This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



[PATCH] malloc: Don't call tsd_setspecific before tsd_key_create


From: Roland Dreier <roland@purestorage.com>

Commit 2c9effe0e1e6 ("malloc: initial numa support") added a call from
ptmalloc_init() to "tsd_setspecific(arena_key, ..." (via
_int_new_arena()) before "tsd_key_create(&arena_key, ...". This leads to
corruption of someone else's thread-local storage.

Fix this by moving the tsd_key_create() calls earlier.

Found while trying to run gcc AddressSanitizer.

JIRA: PURE-43504
https://codereviews.purestorage.com/r/23907/
Reviewed-by: Joern
---
 tpc/malloc2.13/arena.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/tpc/malloc2.13/arena.h b/tpc/malloc2.13/arena.h
index fdb029e89669..e53076d213b2 100644
--- a/tpc/malloc2.13/arena.h
+++ b/tpc/malloc2.13/arena.h
@@ -272,6 +272,10 @@ static void ptmalloc_init(void)
 	main_arena.local_next = &main_arena;
 	main_arena.numa_node = -1;
 
+	mutex_init(&list_lock);
+	tsd_key_create(&cache_key, tcache_destroy);
+	tsd_key_create(&arena_key, NULL);
+
 	/* numa_node_count() can recurse into malloc().  Use main_arena
 	   for all numa nodes and set init_tid to allow recursion. */
 	for (i = 0; i < MAX_NUMA_NODES; i++) {
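Review bot: the three calls added ahead of the NUMA loop carry an ordering requirement that the code itself does not state; the comment just below them covers only numa_node_count() recursing into malloc(). Suggest a short comment above mutex_init(&list_lock) saying that arena_key and cache_key must exist before the loop because, per the commit message, _int_new_arena() calls tsd_setspecific(arena_key, ...), so that the block is not moved back later. Since cache_key is now also live while numa_node_count() may recurse into malloc(), it is worth confirming that the recursion path behaves correctly with the key already created.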
@@ -285,9 +289,6 @@ static void ptmalloc_init(void)
 		(void)mutex_unlock(&numa_arena[i]->mutex);
 	}
 
-	mutex_init(&list_lock);
-	tsd_key_create(&cache_key, tcache_destroy);
-	tsd_key_create(&arena_key, NULL);
 	tsd_setspecific(arena_key, (Void_t *) & main_arena);
 	thread_atfork(ptmalloc_lock_all, ptmalloc_unlock_all, ptmalloc_unlock_all2);
 
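Review bot: after the removal, tsd_setspecific(arena_key, (Void_t *) & main_arena) is left as the last write to arena_key, following the loop in which, per the commit message, _int_new_arena() has already set it. A one-line comment stating that this call intentionally binds the initializing thread to main_arena would make the remaining line's purpose clear now that it is separated from the key creation.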
-- 
2.7.0.rc3

