public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "nszabolcs at gmail dot com" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug libc/18034] New: [aarch64] Lazy TLSDESC relocation has data race Date: Thu, 26 Feb 2015 12:08:00 -0000 [thread overview] Message-ID: <bug-18034-131@http.sourceware.org/bugzilla/> (raw) https://sourceware.org/bugzilla/show_bug.cgi?id=18034 Bug ID: 18034 Summary: [aarch64] Lazy TLSDESC relocation has data race Product: glibc Version: 2.21 Status: NEW Severity: normal Priority: P2 Component: libc Assignee: unassigned at sourceware dot org Reporter: nszabolcs at gmail dot com CC: drepper.fsp at gmail dot com With lazy TLSDESC relocation the first TLS access writes memory: the TLS descriptor function pointer (td->entry) and its argument (td->arg), but these writes are not synchronized with concurrent reader threads. Some threads can observe the new entry, but not the new arg so wrong TLS offset is used by the TLS access. All the descriptor functions must have barriers or other load-load ordering guarantees before they access the TLSDESC argument in case of lazy initialization. The race is easy to trigger using a shared object that has a lot of static TLSDESC relocations and then accessing the TLS objects from several threads. (The bug was found by running glibc intl/tst-gettext6 test where threads access libc internal static TLS at thread exit.) This issue affects multi-threaded programs that access TLS through TLSDESC in a shared object loaded with lazy binding on any architecture with "weak memory model" (currently aarch64 and 32bit arm with -mtls-dialect=gnu2). Lazy binding and TLSDESC are the default on aarch64 and libc.so itself does TLS access, so essentially any multi-threaded program may crash at concurrent TLS access (which may happen in glibc at thread exit). (I reported this against aarch64 only because it is more critical there and the 32bit case will be easier to deal with separately once aarch64 is fixed.) -- You are receiving this mail because: You are on the CC list for the bug.
next reply other threads:[~2015-02-26 12:08 UTC|newest] Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top 2015-02-26 12:08 nszabolcs at gmail dot com [this message] 2015-02-26 12:16 ` [Bug libc/18034] " nszabolcs at gmail dot com 2015-02-26 12:17 ` nszabolcs at gmail dot com 2015-02-26 12:18 ` nszabolcs at gmail dot com 2015-03-02 10:38 ` fweimer at redhat dot com 2015-04-23 12:47 ` nszabolcs at gmail dot com 2015-06-17 12:18 ` cvs-commit at gcc dot gnu.org 2015-06-22 8:16 ` nszabolcs at gmail dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-18034-131@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).