Hi Paul,
On 01/02/2014 10:33 PM, Paul E. McKenney wrote:
From what I can see, the Linux-kernel's SLAB, SLOB, and SLUB memory
allocators would deal with the following sort of race:
A. CPU 0: r1 = kmalloc(...); ACCESS_ONCE(gp) = r1;
CPU 1: r2 = ACCESS_ONCE(gp); if (r2) kfree(r2);
However, my guess is that this should be considered an accident of the
current implementation rather than a feature. The reason for this is
that I cannot see how you would usefully do (A) above without also allowing
(B) and (C) below, both of which look to me to be quite destructive:
B. CPU 0: r1 = kmalloc(...); ACCESS_ONCE(shared_x) = r1;
CPU 1: r2 = ACCESS_ONCE(shared_x); if (r2) kfree(r2);
CPU 2: r3 = ACCESS_ONCE(shared_x); if (r3) kfree(r3);
This results in the memory being on two different freelists.
C. CPU 0: r1 = kmalloc(...); ACCESS_ONCE(shared_x) = r1;
CPU 1: r2 = ACCESS_ONCE(shared_x); r2->a = 1; r2->b = 2;
CPU 2: r3 = ACCESS_ONCE(shared_x); if (r3) kfree(r3);
CPU 3: r4 = kmalloc(...); r4->s = 3; r4->t = 4;
This results in the memory being used by two different CPUs,
each of which believe that they have sole access.
But I thought I should ask the experts.
So, am I correct that kernel hackers are required to avoid "drive-by"
kfree()s of kmalloc()ed memory?
So to be completely honest, I don't understand what is the race in (A)
that concerns the *memory allocator*. I also don't what the memory
allocator can do in (B) and (C) which look like double-free and
use-after-free, respectively, to me. :-)
Pekka
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>