From: Juntong Deng <juntong.deng@outlook.com>
To: ryabinin.a.a@gmail.com, glider@google.com, andreyknvl@gmail.com,
dvyukov@google.com, vincenzo.frascino@arm.com,
akpm@linux-foundation.org
Cc: kasan-dev@googlegroups.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH v3] kasan: Improve free meta storage in Generic KASAN
Date: Thu, 23 Nov 2023 18:43:35 +0800
Message-ID: <VI1P193MB0752282E559B37F12EB7982599B9A@VI1P193MB0752.EURP193.PROD.OUTLOOK.COM>
In-Reply-To: <VI1P193MB0752675D6E0A2D16CE656F8299BAA@VI1P193MB0752.EURP193.PROD.OUTLOOK.COM>
On 2023/11/23 2:46, Juntong Deng wrote:
> Currently free meta can only be stored in object if the object is
> not smaller than free meta.
>
> After the improvement, when the object is smaller than free meta and
> SLUB DEBUG is not enabled, it is possible to store part of the free
> meta in the object, reducing the increased size of the red zone.
>
> Example:
>
> free meta size: 16 bytes
> alloc meta size: 16 bytes
> object size: 8 bytes
> optimal redzone size (object_size <= 64): 16 bytes
>
> Before improvement:
> actual redzone size = alloc meta size + free meta size = 32 bytes
>
> After improvement:
> actual redzone size = alloc meta size + (free meta size - object size)
> = 24 bytes
>
> Suggested-by: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
> ---
> V2 -> V3: When SLUB DEBUG is enabled, the previous free meta
> storage method continues to be used. Cancel the change to
> kasan_metadata_size().
>
> V1 -> V2: Make kasan_metadata_size() adapt to the improved
> free meta storage
>
> mm/kasan/generic.c | 39 +++++++++++++++++++++++++++++----------
> 1 file changed, 29 insertions(+), 10 deletions(-)
>
> diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c
> index 4d837ab83f08..97713251053c 100644
> --- a/mm/kasan/generic.c
> +++ b/mm/kasan/generic.c
> @@ -361,6 +361,8 @@ void kasan_cache_create(struct kmem_cache *cache, unsigned int *size,
> {
> unsigned int ok_size;
> unsigned int optimal_size;
> + unsigned int rem_free_meta_size;
> + unsigned int orig_alloc_meta_offset;
>
> if (!kasan_requires_meta())
> return;
> @@ -394,6 +396,9 @@ void kasan_cache_create(struct kmem_cache *cache, unsigned int *size,
> /* Continue, since free meta might still fit. */
> }
>
> + ok_size = *size;
> + orig_alloc_meta_offset = cache->kasan_info.alloc_meta_offset;
> +
> /*
> * Add free meta into redzone when it's not possible to store
> * it in the object. This is the case when:
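Review bot: `ok_size = *size;` and `orig_alloc_meta_offset = cache->kasan_info.alloc_meta_offset;` are now captured unconditionally before any free-meta placement, which the later rollback needs because the partial-storage path changes both `*size` and `alloc_meta_offset`; a one-line comment stating that these are the values the `KMALLOC_MAX_SIZE` rollback restores would make the bare assignments self-explanatory.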
> @@ -401,23 +406,37 @@ void kasan_cache_create(struct kmem_cache *cache, unsigned int *size,
> * be touched after it was freed, or
> * 2. Object has a constructor, which means it's expected to
> * retain its content until the next allocation, or
> - * 3. Object is too small.
> + * 3. Object is too small and SLUB DEBUG is enabled. Avoid
> + * free meta that exceeds the object size corrupts the
> + * SLUB DEBUG metadata.
> * Otherwise cache->kasan_info.free_meta_offset = 0 is implied.
> + * If the object is smaller than the free meta and SLUB DEBUG
> + * is not enabled, it is still possible to store part of the
> + * free meta in the object.
> */
> - if ((cache->flags & SLAB_TYPESAFE_BY_RCU) || cache->ctor ||
> - cache->object_size < sizeof(struct kasan_free_meta)) {
> - ok_size = *size;
> -
> + if ((cache->flags & SLAB_TYPESAFE_BY_RCU) || cache->ctor) {
> cache->kasan_info.free_meta_offset = *size;
> *size += sizeof(struct kasan_free_meta);
> -
> - /* If free meta doesn't fit, don't add it. */
> - if (*size > KMALLOC_MAX_SIZE) {
> - cache->kasan_info.free_meta_offset = KASAN_NO_FREE_META;
> - *size = ok_size;
> + } else if (cache->object_size < sizeof(struct kasan_free_meta)) {
> + if (__slub_debug_enabled()) {
> + cache->kasan_info.free_meta_offset = *size;
> + *size += sizeof(struct kasan_free_meta);
> + } else {
> + rem_free_meta_size = sizeof(struct kasan_free_meta) -
> + cache->object_size;
> + *size += rem_free_meta_size;
> + if (cache->kasan_info.alloc_meta_offset != 0)
> + cache->kasan_info.alloc_meta_offset += rem_free_meta_size;
> }
> }
>
> + /* If free meta doesn't fit, don't add it. */
> + if (*size > KMALLOC_MAX_SIZE) {
> + cache->kasan_info.free_meta_offset = KASAN_NO_FREE_META;
> + cache->kasan_info.alloc_meta_offset = orig_alloc_meta_offset;
> + *size = ok_size;
> + }
> +
> /* Calculate size with optimal redzone. */
> optimal_size = cache->object_size + optimal_redzone(cache->object_size);
> /* Limit it with KMALLOC_MAX_SIZE (relevant for SLAB only). */
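Review bot: the new comment text for case 3 does not parse ("Avoid free meta that exceeds the object size corrupts the SLUB DEBUG metadata"); suggest "so that free meta that exceeds the object size does not corrupt the SLUB DEBUG metadata". Two further points in this hunk: the trailing `if (*size > KMALLOC_MAX_SIZE)` now runs for every cache, including the case where the free meta fits entirely in the object and `*size` was never grown, so if `*size` could already exceed the limit there it would set `free_meta_offset = KASAN_NO_FREE_META` where the old code left it at 0; either note that this cannot happen or gate the check on the branches that added to `*size`. And the partial-storage branch deserves an explicit comment that `free_meta_offset` stays 0, so the free meta spans the whole object plus the first `rem_free_meta_size` bytes of the redzone, directly ahead of the shifted alloc meta; that layout is only implied by the "free_meta_offset = 0 is implied" sentence above it.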
Can someone help to apply the new version of the patch to linux-next, to replace the buggy version of the patch?
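The redzone arithmetic from the commit message, as an added stand-alone C model that is not kernel code and not part of the patch: it reproduces the "before" placement (free meta always pushed into the redzone when the object cannot hold it whole) next to the "after" placement (free meta kept at offset 0, with only the remainder spilling into the redzone and the alloc meta shifted back by that remainder), including the KMALLOC_MAX_SIZE rollback. The 16-byte meta sizes, the size limit, the NO_FREE_META sentinel and the struct names are constructed assumptions for the example, not values taken from the kernel.

```c
/* Added model of the free-meta placement logic described in the patch.
 * This is not kernel code; the meta sizes, the size limit and the
 * sentinel value below are constructed assumptions for the example. */
#include <stdbool.h>
#include <stdio.h>

#define ALLOC_META_SIZE 16u               /* assumed sizeof(struct kasan_alloc_meta) */
#define FREE_META_SIZE  16u               /* assumed sizeof(struct kasan_free_meta) */
#define MODEL_KMALLOC_MAX_SIZE (1u << 22) /* constructed stand-in for KMALLOC_MAX_SIZE */
#define NO_FREE_META 0xffffffffu          /* constructed stand-in for KASAN_NO_FREE_META */

struct cache_model {
	unsigned int object_size;
	bool typesafe_by_rcu; /* models SLAB_TYPESAFE_BY_RCU */
	bool has_ctor;        /* models cache->ctor != NULL */
	bool slub_debug;      /* models __slub_debug_enabled() */
};

struct layout {
	unsigned int size;              /* object + redzone, like *size in kasan_cache_create() */
	unsigned int alloc_meta_offset; /* 0 means "no alloc meta" */
	unsigned int free_meta_offset;  /* 0 means "at the start of the object" */
};

/* Shared prologue: alloc meta goes right after the object in both versions. */
static struct layout place_alloc_meta(const struct cache_model *c)
{
	struct layout l = { .size = c->object_size, .alloc_meta_offset = 0, .free_meta_offset = 0 };

	l.alloc_meta_offset = l.size;
	l.size += ALLOC_META_SIZE;
	if (l.size > MODEL_KMALLOC_MAX_SIZE) { /* alloc meta does not fit: drop it */
		l.alloc_meta_offset = 0;
		l.size = c->object_size;
	}
	return l;
}

/* Placement before the patch: the free meta is moved to the redzone whenever
 * the object cannot hold it whole (RCU, constructor, or object too small). */
struct layout layout_before(const struct cache_model *c)
{
	struct layout l = place_alloc_meta(c);

	if (c->typesafe_by_rcu || c->has_ctor || c->object_size < FREE_META_SIZE) {
		unsigned int ok_size = l.size;

		l.free_meta_offset = l.size;
		l.size += FREE_META_SIZE;
		if (l.size > MODEL_KMALLOC_MAX_SIZE) {
			l.free_meta_offset = NO_FREE_META;
			l.size = ok_size;
		}
	}
	return l;
}

/* Placement after the patch: a too-small object without SLUB debug keeps the
 * free meta at offset 0; only the part that does not fit is added to the
 * redzone, and the alloc meta is pushed back by that same amount. */
struct layout layout_after(const struct cache_model *c)
{
	struct layout l = place_alloc_meta(c);
	unsigned int ok_size = l.size;
	unsigned int orig_alloc_meta_offset = l.alloc_meta_offset;

	if (c->typesafe_by_rcu || c->has_ctor) {
		l.free_meta_offset = l.size;
		l.size += FREE_META_SIZE;
	} else if (c->object_size < FREE_META_SIZE) {
		if (c->slub_debug) {
			l.free_meta_offset = l.size;
			l.size += FREE_META_SIZE;
		} else {
			unsigned int rem = FREE_META_SIZE - c->object_size;

			l.size += rem;
			if (l.alloc_meta_offset != 0)
				l.alloc_meta_offset += rem;
		}
	}
	if (l.size > MODEL_KMALLOC_MAX_SIZE) { /* rollback to the pre-free-meta state */
		l.free_meta_offset = NO_FREE_META;
		l.alloc_meta_offset = orig_alloc_meta_offset;
		l.size = ok_size;
	}
	return l;
}

/* Redzone bytes added by the meta, before optimal_redzone() is considered. */
unsigned int redzone_bytes(const struct layout *l, const struct cache_model *c)
{
	return l->size - c->object_size;
}

int main(void)
{
	/* The commit message's example: 8-byte object, no RCU, no ctor, no SLUB debug. */
	struct cache_model c = { .object_size = 8, .typesafe_by_rcu = false, .has_ctor = false, .slub_debug = false };
	struct layout b = layout_before(&c), a = layout_after(&c);

	printf("before: redzone %u bytes, alloc meta at %u, free meta at %u\n",
	       redzone_bytes(&b, &c), b.alloc_meta_offset, b.free_meta_offset);
	printf("after:  redzone %u bytes, alloc meta at %u, free meta at %u\n",
	       redzone_bytes(&a, &c), a.alloc_meta_offset, a.free_meta_offset);
	return 0;
}
```

For the 8-byte object the model gives 32 redzone bytes before and 24 after, matching the commit message; with `slub_debug` set, or with a constructor, the "after" layout falls back to the old 32 bytes, which is the V3 change described in the changelog.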
Thread overview:
2023-11-22 18:46 Juntong Deng
2023-11-23 10:43 ` Juntong Deng [this message]
2023-11-23 16:04 ` Andrey Konovalov