From: Pekka Enberg <penberg@cs.helsinki.fi>
To: akpm@osdl.org
Cc: manfred@colorfullife.com, linux-kernel@vger.kernel.org
Subject: [PATCH] slab: redzone double-free detection
Date: Thu, 27 Apr 2006 20:47:56 +0300
Message-ID: <1146160076.11272.5.camel@localhost>
This patch adds double-free detection to redzone verification when freeing
an object. As explained by Manfred, when we are freeing an object, both
redzones should be RED_ACTIVE. However, if both are RED_INACTIVE, we are
trying to free an object that was already free'd.
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
---
slab.c | 32 +++++++++++++++++++++++---------
1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/mm/slab.c b/mm/slab.c
index e6ef9bd..7d982c1 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -2585,6 +2585,28 @@ static void kfree_debugcheck(const void
}
}
+static inline void verify_redzone_free(struct kmem_cache *cache, void *obj)
+{
+ unsigned long redzone1, redzone2;
+
+ redzone1 = *dbg_redzone1(cache, obj);
+ redzone2 = *dbg_redzone2(cache, obj);
+
+ /*
+ * Redzone is ok.
+ */
+ if (redzone1 == RED_ACTIVE && redzone2 == RED_ACTIVE)
+ return;
+
+ if (redzone1 == RED_INACTIVE && redzone2 == RED_INACTIVE)
+ slab_error(cache, "double free detected");
+ else
+ slab_error(cache, "memory outside object was overwritten");
+
+ printk(KERN_ERR "%p: redzone 1:0x%lx, redzone 2:0x%lx.\n",
+ obj, redzone1, redzone2);
+}
+
static void *cache_free_debugcheck(struct kmem_cache *cachep, void *objp,
void *caller)
{
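Review bot: the else branch in verify_redzone_free() reports "memory outside object was overwritten" for every state other than both-ACTIVE or both-INACTIVE, including the case where one redzone is RED_INACTIVE and the other holds a different value. That mixed state can also follow a free that was then partly overwritten, so the message may point the reader away from a double free. Consider wording the else message so it does not exclude that possibility, or note in a comment that the printed redzone values are what disambiguate. Minor style points: the three-line "Redzone is ok." comment fits on one line, and inline is not needed on a static helper that is only reached on the debug free path.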
@@ -2608,15 +2630,7 @@ static void *cache_free_debugcheck(struc
slabp = page_get_slab(page);
if (cachep->flags & SLAB_RED_ZONE) {
- if (*dbg_redzone1(cachep, objp) != RED_ACTIVE ||
- *dbg_redzone2(cachep, objp) != RED_ACTIVE) {
- slab_error(cachep, "double free, or memory outside"
- " object was overwritten");
- printk(KERN_ERR "%p: redzone 1:0x%lx, "
- "redzone 2:0x%lx.\n",
- objp, *dbg_redzone1(cachep, objp),
- *dbg_redzone2(cachep, objp));
- }
+ verify_redzone_free(cachep, objp);
*dbg_redzone1(cachep, objp) = RED_INACTIVE;
*dbg_redzone2(cachep, objp) = RED_INACTIVE;
}
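Review bot: after verify_redzone_free(cachep, objp) has reported a problem, the two following lines still store RED_INACTIVE into both redzones, so the evidence of which state was found is overwritten and the caller has no way to react differently to a detected double free. This matches what the removed block did, but now that the double-free case is identified separately it would be worth either returning a status from the helper so cache_free_debugcheck() can decide how to proceed, or stating in the changelog that detection remains report-only.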