Date: Tue, 3 Mar 2020 17:26:14 -0800 (PST)
From: David Rientjes
To: Jann Horn
cc: Christoph Lameter, Pekka Enberg, Joonsoo Kim, Andrew Morton, Linux-MM, kernel list, Kees Cook, Matthew Garrett
Subject: Re: SLUB: sysfs lets root force slab order below required minimum, causing memory corruption

On Wed, 4 Mar 2020, Jann Horn wrote:

> Hi!
>
> FYI, I noticed that if you do something like the following as root,
> the system blows up pretty quickly with error messages about stuff
> like corrupt freelist pointers because SLUB actually allows root to
> force a page order that is smaller than what is required to store a
> single object:
>
>     echo 0 > /sys/kernel/slab/task_struct/order
>
> The other SLUB debugging options, like red_zone, also look kind of
> suspicious with regards to races (either racing with other writes to
> the SLUB debugging options, or with object allocations).
>

Thanks for the report, Jann. To address the most immediate issue, allowing a smaller order than allowed, I think we'd need something like this.

I can propose it as a formal patch if nobody has any alternate suggestions?

--- mm/slub.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/slub.c b/mm/slub.c --- a/mm/slub.c +++ b/mm/slub.c @@ -3598,7 +3598,7 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) */ size = ALIGN(size, s->align); s->size = size; - if (forced_order >= 0) + if (forced_order >= slab_order(size, 1, MAX_ORDER, 1)) order = forced_order; else order = calculate_order(size);
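
Review bot: the new condition `if (forced_order >= slab_order(size, 1, MAX_ORDER, 1))` drops the explicit `forced_order >= 0` test, and `forced_order` is a signed `int` per the `calculate_sizes()` signature in the hunk header. The old test implies that a negative value means "no order forced"; if `slab_order()` returns an unsigned type, the comparison converts that negative value to a large unsigned number and takes the `order = forced_order` branch, so please keep `forced_order >= 0 &&` in front of the minimum check or compare against a signed local. Separately, a forced order below the minimum now falls through to `order = calculate_order(size)` without any indication to the caller, so a write of a too-small order appears to succeed while a different order is applied; consider reporting an error for that case instead of substituting a value silently.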