authorJi-Hwan Lee <jihwan@google.com>2011-12-15 03:53:24 +0900
committerJi-Hwan Lee <jihwan@google.com>2011-12-15 04:37:22 +0900
commitc4cd5301d4978dda5266194625ef4fd7f9d3dde4 (patch)
treeda3299dbecd92265eefdcfc43faf3223a0130323 /libs/binder/MemoryDealer.cpp
parentb3351102456b2cf626691616fef3a308c8c761aa (diff)
Fix invalid madvise() during concurrent alloc/dealloc of MemoryDealer
Currently, madvise(MADV_REMOVE) is called after deallocation. Another thread might allocate (and even write) the same region between deallocation and madvise(), in which case the new thread will fail to read what it has written. So, call deallocate() after madvise(MADV_REMOVE). Bug: 5654596 Change-Id: I26f36cd6013de499090768a0ddc68206a4a68219
Diffstat (limited to 'libs/binder/MemoryDealer.cpp')
-rw-r--r--libs/binder/MemoryDealer.cpp6
1 files changed, 5 insertions, 1 deletions
diff --git a/libs/binder/MemoryDealer.cpp b/libs/binder/MemoryDealer.cpp
index 18669f7..fc3e31e 100644
--- a/libs/binder/MemoryDealer.cpp
+++ b/libs/binder/MemoryDealer.cpp
@@ -180,7 +180,6 @@ Allocation::~Allocation()
/* NOTE: it's VERY important to not free allocations of size 0 because
* they're special as they don't have any record in the allocator
* and could alias some real allocation (their offset is zero). */
- mDealer->deallocate(freedOffset);
// keep the size to unmap in excess
size_t pagesize = getpagesize();
@@ -216,6 +215,11 @@ Allocation::~Allocation()
}
#endif
}
+
+ // This should be done after madvise(MADV_REMOVE), otherwise madvise()
+ // might kick out the memory region that's allocated and/or written
+ // right after the deallocation.
+ mDealer->deallocate(freedOffset);
}
}
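Review bot: The new comment above `mDealer->deallocate(freedOffset)` explains the ordering by what madvise() might do, but not the invariant that makes it safe: until deallocate() returns the offset to the dealer no other thread can be handed this range, so the MADV_REMOVE issued in the context above cannot discard pages a concurrent owner has just written. Spelling that out also makes it clear the call must stay the last statement of the block, which a later early return on a madvise() error would otherwise silently break. Suggested wording: `// Must stay last: the offset is still owned by this Allocation until deallocate() runs, so no other thread can be handed the range while madvise(MADV_REMOVE) above discards its pages.` The NOTE at the top of the first hunk about size-0 allocations now sits far from the deallocate() call it justifies; a cross-reference such as `// see the size-0 NOTE at the top of this block` keeps them together. Allocation::~Allocation() starts outside the hunk, so the guard that NOTE refers to is not visible here.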