From: Pasha Tatashin
Date: Mon, 8 May 2023 16:17:39 -0700
Subject: Re: usbdev_mmap causes type confusion in page_table_check
To: David Hildenbrand
Cc: Matthew Wilcox, Ruihan Li, syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <000000000000258e5e05fae79fc1@google.com> <20230507135844.1231056-1-lrh2000@pku.edu.cn>
On Mon, May 8, 2023 at 3:46 PM David Hildenbrand wrote:
>
> On 08.05.23 23:55, Pasha Tatashin wrote:
> > On Mon, May 8, 2023 at 2:52 PM Matthew Wilcox wrote:
> >>
> >> On Mon, May 08, 2023 at 02:48:59PM -0700, Pasha Tatashin wrote:
> >>> On Mon, May 8, 2023 at 2:36 PM Matthew Wilcox wrote:
> >>>>
> >>>> On Mon, May 08, 2023 at 05:27:10PM -0400, Pasha Tatashin wrote:
> >>>>>> static void page_table_check_set(struct mm_struct *mm, unsigned long addr,
> >>>>>>                                  unsigned long pfn, unsigned long pgcnt,
> >>>>>>                                  bool rw)
> >>>>>> {
> >>>>>>         // ...
> >>>>>>         anon = PageAnon(page);
> >>>>>>         for (i = 0; i < pgcnt; i++) {
> >>>>>>                 // ...
> >>>>>>                 if (anon) {
> >>>>>>                         BUG_ON(atomic_read(&ptc->file_map_count));
> >>>>>>                         BUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);
> >>>>>>                 } else {
> >>>>>>                         BUG_ON(atomic_read(&ptc->anon_map_count));
> >>>>>>                         BUG_ON(atomic_inc_return(&ptc->file_map_count) < 0);
> >>>>>>                 }
> >>>>>>                 // ...
> >>>>>>         }
> >>>>>>         // ...
> >>>>>> }
> >>>>>>
> >>>>>> This call to PageAnon is invalid for slab pages because slab reuses the bits
> >>>>>> in struct page/folio to store its internal states, and the anonymity bit only
> >>>>>> exists in struct page/folio. As a result, the counters are incorrectly updated
> >>>>>> and checked in page_table_check_set and page_table_check_clear, leading to the
> >>>>>> bug being raised.
> >>>>>
> >>>>> We should change anon boolean to be:
> >>>>>
> >>>>> anon = !PageSlab(page) && PageAnon(page);
> >>>>
> >>>> No. Slab pages are not eligible for mapping into userspace. That's
> >>>
> >>> Sure, I can add BUG_ON(PageSlab(page)); to page_table_check_set.
> >>>
> >>>> all. There should be a BUG() for that. And I do mean BUG(), not
> >>>> "return error to user". Something has gone horribly wrong, and it's
> >>>> time to crash.
> >>>
> >>> It is just too easy to make slab available via remap_pfn_range(), but
> >>> I do not think we want to add BUG() into the remap function, otherwise
> >>> we will break devices such as /dev/mem.
> >>
> >> Slab pages can't be mmapped. Really, no matter what interface you're
> >> using. page->_mapcount is necessarily incremented by mapping to
> >> userspace, and slab uses that space for its own purposes (and has
> >> for decades). It's similar for page tables and other allocations that
> >> use PageType.
> >
> > Mapping random memory in /dev/mem can cause mapping slab pages into
> > userspace, the page->_mapcount is not incremented (and other fields
> > are not accessed) in that case, as we are using VM_PFNMAP type VMA,
> > which does not access "struct page".
>
> We should be using vm_normal_page() to identify if we should be looking
> at the struct page or not, no?

For normal Kernel-MM operations, vm_normal_page() should be used to get
"struct page" based on vma+addr+pte combination, but page_table_check
does not use vma for its operation in order to strengthen the
verification of no invalid page sharing.

But, even vm_normal_page() can cause access to the "struct page" for
VM_PFNMAP if pfn_valid(pfn) is true. So, vm_normal_page() can return a
struct page for a user mapped slab page.

Pasha

>
> --
> Thanks,
>
> David / dhildenb
>
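A userspace model of the check discussed in this thread, added here and not code from the kernel or from anyone on the list: it mirrors the counter rules of the quoted page_table_check_set() and the PageSlab() guard Pasha offers to add, using a hypothetical two-bit struct page, a per-pfn counter array indexed by i, and result codes standing in for BUG_ON() so each scenario can be driven from a test.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical model: a tiny struct page whose flag word carries the anon bit
 * for ordinary pages and is reused for slab-private state on slab pages. */
enum { PG_slab = 1u << 0, PG_anon = 1u << 1 };
struct page { unsigned int flags; };
/* Per-pfn counters, as in the quoted page_table_check_set(). */
struct page_table_check { atomic_int anon_map_count; atomic_int file_map_count; };
/* Result codes standing in for BUG_ON(); PTC_OK means the new mapping is consistent. */
enum ptc_result { PTC_OK, PTC_SLAB_MAPPED, PTC_ANON_FILE_MIX, PTC_SHARED_RW_ANON };

static bool PageSlab(const struct page *p) { return p->flags & PG_slab; }
static bool PageAnon(const struct page *p) { return p->flags & PG_anon; }

static enum ptc_result page_table_check_set(struct page *page,
                struct page_table_check *ptc, unsigned long pgcnt, bool rw)
{
        /* Guard from the thread: a slab page reaching a user mapping is a kernel
         * bug, so reject it before PageAnon() reads slab-private bits as "anon". */
        if (PageSlab(page))
                return PTC_SLAB_MAPPED;
        bool anon = PageAnon(page);
        for (unsigned long i = 0; i < pgcnt; i++) {
                if (anon) {
                        if (atomic_load(&ptc[i].file_map_count))
                                return PTC_ANON_FILE_MIX;  /* anon and file never share */
                        if (atomic_fetch_add(&ptc[i].anon_map_count, 1) + 1 > 1 && rw)
                                return PTC_SHARED_RW_ANON; /* anon page mapped rw twice */
                } else {
                        if (atomic_load(&ptc[i].anon_map_count))
                                return PTC_ANON_FILE_MIX;
                        atomic_fetch_add(&ptc[i].file_map_count, 1); /* file pages may share */
                }
        }
        return PTC_OK;
}

/* Scenarios on constructed pages; the second call returns the verdict for the sharer. */
static enum ptc_result map_twice(unsigned int flags, bool first_rw, bool second_rw)
{
        struct page p = { .flags = flags };
        struct page_table_check ptc[2] = { 0 };
        enum ptc_result r = page_table_check_set(&p, ptc, 2, first_rw);
        return r != PTC_OK ? r : page_table_check_set(&p, ptc, 2, second_rw);
}
static enum ptc_result scenario_file_page_shared(void) { return map_twice(0, true, true); }
static enum ptc_result scenario_anon_page_ro_then_rw(void) { return map_twice(PG_anon, false, true); }
/* Slab-private state happens to set the bit PageAnon() would read; PageSlab() is checked first. */
static enum ptc_result scenario_slab_page_mapped(void) { return map_twice(PG_slab | PG_anon, true, true); }
```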