This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: pthread_mutex_unlock potentially cause invalid access

From: "Carlos O'Donell" <carlos at systemhalted dot org>
To: KOSAKI Motohiro <kosaki dot motohiro at gmail dot com>
Cc: Atsushi Nemoto <anemo at mba dot ocn dot ne dot jp>, libc-alpha at sources dot redhat dot com
Date: Mon, 13 Feb 2012 10:28:49 -0500
Subject: Re: pthread_mutex_unlock potentially cause invalid access
References: <20120210.232755.62246932.anemo@mba.ocn.ne.jp><CADZpyiwzOhRH5Kc=c4UW6iN-5bqZy+ffiTESco4v=L8oVGAxfQ@mail.gmail.com><20120213.220152.96132428.anemo@mba.ocn.ne.jp><CADZpyiy5FGmDhjjeBjY8Br8nKDq6y8N6CJzox-YS4p2Yp9PeDQ@mail.gmail.com><CAHGf_=pjLBoESnQTw+Q9OoEn4r=fHsMinTLdD5aZY_AB=sVF3A@mail.gmail.com>

On Mon, Feb 13, 2012 at 10:02 AM, KOSAKI Motohiro
<kosaki.motohiro@gmail.com> wrote:
>>> ? ?obj_done(struct obj *op)
>>> ? ?{
>>> ? ? ? ?pthread_mutex_lock(&op->om);
>>> ? ? ? ?if (--op->refcnt == 0) {
>>> ? ? ? ? ? ?pthread_mutex_unlock(&op->om);
>>> ? ?(A) ? ? pthread_mutex_destroy(&op->om);
>>> ? ?(B) ? ? free(op);
>>> ? ? ? ?} else
>>> ? ?(C) ? ? pthread_mutex_unlock(&op->om);
>>> ? ?}
>>>
>>> ? ?In this case obj is reference counted and obj_done() is called
>>> ? ?whenever a reference to the object is dropped. Implementations are
>>> ? ?required to allow an object to be destroyed and freed and potentially
>>> ? ?unmapped (for example, lines A and B) immediately after the object is
>>> ? ?unlocked (line C).
>>> ------------------------------------------------------------------------
>>>
>>> In this example, (A) and (B) can be executed in middle of (C) execution.
>>> Thus, problem can be happen even on a fully conforming program, no?
>>
>> No. (A) and (B) can not be executed in the middle of (C).
>
> It can.
> Look again, lll_unlock() call atomic_exchange_rel() _before_
> (mutex)->__data dereference.
>
>> ? int *__futex = &(mutex->__data.__lock);
>> ? int __val = atomic_exchange_rel (__futex, 0);
>> ? if (__builtin_expect (__val > 1, 0)) ? ? ? ? ? ? ? ?/* A */
>> ? ? lll_futex_wake (__futex, 1, ((mutex)->__data.__kind & 128)); /* B */
>
>
> 1) Thread-1) atomic_exchange_rel(0)
> 2) preempt
> 3) Thread-2) call mutex_lock(). (ok, it's success)
> 4) Thread-2) call mutex_unlock()
> 5) Thread-2) call mutex_destroy()
> 6) Thread-2) free(mutex)
> 7) preempt
> 8) Thread-3) ?reuse memory of the mutex
> 9) preempt
> 10) Thread-1) dereference (mutex)->__data__.__kind
>
> I don't think this example code makes much sense. but it is a part of
> the standard. I believe people suspect libc honor the standard.

Excellent, *this* makes sense and I now agree that there is a problem.

Nemoto-san could you please file a bug report and tag it with
glibc_2.15 keyword so I can backport this to 2.15?

As you suggest the fix is to copy __kind to a local variable.

I like Jakub's first suggestion to fix this in the generic code and
pass down the local/automatic to the call to
lll_unlock/lll_robust_unlock.

Needing to change all of the target code would be more work.

Cheers,
Carlos.

Follow-Ups:
- Re: pthread_mutex_unlock potentially cause invalid access
  - From: Atsushi Nemoto

References:
- Re: pthread_mutex_unlock potentially cause invalid access
  - From: Carlos O'Donell
- Re: pthread_mutex_unlock potentially cause invalid access
  - From: Atsushi Nemoto
- Re: pthread_mutex_unlock potentially cause invalid access
  - From: Carlos O'Donell
- Re: pthread_mutex_unlock potentially cause invalid access
  - From: KOSAKI Motohiro

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]