mm/slub: preserve original size in _kmalloc_nolock_noprof retry path

_kmalloc_nolock_noprof() retries from the next kmalloc bucket when the
initial allocation fails. The retry currently reuses `size` as the
bucket selector and overwrites it with s->object_size + 1.

That value is later passed as the original allocation size to
__slab_alloc_node(), slab_post_alloc_hook() and kasan_kmalloc(). On a
successful retry this makes KASAN/slub-debug observe the retry bucket
selector rather than the caller requested size, potentially widening the
valid kmalloc range and hiding overflows.

Keep the caller requested size separately as orig_size and pass it to
the allocation/debug/KASAN paths. Continue using `size` as the retry cache
selector.

Fixes: af92793e52c3 ("slab: Introduce kmalloc_nolock() and kfree_nolock()")
Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org>
Reviewed-by: Hao Li <hao.li@linux.dev>
Link: https://patch.msgid.link/202606042027323804pk3MRY42Jy7y42OHAhQZ@zte.com.cn
Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>

diff --git a/mm/slub.c b/mm/slub.c
index 492128ae3af95e7abc9abff294cfb2e9df043431..ff83345d7f957b7edf6b7575faebc22e7ed08e07 100644 (file)
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5359,6 +5359,7 @@ EXPORT_SYMBOL(__kmalloc_noprof);
 void *kmalloc_nolock_noprof(size_t size, gfp_t gfp_flags, int node)
 {
        gfp_t alloc_gfp = __GFP_NOWARN | __GFP_NOMEMALLOC | gfp_flags;
+       size_t orig_size = size;
        struct kmem_cache *s;
        bool can_retry = true;
        void *ret;
@@ -5407,7 +5408,7 @@ retry:
         * kfence_alloc. Hence call __slab_alloc_node() (at most twice)
         * and slab_post_alloc_hook() directly.
         */
-       ret = __slab_alloc_node(s, alloc_gfp, node, _RET_IP_, size);
+       ret = __slab_alloc_node(s, alloc_gfp, node, _RET_IP_, orig_size);
 
        /*
         * It's possible we failed due to trylock as we preempted someone with
@@ -5431,9 +5432,9 @@ retry:
 success:
        maybe_wipe_obj_freeptr(s, ret);
        slab_post_alloc_hook(s, NULL, alloc_gfp, 1, &ret,
-                            slab_want_init_on_alloc(alloc_gfp, s), size);
+                            slab_want_init_on_alloc(alloc_gfp, s), orig_size);
 
-       ret = kasan_kmalloc(s, ret, size, alloc_gfp);
+       ret = kasan_kmalloc(s, ret, orig_size, alloc_gfp);
        return ret;
 }
 EXPORT_SYMBOL_GPL(kmalloc_nolock_noprof);