Dmitry Kozlyuk wrote on Mon, 23 Oct 2023 at 04:22:
>
> 2023-09-22 16:12 (UTC+0800), Fengnan Chang:
> > ping
> >
> > Fengnan Chang wrote on Tue, 12 Sep 2023 at 17:05:
> > >
> > > Let's look at this path:
> > > malloc_elem_free
> > > ->malloc_elem_join_adjacent_free
> > > ->join_elem(elem, elem->next)
> > >
> > > 0. cur elem's pad > 0
> > > 1. data area memset in malloc_elem_free first.
> > > 2. next elem is free, try to join cur elem and next.
> > > 3. in join_elem, try to modify inner->size; this address had
> > > memset in step 1, so it causes the content of the address to become non-zero.
> > >
> > > If the user calls rte_zmalloc and picks this elem, it can't get all
> > > zero'd memory.
>
> malloc_elem_join_adjacent_free() always calls memset() after join_elem(),
> for the next and the previous element respectively.

When join_elem() is called for the next element in malloc_elem_join_adjacent_free(), the memset tries to memset the *next* element, but join_elem() updates the *current* element's content, which shouldn't happen; they are two different elements.

> How to reproduce this bug?

When I tested this patch, https://patches.dpdk.org/project/dpdk/patch/20230831111937.60975-1-changfengnan@bytedance.com/
I have a case that tries to alloc 64/128/192 size objects and free them with 16 threads; after every alloc I check whether all content is 0 or not.
It's not easy to reproduce, you can have a try; it's easier to find this problem at the code level.
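To make the ordering problem in the thread concrete, here is an added example that is not DPDK's code and not the patch under discussion: a constructed, simplified model of a heap element with a pad region. The layout (outer header, pad bytes with an inner header at elem + pad, then user data), the names `join_elem`, `free_elem_buggy` and `free_elem_fixed`, the arena sizes and the 0xAA fill pattern are all assumptions of this model. `free_elem_buggy` follows the order the thread describes (zero the data area, then join, then zero only the old next element), and `count_nonzero` is the check a caller of a zeroing allocator would want to pass over the merged element. `free_elem_fixed` is a hypothetical reordering for this model only, shown to confirm that zeroing after the join leaves no stale inner header bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a heap element; field set is deliberately minimal. */
struct elem {
    size_t size;        /* total bytes of the element, header included */
    size_t pad;         /* bytes of padding before the inner header, 0 if none */
    struct elem *next;  /* next element in address order, or NULL */
    int is_free;
};
#define HDR_LEN sizeof(struct elem)

/* Two adjacent elements live in this arena (sizes are assumptions). */
enum { ELEM_A_SIZE = 256, ELEM_B_SIZE = 256, PAD = 32 };
_Alignas(16) static uint8_t arena[ELEM_A_SIZE + ELEM_B_SIZE];

/* Merge e2 into e1; when e1 is padded, keep the inner header's size in sync.
 * This write lands inside e1's data area, which is the point of the thread. */
static void join_elem(struct elem *e1, struct elem *e2)
{
    e1->size += e2->size;
    e1->next = e2->next;
    if (e1->pad) {
        struct elem *inner = (struct elem *)((uint8_t *)e1 + e1->pad);
        inner->size = e1->size - e1->pad;
    }
}

/* Join with the following element if it is free, then zero what used to
 * be that following element (header included). e's own area is untouched. */
static void join_adjacent_free(struct elem *e)
{
    if (e->next && e->next->is_free) {
        struct elem *n = e->next;
        size_t n_size = n->size;
        join_elem(e, n);
        memset(n, 0, n_size);
    }
}

/* Order as described in the thread: zero first, join afterwards. */
static void free_elem_buggy(struct elem *e)
{
    e->is_free = 1;
    memset((uint8_t *)e + HDR_LEN, 0, e->size - HDR_LEN);  /* step 1 */
    join_adjacent_free(e);                                   /* steps 2-3 */
}

/* Hypothetical reordering for this model: join first, then zero the whole
 * merged data area, so nothing written by join_elem survives. */
static void free_elem_fixed(struct elem *e)
{
    e->is_free = 1;
    join_adjacent_free(e);
    e->pad = 0;
    memset((uint8_t *)e + HDR_LEN, 0, e->size - HDR_LEN);
}

/* Number of non-zero bytes in the data area a zeroing allocator would hand out. */
static size_t count_nonzero(const struct elem *e)
{
    const uint8_t *p = (const uint8_t *)e + HDR_LEN;
    size_t n = 0;
    for (size_t i = 0; i < e->size - HDR_LEN; i++)
        n += (p[i] != 0);
    return n;
}

/* Fresh arena: A is allocated with a pad, B right after it is free. */
static struct elem *setup_arena(void)
{
    memset(arena, 0, sizeof arena);
    struct elem *a = (struct elem *)arena;
    struct elem *b = (struct elem *)(arena + ELEM_A_SIZE);
    struct elem *inner = (struct elem *)(arena + PAD);
    a->size = ELEM_A_SIZE; a->pad = PAD; a->next = b; a->is_free = 0;
    inner->size = ELEM_A_SIZE - PAD; inner->pad = 0; inner->next = NULL; inner->is_free = 0;
    b->size = ELEM_B_SIZE; b->pad = 0; b->next = NULL; b->is_free = 1;
    /* Constructed "used" contents of A's user data. */
    memset(arena + PAD + HDR_LEN, 0xAA, ELEM_A_SIZE - PAD - HDR_LEN);
    return a;
}

/* Free A with one of the two orderings and report stale bytes in the merged element. */
size_t run_scenario(int fixed)
{
    struct elem *a = setup_arena();
    if (fixed)
        free_elem_fixed(a);
    else
        free_elem_buggy(a);
    return count_nonzero(a);
}

size_t merged_size_after_free(void)
{
    struct elem *a = setup_arena();
    free_elem_buggy(a);
    return a->size;
}

int main(void)
{
    printf("zero-then-join: %zu non-zero bytes\n", run_scenario(0));
    printf("join-then-zero: %zu non-zero bytes\n", run_scenario(1));
    return 0;
}
```

The non-zero bytes reported by the first ordering are exactly the bytes of `inner->size` that `join_elem` wrote after the memset; their count depends on the width and endianness of `size_t`, so the check asserts only that some stale bytes exist, not how many.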