From: Suren Baghdasaryan <surenb@google.com>
To: Harry Yoo <harry.yoo@oracle.com>
Cc: akpm@linux-foundation.org, vbabka@suse.cz, andreyknvl@gmail.com,
cl@linux.com, dvyukov@google.com, glider@google.com,
hannes@cmpxchg.org, linux-mm@kvack.org, mhocko@kernel.org,
muchun.song@linux.dev, rientjes@google.com,
roman.gushchin@linux.dev, ryabinin.a.a@gmail.com,
shakeel.butt@linux.dev, vincenzo.frascino@arm.com,
yeoreum.yun@arm.com, tytso@mit.edu, adilger.kernel@dilger.ca,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH V3 5/7] mm/memcontrol,alloc_tag: handle slabobj_ext access under KASAN poison
Date: Tue, 28 Oct 2025 16:03:22 -0700 [thread overview]
Message-ID: <CAJuCfpG=Lb4WhYuPkSpdNO4Ehtjm1YcEEK0OM=3g9i=LxmpHSQ@mail.gmail.com> (raw)
In-Reply-To: <20251027122847.320924-6-harry.yoo@oracle.com>
On Mon, Oct 27, 2025 at 5:29 AM Harry Yoo <harry.yoo@oracle.com> wrote:
>
> In the near future, slabobj_ext may reside outside the allocated slab
> object range within a slab, which could be reported as an out-of-bounds
> access by KASAN. To prevent false positives, explicitly disable KASAN
> and KMSAN checks when accessing slabobj_ext.
Hmm. This is fragile IMO. Every time someone accesses slabobj_ext they
should remember to call
metadata_access_enable/metadata_access_disable.
Have you considered replacing slab_obj_ext() function with
get_slab_obj_ext()/put_slab_obj_ext()? get_slab_obj_ext() can call
metadata_access_enable() and return slabobj_ext as it does today.
put_slab_obj_ext() will simple call metadata_access_disable(). WDYT?
>
> While an alternative approach could be to unpoison slabobj_ext,
> out-of-bounds accesses outside the slab allocator are generally more
> common.
>
> Move metadata_access_enable()/disable() helpers to mm/slab.h so that
> it can be used outside mm/slub.c. Wrap accesses to slabobj_ext metadata
> in memcg and alloc_tag code with these helpers.
>
> Call kasan_reset_tag() in slab_obj_ext() before returning the address to
> prevent SW or HW tag-based KASAN from reporting false positives.
>
> Suggested-by: Andrey Konovalov <andreyknvl@gmail.com>
> Signed-off-by: Harry Yoo <harry.yoo@oracle.com>
> ---
> mm/memcontrol.c | 15 ++++++++++++---
> mm/slab.h | 24 +++++++++++++++++++++++-
> mm/slub.c | 33 +++++++++++++--------------------
> 3 files changed, 48 insertions(+), 24 deletions(-)
>
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index 2a9dc246e802..38e6e9099ff5 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -2570,17 +2570,22 @@ struct mem_cgroup *mem_cgroup_from_obj_folio(struct folio *folio, void *p)
> struct slabobj_ext *obj_ext;
> struct slab *slab;
> unsigned int off;
> + struct mem_cgroup *memcg;
>
> slab = folio_slab(folio);
> obj_exts = slab_obj_exts(slab);
> if (!obj_exts)
> return NULL;
>
> + metadata_access_enable();
> off = obj_to_index(slab->slab_cache, slab, p);
> obj_ext = slab_obj_ext(slab, obj_exts, off);
> - if (obj_ext->objcg)
> - return obj_cgroup_memcg(obj_ext->objcg);
> -
> + if (obj_ext->objcg) {
> + memcg = obj_cgroup_memcg(obj_ext->objcg);
> + metadata_access_disable();
> + return memcg;
> + }
> + metadata_access_disable();
> return NULL;
> }
>
> @@ -3197,9 +3202,11 @@ bool __memcg_slab_post_alloc_hook(struct kmem_cache *s, struct list_lru *lru,
>
> obj_exts = slab_obj_exts(slab);
> off = obj_to_index(s, slab, p[i]);
> + metadata_access_enable();
> obj_ext = slab_obj_ext(slab, obj_exts, off);
> obj_cgroup_get(objcg);
> obj_ext->objcg = objcg;
> + metadata_access_disable();
> }
>
> return true;
> @@ -3210,6 +3217,7 @@ void __memcg_slab_free_hook(struct kmem_cache *s, struct slab *slab,
> {
> size_t obj_size = obj_full_size(s);
>
> + metadata_access_enable();
> for (int i = 0; i < objects; i++) {
> struct obj_cgroup *objcg;
> struct slabobj_ext *obj_ext;
> @@ -3226,6 +3234,7 @@ void __memcg_slab_free_hook(struct kmem_cache *s, struct slab *slab,
> slab_pgdat(slab), cache_vmstat_idx(s));
> obj_cgroup_put(objcg);
> }
> + metadata_access_disable();
> }
>
> /*
> diff --git a/mm/slab.h b/mm/slab.h
> index 22ee28cb55e1..13f4ca65cb42 100644
> --- a/mm/slab.h
> +++ b/mm/slab.h
> @@ -591,10 +591,14 @@ static inline struct slabobj_ext *slab_obj_ext(struct slab *slab,
> unsigned long obj_exts,
> unsigned int index)
> {
> + struct slabobj_ext *obj_ext;
> +
> VM_WARN_ON_ONCE(!slab_obj_exts(slab));
> VM_WARN_ON_ONCE(obj_exts != slab_obj_exts(slab));
>
> - return (struct slabobj_ext *)(obj_exts + slab_get_stride(slab) * index);
> + obj_ext = (struct slabobj_ext *)(obj_exts +
> + slab_get_stride(slab) * index);
> + return kasan_reset_tag(obj_ext);
> }
>
> int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s,
> @@ -625,6 +629,24 @@ static inline enum node_stat_item cache_vmstat_idx(struct kmem_cache *s)
> NR_SLAB_RECLAIMABLE_B : NR_SLAB_UNRECLAIMABLE_B;
> }
>
> +/*
> + * slub is about to manipulate internal object metadata. This memory lies
> + * outside the range of the allocated object, so accessing it would normally
> + * be reported by kasan as a bounds error. metadata_access_enable() is used
> + * to tell kasan that these accesses are OK.
> + */
> +static inline void metadata_access_enable(void)
> +{
> + kasan_disable_current();
> + kmsan_disable_current();
> +}
> +
> +static inline void metadata_access_disable(void)
> +{
> + kmsan_enable_current();
> + kasan_enable_current();
> +}
> +
> #ifdef CONFIG_MEMCG
> bool __memcg_slab_post_alloc_hook(struct kmem_cache *s, struct list_lru *lru,
> gfp_t flags, size_t size, void **p);
> diff --git a/mm/slub.c b/mm/slub.c
> index 4383740a4d34..13acc9437ef5 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -973,24 +973,6 @@ static slab_flags_t slub_debug;
> static char *slub_debug_string;
> static int disable_higher_order_debug;
>
> -/*
> - * slub is about to manipulate internal object metadata. This memory lies
> - * outside the range of the allocated object, so accessing it would normally
> - * be reported by kasan as a bounds error. metadata_access_enable() is used
> - * to tell kasan that these accesses are OK.
> - */
> -static inline void metadata_access_enable(void)
> -{
> - kasan_disable_current();
> - kmsan_disable_current();
> -}
> -
> -static inline void metadata_access_disable(void)
> -{
> - kmsan_enable_current();
> - kasan_enable_current();
> -}
> -
> /*
> * Object debugging
> */
> @@ -2042,9 +2024,11 @@ static inline void mark_objexts_empty(struct slabobj_ext *obj_exts)
> struct slabobj_ext *ext = slab_obj_ext(obj_exts_slab,
> slab_exts, offs);
>
> + metadata_access_enable();
> /* codetag should be NULL */
> WARN_ON(ext->ref.ct);
> set_codetag_empty(&ext->ref);
> + metadata_access_disable();
> }
> }
>
> @@ -2245,8 +2229,11 @@ __alloc_tagging_slab_alloc_hook(struct kmem_cache *s, void *object, gfp_t flags)
> * If other users appear then mem_alloc_profiling_enabled()
> * check should be added before alloc_tag_add().
> */
> - if (likely(obj_ext))
> + if (likely(obj_ext)) {
> + metadata_access_enable();
> alloc_tag_add(&obj_ext->ref, current->alloc_tag, s->size);
> + metadata_access_disable();
> + }
> }
>
> static inline void
> @@ -2272,11 +2259,13 @@ __alloc_tagging_slab_free_hook(struct kmem_cache *s, struct slab *slab, void **p
> if (!obj_exts)
> return;
>
> + metadata_access_enable();
> for (i = 0; i < objects; i++) {
> unsigned int off = obj_to_index(s, slab, p[i]);
>
> alloc_tag_sub(&slab_obj_ext(slab, obj_exts, off)->ref, s->size);
> }
> + metadata_access_disable();
> }
>
> static inline void
> @@ -2394,8 +2383,12 @@ bool memcg_slab_post_charge(void *p, gfp_t flags)
> if (obj_exts) {
> off = obj_to_index(s, slab, p);
> obj_ext = slab_obj_ext(slab, obj_exts, off);
> - if (unlikely(obj_ext->objcg))
> + metadata_access_enable();
> + if (unlikely(obj_ext->objcg)) {
> + metadata_access_disable();
> return true;
> + }
> + metadata_access_disable();
> }
>
> return __memcg_slab_post_alloc_hook(s, NULL, flags, 1, &p);
> --
> 2.43.0
>
next prev parent reply other threads:[~2025-10-28 23:03 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 12:28 [RFC PATCH V3 0/7] mm/slab: reduce slab accounting memory overhead by allocating slabobj_ext metadata within unused slab space Harry Yoo
2025-10-27 12:28 ` [RFC PATCH V3 1/7] mm/slab: allow specifying freepointer offset when using constructor Harry Yoo
2025-10-28 17:43 ` Suren Baghdasaryan
2025-10-29 7:10 ` Harry Yoo
2025-10-30 14:35 ` Vlastimil Babka
2025-10-27 12:28 ` [RFC PATCH V3 2/7] ext4: specify the free pointer offset for ext4_inode_cache Harry Yoo
2025-10-28 17:22 ` Suren Baghdasaryan
2025-10-28 17:25 ` Suren Baghdasaryan
2025-10-27 12:28 ` [RFC PATCH V3 3/7] mm/slab: abstract slabobj_ext access via new slab_obj_ext() helper Harry Yoo
2025-10-28 17:55 ` Suren Baghdasaryan
2025-10-29 8:49 ` Harry Yoo
2025-10-29 15:24 ` Suren Baghdasaryan
2025-10-30 1:26 ` Harry Yoo
2025-10-30 5:03 ` Suren Baghdasaryan
2025-10-27 12:28 ` [RFC PATCH V3 4/7] mm/slab: use stride to access slabobj_ext Harry Yoo
2025-10-28 20:10 ` Suren Baghdasaryan
2025-10-27 12:28 ` [RFC PATCH V3 5/7] mm/memcontrol,alloc_tag: handle slabobj_ext access under KASAN poison Harry Yoo
2025-10-28 23:03 ` Suren Baghdasaryan [this message]
2025-10-29 8:06 ` Harry Yoo
2025-10-29 15:28 ` Suren Baghdasaryan
2025-10-27 12:28 ` [RFC PATCH V3 6/7] mm/slab: save memory by allocating slabobj_ext array from leftover Harry Yoo
2025-10-29 3:07 ` Suren Baghdasaryan
2025-10-29 7:59 ` Harry Yoo
2025-10-29 18:37 ` Suren Baghdasaryan
2025-10-30 0:40 ` Harry Yoo
2025-10-30 16:33 ` Vlastimil Babka
2025-10-29 18:45 ` Andrey Ryabinin
2025-10-30 1:11 ` Harry Yoo
2025-10-27 12:28 ` [RFC PATCH V3 7/7] mm/slab: place slabobj_ext metadata in unused space within s->size Harry Yoo
2025-10-29 3:19 ` Suren Baghdasaryan
2025-10-29 18:19 ` Andrey Ryabinin
2025-10-30 0:51 ` Harry Yoo
2025-10-30 12:41 ` Yeoreum Yun
2025-10-30 16:39 ` [RFC PATCH V3 0/7] mm/slab: reduce slab accounting memory overhead by allocating slabobj_ext metadata within unused slab space Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJuCfpG=Lb4WhYuPkSpdNO4Ehtjm1YcEEK0OM=3g9i=LxmpHSQ@mail.gmail.com' \
--to=surenb@google.com \
--cc=adilger.kernel@dilger.ca \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=cl@linux.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=hannes@cmpxchg.org \
--cc=harry.yoo@oracle.com \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=muchun.song@linux.dev \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=ryabinin.a.a@gmail.com \
--cc=shakeel.butt@linux.dev \
--cc=tytso@mit.edu \
--cc=vbabka@suse.cz \
--cc=vincenzo.frascino@arm.com \
--cc=yeoreum.yun@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox