Copypasted from <https://lore.kernel.org/kernel-hardening/CAG_fn=VWwfpn6HNNm3V8woK7BcLgAJ9k8WYNghwxz7FF6+QZRg@mail.gmail.com/T/#m01f90bf7c5a7166c9ad716e43c79266ea7e03097>:

> The slab allocator interface has two features that are problematic for security testing and/or hardening:
>
> - constructor slabs: These things come with an object constructor that doesn't run when an object is allocated, but instead when the slab allocator grabs a new page from the page allocator. This is problematic for use-after-free detection mechanisms such as HWASAN and Memory Tagging, which can only do their job properly if the address of an object is allowed to change every time the object is freed/reallocated. (You can't change the address of an object without reinitializing the entire object because e.g. an empty list_head points to itself.)
>
> - RCU slabs: These things basically permit use-after-frees by design, and stuff like ASAN/HWASAN/Memory Tagging essentially doesn't work on them.
>
> It would be nice to have a config flag or so that changes the SLUB allocator's behavior such that these slabs can be instrumented properly. Something like:
>
> - Let calculate_sizes() reserve space for an rcu_head on each object in TYPESAFE_BY_RCU slabs, make kmem_cache_free() redirect to call_rcu() for these slabs, and remove most of the other special-casing, so that KASAN can instrument these slabs.
>
> - For all constructor slabs, let slab_post_alloc_hook() call the ->ctor() function on each allocated object, so that Memory Tagging and HWASAN will work on them.
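To make the two points in the quoted message concrete, here is an added userspace C model (not code from the message, from KASAN, or from the kernel tree). It uses a toy cache of four objects whose constructor initialises a kernel-style self-pointing list_head, and it models memory tagging explicitly: a tag byte is kept in the top byte of each pointer and compared against a per-slot tag by a `tag_check()` helper instead of by hardware. Everything here (`toy_cache`, `cache_alloc`, `cache_free`, `rcu_grace_period`, the tag encoding) is a constructed stand-in, not SLUB's API. It goes slightly beyond the message by modelling both proposals in one cache: `ctor_on_alloc` re-runs the constructor from the allocation path (the slab_post_alloc_hook() idea), and `typesafe_by_rcu` defers the release of a freed object until a grace period ends, using a per-object link in the place of the reserved rcu_head (the calculate_sizes()/call_rcu() idea).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy tag model: tag lives in the top byte of a 64-bit pointer (assumes 64-bit uintptr_t). */
#define TAG_SHIFT 56
#define TAG_MASK  (0xffULL << TAG_SHIFT)
#define NOBJS     4

/* Kernel-style list_head, but holding tagged pointers as integers so the
 * toy checker can inspect them without dereferencing them. */
struct list_head { uintptr_t next, prev; };

struct toy_obj {
    struct list_head list;      /* first member, so &obj->list == obj */
    int payload;
    struct toy_obj *rcu_next;   /* stand-in for the per-object rcu_head the proposal reserves */
};

struct toy_cache {
    struct toy_obj slots[NOBJS];
    uint8_t tag[NOBJS];         /* current memory tag of each slot (model of MTE/HWASAN) */
    bool in_use[NOBJS];
    bool ctor_on_alloc;         /* proposal: call ->ctor() from the post-alloc hook */
    bool typesafe_by_rcu;       /* proposal: kmem_cache_free() -> call_rcu() */
    struct toy_obj *rcu_pending;/* freed objects waiting for a grace period */
};

static uintptr_t tag_ptr(void *p, uint8_t tag) {
    return ((uintptr_t)p & ~TAG_MASK) | ((uintptr_t)tag << TAG_SHIFT);
}
static void *untag(uintptr_t p) { return (void *)(p & ~TAG_MASK); }
static uint8_t ptr_tag(uintptr_t p) { return (uint8_t)(p >> TAG_SHIFT); }

static int slot_of(struct toy_cache *c, uintptr_t p) {
    char *a = untag(p);
    for (int i = 0; i < NOBJS; i++)
        if (a >= (char *)&c->slots[i] && a < (char *)&c->slots[i + 1]) return i;
    return -1;
}

/* Model of a tag-checked access: true only if the pointer's tag matches the
 * slot's current memory tag; a mismatch is what MTE/HWASAN would report. */
static bool tag_check(struct toy_cache *c, uintptr_t p) {
    int i = slot_of(c, p);
    return i >= 0 && ptr_tag(p) == c->tag[i];
}

/* The cache's constructor: an empty list_head points to itself, and the
 * stored self-pointer carries whatever tag the object had when ctor ran. */
static void obj_ctor(uintptr_t obj) {
    struct toy_obj *o = untag(obj);
    o->list.next = o->list.prev = tag_ptr(&o->list, ptr_tag(obj));
    o->payload = 0;
}

static void cache_init(struct toy_cache *c, bool ctor_on_alloc, bool typesafe_by_rcu) {
    c->ctor_on_alloc = ctor_on_alloc;
    c->typesafe_by_rcu = typesafe_by_rcu;
    c->rcu_pending = NULL;
    for (int i = 0; i < NOBJS; i++) {
        c->tag[i] = 1;
        c->in_use[i] = false;
        obj_ctor(tag_ptr(&c->slots[i], c->tag[i]));  /* stock behaviour: ctor runs once, at page grab */
    }
}

static uintptr_t cache_alloc(struct toy_cache *c) {
    for (int i = 0; i < NOBJS; i++) {
        if (c->in_use[i]) continue;
        c->in_use[i] = true;
        uintptr_t p = tag_ptr(&c->slots[i], c->tag[i]);
        if (c->ctor_on_alloc) obj_ctor(p);  /* re-run ctor under the object's current tag */
        return p;
    }
    return 0;
}

/* Retagging the slot on release is what makes stale pointers detectable. */
static void slot_release(struct toy_cache *c, int i) {
    c->in_use[i] = false;
    c->tag[i]++;
}

static void cache_free(struct toy_cache *c, uintptr_t p) {
    int i = slot_of(c, p);
    if (i < 0) return;
    if (c->typesafe_by_rcu) {   /* defer the real release until a grace period ends */
        c->slots[i].rcu_next = c->rcu_pending;
        c->rcu_pending = &c->slots[i];
        return;
    }
    slot_release(c, i);
}

/* Model of a grace period ending: deferred frees now really happen. */
static void rcu_grace_period(struct toy_cache *c) {
    while (c->rcu_pending) {
        struct toy_obj *o = c->rcu_pending;
        c->rcu_pending = o->rcu_next;
        slot_release(c, (int)(o - c->slots));
    }
}

/* Scenario A: alloc, free, realloc the same slot. With ctor only at page grab the
 * list_head still carries the old tag, so a checked access to it fails even though
 * the object is valid; with ctor re-run on allocation it passes. */
static bool reallocated_list_head_valid(bool ctor_on_alloc) {
    struct toy_cache c;
    cache_init(&c, ctor_on_alloc, false);
    uintptr_t a = cache_alloc(&c);
    cache_free(&c, a);
    uintptr_t b = cache_alloc(&c);                  /* same slot, new tag */
    struct toy_obj *o = untag(b);
    return tag_check(&c, o->list.next) && untag(o->list.next) == (void *)&o->list;
}

/* Scenario B: a dangling pointer after a plain free is caught by the retag. */
static bool dangling_pointer_detected(void) {
    struct toy_cache c;
    cache_init(&c, true, false);
    uintptr_t a = cache_alloc(&c);
    cache_free(&c, a);
    return !tag_check(&c, a);
}

/* Scenario C: deferred free for TYPESAFE_BY_RCU. A reader still holding the pointer
 * inside the grace period passes the check (the RCU contract); once the grace
 * period ends the same pointer is flagged, so checking becomes possible. */
static bool rcu_deferred_free_checks(bool *before, bool *after) {
    struct toy_cache c;
    cache_init(&c, true, true);
    uintptr_t a = cache_alloc(&c);
    cache_free(&c, a);
    *before = tag_check(&c, a);
    rcu_grace_period(&c);
    *after = tag_check(&c, a);
    return *before && !*after;
}

int main(void) {
    bool before, after;
    printf("ctor at page grab only, reallocated list_head valid: %d\n", reallocated_list_head_valid(false));
    printf("ctor on every alloc,    reallocated list_head valid: %d\n", reallocated_list_head_valid(true));
    printf("dangling pointer detected after plain free: %d\n", dangling_pointer_detected());
    rcu_deferred_free_checks(&before, &after);
    printf("rcu deferred free: check before grace period=%d, after=%d\n", before, after);
    return 0;
}
```

Scenario A is the "you can't change the address without reinitializing the entire object" point: the only way to keep the page-grab constructor's self-pointer valid is to never change the object's tag, which is exactly what defeats use-after-free detection on that cache. Scenario C shows why deferring the free is what makes an RCU slab checkable at all: during the grace period the stale access is legitimate, so the detector can only start flagging the object once the deferred release has run.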
Just for the bug record, quoting Jann's message in the linked thread:

> I've implemented this first part now and sent it out for review:
> https://lore.kernel.org/lkml/20230825211426.3798691-1-jannh@google.com/T/

Referring to "Let calculate_sizes() reserve space...".
Update: Jann added support for KASAN checking of RCU slabs in [1] via CONFIG_SLUB_RCU_DEBUG.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b8c8ba73c68bb3c3e9dad22f488b86c540c839f9