[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1064588: bookworm-pu: package glibc/2.36-9+deb12u5



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: glibc@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:glibc

[ Reason ]
The upstream stable branch got a few fixes in the last months, and this
update pulls them into the debian package.

[ Impact ]
In case the update isn't approved, systems will be left with a few
issues, and the differences with upstream will increase, which might
make next fixes more difficult to review.

[ Tests ]
The upstream fixes come with additional tests, which represent a
significant part of the diff.

[ Risks ]
The changes to do not affect critical part of the library, and come with
additional tests. The upstream changes have been in testing/sid for
about 3 weeks.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Please find below the changelog with additional explanations:

* debian/patches/git-updates.diff: update from upstream stable branch:
  - any/local-CVE-2023-4911.patch: upstreamed.
  - any/local-CVE-2023-6246.patch: upstreamed.
  - any/local-CVE-2023-6779.patch: upstreamed.
  - any/local-CVE-2023-6780.patch: upstreamed.

=> Those patches went upstream, with some additional tests.

  - Revert fix to always call destructors in reverse constructor order due
    to unforeseen application compatibility issues.

=> This fix introduced some regression, even if none have been reported to
   Debian, so they have been reverted to come back to the previous situation.

  - Fix a DTV corruption due to a reuse of a TLS module ID following dlclose
    with unused TLS.

=> This issue affect the Mesa crocus driver that is shipped in bookworm, even
   if we haven't got any report on the Debian side. The fix is a very simple
   one liner. More details can be found on the upstream BTS:
   https://sourceware.org/bugzilla/show_bug.cgi?id=29039

  - Fix the DTV field load on x32.

=> The testcase added for the above issue, uncovered an issue on x32. For
   stable architectures, this only affects the libc6-x32 package. More details
   can be found on the upstream BTS:
   https://sourceware.org/bugzilla/show_bug.cgi?id=31184

  - Fix the TCB field load on x32.

=> Debugging the above x32 issue, uncovered a similar bug. For
   stable architectures, this only affects the libc6-x32 package. More details
   can be found on the upstream BTS:
   https://sourceware.org/bugzilla/show_bug.cgi?id=31185

[ Other info ]
debian-boot is in Cc: as glibc has one udeb.
diff --git a/debian/changelog b/debian/changelog
index 8e1ee881..b708d99d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+glibc (2.36-9+deb12u5) bookworm; urgency=medium
+
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+    - any/local-CVE-2023-4911.patch: upstreamed.
+    - any/local-CVE-2023-6246.patch: upstreamed.
+    - any/local-CVE-2023-6779.patch: upstreamed.
+    - any/local-CVE-2023-6780.patch: upstreamed.
+    - Revert fix to always call destructors in reverse constructor order due
+      to unforeseen application compatibility issues.
+    - Fix a DTV corruption due to a reuse of a TLS module ID following dlclose
+      with unused TLS.
+    - Fix the DTV field load on x32.
+    - Fix the TCB field load on x32.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Sat, 24 Feb 2024 16:49:22 +0100
+
 glibc (2.36-9+deb12u4) bookworm-security; urgency=medium
 
   * debian/patches/any/local-CVE-2023-6246.patch: Fix a heap buffer overflow
diff --git a/debian/patches/any/local-CVE-2023-4911.patch b/debian/patches/any/local-CVE-2023-4911.patch
deleted file mode 100644
index 4c4c2094..00000000
--- a/debian/patches/any/local-CVE-2023-4911.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
-From: Siddhesh Poyarekar <siddhesh@redhat.com>
-Date: Mon, 11 Sep 2023 18:53:15 -0400
-Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
-
-The string parsing routine may end up writing beyond bounds of tunestr
-if the input tunable string is malformed, of the form name=name=val.
-This gets processed twice, first as name=name=val and next as name=val,
-resulting in tunestr being name=name=val:name=val, thus overflowing
-tunestr.
-
-Terminate the parsing loop at the first instance itself so that tunestr
-does not overflow.
----
-Changes from v1:
-
-- Also null-terminate tunestr before exiting.
-
- elf/dl-tunables.c | 17 ++++++++++-------
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
-index 8e7ee9df10..76cf8b9da3 100644
---- a/elf/dl-tunables.c
-+++ b/elf/dl-tunables.c
-@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
-       /* If we reach the end of the string before getting a valid name-value
- 	 pair, bail out.  */
-       if (p[len] == '\0')
--	{
--	  if (__libc_enable_secure)
--	    tunestr[off] = '\0';
--	  return;
--	}
-+	break;
- 
-       /* We did not find a valid name-value pair before encountering the
- 	 colon.  */
-@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
- 	    }
- 	}
- 
--      if (p[len] != '\0')
--	p += len + 1;
-+      /* We reached the end while processing the tunable string.  */
-+      if (p[len] == '\0')
-+	break;
-+
-+      p += len + 1;
-     }
-+
-+  /* Terminate tunestr before we leave.  */
-+  if (__libc_enable_secure)
-+    tunestr[off] = '\0';
- }
- #endif
- 
--- 
-2.41.0
-
diff --git a/debian/patches/any/local-CVE-2023-6246.patch b/debian/patches/any/local-CVE-2023-6246.patch
deleted file mode 100644
index 71ab8b41..00000000
--- a/debian/patches/any/local-CVE-2023-6246.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6246)
-
-__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
-containing a long program name failed to update the required buffer
-size, leading to the allocation and overflow of a too-small buffer on
-the heap.  This commit fixes that.  It also adds a new regression test
-that uses glibc.malloc.check.
-
-Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
----
- misc/Makefile                                 |  8 ++-
- misc/syslog.c                                 | 50 +++++++++++++------
- misc/tst-syslog-long-progname.c               | 39 +++++++++++++++
- .../postclean.req                             |  0
- 4 files changed, 82 insertions(+), 15 deletions(-)
- create mode 100644 misc/tst-syslog-long-progname.c
- create mode 100644 misc/tst-syslog-long-progname.root/postclean.req
-
-diff --git a/misc/Makefile b/misc/Makefile
-index 42899c2b6c..c273ec6974 100644
---- a/misc/Makefile
-+++ b/misc/Makefile
-@@ -289,7 +289,10 @@ tests-special += $(objpfx)tst-error1-mem.out \
-   $(objpfx)tst-allocate_once-mem.out
- endif
- 
--tests-container := tst-syslog
-+tests-container := \
-+  tst-syslog \
-+  tst-syslog-long-progname \
-+  # tests-container
- 
- CFLAGS-select.c += -fexceptions -fasynchronous-unwind-tables
- CFLAGS-tsearch.c += $(uses-callbacks)
-@@ -351,6 +354,9 @@ $(objpfx)tst-allocate_once-mem.out: $(objpfx)tst-allocate_once.out
- 	$(common-objpfx)malloc/mtrace $(objpfx)tst-allocate_once.mtrace > $@; \
- 	$(evaluate-test)
- 
-+tst-syslog-long-progname-ENV = GLIBC_TUNABLES=glibc.malloc.check=3 \
-+			       LD_PRELOAD=libc_malloc_debug.so.0
-+
- $(objpfx)tst-select: $(librt)
- $(objpfx)tst-select-time64: $(librt)
- $(objpfx)tst-pselect: $(librt)
-diff --git a/misc/syslog.c b/misc/syslog.c
-index 1b8cb722c5..814d224a1e 100644
---- a/misc/syslog.c
-+++ b/misc/syslog.c
-@@ -124,8 +124,9 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
- {
-   /* Try to use a static buffer as an optimization.  */
-   char bufs[1024];
--  char *buf = NULL;
--  size_t bufsize = 0;
-+  char *buf = bufs;
-+  size_t bufsize;
-+
-   int msgoff;
-   int saved_errno = errno;
- 
-@@ -177,29 +178,50 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
- #define SYSLOG_HEADER_WITHOUT_TS(__pri, __msgoff)        \
-   "<%d>: %n", __pri, __msgoff
- 
--  int l;
-+  int l, vl;
-   if (has_ts)
-     l = __snprintf (bufs, sizeof bufs,
- 		    SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
-   else
-     l = __snprintf (bufs, sizeof bufs,
- 		    SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
-+
-+  char *pos;
-+  size_t len;
-+
-   if (0 <= l && l < sizeof bufs)
-     {
--      va_list apc;
--      va_copy (apc, ap);
-+      /* At this point, there is still a chance that we can print the
-+         remaining part of the log into bufs and use that.  */
-+      pos = bufs + l;
-+      len = sizeof (bufs) - l;
-+    }
-+  else
-+    {
-+      buf = NULL;
-+      /* We already know that bufs is too small to use for this log message.
-+         The next vsnprintf into bufs is used only to calculate the total
-+         required buffer length.  We will discard bufs contents and allocate
-+         an appropriately sized buffer later instead.  */
-+      pos = bufs;
-+      len = sizeof (bufs);
-+    }
- 
--      /* Restore errno for %m format.  */
--      __set_errno (saved_errno);
-+  {
-+    va_list apc;
-+    va_copy (apc, ap);
- 
--      int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc,
--                                     mode_flags);
--      if (0 <= vl && vl < sizeof bufs - l)
--        buf = bufs;
--      bufsize = l + vl;
-+    /* Restore errno for %m format.  */
-+    __set_errno (saved_errno);
- 
--      va_end (apc);
--    }
-+    vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags);
-+
-+    if (!(0 <= vl && vl < len))
-+      buf = NULL;
-+
-+    bufsize = l + vl;
-+    va_end (apc);
-+  }
- 
-   if (buf == NULL)
-     {
-diff --git a/misc/tst-syslog-long-progname.c b/misc/tst-syslog-long-progname.c
-new file mode 100644
-index 0000000000..88f37a8a00
---- /dev/null
-+++ b/misc/tst-syslog-long-progname.c
-@@ -0,0 +1,39 @@
-+/* Test heap buffer overflow in syslog with long __progname (CVE-2023-6246)
-+   Copyright (C) 2023 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <https://www.gnu.org/licenses/>.  */
-+
-+#include <syslog.h>
-+#include <string.h>
-+
-+extern char * __progname;
-+
-+static int
-+do_test (void)
-+{
-+  char long_progname[2048];
-+
-+  memset (long_progname, 'X', sizeof (long_progname) - 1);
-+  long_progname[sizeof (long_progname) - 1] = '\0';
-+
-+  __progname = long_progname;
-+
-+  syslog (LOG_INFO, "Hello, World!");
-+
-+  return 0;
-+}
-+
-+#include <support/test-driver.c>
-diff --git a/misc/tst-syslog-long-progname.root/postclean.req b/misc/tst-syslog-long-progname.root/postclean.req
-new file mode 100644
-index 0000000000..e69de29bb2
--- 
-2.43.0
-
diff --git a/debian/patches/any/local-CVE-2023-6779.patch b/debian/patches/any/local-CVE-2023-6779.patch
deleted file mode 100644
index b9d018a6..00000000
--- a/debian/patches/any/local-CVE-2023-6779.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6779)
-
-__vsyslog_internal used the return value of snprintf/vsnprintf to
-calculate buffer sizes for memory allocation.  If these functions (for
-any reason) failed and returned -1, the resulting buffer would be too
-small to hold output.  This commit fixes that.
-
-All snprintf/vsnprintf calls are checked for negative return values and
-the function silently returns upon encountering them.
----
- misc/syslog.c | 39 ++++++++++++++++++++++++++++-----------
- 1 file changed, 28 insertions(+), 11 deletions(-)
-
-diff --git a/misc/syslog.c b/misc/syslog.c
-index 814d224a1e..53440e47ad 100644
---- a/misc/syslog.c
-+++ b/misc/syslog.c
-@@ -185,11 +185,13 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
-   else
-     l = __snprintf (bufs, sizeof bufs,
- 		    SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
-+  if (l < 0)
-+    goto out;
- 
-   char *pos;
-   size_t len;
- 
--  if (0 <= l && l < sizeof bufs)
-+  if (l < sizeof bufs)
-     {
-       /* At this point, there is still a chance that we can print the
-          remaining part of the log into bufs and use that.  */
-@@ -215,12 +217,15 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
-     __set_errno (saved_errno);
- 
-     vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags);
-+    va_end (apc);
-+
-+    if (vl < 0)
-+      goto out;
- 
--    if (!(0 <= vl && vl < len))
-+    if (vl >= len)
-       buf = NULL;
- 
-     bufsize = l + vl;
--    va_end (apc);
-   }
- 
-   if (buf == NULL)
-@@ -231,25 +236,37 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
- 	  /* Tell the cancellation handler to free this buffer.  */
- 	  clarg.buf = buf;
- 
-+	  int cl;
- 	  if (has_ts)
--	    __snprintf (buf, l + 1,
--			SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
-+	    cl = __snprintf (buf, l + 1,
-+			     SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
- 	  else
--	    __snprintf (buf, l + 1,
--			SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
-+	    cl = __snprintf (buf, l + 1,
-+			     SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
-+	  if (cl != l)
-+	    goto out;
- 
- 	  va_list apc;
- 	  va_copy (apc, ap);
--	  __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc,
--				mode_flags);
-+	  cl = __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc,
-+				     mode_flags);
- 	  va_end (apc);
-+
-+	  if (cl != vl)
-+	    goto out;
- 	}
-       else
-         {
-+          int bl;
- 	  /* Nothing much to do but emit an error message.  */
--          bufsize = __snprintf (bufs, sizeof bufs,
--                                "out of memory[%d]", __getpid ());
-+          bl = __snprintf (bufs, sizeof bufs,
-+                           "out of memory[%d]", __getpid ());
-+          if (bl < 0 || bl >= sizeof bufs)
-+            goto out;
-+
-+          bufsize = bl;
-           buf = bufs;
-+          msgoff = 0;
-         }
-     }
- 
--- 
-2.43.0
-
diff --git a/debian/patches/any/local-CVE-2023-6780.patch b/debian/patches/any/local-CVE-2023-6780.patch
deleted file mode 100644
index 9ad99161..00000000
--- a/debian/patches/any/local-CVE-2023-6780.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-syslog: Fix integer overflow in __vsyslog_internal (CVE-2023-6780)
-
-__vsyslog_internal calculated a buffer size by adding two integers, but
-did not first check if the addition would overflow.  This commit fixes
-that.
----
- misc/syslog.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/misc/syslog.c b/misc/syslog.c
-index 53440e47ad..4af87f54fd 100644
---- a/misc/syslog.c
-+++ b/misc/syslog.c
-@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)syslog.c	8.4 (Berkeley) 3/18/94";
- #include <sys/uio.h>
- #include <sys/un.h>
- #include <syslog.h>
-+#include <limits.h>
- 
- static int LogType = SOCK_DGRAM;	/* type of socket connection */
- static int LogFile = -1;		/* fd for log */
-@@ -219,7 +220,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
-     vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags);
-     va_end (apc);
- 
--    if (vl < 0)
-+    if (vl < 0 || vl >= INT_MAX - l)
-       goto out;
- 
-     if (vl >= len)
--- 
-2.43.0
-
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index cdb02b1d..f06f7672 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -68,10 +68,10 @@ index d1e139d03c..09c0cf8357 100644
  else	   					# -s
  verbose	:=
 diff --git a/NEWS b/NEWS
-index f61e521fc8..ae55ffb53a 100644
+index f61e521fc8..0f0ebce3f0 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,85 @@ See the end for copying conditions.
+@@ -5,6 +5,94 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <https://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -106,6 +106,11 @@ index f61e521fc8..ae55ffb53a 100644
 +  an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
 +  AI_ALL and AI_V4MAPPED flags set.
 +
++  CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
++  environment of a setuid program and NAME is valid, it may result in a
++  buffer overflow, which could be exploited to achieve escalated
++  privileges.  This flaw was introduced in glibc 2.34.
++
 +The following bugs are resolved with this release:
 +
 +  [12154] Do not fail DNS resolution for CNAMEs which are not host names
@@ -113,6 +118,7 @@ index f61e521fc8..ae55ffb53a 100644
 +  [24816] Fix tst-nss-files-hosts-long on single-stack hosts
 +  [27576] gmon: improve mcount overflow handling
 +  [28846] CMSG_NXTHDR may trigger -Wstrict-overflow warning
++  [29039] Corrupt DTV after reuse of a TLS module ID following dlclose with unused TLS
 +  [29444] gmon: Fix allocated buffer overflow (bug 29444)
 +  [29864] libc: __libc_start_main() should obtain program headers
 +    address (_dl_phdr) from the auxv, not the ELF header.
@@ -149,10 +155,13 @@ index f61e521fc8..ae55ffb53a 100644
 +  [30305] x86_64: Fix asm constraints in feraiseexcept
 +  [30477] libc: [RISCV]: time64 does not work on riscv32
 +  [30515] _dl_find_object incorrectly returns 1 during early startup
-+  [30785] Always call destructors in reverse constructor order
++  [30745] Slight bug in cache info codes for x86
 +  [30804] F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with
 +    -D_FILE_OFFSET_BITS=64
 +  [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
++  [30843] potential use-after-free in getcanonname (CVE-2023-4806)
++  [31184] FAIL: elf/tst-tlsgap
++  [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
 +
  Version 2.36
  
@@ -501,7 +510,7 @@ index 0000000000..9e7ba10fa2
 +    DL_CALL_DT_FINI (map, ((void *) map->l_addr + fini->d_un.d_ptr));
 +}
 diff --git a/elf/dl-close.c b/elf/dl-close.c
-index bcd6e206e9..640bbd88c3 100644
+index bcd6e206e9..14deca2e2b 100644
 --- a/elf/dl-close.c
 +++ b/elf/dl-close.c
 @@ -36,11 +36,6 @@
@@ -548,126 +557,10 @@ index bcd6e206e9..640bbd88c3 100644
  void
  _dl_close_worker (struct link_map *map, bool force)
  {
-@@ -168,30 +138,31 @@ _dl_close_worker (struct link_map *map, bool force)
- 
-   bool any_tls = false;
-   const unsigned int nloaded = ns->_ns_nloaded;
--  struct link_map *maps[nloaded];
- 
--  /* Run over the list and assign indexes to the link maps and enter
--     them into the MAPS array.  */
-+  /* Run over the list and assign indexes to the link maps.  */
-   int idx = 0;
-   for (struct link_map *l = ns->_ns_loaded; l != NULL; l = l->l_next)
-     {
-       l->l_map_used = 0;
-       l->l_map_done = 0;
-       l->l_idx = idx;
--      maps[idx] = l;
-       ++idx;
-     }
-   assert (idx == nloaded);
- 
--  /* Keep track of the lowest index link map we have covered already.  */
--  int done_index = -1;
--  while (++done_index < nloaded)
-+  /* Keep marking link maps until no new link maps are found.  */
-+  for (struct link_map *l = ns->_ns_loaded; l != NULL; )
-     {
--      struct link_map *l = maps[done_index];
-+      /* next is reset to earlier link maps for remarking.  */
-+      struct link_map *next = l->l_next;
-+      int next_idx = l->l_idx + 1; /* next->l_idx, but covers next == NULL.  */
- 
-       if (l->l_map_done)
--	/* Already handled.  */
--	continue;
-+	{
-+	  /* Already handled.  */
-+	  l = next;
-+	  continue;
-+	}
- 
-       /* Check whether this object is still used.  */
-       if (l->l_type == lt_loaded
-@@ -201,7 +172,10 @@ _dl_close_worker (struct link_map *map, bool force)
- 	     acquire is sufficient and correct.  */
- 	  && atomic_load_acquire (&l->l_tls_dtor_count) == 0
- 	  && !l->l_map_used)
--	continue;
-+	{
-+	  l = next;
-+	  continue;
-+	}
- 
-       /* We need this object and we handle it now.  */
-       l->l_map_used = 1;
-@@ -228,8 +202,11 @@ _dl_close_worker (struct link_map *map, bool force)
- 			 already processed it, then we need to go back
- 			 and process again from that point forward to
- 			 ensure we keep all of its dependencies also.  */
--		      if ((*lp)->l_idx - 1 < done_index)
--			done_index = (*lp)->l_idx - 1;
-+		      if ((*lp)->l_idx < next_idx)
-+			{
-+			  next = *lp;
-+			  next_idx = next->l_idx;
-+			}
- 		    }
- 		}
- 
-@@ -249,54 +226,65 @@ _dl_close_worker (struct link_map *map, bool force)
- 		if (!jmap->l_map_used)
- 		  {
- 		    jmap->l_map_used = 1;
--		    if (jmap->l_idx - 1 < done_index)
--		      done_index = jmap->l_idx - 1;
-+		    if (jmap->l_idx < next_idx)
-+		      {
-+			  next = jmap;
-+			  next_idx = next->l_idx;
-+		      }
- 		  }
- 	      }
- 	  }
--    }
- 
--  /* Sort the entries.  We can skip looking for the binary itself which is
--     at the front of the search list for the main namespace.  */
--  _dl_sort_maps (maps, nloaded, (nsid == LM_ID_BASE), true);
-+      l = next;
-+    }
- 
--  /* Call all termination functions at once.  */
--  bool unload_any = false;
--  bool scope_mem_left = false;
--  unsigned int unload_global = 0;
--  unsigned int first_loaded = ~0;
--  for (unsigned int i = 0; i < nloaded; ++i)
-+  /* Call the destructors in reverse constructor order, and remove the
-+     closed link maps from the list.  */
-+  for (struct link_map **init_called_head = &_dl_init_called_list;
-+       *init_called_head != NULL; )
-     {
--      struct link_map *imap = maps[i];
--
--      /* All elements must be in the same namespace.  */
--      assert (imap->l_ns == nsid);
-+      struct link_map *imap = *init_called_head;
- 
--      if (!imap->l_map_used)
-+      /* _dl_init_called_list is global, to produce a global odering.
-+	 Ignore the other namespaces (and link maps that are still used).  */
-+      if (imap->l_ns != nsid || imap->l_map_used)
-+	init_called_head = &imap->l_init_called_next;
-+      else
- 	{
- 	  assert (imap->l_type == lt_loaded && !imap->l_nodelete_active);
- 
--	  /* Call its termination function.  Do not do it for
--	     half-cooked objects.  Temporarily disable exception
--	     handling, so that errors are fatal.  */
--	  if (imap->l_init_called)
+@@ -280,17 +250,7 @@ _dl_close_worker (struct link_map *map, bool force)
+ 	     half-cooked objects.  Temporarily disable exception
+ 	     handling, so that errors are fatal.  */
+ 	  if (imap->l_init_called)
 -	    {
 -	      /* When debugging print a message first.  */
 -	      if (__builtin_expect (GLRO(dl_debug_mask) & DL_DEBUG_IMPCALLS,
@@ -679,88 +572,10 @@ index bcd6e206e9..640bbd88c3 100644
 -		  || imap->l_info[DT_FINI] != NULL)
 -		_dl_catch_exception (NULL, call_destructors, imap);
 -	    }
-+	  /* _dl_init_called_list is updated at the same time as
-+	     l_init_called.  */
-+	  assert (imap->l_init_called);
-+
-+	  if (imap->l_info[DT_FINI_ARRAY] != NULL
-+	      || imap->l_info[DT_FINI] != NULL)
 +	    _dl_catch_exception (NULL, _dl_call_fini, imap);
  
  #ifdef SHARED
  	  /* Auditing checkpoint: we remove an object.  */
- 	  _dl_audit_objclose (imap);
- #endif
-+	  /* Unlink this link map.  */
-+	  *init_called_head = imap->l_init_called_next;
-+	}
-+    }
-+
- 
-+  bool unload_any = false;
-+  bool scope_mem_left = false;
-+  unsigned int unload_global = 0;
-+
-+  /* For skipping un-unloadable link maps in the second loop.  */
-+  struct link_map *first_loaded = ns->_ns_loaded;
-+
-+  /* Iterate over the namespace to find objects to unload.  Some
-+     unloadable objects may not be on _dl_init_called_list due to
-+     dlopen failure.  */
-+  for (struct link_map *imap = first_loaded; imap != NULL; imap = imap->l_next)
-+    {
-+      if (!imap->l_map_used)
-+	{
- 	  /* This object must not be used anymore.  */
- 	  imap->l_removed = 1;
- 
-@@ -307,8 +295,8 @@ _dl_close_worker (struct link_map *map, bool force)
- 	    ++unload_global;
- 
- 	  /* Remember where the first dynamically loaded object is.  */
--	  if (i < first_loaded)
--	    first_loaded = i;
-+	  if (first_loaded == NULL)
-+	      first_loaded = imap;
- 	}
-       /* Else imap->l_map_used.  */
-       else if (imap->l_type == lt_loaded)
-@@ -444,8 +432,8 @@ _dl_close_worker (struct link_map *map, bool force)
- 	    imap->l_loader = NULL;
- 
- 	  /* Remember where the first dynamically loaded object is.  */
--	  if (i < first_loaded)
--	    first_loaded = i;
-+	  if (first_loaded == NULL)
-+	      first_loaded = imap;
- 	}
-     }
- 
-@@ -516,10 +504,11 @@ _dl_close_worker (struct link_map *map, bool force)
- 
-   /* Check each element of the search list to see if all references to
-      it are gone.  */
--  for (unsigned int i = first_loaded; i < nloaded; ++i)
-+  for (struct link_map *imap = first_loaded; imap != NULL; )
-     {
--      struct link_map *imap = maps[i];
--      if (!imap->l_map_used)
-+      if (imap->l_map_used)
-+	imap = imap->l_next;
-+      else
- 	{
- 	  assert (imap->l_type == lt_loaded);
- 
-@@ -730,7 +719,9 @@ _dl_close_worker (struct link_map *map, bool force)
- 	  if (imap == GL(dl_initfirst))
- 	    GL(dl_initfirst) = NULL;
- 
-+	  struct link_map *next = imap->l_next;
- 	  free (imap);
-+	  imap = next;
- 	}
-     }
- 
 diff --git a/elf/dl-find_object.c b/elf/dl-find_object.c
 index 4d5831b6f4..2e5b456c11 100644
 --- a/elf/dl-find_object.c
@@ -775,10 +590,10 @@ index 4d5831b6f4..2e5b456c11 100644
  
    /* Object not found.  */
 diff --git a/elf/dl-fini.c b/elf/dl-fini.c
-index 030b1fcbcd..50087a1bfc 100644
+index 030b1fcbcd..50ff94db16 100644
 --- a/elf/dl-fini.c
 +++ b/elf/dl-fini.c
-@@ -21,155 +21,71 @@
+@@ -21,11 +21,6 @@
  #include <ldsodefs.h>
  #include <elf-initfini.h>
  
@@ -790,122 +605,10 @@ index 030b1fcbcd..50087a1bfc 100644
  void
  _dl_fini (void)
  {
--  /* Lots of fun ahead.  We have to call the destructors for all still
--     loaded objects, in all namespaces.  The problem is that the ELF
--     specification now demands that dependencies between the modules
--     are taken into account.  I.e., the destructor for a module is
--     called before the ones for any of its dependencies.
--
--     To make things more complicated, we cannot simply use the reverse
--     order of the constructors.  Since the user might have loaded objects
--     using `dlopen' there are possibly several other modules with its
--     dependencies to be taken into account.  Therefore we have to start
--     determining the order of the modules once again from the beginning.  */
--
--  /* We run the destructors of the main namespaces last.  As for the
--     other namespaces, we pick run the destructors in them in reverse
--     order of the namespace ID.  */
-+  /* Call destructors strictly in the reverse order of constructors.
-+     This causes fewer surprises than some arbitrary reordering based
-+     on new (relocation) dependencies.  None of the objects are
-+     unmapped, so applications can deal with this if their DSOs remain
-+     in a consistent state after destructors have run.  */
-+
-+  /* Protect against concurrent loads and unloads.  */
-+  __rtld_lock_lock_recursive (GL(dl_load_lock));
-+
-+  /* Ignore objects which are opened during shutdown.  */
-+  struct link_map *local_init_called_list = _dl_init_called_list;
-+
-+  for (struct link_map *l = local_init_called_list; l != NULL;
-+       l = l->l_init_called_next)
-+      /* Bump l_direct_opencount of all objects so that they
-+	 are not dlclose()ed from underneath us.  */
-+      ++l->l_direct_opencount;
-+
-+  /* After this point, everything linked from local_init_called_list
-+     cannot be unloaded because of the reference counter update.  */
-+  __rtld_lock_unlock_recursive (GL(dl_load_lock));
-+
-+  /* Perform two passes: One for non-audit modules, one for audit
-+     modules.  This way, audit modules receive unload notifications
-+     for non-audit objects, and the destructors for audit modules
-+     still run.  */
- #ifdef SHARED
--  int do_audit = 0;
-- again:
-+  int last_pass = GLRO(dl_naudit) > 0;
-+  Lmid_t last_ns = -1;
-+  for (int do_audit = 0; do_audit <= last_pass; ++do_audit)
- #endif
--  for (Lmid_t ns = GL(dl_nns) - 1; ns >= 0; --ns)
--    {
--      /* Protect against concurrent loads and unloads.  */
--      __rtld_lock_lock_recursive (GL(dl_load_lock));
--
--      unsigned int nloaded = GL(dl_ns)[ns]._ns_nloaded;
--      /* No need to do anything for empty namespaces or those used for
--	 auditing DSOs.  */
--      if (nloaded == 0
--#ifdef SHARED
--	  || GL(dl_ns)[ns]._ns_loaded->l_auditing != do_audit
--#endif
--	  )
--	__rtld_lock_unlock_recursive (GL(dl_load_lock));
--      else
--	{
--#ifdef SHARED
--	  _dl_audit_activity_nsid (ns, LA_ACT_DELETE);
--#endif
--
--	  /* Now we can allocate an array to hold all the pointers and
--	     copy the pointers in.  */
--	  struct link_map *maps[nloaded];
--
--	  unsigned int i;
--	  struct link_map *l;
--	  assert (nloaded != 0 || GL(dl_ns)[ns]._ns_loaded == NULL);
--	  for (l = GL(dl_ns)[ns]._ns_loaded, i = 0; l != NULL; l = l->l_next)
--	    /* Do not handle ld.so in secondary namespaces.  */
--	    if (l == l->l_real)
--	      {
--		assert (i < nloaded);
--
--		maps[i] = l;
--		l->l_idx = i;
--		++i;
--
--		/* Bump l_direct_opencount of all objects so that they
--		   are not dlclose()ed from underneath us.  */
--		++l->l_direct_opencount;
--	      }
--	  assert (ns != LM_ID_BASE || i == nloaded);
--	  assert (ns == LM_ID_BASE || i == nloaded || i == nloaded - 1);
--	  unsigned int nmaps = i;
--
--	  /* Now we have to do the sorting.  We can skip looking for the
--	     binary itself which is at the front of the search list for
--	     the main namespace.  */
--	  _dl_sort_maps (maps, nmaps, (ns == LM_ID_BASE), true);
--
--	  /* We do not rely on the linked list of loaded object anymore
--	     from this point on.  We have our own list here (maps).  The
--	     various members of this list cannot vanish since the open
--	     count is too high and will be decremented in this loop.  So
--	     we release the lock so that some code which might be called
--	     from a destructor can directly or indirectly access the
--	     lock.  */
--	  __rtld_lock_unlock_recursive (GL(dl_load_lock));
--
--	  /* 'maps' now contains the objects in the right order.  Now
--	     call the destructors.  We have to process this array from
--	     the front.  */
--	  for (i = 0; i < nmaps; ++i)
--	    {
--	      struct link_map *l = maps[i];
--
--	      if (l->l_init_called)
--		{
+@@ -116,38 +111,7 @@ _dl_fini (void)
+ 
+ 	      if (l->l_init_called)
+ 		{
 -		  /* Make sure nothing happens if we are called twice.  */
 -		  l->l_init_called = 0;
 -
@@ -938,54 +641,10 @@ index 030b1fcbcd..50087a1bfc 100644
 -			  (l, l->l_addr + l->l_info[DT_FINI]->d_un.d_ptr);
 -		    }
 -
-+    for (struct link_map *l = local_init_called_list; l != NULL;
-+	 l = l->l_init_called_next)
-+      {
- #ifdef SHARED
--		  /* Auditing checkpoint: another object closed.  */
--		  _dl_audit_objclose (l);
-+	if (GL(dl_ns)[l->l_ns]._ns_loaded->l_auditing != do_audit)
-+	  continue;
-+
-+	/* Avoid back-to-back calls of _dl_audit_activity_nsid for the
-+	   same namespace.  */
-+	if (last_ns != l->l_ns)
-+	  {
-+	    if (last_ns >= 0)
-+	      _dl_audit_activity_nsid (last_ns, LA_ACT_CONSISTENT);
-+	    _dl_audit_activity_nsid (l->l_ns, LA_ACT_DELETE);
-+	    last_ns = l->l_ns;
-+	  }
- #endif
--		}
- 
--	      /* Correct the previous increment.  */
--	      --l->l_direct_opencount;
--	    }
-+	/* There is no need to re-enable exceptions because _dl_fini
-+	   is not called from a context where exceptions are caught.  */
-+	_dl_call_fini (l);
- 
- #ifdef SHARED
--	  _dl_audit_activity_nsid (ns, LA_ACT_CONSISTENT);
-+	/* Auditing checkpoint: another object closed.  */
-+	_dl_audit_objclose (l);
- #endif
--	}
--    }
-+      }
- 
++		  _dl_call_fini (l);
  #ifdef SHARED
--  if (! do_audit && GLRO(dl_naudit) > 0)
--    {
--      do_audit = 1;
--      goto again;
--    }
-+  if (last_ns >= 0)
-+    _dl_audit_activity_nsid (last_ns, LA_ACT_CONSISTENT);
- 
-   if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_STATISTICS))
-     _dl_debug_printf ("\nruntime linker statistics:\n"
+ 		  /* Auditing checkpoint: another object closed.  */
+ 		  _dl_audit_objclose (l);
 diff --git a/elf/dl-hwcaps.c b/elf/dl-hwcaps.c
 index 6f161f6ad5..92eb53790e 100644
 --- a/elf/dl-hwcaps.c
@@ -1023,15 +682,10 @@ index 6f161f6ad5..92eb53790e 100644
      = malloc (*sz * sizeof (*result) + total);
    if (overall_result == NULL)
 diff --git a/elf/dl-init.c b/elf/dl-init.c
-index deefeb099a..77b2edd838 100644
+index deefeb099a..fca8e3a05e 100644
 --- a/elf/dl-init.c
 +++ b/elf/dl-init.c
-@@ -21,14 +21,19 @@
- #include <ldsodefs.h>
- #include <elf-initfini.h>
- 
-+struct link_map *_dl_init_called_list;
- 
+@@ -25,10 +25,14 @@
  static void
  call_init (struct link_map *l, int argc, char **argv, char **env)
  {
@@ -1048,70 +702,6 @@ index deefeb099a..77b2edd838 100644
  
    if (l->l_init_called)
      /* This object is all done.  */
-@@ -38,6 +43,21 @@ call_init (struct link_map *l, int argc, char **argv, char **env)
-      dependency.  */
-   l->l_init_called = 1;
- 
-+  /* Help an already-running dlclose: The just-loaded object must not
-+     be removed during the current pass.  (No effect if no dlclose in
-+     progress.)  */
-+  l->l_map_used = 1;
-+
-+  /* Record execution before starting any initializers.  This way, if
-+     the initializers themselves call dlopen, their ELF destructors
-+     will eventually be run before this object is destructed, matching
-+     that their ELF constructors have run before this object was
-+     constructed.  _dl_fini uses this list for audit callbacks, so
-+     register objects on the list even if they do not have a
-+     constructor.  */
-+  l->l_init_called_next = _dl_init_called_list;
-+  _dl_init_called_list = l;
-+
-   /* Check for object which constructors we do not run here.  */
-   if (__builtin_expect (l->l_name[0], 'a') == '\0'
-       && l->l_type == lt_executable)
-diff --git a/elf/dl-load.c b/elf/dl-load.c
-index 1ad0868dad..cb59c21ce7 100644
---- a/elf/dl-load.c
-+++ b/elf/dl-load.c
-@@ -1263,7 +1263,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
- 
-     /* Now process the load commands and map segments into memory.
-        This is responsible for filling in:
--       l_map_start, l_map_end, l_addr, l_contiguous, l_text_end, l_phdr
-+       l_map_start, l_map_end, l_addr, l_contiguous, l_phdr
-      */
-     errstring = _dl_map_segments (l, fd, header, type, loadcmds, nloadcmds,
- 				  maplength, has_holes, loader);
-diff --git a/elf/dl-load.h b/elf/dl-load.h
-index f98d264e90..ebf7d74cd0 100644
---- a/elf/dl-load.h
-+++ b/elf/dl-load.h
-@@ -83,14 +83,11 @@ struct loadcmd
- 
- /* This is a subroutine of _dl_map_segments.  It should be called for each
-    load command, some time after L->l_addr has been set correctly.  It is
--   responsible for setting up the l_text_end and l_phdr fields.  */
-+   responsible for setting the l_phdr fields  */
- static __always_inline void
- _dl_postprocess_loadcmd (struct link_map *l, const ElfW(Ehdr) *header,
-                          const struct loadcmd *c)
- {
--  if (c->prot & PROT_EXEC)
--    l->l_text_end = l->l_addr + c->mapend;
--
-   if (l->l_phdr == 0
-       && c->mapoff <= header->e_phoff
-       && ((size_t) (c->mapend - c->mapstart + c->mapoff)
-@@ -103,7 +100,7 @@ _dl_postprocess_loadcmd (struct link_map *l, const ElfW(Ehdr) *header,
- 
- /* This is a subroutine of _dl_map_object_from_fd.  It is responsible
-    for filling in several fields in *L: l_map_start, l_map_end, l_addr,
--   l_contiguous, l_text_end, l_phdr.  On successful return, all the
-+   l_contiguous, l_phdr.  On successful return, all the
-    segments are mapped (or copied, or whatever) from the file into their
-    final places in the address space, with the correct page permissions,
-    and any bss-like regions already zeroed.  It returns a null pointer
 diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c
 index 4c86dc694e..67fb2e31e2 100644
 --- a/elf/dl-lookup.c
@@ -1311,6 +901,54 @@ index 4af0b5b2ce..f45b630ba5 100644
  
    call_function_static_weak (_dl_find_object_init);
  
+diff --git a/elf/dl-tls.c b/elf/dl-tls.c
+index 093cdddb7e..bf0ff0d9e8 100644
+--- a/elf/dl-tls.c
++++ b/elf/dl-tls.c
+@@ -160,6 +160,7 @@ _dl_assign_tls_modid (struct link_map *l)
+ 	      {
+ 		/* Mark the entry as used, so any dependency see it.  */
+ 		atomic_store_relaxed (&runp->slotinfo[result - disp].map, l);
++		atomic_store_relaxed (&runp->slotinfo[result - disp].gen, 0);
+ 		break;
+ 	      }
+ 
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 8e7ee9df10..76cf8b9da3 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
+       /* If we reach the end of the string before getting a valid name-value
+ 	 pair, bail out.  */
+       if (p[len] == '\0')
+-	{
+-	  if (__libc_enable_secure)
+-	    tunestr[off] = '\0';
+-	  return;
+-	}
++	break;
+ 
+       /* We did not find a valid name-value pair before encountering the
+ 	 colon.  */
+@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
+ 	    }
+ 	}
+ 
+-      if (p[len] != '\0')
+-	p += len + 1;
++      /* We reached the end while processing the tunable string.  */
++      if (p[len] == '\0')
++	break;
++
++      p += len + 1;
+     }
++
++  /* Terminate tunestr before we leave.  */
++  if (__libc_enable_secure)
++    tunestr[off] = '\0';
+ }
+ #endif
+ 
 diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
 index e6a56b3070..9fa3b484cf 100644
 --- a/elf/dl-tunables.list
@@ -1334,34 +972,20 @@ index e6a56b3070..9fa3b484cf 100644
 +  }
  }
 diff --git a/elf/dso-sort-tests-1.def b/elf/dso-sort-tests-1.def
-index 5f7f18ef27..61dc54f8ae 100644
+index 5f7f18ef27..4bf9052db1 100644
 --- a/elf/dso-sort-tests-1.def
 +++ b/elf/dso-sort-tests-1.def
-@@ -53,14 +53,14 @@ tst-dso-ordering10: {}->a->b->c;soname({})=c
- output: b>a>{}<a<b
- 
- # Complex example from Bugzilla #15311, under-linked and with circular
--# relocation(dynamic) dependencies. While this is technically unspecified, the
--# presumed reasonable practical behavior is for the destructor order to respect
--# the static DT_NEEDED links (here this means the a->b->c->d order).
--# The older dynamic_sort=1 algorithm does not achieve this, while the DFS-based
--# dynamic_sort=2 algorithm does, although it is still arguable whether going
--# beyond spec to do this is the right thing to do.
--# The below expected outputs are what the two algorithms currently produce
--# respectively, for regression testing purposes.
-+# relocation(dynamic) dependencies. For both sorting algorithms, the
-+# destruction order is the reverse of the construction order, and
-+# relocation dependencies are not taken into account.
+@@ -64,3 +64,10 @@ output: b>a>{}<a<b
  tst-bz15311: {+a;+e;+f;+g;+d;%d;-d;-g;-f;-e;-a};a->b->c->d;d=>[ba];c=>a;b=>e=>a;c=>f=>b;d=>g=>c
--output(glibc.rtld.dynamic_sort=1): {+a[d>c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[<a<c<d<g<f<b<e];}
--output(glibc.rtld.dynamic_sort=2): {+a[d>c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[<g<f<a<b<c<d<e];}
-+output: {+a[d>c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[<g<f<e<a<b<c<d];}
+ output(glibc.rtld.dynamic_sort=1): {+a[d>c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[<a<c<d<g<f<b<e];}
+ output(glibc.rtld.dynamic_sort=2): {+a[d>c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[<g<f<a<b<c<d<e];}
 +
 +# Test that even in the presence of dependency loops involving dlopen'ed
 +# object, that object is initialized last (and not unloaded prematurely).
-+# Final destructor order is the opposite of constructor order.
++# Final destructor order is indeterminate due to the cycle.
 +tst-bz28937: {+a;+b;-b;+c;%c};a->a1;a->a2;a2->a;b->b1;c->a1;c=>a1
-+output: {+a[a2>a1>a>];+b[b1>b>];-b[<b<b1];+c[c>];%c(a1());}<c<a<a1<a2
++output(glibc.rtld.dynamic_sort=1): {+a[a2>a1>a>];+b[b1>b>];-b[<b<b1];+c[c>];%c(a1());}<a<a2<c<a1
++output(glibc.rtld.dynamic_sort=2): {+a[a2>a1>a>];+b[b1>b>];-b[<b<b1];+c[c>];%c(a1());}<a2<a<c<a1
 diff --git a/elf/elf.h b/elf/elf.h
 index 02a1b3f52f..014393f3cc 100644
 --- a/elf/elf.h
@@ -1394,44 +1018,10 @@ index ca00dd1fe2..3c5e273f2b 100644
  else						# -s
  verbose	:=
 diff --git a/elf/rtld.c b/elf/rtld.c
-index cbbaf4a331..dd45930ff7 100644
+index cbbaf4a331..3e771a93d8 100644
 --- a/elf/rtld.c
 +++ b/elf/rtld.c
-@@ -479,7 +479,6 @@ _dl_start_final (void *arg, struct dl_start_final_info *info)
-   GL(dl_rtld_map).l_real = &GL(dl_rtld_map);
-   GL(dl_rtld_map).l_map_start = (ElfW(Addr)) &__ehdr_start;
-   GL(dl_rtld_map).l_map_end = (ElfW(Addr)) _end;
--  GL(dl_rtld_map).l_text_end = (ElfW(Addr)) _etext;
-   /* Copy the TLS related data if necessary.  */
- #ifndef DONT_USE_BOOTSTRAP_MAP
- # if NO_TLS_OFFSET != 0
-@@ -1124,7 +1123,6 @@ rtld_setup_main_map (struct link_map *main_map)
-   bool has_interp = false;
- 
-   main_map->l_map_end = 0;
--  main_map->l_text_end = 0;
-   /* Perhaps the executable has no PT_LOAD header entries at all.  */
-   main_map->l_map_start = ~0;
-   /* And it was opened directly.  */
-@@ -1216,8 +1214,6 @@ rtld_setup_main_map (struct link_map *main_map)
- 	  allocend = main_map->l_addr + ph->p_vaddr + ph->p_memsz;
- 	  if (main_map->l_map_end < allocend)
- 	    main_map->l_map_end = allocend;
--	  if ((ph->p_flags & PF_X) && allocend > main_map->l_text_end)
--	    main_map->l_text_end = allocend;
- 
- 	  /* The next expected address is the page following this load
- 	     segment.  */
-@@ -1277,8 +1273,6 @@ rtld_setup_main_map (struct link_map *main_map)
-       = (char *) main_map->l_tls_initimage + main_map->l_addr;
-   if (! main_map->l_map_end)
-     main_map->l_map_end = ~0;
--  if (! main_map->l_text_end)
--    main_map->l_text_end = ~0;
-   if (! GL(dl_rtld_map).l_libname && GL(dl_rtld_map).l_name)
-     {
-       /* We were invoked directly, so the program might not have a
-@@ -2122,6 +2116,12 @@ dl_main (const ElfW(Phdr) *phdr,
+@@ -2122,6 +2122,12 @@ dl_main (const ElfW(Phdr) *phdr,
  	    if (l->l_faked)
  	      /* The library was not found.  */
  	      _dl_printf ("\t%s => not found\n",  l->l_libname->name);
@@ -1444,127 +1034,6 @@ index cbbaf4a331..dd45930ff7 100644
  	    else
  	      _dl_printf ("\t%s => %s (0x%0*Zx)\n",
  			  DSO_FILENAME (l->l_libname->name),
-diff --git a/elf/setup-vdso.h b/elf/setup-vdso.h
-index c0807ea82b..415d5057c3 100644
---- a/elf/setup-vdso.h
-+++ b/elf/setup-vdso.h
-@@ -51,9 +51,6 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)),
- 		l->l_addr = ph->p_vaddr;
- 	      if (ph->p_vaddr + ph->p_memsz >= l->l_map_end)
- 		l->l_map_end = ph->p_vaddr + ph->p_memsz;
--	      if ((ph->p_flags & PF_X)
--		  && ph->p_vaddr + ph->p_memsz >= l->l_text_end)
--		l->l_text_end = ph->p_vaddr + ph->p_memsz;
- 	    }
- 	  else
- 	    /* There must be no TLS segment.  */
-@@ -62,7 +59,6 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)),
-       l->l_map_start = (ElfW(Addr)) GLRO(dl_sysinfo_dso);
-       l->l_addr = l->l_map_start - l->l_addr;
-       l->l_map_end += l->l_addr;
--      l->l_text_end += l->l_addr;
-       l->l_ld = (void *) ((ElfW(Addr)) l->l_ld + l->l_addr);
-       elf_get_dynamic_info (l, false, false);
-       _dl_setup_hash (l);
-diff --git a/elf/tst-audit23.c b/elf/tst-audit23.c
-index 4904cf1340..f40760bd70 100644
---- a/elf/tst-audit23.c
-+++ b/elf/tst-audit23.c
-@@ -98,6 +98,8 @@ do_test (int argc, char *argv[])
-     char *lname;
-     uintptr_t laddr;
-     Lmid_t lmid;
-+    uintptr_t cookie;
-+    uintptr_t namespace;
-     bool closed;
-   } objs[max_objs] = { [0 ... max_objs-1] = { .closed = false } };
-   size_t nobjs = 0;
-@@ -117,6 +119,9 @@ do_test (int argc, char *argv[])
-   size_t buffer_length = 0;
-   while (xgetline (&buffer, &buffer_length, out))
-     {
-+      *strchrnul (buffer, '\n') = '\0';
-+      printf ("info: subprocess output: %s\n", buffer);
-+
-       if (startswith (buffer, "la_activity: "))
- 	{
- 	  uintptr_t cookie;
-@@ -125,29 +130,26 @@ do_test (int argc, char *argv[])
- 			  &cookie);
- 	  TEST_COMPARE (r, 2);
- 
--	  /* The cookie identifies the object at the head of the link map,
--	     so we only add a new namespace if it changes from the previous
--	     one.  This works since dlmopen is the last in the test body.  */
--	  if (cookie != last_act_cookie && last_act_cookie != -1)
--	    TEST_COMPARE (last_act, LA_ACT_CONSISTENT);
--
- 	  if (this_act == LA_ACT_ADD && acts[nacts] != cookie)
- 	    {
-+	      /* The cookie identifies the object at the head of the
-+		 link map, so we only add a new namespace if it
-+		 changes from the previous one.  This works since
-+		 dlmopen is the last in the test body.  */
-+	      if (cookie != last_act_cookie && last_act_cookie != -1)
-+		TEST_COMPARE (last_act, LA_ACT_CONSISTENT);
-+
- 	      acts[nacts++] = cookie;
- 	      last_act_cookie = cookie;
- 	    }
--	  /* The LA_ACT_DELETE is called in the reverse order of LA_ACT_ADD
--	     at program termination (if the tests adds a dlclose or a library
--	     with extra dependencies this will need to be adapted).  */
-+	  /* LA_ACT_DELETE is called multiple times for each
-+	     namespace, depending on destruction order.  */
- 	  else if (this_act == LA_ACT_DELETE)
--	    {
--	      last_act_cookie = acts[--nacts];
--	      TEST_COMPARE (acts[nacts], cookie);
--	      acts[nacts] = 0;
--	    }
-+	    last_act_cookie = cookie;
- 	  else if (this_act == LA_ACT_CONSISTENT)
- 	    {
- 	      TEST_COMPARE (cookie, last_act_cookie);
-+	      last_act_cookie = -1;
- 
- 	      /* LA_ACT_DELETE must always be followed by an la_objclose.  */
- 	      if (last_act == LA_ACT_DELETE)
-@@ -179,6 +181,8 @@ do_test (int argc, char *argv[])
- 	  objs[nobjs].lname = lname;
- 	  objs[nobjs].laddr = laddr;
- 	  objs[nobjs].lmid = lmid;
-+	  objs[nobjs].cookie = cookie;
-+	  objs[nobjs].namespace = last_act_cookie;
- 	  objs[nobjs].closed = false;
- 	  nobjs++;
- 
-@@ -201,6 +205,12 @@ do_test (int argc, char *argv[])
- 	      if (strcmp (lname, objs[i].lname) == 0 && lmid == objs[i].lmid)
- 		{
- 		  TEST_COMPARE (objs[i].closed, false);
-+		  TEST_COMPARE (objs[i].cookie, cookie);
-+		  if (objs[i].namespace == -1)
-+		    /* No LA_ACT_ADD before the first la_objopen call.  */
-+		    TEST_COMPARE (acts[0], last_act_cookie);
-+		  else
-+		    TEST_COMPARE (objs[i].namespace, last_act_cookie);
- 		  objs[i].closed = true;
- 		  break;
- 		}
-@@ -209,11 +219,7 @@ do_test (int argc, char *argv[])
- 	  /* la_objclose should be called after la_activity(LA_ACT_DELETE) for
- 	     the closed object's namespace.  */
- 	  TEST_COMPARE (last_act, LA_ACT_DELETE);
--	  if (!seen_first_objclose)
--	    {
--	      TEST_COMPARE (last_act_cookie, cookie);
--	      seen_first_objclose = true;
--	    }
-+	  seen_first_objclose = true;
- 	}
-     }
- 
 diff --git a/elf/tst-auditmod28.c b/elf/tst-auditmod28.c
 index db7ba95abe..9e0a122c38 100644
 --- a/elf/tst-auditmod28.c
@@ -1746,6 +1215,97 @@ index 0000000000..70c71fe19c
 +}
 +
 +#include <support/test-driver.c>
+diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
+index 88182b7b25..5e9e4c5756 100644
+--- a/elf/tst-env-setuid-tunables.c
++++ b/elf/tst-env-setuid-tunables.c
+@@ -52,6 +52,8 @@ const char *teststrings[] =
+   "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
+   "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
+   "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.check=2",
+   "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
+   "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
+   ":glibc.malloc.garbage=2:glibc.malloc.check=1",
+@@ -70,6 +72,8 @@ const char *resultstrings[] =
+   "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "",
+   "",
+   "",
+   "",
+@@ -84,11 +88,18 @@ test_child (int off)
+   const char *val = getenv ("GLIBC_TUNABLES");
+ 
+ #if HAVE_TUNABLES
++  printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
++  fflush (stdout);
+   if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+     return 0;
+ 
+   if (val != NULL)
+-    printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
++    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
++	    off, val, resultstrings[off]);
++  else
++    printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
++
++  fflush (stdout);
+ 
+   return 1;
+ #else
+@@ -117,21 +128,26 @@ do_test (int argc, char **argv)
+       if (ret != 0)
+ 	exit (1);
+ 
+-      exit (EXIT_SUCCESS);
++      /* Special return code to make sure that the child executed all the way
++	 through.  */
++      exit (42);
+     }
+   else
+     {
+-      int ret = 0;
+-
+       /* Spawn tests.  */
+       for (int i = 0; i < array_length (teststrings); i++)
+ 	{
+ 	  char buf[INT_BUFSIZE_BOUND (int)];
+ 
+-	  printf ("Spawned test for %s (%d)\n", teststrings[i], i);
++	  printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
+ 	  snprintf (buf, sizeof (buf), "%d\n", i);
++	  fflush (stdout);
+ 	  if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
+-	    exit (1);
++	    {
++	      printf ("    [%d] Failed to set GLIBC_TUNABLES: %m", i);
++	      support_record_failure ();
++	      continue;
++	    }
+ 
+ 	  int status = support_capture_subprogram_self_sgid (buf);
+ 
+@@ -139,9 +155,14 @@ do_test (int argc, char **argv)
+ 	  if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
+ 	    return EXIT_UNSUPPORTED;
+ 
+-	  ret |= status;
++	  if (WEXITSTATUS (status) != 42)
++	    {
++	      printf ("    [%d] child failed with status %d\n", i,
++		      WEXITSTATUS (status));
++	      support_record_failure ();
++	    }
+ 	}
+-      return ret;
++      return 0;
+     }
+ }
+ 
 diff --git a/elf/tst-ldconfig-p.sh b/elf/tst-ldconfig-p.sh
 new file mode 100644
 index 0000000000..ec937bf4ec
@@ -2472,22 +2032,20 @@ index 0000000000..00b1b93342
 @@ -0,0 +1 @@
 +#include <wcsmbs/bits/wchar2-decl.h>
 diff --git a/include/link.h b/include/link.h
-index 0ac82d7c77..4eb8fe0d96 100644
+index 0ac82d7c77..87966e8397 100644
 --- a/include/link.h
 +++ b/include/link.h
-@@ -253,8 +253,10 @@ struct link_map
-     /* Start and finish of memory map for this object.  l_map_start
-        need not be the same as l_addr.  */
-     ElfW(Addr) l_map_start, l_map_end;
--    /* End of the executable part of the mapping.  */
--    ElfW(Addr) l_text_end;
-+
+@@ -278,6 +278,10 @@ struct link_map
+     /* List of object in order of the init and fini calls.  */
+     struct link_map **l_initfini;
+ 
 +    /* Linked list of objects in reverse ELF constructor execution
 +       order.  Head of list is stored in _dl_init_called_list.  */
 +    struct link_map *l_init_called_next;
- 
-     /* Default array for 'l_scope'.  */
-     struct r_scope_elem *l_scope_mem[4];
++
+     /* List of the dependencies introduced through symbol binding.  */
+     struct link_map_reldeps
+       {
 diff --git a/include/resolv.h b/include/resolv.h
 index 3590b6f496..4dbbac3800 100644
 --- a/include/resolv.h
@@ -2801,6 +2359,32 @@ index 8be2d220f8..4a4d5aa6b2 100644
    const unsigned char *cp;
    const unsigned char *usrc;
  
+diff --git a/misc/Makefile b/misc/Makefile
+index ba8232a0e9..66e9ded8f9 100644
+--- a/misc/Makefile
++++ b/misc/Makefile
+@@ -115,7 +115,10 @@ tests-special += $(objpfx)tst-error1-mem.out \
+   $(objpfx)tst-allocate_once-mem.out
+ endif
+ 
+-tests-container := tst-syslog
++tests-container := \
++  tst-syslog \
++  tst-syslog-long-progname \
++  # tests-container
+ 
+ CFLAGS-select.c += -fexceptions -fasynchronous-unwind-tables
+ CFLAGS-tsearch.c += $(uses-callbacks)
+@@ -175,6 +178,9 @@ $(objpfx)tst-allocate_once-mem.out: $(objpfx)tst-allocate_once.out
+ 	$(common-objpfx)malloc/mtrace $(objpfx)tst-allocate_once.mtrace > $@; \
+ 	$(evaluate-test)
+ 
++tst-syslog-long-progname-ENV = GLIBC_TUNABLES=glibc.malloc.check=3 \
++			       LD_PRELOAD=libc_malloc_debug.so.0
++
+ $(objpfx)tst-select: $(librt)
+ $(objpfx)tst-select-time64: $(librt)
+ $(objpfx)tst-pselect: $(librt)
 diff --git a/misc/bits/syslog.h b/misc/bits/syslog.h
 index fd30dd3114..916d2b6f12 100644
 --- a/misc/bits/syslog.h
@@ -2890,10 +2474,30 @@ index d933fea104..3888153ed2 100644
  
  __END_DECLS
 diff --git a/misc/syslog.c b/misc/syslog.c
-index 554089bfc4..f67d4b58a4 100644
+index 554089bfc4..9336036666 100644
 --- a/misc/syslog.c
 +++ b/misc/syslog.c
-@@ -167,7 +167,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
+@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)syslog.c	8.4 (Berkeley) 3/18/94";
+ #include <sys/uio.h>
+ #include <sys/un.h>
+ #include <syslog.h>
++#include <limits.h>
+ 
+ static int LogType = SOCK_DGRAM;	/* type of socket connection */
+ static int LogFile = -1;		/* fd for log */
+@@ -122,8 +123,9 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
+ {
+   /* Try to use a static buffer as an optimization.  */
+   char bufs[1024];
+-  char *buf = NULL;
+-  size_t bufsize = 0;
++  char *buf = bufs;
++  size_t bufsize;
++
+   int msgoff;
+   int saved_errno = errno;
+ 
+@@ -167,7 +169,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
  		  _nl_C_locobj_ptr);
  
  #define SYSLOG_HEADER(__pri, __timestamp, __msgoff, pid) \
@@ -2902,19 +2506,74 @@ index 554089bfc4..f67d4b58a4 100644
    __pri, __timestamp, __msgoff,                          \
    LogTag == NULL ? __progname : LogTag,                  \
    "[" + (pid == 0), pid, "]" + (pid == 0)
-@@ -193,28 +193,32 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
-       int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc,
-                                      mode_flags);
-       if (0 <= vl && vl < sizeof bufs - l)
+@@ -175,53 +177,95 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
+ #define SYSLOG_HEADER_WITHOUT_TS(__pri, __msgoff)        \
+   "<%d>: %n", __pri, __msgoff
+ 
+-  int l;
++  int l, vl;
+   if (has_ts)
+     l = __snprintf (bufs, sizeof bufs,
+ 		    SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
+   else
+     l = __snprintf (bufs, sizeof bufs,
+ 		    SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
+-  if (0 <= l && l < sizeof bufs)
++  if (l < 0)
++    goto out;
++
++  char *pos;
++  size_t len;
++
++  if (l < sizeof bufs)
+     {
+-      va_list apc;
+-      va_copy (apc, ap);
++      /* At this point, there is still a chance that we can print the
++         remaining part of the log into bufs and use that.  */
++      pos = bufs + l;
++      len = sizeof (bufs) - l;
++    }
++  else
++    {
++      buf = NULL;
++      /* We already know that bufs is too small to use for this log message.
++         The next vsnprintf into bufs is used only to calculate the total
++         required buffer length.  We will discard bufs contents and allocate
++         an appropriately sized buffer later instead.  */
++      pos = bufs;
++      len = sizeof (bufs);
++    }
+ 
+-      /* Restore errno for %m format.  */
+-      __set_errno (saved_errno);
++  {
++    va_list apc;
++    va_copy (apc, ap);
+ 
+-      int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc,
+-                                     mode_flags);
+-      if (0 <= vl && vl < sizeof bufs - l)
 -        {
 -          buf = bufs;
 -          bufsize = l + vl;
 -        }
-+        buf = bufs;
-+      bufsize = l + vl;
++    /* Restore errno for %m format.  */
++    __set_errno (saved_errno);
  
-       va_end (apc);
-     }
+-      va_end (apc);
+-    }
++    vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags);
++    va_end (apc);
++
++    if (vl < 0 || vl >= INT_MAX - l)
++      goto out;
++
++    if (vl >= len)
++      buf = NULL;
++
++    bufsize = l + vl;
++  }
  
    if (buf == NULL)
      {
@@ -2925,23 +2584,94 @@ index 554089bfc4..f67d4b58a4 100644
  	  /* Tell the cancellation handler to free this buffer.  */
  	  clarg.buf = buf;
  
++	  int cl;
  	  if (has_ts)
 -	    __snprintf (bufs, sizeof bufs,
-+	    __snprintf (buf, l + 1,
- 			SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
+-			SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
++	    cl = __snprintf (buf, l + 1,
++			     SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
  	  else
 -	    __snprintf (bufs, sizeof bufs,
-+	    __snprintf (buf, l + 1,
- 			SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
+-			SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
++	    cl = __snprintf (buf, l + 1,
++			     SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff));
++	  if (cl != l)
++	    goto out;
 +
 +	  va_list apc;
 +	  va_copy (apc, ap);
-+	  __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc,
-+				mode_flags);
++	  cl = __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc,
++				     mode_flags);
 +	  va_end (apc);
++
++	  if (cl != vl)
++	    goto out;
  	}
        else
          {
++          int bl;
+ 	  /* Nothing much to do but emit an error message.  */
+-          bufsize = __snprintf (bufs, sizeof bufs,
+-                                "out of memory[%d]", __getpid ());
++          bl = __snprintf (bufs, sizeof bufs,
++                           "out of memory[%d]", __getpid ());
++          if (bl < 0 || bl >= sizeof bufs)
++            goto out;
++
++          bufsize = bl;
+           buf = bufs;
++          msgoff = 0;
+         }
+     }
+ 
+diff --git a/misc/tst-syslog-long-progname.c b/misc/tst-syslog-long-progname.c
+new file mode 100644
+index 0000000000..88f37a8a00
+--- /dev/null
++++ b/misc/tst-syslog-long-progname.c
+@@ -0,0 +1,39 @@
++/* Test heap buffer overflow in syslog with long __progname (CVE-2023-6246)
++   Copyright (C) 2023 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <syslog.h>
++#include <string.h>
++
++extern char * __progname;
++
++static int
++do_test (void)
++{
++  char long_progname[2048];
++
++  memset (long_progname, 'X', sizeof (long_progname) - 1);
++  long_progname[sizeof (long_progname) - 1] = '\0';
++
++  __progname = long_progname;
++
++  syslog (LOG_INFO, "Hello, World!");
++
++  return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/misc/tst-syslog-long-progname.root/postclean.req b/misc/tst-syslog-long-progname.root/postclean.req
+new file mode 100644
+index 0000000000..e69de29bb2
 diff --git a/misc/tst-syslog.c b/misc/tst-syslog.c
 index e550d15796..3560b518a2 100644
 --- a/misc/tst-syslog.c
@@ -8067,7 +7797,7 @@ index 909b208578..d66f0b9c45 100644
  	ldp	q2, q3, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*1]
  	ldp	q4, q5, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*2]
 diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
-index 050a3032de..ab8a7fbf84 100644
+index 050a3032de..c2627fced7 100644
 --- a/sysdeps/generic/ldsodefs.h
 +++ b/sysdeps/generic/ldsodefs.h
 @@ -105,6 +105,9 @@ typedef struct link_map *lookup_t;
@@ -8080,15 +7810,7 @@ index 050a3032de..ab8a7fbf84 100644
  /* On some architectures a pointer to a function is not just a pointer
     to the actual code of the function but rather an architecture
     specific descriptor. */
-@@ -1044,13 +1047,24 @@ extern int _dl_check_map_versions (struct link_map *map, int verbose,
- extern void _dl_init (struct link_map *main_map, int argc, char **argv,
- 		      char **env) attribute_hidden;
- 
-+/* List of ELF objects in reverse order of their constructor
-+   invocation.  */
-+extern struct link_map *_dl_init_called_list attribute_hidden;
-+
- /* Call the finalizer functions of all shared objects whose
+@@ -1048,9 +1051,16 @@ extern void _dl_init (struct link_map *main_map, int argc, char **argv,
     initializer functions have completed.  */
  extern void _dl_fini (void) attribute_hidden;
  
@@ -10745,6 +10467,37 @@ index 3c4480aba7..06f6c9663e 100644
  #define MOVBE_X86_ISA_LEVEL 3
  
  /* ISA level >= 2 guaranteed includes.  */
+diff --git a/sysdeps/x86_64/dl-tlsdesc.S b/sysdeps/x86_64/dl-tlsdesc.S
+index 0db2cb4152..7619e743e1 100644
+--- a/sysdeps/x86_64/dl-tlsdesc.S
++++ b/sysdeps/x86_64/dl-tlsdesc.S
+@@ -61,7 +61,7 @@ _dl_tlsdesc_return:
+ _dl_tlsdesc_undefweak:
+ 	_CET_ENDBR
+ 	movq	8(%rax), %rax
+-	subq	%fs:0, %rax
++	sub	%fs:0, %RAX_LP
+ 	ret
+ 	cfi_endproc
+ 	.size	_dl_tlsdesc_undefweak, .-_dl_tlsdesc_undefweak
+@@ -102,7 +102,7 @@ _dl_tlsdesc_dynamic:
+ 	/* Preserve call-clobbered registers that we modify.
+ 	   We need two scratch regs anyway.  */
+ 	movq	%rsi, -16(%rsp)
+-	movq	%fs:DTV_OFFSET, %rsi
++	mov	%fs:DTV_OFFSET, %RSI_LP
+ 	movq	%rdi, -8(%rsp)
+ 	movq	TLSDESC_ARG(%rax), %rdi
+ 	movq	(%rsi), %rax
+@@ -116,7 +116,7 @@ _dl_tlsdesc_dynamic:
+ 	addq	TLSDESC_MODOFF(%rdi), %rax
+ .Lret:
+ 	movq	-16(%rsp), %rsi
+-	subq	%fs:0, %rax
++	sub	%fs:0, %RAX_LP
+ 	movq	-8(%rsp), %rdi
+ 	ret
+ .Lslow:
 diff --git a/sysdeps/x86_64/fpu/fraiseexcpt.c b/sysdeps/x86_64/fpu/fraiseexcpt.c
 index 864f4777a2..23446ff4ac 100644
 --- a/sysdeps/x86_64/fpu/fraiseexcpt.c
diff --git a/debian/patches/series b/debian/patches/series
index 51dbb4dd..350fd9d3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,8 +119,4 @@ any/local-test-install.diff
 any/local-cross.patch
 any/git-floatn-gcc-13-support.diff
 any/local-disable-tst-bz29951.diff
-any/local-CVE-2023-4911.patch
-any/local-CVE-2023-6246.patch
-any/local-CVE-2023-6779.patch
-any/local-CVE-2023-6780.patch
 any/local-qsort-memory-corruption.patch

Reply to: