backport patches from glibc upstream 2.38 branch

LoongArch-Delete-excessively-allocated-memory.patch

@@ -0,0 +1,109 @@
+From 44f757a6364a546359809d48c76b3debd26e77d4 Mon Sep 17 00:00:00 2001
+From: caiyinyu <caiyinyu@loongson.cn>
+Date: Thu, 26 Oct 2023 17:27:21 +0800
+Subject: [PATCH 1/9] LoongArch: Delete excessively allocated memory.
+
+Backported from glibc 2.39 development.
+---
+ sysdeps/loongarch/dl-trampoline.h | 68 +++++++++++++++----------------
+ 1 file changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/sysdeps/loongarch/dl-trampoline.h b/sysdeps/loongarch/dl-trampoline.h
+index 02375286f8..99fcacab76 100644
+--- a/sysdeps/loongarch/dl-trampoline.h
++++ b/sysdeps/loongarch/dl-trampoline.h
+@@ -19,9 +19,9 @@
+ /* Assembler veneer called from the PLT header code for lazy loading.
+    The PLT header passes its own args in t0-t2.  */
+ #ifdef USE_LASX
+-# define FRAME_SIZE (-((-9 * SZREG - 8 * SZFREG - 8 * SZXREG) & ALMASK))
++# define FRAME_SIZE (-((-9 * SZREG - 8 * SZXREG) & ALMASK))
+ #elif defined USE_LSX
+-# define FRAME_SIZE (-((-9 * SZREG - 8 * SZFREG - 8 * SZVREG) & ALMASK))
++# define FRAME_SIZE (-((-9 * SZREG - 8 * SZVREG) & ALMASK))
+ #elif !defined __loongarch_soft_float
+ # define FRAME_SIZE (-((-9 * SZREG - 8 * SZFREG) & ALMASK))
+ #else
+@@ -44,23 +44,23 @@ ENTRY (_dl_runtime_resolve)
+ 	REG_S	a7, sp, 8*SZREG
+ 
+ #ifdef USE_LASX
+-	xvst	xr0, sp, 9*SZREG + 8*SZFREG + 0*SZXREG
+-	xvst	xr1, sp, 9*SZREG + 8*SZFREG + 1*SZXREG
+-	xvst	xr2, sp, 9*SZREG + 8*SZFREG + 2*SZXREG
+-	xvst	xr3, sp, 9*SZREG + 8*SZFREG + 3*SZXREG
+-	xvst	xr4, sp, 9*SZREG + 8*SZFREG + 4*SZXREG
+-	xvst	xr5, sp, 9*SZREG + 8*SZFREG + 5*SZXREG
+-	xvst	xr6, sp, 9*SZREG + 8*SZFREG + 6*SZXREG
+-	xvst	xr7, sp, 9*SZREG + 8*SZFREG + 7*SZXREG
++	xvst	xr0, sp, 9*SZREG + 0*SZXREG
++	xvst	xr1, sp, 9*SZREG + 1*SZXREG
++	xvst	xr2, sp, 9*SZREG + 2*SZXREG
++	xvst	xr3, sp, 9*SZREG + 3*SZXREG
++	xvst	xr4, sp, 9*SZREG + 4*SZXREG
++	xvst	xr5, sp, 9*SZREG + 5*SZXREG
++	xvst	xr6, sp, 9*SZREG + 6*SZXREG
++	xvst	xr7, sp, 9*SZREG + 7*SZXREG
+ #elif defined USE_LSX
+-	vst	vr0, sp, 9*SZREG + 8*SZFREG + 0*SZVREG
+-	vst	vr1, sp, 9*SZREG + 8*SZFREG + 1*SZVREG
+-	vst	vr2, sp, 9*SZREG + 8*SZFREG + 2*SZVREG
+-	vst	vr3, sp, 9*SZREG + 8*SZFREG + 3*SZVREG
+-	vst	vr4, sp, 9*SZREG + 8*SZFREG + 4*SZVREG
+-	vst	vr5, sp, 9*SZREG + 8*SZFREG + 5*SZVREG
+-	vst	vr6, sp, 9*SZREG + 8*SZFREG + 6*SZVREG
+-	vst	vr7, sp, 9*SZREG + 8*SZFREG + 7*SZVREG
++	vst	vr0, sp, 9*SZREG + 0*SZVREG
++	vst	vr1, sp, 9*SZREG + 1*SZVREG
++	vst	vr2, sp, 9*SZREG + 2*SZVREG
++	vst	vr3, sp, 9*SZREG + 3*SZVREG
++	vst	vr4, sp, 9*SZREG + 4*SZVREG
++	vst	vr5, sp, 9*SZREG + 5*SZVREG
++	vst	vr6, sp, 9*SZREG + 6*SZVREG
++	vst	vr7, sp, 9*SZREG + 7*SZVREG
+ #elif !defined __loongarch_soft_float
+ 	FREG_S	fa0, sp, 9*SZREG + 0*SZFREG
+ 	FREG_S	fa1, sp, 9*SZREG + 1*SZFREG
+@@ -92,23 +92,23 @@ ENTRY (_dl_runtime_resolve)
+ 	REG_L	a7, sp, 8*SZREG
+ 
+ #ifdef USE_LASX
+-	xvld	xr0, sp, 9*SZREG + 8*SZFREG + 0*SZXREG
+-	xvld	xr1, sp, 9*SZREG + 8*SZFREG + 1*SZXREG
+-	xvld	xr2, sp, 9*SZREG + 8*SZFREG + 2*SZXREG
+-	xvld	xr3, sp, 9*SZREG + 8*SZFREG + 3*SZXREG
+-	xvld	xr4, sp, 9*SZREG + 8*SZFREG + 4*SZXREG
+-	xvld	xr5, sp, 9*SZREG + 8*SZFREG + 5*SZXREG
+-	xvld	xr6, sp, 9*SZREG + 8*SZFREG + 6*SZXREG
+-	xvld	xr7, sp, 9*SZREG + 8*SZFREG + 7*SZXREG
++	xvld	xr0, sp, 9*SZREG + 0*SZXREG
++	xvld	xr1, sp, 9*SZREG + 1*SZXREG
++	xvld	xr2, sp, 9*SZREG + 2*SZXREG
++	xvld	xr3, sp, 9*SZREG + 3*SZXREG
++	xvld	xr4, sp, 9*SZREG + 4*SZXREG
++	xvld	xr5, sp, 9*SZREG + 5*SZXREG
++	xvld	xr6, sp, 9*SZREG + 6*SZXREG
++	xvld	xr7, sp, 9*SZREG + 7*SZXREG
+ #elif defined USE_LSX
+-	vld	vr0, sp, 9*SZREG + 8*SZFREG + 0*SZVREG
+-	vld	vr1, sp, 9*SZREG + 8*SZFREG + 1*SZVREG
+-	vld	vr2, sp, 9*SZREG + 8*SZFREG + 2*SZVREG
+-	vld	vr3, sp, 9*SZREG + 8*SZFREG + 3*SZVREG
+-	vld	vr4, sp, 9*SZREG + 8*SZFREG + 4*SZVREG
+-	vld	vr5, sp, 9*SZREG + 8*SZFREG + 5*SZVREG
+-	vld	vr6, sp, 9*SZREG + 8*SZFREG + 6*SZVREG
+-	vld	vr7, sp, 9*SZREG + 8*SZFREG + 7*SZVREG
++	vld	vr0, sp, 9*SZREG + 0*SZVREG
++	vld	vr1, sp, 9*SZREG + 1*SZVREG
++	vld	vr2, sp, 9*SZREG + 2*SZVREG
++	vld	vr3, sp, 9*SZREG + 3*SZVREG
++	vld	vr4, sp, 9*SZREG + 4*SZVREG
++	vld	vr5, sp, 9*SZREG + 5*SZVREG
++	vld	vr6, sp, 9*SZREG + 6*SZVREG
++	vld	vr7, sp, 9*SZREG + 7*SZVREG
+ #elif !defined __loongarch_soft_float
+ 	FREG_L	fa0, sp, 9*SZREG + 0*SZFREG
+ 	FREG_L	fa1, sp, 9*SZREG + 1*SZFREG
+-- 
+2.33.0
+

NEWS-Mention-bug-fixes-for-29039-30694-30709-30721.patch

@@ -0,0 +1,27 @@
+From d25e2c8d5cb0778ae87ad43b1f4c301abe5a932b Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Sat, 23 Dec 2023 06:24:41 -0800
+Subject: [PATCH 6/9] NEWS: Mention bug fixes for 29039/30694/30709/30721
+
+---
+ NEWS | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 6fbb8a9e1d..db4d6c8373 100644
+--- a/NEWS
++++ b/NEWS
+@@ -31,6 +31,10 @@ Security related changes:
+ 
+ The following bugs are resolved with this release:
+ 
++  [29039] Corrupt DTV after reuse of a TLS module ID following dlclose with unused TLS
++  [30694] The iconv program no longer tells the user which given encoding name was wrong
++  [30709] nscd fails to build with cleanup handler if built with -fexceptions
++  [30721] x86_64: Fix build with --disable-multiarch
+   [30723] posix_memalign repeatedly scans long bin lists
+   [30789] sem_open will fail on multithreaded scenarios when semaphore
+     file doesn't exist (O_CREAT)
+-- 
+2.33.0
+

NEWS-Mention-bug-fixes-for-30745-30843.patch

@@ -0,0 +1,30 @@
+From 27339a3eb8f987eebae72b854af80256c1588ebd Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Sat, 23 Dec 2023 06:27:50 -0800
+Subject: [PATCH 7/9] NEWS: Mention bug fixes for 30745/30843
+
+---
+ NEWS | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index db4d6c8373..905230b838 100644
+--- a/NEWS
++++ b/NEWS
+@@ -36,11 +36,13 @@ The following bugs are resolved with this release:
+   [30709] nscd fails to build with cleanup handler if built with -fexceptions
+   [30721] x86_64: Fix build with --disable-multiarch
+   [30723] posix_memalign repeatedly scans long bin lists
++  [30745] Slight bug in cache info codes for x86
+   [30789] sem_open will fail on multithreaded scenarios when semaphore
+     file doesn't exist (O_CREAT)
+   [30804] F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with
+     -D_FILE_OFFSET_BITS=64
+   [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
++  [30843] potential use-after-free in getcanonname (CVE-2023-4806)
+   [31184] FAIL: elf/tst-tlsgap
+   [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
+ 
+-- 
+2.33.0
+

elf-Add-TLS-modid-reuse-test-for-bug-29039.patch

@@ -0,0 +1,210 @@
+From 0de9082ed8d8f149ca87d569a73692046e236c18 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Wed, 29 Nov 2023 11:31:37 +0000
+Subject: [PATCH 3/9] elf: Add TLS modid reuse test for bug 29039
+
+This is a minimal regression test for bug 29039 which only affects
+targets with TLSDESC and a reproducer requires that
+
+1) Have modid gaps (closed modules) with old generation.
+2) Update a DTV to a newer generation (needs a newer dlopen).
+3) But do not update the closed gap entry in that DTV.
+4) Reuse the modid gap for a new module (another dlopen).
+5) Use dynamic TLSDESC in that new module with old generation (bug).
+6) Access TLS via this TLSDESC and the now outdated DTV.
+
+However step (3) in practice rarely happens: during DTV update the
+entries for closed modids are initialized to "unallocated" and then
+dynamic TLSDESC calls __tls_get_addr independently of its generation.
+The only exception to this is DTV setup at thread creation (gaps are
+initialized to NULL instead of unallocated) or DTV resize where the
+gap entries are outside the previous DTV array (again NULL instead
+of unallocated, and this requires loading > DTV_SURPLUS modules).
+
+So the bug can only cause NULL (+ offset) dereference, not use after
+free. And the easiest way to get (3) is via thread creation.
+
+Note that step (5) requires that the newly loaded module has larger
+TLS than the remaining optional static TLS. And for (6) there cannot
+be other TLS access or dlopen in the thread that updates the DTV.
+
+Tested on aarch64-linux-gnu.
+
+Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+(cherry picked from commit 980450f12685326729d63ff72e93a996113bf073)
+
+Conflict: This adapt the context elf/Makefile due to BZ 31035.
+---
+ elf/Makefile          | 15 +++++++
+ elf/tst-tlsgap-mod0.c |  2 +
+ elf/tst-tlsgap-mod1.c |  2 +
+ elf/tst-tlsgap-mod2.c |  2 +
+ elf/tst-tlsgap.c      | 92 +++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 113 insertions(+)
+ create mode 100644 elf/tst-tlsgap-mod0.c
+ create mode 100644 elf/tst-tlsgap-mod1.c
+ create mode 100644 elf/tst-tlsgap-mod2.c
+ create mode 100644 elf/tst-tlsgap.c
+
+diff --git a/elf/Makefile b/elf/Makefile
+index 00ac7430..711f96fe 100644
+--- a/elf/Makefile
++++ b/elf/Makefile
+@@ -460,6 +460,7 @@ tests += \
+   tst-tls21 \
+   tst-tlsalign \
+   tst-tlsalign-extern \
++  tst-tlsgap \
+   tst-unique1 \
+   tst-unique2 \
+   tst-unwind-ctor \
+@@ -885,6 +886,9 @@ modules-names += \
+   tst-tls20mod-bad \
+   tst-tls21mod \
+   tst-tlsalign-lib \
++  tst-tlsgap-mod0 \
++  tst-tlsgap-mod1 \
++  tst-tlsgap-mod2 \
+   tst-tlsmod1 \
+   tst-tlsmod10 \
+   tst-tlsmod11 \
+@@ -3002,3 +3006,14 @@ $(objpfx)tst-non-directory-path.out: tst-non-directory-path.sh \
+ 	    '$(test-wrapper-env)' '$(run_program_env)' \
+ 		    '$(rpath-link)' $(objpfx) > $@; \
+ 	$(evaluate-test)
++
++$(objpfx)tst-tlsgap: $(shared-thread-library)
++$(objpfx)tst-tlsgap.out: \
++  $(objpfx)tst-tlsgap-mod0.so \
++  $(objpfx)tst-tlsgap-mod1.so \
++  $(objpfx)tst-tlsgap-mod2.so
++ifeq (yes,$(have-mtls-dialect-gnu2))
++CFLAGS-tst-tlsgap-mod0.c += -mtls-dialect=gnu2
++CFLAGS-tst-tlsgap-mod1.c += -mtls-dialect=gnu2
++CFLAGS-tst-tlsgap-mod2.c += -mtls-dialect=gnu2
++endif
+diff --git a/elf/tst-tlsgap-mod0.c b/elf/tst-tlsgap-mod0.c
+new file mode 100644
+index 00000000..1478b0be
+--- /dev/null
++++ b/elf/tst-tlsgap-mod0.c
+@@ -0,0 +1,2 @@
++int __thread tls0;
++int *f0(void) { return &tls0; }
+diff --git a/elf/tst-tlsgap-mod1.c b/elf/tst-tlsgap-mod1.c
+new file mode 100644
+index 00000000..b10fc370
+--- /dev/null
++++ b/elf/tst-tlsgap-mod1.c
+@@ -0,0 +1,2 @@
++int __thread tls1[100]; /* Size > glibc.rtld.optional_static_tls / 2.  */
++int *f1(void) { return tls1; }
+diff --git a/elf/tst-tlsgap-mod2.c b/elf/tst-tlsgap-mod2.c
+new file mode 100644
+index 00000000..166c27d7
+--- /dev/null
++++ b/elf/tst-tlsgap-mod2.c
+@@ -0,0 +1,2 @@
++int __thread tls2;
++int *f2(void) { return &tls2; }
+diff --git a/elf/tst-tlsgap.c b/elf/tst-tlsgap.c
+new file mode 100644
+index 00000000..49328850
+--- /dev/null
++++ b/elf/tst-tlsgap.c
+@@ -0,0 +1,92 @@
++/* TLS modid gap reuse regression test for bug 29039.
++   Copyright (C) 2023 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <stdio.h>
++#include <dlfcn.h>
++#include <pthread.h>
++#include <support/xdlfcn.h>
++#include <support/xthread.h>
++#include <support/check.h>
++
++static void *mod[3];
++#define MOD(i) "tst-tlsgap-mod" #i ".so"
++static const char *modname[3] = { MOD(0), MOD(1), MOD(2) };
++#undef MOD
++
++static void
++open_mod (int i)
++{
++  mod[i] = xdlopen (modname[i], RTLD_LAZY);
++  printf ("open %s\n", modname[i]);
++}
++
++static void
++close_mod (int i)
++{
++  xdlclose (mod[i]);
++  mod[i] = NULL;
++  printf ("close %s\n", modname[i]);
++}
++
++static void
++access_mod (int i, const char *sym)
++{
++  int *(*f) (void) = xdlsym (mod[i], sym);
++  int *p = f ();
++  printf ("access %s: %s() = %p\n", modname[i], sym, p);
++  TEST_VERIFY_EXIT (p != NULL);
++  ++*p;
++}
++
++static void *
++start (void *arg)
++{
++  /* The DTV generation is at the last dlopen of mod0 and the
++     entry for mod1 is NULL.  */
++
++  open_mod (1); /* Reuse modid of mod1. Uses dynamic TLS.  */
++
++  /* DTV is unchanged: dlopen only updates the DTV to the latest
++     generation if static TLS is allocated for a loaded module.
++
++     With bug 29039, the TLSDESC relocation in mod1 uses the old
++     dlclose generation of mod1 instead of the new dlopen one so
++     DTV is not updated on TLS access.  */
++
++  access_mod (1, "f1");
++
++  return arg;
++}
++
++static int
++do_test (void)
++{
++  open_mod (0);
++  open_mod (1);
++  open_mod (2);
++  close_mod (0);
++  close_mod (1); /* Create modid gap at mod1.  */
++  open_mod (0); /* Reuse modid of mod0, bump generation count.  */
++
++  /* Create a thread where DTV of mod1 is NULL.  */
++  pthread_t t = xpthread_create (NULL, start, NULL);
++  xpthread_join (t);
++  return 0;
++}
++
++#include <support/test-driver.c>
+-- 
+2.33.0
+

elf-Fix-TLS-modid-reuse-generation-assignment-BZ-290.patch

@@ -0,0 +1,53 @@
+From ccdc4cba07684fe1397e1f5f134a0a827af98c04 Mon Sep 17 00:00:00 2001
+From: Hector Martin <marcan@marcan.st>
+Date: Tue, 28 Nov 2023 15:23:07 +0900
+Subject: [PATCH 2/9] elf: Fix TLS modid reuse generation assignment (BZ 29039)
+
+_dl_assign_tls_modid() assigns a slotinfo entry for a new module, but
+does *not* do anything to the generation counter. The first time this
+happens, the generation is zero and map_generation() returns the current
+generation to be used during relocation processing. However, if
+a slotinfo entry is later reused, it will already have a generation
+assigned. If this generation has fallen behind the current global max
+generation, then this causes an obsolete generation to be assigned
+during relocation processing, as map_generation() returns this
+generation if nonzero. _dl_add_to_slotinfo() eventually resets the
+generation, but by then it is too late. This causes DTV updates to be
+skipped, leading to NULL or broken TLS slot pointers and segfaults.
+
+Fix this by resetting the generation to zero in _dl_assign_tls_modid(),
+so it behaves the same as the first time a slot is assigned.
+_dl_add_to_slotinfo() will still assign the correct static generation
+later during module load, but relocation processing will no longer use
+an obsolete generation.
+
+Note that slotinfo entry (aka modid) reuse typically happens after a
+dlclose and only TLS access via dynamic tlsdesc is affected. Because
+tlsdesc is optimized to use the optional part of static TLS, dynamic
+tlsdesc can be avoided by increasing the glibc.rtld.optional_static_tls
+tunable to a large enough value, or by LD_PRELOAD-ing the affected
+modules.
+
+Fixes bug 29039.
+
+Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
+(cherry picked from commit 3921c5b40f293c57cb326f58713c924b0662ef59)
+---
+ elf/dl-tls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/elf/dl-tls.c b/elf/dl-tls.c
+index 99b83ca696..1f6f820819 100644
+--- a/elf/dl-tls.c
++++ b/elf/dl-tls.c
+@@ -154,6 +154,7 @@ _dl_assign_tls_modid (struct link_map *l)
+ 	      {
+ 		/* Mark the entry as used, so any dependency see it.  */
+ 		atomic_store_relaxed (&runp->slotinfo[result - disp].map, l);
++		atomic_store_relaxed (&runp->slotinfo[result - disp].gen, 0);
+ 		break;
+ 	      }
+ 
+-- 
+2.33.0
+

getaddrinfo-translate-ENOMEM-to-EAI_MEMORY-bug-31163.patch

@@ -0,0 +1,36 @@
+From ae1e5217021e43e1f2de443d26e87ea3adfb221c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Wed, 6 Dec 2023 14:48:22 +0100
+Subject: [PATCH 8/9] getaddrinfo: translate ENOMEM to EAI_MEMORY (bug 31163)
+
+When __resolv_context_get returns NULL due to out of memory, translate it
+to a return value of EAI_MEMORY.
+
+(cherry picked from commit 5eabdb6a6ac1599d23dd5966a37417215950245f)
+---
+ sysdeps/posix/getaddrinfo.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 13082305d3..da573bea24 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -616,7 +616,14 @@ get_nss_addresses (const char *name, const struct addrinfo *req,
+      function variant.  */
+   res_ctx = __resolv_context_get ();
+   if (res_ctx == NULL)
+-    no_more = 1;
++    {
++      if (errno == ENOMEM)
++	{
++	  result = -EAI_MEMORY;
++	  goto out;
++	}
++      no_more = 1;
++    }
+ 
+   while (!no_more)
+     {
+-- 
+2.33.0
+

glibc.spec

@@ -67,7 +67,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.38
-Release: 	15
+Release: 	16
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@@ -119,6 +119,15 @@ Patch30: 0003-Revert-elf-Move-l_init_called_next-to-old-place-of-l.patch
 Patch31: sysdeps-sem_open-Clear-O_CREAT-when-semaphore-file-i.patch
 Patch32: elf-Fix-wrong-break-removal-from-8ee878592c.patch
 Patch33: backport-elf-Handle-non-directory-name-in-search-path-BZ-3103.patch
+Patch34: LoongArch-Delete-excessively-allocated-memory.patch
+Patch35: elf-Fix-TLS-modid-reuse-generation-assignment-BZ-290.patch
+Patch36: elf-Add-TLS-modid-reuse-test-for-bug-29039.patch
+Patch37: x86-64-Fix-the-dtv-field-load-for-x32-BZ-31184.patch
+Patch38: x86-64-Fix-the-tcb-field-load-for-x32-BZ-31185.patch
+Patch39: NEWS-Mention-bug-fixes-for-29039-30694-30709-30721.patch
+Patch40: NEWS-Mention-bug-fixes-for-30745-30843.patch
+Patch41: getaddrinfo-translate-ENOMEM-to-EAI_MEMORY-bug-31163.patch
+Patch42: libio-Check-remaining-buffer-size-in-_IO_wdo_write-b.patch
 
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: locale-delete-no-hard-link-to-avoid-all_language-pac.patch 
@@ -1332,6 +1341,9 @@ fi
 %endif
 
 %changelog
+* Wed Jan 3 Qingqing Li <liqingqing3@huawei.com> - 2.38-16
+- backport patches from glibc upstream 2.38 branch
+
 * Thu Dec 14 shixuantong <shixuantong1@huawei.com> - 2.38-15
 - elf: Handle non-directory name in search path (BZ 31035)
 

libio-Check-remaining-buffer-size-in-_IO_wdo_write-b.patch

@@ -0,0 +1,48 @@
+From cfe121910013a46e2477562282c56ae8062089aa Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 2 Jan 2024 14:36:17 +0100
+Subject: [PATCH 9/9] libio: Check remaining buffer size in _IO_wdo_write (bug
+ 31183)
+
+The multibyte character needs to fit into the remaining buffer space,
+not the already-written buffer space.  Without the fix, we were never
+moving the write pointer from the start of the buffer, always using
+the single-character fallback buffer.
+
+Fixes commit 04b76b5aa8b2d1d19066e42dd1 ("Don't error out writing
+a multibyte character to an unbuffered stream (bug 17522)").
+
+(cherry picked from commit ecc7c3deb9f347649c2078fcc0f94d4cedf92d60)
+---
+ NEWS             | 1 +
+ libio/wfileops.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 905230b838..6768c2da6f 100644
+--- a/NEWS
++++ b/NEWS
+@@ -43,6 +43,7 @@ The following bugs are resolved with this release:
+     -D_FILE_OFFSET_BITS=64
+   [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
+   [30843] potential use-after-free in getcanonname (CVE-2023-4806)
++  [31183] Wide stream buffer size reduced MB_LEN_MAX bytes after bug 17522 fix
+   [31184] FAIL: elf/tst-tlsgap
+   [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
+ 
+diff --git a/libio/wfileops.c b/libio/wfileops.c
+index f16f6db1c3..9ab8f2e7f3 100644
+--- a/libio/wfileops.c
++++ b/libio/wfileops.c
+@@ -55,7 +55,7 @@ _IO_wdo_write (FILE *fp, const wchar_t *data, size_t to_do)
+ 	  char mb_buf[MB_LEN_MAX];
+ 	  char *write_base, *write_ptr, *buf_end;
+ 
+-	  if (fp->_IO_write_ptr - fp->_IO_write_base < sizeof (mb_buf))
++	  if (fp->_IO_buf_end - fp->_IO_write_ptr < sizeof (mb_buf))
+ 	    {
+ 	      /* Make sure we have room for at least one multibyte
+ 		 character.  */
+-- 
+2.33.0
+

x86-64-Fix-the-dtv-field-load-for-x32-BZ-31184.patch

@@ -0,0 +1,68 @@
+From 35ea7549751d4f13a28c732e6ad68204f5e60a06 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Wed, 20 Dec 2023 16:31:43 -0800
+Subject: [PATCH 4/9] x86-64: Fix the dtv field load for x32 [BZ #31184]
+
+On x32, I got
+
+FAIL: elf/tst-tlsgap
+
+$ gdb elf/tst-tlsgap
+...
+open tst-tlsgap-mod1.so
+
+Thread 2 "tst-tlsgap" received signal SIGSEGV, Segmentation fault.
+[Switching to LWP 2268754]
+_dl_tlsdesc_dynamic () at ../sysdeps/x86_64/dl-tlsdesc.S:108
+108		movq	(%rsi), %rax
+(gdb) p/x $rsi
+$4 = 0xf7dbf9005655fb18
+(gdb)
+
+This is caused by
+
+_dl_tlsdesc_dynamic:
+        _CET_ENDBR
+        /* Preserve call-clobbered registers that we modify.
+           We need two scratch regs anyway.  */
+        movq    %rsi, -16(%rsp)
+        movq    %fs:DTV_OFFSET, %rsi
+
+Since the dtv field in TCB is a pointer, %fs:DTV_OFFSET is a 32-bit
+location, not 64-bit.  Load the dtv field to RSI_LP instead of rsi.
+This fixes BZ #31184.
+
+(cherry picked from commit 3502440397bbb840e2f7223734aa5cc2cc0e29b6)
+---
+ NEWS                        | 1 +
+ sysdeps/x86_64/dl-tlsdesc.S | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 5ac488bf9b..71057e4793 100644
+--- a/NEWS
++++ b/NEWS
+@@ -37,6 +37,7 @@ The following bugs are resolved with this release:
+   [30804] F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with
+     -D_FILE_OFFSET_BITS=64
+   [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
++  [31184] FAIL: elf/tst-tlsgap
+ 
+ 
+ Version 2.38
+diff --git a/sysdeps/x86_64/dl-tlsdesc.S b/sysdeps/x86_64/dl-tlsdesc.S
+index 5593897e29..c4823547d7 100644
+--- a/sysdeps/x86_64/dl-tlsdesc.S
++++ b/sysdeps/x86_64/dl-tlsdesc.S
+@@ -102,7 +102,7 @@ _dl_tlsdesc_dynamic:
+ 	/* Preserve call-clobbered registers that we modify.
+ 	   We need two scratch regs anyway.  */
+ 	movq	%rsi, -16(%rsp)
+-	movq	%fs:DTV_OFFSET, %rsi
++	mov	%fs:DTV_OFFSET, %RSI_LP
+ 	movq	%rdi, -8(%rsp)
+ 	movq	TLSDESC_ARG(%rax), %rdi
+ 	movq	(%rsi), %rax
+-- 
+2.33.0
+

x86-64-Fix-the-tcb-field-load-for-x32-BZ-31185.patch

@@ -0,0 +1,69 @@
+From 968c983d43bc51f719f3e7a0fcb1bb8669b5f7c4 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Wed, 20 Dec 2023 19:42:12 -0800
+Subject: [PATCH 5/9] x86-64: Fix the tcb field load for x32 [BZ #31185]
+
+_dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer
+via the tcb field in TCB:
+
+_dl_tlsdesc_undefweak:
+        _CET_ENDBR
+        movq    8(%rax), %rax
+        subq    %fs:0, %rax
+        ret
+
+_dl_tlsdesc_dynamic:
+	...
+        subq    %fs:0, %rax
+        movq    -8(%rsp), %rdi
+        ret
+
+Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location,
+not 64-bit. It should use "sub %fs:0, %RAX_LP" instead.  Since
+_dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic
+returns void *, RAX_LP is appropriate here for x32 and x86-64.  This
+fixes BZ #31185.
+
+(cherry picked from commit 81be2a61dafc168327c1639e97b6dae128c7ccf3)
+---
+ NEWS                        | 1 +
+ sysdeps/x86_64/dl-tlsdesc.S | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 71057e4793..6fbb8a9e1d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -38,6 +38,7 @@ The following bugs are resolved with this release:
+     -D_FILE_OFFSET_BITS=64
+   [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
+   [31184] FAIL: elf/tst-tlsgap
++  [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
+ 
+ 
+ Version 2.38
+diff --git a/sysdeps/x86_64/dl-tlsdesc.S b/sysdeps/x86_64/dl-tlsdesc.S
+index c4823547d7..4579424bf7 100644
+--- a/sysdeps/x86_64/dl-tlsdesc.S
++++ b/sysdeps/x86_64/dl-tlsdesc.S
+@@ -61,7 +61,7 @@ _dl_tlsdesc_return:
+ _dl_tlsdesc_undefweak:
+ 	_CET_ENDBR
+ 	movq	8(%rax), %rax
+-	subq	%fs:0, %rax
++	sub	%fs:0, %RAX_LP
+ 	ret
+ 	cfi_endproc
+ 	.size	_dl_tlsdesc_undefweak, .-_dl_tlsdesc_undefweak
+@@ -116,7 +116,7 @@ _dl_tlsdesc_dynamic:
+ 	addq	TLSDESC_MODOFF(%rdi), %rax
+ .Lret:
+ 	movq	-16(%rsp), %rsi
+-	subq	%fs:0, %rax
++	sub	%fs:0, %RAX_LP
+ 	movq	-8(%rsp), %rdi
+ 	ret
+ .Lslow:
+-- 
+2.33.0
+