On 13/12/2016 20:05, Bryan Drewery wrote:
> Author: bdrewery
> Date: Tue Dec 13 18:05:14 2016
> New Revision: 310025
> URL: https://svnweb.freebsd.org/changeset/base/310025
>
> Log:
> Take write lock for rtld_bind before modifying obj_list in
> dl_iterate_phdr().

What are typical callers of dl_iterate_phdr()? In what scenarios would this bug typically be hit?
Thank you!

> This avoids a race with readers such as dladdr(3)/dlinfo(3)/dlsym(3) and
> the atexit(3) handler. This race was introduced in r294373.
>
> Reviewed by: markj, kib, kan
> MFC after: 2 weeks
> Sponsored by: Dell EMC Isilon
>
> Modified:
> head/libexec/rtld-elf/rtld.c
>
> Modified: head/libexec/rtld-elf/rtld.c > ============================================================================== > --- head/libexec/rtld-elf/rtld.c Tue Dec 13 16:53:58 2016 > (r310024) > +++ head/libexec/rtld-elf/rtld.c Tue Dec 13 18:05:14 2016 > (r310025) > @@ -3549,7 +3549,7 @@ dl_iterate_phdr(__dl_iterate_hdr_callbac > error = 0; > > wlock_acquire(rtld_phdr_lock, &phdr_lockstate); > - rlock_acquire(rtld_bind_lock, &bind_lockstate); > + wlock_acquire(rtld_bind_lock, &bind_lockstate); > for (obj = globallist_curr(TAILQ_FIRST(&obj_list)); obj != NULL;) { > TAILQ_INSERT_AFTER(&obj_list, obj, &marker, next); > rtld_fill_dl_phdr_info(obj, &phdr_info); > @@ -3557,7 +3557,7 @@ dl_iterate_phdr(__dl_iterate_hdr_callbac > > error = callback(&phdr_info, sizeof phdr_info, param); > > - rlock_acquire(rtld_bind_lock, &bind_lockstate); > + wlock_acquire(rtld_bind_lock, &bind_lockstate); > obj = globallist_next(&marker); > TAILQ_REMOVE(&obj_list, &marker, next); > if (error != 0) { >

--
Andriy Gapon
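
Review bot: Both wlock_acquire(rtld_bind_lock, &bind_lockstate) sites lack a comment saying why a write lock is required, namely that TAILQ_INSERT_AFTER(&obj_list, obj, &marker, next) in the first hunk and TAILQ_REMOVE(&obj_list, &marker, next) in the second modify the shared obj_list. Without that comment the loop reads like plain iteration and the acquire is easy to downgrade back to rlock_acquire in a later cleanup. In the second hunk the lock is re-taken after callback() returns, so the release before the callback and the one on the error != 0 path should be confirmed to pair with a write acquire; those lines are outside the visible context.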