Recently, syzbot reported [1] ("kernel BUG in page_table_check_clear").
The root cause is that usbdev_mmap calls remap_pfn_range on kmalloc'ed
memory, which leads to type confusion between struct page and slab in
page_table_check. This series of patches fixes the usb side by avoiding
mapping slab pages into userspace, and fixes the mm side by enforcing
that all user-accessible pages are not slab pages. A more detailed
analysis and some discussion of how to fix the problem can also be found
in [1].

[1] https://lore.kernel.org/lkml/20230507135844.1231056-1-lrh2000@xxxxxxxxxx/T/

Changes since v1:
 * Fix inconsistent coding styles. (Alan Stern)
 * Relax !DEVMEM requirements to EXCLUSIVE_SYSTEM_RAM, which is
   equivalent to !DEVMEM || STRICT_DEVMEM. (David Hildenbrand)
 * A few random tweaks in commit messages and code comments, none of
   them major.

Link to v1: https://lore.kernel.org/lkml/20230510085527.57953-1-lrh2000@xxxxxxxxxx/T/

Cc: Matthew Wilcox <willy@xxxxxxxxxxxxx>
Cc: David Hildenbrand <david@xxxxxxxxxx>
Cc: Pasha Tatashin <pasha.tatashin@xxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Cc: Christoph Hellwig <hch@xxxxxxxxxxxxx>
Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

Ruihan Li (4):
  usb: usbfs: Enforce page requirements for mmap
  usb: usbfs: Use consistent mmap functions
  mm: page_table_check: Make it dependent on EXCLUSIVE_SYSTEM_RAM
  mm: page_table_check: Ensure user pages are not slab pages

 Documentation/mm/page_table_check.rst | 18 ++++++++++++
 drivers/usb/core/buffer.c             | 41 +++++++++++++++++++++++++++
 drivers/usb/core/devio.c              | 20 +++++++++----
 include/linux/page-flags.h            |  6 ++++
 include/linux/usb/hcd.h               |  5 ++++
 mm/Kconfig.debug                      |  2 +-
 mm/page_table_check.c                 |  6 ++++
 7 files changed, 91 insertions(+), 7 deletions(-)

-- 
2.40.1