From schwidefsky@de.ibm.com Thu Sep 11 15:07:00 2008 From: schwidefsky@de.ibm.com (Martin Schwidefsky) Date: Thu, 11 Sep 2008 15:07:00 -0000 Subject: [PATCH] endless loop in __libc_fork Message-ID: <1221144185.14064.1.camel@localhost> Greetings, Christian Borntraeger found a bug in __libc_fork with a KVM stress on s390: pid_t __libc_fork (void) { ... /* Run all the registered preparation handlers. In reverse order. While doing this we build up a list of all the entries. */ struct fork_handler *runp; while ((runp = __fork_handlers) != NULL) { unsigned int oldval = runp->refcntr; if (oldval == 0) /* This means some other thread removed the list just after the pointer has been loaded. Try again. Either the list is empty or we can retry it. */ continue; ... } The (oldval == 0) check with the continue is translated to an endless loop on s390-64: 16: e3 60 10 00 00 04 lg %r6,0(%r1) 1c: b9 02 00 66 ltgr %r6,%r6 # runp != NULL check 20: b9 04 00 bf lgr %r11,%r15 24: 41 40 60 28 la %r4,40(%r6) 28: a7 74 00 9f jne 166 <__libc_fork+0x166> ... 166: 58 30 60 28 l %r3,40(%r6) > 16a: 12 33 ltr %r3,%r3 # oldval == 0 check > 16c: a7 84 ff ff je 16a <__libc_fork+0x16a> # endless loop Once you stumbled over the problem it is obvious that a memory barrier is missing here. See patch below. -- blue skies, Martin. "Reality continues to ruin my life." - Calvin. -- 2008-09-11 Martin Schwidefsky * sysdeps/unix/sysv/linux/fork.c (__libc_fork): Add memory barrier to force runp->refcntr to be read from memory. diff -urpN libc/nptl/sysdeps/unix/sysv/linux/fork.c libc-s390/nptl/sysdeps/unix/sysv/linux/fork.c --- libc/nptl/sysdeps/unix/sysv/linux/fork.c 2007-08-07 13:09:01.000000000 +0200 +++ libc-s390/nptl/sysdeps/unix/sysv/linux/fork.c 2008-09-08 13:20:13.000000000 +0200 @@ -64,7 +64,11 @@ __libc_fork (void) struct fork_handler *runp; while ((runp = __fork_handlers) != NULL) { - unsigned int oldval = runp->refcntr; + unsigned int oldval; + + atomic_full_barrier(); + + oldval = runp->refcntr; if (oldval == 0) /* This means some other thread removed the list just after From schwab@suse.de Thu Sep 18 08:40:00 2008 From: schwab@suse.de (Andreas Schwab) Date: Thu, 18 Sep 2008 08:40:00 -0000 Subject: Unaligned addresses in resolver Message-ID: __libc_res_nsend can generate an unaligned address for the answer header. Andreas. 2008-09-18 Andreas Schwab * resolv/res_send.c (send_vc): Fix use of unaligned address. Properly handle partial reads. --- resolv/res_send.c 29 Jul 2008 10:01:10 +0200 1.58 +++ resolv/res_send.c 17 Sep 2008 18:07:56 +0200 @@ -734,11 +734,11 @@ send_vc(res_state statp, */ int recvresp1 = 0; int recvresp2 = buf2 == NULL; - read_len: - cp = ans; uint16_t rlen16; + read_len: + cp = (u_char *)&rlen16; len = sizeof(rlen16); - while ((n = TEMP_FAILURE_RETRY (read(statp->_vcsock, &rlen16, + while ((n = TEMP_FAILURE_RETRY (read(statp->_vcsock, cp, (int)len))) > 0) { cp += n; if ((len -= n) <= 0) @@ -778,8 +778,16 @@ send_vc(res_state statp, /* No buffer allocated for the first reply. We can try to use the rest of the user-provided buffer. */ +#ifdef _STRING_ARCH_unaligned *anssizp2 = orig_anssizp - resplen; *ansp2 = *ansp + resplen; +#else + int aligned_resplen + = ((resplen + __alignof__ (HEADER) - 1) + & (__alignof__ (HEADER) - 1)); + *anssizp2 = orig_anssizp - aligned_resplen; + *ansp2 = *ansp + aligned_resplen; +#endif } else { /* The first reply did not fit into the user-provided buffer. Maybe the second -- Andreas Schwab, SuSE Labs, schwab@suse.de SuSE Linux Products GmbH, Maxfeldstra??e 5, 90409 N??rnberg, Germany PGP key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5 "And now for something completely different."