Bug 21046 - bug16159 seems to have happened again
Summary: bug16159 seems to have happened again
Alias: None
Product: glibc
Classification: Unclassified
Component: malloc (show other bugs)
Version: 2.17
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on: 21754
  Show dependency treegraph
Reported: 2017-01-13 02:27 UTC by Chen Wei
Modified: 2017-07-12 00:07 UTC (History)
1 user (show)

See Also:
Last reconfirmed:
fweimer: security-

more gdb info in attchment (4.48 KB, text/plain)
2017-01-13 02:27 UTC, Chen Wei

Note You need to log in before you can comment on or make changes to this bug.
Description Chen Wei 2017-01-13 02:27:25 UTC
Created attachment 9751 [details]
more gdb info in attchment

But recently, I met the deadlock problem again.
centOS 7.2 with glibc-2.17, which has already back ported the patch fff94fa(Avoid deadlock in malloc on backtrace (BZ #16159))
The main problem is the process does not abort, it hangs. M_CHECK_ACTION parameter is default value 3.
Backtrace from gdb is similar with BZ #16159, but different expection reason detected.
The 1st expection triggered by calling free func. The pointer to free is an address of array(calloc), and out-of-bounds access before.
So the 1st expection is "free(): invalid next size (normal)" and in malloc_printerr func malloc report the 2nd error
"malloc(): smallbin double linked list corrupted", then it hangs around in:
More details please see attachment
========================= hung thread bt info ==========================
(gdb) thr 20
[Switching to thread 20 (Thread 0x7fa5a8edc700 (LWP 193380))]
#0  pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:94
94		jmp	6b
(gdb) bt
#0  pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:94
#1  0x00007fa5b6e606dc in __GI___backtrace (array=array@entry=0x7fa5a8eda2b0, size=size@entry=64) at ../sysdeps/x86_64/backtrace.c:103
#2  0x00007fa5b6dcb314 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fa5b6ed4e48 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:176
#3  0x00007fa5b6dd1144 in malloc_printerr (action=<optimized out>, str=0x7fa5b6ed4fe0 "malloc(): smallbin double linked list corrupted", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5036
#4  0x00007fa5b6dd3f97 in _int_malloc (av=0x7fa588000020, bytes=7809933825095528041) at malloc.c:3396
#5  0x00007fa5b6dd6194 in __GI___libc_malloc (bytes=56) at malloc.c:2909
#6  0x00007fa5ba948238 in _dl_map_object_deps (map=map@entry=0x7fa5bab4a538, preloads=preloads@entry=0x0, npreloads=npreloads@entry=0, trace_mode=trace_mode@entry=0, open_mode=open_mode@entry=-2147483648) at dl-deps.c:515
#7  0x00007fa5ba94e89b in dl_open_worker (a=a@entry=0x7fa5a8edae98) at dl-open.c:269
#8  0x00007fa5ba94a1b4 in _dl_catch_error (objname=objname@entry=0x7fa5a8edae88, errstring=errstring@entry=0x7fa5a8edae90, mallocedp=mallocedp@entry=0x7fa5a8edae80, operate=operate@entry=0x7fa5ba94e700 <dl_open_worker>, 
    args=args@entry=0x7fa5a8edae98) at dl-error.c:177
#9  0x00007fa5ba94e1ab in _dl_open (file=0x7fa5b6ed13c6 "libgcc_s.so.1", mode=-2147483647, caller_dlopen=<optimized out>, nsid=-2, argc=2, argv=0x7ffcac68a628, env=0x7ffcac68a640) at dl-open.c:650
#10 0x00007fa5b6e86fd2 in do_dlopen (ptr=ptr@entry=0x7fa5a8edb0a0) at dl-libc.c:87
#11 0x00007fa5ba94a1b4 in _dl_catch_error (objname=0x7fa5a8edb080, errstring=0x7fa5a8edb090, mallocedp=0x7fa5a8edb070, operate=0x7fa5b6e86f90 <do_dlopen>, args=0x7fa5a8edb0a0) at dl-error.c:177
#12 0x00007fa5b6e87092 in dlerror_run (args=0x7fa5a8edb0a0, operate=0x7fa5b6e86f90 <do_dlopen>) at dl-libc.c:46
#13 __GI___libc_dlopen_mode (name=name@entry=0x7fa5b6ed13c6 "libgcc_s.so.1", mode=mode@entry=-2147483647) at dl-libc.c:163
#14 0x00007fa5b6e605c5 in init () at ../sysdeps/x86_64/backtrace.c:52
#15 0x00007fa5b7123bb0 in pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:103
#16 0x00007fa5b6e606dc in __GI___backtrace (array=array@entry=0x7fa5a8edb360, size=size@entry=64) at ../sysdeps/x86_64/backtrace.c:103
#17 0x00007fa5b6dcb314 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fa5b6ed4e48 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:176
#18 0x00007fa5b6dd26d3 in malloc_printerr (ar_ptr=0x7fa588000020, ptr=<optimized out>, str=0x7fa5b6ed4e90 "free(): invalid next size (normal)", action=3) at malloc.c:5036
#19 _int_free (av=0x7fa588000020, p=<optimized out>, have_lock=0) at malloc.c:3856
Comment 1 Florian Weimer 2017-01-30 13:58:27 UTC
Please report this on https://bugzilla.redhat.com/, with a exact glibc version number.  This could be a problem with the downstream backport.

Please also include backtraces from all threads in the report.  Thanks.