Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp622963rwd; Tue, 16 May 2023 05:57:26 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5XRYxf9/zlY2XY3B+iEEpDvgeeEKDslxxFKnFRGJxbm6GMrYt/ovKH1lFes+VgIXFviF2e X-Received: by 2002:a05:6a20:160a:b0:103:558c:513 with SMTP id l10-20020a056a20160a00b00103558c0513mr27621076pzj.57.1684241846160; Tue, 16 May 2023 05:57:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684241846; cv=none; d=google.com; s=arc-20160816; b=VnoRE0gp5Axk/rLrLJf4JRiDNSRiEYnZNcC5uS2ZHRjmNnGJLCn/Qa8tGZVfx+UWs3 SW4JWbVqpHOkQjKHXyy8ioidEDaR4RjcYpo+aSmwv4xylK7MGO83V/2kous3RJ/Hs0Ye Kj5O3Qqby1kHKXZ4jMkPhWHGA57xdDKhciZpBP4Tt6vMqZkTzTrbuk+tojl8bOVlaIuT 11zGSR4Rk+Tq8QgVXVjlKscLVWDfarAdqWfEvDpQMpWOMGBuPFwfQuiJdtyINMbqI+Ze 7ddgyqxrR/+HDknTfZsOQPjFaDdEiAI9dB6ZI6KvKZg2s/3BXesSgUiQAuNgV1RjCAkE xcXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :organization:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:dkim-signature; bh=z1qCVHKGyMmBkvSwj8jD8xadePPBV5y07Cbb6BpzJk0=; b=M0x6fkeQOHK0aVIZl9MByZEvnHvU4t5iDCMScNrIncLN4PX0VsmoqV3AxBhBncEVNv RAqwVOWHyuV7sIgYG99FvaqTZt5sHge8aB5TAbMyoXUhQ9pOFJjzb/zi9Dnkuy373i2k TQme+WIkC6gRC7wkodsITkKGbTCtLh7rDwUSHYwM+4cCa0Xql888IM47Vgs9fT0YD5lb DiBObpsleBWKicDvF+yAJZlrGguXC77RlWC+zDKzie4x3NQDz0Ii5VsntAZFDdRhbtYQ y7AqblYU2tF2XbqpWWfugLyn1CdD0Erdj5Tx+r3L0KbsNzdXwFm3lrhsIgZA16fWa9dX nsKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Zgwm51tO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q4-20020a638c44000000b0050e60e36393si17880154pgn.776.2023.05.16.05.57.13; Tue, 16 May 2023 05:57:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Zgwm51tO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233273AbjEPMzW (ORCPT + 99 others); Tue, 16 May 2023 08:55:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35940 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233282AbjEPMzJ (ORCPT ); Tue, 16 May 2023 08:55:09 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D9D5710E9 for ; Tue, 16 May 2023 05:54:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1684241649; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=z1qCVHKGyMmBkvSwj8jD8xadePPBV5y07Cbb6BpzJk0=; b=Zgwm51tOF6qF5R+L7vYQrrmPDCPvxlhgrTSgAssf6ss2DSDANa6855eACrWq2kUWPtYHV0 HOrsdjBtOaGXNSj48IjbHVqPCUWiSC1wJ00q3ei9qF9fXnUJAHwjGpRED3lKH/6s86V4fa FP1+M+s8/oHX5TyC2NwcrSm9Bau4+aQ= Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com [209.85.128.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-490-RW7tYTAkNYWZfoHTgdVyfA-1; Tue, 16 May 2023 08:54:07 -0400 X-MC-Unique: RW7tYTAkNYWZfoHTgdVyfA-1 Received: by mail-wm1-f69.google.com with SMTP id 5b1f17b1804b1-3f433a2308bso19053715e9.0 for ; Tue, 16 May 2023 05:54:07 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684241647; x=1686833647; h=content-transfer-encoding:in-reply-to:organization:from:references :cc:to:content-language:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=z1qCVHKGyMmBkvSwj8jD8xadePPBV5y07Cbb6BpzJk0=; b=LAMU9HSCTIdz6BDVwPvkZE6pF7q88m8qQDWrtoTcGNK/45erYTBCuD2zgGkuvjUYtj nJ1jd5pL7VU8WXFks8gUKf+9TfzKh5uV/yJyPp/8kBzou3+rPRObUZhncsxieHOMuANi /jKRsjKhY51SCM/D2y1rDBkcxKiaksWsIiRIZIUtu4FBXSApUKK1vzWjEqq+WzpeFtdN QP9ucSxQudZfX/MZqHuzuoOb3T5Ij9SR0WGXnCevxH+w2+WcZcSXAt1PPrjArST28ltm hCILSKYncKpHHk0BMfmdLSLJIFuB8EEKEi9lonQsRaat4mBBspPuGdfZnefLMTYQJKUC 4i3g== X-Gm-Message-State: AC+VfDyCLOx2L3Alo49eR10pZN+1noZKIzQtkoSFSMycAPIFme/aAgZ5 JGZzSZRUuzSXRsPxqn8ShGFbB1guQbaJElHUZFzcnJblUqFqbojTZVEtzZGHGIQ+LvGfrPrrh46 Ikgw/aMlC6gg5eVoIDKvOaUrO/Me7LiAL X-Received: by 2002:adf:feca:0:b0:2fb:92c7:b169 with SMTP id q10-20020adffeca000000b002fb92c7b169mr29878253wrs.10.1684241646773; Tue, 16 May 2023 05:54:06 -0700 (PDT) X-Received: by 2002:adf:feca:0:b0:2fb:92c7:b169 with SMTP id q10-20020adffeca000000b002fb92c7b169mr29878230wrs.10.1684241646425; Tue, 16 May 2023 05:54:06 -0700 (PDT) Received: from ?IPV6:2003:cb:c74f:2500:1e3a:9ee0:5180:cc13? (p200300cbc74f25001e3a9ee05180cc13.dip0.t-ipconnect.de. [2003:cb:c74f:2500:1e3a:9ee0:5180:cc13]) by smtp.gmail.com with ESMTPSA id w12-20020a05600c474c00b003f07ef4e3e0sm34062325wmo.0.2023.05.16.05.54.05 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 16 May 2023 05:54:06 -0700 (PDT) Message-ID: Date: Tue, 16 May 2023 14:54:04 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0 Subject: Re: [PATCH v2 4/4] mm: page_table_check: Ensure user pages are not slab pages Content-Language: en-US To: Ruihan Li , Pasha Tatashin Cc: linux-mm@kvack.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Matthew Wilcox , Andrew Morton , Christoph Hellwig , Alan Stern , Greg Kroah-Hartman , syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, stable@vger.kernel.org References: <20230515130958.32471-1-lrh2000@pku.edu.cn> <20230515130958.32471-5-lrh2000@pku.edu.cn> From: David Hildenbrand Organization: Red Hat In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 16.05.23 13:51, Ruihan Li wrote: > On Mon, May 15, 2023 at 12:28:54PM -0400, Pasha Tatashin wrote: >> >> On Mon, May 15, 2023 at 9:10 AM Ruihan Li wrote: >>> >>> The current uses of PageAnon in page table check functions can lead to >>> type confusion bugs between struct page and slab [1], if slab pages are >>> accidentally mapped into the user space. This is because slab reuses the >>> bits in struct page to store its internal states, which renders PageAnon >>> ineffective on slab pages. >>> >>> Since slab pages are not expected to be mapped into the user space, this >>> patch adds BUG_ON(PageSlab(page)) checks to make sure that slab pages >>> are not inadvertently mapped. Otherwise, there must be some bugs in the >>> kernel. >>> >>> Reported-by: syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com >>> Closes: https://lore.kernel.org/lkml/000000000000258e5e05fae79fc1@google.com/ [1] >>> Fixes: df4e817b7108 ("mm: page table check") >>> Cc: # 5.17 >>> Signed-off-by: Ruihan Li >> >> Acked-by: Pasha Tatashin >> >> I would also update order in mm/memory.c >> static int validate_page_before_insert(struct page *page) >> { >> if (PageAnon(page) || PageSlab(page) || page_has_type(page)) >> >> It is not strictly a bug there, as it works by accident, but >> PageSlab() should go before PageAnon(), because without checking if >> this is PageSlab() we should not be testing for PageAnon(). > > Right. Perhaps it would be better to send another patch for this > separately. Probably not really worth it IMHO. With PageSlab() we might have PageAnon() false-positives. Either will take the same path here ... On a related note, stable_page_flags() checks PageKsm()/PageAnon() without caring about PageSlab(). At least it's just a debugging interface and will indicate KPF_SLAB in any case as well ... -- Thanks, David / dhildenb