From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 3113 invoked by alias); 9 Feb 2015 21:13:55 -0000 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org Received: (qmail 3021 invoked by uid 48); 9 Feb 2015 21:13:51 -0000 From: "carlos at redhat dot com" To: glibc-bugs@sourceware.org Subject: [Bug nptl/14485] File corruption race condition in robust mutex unlocking Date: Mon, 09 Feb 2015 21:13:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: nptl X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: carlos at redhat dot com X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: security- X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2015-02/txt/msg00120.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=14485 --- Comment #6 from Carlos O'Donell --- (In reply to Carlos O'Donell from comment #5) > (In reply to Rich Felker from comment #3) > > 1. Thread A unlocks the process-shared, robust mutex and is preempted after > > the mutex is removed from the robust list and atomically unlocked, but > > before it's removed from the list_op_pending field of the robust list header. > > > > 2. Thread B locks the mutex, and, knowing by program logic that it's the > > last user of the mutex, unlocks and unmaps it, allocates/maps something else > > that gets assigned the same address as the shared mutex mapping, and then > > exits. > > Isn't this undefined behaviour? You have not specified how you established a > happens-after relationship between the destruction of the mutex by Thread B > and the last use by Thread A. In this description you give it would seem to > me that Thread A is still not done, and that the "program logic" from Thread > B is destroying an in-use mutex and that results in undefined behaviour from > Thread A. Thread B fails to establish a happens-after the use of the mutex > from Thread A. If Thread B truly establishes a happens-after the unlock from > Thread A, is there a problem? I don't think there is. > > Did I get something wrong Rich? OK, I see what's wrong. This issue is about self-synchronizing vs. not-self-synchronizing. http://austingroupbugs.net/view.php?id=811 Given 811 has been accepted, I withdraw my complaint. Your example is valid, and we do have a problem. -- You are receiving this mail because: You are on the CC list for the bug.