runtime: LockOSThread locked thread cloned and state inherited

[parsley42]

What version of Go are you using (go version)?

$ go version
go version go1.11.4 linux/amd64

Does this issue reproduce with the latest release?

1.11.4 is currently the latest release

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/parse/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/parse/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build285473962=/tmp/go-build -gno-record-gcc-switches"

What did you do?

This behavior was noted as part of much larger program that runs as a setuid (non-root) binary so can't be reproduced on play.golang.org. The program makes heavy use of runtime.LockOSThread and syscall.SYS_SETRESUID to drop privileges by setting r=e=suid=(original ruid). However, I'm getting occasional failures in calls that explicitly set raised privileges:
Error: Privileged setresuid(1) call failed for 'incoming message': 1; thread 1459 r/e/suid: 56486/56486/56486
This shows that thread 1459 was cloned from a fully drop-privileged thread.

What did you expect to see?

New worker threads not being cloned from threads locked with LockOSThread

What did you see instead?

Threads cloned from LockOSThread altered-threads that carried over state, in this case irrevocably dropped privileges

[ianlancetaylor]

Thanks. This is almost certainly #28979 which will be fixed in the upcoming 1.11.5 and 1.12 releases.

[parsley42]

Indeed, that's it. I'll re-check w/ 1.11.5, thanks!