On Tue, Sep 8, 2015 at 5:33 PM, Christoph Lameter <cl@xxxxxxxxx> wrote:
> On Tue, 8 Sep 2015, Dmitry Vyukov wrote:
>
>> Yes, this is a case of a use-after-free bug. But the use-after-free can
>> happen only due to memory access reordering in a multithreaded
>> environment.
>> OK, here is a simpler code snippet:
>>
>> void *p; // = NULL
>>
>> // thread 1
>> p = kmalloc(8);
>>
>> // thread 2
>> void *r = READ_ONCE(p);
>> if (r != NULL)
>>         kfree(r);
>>
>> I would expect that this is illegal code. Is my understanding correct?
>
> This should work. It could be a problem if thread 1 is touching
> the object.

What makes it work? There are clearly memory barriers missing when
passing the object between threads. The typical correct pattern is:

// thread 1
smp_store_release(&p, kmalloc(8));

// thread 2
void *r = smp_load_acquire(&p); // or READ_ONCE_CTRL
if (r)
        kfree(r);

Otherwise stores into the object in kmalloc can reach the object when it
is already freed, which is a use-after-free.

What prevents the use-after-free?

--
Dmitry Vyukov, Software Engineer, dvyukov@xxxxxxxxxx
Google Germany GmbH
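The release/acquire publication pattern from the message above, as an added userspace example that is not part of the mailing-list thread and not kernel code: C11 atomics stand in for smp_store_release()/smp_load_acquire(), malloc()/free() stand in for kmalloc()/kfree(), and `struct obj`, `producer`, `consumer`, `publish_consume_round` and the 0xdeadbeef payload are constructed names and values for the demo. The release store in thread 1 orders the object's initialising stores before the pointer becomes visible, and the acquire load in thread 2 orders every later access to the object after the load, so the consumer never reads or frees an object whose initialisation is still in flight. The broken READ_ONCE()-only version cannot be demonstrated deterministically (the reordering is hardware- and timing-dependent), so only the correct pattern is shown.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the 8-byte kmalloc() allocation in the thread. */
struct obj {
    unsigned long payload;
};

/* Shared pointer: the userspace counterpart of `void *p; // = NULL`. */
static _Atomic(struct obj *) shared_p;

/* Thread 1: allocate, initialise, then publish with release semantics
 * (userspace analogue of smp_store_release(&p, kmalloc(8))). The release
 * ordering guarantees the store to o->payload is visible to any thread
 * whose acquire load observes the pointer. */
static void *producer(void *arg)
{
    (void)arg;
    struct obj *o = malloc(sizeof *o);
    if (!o)
        abort(); /* allocation failure is not the point of the demo */
    o->payload = 0xdeadbeefUL; /* constructed value */
    atomic_store_explicit(&shared_p, o, memory_order_release);
    return NULL;
}

/* Thread 2: wait until the pointer is published, loading it with acquire
 * semantics (userspace analogue of smp_load_acquire(&p)). Only after an
 * acquire load that returned non-NULL is it safe to touch or free it. */
static void *consumer(void *arg)
{
    unsigned long *seen = arg;
    struct obj *r;

    while ((r = atomic_load_explicit(&shared_p, memory_order_acquire)) == NULL)
        ; /* busy-wait; acceptable for a short demo */
    *seen = r->payload; /* ordered after producer's init by acquire */
    free(r);            /* analogue of kfree(r) */
    return NULL;
}

/* One publish/consume round. Returns the payload the consumer observed;
 * with release/acquire pairing this is always the initialised value. */
unsigned long publish_consume_round(void)
{
    pthread_t t1, t2;
    unsigned long seen = 0;

    atomic_store_explicit(&shared_p, NULL, memory_order_relaxed);
    if (pthread_create(&t2, NULL, consumer, &seen) != 0)
        abort();
    if (pthread_create(&t1, NULL, producer, NULL) != 0)
        abort();
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return seen;
}

int main(void)
{
    for (int i = 0; i < 100; i++) {
        unsigned long v = publish_consume_round();
        if (v != 0xdeadbeefUL) {
            printf("round %d observed uninitialised object: %lx\n", i, v);
            return 1;
        }
    }
    printf("100 rounds: consumer always saw the initialised object\n");
    return 0;
}
```

Build with `cc -pthread demo.c` (the name is an assumption). Swapping the release store for `memory_order_relaxed` and the acquire load for a relaxed load reproduces the ordering gap the message complains about: the pointer may then become visible before the payload store, which is exactly the window in which kfree() on a not-yet-initialised object is a use-after-free.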