Message ID | 1398850798-5648-1-git-send-email-yangyingliang@huawei.com |
---|---|
State | Committed |
Headers |
Return-Path: <x14307373@homiemail-mx20.g.dreamhost.com> X-Original-To: siddhesh@wilcox.dreamhost.com Delivered-To: siddhesh@wilcox.dreamhost.com Received: from homiemail-mx20.g.dreamhost.com (mx2.sub5.homie.mail.dreamhost.com [208.113.200.128]) by wilcox.dreamhost.com (Postfix) with ESMTP id 1B0EE36007C for <siddhesh@wilcox.dreamhost.com>; Wed, 30 Apr 2014 02:40:33 -0700 (PDT) Received: by homiemail-mx20.g.dreamhost.com (Postfix, from userid 14307373) id ADBAD4153C147; Wed, 30 Apr 2014 02:40:32 -0700 (PDT) X-Original-To: glibc@patchwork.siddhesh.in Delivered-To: x14307373@homiemail-mx20.g.dreamhost.com Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by homiemail-mx20.g.dreamhost.com (Postfix) with ESMTPS id 8C38D41527CF6 for <glibc@patchwork.siddhesh.in>; Wed, 30 Apr 2014 02:40:32 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id :mime-version:content-type; q=dns; s=default; b=GOheLIXe3u+DPLmS WPczWcUae7XOpoTFhZxu40oG0j5PIxmKUVLQ4FlyU34mfmBQ22shW2g2FvuCJ2OP 7Up4eGFnuVcB+EABPai1kUlGvfUcjfOrxZXXCmqSMR5jOKyRuxU8atp2bqNl9qTp xDty7EdMBmIMP1WeYwF8tefoGnQ= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id :mime-version:content-type; s=default; bh=lBcoZRLAuYeQFgJeVltfG4 8rRAU=; b=sGB7phTly6WKvUTC8mWX8dUDBN8pf7Z8gfh6MtpRdzRKVjsB2SI/cd 62DpXPSB8fwlAKpXoeacHbfk523u3j15lbhKLT+l+4h+pt2XDYHfTURBhG9kYrCr p0ql2w9cA9YpQYgGuK1V19hfNfq47klnkE01RIA86YpyET0v6Fsx0= Received: (qmail 5112 invoked by alias); 30 Apr 2014 09:40:30 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: <libc-alpha.sourceware.org> List-Unsubscribe: <mailto:libc-alpha-unsubscribe-glibc=patchwork.siddhesh.in@sourceware.org> List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org> List-Archive: <http://sourceware.org/ml/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-help@sourceware.org>, <http://sourceware.org/ml/#faqs> Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 5091 invoked by uid 89); 30 Apr 2014 09:40:30 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-2.5 required=5.0 tests=AWL, BAYES_00, RCVD_IN_DNSWL_LOW, RP_MATCHES_RCVD, SPF_PASS autolearn=ham version=3.3.2 X-HELO: szxga02-in.huawei.com From: Yang Yingliang <yangyingliang@huawei.com> To: <libc-alpha@sourceware.org> CC: <siddhesh@redhat.com>, <yangyingliang@huawei.com> Subject: [PATCH] Fix lll_unlock twice in pthread_cond_broadcast Date: Wed, 30 Apr 2014 17:39:58 +0800 Message-ID: <1398850798-5648-1-git-send-email-yangyingliang@huawei.com> MIME-Version: 1.0 Content-Type: text/plain X-CFilter-Loop: Reflected X-DH-Original-To: glibc@patchwork.siddhesh.in |
Commit Message
Yang Yingliang
April 30, 2014, 9:39 a.m. UTC
lll_unlock() will be called again if it goes to "wake_all" in pthread_cond_broadcast(). This may make another thread which is waiting for lock in pthread_cond_timedwait() unlock. So there are more than one threads get the lock, it will break the shared data. It's introduced by commit 8313cb997d2d("FUTEX_*_REQUEUE_PI support for non-x86 code") --- nptl/pthread_cond_broadcast.c | 1 + 1 file changed, 1 insertion(+)
Comments
On Wed, Apr 30, 2014 at 05:39:58PM +0800, Yang Yingliang wrote: > lll_unlock() will be called again if it goes to "wake_all" > in pthread_cond_broadcast(). This may make another thread > which is waiting for lock in pthread_cond_timedwait() unlock. > So there are more than one threads get the lock, it will break > the shared data. > > It's introduced by commit 8313cb997d2d("FUTEX_*_REQUEUE_PI support > for non-x86 code") Thanks for the patch. It looks good to me and is quite small (and hence won't need a copyright assignment), so I'll pushed it. For any significant changes you intend to post in future, please consider assigning copyright of your contributions in glibc to the FSF. Thanks, Siddhesh > --- > nptl/pthread_cond_broadcast.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/nptl/pthread_cond_broadcast.c b/nptl/pthread_cond_broadcast.c > index ed30e7c60bc7..7c6c9ea9a2d5 100644 > --- a/nptl/pthread_cond_broadcast.c > +++ b/nptl/pthread_cond_broadcast.c > @@ -81,6 +81,7 @@ __pthread_cond_broadcast (cond) > > wake_all: > lll_futex_wake (&cond->__data.__futex, INT_MAX, pshared); > + return 0; > } > > /* We are done. */ > -- > 1.8.0 > >
On 04/30/2014 11:39 AM, Yang Yingliang wrote: > lll_unlock() will be called again if it goes to "wake_all" > in pthread_cond_broadcast(). This may make another thread > which is waiting for lock in pthread_cond_timedwait() unlock. > So there are more than one threads get the lock, it will break > the shared data. > > It's introduced by commit 8313cb997d2d("FUTEX_*_REQUEUE_PI support for non-x86 code") Is there a bug for this? Lack of mutual exclusion could be a potential security issue. Can this happen with regular mutexes/condition variables?
diff --git a/nptl/pthread_cond_broadcast.c b/nptl/pthread_cond_broadcast.c index ed30e7c60bc7..7c6c9ea9a2d5 100644 --- a/nptl/pthread_cond_broadcast.c +++ b/nptl/pthread_cond_broadcast.c @@ -81,6 +81,7 @@ __pthread_cond_broadcast (cond) wake_all: lll_futex_wake (&cond->__data.__futex, INT_MAX, pshared); + return 0; } /* We are done. */