Re: Memory allocator semantics

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sat, Feb 08, 2014 at 12:27:37PM +0200, Pekka Enberg wrote:
> Hi Paul,
> 
> On 01/02/2014 10:33 PM, Paul E. McKenney wrote:
> > From what I can see, the Linux-kernel's SLAB, SLOB, and SLUB memory
> >allocators would deal with the following sort of race:
> >
> >A.	CPU 0: r1 = kmalloc(...); ACCESS_ONCE(gp) = r1;
> >
> >	CPU 1: r2 = ACCESS_ONCE(gp); if (r2) kfree(r2);
> >
> >However, my guess is that this should be considered an accident of the
> >current implementation rather than a feature.  The reason for this is
> >that I cannot see how you would usefully do (A) above without also allowing
> >(B) and (C) below, both of which look to me to be quite destructive:
> >
> >B.	CPU 0: r1 = kmalloc(...);  ACCESS_ONCE(shared_x) = r1;
> >
> >         CPU 1: r2 = ACCESS_ONCE(shared_x); if (r2) kfree(r2);
> >
> >	CPU 2: r3 = ACCESS_ONCE(shared_x); if (r3) kfree(r3);
> >
> >	This results in the memory being on two different freelists.
> >
> >C.      CPU 0: r1 = kmalloc(...);  ACCESS_ONCE(shared_x) = r1;
> >
> >	CPU 1: r2 = ACCESS_ONCE(shared_x); r2->a = 1; r2->b = 2;
> >
> >	CPU 2: r3 = ACCESS_ONCE(shared_x); if (r3) kfree(r3);
> >
> >	CPU 3: r4 = kmalloc(...);  r4->s = 3; r4->t = 4;
> >
> >	This results in the memory being used by two different CPUs,
> >	each of which believe that they have sole access.
> >
> >But I thought I should ask the experts.
> >
> >So, am I correct that kernel hackers are required to avoid "drive-by"
> >kfree()s of kmalloc()ed memory?
> 
> So to be completely honest, I don't understand what is the race in
> (A) that concerns the *memory allocator*.  I also don't what the
> memory allocator can do in (B) and (C) which look like double-free
> and use-after-free, respectively, to me. :-)

>From what I can see, (A) works by accident, but is kind of useless because
you allocate and free the memory without touching it.  (B) and (C) are the
lightest touches I could imagine, and as you say, both are bad.  So I
believe that it is reasonable to prohibit (A).

Or is there some use for (A) that I am missing?

							Thanx, Paul

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]