From patchwork Thu Nov 13 17:19:24 2025
X-Patchwork-Submitter: Arjun Shankar
X-Patchwork-Id: 124187
From: Arjun Shankar
To: libc-alpha@sourceware.org
Cc: Arjun Shankar
Subject: [PATCH] malloc: Simplify tst-free-errno munmap failure test
Date: Thu, 13 Nov 2025 18:19:24 +0100
Message-ID: <20251113172839.7912-1-arjun@redhat.com>

The Linux specific test-case in tst-free-errno was backing up malloc
metadata for a large mmap'd block, overwriting the block with its own
mmap, then restoring malloc metadata and calling free to force an munmap
failure.

However, the backed up pages containing metadata can occasionally be
overlapped by the overwriting mmap, leading to a metadata corruption.

This commit replaces the test case with a simpler three block allocation,
expecting the kernel to coalesce the VMAs, then cause a fragmentation to
trigger the same failure.
---
Context that won't go into the commit message:

I caught this when investigating failures in a threaded copy of the test
introduced by my patch being discussed here:

https://inbox.sourceware.org/libc-alpha/20251110145716.3147101-1-arjun@redhat.com/

The -threaded-worker copy (which runs this test in an alternate thread
while the main thread waits) frequently fails when firstpage_backup is
overwritten by the MAP_FIXED mmap, leading to chunksize getting set to 0
and a subsequent abort upon free.

I have tested this new version on an x86_64 Fedora 42 after reducing the
VMA limit to 65536 (it's a lot higher these days) and the munmap failure
is indeed triggered as expected.

--- malloc/tst-free-errno.c | 80 ++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 45 deletions(-) diff --git a/malloc/tst-free-errno.c b/malloc/tst-free-errno.c index 1c50860e7e..944108dc7c 100644 --- a/malloc/tst-free-errno.c +++ b/malloc/tst-free-errno.c 
@@ -74,54 +74,44 @@ do_test (void) #if defined __linux__ if (xopen ("/proc/sys/vm/max_map_count", O_RDONLY, 0) >= 0) { - /* Preparations. */ - size_t pagesize = getpagesize (); - void *firstpage_backup = xmalloc (pagesize); - void *lastpage_backup = xmalloc (pagesize); - /* Allocate a large memory area, as a bumper, so that the MAP_FIXED - allocation later will not overwrite parts of the memory areas - allocated to ld.so or libc.so. */ - xmmap (NULL, 0x1000000, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1); - /* A file descriptor pointing to a regular file. */ - int fd = create_temp_file ("tst-free-errno", NULL); - if (fd < 0) - FAIL_EXIT1 ("cannot create temporary file"); - - /* Do a large memory allocation. */ + /* We expect the kernel to coalesce the VMAs for these large mallocs + (which will be mmap'd by malloc due to their size). */ size_t big_size = 0x3000000; - void * volatile ptr = xmalloc (big_size - 0x100); - char *ptr_aligned = (char *) ((uintptr_t) ptr & ~(pagesize - 1)); - /* This large memory allocation allocated a memory area - from ptr_aligned to ptr_aligned + big_size. - Enlarge this memory area by adding a page before and a page - after it. */ - memcpy (firstpage_backup, ptr_aligned, pagesize); - memcpy (lastpage_backup, ptr_aligned + big_size - pagesize, - pagesize); - xmmap (ptr_aligned - pagesize, pagesize + big_size + pagesize, - PROT_READ | PROT_WRITE, - MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1); - memcpy (ptr_aligned, firstpage_backup, pagesize); - memcpy (ptr_aligned + big_size - pagesize, lastpage_backup, - pagesize); + void * volatile block1 = xmalloc (big_size - 100); + void * volatile block2 = xmalloc (big_size - 100); + void * volatile block3 = xmalloc (big_size - 100); + + /* If block2 lands between block1 and block3, we can continue the test + since it depends on being able to free block2 to cause an munmap + failure. 
*/ + if (((block1 > block2) && (block2 > block3)) + || ((block1 < block2) && (block2 < block3))) + { + /* We will map this fd repeatedly to consume VMA mappings. */ + int fd = create_temp_file ("tst-free-errno", NULL); + if (fd < 0) + FAIL_EXIT1 ("cannot create temporary file for mmap'ing"); - /* Now add as many mappings as we can. - Stop at 65536, in order not to crash the machine (in case the - limit has been increased by the system administrator). */ - for (int i = 0; i < 65536; i++) - if (mmap (NULL, pagesize, PROT_READ, MAP_FILE | MAP_PRIVATE, fd, 0) - == MAP_FAILED) - break; - /* Now the number of VMAs of this process has hopefully attained - its limit. */ + /* Now add as many mappings as we can. + Stop at 65536, in order not to crash the machine (in case the + limit has been increased by the system administrator). */ + size_t pagesize = getpagesize (); + for (int i = 0; i < 65536; i++) + if (mmap (NULL, pagesize, PROT_READ, MAP_FILE | MAP_PRIVATE, + fd, 0) + == MAP_FAILED) + break; + /* Now the number of VMAs of this process has hopefully attained + its limit. */ - errno = 1789; - /* This call to free() is supposed to call - munmap (ptr_aligned, big_size); - which increases the number of VMAs by 1, which is supposed - to fail. */ - free (ptr); - TEST_VERIFY (get_errno () == 1789); + errno = 1789; + /* This call to free() is supposed to call munmap, which should + fail because the fragmentation of a bigger coalesced VMA will + lead to an increase in the number of VMAs which we already + maxed out. */ + free (block2); + TEST_VERIFY (get_errno () == 1789); + } } #endif
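Review bot: The ordering check `if (((block1 > block2) && (block2 > block3)) || ((block1 < block2) && (block2 < block3)))` has no else branch, so when block2 does not land in the middle the Linux-specific part is skipped silently and the test still reports success. The check also establishes only address order, not that the three mappings are adjacent: if they are not adjacent, free (block2) can unmap a whole VMA and succeed, and `TEST_VERIFY (get_errno () == 1789)` then passes without munmap ever having failed, because errno was simply never touched. Consider comparing the distances between the blocks against the mapping size (after casting to uintptr_t, as the removed code did, instead of using relational operators on void * values from separate allocations), and printing a message or reporting the test as unsupported when the layout does not match, so that a vacuous pass is visible in the log.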