From 9d9b69b3732314d3900c104cd1d1bc54c2d057a7 Mon Sep 17 00:00:00 2001
From: Bryan Drewery
Date: Tue, 13 Dec 2016 18:05:14 +0000
Subject: [PATCH] Take write lock for rtld_bind before modifying obj_list in dl_iterate_phdr().
This avoids a race with readers such as dladdr(3)/dlinfo(3)/dlsym(3) and the atexit(3) handler. This race was introduced in r294373.
Reviewed by: markj, kib, kan
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
---
 libexec/rtld-elf/rtld.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c
index ce152f8157ff..ec33d87888d7 100644
--- a/libexec/rtld-elf/rtld.c
+++ b/libexec/rtld-elf/rtld.c
@@ -3549,7 +3549,7 @@ dl_iterate_phdr(__dl_iterate_hdr_callback callback, void *param)
 error = 0;
 wlock_acquire(rtld_phdr_lock, &phdr_lockstate);
- rlock_acquire(rtld_bind_lock, &bind_lockstate);
+ wlock_acquire(rtld_bind_lock, &bind_lockstate);
 for (obj = globallist_curr(TAILQ_FIRST(&obj_list)); obj != NULL;) {
 TAILQ_INSERT_AFTER(&obj_list, obj, &marker, next);
 rtld_fill_dl_phdr_info(obj, &phdr_info);
@@ -3557,7 +3557,7 @@ dl_iterate_phdr(__dl_iterate_hdr_callback callback, void *param)
 error = callback(&phdr_info, sizeof phdr_info, param);
- rlock_acquire(rtld_bind_lock, &bind_lockstate);
+ wlock_acquire(rtld_bind_lock, &bind_lockstate);
 obj = globallist_next(&marker);
 TAILQ_REMOVE(&obj_list, &marker, next);
 if (error != 0) {
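Review bot: The `wlock_acquire(rtld_bind_lock, &bind_lockstate)` ahead of the loop carries no comment saying why a function that only iterates needs the write lock, and the same holds for the re-acquire after the callback in the second hunk. The reason is visible in the hunks: `TAILQ_INSERT_AFTER` and `TAILQ_REMOVE` link and unlink `marker` in `obj_list`. Without a note, a later cleanup could turn these back into `rlock_acquire` and reintroduce the race with concurrent readers. I would add above the first acquire `/* Write lock: the marker insert/remove below mutates obj_list, which read-lock holders traverse. */`. The body of dl_iterate_phdr starts and ends outside both hunks.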
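Review bot: Re-taking the bind lock after `callback()` implies it is released before the call (that line is not shown), so `marker` presumably stays linked in `obj_list` with no bind lock held until the `TAILQ_REMOVE` in this hunk. The write lock closes the race on the link and unlink themselves, but any other traversal of `obj_list` that runs in that window still encounters the marker entry. It is worth confirming that every such walker goes through `globallist_curr`/`globallist_next` (which appear to be the marker-aware accessors here) rather than a bare `TAILQ_FOREACH`. A short comment at the re-acquire, e.g. `/* marker is still on obj_list here; relock for write before unlinking it */`, would record that invariant.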