authorDavid Rientjes <rientjes@google.com>2009-09-21 20:04:31 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-09-22 10:17:47 -0400
commit19da3dd157f8db6fe727ff268dab4791d55a6371 (patch)
tree4259074638b384e765c73542d74dd8f44750068b
parente6de3988aa52debb25a427d085061f3bf1181d54 (diff)
flex_array: poison free elements
Newly initialized flex_array's and/or flex_array_part's are now poisoned with a new poison value, FLEX_ARRAY_FREE. Its value is similar to POISON_FREE used in the various slab allocators, but is different to distinguish between flex array's poisoned kmem and slab allocator poisoned kmem. This will allow us to identify flex_array_part's that only contain free elements (and free them with an addition to the flex_array API). This could also be extended in the future to identify `get' uses on elements that have not been `put'. If __GFP_ZERO is passed for a part's gfp mask, the poisoning is avoided. These elements are considered to be in-use since they have been initialized. Signed-off-by: David Rientjes <rientjes@google.com> Cc: Dave Hansen <dave@linux.vnet.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--include/linux/poison.h3
-rw-r--r--lib/flex_array.c15
2 files changed, 10 insertions, 8 deletions
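diff --git a/include/linux/poison.h b/include/linux/poison.h
index 6729f7dcd60e..7fc194aef8c2 100644
--- a/include/linux/poison.h
+++ b/include/linux/poison.h
@@ -65,6 +65,9 @@
 #define MUTEX_DEBUG_INIT 0x11
 #define MUTEX_DEBUG_FREE 0x22
 
+/********** lib/flex_array.c **********/
+#define FLEX_ARRAY_FREE 0x6c /* for use-after-free poisoning */
+
 /********** security/ **********/
 #define KEY_DESTROY 0xbd
 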
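Review bot: The comment on `FLEX_ARRAY_FREE` (new line 69) says "for use-after-free poisoning", but per the commit message the value marks never-written or cleared elements so that all-free parts can be found, and the property it depends on is being distinct from `POISON_FREE` so flex_array poison is not mistaken for slab poison. Nothing in the header records that distinctness requirement, so a later change to either constant could make the two patterns indistinguishable without any warning. Suggest `#define FLEX_ARRAY_FREE 0x6c /* marks free flex_array elements; must differ from POISON_FREE (slab) */`.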
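diff --git a/lib/flex_array.c b/lib/flex_array.c
index b68f99be4080..e22d0e9776aa 100644
--- a/lib/flex_array.c
+++ b/lib/flex_array.c
@@ -113,6 +113,8 @@ struct flex_array *flex_array_alloc(int element_size, unsigned int total,
  return NULL;
  ret->element_size = element_size;
  ret->total_nr_elements = total;
+ if (elements_fit_in_base(ret) && !(flags & __GFP_ZERO))
+ memset(ret->parts[0], FLEX_ARRAY_FREE, bytes_left_in_base());
  return ret;
 }
 
@@ -159,15 +161,12 @@ __fa_get_part(struct flex_array *fa, int part_nr, gfp_t flags)
 {
  struct flex_array_part *part = fa->parts[part_nr];
  if (!part) {
- /*
- * This leaves the part pages uninitialized
- * and with potentially random data, just
- * as if the user had kmalloc()'d the whole.
- * __GFP_ZERO can be used to zero it.
- */
- part = kmalloc(FLEX_ARRAY_PART_SIZE, flags);
+ part = kmalloc(sizeof(struct flex_array_part), flags);
  if (!part)
  return NULL;
+ if (!(flags & __GFP_ZERO))
+ memset(part, FLEX_ARRAY_FREE,
+ sizeof(struct flex_array_part));
  fa->parts[part_nr] = part;
  }
  return part;
@@ -228,7 +227,7 @@ int flex_array_clear(struct flex_array *fa, unsigned int element_nr)
  return -EINVAL;
  }
  dst = &part->elements[index_inside_part(fa, element_nr)];
- memset(dst, 0, fa->element_size);
+ memset(dst, FLEX_ARRAY_FREE, fa->element_size);
  return 0;
 }
 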
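Review bot: `flex_array_clear()` now writes `FLEX_ARRAY_FREE` over the element instead of zeroing it (new line 230), a caller-visible change that the commit message does not mention: a user that clears an element and later reads it back expecting zero bytes — a NULL pointer, a zero count — would now see 0x6c-filled memory, and a pointer read from it is a non-NULL garbage value rather than one that fails a NULL check. It also sits oddly with the `__GFP_ZERO` rule in the message, since elements of a part allocated with `__GFP_ZERO` are described as in-use yet become poisoned the moment they are cleared. The function's documentation and the start of its body are outside this hunk, so at minimum add above the memset: `/* Poison rather than zero: a cleared element is "free" and reads back as FLEX_ARRAY_FREE bytes, not 0. */`. Any future scan that frees parts holding only poisoned elements should also be documented as heuristic, since live data that happens to equal the poison pattern is indistinguishable from a cleared element.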