From: Pasha Tatashin
Date: Mon, 8 May 2023 14:48:59 -0700
Subject: Re: usbdev_mmap causes type confusion in page_table_check
To: Matthew Wilcox
Cc: Ruihan Li, syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <000000000000258e5e05fae79fc1@google.com> <20230507135844.1231056-1-lrh2000@pku.edu.cn>
On Mon, May 8, 2023 at 2:36 PM Matthew Wilcox wrote:
>
> On Mon, May 08, 2023 at 05:27:10PM -0400, Pasha Tatashin wrote:
> > > static void page_table_check_set(struct mm_struct *mm, unsigned long addr,
> > >                                  unsigned long pfn, unsigned long pgcnt,
> > >                                  bool rw)
> > > {
> > >         // ...
> > >         anon = PageAnon(page);
> > >         for (i = 0; i < pgcnt; i++) {
> > >                 // ...
> > >                 if (anon) {
> > >                         BUG_ON(atomic_read(&ptc->file_map_count));
> > >                         BUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);
> > >                 } else {
> > >                         BUG_ON(atomic_read(&ptc->anon_map_count));
> > >                         BUG_ON(atomic_inc_return(&ptc->file_map_count) < 0);
> > >                 }
> > >                 // ...
> > >         }
> > >         // ...
> > > }
> > >
> > > This call to PageAnon is invalid for slab pages because slab reuses the bits
> > > in struct page/folio to store its internal states, and the anonymity bit only
> > > exists in struct page/folio. As a result, the counters are incorrectly updated
> > > and checked in page_table_check_set and page_table_check_clear, leading to the
> > > bug being raised.
> >
> > We should change anon boolean to be:
> >
> > anon = !PageSlab(page) && PageAnon(page);
>
> No. Slab pages are not eligible for mapping into userspace. That's

Sure, I can add BUG_ON(PageSlab(page)); to page_table_check_set.

> all. There should be a BUG() for that. And I do mean BUG(), not
> "return error to user". Something has gone horribly wrong, and it's
> time to crash.

It is just too easy to make slab available via remap_pfn_range(), but
I do not think we want to add BUG() into the remap function, otherwise
we will break devices such as /dev/mem.

Pasha
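As an added example, not code from this thread or from the kernel: a user-space C model of the page_table_check_set() counters quoted above. It shows why reading PageAnon() on a slab page is a type confusion (the word the flag lives in holds slab bookkeeping instead) and where the BUG_ON(PageSlab(page)) guard proposed in the reply would catch such a page before any counter is touched. The struct layout, the PG_slab bit, the slab_counters field, the constructed pointer values and the return codes standing in for BUG_ON() are all assumptions of this model, not the kernel's real layout.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PG_slab           (1UL << 0)  /* assumed flag bit marking a slab page */
#define PAGE_MAPPING_ANON 1UL         /* bit 0 of ->mapping flags an anonymous page */

/* Simplified struct page: slab keeps its own bookkeeping in the word that
 * normally holds ->mapping, so PageAnon() reads slab state as a flag. */
struct page {
	unsigned long flags;
	union {
		unsigned long mapping;       /* anon/file pages: address_space or anon_vma pointer */
		unsigned long slab_counters; /* slab pages: object bookkeeping (modelled) */
	};
};

/* Per-page checker state: the anon/file map counters from the quoted code. */
struct page_table_check { int anon_map_count; int file_map_count; };

static struct page pages[4];
static struct page_table_check ptcs[4];

static bool PageSlab(const struct page *p) { return p->flags & PG_slab; }
/* Only meaningful for non-slab pages: on a slab page this reads slab_counters. */
static bool PageAnon(const struct page *p) { return p->mapping & PAGE_MAPPING_ANON; }

/* Return codes stand in for BUG_ON() so the model can be exercised and tested. */
enum ptc_result { PTC_OK, PTC_BUG_MIXED, PTC_BUG_ANON_RW, PTC_BUG_OVERFLOW, PTC_BUG_SLAB };

/* Model of page_table_check_set() as quoted in the thread; guard_slab switches
 * the proposed BUG_ON(PageSlab(page)) on so both behaviours can be compared. */
static enum ptc_result page_table_check_set(unsigned long pfn, unsigned long pgcnt,
                                            bool rw, bool guard_slab)
{
	struct page *page = &pages[pfn];
	if (guard_slab && PageSlab(page))
		return PTC_BUG_SLAB;            /* slab memory must never reach user page tables */
	bool anon = PageAnon(page);         /* type confusion when page is a slab page */
	for (unsigned long i = 0; i < pgcnt; i++) {
		struct page_table_check *ptc = &ptcs[pfn + i];
		if (anon) {
			if (ptc->file_map_count) return PTC_BUG_MIXED;
			if (++ptc->anon_map_count > 1 && rw) return PTC_BUG_ANON_RW;
		} else {
			if (ptc->anon_map_count) return PTC_BUG_MIXED;
			if (++ptc->file_map_count < 0) return PTC_BUG_OVERFLOW;
		}
	}
	return PTC_OK;
}

static void reset(void) { memset(pages, 0, sizeof pages); memset(ptcs, 0, sizeof ptcs); }

/* Anonymous page mapped writable twice: the check fires, as intended. */
static enum ptc_result scenario_anon_rw_twice(void)
{
	reset();
	pages[0].mapping = 0x1000 | PAGE_MAPPING_ANON;  /* constructed anon_vma value */
	page_table_check_set(0, 1, true, true);
	return page_table_check_set(0, 1, true, true);  /* PTC_BUG_ANON_RW */
}

/* File-backed page shared three times: allowed. */
static enum ptc_result scenario_file_shared(void)
{
	enum ptc_result r = PTC_OK;
	reset();
	pages[1].mapping = 0x2000;                      /* constructed address_space value */
	for (int i = 0; i < 3 && r == PTC_OK; i++)
		r = page_table_check_set(1, 1, true, true);
	return r;                                       /* PTC_OK */
}

/* Slab page, no guard: an odd slab_counters value makes PageAnon() true, so the
 * first mapping is counted as anonymous; once the bookkeeping changes to an even
 * value the next mapping is counted as file-backed and the mixed check fires. */
static enum ptc_result scenario_slab_unguarded(void)
{
	reset();
	pages[2].flags = PG_slab;
	pages[2].slab_counters = 7;                      /* constructed slab state */
	page_table_check_set(2, 1, false, false);
	pages[2].slab_counters = 8;                      /* slab state moves under the checker */
	return page_table_check_set(2, 1, false, false); /* PTC_BUG_MIXED */
}

/* Same slab page with the proposed guard: rejected before any counter moves. */
static enum ptc_result scenario_slab_guarded(void)
{
	reset();
	pages[2].flags = PG_slab;
	pages[2].slab_counters = 7;
	return page_table_check_set(2, 1, false, true);  /* PTC_BUG_SLAB */
}

int main(void)
{
	printf("anon rw twice %d, file shared %d, slab unguarded %d, slab guarded %d\n",
	       scenario_anon_rw_twice(), scenario_file_shared(),
	       scenario_slab_unguarded(), scenario_slab_guarded());
	return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run it. The unguarded slab scenario is the point of the thread: the checker's counters are driven by a bit that has a different meaning on a slab page, so the BUG that eventually fires says nothing about the mapping that caused it; checking PageSlab() first, as the reply proposes, turns that into an immediate, unambiguous report at the place the slab page entered the page tables.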