[Bug malloc/15073] New: Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[Bug malloc/15073] New: Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[jpieper at jaybridge dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

             Bug #: 15073
           Summary: Race condition using ATOMIC_FASTBINS in _int_free
                    causes crash or heap corruption
           Product: glibc
           Version: 2.15
            Status: NEW
          Severity: normal
          Priority: P2
         Component: malloc
        AssignedTo: unassigned@sourceware.org
        ReportedBy: jpieper@jaybridge.com
    Classification: Unclassified


Created attachment 6833
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6833
Reproduction recipe

I reported the following bug in ubuntu's libc about 6 months ago where the
ATOMIC_FASTBINS feature can crash or cause heap corruption.

https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1020210

I'm pasting the content of that problem here and will attach the reproduction
recipe.  Unfortunately, the reproduction recipe is only reliable with the exact
version of eglibc in ubuntu, given enough time to build an arbitrary version, I
should be able to create one that works with any version.

----

We have an application which makes heavy allocation and de-allocation demands
from multiple threads. We run this application continuously on many servers,
and once every several CPU months or years, we were getting a crash in
_int_free that did not look like vanilla heap corruption. I believe I have
narrowed it down to a race condition in _int_free due to the ATOMIC_FASTBINS
feature. Basically, in the lockless FASTBIN _int_free path, a chunk is pulled
into a local variable with the intent to add it to the fastbins list. However,
the heap consolidation/trim code can race with this, and can coalesce the
entire block and/or give it back to the OS before _int_free has a chance to try
and store it into the fastbins list.

The problem is very challenging to reproduce in situ, but using gdb I have a
recipe which demonstrates the crash 100% of the time on my 12.04 x64 system
running eglibc 2.15. It relies on malloc_trim, although in our in situ data,
the consolidation is triggered as a result of a normal free. malloc_trim is
just easier to control.

While I am not a glibc developer, I could not see any easy ways to fix the
situation shy of disabling ATOMIC_FASTBINS.

I am attaching the reproduction source. Other pertinent information follows:

> jpieper@calculon:~/downloads$ lsb_release -rd
> Description:	Ubuntu 12.04 LTS
> Release:	12.04

> jpieper@calculon:~/downloads$ apt-cache policy libc6
> libc6:
> Installed: 2.15-0ubuntu10
> Candidate: 2.15-0ubuntu10
> Version table:
> *** 2.15-0ubuntu10 0
> 500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
> 100 /var/lib/dpkg/status

What I expect: I expect the attached application, when run using the gdb script
in the comments, to complete with no failures.
What happened: A SIGSEGV after the final continue.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[ngallaher+sources at deepthought dot org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

Nate Gallaher <ngallaher+sources at deepthought dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ngallaher+sources at
                   |                            |deepthought dot org

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[siddhesh at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

Siddhesh Poyarekar <siddhesh at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |siddhesh at redhat dot com

--- Comment #1 from Siddhesh Poyarekar <siddhesh at redhat dot com> 2013-04-16 14:30:41 UTC ---
I can't reproduce this on Fedora 17 x86_64 (glibc-2.15 + patches).  Can you
reproduce this with vanilla glibc?  Also, can you reproduce this with newer
versions of eglibc.  glibc-2.15 had ATOMIC_FASTBINS removed, i.e. made into an
implicit option, so there's no way to disable it.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[sources at fatlxception dot no-ip.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

Brad Martin <sources at fatlxception dot no-ip.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sources at fatlxception dot
                   |                            |no-ip.org

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[siddhesh at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

Siddhesh Poyarekar <siddhesh at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[nate+sourceware at jaybridge dot com]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="UTF-8", Size: 4057 bytes --]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

Nate Gallaher <nate+sourceware at jaybridge dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nate+sourceware at jaybridge dot c
                   |                            |om

--- Comment #2 from Nate Gallaher <nate+sourceware at jaybridge dot com> ---
I was able to reproduce this bug on Fedora 19, x86_64.

Reproduction required a slight modification of the recipe: the breakpoint in
malloc.c needs to happen at line 3865.  This line will continue to change as
new versions of the library are released.

Required packages: glibc-debuginfo boost-devel boost-thread gcc-c++

[testuser@localhost ~]$ yum info glibc
Loaded plugins: auto-update-debuginfo, langpacks, refresh-packagekit
Installed Packages
Name        : glibc
Arch        : x86_64
Version     : 2.17
Release     : 18.fc19

[testuser@localhost ~]$ cat /etc/redhat-release 
Fedora release 19 (Schrödinger’s Cat)

[testuser@localhost ~]$ cat gdb_script 
break main
r
set scheduler-locking on
break 54
break 59
break 60
c
break malloc.c:3865
c
thread 2
c
c
thread 1
c
[testuser@localhost ~]$

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-19926-listarch-glibc-bugs=sources.redhat.com@sourceware.org Tue Oct 22 21:11:59 2013
Return-Path: <glibc-bugs-return-19926-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 30473 invoked by alias); 22 Oct 2013 21:11:59 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 30421 invoked by uid 48); 22 Oct 2013 21:11:56 -0000
From: "nate+sourceware at jaybridge dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption
Date: Tue, 22 Oct 2013 21:11:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: malloc
X-Bugzilla-Version: 2.15
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: nate+sourceware at jaybridge dot com
X-Bugzilla-Status: WAITING
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: attachments.isobsolete attachments.created
Message-ID: <bug-15073-131-gKMC7ccwkr@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-15073-131@http.sourceware.org/bugzilla/>
References: <bug-15073-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2013-10/txt/msg00285.txt.bz2
Content-length: 637

https://sourceware.org/bugzilla/show_bug.cgi?id\x15073

Nate Gallaher <nate+sourceware at jaybridge dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #6833|0                           |1
        is obsolete|                            |

--- Comment #4 from Nate Gallaher <nate+sourceware at jaybridge dot com> ---
Created attachment 7250
  --> https://sourceware.org/bugzilla/attachment.cgi?idr50&actioníit
Trusty Tahr Reproduction Recipe

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[nate+sourceware at jaybridge dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #3 from Nate Gallaher <nate+sourceware at jaybridge dot com> ---
I can reproduce this on the Ubuntu Trusty Tahr amd64 daily snapshot:
(d6856805ca67b41eac70213736c198eb *trusty-desktop-amd64.iso)

This confirms the bug's existence up through eglibc 2.17-93ubuntu4. I have
attached an updated recipe for this target.

testuser@trusty:~$ apt-cache policy libc6
libc6:
  Installed: 2.17-93ubuntu4
  Candidate: 2.17-93ubuntu4

testuser@trusty:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Trusty Tahr (development branch)
Release: 14.04
Codename: trusty

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[carlos at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com

--- Comment #5 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to Nate Gallaher from comment #4)
> Created attachment 7250 [details]
> Trusty Tahr Reproduction Recipe

On glibc master the test does not produce a SIGSEGV and can be continued and
exits normally.

It would really help if you could describe in detail what you think is the race
condition between malloc_trim and the fastbin implementation?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[neleai at seznam dot cz]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

Ondrej Bilka <neleai at seznam dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW
                 CC|                            |neleai at seznam dot cz

--- Comment #6 from Ondrej Bilka <neleai at seznam dot cz> ---
Carlos, this is faster to debug on paper than trying debug optimized program.

For minimal example what is wrong I could trigger assert for unoptimized
version of malloc. In optimized version you need go to assembly to see where
gcc scheduled loads.

Idea is simple, while we free one chunk then a chunk on top of fastbin could be
in other thread allocated, resized and then returned back into top of fastbin
to trigger assertion or seqfault when trim unmaps corresponding page.

A program is following,

#include <stdlib.h>
#include <pthread.h>

void * freea (void *p)
{  
  free (p); // 1
}

int main ()
{
  pthread_t x;
  char *u, *v;
  u = malloc (16);
  pthread_create (&x, NULL, freea, u);

  v = malloc (16); 
  free (v); // 2

  malloc_trim (0);
  v = malloc (512); // 3
  free (v);

  malloc_trim (0);
  v = malloc (16);  
  free (v); // 4
}

First step into free 1 until you get to this fragment.

Here run free 2 so v gets into top of fastbin.

    unsigned int idx = fastbin_index(size); // 32 >> 4 = 2
    fb = &fastbin (av, idx);

    mchunkptr fd;
    mchunkptr old = *fb; // v
    unsigned int old_idx = ~0u;
    do
      {
        /* Another simple check: make sure the top of the bin is not the
           record we are going to add (i.e., double free).  */
        if (__builtin_expect (old == p, 0))
          {
            errstr = "double free or corruption (fasttop)";
            goto errout;
          }

Now here run step 3 where v is chunk of size 528 


        if (old != NULL)
          old_idx = fastbin_index(chunksize(old)); // 528 >> 4 = 33
        p->fd = fd = old;

And continue by step 4 which returns v into top of fastbin. which is same state
as at 2.

      }
    while ((old = catomic_compare_and_exchange_val_rel (fb, p, fd)) != fd);

And as 33 != 2 we cause an error.

    if (fd != NULL && __builtin_expect (old_idx != idx, 0))
      {
        errstr = "invalid fastbin entry (free)";
        goto errout;
      }

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[maxim.kuvyrkov at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |maxim.kuvyrkov at gmail dot com

--- Comment #7 from Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> ---
[For the benefit of Carlos and other developers]

There are two patches for this bug posted to libc-alpha@, one from Ondrej and
one from myself.

The attached Trusty Tahr reproduction testcase has line numbers for GDB
breakpoints wrong, and one has to correct them to get the failure.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[maxim.kuvyrkov at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #7250|0                           |1
        is obsolete|                            |

--- Comment #8 from Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> ---
Created attachment 7331
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7331&action=edit
Trusty reproduction testcase

Fixed trusty testcase.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  abc26e998f74750850cc02f9c249ee794cbdd8e8 (commit)
       via  362b47fe09ca9a928d444c7e2f7992f7f61bfc3e (commit)
      from  b9bcbbcbe7afa94442d335811d4a1c1e0c0a1daf (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=abc26e998f74750850cc02f9c249ee794cbdd8e8

commit abc26e998f74750850cc02f9c249ee794cbdd8e8
Author: Maxim Kuvyrkov <maxim@kugelworks.com>
Date:   Tue Dec 24 09:55:03 2013 +1300

    Restore accidentally deleted bug-fix entries in NEWS.

        * NEWS: Restore accidentally deleted bug-fix entries.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=362b47fe09ca9a928d444c7e2f7992f7f61bfc3e

commit 362b47fe09ca9a928d444c7e2f7992f7f61bfc3e
Author: Maxim Kuvyrkov <maxim@kugelworks.com>
Date:   Tue Dec 24 09:44:50 2013 +1300

    Fix race in free() of fastbin chunk: BZ #15073

    Perform sanity check only if we have_lock.  Due to lockless nature of
fastbins
    we need to be careful derefencing pointers to fastbin entries
(chunksize(old)
    in this case) in multithreaded environments.

    The fix is to add have_lock to the if-condition checks.  The rest of the
patch
    only makes code more readable.

        * malloc/malloc.c (_int_free): Perform sanity check only if we
        have_lock.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |   11 +++++++++++
 NEWS            |   23 ++++++++++++-----------
 malloc/malloc.c |   20 ++++++++++++--------
 3 files changed, 35 insertions(+), 19 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[maxim.kuvyrkov at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #10 from Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> ---
Fixed by the above commit.

Real credit goes to Josh Pieper, whose carefully prepared testcase made it
possible to investigate and fix the bug.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[maxim.kuvyrkov at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #11 from Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> ---
Fixed on trunk only.  I've pinged release managers to merge the fix to 2.15
onwards.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #12 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, 2.15 has been created
        at  9875bb22212391e39d9d2c29b4b5d5e9e1f83beb (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9875bb22212391e39d9d2c29b4b5d5e9e1f83beb

commit 9875bb22212391e39d9d2c29b4b5d5e9e1f83beb
Author: Maxim Kuvyrkov <maxim@kugelworks.com>
Date:   Tue Dec 24 09:44:50 2013 +1300

    Fix race in free() of fastbin chunk: BZ #15073

    Perform sanity check only if we have_lock.  Due to lockless nature of
fastbins
    we need to be careful derefencing pointers to fastbin entries
(chunksize(old)
    in this case) in multithreaded environments.

    The fix is to add have_lock to the if-condition checks.  The rest of the
patch
    only makes code more readable.

        * malloc/malloc.c (_int_free): Perform sanity check only if we
        have_lock.

    Conflicts:

        ChangeLog
        NEWS

-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #13 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, 2.15 has been deleted
       was  9875bb22212391e39d9d2c29b4b5d5e9e1f83beb

- Log -----------------------------------------------------------------
9875bb22212391e39d9d2c29b4b5d5e9e1f83beb Fix race in free() of fastbin chunk:
BZ #15073
-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #14 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.15/master has been updated
       via  9875bb22212391e39d9d2c29b4b5d5e9e1f83beb (commit)
      from  53fa2b6063a484e19a6c48c4efff00a6491c0f4e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9875bb22212391e39d9d2c29b4b5d5e9e1f83beb

commit 9875bb22212391e39d9d2c29b4b5d5e9e1f83beb
Author: Maxim Kuvyrkov <maxim@kugelworks.com>
Date:   Tue Dec 24 09:44:50 2013 +1300

    Fix race in free() of fastbin chunk: BZ #15073

    Perform sanity check only if we have_lock.  Due to lockless nature of
fastbins
    we need to be careful derefencing pointers to fastbin entries
(chunksize(old)
    in this case) in multithreaded environments.

    The fix is to add have_lock to the if-condition checks.  The rest of the
patch
    only makes code more readable.

        * malloc/malloc.c (_int_free): Perform sanity check only if we
        have_lock.

    Conflicts:

        ChangeLog
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    7 +++++++
 NEWS            |    2 +-
 malloc/malloc.c |   20 ++++++++++++--------
 3 files changed, 20 insertions(+), 9 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[maxim.kuvyrkov at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #15 from Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> ---
Fixed in 2.15.1

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[maxim.kuvyrkov at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #17 from Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> ---
Fixed in 2.16.1

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #16 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.16/master has been updated
       via  c972bcc9ebdb5c2601b6b34001c7450e7a0b5ea3 (commit)
      from  02eff8c4f82241c0843d47cb58c4355eb4f5d9e9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c972bcc9ebdb5c2601b6b34001c7450e7a0b5ea3

commit c972bcc9ebdb5c2601b6b34001c7450e7a0b5ea3
Author: Maxim Kuvyrkov <maxim@kugelworks.com>
Date:   Tue Dec 24 09:44:50 2013 +1300

    Fix race in free() of fastbin chunk: BZ #15073

    Perform sanity check only if we have_lock.  Due to lockless nature of
fastbins
    we need to be careful derefencing pointers to fastbin entries
(chunksize(old)
    in this case) in multithreaded environments.

    The fix is to add have_lock to the if-condition checks.  The rest of the
patch
    only makes code more readable.

        * malloc/malloc.c (_int_free): Perform sanity check only if we
        have_lock.

    Conflicts:

        ChangeLog
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    7 +++++++
 NEWS            |    2 +-
 malloc/malloc.c |   20 ++++++++++++--------
 3 files changed, 20 insertions(+), 9 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #18 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.17/master has been updated
       via  3db0119ef56decc402827d5b84774fa4487f6cd4 (commit)
      from  15256e58adc62d8d62c03b2b3ba526b468758702 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3db0119ef56decc402827d5b84774fa4487f6cd4

commit 3db0119ef56decc402827d5b84774fa4487f6cd4
Author: Maxim Kuvyrkov <maxim@kugelworks.com>
Date:   Tue Dec 24 09:44:50 2013 +1300

    Fix race in free() of fastbin chunk: BZ #15073

    Perform sanity check only if we have_lock.  Due to lockless nature of
fastbins
    we need to be careful derefencing pointers to fastbin entries
(chunksize(old)
    in this case) in multithreaded environments.

    The fix is to add have_lock to the if-condition checks.  The rest of the
patch
    only makes code more readable.

        * malloc/malloc.c (_int_free): Perform sanity check only if we
        have_lock.

    Conflicts:

        ChangeLog
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    7 +++++++
 NEWS            |    2 +-
 malloc/malloc.c |   20 ++++++++++++--------
 3 files changed, 20 insertions(+), 9 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #20 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.18/master has been updated
       via  8b43a2274a593ce91e673db1cfac6e808134bc84 (commit)
      from  ca0dd6386ed2b5c5c6ca392547628a1228432ae0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8b43a2274a593ce91e673db1cfac6e808134bc84

commit 8b43a2274a593ce91e673db1cfac6e808134bc84
Author: Maxim Kuvyrkov <maxim@kugelworks.com>
Date:   Tue Dec 24 09:44:50 2013 +1300

    Fix race in free() of fastbin chunk: BZ #15073

    Perform sanity check only if we have_lock.  Due to lockless nature of
fastbins
    we need to be careful derefencing pointers to fastbin entries
(chunksize(old)
    in this case) in multithreaded environments.

    The fix is to add have_lock to the if-condition checks.  The rest of the
patch
    only makes code more readable.

        * malloc/malloc.c (_int_free): Perform sanity check only if we
        have_lock.

    Conflicts:

        ChangeLog
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    7 +++++++
 NEWS            |    2 +-
 malloc/malloc.c |   20 ++++++++++++--------
 3 files changed, 20 insertions(+), 9 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[maxim.kuvyrkov at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

--- Comment #19 from Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> ---
Fixed in 2.17.1.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[maxim.kuvyrkov at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #21 from Maxim Kuvyrkov <maxim.kuvyrkov at gmail dot com> ---
Fixed on 2.18.1.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug malloc/15073] Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15073

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+

-- 
You are receiving this mail because:
You are on the CC list for the bug.