From: Pasha Tatashin
Date: Mon, 15 May 2023 12:28:54 -0400
Subject: Re: [PATCH v2 4/4] mm: page_table_check: Ensure user pages are not slab pages
To: Ruihan Li
Cc: linux-mm@kvack.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, David Hildenbrand, Matthew Wilcox, Andrew Morton, Christoph Hellwig, Alan Stern, Greg Kroah-Hartman, syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, stable@vger.kernel.org
In-Reply-To: <20230515130958.32471-5-lrh2000@pku.edu.cn>
References: <20230515130958.32471-1-lrh2000@pku.edu.cn> <20230515130958.32471-5-lrh2000@pku.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 15, 2023 at 9:10 AM Ruihan Li wrote:
>
> The current uses of PageAnon in page table check functions can lead to
> type confusion bugs between struct page and slab [1], if slab pages are
> accidentally mapped into the user space. This is because slab reuses the
> bits in struct page to store its internal states, which renders PageAnon
> ineffective on slab pages.
>
> Since slab pages are not expected to be mapped into the user space, this
> patch adds BUG_ON(PageSlab(page)) checks to make sure that slab pages
> are not inadvertently mapped. Otherwise, there must be some bugs in the
> kernel.
>
> Reported-by: syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/lkml/000000000000258e5e05fae79fc1@google.com/ [1]
> Fixes: df4e817b7108 ("mm: page table check")
> Cc: # 5.17
> Signed-off-by: Ruihan Li

Acked-by: Pasha Tatashin

I would also update order in mm/memory.c

static int validate_page_before_insert(struct page *page)
{
	if (PageAnon(page) || PageSlab(page) || page_has_type(page))

It is not strictly a bug there, as it works by accident, but PageSlab()
should go before PageAnon(), because without checking if this is
PageSlab() we should not be testing for PageAnon().

Thank you,
Pasha
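The following C program is an added illustration of the ordering argument made in this thread; it is not part of the patch, the reply, or the kernel. It models a struct page in which slab bookkeeping overlaps the ->mapping word (the exact overlapping field, the PG_SLAB bit position, the odd "slab_state" values and the per-page anon/file counters are all assumptions of the model, chosen to mirror page_table_check's map counting in spirit). It shows that PageAnon() read on a slab page yields whatever slab happens to have stored there, that this can leave the accounting inconsistent between map and unmap, and that testing PageSlab() before PageAnon() removes the confusion, both for the page_table_check path and for validate_page_before_insert().

```c
/*
 * Constructed model of the PageAnon()/PageSlab() type confusion discussed in
 * the thread. NOT Linux code: struct layout, flag bits and counters are
 * simplified stand-ins (assumptions) for struct page, PG_slab,
 * PAGE_MAPPING_ANON and page_table_check's per-page map counters.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define PG_SLAB           (1UL << 0)   /* model of the PG_slab page flag (assumed bit) */
#define PAGE_MAPPING_ANON 1UL          /* low bit of ->mapping marks an anon page */

struct model_page {
	unsigned long flags;
	union {
		unsigned long mapping;    /* non-slab pages: address_space pointer | PAGE_MAPPING_ANON */
		unsigned long slab_state; /* slab pages: allocator bookkeeping reuses this word (assumed layout) */
	};
};

/* Per-page accounting in the spirit of page_table_check (modeled, not the kernel's). */
struct map_counts {
	int anon_map_count;
	int file_map_count;
};

static bool page_slab(const struct model_page *p)
{
	return (p->flags & PG_SLAB) != 0;
}

/* PageAnon() only has meaning if the word really is ->mapping. */
static bool page_anon(const struct model_page *p)
{
	return (p->mapping & PAGE_MAPPING_ANON) != 0;
}

/* Pre-patch behaviour: classify by PageAnon() without ruling out slab first. */
static void ptc_set_unchecked(struct map_counts *c, const struct model_page *p)
{
	if (page_anon(p))
		c->anon_map_count++;
	else
		c->file_map_count++;
}

static void ptc_clear_unchecked(struct map_counts *c, const struct model_page *p)
{
	if (page_anon(p))
		c->anon_map_count--;
	else
		c->file_map_count--;
}

/* Patched behaviour: a slab page must never reach the anon/file decision.
 * Returns -EINVAL where the kernel patch would BUG_ON(PageSlab(page)). */
static int ptc_set_checked(struct map_counts *c, const struct model_page *p)
{
	if (page_slab(p))
		return -EINVAL;
	ptc_set_unchecked(c, p);
	return 0;
}

/* validate_page_before_insert() with the order suggested in the reply:
 * PageSlab() first, so PageAnon() is only evaluated on a real ->mapping.
 * (page_has_type() is left out of this model.) */
static int validate_page_before_insert_ordered(const struct model_page *p)
{
	if (page_slab(p) || page_anon(p))
		return -EINVAL;
	return 0;
}

/* Scenario: map a slab page, let the allocator touch its bookkeeping word,
 * then unmap. Returns the resulting file_map_count (negative = corrupted). */
static int slab_page_roundtrip_unchecked(void)
{
	struct map_counts c = { 0, 0 };
	struct model_page slab = { .flags = PG_SLAB, .slab_state = 0x7f1UL }; /* constructed odd value */

	ptc_set_unchecked(&c, &slab);   /* low bit set: misread as anon */
	slab.slab_state = 0x7f0UL;      /* slab keeps using the word; low bit now clear */
	ptc_clear_unchecked(&c, &slab); /* misread as file: file_map_count underflows */
	return c.file_map_count;
}

/* Same scenario through the checked path: the slab page is rejected at map time. */
static int slab_page_roundtrip_checked(void)
{
	struct map_counts c = { 0, 0 };
	struct model_page slab = { .flags = PG_SLAB, .slab_state = 0x7f1UL };

	return ptc_set_checked(&c, &slab);
}

int main(void)
{
	printf("unchecked: file_map_count after slab round trip = %d\n",
	       slab_page_roundtrip_unchecked());
	printf("checked:   mapping a slab page returns %d (-EINVAL)\n",
	       slab_page_roundtrip_checked());
	return 0;
}
```

The unchecked round trip ends with file_map_count at -1 even though no file page was ever mapped, which is the kind of inconsistent state a page_table_check BUG would later flag; the checked path refuses the slab page before PageAnon() is ever consulted, which is the invariant the patch enforces.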