Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package systemd for openSUSE:Factory checked in at 2026-06-29 17:30:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/systemd (Old) and /work/SRC/openSUSE:Factory/.systemd.new.11887 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "systemd" Mon Jun 29 17:30:14 2026 rev:470 rq:1361320 version:260.2 Changes: -------- --- /work/SRC/openSUSE:Factory/systemd/systemd.changes 2026-06-10 15:46:20.451780237 +0200 +++ /work/SRC/openSUSE:Factory/.systemd.new.11887/systemd.changes 2026-06-29 17:30:55.283182403 +0200 @@ -1,0 +2,6 @@ +Tue Jun 23 08:55:51 UTC 2026 - Franck Bui <[email protected]> + +- Temporarily add 1002-nss-systemd-avoid-ELF-TLS-for-recursion-guard.patch until + upstream releases it (bsc#1254924) + +------------------------------------------------------------------- @@ -6,0 +13,5 @@ + +------------------------------------------------------------------- +Wed May 27 10:49:45 UTC 2026 - Luca Boccassi <[email protected]> + +- Enable BPF CO-RE programs via linux-bpf-devel build dependency New: ---- 1002-nss-systemd-avoid-ELF-TLS-for-recursion-guard.patch ----------(New B)---------- New: - Temporarily add 1002-nss-systemd-avoid-ELF-TLS-for-recursion-guard.patch until upstream releases it (bsc#1254924) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ systemd.spec ++++++ --- /var/tmp/diff_new_pack.sU4xck/_old 2026-06-29 17:30:59.499325828 +0200 +++ /var/tmp/diff_new_pack.sU4xck/_new 2026-06-29 17:30:59.507326100 +0200 @@ -89,6 +89,9 @@ %if %{without bootstrap} BuildRequires: bpftool BuildRequires: clang +%ifnarch %{ix86} %{arm} +BuildRequires: linux-bpf-devel +%endif # python is only required for generating systemd.directives.xml BuildRequires: python3-base >= 3.9.0 BuildRequires: python3-lxml @@ -240,6 +243,7 @@ %if %{without upstream} Patch: 0001-Drop-or-soften-some-upstream-warnings.patch Patch: 1001-units-drop-Before-sockets.target-from-networkd-resol.patch +Patch: 1002-nss-systemd-avoid-ELF-TLS-for-recursion-guard.patch # The patches listed below are in quarantine. Normally, all changes must be # pushed to upstream first and then cherry-picked into the SUSE git 
@@ -739,6 +743,12 @@ -Dldconfig=false \ -Dsmack=false \ -Dvmlinux-h=disabled \ +%if %{without bootstrap} +%ifnarch %{ix86} %{arm} + -Dvmlinux-h=provided \ + -Dvmlinux-h-path=/usr/include/bpf/vmlinux.h \ +%endif +%endif -Dxenctrl=disabled \ -Dxkbcommon=disabled \ \ ++++++ 1002-nss-systemd-avoid-ELF-TLS-for-recursion-guard.patch ++++++ >From 39e2a4323bf8a9d28bc71508edc4d34f3937e23c Mon Sep 17 00:00:00 2001 From: Roman Vinogradov <[email protected]> Date: Thu, 11 Jun 2026 14:21:55 +0000 Subject: [PATCH] nss-systemd: avoid ELF TLS for recursion guard libnss_systemd currently uses a thread_local recursion guard to avoid re-entering nss-systemd during NSS lookups. Since libnss_systemd.so.2 is loaded lazily by glibc, accessing ELF TLS may trigger dynamic TLS allocation in __tls_get_addr(). Under allocation failure conditions, glibc terminates the process from the dynamic loader instead of allowing the NSS module to return a normal failure. Replace the recursion guard with POSIX thread-specific data to preserve the same per-thread semantics while avoiding ELF TLS in the NSS module. Note that pthread_setspecific() may still allocate internally on first use per thread. The key improvement is that any such failure is returned as a normal error code rather than terminating the process from inside the dynamic loader. Related: #42559 (cherry picked from commit 19bd80e29a02b4f8c9543370eb4a16c014d497f3) [fbui: fixes bsc#1254924] --- src/nss-systemd/nss-systemd.c | 57 ++++++++++++++++++++++++++++++----- 1 file changed, 50 insertions(+), 7 deletions(-) diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c index 6ed97f31a6..d69c018d04 100644 --- a/src/nss-systemd/nss-systemd.c +++ b/src/nss-systemd/nss-systemd.c @@ -4,7 +4,6 @@ #include <nss.h> #include <pthread.h> #include <string.h> -#include <threads.h> #include "alloc-util.h" #include "env-util.h" 
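Review bot: The added `-Dvmlinux-h=provided \` is appended after the existing `-Dvmlinux-h=disabled \` instead of replacing it, so on the matching architectures the result depends on the later duplicate `-D` option taking precedence. Passing a single `-Dvmlinux-h=` value per configuration, with the `disabled` line moved into the non-matching branch, would make the selected mode explicit. The `%if %{without bootstrap}` / `%ifnarch %{ix86} %{arm}` pair must also stay identical to the one guarding `BuildRequires: linux-bpf-devel` in the earlier systemd.spec hunk, otherwise `/usr/include/bpf/vmlinux.h` will not be present at configure time. A comment such as `# keep in sync with the linux-bpf-devel BuildRequires condition` above the block would record that coupling.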
@@ -1066,28 +1065,72 @@ enum nss_status _nss_systemd_initgroups_dyn( return any ? NSS_STATUS_SUCCESS : NSS_STATUS_NOTFOUND; } -static thread_local unsigned _blocked = 0; +/* Note that we intentionally use POSIX thread-specific data instead of a plain thread_local variable. + * A thread_local in this lazily-loaded DSO uses a dynamic TLS model by default and may require + * a dynamic TLS allocation. If that allocation fails, glibc calls _exit() from the dynamic linker, + * making the failure unrecoverable. Using pthread_key_t avoids ELF TLS entirely and lets any such + * failure propagate as a normal error instead of terminating the process. */ +static pthread_once_t nss_blocked_key_once = PTHREAD_ONCE_INIT; +static pthread_key_t nss_blocked_key; +static int nss_blocked_key_error; + +static void nss_blocked_key_init(void) { + /* NULL destructor: the per-thread value is a plain integer counter encoded as void*, + * not a heap allocation, so nothing needs to be freed at thread exit. + * No pthread_key_delete: this library is linked with -z nodelete and always opened with + * RTLD_NODELETE, so it is never unloaded and the key exists for the process lifetime. */ + nss_blocked_key_error = pthread_key_create(&nss_blocked_key, NULL); +} + +static int nss_blocked_key_ensure(void) { + int r; + + r = pthread_once(&nss_blocked_key_once, nss_blocked_key_init); + if (r != 0) + return -r; + + if (nss_blocked_key_error != 0) + return -nss_blocked_key_error; + + return 0; +} _public_ int _nss_systemd_block(bool b) { + int r; + uintptr_t blocked; + + r = nss_blocked_key_ensure(); + if (r < 0) + return r; + + blocked = (uintptr_t) pthread_getspecific(nss_blocked_key); /* This blocks recursively: it's blocked for as many times this function is called with `true` until * it is called an equal time with `false`. 
*/ if (b) { - if (_blocked >= UINT_MAX) + if (blocked >= UINTPTR_MAX) return -EOVERFLOW; - _blocked++; + blocked++; } else { - if (_blocked <= 0) + if (blocked == 0) return -EOVERFLOW; - _blocked--; + blocked--; } + r = pthread_setspecific(nss_blocked_key, (void*) blocked); + /* Ignore failure on the unblock path: callers may assert on it. */ + if (r != 0 && b) + return -r; + return b; /* Return what is passed in, i.e. the new state from the PoV of the caller */ } _public_ bool _nss_systemd_is_blocked(void) { - return _blocked > 0; + if (nss_blocked_key_ensure() < 0) + return false; + + return (uintptr_t) pthread_getspecific(nss_blocked_key) > 0; } -- 2.51.0 ++++++ files.experimental ++++++ --- /var/tmp/diff_new_pack.sU4xck/_old 2026-06-29 17:31:00.059344879 +0200 +++ /var/tmp/diff_new_pack.sU4xck/_new 2026-06-29 17:31:00.075345423 +0200 @@ -139,7 +139,13 @@ %{_mandir}/man8/systemd-pcrosseparator.service.8.gz %endif %if %{with sd_boot} +%if %{with upstream} +%{_mandir}/man8/systemd-pcrphase-factory-reset.service.8.gz +%endif %{_mandir}/man8/systemd-pcrphase-initrd.service.8.gz +%if %{with upstream} +%{_mandir}/man8/systemd-pcrphase-storage-target-mode.service.8.gz +%endif %{_mandir}/man8/systemd-pcrphase-sysinit.service.8.gz %{_mandir}/man8/systemd-pcrphase.service.8.gz %{_mandir}/man8/systemd-pcrproduct.service.8.gz ++++++ files.udev ++++++ --- /var/tmp/diff_new_pack.sU4xck/_old 2026-06-29 17:31:00.331354132 +0200 +++ /var/tmp/diff_new_pack.sU4xck/_new 2026-06-29 17:31:00.335354269 +0200 @@ -317,6 +317,9 @@ %{_udevhwdbdir}/70-analyzers.hwdb %{_udevhwdbdir}/70-av-production.hwdb %{_udevhwdbdir}/70-cameras.hwdb +%if %{with upstream} +%{_udevhwdbdir}/70-debug-appliance.hwdb +%endif %{_udevhwdbdir}/70-hardware-wallets.hwdb %{_udevhwdbdir}/70-joystick.hwdb %{_udevhwdbdir}/70-lights.hwdb 
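Review bot: `_nss_systemd_is_blocked()` fails open at the end of this hunk: when `nss_blocked_key_ensure()` fails it returns `false`, so the module behaves as if no recursion guard were set. That is only safe if every caller of `_nss_systemd_block(true)` checks the negative return which the same failure produces there. Those callers are outside this hunk, so the contract deserves a comment such as `/* Fails open if the key cannot be created; _nss_systemd_block(true) reports that error, so callers must not ignore it. */`. Separately, on the unblock path a failed `pthread_setspecific()` leaves the stored counter undecremented while the function still returns success, so the thread would stay blocked. The existing "Ignore failure on the unblock path" comment could say why that is acceptable, presumably because the slot already exists after the matching block call and the store is not expected to fail.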
@@ -327,6 +330,9 @@
 %{_udevhwdbdir}/70-software-radio.hwdb
 %{_udevhwdbdir}/70-sound-card.hwdb
 %{_udevhwdbdir}/70-touchpad.hwdb
+%if %{with upstream}
+%{_udevhwdbdir}/70-vsock.hwdb
+%endif
 %{_udevhwdbdir}/80-ieee1394-unit-function.hwdb
 %{_udevhwdbdir}/82-net-auto-link-local.hwdb
 %endif
