This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch, master, updated. glibc-2.10-157-gbec466d
- From: drepper at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 16 Jul 2009 16:55:42 -0000
- Subject: GNU C Library master sources branch, master, updated. glibc-2.10-157-gbec466d
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via bec466d922ee22b94ac0d00415fb605e136efe6e (commit)
from bea0ac1d8703091294fe5822d982591c849b5458 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sources.redhat.com/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bec466d922ee22b94ac0d00415fb605e136efe6e
commit bec466d922ee22b94ac0d00415fb605e136efe6e
Author: Ulrich Drepper <drepper@redhat.com>
Date: Thu Jul 16 09:54:34 2009 -0700
Fix race in corruption check.
With atomic fastbins the checks performed can race with concurrent
modifications of the arena. If we detect a problem re-do the test
after getting the lock.
diff --git a/ChangeLog b/ChangeLog
index 1e9df42..6ddf9a1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2009-07-16 Ulrich Drepper <drepper@redhat.com>
+ Jakub Jelinek <jakub@redhat.com>
+
+ * malloc/malloc.c [ATOMIC_FASTBINS] (_int_free): Make check for
+ corruption thread-safe.
+
2009-07-13 Jakub Jelinek <jakub@redhat.com>
* include/atomic.h (catomic_compare_and_exchange_val_rel): If arch
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 0c0182e..a459a2b 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4799,8 +4799,29 @@ _int_free(mstate av, mchunkptr p)
|| __builtin_expect (chunksize (chunk_at_offset (p, size))
>= av->system_mem, 0))
{
- errstr = "free(): invalid next size (fast)";
- goto errout;
+#ifdef ATOMIC_FASTBINS
+ /* We might not have a lock at this point and concurrent modifications
+ of system_mem might have let to a false positive. Redo the test
+ after getting the lock. */
+ if (have_lock
+ || ({ assert (locked == 0);
+ mutex_lock(&av->mutex);
+ locked = 1;
+ chunk_at_offset (p, size)->size <= 2 * SIZE_SZ
+ || chunksize (chunk_at_offset (p, size)) >= av->system_mem;
+ }))
+#endif
+ {
+ errstr = "free(): invalid next size (fast)";
+ goto errout;
+ }
+#ifdef ATOMIC_FASTBINS
+ if (! have_lock)
+ {
+ (void)mutex_unlock(&av->mutex);
+ locked = 0;
+ }
+#endif
}
if (__builtin_expect (perturb_byte, 0))
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 6 ++++++
malloc/malloc.c | 25 +++++++++++++++++++++++--
2 files changed, 29 insertions(+), 2 deletions(-)
hooks/post-receive
--
GNU C Library master sources