From: Dev Jain
Date: Fri, 24 Oct 2025 16:52:21 +0000 (+0000)
Subject: malloc: fix large tcache code to check for exact size match
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2b4b46a5235d83eea6d52b44e8c18be7c65f0d9;p=thirdparty%2Fglibc.git

malloc: fix large tcache code to check for exact size match

The tcache is used for allocation only if an exact match is found. In the large tcache code added in commit cbfd7988107b, we currently extract a chunk of size greater than or equal to the size we need, but don't check strict equality. This patch fixes that behaviour.

Reviewed-by: Wilco Dijkstra
---

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 3db0f65f37..1cdeb08437 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3268,7 +3268,8 @@ tcache_get (size_t tc_idx)
 }
 
 static __always_inline tcache_entry **
-tcache_location_large (size_t nb, size_t tc_idx, bool *mangled)
+tcache_location_large (size_t nb, size_t tc_idx,
+                       bool *mangled, tcache_entry **demangled_ptr)
 {
   tcache_entry **tep = &(tcache->entries[tc_idx]);
   tcache_entry *te = *tep;
@@ -3280,6 +3281,7 @@ tcache_location_large (size_t nb, size_t tc_idx, bool *mangled)
       *mangled = true;
     }
 
+  *demangled_ptr = te;
   return tep;
 }
 
@@ -3288,7 +3290,8 @@ tcache_put_large (mchunkptr chunk, size_t tc_idx)
 {
   tcache_entry **entry;
   bool mangled = false;
-  entry = tcache_location_large (chunksize (chunk), tc_idx, &mangled);
+  tcache_entry *te;
+  entry = tcache_location_large (chunksize (chunk), tc_idx, &mangled, &te);
 
   return tcache_put_n (chunk, tc_idx, entry, mangled);
 }
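Review bot: The new `demangled_ptr` out-parameter is undocumented, and the hunk shows that no comment precedes tcache_location_large (only the closing brace of tcache_get and a blank line come before the signature). Its name and the `tcache_entry *te = *tep;` initialisation suggest it receives the plain, unprotected pointer to the entry at the returned location, or NULL when the walk runs off the end of the bin, but that contract can only be inferred from the callers. A comment above the signature such as `/* Return the location in bin TC_IDX at which a chunk of size NB belongs.  *MANGLED is set if that location holds a protected pointer; *DEMANGLED_PTR receives the entry found there, or NULL.  */` would let callers rely on it without reading the loop. The loop body itself lies outside this hunk.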
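Review bot: The `te` added to tcache_put_large is written through the new out-parameter but never read, which leaves a reader to work out that the discard is deliberate. Either let tcache_location_large tolerate a NULL sink (`if (demangled_ptr != NULL) *demangled_ptr = te;`) and pass `NULL` from here, or keep the variable and say why it is unused, e.g. `tcache_entry *te;  /* Only the insertion point matters on put.  */`. Since the helper is __always_inline the extra store is not a cost concern; this is about making the contract visible at the call site.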
@@ -3298,10 +3301,10 @@ tcache_get_large (size_t tc_idx, size_t nb)
 {
   tcache_entry **entry;
   bool mangled = false;
-  entry = tcache_location_large (nb, tc_idx, &mangled);
+  tcache_entry *te;
+  entry = tcache_location_large (nb, tc_idx, &mangled, &te);
 
-  if ((mangled && REVEAL_PTR (*entry) == NULL)
-      || (!mangled && *entry == NULL))
+  if (te == NULL || nb != chunksize (mem2chunk (te)))
     return NULL;
 
   return tcache_get_n (tc_idx, entry, mangled);
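Review bot: The reason for the strict `nb != chunksize (mem2chunk (te))` test is not stated in the code; the commit message explains that the walk stops at the first chunk of size greater than or equal to nb and that the tcache may only serve an exact match, but nothing in tcache_get_large says so. A comment on the new condition, e.g. `/* The walk stops at the first chunk >= nb; a larger chunk must stay in the bin, so only an exact size match is returned.  */`, would keep the next maintainer from "simplifying" it back to a NULL-only check. The condition also silently depends on `te` being the demangled form of `*entry` (what the removed REVEAL_PTR expression computed when `mangled` was set), and it is now the only NULL guard before tcache_get_n, so that dependency is worth naming in the same comment. The closing brace of tcache_get_large is outside this hunk.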