00004ea62000 x18: 0000000000000000
> x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000806f1e3c
> x14: ffff8000806f1d44 x13: 0000000041b58ab3 x12: ffff7000140a0f23
> x11: 1ffff000140a0f22 x10: ffff7000140a0f22 x9 : ffff800080579d24
> x8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001
> x5 : ffff8000a0507910 x4 : ffff7000140a0f22 x3 : dfff800000000000
> x2 : 0000000000001000 x1 : ffff80008ea89000 x0 : ffff00004ea62000
> Call trace:
> __memcpy_fromio+0x80/0xf8
> generic_access_phys+0x20c/0x2b8
> __access_remote_vm+0x46c/0x5b8
> access_remote_vm+0x18/0x30
> environ_read+0x238/0x3e8
> vfs_read+0xe4/0x2b0
> ksys_read+0xcc/0x178
> __arm64_sys_read+0x4c/0x68
> invoke_syscall+0x68/0x1a0
> el0_svc_common.constprop.0+0x11c/0x150
> do_el0_svc+0x38/0x50
> el0_svc+0x50/0x258
> el0t_64_sync_handler+0xc0/0xc8
> el0t_64_sync+0x1a4/0x1a8
> Code: 91002339 aa1403f7 8b190276 d503201f (f94002f8)
>
> The local syzkaller first maps I/O address from /dev/mem to userspace,
> overiding the stack vma with MAP_FIXED flag. As a result, when reading
> /proc/$pid/environ, generic_access_phys() is called to access the region,
> which triggers a PAN permission-check fault and causes a kernel access
> fault.
>
> The root cause is that generic_access_phys() passes a user pte to
> ioremap_prot(), the user pte sets PTE_USER and PTE_NG bits. Consequently,
> any subsequent kernel-mode access to the remapped address raises a fault.
>
> To fix it, define arch_mk_kernel_prot() to convert user prot to kernel
> prot for arm64, and call arch_mk_kernel_prot() in generic_access_phys(),
> so that a user prot is passed to ioremap_prot().
>
> Fixes: 893dea9ccd08 ("arm64: Add HAVE_IOREMAP_PROT support")
> Signed-off-by: Zeng Heng <zengheng4@huawei.com>
> Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
That's not urgent for 6.19, it's just misuse of /dev/mem (aren't they
all) but it's worth fixing.
Thanks.
--
Catalin
next prev parent reply other threads:[~2026-01-30 12:19 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-30 7:38 Jinjiang Tu
2026-01-30 12:19 ` Catalin Marinas [this message]
2026-01-31 0:07 ` Jinjiang Tu
2026-02-02 14:55 ` Will Deacon
2026-02-03 3:38 ` Jinjiang Tu
2026-02-03 9:23 ` Will Deacon
2026-02-05 7:23 ` Jinjiang Tu
2026-02-05 14:31 ` Catalin Marinas
2026-02-05 17:36 ` Will Deacon
2026-02-05 18:25 ` Catalin Marinas
2026-02-06 12:08 ` Catalin Marinas
2026-02-09 12:02 ` Will Deacon
2026-02-18 16:22 ` Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aXyhuq_DOd2pC_Fo@arm.com \
--to=catalin.marinas@arm.com \
--cc=akpm@linux-foundation.org \
--cc=anshuman.khandual@arm.com \
--cc=david@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=ryan.roberts@arm.com \
--cc=tujinjiang@huawei.com \
--cc=wangkefeng.wang@huawei.com \
--cc=will@kernel.org \
--cc=zengheng4@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox