From: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
To: libc-alpha@sourceware.org, libc-ports@sourceware.org
Subject: pthread_mutex_unlock potentially cause invalid access
Date: Fri, 10 Feb 2012 14:43:00 -0000
Message-ID: <20120210.234326.199788933.anemo@mba.ocn.ne.jp>

It seems pthread_mutex_unlock() potentially causes an invalid access on
most platforms (except for i386 and x86_64).

# Resent with the correct ML address.  Excuse me for the duplication.

In nptl/pthread_mutex_unlock.c, lll_unlock() is called like this:
      lll_unlock (mutex->__data.__lock, PTHREAD_MUTEX_PSHARED (mutex));

And PTHREAD_MUTEX_PSHARED() is defined like this:
# define PTHREAD_MUTEX_PSHARED(m) \
  ((m)->__data.__kind & 128)

On most platforms, lll_unlock() is defined as a macro like this:
#define lll_unlock(lock, private) \
  ((void) ({						      \
    int *__futex = &(lock);				      \
    int __val = atomic_exchange_rel (__futex, 0);	      \
    if (__builtin_expect (__val > 1, 0))		      \
      lll_futex_wake (__futex, 1, private);		      \
  }))

Thus, the lll_unlock() call in pthread_mutex_unlock.c will be expanded as:
    int *__futex = &(mutex->__data.__lock);
    int __val = atomic_exchange_rel (__futex, 0);
    if (__builtin_expect (__val > 1, 0))		/* A */
      lll_futex_wake (__futex, 1, ((mutex)->__data.__kind & 128)); /* B */

At point "A", the mutex is actually unlocked, so other threads can
lock the mutex, unlock, destroy and free it.  If the mutex was destroyed
and freed by another thread, reading '__kind' at point "B" is not valid.

A possible fix would be to copy the 'private' argument to an internal
local variable before atomic_exchange_rel().  Is that an appropriate fix?

---
Atsushi Nemoto
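A small C model of the race described in the message above, added here as an illustration and not glibc's code: `sim_mutex`, the `other` hook, `sim_futex_wake` and `sim_destroy_and_poison` are constructed stand-ins. The `other` callback runs in the window right after the lock word drops to 0 (point "A") and poisons `__kind` instead of freeing the mutex, so the stale read at point "B" shows up as a wrong 'private' flag rather than undefined behaviour.

```c
#include <stdatomic.h>

/* Constructed stand-in for the glibc mutex: only the two fields the race touches. */
struct sim_mutex {
  atomic_int lock;  /* 0 = unlocked, 1 = locked, 2 = locked with waiters */
  int kind;         /* bit 128 = PTHREAD_MUTEX_PSHARED, as in the report */
};

#define SIM_PSHARED_BIT 128
#define SIM_KIND_POISON (-1)  /* all bits set, so (poison & 128) == 128 */
#define SIM_NO_WAKE (-2)      /* return value when no waiter needed waking */

/* Hypothetical hook: stands in for "another thread runs here" the instant the
   lock word drops to 0 (point A in the report). */
typedef void (*after_release_fn)(struct sim_mutex *m);

/* Stand-in for lll_futex_wake(): just reports the 'private' flag it was handed. */
static int sim_futex_wake(atomic_int *futex, int nr, int private)
{
  (void) futex; (void) nr;
  return private;
}

/* Pattern from the report: 'private' is the macro argument, so it is evaluated
   from the mutex AFTER the releasing exchange (point B), when the mutex may
   already have been unlocked, destroyed and freed by another thread. */
int unlock_reads_kind_after_release(struct sim_mutex *m, after_release_fn other)
{
  int val = atomic_exchange_explicit(&m->lock, 0, memory_order_release); /* A */
  other(m);  /* window in which another thread may destroy/free the mutex */
  if (val > 1)
    return sim_futex_wake(&m->lock, 1, m->kind & SIM_PSHARED_BIT);       /* B */
  return SIM_NO_WAKE;
}

/* Proposed fix: snapshot 'private' into a local before the releasing exchange. */
int unlock_copies_kind_first(struct sim_mutex *m, after_release_fn other)
{
  int private = m->kind & SIM_PSHARED_BIT;  /* read while we still own the mutex */
  int val = atomic_exchange_explicit(&m->lock, 0, memory_order_release);
  other(m);
  if (val > 1)
    return sim_futex_wake(&m->lock, 1, private);
  return SIM_NO_WAKE;
}

/* Simulated "other thread": instead of free(), poison the struct so a stale read
   of __kind is visible as a wrong answer rather than undefined behaviour. */
void sim_destroy_and_poison(struct sim_mutex *m) { m->kind = SIM_KIND_POISON; }
```

With a process-private mutex (kind 0) that has waiters (lock word 2), the unfixed path reports the wake as shared (128) because it read the poisoned field, while the fixed path still reports 0.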

Thread overview:
2012-02-10 14:43 Atsushi Nemoto [this message]
2012-02-10 21:16 ` Roland McGrath
Loose matches on Subject:
2012-02-10 14:28 Atsushi Nemoto