Skip to content

Commit 804aa13

Browse files
labbotttorvalds
labbott
authored and
torvalds
committed
slub: fix/clean free_debug_processing return paths
Since commit 19c7ff9 ("slub: Take node lock during object free checks") check_object has been incorrectly returning success as it follows the out label which just returns the node. Thanks to refactoring, the out and fail paths are now basically the same. Combine the two into one and just use a single label. Credit to Mathias Krause for the original work which inspired this series Signed-off-by: Laura Abbott <labbott@fedoraproject.org> Acked-by: Christoph Lameter <cl@linux.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: David Rientjes <rientjes@google.com> Cc: Joonsoo Kim <js1304@gmail.com> Cc: Kees Cook <keescook@chromium.org> Cc: Mathias Krause <minipli@googlemail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 282acb4 commit 804aa13

File tree

1 file changed

+10
-11
lines changed

1 file changed

+10
-11
lines changed

mm/slub.c

Lines changed: 10 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1053,24 +1053,25 @@ static noinline int free_debug_processing(
10531053
void *object = head;
10541054
int cnt = 0;
10551055
unsigned long uninitialized_var(flags);
1056+
int ret = 0;
10561057

10571058
spin_lock_irqsave(&n->list_lock, flags);
10581059
slab_lock(page);
10591060

10601061
if (!check_slab(s, page))
1061-
goto fail;
1062+
goto out;
10621063

10631064
next_object:
10641065
cnt++;
10651066

10661067
if (!check_valid_pointer(s, page, object)) {
10671068
slab_err(s, page, "Invalid object pointer 0x%p", object);
1068-
goto fail;
1069+
goto out;
10691070
}
10701071

10711072
if (on_freelist(s, page, object)) {
10721073
object_err(s, page, object, "Object already free");
1073-
goto fail;
1074+
goto out;
10741075
}
10751076

10761077
if (!check_object(s, page, object, SLUB_RED_ACTIVE))
@@ -1087,7 +1088,7 @@ static noinline int free_debug_processing(
10871088
} else
10881089
object_err(s, page, object,
10891090
"page slab pointer corrupt.");
1090-
goto fail;
1091+
goto out;
10911092
}
10921093

10931094
if (s->flags & SLAB_STORE_USER)
@@ -1101,20 +1102,18 @@ static noinline int free_debug_processing(
11011102
object = get_freepointer(s, object);
11021103
goto next_object;
11031104
}
1105+
ret = 1;
1106+
11041107
out:
11051108
if (cnt != bulk_cnt)
11061109
slab_err(s, page, "Bulk freelist count(%d) invalid(%d)\n",
11071110
bulk_cnt, cnt);
11081111

11091112
slab_unlock(page);
11101113
spin_unlock_irqrestore(&n->list_lock, flags);
1111-
return 1;
1112-
1113-
fail:
1114-
slab_unlock(page);
1115-
spin_unlock_irqrestore(&n->list_lock, flags);
1116-
slab_fix(s, "Object at 0x%p not freed", object);
1117-
return 0;
1114+
if (!ret)
1115+
slab_fix(s, "Object at 0x%p not freed", object);
1116+
return ret;
11181117
}
11191118

11201119
static int __init setup_slub_debug(char *str)

0 commit comments

Comments
 (0)