Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 09 Oct 2021 20:07:38 +0000
From:      bugzilla-noreply@freebsd.org
To:        threads@FreeBSD.org
Subject:   [Bug 254995] pthread_cond_timedwait() returns EDEADLK
Message-ID:  <bug-254995-13406-nJ3Yplsule@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-254995-13406@https.bugs.freebsd.org/bugzilla/>
References:  <bug-254995-13406@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254995

--- Comment #11 from Konstantin Belousov <kib@FreeBSD.org> ---
Better this one, handling malicious userspace

commit dc64dc0a431faeded1ea294489c4584d537bb01a
Author: Konstantin Belousov <kib@FreeBSD.org>
Date:   Sat Oct 9 22:46:08 2021 +0300

    umtx: Do not return spurious failures on unlock after suspend for normal or
PI mutexes

diff --git a/sys/kern/kern_umtx.c b/sys/kern/kern_umtx.c
index ea87259161c8..b06e121e58ec 100644
--- a/sys/kern/kern_umtx.c
+++ b/sys/kern/kern_umtx.c
@@ -1486,7 +1486,7 @@ do_unlock_normal(struct thread *td, struct umutex *m,
uint32_t flags, bool rb)
                if (error == -1)
                        return (EFAULT);
                if (error == 1) {
-                       error = thread_check_susp(td, false);
+                       error = thread_check_susp(td, true);
                        if (error != 0)
                                return (error);
                        goto again;
@@ -1523,7 +1523,7 @@ do_unlock_normal(struct thread *td, struct umutex *m,
uint32_t flags, bool rb)
        if (error == 1) {
                if (old != owner)
                        return (EINVAL);
-               error = thread_check_susp(td, false);
+               error = thread_check_susp(td, true);
                if (error != 0)
                        return (error);
                goto again;
@@ -2427,8 +2427,8 @@ do_unlock_pi(struct thread *td, struct umutex *m,
uint32_t flags, bool rb)
                new_owner |= UMUTEX_CONTESTED;
 again:
        error = casueword32(&m->m_owner, owner, &old, new_owner);
-       if (error == 1) {
-               error = thread_check_susp(td, false);
+       if (error == 1 && (old & ~UMUTEX_CONTESTED) == id) {
+               error = thread_check_susp(td, true);
                if (error == 0)
                        goto again;
        }

-- 
You are receiving this mail because:
You are the assignee for the bug.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-254995-13406-nJ3Yplsule>