On Tue, 5 Jun 2018, Anton Eidelman wrote:

> What I am still wondering about (and investigating), is how kernel_sendpage()
> with slab payload results in slab payload on another socket RX.
> Do you see how page ref-counting can be broken with extra references taken
> on a slab page containing the fragments, and dropped when networking is
> done with them?

The slab allocators do not use page refcounting. The objects may be destroyed via poisoning etc. if you use kfree() while still holding a refcount on the page. Even without poisoning the slab allocator may overwrite the object.
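A user-space toy model of the point made in the reply above, added as an example and not part of the original message or of any kernel code: the names toy_page, toy_kmalloc, toy_kfree and toy_zero_copy_ok are hypothetical, and only the poison byte 0x6b is taken from the kernel. It shows that a page reference held by a send path does not stop the freed object from being poisoned or reused, and sketches a guard that keeps slab pages out of a zero-copy path.

```c
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE 16
#define OBJS 4
#define POISON_FREE 0x6b            /* byte the kernel writes into freed objects when poisoning */

struct toy_page {                   /* constructed model of one slab-owned page */
    int refcount;                   /* what get_page()/put_page() change */
    int is_slab;                    /* what PageSlab() reports */
    unsigned char in_use[OBJS];     /* the slab's own per-object bookkeeping */
    char mem[OBJS * OBJ_SIZE];
};

static int last_refcount_at_free;   /* recorded so the result can be checked */

static char *toy_kmalloc(struct toy_page *p) {
    for (int i = 0; i < OBJS; i++)
        if (!p->in_use[i]) { p->in_use[i] = 1; return p->mem + i * OBJ_SIZE; }
    return NULL;
}

/* The free path consults only the slab bookkeeping, never p->refcount. */
static void toy_kfree(struct toy_page *p, char *obj, int poison) {
    last_refcount_at_free = p->refcount;
    if (poison) memset(obj, POISON_FREE, OBJ_SIZE);
    p->in_use[(obj - p->mem) / OBJ_SIZE] = 0;
}

/* Guard for a zero-copy sender: only pages whose lifetime the refcount controls. */
static int toy_zero_copy_ok(const struct toy_page *p) {
    return !p->is_slab && p->refcount >= 1;
}

/* Returns 1 if a queued fragment still holds its payload after the owner frees it. */
static int fragment_intact_after_kfree(int poison) {
    struct toy_page pg = { .refcount = 1, .is_slab = 1 };
    char *frag = toy_kmalloc(&pg);
    strcpy(frag, "pdu-header");
    pg.refcount++;                          /* send path pins the page */
    toy_kfree(&pg, frag, poison);           /* owner frees while the fragment is queued */
    strcpy(toy_kmalloc(&pg), "other-data"); /* slab reuses the same object */
    return memcmp(frag, "pdu-header", 10) == 0;
}

int main(void) {
    struct toy_page slab = { .refcount = 1, .is_slab = 1 };
    printf("intact, no poison: %d\n", fragment_intact_after_kfree(0));
    printf("intact, poison:    %d\n", fragment_intact_after_kfree(1));
    printf("zero-copy allowed on slab page: %d\n", toy_zero_copy_ok(&slab));
    return 0;
}
```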