linux_android_with_fallback: avoid dlsym on musl

The dlsym-based getrandom detection added in commit 869a4f0
("linux_android: use libc::getrandom") assumes dynamic linking, which
means it never works properly on musl where static linking is the norm.
Add some conditional compilation to use `libc::getrandom` directly on
musl while retaining kernel support detection.

Author: tamird

.github/workflows/build.yml

@@ -128,6 +128,9 @@ jobs:
       - env:
           RUSTFLAGS: -Dwarnings --cfg getrandom_test_linux_fallback
         run: cargo build --features=std
+      - env:
+          RUSTFLAGS: -Dwarnings --cfg getrandom_test_linux_fallback_no_devurandom
+        run: cargo build --features=std
       - env:
           RUSTFLAGS: -Dwarnings --cfg getrandom_backend="rdrand"
         run: cargo build --features=std

.github/workflows/tests.yml

@@ -61,6 +61,10 @@ jobs:
           RUSTFLAGS: -Dwarnings --cfg getrandom_test_linux_fallback
           RUSTDOCFLAGS: -Dwarnings --cfg getrandom_test_linux_fallback
         run: cargo test --features=std
+      - env:
+          RUSTFLAGS: -Dwarnings --cfg getrandom_test_linux_fallback_no_dev_urandom
+          RUSTDOCFLAGS: -Dwarnings --cfg getrandom_test_linux_fallback_no_dev_urandom
+        run: cargo test --features=std
       - env:
           RUSTFLAGS: -Dwarnings --cfg getrandom_backend="rdrand"
           RUSTDOCFLAGS: -Dwarnings --cfg getrandom_backend="rdrand"

Cargo.toml

@@ -84,6 +84,7 @@ check-cfg = [
   'cfg(getrandom_backend, values("custom", "rdrand", "rndr", "linux_getrandom", "wasm_js"))',
   'cfg(getrandom_msan)',
   'cfg(getrandom_test_linux_fallback)',
+  'cfg(getrandom_test_linux_fallback_no_dev_urandom)',
   'cfg(getrandom_test_netbsd_fallback)',
 ]
 

src/backends/linux_android_with_fallback.rs

@@ -1,57 +1,55 @@
 //! Implementation for Linux / Android with `/dev/urandom` fallback
 use super::use_file;
 use crate::Error;
-use core::{
-    ffi::c_void,
-    mem::{self, MaybeUninit},
-    ptr::{self, NonNull},
-    sync::atomic::{AtomicPtr, Ordering},
-};
+use core::{ffi::c_void, mem::MaybeUninit, ptr};
 use use_file::util_libc;
 
+#[path = "../lazy.rs"]
+mod lazy;
+
 pub use crate::util::{inner_u32, inner_u64};
 
 type GetRandomFn = unsafe extern "C" fn(*mut c_void, libc::size_t, libc::c_uint) -> libc::ssize_t;
 
-/// Sentinel value which indicates that `libc::getrandom` either not available,
-/// or not supported by kernel.
-const NOT_AVAILABLE: NonNull<c_void> = unsafe { NonNull::new_unchecked(usize::MAX as *mut c_void) };
+#[cfg(not(target_env = "musl"))]
+#[cold]
+#[inline(never)]
+fn get_getrandom_fn() -> Option<GetRandomFn> {
+    static GETRANDOM_FN: lazy::LazyUsize = lazy::LazyUsize::new();
 
-static GETRANDOM_FN: AtomicPtr<c_void> = AtomicPtr::new(ptr::null_mut());
+    let raw_ptr = GETRANDOM_FN.unsync_init(|| {
+        static NAME: &[u8] = b"getrandom\0";
+        let name_ptr = NAME.as_ptr().cast::<libc::c_char>();
+        unsafe { libc::dlsym(libc::RTLD_DEFAULT, name_ptr) as usize }
+    }) as *mut c_void;
+
+    (!raw_ptr.is_null()).then(|| {
+        // note: `transmute` is currently the only way to convert a pointer into a function reference
+        unsafe { core::mem::transmute::<*mut c_void, GetRandomFn>(raw_ptr) }
+    })
+}
 
 #[cold]
 #[inline(never)]
-fn init() -> NonNull<c_void> {
-    static NAME: &[u8] = b"getrandom\0";
-    let name_ptr = NAME.as_ptr().cast::<libc::c_char>();
-    let raw_ptr = unsafe { libc::dlsym(libc::RTLD_DEFAULT, name_ptr) };
-    let res_ptr = match NonNull::new(raw_ptr) {
-        Some(fptr) => {
-            let getrandom_fn = unsafe { mem::transmute::<NonNull<c_void>, GetRandomFn>(fptr) };
-            let dangling_ptr = ptr::NonNull::dangling().as_ptr();
-            // Check that `getrandom` syscall is supported by kernel
-            let res = unsafe { getrandom_fn(dangling_ptr, 0, 0) };
-            if cfg!(getrandom_test_linux_fallback) {
-                NOT_AVAILABLE
-            } else if res.is_negative() {
-                match util_libc::last_os_error().raw_os_error() {
-                    Some(libc::ENOSYS) => NOT_AVAILABLE, // No kernel support
-                    // The fallback on EPERM is intentionally not done on Android since this workaround
-                    // seems to be needed only for specific Linux-based products that aren't based
-                    // on Android. See https://github.com/rust-random/getrandom/issues/229.
-                    #[cfg(target_os = "linux")]
-                    Some(libc::EPERM) => NOT_AVAILABLE, // Blocked by seccomp
-                    _ => fptr,
-                }
-            } else {
-                fptr
-            }
+fn check_getrandom(getrandom_fn: GetRandomFn) -> bool {
+    let dangling_ptr = ptr::NonNull::dangling().as_ptr();
+    // Check that `getrandom` syscall is supported by kernel
+    let res = unsafe { getrandom_fn(dangling_ptr, 0, 0) };
+    if cfg!(getrandom_test_linux_fallback) {
+        false
+    } else if res.is_negative() {
+        match util_libc::last_os_error().raw_os_error() {
+            Some(libc::ENOSYS) => false, // No kernel support
+            // The fallback on EPERM is intentionally not done on Android since this workaround
+            // seems to be needed only for specific Linux-based products that aren't based
+            // on Android. See https://github.com/rust-random/getrandom/issues/229.
+            #[cfg(target_os = "linux")]
+            Some(libc::EPERM) => false, // Blocked by seccomp
+            _ => true,
         }
-        None => NOT_AVAILABLE,
-    };
-
-    GETRANDOM_FN.store(res_ptr.as_ptr(), Ordering::Release);
-    res_ptr
+    } else {
+        true
+    }
 }
 
 // prevent inlining of the fallback implementation
@@ -62,23 +60,22 @@ fn use_file_fallback(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
 
 #[inline]
 pub fn fill_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
-    // Despite being only a single atomic variable, we still cannot always use
-    // Ordering::Relaxed, as we need to make sure a successful call to `init`
-    // is "ordered before" any data read through the returned pointer (which
-    // occurs when the function is called). Our implementation mirrors that of
-    // the one in libstd, meaning that the use of non-Relaxed operations is
-    // probably unnecessary.
-    let raw_ptr = GETRANDOM_FN.load(Ordering::Acquire);
-    let fptr = match NonNull::new(raw_ptr) {
-        Some(p) => p,
-        None => init(),
-    };
+    static GETRANDOM_GOOD: lazy::LazyBool = lazy::LazyBool::new();
+
+    cfg_if! {
+        if #[cfg(target_env = "musl")] {
+            let getrandom_fn = libc::getrandom;
+        } else {
+            let getrandom_fn = match get_getrandom_fn() {
+                Some(f) => f,
+                None => return use_file_fallback(dest),
+            };
+        }
+    }
 
-    if fptr == NOT_AVAILABLE {
+    if !GETRANDOM_GOOD.unsync_init(|| check_getrandom(getrandom_fn)) {
         use_file_fallback(dest)
     } else {
-        // note: `transmute` is currently the only way to convert a pointer into a function reference
-        let getrandom_fn = unsafe { mem::transmute::<NonNull<c_void>, GetRandomFn>(fptr) };
         util_libc::sys_fill_exact(dest, |buf| unsafe {
             getrandom_fn(buf.as_mut_ptr().cast(), buf.len(), 0)
         })

src/backends/use_file.rs

@@ -12,13 +12,19 @@ pub use crate::util::{inner_u32, inner_u64};
 #[path = "../util_libc.rs"]
 pub(super) mod util_libc;
 
-/// For all platforms, we use `/dev/urandom` rather than `/dev/random`.
-/// For more information see the linked man pages in lib.rs.
-///   - On Linux, "/dev/urandom is preferred and sufficient in all use cases".
-///   - On Redox, only /dev/urandom is provided.
-///   - On AIX, /dev/urandom will "provide cryptographically secure output".
-///   - On Haiku and QNX Neutrino they are identical.
-const FILE_PATH: &[u8] = b"/dev/urandom\0";
+cfg_if! {
+    if #[cfg(getrandom_test_linux_fallback_no_dev_urandom)] {
+        const FILE_PATH: &[u8] = b"/does/not/exist/lol\0";
+    } else {
+        /// For all platforms, we use `/dev/urandom` rather than `/dev/random`.
+        /// For more information see the linked man pages in lib.rs.
+        ///   - On Linux, "/dev/urandom is preferred and sufficient in all use cases".
+        ///   - On Redox, only /dev/urandom is provided.
+        ///   - On AIX, /dev/urandom will "provide cryptographically secure output".
+        ///   - On Haiku and QNX Neutrino they are identical.
+        const FILE_PATH: &[u8] = b"/dev/urandom\0";
+    }
+}
 
 // File descriptor is a "nonnegative integer", so we can safely use negative sentinel values.
 const FD_UNINIT: libc::c_int = -1;

src/lazy.rs

@@ -19,20 +19,20 @@ use core::sync::atomic::{AtomicUsize, Ordering};
 //      }
 // the effects of c() or writes to shared memory will not necessarily be
 // observed and additional synchronization methods may be needed.
-struct LazyUsize(AtomicUsize);
+pub(crate) struct LazyUsize(AtomicUsize);
 
 impl LazyUsize {
     // The initialization is not completed.
     const UNINIT: usize = usize::MAX;
 
-    const fn new() -> Self {
+    pub const fn new() -> Self {
         Self(AtomicUsize::new(Self::UNINIT))
     }
 
     // Runs the init() function at most once, returning the value of some run of
     // init(). Multiple callers can run their init() functions in parallel.
     // init() should always return the same value, if it succeeds.
-    fn unsync_init(&self, init: impl FnOnce() -> usize) -> usize {
+    pub fn unsync_init(&self, init: impl FnOnce() -> usize) -> usize {
         #[cold]
         fn do_init(this: &LazyUsize, init: impl FnOnce() -> usize) -> usize {
             let val = init();