From: Marco Elver <elver@google.com>
To: "Harry Yoo (Oracle)" <harry@kernel.org>
Cc: Vlastimil Babka <vbabka@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Hao Li <hao.li@linux.dev>, Christoph Lameter <cl@gentwo.org>,
David Rientjes <rientjes@google.com>,
Roman Gushchin <roman.gushchin@linux.dev>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
kasan-dev@googlegroups.com, stable@vger.kernel.org,
Vitaly Wool <vitaly.wool@konsulko.se>,
Uladzislau Rezki <urezki@gmail.com>,
Danilo Krummrich <dakr@kernel.org>,
Lorenzo Stoakes <ljs@kernel.org>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Alice Ryhl <aliceryhl@google.com>,
rust-for-linux@vger.kernel.org
Subject: Re: [PATCH] slub: fix data loss and overflow in krealloc()
Date: Fri, 17 Apr 2026 11:05:09 +0200 [thread overview]
Message-ID: <CANpmjNPMxDkzvVnD9pXy1YBTO4n-abQZ+if6XdDj-u4dnfks5A@mail.gmail.com> (raw)
In-Reply-To: <aeG6RG41sgZuerYa@hyeyoo>
On Fri, 17 Apr 2026 at 06:42, Harry Yoo (Oracle) <harry@kernel.org> wrote:
>
> [+Cc relevant folks]
>
> On Thu, Apr 16, 2026 at 03:25:07PM +0200, Marco Elver wrote:
> > Commit 2cd8231796b5 ("mm/slub: allow to set node and align in
> > k[v]realloc") introduced the ability to force a reallocation if the
> > original object does not satisfy new alignment or NUMA node, even when
> > the object is being shrunk.
> >
> > This introduced two bugs in the reallocation fallback path:
> >
> > 1. Data loss during NUMA migration: The jump to 'alloc_new' happens
> > before 'ks' and 'orig_size' are initialized. As a result, the
> > memcpy() in the 'alloc_new' block would copy 0 bytes into the new
> > allocation.
>
> Ouch.
>
> > 2. Buffer overflow during shrinking: When shrinking an object while
> > forcing a new alignment, 'new_size' is smaller than the old size.
> > However, the memcpy() used the old size ('orig_size ?: ks'), leading
> > to an out-of-bounds write.
>
> Right. before the commit we didn't reallocate when the size is smaller.
>
> > The same overflow bug exists in the kvrealloc() fallback path, where the
> > old bucket size ksize(p) is copied into the new buffer without being
> > bounded by the new size.
> >
> > A simple reproducer:
> >
> > // e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW
> > while (1) {
> > void *p = kmalloc(128, GFP_KERNEL);
> > p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE);
> > kfree(p);
> > }
> >
> > demonstrates the issue:
> >
> > ==================================================================
> > BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130
> >
> > Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47):
> > memcpy_orig+0x68/0x130
> > krealloc_node_align_noprof+0x1c8/0x340
> > lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]
> > lkdtm_do_action+0x3a/0x60 [lkdtm]
> > ...
> >
> > kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64
> >
> > allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago):
> > krealloc_node_align_noprof+0x19c/0x340
> > lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]
> > lkdtm_do_action+0x3a/0x60 [lkdtm]
> > ...
> > ==================================================================
> >
> > Fix it by moving the old size calculation to the top of __do_krealloc()
> > and bounding all copy lengths by the new allocation size.
> >
> > Fixes: 2cd8231796b5 ("mm/slub: allow to set node and align in k[v]realloc")
> > Cc: <stable@vger.kernel.org>
> > Reported-by: https://sashiko.dev/#/patchset/20260415143735.2974230-1-elver%40google.com
> > Signed-off-by: Marco Elver <elver@google.com>
> > ---
>
> Looks good to me, but I think we still have a similar issue in
> vrealloc_node_align_noprof()? (goto need_realloc; due to NUMA mismatch
> but the new size is smaller)
Good find.
That's a separate patch, though, since it's in the vmalloc subsystem
(it's also not confidence-inspiring that vrealloc_node_align_noprof
has a bunch of TODOs sprinkled all over...).
Since you found that, do you want to claim it?
Also by the looks of it slub and vmalloc patches go through different
trees these days per MAINTAINERS.
Thanks,
-- Marco
next prev parent reply other threads:[~2026-04-17 9:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-16 13:25 Marco Elver
2026-04-17 4:42 ` Harry Yoo (Oracle)
2026-04-17 9:05 ` Marco Elver [this message]
2026-04-17 9:21 ` Harry Yoo (Oracle)
2026-04-17 9:11 ` Vlastimil Babka (SUSE)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANpmjNPMxDkzvVnD9pXy1YBTO4n-abQZ+if6XdDj-u4dnfks5A@mail.gmail.com \
--to=elver@google.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=aliceryhl@google.com \
--cc=cl@gentwo.org \
--cc=dakr@kernel.org \
--cc=hao.li@linux.dev \
--cc=harry@kernel.org \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=ljs@kernel.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=rust-for-linux@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=urezki@gmail.com \
--cc=vbabka@kernel.org \
--cc=vitaly.wool@konsulko.se \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox