fix crash from corrupted tls module list after failed dlopen

commit d56460c939c94a6c547abe8238f442b8de10bfbd introduced this
regression as part of splitting the tls module list out of the dso
list. the new code added to dlopen's failure path to undo the changes
adding the partially-loaded libraries reset the tls_tail pointer
correctly, but did not clear its link to the next list entry. thus, at
least until the next successful dlopen, the list was not terminated
but ended with an invalid next pointer, which __copy_tls attempted to
follow when a new thread was created.

patch by Mikael Vidstedt.

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index c689084..48dcd1c 100644 (file)
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -1686,6 +1686,7 @@ void *dlopen(const char *file, int mode)
                }
                if (!orig_tls_tail) libc.tls_head = 0;
                tls_tail = orig_tls_tail;
+               if (tls_tail) tls_tail->next = 0;
                tls_cnt = orig_tls_cnt;
                tls_offset = orig_tls_offset;
                tls_align = orig_tls_align;