On Wed, 26 Jul 2017, Kees Cook wrote:

> >> What happens if, instead of BUG_ON, we do:
> >>
> >>     if (unlikely(WARN_RATELIMIT(object == fp, "double-free detected")))
> >>         return;
> >
> > This may work for the free fastpath but the set_freepointer function is
> > used in multiple other locations. Maybe just add this to the fastpath
> > instead of to this function?
>
> Do you mean do_slab_free()?
Yes, inserting these lines into do_slab_free() would simply ignore the double-free operation in the fast path, and that would be safe. Although in either case we are adding code to the fastpath...
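To illustrate what the `object == fp` check in the thread catches, here is an added example that is not part of the mail thread or of the kernel: a constructed single-threaded toy slab with a SLUB-style freelist (the next-free pointer lives inside the freed object) whose free fastpath warns and ignores a double free instead of crashing. The names `slab_init`, `slab_alloc`, `do_slab_free` and the counter `double_free_warnings` are assumptions of this toy, not kernel APIs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy: one slab of fixed-size objects with a SLUB-style freelist,
 * where the next-free pointer is stored inside the freed object itself. */
#define NOBJS 4
#define OBJ_SIZE 32

static unsigned char slab[NOBJS * OBJ_SIZE];
static void *freelist;                 /* head of the freelist */
static unsigned long double_free_warnings;

static void set_freepointer(void *object, void *fp) { *(void **)object = fp; }
static void *get_freepointer(void *object) { return *(void **)object; }

void slab_init(void)
{
    freelist = NULL;
    double_free_warnings = 0;
    for (int i = NOBJS - 1; i >= 0; i--) {
        void *obj = slab + i * OBJ_SIZE;
        set_freepointer(obj, freelist);
        freelist = obj;
    }
}

void *slab_alloc(void)
{
    void *obj = freelist;
    if (obj)
        freelist = get_freepointer(obj);
    return obj;
}

/* Free fastpath. Returns false when the free is rejected as a double free. */
bool do_slab_free(void *object)
{
    /* The check from the thread: the object being freed is already the
     * freelist head, so linking it would make it point to itself
     * (object == fp). Warn and ignore rather than BUG_ON. */
    if (object == freelist) {
        double_free_warnings++;
        fprintf(stderr, "double-free detected\n");
        return false;
    }
    set_freepointer(object, freelist);
    freelist = object;
    return true;
}
```

As with the comparison discussed in the thread, this only catches an object freed twice in a row; a free of A, then B, then A again is not detected by this check.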