Bug 208295

Copypasted from <https://lore.kernel.org/kernel-hardening/CAG_fn=VWwfpn6HNNm3V8woK7BcLgAJ9k8WYNghwxz7FF6+QZRg@mail.gmail.com/T/#m01f90bf7c5a7166c9ad716e43c79266ea7e03097>:

The slab allocator interface has two features that are problematic for
security testing and/or hardening:

 - constructor slabs: These things come with an object constructor
that doesn't run when an object is allocated, but instead when the
slab allocator grabs a new page from the page allocator. This is
problematic for use-after-free detection mechanisms such as HWASAN and
Memory Tagging, which can only do their job properly if the address of
an object is allowed to change every time the object is
freed/reallocated. (You can't change the address of an object without
reinitializing the entire object because e.g. an empty list_head
points to itself.)

 - RCU slabs: These things basically permit use-after-frees by design,
and stuff like ASAN/HWASAN/Memory Tagging essentially doesn't work on
them.


It would be nice to have a config flag or so that changes the SLUB
allocator's behavior such that these slabs can be instrumented
properly. Something like:

 - Let calculate_sizes() reserve space for an rcu_head on each object
in TYPESAFE_BY_RCU slabs, make kmem_cache_free() redirect to
call_rcu() for these slabs, and remove most of the other
special-casing, so that KASAN can instrument these slabs.
 - For all constructor slabs, let slab_post_alloc_hook() call the
->ctor() function on each allocated object, so that Memory Tagging and
HWASAN will work on them.