From 0db6d2782cfabb8ceb10052897e30ac084010894 Mon Sep 17 00:00:00 2001 From: Anatoly Burakov Date: Wed, 2 May 2018 16:38:16 +0100 Subject: [PATCH] malloc: avoid padding elements on page deallocation Currently, when deallocating pages, malloc will fixup other elements' headers if there is not enough space to store a full element in leftover space. This leads to race conditions because there are some functions that check for pad size with an unlocked heap, expecting pad size to be constant. Fix it by being more conservative and only freeing pages when there is enough space before and after the page to store a free element. Fixes: 1403f87d4fb8 ("malloc: enable memory hotplug support") Signed-off-by: Anatoly Burakov --- lib/librte_eal/common/malloc_elem.c | 51 ++--------------------------- lib/librte_eal/common/malloc_elem.h | 2 ++ lib/librte_eal/common/malloc_heap.c | 38 ++++++++++++++++++++- 3 files changed, 41 insertions(+), 50 deletions(-) diff --git a/lib/librte_eal/common/malloc_elem.c b/lib/librte_eal/common/malloc_elem.c index 0a86d347a0..9bfe9b9b4f 100644 --- a/lib/librte_eal/common/malloc_elem.c +++ b/lib/librte_eal/common/malloc_elem.c @@ -22,8 +22,6 @@ #include "malloc_elem.h" #include "malloc_heap.h" -#define MIN_DATA_SIZE (RTE_CACHE_LINE_SIZE) - /* * Initialize a general malloc_elem header structure */ @@ -476,27 +474,6 @@ malloc_elem_hide_region(struct malloc_elem *elem, void *start, size_t len) split_elem(elem, hide_end); malloc_elem_free_list_insert(hide_end); - } else if (len_after >= MALLOC_ELEM_HEADER_LEN) { - /* shrink current element */ - elem->size -= len_after; - memset(hide_end, 0, sizeof(*hide_end)); - - /* copy next element's data to our pad */ - memcpy(hide_end, next, sizeof(*hide_end)); - - /* pad next element */ - next->state = ELEM_PAD; - next->pad = len_after; - next->size -= len_after; - - /* next element busy, would've been merged otherwise */ - hide_end->pad = len_after; - hide_end->size += len_after; - - /* adjust pointers to point to our new pad */ - if (next->next) - next->next->prev = hide_end; - elem->next = hide_end; } else if (len_after > 0) { RTE_LOG(ERR, EAL, "Unaligned element, heap is probably corrupt\n"); return; @@ -515,32 +492,8 @@ malloc_elem_hide_region(struct malloc_elem *elem, void *start, size_t len) malloc_elem_free_list_insert(prev); } else if (len_before > 0) { - /* - * unlike with elements after current, here we don't - * need to pad elements, but rather just increase the - * size of previous element, copy the old header and set - * up trailer. - */ - void *trailer = RTE_PTR_ADD(prev, - prev->size - MALLOC_ELEM_TRAILER_LEN); - - memcpy(hide_start, elem, sizeof(*elem)); - hide_start->size = len; - - prev->size += len_before; - set_trailer(prev); - - /* update pointers */ - prev->next = hide_start; - if (next) - next->prev = hide_start; - - /* erase old trailer */ - memset(trailer, 0, MALLOC_ELEM_TRAILER_LEN); - /* erase old header */ - memset(elem, 0, sizeof(*elem)); - - elem = hide_start; + RTE_LOG(ERR, EAL, "Unaligned element, heap is probably corrupt\n"); + return; } } diff --git a/lib/librte_eal/common/malloc_elem.h b/lib/librte_eal/common/malloc_elem.h index 8f4aef8986..7331af9ca3 100644 --- a/lib/librte_eal/common/malloc_elem.h +++ b/lib/librte_eal/common/malloc_elem.h @@ -9,6 +9,8 @@ #include +#define MIN_DATA_SIZE (RTE_CACHE_LINE_SIZE) + /* dummy definition of struct so we can use pointers to it in malloc_elem struct */ struct malloc_heap; diff --git a/lib/librte_eal/common/malloc_heap.c b/lib/librte_eal/common/malloc_heap.c index 633e306115..d6cf3af812 100644 --- a/lib/librte_eal/common/malloc_heap.c +++ b/lib/librte_eal/common/malloc_heap.c @@ -609,7 +609,7 @@ malloc_heap_free(struct malloc_elem *elem) void *start, *aligned_start, *end, *aligned_end; size_t len, aligned_len, page_sz; struct rte_memseg_list *msl; - unsigned int i, n_segs; + unsigned int i, n_segs, before_space, after_space; int ret; if (!malloc_elem_cookies_ok(elem) || elem->state != ELEM_BUSY) @@ -673,6 +673,42 @@ malloc_heap_free(struct malloc_elem *elem) if (n_segs == 0) goto free_unlock; + /* We're not done yet. We also have to check if by freeing space we will + * be leaving free elements that are too small to store new elements. + * Check if we have enough space in the beginning and at the end, or if + * start/end are exactly page aligned. + */ + before_space = RTE_PTR_DIFF(aligned_start, elem); + after_space = RTE_PTR_DIFF(end, aligned_end); + if (before_space != 0 && + before_space < MALLOC_ELEM_OVERHEAD + MIN_DATA_SIZE) { + /* There is not enough space before start, but we may be able to + * move the start forward by one page. + */ + if (n_segs == 1) + goto free_unlock; + + /* move start */ + aligned_start = RTE_PTR_ADD(aligned_start, page_sz); + aligned_len -= page_sz; + n_segs--; + } + if (after_space != 0 && after_space < + MALLOC_ELEM_OVERHEAD + MIN_DATA_SIZE) { + /* There is not enough space after end, but we may be able to + * move the end backwards by one page. + */ + if (n_segs == 1) + goto free_unlock; + + /* move end */ + aligned_end = RTE_PTR_SUB(aligned_end, page_sz); + aligned_len -= page_sz; + n_segs--; + } + + /* now we can finally free us some pages */ + rte_rwlock_write_lock(&mcfg->memory_hotplug_lock); /* -- 2.20.1