mailing list of musl libc
From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: [musl] doubt about fork
Date: Fri, 3 Apr 2020 12:29:58 -0400
Message-ID: <20200403162958.GC11469@brightrain.aerifal.cx>
In-Reply-To: <20200403092854.GY14278@port70.net>

On Fri, Apr 03, 2020 at 11:28:54AM +0200, Szabolcs Nagy wrote:
> * guolongqiang <guolongqiang@huawei.com> [2020-04-03 06:37:44 +0000]:
> > Hello,
> > I have a problem with multi-threaded fork. The implementation of fork does not lock things such as stdio files,
> > __thread_list_lock, or other global mutexes in musl libc before the SYS_clone syscall; this will
> > cause deadlock in the child. Is this a bug?
> 
> the standard is pretty clear that the child after fork
> in a multi-threaded process can only do async-signal-safe
> operations, anything that may lock is not as-safe.
> 
> https://pubs.opengroup.org/onlinepubs/9699919799/functions/fork.html

Note that future editions of POSIX might change this by removing the
requirement that fork be AS-safe and adding _fork (I may be
misremembering the name but it's something like that) to be AS-safe.
So it's possible this could change in the future. But for now, indeed,
what you can do in the child if a multithreaded process forks is
extremely limited.

As an aside, musl will continue to track the standards, but personally
I'm against any such "improvements" to fork because I'm against fork
itself. Use of fork without immediate exec (that could be replaced by
posix_spawn or vfork) makes software incompatible with an MMU-less
environment and significantly harms security/hardening properties --
all potentially secret data from the parent that hasn't been scrubbed
leaks into the child where it might be disclosed later, and the child
lacks independent ASLR from the parent (see the classic Android Zygote
issue that completely undermined ASLR). It also significantly harms
memory usage accounting and performance by requiring that all of the
parent's memory usage continue to be charged against the child too
even if the child will not use most of it, and by converting all
writable pages in both the parent and child to copy-on-write (making
next access fault). Modern designs should serialize whatever data the
child is actually intending to use and spawn/exec a child that
deserializes it.

Rich
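
The closing recommendation in the message above (serialize what the child needs and spawn/exec a child that deserializes it), shown as an added example that is not part of the original post or of musl. The function name spawn_with_message, the `cat` stand-in worker, the minimal environment and the sample message are assumptions made for illustration; file descriptors 0 and 1 are assumed to be open in the parent.

```c
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn argv[0] as a fresh image, send msg on its stdin, collect its stdout.
 * Returns bytes read or -1. msg must fit in the pipe buffer (written first). */
ssize_t spawn_with_message(char *const argv[], const char *msg, size_t len,
                           char *out, size_t outsz)
{
    /* Constructed minimal environment: the parent's is not passed on. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int to_child[2], from_child[2], status;
    posix_spawn_file_actions_t fa;
    ssize_t total = 0, n;
    pid_t pid;
    if (pipe(to_child)) return -1;
    if (pipe(from_child)) { close(to_child[0]); close(to_child[1]); return -1; }
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, to_child[0], 0);    /* child stdin  */
    posix_spawn_file_actions_adddup2(&fa, from_child[1], 1);  /* child stdout */
    for (int i = 0; i < 2; i++) {  /* child keeps no other copy of the pipes */
        posix_spawn_file_actions_addclose(&fa, to_child[i]);
        posix_spawn_file_actions_addclose(&fa, from_child[i]);
    }
    int err = posix_spawnp(&pid, argv[0], &fa, NULL, argv, envp);
    posix_spawn_file_actions_destroy(&fa);
    close(to_child[0]); close(from_child[1]);
    if (err) { close(to_child[1]); close(from_child[0]); return -1; }
    int ok = write(to_child[1], msg, len) == (ssize_t)len;
    close(to_child[1]);  /* EOF marks the end of the message */
    while (ok && (size_t)total < outsz &&
           (n = read(from_child[0], out + total, outsz - total)) > 0)
        total += n;
    close(from_child[0]);
    waitpid(pid, &status, 0);
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0 ? total : -1;
}

int main(void)
{
    char *argv[] = { "cat", NULL };  /* stand-in for a worker that parses stdin */
    const char *msg = "job=resize;w=640;h=480\n";  /* constructed sample message */
    char out[64];
    ssize_t n = spawn_with_message(argv, msg, strlen(msg), out, sizeof out);
    if (n >= 0) printf("child returned %zd bytes: %.*s", n, (int)n, out);
    return n < 0;
}
```

Because the child is a new process image, it holds only the bytes written to the pipe and gets its own address-space layout; any other parent descriptors still need close-on-exec set to stay out of the child.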