pthread_cond_broadcast: Fix waiters-after-spinning case [BZ #23538]

(cherry picked from commit 99ea93ca31795469d2a1f1570f17a5c39c2eb7e2)

3 files changed, 15 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index 6b5cfbab55..7349a33b11 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-08-27 Martin Kuchta  <martin.kuchta@netapp.com>
+	   Torvald Riegel  <triegel@redhat.com>
+
+	[BZ #23538]
+	* nptl/pthread_cond_common.c (__condvar_quiesce_and_switch_g1):
+	Update r to include the set wake-request flag if waiters are
+	remaining after spinning.
+
 2018-01-19  Tulio Magno Quites Machado Filho  <tuliom@linux.vnet.ibm.com>
 
 	[BZ #22685]
diff --git a/NEWS b/NEWS
index dafec5d82d..abe90d1422 100644
--- a/NEWS
+++ b/NEWS
@@ -84,6 +84,7 @@ The following bugs are resolved with this release:
   [22685] powerpc: Fix syscalls during early process initialization
   [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
   [22774] malloc: Integer overflow in malloc (CVE-2018-6551)
+  [23538] pthread_cond_broadcast: Fix waiters-after-spinning case
 
 Version 2.25
 
diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c
index 7c63ef9b89..886f0abcb3 100644
--- a/nptl/pthread_cond_common.c
+++ b/nptl/pthread_cond_common.c
@@ -406,8 +406,12 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
 	{
 	  /* There is still a waiter after spinning.  Set the wake-request
 	     flag and block.  Relaxed MO is fine because this is just about
-	     this futex word.  */
-	  r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1);
+	     this futex word.
+
+	     Update r to include the set wake-request flag so that the upcoming
+	     futex_wait only blocks if the flag is still set (otherwise, we'd
+	     violate the basic client-side futex protocol).  */
+	  r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1) | 1;
 
 	  if ((r >> 1) > 0)
 	    futex_wait_simple (cond->__data.__g_refs + g1, r, private);