https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113874
--- Comment #21 from H.J. Lu <hjl.tools at gmail dot com> ---

(In reply to Florian Weimer from comment #20)
> (In reply to H.J. Lu from comment #19)
> > (In reply to Florian Weimer from comment #9)
> > > (In reply to H.J. Lu from comment #7)
> > > > > The __tls_get_addr call with the default approach potentially needs to solve
> > > > > the same problem, doesn't it?
> > > >
> > > > Isn't __tls_get_addr called via the PLT entry?
> > >
> > > I'm not sure if that matters? Even if the lazy binding trampoline is active,
> > > it won't protect the actual call.
> >
> > Non-GNU2 TLS has
> >
> > 0000000000004000 0000000100000007 R_X86_64_JUMP_SLOT 0000000000000000 __tls_get_addr + 1010
> >
> > which calls _dl_runtime_resolve with lazy binding. _dl_runtime_resolve
> > preserves all caller-saved registers.
>
> The dynamic linker preserves register contents during lazy binding and
> restores them before calling __tls_get_addr, so it doesn't help with
> __tls_get_addr register usage itself. And lazy binding happens only once per
> process and object, while we need to protect the first call on every thread.

Only called from _dl_tlsdesc_dynamic isn't protected. My glibc patch:

https://patchwork.sourceware.org/project/glibc/list/?series=30800

fixes it.