Emergency backport of this change prior to upstream acceptance:

Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 26 07:13:00 2021 +0200

    nptl: Install SIGSETXID handler with SA_ONSTACK [BZ #27914]
    
    The signal is sent to all threads, some of which may have switched
    to very small stacks.  If they have also installed an alternate
    signal stack, SA_ONSTACK makes this work.  The Go runtime needs this:
    
      runtime: C.setuid/C.setgid smashes Go stack
      <https://github.com/golang/go/issues/9400>

    Doing this for SIGCANCEL is less obviously beneficial and needs further
    testing.

diff --git a/nptl/pthread_create.c b/nptl/pthread_create.c
index 5680687efe7089da..b7073a828549d24c 100644
--- a/nptl/pthread_create.c
+++ b/nptl/pthread_create.c
@@ -83,9 +83,12 @@ late_init (void)
       (void) __libc_sigaction (SIGCANCEL, &sa, NULL);
     }
 
-  /* Install the handle to change the threads' uid/gid.  */
+  /* Install the handle to change the threads' uid/gid.  Use
+     SA_ONSTACK because the signal may be sent to threads that are
+     running with custom stacks.  (This is less likely for
+     SIGCANCEL.)  */
   sa.sa_sigaction = __nptl_setxid_sighandler;
-  sa.sa_flags = SA_SIGINFO | SA_RESTART;
+  sa.sa_flags = SA_ONSTACK | SA_SIGINFO | SA_RESTART;
   (void) __libc_sigaction (SIGSETXID, &sa, NULL);
 
   /* The parent process might have left the signals blocked.  Just in