From: Pasha Tatashin
Date: Mon, 15 May 2023 12:28:54 -0400
Subject: Re: [PATCH v2 4/4] mm: page_table_check: Ensure user pages are not slab pages
To: Ruihan Li
Cc: linux-mm@kvack.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, David Hildenbrand, Matthew Wilcox, Andrew Morton, Christoph Hellwig, Alan Stern, Greg Kroah-Hartman, syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, stable@vger.kernel.org

On Mon, May 15, 2023 at 9:10 AM Ruihan Li wrote:
>
> The current uses of PageAnon in page table check functions can lead to
> type confusion bugs between struct page and slab [1], if slab pages are
> accidentally mapped into the user space. This is because slab reuses the
> bits in struct page to store its internal states, which renders PageAnon
> ineffective on slab pages.
>
> Since slab pages are not expected to be mapped into the user space, this
> patch adds BUG_ON(PageSlab(page)) checks to make sure that slab pages
> are not inadvertently mapped. Otherwise, there must be some bugs in the
> kernel.
>
> Reported-by: syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/lkml/000000000000258e5e05fae79fc1@google.com/ [1]
> Fixes: df4e817b7108 ("mm: page table check")
> Cc: # 5.17
> Signed-off-by: Ruihan Li

Acked-by: Pasha Tatashin

I would also update order in mm/memory.c

static int validate_page_before_insert(struct page *page)
{
	if (PageAnon(page) || PageSlab(page) || page_has_type(page))

It is not strictly a bug there, as it works by accident, but PageSlab()
should go before PageAnon(), because without checking if this is
PageSlab() we should not be testing for PageAnon().

Thank you,
Pasha
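To make the type confusion concrete, here is an added model in plain C (not kernel code: the struct layout, the PG_slab bit number, the sample pointer values and the names classify_anon_first, classify_slab_first and user_page_is_sane are constructed for this illustration) showing how a word that slab reuses can satisfy PageAnon()'s bit test, and why testing PageSlab() first avoids it.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model: the real struct page layout and PG_slab bit number differ. */
#define PAGE_MAPPING_ANON 0x1UL   /* low bit of page->mapping marks an anon page */
#define PG_SLAB_MODEL_BIT 0       /* model flag bit standing in for PG_slab */

struct page {
    unsigned long flags;          /* PG_* flag bits */
    union {
        void *mapping;            /* anon_vma / address_space for user-mapped pages */
        void *slab_state;         /* slab reuses the same word for its own bookkeeping */
    };
};

static bool PageSlab(const struct page *p) { return (p->flags >> PG_SLAB_MODEL_BIT) & 1UL; }
static bool PageAnon(const struct page *p) { return ((uintptr_t)p->mapping & PAGE_MAPPING_ANON) != 0; }

enum page_kind { KIND_ANON, KIND_SLAB, KIND_OTHER };
/* PageAnon tested before PageSlab: on a slab page the mapping word is slab state,
 * so the anon-bit test reads garbage and can misclassify (the type confusion). */
enum page_kind classify_anon_first(const struct page *p)
{
    if (PageAnon(p)) return KIND_ANON;
    if (PageSlab(p)) return KIND_SLAB;
    return KIND_OTHER;
}

/* PageSlab tested first, as the reply suggests: the mapping word is only
 * interpreted once we know the page is not a slab page. */
enum page_kind classify_slab_first(const struct page *p)
{
    if (PageSlab(p)) return KIND_SLAB;
    if (PageAnon(p)) return KIND_ANON;
    return KIND_OTHER;
}

/* What the patch's BUG_ON(PageSlab(page)) enforces in the page table checks:
 * returns false where the kernel would BUG because a slab page got mapped. */
bool user_page_is_sane(const struct page *p) { return !PageSlab(p); }

struct page make_slab_page(void)
{   /* constructed slab page whose reused word happens to have the low bit set */
    return (struct page){ .flags = 1UL << PG_SLAB_MODEL_BIT, .slab_state = (void *)(uintptr_t)0x1003 };
}
struct page make_anon_page(void)
{   /* constructed genuine anon page: pointer tagged with PAGE_MAPPING_ANON */
    return (struct page){ .flags = 0, .mapping = (void *)(uintptr_t)0x2001 };
}
```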