Subject: Re: SLUB: sysfs lets root force slab order below required minimum, causing memory corruption
From: Vlastimil Babka
To: Jann Horn, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton
Cc: Linux-MM, kernel list, Kees Cook, Matthew Garrett
Date: Wed, 4 Mar 2020 14:17:04 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/4/20 1:23 AM, Jann Horn wrote:
> Hi!
>
> FYI, I noticed that if you do something like the following as root,
> the system blows up pretty quickly with error messages about stuff
> like corrupt freelist pointers because SLUB actually allows root to
> force a page order that is smaller than what is required to store a
> single object:
>
>     echo 0 > /sys/kernel/slab/task_struct/order
>
> The other SLUB debugging options, like red_zone, also look kind of
> suspicious with regards to races (either racing with other writes to
> the SLUB debugging options, or with object allocations).

Yeah I also wondered last week that there seems to be no synchronization with
alloc/free activity. Increasing order is AFAICS also dangerous with freelist
randomization:

https://lore.kernel.org/linux-mm/d3acc069-a5c6-f40a-f95c-b546664bc4ee@suse.cz/
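
Added example, not part of the thread and not kernel code: a simplified user-space C model of the lower-bound check the report says is absent, showing that a forced order of 0 leaves a slab with room for zero objects. The page size, maximum order, object size and all function names are assumptions made for illustration.

```c
/* Simplified user-space model; every name and constant here is an assumption. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096UL  /* assumed page size */
#define MODEL_MAX_ORDER 3U      /* assumed upper bound for this model */

struct cache_model {
    size_t size;         /* bytes per object, metadata included */
    unsigned int order;  /* a slab spans MODEL_PAGE_SIZE << order bytes */
};

/* Smallest order whose slab can hold at least one object of this size. */
static unsigned int min_order_for(size_t size)
{
    unsigned int order = 0;
    while ((MODEL_PAGE_SIZE << order) < size)
        order++;
    return order;
}

static size_t objs_per_slab(const struct cache_model *c)
{
    return (MODEL_PAGE_SIZE << c->order) / c->size;
}

/* Behaviour the report describes: any requested order is accepted. */
static int order_store_unchecked(struct cache_model *c, unsigned int order)
{
    c->order = order;
    return 0;
}

/* Hardened variant: refuse an order that cannot hold a single object. */
static int order_store_checked(struct cache_model *c, unsigned int order)
{
    if (order > MODEL_MAX_ORDER || order < min_order_for(c->size))
        return -EINVAL;
    c->order = order;
    return 0;
}

int main(void)
{
    struct cache_model c = { .size = 9000, .order = 2 }; /* constructed object size */
    order_store_unchecked(&c, 0);
    printf("unchecked: order=%u objs_per_slab=%zu\n", c.order, objs_per_slab(&c));
    c.order = 2;
    printf("checked:   rc=%d order=%u\n", order_store_checked(&c, 0), c.order);
    return 0;
}
```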