From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 01 Jan 2018 00:00:00 -0000
To: libc-stable@sourceware.org
Subject: [2.25 COMMITTED] pthread_cond_broadcast: Fix waiters-after-spinning case [BZ #23538]
Message-Id: 
<20180827180446.C7773439B9CEA@oldenburg.str.redhat.com>
From: fweimer@redhat.com (Florian Weimer)

From: Martin Kuchta

(cherry picked from commit 99ea93ca31795469d2a1f1570f17a5c39c2eb7e2)

2018-08-27  Martin Kuchta
	    Torvald Riegel

	[BZ #23538]
	* nptl/pthread_cond_common.c (__condvar_quiesce_and_switch_g1): Update
	r to include the set wake-request flag if waiters are remaining after
	spinning.

diff --git a/NEWS b/NEWS index dafec5d82d..abe90d1422 100644 --- a/NEWS +++ b/NEWS @@ -84,6 +84,7 @@ The following bugs are resolved with this release: [22685] powerpc: Fix syscalls during early process initialization [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE [22774] malloc: Integer overflow in malloc (CVE-2018-6551) + [23538] pthread_cond_broadcast: Fix waiters-after-spinning case Version 2.25 diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c index 7c63ef9b89..886f0abcb3 100644 --- a/nptl/pthread_cond_common.c +++ b/nptl/pthread_cond_common.c @@ -406,8 +406,12 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq, { /* There is still a waiter after spinning. Set the wake-request flag and block. Relaxed MO is fine because this is just about - this futex word. */ - r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1); + this futex word. + + Update r to include the set wake-request flag so that the upcoming + futex_wait only blocks if the flag is still set (otherwise, we'd + violate the basic client-side futex protocol). */ + r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1) | 1; if ((r >> 1) > 0) futex_wait_simple (cond->__data.__g_refs + g1, r, private);
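
Review bot: the added comment in the @@ -406,8 +406,12 @@ hunk of nptl/pthread_cond_common.c says r is updated to include the wake-request flag but never says why r lacks it. atomic_fetch_or_relaxed returns the value the word held before the OR, so without the trailing `| 1` the expected value handed to futex_wait_simple can differ from what this thread just left in `cond->__data.__g_refs + g1`. Adding that one clause to the comment would make the invariant explicit: r must describe the word with the flag set. The `(r >> 1) > 0` check is unaffected, since the shift drops bit 0. The literal 1 now appears twice on the same line for the same flag, so a named constant would keep the two uses from drifting apart. The diff touches only NEWS and this file, so no regression test accompanies the fix; if one exists upstream it would be worth carrying in the backport.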