Hi everyone,

I'm debugging some crashes in the KASAN quarantine, and I've noticed that for certain objects something which I assumed to be invariant does not hold. In particular, my understanding was that for an object returned by kmem_cache_zalloc(cache, gfp_flags) the value of virt_to_page(object)->slab_cache must always be equal to |cache|. However, this isn't true for at least idr_free_cache in lib/idr.c.

If I apply the attached patch, build an x86_64 kernel with defconfig, and run the resulting kernel in QEMU, I get the following log:

  [    0.007022] HERE: lib/idr.c:198 allocated ffff88001ddc8008 from idr_layer_cache
  [    0.007478] idr_layer_cache: ffff88001dc0b6c0, slab_cache: ffff88001dc0b6c0
  [    0.007920] HERE: lib/idr.c:198 allocated ffff88001ddcf1a8 from idr_layer_cache
  [    0.008002] idr_layer_cache: ffff88001dc0b6c0, slab_cache:           (null)
  [    0.008445] ------------[ cut here ]------------
  [    0.008791] kernel BUG at lib/idr.c:200!

Am I misunderstanding the purpose of slab_cache in struct page, or is there really a bug in initializing it?

Thanks,

--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing directors: Matthew Scott Sucherman, Paul Terence Manicle
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg