Author: H.J. Lu
Author Date: 2025-01-03 21:43:21 UTC

loongarch: Provide stpcpy in stpcpy-aligned.S for rtld [BZ #32512]

When stpcpy-aligned.S is used in rtld, provide stpcpy as a weak alias of
__stpcpy. This fixes BZ #32512.

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>

Author: John David Anglin
Author Date: 2024-12-22 14:58:02 UTC

hppa: Simplify handling of sanity check errors in clone.S.

This simplifies the handling of sanity check errors in clone.S.
Adjusted a couple of comments to reflect current code.

Signed-off-by: John David Anglin <dave.anglin@bell.net>

Author: Florian Weimer
Author Date: 2024-12-17 17:12:03 UTC

x86: Avoid integer truncation with large cache sizes (bug 32470)

Some hypervisors report 1 TiB L3 cache size. This results
in some variables incorrectly getting zeroed, causing crashes
in memcpy/memmove because invariants are violated.

(cherry picked from commit 61c3450db96dce96ad2b24b4f0b548e6a46d68e5)

Author: Florian Weimer
Author Date: 2024-12-17 17:12:03 UTC

x86: Avoid integer truncation with large cache sizes (bug 32470)

Some hypervisors report 1 TiB L3 cache size. This results
in some variables incorrectly getting zeroed, causing crashes
in memcpy/memmove because invariants are violated.

(cherry picked from commit 61c3450db96dce96ad2b24b4f0b548e6a46d68e5)

Author: Florian Weimer
Author Date: 2024-12-17 17:12:03 UTC

x86: Avoid integer truncation with large cache sizes (bug 32470)

Some hypervisors report 1 TiB L3 cache size. This results
in some variables incorrectly getting zeroed, causing crashes
in memcpy/memmove because invariants are violated.

(cherry picked from commit 61c3450db96dce96ad2b24b4f0b548e6a46d68e5)

Author: Florian Weimer
Author Date: 2024-12-17 17:12:03 UTC

x86: Avoid integer truncation with large cache sizes (bug 32470)

Some hypervisors report 1 TiB L3 cache size. This results
in some variables incorrectly getting zeroed, causing crashes
in memcpy/memmove because invariants are violated.

(cherry picked from commit 61c3450db96dce96ad2b24b4f0b548e6a46d68e5)

Author: Florian Weimer
Author Date: 2024-12-17 17:12:03 UTC

x86: Avoid integer truncation with large cache sizes (bug 32470)

Some hypervisors report 1 TiB L3 cache size. This results
in some variables incorrectly getting zeroed, causing crashes
in memcpy/memmove because invariants are violated.

(cherry picked from commit 61c3450db96dce96ad2b24b4f0b548e6a46d68e5)

Author: Florian Weimer
Author Date: 2024-12-17 17:12:03 UTC

x86: Avoid integer truncation with large cache sizes (bug 32470)

Some hypervisors report 1 TiB L3 cache size. This results
in some variables incorrectly getting zeroed, causing crashes
in memcpy/memmove because invariants are violated.

(cherry picked from commit 61c3450db96dce96ad2b24b4f0b548e6a46d68e5)

Author: Adhemerval Zanella
Author Date: 2022-03-08 20:31:08 UTC

nptl: x86_64: Use same code for CURRENT_STACK_FRAME and stackinfo_get_sp

Cherry-picked by scw@google.com from 8cd559cf5afe3894f92c2be6f972e1a4e38c56ca
with local modifications (different file path and not use macros introduced in
01bd62517cc242ae503aaa7002e9e94551803e4d). This fixes UB and code
removal when building with clang.

It avoids the possible warning of uninitialized 'frame' variable when
building with clang:

  ../sysdeps/nptl/jmp-unwind.c:27:42: error: variable 'frame' is
  uninitialized when used here [-Werror,-Wuninitialized]
    __pthread_cleanup_upto (env->__jmpbuf, CURRENT_STACK_FRAME);

The resulting code is similar to CURRENT_STACK_FRAME.

Checked on x86_64-linux-gnu.

Author: Alex Butler
Author Date: 2020-06-16 12:44:24 UTC

aarch64: MTE compatible strncmp

Add support for MTE to strncmp. Regression tested with xcheck and benchmarked
with glibc's benchtests on the Cortex-A53, Cortex-A72, and Neoverse N1.

The existing implementation assumes that any access to the pages in which the
string resides is safe. This assumption is not true when MTE is enabled. This
patch updates the algorithm to ensure that accesses remain within the bounds
of an MTE tag (16-byte chunks) and improves overall performance.

Co-authored-by: Branislav Rankov <branislav.rankov@arm.com>
Co-authored-by: Wilco Dijkstra <wilco.dijkstra@arm.com>
(cherry picked from commit 03e1378f94173fc192a81e421457198f7b8a34a0)

Author: Alex Butler
Author Date: 2020-06-16 12:44:24 UTC

aarch64: MTE compatible strncmp

Add support for MTE to strncmp. Regression tested with xcheck and benchmarked
with glibc's benchtests on the Cortex-A53, Cortex-A72, and Neoverse N1.

The existing implementation assumes that any access to the pages in which the
string resides is safe. This assumption is not true when MTE is enabled. This
patch updates the algorithm to ensure that accesses remain within the bounds
of an MTE tag (16-byte chunks) and improves overall performance.

Co-authored-by: Branislav Rankov <branislav.rankov@arm.com>
Co-authored-by: Wilco Dijkstra <wilco.dijkstra@arm.com>
(cherry picked from commit 03e1378f94173fc192a81e421457198f7b8a34a0)

Author: Alex Butler
Author Date: 2020-06-16 12:44:24 UTC

aarch64: MTE compatible strncmp

Add support for MTE to strncmp. Regression tested with xcheck and benchmarked
with glibc's benchtests on the Cortex-A53, Cortex-A72, and Neoverse N1.

The existing implementation assumes that any access to the pages in which the
string resides is safe. This assumption is not true when MTE is enabled. This
patch updates the algorithm to ensure that accesses remain within the bounds
of an MTE tag (16-byte chunks) and improves overall performance.

Co-authored-by: Branislav Rankov <branislav.rankov@arm.com>
Co-authored-by: Wilco Dijkstra <wilco.dijkstra@arm.com>
(cherry picked from commit 03e1378f94173fc192a81e421457198f7b8a34a0)

Author: Alex Butler
Author Date: 2020-06-16 12:44:24 UTC

aarch64: MTE compatible strncmp

Add support for MTE to strncmp. Regression tested with xcheck and benchmarked
with glibc's benchtests on the Cortex-A53, Cortex-A72, and Neoverse N1.

The existing implementation assumes that any access to the pages in which the
string resides is safe. This assumption is not true when MTE is enabled. This
patch updates the algorithm to ensure that accesses remain within the bounds
of an MTE tag (16-byte chunks) and improves overall performance.

Co-authored-by: Branislav Rankov <branislav.rankov@arm.com>
Co-authored-by: Wilco Dijkstra <wilco.dijkstra@arm.com>
(cherry picked from commit 03e1378f94173fc192a81e421457198f7b8a34a0)

Author: Alex Butler
Author Date: 2020-06-16 12:44:24 UTC

aarch64: MTE compatible strncmp

Add support for MTE to strncmp. Regression tested with xcheck and benchmarked
with glibc's benchtests on the Cortex-A53, Cortex-A72, and Neoverse N1.

The existing implementation assumes that any access to the pages in which the
string resides is safe. This assumption is not true when MTE is enabled. This
patch updates the algorithm to ensure that accesses remain within the bounds
of an MTE tag (16-byte chunks) and improves overall performance.

Co-authored-by: Branislav Rankov <branislav.rankov@arm.com>
Co-authored-by: Wilco Dijkstra <wilco.dijkstra@arm.com>
(cherry picked from commit 03e1378f94173fc192a81e421457198f7b8a34a0)

Author: Alex Butler
Author Date: 2020-06-16 12:44:24 UTC

aarch64: MTE compatible strncmp

Add support for MTE to strncmp. Regression tested with xcheck and benchmarked
with glibc's benchtests on the Cortex-A53, Cortex-A72, and Neoverse N1.

The existing implementation assumes that any access to the pages in which the
string resides is safe. This assumption is not true when MTE is enabled. This
patch updates the algorithm to ensure that accesses remain within the bounds
of an MTE tag (16-byte chunks) and improves overall performance.

Co-authored-by: Branislav Rankov <branislav.rankov@arm.com>
Co-authored-by: Wilco Dijkstra <wilco.dijkstra@arm.com>
(cherry picked from commit 03e1378f94173fc192a81e421457198f7b8a34a0)

Author: Adhemerval Zanella
Author Date: 2024-09-13 14:11:56 UTC

sparc: Fix restartable syscalls (BZ 32173)

The commit 'sparc: Use Linux kABI for syscall return'
(86c5d2cf0ce046279baddc7faa27da71f1a89fde) did not take into account
a subtle sparc syscall kABI constraint. For syscalls that might block
indefinitely, on an interrupt (like SIGCONT) the kernel will set the
instruction pointer to just before the syscall:

arch/sparc/kernel/signal_64.c
476 static void do_signal(struct pt_regs *regs, unsigned long orig_i0)
477 {
[...]
525 if (restart_syscall) {
526 switch (regs->u_regs[UREG_I0]) {
527 case ERESTARTNOHAND:
528 case ERESTARTSYS:
529 case ERESTARTNOINTR:
530 /* replay the system call when we are done */
531 regs->u_regs[UREG_I0] = orig_i0;
532 regs->tpc -= 4;
533 regs->tnpc -= 4;
534 pt_regs_clear_syscall(regs);
535 fallthrough;
536 case ERESTART_RESTARTBLOCK:
537 regs->u_regs[UREG_G1] = __NR_restart_syscall;
538 regs->tpc -= 4;
539 regs->tnpc -= 4;
540 pt_regs_clear_syscall(regs);
541 }

However, on a SIGCONT it seems that 'g1' register is being clobbered after the
syscall returns. Before 86c5d2cf0ce046279, the 'g1' was always placed jus
before the 'ta' instruction which then reloads the syscall number and restarts
the syscall.

On master, where 'g1' might be placed before 'ta':

  $ cat test.c
  #include <unistd.h>

  int main ()
  {
    pause ();
  }
  $ gcc test.c -o test
  $ strace -f ./t
  [...]
  ppoll(NULL, 0, NULL, NULL, 0

On another terminal

  $ kill -STOP 2262828

  $ strace -f ./t
  [...]
  --- SIGSTOP {si_signo=SIGSTOP, si_code=SI_USER, si_pid=2521813, si_uid=8289} ---
  --- stopped by SIGSTOP ---

And then

  $ kill -CONT 2262828

Results in:

  --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=2521813, si_uid=8289} ---
  restart_syscall(<... resuming interrupted ppoll ...>) = -1 EINTR (Interrupted system call)

Where the expected behaviour would be:

  $ strace -f ./t
  [...]
  ppoll(NULL, 0, NULL, NULL, 0) = ? ERESTARTNOHAND (To be restarted if no handler)
  --- SIGSTOP {si_signo=SIGSTOP, si_code=SI_USER, si_pid=2521813, si_uid=8289} ---
  --- stopped by SIGSTOP ---
  --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=2521813, si_uid=8289} ---
  ppoll(NULL, 0, NULL, NULL, 0

Just moving the 'g1' setting near the syscall asm is not suffice,
the compiler might optimize it away (as I saw on cancellation.c by
trying this fix). Instead, I have change the inline asm to put the
'g1' setup in ithe asm block. This would require to change the asm
constraint for INTERNAL_SYSCALL_NCS, since the syscall number is not
constant.

Checked on sparc64-linux-gnu.

Reported-by: René Rebe <rene@exactcode.de>
Tested-by: Sam James <sam@gentoo.org>
Reviewed-by: Sam James <sam@gentoo.org>
(cherry picked from commit 2c1903cbbac0022153a67776f474c221250ad6ed)

Author: Adhemerval Zanella
Author Date: 2024-09-13 14:11:56 UTC

sparc: Fix restartable syscalls (BZ 32173)

The commit 'sparc: Use Linux kABI for syscall return'
(86c5d2cf0ce046279baddc7faa27da71f1a89fde) did not take into account
a subtle sparc syscall kABI constraint. For syscalls that might block
indefinitely, on an interrupt (like SIGCONT) the kernel will set the
instruction pointer to just before the syscall:

arch/sparc/kernel/signal_64.c
476 static void do_signal(struct pt_regs *regs, unsigned long orig_i0)
477 {
[...]
525 if (restart_syscall) {
526 switch (regs->u_regs[UREG_I0]) {
527 case ERESTARTNOHAND:
528 case ERESTARTSYS:
529 case ERESTARTNOINTR:
530 /* replay the system call when we are done */
531 regs->u_regs[UREG_I0] = orig_i0;
532 regs->tpc -= 4;
533 regs->tnpc -= 4;
534 pt_regs_clear_syscall(regs);
535 fallthrough;
536 case ERESTART_RESTARTBLOCK:
537 regs->u_regs[UREG_G1] = __NR_restart_syscall;
538 regs->tpc -= 4;
539 regs->tnpc -= 4;
540 pt_regs_clear_syscall(regs);
541 }

However, on a SIGCONT it seems that 'g1' register is being clobbered after the
syscall returns. Before 86c5d2cf0ce046279, the 'g1' was always placed jus
before the 'ta' instruction which then reloads the syscall number and restarts
the syscall.

On master, where 'g1' might be placed before 'ta':

  $ cat test.c
  #include <unistd.h>

  int main ()
  {
    pause ();
  }
  $ gcc test.c -o test
  $ strace -f ./t
  [...]
  ppoll(NULL, 0, NULL, NULL, 0

On another terminal

  $ kill -STOP 2262828

  $ strace -f ./t
  [...]
  --- SIGSTOP {si_signo=SIGSTOP, si_code=SI_USER, si_pid=2521813, si_uid=8289} ---
  --- stopped by SIGSTOP ---

And then

  $ kill -CONT 2262828

Results in:

  --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=2521813, si_uid=8289} ---
  restart_syscall(<... resuming interrupted ppoll ...>) = -1 EINTR (Interrupted system call)

Where the expected behaviour would be:

  $ strace -f ./t
  [...]
  ppoll(NULL, 0, NULL, NULL, 0) = ? ERESTARTNOHAND (To be restarted if no handler)
  --- SIGSTOP {si_signo=SIGSTOP, si_code=SI_USER, si_pid=2521813, si_uid=8289} ---
  --- stopped by SIGSTOP ---
  --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=2521813, si_uid=8289} ---
  ppoll(NULL, 0, NULL, NULL, 0

Just moving the 'g1' setting near the syscall asm is not suffice,
the compiler might optimize it away (as I saw on cancellation.c by
trying this fix). Instead, I have change the inline asm to put the
'g1' setup in ithe asm block. This would require to change the asm
constraint for INTERNAL_SYSCALL_NCS, since the syscall number is not
constant.

Checked on sparc64-linux-gnu.

Reported-by: René Rebe <rene@exactcode.de>
Tested-by: Sam James <sam@gentoo.org>
Reviewed-by: Sam James <sam@gentoo.org>
(cherry picked from commit 2c1903cbbac0022153a67776f474c221250ad6ed)

Author: Szabolcs Nagy
Author Date: 2024-08-28 10:00:19 UTC

aarch64: use __alloc_gcs in makecontext

Author: Adhemerval Zanella
Author Date: 2024-09-26 17:14:35 UTC

[v8] vgetrandom Linux support

* Added __getrandom_early_init to handle multiples libc.so. The
  second loaded libc.so will always fallback to syscall.
* Move the vgetrandom parameters to libc.so.
* Remove the internal sys/random.h in favor of getrandom-internal.h.
* Refactor the reserve pointer macros in factor inline functions
  and added some comments.
* Remove the use of __get_nprocs(), instead starts with one page
  only for the opaque states.
* Use atomic_thread_fence_seq_cst instead of atomic_store_relaxed
  for fork synchronization.
* Align opaque state to L1D cache size to avoid false sharing.

Author: Adhemerval Zanella
Author Date: 2024-07-08 19:38:10 UTC

elf: Add support for GNU_PROPERTY_NO_MEMORY_SEAL

The GNU_PROPERTY_NO_MEMORY_SEAL is a GNU property per module instructing
the glibc not to seal the object PT_LOAD. It can be used for any reason
the modules require to seal not to be enabled (i.e., on Firefox hack to
bypass the dynamic loader and enable DT_RELR on older glibc [1]). In
this case, it is up to the module to apply memory sealing itself.

The sealing is applied by default, and it is always enforced with
glibc.rtld.seal=2.

Checked on aarch64-linux-gnu, x86_64-linux-gnu, and
powerpc64le-linux-gnu.

[1] https://glandium.org/blog/?p=4297

Author: Stefan Liebler
Author Date: 2024-07-11 09:28:53 UTC

s390x: Fix segfault in wcsncmp [BZ #31934]

The z13/vector-optimized wcsncmp implementation segfaults if n=1
and there is only one character (equal on both strings) before
the page end. Then it loads and compares one character and misses
to check n again. The following load fails.

This patch removes the extra load and compare of the first character
and just start with the loop which uses vector-load-to-block-boundary.
This code-path also checks n.

With this patch both tests are passing:
- the simplified one mentioned in the bugzilla 31934
- the full one in Florian Weimer's patch:
"manual: Document a GNU extension for strncmp/wcsncmp"
(https://patchwork.sourceware.org/project/glibc/patch/874j9eml6y.fsf@oldenburg.str.redhat.com/):
On s390x-linux-gnu (z16), the new wcsncmp test fails due to bug 31934.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>

(cherry picked from commit 9b7651410375ec8848a1944992d663d514db4ba7)

Author: Stefan Liebler
Author Date: 2024-07-11 09:28:53 UTC

s390x: Fix segfault in wcsncmp [BZ #31934]

The z13/vector-optimized wcsncmp implementation segfaults if n=1
and there is only one character (equal on both strings) before
the page end. Then it loads and compares one character and misses
to check n again. The following load fails.

This patch removes the extra load and compare of the first character
and just start with the loop which uses vector-load-to-block-boundary.
This code-path also checks n.

With this patch both tests are passing:
- the simplified one mentioned in the bugzilla 31934
- the full one in Florian Weimer's patch:
"manual: Document a GNU extension for strncmp/wcsncmp"
(https://patchwork.sourceware.org/project/glibc/patch/874j9eml6y.fsf@oldenburg.str.redhat.com/):
On s390x-linux-gnu (z16), the new wcsncmp test fails due to bug 31934.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>

(cherry picked from commit 9b7651410375ec8848a1944992d663d514db4ba7)

Author: Florian Weimer
Author Date: 2024-07-02 11:19:13 UTC

elf: Handle ld.so with LOAD segment gaps in _dl_find_object (bug 31943)

Author: Szabolcs Nagy
Author Date: 2024-02-14 15:06:40 UTC

doc: Add plain text readme for using GCS

TODO: this is just for the arm/gcs branch while it is being developed

Author: Adhemerval Zanella
Author Date: 2023-07-31 15:44:37 UTC

stdlib: Make abort AS-safe (BZ 26275)

The recursive lock used on abort does not synchronize with new
process creation (either by fork-like interfaces or posix_spawn
ones), nor it is reinitialized after fork.

Also, the SIGABRT unblock before raise shows another race-condition,
where a fork or posix_spawn call by another thread just after
the recursive lock release and before the SIGABRT raise might create
programs with a non-expected signal mask.

To fix the AS-safe, the raise is issues without changing the process
signal mask, and an AS-safe lock is used if a SIGABRT is installed or
the process is blocked or ignored. The the signal mask change removal,
there is no need to use a recursive lock. The lock is also on
both _Fork and posix_spawn, to avoid the spawn process to see the
abort handler as SIG_DFL.

The posix_spawn possible issue is if caller sets a SIG_IGN for
SIGABRT, calls abort, and another thread issues posix_spawn just
after the sigaction returns. With default options (not setting
POSIX_SPAWN_SETSIGDEF), the process can still see SIG_DFL for
SIGABRT, where it should be SIG_IGN.

The fallback is also simplified, there is no nned to use a loop of
ABORT_INSTRUCTION after _exit (if the syscall does not terminate the
process, the system is really broken).

Checked on x86_64-linux-gnu and aarch64-linux-gnu.

Author: Zack Weinberg
Author Date: 2018-04-03 22:26:44 UTC

Avoid cancellable I/O primitives in ld.so.

Neither the <dlfcn.h> entry points, nor lazy symbol resolution, nor
initial shared library load-up, are cancellation points, so ld.so
should exclusively use I/O primitives that are not cancellable. We
currently achieve this by having the cancellation hooks compile as
no-ops when IS_IN(rtld); this patch changes to using exclusively
_nocancel primitives in the source code instead, which makes the
intent clearer and significantly reduces the amount of code compiled
under IS_IN(rtld) as well as IS_IN(libc) -- in particular,
elf/Makefile no longer thinks we require a copy of unwind.c in
rtld-libc.a. (The older mechanism is preserved as a backstop.)

The bulk of the change is splitting up the files that define the
_nocancel I/O functions, so they don't also define the variants that
*are* cancellation points; after which, the existing logic for picking
out the bits of libc that need to be recompiled as part of ld.so Just
Works. I did this for all of the _nocancel functions, not just the
ones used by ld.so, for consistency.

fcntl was a little tricky because it's only a cancellation point for
certain opcodes (F_SETLKW(64), which can block), and the existing
__fcntl_nocancel wasn't applying the FCNTL_ADJUST_CMD hook, which
strikes me as asking for trouble, especially as the only nontrivial
definition of FCNTL_ADJUST_CMD (for powerpc64) changes F_*LK* opcodes.
To fix this, fcntl_common moves to fcntl_nocancel.c along with
__fcntl_nocancel, and changes its name to the extern (but hidden)
symbol __fcntl_nocancel_adjusted, so that regular fcntl can continue
calling it. __fcntl_nocancel now applies FCNTL_ADJUST_CMD; so that
both both fcntl.c and fcntl_nocancel.c can see it, the only nontrivial
definition moves from sysdeps/u/s/l/powerpc/powerpc64/fcntl.c to
.../powerpc64/sysdep.h and becomes entirely a macro, instead of a macro
that calls an inline function.

The nptl version of libpthread also changes a little, because its
"compat-routines" formerly included files that defined all the
_nocancel functions it uses; instead of continuing to duplicate them,
I exported the relevant ones from libc.so as GLIBC_PRIVATE. Since the
Linux fcntl.c calls a function defined by fcntl_nocancel.c, it can no
longer be used from libpthread.so; instead, introduce a custom
forwarder, pt-fcntl.c, and export __libc_fcntl from libc.so as
GLIBC_PRIVATE. The nios2-linux ABI doesn't include a copy of vfork()
in libpthread, and it was handling that by manipulating
libpthread-routines in .../linux/nios2/Makefile; it is cleaner to do
what other such ports do, and have a pt-vfork.S that defines no symbols.

Right now, it appears that Hurd does not implement _nocancel I/O, so
sysdeps/generic/not-cancel.h will forward everything back to the
regular functions. This changed the names of some of the functions
that sysdeps/mach/hurd/dl-sysdep.c needs to interpose.

 * elf/dl-load.c, elf/dl-misc.c, elf/dl-profile.c, elf/rtld.c
 * sysdeps/unix/sysv/linux/dl-sysdep.c
 Include not-cancel.h. Use __close_nocancel instead of __close,
 __open64_nocancel instead of __open, __read_nocancel instead of
 __libc_read, and __write_nocancel instead of __libc_write.

 * csu/check_fds.c (check_one_fd)
 * sysdeps/posix/fdopendir.c (__fdopendir)
 * sysdeps/posix/opendir.c (__alloc_dir): Use __fcntl_nocancel
        instead of __fcntl and/or __libc_fcntl.

 * sysdeps/unix/sysv/linux/pthread_setname.c (pthread_setname_np)
 * sysdeps/unix/sysv/linux/pthread_getname.c (pthread_getname_np)
        * sysdeps/unix/sysv/linux/i386/smp.h (is_smp_system):
 Use __open64_nocancel instead of __open_nocancel.

 * sysdeps/unix/sysv/linux/not-cancel.h: Move all of the
 hidden_proto declarations to the end and issue them if either
 IS_IN(libc) or IS_IN(rtld).
 * sysdeps/unix/sysv/linux/Makefile [subdir=io] (sysdep_routines):
 Add close_nocancel, fcntl_nocancel, nanosleep_nocancel,
 open_nocancel, open64_nocancel, openat_nocancel, pause_nocancel,
 read_nocancel, waitpid_nocancel, write_nocancel.

        * io/Versions [GLIBC_PRIVATE]: Add __libc_fcntl,
        __fcntl_nocancel, __open64_nocancel, __write_nocancel.
        * posix/Versions: Add __nanosleep_nocancel, __pause_nocancel.

        * nptl/pt-fcntl.c: New file.
        * nptl/Makefile (pthread-compat-wrappers): Remove fcntl.
        (libpthread-routines): Add pt-fcntl.
        * include/fcntl.h (__fcntl_nocancel_adjusted): New function.
        (__libc_fcntl): Remove attribute_hidden.
 * sysdeps/unix/sysv/linux/fcntl.c (__libc_fcntl): Call
 __fcntl_nocancel_adjusted, not fcntl_common.
        (__fcntl_nocancel): Move to new file fcntl_nocancel.c.
 (fcntl_common): Rename to __fcntl_nocancel_adjusted; also move
 to fcntl_nocancel.c.
 * sysdeps/unix/sysv/linux/fcntl_nocancel.c: New file.
 * sysdeps/unix/sysv/linux/powerpc/powerpc64/fcntl.c: Remove file.
 * sysdeps/unix/sysv/linux/powerpc/powerpc64/sysdep.h:
 Define FCNTL_ADJUST_CMD here, as a self-contained macro.

 * sysdeps/unix/sysv/linux/close.c: Move __close_nocancel to...
 * sysdeps/unix/sysv/linux/close_nocancel.c: ...this new file.
 * sysdeps/unix/sysv/linux/nanosleep.c: Move __nanosleep_nocancel to...
 * sysdeps/unix/sysv/linux/nanosleep_nocancel.c: ...this new file.
 * sysdeps/unix/sysv/linux/open.c: Move __open_nocancel to...
 * sysdeps/unix/sysv/linux/open_nocancel.c: ...this new file.
 * sysdeps/unix/sysv/linux/open64.c: Move __open64_nocancel to...
 * sysdeps/unix/sysv/linux/open64_nocancel.c: ...this new file.
 * sysdeps/unix/sysv/linux/openat.c: Move __openat_nocancel to...
 * sysdeps/unix/sysv/linux/openat_nocancel.c: ...this new file.
 * sysdeps/unix/sysv/linux/openat64.c: Move __openat64_nocancel to...
 * sysdeps/unix/sysv/linux/openat64_nocancel.c: ...this new file.
 * sysdeps/unix/sysv/linux/pause.c: Move __pause_nocancel to...
 * sysdeps/unix/sysv/linux/pause_nocancel.c: ...this new file.
 * sysdeps/unix/sysv/linux/read.c: Move __read_nocancel to...
 * sysdeps/unix/sysv/linux/read_nocancel.c: ...this new file.
 * sysdeps/unix/sysv/linux/waitpid.c: Move __waitpid_nocancel to...
 * sysdeps/unix/sysv/linux/waitpid_nocancel.c: ...this new file.
 * sysdeps/unix/sysv/linux/write.c: Move __write_nocancel to...
 * sysdeps/unix/sysv/linux/write_nocancel.c: ...this new file.

        * sysdeps/unix/sysv/linux/nios2/Makefile: Don't override
        libpthread-routines.
        * sysdeps/unix/sysv/linux/nios2/pt-vfork.S: New file which
        defines nothing.

        * sysdeps/mach/hurd/dl-sysdep.c: Define __read instead of
        __libc_read, and __write instead of __libc_write. Define
        __open64 in addition to __open.

(cherry picked from commit 329ea513b451ae8322aa7a24ed84da13992af2dd)

Author: Florian Weimer
Author Date: 2024-05-30 12:33:52 UTC

WIP observations from an XSAVE size mismatch kernel issue

Author: Florian Weimer
Author Date: 2024-05-31 10:26:43 UTC

x86_64: Use shadow stack for backtrace implementation

Test failures:

FAIL: debug/tst-backtrace4
FAIL: misc/tst-sigcontext-get_pc

The return address of signal handlers is not on the shadow stack.

Author: Adhemerval Zanella
Author Date: 2024-04-23 19:45:59 UTC

linux: Add openat2 (BZ 31664)

It was added on Linux 5.6, as an extension of openat. Different
than other open-like function, the kernel only provides the LFS
variant (so files larger than 4GB always succeed, as other functions
with offset larget than off_t). Similar to other open function,
the new symbol is a cancellable entrypoint.

The testcase added only stress some of the syscall provided
functionalities and it is based on existent kernel selftest. Since
the prototype does not use variadic arguments, there is no need to
add fortify wrapper to catch wrong usages.

Checked on x86_64-linux-gnu.

Author: Adhemerval Zanella
Author Date: 2024-04-18 19:27:11 UTC

x86: Fix bsearch for compiler that do not define __USE_EXTERN_INLINES

The bsearch is called early during process initialization on Intel
platform, before TCB has been set up; and if compiler does not
enable __extern_inline it might call the symbol which might use an
invalid thread-pointer.

Expand the bsearch implementation from stdlib-bsearch.h with a
different name.

Checked on x86_64-linux-gnu with Intel chip.

Author: Adhemerval Zanella
Author Date: 2020-04-13 21:09:20 UTC

linux: Set internal DIR filepos as off64_t (BZ #23960, BZ #24050)

It allows to obtain the expected entry offset on telldir and set
it correctly on seekdir on platforms where long int is smaller
than off64_t.

On such cases opendir creates a map entry between the DIR d_off
offset and the returned long int (the telldir return value).
seekdir will then set the correct offset from the internal list
using the telldir as the list key.

It also removes the overflow check on readdir and the returned value
will be truncated by the non-LFS off_t size. As Joseph has noted
in BZ #23960 comment #22, d_off is an opaque value and since
telldir/seekdir works regardless of the returned dirent d_off value.

Finally it removes the requirement to check for overflow values on
telldir (BZ #24050).

Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc-linux-gnu,
and arm-linux-gnueabihf.

Author: Adhemerval Zanella
Author Date: 2023-12-27 13:21:24 UTC

mips: Implement roundevenf with hardware floating-point rounding instruction

Author: Zack Weinberg
Author Date: 2023-09-21 18:58:05 UTC

Remove all of the remaining libcrypt code.

Completing the removal of libcrypt, delete all of its actual code.
This patch contains only file removals:

git rm -r crypt
git rm include/crypt.h
git rm $(find sysdeps -name libcrypt.abilist)
git rm $(find sysdeps -name fips-private.h)
git rm $(find sysdeps -name 'md5-*' -o -name 'sha256-*' -o -name 'sha512-*')

For this patch (not the earlier ones, I'd still be waiting) I ran the
complete testsuite and found no *new* failures. 26 tests are failing
on my machine due to probable environment issues, but they were all
failing on trunk before I started making changes, and none of them
appear to have anything to do with this patchset.

Author: Adhemerval Zanella
Author Date: 2023-09-06 16:47:35 UTC

stdio: Remove __printf_fp_buffer_2 alloca usage

And replace with a scratch_buffer.

Author: Florian Weimer
Author Date: 2023-07-06 17:24:33 UTC

Test case for bug 30619

Author: Adhemerval Zanella
Author Date: 2023-06-19 17:11:58 UTC

linux: Do not spawn a new thread for SIGEV_THREAD (BZ 30558)

Author: Adhemerval Zanella
Author Date: 2023-04-03 18:50:35 UTC

loongarch: Fix Race conditions in pthread cancellation [BZ#12683]

By adding the required syscall_cancel.S.

Checked against a build and make check run-built-tests=no for
loongarch64-linux-gnu-lp64d.

Author: Szabolcs Nagy
Author Date: 2023-04-04 15:39:34 UTC

cheri: malloc: exact capability check in free/realloc

Capability narrowing uses a lookup table from an address to the
internally used wide capability. Keep the narrow capability in the
table instead of just the address and check it. This allows free
and realloc to check their input and only accept capabilities
exactly matching what was returned by malloc.

When a user adds restrictions on top of malloc returned capabilities
(e.g. narrower bounds), realloc could bypass those restrictions when
it simply looked up the internal wide capability for the address.

Author: Florian Weimer
Author Date: 2022-08-18 06:49:55 UTC

libio: Convert __vswprintf_internal to buffers (bug 27857)

Always null-terminate the buffer and set E2BIG if the buffer is too
small. This fixes bug 27857.

Author: Szabolcs Nagy
Author Date: 2022-11-22 13:36:29 UTC

morello README: typo and wording fixes

Author: Carlos Eduardo Seo
Author Date: 2022-08-08 19:09:37 UTC

cheri: stdio-common: Add test for %#p printf modifier

Testcase for printing capabilities.

Author: Stefan Liebler
Author Date: 2021-06-28 11:01:07 UTC

s390x: Update math: redirect roundeven function

After recent commit
447954a206837b5f153869cfeeeab44631c3fac9
"math: redirect roundeven function", building on
s390x fails with:
Error: symbol `__roundevenl' is already defined

Similar to aarch64/riscv fix, this patch redirects target
specific functions for s390x:
commit 3213ed770cbc5821920d16caa93c85e92dd7b9f6
"Update math: redirect roundeven function"

(cherry picked from commit 259a17cc98058d2576511201f85d28cb5d9de2a2)

Author: Carlos Eduardo Seo
Author Date: 2020-11-13 19:33:07 UTC

TODO(drop): aarch64: morello: CPU feature detection for Morello

Initial detection of Arm Morello architecture from the HWCAP2 bit and CPU
identification from MIDR_EL0.

TODO: not needed?
- lp64 does not have to detect
- purecap can assume morello

Author: Florian Weimer
Author Date: 2022-05-17 09:38:29 UTC

locale: localdef input files are now encoded in UTF-8

Author: Szabolcs Nagy
Author Date: 2021-12-30 17:08:36 UTC

aarch64: Move ld.so _start to separate file and drop _dl_skip_args

A separate asm file is easier to maintain than a macro that expands to
inline asm.

The RTLD_START macro is only needed now because _dl_start is local in
rtld.c, but _start has to call it, if _dl_start was made hidden then it
could be empty.

_dl_skip_args is no longer needed.

---
v4:
- adjust commit message about _dl_skip_args.
v3:
- mention _dl_skip_args
v2:
- fix typo in commit message.

Author: Szabolcs Nagy
Author Date: 2021-12-30 17:08:36 UTC

aarch64: Move ld.so _start to separate file and drop _dl_skip_args

A separate asm file is easier to maintain than a macro that expands to
inline asm.

The RTLD_START macro is only needed now because _dl_start is local in
rtld.c, but _start has to call it, if _dl_start was made hidden then it
could be empty.

_dl_skip_args is no longer needed.

---
v4:
- adjust commit message about _dl_skip_args.
v3:
- mention _dl_skip_args
v2:
- fix typo in commit message.

Author: Szabolcs Nagy
Author Date: 2021-12-30 17:08:36 UTC

aarch64: Move ld.so _start to separate file and drop _dl_skip_args

A separate asm file is easier to maintain than a macro that expands to
inline asm.

The RTLD_START macro is only needed now because _dl_start is local in
rtld.c, but _start has to call it, if _dl_start was made hidden then it
could be empty.

_dl_skip_args is no longer needed.

---
v4:
- adjust commit message about _dl_skip_args.
v3:
- mention _dl_skip_args
v2:
- fix typo in commit message.

Author: Raoni Fassina Firmino
Author Date: 2022-04-01 20:05:01 UTC

Merge branch release/2.32/master into ibm/2.32/master

Author: Szabolcs Nagy
Author Date: 2022-02-02 14:03:58 UTC

Fix elf/tst-audit25a with default bind now toolchains

This test relies on lazy binding for the executable so request that
explicitly in case the toolchain defaults to bind now.

(cherry picked from commit 80a08d0faa9b224019f895800c4d97de4e23e1aa)

Author: Fangrui Song
Author Date: 2022-03-09 01:17:05 UTC

elf: Support DT_RELR relative relocation format [BZ #27924]

PIE and shared objects usually have many relative relocations. In
2017/2018, SHT_RELR/DT_RELR was proposed on
https://groups.google.com/g/generic-abi/c/bX460iggiKg/m/GxjM0L-PBAAJ
("Proposal for a new section type SHT_RELR") and is a pre-standard. RELR
usually takes 3% or smaller space than R_*_RELATIVE relocations. The
virtual memory size of a mostly statically linked PIE is typically 5~10%
smaller.

This patch adds ELF_DYNAMIC_DO_RELR to ELF_DYNAMIC_RELOCATE.
ELF_DYNAMIC_DO_RELR is ordered before ELF_DYNAMIC_DO_REL[A] so that ifunc
resolvers that require relocated got entries have them relocated. This is
needed for ppc64 according to Alan Modra.

Author: Raoni Fassina Firmino
Author Date: 2022-02-25 13:57:31 UTC

Merge branch release/2.30/master into ibm/2.30/master

Author: Siddhesh Poyarekar
Author Date: 2022-01-19 04:13:26 UTC

getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)

No valid path returned by getcwd would fit into 1 byte, so reject the
size early and return NULL with errno set to ERANGE. This change is
prompted by CVE-2021-3999, which describes a single byte buffer
underflow and overflow when all of the following conditions are met:

- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory

Sequence of events:

- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
  because the linux kernel checks for name length before it checks
  buffer size

- The code falls back to the generic getcwd in sysdeps/posix

- In the generic func, the buf[0] is set to '\0' on line 250

- this while loop on line 262 is bypassed:

    while (!(thisdev == rootdev && thisino == rootino))

  since the rootfs (/) is bind mounted onto the directory and the flow
  goes on to line 449, where it puts a '/' in the byte before the
  buffer.

- Finally on line 458, it moves 2 bytes (the underflowed byte and the
  '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.

- buf is returned on line 469 and errno is not set.

This resolves BZ #28769.

Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

Author: Fangrui Song
Author Date: 2021-10-11 05:32:12 UTC

elf: Remove Intel MPX support (lazy PLT, ld.so profile, and LD_AUDIT)

Intel MPX failed to gain wide adoption and has been deprecated for a
while. GCC 9.1 removed Intel MPX support. Linux kernel removed MPX in
2019.

This patch removes the support code from the dynamic loader.

Author: Carlos-0
Author Date: 2021-07-29 05:27:56 UTC

Add generic C.UTF-8 locale (Bug 17318)

We add a new C.UTF-8 locale. This locale is not builtin to glibc, but
is provided as a distinct locale. The locale provides full support
for UTF-8 and this includes full code point sorting via strcmp-based
collation.

The collation uses a new keyword 'strcmp_collation' which drops all
collation rules and generates an empty zero rules collation to enable
strcmp usage in collation. This ensures that we get full code point
sorting for C.UTF-8 with a minimal 92 bytes of overhead (LC_COLLATE
structure information).

The new locale is added to SUPPORTED. Minimal test data for specific
code points (minus those not supported by collate-test) is provided
in C.UTF-8.in, and this verifies code point sorting is working
reasonably across the range. The locale was tested manually with the
full set of code points without failure.

The locale is harmonized with locales already shipping in Gentoo,
Debian, Ubuntu, Fedora, CentOS Stream, and RHEL. A new tst-iconv9 test
is added which verifies the C.UTF-8 locale is generally usable.

Testing for fnmatch, regexec, and recomp is provided by extending
bug-regex1, bugregex19, bug-regex4, bug-regex6, transbug, tst-fnmatch,
tst-regcomp-truncated, and tst-regex to use C.UTF-8.

Tested on x86_64 or i686 without regression.

Author: Szabolcs Nagy
Author Date: 2021-02-16 12:55:13 UTC

RFC elf: Fix slow tls access after dlopen [BZ #19924]

In short: __tls_get_addr checks the global generation counter,
_dl_update_slotinfo updates up to the generation of the accessed
module. If the global generation is newer than geneneration of the
module then __tls_get_addr keeps hitting the slow path that updates
the dtv.

Possible approaches i can see:

1. update to global generation instead of module,
2. check the module generation in the fast path.

This patch is 1.: it needs additional sync (load acquire) so the
slotinfo list is up to date with the observed global generation.

Approach 2. would require walking the slotinfo list at all times.
I don't know how to make that fast with many modules.

Note: in the x86_64 version of dl-tls.c the generation is only loaded
once, since relaxed mo is not faster than acquire mo load.

I have not benchmarked this yet.

Author: Szabolcs Nagy
Author Date: 2021-03-15 11:44:32 UTC

malloc: Ensure mtag code path in checked_request2size is cold

This is a workaround (hack) for a gcc optimization issue (PR 99551).
Without this the generated code may evaluate the expression in the
cold path which causes performance regression for small allocations
in the memory tagging disabled (common) case.

Author: Szabolcs Nagy
Author Date: 2021-02-09 17:59:11 UTC

aarch64: Optimize __libc_mtag_tag_zero_region

This is a target hook for memory tagging, the original was a naive
implementation. Uses the same algorithm as __libc_mtag_tag_region,
but with instructions that also zero the memory. This was not
benchmarked on real cpu, but expected to be faster than the naive
implementation.

Author: Andreas Schwab
Author Date: 2021-02-21 21:22:29 UTC

aarch64: Update ILP32 abilists for glibc 2.33

Author: Tulio Magno Quites Machado Filho
Author Date: 2020-10-02 13:18:48 UTC

powerpc64: Stop assuming new processors have VSX

VSX has been available on IBM POWER since POWER7. All IBM processors
compliant with POWER ISAs 2.07, 3.0 and 3.1 also support VSX.
This patch aims to remove a barrier for new processors as they start to
support Linux on powerpc64 while not having support for all the altivec
and vsx instructions.

Author: Szabolcs Nagy
Author Date: 2021-02-11 13:24:47 UTC

elf: Remove lazy tlsdesc relocation related code

Remove generic tlsdesc code related to lazy tlsdesc processing since
lazy tlsdesc relocation is no longer supported. This includes removing
GL(dl_load_lock) from _dl_make_tlsdesc_dynamic which is only called at
load time when that lock is already held.

Added a documentation comment too.

Author: Tulio Magno Quites Machado Filho
Author Date: 2021-02-13 21:49:56 UTC

Merge branch release/2.28/master into ibm/2.28/master

Author: Szabolcs Nagy
Author Date: 2021-01-06 11:31:04 UTC

Make libc symbols hidden in static PIE

Hidden visibility can avoid indirections and RELATIVE relocs in
static PIE libc.

The check should use IS_IN_LIB instead of IS_IN(libc) since all
symbols are defined locally in static PIE and the optimization is
useful in all libraries not just libc. However the test system
links objects from libcrypt.a into dynamic linked test binaries
where hidden visibility does not work. I think mixing static and
shared libc components in the same binary should not be supported
usage, but to be safe only use hidden in libc.a.

On some targets (i386) this optimization cannot be applied because
hidden visibility PIE ifunc functions don't work, so it is gated by
NO_HIDDEN_EXTERN_FUNC_IN_PIE.

From -static-pie linked 'int main(){}' this shaves off 71 relative
relocs on aarch64 and reduces code size by about 2k.

Author: Fangrui Song
Author Date: 2021-01-12 07:56:32 UTC

Unconditionally define __stack_chk_guard [BZ #26817]

__stack_chk_guard is currently unavailable on architectures which define
THREAD_SET_STACK_GUARD, so {gcc,clang} -fstack-protector
-mstack-protector-guard=global will fail to link due to the undefined
symbol.

Define __stack_chk_guard to make -mstack-protector-guard=global compiled
user programs work. `#define THREAD_SET_STACK_GUARD` code is moved
outside of `#ifndef __ASSEMBLER__` so that cpp can preprocess
elf/Versions.

Author: Richard Earnshaw
Author Date: 2020-12-18 19:00:49 UTC

aarch64: Add aarch64-specific files for memory tagging support

This final patch provides the architecture-specific implementation of
the memory-tagging support hooks for aarch64.

Author: Szabolcs Nagy
Author Date: 2020-12-01 10:13:18 UTC

aarch64: Use mmap to add PROT_BTI instead of mprotect [BZ #26831]

Re-mmap executable segments if possible instead of using mprotect
to add PROT_BTI. This allows using BTI protection with security
policies that prevent mprotect with PROT_EXEC.

If the fd of the ELF module is not available because it was kernel
mapped then mprotect is used and failures are ignored. To protect
the main executable even when mprotect is filtered the linux kernel
 will have to be changed to add PROT_BTI to it.

The delayed failure reporting is mainly needed because currently
_dl_process_gnu_properties does not propagate failures such that
the required cleanups happen. Using the link_map_machine struct for
error propagation is not ideal, but this seemed to be the least
intrusive solution.

Fixes bug 26831.

Author: Szabolcs Nagy
Author Date: 2020-10-28 18:10:23 UTC

aarch64: Use mmap to add PROT_BTI instead of mprotect [BZ #26831]

Re-mmap executable segments if possible instead of using mprotect
to add PROT_BTI. This allows using BTI protection with security
policies that prevent mprotect with PROT_EXEC.

If the fd of the ELF module is not available because it was kernel
mapped then mprotect is used and failures are ignored. To protect
the main executable even when mprotect is filtered the linux kernel
will have to be changed to add PROT_BTI to it.

Computing the mapping bounds follows _dl_map_object_from_fd more
closely now.

The delayed failure reporting is mainly needed because currently
_dl_process_gnu_properties does not propagate failures such that
the required cleanups happen. Using the link_map_machine struct for
error propagation is not ideal, but this seemed to be the least
intrusive solution.

Fixes bug 26831.

Author: Richard Earnshaw
Author Date: 2020-11-20 17:20:10 UTC

aarch64: Add aarch64-specific files for memory tagging support

This final patch provides the architecture-specific implementation of
the memory-tagging support hooks for aarch64.

Author: Alexandra Hájková
Author Date: 2020-04-27 14:52:38 UTC

 Linux: Add execveat system call wrapper

Author: Szabolcs Nagy
Author Date: 2020-06-11 17:19:40 UTC

aarch64: add NEWS entry about branch protection support

This is a new security feature that relies on architecture
extensions and needs glibc to be built with a gcc configured
with branch protection.

Author: Szabolcs Nagy
Author Date: 2020-06-11 17:19:40 UTC

aarch64: add NEWS entry about branch protection support

This is a new security feature that relies on architecture
extensions and needs glibc to be built with a gcc configured
with branch protection.

Author: Szabolcs Nagy
Author Date: 2020-06-11 17:19:40 UTC

aarch64: add NEWS entry about branch protection support

This is a new security feature that relies on architecture
extensions and needs glibc to be built with a gcc configured
with branch protection.

Author: Szabolcs Nagy
Author Date: 2020-06-11 17:19:40 UTC

aarch64: add NEWS entry about branch protection support

This is a new security feature that relies on architecture
extensions and needs glibc to be built with a gcc configured
with branch protection.

Author: Alistair Francis
Author Date: 2020-04-08 21:43:47 UTC

Revert "Add IPPROTO_ETHERNET and IPPROTO_MPTCP from Linux 5.6 to netinet/in.h."

This reverts commit f9ac84f92f151e07586c55e14ed628d493a5929d.

Author: Tulio Magno Quites Machado Filho
Author Date: 2020-03-20 21:24:51 UTC

Merge branch release/2.26/master into ibm/2.26/master

Author: Bert Tenjy
Author Date: 2020-02-13 17:55:31 UTC

PPC64: Attach SIMD attribute to cosf, sin, sinf function declarations.

These changes were mistakenly left out of the patches that added SIMD
versions of these functions to libmvec.

Reviewed-by: Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com>

Author: Florian Weimer
Author Date: 2020-02-12 12:40:26 UTC

Linux: Work around kernel bugs in chmod on /proc/self/fd paths

It appears that the ability to change symbolic link modes through such
paths is unintended. On several file systems, the operation fails with
EOPNOTSUPP, even though the symbolic link permissions are updated.
The expected behavior is a failure to update the permissions, without
file system changes.

Author: Florian Weimer
Author Date: 2020-02-12 14:36:03 UTC

nss_nisplus: Use NSS_DECLARE_MODULE_FUNCTIONS

Author: Florian Weimer
Author Date: 2020-02-09 16:07:07 UTC

microblaze: vfork syscall number is always available

Due to the built-in tables, __NR_vfork is always defined, so the
fork-based fallback code is never used.

(It appears that the vfork system call was wired up when the port was
contributed to the kernel.)

Author: Alistair Francis
Author Date: 2020-01-17 05:49:34 UTC

WIP

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

Author: Zack Weinberg
Author Date: 2019-06-11 17:05:02 UTC

Rename sys/ucontext.h to bits/ucontext.h.

sys/ucontext.h is effectively a bits header. Its contents are
extremely system-specific, and it’s strongly associated with a
specific public header (ucontext.h) that provides a superset of its
definitions, but there are other public headers that also require some
of its definitions. This patch therefore moves it into the bits/
namespace and adjusts all the headers that refer to it. In case there
are external users, a stub is added that includes ucontext.h.

Most of the fallout changes are trivial, but aarch64, ia64 and riscv
need a little more work. aarch64 sys/ucontext.h (now bits/ucontext.h)
was including sys/procfs.h for the definition of elf_greg_t etc;
the simplest fix is to have it include bits/procfs.h instead (and then
that needs to include sys/user.h for user_regs_struct). This is not
ideal but fixing it properly would require disentangling all of the
debugger interface headers which is more than I’m up for at the moment.

ia64 bits/ptrace.h and bits/procfs.h were both including
bits/sigcontext.h, which is only licensed to be included from
signal.h. (I’m not sure how this ever worked, or why it broke with
this patch and not some previous one.) This is fixed by creating
another single-type header, bits/types/__ia64_fpreg.h, which provides
the only thing they need from bits/sigcontext.h.

s/u/s/l/riscv/makecontext.c was defining makecontext with a function
head that didn’t agree with its official prototype (in ucontext.h);
formerly that file did not include ucontext.h, only sys/ucontext.h,
so we were getting away with it, but it’s still wrong. Making the
function head match the prototype actually simplifies the code.

 * sysdeps/generic/sys/ucontext.h: Move to top level bits/ucontext.h.
 Adjust multiple inclusion guard.
 * sysdeps/arm/sys/ucontext.h: Move to sysdeps/arm/bits/ucontext.h.
 Adjust multiple inclusion guard.
 * sysdeps/i386/sys/ucontext.h: Similarly.
 * sysdeps/m68k/sys/ucontext.h: Similarly.
 * sysdeps/mips/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/aarch64/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/alpha/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/arm/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/csky/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/hppa/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/ia64/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/m68k/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/microblaze/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/mips/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/nios2/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/powerpc/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/riscv/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/s390/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/sh/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/sparc/sys/ucontext.h: Similarly.
 * sysdeps/unix/sysv/linux/x86/sys/ucontext.h: Similarly.
 * stdlib/Makefile: Install bits/ucontext.h.

 * stdlib/sys/ucontext.h: New backward compatibility stub header,
 includes ucontext.h.
 * include/sys/ucontext.h: New wrapper.

 * sysdeps/unix/sysv/linux/aarch64/bits/procfs.h: Allow inclusion
 by bits/ucontext.h as well as sys/procfs.h. Include sys/user.h.
 * sysdeps/unix/sysv/linux/aarch64/bits/ucontext.h: Include
 bits/procfs.h instead of sys/procfs.h.

 * sysdeps/unix/sysv/linux/ia64/bits/types/__ia64_fpreg.h:
 New file, contents factored out of ia64/bits/sigcontext.h and
 ia64/bits/ucontext.h.
 * sysdeps/unix/sysv/linux/ia64/Makefile:
 Install bits/types/__ia64_fpreg.h. Merge subdir=misc blocks.
 * sysdeps/unix/sysv/linux/ia64/bits/sigcontext.h
 * sysdeps/unix/sysv/linux/ia64/bits/ucontext.h:
 Include bits/types/__ia64_fpreg.h for struct ia64_fpreg.

 * sysdeps/unix/sysv/linux/ia64/bits/procfs.h:
 Include bits/types/__ia64_fpreg.h for struct ia64_fpreg.
 Don’t include bits/sigcontext.h or bits/ucontext.h.
 * sysdeps/unix/sysv/linux/ia64/sys/ptrace.h:
 Don’t include bits/sigcontext.h.

 * sysdeps/unix/sysv/linux/riscv/makecontext.c: Include
 ucontext.h, not sys/ucontext.h. Correct function head to match
 prototype in ucontext.h. Use va_arg to retrieve all arguments
 past argc.

 * sysdeps/unix/sysv/linux/s390/tst-ptrace-singleblock.c:
 Sort list of includes.

 * signal/signal.h, stdlib/ucontext.h
 * sysdeps/unix/sysv/linux/alpha/bits/procfs-prregset.h
 * sysdeps/unix/sysv/linux/ia64/sys/ptrace.h
 * sysdeps/unix/sysv/linux/riscv/bits/procfs.h
 * sysdeps/unix/sysv/linux/s390/bits/procfs.h:
 Include bits/ucontext.h, not sys/ucontext.h.

 * sysdeps/unix/sysv/linux/aarch64/sigcontextinfo.h
 * sysdeps/unix/sysv/linux/arm/sigcontextinfo.h
 * sysdeps/unix/sysv/linux/nios2/sigcontextinfo.h
 * sysdeps/unix/sysv/linux/riscv/sigcontextinfo.h:
 Include signal.h, not sys/ucontext.h.

 * sysdeps/unix/sysv/linux/arm/register-dump.h
 * sysdeps/unix/sysv/linux/csky/register-dump.h:
 Include ucontext.h, not sys/ucontext.h.

 * sysdeps/unix/sysv/linux/aarch64/ucontext_i.sym
 * sysdeps/unix/sysv/linux/alpha/ucontext-offsets.sym
 * sysdeps/unix/sysv/linux/arm/ucontext_i.sym
 * sysdeps/unix/sysv/linux/csky/abiv2/ucontext_i.sym
 * sysdeps/unix/sysv/linux/hppa/ucontext_i.sym
 * sysdeps/unix/sysv/linux/i386/ucontext_i.sym
 * sysdeps/unix/sysv/linux/ia64/sigcontext-offsets.sym
 * sysdeps/unix/sysv/linux/m68k/m680x0/ucontext_i.sym
 * sysdeps/unix/sysv/linux/powerpc/powerpc32/ucontext_i.sym
 * sysdeps/unix/sysv/linux/powerpc/powerpc64/ucontext_i.sym
 * sysdeps/unix/sysv/linux/mips/ucontext_i.sym
 * sysdeps/unix/sysv/linux/nios2/ucontext_i.sym
 * sysdeps/unix/sysv/linux/riscv/ucontext_i.sym
 * sysdeps/unix/sysv/linux/s390/ucontext_i.sym
 * sysdeps/unix/sysv/linux/sh/sh3/ucontext_i.sym
 * sysdeps/unix/sysv/linux/sh/sh4/ucontext_i.sym
 * sysdeps/unix/sysv/linux/sparc/sparc32/ucontext_i.sym
 * sysdeps/unix/sysv/linux/x86_64/ucontext_i.sym:
 Include stddef.h and signal.h; don’t include any other headers.

 * scripts/check-obsolete-constructs.py (HEADER_ALLOWED_INCLUDES)
 (SYSDEP_ALLOWED_INCLUDES): Update.

Author: Zack Weinberg
Author Date: 2019-08-19 17:51:25 UTC

Warn when gettimeofday is called with non-null tzp argument.

Since there are no known uses of gettimeofday's vestigial "get time
zone" feature that are not bugs, add a fortify-style wrapper inline to
sys/time.h that issues a warning whenever gettimeofday is called with
a second argument that is not a compile-time null pointer
constant.

At present this is only possible with GCC; clang does not implement
attribute((warning)). The wrapper is only activated when __OPTIMIZE__
is defined because it throws false positives when optimization is off,
even though it's an always-inline function.

An oversight in the implementation of __builtin_constant_p causes it
to fail to detect compile-time *pointer* constants unless they are
cast to an integer of a different size. (Loss of data in this cast is
harmless; the overall expression is still constant if and only if the
original pointer was.) This is GCC bug 95514. Thanks to
Kamil Cukrowski <kamilcukrowski@gmail.com> for the workaround.
As a precaution, I added a static assertion to debug/warning-nop.c to
make sure that the cast _is_ casting to an integer of a different
size; this is too unlikely a scenario to be worth checking in the
public header, but if someone ever adds a port where short is the
same size as intptr_t, we'll still catch it.

Author: Gabriel F. T. Gomes
Author Date: 2019-07-11 14:48:28 UTC

RFC: powerpc64le: Enable support for IEEE long double

Not for glibc-2.31 - Do not commit!

No changes since v3.

Changes since v2:

  - Added definition of LDBL_IBM128_COMPAT_VERSION and
    LDBL_IBM128_VERSION (moved from a previous commit).

Changes since v1:

  - Use __LONG_DOUBLE_USES_FLOAT128 directly.

-- 8< --
On platforms where long double may have two different formats, i.e.: the
same format as double (64-bits) or something else (128-bits), building
with -mlong-double-128 is the default and function calls in the user
program match the name of the function in Glibc. When building with
-mlong-double-64, Glibc installed headers redirect such calls to the
appropriate function.

This patch adds similar redirections to be used by user code builds in
IEEE long double mode (-mabi=ieeelongdouble). It also skips some uses
of libc_hidden_proto in internal headers, because they also produce
redirections, causing a redirection conflict.

PS: Missing NEWS entry.

Author: Vineet Gupta
Author Date: 2019-11-07 23:24:05 UTC

build-many-glibcs.py: Enable ARC hard float builds

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>

Author: Florian Weimer
Author Date: 2019-12-03 08:26:03 UTC

WIP dlopen NODELETE test

Author: Florian Weimer
Author Date: 2019-11-29 15:37:58 UTC

elf: Do not run IFUNC resolvers for LD_DEBUG=unused [BZ #24214]

This commit adds missing skip_ifunc checks to aarch64, arm, i386,
sparc, and x86_64. A new test case ensures that IRELATIVE IFUNC
resolvers do not run in various diagnostic modes of the dynamic
loader.

Tested on x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu,
s390-linux-gnu, s390x-linux-gnu, powerpc64le-linux-gnu. Built with
build-many-glibcs.py.

Author: Florian Weimer
Author Date: 2019-11-22 21:10:42 UTC

libio: Disable vtable validation for pre-2.1 interposed handles [BZ #25203]

Commit c402355dfa7807b8e0adb27c009135a7e2b9f1b0 ("libio: Disable
vtable validation in case of interposition [BZ #23313]") only covered
the interposable glibc 2.1 handles, in libio/stdfiles.c. The
parallel code in libio/oldstdfiles.c needs similar detection logic.

Fixes (again) commit db3476aff19b75c4fdefbe65fcd5f0a90588ba51
("libio: Implement vtable verification [BZ #20191]").

Change-Id: Ief6f9f17e91d1f7263421c56a7dc018f4f595c21
(cherry picked from commit cb61630ed712d033f54295f776967532d3f4b46a)

Author: Florian Weimer
Author Date: 2019-11-22 21:10:42 UTC

libio: Disable vtable validation for pre-2.1 interposed handles [BZ #25203]

Commit c402355dfa7807b8e0adb27c009135a7e2b9f1b0 ("libio: Disable
vtable validation in case of interposition [BZ #23313]") only covered
the interposable glibc 2.1 handles, in libio/stdfiles.c. The
parallel code in libio/oldstdfiles.c needs similar detection logic.

Fixes (again) commit db3476aff19b75c4fdefbe65fcd5f0a90588ba51
("libio: Implement vtable verification [BZ #20191]").

Change-Id: Ief6f9f17e91d1f7263421c56a7dc018f4f595c21
(cherry picked from commit cb61630ed712d033f54295f776967532d3f4b46a)

Author: Florian Weimer
Author Date: 2019-10-11 14:11:21 UTC

Implement __libc_early_init

This function is defined in libc.so, and the dynamic loader calls
right after relocation has been finished, before any ELF constructors
or the preinit function is invoked. It is also used in the static
build for initializing parts of the static libc.

To locate __libc_early_init, a direct symbol lookup function is used,
_dl_lookup_direct. It does not search the entire symbol scope and
consults merely a single link map. This function could also be used
to implement lookups in the vDSO (as an optimization).

A per-namespace variable (libc_map) is added for locating libc.so,
to avoid repeated traversals of the search scope. It is similar to
GL(dl_initfirst). An alternative would have been to thread a context
argument from _dl_open down to _dl_map_object_from_fd (where libc.so
is identified). This could have avoided the global variable, but
the change would be larger as a result. It would not have been
possible to use this to replace GL(dl_initfirst) because that global
variable is used to pass the function pointer past the stack switch
from dl_main to the main program. Replacing that requires adding
a new argument to _dl_init, which in turn needs changes to the
architecture-specific libc.so startup code written in assembler.

__libc_early_init should not be used to replace _dl_var_init (as
it exists today on some architectures). Instead, _dl_lookup_direct
should be used to look up a new variable symbol in libc.so, and
that should then be initialized from the dynamic loader, immediately
after the object has been loaded in _dl_map_object_from_fd (before
relocation is run). This way, more IFUNC resolvers which depend on
these variables will work.

Author: Florian Weimer
Author Date: 2019-11-28 11:57:25 UTC

Add --disable-major-minor-libraries configure option

This option can be used to increase compatibility with package managers.
The name was choosen to avoid confusion with all the different versions
(glibc release, soname versions, symbol versions).

This patch makes all uses of -$(version).so conditional on the new
$(major-minor-libraries) flag. The alternative install targets write
the implementation DSOs directly to the locations determined by their
sonames, skipping the creation of an intermediate symbolic link.

install-symbolic-link in Makerules is updated not to require the
$(symbolic-link-list) file because it may not exist in
--disable-major-minor-libraries mode.

I verified that by default, the install tree is the same as before
on x86_64-linux-gnu except for the changes in the manual.

Author: Florian Weimer
Author Date: 2019-11-26 13:48:56 UTC

x86: Assume --enable-cet if GCC defaults to CET [BZ #25225]

This links in CET support if GCC defaults to CET. Otherwise, __CET__
is defined, yet CET functionality is not compiled and linked into the
dynamic loader, resulting in a linker failure due to undefined
references to _dl_cet_check and _dl_open_check.

Author: Marcin Kościelnicki
Author Date: 2019-11-20 23:20:15 UTC

rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

The problem was introduced in glibc 2.23, in commit
b9eb92ab05204df772eb4929eccd018637c9f3e9
("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").

(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)

Author: Florian Weimer
Author Date: 2019-11-11 15:09:32 UTC

WIP mul64 dlsym optimization

Change-Id: I4caf4f14deb7a106c17e3ca89bdff5cd89f9541b

Author: Florian Weimer
Author Date: 2019-11-03 10:39:56 UTC

Redefine _IO_iconv_t to store a single gconv step pointer [BZ #25097]

libio can only deal with gconv conversions which consist of a single
step. Not using __gconv_info simplifies the data structures somewhat.

This eliminates a new GCC 10 warning about subscribing an inner
zero-length array.

Tested on x86_64-linux-gnu with mainline GCC. Built with
build-many-glibcs.py, also with mainline GCC. Due to GCC PR 92039,
there are failures left on 32-bit architectures with float128 support.

Change-Id: I8b4c489b619a53154712ff32e1b6f13bb92d4203

Author: Florian Weimer
Author Date: 2019-11-02 20:40:26 UTC

Properly initialize audit cookie for the dynamic loader [BZ #25157]

The l_audit array is indexed by audit module, not audit function.

Author: Florian Weimer
Author Date: 2019-10-28 18:49:46 UTC

Remove all loaded objects if dlopen fails [BZ #20839]

Author: Florian Weimer
Author Date: 2019-10-29 11:23:48 UTC

Introduce DL_LOOKUP_FOR_RELOCATE flag for _dl_lookup_symbol_x

This will allow changes in dependency processing during non-lazy
binding, for more precise processing of NODELETE objects: During
initial relocation in dlopen, the fate of NODELETE objects is still
unclear, so objects which are depended upon by NODELETE objects
cannot immediately be marked as NODELETE.

Author: Stan Shebs
Author Date: 2019-08-14 17:20:07 UTC

Forestall a filesystem bug while building shlib.lds by using a temp file

Author: Szabolcs Nagy
Author Date: 2019-08-01 13:47:11 UTC

aarch64: Update ILP32 abilists for glibc 2.30

This will need to be merged with the initial ilp32 abilist commit.

2019-08-01 Szabolcs Nagy <szabolcs.nagy@arm.com>

 * sysdeps/unix/sysv/linux/aarch64/ilp32/libc.abilist: Update.
 * sysdeps/unix/sysv/linux/aarch64/ilp32/libpthread.abilist: Update.

Author: Zack Weinberg
Author Date: 2019-07-27 23:26:23 UTC

Remove access to legacy time zone support in gettimeofday etc.

gettimeofday and ftime are not quite fully implementable on systems
that only provide a primitive equivalent to clock_gettime, because
they can also report information about a system-wide time zone. This
mechanism has been deprecated for many years because it can only be
configured on a system-wide basis, and because it only supports the
simplest kinds of daylight-savings rules, but we’ve supported it on a
best-effort basis until now. This patch removes our support for it:

 * The type 'struct timezone' is still declared as a complete type in
   <sys/time.h>, but code that uses its fields (tz_minuteswest and
   tz_dsttime) will not compile.

 * Similarly, code that uses the 'timezone' and 'dstflag' fields of
   struct timeb will not compile anymore. (This is a willful
   violation of the older iterations of XPG that included
   sys/timeb.h; the relevant conformance tests are XFAILed.)

 * Old binaries that pass a non-NULL 'tzp' pointer to gettimeofday
   will always receive a 'struct timezone' whose tz_minuteswest and
   tz_dsttime fields are zero (as if the system were operating on UTC).

 * Similarly, old binaries that call ftime will always receive a
   'struct timeb' whose timezone and dstflag fields are zero.

 * If the 'tzp' argument to settimeofday is not NULL, the call will fail
   and set errno to ENOSYS. (This was already the case on the Hurd.)

 * glibc will always pass a second argument of NULL when invoking a
   kernel-provided gettimeofday.

 * On Alpha, the compat symbols gettimeofday@GLIBC_2.0 and
   settimeofday@GLIBC_2.0 (which used 32-bit time_t) now convert
   their arguments and call system primitives that use 64-bit time_t,
   instead of invoking legacy “osf” system calls.

ChangeLog:

 * time/sys/time.h (struct timezone): Remove tz_minuteswest
 and tz_dsttime fields; replace with padding to preserve the size.
 * time/sys/timeb.h (struct timeb): Remove timezone and dstflag
 fields; replace with padding to preserve the size.
 * conform/Makefile: XFAIL tests because struct timeb is no longer
 fully conformant with Unix98.

 * sysdeps/posix/gettimeofday.c
 * sysdeps/unix/sysv/linux/gettimeofday.c
 * sysdeps/unix/sysv/linux/aarch64/gettimeofday.c
 * sysdeps/unix/sysv/linux/powerpc/gettimeofday.c
 * sysdeps/unix/sysv/linux/x86/gettimeofday.c
 (gettimeofday): When ‘tz’ argument is not NULL, just clear it.
 Always pass a null pointer as the second argument to a
 gettimeofday (v)syscall.

 * sysdeps/unix/bsd/ftime.c: Unconditionally clear the memory that
 was formerly the ‘timezone’ and ‘dstflag’ fields of struct timeb.

 * sysdeps/unix/syscalls.list: Remove entry for settimeofday.
 * sysdeps/unix/settimeofday.c: New file.
 (settimeofday): Fail with ENOSYS if ‘tz’ argument is not NULL.

 * sysdeps/unix/sysv/linux/alpha/syscalls.list: Remove entries for
        osf_gettimeofday, osf_settimeofday, and settimeofday.
 * sysdeps/unix/sysv/linux/alpha/osf_gettimeofday.c:
 New file. Call the 64-bit gettimeofday, then convert to a
 32-bit struct timeval. On overflow, saturate the struct timeval
 and fail with EOVERFLOW.
 * sysdeps/unix/sysv/linux/alpha/osf_settimeofday.c: New file.
        Convert to a 64-bit struct timeval and call 64-bit settimeofday.
        Fail with ENOSYS if ‘tz’ argument is not NULL.

 * sunrpc/auth_des.c, sunrpc/auth_unix.c
 * sysdeps/posix/time.c, sysdeps/unix/stime.c:
 Remove unnecessary casts of NULL.

 * sysdeps/unix/sysv/linux/powerpc/time.c (time_syscall):
 Use (void *)0 instead of NULL when passing a null pointer
 as an untyped argument.

 * manual/time.texi: Remove documentation of fields of
 struct timezone. Revise text to further emphasize that
 the second argument to gettimeofday/settimeofday should
 always be a null pointer.

Author: Florian Weimer
Author Date: 2019-07-25 10:48:41 UTC

Linux: Move getdents64 to <dirent.h>

This matches the location of the declaration in musl.