From 0bee8c2ac8ebdeb7c934b1c805ac82c432cae3ae Mon Sep 17 00:00:00 2001
From: metaneutrons <436979+metaneutrons@users.noreply.github.com>
Date: Thu, 7 May 2026 16:34:17 +0200
Subject: [PATCH 1/2] kernel/tlsf: Add double-free detection in tlsf_freevec

Check if a block is already marked free before freeing it again. Double-frees corrupt the TLSF free-list and cause unpredictable crashes later. SMP-safe: check is after ObtainSemaphore (TOCTOU prevention). Uses local BOOL for semaphore-protection check to avoid duplicating the condition. Format string uses %lu with (unsigned long) cast for portability on 64-bit.
---
 rom/kernel/tlsf.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/rom/kernel/tlsf.c b/rom/kernel/tlsf.c
index 510eb9971a3..4bb1a294fb4 100644
--- a/rom/kernel/tlsf.c
+++ b/rom/kernel/tlsf.c
@@ -672,9 +672,19 @@ void tlsf_freevec(struct MemHeaderExt * mhe, APTR ptr)
 fb = MEM_TO_BHDR(ptr);
- if (((ULONG)(IPTR)mhe->mhe_MemHeader.mh_First) & MEMF_SEM_PROTECTED)
+ BOOL sem_protected = !!(((ULONG)(IPTR)mhe->mhe_MemHeader.mh_First) & MEMF_SEM_PROTECTED);
+ if (sem_protected)
 ObtainSemaphore((struct SignalSemaphore *)mhe->mhe_MemHeader.mh_Node.ln_Name);
+ /* Double-free detection (after semaphore for SMP safety) */
+ if (FREE_BLOCK(fb))
+ {
+ D(nbug("[Kernel:TLSF] DOUBLE FREE! ptr=%p size=%lu\n", ptr, (unsigned long)GET_SIZE(fb)));
+ if (sem_protected)
+ ReleaseSemaphore((struct SignalSemaphore *)mhe->mhe_MemHeader.mh_Node.ln_Name);
+ return;
+ }
+
 /* Mark block as free */
 SET_FREE_BLOCK(fb);
@@ -700,8 +710,10 @@ void tlsf_freevec(struct MemHeaderExt * mhe, APTR ptr)
 INSERT_FREE_BLOCK(tlsf, fb);
 }
- if (((ULONG)(IPTR)mhe->mhe_MemHeader.mh_First) & MEMF_SEM_PROTECTED)
+ if (sem_protected)
 ReleaseSemaphore((struct SignalSemaphore *)mhe->mhe_MemHeader.mh_Node.ln_Name);
+
+
 }
 void tlsf_freemem(struct MemHeaderExt * mhe, APTR ptr, IPTR size)
From 98eab58ae9803aa215ad83c74f03e420557ea48c Mon Sep 17 00:00:00 2001 
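Review bot: The `FREE_BLOCK(fb)` check on the new lines detects a double free only while the header at `fb` still reads as a free block; if the first free merged the block into a free neighbour (the coalescing code sits below this hunk and is not visible here), that header may since have been overwritten, so the guard is best-effort rather than complete protection. In a build where `D()` compiles out, the second free returns silently, which is safer than corrupting the free list but leaves no trace; whether a non-debug diagnostic fits this file's conventions is worth deciding explicitly. Suggest stating the limit in the comment: `/* Best-effort double-free detection: catches a block freed twice only while its header still reads as free (a coalesced block may not). Read under the semaphore so it cannot race another freer. */`. `tlsf_freevec` begins before this hunk.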
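Review bot: The two blank lines added between the `ReleaseSemaphore` call and the closing brace of `tlsf_freevec` are stray whitespace that the commit message does not mention; drop them so this hunk changes only the release condition. Keying the release on `sem_protected` instead of re-reading `mh_First` is the right call, since it ties the release to the same value that decided the obtain.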
From: Fabian Schmieder <436979+metaneutrons@users.noreply.github.com>
Date: Sun, 10 May 2026 16:40:29 +0200
Subject: [PATCH 2/2] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 rom/kernel/tlsf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rom/kernel/tlsf.c b/rom/kernel/tlsf.c
index 4bb1a294fb4..0c2dcbfd162 100644
--- a/rom/kernel/tlsf.c
+++ b/rom/kernel/tlsf.c
@@ -679,7 +679,7 @@ void tlsf_freevec(struct MemHeaderExt * mhe, APTR ptr)
 /* Double-free detection (after semaphore for SMP safety) */
 if (FREE_BLOCK(fb))
 {
- D(nbug("[Kernel:TLSF] DOUBLE FREE! ptr=%p size=%lu\n", ptr, (unsigned long)GET_SIZE(fb)));
+ D(nbug("[Kernel:TLSF] DOUBLE FREE! ptr=%p size=%llu\n", ptr, (unsigned long long)GET_SIZE(fb)));
 if (sem_protected)
 ReleaseSemaphore((struct SignalSemaphore *)mhe->mhe_MemHeader.mh_Node.ln_Name);
 return;
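Review bot: The switch to `%llu` with an `(unsigned long long)` cast replaces a pairing that was already type-correct (`(unsigned long)` matches `%lu` on every target), and the patch description does not say which finding it addresses; name the finding in the message and update the first patch's description, which still states that `%lu` is used for 64-bit portability. Whether the kernel debug formatter behind `nbug` accepts the `ll` length modifier is not visible here — if it is a minimal implementation, `%llu` could misprint where `%lu` did not, so confirm before merging. The enclosing `if (FREE_BLOCK(fb))` block and `tlsf_freevec` itself start before this hunk.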