> >>> In my opinion, this patch can somehow help attacker exploit this kind of bugs >>> more reliable. > > Why do you think this makes races easier to win? > Sorry, not to make the races easier, but to make the exploitations more reliable. >> +Alexander Popov, who is the author of the double free check in >> SLAB_FREELIST_HARDENED. >> >> Ah, so as long as the double free happens in a user process context, >> you can retry triggering it until you succeed in winning the race to >> reallocate the object (without causing slab freelist corruption, as it >> would have had happened before SLAB_FREELIST_HARDENED). Nice idea! > > Do you see improvements that could be made here? > Could we use BUG_ON() only when panic_on_oops is set?
