diff options
Diffstat (limited to 'mm/slab.c')
| -rw-r--r-- | mm/slab.c | 367 | 
1 files changed, 230 insertions, 137 deletions
| diff --git a/mm/slab.c b/mm/slab.c index 4765c97ce690..8fc762c178bd 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -390,36 +390,26 @@ static void **dbg_userword(struct kmem_cache *cachep, void *objp)  #endif -#define OBJECT_FREE (0) -#define OBJECT_ACTIVE (1) -  #ifdef CONFIG_DEBUG_SLAB_LEAK -static void set_obj_status(struct page *page, int idx, int val) +static inline bool is_store_user_clean(struct kmem_cache *cachep)  { -	int freelist_size; -	char *status; -	struct kmem_cache *cachep = page->slab_cache; - -	freelist_size = cachep->num * sizeof(freelist_idx_t); -	status = (char *)page->freelist + freelist_size; -	status[idx] = val; +	return atomic_read(&cachep->store_user_clean) == 1;  } -static inline unsigned int get_obj_status(struct page *page, int idx) +static inline void set_store_user_clean(struct kmem_cache *cachep)  { -	int freelist_size; -	char *status; -	struct kmem_cache *cachep = page->slab_cache; - -	freelist_size = cachep->num * sizeof(freelist_idx_t); -	status = (char *)page->freelist + freelist_size; +	atomic_set(&cachep->store_user_clean, 1); +} -	return status[idx]; +static inline void set_store_user_dirty(struct kmem_cache *cachep) +{ +	if (is_store_user_clean(cachep)) +		atomic_set(&cachep->store_user_clean, 0);  }  #else -static inline void set_obj_status(struct page *page, int idx, int val) {} +static inline void set_store_user_dirty(struct kmem_cache *cachep) {}  #endif @@ -480,9 +470,6 @@ static size_t calculate_freelist_size(int nr_objs, size_t align)  	size_t freelist_size;  	freelist_size = nr_objs * sizeof(freelist_idx_t); -	if (IS_ENABLED(CONFIG_DEBUG_SLAB_LEAK)) -		freelist_size += nr_objs * sizeof(char); -  	if (align)  		freelist_size = ALIGN(freelist_size, align); @@ -495,10 +482,7 @@ static int calculate_nr_objs(size_t slab_size, size_t buffer_size,  	int nr_objs;  	size_t remained_size;  	size_t freelist_size; -	int extra_space = 0; -	if (IS_ENABLED(CONFIG_DEBUG_SLAB_LEAK)) -		extra_space = sizeof(char);  	/*  	 * Ignore padding for the initial guess. The padding  	 * is at most @align-1 bytes, and @buffer_size is at @@ -507,7 +491,7 @@ static int calculate_nr_objs(size_t slab_size, size_t buffer_size,  	 * into the memory allocation when taking the padding  	 * into account.  	 */ -	nr_objs = slab_size / (buffer_size + idx_size + extra_space); +	nr_objs = slab_size / (buffer_size + idx_size);  	/*  	 * This calculated number will be either the right @@ -1670,6 +1654,14 @@ static void kmem_rcu_free(struct rcu_head *head)  }  #if DEBUG +static bool is_debug_pagealloc_cache(struct kmem_cache *cachep) +{ +	if (debug_pagealloc_enabled() && OFF_SLAB(cachep) && +		(cachep->size % PAGE_SIZE) == 0) +		return true; + +	return false; +}  #ifdef CONFIG_DEBUG_PAGEALLOC  static void store_stackinfo(struct kmem_cache *cachep, unsigned long *addr, @@ -1703,6 +1695,23 @@ static void store_stackinfo(struct kmem_cache *cachep, unsigned long *addr,  	}  	*addr++ = 0x87654321;  } + +static void slab_kernel_map(struct kmem_cache *cachep, void *objp, +				int map, unsigned long caller) +{ +	if (!is_debug_pagealloc_cache(cachep)) +		return; + +	if (caller) +		store_stackinfo(cachep, objp, caller); + +	kernel_map_pages(virt_to_page(objp), cachep->size / PAGE_SIZE, map); +} + +#else +static inline void slab_kernel_map(struct kmem_cache *cachep, void *objp, +				int map, unsigned long caller) {} +  #endif  static void poison_obj(struct kmem_cache *cachep, void *addr, unsigned char val) @@ -1733,11 +1742,9 @@ static void dump_line(char *data, int offset, int limit)  	if (bad_count == 1) {  		error ^= POISON_FREE;  		if (!(error & (error - 1))) { -			printk(KERN_ERR "Single bit error detected. Probably " -					"bad RAM.\n"); +			printk(KERN_ERR "Single bit error detected. Probably bad RAM.\n");  #ifdef CONFIG_X86 -			printk(KERN_ERR "Run memtest86+ or a similar memory " -					"test tool.\n"); +			printk(KERN_ERR "Run memtest86+ or a similar memory test tool.\n");  #else  			printk(KERN_ERR "Run a memory test tool.\n");  #endif @@ -1781,6 +1788,9 @@ static void check_poison_obj(struct kmem_cache *cachep, void *objp)  	int size, i;  	int lines = 0; +	if (is_debug_pagealloc_cache(cachep)) +		return; +  	realobj = (char *)objp + obj_offset(cachep);  	size = cachep->object_size; @@ -1846,24 +1856,14 @@ static void slab_destroy_debugcheck(struct kmem_cache *cachep,  		void *objp = index_to_obj(cachep, page, i);  		if (cachep->flags & SLAB_POISON) { -#ifdef CONFIG_DEBUG_PAGEALLOC -			if (cachep->size % PAGE_SIZE == 0 && -					OFF_SLAB(cachep)) -				kernel_map_pages(virt_to_page(objp), -					cachep->size / PAGE_SIZE, 1); -			else -				check_poison_obj(cachep, objp); -#else  			check_poison_obj(cachep, objp); -#endif +			slab_kernel_map(cachep, objp, 1, 0);  		}  		if (cachep->flags & SLAB_RED_ZONE) {  			if (*dbg_redzone1(cachep, objp) != RED_INACTIVE) -				slab_error(cachep, "start of a freed object " -					   "was overwritten"); +				slab_error(cachep, "start of a freed object was overwritten");  			if (*dbg_redzone2(cachep, objp) != RED_INACTIVE) -				slab_error(cachep, "end of a freed object " -					   "was overwritten"); +				slab_error(cachep, "end of a freed object was overwritten");  		}  	}  } @@ -1945,16 +1945,13 @@ static size_t calculate_slab_order(struct kmem_cache *cachep,  			break;  		if (flags & CFLGS_OFF_SLAB) { -			size_t freelist_size_per_obj = sizeof(freelist_idx_t);  			/*  			 * Max number of objs-per-slab for caches which  			 * use off-slab slabs. Needed to avoid a possible  			 * looping condition in cache_grow().  			 */ -			if (IS_ENABLED(CONFIG_DEBUG_SLAB_LEAK)) -				freelist_size_per_obj += sizeof(char);  			offslab_limit = size; -			offslab_limit /= freelist_size_per_obj; +			offslab_limit /= sizeof(freelist_idx_t);   			if (num > offslab_limit)  				break; @@ -2179,7 +2176,19 @@ __kmem_cache_create (struct kmem_cache *cachep, unsigned long flags)  		else  			size += BYTES_PER_WORD;  	} -#if FORCED_DEBUG && defined(CONFIG_DEBUG_PAGEALLOC) +#endif + +	kasan_cache_create(cachep, &size, &flags); + +	size = ALIGN(size, cachep->align); +	/* +	 * We should restrict the number of objects in a slab to implement +	 * byte sized index. Refer comment on SLAB_OBJ_MIN_SIZE definition. +	 */ +	if (FREELIST_BYTE_INDEX && size < SLAB_OBJ_MIN_SIZE) +		size = ALIGN(SLAB_OBJ_MIN_SIZE, cachep->align); + +#if DEBUG  	/*  	 * To activate debug pagealloc, off-slab management is necessary  	 * requirement. In early phase of initialization, small sized slab @@ -2187,14 +2196,14 @@ __kmem_cache_create (struct kmem_cache *cachep, unsigned long flags)  	 * to check size >= 256. It guarantees that all necessary small  	 * sized slab is initialized in current slab initialization sequence.  	 */ -	if (!slab_early_init && size >= kmalloc_size(INDEX_NODE) && +	if (debug_pagealloc_enabled() && (flags & SLAB_POISON) && +		!slab_early_init && size >= kmalloc_size(INDEX_NODE) &&  		size >= 256 && cachep->object_size > cache_line_size() && -		ALIGN(size, cachep->align) < PAGE_SIZE) { -		cachep->obj_offset += PAGE_SIZE - ALIGN(size, cachep->align); +		size < PAGE_SIZE) { +		cachep->obj_offset += PAGE_SIZE - size;  		size = PAGE_SIZE;  	}  #endif -#endif  	/*  	 * Determine if the slab management is 'on' or 'off' slab. @@ -2203,20 +2212,13 @@ __kmem_cache_create (struct kmem_cache *cachep, unsigned long flags)  	 * SLAB_NOLEAKTRACE to avoid recursive calls into kmemleak)  	 */  	if (size >= OFF_SLAB_MIN_SIZE && !slab_early_init && -	    !(flags & SLAB_NOLEAKTRACE)) +	    !(flags & SLAB_NOLEAKTRACE)) {  		/*  		 * Size is large, assume best to place the slab management obj  		 * off-slab (should allow better packing of objs).  		 */  		flags |= CFLGS_OFF_SLAB; - -	size = ALIGN(size, cachep->align); -	/* -	 * We should restrict the number of objects in a slab to implement -	 * byte sized index. Refer comment on SLAB_OBJ_MIN_SIZE definition. -	 */ -	if (FREELIST_BYTE_INDEX && size < SLAB_OBJ_MIN_SIZE) -		size = ALIGN(SLAB_OBJ_MIN_SIZE, cachep->align); +	}  	left_over = calculate_slab_order(cachep, size, cachep->align, flags); @@ -2237,15 +2239,6 @@ __kmem_cache_create (struct kmem_cache *cachep, unsigned long flags)  	if (flags & CFLGS_OFF_SLAB) {  		/* really off slab. No need for manual alignment */  		freelist_size = calculate_freelist_size(cachep->num, 0); - -#ifdef CONFIG_PAGE_POISONING -		/* If we're going to use the generic kernel_map_pages() -		 * poisoning, then it's going to smash the contents of -		 * the redzone and userword anyhow, so switch them off. -		 */ -		if (size % PAGE_SIZE == 0 && flags & SLAB_POISON) -			flags &= ~(SLAB_RED_ZONE | SLAB_STORE_USER); -#endif  	}  	cachep->colour_off = cache_line_size(); @@ -2261,7 +2254,19 @@ __kmem_cache_create (struct kmem_cache *cachep, unsigned long flags)  	cachep->size = size;  	cachep->reciprocal_buffer_size = reciprocal_value(size); -	if (flags & CFLGS_OFF_SLAB) { +#if DEBUG +	/* +	 * If we're going to use the generic kernel_map_pages() +	 * poisoning, then it's going to smash the contents of +	 * the redzone and userword anyhow, so switch them off. +	 */ +	if (IS_ENABLED(CONFIG_PAGE_POISONING) && +		(cachep->flags & SLAB_POISON) && +		is_debug_pagealloc_cache(cachep)) +		cachep->flags &= ~(SLAB_RED_ZONE | SLAB_STORE_USER); +#endif + +	if (OFF_SLAB(cachep)) {  		cachep->freelist_cache = kmalloc_slab(freelist_size, 0u);  		/*  		 * This is a possibility for one of the kmalloc_{dma,}_caches. @@ -2480,17 +2485,14 @@ static inline void set_free_obj(struct page *page,  	((freelist_idx_t *)(page->freelist))[idx] = val;  } -static void cache_init_objs(struct kmem_cache *cachep, -			    struct page *page) +static void cache_init_objs_debug(struct kmem_cache *cachep, struct page *page)  { +#if DEBUG  	int i;  	for (i = 0; i < cachep->num; i++) {  		void *objp = index_to_obj(cachep, page, i); -#if DEBUG -		/* need to poison the objs? */ -		if (cachep->flags & SLAB_POISON) -			poison_obj(cachep, objp, POISON_FREE); +		kasan_init_slab_obj(cachep, objp);  		if (cachep->flags & SLAB_STORE_USER)  			*dbg_userword(cachep, objp) = NULL; @@ -2503,26 +2505,46 @@ static void cache_init_objs(struct kmem_cache *cachep,  		 * cache which they are a constructor for.  Otherwise, deadlock.  		 * They must also be threaded.  		 */ -		if (cachep->ctor && !(cachep->flags & SLAB_POISON)) +		if (cachep->ctor && !(cachep->flags & SLAB_POISON)) { +			kasan_unpoison_object_data(cachep, +						   objp + obj_offset(cachep));  			cachep->ctor(objp + obj_offset(cachep)); +			kasan_poison_object_data( +				cachep, objp + obj_offset(cachep)); +		}  		if (cachep->flags & SLAB_RED_ZONE) {  			if (*dbg_redzone2(cachep, objp) != RED_INACTIVE) -				slab_error(cachep, "constructor overwrote the" -					   " end of an object"); +				slab_error(cachep, "constructor overwrote the end of an object");  			if (*dbg_redzone1(cachep, objp) != RED_INACTIVE) -				slab_error(cachep, "constructor overwrote the" -					   " start of an object"); +				slab_error(cachep, "constructor overwrote the start of an object");  		} -		if ((cachep->size % PAGE_SIZE) == 0 && -			    OFF_SLAB(cachep) && cachep->flags & SLAB_POISON) -			kernel_map_pages(virt_to_page(objp), -					 cachep->size / PAGE_SIZE, 0); -#else -		if (cachep->ctor) -			cachep->ctor(objp); +		/* need to poison the objs? */ +		if (cachep->flags & SLAB_POISON) { +			poison_obj(cachep, objp, POISON_FREE); +			slab_kernel_map(cachep, objp, 0, 0); +		} +	}  #endif -		set_obj_status(page, i, OBJECT_FREE); +} + +static void cache_init_objs(struct kmem_cache *cachep, +			    struct page *page) +{ +	int i; +	void *objp; + +	cache_init_objs_debug(cachep, page); + +	for (i = 0; i < cachep->num; i++) { +		/* constructor could break poison info */ +		if (DEBUG == 0 && cachep->ctor) { +			objp = index_to_obj(cachep, page, i); +			kasan_unpoison_object_data(cachep, objp); +			cachep->ctor(objp); +			kasan_poison_object_data(cachep, objp); +		} +  		set_free_obj(page, i, i);  	}  } @@ -2548,6 +2570,11 @@ static void *slab_get_obj(struct kmem_cache *cachep, struct page *page,  	WARN_ON(page_to_nid(virt_to_page(objp)) != nodeid);  #endif +#if DEBUG +	if (cachep->flags & SLAB_STORE_USER) +		set_store_user_dirty(cachep); +#endif +  	return objp;  } @@ -2564,8 +2591,8 @@ static void slab_put_obj(struct kmem_cache *cachep, struct page *page,  	/* Verify double free bug */  	for (i = page->active; i < cachep->num; i++) {  		if (get_free_obj(page, i) == objnr) { -			printk(KERN_ERR "slab: double free detected in cache " -					"'%s', objp %p\n", cachep->name, objp); +			printk(KERN_ERR "slab: double free detected in cache '%s', objp %p\n", +			       cachep->name, objp);  			BUG();  		}  	} @@ -2650,6 +2677,7 @@ static int cache_grow(struct kmem_cache *cachep,  	slab_map_pages(cachep, page, freelist); +	kasan_poison_slab(page);  	cache_init_objs(cachep, page);  	if (gfpflags_allow_blocking(local_flags)) @@ -2726,27 +2754,19 @@ static void *cache_free_debugcheck(struct kmem_cache *cachep, void *objp,  		*dbg_redzone1(cachep, objp) = RED_INACTIVE;  		*dbg_redzone2(cachep, objp) = RED_INACTIVE;  	} -	if (cachep->flags & SLAB_STORE_USER) +	if (cachep->flags & SLAB_STORE_USER) { +		set_store_user_dirty(cachep);  		*dbg_userword(cachep, objp) = (void *)caller; +	}  	objnr = obj_to_index(cachep, page, objp);  	BUG_ON(objnr >= cachep->num);  	BUG_ON(objp != index_to_obj(cachep, page, objnr)); -	set_obj_status(page, objnr, OBJECT_FREE);  	if (cachep->flags & SLAB_POISON) { -#ifdef CONFIG_DEBUG_PAGEALLOC -		if ((cachep->size % PAGE_SIZE)==0 && OFF_SLAB(cachep)) { -			store_stackinfo(cachep, objp, caller); -			kernel_map_pages(virt_to_page(objp), -					 cachep->size / PAGE_SIZE, 0); -		} else { -			poison_obj(cachep, objp, POISON_FREE); -		} -#else  		poison_obj(cachep, objp, POISON_FREE); -#endif +		slab_kernel_map(cachep, objp, 0, caller);  	}  	return objp;  } @@ -2868,20 +2888,11 @@ static inline void cache_alloc_debugcheck_before(struct kmem_cache *cachep,  static void *cache_alloc_debugcheck_after(struct kmem_cache *cachep,  				gfp_t flags, void *objp, unsigned long caller)  { -	struct page *page; -  	if (!objp)  		return objp;  	if (cachep->flags & SLAB_POISON) { -#ifdef CONFIG_DEBUG_PAGEALLOC -		if ((cachep->size % PAGE_SIZE) == 0 && OFF_SLAB(cachep)) -			kernel_map_pages(virt_to_page(objp), -					 cachep->size / PAGE_SIZE, 1); -		else -			check_poison_obj(cachep, objp); -#else  		check_poison_obj(cachep, objp); -#endif +		slab_kernel_map(cachep, objp, 1, 0);  		poison_obj(cachep, objp, POISON_INUSE);  	}  	if (cachep->flags & SLAB_STORE_USER) @@ -2890,8 +2901,7 @@ static void *cache_alloc_debugcheck_after(struct kmem_cache *cachep,  	if (cachep->flags & SLAB_RED_ZONE) {  		if (*dbg_redzone1(cachep, objp) != RED_INACTIVE ||  				*dbg_redzone2(cachep, objp) != RED_INACTIVE) { -			slab_error(cachep, "double free, or memory outside" -						" object was overwritten"); +			slab_error(cachep, "double free, or memory outside object was overwritten");  			printk(KERN_ERR  				"%p: redzone 1:0x%llx, redzone 2:0x%llx\n",  				objp, *dbg_redzone1(cachep, objp), @@ -2901,8 +2911,6 @@ static void *cache_alloc_debugcheck_after(struct kmem_cache *cachep,  		*dbg_redzone2(cachep, objp) = RED_ACTIVE;  	} -	page = virt_to_head_page(objp); -	set_obj_status(page, obj_to_index(cachep, page, objp), OBJECT_ACTIVE);  	objp += obj_offset(cachep);  	if (cachep->ctor && cachep->flags & SLAB_POISON)  		cachep->ctor(objp); @@ -3366,6 +3374,16 @@ free_done:  static inline void __cache_free(struct kmem_cache *cachep, void *objp,  				unsigned long caller)  { +	/* Put the object into the quarantine, don't touch it for now. */ +	if (kasan_slab_free(cachep, objp)) +		return; + +	___cache_free(cachep, objp, caller); +} + +void ___cache_free(struct kmem_cache *cachep, void *objp, +		unsigned long caller) +{  	struct array_cache *ac = cpu_cache_get(cachep);  	check_irq_off(); @@ -3406,6 +3424,7 @@ void *kmem_cache_alloc(struct kmem_cache *cachep, gfp_t flags)  {  	void *ret = slab_alloc(cachep, flags, _RET_IP_); +	kasan_slab_alloc(cachep, ret, flags);  	trace_kmem_cache_alloc(_RET_IP_, ret,  			       cachep->object_size, cachep->size, flags); @@ -3434,6 +3453,7 @@ kmem_cache_alloc_trace(struct kmem_cache *cachep, gfp_t flags, size_t size)  	ret = slab_alloc(cachep, flags, _RET_IP_); +	kasan_kmalloc(cachep, ret, size, flags);  	trace_kmalloc(_RET_IP_, ret,  		      size, cachep->size, flags);  	return ret; @@ -3457,6 +3477,7 @@ void *kmem_cache_alloc_node(struct kmem_cache *cachep, gfp_t flags, int nodeid)  {  	void *ret = slab_alloc_node(cachep, flags, nodeid, _RET_IP_); +	kasan_slab_alloc(cachep, ret, flags);  	trace_kmem_cache_alloc_node(_RET_IP_, ret,  				    cachep->object_size, cachep->size,  				    flags, nodeid); @@ -3475,6 +3496,7 @@ void *kmem_cache_alloc_node_trace(struct kmem_cache *cachep,  	ret = slab_alloc_node(cachep, flags, nodeid, _RET_IP_); +	kasan_kmalloc(cachep, ret, size, flags);  	trace_kmalloc_node(_RET_IP_, ret,  			   size, cachep->size,  			   flags, nodeid); @@ -3487,11 +3509,15 @@ static __always_inline void *  __do_kmalloc_node(size_t size, gfp_t flags, int node, unsigned long caller)  {  	struct kmem_cache *cachep; +	void *ret;  	cachep = kmalloc_slab(size, flags);  	if (unlikely(ZERO_OR_NULL_PTR(cachep)))  		return cachep; -	return kmem_cache_alloc_node_trace(cachep, flags, node, size); +	ret = kmem_cache_alloc_node_trace(cachep, flags, node, size); +	kasan_kmalloc(cachep, ret, size, flags); + +	return ret;  }  void *__kmalloc_node(size_t size, gfp_t flags, int node) @@ -3525,6 +3551,7 @@ static __always_inline void *__do_kmalloc(size_t size, gfp_t flags,  		return cachep;  	ret = slab_alloc(cachep, flags, caller); +	kasan_kmalloc(cachep, ret, size, flags);  	trace_kmalloc(caller, ret,  		      size, cachep->size, flags); @@ -3998,8 +4025,7 @@ void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep)  		unsigned long node_frees = cachep->node_frees;  		unsigned long overflows = cachep->node_overflow; -		seq_printf(m, " : globalstat %7lu %6lu %5lu %4lu " -			   "%4lu %4lu %4lu %4lu %4lu", +		seq_printf(m, " : globalstat %7lu %6lu %5lu %4lu %4lu %4lu %4lu %4lu %4lu",  			   allocs, high, grown,  			   reaped, errors, max_freeable, node_allocs,  			   node_frees, overflows); @@ -4104,15 +4130,34 @@ static void handle_slab(unsigned long *n, struct kmem_cache *c,  						struct page *page)  {  	void *p; -	int i; +	int i, j; +	unsigned long v;  	if (n[0] == n[1])  		return;  	for (i = 0, p = page->s_mem; i < c->num; i++, p += c->size) { -		if (get_obj_status(page, i) != OBJECT_ACTIVE) +		bool active = true; + +		for (j = page->active; j < c->num; j++) { +			if (get_free_obj(page, j) == i) { +				active = false; +				break; +			} +		} + +		if (!active) +			continue; + +		/* +		 * probe_kernel_read() is used for DEBUG_PAGEALLOC. page table +		 * mapping is established when actual object allocation and +		 * we could mistakenly access the unmapped object in the cpu +		 * cache. +		 */ +		if (probe_kernel_read(&v, dbg_userword(c, p), sizeof(v)))  			continue; -		if (!add_caller(n, (unsigned long)*dbg_userword(c, p))) +		if (!add_caller(n, v))  			return;  	}  } @@ -4148,21 +4193,31 @@ static int leaks_show(struct seq_file *m, void *p)  	if (!(cachep->flags & SLAB_RED_ZONE))  		return 0; -	/* OK, we can do it */ +	/* +	 * Set store_user_clean and start to grab stored user information +	 * for all objects on this cache. If some alloc/free requests comes +	 * during the processing, information would be wrong so restart +	 * whole processing. +	 */ +	do { +		set_store_user_clean(cachep); +		drain_cpu_caches(cachep); -	x[1] = 0; +		x[1] = 0; -	for_each_kmem_cache_node(cachep, node, n) { +		for_each_kmem_cache_node(cachep, node, n) { -		check_irq_on(); -		spin_lock_irq(&n->list_lock); +			check_irq_on(); +			spin_lock_irq(&n->list_lock); + +			list_for_each_entry(page, &n->slabs_full, lru) +				handle_slab(x, cachep, page); +			list_for_each_entry(page, &n->slabs_partial, lru) +				handle_slab(x, cachep, page); +			spin_unlock_irq(&n->list_lock); +		} +	} while (!is_store_user_clean(cachep)); -		list_for_each_entry(page, &n->slabs_full, lru) -			handle_slab(x, cachep, page); -		list_for_each_entry(page, &n->slabs_partial, lru) -			handle_slab(x, cachep, page); -		spin_unlock_irq(&n->list_lock); -	}  	name = cachep->name;  	if (x[0] == x[1]) {  		/* Increase the buffer size */ @@ -4228,6 +4283,36 @@ static int __init slab_proc_init(void)  module_init(slab_proc_init);  #endif +#ifdef CONFIG_HARDENED_USERCOPY +/* + * Rejects objects that are incorrectly sized. + * + * Returns NULL if check passes, otherwise const char * to name of cache + * to indicate an error. + */ +const char *__check_heap_object(const void *ptr, unsigned long n, +				struct page *page) +{ +	struct kmem_cache *cachep; +	unsigned int objnr; +	unsigned long offset; + +	/* Find and validate object. */ +	cachep = page->slab_cache; +	objnr = obj_to_index(cachep, page, (void *)ptr); +	BUG_ON(objnr >= cachep->num); + +	/* Find offset within object. */ +	offset = ptr - index_to_obj(cachep, page, objnr) - obj_offset(cachep); + +	/* Allow address range falling entirely within object size. */ +	if (offset <= cachep->object_size && n <= cachep->object_size - offset) +		return NULL; + +	return cachep->name; +} +#endif /* CONFIG_HARDENED_USERCOPY */ +  /**   * ksize - get the actual amount of memory allocated for a given object   * @objp: Pointer to the object @@ -4242,10 +4327,18 @@ module_init(slab_proc_init);   */  size_t ksize(const void *objp)  { +	size_t size; +  	BUG_ON(!objp);  	if (unlikely(objp == ZERO_SIZE_PTR))  		return 0; -	return virt_to_cache(objp)->object_size; +	size = virt_to_cache(objp)->object_size; +	/* We assume that ksize callers could use the whole allocated area, +	 * so we need to unpoison this area. +	 */ +	kasan_krealloc(objp, size, GFP_NOWAIT); + +	return size;  }  EXPORT_SYMBOL(ksize); | 
