2023-09-22 16:12 (UTC+0800), Fengnan Chang:
> ping
>
> Fengnan Chang <changfeng...@bytedance.com> wrote on Tue, Sep 12, 2023 at 17:05:
> >
> > Let's look at this path:
> > malloc_elem_free
> > ->malloc_elem_join_adjacent_free
> > ->join_elem(elem, elem->next)
> >
> > 0. cur elem's pad > 0
> > 1. data area is memset in malloc_elem_free first.
> > 2. next elem is free, try to join cur elem and next.
> > 3. in join_elem, try to modify inner->size; this address had
> > been memset in step 1, so it causes the content of the address to become non-zero.
> >
> > If the user calls rte_zmalloc and picks this elem, it can't get all
> > zero'd memory.
malloc_elem_join_adjacent_free() always calls memset() after join_elem(), for the next and the previous element respectively. How to reproduce this bug?