* [PATCH v2] mm/slub: preserve original size in _kmalloc_nolock_noprof retry path
@ 2026-06-04 12:27 hu.shengming
2026-06-05 5:59 ` Harry Yoo
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: hu.shengming @ 2026-06-04 12:27 UTC (permalink / raw)
To: vbabka, harry, akpm
Cc: hao.li, cl, rientjes, roman.gushchin, linux-mm, linux-kernel,
zhang.run, cai.qu
From: Shengming Hu <hu.shengming@zte.com.cn>
_kmalloc_nolock_noprof() retries from the next kmalloc bucket when the
initial allocation fails. The retry currently reuses `size` as the
bucket selector and overwrites it with s->object_size + 1.
That value is later passed as the original allocation size to
__slab_alloc_node(), slab_post_alloc_hook() and kasan_kmalloc(). On a
successful retry this makes KASAN/slub-debug observe the retry bucket
selector rather than the caller requested size, potentially widening the
valid kmalloc range and hiding overflows.
Keep the caller requested size separately as orig_size and pass it to
the allocation/debug/KASAN paths. Continue using `size` as the retry cache
selector.
Fixes: af92793e52c3 ("slab: Introduce kmalloc_nolock() and kfree_nolock()")
Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
---
Changes in v2:
- Use an explicit orig_size variable instead of bucket_size, as suggested
by Harry and Vlastimil.
- Link to v1: https://lore.kernel.org/all/20260603211011530GqLSXP_rgcuQdR47IGQLL@zte.com.cn/
---
mm/slub.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/mm/slub.c b/mm/slub.c
index 67abbbf68fc1..7e1a1fe5daaa 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5350,6 +5350,7 @@ EXPORT_SYMBOL(__kmalloc_noprof);
void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, token), gfp_t gfp_flags, int node)
{
gfp_t alloc_gfp = __GFP_NOWARN | __GFP_NOMEMALLOC | gfp_flags;
+ size_t orig_size = size;
struct kmem_cache *s;
bool can_retry = true;
void *ret;
@@ -5398,7 +5399,7 @@ void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, token), gfp_t gfp_flags, in
* kfence_alloc. Hence call __slab_alloc_node() (at most twice)
* and slab_post_alloc_hook() directly.
*/
- ret = __slab_alloc_node(s, alloc_gfp, node, _RET_IP_, size);
+ ret = __slab_alloc_node(s, alloc_gfp, node, _RET_IP_, orig_size);
/*
* It's possible we failed due to trylock as we preempted someone with
@@ -5422,9 +5423,9 @@ void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, token), gfp_t gfp_flags, in
success:
maybe_wipe_obj_freeptr(s, ret);
slab_post_alloc_hook(s, NULL, alloc_gfp, 1, &ret,
- slab_want_init_on_alloc(alloc_gfp, s), size);
+ slab_want_init_on_alloc(alloc_gfp, s), orig_size);
- ret = kasan_kmalloc(s, ret, size, alloc_gfp);
+ ret = kasan_kmalloc(s, ret, orig_size, alloc_gfp);
return ret;
}
EXPORT_SYMBOL_GPL(_kmalloc_nolock_noprof);
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH v2] mm/slub: preserve original size in _kmalloc_nolock_noprof retry path
2026-06-04 12:27 [PATCH v2] mm/slub: preserve original size in _kmalloc_nolock_noprof retry path hu.shengming
@ 2026-06-05 5:59 ` Harry Yoo
2026-06-05 7:27 ` Hao Li
2026-06-05 11:48 ` Vlastimil Babka (SUSE)
2 siblings, 0 replies; 4+ messages in thread
From: Harry Yoo @ 2026-06-05 5:59 UTC (permalink / raw)
To: hu.shengming, vbabka, akpm
Cc: hao.li, cl, rientjes, roman.gushchin, linux-mm, linux-kernel,
zhang.run, cai.qu
[-- Attachment #1.1: Type: text/plain, Size: 1280 bytes --]
On 6/4/26 9:27 PM, hu.shengming@zte.com.cn wrote:
> From: Shengming Hu <hu.shengming@zte.com.cn>
>
> _kmalloc_nolock_noprof() retries from the next kmalloc bucket when the
> initial allocation fails. The retry currently reuses `size` as the
> bucket selector and overwrites it with s->object_size + 1.
>
> That value is later passed as the original allocation size to
> __slab_alloc_node(), slab_post_alloc_hook() and kasan_kmalloc(). On a
> successful retry this makes KASAN/slub-debug observe the retry bucket
> selector rather than the caller requested size, potentially widening the
> valid kmalloc range and hiding overflows.
>
> Keep the caller requested size separately as orig_size and pass it to
> the allocation/debug/KASAN paths. Continue using `size` as the retry cache
> selector.
>
> Fixes: af92793e52c3 ("slab: Introduce kmalloc_nolock() and kfree_nolock()")
> Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
> ---
> Changes in v2:
> - Use an explicit orig_size variable instead of bucket_size, as suggested
> by Harry and Vlastimil.
> - Link to v1: https://lore.kernel.org/all/20260603211011530GqLSXP_rgcuQdR47IGQLL@zte.com.cn/
>
> ---
Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org>
--
Cheers,
Harry / Hyeonggon
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH v2] mm/slub: preserve original size in _kmalloc_nolock_noprof retry path
2026-06-04 12:27 [PATCH v2] mm/slub: preserve original size in _kmalloc_nolock_noprof retry path hu.shengming
2026-06-05 5:59 ` Harry Yoo
@ 2026-06-05 7:27 ` Hao Li
2026-06-05 11:48 ` Vlastimil Babka (SUSE)
2 siblings, 0 replies; 4+ messages in thread
From: Hao Li @ 2026-06-05 7:27 UTC (permalink / raw)
To: hu.shengming
Cc: vbabka, harry, akpm, cl, rientjes, roman.gushchin, linux-mm,
linux-kernel, zhang.run, cai.qu
On Thu, Jun 04, 2026 at 08:27:32PM +0800, hu.shengming@zte.com.cn wrote:
> From: Shengming Hu <hu.shengming@zte.com.cn>
>
> _kmalloc_nolock_noprof() retries from the next kmalloc bucket when the
> initial allocation fails. The retry currently reuses `size` as the
> bucket selector and overwrites it with s->object_size + 1.
>
> That value is later passed as the original allocation size to
> __slab_alloc_node(), slab_post_alloc_hook() and kasan_kmalloc(). On a
> successful retry this makes KASAN/slub-debug observe the retry bucket
> selector rather than the caller requested size, potentially widening the
> valid kmalloc range and hiding overflows.
>
> Keep the caller requested size separately as orig_size and pass it to
> the allocation/debug/KASAN paths. Continue using `size` as the retry cache
> selector.
>
> Fixes: af92793e52c3 ("slab: Introduce kmalloc_nolock() and kfree_nolock()")
> Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
> ---
> Changes in v2:
> - Use an explicit orig_size variable instead of bucket_size, as suggested
> by Harry and Vlastimil.
> - Link to v1: https://lore.kernel.org/all/20260603211011530GqLSXP_rgcuQdR47IGQLL@zte.com.cn/
>
LGTM.
Reviewed-by: Hao Li <hao.li@linux.dev>
--
Thanks,
Hao
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH v2] mm/slub: preserve original size in _kmalloc_nolock_noprof retry path
2026-06-04 12:27 [PATCH v2] mm/slub: preserve original size in _kmalloc_nolock_noprof retry path hu.shengming
2026-06-05 5:59 ` Harry Yoo
2026-06-05 7:27 ` Hao Li
@ 2026-06-05 11:48 ` Vlastimil Babka (SUSE)
2 siblings, 0 replies; 4+ messages in thread
From: Vlastimil Babka (SUSE) @ 2026-06-05 11:48 UTC (permalink / raw)
To: hu.shengming, harry, akpm
Cc: hao.li, cl, rientjes, roman.gushchin, linux-mm, linux-kernel,
zhang.run, cai.qu
On 6/4/26 14:27, hu.shengming@zte.com.cn wrote:
> From: Shengming Hu <hu.shengming@zte.com.cn>
>
> _kmalloc_nolock_noprof() retries from the next kmalloc bucket when the
> initial allocation fails. The retry currently reuses `size` as the
> bucket selector and overwrites it with s->object_size + 1.
>
> That value is later passed as the original allocation size to
> __slab_alloc_node(), slab_post_alloc_hook() and kasan_kmalloc(). On a
> successful retry this makes KASAN/slub-debug observe the retry bucket
> selector rather than the caller requested size, potentially widening the
> valid kmalloc range and hiding overflows.
>
> Keep the caller requested size separately as orig_size and pass it to
> the allocation/debug/KASAN paths. Continue using `size` as the retry cache
> selector.
>
> Fixes: af92793e52c3 ("slab: Introduce kmalloc_nolock() and kfree_nolock()")
> Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
Merged to slab/for-next, thanks!
> ---
> Changes in v2:
> - Use an explicit orig_size variable instead of bucket_size, as suggested
> by Harry and Vlastimil.
> - Link to v1: https://lore.kernel.org/all/20260603211011530GqLSXP_rgcuQdR47IGQLL@zte.com.cn/
>
> ---
> mm/slub.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index 67abbbf68fc1..7e1a1fe5daaa 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -5350,6 +5350,7 @@ EXPORT_SYMBOL(__kmalloc_noprof);
> void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, token), gfp_t gfp_flags, int node)
> {
> gfp_t alloc_gfp = __GFP_NOWARN | __GFP_NOMEMALLOC | gfp_flags;
> + size_t orig_size = size;
> struct kmem_cache *s;
> bool can_retry = true;
> void *ret;
> @@ -5398,7 +5399,7 @@ void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, token), gfp_t gfp_flags, in
> * kfence_alloc. Hence call __slab_alloc_node() (at most twice)
> * and slab_post_alloc_hook() directly.
> */
> - ret = __slab_alloc_node(s, alloc_gfp, node, _RET_IP_, size);
> + ret = __slab_alloc_node(s, alloc_gfp, node, _RET_IP_, orig_size);
>
> /*
> * It's possible we failed due to trylock as we preempted someone with
> @@ -5422,9 +5423,9 @@ void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, token), gfp_t gfp_flags, in
> success:
> maybe_wipe_obj_freeptr(s, ret);
> slab_post_alloc_hook(s, NULL, alloc_gfp, 1, &ret,
> - slab_want_init_on_alloc(alloc_gfp, s), size);
> + slab_want_init_on_alloc(alloc_gfp, s), orig_size);
>
> - ret = kasan_kmalloc(s, ret, size, alloc_gfp);
> + ret = kasan_kmalloc(s, ret, orig_size, alloc_gfp);
> return ret;
> }
> EXPORT_SYMBOL_GPL(_kmalloc_nolock_noprof);
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-06-05 11:48 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-04 12:27 [PATCH v2] mm/slub: preserve original size in _kmalloc_nolock_noprof retry path hu.shengming
2026-06-05 5:59 ` Harry Yoo
2026-06-05 7:27 ` Hao Li
2026-06-05 11:48 ` Vlastimil Babka (SUSE)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox