From: Jann Horn
Date: Tue, 24 Mar 2026 21:35:12 +0000 (+0100)
Subject: slab,rcu: disable KVFREE_RCU_BATCHED for strict grace period
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=17a9399a61c9ce89771de588f6df43a8ec91f535;p=thirdparty%2Fkernel%2Fstable.git

slab,rcu: disable KVFREE_RCU_BATCHED for strict grace period

Disable CONFIG_KVFREE_RCU_BATCHED in CONFIG_RCU_STRICT_GRACE_PERIOD builds so that kernel fuzzers have an easier time finding use-after-free involving kfree_rcu().

The intent behind CONFIG_RCU_STRICT_GRACE_PERIOD is that RCU should invoke callbacks and free objects as soon as possible (at a large performance cost) so that kernel fuzzers and such have an easier time detecting use-after-free bugs in objects with RCU lifetime.

CONFIG_KVFREE_RCU_BATCHED is a performance optimization that queues RCU-freed objects in ways that CONFIG_RCU_STRICT_GRACE_PERIOD can't expedite; for example, the following testcase doesn't trigger a KASAN splat when CONFIG_KVFREE_RCU_BATCHED is enabled:

```
struct foo_struct {
	struct rcu_head rcu;
	int a;
};

struct foo_struct *foo = kmalloc(sizeof(*foo), GFP_KERNEL | __GFP_NOFAIL | __GFP_ZERO);
pr_info("%s: calling kfree_rcu()\n", __func__);
kfree_rcu(foo, rcu);
msleep(10);
pr_info("%s: start UAF access\n", __func__);
READ_ONCE(foo->a);
pr_info("%s: end UAF access\n", __func__);
```

Signed-off-by: Jann Horn
Acked-by: David Rientjes
Reviewed-by: Joel Fernandes
Acked-by: Harry Yoo (Oracle)
Link: https://patch.msgid.link/20260324-kasan-kfree-rcu-v1-1-ac58a7a13d03@google.com
Signed-off-by: Vlastimil Babka (SUSE)
---

diff --git a/mm/Kconfig b/mm/Kconfig
index ebd8ea353687..67a72fe89186 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -172,6 +172,7 @@ config SLUB
 config KVFREE_RCU_BATCHED
 	def_bool y
 	depends on !SLUB_TINY && !TINY_RCU
+	depends on !RCU_STRICT_GRACE_PERIOD
 
 config SLUB_TINY
 	bool "Configure for minimal memory footprint"
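Review bot: the added "depends on !RCU_STRICT_GRACE_PERIOD" silently turns off a "def_bool y" option that carries no help text, so anyone reading mm/Kconfig later cannot tell why kvfree_rcu() batching disappears in strict-grace-period builds; the reason given in the commit message (batching queues objects in ways RCU_STRICT_GRACE_PERIOD cannot expedite, which hides use-after-free from KASAN) should also live at the site, either as a one-line "#" comment above the new dependency or as a short help block under the option. Functionally the hunk is fine: Kconfig ANDs stacked "depends on" lines, so this is equivalent to appending "&& !RCU_STRICT_GRACE_PERIOD" to the existing "depends on !SLUB_TINY && !TINY_RCU" line, and keeping it on its own line is the more readable choice.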