Diffstat (limited to 'sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch')
| -rw-r--r-- | sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
new file mode 100644
index 000000000000..ce031732cb39
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
@@ -0,0 +1,75 @@
+From 1ba84061aeadaef10680925bb3299b435fa59ff8 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 20 Sep 2019 14:02:42 +0200
+Subject: [PATCH 055/112] slub: Extend init_on_free to slab caches with
+ constructors
+
+This is the remaining non-upstream part of SLAB_SANITIZE, which was a
+partial port, from Daniel Micay, of the feature from PaX without the
+default fast mode based on passing SLAB_NO_SANITIZE in
+performance-critical cases that are not particularly security sensitive.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 12 +++++++++---
+ mm/slub.c | 14 +++++++++++++-
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 9fef4285514a..0fcd97a4eb6f 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -641,9 +641,15 @@ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+ 
+ static inline bool slab_want_init_on_free(struct kmem_cache *c)
+ {
+-	if (static_branch_unlikely(&init_on_free))
+-		return !(c->ctor ||
+-			 (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)));
++	if (static_branch_unlikely(&init_on_free)) {
++#ifndef CONFIG_SLUB
++		if (c->ctor)
++			return false;
++#endif
++		if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
++			return false;
++		return true;
++	}
+ 	return false;
+ }
+ 
+diff --git a/mm/slub.c b/mm/slub.c
+index e5564f339095..cf24f74e01de 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1571,7 +1571,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ 			: 0;
+ 		memset((char *)object + s->inuse, 0,
+ 		       s->size - s->inuse - rsize);
+-
++		if (s->ctor)
++			s->ctor(object);
+ 	}
+ 	/* If object's reuse doesn't have to be delayed */
+ 	if (!slab_free_hook(s, object)) {
+@@ -1580,6 +1581,17 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ 		*head = object;
+ 		if (!*tail)
+ 			*tail = object;
++	} else if (slab_want_init_on_free(s) && s->ctor) {
++		/* Objects that are put into quarantine by KASAN will
++		 * still undergo free_consistency_checks() and thus
++		 * need to show a valid freepointer to check_object().
++		 *
++		 * Note that doing this for all caches (not just ctor
++		 * ones, which have s->offset != NULL)) causes a GPF,
++		 * due to KASAN poisoning and the way set_freepointer()
++		 * eventually dereferences the freepointer.
++		 */
++		set_freepointer(s, object, NULL);
+ 	}
+ 	} while (object != old_tail);
+ 
+-- 
+2.30.0
+
|
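Review bot: The new `if (s->ctor) s->ctor(object);` after the memset in slab_free_freelist_hook has no comment saying why a constructor is re-run on the free path, even though that re-run is what lets slab.h drop the ctor exclusion under CONFIG_SLUB; a line such as `/* init_on_free just zeroed the object; restore the constructed state that later allocations from a ctor cache rely on. */` would make the invariant explicit for the next reader. The ctor is presumably invoked in whatever context the free happens in, so it is worth confirming that the ctors in this tree only do plain memory initialisation (no allocation, no sleeping) — that is inferred, not visible in the hunk. In the KASAN comment, `s->offset != NULL)` compares an offset with a pointer constant and carries an extra closing parenthesis; `s->offset != 0)` reads correctly. Both slab_want_init_on_free and slab_free_freelist_hook begin outside the inner hunks, so the surrounding do/while and the earlier memset are not shown here.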
