On Thu, May 28, 2026 at 1:43 PM Leon Hwang <[email protected]> wrote:
>
> On 25/5/26 15:21, Yuyang Huang wrote:
> [...]
> >
> > Feel free to let us know your thoughts.
> >
>
> I believe this is a user space issue instead of a kernel bug.
>
> I tried using mmap() memory as uattr and got -EFAULT instead of a crash.
>
> [................] /* mmap() memory */
>               ^ tail 40B as uattr
>          ^ 56B offset for copy_to_user()
>
> Thanks,
> Leon
>
Thanks for testing this! There is some discussion in the original thread:
https://lore.kernel.org/all/CANP3RGfZTXM_u=e_atoompzxutoqj02nomkccr-ybzbom2s...@mail.gmail.com/
as follows, which might answer your question:

> > > If the uattr indeed has less than needed space, then for
> > >
> > >     if (copy_to_user(&uattr->query.revision, &revision,
> > >                      sizeof(revision)))
> > >         return -EFAULT;
> > >
> > > the kernel will return -EFAULT to user space.
> > >
> > > Maybe userspace didn't handle the return code properly, causing
> > > user space corruption and segfaults. This shouldn't be a kernel issue.
> > > Maybe I missed something?
> >
> > That's not how that works at all.
> >
> > copy_to_user() will only fail and thus EFAULT will only be returned if
> > the memory area copy_to_user() is trying to copy into isn't
> > owned/mapped by the user (or perhaps is read-only protected, not sure
> > about this last one).
> >
> > Because memory is mapped in (at least) 4K pages, the memory after a
> > user buffer is almost always still valid memory. It might be unused,
> > or it might be something on the stack - like a return address, or it
> > might be on the heap - metadata tracking, or a different memory
> > allocation perhaps entirely.

You might hit the same case as maze@ mentioned in the thread. To trigger -EFAULT, you likely positioned `uattr` at the very end of a mapped page immediately followed by a protected page. Could you share the test program you created so we can verify?

Please check the test program I shared earlier in the thread (where uattr is stored on the stack); the BPF syscall returned 0, but stack corruption occurred. If you think my test program contains a bug, feel free to let me know.

Thanks,
Yuyang
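The guard-page layout Leon describes and the 4K-page argument quoted in the reply can both be checked from user space. The following C program is an added example, not Leon's or Yuyang's test program (neither appears on the page); it uses read() on a pipe as a stand-in for the bpf() syscall's copy_to_user(), which is an assumption, and shows the two outcomes: an oversize kernel write into a buffer at the tail of a page followed by a PROT_NONE page comes back as EFAULT, while the same write into a buffer in the middle of a page succeeds and silently clobbers the bytes after it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Place a buf_bytes-byte buffer at the tail of a page whose neighbour is
 * PROT_NONE ("guarded", the mmap() layout above) or in the middle of the
 * page ("unguarded", like a stack variable), then let the kernel write
 * write_bytes into it via read() on a pipe, a stand-in (assumption) for
 * the bpf() syscall's copy_to_user().  The mapping starts zero-filled,
 * so the byte after the buffer acts as a canary in the unguarded case.
 * Returns errno (>0) if the kernel refused the write, 0 if the write
 * stayed in bounds, -1 if the kernel silently wrote past the buffer. */
static int kernel_write_probe(size_t buf_bytes, size_t write_bytes, int guarded)
{
    long page = sysconf(_SC_PAGESIZE);
    unsigned char src[256];
    int fds[2], result = 0;

    if (write_bytes > sizeof src || write_bytes > (size_t)page / 2 || buf_bytes > (size_t)page / 2)
        return EINVAL;
    unsigned char *map = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED)
        return errno;
    /* Second page inaccessible: a copy that spills into it faults with EFAULT. */
    if (mprotect(map + page, page, PROT_NONE) != 0 || pipe(fds) != 0) {
        result = errno;
        munmap(map, 2 * page);
        return result;
    }
    unsigned char *buf = guarded ? map + page - buf_bytes : map + page / 2;

    memset(src, 0xA5, sizeof src);          /* non-zero, so a spill shows */
    if (write(fds[1], src, write_bytes) != (ssize_t)write_bytes)
        result = errno;
    else if (read(fds[0], buf, write_bytes) < 0)
        result = errno;                     /* copy hit the guard page */
    else if (!guarded && buf[buf_bytes] != 0)
        result = -1;                        /* overrun, no error reported */

    close(fds[0]);
    close(fds[1]);
    munmap(map, 2 * page);
    return result;
}
```

With the 40-byte/56-byte sizes from Leon's diagram, the guarded layout reports EFAULT and the unguarded one reports -1, which is the silent-corruption case the reply is concerned about.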

