From: Pasha Tatashin
Date: Mon, 8 May 2023 14:48:59 -0700
Subject: Re: usbdev_mmap causes type confusion in page_table_check
To: Matthew Wilcox
Cc: Ruihan Li, syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <000000000000258e5e05fae79fc1@google.com> <20230507135844.1231056-1-lrh2000@pku.edu.cn>
List-ID: linux-kernel@vger.kernel.org

On Mon, May 8, 2023 at 2:36 PM Matthew Wilcox wrote:
>
> On Mon, May 08, 2023 at 05:27:10PM -0400, Pasha Tatashin wrote:
> > > static void page_table_check_set(struct mm_struct *mm, unsigned long addr,
> > >                                  unsigned long pfn, unsigned long pgcnt,
> > >                                  bool rw)
> > > {
> > >         // ...
> > >         anon = PageAnon(page);
> > >         for (i = 0; i < pgcnt; i++) {
> > >                 // ...
> > >                 if (anon) {
> > >                         BUG_ON(atomic_read(&ptc->file_map_count));
> > >                         BUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);
> > >                 } else {
> > >                         BUG_ON(atomic_read(&ptc->anon_map_count));
> > >                         BUG_ON(atomic_inc_return(&ptc->file_map_count) < 0);
> > >                 }
> > >                 // ...
> > >         }
> > >         // ...
> > > }
> > >
> > > This call to PageAnon is invalid for slab pages because slab reuses the bits
> > > in struct page/folio to store its internal states, and the anonymity bit only
> > > exists in struct page/folio. As a result, the counters are incorrectly updated
> > > and checked in page_table_check_set and page_table_check_clear, leading to the
> > > bug being raised.
> >
> > We should change the anon boolean to be:
> >
> > anon = !PageSlab(page) && PageAnon(page);
>
> No.  Slab pages are not eligible for mapping into userspace.  That's

Sure, I can add BUG_ON(PageSlab(page)); to page_table_check_set.

> all.  There should be a BUG() for that.  And I do mean BUG(), not
> "return error to user".  Something has gone horribly wrong, and it's
> time to crash.

It is just too easy to make slab available via remap_pfn_range(), but
I do not think we want to add BUG() into the remap function, otherwise
we will break devices such as /dev/mem.

Pasha
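The following is an added user-space model of the anon/file counter logic discussed in this thread; it is example code written for this page, not kernel code from the report or the patch. It reproduces the shape of page_table_check_set()/page_table_check_clear() with BUG_ON() replaced by an error return so each scenario can be checked, and shows why a slab page is a type confusion for the check: the word PageAnon() reads is owned by slab, so its low bit is arbitrary and can differ between the set and the clear. The flag bit value, the mapping-word constants and the "slab rewrites its word between set and clear" step are assumptions of the model.

```c
/*
 * Added example: user-space model of page_table_check's per-pfn counters.
 * struct page, PageAnon(), PageSlab() and the constants are simplified
 * stand-ins; BUG_ON() becomes an error return so scenarios can be asserted.
 */
#include <stdbool.h>
#include <stdio.h>

#define PAGE_MAPPING_ANON 0x1UL  /* low bit of page->mapping marks an anon page */
#define PG_SLAB_FLAG      0x2UL  /* assumed PG_slab bit position, model only */

struct page {
    unsigned long flags;
    unsigned long mapping;       /* address_space pointer, or a word slab reuses */
};

struct page_table_check {        /* per-pfn counters as page_table_check keeps them */
    int anon_map_count;
    int file_map_count;
};

enum ptc_result {
    PTC_OK = 0,
    PTC_BUG_SLAB_MAPPED,         /* a slab page reached the page tables at all */
    PTC_BUG_ANON_FILE_MIX,       /* same pfn counted as both anon and file */
    PTC_BUG_ANON_SHARED_RW,      /* anon page writable from more than one mapping */
    PTC_BUG_COUNT_UNDERFLOW,     /* more clears than sets */
};

static bool PageAnon(const struct page *p) { return (p->mapping & PAGE_MAPPING_ANON) != 0; }
static bool PageSlab(const struct page *p) { return (p->flags & PG_SLAB_FLAG) != 0; }

/* Model of page_table_check_set() for one page; guard_slab selects the
 * BUG_ON(PageSlab(page)) suggested in the thread. */
static enum ptc_result ptc_set(const struct page *page, struct page_table_check *ptc,
                               bool rw, bool guard_slab)
{
    if (guard_slab && PageSlab(page))
        return PTC_BUG_SLAB_MAPPED;
    if (PageAnon(page)) {
        if (ptc->file_map_count)
            return PTC_BUG_ANON_FILE_MIX;
        if (++ptc->anon_map_count > 1 && rw)
            return PTC_BUG_ANON_SHARED_RW;
    } else {
        if (ptc->anon_map_count)
            return PTC_BUG_ANON_FILE_MIX;
        ++ptc->file_map_count;
    }
    return PTC_OK;
}

/* Model of page_table_check_clear(): the mirror image of ptc_set(). */
static enum ptc_result ptc_clear(const struct page *page, struct page_table_check *ptc)
{
    int *own   = PageAnon(page) ? &ptc->anon_map_count : &ptc->file_map_count;
    int *other = PageAnon(page) ? &ptc->file_map_count : &ptc->anon_map_count;
    if (*other)
        return PTC_BUG_ANON_FILE_MIX;
    return (--*own < 0) ? PTC_BUG_COUNT_UNDERFLOW : PTC_OK;
}

/* Anon page: one writable mapping is fine, a second writable one is the bug
 * the counter exists to catch; a second read-only mapping (post-fork CoW) is ok. */
static enum ptc_result scenario_anon(bool second_rw)
{
    struct page p = { .flags = 0, .mapping = 0x1000 | PAGE_MAPPING_ANON };
    struct page_table_check ptc = { 0, 0 };
    enum ptc_result r = ptc_set(&p, &ptc, true, true);
    return r ? r : ptc_set(&p, &ptc, second_rw, true);
}

/* File page: any number of writable mappings, set and cleared symmetrically. */
static enum ptc_result scenario_file(void)
{
    struct page p = { .flags = 0, .mapping = 0x2000 };
    struct page_table_check ptc = { 0, 0 };
    enum ptc_result r;
    if ((r = ptc_set(&p, &ptc, true, true)) || (r = ptc_set(&p, &ptc, true, true)))
        return r;
    if ((r = ptc_clear(&p, &ptc)) || (r = ptc_clear(&p, &ptc)))
        return r;
    return PTC_OK;
}

/* Slab page reaching remap_pfn_range(): the word PageAnon() reads belongs to
 * slab, so bit 0 is arbitrary and may change between set and clear. */
static enum ptc_result scenario_slab(bool guard_slab)
{
    struct page p = { .flags = PG_SLAB_FLAG, .mapping = 0x3000 | 0x1UL };
    struct page_table_check ptc = { 0, 0 };
    enum ptc_result r = ptc_set(&p, &ptc, true, guard_slab);
    if (r)
        return r;                /* guarded: caught before any counter moves */
    p.mapping = 0x3000;          /* assumed: slab rewrote its word, bit 0 now clear */
    return ptc_clear(&p, &ptc);  /* unguarded: counted anon on set, file on clear */
}

int main(void)
{
    printf("anon, second rw map : %d\n", scenario_anon(true));
    printf("anon, second ro map : %d\n", scenario_anon(false));
    printf("file, two rw maps   : %d\n", scenario_file());
    printf("slab, no guard      : %d\n", scenario_slab(false));
    printf("slab, with guard    : %d\n", scenario_slab(true));
    return 0;
}
```

The unguarded slab scenario is the mismatch the report describes: the set path classifies the page by a bit that slab owns, the clear path sees a different value of that bit, and the counters no longer agree. The `!PageSlab(page) && PageAnon(page)` variant would silently count the slab page as a file page instead; the guarded variant stops at the set, which is the "something has gone horribly wrong" point the thread argues for.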