diff --git a/ChangeLog b/ChangeLog
index fee6c0fd2d..39d44fd671 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2019-02-15 Florian Weimer
+
+ [BZ #24211]
+ * nptl/pthread_join_common.c (__pthread_timedjoin_ex): Do not read
+ pd->result after the thread descriptor has been freed.
+
 2019-02-15 Joseph Myers
 * sunrpc/tst-svc_register.c (rpcbind_address): Remove qualifier
diff --git a/nptl/pthread_join_common.c b/nptl/pthread_join_common.c
index 6efe8efc3f..5224ee2110 100644
--- a/nptl/pthread_join_common.c
+++ b/nptl/pthread_join_common.c
@@ -145,6 +145,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
 pthread_cleanup_pop (0);
 }
+ void *pd_result = pd->result;
 if (__glibc_likely (result == 0))
 {
 /* We mark the thread as terminated and as joined. */
@@ -152,7 +153,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
 /* Store the return value if the caller is interested. */
 if (thread_return != NULL)
- *thread_return = pd->result;
+ *thread_return = pd_result;
 /* Free the TCB. */
 __free_tcb (pd);
@@ -160,7 +161,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
 else
 pd->joinid = NULL;
- LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd->result);
+ LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd_result);
 return result;
 }
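Review bot: The new `void *pd_result = pd->result;` sits above the `result == 0` check with no comment, so nothing tells a later reader that its position before `__free_tcb (pd)` is what prevents the use-after-free; a cleanup that moves the load back into the success branch or into the `LIBC_PROBE` call would reintroduce it. I would add `/* Read pd->result now: __free_tcb (pd) below releases the descriptor, and the probe at the end still needs the value.  */` directly above the declaration. Because the load is unconditional it also runs when `result != 0`, where the `else pd->joinid = NULL;` branch in the last hunk shows the descriptor is still being used; if the target thread can still be running on that path (the wait logic is outside the hunk), the value handed to `pthread_join_ret` is an unsynchronized snapshot, and probe consumers should treat it as the thread's return value only when `result` is 0. The body of `__pthread_timedjoin_ex` starts before the first of these hunks, and parts of it between the hunks are not shown.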