Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package systemd for openSUSE:Factory checked 
in at 2026-06-29 17:30:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/systemd (Old)
 and      /work/SRC/openSUSE:Factory/.systemd.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "systemd"

Mon Jun 29 17:30:14 2026 rev:470 rq:1361320 version:260.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/systemd/systemd.changes  2026-06-10 
15:46:20.451780237 +0200
+++ /work/SRC/openSUSE:Factory/.systemd.new.11887/systemd.changes       
2026-06-29 17:30:55.283182403 +0200
@@ -1,0 +2,6 @@
+Tue Jun 23 08:55:51 UTC 2026 - Franck Bui <[email protected]>
+
+- Temporarily add 1002-nss-systemd-avoid-ELF-TLS-for-recursion-guard.patch 
until
+  upstream releases it (bsc#1254924)
+
+-------------------------------------------------------------------
@@ -6,0 +13,5 @@
+
+-------------------------------------------------------------------
+Wed May 27 10:49:45 UTC 2026 - Luca Boccassi <[email protected]>
+
+- Enable BPF CO-RE programs via linux-bpf-devel build dependency

New:
----
  1002-nss-systemd-avoid-ELF-TLS-for-recursion-guard.patch

----------(New B)----------
  New:
- Temporarily add 1002-nss-systemd-avoid-ELF-TLS-for-recursion-guard.patch until
  upstream releases it (bsc#1254924)
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ systemd.spec ++++++
--- /var/tmp/diff_new_pack.sU4xck/_old  2026-06-29 17:30:59.499325828 +0200
+++ /var/tmp/diff_new_pack.sU4xck/_new  2026-06-29 17:30:59.507326100 +0200
@@ -89,6 +89,9 @@
 %if %{without bootstrap}
 BuildRequires:  bpftool
 BuildRequires:  clang
+%ifnarch %{ix86} %{arm}
+BuildRequires:  linux-bpf-devel
+%endif
 # python is only required for generating systemd.directives.xml
 BuildRequires:  python3-base >= 3.9.0
 BuildRequires:  python3-lxml
@@ -240,6 +243,7 @@
 %if %{without upstream}
 Patch:          0001-Drop-or-soften-some-upstream-warnings.patch
 Patch:          1001-units-drop-Before-sockets.target-from-networkd-resol.patch
+Patch:          1002-nss-systemd-avoid-ELF-TLS-for-recursion-guard.patch
 
 # The patches listed below are in quarantine. Normally, all changes must be
 # pushed to upstream first and then cherry-picked into the SUSE git
@@ -739,6 +743,12 @@
         -Dldconfig=false \
         -Dsmack=false \
         -Dvmlinux-h=disabled \
+%if %{without bootstrap}
+%ifnarch %{ix86} %{arm}
+        -Dvmlinux-h=provided \
+        -Dvmlinux-h-path=/usr/include/bpf/vmlinux.h \
+%endif
+%endif
         -Dxenctrl=disabled \
         -Dxkbcommon=disabled \
         \

++++++ 1002-nss-systemd-avoid-ELF-TLS-for-recursion-guard.patch ++++++
>From 39e2a4323bf8a9d28bc71508edc4d34f3937e23c Mon Sep 17 00:00:00 2001
From: Roman Vinogradov <[email protected]>
Date: Thu, 11 Jun 2026 14:21:55 +0000
Subject: [PATCH] nss-systemd: avoid ELF TLS for recursion guard

libnss_systemd currently uses a thread_local recursion guard to
avoid re-entering nss-systemd during NSS lookups.
Since libnss_systemd.so.2 is loaded lazily by glibc, accessing ELF TLS
may trigger dynamic TLS allocation in __tls_get_addr(). Under allocation
failure conditions, glibc terminates the process from the dynamic loader
instead of allowing the NSS module to return a normal failure.
Replace the recursion guard with POSIX thread-specific data to preserve the
same per-thread semantics while avoiding ELF TLS in the NSS module.
Note that pthread_setspecific() may still allocate internally on first use
per thread. The key improvement is that any such failure is returned
as a normal error code rather than terminating the process from inside
the dynamic loader.

Related: #42559
(cherry picked from commit 19bd80e29a02b4f8c9543370eb4a16c014d497f3)

[fbui: fixes bsc#1254924]
---
 src/nss-systemd/nss-systemd.c | 57 ++++++++++++++++++++++++++++++-----
 1 file changed, 50 insertions(+), 7 deletions(-)

diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c
index 6ed97f31a6..d69c018d04 100644
--- a/src/nss-systemd/nss-systemd.c
+++ b/src/nss-systemd/nss-systemd.c
@@ -4,7 +4,6 @@
 #include <nss.h>
 #include <pthread.h>
 #include <string.h>
-#include <threads.h>
 
 #include "alloc-util.h"
 #include "env-util.h"
@@ -1066,28 +1065,72 @@ enum nss_status _nss_systemd_initgroups_dyn(
         return any ? NSS_STATUS_SUCCESS : NSS_STATUS_NOTFOUND;
 }
 
-static thread_local unsigned _blocked = 0;
+/* Note that we intentionally use POSIX thread-specific data instead of a 
plain thread_local variable.
+ * A thread_local in this lazily-loaded DSO uses a dynamic TLS model by 
default and may require
+ * a dynamic TLS allocation. If that allocation fails, glibc calls _exit() 
from the dynamic linker,
+ * making the failure unrecoverable. Using pthread_key_t avoids ELF TLS 
entirely and lets any such
+ * failure propagate as a normal error instead of terminating the process. */
+static pthread_once_t nss_blocked_key_once = PTHREAD_ONCE_INIT;
+static pthread_key_t nss_blocked_key;
+static int nss_blocked_key_error;
+
+static void nss_blocked_key_init(void) {
+        /* NULL destructor: the per-thread value is a plain integer counter 
encoded as void*,
+         * not a heap allocation, so nothing needs to be freed at thread exit.
+         * No pthread_key_delete: this library is linked with -z nodelete and 
always opened with
+         * RTLD_NODELETE, so it is never unloaded and the key exists for the 
process lifetime. */
+        nss_blocked_key_error = pthread_key_create(&nss_blocked_key, NULL);
+}
+
+static int nss_blocked_key_ensure(void) {
+        int r;
+
+        r = pthread_once(&nss_blocked_key_once, nss_blocked_key_init);
+        if (r != 0)
+                return -r;
+
+        if (nss_blocked_key_error != 0)
+                return -nss_blocked_key_error;
+
+        return 0;
+}
 
 _public_ int _nss_systemd_block(bool b) {
+        int r;
+        uintptr_t blocked;
+
+        r = nss_blocked_key_ensure();
+        if (r < 0)
+                return r;
+
+        blocked = (uintptr_t) pthread_getspecific(nss_blocked_key);
 
         /* This blocks recursively: it's blocked for as many times this 
function is called with `true` until
          * it is called an equal time with `false`. */
 
         if (b) {
-                if (_blocked >= UINT_MAX)
+                if (blocked >= UINTPTR_MAX)
                         return -EOVERFLOW;
 
-                _blocked++;
+                blocked++;
         } else {
-                if (_blocked <= 0)
+                if (blocked == 0)
                         return -EOVERFLOW;
 
-                _blocked--;
+                blocked--;
         }
 
+        r = pthread_setspecific(nss_blocked_key, (void*) blocked);
+        /* Ignore failure on the unblock path: callers may assert on it. */
+        if (r != 0 && b)
+                return -r;
+
         return b; /* Return what is passed in, i.e. the new state from the PoV 
of the caller */
 }
 
 _public_ bool _nss_systemd_is_blocked(void) {
-        return _blocked > 0;
+        if (nss_blocked_key_ensure() < 0)
+                return false;
+
+        return (uintptr_t) pthread_getspecific(nss_blocked_key) > 0;
 }
-- 
2.51.0


++++++ files.experimental ++++++
--- /var/tmp/diff_new_pack.sU4xck/_old  2026-06-29 17:31:00.059344879 +0200
+++ /var/tmp/diff_new_pack.sU4xck/_new  2026-06-29 17:31:00.075345423 +0200
@@ -139,7 +139,13 @@
 %{_mandir}/man8/systemd-pcrosseparator.service.8.gz
 %endif
 %if %{with sd_boot}
+%if %{with upstream}
+%{_mandir}/man8/systemd-pcrphase-factory-reset.service.8.gz
+%endif
 %{_mandir}/man8/systemd-pcrphase-initrd.service.8.gz
+%if %{with upstream}
+%{_mandir}/man8/systemd-pcrphase-storage-target-mode.service.8.gz
+%endif
 %{_mandir}/man8/systemd-pcrphase-sysinit.service.8.gz
 %{_mandir}/man8/systemd-pcrphase.service.8.gz
 %{_mandir}/man8/systemd-pcrproduct.service.8.gz

++++++ files.udev ++++++
--- /var/tmp/diff_new_pack.sU4xck/_old  2026-06-29 17:31:00.331354132 +0200
+++ /var/tmp/diff_new_pack.sU4xck/_new  2026-06-29 17:31:00.335354269 +0200
@@ -317,6 +317,9 @@
 %{_udevhwdbdir}/70-analyzers.hwdb
 %{_udevhwdbdir}/70-av-production.hwdb
 %{_udevhwdbdir}/70-cameras.hwdb
+%if %{with upstream}
+%{_udevhwdbdir}/70-debug-appliance.hwdb
+%endif
 %{_udevhwdbdir}/70-hardware-wallets.hwdb
 %{_udevhwdbdir}/70-joystick.hwdb
 %{_udevhwdbdir}/70-lights.hwdb
@@ -327,6 +330,9 @@
 %{_udevhwdbdir}/70-software-radio.hwdb
 %{_udevhwdbdir}/70-sound-card.hwdb
 %{_udevhwdbdir}/70-touchpad.hwdb
+%if %{with upstream}
+%{_udevhwdbdir}/70-vsock.hwdb
+%endif
 %{_udevhwdbdir}/80-ieee1394-unit-function.hwdb
 %{_udevhwdbdir}/82-net-auto-link-local.hwdb
 %endif

Reply via email to