Message-ID: <366ab078-1101-421c-691d-34f5efe006b5@redhat.com>
Date: Tue, 9 May 2023 01:37:03 +0200
Subject: Re: usbdev_mmap causes type confusion in page_table_check
To: Pasha Tatashin
Cc: Matthew Wilcox, Ruihan Li, syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <000000000000258e5e05fae79fc1@google.com> <20230507135844.1231056-1-lrh2000@pku.edu.cn>
From: David Hildenbrand
Organization: Red Hat
X-Mailing-List: linux-kernel@vger.kernel.org

On 09.05.23 01:21, Pasha Tatashin wrote:
>> For normal Kernel-MM operations, vm_normal_page() should be used to
>> get "struct page" based on vma+addr+pte combination, but
>> page_table_check does not use vma for its operation in order to
>> strengthen the verification of no invalid page sharing. But, even

I'm not sure if that's the right approach for this case here, though.

>> vm_normal_page() can cause access to the "struct page" for VM_PFNMAP
>> if pfn_valid(pfn) is true. So, vm_normal_page() can return a struct
>> page for a user mapped slab page.
>
> Only for !ARCH_HAS_PTE_SPECIAL case, otherwise NULL is returned.

That would violate VM_PFNMAP semantics, though. I remember that there
was a trick to it.

Assuming we map /dev/mem, what stops a page we mapped and determined to
be !anon to be freed and reused, such that we suddenly have an anon page
mapped?

In that case, we really don't want to look at the "struct page" ever, no?

-- 
Thanks,

David / dhildenb
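
The vm_normal_page() behaviour debated in this thread, as a simplified user-space model added here (not code from the thread or from the kernel tree): it shows when a pte in a VM_PFNMAP vma is handed back as a "struct page" with and without ARCH_HAS_PTE_SPECIAL. The struct, flag values and function names are constructed for the example; it models only the VM_PFNMAP branch and ignores VM_MIXEDMAP, the zero page and find_special_page.

```c
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT  12
#define VM_SHARED   0x1u   /* constructed flag values, this model only */
#define VM_MAYWRITE 0x2u
#define VM_PFNMAP   0x4u

struct model_vma {            /* hypothetical stand-in for vm_area_struct */
    unsigned long vm_start;   /* first user address of the mapping */
    unsigned long vm_pgoff;   /* after remap_pfn_range(): first mapped pfn */
    unsigned int  vm_flags;
};

/* Private mapping that may become writable, so COW can replace pages. */
static bool model_is_cow(unsigned int flags)
{
    return (flags & (VM_SHARED | VM_MAYWRITE)) == VM_MAYWRITE;
}

/* true: caller gets a "struct page"; false: pte is a raw pfn, hands off. */
bool model_pte_has_normal_page(bool arch_has_pte_special, bool pte_special,
                               const struct model_vma *vma,
                               unsigned long addr, unsigned long pfn)
{
    if (arch_has_pte_special)
        return !pte_special;      /* the pte bit alone decides */

    if (vma->vm_flags & VM_PFNMAP) {
        unsigned long off = (addr - vma->vm_start) >> PAGE_SHIFT;

        if (pfn == vma->vm_pgoff + off)
            return false;         /* still the linear pfn mapping */
        if (!model_is_cow(vma->vm_flags))
            return false;         /* shared or read-only: never normal */
    }
    return true;                  /* e.g. a COWed page inside a PFNMAP vma */
}

int main(void)
{
    struct model_vma v = { 0x10000000UL, 0x8000UL, VM_PFNMAP | VM_MAYWRITE };
    unsigned long addr = v.vm_start + (2UL << PAGE_SHIFT);

    printf("linear pfn, no pte_special: %d\n",
           model_pte_has_normal_page(false, false, &v, addr, 0x8002UL));
    printf("COWed pfn,  no pte_special: %d\n",
           model_pte_has_normal_page(false, false, &v, addr, 0x9999UL));
    return 0;
}
```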