From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D4FDC77B75 for ; Mon, 15 May 2023 13:10:23 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 570F1900002; Mon, 15 May 2023 09:10:19 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 45BD190000B; Mon, 15 May 2023 09:10:19 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2AEE8900002; Mon, 15 May 2023 09:10:19 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id 1617C90000B for ; Mon, 15 May 2023 09:10:19 -0400 (EDT) Received: from smtpin20.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id D76E180BAA for ; Mon, 15 May 2023 13:10:18 +0000 (UTC) X-FDA: 80792522916.20.805DB0B Received: from zg8tndyumtaxlji0oc4xnzya.icoremail.net (zg8tndyumtaxlji0oc4xnzya.icoremail.net [46.101.248.176]) by imf10.hostedemail.com (Postfix) with ESMTP id BEA92C0004 for ; Mon, 15 May 2023 13:10:13 +0000 (UTC) Authentication-Results: imf10.hostedemail.com; dkim=pass header.d=pku.edu.cn header.s=dkim header.b=ox9S7sNS; spf=pass (imf10.hostedemail.com: domain of lrh2000@pku.edu.cn designates 46.101.248.176 as permitted sender) smtp.mailfrom=lrh2000@pku.edu.cn; dmarc=pass (policy=none) header.from=pku.edu.cn ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1684156216; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=L+SQ0nmfGSPRi8glqTzv3fHgUPypuBnrsBZKLf4on5Y=; b=pQ4aONH6x/BZNVeO9ZGwtGdOoOND5PV5pOsXGmF/LkYLPCVhYXI/omr4QzXMY+b1EGx77/ 6/su/Wqa/2zxloG+Dp5vkjt5IKkhMPi72Atre4LaChoj7nUrKpNoZz2lR51GZz/SLInKeC Y0DH2cqYb4qyv0KBFCUv19Rx6IPY1As= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1684156216; a=rsa-sha256; cv=none; b=mXhCo3Yvf7fq9gSwp//QZqs6NfWBr8W3G75Ugo9MayikJW21e6lrMx24RUSi1CTCwYCg7r hLFOfBUFRCuSLs5gyde7D+PQRU9QFvZiNySpiMeoW1d2pw6kOiSLQdUH8TMJUP7kSwgThC UlvF36DYHw9GNvQ5P37brfr0OiGO0ak= ARC-Authentication-Results: i=1; imf10.hostedemail.com; dkim=pass header.d=pku.edu.cn header.s=dkim header.b=ox9S7sNS; spf=pass (imf10.hostedemail.com: domain of lrh2000@pku.edu.cn designates 46.101.248.176 as permitted sender) smtp.mailfrom=lrh2000@pku.edu.cn; dmarc=pass (policy=none) header.from=pku.edu.cn DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pku.edu.cn; s=dkim; h=Received:From:To:Cc:Subject:Date: Message-Id:In-Reply-To:References:MIME-Version: Content-Transfer-Encoding; bh=L+SQ0nmfGSPRi8glqTzv3fHgUPypuBnrsB ZKLf4on5Y=; b=ox9S7sNSOR+qIM/NofYQxW7bDUidbSTXFsfF5W//szZbyOtCdS Zx5RZyiJbOaHg5CnaOa7fFpoekGi458S3qVhX4jk9l9h2KWAPGvkA57DX64e6HkD QZsoMnu23gTA4M6u1BC6GpPdd7iAD65zNx3q2817kRszYNDYcsmlLlyt4= Received: from localhost.localdomain (unknown [10.7.98.243]) by front02 (Coremail) with SMTP id 54FpogAnLDgqL2JkVboyFA--.10053S6; Mon, 15 May 2023 21:10:08 +0800 (CST) From: Ruihan Li To: linux-mm@kvack.org, linux-usb@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Pasha Tatashin , David Hildenbrand , Matthew Wilcox , Andrew Morton , Christoph Hellwig , Alan Stern , Greg Kroah-Hartman , Ruihan Li , syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, stable@vger.kernel.org Subject: [PATCH v2 4/4] mm: page_table_check: Ensure user pages are not slab pages Date: Mon, 15 May 2023 21:09:58 +0800 Message-Id: <20230515130958.32471-5-lrh2000@pku.edu.cn> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230515130958.32471-1-lrh2000@pku.edu.cn> References: <20230515130958.32471-1-lrh2000@pku.edu.cn> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CM-TRANSID:54FpogAnLDgqL2JkVboyFA--.10053S6 X-Coremail-Antispam: 1UD129KBjvJXoWxurWrCw4UAFyDWF48ZrW3Awb_yoW5Wr4Dpa 95u3W0krW5Ka4akw1kZ3ZayryrJFZ8G3yUCry7J3Wjv3ZxtFy0vF1jkr9ay3s8KrW7CFy5 AFZ8tr1j9rWDZ3DanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUBa1xkIjI8I6I8E6xAIw20EY4v20xvaj40_Wr0E3s1l1IIY67AE w4v_Jr0_Jr4l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2 IY67AKxVWDJVCq3wA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxVW8Jr0_Cr1UM28EF7xvwVC2 z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I0E14v26rxl6s0DM2vYz4IE04k24V AvwVAKI4IrM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40Ex7xf McIj6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x0Yz7 v_Jr0_Gr1lF7xvr2IYc2Ij64vIr41lF7I21c0EjII2zVCS5cI20VAGYxC7M4IIrI8v6xkF 7I0E8cxan2IY04v7MxkIecxEwVCm-wCF04k20xvY0x0EwIxGrwCF04k20xvE74AGY7Cv6c x26w4UJr1UMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2Iq xVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUtVW8ZwCIc40Y0x0EwIxGrwCI42 IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVWxJVW8Jr1lIxAI cVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2js IEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUQZ23UUUUU= X-CM-SenderInfo: yssqiiarrvmko6sn3hxhgxhubq/1tbiAgEMBVPy77495wAAsg X-Stat-Signature: ftjcp1xwmq4eq8q18a4kbwzfuhgfb3f6 X-Rspamd-Server: rspam03 X-Rspam-User: X-Rspamd-Queue-Id: BEA92C0004 X-HE-Tag: 1684156213-144116 X-HE-Meta: U2FsdGVkX1+ryafYAS0cpWVA0GK0AlRfEDrFIK+qkE3EwktYb4lUAAndoM9QlnZ6umUYGwkNyYcr09nfY4lNhPmLfCalzb3nL/ak4XGryUjxoLDqzfqSKDyeLige/aPEpyCkvQm5YgKIofTf759liNxHtRQkHDPTKsLodsARf9+uxB6m/yh8c+RvaoTWXN9T6mH932HZLgt54riM4v9FsGu5G9Bd7sqjXoMOC/+RJqEzaREEZypirtiNGIHYWnhzZLi/MQZFp8Wwe0+jA+U5oTUelDXHN+medZXXENpaivl7qByvJfUat4ul+WUw+mmKNhgfHx2EqRaYbTKONyIuAqxRb16nGVkaU7Zylwh9Avb+puc/p9zkjV+DTgbO+ad5JH5ZD+QmbkgP6igjtIK1VI5c7PzOiOvp+DV+PYVjzLBotSX37Jn3khYRAY773rmT+qXVDPI64gtWlzB/m0FIYt+3v2cZz8tBFTWLVscIWKlktlgP6Tj4FEE1krTnO+08MWW9TuEz4HbEJwZ/BDQPo3tf9H12a6EQXbTbya0wm7NArgPqcbn4X5nu/FiFEgkabisMqnGlj7HX1UWa4TfrJYq4hW53cUe/+lwZbIIvbezDkLR6cJbqAtpGUzzhfLAPZ163Sm/4Nf2TOgZEbw9nPJ9oFCScQOzR0uScI94Abp+qI0XWPafV2Z/qQbo/GvHsgP1N/2eeiTfBXdS0h0BlhAKfNOUSfrQ31sXkYBIk8jaqKvEKF2XnRqBA1yhk2SqWhMC89N9FcgDocKAPVdG/v4bxYgz/3w5jgPboEOa65kSBj1Fh4c025DzJSMlcu6zlfNd7LtJ6gFgp1xwQyjPmmO0daO7YEDLK++oqrG+NqpWB7Z6n2GqkJmhF1KTWG/DJ81OvDq6EOzNXSkql29lJhQTcVoa+Cwv/OhG6MW0WMvIn8ZV4pWPHxkzvpUplk1bKBG3WlAq4rYI8trJJ0rT UX6cBEMl d8+Hia43dMPcwuq7+i2xLlZbdeRXl6FCwJwH4ut314GyY2eqqMIBMHzuvmaBSBz5Kte+qKfg6vMX02J52e6XzRCNklBBQTgPJCsJvsAmZ0mHc3b9WdCCtvaFKCWG1Ye+rFxXO6JRF0XJxkUD1KnCcwGEo9Z04Ny82QRwz/8FXVKPc0aWdABVmNfP/LBA1ZG254GmB9ok4c9DurmYewGuZZdMVmeA4MEjlg2Aru68JjRWYMTh4b+E20IVbuNjgn7ryiwWvxljnVKoSZIj/Z+7hcHAC3lXKe7cmqjLcZxdO1/22K8+6SSTWmhzsW/qY7flh9K86kbRQVsvYa3KrrBpXWN2gWZuXgLDporu5Eq7gq9c2RZQ1n88fg5J/t4lrGToKnXJEmZhnnESX2hkL3K4F0fROsxPyoZhBiym2 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: The current uses of PageAnon in page table check functions can lead to type confusion bugs between struct page and slab [1], if slab pages are accidentally mapped into the user space. This is because slab reuses the bits in struct page to store its internal states, which renders PageAnon ineffective on slab pages. Since slab pages are not expected to be mapped into the user space, this patch adds BUG_ON(PageSlab(page)) checks to make sure that slab pages are not inadvertently mapped. Otherwise, there must be some bugs in the kernel. Reported-by: syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/000000000000258e5e05fae79fc1@google.com/ [1] Fixes: df4e817b7108 ("mm: page table check") Cc: # 5.17 Signed-off-by: Ruihan Li --- include/linux/page-flags.h | 6 ++++++ mm/page_table_check.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h index 1c68d67b8..92a2063a0 100644 --- a/include/linux/page-flags.h +++ b/include/linux/page-flags.h @@ -617,6 +617,12 @@ PAGEFLAG_FALSE(VmemmapSelfHosted, vmemmap_self_hosted) * Please note that, confusingly, "page_mapping" refers to the inode * address_space which maps the page from disk; whereas "page_mapped" * refers to user virtual address space into which the page is mapped. + * + * For slab pages, since slab reuses the bits in struct page to store its + * internal states, the page->mapping does not exist as such, nor do these + * flags below. So in order to avoid testing non-existent bits, please + * make sure that PageSlab(page) actually evaluates to false before calling + * the following functions (e.g., PageAnon). See mm/slab.h. */ #define PAGE_MAPPING_ANON 0x1 #define PAGE_MAPPING_MOVABLE 0x2 diff --git a/mm/page_table_check.c b/mm/page_table_check.c index 25d8610c0..f2baf97d5 100644 --- a/mm/page_table_check.c +++ b/mm/page_table_check.c @@ -71,6 +71,8 @@ static void page_table_check_clear(struct mm_struct *mm, unsigned long addr, page = pfn_to_page(pfn); page_ext = page_ext_get(page); + + BUG_ON(PageSlab(page)); anon = PageAnon(page); for (i = 0; i < pgcnt; i++) { @@ -107,6 +109,8 @@ static void page_table_check_set(struct mm_struct *mm, unsigned long addr, page = pfn_to_page(pfn); page_ext = page_ext_get(page); + + BUG_ON(PageSlab(page)); anon = PageAnon(page); for (i = 0; i < pgcnt; i++) { @@ -133,6 +137,8 @@ void __page_table_check_zero(struct page *page, unsigned int order) struct page_ext *page_ext; unsigned long i; + BUG_ON(PageSlab(page)); + page_ext = page_ext_get(page); BUG_ON(!page_ext); for (i = 0; i < (1ul << order); i++) { -- 2.40.1