projects / musl / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fix use of uninitialized memory with application-provided thread stacks
[musl] / src / thread / pthread_create.c
1 #define _GNU_SOURCE
2 #include "pthread_impl.h"
3 #include "stdio_impl.h"
4 #include "libc.h"
5 #include <sys/mman.h>
6 #include <string.h>
7
8 static void dummy_0()
9 {
10 }
11 weak_alias(dummy_0, __acquire_ptc);
12 weak_alias(dummy_0, __release_ptc);
13 weak_alias(dummy_0, __pthread_tsd_run_dtors);
14 weak_alias(dummy_0, __do_private_robust_list);
15
16 _Noreturn void pthread_exit(void *result)
17 {
18         pthread_t self = __pthread_self();
19         sigset_t set;
20
21         self->result = result;
22
23         while (self->cancelbuf) {
24                 void (*f)(void *) = self->cancelbuf->__f;
25                 void *x = self->cancelbuf->__x;
26                 self->cancelbuf = self->cancelbuf->__next;
27                 f(x);
28         }
29
30         __pthread_tsd_run_dtors();
31
32         __lock(self->exitlock);
33
34         /* Mark this thread dead before decrementing count */
35         __lock(self->killlock);
36         self->dead = 1;
37
38         /* Block all signals before decrementing the live thread count.
39          * This is important to ensure that dynamically allocated TLS
40          * is not under-allocated/over-committed, and possibly for other
41          * reasons as well. */
42         __block_all_sigs(&set);
43
44         /* Wait to unlock the kill lock, which governs functions like
45          * pthread_kill which target a thread id, until signals have
46          * been blocked. This precludes observation of the thread id
47          * as a live thread (with application code running in it) after
48          * the thread was reported dead by ESRCH being returned. */
49         __unlock(self->killlock);
50
51         /* It's impossible to determine whether this is "the last thread"
52          * until performing the atomic decrement, since multiple threads
53          * could exit at the same time. For the last thread, revert the
54          * decrement and unblock signals to give the atexit handlers and
55          * stdio cleanup code a consistent state. */
56         if (a_fetch_add(&libc.threads_minus_1, -1)==0) {
57                 libc.threads_minus_1 = 0;
58                 __restore_sigs(&set);
59                 exit(0);
60         }
61
62         if (self->locale != &libc.global_locale) {
63                 a_dec(&libc.uselocale_cnt);
64                 if (self->locale->ctype_utf8)
65                         a_dec(&libc.bytelocale_cnt_minus_1);
66         }
67
68         __do_private_robust_list();
69
70         if (self->detached && self->map_base) {
71                 /* Detached threads must avoid the kernel clear_child_tid
72                  * feature, since the virtual address will have been
73                  * unmapped and possibly already reused by a new mapping
74                  * at the time the kernel would perform the write. In
75                  * the case of threads that started out detached, the
76                  * initial clone flags are correct, but if the thread was
77                  * detached later (== 2), we need to clear it here. */
78                 if (self->detached == 2) __syscall(SYS_set_tid_address, 0);
79
80                 /* The following call unmaps the thread's stack mapping
81                  * and then exits without touching the stack. */
82                 __unmapself(self->map_base, self->map_size);
83         }
84
85         for (;;) __syscall(SYS_exit, 0);
86 }
87
88 void __do_cleanup_push(struct __ptcb *cb)
89 {
90         if (!libc.has_thread_pointer) return;
91         struct pthread *self = __pthread_self();
92         cb->__next = self->cancelbuf;
93         self->cancelbuf = cb;
94 }
95
96 void __do_cleanup_pop(struct __ptcb *cb)
97 {
98         if (!libc.has_thread_pointer) return;
99         __pthread_self()->cancelbuf = cb->__next;
100 }
101
102 static int start(void *p)
103 {
104         pthread_t self = p;
105         if (self->startlock[0]) {
106                 __wait(self->startlock, 0, 1, 1);
107                 if (self->startlock[0]) {
108                         self->detached = 2;
109                         pthread_exit(0);
110                 }
111                 __restore_sigs(self->sigmask);
112         }
113         if (self->unblock_cancel)
114                 __syscall(SYS_rt_sigprocmask, SIG_UNBLOCK,
115                         SIGPT_SET, 0, _NSIG/8);
116         pthread_exit(self->start(self->start_arg));
117         return 0;
118 }
119
120 #define ROUND(x) (((x)+PAGE_SIZE-1)&-PAGE_SIZE)
121
122 /* pthread_key_create.c overrides this */
123 static volatile size_t dummy = 0;
124 weak_alias(dummy, __pthread_tsd_size);
125 static void *dummy_tsd[1] = { 0 };
126 weak_alias(dummy_tsd, __pthread_tsd_main);
127
128 static FILE *volatile dummy_file = 0;
129 weak_alias(dummy_file, __stdin_used);
130 weak_alias(dummy_file, __stdout_used);
131 weak_alias(dummy_file, __stderr_used);
132
133 static void init_file_lock(FILE *f)
134 {
135         if (f && f->lock<0) f->lock = 0;
136 }
137
138 void *__copy_tls(unsigned char *);
139
140 int pthread_create(pthread_t *restrict res, const pthread_attr_t *restrict attrp, void *(*entry)(void *), void *restrict arg)
141 {
142         int ret;
143         size_t size, guard;
144         struct pthread *self, *new;
145         unsigned char *map = 0, *stack = 0, *tsd = 0, *stack_limit;
146         unsigned flags = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND
147                 | CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS
148                 | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID | CLONE_DETACHED;
149         int do_sched = 0;
150         pthread_attr_t attr = {0};
151
152         if (!libc.can_do_threads) return ENOSYS;
153         self = __pthread_self();
154         if (!libc.threaded) {
155                 for (FILE *f=libc.ofl_head; f; f=f->next)
156                         init_file_lock(f);
157                 init_file_lock(__stdin_used);
158                 init_file_lock(__stdout_used);
159                 init_file_lock(__stderr_used);
160                 __syscall(SYS_rt_sigprocmask, SIG_UNBLOCK, SIGPT_SET, 0, _NSIG/8);
161                 self->tsd = (void **)__pthread_tsd_main;
162                 libc.threaded = 1;
163         }
164         if (attrp) attr = *attrp;
165
166         __acquire_ptc();
167
168         if (attr._a_stackaddr) {
169                 size_t need = libc.tls_size + __pthread_tsd_size;
170                 size = attr._a_stacksize + DEFAULT_STACK_SIZE;
171                 stack = (void *)(attr._a_stackaddr & -16);
172                 stack_limit = (void *)(attr._a_stackaddr - size);
173                 /* Use application-provided stack for TLS only when
174                  * it does not take more than ~12% or 2k of the
175                  * application's stack space. */
176                 if (need < size/8 && need < 2048) {
177                         tsd = stack - __pthread_tsd_size;
178                         stack = tsd - libc.tls_size;
179                         memset(stack, 0, need);
180                 } else {
181                         size = ROUND(need);
182                         guard = 0;
183                 }
184         } else {
185                 guard = ROUND(DEFAULT_GUARD_SIZE + attr._a_guardsize);
186                 size = guard + ROUND(DEFAULT_STACK_SIZE + attr._a_stacksize
187                         + libc.tls_size +  __pthread_tsd_size);
188         }
189
190         if (!tsd) {
191                 if (guard) {
192                         map = mmap(0, size, PROT_NONE, MAP_PRIVATE|MAP_ANON, -1, 0);
193                         if (map == MAP_FAILED) goto fail;
194                         if (mprotect(map+guard, size-guard, PROT_READ|PROT_WRITE)) {
195                                 munmap(map, size);
196                                 goto fail;
197                         }
198                 } else {
199                         map = mmap(0, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0);
200                         if (map == MAP_FAILED) goto fail;
201                 }
202                 tsd = map + size - __pthread_tsd_size;
203                 if (!stack) {
204                         stack = tsd - libc.tls_size;
205                         stack_limit = map + guard;
206                 }
207         }
208
209         new = __copy_tls(tsd - libc.tls_size);
210         new->map_base = map;
211         new->map_size = size;
212         new->stack = stack;
213         new->stack_size = stack - stack_limit;
214         new->start = entry;
215         new->start_arg = arg;
216         new->self = new;
217         new->tsd = (void *)tsd;
218         new->locale = &libc.global_locale;
219         if (attr._a_detach) {
220                 new->detached = 1;
221                 flags -= CLONE_CHILD_CLEARTID;
222         }
223         if (attr._a_sched) {
224                 do_sched = new->startlock[0] = 1;
225                 __block_app_sigs(new->sigmask);
226         }
227         new->unblock_cancel = self->cancel;
228         new->canary = self->canary;
229
230         a_inc(&libc.threads_minus_1);
231         ret = __clone(start, stack, flags, new, &new->tid, TP_ADJ(new), &new->tid);
232
233         __release_ptc();
234
235         if (do_sched) {
236                 __restore_sigs(new->sigmask);
237         }
238
239         if (ret < 0) {
240                 a_dec(&libc.threads_minus_1);
241                 if (map) munmap(map, size);
242                 return EAGAIN;
243         }
244
245         if (do_sched) {
246                 ret = __syscall(SYS_sched_setscheduler, new->tid,
247                         attr._a_policy, &attr._a_prio);
248                 a_store(new->startlock, ret<0 ? 2 : 0);
249                 __wake(new->startlock, 1, 1);
250                 if (ret < 0) return -ret;
251         }
252
253         *res = new;
254         return 0;
255 fail:
256         __release_ptc();
257         return EAGAIN;
258 }
musl