In condvar wait functions, set the holder back before restoring count

Before this fix, there was a race condition: the previous owner thread
could enter the mutex without proper locking by passing the lock owner
check in the mutex_lock function.
bug 5699382

Change-Id: Ib81330e2f3669e5f72b101f3da7abdb15d3ac993
diff --git a/dbus/dbus-sysdeps-pthread.c b/dbus/dbus-sysdeps-pthread.c
index 7073751..1483c24 100644
--- a/dbus/dbus-sysdeps-pthread.c
+++ b/dbus/dbus-sysdeps-pthread.c
@@ -248,8 +248,12 @@
   pmutex->count = 0;		/* allow other threads to lock */
   PTHREAD_CHECK ("pthread_cond_wait", pthread_cond_wait (&pcond->cond, &pmutex->lock));
   _dbus_assert (pmutex->count == 0);
-  pmutex->count = old_count;
   pmutex->holder = pthread_self(); /* other threads may have locked the mutex in the meantime */
+
+  /* The order of this line and the above line is important.
+   * See the comments below at the end of _dbus_pthread_condvar_wait_timeout
+   */
+  pmutex->count = old_count;
 }
 
 static dbus_bool_t
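Review bot: Moving `pmutex->count = old_count;` below the `holder` assignment only fixes source order, here and in the identical pair at the end of `_dbus_pthread_condvar_wait_timeout` in the next hunk. Both fields look like plain struct members, so the compiler or a weakly ordered CPU may still make the `count` store visible first to a thread that reads them without holding `pmutex->lock`, which, going by the commit description, is what the owner check in the lock function does. If that unlocked read stays, the two stores need a real barrier between them, e.g. `__sync_synchronize();` after the `holder` assignment, with a matching barrier between the `count` and `holder` reads in the lock path, which is outside this diff. The more robust fix is to have the lock path stop trusting `holder` without synchronization. The enclosing function starts outside the hunk.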
@@ -298,8 +302,13 @@
     }
 
   _dbus_assert (pmutex->count == 0);
-  pmutex->count = old_count;
   pmutex->holder = pthread_self(); /* other threads may have locked the mutex in the meantime */
+
+  /* restore to old count after setting the owner back to self,
+   * If reversing this line with above line, the previous owner thread could
+   * get into the mutex without proper locking by passing the lock owner check.
+   */
+  pmutex->count = old_count;
   
   /* return true if we did not time out */
   return result != ETIMEDOUT;
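Review bot: The comment added above `pmutex->count = old_count;` describes what goes wrong if the lines are swapped, but never states the invariant a maintainer has to preserve, and its wording is hard to parse. I would reword it as `/* Set holder before restoring count: a non-zero count must never be visible while holder still names the previous owner, or that thread passes the owner check in the lock path without taking the lock. */`. The first hunk's comment points here by position ("below at the end of ..."), so this is the only place the reasoning is recorded and it should read unambiguously. The enclosing function starts outside the hunk.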