Date: Mon, 8 May 2023 22:36:44 +0100
From: Matthew Wilcox
To: Pasha Tatashin
Cc: Ruihan Li, syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: usbdev_mmap causes type confusion in page_table_check
References: <000000000000258e5e05fae79fc1@google.com> <20230507135844.1231056-1-lrh2000@pku.edu.cn>
X-Mailing-List: linux-usb@vger.kernel.org

On Mon, May 08, 2023 at 05:27:10PM -0400, Pasha Tatashin wrote:
> > static void page_table_check_set(struct mm_struct *mm, unsigned long addr,
> >                                  unsigned long pfn, unsigned long pgcnt,
> >                                  bool rw)
> > {
> >         // ...
> >         anon = PageAnon(page);
> >         for (i = 0; i < pgcnt; i++) {
> >                 // ...
> >                 if (anon) {
> >                         BUG_ON(atomic_read(&ptc->file_map_count));
> >                         BUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);
> >                 } else {
> >                         BUG_ON(atomic_read(&ptc->anon_map_count));
> >                         BUG_ON(atomic_inc_return(&ptc->file_map_count) < 0);
> >                 }
> >                 // ...
> >         }
> >         // ...
> > }
> >
> > This call to PageAnon is invalid for slab pages because slab reuses the bits
> > in struct page/folio to store its internal states, and the anonymity bit only
> > exists in struct page/folio. As a result, the counters are incorrectly updated
> > and checked in page_table_check_set and page_table_check_clear, leading to the
> > bug being raised.
>
> We should change anon boolean to be:
>
> anon = !PageSlab(page) && PageAnon(page);

No. Slab pages are not eligible for mapping into userspace. That's all.
There should be a BUG() for that. And I do mean BUG(), not "return error
to user". Something has gone horribly wrong, and it's time to crash.
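Added illustration of the confusion discussed in this thread, as a constructed userspace model rather than kernel code or anything written by the participants: it keeps the quoted set() counter logic, mirrors it for clear(), and contrasts the unchanged PageAnon() check with a fatal "slab page reached the mapping path" check. PG_slab, PAGE_MAPPING_ANON, the mapping-word overlay and the scenario values are assumptions of the model.

```c
/* Constructed userspace model of the page_table_check counters quoted
 * above, plus a flag for the "slab pages are never mapped to userspace"
 * check; not kernel code. PG_slab, PAGE_MAPPING_ANON and clear() mirroring
 * set() are assumptions of the model. */
#include <stdbool.h>
#define PG_slab           (1UL << 0)
#define PAGE_MAPPING_ANON 1UL
#define NPAGES            4

struct page { unsigned long flags; unsigned long mapping; }; /* slab reuses mapping */
struct ptc  { int anon_map_count; int file_map_count; };
static struct page pages[NPAGES];
static struct ptc  ptc[NPAGES];

static bool PageSlab(const struct page *p) { return p->flags & PG_slab; }
static bool PageAnon(const struct page *p) { return p->mapping & PAGE_MAPPING_ANON; }

/* delta = +1 for set, -1 for clear. Returns 1 where a BUG_ON would fire.
 * reject_slab models the check Wilcox asks for: a slab page here is fatal. */
static int ptc_update(unsigned long pfn, int delta, bool rw, bool reject_slab)
{
	const struct page *page = &pages[pfn];
	struct ptc *c = &ptc[pfn];
	if (reject_slab && PageSlab(page))
		return 1;
	if (PageAnon(page)) {                 /* reads a bit slab may have overwritten */
		if (c->file_map_count) return 1;
		c->anon_map_count += delta;
		return c->anon_map_count < 0 || (c->anon_map_count > 1 && rw);
	}
	if (c->anon_map_count) return 1;
	c->file_map_count += delta;
	return c->file_map_count < 0;
}

/* Scenario: a slab page gets mapped while the slab-owned word happens to
 * have the low bit set, and slab rewrites that word before the unmap.
 * 0 = no check fired, 1 = caught at map time, 2 = confused at unmap. */
static int run_scenario(bool reject_slab)
{
	unsigned long pfn = 2;
	pages[pfn] = (struct page){ .flags = PG_slab, .mapping = 0x3 };
	ptc[pfn] = (struct ptc){ 0, 0 };
	if (ptc_update(pfn, +1, false, reject_slab))
		return 1;
	pages[pfn].mapping = 0x2;               /* slab-internal state changes */
	return ptc_update(pfn, -1, false, reject_slab) ? 2 : 0;
}
```

With the plain PageAnon() check the counters go out of step and the failure surfaces only at unmap time, far from the mistake; the slab check fires at the map attempt itself.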