fluencelabs/musl
1
0
Fork 0
mirror of https://github.com/fluencelabs/musl synced 2025-07-02 08:01:58 +00:00
Code Issues Projects Releases Wiki Activity

fix extremely rare but dangerous race condition in robust mutexes

Browse Source 
if new shared mappings of files/devices/shared memory can be made
between the time a robust mutex is unlocked and its subsequent removal
from the pending slot in the robustlist header, the kernel can
inadvertently corrupt data in the newly-mapped pages when the process
terminates. i am fixing the bug by using the same global vm lock
mechanism that was used to fix the race condition with unmapping
barriers after pthread_barrier_wait returns.
This commit is contained in:
Rich Felker
2012-08-17 17:13:53 -04:00
parent 11458e5b09
commit da8d0fc4fa
3 changed files with 33 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/thread/pthread_barrier_wait.c
View File

@ -1,22 +1,7 @@
#include "pthread_impl.h" #include "pthread_impl.h"
static int vmlock[2]; void __vm_lock_impl(int);
void __vm_unlock_impl(void);
void __vm_lock(int inc)
{
for (;;) {
int v = vmlock[0];
if (inc*v < 0) __wait(vmlock, vmlock+1, v, 1);
else if (a_cas(vmlock, v, v+inc)==v) break;
}
}
void __vm_unlock(void)
{
int inc = vmlock[0]>0 ? -1 : 1;
if (a_fetch_add(vmlock, inc)==-inc && vmlock[1])
__wake(vmlock, -1, 1);
}
static int pshared_barrier_wait(pthread_barrier_t *b) static int pshared_barrier_wait(pthread_barrier_t *b)
{ {
@ -41,7 +26,7 @@ static int pshared_barrier_wait(pthread_barrier_t *b)
__wait(&b->_b_count, &b->_b_waiters2, v, 0); __wait(&b->_b_count, &b->_b_waiters2, v, 0);
} }
__vm_lock(+1); __vm_lock_impl(+1);
/* Ensure all threads have a vm lock before proceeding */ /* Ensure all threads have a vm lock before proceeding */
if (a_fetch_add(&b->_b_count, -1)==1-limit) { if (a_fetch_add(&b->_b_count, -1)==1-limit) {
@ -62,7 +47,7 @@ static int pshared_barrier_wait(pthread_barrier_t *b)
if (v==INT_MIN+1 || (v==1 && w)) if (v==INT_MIN+1 || (v==1 && w))
__wake(&b->_b_lock, 1, 0); __wake(&b->_b_lock, 1, 0);
__vm_unlock(); __vm_unlock_impl();
return ret; return ret;
} }

8
src/thread/pthread_mutex_unlock.c
View File

@ -1,5 +1,8 @@
#include "pthread_impl.h" #include "pthread_impl.h"
void __vm_lock_impl(int);
void __vm_unlock_impl(void);
int pthread_mutex_unlock(pthread_mutex_t *m) int pthread_mutex_unlock(pthread_mutex_t *m)
{ {
pthread_t self; pthread_t self;
@ -20,11 +23,14 @@ int pthread_mutex_unlock(pthread_mutex_t *m)
self->robust_list.pending = &m->_m_next; self->robust_list.pending = &m->_m_next;
*(void **)m->_m_prev = m->_m_next; *(void **)m->_m_prev = m->_m_next;
if (m->_m_next) ((void **)m->_m_next)[-1] = m->_m_prev; if (m->_m_next) ((void **)m->_m_next)[-1] = m->_m_prev;
__vm_lock_impl(+1);
} }
} }
cont = a_swap(&m->_m_lock, 0); cont = a_swap(&m->_m_lock, 0);
if (robust) if (robust) {
self->robust_list.pending = 0; self->robust_list.pending = 0;
__vm_unlock_impl();
}
if (waiters || cont<0) if (waiters || cont<0)
__wake(&m->_m_lock, 1, 0); __wake(&m->_m_lock, 1, 0);
return 0; return 0;

22
src/thread/vmlock.c Normal file
View File

@ -0,0 +1,22 @@
#include "pthread_impl.h"
static int vmlock[2];
void __vm_lock(int inc)
{
for (;;) {
int v = vmlock[0];
if (inc*v < 0) __wait(vmlock, vmlock+1, v, 1);
else if (a_cas(vmlock, v, v+inc)==v) break;
}
}
void __vm_unlock(void)
{
int inc = vmlock[0]>0 ? -1 : 1;
if (a_fetch_add(vmlock, inc)==-inc && vmlock[1])
__wake(vmlock, -1, 1);
}
weak_alias(__vm_lock, __vm_lock_impl);
weak_alias(__vm_unlock, __vm_unlock_impl);