From owner-freebsd-threads@freebsd.org Tue Aug 25 03:21:04 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-threads@FreeBSD.org
Subject: [Bug 202636] race in lib/libc/nls/msgcat.c
Date: Tue, 25 Aug 2015 03:21:04 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202636

            Bug ID: 202636
           Summary: race in lib/libc/nls/msgcat.c
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: threads
          Assignee: freebsd-threads@FreeBSD.org
          Reporter: henry.hu.sh@gmail.com

Tracing from a crashing xfdesktop, I found that the following program
crashes in seconds (in the environment, set LANG=zh_CN.UTF-8):

#include <locale.h>
#include <nl_types.h>
#include <pthread.h>

/* Each thread opens, reads and closes the libc catalog in a tight loop. */
void *
work(void *arg)
{
	while (1) {
		nl_catd catd = catopen("libc", NL_CAT_LOCALE);
		catgets(catd, 1, 2, "No such file or directory");
		catclose(catd);
	}
	return NULL;
}

int
main()
{
	setlocale(LC_MESSAGES, "");
	pthread_t thr1, thr2, thr3, thr4;
	pthread_create(&thr1, NULL, &work, NULL);
	pthread_create(&thr2, NULL, &work, NULL);
	pthread_create(&thr3, NULL, &work, NULL);
	pthread_create(&thr4, NULL, &work, NULL);
	pthread_join(thr1, NULL);
	pthread_join(thr2, NULL);
	pthread_join(thr3, NULL);
	pthread_join(thr4, NULL);
}

It always crashes somewhere in catgets:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 801016000 (LWP 101899/test)]
catgets (catd=0x801615170, set_id=1, msg_id=2, s=0x400a9b "No such file or directory")
    at /usr/src/lib/libc/nls/msgcat.c:280
280		u = ntohl((u_int32_t)cat_hdr->__nsets) - 1;

and it looks like catd has been freed:

(gdb) p *catd
$2 = {__data = 0x5a5a5a5a5a5a5a5a, __size = 1515870810}

After a closer look, it looks like the increments to np->refcount are racy.
See https://svnweb.freebsd.org/base/head/lib/libc/nls/msgcat.c?annotate=278530.
It is only protected by a read lock, so multiple threads may change the
refcount at the same time; this is a race condition and may corrupt the
refcount field.

Proposed fix:

Index: lib/libc/nls/msgcat.c
===================================================================
--- lib/libc/nls/msgcat.c	(版本 287028)
+++ lib/libc/nls/msgcat.c	(工作副本)
@@ -141,7 +141,7 @@
 	}
 
 	/* Try to get it from the cache first */
-	RLOCK(NLERR);
+	WLOCK(NLERR);
 	SLIST_FOREACH(np, &cache, list) {
 		if ((strcmp(np->name, name) == 0) &&
 		    ((lang != NULL && np->lang != NULL &&
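Review bot: Switching the cache scan in catopen() from RLOCK(NLERR) to WLOCK(NLERR) does make the later np->refcount++ exclusive, but it also serializes every catopen() caller on the common cache-hit path, including callers that only compare np->name and np->lang and never touch the refcount. An alternative that keeps the read lock is to make the increment itself an atomic read-modify-write (atomic_add_int() from <machine/atomic.h>); whichever is chosen, the decrement side in catclose() has to follow the same discipline, and this patch shows no hunk there, so please confirm that path already runs under WLOCK or is made atomic as well. The same point applies to the second hunk in load_msgcat(), which also only covers the lookup-and-increment side.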
@@ -376,7 +376,7 @@
 	 * One more try in cache; if it was not found by name,
 	 * it might still be found by absolute path.
 	 */
-	RLOCK(NLERR);
+	WLOCK(NLERR);
 	SLIST_FOREACH(np, &cache, list) {
 		if ((np->path != NULL) && (strcmp(np->path, path) == 0)) {
 			np->refcount++;

This patch fixes the case in catopen(). This also changes the access in
load_msgcat(), which also seems to be incorrect.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-threads@freebsd.org Fri Aug 28 07:13:05 2015
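The defect the report describes is a classic lost-update race: a plain np->refcount++ executed while holding only the shared (read) side of a read-write lock, so two threads can both read the old value, both add one and both store, and the count ends up one short. When the count later reaches zero early, the catalog is freed while another thread still holds it, which matches the gdb output above (0x5a5a5a5a5a5a5a5a is the junk-fill pattern FreeBSD's malloc writes over freed memory). The program below is an added example for this thread, not code from the bug report or from libc: it runs the same counter in three modes, the buggy read-lock increment, the write-lock variant the patch proposes, and a C11 atomic increment that keeps the read lock. run_counter(), struct shared, the mode names and the thread and iteration counts are the example's own.

```c
/*
 * Added example (not from the bug report or libc): a shared reference
 * count updated by several threads under a pthread read-write lock.
 *   MODE_RDLOCK - increment under the read lock (the msgcat.c bug)
 *   MODE_WRLOCK - increment under the write lock (the proposed fix)
 *   MODE_ATOMIC - atomic increment under the read lock (alternative)
 * run_counter() returns the final count so the safe modes can be
 * checked against expected_count().
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

enum mode { MODE_RDLOCK, MODE_WRLOCK, MODE_ATOMIC };

#define NTHREADS 4
#define NITERS   200000

struct shared {
	pthread_rwlock_t lock;
	unsigned refcount;           /* plain field, like np->refcount */
	atomic_uint atomic_refcount; /* lock-free alternative */
	enum mode mode;
};

static void *
worker(void *arg)
{
	struct shared *s = arg;

	for (int i = 0; i < NITERS; i++) {
		switch (s->mode) {
		case MODE_RDLOCK:
			/* Buggy: read lock admits all threads at once, so the
			 * load/add/store of ++ can interleave and lose updates. */
			pthread_rwlock_rdlock(&s->lock);
			s->refcount++;
			pthread_rwlock_unlock(&s->lock);
			break;
		case MODE_WRLOCK:
			/* Fixed: the write lock excludes every other holder. */
			pthread_rwlock_wrlock(&s->lock);
			s->refcount++;
			pthread_rwlock_unlock(&s->lock);
			break;
		case MODE_ATOMIC:
			/* Alternative: keep the cheap read lock for the lookup and
			 * make the increment itself an atomic read-modify-write. */
			pthread_rwlock_rdlock(&s->lock);
			atomic_fetch_add_explicit(&s->atomic_refcount, 1,
			    memory_order_relaxed);
			pthread_rwlock_unlock(&s->lock);
			break;
		}
	}
	return NULL;
}

/* Run NTHREADS workers in the given mode and return the final count. */
unsigned
run_counter(enum mode mode)
{
	struct shared s;
	pthread_t thr[NTHREADS];

	pthread_rwlock_init(&s.lock, NULL);
	s.refcount = 0;
	atomic_init(&s.atomic_refcount, 0);
	s.mode = mode;

	for (int i = 0; i < NTHREADS; i++)
		pthread_create(&thr[i], NULL, worker, &s);
	for (int i = 0; i < NTHREADS; i++)
		pthread_join(thr[i], NULL);
	pthread_rwlock_destroy(&s.lock);

	return mode == MODE_ATOMIC ? atomic_load(&s.atomic_refcount) : s.refcount;
}

/* The count every mode should reach if no update is lost. */
unsigned
expected_count(void)
{
	return NTHREADS * NITERS;
}

int
main(void)
{
	printf("expected      %u\n", expected_count());
	printf("rdlock (bug)  %u\n", run_counter(MODE_RDLOCK));
	printf("wrlock (fix)  %u\n", run_counter(MODE_WRLOCK));
	printf("atomic        %u\n", run_counter(MODE_ATOMIC));
	return 0;
}
```

On a multi-core machine the MODE_RDLOCK result can come out below the expected value (it can never exceed it), while the other two modes always reach exactly NTHREADS * NITERS. The atomic variant is the one to reach for when the lookup path is hot and taking the write lock for every cache hit is too costly; the write-lock variant is the simpler change and is what the patch above does.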
From: bugzilla-noreply@freebsd.org
To: freebsd-threads@FreeBSD.org
Subject: [Bug 200992] process won't die in thread_suspend_switch
Date: Fri, 28 Aug 2015 07:13:05 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200992

Hans Petter Selasky changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hselasky@FreeBSD.org

--- Comment #12 from Hans Petter Selasky ---
Please use a mutex-protected callout to handle this! And all the corner
cases will go away. See projects/hps_head .

--HPS

-- 
You are receiving this mail because:
You are the assignee for the bug.
From owner-freebsd-threads@freebsd.org Fri Aug 28 07:30:29 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-threads@FreeBSD.org
Subject: [Bug 200992] process won't die in thread_suspend_switch
Date: Fri, 28 Aug 2015 07:30:29 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200992

--- Comment #13 from Konstantin Belousov ---
(In reply to Hans Petter Selasky from comment #12)
This is a layer that makes the locks work; there are no mutexes which you
can lock safely. Even if the callout KPI is extended to support
interlocking with a spinlock, this would still not provide anything for
this case, because the only natural spinlock there is the thread lock,
which is not a real spinlock and is useless for the interlocking pattern.

The case there is inherently racy, similar to how lock implementations are
racy due to the nature of the code, and must be correctly supported.

-- 
You are receiving this mail because:
You are the assignee for the bug.
From owner-freebsd-threads@freebsd.org Fri Aug 28 08:10:00 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-threads@FreeBSD.org
Subject: [Bug 200992] process won't die in thread_suspend_switch
Date: Fri, 28 Aug 2015 08:10:00 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200992

--- Comment #14 from Hans Petter Selasky ---
(In reply to Konstantin Belousov from comment #13)
Hi,

You can always use a spinlock there, though -current doesn't support
passing spinlocks to callouts, while projects/hps_head does.

--HPS

-- 
You are receiving this mail because:
You are the assignee for the bug.