Re: [PATCH] lib/idr.c: Zero memory properly in idr_remove_all

[Manfred Spraul <manfred@colorfullife.com>]

Kristian Høgsberg wrote:
> On Mon, 2009-01-12 at 20:53 +0100, Manfred Spraul wrote:
>   
>> Kristian Høgsberg wrote:
>>     
>>>   The problem
>>> isn't about returning un-zeroed-out objects to the kmem cache, the
>>> problem is returning them to the idr free list.
>>>   
>>>       
>> I think this is wrong:
>> The slab allocator assumes that the objects that are given to 
>> kmem_cache_free() are properly constructed.
>> I.e.: No additional constructor is called prior to returning the object 
>> from the next kmem_cache_alloc() call.
>>     
>
> That's fine, the ctor associated with the kmem cache is called, and in
> the case of idr, it does a memset().
>   
No.
As I said, the construtor is not called.
An object that is given to kmem_cache_free() must be properly constructed.
kmem_cache_free() just adds the obj pointer to a list, the next 
kmem_cache_alloc returns the pointer.

This is also documented in mm/slab.c:
 * The memory is organized in caches, one cache for each object type.
 * (e.g. inode_cache, dentry_cache, buffer_head, vm_area_struct)
 * Each cache consists out of many slabs (they are small (usually one
 * page long) and always contiguous), and each slab contains multiple
 * initialized objects.
 *
 * This means, that your constructor is used only for newly allocated
 * slabs and you must pass objects with the same initializations to
 * kmem_cache_free.
 *

If the idr code passes uninitialized objects to kmem_cache_free(), then 
the next kmem_cache_alloc will return a bad object.

--
    Manfred