pthread_cond_broadcast: Fix waiters-after-spinning case [BZ #23538]

(cherry picked from commit 99ea93ca31795469d2a1f1570f17a5c39c2eb7e2)

3 files changed, 15 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index b9e732a192..ef83777833 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-08-27 Martin Kuchta  <martin.kuchta@netapp.com>
+	   Torvald Riegel  <triegel@redhat.com>
+
+	[BZ #23538]
+	* nptl/pthread_cond_common.c (__condvar_quiesce_and_switch_g1):
+	Update r to include the set wake-request flag if waiters are
+	remaining after spinning.
+
 2018-08-03  DJ Delorie  <dj@redhat.com>
 
 	* sysdeps/riscv/rvf/math_private.h (libc_feholdexcept_setround_riscv):
diff --git a/NEWS b/NEWS
index 873cf8f64f..3073712cba 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ The following bugs are resolved with this release:
 
   [23497] readdir64@GLIBC_2.1 cannot parse the kernel directory stream
   [23521] nss_files aliases database file stream leak
+  [23538] pthread_cond_broadcast: Fix waiters-after-spinning case
 
 
 Version 2.28
diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c
index 8e425eb01e..479e54febb 100644
--- a/nptl/pthread_cond_common.c
+++ b/nptl/pthread_cond_common.c
@@ -405,8 +405,12 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
 	{
 	  /* There is still a waiter after spinning.  Set the wake-request
 	     flag and block.  Relaxed MO is fine because this is just about
-	     this futex word.  */
-	  r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1);
+	     this futex word.
+
+	     Update r to include the set wake-request flag so that the upcoming
+	     futex_wait only blocks if the flag is still set (otherwise, we'd
+	     violate the basic client-side futex protocol).  */
+	  r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1) | 1;
 
 	  if ((r >> 1) > 0)
 	    futex_wait_simple (cond->__data.__g_refs + g1, r, private);