On 2024/6/3 17:25, Vlastimil Babka wrote:
> On 5/28/24 9:16 AM, Chengming Zhou wrote:
>> The commit 946fa0dbf2d8 ("mm/slub: extend redzone check to extra
>> allocated kmalloc space than requested") will extend right redzone
>> when allocating for orig_size < object_size. So we can't overlay the
>> freepointer in the object space in this case.
>>
>> But the code looks like it forgot to check SLAB_RED_ZONE, since there
>> won't be extended right redzone if only orig_size enabled.
>>
>> Signed-off-by: Chengming Zhou <chengming.zhou@xxxxxxxxx>
>
> Seems OK.
>
>> ---
>> mm/slub.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/mm/slub.c b/mm/slub.c
>> index de57512734ac..b92d9a557852 100644
>> --- a/mm/slub.c
>> +++ b/mm/slub.c
>> @@ -5150,7 +5150,7 @@ static int calculate_sizes(struct kmem_cache *s)
>> */
>> s->inuse = size;
>>
>> - if (slub_debug_orig_size(s) ||
>> + if (((flags & SLAB_RED_ZONE) && slub_debug_orig_size(s)) ||
>> (flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
>> ((flags & SLAB_RED_ZONE) && s->object_size < sizeof(void *)) ||
>
> Should we consolidate the two cases with flags & SLAB_RED_ZONE?

Yes, we can.

>
> Also below this is a comment that could also mention the slub_debug_orig_size().

Ok, will add. Thanks.

>
>> s->ctor) {
>>
>
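Review bot: the new `+` line guards `slub_debug_orig_size(s)` with `flags & SLAB_RED_ZONE`, but the unchanged context two lines below already has a second `(flags & SLAB_RED_ZONE) && ...` term for `s->object_size < sizeof(void *)`, so the same flag is now tested twice in one condition. Folding both into a single `((flags & SLAB_RED_ZONE) && (slub_debug_orig_size(s) || s->object_size < sizeof(void *)))` would state the intent directly (the freepointer must leave the object space only when a right redzone actually exists) and keeps the two red-zone cases from drifting apart in later edits. Since this hunk is what moves the orig_size case behind the red-zone check, the comment that follows the condition should also spell out that orig_size tracking on its own, without SLAB_RED_ZONE, does not force the freepointer outside the object.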