From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f200.google.com (mail-wr0-f200.google.com [209.85.128.200]) by kanga.kvack.org (Postfix) with ESMTP id 63B846B0390 for ; Tue, 4 Apr 2017 16:13:39 -0400 (EDT) Received: by mail-wr0-f200.google.com with SMTP id o70so29539450wrb.11 for ; Tue, 04 Apr 2017 13:13:39 -0700 (PDT) Received: from mx2.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id a16si5530764wme.143.2017.04.04.13.13.37 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 04 Apr 2017 13:13:38 -0700 (PDT) Date: Tue, 4 Apr 2017 22:13:34 +0200 From: Michal Hocko Subject: Re: [PATCH] mm: Add additional consistency check Message-ID: <20170404201334.GV15132@dhcp22.suse.cz> References: <20170331164028.GA118828@beast> <20170404113022.GC15490@dhcp22.suse.cz> <20170404151600.GN15132@dhcp22.suse.cz> <20170404194220.GT15132@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: owner-linux-mm@kvack.org List-ID: To: Christoph Lameter Cc: Kees Cook , Andrew Morton , Pekka Enberg , David Rientjes , Joonsoo Kim , linux-mm@kvack.org, linux-kernel@vger.kernel.org On Tue 04-04-17 14:58:06, Cristopher Lameter wrote: > On Tue, 4 Apr 2017, Michal Hocko wrote: > > > On Tue 04-04-17 14:13:06, Cristopher Lameter wrote: > > > On Tue, 4 Apr 2017, Michal Hocko wrote: > > > > > > > Yes, but we do not have to blow the kernel, right? Why cannot we simply > > > > leak that memory? > > > > > > Because it is a serious bug to attempt to free a non slab object using > > > slab operations. This is often the result of memory corruption, coding > > > errs etc. The system needs to stop right there. > > > > Why when an alternative is a memory leak? > > Because the slab allocators fail also in case you free an object multiple > times etc etc. Continuation is supported by enabling a special resiliency > feature via the kernel command line. The alternative is selectable but not > the default. I disagree! We should try to continue as long as we _know_ that the internal state of the allocator is still consistent and a further operation will not spread the corruption even more. This is clearly not the case for an invalid pointer to kfree. I can see why checking for an early allocator corruption is not always feasible and you can only detect after-the-fact but this is not the case here and putting your system down just because some buggy code is trying to free something it hasn't allocated is not really useful. I completely agree with Linus that we overuse BUG way too much and this is just another example of it. -- Michal Hocko SUSE Labs -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org