The slab debugging code is supposed to poison freshly-allocated objects with
0x5a and freed ones with 0x6b, so we can distinguish use-uninitialised from
use-after-free.

It wasn't working right for recycled objects.  Fix.



 mm/slab.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletion(-)

diff -puN mm/slab.c~2-slab-poison-fix mm/slab.c
--- 25/mm/slab.c~2-slab-poison-fix	2003-06-15 01:55:20.000000000 -0700
+++ 25-akpm/mm/slab.c	2003-06-15 01:55:20.000000000 -0700
@@ -1745,8 +1745,10 @@ cache_alloc_debugcheck_after(kmem_cache_
 
 	if (!objp)	
 		return objp;
-	if (cachep->flags & SLAB_POISON)
+	if (cachep->flags & SLAB_POISON) {
 		check_poison_obj(cachep, objp);
+ 		poison_obj(cachep, objp, POISON_BEFORE);
+	}
 	if (cachep->flags & SLAB_STORE_USER) {
 		objlen -= BYTES_PER_WORD;
 		*((void **)(objp+objlen)) = caller;
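Review bot: The new braced SLAB_POISON block needs a short comment saying why the object is re-poisoned straight after check_poison_obj(). As written, the reader has to infer that the check validates the free-time pattern and that poison_obj(cachep, objp, POISON_BEFORE) then replaces it with the allocation-time pattern. The value behind POISON_BEFORE is not visible in this hunk, so the comment should tie it to the 0x5a pattern the changelog describes. The comment should also note that this call has to stay ahead of the SLAB_STORE_USER store of caller at objp+objlen that follows. If poison_obj() covers that word, moving the call later would overwrite the recorded caller. Separately, the added poison_obj() line is indented with a space followed by tabs; it should use tabs only, to match the surrounding lines.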

_