[PATCH] pthread_cond_broadcast: Fix waiters-after-spinning case [BZ #23538]

From: Martin Kuchta <>

(cherry picked from commit 99ea93ca31795469d2a1f1570f17a5c39c2eb7e2)

2018-08-27 Martin Kuchta  <>
	   Torvald Riegel  <>

	[BZ #23538]
	* nptl/pthread_cond_common.c (__condvar_quiesce_and_switch_g1):
	Update r to include the set wake-request flag if waiters are
	remaining after spinning.

diff --git a/NEWS b/NEWS
index 61ac02cd69..a868a652f7 100644
--- a/NEWS
+++ b/NEWS
@@ -146,6 +146,7 @@ The following bugs are resolved with this release:
   [23236] Harden function pointers in _IO_str_fields
   [23313] libio: Disable vtable validation in case of interposition
   [23349] Various glibc headers no longer compatible with <linux/time.h>
+  [23538] pthread_cond_broadcast: Fix waiters-after-spinning case
   [23363] stdio-common/tst-printf.c has non-free license
   [23456] Wrong index_cpu_LZCNT
   [23459] COMMON_CPUID_INDEX_80000001 isn't populated for Intel processors
diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c
index ffbbde4106..c99435e439 100644
--- a/nptl/pthread_cond_common.c
+++ b/nptl/pthread_cond_common.c
@@ -405,8 +405,12 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
 	  /* There is still a waiter after spinning.  Set the wake-request
 	     flag and block.  Relaxed MO is fine because this is just about
-	     this futex word.  */
-	  r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1);
+	     this futex word.
+	     Update r to include the set wake-request flag so that the upcoming
+	     futex_wait only blocks if the flag is still set (otherwise, we'd
+	     violate the basic client-side futex protocol).  */
+	  r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1) | 1;
 	  if ((r >> 1) > 0)
 	    futex_wait_simple (cond->__data.__g_refs + g1, r, private);

