ipc/msgutil.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
System V message queues already allocate struct msg_msg from dedicated
kmem buckets, so user-controlled variable-sized message allocations do
not share generic kmalloc buckets.
Large messages allocate additional struct msg_msgseg objects for the
remaining payload. These allocations are also user-controlled in size
and contents, but still come from generic kmalloc-cg buckets.
Allocate msg_msgseg objects from a dedicated bucket set as well, so the
segmented payload path follows the same heap-isolation model as the
main msg_msg allocation.
The free path remains unchanged because these allocations are freed
with kfree(), matching the existing msg_msg bucket allocation.
Signed-off-by: Philipp Weber <kernel@phwe.de>
---
ipc/msgutil.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index e28f0cecb2ec..8aa8ac180317 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -40,6 +40,7 @@ struct msg_msgseg {
#define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg))
static kmem_buckets *msg_buckets __ro_after_init;
+static kmem_buckets *msgseg_buckets __ro_after_init;
static int __init init_msg_buckets(void)
{
@@ -47,6 +48,10 @@ static int __init init_msg_buckets(void)
sizeof(struct msg_msg),
DATALEN_MSG, NULL);
+ msgseg_buckets = kmem_buckets_create("msg_msgseg", SLAB_ACCOUNT,
+ sizeof(struct msg_msgseg),
+ DATALEN_SEG, NULL);
+
return 0;
}
subsys_initcall(init_msg_buckets);
@@ -73,7 +78,8 @@ static struct msg_msg *alloc_msg(size_t len)
cond_resched();
alen = min(len, DATALEN_SEG);
- seg = kmalloc(sizeof(*seg) + alen, GFP_KERNEL_ACCOUNT);
+ seg = kmem_buckets_alloc(msgseg_buckets,
+ sizeof(*seg) + alen, GFP_KERNEL);
if (seg == NULL)
goto out_err;
*pseg = seg;
base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
--
2.53.0On 5/18/26 20:26, Philipp Weber wrote: > System V message queues already allocate struct msg_msg from dedicated > kmem buckets, so user-controlled variable-sized message allocations do > not share generic kmalloc buckets. > > Large messages allocate additional struct msg_msgseg objects for the > remaining payload. These allocations are also user-controlled in size > and contents, but still come from generic kmalloc-cg buckets. > > Allocate msg_msgseg objects from a dedicated bucket set as well, so the > segmented payload path follows the same heap-isolation model as the > main msg_msg allocation. > > The free path remains unchanged because these allocations are freed > with kfree(), matching the existing msg_msg bucket allocation. > > Signed-off-by: Philipp Weber <kernel@phwe.de> Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
On Mon, 18 May 2026 20:26:31 +0200, Philipp Weber wrote:
> System V message queues already allocate struct msg_msg from dedicated
> kmem buckets, so user-controlled variable-sized message allocations do
> not share generic kmalloc buckets.
>
> Large messages allocate additional struct msg_msgseg objects for the
> remaining payload. These allocations are also user-controlled in size
> and contents, but still come from generic kmalloc-cg buckets.
>
> [...]
Applied to the kernel-7.2.misc branch of the vfs/vfs.git tree.
Patches in the kernel-7.2.misc branch should appear in linux-next soon.
Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.
It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.
Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.
tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: kernel-7.2.misc
[1/1] ipc/msg: Use dedicated slab buckets for msg_msgseg
https://git.kernel.org/vfs/vfs/c/6cedbc997a94
© 2016 - 2026 Red Hat, Inc.