提交 92f8396b 编写于 作者: R Rich Felker

fix potential race condition in detached threads

after the thread unmaps its own stack/thread structure, the kernel,
performing child tid clear and futex wake, could clobber a new mapping
made at the same location as the just-removed thread's tid field.
disable kernel clearing of child tid to prevent this.
上级 a03f69d4
...@@ -36,6 +36,8 @@ void pthread_exit(void *result) ...@@ -36,6 +36,8 @@ void pthread_exit(void *result)
if (!n) exit(0); if (!n) exit(0);
if (self->detached && self->map_base) { if (self->detached && self->map_base) {
if (self->detached == 2)
__syscall(SYS_set_tid_address, 0);
__syscall(SYS_rt_sigprocmask, SIG_BLOCK, (uint64_t[]){-1},0,8); __syscall(SYS_rt_sigprocmask, SIG_BLOCK, (uint64_t[]){-1},0,8);
__unmapself(self->map_base, self->map_size); __unmapself(self->map_base, self->map_size);
} }
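Review bot: The `self->detached == 2` test is a magic value: 2 is what pthread_detach stores for a thread detached after creation, while pthread_create stores 1 and at the same time drops clone flag 0x200000 (CLONE_CHILD_CLEARTID, matching the commit's "disable kernel clearing of child tid"), so this branch is the only case in which the kernel still holds &self->tid as a clear-and-wake address. I would state that at the call: `/* detached via pthread_detach(): the kernel still has &self->tid registered for clear+wake; unregister it before we unmap ourselves */`. Note the new check sits inside `if (self->detached && self->map_base)`, so a thread detached later that runs on a caller-supplied stack keeps the kernel write to its tid; that is probably fine because libc does not unmap such a stack, but it is not stated anywhere. pthread_exit's body begins before and continues past this hunk.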
...@@ -87,6 +89,7 @@ int pthread_create(pthread_t *res, const pthread_attr_t *attr, void *(*entry)(vo ...@@ -87,6 +89,7 @@ int pthread_create(pthread_t *res, const pthread_attr_t *attr, void *(*entry)(vo
size_t guard = DEFAULT_GUARD_SIZE; size_t guard = DEFAULT_GUARD_SIZE;
struct pthread *self = pthread_self(), *new; struct pthread *self = pthread_self(), *new;
unsigned char *map, *stack, *tsd; unsigned char *map, *stack, *tsd;
unsigned flags = 0x7d8f00;
if (!self) return ENOSYS; if (!self) return ENOSYS;
if (!libc.threaded) { if (!libc.threaded) {
...@@ -121,7 +124,10 @@ int pthread_create(pthread_t *res, const pthread_attr_t *attr, void *(*entry)(vo ...@@ -121,7 +124,10 @@ int pthread_create(pthread_t *res, const pthread_attr_t *attr, void *(*entry)(vo
new->start_arg = arg; new->start_arg = arg;
new->self = new; new->self = new;
new->tsd = (void *)tsd; new->tsd = (void *)tsd;
if (attr) new->detached = attr->_a_detach; if (attr && attr->_a_detach) {
new->detached = 1;
flags -= 0x200000;
}
new->unblock_cancel = self->cancel; new->unblock_cancel = self->cancel;
new->canary = self->canary ^ (uintptr_t)&new; new->canary = self->canary ^ (uintptr_t)&new;
stack = (void *)new; stack = (void *)new;
...@@ -129,7 +135,7 @@ int pthread_create(pthread_t *res, const pthread_attr_t *attr, void *(*entry)(vo ...@@ -129,7 +135,7 @@ int pthread_create(pthread_t *res, const pthread_attr_t *attr, void *(*entry)(vo
__synccall_lock(); __synccall_lock();
a_inc(&libc.threads_minus_1); a_inc(&libc.threads_minus_1);
ret = __clone(start, stack, 0x7d8f00, new, &new->tid, new, &new->tid); ret = __clone(start, stack, flags, new, &new->tid, new, &new->tid);
__synccall_unlock(); __synccall_unlock();
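Review bot: `flags -= 0x200000;` in the detach branch only works because the bit is known to be set in the initial 0x7d8f00; `flags &= ~0x200000;` (or a named `CLONE_CHILD_CLEARTID` if the headers in scope provide it) says what is meant and stays correct if the starting value is ever edited. The bit is dropped for every thread created detached regardless of where its stack comes from, whereas pthread_exit only unregisters the tid address when `self->map_base` is set, so a detached-at-creation thread on a caller-supplied stack now never has its tid cleared by the kernel while a detached-later one still does; if nothing in libc waits on tid for detached threads this is harmless, but the asymmetry deserves a comment at the branch, e.g. `/* created detached: the thread unmaps itself on exit, so never let the kernel write to tid */`. The bare `0x7d8f00` would likewise benefit from a comment naming the CLONE_* bits it packs. pthread_create's body continues past these hunks.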
......
...@@ -5,7 +5,7 @@ int pthread_detach(pthread_t t) ...@@ -5,7 +5,7 @@ int pthread_detach(pthread_t t)
/* Cannot detach a thread that's already exiting */ /* Cannot detach a thread that's already exiting */
if (a_swap(&t->exitlock, 1)) if (a_swap(&t->exitlock, 1))
return pthread_join(t, 0); return pthread_join(t, 0);
t->detached = 1; t->detached = 2;
t->exitlock = 0; a_store(&t->exitlock, 0);
return 0; return 0;
} }
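Review bot: The change from `t->exitlock = 0` to `a_store(&t->exitlock, 0)` is what makes the preceding `t->detached = 2` visible to a thread that later wins exitlock in pthread_exit (assuming a_store is the barrier-backed store musl's atomics usually are), and that ordering dependency should be written down so it is not "simplified" back to a plain store: `/* detached must be visible before exitlock is released; a_store orders it */`. Separately, a thread created detached already has detached==1 and is silently rewritten to 2 here, after which its exit path calls set_tid_address(0) with no address registered; that looks harmless, but an explicit `if (t->detached) return EINVAL;` ahead of the exitlock swap would reject a double detach, which POSIX permits to fail with EINVAL for a non-joinable thread. pthread_detach's opening lines are outside the hunk.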