On Tue, 25 Jul 2017, Kees Cook wrote: > > @@ -290,6 +290,10 @@ static inline void set_freepointer(struct kmem_cache > > *s, > > void *object, void *fp) > > { > > unsigned long freeptr_addr = (unsigned long)object + s->offset; > > > > +#ifdef CONFIG_SLAB_FREELIST_HARDENED > > + BUG_ON(object == fp); /* naive detection of double free or > > corruption */ > > +#endif > > + > > *(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr); > > What happens if, instead of BUG_ON, we do: > > if (unlikely(WARN_RATELIMIT(object == fp, "double-free detected")) > return;
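Review bot: the comment on the new BUG_ON, "naive detection of double free or corruption", should spell out what is and is not covered: `object == fp` only fires when the object being freed is already the freelist head, i.e. two consecutive frees of the same object, while an interleaved double free (free A, free B, free A) passes the check and leaves a cycle in the freelist. Since set_freepointer() is also reached from slab initialization and freelist-building paths and not only from the free path, the check (and any WARN-and-return variant of it) would be better placed in the free fastpath where `fp` is known to be the current freelist head, or the comment should at least say which callers it is meant to guard.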
This may work for the free fastpath, but the set_freepointer function is used in multiple other locations. Maybe just add this to the fastpath instead of to this function?
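To make the "naive" in the hunk's comment concrete, the following is an added userspace model of a SLUB-style LIFO freelist with the `object == fp` check from the quoted patch. It is example code written for this page, not code from mm/slub.c or from the patch author: the struct layout, the constants, the fixed XOR "secret" in freelist_ptr() and the cache_alloc()/cache_free() helpers are simplified stand-ins, and set_freepointer() returns -1 where the kernel would BUG_ON so the outcome can be observed. It shows that an immediate double free is caught while an interleaved one (free A, free B, free A) is not and later hands out the same object twice.

```c
/* Toy model of a SLUB-style per-slab LIFO freelist with the
 * CONFIG_SLAB_FREELIST_HARDENED "object == fp" double-free check.
 * Added example, not kernel code: names, layout and the XOR
 * obfuscation in freelist_ptr() are simplified stand-ins for mm/slub.c. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define OBJ_SIZE   64
#define NR_OBJS    8
#define SLAB_FREELIST_HARDENED 1   /* assumption: hardening enabled */

struct kmem_cache {
    size_t offset;          /* offset of the free pointer inside an object */
    unsigned long random;   /* per-cache secret XORed into stored pointers */
    void *freelist;         /* head of the LIFO freelist */
    unsigned char slab[NR_OBJS * OBJ_SIZE];
};

/* Obfuscate/deobfuscate a stored free pointer (same XOR both ways). */
static void *freelist_ptr(struct kmem_cache *s, void *ptr, unsigned long ptr_addr)
{
    return (void *)((unsigned long)ptr ^ s->random ^ ptr_addr);
}

static void *get_freepointer(struct kmem_cache *s, void *object)
{
    unsigned long freeptr_addr = (unsigned long)object + s->offset;
    return freelist_ptr(s, *(void **)freeptr_addr, freeptr_addr);
}

/* Returns 0 on success, -1 where the kernel hunk would BUG_ON(). */
static int set_freepointer(struct kmem_cache *s, void *object, void *fp)
{
    unsigned long freeptr_addr = (unsigned long)object + s->offset;

#if SLAB_FREELIST_HARDENED
    if (object == fp)
        return -1;   /* naive detection of double free or corruption */
#endif
    *(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);
    return 0;
}

static void cache_init(struct kmem_cache *s)
{
    memset(s, 0, sizeof(*s));
    s->offset = 0;
    s->random = 0x5a5a5a5a5a5a5a5aUL;   /* fixed "secret" for a reproducible demo */
    /* Build the initial freelist; fp is always the previous head, never the object. */
    for (int i = NR_OBJS - 1; i >= 0; i--) {
        void *obj = s->slab + i * OBJ_SIZE;
        set_freepointer(s, obj, s->freelist);
        s->freelist = obj;
    }
}

static void *cache_alloc(struct kmem_cache *s)
{
    void *object = s->freelist;
    if (!object)
        return NULL;
    s->freelist = get_freepointer(s, object);
    return object;
}

/* Free fastpath: push the object in front of the current freelist head. */
static int cache_free(struct kmem_cache *s, void *object)
{
    if (set_freepointer(s, object, s->freelist))
        return -1;
    s->freelist = object;
    return 0;
}

/* free(A); free(A): on the second free fp == A, so the check fires. */
int demo_immediate_double_free(void)
{
    struct kmem_cache s;
    cache_init(&s);
    void *a = cache_alloc(&s);
    cache_free(&s, a);
    return cache_free(&s, a);   /* -1: detected */
}

/* free(A); free(B); free(A): fp == B on the second free of A, so the
 * check passes and the freelist now contains the cycle A -> B -> A. */
int demo_interleaved_double_free(void)
{
    struct kmem_cache s;
    cache_init(&s);
    void *a = cache_alloc(&s);
    void *b = cache_alloc(&s);
    cache_free(&s, a);
    cache_free(&s, b);
    return cache_free(&s, a);   /* 0: not detected */
}

/* After the undetected interleaved double free, the third allocation
 * returns the same object as the first: two owners of one object. */
int demo_interleaved_yields_alias(void)
{
    struct kmem_cache s;
    cache_init(&s);
    void *a = cache_alloc(&s);
    void *b = cache_alloc(&s);
    cache_free(&s, a);
    cache_free(&s, b);
    cache_free(&s, a);
    void *x = cache_alloc(&s);   /* A */
    void *y = cache_alloc(&s);   /* B */
    void *z = cache_alloc(&s);   /* A again */
    return x == z && x != y;
}

int main(void)
{
    printf("immediate double free detected: %s\n",
           demo_immediate_double_free() == -1 ? "yes" : "no");
    printf("interleaved double free detected: %s\n",
           demo_interleaved_double_free() == -1 ? "yes" : "no");
    printf("interleaved double free aliases an object: %s\n",
           demo_interleaved_yields_alias() ? "yes" : "no");
    return 0;
}
```

The model keeps the check inside set_freepointer() as the hunk does, which is why cache_init() has to make sure it never passes an object as its own `fp`; moving the comparison into cache_free() would confine it to the one caller where a double free can actually occur.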