From 8835cf3bed1888fc0110b0c59dbf2ce1288a7a8c Mon Sep 17 00:00:00 2001
From: Jason Evans <jasone@canonware.com>
Date: Fri, 3 Jun 2016 19:25:13 -0700
Subject: Fix locking order reversal in arena_reset().

---
 src/arena.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/arena.c b/src/arena.c
index 32e1915..7dcf12d 100644
--- a/src/arena.c
+++ b/src/arena.c
@@ -917,20 +917,28 @@ arena_reset(tsd_t *tsd, arena_t *arena)
 
 	/* Bins. */
 	for (i = 0; i < NBINS; i++) {
-		extent_t *slab, *next;
+		extent_t *slab;
 		arena_bin_t *bin = &arena->bins[i];
 		malloc_mutex_lock(tsd_tsdn(tsd), &bin->lock);
 		if (bin->slabcur != NULL) {
-			arena_slab_dalloc(tsd_tsdn(tsd), arena, bin->slabcur);
+			slab = bin->slabcur;
 			bin->slabcur = NULL;
+			malloc_mutex_unlock(tsd_tsdn(tsd), &bin->lock);
+			arena_slab_dalloc(tsd_tsdn(tsd), arena, slab);
+			malloc_mutex_lock(tsd_tsdn(tsd), &bin->lock);
 		}
 		while ((slab = extent_heap_remove_first(&bin->slabs_nonfull)) !=
-		    NULL)
+		    NULL) {
+			malloc_mutex_unlock(tsd_tsdn(tsd), &bin->lock);
 			arena_slab_dalloc(tsd_tsdn(tsd), arena, slab);
+			malloc_mutex_lock(tsd_tsdn(tsd), &bin->lock);
+		}
 		for (slab = qr_next(&bin->slabs_full, qr_link); slab !=
-		    &bin->slabs_full; slab = next) {
-			next = qr_next(slab, qr_link);
+		    &bin->slabs_full; slab = qr_next(&bin->slabs_full,
+		    qr_link)) {
+			malloc_mutex_unlock(tsd_tsdn(tsd), &bin->lock);
 			arena_slab_dalloc(tsd_tsdn(tsd), arena, slab);
+			malloc_mutex_lock(tsd_tsdn(tsd), &bin->lock);
 		}
 		if (config_stats) {
 			bin->stats.curregs = 0;
-- 
cgit v0.12