fix data race in timer_create with SIGEV_THREAD notification

in the timer thread start function, self->timer_id was accessed without synchronization; the timer thread could fail to see the store from the calling thread, resulting in timer_delete failing to delete the correct kernel-level timer. this fix is based on a patch by changdiankang, but with the load moved to after receiving the timer_delete signal rather than just after the start barrier, so as not to retain the possibility of data race with timer_delete.

fix data race in timer_create with SIGEV_THREAD notification
in the timer thread start function, self->timer_id was accessed without synchronization; the timer thread could fail to see the store from the calling thread, resulting in timer_delete failing to delete the correct kernel-level timer. this fix is based on a patch by changdiankang, but with the load moved to after receiving the timer_delete signal rather than just after the start barrier, so as not to retain the possibility of data race with timer_delete.
29bad49d · Rich Felker · 7d5c5706 · 29bad49d
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

src/time/timer_create.c src/time/timer_create.c +2 -2

未找到文件。
--- a/src/time/timer_create.c
+++ b/src/time/timer_create.c
 #include <time.h>
 #include <setjmp.h>
+#include <limits.h>
 #include "pthread_impl.h"

 struct ksigevent {
@@ -48,7 +49,6 @@ static void *start(void *arg)
 {
 	pthread_t self = __pthread_self();
 	struct start_args *args = arg;
-	int id = self->timer_id;
 	jmp_buf jb;

 	void (*notify)(union sigval) = args->sev->sigev_notify_function;
@@ -65,7 +65,7 @@ static void *start(void *arg)
 		}
 		if (self->timer_id < 0) break;
 	}
-	__syscall(SYS_timer_delete, id);
+	__syscall(SYS_timer_delete, self->timer_id & INT_MAX);
 	return 0;
 }