KASAN vs realloc
From: Maciej Żenczykowski
Date: Tue Jan 06 2026 - 07:42:59 EST
We've got internal reports (b/467571011 - from CC'ed Samsung
developer) that kasan realloc is broken for sizes that are not a
multiple of the granule. This appears to be triggered during Android
bootup by some ebpf program loading operations (a struct is 88 bytes
in size, which is a multiple of 8, but not 16, which is the granule
size).
(this is on 6.18 with
https://lore.kernel.org/all/38dece0a4074c43e48150d1e242f8242c73bf1a5.1764874575.git.m.wieczorretman@xxxxx/
already included)
joonki.min@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx summarized it as
"When newly requested size is not bigger than allocated size and old
size was not 16 byte aligned, it failed to unpoison extended area."
and *very* rough comment:
Right. "size - old_size" is not guaranteed 16-byte alignment in this case.
I think we may unpoison 16-byte alignment size, but it allowed more
than requested :(
I'm not sure that's right approach.
if (size <= alloced_size) {
- kasan_unpoison_vmalloc(p + old_size, size - old_size,
+ kasan_unpoison_vmalloc(p + old_size, round_up(size -
old_size, KASAN_GRANULE_SIZE),
KASAN_VMALLOC_PROT_NORMAL |
KASAN_VMALLOC_VM_ALLOC |
KASAN_VMALLOC_KEEP_TAG);
/*
* No need to zero memory here, as unused memory will have
* already been zeroed at initial allocation time or during
* realloc shrink time.
*/
- vm->requested_size = size;
+ vm->requested_size = round_up(size, KASAN_GRANULE_SIZE);
my personal guess is that
But just above the code you quoted in mm/vmalloc.c I see:
if (size <= old_size) {
...
kasan_poison_vmalloc(p + size, old_size - size);
is also likely wrong?? Considering:
mm/kasan/shadow.c
void __kasan_poison_vmalloc(const void *start, unsigned long size)
{
if (!is_vmalloc_or_module_addr(start))
return;
size = round_up(size, KASAN_GRANULE_SIZE);
kasan_poison(start, size, KASAN_VMALLOC_INVALID, false);
}
This doesn't look right - if start isn't a multiple of the granule.
--
Maciej Żenczykowski, Kernel Networking Developer @ Google