diff options
author | Rich Felker <dalias@aerifal.cx> | 2015-03-04 09:29:39 -0500 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2015-03-30 01:55:19 -0400 |
commit | 99c10bf85f4ed893a6712e31da382a58afcbd1ea (patch) | |
tree | 7e785740a41b3b43accaabb4554e7c65f1f4a5e2 | |
parent | fdc39fac106fdb0df66c6fbc686b1b52159cc7df (diff) | |
download | musl-99c10bf85f4ed893a6712e31da382a58afcbd1ea.tar.gz musl-99c10bf85f4ed893a6712e31da382a58afcbd1ea.tar.bz2 musl-99c10bf85f4ed893a6712e31da382a58afcbd1ea.tar.xz musl-99c10bf85f4ed893a6712e31da382a58afcbd1ea.zip |
fix init race that could lead to deadlock in malloc init code
the malloc init code provided its own version of pthread_once type
logic, including the exact same bug that was fixed in pthread_once in
commit 0d0c2f40344640a2a6942dda156509593f51db5d.
since this code is called adjacent to expand_heap, which takes a lock,
there is no reason to have pthread_once-type initialization. simply
moving the init code into the interval where expand_heap already holds
its lock on the brk achieves the same result with much less
synchronization logic, and allows the buggy code to be eliminated
rather than just fixed.
(cherry picked from commit 7a81fe3710be0128d29071e76c5acbea3d84277b)
-rw-r--r-- | src/malloc/malloc.c | 53 |
1 files changed, 14 insertions, 39 deletions
diff --git a/src/malloc/malloc.c b/src/malloc/malloc.c index 7932a975..ed2285e7 100644 --- a/src/malloc/malloc.c +++ b/src/malloc/malloc.c @@ -154,11 +154,22 @@ void __dump_heap(int x) static struct chunk *expand_heap(size_t n) { + static int init; struct chunk *w; uintptr_t new; lock(mal.brk_lock); + if (!init) { + mal.brk = __brk(0); +#ifdef SHARED + mal.brk = mal.brk + PAGE_SIZE-1 & -PAGE_SIZE; +#endif + mal.brk = mal.brk + 2*SIZE_ALIGN-1 & -SIZE_ALIGN; + mal.heap = (void *)mal.brk; + init = 1; + } + if (n > SIZE_MAX - mal.brk - 2*PAGE_SIZE) goto fail; new = mal.brk + n + SIZE_ALIGN + PAGE_SIZE - 1 & -PAGE_SIZE; n = new - mal.brk; @@ -186,6 +197,9 @@ static struct chunk *expand_heap(size_t n) return area; } + w = MEM_TO_CHUNK(mal.heap); + w->psize = 0 | C_INUSE; + w = MEM_TO_CHUNK(new); w->psize = n | C_INUSE; w->csize = 0 | C_INUSE; @@ -203,44 +217,6 @@ fail: return 0; } -static int init_malloc(size_t n) -{ - static int init, waiters; - int state; - struct chunk *c; - - if (init == 2) return 0; - - while ((state=a_swap(&init, 1)) == 1) - __wait(&init, &waiters, 1, 1); - if (state) { - a_store(&init, 2); - return 0; - } - - mal.brk = __brk(0); -#ifdef SHARED - mal.brk = mal.brk + PAGE_SIZE-1 & -PAGE_SIZE; -#endif - mal.brk = mal.brk + 2*SIZE_ALIGN-1 & -SIZE_ALIGN; - - c = expand_heap(n); - - if (!c) { - a_store(&init, 0); - if (waiters) __wake(&init, 1, 1); - return -1; - } - - mal.heap = (void *)c; - c->psize = 0 | C_INUSE; - free(CHUNK_TO_MEM(c)); - - a_store(&init, 2); - if (waiters) __wake(&init, -1, 1); - return 1; -} - static int adjust_size(size_t *n) { /* Result of pointer difference must fit in ptrdiff_t. */ @@ -375,7 +351,6 @@ void *malloc(size_t n) for (;;) { uint64_t mask = mal.binmap & -(1ULL<<i); if (!mask) { - if (init_malloc(n) > 0) continue; c = expand_heap(n); if (!c) return 0; if (alloc_rev(c)) { |