This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

GNU C Library master sources branch release/2.23/master updated. glibc-2.23-68-g6bf10d1


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.23/master has been updated
       via  6bf10d196d2935195ed46a52466f97c517dd6075 (commit)
      from  cacad9315ebcf5a0c067950500cc7c31b442af22 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6bf10d196d2935195ed46a52466f97c517dd6075

commit 6bf10d196d2935195ed46a52466f97c517dd6075
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Tue May 17 10:45:48 2016 +0200

    Fix tst-cancel17/tst-cancelx17, which sometimes segfaults while exiting.
    
    The testcase tst-cancel[x]17 ends sometimes with a segmentation fault.
    This happens in one of 10000 cases. Then the real testcase has already
    exited with success and returned from do_test(). The segmentation fault
    occurs after returning from main in _dl_fini().
    
    In those cases, the aio_read(&a) was not canceled because the read
    request was already in progress. In the meanwhile aio_write(ap) wrote
    something to the pipe and the read request is able to read the
    requested byte.
    The read request hasn't finished before returning from do_test().
    After it finishes, it writes the return value and error code from the
    read syscall to the struct aiocb a, which lies on the stack of do_test.
    The stack of the subsequent function call of _dl_fini or _dl_sort_fini,
    which is inlined in _dl_fini is corrupted.
    
    In case of S390, it reads a zero and decrements it by 1:
    unsigned int k = nmaps - 1;
    struct link_map **runp = maps[k]->l_initfini;
    The load from unmapped memory leads to the segmentation fault.
    The stack corruption also happens on other architectures.
    I saw them e.g. on x86 and ppc, too.
    
    This patch adds an aio_suspend call to ensure, that the read request
    is finished before returning from do_test().
    
    ChangeLog:
    
    	* nptl/tst-cancel17.c (do_test): Wait for finishing aio_read(&a).
    
    (cherry picked from commit b3a810d0d3d5c6ce7ddfb61321cd7971808ca703)

diff --git a/ChangeLog b/ChangeLog
index 0219113..488381c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2016-05-17  Stefan Liebler  <stli@linux.vnet.ibm.com>
+
+	* nptl/tst-cancel17.c (do_test): Wait for finishing aio_read(&a).
+
 2016-06-27  Aurelien Jarno  <aurelien@aurel32.net>
 
 	* sysdeps/mips/tst-mode-switch-1.c (main): Converted to ...
diff --git a/nptl/tst-cancel17.c b/nptl/tst-cancel17.c
index fb89292..eedd28e 100644
--- a/nptl/tst-cancel17.c
+++ b/nptl/tst-cancel17.c
@@ -333,6 +333,22 @@ do_test (void)
 
   puts ("early cancellation succeeded");
 
+  if (ap == &a2)
+    {
+      /* The aio_read(&a) was not canceled because the read request was
+	 already in progress. In the meanwhile aio_write(ap) wrote something
+	 to the pipe and the read request either has already been finished or
+	 is able to read the requested byte.
+	 Wait for the read request before returning from this function because
+	 the return value and error code from the read syscall will be written
+	 to the struct aiocb a, which lies on the stack of this function.
+	 Otherwise the stack from subsequent function calls - e.g. _dl_fini -
+	 will be corrupted, which can lead to undefined behaviour like a
+	 segmentation fault.  */
+      const struct aiocb *l[1] = { &a };
+      TEMP_FAILURE_RETRY (aio_suspend(l, 1, NULL));
+    }
+
   return 0;
 }
 

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog           |    4 ++++
 nptl/tst-cancel17.c |   16 ++++++++++++++++
 2 files changed, 20 insertions(+), 0 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]