public inbox for glibc-bugs@sourceware.org
* [Bug malloc/27468] New: aarch64: realloc crash with heap tagging: FAIL: malloc/tst-malloc-thread-fail
From: nsz at gcc dot gnu.org @ 2021-02-25 15:12 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27468
Bug ID: 27468
Summary: aarch64: realloc crash with heap tagging: FAIL:
malloc/tst-malloc-thread-fail
Product: glibc
Version: 2.33
Status: NEW
Severity: normal
Priority: P2
Component: malloc
Assignee: unassigned at sourceware dot org
Reporter: nsz at gcc dot gnu.org
Target Milestone: ---

on aarch64 with MTE I sometimes see

FAIL: malloc/tst-malloc-thread-fail

when heap tagging is enabled (GLIBC_TUNABLES=glibc.mem.tagging=3)

it seems to be caused by a rare code path in realloc that calls
_int_free without clearing the tags on the user allocation.

p->fd should be untagged, but it has the user tag in

Thread 2 "a.out" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xfffff7e19150 (LWP 14605)]
0x0000fffff7e90ba0 in _int_free (av=<optimized out>, p=0xfffff0037020,
have_lock=0) at malloc.c:4508
4508 p->fd = PROTECT_PTR (&p->fd, old);
(gdb) bt
#0 0x0000fffff7e90ba0 in _int_free (av=<optimized out>, p=0xfffff0037020,
have_lock=0) at malloc.c:4508
#1 0x0000fffff7e94fc4 [PAC] in __GI___libc_realloc (
oldmem=0x100fffff0037030, bytes=144) at malloc.c:3450
#2 0x0000000000400edc [PAC] in allocate () at b.c:45
#3 allocate_thread (closure=<optimized out>) at b.c:62
#4 0x0000fffff7f9edcc [PAC] in start_thread (arg=0xfffffffffa9f)
at pthread_create.c:473
#5 0x0000fffff7eecb9c [PAC] in thread_start ()
at ../sysdeps/unix/sysv/linux/aarch64/clone.S:77
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug malloc/27468] aarch64: realloc crash with heap tagging: FAIL: malloc/tst-malloc-thread-fail
From: nsz at gcc dot gnu.org @ 2021-02-25 15:58 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27468
Szabolcs Nagy <nsz at gcc dot gnu.org> changed:
           What    |Removed                          |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org |nsz at gcc dot gnu.org
* [Bug malloc/27468] aarch64: realloc crash with heap tagging: FAIL: malloc/tst-malloc-thread-fail
From: cvs-commit at gcc dot gnu.org @ 2021-03-26 11:18 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27468
--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Szabolcs Nagy <nsz@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42cc96066b22ba065db11096c78881a55e45def4

commit 42cc96066b22ba065db11096c78881a55e45def4
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Thu Feb 25 14:49:58 2021 +0000

    malloc: Fix a realloc crash with heap tagging [BZ 27468]

    _int_free must be called with a chunk that has its tag reset. This was
    missing in a rare case that could crash when heap tagging is enabled:
    when in a multi-threaded process the current arena runs out of memory
    during realloc, but another arena still has space to finish the realloc
    then _int_free was called without clearing the user allocation tags.

    Fixes bug 27468.

    Reviewed-by: DJ Delorie <dj@redhat.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
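
The failure described in the report and commit message above, as a toy C model added here (not glibc code and not part of the thread): memory carries a per-granule allocation tag, and a store faults when the pointer's tag differs from it. All names (`toy_int_free`, `toy_realloc_fallback`, `checked_store`) are hypothetical; the 16-byte header offset mirrors `p=0xfffff0037020` and `oldmem=0x100fffff0037030` in the backtrace.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRANULE  16   /* MTE tags memory in 16-byte granules */
#define NGRAN    8
#define TAGSHIFT 56   /* logical tag lives in pointer bits 56..59 */

static uint64_t heap[NGRAN * GRANULE / 8];  /* simulated heap */
static uint8_t  mem_tag[NGRAN];             /* allocation tag per granule */

/* A "pointer" in this model is a heap offset with a tag in the top byte. */
static uint64_t with_tag(uint64_t off, unsigned tag) {
    return (off & 0xffffffffu) | ((uint64_t)(tag & 0xf) << TAGSHIFT);
}
/* Checked store: 0 on success, -1 where hardware would raise a tag-check fault. */
static int checked_store(uint64_t p, uint64_t v) {
    size_t off = (size_t)(p & 0xffffffffu);
    if (((p >> TAGSHIFT) & 0xf) != mem_tag[off / GRANULE]) return -1;
    heap[off / 8] = v;
    return 0;
}
static void set_tags(size_t off, size_t len, unsigned tag) {
    for (size_t g = off / GRANULE; g < (off + len + GRANULE - 1) / GRANULE; g++)
        mem_tag[g] = (uint8_t)tag;
}
/* Stand-in for _int_free: writes p->fd through the untagged chunk pointer.
   With a 16-byte chunk header, fd is the first word of the user area. */
static int toy_int_free(size_t chunk_off) {
    return checked_store(with_tag(chunk_off + 16, 0), 0);
}
/* Stand-in for the realloc path that frees the old chunk after the data
   moved to another arena; reset_tags = 0 models the bug, 1 the fix. */
int toy_realloc_fallback(int reset_tags) {
    size_t chunk = 32, user = chunk + 16, usable = 48;
    set_tags(0, sizeof heap, 0);
    set_tags(user, usable, 1);                  /* user tag 1, as in oldmem */
    if (checked_store(with_tag(user, 1), 42)) return -2; /* tagged access works */
    if (reset_tags) set_tags(user, usable, 0);  /* the step that was missing */
    return toy_int_free(chunk);
}

int main(void) {
    printf("no reset: %d, reset: %d\n",
           toy_realloc_fallback(0), toy_realloc_fallback(1));
    return 0;
}
```
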
* [Bug malloc/27468] aarch64: realloc crash with heap tagging: FAIL: malloc/tst-malloc-thread-fail
From: cvs-commit at gcc dot gnu.org @ 2021-03-29 8:46 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27468
--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.33/master branch has been updated by Szabolcs Nagy
<nsz@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=98bb18f52a7c576e6068f4b42dea5b24fa6fd81e

commit 98bb18f52a7c576e6068f4b42dea5b24fa6fd81e
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Thu Feb 25 14:49:58 2021 +0000

    malloc: Fix a realloc crash with heap tagging [BZ 27468]

    _int_free must be called with a chunk that has its tag reset. This was
    missing in a rare case that could crash when heap tagging is enabled:
    when in a multi-threaded process the current arena runs out of memory
    during realloc, but another arena still has space to finish the realloc
    then _int_free was called without clearing the user allocation tags.

    Fixes bug 27468.

    Reviewed-by: DJ Delorie <dj@redhat.com>

    (cherry picked from commit 42cc96066b22ba065db11096c78881a55e45def4)
* [Bug malloc/27468] aarch64: realloc crash with heap tagging: FAIL: malloc/tst-malloc-thread-fail
From: nsz at gcc dot gnu.org @ 2021-03-29 8:53 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27468
Szabolcs Nagy <nsz at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
               Host|                            |aarch64
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
   Target Milestone|---                         |2.34

--- Comment #3 from Szabolcs Nagy <nsz at gcc dot gnu.org> ---
fixed for 2.34
Thread overview: 5+ messages
2021-02-25 15:12 [Bug malloc/27468] New: aarch64: realloc crash with heap tagging: FAIL: malloc/tst-malloc-thread-fail nsz at gcc dot gnu.org
2021-02-25 15:58 ` [Bug malloc/27468] " nsz at gcc dot gnu.org
2021-03-26 11:18 ` cvs-commit at gcc dot gnu.org
2021-03-29 8:46 ` cvs-commit at gcc dot gnu.org
2021-03-29 8:53 ` nsz at gcc dot gnu.org