Bug 12674 - sem_post/sem_wait race causing sem_post to return EINVAL
Summary: sem_post/sem_wait race causing sem_post to return EINVAL
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: nptl
Version: unspecified
Importance: P2 critical
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on: 17980
Reported: 2011-04-14 06:33 UTC by Don Hatch
Modified: 2024-12-10 08:30 UTC
fweimer: security-


Attachments
the test program, to be run in gdb as described (998 bytes, text/x-csrc)
2011-04-14 06:33 UTC, Don Hatch
EC2 test program (408 bytes, text/x-csrc)
2012-02-10 16:28 UTC, Kevin Dempsey
A simpler test program (301 bytes, text/x-csrc)
2013-09-13 20:14 UTC, Michael Ballantyne

Description Don Hatch 2011-04-14 06:33:17 UTC
Created attachment 5671
the test program, to be run in gdb as described

There appears to be a race in the implementation of sem_post/sem_wait on AMD64
(nptl/sysdeps/unix/sysv/linux/x86_64/sem_post.S in the source code)
which sometimes causes sem_post to access freed memory
and to fail with EINVAL.

In a nutshell, if sem_post happens to go to sleep
right after it increments sem->value
but before it looks at sem->nwaiters,
another thread can sail through a sem_wait without blocking
and destroy the semaphore,
so that when the sem_post thread wakes up and looks at sem->nwaiters,
it is looking at already-freed (and possibly unmapped) memory.

The bug was originally filed as gentoo bug 93366
( http://bugs.gentoo.org/show_bug.cgi?id=93366 ).

It's extremely hard to reproduce,
and I don't have a simple program that can demonstrate the problem reliably
by just running it (for less than a million years).
But it can be reproduced consistently 
either by hacking up the sem_post source code
and adding a sleep() at a crucial point,
or by carefully stopping and resuming the threads
in a debugger with thread-specific breakpoints.
I'll include instructions for doing the latter using gdb >=7.1.

We're observing the problem on an AMD64 machine
running RHEL5.3 Linux,
with glibc-2.5-34.el5_3.1
and gcc-4.1.2-44.el5,
which I know is ancient 
but I also downloaded the most current glibc source code today
and compiled the sem_post.S and sem_wait.S from it,
and I can still reproduce the problem using those.


Here are the instructions for reproducing the problem
using gdb 7.1 or 7.2 on the attached program
(gdb 7.0.1 and earlier fail with a supposed syntax error
on the "b *(sem_post+18) thread 3").


% gcc -Wall -g semtest.c -lpthread -o semtest
% gdb ./semtest

    # per http://sourceware.org/gdb/onlinedocs/gdb/Non_002dStop-Mode.html ...
    # Enable the async interface.
    set target-async 1
    # If using the CLI, pagination breaks non-stop.
    set pagination off
    # Finally, turn it on!
    set non-stop on 

    b waiter
    b poster
    r
        # thread 2 stops in waiter
        # thread 3 stops in poster

    t 2
    b sem_wait thread 2 
    c
        # thread 2 (waiter) stops at the beginning of sem_wait(varsem)

    disas sem_post 
        # look for the "cmpq $0x0,0x8(%rdi)" and put a breakpoint there.
        # in older versions it's sem_post+4;
        # in newer versions it's sem_post+18.
    t 3
    b *(sem_post+18) thread 3    <-- or sem_post+4 or whatever
    c
        # thread 3 (poster) stops at the breakpoint inside sem_post,
        # after incrementing varsem->value (4-byte value 0 bytes into the object)
        # but before looking at varsem->nwaiters (8-byte value 8 bytes into the object)

    t 2
    b free thread 2
    c
        # thread 2 (waiter) sails through the sem_wait without blocking,
        # calls sem_destroy(varsem),
        # trashes the memory,
        # and stops at the beginning of free

    t 3
    c
        # thread 3 (poster) resumes in the middle of sem_post,
        # looks at varsem->nwaiters and sees it's nonzero (trash)
        # so it makes the FUTEX_WAKE syscall which returns EINVAL,
        # the program exits with error message
        # "sem_post() in poster: Invalid argument"



I hope I am not overinflating this bug's severity by calling
it "critical" ("major" would feel more appropriate to me,
but there seems to be no "major" option, only "normal" and "critical").
Although failure is rare,
we are about to be forced to implement our own semaphores
rather than using the posix semaphores because of this bug,
so it does seem rather severe.
Comment 1 Ulrich Drepper 2011-04-17 03:49:43 UTC
Why would this at all be a bug?  The fact that the sem_wait succeeds doesn't indicate at all that the semaphore is unused and destroying an unused semaphore is of course completely illegal.  Your code is wrong in assuming what it does.  You have to wait for the sem_post call to also return before destroying the semaphore.
Comment 2 Don Hatch 2011-04-18 19:25:40 UTC
(In reply to comment #1)
> Why would this at all be a bug?  The fact that the sem_wait succeeds doesn't
> indicate at all that the semaphore is unused and destroying an unused semaphore
> is of course completely illegal.  Your code is wrong in assuming what it does. 
> You have to wait for the sem_post call to also return before destroying the
> semaphore.

Hi Ulrich,
Thanks for looking at this.

We're not completely confident that this usage is legal...
but we're not convinced yet that it's illegal either.

In our program, the sem_post itself is intended to indicate to the waiting thread that it's safe to destroy the semaphore
(and, in a real program, to destroy some associated resource as well).
If the waiter thread has to wait for the sem_post call to return, as you say,
what would be a mechanism for doing that?  Another semaphore?
Would you agree that then either the semaphore,
or the semaphore-that-protects-the-semaphore, etc.
would need to be an object that persists significantly longer
than the resources being protected?
Maybe this is a reasonable or necessary
restriction, but it's a significant one,
and if it's intentional, it would be very helpful to have it documented.

Various manual pages I've seen which come close to mentioning it,
and which seem to me to (weakly) imply my usage is legal, are:

sem_destroy man page from my RHEL5.3 distribution (man-pages-2.39-12.el5):
"Destroying  a  semaphore  that other processes or threads are currently
blocked on (in sem_wait(3)) produces undefined behaviour."
(doesn't mention sem_post, but it seems like this would be
the appropriate place to mention it if it's illegal,
and the fact that it doesn't mention it seems to imply it's legal).

Various other sem_destroy man pages, such as the one from
Open Group Base Specifications (http://pubs.opengroup.org/onlinepubs/009695399/functions/sem_destroy.html) say:
"It is safe to destroy an initialized semaphore upon which no threads are currently blocked. The effect of destroying a semaphore upon which other threads are currently blocked is undefined."
(the most literal reading of this implies that in my case,
it's safe to destroy the semaphore, since it's certainly
the case that no threads are currently blocked on it).

The pthread_mutex_destroy man page (from man-pages-2.39-12.el5):
"It shall be safe to destroy an  initialized  mutex  that  is  unlocked.
Attempting to destroy a locked mutex results in undefined behavior."
(again, a literal reading of this implies my usage is safe.
of course this is talking about mutexes, not semaphores,
but I imagine all the same limitations and considerations apply).

The pthread_cond_destroy man page (from man-pages-2.39-12.el5):
"It shall be safe to destroy  an  initialized  condition  variable  upon which  no threads are currently blocked. Attempting to destroy a condition variable upon which other threads are currently blocked results in undefined behavior."
(my comment on this would be the same as for pthread_mutex above)

Unfortunately I don't have access to the pthreads standard...
does it take a definite position on this?  If it does,
it would be great to have that clarification added to all these man pages
so that future programmers will have no doubts about it.

Thanks,
Don Hatch
Comment 3 Don Hatch 2011-04-19 00:04:29 UTC
Upon further reading,
I see that the pthread_mutex_destroy man page
and the pthread_cond_destroy man page
both explicitly say that doing the analogous thing
to a mutex or condition variable is legal.

From the same pthread_mutex_destroy man page
that I quoted earlier (from man-pages-2.39-12.el5):
"A mutex can be destroyed immediately after it is unlocked. For example, consider the following code: [...]  In this case obj is reference counted and obj_done() is called whenever a reference to the object is dropped.  Implementations are required  to allow an object to be destroyed and freed and potentially unmapped (for example, lines A and B) immediately after the object is unlocked  (line C)."

From the same pthread_cond_destroy man page
that I quoted earlier (from man-pages-2.39-12.el5):
"A condition variable can be destroyed immediately after all the threads that are blocked on it are awakened. For example, consider the following code: [...] In this example, the condition variable and its list element may be freed (line B) immediately after all threads waiting for it are awakened (line A), since the mutex and the code ensure that no other thread can touch the element to be deleted."

So if it's really the case that
posix semaphores don't provide the same guarantee
(or even if the spec says they do but the current implementation doesn't),
I think we can get that guarantee by implementing our own semaphores
in terms of mutexes and/or condition variables
(that is assuming the implementation of mutexes and condition variables
really does conform to the above quoted passages).
Comment 4 Ulrich Drepper 2011-04-19 11:25:39 UTC
There cannot be any question that it is illegal.  You pass a pointer to the semaphore to sem_post and just because it is half-finished and a sem_wait succeeds this doesn't mean the call must be done.  As I said, only when the sem_post call also returns is the semaphore unused.
Comment 5 Don Hatch 2011-04-19 22:06:36 UTC
(In reply to comment #4)
> There cannot be any question that it is illegal.  You pass a pointer to the
> semaphore to sem_post and just because it is half-finished and a sem_wait
> succeeds this doesn't mean the call must be done.  As I said, only when the
> sem_post call also returns is the semaphore unused.

Hi Ulrich,

Sorry if it seems I am belaboring this.
I understand your assertion; it's the same thing you said
in your first reply (Comment 1), right?
But it's not clear to me on what basis you are making this assertion.
Is it based on the spec,
or are you stating what you believe to be common sense and obvious?

If it is from the spec, please say so (quoting the relevant passage if possible)
and that will end the discussion.
(And I will open a bug report against the man page,
asking for it to be amended to include the clarifying passage from the spec.)

But if you are arguing from common sense, then I think you are certainly wrong
about it being obvious or the only reasonable interpretation.
One could equally well say from common sense
"you pass to mutex_unlock a pointer to the mutex and just because it is
half-finished and a subsequent mutex lock-and-unlock in another thread succeeds
this doesn't mean the call must be done... only when the first mutex_unlock
call also returns is the mutex unused"...
and yet the spec very explicitly disagrees
(as I quoted from the man page, which I assume is taken from the spec).
Similarly for condition variables.
All this leads me to believe that it was likely the intent of the spec authors
to say that, in general,
it is legal and legitimate usage to destroy any lock-like object
as soon as it is released for the last time by another thread
(which is always *before* the releasing function literally returns in that
other thread).
So it is on that basis that I say I believe it may be the intent of the spec
that my usage is legal, contrary to your assertion.

If you are still sure this is not the case,
would you please elaborate on your reasoning?

Thanks.
Comment 6 Pat 2011-08-04 04:48:18 UTC
Ulrich does not understand your question because he is assuming you are an idiot.

In particular, he is not reading your bug report carefully enough to recognize that the behavior you have identified is a fundamental race rendering semaphores useless.

It is a pretty simple question, really.  Given a semaphore initialized to zero, one thread that makes one call to sem_wait, and another that makes one call to sem_post.  Which thread can safely destroy the semaphore?

Obviously, the thread calling sem_post cannot destroy the semaphore because it cannot know that sem_wait has returned.

You have shown that the one calling sem_wait cannot destroy it either because of this broken implementation.

So neither thread can destroy the semaphore without adding some additional synchronization mechanism.  Ulrich says the behavior is not broken, which as you rightly point out is ludicrous.  But that's Ulrich for you.
Comment 7 Rich Felker 2011-08-07 18:08:55 UTC
After reading this bug report and followup comments, I have identified and fixed the corresponding bug in musl's implementation of POSIX semaphores. The fix is very easy and the same approach could easily be used to fix glibc/NPTL. There is not yet a release with the fix, but you can see the commit/diff in our git repository at:

http://git.etalabs.net/cgi-bin/gitweb.cgi?p=musl;a=commitdiff;h=88c4e720317845a8e01aee03f142ba82674cd23d;hp=88798393cab009ce78fe498051072db71ba9d035

The basic idea is that a waiter stores a flag that it's waiting in the atomic semaphore value field, in addition to incrementing the waiter count. This way sem_post can see "old" waiters by examining the waiters count *before* atomically upping the semaphore value, and can see a "last minute" waiter in the old semaphore value when it atomically replaces it with compare-and-swap.

The same approach works for fixing the corresponding bug in mutexes and rwlocks. Note that a similar bug also exists for barriers, and I have a clean solution for non-process-shared barriers, but no solution for process-shared barriers that's not subject to failure cases.
Comment 8 Kevin Dempsey 2012-02-10 16:26:32 UTC
We have been getting the same problem on an Amazon EC2 instance running a Fedora 8 (2.6.21.7-5.fc8 kernel-xen) based image with glibc.i686 2.7-2, using the nosegneg variant. The program aborts when sem_post() returns an error and has been averaging one failure every three months.

Having seen this bug report, I have been testing with a program based on the original reporter's source. On an EC2 instance I have not had it run for more than 4 hours before failing (I have not seen a failure on bare metal). When a failure does occur, the strace output shows the futex() syscall has been made with an invalid operation:
12072 futex(0x9152098, 0x1010101 /* FUTEX_??? */, 1) = -1 ENOSYS (Function not implemented)
presumably because the PRIVATE field has been overwritten.

From the glibc source repository it appears that this race was introduced when the change was made to make sem_post() only call FUTEX_WAKE when there are threads waiting. In fact, with the test program forced to use the old implementation (using .symver) I haven't had it fail.

If the value and nwaiters were next to each other then they could both be accessed atomically using cmpxchg8b (on i586 and later). Perhaps then somebody skilled in the art could eliminate the race condition?
Comment 9 Kevin Dempsey 2012-02-10 16:28:04 UTC
Created attachment 6206
EC2 test program
Comment 10 Carlos O'Donell 2012-02-16 15:25:45 UTC
Reviewing...
Comment 11 Piotr 2013-01-12 00:40:20 UTC
Hi, 

Just checking in to see if anyone has had a chance to look into this one at all. Many thanks in advance.

Piotr
Comment 12 Piotr 2013-01-24 16:51:15 UTC
(In reply to comment #11)
> Hi, 
> 
> Just checking in to see if anyone has had a chance to look into this one at
> all. Many thanks in advance.
> 
> Piotr

Can anyone comment on this one, please?

Thanks

Piotr
Comment 13 Michael Ballantyne 2013-09-13 20:14:51 UTC
Created attachment 7196
A simpler test program
Comment 14 Michael Ballantyne 2013-09-13 20:21:02 UTC
I've also run into this bug. Appears to be the cause of random failures in our scientific computing framework's parallel back end that have kept us from declaring it production ready for quite some time.

I reproduced it in Debian jessie with eglibc 2.17.

I've attached an even simpler test-case for purposes of reproducing in gdb (simple.c). Gdb instructions below.

set target-async 1
set pagination off
set non-stop on
b poster
b sem_wait
r

disas sem_post

# half-finish the sem-post
b *(sem_post+18) thread 2
t 2
c

# run the sem_wait, destroy, and trash memory
b free thread 1
t 1
c

# finish the sem_post and get an error
t 2
c
Comment 15 Carlos O'Donell 2013-09-13 20:27:03 UTC
I'm not looking at this right now, but someone should review this if we want a change in 2.19 which is open now.
Comment 16 Rich Felker 2013-09-14 16:47:09 UTC
The cause of the EINVAL is that

    orl     PRIVATE(%rdi), %esi

is being performed after the semaphore value is changed. To be correct, nothing can be read from the semaphore value after the atomic instruction which changes the semaphore value. Moving the check for number of waiters to before the atomic operation, however, introduces a race condition which is even worse. There are ways around this, such as the approach we use in musl (having both a waiters counter and a new-waiter flag on the atomic so that the waiters count can be read first), but such approaches would be fairly invasive and would require careful review.

I think we could fix the most common manifestation of this bug simply by moving the load of the PRIVATE field to take place before the atomic instruction. With that change, the only observably incorrect behavior possible would be invalid memory access (SIGSEGV or SIGBUS) if the storage for the semaphore was actually unmapped (munmap or negative sbrk). This is still a possibility, and thus still a bug which should be fixed, but it's much less likely/common than the EINVAL issue that was actually reported.
Comment 17 Torvald Riegel 2013-12-20 17:49:56 UTC
This is conceptually related to Bug 13690, whose resolution depends on the outcome of a POSIX request for clarification.  The same kind of wording that needs to be clarified for that bug is not present in the semaphore specification, but it's essentially the same question of when POSIX synchronization objects can be safely destroyed.  Therefore, I think it's good to wait for a result of the clarification request.
Comment 19 Kevin Dempsey 2014-06-20 12:24:20 UTC
Now that the Austin Group have clarified the expected behaviour of mutexes (http://austingroupbugs.net/view.php?id=811), can progress be made on fixing this?
Comment 20 Torvald Riegel 2014-06-20 18:30:03 UTC
That's already work in progress.
Comment 21 Sourceware Commits 2015-01-21 05:57:03 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  042e1521c794a945edc43b5bfa7e69ad70420524 (commit)
      from  a8db092ec0c6742a9d41e1715946e90d4edfeec1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=042e1521c794a945edc43b5bfa7e69ad70420524

commit 042e1521c794a945edc43b5bfa7e69ad70420524
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Wed Jan 21 00:46:16 2015 -0500

    Fix semaphore destruction (bug 12674).
    
    This commit fixes semaphore destruction by either using 64b atomic
    operations (where available), or by using two separate fields when only
    32b atomic operations are available.  In the latter case, we keep a
    conservative estimate of whether there are any waiting threads in one
    bit of the field that counts the number of available tokens, thus
    allowing sem_post to atomically both add a token and determine whether
    it needs to call futex_wake.
    
    See:
    https://sourceware.org/ml/libc-alpha/2014-12/msg00155.html

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                         |   52 +++
 NEWS                                              |   25 +-
 nptl/DESIGN-sem.txt                               |   46 --
 nptl/Makefile                                     |    5 +-
 nptl/sem_getvalue.c                               |   26 +-
 nptl/sem_init.c                                   |   35 +-
 nptl/sem_open.c                                   |    9 +-
 nptl/sem_post.c                                   |   67 +++-
 nptl/sem_timedwait.c                              |   96 +----
 nptl/sem_trywait.c                                |   50 ---
 nptl/sem_wait.c                                   |  101 ++---
 nptl/sem_waitcommon.c                             |  467 +++++++++++++++++++++
 nptl/structsem.sym                                |   12 -
 nptl/tst-sem11.c                                  |    9 +-
 nptl/tst-sem13.c                                  |   18 +-
 sysdeps/nptl/internaltypes.h                      |   24 +-
 sysdeps/unix/sysv/linux/alpha/sem_post.c          |    5 -
 sysdeps/unix/sysv/linux/i386/i486/sem_post.S      |  150 -------
 sysdeps/unix/sysv/linux/i386/i486/sem_timedwait.S |  327 --------------
 sysdeps/unix/sysv/linux/i386/i486/sem_trywait.S   |   67 ---
 sysdeps/unix/sysv/linux/i386/i486/sem_wait.S      |  343 ---------------
 sysdeps/unix/sysv/linux/i386/i586/sem_post.S      |   19 -
 sysdeps/unix/sysv/linux/i386/i586/sem_timedwait.S |   19 -
 sysdeps/unix/sysv/linux/i386/i586/sem_trywait.S   |   19 -
 sysdeps/unix/sysv/linux/i386/i586/sem_wait.S      |   19 -
 sysdeps/unix/sysv/linux/i386/i686/sem_post.S      |   19 -
 sysdeps/unix/sysv/linux/i386/i686/sem_timedwait.S |   19 -
 sysdeps/unix/sysv/linux/i386/i686/sem_trywait.S   |   19 -
 sysdeps/unix/sysv/linux/i386/i686/sem_wait.S      |   19 -
 sysdeps/unix/sysv/linux/powerpc/sem_post.c        |   71 ----
 sysdeps/unix/sysv/linux/x86_64/sem_post.S         |   75 ----
 sysdeps/unix/sysv/linux/x86_64/sem_timedwait.S    |  380 -----------------
 sysdeps/unix/sysv/linux/x86_64/sem_trywait.S      |   47 --
 sysdeps/unix/sysv/linux/x86_64/sem_wait.S         |  176 --------
 34 files changed, 732 insertions(+), 2103 deletions(-)
 delete mode 100644 nptl/DESIGN-sem.txt
 delete mode 100644 nptl/sem_trywait.c
 create mode 100644 nptl/sem_waitcommon.c
 delete mode 100644 nptl/structsem.sym
 delete mode 100644 sysdeps/unix/sysv/linux/alpha/sem_post.c
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i486/sem_post.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i486/sem_timedwait.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i486/sem_trywait.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i486/sem_wait.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i586/sem_post.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i586/sem_timedwait.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i586/sem_trywait.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i586/sem_wait.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i686/sem_post.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i686/sem_timedwait.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i686/sem_trywait.S
 delete mode 100644 sysdeps/unix/sysv/linux/i386/i686/sem_wait.S
 delete mode 100644 sysdeps/unix/sysv/linux/powerpc/sem_post.c
 delete mode 100644 sysdeps/unix/sysv/linux/x86_64/sem_post.S
 delete mode 100644 sysdeps/unix/sysv/linux/x86_64/sem_timedwait.S
 delete mode 100644 sysdeps/unix/sysv/linux/x86_64/sem_trywait.S
 delete mode 100644 sysdeps/unix/sysv/linux/x86_64/sem_wait.S
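
Added example (not part of the original thread and not glibc source): a single-threaded C model of the interleaving reproduced in this report, next to the single 64-bit word approach that the commit message above describes. The struct layouts, function names and poison byte are assumptions made for illustration, and only the 64-bit variant is modelled.

```c
/* Added example: single-threaded model, not glibc source.
   Layouts, names and the poison byte are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_FUTEX_WAKE    1u    /* value of Linux FUTEX_WAKE */
#define MODEL_FUTEX_PRIVATE 128u  /* value of Linux FUTEX_PRIVATE_FLAG */
#define POISON              0x01  /* constructed fill byte for reused memory */
#define NWAITERS_SHIFT      32

/* What sem_post would pass to the futex syscall, if it calls it at all. */
struct wake { int call_futex; uint32_t op; };

/* Old layout as in the report: value at offset 0, nwaiters at offset 8. */
struct old_sem { uint32_t value; uint32_t private_flag; uint64_t nwaiters; };

/* Modelled new layout: tokens (low 32 bits) and waiter count (high 32 bits)
   share one 64-bit word, so a single atomic operation observes both. */
struct new_sem { uint64_t data; uint32_t private_flag; };

/* Values sem_post holds in locals once its one atomic operation is done. */
struct post_locals { uint64_t old_data; uint32_t private_flag; };

/* Old sem_post, first half: publish the token. */
static void old_post_publish(struct old_sem *s) {
    __atomic_fetch_add(&s->value, 1, __ATOMIC_RELEASE);
}

/* Old sem_post, second half: reads the semaphore after the token is
   visible, so a waiter may already have destroyed it. */
static struct wake old_post_finish(const struct old_sem *s) {
    struct wake w = { 0, 0 };
    if (s->nwaiters != 0) {
        w.call_futex = 1;
        w.op = MODEL_FUTEX_WAKE | s->private_flag;
    }
    return w;
}

/* Waiter that finds a token, returns without blocking, destroys the
   semaphore and has its storage reused (modelled by poisoning it). */
static int old_wait_then_destroy(struct old_sem *s) {
    if (s->value == 0)
        return 0;                         /* would block; not modelled */
    __atomic_fetch_sub(&s->value, 1, __ATOMIC_ACQUIRE);
    memset(s, POISON, sizeof *s);
    return 1;
}

/* New sem_post, first half: load the private flag, then add a token and
   fetch the old waiter count in one atomic step. Last access to *s. */
static struct post_locals new_post_publish(struct new_sem *s) {
    struct post_locals l;
    l.private_flag = s->private_flag;
    l.old_data = __atomic_fetch_add(&s->data, 1, __ATOMIC_RELEASE);
    return l;
}

/* New sem_post, second half: takes no semaphore pointer at all. */
static struct wake new_post_finish(struct post_locals l) {
    struct wake w = { 0, 0 };
    if ((l.old_data >> NWAITERS_SHIFT) != 0) {
        w.call_futex = 1;
        w.op = MODEL_FUTEX_WAKE | l.private_flag;
    }
    return w;
}

static int new_wait_then_destroy(struct new_sem *s) {
    if ((uint32_t)s->data == 0)
        return 0;                         /* would block; not modelled */
    __atomic_fetch_sub(&s->data, 1, __ATOMIC_ACQUIRE);
    memset(s, POISON, sizeof *s);
    return 1;
}

/* Interleaving from the report: poster publishes, waiter runs to
   completion and destroys, poster resumes. No waiter ever blocked. */
static struct wake run_old(void) {
    struct old_sem s = { 0, MODEL_FUTEX_PRIVATE, 0 };
    old_post_publish(&s);
    old_wait_then_destroy(&s);
    return old_post_finish(&s);
}

static struct wake run_new(void) {
    struct new_sem s = { 0, MODEL_FUTEX_PRIVATE };
    struct post_locals l = new_post_publish(&s);
    new_wait_then_destroy(&s);
    return new_post_finish(l);
}

/* Control: a waiter had already registered, so a wake is really needed. */
static struct wake run_new_with_blocked_waiter(void) {
    struct new_sem s = { (uint64_t)1 << NWAITERS_SHIFT, MODEL_FUTEX_PRIVATE };
    return new_post_finish(new_post_publish(&s));
}

int main(void) {
    struct wake o = run_old(), n = run_new(), b = run_new_with_blocked_waiter();
    printf("old:          call_futex=%d op=0x%x\n", o.call_futex, (unsigned)o.op);
    printf("new:          call_futex=%d op=0x%x\n", n.call_futex, (unsigned)n.op);
    printf("new, blocked: call_futex=%d op=0x%x\n", b.call_futex, (unsigned)b.op);
    return 0;
}
```

In the old model both the wake decision and the futex operation are taken from poisoned memory; in the new model they depend only on values the poster already held when the waiter became able to run.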
Comment 22 Carlos O'Donell 2015-01-21 05:59:45 UTC
Fixed by commit 042e1521c794a945edc43b5bfa7e69ad70420524
Comment 23 Sourceware Commits 2015-02-06 15:33:44 UTC
The annotated tag, glibc-2.21 has been created
        at  dee233133daf497cdb3a507a7da9d88414820a1f (tag)
   tagging  4e42b5b8f89f0e288e68be7ad70f9525aebc2cff (commit)
  replaces  glibc-2.20
 tagged by  Carlos O'Donell
        on  Fri Feb 6 01:42:58 2015 -0500

- Log -----------------------------------------------------------------
The GNU C Library
=================

The GNU C Library version 2.21 is now available.

The GNU C Library is used as *the* C library in the GNU system and
in GNU/Linux systems, as well as many other systems that use Linux
as the kernel.

The GNU C Library is primarily designed to be a portable
and high performance C library.  It follows all relevant
standards including ISO C11 and POSIX.1-2008.  It is also
internationalized and has one of the most complete
internationalization interfaces known.

The GNU C Library webpage is at http://www.gnu.org/software/libc/

Packages for the 2.21 release may be downloaded from:
        http://ftpmirror.gnu.org/libc/
        http://ftp.gnu.org/gnu/libc/

The mirror list is at http://www.gnu.org/order/ftp.html

NEWS for version 2.21
=====================

* The following bugs are resolved with this release:

  6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498,
  15215, 15378, 15884, 16009, 16418, 16191, 16469, 16576, 16617, 16618,
  16619, 16657, 16740, 16857, 17192, 17266, 17273, 17344, 17363, 17370,
  17371, 17411, 17460, 17475, 17485, 17501, 17506, 17508, 17522, 17555,
  17570, 17571, 17572, 17573, 17574, 17582, 17583, 17584, 17585, 17589,
  17594, 17601, 17608, 17616, 17625, 17630, 17633, 17634, 17635, 17647,
  17653, 17657, 17658, 17664, 17665, 17668, 17682, 17702, 17717, 17719,
  17722, 17723, 17724, 17725, 17732, 17733, 17744, 17745, 17746, 17747,
  17748, 17775, 17777, 17780, 17781, 17782, 17791, 17793, 17796, 17797,
  17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
  17892.

* CVE-2015-1472 Under certain conditions wscanf can allocate too little
  memory for the to-be-scanned arguments and overflow the allocated
  buffer.  The implementation now correctly computes the required buffer
  size when using malloc.

* A new semaphore algorithm has been implemented in generic C code for all
  machines. Previous custom assembly implementations of semaphore were
  difficult to reason about or ensure that they were safe. The new version
  of semaphore supports machines with 64-bit or 32-bit atomic operations.
  The new semaphore algorithm is used by sem_init, sem_open, sem_post,
  sem_wait, sem_timedwait, sem_trywait, and sem_getvalue.

* Port to Altera Nios II has been contributed by Mentor Graphics.

* Optimized strcpy, stpcpy, strncpy, stpncpy, strcmp, and strncmp
  implementations for powerpc64/powerpc64le.
  Implemented by Adhemerval Zanella (IBM).

* Added support for TSX lock elision of pthread mutexes on powerpc32, powerpc64
  and powerpc64le.  This may improve lock scaling of existing programs on
  HTM capable systems.  The lock elision code is only enabled with
  --enable-lock-elision=yes.  Also, the TSX lock elision implementation for
  powerpc will issue a transaction abort on every syscall to avoid side
  effects being visible outside transactions.

* Optimized strcpy, stpcpy, strchrnul and strrchr implementations for
  AArch64.  Contributed by ARM Ltd.

* i386 memcpy functions optimized with SSE2 unaligned load/store.

* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
  under certain input conditions resulting in the execution of a shell for
  command substitution when the application did not request it. The
  implementation now checks WRDE_NOCMD immediately before executing the
  shell and returns the error WRDE_CMDSUB as expected.

* CVE-2012-3406 printf-style functions could run into a stack overflow when
  processing format strings with a large number of format specifiers.

* CVE-2014-9402 The nss_dns implementation of getnetbyname could run into an
  infinite loop if the DNS response contained a PTR record of an unexpected
  format.

* The minimum GCC version that can be used to build this version of the GNU
  C Library is GCC 4.6.  Older GCC versions, and non-GNU compilers, can
  still be used to compile programs using the GNU C Library.

* The GNU C Library is now built with -Werror by default.  This can be
  disabled by configuring with --disable-werror.

* New locales: tu_IN, bh_IN, raj_IN, ce_RU.

* The obsolete sigvec function has been removed.  This was the original
  4.2BSD interface that inspired the POSIX.1 sigaction interface, which
  programs have been using instead for about 25 years.  Of course, ABI
  compatibility for old binaries using sigvec remains intact.

* Merged gettext 0.19.3 into the intl subdirectory.  This fixes building
  with newer versions of bison.

* Support for MIPS o32 FPXX, FP64A and FP64 ABI Extensions.
  The original MIPS o32 hard-float ABI requires an FPU where double-precision
  registers overlay two consecutive single-precision registers.  MIPS32R2
  introduced a new FPU mode (FR=1) where double-precision registers extend the
  corresponding single-precision registers which is incompatible with the
  o32 hard-float ABI.  The MIPS SIMD ASE and the MIPSR6 architecture both
  require the use of FR=1 making a transition necessary.  New o32 ABI
  extensions enable users to migrate over time from the original o32 ABI
  through to the updated o32 FP64 ABI.  To achieve this the dynamic linker now
  tracks the ABI of any loaded object and verifies that new objects are
  compatible.  Mode transitions will also be requested as required and
  unsupportable objects will be rejected.  The ABI checks include both soft and
  hard float ABIs for o32, n32 and n64.

  GCC 5 with GNU binutils 2.25 onwards:
  It is strongly recommended that all o32 system libraries are built using the
  new o32 FPXX ABI (-mfpxx) to facilitate the transition as this is compatible
  with the original and all new o32 ABI extensions.  Configure a MIPS GCC
  compiler using --with-fp-32=xx to set this by default.

Contributors
============

This release was made possible by the contributions of many people.
The maintainers are grateful to everyone who has contributed
changes or bug reports.  These include:

Adhemerval Zanella
Alan Hayward
Alexandre Oliva
Allan McRae
Anders Kaseorg
Andreas Krebbel
Andreas Schwab
Andrew Pinski
Andrew Senkevich
Anton Blanchard
Arjun Shankar
Aurelien Jarno
Bram
Brooks Moses
Carlos O'Donell
Chris Metcalf
Chung-Lin Tang
David Holsgrove
David S. Miller
Eric Biggers
Florian Weimer
Gratian Crisan
H.J. Lu
J. Brown
James Lemke
Jeff Law
Jose E. Marchesi
Joseph Myers
Kaz Kojima
Kostya Serebryany
Leonhard Holz
Ma Shimiao
Maciej W. Rozycki
Marcus Shawcroft
Marek Polacek
Martin Sebor
Matthew Fortune
Mike Frysinger
Ondřej Bílka
Paul Eggert
Paul Pluzhnikov
Petar Jovanovic
Pravin Satpute
Rajalakshmi Srinivasaraghavan
Rasmus Villemoes
Renlin Li
Richard Earnshaw
Richard Henderson
Roland McGrath
Ryan Cumming
Samuel Thibault
Siddhesh Poyarekar
Stefan Liebler
Steve Ellcey
Tatiana Udalova
Tim Lammens
Tom de Vries
Torvald Riegel
Vladimir A. Nazarenko
Wilco Dijkstra
Will Newton

Adhemerval Zanella (35):
      PowerPC: multiarch bzero cleanup for PPC64
      PowerPC: memset optimization for POWER8/PPC64
      powerpc: remove linux lowlevellock.h
      powerpc: Fix encoding of POWER8 instruction
      powerpc: Simplify encoding of POWER8 instruction
      libio: Refactor tst-fmemopen to use test-skeleton.c
      powerpc: Fix missing barriers in atomic_exchange_and_add_{acq,rel}
      powerpc: Add powerpc64 strspn optimization
      powerpc: Add powerpc64 strcspn optimization
      powerpc: Add powerpc64 strpbrk optimization
      libio: Fix buffer overrun in tst-ftell-active-handler
      libio: Fix variable aligment in tst-ftell-active-handler
      powerpc: Fix lgammal_r overflow warnings
      Fix __sendmmsg prototype guards
      stdio-common: Include <libc-internal.h> in some tests
      Function declaration cleanup
      mips: Fix __libc_pread prototype
      powerpc: Fix compiler warning on some syscalls
      powerpc: Add the lock elision using HTM
      powerpc: Add adaptive elision to rwlocks
      powerpc: abort transaction in syscalls
      powerpc: Fix Copyright dates and CL entry
      Add x86 32 bit vDSO time function support
      powerpc: Optimized st{r,p}cpy for POWER8/PPC64
      powerpc: Optimized strcat for POWER8/PPC64
      powerpc: Optimized strncat for POWER7/PPC64
      powerpc: Optimized st{r,p}ncpy for POWER8/PPC64
      powerpc: Optimized strcmp for POWER8/PPC64
      powerpc: Optimized strncmp for POWER8/PPC64
      powerpc: Fix POWER7/PPC64 performance regression on LE
      BZ #16418: Fix powerpc get_clockfreq raciness
      powerpc: Fix ifuncmain6pie failure with GCC 4.9
      powerpc: Fix powerpc64 build failure with binutils 2.22
      powerpc: Fix fsqrt build in libm [BZ#16576]
      powerpc: Fix fesetexceptflag [BZ#17885]

Alan Hayward (1):
      [AArch64] Add ipc.h.

Alexandre Oliva (6):
      Require check-safety.sh to pass; wish for check that all fns are documented
      manual: cuserid is mtasurace if not passed a string
      ctermid: return string literal, document MT-Safety pitfall
      BZ#14498: fix infinite loop in nss_db_getservbyname
      BZ#16469: don't drop trailing dot in res_nquerydomain(..., name, NULL, ...)
      BZ#16469: resolv: skip leading dot in domain to search

Allan McRae (5):
      Open development for 2.21
      Update Russian translation
      Update French translation
      stdio-common/Makefile: readd bug26 testcase
      Label CVE-2014-9402 in NEWS

Anders Kaseorg (2):
      manual: Remove incorrect claim that qsort() can be stabilized
      manual: Correct guarantee about pointers compared by qsort()

Andreas Krebbel (2):
      stdlib/longlong.h: Add __udiv_w_sdiv prototype.
      iconv: Suppress array out of bounds warning.

Andreas Schwab (20):
      Handle zero prefix length in getifaddrs (BZ #17371)
      Fix misdetected Slow_SSE4_2 cpu feature bit (bug 17501)
      Don't error out writing a multibyte character to an unbuffered stream (bug 17522)
      Remove unused include
      m68k: don't expect PLT reference to __tls_get_addr
      Don't touch user-controlled stdio locks in forked child (bug 12847)
      Update NEWS
      Remove duplication from gconv-modules
      Properly handle forced elision in pthread_mutex_trylock (bug 16657)
      Remove obsolete comment
      Constify string parameters
      Fix printf format error
      Fix changelog typo
      m68k: remove @PLTPC from _dl_init call
      Remove 17581 from NEWS
      m68k: force inlining bswap functions
      m68k: fix missing definition of __feraiseexcept
      m68k/coldfire: avoid warning about volatile register variables
      ia64: avoid set-but-not-used warning
      Include <signal.h> in sysdeps/nptl/allocrtsig.c

Andrew Pinski (1):
      AArch64: Reformat inline-asm in elf_machine_load_address

Andrew Senkevich (4):
      Update minimal required bunutils version to 2.22
      i386: memcpy functions with SSE2 unaligned load/store
      i386: Fix build by GCC 5.0
      Remove duplicated -frounding-math

Anton Blanchard (1):
      powerpc: Fix __arch_compare_and_exchange_bool_64_rel

Arjun Shankar (6):
      New test for ftime
      Write errors to stdout and not stderr in nptl/tst-setuid3.c
      Modify several tests to use test-skeleton.c
      Modify stdio-common/tst-fseek.c to use test-skeleton.c
      Modify stdlib/tst-bsearch.c to use test-skeleton.c
      Modify libio/tst-fopenloc.c to use test-skeleton.c

Aurelien Jarno (2):
      resolv: improve comments about nserv and nservall
      resolv: fix rotate option

Bram (1):
      Fix segmentation fault when LD_LIBRARY_PATH contains only non-existings paths

Brooks Moses (1):
      sysdeps/x86_64/start.S doesn't have a .size elf directive for _start.

Carlos O'Donell (22):
      HPPA: Transition to new non-addon NPTL.
      HPPA: Add c++-types.data.
      Correctly size profiling reloc table (bug 17411)
      hppa: Make __SIGRTMIN 32 (ABI break).
      elf/dl-load.c: Use __strdup.
      manual/llio.texi: Add Linux-specific comments for write().
      Run check-localpltk/textrel/execstack over ld.so.
      manual/llio.texi: Comment on write atomicity.
      CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
      Expand comments in elf/ldconfig.c (search_dir)
      Use ALIGN_UP in nptl/nptl-init.c
      Fix indenting in bits/ioctl-types.h.
      Update libc.pot:
      Regenerate INSTALL.
      Fix semaphore destruction (bug 12674).
      Fix recursive dlopen.
      tst-getpw: Rewrite.
      Update copyright year to 2015 for new files.
      hppa: Remove warnings and fix conformance errors.
      glibc 2.21 pre-release update.
      hppa: Sync with pthread.h.
      Update version.h and include/features.h for 2.21 release

Chris Metcalf (32):
      tile: remove linux lowlevellock.h
      tilegx: optimize string copy_byte() internal function
      tilegx: provide optimized strnlen, strstr, and strcasestr
      tile: add support for _SC_LEVEL*CACHE* sysconf() queries
      tile: optimize memcmp
      tile: make the prolog of clone() more conformant
      tile: add clock_gettime support via vDSO
      tile: fix copyright header blocks in just-committed files
      tile: add inhibit_loop_to_libcall to string functions
      math: increase timeout for math/atest-*.c
      iconvdata/tst-loading: bump up timeout to 10s
      tilegx: fix strstr to build and link better
      tile: provide localplt.data with __tls_get_addr optional
      tile: remove localplt.data and use generic one again.
      tile: separate ffsll from ffs
      Update NEWS and ChangeLog with two tile bug fixes.
      tilegx: remove implicit boolean conversion in strstr.
      Fix namespace conformance issue with Bessel functions.
      NEWS: mention bug fix for 17747.
      tilegx: enable wordsize-64 support for ieee745 dbl-64.
      tilegx32: avoid a a -Werror warning from unwinding
      tilegx: fix sysdep.h to avoid a redefinition warning
      linux/clock_settime: remove unnecessary vDSO definitions
      tile: add no-op fe*() routines for libc internal use
      posix/Makefile: use $(objpfx) for files in before-compile.
      tile: prefer inlines to macros in math_private.h.
      Fix a couple of -Wundef warnings.
      Fix some warnings in the absence of FP round/exception support
      lround: provide cast for wordsize-64 version if needed
      tile: check error properly for vDSO calls
      posix/regcomp: initialize union structure tag to avoid warning
      tilegx32: set __HAVE_64B_ATOMICS to 0

Chung-Lin Tang (4):
      Add Nios II definitions to elf/elf.h.
      Remove divide from _ELF_DYNAMIC_DO_RELOC in elf/dynamic-link.h.
      Commit nios2 port to master.
      Function name typo error in non-PIC case, fixed in this patch.

David Holsgrove (3):
      MicroBlaze: Fix integer-pointer conversion warning
      MicroBlaze: Fix volatile-register-var warning in READ_THREAD_POINTER
      MicroBlaze: Avoid pointer to integer conversion warning

David S. Miller (6):
      Fix sparc build.
      Fix array bounds warnings in elf_get_dyanmic_info() on sparc with gcc-4.6
      Fix soft-fp build warning on sparc about strict aliasing.
      Fix scanf15.c testsuite build on sparc.
      Fix sparc semaphore implementation after recent changes.
      Fix two bugs in sparc atomics.

Eric Biggers (1):
      setenv fix memory leak when setting large, duplicate string (BZ #17658)

Florian Weimer (6):
      Turn on -Werror=implicit-function-declaration
      malloc: additional unlink hardening for non-small bins [BZ #17344]
      Complete the removal of __gconv_translit_find
      Update NEWS for bug 17608
      Avoid infinite loop in nss_dns getnetbyname [BZ #17630]
      iconvdata/run-iconv-test.sh: Actually test iconv modules

Gratian Crisan (1):
      arm: Re-enable PI futex support for ARM kernels >= 3.14.3

H.J. Lu (27):
      Require autoconf 2.69
      Resize DTV if the current DTV isn't big enough
      Mention fix for PR 13862
      Replace 1L with (mp_limb_t) 1
      Compile s_llround.c with -Wno-error for x32 build
      Replace -Wno-error with -fno-builtin-lround
      Remove @PLT from "call _dl_init@PLT" in _dl_start_user
      Add hidden __tls_get_addr/___tls_get_addr alias
      Replace %ld with %jd and cast to intmax_t
      Replace %ld with %jd and cast to intmax_t
      Replace %ld with %jd and cast to intmax_t
      Replace %ld with %jd and cast to intmax_t
      Replace %ld/%lu with %jd/%ju and cast to intmax_t/uintmax_t
      Replace %ld with %jd and cast to intmax_t
      Replace %ld with %jd and cast to intmax_t
      Replace %ld with %jd and cast to intmax_t
      Replace %ld with %jd and cast to intmax_t
      Mention fix for BZ #17732
      Mention i386 memcpy with SSE2 unaligned load/store
      Don't check PI_STATIC_AND_HIDDEN in i386 dl-machine.h
      Define CLOCKS_PER_SEC type to the type clock_t
      Mention bug fix for BZ #17806
      Use uint64_t and (uint64_t) 1 for 64-bit int
      Also use uint64_t in __new_sem_wait_fast
      Treat model numbers 0x4a/0x4d as Silvermont
      Also treat model numbers 0x5a/0x5d as Silvermont
      Use AVX unaligned memcpy only if AVX2 is available

J. Brown (1):
      Recognize recent x86 CPUs in string.h

James Lemke (2):
      Fix for test "malloc_usable_size: expected 7 but got 11"
      Fix for test "malloc_usable_size: expected 7 but got 11"

Jeff Law (1):
      CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]

Jose E. Marchesi (1):
      Fix sparc struct fpu definition.

Joseph Myers (141):
      Add new Linux 3.16 constants to netinet/udp.h.
      Move architecture-specific shlib-versions entries to sysdeps files.
      Move OS-specific shlib-versions entries to sysdeps files.
      Use %ifdef in sysdeps/unix/sysv/linux/powerpc/powerpc64/shlib-versions.
      Remove configuration name patterns from shlib-versions.
      Remove bitrotten --enable-oldest-abi (bug 6652).
      soft-fp: Correct _FP_TO_INT formatting.
      soft-fp: Fix comment formatting.
      Move some setrlimit definitions to syscalls.list (bug 14138).
      Clean up gnu/lib-names.h generation (bug 14171).
      Remove shlib-versions entries redundant with DEFAULT entries.
      Run tst-ld-sse-use.sh with bash.
      Move some *at definitions to syscalls.list (bug 14138).
      Move execve to syscalls.list (bug 14138).
      Move some chown / lchown / fchown definitions to syscalls.list (bug 14138).
      Support and use mixed compat/non-compat aliases in syscalls.list.
      Don't use INTUSE with __adjtimex (bug 14132).
      soft-fp: Remove FP_CLEAR_EXCEPTIONS.
      soft-fp: Make extensions of subnormals from XFmode to TFmode signal underflow if traps enabled.
      soft-fp: Refactor exception handling for comparisons.
      soft-fp: Fix _FP_TO_INT latent bug in overflow handling.
      soft-fp: Add FP_DENORM_ZERO.
      Remove stray *_internal aliases (bug 14132).
      Don't use INTDEF/INTUSE with __cxa_atexit (bug 14132).
      soft-fp: Support more precise "invalid" exceptions.
      soft-fp: Support rsigned == 2 in _FP_TO_INT.
      soft-fp: Use parentheses around macro arguments.
      Don't use INTVARDEF/INTUSE with __libc_enable_secure (bug 14132).
      Remove CANCEL-FCT-WAIVE and CANCEL-FILE-WAIVE.
      conformtest: clean up POSIX expections for sys/utsname.h, sys/wait.h.
      Move readv and writev definitions to syscalls.list (bug 14138).
      Don't use INTDEF with __ldexpf (bug 14132).
      Don't use INTDEF for powerpc32 compat symbols (bug 14132).
      Move some chown / lchown / fchown definitions to syscalls.list (bug 14138).
      Move get*id and getgroups definitions to syscalls.list (bug 14138).
      Move setfsgid/setfsuid definitions to syscalls.list (bug 14138).
      Don't use INTDEF/INTUSE in unwind-dw2-fde.c (bug 14132).
      Remove __libc_creat function name.
      Remove __libc_readv and __libc_writev function names.
      Move powerpc64 pread/pwrite definitions to syscalls.list (bug 14138).
      Add bug 15215 to NEWS; move bug 17344 to correct version's list in NEWS.
      Remove __libc_pselect alias.
      Update autoconf version requirement in install.texi.
      Make aclocal.m4 comment mention updating install.texi for autoconf version.
      Remove __libc_nanosleep function name.
      soft-fp: Add _FP_TO_INT_ROUND.
      Don't use INTDEF/INTUSE with _dl_argv (bug 14132).
      Don't use INTDEF/INTUSE with _dl_init (bug 14132).
      Don't use INTDEF/INTUSE with _dl_mcount (bug 14132).
      Remove INTDEF / INTUSE / INTVARDEF (bug 14132).
      Remove __libc_waitpid function name.
      Fix tzfile.c namespace (bug 17583).
      Fix __getcwd rewinddir namespace (bug 17584).
      Fix malloc_info namespace (bug 17570).
      Fix qsort_r namespace (bug 17571).
      Fix x86_64 rawmemchr namespace (bug 17572).
      Fix stpcpy / mempcpy namespace (bug 17573).
      Fix __printf_fp wmemset namespace (bug 17574).
      Fix __get_nprocs fgets_unlocked namespace (bug 17582).
      Fix locale memmem namespace (bug 17585).
      Fix localealias.c fgets_unlocked namespace (bug 17589).
      Add tests for namespace for static linking.
      Fix strtoll / strtoull namespace for 32-bit (bug 17594).
      Use prototype definition for __strtol.
      Fix build of C mempcpy and stpcpy.
      Require GCC 4.6 or later to build glibc.
      Only declare __sigpause in installed signal.h when necessary.
      Remove ARM __GNUC_PREREQ(4,4) conditionals.
      Remove x86_64 __GNUC_PREREQ (4, 6) conditional.
      Fix libm mpone, mptwo namespace (bug 17616).
      Fix perror fileno namespace (bug 17633).
      Fix warning in posix/bug-regex31.c.
      Fix warning in stdio-common/tst-printf-round.c.
      Fix warning in setjmp/jmpbug.c.
      Fix test-strchr.c warnings for wide string testing.
      Remove TEST_IFUNC, tests-ifunc and *-ifunc.c tests.
      Fix warnings in fwscanf / rewind tests.
      FIx ldbl-128ibm frexpl for 32-bit systems (bug 16619, bug 16740).
      Fix sysdeps/unix/sysv/linux/arm/libc-do-syscall.S warning.
      Fix nptl/tst-cancel-self-cancelstate.c warning.
      Fix sysdeps/mips/__longjmp.c warning.
      Avoid warnings for unused results in nscd/connections.c.
      Fix nss/tst-nss-test1.c format warning.
      Fix stdio-common/tst-fmemopen.c format warnings.
      Fix dlfcn/failtestmod.c warning.
      Fix libio/bug-ungetwc1.c warning.
      Avoid deprecated sigblock in misc/tst-pselect.c.
      Make linknamespace tests check only relevant libraries.
      Fix elf/tst-unique4lib.cc warning.
      Fix fgets_unlocked namespace issues (bug 17664).
      Remove excess declarations from unistd.h for XPG3/XPG4 (bug 17665).
      Fix warning in posix/tst-getopt_long1.c.
      Fix -Waddress warnings in nptl/tst-mutex1.c.
      Fix warning in nptl/tst-stack4.c.
      Fix getifaddrs, freeifaddrs namespace (bug 17668).
      Remove some linknamespace test XFAILs.
      Fix linknamespace getdate_err handling.
      Fix linknamespace h_errno handling.
      Fix pthreads getrlimit, gettimeofday namespace (bug 17682).
      Add macros for diagnostic control, use for scanf %a tests.
      Disable -Wdiv-by-zero for some tests in stdio-common/tst-unlockedio.c.
      Disable -Wdeprecated-declarations for register_printf_function calls in tst-printfsz.c.
      Use -Werror by default, add --disable-werror.
      Fix tst-ftell-active-handler.c warning.
      Fix strftime wcschr namespace (bug 17634).
      Fix MIPS sigaction build.
      Fix MIPS waitid build.
      Clean up localedata tests printf formats, don't use -Wno-format.
      Add more headers to include/ for conform tests.
      Move semaphore.h to sysdeps/pthread/.
      Remove some semaphore.h linknamespace XFAILs.
      Fix resolver if_* namespace (bug 17717).
      Fix x86_64 memrchr namespace (bug 17719).
      Fix resolver inet_* namespace (bug 17722).
      Fix profil_counter namespace (bug 17725).
      Fix resolver bind, getsockname namespace (bug 17733).
      Split __kernel_standard* functions (fixes bug 17724).
      Make __ASSUME_UTIMES hppa-specific.
      Fix libm feraiseexcept namespace (bug 17723).
      Clean up powerpc fegetround / __fegetround inlines.
      Fix libm fegetenv namespace (bug 17748).
      Update copyright dates with scripts/update-copyrights.
      Update copyright dates not handled by scripts/update-copyrights.
      Use single year in copyright notice in banner in ntpl/version.c.
      Fix MIPS bits/fcntl.h namespace (bug 17780).
      Fix MIPS sa_flags type (bug 17781).
      Fix MIPS TIOCSER_TEMT namespace (bug 17782).
      Fix libm fegetround namespace (bug 17748).
      Fix wordsize-64 posix_fadvise64, posix_fallocate64 namespace (bug 17777).
      Fix isblank / isascii / toascii namespace (bug 17635).
      Fix ARM posix_fadvise64 namespace (bug 17793).
      Fix MIPS n64 posix_fadvise namespace (bug 17796).
      Fix libm feholdexcept namespace (bug 17748).
      Fix libm fesetenv namespace (bug 17748).
      Fix libm fesetround namespace (bug 17748).
      Fix libm feupdateenv namespace (bug 17748).
      Fix ldbl-96 scalblnl for subnormal arguments (bug 17834).
      Fix ldbl-96 scalblnl underflowing results (bug 17803).
      Fix powerpc-nofpu fesetenv namespace (bug 17748).
      soft-fp: Use __label__ for all labels within macros.
      Disable 64-bit atomics for MIPS n32.

Kaz Kojima (1):
      * Fix SH specific compiler warnings which are for integer-pointer

Kostya Serebryany (3):
      remove nested function hack_digit
      remove nested functions from elf/dl-deps.c
      remove nested functions from elf/dl-load.c

Leonhard Holz (4):
      strcoll: improve performance by removing the cache (#15884)
      Fix tst-strcoll-overflow returning before timeout (BZ #17506)
      Speed up strcoll by inlining
      Fix memory handling in strxfrm_l [BZ #16009]

Ma Shimiao (1):
      manual: fix addmntent's MT-Safety race annotation

Maciej W. Rozycki (1):
      MIPS: Avoid a dangling `vfork@GLIBC_2.0' reference

Marcus Shawcroft (1):
      Fix ChangeLog formatting of previous commit.

Marek Polacek (1):
      Fix tst_wcscpy.c test.

Martin Sebor (1):
      Clarify math/README.libm-test. Add "How to read the test output."

Matthew Fortune (5):
      Add a hook to enable load-time inspection of program headers
      Add support for MIPS O32 FPXX and .MIPS.abiflags
      Fix MIPS variable PAGE_SIZE bug (16191)
      NEWS for MIPS ABIs
      MicroBlaze: Fix BZ17791 - Remove fixed page size macros and others

Mike Frysinger (1):
      arm: drop EABI check

Ondřej Bílka (8):
      Sync recvmmsg prototype with kernel usage.
      Fix typo in changelog.
      Return allocated array instead of unallocated.
      Simplify strncat.
      Clean up check_pf allocation pattern. addresses
      Add changelog
      Suppress warning in string/tester.c for gcc 4.9
      Revert "Suppress warning in string/tester.c for gcc 4.9"

Paul Eggert (1):
      fnmatch: work around GCC compiler warning bug with uninit var

Paul Pluzhnikov (1):
      CVE-2015-1472: wscanf allocates too little memory

Petar Jovanovic (1):
      mips: Do not use jal to reach __libc_start_main

Pravin Satpute (2):
      New locale ce_RU (BZ #17192)
      New locale raj_IN (#16857)

Rajalakshmi Srinivasaraghavan (3):
      powerpc: strtok{_r} optimization for powerpc64
      powerpc: POWER7 strcpy optimization for unaligned strings
      powerpc: Optimize POWER7 strcmp trailing checks

Rasmus Villemoes (1):
      Fix prototype of eventfd.

Renlin Li (1):
      [AArch64] End frame record chain correctly.

Richard Earnshaw (5):
      [AArch64] Add optimized strchrnul.
      [AArch64] Fix strchrnul clobbering v15
      * string/stpcpy.c (__stpcpy): Rewrite using strlen and memcpy.
      AArch64 optimized implementation of strrchr.
      AArch64: Optimized implementations of strcpy and stpcpy.

Richard Henderson (2):
      alpha: Fix soft-fp breakage
      Add -Wno-trampolines as needed

Roland McGrath (62):
      Move findidx nested functions to top-level.
      Don't use a nested function in rpmatch.
      Minor cleanup in ld-ctype.c
      Minor cleanup in locale.c
      Remove unnecessarily nested function in do_lookup_unique.
      BZ#17460: Fix buffer overrun in nscd --help.
      Remove sysdeps/arm/soft-fp directory.
      Fix NPTL build error when missing __NR_set_robust_list.
      NPTL: Conditionalize more uses of SIGCANCEL and SIGSETXID.
      NPTL: Conditionalize direct futex syscall uses.
      NPTL: Clean up THREAD_SYSINFO macros.
      Remove obsolete TLS_DEFINE_INIT_TP fallback.
      Make internal lock-init macros return void.
      NPTL: Add some missing #include's
      NPTL: Clean up gratuitous Linuxism in libpthread.so entry point.
      Tiny refactoring in fts to eliminate a warning.
      Avoid local PLT reference in __nptl_main.
      ARM: Use movw/movt more when available
      Rework some nscd code not to use variable-length struct types.
      Prototypify htonl and htons definitions.
      Rework compiler version check in configure.
      Clean up wchar_t conversion code in iconv program.
      Clean up internal ctype.h header.
      BZ#17496: Fix gnu/lib-names.h dependency.
      NPTL: Move __libc_multiple_threads_ptr defn to nptl-init.c
      Remove sigvec.
      NPTL: Refactor createthread.c
      NPTL: Move Linux-specific createthread.c to sysdeps.
      NPTL: Add stub createthread.c
      Test that pthread_create diagnoses invalid scheduling parameters.
      NPTL: Don't (re)validate sched_priority in pthread_create.
      NPTL: Refactor scheduler setup in pthread_create.
      NPTL: Conditionalize asynchronous cancellation support on [SIGCANCEL].
      NPTL: Use __libc_fatal in unwind.c.
      NPTL: Fix pthread_create regression from default-sched.h refactoring.
      De-warning a few stubs.
      Fix -Wformat-security warnings in posix/regexbug1.c
      Eliminate -Wno-format from printf/scanf tests.
      Suppress -Wformat-security in tst-error1.c.
      Refactor shm_{open,unlink} code to separate Linux-specific directory choice from POSIX-generic code.
      Fix NPTL build for !__ASSUME_SET_ROBUST_LIST case.
      NPTL: Add stubs for Linux-only extension functions.
      NPTL: Refactor named semaphore code to use shm-directory.h
      Use pragmas rather than makefiles for necessary options for unwind code.
      Revert "Use pragmas rather than makefiles for necessary options for unwind code."
      Use PTR_MANGLE on libgcc unwinder function pointers.
      Remove explicit inline on malloc perturb functions.
      Fix stub __if_freenameindex build error.
      NPTL: Remove gratuitous Linuxisms from gai_misc.h.
      NPTL: Move fork state variables to initializer files.
      ARM: Consolidate with generic unwinder wrapper code
      NPTL: Refactor cpu_set_t validation to be sysdeps-controlled
      Add stub sys/procfs.h file
      NPTL: Fixed missed conditionalization of setxid hooey.
      NPTL: Fix generic pthread_sigmask.
      Fix copyright year on new stub sys/procfs.h file.
      Clean up allocrtsig code.
      Some #include cleanup in aio/timer code.
      Fix shm-directory.h #include.
      Remove some references to bcopy/bcmp/bzero.
      Add missing libc_hidden_def to stub getrlimit64.
      Add missing libc_hidden_weak to stub if_nameindex, if_freenameindex.

Ryan Cumming (1):
      Define CLOCK_TAI on Linux (bug 17608)

Samuel Thibault (1):
      hurd: Fix dlopening libraries from static programs

Siddhesh Poyarekar (53):
      Return failure in getnetgrent only when all netgroups have been searched (#17363)
      Enhance tst-xmmymm.sh to detect zmm register usage in ld.so (BZ #16194)
      Fix typo in macro names in sysconf.c
      Add correct variable names for _POSIX_IPV6 and _POSIX_RAW_SOCKETS
      Remove _POSIX_REGEX_VERSION
      Revert to defining __extern_inline only for gcc-4.3+ (BZ #17266)
      Add NEWS entry for previous commit
      Fix memory leak in error path of do_ftell_wide (BZ #17370)
      Make __extern_always_inline usable on clang++ again
      Assume that all _[PS]C_* and _CS_* macros are always defined
      Include .interp section only for libc.so
      Remove CFLAGS for interp.c
      Fix infinite loop in check_pf (BZ #12926)
      Fix up incorrect formatting in last commit
      Fix stack alignment when loader is invoked directly
      Use GOT instead of GOT12 all over
      Add new macro IN_MODULE to identify module in which source is built
      Fix -Wundef warning in SHLIB_COMPAT
      Auto-generate libc-modules.h
      Use MODULE_NAME in stap-probe instead of IN_LIB
      Remove IN_LIB
      Define IN_MODULE for translation units that define NOT_IN_libc
      Remove IS_IN_libc
      Remove IS_IN_ldconfig
      Remove IS_IN_nscd
      Remove IS_IN_libdl
      Remove IS_IN_librt
      Remove IS_IN_libpthread
      Remove IS_IN_libm
      Remove IS_IN_rtld
      Remove last place for definition of IS_IN_* macros
      Remove NOT_IN_libc
      Use IS_IN internally only
      Don't use __warn_memset_zero_len for gcc-5.0 or newer
      Update NEWS for previous two commits
      ftell: seek to end only when there are unflushed bytes (BZ #17647)
      tst-ftell-active-handler: Open file with O_TRUNC for w modes
      Reset cached offset when reading to end of stream (BZ #17653)
      Fix up function definition style
      Fix date in ChangeLog
      Fix another typo in the ChangeLog
      Fix 'array subscript is above array bounds' warning in res_send.c
      Fix the 'array subscript is above array bounds' warning correctly
      Remove Wundef warnings for specification macros
      Add _POSIX namespace SYSCONF macros to posix-conf-vars.list
      Use posix-conf-vars.list to generate spec array
      Make type for spec variable size as size_t
      Use one-dimension arrays in gen-posix-conf-vars.awk
      Remove uses of sprintf in gen-posix-conf-vars.awk
      Fix typo in ChangeLog
      [s390] Define a __tls_get_addr macro to avoid declaring it again
      Initialize nscd stats data [BZ #17892]
      Fix up ChangeLog formatting

Stefan Liebler (13):
      S/390: Get rid of warning: the comparision will always evaluate as false.
      S/390: Get rid of warning unused variable in dl-machine.h.
      S/390: Add SystemTap probes to longjmp and setjmp.
      S/390: dl-machine.h: Use numbered labels in inline assembly.
      Add missing include of libc-internal.h.
      S/390: Get rid of assembler warning value truncated.
      Get rid of warning inlining failed in call to maybe_swap_uint32
      Get rid of warning comparision will always evaluate as true
      resolv: Suppress maybe uninitialized warning
      Get rid of format warning in tst-widetext.c.
      Get rid of format warning in bug-vfprintf-nargs.c.
      S390: Get rid of linknamespace failures for string functions.
      S390: Get rid of linknamespace failures for utmp functions.

Steve Ellcey (19):
      Modify ABI tests in MIPS preconfigure.
      Put mips preconfigure code inside mips* case statement.
      * sysdeps/mips/strcmp.S: New.
      Remove extra whitespace from end of line.
      2014-12-10  Steve Ellcey  <sellcey@imgtec.com>
      2014-12-11  Steve Ellcey  <sellcey@imgtec.com>
      * sysdeps/mips/dl-trampoline.c: Modify switch expression to have
      2014-12-17  Steve Ellcey  <sellcey@imgtec.com>
      2014-12-19  Steve Ellcey  <sellcey@imgtec.com>
      2014-12-19  Steve Ellcey  <sellcey@imgtec.com>
      Remove trailing white space.
      Add missing ChangeLog entries from Friday (Dec 19, 2014).
      Remove trailing whitespace.
      2014-12-22  Steve Ellcey  <sellcey@imgtec.com>
      Fix preprocessor indentation in sysdeps/mips/memcpy.S.
      2015-01-05  Steve Ellcey  <sellcey@imgtec.com>
      2015-01-05  Steve Ellcey  <sellcey@imgtec.com>
      2015-01-05  Steve Ellcey  <sellcey@imgtec.com>
      Merge branch 'master' of ssh://sourceware.org/git/glibc

Tatiana Udalova (1):
      New Bhilodi and Tulu locales (BZ #17475)

Tim Lammens (1):
      Fix memory leak in libio/wfileops.c do_ftell_wide [BZ #17370]

Tom de Vries (1):
      Fix crossreference to nonexistent node BSD Handler

Torvald Riegel (24):
      pthread_once: Clean up constants.
      pthread_once: Add fast path and remove x86 variants.
      Fix SPARC atomic_write_barrier.
      powerpc: Change atomic_write_barrier to have release semantics.
      Add arch-specific configuration for C11 atomics support.
      Add atomic operations similar to those provided by C11.
      Add tests for C11-like atomic operations.
      Use C11 atomics in pthread_once.
      microblaze: 64b atomic operations are not supported.
      Fix synchronization of TPP min/max priorities.
      Remove custom pthread_once implementation on sh.
      Remove custom pthread_once implementation on s390.
      Fix nptl/tst-mutex5.c: Do not skip tests if elision is enabled.
      Fix nptl/tst-sem4: always start with a fresh semaphore.
      Add comments for the generic lowlevellock implementation.
      Fix warning in elf/tst-unique4lib.cc.
      Fix warning in misc/tst-mntent2.c.
      Ignore warning in string/tester.c.
      sh: Remove custom lowlevellock, barrier, condvar, and rwlock implementations.
      Use generic lowlevellock-futex.h in x86_64 lowlevellock.h.
      i386: Move futex functions from lowlevellock.h to lowlevellock-futex.h.
      MicroBlaze: Remove custom pthread_once implementation on microblaze.
      MicroBlaze: Remove custom lowlevellock.h.
      Fix wake-up in sysdeps/nptl/fork.c.

Vladimir A. Nazarenko (1):
      Fix incorrect mount table entry parsing in __getmntent_r

Wilco Dijkstra (18):
      Remove spaces.
      Remove an unused include.
      Cleanup fesetexceptflag to use the same logic as the ARM version. No functional changes.
      Cleanup feclearexcept to use the same logic as the ARM version. No functional changes.
      Cleanup fedisableexcept to use the same logic as the ARM version. No functional changes.
      Cleanup feenableexcept to use the same logic as the ARM version. No functional changes.
      Call get_rounding_mode rather than duplicating functionality.
      Call libc_feholdexcept_aarch64 from math_private.h rather than duplicating functionality.
      Call libc_fetestexcept_aarch64 from math_private.h rather than duplicating functionality.
      This patch improves strcat performance by using strlen and strcpy. Strlen has a fast C
      This patch improves strncat performance by using strlen. Strlen has a fast C implementation, so
      Improve strcpy performance.
      Improve performance of strncpy.
      Fix typo.
      Call libc_fesetround_aarch64.
      Call libc_fetestexcept_aarch64.
      Optimize to reduce FPCR/FPSR accesses.
      Optimize to avoid an unnecessary FPCR read.

Will Newton (10):
      ARM: Don't define _SYS_AUXV_H in sysdep.h
      Allow cross-building of tests
      stdlib/tst-strtod-round.c: Fix build on ARM
      benchtests: Add malloc microbenchmark
      AArch64: Update relocations for ILP32
      AArch64: Use ELF macros rather than Elf64 throughout
      intl: Merge with gettext version 0.19.3
      Bump required version of texinfo to 4.7
      Require bison 2.7 or newer for regenerating intl/plural.y
      ARM: Remove configure check for binutils 2.21 for ARMv7

-----------------------------------------------------------------------