pthread_cond_broadcast: Fix waiters-after-spinning case [BZ #23538]
Commit Message
From: Martin Kuchta <martin.kuchta@netapp.com>
(cherry picked from commit 99ea93ca31795469d2a1f1570f17a5c39c2eb7e2)
2018-08-27 Martin Kuchta <martin.kuchta@netapp.com>
Torvald Riegel <triegel@redhat.com>
[BZ #23538]
* nptl/pthread_cond_common.c (__condvar_quiesce_and_switch_g1):
Update r to include the set wake-request flag if waiters are
remaining after spinning.
Comments
* Florian Weimer:
> From: Martin Kuchta <martin.kuchta@netapp.com>
>
> (cherry picked from commit 99ea93ca31795469d2a1f1570f17a5c39c2eb7e2)
>
> 2018-08-27 Martin Kuchta <martin.kuchta@netapp.com>
> Torvald Riegel <triegel@redhat.com>
>
> [BZ #23538]
> * nptl/pthread_cond_common.c (__condvar_quiesce_and_switch_g1):
> Update r to include the set wake-request flag if waiters are
> remaining after spinning.
>
> diff --git a/NEWS b/NEWS
> index dafec5d82d..abe90d1422 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -84,6 +84,7 @@ The following bugs are resolved with this release:
> [22685] powerpc: Fix syscalls during early process initialization
> [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
> [22774] malloc: Integer overflow in malloc (CVE-2018-6551)
> + [23538] pthread_cond_broadcast: Fix waiters-after-spinning case
>
> Version 2.25
Sorry, script malfunction. This should have gone to libc-stable as a
committed patch.
@@ -84,6 +84,7 @@ The following bugs are resolved with this release:
[22685] powerpc: Fix syscalls during early process initialization
[22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
[22774] malloc: Integer overflow in malloc (CVE-2018-6551)
+ [23538] pthread_cond_broadcast: Fix waiters-after-spinning case
Version 2.25
@@ -406,8 +406,12 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
{
/* There is still a waiter after spinning. Set the wake-request
flag and block. Relaxed MO is fine because this is just about
- this futex word. */
- r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1);
+ this futex word.
+
+ Update r to include the set wake-request flag so that the upcoming
+ futex_wait only blocks if the flag is still set (otherwise, we'd
+ violate the basic client-side futex protocol). */
+ r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1) | 1;
if ((r >> 1) > 0)
futex_wait_simple (cond->__data.__g_refs + g1, r, private);
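Review bot: On the `r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1) | 1;` line, the new comment says what r must contain but not why the trailing `| 1` is needed. The fetch-or returns the value the futex word held before the OR, so without it the expected value handed to futex_wait_simple would lack the flag that was just set. Without that explanation the expression reads as redundant and could be simplified away in a later cleanup. I would add a short clause to the comment, for example "atomic_fetch_or returns the previous value, so OR the flag into r again". Separately, the hunks shown here touch only NEWS and nptl/pthread_cond_common.c; a regression test for BZ #23538 that exercises the waiters-remaining-after-spinning path would protect this line.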