gh-114944: Fix race between _PyParkingLot_Park and _PyParkingLot_UnparkAll when handling interrupts (#114945)

mpage · web-flow · commit c32bae529047 · 2024-02-05T13:48:37.000-08:00
Fix race between `_PyParkingLot_Park` and `_PyParkingLot_UnparkAll` when handling interrupts

There is a potential race when `_PyParkingLot_UnparkAll` is executing in
one thread and another thread is unblocked because of an interrupt in
`_PyParkingLot_Park`. Consider the following scenario:

1. Thread T0 is blocked[^1] in `_PyParkingLot_Park` on address `A`.
2. Thread T1 executes `_PyParkingLot_UnparkAll` on address `A`. It
   finds the `wait_entry` for `T0` and unlinks[^2] its list node.
3. Immediately after (2), T0 is woken up due to an interrupt. It
   then segfaults trying to unlink[^3] the node that was previously
   unlinked in (2).

To fix this we mark each waiter as unparking before releasing the bucket
lock. `_PyParkingLot_Park` will wait to handle the coming wakeup, and not
attempt to unlink the node, when this field is set. `_PyParkingLot_Unpark`
does this already, presumably to handle this case.
diff --git a/Misc/NEWS.d/next/Core and Builtins/2024-02-03-01-48-38.gh-issue-114944.4J5ELD.rst b/Misc/NEWS.d/next/Core and Builtins/2024-02-03-01-48-38.gh-issue-114944.4J5ELD.rst
@@ -0,0 +1 @@
+Fixes a race between ``PyParkingLot_Park`` and ``_PyParkingLot_UnparkAll``.
diff --git a/Python/parking_lot.c b/Python/parking_lot.c
@@ -244,6 +244,7 @@ dequeue(Bucket *bucket, const void *address)
         if (wait->addr == (uintptr_t)address) {
             llist_remove(node);
             --bucket->num_waiters;
+            wait->is_unparking = true;
             return wait;
         }
     }
@@ -262,6 +263,7 @@ dequeue_all(Bucket *bucket, const void *address, struct llist_node *dst)
             llist_remove(node);
             llist_insert_tail(dst, node);
             --bucket->num_waiters;
+            wait->is_unparking = true;
         }
     }
 }
@@ -337,8 +339,6 @@ _PyParkingLot_Unpark(const void *addr, _Py_unpark_fn_t *fn, void *arg)
     _PyRawMutex_Lock(&bucket->mutex);
     struct wait_entry *waiter = dequeue(bucket, addr);
     if (waiter) {
-        waiter->is_unparking = true;
-
         int has_more_waiters = (bucket->num_waiters > 0);
         fn(arg, waiter->park_arg, has_more_waiters);
     }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fixes a race between ``PyParkingLot_Park`` and ``_PyParkingLot_UnparkAll``.
Original file line number	Diff line number	Diff line change
`@@ -244,6 +244,7 @@ dequeue(Bucket bucket, const void address)`
`244`	`244`	`if (wait->addr == (uintptr_t)address) {`
`245`	`245`	`llist_remove(node);`
`246`	`246`	`--bucket->num_waiters;`
	`247`	`+ wait->is_unparking = true;`
`247`	`248`	`return wait;`
`248`	`249`	`}`
`249`	`250`	`}`
`@@ -262,6 +263,7 @@ dequeue_all(Bucket bucket, const void address, struct llist_node *dst)`
`262`	`263`	`llist_remove(node);`
`263`	`264`	`llist_insert_tail(dst, node);`
`264`	`265`	`--bucket->num_waiters;`
	`266`	`+ wait->is_unparking = true;`
`265`	`267`	`}`
`266`	`268`	`}`
`267`	`269`	`}`
`@@ -337,8 +339,6 @@ _PyParkingLot_Unpark(const void addr, _Py_unpark_fn_t fn, void *arg)`
`337`	`339`	`_PyRawMutex_Lock(&bucket->mutex);`
`338`	`340`	`struct wait_entry *waiter = dequeue(bucket, addr);`
`339`	`341`	`if (waiter) {`
`340`		`- waiter->is_unparking = true;`
`341`		`-`
`342`	`342`	`int has_more_waiters = (bucket->num_waiters > 0);`
`343`	`343`	`fn(arg, waiter->park_arg, has_more_waiters);`
`344`	`344`	`}`