On Fri, Oct 01, 2021 at 03:29:29PM +0200, Andrey Konovalov wrote:
> On Fri, Oct 1, 2021 at 4:42 AM Matthew Wilcox (Oracle)
> <willy@xxxxxxxxxxxxx> wrote:
> >
> > If an object is allocated on a tail page of a multi-page slab, kasan
> > will get the wrong tag because page->s_mem is NULL for tail pages.
>
> Interesting. Is this a known property of tail pages? Why does this
> happen? I failed to find this exception in the code.

Yes, it's a known property of tail pages. kmem_getpages() calls
__alloc_pages_node() which returns a pointer to the head page. All the
tail pages are initialised to point to the head page. Then in
alloc_slabmgmt(), we set ->s_mem of the head page, but we never set
->s_mem of the tail pages. Instead, we rely on people always passing in
the head page.

I have a patch in the works to change the type from struct page to
struct slab so you can't make this mistake. That was how I noticed this
problem.

> The tag value won't really be "wrong", just unexpected. But if s_mem
> is indeed NULL for tail pages, your fix makes sense.
>
> > I'm not quite sure what the user-visible effect of this might be.
>
> Everything should work, as long as tag values are assigned
> consistently based on the object address.

OK, maybe this doesn't need to be backported then?

Actually, why subtract s_mem in the first place? Can we just avoid that
for all tag calculations?
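The following C program is an added illustration of the property discussed in this thread; it is not code from the thread or from the kernel. It builds a toy multi-page slab in which, as Matthew describes, every tail page points back at the head page but only the head page has `s_mem` set, then derives an object index (and the low-byte tag built from it) once through the page the object actually lands in and once through the head page. The `struct page`, `struct slab`, `virt_to_page`, `virt_to_head_page`, `obj_to_index`, `demo_index` and `on_tail_page` names are simplified stand-ins modelled on the discussion, not the kernel's definitions; the 4-page slab and 512-byte object size are constructed for the demo.

```c
/* Toy model of a multi-page slab where only the head page carries s_mem.
 * All names are hypothetical stand-ins modelled on the thread, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE  4096UL
#define SLAB_PAGES 4   /* constructed: a 4-page (order-2) slab */

/* Cut-down stand-in for struct page. */
struct page {
    struct page *compound_head;  /* every page of the slab points at page 0 */
    void        *s_mem;          /* first object; set on the head page only */
};

/* Hypothetical slab: a page-aligned buffer plus one struct page per page. */
struct slab {
    uint8_t    *mem;
    struct page pages[SLAB_PAGES];
    size_t      obj_size;
};

static int slab_init(struct slab *s, size_t obj_size)
{
    s->mem = aligned_alloc(PAGE_SIZE, PAGE_SIZE * SLAB_PAGES);
    if (!s->mem)
        return -1;
    s->obj_size = obj_size;
    /* kmem_getpages()-style setup: all tail pages refer back to the head. */
    for (int i = 0; i < SLAB_PAGES; i++) {
        s->pages[i].compound_head = &s->pages[0];
        s->pages[i].s_mem = NULL;
    }
    /* alloc_slabmgmt()-style setup: only the head page learns where objects start. */
    s->pages[0].s_mem = s->mem;
    return 0;
}

static void slab_release(struct slab *s)
{
    free(s->mem);
    s->mem = NULL;
}

/* virt_to_page() analogue: the page an address actually falls in. */
static struct page *virt_to_page(struct slab *s, const void *obj)
{
    size_t off = (size_t)((const uint8_t *)obj - s->mem);
    return &s->pages[off / PAGE_SIZE];
}

/* virt_to_head_page() analogue: follow a tail page back to its head. */
static struct page *virt_to_head_page(struct slab *s, const void *obj)
{
    return virt_to_page(s, obj)->compound_head;
}

/* obj_to_index() analogue: object number relative to page->s_mem. With a
 * tail page s_mem is NULL and the subtraction silently yields a meaningless
 * value; nothing here catches that, which is exactly the reported problem. */
static long obj_to_index(struct slab *s, struct page *page, const void *obj)
{
    return (long)(((uintptr_t)obj - (uintptr_t)page->s_mem) / s->obj_size);
}

/* Tag derivation as described in the thread: the low byte of the index. */
static uint8_t tag_from_index(long index)
{
    return (uint8_t)index;
}

/* Index of object obj_idx via the page it lies in (fixed == 0, the buggy
 * path) or via the head page (fixed != 0). Returns -1 on allocation failure. */
long demo_index(int fixed, size_t obj_idx)
{
    struct slab s;
    if (slab_init(&s, 512) != 0)
        return -1;
    const uint8_t *obj = s.mem + obj_idx * s.obj_size;
    struct page *page = fixed ? virt_to_head_page(&s, obj) : virt_to_page(&s, obj);
    long index = obj_to_index(&s, page, obj);
    slab_release(&s);
    return index;
}

/* 1 if object obj_idx lives on a tail page of the slab, 0 if on the head page. */
int on_tail_page(size_t obj_idx)
{
    struct slab s;
    if (slab_init(&s, 512) != 0)
        return -1;
    const uint8_t *obj = s.mem + obj_idx * s.obj_size;
    int tail = virt_to_page(&s, obj) != virt_to_head_page(&s, obj);
    slab_release(&s);
    return tail;
}

int main(void)
{
    for (size_t i = 0; i < (PAGE_SIZE * SLAB_PAGES) / 512; i += 7) {
        long via_page = demo_index(0, i), via_head = demo_index(1, i);
        printf("object %2zu (%s page): via page=%ld tag=0x%02x, via head=%ld tag=0x%02x\n",
               i, on_tail_page(i) ? "tail" : "head",
               via_page, tag_from_index(via_page), via_head, tag_from_index(via_head));
    }
    return 0;
}
```

Objects 0 to 7 sit on the head page, so both paths agree there; from object 8 onward the object is on a tail page, `s_mem` is NULL, and the index computed through `virt_to_page` is the raw address divided by the object size rather than the object's position in the slab. Resolving the head page first gives a consistent index for every object, which is the shape of the fix being discussed.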