Re: [PATCH RFC 01/15] mm/slab: always zero only requested size on alloc

[Vlastimil Babka (SUSE)]

On 6/9/26 11:17, Vlastimil Babka (SUSE) wrote:
> When zeroing on alloc is requested (by __GFP_ZERO or the init_on_alloc
> parameter), we have been trying to zero the whole kmalloc bucket size
> and not just requested size, if possible.
> 
> This probably comes from the past where ksize() could be used to
> discover the bucket size and use it opportunistically beyond the
> requested size. This is now forbidden and enabling debugging such as
> KASAN or slab's red zoning would catch this misuse. Therefore, nobody
> can be relying on __GFP_ZERO zeroing beyond requested size.

Well, Sashiko says I'm wrong because krealloc() might be used later and then
the initially unused part might become used and we won't clear it because we
don't (unless slab debugging is enabled) know the original requested size
anymore. So we have to keep zeroing the full s->object_size in the cases we
currently do that.

> Theoretically it might still improve hardening in case of unintended
> accesses beond requested size accessing some sensitive data from a
> previous allocation. But then, init_on_free is probably used also for
> hardening and would have cleared that.
> 
> So the usefullness of zeroing beyond requested size is practically none
> nowadays. The disadvantages for doing it are:
> 
> - Interaction with KFENCE, which perfoms the zeroing on its own because
>   it has its own redzone beyond requested size. As a consequence
>   slab_post_alloc_hook() has an 'init' parameter which has to be
>   evaluated in all callers (via slab_want_init_on_alloc()).
> 
>   For kfence allocations in slab_alloc_node() this evaluation is subtly
>   skipped over in order to do the right thing. Other callers (i.e.
>   kmem_cache_alloc_bulk_noprof()) evaluate it unconditionally even if
>   they do end up with a kfence allocation. This is only subtly not a
>   problem, as those are not kmalloc allocations and are using
>   s->object_size as requested size, so it doesn't interfere with kfence's
>   redzone. There's just a unnecessary double zeroing (in both kfence and
>   slab_post_alloc_hook()), but it's all very fragile and contradicts the
>   comment in kfence_guarded_alloc().
> 
> - Interaction with slab's redzoning where we have to limit the zeroing
>   to requested size.
> 
> We can make the code much more simple by always zeroing only up to the
> requested size. Move slab_want_init_on_alloc() call to
> slab_post_alloc_hook(), removing the parameter. Remove the red zone
> handling.
> 
> For kfence's zeroing code, update the comment. We could remove it
> completely, but due to possible interactions with KASAN, there are
> configurations where neither slab or KASAN would zero the object,
> so simply do it in kfence. At worst the zeroing will happen twice, but
> kfence allocations are rare by design so the cost is negligible.
> 
> Signed-off-by: Vlastimil Babka (SUSE) <vbabka@xxxxxxxxxx>