Motivated by 2026/dicectf/cornelslop, I studied in more depth how the SLUB allocator works, together with P.Howe.

Here is a useful flowchart of how kfree works, especially with regard to hitting the correct code path for cross-cache exploitation.

kfree flowchart

(You may right-click -> Open Image in New Tab; it's an .svg.) (Verified for linux-stable v6.19.6.)

Edit: We drew the flowchart by looking at the linux-stable v6.12.69 source. Everything is still accurate for the latest release (v6.19.6), but man, I wish we had been looking at the latest version in the first place: some comments were added to the source code that make things much clearer!
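Since the flowchart above is an image, here is a small userspace C model of the decisions in the free path that matter for cross-cache work. This is an added example, not the flowchart from the post and not kernel code: it reflects my own reading of the 6.x `mm/slub.c` free path (`__slab_free`, `put_cpu_partial`, `__put_partials`), drops locking, the cmpxchg retry loop, debug caches and statistics, and every struct, constant and condition in it is an assumption to check against the source. The point it shows is that an object freed into a full slab of a cache with per-cpu partial lists never reaches `discard_slab` from `kfree` itself; the empty slab only goes back to the page allocator when the per-cpu partial list is flushed and the node already holds at least `min_partial` spare slabs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constants as in mm/slub.c (assumption: unchanged in the version you target). */
#define MIN_PARTIAL 5
#define MAX_PARTIAL 10

enum free_outcome {
    FREE_FASTPATH,      /* slab == c->slab: object pushed on the per-cpu freelist, no list ops */
    FREE_FROZEN,        /* slab is another CPU's active slab: only slab->freelist changes */
    FREE_CPU_PARTIAL,   /* slab was full, cache has per-cpu partial lists: put_cpu_partial() */
    FREE_ADD_PARTIAL,   /* slab was full, no per-cpu partial lists: add_partial() on the node */
    FREE_STAY,          /* slab keeps its place (live objects left, or kept as a reserve) */
    FREE_DISCARD_SLAB,  /* slab is empty and node has >= min_partial spares: discard_slab() */
};

struct kmem_cache_model {
    unsigned long min_partial;  /* s->min_partial */
    bool has_cpu_partial;       /* kmem_cache_has_cpu_partial(s) */
};

struct node_model {
    unsigned long nr_partial;   /* n->nr_partial */
};

struct slab_model {
    unsigned int inuse;         /* live objects in the slab */
    bool frozen;                /* slab is some CPU's active slab */
    bool has_freelist;          /* slab->freelist != NULL before the free ("prior") */
    bool on_node_partial;       /* slab_test_node_partial(slab) */
};

/* s->min_partial at cache creation: clamp(ilog2(size) / 2, MIN_PARTIAL, MAX_PARTIAL). */
unsigned long model_min_partial(unsigned int size)
{
    unsigned int lg = 0;
    while (lg + 1 < 32 && (size >> (lg + 1)) != 0)
        lg++;                                   /* ilog2(size) */
    unsigned long min = lg / 2;
    if (min < MIN_PARTIAL)
        min = MIN_PARTIAL;
    else if (min > MAX_PARTIAL)
        min = MAX_PARTIAL;
    return min;
}

/* One kfree() of an object that lives in `slab`. */
enum free_outcome model_kfree(const struct kmem_cache_model *s, struct node_model *n,
                              struct slab_model *slab, bool is_cpu_active_slab)
{
    if (is_cpu_active_slab)                     /* do_slab_free() fast path */
        return FREE_FASTPATH;

    /* __slab_free() */
    bool prior = slab->has_freelist;
    bool was_frozen = slab->frozen;
    slab->inuse--;
    slab->has_freelist = true;

    if (was_frozen)                             /* owning CPU sorts it out on deactivate */
        return FREE_FROZEN;
    if (!prior && s->has_cpu_partial)           /* "slab was on no list before": defer */
        return FREE_CPU_PARTIAL;
    if (prior && !slab->on_node_partial)        /* sits on a cpu partial list: leave it */
        return FREE_STAY;

    if (slab->inuse == 0 && n->nr_partial >= s->min_partial) {
        if (slab->on_node_partial) {            /* remove_partial() */
            n->nr_partial--;
            slab->on_node_partial = false;
        }
        return FREE_DISCARD_SLAB;               /* page goes back to the buddy allocator */
    }
    if (!s->has_cpu_partial && !prior) {        /* add_partial(n, slab, DEACTIVATE_TO_TAIL) */
        n->nr_partial++;
        slab->on_node_partial = true;
        return FREE_ADD_PARTIAL;
    }
    return FREE_STAY;
}

/* __put_partials(): flushing a per-cpu partial list. Returns how many slabs were discarded. */
unsigned int model_put_partials(const struct kmem_cache_model *s, struct node_model *n,
                                struct slab_model *slabs, size_t count)
{
    unsigned int discarded = 0;
    for (size_t i = 0; i < count; i++) {
        if (slabs[i].inuse == 0 && n->nr_partial >= s->min_partial) {
            discarded++;                        /* discard_slab() */
        } else {
            n->nr_partial++;                    /* add_partial() */
            slabs[i].on_node_partial = true;
        }
    }
    return discarded;
}

int main(void)
{
    /* Constructed scenario: kmalloc-1024-like cache, one full single-object slab. */
    struct kmem_cache_model s = { .min_partial = model_min_partial(1024), .has_cpu_partial = true };
    struct node_model n = { .nr_partial = 2 };
    struct slab_model slab = { .inuse = 1, .frozen = false, .has_freelist = false, .on_node_partial = false };
    printf("kfree outcome: %d (FREE_CPU_PARTIAL=%d)\n", model_kfree(&s, &n, &slab, false), FREE_CPU_PARTIAL);
    printf("flushed with nr_partial=%lu < min_partial=%lu: discarded %u slab(s)\n",
           n.nr_partial, s.min_partial, model_put_partials(&s, &n, &slab, 1));
    return 0;
}
```

To reach the page allocator you therefore need both an empty slab and `nr_partial >= min_partial` on the node at the moment the list is flushed; with fewer spares the empty slab is simply parked on the node partial list and keeps its page.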

To complete our understanding, we took the time to look at the implementation of kmalloc as well. Here is the flowchart that resulted from that:

kmalloc flowchart

While investigating this, we added clarifying comments to the SLUB source code, like so:

comments

You can see them here if you're interested.

We’ll see what the next kernel stable release (7.0) has in store for us (since it is getting rid of kmem_cache_cpu entirely in favour of sheaves).