nptl: Fix invalid Systemtap probe in pthread_join [BZ #24211]

After commit f1ac745583 ("arm: Use "nr"
constraint for Systemtap probes [BZ #24164]"), we load pd->result into
a register in the probe below:

      /* Free the TCB.  */
      __free_tcb (pd);
    }
  else
    pd->joinid = NULL;

  LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd->result);

However, at this point, the thread descriptor has been freed.  If the
thread stack does not fit into the thread stack cache, the memory will
have been unmapped, and the program will crash in the probe.

ChangeLog

@@ -1,3 +1,9 @@
+2019-02-15  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #24211]
+	* nptl/pthread_join_common.c (__pthread_timedjoin_ex): Do not read
+	pd->result after the thread descriptor has been freed.
+
 2019-02-15  Joseph Myers  <joseph@codesourcery.com>
 
 	* sunrpc/tst-svc_register.c (rpcbind_address): Remove qualifier

nptl/pthread_join_common.c

@@ -145,6 +145,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
       pthread_cleanup_pop (0);
     }
 
+  void *pd_result = pd->result;
   if (__glibc_likely (result == 0))
     {
       /* We mark the thread as terminated and as joined.  */
@@ -152,7 +153,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
 
       /* Store the return value if the caller is interested.  */
       if (thread_return != NULL)
-	*thread_return = pd->result;
+	*thread_return = pd_result;
 
       /* Free the TCB.  */
       __free_tcb (pd);
@@ -160,7 +161,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
   else
     pd->joinid = NULL;
 
-  LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd->result);
+  LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd_result);
 
   return result;
 }