__nss_database_lookup and its callers incorrectly implement double-checked locking. There are data races and missing barriers.
I expect the correct fix is to remove the outer check and call __nss_database_lookup unconditionally. We can then implement correct double-checked locking within __nss_database_lookup, as a future optimization. I assume this is difficult to hit in practice (due to the limited number of chances per process), so I'm flagging this as security-.