From: Matthew Wilcox <willy@infradead.org>
To: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: Ruihan Li <lrh2000@pku.edu.cn>,
syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com,
akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, gregkh@linuxfoundation.org,
linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: usbdev_mmap causes type confusion in page_table_check
Date: Mon, 8 May 2023 22:36:44 +0100
Message-ID: <ZFlrbDft1QfMyIDc@casper.infradead.org>
In-Reply-To: <CA+CK2bBe2YKYM3rUTCnZ0RF=NFUR9VqO-QYn3ygPsFJWLY1MUA@mail.gmail.com>
On Mon, May 08, 2023 at 05:27:10PM -0400, Pasha Tatashin wrote:
> > static void page_table_check_set(struct mm_struct *mm, unsigned long addr,
> >                                  unsigned long pfn, unsigned long pgcnt,
> >                                  bool rw)
> > {
> >     // ...
> >     anon = PageAnon(page);
> >     for (i = 0; i < pgcnt; i++) {
> >         // ...
> >         if (anon) {
> >             BUG_ON(atomic_read(&ptc->file_map_count));
> >             BUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);
> >         } else {
> >             BUG_ON(atomic_read(&ptc->anon_map_count));
> >             BUG_ON(atomic_inc_return(&ptc->file_map_count) < 0);
> >         }
> >         // ...
> >     }
> >     // ...
> > }
> >
> > This call to PageAnon is invalid for slab pages because slab reuses the bits
> > in struct page/folio to store its internal states, and the anonymity bit only
> > exists in struct page/folio. As a result, the counters are incorrectly updated
> > and checked in page_table_check_set and page_table_check_clear, leading to the
> > bug being raised.
>
> We should change anon boolean to be:
>
> anon = !PageSlab(page) && PageAnon(page);
No. Slab pages are not eligible for mapping into userspace. That's
all. There should be a BUG() for that. And I do mean BUG(), not
"return error to user". Something has gone horribly wrong, and it's
time to crash.
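The type confusion discussed in this thread, as an added C model (not the kernel's code and not from any message here): a constructed struct page whose mapping word is reused by slab, so PageAnon() misreports a slab page, with the counting from the quoted page_table_check_set() and the slab guard the reply asks for in front of it. PG_slab, MAPPING_ANON, the non-halting BUG_ON and check_mapping are assumptions of the model, not kernel definitions.

```c
#include <stdbool.h>

/* Constructed model of the page state involved (not the kernel's real layout):
 * PageAnon() tests the low bit of page->mapping, and slab reuses that word for
 * its own bookkeeping, so the bit is meaningless once PG_slab is set. */
#define PG_slab      (1UL << 0)
#define MAPPING_ANON (1UL << 0)

struct page {
    unsigned long flags;    /* PG_slab lives here */
    unsigned long mapping;  /* low bit == anon, valid for non-slab pages only */
};
static bool PageSlab(const struct page *p) { return p->flags & PG_slab; }
static bool PageAnon(const struct page *p) { return p->mapping & MAPPING_ANON; }

/* Per-page counters (plain ints: the model is single-threaded). */
struct page_table_check { int anon_map_count, file_map_count; };

/* BUG_ON() halts the kernel; the model records the hit and abandons the check. */
static int bug_count;
#define BUG_ON(x) do { if (x) { bug_count++; return; } } while (0)

/* The counting from the quoted page_table_check_set(), with the slab guard the
 * reply asks for placed before the anon/file split (guard=false: unguarded). */
static void page_table_check_set(struct page_table_check *ptc,
                                 const struct page *page, bool rw, bool guard)
{
    if (guard)
        BUG_ON(PageSlab(page));  /* slab memory is never mapped into userspace */
    if (PageAnon(page)) {
        BUG_ON(ptc->file_map_count);
        BUG_ON(++ptc->anon_map_count > 1 && rw);
    } else {
        BUG_ON(ptc->anon_map_count);
        BUG_ON(++ptc->file_map_count < 0);
    }
}

/* Map one page into a fresh tracker. Returns bugs*100 + anon*10 + file so a
 * single value shows what fired and how the counters ended up. */
static int check_mapping(unsigned long flags, unsigned long mapping, bool rw,
                         bool guard)
{
    struct page_table_check ptc = { 0, 0 };
    struct page page = { flags, mapping };
    bug_count = 0;
    page_table_check_set(&ptc, &page, rw, guard);
    return bug_count * 100 + ptc.anon_map_count * 10 + ptc.file_map_count;
}
```

Without the guard, a slab page whose reused word happens to have the low bit set is silently counted as an anonymous mapping; with it, the check stops at the BUG_ON before any counter is touched.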