From nobody Mon Jun  8 07:39:06 2026
Received: from mxhk.zte.com.cn (mxhk.zte.com.cn [160.30.148.35])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3CED0406260
	for <linux-kernel@vger.kernel.org>; Thu,  4 Jun 2026 12:27:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=160.30.148.35
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780576072; cv=none;
 b=TPfBVQois/UvvnjvyFa3p/vhqtgdpiB3x8oKLZOvcvTLqQsOkZPK00KMPdaIzjhgMjJNyVuPaDcAcOU5sPzmQIw2P+VvHvlc8pUgWyA5/56n3kXJopVhauwPmvdQ8VVlyC6Zk0ifQrE5Zg4+CrXKObDNuD9Xps1SltoZpXQ/SIc=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780576072; c=relaxed/simple;
	bh=p69ZmGC69ogHTn+UFjiOpre+lEiQPcioyccz2x3DAV4=;
	h=Message-ID:Date:Mime-Version:From:To:Cc:Subject:Content-Type;
 b=WuQjRm8c26u3lyBdNb5NAa+j1KJZGOAY87sdQfeWJP69REqb7qZH5NTYadfC8fB1IUd2JcVr25yFm1hPRb2stVXpw4lNe/ajyshva8Sp+2ysyPOZ3CA3EUB+83v95py5SMWeRr2rUY/jS/SnQQV+KqOGpVO7o59sAzWOnvhrvi4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=zte.com.cn;
 spf=pass smtp.mailfrom=zte.com.cn; arc=none smtp.client-ip=160.30.148.35
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=zte.com.cn
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=zte.com.cn
Received: from mse-fl2.zte.com.cn (unknown [10.5.228.133])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mxhk.zte.com.cn (FangMail) with ESMTPS id 4gWP3J4xs7z8XrrZ;
	Thu, 04 Jun 2026 20:27:40 +0800 (CST)
Received: from xaxapp01.zte.com.cn ([10.88.99.176])
	by mse-fl2.zte.com.cn with SMTP id 654CRToK075263;
	Thu, 4 Jun 2026 20:27:29 +0800 (+08)
	(envelope-from hu.shengming@zte.com.cn)
Received: from mapi (xaxapp04[null])
	by mapi (Zmail) with MAPI id mid32;
	Thu, 4 Jun 2026 20:27:32 +0800 (CST)
X-Zmail-TransId: 2afb6a216f34b2f-c53ad
X-Mailer: Zmail v1.0
Message-ID: <202606042027323804pk3MRY42Jy7y42OHAhQZ@zte.com.cn>
Date: Thu, 4 Jun 2026 20:27:32 +0800 (CST)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
From: <hu.shengming@zte.com.cn>
To: <vbabka@kernel.org>, <harry@kernel.org>, <akpm@linux-foundation.org>
Cc: <hao.li@linux.dev>, <cl@gentwo.org>, <rientjes@google.com>,
        <roman.gushchin@linux.dev>, <linux-mm@kvack.org>,
        <linux-kernel@vger.kernel.org>, <zhang.run@zte.com.cn>,
        <cai.qu@zte.com.cn>
Subject: 
 =?UTF-8?B?W1BBVENIIHYyXSBtbS9zbHViOiBwcmVzZXJ2ZSBvcmlnaW5hbCBzaXplIGluIF9rbWFsbG9jX25vbG9ja19ub3Byb2YgcmV0cnkgcGF0aA==?=
X-MAIL: mse-fl2.zte.com.cn 654CRToK075263
X-TLS: YES
X-ENVELOPE-SENDER: hu.shengming@zte.com.cn
X-SOURCE-IP: 10.5.228.133 unknown Thu, 04 Jun 2026 20:27:40 +0800
X-CLEAN: YES
X-Fangmail-Anti-Spam-Filtered: true
X-Fangmail-MID-QID: 6A216F3C.002/4gWP3J4xs7z8XrrZ
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Shengming Hu <hu.shengming@zte.com.cn>

_kmalloc_nolock_noprof() retries from the next kmalloc bucket when the
initial allocation fails. The retry currently reuses `size` as the
bucket selector and overwrites it with s->object_size + 1.

That value is later passed as the original allocation size to
__slab_alloc_node(), slab_post_alloc_hook() and kasan_kmalloc(). On a
successful retry this makes KASAN/slub-debug observe the retry bucket
selector rather than the caller requested size, potentially widening the
valid kmalloc range and hiding overflows.

Keep the caller requested size separately as orig_size and pass it to
the allocation/debug/KASAN paths. Continue using `size` as the retry cache
selector.

Fixes: af92793e52c3 ("slab: Introduce kmalloc_nolock() and kfree_nolock()")
Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
Reviewed-by: Hao Li <hao.li@linux.dev>
Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org>
---
Changes in v2:
- Use an explicit orig_size variable instead of bucket_size, as suggested
  by Harry and Vlastimil.
- Link to v1: https://lore.kernel.org/all/20260603211011530GqLSXP_rgcuQdR47=
IGQLL@zte.com.cn/

---
 mm/slub.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/mm/slub.c b/mm/slub.c
index 67abbbf68fc1..7e1a1fe5daaa 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5350,6 +5350,7 @@ EXPORT_SYMBOL(__kmalloc_noprof);
 void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, token), gfp_t gfp_fla=
gs, int node)
 {
 	gfp_t alloc_gfp =3D __GFP_NOWARN | __GFP_NOMEMALLOC | gfp_flags;
+	size_t orig_size =3D size;
 	struct kmem_cache *s;
 	bool can_retry =3D true;
 	void *ret;
@@ -5398,7 +5399,7 @@ void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, =
token), gfp_t gfp_flags, in
 	 * kfence_alloc. Hence call __slab_alloc_node() (at most twice)
 	 * and slab_post_alloc_hook() directly.
 	 */
-	ret =3D __slab_alloc_node(s, alloc_gfp, node, _RET_IP_, size);
+	ret =3D __slab_alloc_node(s, alloc_gfp, node, _RET_IP_, orig_size);

 	/*
 	 * It's possible we failed due to trylock as we preempted someone with
@@ -5422,9 +5423,9 @@ void *_kmalloc_nolock_noprof(DECL_TOKEN_PARAMS(size, =
token), gfp_t gfp_flags, in
 success:
 	maybe_wipe_obj_freeptr(s, ret);
 	slab_post_alloc_hook(s, NULL, alloc_gfp, 1, &ret,
-			     slab_want_init_on_alloc(alloc_gfp, s), size);
+			     slab_want_init_on_alloc(alloc_gfp, s), orig_size);

-	ret =3D kasan_kmalloc(s, ret, size, alloc_gfp);
+	ret =3D kasan_kmalloc(s, ret, orig_size, alloc_gfp);
 	return ret;
 }
 EXPORT_SYMBOL_GPL(_kmalloc_nolock_noprof);
--=20
2.25.1