From patchwork Tue Nov  3 11:35:44 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 9521
Received: (qmail 67734 invoked by alias); 3 Nov 2015 11:35:48 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 67719 invoked by uid 89); 3 Nov 2015 11:35:48 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=AWL, BAYES_00,
	SPF_HELO_PASS, T_RP_MATCHES_RCVD autolearn=ham version=3.3.2
X-HELO: mx1.redhat.com
To: GNU C Library <libc-alpha@sourceware.org>
From: Florian Weimer <fweimer@redhat.com>
Subject: [PATCH] malloc: Fix ptmalloc_lock_all/_int_new_arena deadlock [BZ
	#19182]
Message-ID: <56389C10.6060001@redhat.com>
Date: Tue, 3 Nov 2015 12:35:44 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
	Thunderbird/38.3.0
MIME-Version: 1.0

This is just a minimal change.  The fork handler lock acquisition has to
go away anyway if we make fork async-signal-safe (bug 4737).

2015-11-03  Florian Weimer  <fweimer@redhat.com>

	[BZ #19182]
	* malloc/arena.c (_int_new_arena): Do not acquire arena lock while
	list_lock is acquired.

diff --git a/malloc/arena.c b/malloc/arena.c
index 0f00afa..161902c 100644
--- a/malloc/arena.c
+++ b/malloc/arena.c
@@ -785,25 +785,26 @@ _int_new_arena (size_t size)
   set_head (top (a), (((char *) h + h->size) - ptr) | PREV_INUSE);
 
   LIBC_PROBE (memory_arena_new, 2, a, size);
   mstate replaced_arena = thread_arena;
   thread_arena = a;
   mutex_init (&a->mutex);
-  (void) mutex_lock (&a->mutex);
 
   (void) mutex_lock (&list_lock);
 
   detach_arena (replaced_arena);
 
   /* Add the new arena to the global list.  */
   a->next = main_arena.next;
   atomic_write_barrier ();
   main_arena.next = a;
 
   (void) mutex_unlock (&list_lock);
 
+  (void) mutex_lock (&a->mutex);
+
   return a;
 }
 
 
 static mstate
 get_free_list (void)