From: Radostin Stoyanov <rstoyanov1@gmail.com>
To: musl@lists.openwall.com, Rich Felker <dalias@aerifal.cx>, nsz@port70.net
Cc: "Andrei Vagin (C)" <avagin@gmail.com>, gorcunov@gmail.com
Subject: Re: Re: seccomp causes pthread_join() to hang
Date: Wed, 26 Jun 2019 14:43:31 +0100 [thread overview]
Message-ID: <deb2c0ab-cf15-51e3-d208-293542d3fd48@gmail.com> (raw)
In-Reply-To: <20190626112528.GO16415@port70.net>
On 26/06/2019 12:25, Szabolcs Nagy wrote:
> * Radostin Stoyanov <rstoyanov1@gmail.com> [2019-06-26 08:30:34 +0100]:
>> On 26/06/2019 00:26, Rich Felker wrote:
>>> Any configuration
>>> that results in a thread being terminated out from under the process
>>> has all sorts of extremely dangerous conditions with memory/locks
>>> being left in inconsistent state, tid reuse while the application
>>> thinks the old thread is still alive, etc., and fundamentally can't be
>>> supported. What you're seeing is exposure of a serious existing
>>> problem with this seccomp usage, not a regression.
>> I wrote "Regression: Yes" because this bug was recently introduced and it
>> does not occur in previous versions.
>>
>> IMHO causing pthread_join() to hang when a thread has been terminated is not
>> expected behaviour, at least because the man page for pthread_join(3)
>> states:
> the point is that if *any* libc api is used in the killed thread
> or a libc api is used to create that thread fundamentally breaks
> assumptions the c runtime may rely on and thus *any* libc call
> after the kill is undefined.
>
> so it's not just pthread_join that's broken but *everything*.
>
> this affects glibc too and old musl too, even if you may only
> observe the particlar pthread_join problem with a current musl.
>
> if the killed thread was in a signal handler that interrupted
> arbitrary libc operation then it obviously breaks everything,
> but even without that the libc will hold onto thread specific
> internal state and whenever that is used it can cause problems
> (in case of musl it is used in pthread_join, glibc uses it e.g.
> for set*id operations)
Thank you for the explanation Rich and Szabolcs!
The test case we have for CRIU is essentially loading a seccomp filter,
performing a checkpoint/restore and then verifies that the seccomp
filter was restored.
Assuming that behaviour of pthread_join is undefined when the thread has
been terminated by seccomp, we can refactor the test case to work around
the issue.
Radostin
next prev parent reply other threads:[~2019-06-26 13:43 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-25 23:18 Radostin Stoyanov
2019-06-25 23:26 ` Rich Felker
2019-06-26 7:30 ` Radostin Stoyanov
2019-06-26 11:25 ` Szabolcs Nagy
2019-06-26 13:43 ` Radostin Stoyanov [this message]
2019-06-26 15:33 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=deb2c0ab-cf15-51e3-d208-293542d3fd48@gmail.com \
--to=rstoyanov1@gmail.com \
--cc=avagin@gmail.com \
--cc=dalias@aerifal.cx \
--cc=gorcunov@gmail.com \
--cc=musl@lists.openwall.com \
--cc=nsz@port70.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).