* [Bug libc/5220] New: timer_delete race
@ 2007-10-25 20:40 jsm28 at gcc dot gnu dot org
2007-10-25 20:41 ` [Bug libc/5220] " jsm28 at gcc dot gnu dot org
2007-10-28 19:27 ` drepper at redhat dot com
0 siblings, 2 replies; 3+ messages in thread
From: jsm28 at gcc dot gnu dot org @ 2007-10-25 20:40 UTC
To: glibc-bugs
There is a race between timer_delete freeing memory and the timers helper thread
accessing that memory.
Suppose a timer uses signal delivery to the helper thread. The following
sequence of events happens:
1. The timer signals the helper thread, so the following code starts executing.

      if (si.si_code == SI_TIMER)
        {
          struct timer *tk = (struct timer *) si.si_ptr;
          struct thread_start_data *td = malloc (sizeof (*td));

          /* There is not much we can do if the allocation fails.  */
          if (td != NULL)
            {
              /* That is the signal we are waiting for.  */

2. timer_delete is called on the timer and frees the associated memory.

  struct timer *kt = (struct timer *) timerid;

  /* Delete the kernel timer object.  */
  int res = INLINE_SYSCALL (timer_delete, 1, kt->ktimerid);

  if (res == 0)
    {
# ifndef __ASSUME_POSIX_TIMERS
      /* We know the syscall support is available.  */
      __no_posix_timers = 1;
# endif

      /* Free the memory.  */
      (void) free (kt);

3. Some other thread reuses that freed memory.

4. The helper thread accesses the memory that was just freed and reused.

              td->thrfunc = tk->thrfunc;
              td->sival = tk->sival;
I think that timer_delete needs to allow for the helper thread to process any
pending signals for this timer before freeing the memory; doing otherwise is
problematic for reliable use of timers, and POSIX says the disposition of
pending signals for a deleted timer is unspecified, not undefined, which I
interpret as requiring them to be safely delivered or not delivered at all
rather than involving undefined behavior.
I'll attach a patch for this race, though I'm not sure it's a particularly good
approach for fixing it.
--
Summary: timer_delete race
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: jsm28 at gcc dot gnu dot org
CC: glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=5220
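The following is an added illustration of the deletion discipline the report asks for; it is not glibc's code and not part of the bug report. It replays the reported interleaving (expiry queued to the helper, timer_delete, helper runs) against a constructed single-threaded model in which a pending-delivery count keeps the timer object alive until the helper has consumed the delivery, so the step 4 read never touches freed memory. The struct names mirror the report; model_timer_create, model_timer_fire, model_timer_delete, helper_consume, the queue and the counters are all assumptions of this model.

```c
#include <stdlib.h>

/* Constructed model (not glibc's code) of the delivery path the report
   describes: timer expiry hands the helper a pointer to the timer object,
   and the helper later reads thrfunc/sival out of it.  The rule modelled
   here is the one the report asks for: deletion must not free the object
   while a delivery is still queued for the helper. */

struct thread_start_data {
    void (*thrfunc)(int);
    int sival;
};

struct timer {
    void (*thrfunc)(int);
    int sival;
    unsigned pending;   /* deliveries queued for the helper, not yet consumed */
    int deleted;        /* model_timer_delete was called; free once pending == 0 */
};

/* Delivery queue standing in for the pending SI_TIMER signals.  Assumption:
   the replay is single-threaded, so the interleaving is chosen explicitly. */
#define QUEUE_LEN 16
static struct timer *queue[QUEUE_LEN];
static unsigned q_head, q_tail;

/* Counters exposed so the outcome can be checked. */
int frees_done;       /* objects actually freed */
int deferred_frees;   /* deletions that had to wait for the helper */
int last_sival_seen;  /* value received by the helper's callback */

static void record_sival(int v) { last_sival_seen = v; }

/* Free only when both conditions hold: deleted, and nobody still holds it. */
static void release_if_idle(struct timer *t) {
    if (t->deleted && t->pending == 0) {
        free(t);
        frees_done++;
    }
}

struct timer *model_timer_create(int sival) {
    struct timer *t = calloc(1, sizeof *t);
    if (t != NULL) {
        t->thrfunc = record_sival;
        t->sival = sival;
    }
    return t;
}

/* Timer expiry (step 1): queue a delivery and take a reference for it. */
int model_timer_fire(struct timer *t) {
    if (q_tail - q_head == QUEUE_LEN)
        return -1;              /* queue full: nothing queued, no reference taken */
    t->pending++;
    queue[q_tail++ % QUEUE_LEN] = t;
    return 0;
}

/* timer_delete (step 2): mark deleted; free now only if nothing is pending,
   otherwise the consumer of the last delivery performs the free. */
void model_timer_delete(struct timer *t) {
    t->deleted = 1;
    if (t->pending > 0)
        deferred_frees++;
    release_if_idle(t);
}

/* Helper thread (step 4): consume one delivery.  Returns 1 if a delivery was
   processed, 0 if the queue was empty. */
int helper_consume(void) {
    if (q_head == q_tail)
        return 0;
    struct timer *tk = queue[q_head++ % QUEUE_LEN];
    struct thread_start_data td;
    td.thrfunc = tk->thrfunc;   /* still valid: pending > 0 keeps tk alive */
    td.sival = tk->sival;
    tk->pending--;
    release_if_idle(tk);        /* may free tk; td is a copy, tk is not used again */
    td.thrfunc(td.sival);
    return 1;
}

/* Replay the interleaving from the report: fire, delete, then the helper runs. */
int replay_report_sequence(void) {
    frees_done = deferred_frees = 0;
    last_sival_seen = -1;
    q_head = q_tail = 0;
    struct timer *t = model_timer_create(42);
    if (t == NULL)
        return -1;
    model_timer_fire(t);        /* step 1: delivery queued */
    model_timer_delete(t);      /* step 2: deletion while pending, so the free is deferred */
    helper_consume();           /* step 4: reads a live object, then frees it */
    return last_sival_seen;     /* 42 when the helper saw intact data */
}

int main(void) {
    return replay_report_sequence() == 42 ? 0 : 1;
}
```

The model is deliberately single-threaded so the interleaving can be forced; in a real multi-threaded implementation the pending count and the deleted flag would have to be updated atomically or under a lock shared with the helper, and a delete that returns before the helper has drained its deliveries must also guarantee that the callback for a deleted timer is either run safely or dropped, which is the "unspecified, not undefined" point the report makes.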