fluencelabs/musl
1
0
Fork 0
mirror of https://github.com/fluencelabs/musl synced 2025-05-22 04:01:34 +00:00
Code Issues Projects Releases Wiki Activity

fix stdio lock dependency on read-after-free not faulting

Browse Source 
instead of using a waiters count, add a bit to the lock field
indicating that the lock may have waiters. threads which obtain the
lock after contending for it will perform a potentially-spurious wake
when they release the lock.
This commit is contained in:
Rich Felker 2018-04-17 23:59:41 -04:00
parent 502027540b
commit c21f750727
3 changed files with 24 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/stdio/__lockfile.c
View File

@ -1,28 +1,25 @@
#include "stdio_impl.h" #include "stdio_impl.h"
#include "pthread_impl.h" #include "pthread_impl.h"
#define MAYBE_WAITERS 0x40000000
int __lockfile(FILE *f) int __lockfile(FILE *f)
{ {
int owner, tid = __pthread_self()->tid; int owner = f->lock, tid = __pthread_self()->tid;
if (f->lock == tid) if ((owner & ~MAYBE_WAITERS) == tid)
return 0; return 0;
while ((owner = a_cas(&f->lock, 0, tid))) for (;;) {
__wait(&f->lock, &f->waiters, owner, 1); owner = a_cas(&f->lock, 0, tid);
if (!owner) return 1;
if (a_cas(&f->lock, owner, owner|MAYBE_WAITERS)==owner) break;
}
while ((owner = a_cas(&f->lock, 0, tid|MAYBE_WAITERS)))
__futexwait(&f->lock, owner, 1);
return 1; return 1;
} }
void __unlockfile(FILE *f) void __unlockfile(FILE *f)
{ {
a_store(&f->lock, 0); if (a_swap(&f->lock, 0) & MAYBE_WAITERS)
__wake(&f->lock, 1, 1);
/* The following read is technically invalid under situations
* of self-synchronized destruction. Another thread may have
* called fclose as soon as the above store has completed.
* Nonetheless, since FILE objects always live in memory
* obtained by malloc from the heap, it's safe to assume
* the dereferences below will not fault. In the worst case,
* a spurious syscall will be made. If the implementation of
* malloc changes, this assumption needs revisiting. */
if (f->waiters) __wake(&f->lock, 1, 1);
} }

6
src/stdio/flockfile.c
View File

@ -1,10 +1,14 @@
#include "stdio_impl.h" #include "stdio_impl.h"
#include "pthread_impl.h" #include "pthread_impl.h"
#define MAYBE_WAITERS 0x40000000
void flockfile(FILE *f) void flockfile(FILE *f)
{ {
while (ftrylockfile(f)) { while (ftrylockfile(f)) {
int owner = f->lock; int owner = f->lock;
if (owner) __wait(&f->lock, &f->waiters, owner, 1); if (!owner) continue;
a_cas(&f->lock, owner, owner|MAYBE_WAITERS);
__futexwait(&f->lock, owner|MAYBE_WAITERS, 1);
} }
} }

9
src/stdio/ftrylockfile.c
View File

@ -2,6 +2,8 @@
#include "pthread_impl.h" #include "pthread_impl.h"
#include <limits.h> #include <limits.h>
#define MAYBE_WAITERS 0x40000000
void __do_orphaned_stdio_locks() void __do_orphaned_stdio_locks()
{ {
FILE *f; FILE *f;
@ -22,14 +24,15 @@ int ftrylockfile(FILE *f)
{ {
pthread_t self = __pthread_self(); pthread_t self = __pthread_self();
int tid = self->tid; int tid = self->tid;
if (f->lock == tid) { int owner = f->lock;
if ((owner & ~MAYBE_WAITERS) == tid) {
if (f->lockcount == LONG_MAX) if (f->lockcount == LONG_MAX)
return -1; return -1;
f->lockcount++; f->lockcount++;
return 0; return 0;
} }
if (f->lock < 0) f->lock = 0; if (owner < 0) f->lock = owner = 0;
if (f->lock || a_cas(&f->lock, 0, tid)) if (owner || a_cas(&f->lock, 0, tid))
return -1; return -1;
f->lockcount = 1; f->lockcount = 1;
f->prev_locked = 0; f->prev_locked = 0;