From: Johannes Weiner <hannes@cmpxchg.org>
To: Hugh Dickins <hugh@veritas.com>
Cc: Matt Mackall <mpm@selenic.com>,
Pekka Enberg <penberg@cs.helsinki.fi>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
David Vrabel <david.vrabel@csr.com>,
Andrew Morton <akpm@linux-foundation.org>,
Chas Williams <chas@cmf.nrl.navy.mil>,
Evgeniy Polyakov <johnpol@2ka.mipt.ru>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Christoph Lameter <cl@linux-foundation.org>,
Nick Piggin <npiggin@suse.de>
Subject: Re: [patch 1/7] slab: introduce kzfree()
Date: Thu, 19 Feb 2009 20:48:51 +0100 [thread overview]
Message-ID: <20090219194851.GA2608@cmpxchg.org> (raw)
In-Reply-To: <Pine.LNX.4.64.0902191819060.28475@blonde.anvils>
On Thu, Feb 19, 2009 at 06:28:55PM +0000, Hugh Dickins wrote:
> On Thu, 19 Feb 2009, Matt Mackall wrote:
> > On Thu, 2009-02-19 at 16:34 +0000, Hugh Dickins wrote:
> > > On Thu, 19 Feb 2009, Pekka Enberg wrote:
> > > > On Thu, 2009-02-19 at 10:22 +0900, KOSAKI Motohiro wrote:
> > > > >
> > > > > poisonig is transparent feature from caller.
> > > > > but the caller of kzfree() know to fill memory and it should know.
> > > >
> > > > Debatable, sure, but doesn't seem like a big enough reason to make
> > > > kzfree() differ from kfree().
> > >
> > > There may be more important things for us to worry about,
> > > but I do strongly agree with KOSAKI-san on this.
> > >
> > > kzfree() already differs from kfree() by a "z": that "z" says please
> > > zero the buffer pointed to; "const" says it won't modify the buffer
> > > pointed to. What sense does kzfree(const void *) make? Why is
> > > keeping the declarations the same apart from the "z" desirable?
> > >
> > > By all means refuse to add kzfree(), but please don't add it with const.
> > >
> > > I can see that the "const" in kfree(const void *) is debatable
> > > [looks to see how userspace free() is defined: without a const],
> > > I can see that it might be nice to have some "goesaway" attribute
> > > for such pointers instead; but I don't see how you can argue for
> > > kzalloc(const void *).
> ^^^^^^^^^^^^^^^^^^^^^
> (Of course I meant to say "kzfree(const void *)" there.)
>
> >
> > This is what Linus said last time this came up:
> >
> > http://lkml.org/lkml/2008/1/16/227
>
> Thanks for that, I remember it now.
>
> Okay, that's some justification for kfree(const void *).
>
> But I fail to see it as a justification for kzfree(const void *):
> if someone has "const char *string = kmalloc(size)" and then
> wants that string zeroed before it is freed, then I think it's
> quite right to cast out the const when calling kzfree().
You could argue that the pointer passed to kzfree() points to an
abstract slab object and kzfree() uses this to find the memory of that
object which it then zeroes. The translation of course is a no-op as
the object pointer and the memory pointer coincide.
It depends on how transparent you want to make kzfree() for the
caller. Is it 'zero out and then free the object' or is it 'free the
object, but note that it contains security-sensitive data, so make
sure that it never gets into the hands of somebody else'?
No strong opinion from me, though, I can not say which one feels
better. I made it intuitively const, so I guess I would lean to the
more opaque version of the function.
> Hugh
Hannes
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2009-02-19 19:47 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-17 18:26 [patch 0/7] kzfree() v2 Johannes Weiner
2009-02-17 18:26 ` [patch 1/7] slab: introduce kzfree() Johannes Weiner
2009-02-17 20:06 ` Christoph Lameter
2009-02-18 10:50 ` David Vrabel
2009-02-18 10:54 ` Pekka Enberg
2009-02-19 1:22 ` KOSAKI Motohiro
2009-02-19 9:13 ` Pekka Enberg
2009-02-19 12:12 ` KOSAKI Motohiro
2009-02-19 16:34 ` Hugh Dickins
2009-02-19 18:02 ` Matt Mackall
2009-02-19 18:28 ` Hugh Dickins
2009-02-19 19:45 ` Pekka Enberg
2009-02-19 20:36 ` Hugh Dickins
2009-02-23 14:01 ` Nick Piggin
2009-02-23 14:51 ` Hugh Dickins
2009-02-23 15:07 ` Nick Piggin
2009-02-23 19:42 ` Andrew Morton
2009-02-19 19:48 ` Johannes Weiner [this message]
2009-02-17 18:26 ` [patch 2/7] crypto: use kzfree() Johannes Weiner
2009-02-20 4:53 ` Herbert Xu
2009-02-17 18:26 ` [patch 3/7] s390: " Johannes Weiner
2009-02-17 18:26 ` [patch 4/7] md: " Johannes Weiner
2009-02-17 18:26 ` [patch 5/7] usb: " Johannes Weiner
2009-02-18 10:51 ` David Vrabel
2009-02-17 18:26 ` [patch 6/7] cifs: " Johannes Weiner
2009-02-17 18:26 ` [patch 7/7] ecryptfs: " Johannes Weiner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090219194851.GA2608@cmpxchg.org \
--to=hannes@cmpxchg.org \
--cc=akpm@linux-foundation.org \
--cc=chas@cmf.nrl.navy.mil \
--cc=cl@linux-foundation.org \
--cc=david.vrabel@csr.com \
--cc=hugh@veritas.com \
--cc=johnpol@2ka.mipt.ru \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mpm@selenic.com \
--cc=npiggin@suse.de \
--cc=penberg@cs.helsinki.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox