Date: Mon, 8 May 2023 22:36:44 +0100
From: Matthew Wilcox
To: Pasha Tatashin
Cc: Ruihan Li, syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: usbdev_mmap causes type confusion in page_table_check
References: <000000000000258e5e05fae79fc1@google.com> <20230507135844.1231056-1-lrh2000@pku.edu.cn>

On Mon, May 08, 2023 at 05:27:10PM -0400, Pasha Tatashin wrote:
> > static void page_table_check_set(struct mm_struct *mm, unsigned long addr,
> >                                  unsigned long pfn, unsigned long pgcnt,
> >                                  bool rw)
> > {
> >         // ...
> >         anon = PageAnon(page);
> >         for (i = 0; i < pgcnt; i++) {
> >                 // ...
> >                 if (anon) {
> >                         BUG_ON(atomic_read(&ptc->file_map_count));
> >                         BUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);
> >                 } else {
> >                         BUG_ON(atomic_read(&ptc->anon_map_count));
> >                         BUG_ON(atomic_inc_return(&ptc->file_map_count) < 0);
> >                 }
> >                 // ...
> >         }
> >         // ...
> > }
> >
> > This call to PageAnon is invalid for slab pages because slab reuses the bits
> > in struct page/folio to store its internal states, and the anonymity bit only
> > exists in struct page/folio. As a result, the counters are incorrectly updated
> > and checked in page_table_check_set and page_table_check_clear, leading to the
> > bug being raised.
>
> We should change anon boolean to be:
>
> anon = !PageSlab(page) && PageAnon(page);

No.  Slab pages are not eligible for mapping into userspace.  That's all.
There should be a BUG() for that.  And I do mean BUG(), not "return error
to user".
Something has gone horribly wrong, and it's time to crash.
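The mechanism under discussion, as an added user-space model that is not kernel code and not part of this thread: `struct toy_page`, `struct toy_ptc`, the `PG_SLAB` flag and the `slab_inuse` word are simplified stand-ins for the kernel's `struct page`, the page_table_check counters, `PageSlab()` and slab's reuse of the `->mapping` word; only the convention that the low bit of `->mapping` marks an anonymous page is the kernel's own. The naive checker mirrors the structure of the quoted `page_table_check_set()`, the checked variant adds the slab refusal that in the kernel would be a `BUG()` rather than a return code, and the replay shows the same slab page being classified first as anonymous and then as file-backed purely because the allocator changed its state.

```c
/* Added example, not kernel code: a user-space model of the type confusion in
 * the quoted page_table_check_set() and of the slab check asked for above.
 * toy_page/toy_ptc/PG_SLAB/slab_inuse are constructed stand-ins for the kernel
 * structures; only the PAGE_MAPPING_ANON low-bit convention is the real one. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PG_SLAB           (1UL << 0)  /* hypothetical flag: page owned by the slab allocator */
#define PAGE_MAPPING_ANON 1UL         /* low bit of ->mapping marks an anonymous page */

struct toy_page {
    unsigned long flags;
    union {                          /* slab reuses the ->mapping word for its own state */
        void *mapping;               /* file/anon pages: address_space, or anon_vma | PAGE_MAPPING_ANON */
        unsigned long slab_inuse;    /* constructed slab state living in the same word */
    };
};

struct toy_ptc {                     /* per-physical-page counters, as in the quoted code */
    int anon_map_count;
    int file_map_count;
};

enum ptc_result {
    PTC_OK = 0,
    PTC_ANON_FILE_MIX,   /* quoted BUG_ON: anon and file mappings of the same page */
    PTC_ANON_RW_SHARED,  /* quoted BUG_ON: anon page writably mapped more than once */
    PTC_SLAB_MAPPED,     /* the missing check: a slab page reached the page tables */
};

static bool page_slab(const struct toy_page *p) { return (p->flags & PG_SLAB) != 0; }

/* Reads the anon bit the way PageAnon() does; meaningful only for non-slab pages. */
static bool page_anon(const struct toy_page *p)
{
    return ((uintptr_t)p->mapping & PAGE_MAPPING_ANON) != 0;
}

/* Naive checker: the structure of the quoted page_table_check_set() loop body. */
static enum ptc_result ptc_set_naive(struct toy_ptc *c, const struct toy_page *p, bool rw)
{
    if (page_anon(p)) {
        if (c->file_map_count)
            return PTC_ANON_FILE_MIX;
        if (++c->anon_map_count > 1 && rw)
            return PTC_ANON_RW_SHARED;
    } else {
        if (c->anon_map_count)
            return PTC_ANON_FILE_MIX;
        ++c->file_map_count;
    }
    return PTC_OK;
}

/* Hardened checker: a slab page must never be mapped into userspace, so its
 * ->mapping word is never interpreted. In the kernel this would be BUG(). */
static enum ptc_result ptc_set_checked(struct toy_ptc *c, const struct toy_page *p, bool rw)
{
    if (page_slab(p))
        return PTC_SLAB_MAPPED;
    return ptc_set_naive(c, p, rw);
}

/* What PageAnon() "sees" on a slab page whose reused word holds the given value. */
bool slab_word_looks_anon(unsigned long slab_inuse)
{
    struct toy_page slab = { .flags = PG_SLAB };
    slab.slab_inuse = slab_inuse;
    return page_anon(&slab);
}

/* Replays the failure: one slab page is mapped twice while the slab allocator
 * changes its state in between. Returns the first non-OK result. */
enum ptc_result replay_slab_confusion(bool checked)
{
    struct toy_ptc c = { 0, 0 };
    struct toy_page slab = { .flags = PG_SLAB };
    enum ptc_result r;

    slab.slab_inuse = 3;                /* odd: low bit set, misread as anonymous */
    r = checked ? ptc_set_checked(&c, &slab, false) : ptc_set_naive(&c, &slab, false);
    if (r != PTC_OK)
        return r;
    slab.slab_inuse = 4;                /* even: low bit clear, misread as file-backed */
    return checked ? ptc_set_checked(&c, &slab, false) : ptc_set_naive(&c, &slab, false);
}

/* Sanity check: a genuine anon page still trips the quoted writable-sharing BUG_ON. */
enum ptc_result map_anon_page_twice_rw(void)
{
    static int anon_vma_stub;           /* constructed; an int is aligned, so its low bit is clear */
    struct toy_ptc c = { 0, 0 };
    struct toy_page anon = { .flags = 0 };

    anon.mapping = (void *)((uintptr_t)&anon_vma_stub | PAGE_MAPPING_ANON);
    (void)ptc_set_checked(&c, &anon, true);      /* first writable mapping: fine */
    return ptc_set_checked(&c, &anon, true);     /* second one: PTC_ANON_RW_SHARED */
}

int main(void)
{
    printf("slab word 3 looks anon: %d, slab word 4 looks anon: %d\n",
           slab_word_looks_anon(3), slab_word_looks_anon(4));
    printf("naive replay result %d (PTC_ANON_FILE_MIX = %d)\n",
           replay_slab_confusion(false), PTC_ANON_FILE_MIX);
    printf("checked replay result %d (PTC_SLAB_MAPPED = %d)\n",
           replay_slab_confusion(true), PTC_SLAB_MAPPED);
    return 0;
}
```

The point the model makes is that `!PageSlab(page) && PageAnon(page)` would silently route a slab page into the file-backed branch and keep counting, whereas refusing the slab page outright stops the checker from ever reading a word whose meaning depends on a type the page no longer has.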