From 7779dbd2663269b465951189b4f43e70839bc073 Mon Sep 17 00:00:00 2001 From: Rich Felker Date: Tue, 14 Jun 2011 01:35:51 -0400 Subject: [PATCH] fix race condition in pthread_kill if thread id was reused by the kernel between the time pthread_kill read it from the userspace pthread_t object and the time of the tgkill syscall, a signal could be sent to the wrong thread. the tgkill syscall was supposed to prevent this race (versus the old tkill syscall) but it can't; it can only help in the case where the tid is reused in a different process, but not when the tid is reused in the same process. the only solution i can see is an extra lock to prevent threads from exiting while another thread is trying to pthread_kill them. it should be very very cheap in the non-contended case. --- src/internal/pthread_impl.h | 1 + src/thread/pthread_create.c | 2 ++ src/thread/pthread_kill.c | 6 +++++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/internal/pthread_impl.h b/src/internal/pthread_impl.h index 12f8ccfc..2089c857 100644 --- a/src/internal/pthread_impl.h +++ b/src/internal/pthread_impl.h @@ -46,6 +46,7 @@ struct pthread { int unblock_cancel; int delete_timer; locale_t locale; + int killlock; }; struct __timer { diff --git a/src/thread/pthread_create.c b/src/thread/pthread_create.c index c856c581..d60c2a4d 100644 --- a/src/thread/pthread_create.c +++ b/src/thread/pthread_create.c @@ -27,7 +27,9 @@ void __pthread_unwind_next(struct __ptcb *cb) __lock(&self->exitlock); /* Mark this thread dead before decrementing count */ + __lock(&self->killlock); self->dead = 1; + a_store(&self->killlock, 0); do n = libc.threads_minus_1; while (n && a_cas(&libc.threads_minus_1, n, n-1)!=n); diff --git a/src/thread/pthread_kill.c b/src/thread/pthread_kill.c index 36e9b6da..a24ecc20 100644 --- a/src/thread/pthread_kill.c +++ b/src/thread/pthread_kill.c @@ -2,5 +2,9 @@ int pthread_kill(pthread_t t, int sig) { - return -__syscall(SYS_tgkill, t->pid, t->tid, sig); + int r; + __lock(&t->killlock); + r = t->dead ? ESRCH : -__syscall(SYS_tgkill, t->pid, t->tid, sig); + a_store(&t->killlock, 0); + return r; } -- 2.25.1