| Message ID | 3ecdb956cbf6d1b46e36311ffe7f491ce186cdbc.1613390045.git.szabolcs.nagy@arm.com |
|---|---|
| State | Superseded |
| Delegated to: | Adhemerval Zanella Netto |
| Headers |
Return-Path: <libc-alpha-bounces@sourceware.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from server2.sourceware.org (localhost [IPv6:::1])
by sourceware.org (Postfix) with ESMTP id 9208D3950439;
Mon, 15 Feb 2021 12:01:13 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 9208D3950439
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
s=default; t=1613390473;
bh=dSbZNESyxN5bmz3Eefvw1+7y07M7zOdH4Heke5QVGhk=;
h=To:Subject:Date:In-Reply-To:References:List-Id:List-Unsubscribe:
List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
From;
b=Q4js7vTFi5DJnv3tP+tadmDFSC6IUmYAetEXfKBjZH4tG+VO1oOLXI8Kq86AW7JtY
b/eb41O+wEvSaCLDUIxGew3B1bMM0nLqeALXaTGE7IjDuNSluWtGJ3bULHD8cPCGV4
+NUe9hbPO6w4ebIdLw/wXzDSgnd7G9uoAk5iJQ6I=
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from EUR05-DB8-obe.outbound.protection.outlook.com
(mail-db8eur05on2046.outbound.protection.outlook.com [40.107.20.46])
by sourceware.org (Postfix) with ESMTPS id 654773950433
for <libc-alpha@sourceware.org>; Mon, 15 Feb 2021 12:01:10 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 654773950433
Received: from AM6P191CA0066.EURP191.PROD.OUTLOOK.COM (2603:10a6:209:7f::43)
by AM8PR08MB5731.eurprd08.prod.outlook.com (2603:10a6:20b:1c7::19) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.25; Mon, 15 Feb
2021 12:01:06 +0000
Received: from VE1EUR03FT019.eop-EUR03.prod.protection.outlook.com
(2603:10a6:209:7f:cafe::10) by AM6P191CA0066.outlook.office365.com
(2603:10a6:209:7f::43) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.27 via Frontend
Transport; Mon, 15 Feb 2021 12:01:04 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123)
smtp.mailfrom=arm.com; sourceware.org; dkim=pass (signature was verified)
header.d=armh.onmicrosoft.com;sourceware.org; dmarc=pass action=none
header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates
63.35.35.123 as permitted sender) receiver=protection.outlook.com;
client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by
VE1EUR03FT019.mail.protection.outlook.com (10.152.18.153) with
Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.3846.25 via Frontend Transport; Mon, 15 Feb 2021 12:01:04 +0000
Received: ("Tessian outbound 28c96a6c9d2e:v71");
Mon, 15 Feb 2021 12:01:04 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: b8dfb3aebd67b90c
X-CR-MTA-TID: 64aa7808
Received: from ec21e88e4633.1
by 64aa7808-outbound-1.mta.getcheckrecipient.com id
B43AEA49-180F-47D9-BF52-F5DC653A8B5F.1;
Mon, 15 Feb 2021 12:00:54 +0000
Received: from FRA01-PR2-obe.outbound.protection.outlook.com
by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id
ec21e88e4633.1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
Mon, 15 Feb 2021 12:00:54 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=IB8N0bqPVeH+qVtmjpZfwOg1n0XqCtdOTLnr1bpDrNVl7V20zXSgMXG72BHISbPBpNjGeNPdddF65rfji0sJ2goua74HTI5PITd5yi2RuNeK7kXgIlcSo0hY8kJHaJ9ZVbqri4QIfyZbQUtGbW+orlZ0Tl7ILD6yQPR7TAtZOGbW86szZeK5LCPFxx4r+trqFYQ8Oqz7dG0oMdgabGMn9Z/YF6A7lAlCqUDAsKCzpxepy4N4P0BkcFJq1lML2+8w4LaBQv/JqCWIFVKOkvUTDOILZsI7KgROPC5yoauUa6FctxO5bAVTbrsuJb5X0cAbg0qHU85HmE2z2ymqc740VQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=dSbZNESyxN5bmz3Eefvw1+7y07M7zOdH4Heke5QVGhk=;
b=L6oLkjZgvZVaoFgct9M/WhbRm9Z6em+oPk4/KJ/53n3CSy54Hl13uYYOR9C+9+IkZLqNSmvan2khqC9JWS70s0DOYjoIrJdz2SmCk1uGnWoXVO+nsGXTNcNrv9FDaYaM1ojy3eSlLaDm78glZWDXhWDNNq7ZnsUwBlFhUZNrHl9rLJdk3fIBpSzdVloeypzFecjno/vaJlODA88ee3wBrVH3stCkgefBRfDWX8CW/HEyoIskzyM4VZOyodMT5EtAjn209ollmW5Ei+luVDwBHWDKjoAVDhyIm2//yDuI2d+6TQ9az6UIgpTj/1ruj4q0UzCmnwXm/Nao1d/ONPLNjA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass
header.d=arm.com; arc=none
Authentication-Results-Original: sourceware.org; dkim=none (message not
signed) header.d=none;sourceware.org; dmarc=none action=none
header.from=arm.com;
Received: from PA4PR08MB6320.eurprd08.prod.outlook.com (2603:10a6:102:e5::9)
by PR2PR08MB4874.eurprd08.prod.outlook.com (2603:10a6:101:1d::11) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.38; Mon, 15 Feb
2021 12:00:53 +0000
Received: from PA4PR08MB6320.eurprd08.prod.outlook.com
([fe80::60f0:3773:69b8:e336]) by PA4PR08MB6320.eurprd08.prod.outlook.com
([fe80::60f0:3773:69b8:e336%2]) with mapi id 15.20.3846.042; Mon, 15 Feb 2021
12:00:53 +0000
To: libc-alpha@sourceware.org
Subject: [PATCH 07/15] elf: Refactor _dl_update_slotinfo to avoid use after
free
Date: Mon, 15 Feb 2021 12:00:47 +0000
Message-Id:
<3ecdb956cbf6d1b46e36311ffe7f491ce186cdbc.1613390045.git.szabolcs.nagy@arm.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <cover.1613390045.git.szabolcs.nagy@arm.com>
References: <cover.1613390045.git.szabolcs.nagy@arm.com>
Content-Type: text/plain
X-Originating-IP: [217.140.106.49]
X-ClientProxiedBy: LO2P265CA0296.GBRP265.PROD.OUTLOOK.COM
(2603:10a6:600:a5::20) To PA4PR08MB6320.eurprd08.prod.outlook.com
(2603:10a6:102:e5::9)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from localhost.localdomain (217.140.106.49) by
LO2P265CA0296.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:a5::20) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.3846.38 via Frontend Transport; Mon, 15 Feb 2021 12:00:52 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 1eb54b86-9043-4829-1620-08d8d1a95f1c
X-MS-TrafficTypeDiagnostic: PR2PR08MB4874:|AM8PR08MB5731:
X-Microsoft-Antispam-PRVS:
<AM8PR08MB57319C485F010BF38A035316ED889@AM8PR08MB5731.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
NoDisclaimer: true
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original:
VgYv8Cf0DZt28LCZZJtOWh0MKNdi68dpwCyQ8Kvqaa9c1ikgE32zqyX9iZgHdTUXeMdyB8S2STzdNYCdtgc+RKRfaAwBSzRokEoG1+CaANqUVBTtt46y8M71tstzOIOCCS/ODh9lFf6fTk+U1UXeX8CYGF2gYSlohXO1sU6LQ0W5aluIyzQtPX3P5aOS5RfD4eomjEnWOnDWpKMvVVupAPuopL3OnZUAbAvt58RySkUPD2PgHEllvfClOminQgY20lOK8H7E0c3eMBIqpjs1g9lTAPZ5FIgu79kT3kgL5pHxyRugK8pYKU2ete9GFZe9pDgx6nzxUVgjSSwie4XDaOGSzIWcrJSVAQh/saawXWBfp3Dg7zyE0gtdJBWQlaIfpgbyScbtLnCMzui+KA8uGsV0EwjuaqKssPK/ixsaUv/uNVvFSk5V19nizvBSqoPPG1g9gUrrWOGFnNkeLVaPfKypJ4vLVBFrsbHVhDUQw1zIoE9pYXmyL5I5SLhf2+qlnZ5Xv5XJ3uMPvvunhZzs+SzAFDiTNkGrRXbVS0987QcaX6sqJdyHNFD9/1hyeEw50aqeeIr63R9mNspS58czjg==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en;
SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PA4PR08MB6320.eurprd08.prod.outlook.com;
PTR:; CAT:NONE;
SFS:(4636009)(396003)(136003)(346002)(366004)(39850400004)(376002)(2616005)(16526019)(6506007)(6486002)(83380400001)(956004)(66946007)(2906002)(26005)(186003)(44832011)(69590400012)(8676002)(6512007)(66476007)(478600001)(5660300002)(52116002)(36756003)(66556008)(6666004)(316002)(6916009)(8936002)(86362001);
DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData:
WJopnhshQa7Nk+xQ8UVURrLdsl2xe21N2RI4Vtybf+10seALKehJncA6I0u/488iTNd1hxM0uN24x09MMtHa4dxmbzqUdkeOiKtCcSoIzwUMez134zyVrrRdHATYhhL7EDfFmEbNCkI/AeSATpnHWTxy+NSK+rE71Mg04rI1jH8xN1cWYvrT+VEiBQPQQxz6TFpBHPFIXt2QkEFMGkUtUeD+xn2+0YBURgQU/2uIIe2TyKEPxTA7gp/GcIhNLYS5ldTcQQA2XxgKuBoDiHIe1sbW/uTzGT9gF/bhVBS8UeQPxKyJgfgm+c8gVCxF+QfHopTR9vjd3/4DXOyDSTeapE9mLkjnc/RmPa0rhmfqYfTF6DJZyZB5qLrnLNq4BEdNYHNySFf5iFV4B7JOuIGRA4EFWqoFnpn2ydtbwE3rp1ODAkC3NqMqNvJA66eH5dhObmlW4Yosaef3/ONUKQ7Y8MyczJuSORg4X+hPn+nZ0K+Pq+5BMNODsGCiEIWWQDXw3KhK4ebBDQQ75CCj/TmJTO9puGn2Vay25AfKGbRX5al+Gc59JhggZ0Qa5ZX7Cy2T7AATWy5aWG5/JYNg+8VY9PgYDMvcvLc+ErvUzAEbdR5GxsU5zecZnjh5aHbkn5jUf81SwDFgkXSWOVqYmfy/Ivt7n7TWNM8IAf189lljGs2DMSpJaOrQUgVraw2oLTLcBn5OkOtOQjnisJ998VsdOxbA28u58QX+jLO72xwjHiKF3sOuZN+9t7z+gGUDnIdu6lFMUCyQZYjczymm7k1ZjdGX5vVrENmFfhHqQyIKpfUbawYODeMd1eywZIdCbK74ANwypUkyHiiWzeSQy34CJQYOiTTUAMlDJ31Qk0sgSWOuOuFUNLjsdayFLgi9Wa5IS/SYng2g8Q9u5yPFAWYaJBQmPohAvZJm1iFiwcfm5KEf4vLbCQfGT67I5lSNBGpQFg8lCzPKbw+IoNXK4czdfPpP6zv4L2mj3M4V8tjvbSKpyN/yEozBZSRdkpPMdhf7pOvRbdqxBLQT1YUGTB7dlEUgndZmhaDGEXeGJ6ZvYunOcg+wMhE5jqetyGDG/BKVYdRHJ4NwbXMrqWPNE6fp9VpJdPDvXvYoGhrqlIB1/CJDoG8ovL5G0vkg2ELGl9m3bvrWFE0IOYO23B/PA3jEDb1yEomT+/yYi287fRGL8vpYMPL7qeHu8i5p6uKv7ZuRQesoA6N0O+tRXw46gvnWAK2rKgsdU351k15lUWK20ISvegysnpHR5co5FVFpRGtxZ5z4nY92CD+sLA6xDdGXW986jYLmjkvVp8joCjShq4GDV/YLuJt3+ubI6aEUNnEs
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR2PR08MB4874
Original-Authentication-Results: sourceware.org;
dkim=none (message not signed)
header.d=none; sourceware.org;
dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
VE1EUR03FT019.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
7fb693e2-e384-440e-97eb-08d8d1a95813
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
mb8qCo92pbPAZVFhiVjx1WMBniVS73l3O0OsRd3rkHzyddjBMR1kgHmKmg5C81eI2cIveWOLzomR0rzZ+bb57Ts1TYmOGkvas95ebFeXfwfEbG0wjpmEXejUiiBJ8xBwJ0CrlxyNSQg2bUehgiZSNzo4f64HHNa7MgEl5MjhFF/BsA+lFs5uVhqKCBChY6iJXiNkGiLj+or7/c/7mvBkCXoiWVOLK5NECm6RvSkFZpfoXK5/DlCDeI2VXnrv0CfWHeo/CoX7vQ8K2gWmx2udNUfRN0HV6mX8F9Xbp2kxyB/D4WhvaCpVWqG0S9MWWVHisK+OfTU06mohobf/GQ+2zwxl+H00rCFVA6F16NGmp6CeCa02+rM6sicEZLPESWtFQiP9C9E496cYe6tCKE3hmT+Gm6RxQmRCyUClToGif8X3+rAfGTMqEjH4JvMp8MjJrAsTcgNwcqw+rl9+9stNJDgSB4+uAyDfrohSbGeOFocGKc2g5waotgNzWrvgqFr1JsjXXXfTvnxotRElzc2uUb6WBaMxryC3siHcrJmU4LgV7gh6Ulfd6ZxZZ1rRwt6Qf+g4sy6P4fAPm/e8W2H1ixi4wM1auSh4bmZssJ87BdIjD0tZZnNaWjJcQTjdz1OaxJD3ppYHEIRyiKSMzdPb77IuReZXu+7X1fm7elme0+I5HE4yqaCYqw+svLQtn91X
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:;
IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com;
PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE;
SFS:(4636009)(376002)(346002)(136003)(39850400004)(396003)(46966006)(36840700001)(2616005)(336012)(186003)(26005)(83380400001)(956004)(6486002)(6506007)(16526019)(44832011)(36756003)(316002)(8936002)(86362001)(6666004)(36860700001)(82310400003)(69590400012)(8676002)(356005)(5660300002)(82740400003)(81166007)(2906002)(6916009)(47076005)(478600001)(70206006)(6512007)(70586007);
DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Feb 2021 12:01:04.6956 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id:
1eb54b86-9043-4829-1620-08d8d1a95f1c
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp:
TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123];
Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource:
VE1EUR03FT019.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM8PR08MB5731
X-Spam-Status: No, score=-13.9 required=5.0 tests=BAYES_00, DKIM_SIGNED,
DKIM_VALID, GIT_PATCH_0, MSGID_FROM_MTA_HEADER, RCVD_IN_DNSWL_NONE,
RCVD_IN_MSPIKE_H2, SPF_HELO_PASS, SPF_PASS, TXREP,
UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
<mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
<mailto:libc-alpha-request@sourceware.org?subject=subscribe>
From: Szabolcs Nagy via Libc-alpha <libc-alpha@sourceware.org>
Reply-To: Szabolcs Nagy <szabolcs.nagy@arm.com>
Errors-To: libc-alpha-bounces@sourceware.org
Sender: "Libc-alpha" <libc-alpha-bounces@sourceware.org>
|
| Series |
Dynamic TLS related data race fixes
|
|
Commit Message
Szabolcs Nagy
Feb. 15, 2021, noon UTC
map is not valid to access here because it can be freed by a concurrent dlclose, so don't check the modid. The map == 0 and map != 0 code paths can be shared (avoiding the dtv resize in case of map == 0 is just an optimization: larger dtv than necessary would be fine too). --- elf/dl-tls.c | 21 +++++---------------- 1 file changed, 5 insertions(+), 16 deletions(-)
Comments
On 15/02/2021 09:00, Szabolcs Nagy via Libc-alpha wrote: > map is not valid to access here because it can be freed by a > concurrent dlclose, so don't check the modid. Won't it be protected by the recursive GL(dl_load_lock) in such case? I think the concurrency issue is between dlopen and _dl_deallocate_tls called by pthread stack handling (nptl/allocatestack.c). Am I missing something here? > > The map == 0 and map != 0 code paths can be shared (avoiding > the dtv resize in case of map == 0 is just an optimization: > larger dtv than necessary would be fine too). > --- > elf/dl-tls.c | 21 +++++---------------- > 1 file changed, 5 insertions(+), 16 deletions(-) > > diff --git a/elf/dl-tls.c b/elf/dl-tls.c > index 24d00c14ef..f8b32b3ecb 100644 > --- a/elf/dl-tls.c > +++ b/elf/dl-tls.c > @@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid) > { > for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt) > { > + size_t modid = total + cnt; > + > size_t gen = listp->slotinfo[cnt].gen; > > if (gen > new_gen) > @@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid) > > /* If there is no map this means the entry is empty. */ > struct link_map *map = listp->slotinfo[cnt].map; > - if (map == NULL) > - { > - if (dtv[-1].counter >= total + cnt) > - { > - /* If this modid was used at some point the memory > - might still be allocated. */ > - free (dtv[total + cnt].pointer.to_free); > - dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED; > - dtv[total + cnt].pointer.to_free = NULL; > - } > - > - continue; > - } > - > /* Check whether the current dtv array is large enough. */ > - size_t modid = map->l_tls_modid; > - assert (total + cnt == modid); > if (dtv[-1].counter < modid) > { > + if (map == NULL) > + continue; > + > /* Resize the dtv. */ > dtv = _dl_resize_dtv (dtv); > >
The 04/06/2021 16:40, Adhemerval Zanella wrote: > On 15/02/2021 09:00, Szabolcs Nagy via Libc-alpha wrote: > > map is not valid to access here because it can be freed by a > > concurrent dlclose, so don't check the modid. > > Won't it be protected by the recursive GL(dl_load_lock) in such case? > I think the concurrency issue is between dlopen and _dl_deallocate_tls > called by pthread stack handling (nptl/allocatestack.c). Am I missing > something here? _dl_update_slotinfo is called both with and without the dlopen lock held: during dynamic tls access the lock is not held (see the __tls_get_addr path) we cannot add a lock there because that would cause new deadlocks, dealing with this is the tricky part of the patchset. > > > > The map == 0 and map != 0 code paths can be shared (avoiding > > the dtv resize in case of map == 0 is just an optimization: > > larger dtv than necessary would be fine too). > > --- > > elf/dl-tls.c | 21 +++++---------------- > > 1 file changed, 5 insertions(+), 16 deletions(-) > > > > diff --git a/elf/dl-tls.c b/elf/dl-tls.c > > index 24d00c14ef..f8b32b3ecb 100644 > > --- a/elf/dl-tls.c > > +++ b/elf/dl-tls.c > > @@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid) > > { > > for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt) > > { > > + size_t modid = total + cnt; > > + > > size_t gen = listp->slotinfo[cnt].gen; > > > > if (gen > new_gen) > > @@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid) > > > > /* If there is no map this means the entry is empty. */ > > struct link_map *map = listp->slotinfo[cnt].map; > > - if (map == NULL) > > - { > > - if (dtv[-1].counter >= total + cnt) > > - { > > - /* If this modid was used at some point the memory > > - might still be allocated. */ > > - free (dtv[total + cnt].pointer.to_free); > > - dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED; > > - dtv[total + cnt].pointer.to_free = NULL; > > - } > > - > > - continue; > > - } > > - > > /* Check whether the current dtv array is large enough. */ > > - size_t modid = map->l_tls_modid; > > - assert (total + cnt == modid); > > if (dtv[-1].counter < modid) > > { > > + if (map == NULL) > > + continue; > > + > > /* Resize the dtv. */ > > dtv = _dl_resize_dtv (dtv); > > > >
On 07/04/2021 05:01, Szabolcs Nagy wrote: > The 04/06/2021 16:40, Adhemerval Zanella wrote: >> On 15/02/2021 09:00, Szabolcs Nagy via Libc-alpha wrote: >>> map is not valid to access here because it can be freed by a >>> concurrent dlclose, so don't check the modid. >> >> Won't it be protected by the recursive GL(dl_load_lock) in such case? >> I think the concurrency issue is between dlopen and _dl_deallocate_tls >> called by pthread stack handling (nptl/allocatestack.c). Am I missing >> something here? > > > _dl_update_slotinfo is called both with and without > the dlopen lock held: during dynamic tls access > the lock is not held (see the __tls_get_addr path) Right, revising the patch I mapped the calls (not sure if it is fully complete): | _dl_open | __rtld_lock_lock_recursive (GL(dl_load_lock)); | dl_open_worker | update_tls_slotinfo | _dl_update_slotinfo | __rtld_lock_unlock_recursive (GL(dl_load_lock)); | __tls_get_addr | update_get_addr | _dl_update_slotinfo | rtld | _dl_resolve_conflicts | elf_machine_rela | TRY_STATIC_TLS | _dl_try_allocate_static_tls | _dl_update_slotinfo | | elf_machine_rela | CHECK_STATIC_TLS | _dl_allocate_static_tls | _dl_try_allocate_static_tls | _dl_update_slotinfo The rtld part should not matter, since it is done before thread is supported. > > we cannot add a lock there because that would cause > new deadlocks, dealing with this is the tricky part > of the patchset. I understand this patch from previous discussion about it. The part is confusing me is "because it can be freed by a concurrent dlclose". My understanding is '_dl_deallocate_tls' might be called in thread exit / deallocation without the GL(dl_load_lock) (which is a potential issue); what I can't see is how concurrent dlclose might trigger this issue (since it should be synchronized with dlopen through the lock). > >>> >>> The map == 0 and map != 0 code paths can be shared (avoiding >>> the dtv resize in case of map == 0 is just an optimization: >>> larger dtv than necessary would be fine too). >>> --- >>> elf/dl-tls.c | 21 +++++---------------- >>> 1 file changed, 5 insertions(+), 16 deletions(-) >>> >>> diff --git a/elf/dl-tls.c b/elf/dl-tls.c >>> index 24d00c14ef..f8b32b3ecb 100644 >>> --- a/elf/dl-tls.c >>> +++ b/elf/dl-tls.c >>> @@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid) >>> { >>> for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt) >>> { >>> + size_t modid = total + cnt; >>> + >>> size_t gen = listp->slotinfo[cnt].gen; >>> >>> if (gen > new_gen) >>> @@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid) >>> >>> /* If there is no map this means the entry is empty. */ >>> struct link_map *map = listp->slotinfo[cnt].map; >>> - if (map == NULL) >>> - { >>> - if (dtv[-1].counter >= total + cnt) >>> - { >>> - /* If this modid was used at some point the memory >>> - might still be allocated. */ >>> - free (dtv[total + cnt].pointer.to_free); >>> - dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED; >>> - dtv[total + cnt].pointer.to_free = NULL; >>> - } >>> - >>> - continue; >>> - } >>> - >>> /* Check whether the current dtv array is large enough. */ >>> - size_t modid = map->l_tls_modid; >>> - assert (total + cnt == modid); >>> if (dtv[-1].counter < modid) >>> { >>> + if (map == NULL) >>> + continue; >>> + >>> /* Resize the dtv. */ >>> dtv = _dl_resize_dtv (dtv); >>> >>>
On 07/04/2021 11:28, Adhemerval Zanella wrote: > > > On 07/04/2021 05:01, Szabolcs Nagy wrote: >> The 04/06/2021 16:40, Adhemerval Zanella wrote: >>> On 15/02/2021 09:00, Szabolcs Nagy via Libc-alpha wrote: >>>> map is not valid to access here because it can be freed by a >>>> concurrent dlclose, so don't check the modid. >>> >>> Won't it be protected by the recursive GL(dl_load_lock) in such case? >>> I think the concurrency issue is between dlopen and _dl_deallocate_tls >>> called by pthread stack handling (nptl/allocatestack.c). Am I missing >>> something here? >> >> >> _dl_update_slotinfo is called both with and without >> the dlopen lock held: during dynamic tls access >> the lock is not held (see the __tls_get_addr path) > > > Right, revising the patch I mapped the calls (not sure if it is > fully complete): > > | _dl_open > | __rtld_lock_lock_recursive (GL(dl_load_lock)); > | dl_open_worker > | update_tls_slotinfo > | _dl_update_slotinfo > | __rtld_lock_unlock_recursive (GL(dl_load_lock)); > > | __tls_get_addr > | update_get_addr > | _dl_update_slotinfo > > | rtld > | _dl_resolve_conflicts > | elf_machine_rela > | TRY_STATIC_TLS > | _dl_try_allocate_static_tls > | _dl_update_slotinfo > | > | elf_machine_rela > | CHECK_STATIC_TLS > | _dl_allocate_static_tls > | _dl_try_allocate_static_tls > | _dl_update_slotinfo > > The rtld part should not matter, since it is done before thread > is supported. > >> >> we cannot add a lock there because that would cause >> new deadlocks, dealing with this is the tricky part >> of the patchset. > > I understand this patch from previous discussion about it. The > part is confusing me is "because it can be freed by a concurrent > dlclose". My understanding is '_dl_deallocate_tls' might be called > in thread exit / deallocation without the GL(dl_load_lock) (which > is a potential issue); what I can't see is how concurrent dlclose > might trigger this issue (since it should be synchronized with dlopen > through the lock). I think I got what you meant: the concurrency issues is not related to dlopen open, but rather to __tls_get_addr and dclose. Maybe making this explicit on the commit message.
On 15/02/2021 09:00, Szabolcs Nagy via Libc-alpha wrote: > map is not valid to access here because it can be freed by a > concurrent dlclose, so don't check the modid. > > The map == 0 and map != 0 code paths can be shared (avoiding > the dtv resize in case of map == 0 is just an optimization: > larger dtv than necessary would be fine too). Please extend a bit the patch description and add that __tls_get_addr is the public interface that show concurrency issues with dlclose. The patch looks ok, thanks. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> > --- > elf/dl-tls.c | 21 +++++---------------- > 1 file changed, 5 insertions(+), 16 deletions(-) > > diff --git a/elf/dl-tls.c b/elf/dl-tls.c > index 24d00c14ef..f8b32b3ecb 100644 > --- a/elf/dl-tls.c > +++ b/elf/dl-tls.c > @@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid) > { > for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt) > { > + size_t modid = total + cnt; > + > size_t gen = listp->slotinfo[cnt].gen; > > if (gen > new_gen) > @@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid) > > /* If there is no map this means the entry is empty. */ > struct link_map *map = listp->slotinfo[cnt].map; > - if (map == NULL) > - { > - if (dtv[-1].counter >= total + cnt) > - { > - /* If this modid was used at some point the memory > - might still be allocated. */ > - free (dtv[total + cnt].pointer.to_free); > - dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED; > - dtv[total + cnt].pointer.to_free = NULL; > - } > - > - continue; > - } > - > /* Check whether the current dtv array is large enough. */ > - size_t modid = map->l_tls_modid; > - assert (total + cnt == modid); > if (dtv[-1].counter < modid) > { > + if (map == NULL) > + continue; > + > /* Resize the dtv. */ > dtv = _dl_resize_dtv (dtv); > >
diff --git a/elf/dl-tls.c b/elf/dl-tls.c index 24d00c14ef..f8b32b3ecb 100644 --- a/elf/dl-tls.c +++ b/elf/dl-tls.c @@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid) { for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt) { + size_t modid = total + cnt; + size_t gen = listp->slotinfo[cnt].gen; if (gen > new_gen) @@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid) /* If there is no map this means the entry is empty. */ struct link_map *map = listp->slotinfo[cnt].map; - if (map == NULL) - { - if (dtv[-1].counter >= total + cnt) - { - /* If this modid was used at some point the memory - might still be allocated. */ - free (dtv[total + cnt].pointer.to_free); - dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED; - dtv[total + cnt].pointer.to_free = NULL; - } - - continue; - } - /* Check whether the current dtv array is large enough. */ - size_t modid = map->l_tls_modid; - assert (total + cnt == modid); if (dtv[-1].counter < modid) { + if (map == NULL) + continue; + /* Resize the dtv. */ dtv = _dl_resize_dtv (dtv);