[PATCH] kasan/test: only do kmalloc_double_kzfree for generic mode


Wang Wensheng

May 17, 2026, 3:17:57 AM
to ryabin...@gmail.com, gli...@google.com, andre...@gmail.com, dvy...@google.com, vincenzo...@arm.com, ak...@linux-foundation.org, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org, wsw...@163.com
kmalloc_double_kzfree() would corrupt kernel memory when the just
freed memory was allocated by another thread before the second
call to kfree_sensitive().

This could not happen in GENERIC mode as it uses quarantine.

Signed-off-by: Wang Wensheng <wsw...@163.com>
---
mm/kasan/kasan_test_c.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
index 32d06cbf6a31..02e43ccc9f21 100644
--- a/mm/kasan/kasan_test_c.c
+++ b/mm/kasan/kasan_test_c.c
@@ -874,6 +874,12 @@ static void kmalloc_double_kzfree(struct kunit *test)
char *ptr;
size_t size = 16;

+ /*
+ * Only generic KASAN uses quarantine, which could prevent the just freed
+ * memory from being allocated soon.
+ */
+ KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
+
ptr = kmalloc(size, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

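Review bot: the new comment block explains only that quarantine delays reuse of the freed memory, not what goes wrong when reuse does happen: under the tag-based modes the second kfree_sensitive(ptr) can land on an object another thread has meanwhile allocated, and when that object's tag happens to match the old pointer's tag the free is accepted and the other thread's live object is zeroed and released, which is the kernel memory corruption the commit message refers to. Suggest the comment state that consequence instead of "allocated soon", and that it (or the commit message) say explicitly that KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC) skips the test for both CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_HW_TAGS. Placing the guard before the kmalloc() is right: a skip after the allocation would leak ptr.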
--
2.43.0

Andrey Konovalov

2:19 PM
to Wang Wensheng, ryabin...@gmail.com, gli...@google.com, dvy...@google.com, vincenzo...@arm.com, ak...@linux-foundation.org, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org
On Sun, May 17, 2026 at 9:17 AM Wang Wensheng <wsw...@163.com> wrote:
>
> kmalloc_double_kzfree() would corrupt kernel memory when the just
> freed memory was allocated by another thread before the second
> call to kfree_sensitive().
>
> This could not happen in GENERIC mode as it uses quarantine.

Quite unfortunate to disable this test for HW_TAGS, but I don't see an
easy way to resolve the issue otherwise.

>
> Signed-off-by: Wang Wensheng <wsw...@163.com>
> ---
> mm/kasan/kasan_test_c.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
> index 32d06cbf6a31..02e43ccc9f21 100644
> --- a/mm/kasan/kasan_test_c.c
> +++ b/mm/kasan/kasan_test_c.c
> @@ -874,6 +874,12 @@ static void kmalloc_double_kzfree(struct kunit *test)
> char *ptr;
> size_t size = 16;
>
> + /*
> + * Only generic KASAN uses quarantine, which could prevent the just freed
> + * memory from being allocated soon.
> + */

Let's reword this to:

With the tag-based KASAN modes, if the memory happens to be
reallocated between the two frees and the new allocation tag happens
to match the old one, the second free will cause a memory corruption.
Resolving https://bugzilla.kernel.org/show_bug.cgi?id=212177 would
help to deal with this. With Generic KASAN, it's effectively
impossible for the memory to get reallocated due to the quarantine.

> + KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
> +
> ptr = kmalloc(size, GFP_KERNEL);
> KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
>
> --
> 2.43.0

With the comment rewording:

Reviewed-by: Andrey Konovalov <andre...@gmail.com>
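As an added illustration of the race discussed above (not part of the thread, not kernel code, and not KASAN's real implementation), the toy allocator below replays the kmalloc_double_kzfree() sequence with another thread's kmalloc() landing between the two kfree_sensitive() calls. The slab, tag values, TAG_FREED marker and the deterministic next_tag source are all constructed for the example; the generic flavour models quarantine, the tags flavour models the pointer-tag/memory-tag check with no quarantine.

```c
/*
 * Constructed model of the double-free race: "generic" frees go through a
 * quarantine, "tags" frees release the slot at once and rely on the pointer
 * tag matching the memory tag. Not KASAN's implementation.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 4
#define TAG_FREED 0xFE   /* shadow value for freed memory (stand-in for KASAN_TAG_INVALID) */

enum kasan_mode { MODE_GENERIC, MODE_TAGS };
enum outcome { OUTCOME_CAUGHT, OUTCOME_CORRUPTED };

struct slab {
	enum kasan_mode mode;
	uint8_t shadow[NSLOTS];   /* per-slot shadow: object tag, or TAG_FREED */
	bool live[NSLOTS];        /* slot currently owned by a live object */
	bool quarantined[NSLOTS]; /* generic mode only: freed but held back from reuse */
	uint8_t next_tag;         /* deterministic stand-in for the random tag */
	int reports;              /* KASAN-style reports raised so far */
};

typedef uint16_t tptr;        /* toy tagged pointer: high byte tag, low byte slot */
#define MK_PTR(slot, tag) ((tptr)(((tag) << 8) | (slot)))
#define PTR_SLOT(p) ((int)((p) & 0xFF))
#define PTR_TAG(p)  ((uint8_t)((p) >> 8))

static void slab_init(struct slab *s, enum kasan_mode mode)
{
	memset(s, 0, sizeof(*s));
	s->mode = mode;
	s->next_tag = 0x10;
	for (int i = 0; i < NSLOTS; i++)
		s->shadow[i] = TAG_FREED;
}

/* kmalloc(): hand out the first slot that is neither live nor quarantined. */
static tptr slab_alloc(struct slab *s)
{
	for (int i = 0; i < NSLOTS; i++) {
		if (s->live[i] || s->quarantined[i])
			continue;
		uint8_t tag = (s->mode == MODE_TAGS) ? s->next_tag++ : 0;
		s->shadow[i] = tag;
		s->live[i] = true;
		return MK_PTR(i, tag);
	}
	return MK_PTR(0xFF, 0);   /* out of slots; not reached in this example */
}

/* kfree_sensitive(): true if the free was accepted, false if it was reported. */
static bool slab_free(struct slab *s, tptr p)
{
	int slot = PTR_SLOT(p);

	if (s->shadow[slot] == TAG_FREED) {
		s->reports++;          /* double-free: memory already marked freed */
		return false;
	}
	if (s->mode == MODE_TAGS && s->shadow[slot] != PTR_TAG(p)) {
		s->reports++;          /* invalid-free: pointer tag != memory tag */
		return false;
	}
	/* Accepted: the object is zeroed and released, whoever owns it now. */
	s->shadow[slot] = TAG_FREED;
	s->live[slot] = false;
	if (s->mode == MODE_GENERIC)
		s->quarantined[slot] = true;   /* no reuse until the quarantine drains */
	return true;
}

/*
 * Replay kmalloc_double_kzfree() with another thread's kmalloc() interleaved
 * between the two kfree_sensitive() calls. reuse_tag forces the other
 * thread's object to get the same tag as the original (the unlucky case).
 */
static enum outcome double_free_race(enum kasan_mode mode, bool reuse_tag)
{
	struct slab s;

	slab_init(&s, mode);
	tptr ptr = slab_alloc(&s);            /* test thread: kmalloc() */
	slab_free(&s, ptr);                   /* first kfree_sensitive(): legitimate */
	if (reuse_tag)
		s.next_tag = PTR_TAG(ptr);        /* make the next tag collide */
	tptr victim = slab_alloc(&s);         /* other thread: kmalloc() */
	bool accepted = slab_free(&s, ptr);   /* second kfree_sensitive(): the bug */

	if (accepted || !s.live[PTR_SLOT(victim)])
		return OUTCOME_CORRUPTED;   /* the other thread's live object was freed */
	return s.reports > 0 ? OUTCOME_CAUGHT : OUTCOME_CORRUPTED;
}

int main(void)
{
	static const char *names[] = { "caught", "corrupted" };

	printf("generic, fresh tag:  %s\n", names[double_free_race(MODE_GENERIC, false)]);
	printf("tags, fresh tag:     %s\n", names[double_free_race(MODE_TAGS, false)]);
	printf("tags, colliding tag: %s\n", names[double_free_race(MODE_TAGS, true)]);
	return 0;
}
```

In the generic flavour the quarantined slot can never be handed to the other thread, so the second free always hits memory still marked freed and is reported. In the tags flavour the slot is reused immediately; the second free is reported only when the tags differ, and silently frees the other thread's object when they collide, which is why the test is restricted to CONFIG_KASAN_GENERIC.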