From: Jann Horn <jannh@google.com>
To: Masahiro Yamada <masahiroy@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nicolas Schier <nicolas.schier@linux.dev>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>,
Alexander Potapenko <glider@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Marco Elver <elver@google.com>,
Christoph Lameter <cl@gentwo.org>,
David Rientjes <rientjes@google.com>,
Vlastimil Babka <vbabka@suse.cz>,
Roman Gushchin <roman.gushchin@linux.dev>,
Harry Yoo <harry.yoo@oracle.com>
Cc: linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
kasan-dev@googlegroups.com, linux-mm@kvack.org,
Jann Horn <jannh@google.com>
Subject: [PATCH early RFC 4/4] mm/slub: Defer KCSAN hook on free to KASAN if available
Date: Mon, 04 Aug 2025 21:17:08 +0200
Message-ID: <20250804-kasan-via-kcsan-v1-4-823a6d5b5f84@google.com>
In-Reply-To: <20250804-kasan-via-kcsan-v1-0-823a6d5b5f84@google.com>
SLUB calls __kcsan_check_access() in slab_free_hook() so that KCSAN has
an opportunity to detect racy use-after-free bugs, for example by
delaying the freeing a bit and watching for any other accesses to the
allocation.
When KASAN and KCSAN are active at the same time, and such a racy
use-after-free occurs that KCSAN can detect, it would be nice to also
get a full KASAN report. To make that possible, move the KCSAN hook
invocation after the point where KASAN has marked the object as freed in
KASAN builds.
Signed-off-by: Jann Horn <jannh@google.com>
---
mm/kasan/common.c | 5 +++++
mm/slub.c | 9 +++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/mm/kasan/common.c b/mm/kasan/common.c
index ed4873e18c75..3492a6db191e 100644
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -263,6 +263,11 @@ bool __kasan_slab_free(struct kmem_cache *cache, void *object, bool init,
poison_slab_object(cache, object, init, still_accessible);
+ if (!still_accessible) {
+ __kcsan_check_access(object, cache->object_size,
+ KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT);
+ }
+
/*
* If the object is put into quarantine, do not let slab put the object
* onto the freelist for now. The object's metadata is kept until the
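Review bot: the new block after poison_slab_object() carries no comment explaining why the KCSAN hook is invoked from KASAN at all, so a reader of common.c alone cannot see that it replaces the call in slab_free_hook() and must stay after the object is poisoned; the rationale only exists on the slub.c side. Suggest a short comment above `if (!still_accessible) {`, e.g. `/* Now that the object is poisoned, let KCSAN widen the race window so a racing access also produces a KASAN report. */`. The hunk also adds no include for the KCSAN checks header; __kcsan_check_access() is a static inline no-op without CONFIG_KCSAN, so the call is safe in non-KCSAN builds, but please confirm the declaration is reachable from mm/kasan/common.c through an existing include or add it explicitly.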
diff --git a/mm/slub.c b/mm/slub.c
index 31e11ef256f9..144399aebdc6 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2311,8 +2311,13 @@ bool slab_free_hook(struct kmem_cache *s, void *x, bool init,
if (!(s->flags & SLAB_DEBUG_OBJECTS))
debug_check_no_obj_freed(x, s->object_size);
- /* Use KCSAN to help debug racy use-after-free. */
- if (!still_accessible)
+ /*
+ * Use KCSAN to help debug racy use-after-free.
+ * If KASAN is also enabled, this is instead done from KASAN when the
+ * object has already been marked as free, so that KCSAN's race-window
+ * widening can trigger a KASAN splat.
+ */
+ if (!IS_ENABLED(CONFIG_KASAN) && !still_accessible)
__kcsan_check_access(x, s->object_size,
KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT);
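Review bot: `!IS_ENABLED(CONFIG_KASAN)` keys on compile-time configuration, but the KASAN free hook can be skipped at runtime (kasan_slab_free() is a no-op when KASAN is disabled at boot in HW_TAGS mode), in which case neither this call nor the one moved into __kasan_slab_free() runs and KCSAN's use-after-free detection is silently lost for that configuration. Suggest gating on the runtime state instead, e.g. `if (!kasan_enabled() && !still_accessible)`, or at least stating in the comment that CONFIG_KASAN=y builds with KASAN disabled at boot give up the KCSAN check. The `!still_accessible` condition is now evaluated in two places; a one-line note in the comment that __kasan_slab_free() must keep applying the same condition would help keep the two sides from drifting apart.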
--
2.50.1.565.gc32cd1483b-goog