From: Pasha Tatashin
Date: Mon, 8 May 2023 17:07:26 -0700
Subject: Re: usbdev_mmap causes type confusion in page_table_check
To: David Hildenbrand
Cc: Matthew Wilcox, Ruihan Li, syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
In-Reply-To: <366ab078-1101-421c-691d-34f5efe006b5@redhat.com>
References: <000000000000258e5e05fae79fc1@google.com> <20230507135844.1231056-1-lrh2000@pku.edu.cn> <366ab078-1101-421c-691d-34f5efe006b5@redhat.com>

On Mon, May 8, 2023 at 4:37 PM David Hildenbrand wrote:
>
> On 09.05.23 01:21, Pasha Tatashin wrote:
> >> For normal Kernel-MM operations, vm_normal_page() should be used to
> >> get "struct page" based on vma+addr+pte combination, but
> >> page_table_check does not use vma for its operation in order to
> >> strengthen the verification of no invalid page sharing. But, even
>
> I'm not sure if that's the right approach for this case here, though.
>
> >> vm_normal_page() can cause access to the "struct page" for VM_PFNMAP
> >> if pfn_valid(pfn) is true. So, vm_normal_page() can return a struct
> >> page for a user mapped slab page.
> >
> > Only for !ARCH_HAS_PTE_SPECIAL case, otherwise NULL is returned.
>
> That would violate VM_PFNMAP semantics, though. I remember that there
> was a trick to it.
>
> Assuming we map /dev/mem, what stops a page we mapped and determined to
> be !anon to be freed and reused, such that we suddenly have an anon page
> mapped?
>
> In that case, we really don't want to look at the "struct page" ever, no?

Good point. page_table_check just does not work well with /dev/mem. I am
thinking of adding BUG_ON(PageSlab(page)); and also "depends on !DEVMEM"
for the PAGE_TABLE_CHECK config option.

Pasha
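A userland model of the bookkeeping the thread is arguing about, added here as an illustration; it is not code from the kernel or from anyone in the thread. It reconstructs, in simplified form, the anon/file mapping counters page_table_check keeps per page and the PageSlab guard proposed above. The kernel's real implementation in mm/page_table_check.c calls BUG_ON() on a violation; this model returns an error code instead so the two failure modes from the mail (a slab page being user-mapped via usbdev_mmap, and a /dev/mem-style PFNMAP mapping whose page is later freed and reused as anon memory) can be exercised and checked. The names `ptc_set`, `ptc_reset`, the `struct page` fields, the scenario functions and the `PTC_*` values are this model's own, not kernel identifiers.

```c
/*
 * Simplified userland model of page_table_check's per-page bookkeeping.
 * Added illustration only: the real code is mm/page_table_check.c and
 * calls BUG_ON() on a violation; this model returns an error code instead.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_PAGES 8

/* Stand-in for the few bits of struct page / page_ext the checker uses. */
struct page {
    bool anon;          /* models PageAnon(): anonymous user memory  */
    bool slab;          /* models PageSlab(): page backs a kernel slab */
    int anon_map_count; /* PTEs mapping the page as anonymous memory  */
    int file_map_count; /* PTEs mapping the page as file/other memory */
};

static struct page pages[NR_PAGES];   /* constructed toy "memory map" */

enum ptc_err {
    PTC_OK = 0,
    PTC_SLAB_MAPPED,    /* guard proposed in the mail: BUG_ON(PageSlab(page)) */
    PTC_ANON_FILE_MIX,  /* page accounted both as anon and as file memory     */
    PTC_ANON_SHARED_RW, /* anon page with more than one writable mapping      */
};

static void ptc_reset(void)
{
    memset(pages, 0, sizeof(pages));
}

/* Model of page_table_check_set(): a new PTE maps pfn (rw = writable). */
static enum ptc_err ptc_set(unsigned long pfn, bool rw)
{
    struct page *page = &pages[pfn];

    if (page->slab)                 /* the addition proposed in the thread */
        return PTC_SLAB_MAPPED;
    if (page->anon) {
        if (page->file_map_count)
            return PTC_ANON_FILE_MIX;
        if (++page->anon_map_count > 1 && rw)
            return PTC_ANON_SHARED_RW;
    } else {
        if (page->anon_map_count)
            return PTC_ANON_FILE_MIX;
        page->file_map_count++;
    }
    return PTC_OK;
}

/*
 * The usbdev_mmap case: a slab-backed buffer is handed to user space by
 * pfn. With the proposed guard the checker reports it at the set() step.
 */
static enum ptc_err scenario_slab_via_mmap(void)
{
    ptc_reset();
    pages[4].slab = true;
    return ptc_set(4, false);
}

/*
 * The /dev/mem concern raised above: a PFNMAP mapping is accounted as a
 * file mapping while the page is !anon; the page is then freed and reused
 * as anon memory while the PFNMAP PTE is still in place, and the next
 * operation on it trips the checker although nothing is really shared.
 */
static enum ptc_err scenario_pfnmap_reuse(void)
{
    enum ptc_err err;

    ptc_reset();
    err = ptc_set(3, true);         /* PFNMAP PTE onto a plain page: fine */
    if (err != PTC_OK)
        return err;
    pages[3].anon = true;           /* page freed and reused as anon       */
    return ptc_set(3, true);        /* anon PTE: the counters now disagree */
}

int main(void)
{
    printf("slab page mapped to user space -> %d (expect %d)\n",
           scenario_slab_via_mmap(), PTC_SLAB_MAPPED);
    printf("PFNMAP page reused as anon     -> %d (expect %d)\n",
           scenario_pfnmap_reuse(), PTC_ANON_FILE_MIX);
    return 0;
}
```

The second scenario is the point of the exchange: once the checker has keyed its state on a pfn that user space reached through VM_PFNMAP, nothing ties that state to the lifetime of the page behind it, so the counters can only be trusted for pfns the VMA would hand back via vm_normal_page(). That is why the reply pairs the PageSlab guard with making the option depend on !DEVMEM rather than relying on the guard alone.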