From mboxrd@z Thu Jan 1 00:00:00 1970
From: Matthew Wilcox
To: Pasha Tatashin
Cc: Ruihan Li, syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com,
 akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org,
 gregkh@linuxfoundation.org, linux-usb@vger.kernel.org,
 syzkaller-bugs@googlegroups.com
Subject: Re: usbdev_mmap causes type confusion in page_table_check
Date: Mon, 8 May 2023 22:52:36 +0100
References: <000000000000258e5e05fae79fc1@google.com>
 <20230507135844.1231056-1-lrh2000@pku.edu.cn>
List-ID: linux-mm@kvack.org

On Mon, May 08, 2023 at 02:48:59PM -0700, Pasha Tatashin wrote:
> On Mon, May 8, 2023 at 2:36 PM Matthew Wilcox wrote:
> >
> > On Mon, May 08, 2023 at 05:27:10PM -0400, Pasha Tatashin wrote:
> > > > static void page_table_check_set(struct mm_struct *mm, unsigned long addr,
> > > >                                  unsigned long pfn, unsigned long pgcnt,
> > > >                                  bool rw)
> > > > {
> > > >         // ...
> > > >         anon = PageAnon(page);
> > > >         for (i = 0; i < pgcnt; i++) {
> > > >                 // ...
> > > >                 if (anon) {
> > > >                         BUG_ON(atomic_read(&ptc->file_map_count));
> > > >                         BUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);
> > > >                 } else {
> > > >                         BUG_ON(atomic_read(&ptc->anon_map_count));
> > > >                         BUG_ON(atomic_inc_return(&ptc->file_map_count) < 0);
> > > >                 }
> > > >                 // ...
> > > >         }
> > > >         // ...
> > > > }
> > > >
> > > > This call to PageAnon is invalid for slab pages because slab reuses the bits
> > > > in struct page/folio to store its internal states, and the anonymity bit only
> > > > exists in struct page/folio.
> > > > As a result, the counters are incorrectly updated
> > > > and checked in page_table_check_set and page_table_check_clear, leading to the
> > > > bug being raised.
> > >
> > > We should change anon boolean to be:
> > >
> > > anon = !PageSlab(page) && PageAnon(page);
> >
> > No.  Slab pages are not eligible for mapping into userspace.  That's
>
> Sure, I can add BUG_ON(PageSlab(page)); to page_table_check_set.
>
> > all.  There should be a BUG() for that.  And I do mean BUG(), not
> > "return error to user".  Something has gone horribly wrong, and it's
> > time to crash.
>
> It is just too easy to make slab available via remap_pfn_range(), but
> I do not think we want to add BUG() into the remap function, otherwise
> we will break devices such as /dev/mem.

Slab pages can't be mmapped.  Really, no matter what interface you're
using.  page->_mapcount is necessarily incremented by mapping to
userspace, and slab uses that space for its own purposes (and has for
decades).  It's similar for page tables and other allocations that use
PageType.
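The following is a userspace model of the counter logic the thread is arguing about, added here as an illustration; it is not kernel code and not code posted by anyone in the thread. The PAGE_MAPPING_ANON low-bit encoding of page->mapping and the set/clear counter rules follow mm/page_table_check.c as quoted above; the struct layout, the PG_slab_BIT position, the union overlay and the slab state values 0x3 and 0x2 are assumptions of the model. It shows why classifying a slab page with PageAnon() produces a spurious counter BUG_ON in clear() after set(), and how refusing slab pages up front (the BUG_ON(PageSlab(page)) discussed in the thread) reports the real problem before any counter is touched.

```c
/* Userspace model of page_table_check counters (constructed example, not kernel code).
 * Kernel-faithful: PAGE_MAPPING_ANON encoding, set/clear counter rules.
 * Assumed: struct layout, PG_slab_BIT, union overlay, slab state values. */
#include <stdbool.h>
#include <stdio.h>

#define PAGE_MAPPING_ANON 0x1UL      /* low bit of page->mapping marks an anon page (kernel encoding) */
#define PG_slab_BIT       (1UL << 0) /* assumed flag bit meaning "this is a slab page" */

struct page {
    unsigned long flags;
    union {
        unsigned long mapping;    /* anon/file page: address_space or anon_vma pointer */
        unsigned long slab_state; /* slab reuses the same word for its own state (assumed overlay) */
    };
};

/* Model of struct page_table_check: one pair of counters per physical page. */
struct page_table_check { int anon_map_count; int file_map_count; };

enum ptc_result { PTC_OK = 0, PTC_BUG_COUNTER = 1, PTC_BUG_SLAB_MAPPED = 2 };

static bool PageSlab(const struct page *p) { return p->flags & PG_slab_BIT; }
/* For a slab page this reads a bit of slab state, not an anonymity bit. */
static bool PageAnon(const struct page *p) { return p->mapping & PAGE_MAPPING_ANON; }

/* Counter rules of page_table_check_set(); each BUG_ON becomes a result code. */
static enum ptc_result ptc_set(struct page_table_check *ptc, bool anon, bool rw)
{
    if (anon) {
        if (ptc->file_map_count) return PTC_BUG_COUNTER;
        if (++ptc->anon_map_count > 1 && rw) return PTC_BUG_COUNTER;
    } else {
        if (ptc->anon_map_count) return PTC_BUG_COUNTER;
        if (++ptc->file_map_count < 0) return PTC_BUG_COUNTER;
    }
    return PTC_OK;
}

/* Mirror-image rules of page_table_check_clear(). */
static enum ptc_result ptc_clear(struct page_table_check *ptc, bool anon)
{
    if (anon) {
        if (ptc->file_map_count) return PTC_BUG_COUNTER;
        if (--ptc->anon_map_count < 0) return PTC_BUG_COUNTER;
    } else {
        if (ptc->anon_map_count) return PTC_BUG_COUNTER;
        if (--ptc->file_map_count < 0) return PTC_BUG_COUNTER;
    }
    return PTC_OK;
}

/* Behaviour from the report: classify with PageAnon() regardless of page type. */
static enum ptc_result set_unchecked(struct page *pg, struct page_table_check *ptc, bool rw)
{ return ptc_set(ptc, PageAnon(pg), rw); }
static enum ptc_result clear_unchecked(struct page *pg, struct page_table_check *ptc)
{ return ptc_clear(ptc, PageAnon(pg)); }

/* The thread's conclusion: a slab page on this path is itself the bug, so
 * refuse it before any counter is touched rather than masking it with
 * `anon = !PageSlab(page) && PageAnon(page)`. */
static enum ptc_result set_checked(struct page *pg, struct page_table_check *ptc, bool rw)
{ return PageSlab(pg) ? PTC_BUG_SLAB_MAPPED : ptc_set(ptc, PageAnon(pg), rw); }

/* A slab page is mapped, its slab state word changes (constructed values
 * 0x3 then 0x2), then it is unmapped: set() counted it as anon, clear()
 * sees it as file and trips BUG_ON(anon_map_count). */
static enum ptc_result scenario_unchecked(void)
{
    struct page slab = { .flags = PG_slab_BIT, .slab_state = 0x3 }; /* low bit set */
    struct page_table_check ptc = { 0, 0 };
    enum ptc_result r = set_unchecked(&slab, &ptc, true);          /* anon_map_count = 1 */
    slab.slab_state = 0x2;                                         /* low bit now clear */
    if (r == PTC_OK)
        r = clear_unchecked(&slab, &ptc);
    return r;
}

/* Same slab page, but the type is checked first: refused, counters untouched. */
static enum ptc_result scenario_checked(void)
{
    struct page slab = { .flags = PG_slab_BIT, .slab_state = 0x3 };
    struct page_table_check ptc = { 0, 0 };
    return set_checked(&slab, &ptc, true);
}

/* A genuine anon page (fake anon_vma pointer) maps and unmaps cleanly. */
static enum ptc_result scenario_anon_page(void)
{
    struct page anon = { .flags = 0, .mapping = 0x1000UL | PAGE_MAPPING_ANON };
    struct page_table_check ptc = { 0, 0 };
    enum ptc_result r = set_checked(&anon, &ptc, true);
    return r == PTC_OK ? clear_unchecked(&anon, &ptc) : r;
}

int main(void)
{
    printf("unchecked slab: %d (1 = spurious counter BUG)\n", scenario_unchecked());
    printf("checked slab:   %d (2 = slab page mapped, real bug reported)\n", scenario_checked());
    printf("anon page:      %d (0 = OK)\n", scenario_anon_page());
    return 0;
}
```

The point of the two slab scenarios is the one made in the thread: PageAnon() on a slab page returns whatever slab happens to have stored in that word, so the counters go inconsistent and the eventual BUG_ON fires for the wrong reason. Checking the page type first turns the same event into an immediate, correctly attributed failure, whereas `!PageSlab(page) && PageAnon(page)` would count the slab page as file-mapped and hide that it was mapped at all.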