[PATCH 7/9] mm: kmemleak: erase page->s_mem in slab_destroy

From: George Prekas
Date: Mon Jan 23 2023 - 12:05:41 EST


The field s_mem of struct page is initialized with the virtual address
of the page in function alloc_slabmgmt. If kmalloc allocates an object
that starts on this page, then kmemleak knows that this object has 2
references. On slab_destroy, s_mem should not continue referring to any
allocated object in the future.

Specifically, assume that initially the 4KB cache uses page[5] and its
s_mem = 0x5000. Then assume that this cache releases page[5] and the 8KB
cache allocates page[4] and page[5]. Subsequently, kmalloc returns an
8KB object at address 0x4000 which will have 3 references: the returned
pointer from kmalloc, page[4].s_mem = 0x4000, and page[5].s_mem. This
object can leak without detection.

Signed-off-by: George Prekas <george@xxxxxxxxxxxxx>
---
mm/slab.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/mm/slab.c b/mm/slab.c
index a927e1a285d1..aa5eb725ee9c 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -1611,6 +1611,9 @@ static void slab_destroy(struct kmem_cache *cachep, struct slab *slab)
{
void *freelist;

+ /* Erase the page's virtual address from s_mem */
+ kmemleak_erase(&slab->s_mem);
+
freelist = slab->freelist;
slab_destroy_debugcheck(cachep, slab);
if (unlikely(cachep->flags & SLAB_TYPESAFE_BY_RCU))
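Review bot: the new kmemleak_erase(&slab->s_mem) runs before slab_destroy_debugcheck(cachep, slab), but kmemleak_erase() is a plain `*ptr = NULL` and the DEBUG version of slab_destroy_debugcheck() walks the slab's objects through index_to_obj(), which computes addresses from slab->s_mem. With this ordering a DEBUG build would check poison and red zones at NULL-based addresses. Move the erase below the debug check, e.g. just before the SLAB_TYPESAFE_BY_RCU test, since neither the freelist read nor kmem_freepages() needs s_mem afterwards. Separately, the subject and message refer to `page->s_mem` while the hunk header and the added line operate on `struct slab *slab` and `slab->s_mem`; the text should name the field the code actually touches.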
--
2.37.1