Bug 566712 - If pthread_create fails in aio_write, requests linked list is corrupted
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: glibc
Version: 5.4
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Andreas Schwab
QA Contact: qe-baseos-tools
URL:
Whiteboard:
Keywords: ZStream
Depends On:
Blocks: 589869 589870 589871
Reported: 2010-02-19 14:18 UTC by Bryn M. Reeves
Modified: 2018-10-27 14:17 UTC
Submitting an AIO (Asynchronous Input/Output) write request requires a creation of a helper thread to handle the request. If the creation of this thread failed, a corruption of the glibc internal data structures could occur. This resulted in a crash when the next AIO request was submitted. This update corrects this issue by making sure the internal data structures remain consistent.
Clone Of:
: 577198 (view as bug list)
Last Closed: 2011-01-14 00:04:03 UTC


Attachments
Re-diff of upstream commit (2.54 KB, patch)
2010-02-19 14:40 UTC, Bryn M. Reeves


External Trackers
Tracker ID: Red Hat Product Errata RHBA-2011:0109
Priority: normal
Status: SHIPPED_LIVE
Summary: glibc bug fix and enhancement update
Last Updated: 2011-01-12 17:29:09 UTC

Description Bryn M. Reeves 2010-02-19 14:18:40 UTC
Description of problem:
When one calls aio_write, it internally calls __aio_enqueue_request, which will in turn call aio_create_helper_thread.  If thread creation fails, the newly created request (newp in the code) will still be in the requests linked list, but it will be freed later in __aio_enqueue_request.

A subsequent call to aio_write will cause a segmentation fault.

Version-Release number of selected component (if applicable):
glibc-2.5-*.el5

How reproducible:
100%

Steps to Reproduce:
There's a test case from Neil Vachharajani in upstream bugzilla:

http://sources.redhat.com/bugzilla/attachment.cgi?id=4198&action=view

Actual results:
If compiled -DCRASH the program segfaults.

Expected results:
If compiled -DCRASH the program does not segfault.

Additional info:
http://sources.redhat.com/bugzilla/show_bug.cgi?id=10643
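The failure mode described above (and the near-identical librtkaio variant discussed in comment 8) is an error-path ordering bug: the new request is linked into the global list before the helper thread exists, and when thread creation fails the request is released without first being unlinked, leaving a dangling pointer for the next aio_write to follow. The following toy model is an added example, not glibc's code or the attachment from this report; the list, the stand-in for thread creation and all function names are constructed for illustration. The buggy version marks a node as released instead of calling free() so the checker can still walk the list without undefined behaviour; the fixed version unlinks before freeing, which is the property the erratum's description ("making sure the internal data structures remain consistent") refers to.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a global request list, loosely following the
 * structure the report describes.  Names are invented for this example. */
struct request {
    struct request *next;
    int fd;
    int released;   /* models free(): set instead of freeing, so a checker
                       can still walk the list safely */
};

static struct request *requests;   /* head of the toy global request list */

/* Stand-in for helper-thread creation.  Real pthread_create failures are
 * hard to provoke deterministically, so the caller forces the outcome. */
static int create_helper_thread(int force_failure)
{
    return force_failure ? EAGAIN : 0;
}

/* Unlink NODE from the list; returns 1 if it was found. */
static int unlink_request(struct request *node)
{
    for (struct request **pp = &requests; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == node) {
            *pp = node->next;
            node->next = NULL;
            return 1;
        }
    }
    return 0;
}

/* Buggy ordering (the behaviour the report describes): link, fail to create
 * the helper thread, release the node while it is still reachable. */
int enqueue_request_buggy(int fd, int force_failure)
{
    struct request *newp = calloc(1, sizeof *newp);
    if (newp == NULL)
        return -1;
    newp->fd = fd;
    newp->next = requests;
    requests = newp;                 /* now reachable from the global list */

    int err = create_helper_thread(force_failure);
    if (err != 0) {
        newp->released = 1;          /* models free(newp): list now dangles */
        errno = err;
        return -1;
    }
    return 0;
}

/* Fixed ordering: on failure, unlink first, then release. */
int enqueue_request_fixed(int fd, int force_failure)
{
    struct request *newp = calloc(1, sizeof *newp);
    if (newp == NULL)
        return -1;
    newp->fd = fd;
    newp->next = requests;
    requests = newp;

    int err = create_helper_thread(force_failure);
    if (err != 0) {
        unlink_request(newp);        /* the step the original error path lacked */
        free(newp);                  /* safe: nothing references it any more */
        errno = err;
        return -1;
    }
    return 0;
}

/* Invariant a later aio_write implicitly relies on: no released node is
 * reachable from the list head. */
int list_has_dangling_node(void)
{
    for (struct request *r = requests; r != NULL; r = r->next)
        if (r->released)
            return 1;
    return 0;
}

int list_length(void)
{
    int n = 0;
    for (struct request *r = requests; r != NULL; r = r->next)
        n++;
    return n;
}

/* Release every node still linked (buggy nodes were never truly freed). */
void reset_list(void)
{
    while (requests != NULL) {
        struct request *next = requests->next;
        free(requests);
        requests = next;
    }
}

int main(void)
{
    reset_list();
    enqueue_request_buggy(3, 0);
    enqueue_request_buggy(3, 1);     /* thread creation "fails" */
    printf("buggy:  dangling=%d length=%d\n", list_has_dangling_node(), list_length());

    reset_list();
    enqueue_request_fixed(3, 0);
    enqueue_request_fixed(3, 1);
    printf("fixed:  dangling=%d length=%d\n", list_has_dangling_node(), list_length());
    reset_list();
    return 0;
}
```

The first enqueue in each pair succeeds so that the list is non-empty when the failing one is added, which is the situation in which the next call walks into the released node.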

Comment 2 Bryn M. Reeves 2010-02-19 14:40:21 UTC
Created attachment 395111 [details]
Re-diff of upstream commit

Straightforward re-diff of the upstream commit for RHEL5's glibc.

Comment 4 Bryn M. Reeves 2010-02-19 16:08:26 UTC
Test case in comment #1 with glibc-2.5-42.el5_4.2:

[root@pe1950-2 ~]# ./main 
aio_write() err
Segmentation fault

Test case in comment #1 with glibc-2.5-47.0.it479313.x86_64 (inc. patch from comment #2):

[root@pe1950-2 ~]# ./main 
aio_write() err
aio_write() err

Comment 8 Bryn M. Reeves 2010-04-01 11:04:59 UTC
One point that was not very clear in the original report of this problem is that there are two similar (but different) bugs here; one affects librt and the other librtkaio. The reproducer is effective for both bugs when linked against the appropriate library.

E.g.:

gcc test.c -lrt               # librt test case
gcc test.c -lrtkaio -lpthread # librtkaio test case

With the patched libc from comment #4 the 2nd test case still fails:

# ./aio_write 
aio_write() err
Segmentation fault (core dumped)

Core was generated by `./aio_write'.
Program terminated with signal 11, Segmentation fault.
[New process 30342]
#0  0x0000000000401fd3 in __aio_enqueue_request_ctx ()
(gdb) bt
#0  0x0000000000401fd3 in __aio_enqueue_request_ctx ()
#1  0x0000000000401295 in aio_write ()
#2  0x0000000000401128 in do_aio_write (fd=3, buf=0x7fff5fde0cd0 "Goodbye World\n", len=14, offset=12) at aio_write.c:28
#3  0x0000000000401263 in main () at aio_write.c:51

Comment 14 Bryn M. Reeves 2010-05-07 16:09:42 UTC
I still haven't had time to take a look at librtkaio - the problem there seems virtually identical (list corruption on failed pthread_create) and is probably very quick to fix for someone who knows the code.

Comment 18 Martin Prpič 2010-12-02 11:18:25 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Submitting an AIO (Asynchronous Input/Output) write request requires a creation of a helper thread to handle the request. If the creation of this thread failed, a corruption of the glibc internal data structures could occur. This resulted in a crash when the next AIO request was submitted. This update corrects this issue by making sure the internal data structures remain consistent.

Comment 20 errata-xmlrpc 2011-01-14 00:04:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0109.html
