From: Dmitry Vyukov <dvyukov@google.com>
To: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	Andrey Konovalov <andreyknvl@google.com>,
	Alexander Potapenko <glider@google.com>,
	Paul McKenney <paulmck@linux.vnet.ibm.com>
Subject: Re: Is it OK to pass non-acquired objects to kfree?
Date: Tue, 8 Sep 2015 21:24:46 +0200
Message-ID: <CACT4Y+bvaJ6cC_=A1VGx=cT_bkB-teXNud0Wgt33E1AtBYNTSg@mail.gmail.com>
In-Reply-To: <alpine.DEB.2.11.1509081205120.25526@east.gentwo.org>

On Tue, Sep 8, 2015 at 7:09 PM, Christoph Lameter <cl@linux.com> wrote:
> On Tue, 8 Sep 2015, Dmitry Vyukov wrote:
>
>> >> I would expect that this is illegal code. Is my understanding correct?
>> >
>> > This should work. It could be a problem if thread 1 is touching
>> > the object.
>>
>> What does make it work?
>
> The 2nd thread gets the pointer that the first allocated and frees it.
> If there is no more processing then fine.
>
>> There are clearly memory barriers missing when passing the object
>> between threads. The typical correct pattern is:
>
> Why? If thread 2 gets the pointer it frees it. That's ok.
>
>> // thread 1
>> smp_store_release(&p, kmalloc(8));
>>
>> // thread 2
>> void *r = smp_load_acquire(&p); // or READ_ONCE_CTRL
>> if (r)
>>   kfree(r);
>>
>> Otherwise stores into the object in kmalloc can reach the object when
>> it is already freed, which is a use-after-free.
>
> Ok so there is more code executing in thread #1. That changes things.
>>
>> What does prevent the use-after-free?
>
> There is no access to p in the first thread. If there are such accesses
> then they are illegal. A user of slab allocators must ensure that there
> are no accesses after freeing the object. And since there is a thread
> that at random checks p and frees it when not NULL then no other thread
> would be allowed to touch the object.


But the memory allocator itself (kmalloc/kfree) generally reads and
writes the object (e.g. storing object size in header before object,
writing redzone in debug mode, reading and checking redzone in debug
mode, building freelist using first word of the object, etc). There is
no difference between user accesses and memory allocator accesses just
before returning the object from kmalloc and right after accepting the
object in kfree.


-- 
Dmitry Vyukov, Software Engineer, dvyukov@google.com
Google Germany GmbH, Dienerstraße 12, 80331, München
Managing Directors: Graham Law, Christine Elizabeth Flores
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
This e-mail is confidential. If you are not the right addressee please
do not forward it, please inform the sender, and please erase this
e-mail including any attachments. Thanks.

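The handoff discussed in this message, as an added example that is not code from the thread or from the kernel: a user-space model in which a toy slab cache stands in for kmalloc/kfree, with the allocator's own accesses to the object (reading the freelist link out of the first word, writing and later checking a redzone byte) made explicit. Thread 1 allocates and publishes the pointer, thread 2 consumes and frees it, and the only thing ordering the allocator's writes in thread 1 against the allocator's reads in thread 2 is the release/acquire pair on the shared pointer. All names, sizes and the simplified slab layout are assumptions for illustration; C11 atomics model smp_store_release/smp_load_acquire.

```c
/* Added example, not from the thread: toy slab cache + release/acquire
 * handoff modelled in user space with C11 atomics and pthreads. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE 64
#define NOBJS    16
#define REDZONE  0xbb      /* assumed debug pattern, like SLUB's redzone */
#define ITER     5000

struct slot { unsigned char obj[OBJ_SIZE]; unsigned char redzone; };

static struct slot slab[NOBJS];
static void *freelist;                     /* head of the intrusive free list */
static pthread_mutex_t slab_lock = PTHREAD_MUTEX_INITIALIZER;

static void slab_init(void)
{
    freelist = NULL;
    for (int i = NOBJS - 1; i >= 0; i--) {
        *(void **)slab[i].obj = freelist;  /* link is stored in the object itself */
        freelist = slab[i].obj;
    }
}

/* The allocator touches the object before handing it out: it reads the
 * freelist link from the first word, clears the object and writes the
 * redzone. The redzone write is deliberately outside the lock, so the only
 * thing ordering it against the consumer's check is the pointer publication. */
static void *toy_alloc(void)
{
    pthread_mutex_lock(&slab_lock);
    void *o = freelist;
    if (o)
        freelist = *(void **)o;            /* allocator read of the object */
    pthread_mutex_unlock(&slab_lock);
    if (o) {
        struct slot *s = o;
        memset(s->obj, 0, OBJ_SIZE);       /* allocator writes to the object */
        s->redzone = REDZONE;
    }
    return o;
}

/* The allocator touches the object again on free: it checks the redzone
 * (a debug-mode read) and writes the freelist link into the first word.
 * Returns 1 if the redzone looked corrupt, 0 otherwise. */
static int toy_free(void *o)
{
    struct slot *s = o;
    int bad = (s->redzone != REDZONE);     /* allocator read of the object */
    pthread_mutex_lock(&slab_lock);
    *(void **)o = freelist;                /* allocator write to the object */
    freelist = o;
    pthread_mutex_unlock(&slab_lock);
    return bad;
}

static _Atomic(void *) p;                  /* the shared pointer from the thread */

struct ctx { int ordered; int bad; };

/* Thread 1: smp_store_release(&p, kmalloc(8)) in the thread's notation;
 * with ordered == 0 the store is relaxed, i.e. the barrier is missing. */
static void *producer(void *arg)
{
    struct ctx *c = arg;
    memory_order mo = c->ordered ? memory_order_release : memory_order_relaxed;
    for (int i = 0; i < ITER; i++) {
        void *o = toy_alloc();
        atomic_store_explicit(&p, o, mo);
        while (atomic_load_explicit(&p, memory_order_acquire) != NULL)
            sched_yield();                 /* wait until thread 2 has freed it */
    }
    return NULL;
}

/* Thread 2: r = smp_load_acquire(&p); if (r) kfree(r); */
static void *consumer(void *arg)
{
    struct ctx *c = arg;
    memory_order mo = c->ordered ? memory_order_acquire : memory_order_relaxed;
    for (int i = 0; i < ITER; i++) {
        void *r;
        while ((r = atomic_load_explicit(&p, mo)) == NULL)
            sched_yield();
        c->bad += toy_free(r);
        atomic_store_explicit(&p, NULL, memory_order_release);  /* hand the slot back */
    }
    return NULL;
}

/* Runs ITER handoffs; returns how often kfree's redzone check saw a stale
 * value. With release/acquire ordering this is 0 by construction. */
int run_handoff(int ordered)
{
    struct ctx c = { ordered, 0 };
    pthread_t t1, t2;
    slab_init();
    atomic_store(&p, NULL);
    pthread_create(&t2, NULL, consumer, &c);
    pthread_create(&t1, NULL, producer, &c);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return c.bad;
}

int main(void)
{
    printf("release/acquire handoff: %d bad redzones\n", run_handoff(1));
    return 0;
}
```

Build with `cc -O2 -pthread`. Calling `run_handoff(0)` instead will usually still report 0 bad redzones on x86, because the hardware rarely reorders the plain redzone store past the relaxed pointer store; compiling with `-fsanitize=thread` should nevertheless flag the redzone byte as a data race between toy_alloc in thread 1 and toy_free in thread 2, since nothing establishes happens-before between them once the release/acquire pair is dropped. That is the point of the message: the allocator's own accesses are the "use" in the use-after-free, whether or not the caller ever touches the object.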


Thread overview: 45+ messages
2015-09-08  7:51 Dmitry Vyukov
2015-09-08 14:13 ` Christoph Lameter
2015-09-08 14:41   ` Dmitry Vyukov
2015-09-08 15:13     ` Christoph Lameter
2015-09-08 15:23       ` Dmitry Vyukov
2015-09-08 15:33         ` Christoph Lameter
2015-09-08 15:37           ` Dmitry Vyukov
2015-09-08 17:09             ` Christoph Lameter
2015-09-08 19:24               ` Dmitry Vyukov [this message]
2015-09-09 14:02                 ` Christoph Lameter
2015-09-09 14:19                   ` Dmitry Vyukov
2015-09-09 14:36                     ` Christoph Lameter
2015-09-09 15:30                       ` Dmitry Vyukov
2015-09-09 15:44                         ` Christoph Lameter
2015-09-09 16:09                           ` Dmitry Vyukov
2015-09-09 17:56                             ` Christoph Lameter
2015-09-09 18:44                               ` Paul E. McKenney
2015-09-09 19:01                                 ` Christoph Lameter
2015-09-09 20:36                                   ` Paul E. McKenney
2015-09-09 23:23                                     ` Store Buffers (was Re: Is it OK to pass non-acquired objects to kfree?) Christoph Lameter
2015-09-10  0:08                                       ` Paul E. McKenney
2015-09-10  0:21                                         ` Christoph Lameter
2015-09-10  1:10                                           ` Paul E. McKenney
2015-09-10  1:47                                             ` Christoph Lameter
2015-09-10  7:38                                               ` Vlastimil Babka
2015-09-10 16:37                                                 ` Christoph Lameter
2015-09-10  7:22                                       ` Vlastimil Babka
2015-09-10 16:36                                         ` Christoph Lameter
2015-09-09 23:31                                     ` Is it OK to pass non-acquired objects to kfree? Christoph Lameter
2015-09-10  9:55                                       ` Dmitry Vyukov
2015-09-10 10:42                                         ` Jesper Dangaard Brouer
2015-09-10 12:08                                           ` Dmitry Vyukov
2015-09-10 13:37                                             ` Eric Dumazet
2015-09-10 12:47                                         ` Vlastimil Babka
2015-09-10 13:17                                           ` Dmitry Vyukov
2015-09-10 17:13                                         ` Paul E. McKenney
2015-09-10 17:21                                           ` Paul E. McKenney
2015-09-10 17:26                                           ` Dmitry Vyukov
2015-09-10 17:44                                             ` Paul E. McKenney
2015-09-10 18:01                                           ` Christoph Lameter
2015-09-10 18:11                                             ` Dmitry Vyukov
2015-09-10 18:13                                               ` Christoph Lameter
2015-09-10 18:26                                                 ` Dmitry Vyukov
2015-09-10 18:56                                                   ` Paul E. McKenney
2015-09-10 22:00                                                   ` Christoph Lameter
