> So a kmalloc(62) would get upped to 66, so we allocate from size-128 > and put the number 62 at bytes 124-127 and we poison bytes 62-123?
Hmmm... We are going rapidly here. This is a patch that I am testing right now. It right adjust the object and the patch is manageable: SLUB mm-only: Right align kmalloc objects to trigger overwrite detection Right align kmalloc objects if they are less than the full kmalloc slab size. This will move the object to be flush with the end of the object in order to allow the easy detection of writes / reads after the end of the kmalloc object. Without slub_debug overwrites will destroy the free pointer of the next object or the next object. Read will yield garbage that is likely zero. With slub_debug redzone checks will be triggered. Reads will read redzone poison. This patch is only for checking things out. There are issues: 1. Alignment of kmalloc objects may now be different. In particular objects whose size is not a multiple of wordsize may be not word alignmed. 2. __kmalloc and kfree need to touch an additional cacheline in struct kmem_cache thereby reducing performance. 3. An object allocated via kmalloc may no longer be freed via kmem_cache_free. So we need to figure out some may to make this configurable. Preferably runtime configurable. Signed-off-by: Christoph Lameter <[EMAIL PROTECTED]>
---
 include/linux/slub_def.h | 22 +++++++++++++++++++---
 mm/slub.c | 11 ++++++++---
 2 files changed, 27 insertions(+), 6 deletions(-)
Index: slub/include/linux/slub_def.h
===================================================================
--- slub.orig/include/linux/slub_def.h 2007-06-01 15:56:42.000000000 -0700
+++ slub/include/linux/slub_def.h 2007-06-01 16:00:03.000000000 -0700
@@ -120,6 +120,19 @@ static inline struct kmem_cache *kmalloc
 return &kmalloc_caches[index];
 }
+static inline unsigned long kmalloc_size(size_t size)
+{
+ int index = kmalloc_index(size);
+
+ if (index >= KMALLOC_SHIFT_LOW)
+ return 1 << index;
+
+ if (index == 2)
+ return 192;
+ return 96;
+}
+
+
 #ifdef CONFIG_ZONE_DMA
 #define SLUB_DMA __GFP_DMA
 #else
@@ -135,7 +148,8 @@ static inline void *kmalloc(size_t size,
 if (!s)
 return NULL;
- return kmem_cache_alloc(s, flags);
+ return kmem_cache_alloc(s, flags) +
+ kmalloc_size(size) - size;
 } else
 return __kmalloc(size, flags);
 }
@@ -148,7 +162,8 @@ static inline void *kzalloc(size_t size,
 if (!s)
 return NULL;
- return kmem_cache_zalloc(s, flags);
+ return kmem_cache_zalloc(s, flags) +
+ kmalloc_size(size) - size;
 } else
 return __kzalloc(size, flags);
 }
@@ -159,7 +174,8 @@ extern void *__kmalloc_node(size_t size,
 static inline void *kmalloc_node(size_t size, gfp_t flags, int node)
 {
 if (__builtin_constant_p(size) && !(flags & SLUB_DMA)) {
- struct kmem_cache *s = kmalloc_slab(size);
+ struct kmem_cache *s = kmalloc_slab(size) +
+ kmalloc_size(size) - size;
 if (!s)
 return NULL;
Index: slub/mm/slub.c
===================================================================
--- slub.orig/mm/slub.c 2007-06-01 15:51:05.000000000 -0700
+++ slub/mm/slub.c 2007-06-01 16:15:21.000000000 -0700
@@ -2283,9 +2283,10 @@ static struct kmem_cache *get_slab(size_
 void *__kmalloc(size_t size, gfp_t flags)
 {
 struct kmem_cache *s = get_slab(size, flags);
+ int offset = size - s->size;
 if (s)
- return slab_alloc(s, flags, -1, __builtin_return_address(0));
+ return slab_alloc(s, flags, -1, __builtin_return_address(0)) + offset;
 return NULL;
 }
 EXPORT_SYMBOL(__kmalloc);
@@ -2294,9 +2295,10 @@ EXPORT_SYMBOL(__kmalloc);
 void *__kmalloc_node(size_t size, gfp_t flags, int node)
 {
 struct kmem_cache *s = get_slab(size, flags);
+ int offset = size - s->size;
 if (s)
- return slab_alloc(s, flags, node, __builtin_return_address(0));
+ return slab_alloc(s, flags, node, __builtin_return_address(0)) + offset;
 return NULL;
 }
 EXPORT_SYMBOL(__kmalloc_node);
@@ -2337,6 +2339,7 @@ void kfree(const void *x)
 {
 struct kmem_cache *s;
 struct page *page;
+ unsigned long addr = (unsigned long) x;
 if (!x)
 return;
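Review bot: The right-alignment offset is added unconditionally to the result of `kmem_cache_alloc(s, flags)`, so an allocation failure that returns NULL comes back as NULL + (kmalloc_size(size) - size), a small non-NULL value that passes the caller's usual `if (!p)` check and is then dereferenced. The same pattern is in the kzalloc hunk (`kmem_cache_zalloc`) and in the __kmalloc and __kmalloc_node hunks (`slab_alloc(...) + offset`). Capture the result first and shift only on success, e.g. `void *p = kmem_cache_alloc(s, flags);` followed by `return p ? p + kmalloc_size(size) - size : NULL;`. The arithmetic on a `void *` relies on the GCC extension the rest of the file already depends on, so no cast is needed, but the NULL case has to be excluded before the add.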
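Review bot: In the kmalloc_node hunk the offset is applied to the `struct kmem_cache *` returned by `kmalloc_slab(size)` instead of to the allocated object, so `s` is advanced by `(kmalloc_size(size) - size) * sizeof(struct kmem_cache)`; the following `if (!s)` no longer detects a NULL slab, and the allocation call that follows (outside the hunk, as kmalloc_node's body continues past it) receives a cache pointer into unrelated memory. The shift belongs on the allocation's return value, as the kmalloc and kzalloc hunks do: keep `struct kmem_cache *s = kmalloc_slab(size);` and add `kmalloc_size(size) - size` to the result of the node allocation, after its NULL check.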
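Review bot: `int offset = size - s->size;` in __kmalloc dereferences `s` before the `if (s)` test, so a size that get_slab() rejects — the path that previously ended in `return NULL` — now becomes a NULL-pointer dereference; the __kmalloc_node hunk has the identical line. The sign is also the reverse of the inline kmalloc: `size - s->size` is zero or negative, so the returned pointer moves to before the object rather than flush with its end, and the subtraction is performed in `size_t` and then truncated to `int`. Move the computation under the check and write it as the inline version does, e.g. `if (s) { void *p = slab_alloc(s, flags, -1, __builtin_return_address(0)); return p ? p + (s->size - size) : NULL; }`. One caveat to confirm: if `s->size` here is SLUB's per-object size including metadata (free pointer, redzone) rather than the bare object size, shifting by `s->size - size` would place the object over that metadata, and the field holding the plain object size is the one to use.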
@@ -2344,7 +2347,9 @@ void kfree(const void *x)
 page = virt_to_head_page(x);
 s = page->slab;
- slab_free(s, page, (void *)x, __builtin_return_address(0));
+ addr &= ~((unsigned long)s->size - 1);
+
+ slab_free(s, page, (void *)addr, __builtin_return_address(0));
 }
 EXPORT_SYMBOL(kfree);
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
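Review bot: `addr &= ~((unsigned long)s->size - 1);` recovers the object base only when `s->size` is a power of two, yet the kmalloc caches this very series handles include the 96- and 192-byte sizes (see kmalloc_size in the slub_def.h hunk), and kfree() is also routinely called on objects from other kmem_caches whose sizes are arbitrary. For such sizes the mask produces an address that is not an object start, so slab_free() frees the wrong object: the real one leaks and a live neighbour can be put on the free list, which is a use-after-free in waiting. Compute the base from the slab's start instead, e.g. `unsigned long base = (unsigned long)page_address(page);` and `addr = base + ((addr - base) / s->size) * s->size;`, which is valid for any object size provided objects are laid out from page_address(page) at multiples of `s->size` — I believe that is SLUB's layout, but it is worth confirming against the allocation path. Note that with slub_debug enabled `s->size` is generally not a power of two either, so the masked form would misbehave precisely in the configuration the description says this is meant to exercise.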