elf: Do not scrub AT_RANDOM to a constant when reseeding fails (BZ 34197)
_dl_reseed_random zeroed the AT_RANDOM bytes before refilling them with
getrandom (GRND_NONBLOCK). That call is best-effort and can write nothing
(e.g. before the kernel entropy pool is initialized early at boot), leaving
the 16 bytes as a constant zero.
Since the value is exposed through getauxval (AT_RANDOM), this traded a
potential guard leak for a guaranteed predictable value.
Drop the memset and overwrite the bytes in place instead. The generic
version now just drops the pointer (it is not used anywhere).
elf: Scrub and reseed the AT_RANDOM bytes after deriving the guards (BZ 34197)
Once the pointer and stack guards have been derived from AT_RANDOM, scrub
the bytes and refill them with new random data unrelated to the guards.
On Linux, it uses getrandom syscall (as for tcache_key_initialize), and
fallback to zero the memory if the syscall is not avaiable.
This keeps AT_RANDOM useful to applications while ensuring those bytes no
longer reveal the guards.
The work is done by _dl_reseed_random, called once the guards are in place
and before any ELF constructor can observe AT_RANDOM: in security_init for
the dynamic loader and in __libc_start_main for statically linked programs.
Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu.
Consolidate dl-osinfo.h into the generic implementation
The generic and the Linux _dl_setup_stack_chk_guard and
_dl_setup_pointer_guard are identical when the kernel provides the
AT_RANDOM auxiliary vector, which is always the case on the supported
Linux kernels; the generic version only adds a fallback for a missing
AT_RANDOM. Remove the Linux-specific dl-osinfo.h and use the generic
one for all targets.
The removed header pulled in <dl-sysdep.h>, which is what transitively
declared __libc_enable_secure for dl-parse_auxv.h; include <unistd.h>
there directly so it no longer relies on that. Include <string.h> in
the generic header so it is self-contained.
Consolidate the C pointer guard and align the assembly implementations
The per-architecture pointer_guard.h files all implemented some variant
of C PTR_MANGLE/PTR_DEMANGLE: the i386 and x86_64 versions did an
exclusive-or by the guard followed by a rotate left by
2 * sizeof (uintptr_t) + 1 bits (9 on 32-bit, 17 on 64-bit), while the
other targets did the exclusive-or only. The assembly macros likewise
rotated on i386 and x86_64 but not on the other targets.
Consolidate everything to use XOR + rotate uniformly: collapse the
per-architecture C headers into a single generic implementation, and
add the matching rotate to the assembly implementations that lacked it.
Targets with an assembly rotate instruction (aarch64, arm, loongarch,
powerpc, s390, csky) just add it. Those without one (alpha, sparc, sh)
synthesize the rotation: alpha and sparc with a shift/shift/or sequence,
which needs an extra scratch register added to the PTR_MANGLE/PTR_DEMANGLE
macros, sh with single-bit rotates, which needs no scratch. The s390
__longjmp and ____longjmp_chk demangle the return address and stack
pointer in C, so update those too.
Checked with setjmp, ptrguard and longjmp_chk tests for all supported
ABIs that can run under qemu (all but csky), and with builds for all
supported ABIs.
Remove the jmp_buf stack pointer demangle on ABIs that do not mangle it
arc, m68k, microblaze, mips, and riscv store the raw stack pointer in
setjmp, while their jmpbuf-unwind.h applies PTR_DEMANGLE to it in
_jmpbuf_sp. This is currently harmless because these ABIs use the
generic pointer_guard.h, where the C PTR_DEMANGLE is a no-op.
Move the assembly PTR_MANGLE/PTR_DEMANGLE definitions out of each
pointer_guard.h into a new sibling pointer_guard-asm.h, guarded by
__ASSEMBLER__. pointer_guard.h now includes pointer_guard-asm.h and
keeps only the C definitions.
No functional change: the .S and .c files still include pointer_guard.h
and get the same macros, and <pointer_guard-asm.h> resolves per-arch
through the usual sysdeps include path.
i386, powerpc, s390, sh and sparc fell back to the generic no-op
pointer_guard.h in ld.so, so the loader's own setjmp/longjmp and mangled
function pointers were left unprotected (the other targets already
mangle in rtld). ld.so is position-independent and sets up
__pointer_chk_guard_local early in dl_main, so the loader can reach it
the same way a statically linked program does:
- powerpc, s390, sh, sparc: select __pointer_chk_guard_local for
IS_IN (rtld) and reuse the existing PIC guard load.
- i386: load it via @GOTOFF off a GOT pointer set up with LOAD_PIC_REG
in the caller-provided scratch register
(ld.so does not keep the GOT in %ebx at the setjmp/longjmp entry).
- s390: drop the IS_IN (rtld) "#undef PTR_DEMANGLE" in __longjmp.c so
the loader's longjmp demangles to match its setjmp.
Checked on x86_64-linux-gnu, aarch64-linux-gnu, i686-linux-gnu, and
armv7a-linux-gnueabihf. I also run elf and setjmp checks on qemu
loongarch64, powerpc64, powerpc64le, and s390x systems.
Consolidate pointer guard to use a relro variable instead of the TCB
For the targets that still read the pointer guard from the thread
descriptor (i386, x86_64, powerpc, s390, sparc, and sh), mangle and
demangle pointers using the module-local __pointer_chk_guard_local (in
ld.so and static binaries) or the global __pointer_chk_guard provided by
the dynamic loader (in shared objects), matching the scheme already used
by aarch64, alpha, arm, csky and loongarch.
On i386 the guard is no longer reachable as a single %gs-relative memory
operand, so the assembly PTR_MANGLE/PTR_DEMANGLE PIC variants need a
register to hold the GOT pointer and the guard address.
This removes the dependency on the TCB pointer_guard slot: drop
THREAD_{GET,SET,COPY}_POINTER_GUARD and the POINTER_GUARD tcb-offset,
and point the POINTER_CHK_GUARD test macro at the relro variable. The
tcbhead_t slot is kept (renamed to an unused reserved field, except on
s390 which reused the stack guard) to preserve the ABI. s390 gains a
distinct pointer guard rather than aliasing the stack guard.
Checked on x86_64-linux-gnu, aarch64-linux-gnu, i686-linux-gnu, and
armv7a-linux-gnueabihf. I also run elf and setjmp checks on qemu
loongarch64, powerpc64, powerpc64le, and s390x systems.
elf: Propagate the pointer guard to ld.so loaded via static dlopen (BZ 34196)
The static-dlopen does not initialize the pointer guard for ABIs that
define THREAD_SET_POINTER_GUARD. Besides not properly guard the
pointer if a libc.so symbol is called, this can lead to setjmp
failures (a jmp_buf set up by the loaded libc.so.6 cannot be restored
by the static program's __longjmp, and vice versa).
Seed the just-mapped loader's __pointer_chk_guard from the program's
__pointer_chk_guard_local in __rtld_static_init, next to the other
runtime values copied there.
Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu.
It syncs with CORE-MATH commit 887cab6f. The new tests are from
the CORE-MATH acosh worst-cases inputs that trigger the FE_TOWARDZERO
issue with the previous implementation, along with the hard-to-round
cases from CORE-MATH commits 72febed6 and ce9e99f6.
Checked on x86_64-linux-gnu, x86_64-linux-gnu with --disable-multi-arch
(so soft FMA implementation is used), i686-linux-gnu (which uses its
own acosh implementation), aarch64-linux-gnu, and
armv7a-linux-gnueabihf.
Reviewed-by: Paul Zimmermann <Paul.Zimmermann@inria.fr>
Michael Ford [Wed, 10 Jun 2026 15:24:50 +0000 (17:24 +0200)]
inet: Remove unused STATIC_NSS define
The --enable-static-nss configuration adds -DSTATIC_NSS to CFLAGS for
the inet subdirectory, but no source file has referenced the STATIC_NSS
macro for quite some time. So remove the dead define.
Signed-off-by: Michael Ford <fanquake@gmail.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Michael Ford [Thu, 11 Jun 2026 13:58:04 +0000 (15:58 +0200)]
nss: Remove <gnu/lib-names.h> include from nsswitch.c
nsswitch.c no longer references any of the *_SO macros provided by
<gnu/lib-names.h>. The only consumer, __nss_shlib_revision, moved to
nss_module.c as part of the NSS reorganization in glibc 2.33 (and
nss_module.c includes the header unconditionally), but the guarded
include was left behind.
Signed-off-by: Michael Ford <fanquake@gmail.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
_dl_runtime_resolve and _dl_runtime_profile only preserved the integer
argument registers (r0-r3) across the inner call to _dl_fixup /
_dl_profile_fixup. Two related ABI requirements demand more:
* Under AAPCS-VFP, d0-d7 hold the caller's double arguments to the
function being resolved. Recent GCC emits VFP instructions inside
the fixup routines, clobbering them, so the resolved function sees
corrupted arguments (BZ 34144).
* Per RTABI32, the __aeabi_mem* helpers (and similar runtime helpers
reachable through the dynamic linker) must only corrupt integer
core registers. IFUNC resolvers, audit modules, and interposed
malloc invoked during symbol resolution may also use VFP, even on
softfp ABI builds (BZ 15792).
Save all call-clobbered VFP state -- d0-d15 unconditionally, d16-d31
when HWCAP_ARM_VFPD32 is set, and fpscr -- around the inner fixup
call. Whether VFP is usable is a property of the hardware, not of
the ABI glibc was built with, so the decision is gated on AT_HWCAP at
runtime in both hardfp and softfp builds; hardfp builds will always
find HWCAP_ARM_VFP set, while softfp builds running on a non-VFP CPU
correctly skip the save.
For _dl_runtime_profile the save area is slipped in just before the
bl to _dl_profile_fixup; the outgoing framesizep argument is
recomputed to account for the extra frame, and both the fast path
(no audit framesize) and the slow path (audit wraps with
pltenter/pltexit) traverse the restore before splitting.
aarch64: Fix static PIE CPU feature detection (BZ 34205)
ARCH_INIT_CPU_FEATURES is called from __libc_start_main before
_dl_relocate_static_pie, so any code it runs must not rely on
relocations being applied yet. Two issues break this under static PIE:
1. The cpu_list table held 'const char *name' members, whose
addresses are not link-time constants under PIE and thus require
base-relative relocations that are not yet in place. Replace the
array of structs with a flat NUL-separated name string and a
parallel midr array, removing the pointer relocations.
2. tunable_strcmp pulls in memcmp, which is an IFUNC and is likewise
unresolved at this point. Redirect memcmp to __memcmp_generic in
the aarch64 dl-symbol-redir-ifunc.h and include it from
csu/libc-start.c.
Sana Kazi [Mon, 15 Jun 2026 14:37:59 +0000 (16:37 +0200)]
nptl: open threads comm with O_WRONLY|O_CLOEXEC
pthread_setname_np opens the thread's comm file using O_RDWR, but the
function only ever writes to it. This causes two distinct problems:
1. Missing O_CLOEXEC: the file descriptor is not marked close-on-exec,
so it remains open across fork+exec. A child process that audits
its inherited file-descriptor set will encounter an unexpected /proc
fd it did not open and may treat this as a security violation and
abort.
2. Unnecessary O_RDWR: requesting read+write access when only write
access is needed can cause open() to fail under security policies
that permit writing to /proc/<tid>/comm but deny reading it.
Fix both issues by replacing O_RDWR with O_WRONLY|O_CLOEXEC
Similarly, updated pthread_getname_np to use O_CLOEXEC.
Yury Khrustalev [Tue, 26 May 2026 10:19:53 +0000 (11:19 +0100)]
malloc: aarch64: Add ifuncs for malloc functions
Introduce ifuncs and resolvers for functions pertinent to the
malloc interface on the AArch64 target: malloc, calloc, free,
realloc, memalign, valloc, pvalloc, posix_memalign, aligned_alloc,
free_sized, free_aligned_sized, malloc_usable_size.
A target can define the USE_MULTIARCH_MALLOC macro. In this case
it must provide alternative aliases for the malloc functions that
point to the ifuncs.
This implementation respects the --disable-multi-arch configure
flag. If multi-arch support is disabled, the generic aliases
are used on aarch64.
This patch contains aarch64-specific resolvers. At this moment they
return core implementations but in the future they can be changed
to support for features, e.g. to handle memory tagging.
Fabian Rast [Thu, 11 Jun 2026 12:30:37 +0000 (14:30 +0200)]
rtld: cache cpuid results on the stack for intel
dl_init_cacheinfo retrieves various information about cache
sizes, using the cpuid instruction on x86.
Previously, the same cpuid leaves were queried multiple times.
This behavior caused intel_check_word to prominently show up in
profiles of dynamic loader startup on the Intel(R) Xeon(R) Gold 6430.
The big performance impact could not be reproduced on other Intel cpus.
This patch reduces the number of cpuid queries on startup
by caching their results on the stack for reuse when searching for a
different cache size value.
This approach does not change the overall design of
the cache enumeration code (repeated calls to handle_* functions).
The values are cached on the stack instead of globally (e.g.
in the cpu_features global) because they are never needed after
early initialization.
The cache is only active for Intel cpus, because it has not yet
been shown through benchmarks that it meaningfully improves performance
for other processors.
Signed-off-by: Fabian Rast <fabian.rast@tum.de> Reviewed-by: Sunil K Pandey <skpgkp2@gmail.com>
Joseph Myers [Wed, 10 Jun 2026 18:49:53 +0000 (18:49 +0000)]
Fix -Wconstant-logical-operand error for Hurd
Building for Hurd with GCC mainline produces an error in pt-block.c
(here MSG_OPTIONS is a macro that may be defined before pt-block.c is
included by another source file):
In file included from ../sysdeps/mach/htl/pt-block-intr.c:6:
../sysdeps/mach/htl/pt-block.c: In function '__pthread_block_intr':
../sysdeps/mach/htl/pt-block.c:49:42: error: use of logical '&&' with constant operand '1024' [-Werror=constant-logical-operand]
49 | if ((MSG_OPTIONS & MACH_RCV_INTERRUPT) && err == MACH_RCV_INTERRUPTED)
| ^~
../sysdeps/mach/htl/pt-block.c:49:42: note: use '&' for bitwise operation
49 | if ((MSG_OPTIONS & MACH_RCV_INTERRUPT) && err == MACH_RCV_INTERRUPTED)
| ^~
| &
Fix this, and a similar error in pt-timedblock.c, with an explicit != 0.
Tested with build-many-glibcs.py (compilers and glibcs builds) for
i686-gnu and x86_64-gnu.
Joseph Myers [Wed, 10 Jun 2026 16:33:27 +0000 (16:33 +0000)]
Fix -Werror=constant-logical-operand errors in soft-fp
Building for sparc64-linux-gnu with GCC mainline produces a series of
-Werror=constant-logical-operand errors in soft-fp code, relating to
calls to _FP_TO_INT where rsigned is -1 not 0 or 1. Use explicit != 0
in the soft-fp code to avoid these errors.
Tested with build-many-glibcs.py (compilers and glibcs builds) for
sparc64-linux-gnu with GCC mainline.
Joseph Myers [Wed, 10 Jun 2026 14:01:34 +0000 (14:01 +0000)]
Fix -Wconstant-logical-operand error in tst-printf-format-skeleton.c
Building the glibc testsuite with GCC mainline fails with:
In file included from tst-printf-format-skeleton-double.c:33,
from tst-printf-format-p-double.c:20:
tst-printf-format-skeleton.c: In function 'do_test':
tst-printf-format-skeleton.c:308:12: error: use of logical '&&' with constant operand '53' [-Werror=constant-logical-operand]
308 | if (PREC && printf ("prec:%i\n", PREC) < 0)
| ^~
tst-printf-format-skeleton.c:308:12: note: use '&' for bitwise operation
308 | if (PREC && printf ("prec:%i\n", PREC) < 0)
| ^~
| &
cc1: all warnings being treated as errors
Fix this using an explicit "!= 0". Tested with build-many-glibcs.py
for aarch64-linux-gnu.
Zihong Yao [Tue, 9 Jun 2026 03:27:54 +0000 (03:27 +0000)]
riscv: Keep __memcmpeq alias with RVV memcmp
Commit 2efc702628 replaces the generic RISC-V memcmp, which also exports
__memcmpeq.
A dedicated RISC-V __memcmpeq implementation is expected in a later patch,
which is still under review. Keep the alias here so this patch does not
temporarily drop the existing __memcmpeq ABI.
Tested on a Muse-Pi board with GCC 15.2.0 using `--with-arch=rv64g_zca_zcd --with-abi=lp64d`
and `CFLAGS="-march=rv64g_zca_zcd -mabi=lp64d -O2"`. Full make check was
run for both multiarch and non-multiarch builds.
This also fixes the string/inl-tester link failure caused by the missing
__memcmpeq symbol.
In both runs, the only FAILs are the unchanged cospi/sinpi/tanpi math test
failures.
Signed-off-by: Zihong Yao <zihong.plct@isrc.iscas.ac.cn> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Florian Weimer [Tue, 9 Jun 2026 05:28:02 +0000 (07:28 +0200)]
iconv: Suppress intermediate errors with //TRANSLIT (bug 34236)
When tentatively converting characters on behalf of
__gconv_transliterate, do not create a persistent error. Just
produce a local error, and rely on __gconv_transliterate to
produce the error if all transliteration options are exhausted.
This fixes transliteration of “½” to ASCII, which cannot use the
“ 1⁄2 ” alternative. Eventually, the “ 1/2 ” alternative is chosen,
but the error sticks. Therefore, iconv exited with status 1 before
this change.
Adjust iconv/tst-iconv_prog.sh to test both C and en_US.UTF-8 locales.
This requires changing the way the ICONV template is defined, so that
run_program_env is evaluated multiple times.
Josef Johansson [Mon, 8 Jun 2026 15:32:27 +0000 (17:32 +0200)]
nscd: Typo in comment
Fixes: https://sourceware.org/bugzilla/show_bug.cgi?id=34240 Signed-off-by: Josef Johansson <josef@oderland.se> Reviewed-by: Florian Weimer <fweimer@redhat.com>
Bug: https://bugs.gentoo.org/976773
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31901
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=34210 Tested-by: Andreas K. Hüttel <dilfridge@gentoo.org> Reported-by: Eli Schwartz <eschwartz@gentoo.org> Reviewed-by: Andreas K. Hüttel <dilfridge@gentoo.org>
elf: Set up TLS slotinfo for dlopen'd modules before relocation (BZ 34170)
An IFUNC resolver in a DSO that is being loaded by dlopen is allowed
to read its own TLS storage during the resolver call. After af34b1376a3 ("elf: Initialize static TLS before relocation processing
(BZ 34164)") that works for the initial-exec model on every supported
architecture.
However, it does not work for the dynamic-TLS path (on both -mtls-dialect mode,
if the ABI supports both). Both lookup paths index the calling thread's
DTV by the new module's l_tls_modid and, on miss, walk
GL(dl_tls_dtv_slotinfo_list) to discover the module and lazily allocate
its TLS block. The just-loaded DSO is however not yet in that list when
its resolver fires, so the lookup faults inside dlopen. This is the
direct dlopen analog of BZ 34164.
The solution is to reorder dl_open_worker_begin so the slotinfo install
happens before the relocation pass. The new order is:
1. resize_scopes, resize_tls_slotinfo, add_to_global_resize
(unchanged, still recoverable).
2. update_tls_slotinfo: register the new modules in slotinfo, bump
dl_tls_generation, initialise their static TLS images.
3. Relocate the new objects. IFUNC resolvers can now read their
own DSO's __thread storage via any TLS model.
4. Demarcation point.
5. update_scopes, _dl_find_object_update.
Checked on aarch64-linux-gnu and x86_64-linux-gnu.
Simplify _int_free_chunk() and always lock if needed. Use
_int_free_merge_chunk() for cases that assume the arena has been locked
instead. Move the errno save/restore to _int_free_maybe_trim().
Yao Zihong [Fri, 5 Jun 2026 00:39:31 +0000 (19:39 -0500)]
riscv: Add RVV strrchr for both multiarch and non-multiarch builds
This patch adds an RVV-optimized implementation of strrchr for RISC-V and
enables it for both multiarch (IFUNC) and non-multiarch builds.
The implementation integrates Hau Hsu's 2023 RVV work under a unified
ifunc-based framework. A vectorized version (__strrchr_vector) is added
alongside the generic fallback (__strrchr_generic). The runtime resolver
selects the RVV variant when RISCV_HWPROBE_KEY_IMA_EXT_0 reports vector
support (RVV).
Currently, the resolver still selects the RVV variant even when the RVV
extension is disabled via prctl(). As a consequence, any process that
has RVV disabled via prctl() will receive SIGILL when calling strrchr().
Co-authored-by: Hau Hsu <hau.hsu@sifive.com> Co-authored-by: Jerry Shih <jerry.shih@sifive.com> Signed-off-by: Yao Zihong <zihong.plct@isrc.iscas.ac.cn> Reviewed-by: Peter Bergner <bergner@tenstorrent.com>
Yao Zihong [Fri, 5 Jun 2026 00:37:35 +0000 (19:37 -0500)]
riscv: Add RVV strchr for both multiarch and non-multiarch builds
This patch adds an RVV-optimized implementation of strchr for RISC-V and
enables it for both multiarch (IFUNC) and non-multiarch builds.
The implementation integrates Hau Hsu's 2023 RVV work under a unified
ifunc-based framework. A vectorized version (__strchr_vector) is added
alongside the generic fallback (__strchr_generic). The runtime resolver
selects the RVV variant when RISCV_HWPROBE_KEY_IMA_EXT_0 reports vector
support (RVV).
Currently, the resolver still selects the RVV variant even when the RVV
extension is disabled via prctl(). As a consequence, any process that
has RVV disabled via prctl() will receive SIGILL when calling strchr().
Co-authored-by: Hau Hsu <hau.hsu@sifive.com> Co-authored-by: Jerry Shih <jerry.shih@sifive.com> Signed-off-by: Yao Zihong <zihong.plct@isrc.iscas.ac.cn> Reviewed-by: Peter Bergner <bergner@tenstorrent.com>
Yao Zihong [Fri, 5 Jun 2026 00:34:33 +0000 (19:34 -0500)]
riscv: Add RVV memchr for both multiarch and non-multiarch builds
This patch adds an RVV-optimized implementation of memchr for RISC-V and
enables it for both multiarch (IFUNC) and non-multiarch builds.
The implementation integrates Hau Hsu's 2023 RVV work under a unified
ifunc-based framework. A vectorized version (__memchr_vector) is added
alongside the generic fallback (__memchr_generic). The runtime resolver
selects the RVV variant when RISCV_HWPROBE_KEY_IMA_EXT_0 reports vector
support (RVV).
Currently, the resolver still selects the RVV variant even when the RVV
extension is disabled via prctl(). As a consequence, any process that
has RVV disabled via prctl() will receive SIGILL when calling memchr().
Co-authored-by: Hau Hsu <hau.hsu@sifive.com> Co-authored-by: Jerry Shih <jerry.shih@sifive.com> Signed-off-by: Yao Zihong <zihong.plct@isrc.iscas.ac.cn> Reviewed-by: Peter Bergner <bergner@tenstorrent.com>
Yao Zihong [Fri, 5 Jun 2026 00:25:00 +0000 (19:25 -0500)]
riscv: Add RVV memccpy for both multiarch and non-multiarch builds
This patch adds an RVV-optimized implementation of memccpy for RISC-V and
enables it for both multiarch (IFUNC) and non-multiarch builds.
The implementation integrates Hau Hsu's 2023 RVV work under a unified
ifunc-based framework. A vectorized version (__memccpy_vector) is added
alongside the generic fallback (__memccpy_generic). The runtime resolver
selects the RVV variant when RISCV_HWPROBE_KEY_IMA_EXT_0 reports vector
support (RVV).
Currently, the resolver still selects the RVV variant even when the RVV
extension is disabled via prctl(). As a consequence, any process that
has RVV disabled via prctl() will receive SIGILL when calling memccpy().
Co-authored-by: Hau Hsu <hau.hsu@sifive.com> Co-authored-by: Jerry Shih <jerry.shih@sifive.com> Signed-off-by: Yao Zihong <zihong.plct@isrc.iscas.ac.cn> Reviewed-by: Peter Bergner <bergner@tenstorrent.com>
Yao Zihong [Thu, 4 Jun 2026 23:28:06 +0000 (18:28 -0500)]
riscv: Add RVV memcmp for both multiarch and non-multiarch builds
This patch adds an RVV-optimized implementation of memcmp for RISC-V and
enables it for both multiarch (IFUNC) and non-multiarch builds.
The implementation integrates Hau Hsu's 2023 RVV work under a unified
ifunc-based framework. A vectorized version (__memcmp_vector) is added
alongside the generic fallback (__memcmp_generic). The runtime resolver
selects the RVV variant when RISCV_HWPROBE_KEY_IMA_EXT_0 reports vector
support (RVV).
Currently, the resolver still selects the RVV variant even when the RVV
extension is disabled via prctl(). As a consequence, any process that
has RVV disabled via prctl() will receive SIGILL when calling memcmp().
Co-authored-by: Hau Hsu <hau.hsu@sifive.com> Co-authored-by: Jerry Shih <jerry.shih@sifive.com> Signed-off-by: Yao Zihong <zihong.plct@isrc.iscas.ac.cn> Reviewed-by: Peter Bergner <bergner@tenstorrent.com>
The default maximum arenas is 8 times the number of cores in a 64-bit system.
Since modern CPUs have many cores and big servers have 256 cores, this results
in excessive number of arenas, which wastes memory. Limit the number of arenas
to max (8, ncores) which is less extreme. In the future the limit should be
lowered further for large systems.
Adam Yi [Mon, 18 May 2026 03:21:47 +0000 (11:21 +0800)]
resolv: reset _u._ext.nscount in __res_iclose [BZ #34154]
__res_iclose, when called with FREE_ADDR=true, frees and NULLs every
statp->_u._ext.nsaddrs[ns] but does not reset statp->_u._ext.nscount.
This breaks the invariant relied on by __res_context_send's cache
validation loop in resolv/res_send.c:293-312: when _u._ext.nscount
is non-zero, every _u._ext.nsaddrs[ns] corresponding to
statp->nsaddr_list[ns].sin_family != 0 is expected to be non-NULL.
res_init unconditionally calls __res_iclose(&_res, true) before
__res_vinit, so any __res_vinit failure (for example,
fopen("/etc/resolv.conf") returning EMFILE under file-descriptor
exhaustion, or any allocation failure in __resolv_conf_load,
__resolv_conf_allocate, or __resolv_conf_attach before
update_from_conf runs) leaves _u._ext.nscount non-zero with all
_u._ext.nsaddrs[] NULL. The next name lookup walks the validation
loop and dereferences NULL in sock_eq. A DNS lookup may fail after
a failed res_init, but it should not segfault.
Reset _u._ext.nscount = 0 alongside the existing __resolv_conf_detach
call. The next __res_context_send call then re-enters its init
block (res_send.c:316-335) and repopulates _u._ext.nsaddrs[] from
statp->nsaddr_list[], which __res_iclose leaves untouched. This
also lets support/resolv_test.c drop its now-redundant manual reset
after __res_iclose(&_res, true).
Add a regression test that drops RLIMIT_NOFILE so fopen of
/etc/resolv.conf fails with EMFILE inside __res_vinit, then verifies
the subsequent gethostbyname does not crash.
Signed-off-by: Adam Yi <ayi@janestreet.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Wilco Dijkstra [Tue, 10 Mar 2026 15:47:26 +0000 (15:47 +0000)]
malloc: Improve documentation of malloc tunables
Update default for tcache_count tunable. Remove existing documentation and
mention removal of fastbins in mxfast tunable. Improve wording of hugetlb
tunable, including default for AArch64.
Wilco Dijkstra [Tue, 2 Jun 2026 14:07:05 +0000 (14:07 +0000)]
malloc: Minor cleanups
Merge request2size into checked_request2size. Improve interface of
clear_memory. Fix incorrect use of __glibc_unlikely in __libc_calloc.
Fix missing tabs.
arm: Fix main-in-dso with non-BFD linkers (BZ 34098)
Commit c2d6afb4a010 changed the PIC && !SHARED path of start.S (used by
crt1.o and rcrt1.o) to load main via a R_ARM_REL32 data relocation. When
main is provided by a shared object, BFD ld synthesizes a canonical PLT
entry for it, but other linkers (e.g. mold) do not, producing a broken
binary that crashes at startup.
Follow the aarch64 approach and reference main through a local __wrap_main
that tail-calls it with a branch relocation, which every linker turns into
a PLT entry.
Checked on armv7a-linux-gnueabihf with and without --enable-default-pie.
elf: Fix tst-ifunc-tls-init with --disable-default-pie
The test failed with --disable-default-pie because its primary check read
the resolver's diagnostic side effect before the resolver had run.
In a non-PIE executable the references to the IFUNC (fptr and ifunc_tls)
are satisfied through a canonical IPLT entry in the executable itself.
Under the default lazy binding that IPLT is resolved on first use, not
during startup relocation, so the resolver had not yet run when
'check_sentinel' inspected that value. With a PIE executable
(or LD_BIND_NOW=1) the resolver runs eagerly at startup and the check
passed. The dlopen path was unaffected because dlopen resolves the
data relocation eagerly.
This is a test ordering issue: the resolver always reads the initial-exec
TLS correctly whenever it runs, so the BZ 34164 fix is not involved.
Reorder test_tls_ifunc so that fptr/ifunc_tls force the IFUNC to be
resolved before the last_seen_sentinel value is inspected.
Checked on x86_64-linux-gnu and i686-linux-gnu with --disable-default-pie.
Sachin Monga [Tue, 2 Jun 2026 05:44:41 +0000 (00:44 -0500)]
powerpc64le: Add optimized __memcmpeq for POWER10
__memcmpeq (added in glibc 2.35) was previously an alias to memcmp on
POWER10 via strong_alias. However, in the multiarch IFUNC path, this
caused __memcmpeq to resolve to the generic C memcmp.c implementation
rather than the optimized POWER10 memcmp.S, leaving a significant
performance gap.
Unlike memcmp, __memcmpeq only needs to return zero or nonzero with
no requirement on the sign or magnitude for unequal inputs, allowing
a simpler and faster implementation.
Performance on POWER10 :
1) __memcmpeq (generic) -> __memcmpeq_power10
The primary motivation - __memcmpeq was resolving to generic C
in the multiarch path.
- Small data (< 8B to < 512B) : ~52% - 82% improvement.
- Bulk (< 16MB to < 256MB) : ~25% - 32% improvement.
- Large (1GB) : ~33% improvement
2) memcmp_power10 (optimized .S) -> __memcmpeq_power10:
Comparing dedicated __memcmpeq against the optimized memcmp
it previously aliased to.
- Small data (< 8B to < 256B) : No improvement observed.
Real-world workloads predominantly operate on larger buffers
- >= 512B : ~9% improvement.
- 16MB - 128MB : ~25% - 32% improvement.
- 256MB : ~3% improvement.
- Large (1GB) : On par.
arm: Redirect memcpy to __memcpy_arm for loader/static init code
After "elf: Initialize TCB and stack-protector before static IFUNC
resolvers (BZ 20680, BZ 27582, BZ 28817)", early loader and static
initialization code may run before the IFUNC resolvers are processed.
The armv7-a supports memcpy, so add a dl-symbol-redir-ifunc.h to
redirect the memcpy to to __memcpy_arm implementation.
Yury Khrustalev [Thu, 21 May 2026 10:51:57 +0000 (11:51 +0100)]
malloc: aarch64: Remove broken memory tagging
Remove the --enable-memory-tagging configure option along with
all associated variables and macros.
Removing the glibc.mem.tagging tunable.
Remove the memory-tagging makefile variable.
Remove the USE_MTAG macro definition and code that is conditionally
compiled when this macro is defined.
As a result, we change 'mtag_mmap_flags' to 'extra_mmap_prot' that
is now always defined. Change of the name due to this being used
as part of PROT options in mmap syscalls rather than part of flags.
Remove 'mtag_enabled' that would become compile-time false. Also
remove any code that would never be compiled when 'mtag_enabled'
is false.
Remove AArch64-specific code pertinent to memory tagging, that is
currently broken, from the core malloc implementation. We keep
the assembly code, since we are going to need it in the future. to
preserve Git history.
math: Fix non-narrowing test build with arg-format conditions
auto-libm-test-in shares inputs between narrowing and non-narrowing
functions, and some carry arg-format conditions (e.g. "arg-ibm128").
When auto-libm-test-out-fma is regenerated, gen-libm-test.py turns these
into TEST_COND_arg_ibm128, which expands via ARG_MANT_DIG to ARG_PREFIX.
ARG_PREFIX is only defined for TEST_NARROW, so the non-narrowing fma test
failed to build with "ARG_PREFIX_MANT_DIG undeclared".
Define TEST_COND_arg_ibm128 to 0 when ARG_FLOAT is not defined, mirroring
the existing guard for TEST_COND_ibm128_libgcc; in the non-narrowing case
there is no separate argument format, so the condition is always false.
Muhammad Kamran [Thu, 28 May 2026 09:29:33 +0000 (09:29 +0000)]
aarch64: Use build attributes for asm feature marking
When the compiler defines __ARM_BUILDATTR64_FV, emit AArch64
feature-and-bits build attributes for BTI, PAC, and GCS from sysdep.h
instead of a GNU property note. Keep the GNU property note as the
fallback for older toolchains.
Mirror the same marking logic in elf/tst-asm-helper.h so custom test
DSOs and assembly tests that cannot include sysdep.h get consistent
feature marking.
Martin Coufal [Tue, 26 May 2026 11:15:27 +0000 (13:15 +0200)]
misc: add a new test for gethostname
Add a simple test that runs in a UTS namespace: checks gethostname
after various sethostname values (including empty and HOST_NAME_MAX),
verifies ENAMETOOLONG when the buffer is too small for a maximal name,
EINVAL when sethostname is given a name longer than HOST_NAME_MAX.
Frédéric Bérat [Tue, 26 May 2026 11:29:57 +0000 (13:29 +0200)]
test: Fix and stabilize tst-wcsmbs-clone-overflow test
The test tst-wcsmbs-clone-overflow was initially added to tests-static.
However, this causes the test to be unstable because gconv modules
dynamically load libc.so. Any discrepancy between the statically linked
version and the dynamically loaded one can lead to a crash.
By removing the test from tests-static, it relies on dynamic linking,
safely bypassing the dlopen crash. Since the test is now dynamically
linked, it cannot use the internal thread-local symbol
_NL_CURRENT_DATA(LC_CTYPE) because _nl_current_LC_CTYPE is hidden in
libc.so, leading to undefined references. Thus, the test now uses
newlocale and uselocale, safely extracting the locale data from the
returned locale_t object.
Furthermore, using newlocale requires the gconv-modules configuration to
be built and available so that the ISO8859-1.so module can be
dynamically loaded. Otherwise, glibc falls back to the built-in C locale
conversions, leaving __shlib_handle as NULL and silently bypassing the
reference counter increment.
A new Makefile fragment, gen-gconv-modules.mk, is introduced to ensure
the gconv-modules are built before the test runs, and an explicit check
for __shlib_handle != NULL is added to the test.
math: Fix fma alignment when exponent difference is exactly 64 (BZ 34183)
When d (the exponent difference between z and x*y) is exactly 64,
the alignment path shifts z left by 64 bits via (zhi = nz.m, zlo = 0)
and decrements d to 0, then takes the inner 'if (d < 64)' branch
which evaluates 'rhi << (64 - d)' with d == 0. A shift by 64 of a
64-bit value is UB in C.
Add the explicit 'if (d == 0)' empty branch (present in the
original musl implementation).
Checked on x86_64-linux-gnu with --disable-multi-arch and
arm-linux-gnueabihf.
support: Skip malloc hugetlb={1,2} variants when kernel cannot honor them
The malloc test variants run with GLIBC_TUNABLES=glibc.malloc.hugetlb=1
exercise transparent huge pages via MADV_HUGEPAGE, which is only
meaningful when /sys/kernel/mm/transparent_hugepage/enabled is set to
'madvise' ('always' makes the madvise redundant and 'never' makes it
ineffective). The hugetlb=2 variants rely on MAP_HUGETLB, which
requires a positive /proc/sys/vm/nr_hugepages. On systems that do not
satisfy these prerequisites - including any non-Linux target - those
runs only consume CPU time in this case.
Add support/support_check_hugetlb.{c,h} exposing:
- support_thp_is_madvise: true iff THP is in 'madvise' mode;
- support_hugepages_reserved: true iff nr_hugepages > 0;
- support_check_malloc_hugetlb: inspects GLIBC_TUNABLES and calls
FAIL_UNSUPPORTED when the requested hugetlb mode cannot be honored.
Gate the check at compile time so only the variant binaries pay for
it.
relocation loop (applies relocations to .tdata in DSO memory)
_dl_allocate_tls_init copies relocated .tdata -> main thread TLS
to a new order:
_dl_allocate_tls_init copies unrelocated .tdata -> main thread TLS
relocation loop (relocates .tdata in DSO memory, but the TLS block
has stale copies)
This broke file-scope thread-local initialised with the address of a
function (for instance the cache structs in libmpfr).
Fix it by splitting ELF_DYNAMIC_RELOCATE inside
_dl_relocate_object_no_relro into the non-IRELATIVE and IRELATIVE
sub-passes (similar as done on static-pie startup by b75ad99d45b)
and call _dl_init_static_tls between them. By the time the IFUNC
pass fires, .tdata is fully relocated.
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
Samuel Thibault [Tue, 26 May 2026 21:07:12 +0000 (23:07 +0200)]
Hurd: restore some SIOC ioctls
We do not define struct ifreq_short and ifreq_int, but we do
define _IOT_ifreq_short and _IOT_ifreq_int, and need these for
sysdeps/gnu/ifaddrs.c and sysdeps/mach/hurd/if_index.c
Stefan Liebler [Thu, 21 May 2026 12:07:24 +0000 (14:07 +0200)]
s390: Enabling lint-makefiles
The s390 specific Makefiles were adjusted to match the required format
for scripts/lint-makefiles.sh / scripts/sort-makefile-lines.py.
Afterwards the lines were sorted by those scripts.
And the testcase lint-makefiles is passing. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Diego Nieto Cid [Wed, 20 May 2026 22:49:27 +0000 (23:49 +0100)]
hurd: let the root user raise its priority
Check for task_max_priority RPC
* config.h.in: add #undef for HAVE_MACH_TASK_MAX_PRIORITY.
* sysdeps/mach/configure.ac: use mach_RPC_CHECK to check for
task_max_priority RPC in mach_host.defs.
* sysdeps/mach/configure: regenerate file.
Use task_max_priority when setpriority is called by root
* sysdeps/mach/hurd/setpriority.c: clamp the prio argument
to the range [-NZERO, NZERO-1] and use task_max_priority
when called by root.
Message-ID: <8e806c83d8d7b59b2894b4944e4ad82477ecc3cd.1779316637.git.dnietoc@gmail.com>
Etienne Brateau [Mon, 25 May 2026 21:11:42 +0000 (23:11 +0200)]
hurd: add validations in msync
POSIX specs specify that invalid flags shall return EINVAL and that
ENOMEM shall be returned in case of address outside of address space or
when one or more pages are not mapped.
Diego Nieto Cid [Mon, 25 May 2026 20:56:42 +0000 (22:56 +0200)]
hurd: clamp the setpriority prio argument to the range [-NZERO, NZERO-1]
The Open Group Base Specifications Issue 8
getpriority ( https://pubs.opengroup.org/onlinepubs/9799919799/ )
<< The nice value is in the range [0,2*{NZERO} -1], while the
return value for getpriority() and the third parameter for
setpriority() are in the range [-{NZERO},{NZERO} -1]. >>
So given that NZERO is defined to 20, we shall use it to clamp to the range
specified by POSIX.
That range is then mapped to something similar to [0, 2*{NZERO}-1], as
specified by POSIX, through the usage of the macro NICE_TO_MACH_PRIORITY
and MACH_PRIORITY_TO_NICE. (i.e. [5, 45] )
intl: Fix tst-gettext under inherited LC_* environment
The final block of tst-gettext unsets LC_ALL plus LC_MESSAGES, LC_CTYPE,
LC_TIME and LC_NUMERIC, sets LANG=existing-locale, and then expects
setlocale (LC_ALL, "") to resolve every category through LANG. Any
other LC_* category inherited from the invoking shell (e.g. LC_PAPER,
LC_MONETARY) still takes precedence over LANG, and if it points to a
locale that is not under the test's LOCPATH the setlocale call fails
with ENOENT.
Checked on x86_64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
nptl: Skip tst-pthread-gdb-attach{, -static} on env mismatches
The test previously failed with confusing diagnostics in two situations
that are properties of the runtime environment rather than of glibc:
1. find_gdb only checked access(X_OK), which is true for directories
too. A 'gdb' directory ahead of /usr/bin in PATH (e.g. one holding
gdb python helpers) was therefore returned as the gdb executable,
and the subsequent execl failed with errno != ENOENT, causing the
test to fail with `numeric comparison failure ... status 256'.
2. The in-tree libthread_db.so.1 is built with -z mark-plt and
therefore carries a versioned dependency on
GLIBC_ABI_DT_X86_64_PLT in libc.so (see BZ #33212). When the
system gdb is linked against a libc older than 2.41, that version
is not provided and gdb's dlopen of the in-tree libthread_db.so.1
fails. Thread debugging is then disabled, the gdb script's
`thread 1' / `thread 2' commands fail, gdb exits non-zero, and the
test reports a generic status mismatch.
Two changes:
* Require S_ISREG in find_gdb so a directory named 'gdb' on PATH is
skipped, falling through to the next candidate.
* Before running the real gdb scenario, run a minimal probe script
that triggers libthread_db loading (set debug libthread-db 1; set
libthread-db-search-path; file /proc/self/exe; start). If the
probe output contains `dlopen failed', mark the test UNSUPPORTED
with a clear message instead of letting the real run fail. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Matt Turner [Sat, 23 May 2026 16:53:05 +0000 (12:53 -0400)]
alpha: fix setrlimit compat symbol for negative rlim values besides -1
Old alpha glibc defined rlim_t as signed long, making RLIM_INFINITY
equal to LONG_MAX (0x7ffffffffffffffful). The compat symbol
__old_setrlimit64 (setrlimit@GLIBC_2.0 and setrlimit64@GLIBC_2.1) was
introduced in 0d0bc784ca [BZ #22648] to translate this old RLIM_INFINITY
to the kernel's RLIM64_INFINITY (ULONG_MAX) before the prlimit64
syscall, using an exact equality check.
Because old rlim_t was signed, any value a caller treats as negative
(e.g. -2 = 0xfffffffffffffffe unsigned) is also an "infinity or beyond"
value in the old ABI. Such values are >= OLD_RLIM64_INFINITY and
should be translated to RLIM64_INFINITY; passing them through unchanged
causes prlimit64 to treat them as large finite limits, resulting in
unexpected failures (EPERM or silent truncation).
Change the equality check to >= OLD_RLIM64_INFINITY in
__old_setrlimit64 so that all values the old signed-rlim_t ABI would
interpret as infinity-or-more are correctly mapped to RLIM64_INFINITY.
No change is made to __old_getrlimit64: prlimit64 returns only exact
RLIM64_INFINITY for unlimited resources, so the existing equality
check against RLIM64_INFINITY is correct and mirrors the kernel's own
rlim64_is_infinity() logic.
Fixes: 0d0bc784ca ("Alpha: Add wrappers to get/setrlimit64 to fix
RLIM64_INFINITY constant [BZ #22648]") Fixes: https://sourceware.org/bugzilla/show_bug.cgi?id=30992 Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Matt Turner [Sat, 23 May 2026 20:18:27 +0000 (16:18 -0400)]
sh: reload r3 after arg evaluation in INTERNAL_SYSCALL [BZ #34167]
r3 is caller-saved. When a function call appears in the args list
(e.g. INTERNAL_SYSCALL_CALL(tgkill, __getpid(), tid, sig)),
SUBSTITUTE_ARGS evaluates __getpid() before r3 is reloaded, leaving
r3=20 (__NR_getpid) instead of __NR_tgkill=270. The trapa then
dispatches the wrong syscall and the signal is silently dropped.
Fix: declare r3 uninitialised, expand SUBSTITUTE_ARGS (all function
calls happen here), then assign the syscall number to r3 with no
intervening calls before the trapa. Applies to both INTERNAL_SYSCALL
and INTERNAL_SYSCALL_NCS.
signal/tst-raise is a regression test for this bug: raise() calls
tgkill(__getpid(), tid, sig), which triggers the clobber. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
elf: Initialize TCB and stack-protector before static IFUNC resolvers (BZ 20680, BZ 27582, BZ 28817)
In static linking the IFUNC IPLT (apply_irel for non-PIE, the IRELATIVE
phase inside _dl_relocate_static_pie for static-pie) ran before
__libc_setup_tls and before _dl_setup_stack_chk_guard. When a resolver
is compiled with -fstack-protector(-all) its prologue loads the canary
from the TCB (TCB-canary ABIs: x86_64, i386, powerpc, s390) or from
__stack_chk_guard (global-var ABIs). On the former the resolver
crashed reading an unmapped TCB; on the latter it loaded a zero canary
(no crash, but the check is ineffective). The same applies to a
resolver that reads any thread-local: it crashes on TCB-canary ABIs and
observes a zero-filled slot on the others (BZ 20680). The pointer
guard has the same problem (e.g. resolvers that register an atexit
handler).
Reorder csu/libc-start.c so that ARCH_SETUP_TLS, the stack-protector
canary and the pointer guard are set up before any IFUNC resolver
runs. For static-pie this requires splitting the existing
_dl_relocate_static_pie into two phases so the TCB/canary setup can be
interleaved between the non-IRELATIVE and IRELATIVE passes.
The historical ARCH_SETUP_IREL / ARCH_APPLY_IREL split (introduced for
powerpc so its IFUNC resolvers could read TCB fields like hwcap and
at_platform) is no longer required: TLS is now set up before either
macro runs. ARCH_APPLY_IREL is removed, ARCH_SETUP_IREL does the work
uniformly on every arch, and the powerpc-specific libc-start.h becomes
redundant.
__libc_setup_tls reaches memcpy / mempcpy via _dl_allocate_tls_init in
elf/dl-tls.c, so it requires update ABI specific dl-symbol-redir-ifunc.h
with memcpy/memmove.
Tests added (each fails pre-fix on TCB-canary ABIs with SIGSEGV; the
static-protector variants additionally fail on global-var ABIs with a
"resolver_canary != main_canary" diagnostic):
Checked on aarch64-linux-gnu, arm-linux-gnueabihf, x86_64-linux-gnu,
and i686-linux-gnu
I also ran the ELF tests on qemu system for loongarch64-linux-gnuf64,
powerpc-linux-gnu, powerpc-linux-gnu-power4, powerpc-linux-gnu-soft,
powerpc64-linux-gnu, powerpc64le-linux-gnu, riscv64-linux-gnu, and
s390x-linux-gnu. Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
elf: Initialize static TLS before relocation processing (BZ 34164)
An IFUNC resolver firing during dynamic linker relocation reads its
DSO's __thread storage from a zero-filled slot: init_tls() allocates
the static TLS block zero-filled, but .tdata is not copied in until
the trailing _dl_allocate_tls_init at the end of dl_main, long after
the per-object phase 2 resolvers from commit 63b31c05a8a901 have run.
A resolver that *writes* TLS is even worse off -- the write is
clobbered by that same trailing copy.
dl_main (elf/rtld.c): populate the DTV slotinfo, bump
dl_tls_generation, and call _dl_allocate_tls_init right after
init_tls(), before the relocation loop.
_dl_try_allocate_static_tls (elf/dl-reloc.c): drop the
"defer-if-not-relocated" branch and always run _dl_init_static_tls
inline, so a CHECK_STATIC_TLS allocation triggered mid-relocation
initialises the slot before the same object's phase 2 fires.
The new tests cheks some scenarios:
elf/tst-ifunc-tls-init resolver reads its DSO's IE TLS.
elf/tst-ifunc-tls-init-dlopen same, via dlopen.
elf/tst-ifunc-tls-write resolver write to TLS must survive
to main.
Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu.
Wilco Dijkstra [Fri, 8 May 2026 11:06:23 +0000 (11:06 +0000)]
string: Improve test-memchr page cross checks
The tests for memchr attempt to check for accidental overreads that cross a
page. However they weren't done at the end of a page and don't check for the
case where we match right at the end. Add buf1_size/buf2_size to make finding
end of buffer easier.
Thomas Daubney [Mon, 18 May 2026 16:20:53 +0000 (16:20 +0000)]
Vectorise special cases for SVE log1p(f)
This patch adds vectorised special cases for the SVE log functions
log1p and log1pf.
When built with GCC-15 and executed on a Neoverse V2 platform, the
following benchmarking throughput uplifts were measured:
log1pf -> 285% speed-up (4.85 ns/element to 1.26 ns/element)
log1p -> 117% speed-up (8.25 ns/element to 3.80 ns/element)
Note that the numbers here are for the special case path only and that
the fast path performance has been maintained. These changes have also
maintained the same level of accuracy as before.
Rocket Ma [Thu, 21 May 2026 03:22:38 +0000 (20:22 -0700)]
stdio-common: Optimize scanf %ms series array expansion
* stdio-common/vfscanf-internal.c: If user explicitly set the maximum
size of the string, respect it when reading characters. Instead of
always expanding exponentially, try to expand array to the exact size
user requested when `user_size < current_size * 2`.
Signed-off-by: Rocket Ma <marocketbd@gmail.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Thomas Daubney [Fri, 8 May 2026 15:58:11 +0000 (15:58 +0000)]
Vectorise special cases for SVE inverse hyperbolics
This patch adds vectorised special cases for the SVE inverse hyperbolic
functions atanh, acosh and asinh for single precision floats. It also
moves the commonly used inf and nan bit values into the sv_log1pf_inline
data struct for resuse.
When built with GCC-15 and executed on a Neoverse V2 platform, the
following benchmarking throughput uplifts were measured:
atanh -> 215% speed-up (5.51 ns/element to 1.75 ns/element)
acosh -> 152% speed-up (4.63 ns/element to 1.84 ns/element)
asinh -> 51% speed-up (5.00 ns/element to 3.31 ns/element)
Note that the numbers here are for the special case path only and that
the fast path performance has been maintained. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
zombie12138 [Wed, 6 May 2026 05:38:01 +0000 (22:38 -0700)]
x86: Fix non-temporal memset unreachable on AMD Zen 3/4/5
On AMD Zen 3/4/5 with ERMS, the non-temporal memset path is unreachable
because rep_stosb_threshold is set to SIZE_MAX (vectorized loop is faster
than ERMS on these CPUs), but the non-temporal code path is nested inside
the rep_stosb branch.
The existing rescue logic at the Avoid_STOSB check only covers the case
where the CPU lacks ERMS hardware support. It does not cover AMD Zen 3+
where ERMS is supported but deliberately unused for performance reasons.
Extend the condition to also lower rep_stosb_threshold when:
- The user has not explicitly set x86_rep_stosb_threshold (respect tunables)
- rep_stosb_threshold is higher than memset_non_temporal_threshold (NT gated)
This makes the non-temporal path reachable for large memset operations,
providing ~2x speedup on pre-faulted buffers larger than L3 cache.
Tested on AMD Ryzen 7 8745HS (Zen 4):
- Pre-faulted 64MB memset: 2.02 ms -> 0.94 ms (2.15x faster)
- First-touch 64MB memset: 19.3 ms -> 21.3 ms (11% regression, expected:
kernel clear_page cache warming bypassed by NT stores)
* sysdeps/x86/dl-cacheinfo.h (dl_init_cacheinfo): Extend
rep_stosb_threshold lowering condition to cover AMD Zen 3/4/5
where ERMS is supported but stosb is disabled via threshold.
Xiang Gao [Fri, 8 May 2026 06:04:10 +0000 (14:04 +0800)]
libio: Ignore doallocate for open_memstream and open_wmemstream [BZ #34019]
setvbuf (stream, NULL, _IOFBF, 0) takes a special path in
_IO_setvbuf: if the byte-oriented buffer base is NULL, it calls
_IO_DOALLOCATE and returns without invoking the stream setbuf hook.
For open_wmemstream, the byte-oriented buffer base is NULL although
the wide result buffer has already been initialized in _wide_data.
As a result, this path calls _IO_wdefault_doallocate, which may
replace the wide buffer managed by open_wmemstream.
Install an open_wmemstream-specific doallocate hook that leaves
the growable result buffer unchanged. Add a regression test for this
path.
Install a narrow memstream doallocate hook as well. It keeps both
memstream vtables consistent (generic stdio allocation must not
replace the growable result buffer).
Xiang Gao [Fri, 8 May 2026 06:04:09 +0000 (14:04 +0800)]
libio: Ignore setbuf for open_memstream and open_wmemstream [BZ #34019]
open_memstream and open_wmemstream manage an internal growable buffer.
The default setbuf hook can reset that buffer, breaking the assumptions
used by the string stream overflow paths.
Install setbuf hooks that leave the internal buffer unchanged, and add
regression test cases for the narrow and wide cases, based on the
reproducer in BZ #34019.
Checked on x86_64 with no regression in the libio tests.
xiejiamei [Sat, 9 May 2026 07:56:28 +0000 (07:56 +0000)]
x86: Lower non-temporal copy threshold for Hygon
Benchmarks on Hygon processors show that the default non-temporal
threshold is higher than ideal for large copy workloads. As a result,
memcpy and memmove may continue to use the temporal copy path for
longer than is beneficial, increasing cache pollution and reducing
throughput for large copies.
Lower the copy non-temporal threshold to 3/8 of the shared cache size
per thread on Hygon. This allows the non-temporal copy path to be
selected earlier while leaving the memset non-temporal threshold
unchanged.
Signed-off-by: xiejiamei <xiejiamei@hygon.cn> Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
Daan De Meyer [Mon, 18 May 2026 07:39:33 +0000 (07:39 +0000)]
elf: Don't crash in dlsym when tail-called from a constructor [BZ #34156]
If a shared library's constructor calls dlsym and discards the result,
the compiler is free to lower the call to a tail jump. The dynamic
linker then resolves the apparent caller to ld.so's own link map, which
has no l_scope, and crashes in _dl_lookup_symbol_x dereferencing the
NULL scope pointer.
Tail-call optimization is a legal C transformation and there is no way
for the dynamic linker to recover the real caller from the elided frame.
Detect the situation by its observable effect -- a link map with no
l_scope -- and fall back to the main program's link map, the same
treatment used when the caller's address is otherwise unrecognized.
The check is written against l->l_scope rather than against _dl_rtld_map
directly because dl-sym-post.h is also compiled into libc.so, where
_dl_rtld_map is not visible (it lives only in ld.so).
Add dlfcn/tst-dlsym-ctor exercising the pattern. Without the fix the
test SIGSEGVs during dlopen; with the fix dlopen returns cleanly.
Signed-off-by: Daan De Meyer <daan@amutable.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Avinal Kumar [Mon, 18 May 2026 10:18:00 +0000 (15:48 +0530)]
SHARED-FILES: Update gettext sync record
Update the gettext section to reflect the 2026 sync with GNU
gettext 1.0 (through commit 2ebbdd0e2). Add intl/eval-plural.h
which was missing from the shared files list.
Avinal Kumar [Mon, 18 May 2026 10:14:52 +0000 (15:44 +0530)]
intl: Fix undefined pointer behaviour
In _nl_find_msg (dcigettext.c), outbuf was computed as
freemem + sizeof(size_t) before checking whether freemem_size is
large enough. When freemem is NULL (initial state), this is
undefined behaviour i.e arithmetic on a null pointer. Move the
outbuf assignment after the size check where freemem is guaranteed
to be a valid allocation.
In read_alias_file (localealias.c), after realloc the old
string_space pointer is dangling. The expression
new_pool - string_space subtracts a valid pointer from a dangling
one, which is undefined behaviour per ISO C 23.
Rewrite as new_pool + (map[i].alias - string_space) so both
operands of the subtraction point into the same (old) object
before string_space is reassigned.
Based on GNU gettext commits 695429040 and 2ebbdd0e2.
Original author: Bruno Haible <bruno@clisp.org>
In file included from zic.c:16:
private.h:849:1: error: static declaration of ‘mempcpy’ follows non-static declaration
849 | mempcpy(void *restrict s1, void const *restrict s2, size_t n)
| ^~~~~~~
In file included from ../include/string.h:60,
from private.h:222:
../string/string.h:432:14: note: previous declaration of ‘mempcpy’ with type [...]
432 | extern void *mempcpy (void *__restrict __dest,
| ^~~~~~~
The libc-symbols.h already defined some HAVE_*, but timezone files are
built with -D_ISOMAC. Remove its usage and only define _ and N_
macros if not already defined.
Checked on x86_64-linux-gnu and with a build-many-glibcs.py build for
i686-gnu. Reviewed-by: H.J. Lu <hjl.tools@gmail.com> Reviewed-by: Paul Eggert <eggert@cs.ucla.edu>
elf: Use dl_scratch_buffer for LD_LIBRARY_PATH copy in _dl_init_paths
_dl_init_paths used strdupa to make a mutable copy of LD_LIBRARY_PATH
for fillin_rpath to tokenize. The env block is attacker-controllable
and Linux allows individual variables up to MAX_ARG_STRLEN (32 *
PAGE_SIZE = 128 KB), so the strdupa can push tens of KB onto the
loader's startup stack on top of the env block that already sits on
the initial stack. With a reduced RLIMIT_STACK the doubled copy
overflows before main () is reached.
Replace the strdupa with a dl_scratch_buffer: short paths stay in
the 256-byte inline area, longer ones spill to anonymous mmap (malloc
is not yet available during _dl_init_paths). Two follow-on changes
make the new scratch lifetime safe against _dl_signal_error:
* Count entries directly off the const LD_LIBRARY_PATH and allocate
__rtld_env_path_list.dirs *before* the scratch is live. That way
the larger of the two heap allocations the loader controls signals
its OOM with no scratch to leak.
* Convert fillin_rpath to return bool instead of calling
_dl_signal_error internally on per-entry malloc failure. Its
only caller in the LLP path now frees the scratch first and then
signals the error from a clean state. decompose_rpath, the other
caller, is updated symmetrically. This also fixes a pre-existing
leak in fillin_rpath's OOM path, where the to_free heap copy from
expand_dynamic_string_token was not released before the
_dl_signal_error.
Checked on x86_64-linux-gnu, aarch64-linux-gnu, and i686-linux-gnu.
elf: Use dl_scratch_buffer for DST expansion in _dl_map_object_deps
The expand_dst macro in _dl_map_object_deps performs an unbounded
alloca via DL_DST_REQUIRED, which scales with the link map's
l_origin length plus the count of dynamic-string tokens in the
input string. When a DT_NEEDED entry carries several DSTs and the
link map sits in a deep directory, the resulting allocation grows
to several kilobytes -- enough to overflow a PTHREAD_STACK_MIN
thread that calls dlopen.
Convert the macro to a static function that draws from a caller-
owned dl_scratch_buffer, so oversized expansions land on the heap
(or anonymous mmap during early startup) instead of the stack.
The scratch buffer is reused across DT_NEEDED, DT_AUXILIARY, and
DT_FILTER entries of the same map and freed once dependency
expansion completes.
A new regression test, tst-dst-needed-minstack, builds a wrapper
library that inherits a five-DST SONAME from a leaf module,
deploys it under a deep temporary directory, and dlopens it from
a PTHREAD_STACK_MIN thread. Without the fix the dlopen overflows
the thread stack and crashes; with the fix the dlopen returns
cleanly (with or without a successful load).
Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu.
elf: Replace alloca with dl_scratch_buffer in _dl_load_cache_lookup
The alloca added by commit ccdb048d ("Fix recursive dlopen") to
snapshot the matched cache entry before __strdup runs through
interposable malloc is sized by best_len, which can reach PATH_MAX.
On PTHREAD_STACK_MIN threads that's enough to overflow the stack
mid-dlopen.
Use dl_scratch_buffer with DL_SCRATCH_NO_MALLOC: short entries stay
in the 256-byte inline area, longer ones spill to anonymous mmap
rather than to interposable malloc. The recursive-dlopen invariant
is preserved.
New container test elf/tst-dl-cache-long-path constructs a ~3.4 KB
deep directory, populates ld.so.cache with that entry, and dlopens
from a PTHREAD_STACK_MIN thread under deliberate stack pressure;
reliably SIGSEGVs against the alloca-based code and passes with the
fix.
Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu.
elf: Replace alloca/VLA with dl_scratch_buffer in dl-load.c
is_trusted_path_normalize, print_search_path, and open_path used
alloca or a VLA to hold a path scratch buffer sized by user-controlled
inputs (an RPATH directory length, or
max_dirnamelen + max_capstrlen + namelen). On the worst case that
consumes up to PATH_MAX bytes of stack per call, which can overflow a
PTHREAD_STACK_MIN-sized stack mid-dlopen when combined with the
loader's other on-stack scratch (struct filebuf, etc.).
Replace those allocations with dl_scratch_buffer. As a small cleanup,
print_search_path now takes the scratch buffer from its caller
(open_path's buffer is already large enough --
max_dirnamelen + max_capstrlen + namelen with namelen >= 1 covers the
max_dirnamelen + max_capstrlen + 1 print_search_path requires), so
LD_DEBUG=libs no longer pays for an extra allocation per open_path
invocation.
A new test elf/tst-dl-path-buf exercises the relevant paths -- dlopen
via DT_RPATH, open_path failure cleanup, dlopen with an over-long
name, dlopen from a PTHREAD_STACK_MIN thread.
Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu.
projects / thirdparty / glibc.git / log
