From b2b4b46a5235d83eea6d52b44e8c18be7c65f0d9 Mon Sep 17 00:00:00 2001
From: Dev Jain
Date: Fri, 24 Oct 2025 16:52:21 +0000
Subject: [PATCH] malloc: fix large tcache code to check for exact size match

The tcache is used for allocation only if an exact match is found. In the large tcache code added in commit cbfd7988107b, we currently extract a chunk of size greater than or equal to the size we need, but don't check strict equality. This patch fixes that behaviour.

Reviewed-by: Wilco Dijkstra
---
 malloc/malloc.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 3db0f65f37..1cdeb08437 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3268,7 +3268,8 @@ tcache_get (size_t tc_idx)
 }
 
 static __always_inline tcache_entry **
-tcache_location_large (size_t nb, size_t tc_idx, bool *mangled)
+tcache_location_large (size_t nb, size_t tc_idx,
+                       bool *mangled, tcache_entry **demangled_ptr)
 {
   tcache_entry **tep = &(tcache->entries[tc_idx]);
   tcache_entry *te = *tep;
@@ -3280,6 +3281,7 @@ tcache_location_large (size_t nb, size_t tc_idx, bool *mangled)
       *mangled = true;
     }
 
+  *demangled_ptr = te;
   return tep;
 }
 
@@ -3288,7 +3290,8 @@ tcache_put_large (mchunkptr chunk, size_t tc_idx)
 {
   tcache_entry **entry;
   bool mangled = false;
-  entry = tcache_location_large (chunksize (chunk), tc_idx, &mangled);
+  tcache_entry *te;
+  entry = tcache_location_large (chunksize (chunk), tc_idx, &mangled, &te);
   return tcache_put_n (chunk, tc_idx, entry, mangled);
 }
 
@@ -3298,10 +3301,10 @@ tcache_get_large (size_t tc_idx, size_t nb)
 {
   tcache_entry **entry;
   bool mangled = false;
-  entry = tcache_location_large (nb, tc_idx, &mangled);
+  tcache_entry *te;
+  entry = tcache_location_large (nb, tc_idx, &mangled, &te);
 
-  if ((mangled && REVEAL_PTR (*entry) == NULL)
-      || (!mangled && *entry == NULL))
+  if (te == NULL || nb != chunksize (mem2chunk (te)))
     return NULL;
   return tcache_get_n (tc_idx, entry, mangled);
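Review bot: The new `demangled_ptr` out-parameter on `tcache_location_large` carries no comment stating what it receives, and since the function body continues past this hunk a reader of the signature cannot tell whether it is the raw `*tep` or the revealed entry. The hunk only shows `te` initialised from `*tep`; the part that sets `*mangled` (and presumably demangles `te`) lies between the first and second hunk, so the stored value looks like the already-revealed entry, but that should be confirmed against the full function. I would add above the definition: `/* Return the list slot for NB in large bin TC_IDX and store the demangled entry found at that slot (NULL if none) in *DEMANGLED_PTR, so callers need not apply REVEAL_PTR themselves.  */`.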
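Review bot: The new store `*demangled_ptr = te;` is unconditional, which forces every caller to supply a destination; as a result `tcache_put_large` in the following hunk declares a local `te` that is written and never read, a write-only variable a reviewer will stop on. I would make the out-parameter optional, `if (demangled_ptr != NULL) *demangled_ptr = te;`, and pass `NULL` from `tcache_put_large`, or at least mark the intent there with `tcache_entry *te; /* Not needed here; only tcache_get_large inspects it.  */`. The enclosing function starts outside this hunk.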