On Mon, Jul 25, 2022 at 12:00:35PM +0100, Peter Maydell wrote:
> For handling guest POSIX timers, we currently use an array
> g_posix_timers[], whose entries are a host timer_t value, or 0 for
> "this slot is unused". When the guest calls the timer_create syscall
> we look through the array for a slot containing 0, and use that for
> the new timer.
>
> This scheme assumes that host timer_t values can never be zero. This
> is unfortunately not a valid assumption -- for some host libc
> versions, timer_t values are simply indexes starting at 0. When
> using this kind of host libc, the effect is that the first and second
> timers end up sharing a slot, and so when the guest tries to operate
> on the first timer it changes the second timer instead.

For the sake of the historical record, could you mention here which specific libc impl / version highlights the problem?

> Rework the timer allocation code, so that:
>  * the 'slot in use' indication uses a separate array from the
>    host timer_t array
>  * we grab the free slot atomically, to avoid races when multiple
>    threads call timer_create simultaneously
>  * releasing an allocated slot is abstracted out into a new
>    free_host_timer_slot() function called in the correct places
>
> This fixes:
>  * problems on hosts where timer_t 0 is valid
>  * the FIXME in next_free_host_timer() about locking
>  * bugs in the error paths in timer_create where we forgot to release
>    the slot we grabbed, or forgot to free the host timer
>
> Reported-by: Jon Alduan <jon.ald...@gmail.com>
> Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
> ---
>  linux-user/syscall.c | 24 ++++++++++++++++--------
>  1 file changed, 16 insertions(+), 8 deletions(-)

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
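The following is an added illustration, not code from the patch or from QEMU: a small, self-contained C model of the two allocation schemes the quoted commit message describes. It uses a constructed stand-in for a host libc whose timer_t values are 0-based indexes (fake_host_timer_create(), which can also be told to fail once, and a NUM_TIMERS of 32 are assumptions for the demo), shows the old "0 means unused" array handing the first two guest timers the same slot, and sketches the reworked version with a separate in-use array claimed by compare-and-swap and a free_host_timer_slot() helper invoked on the error path. The function names free_host_timer_slot() and fixed_next_free_slot() are this sketch's own, borrowed from the commit message for readability; they are not QEMU's implementation.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed stand-in for a host libc whose timer_t values are plain indexes
 * starting at 0 (the case the commit message describes). No real timer is
 * armed: ids are a counter, and one create call can be made to fail on demand. */
typedef long host_timer_t;
static host_timer_t next_host_timer_id;   /* the first timer created gets id 0 */
static bool fail_next_host_create;

static int fake_host_timer_create(host_timer_t *out)
{
    if (fail_next_host_create) {
        fail_next_host_create = false;
        return -1;                        /* like timer_create() failing */
    }
    *out = next_host_timer_id++;
    return 0;
}

#define NUM_TIMERS 32

/* Old scheme: a host timer_t of 0 in the array means "slot unused". */
static host_timer_t buggy_timers[NUM_TIMERS];

static int buggy_timer_create(void)
{
    int slot;
    for (slot = 0; slot < NUM_TIMERS && buggy_timers[slot] != 0; slot++) { }
    if (slot == NUM_TIMERS) return -1;
    /* On a 0-based libc the first timer gets id 0, so its slot still looks
     * free and the next timer_create hands out the same slot again. */
    if (fake_host_timer_create(&buggy_timers[slot]) < 0) return -1;
    return slot;
}

/* Reworked scheme: separate in-use flags, claimed with a compare-and-swap. */
static host_timer_t fixed_timers[NUM_TIMERS];
static atomic_int fixed_in_use[NUM_TIMERS];

static int fixed_next_free_slot(void)
{
    for (int i = 0; i < NUM_TIMERS; i++) {
        int expected = 0;
        /* 0 -> 1 succeeds for exactly one caller per slot: no lock needed. */
        if (atomic_compare_exchange_strong(&fixed_in_use[i], &expected, 1)) return i;
    }
    return -1;
}

static void free_host_timer_slot(int slot)
{
    atomic_store(&fixed_in_use[slot], 0);
}

static int fixed_timer_create(void)
{
    int slot = fixed_next_free_slot();
    if (slot < 0) return -1;
    if (fake_host_timer_create(&fixed_timers[slot]) < 0) {
        free_host_timer_slot(slot);       /* error path gives the slot back */
        return -1;
    }
    return slot;
}

static void reset_state(void)
{
    next_host_timer_id = 0;
    fail_next_host_create = false;
    for (int i = 0; i < NUM_TIMERS; i++) {
        buggy_timers[i] = 0;
        atomic_store(&fixed_in_use[i], 0);
    }
}

/* Old scheme: the first two guest timers are handed the same slot (returns 1). */
int buggy_two_timers_share_slot(void)
{
    reset_state();
    int a = buggy_timer_create();
    return a == buggy_timer_create();
}

/* New scheme: the same two calls get distinct slots (returns 0). */
int fixed_two_timers_share_slot(void)
{
    reset_state();
    int a = fixed_timer_create();
    return a == fixed_timer_create();
}

/* New scheme: a failed host create releases slot 0 for reuse (returns 1). */
int fixed_error_path_releases_slot(void)
{
    reset_state();
    fail_next_host_create = true;
    return fixed_timer_create() == -1 && fixed_timer_create() == 0;
}
```

The compare-and-swap on the in-use flag is what removes the need for the lock the old FIXME asked for: two threads racing into fixed_next_free_slot() can both see slot i as 0, but only one CAS from 0 to 1 succeeds and the loser simply moves on to the next slot. Releasing the flag in one helper also makes the error path hard to get wrong, which is the class of bug the commit message lists under timer_create's error handling.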