patches/old/skbuff-use-mempool-kasan-hooks.patch - pub/scm/linux/kernel/git/akpm/25-new - Git at Google

 From: Andrey Konovalov <andreyknvl@google.com>
 Subject: skbuff: use mempool KASAN hooks
 Date: Tue, 19 Dec 2023 23:29:04 +0100

 Instead of using slab-internal KASAN hooks for poisoning and unpoisoning
 cached objects, use the proper mempool KASAN hooks.

 Also check the return value of kasan_mempool_poison_object to prevent
 double-free and invali-free bugs.

 Link: https://lkml.kernel.org/r/a3482c41395c69baa80eb59dbb06beef213d2a14.1703024586.git.andreyknvl@google.com
 Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
 Cc: Alexander Lobakin <alobakin@pm.me>
 Cc: Alexander Potapenko <glider@google.com>
 Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
 Cc: Breno Leitao <leitao@debian.org>
 Cc: Dmitry Vyukov <dvyukov@google.com>
 Cc: Evgenii Stepanov <eugenis@google.com>
 Cc: Marco Elver <elver@google.com>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 ---

  net/core/skbuff.c |   10 ++++++----
  1 file changed, 6 insertions(+), 4 deletions(-)

 --- a/net/core/skbuff.c~skbuff-use-mempool-kasan-hooks
 +++ a/net/core/skbuff.c
 @@ -337,7 +337,7 @@ static struct sk_buff *napi_skb_cache_ge
  	}

  	skb = nc->skb_cache[--nc->skb_count];
 -	kasan_unpoison_new_object(skbuff_cache, skb);
 +	kasan_mempool_unpoison_object(skb, kmem_cache_size(skbuff_cache));

  	return skb;
  }
 @@ -1309,13 +1309,15 @@ static void napi_skb_cache_put(struct sk
  	struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache);
  	u32 i;

 -	kasan_poison_new_object(skbuff_cache, skb);
 +	if (!kasan_mempool_poison_object(skb))
 +		return;
 +
  	nc->skb_cache[nc->skb_count++] = skb;

  	if (unlikely(nc->skb_count == NAPI_SKB_CACHE_SIZE)) {
  		for (i = NAPI_SKB_CACHE_HALF; i < NAPI_SKB_CACHE_SIZE; i++)
 -			kasan_unpoison_new_object(skbuff_cache,
 -						  nc->skb_cache[i]);
 +			kasan_mempool_unpoison_object(nc->skb_cache[i],
 +						kmem_cache_size(skbuff_cache));

  		kmem_cache_free_bulk(skbuff_cache, NAPI_SKB_CACHE_HALF,
  				     nc->skb_cache + NAPI_SKB_CACHE_HALF);
 _
	From: Andrey Konovalov <andreyknvl@google.com>
	Subject: skbuff: use mempool KASAN hooks
	Date: Tue, 19 Dec 2023 23:29:04 +0100

	Instead of using slab-internal KASAN hooks for poisoning and unpoisoning
	cached objects, use the proper mempool KASAN hooks.

	Also check the return value of kasan_mempool_poison_object to prevent
	double-free and invali-free bugs.

	Link: https://lkml.kernel.org/r/a3482c41395c69baa80eb59dbb06beef213d2a14.1703024586.git.andreyknvl@google.com
	Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
	Cc: Alexander Lobakin <alobakin@pm.me>
	Cc: Alexander Potapenko <glider@google.com>
	Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
	Cc: Breno Leitao <leitao@debian.org>
	Cc: Dmitry Vyukov <dvyukov@google.com>
	Cc: Evgenii Stepanov <eugenis@google.com>
	Cc: Marco Elver <elver@google.com>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	---

	net/core/skbuff.c \| 10 ++++++----
	1 file changed, 6 insertions(+), 4 deletions(-)

	--- a/net/core/skbuff.c~skbuff-use-mempool-kasan-hooks
	+++ a/net/core/skbuff.c
	@@ -337,7 +337,7 @@ static struct sk_buff *napi_skb_cache_ge
	}

	skb = nc->skb_cache[--nc->skb_count];
	- kasan_unpoison_new_object(skbuff_cache, skb);
	+ kasan_mempool_unpoison_object(skb, kmem_cache_size(skbuff_cache));

	return skb;
	}
	@@ -1309,13 +1309,15 @@ static void napi_skb_cache_put(struct sk
	struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache);
	u32 i;

	- kasan_poison_new_object(skbuff_cache, skb);
	+ if (!kasan_mempool_poison_object(skb))
	+ return;
	+
	nc->skb_cache[nc->skb_count++] = skb;

	if (unlikely(nc->skb_count == NAPI_SKB_CACHE_SIZE)) {
	for (i = NAPI_SKB_CACHE_HALF; i < NAPI_SKB_CACHE_SIZE; i++)
	- kasan_unpoison_new_object(skbuff_cache,
	- nc->skb_cache[i]);
	+ kasan_mempool_unpoison_object(nc->skb_cache[i],
	+ kmem_cache_size(skbuff_cache));

	kmem_cache_free_bulk(skbuff_cache, NAPI_SKB_CACHE_HALF,
	nc->skb_cache + NAPI_SKB_CACHE_HALF);
	_