From: Rich Felker Date: Sat, 14 Oct 2017 03:00:34 +0000 (-0400) Subject: fix read-after-free type error in pthread_detach X-Git-Tag: v1.1.17~3 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c1e27367a9b26b9baac0f37a12349fc36567c8b6;p=oweals%2Fmusl.git fix read-after-free type error in pthread_detach calling __unlock on t->exitlock is not valid because __unlock reads the waiters count after making the atomic store that could allow pthread_exit to continue and unmap the thread's stack and the object t points to. for now, inline the __unlock logic with an unconditional futex wake operation so that the waiters count is not needed. once __lock/__unlock have been made safe for self-synchronized destruction, we could switch back to using them. --- diff --git a/src/thread/pthread_detach.c b/src/thread/pthread_detach.c index ed77f74d..13482607 100644 --- a/src/thread/pthread_detach.c +++ b/src/thread/pthread_detach.c @@ -9,7 +9,8 @@ static int __pthread_detach(pthread_t t) if (a_swap(t->exitlock, 1)) return __pthread_join(t, 0); t->detached = 2; - __unlock(t->exitlock); + a_store(t->exitlock, 0); + __wake(t->exitlock, 1, 1); return 0; }
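Review bot: the replacement `a_store(t->exitlock, 0);` followed by `__wake(t->exitlock, 1, 1);` is only safe because the wake is a bare futex syscall that passes the address to the kernel without any user-space load from `t`, whereas `__unlock` read the waiter count after its store; that reasoning lives in the commit message but not in the code, so a comment above the `a_store` saying that nothing may dereference `t` after this store (the exiting thread may already have unmapped it) would stop a later cleanup from switching back to `__unlock` and reintroducing the read-after-free. The unconditional wake also adds a syscall to every detach even when no joiner is waiting; since the message calls this temporary until `__lock`/`__unlock` are made safe for self-synchronized destruction, a `TODO` at the same spot pointing at that planned change would make the trade-off explicit.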