From 131a8501116b1e9f0ac71aeeb513094be5f99b99 Mon Sep 17 00:00:00 2001
From: Szabolcs Nagy
Date: Mon, 3 Oct 2022 11:58:09 +0100
Subject: malloc: Don't use __libc_free for tcache cleanup

__libc_free must only be used for memory given out by __libc_malloc and similar public apis, but tcache stores a cache of already freed pointers and itself is allocated using internal malloc apis. Strong double free detection in __libc_free breaks tcache_thread_shutdown, so use a cut down version of free to reset tcache entries.
---
 malloc/malloc.c | 33 +++++++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)
(limited to 'malloc/malloc.c')
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 701adbebca..7ada0e5ae0 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3205,6 +3205,35 @@ tcache_get (size_t tc_idx)
 return (void *) e;
 }
 
+/* Cut down __libc_free for cleaning up tcache entries. */
+static void
+tcache_libc_free (void *mem)
+{
+ int err = errno;
+ mchunkptr p = mem2chunk(mem);
+ if (chunk_is_mmapped (p))
+ {
+ /* See if the dynamic brk/mmap threshold needs adjusting.
+ Dumped fake mmapped chunks do not affect the threshold. */
+ if (!mp_.no_dyn_threshold
+ && chunksize_nomask (p) > mp_.mmap_threshold
+ && chunksize_nomask (p) <= DEFAULT_MMAP_THRESHOLD_MAX)
+ {
+ mp_.mmap_threshold = chunksize (p);
+ mp_.trim_threshold = 2 * mp_.mmap_threshold;
+ LIBC_PROBE (memory_mallopt_free_dyn_thresholds, 2,
+ mp_.mmap_threshold, mp_.trim_threshold);
+ }
+ munmap_chunk (p);
+ }
+ else
+ {
+ mstate ar_ptr = arena_for_chunk (p);
+ _int_free (ar_ptr, p, 0);
+ }
+ __set_errno (err);
+}
+
 static void
 tcache_thread_shutdown (void)
 {
@@ -3230,11 +3259,11 @@ tcache_thread_shutdown (void)
 malloc_printerr ("tcache_thread_shutdown(): "
 "unaligned tcache chunk detected");
 tcache_tmp->entries[i] = REVEAL_PTR (e->next);
- __libc_free (e);
+ tcache_libc_free (e);
 }
 }
 
- __libc_free (tcache_tmp);
+ tcache_libc_free (tcache_tmp);
 }
 
 static void
-- cgit v1.2.3-70-g09d2
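Review bot: The comment on `tcache_libc_free` says only that it is a cut-down `__libc_free`, without naming what is left out or what callers must guarantee, and that is the part a later maintainer of this hardening-sensitive path needs. From the lines shown, `mem` goes straight into `mem2chunk(mem)` with no NULL test, so the helper relies on `tcache_thread_shutdown` handing it only non-NULL entries and a non-NULL `tcache_tmp`; that function's loop condition and early exits are outside the hunk, so this should be confirmed. I would expand the comment to something like `/* Cut down __libc_free for tcache cleanup: MEM must be non-NULL and be a tcache entry or the tcache itself; the double free detection of __libc_free is deliberately not applied.  */`. The mmap-threshold branch also looks like a copy of the one in `__libc_free` (not visible here), so a short note that the two must be kept in sync would help, and `mem2chunk(mem)` is missing the space before the parenthesis that every other call in the hunk has.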