[malloc] Avoid immediately clobbering reference count when freeing memory

Rearrange the fields in struct memory_block (without altering MIN_MEMBLOCK_SIZE) so that the "count" field of a reference-counted object is left intact when the memory containing the object is freed. This allows for the possibility of detecting reference-counting errors such as double-freeing. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2010-11-05 22:37:00 +00:00 · 2010-11-05 22:37:00 +00:00 · 13e4b9ec49
commit 13e4b9ec49
parent 6e41f2cf18
1 changed files with 14 additions and 2 deletions
--- a/src/core/malloc.c
+++ b/src/core/malloc.c
@ -25,6 +25,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include <ipxe/io.h>
 #include <ipxe/list.h>
 #include <ipxe/init.h>
+#include <ipxe/refcnt.h>
 #include <ipxe/malloc.h>

 /** @file
@ -35,10 +36,21 @@ FILE_LICENCE ( GPL2_OR_LATER );

 /** A free block of memory */
 struct memory_block {
-	/** List of free blocks */
-	struct list_head list;
 	/** Size of this block */
 	size_t size;
+	/** Padding
+	 *
+	 * This padding exists to cover the "count" field of a
+	 * reference counter, in the common case where a reference
+	 * counter is the first element of a dynamically-allocated
+	 * object.  It avoids clobbering the "count" field as soon as
+	 * the memory is freed, and so allows for the possibility of
+	 * detecting reference counting errors.
+	 */
+	char pad[ offsetof ( struct refcnt, count ) +
+		  sizeof ( ( ( struct refcnt * ) NULL )->count ) ];
+	/** List of free blocks */
+	struct list_head list;
 };

 #define MIN_MEMBLOCK_SIZE \