From: Jann Horn
Date: Wed, 4 Mar 2020 01:23:17 +0100
Subject: SLUB: sysfs lets root force slab order below required minimum, causing memory corruption
To: Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton
Cc: Linux-MM, kernel list, Kees Cook, Matthew Garrett

Hi!

FYI, I noticed that if you do something like the following as root, the system blows up pretty quickly with error messages about stuff like corrupt freelist pointers because SLUB actually allows root to force a page order that is smaller than what is required to store a single object:

    echo 0 > /sys/kernel/slab/task_struct/order

The other SLUB debugging options, like red_zone, also look kind of suspicious with regards to races (either racing with other writes to the SLUB debugging options, or with object allocations).
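Added example, not part of the original message and not kernel code: a user-space C model of the bounds check the report says is missing, rejecting a requested slab order whose slab could not hold one object. The names `cache_model`, `min_order_for`, `order_store_checked`, the 4 KiB page size, the maximum order of 3 and the 9000-byte object size are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096UL  /* assumption: 4 KiB pages */
#define MODEL_MAX_ORDER 3U      /* assumption: illustrative upper bound */

/* Hypothetical stand-in for a slab cache: object size and current order. */
struct cache_model { size_t size; unsigned int order; };

/* Smallest order whose slab (PAGE_SIZE << order) holds one object.
 * Returns MODEL_MAX_ORDER + 1 when no permitted order is large enough. */
static unsigned int min_order_for(size_t size)
{
    unsigned int order = 0;
    while (order <= MODEL_MAX_ORDER && (MODEL_PAGE_SIZE << order) < size)
        order++;
    return order;
}

/* Number of whole objects that fit in a slab of the given order. */
static size_t objs_per_slab(unsigned int order, size_t size)
{
    return (MODEL_PAGE_SIZE << order) / size;
}

/* Model of a sysfs "order" write that validates before applying.
 * A rejected request leaves the cache's current order untouched. */
static int order_store_checked(struct cache_model *c, unsigned long requested)
{
    if (c->size == 0 || requested > MODEL_MAX_ORDER)
        return -EINVAL;
    if (requested < min_order_for(c->size))
        return -EINVAL;     /* slab would hold zero objects */
    c->order = (unsigned int)requested;
    return 0;
}

int main(void)
{
    /* Constructed sample: an object larger than two pages. */
    struct cache_model c = { .size = 9000, .order = 2 };

    printf("objects per slab at order 0: %zu\n", objs_per_slab(0, c.size));
    printf("write 0 -> %d, order stays %u\n",
           order_store_checked(&c, 0), c.order);
    printf("write 3 -> %d, order now %u\n",
           order_store_checked(&c, 3), c.order);
    return 0;
}
```
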