Take write lock for rtld_bind before modifying obj_list in dl_iterate_phdr().

This avoids a race with readers such as dladdr(3)/dlinfo(3)/dlsym(3) and
the atexit(3) handler.  This race was introduced in r294373.

Reviewed by:	markj, kib, kan
MFC after:	2 weeks
Sponsored by:	Dell EMC Isilon

diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c
index ce152f8157fff9fbf486b1b7d95a8d52e3fa4d07..ec33d87888d713debabd2cbc93afa9ff17910962 100644 (file)
--- a/libexec/rtld-elf/rtld.c
+++ b/libexec/rtld-elf/rtld.c
@@ -3549,7 +3549,7 @@ dl_iterate_phdr(__dl_iterate_hdr_callback callback, void *param)
        error = 0;
 
        wlock_acquire(rtld_phdr_lock, &phdr_lockstate);
-       rlock_acquire(rtld_bind_lock, &bind_lockstate);
+       wlock_acquire(rtld_bind_lock, &bind_lockstate);
        for (obj = globallist_curr(TAILQ_FIRST(&obj_list)); obj != NULL;) {
                TAILQ_INSERT_AFTER(&obj_list, obj, &marker, next);
                rtld_fill_dl_phdr_info(obj, &phdr_info);
@@ -3557,7 +3557,7 @@ dl_iterate_phdr(__dl_iterate_hdr_callback callback, void *param)
 
                error = callback(&phdr_info, sizeof phdr_info, param);
 
-               rlock_acquire(rtld_bind_lock, &bind_lockstate);
+               wlock_acquire(rtld_bind_lock, &bind_lockstate);
                obj = globallist_next(&marker);
                TAILQ_REMOVE(&obj_list, &marker, next);
                if (error != 0) {