Received: (qmail 1368 invoked by alias); 28 Nov 2017 14:10:20 -0000
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Sender: libc-stable-owner@sourceware.org
From: Siddhesh Poyarekar To: libc-stable@sourceware.org Cc: Wilco Dijkstra Subject: [PATCH 06/10] Fix deadlock in _int_free consistency check Date: Sun, 01 Jan 2017 00:00:00 -0000 Message-Id: <1511878186-31499-7-git-send-email-siddhesh@sourceware.org> X-Mailer: git-send-email 2.7.5 In-Reply-To: <1511878186-31499-1-git-send-email-siddhesh@sourceware.org> References: <1511878186-31499-1-git-send-email-siddhesh@sourceware.org> X-SW-Source: 2017-11/txt/msg00033.txt.bz2 From: Wilco Dijkstra This patch fixes a deadlock in the fastbin consistency check. If we fail the fast check due to concurrent modifications to the next chunk or system_mem, we should not lock if we already have the arena lock. Simplify the check to make it obviously correct. * malloc/malloc.c (_int_free): Fix deadlock bug in consistency check. (cherry-pick d74e6f6c0de55fc588b1ac09c88eb0fb8b8600af) --- ChangeLog | 4 ++++ malloc/malloc.c | 21 ++++++++++++--------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index d536c9a..49b720f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2017-10-19 Wilco Dijkstra + + * malloc/malloc.c (_int_free): Fix deadlock bug in consistency check. + 2017-08-31 Florian Weimer * malloc/malloc.c (_int_free): Remove locked variable and related diff --git a/malloc/malloc.c b/malloc/malloc.c index 3608b34..44996e0 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c 
@@ -4148,17 +4148,20 @@ _int_free (mstate av, mchunkptr p, int have_lock) || __builtin_expect (chunksize (chunk_at_offset (p, size)) >= av->system_mem, 0)) { + bool fail = true; /* We might not have a lock at this point and concurrent modifications - of system_mem might have let to a false positive. Redo the test - after getting the lock. */ - if (!have_lock - || ({ __libc_lock_lock (av->mutex); - chunksize_nomask (chunk_at_offset (p, size)) <= 2 * SIZE_SZ - || chunksize (chunk_at_offset (p, size)) >= av->system_mem; - })) + of system_mem might result in a false positive. Redo the test after + getting the lock. */ + if (!have_lock) + { + __libc_lock_lock (av->mutex); + fail = (chunksize_nomask (chunk_at_offset (p, size)) <= 2 * SIZE_SZ + || chunksize (chunk_at_offset (p, size)) >= av->system_mem); + __libc_lock_unlock (av->mutex); + } + + if (fail) malloc_printerr ("free(): invalid next size (fast)"); - if (! have_lock) - __libc_lock_unlock (av->mutex); } free_perturb (chunk2mem(p), size - 2 * SIZE_SZ); -- 2.7.5
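Review bot: the `bool fail = true;` default relies on an unstated invariant, that when `have_lock` is set the test a few lines above already ran under `av->mutex` and so needs no repeat; a short comment next to that line would make this explicit, since the surrounding comment only describes the unlocked case. The replaced condition `if (!have_lock || ({ __libc_lock_lock (av->mutex); ... }))` had its polarity reversed: with no lock held it aborted at once without the recheck the comment promised, and with the lock held it took `av->mutex` a second time, which is the deadlock this hunk removes. Note also that `fail` is read after `__libc_lock_unlock (av->mutex)`; that is fine only because its sole consumer is `malloc_printerr`, and a reader auditing lock scope will want that stated as well.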
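The two lock polarities described in the commit message, reduced to a stand-alone model. This is an added example and not glibc's or Wilco's code: `struct arena`, `arena_lock`, `next_size_bad` and the two `check_*` functions are constructed here to stand in for `mstate`, `__libc_lock_lock` and the fastbin next-size test in `_int_free`. The arena mutex is modelled by a tiny non-recursive lock that returns `EDEADLK` on a second acquisition instead of hanging, so the pre-patch defect can be observed rather than waited for.

```c
/* Added example, not glibc's own code: the lock-polarity bug fixed by this
   patch and the corrected logic, reduced to a stand-alone model.  The arena
   lock is modelled by a tiny non-recursive lock that reports EDEADLK on a
   second acquisition instead of blocking, so the defect can be observed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SIZE_SZ sizeof (size_t)

/* Constructed stand-in for mstate: the lock and the value the check reads. */
struct arena
{
  bool locked;        /* models av->mutex; true while held */
  size_t system_mem;
};

static int
arena_lock (struct arena *av)
{
  if (av->locked)
    return EDEADLK;   /* a real non-recursive mutex would block forever here */
  av->locked = true;
  return 0;
}

static void
arena_unlock (struct arena *av)
{
  av->locked = false;
}

/* The fastbin next-size test from _int_free, on a caller-supplied size. */
static bool
next_size_bad (const struct arena *av, size_t next_size)
{
  return next_size <= 2 * SIZE_SZ || next_size >= av->system_mem;
}

/* Both variants return 0 when the chunk passes, -1 where glibc would call
   malloc_printerr, or a positive errno if taking the lock failed.  */

/* Pre-patch logic: "!have_lock || ({ lock; recheck; })".  With have_lock set
   it re-acquires a lock the caller already holds; without it, it aborts at
   once and never performs the recheck the comment promises. */
int
check_before_fix (struct arena *av, size_t next_size, bool have_lock)
{
  if (!next_size_bad (av, next_size))
    return 0;
  if (!have_lock)
    return -1;
  int rc = arena_lock (av);        /* second lock by the same owner */
  if (rc != 0)
    return rc;
  bool fail = next_size_bad (av, next_size);
  arena_unlock (av);
  return fail ? -1 : 0;
}

/* Post-patch logic: lock only when the caller does not hold the lock; when
   it does, the first test already ran under the lock and stands. */
int
check_after_fix (struct arena *av, size_t next_size, bool have_lock)
{
  if (!next_size_bad (av, next_size))
    return 0;
  bool fail = true;
  if (!have_lock)
    {
      int rc = arena_lock (av);
      if (rc != 0)
        return rc;
      fail = next_size_bad (av, next_size);
      arena_unlock (av);
    }
  return fail ? -1 : 0;
}

/* Drive one variant with the caller already owning the arena lock. */
int
run_locked (int (*check) (struct arena *, size_t, bool), size_t next_size)
{
  struct arena av = { .locked = false, .system_mem = 1 << 20 };
  arena_lock (&av);                /* caller owns the arena, as with have_lock */
  int rc = check (&av, next_size, true);
  arena_unlock (&av);
  return rc;
}

/* Drive one variant with no lock held (the have_lock == 0 path). */
int
run_unlocked (int (*check) (struct arena *, size_t, bool), size_t next_size)
{
  struct arena av = { .locked = false, .system_mem = 1 << 20 };
  return check (&av, next_size, false);
}

int
main (void)
{
  printf ("before fix, lock held, bad size: %d (EDEADLK is %d)\n",
          run_locked (check_before_fix, 0), EDEADLK);
  printf ("after fix,  lock held, bad size: %d\n", run_locked (check_after_fix, 0));
  printf ("after fix,  no lock,   good size: %d\n", run_unlocked (check_after_fix, 64));
  return 0;
}
```

With the lock held and a bogus next size, the pre-patch variant reports `EDEADLK` where real code would hang on the second lock; the post-patch variant reports the failure without touching the lock, and on the unlocked path it takes the lock, re-runs the test and releases it before the result is consumed.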