Import glibc-2.34-21.fc35 from f35

* Mon Jan 24 2022 Florian Weimer <fweimer@redhat.com> - 2.34-21
- Sync with upstream branch release/2.34/master,
  commit 3438bbca90895d32825a52e31a77dc44d273c1c1:
- Linux: Detect user namespace support in io/tst-getcwd-smallbuff
- realpath: Avoid overwriting preexisting error
- CVE-2021-3999: getcwd: Set errno to ERANGE for size == 1
- tst-realpath-toolong: Fix hurd build
- CVE-2021-3998: realpath: ENAMETOOLONG for result larger than PATH_MAX
- stdlib: Fix formatting of tests list in Makefile
- stdlib: Sort tests in Makefile
- support: Add helpers to create paths longer than PATH_MAX
- powerpc: Fix unrecognized instruction errors with recent binutils
- x86: use default cache size if it cannot be determined [BZ #28784]
- CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)
- sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
- CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
- socket: Add the __sockaddr_un_set function
- Disable debuginfod in printer tests [BZ #28757]
- Update syscall lists for Linux 5.16

Resolves: #2032279
Resolves: #2032276

glibc-upstream-2.34-74.patch

@@ -0,0 +1,337 @@
+commit 705f1e4606aa78f4e861b4e3346725bf5f083a56
+Author: Joseph Myers <joseph@codesourcery.com>
+Date:   Thu Jan 13 22:18:13 2022 +0000
+
+    Update syscall lists for Linux 5.16
+    
+    Linux 5.16 has one new syscall, futex_waitv.  Update
+    syscall-names.list and regenerate the arch-syscall.h headers with
+    build-many-glibcs.py update-syscalls.
+    
+    Tested with build-many-glibcs.py.
+    
+    (cherry picked from commit 4997a533ae4b51ef66a6b68862b7578a7acb82df)
+
+diff --git a/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h b/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h
+index 74a809561a45edc4..9905ebedf298954c 100644
+--- a/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h
+@@ -62,6 +62,7 @@
+ #define __NR_fsync 82
+ #define __NR_ftruncate 46
+ #define __NR_futex 98
++#define __NR_futex_waitv 449
+ #define __NR_get_mempolicy 236
+ #define __NR_get_robust_list 100
+ #define __NR_getcpu 168
+diff --git a/sysdeps/unix/sysv/linux/alpha/arch-syscall.h b/sysdeps/unix/sysv/linux/alpha/arch-syscall.h
+index 6fc0a23504c3b53d..ee8085be69958b25 100644
+--- a/sysdeps/unix/sysv/linux/alpha/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/alpha/arch-syscall.h
+@@ -78,6 +78,7 @@
+ #define __NR_fsync 95
+ #define __NR_ftruncate 130
+ #define __NR_futex 394
++#define __NR_futex_waitv 559
+ #define __NR_futimesat 454
+ #define __NR_get_kernel_syms 309
+ #define __NR_get_mempolicy 430
+diff --git a/sysdeps/unix/sysv/linux/arc/arch-syscall.h b/sysdeps/unix/sysv/linux/arc/arch-syscall.h
+index 0c66762bf868a992..1b626d97705d545a 100644
+--- a/sysdeps/unix/sysv/linux/arc/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/arc/arch-syscall.h
+@@ -65,6 +65,7 @@
+ #define __NR_fsync 82
+ #define __NR_ftruncate64 46
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_get_mempolicy 236
+ #define __NR_get_robust_list 100
+ #define __NR_getcpu 168
+diff --git a/sysdeps/unix/sysv/linux/arm/arch-syscall.h b/sysdeps/unix/sysv/linux/arm/arch-syscall.h
+index c41a864c6d530eb0..96ef8db9368e7de4 100644
+--- a/sysdeps/unix/sysv/linux/arm/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/arm/arch-syscall.h
+@@ -90,6 +90,7 @@
+ #define __NR_ftruncate64 194
+ #define __NR_futex 240
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 326
+ #define __NR_get_mempolicy 320
+ #define __NR_get_robust_list 339
+diff --git a/sysdeps/unix/sysv/linux/csky/arch-syscall.h b/sysdeps/unix/sysv/linux/csky/arch-syscall.h
+index 863ffa3e0cd34d3e..96910154ed6a5c1b 100644
+--- a/sysdeps/unix/sysv/linux/csky/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/csky/arch-syscall.h
+@@ -70,6 +70,7 @@
+ #define __NR_ftruncate64 46
+ #define __NR_futex 98
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_get_mempolicy 236
+ #define __NR_get_robust_list 100
+ #define __NR_getcpu 168
+diff --git a/sysdeps/unix/sysv/linux/hppa/arch-syscall.h b/sysdeps/unix/sysv/linux/hppa/arch-syscall.h
+index 6cf27cd17c1ad0c0..36675fd48e6f50c5 100644
+--- a/sysdeps/unix/sysv/linux/hppa/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/hppa/arch-syscall.h
+@@ -87,6 +87,7 @@
+ #define __NR_ftruncate64 200
+ #define __NR_futex 210
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 279
+ #define __NR_get_mempolicy 261
+ #define __NR_get_robust_list 290
+diff --git a/sysdeps/unix/sysv/linux/i386/arch-syscall.h b/sysdeps/unix/sysv/linux/i386/arch-syscall.h
+index 2512508b7daa8ed2..c86ccbda4681066c 100644
+--- a/sysdeps/unix/sysv/linux/i386/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/i386/arch-syscall.h
+@@ -94,6 +94,7 @@
+ #define __NR_ftruncate64 194
+ #define __NR_futex 240
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 299
+ #define __NR_get_kernel_syms 130
+ #define __NR_get_mempolicy 275
+diff --git a/sysdeps/unix/sysv/linux/ia64/arch-syscall.h b/sysdeps/unix/sysv/linux/ia64/arch-syscall.h
+index 4a0c737369217367..d898bce404955ef0 100644
+--- a/sysdeps/unix/sysv/linux/ia64/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/ia64/arch-syscall.h
+@@ -74,6 +74,7 @@
+ #define __NR_fsync 1051
+ #define __NR_ftruncate 1098
+ #define __NR_futex 1230
++#define __NR_futex_waitv 1473
+ #define __NR_futimesat 1285
+ #define __NR_get_mempolicy 1260
+ #define __NR_get_robust_list 1299
+diff --git a/sysdeps/unix/sysv/linux/m68k/arch-syscall.h b/sysdeps/unix/sysv/linux/m68k/arch-syscall.h
+index e310eb5075fb22d8..fe721b809076abeb 100644
+--- a/sysdeps/unix/sysv/linux/m68k/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/m68k/arch-syscall.h
+@@ -93,6 +93,7 @@
+ #define __NR_ftruncate64 194
+ #define __NR_futex 235
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 292
+ #define __NR_get_kernel_syms 130
+ #define __NR_get_mempolicy 269
+diff --git a/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h b/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h
+index b4ecad010c2a6abf..6e10c3661db96a1e 100644
+--- a/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h
+@@ -94,6 +94,7 @@
+ #define __NR_ftruncate64 194
+ #define __NR_futex 240
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 299
+ #define __NR_get_kernel_syms 130
+ #define __NR_get_mempolicy 275
+diff --git a/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
+index 7e3d138ba969c57b..26a6d594a2222f15 100644
+--- a/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
+@@ -93,6 +93,7 @@
+ #define __NR_ftruncate64 4212
+ #define __NR_futex 4238
+ #define __NR_futex_time64 4422
++#define __NR_futex_waitv 4449
+ #define __NR_futimesat 4292
+ #define __NR_get_kernel_syms 4130
+ #define __NR_get_mempolicy 4269
+diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
+index 7e9e232e5256bc89..83e0d49c5e3ca1bc 100644
+--- a/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
+@@ -86,6 +86,7 @@
+ #define __NR_ftruncate 6075
+ #define __NR_futex 6194
+ #define __NR_futex_time64 6422
++#define __NR_futex_waitv 6449
+ #define __NR_futimesat 6255
+ #define __NR_get_kernel_syms 6170
+ #define __NR_get_mempolicy 6232
+diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
+index f9e7ef72b0aa1749..d6747c542f63202b 100644
+--- a/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
+@@ -78,6 +78,7 @@
+ #define __NR_fsync 5072
+ #define __NR_ftruncate 5075
+ #define __NR_futex 5194
++#define __NR_futex_waitv 5449
+ #define __NR_futimesat 5251
+ #define __NR_get_kernel_syms 5170
+ #define __NR_get_mempolicy 5228
+diff --git a/sysdeps/unix/sysv/linux/nios2/arch-syscall.h b/sysdeps/unix/sysv/linux/nios2/arch-syscall.h
+index afd73fc1daca1fb4..4ee209bc4475ea7d 100644
+--- a/sysdeps/unix/sysv/linux/nios2/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/nios2/arch-syscall.h
+@@ -69,6 +69,7 @@
+ #define __NR_ftruncate64 46
+ #define __NR_futex 98
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_get_mempolicy 236
+ #define __NR_get_robust_list 100
+ #define __NR_getcpu 168
+diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h b/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h
+index 0ac2992028eda27e..497299fbc47a708c 100644
+--- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h
+@@ -92,6 +92,7 @@
+ #define __NR_ftruncate64 194
+ #define __NR_futex 221
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 290
+ #define __NR_get_kernel_syms 130
+ #define __NR_get_mempolicy 260
+diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h b/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h
+index c890bc644e14fe06..e840279f171b10b9 100644
+--- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h
+@@ -81,6 +81,7 @@
+ #define __NR_ftime 35
+ #define __NR_ftruncate 93
+ #define __NR_futex 221
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 290
+ #define __NR_get_kernel_syms 130
+ #define __NR_get_mempolicy 260
+diff --git a/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h b/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h
+index cd336d755a42598a..73ef74c005e5a2bb 100644
+--- a/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h
+@@ -60,6 +60,7 @@
+ #define __NR_fsync 82
+ #define __NR_ftruncate64 46
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_get_mempolicy 236
+ #define __NR_get_robust_list 100
+ #define __NR_getcpu 168
+diff --git a/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h b/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h
+index 8edd21620bb4ef64..919a79ee91177459 100644
+--- a/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h
+@@ -62,6 +62,7 @@
+ #define __NR_fsync 82
+ #define __NR_ftruncate 46
+ #define __NR_futex 98
++#define __NR_futex_waitv 449
+ #define __NR_get_mempolicy 236
+ #define __NR_get_robust_list 100
+ #define __NR_getcpu 168
+diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h b/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h
+index 1a4873f505765617..005c0ada7aab85a1 100644
+--- a/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h
+@@ -91,6 +91,7 @@
+ #define __NR_ftruncate64 194
+ #define __NR_futex 238
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 292
+ #define __NR_get_kernel_syms 130
+ #define __NR_get_mempolicy 269
+diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h b/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h
+index 2af4607c1d36d173..9131fddcc16116e4 100644
+--- a/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h
+@@ -76,6 +76,7 @@
+ #define __NR_fsync 118
+ #define __NR_ftruncate 93
+ #define __NR_futex 238
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 292
+ #define __NR_get_kernel_syms 130
+ #define __NR_get_mempolicy 269
+diff --git a/sysdeps/unix/sysv/linux/sh/arch-syscall.h b/sysdeps/unix/sysv/linux/sh/arch-syscall.h
+index 7b422ce268ba14d0..d8fb041568ecb4da 100644
+--- a/sysdeps/unix/sysv/linux/sh/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/sh/arch-syscall.h
+@@ -90,6 +90,7 @@
+ #define __NR_ftruncate64 194
+ #define __NR_futex 240
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 299
+ #define __NR_get_mempolicy 275
+ #define __NR_get_robust_list 312
+diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h b/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h
+index 77c3cc64f95ea7f3..2bc014fe6a1a1f4a 100644
+--- a/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h
+@@ -92,6 +92,7 @@
+ #define __NR_ftruncate64 84
+ #define __NR_futex 142
+ #define __NR_futex_time64 422
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 288
+ #define __NR_get_kernel_syms 223
+ #define __NR_get_mempolicy 304
+diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h b/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h
+index 7ad50bc4ad6cef04..76dbbe595ffe868f 100644
+--- a/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h
+@@ -82,6 +82,7 @@
+ #define __NR_fsync 95
+ #define __NR_ftruncate 130
+ #define __NR_futex 142
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 288
+ #define __NR_get_kernel_syms 223
+ #define __NR_get_mempolicy 304
+diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list
+index 1a74d090b72f4d61..0bc2af37dfa1eeb5 100644
+--- a/sysdeps/unix/sysv/linux/syscall-names.list
++++ b/sysdeps/unix/sysv/linux/syscall-names.list
+@@ -21,8 +21,8 @@
+ # This file can list all potential system calls.  The names are only
+ # used if the installed kernel headers also provide them.
+ 
+-# The list of system calls is current as of Linux 5.15.
+-kernel 5.15
++# The list of system calls is current as of Linux 5.16.
++kernel 5.16
+ 
+ FAST_atomic_update
+ FAST_cmpxchg
+@@ -146,6 +146,7 @@ ftruncate
+ ftruncate64
+ futex
+ futex_time64
++futex_waitv
+ futimesat
+ get_kernel_syms
+ get_mempolicy
+diff --git a/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h b/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h
+index 3ce2a1fcfc1c15f2..28558279b48a1ef4 100644
+--- a/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h
+@@ -78,6 +78,7 @@
+ #define __NR_fsync 74
+ #define __NR_ftruncate 77
+ #define __NR_futex 202
++#define __NR_futex_waitv 449
+ #define __NR_futimesat 261
+ #define __NR_get_kernel_syms 177
+ #define __NR_get_mempolicy 239
+diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h b/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
+index 9e87e89baccc397c..c1ab8ec45e8b8fd3 100644
+--- a/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
++++ b/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
+@@ -74,6 +74,7 @@
+ #define __NR_fsync 1073741898
+ #define __NR_ftruncate 1073741901
+ #define __NR_futex 1073742026
++#define __NR_futex_waitv 1073742273
+ #define __NR_futimesat 1073742085
+ #define __NR_get_mempolicy 1073742063
+ #define __NR_get_robust_list 1073742355

glibc-upstream-2.34-75.patch

@@ -0,0 +1,53 @@
+commit 03e6e02e6a216cfb913f49b3be80d5088603864f
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Sun Jan 9 09:06:15 2022 -0800
+
+    Disable debuginfod in printer tests [BZ #28757]
+    
+    With gdb-11.1-6.fc35.x86_64, I got
+    
+    FAIL: nptl/test-cond-printers
+    FAIL: nptl/test-condattr-printers
+    FAIL: nptl/test-mutex-printers
+    FAIL: nptl/test-mutexattr-printers
+    FAIL: nptl/test-rwlock-printers
+    FAIL: nptl/test-rwlockattr-printers
+    
+    $ cat nptl/test-condattr-printers.out
+    Error: Response does not match the expected pattern.
+    Command: start
+    Expected pattern: main
+    Response:  Temporary breakpoint 1 at 0x11d5: file test-condattr-printers.c, line 43.
+    Starting program: /export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/nptl/test-condattr-printers
+    
+    This GDB supports auto-downloading debuginfo from the following URLs:
+    https://debuginfod.fedoraproject.org/
+    Enable debuginfod for this session? (y or [n])
+    
+    Disable debuginfod to avoid GDB messages.  This fixes BZ #28757.
+    
+    Reviewed-by: Florian Weimer <fweimer@redhat.com>
+    (cherry picked from commit 7de501f9418bf099e7104b63b0e4423257981b14)
+
+diff --git a/scripts/test_printers_common.py b/scripts/test_printers_common.py
+index 34a3df6e6bd8b363..53b6d30d40ce2622 100644
+--- a/scripts/test_printers_common.py
++++ b/scripts/test_printers_common.py
+@@ -161,6 +161,17 @@ def init_test(test_bin, printer_files, printer_names):
+             printer files.
+     """
+ 
++    # Disable debuginfod to avoid GDB messages like:
++    #
++    # This GDB supports auto-downloading debuginfo from the following URLs:
++    # https://debuginfod.fedoraproject.org/
++    # Enable debuginfod for this session? (y or [n])
++    #
++    try:
++        test('set debuginfod enabled off')
++    except Exception:
++        pass
++
+     # Load all the pretty printer files.  We're assuming these are safe.
+     for printer_file in printer_files:
+         test('source {0}'.format(printer_file))

glibc-upstream-2.34-76.patch

@@ -0,0 +1,165 @@
+commit 5575daae5099e779bb860b566b4d608418a5b832
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Jan 17 10:21:34 2022 +0100
+
+    socket: Add the __sockaddr_un_set function
+    
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit e368b12f6c16b6888dda99ba641e999b9c9643c8)
+
+diff --git a/include/sys/un.h b/include/sys/un.h
+index bdbee999806930f4..152afd9fc7426d8b 100644
+--- a/include/sys/un.h
++++ b/include/sys/un.h
+@@ -1 +1,13 @@
+ #include <socket/sys/un.h>
++
++#ifndef _ISOMAC
++
++/* Set ADDR->sun_family to AF_UNIX and ADDR->sun_path to PATHNAME.
++   Return 0 on success or -1 on failure (due to overlong PATHNAME).
++   The caller should always use sizeof (struct sockaddr_un) as the
++   socket address length, disregaring the length of PATHNAME.
++   Only concrete (non-abstract) pathnames are supported.  */
++int __sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
++  attribute_hidden;
++
++#endif /* _ISOMAC */
+diff --git a/socket/Makefile b/socket/Makefile
+index 375957601024c12e..c2de11d73ca1e324 100644
+--- a/socket/Makefile
++++ b/socket/Makefile
+@@ -29,13 +29,17 @@ headers	:= sys/socket.h sys/un.h bits/sockaddr.h bits/socket.h \
+ routines := accept bind connect getpeername getsockname getsockopt	\
+ 	    listen recv recvfrom recvmsg send sendmsg sendto		\
+ 	    setsockopt shutdown socket socketpair isfdtype opensock	\
+-	    sockatmark accept4 recvmmsg sendmmsg
++	    sockatmark accept4 recvmmsg sendmmsg sockaddr_un_set
+ 
+ tests := \
+   tst-accept4 \
+   tst-sockopt \
+   # tests
+ 
++tests-internal := \
++  tst-sockaddr_un_set \
++  # tests-internal
++
+ tests-time64 := \
+   tst-sockopt-time64 \
+   # tests
+diff --git a/socket/sockaddr_un_set.c b/socket/sockaddr_un_set.c
+new file mode 100644
+index 0000000000000000..0bd40dc34e3d7efc
+--- /dev/null
++++ b/socket/sockaddr_un_set.c
+@@ -0,0 +1,41 @@
++/* Set the sun_path member of struct sockaddr_un.
++   Copyright (C) 2022 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <string.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++
++int
++__sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
++{
++  size_t name_length = strlen (pathname);
++
++  /* The kernel supports names of exactly sizeof (addr->sun_path)
++     bytes, without a null terminator, but userspace does not; see the
++     SUN_LEN macro.  */
++  if (name_length >= sizeof (addr->sun_path))
++    {
++      __set_errno (EINVAL);     /* Error code used by the kernel.  */
++      return -1;
++    }
++
++  addr->sun_family = AF_UNIX;
++  memcpy (addr->sun_path, pathname, name_length + 1);
++  return 0;
++}
+diff --git a/socket/tst-sockaddr_un_set.c b/socket/tst-sockaddr_un_set.c
+new file mode 100644
+index 0000000000000000..29c2a81afda81b5e
+--- /dev/null
++++ b/socket/tst-sockaddr_un_set.c
+@@ -0,0 +1,62 @@
++/* Test the __sockaddr_un_set function.
++   Copyright (C) 2022 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++/* Re-compile the function because the version in libc is not
++   exported.  */
++#include "sockaddr_un_set.c"
++
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++  struct sockaddr_un sun;
++
++  memset (&sun, 0xcc, sizeof (sun));
++  __sockaddr_un_set (&sun, "");
++  TEST_COMPARE (sun.sun_family, AF_UNIX);
++  TEST_COMPARE (__sockaddr_un_set (&sun, ""), 0);
++
++  memset (&sun, 0xcc, sizeof (sun));
++  TEST_COMPARE (__sockaddr_un_set (&sun, "/example"), 0);
++  TEST_COMPARE_STRING (sun.sun_path, "/example");
++
++  {
++    char pathname[108];         /* Length of sun_path (ABI constant).  */
++    memset (pathname, 'x', sizeof (pathname));
++    pathname[sizeof (pathname) - 1] = '\0';
++    memset (&sun, 0xcc, sizeof (sun));
++    TEST_COMPARE (__sockaddr_un_set (&sun, pathname), 0);
++    TEST_COMPARE (sun.sun_family, AF_UNIX);
++    TEST_COMPARE_STRING (sun.sun_path, pathname);
++  }
++
++  {
++    char pathname[109];
++    memset (pathname, 'x', sizeof (pathname));
++    pathname[sizeof (pathname) - 1] = '\0';
++    memset (&sun, 0xcc, sizeof (sun));
++    errno = 0;
++    TEST_COMPARE (__sockaddr_un_set (&sun, pathname), -1);
++    TEST_COMPARE (errno, EINVAL);
++  }
++
++  return 0;
++}
++
++#include <support/test-driver.c>

glibc-upstream-2.34-77.patch

@@ -0,0 +1,33 @@
+commit 7b5d433fd097b8ed74e458eca33597290e07b974
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Jan 17 10:21:34 2022 +0100
+
+    CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
+    
+    Processing an overlong pathname in the sunrpc clnt_create function
+    results in a stack-based buffer overflow.
+    
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit 226b46770c82899b555986583294b049c6ec9b40)
+
+diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c
+index 13ced8994e49d4ee..b44357cd88e60599 100644
+--- a/sunrpc/clnt_gen.c
++++ b/sunrpc/clnt_gen.c
+@@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_long prog, u_long vers,
+ 
+   if (strcmp (proto, "unix") == 0)
+     {
+-      memset ((char *)&sun, 0, sizeof (sun));
+-      sun.sun_family = AF_UNIX;
+-      strcpy (sun.sun_path, hostname);
++      if (__sockaddr_un_set (&sun, hostname) < 0)
++	{
++	  struct rpc_createerr *ce = &get_rpc_createerr ();
++	  ce->cf_stat = RPC_SYSTEMERROR;
++	  ce->cf_error.re_errno = errno;
++	  return NULL;
++	}
+       sock = RPC_ANYSOCK;
+       client = clntunix_create (&sun, prog, vers, &sock, 0, 0);
+       if (client == NULL)

glibc-upstream-2.34-78.patch

@@ -0,0 +1,82 @@
+commit 1081f1d3dd7c84ba3416b5198d47a4df2b70185d
+Author: Martin Sebor <msebor@redhat.com>
+Date:   Mon Jan 17 10:21:34 2022 +0100
+
+    sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
+    
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit ef972a4c50014a16132b5c75571cfb6b30bef136)
+
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index 7e5bbfd951b1e835..a4281b18d04c78e9 100644
+--- a/sunrpc/Makefile
++++ b/sunrpc/Makefile
+@@ -65,7 +65,8 @@ shared-only-routines = $(routines)
+ endif
+ 
+ tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \
+-  tst-udp-nonblocking
++  tst-udp-nonblocking tst-bug22542
++
+ xtests := tst-getmyaddr
+ 
+ ifeq ($(have-thread-library),yes)
+@@ -110,6 +111,8 @@ $(objpfx)tst-udp-nonblocking: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-udp-garbage: \
+   $(common-objpfx)linkobj/libc.so $(shared-thread-library)
+ 
++$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so
++
+ else # !have-GLIBC_2.31
+ 
+ routines = $(routines-for-nss)
+diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c
+new file mode 100644
+index 0000000000000000..d6cd79787bdef21d
+--- /dev/null
++++ b/sunrpc/tst-bug22542.c
+@@ -0,0 +1,44 @@
++/* Test to verify that overlong hostname is rejected by clnt_create
++   and doesn't cause a buffer overflow (bug  22542).
++
++   Copyright (C) 2022 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <rpc/clnt.h>
++#include <string.h>
++#include <support/check.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++
++static int
++do_test (void)
++{
++  /* Create an arbitrary hostname that's longer than fits in sun_path.  */
++  char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2];
++  memset (name, 'x', sizeof name - 1);
++  name [sizeof name - 1] = '\0';
++
++  errno = 0;
++  CLIENT *clnt = clnt_create (name, 0, 0, "unix");
++
++  TEST_VERIFY (clnt == NULL);
++  TEST_COMPARE (errno, EINVAL);
++  return 0;
++}
++
++#include <support/test-driver.c>

glibc-upstream-2.34-79.patch

@@ -0,0 +1,102 @@
+commit 6890b8a3ae40ab9d4c96024ab95b04816fcc8a4a
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Jan 17 11:49:25 2022 +0100
+
+    CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)
+    
+    The sunrpc function svcunix_create suffers from a stack-based buffer
+    overflow with overlong pathname arguments.
+    
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit f545ad4928fa1f27a3075265182b38a4f939a5f7)
+
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index a4281b18d04c78e9..6408ab5c073538e9 100644
+--- a/sunrpc/Makefile
++++ b/sunrpc/Makefile
+@@ -65,7 +65,7 @@ shared-only-routines = $(routines)
+ endif
+ 
+ tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \
+-  tst-udp-nonblocking tst-bug22542
++  tst-udp-nonblocking tst-bug22542 tst-bug28768
+ 
+ xtests := tst-getmyaddr
+ 
+diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
+index 679fbe9cb69587bd..46f8d16fe94a3d4f 100644
+--- a/sunrpc/svc_unix.c
++++ b/sunrpc/svc_unix.c
+@@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
+   SVCXPRT *xprt;
+   struct unix_rendezvous *r;
+   struct sockaddr_un addr;
+-  socklen_t len = sizeof (struct sockaddr_in);
++  socklen_t len = sizeof (addr);
++
++  if (__sockaddr_un_set (&addr, path) < 0)
++    return NULL;
+ 
+   if (sock == RPC_ANYSOCK)
+     {
+@@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
+ 	}
+       madesock = TRUE;
+     }
+-  memset (&addr, '\0', sizeof (addr));
+-  addr.sun_family = AF_UNIX;
+-  len = strlen (path) + 1;
+-  memcpy (addr.sun_path, path, len);
+-  len += sizeof (addr.sun_family);
+-
+   __bind (sock, (struct sockaddr *) &addr, len);
+ 
+   if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0
+diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c
+new file mode 100644
+index 0000000000000000..35a4b7b0b3d34350
+--- /dev/null
++++ b/sunrpc/tst-bug28768.c
+@@ -0,0 +1,42 @@
++/* Test to verify that long path is rejected by svcunix_create (bug 28768).
++   Copyright (C) 2022 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <rpc/svc.h>
++#include <shlib-compat.h>
++#include <string.h>
++#include <support/check.h>
++
++/* svcunix_create does not have a default version in linkobj/libc.so.  */
++compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1);
++
++static int
++do_test (void)
++{
++  char pathname[109];
++  memset (pathname, 'x', sizeof (pathname));
++  pathname[sizeof (pathname) - 1] = '\0';
++
++  errno = 0;
++  TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL);
++  TEST_COMPARE (errno, EINVAL);
++
++  return 0;
++}
++
++#include <support/test-driver.c>

glibc-upstream-2.34-80.patch

@@ -0,0 +1,56 @@
+commit 1d401d1fccb85046402089268b94d86d822070e6
+Author: Aurelien Jarno <aurelien@aurel32.net>
+Date:   Mon Jan 17 19:41:40 2022 +0100
+
+    x86: use default cache size if it cannot be determined [BZ #28784]
+    
+    In some cases (e.g QEMU, non-Intel/AMD CPU) the cache information can
+    not be retrieved and the corresponding values are set to 0.
+    
+    Commit 2d651eb9265d ("x86: Move x86 processor cache info to
+    cpu_features") changed the behaviour in such case by defining the
+    __x86_shared_cache_size and __x86_data_cache_size variables to 0 instead
+    of using the default values. This cause an issue with the i686 SSE2
+    optimized bzero/routine which assumes that the cache size is at least
+    128 bytes, and otherwise tries to zero/set the whole address space minus
+    128 bytes.
+    
+    Fix that by restoring the original code to only update
+    __x86_shared_cache_size and __x86_data_cache_size variables if the
+    corresponding cache sizes are not zero.
+    
+    Fixes bug 28784
+    Fixes commit 2d651eb9265d
+    
+    Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
+    (cherry picked from commit c242fcce06e3102ca663b2f992611d0bda4f2668)
+
+diff --git a/sysdeps/x86/cacheinfo.h b/sysdeps/x86/cacheinfo.h
+index 41d2c81369840ada..63f36877e3f35d99 100644
+--- a/sysdeps/x86/cacheinfo.h
++++ b/sysdeps/x86/cacheinfo.h
+@@ -61,14 +61,20 @@ init_cacheinfo (void)
+   long int data = cpu_features->data_cache_size;
+   /* Round data cache size to multiple of 256 bytes.  */
+   data = data & ~255L;
+-  __x86_data_cache_size_half = data / 2;
+-  __x86_data_cache_size = data;
++  if (data > 0)
++    {
++      __x86_data_cache_size_half = data / 2;
++      __x86_data_cache_size = data;
++    }
+ 
+   long int shared = cpu_features->shared_cache_size;
+   /* Round shared cache size to multiple of 256 bytes.  */
+   shared = shared & ~255L;
+-  __x86_shared_cache_size_half = shared / 2;
+-  __x86_shared_cache_size = shared;
++  if (shared > 0)
++    {
++      __x86_shared_cache_size_half = shared / 2;
++      __x86_shared_cache_size = shared;
++    }
+ 
+   __x86_shared_non_temporal_threshold
+     = cpu_features->non_temporal_threshold;

glibc-upstream-2.34-81.patch

@@ -0,0 +1,64 @@
+commit 82b1acd9de9796298a230d7484f26fe9a7756d18
+Author: Paul A. Clarke <pc@us.ibm.com>
+Date:   Sat Sep 25 09:57:15 2021 -0500
+
+    powerpc: Fix unrecognized instruction errors with recent binutils
+    
+    Recent versions of binutils (with commit
+    b25f942e18d6ecd7ec3e2d2e9930eb4f996c258a) stopped preserving "sticky"
+    options across a base `.machine` directive, nullifying the use of
+    passing "-many" through GCC to the assembler.  As a result, some
+    instructions which were recognized even under older, more stringent
+    `.machine` directives become unrecognized instructions in that
+    context.
+    
+    In `sysdeps/powerpc/tst-set_ppr.c`, the use of the `mfppr32` extended
+    mnemonic became unrecognized, as the default compilation with GCC for
+    32bit powerpc adds a `.machine ppc` in the resulting assembly, so the
+    command line option `-Wa,-many` is essentially ignored, and the ISA 2.06
+    instructions and mnemonics, like `mfppr32`, are unrecognized.
+    
+    The compilation of `sysdeps/powerpc/tst-set_ppr.c` fails with:
+    Error: unrecognized opcode: `mfppr32'
+    
+    Add appropriate `.machine` directives in the assembly to bracket the
+    `mfppr32` instruction.
+    
+    Part of a 2019 fix (commit 9250e6610fdb0f3a6f238d2813e319a41fb7a810) to
+    the above test's Makefile to add `-many` to the compilation when GCC
+    itself stopped passing `-many` to the assember no longer has any effect,
+    so remove that.
+    
+    Reported-by: Joseph Myers <joseph@codesourcery.com>
+    (cherry picked from commit ee874f44fd55988808a4a162ef21bfa2cc8dc6f7)
+
+diff --git a/sysdeps/powerpc/Makefile b/sysdeps/powerpc/Makefile
+index 09860ffc0155d765..5e6cb07ce66decfa 100644
+--- a/sysdeps/powerpc/Makefile
++++ b/sysdeps/powerpc/Makefile
+@@ -61,11 +61,6 @@ ifeq ($(subdir),misc)
+ sysdep_headers += sys/platform/ppc.h
+ tests += test-gettimebase
+ tests += tst-set_ppr
+-
+-# This test is expected to run and exit with EXIT_UNSUPPORTED on
+-# processors that do not implement the Power ISA 2.06 or greater.
+-# But the test makes use of instructions from Power ISA 2.06 and 2.07.
+-CFLAGS-tst-set_ppr.c += -Wa,-many
+ endif
+ 
+ ifeq ($(subdir),wcsmbs)
+diff --git a/sysdeps/powerpc/tst-set_ppr.c b/sysdeps/powerpc/tst-set_ppr.c
+index 7684f5d6ea905c60..e80da15320635585 100644
+--- a/sysdeps/powerpc/tst-set_ppr.c
++++ b/sysdeps/powerpc/tst-set_ppr.c
+@@ -44,7 +44,8 @@ get_thread_priority (void)
+ {
+   /* Read the PPR.  */
+   ppr_t ppr;
+-  asm volatile (MFPPR" %0" : "=r"(ppr));
++  asm volatile (".machine push; .machine power7; "MFPPR" %0; .machine pop"
++		: "=r"(ppr));
+   /* Return the thread priority value.  */
+   return EXTRACT_THREAD_PRIORITY (ppr);
+ }

glibc-upstream-2.34-82.patch

@@ -0,0 +1,276 @@
+commit 062ff490c1467059f6cd64bb9c3d85f6cc6cf97a
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Tue Jan 18 13:29:36 2022 +0530
+
+    support: Add helpers to create paths longer than PATH_MAX
+    
+    Add new helpers support_create_and_chdir_toolong_temp_directory and
+    support_chdir_toolong_temp_directory to create and descend into
+    directory trees longer than PATH_MAX.
+    
+    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit fb7bff12e81c677a6622f724edd4d4987dd9d971)
+
+diff --git a/support/temp_file.c b/support/temp_file.c
+index c6df641876285bb2..e41128c2d43fe903 100644
+--- a/support/temp_file.c
++++ b/support/temp_file.c
+@@ -1,5 +1,6 @@
+ /* Temporary file handling for tests.
+-   Copyright (C) 1998-2021 Free Software Foundation, Inc.
++   Copyright (C) 1998-2022 Free Software Foundation, Inc.
++   Copyright The GNU Tools Authors.
+    This file is part of the GNU C Library.
+ 
+    The GNU C Library is free software; you can redistribute it and/or
+@@ -20,15 +21,17 @@
+    some 32-bit platforms. */
+ #define _FILE_OFFSET_BITS 64
+ 
++#include <support/check.h>
+ #include <support/temp_file.h>
+ #include <support/temp_file-internal.h>
+ #include <support/support.h>
+ 
++#include <errno.h>
+ #include <paths.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+-#include <unistd.h>
++#include <xunistd.h>
+ 
+ /* List of temporary files.  */
+ static struct temp_name_list
+@@ -36,14 +39,20 @@ static struct temp_name_list
+   struct temp_name_list *next;
+   char *name;
+   pid_t owner;
++  bool toolong;
+ } *temp_name_list;
+ 
+ /* Location of the temporary files.  Set by the test skeleton via
+    support_set_test_dir.  The string is not be freed.  */
+ static const char *test_dir = _PATH_TMP;
+ 
+-void
+-add_temp_file (const char *name)
++/* Name of subdirectories in a too long temporary directory tree.  */
++static char toolong_subdir[NAME_MAX + 1];
++static bool toolong_initialized;
++static size_t toolong_path_max;
++
++static void
++add_temp_file_internal (const char *name, bool toolong)
+ {
+   struct temp_name_list *newp
+     = (struct temp_name_list *) xcalloc (sizeof (*newp), 1);
+@@ -53,12 +62,19 @@ add_temp_file (const char *name)
+       newp->name = newname;
+       newp->next = temp_name_list;
+       newp->owner = getpid ();
++      newp->toolong = toolong;
+       temp_name_list = newp;
+     }
+   else
+     free (newp);
+ }
+ 
++void
++add_temp_file (const char *name)
++{
++  add_temp_file_internal (name, false);
++}
++
+ int
+ create_temp_file_in_dir (const char *base, const char *dir, char **filename)
+ {
+@@ -90,8 +106,8 @@ create_temp_file (const char *base, char **filename)
+   return create_temp_file_in_dir (base, test_dir, filename);
+ }
+ 
+-char *
+-support_create_temp_directory (const char *base)
++static char *
++create_temp_directory_internal (const char *base, bool toolong)
+ {
+   char *path = xasprintf ("%s/%sXXXXXX", test_dir, base);
+   if (mkdtemp (path) == NULL)
+@@ -99,16 +115,132 @@ support_create_temp_directory (const char *base)
+       printf ("error: mkdtemp (\"%s\"): %m", path);
+       exit (1);
+     }
+-  add_temp_file (path);
++  add_temp_file_internal (path, toolong);
+   return path;
+ }
+ 
+-/* Helper functions called by the test skeleton follow.  */
++char *
++support_create_temp_directory (const char *base)
++{
++  return create_temp_directory_internal (base, false);
++}
++
++static void
++ensure_toolong_initialized (void)
++{
++  if (!toolong_initialized)
++    FAIL_EXIT1 ("uninitialized toolong directory tree\n");
++}
++
++static void
++initialize_toolong (const char *base)
++{
++  long name_max = pathconf (base, _PC_NAME_MAX);
++  name_max = (name_max < 0 ? 64
++	      : (name_max < sizeof (toolong_subdir) ? name_max
++		 : sizeof (toolong_subdir) - 1));
++
++  long path_max = pathconf (base, _PC_PATH_MAX);
++  path_max = (path_max < 0 ? 1024
++	      : path_max <= PTRDIFF_MAX ? path_max : PTRDIFF_MAX);
++
++  /* Sanity check to ensure that the test does not create temporary directories
++     in different filesystems because this API doesn't support it.  */
++  if (toolong_initialized)
++    {
++      if (name_max != strlen (toolong_subdir))
++	FAIL_UNSUPPORTED ("name_max: Temporary directories in different"
++			  " filesystems not supported yet\n");
++      if (path_max != toolong_path_max)
++	FAIL_UNSUPPORTED ("path_max: Temporary directories in different"
++			  " filesystems not supported yet\n");
++      return;
++    }
++
++  toolong_path_max = path_max;
++
++  size_t len = name_max;
++  memset (toolong_subdir, 'X', len);
++  toolong_initialized = true;
++}
++
++char *
++support_create_and_chdir_toolong_temp_directory (const char *basename)
++{
++  char *base = create_temp_directory_internal (basename, true);
++  xchdir (base);
++
++  initialize_toolong (base);
++
++  size_t sz = strlen (toolong_subdir);
++
++  /* Create directories and descend into them so that the final path is larger
++     than PATH_MAX.  */
++  for (size_t i = 0; i <= toolong_path_max / sz; i++)
++    {
++      int ret = mkdir (toolong_subdir, S_IRWXU);
++      if (ret != 0 && errno == ENAMETOOLONG)
++	FAIL_UNSUPPORTED ("Filesystem does not support creating too long "
++			  "directory trees\n");
++      else if (ret != 0)
++	FAIL_EXIT1 ("Failed to create directory tree: %m\n");
++      xchdir (toolong_subdir);
++    }
++  return base;
++}
+ 
+ void
+-support_set_test_dir (const char *path)
++support_chdir_toolong_temp_directory (const char *base)
+ {
+-  test_dir = path;
++  ensure_toolong_initialized ();
++
++  xchdir (base);
++
++  size_t sz = strlen (toolong_subdir);
++  for (size_t i = 0; i <= toolong_path_max / sz; i++)
++    xchdir (toolong_subdir);
++}
++
++/* Helper functions called by the test skeleton follow.  */
++
++static void
++remove_toolong_subdirs (const char *base)
++{
++  ensure_toolong_initialized ();
++
++  if (chdir (base) != 0)
++    {
++      printf ("warning: toolong cleanup base failed: chdir (\"%s\"): %m\n",
++	      base);
++      return;
++    }
++
++  /* Descend.  */
++  int levels = 0;
++  size_t sz = strlen (toolong_subdir);
++  for (levels = 0; levels <= toolong_path_max / sz; levels++)
++    if (chdir (toolong_subdir) != 0)
++      {
++	printf ("warning: toolong cleanup failed: chdir (\"%s\"): %m\n",
++		toolong_subdir);
++	break;
++      }
++
++  /* Ascend and remove.  */
++  while (--levels >= 0)
++    {
++      if (chdir ("..") != 0)
++	{
++	  printf ("warning: toolong cleanup failed: chdir (\"..\"): %m\n");
++	  return;
++	}
++      if (remove (toolong_subdir) != 0)
++	{
++	  printf ("warning: could not remove subdirectory: %s: %m\n",
++		  toolong_subdir);
++	  return;
++	}
++    }
+ }
+ 
+ void
+@@ -123,6 +255,9 @@ support_delete_temp_files (void)
+ 	 around, to prevent PID reuse.)  */
+       if (temp_name_list->owner == pid)
+ 	{
++	  if (temp_name_list->toolong)
++	    remove_toolong_subdirs (temp_name_list->name);
++
+ 	  if (remove (temp_name_list->name) != 0)
+ 	    printf ("warning: could not remove temporary file: %s: %m\n",
+ 		    temp_name_list->name);
+@@ -147,3 +282,9 @@ support_print_temp_files (FILE *f)
+       fprintf (f, ")\n");
+     }
+ }
++
++void
++support_set_test_dir (const char *path)
++{
++  test_dir = path;
++}
+diff --git a/support/temp_file.h b/support/temp_file.h
+index f3a7fb6f9ca44d19..a22964c6fa11abd2 100644
+--- a/support/temp_file.h
++++ b/support/temp_file.h
+@@ -44,6 +44,15 @@ int create_temp_file_in_dir (const char *base, const char *dir,
+    returns.  The caller should free this string.  */
+ char *support_create_temp_directory (const char *base);
+ 
++/* Create a temporary directory tree that is longer than PATH_MAX and schedule
++   it for deletion.  BASENAME is used as a prefix for the unique directory
++   name, which the function returns.  The caller should free this string.  */
++char *support_create_and_chdir_toolong_temp_directory (const char *basename);
++
++/* Change into the innermost directory of the directory tree BASE, which was
++   created using support_create_and_chdir_toolong_temp_directory.  */
++void support_chdir_toolong_temp_directory (const char *base);
++
+ __END_DECLS
+ 
+ #endif /* SUPPORT_TEMP_FILE_H */

glibc-upstream-2.34-83.patch

@@ -0,0 +1,121 @@
+commit 269eb9d930546ce57e83b56c44c430f154684a23
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Thu Jan 13 10:34:37 2022 +0530
+
+    stdlib: Sort tests in Makefile
+    
+    Put one test per line and sort them.
+    
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit 5b766603efa727c236a5f0cdcf09b71ff60b7584)
+
+diff --git a/stdlib/Makefile b/stdlib/Makefile
+index 7c15549cafa8e397..6a1c3580bd1648ee 100644
+--- a/stdlib/Makefile
++++ b/stdlib/Makefile
+@@ -65,30 +65,81 @@ aux =	grouping groupingwc tens_in_limb
+ static-only-routines = atexit at_quick_exit
+ 
+ test-srcs	:= tst-fmtmsg
+-tests		:= tst-strtol tst-strtod testmb testrand testsort testdiv   \
+-		   test-canon test-canon2 tst-strtoll tst-environ	    \
+-		   tst-xpg-basename tst-random tst-random2 tst-bsearch	    \
+-		   tst-limits tst-rand48 bug-strtod tst-setcontext	    \
+-		   tst-setcontext2 test-a64l tst-qsort testmb2              \
+-		   bug-strtod2 tst-atof1 tst-atof2 tst-strtod2		    \
+-		   tst-rand48-2 tst-makecontext tst-strtod5		    \
+-		   tst-qsort2 tst-makecontext2 tst-strtod6 tst-unsetenv1    \
+-		   tst-makecontext3 bug-getcontext bug-fmtmsg1		    \
+-		   tst-secure-getenv tst-strtod-overflow tst-strtod-round   \
+-		   tst-tininess tst-strtod-underflow tst-setcontext3	    \
+-		   tst-strtol-locale tst-strtod-nan-locale tst-strfmon_l    \
+-		   tst-quick_exit tst-thread-quick_exit tst-width	    \
+-		   tst-width-stdint tst-strfrom tst-strfrom-locale	    \
+-		   tst-getrandom tst-atexit tst-at_quick_exit 		    \
+-		   tst-cxa_atexit tst-on_exit test-atexit-race 		    \
+-		   test-at_quick_exit-race test-cxa_atexit-race		    \
+-		   test-cxa_atexit-race2				    \
+-		   test-on_exit-race test-dlclose-exit-race 		    \
+-		   tst-makecontext-align test-bz22786 tst-strtod-nan-sign \
+-		   tst-swapcontext1 tst-setcontext4 tst-setcontext5 \
+-		   tst-setcontext6 tst-setcontext7 tst-setcontext8 \
+-		   tst-setcontext9 tst-bz20544 tst-canon-bz26341 \
+-		   tst-realpath
++tests		:=  bug-fmtmsg1 \
++		    bug-getcontext \
++		    bug-strtod \
++		    bug-strtod2 \
++		    test-a64l \
++		    test-at_quick_exit-race \
++		    test-atexit-race \
++		    test-bz22786 \
++		    test-canon \
++		    test-canon2 \
++		    test-cxa_atexit-race \
++		    test-cxa_atexit-race2 \
++		    test-dlclose-exit-race \
++		    test-on_exit-race \
++		    testdiv \
++		    testmb \
++		    testmb2 \
++		    testrand \
++		    testsort \
++		    tst-at_quick_exit \
++		    tst-atexit \
++		    tst-atof1 \
++		    tst-atof2 \
++		    tst-bsearch \
++		    tst-bz20544 \
++		    tst-canon-bz26341 \
++		    tst-cxa_atexit \
++		    tst-environ \
++		    tst-getrandom \
++		    tst-limits \
++		    tst-makecontext \
++		    tst-makecontext-align \
++		    tst-makecontext2 \
++		    tst-makecontext3 \
++		    tst-on_exit \
++		    tst-qsort \
++		    tst-qsort2 \
++		    tst-quick_exit \
++		    tst-rand48 \
++		    tst-rand48-2 \
++		    tst-random \
++		    tst-random2 \
++		    tst-realpath \
++		    tst-secure-getenv \
++		    tst-setcontext \
++		    tst-setcontext2 \
++		    tst-setcontext3 \
++		    tst-setcontext4 \
++		    tst-setcontext5 \
++		    tst-setcontext6 \
++		    tst-setcontext7 \
++		    tst-setcontext8 \
++		    tst-setcontext9 \
++		    tst-strfmon_l \
++		    tst-strfrom \
++		    tst-strfrom-locale \
++		    tst-strtod \
++		    tst-strtod-nan-locale \
++		    tst-strtod-nan-sign \
++		    tst-strtod-overflow \
++		    tst-strtod-round \
++		    tst-strtod-underflow \
++		    tst-strtod2 \
++		    tst-strtod5 \
++		    tst-strtod6 \
++		    tst-strtol \
++		    tst-strtol-locale \
++		    tst-strtoll \
++		    tst-swapcontext1 \
++		    tst-thread-quick_exit \
++		    tst-tininess \
++		    tst-unsetenv1 \
++		    tst-width \
++		    tst-width-stdint \
++		    tst-xpg-basename
+ 
+ tests-internal	:= tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
+ 		   tst-tls-atexit tst-tls-atexit-nodelete

glibc-upstream-2.34-84.patch

@@ -0,0 +1,173 @@
+commit 73c362840c4efde45125a6c27bf41726397f4038
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Thu Jan 13 18:50:55 2022 +0530
+
+    stdlib: Fix formatting of tests list in Makefile
+    
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    Reviewed-by: Florian Weimer <fweimer@redhat.com>
+    (cherry picked from commit f9dab1b5f23d0fb008a56c7c6c8919adb49d3611)
+
+diff --git a/stdlib/Makefile b/stdlib/Makefile
+index 6a1c3580bd1648ee..9bb5c221e8be3288 100644
+--- a/stdlib/Makefile
++++ b/stdlib/Makefile
+@@ -65,81 +65,83 @@ aux =	grouping groupingwc tens_in_limb
+ static-only-routines = atexit at_quick_exit
+ 
+ test-srcs	:= tst-fmtmsg
+-tests		:=  bug-fmtmsg1 \
+-		    bug-getcontext \
+-		    bug-strtod \
+-		    bug-strtod2 \
+-		    test-a64l \
+-		    test-at_quick_exit-race \
+-		    test-atexit-race \
+-		    test-bz22786 \
+-		    test-canon \
+-		    test-canon2 \
+-		    test-cxa_atexit-race \
+-		    test-cxa_atexit-race2 \
+-		    test-dlclose-exit-race \
+-		    test-on_exit-race \
+-		    testdiv \
+-		    testmb \
+-		    testmb2 \
+-		    testrand \
+-		    testsort \
+-		    tst-at_quick_exit \
+-		    tst-atexit \
+-		    tst-atof1 \
+-		    tst-atof2 \
+-		    tst-bsearch \
+-		    tst-bz20544 \
+-		    tst-canon-bz26341 \
+-		    tst-cxa_atexit \
+-		    tst-environ \
+-		    tst-getrandom \
+-		    tst-limits \
+-		    tst-makecontext \
+-		    tst-makecontext-align \
+-		    tst-makecontext2 \
+-		    tst-makecontext3 \
+-		    tst-on_exit \
+-		    tst-qsort \
+-		    tst-qsort2 \
+-		    tst-quick_exit \
+-		    tst-rand48 \
+-		    tst-rand48-2 \
+-		    tst-random \
+-		    tst-random2 \
+-		    tst-realpath \
+-		    tst-secure-getenv \
+-		    tst-setcontext \
+-		    tst-setcontext2 \
+-		    tst-setcontext3 \
+-		    tst-setcontext4 \
+-		    tst-setcontext5 \
+-		    tst-setcontext6 \
+-		    tst-setcontext7 \
+-		    tst-setcontext8 \
+-		    tst-setcontext9 \
+-		    tst-strfmon_l \
+-		    tst-strfrom \
+-		    tst-strfrom-locale \
+-		    tst-strtod \
+-		    tst-strtod-nan-locale \
+-		    tst-strtod-nan-sign \
+-		    tst-strtod-overflow \
+-		    tst-strtod-round \
+-		    tst-strtod-underflow \
+-		    tst-strtod2 \
+-		    tst-strtod5 \
+-		    tst-strtod6 \
+-		    tst-strtol \
+-		    tst-strtol-locale \
+-		    tst-strtoll \
+-		    tst-swapcontext1 \
+-		    tst-thread-quick_exit \
+-		    tst-tininess \
+-		    tst-unsetenv1 \
+-		    tst-width \
+-		    tst-width-stdint \
+-		    tst-xpg-basename
++tests := \
++  bug-fmtmsg1 \
++  bug-getcontext \
++  bug-strtod \
++  bug-strtod2 \
++  test-a64l \
++  test-at_quick_exit-race \
++  test-atexit-race \
++  test-bz22786 \
++  test-canon \
++  test-canon2 \
++  test-cxa_atexit-race \
++  test-cxa_atexit-race2 \
++  test-dlclose-exit-race \
++  test-on_exit-race \
++  testdiv \
++  testmb \
++  testmb2 \
++  testrand \
++  testsort \
++  tst-at_quick_exit \
++  tst-atexit \
++  tst-atof1 \
++  tst-atof2 \
++  tst-bsearch \
++  tst-bz20544 \
++  tst-canon-bz26341 \
++  tst-cxa_atexit \
++  tst-environ \
++  tst-getrandom \
++  tst-limits \
++  tst-makecontext \
++  tst-makecontext-align \
++  tst-makecontext2 \
++  tst-makecontext3 \
++  tst-on_exit \
++  tst-qsort \
++  tst-qsort2 \
++  tst-quick_exit \
++  tst-rand48 \
++  tst-rand48-2 \
++  tst-random \
++  tst-random2 \
++  tst-realpath \
++  tst-secure-getenv \
++  tst-setcontext \
++  tst-setcontext2 \
++  tst-setcontext3 \
++  tst-setcontext4 \
++  tst-setcontext5 \
++  tst-setcontext6 \
++  tst-setcontext7 \
++  tst-setcontext8 \
++  tst-setcontext9 \
++  tst-strfmon_l \
++  tst-strfrom \
++  tst-strfrom-locale \
++  tst-strtod \
++  tst-strtod-nan-locale \
++  tst-strtod-nan-sign \
++  tst-strtod-overflow \
++  tst-strtod-round \
++  tst-strtod-underflow \
++  tst-strtod2 \
++  tst-strtod5 \
++  tst-strtod6 \
++  tst-strtol \
++  tst-strtol-locale \
++  tst-strtoll \
++  tst-swapcontext1 \
++  tst-thread-quick_exit \
++  tst-tininess \
++  tst-unsetenv1 \
++  tst-width \
++  tst-width-stdint \
++  tst-xpg-basename \
++# tests
+ 
+ tests-internal	:= tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
+ 		   tst-tls-atexit tst-tls-atexit-nodelete

glibc-upstream-2.34-85.patch

@@ -0,0 +1,109 @@
+commit f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Thu Jan 13 11:28:36 2022 +0530
+
+    realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770]
+    
+    realpath returns an allocated string when the result exceeds PATH_MAX,
+    which is unexpected when its second argument is not NULL.  This results
+    in the second argument (resolved) being uninitialized and also results
+    in a memory leak since the caller expects resolved to be the same as the
+    returned value.
+    
+    Return NULL and set errno to ENAMETOOLONG if the result exceeds
+    PATH_MAX.  This fixes [BZ #28770], which is CVE-2021-3998.
+    
+    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit ee8d5e33adb284601c00c94687bc907e10aec9bb)
+
+diff --git a/stdlib/Makefile b/stdlib/Makefile
+index 9bb5c221e8be3288..a4ac30d1f6359561 100644
+--- a/stdlib/Makefile
++++ b/stdlib/Makefile
+@@ -109,6 +109,7 @@ tests := \
+   tst-random \
+   tst-random2 \
+   tst-realpath \
++  tst-realpath-toolong \
+   tst-secure-getenv \
+   tst-setcontext \
+   tst-setcontext2 \
+diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
+index 698f9ede25570ef2..7a23a51b3a395eb3 100644
+--- a/stdlib/canonicalize.c
++++ b/stdlib/canonicalize.c
+@@ -400,8 +400,16 @@ realpath_stk (const char *name, char *resolved,
+ 
+ error:
+   *dest++ = '\0';
+-  if (resolved != NULL && dest - rname <= get_path_max ())
+-    rname = strcpy (resolved, rname);
++  if (resolved != NULL)
++    {
++      if (dest - rname <= get_path_max ())
++	rname = strcpy (resolved, rname);
++      else
++	{
++	  failed = true;
++	  __set_errno (ENAMETOOLONG);
++	}
++    }
+ 
+ error_nomem:
+   scratch_buffer_free (&extra_buffer);
+diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c
+new file mode 100644
+index 0000000000000000..8bed772460b37571
+--- /dev/null
++++ b/stdlib/tst-realpath-toolong.c
+@@ -0,0 +1,49 @@
++/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds
++   NAME_MAX.
++   Copyright The GNU Toolchain Authors.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <limits.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <support/check.h>
++#include <support/temp_file.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++
++#define BASENAME "tst-realpath-toolong."
++
++int
++do_test (void)
++{
++  char *base = support_create_and_chdir_toolong_temp_directory (BASENAME);
++
++  char buf[PATH_MAX + 1];
++  const char *res = realpath (".", buf);
++
++  /* canonicalize.c states that if the real path is >= PATH_MAX, then
++     realpath returns NULL and sets ENAMETOOLONG.  */
++  TEST_VERIFY (res == NULL);
++  TEST_VERIFY (errno == ENAMETOOLONG);
++
++  free (base);
++  return 0;
++}
++
++#include <support/test-driver.c>

glibc-upstream-2.34-86.patch

@@ -0,0 +1,26 @@
+commit 8c8a71c85f2ed5cc90d08d82ce645513fc907cb6
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Mon Jan 24 10:57:09 2022 +0530
+
+    tst-realpath-toolong: Fix hurd build
+    
+    Define PATH_MAX to a constant if it isn't already defined, like in hurd.
+    
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit 976db046bc3a3738f69255ae00b0a09b8e77fd9c)
+
+diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c
+index 8bed772460b37571..4388890294374601 100644
+--- a/stdlib/tst-realpath-toolong.c
++++ b/stdlib/tst-realpath-toolong.c
+@@ -29,6 +29,10 @@
+ 
+ #define BASENAME "tst-realpath-toolong."
+ 
++#ifndef PATH_MAX
++# define PATH_MAX 1024
++#endif
++
+ int
+ do_test (void)
+ {

glibc-upstream-2.34-87.patch

@@ -0,0 +1,329 @@
+commit 472e799a5f2102bc0c3206dbd5a801765fceb39c
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Fri Jan 21 23:32:56 2022 +0530
+
+    getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
+    
+    No valid path returned by getcwd would fit into 1 byte, so reject the
+    size early and return NULL with errno set to ERANGE.  This change is
+    prompted by CVE-2021-3999, which describes a single byte buffer
+    underflow and overflow when all of the following conditions are met:
+    
+    - The buffer size (i.e. the second argument of getcwd) is 1 byte
+    - The current working directory is too long
+    - '/' is also mounted on the current working directory
+    
+    Sequence of events:
+    
+    - In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
+      because the linux kernel checks for name length before it checks
+      buffer size
+    
+    - The code falls back to the generic getcwd in sysdeps/posix
+    
+    - In the generic func, the buf[0] is set to '\0' on line 250
+    
+    - this while loop on line 262 is bypassed:
+    
+        while (!(thisdev == rootdev && thisino == rootino))
+    
+      since the rootfs (/) is bind mounted onto the directory and the flow
+      goes on to line 449, where it puts a '/' in the byte before the
+      buffer.
+    
+    - Finally on line 458, it moves 2 bytes (the underflowed byte and the
+      '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.
+    
+    - buf is returned on line 469 and errno is not set.
+    
+    This resolves BZ #28769.
+    
+    Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
+    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+    Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e)
+
+diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c
+index 13680026ffecbd51..b6984a382c3e1711 100644
+--- a/sysdeps/posix/getcwd.c
++++ b/sysdeps/posix/getcwd.c
+@@ -187,6 +187,13 @@ __getcwd_generic (char *buf, size_t size)
+   size_t allocated = size;
+   size_t used;
+ 
++  /* A size of 1 byte is never useful.  */
++  if (allocated == 1)
++    {
++      __set_errno (ERANGE);
++      return NULL;
++    }
++
+ #if HAVE_MINIMALLY_WORKING_GETCWD
+   /* If AT_FDCWD is not defined, the algorithm below is O(N**2) and
+      this is much slower than the system getcwd (at least on
+diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
+index d30d21898b402d1e..cdc01a3f023ec09a 100644
+--- a/sysdeps/unix/sysv/linux/Makefile
++++ b/sysdeps/unix/sysv/linux/Makefile
+@@ -342,7 +342,12 @@ sysdep_routines += xstatconv internal_statvfs \
+ 
+ sysdep_headers += bits/fcntl-linux.h
+ 
+-tests += tst-fallocate tst-fallocate64 tst-o_path-locks
++tests += \
++  tst-fallocate \
++  tst-fallocate64 \
++  tst-getcwd-smallbuff \
++  tst-o_path-locks \
++# tests
+ endif
+ 
+ ifeq ($(subdir),elf)
+diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+new file mode 100644
+index 0000000000000000..d460d6e7662dc5e4
+--- /dev/null
++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+@@ -0,0 +1,241 @@
++/* Verify that getcwd returns ERANGE for size 1 byte and does not underflow
++   buffer when the CWD is too long and is also a mount target of /.  See bug
++   #28769 or CVE-2021-3999 for more context.
++   Copyright The GNU Toolchain Authors.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <fcntl.h>
++#include <intprops.h>
++#include <limits.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/mount.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <support/check.h>
++#include <support/temp_file.h>
++#include <support/xsched.h>
++#include <support/xunistd.h>
++
++static char *base;
++#define BASENAME "tst-getcwd-smallbuff"
++#define MOUNT_NAME "mpoint"
++static int sockfd[2];
++
++static void
++do_cleanup (void)
++{
++  support_chdir_toolong_temp_directory (base);
++  TEST_VERIFY_EXIT (rmdir (MOUNT_NAME) == 0);
++  free (base);
++}
++
++static void
++send_fd (const int sock, const int fd)
++{
++  struct msghdr msg = {0};
++  union
++    {
++      struct cmsghdr hdr;
++      char buf[CMSG_SPACE (sizeof (int))];
++    } cmsgbuf = {0};
++  struct cmsghdr *cmsg;
++  struct iovec vec;
++  char ch = 'A';
++  ssize_t n;
++
++  msg.msg_control = &cmsgbuf.buf;
++  msg.msg_controllen = sizeof (cmsgbuf.buf);
++
++  cmsg = CMSG_FIRSTHDR (&msg);
++  cmsg->cmsg_len = CMSG_LEN (sizeof (int));
++  cmsg->cmsg_level = SOL_SOCKET;
++  cmsg->cmsg_type = SCM_RIGHTS;
++  memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
++
++  vec.iov_base = &ch;
++  vec.iov_len = 1;
++  msg.msg_iov = &vec;
++  msg.msg_iovlen = 1;
++
++  while ((n = sendmsg (sock, &msg, 0)) == -1 && errno == EINTR);
++
++  TEST_VERIFY_EXIT (n == 1);
++}
++
++static int
++recv_fd (const int sock)
++{
++  struct msghdr msg = {0};
++  union
++    {
++      struct cmsghdr hdr;
++      char buf[CMSG_SPACE(sizeof(int))];
++    } cmsgbuf = {0};
++  struct cmsghdr *cmsg;
++  struct iovec vec;
++  ssize_t n;
++  char ch = '\0';
++  int fd = -1;
++
++  vec.iov_base = &ch;
++  vec.iov_len = 1;
++  msg.msg_iov = &vec;
++  msg.msg_iovlen = 1;
++
++  msg.msg_control = &cmsgbuf.buf;
++  msg.msg_controllen = sizeof (cmsgbuf.buf);
++
++  while ((n = recvmsg (sock, &msg, 0)) == -1 && errno == EINTR);
++  if (n != 1 || ch != 'A')
++    return -1;
++
++  cmsg = CMSG_FIRSTHDR (&msg);
++  if (cmsg == NULL)
++    return -1;
++  if (cmsg->cmsg_type != SCM_RIGHTS)
++    return -1;
++  memcpy (&fd, CMSG_DATA (cmsg), sizeof (fd));
++  if (fd < 0)
++    return -1;
++  return fd;
++}
++
++static int
++child_func (void * const arg)
++{
++  xclose (sockfd[0]);
++  const int sock = sockfd[1];
++  char ch;
++
++  TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1);
++  TEST_VERIFY_EXIT (ch == '1');
++
++  if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL))
++    FAIL_EXIT1 ("mount failed: %m\n");
++  const int fd = xopen ("mpoint",
++			O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0);
++
++  send_fd (sock, fd);
++  xclose (fd);
++
++  TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1);
++  TEST_VERIFY_EXIT (ch == 'a');
++
++  xclose (sock);
++  return 0;
++}
++
++static void
++update_map (char * const mapping, const char * const map_file)
++{
++  const size_t map_len = strlen (mapping);
++
++  const int fd = xopen (map_file, O_WRONLY, 0);
++  xwrite (fd, mapping, map_len);
++  xclose (fd);
++}
++
++static void
++proc_setgroups_write (const long child_pid, const char * const str)
++{
++  const size_t str_len = strlen(str);
++
++  char setgroups_path[sizeof ("/proc//setgroups") + INT_STRLEN_BOUND (long)];
++
++  snprintf (setgroups_path, sizeof (setgroups_path),
++	    "/proc/%ld/setgroups", child_pid);
++
++  const int fd = open (setgroups_path, O_WRONLY);
++
++  if (fd < 0)
++    {
++      TEST_VERIFY_EXIT (errno == ENOENT);
++      FAIL_UNSUPPORTED ("/proc/%ld/setgroups not found\n", child_pid);
++    }
++
++  xwrite (fd, str, str_len);
++  xclose(fd);
++}
++
++static char child_stack[1024 * 1024];
++
++int
++do_test (void)
++{
++  base = support_create_and_chdir_toolong_temp_directory (BASENAME);
++
++  xmkdir (MOUNT_NAME, S_IRWXU);
++  atexit (do_cleanup);
++
++  TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0);
++  pid_t child_pid = xclone (child_func, NULL, child_stack,
++			    sizeof (child_stack),
++			    CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD);
++
++  xclose (sockfd[1]);
++  const int sock = sockfd[0];
++
++  char map_path[sizeof ("/proc//uid_map") + INT_STRLEN_BOUND (long)];
++  char map_buf[sizeof ("0  1") + INT_STRLEN_BOUND (long)];
++
++  snprintf (map_path, sizeof (map_path), "/proc/%ld/uid_map",
++	    (long) child_pid);
++  snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getuid());
++  update_map (map_buf, map_path);
++
++  proc_setgroups_write ((long) child_pid, "deny");
++  snprintf (map_path, sizeof (map_path), "/proc/%ld/gid_map",
++	    (long) child_pid);
++  snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getgid());
++  update_map (map_buf, map_path);
++
++  TEST_VERIFY_EXIT (send (sock, "1", 1, MSG_NOSIGNAL) == 1);
++  const int fd = recv_fd (sock);
++  TEST_VERIFY_EXIT (fd >= 0);
++  TEST_VERIFY_EXIT (fchdir (fd) == 0);
++
++  static char buf[2 * 10 + 1];
++  memset (buf, 'A', sizeof (buf));
++
++  /* Finally, call getcwd and check if it resulted in a buffer underflow.  */
++  char * cwd = getcwd (buf + sizeof (buf) / 2, 1);
++  TEST_VERIFY (cwd == NULL);
++  TEST_VERIFY (errno == ERANGE);
++
++  for (int i = 0; i < sizeof (buf); i++)
++    if (buf[i] != 'A')
++      {
++	printf ("buf[%d] = %02x\n", i, (unsigned int) buf[i]);
++	support_record_failure ();
++      }
++
++  TEST_VERIFY_EXIT (send (sock, "a", 1, MSG_NOSIGNAL) == 1);
++  xclose (sock);
++  TEST_VERIFY_EXIT (xwaitpid (child_pid, NULL, 0) == child_pid);
++
++  return 0;
++}
++
++#define CLEANUP_HANDLER do_cleanup
++#include <support/test-driver.c>

glibc-upstream-2.34-88.patch

@@ -0,0 +1,28 @@
+commit d084965adc7baa8ea804427cccf973cea556d697
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Mon Jan 24 21:36:41 2022 +0530
+
+    realpath: Avoid overwriting preexisting error (CVE-2021-3998)
+    
+    Set errno and failure for paths that are too long only if no other error
+    occurred earlier.
+    
+    Related: BZ #28770
+    
+    Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit 84d2d0fe20bdf94feed82b21b4d7d136db471f03)
+
+diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
+index 7a23a51b3a395eb3..e2d4244fc7b8fa25 100644
+--- a/stdlib/canonicalize.c
++++ b/stdlib/canonicalize.c
+@@ -404,7 +404,7 @@ error:
+     {
+       if (dest - rname <= get_path_max ())
+ 	rname = strcpy (resolved, rname);
+-      else
++      else if (!failed)
+ 	{
+ 	  failed = true;
+ 	  __set_errno (ENAMETOOLONG);

glibc-upstream-2.34-89.patch

@@ -0,0 +1,47 @@
+commit 3438bbca90895d32825a52e31a77dc44d273c1c1
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Mon Jan 24 18:14:24 2022 +0100
+
+    Linux: Detect user namespace support in io/tst-getcwd-smallbuff
+    
+    Otherwise the test fails with certain container runtimes.
+    
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit 5b8e7980c5dabd9aaefeba4f0208baa8cf7653ee)
+
+diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+index d460d6e7662dc5e4..55362f6060a2b3be 100644
+--- a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
+@@ -34,6 +34,7 @@
+ #include <sys/un.h>
+ #include <support/check.h>
+ #include <support/temp_file.h>
++#include <support/test-driver.h>
+ #include <support/xsched.h>
+ #include <support/xunistd.h>
+ 
+@@ -188,6 +189,23 @@ do_test (void)
+   xmkdir (MOUNT_NAME, S_IRWXU);
+   atexit (do_cleanup);
+ 
++  /* Check whether user namespaces are supported.  */
++  {
++    pid_t pid = xfork ();
++    if (pid == 0)
++      {
++	if (unshare (CLONE_NEWUSER | CLONE_NEWNS) != 0)
++	  _exit (EXIT_UNSUPPORTED);
++	else
++	  _exit (0);
++      }
++    int status;
++    xwaitpid (pid, &status, 0);
++    TEST_VERIFY_EXIT (WIFEXITED (status));
++    if (WEXITSTATUS (status) != 0)
++      return WEXITSTATUS (status);
++  }
++
+   TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0);
+   pid_t child_pid = xclone (child_func, NULL, child_stack,
+ 			    sizeof (child_stack),

glibc.spec

@@ -148,7 +148,7 @@ end \
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 20%{?dist}
+Release: 21%{?dist}
 
 # In general, GPLv2+ is used by programs, LGPLv2+ is used for
 # libraries.
@@ -338,6 +338,22 @@ Patch138: glibc-rh2040657-9.patch
 Patch139: glibc-rh2040657-10.patch
 Patch140: glibc-rh2040657-11.patch
 Patch141: glibc-rh2040657-12.patch
+Patch142: glibc-upstream-2.34-74.patch
+Patch143: glibc-upstream-2.34-75.patch
+Patch144: glibc-upstream-2.34-76.patch
+Patch145: glibc-upstream-2.34-77.patch
+Patch146: glibc-upstream-2.34-78.patch
+Patch147: glibc-upstream-2.34-79.patch
+Patch148: glibc-upstream-2.34-80.patch
+Patch149: glibc-upstream-2.34-81.patch
+Patch150: glibc-upstream-2.34-82.patch
+Patch151: glibc-upstream-2.34-83.patch
+Patch152: glibc-upstream-2.34-84.patch
+Patch153: glibc-upstream-2.34-85.patch
+Patch154: glibc-upstream-2.34-86.patch
+Patch155: glibc-upstream-2.34-87.patch
+Patch156: glibc-upstream-2.34-88.patch
+Patch157: glibc-upstream-2.34-89.patch
 
 ##############################################################################
 # Continued list of core "glibc" package information:
@@ -2381,6 +2397,26 @@ fi
 %files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
 
 %changelog
+* Mon Jan 24 2022 Florian Weimer <fweimer@redhat.com> - 2.34-21
+- Sync with upstream branch release/2.34/master,
+  commit 3438bbca90895d32825a52e31a77dc44d273c1c1:
+- Linux: Detect user namespace support in io/tst-getcwd-smallbuff
+- realpath: Avoid overwriting preexisting error
+- CVE-2021-3999: getcwd: Set errno to ERANGE for size == 1
+- tst-realpath-toolong: Fix hurd build
+- CVE-2021-3998: realpath: ENAMETOOLONG for result larger than PATH_MAX
+- stdlib: Fix formatting of tests list in Makefile
+- stdlib: Sort tests in Makefile
+- support: Add helpers to create paths longer than PATH_MAX
+- powerpc: Fix unrecognized instruction errors with recent binutils
+- x86: use default cache size if it cannot be determined [BZ #28784]
+- CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)
+- sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
+- CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
+- socket: Add the __sockaddr_un_set function
+- Disable debuginfod in printer tests [BZ #28757]
+- Update syscall lists for Linux 5.16
+
 * Wed Jan 19 2022 Florian Weimer <fweimer@redhat.com> - 2.34-20
 - More reliable CPU compatibility diagnostics (#2040657)