Fix invalid madvise() during concurrent alloc/dealloc of MemoryDealer

Currently, madvise(MADV_REMOVE) is called after deallocation.
Another thread might allocate (and even write) the same region between
deallocation and madvise(), in which case the new thread will fail to read
what it has written.  So, call deallocate() after madvise(MADV_REMOVE).

Bug: 5654596
Change-Id: I26f36cd6013de499090768a0ddc68206a4a68219
Ji-Hwan Lee 2011-12-15 03:53:24 +09:00
parent b335110245
commit c4cd5301d4

@ -180,7 +180,6 @@ Allocation::~Allocation()
/* NOTE: it's VERY important to not free allocations of size 0 because
* they're special as they don't have any record in the allocator
* and could alias some real allocation (their offset is zero). */
mDealer->deallocate(freedOffset);
// keep the size to unmap in excess
size_t pagesize = getpagesize();
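Review bot: The NOTE about not freeing size-0 allocations is left behind at this spot while the `mDealer->deallocate(freedOffset);` call it explains is dropped from here (the hunk shrinks from 7 lines to 6) and reappears at the end of the destructor. After this change the comment sits directly above `size_t pagesize = getpagesize();`, so a reader no longer sees which statement it guards. Move the NOTE down with the call, or reword it here so it clearly refers to the surrounding size check rather than to the next line.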
@ -216,6 +215,11 @@ Allocation::~Allocation()
}
#endif
}
// This should be done after madvise(MADV_REMOVE), otherwise madvise()
// might kick out the memory region that's allocated and/or written
// right after the deallocation.
mDealer->deallocate(freedOffset);
}
}
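Review bot: The new comment above `mDealer->deallocate(freedOffset);` states the ordering but not the invariant behind it, which is that the offset must stay reserved in the allocator until the pages have been released, so that no other thread can be handed the region while madvise() can still discard its contents. Say that explicitly, since nothing else in these lines enforces it and a later cleanup could move the call back up. Placing the call after the `#endif` is right, because it then runs whether or not the madvise path is compiled in. Please also confirm that the call is still inside the block covered by the size-0 NOTE from the earlier hunk; the closing braces that follow suggest it is, but the guard itself is outside the visible context.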