about summary refs log tree commit diff
Commit message (Collapse)AuthorAgeFilesLines
...
* fix segfault in lutimes when tv argument is NULLÉrico Rolim2020-11-291-5/+7
| | | | | | | calling lutimes with tv=0 is valid if the application wants to set the timestamps to the current time. this commit makes it so the timespec struct is populated with values from tv only if tv != 0 and calls utimensat with times=0 if tv == 0.
* netinet/in.h: add IP_RECVERR_4884 from linux v5.9Szabolcs Nagy2020-11-291-0/+1
| | | | | | | see linux commit eba75c587e811d3249c8bd50d22bb2266ccd3c0f icmp: support rfc 4884
* sys/fanotify.h: add new FAN_* macros from linux v5.9Szabolcs Nagy2020-11-291-0/+4
| | | | | | | | | | | | | | | | | Update fanotify.h, see linux commit 929943b38daf817f2e6d303ea04401651fc3bc05 fanotify: add support for FAN_REPORT_NAME linux commit 83b7a59896dd24015a34b7f00027f0ff3747972f fanotify: add basic support for FAN_REPORT_DIR_FID linux commit 08b95c338e0c5a96e47f4ca314ea1e7580ecb5d7 fanotify: remove event FAN_DIR_MODIFY FAN_DIR_MODIFY that was new in v5.7 is now removed from linux uapi, but kept in musl, so we don't break api, linux cannot reuse the value anyway.
* bits/syscall.h: add __NR_close_range from linux v5.9Szabolcs Nagy2020-11-2916-0/+16
| | | | | | | | | | see linux commit 9b4feb630e8e9801603f3cab3a36369e3c1cf88d arch: wire-up close_range() linux commit 278a5fbaed89dacd04e9d052f4594ffd0e0585de open: add close_range()
* add missing personality valuesWilliam Woodruff2020-11-291-0/+3
| | | | | | | Adds two missing personality(2) personas: UNAME26 and FDPIC_FUNCPTRS. FDPIC_FUNCPTRS was also missing its corresponding PER_LINUX_FDPIC value.
* arm fabs and sqrt: support single-precision-only fpu variantsJinliang Li2020-11-292-2/+2
|
* fix typo in INSTALLÉrico Rolim2020-11-291-1/+1
| | | | "big-engian" should be "big-endian".
* work around linux bug in readlink syscall with zero buffer sizeRich Felker2020-11-232-3/+17
| | | | | | | | | | linux fails with EINVAL when a zero buffer size is passed to the syscall. this is non-conforming because POSIX already defines EINVAL with a significantly different meaning: the target is not a symlink. since the request is semantically valid, patch it up by using a dummy buffer of length one, and truncating the return value to zero if it succeeds.
* parse v3 or future-unknown zoneinfo file versions as v2+Rich Felker2020-11-221-1/+1
| | | | | | | | the v1 zoneinfo format with 32-bit time is deprecated. previously, the v2 parsing code was only used if an exact match for '2' was found in the version field of the header. this was already incorrect for v3 files (trivial differences from v2 that arguably didn't merit a new version number anyway) but also failed to be future-proof.
* explicitly prefer 64-bit/v2 zoneinfo tablesRich Felker2020-11-221-1/+1
| | | | | | | | | since commit 38143339646a4ccce8afe298c34467767c899f51, the condition sizeof(time_t) > 4 is always true, so there is no functional change being made here. but semantically, the 64-bit tables should always be preferred now, because upstream zic (zoneinfo compiler) has quietly switched to emitting empty 32-bit tables by default, and the resulting backwards-incompatible zoneinfo files will be encountered in the wild.
* fix regression in pthread_exitRich Felker2020-11-202-1/+3
| | | | | | | | | | | | | | | commit d26e0774a59bb7245b205bc8e7d8b35cc2037095 moved the detach state transition at exit before the thread list lock was taken. this inadvertently allowed pthread_join to race to take the thread list lock first, and proceed with unmapping of the exiting thread's memory. we could fix this by just revering the offending commit and instead performing __vm_wait unconditionally before taking the thread list lock, but that may be costly. instead, bring back the old DT_EXITING vs DT_EXITED state distinction that was removed in commit 8f11e6127fe93093f81a52b15bb1537edc3fc8af, and don't transition to DT_EXITED (a value of 0, which is what pthread_join waits for) until after the lock has been taken.
* rewrite wcsnrtombs to fix buffer overflow and other bugsRich Felker2020-11-191-27/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the original wcsnrtombs implementation, which has been largely untouched since 0.5.0, attempted to build input-length-limiting conversion on top of wcsrtombs, which only limits output length. as best I recall, this choice was made out of a mix of disdain over having yet another variant function to implement (added in POSIX 2008; not standard C) and preference not to switch things around and implement the wcsrtombs in terms of the more general new function, probably over namespace issues. the strategy employed was to impose output limits that would ensure the input limit wasn't exceeded, then finish up the tail character-at-a-time. unfortunately, none of that worked correctly. first, the logic in the wcsrtombs loop was wrong in that it could easily get stuck making no forward progress, by imposing an output limit too small to convert even one character. the character-at-a-time loop that followed was even worse. it made no effort to ensure that the converted multibyte character would fit in the remaining output space, only that there was a nonzero amount of output space remaining. it also employed an incorrect interpretation of wcrtomb's interface contract for converting the null character, thereby failing to act on end of input, and remaining space accounting was subject to unsigned wrap-around. together these errors allow unbounded overflow of the destination buffer, controlled by input length limit and input wchar_t string contents. given the extent to which this function was broken, it's plausible that most applications that would have been rendered exploitable were sufficiently broken not to be usable in the first place. however, it's also plausible that common (especially ASCII-only) inputs succeeded in the wcsrtombs loop, which mostly worked, while leaving the wildly erroneous code in the second loop exposed to particular non-ASCII inputs. CVE-2020-28928 has been assigned for this issue.
* protect destruction of process-shared mutexes against robust list racesRich Felker2020-11-191-1/+5
| | | | | | | | | | | | | | | after a non-normal-type process-shared mutex is unlocked, it's immediately available to another thread to lock, unlock, and destroy, but the first unlocking thread may still have a pointer to it in its robust_list pending slot. this means, on async process termination, the kernel may attempt to access and modify the memory that used to contain the mutex -- memory that may have been reused for some other purpose after the mutex was destroyed. setting up for this kind of race to occur is difficult to begin with, requiring dynamic use of shared memory maps, and actually hitting the race is very difficult even with a suitable setup. so this is mostly a theoretical fix, but in any case the cost is very low.
* pthread_exit: don't __vm_wait under thread list lockRich Felker2020-11-191-9/+15
| | | | | | | | | | | | | | | the __vm_wait operation can delay forward progress arbitrarily long if a thread holding the lock is interrupted by a signal. in a worst case this can deadlock. any critical section holding the thread list lock must respect lock ordering contracts and must not take any lock which is not AS-safe. to fix, move the determination of thread joinable/detached state to take place before the killlock and thread list lock are taken. this requires reverting the atomic state transition if we determine that the exiting thread is the last thread and must call exit, but that's easy to do since it's a single-threaded context with application signals blocked.
* lift child restrictions after multi-threaded forkRich Felker2020-11-1117-4/+170
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | as the outcome of Austin Group tracker issue #62, future editions of POSIX have dropped the requirement that fork be AS-safe. this allows but does not require implementations to synchronize fork with internal locks and give forked children of multithreaded parents a partly or fully unrestricted execution environment where they can continue to use the standard library (per POSIX, they can only portably use AS-safe functions). up until recently, taking this allowance did not seem desirable. however, commit 8ed2bd8bfcb4ea6448afb55a941f4b5b2b0398c0 exposed the extent to which applications and libraries are depending on the ability to use malloc and other non-AS-safe interfaces in MT-forked children, by converting latent very-low-probability catastrophic state corruption into predictable deadlock. dealing with the fallout has been a huge burden for users/distros. while it looks like most of the non-portable usage in applications could be fixed given sufficient effort, at least some of it seems to occur in language runtimes which are exposing the ability to run unrestricted code in the child as part of the contract with the programmer. any attempt at fixing such contracts is not just a technical problem but a social one, and is probably not tractable. this patch extends the fork function to take locks for all libc singletons in the parent, and release or reset those locks in the child, so that when the underlying fork operation takes place, the state protected by these locks is consistent and ready for the child to use. locking is skipped in the case where the parent is single-threaded so as not to interfere with legacy AS-safety property of fork in single-threaded programs. lock order is mostly arbitrary, but the malloc locks (including bump allocator in case it's used) must be taken after the locks on any subsystems that might use malloc, and non-AS-safe locks cannot be taken while the thread list lock is held, imposing a requirement that it be taken last.
* convert malloc use under libc-internal locks to use internal allocatorRich Felker2020-11-118-0/+41
| | | | | | | | | | | | | this change lifts undocumented restrictions on calls by replacement mallocs to libc functions that might take these locks, and sets the stage for lifting restrictions on the child execution environment after multithreaded fork. care is taken to #define macros to replace all four functions (malloc, calloc, realloc, free) even if not all of them will be used, using an undefined symbol name for the ones intended not to be used so that any inadvertent future use will be caught at compile time rather than directed to the wrong implementation.
* give libc access to its own malloc even if public malloc is interposedRich Felker2020-11-117-1/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | allowing the application to replace malloc (since commit c9f415d7ea2dace5bf77f6518b6afc36bb7a5732) has brought multiple headaches where it's used from various critical sections in libc components. for example: - the thread-local message buffers allocated for dlerror can't be freed at thread exit time because application code would then run in the context of a non-existant thread. this was handled in commit aa5a9d15e09851f7b4a1668e9dbde0f6234abada by queuing them for free later. - the dynamic linker has to be careful not to pass memory allocated at early startup time (necessarily using its own malloc) to realloc or free after redoing relocations with the application and all libraries present. bugs in this area were fixed several times, at least in commits 0c5c8f5da6e36fe4ab704bee0cd981837859e23f and 2f1f51ae7b2d78247568e7fdb8462f3c19e469a4 and possibly others. - by calling the allocator from contexts where libc-internal locks are held, we impose undocumented requirements on alternate malloc implementations not to call into any libc function that might attempt to take these locks; if they do, deadlock results. - work to make fork of a multithreaded parent give the child an unrestricted execution environment is blocked by lock order issues as long as the application-provided allocator can be called with libc-internal locks held. these problems are all fixed by giving libc internals access to the original, non-replaced allocator, for use where needed. it can't be used everywhere, as some interfaces like str[n]dup, open_[w]memstream, getline/getdelim, etc. are required to provide the called memory obtained as if by (the public) malloc. and there are a number of libc interfaces that are "pure library" code, not part of some internal singleton, and where using the application's choice of malloc implementation is preferable -- things like glob, regex, etc. one might expect there to be significant cost to static-linked programs, pulling in two malloc implementations, one of them mostly-unused, if malloc is replaced. however, in almost all of the places where malloc is used internally, care has been taken already not to pull in realloc/free (i.e. to link with just the bump allocator). this size optimization carries over automatically. the newly-exposed internal allocator functions are obtained by renaming the actual definitions, then adding new wrappers around them with the public names. technically __libc_realloc and __libc_free could be aliases rather than needing a layer of wrapper, but this would almost surely break certain instrumentation (valgrind) and the size and performance difference is negligible. __libc_calloc needs to be handled specially since calloc is designed to work with either the internal or the replaced malloc. as a bonus, this change also eliminates the longstanding ugly dependency of the static bump allocator on order of object files in libc.a, by making it so there's only one definition of the malloc function and having it in the same source file as the bump allocator.
* drop use of getdelim/stdio in dynamic linkerRich Felker2020-11-111-5/+22
| | | | | | | | | | | | | | | | | | | | | | | | | the only place stdio was used here was for reading the ldso path file, taking advantage of getdelim to automatically allocate and resize the buffer. the motivation for use here was that, with shared libraries, stdio is already available anyway and free to use. this has long been a nuisance to users because getdelim's use of realloc here triggered a valgrind bug, but removing it doesn't really fix that; on some archs even calling the valgrind-interposed malloc at this point will crash. the actual motivation for this change is moving towards getting rid of use of application-provided malloc in parts of libc where it would be called with libc-internal locks held, leading to the possibility of deadlock if the malloc implementation doesn't follow unwritten rules about which libc functions are safe for it to call. since getdelim is required to produce a pointer as if by malloc (i.e. that can be passed to reallor or free), it necessarily must use the public malloc. instead of performing a realloc loop as the path file is read, first query its size with fstat and allocate only once. this produces slightly different truncation behavior when racing with writes to a file, but neither behavior is or could be made safe anyway; on a live system, ldso path files should be replaced by atomic rename only. the change should also reduce memory waste.
* dlerror: don't gratuitously hold freebuf_queue lock while freeingRich Felker2020-11-111-5/+8
| | | | | | | | | | | | | | | | | | | | | | | | | thread-local buffers allocated for dlerror need to be queued for free at a later time when the owning thread exits, since malloc may be replaced by application code and the exiting context is not valid to call application code from. the code to process queue of pending frees, introduced in commit aa5a9d15e09851f7b4a1668e9dbde0f6234abada, gratuitously held the lock for the entire duration of queue processing, updating the global queue pointer after each free, despite there being no logical requirement that all frees finish before another thread can access the queue. instead, immediately claim the whole queue for freeing and release the lock, then walk the list and perform frees without the lock held. the change is unlikely to make any meaningful difference to performance, but it eliminates one point where the allocator is called under an internal lock. since the allocator may be application-provided, such calls are undesirable because they allow application code to impede forward progress of libc functions in other threads arbitrarily long, and to induce deadlock if it calls a libc function that requires the same lock. the change also eliminates a lock ordering consideration that's an impediment upcoming work with multithreaded fork.
* fix vector types in aarch64 register file structuresRich Felker2020-11-112-3/+3
| | | | | | | | | | the ABI type for the vector registers in fpregset_t, struct fpsimd_context, and struct user_fpsimd_struct is __uint128_t, which was presumably originally not used because it's a nonstandard type, but its existence is mandated by the aarch64 psABI. use of the wrong type here broke software using these structures, and encouraged incorrect fixes with casts rather than reinterpretation of representation.
* fix erroneous pthread_cond_wait mutex waiter count logic due to typoRich Felker2020-10-301-1/+1
| | | | introduced in commit 27b2fc9d6db956359727a66c262f1e69995660aa.
* fix missing-wake regression in pthread_cond_waitRich Felker2020-10-301-0/+5
| | | | | | | | | | | | | | | the reasoning in commit 2d0bbe6c788938d1332609c014eeebc1dff966ac was not entirely correct. while it's true that setting the waiters flag ensures that the next unlock will perform a wake, it's possible that the wake is consumed by a mutex waiter that has no relationship with the condvar wait queue being processed, which then takes the mutex. when that thread subsequently unlocks, it sees no waiters, and leaves the rest of the condvar queue stuck. bring back the waiter count adjustment, but skip it for PI mutexes, for which a successful lock-after-waiting always sets the waiters bit. if future changes are made to bring this same waiters-bit contract to all lock types, this can be reverted.
* add support for SIGEV_THREAD_ID timersJames Y Knight2020-10-282-5/+19
| | | | | This is like SIGEV_SIGNAL, but targeted to a particular thread's tid, rather than the process.
* fix sem_close unmapping of still-referenced semaphoreRich Felker2020-10-281-3/+5
| | | | | | | | | | | | | sem_open is required to return the same sem_t pointer for all references to the same named semaphore when it's opened more than once in the same process. thus we keep a table of all the mapped semaphores and their reference counts. the code path for sem_close checked the reference count, but then proceeded to unmap the semaphore regardless of whether the count had reached zero. add an immediate unlock-and-return for the nonzero refcnt case so the property of performing the munmap syscall after releasing the lock can be preserved.
* refactor setxid return path to use __syscall_retRich Felker2020-10-271-14/+9
| | | | | this avoids some spurious negation and duplicated errno logic, and brings the code in line with the newly-added multithreaded setgroups.
* ldso: notify the debugger when we're doing a dlopenrcombs2020-10-271-2/+6
| | | | | Otherwise lldb doesn't notice the new library and stack traces containing it get cut off unhelpfully.
* fix setgroups behavior in multithreaded processRich Felker2020-10-271-1/+29
| | | | | | this function is outside the scope of the standards, but logically should behave like the set*id functions whose effects are process-global.
* avoid __synccall for setrlimit on kernels with prlimit syscallRich Felker2020-10-271-20/+17
| | | | | | resource limits have been process-wide since linux 2.6.10, and the prlimit syscall was added in 2.6.36, so prlimit can be assumed to set the resource limits correctly for the whole process.
* fix reintroduction of errno clobbering by atfork handlersRich Felker2020-10-261-0/+3
| | | | | | | | | | commit bd153422f28634bb6e53f13f80beb8289d405267 reintroduced the bug fixed in c21051e90cd27a0b26be0ac66950b7396a156ba1 by refactoring the __syscall_ret into _Fork where it once again runs before the atfork handlers are called. since _Fork is a public interface that sets errno, this can't be fixed the way it was fixed last time without making new internal interfaces. instead, just save errno, and restore it only on error to ensure that a value of 0 is never restored.
* fix pthread_cond_wait paired with with priority-inheritance mutexRich Felker2020-10-261-6/+5
| | | | | | | | | | | | | | | | | | | | | pthread_cond_wait arranged for requeued waiters to wake when the mutex is unlocked by temporarily adjusting the mutex's waiter count. commit 54ca677983d47529bab8752315ac1a2b49888870 broke this when introducing PI mutexes by repurposing the waiter count field of the mutex structure. since then, for PI mutexes, the waiter count adjustment was misinterpreted by the mutex locking code as indicating that the mutex is non a non-recoverable state. it would be possible to special-case PI mutexes here, but instead just drop all adjustment of the waiters count, and instead use the lock word waiters bit for all mutex types. since the mutex is either held by the caller or in unrecoverable state at the time the bit is set, it will necessarily still be set at the time of any subsequent valid unlock operation, and this will produce the desired effect of waking the next waiter. if waiter counts are entirely dropped at some point in the future this code should still work without modification.
* lift sigaction abort locking to fix posix_spawn child deadlockRich Felker2020-10-241-13/+16
| | | | | | | | | | | | | | | | | | commit 25ea9f712c30c32957de493d4711ee39d0bbb024 introduced a deadlock to the posix_spawn child whereby, if abort was called in the parent and ended up taking the abort lock to terminate the process, the __libc_sigaction calls in the child would wait forever to obtain a lock that would not be released. this could be fixed by having abort set the abort lock as the exit futex address, but it's cleaner to just remove the SIGABRT special handling from the internal __libc_sigaction and lift it to the public sigaction function. nothing but the posix_spawn child calls __libc_sigaction on SIGABRT, and since commit b7bc966522d73e1dc420b5ee6fc7a2e78099a08c the abort lock is held at the time of __clone, which precludes the child inheriting a kernel-level signal disposition inconsistent with the disposition on the abstract machine. this means it's fine to inspect and modify the disposition in the child without a lock.
* update crypt_blowfish to support $2b$ prefixJulien Ramseier2020-10-181-15/+23
| | | | | | | Merge changes from Solar Designer's crypt_blowfish v1.3. This makes crypt_blowfish fully compatible with OpenBSD's bcrypt by adding support for the $2b$ prefix (which behaves the same as crypt_blowfish's $2y$).
* remove unused weak definition of __tl_sync in membarrier.cRich Felker2020-10-141-5/+0
|
* move aio implementation details to a proper internal headerRich Felker2020-10-148-4/+14
| | | | | also fix the lack of declaration (and thus hidden visibility) in __stdio_close's use of __aio_close.
* remove long-unused struct __timer from pthread_impl.hRich Felker2020-10-141-5/+0
| | | | | commit 3990c5c6a40440cdb14746ac080d0ecf8d5d6733 removed the last reference.
* drop use of pthread_once in timer_createRich Felker2020-10-141-10/+7
| | | | | | | | this makes the code slightly smaller and eliminates timer_create from relevance to possible future changes to multithreaded fork. the barrier of a_store isn't technically needed here, but a_store is used anyway for internal consistency of the memory model.
* remove unused SIGTIMER handler in timer_createRich Felker2020-10-141-6/+1
| | | | | | | | | | | this was leftover from when the actual SIGEV_THREAD timer logic was in the signal handler. commit 5b74eed3b301e2227385f3bf26d3bb7c2d822cf8 replaced that with use of sigwaitinfo, with the actual signal left blocked, so the no-op signal handler was no longer serving any purpose. the signal disposition reset to SIG_DFL is still needed, however, in case we inherited SIG_IGN from a foreign-libc process.
* remove incorrect fflush from assert failure handlerRich Felker2020-10-141-1/+0
| | | | | | | assert is not specified to flush open stdio streams, and doing so can block indefinitely waiting for a lock already held or an output operation to a file that can't accept more output until an unsatisfiable condition is met.
* fix getgrouplist when nscd reports an empty listRich Felker2020-10-141-1/+2
| | | | | | | commit 500c6886c654fd45e4926990fee2c61d816be197 broke this by fixing the behavior of fread to conform to the C standard; getgroupslist was assuming the old behavior, that a request to read 1 member of length 0 would return 1, not 0.
* fix posix_spawn interaction with fork and abort by taking lockRich Felker2020-10-141-3/+13
| | | | | | | | | | | | | this change prevents the child created concurrently with abort from seeing the SIGABRT disposition change from SIG_IGN to SIG_DFL (other changes are not visible anyway) and prevents leaking the write end of the child pipe to children created by fork in another thread, which may block return of posix_spawn indefinitely if the forked child does not exit or exec. along with other changes, this suggests that __abort_lock should perhaps eventually be renamed to reflect that it's becoming a broader lock on related "process lifetime" state.
* fix unintended observability of SIGABRT disposition reset via sigactionRich Felker2020-10-141-9/+8
| | | | | | | | | | | the existing abort locking logic in sigaction only accounted for attempts to change the disposition, not attempts to observe the change made by abort. unfortunately the change is still observable in at least one other place: inheritance of signal dispositions across exec and posix_spawn. fixing these is a separate task and it's not even clear whether a complete fix is possible.
* implement _Fork and refactor fork using itRich Felker2020-10-143-9/+16
| | | | | | | the _Fork interface is defined for future issue of POSIX as the outcome of Austin Group issue 62, which drops the AS-safety requirement for fork, and provides an AS-safe replacement that does not run the registered atfork handlers.
* rename fork source fileRich Felker2020-10-141-0/+0
| | | | | this is in preparation for implementing _Fork from POSIX-future, factored as a separate commit to improve readability of history.
* ldso: use pthread_t rather than kernel tid to track ctor visitorRich Felker2020-10-141-3/+3
| | | | | | | | commit 188759bbee057aa94db2bbb7cf7f5855f3b9ab53 documented the intent to allow recursive dlopen based on tracking ctor_visitor, but used a kernel tid rather than the pthread_t to identify the caller. as a result, it would not behave as intended under fork by a ctor, where the child tid would not match.
* fix stale lock when allocation of ctor queue fails during dlopenRich Felker2020-10-141-1/+2
| | | | | | | | | | queue_ctors should not be called with the init_fini_lock held, since it may longjmp out on allocation failure. this introduces a minor TOCTOU race with p->constructed, but one already exists further down anyway, and by design it's okay to run through the queue more than once anyway. the only reason we bother to check p->constructed at all is to avoid spurious failure of dlopen when the library is already fully loaded and constructed.
* drop use of pthread_once in mutexattr kernel support testsRich Felker2020-10-142-21/+18
| | | | | | | | this makes the code slightly smaller and eliminates these functions from relevance to possible future changes to multithreaded fork. the barrier of a_store isn't technically needed here, but a_store is used anyway for internal consistency of the memory model.
* fix missing synchronization of fork with abortRich Felker2020-10-141-0/+3
| | | | | | | | | if the multithreaded parent forked while another thread was calling sigaction for SIGABRT or calling abort, the child could inherit a lock state in which future calls to abort will deadlock, or in which the disposition for SIGABRT has already been reset to SIG_DFL. this is nonconforming since abort is AS-safe and permitted to be called concurrently with fork or in the MT-forked child.
* move __abort_lock to its own file and drop pointless weak_alias trickRich Felker2020-10-144-8/+5
| | | | | | | | the dummy definition of __abort_lock in sigaction.c was performing exactly the same role that putting the lock in its own source file could and should have been used to achieve. while we're moving it, give it a proper declaration.
* fix fork of processes with active async io contextsRich Felker2020-09-283-0/+19
| | | | | | | | | | | | | | previously, if a file descriptor had aio operations pending in the parent before fork, attempting to close it in the child would attempt to cancel a thread belonging to the parent. this could deadlock, fail, or crash the whole process of the cancellation signal handler was not yet installed in the parent. in addition, further use of aio from the child could malfunction or deadlock. POSIX specifies that async io operations are not inherited by the child on fork, so clear the entire aio fd map in the child, and take the aio map lock (with signals blocked) across the fork so that the lock is kept in a consistent state.
* avoid set*id/setrlimit misbehavior and hang in vforked/cloned childRich Felker2020-09-171-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | taking the deprecated/dropped vfork spec strictly, doing pretty much anything but execve in the child is wrong and undefined. however, these are commonly needed operations to setup the child state before exec, and historical implementations tolerated them. for single-threaded parents, these operations already worked as expected in the vforked child. however, due to the need for __synccall to synchronize id/resource limit changes among all threads, calling these functions in the vforked child of a multithreaded parent caused a misdirected broadcast signaling of all threads in the parent. these signals could kill the parent entirely if the synccall signal handler had never been installed in the parent, or could be ignored if it had, or could signal/kill one or more utterly wrong processes if the parent already terminated (due to vfork semantics, only possible via fatal signal) and the parent tids were recycled. in any case, the expected number of semaphore posts would never happen, so the child would permanently hang (with all signals blocked) waiting for them. to mitigate this, and also make the normal usage case work as intended, treat the condition where the caller's actual tid does not match the tid in its thread structure as single-threaded, and bypass the entire synccall broadcast operation.