Your message dated Sat, 09 Feb 2019 21:47:22 +0000
with message-id <e1gsat4-0003fc...@fasolo.debian.org>
and subject line Bug#904158: fixed in glibc 2.24-11+deb9u4
has caused the Debian Bug report #904158,
regarding glibc: pthread_cond_wait() is broken in the pshared case
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
904158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904158
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: glibc
Version: 2.24-11+deb9u3
Severity: important

The short version is that pthread_cond_wait() is broken in the pshared
case in glibc in Stretch. The version in Sid is not affected because
that part received a large rewrite (that is why I explicitly use the
Stretch version for the report).

The full explanation is attached as a patch. I also attached a testcase
to verify. Please note that x86 has handwritten assembly code for the
function which does not have the problem. All other architectures are
using the generic C code and share the problem.
On amdahl.d.o:~bigeasy/glibc you can try the following:

|strace -f ../testcase
|clone(child_stack=0xffff99483b10, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xffff994842d0, tls=0xffff994848f0, child_tidptr=0xffff994842d0) = 26581
|[pid 26581] futex(0xaaaada3d40fc, FUTEX_WAIT_REQUEUE_PI, 1, NULL, 0xaaaada3d40b8 <unfinished ...>
|[pid 26579] clone(child_stack=0xffff98c83b10, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xffff98c842d0, tls=0xffff98c848f0, child_tidptr=0xffff98c842d0) = 26582
|[pid 26582] futex(0xaaaada3d40fc, FUTEX_WAIT_REQUEUE_PI, 2, NULL, 0xaaaada3d40b8 <unfinished ...>
|[pid 26579] futex(0xaaaada3d40fc, FUTEX_WAKE_OP, 1, 1, 0xaaaada3d40f8, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = -1 EINVAL (Invalid argument)
|[pid 26579] futex(0xaaaada3d40fc, FUTEX_WAKE, 1) = -1 EINVAL (Invalid argument)

As you can see, the two waiting threads do FUTEX_WAIT_REQUEUE_PI and the
waker does FUTEX_WAKE*, which is not valid. The program hangs at this
point.
With the patch attached:
|LD_LIBRARY_PATH=x/lib/aarch64-linux-gnu/ strace -f ../testcase
|child_stack=0xffff8edb6b10, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xffff8edb72d0, tls=0xffff8edb78f0, child_tidptr=0xffff8edb72d0) = 26660
|[pid 26660] futex(0xaaaae4e1c0fc, FUTEX_WAIT, 1, NULL <unfinished ...>
|[pid 26659] clone(child_stack=0xffff8e5b6b10, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xffff8e5b72d0, tls=0xffff8e5b78f0, child_tidptr=0xffff8e5b72d0) = 26661
|[pid 26661] futex(0xaaaae4e1c0fc, FUTEX_WAIT, 2, NULL <unfinished ...>
|[pid 26659] futex(0xaaaae4e1c0fc, FUTEX_WAKE_OP, 1, 1, 0xaaaae4e1c0f8, FUTEX_OP_SET<<28|0<<12|FUTEX_OP_CMP_GT<<24|0x1) = 1
and so on, the program finishes.

Sebastian
From: John Ogness <john.ogn...@linutronix.de>
Date: Wed, 16 May 2018 22:34:41 +0200
Subject: [PATCH] condvar: do not use requeue for pshared condvars

With commit e42a990eccb (Update.) condvars were changed to not
store the mutex address when pshared. Instead, ~0l is stored.
This value is checked for in USE_REQUEUE_PI() to determine if
requeue should be used.

pthread_cond_signal() and pthread_cond_broadcast() both use
USE_REQUEUE_PI() with the mutex address stored on the condvar.

However, pthread_cond_wait() and pthread_cond_timedwait() use
USE_REQUEUE_PI() on the mutex address passed in from the caller
(even though that address is *not* stored on the condvar in the
pshared case). The result is that in the pshared case, the
wait functions are using requeue and the wake functions are
not! This is not allowed by the kernel (the waking futex call
returns EINVAL).

Modify the wait functions to use USE_REQUEUE_PI() on the mutex
address stored on the condvar, thus mirroring the behavior of
the wake functions.

Signed-off-by: John Ogness <john.ogn...@linutronix.de>
Acked-by: Sebastian Andrzej Siewior <bige...@linutronix.de>
Reviewed-by: Kurt Kanzenbach <k...@linutronix.de>
Signed-off-by: Kurt Kanzenbach <k...@linutronix.de>
---
 nptl/pthread_cond_timedwait.c | 4 +++-
 nptl/pthread_cond_wait.c      | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/nptl/pthread_cond_timedwait.c b/nptl/pthread_cond_timedwait.c
index 711a51de20..9e6a393a43 100644
--- a/nptl/pthread_cond_timedwait.c
+++ b/nptl/pthread_cond_timedwait.c
@@ -163,6 +163,8 @@ __pthread_cond_timedwait (pthread_cond_t *cond, pthread_mutex_t *mutex,
    to check just the former.  */
 #if (defined lll_futex_timed_wait_requeue_pi \
      && defined __ASSUME_REQUEUE_PI)
+      pthread_mutex_t *mut = cond->__data.__mutex;
+
       /* If pi_flag remained 1 then it means that we had the lock and the mutex
 	 but a spurious waker raced ahead of us.  Give back the mutex before
 	 going into wait again.  */
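Review bot: the new `pthread_mutex_t *mut = cond->__data.__mutex;` carries no comment on why the address stored on the condvar is used instead of the caller's `mutex`; the reason (pshared condvars keep ~0l there, which is what pthread_cond_signal() looks at) lives only in the commit message. A one-liner such as `/* Use the stored address: it is ~0l for pshared condvars, which is what the wake side checks.  */` above the declaration would make the hunk self-explanatory. The read is also a plain load with no lock visible in the hunk; please confirm it is taken under the same locking as the wake side's read of `__mutex`, or move it to a point where the condvar's internal lock is still held.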
@@ -171,7 +173,7 @@ __pthread_cond_timedwait (pthread_cond_t *cond, pthread_mutex_t *mutex,
 	  __pthread_mutex_cond_lock_adjust (mutex);
 	  __pthread_mutex_unlock_usercnt (mutex, 0);
 	}
-      pi_flag = USE_REQUEUE_PI (mutex);
+      pi_flag = USE_REQUEUE_PI (mut);
 
       if (pi_flag)
 	{
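Review bot: `__pthread_mutex_cond_lock_adjust (mutex)` and `__pthread_mutex_unlock_usercnt (mutex, 0)` keep operating on the caller's `mutex` while `pi_flag = USE_REQUEUE_PI (mut);` now decides on the stored address. That is correct (the lock actually held is still the caller's), but the two names side by side invite a later "cleanup" that makes them consistent again and reintroduces the bug; a short comment at the `pi_flag` line stating that `mut` is ~0l for pshared condvars and therefore disables requeue there would guard against that.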
diff --git a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c
index 3f62acc6bd..7a4313cda6 100644
--- a/nptl/pthread_cond_wait.c
+++ b/nptl/pthread_cond_wait.c
@@ -162,6 +162,8 @@ __pthread_cond_wait (pthread_cond_t *cond, pthread_mutex_t *mutex)
 
 #if (defined lll_futex_wait_requeue_pi \
      && defined __ASSUME_REQUEUE_PI)
+      pthread_mutex_t *mut = cond->__data.__mutex;
+
       /* If pi_flag remained 1 then it means that we had the lock and the mutex
 	 but a spurious waker raced ahead of us.  Give back the mutex before
 	 going into wait again.  */
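Review bot: this is the identical declaration added to pthread_cond_timedwait.c, so the same points apply: document why the stored `__mutex` (~0l for pshared condvars) is used instead of the caller's `mutex`, and confirm the unlocked read matches the wake side's locking. Since both files now carry the same two-line change at the same point, a small shared helper (or at least identical comments in both places) would keep them from drifting apart in future fixes.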
@@ -170,7 +172,7 @@ __pthread_cond_wait (pthread_cond_t *cond, pthread_mutex_t *mutex)
 	  __pthread_mutex_cond_lock_adjust (mutex);
 	  __pthread_mutex_unlock_usercnt (mutex, 0);
 	}
-      pi_flag = USE_REQUEUE_PI (mutex);
+      pi_flag = USE_REQUEUE_PI (mut);
 
       if (pi_flag)
 	{
-- 
2.15.1

/* Testcase attached to the report.  A PI, process-shared mutex is paired
 * with a process-shared condvar; each thread announces itself in tready[],
 * blocks in pthread_cond_wait() and clears its flag once woken.  With the
 * unpatched generic code the waiters block in FUTEX_WAIT_REQUEUE_PI while
 * pthread_cond_signal() issues FUTEX_WAKE*, the kernel answers EINVAL and
 * the first wait_for(1) below spins forever.  Build with -pthread. */
#include <stdio.h>
#include <string.h>
#include <pthread.h>
#include <sched.h>

static pthread_t tid[3];
static volatile int tready[3];	/* 1 while thread i is parked in the wait */
static pthread_mutex_t m;
static pthread_cond_t c;

static void setup(void)
{
	pthread_mutexattr_t mattr;
	pthread_condattr_t cattr;

	/* PRIO_INHERIT is what makes USE_REQUEUE_PI() true for the caller's
	 * mutex; PROCESS_SHARED is what makes the condvar store ~0l instead
	 * of that mutex address.  Both are needed to hit the bug. */
	pthread_mutexattr_init(&mattr);
	pthread_mutexattr_setprotocol(&mattr, PTHREAD_PRIO_INHERIT);
	pthread_mutexattr_setpshared(&mattr, PTHREAD_PROCESS_SHARED);
	pthread_mutex_init(&m, &mattr);

	pthread_condattr_init(&cattr);
	pthread_condattr_setpshared(&cattr, PTHREAD_PROCESS_SHARED);
	pthread_cond_init(&c, &cattr);
}

static void *thread_main(void *arg)
{
	unsigned long i = (unsigned long)arg;

	pthread_mutex_lock(&m);
	tready[i] = 1;
	/* No predicate loop on purpose: the test counts wakeups, so a
	 * spurious wakeup would show up as a premature tready[] change. */
	pthread_cond_wait(&c, &m);
	tready[i] = 0;
	pthread_mutex_unlock(&m);

	return NULL;
}

/* Busy-wait until exactly `count' threads are parked in the condvar. */
static void wait_for(int count)
{
	while (tready[0] + tready[1] + tready[2] != count)
		/* spin */;
}

int main(void)
{
	setup();

	printf("creating thread\n");
	pthread_create(&tid[0], NULL, thread_main, (void *)0);
	printf("creating thread\n");
	pthread_create(&tid[1], NULL, thread_main, (void *)1);
	printf("waiting for 2 running threads\n");
	wait_for(2);

	/* Taking m here only succeeds once both waiters have released it
	 * inside pthread_cond_wait(); the signal then wakes exactly one. */
	pthread_mutex_lock(&m);
	printf("signaling for a thread to wake and shutdown\n");
	pthread_cond_signal(&c);
	pthread_mutex_unlock(&m);
	printf("waiting for 1 running thread\n");
	wait_for(1);	/* hangs here on the unpatched generic code */

	/* Add a third waiter so the condvar is exercised once more after a
	 * wakeup has already gone through. */
	printf("creating thread\n");
	pthread_create(&tid[2], NULL, thread_main, (void *)2);
	printf("waiting for 2 running threads\n");
	wait_for(2);

	pthread_mutex_lock(&m);
	printf("signaling for a thread to wake and shutdown\n");
	pthread_cond_signal(&c);
	pthread_mutex_unlock(&m);
	printf("waiting for 1 running thread\n");
	wait_for(1);

	pthread_mutex_lock(&m);
	printf("signaling for a thread to wake and shutdown\n");
	pthread_cond_signal(&c);
	pthread_mutex_unlock(&m);
	printf("waiting for 0 running threads\n");
	wait_for(0);

	printf("success\n");

	pthread_join(tid[0], NULL);
	pthread_join(tid[1], NULL);
	pthread_join(tid[2], NULL);

	return 0;
}

--- End Message ---
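As an added illustration (not glibc code and not part of the report or the patch above), a small C model of the decision mismatch that the commit message and the first strace describe: the struct layout, the PI kind bit and the function names are assumptions; only the ~0l sentinel and the rule that the wake side decides on the stored address while the unpatched wait side decides on the caller's mutex come from the message.

```c
/* Added model of the mismatch the commit message describes; not glibc code.
 * Struct layout, PI kind bit and names are assumptions that only mirror what
 * the message says about USE_REQUEUE_PI() and the ~0l sentinel. */
#include <stdio.h>

#define KIND_PRIO_INHERIT 0x20	/* assumed stand-in for the PI mutex kind bit */
#define PSHARED_SENTINEL ((struct model_mutex *) ~0l)	/* ~0l stored when pshared */

struct model_mutex { int kind; };
struct model_cond { struct model_mutex *stored_mutex; int pshared; };

/* USE_REQUEUE_PI() as the commit message describes it: requeue-PI is only
 * usable on a real, PI-kind mutex address; the ~0l sentinel must say no. */
static int use_requeue_pi(const struct model_mutex *mut)
{
	return mut != NULL && mut != PSHARED_SENTINEL
	       && (mut->kind & KIND_PRIO_INHERIT) != 0;
}

/* Wake side (signal/broadcast): decides on the address stored on the condvar. */
static int wake_uses_requeue(const struct model_cond *c)
{
	return use_requeue_pi(c->stored_mutex);
}

/* Wait side: before the patch it asked about the caller's mutex, after the
 * patch it asks about the stored address, exactly like the wake side. */
static int wait_uses_requeue(const struct model_cond *c,
			     const struct model_mutex *caller, int patched)
{
	return use_requeue_pi(patched ? c->stored_mutex : caller);
}

/* 1 when waiter and waker would pick different futex operations, i.e. a
 * FUTEX_WAIT_REQUEUE_PI waiter meets a FUTEX_WAKE* waker and gets EINVAL. */
static int sides_disagree(int pshared, int pi, int patched)
{
	struct model_mutex m = { pi ? KIND_PRIO_INHERIT : 0 };
	/* The wait path stores the real address only for process-private
	 * condvars; pshared ones keep the ~0l sentinel (commit e42a990eccb). */
	struct model_cond c = { pshared ? PSHARED_SENTINEL : &m, pshared };
	return wait_uses_requeue(&c, &m, patched) != wake_uses_requeue(&c);
}

int main(void)
{
	printf("pshared PI condvar, unpatched wait: %s\n",
	       sides_disagree(1, 1, 0) ? "mismatch (EINVAL)" : "consistent");
	return 0;
}
```

Only the pshared + PRIO_INHERIT combination (exactly what the attached testcase sets up) makes the two sides disagree, and the patched wait path agrees with the wake side in every combination.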
--- Begin Message ---
Source: glibc
Source-Version: 2.24-11+deb9u4

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 904...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aure...@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Feb 2019 22:17:41 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales 
locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic 
libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 
libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev 
libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc 
libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 
libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 
libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 
libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 
libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67 libc0.1-i686 libc0.3-i686 
libc6-i686
Architecture: source
Version: 2.24-11+deb9u4
Distribution: stretch
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aure...@debian.org>
Description:
 glibc-doc  - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n  - GNU C Library: localization files
 libc0.1    - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-i686 - transitional dummy package
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-i686 - transitional dummy package
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6      - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-i686 - transitional dummy package
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32  - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen  - GNU C Library: Shared libraries [Xen version]
 libc6.1    - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 locales    - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd       - GNU C Library: Name Service Cache Daemon
Closes: 710275 879500 879501 879955 884132 884133 884615 899070 899071 903554 904158 916925
Changes:
 glibc (2.24-11+deb9u4) stretch; urgency=medium
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix buffer overflow in glob with GLOB_TILDE (CVE-2017-15670).  Closes:
       #879501.
     - Fix memory leak in glob with GLOB_TILDE (CVE-2017-15671).  Closes:
       #879500.
     - Fix a buffer overflow in glob with GLOB_TILDE in unescaping
       (CVE-2017-15804).  Closes: #879955.
     - Fix a memory leak in ld.so (CVE-2017-1000408).  Closes: #884132.
     - Fix a buffer overflow in ld.so (CVE-2017-1000409).  Closes: #884133.
     - Fixes incorrect RPATH/RUNPATH handling for SUID binaries
       (CVE-2017-16997).  Closes: #884615.
     - Fix a data corruption in SSE2-optimized memmove implementation for
       i386 (CVE-2017-18269).
     - Fix a stack-based buffer overflow in the realpath function
       (CVE-2018-11236).  Closes: #899071.
     - Fix a buffer overflow in the AVX-512-optimized implementation of the
       mempcpy function (CVE-2018-11237).  Closes: #899070.
     - Fix stack guard size accounting and reduce stack usage during
       unwinding to avoid segmentation faults on CPUs with AVX512-F.  Closes:
       #903554.
     - Fix a use after free in pthread_create().  Closes: #916925.
   * debian/debhelper.in/libc.postinst, script.in/nsscheck.sh: check for
     postgresql in NSS check.  Closes: #710275.
 .
   [ Sebastian Andrzej Siewior ]
   * patches/any/local-condvar-do-not-use-requeue-for-pshared-condvars.patch:
     patch to fix pthread_cond_wait() in the pshared case on non-x86.  Closes:
     #904158.


--- End Message ---
