flex_array: poison free elements

Newly initialized flex_array's and/or flex_array_part's are now poisoned
with a new poison value, FLEX_ARRAY_FREE.  It's value is similar to
POISON_FREE used in the various slab allocators, but is different to
distinguish between flex array's poisoned kmem and slab allocator poisoned
kmem.

This will allow us to identify flex_array_part's that only contain free
elements (and free them with an addition to the flex_array API).  This
could also be extended in the future to identify `get' uses on elements
that have not been `put'.

If __GFP_ZERO is passed for a part's gfp mask, the poisoning is avoided.
These elements are considered to be in-use since they have been
initialized.

Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Dave Hansen <dave@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/include/linux/poison.h b/include/linux/poison.h
index 6729f7dcd60e66cc0116878ad640256a7061bbfe..7fc194aef8c23cc8bfe1ac4a98be55486a8b9d64 100644 (file)
--- a/include/linux/poison.h
+++ b/include/linux/poison.h
@@ -65,6 +65,9 @@
 #define MUTEX_DEBUG_INIT       0x11
 #define MUTEX_DEBUG_FREE       0x22
 
+/********** lib/flex_array.c **********/
+#define FLEX_ARRAY_FREE        0x6c    /* for use-after-free poisoning */
+
 /********** security/ **********/
 #define KEY_DESTROY            0xbd
 

diff --git a/lib/flex_array.c b/lib/flex_array.c
index b68f99be4080283ab6c0b1e0c5d630330640cbb4..e22d0e9776aa604e8742dbb4314816e62e7d8d4b 100644 (file)
--- a/lib/flex_array.c
+++ b/lib/flex_array.c
@@ -113,6 +113,8 @@ struct flex_array *flex_array_alloc(int element_size, unsigned int total,
                return NULL;
        ret->element_size = element_size;
        ret->total_nr_elements = total;
+       if (elements_fit_in_base(ret) && !(flags & __GFP_ZERO))
+               memset(ret->parts[0], FLEX_ARRAY_FREE, bytes_left_in_base());
        return ret;
 }
 
@@ -159,15 +161,12 @@ __fa_get_part(struct flex_array *fa, int part_nr, gfp_t flags)
 {
        struct flex_array_part *part = fa->parts[part_nr];
        if (!part) {
-               /*
-                * This leaves the part pages uninitialized
-                * and with potentially random data, just
-                * as if the user had kmalloc()'d the whole.
-                * __GFP_ZERO can be used to zero it.
-                */
-               part = kmalloc(FLEX_ARRAY_PART_SIZE, flags);
+               part = kmalloc(sizeof(struct flex_array_part), flags);
                if (!part)
                        return NULL;
+               if (!(flags & __GFP_ZERO))
+                       memset(part, FLEX_ARRAY_FREE,
+                               sizeof(struct flex_array_part));
                fa->parts[part_nr] = part;
        }
        return part;
@@ -228,7 +227,7 @@ int flex_array_clear(struct flex_array *fa, unsigned int element_nr)
                        return -EINVAL;
        }
        dst = &part->elements[index_inside_part(fa, element_nr)];
-       memset(dst, 0, fa->element_size);
+       memset(dst, FLEX_ARRAY_FREE, fa->element_size);
        return 0;
 }