From c17d9b75b636e2db164ec4213252b06cfb474924 Mon Sep 17 00:00:00 2001
From: Ji-Hwan Lee
Date: Thu, 15 Dec 2011 03:53:24 +0900
Subject: Fix invalid madvise() during concurrent alloc/dealloc of MemoryDealer

Currently, madvise(MADV_REMOVE) is called after deallocation. Another thread might allocate (and even write) the same region between deallocation and madvise(), in which case the new thread will fail to read what it have written. So, call deallocate() after madvise(MADV_REMOVE).

Bug: 5654596
Change-Id: I26f36cd6013de499090768a0ddc68206a4a68219
---
 libs/binder/MemoryDealer.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'libs')

diff --git a/libs/binder/MemoryDealer.cpp b/libs/binder/MemoryDealer.cpp
index 18669f7..fc3e31e 100644
--- a/libs/binder/MemoryDealer.cpp
+++ b/libs/binder/MemoryDealer.cpp
@@ -180,7 +180,6 @@ Allocation::~Allocation()
         /* NOTE: it's VERY important to not free allocations of size 0 because
          * they're special as they don't have any record in the allocator
          * and could alias some real allocation (their offset is zero). */
-        mDealer->deallocate(freedOffset);
 
         // keep the size to unmap in excess
         size_t pagesize = getpagesize();
@@ -216,6 +215,11 @@ Allocation::~Allocation()
             }
 #endif
         }
+
+        // This should be done after madvise(MADV_REMOVE), otherwise madvise()
+        // might kick out the memory region that's allocated and/or written
+        // right after the deallocation.
+        mDealer->deallocate(freedOffset);
     }
 }
--
cgit v1.1
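Review bot: The NOTE comment kept at the top of the first hunk ("it's VERY important to not free allocations of size 0 ...") explains the `deallocate()` call, but after this change that call sits at the end of the second hunk, separated from its justification by the whole madvise block; move the NOTE down next to the new `mDealer->deallocate(freedOffset);` or add a one-line pointer there. The new comment's "kick out the memory region" is also vaguer than the race it describes; I would word it as `// Release the block to the allocator only after madvise(MADV_REMOVE) has completed: once deallocate() returns, another thread may reuse this offset, and a late MADV_REMOVE would discard data it has already written there.` This ordering closes the window only if deallocate() is the sole path that publishes the offset for reuse, which cannot be confirmed from these hunks; ~Allocation() and the surrounding `if` guard start before the first hunk and the madvise call itself is outside the second.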