From nobody Mon Jun  8 07:26:03 2026
Received: from mxhk.zte.com.cn (mxhk.zte.com.cn [160.30.148.35])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 69E62480DF0
	for <linux-kernel@vger.kernel.org>; Wed,  3 Jun 2026 13:05:32 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=160.30.148.35
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780491935; cv=none;
 b=a9N2q6L2NU8du1+uOO22n91+7UAg13xH0zV73iCWZ6GK1DfbHn538ww7ff3KXcWXmnaG1julComsukKbVdzyuvow8AcUA4GFoYfis8MW1kuWEtjOSP1T0T2QDl5eHuHTJvuHbz+w5OoThluEHVr51c6JV3cWQJq13hMK5Wrzc3s=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780491935; c=relaxed/simple;
	bh=cWLx61V4OiES0msr2EiKNXgglL4dCUso0SgyURiSp5U=;
	h=Message-ID:Date:Mime-Version:From:To:Cc:Subject:Content-Type;
 b=Xazaf8VvJeoWV0S2GOEvspuy62dUJtlR29Ls5Ww0C1vSdzwS/FhVtgXuRweWhp4k8z/C+oNCKSTzQZdRYmHTdsm0EkhRmXPHErvWvSQFV2DYLXvDPJFxc3Ouhw0D1isQgTrUSQnxWTYk6ZlKUevcl9CmptTIcwZhGDAmIH9tvjQ=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=zte.com.cn;
 spf=pass smtp.mailfrom=zte.com.cn; arc=none smtp.client-ip=160.30.148.35
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=zte.com.cn
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=zte.com.cn
Received: from mse-fl1.zte.com.cn (unknown [10.5.228.132])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mxhk.zte.com.cn (FangMail) with ESMTPS id 4gVnxQ1pTHz8XrrJ;
	Wed, 03 Jun 2026 21:05:30 +0800 (CST)
Received: from xaxapp02.zte.com.cn ([10.88.97.241])
	by mse-fl1.zte.com.cn with SMTP id 653D5O50070885;
	Wed, 3 Jun 2026 21:05:24 +0800 (+08)
	(envelope-from hu.shengming@zte.com.cn)
Received: from mapi (xaxapp05[null])
	by mapi (Zmail) with MAPI id mid32;
	Wed, 3 Jun 2026 21:05:27 +0800 (CST)
X-Zmail-TransId: 2afc6a202697ae7-409e4
X-Mailer: Zmail v1.0
Message-ID: <20260603210527431ZrTTKiFTGmLH-rs42OdIP@zte.com.cn>
Date: Wed, 3 Jun 2026 21:05:27 +0800 (CST)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
From: <hu.shengming@zte.com.cn>
To: <vbabka@kernel.org>, <harry@kernel.org>, <akpm@linux-foundation.org>
Cc: <hao.li@linux.dev>, <cl@gentwo.org>, <rientjes@google.com>,
        <roman.gushchin@linux.dev>, <linux-mm@kvack.org>,
        <linux-kernel@vger.kernel.org>, <zhang.run@zte.com.cn>,
        <cai.qu@zte.com.cn>
Subject: 
 =?UTF-8?B?bW0vc2x1YjogcHJlc2VydmUgb3JpZ2luYWwgc2l6ZSBpbiBfa21hbGxvY19ub2xvY2tfbm9wcm9mIHJldHJ5IHBhdGg=?=
X-MAIL: mse-fl1.zte.com.cn 653D5O50070885
X-TLS: YES
X-ENVELOPE-SENDER: hu.shengming@zte.com.cn
X-SOURCE-IP: 10.5.228.132 unknown Wed, 03 Jun 2026 21:05:30 +0800
X-CLEAN: YES
X-Fangmail-Anti-Spam-Filtered: true
X-Fangmail-MID-QID: 6A20269A.000/4gVnxQ1pTHz8XrrJ
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Shengming Hu <hu.shengming@zte.com.cn>

_kmalloc_nolock_noprof() retries from the next kmalloc bucket when the
initial allocation fails. The retry currently reuses `size` as the
bucket selector and overwrites it with s->object_size + 1.

That value is later passed as the original allocation size to
__slab_alloc_node(), slab_post_alloc_hook() and kasan_kmalloc(). On a
successful retry this makes KASAN/slub-debug observe the retry bucket
selector rather than the caller requested size, potentially widening the
valid kmalloc range and hiding overflows.

Keep a separate `bucket_size` for choosing the retry cache and preserve
`size`.

Fixes: <af92793e52c3> ("slab: Introduce kmalloc_nolock() and kfree_nolock()=
")
Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
---
 mm/slub.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/mm/slub.c b/mm/slub.c
index 67abbbf68fc1..6a2b3ade3611 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5350,6 +5350,7 @@ EXPORT_SYMBOL(__kmalloc_noprof);
 void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, token), gfp_t gfp_fla=
gs, int node)
 {
 	gfp_t alloc_gfp =3D __GFP_NOWARN | __GFP_NOMEMALLOC | gfp_flags;
+	size_t bucket_size =3D size;
 	struct kmem_cache *s;
 	bool can_retry =3D true;
 	void *ret;
@@ -5372,9 +5373,9 @@ void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, =
token), gfp_t gfp_flags, in
 		return NULL;

 retry:
-	if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
+	if (unlikely(bucket_size > KMALLOC_MAX_CACHE_SIZE))
 		return NULL;
-	s =3D kmalloc_slab(size, NULL, alloc_gfp, PASS_TOKEN_PARAM(token));
+	s =3D kmalloc_slab(bucket_size, NULL, alloc_gfp, PASS_TOKEN_PARAM(token));

 	if (!(s->flags & __CMPXCHG_DOUBLE) && !kmem_cache_debug(s))
 		/*
@@ -5408,7 +5409,7 @@ void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, =
token), gfp_t gfp_flags, in
 	 */
 	if (!ret && can_retry) {
 		/* pick the next kmalloc bucket */
-		size =3D s->object_size + 1;
+		bucket_size =3D s->object_size + 1;
 		/*
 		 * Another alternative is to
 		 * if (memcg) alloc_gfp &=3D ~__GFP_ACCOUNT;
--=20
2.25.1