diff options
| author | Jason Evans <jasone@canonware.com> | 2014-10-05 20:05:10 (GMT) |
|---|---|---|
| committer | Jason Evans <jasone@canonware.com> | 2014-10-05 20:05:10 (GMT) |
| commit | f11a6776c78a09059f8418b718c996a065b33fca (patch) | |
| tree | 1064c4396690034cafa5368480dbc1214a61397d /src | |
| parent | e9a3fa2e091a48df272e6a7d5d3e92b1a12c489b (diff) | |
| download | jemalloc-f11a6776c78a09059f8418b718c996a065b33fca.zip jemalloc-f11a6776c78a09059f8418b718c996a065b33fca.tar.gz jemalloc-f11a6776c78a09059f8418b718c996a065b33fca.tar.bz2 | |
Fix OOM-related regression in arena_tcache_fill_small().
Fix an OOM-related regression in arena_tcache_fill_small() that caused
cache corruption that would almost certainly expose the application to
undefined behavior, usually in the form of an allocation request
returning an already-allocated region, or somewhat less likely, a freed
region that had already been returned to the arena, thus making it
available to the arena for any purpose.
This regression was introduced by
9c43c13a35220c10d97a886616899189daceb359 (Reverse tcache fill order.),
and was present in all releases from 2.2.0 through 3.6.0.
This resolves #98.
Diffstat (limited to 'src')
| -rw-r--r-- | src/arena.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/arena.c b/src/arena.c index 79fea72..c223946 100644 --- a/src/arena.c +++ b/src/arena.c @@ -1330,8 +1330,19 @@ arena_tcache_fill_small(arena_t *arena, tcache_bin_t *tbin, size_t binind, ptr = arena_run_reg_alloc(run, &arena_bin_info[binind]); else ptr = arena_bin_malloc_hard(arena, bin); - if (ptr == NULL) + if (ptr == NULL) { + /* + * OOM. tbin->avail isn't yet filled down to its first + * element, so the successful allocations (if any) must + * be moved to the base of tbin->avail before bailing + * out. + */ + if (i > 0) { + memmove(tbin->avail, &tbin->avail[nfill - i], + i * sizeof(void *)); + } break; + } if (config_fill && unlikely(opt_junk)) { arena_alloc_junk_small(ptr, &arena_bin_info[binind], true); |