From: "J. Bruce Fields" <bfields@fieldses.org>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: linux-nfs@vger.kernel.org,
Trond Myklebust <Trond.Myklebust@netapp.com>,
security@kernel.org, Jeff Layton <jlayton@redhat.com>
Subject: Re: [PATCH] nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab
Date: Fri, 4 Mar 2011 14:33:25 -0500
Message-ID: <20110304193325.GB21260@fieldses.org>
In-Reply-To: <20110304184505.GB10083@hmsreliant.think-freely.org>

On Fri, Mar 04, 2011 at 01:45:06PM -0500, Neil Horman wrote:
> On Fri, Mar 04, 2011 at 12:13:21PM -0500, J. Bruce Fields wrote:
> > On Fri, Mar 04, 2011 at 11:44:13AM -0500, Neil Horman wrote:
> > > We can't create a buffer with kmalloc and free it later in the tcp
> > > ack path with put_page, so we need to either:
> >
> > But out of curiosity: why is there this rule?
> >
> It's an artifact that results from needing to free memory using a method
> in keeping with the way in which it was allocated. To use this bug as
> an example, the acl data was allocated by the VFS using kmalloc, which
> gets data from the slab. Even though this data is a size that is a
> multiple of a page, slab objects can be less than a page, and multiple
> objects can be stored in a single page. As such, anything allocated
> from the slab allocator needs to be freed by the slab allocator, so
> that object reference counts internally maintained by the slab can be
> kept accurate.

OK.  I guess my naive mental model was that the slab allocator was
layered on top of the page allocator--so it got pages with alloc_pages()
or equivalent, then handed out pieces of them to people using the slab
allocator.

So I assumed the slab allocator would hold a reference to the page like
any other user would, in which case the tcp code could take a second
reference of its own.

--b.
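
A simplified userspace model of the accounting discussed in this message, added here as an illustration; it is not code from the thread or from the kernel. All `toy_*` names, the four-objects-per-page layout, and the single page reference held by the slab are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>

#define OBJS_PER_PAGE 4 /* constructed: four slab objects share one page */

/* Toy page: the page-level refcount and the slab bookkeeping are separate state. */
struct toy_page {
    int  refcount;                 /* only toy_get_page()/toy_put_page() touch this */
    int  inuse;                    /* slab's count of live objects on the page */
    bool slot_live[OBJS_PER_PAGE]; /* slab's per-object state */
    bool released;                 /* page went back to the page allocator */
};

/* kmalloc analogue: hand out a free slot and update the slab accounting. */
static int toy_kmalloc(struct toy_page *pg)
{
    for (int i = 0; i < OBJS_PER_PAGE; i++)
        if (!pg->slot_live[i]) { pg->slot_live[i] = true; pg->inuse++; return i; }
    return -1;
}

/* kfree analogue: the only path that keeps the slab accounting accurate. */
static void toy_kfree(struct toy_page *pg, int slot)
{
    if (slot >= 0 && slot < OBJS_PER_PAGE && pg->slot_live[slot]) {
        pg->slot_live[slot] = false;
        pg->inuse--;
    }
}

static void toy_get_page(struct toy_page *pg) { pg->refcount++; }
static void toy_put_page(struct toy_page *pg) { if (--pg->refcount == 0) pg->released = true; }

/* Allocate an ACL buffer plus an unrelated neighbour on the same page, then
 * release the ACL buffer via the slab (use_kfree) or via a page-level put. */
static struct toy_page run_case(bool use_kfree, bool sender_took_ref)
{
    struct toy_page pg = { .refcount = 1 }; /* assumption: slab holds one page ref */
    int acl = toy_kmalloc(&pg);
    (void)toy_kmalloc(&pg);                 /* neighbour object stays live */
    if (sender_took_ref) toy_get_page(&pg);
    if (use_kfree) toy_kfree(&pg, acl);
    if (!use_kfree || sender_took_ref) toy_put_page(&pg); /* ack-path release */
    return pg;
}

int main(void)
{
    struct toy_page c = run_case(false, false);
    printf("released=%d with %d objects still live\n", c.released, c.inuse);
    return 0;
}
```

In this model a page-level put never updates `inuse`, so the slab still counts the ACL object as live, and a put without a matching get releases the page while the neighbour object is still on it.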