Fix gconv module reference counter overflow in swscanf and swprintf families

Resolves: RHEL-145156
2026-06-04 11:49:13 +02:00 · 2026-06-04 11:49:13 +02:00 · beeb5b354b
commit beeb5b354b
parent 381936891b
5 changed files with 643 additions and 0 deletions
--- a/glibc-RHEL-145156-1.patch
+++ b/glibc-RHEL-145156-1.patch
@ -0,0 +1,206 @@
+commit 0981c03c2752b5f12ede24e6e696d5a29f7c6396
+Author: Frédéric Bérat <fberat@redhat.com>
+Date:   Wed Apr 29 15:53:51 2026 +0200
+
+    libio: Fix gconv module reference counter overflow in swscanf
+
+    The swscanf family of functions creates a wide-oriented FILE stream
+    on the stack. Initialization of this stream invokes `_IO_fwide`, which
+    clones the global locale's gconv transformation steps via
+    `__wcsmbs_clone_conv`. This increments the reference counter (`__counter`)
+    of the gconv module.
+
+    Because the FILE stream is stack-allocated, `fclose` cannot be called,
+    and so `__gconv_release_step` is never invoked. The counter leaks,
+    eventually hitting the 32-bit integer overflow limit and aborting the
+    process.
+
+    To resolve this, we introduce `_IO_wstrfile_fclose_stack`, a dedicated
+    cleanup function for stack-allocated FILE streams. This function invokes
+    `_IO_FINISH` and correctly releases the gconv steps via
+    `__gconv_release_step` without attempting to `free` the FILE pointer.
+    This cleanup function is then hooked into all variants of swscanf right
+    before they return.
+
+    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+Conflicts:
+	sysdeps/ieee754/ldbl-opt/nldbl-compat.c
+	  (isoc23 variants not present downstream)
+	sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc23_swscanf.c
+	  (not present downstream)
+	sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc23_vswscanf.c
+	  (not present downstream)
+	wcsmbs/isoc23_swscanf.c
+	  (not present downstream)
+	wcsmbs/isoc23_vswscanf.c
+	  (not present downstream)
+
+diff --git a/libio/iofwide.c b/libio/iofwide.c
+index a7f29fa0b9693cc3..972f154365e88bb3 100644
+--- a/libio/iofwide.c
+++ b/libio/iofwide.c
+@@ -257,3 +257,18 @@ __libio_codecvt_length (struct _IO_codecvt *codecvt, __mbstate_t *statep,
+ 
+   return result;
+ }
+
+void
+_IO_wstrfile_fclose_stack (FILE *fp)
+{
+  _IO_FINISH (fp);
+  if (fp->_mode > 0)
+    {
+      struct _IO_codecvt *cc = fp->_codecvt;
+
+      __libc_lock_lock (__gconv_lock);
+      __gconv_release_step (cc->__cd_in.step);
+      __gconv_release_step (cc->__cd_out.step);
+      __libc_lock_unlock (__gconv_lock);
+    }
+}
+diff --git a/libio/iovswscanf.c b/libio/iovswscanf.c
+index 35bddc0daeca917f..284c61615ebddd47 100644
+--- a/libio/iovswscanf.c
+++ b/libio/iovswscanf.c
+@@ -38,6 +38,8 @@ __vswscanf (const wchar_t *string, const wchar_t *format, va_list args)
+   _IO_strfile sf;
+   struct _IO_wide_data wd;
+   FILE *f = _IO_strfile_readw (&sf, &wd, string);
+-  return __vfwscanf_internal (f, format, args, 0);
+  int done = __vfwscanf_internal (f, format, args, 0);
+  _IO_wstrfile_fclose_stack (f);
+  return done;
+ }
+ ldbl_weak_alias (__vswscanf, vswscanf)
+diff --git a/libio/libioP.h b/libio/libioP.h
+index 50570f89de5a7010..76fd7853dc087bf9 100644
+--- a/libio/libioP.h
+++ b/libio/libioP.h
+@@ -594,6 +594,7 @@ extern FILE* _IO_new_file_fopen (FILE *, const char *, const char *,
+ 				     int);
+ extern void _IO_no_init (FILE *, int, int, struct _IO_wide_data *,
+ 			 const struct _IO_jump_t *) __THROW;
+extern void _IO_wstrfile_fclose_stack (FILE *) attribute_hidden;
+ extern void _IO_new_file_init_internal (struct _IO_FILE_plus *)
+   __THROW attribute_hidden;
+ extern FILE* _IO_new_file_setbuf (FILE *, char *, ssize_t);
+diff --git a/libio/swscanf.c b/libio/swscanf.c
+index 88a19144342cdc38..cb3795599c6f70c6 100644
+--- a/libio/swscanf.c
+++ b/libio/swscanf.c
+@@ -37,7 +37,7 @@ __swscanf (const wchar_t *s, const wchar_t *format, ...)
+   va_start (arg, format);
+   done = __vfwscanf_internal (f, format, arg, 0);
+   va_end (arg);
+-
+  _IO_wstrfile_fclose_stack (f);
+   return done;
+ }
+ ldbl_strong_alias (__swscanf, swscanf)
+diff --git a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_swscanf.c b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_swscanf.c
+index ef8c1317dcd7f5e5..96bf2ac3559186e7 100644
+--- a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_swscanf.c
+++ b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_swscanf.c
+@@ -34,7 +34,7 @@ ___ieee128_isoc99_swscanf (const wchar_t *string, const wchar_t *format, ...)
+   va_start (ap, format);
+   done = __vfwscanf_internal (fp, format, ap, mode_flags);
+   va_end (ap);
+-
+  _IO_wstrfile_fclose_stack (fp);
+   return done;
+ }
+ strong_alias (___ieee128_isoc99_swscanf, __isoc99_swscanfieee128)
+diff --git a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_vswscanf.c b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_vswscanf.c
+index f77bb64638a4717f..8fa10ee2e22e238f 100644
+--- a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_vswscanf.c
+++ b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_vswscanf.c
+@@ -27,6 +27,8 @@ ___ieee128_isoc99_vswscanf (wchar_t *string, const wchar_t *format, va_list ap)
+   struct _IO_wide_data wd;
+   FILE *fp = _IO_strfile_readw (&sf, &wd, string);
+   int mode_flags = SCANF_ISOC99_A | SCANF_LDBL_USES_FLOAT128;
+-  return __vfwscanf_internal (fp, format, ap, mode_flags);
+  int done = __vfwscanf_internal (fp, format, ap, mode_flags);
+  _IO_wstrfile_fclose_stack (fp);
+  return done;
+ }
+ strong_alias (___ieee128_isoc99_vswscanf, __isoc99_vswscanfieee128)
+diff --git a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-swscanf.c b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-swscanf.c
+index 04ee5419200298b1..509eaa663d0a9a33 100644
+--- a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-swscanf.c
+++ b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-swscanf.c
+@@ -34,7 +34,7 @@ ___ieee128_swscanf (const wchar_t *string, const wchar_t *format, ...)
+   done = __vfwscanf_internal (fp, format, ap,
+ 			      SCANF_LDBL_USES_FLOAT128);
+   va_end (ap);
+-
+  _IO_wstrfile_fclose_stack (fp);
+   return done;
+ }
+ strong_alias (___ieee128_swscanf, __swscanfieee128)
+diff --git a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-vswscanf.c b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-vswscanf.c
+index 7aebc5f1c12939b6..18aa6deaacdde682 100644
+--- a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-vswscanf.c
+++ b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-vswscanf.c
+@@ -27,6 +27,8 @@ ___ieee128_vswscanf (const wchar_t *string, const wchar_t *format,
+   _IO_strfile sf;
+   struct _IO_wide_data wd;
+   FILE *fp = _IO_strfile_readw (&sf, &wd, string);
+-  return __vfwscanf_internal (fp, format, ap, SCANF_LDBL_USES_FLOAT128);
+  int done = __vfwscanf_internal (fp, format, ap, SCANF_LDBL_USES_FLOAT128);
+  _IO_wstrfile_fclose_stack (fp);
+  return done;
+ }
+ strong_alias (___ieee128_vswscanf, __vswscanfieee128)
+diff --git a/sysdeps/ieee754/ldbl-opt/nldbl-compat.c b/sysdeps/ieee754/ldbl-opt/nldbl-compat.c
+index a6c5c49ecb151bf5..81d53a4cf30acb89 100644
+--- a/sysdeps/ieee754/ldbl-opt/nldbl-compat.c
+++ b/sysdeps/ieee754/ldbl-opt/nldbl-compat.c
+@@ -388,7 +388,9 @@ __nldbl_vswscanf (const wchar_t *s, const wchar_t *fmt, va_list ap)
+   struct _IO_wide_data wd;
+   FILE *f = _IO_strfile_readw (&sf, &wd, s);
+ 
+-  return __vfwscanf_internal (f, fmt, ap, SCANF_LDBL_IS_DBL);
+  int ret = __vfwscanf_internal (f, fmt, ap, SCANF_LDBL_IS_DBL);
+  _IO_wstrfile_fclose_stack (f);
+  return ret;
+ }
+ libc_hidden_def (__nldbl_vswscanf)
+ 
+@@ -952,7 +954,9 @@ __nldbl___isoc99_vswscanf (const wchar_t *s, const wchar_t *fmt, va_list ap)
+   struct _IO_wide_data wd;
+   FILE *f = _IO_strfile_readw (&sf, &wd, s);
+ 
+-  return __vfwscanf_internal (f, fmt, ap, SCANF_LDBL_IS_DBL | SCANF_ISOC99_A);
+  int ret = __vfwscanf_internal (f, fmt, ap, SCANF_LDBL_IS_DBL | SCANF_ISOC99_A);
+  _IO_wstrfile_fclose_stack (f);
+  return ret;
+ }
+ libc_hidden_def (__nldbl___isoc99_vswscanf)
+ 
+diff --git a/wcsmbs/isoc99_swscanf.c b/wcsmbs/isoc99_swscanf.c
+index bb6d8f2035d8e4a4..3fda1f7be695b31e 100644
+--- a/wcsmbs/isoc99_swscanf.c
+++ b/wcsmbs/isoc99_swscanf.c
+@@ -32,6 +32,6 @@ __isoc99_swscanf (const wchar_t *s, const wchar_t *format, ...)
+   va_start (arg, format);
+   done = __vfwscanf_internal (f, format, arg, SCANF_ISOC99_A);
+   va_end (arg);
+-
+  _IO_wstrfile_fclose_stack (f);
+   return done;
+ }
+diff --git a/wcsmbs/isoc99_vswscanf.c b/wcsmbs/isoc99_vswscanf.c
+index 3cd0a28c21ffa36f..1df90438416d3bb7 100644
+--- a/wcsmbs/isoc99_vswscanf.c
+++ b/wcsmbs/isoc99_vswscanf.c
+@@ -33,6 +33,8 @@ __isoc99_vswscanf (const wchar_t *string, const wchar_t *format, va_list args)
+   _IO_strfile sf;
+   struct _IO_wide_data wd;
+   FILE *f = _IO_strfile_readw (&sf, &wd, string);
+-  return __vfwscanf_internal (f, format, args, SCANF_ISOC99_A);
+  int done = __vfwscanf_internal (f, format, args, SCANF_ISOC99_A);
+  _IO_wstrfile_fclose_stack (f);
+  return done;
+ }
+ libc_hidden_def (__isoc99_vswscanf)
--- a/glibc-RHEL-145156-2.patch
+++ b/glibc-RHEL-145156-2.patch
@ -0,0 +1,57 @@
+libio: Fix gconv module reference counter overflow in vswprintf
+
+The vswprintf family of functions (swprintf, vswprintf and their
+fortified/ldbl-compat wrappers) creates a wide-oriented FILE stream
+on the stack via _IO_no_init with _IO_wstrn_jumps, then calls
+_IO_fwide which clones the gconv transformation steps via
+__wcsmbs_clone_conv, incrementing the __counter reference counter.
+
+Because the FILE is stack-allocated, fclose is never called, and the
+counter is never decremented. In a long-running process calling
+swprintf repeatedly with a non-builtin locale (e.g. en_US.UTF-8),
+the counter eventually overflows, triggering a fatal abort.
+
+This is the same class of bug fixed upstream for swscanf in commit
+0981c03c2752b5f12ede24e6e696d5a29f7c6396. Upstream resolved the
+swprintf path architecturally by reworking the printf subsystem to
+use struct __wprintf_buffer instead of FILE * (commit 118816de3383),
+eliminating the _IO_fwide call entirely. That rework is too large
+to backport to glibc 2.34.
+
+Instead, apply the same pattern as the swscanf fix: call
+_IO_wstrfile_fclose_stack after __vfwprintf_internal returns to
+release the gconv steps before the stack FILE goes out of scope.
+All ldbl-compat wrappers (ieee128, nldbl) call __vswprintf_internal,
+so they are covered by this single change.
+
+Note: _IO_wstrfile_fclose_stack calls _IO_FINISH which invokes
+_IO_wstr_finish, and that NULLs out _IO_buf_base. Therefore the
+cleanup must happen after the overflow check (which compares
+_IO_buf_base against overflow_buf) and after string termination
+(which dereferences _IO_write_ptr).
+
+diff --git a/libio/vswprintf.c b/libio/vswprintf.c
+index b7036f1480733ac6..accbb8516f860680 100644
+--- a/libio/vswprintf.c
+++ b/libio/vswprintf.c
+@@ -111,13 +111,17 @@ __vswprintf_internal (wchar_t *string, size_t maxlen, const wchar_t *format,
+   ret = __vfwprintf_internal ((FILE *) &sf.f._sbf, format, args, mode_flags);
+ 
+   if (sf.f._sbf._f._wide_data->_IO_buf_base == sf.overflow_buf)
+-    /* ISO C99 requires swprintf/vswprintf to return an error if the
+-       output does not fit in the provided buffer.  */
+-    return -1;
+    {
+      /* ISO C99 requires swprintf/vswprintf to return an error if the
+	 output does not fit in the provided buffer.  */
+      _IO_wstrfile_fclose_stack ((FILE *) &sf.f._sbf);
+      return -1;
+    }
+ 
+   /* Terminate the string.  */
+   *sf.f._sbf._f._wide_data->_IO_write_ptr = '\0';
+ 
+  _IO_wstrfile_fclose_stack ((FILE *) &sf.f._sbf);
+   return ret;
+ }
+ 
--- a/glibc-RHEL-145156-3.patch
+++ b/glibc-RHEL-145156-3.patch
@ -0,0 +1,123 @@
+commit 1cc165baed20b6589ef2f2c8c0e0415139bbb151
+Author: Frédéric Bérat <fberat@redhat.com>
+Date:   Wed Apr 29 13:26:38 2026 +0200
+
+    test: Add gconv refcount leak test for swscanf
+
+    Add a new internal test, `tst-wcsmbs-clone-overflow`, to verify correct
+    gconv module reference counting. The Makefile is updated to include this
+    test in the `tests-internal` list and ensure it runs with generated locales.
+
+    This test specifically checks that the `__counter` for `gconv_fcts->towc`
+    does not leak references when `swscanf` is used with a stack-allocated
+    wide character stream. It ensures that `_IO_wstrfile_fclose_stack`
+    properly decrements the module reference counter, preventing a module
+    from staying loaded indefinitely due to unreleased references.
+
+    Assisted-by: LLM
+    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+Conflicts:
+	wcsmbs/Makefile
+	  (test-c8rtomb, test-mbrtoc8, tst-wscanf-to_inpunct not present
+	  downstream)
+	wcsmbs/tst-wcsmbs-clone-overflow.c
+	  (struct lc_ctype_data not present downstream; use
+	  loc->private.ctype directly instead)
+
+diff --git a/wcsmbs/Makefile b/wcsmbs/Makefile
+index 0e5fe909a83c7a13..f74b06d9749eaa02 100644
+--- a/wcsmbs/Makefile
+++ b/wcsmbs/Makefile
+@@ -59,6 +59,12 @@ tests := tst-wcstof wcsmbs-tst1 tst-wcsnlen tst-btowc tst-mbrtowc \
+ # This test runs for a long time.
+ xtests += test-wcsncmp-nonarray
+ 
+tests-internal += \
+  tst-wcsmbs-clone-overflow
+
+tests-static += \
+  tst-wcsmbs-clone-overflow
+
+ 
+ include ../Rules
+ 
+@@ -77,6 +83,7 @@ $(objpfx)tst-wcstol-locale.out: $(gen-locales)
+ $(objpfx)tst-wcstod-nan-locale.out: $(gen-locales)
+ $(objpfx)tst-c16-surrogate.out: $(gen-locales)
+ $(objpfx)tst-c32-state.out: $(gen-locales)
+$(objpfx)tst-wcsmbs-clone-overflow.out: $(gen-locales)
+ endif
+ 
+ $(objpfx)tst-wcstod-round: $(libm)
+diff --git a/wcsmbs/tst-wcsmbs-clone-overflow.c b/wcsmbs/tst-wcsmbs-clone-overflow.c
+new file mode 100644
+index 0000000000000000..412e1c54085c68d5
+--- /dev/null
+++ b/wcsmbs/tst-wcsmbs-clone-overflow.c
+@@ -0,0 +1,65 @@
+/* Test for gconv module reference counter leak.
+   Copyright (C) 2026 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <locale.h>
+#include <stdio.h>
+#include <wchar.h>
+#include <support/check.h>
+#include <support/support.h>
+
+/* Internal headers for accessing the gconv structures.  */
+#include <locale/localeinfo.h>
+#include <iconv/gconv_int.h>
+#include <wcsmbs/wcsmbsload.h>
+
+static int
+do_test (void)
+{
+  if (setlocale (LC_ALL, "de_DE.ISO-8859-1") == NULL)
+    FAIL_EXIT1 ("setlocale failed, check if de_DE.ISO-8859-1 is generated");
+
+  wchar_t buf[32] = L"123";
+  int j;
+
+  /* First iteration initializes the gconv functions internally.  */
+  if (swscanf (buf, L"%d", &j) < 1)
+    FAIL_EXIT1 ("swscanf failed");
+
+  /* Retrieve the current gconv_fcts from the LC_CTYPE locale data.  */
+  struct __locale_data *loc = _NL_CURRENT_DATA (LC_CTYPE);
+  const struct gconv_fcts *fcts = loc->private.ctype;
+
+  TEST_VERIFY_EXIT (fcts != NULL);
+  TEST_VERIFY_EXIT (fcts->towc != NULL);
+
+  /* Capture the reference counter.  */
+  int initial_counter = fcts->towc->__counter;
+
+  /* Perform a second iteration of swscanf. If the stack-allocated FILE
+     leaks the gconv reference, the counter will increment.  */
+  if (swscanf (buf, L"%d", &j) < 1)
+    FAIL_EXIT1 ("swscanf failed");
+
+  /* The counter should be unchanged, as _IO_wstrfile_fclose_stack should
+     have decremented it correctly.  */
+  TEST_COMPARE (fcts->towc->__counter, initial_counter);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
--- a/glibc-RHEL-145156-4.patch
+++ b/glibc-RHEL-145156-4.patch
@ -0,0 +1,146 @@
+commit 9ef37798fa7dc2b10926742e3f3bd304a17a9ad1
+Author: Frédéric Bérat <fberat@redhat.com>
+Date:   Tue May 26 13:29:57 2026 +0200
+
+    test: Fix and stabilize tst-wcsmbs-clone-overflow test
+
+    The test tst-wcsmbs-clone-overflow was initially added to tests-static.
+    However, this causes the test to be unstable because gconv modules
+    dynamically load libc.so. Any discrepancy between the statically linked
+    version and the dynamically loaded one can lead to a crash.
+
+    By removing the test from tests-static, it relies on dynamic linking,
+    safely bypassing the dlopen crash. Since the test is now dynamically
+    linked, it cannot use the internal thread-local symbol
+    _NL_CURRENT_DATA(LC_CTYPE) because _nl_current_LC_CTYPE is hidden in
+    libc.so, leading to undefined references. Thus, the test now uses
+    newlocale and uselocale, safely extracting the locale data from the
+    returned locale_t object.
+
+    Furthermore, using newlocale requires the gconv-modules configuration to
+    be built and available so that the ISO8859-1.so module can be
+    dynamically loaded. Otherwise, glibc falls back to the built-in C locale
+    conversions, leaving __shlib_handle as NULL and silently bypassing the
+    reference counter increment.
+    A new Makefile fragment, gen-gconv-modules.mk, is introduced to ensure
+    the gconv-modules are built before the test runs, and an explicit check
+    for __shlib_handle != NULL is added to the test.
+
+    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+Conflicts:
+	wcsmbs/Makefile
+	  (test-c8rtomb, test-mbrtoc8, tst-wscanf-to_inpunct not present
+	  downstream)
+	wcsmbs/tst-wcsmbs-clone-overflow.c
+	  (struct lc_ctype_data not present downstream; use
+	  loc->private.ctype directly instead)
+
+diff --git a/gen-gconv-modules.mk b/gen-gconv-modules.mk
+new file mode 100644
+index 0000000000000000..046721a7a7bf460c
+--- /dev/null
+++ b/gen-gconv-modules.mk
+@@ -0,0 +1,6 @@
+# defines target $(gen-gconv-modules) that ensures gconv-modules are available
+
+gen-gconv-modules := $(common-objpfx)iconvdata/gconv-modules
+
+$(gen-gconv-modules):
+	$(MAKE) -C ../iconvdata subdir=iconvdata $@
+diff --git a/localedata/Makefile b/localedata/Makefile
+index 56de42e9262decd3..0cc02c430d96d804 100644
+--- a/localedata/Makefile
+++ b/localedata/Makefile
+@@ -204,7 +204,7 @@ install-others := $(addprefix $(inst_i18ndir)/, \
+ 			      $(locales))
+ endif
+ 
+-tests: $(objdir)/iconvdata/gconv-modules
+tests: $(gen-gconv-modules)
+ 
+ tests-static += tst-langinfo-newlocale-static tst-langinfo-setlocale-static
+ 
+@@ -315,6 +315,7 @@ LOCALES := \
+ 	$(NULL)
+ 
+ include ../gen-locales.mk
+include ../gen-gconv-modules.mk
+ 
+ $(objpfx)tst-iconv-math-trans.out: $(gen-locales)
+ endif
+@@ -486,6 +487,3 @@ $(objpfx)mtrace-tst-leaks.out: $(objpfx)tst-leaks.out
+ 
+ bug-setlocale1-ENV-only = LOCPATH=$(objpfx) LC_CTYPE=de_DE.UTF-8
+ bug-setlocale1-static-ENV-only = $(bug-setlocale1-ENV-only)
+-
+-$(objdir)/iconvdata/gconv-modules:
+-	$(MAKE) -C ../iconvdata subdir=iconvdata $@
+diff --git a/wcsmbs/Makefile b/wcsmbs/Makefile
+index f74b06d9749eaa02..bb03d92576700a99 100644
+--- a/wcsmbs/Makefile
+++ b/wcsmbs/Makefile
+@@ -62,16 +62,13 @@ xtests += test-wcsncmp-nonarray
+ tests-internal += \
+   tst-wcsmbs-clone-overflow
+ 
+-tests-static += \
+-  tst-wcsmbs-clone-overflow
+-
+-
+ include ../Rules
+ 
+ ifeq ($(run-built-tests),yes)
+ LOCALES := de_DE.ISO-8859-1 de_DE.UTF-8 en_US.ANSI_X3.4-1968 hr_HR.ISO-8859-2 \
+ 	   ja_JP.EUC-JP zh_TW.EUC-TW tr_TR.UTF-8 tr_TR.ISO-8859-9
+ include ../gen-locales.mk
+include ../gen-gconv-modules.mk
+ 
+ $(objpfx)tst-btowc.out: $(gen-locales)
+ $(objpfx)tst-c16c32-1.out: $(gen-locales)
+@@ -83,7 +80,7 @@ $(objpfx)tst-wcstol-locale.out: $(gen-locales)
+ $(objpfx)tst-wcstod-nan-locale.out: $(gen-locales)
+ $(objpfx)tst-c16-surrogate.out: $(gen-locales)
+ $(objpfx)tst-c32-state.out: $(gen-locales)
+-$(objpfx)tst-wcsmbs-clone-overflow.out: $(gen-locales)
+$(objpfx)tst-wcsmbs-clone-overflow.out: $(gen-locales) $(gen-gconv-modules)
+ endif
+ 
+ $(objpfx)tst-wcstod-round: $(libm)
+diff --git a/wcsmbs/tst-wcsmbs-clone-overflow.c b/wcsmbs/tst-wcsmbs-clone-overflow.c
+index 412e1c54085c68d5..6d8b643f48aa7775 100644
+--- a/wcsmbs/tst-wcsmbs-clone-overflow.c
+++ b/wcsmbs/tst-wcsmbs-clone-overflow.c
+@@ -30,8 +30,11 @@
+ static int
+ do_test (void)
+ {
+-  if (setlocale (LC_ALL, "de_DE.ISO-8859-1") == NULL)
+-    FAIL_EXIT1 ("setlocale failed, check if de_DE.ISO-8859-1 is generated");
+  locale_t loc_obj = newlocale (LC_ALL_MASK, "de_DE.ISO-8859-1", NULL);
+  if (loc_obj == NULL)
+    FAIL_EXIT1 ("newlocale failed, check if de_DE.ISO-8859-1 is generated");
+
+  uselocale (loc_obj);
+ 
+   wchar_t buf[32] = L"123";
+   int j;
+@@ -41,7 +44,7 @@ do_test (void)
+     FAIL_EXIT1 ("swscanf failed");
+ 
+   /* Retrieve the current gconv_fcts from the LC_CTYPE locale data.  */
+-  struct __locale_data *loc = _NL_CURRENT_DATA (LC_CTYPE);
+  struct __locale_data *loc = loc_obj->__locales[LC_CTYPE];
+   const struct gconv_fcts *fcts = loc->private.ctype;
+ 
+   TEST_VERIFY_EXIT (fcts != NULL);
+@@ -50,6 +53,9 @@ do_test (void)
+   /* Capture the reference counter.  */
+   int initial_counter = fcts->towc->__counter;
+ 
+  if (fcts->towc->__shlib_handle == NULL)
+    FAIL_EXIT1 ("__shlib_handle is NULL!");
+
+   /* Perform a second iteration of swscanf. If the stack-allocated FILE
+      leaks the gconv reference, the counter will increment.  */
+   if (swscanf (buf, L"%d", &j) < 1)
--- a/glibc-RHEL-145156-5.patch
+++ b/glibc-RHEL-145156-5.patch
@ -0,0 +1,111 @@
+test: Add gconv refcount leak test for swprintf
+
+Add a new internal test, tst-wcsmbs-clone-overflow-swprintf, to verify
+correct gconv module reference counting for the swprintf path.
+
+This is the swprintf counterpart to tst-wcsmbs-clone-overflow (which
+tests swscanf).  The vswprintf/swprintf family creates a wide-oriented
+stack-allocated FILE stream via _IO_no_init and _IO_fwide, which clones
+the gconv transformation steps.  This test verifies that the __counter
+for gconv_fcts->towc does not leak references after swprintf returns,
+confirming that _IO_wstrfile_fclose_stack properly releases the gconv
+steps.
+
+diff --git a/wcsmbs/Makefile b/wcsmbs/Makefile
+index bb03d92576700a99..252630457146de35 100644
+--- a/wcsmbs/Makefile
+++ b/wcsmbs/Makefile
+@@ -60,7 +60,8 @@ tests := tst-wcstof wcsmbs-tst1 tst-wcsnlen tst-btowc tst-mbrtowc \
+ xtests += test-wcsncmp-nonarray
+ 
+ tests-internal += \
+-  tst-wcsmbs-clone-overflow
+  tst-wcsmbs-clone-overflow \
+  tst-wcsmbs-clone-overflow-swprintf
+ 
+ include ../Rules
+ 
+@@ -81,6 +82,7 @@ $(objpfx)tst-wcstod-nan-locale.out: $(gen-locales)
+ $(objpfx)tst-c16-surrogate.out: $(gen-locales)
+ $(objpfx)tst-c32-state.out: $(gen-locales)
+ $(objpfx)tst-wcsmbs-clone-overflow.out: $(gen-locales) $(gen-gconv-modules)
+$(objpfx)tst-wcsmbs-clone-overflow-swprintf.out: $(gen-locales) $(gen-gconv-modules)
+ endif
+ 
+ $(objpfx)tst-wcstod-round: $(libm)
+diff --git a/wcsmbs/tst-wcsmbs-clone-overflow-swprintf.c b/wcsmbs/tst-wcsmbs-clone-overflow-swprintf.c
+new file mode 100644
+index 0000000000000000..daccb08e6352a943
+--- /dev/null
+++ b/wcsmbs/tst-wcsmbs-clone-overflow-swprintf.c
+@@ -0,0 +1,70 @@
+/* Test for gconv module reference counter leak in swprintf.
+   Copyright (C) 2026 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <locale.h>
+#include <stdio.h>
+#include <wchar.h>
+#include <support/check.h>
+#include <support/support.h>
+
+/* Internal headers for accessing the gconv structures.  */
+#include <locale/localeinfo.h>
+#include <iconv/gconv_int.h>
+#include <wcsmbs/wcsmbsload.h>
+
+static int
+do_test (void)
+{
+  locale_t loc_obj = newlocale (LC_ALL_MASK, "de_DE.ISO-8859-1", NULL);
+  if (loc_obj == NULL)
+    FAIL_EXIT1 ("newlocale failed, check if de_DE.ISO-8859-1 is generated");
+
+  uselocale (loc_obj);
+
+  wchar_t buf[32];
+
+  /* First iteration initializes the gconv functions internally.  */
+  if (swprintf (buf, sizeof (buf) / sizeof (buf[0]), L"%d", 123) < 0)
+    FAIL_EXIT1 ("swprintf failed");
+
+  /* Retrieve the current gconv_fcts from the LC_CTYPE locale data.  */
+  struct __locale_data *loc = loc_obj->__locales[LC_CTYPE];
+  const struct gconv_fcts *fcts = loc->private.ctype;
+
+  TEST_VERIFY_EXIT (fcts != NULL);
+  TEST_VERIFY_EXIT (fcts->towc != NULL);
+
+  /* Capture the reference counter.  */
+  int initial_counter = fcts->towc->__counter;
+
+  if (fcts->towc->__shlib_handle == NULL)
+    FAIL_EXIT1 ("__shlib_handle is NULL!");
+
+  /* Perform a second iteration of swprintf.  If the stack-allocated FILE
+     leaks the gconv reference, the counter will increment.  */
+  if (swprintf (buf, sizeof (buf) / sizeof (buf[0]), L"%d", 456) < 0)
+    FAIL_EXIT1 ("swprintf failed");
+
+  /* The counter should be unchanged, as _IO_wstrfile_fclose_stack should
+     have decremented it correctly.  */
+  TEST_COMPARE (fcts->towc->__counter, initial_counter);
+
+  return 0;
+}
+
+#include <support/test-driver.c>