Fix invalid madvise() during concurrent alloc/dealloc of MemoryDealer
Currently, madvise(MADV_REMOVE) is called after deallocation.
Another thread might allocate (and even write) the same region between
deallocation and madvise(), in which case the new thread will fail to read
what it have written. So, call deallocate() after madvise(MADV_REMOVE).
Bug: 5654596
Change-Id: I26f36cd6013de499090768a0ddc68206a4a68219
diff --git a/libs/binder/MemoryDealer.cpp b/libs/binder/MemoryDealer.cpp
index 18669f7..fc3e31e 100644
--- a/libs/binder/MemoryDealer.cpp
+++ b/libs/binder/MemoryDealer.cpp
@@ -180,7 +180,6 @@
/* NOTE: it's VERY important to not free allocations of size 0 because
* they're special as they don't have any record in the allocator
* and could alias some real allocation (their offset is zero). */
- mDealer->deallocate(freedOffset);
// keep the size to unmap in excess
size_t pagesize = getpagesize();
@@ -216,6 +215,11 @@
}
#endif
}
+
+ // This should be done after madvise(MADV_REMOVE), otherwise madvise()
+ // might kick out the memory region that's allocated and/or written
+ // right after the deallocation.
+ mDealer->deallocate(freedOffset);
}
}