How SLUB's DEBUG function helps detect out-of-bounds and use-after-free memory access

This article explores the SLAB memory allocator, focusing on the DEBUG functionality of SLUB and how it helps detect out-of-bounds (oob) and use-after-free memory issues. The article is structured as follows:

1. Introduction

2. SLUB DEBUG Function

3. Object Layout

4. Principle of SLUB DEBUG

5. Slabinfo

In my work, I often encounter strange problems caused by out-of-bound access. Why are these issues so difficult to trace? Over half a year of experience has shown me that many problems stem from such memory errors—especially when drivers provided by IC manufacturers contain hidden bugs. For example, crashes caused by out-of-bound access can be very challenging to diagnose. These problems often require extensive testing, and even with panic logs, you might not find any clues. Why is this the case?

Imagine that driver A allocates memory using kmalloc(), which is based on kmem_cache. If it overwrites data in an adjacent object, and driver B uses that object to store address data, then when B accesses this address, it will crash. This situation makes it seem like the problem is in B, but the real culprit is A. It's like being killed by a knife without knowing who did it.

Out-of-bound access doesn't always cause a crash. I once faced a strange issue where two global arrays, used by modules C and D respectively, were stored together in memory. When both modules were active, module C displayed incorrect names, while D was fine. After removing D, C's name became correct. Checking the System.map file revealed that D had written beyond its allocated space. This kind of issue can be time-consuming to debug without proper tools and may leave no clues at all.

To locate such problems, we need debugging methods like SLUB DEBUG for detecting out-of-bound issues and KASAN for more comprehensive checks. This article focuses on the principles of SLUB DEBUG and how it helps identify such problems.

The principle of SLUB DEBUG is straightforward. It reserves extra bytes next to each object, fills them with a known value (a magic number), and later checks whether that area has been modified. This extra area is called the red zone. The idea is simple: if the red zone has changed, something wrote outside the bounds of its object.

Note: The code analysis in this article is based on Linux kernel version 4.15.0-rc3.

2. SLUB DEBUG Function

SLUB DEBUG can detect issues like out-of-bound access and use-after-free.

2.1 How to Enable the Function

Reconfigure the kernel options to enable the following:

CONFIG_SLUB=y
CONFIG_SLUB_DEBUG=y
CONFIG_SLUB_DEBUG_ON=y

2.2 How to Use

To use SLUB DEBUG, you need the slabinfo command. Unlike KASAN, which reports an error at the moment of the faulty access, SLUB DEBUG only checks its red zones and poison patterns when an object is allocated or freed, or when a full check is triggered manually with slabinfo. You can compile the slabinfo tool for the ARM64 architecture with the following command:

aarch64-linux-gnu-gcc -o slabinfo slabinfo.c

After booting the system, run 'slabinfo -v' to trigger SLUB validation. The results are printed to the kernel log (visible with dmesg or in syslog), where you can look for error reports about corrupted objects.

3. Object Layout

When CONFIG_SLUB_DEBUG_ON is enabled, several flags (such as SLAB_RED_ZONE, SLAB_POISON, etc.) are added when creating a kmem_cache. These flags change the layout of objects managed by the SLUB allocator. The object layout includes red zones, padding, and other areas designed to detect memory issues.

3.1 What is the Purpose of the Red Zone?

The red zone is placed after the object and is filled with a magic number. If this area is modified, it indicates an out-of-bound access. The check_object() function also verifies the validity of the free pointer, ensuring that the free-list structure remains intact.

3.2 What is the Purpose of Padding?

Padding is a reserved area filled with 0x5a (POISON_INUSE). If this area is changed, the object's padding has been overwritten, which usually means an out-of-bound access large enough to run past the red zone.

3.3 What is the Purpose of Red_left_pad?

Red_left_pad is used to detect left out-of-bound access. When initializing the slab cache, the layout is adjusted to ensure that the red_left_pad can detect such issues effectively.

4. Principle of SLUB DEBUG

SLUB DEBUG works by filling special areas with magic numbers and checking them during allocation and deallocation. This approach allows it to detect various types of memory errors.

4.1 Magic Numbers

Magic numbers used in SLUB DEBUG include SLUB_RED_INACTIVE, SLUB_RED_ACTIVE, POISON_INUSE, POISON_FREE, and POISON_END. The two SLUB_RED_* values mark the red zones of free and allocated objects respectively, while the POISON_* values mark freshly allocated slab memory, the contents of a free object, and the last byte of a free object, so each kind of corruption leaves a distinct signature.

4.2 Slab Cache Pool Filling

When the SLUB allocator allocates memory for a slab cache pool, it fills the entire block with POISON_INUSE. The init_object() function then initializes the free object with appropriate magic numbers.

4.3 Free Object Layout

Free objects are initialized with specific values, including SLUB_RED_INACTIVE in the red zone and POISON_FREE in the object itself. The last byte is filled with POISON_END.

4.4 Allocated Object Layout

When an object is allocated, it is initialized with SLUB_RED_ACTIVE in the red zone and POISON_FREE in the object. The same padding and POISON_END are used to detect potential issues.

4.5 Detecting Out-of-Bound Bugs

An out-of-bound access to the 33rd element of a 32-byte allocation will modify the red zone, triggering a detection during kfree(). The free_consistency_checks() function checks the red zone and reports any changes.

4.6 Detecting Use-After-Free Bugs

Use-after-free bugs are detected using the slabinfo tool. The 'slabinfo -v' command triggers a check of all released objects, ensuring they are filled with the correct magic numbers.
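To make sections 4.2 to 4.6 concrete, here is an added user-space model (example code, not the kernel's own, although init_object() and check_object() mirror their namesakes in mm/slub.c of 4.15): one object slot laid out as red_left_pad, object, red zone and padding, using the real poison values from include/linux/poison.h. The cache geometry (8-byte red zones around a 32-byte object, 8 bytes of padding) and the helper names slab_setup(), debug_alloc(), debug_free(), demo_oob() and demo_uaf() are assumptions for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Poison values as defined in include/linux/poison.h (kernel 4.15). */
#define SLUB_RED_INACTIVE 0xbb  /* red zone of a free object */
#define SLUB_RED_ACTIVE   0xcc  /* red zone of an allocated object */
#define POISON_INUSE      0x5a  /* fresh slab memory and padding */
#define POISON_FREE       0x6b  /* body of a free object */
#define POISON_END        0xa5  /* last byte of a free object's body */
/* Assumed geometry of a small debug cache: 8-byte red zones around a 32-byte object. */
enum { RED_LEFT_PAD = 8, OBJECT_SIZE = 32, RED_ZONE = 8, PADDING = 8,
       SLOT = RED_LEFT_PAD + OBJECT_SIZE + RED_ZONE + PADDING };
static uint8_t slab[SLOT];  /* one slab holding a single object slot (constructed) */

/* Mirrors init_object(): red zones get val, body gets POISON_FREE ending in POISON_END. */
static void init_object(uint8_t *p, uint8_t val)
{
    memset(p - RED_LEFT_PAD, val, RED_LEFT_PAD);
    memset(p, POISON_FREE, OBJECT_SIZE - 1);
    p[OBJECT_SIZE - 1] = POISON_END;
    memset(p + OBJECT_SIZE, val, RED_ZONE);
}

static int all_bytes(const uint8_t *s, uint8_t val, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] != val) return 0;
    return 1;
}
/* Mirrors check_object(): val is the state the object should be in. Returns 1 if the
 * layout is intact, 0 if a red zone, poison byte or padding byte has been changed. */
static int check_object(const uint8_t *p, uint8_t val)
{
    if (!all_bytes(p - RED_LEFT_PAD, val, RED_LEFT_PAD)) return 0; /* left out-of-bounds */
    if (!all_bytes(p + OBJECT_SIZE, val, RED_ZONE)) return 0;      /* right out-of-bounds */
    if (val == SLUB_RED_INACTIVE && (!all_bytes(p, POISON_FREE, OBJECT_SIZE - 1) ||
                                     p[OBJECT_SIZE - 1] != POISON_END))
        return 0;                                                  /* write after free */
    return all_bytes(p + OBJECT_SIZE + RED_ZONE, POISON_INUSE, PADDING);
}

/* New slab: everything POISON_INUSE, then the free slot is initialised (4.2, 4.3). */
static uint8_t *slab_setup(void) { memset(slab, POISON_INUSE, SLOT); init_object(slab + RED_LEFT_PAD, SLUB_RED_INACTIVE); return slab + RED_LEFT_PAD; }
/* kmalloc path marks the red zones active (4.4); kfree path checks, then re-poisons (4.5). */
static uint8_t *debug_alloc(uint8_t *p) { init_object(p, SLUB_RED_ACTIVE); return p; }
static int debug_free(uint8_t *p) { int ok = check_object(p, SLUB_RED_ACTIVE); init_object(p, SLUB_RED_INACTIVE); return ok; }
/* 4.5: writing byte 33 of a 32-byte object lands in the red zone and is caught at free. */
static int demo_oob(void) { uint8_t *p = debug_alloc(slab_setup()); p[32] = 0x41; return debug_free(p); }
/* 4.6: a write after free is only caught when the free object is validated (slabinfo -v). */
static int demo_uaf(void) { uint8_t *p = debug_alloc(slab_setup()); debug_free(p); p[0] = 0x41; return check_object(p, SLUB_RED_INACTIVE); }
```

A clean allocate-and-free cycle passes both checks; the two demo functions return 0 because the corrupted byte no longer matches the expected magic value.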

5. Slabinfo

The slabinfo tool is located in the tools/vm directory. Its execution flow involves traversing all slabs and validating their contents. The validate_store() function writes '1' to the /sys/kernel/slab//validate node, triggering the validation process.
