Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp3994261ybf;
        Tue, 3 Mar 2020 17:28:02 -0800 (PST)
X-Google-Smtp-Source: ADFU+vv6LkoX9LxnVKznODy8QUwOXyU+k/Mj3ItqiOq6N/k1GShBE3UegIqN7mFN+SCmRsOk47pZ
X-Received: by 2002:aca:170f:: with SMTP id j15mr214305oii.95.1583285282496;
        Tue, 03 Mar 2020 17:28:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1583285282; cv=none;
        d=google.com; s=arc-20160816;
        b=k00QXntQWCniY2Bd81D/QrgDmvvmUu/NnqaEPB+ZXKIfL7QgnfIf8jgU5fasToBC2R
         3/0DRW8AVx8NsgAIW/xV0Gd78WL6Xxy1Mli168BP5pnniEXHQ0QipgdHmyexzqqqg7wF
         kRh2r/NI9H2SiTFksxnJWhkezfLEIKBLCECk1g8e7h2I689pHIIHEZYdWnxnG+IipF8d
         jODdIbn5ceuMn3XDKKtgR/RPdUThlbxH0TthwUX32XR7nO7/P12XHl8r8/Fvh+vYsZaP
         V4yfveZAgHycgLqzOMIWa+DxJI2N+gw+QRY53JE7UEDshlnsk0SaoxDgd2GjbG9DxR+e
         iOyQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date:dkim-signature;
        bh=gTBAmyoSju6V+iCObTAIv0pg/QQBxsssI2exHJW7aHo=;
        b=ytCx/L1ptxAykNpap4GPbL20oE8IMdoOBYdEPgv1pcPQ1q0bWyn311Vv2+dP6r5LHo
         2JDQaZwrDXVEer0p+BgSEktLF+oW7W+g6QUkWxNTuPWjdnAMeBHp/CILDJF6bD7Bzc2y
         5+suPpJQzZB779pvhlqBuugtJVADiwlGyQqcuc1IsYpEjCI0mErRF7Vxzc44homxSgbQ
         iFus64TSzTxZ3ZjUkLqhW1BU+n5i/Yae4rrf9+G/68YE/N9b3pcT6JpQNJx5ntFn7AzT
         qn6gHSCWFIPLiL/YEvmXonKxOo4uZMSqWvtRbj557M/SFlCsW3nuJiQuozmt6Jo8gBeq
         3qlQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=Km+SgZv6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u12si281723oiv.13.2020.03.03.17.27.51;
        Tue, 03 Mar 2020 17:28:02 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=Km+SgZv6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2387454AbgCDB0R (ORCPT <rfc822;epontan@gmail.com> + 99 others);
        Tue, 3 Mar 2020 20:26:17 -0500
Received: from mail-pj1-f65.google.com ([209.85.216.65]:38424 "EHLO
        mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728079AbgCDB0R (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Mar 2020 20:26:17 -0500
Received: by mail-pj1-f65.google.com with SMTP id a16so150020pju.3
        for <linux-kernel@vger.kernel.org>; Tue, 03 Mar 2020 17:26:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:from:to:cc:subject:in-reply-to:message-id:references
         :user-agent:mime-version;
        bh=gTBAmyoSju6V+iCObTAIv0pg/QQBxsssI2exHJW7aHo=;
        b=Km+SgZv6vmH4suVHHHRa6p38rIK68C91t5Y9K87WNgkBa2sgd2YuzMg1WCUdGQ+Ojb
         uVG8+WzmuXgmG25CLnimL4va2L6mPgBYqJdbP5Zvpnqyd9uACdDC0uRbgoo4WytiPXsY
         PF9QZOycFnpZ0S12q3ymDLOdYBjv/4On89jB41ZbfouzW/qqffsPfSkvRSLqTnQNp9Y9
         QWPh0KLRcfKRHICHOSCiHOj8ovtejWZMsCfPWGFeeZzZWA/IY/C69gNTC/ubbKY0GCqo
         OLIQdX0iUDeXuJhAXPCzUl1l8XPK56xjF380e0aXLfZLK0lgsTpXh3NS4/9Az9twhK44
         8Tfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id
         :references:user-agent:mime-version;
        bh=gTBAmyoSju6V+iCObTAIv0pg/QQBxsssI2exHJW7aHo=;
        b=DG7xW2taB9/ImGvuMdPeNFfI1i9Hl5G337vvfVusMoihcGJZ7jaagxPJQdnnsMnStK
         wJ1lhG2+UcUt3xcJW+hN667KlKNhJ4WfE31yPB6c0wcuuhdAN5RvqgHGzTkkZ3ohcZXF
         scoLn/MWhQ3hvFL+buGAlgag7S7noRe2iTboBBxdAlqmgxHqgnEkfvwdCEmrdVBJuIpe
         RFCtymlpwN+OOVy4pZG8EAVxmmmmAz58wlaANIv4D+5C2UJoMfvsT928GHpI9+gadzxk
         4Bj/E1ZxnQiOaLcpw/gT7d4rAMrQtnbPJt4kHiw9sAxlQlM4RUkDH2F7rAETOZvQiN4i
         Lymw==
X-Gm-Message-State: ANhLgQ2cuCBJCQ6B28M8YgWB0VoAXzEDfkP5YyvkTBXPCDnXE9K4CH0h
        shiKbMP0KyBbzsyTomxpd7+6CQ==
X-Received: by 2002:a17:90a:bd10:: with SMTP id y16mr413347pjr.138.1583285176369;
        Tue, 03 Mar 2020 17:26:16 -0800 (PST)
Received: from [2620:15c:17:3:3a5:23a7:5e32:4598] ([2620:15c:17:3:3a5:23a7:5e32:4598])
        by smtp.gmail.com with ESMTPSA id 5sm13648268pfw.179.2020.03.03.17.26.15
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 03 Mar 2020 17:26:15 -0800 (PST)
Date:   Tue, 3 Mar 2020 17:26:14 -0800 (PST)
From:   David Rientjes <rientjes@google.com>
X-X-Sender: rientjes@chino.kir.corp.google.com
To:     Jann Horn <jannh@google.com>
cc:     Christoph Lameter <cl@linux.com>,
        Pekka Enberg <penberg@kernel.org>,
        Joonsoo Kim <iamjoonsoo.kim@lge.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Linux-MM <linux-mm@kvack.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        Matthew Garrett <mjg59@google.com>
Subject: Re: SLUB: sysfs lets root force slab order below required minimum,
 causing memory corruption
In-Reply-To: <CAG48ez31PP--h6_FzVyfJ4H86QYczAFPdxtJHUEEan+7VJETAQ@mail.gmail.com>
Message-ID: <alpine.DEB.2.21.2003031724400.77561@chino.kir.corp.google.com>
References: <CAG48ez31PP--h6_FzVyfJ4H86QYczAFPdxtJHUEEan+7VJETAQ@mail.gmail.com>
User-Agent: Alpine 2.21 (DEB 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 4 Mar 2020, Jann Horn wrote:

> Hi!
> 
> FYI, I noticed that if you do something like the following as root,
> the system blows up pretty quickly with error messages about stuff
> like corrupt freelist pointers because SLUB actually allows root to
> force a page order that is smaller than what is required to store a
> single object:
> 
>     echo 0 > /sys/kernel/slab/task_struct/order
> 
> The other SLUB debugging options, like red_zone, also look kind of
> suspicious with regards to races (either racing with other writes to
> the SLUB debugging options, or with object allocations).
> 

Thanks for the report, Jann.  To address the most immediate issue, 
allowing a smaller order than allowed, I think we'd need something like 
this.

I can propose it as a formal patch if nobody has any alternate 
suggestions?
---
 mm/slub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/slub.c b/mm/slub.c
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3598,7 +3598,7 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 	 */
 	size = ALIGN(size, s->align);
 	s->size = size;
-	if (forced_order >= 0)
+	if (forced_order >= slab_order(size, 1, MAX_ORDER, 1))
 		order = forced_order;
 	else
 		order = calculate_order(size);