Your message dated Sat, 09 Feb 2019 21:47:22 +0000
with message-id <e1gsat4-0003fc...@fasolo.debian.org>
and subject line Bug#904158: fixed in glibc 2.24-11+deb9u4
has caused the Debian Bug report #904158,
regarding glibc: pthread_cond_wait() is broken in the pshared case
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
904158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904158
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: glibc
Version: 2.24-11+deb9u3
Severity: important

The short version is that pthread_cond_wait() is broken in the pshared case in glibc in Stretch. The version in Sid is not affected because that part received a large rewrite (that is why I explicitly use the Stretch version for the report). The full explanation is attached as a patch. I also attached a testcase to verify. Please note that x86 has handwritten assembly code for the function which does not have the problem. All other architectures are using the generic C code and share the problem.

On amdahl.d.o:~bigeasy/glibc you can try the following:

|strace -f ../testcase
|clone(child_stack=0xffff99483b10, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xffff994842d0, tls=0xffff994848f0, child_tidptr=0xffff994842d0) = 26581
|[pid 26581] futex(0xaaaada3d40fc, FUTEX_WAIT_REQUEUE_PI, 1, NULL, 0xaaaada3d40b8 <unfinished ...>
|[pid 26579] clone(child_stack=0xffff98c83b10, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xffff98c842d0, tls=0xffff98c848f0, child_tidptr=0xffff98c842d0) = 26582
|[pid 26582] futex(0xaaaada3d40fc, FUTEX_WAIT_REQUEUE_PI, 2, NULL, 0xaaaada3d40b8 <unfinished ...>
|[pid 26579] futex(0xaaaada3d40fc, FUTEX_WAKE_OP, 1, 1, 0xaaaada3d40f8, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 EINVAL (Invalid argument)
|[pid 26579] futex(0xaaaada3d40fc, FUTEX_WAKE, 1) = -1 EINVAL (Invalid argument)

As you see the two waiting threads do FUTEX_WAIT_REQUEUE_PI and the waker does FUTEX_WAKE* which is not valid. The program hangs at this point.
With the patch attached:

|LD_LIBRARY_PATH=x/lib/aarch64-linux-gnu/ strace -f ../testcase
|child_stack=0xffff8edb6b10, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xffff8edb72d0, tls=0xffff8edb78f0, child_tidptr=0xffff8edb72d0) = 26660
|[pid 26660] futex(0xaaaae4e1c0fc, FUTEX_WAIT, 1, NULL <unfinished ...>
|[pid 26659] clone(child_stack=0xffff8e5b6b10, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xffff8e5b72d0, tls=0xffff8e5b78f0, child_tidptr=0xffff8e5b72d0) = 26661
|[pid 26661] futex(0xaaaae4e1c0fc, FUTEX_WAIT, 2, NULL <unfinished ...>
|[pid 26659] futex(0xaaaae4e1c0fc, FUTEX_WAKE_OP, 1, 1, 0xaaaae4e1c0f8, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = 1

and so on, the program finishes.

Sebastian

From: John Ogness <john.ogn...@linutronix.de>
Date: Wed, 16 May 2018 22:34:41 +0200
Subject: [PATCH] condvar: do not use requeue for pshared condvars

With commit e42a990eccb (Update.) condvars were changed to not store the mutex address when pshared. Instead, ~0l is stored. This value is checked for in USE_REQUEUE_PI() to determine if requeue should be used.

pthread_cond_signal() and pthread_cond_broadcast() both use USE_REQUEUE_PI() with the mutex address stored on the condvar. However, pthread_cond_wait() and pthread_cond_timedwait() use USE_REQUEUE_PI() on the mutex address passed in from the caller (even though that address is *not* stored on the condvar in the pshared case).

The result is that in the pshared case, the wait functions are using requeue and the wake functions are not! This is not allowed by the kernel (the waking futex call returns EINVAL).

Modify the wait functions to use USE_REQUEUE_PI() on the mutex address stored on the condvar, thus mirroring the behavior of the wake functions.
Signed-off-by: John Ogness <john.ogn...@linutronix.de> Acked-by: Sebastian Andrzej Siewior <bige...@linutronix.de> Reviewed-by: Kurt Kanzenbach <k...@linutronix.de> Signed-off-by: Kurt Kanzenbach <k...@linutronix.de> --- nptl/pthread_cond_timedwait.c | 4 +++- nptl/pthread_cond_wait.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/nptl/pthread_cond_timedwait.c b/nptl/pthread_cond_timedwait.c index 711a51de20..9e6a393a43 100644 --- a/nptl/pthread_cond_timedwait.c +++ b/nptl/pthread_cond_timedwait.c @@ -163,6 +163,8 @@ __pthread_cond_timedwait (pthread_cond_t *cond, pthread_mutex_t *mutex, to check just the former. */ #if (defined lll_futex_timed_wait_requeue_pi \ && defined __ASSUME_REQUEUE_PI) + pthread_mutex_t *mut = cond->__data.__mutex; + /* If pi_flag remained 1 then it means that we had the lock and the mutex but a spurious waker raced ahead of us. Give back the mutex before going into wait again. */ @@ -171,7 +173,7 @@ __pthread_cond_timedwait (pthread_cond_t *cond, pthread_mutex_t *mutex, __pthread_mutex_cond_lock_adjust (mutex); __pthread_mutex_unlock_usercnt (mutex, 0); } - pi_flag = USE_REQUEUE_PI (mutex); + pi_flag = USE_REQUEUE_PI (mut); if (pi_flag) { diff --git a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c index 3f62acc6bd..7a4313cda6 100644 --- a/nptl/pthread_cond_wait.c +++ b/nptl/pthread_cond_wait.c @@ -162,6 +162,8 @@ __pthread_cond_wait (pthread_cond_t *cond, pthread_mutex_t *mutex) #if (defined lll_futex_wait_requeue_pi \ && defined __ASSUME_REQUEUE_PI) + pthread_mutex_t *mut = cond->__data.__mutex; + /* If pi_flag remained 1 then it means that we had the lock and the mutex but a spurious waker raced ahead of us. Give back the mutex before going into wait again. */ 
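Review bot: the new `mut` in both the __pthread_cond_timedwait and __pthread_cond_wait hunks is only fed to USE_REQUEUE_PI(), while the neighbouring lines (`__pthread_mutex_cond_lock_adjust (mutex);`, `__pthread_mutex_unlock_usercnt (mutex, 0);`) keep operating on the caller's `mutex`; that split is intentional and correct given the commit message (a pshared condvar stores ~0l, so `mut` is a decision input that must never be dereferenced), but nothing next to the declaration says so. Suggest a comment at the `+ pthread_mutex_t *mut = cond->__data.__mutex;` line, e.g. `/* Decide on the address stored in the condvar, not the caller's: for pshared condvars it is ~0l, which disables requeue-PI exactly as in pthread_cond_signal().  */`, and, since the identical two-line change is duplicated in pthread_cond_timedwait.c and pthread_cond_wait.c, a note that the two copies must stay in sync.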
@@ -170,7 +172,7 @@ __pthread_cond_wait (pthread_cond_t *cond, pthread_mutex_t *mutex) __pthread_mutex_cond_lock_adjust (mutex); __pthread_mutex_unlock_usercnt (mutex, 0); } - pi_flag = USE_REQUEUE_PI (mutex); + pi_flag = USE_REQUEUE_PI (mut); if (pi_flag) { -- 2.15.1

#include <stdio.h>
#include <string.h>
#include <pthread.h>
#include <sched.h>

static pthread_t tid[3];
static volatile int tready[3];
static pthread_mutex_t m;
static pthread_cond_t c;

/* A process-shared condvar paired with a process-shared priority-inheritance
   mutex: the combination on which the wait side picks requeue-PI while the
   wake side does not. */
static void setup(void)
{
	pthread_mutexattr_t mattr;
	pthread_condattr_t cattr;

	pthread_mutexattr_init(&mattr);
	pthread_mutexattr_setprotocol(&mattr, PTHREAD_PRIO_INHERIT);
	pthread_mutexattr_setpshared(&mattr, PTHREAD_PROCESS_SHARED);
	pthread_mutex_init(&m, &mattr);

	pthread_condattr_init(&cattr);
	pthread_condattr_setpshared(&cattr, PTHREAD_PROCESS_SHARED);
	pthread_cond_init(&c, &cattr);
}

/* Each thread marks itself ready and parks in pthread_cond_wait(); on an
   affected glibc it never returns from there. */
static void *thread_main(void *arg)
{
	unsigned long i = (unsigned long)arg;

	pthread_mutex_lock(&m);
	tready[i] = 1;
	pthread_cond_wait(&c, &m);
	tready[i] = 0;
	pthread_mutex_unlock(&m);
	return NULL;
}

/* Busy-wait until exactly 'count' threads are parked in the condvar. */
static void wait_for(int count)
{
	while (tready[0] + tready[1] + tready[2] != count)
		/* spin */;
}

int main(void)
{
	setup();

	printf("creating thread\n");
	pthread_create(&tid[0], NULL, thread_main, (void *)0);
	printf("creating thread\n");
	pthread_create(&tid[1], NULL, thread_main, (void *)1);
	printf("waiting for 2 running threads\n");
	wait_for(2);

	pthread_mutex_lock(&m);
	printf("signaling for a thread to wake and shutdown\n");
	pthread_cond_signal(&c);
	pthread_mutex_unlock(&m);
	printf("waiting for 1 running thread\n");
	wait_for(1);

	printf("creating thread\n");
	pthread_create(&tid[2], NULL, thread_main, (void *)2);
	printf("waiting for 2 running threads\n");
	wait_for(2);

	pthread_mutex_lock(&m);
	printf("signaling for a thread to wake and shutdown\n");
	pthread_cond_signal(&c);
	pthread_mutex_unlock(&m);
	printf("waiting for 1 running thread\n");
	wait_for(1);

	pthread_mutex_lock(&m);
	printf("signaling for a thread to wake and shutdown\n");
	pthread_cond_signal(&c);
	pthread_mutex_unlock(&m);
	printf("waiting for 0 running threads\n");
	wait_for(0);

	printf("success\n");
	pthread_join(tid[0], NULL);
	pthread_join(tid[1], NULL);
	pthread_join(tid[2], NULL);
	return 0;
}
--- End Message ---
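The reproducer in the report hangs forever on an affected libc, which makes it awkward to use as an automated check. The program below is an added example (not part of the bug report and not glibc code) that probes the same process-shared condvar plus priority-inheritance mutex combination, but with pthread_cond_timedwait() and a deadline so that it returns a verdict instead of hanging: on an affected libc the waker's futex call fails with EINVAL as in the strace above, the waiter is never woken and times out, and check_pshared_condvar() returns 1; on a fixed libc it returns 0. The names check_pshared_condvar and struct probe, the 3-second deadline and the 10 ms grace sleep are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <time.h>

/* Added example, not code from the bug report or from glibc: a non-hanging
   check for the pshared condvar wake-up defect described above. */

#define WAIT_TIMEOUT_SEC 3	/* generous: a working wake-up arrives within ms */

struct probe {
	pthread_mutex_t mutex;		/* process-shared, priority-inheritance */
	pthread_cond_t cond;		/* process-shared */
	int waiting;			/* waiter is parked; cleared by the signaller */
	int wait_rc;			/* last pthread_cond_timedwait() result */
};

static void *waiter(void *arg)
{
	struct probe *p = arg;
	struct timespec deadline;

	pthread_mutex_lock(&p->mutex);
	clock_gettime(CLOCK_REALTIME, &deadline);	/* default condvar clock */
	deadline.tv_sec += WAIT_TIMEOUT_SEC;
	p->waiting = 1;
	/* Re-wait on spurious wake-ups; a real signal clears 'waiting' first.
	   ETIMEDOUT means the signal never reached us. */
	do {
		p->wait_rc = pthread_cond_timedwait(&p->cond, &p->mutex, &deadline);
	} while (p->waiting && p->wait_rc == 0);
	pthread_mutex_unlock(&p->mutex);
	return NULL;
}

/* Returns 0 if the waiter was woken by the signal (fixed libc), 1 if it timed
   out instead (affected libc), -1 if the attributes could not be set up. */
int check_pshared_condvar(void)
{
	struct probe p = { .waiting = 0, .wait_rc = -1 };
	pthread_mutexattr_t ma;
	pthread_condattr_t ca;
	pthread_t tid;
	struct timespec grace = { 0, 10 * 1000 * 1000 };	/* 10 ms */
	int rc;

	pthread_mutexattr_init(&ma);
	pthread_condattr_init(&ca);
	if (pthread_mutexattr_setprotocol(&ma, PTHREAD_PRIO_INHERIT) != 0 ||
	    pthread_mutexattr_setpshared(&ma, PTHREAD_PROCESS_SHARED) != 0 ||
	    pthread_condattr_setpshared(&ca, PTHREAD_PROCESS_SHARED) != 0)
		return -1;
	pthread_mutex_init(&p.mutex, &ma);
	pthread_cond_init(&p.cond, &ca);
	pthread_mutexattr_destroy(&ma);
	pthread_condattr_destroy(&ca);

	if (pthread_create(&tid, NULL, waiter, &p) != 0)
		return -1;

	/* Wait until the waiter has published 'waiting' under the mutex, then
	   give it a moment to actually enter the futex wait: the defect only
	   shows once the waker's futex call meets a waiter that is parked with
	   FUTEX_WAIT_REQUEUE_PI. */
	for (;;) {
		pthread_mutex_lock(&p.mutex);
		if (p.waiting)
			break;
		pthread_mutex_unlock(&p.mutex);
		nanosleep(&grace, NULL);
	}
	pthread_mutex_unlock(&p.mutex);
	nanosleep(&grace, NULL);

	pthread_mutex_lock(&p.mutex);
	p.waiting = 0;			/* tell the waiter this is a real wake-up */
	pthread_cond_signal(&p.cond);	/* returns 0 even when the futex op failed */
	pthread_mutex_unlock(&p.mutex);

	pthread_join(tid, NULL);	/* join orders the waiter's wait_rc store before our read */
	rc = (p.wait_rc == ETIMEDOUT) ? 1 : 0;

	pthread_cond_destroy(&p.cond);
	pthread_mutex_destroy(&p.mutex);
	return rc;
}

int main(void)
{
	int rc = check_pshared_condvar();

	if (rc < 0)
		printf("could not set up a pshared PI mutex/condvar pair\n");
	else
		printf("pshared condvar wake-up: %s\n",
		       rc ? "BROKEN (waiter timed out)" : "ok");
	return rc;
}
```

The exit status makes the check usable from a script: 0 means the wake-up arrived, 1 means the waiter timed out, which on Stretch's generic C condvar code is the EINVAL-on-wake behaviour shown in the strace. The deadline is deliberately long relative to the grace sleep so that a slow machine cannot turn a working wake-up into a false "BROKEN" verdict.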
--- Begin Message ---
Source: glibc
Source-Version: 2.24-11+deb9u4

We believe that the bug you reported is fixed in the latest version of glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 904...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aure...@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Feb 2019 22:17:41 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67 libc0.1-i686 libc0.3-i686 libc6-i686
Architecture: source
Version: 2.24-11+deb9u4
Distribution: stretch
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aure...@debian.org>
Description:
 glibc-doc - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n - GNU C Library: localization files
 libc0.1 - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-i686 - transitional dummy package
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3 - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-i686 - transitional dummy package
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6 - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg - GNU C Library: detached debugging symbols
 libc6-dev - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-i686 - transitional dummy package
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32 - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen - GNU C Library: Shared libraries [Xen version]
 libc6.1 - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 locales - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd - GNU C Library: Name Service Cache Daemon
Closes: 710275 879500 879501 879955 884132 884133 884615 899070 899071 903554 904158 916925
Changes:
 glibc (2.24-11+deb9u4) stretch; urgency=medium
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670). Closes: #879501.
     - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671). Closes: #879500.
     - Fix a buffer overflow in glob with GLOB_TILDE in unescaping (CVE-2017-15804). Closes: #879955.
     - Fix a memory leak in ld.so (CVE-2017-1000408). Closes: #884132.
     - Fix a buffer overflow in ld.so (CVE-2017-1000409). Closes: #884133.
     - Fixes incorrect RPATH/RUNPATH handling for SUID binaries (CVE-2017-16997). Closes: #884615.
     - Fix a data corruption in SSE2-optimized memmove implementation for i386 (CVE-2017-18269).
     - Fix a stack-based buffer overflow in the realpath function (CVE-2018-11236). Closes: #899071.
     - Fix a buffer overflow in the AVX-512-optimized implementation of the mempcpy function (CVE-2018-11237). Closes: #899070.
     - Fix stack guard size accounting and reduce stack usage during unwinding to avoid segmentation faults on CPUs with AVX512-F. Closes: #903554.
     - Fix a use after free in pthread_create(). Closes: #916925.
   * debian/debhelper.in/libc.postinst, script.in/nsscheck.sh: check for postgresql in NSS check. Closes: #710275.
 .
   [ Sebastian Andrzej Siewior ]
   * patches/any/local-condvar-do-not-use-requeue-for-pshared-condvars.patch: patch to fix pthread_cond_wait() in the pshared case on non-x86. Closes: #904158.
Checksums-Sha1:
 b39f25d60b68fd05c29621fe6b17121a07f6ac68 8386 glibc_2.24-11+deb9u4.dsc
 337cc7011764cdb0d7b1d8ba58cb677c42103b43 1060620 glibc_2.24-11+deb9u4.debian.tar.xz
 ed61a67e2b4a34fc9daf0b85f4c8d76f77d0f707 7668 glibc_2.24-11+deb9u4_source.buildinfo
Checksums-Sha256:
 0cfc10b8f713f41c087476a0a9f6687b4ccb22c5652502bfe8e5c0798f8b097f 8386 glibc_2.24-11+deb9u4.dsc
 bcf78fb5157cd84d26cdc4b3366b1d5e92fc13609a465ac63ff322a5adac3cbc 1060620 glibc_2.24-11+deb9u4.debian.tar.xz
 4d777a745a7c3a801203406c05f47fbf8de1b600c20caab4df0db1df2b89cce5 7668 glibc_2.24-11+deb9u4_source.buildinfo
Files:
 8aaa2c3a9525a21cbc347dafd83d30c9 8386 libs required glibc_2.24-11+deb9u4.dsc
 de1d8451f6c1306477ab263f30a657c5 1060620 libs required glibc_2.24-11+deb9u4.debian.tar.xz
 f17967e72c65ce195f6d49c720173ecf 7668 libs required glibc_2.24-11+deb9u4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUryGlb40+QrX1Ay4E4jA+JnoM2sFAlxbT9oACgkQE4jA+Jno
M2swiA/9EIursIuqJK5Y3+lH8oMtziso1YilP34RICGUbqh3eywI+//3vskBDAHW
bseZCvRGLV5EqaaW1djIL0iKu5Yz3kgnpdw6oP5Mc6cPL//6HrXm0+uDKp2CXviy
YNXt/3/mdDPtzO9COJOK0G2G09uSs481iRqW71489JblD3edthwNyABzi0Tk81xh
lksvlr9Cwf5Ppf+wBu78FEyDJHrOCsrWMz7AppuzESc8fz1aBMA8cH8JusFLwQpv
LQVymnUb92e1SQq4qdxcEppeFtSiCUxv7EV7ML7zKg7VHYMxFqlzj8gRodjTr3dY
WX57dpJPfzmq7FWz4kA3M3e3csS9wpv1+343CMnlz/x2bxBtVnysmZdobxQzPyJa
6bZgRw1Gg4PaZibUi51ksYXqNawujA+Pz05IyydYtQFDBCg3vOuQW6j3gqti/R2f
xtKCtNA6WDN5qixtWPuusq+Z/HtfdO71DfNz6q+AlPXAzV2v4f6J19YZ4mVXuovu
i07CzLQrNoWpWi0XngZmGm5eAHr234Dbqu6CrR/20NWh13sIhxO7j3haH3ymreu/
GlNpmdXue4kohe+jVFUqQ7FIJh40hD9bRWoyB4xd91VZNxJ/6M2HH+lzxQA4+t7v
TpFE2QO+na3UcxUXxjVPUbLJ6qEQaYqglD1KMXG0yywSdK96PNw=
=W9pv
-----END PGP SIGNATURE-----
--- End Message ---