mm/slab.c: Always redzone after constructor is called.

From: Daniel Santos
Date: Fri Feb 10 2012 - 19:16:22 EST


If a cache is created with (SLAB_POISON | SLAB_RED_ZONE) and a
constructor, the redzone is not checked immediately after the
constructor is called (if SLAB_POISON is not specified, it is).
Although it does appear that an overwritten red zone will get detected
when the object is freed, it won't isolate the buffer overrun to the
constructor.
---
mm/slab.c | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/mm/slab.c b/mm/slab.c
index 1a618b2..9baa287 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -3265,8 +3265,18 @@ static void *cache_alloc_debugcheck_after(struct kmem_cache *cachep,
}
#endif
objp += obj_offset(cachep);
- if (cachep->ctor && cachep->flags & SLAB_POISON)
+ if (cachep->ctor && cachep->flags & SLAB_POISON) {
cachep->ctor(objp);
+ if (cachep->flags & SLAB_RED_ZONE) {
+ void * origp = objp - obj_offset(cachep);
+ if (*dbg_redzone2(cachep, origp) != RED_ACTIVE)
+ slab_error(cachep, "constructor overwrote the"
+ " end of an object");
+ if (*dbg_redzone1(cachep, origp) != RED_ACTIVE)
+ slab_error(cachep, "constructor overwrote the"
+ " start of an object");
+ }
+ }
if (ARCH_SLAB_MINALIGN &&
((unsigned long)objp & (ARCH_SLAB_MINALIGN-1))) {
printk(KERN_ERR "0x%p: not aligned to ARCH_SLAB_MINALIGN=%d\n",
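Review bot: `void * origp` in the new block should be written `void *origp`, with the asterisk against the name, as everywhere else in this hunk (checkpatch will flag the extra space). The value itself is also recovered by subtracting obj_offset(cachep) on the line right after `objp += obj_offset(cachep);` added it; saving the pre-offset pointer before that line (e.g. `void *origp = objp;` ahead of the increment) avoids the back-and-forth arithmetic and keeps the red-zone helpers pointed at the same address the rest of the function uses. Finally, the two slab_error() messages say which red zone was hit but not what was found there; printing the observed red-zone value next to the expected RED_ACTIVE would make the report actionable when the corruption is a single-byte overrun.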
--
1.7.3.4


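The point of the patch is where the red-zone check runs: if it only happens at free time, a corrupted red zone could have been caused by the constructor or by anything that touched the object afterwards, whereas a check immediately after the constructor returns pins the overrun on the constructor. The following is an added, stand-alone user-space model of that idea; it is not code from mm/slab.c or from this patch. The slot layout ([red zone][payload][red zone]), the fixed payload size, the toy_* helpers and the sample constructors are all constructed for illustration; only the RED_ACTIVE/RED_INACTIVE marker values are taken from the kernel.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Marker values the kernel's slab debugging uses for its red zones. */
#define RED_INACTIVE 0x09F911029D74E35BULL
#define RED_ACTIVE   0xD84156C5635688C0ULL

#define TOY_OBJ_SIZE 24            /* constructed: payload bytes per object */
#define RZ_SIZE      sizeof(uint64_t)

typedef void (*toy_ctor_t)(void *obj);

enum toy_overrun {
	TOY_OK         = 0,
	TOY_OVER_START = 1,        /* red zone before the object was clobbered */
	TOY_OVER_END   = 2,        /* red zone after the object was clobbered  */
};

/* Slot layout: [red zone 1][payload of TOY_OBJ_SIZE bytes][red zone 2].
 * memcpy is used so the example does not depend on aligned 64-bit loads. */
static void rz_set(void *p, uint64_t v) { memcpy(p, &v, RZ_SIZE); }
static uint64_t rz_get(const void *p) { uint64_t v; memcpy(&v, p, RZ_SIZE); return v; }

static unsigned char *slot_of(void *obj) { return (unsigned char *)obj - RZ_SIZE; }
static unsigned char *rz1_of(void *obj)  { return slot_of(obj); }
static unsigned char *rz2_of(void *obj)  { return (unsigned char *)obj + TOY_OBJ_SIZE; }

/* Compare both red zones with the expected marker; returns a bitmask. */
static int toy_check_redzones(void *obj, uint64_t expect)
{
	int rc = TOY_OK;
	if (rz_get(rz2_of(obj)) != expect) rc |= TOY_OVER_END;
	if (rz_get(rz1_of(obj)) != expect) rc |= TOY_OVER_START;
	return rc;
}

/* Allocate a slot, arm the red zones, run the constructor and check the
 * red zones right away (what the patch adds). A non-zero result here can
 * only have been caused by the constructor. Returns -1 on allocation failure. */
int toy_alloc(toy_ctor_t ctor, void **objp)
{
	unsigned char *slot = malloc(2 * RZ_SIZE + TOY_OBJ_SIZE);
	if (!slot)
		return -1;
	void *obj = slot + RZ_SIZE;
	rz_set(rz1_of(obj), RED_ACTIVE);
	rz_set(rz2_of(obj), RED_ACTIVE);
	if (ctor)
		ctor(obj);
	*objp = obj;
	return toy_check_redzones(obj, RED_ACTIVE);
}

/* Free path: the same comparison, but at this point the damage could have
 * come from the constructor or from any later user of the object. */
int toy_free(void *obj)
{
	int rc = toy_check_redzones(obj, RED_ACTIVE);
	rz_set(rz1_of(obj), RED_INACTIVE);
	rz_set(rz2_of(obj), RED_INACTIVE);
	free(slot_of(obj));
	return rc;
}

/* Constructed sample constructors: one correct, one that writes one byte
 * past the end, one that writes one byte before the start. */
static void good_ctor(void *obj)          { memset(obj, 0, TOY_OBJ_SIZE); }
static void end_overrun_ctor(void *obj)   { memset(obj, 0xAA, TOY_OBJ_SIZE + 1); }
static void start_overrun_ctor(void *obj) { ((unsigned char *)obj)[-1] = 0xAA; memset(obj, 0, TOY_OBJ_SIZE); }

/* Run one constructor through alloc and free. Returns the alloc-time
 * verdict and stores the free-time verdict in *free_rc. */
int toy_demo(toy_ctor_t ctor, int *free_rc)
{
	void *obj;
	int rc = toy_alloc(ctor, &obj);
	if (rc < 0)
		return rc;
	*free_rc = toy_free(obj);
	return rc;
}

int main(void)
{
	int frc, arc;
	arc = toy_demo(good_ctor, &frc);
	printf("good ctor:          alloc=%d free=%d\n", arc, frc);
	arc = toy_demo(end_overrun_ctor, &frc);
	printf("end-overrun ctor:   alloc=%d free=%d\n", arc, frc);
	arc = toy_demo(start_overrun_ctor, &frc);
	printf("start-overrun ctor: alloc=%d free=%d\n", arc, frc);
	return 0;
}
```

With the two faulty constructors the free-time check also fires, which is the "detected when the object is freed" case from the commit message; only the alloc-time check, taken before any other code has touched the object, tells you the constructor was the culprit.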