From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 69EBA3FE660; Thu, 16 Jul 2026 13:49:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784209759; cv=none; b=tRtYdSKXivhosyvHADgeQTkvxekQDRpPrYC6iRfBFshQubWiNKivI6fcNdYybEG9XSPOrTAnzQAPLYO08BKUPLnwP8rbmlYpjp9ZFGinLqfZOgU8qWK3EMfoN0kKqpIOvHCjau2sAdO70DrLOzXw2AwBJni5gQRgV2X+5eyToUk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784209759; c=relaxed/simple; bh=C2vW+CDG0G7+Aqll2AzBFfRceHmkjL98MQjVZJCnNt8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Rb2Ai7varwqv/kYfTjPE2oZSvFc+/6y+T94NWkpEanICQ2v+zjR13Wxr18q8xH0pMmNzP/9mHTsajGZiuhegzBPSchM5RfIu0SDZYrrD9R3Gs21GqhtaSdButCVXUfeRxY2Hn9LN8w4R/ZPoicf1LPFNKg6KI0MB9sZzCVk8cuw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=q3p49ksc; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="q3p49ksc" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 41CB81F000E9; Thu, 16 Jul 2026 13:49:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1784209754; bh=tSrUZYYQc1vzJa3odsfyX/uKq91LSeatZZfUYka0eb0=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=q3p49kscFLZevSQKVA4u1oqH4rasnm2TdneHKBeblrWlfIegK0eH3guWx3Z02wVOe 2IbV9KQJ3a2RlTseVsU+BvQECu8LuSxHu9wvpa/TfM5AvE2H1p+qPMcVFmoQIEzMZP pR1tpkQKMT67wJXWsAMxN/1DLMiwMrkAsI0LzkVY= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, "Harry Yoo (Oracle)" , Hao Li , "Vlastimil Babka (SUSE)" Subject: [PATCH 7.1 262/518] mm/slab: do not limit zeroing to orig_size when only red zoning is enabled Date: Thu, 16 Jul 2026 15:28:50 +0200 Message-ID: <20260716133053.553646440@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260716133047.772246337@linuxfoundation.org> References: <20260716133047.772246337@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 7.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Vlastimil Babka (SUSE) commit 648927ceb84021a25a0fbd5673740956f318d534 upstream. When init (zeroing) on allocation is requested, for kmalloc() we generally have to zero the full object size even if a smaller size is requested, in order to provide krealloc()'s __GFP_ZERO guarantees. But if we track the requested size, krealloc() uses that information to do the right thing, so we can zero only the requested size. With red zoning also enabled, any extra size became part of the red zone, so it must not be zeroed and thus we must zero only the requested size. However the current check is imprecise, and will trigger also when only SLAB_RED_ZONE is enabled without SLAB_STORE_USER (which enables tracking the requested size). This means enabling red zoning alone can compromise krealloc()'s __GFP_ZERO contract. Fix this by using slub_debug_orig_size() instead, which is the exact check for whether the requested size is tracked. We don't need to care if red zoning is also enabled or not. Also update and expand the comment accordingly. Fixes: 9ce67395f5a0 ("mm/slub: only zero requested size of buffer for kzalloc when debug enabled") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260610-slab_alloc_flags-v2-1-7190909db118@kernel.org Reviewed-by: Harry Yoo (Oracle) Reviewed-by: Hao Li Signed-off-by: Vlastimil Babka (SUSE) Signed-off-by: Greg Kroah-Hartman --- mm/slub.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) --- a/mm/slub.c +++ b/mm/slub.c @@ -4537,15 +4537,17 @@ bool slab_post_alloc_hook(struct kmem_ca gfp_t init_flags = flags & gfp_allowed_mask; /* - * For kmalloc object, the allocated memory size(object_size) is likely - * larger than the requested size(orig_size). If redzone check is - * enabled for the extra space, don't zero it, as it will be redzoned - * soon. The redzone operation for this extra space could be seen as a - * replacement of current poisoning under certain debug option, and - * won't break other sanity checks. + * For kmalloc object, the allocated size (object_size) can be larger + * than the requested size (orig_size). We however need to zero the + * whole object_size to handle possible later krealloc() with + *__GFP_ZERO properly. + * + * But if we keep track of the requested size, krealloc() uses that + * information. Additionally if red zoning is enabled, the extra space + * is also red zone, so we should not overwrite it. So limit zeroing to + * orig_size if we track it. */ - if (kmem_cache_debug_flags(s, SLAB_STORE_USER | SLAB_RED_ZONE) && - (s->flags & SLAB_KMALLOC)) + if (slub_debug_orig_size(s)) zero_size = orig_size; /*