This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.
Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]
GNU C Library master sources branch master updated. glibc-2.18-694-gabc26e9

From: mkuvyrkov at sourceware dot org
To: glibc-cvs at sourceware dot org
Date: 23 Dec 2013 21:07:24 -0000
Subject: GNU C Library master sources branch master updated. glibc-2.18-694-gabc26e9
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  abc26e998f74750850cc02f9c249ee794cbdd8e8 (commit)
       via  362b47fe09ca9a928d444c7e2f7992f7f61bfc3e (commit)
      from  b9bcbbcbe7afa94442d335811d4a1c1e0c0a1daf (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=abc26e998f74750850cc02f9c249ee794cbdd8e8

commit abc26e998f74750850cc02f9c249ee794cbdd8e8
Author: Maxim Kuvyrkov <maxim@kugelworks.com>
Date:   Tue Dec 24 09:55:03 2013 +1300

    Restore accidentally deleted bug-fix entries in NEWS.
    
    	* NEWS: Restore accidentally deleted bug-fix entries.

diff --git a/ChangeLog b/ChangeLog
index f3ead2e..9528f88 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
 2013-12-24  Maxim Kuvyrkov  <maxim@kugelworks.com>
+
+	* NEWS: Restore accidentally deleted bug-fix entries.
+
+2013-12-24  Maxim Kuvyrkov  <maxim@kugelworks.com>
 	    OndÅ?ej BÃlka  <neleai@seznam.cz>
 
 	[BZ #15073]
diff --git a/NEWS b/NEWS
index 90e6c65..f3c19d8 100644
--- a/NEWS
+++ b/NEWS
@@ -22,7 +22,8 @@ Version 2.19
   15948, 15963, 15966, 15985, 15988, 15997, 16032, 16034, 16036, 16037,
   16038, 16041, 16055, 16071, 16072, 16074, 16077, 16078, 16103, 16112,
   16143, 16144, 16146, 16150, 16151, 16153, 16167, 16172, 16195, 16214,
-  16245, 16356.
+  16245, 16271, 16274, 16283, 16289, 16293, 16314, 16316, 16330, 16337,
+  16338, 16356.
 
 * The public headers no longer use __unused nor __block.  This change is to
   support compiling programs that are derived from BSD sources and use

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=362b47fe09ca9a928d444c7e2f7992f7f61bfc3e

commit 362b47fe09ca9a928d444c7e2f7992f7f61bfc3e
Author: Maxim Kuvyrkov <maxim@kugelworks.com>
Date:   Tue Dec 24 09:44:50 2013 +1300

    Fix race in free() of fastbin chunk: BZ #15073
    
    Perform sanity check only if we have_lock.  Due to lockless nature of fastbins
    we need to be careful derefencing pointers to fastbin entries (chunksize(old)
    in this case) in multithreaded environments.
    
    The fix is to add have_lock to the if-condition checks.  The rest of the patch
    only makes code more readable.
    
    	* malloc/malloc.c (_int_free): Perform sanity check only if we
    	have_lock.

diff --git a/ChangeLog b/ChangeLog
index 667b3f1..f3ead2e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-12-24  Maxim Kuvyrkov  <maxim@kugelworks.com>
+	    OndÅ?ej BÃlka  <neleai@seznam.cz>
+
+	[BZ #15073]
+	* malloc/malloc.c (_int_free): Perform sanity check only if we
+        have_lock.
+
 2013-12-23  OndÅ?ej BÃlka  <neleai@seznam.cz>
 
 	[BZ #12986]
diff --git a/NEWS b/NEWS
index 5c76adc..90e6c65 100644
--- a/NEWS
+++ b/NEWS
@@ -12,17 +12,17 @@ Version 2.19
   156, 387, 431, 832, 926, 2801, 4772, 6786, 6787, 6807, 6810, 7003, 9954,
   10253, 10278, 11087, 11157, 11214, 12100, 12486, 12986, 13028, 13982,
   13985, 14029, 14032, 14120, 14143, 14155, 14547, 14699, 14752, 14876,
-  14910, 15004, 15048, 15089, 15128, 15218, 15268, 15277, 15308, 15362,
-  15374, 15400, 15425, 15427, 15483, 15522, 15531, 15532, 15593, 15601,
-  15608, 15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681, 15723,
-  15734, 15735, 15736, 15748, 15749, 15754, 15760, 15763, 15764, 15797,
-  15799, 15825, 15843, 15844, 15846, 15847, 15849, 15855, 15856, 15857,
-  15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15901,
-  15905, 15909, 15915, 15917, 15919, 15921, 15923, 15939, 15941, 15948,
-  15963, 15966, 15985, 15988, 15997, 16032, 16034, 16036, 16037, 16038,
-  16041, 16055, 16071, 16072, 16074, 16077, 16078, 16103, 16112, 16143,
-  16144, 16146, 16150, 16151, 16153, 16167, 16172, 16195, 16214, 16245,
-  16356.
+  14910, 15004, 15048, 15073, 15089, 15128, 15218, 15268, 15277, 15308,
+  15362, 15374, 15400, 15425, 15427, 15483, 15522, 15531, 15532, 15593,
+  15601, 15608, 15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681,
+  15723, 15734, 15735, 15736, 15748, 15749, 15754, 15760, 15763, 15764,
+  15797, 15799, 15825, 15843, 15844, 15846, 15847, 15849, 15855, 15856,
+  15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897,
+  15901, 15905, 15909, 15915, 15917, 15919, 15921, 15923, 15939, 15941,
+  15948, 15963, 15966, 15985, 15988, 15997, 16032, 16034, 16036, 16037,
+  16038, 16041, 16055, 16071, 16072, 16074, 16077, 16078, 16103, 16112,
+  16143, 16144, 16146, 16150, 16151, 16153, 16167, 16172, 16195, 16214,
+  16245, 16356.
 
 * The public headers no longer use __unused nor __block.  This change is to
   support compiling programs that are derived from BSD sources and use
diff --git a/malloc/malloc.c b/malloc/malloc.c
index b1668b5..5e419ad 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3783,25 +3783,29 @@ _int_free(mstate av, mchunkptr p, int have_lock)
     unsigned int idx = fastbin_index(size);
     fb = &fastbin (av, idx);
 
-    mchunkptr fd;
-    mchunkptr old = *fb;
+    /* Atomically link P to its fastbin: P->FD = *FB; *FB = P;  */
+    mchunkptr old = *fb, old2;
     unsigned int old_idx = ~0u;
     do
       {
-	/* Another simple check: make sure the top of the bin is not the
-	   record we are going to add (i.e., double free).  */
+	/* Check that the top of the bin is not the record we are going to add
+	   (i.e., double free).  */
 	if (__builtin_expect (old == p, 0))
 	  {
 	    errstr = "double free or corruption (fasttop)";
 	    goto errout;
 	  }
-	if (old != NULL)
+	/* Check that size of fastbin chunk at the top is the same as
+	   size of the chunk that we are adding.  We can dereference OLD
+	   only if we have the lock, otherwise it might have already been
+	   deallocated.  See use of OLD_IDX below for the actual check.  */
+	if (have_lock && old != NULL)
 	  old_idx = fastbin_index(chunksize(old));
-	p->fd = fd = old;
+	p->fd = old2 = old;
       }
-    while ((old = catomic_compare_and_exchange_val_rel (fb, p, fd)) != fd);
+    while ((old = catomic_compare_and_exchange_val_rel (fb, p, old2)) != old2);
 
-    if (fd != NULL && __builtin_expect (old_idx != idx, 0))
+    if (have_lock && old != NULL && __builtin_expect (old_idx != idx, 0))
       {
 	errstr = "invalid fastbin entry (free)";
 	goto errout;

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |   11 +++++++++++
 NEWS            |   23 ++++++++++++-----------
 malloc/malloc.c |   20 ++++++++++++--------
 3 files changed, 35 insertions(+), 19 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources
Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]