Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp5064594rwr; Mon, 8 May 2023 17:44:01 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5uYJbZhk/vWQSLzS32B1qI5Cbe3Y2+m9FnTAvXQYKsMcrNWg4Xccfgcqg987/pl2KApDTq X-Received: by 2002:a05:6a21:920d:b0:eb:69b3:116c with SMTP id tl13-20020a056a21920d00b000eb69b3116cmr14356044pzb.52.1683593041332; Mon, 08 May 2023 17:44:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683593041; cv=none; d=google.com; s=arc-20160816; b=WVHYEhP3CoaEYs6ro93vq3hN9znbR/av+rK1aDTkkMd/iwBbV9/RB+SDbznQgZLkpt YtbTai9qXQmi9USmkZgmjfeV88IBhAcrUvpqIGucTBZd10pQHJp6nM//nJiICiTTTYxO NMNyNJX2M4Y2uJfuPZk/WTx3R+sVOahLIMgzJn+hcEQSBqOtj/jeKdq/vWa0pc8lgJAv GfBm0AMw+y/wNzCjuGHRwwfjTeNFeukI/DE/qCDjh3kUgB5gYbNb73YyH+v301BasgOu /WfxVItWvpnIdbKFZ+yp9ZhWtntDT/Rz3jirvNcX/EicAQwVxOgI04a7fATGTBKphSw3 jmTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=kmbOgrH0rb5ijhbY2Wor2EVPZmT7RKPzPHW01oN7clM=; b=C5KDm4q5gEZaA4CaO6VfsLGZvYCSLpNoWc0FrRYUOGpDKYoSP4lqJlSx86Abays9fD ix8gSvDPQ0TTNAx8iE2J9OQRIW5DxsBby8+KLis52HuM3gDp+qoEHG2BjSaTOmfTDKVK wbySZwh8rKA84ZLzpCUW1I8XME1mCbNTXhcAJDCQ5vjf4Q7Gvw4OVedcJbGG82r1brGo HTI4PU0hYMMz3VpKNzZ5H57ovkdjXyMU8kuIA+4CP1fqz4/Jd1NSoxVysQV9LxTwFHC4 Xz/HDI6WJe4d4xiSrYd5x1E4znhlW/7m8rhtytgT7E6Jl2wIDCpIIqGitMGcxcUQ5IeB 2GJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@soleen.com header.s=google header.b=oel6LShh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b5-20020a62cf05000000b0063a149e3c85si1030311pfg.401.2023.05.08.17.43.48; Mon, 08 May 2023 17:44:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@soleen.com header.s=google header.b=oel6LShh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234039AbjEIAII (ORCPT + 99 others); Mon, 8 May 2023 20:08:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35560 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234025AbjEIAIE (ORCPT ); Mon, 8 May 2023 20:08:04 -0400 Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ED52049DE for ; Mon, 8 May 2023 17:08:03 -0700 (PDT) Received: by mail-qt1-x833.google.com with SMTP id d75a77b69052e-3ef33f12995so28935241cf.3 for ; Mon, 08 May 2023 17:08:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=soleen.com; s=google; t=1683590883; x=1686182883; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=kmbOgrH0rb5ijhbY2Wor2EVPZmT7RKPzPHW01oN7clM=; b=oel6LShhm/iI4Dhey/P2K7T9x4C89z7w74vBuLx6LwncjE6lK1uEj8Ofp7ahI/wflO W/rKYfZXgLLXIaXp8uNKfutQ2+UcEqWMGoetRxx2uexEZgHE3Cwy9wVRaBHrlq9ILcRJ ZS77AQfGPL7erDtAPnV8y7mTbnNjbTgmqGTjIlLRgThpCo3Y46OnarNGKBwUx5/5QNqW yu4bcqFX+pMIzb2klyqZ5YIJXEkW1Tu9dYix+tQzf+ATV7Gv+y8XsOK1zw0SwF1bZMMA zzYpFoveqTlVX5vbqYnQl5UnRjTsjwXAoBKRi4d07/CJTZHqfafREiXVD3htxvCC6MYR TF0w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683590883; x=1686182883; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kmbOgrH0rb5ijhbY2Wor2EVPZmT7RKPzPHW01oN7clM=; b=Hjwp3nNWLkj0zavjpEBdb4f///9N74lLISVMEO4Z+NGjGpaR6/usY5rev2vjfMpw7B fd/meh0r8zQ78DlFWyZUBHP8USdgzo8HveD78hY2LtENFtB5ivlPDWgheuTZONkrEyKD 1HmUOOr7kNVj1PyCBd5H6uVpeuF+HKhRsRhHD/JwRRQuDEXzNTyhAQ39YAh21IF7nHSw nAeZirStoiUHeaAJ8ZvSa28n0BWdgERHrDadg+fuHEAIaQoiPA0CtyZotSt0suzTpXlk of2pdFnydkzbGGnc4jvwXG3nkpC9vL5DtXzZ46dMHFo378sf9axFTjQ/S4HrgNr9ubuv xINQ== X-Gm-Message-State: AC+VfDyg5Grb5PXZUVG2+ys13DZqd5S62rCrWMGkLaTWigVcEVqyGqT5 MNKTHJqPlc3SK6/6PEVLrdaWwZcotcBHIjtNO/AgEQ== X-Received: by 2002:a05:622a:1c7:b0:3f3:82c2:cffe with SMTP id t7-20020a05622a01c700b003f382c2cffemr13152140qtw.17.1683590883147; Mon, 08 May 2023 17:08:03 -0700 (PDT) MIME-Version: 1.0 References: <000000000000258e5e05fae79fc1@google.com> <20230507135844.1231056-1-lrh2000@pku.edu.cn> <366ab078-1101-421c-691d-34f5efe006b5@redhat.com> In-Reply-To: <366ab078-1101-421c-691d-34f5efe006b5@redhat.com> From: Pasha Tatashin Date: Mon, 8 May 2023 17:07:26 -0700 Message-ID: Subject: Re: usbdev_mmap causes type confusion in page_table_check To: David Hildenbrand Cc: Matthew Wilcox , Ruihan Li , syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 8, 2023 at 4:37=E2=80=AFPM David Hildenbrand = wrote: > > On 09.05.23 01:21, Pasha Tatashin wrote: > >> For normal Kernel-MM operations, vm_normal_page() should be used to > >> get "struct page" based on vma+addr+pte combination, but > >> page_table_check does not use vma for its operation in order to > >> strengthen the verification of no invalid page sharing. But, even > > I'm not sure if that's the right approach for this case here, though. > > >> vm_normal_page() can cause access to the "struct page" for VM_PFNMAP > >> if pfn_valid(pfn) is true. So, vm_normal_page() can return a struct > >> page for a user mapped slab page. > > > > Only for !ARCH_HAS_PTE_SPECIAL case, otherwise NULL is returned. > > That would violate VM_PFNMAP semantics, though. I remember that there > was a trick to it. > > Assuming we map /dev/mem, what stops a page we mapped and determined to > be !anon to be freed and reused, such that we suddenly have an anon page > mappped? > > In that case, we really don't want to look at the "struct page" ever, no? Good point. page_table_check just does not work well /dev/mem. I am thinking of adding BUG_ON(PageSlab(page); and also "depends on !DEVMEM" for the PAGE_TABLE_CHECK config option. Pasha