From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: Carlos O'Donell <carlos@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>,
	Joseph Myers <joseph@codesourcery.com>,
	Szabolcs Nagy <szabolcs.nagy@arm.com>,
	libc-alpha@sourceware.org
Subject: [RFC PATCH glibc 03/13] nptl: Start new threads with all signals blocked [BZ #25098]
Date: Mon,  6 Jan 2020 10:57:03 -0500	[thread overview]
Message-ID: <20200106155713.397-4-mathieu.desnoyers@efficios.com> (raw)
In-Reply-To: <20200106155713.397-1-mathieu.desnoyers@efficios.com>

From: Florian Weimer <fweimer@redhat.com>

New threads inherit the signal mask from the current thread.  This
means that signal handlers can run on the newly created thread
immediately after the kernel has created the userspace thread, even
before glibc has initialized the TCB.  Consequently, new threads can
observe uninitialized ctype data, among other things.

To address this, block all signals before starting the thread, and
pass the original signal mask to the start routine wrapper.  On the
new thread, first perform all thread initialization, and then unblock
signals.

The cost of doing this is two rt_sigprocmask system calls on the old
thread, and one rt_sigprocmask system call on the new thread.  (If
there was a way to clone a new thread with all signals blocked, this
could be brought down to one system call each.)  The thread descriptor
increases in size, too, and sigset_t is fairly large.  This increase
could be brought down by reusing space in the descriptor which is
not needed before running user code, or by switching to an internal
sigset_t definition which only covers the signals supported by the
kernel definition.  (Part of the thread descriptor size increase is
already offset by reduced stack usage in the thread start wrapper
routine after this commit.)

-----
 nptl/descr.h          | 10 +++++++---
 nptl/pthread_create.c | 47 +++++++++++++++++++++++++----------------------
 2 files changed, 32 insertions(+), 25 deletions(-)
---
 nptl/descr.h          | 10 ++++++---
 nptl/pthread_create.c | 47 +++++++++++++++++++++++--------------------
 2 files changed, 32 insertions(+), 25 deletions(-)

diff --git a/nptl/descr.h b/nptl/descr.h
index d3f863aa18..70d76bc63b 100644
--- a/nptl/descr.h
+++ b/nptl/descr.h
@@ -332,9 +332,8 @@ struct pthread
   /* True if thread must stop at startup time.  */
   bool stopped_start;
 
-  /* The parent's cancel handling at the time of the pthread_create
-     call.  This might be needed to undo the effects of a cancellation.  */
-  int parent_cancelhandling;
+  /* Formerly used for dealing with cancellation.  */
+  int parent_cancelhandling_unsed;
 
   /* Lock to synchronize access to the descriptor.  */
   int lock;
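Review bot: The placeholder introduced on the new side is misspelled: `int parent_cancelhandling_unsed;` should read `int parent_cancelhandling_unused;`, otherwise the typo is frozen into every later reference to the slot. The comment could also say why the slot is kept rather than deleted — presumably to keep the offsets of the following `struct pthread` members stable — e.g. `/* Formerly used for dealing with cancellation.  Kept so the layout of the following members is unchanged.  */`, if that is indeed the intent. The enclosing `struct pthread` starts and ends outside the hunk.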
@@ -391,6 +390,11 @@ struct pthread
   /* Resolver state.  */
   struct __res_state res;
 
+  /* Signal mask for the new thread.  Used during thread startup to
+     restore the signal mask.  (Threads are launched with all signals
+     masked.)  */
+  sigset_t sigmask;
+
   /* Indicates whether is a C11 thread created by thrd_creat.  */
   bool c11;
 
diff --git a/nptl/pthread_create.c b/nptl/pthread_create.c
index 5682c9c2c0..b220ec526b 100644
--- a/nptl/pthread_create.c
+++ b/nptl/pthread_create.c
@@ -369,7 +369,6 @@ __free_tcb (struct pthread *pd)
     }
 }
 
-
 /* Local function to start thread and handle cleanup.
    createthread.c defines the macro START_THREAD_DEFN to the
    declaration that its create_thread function will refer to, and
@@ -385,10 +384,6 @@ START_THREAD_DEFN
   /* Initialize pointers to locale data.  */
   __ctype_init ();
 
-  /* Allow setxid from now onwards.  */
-  if (__glibc_unlikely (atomic_exchange_acq (&pd->setxid_futex, 0) == -2))
-    futex_wake (&pd->setxid_futex, 1, FUTEX_PRIVATE);
-
 #ifdef __NR_set_robust_list
 # ifndef __ASSUME_SET_ROBUST_LIST
   if (__set_robust_list_avail >= 0)
@@ -402,19 +397,6 @@ START_THREAD_DEFN
     }
 #endif
 
-  /* If the parent was running cancellation handlers while creating
-     the thread the new thread inherited the signal mask.  Reset the
-     cancellation signal mask.  */
-  if (__glibc_unlikely (pd->parent_cancelhandling & CANCELING_BITMASK))
-    {
-      INTERNAL_SYSCALL_DECL (err);
-      sigset_t mask;
-      __sigemptyset (&mask);
-      __sigaddset (&mask, SIGCANCEL);
-      (void) INTERNAL_SYSCALL (rt_sigprocmask, err, 4, SIG_UNBLOCK, &mask,
-			       NULL, _NSIG / 8);
-    }
-
   /* This is where the try/finally block should be created.  For
      compilers without that support we do use setjmp.  */
   struct pthread_unwind_buf unwind_buf;
@@ -436,6 +418,12 @@ START_THREAD_DEFN
   unwind_buf.priv.data.prev = NULL;
   unwind_buf.priv.data.cleanup = NULL;
 
+  __libc_signal_restore_set (&pd->sigmask);
+
+  /* Allow setxid from now onwards.  */
+  if (__glibc_unlikely (atomic_exchange_acq (&pd->setxid_futex, 0) == -2))
+    futex_wake (&pd->setxid_futex, 1, FUTEX_PRIVATE);
+
   if (__glibc_likely (! not_first_call))
     {
       /* Store the new cleanup handler info.  */
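Review bot: `__libc_signal_restore_set (&pd->sigmask)` now runs before the setxid_futex release that was previously done right after `__ctype_init`, and nothing in the hunk says why the order matters; I would add `/* Unblock signals first: setxid is propagated via a signal, so the thread must be able to receive it before announcing readiness.  */` above the release, if that is indeed the reason. Note also that signals are unblocked before `THREAD_SETMEM (pd, cleanup_jmp_buf, &unwind_buf)` a few lines below this hunk; I believe the initial deferred cancellation type keeps a SIGCANCEL delivered in that window from unwinding through a NULL `cleanup_jmp_buf`, but a comment confirming that would help. The `setjmp` that produces `not_first_call` and the rest of `START_THREAD_DEFN` are outside the hunk.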
@@ -726,10 +714,6 @@ __pthread_create_2_1 (pthread_t *newthread, const pthread_attr_t *attr,
   CHECK_THREAD_SYSINFO (pd);
 #endif
 
-  /* Inform start_thread (above) about cancellation state that might
-     translate into inherited signal state.  */
-  pd->parent_cancelhandling = THREAD_GETMEM (THREAD_SELF, cancelhandling);
-
   /* Determine scheduling parameters for the thread.  */
   if (__builtin_expect ((iattr->flags & ATTR_FLAG_NOTINHERITSCHED) != 0, 0)
       && (iattr->flags & (ATTR_FLAG_SCHED_SET | ATTR_FLAG_POLICY_SET)) != 0)
@@ -775,6 +759,21 @@ __pthread_create_2_1 (pthread_t *newthread, const pthread_attr_t *attr,
      ownership of PD (see CONCURRENCY NOTES above).  */
   bool stopped_start = false; bool thread_ran = false;
 
+  /* Block all signals, so that the new thread starts out with
+     signals disabled.  This avoids race conditions in the thread
+     startup.  */
+  sigset_t original_sigmask;
+  __libc_signal_block_all (&original_sigmask);
+
+  /* Conceptually, the new thread needs to inherit the signal mask of
+     this thread.  Therefore, it needs to restore the saved signal
+     mask of this thread, so save it in the startup information.  */
+  pd->sigmask = original_sigmask;
+
+  /* Reset the cancellation signal mask in case this thread is running
+     cancellation.  */
+  __sigdelset (&pd->sigmask, SIGCANCEL);
+
   /* Start the thread.  */
   if (__glibc_unlikely (report_thread_creation (pd)))
     {
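Review bot: `pd->sigmask = original_sigmask;` copies the whole sigset_t, but the rt_sigprocmask behind `__libc_signal_block_all` — like the removed call above that passes `_NSIG / 8` — most likely fills only the kernel-sized prefix of `original_sigmask`, so the remainder of the tail is uninitialized stack copied into the thread descriptor. This is harmless for `__libc_signal_restore_set`, which presumably passes the same length back, but it is exactly the sizing issue the description raises and it will show up under MemorySanitizer/valgrind; `sigset_t original_sigmask; __sigemptyset (&original_sigmask);` before the block call, or the internal kernel-sized type the description suggests, would close it. I would also document why `__sigdelset (&pd->sigmask, SIGCANCEL)` is now unconditional, e.g. `/* pthread_sigmask never lets applications block SIGCANCEL, so it can only be blocked here by this thread's own cancellation handling.  */` — confirm that filtering holds on every path. The body of the `report_thread_creation` branch that follows lies outside the hunk.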
@@ -817,6 +816,10 @@ __pthread_create_2_1 (pthread_t *newthread, const pthread_attr_t *attr,
     retval = create_thread (pd, iattr, &stopped_start,
 			    STACK_VARIABLES_ARGS, &thread_ran);
 
+  /* Return to the previous signal mask, after creating the new
+     thread.  */
+  __libc_signal_restore_set (&original_sigmask);
+
   if (__glibc_unlikely (retval != 0))
     {
       if (thread_ran)
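Review bot: Between `__libc_signal_block_all (&original_sigmask)` and this `__libc_signal_restore_set (&original_sigmask)` the creating thread runs with every signal blocked, including SIGCANCEL and SIGSETXID, so any early `return` or `goto` added to the `report_thread_creation` / `create_thread` paths in between (those branch bodies are outside the hunk) would leak the fully blocked mask into the caller. A one-line comment at the restore, `/* Every path from __libc_signal_block_all must reach this point; do not return early while signals are blocked.  */`, would make the invariant explicit. The rest of `__pthread_create_2_1` continues outside the hunk.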
-- 
2.17.1

