Fix race in corruption check.
With atomic fastbins the checks performed can race with concurrent modifications of the arena. If we detect a problem re-do the test after getting the lock.
This commit is contained in:
parent
bea0ac1d87
commit
bec466d922
@ -1,3 +1,9 @@
|
||||
2009-07-16 Ulrich Drepper <drepper@redhat.com>
|
||||
Jakub Jelinek <jakub@redhat.com>
|
||||
|
||||
* malloc/malloc.c [ATOMIC_FASTBINS] (_int_free): Make check for
|
||||
corruption thread-safe.
|
||||
|
||||
2009-07-13 Jakub Jelinek <jakub@redhat.com>
|
||||
|
||||
* include/atomic.h (catomic_compare_and_exchange_val_rel): If arch
|
||||
|
@ -4799,8 +4799,29 @@ _int_free(mstate av, mchunkptr p)
|
||||
|| __builtin_expect (chunksize (chunk_at_offset (p, size))
|
||||
>= av->system_mem, 0))
|
||||
{
|
||||
errstr = "free(): invalid next size (fast)";
|
||||
goto errout;
|
||||
#ifdef ATOMIC_FASTBINS
|
||||
/* We might not have a lock at this point and concurrent modifications
|
||||
of system_mem might have let to a false positive. Redo the test
|
||||
after getting the lock. */
|
||||
if (have_lock
|
||||
|| ({ assert (locked == 0);
|
||||
mutex_lock(&av->mutex);
|
||||
locked = 1;
|
||||
chunk_at_offset (p, size)->size <= 2 * SIZE_SZ
|
||||
|| chunksize (chunk_at_offset (p, size)) >= av->system_mem;
|
||||
}))
|
||||
#endif
|
||||
{
|
||||
errstr = "free(): invalid next size (fast)";
|
||||
goto errout;
|
||||
}
|
||||
#ifdef ATOMIC_FASTBINS
|
||||
if (! have_lock)
|
||||
{
|
||||
(void)mutex_unlock(&av->mutex);
|
||||
locked = 0;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
if (__builtin_expect (perturb_byte, 0))
|
||||
|
Loading…
x
Reference in New Issue
Block a user