Tarantool development patches archive
From: Aleksandr Lyapunov <alyapunov@tarantool.org>
To: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>,
	tarantool-patches@dev.tarantool.org, korablev@tarantool.org
Subject: Re: [Tarantool-patches] [PATCH small 1/1] lsregion: fix slab_unmap() called on malloced slab
Date: Tue, 19 May 2020 19:21:29 +0300
Message-ID: <08e98cac-49e7-c3c0-616f-13818f6ccd2b@tarantool.org>
In-Reply-To: <c12798db852383743672787e38aa0e2f88844172.1589495493.git.v.shpilevoy@tarantool.org>

Thanks for the patch! Nice catch, lgtm!

On 5/15/20 1:31 AM, Vladislav Shpilevoy wrote:
> Lsregion allocates slabs using either
> - Slab_map() from slab arena, when allocation size is smaller,
>    than slab size;
> - Using cached slab, stored in the lsregion as a protection from
>    oscillation;
> - Using malloc(), when requested size is too big.
>
> Malloc() was used when allocation size was >= fixed slab size -
> meta size. However free() was used, when real slab size was >
> fixed slab size - meta size. So if an allocation was exactly of
> size 'fixed slab size - meta size', it was allocated using
> malloc(), but freed using slab_unmap(). That led to a crash, if
> 'lucky'. But as it is a memory corruption, could lead to anything.
> ---
> Branch: http://github.com/tarantool/small/tree/gerold103/fix-lsregion-crash-or-leak
>
> This led to at least leaks in vinyl. Since it used lsregion very
> extensively for 0 level of LSM trees.
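
The boundary mismatch described in the quoted commit message, as an added example that is not part of the original message or of the small library's code. It is a model with constructed sizes and hypothetical function names that sweeps allocation sizes and reports where the allocation and release paths pick different backends; reusing one predicate on both paths is shown as an assumption about how to keep them in sync, not as the content of the patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sizes for the model; not values from the small library. */
static const size_t SLAB_SIZE = 4096, META_SIZE = 32;
enum backend { FROM_ARENA, FROM_MALLOC };
typedef enum backend (*classify_fn)(size_t size);

/* Allocation side: malloc() when size >= fixed slab size - meta size. */
static enum backend alloc_side(size_t size)
{
	return size >= SLAB_SIZE - META_SIZE ? FROM_MALLOC : FROM_ARENA;
}

/* Release side as described before the fix: free() only on strictly greater. */
static enum backend release_side_before(size_t size)
{
	return size > SLAB_SIZE - META_SIZE ? FROM_MALLOC : FROM_ARENA;
}

/* Hypothetical release side that reuses the allocation predicate. */
static enum backend release_side_shared(size_t size)
{
	return alloc_side(size);
}

/*
 * Sweep sizes 1..limit and count those where the release path picks a
 * different backend than the allocation path. The first such size is
 * stored in *first (0 when there is none).
 */
static size_t count_mismatches(classify_fn release, size_t limit, size_t *first)
{
	size_t n = 0;
	*first = 0;
	for (size_t size = 1; size <= limit; size++) {
		if (alloc_side(size) != release(size) && n++ == 0)
			*first = size;
	}
	return n;
}

int main(void)
{
	size_t first;
	size_t n = count_mismatches(release_side_before, 2 * SLAB_SIZE, &first);
	printf("before: %zu mismatch(es), first at size %zu\n", n, first);
	n = count_mismatches(release_side_shared, 2 * SLAB_SIZE, &first);
	printf("shared: %zu mismatch(es)\n", n);
	return 0;
}
```

The sweep covers both sides of the boundary, which is the kind of test that catches a `>=` on one path paired with a `>` on the other.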
