From: Andrew Morton <akpm@linux-foundation.org>
To: Manfred Spraul <manfred@colorfullife.com>
Cc: krh@redhat.com, stefanr@s5r6.in-berlin.de, dcm@acm.org,
Nadia.Derbey@bull.net, linux1394-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, paulmck@us.ibm.com
Subject: Re: [PATCH] lib/idr.c: Zero memory properly in idr_remove_all
Date: Tue, 13 Jan 2009 14:48:02 -0800
Message-ID: <20090113144802.39dc4c23.akpm@linux-foundation.org>
In-Reply-To: <496BAD1C.5060201@colorfullife.com>
On Mon, 12 Jan 2009 21:50:36 +0100
Manfred Spraul <manfred@colorfullife.com> wrote:
> Kristian Høgsberg wrote:
> > On Mon, 2009-01-12 at 20:53 +0100, Manfred Spraul wrote:
> >
> >> Kristian Høgsberg wrote:
> >>
> >>> The problem
> >>> isn't about returning un-zeroed-out objects to the kmem cache, the
> >>> problem is returning them to the idr free list.
> >>>
> >>>
> >> I think this is wrong:
> >> The slab allocator assumes that the objects that are given to
> >> kmem_cache_free() are properly constructed.
> >> I.e.: No additional constructor is called prior to returning the object
> >> from the next kmem_cache_alloc() call.
> >>
> >
> > That's fine, the ctor associated with the kmem cache is called, and in
> > the case of idr, it does a memset().
> >
> No.
> As I said, the constructor is not called.
> An object that is given to kmem_cache_free() must be properly constructed.
> kmem_cache_free() just adds the obj pointer to a list, the next
> kmem_cache_alloc returns the pointer.
>
> This is also documented in mm/slab.c:
> * The memory is organized in caches, one cache for each object type.
> * (e.g. inode_cache, dentry_cache, buffer_head, vm_area_struct)
> * Each cache consists out of many slabs (they are small (usually one
> * page long) and always contiguous), and each slab contains multiple
> * initialized objects.
> *
> * This means, that your constructor is used only for newly allocated
> * slabs and you must pass objects with the same initializations to
> * kmem_cache_free.
> *
>
> If the idr code passes uninitialized objects to kmem_cache_free(), then
> the next kmem_cache_alloc will return a bad object.
>
None of this got us much closer to fixing the bug ;)
What do we think of just removing the constructor and using
kmem_cache_zalloc()?
--- a/lib/idr.c~a
+++ a/lib/idr.c
@@ -121,7 +121,7 @@ int idr_pre_get(struct idr *idp, gfp_t g
{
while (idp->id_free_cnt < IDR_FREE_MAX) {
struct idr_layer *new;
- new = kmem_cache_alloc(idr_layer_cache, gfp_mask);
+ new = kmem_cache_zalloc(idr_layer_cache, gfp_mask);
if (new == NULL)
return (0);
move_to_free_list(idp, new);
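Review bot: kmem_cache_zalloc() here only zeroes layers on their way out of the slab; the move_to_free_list() call in this loop receives that freshly zeroed layer, but a used layer put back on the idr's own free list elsewhere (the idr_remove_all case the subject line names, the "returning them to the idr free list" point Kristian raised) never passes through this call, so this hunk alone does not settle the free-list case. Suggest either zeroing at the point a used layer is returned to the idr free list, or saying in the changelog that that path is handled separately.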
@@ -623,16 +623,10 @@ void *idr_replace(struct idr *idp, void
}
EXPORT_SYMBOL(idr_replace);
-static void idr_cache_ctor(void *idr_layer)
-{
- memset(idr_layer, 0, sizeof(struct idr_layer));
-}
-
void __init idr_init_cache(void)
{
idr_layer_cache = kmem_cache_create("idr_layer_cache",
- sizeof(struct idr_layer), 0, SLAB_PANIC,
- idr_cache_ctor);
+ sizeof(struct idr_layer), 0, SLAB_PANIC, NULL);
}
/**
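Review bot: with idr_cache_ctor() removed, the mm/slab.c rule Manfred quoted no longer binds idr: there is no constructed state the allocator expects to see restored at kmem_cache_free(), so the disagreement about freeing un-zeroed layers becomes moot and the whole zeroing obligation moves to the allocation side. That is exactly why it is worth confirming that idr_pre_get() is the only allocation from idr_layer_cache; any other kmem_cache_alloc(idr_layer_cache, ...) would now hand back uninitialized memory, since the constructor that used to cover it is gone. A changelog sentence explaining the trade (once-per-slab construction replaced by per-allocation zeroing) would help, because the diff itself only shows the NULL.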
_
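To make the mm/slab.c contract quoted above concrete, here is an added user-space model written for this edit; it is not code from the thread, from lib/idr.c or from the slab allocator. It has a toy cache whose constructor runs once per object when a fresh slab is carved up, a free path that only pushes the pointer back (no constructor on reuse), and a flag that stands in for kmem_cache_zalloc(). Every name in it (toy_cache, toy_layer, reuse_is_clean, and so on) is hypothetical, and struct toy_layer is a stand-in for struct idr_layer, not its real layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct idr_layer: a count plus a few slots. */
struct toy_layer {
	int count;
	void *ary[4];
};

#define TOY_SLAB_OBJS 4
#define TOY_MAX_FREE 64

/* Hypothetical model of a kmem cache (not the kernel's): the constructor
 * runs once per object when a slab is created; the free path only records
 * the pointer, as the quoted mm/slab.c comment describes. */
struct toy_cache {
	void (*ctor)(void *);
	int zero_on_alloc;             /* 1 models kmem_cache_zalloc() */
	void *free_list[TOY_MAX_FREE];
	int nfree;
};

static void toy_layer_ctor(void *obj)
{
	memset(obj, 0, sizeof(struct toy_layer));
}

/* Carve up one "slab": fresh memory is garbage, the ctor runs exactly once
 * per object. The slab is intentionally never released in this toy model. */
static void toy_grow(struct toy_cache *c)
{
	char *slab = malloc(TOY_SLAB_OBJS * sizeof(struct toy_layer));
	if (!slab)
		abort();
	memset(slab, 0xAA, TOY_SLAB_OBJS * sizeof(struct toy_layer));
	for (size_t i = 0; i < TOY_SLAB_OBJS && c->nfree < TOY_MAX_FREE; i++) {
		void *obj = slab + i * sizeof(struct toy_layer);
		if (c->ctor)
			c->ctor(obj);
		c->free_list[c->nfree++] = obj;
	}
}

/* Pop from the free list; no constructor call on the reuse path. */
static void *toy_alloc(struct toy_cache *c)
{
	if (c->nfree == 0)
		toy_grow(c);
	void *obj = c->free_list[--c->nfree];
	if (c->zero_on_alloc)
		memset(obj, 0, sizeof(struct toy_layer));
	return obj;
}

/* Just a list push: the cache trusts the caller to hand back a
 * properly constructed object. */
static void toy_free(struct toy_cache *c, void *obj)
{
	if (c->nfree < TOY_MAX_FREE)
		c->free_list[c->nfree++] = obj;
}

static int layer_is_clean(const struct toy_layer *l)
{
	if (l->count != 0)
		return 0;
	for (size_t i = 0; i < 4; i++)
		if (l->ary[i] != NULL)
			return 0;
	return 1;
}

/* Dirty a layer, free it, allocate again: returns 1 if the next caller
 * gets a clean object, 0 if it gets the stale contents back. */
static int reuse_is_clean(struct toy_cache *c, int restore_before_free)
{
	struct toy_layer *l = toy_alloc(c);
	l->count = 7;
	l->ary[0] = l;
	if (restore_before_free)
		memset(l, 0, sizeof(*l));   /* what the slab contract asks of idr */
	toy_free(c, l);
	return layer_is_clean(toy_alloc(c));
}

/* ctor-backed cache, dirty object freed: next alloc is dirty (returns 0). */
int ctor_cache_dirty_free(void)
{
	struct toy_cache c = { .ctor = toy_layer_ctor };
	return reuse_is_clean(&c, 0);
}

/* ctor-backed cache, object restored before free: next alloc is clean (1). */
int ctor_cache_contract_kept(void)
{
	struct toy_cache c = { .ctor = toy_layer_ctor };
	return reuse_is_clean(&c, 1);
}

/* no ctor, zero on every allocation: clean regardless of what was freed (1). */
int zalloc_cache_dirty_free(void)
{
	struct toy_cache c = { .zero_on_alloc = 1 };
	return reuse_is_clean(&c, 0);
}

int main(void)
{
	printf("ctor cache, dirty free:      clean=%d\n", ctor_cache_dirty_free());
	printf("ctor cache, restored free:   clean=%d\n", ctor_cache_contract_kept());
	printf("zalloc cache, dirty free:    clean=%d\n", zalloc_cache_dirty_free());
	return 0;
}
```

The three scenarios line up with the thread: freeing a dirtied layer into the constructor-backed cache hands the next caller a bad object (Manfred's point), restoring it before the free keeps the contract, and the zalloc variant is clean whatever was freed, which is the property the proposed change relies on once the constructor is gone.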
Thread overview: 21+ messages
2009-01-10 7:04 [PATCH] lib/idr.c: Zero memory properly in idr_remove_all David Moore
2009-01-10 9:03 ` Stefan Richter
2009-01-10 9:15 ` Andrew Morton
2009-01-10 10:05 ` Stefan Richter
2009-01-12 15:20 ` Kristian Høgsberg
2009-01-12 19:53 ` Manfred Spraul
2009-01-12 20:38 ` Kristian Høgsberg
2009-01-12 20:50 ` Manfred Spraul
2009-01-13 22:48 ` Andrew Morton [this message]
2009-01-14 2:51 ` David Moore
2009-01-14 7:19 ` Pekka Enberg
2009-01-14 8:17 ` Andrew Morton
2009-01-14 8:59 ` Stefan Richter
2009-01-14 9:22 ` Andrew Morton
2009-01-14 9:48 ` Stefan Richter
2009-01-14 9:52 ` Stefan Richter
2009-01-14 9:02 ` Pekka Enberg
2009-01-14 14:23 ` Kristian Høgsberg
2009-01-14 16:21 ` Stefan Richter
2009-01-14 16:33 ` Kristian Høgsberg
2009-01-14 18:05 ` Stefan Richter