On Tue, Jun 28, 2016 at 08:19:06AM +0200, Otto Moerbeek wrote:
> On Mon, Jun 27, 2016 at 09:33:40AM -0600, Ted Unangst wrote:
>
> > CVSROOT: /cvs
> > Module name: src
> > Changes by: t...@cvs.openbsd.org 2016/06/27 09:33:40
> >
> > Modified files:
> > lib/libc/stdlib: malloc.c
> >
> > Log message:
> > defer munmap to after unlocking malloc. this can (unfortunately) be an
> > expensive syscall, and we don't want to tie up other threads. there's no
> > need to hold the lock, so defer it to afterwards.
> > from Michael McConville
> > ok deraadt
>
> There's a race condtion here. The assignments to d_unmap_me and
> unmap_me_sz are not atomic. A thread leaving could call munmap(2) on
> partiallly assigned data.
>
> -Otto
Hmmm, maybe not, the assigments and reading are done while holding the
lock. Still, a double munmap could happen I suppose...
-Otto
