Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c4cd5301 authored by Ji-Hwan Lee's avatar Ji-Hwan Lee
Browse files

Fix invalid madvise() during concurrent alloc/dealloc of MemoryDealer 

Currently, madvise(MADV_REMOVE) is called after deallocation.
Another thread might allocate (and even write) the same region between
deallocation and madvise(), in which case the new thread will fail to read
what it have written.  So, call deallocate() after madvise(MADV_REMOVE).

Bug: 5654596
Change-Id: I26f36cd6013de499090768a0ddc68206a4a68219
parent b3351102

libs/binder/MemoryDealer.cpp

+5 −1
Original line number Diff line number Diff line
@@ -180,7 +180,6 @@ Allocation::~Allocation() 
        /* NOTE: it's VERY important to not free allocations of size 0 because

         * they're special as they don't have any record in the allocator

         * and could alias some real allocation (their offset is zero). */

        mDealer->deallocate(freedOffset);



        // keep the size to unmap in excess

        size_t pagesize = getpagesize();
@@ -216,6 +215,11 @@ Allocation::~Allocation() 
            }

#endif

        }



        // This should be done after madvise(MADV_REMOVE), otherwise madvise()

        // might kick out the memory region that's allocated and/or written

        // right after the deallocation.

        mDealer->deallocate(freedOffset);

    }

}