
Bug 555858

Summary: race between AIO and setresuid()
Product: Red Hat Enterprise Linux 5
Reporter: Jon Thomas <jthomas>
Component: glibc
Assignee: Andreas Schwab <schwab>
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-tools-bugs
Severity: medium
Priority: medium
Version: 5.4
CC: fweimer, jeder, rwheeler
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-02-22 17:43:42 UTC
Attachments: reproducer (flags: none)

Description Jon Thomas 2010-01-15 18:47:00 UTC
Created attachment 384683: reproducer

The race condition is in setresuid(), which in glibc tries to be
smart about threads and change the euid of threads when the euid of
the main program changes. The problem is that this makes setresuid()
non-atomic, which means that if an IO completes during the complex
series of system calls that setresuid() becomes, then the thread
completing the IO may get -1/EPERM back from the rt_sigqueueinfo()
call that it uses to notify its parent of the completing IO. In that
case two things happen:

  1) the signal is never delivered, so the caller is never told that
     the IO has completed

  2) if the caller polls for completion using aio_error() then it
     will see a -1/EPERM result, rather than the real result of the IO

How reproducible:
use the attached tool

Steps to Reproduce:
# gcc -o aio_uid -lrt aio_uid.c
[root]# ./aio_uid /tmp/foo
Timed out waiting for IO (AIO race)

Actual results:
tool fails

Expected results:
tool runs w/o stopping with an error
as when using setreuid() instead of setresuid()
# gcc -o aio_uid -lrt aio_uid.c -DUSE_SETREUID
# ./aio_uid /tmp/foo
.... runs for a while w/o errors

Additional info:
more comments are in the header of the tool
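The report describes two ways the failed rt_sigqueueinfo() shows up to the caller: the completion signal never arrives, and aio_error() reports EPERM instead of the real result. The following is an added example, not the reporter's attached aio_uid.c and not glibc code: it submits one aio_write() with SIGEV_SIGNAL notification on SIGUSR1, polls aio_error() under a deadline, and classifies the outcome so that an EPERM from aio_error() and a missing completion signal are each reported distinctly instead of being mistaken for a write error. It does not perform the setresuid() call that triggers the race (that needs root, which is what the attached tool exercises), so on a healthy system it returns 0. The temp-file path, the payload, the SIGUSR1 choice and the 5 s and 1 s deadlines are constructed for the demo; it assumes glibc 2.34 or later, where the aio functions are in libc (on older glibc add -lrt as in the report's compile line).

```c
// Added example: poll-based AIO completion check that distinguishes the
// two symptoms described in the report (EPERM from aio_error(), and no
// completion signal). Not the attached reproducer and not glibc code.
#define _GNU_SOURCE
#include <aio.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

enum aio_outcome { AIO_DONE = 0, AIO_FAILED = 1, AIO_NOTIFY_EPERM = 2,
                   AIO_TIMEOUT = 3, AIO_NO_SIGNAL = 4 };

struct aio_result {
    enum aio_outcome outcome;
    int err;        /* aio_error() value when the outcome is not AIO_DONE */
    ssize_t nbytes; /* bytes transferred when the outcome is AIO_DONE */
};

static volatile sig_atomic_t notify_count;  /* completion signals received */

static void on_aio_signal(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si; (void)ctx;
    notify_count++;
}

static long elapsed_ms(const struct timespec *start)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - start->tv_sec) * 1000 + (now.tv_nsec - start->tv_nsec) / 1000000;
}

/* Submit buf to fd at offset 0 and wait up to timeout_ms for completion. */
struct aio_result aio_write_and_wait(int fd, const char *buf, size_t len, int timeout_ms)
{
    struct aio_result r = { AIO_FAILED, 0, -1 };
    struct aiocb cb;
    memset(&cb, 0, sizeof cb);
    cb.aio_fildes = fd;
    cb.aio_buf = (volatile void *)buf;
    cb.aio_nbytes = len;
    cb.aio_offset = 0;
    cb.aio_sigevent.sigev_notify = SIGEV_SIGNAL;  /* helper thread notifies via a queued signal */
    cb.aio_sigevent.sigev_signo = SIGUSR1;        /* constructed choice for the demo */
    cb.aio_sigevent.sigev_value.sival_ptr = &cb;

    if (aio_write(&cb) != 0) { r.err = errno; return r; }

    struct timespec start;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (;;) {
        int e = aio_error(&cb);
        if (e != EINPROGRESS) {
            if (e == 0) { r.outcome = AIO_DONE; r.nbytes = aio_return(&cb); return r; }
            /* EPERM here is the report's symptom 2: the notification was refused, not the write. */
            r.outcome = (e == EPERM) ? AIO_NOTIFY_EPERM : AIO_FAILED;
            r.err = e;
            (void)aio_return(&cb);  /* release the request */
            return r;
        }
        if (elapsed_ms(&start) > timeout_ms) {
            r.outcome = AIO_TIMEOUT;
            r.err = EINPROGRESS;
            /* cb lives on our stack: never return while the request is still in flight */
            if (aio_cancel(fd, &cb) == AIO_NOTCANCELED) {
                const struct aiocb *list[1] = { &cb };
                aio_suspend(list, 1, NULL);
            }
            (void)aio_return(&cb);
            return r;
        }
        struct timespec nap = { 0, 1000000 };  /* 1 ms between polls */
        nanosleep(&nap, NULL);
    }
}

/* Constructed self-check: write a short payload to an unlinked temp file and
 * also require that the completion signal (symptom 1) actually arrives. */
int run_demo(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_aio_signal;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0) return -1;

    char path[] = "/tmp/aio_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    const char payload[] = "aio race demo payload";  /* constructed */
    struct aio_result r = aio_write_and_wait(fd, payload, sizeof payload - 1, 5000);
    if (r.outcome == AIO_DONE && r.nbytes == (ssize_t)(sizeof payload - 1)) {
        struct timespec start;
        clock_gettime(CLOCK_MONOTONIC, &start);
        while (notify_count == 0 && elapsed_ms(&start) < 1000) {
            struct timespec nap = { 0, 1000000 };
            nanosleep(&nap, NULL);
        }
        close(fd);
        return notify_count > 0 ? 0 : (int)AIO_NO_SIGNAL;
    }
    close(fd);
    return (int)r.outcome;  /* 1 = I/O error, 2 = EPERM from aio_error(), 3 = timeout */
}

int main(void)
{
    int rc = run_demo();
    printf("run_demo -> %d (%s)\n", rc, rc == 0 ? "AIO completed and signal delivered" :
           rc == 2 ? "aio_error() returned EPERM (notification refused)" :
           rc == 4 ? "write completed but no completion signal" : "AIO failed or timed out");
    return rc;
}
```

The point of the classification is that, in the situation the report describes, a caller that treats any non-zero aio_error() value as "the write failed" will misdiagnose the problem: the data was written, only the notification was refused. Surfacing EPERM and a missing signal as separate outcomes makes the race visible in logs rather than hidden behind a generic I/O error.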

Comment 5 Andreas Schwab 2010-02-22 17:43:42 UTC

*** This bug has been marked as a duplicate of bug 459901 ***