From 51da0dcf515bd63d44dd4c479147810b4f30a7f5 Mon Sep 17 00:00:00 2001
From: Ulrich Drepper
Date: Thu, 2 Jul 2009 03:30:55 -0700
Subject: Fix possible race when freeing object in fast bin list.

(cherry picked from commit 6cbbaa50aac809ad6e0692247876c82d58e466bf)
---
 malloc/malloc.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'malloc')

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 0b9facefd4..703dcb56e7 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4802,6 +4802,7 @@ _int_free(mstate av, mchunkptr p)
 goto errout;
 }
 p->fd = fd = old;
+ atomic_full_barrier ();
 }
 while ((old = catomic_compare_and_exchange_val_acq (fb, p, fd)) != fd);
 #else
-- 
cgit v1.2.3

From e875bad50a2247e6297c1b2306d87b3eb623a0be Mon Sep 17 00:00:00 2001
From: Jakub Jelinek
Date: Thu, 16 Jul 2009 07:24:50 -0700
Subject: Use rel semantics of cas instead of acq semantics with full barrier before it in _int_free

The following patch fixes catomic_compare_and_exchange_*_rel definitions (which were never used and weren't correct) and uses catomic_compare_and_exchange_val_rel in _int_free.

Comparing to the pre-2009-07-02 --enable-experimental-malloc state the generated code should be identical on all arches other than ppc/ppc64 and on ppc/ppc64 should use lwsync instead of isync barrier.

(cherry picked from commit bea0ac1d8703091294fe5822d982591c849b5458)
---
 malloc/malloc.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'malloc')

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 703dcb56e7..bd44dee7f4 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4802,9 +4802,8 @@ _int_free(mstate av, mchunkptr p)
 goto errout;
 }
 p->fd = fd = old;
- atomic_full_barrier ();
 }
- while ((old = catomic_compare_and_exchange_val_acq (fb, p, fd)) != fd);
+ while ((old = catomic_compare_and_exchange_val_rel (fb, p, fd)) != fd);
 #else
 /* Another simple check: make sure the top of the bin is not the
 record we are going to add (i.e., double free). */
-- 
cgit v1.2.3
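Review bot: After this change the `_rel` CAS on the new `while` line is the only thing ordering the `p->fd = fd = old;` store before `p` becomes the fastbin head visible to other threads, and nothing in the hunk says so; a later reader may take the loop for a plain retry loop and restore the `_acq` form. Suggest a comment on the line before the `while`, `/* Release: the fd store above must be visible before p is published on the fastbin.  */`, and a matching note at the acquire-side pop in the allocation path, which is outside this hunk. The commit message says the `catomic_compare_and_exchange_*_rel` definitions were previously incorrect and are repaired by the same change, but this view is limited to malloc/ and the diffstat lists only malloc/malloc.c, so that part cannot be checked here and the hunk is correct only if the repaired `_rel` variant really orders the preceding store. The do/while loop begins before the hunk.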
From 475cfe06fa5de340302b2245e0a0a162d7350c32 Mon Sep 17 00:00:00 2001
From: Ulrich Drepper
Date: Thu, 16 Jul 2009 09:54:34 -0700
Subject: Fix race in corruption check.

With atomic fastbins the checks performed can race with concurrent modifications of the arena. If we detect a problem re-do the test after getting the lock.

(cherry picked from commit bec466d922ee22b94ac0d00415fb605e136efe6e)
---
 malloc/malloc.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

(limited to 'malloc')

diff --git a/malloc/malloc.c b/malloc/malloc.c
index bd44dee7f4..4b623e2200 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4779,8 +4779,29 @@ _int_free(mstate av, mchunkptr p)
 || __builtin_expect (chunksize (chunk_at_offset (p, size))
 >= av->system_mem, 0))
 {
- errstr = "free(): invalid next size (fast)";
- goto errout;
+#ifdef ATOMIC_FASTBINS
+ /* We might not have a lock at this point and concurrent modifications
+ of system_mem might have let to a false positive. Redo the test
+ after getting the lock. */
+ if (have_lock
+ || ({ assert (locked == 0);
+ mutex_lock(&av->mutex);
+ locked = 1;
+ chunk_at_offset (p, size)->size <= 2 * SIZE_SZ
+ || chunksize (chunk_at_offset (p, size)) >= av->system_mem;
+ }))
+#endif
+ {
+ errstr = "free(): invalid next size (fast)";
+ goto errout;
+ }
+#ifdef ATOMIC_FASTBINS
+ if (! have_lock)
+ {
+ (void)mutex_unlock(&av->mutex);
+ locked = 0;
+ }
+#endif
 }
 
 if (__builtin_expect (perturb_byte, 0))
-- 
cgit v1.2.3
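Review bot: The `mutex_lock(&av->mutex)` on the retest path is taken as a side effect inside the statement expression in the `if` condition and sets `locked = 1`, but when the retest confirms the corruption the code jumps to `errout`, which is outside this hunk; that label must release `av->mutex` whenever `locked` is set, or this path leaves `_int_free` holding the arena lock. The explicit unlock added under the second `#ifdef ATOMIC_FASTBINS` only covers the case where the retest passes. Readability would improve if the lock acquisition were a plain statement rather than hidden in `({ ... })`, as below, and the comment typo `let to` should read `led to`. The enclosing `if` starts before the hunk.
```c
#ifdef ATOMIC_FASTBINS
	  /* We might not have a lock at this point and concurrent modifications
	     of system_mem might have led to a false positive.  Redo the test
	     after getting the lock.  */
	  if (! have_lock)
	    {
	      assert (locked == 0);
	      mutex_lock(&av->mutex);
	      locked = 1;
	    }
	  if (have_lock
	      || chunk_at_offset (p, size)->size <= 2 * SIZE_SZ
	      || chunksize (chunk_at_offset (p, size)) >= av->system_mem)
#endif
	    {
	      errstr = "free(): invalid next size (fast)";
	      goto errout;
	    }
	  /* … unchanged: unlock when the lock was taken here … */
```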