From: David Rientjes <rientjes@google.com>
To: Jann Horn <jannh@google.com>
Cc: Christoph Lameter <cl@linux.com>,
	Pekka Enberg <penberg@kernel.org>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linux-MM <linux-mm@kvack.org>,
	kernel list <linux-kernel@vger.kernel.org>,
	Kees Cook <keescook@chromium.org>,
	Matthew Garrett <mjg59@google.com>
Subject: Re: SLUB: sysfs lets root force slab order below required minimum, causing memory corruption
Date: Tue, 3 Mar 2020 17:26:14 -0800 (PST)
Message-ID: <alpine.DEB.2.21.2003031724400.77561@chino.kir.corp.google.com>
In-Reply-To: <CAG48ez31PP--h6_FzVyfJ4H86QYczAFPdxtJHUEEan+7VJETAQ@mail.gmail.com>

On Wed, 4 Mar 2020, Jann Horn wrote:

> Hi!
> 
> FYI, I noticed that if you do something like the following as root,
> the system blows up pretty quickly with error messages about stuff
> like corrupt freelist pointers because SLUB actually allows root to
> force a page order that is smaller than what is required to store a
> single object:
> 
>     echo 0 > /sys/kernel/slab/task_struct/order
> 
> The other SLUB debugging options, like red_zone, also look kind of
> suspicious with regards to races (either racing with other writes to
> the SLUB debugging options, or with object allocations).
> 

Thanks for the report, Jann.  To address the most immediate issue, 
allowing a smaller order than allowed, I think we'd need something like 
this.

I can propose it as a formal patch if nobody has any alternate 
suggestions?
---
 mm/slub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/slub.c b/mm/slub.c
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3598,7 +3598,7 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 	 */
 	size = ALIGN(size, s->align);
 	s->size = size;
-	if (forced_order >= 0)
+	if (forced_order >= slab_order(size, 1, MAX_ORDER, 1))
 		order = forced_order;
 	else
 		order = calculate_order(size);
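
Review bot: In the changed `if` in calculate_sizes(), a forced_order that is non-negative but below `slab_order(size, 1, MAX_ORDER, 1)` now silently takes the `else` branch and gets `calculate_order(size)`, the same path the old `forced_order >= 0` test reserved for the negative "no forced order" case, so whoever requested the too-small order gets no indication that it was ignored. Consider reporting an error back to the caller for that case instead of substituting the computed order. It would also help to hold the `slab_order(size, 1, MAX_ORDER, 1)` result in a named local with a short comment saying it is the minimum order able to hold a single object (the condition the report describes), since the bare `1, MAX_ORDER, 1` arguments do not explain that on their own.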
