[PATCH] malloc: return ZERO_SIZE_PTR for 0-byte allocations

Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> · Thu, 13 Mar 2025 09:56:58 +0100

Linux kmalloc doesn't return NULL on 0-byte allocations, but returns a
fixed ZERO_PSIZE_PTR constant, which triggers a NULL page exception when
dereferenced.

However, in barebox, allocator behavior differs:

 - glibc returns an unique pointer, but the standard also allows
   libc implementations to return NULL
 - tlsf returns NULL
 - dlmalloc returns a unique pointer
 - dummy malloc returns a unique pointer

Let's unify this discrepancy by doing something completely else and
returning a non-NULL non-unique pointer constant like Linux does.

The benefit of that is:

  - NULL return value always means out-of-memory
  - Accessing a zero sized allocation triggers a NULL page exception

This was noticed during porting of 9p2000 file system from Linux, which
does variable sized allocations and can end up allocating 0 bytes, but
expects that the allocation does not return NULL.

Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
---
 arch/sandbox/os/libc_malloc.c | 25 ++++++++++++++++++++++++-
 common/calloc.c               |  2 +-
 common/dlmalloc.c             | 16 +++++++++-------
 common/dummy_malloc.c         |  3 +++
 common/tlsf.c                 | 15 ++++++++++-----
 common/tlsf_malloc.c          |  9 ---------
 include/malloc.h              | 13 +++++++++++++
 test/self/malloc.c            |  3 ++-
 8 files changed, 62 insertions(+), 24 deletions(-)

diff --git a/arch/sandbox/os/libc_malloc.c b/arch/sandbox/os/libc_malloc.c
index dd0f8670ff71..bb4fb1c9ead4 100644
--- a/arch/sandbox/os/libc_malloc.c
+++ b/arch/sandbox/os/libc_malloc.c
@@ -6,6 +6,10 @@
 #include <stdlib.h>
 #include <malloc.h>
 
+#define ZERO_SIZE_PTR ((void *)16)
+
+#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
+				(unsigned long)ZERO_SIZE_PTR)
 #define BAREBOX_ENOMEM 12
 #define BAREBOX_MALLOC_MAX_SIZE 0x40000000
 
@@ -19,6 +23,9 @@ void *barebox_memalign(size_t alignment, size_t bytes)
 {
 	void *mem = NULL;
 
+	if (!bytes)
+		return ZERO_SIZE_PTR;
+
 	if (alignment <= BAREBOX_MALLOC_MAX_SIZE && bytes <= BAREBOX_MALLOC_MAX_SIZE)
 		mem = memalign(alignment, bytes);
 	if (!mem)
@@ -29,9 +36,11 @@ void *barebox_memalign(size_t alignment, size_t bytes)
 
 void *barebox_malloc(size_t size)
 {
-
 	void *mem = NULL;
 
+	if (!size)
+		return ZERO_SIZE_PTR;
+
 	if (size <= BAREBOX_MALLOC_MAX_SIZE)
 		mem = malloc(size);
 	if (!mem)
@@ -42,11 +51,15 @@ void *barebox_malloc(size_t size)
 
 size_t barebox_malloc_usable_size(void *mem)
 {
+	if (ZERO_OR_NULL_PTR(mem))
+		return 0;
 	return malloc_usable_size(mem);
 }
 
 void barebox_free(void *ptr)
 {
+	if (ZERO_OR_NULL_PTR(ptr))
+		return;
 	free(ptr);
 }
 
@@ -54,6 +67,13 @@ void *barebox_realloc(void *ptr, size_t size)
 {
 	void *mem = NULL;
 
+	if (!size) {
+		barebox_free(ptr);
+		return ZERO_SIZE_PTR;
+	}
+	if (ZERO_OR_NULL_PTR(ptr))
+		ptr = NULL;
+
 	if (size <= BAREBOX_MALLOC_MAX_SIZE)
 		mem = realloc(ptr, size);
 	if (!mem)
@@ -67,6 +87,9 @@ void *barebox_calloc(size_t n, size_t elem_size)
 	size_t product;
 	void *mem = NULL;
 
+	if (!n || !elem_size)
+		return ZERO_SIZE_PTR;
+
 	if (!__builtin_mul_overflow(n, elem_size, &product) &&
 	    product <= BAREBOX_MALLOC_MAX_SIZE)
 		mem = calloc(n, elem_size);
diff --git a/common/calloc.c b/common/calloc.c
index 17cbd9beefee..ee9322509751 100644
--- a/common/calloc.c
+++ b/common/calloc.c
@@ -13,7 +13,7 @@ void *calloc(size_t n, size_t elem_size)
 	size_t size = size_mul(elem_size, n);
 	void *r = malloc(size);
 
-	if (r && !want_init_on_alloc())
+	if (!ZERO_OR_NULL_PTR(r) && !want_init_on_alloc())
 		memset(r, 0x0, size);
 
 	return r;
diff --git a/common/dlmalloc.c b/common/dlmalloc.c
index 2b5723e127c4..c8e05ac68f2a 100644
--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
@@ -389,7 +389,7 @@
   returns a unique pointer for malloc(0), so does realloc(p, 0).
 */
 
-/*   #define REALLOC_ZERO_BYTES_FREES */
+#define REALLOC_ZERO_BYTES_FREES
 
 /*
   Define HAVE_MMAP to optionally make malloc() use mmap() to
@@ -1165,6 +1165,8 @@ void *dlmalloc(size_t bytes)
 	if (bytes > MALLOC_MAX_SIZE) {
 		errno = ENOMEM;
 		return NULL;
+	} else if (bytes == 0) {
+		return ZERO_SIZE_PTR;
 	}
 
 	nb = request2size(bytes); /* padded request size; */
@@ -1363,7 +1365,7 @@ void dlfree(void *mem)
 	mchunkptr fwd;		/* misc temp for linking */
 	int islr;		/* track whether merging with last_remainder */
 
-	if (!mem)		/* free(0) has no effect */
+	if (ZERO_OR_NULL_PTR(mem))		/* free(0) has no effect */
 		return;
 
 	p = mem2chunk(mem);
@@ -1431,7 +1433,7 @@ size_t dlmalloc_usable_size(void *mem)
 {
 	mchunkptr p;
 
-	if (!mem)
+	if (ZERO_OR_NULL_PTR(mem))
 		return 0;
 
 	p = mem2chunk(mem);
@@ -1495,7 +1497,7 @@ void *dlrealloc(void *oldmem, size_t bytes)
 #ifdef REALLOC_ZERO_BYTES_FREES
 	if (bytes == 0) {
 		dlfree(oldmem);
-		return NULL;
+		return ZERO_SIZE_PTR;
 	}
 #endif
 
@@ -1505,7 +1507,7 @@ void *dlrealloc(void *oldmem, size_t bytes)
 	}
 
 	/* realloc of null is supposed to be same as malloc */
-	if (!oldmem)
+	if (ZERO_OR_NULL_PTR(oldmem))
 		return dlmalloc(bytes);
 
 	newp = oldp = mem2chunk(oldmem);
@@ -1760,8 +1762,8 @@ void *dlcalloc(size_t n, size_t elem_size)
 
 	mem = dlmalloc(sz);
 
-	if (!mem)
-		return NULL;
+	if (ZERO_OR_NULL_PTR(mem))
+		return mem;
 	else {
 		p = mem2chunk(mem);
 
diff --git a/common/dummy_malloc.c b/common/dummy_malloc.c
index 4973f35650ab..956a54da0396 100644
--- a/common/dummy_malloc.c
+++ b/common/dummy_malloc.c
@@ -13,6 +13,9 @@ void *memalign(size_t alignment, size_t bytes)
 {
 	void *mem = NULL;
 
+	if (!bytes)
+		return ZERO_SIZE_PTR;
+
 	if (alignment <= MALLOC_MAX_SIZE && bytes <= MALLOC_MAX_SIZE)
 		mem = sbrk(bytes + alignment);
 	if (!mem) {
diff --git a/common/tlsf.c b/common/tlsf.c
index 146f1b7ebe81..5504453a9453 100644
--- a/common/tlsf.c
+++ b/common/tlsf.c
@@ -743,7 +743,7 @@ void tlsf_walk_pool(pool_t pool, tlsf_walker walker, void* user)
 size_t tlsf_block_size(void* ptr)
 {
 	size_t size = 0;
-	if (ptr)
+	if (likely(!ZERO_OR_NULL_PTR(ptr)))
 	{
 		const block_header_t* block = block_from_ptr(ptr);
 		size = block_size(block);
@@ -935,6 +935,8 @@ void* tlsf_malloc(tlsf_t tlsf, size_t size)
 	const size_t adjust = adjust_request_size(size, ALIGN_SIZE);
 	block_header_t* block;
 
+	if (!size)
+		return ZERO_SIZE_PTR;
 	if (!adjust)
 		return NULL;
 
@@ -961,12 +963,14 @@ void* tlsf_memalign(tlsf_t tlsf, size_t align, size_t size)
 
 	/*
 	** If alignment is less than or equals base alignment, we're done.
-	** If we requested 0 bytes, return null, as tlsf_malloc(0) does.
+	** If we requested 0 bytes, return ZERO_SIZE_PTR, as tlsf_malloc(0) does.
 	*/
 	const size_t aligned_size = (adjust && align > ALIGN_SIZE) ? size_with_gap : adjust;
 
 	block_header_t* block;
 
+	if (!size)
+		return ZERO_SIZE_PTR;
 	if (!adjust || !size_with_gap)
 		return NULL;
 
@@ -1008,7 +1012,7 @@ void* tlsf_memalign(tlsf_t tlsf, size_t align, size_t size)
 void tlsf_free(tlsf_t tlsf, void* ptr)
 {
 	/* Don't attempt to free a NULL pointer. */
-	if (ptr)
+	if (!ZERO_OR_NULL_PTR(ptr))
 	{
 		control_t* control = tlsf_cast(control_t*, tlsf);
 		block_header_t* block = block_from_ptr(ptr);
@@ -1042,12 +1046,13 @@ void* tlsf_realloc(tlsf_t tlsf, void* ptr, size_t size)
 	void* p = 0;
 
 	/* Zero-size requests are treated as free. */
-	if (ptr && size == 0)
+	if (size == 0)
 	{
 		tlsf_free(tlsf, ptr);
+		return ZERO_SIZE_PTR;
 	}
 	/* Requests with NULL pointers are treated as malloc. */
-	else if (!ptr)
+	else if (ZERO_OR_NULL_PTR(ptr))
 	{
 		p = tlsf_malloc(tlsf, size);
 	}
diff --git a/common/tlsf_malloc.c b/common/tlsf_malloc.c
index 1b9d9c7702c2..6a90ee47199f 100644
--- a/common/tlsf_malloc.c
+++ b/common/tlsf_malloc.c
@@ -17,12 +17,6 @@ extern tlsf_t tlsf_mem_pool;
 void *malloc(size_t bytes)
 {
 	void *mem;
-	/*
-	 * tlsf_malloc returns NULL for zero bytes, we instead want
-	 * to have a valid pointer.
-	 */
-	if (!bytes)
-		bytes = 1;
 
 	mem = tlsf_malloc(tlsf_mem_pool, bytes);
 	if (!mem)
@@ -40,9 +34,6 @@ EXPORT_SYMBOL(free);
 
 size_t malloc_usable_size(void *mem)
 {
-	if (!mem)
-		return 0;
-
 	return tlsf_block_size(mem);
 }
 EXPORT_SYMBOL(malloc_usable_size);
diff --git a/include/malloc.h b/include/malloc.h
index c38726342c08..0b74746360c0 100644
--- a/include/malloc.h
+++ b/include/malloc.h
@@ -8,6 +8,19 @@
 #define MALLOC_SHIFT_MAX	30
 #define MALLOC_MAX_SIZE		(1UL << MALLOC_SHIFT_MAX)
 
+/*
+ * ZERO_SIZE_PTR will be returned for zero sized kmalloc requests.
+ *
+ * Dereferencing ZERO_SIZE_PTR will lead to a distinct access fault.
+ *
+ * ZERO_SIZE_PTR can be passed to free though in the same way that NULL can.
+ * Both make free a no-op.
+ */
+#define ZERO_SIZE_PTR ((void *)16)
+
+#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
+				(unsigned long)ZERO_SIZE_PTR)
+
 #if IN_PROPER
 void *malloc(size_t) __alloc_size(1);
 size_t malloc_usable_size(void *);
diff --git a/test/self/malloc.c b/test/self/malloc.c
index 79a32b5d97c7..52f9fc344c1a 100644
--- a/test/self/malloc.c
+++ b/test/self/malloc.c
@@ -122,7 +122,8 @@ static void test_malloc(void)
 	p = expect_alloc_ok(malloc(0));
 	tmp = expect_alloc_ok(malloc(0));
 
-	__expect_cond(p != tmp, true, "allocate distinct 0-size buffers", __func__, __LINE__);
+	__expect_cond(p == tmp, true, "allocate equal 0-size buffers", __func__, __LINE__);
+	__expect_cond(p == ZERO_SIZE_PTR, true, "get ZERO_SIZE_PTR for 0-size buffers", __func__, __LINE__);
 
 	free(p);
 	free(tmp);
-- 
2.39.5








