[RFC 4/7] mm/kasan, mm/vmalloc: Respect GFP flags in kasan_populate_vmalloc()

Uladzislau Rezki (Sony) posted 7 patches 3 months ago
[RFC 4/7] mm/kasan, mm/vmalloc: Respect GFP flags in kasan_populate_vmalloc()
Posted by Uladzislau Rezki (Sony) 3 months ago
The function kasan_populate_vmalloc() internally allocates a page using
a hardcoded GFP_KERNEL flag. This is not safe in contexts where non-blocking
allocation flags are required, such as GFP_ATOMIC or GFP_NOWAIT, for example
during atomic vmalloc paths.

This patch modifies kasan_populate_vmalloc() and its helpers to accept a
gfp_mask argument and use it for the page allocation. This allows the caller to
specify the correct allocation context.

Also, when non-blocking flags are used, memalloc_noreclaim_save/restore()
is used around apply_to_page_range() to suppress potential reclaim behavior
that may otherwise violate atomic constraints.

Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
---
 include/linux/kasan.h |  6 +++---
 mm/kasan/shadow.c     | 22 +++++++++++++++-------
 mm/vmalloc.c          |  4 ++--
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/include/linux/kasan.h b/include/linux/kasan.h
index 890011071f2b..fe5ce9215821 100644
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
@@ -562,7 +562,7 @@ static inline void kasan_init_hw_tags(void) { }
 #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
 
 void kasan_populate_early_vm_area_shadow(void *start, unsigned long size);
-int kasan_populate_vmalloc(unsigned long addr, unsigned long size);
+int kasan_populate_vmalloc(unsigned long addr, unsigned long size, gfp_t gfp_mask);
 void kasan_release_vmalloc(unsigned long start, unsigned long end,
 			   unsigned long free_region_start,
 			   unsigned long free_region_end,
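Review bot: The new gfp_mask parameter on the kasan_populate_vmalloc() declaration is undocumented, and this header is where callers learn the contract. A comment above the prototype should state which allocations the mask governs, e.g. `/* gfp_mask: allocation context for the shadow pages and the page array */`. The two inline stubs in the following hunks take the argument only to keep the signature uniform, which is worth a word there as well.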
@@ -574,7 +574,7 @@ static inline void kasan_populate_early_vm_area_shadow(void *start,
 						       unsigned long size)
 { }
 static inline int kasan_populate_vmalloc(unsigned long start,
-					unsigned long size)
+					unsigned long size, gfp_t gfp_mask)
 {
 	return 0;
 }
@@ -610,7 +610,7 @@ static __always_inline void kasan_poison_vmalloc(const void *start,
 static inline void kasan_populate_early_vm_area_shadow(void *start,
 						       unsigned long size) { }
 static inline int kasan_populate_vmalloc(unsigned long start,
-					unsigned long size)
+					unsigned long size, gfp_t gfp_mask)
 {
 	return 0;
 }
diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c
index d2c70cd2afb1..5edfc1f6b53e 100644
--- a/mm/kasan/shadow.c
+++ b/mm/kasan/shadow.c
@@ -335,13 +335,13 @@ static void ___free_pages_bulk(struct page **pages, int nr_pages)
 	}
 }
 
-static int ___alloc_pages_bulk(struct page **pages, int nr_pages)
+static int ___alloc_pages_bulk(struct page **pages, int nr_pages, gfp_t gfp_mask)
 {
 	unsigned long nr_populated, nr_total = nr_pages;
 	struct page **page_array = pages;
 
 	while (nr_pages) {
-		nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages);
+		nr_populated = alloc_pages_bulk(gfp_mask, nr_pages, pages);
 		if (!nr_populated) {
 			___free_pages_bulk(page_array, nr_total - nr_pages);
 			return -ENOMEM;
@@ -353,25 +353,33 @@ static int ___alloc_pages_bulk(struct page **pages, int nr_pages)
 	return 0;
 }
 
-static int __kasan_populate_vmalloc(unsigned long start, unsigned long end)
+static int __kasan_populate_vmalloc(unsigned long start, unsigned long end, gfp_t gfp_mask)
 {
 	unsigned long nr_pages, nr_total = PFN_UP(end - start);
+	bool noblock = !gfpflags_allow_blocking(gfp_mask);
 	struct vmalloc_populate_data data;
+	unsigned int flags;
 	int ret = 0;
 
-	data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO);
+	data.pages = (struct page **)__get_free_page(gfp_mask | __GFP_ZERO);
 	if (!data.pages)
 		return -ENOMEM;
 
 	while (nr_total) {
 		nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0]));
-		ret = ___alloc_pages_bulk(data.pages, nr_pages);
+		ret = ___alloc_pages_bulk(data.pages, nr_pages, gfp_mask);
 		if (ret)
 			break;
 
 		data.start = start;
+		if (noblock)
+			flags = memalloc_noreclaim_save();
+
 		ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE,
 					  kasan_populate_vmalloc_pte, &data);
+		if (noblock)
+			memalloc_noreclaim_restore(flags);
+
 		___free_pages_bulk(data.pages, nr_pages);
 		if (ret)
 			break;
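Review bot: The memalloc_noreclaim_save()/restore() pair placed around the apply_to_page_range() call does not, as far as I can tell, make the page-table allocations issued inside it non-blocking: PF_MEMALLOC keeps the allocator out of reclaim but does not clear __GFP_DIRECT_RECLAIM from an allocation made with a blocking mask, so such an allocation still passes the allocator's sleeping checks. It also grants those allocations access to the memory reserves, a stronger privilege than a GFP_NOWAIT or GFP_ATOMIC caller of vmalloc would normally get, which is a concern if non-blocking vmalloc becomes common. Whatever trade-off is intended should be stated next to the scope, e.g. `/* page-table allocation under apply_to_page_range() ignores gfp_mask; PF_MEMALLOC stops it from reclaiming but not from sleeping, and lets it use reserves */`. Separately, `unsigned int flags;` is assigned only under `if (noblock)` and the compiler cannot see that the restore is guarded identically, so `unsigned int flags = 0;` avoids a maybe-uninitialized warning. __kasan_populate_vmalloc() continues past the end of the hunk.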
@@ -385,7 +393,7 @@ static int __kasan_populate_vmalloc(unsigned long start, unsigned long end)
 	return ret;
 }
 
-int kasan_populate_vmalloc(unsigned long addr, unsigned long size)
+int kasan_populate_vmalloc(unsigned long addr, unsigned long size, gfp_t gfp_mask)
 {
 	unsigned long shadow_start, shadow_end;
 	int ret;
@@ -414,7 +422,7 @@ int kasan_populate_vmalloc(unsigned long addr, unsigned long size)
 	shadow_start = PAGE_ALIGN_DOWN(shadow_start);
 	shadow_end = PAGE_ALIGN(shadow_end);
 
-	ret = __kasan_populate_vmalloc(shadow_start, shadow_end);
+	ret = __kasan_populate_vmalloc(shadow_start, shadow_end, gfp_mask);
 	if (ret)
 		return ret;
 
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 25d09f753239..5bac15b09b03 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -2091,7 +2091,7 @@ static struct vmap_area *alloc_vmap_area(unsigned long size,
 	BUG_ON(va->va_start < vstart);
 	BUG_ON(va->va_end > vend);
 
-	ret = kasan_populate_vmalloc(addr, size);
+	ret = kasan_populate_vmalloc(addr, size, gfp_mask);
 	if (ret) {
 		free_vmap_area(va);
 		return ERR_PTR(ret);
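Review bot: The gfp_mask forwarded on the new call reaches `__get_free_page(gfp_mask | __GFP_ZERO)` and `alloc_pages_bulk()` in mm/kasan/shadow.c unchanged, so any placement or zone bits a vmalloc caller put in it (for instance __GFP_HIGHMEM, which __get_free_page() rejects) would now affect the shadow allocation, whereas the previous hard-coded GFP_KERNEL could not. If alloc_vmap_area() has already reduced the mask to GFP_RECLAIM_MASK before this point — that part of the function is outside the hunk — this is fine, but it is worth stating; `ret = kasan_populate_vmalloc(addr, size, gfp_mask & GFP_RECLAIM_MASK);` would make the contract explicit regardless. alloc_vmap_area() begins and ends outside the hunk.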
@@ -4832,7 +4832,7 @@ struct vm_struct **pcpu_get_vm_areas(const unsigned long *offsets,
 
 	/* populate the kasan shadow space */
 	for (area = 0; area < nr_vms; area++) {
-		if (kasan_populate_vmalloc(vas[area]->va_start, sizes[area]))
+		if (kasan_populate_vmalloc(vas[area]->va_start, sizes[area], GFP_KERNEL))
 			goto err_free_shadow;
 	}
 
-- 
2.39.5
Re: [RFC 4/7] mm/kasan, mm/vmalloc: Respect GFP flags in kasan_populate_vmalloc()
Posted by Baoquan He 3 months ago
On 07/04/25 at 05:25pm, Uladzislau Rezki (Sony) wrote:
......snip.......
> diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c
> index d2c70cd2afb1..5edfc1f6b53e 100644
> --- a/mm/kasan/shadow.c
> +++ b/mm/kasan/shadow.c
> @@ -335,13 +335,13 @@ static void ___free_pages_bulk(struct page **pages, int nr_pages)
>  	}
>  }
>  
> -static int ___alloc_pages_bulk(struct page **pages, int nr_pages)
> +static int ___alloc_pages_bulk(struct page **pages, int nr_pages, gfp_t gfp_mask)
>  {
>  	unsigned long nr_populated, nr_total = nr_pages;
>  	struct page **page_array = pages;
>  
>  	while (nr_pages) {
> -		nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages);
> +		nr_populated = alloc_pages_bulk(gfp_mask, nr_pages, pages);
>  		if (!nr_populated) {
>  			___free_pages_bulk(page_array, nr_total - nr_pages);
>  			return -ENOMEM;
> @@ -353,25 +353,33 @@ static int ___alloc_pages_bulk(struct page **pages, int nr_pages)
>  	return 0;
>  }
>  
> -static int __kasan_populate_vmalloc(unsigned long start, unsigned long end)
> +static int __kasan_populate_vmalloc(unsigned long start, unsigned long end, gfp_t gfp_mask)
>  {
>  	unsigned long nr_pages, nr_total = PFN_UP(end - start);
> +	bool noblock = !gfpflags_allow_blocking(gfp_mask);
>  	struct vmalloc_populate_data data;
> +	unsigned int flags;
>  	int ret = 0;
>  
> -	data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO);
> +	data.pages = (struct page **)__get_free_page(gfp_mask | __GFP_ZERO);
>  	if (!data.pages)
>  		return -ENOMEM;
>  
>  	while (nr_total) {
>  		nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0]));
> -		ret = ___alloc_pages_bulk(data.pages, nr_pages);
> +		ret = ___alloc_pages_bulk(data.pages, nr_pages, gfp_mask);
>  		if (ret)
>  			break;
>  
>  		data.start = start;
> +		if (noblock)
> +			flags = memalloc_noreclaim_save();
> +
>  		ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE,
>  					  kasan_populate_vmalloc_pte, &data);

This series is a great enhancement, thanks.

When checking the code, it seems apply_to_page_range() can lead to page-table
allocation, which uses GFP_PGTABLE_KERNEL. I am not sure whether we need to handle
this as well.

> +		if (noblock)
> +			memalloc_noreclaim_restore(flags);
> +
>  		___free_pages_bulk(data.pages, nr_pages);
>  		if (ret)
>  			break;
...snip...
Re: [RFC 4/7] mm/kasan, mm/vmalloc: Respect GFP flags in kasan_populate_vmalloc()
Posted by Baoquan He 3 months ago
On 07/07/25 at 09:47am, Baoquan He wrote:
> On 07/04/25 at 05:25pm, Uladzislau Rezki (Sony) wrote:
> ......snip.......
> > diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c
> > index d2c70cd2afb1..5edfc1f6b53e 100644
> > --- a/mm/kasan/shadow.c
> > +++ b/mm/kasan/shadow.c
> > @@ -335,13 +335,13 @@ static void ___free_pages_bulk(struct page **pages, int nr_pages)
> >  	}
> >  }
> >  
> > -static int ___alloc_pages_bulk(struct page **pages, int nr_pages)
> > +static int ___alloc_pages_bulk(struct page **pages, int nr_pages, gfp_t gfp_mask)
> >  {
> >  	unsigned long nr_populated, nr_total = nr_pages;
> >  	struct page **page_array = pages;
> >  
> >  	while (nr_pages) {
> > -		nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages);
> > +		nr_populated = alloc_pages_bulk(gfp_mask, nr_pages, pages);
> >  		if (!nr_populated) {
> >  			___free_pages_bulk(page_array, nr_total - nr_pages);
> >  			return -ENOMEM;
> > @@ -353,25 +353,33 @@ static int ___alloc_pages_bulk(struct page **pages, int nr_pages)
> >  	return 0;
> >  }
> >  
> > -static int __kasan_populate_vmalloc(unsigned long start, unsigned long end)
> > +static int __kasan_populate_vmalloc(unsigned long start, unsigned long end, gfp_t gfp_mask)
> >  {
> >  	unsigned long nr_pages, nr_total = PFN_UP(end - start);
> > +	bool noblock = !gfpflags_allow_blocking(gfp_mask);
> >  	struct vmalloc_populate_data data;
> > +	unsigned int flags;
> >  	int ret = 0;
> >  
> > -	data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO);
> > +	data.pages = (struct page **)__get_free_page(gfp_mask | __GFP_ZERO);
> >  	if (!data.pages)
> >  		return -ENOMEM;
> >  
> >  	while (nr_total) {
> >  		nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0]));
> > -		ret = ___alloc_pages_bulk(data.pages, nr_pages);
> > +		ret = ___alloc_pages_bulk(data.pages, nr_pages, gfp_mask);
> >  		if (ret)
> >  			break;
> >  
> >  		data.start = start;
> > +		if (noblock)
> > +			flags = memalloc_noreclaim_save();
> > +
> >  		ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE,
> >  					  kasan_populate_vmalloc_pte, &data);
> 
> This series is a great enhancement, thanks.
> 
> When checking code, seems apply_to_page_range() will lead to page table
> allocation which uses GFP_PGTABLE_KERNEL. Not sure if we need to handle
> this either.

I am a fool, I didn't see the obvious added scope between
memalloc_noreclaim_save/restore(). Please ignore this noise.

> 
> > +		if (noblock)
> > +			memalloc_noreclaim_restore(flags);
> > +
> >  		___free_pages_bulk(data.pages, nr_pages);
> >  		if (ret)
> >  			break;
> ...snip...
>
Re: [RFC 4/7] mm/kasan, mm/vmalloc: Respect GFP flags in kasan_populate_vmalloc()
Posted by Uladzislau Rezki 3 months ago
On Tue, Jul 08, 2025 at 09:15:19AM +0800, Baoquan He wrote:
> On 07/07/25 at 09:47am, Baoquan He wrote:
> > On 07/04/25 at 05:25pm, Uladzislau Rezki (Sony) wrote:
> > ......snip.......
> > > diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c
> > > index d2c70cd2afb1..5edfc1f6b53e 100644
> > > --- a/mm/kasan/shadow.c
> > > +++ b/mm/kasan/shadow.c
> > > @@ -335,13 +335,13 @@ static void ___free_pages_bulk(struct page **pages, int nr_pages)
> > >  	}
> > >  }
> > >  
> > > -static int ___alloc_pages_bulk(struct page **pages, int nr_pages)
> > > +static int ___alloc_pages_bulk(struct page **pages, int nr_pages, gfp_t gfp_mask)
> > >  {
> > >  	unsigned long nr_populated, nr_total = nr_pages;
> > >  	struct page **page_array = pages;
> > >  
> > >  	while (nr_pages) {
> > > -		nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages);
> > > +		nr_populated = alloc_pages_bulk(gfp_mask, nr_pages, pages);
> > >  		if (!nr_populated) {
> > >  			___free_pages_bulk(page_array, nr_total - nr_pages);
> > >  			return -ENOMEM;
> > > @@ -353,25 +353,33 @@ static int ___alloc_pages_bulk(struct page **pages, int nr_pages)
> > >  	return 0;
> > >  }
> > >  
> > > -static int __kasan_populate_vmalloc(unsigned long start, unsigned long end)
> > > +static int __kasan_populate_vmalloc(unsigned long start, unsigned long end, gfp_t gfp_mask)
> > >  {
> > >  	unsigned long nr_pages, nr_total = PFN_UP(end - start);
> > > +	bool noblock = !gfpflags_allow_blocking(gfp_mask);
> > >  	struct vmalloc_populate_data data;
> > > +	unsigned int flags;
> > >  	int ret = 0;
> > >  
> > > -	data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO);
> > > +	data.pages = (struct page **)__get_free_page(gfp_mask | __GFP_ZERO);
> > >  	if (!data.pages)
> > >  		return -ENOMEM;
> > >  
> > >  	while (nr_total) {
> > >  		nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0]));
> > > -		ret = ___alloc_pages_bulk(data.pages, nr_pages);
> > > +		ret = ___alloc_pages_bulk(data.pages, nr_pages, gfp_mask);
> > >  		if (ret)
> > >  			break;
> > >  
> > >  		data.start = start;
> > > +		if (noblock)
> > > +			flags = memalloc_noreclaim_save();
> > > +
> > >  		ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE,
> > >  					  kasan_populate_vmalloc_pte, &data);
> > 
> > This series is a great enhancement, thanks.
> > 
> > When checking code, seems apply_to_page_range() will lead to page table
> > allocation which uses GFP_PGTABLE_KERNEL. Not sure if we need to handle
> > this either.
> 
> I am fool, didn't see the obvious added scope between
> memalloc_noreclaim_save/srestore(). Please ignore this noise.
> 
No worries :)

--
Uladzislau Rezki