From: Florian Weimer Date: Fri, 15 Feb 2019 18:09:00 +0000 (+0100) Subject: nptl: Fix invalid Systemtap probe in pthread_join [BZ #24211] X-Git-Tag: upstream/2.30~347 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=bc10e22c90e42613bd5dafb77b80a9ea1759dd1b;p=external%2Fglibc.git nptl: Fix invalid Systemtap probe in pthread_join [BZ #24211] After commit f1ac7455831546e5dca0ed98fe8af2686fae7ce6 ("arm: Use "nr" constraint for Systemtap probes [BZ #24164]"), we load pd->result into a register in the probe below: /* Free the TCB. */ __free_tcb (pd); } else pd->joinid = NULL; LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd->result); However, at this point, the thread descriptor has been freed. If the thread stack does not fit into the thread stack cache, the memory will have been unmapped, and the program will crash in the probe.
---
diff --git a/ChangeLog b/ChangeLog
index fee6c0f..39d44fd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2019-02-15 Florian Weimer
+
+	[BZ #24211]
+	* nptl/pthread_join_common.c (__pthread_timedjoin_ex): Do not read
+	pd->result after the thread descriptor has been freed.
+
 2019-02-15 Joseph Myers
 
 	* sunrpc/tst-svc_register.c (rpcbind_address): Remove qualifier
diff --git a/nptl/pthread_join_common.c b/nptl/pthread_join_common.c
index 6efe8ef..5224ee2 100644
--- a/nptl/pthread_join_common.c
+++ b/nptl/pthread_join_common.c
@@ -145,6 +145,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
       pthread_cleanup_pop (0);
     }
 
+  void *pd_result = pd->result;
   if (__glibc_likely (result == 0))
     {
       /* We mark the thread as terminated and as joined. */
@@ -152,7 +153,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
 
       /* Store the return value if the caller is interested. */
       if (thread_return != NULL)
-	*thread_return = pd->result;
+	*thread_return = pd_result;
 
       /* Free the TCB. */
       __free_tcb (pd);
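Review bot: The hoisted load `void *pd_result = pd->result;` in the first hunk carries no comment saying why it must precede `__free_tcb (pd)`, so a later cleanup could fold the read back into the probe argument and reintroduce the use-after-free this commit fixes; suggest `/* Read pd->result now: once __free_tcb runs, the descriptor (and possibly its stack mapping) is gone.  */` immediately above the declaration. The same variable feeds the `*thread_return` store in the second hunk and the `pthread_join_ret` probe in the third, so one comment at the definition covers all three uses. In the `result != 0` branch (the one that only resets `pd->joinid`) the wait presumably did not observe the thread exiting, so `pd_result` is a snapshot that may be stale by the time the probe fires — the old code had the same property, but the comment is the natural place to say it. `__pthread_timedjoin_ex` begins before the first hunk; its closing brace is in the third.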
@@ -160,7 +161,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
   else
     pd->joinid = NULL;
 
-  LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd->result);
+  LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd_result);
 
   return result;
 }