diff options
author | Rich Felker <dalias@aerifal.cx> | 2017-10-13 23:00:34 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2017-10-13 23:00:34 -0400 |
commit | c1e27367a9b26b9baac0f37a12349fc36567c8b6 (patch) | |
tree | 88accade820f5d320b504b517b043b951fec583e /src | |
parent | 907476925fca05f24ebca5fcdc21f1e58ba7b313 (diff) | |
download | musl-c1e27367a9b26b9baac0f37a12349fc36567c8b6.zip musl-c1e27367a9b26b9baac0f37a12349fc36567c8b6.tar.gz musl-c1e27367a9b26b9baac0f37a12349fc36567c8b6.tar.bz2 |
fix read-after-free type error in pthread_detach
calling __unlock on t->exitlock is not valid because __unlock reads
the waiters count after making the atomic store that could allow
pthread_exit to continue and unmap the thread's stack and the object t
points to. for now, inline the __unlock logic with an unconditional
futex wake operation so that the waiters count is not needed.
once __lock/__unlock have been made safe for self-synchronized
destruction, we could switch back to using them.
Diffstat (limited to 'src')
-rw-r--r-- | src/thread/pthread_detach.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/thread/pthread_detach.c b/src/thread/pthread_detach.c index ed77f74..1348260 100644 --- a/src/thread/pthread_detach.c +++ b/src/thread/pthread_detach.c @@ -9,7 +9,8 @@ static int __pthread_detach(pthread_t t) if (a_swap(t->exitlock, 1)) return __pthread_join(t, 0); t->detached = 2; - __unlock(t->exitlock); + a_store(t->exitlock, 0); + __wake(t->exitlock, 1, 1); return 0; } |