From patchwork Thu Oct 19 17:26:03 2017
X-Patchwork-Submitter: Wilco Dijkstra
X-Patchwork-Id: 23698
From: Wilco Dijkstra
To: DJ Delorie
CC: "fweimer@redhat.com", "libc-alpha@sourceware.org", nd
Subject: Re: [PATCH 4/5] Fix deadlock in _int_free consistency check
Date: Thu, 19 Oct 2017 17:26:03 +0000

OK, I've committed
this: Author: Wilco Dijkstra Date: Thu Oct 19 18:19:55 2017 +0100 Fix deadlock in _int_free consistency check This patch fixes a deadlock in the fastbin consistency check. If we fail the fast check due to concurrent modifications to the next chunk or system_mem, we should not lock if we already have the arena lock. Simplify the check to make it obviously correct. * malloc/malloc.c (_int_free): Fix deadlock bug in consistency check. diff --git a/malloc/malloc.c b/malloc/malloc.c index 784f401b02f7d812936c013632478445ce0773b1..f9054dcea039fc1ecb2456c5c63057ede7a57bfa 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4171,17 +4171,20 @@ _int_free (mstate av, mchunkptr p, int have_lock) || __builtin_expect (chunksize (chunk_at_offset (p, size)) >= av->system_mem, 0)) { + bool fail = true; /* We might not have a lock at this point and concurrent modifications - of system_mem might have let to a false positive. Redo the test - after getting the lock. */ - if (!have_lock - || ({ __libc_lock_lock (av->mutex); - chunksize_nomask (chunk_at_offset (p, size)) <= 2 * SIZE_SZ - || chunksize (chunk_at_offset (p, size)) >= av->system_mem; - })) + of system_mem might result in a false positive. Redo the test after + getting the lock. */ + if (!have_lock) + { + __libc_lock_lock (av->mutex); + fail = (chunksize_nomask (chunk_at_offset (p, size)) <= 2 * SIZE_SZ + || chunksize (chunk_at_offset (p, size)) >= av->system_mem); + __libc_lock_unlock (av->mutex); + } + + if (fail) malloc_printerr ("free(): invalid next size (fast)"); - if (! have_lock) - __libc_lock_unlock (av->mutex); } free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);
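
Review bot: In the new `if (!have_lock)` block the retest repeats the outer condition verbatim (`chunksize_nomask (chunk_at_offset (p, size)) <= 2 * SIZE_SZ || chunksize (chunk_at_offset (p, size)) >= av->system_mem`), so the two copies can drift apart in a later edit; a small static inline helper taking `av`, `p` and `size`, used in both places, would keep them identical. The rewritten comment explains only the unlocked case: it should also say why `fail` stays true when `have_lock` is set, namely that the first test was then already made under the arena lock, so its result stands and no retest is needed. The diff touches only malloc/malloc.c; a regression test that reaches this failure path with the arena lock already held would guard against the deadlock coming back.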