Last commit made on 2019-11-28
Get this branch:
git clone -b fw/no-symlinks

Branch merges

Branch information


Recent commits

6d6f77f... by Florian Weimer on 2019-11-28

Add --disable-major-minor-libraries configure option

This option can be used to increase compatibility with package managers.
The name was choosen to avoid confusion with all the different versions
(glibc release, soname versions, symbol versions).

This patch makes all uses of -$(version).so conditional on the new
$(major-minor-libraries) flag. The alternative install targets write
the implementation DSOs directly to the locations determined by their
sonames, skipping the creation of an intermediate symbolic link.

install-symbolic-link in Makerules is updated not to require the
$(symbolic-link-list) file because it may not exist in
--disable-major-minor-libraries mode.

I verified that by default, the install tree is the same as before
on x86_64-linux-gnu except for the changes in the manual.

1d809de... by Florian Weimer on 2019-11-28

Makerules: Remove lib-version, $(subdir-version)

Also clarify that the “versioned” term refers to the soname, not the glibc
version (which also ends up in the installed file name).

I verified on x86_64-linux-gnu that “make install” produces the same

21acb78... by Florian Weimer on 2019-11-28

nptl_db: Install libthread_db under a regular implementation name

Currently, the name is always It does not change
with the glibc version, like the other libraries.

GDB hard-codes (the soname), so this change does not
affect loading libthread_db.

Tested on x86_64-linux-gnu, in an environment where the nptl GDB tests
actually run.

e37c2cf... by Florian Weimer on 2019-10-31

Move _dl_open_check to its original place in dl_open_worker

This reverts the non-test change from commit d0093c5cefb7f7a4143f
("Call _dl_open_check after relocation [BZ #24259]"), given that
the underlying bug has been fixed properly in commit 61b74477fa7f63
("Remove all loaded objects if dlopen fails, ignoring NODELETE
[BZ #20839]").

Tested on x86-64-linux-gnu, with and without --enable-cet.

Change-Id: I995a6cfb89f25d2b0cf5e606428c2a93eb48fc33

a2e8aa0... by Florian Weimer on 2019-10-31

Block signals during the initial part of dlopen

Lazy binding in a signal handler that interrupts a dlopen sees
intermediate dynamic linker state. This has likely been always
unsafe, but with the new pending NODELETE state, this is clearly
incorrect. Other threads are excluded via the loader lock, but the
current thread is not. Blocking signals until right before ELF
constructors run is the safe thing to do.

Change-Id: Iad079080ebe7442c13313ba11dc2797953faef35

f63b738... by Florian Weimer on 2019-11-13

Remove all loaded objects if dlopen fails, ignoring NODELETE [BZ #20839]

This introduces a “pending NODELETE” state in the link map, which is
flipped to the persistent NODELETE state late in dlopen, via
activate_nodelete. During initial relocation, symbol binding
records pending NODELETE state only. dlclose ignores pending NODELETE
state. Taken together, this results that a partially completed dlopen
is rolled back completely because new NODELETE mappings are unloaded.

Tested on x86_64-linux-gnu and i386-linux-gnu.

Change-Id: Ib2a3d86af6f92d75baca65431d74783ee0dbc292

a509eb1... by Florian Weimer on 2019-11-27

Avoid late dlopen failure due to scope, TLS slotinfo updates [BZ #25112]

This change splits the scope and TLS slotinfo updates in dlopen into
two parts: one to resize the data structures, and one to actually apply
the update. The call to add_to_global_resize in dl_open_worker is moved
before the demarcation point at which no further memory allocations are

_dl_add_to_slotinfo is adjusted to make the list update optional. There
is some optimization possibility here because we could grow the slotinfo
list of arrays in a single call, one the largest TLS modid is known.

This commit does not fix the fatal meory allocation failure in
_dl_update_slotinfo. Ideally, this error during dlopen should be

The update order of scopes and TLS data structures is retained, although
it appears to be more correct to fully initialize TLS first, and then
expose symbols in the newly loaded objects via the scope update.

Tested on x86_64-linux-gnu.

Change-Id: I240c58387dabda3ca1bcab48b02115175fa83d6c

440b7f8... by Florian Weimer on 2019-10-31

Avoid late failure in dlopen in global scope update [BZ #25112]

The call to add_to_global in dl_open_worker happens after running ELF
constructors for new objects. At this point, proper recovery from
malloc failure would be quite complicated: We would have to run the
ELF destructors and close all opened objects, something that we
currently do not do.

Instead, this change splits add_to_global into two phases,
add_to_global_resize (which can raise an exception, called before ELF
constructors run), and add_to_global_update (which cannot, called
after ELF constructors). A complication arises due to recursive
dlopen: After the inner dlopen consumes some space, the pre-allocation
in the outer dlopen may no longer be sufficient. A new member in the
namespace structure, _ns_global_scope_pending_adds keeps track of the
maximum number of objects that need to be added to the global scope.
This enables the inner add_to_global_resize call to take into account
the needs of an outer dlopen.

Most code in the dynamic linker assumes that the number of global
scope entries fits into an unsigned int (matching the r_nlist member
of struct r_scop_elem). Therefore, change the type of
_ns_global_scope_alloc to unsigned int (from size_t), and add overflow

Change-Id: Ie08e2f318510d5a6a4bcb1c315f46791b5b77524

79e0cd7... by Florian Weimer on 2019-11-27

Lazy binding failures during dlopen/dlclose must be fatal [BZ #24304]

If a lazy binding failure happens during the execution of an ELF
constructor or destructor, the dynamic loader catches the error
and reports it using the dlerror mechanism. This is undesirable
because there could be other constructors and destructors that
need processing (which are skipped), and the process is in an
inconsistent state at this point. Therefore, we have to issue
a fatal dynamic loader error error and terminate the process.

Note that the _dl_catch_exception in _dl_open is just an inner catch,
to roll back some state locally. If called from dlopen, there is
still an outer catch, which is why calling _dl_init via call_dl_init
and a no-exception is required and cannot be avoiding by moving the
_dl_init call directly into _dl_open.

_dl_fini does not need changes because it does not install an error
handler, so errors are already fatal there.

Change-Id: I6b1addfe2e30f50a1781595f046f44173db9491a

446997f... by Florian Weimer on 2019-10-30

resolv: Implement trust-ad option for /etc/resolv.conf [BZ #20358]

This introduces a concept of trusted name servers, for which the
AD bit is passed through to applications. For untrusted name
servers (the default), the AD bit in responses are cleared, to
provide a safe default.

This approach is very similar to the one suggested by Pavel Šimerda
in <>.

The DNS test framework in support/ is enhanced with support for
setting the AD bit in responses.

Tested on x86_64-linux-gnu.

Change-Id: Ibfe0f7c73ea221c35979842c5c3b6ed486495ccc