Commit 7e46c2aae47d3284d4eb0845ddcc3951e987d681 synced the accurate ECN
additions but encoded the trailing bitfield word of struct tcp_info
incorrectly as two uint16_t fields (tcpi_accecn_fail_mode and
tcpi_accecn_opt_seen), omitting tcpi_ecn_mode and tcpi_options2. Restore
the kernel layout:
The overall structure size is unchanged. Also add the TCPI_ECN_MODE_*
and TCP_ACCECN_* value constants for these fields, introduced together
with them by Linux commit 4fa4ac5e5848 (Linux 7.0).
s390: Prevent hoisting the thread-pointer read in THREAD_SET_STACK_GUARD (BZ 34297)
THREAD_SET_STACK_GUARD reads the thread pointer via THREAD_SELF
(__builtin_thread_pointer), which the compiler treats as invariant. In the
static startup path the thread pointer is installed by the __libc_setup_tls
call that immediately precedes the guard store, so the read must stay below
it. The existing barrier only clobbered the access registers a0/a1, which
creates no dependency on the call, so the compiler could move the whole
barrier and read above __libc_setup_tls.
This is sensitive to instruction scheduling and recent TLS startup
changes exposed it on s390x.
Add a "memory" clobber to the barrier so it is tied to the call's memory
effects and cannot be hoisted above it. The macro is shared with the
dynamic loader, so both startup paths are covered.
I checked on s390x-linux-gnu build for arch5, arch8, arch9, and arch11
by running the elf tests on qemu system (kernel 6.1.0).
Yao Zihong [Fri, 3 Jul 2026 21:59:53 +0000 (21:59 +0000)]
riscv: Add RVV strncpy for both multiarch and non-multiarch builds
This patch adds an RVV-optimized implementation of strncpy for RISC-V and
enables it for both multiarch (IFUNC) and non-multiarch builds.
The implementation integrates Hau Hsu's 2023 RVV work under a unified
ifunc-based framework. A vectorized version (__strncpy_vector) is added
alongside the generic fallback (__strncpy_generic). The runtime resolver
selects the RVV variant when RISCV_HWPROBE_KEY_IMA_EXT_0 reports vector
support (RVV).
Currently, the resolver still selects the RVV variant even when the RVV
extension is disabled via prctl(). As a consequence, any process that
has RVV disabled via prctl() will receive SIGILL when calling strncpy().
Co-authored-by: Hau Hsu <hau.hsu@sifive.com> Co-authored-by: Jerry Shih <jerry.shih@sifive.com> Signed-off-by: Yao Zihong <zihong.plct@isrc.iscas.ac.cn> Reviewed-by: Peter Bergner <bergner@tenstorrent.com>
Yao Zihong [Thu, 2 Jul 2026 03:45:24 +0000 (03:45 +0000)]
riscv: Add RVV stpncpy for both multiarch and non-multiarch builds
This patch adds an RVV-optimized implementation of stpncpy for RISC-V and
enables it for both multiarch (IFUNC) and non-multiarch builds.
The implementation integrates Hau Hsu's 2023 RVV work under a unified
ifunc-based framework. A vectorized version (__stpncpy_vector) is added
alongside the generic fallback (__stpncpy_generic). The runtime resolver
selects the RVV variant when RISCV_HWPROBE_KEY_IMA_EXT_0 reports vector
support (RVV).
Currently, the resolver still selects the RVV variant even when the RVV
extension is disabled via prctl(). As a consequence, any process that
has RVV disabled via prctl() will receive SIGILL when calling stpncpy().
Co-authored-by: Hau Hsu <hau.hsu@sifive.com> Co-authored-by: Jerry Shih <jerry.shih@sifive.com> Signed-off-by: Yao Zihong <zihong.plct@isrc.iscas.ac.cn> Reviewed-by: Peter Bergner <bergner@tenstorrent.com>
at random since they use tst-thp-align which dlopens tst-thp-size-mod.so,
but tst-thp-size-mod.so dependency is missing. Add the missing dependency
to fix BZ #34351.
Linux 6.18 adds the uprobe syscall (x86_64 only), Linux 6.19 adds listns,
and Linux 7.0 adds rseq_slice_yield. Linux 7.0 also wires up clone3 on
sparc and memfd_secret on loongarch. Update syscall-names.list and
regenerate the arch-syscall.h headers with build-many-glibcs.py
update-syscalls.
The pidfd_info interface was extended to report coredump information:
* PIDFD_INFO_SUPPORTED_MASK, along with the supported_mask field, so
userspace can check which flags the running kernel supports (commit dfd78546c95330db2252e0d7e937a15ab5eddb4e, Linux 6.19).
The struct pidfd_info is extended accordingly and PIDFD_INFO_SIZE_VER1,
PIDFD_INFO_SIZE_VER2, and PIDFD_INFO_SIZE_VER3 are added to reflect the
new struct sizes.
x86: Remove unused VZEROUPPER_SHORT_RETURN macro from memset
The VZEROUPPER_SHORT_RETURN macro in memset-vec-unaligned-erms.S has had
no users since commit e59ced238482 ("x86: Optimize
memset-vec-unaligned-erms.S") removed its last invocation, leaving both
the VEC_SIZE > 16 definition and the "rep; ret" fallback definition in
place. Remove the two now-dead definitions.
Makerules: run test-container helper through the built loader
The tests-container rule launches support/test-container, which is always
dynamically linked, through $(test-via-rtld-prefix). That prefix is empty
for tests listed in tests-static/xtests-static, so for a static container
test the helper ran under the system loader/libc instead of the newly
built one.
Makerules: add 'make check-parallel' to run tests without serialization
The default 'make check' serializes the timing-sensitive test runs: the
threading (nptl, or htl on Hurd) and realtime (rt) subdirectories run
with .NOTPARALLEL and are ordered after the rest of the test run, so they
are not perturbed by competing machine load.
Add a check-parallel (and xcheck-parallel) variant for when that is not
wanted -- an idle machine, or a run where the extra throughput is worth
the risk of flakiness in the timing-sensitive tests (check the
libc-alpha discussion [1] for more context why this approach was proposed).
A new serialize-tests flag (default yes, defined in Makeconfig) gates both
the per-subdirectory .NOTPARALLEL and the top-level run-time ordering;
check-parallel just runs the suite with serialize-tests=no, so every test
program builds and runs at full concurrency in a single pass.
'make check' and its default behavior are unchanged.
Run check-installed-headers concurrently for each header
The check-installed-headers-c/-cxx tests ran one script invocation per
subdirectory over all of its installed headers, performing about 80
compiler invocations per header serially.
Give each header its own intermediate target so the compiler
invocations parallelize under the make jobserver, recording the
per-header script exit status next to the output. The .out target
concatenates the per-header outputs in the original $(headers) order
and fails if any recorded status is non-zero, so both the .out contents
(verified byte-identical for all 76 files) and the tests.sum results
are unchanged.
Results on a x86_64 machine [1] from a make check with run-built-tests=no
show neutral results, and on aarch64 machine [2] it improves from 241.574s
to 182.405.
[1] Ryzen 5900x, 12c/24t, gcc 16.1.1, binutils 2.26, and GNU make 4.3
[2] N1, 80c, gcc 15.1.1, binutils 2.25, GNU make 4.3
Makefile: Do not install the container testroot if not running tests
Every subdirectory tests target depends on
$(objpfx)testroot.pristine/install.stamp, whose recipe performs a full
DESTDIR installation (about 12s and 154MB on x86_64). The testroot is
only consumed by the container tests, which do not run when
run-built-tests is no, so skip it entirely in that case.
This saves about 10s on x86_64 [1] and 30s on aarch64 [2].
[1] Ryzen 5900x, 12c/24t, gcc 16.1.1, binutils 2.26, and GNU make 4.3
[2] N1, 80c, gcc 15.1.1, binutils 2.25, GNU make 4.3
Makefile: Do not force elf last for the others and tests passes
The requirement that the elf subdirectory comes last in the
subdirectory ordering stems from its lib pass: the rtld link consumes
$(common-objpfx)libc_pic.a, which aggregates every other
subdirectory's objects.
The others, tests, and xtests classes have no such dependency: everything
they consume from other subdirectories is provided by the pass barriers
(others after lib, tests after others). Keep elf last only for the
object-building classes and let its others and tests sub-makes run
concurrently with the other subdirectories.
With elf no longer forced last for those classes, the Depend edges
pointing to elf (e.g. support/Depend) no longer create a cycle there,
so honor them instead of dropping them.
This improves the make check with run-built-tests=no, specially on
machine with many cores. Results on a x86_64 machine [1] it improves
from 190s to 181s, while on a aarch64 machine [2] it improves from
298.726s to 243.098s.
Build results remain bit-identical and the tests.sum failure sets are
unchanged.
[1] Ryzen 5900x, 12c/24t, gcc 16.1.1, binutils 2.26, and GNU make 4.3
[2] N1, 80c, gcc 15.1.1, binutils 2.25, GNU make 4.3
Makefile: Run the subdirectory recursion in parallel
The top-level makefile was marked .NOTPARALLEL and ran the
per-subdirectory sub-makes strictly one at a time in the topological
order computed by scripts/gen-sorted.awk. Only the compilations inside
a single subdirectory could run in parallel, so on wide machines every
subdirectory's compile tail and link steps left most cores idle, once
per subdirectory per pass.
Drop .NOTPARALLEL and encode the ordering the serial recursion relied
on as explicit dependencies between the per-subdirectory targets:
* The subdirectories that generate shared files in $(common-objpfx)
consumed by the rest of the build without explicit dependencies run
serially, in their sorted order, before the rest fan out: csu
provides the tree-wide gen-as-const headers, and on Hurd the mach
and hurd directories generate the MiG RPC headers (every other
subdirectory otherwise runs a nested make in hurd/ to create them,
racing under parallel recursion; see sysdeps/mach/hurd/Makefile).
The first of them also materializes the other shared generated files
(abi-versions.h, sysd-syscalls, before-compile headers).
* The edges requested by the Depend files (now emitted by
gen-sorted.awk as subdir-deps-*) are preserved. Edges pointing to
elf are dropped, as the sorted list already overrides them by
forcing elf last.
* The tests and xtests classes only run the per-directory test
programs, which are mutually independent once the others pass has
built the tree. They therefore carry only the others pass barrier
below and none of the csu-first or Depend edges (+ordered_parallel_-
subdir_targets excludes them); otherwise "make subdir/tests" would
also run the tests of every subdirectory reachable through those
edges, rather than just the requested one.
* elf stays last: its rtld link consumes $(common-objpfx)libc_pic.a,
which aggregates every other subdirectory's objects, and its
rtld-Rules recursion compiles into the other subdirectories' object
directories.
* Pass barriers replace the implicit pass ordering: others after lib
(a subdirectory others sub-make would otherwise race to link
libc.so itself), tests/xtests after others, and the testroot
install behind others.
* The threading (nptl, or htl on Hurd) and realtime (rt) tests are
timing-sensitive and were previously shielded from system load by
the global .NOTPARALLEL. With the recursion now parallel, a full
test run ('make check'/'tests', run-built-tests=yes) orders them
after the rest of the test run and one group at a time -- the
threading subdirectory, then rt -- and each serializes its own run
via a .NOTPARALLEL in its Makefile. A targeted 'make subdir/tests'
is not ordered.
The serialization (the per-subdirectory .NOTPARALLEL and the ordering
above) constrains only the test run, not the build of the test
programs; but building and running a subdirectory's tests are fused
in its sub-make, so under run-built-tests=yes the serialized
subdirectories would also build their test programs serially. To
avoid that, the top-level 'make check' (in Makerules) now runs two
passes: it builds every test program with run-built-tests=no, where
the recursion is fully parallel and none of the serialization
applies, and then runs the tests with run-built-tests=yes. 'make
tests' and a subdirectory's own 'check' stay single pass.
* The subdirectory-built files that the top-level libc.so and
linkobj/libc_pic.a rules list as prerequisites (elf/ld.so,
interp.os, sofini.os, sunrpc/librpc_compat_pic.a, and on Hurd
mach/libmachuser_pic.a and hurd/libhurduser_pic.a, from which the
lib*user-link.so inputs of libc.so are built) get order-only edges
on the corresponding sub-make with an explicit empty recipe. A
prerequisite-only rule would trigger an implicit rule search and
this level would compile them itself in the wrong context.
* The install, clean, abi, and stubs target classes keep the
previous total order via a serial dependency chain.
* The elf DSO sorting test recipes, run when make remakes the
included generated makefiles at parse time, create the elf object
directory before writing into it; the serial recursion no longer
guarantees another rule created it first.
* catgets builds locale-specific message catalogs (and tst-catgets
reads one) by running gencat under de_DE.ISO-8859-1, hr_HR.ISO-8859-2
and ja_JP.SJIS, but never declared those locales as prerequisites: it
relied on localedata running before it in the serial order. Under
the parallel recursion gencat could run before localedata generated
the locale, fall back to C, and fail. catgets/Makefile now pulls the
locales in via gen-locales.mk, like the other subdirectories that use
locales in their tests.
Results on a x86_64 machine [1] with default configuration [3]: a
from-scratch build improves from 78.728s to 61s, and check with
run-built-tests=no from 374s to 190s.
On a 80-core aarch64 machine [2] with default configuration [3]: a
from-scratch build improves from 105.251s to 56.703s, and check with
run-built-tests=no from 886.183s to 298.726s.
Build results are unchanged: all 8919 built objects, archives, and
shared objects are bit-identical to the serial build across 7 clean
parallel builds, the installed tree layout is identical, and the
tests.sum failure sets are identical. i686-gnu was verified with
repeated from-scratch builds.
[1] Ryzen 5900x, 12c/24t, gcc 16.1.1, binutils 2.26, and GNU make 4.3
[2] N1, 80c, gcc 15.1.1, binutils 2.25, GNU make 4.3
[3] --enable-stack-protector=all --enable-bind-now=yes --enable-profile=yes
--enable-fortify-source=2 --enable-hardcoded-path-in-tests
scripts/gen-sorted.awk: Also emit the subdirectory dependency edges
gen-sorted.awk collects the inter-subdirectory dependencies from the
Depend files and the sysdeps Subdirs 'first' directives, but only uses
them to compute the flattened sorted-subdirs list.
This change also emit the raw edges as subdir-deps-<dir> make variables
so the parent makefile can express the same ordering as explicit
dependencies between the per-subdirectory recursion targets and run
independent subdirectories in parallel.
For instance, on x86_64-linux-gnu build the 'sysd-sorted' now shows:
Sam James [Thu, 2 Jul 2026 23:33:33 +0000 (00:33 +0100)]
intl: create correct directory in tst-translit.sh
Depending on parallelism, it's possible for domaindir/existing-locale/LC_MESSAGES
to have not been created yet:
```
msgfmt: error while opening "build/intl/domaindir/existing-locale/LC_MESSAGES/translit.mo" for writing: No such file or directory
make[2]: Leaving directory 'src/intl'
FAIL: intl/tst-translit
original exit status 1
cat: build/intl/tst-translit.out: No such file or directory
make[1]: *** [Makefile:944: test] Error 1
```
If so, the following msgfmt call will fail. Fix the typo in the mkdir call.
Arguably we should split these test preparations to avoid producing binaries
we know won't PASS because their support data is missing.
DJ Delorie [Fri, 26 Jun 2026 03:30:39 +0000 (23:30 -0400)]
Add system-wide tunables: Filters
Add support for [proc:*] syntax where * matches /proc/self/exe
(fallback: argv[0] unless AT_SECURE). Tunables after such a
line are limited to matching processes.
Note that this filter is reset when including a file or at
end of file.
If the filename starts with a slash (example: [proc:/bin/foo]) the
full path must match. If not (example: [proc:foo]) the basename is
matched.
Add support for filtering out AT_SECURE or non-AT_SECURE binaries:
DJ Delorie [Tue, 30 Jun 2026 20:49:42 +0000 (16:49 -0400)]
Add system-wide tunables: cache ld.so.cache
The purpose of this change is twofold:
1. The ld.so.cache is cached in memory and only re-read if/when
it changes on disk. This allows us to have much more intensive
security checks in the future, without impacting performance as
much. It also allows for cases where the cache is corrupted -
we continue using the last valid one.
2. We break out the load/check logic so that the cache can be
loaded independently of the library lookup, such as for
code that only needs to look at the extensions.
DJ Delorie [Fri, 26 Jun 2026 03:30:39 +0000 (23:30 -0400)]
Add system-wide tunables: ldconfig part
Adds support for reading /etc/tunables.conf
The file contains one line per tunable, like this:
glibc.foo.bar=14
glibc.malloc.more=0
Additionally, each line can be prefixed with a single word or character
that controls overridability by the GLIBC_TUNABLES env var:
overridable glibc.foo=0
+glibc.foo=0
^ May be overridden (the default)
nonoverridable glibc.foo=0
-glibc.foo=0
^ May not be overridden
The tunable cache format allows for a filter to be assigned to
each tunable, to be used at program start to decide if a tunable
applies to that program. No such filters have yet been specified.
The cache format also stores a pre-parsed value for the tunable, and
the ID of the tunable, to improve load-time performance.
Both ld.so and malloc track kernel THP mode and THP page size when THP
in ld.so is enabled by
GLIBC_TUNABLES=glibc.elf.thp=1
and THP in malloc is enabled by
GLIBC_TUNABLES=glibc.malloc.hugetlb=1
But DL_MAP_DEFAULT_THP_PAGESIZE and MALLOC_DEFAULT_THP_PAGESIZE may be
different when they are defined in <hugepages.h>.
If THP in ld.so is enabled, change malloc to use kernel THP mode from
ld.so, instead of calling __get_thp_mode, and use THP page size from
ld.so if it came from __get_thp_size. This avoids calling __get_thp_mode
and __get_thp_size again, which are quite expensive:
1. Initialize mp_.thp_mode and GL(dl_thp_mode) to thp_mode_unknown.
2. Set mp_.thp_mode to GL(dl_thp_mode) if GL(dl_thp_mode) isn't
thp_mode_unknown. Otherwise call __get_thp_mode to set mp_.thp_mode.
3. GL(dl_elf_thp_pagesize) is set to DL_MAP_DEFAULT_THP_PAGESIZE without
calling __get_thp_size and THP page size for malloc may be different from
THP page size for ld.so. Set mp_.thp_pagesize to GL(dl_elf_thp_pagesize)
if DL_MAP_DEFAULT_THP_PAGESIZE is defined. Otherwise call __get_thp_size
to set mp_.thp_pagesize.
4. THP page size in malloc is capped to MAX_THP_PAGESIZE. If THP page
size is above MAX_THP_PAGESIZE, THP in malloc is disabled.
These result in when glibc.elf.thp is set to 1, malloc uses the actual
kernel THP mode instead of defaulting to madvise mode and madvise_thp
will stop issuing MADV_HUGEPAGE if kernel THP mode is always.
When scanf parses special floating-point inputs like "nan", "inf", it
may read one extra character to check whether the input still matches
the expected word.
If that extra character does not match, the conversion should fail, but
the character has already been read from the stream. Some error paths
did not push it back before reporting the conversion error, so later input
started at the wrong position.
Fix this by keeping EOF and width errors separate from character mismatch
errors. Push the character back before calling conv_error for mismatch
errors.
Add narrow and wide scanf tests using the same test body. The test cases
focus on the paths changed by this patch: mismatches while matching "nan",
"nan(...)", "inf", and "infinity".
Tested on x86_64 Fedora 42.
The following tests passed without regressions:
make test t=stdio-common/tst-scanf-bz34208
make test t=stdio-common/tst-wscanf-bz34208
make subdirs="stdio-common libio" check
Michael Ford [Thu, 25 Jun 2026 09:21:16 +0000 (10:21 +0100)]
nss: Remove --enable-static-nss configure option
Since the NSS reorganization in glibc 2.33 the --enable-static-nss
option no longer changes the build: the files and dns services are built
into libc unconditionally, and there is no longer any mechanism to bake
the remaining services into libc.a. After removing the dead
-DSTATIC_NSS define and the <gnu/lib-names.h> include (commits 82b710c1900944ea122a3880f542215948fc023d and 21694014388ad278aa03241800d1f0c0a7127ad1), the option's only remaining
effect was to define DO_STATIC_NSS, which suppresses the static link
warnings on the NSS interface functions in libc.a.
With DO_STATIC_NSS gone, nss_interface_function emits the static link
warning unconditionally; static_nss and build-static-nss are removed
along with the configure option.
tst-nss-static, previously built only when build-static-nss was set, is
now added to tests-static unconditionally so the static NSS path retains
test coverage.
Signed-off-by: Michael Ford <fanquake@gmail.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Add a new section to the Dynamic Linker chapter describing the
STT_GNU_IFUNC mechanism: the resolver calling convention for each
supported architecture, when resolvers run, and the functionality
supported in resolvers (TLS access, stack protector, cross-object
references) along with the remaining restrictions, reflecting the
recent ordering fixes (BZ 20680, BZ 23240, BZ 28817, BZ 34164,
BZ 34170). Also cross-reference it from the hardening section.
Sachin Monga [Thu, 18 Jun 2026 10:34:04 +0000 (05:34 -0500)]
ppc64le: Restore optimized memchr for power10 [BZ #34300]
Restore the POWER10 memchr implementation reverted in commit a7877bb6685300f159fa095c9f50b22b112cddb8 [BZ #33059], addressing the
actual cause:
The non-volatile vector register v20 used as the
zero vector (M_VREG_ZERO) is replaced with the volatile register v17.
Additionally, the assembler workaround used earlier for the
instructions lxvp and vextractbm is replaced with actual
instructions.
The RISC-V libthread_db THREAD_SELF descriptor currently assumes 64-bit
general-register slots:
REGISTER (64, 64, 4 * 8, ...)
That is correct for RV64, where tp/x4 is at byte offset 4 * 8 in the
general register set. On RV32, general-register slots are 32-bit wide,
so tp/x4 is at byte offset 4 * 4.
Using the RV64 layout on RV32 makes libthread_db read the wrong thread
pointer value and prevents GDB from enabling pthread-aware thread
debugging.
Use a helper macro to pass the RISC-V register size into the
DB_THREAD_SELF definition.
Signed-off-by: Shengwen Cheng <shengwen1997.tw@gmail.com> Reviewed-by: Peter Bergner <bergner@tenstorrent.com>
H.J. Lu [Tue, 23 Jun 2026 00:10:05 +0000 (08:10 +0800)]
thp: Limit THP code padding to 2 * THP page size
Since R_ARC_S25W_PCREL range is limited, 32MB THP code padding leads to
relocation overflow:
.../support/libsupport_nonshared.a(support_test_main.oS):
in function `support_test_main':
.../support/support_test_main.c:396:(.text+0x650): relocation truncated to fit: R_ARC_S25W_PCREL_PLT against symbol `atexit' defined in .text section in
../glibc/libc_nonshared.a(atexit.oS)
.../install/compilers/arc-linux-gnu/arc-glibc-linux-gnu/bin/ld: final link failed
collect2: error: ld returned 1 exit status
Limit THP code padding to 2 * THP page size to avoid R_ARC_S25W_PCREL
relocation overflow.
Tested natively for Linux/x86-64 and Linux/i686 as well as with
build-many-glibcs.py for arc-linux-gnu.
This fixes BZ #34311
Signed-off-by: H.J. Lu <hjl.tools@gmail.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
hppa: Fix missing call to __feraiseexcept (BZ 34306)
The feupdateenv function is supposed to raise exceptions after
installing the environment represented by its envp argument.
This was accidentally missed on hppa.
The failure to raise exceptions was noticed by the failure of
the math/test-narrowing-trap test.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Sergey Kolosov [Mon, 22 Jun 2026 18:15:44 +0000 (20:15 +0200)]
resolv: Add test for gethostbyname_r unaligned buffer [BZ #18287]
Add a test for the buffer overflow in gethostbyname_r (Bug 18287), which
occurs when alignment padding is not subtracted from the remaining buffer
length.
The test uses binary search to find the exact required buffer size
for a mocked DNS response. It then tests all pointer misalignments
(1-7 bytes) using a custom 0xAA guard region. This guarantees
deterministic detection of out-of-bounds writes, avoiding false
negatives caused by malloc chunk rounding.
Justus Winter [Thu, 15 Aug 2013 08:43:35 +0000 (10:43 +0200)]
Define _PATH_MOUNTED as "/etc/mtab"
Change the definition of _PATH_MOUNTED to "/etc/mtab". This is the
value used on Linux, and BSD also uses /etc/mtab.
The change is motivated by the fact that on Debian /etc/mtab is a
symbolic link to /proc/mounts. This patch adjusts the macro for
non-linux systems such as Hurd. Changing this using
sysdeps/mach/hurd/paths.h causes build problems because
/usr/include/hurd/paths.h is shadowed by this file. This change is
proposed in the hope that aligning the non-linux targets with the
glibc for Linux is perceived as a good thing while fixing this problem
on Debian/Hurd along the way.
The parse_tilde function previously used strndupa to allocate memory
for the parsed username on the stack, and since the input is
user-defined, this can lead to a stack overflow.
This patch fixes the issue by replacing strndupa with scratch_buffer,
by reusing the buffer used in the __getpwnam_r call.
The new “tst-wordexp-tilde.c” test is a test-container to avoid using
system-defined NSS modules.
Yao Zihong [Sun, 21 Jun 2026 03:54:22 +0000 (22:54 -0500)]
riscv: Add RVV memmove for both multiarch and non-multiarch builds
This patch adds an RVV-optimized implementation of memmove for RISC-V and
enables it for both multiarch (IFUNC) and non-multiarch builds.
The implementation integrates Hau Hsu's 2023 RVV work under a unified
ifunc-based framework. A vectorized version (__memmove_vector) is added
alongside the generic fallback (__memmove_generic). The runtime resolver
selects the RVV variant when RISCV_HWPROBE_KEY_IMA_EXT_0 reports vector
support (RVV).
Currently, the resolver still selects the RVV variant even when the RVV
extension is disabled via prctl(). As a consequence, any process that
has RVV disabled via prctl() will receive SIGILL when calling memmove().
Co-authored-by: Hau Hsu <hau.hsu@sifive.com> Co-authored-by: Jerry Shih <jerry.shih@sifive.com> Signed-off-by: Yao Zihong <zihong.plct@isrc.iscas.ac.cn> Reviewed-by: Peter Bergner <bergner@tenstorrent.com>
H.J. Lu [Mon, 13 Apr 2026 00:23:05 +0000 (08:23 +0800)]
elf: Support THP segment load with madvise enabled THP
The current THP segment load approach works only when THP is enabled
with always in the kernel. If THP is enabled with madvise in the
kernel, to enable THP segment load in an application, madvise should
be called with MADV_HUGEPAGE on all THP eligible PT_LOAD segments:
1. Define DL_MAP_DEFAULT_THP_PAGESIZE in hugepages.h and default it to 0.
If DL_MAP_DEFAULT_THP_PAGESIZE is defined, assume kernel THP madvise mode.
If kernel THP mode is always or never, there is an extra madvise call
which has no impact. DL_MAP_DEFAULT_THP_PAGESIZE is defined for x86-64
and 64-bit loongarch.
2. Update _dl_map_segment_align to support madvise THP mode. This fixes
BZ #34079.
3. Call _dl_executable_postprocess in rtld_setup_main_map for dynamic
executables and in LIBC_START_MAIN for static executables, which calls
madvise with MADV_HUGEPAGE on all THP eligible PT_LOAD segments in
executable. This fixes BZ #34080 for both dynamic and static executables.
4. Call _dl_postprocess_loadcmd_extra in _dl_postprocess_loadcmd, which
calls madvise with MADV_HUGEPAGE on all THP eligible PT_LOAD segments
when loading an object after they have been mapped in. This fixes
BZ #34080 for shared objects.
5. Set the maximum page alignment on THP tests to THP page size as the
default maximum page alignment may be smaller than THP page size.
6. Add tests to verify that large executable PT_LOAD segments in
executables are mapped at addresses aligned to THP page size when the
kernel is configured to use THP in "always" mode or "madvise" mode by
inspecting /proc/self/maps to check that the mapping address is aligned
to THP page size reported by the kernel. Also verify that madvise is
called with MADV_HUGEPAGE when the glibc tunable glibc.elf.thp=1 is used
and madvise isn't called with MADV_HUGEPAGE when the glibc tunable
glibc.elf.thp=0 is used.
Skip these tests if THP page size cannot be determined or if THP is not
enabled in "always" mode nor "madvise" mode.
Quote WANG Rui <wangrui@loongson.cn>:
From benchmarking a clang build of the Linux kernel on x86_64 with
your patch in THP madvise mode, I observed that iTLB misses were
reduced, similar to what we see in THP always mode.
NB: Some THP tests fail on arm due to limitations of arm32 kABI:
Remove unused THREAD_SET_POINTER_GUARD and THREAD_COPY_POINTER_GUARD
Commit a5ec880f808ee7268d985bed4f961799bdc0a4bf ("Consolidate pointer
guard to use a relro variable instead of the TCB") moved the pointer
guard to the module-local relro variable __pointer_chk_guard_local and
dropped the THREAD_{SET,COPY}_POINTER_GUARD macros, which are no longer
defined by any target.
Florian Weimer [Fri, 19 Jun 2026 16:22:20 +0000 (18:22 +0200)]
resolv: Fix buffer overreads in ns_sprintrrf (CVE-2026-6238)
Check that the RDATA payload does not require more than RDATALEN
bytes while processing it. The fixes cover A6, LOC records.
(CERT, TKEY, TSIG were fixed before, by switching to the generic
formatter.)
A6 record handling was introduced in commit 91633816430e7ec5a19fe3ff510a7c4822a9557e ("* resolv/ns_print.c
(ns_sprintrrf): Handle ns_t_a6 and ns_t_opt."), which went into glibc
2.7.
This fixes bug 34069.
Reviewed-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Florian Weimer [Fri, 19 Jun 2026 16:22:20 +0000 (18:22 +0200)]
resolv: Fix ns_sprintrrf formatting of class, type values (bug 34289)
The p_class and p_type results could overwrite each other if both
were unknown. Format unknown values with CLASS and TYPE prefixes,
as in RFC 3597. Handle A6 separately because it cannot be added
to __p_type_syms for ABI reasons.
Reviewed-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Florian Weimer [Fri, 19 Jun 2026 16:22:20 +0000 (18:22 +0200)]
Update GLIBC-SA-2026-0012 to mention A6 records
It turns out there is a missing inner length check in it, too.
Also fix the vulnerable commit. It predates the glibc 2.0 release
because the old stream-based formatting code in resolv/res_debug.c had
the same bug in its LOC handling.
Reviewed-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
elf: Do not scrub AT_RANDOM to a constant when reseeding fails (BZ 34197)
_dl_reseed_random zeroed the AT_RANDOM bytes before refilling them with
getrandom (GRND_NONBLOCK). That call is best-effort and can write nothing
(e.g. before the kernel entropy pool is initialized early at boot), leaving
the 16 bytes as a constant zero.
Since the value is exposed through getauxval (AT_RANDOM), this traded a
potential guard leak for a guaranteed predictable value.
Drop the memset and overwrite the bytes in place instead. The generic
version now just drops the pointer (it is not used anywhere).
elf: Scrub and reseed the AT_RANDOM bytes after deriving the guards (BZ 34197)
Once the pointer and stack guards have been derived from AT_RANDOM, scrub
the bytes and refill them with new random data unrelated to the guards.
On Linux, it uses getrandom syscall (as for tcache_key_initialize), and
fallback to zero the memory if the syscall is not avaiable.
This keeps AT_RANDOM useful to applications while ensuring those bytes no
longer reveal the guards.
The work is done by _dl_reseed_random, called once the guards are in place
and before any ELF constructor can observe AT_RANDOM: in security_init for
the dynamic loader and in __libc_start_main for statically linked programs.
Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu.
Consolidate dl-osinfo.h into the generic implementation
The generic and the Linux _dl_setup_stack_chk_guard and
_dl_setup_pointer_guard are identical when the kernel provides the
AT_RANDOM auxiliary vector, which is always the case on the supported
Linux kernels; the generic version only adds a fallback for a missing
AT_RANDOM. Remove the Linux-specific dl-osinfo.h and use the generic
one for all targets.
The removed header pulled in <dl-sysdep.h>, which is what transitively
declared __libc_enable_secure for dl-parse_auxv.h; include <unistd.h>
there directly so it no longer relies on that. Include <string.h> in
the generic header so it is self-contained.
Consolidate the C pointer guard and align the assembly implementations
The per-architecture pointer_guard.h files all implemented some variant
of C PTR_MANGLE/PTR_DEMANGLE: the i386 and x86_64 versions did an
exclusive-or by the guard followed by a rotate left by
2 * sizeof (uintptr_t) + 1 bits (9 on 32-bit, 17 on 64-bit), while the
other targets did the exclusive-or only. The assembly macros likewise
rotated on i386 and x86_64 but not on the other targets.
Consolidate everything to use XOR + rotate uniformly: collapse the
per-architecture C headers into a single generic implementation, and
add the matching rotate to the assembly implementations that lacked it.
Targets with an assembly rotate instruction (aarch64, arm, loongarch,
powerpc, s390, csky) just add it. Those without one (alpha, sparc, sh)
synthesize the rotation: alpha and sparc with a shift/shift/or sequence,
which needs an extra scratch register added to the PTR_MANGLE/PTR_DEMANGLE
macros, sh with single-bit rotates, which needs no scratch. The s390
__longjmp and ____longjmp_chk demangle the return address and stack
pointer in C, so update those too.
Checked with setjmp, ptrguard and longjmp_chk tests for all supported
ABIs that can run under qemu (all but csky), and with builds for all
supported ABIs.
Remove the jmp_buf stack pointer demangle on ABIs that do not mangle it
arc, m68k, microblaze, mips, and riscv store the raw stack pointer in
setjmp, while their jmpbuf-unwind.h applies PTR_DEMANGLE to it in
_jmpbuf_sp. This is currently harmless because these ABIs use the
generic pointer_guard.h, where the C PTR_DEMANGLE is a no-op.
Move the assembly PTR_MANGLE/PTR_DEMANGLE definitions out of each
pointer_guard.h into a new sibling pointer_guard-asm.h, guarded by
__ASSEMBLER__. pointer_guard.h now includes pointer_guard-asm.h and
keeps only the C definitions.
No functional change: the .S and .c files still include pointer_guard.h
and get the same macros, and <pointer_guard-asm.h> resolves per-arch
through the usual sysdeps include path.
i386, powerpc, s390, sh and sparc fell back to the generic no-op
pointer_guard.h in ld.so, so the loader's own setjmp/longjmp and mangled
function pointers were left unprotected (the other targets already
mangle in rtld). ld.so is position-independent and sets up
__pointer_chk_guard_local early in dl_main, so the loader can reach it
the same way a statically linked program does:
- powerpc, s390, sh, sparc: select __pointer_chk_guard_local for
IS_IN (rtld) and reuse the existing PIC guard load.
- i386: load it via @GOTOFF off a GOT pointer set up with LOAD_PIC_REG
in the caller-provided scratch register
(ld.so does not keep the GOT in %ebx at the setjmp/longjmp entry).
- s390: drop the IS_IN (rtld) "#undef PTR_DEMANGLE" in __longjmp.c so
the loader's longjmp demangles to match its setjmp.
Checked on x86_64-linux-gnu, aarch64-linux-gnu, i686-linux-gnu, and
armv7a-linux-gnueabihf. I also run elf and setjmp checks on qemu
loongarch64, powerpc64, powerpc64le, and s390x systems.
Consolidate pointer guard to use a relro variable instead of the TCB
For the targets that still read the pointer guard from the thread
descriptor (i386, x86_64, powerpc, s390, sparc, and sh), mangle and
demangle pointers using the module-local __pointer_chk_guard_local (in
ld.so and static binaries) or the global __pointer_chk_guard provided by
the dynamic loader (in shared objects), matching the scheme already used
by aarch64, alpha, arm, csky and loongarch.
On i386 the guard is no longer reachable as a single %gs-relative memory
operand, so the assembly PTR_MANGLE/PTR_DEMANGLE PIC variants need a
register to hold the GOT pointer and the guard address.
This removes the dependency on the TCB pointer_guard slot: drop
THREAD_{GET,SET,COPY}_POINTER_GUARD and the POINTER_GUARD tcb-offset,
and point the POINTER_CHK_GUARD test macro at the relro variable. The
tcbhead_t slot is kept (renamed to an unused reserved field, except on
s390 which reused the stack guard) to preserve the ABI. s390 gains a
distinct pointer guard rather than aliasing the stack guard.
Checked on x86_64-linux-gnu, aarch64-linux-gnu, i686-linux-gnu, and
armv7a-linux-gnueabihf. I also run elf and setjmp checks on qemu
loongarch64, powerpc64, powerpc64le, and s390x systems.
elf: Propagate the pointer guard to ld.so loaded via static dlopen (BZ 34196)
The static-dlopen does not initialize the pointer guard for ABIs that
define THREAD_SET_POINTER_GUARD. Besides not properly guard the
pointer if a libc.so symbol is called, this can lead to setjmp
failures (a jmp_buf set up by the loaded libc.so.6 cannot be restored
by the static program's __longjmp, and vice versa).
Seed the just-mapped loader's __pointer_chk_guard from the program's
__pointer_chk_guard_local in __rtld_static_init, next to the other
runtime values copied there.
Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu.
It syncs with CORE-MATH commit 887cab6f. The new tests are from
the CORE-MATH acosh worst-cases inputs that trigger the FE_TOWARDZERO
issue with the previous implementation, along with the hard-to-round
cases from CORE-MATH commits 72febed6 and ce9e99f6.
Checked on x86_64-linux-gnu, x86_64-linux-gnu with --disable-multi-arch
(so soft FMA implementation is used), i686-linux-gnu (which uses its
own acosh implementation), aarch64-linux-gnu, and
armv7a-linux-gnueabihf.
Reviewed-by: Paul Zimmermann <Paul.Zimmermann@inria.fr>
Michael Ford [Wed, 10 Jun 2026 15:24:50 +0000 (17:24 +0200)]
inet: Remove unused STATIC_NSS define
The --enable-static-nss configuration adds -DSTATIC_NSS to CFLAGS for
the inet subdirectory, but no source file has referenced the STATIC_NSS
macro for quite some time. So remove the dead define.
Signed-off-by: Michael Ford <fanquake@gmail.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Michael Ford [Thu, 11 Jun 2026 13:58:04 +0000 (15:58 +0200)]
nss: Remove <gnu/lib-names.h> include from nsswitch.c
nsswitch.c no longer references any of the *_SO macros provided by
<gnu/lib-names.h>. The only consumer, __nss_shlib_revision, moved to
nss_module.c as part of the NSS reorganization in glibc 2.33 (and
nss_module.c includes the header unconditionally), but the guarded
include was left behind.
Signed-off-by: Michael Ford <fanquake@gmail.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
_dl_runtime_resolve and _dl_runtime_profile only preserved the integer
argument registers (r0-r3) across the inner call to _dl_fixup /
_dl_profile_fixup. Two related ABI requirements demand more:
* Under AAPCS-VFP, d0-d7 hold the caller's double arguments to the
function being resolved. Recent GCC emits VFP instructions inside
the fixup routines, clobbering them, so the resolved function sees
corrupted arguments (BZ 34144).
* Per RTABI32, the __aeabi_mem* helpers (and similar runtime helpers
reachable through the dynamic linker) must only corrupt integer
core registers. IFUNC resolvers, audit modules, and interposed
malloc invoked during symbol resolution may also use VFP, even on
softfp ABI builds (BZ 15792).
Save all call-clobbered VFP state -- d0-d15 unconditionally, d16-d31
when HWCAP_ARM_VFPD32 is set, and fpscr -- around the inner fixup
call. Whether VFP is usable is a property of the hardware, not of
the ABI glibc was built with, so the decision is gated on AT_HWCAP at
runtime in both hardfp and softfp builds; hardfp builds will always
find HWCAP_ARM_VFP set, while softfp builds running on a non-VFP CPU
correctly skip the save.
For _dl_runtime_profile the save area is slipped in just before the
bl to _dl_profile_fixup; the outgoing framesizep argument is
recomputed to account for the extra frame, and both the fast path
(no audit framesize) and the slow path (audit wraps with
pltenter/pltexit) traverse the restore before splitting.
aarch64: Fix static PIE CPU feature detection (BZ 34205)
ARCH_INIT_CPU_FEATURES is called from __libc_start_main before
_dl_relocate_static_pie, so any code it runs must not rely on
relocations being applied yet. Two issues break this under static PIE:
1. The cpu_list table held 'const char *name' members, whose
addresses are not link-time constants under PIE and thus require
base-relative relocations that are not yet in place. Replace the
array of structs with a flat NUL-separated name string and a
parallel midr array, removing the pointer relocations.
2. tunable_strcmp pulls in memcmp, which is an IFUNC and is likewise
unresolved at this point. Redirect memcmp to __memcmp_generic in
the aarch64 dl-symbol-redir-ifunc.h and include it from
csu/libc-start.c.
Sana Kazi [Mon, 15 Jun 2026 14:37:59 +0000 (16:37 +0200)]
nptl: open threads comm with O_WRONLY|O_CLOEXEC
pthread_setname_np opens the thread's comm file using O_RDWR, but the
function only ever writes to it. This causes two distinct problems:
1. Missing O_CLOEXEC: the file descriptor is not marked close-on-exec,
so it remains open across fork+exec. A child process that audits
its inherited file-descriptor set will encounter an unexpected /proc
fd it did not open and may treat this as a security violation and
abort.
2. Unnecessary O_RDWR: requesting read+write access when only write
access is needed can cause open() to fail under security policies
that permit writing to /proc/<tid>/comm but deny reading it.
Fix both issues by replacing O_RDWR with O_WRONLY|O_CLOEXEC
Similarly, updated pthread_getname_np to use O_CLOEXEC.
Yury Khrustalev [Tue, 26 May 2026 10:19:53 +0000 (11:19 +0100)]
malloc: aarch64: Add ifuncs for malloc functions
Introduce ifuncs and resolvers for functions pertinent to the
malloc interface on the AArch64 target: malloc, calloc, free,
realloc, memalign, valloc, pvalloc, posix_memalign, aligned_alloc,
free_sized, free_aligned_sized, malloc_usable_size.
A target can define the USE_MULTIARCH_MALLOC macro. In this case
it must provide alternative aliases for the malloc functions that
point to the ifuncs.
This implementation respects the --disable-multi-arch configure
flag. If multi-arch support is disabled, the generic aliases
are used on aarch64.
This patch contains aarch64-specific resolvers. At this moment they
return core implementations but in the future they can be changed
to support for features, e.g. to handle memory tagging.
Fabian Rast [Thu, 11 Jun 2026 12:30:37 +0000 (14:30 +0200)]
rtld: cache cpuid results on the stack for intel
dl_init_cacheinfo retrieves various information about cache
sizes, using the cpuid instruction on x86.
Previously, the same cpuid leaves were queried multiple times.
This behavior caused intel_check_word to prominently show up in
profiles of dynamic loader startup on the Intel(R) Xeon(R) Gold 6430.
The big performance impact could not be reproduced on other Intel cpus.
This patch reduces the number of cpuid queries on startup
by caching their results on the stack for reuse when searching for a
different cache size value.
This approach does not change the overall design of
the cache enumeration code (repeated calls to handle_* functions).
The values are cached on the stack instead of globally (e.g.
in the cpu_features global) because they are never needed after
early initialization.
The cache is only active for Intel cpus, because it has not yet
been shown through benchmarks that it meaningfully improves performance
for other processors.
Signed-off-by: Fabian Rast <fabian.rast@tum.de> Reviewed-by: Sunil K Pandey <skpgkp2@gmail.com>
Joseph Myers [Wed, 10 Jun 2026 18:49:53 +0000 (18:49 +0000)]
Fix -Wconstant-logical-operand error for Hurd
Building for Hurd with GCC mainline produces an error in pt-block.c
(here MSG_OPTIONS is a macro that may be defined before pt-block.c is
included by another source file):
In file included from ../sysdeps/mach/htl/pt-block-intr.c:6:
../sysdeps/mach/htl/pt-block.c: In function '__pthread_block_intr':
../sysdeps/mach/htl/pt-block.c:49:42: error: use of logical '&&' with constant operand '1024' [-Werror=constant-logical-operand]
49 | if ((MSG_OPTIONS & MACH_RCV_INTERRUPT) && err == MACH_RCV_INTERRUPTED)
| ^~
../sysdeps/mach/htl/pt-block.c:49:42: note: use '&' for bitwise operation
49 | if ((MSG_OPTIONS & MACH_RCV_INTERRUPT) && err == MACH_RCV_INTERRUPTED)
| ^~
| &
Fix this, and a similar error in pt-timedblock.c, with an explicit != 0.
Tested with build-many-glibcs.py (compilers and glibcs builds) for
i686-gnu and x86_64-gnu.
Joseph Myers [Wed, 10 Jun 2026 16:33:27 +0000 (16:33 +0000)]
Fix -Werror=constant-logical-operand errors in soft-fp
Building for sparc64-linux-gnu with GCC mainline produces a series of
-Werror=constant-logical-operand errors in soft-fp code, relating to
calls to _FP_TO_INT where rsigned is -1 not 0 or 1. Use explicit != 0
in the soft-fp code to avoid these errors.
Tested with build-many-glibcs.py (compilers and glibcs builds) for
sparc64-linux-gnu with GCC mainline.
Joseph Myers [Wed, 10 Jun 2026 14:01:34 +0000 (14:01 +0000)]
Fix -Wconstant-logical-operand error in tst-printf-format-skeleton.c
Building the glibc testsuite with GCC mainline fails with:
In file included from tst-printf-format-skeleton-double.c:33,
from tst-printf-format-p-double.c:20:
tst-printf-format-skeleton.c: In function 'do_test':
tst-printf-format-skeleton.c:308:12: error: use of logical '&&' with constant operand '53' [-Werror=constant-logical-operand]
308 | if (PREC && printf ("prec:%i\n", PREC) < 0)
| ^~
tst-printf-format-skeleton.c:308:12: note: use '&' for bitwise operation
308 | if (PREC && printf ("prec:%i\n", PREC) < 0)
| ^~
| &
cc1: all warnings being treated as errors
Fix this using an explicit "!= 0". Tested with build-many-glibcs.py
for aarch64-linux-gnu.
Zihong Yao [Tue, 9 Jun 2026 03:27:54 +0000 (03:27 +0000)]
riscv: Keep __memcmpeq alias with RVV memcmp
Commit 2efc702628 replaces the generic RISC-V memcmp, which also exports
__memcmpeq.
A dedicated RISC-V __memcmpeq implementation is expected in a later patch,
which is still under review. Keep the alias here so this patch does not
temporarily drop the existing __memcmpeq ABI.
Tested on a Muse-Pi board with GCC 15.2.0 using `--with-arch=rv64g_zca_zcd --with-abi=lp64d`
and `CFLAGS="-march=rv64g_zca_zcd -mabi=lp64d -O2"`. Full make check was
run for both multiarch and non-multiarch builds.
This also fixes the string/inl-tester link failure caused by the missing
__memcmpeq symbol.
In both runs, the only FAILs are the unchanged cospi/sinpi/tanpi math test
failures.
Signed-off-by: Zihong Yao <zihong.plct@isrc.iscas.ac.cn> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Florian Weimer [Tue, 9 Jun 2026 05:28:02 +0000 (07:28 +0200)]
iconv: Suppress intermediate errors with //TRANSLIT (bug 34236)
When tentatively converting characters on behalf of
__gconv_transliterate, do not create a persistent error. Just
produce a local error, and rely on __gconv_transliterate to
produce the error if all transliteration options are exhausted.
This fixes transliteration of “½” to ASCII, which cannot use the
“ 1⁄2 ” alternative. Eventually, the “ 1/2 ” alternative is chosen,
but the error sticks. Therefore, iconv exited with status 1 before
this change.
Adjust iconv/tst-iconv_prog.sh to test both C and en_US.UTF-8 locales.
This requires changing the way the ICONV template is defined, so that
run_program_env is evaluated multiple times.