On Mon, Mar 09 2015, David Rientjes <rientjes@xxxxxxxxxx> wrote:
> Mempools keep elements in a reserved pool for contexts in which
> allocation may not be possible. When an element is allocated from the
> reserved pool, its memory contents is the same as when it was added to
> the reserved pool.
>
> Because of this, elements lack any free poisoning to detect
> use-after-free errors.
>
> This patch adds free poisoning for elements backed by the slab allocator.
> This is possible because the mempool layer knows the object size of each
> element.
>
> When an element is added to the reserved pool, it is poisoned with
> POISON_FREE. When it is removed from the reserved pool, the contents are
> checked for POISON_FREE. If there is a mismatch, a warning is emitted to
> the kernel log.
>
> +
> +static void poison_slab_element(mempool_t *pool, void *element)
> +{
> + if (pool->alloc == mempool_alloc_slab ||
> + pool->alloc == mempool_kmalloc) {
> + size_t size = ksize(element);
> + u8 *obj = element;
> +
> + memset(obj, POISON_FREE, size - 1);
> + obj[size - 1] = POISON_END;
> + }
> +}
Maybe a stupid question, but what happens if the underlying slab
allocator has non-trivial ->ctor?
Rasmus
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>