kmalloc_double_kzfree() would corrupt kernel memory when the just
freed memory were allocated by another thread before the second
call to kfree_sensitive().
This could not happen in GENERIC mode as it uses quarantine.
Signed-off-by: Wang Wensheng <wsw9603@163.com>
---
mm/kasan/kasan_test_c.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
index 32d06cbf6a31..02e43ccc9f21 100644
--- a/mm/kasan/kasan_test_c.c
+++ b/mm/kasan/kasan_test_c.c
@@ -874,6 +874,12 @@ static void kmalloc_double_kzfree(struct kunit *test)
char *ptr;
size_t size = 16;
+ /*
+ * Only generic KASAN uses quarantine, which could prevent the just freed
+ * memory from being allocated soon.
+ */
+ KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
+
ptr = kmalloc(size, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
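Review bot: The new comment above KASAN_TEST_NEEDS_CONFIG_ON() explains what quarantine does but not the failure the skip guards against, so a reader of the test cannot tell why the tag-based modes are excluded; state that under SW_TAGS/HW_TAGS a reallocation between the two kfree_sensitive() calls whose tag happens to match the old one lets the second free pass the tag check and corrupt the new owner's memory, whereas Generic KASAN's quarantine makes that reallocation effectively impossible. Referencing https://bugzilla.kernel.org/show_bug.cgi?id=212177 in the comment would also record why the test is skipped for HW_TAGS, so the CONFIG_KASAN_GENERIC restriction can be revisited once that is resolved.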
--
2.43.0
On Sun, May 17, 2026 at 9:17 AM Wang Wensheng <wsw9603@163.com> wrote:
>
> kmalloc_double_kzfree() would corrupt kernel memory when the just
> freed memory were allocated by another thread before the second
> call to kfree_sensitive().
>
> This could not happen in GENERIC mode as it uses quarantine.

Quite unfortunate to disable this test for HW_TAGS, but I don't see an
easy way to resolve the issue otherwise.

> Signed-off-by: Wang Wensheng <wsw9603@163.com>
> ---
> mm/kasan/kasan_test_c.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
> index 32d06cbf6a31..02e43ccc9f21 100644
> --- a/mm/kasan/kasan_test_c.c
> +++ b/mm/kasan/kasan_test_c.c
> @@ -874,6 +874,12 @@ static void kmalloc_double_kzfree(struct kunit *test)
> char *ptr;
> size_t size = 16;
>
> + /*
> + * Only generic KASAN uses quarantine, which could prevent the just freed
> + * memory from being allocated soon.
> + */

Let's reword this to:

With the tag-based KASAN modes, if the memory happens to be
reallocated between the two frees and the new allocation tag happens
to match the old one, the second free will cause a memory corruption.
Resolving https://bugzilla.kernel.org/show_bug.cgi?id=212177 would
help to deal with this. With Generic KASAN, it's effectively
impossible for the memory to get reallocated due to the quarantine.

> + KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
> +
> ptr = kmalloc(size, GFP_KERNEL);
> KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
>
> --
> 2.43.0
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/kasan-dev/20260517071713.353579-1-wsw9603%40163.com.

With the comment rewording:

Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
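The tag-match race described in the reply above, as an added example that is not part of this thread or of the kernel's KASAN code: a constructed userspace model of the tag check on free, using 4-bit tags as in MTE-backed HW_TAGS (SW_TAGS uses 8-bit tags, which lowers the odds but does not remove the problem). Enumerating every (old tag, new tag) pair shows how many stale second frees slip past the check with and without a Generic-KASAN-style quarantine; struct obj, tagged_alloc(), tagged_free() and silent_double_frees() are all hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
/* Toy model of tag-based KASAN free checks (constructed, not kernel code). As
 * with MTE-backed HW_TAGS, a 4-bit tag lives in the pointer and in the memory's
 * shadow, and a free is reported when the two disagree. */
#define TAG_MASK    0x0F
#define TAG_INVALID 0xFE  /* shadow value after free, like KASAN_TAG_INVALID */

struct obj {
	uint8_t shadow_tag;
	bool in_quarantine;   /* Generic-KASAN-style: freed but not reusable yet */
};

/* The kernel picks the tag at random; the caller supplies it here so that all
 * cases can be enumerated. Returns -1 when the memory sits in quarantine. */
static int tagged_alloc(struct obj *o, uint8_t tag)
{
	if (o->in_quarantine)
		return -1;
	o->shadow_tag = tag;
	return tag;
}

/* True: free reported (tag mismatch). False: check passed, memory released. */
static bool tagged_free(struct obj *o, uint8_t ptr_tag, bool quarantine)
{
	if (o->shadow_tag != ptr_tag)
		return true;
	o->shadow_tag = TAG_INVALID;
	o->in_quarantine = quarantine;
	return false;
}

/* Replay kmalloc_double_kzfree() with another thread reallocating between the
 * two frees, over all 16x16 tag pairs; returns how many pairs go unreported. */
int silent_double_frees(bool quarantine)
{
	int silent = 0;
	for (int stale = 0; stale <= TAG_MASK; stale++) {
		for (int reuse = 0; reuse <= TAG_MASK; reuse++) {
			struct obj o = { 0, false };
			tagged_alloc(&o, stale);
			tagged_free(&o, stale, quarantine);      /* first kfree_sensitive() */
			tagged_alloc(&o, reuse);                 /* other thread's kmalloc() */
			if (!tagged_free(&o, stale, quarantine)) /* second free, stale tag */
				silent++;
		}
	}
	return silent;
}
```

Without quarantine, 16 of the 256 pairs (exactly the matching-tag ones, 1 in 16) pass the check and free the other thread's live object; with quarantine the memory is never handed out between the two frees, so every stale free is reported.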
On 5/21/26 02:19, Andrey Konovalov wrote:
> On Sun, May 17, 2026 at 9:17 AM Wang Wensheng <wsw9603@163.com> wrote:
>> kmalloc_double_kzfree() would corrupt kernel memory when the just
>> freed memory were allocated by another thread before the second
>> call to kfree_sensitive().
>>
>> This could not happen in GENERIC mode as it uses quarantine.
> Quite unfortunate to disable this test for HW_TAGS, but I don't see an
> easy way to resolve the issue otherwise.
>
>> Signed-off-by: Wang Wensheng <wsw9603@163.com>
>> ---
>> mm/kasan/kasan_test_c.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
>> index 32d06cbf6a31..02e43ccc9f21 100644
>> --- a/mm/kasan/kasan_test_c.c
>> +++ b/mm/kasan/kasan_test_c.c
>> @@ -874,6 +874,12 @@ static void kmalloc_double_kzfree(struct kunit *test)
>> char *ptr;
>> size_t size = 16;
>>
>> + /*
>> + * Only generic KASAN uses quarantine, which could prevent the just freed
>> + * memory from being allocated soon.
>> + */
> Let's reword this to:
>
> With the tag-based KASAN modes, if the memory happens to be
> reallocated between the two frees and the new allocation tag happens
> to match the old one, the second free will cause a memory corruption.
> Resolving https://bugzilla.kernel.org/show_bug.cgi?id=212177 would
> help to deal with this. With Generic KASAN, it's effectively
> impossible for the memory to get reallocated due to the quarantine.
>

Thanks for your nice comment. I have sent a second version.

>> + KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
>> +
>> ptr = kmalloc(size, GFP_KERNEL);
>> KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
>>
>> --
>> 2.43.0
>>
> With the comment rewording:
>
> Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>