From: Pasha Tatashin <pasha.tatashin@soleen.com>
To: Ruihan Li <lrh2000@pku.edu.cn>
Cc: linux-mm@kvack.org, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org,
David Hildenbrand <david@redhat.com>,
Matthew Wilcox <willy@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Christoph Hellwig <hch@infradead.org>,
Alan Stern <stern@rowland.harvard.edu>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com,
stable@vger.kernel.org
Subject: Re: [PATCH v2 4/4] mm: page_table_check: Ensure user pages are not slab pages
Date: Mon, 15 May 2023 12:28:54 -0400 [thread overview]
Message-ID: <CA+CK2bBD_fdmz1fFjB8MXBGMHf4jzRWeBRirH3HdWRLqY7cmtw@mail.gmail.com> (raw)
In-Reply-To: <20230515130958.32471-5-lrh2000@pku.edu.cn>
On Mon, May 15, 2023 at 9:10 AM Ruihan Li <lrh2000@pku.edu.cn> wrote:
>
> The current uses of PageAnon in page table check functions can lead to
> type confusion bugs between struct page and slab [1], if slab pages are
> accidentally mapped into the user space. This is because slab reuses the
> bits in struct page to store its internal states, which renders PageAnon
> ineffective on slab pages.
>
> Since slab pages are not expected to be mapped into the user space, this
> patch adds BUG_ON(PageSlab(page)) checks to make sure that slab pages
> are not inadvertently mapped. Otherwise, there must be some bugs in the
> kernel.
>
> Reported-by: syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/lkml/000000000000258e5e05fae79fc1@google.com/ [1]
> Fixes: df4e817b7108 ("mm: page table check")
> Cc: <stable@vger.kernel.org> # 5.17
> Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Acked-by: Pasha Tatashin <pasha.tatashin@soleen.com>
I would also update order in mm/memory.c
static int validate_page_before_insert(struct page *page)
{
if (PageAnon(page) || PageSlab(page) || page_has_type(page))
It is not strictly a bug there, as it works by accident, but
PageSlab() should go before PageAnon(), because without checking if
this is PageSlab() we should not be testing for PageAnon().
Thanks you,
Pasha
next prev parent reply other threads:[~2023-05-15 16:29 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230515130958.32471-1-lrh2000@pku.edu.cn>
2023-05-15 13:09 ` [PATCH v2 1/4] usb: usbfs: Enforce page requirements for mmap Ruihan Li
2023-05-15 14:07 ` Alan Stern
2023-05-17 6:22 ` Christoph Hellwig
2023-05-15 13:09 ` [PATCH v2 2/4] usb: usbfs: Use consistent mmap functions Ruihan Li
2023-05-15 16:07 ` David Laight
2023-05-16 11:42 ` Ruihan Li
2023-05-15 13:09 ` [PATCH v2 3/4] mm: page_table_check: Make it dependent on EXCLUSIVE_SYSTEM_RAM Ruihan Li
2023-05-15 16:36 ` Pasha Tatashin
2023-05-16 12:55 ` David Hildenbrand
2023-05-15 13:09 ` [PATCH v2 4/4] mm: page_table_check: Ensure user pages are not slab pages Ruihan Li
2023-05-15 16:28 ` Pasha Tatashin [this message]
2023-05-16 11:51 ` Ruihan Li
2023-05-16 12:54 ` David Hildenbrand
2023-05-16 14:14 ` Pasha Tatashin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+CK2bBD_fdmz1fFjB8MXBGMHf4jzRWeBRirH3HdWRLqY7cmtw@mail.gmail.com \
--to=pasha.tatashin@soleen.com \
--cc=akpm@linux-foundation.org \
--cc=david@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-usb@vger.kernel.org \
--cc=lrh2000@pku.edu.cn \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox