On 3/4/25 07:38, Harry Yoo wrote:
> On Mon, Mar 03, 2025 at 05:28:05PM +0000, Matthew Wilcox (Oracle) wrote:
>> If a user calls p = kmalloc(1024); kfree(p); kfree(p); and 'p' was the
>> only object in the slab, we may free the slab after the first call to
>> kfree(). If we do, we clear PGTY_slab and the second call to kfree()
>> will call free_large_kmalloc(). That will leave a trace in the logs
>> ("object pointer: 0x%p"), but otherwise proceed to free the memory,
>> which is likely to corrupt the page allocator's metadata.
>>
>> Allocate a new page type for large kmalloc and mark the memory with it
>> while it's allocated. That lets us detect this double-free and return
>> without harming any data structures.
>>
>> Reported-by: Hannes Reinecke <hare@xxxxxxxx>
>> Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx>
>> ---
>
> Looks good to me,
> Reviewed-by: Harry Yoo <harry.yoo@xxxxxxxxxx>

Added to slab/for-next, thanks!
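The kfree() dispatch problem described in the quoted commit message, as an added toy model that is not kernel code and not part of the thread: `struct page`, the `PGTY_*` values, `model_alloc()` and `model_kfree()` are constructed stand-ins, and the `mark_large` flag switches between the old behaviour (large kmalloc pages untyped, so any non-slab page falls through to the large-kmalloc free path) and the patched behaviour (large kmalloc pages carry their own type, so an untyped page is rejected).

```c
/* Constructed model of the page-type check in kfree(); real struct page,
 * PGTY_* and free_large_kmalloc() differ. Only the dispatch is modelled. */
#include <stdbool.h>
#include <stdio.h>

enum page_type { PGTY_none, PGTY_slab, PGTY_large_kmalloc };
enum free_result { FREED_SLAB, FREED_LARGE, BOGUS_LARGE_FREE, REJECTED };

struct page { enum page_type type; int objects_in_use; };

/* Allocate a one-object slab page or a large kmalloc page. */
void model_alloc(struct page *pg, bool large) {
    pg->type = large ? PGTY_large_kmalloc : PGTY_slab;
    pg->objects_in_use = 1;
}

/* mark_large=false: old behaviour; mark_large=true: patched behaviour. */
enum free_result model_kfree(struct page *pg, bool mark_large) {
    if (pg->type == PGTY_slab) {
        /* Freeing the last object releases the slab and clears PGTY_slab. */
        if (--pg->objects_in_use == 0)
            pg->type = PGTY_none;
        return FREED_SLAB;
    }
    if (!mark_large) {
        /* Old path: not a slab, so assume large kmalloc and free the pages.
         * On the second kfree() of a freed slab this frees already-free
         * memory, which the commit message says corrupts allocator metadata. */
        if (pg->objects_in_use == 0) {
            fprintf(stderr, "object pointer: %p\n", (void *)pg);
            return BOGUS_LARGE_FREE;
        }
        pg->objects_in_use = 0;
        return FREED_LARGE;
    }
    if (pg->type == PGTY_large_kmalloc) {
        /* Patched path: the type proves the pages are a live large kmalloc. */
        pg->type = PGTY_none;
        pg->objects_in_use = 0;
        return FREED_LARGE;
    }
    /* Neither type set: the memory is not ours any more, so bail out. */
    fprintf(stderr, "kfree: %p is not slab or large kmalloc\n", (void *)pg);
    return REJECTED;
}

int main(void) {
    struct page pg;
    model_alloc(&pg, false);                    /* p = kmalloc(1024) */
    model_kfree(&pg, true);                     /* kfree(p) */
    return model_kfree(&pg, true) == REJECTED ? 0 : 1; /* kfree(p) again */
}
```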