From 57767b80329ceade67302aed4fd9760ed5f3d644 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Mon, 22 Dec 2014 21:40:55 +0100 Subject: [PATCH] BUG/MEDIUM: memory: fix freeing logic in pool_gc2() There's a long-standing bug in pool_gc2(). It tries to protect the pool against releasing of too many entries but the formula is wrong as it compares allocated to minavail instead of (allocated-used) to minavail. Under memory contention, it ends up releasing more than what is granted by minavail and causes trouble to the dynamic buffer allocator. This bug is in fact major by itself, but since minavail has never been used till now, there is no impact at least in mainline. A backport to 1.5 is desired anyway in case any future backport or out-of-tree patch relies on this. --- src/memory.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/memory.c b/src/memory.c index 1e62259cbc..fcd7679314 100644 --- a/src/memory.c +++ b/src/memory.c @@ -142,8 +142,7 @@ void pool_gc2() //qfprintf(stderr, "Flushing pool %s\n", entry->name); next = entry->free_list; while (next && - entry->allocated > entry->minavail && - entry->allocated > entry->used) { + (int)(entry->allocated - entry->used) > (int)entry->minavail) { temp = next; next = *(void **)temp; entry->allocated--;
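Review bot: the replacement `while` condition depends on the `(int)` casts to keep the comparison signed, but the hunk no longer states the `allocated > used` invariant explicitly, and the field types are not visible here; if `minavail` is an unsigned field, a value at or above `INT_MAX` would turn `(int)entry->minavail` negative, make `0 > minavail` true, and let the loop keep releasing entries (decrementing `allocated` below `used`) until `free_list` runs out. Suggest either keeping the explicit guard, e.g. `entry->allocated > entry->used && entry->allocated - entry->used > entry->minavail`, which needs no casts, or adding a one-line comment above the loop saying why the casts are safe (that `allocated >= used` always holds and `minavail` stays small), so the next reader does not have to rediscover this.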