548bcb
commit 40ebfd016ad284872f434bdd76dbe9c708db4d6b
548bcb
Author: Florian Weimer <fweimer@redhat.com>
548bcb
Date:   Fri Jun 25 08:09:08 2021 +0200
548bcb
548bcb
    elf: Disable most of TLS modid gaps processing [BZ #27135]
548bcb
    
548bcb
    Revert "elf: Fix DTV gap reuse logic [BZ #27135]"
548bcb
    
548bcb
    This reverts commit 572bd547d57a39b6cf0ea072545dc4048921f4c3.
548bcb
    
548bcb
    It turns out that the _dl_next_tls_modid in _dl_map_object_from_fd keeps
548bcb
    returning the same modid over and over again if there is a gap and
548bcb
    more than TLS-using module is loaded in one dlopen call.  This corrupts
548bcb
    TLS data structures.  The bug is still present after a revert, but
548bcb
    empirically it is much more difficult to trigger (because it involves a
548bcb
    dlopen failure).
548bcb
548bcb
diff --git a/elf/dl-close.c b/elf/dl-close.c
548bcb
index 41cb6c58491c364b..7d2dc2272cd643f5 100644
548bcb
--- a/elf/dl-close.c
548bcb
+++ b/elf/dl-close.c
548bcb
@@ -88,11 +88,7 @@ remove_slotinfo (size_t idx, struct dtv_slotinfo_list *listp, size_t disp,
548bcb
       /* If this is not the last currently used entry no need to look
548bcb
 	 further.  */
548bcb
       if (idx != GL(dl_tls_max_dtv_idx))
548bcb
-	{
548bcb
-	  /* There is an unused dtv entry in the middle.  */
548bcb
-	  GL(dl_tls_dtv_gaps) = true;
548bcb
-	  return true;
548bcb
-	}
548bcb
+	return true;
548bcb
     }
548bcb
 
548bcb
   while (idx - disp > (disp == 0 ? 1 + GL(dl_tls_static_nelem) : 0))
548bcb
diff --git a/elf/dl-open.c b/elf/dl-open.c
548bcb
index 54727402750f4c0c..a67fb3aee40860e1 100644
548bcb
--- a/elf/dl-open.c
548bcb
+++ b/elf/dl-open.c
548bcb
@@ -896,6 +896,16 @@ no more namespaces available for dlmopen()"));
548bcb
 	 state if relocation failed, for example.  */
548bcb
       if (args.map)
548bcb
 	{
548bcb
+	  /* Maybe some of the modules which were loaded use TLS.
548bcb
+	     Since it will be removed in the following _dl_close call
548bcb
+	     we have to mark the dtv array as having gaps to fill the
548bcb
+	     holes.  This is a pessimistic assumption which won't hurt
548bcb
+	     if not true.  There is no need to do this when we are
548bcb
+	     loading the auditing DSOs since TLS has not yet been set
548bcb
+	     up.  */
548bcb
+	  if ((mode & __RTLD_AUDIT) == 0)
548bcb
+	    GL(dl_tls_dtv_gaps) = true;
548bcb
+
548bcb
 	  _dl_close_worker (args.map, true);
548bcb
 
548bcb
 	  /* All l_nodelete_pending objects should have been deleted
548bcb
diff --git a/elf/dl-tls.c b/elf/dl-tls.c
548bcb
index bacb4101e2e2c4e5..801eafad3961573c 100644
548bcb
--- a/elf/dl-tls.c
548bcb
+++ b/elf/dl-tls.c
548bcb
@@ -187,7 +187,10 @@ _dl_next_tls_modid (void)
548bcb
 size_t
548bcb
 _dl_count_modids (void)
548bcb
 {
548bcb
-  /* The count is the max unless dlclose or failed dlopen created gaps.  */
548bcb
+  /* It is rare that we have gaps; see elf/dl-open.c (_dl_open) where
548bcb
+     we fail to load a module and unload it leaving a gap.  If we don't
548bcb
+     have gaps then the number of modids is the current maximum so
548bcb
+     return that.  */
548bcb
   if (__glibc_likely (!GL(dl_tls_dtv_gaps)))
548bcb
     return GL(dl_tls_max_dtv_idx);
548bcb