The patch titled
     slab: verify pointers before free
has been removed from the -mm tree. Its filename is
     slab-verify-pointers-before-free.patch

This patch was dropped because it was merged into mainline or a subsystem tree

------------------------------------------------------
Subject: slab: verify pointers before free
From: Pekka Enberg <penberg@xxxxxxxxxxxxxx>

Passing an invalid pointer to kfree() and kmem_cache_free() is likely to cause bad memory corruption or even take down the whole system because the bad pointer is likely reused immediately due to the per-CPU caches. Until now, we don't do any verification for this if CONFIG_DEBUG_SLAB is disabled.

As suggested by Linus, add PageSlab check to page_to_cache() and page_to_slab() to verify pointers passed to kfree(). Also, move the stronger check from cache_free_debugcheck() to kmem_cache_free() to ensure the passed pointer actually belongs to the cache we're about to free the object.

For page_to_cache() and page_to_slab(), the assertions should have virtually no extra cost (two instructions, no data cache pressure) and for kmem_cache_free() the overhead should be minimal.

Signed-off-by: Pekka Enberg <penberg@xxxxxxxxxxxxxx>
Cc: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx>
Cc: Christoph Lameter <clameter@xxxxxxxxxxxx>
Cc: Linus Torvalds <torvalds@xxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
--- mm/slab.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff -puN mm/slab.c~slab-verify-pointers-before-free mm/slab.c --- a/mm/slab.c~slab-verify-pointers-before-free +++ a/mm/slab.c @@ -592,6 +592,7 @@ static inline struct kmem_cache *page_ge { if (unlikely(PageCompound(page))) page = (struct page *)page_private(page); + BUG_ON(!PageSlab(page)); return (struct kmem_cache *)page->lru.next; } @@ -604,6 +605,7 @@ static inline struct slab *page_get_slab { if (unlikely(PageCompound(page))) page = (struct page *)page_private(page); + BUG_ON(!PageSlab(page)); return (struct slab *)page->lru.prev; } 
@@ -2669,15 +2671,6 @@ static void *cache_free_debugcheck(struc kfree_debugcheck(objp); page = virt_to_page(objp); - if (page_get_cache(page) != cachep) { - printk(KERN_ERR "mismatch in kmem_cache_free: expected " - "cache %p, got %p\n", - page_get_cache(page), cachep); - printk(KERN_ERR "%p is %s.\n", cachep, cachep->name); - printk(KERN_ERR "%p is %s.\n", page_get_cache(page), - page_get_cache(page)->name); - WARN_ON(1); - } slabp = page_get_slab(page); if (cachep->flags & SLAB_RED_ZONE) { @@ -3393,6 +3386,8 @@ void kmem_cache_free(struct kmem_cache * { unsigned long flags; + BUG_ON(virt_to_cache(objp) != cachep); + local_irq_save(flags); __cache_free(cachep, objp); local_irq_restore(flags); _ Patches currently in -mm which might be from penberg@xxxxxxxxxxxxxx are origin.patch git-gfs2.patch slab-leaks3-default-y.patch
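
Review bot: The changelog names page_to_cache() and page_to_slab(), but the two helper hunks place BUG_ON(!PageSlab(page)) in page_get_cache() and page_get_slab(), the same names used by the code removed from cache_free_debugcheck(), so the description should be corrected to match the functions actually changed. In both helpers the assertion sits after the PageCompound() redirect through page_private(page), so it tests the redirected page rather than the one the caller passed; a one-line comment saying that ordering is intended would help the next reader.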
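
Review bot: Removing the mismatch block from cache_free_debugcheck() drops the only output that identified both caches (the printk lines printing cachep->name and page_get_cache(page)->name), and the BUG_ON() that takes over the check in kmem_cache_free() carries no message of its own. Consider keeping one printk(KERN_ERR ...) with the two cache names ahead of the BUG, so a report still says which caches were confused.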
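
Review bot: In the kmem_cache_free() hunk, BUG_ON(virt_to_cache(objp) != cachep) replaces what was a WARN_ON(1) inside cache_free_debugcheck() with an unconditional BUG on every free, and there is no comment at the call site saying why warn-and-continue is no longer acceptable. Please add a short comment above the check carrying the changelog's reasoning (a pointer freed to the wrong cache is likely reused immediately through the per-CPU caches), so the severity change is documented in the code and not only in the commit message.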