From: Jann Horn
Date: Wed, 4 Mar 2020 01:23:17 +0100
Subject: SLUB: sysfs lets root force slab order below required minimum, causing memory corruption
To: Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton
Cc: Linux-MM, kernel list, Kees Cook, Matthew Garrett
X-Mailing-List: linux-kernel@vger.kernel.org

Hi!

FYI, I noticed that if you do something like the following as root, the system blows up pretty quickly with error messages about stuff like corrupt freelist pointers because SLUB actually allows root to force a page order that is smaller than what is required to store a single object:

    echo 0 > /sys/kernel/slab/task_struct/order

The other SLUB debugging options, like red_zone, also look kind of suspicious with regards to races (either racing with other writes to the SLUB debugging options, or with object allocations).
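The condition described in the message above can be audited from userspace; the following is an added example, not part of the original email or of the kernel source. It assumes the SLUB sysfs attributes `order` and `slab_size` are present for each cache and that a slab spans `PAGE_SIZE << order` bytes; the function name `audit_slab_orders` and its two optional arguments are hypothetical.

```sh
#!/bin/sh
# Added example: flag SLUB caches whose configured page order is too small
# to hold even one object (slab_size > PAGE_SIZE << order).
#
# Usage (as root, since the sysfs files are root-readable):
#   audit_slab_orders                      # audits /sys/kernel/slab
#   audit_slab_orders /path/to/copy 4096   # audits a saved copy offline
#
# Prints one "UNSAFE" line per offending cache; returns 1 if any were found.
audit_slab_orders() {
    slab_dir=${1:-/sys/kernel/slab}
    page_size=${2:-$(getconf PAGESIZE)}
    bad=0

    for cache in "$slab_dir"/*; do
        # Skip entries without the attributes we need (or unreadable ones).
        [ -r "$cache/order" ] && [ -r "$cache/slab_size" ] || continue

        order=$(cat "$cache/order")
        slab_size=$(cat "$cache/slab_size")

        # Smallest order whose slab can store a single object of slab_size.
        min_order=0
        while [ $(( $page_size << $min_order )) -lt "$slab_size" ]; do
            min_order=$(( $min_order + 1 ))
        done

        if [ "$order" -lt "$min_order" ]; then
            echo "UNSAFE ${cache##*/}: order=$order slab_size=$slab_size min_order=$min_order"
            bad=$(( $bad + 1 ))
        fi
    done

    [ "$bad" -eq 0 ]
}
```

Entries under `/sys/kernel/slab` can be symlinks to merged caches, so the same underlying cache may be reported under more than one name.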