about summary refs log tree commit diff
path: root/elf
Commit message (Collapse)AuthorAgeFilesLines
* elf: Initialize GLRO(dl_lazy) before relocating libc in dynamic startupFlorian Weimer2023-12-081-3/+3
| | | | | | | | | | | GLRO(dl_lazy) is used to set the parameters for the early _dl_relocate_object call, so the consider_profiling setting has to be applied before the call. Fixes commit 78ca44da0160a0b442f0ca1f253e3360f044b2ec ("elf: Relocate libc.so early during startup and dlmopen (bug 31083)"). Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: Fix wrong break removal from 8ee878592cAdhemerval Zanella2023-12-071-0/+1
| | | | Reported-by: Alexander Monakov <amonakov@ispras.ru>
* elf: Refactor process_envvarsAdhemerval Zanella2023-12-051-48/+84
| | | | | | | | | | It splits between process_envvars_secure and process_envvars_default, with the former used to process arguments for __libc_enable_secure. It does not have any semantic change, just simplify the code so there is no need to handle __libc_enable_secure on each len switch. Checked on x86_64-linux-gnu and aarch64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Ignore LD_BIND_NOW and LD_BIND_NOT for setuid binariesAdhemerval Zanella2023-12-052-4/+8
| | | | | | | | To avoid any environment variable to change setuid binaries semantics. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Ignore loader debug env vars for setuidAdhemerval Zanella2023-12-052-8/+18
| | | | | | | | | | | | | Loader already ignores LD_DEBUG, LD_DEBUG_OUTPUT, and LD_TRACE_LOADED_OBJECTS. Both LD_WARN and LD_VERBOSE are similar to LD_DEBUG, in the sense they enable additional checks and debug information, so it makes sense to disable them. Also add both LD_VERBOSE and LD_WARN on filtered environment variables for setuid binaries. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Add a way to check if tunable is set (BZ 27069)Adhemerval Zanella2023-11-295-0/+71
| | | | | | | | | | | The patch adds two new macros, TUNABLE_GET_DEFAULT and TUNABLE_IS_INITIALIZED, here the former get the default value with a signature similar to TUNABLE_GET, while the later returns whether the tunable was set by the environment variable. Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com> Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org>
* elf: Fix TLS modid reuse generation assignment (BZ 29039)Hector Martin2023-11-281-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | _dl_assign_tls_modid() assigns a slotinfo entry for a new module, but does *not* do anything to the generation counter. The first time this happens, the generation is zero and map_generation() returns the current generation to be used during relocation processing. However, if a slotinfo entry is later reused, it will already have a generation assigned. If this generation has fallen behind the current global max generation, then this causes an obsolete generation to be assigned during relocation processing, as map_generation() returns this generation if nonzero. _dl_add_to_slotinfo() eventually resets the generation, but by then it is too late. This causes DTV updates to be skipped, leading to NULL or broken TLS slot pointers and segfaults. Fix this by resetting the generation to zero in _dl_assign_tls_modid(), so it behaves the same as the first time a slot is assigned. _dl_add_to_slotinfo() will still assign the correct static generation later during module load, but relocation processing will no longer use an obsolete generation. Note that slotinfo entry (aka modid) reuse typically happens after a dlclose and only TLS access via dynamic tlsdesc is affected. Because tlsdesc is optimized to use the optional part of static TLS, dynamic tlsdesc can be avoided by increasing the glibc.rtld.optional_static_tls tunable to a large enough value, or by LD_PRELOAD-ing the affected modules. Fixes bug 29039. Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
* elf: Relocate libc.so early during startup and dlmopen (bug 31083)Florian Weimer2023-11-277-2/+118
| | | | | | | This makes it more likely that objects without dependencies can use IFUNC resolvers in libc.so. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: Introduce the _dl_open_relocate_one_object functionFlorian Weimer2023-11-271-39/+47
| | | | | | It is extracted from dl_open_worker_begin. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: In _dl_relocate_object, skip processing if object is relocatedFlorian Weimer2023-11-271-3/+3
| | | | | | | This is just a minor optimization. It also makes it more obvious that _dl_relocate_object can be called multiple times. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: Add comments on how LD_AUDIT and LD_PRELOAD handle __libc_enable_secureAdhemerval Zanella2023-11-211-1/+8
| | | | | To make explicit why __libc_enable_secure is not checked. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for staticAdhemerval Zanella2023-11-211-16/+16
| | | | | | | It mimics the ld.so behavior. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Remove any_debug from dl_main_stateAdhemerval Zanella2023-11-212-6/+1
| | | | | Its usage can be implied by the GLRO(dl_debug_mask). Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Remove LD_PROFILE for static binariesAdhemerval Zanella2023-11-215-25/+16
| | | | | | | | | | | The _dl_non_dynamic_init does not parse LD_PROFILE, which does not enable profile for dlopen objects. Since dlopen is deprecated for static objects, it is better to remove the support. It also allows to trim down libc.a of profile support. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Ignore LD_PROFILE for setuid binariesAdhemerval Zanella2023-11-213-6/+17
| | | | | | | | | | | | | | | | | | Loader does not ignore LD_PROFILE in secure-execution mode (different than man-page states [1]), rather it uses a different path (/var/profile) and ignore LD_PROFILE_OUTPUT. Allowing secure-execution profiling is already a non good security boundary, since it enables different code paths and extra OS access by the process. But by ignoring LD_PROFILE_OUTPUT, the resulting profile file might also be acceded in a racy manner since the file name does not use any process-specific information (such as pid, timing, etc.). Another side-effect is it forces lazy binding even on libraries that might be with DF_BIND_NOW. [1] https://man7.org/linux/man-pages/man8/ld.so.8.html Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Emit warning if tunable is ill-formattedAdhemerval Zanella2023-11-211-0/+6
| | | | | | | So caller knows that the tunable will be ignored. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Fix _dl_debug_vdprintf to work before self-relocationAdhemerval Zanella2023-11-211-2/+14
| | | | | | | | | | | | | The strlen might trigger and invalid GOT entry if it used before the process is self-relocated (for instance on dl-tunables if any error occurs). For i386, _dl_writev with PIE requires to use the old 'int $0x80' syscall mode because the calling the TLS register (gs) is not yet initialized. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Do not parse ill-formatted stringsAdhemerval Zanella2023-11-212-16/+45
| | | | | | | | | | | Instead of ignoring ill-formatted tunable strings, first, check all the tunable definitions are correct and then set each tunable value. It means that partially invalid strings, like "key1=value1:key2=key2=value' or 'key1=value':key2=value2=value2' do not enable 'key1=value1'. It avoids possible user-defined errors in tunable definitions. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Do not process invalid tunable formatAdhemerval Zanella2023-11-212-7/+21
| | | | | | | | | | | Tunable definitions with more than one '=' on are parsed and enabled, and any subsequent '=' are ignored. It means that tunables in the form 'tunable=tunable=value' or 'tunable=value=value' are handled as 'tunable=value'. These inputs are likely user input errors, which should not be accepted. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Add all malloc tunable to unsecvarsAdhemerval Zanella2023-11-213-58/+79
| | | | | | | | | | | | | | | | | | | | | | | | Some environment variables allow alteration of allocator behavior across setuid boundaries, where a setuid program may ignore the tunable, but its non-setuid child can read it and adjust the memory allocator behavior accordingly. Most library behavior tunings is limited to the current process and does not bleed in scope; so it is unclear how pratical this misfeature is. If behavior change across privilege boundaries is desirable, it would be better done with a wrapper program around the non-setuid child that sets these envvars, instead of using the setuid process as the messenger. The patch as fixes tst-env-setuid, where it fail if any unsecvars is set. It also adds a dynamic test, although it requires --enable-hardcoded-path-in-tests so kernel correctly sets the setuid bit (using the loader command directly would require to set the setuid bit on the loader itself, which is not a usual deployment). Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Checked on x86_64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
* elf: Ignore GLIBC_TUNABLES for setuid/setgid binariesAdhemerval Zanella2023-11-216-135/+297
| | | | | | | | | | | | | | | | | | | | The tunable privilege levels were a retrofit to try and keep the malloc tunable environment variables' behavior unchanged across security boundaries. However, CVE-2023-4911 shows how tricky can be tunable parsing in a security-sensitive environment. Not only parsing, but the malloc tunable essentially changes some semantics on setuid/setgid processes. Although it is not a direct security issue, allowing users to change setuid/setgid semantics is not a good security practice, and requires extra code and analysis to check if each tunable is safe to use on all security boundaries. It also means that security opt-in features, like aarch64 MTE, would need to be explicit enabled by an administrator with a wrapper script or with a possible future system-wide tunable setting. Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
* elf: Add GLIBC_TUNABLES to unsecvarsAdhemerval Zanella2023-11-211-28/+4
| | | | | | | | | | | | setuid/setgid process now ignores any glibc tunables, and filters out all environment variables that might changes its behavior. This patch also adds GLIBC_TUNABLES, so any spawned process by setuid/setgid processes should set tunable explicitly. Checked on x86_64-linux-gnu. Reviewed-by: Florian Weimer <fweimer@redhat.com> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* elf: Remove /etc/suid-debug supportAdhemerval Zanella2023-11-212-18/+1
| | | | | | | | | | | | | | | | Since malloc debug support moved to a different library (libc_malloc_debug.so), the glibc.malloc.check requires preloading the debug library to enable it. It means that suid-debug support has not been working since 2.34. To restore its support, it would require to add additional information and parsing to where to find libc_malloc_debug.so. It is one thing less that might change AT_SECURE binaries' behavior due to environment configurations. Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* ldconfig: Fixes for skipping temporary files.Florian Weimer2023-11-201-4/+15
| | | | | | | | | | | Arguments to a memchr call were swapped, causing incorrect skipping of files. Files related to dpkg have different names: they actually end in .dpkg-new and .dpkg-tmp, not .tmp as I mistakenly assumed. Fixes commit 2aa0974d2573441bffd59 ("elf: ldconfig should skip temporary files created by package managers").
* nptl: Rename tst-execstack to tst-execstack-threadsFlorian Weimer2023-11-201-1/+6
| | | | | | | So that the test is harder to confuse with elf/tst-execstack (although the tests are supposed to be the same). Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Fix force_first handling in dlclose (bug 30981)Florian Weimer2023-11-163-13/+29
| | | | | | | | | | | | | The force_first parameter was ineffective because the dlclose'd object was not necessarily the first in the maps array. Also enable force_first handling unconditionally, regardless of namespace. The initial object in a namespace should be destructed first, too. The _dl_sort_maps_dfs function had early returns for relocation dependency processing which broke force_first handling, too, and this is fixed in this change as well. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Handle non-directory name in search path (BZ 31035)Adhemerval Zanella2023-11-165-3/+103
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The open_path stops if a relative path in search path contains a component that is a non directory (for instance, if the component is an existing file). For instance: $ cat > lib.c <<EOF > void foo (void) {} > EOF $ gcc -shared -fPIC -o lib.so lib.c $ cat > main.c <<EOF extern void foo (); int main () { foo (); return 0; } EOF $ gcc -o main main.c lib.so $ LD_LIBRARY_PATH=. ./main $ LD_LIBRARY_PATH=non-existing/path:. ./main $ LD_LIBRARY_PATH=$(pwd)/main:. ./main $ LD_LIBRARY_PATH=./main:. ./main ./main: error while loading shared libraries: lib.so: cannot open shared object file: No such file or directory The invalid './main' should be ignored as a non-existent one, instead as a valid but non accessible file. Absolute paths do not trigger this issue because their status are initialized as 'unknown' and open_path check if this is a directory. Checked on x86_64-linux-gnu. Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
* test: Run the tst-tls-allocation-failure-static-patched with test-wrapper.Yanzhang Wang2023-11-131-1/+1
| | | | If we use cross test with ssh, this test needs to be ran on the remote.
* elf: Add glibc.mem.decorate_maps tunableAdhemerval Zanella2023-11-072-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The PR_SET_VMA_ANON_NAME support is only enabled through a configurable kernel switch, mainly because assigning a name to a anonymous virtual memory area might prevent that area from being merged with adjacent virtual memory areas. For instance, with the following code: void *p1 = mmap (NULL, 1024 * 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); void *p2 = mmap (p1 + (1024 * 4096), 1024 * 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); The kernel will potentially merge both mappings resulting in only one segment of size 0x800000. If the segment is names with PR_SET_VMA_ANON_NAME with different names, it results in two mappings. Although this will unlikely be an issue for pthread stacks and malloc arenas (since for pthread stacks the guard page will result in a PROT_NONE segment, similar to the alignment requirement for the arena block), it still might prevent the mmap memory allocated for detail malloc. There is also another potential scalability issue, where the prctl requires to take the mmap global lock which is still not fully fixed in Linux [1] (for pthread stacks and arenas, it is mitigated by the stack cached and the arena reuse). So this patch disables anonymous mapping annotations as default and add a new tunable, glibc.mem.decorate_maps, can be used to enable it. [1] https://lwn.net/Articles/906852/ Checked on x86_64-linux-gnu and aarch64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
* malloc: Decorate malloc mapsAdhemerval Zanella2023-11-073-0/+42
| | | | | | | | | | | | | | | Add anonymous mmap annotations on loader malloc, malloc when it allocates memory with mmap, and on malloc arena. The /proc/self/maps will now print: [anon: glibc: malloc arena] [anon: glibc: malloc] [anon: glibc: loader malloc] On arena allocation, glibc annotates only the read/write mapping. Checked on x86_64-linux-gnu and aarch64-linux-gnu. Reviewed-by: DJ Delorie <dj@redhat.com>
* nptl: Decorate thread stack on pthread_createAdhemerval Zanella2023-11-072-0/+163
| | | | | | | | | | | | | | | | | | | | | | | | | | | Linux 4.5 removed thread stack annotations due to the complexity of computing them [1], and Linux added PR_SET_VMA_ANON_NAME on 5.17 as a way to name anonymous virtual memory areas. This patch adds decoration on the stack created and used by pthread_create, for glibc crated thread stack the /proc/self/maps will now show: [anon: glibc: pthread stack: <tid>] And for user-provided stacks: [anon: glibc: pthread user stack: <tid>] The guard page is not decorated, and the mapping name is cleared when the thread finishes its execution (so the cached stack does not have any name associated). Checked on x86_64-linux-gnu aarch64 aarch64-linux-gnu. [1] https://github.com/torvalds/linux/commit/65376df582174ffcec9e6471bf5b0dd79ba05e4a Co-authored-by: Ian Rogers <irogers@google.com> Reviewed-by: DJ Delorie <dj@redhat.com>
* linux: Sync Linux 6.6 elf.hAdhemerval Zanella2023-11-031-0/+5
| | | | | | It adds NT_X86_SHSTK (2fab02b25ae7cf5), NT_RISCV_CSR/NT_RISCV_VECTOR (9300f00439743c4), and NT_LOONGARCH_HW_BREAK/NT_LOONGARCH_HW_WATCH (1a69f7a161a78ae).
* crypt: Remove libcrypt supportAdhemerval Zanella2023-10-302-44/+0
| | | | | | | | | | | | | | | | | | All the crypt related functions, cryptographic algorithms, and make requirements are removed, with only the exception of md5 implementation which is moved to locale folder since it is required by localedef for integrity protection (libc's locale-reading code does not check these, but localedef does generate them). Besides thec code itself, both internal documentation and the manual is also adjusted. This allows to remove both --enable-crypt and --enable-nss-crypt configure options. Checked with a build for all affected ABIs. Co-authored-by: Zack Weinberg <zack@owlfolio.org> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: ldconfig should skip temporary files created by package managersFlorian Weimer2023-10-201-12/+27
| | | | | | | This avoids crashes due to partially written files, after a package update is interrupted. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Add NT_PPC_DEXCR and NT_PPC_HASHKEYR from Linux 6.5 to elf.hJoseph Myers2023-10-191-0/+2
| | | | | | | Linux 6.5 adds constants NT_PPC_DEXCR and NT_PPC_HASHKEYR. Add these to glibc's elf.h. Tested for x86_64.
* elf: Do not print the cache entry if --inhibit-cache is usedAdhemerval Zanella2023-10-181-1/+2
| | | | | So --help informs the correct shared library search path. Reviewed-by: Florian Weimer <fweimer@redhat.com>
* Revert "elf: Always call destructors in reverse constructor order (bug 30785)"Florian Weimer2023-10-185-171/+173
| | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 6985865bc3ad5b23147ee73466583dd7fdf65892. Reason for revert: The commit changes the order of ELF destructor calls too much relative to what applications expect or can handle. In particular, during process exit and _dl_fini, after the revert commit, we no longer call the destructors of the main program first; that only happens after some dlopen'ed objects have been destructed. This robs applications of an opportunity to influence destructor order by calling dlclose explicitly from the main program's ELF destructors. A couple of different approaches involving reverse constructor order were tried, and none of them worked really well. It seems we need to keep the dependency sorting in _dl_fini. There is also an ambiguity regarding nested dlopen calls from ELF constructors: Should those destructors run before or after the object that called dlopen? Commit 6985865bc3ad5b2314 used reverse order of the start of ELF constructor calls for destructors, but arguably using completion of constructors is more correct. However, that alone is not sufficient to address application compatibility issues (it does not change _dl_fini ordering at all).
* Revert "elf: Fix compile error with -DNDEBUG [BZ #18755]"Florian Weimer2023-10-181-1/+1
| | | | | | This reverts commit 964d15a007d7fb1258f2ad7c8cf4afcfb9a65719. Reason for revert: Conflicts with revert of commit 6985865bc3ad5b23147.
* tunables: Terminate if end of input is reached (CVE-2023-4911)Siddhesh Poyarekar2023-10-022-15/+39
| | | | | | | | | | | | | | | | | The string parsing routine may end up writing beyond bounds of tunestr if the input tunable string is malformed, of the form name=name=val. This gets processed twice, first as name=name=val and next as name=val, resulting in tunestr being name=name=val:name=val, thus overflowing tunestr. Terminate the parsing loop at the first instance itself so that tunestr does not overflow. This also fixes up tst-env-setuid-tunables to actually handle failures correct and add new tests to validate the fix for this CVE. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* elf: Fix compile error with -DNDEBUG [BZ #18755]Qingqing Li2023-09-271-1/+1
| | | | | | | | | | | | | Compilation fails when building with -DNDEBUG after commit a3189f66a5f2fe86568286fa025fa153be04c6c0. Here is the error: dl-close.c: In function ‘_dl_close_worker’: dl-close.c:140:22: error: unused variable ‘nloaded’ [-Werror=unused-variable] 140 | const unsigned int nloaded = ns->_ns_nloaded; Add __attribute_maybe_unused__ for‘nloaded’to fix it. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* MIPS: Add relocation typesYing Huang2023-09-271-1/+59
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* MIPS: Add new section type SHT_MIPS_ABIFLAGSYing Huang2023-09-271-0/+1
| | | | Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* MIPS: Add ELF file header flagsYing Huang2023-09-271-1/+47
| | | | | | | | | | | Now binutils use some E_MIPS_* macros and EF_MIPS_* macros, it is difficult to decide which style macro we should use when we want to add new ELF file header flags. IRIX used to use EF_MIPS_* macros and in elf/elf.h there also has comments "The following are unofficial names and should not be used". So we should use EF_MIPS_* to keep same style with the beginning. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: dl-lookup: Remove unused alloca.h includeJoe Simmons-Talbott2023-09-211-1/+0
|
* elf: Remove unused l_text_end field from struct link_mapFlorian Weimer2023-09-084-16/+3
| | | | | | | | | | | | | It is a left-over from commit 52a01100ad011293197637e42b5be1a479a2 ("elf: Remove ad-hoc restrictions on dlopen callers [BZ #22787]"). When backporting commmit 6985865bc3ad5b23147ee73466583dd7fdf65892 ("elf: Always call destructors in reverse constructor order (bug 30785)"), we can move the l_init_called_next field to this place, so that the internal GLIBC_PRIVATE ABI does not change. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
* elf: Always call destructors in reverse constructor order (bug 30785)Florian Weimer2023-09-085-173/+171
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current implementation of dlclose (and process exit) re-sorts the link maps before calling ELF destructors. Destructor order is not the reverse of the constructor order as a result: The second sort takes relocation dependencies into account, and other differences can result from ambiguous inputs, such as cycles. (The force_first handling in _dl_sort_maps is not effective for dlclose.) After the changes in this commit, there is still a required difference due to dlopen/dlclose ordering by the application, but the previous discrepancies went beyond that. A new global (namespace-spanning) list of link maps, _dl_init_called_list, is updated right before ELF constructors are called from _dl_init. In dl_close_worker, the maps variable, an on-stack variable length array, is eliminated. (VLAs are problematic, and dlclose should not call malloc because it cannot readily deal with malloc failure.) Marking still-used objects uses the namespace list directly, with next and next_idx replacing the done_index variable. After marking, _dl_init_called_list is used to call the destructors of now-unused maps in reverse destructor order. These destructors can call dlopen. Previously, new objects do not have l_map_used set. This had to change: There is no copy of the link map list anymore, so processing would cover newly opened (and unmarked) mappings, unloading them. Now, _dl_init (indirectly) sets l_map_used, too. (dlclose is handled by the existing reentrancy guard.) After _dl_init_called_list traversal, two more loops follow. The processing order changes to the original link map order in the namespace. Previously, dependency order was used. The difference should not matter because relocation dependencies could already reorder link maps in the old code. The changes to _dl_fini remove the sorting step and replace it with a traversal of _dl_init_called_list. The l_direct_opencount decrement outside the loader lock is removed because it appears incorrect: the counter manipulation could race with other dynamic loader operations. tst-audit23 needs adjustments to the changes in LA_ACT_DELETE notifications. The new approach for checking la_activity should make it clearer that la_activty calls come in pairs around namespace updates. The dependency sorting test cases need updates because the destructor order is always the opposite order of constructor order, even with relocation dependencies or cycles present. There is a future cleanup opportunity to remove the now-constant force_first and for_fini arguments from the _dl_sort_maps function. Fixes commit 1df71d32fe5f5905ffd5d100e5e9ca8ad62 ("elf: Implement force_first handling in _dl_sort_maps_dfs (bug 28937)"). Reviewed-by: DJ Delorie <dj@redhat.com>
* elf: Fix slow tls access after dlopen [BZ #19924]Szabolcs Nagy2023-09-014-63/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In short: __tls_get_addr checks the global generation counter and if the current dtv is older then _dl_update_slotinfo updates dtv up to the generation of the accessed module. So if the global generation is newer than generation of the module then __tls_get_addr keeps hitting the slow dtv update path. The dtv update path includes a number of checks to see if any update is needed and this already causes measurable tls access slow down after dlopen. It may be possible to detect up-to-date dtv faster. But if there are many modules loaded (> TLS_SLOTINFO_SURPLUS) then this requires at least walking the slotinfo list. This patch tries to update the dtv to the global generation instead, so after a dlopen the tls access slow path is only hit once. The modules with larger generation than the accessed one were not necessarily synchronized before, so additional synchronization is needed. This patch uses acquire/release synchronization when accessing the generation counter. Note: in the x86_64 version of dl-tls.c the generation is only loaded once, since relaxed mo is not faster than acquire mo load. I have not benchmarked this. Tested by Adhemerval Zanella on aarch64, powerpc, sparc, x86 who reported that it fixes the performance issue of bug 19924. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Check that --list-diagnostics output has the expected syntaxFlorian Weimer2023-08-252-0/+312
| | | | | | | | | | Parts of elf/tst-rtld-list-diagnostics.py have been copied from scripts/tst-ld-trace.py. The abnf module is entirely optional and used to verify the ABNF grammar as included in the manual. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* elf: Do not run constructors for proxy objectsFlorian Weimer2023-08-221-2/+6
| | | | | Otherwise, the ld.so constructor runs for each audit namespace and each dlmopen namespace.
* LoongArch: elf: Add new LoongArch reloc types 109 into elf.hcaiyinyu2023-08-141-0/+1
| | | | | These reloc types are generated by GNU assembler >= 2.41 for relaxation support.