On Thu, Dec 4, 2025 at 2:00 PM Jiayuan Chen jiayuan.chen@linux.dev wrote:
December 3, 2025 at 23:18, "Andrey Konovalov" <andreyknvl@gmail.com> wrote:
From: Jiayuan Chen jiayuan.chen@linux.dev
Subject: mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN
Date: Fri, 28 Nov 2025 19:15:14 +0800
Hi Jiayuan,
Please CC kasan-dev@googlegroups.com when sending KASAN patches.
Sorry about that. I missed it.
Syzkaller reported a memory out-of-bounds bug [1]. This patch fixes two issues:
- In vrealloc, we were missing the KASAN_VMALLOC_VM_ALLOC flag when
unpoisoning the extended region. This flag is required to correctly associate the allocation with KASAN's vmalloc tracking.
Note: In contrast, vzalloc (via __vmalloc_node_range_noprof) explicitly sets KASAN_VMALLOC_VM_ALLOC and calls kasan_unpoison_vmalloc() with it. vrealloc must behave consistently — especially when reusing existing vmalloc regions — to ensure KASAN can track allocations correctly.
- When vrealloc reuses an existing vmalloc region (without allocating new
pages), KASAN previously generated a new tag, which broke tag-based memory access tracking. We now add a 'reuse_tag' parameter to __kasan_unpoison_vmalloc() to preserve the original tag in such cases.
I think we actually could assign a new tag to detect accesses through the old pointer. Just gotta retag the whole region with this tag. But this is a separate thing; filed https://bugzilla.kernel.org/show_bug.cgi?id=220829 for this.
Thank you for your advice. I tested the following modification, and it works.
	if (size <= alloced_size) {
		kasan_unpoison_vmalloc(p + old_size, size - old_size,
				       KASAN_VMALLOC_PROT_NORMAL);
		p = kasan_unpoison_vmalloc(p, size,
					   KASAN_VMALLOC_PROT_NORMAL | KASAN_VMALLOC_VM_ALLOC);
		/*
		 * No need to zero memory here, as unused memory will have
		 * already been zeroed at initial allocation time or during
		 * realloc shrink time.
		 */
		vm->requested_size = size;
		return (void *)p;
	}
[...]
Would be good to have tests for vrealloc too. Filed https://bugzilla.kernel.org/show_bug.cgi?id=220830 for this.
Thanks, I will add a test for vrealloc in kasan_test_c.c.
Awesome!
But as mentioned in the other thread, let's first implement a standalone fix for the original issue (that can be backported) and all these extra additions can come as separate patches on top.
Thank you!