Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp5016950rwr; Mon, 8 May 2023 16:50:25 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6ftuAMdksY7NxGn1AvSGzW/KM4vUn1LkgkKvdT+OzugtuUpngqktStjKMinDlDvk/6qHHa X-Received: by 2002:a17:902:d4c6:b0:1ac:8ad0:1707 with SMTP id o6-20020a170902d4c600b001ac8ad01707mr3253092plg.1.1683589824835; Mon, 08 May 2023 16:50:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683589824; cv=none; d=google.com; s=arc-20160816; b=nwck0SnzX1n8YN6Te84BZYlb3C4sRDvqEOIGsuI4kOmtbg70oSH8R9w6wl4Aa/n98T M+DBLeEsAJvIBGsOOW8NfmuwXLf25sVa5+GT7L/vBoGjdr8SSnI/pOsiqTfUz5+KT5Eh GK4GT9VUUP+YfX9fBb93maYWx9tTn8ekpTlHQjJFQdnRDJJa1Py5y5xb8eF48YM/kQgf J6EwmXuHcFVLB71WXNELeX2tZVNUgzuFc2sY3x1Gaj0Uh0fL7Q1oLJK9abeu+XUCfVQh FrqodOWLc55WTOxiHLYSxsud1JHIVjoRWBPLwr19HU0ODxaZHi9TvYQOwUntu8NCnQPA xUsw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=/T/3Ju9SHl8z4dLQUIePgnInKHbkru1zT7Bm+NgMbgE=; b=XPpDZGruRespIrkCMk/kkal65lUmyafdw8YQ0vgCEDJRtvonjrmJ2mOrLoSkDMPV+Q qopnBAvU4OUyldrHwIKHaJjULqFPuVA/6lgRIV88yJj5loaMZB3H0RTwgDE9BJVZVO2Y o3dL60i3bzJJYof7t+ewvbP0lPTFqrBke1eQYT/UiDm0hflDNudFMd+JZYc4FY1dRyK/ arCbrX8cCtJGMx8QIjBd8aHo/TpC8wuy0H5Gd5mF8S0Y/mNWocyCbJPROeREE0gtERbW nm26EIP7TzM4/LV1TOcKYYHOJ1U9KF3OqRo7bKaO91LZUk8sJE5L1pxmH0WyOaGPo2t3 uzMA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@soleen.com header.s=google header.b=YjCqBe4H; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h6-20020a170902f54600b001a96b56099fsi112343plf.404.2023.05.08.16.50.10; Mon, 08 May 2023 16:50:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@soleen.com header.s=google header.b=YjCqBe4H; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233098AbjEHXS1 (ORCPT + 99 others); Mon, 8 May 2023 19:18:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44786 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230022AbjEHXS0 (ORCPT ); Mon, 8 May 2023 19:18:26 -0400 Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C42AC5FD2 for ; Mon, 8 May 2023 16:18:17 -0700 (PDT) Received: by mail-qt1-x832.google.com with SMTP id d75a77b69052e-3ef2f81a96cso54588021cf.0 for ; Mon, 08 May 2023 16:18:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=soleen.com; s=google; t=1683587896; x=1686179896; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=/T/3Ju9SHl8z4dLQUIePgnInKHbkru1zT7Bm+NgMbgE=; b=YjCqBe4H69i+u3EZfBSFGDslkoVk6ESjXBUsfo3bBJcSijKdyGbUw2rlbiF4Q2kltk KYlkUZmDfdRgdBkm2/wANH/1CdBPWyMJLePwEwQFoDTAm1UG7q3rKk2ZC60QrK6k4BoU d2E8i133QbGfRKji4irFPihLHJxCeL2NjM9J8oS/4plNfSwcfO5N/T2fTfkPEcBRs8eL LcE1LKtZTG/XZC+HMRqgifG0sPiE7hg0M/qtLpTyXdf/5gNv72NwYnjnlw8pgRmj8Y+F D3Cwc0BfCR2L9/A7farDfLgxef2rt2KAjj7bHiQeBamifpkuK665mjRwFBAHat2RI1hM qcmg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683587896; x=1686179896; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/T/3Ju9SHl8z4dLQUIePgnInKHbkru1zT7Bm+NgMbgE=; b=WKvL8jbqa8avHycO6ZVE86ru5jIIitWNbUNAMKJHFSIgXPXneAdu5YCaPHTpExMl46 1LlY9tICrsFLH5SdiugMpaS1GY+vfenvvuLKNAVSqGgsUEJDgj10FcSsrpRMN4MLCuDs Y76EvyzAXsf3ccNl6wJYbRc48ApsZHZlWHPE0X0XDoVDOwV2Hamms0E8n4ix3MpV9Dh3 MOcFZ4/vYgUR8DLWGXLrD2xVMnLSSs7Zn/d3tI4W6UaMXhrOnpxqfx/TlQ4yX0Lw+eWd rYgVvHC1PVw9i6Gk/tkaxcm1HszEIIORhvd+8d4KjCFT8dJHRqthvRMX7RfngDDgxEIr cL9w== X-Gm-Message-State: AC+VfDzNSAPEJKWha8vGhB9TUuY7elA9qjrt2li6y3mEmk0g2TpSRc6S cCzuIP8oipuYWxyqGOXiBZWFqHoGkHBpDe8Wqlga9w== X-Received: by 2002:ac8:7e84:0:b0:3f0:a336:afc4 with SMTP id w4-20020ac87e84000000b003f0a336afc4mr15610437qtj.48.1683587896414; Mon, 08 May 2023 16:18:16 -0700 (PDT) MIME-Version: 1.0 References: <000000000000258e5e05fae79fc1@google.com> <20230507135844.1231056-1-lrh2000@pku.edu.cn> In-Reply-To: From: Pasha Tatashin Date: Mon, 8 May 2023 16:17:39 -0700 Message-ID: Subject: Re: usbdev_mmap causes type confusion in page_table_check To: David Hildenbrand Cc: Matthew Wilcox , Ruihan Li , syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 8, 2023 at 3:46=E2=80=AFPM David Hildenbrand = wrote: > > On 08.05.23 23:55, Pasha Tatashin wrote: > > On Mon, May 8, 2023 at 2:52=E2=80=AFPM Matthew Wilcox wrote: > >> > >> On Mon, May 08, 2023 at 02:48:59PM -0700, Pasha Tatashin wrote: > >>> On Mon, May 8, 2023 at 2:36=E2=80=AFPM Matthew Wilcox wrote: > >>>> > >>>> On Mon, May 08, 2023 at 05:27:10PM -0400, Pasha Tatashin wrote: > >>>>>> static void page_table_check_set(struct mm_struct *mm, unsigned lo= ng addr, > >>>>>> unsigned long pfn, unsigned long= pgcnt, > >>>>>> bool rw) > >>>>>> { > >>>>>> // ... > >>>>>> anon =3D PageAnon(page); > >>>>>> for (i =3D 0; i < pgcnt; i++) { > >>>>>> // ... > >>>>>> if (anon) { > >>>>>> BUG_ON(atomic_read(&ptc->file_map_count))= ; > >>>>>> BUG_ON(atomic_inc_return(&ptc->anon_map_c= ount) > 1 && rw); > >>>>>> } else { > >>>>>> BUG_ON(atomic_read(&ptc->anon_map_count))= ; > >>>>>> BUG_ON(atomic_inc_return(&ptc->file_map_c= ount) < 0); > >>>>>> } > >>>>>> // ... > >>>>>> } > >>>>>> // ... > >>>>>> } > >>>>>> > >>>>>> This call to PageAnon is invalid for slab pages because slab reuse= s the bits > >>>>>> in struct page/folio to store its internal states, and the anonymi= ty bit only > >>>>>> exists in struct page/folio. As a result, the counters are incorre= ctly updated > >>>>>> and checked in page_table_check_set and page_table_check_clear, le= ading to the > >>>>>> bug being raised. > >>>>> > >>>>> We should change anon boolean to be: > >>>>> > >>>>> anon =3D !PageSlab(page) && PageAnon(page); > >>>> > >>>> No. Slab pages are not elegible for mapping into userspace. That's > >>> > >>> Sure, I can add BUG_ON(PageSlab(page)); to page_table_check_set. > >>> > >>>> all. There should be a BUG() for that. And I do mean BUG(), not > >>>> "return error to user". Something has gone horribly wrong, and it's > >>>> time to crash. > >>> > >>> It is just too easy to make slab available via remap_pfn_range(), b= ut > >>> I do not think we want to add BUG() into the remap function, otherwis= e > >>> we will break devices such as /dev/mem. > >> > >> Slab pages can't be mmaped. Really, no matter what interface you're > >> using. page->_mapcount is necessarily incremented by mapping to > >> userspace, and slab uses that space for its own purposes (and has > >> for decades). It's similar for page tables and other allocations that > >> use PageType. > > > > Mapping random memory in /dev/mem can cause mapping slab pages in to > > userspace, the page->_mapcount is not incremented (and other fields > > are not accessed) in that case, as we are using VM_PFNMAP type VMA, > > which does not access "struct page". > > We should be using vm_normal_page() to identify if we should be looking > at the struct page or not, no? For normal Kernel-MM operations, vm_normal_page() should be used to get "struct page" based on vma+addr+pte combination, but page_table_check does not use vma for its operation in order to strengthen the verification of no invalid page sharing. But, even vm_normal_page() can cause access to the "struct page" for VM_PFNMAP if pfn_valid(pfn) is true. So, vm_normal_page() can return a struct page for a user mapped slab page. Pasha > > -- > Thanks, > > David / dhildenb >