mirror of
git://git.musl-libc.org/musl
synced 2024-12-12 09:45:45 +00:00
fix lost or delayed wakes in sem_post under certain race conditions
if sem_post is interrupted between clearing the waiters bit from the
semaphore value and performing the futex wait operation, subsequent
calls to sem_post will not perform a wake operation unless a new
waiter has arrived.
usually, this is at most a minor nuisance, since the original wake
operation will eventually happen. however, it's possible that the wake
is delayed indefinitely if interrupted by a signal handler, or that
the address the wake needs to be performed on is no longer mapped if
the semaphore was a process-shared one that has since been unmapped
but has a waiter on a different mapping of the same semaphore. this
can happen when another thread using the same mapping "steals the
post" atomically before actually becoming a second waiter, deduces
from success that it was the last user of the semaphore mapping, then
re-posts and unmaps the semaphore mapping. this scenario was described
in a report by Markus Wichmann.
instead of checking only the waiters bit, also check the waiter count
that was sampled before the atomic post operation, and perform the
wake if it's nonzero. this will not produce any additional wakes under
non-race conditions, since the waiters bit only becomes zero when
targeting a single waiter for wake. checking both was already the
behavior prior to commit 159d1f6c02
.
This commit is contained in:
parent
b09e3174a6
commit
882aedf6a1
@ -16,6 +16,6 @@ int sem_post(sem_t *sem)
|
||||
if (waiters <= 1)
|
||||
new &= ~0x80000000;
|
||||
} while (a_cas(sem->__val, val, new) != val);
|
||||
if (val<0) __wake(sem->__val, waiters>1 ? 1 : -1, priv);
|
||||
if (val<0 || waiters) __wake(sem->__val, waiters>1 ? 1 : -1, priv);
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user