[Tarantool-patches] [PATCH small 1/1] lsregion: fix slab_unmap() called on malloced slab

Aleksandr Lyapunov alyapunov at tarantool.org
Tue May 19 19:21:29 MSK 2020


Thanks for the patch! Nice catch, LGTM!

On 5/15/20 1:31 AM, Vladislav Shpilevoy wrote:
> Lsregion allocates slabs using either
> - Slab_map() from slab arena, when allocation size is smaller,
>    than slab size;
> - Using cached slab, stored in the lsregion as a protection from
>    oscillation;
> - Using malloc(), when requested size is too big.
>
> Malloc() was used when allocation size was >= fixed slab size -
> meta size. However free() was used, when real slab size was >
> fixed slab size - meta size. So if an allocation was exactly of
> size 'fixed slab size - meta size', it was allocated using
> malloc(), but freed using slab_unmap(). That led to a crash, if
> 'lucky'. But as it is a memory corruption, it could lead to anything.
> ---
> Branch: http://github.com/tarantool/small/tree/gerold103/fix-lsregion-crash-or-leak
>
> This led to at least leaks in vinyl. Since it used lsregion very
> extensively for 0 level of LSM trees.
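
The boundary mismatch described in the commit message, as an added sketch that is not part of this thread or of the small library's code: the allocation side uses `>=` and the release side uses `>` against the same limit, and a sweep around the limit finds the one size that ends up with the wrong deallocator. `SLAB_SIZE`, `META_SIZE`, the function names and the choice to compare the payload size on both sides are assumptions made for the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sizes for the model, not the real arena parameters. */
#define SLAB_SIZE ((size_t)4096)
#define META_SIZE ((size_t)64)
#define LIMIT (SLAB_SIZE - META_SIZE)

enum origin { FROM_ARENA, FROM_MALLOC };

/* Allocation side as the commit message describes it: malloc() at >= LIMIT. */
static enum origin alloc_origin(size_t size)
{
	return size >= LIMIT ? FROM_MALLOC : FROM_ARENA;
}

/* Release side before the fix: free() only when strictly above LIMIT. */
static enum origin release_origin_buggy(size_t size)
{
	return size > LIMIT ? FROM_MALLOC : FROM_ARENA;
}

/* Release side reusing the allocation predicate, so the two cannot drift. */
static enum origin release_origin_fixed(size_t size)
{
	return alloc_origin(size);
}

/* Sweep sizes around LIMIT; count those released to a different allocator
 * than they came from. *first gets the first such size (0 if none). */
static int count_mismatches(enum origin (*release)(size_t), size_t *first)
{
	int n = 0;
	*first = 0;
	for (size_t size = LIMIT - 8; size <= LIMIT + 8; size++) {
		if (alloc_origin(size) != release(size) && n++ == 0)
			*first = size;
	}
	return n;
}

int main(void)
{
	size_t first;
	int n = count_mismatches(release_origin_buggy, &first);
	printf("buggy: %d mismatch(es), first at size %zu\n", n, first);
	n = count_mismatches(release_origin_fixed, &first);
	printf("fixed: %d mismatch(es)\n", n);
}
```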

