Bug 20340

Summary: Crash with SIGEV_THREAD and small interval.
Product: glibc    Reporter: Carlos O'Donell <carlos>
Component: nptl    Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED DUPLICATE
Severity: normal    CC: adhemerval.zanella, drepper.fsp, fweimer
Priority: P2    Flags: fweimer: security-
Version: 2.24
Target Milestone: ---
Host:    Target:
Build:    Last reconfirmed:

Description Carlos O'Donell 2016-07-08 20:59:45 UTC
As reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1352124

The following program crashes.

cat > test.c <<EOF
#include <signal.h>
#include <time.h>
#include <limits.h>
#include <unistd.h>
#include <stdio.h>

/* Runs on a freshly created thread for every expiration of the SIGEV_THREAD timer. */
static void sigev_notify(union sigval arg) {}

int main(void) {
    timer_t timerid;
    static struct sigevent sevp = {
        .sigev_notify = SIGEV_THREAD,
        .sigev_notify_function = sigev_notify
    };

    if (timer_create(CLOCK_MONOTONIC, &sevp, &timerid) != 0) {
        perror("timer_create");
        return 1;
    }

    /* 1 us initial expiry and 1 us interval: one thread per expiration, as fast as possible. */
    static const struct itimerspec new_value = {
        .it_interval = {
            .tv_sec = 0,
            .tv_nsec = 1000
        },
        .it_value = {
            .tv_sec = 0,
            .tv_nsec = 1000
        }
    };

    /* timer_settime takes the timer ID itself, not its address. */
    if (timer_settime(timerid, 0, &new_value, NULL) != 0) {
        perror("timer_settime");
        return 1;
    }

    sleep(UINT_MAX);
}
EOF

BUILD=/home/carlos/build/glibc
gcc -Wl,--dynamic-linker=$BUILD/elf/ld.so -Wl,-rpath=$BUILD:$BUILD/nptl:$BUILD/rt -lpthread -lrt -g3 -O0 -o test test.c

I can reproduce this on master.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_create_2_1 (newthread=newthread@entry=0x7faad3185e28, attr=attr@entry=0x1bfd148, 
    start_routine=start_routine@entry=0x7faad2b48c00 <timer_sigev_thread>, arg=<optimized out>) at pthread_create.c:713
713	      if (pd->stopped_start)
[Current thread is 1 (LWP 12099)]

It appears the entire thread descriptor is pointing at invalid memory.

Given the small timer interval we are very, very quickly creating and exiting threads, so there might be a reaping issue here or a stack reuse issue with the stack cache. Either way we should not segfault and we should handle this gracefully.
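As an added example (not part of this bug report or of glibc's own code), the pattern a practitioner reaches for when an interval this small is genuinely needed: a SIGEV_SIGNAL timer drained by a single thread with sigwaitinfo, so a burst of expirations becomes one delivery plus an overrun count instead of a thread per tick. The helper run_signal_timer and its parameters are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <time.h>

/* Hypothetical helper (constructed for this example): arm a periodic
   CLOCK_MONOTONIC timer with period interval_ns and consume its expirations
   from one thread until `wanted` are accounted for.  Returns deliveries plus
   kernel-reported overruns, or -1 on error. */
long run_signal_timer(long interval_ns, long wanted)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGRTMIN);
    /* Block the signal so expirations queue for sigwaitinfo instead of
       running a handler (or the default action) asynchronously. */
    if (sigprocmask(SIG_BLOCK, &set, NULL) != 0)
        return -1;
    /* One kernel timer, one consumer: no thread is created per expiration. */
    timer_t timerid;
    struct sigevent sev = { .sigev_notify = SIGEV_SIGNAL, .sigev_signo = SIGRTMIN };
    if (timer_create(CLOCK_MONOTONIC, &sev, &timerid) != 0)
        return -1;
    struct itimerspec spec;
    spec.it_interval.tv_sec = interval_ns / 1000000000L;
    spec.it_interval.tv_nsec = interval_ns % 1000000000L;
    spec.it_value = spec.it_interval;
    if (timer_settime(timerid, 0, &spec, NULL) != 0) { /* the ID itself, not &timerid */
        timer_delete(timerid);
        return -1;
    }
    long seen = 0;
    siginfo_t si;
    while (seen < wanted) {
        if (sigwaitinfo(&set, &si) < 0) {
            if (errno == EINTR) continue;
            timer_delete(timerid);
            return -1;
        }
        /* Ticks that piled up while we were busy arrive as one delivery plus
           an overrun count, not as extra threads or extra queued signals. */
        seen += 1 + timer_getoverrun(timerid);
    }
    timer_delete(timerid);
    /* Drain a tick queued before deletion; SIGRTMIN stays blocked so a late
       delivery cannot terminate the process (real code: pthread_sigmask). */
    while (sigtimedwait(&set, &si, &(struct timespec){ 0, 0 }) >= 0)
        ;
    return seen;
}
```

With the 1 us period from the report, run_signal_timer(1000, 1000) returns at least 1000 and the overrun count shows how far the consumer lags the timer. On glibc older than 2.34 link with -lrt.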
Comment 1 Adhemerval Zanella 2021-05-27 00:26:20 UTC
Carlos, I am almost sure this is related to BZ#20116 (timer_create uses a detached thread for each SIGEV_THREAD).
Comment 2 Adhemerval Zanella 2021-06-10 01:33:50 UTC
I can't reproduce it on master (2.34 devel) anymore and it does seem to be the detached pthread concurrency issue fixed in 20116.

*** This bug has been marked as a duplicate of bug 20116 ***