Source-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: src



Module Name:    src
Committed By:   riastradh
Date:           Wed Jul  1 19:29:58 UTC 2026

Modified Files:
        src/libexec/ld.elf_so: load.c reloc.c rtld.c rtld.h search.c
        src/tests/libexec/ld.elf_so: t_dlclose_thread.c
        src/usr.bin/ldd: ldd.c ldd_elfxx.c

Log Message:
ld.elf_so(1): Resolve several races in dlopen/dlclose.

This is difficult because, although rtld generally has a single
exclusive lock, i.e., generally runs single-threaded itself, it can't
hold this lock while calling constructors/destructors (init/fini or
ifunc) -- if it did, then, for example, lazy symbol binding that
happens during the constructor/destructor would deadlock against
itself.

And whenever rtld drops the lock to call constructors/destructors,
any objects it is working on, during dlopen or dlclose, might have
been concurrently closed and invalidated by the time it gets the lock
again.

The key point is that anywhere we pass a sigset_t *mask parameter
during dlopen or dlclose, we might release the rtld lock to sleep and
then reacquire the lock.  And anywhere we might release and reacquire
the lock, any objects we hold may be invalidated -- unless we hold some
reference to prevent invalidation.  And any object we find in the list
of objects might be undergoing dlclose, waiting for destructors to
finish, so we have to be prepared to release and reacquire the lock to
wait until the destructors are done -- and then start over at the top.

Here is a (probably nonexhaustive) list of races that I encountered:

1. If thread A dlcloses foo.so, bringing the reference count to zero,
   and drops the rtld lock to call destructors, thread B dlopening
   foo.so can acquire a new reference and return it -- but then
   thread A will proceed to unmap and free foo.so while thread B
   thinks it has a good reference.

   => Resolution: Make dlopen refuse to acquire new references to
      objects with reference count zero -- instead, drop the rtld
      lock to wait until the object has been dlclosed, and then start
      over the lookup.

   Caveat: This means that the dlopen logic can drop the lock, and
   the rtld state can change, while dlopen is gathering references to
   objects, so we can't simply see whether new objects were added to
   the end of _rtld_objlist to find which ones need to be relocated.
   So...

2. If thread A dlopens foo.so and sleeps to wait for a previous
   dlclose to finish, and thread B concurrently dlopens bar.so and
   finishes relocating it before thread A continues, thread A might
   try to relocate all of the new objects since it started --
   including the ones that thread B just loaded and already
   relocated.

   => Resolution: Instead of checking whether _rtld_objtail has
      changed, store:

      (a) a global count of the number of objects pending relocation
          (_rtld_objrelocpending), so we can cheaply test whether
          there are any before iterating over the list; and

      (b) a per-object flag of whether it has been relocated yet
          (obj->relocated),

      so dlopen can check _rtld_objrelocpending to see whether it
      needs to do any relocations, and _rtld_relocate_objects can
      check _all_ objects and only relocate the ones that have yet to
      be relocated.

      Also, since _rtld_load_needed_objects in one thread may be
      interleaved with _rtld_call_init_functions in another thread,
      make sure to have _rtld_call_init_functions skip the objects
      that have yet to be relocated -- they can't be part of the DAG
      of dependencies of the objecteing dlopened (or else we would
      have passed through _rtld_relocate_objects), and if they
      haven't been relocated then the init/fini function pointers are
      unusable.

      We could alternatively store a queue of objects to be
      relocated, so _rtld_relocate_objects need not iterate over all
      objects when loading one or two objects into a process with
      zillions of existing ones, but this was quicker to implement
      for now.

3. If thread A is dlopening an object and loading dependencies, it goes
   through the list of _all_ objects' dependencies, even those that
   aren't relevant to the current dlopen.  In so doing, it may start
   loading the dependencies of some object foo.so that thread B wants
   to dlclose.  If foo.so depends on bar.so, and bar.so is concurrently
   closed by thread C, thread A may wait for that to happen so it can
   create a new incarnation of bar.so.  While thread A waits, thread B
   might unmap and free foo.so, leading to use-after-free in thread A
   when it finally wakes up.

   => Resolution: While a thread is loading an object's dependencies,
      make dlclose wait for that to finish before unmapping and
      freeing the object.  New reference count obj->neededrefcount
      for this -- having it separate from obj->refcount obviates the
      need for logic to GC newly-unreferenced objects in
      _rtld_load_needed_objects.  New state obj->neededwaiter to
      record a queue of waiters in dlclose.  (XXX Maybe that should
      be a global queue?  dlclose can reasonably wake up when any
      objects are no now-unreferenced and no longer being loaded.)

4. If thread A is dlclosing foo.so which depends on bar.so, and
   thread B is dlclosing bar.so but has dropped the rtld lock to run
   bar.so's destructors, thread A might get to the garbage-collection
   phase at the end of _rtld_unload_object -- and unmap and free
   bar.so before thread B has finished, because bar.so's reference
   count is zero and so it looks like garbage to _rtld_unmap_object.

   => Resolution: Store a flag obj->dlclosing, set when thread A's
      _rtld_unload_object is dropping the lock to call destructors,
      so thread B's _rtld_unload_object will not free and unmap obj
      during garbage collection.  This won't leak because thread B
      will rerun the garbage collection anyway.

5. (a) If thread A is dlclosing foo.so which depends on baz.so, and
       thread B is dlclosing bar.so which also depends on baz.so,
       both threads may try to call baz.so's destructors, possibly
       leading to double-destruction.  And either thread might free
       and unmap baz.so while the other one is still trying to call
       the destructors.

   (b) If thread A is dlopening foo.so and has dropped the lock to
       run constructors, and thread B dlopens foo.so, thread B won't
       run the constructors again (we already have a mechanism to
       prevent that) -- but it might return before constructors have
       finished running in thread A at all, and thus it may return a
       handle to the caller for a library whose constructors haven't
       finished initializing the library.

   => Resolution: New lock obj->initfinilock (implemented as a state
      variable under the rtld exclusive lock with sleep/wake using
      _lwp_park/unpark), taken across any calls to constructors or
      destructors with the exclusive lock dropped, in order to
      serialize calls to constructors and destructors even while the
      rtld exclusive lock is dropped.  This way:

      (a) If thread A is running destructors for bar.so as part of
          dlclose, thread B can skip garbage-collecting bar.so as
          part of dlclose -- it won't leak anything because thread A
          will eventually run garbage collection in
          _rtld_unload_object too.

      (b) If thread A is running constructors for foo.so, and thread
          B dlopens foo.so, it can wait until the constructors have
          finished in thread A before returning.

While here, sprinkle various reference count assertions.

PR lib/59751: dlclose is not MT-safe depending on the libraries
unloaded


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/libexec/ld.elf_so/load.c
cvs rdiff -u -r1.120 -r1.121 src/libexec/ld.elf_so/reloc.c
cvs rdiff -u -r1.224 -r1.225 src/libexec/ld.elf_so/rtld.c
cvs rdiff -u -r1.155 -r1.156 src/libexec/ld.elf_so/rtld.h
cvs rdiff -u -r1.27 -r1.28 src/libexec/ld.elf_so/search.c
cvs rdiff -u -r1.2 -r1.3 src/tests/libexec/ld.elf_so/t_dlclose_thread.c
cvs rdiff -u -r1.28 -r1.29 src/usr.bin/ldd/ldd.c
cvs rdiff -u -r1.8 -r1.9 src/usr.bin/ldd/ldd_elfxx.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.




Home | Main Index | Thread Index | Old Index