arena_tcache_fill_small can corrupt the tcache
valtteri at rahkonen.fi
Thu Nov 14 02:20:02 PST 2013
On Wed, 13 Nov 2013, Jason Evans wrote:
> On Nov 12, 2013, at 11:34 PM, valtteri at rahkonen.fi wrote:
>> It seems that there is a thread cache memory in case memory has run
>> out or the process hits the memory limit. Basically the
>> arena_tcache_fill_small will start to fill the thread cache from the
>> end and if memory allocation fails before all cache entries have been
>> filled the earlier thread cache entries will contain old pointers given
>> already to the program. Now when new allocations are made the memory is
>> given twice causing memory corruption. Also the new memory allocated
>> and placed after tbin->ncached index is leaked.
>>
>> There is a really simple fix for this, i.e. start to fill the tcache from
>> the beginning. The attached patch fixes this problem that way, i.e. a
>> one-liner fix for the issue. I'm not totally sure if you want to use that
>> because this breaks the low-regions-first ordering that was in the
>> original implementation, but on the other hand this first gives out the
>> memory that was allocated from existing arenas, so this approach might be
>> better in that sense.
>
> Yikes. As you guessed, I want to fix this by memmove()ing the valid pointers on failure rather than by reversing the insertion order. If you have time to modify your patch, great; otherwise I'll make sure to integrate a fix prior to the next release.
>
> Thanks,
> Jason
Hi Jason,
Sure, changed the patch to move the filled cache to the beginning of the
thread cache.
Best regards,
Valtteri
--
Valtteri Rahkonen
valtteri at rahkonen.fi
http://www.rahkonen.fi
+358 40 5077041
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jemalloc2.diff
Type: text/x-diff
Size: 423 bytes
Desc:
URL: <http://jemalloc.net/mailman/jemalloc-discuss/attachments/20131114/c37df18b/attachment.diff>
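The following C model is an added illustration for this thread; it is not the attached patch and not jemalloc's own code. It reproduces the failure mode described above with a simplified tcache bin: the fill loop inserts from the end of `avail[]` (so low regions get used first), the pop path takes `avail[ncached-1]` as `tcache_alloc_easy()` does, and when the arena runs out part way through a fill the untouched low slots still hold pointers that were already handed to the program. The `fixed` flag applies the memmove()-on-failure approach Jason prefers. The types `toy_arena_t`, `tcache_bin_t` and the functions `fill_small()` and `simulate()` are constructed for the example; the region count and the budget of three successful allocations are arbitrary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NCACHED_MAX 8

/* Simplified model of a jemalloc tcache bin (constructed for this example).
 * Valid entries live in avail[0..ncached-1]; allocation pops avail[ncached-1]. */
typedef struct {
    unsigned ncached;
    void *avail[NCACHED_MAX];
} tcache_bin_t;

/* Toy arena: a fixed pool of regions that reports OOM once `budget` is spent. */
typedef struct {
    unsigned char regions[NCACHED_MAX * 2][16];
    unsigned next;     /* index of the next never-used region */
    unsigned budget;   /* allocations still permitted before returning NULL */
} toy_arena_t;

static void *toy_arena_alloc(toy_arena_t *arena) {
    if (arena->budget == 0 || arena->next >= NCACHED_MAX * 2)
        return NULL;
    arena->budget--;
    return arena->regions[arena->next++];
}

/* Mirrors tcache_alloc_easy(): hand out the top of the cache. */
static void *tcache_pop(tcache_bin_t *tbin) {
    if (tbin->ncached == 0)
        return NULL;
    tbin->ncached--;
    return tbin->avail[tbin->ncached];
}

/* Fill loop modelled on arena_tcache_fill_small(): insert from the end so
 * that low regions get used first. With `fixed` false, a partial fill leaves
 * ncached == i while the i valid pointers sit at avail[nfill-i..nfill-1],
 * so subsequent pops return whatever stale pointers remain in avail[0..i-1]. */
static void fill_small(toy_arena_t *arena, tcache_bin_t *tbin, unsigned nfill, bool fixed) {
    unsigned i;
    for (i = 0; i < nfill; i++) {
        void *ptr = toy_arena_alloc(arena);
        if (ptr == NULL) {
            if (fixed && i > 0) {
                /* Slide the i successful allocations down to avail[0..i-1]
                 * so that ncached == i describes exactly the valid entries. */
                memmove(tbin->avail, &tbin->avail[nfill - i], i * sizeof(void *));
            }
            break;
        }
        tbin->avail[nfill - 1 - i] = ptr;
    }
    tbin->ncached = i;
}

typedef struct {
    unsigned duplicates;  /* pointers popped after the refill that the program already held */
    unsigned leaked;      /* fresh regions the refill obtained but never made reachable */
} fill_result_t;

/* Scenario: fill the bin completely, hand every region to the "program", then
 * refill under memory pressure (only three more regions available) and check
 * what the cache hands out afterwards. */
static fill_result_t simulate(bool fixed) {
    toy_arena_t arena = {0};
    tcache_bin_t tbin = {0};
    void *held[NCACHED_MAX];
    unsigned nheld = 0, seen_new = 0, i;
    fill_result_t r = {0, 0};

    arena.budget = NCACHED_MAX;
    fill_small(&arena, &tbin, NCACHED_MAX, fixed);
    while (tbin.ncached > 0)
        held[nheld++] = tcache_pop(&tbin);      /* program now owns 8 regions */

    unsigned first_new = arena.next;            /* anything from here on is fresh */
    arena.budget = 3;                           /* OOM after three regions */
    fill_small(&arena, &tbin, NCACHED_MAX, fixed);

    while (tbin.ncached > 0) {
        void *p = tcache_pop(&tbin);
        bool dup = false;
        for (i = 0; i < nheld; i++)
            if (held[i] == p) dup = true;
        if (dup) r.duplicates++; else seen_new++;
    }
    r.leaked = (arena.next - first_new) - seen_new;
    return r;
}

int main(void) {
    fill_result_t buggy = simulate(false), ok = simulate(true);
    printf("fill-from-end only: %u double hand-outs, %u leaked regions\n",
           buggy.duplicates, buggy.leaked);
    printf("with memmove fix:   %u double hand-outs, %u leaked regions\n",
           ok.duplicates, ok.leaked);
    return 0;
}
```

With the original ordering the three pops after the failed refill all return regions the program already owns, and the three regions the arena did hand over are unreachable; with the memmove the cache returns exactly the three fresh regions and nothing is leaked, while the low-regions-first order of a full fill is preserved.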