public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "nszabolcs at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/18034] New: [aarch64] Lazy TLSDESC relocation has data race
Date: Thu, 26 Feb 2015 12:08:00 -0000 [thread overview]
Message-ID: <bug-18034-131@http.sourceware.org/bugzilla/> (raw)
https://sourceware.org/bugzilla/show_bug.cgi?id=18034
Bug ID: 18034
Summary: [aarch64] Lazy TLSDESC relocation has data race
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: nszabolcs at gmail dot com
CC: drepper.fsp at gmail dot com
With lazy TLSDESC relocation the first TLS access writes memory: the TLS
descriptor function pointer (td->entry) and its argument (td->arg), but these
writes are not synchronized with concurrent reader threads. Some threads can
observe the new entry, but not the new arg so wrong TLS offset is used by the
TLS access. All the descriptor functions must have barriers or other load-load
ordering guarantees before they access the TLSDESC argument in case of lazy
initialization.
The race is easy to trigger using a shared object that has a lot of static
TLSDESC relocations and then accessing the TLS objects from several threads.
(The bug was found by running glibc intl/tst-gettext6 test where threads access
libc internal static TLS at thread exit.)
This issue affects multi-threaded programs that access TLS through TLSDESC in a
shared object loaded with lazy binding on any architecture with "weak memory
model" (currently aarch64 and 32bit arm with -mtls-dialect=gnu2).
Lazy binding and TLSDESC are the default on aarch64 and libc.so itself does TLS
access, so essentially any multi-threaded program may crash at concurrent TLS
access (which may happen in glibc at thread exit).
(I reported this against aarch64 only because it is more critical there and the
32bit case will be easier to deal with separately once aarch64 is fixed.)
--
You are receiving this mail because:
You are on the CC list for the bug.
next reply other threads:[~2015-02-26 12:08 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-26 12:08 nszabolcs at gmail dot com [this message]
2015-02-26 12:16 ` [Bug libc/18034] " nszabolcs at gmail dot com
2015-02-26 12:17 ` nszabolcs at gmail dot com
2015-02-26 12:18 ` nszabolcs at gmail dot com
2015-03-02 10:38 ` fweimer at redhat dot com
2015-04-23 12:47 ` nszabolcs at gmail dot com
2015-06-17 12:18 ` cvs-commit at gcc dot gnu.org
2015-06-22 8:16 ` nszabolcs at gmail dot com
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-18034-131@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=glibc-bugs@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).