fix read-after-free type error in pthread_detach
author Rich Felker <dalias@aerifal.cx>
Sat, 14 Oct 2017 03:00:34 +0000 (23:00 -0400)
committer Rich Felker <dalias@aerifal.cx>
Sat, 14 Oct 2017 03:00:34 +0000 (23:00 -0400)
calling __unlock on t->exitlock is not valid because __unlock reads
the waiters count after making the atomic store that could allow
pthread_exit to continue and unmap the thread's stack and the object t
points to. for now, inline the __unlock logic with an unconditional
futex wake operation so that the waiters count is not needed.

once __lock/__unlock have been made safe for self-synchronized
destruction, we could switch back to using them.

src/thread/pthread_detach.c

index ed77f74d520bff3a16ef5e055f08bbf021fe91d4..134826078df3f7805ea5f2e3a85088108dfc3ef5 100644 (file)
@@ -9,7 +9,8 @@ static int __pthread_detach(pthread_t t)
        if (a_swap(t->exitlock, 1))
                return __pthread_join(t, 0);
        t->detached = 2;
-       __unlock(t->exitlock);
+       a_store(t->exitlock, 0);
+       __wake(t->exitlock, 1, 1);
        return 0;
 }
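Review bot: the two replacement lines deserve an in-source comment explaining why `__unlock(t->exitlock)` cannot be used here, since a later reader of pthread_detach.c will not see this commit message and may be tempted to fold `a_store` plus `__wake` back into `__unlock`; something like `/* __unlock reads the waiter count after its store, but once we store 0 the exiting thread may unmap t */` above the `a_store` would record the invariant. Two things to confirm in review: first, that after `a_store(t->exitlock, 0);` the only remaining use of `t` is the address expression in `__wake(t->exitlock, 1, 1);`, i.e. that `exitlock` is an array member so the argument is address computation rather than a load through `t`, because any load through `t` after the store reintroduces the same use-after-unmap the patch is fixing; second, that the cost of the fix is an unconditional futex wake syscall on every detach of a not-yet-exited thread, which matches the "for now" wording of the message and should be revisited once `__lock`/`__unlock` are safe for self-synchronized destruction.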