From patchwork Wed Aug 17 12:15:35 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Torvald Riegel
X-Patchwork-Id: 14700
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Message-ID: <1471436135.14544.96.camel@localhost.localdomain>
Subject: [PATCH Fix incorrect double-checked locking related to _res_hconf.initialized. [BZ #20477]
From: Torvald Riegel
To: GLIBC Devel
Cc: Florian Weimer
Date: Wed, 17 Aug 2016 14:15:35 +0200
Mime-Version: 1.0

_res_hconf.initialized was not suitable for use in a multi-threaded
environment due to the lack of atomics and memory barriers.  Use of it was
also unnecessary because _res_hconf_init did the right thing by using
__libc_once.  This patch fixes the glibc-internal uses by just calling
_res_hconf_init unconditionally, and switches to a release MO atomic store
for _res_hconf.initialized to fix the glibc side of the synchronization
problem (which will maintain backward compatibility, but cannot fix the
lack of acquire MO on any glibc-external loads).

    [BZ #20477]
    * resolv/res_hconf.c (do_init): Use atomic access.
    * resolv/res_hconf.h: Add comments.
    * nscd/aicache.c (addhstaiX): Call _res_hconf_init unconditionally.
    * nss/getXXbyYY_r.c (REENTRANT_NAME): Likewise.
    * sysdeps/posix/getaddrinfo.c (gaih_inet): Likewise.

commit 44d3ca295ade8cb11b1473a7009705f6ec99d9bf
Author: Torvald Riegel
Date:   Wed Aug 17 13:56:11 2016 +0200

    Fix incorrect double-checked locking related to _res_hconf.initialized.

    _res_hconf.initialized was not suitable for use in a multi-threaded
    environment due to the lack of atomics and memory barriers.  Use of it was
    also unnecessary because _res_hconf_init did the right thing by using
    __libc_once.  This patch fixes the glibc-internal uses by just calling
    _res_hconf_init unconditionally, and switches to a release MO atomic store
    for _res_hconf.initialized to fix the glibc side of the synchronization
    problem (which will maintain backward compatibility, but cannot fix the
    lack of acquire MO on any glibc-external loads).

        [BZ #20477]
        * resolv/res_hconf.c (do_init): Use atomic access.
        * resolv/res_hconf.h: Add comments.
        * nscd/aicache.c (addhstaiX): Call _res_hconf_init unconditionally.
        * nss/getXXbyYY_r.c (REENTRANT_NAME): Likewise.
        * sysdeps/posix/getaddrinfo.c (gaih_inet): Likewise.

diff --git a/nscd/aicache.c b/nscd/aicache.c index a2e6cf8..32c8f57 100644 --- a/nscd/aicache.c +++ b/nscd/aicache.c @@ -101,8 +101,7 @@ addhstaiX (struct database_dyn *db, int fd, request_header *req, nip = hosts_database; /* Initialize configurations. */ - if (__glibc_unlikely (!_res_hconf.initialized)) - _res_hconf_init (); + _res_hconf_init (); if (__res_maybe_init (&_res, 0) == -1) no_more = 1; diff --git a/nss/getXXbyYY_r.c b/nss/getXXbyYY_r.c index 93af253..18d3ad6 100644 --- a/nss/getXXbyYY_r.c +++ b/nss/getXXbyYY_r.c @@ -274,8 +274,7 @@ INTERNAL (REENTRANT_NAME) (ADD_PARAMS, LOOKUP_TYPE *resbuf, char *buffer, } #endif /* need _res */ #ifdef NEED__RES_HCONF - if (!_res_hconf.initialized) - _res_hconf_init (); + _res_hconf_init (); #endif /* need _res_hconf */ void *tmp_ptr = fct.l; diff --git a/resolv/res_hconf.c b/resolv/res_hconf.c index 5cd1289..093c268 100644 --- a/resolv/res_hconf.c +++ b/resolv/res_hconf.c @@ -348,7 +348,8 @@ do_init (void) arg_trimdomain_list (ENV_TRIM_OVERR, 1, envval); } - _res_hconf.initialized = 1; + /* See comments on the declaration of _res_hconf. */ + atomic_store_release (&_res_hconf.initialized, 1); } diff --git a/resolv/res_hconf.h b/resolv/res_hconf.h index b97734d..a3d23f3 100644 --- a/resolv/res_hconf.h +++ b/resolv/res_hconf.h @@ -25,6 +25,15 @@ struct hconf { + /* We keep the INITIALIZED member only for backwards compatibility. New + code should just call _res_hconf_init unconditionally. For this field + to be used safely, users must ensure that either (1) a call to + _res_hconf_init happens-before any load from INITIALIZED, or (2) an + assignment of zero to INITIALIZED happens-before any load from it, and + these loads use acquire MO if the intent is to skip calling + _res_hconf_init if the load returns a nonzero value. Such acquire MO + loads will then synchronize with the release MO store to INITIALIZED + in do_init in res_hconf.c; see pthread_once for more detail. */ int initialized; int unused1; int unused2[4]; 
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c index 574ce08..09fbc83 100644 --- a/sysdeps/posix/getaddrinfo.c +++ b/sysdeps/posix/getaddrinfo.c @@ -816,8 +816,7 @@ gaih_inet (const char *name, const struct gaih_service *service, nip = __nss_hosts_database; /* Initialize configurations. */ - if (__glibc_unlikely (!_res_hconf.initialized)) - _res_hconf_init (); + _res_hconf_init (); if (__res_maybe_init (&_res, 0) == -1) no_more = 1;
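
Review bot: in the nss/getXXbyYY_r.c hunk, the now-unconditional `_res_hconf_init ();` under NEED__RES_HCONF has no comment explaining why the `if (!_res_hconf.initialized)` guard was dropped, so a later cleanup could reintroduce the unsynchronized check as an optimization. A one-line comment stating that _res_hconf_init is already once-only through __libc_once, and that INITIALIZED must not be read here as a shortcut, would prevent that. The same applies to the nscd/aicache.c and sysdeps/posix/getaddrinfo.c call sites, where the existing "Initialize configurations." comment could be extended.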
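
Review bot: in the resolv/res_hconf.c hunk, the new comment above `atomic_store_release (&_res_hconf.initialized, 1);` refers to "the declaration of _res_hconf", but the explanation added by this patch sits on the INITIALIZED member inside struct hconf in res_hconf.h, so the reference should name that member and file. It would also help to say at the store that, with the internal callers in this patch no longer loading the field, the release store exists only for glibc-external readers; otherwise the store looks like it pairs with a load that the reader cannot find in the tree.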
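
Review bot: in the resolv/res_hconf.h hunk, the comment requires acquire MO loads from INITIALIZED, yet the member stays a plain `int initialized;` and the comment does not say how code outside glibc is expected to perform such a load. Consider naming the operation explicitly (for example the compiler's __atomic_load_n with __ATOMIC_ACQUIRE) and stating that a plain read followed by skipping _res_hconf_init is exactly the pattern being ruled out. Condition (2) would be easier to follow as its own sentence, and "see pthread_once for more detail" should point to the specific file or comment meant.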