Subject: Re: SLUB: sysfs lets root force slab order below required minimum, causing memory corruption
To: David Rientjes, Jann Horn
Cc: Christoph Lameter, Pekka Enberg, Joonsoo Kim, Andrew Morton,
 Linux-MM, kernel list, Kees Cook, Matthew Garrett
From: Pekka Enberg
Date: Wed, 4 Mar 2020 16:57:33 +0200

On 3/4/20 3:26 AM, David Rientjes wrote:
> On Wed, 4 Mar 2020, Jann Horn wrote:
>
>> Hi!
>>
>> FYI, I noticed that if you do something like the following as root,
>> the system blows up pretty quickly with error messages about stuff
>> like corrupt freelist pointers because SLUB actually allows root to
>> force a page order that is smaller than what is required to store a
>> single object:
>>
>> echo 0 > /sys/kernel/slab/task_struct/order
>>
>> The other SLUB debugging options, like red_zone, also look kind of
>> suspicious with regards to races (either racing with other writes to
>> the SLUB debugging options, or with object allocations).
>>
>
> Thanks for the report, Jann. To address the most immediate issue,
> allowing a smaller order than allowed, I think we'd need something like
> this.
>
> I can propose it as a formal patch if nobody has any alternate
> suggestions?
> ---
> mm/slub.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slub.c b/mm/slub.c
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -3598,7 +3598,7 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
> */
> size = ALIGN(size, s->align);
> s->size = size;
> - if (forced_order >= 0)
> + if (forced_order >= slab_order(size, 1, MAX_ORDER, 1))
> order = forced_order;
> else
> order = calculate_order(size);
>

Reviewed-by: Pekka Enberg
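
Review bot: The new condition `if (forced_order >= slab_order(size, 1, MAX_ORDER, 1))` drops the explicit sign check that the removed `forced_order >= 0` provided. `forced_order` is an `int` per the `calculate_sizes()` signature in the hunk header, and the old test shows that negative values mean "no forced order". If `slab_order()` returns an unsigned type, a negative `forced_order` is converted to a large unsigned value, the comparison passes, and `order = forced_order` assigns the negative value. Suggest keeping the sign check, e.g. `if (forced_order >= 0 && forced_order >= (int)slab_order(size, 1, MAX_ORDER, 1))`. Separately, a forced order below the minimum now falls through to `order = calculate_order(size)` with no indication, so the sysfs write from the report would appear to succeed while being ignored; rejecting it with an error in the writer would be clearer. The bare `1, MAX_ORDER, 1` arguments also deserve a short comment saying what they select.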