On Tue, 8 Sep 2015, Dmitry Vyukov wrote:

> >> I would expect that this is illegal code. Is my understanding correct?
> >
> > This should work. It could be a problem if thread 1 is touching
> > the object.
>
> What does make it work?

The 2nd thread gets the pointer that the first allocated and frees it. If
there is no more processing then fine.

> There are clearly memory barriers missing when passing the object
> between threads. The typical correct pattern is:

Why? If thread 2 gets the pointer it frees it. That's ok.

> // thread 1
> smp_store_release(&p, kmalloc(8));
>
> // thread 2
> void *r = smp_load_acquire(&p); // or READ_ONCE_CTRL
> if (r)
>     kfree(r);
>
> Otherwise stores into the object in kmalloc can reach the object when
> it is already freed, which is a use-after-free.

Ok so there is more code executing in thread #1. That changes things.

> > What does prevent the use-after-free?

There is no access to p in the first thread. If there are such accesses then
they are illegal. A user of slab allocators must ensure that there are no
accesses after freeing the object. And since there is a thread that at random
checks p and frees it when not NULL then no other thread would be allowed to
touch the object.
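The handoff discussed above, as an added example in user-space C11 atomics (not code from this thread or from the kernel): `atomic_store_explicit(..., memory_order_release)` stands in for `smp_store_release()` and an acquire-ordered exchange stands in for `smp_load_acquire()`. The exchange also clears the pointer, so a second reclaim cannot free the same object twice, a check the quoted pattern does not make. The names `publish`, `try_reclaim`, `struct obj` and `MAGIC` are assumed; `magic` plays the role of the stores the allocator makes into the object before the pointer is published.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

#define MAGIC 0x5A5A5A5Au           /* constructed "initialized" marker */

struct obj { uint32_t magic; };

static _Atomic(struct obj *) p;     /* shared pointer, initially NULL */

/* Thread 1: allocate, initialize, then publish. The release store orders
 * every earlier store into *o before the pointer becomes visible, which is
 * what smp_store_release() provides in the kernel pattern. */
void publish(void)
{
    struct obj *o = malloc(sizeof *o);
    if (!o)
        return;
    o->magic = MAGIC;                                   /* plain store */
    atomic_store_explicit(&p, o, memory_order_release); /* smp_store_release */
}

/* Thread 2: claim the pointer with acquire ordering and free it.
 * Returns 1 if a fully initialized object was reclaimed, 0 if nothing was
 * published yet, -1 if the object looked half-initialized (which the
 * release/acquire pairing rules out). Exchanging with NULL, rather than a
 * plain load, keeps a second caller from freeing the same object again. */
int try_reclaim(void)
{
    struct obj *r = atomic_exchange_explicit(&p, NULL, memory_order_acquire);
    if (!r)
        return 0;
    int ok = (r->magic == MAGIC) ? 1 : -1;
    free(r);
    return ok;
}

static void *reclaimer(void *arg)
{
    int *result = arg;
    while ((*result = try_reclaim()) == 0)
        ;                           /* spin until thread 1 has published */
    return NULL;
}

int main(void)
{
    pthread_t t;
    int result = 0;
    pthread_create(&t, NULL, reclaimer, &result);
    publish();
    pthread_join(t, NULL);
    return result == 1 ? 0 : 1;     /* 0: reclaimed an initialized object */
}
```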