From: Russ Cox <rsc@swtch.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] aux/acidleak pool pathology
Date: Thu, 21 May 2009 10:19:02 -0700 [thread overview]
Message-ID: <dd6fe68a0905211019p3c45859cm457c70dc3828198c@mail.gmail.com> (raw)
In-Reply-To: <c158eebe60d9c26e17e89c7b935e2cef@quanstro.net>
On Thu, May 21, 2009 at 9:54 AM, erik quanstrom <quanstro@quanstro.net> wrote:
> On Thu May 21 12:39:00 EDT 2009, rsc@swtch.com wrote:
>> > obviously the Brdline loop in main is reallocating data and block
>> > so they don't fit in their previous buckets and pool sbrk's more
>> > memory. it would seem that pool is missing the fact that
>>
>> It's probably a combination of data and block growing together
>> along with the occasional estrdup that is causing the fragmentation.
>> You should rewrite both of the reallocs to double the array when
>> they outgrow the current one instead of growing by a fixed amount.
>> The fixed amount is nice because it avoids the extra variable
>> tracking the maximum size of the array, but it's a terrible algorithm.
>
> in this simple case, that is an fine solution. but i also see similar
> behavior with upas/fs, especially when opening and closing multiple
> mailboxes. i was actually trying to debug a case where upas/fs has
> sbrk'd 800mb but had not had an active set >43mb when i ran across
> this behavior.
all allocators have fragmentation and reuse problems.
some are better than others, but they all do.
linear reallocs are always a bad idea; the worse
part is requiring the array to be contiguous in the
first place, but you can't qsort a linked list.
if upas/fs is allocating arbitrarily large buffers,
then its allocation behavior is broken too.
> more importantly, since pool is used in the kernel, i would imagine
> that a determined attacker could force the kernel to "run out" of
> memory in a similar fashion. perhaps by dd'ing large chunks and
> small chunks from /dev/zero. maybe there's a simple reason this can't
> happen that i'm missing. but i don't currently see it.
if the kernel can be forced to allocate an arbitrarily
large chunk of data, that's the bug to fix, not the
allocator behavior. it probably can, in its handling
of strings like user names and large paths passed
to open. /dev/zero doesn't allocate at all.
russ
next prev parent reply other threads:[~2009-05-21 17:19 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-21 16:06 erik quanstrom
2009-05-21 16:35 ` Russ Cox
2009-05-21 16:54 ` erik quanstrom
2009-05-21 16:57 ` erik quanstrom
2009-05-21 17:19 ` Russ Cox [this message]
2009-05-21 18:04 ` erik quanstrom
2009-05-21 18:49 ` Russ Cox
2009-05-22 2:13 ` erik quanstrom
2009-05-22 16:52 ` Joel C. Salomon
2009-05-22 17:13 ` erik quanstrom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dd6fe68a0905211019p3c45859cm457c70dc3828198c@mail.gmail.com \
--to=rsc@swtch.com \
--cc=9fans@9fans.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).