e354a5
commit 17796419b5fd694348cceb65c3f77601faae082c
e354a5
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
e354a5
Date:   Tue Jul 7 10:49:11 2020 +0100
e354a5
e354a5
    rtld: Account static TLS surplus for audit modules
e354a5
    
e354a5
    The new static TLS surplus size computation is
e354a5
    
e354a5
      surplus_tls = 192 * (nns-1) + 144 * nns + 512
e354a5
    
e354a5
    where nns is controlled via the rtld.nns tunable. This commit
e354a5
    accounts audit modules too so nns = rtld.nns + audit modules.
e354a5
    
e354a5
    rtld.nns should only include the namespaces required by the
e354a5
    application, namespaces for audit modules are accounted on top
e354a5
    of that so audit modules don't use up the static TLS that is
e354a5
    reserved for the application. This allows loading many audit
e354a5
    modules without tuning rtld.nns or using up static TLS, and it
e354a5
    fixes
e354a5
    
e354a5
    FAIL: elf/tst-auditmany
e354a5
    
e354a5
    Note that DL_NNS is currently a hard upper limit for nns, and
e354a5
    if rtld.nns + audit modules go over the limit that's a fatal
e354a5
    error. By default rtld.nns is 4 which allows 12 audit modules.
e354a5
    
e354a5
    Counting the audit modules is based on existing audit string
e354a5
    parsing code, we cannot use GLRO(dl_naudit) before the modules
e354a5
    are actually loaded.
e354a5
e354a5
Conflicts:
e354a5
	elf/rtld.c
e354a5
	  (Caused by glibc-fedora-__libc_multiple_libcs.patch.)
e354a5
e354a5
diff --git a/csu/libc-tls.c b/csu/libc-tls.c
e354a5
index 08ed2b988b58ac6c..6f2a47dc86222407 100644
e354a5
--- a/csu/libc-tls.c
e354a5
+++ b/csu/libc-tls.c
e354a5
@@ -132,8 +132,8 @@ __libc_setup_tls (void)
e354a5
 	  break;
e354a5
 	}
e354a5
 
e354a5
-  /* Calculate the size of the static TLS surplus.  */
e354a5
-  _dl_tls_static_surplus_init ();
e354a5
+  /* Calculate the size of the static TLS surplus, with 0 auditors.  */
e354a5
+  _dl_tls_static_surplus_init (0);
e354a5
 
e354a5
   /* We have to set up the TCB block which also (possibly) contains
e354a5
      'errno'.  Therefore we avoid 'malloc' which might touch 'errno'.
e354a5
diff --git a/elf/dl-tls.c b/elf/dl-tls.c
e354a5
index ef57a21391bb36fa..cfda76f6de96df57 100644
e354a5
--- a/elf/dl-tls.c
e354a5
+++ b/elf/dl-tls.c
e354a5
@@ -49,7 +49,10 @@
e354a5
    that affects the size of the static TLS and by default it's small enough
e354a5
    not to cause problems with existing applications. The limit is not
e354a5
    enforced or checked: it is the user's responsibility to increase rtld.nns
e354a5
-   if more dlmopen namespaces are used.  */
e354a5
+   if more dlmopen namespaces are used.
e354a5
+
e354a5
+   Audit modules use their own namespaces, they are not included in rtld.nns,
e354a5
+   but come on top when computing the number of namespaces.  */
e354a5
 
e354a5
 /* Size of initial-exec TLS in libc.so.  */
e354a5
 #define LIBC_IE_TLS 192
e354a5
@@ -60,8 +63,11 @@
e354a5
 /* Size of additional surplus TLS, placeholder for TLS optimizations.  */
e354a5
 #define OPT_SURPLUS_TLS 512
e354a5
 
e354a5
+/* Calculate the size of the static TLS surplus, when the given
e354a5
+   number of audit modules are loaded.  Must be called after the
e354a5
+   number of audit modules is known and before static TLS allocation.  */
e354a5
 void
e354a5
-_dl_tls_static_surplus_init (void)
e354a5
+_dl_tls_static_surplus_init (size_t naudit)
e354a5
 {
e354a5
   size_t nns;
e354a5
 
e354a5
@@ -73,6 +79,11 @@ _dl_tls_static_surplus_init (void)
e354a5
 #endif
e354a5
   if (nns > DL_NNS)
e354a5
     nns = DL_NNS;
e354a5
+  if (DL_NNS - nns < naudit)
e354a5
+    _dl_fatal_printf ("Failed loading %lu audit modules, %lu are supported.\n",
e354a5
+		      (unsigned long) naudit, (unsigned long) (DL_NNS - nns));
e354a5
+  nns += naudit;
e354a5
+
e354a5
   GLRO(dl_tls_static_surplus) = ((nns - 1) * LIBC_IE_TLS
e354a5
 				 + nns * OTHER_IE_TLS
e354a5
 				 + OPT_SURPLUS_TLS);
e354a5
diff --git a/elf/rtld.c b/elf/rtld.c
e354a5
index a440741f4c1b3c91..67441ac6f252350e 100644
e354a5
--- a/elf/rtld.c
e354a5
+++ b/elf/rtld.c
e354a5
@@ -297,6 +297,23 @@ audit_list_next (struct audit_list *list)
e354a5
     }
e354a5
 }
e354a5
 
e354a5
+/* Count audit modules before they are loaded so GLRO(dl_naudit)
e354a5
+   is not yet usable.  */
e354a5
+static size_t
e354a5
+audit_list_count (struct audit_list *list)
e354a5
+{
e354a5
+  /* Restore the audit_list iterator state at the end.  */
e354a5
+  const char *saved_tail = list->current_tail;
e354a5
+  size_t naudit = 0;
e354a5
+
e354a5
+  assert (list->current_index == 0);
e354a5
+  while (audit_list_next (list) != NULL)
e354a5
+    naudit++;
e354a5
+  list->current_tail = saved_tail;
e354a5
+  list->current_index = 0;
e354a5
+  return naudit;
e354a5
+}
e354a5
+
e354a5
 /* Set nonzero during loading and initialization of executable and
e354a5
    libraries, cleared before the executable's entry point runs.  This
e354a5
    must not be initialized to nonzero, because the unused dynamic
e354a5
@@ -734,7 +751,7 @@ match_version (const char *string, struct link_map *map)
e354a5
 static bool tls_init_tp_called;
e354a5
 
e354a5
 static void *
e354a5
-init_tls (void)
e354a5
+init_tls (size_t naudit)
e354a5
 {
e354a5
   /* Number of elements in the static TLS block.  */
e354a5
   GL(dl_tls_static_nelem) = GL(dl_tls_max_dtv_idx);
e354a5
@@ -777,7 +794,7 @@ init_tls (void)
e354a5
   assert (i == GL(dl_tls_max_dtv_idx));
e354a5
 
e354a5
   /* Calculate the size of the static TLS surplus.  */
e354a5
-  _dl_tls_static_surplus_init ();
e354a5
+  _dl_tls_static_surplus_init (naudit);
e354a5
 
e354a5
   /* Compute the TLS offsets for the various blocks.  */
e354a5
   _dl_determine_tlsoffset ();
e354a5
@@ -1659,9 +1676,11 @@ ERROR: '%s': cannot process note segment.\n", _dl_argv[0]);
e354a5
   bool need_security_init = true;
e354a5
   if (audit_list.length > 0)
e354a5
     {
e354a5
+      size_t naudit = audit_list_count (&audit_list);
e354a5
+
e354a5
       /* Since we start using the auditing DSOs right away we need to
e354a5
 	 initialize the data structures now.  */
e354a5
-      tcbp = init_tls ();
e354a5
+      tcbp = init_tls (naudit);
e354a5
 
e354a5
       /* Initialize security features.  We need to do it this early
e354a5
 	 since otherwise the constructors of the audit libraries will
e354a5
@@ -1671,6 +1690,10 @@ ERROR: '%s': cannot process note segment.\n", _dl_argv[0]);
e354a5
       need_security_init = false;
e354a5
 
e354a5
       load_audit_modules (main_map, &audit_list);
e354a5
+
e354a5
+      /* The count based on audit strings may overestimate the number
e354a5
+	 of audit modules that got loaded, but not underestimate.  */
e354a5
+      assert (GLRO(dl_naudit) <= naudit);
e354a5
     }
e354a5
 
e354a5
   /* Keep track of the currently loaded modules to count how many
e354a5
@@ -1914,7 +1937,7 @@ ERROR: '%s': cannot process note segment.\n", _dl_argv[0]);
e354a5
      multiple threads (from a non-TLS-using libpthread).  */
e354a5
   bool was_tls_init_tp_called = tls_init_tp_called;
e354a5
   if (tcbp == NULL)
e354a5
-    tcbp = init_tls ();
e354a5
+    tcbp = init_tls (0);
e354a5
 
e354a5
   if (__glibc_likely (need_security_init))
e354a5
     /* Initialize security features.  But only if we have not done it
e354a5
diff --git a/manual/tunables.texi b/manual/tunables.texi
e354a5
index e092b8e81a18d739..e6a3e9a2cf5c959c 100644
e354a5
--- a/manual/tunables.texi
e354a5
+++ b/manual/tunables.texi
e354a5
@@ -241,9 +241,12 @@ Sets the number of supported dynamic link namespaces (see @code{dlmopen}).
e354a5
 Currently this limit can be set between 1 and 16 inclusive, the default is 4.
e354a5
 Each link namespace consumes some memory in all thread, and thus raising the
e354a5
 limit will increase the amount of memory each thread uses. Raising the limit
e354a5
-is useful when your application uses more than 4 dynamic linker audit modules
e354a5
-e.g. @env{LD_AUDIT}, or will use more than 4 dynamic link namespaces as created
e354a5
-by @code{dlmopen} with an lmid argument of @code{LM_ID_NEWLM}.
e354a5
+is useful when your application uses more than 4 dynamic link namespaces as
e354a5
+created by @code{dlmopen} with an lmid argument of @code{LM_ID_NEWLM}.
e354a5
+Dynamic linker audit modules are loaded in their own dynamic link namespaces,
e354a5
+but they are not accounted for in @code{glibc.rtld.nns}.  They implicitly
e354a5
+increase the per-thread memory usage as necessary, so this tunable does
e354a5
+not need to be changed to allow many audit modules e.g. via @env{LD_AUDIT}.
e354a5
 @end deftp
e354a5
 
e354a5
 @node Elision Tunables
e354a5
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
e354a5
index e54105848c3cb7d1..293f3ab5a496afdf 100644
e354a5
--- a/sysdeps/generic/ldsodefs.h
e354a5
+++ b/sysdeps/generic/ldsodefs.h
e354a5
@@ -1104,8 +1104,9 @@ extern size_t _dl_count_modids (void) attribute_hidden;
e354a5
 /* Calculate offset of the TLS blocks in the static TLS block.  */
e354a5
 extern void _dl_determine_tlsoffset (void) attribute_hidden;
e354a5
 
e354a5
-/* Calculate the size of the static TLS surplus.  */
e354a5
-void _dl_tls_static_surplus_init (void) attribute_hidden;
e354a5
+/* Calculate the size of the static TLS surplus, when the given
e354a5
+   number of audit modules are loaded.  */
e354a5
+void _dl_tls_static_surplus_init (size_t naudit) attribute_hidden;
e354a5
 
e354a5
 #ifndef SHARED
e354a5
 /* Set up the TCB for statically linked applications.  This is called