Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-09 22:50:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

flex_array: poison free elements

Browse Source 
Newly initialized flex_array's and/or flex_array_part's are now poisoned
with a new poison value, FLEX_ARRAY_FREE.  It's value is similar to
POISON_FREE used in the various slab allocators, but is different to
distinguish between flex array's poisoned kmem and slab allocator poisoned
kmem.

This will allow us to identify flex_array_part's that only contain free
elements (and free them with an addition to the flex_array API).  This
could also be extended in the future to identify `get' uses on elements
that have not been `put'.

If __GFP_ZERO is passed for a part's gfp mask, the poisoning is avoided.
These elements are considered to be in-use since they have been
initialized.

Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Dave Hansen <dave@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
David Rientjes 2009-09-21 17:04:31 -07:00 committed by Linus Torvalds
parent e6de3988aa
commit 19da3dd157
2 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/linux/poison.h
View File

@ -65,6 +65,9 @@
#define MUTEX_DEBUG_INIT 0x11 #define MUTEX_DEBUG_INIT 0x11
#define MUTEX_DEBUG_FREE 0x22 #define MUTEX_DEBUG_FREE 0x22
/********** lib/flex_array.c **********/
#define FLEX_ARRAY_FREE 0x6c /* for use-after-free poisoning */
/********** security/ **********/ /********** security/ **********/
#define KEY_DESTROY 0xbd #define KEY_DESTROY 0xbd

15
lib/flex_array.c
View File

@ -113,6 +113,8 @@ struct flex_array *flex_array_alloc(int element_size, unsigned int total,
return NULL; return NULL;
ret->element_size = element_size; ret->element_size = element_size;
ret->total_nr_elements = total; ret->total_nr_elements = total;
if (elements_fit_in_base(ret) && !(flags & __GFP_ZERO))
memset(ret->parts[0], FLEX_ARRAY_FREE, bytes_left_in_base());
return ret; return ret;
} }
@ -159,15 +161,12 @@ __fa_get_part(struct flex_array *fa, int part_nr, gfp_t flags)
{ {
struct flex_array_part *part = fa->parts[part_nr]; struct flex_array_part *part = fa->parts[part_nr];
if (!part) { if (!part) {
/* part = kmalloc(sizeof(struct flex_array_part), flags);
* This leaves the part pages uninitialized
* and with potentially random data, just
* as if the user had kmalloc()'d the whole.
* __GFP_ZERO can be used to zero it.
*/
part = kmalloc(FLEX_ARRAY_PART_SIZE, flags);
if (!part) if (!part)
return NULL; return NULL;
if (!(flags & __GFP_ZERO))
memset(part, FLEX_ARRAY_FREE,
sizeof(struct flex_array_part));
fa->parts[part_nr] = part; fa->parts[part_nr] = part;
} }
return part; return part;
@ -228,7 +227,7 @@ int flex_array_clear(struct flex_array *fa, unsigned int element_nr)
return -EINVAL; return -EINVAL;
} }
dst = &part->elements[index_inside_part(fa, element_nr)]; dst = &part->elements[index_inside_part(fa, element_nr)];
memset(dst, 0, fa->element_size); memset(dst, FLEX_ARRAY_FREE, fa->element_size);
return 0; return 0;
} }