Re: Fix pthread_create on some devices failing to initialize guard area

[Rich Felker <dalias@libc.org>]

On Fri, Jan 20, 2017 at 11:45:09AM -0800, Eric Hassold wrote:
> Hi All,
> 
> While deploying test static executable across farm of different
> embedded systems, found out that pthread_create() is failing
> systematically on some (very few) arm-linux devices whenever non
> null stack guard is enabled (that is, also when calling
> pthread_create with default - i.e. null - attributes since default
> is a one page of guard). One of those device is for example a
> Marvell Armada 375 running Linux 3.10.39. Same test code, built with
> alternative libc implementations (glibc, uClibc) works as expected
> on those devices.
> 
> 
> Issue
> 
> This occurs because of call to mprotect() in pthread_create fails.
> In current implementation, if guard size is non null, memory for
> (guard + stack + ...) is first allocated (mmap'ed) with no
> accessibility (PROT_NONE), then mprotect() is called to re-enable
> read/write access to (memory + guardsize). Since call to mprotect()
> systematically fails in this scenario (returning error code EINVAL),
> it is impossible to create thread.

Failure is ignored and the memory is assumed to be writable in this
case, since EINVAL is assumed to imply no MMU. Is this assumption
wrong in your case, and if so, can you explain why?

> Patch
> 
> In proposed patch (attached below), memory for (guard + stack + ...)
> is first mmap'ed with read/write accessibility, then guard area is
> protected by calling mprotect() with PROT_NONE on guardsize first
> bytes of returned memory. This call to mprotect() to remove all
> accessibility on guard area, with guard area being at beginning of
> previously mmap'ed memory, works correctly on those platforms having
> issue with current implementation. Incidentally, this makes the
> logic more concise to handle both cases (with or without guard) is a
> more consistent way, and handle systems with partial/invalid page
> protection implementation (e.g. mprotect() returning ENOSYS) more
> gracefully since the stack is explicitly created with read/write
> access.

This doesn't work correctly on normal systems with mmu, because the
size of the guard pages is accounted against commit charge. Linux
should, but AFAIK doesn't, subtract it from commit charge once it's
changed to PROT_NONE without having been dirtied, but even if this bug
is fixed on the kernel side, there would still be a moment where
excess commit charge is consumed and thus where pthread_create might
spuriously fail or cause allocations in other processes/threads to
fail.

If the kernel is not allocating actually-usable address ranges for
PROT_NONE on all nommu systems, I think the only solution is to handle
EINVAL from mprotect by going back and re-doing the mmap with
PROT_READ|PROT_WRITE. Do you have any better ideas?

Rich