Fix a couple threading issues

Clarify reconfigure runs on the dispatch thread and no other thread walks the plugin conf while that happens.

Mark enqueue as a single producer function so that thread analysis understands only 1 thread ever calls enqueue.

Use atomics for the flush variable.

Author: stevegrubb

audisp/audispd.c

@@ -221,6 +221,12 @@ static int reconfigure(void)
 	conf_llist tmp_plugin;
 	lnode *tpconf;
 
+	/*
+	 * reconfigure() executes on the dispatcher thread after the event
+	 * loop returns.  No other thread walks plugin_conf while this runs,
+	 * so we can rebuild the list in place without additional locking.
+	 */
+
 	if (need_queue_depth_change) {
 		need_queue_depth_change = 0;
 		increase_queue_depth(daemon_config.q_depth);

audisp/queue.c

@@ -42,7 +42,9 @@
  * the index alone does not guarantee exclusive access to a ring buffer entry.
  * A compare‑exchange or other reservation mechanism (or simply a mutex) is
  * required to make the queue race‑free. However, auditd is the only producer
- * and audisp is the only consumer, so the queue is safe in practice.
+ * and audisp is the only consumer, so the queue is safe in practice. The
+ * enqueue() entry point is annotated with AUDIT_SINGLE_PRODUCER_FUNC to make
+ * this contract visible to thread-safety tooling.
  */
 
 static volatile event_t **q;
@@ -223,7 +225,7 @@ static int do_overflow_action(struct disp_conf *config)
  * when processing is suspended, and
  * -1 on other errors
  */
-int enqueue(event_t *e, struct disp_conf *config)
+AUDIT_SINGLE_PRODUCER_FUNC int enqueue(event_t *e, struct disp_conf *config)
 {
 	unsigned int n, retry_cnt = 0;
 

common/common.h

@@ -42,6 +42,9 @@
 #ifndef __wur
 # define __wur
 #endif
+#ifndef __has_attribute
+# define __has_attribute(x) 0
+#endif
 
 /* Wrapper macros for optional atomics
  * Note: ATOMIC_INT and ATOMIC_UNSIGNED are defined in config.h */
@@ -55,6 +58,12 @@
 #  define AUDIT_ATOMIC_LOAD(var) (var)
 #endif
 
+#if __has_attribute(no_thread_safety_analysis)
+#  define AUDIT_SINGLE_PRODUCER_FUNC __attribute__((no_thread_safety_analysis))
+#else
+#  define AUDIT_SINGLE_PRODUCER_FUNC
+#endif
+
 // Used in auditd-event.c and audisp.c to size buffers for formatting
 #define FORMAT_BUF_LEN (MAX_AUDIT_MESSAGE_LENGTH + _POSIX_HOST_NAME_MAX)
 

src/auditd-event.c

@@ -93,7 +93,11 @@ static off_t log_size = 0;
 static pthread_t flush_thread;
 static pthread_mutex_t flush_lock;
 static pthread_cond_t do_flush;
-static volatile int flush;
+#ifdef HAVE_ATOMIC
+static ATOMIC_INT flush;
+#else
+static volatile ATOMIC_INT flush;
+#endif
 static auparse_state_t *au = NULL;
 
 /* Local definitions */
@@ -236,14 +240,14 @@ static void *flush_thread_main(void *arg)
 		// In the event that the logging thread requests another
 		// flush before the first completes, this simply turns
 		// into a loop of fsyncs.
-		while (flush == 0) {
+		while (AUDIT_ATOMIC_LOAD(flush) == 0) {
 			pthread_cond_wait(&do_flush, &flush_lock);
 			if (AUDIT_ATOMIC_LOAD(stop)) {
 				pthread_mutex_unlock(&flush_lock);
 				return NULL;
 			}
 		}
-		flush = 0;
+		AUDIT_ATOMIC_STORE(flush, 0);
 		pthread_mutex_unlock(&flush_lock);
 
 		if (log_fd >= 0)
@@ -258,7 +262,7 @@ static void init_flush_thread(void)
 {
 	pthread_mutex_init(&flush_lock, NULL);
 	pthread_cond_init(&do_flush, NULL);
-	flush = 0;
+	AUDIT_ATOMIC_STORE(flush, 0);
 	pthread_create(&flush_thread, NULL, flush_thread_main, NULL);
 	pthread_detach(flush_thread);
 }
@@ -671,7 +675,7 @@ void handle_event(struct auditd_event *e)
 						}
 					} else {
 						pthread_mutex_lock(&flush_lock);
-						flush = 1;
+						AUDIT_ATOMIC_STORE(flush, 1);
 						pthread_cond_signal(&do_flush);
 						pthread_mutex_unlock(
 								   &flush_lock);