RFC: PATCHES: Properly handle reference to protected data on x86

RFC: PATCHES: Properly handle reference to protected data on x86

[H.J. Lu]

[-- Attachment #1: Type: text/plain, Size: 394 bytes --]

Protected symbol means that it can't be pre-emptied.  It
doesn't mean its address won't be external.  This is true
for pointer to protected function.  With copy relocation,
address of protected data defined in the shared library may
also be external.  We only know that for sure at run-time.
Here are patches for glibc, binutils and GCC to handle it
properly.

Any comments?

Thanks.

-- 
H.J.

[-- Attachment #2: 0001-Add-default_binds_local_p_2-and-use-it-for-x86.patch --]
[-- Type: text/x-patch, Size: 3321 bytes --]

From 8fae9be1d8eb4bb49075331473727cd2daebb0a3 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 4 Mar 2015 14:44:06 -0800
Subject: [PATCH] Add default_binds_local_p_2 and use it for x86

With copy relocation, address of protected data defined in the shared
library may be external.  In this case, TARGET_BINDS_LOCAL_P should
return false.
---
 gcc/config/i386/i386.c |  3 +++
 gcc/output.h           |  1 +
 gcc/varasm.c           | 18 +++++++++++++++---
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index ab8f03a..41a487a 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -51878,6 +51878,9 @@ ix86_initialize_bounds (tree var, tree lb, tree ub, tree *stmts)
 #if TARGET_MACHO
 #undef TARGET_BINDS_LOCAL_P
 #define TARGET_BINDS_LOCAL_P darwin_binds_local_p
+#else
+#undef TARGET_BINDS_LOCAL_P
+#define TARGET_BINDS_LOCAL_P default_binds_local_p_2
 #endif
 #if TARGET_DLLIMPORT_DECL_ATTRIBUTES
 #undef TARGET_BINDS_LOCAL_P
diff --git a/gcc/output.h b/gcc/output.h
index 217d979..53e47d0 100644
--- a/gcc/output.h
+++ b/gcc/output.h
@@ -586,6 +586,7 @@ extern void default_asm_output_anchor (rtx);
 extern bool default_use_anchors_for_symbol_p (const_rtx);
 extern bool default_binds_local_p (const_tree);
 extern bool default_binds_local_p_1 (const_tree, int);
+extern bool default_binds_local_p_2 (const_tree);
 extern void default_globalize_label (FILE *, const char *);
 extern void default_globalize_decl_name (FILE *, tree);
 extern void default_emit_unwind_label (FILE *, tree, int, int);
diff --git a/gcc/varasm.c b/gcc/varasm.c
index 8173207..87ac646 100644
--- a/gcc/varasm.c
+++ b/gcc/varasm.c
@@ -6803,7 +6803,8 @@ resolution_local_p (enum ld_plugin_symbol_resolution resolution)
 }
 
 static bool
-default_binds_local_p_2 (const_tree exp, bool shlib, bool weak_dominate)
+default_binds_local_p_3 (const_tree exp, bool shlib, bool weak_dominate,
+			 bool extern_protected_data)
 {
   /* A non-decl is an entry in the constant pool.  */
   if (!DECL_P (exp))
@@ -6849,6 +6850,9 @@ default_binds_local_p_2 (const_tree exp, bool shlib, bool weak_dominate)
      or if we have a definition for the symbol.  We cannot infer visibility
      for undefined symbols.  */
   if (DECL_VISIBILITY (exp) != VISIBILITY_DEFAULT
+      && (TREE_CODE (exp) == FUNCTION_DECL
+	  || !extern_protected_data
+	  || DECL_VISIBILITY (exp) != VISIBILITY_PROTECTED)
       && (DECL_VISIBILITY_SPECIFIED (exp) || defined_locally))
     return true;
 
@@ -6884,13 +6888,21 @@ default_binds_local_p_2 (const_tree exp, bool shlib, bool weak_dominate)
 bool
 default_binds_local_p (const_tree exp)
 {
-  return default_binds_local_p_2 (exp, flag_shlib != 0, true);
+  return default_binds_local_p_3 (exp, flag_shlib != 0, true, false);
+}
+
+/* Similar to default_binds_local_p, but protected data may be
+   external.  */
+bool
+default_binds_local_p_2 (const_tree exp)
+{
+  return default_binds_local_p_3 (exp, flag_shlib != 0, true, true);
 }
 
 bool
 default_binds_local_p_1 (const_tree exp, int shlib)
 {
-  return default_binds_local_p_2 (exp, shlib != 0, false);
+  return default_binds_local_p_3 (exp, shlib != 0, false, false);
 }
 
 /* Return true when references to DECL must bind to current definition in
-- 
1.9.3


[-- Attachment #3: 0001-Add-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-to-x86.patch --]
[-- Type: text/x-patch, Size: 8772 bytes --]

From 6b99fe3f78ceb55b37641a23bbbf59eacb406d21 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 4 Mar 2015 10:24:25 -0800
Subject: [PATCH] Add ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA to x86

With copy relocation, address of protected data defined in the shared
library may be external.   When there is a relocation against the
protected data symbol within the shared library, we need to check if we
should the definion in the executable copied from this protected data.
This patch adds ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA and defines it
for x86.  If ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA isn't 0, do_lookup_x
will skip the data definion in the executable from copy reloc.
---
 elf/dl-lookup.c               | 61 ++++++++++++++++++++++++++++++++++++++++++-
 sysdeps/generic/ldsodefs.h    | 12 ++++++++-
 sysdeps/i386/dl-lookupcfg.h   |  4 +++
 sysdeps/i386/dl-machine.h     |  8 ++++--
 sysdeps/x86_64/dl-lookupcfg.h |  4 +++
 sysdeps/x86_64/dl-machine.h   |  8 ++++--
 6 files changed, 91 insertions(+), 6 deletions(-)

diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c
index 5fa76ba..11cb44b 100644
--- a/elf/dl-lookup.c
+++ b/elf/dl-lookup.c
@@ -463,6 +463,59 @@ do_lookup_x (const char *undef_name, uint_fast32_t new_hash,
       if (sym != NULL)
 	{
 	found_it:
+	  /* When UNDEF_MAP is NULL, which indicates we are called from
+	     do_lookup_x on relocation against protected data, we skip
+	     the data definion in the executable from copy reloc.  */
+	  if (ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA
+	      && undef_map == NULL
+	      && map->l_type == lt_executable
+	      && type_class == ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA)
+	    {
+	      const ElfW(Sym) *s;
+	      unsigned int i;
+
+#if ! ELF_MACHINE_NO_RELA
+	      if (map->l_info[DT_RELA] != NULL
+		  && map->l_info[DT_RELASZ] != NULL
+		  && map->l_info[DT_RELASZ]->d_un.d_val != 0)
+		{
+		  const ElfW(Rela) *rela
+		    = (const ElfW(Rela) *) D_PTR (map, l_info[DT_RELA]);
+		  unsigned int rela_count
+		    = map->l_info[DT_RELASZ]->d_un.d_val / sizeof (*rela);
+
+		  for (i = 0; i < rela_count; i++, rela++)
+		    if (elf_machine_type_class (ELFW(R_TYPE) (rela->r_info))
+			== ELF_RTYPE_CLASS_COPY)
+		      {
+			s = &symtab[ELFW(R_SYM) (rela->r_info)];
+			if (!strcmp (strtab + s->st_name, undef_name))
+			  goto skip;
+		      }
+		}
+#endif
+#if ! ELF_MACHINE_NO_REL
+	      if (map->l_info[DT_REL] != NULL
+		  && map->l_info[DT_RELSZ] != NULL
+		  && map->l_info[DT_RELSZ]->d_un.d_val != 0)
+		{
+		  const ElfW(Rel) *rel
+		    = (const ElfW(Rel) *) D_PTR (map, l_info[DT_REL]);
+		  unsigned int rel_count
+		    = map->l_info[DT_RELSZ]->d_un.d_val / sizeof (*rel);
+
+		  for (i = 0; i < rel_count; i++, rel++)
+		    if (elf_machine_type_class (ELFW(R_TYPE) (rel->r_info))
+			== ELF_RTYPE_CLASS_COPY)
+		      {
+			s = &symtab[ELFW(R_SYM) (rel->r_info)];
+			if (!strcmp (strtab + s->st_name, undef_name))
+			  goto skip;
+		      }
+		}
+#endif
+	    }
+
 	  switch (ELFW(ST_BIND) (sym->st_info))
 	    {
 	    case STB_WEAK:
@@ -494,6 +547,7 @@ do_lookup_x (const char *undef_name, uint_fast32_t new_hash,
 	    }
 	}
 
+skip:
       /* If this current map is the one mentioned in the verneed entry
 	 and we have not found a weak entry, it is a bug.  */
       if (symidx == STN_UNDEF && version != NULL && version->filename != NULL
@@ -844,7 +898,12 @@ _dl_lookup_symbol_x (const char *undef_name, struct link_map *undef_map,
 	  for (scope = symbol_scope; *scope != NULL; i = 0, ++scope)
 	    if (do_lookup_x (undef_name, new_hash, &old_hash, *ref,
 			     &protected_value, *scope, i, version, flags,
-			     skip_map, ELF_RTYPE_CLASS_PLT, NULL) != 0)
+			     skip_map,
+			     (ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA
+			      && ELFW(ST_TYPE) ((*ref)->st_info) == STT_OBJECT
+			      && type_class == ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA)
+			     ? ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA
+			     : ELF_RTYPE_CLASS_PLT, NULL) != 0)
 	      break;
 
 	  if (protected_value.s != NULL && protected_value.m != undef_map)
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index d738988..7a0fe8d 100644
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -105,13 +105,23 @@ typedef struct link_map *lookup_t;
    satisfied by any symbol in the executable.  Some architectures do
    not support copy relocations.  In this case we define the macro to
    zero so that the code for handling them gets automatically optimized
-   out.  */
+   out.  ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA means address of protected
+   data defined in the shared library may be external, i.e., due to copy
+   relocation.  */
 #define ELF_RTYPE_CLASS_PLT 1
 #ifndef DL_NO_COPY_RELOCS
 # define ELF_RTYPE_CLASS_COPY 2
 #else
 # define ELF_RTYPE_CLASS_COPY 0
 #endif
+/* If DL_EXTERN_PROTECTED_DATA is defined, address of protected data
+   defined in the shared library may be external, i.e., due to copy
+   relocation.   */
+#ifdef DL_EXTERN_PROTECTED_DATA
+# define ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA 4
+#else
+# define ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA 0
+#endif
 
 /* ELF uses the PF_x macros to specify the segment permissions, mmap
    uses PROT_xxx.  In most cases the three macros have the values 1, 2,
diff --git a/sysdeps/i386/dl-lookupcfg.h b/sysdeps/i386/dl-lookupcfg.h
index 9310296..310f261 100644
--- a/sysdeps/i386/dl-lookupcfg.h
+++ b/sysdeps/i386/dl-lookupcfg.h
@@ -20,6 +20,10 @@
 
 #include_next <dl-lookupcfg.h>
 
+/* Address of protected data defined in the shared library may be
+   external due to copy relocation.   */
+#define DL_EXTERN_PROTECTED_DATA
+
 struct link_map;
 
 extern void internal_function _dl_unmap (struct link_map *map);
diff --git a/sysdeps/i386/dl-machine.h b/sysdeps/i386/dl-machine.h
index 7eb4666..a8a90f1 100644
--- a/sysdeps/i386/dl-machine.h
+++ b/sysdeps/i386/dl-machine.h
@@ -206,13 +206,17 @@ _dl_start_user:\n\
    TLS variable, so undefined references should not be allowed to
    define the value.
    ELF_RTYPE_CLASS_NOCOPY iff TYPE should not be allowed to resolve to one
-   of the main executable's symbols, as for a COPY reloc.  */
+   of the main executable's symbols, as for a COPY reloc.
+   ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA iff TYPE describes relocation may
+   against protected data whose address be external due to copy relocation.
+ */
 # define elf_machine_type_class(type) \
   ((((type) == R_386_JMP_SLOT || (type) == R_386_TLS_DTPMOD32		      \
      || (type) == R_386_TLS_DTPOFF32 || (type) == R_386_TLS_TPOFF32	      \
      || (type) == R_386_TLS_TPOFF || (type) == R_386_TLS_DESC)		      \
     * ELF_RTYPE_CLASS_PLT)						      \
-   | (((type) == R_386_COPY) * ELF_RTYPE_CLASS_COPY))
+   | (((type) == R_386_COPY) * ELF_RTYPE_CLASS_COPY)			      \
+   | (((type) == R_386_GLOB_DAT) * ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA))
 
 /* A reloc type used for ld.so cmdline arg lookups to reject PLT entries.  */
 #define ELF_MACHINE_JMP_SLOT	R_386_JMP_SLOT
diff --git a/sysdeps/x86_64/dl-lookupcfg.h b/sysdeps/x86_64/dl-lookupcfg.h
index 9310296..310f261 100644
--- a/sysdeps/x86_64/dl-lookupcfg.h
+++ b/sysdeps/x86_64/dl-lookupcfg.h
@@ -20,6 +20,10 @@
 
 #include_next <dl-lookupcfg.h>
 
+/* Address of protected data defined in the shared library may be
+   external due to copy relocation.   */
+#define DL_EXTERN_PROTECTED_DATA
+
 struct link_map;
 
 extern void internal_function _dl_unmap (struct link_map *map);
diff --git a/sysdeps/x86_64/dl-machine.h b/sysdeps/x86_64/dl-machine.h
index 6aa01e6..fd79275 100644
--- a/sysdeps/x86_64/dl-machine.h
+++ b/sysdeps/x86_64/dl-machine.h
@@ -170,7 +170,10 @@ _dl_start_user:\n\
    TLS variable, so undefined references should not be allowed to
    define the value.
    ELF_RTYPE_CLASS_NOCOPY iff TYPE should not be allowed to resolve to one
-   of the main executable's symbols, as for a COPY reloc.  */
+   of the main executable's symbols, as for a COPY reloc.
+   ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA iff TYPE describes relocation may
+   against protected data whose address be external due to copy relocation.
+ */
 #define elf_machine_type_class(type)					      \
   ((((type) == R_X86_64_JUMP_SLOT					      \
      || (type) == R_X86_64_DTPMOD64					      \
@@ -178,7 +181,8 @@ _dl_start_user:\n\
      || (type) == R_X86_64_TPOFF64					      \
      || (type) == R_X86_64_TLSDESC)					      \
     * ELF_RTYPE_CLASS_PLT)						      \
-   | (((type) == R_X86_64_COPY) * ELF_RTYPE_CLASS_COPY))
+   | (((type) == R_X86_64_COPY) * ELF_RTYPE_CLASS_COPY)			      \
+   | (((type) == R_X86_64_GLOB_DAT) * ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA))
 
 /* A reloc type used for ld.so cmdline arg lookups to reject PLT entries.  */
 #define ELF_MACHINE_JMP_SLOT	R_X86_64_JUMP_SLOT
-- 
1.9.3


[-- Attachment #4: 0001-Add-extern_protected_data-and-set-it-for-x86.patch --]
[-- Type: text/x-patch, Size: 6110 bytes --]

From ced505c47a961691e3f1e252ba5ea2aec4152397 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 4 Mar 2015 08:57:30 -0800
Subject: [PATCH] Add extern_protected_data and set it for x86

With copy relocation, address of protected data defined in the shared
library may be external.  This patch adds extern_protected_data and
changes _bfd_elf_symbol_refs_local_p to return false for protecteddata
if extern_protected_data is true.
---
 bfd/elf-bfd.h                       | 4 ++++
 bfd/elf32-i386.c                    | 1 +
 bfd/elf64-x86-64.c                  | 1 +
 bfd/elflink.c                       | 9 ++++++---
 bfd/elfxx-target.h                  | 6 +++++-
 ld/testsuite/ld-i386/protected3.d   | 3 ++-
 ld/testsuite/ld-i386/protected3.s   | 3 ++-
 ld/testsuite/ld-x86-64/protected3.d | 3 ++-
 ld/testsuite/ld-x86-64/protected3.s | 3 ++-
 9 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h
index 156eec7..13c32e0 100644
--- a/bfd/elf-bfd.h
+++ b/bfd/elf-bfd.h
@@ -1359,6 +1359,10 @@ struct elf_backend_data
      in length rather than sec->size in length, if sec->rawsize is
      non-zero and smaller than sec->size.  */
   unsigned caches_rawsize : 1;
+
+  /* Address of protected data defined in the shared library may be
+     external, i.e., due to copy relocation.   */
+  unsigned extern_protected_data : 1;
 };
 
 /* Information about reloc sections associated with a bfd_elf_section_data
diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
index 3f16fc1..52f4d33 100644
--- a/bfd/elf32-i386.c
+++ b/bfd/elf32-i386.c
@@ -5292,6 +5292,7 @@ elf_i386_add_symbol_hook (bfd * abfd,
 #define elf_backend_want_plt_sym	0
 #define elf_backend_got_header_size	12
 #define elf_backend_plt_alignment	4
+#define elf_backend_extern_protected_data 1
 
 /* Support RELA for objdump of prelink objects.  */
 #define elf_info_to_howto		      elf_i386_info_to_howto_rel
diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index a4974ce..74d1d06 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -5868,6 +5868,7 @@ static const struct bfd_elf_special_section
 #define elf_backend_got_header_size	    (GOT_ENTRY_SIZE*3)
 #define elf_backend_rela_normal		    1
 #define elf_backend_plt_alignment           4
+#define elf_backend_extern_protected_data   1
 
 #define elf_info_to_howto		    elf_x86_64_info_to_howto
 
diff --git a/bfd/elflink.c b/bfd/elflink.c
index ec1e4df..6ee6499 100644
--- a/bfd/elflink.c
+++ b/bfd/elflink.c
@@ -2671,7 +2671,9 @@ _bfd_elf_adjust_dynamic_copy (struct bfd_link_info *info,
   /* Increment the size of DYNBSS to make room for the symbol.  */
   dynbss->size += h->size;
 
-  if (h->protected_def)
+  /* No error if extern_protected_data is true.  */
+  if (h->protected_def
+      && !get_elf_backend_data (dynbss->owner)->extern_protected_data)
     {
       info->callbacks->einfo
 	(_("%P: copy reloc against protected `%T' is invalid\n"),
@@ -2835,8 +2837,9 @@ _bfd_elf_symbol_refs_local_p (struct elf_link_hash_entry *h,
 
   bed = get_elf_backend_data (hash_table->dynobj);
 
-  /* STV_PROTECTED non-function symbols are local.  */
-  if (!bed->is_function_type (h->type))
+  /* If extern_protected_data is false, STV_PROTECTED non-function
+     symbols are local.  */
+  if (!bed->extern_protected_data && !bed->is_function_type (h->type))
     return TRUE;
 
   /* Function pointer equality tests may require that STV_PROTECTED
diff --git a/bfd/elfxx-target.h b/bfd/elfxx-target.h
index 211c0a1..9760db4 100644
--- a/bfd/elfxx-target.h
+++ b/bfd/elfxx-target.h
@@ -117,6 +117,9 @@
 #ifndef elf_backend_caches_rawsize
 #define elf_backend_caches_rawsize 0
 #endif
+#ifndef elf_backend_extern_protected_data
+#define elf_backend_extern_protected_data 0
+#endif
 #ifndef elf_backend_stack_align
 #define elf_backend_stack_align 16
 #endif
@@ -801,7 +804,8 @@ static struct elf_backend_data elfNN_bed =
   elf_backend_want_dynbss,
   elf_backend_want_p_paddr_set_to_zero,
   elf_backend_default_execstack,
-  elf_backend_caches_rawsize
+  elf_backend_caches_rawsize,
+  elf_backend_extern_protected_data
 };
 
 /* Forward declaration for use when initialising alternative_target field.  */
diff --git a/ld/testsuite/ld-i386/protected3.d b/ld/testsuite/ld-i386/protected3.d
index aafa2d8..47ab4e1 100644
--- a/ld/testsuite/ld-i386/protected3.d
+++ b/ld/testsuite/ld-i386/protected3.d
@@ -8,6 +8,7 @@
 Disassembly of section .text:
 
 0+[a-f0-9]+ <bar>:
-[ 	]*[a-f0-9]+:	8b 81 [a-f0-9][a-f0-9] [a-f0-9][a-f0-9] 00 00    	mov    0x[a-f0-9]+\(%ecx\),%eax
+[ 	]*[a-f0-9]+:	8b 81 [a-f0-9][a-f0-9] [a-f0-9][a-f0-9] ff ff    	mov    -0x[a-f0-9]+\(%ecx\),%eax
+[ 	]*[a-f0-9]+:	8b 00                	mov    \(%eax\),%eax
 [ 	]*[a-f0-9]+:	c3                   	ret    
 #pass
diff --git a/ld/testsuite/ld-i386/protected3.s b/ld/testsuite/ld-i386/protected3.s
index 7a605a2..4dd2115 100644
--- a/ld/testsuite/ld-i386/protected3.s
+++ b/ld/testsuite/ld-i386/protected3.s
@@ -10,6 +10,7 @@ foo:
 .globl bar
 	.type	bar, @function
 bar:
-	movl	foo@GOTOFF(%ecx), %eax
+	movl	foo@GOT(%ecx), %eax
+	movl	(%eax), %eax
 	ret
 	.size	bar, .-bar
diff --git a/ld/testsuite/ld-x86-64/protected3.d b/ld/testsuite/ld-x86-64/protected3.d
index 22a36ac..d8f09da 100644
--- a/ld/testsuite/ld-x86-64/protected3.d
+++ b/ld/testsuite/ld-x86-64/protected3.d
@@ -8,6 +8,7 @@
 Disassembly of section .text:
 
 0+[a-f0-9]+ <bar>:
-[ 	]*[a-f0-9]+:	8b 05 ([0-9a-f]{2} ){4} *	mov    0x[a-f0-9]+\(%rip\),%eax        # [a-f0-9]+ <foo>
+[ 	]*[a-f0-9]+:	48 8b 05 ([0-9a-f]{2} ){4} *	mov    0x[a-f0-9]+\(%rip\),%rax        # [a-f0-9]+ <_DYNAMIC\+0x[a-f0-9]+>
+[ 	]*[a-f0-9]+:	8b 00                	mov    \(%rax\),%eax
 [ 	]*[a-f0-9]+:	c3                   	retq *
 #pass
diff --git a/ld/testsuite/ld-x86-64/protected3.s b/ld/testsuite/ld-x86-64/protected3.s
index e4af6e7..7538050 100644
--- a/ld/testsuite/ld-x86-64/protected3.s
+++ b/ld/testsuite/ld-x86-64/protected3.s
@@ -10,6 +10,7 @@ foo:
 .globl bar
 	.type	bar, @function
 bar:
-	movl	foo(%rip), %eax
+	movq	foo@GOTPCREL(%rip), %rax
+	movl	(%rax), %eax
 	ret
 	.size	bar, .-bar
-- 
1.9.3

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[Alan Modra]

On Wed, Mar 04, 2015 at 03:26:10PM -0800, H.J. Lu wrote:
> Protected symbol means that it can't be pre-emptied.  It
> doesn't mean its address won't be external.  This is true
> for pointer to protected function.  With copy relocation,
> address of protected data defined in the shared library may
> also be external.  We only know that for sure at run-time.
> Here are patches for glibc, binutils and GCC to handle it
> properly.
> 
> Any comments?

I'd like to see this pass some more tests.  For example

reference in non-PIC exe to var x
protected visibility definition of x in libA
protected visibility definition of x in libB

I suspect you don't have this case correct, but congratulations if you
do!  Assuming libA is first on the breadth first search for libraries,
then exe and libA ought to use the same x, but libB have its own x.

In fact it would be good to prove that all variations of either a
reference, a default visibility definition or a protected visibility
definition worked in the exe plus two libs case.

-- 
Alan Modra
Australia Development Lab, IBM

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[Szabolcs Nagy]

On 04/03/15 23:26, H.J. Lu wrote:
> Protected symbol means that it can't be pre-emptied.  It
> doesn't mean its address won't be external.  This is true
> for pointer to protected function.  With copy relocation,
> address of protected data defined in the shared library may
> also be external.  We only know that for sure at run-time.
> Here are patches for glibc, binutils and GCC to handle it
> properly.
> 
> Any comments?
> 

i think this fixes
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=55012

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[H.J. Lu]

On Thu, Mar 5, 2015 at 8:19 PM, Alan Modra <amodra@gmail.com> wrote:
> On Wed, Mar 04, 2015 at 03:26:10PM -0800, H.J. Lu wrote:
>> Protected symbol means that it can't be pre-emptied.  It
>> doesn't mean its address won't be external.  This is true
>> for pointer to protected function.  With copy relocation,
>> address of protected data defined in the shared library may
>> also be external.  We only know that for sure at run-time.
>> Here are patches for glibc, binutils and GCC to handle it
>> properly.
>>
>> Any comments?
>
> I'd like to see this pass some more tests.  For example
>
> reference in non-PIC exe to var x
> protected visibility definition of x in libA
> protected visibility definition of x in libB
>
> I suspect you don't have this case correct, but congratulations if you
> do!  Assuming libA is first on the breadth first search for libraries,
> then exe and libA ought to use the same x, but libB have its own x.

I believe my new testcases on hjl/pr17711 branch at

https://sourceware.org/git/?p=glibc.git;a=summary

covers those and they work correctly.

> In fact it would be good to prove that all variations of either a
> reference, a default visibility definition or a protected visibility
> definition worked in the exe plus two libs case.
>

You can git my branch a try on PPC.  If PPC uses copy
relocation, it shouldn't be too hard to update PPC to make
it work.


-- 
H.J.

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[Joseph Myers]

On Wed, 4 Mar 2015, H.J. Lu wrote:

> Protected symbol means that it can't be pre-emptied.  It
> doesn't mean its address won't be external.  This is true
> for pointer to protected function.  With copy relocation,
> address of protected data defined in the shared library may
> also be external.  We only know that for sure at run-time.
> Here are patches for glibc, binutils and GCC to handle it
> properly.
> 
> Any comments?

I don't see any testcases in the glibc patch; it seems critical to have 
sufficient testcases to make it easy for architecture maintainers to tell 
if there is an issue for their architecture (and the testcases need to 
have clear comments explaining any requirements on GCC and binutils for 
them to work - that is, comments referring to committed patches or 
releases rather than to anything uncommitted).

-- 
Joseph S. Myers
joseph@codesourcery.com

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[H.J. Lu]

On Fri, Mar 6, 2015 at 10:29 AM, Joseph Myers <joseph@codesourcery.com> wrote:
> On Wed, 4 Mar 2015, H.J. Lu wrote:
>
>> Protected symbol means that it can't be pre-emptied.  It
>> doesn't mean its address won't be external.  This is true
>> for pointer to protected function.  With copy relocation,
>> address of protected data defined in the shared library may
>> also be external.  We only know that for sure at run-time.
>> Here are patches for glibc, binutils and GCC to handle it
>> properly.
>>
>> Any comments?
>
> I don't see any testcases in the glibc patch; it seems critical to have
> sufficient testcases to make it easy for architecture maintainers to tell
> if there is an issue for their architecture (and the testcases need to
> have clear comments explaining any requirements on GCC and binutils for
> them to work - that is, comments referring to committed patches or
> releases rather than to anything uncommitted).
>

https://sourceware.org/ml/libc-alpha/2015-03/msg00231.html

-- 
H.J.

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[Alan Modra]

On Fri, Mar 06, 2015 at 05:04:56AM -0800, H.J. Lu wrote:
> On Thu, Mar 5, 2015 at 8:19 PM, Alan Modra <amodra@gmail.com> wrote:
> > On Wed, Mar 04, 2015 at 03:26:10PM -0800, H.J. Lu wrote:
> >> Protected symbol means that it can't be pre-emptied.  It
> >> doesn't mean its address won't be external.  This is true
> >> for pointer to protected function.  With copy relocation,
> >> address of protected data defined in the shared library may
> >> also be external.  We only know that for sure at run-time.
> >> Here are patches for glibc, binutils and GCC to handle it
> >> properly.
> >>
> >> Any comments?
> >
> > I'd like to see this pass some more tests.  For example
> >
> > reference in non-PIC exe to var x
> > protected visibility definition of x in libA
> > protected visibility definition of x in libB
> >
> > I suspect you don't have this case correct, but congratulations if you
> > do!  Assuming libA is first on the breadth first search for libraries,
> > then exe and libA ought to use the same x, but libB have its own x.
> 
> I believe my new testcases on hjl/pr17711 branch at
> 
> https://sourceware.org/git/?p=glibc.git;a=summary
> 
> covers those and they work correctly.

The test that I see in commit 9ea148bb does not.  Please notice that
I'm asking you about two protected definitions in the libraries, not
one protected and one with default visibility.

-- 
Alan Modra
Australia Development Lab, IBM

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[H.J. Lu]

On Fri, Mar 6, 2015 at 4:15 PM, Alan Modra <amodra@gmail.com> wrote:
> On Fri, Mar 06, 2015 at 05:04:56AM -0800, H.J. Lu wrote:
>> On Thu, Mar 5, 2015 at 8:19 PM, Alan Modra <amodra@gmail.com> wrote:
>> > On Wed, Mar 04, 2015 at 03:26:10PM -0800, H.J. Lu wrote:
>> >> Protected symbol means that it can't be pre-emptied.  It
>> >> doesn't mean its address won't be external.  This is true
>> >> for pointer to protected function.  With copy relocation,
>> >> address of protected data defined in the shared library may
>> >> also be external.  We only know that for sure at run-time.
>> >> Here are patches for glibc, binutils and GCC to handle it
>> >> properly.
>> >>
>> >> Any comments?
>> >
>> > I'd like to see this pass some more tests.  For example
>> >
>> > reference in non-PIC exe to var x
>> > protected visibility definition of x in libA
>> > protected visibility definition of x in libB
>> >
>> > I suspect you don't have this case correct, but congratulations if you
>> > do!  Assuming libA is first on the breadth first search for libraries,
>> > then exe and libA ought to use the same x, but libB have its own x.
>>
>> I believe my new testcases on hjl/pr17711 branch at
>>
>> https://sourceware.org/git/?p=glibc.git;a=summary
>>
>> covers those and they work correctly.
>
> The test that I see in commit 9ea148bb does not.  Please notice that
> I'm asking you about two protected definitions in the libraries, not
> one protected and one with default visibility.

My patch extends my work for protected function pointer to
cover protected data.  There is no reason why it shouldn't work.
I updated the testcase to

commit 88af4693bd32e3658206b73c121de9a36c510f6b

Please check it out.

-- 
H.J.

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[Alan Modra]

On Fri, Mar 06, 2015 at 05:03:21PM -0800, H.J. Lu wrote:
> I updated the testcase to

Thanks, that's good to see.

-- 
Alan Modra
Australia Development Lab, IBM

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[H.J. Lu]

On Sat, Mar 7, 2015 at 4:00 AM, Alan Modra <amodra@gmail.com> wrote:
> On Fri, Mar 06, 2015 at 05:03:21PM -0800, H.J. Lu wrote:
>> I updated the testcase to
>
> Thanks, that's good to see.
>

Did you make it to work on PPC?

-- 
H.J.

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[H.J. Lu]

On Thu, Mar 5, 2015 at 6:39 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Wed, Mar 4, 2015 at 3:26 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
>> Protected symbol means that it can't be pre-emptied.  It
>> doesn't mean its address won't be external.  This is true
>> for pointer to protected function.  With copy relocation,
>> address of protected data defined in the shared library may
>> also be external.  We only know that for sure at run-time.
>> Here are patches for glibc, binutils and GCC to handle it
>> properly.
>>
>> Any comments?
>
> This is the binutils patch I checked in.  It basically reverted
> the change for
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=15228
>
> on x86.  Copy relocations against protected symbols should
> work.
>
> --
> H.J.
> ---
> bfd/
>
> PR ld/pr15228
> PR ld/pr17709
> * elf-bfd.h (elf_backend_data): Add extern_protected_data.
> * elf32-i386.c (elf_backend_extern_protected_data): New.
> Defined to 1.
> * elf64-x86-64.c (elf_backend_extern_protected_data): Likewise.
> * elflink.c (_bfd_elf_adjust_dynamic_copy): Don't error on
> copy relocs against protected symbols if extern_protected_data
> is true.
> (_bfd_elf_symbol_refs_local_p): Don't return true on protected
> non-function symbols if extern_protected_data is true.
> * elfxx-target.h (elf_backend_extern_protected_data): New.
> Default to 0.
> (elfNN_bed): Initialize extern_protected_data with
> elf_backend_extern_protected_data.
>
> ld/testsuite/
>
> PR ld/pr15228
> PR ld/pr17709
> * ld-i386/i386.exp (i386tests): Add a test for PR ld/17709.
> * ld-i386/pr17709-nacl.rd: New file.
> * ld-i386/pr17709.rd: Likewise.
> * ld-i386/pr17709a.s: Likewise.
> * ld-i386/pr17709b.s: Likewise.
> * ld-i386/protected3.d: Updated.
> * ld-i386/protected3.s: Likewise.
> * ld-x86-64/pr17709-nacl.rd: New file.
> * ld-x86-64/pr17709.rd: Likewise.
> * ld-x86-64/pr17709a.s: Likewise.
> * ld-x86-64/pr17709b.s: Likewise.
> * ld-x86-64/protected3.d: Updated.
> * ld-x86-64/protected3.s: Likewise.
> * ld-x86-64/x86-64.exp (x86_64tests): Add a test for PR ld/17709.

I back ported it to 2.25 branch.

-- 
H.J.

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[H.J. Lu]

On Thu, Mar 5, 2015 at 9:32 AM, Rich Felker <dalias@libc.org> wrote:
> On Thu, Mar 05, 2015 at 06:39:10AM -0800, H.J. Lu wrote:
>> On Wed, Mar 4, 2015 at 3:26 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
>> > Protected symbol means that it can't be pre-emptied.  It
>> > doesn't mean its address won't be external.  This is true
>> > for pointer to protected function.  With copy relocation,
>> > address of protected data defined in the shared library may
>> > also be external.  We only know that for sure at run-time.
>> > Here are patches for glibc, binutils and GCC to handle it
>> > properly.
>> >
>> > Any comments?
>>
>> This is the binutils patch I checked in.  It basically reverted
>> the change for
>>
>> https://sourceware.org/bugzilla/show_bug.cgi?id=15228
>>
>> on x86.  Copy relocations against protected symbols should
>> work.
>
> Does it actually work now though? Last I checked gcc was generating
> wrong code too -- GOT-relative accesses rather than accessing them
> through the GOT. If that's the case, ld has no way to fix the problem.
>

You need to apply both my GCC and glibc patches in

https://gcc.gnu.org/ml/gcc-patches/2015-03/msg00257.html

-- 
H.J.

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[Rich Felker]

On Thu, Mar 05, 2015 at 06:39:10AM -0800, H.J. Lu wrote:
> On Wed, Mar 4, 2015 at 3:26 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
> > Protected symbol means that it can't be pre-emptied.  It
> > doesn't mean its address won't be external.  This is true
> > for pointer to protected function.  With copy relocation,
> > address of protected data defined in the shared library may
> > also be external.  We only know that for sure at run-time.
> > Here are patches for glibc, binutils and GCC to handle it
> > properly.
> >
> > Any comments?
> 
> This is the binutils patch I checked in.  It basically reverted
> the change for
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=15228
> 
> on x86.  Copy relocations against protected symbols should
> work.

Does it actually work now though? Last I checked gcc was generating
wrong code too -- GOT-relative accesses rather than accessing them
through the GOT. If that's the case, ld has no way to fix the problem.

Rich

Re: RFC: PATCHES: Properly handle reference to protected data on x86

[H.J. Lu]

[-- Attachment #1: Type: text/plain, Size: 1894 bytes --]

On Wed, Mar 4, 2015 at 3:26 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
> Protected symbol means that it can't be pre-emptied.  It
> doesn't mean its address won't be external.  This is true
> for pointer to protected function.  With copy relocation,
> address of protected data defined in the shared library may
> also be external.  We only know that for sure at run-time.
> Here are patches for glibc, binutils and GCC to handle it
> properly.
>
> Any comments?

This is the binutils patch I checked in.  It basically reverted
the change for

https://sourceware.org/bugzilla/show_bug.cgi?id=15228

on x86.  Copy relocations against protected symbols should
work.

-- 
H.J.
---
bfd/

PR ld/pr15228
PR ld/pr17709
* elf-bfd.h (elf_backend_data): Add extern_protected_data.
* elf32-i386.c (elf_backend_extern_protected_data): New.
Defined to 1.
* elf64-x86-64.c (elf_backend_extern_protected_data): Likewise.
* elflink.c (_bfd_elf_adjust_dynamic_copy): Don't error on
copy relocs against protected symbols if extern_protected_data
is true.
(_bfd_elf_symbol_refs_local_p): Don't return true on protected
non-function symbols if extern_protected_data is true.
* elfxx-target.h (elf_backend_extern_protected_data): New.
Default to 0.
(elfNN_bed): Initialize extern_protected_data with
elf_backend_extern_protected_data.

ld/testsuite/

PR ld/pr15228
PR ld/pr17709
* ld-i386/i386.exp (i386tests): Add a test for PR ld/17709.
* ld-i386/pr17709-nacl.rd: New file.
* ld-i386/pr17709.rd: Likewise.
* ld-i386/pr17709a.s: Likewise.
* ld-i386/pr17709b.s: Likewise.
* ld-i386/protected3.d: Updated.
* ld-i386/protected3.s: Likewise.
* ld-x86-64/pr17709-nacl.rd: New file.
* ld-x86-64/pr17709.rd: Likewise.
* ld-x86-64/pr17709a.s: Likewise.
* ld-x86-64/pr17709b.s: Likewise.
* ld-x86-64/protected3.d: Updated.
* ld-x86-64/protected3.s: Likewise.
* ld-x86-64/x86-64.exp (x86_64tests): Add a test for PR ld/17709.

[-- Attachment #2: 0001-Add-extern_protected_data-and-set-it-for-x86.patch --]
[-- Type: text/x-patch, Size: 14270 bytes --]

From ca3fe95e469b9daec153caa2c90665f5daaec2b5 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Thu, 5 Mar 2015 06:34:39 -0800
Subject: [PATCH] Add extern_protected_data and set it for x86

With copy relocation, address of protected data defined in the shared
library may be external.  This patch adds extern_protected_data and
changes _bfd_elf_symbol_refs_local_p to return false for protected data
if extern_protected_data is true.

bfd/

	PR ld/pr15228
	PR ld/pr17709
	* elf-bfd.h (elf_backend_data): Add extern_protected_data.
	* elf32-i386.c (elf_backend_extern_protected_data): New.
	Defined to 1.
	* elf64-x86-64.c (elf_backend_extern_protected_data): Likewise.
	* elflink.c (_bfd_elf_adjust_dynamic_copy): Don't error on
	copy relocs against protected symbols if extern_protected_data
	is true.
	(_bfd_elf_symbol_refs_local_p): Don't return true on protected
	non-function symbols if extern_protected_data is true.
	* elfxx-target.h (elf_backend_extern_protected_data): New.
	Default to 0.
	(elfNN_bed): Initialize extern_protected_data with
	elf_backend_extern_protected_data.

ld/testsuite/

	PR ld/pr15228
	PR ld/pr17709
	* ld-i386/i386.exp (i386tests): Add a test for PR ld/17709.
	* ld-i386/pr17709-nacl.rd: New file.
	* ld-i386/pr17709.rd: Likewise.
	* ld-i386/pr17709a.s: Likewise.
	* ld-i386/pr17709b.s: Likewise.
	* ld-i386/protected3.d: Updated.
	* ld-i386/protected3.s: Likewise.
	* ld-x86-64/pr17709-nacl.rd: New file.
	* ld-x86-64/pr17709.rd: Likewise.
	* ld-x86-64/pr17709a.s: Likewise.
	* ld-x86-64/pr17709b.s: Likewise.
	* ld-x86-64/protected3.d: Updated.
	* ld-x86-64/protected3.s: Likewise.
	* ld-x86-64/x86-64.exp (x86_64tests): Add a test for PR ld/17709.
---
 bfd/ChangeLog                          | 18 ++++++++++++++++++
 bfd/elf-bfd.h                          |  4 ++++
 bfd/elf32-i386.c                       |  1 +
 bfd/elf64-x86-64.c                     |  1 +
 bfd/elflink.c                          |  9 ++++++---
 bfd/elfxx-target.h                     |  6 +++++-
 ld/testsuite/ChangeLog                 | 19 +++++++++++++++++++
 ld/testsuite/ld-i386/i386.exp          |  4 ++++
 ld/testsuite/ld-i386/pr17709-nacl.rd   |  4 ++++
 ld/testsuite/ld-i386/pr17709.rd        |  4 ++++
 ld/testsuite/ld-i386/pr17709a.s        |  8 ++++++++
 ld/testsuite/ld-i386/pr17709b.s        |  5 +++++
 ld/testsuite/ld-i386/protected3.d      |  3 ++-
 ld/testsuite/ld-i386/protected3.s      |  3 ++-
 ld/testsuite/ld-x86-64/pr17709-nacl.rd |  4 ++++
 ld/testsuite/ld-x86-64/pr17709.rd      |  4 ++++
 ld/testsuite/ld-x86-64/pr17709a.s      |  8 ++++++++
 ld/testsuite/ld-x86-64/pr17709b.s      |  5 +++++
 ld/testsuite/ld-x86-64/protected3.d    |  3 ++-
 ld/testsuite/ld-x86-64/protected3.s    |  3 ++-
 ld/testsuite/ld-x86-64/x86-64.exp      |  4 ++++
 21 files changed, 112 insertions(+), 8 deletions(-)
 create mode 100644 ld/testsuite/ld-i386/pr17709-nacl.rd
 create mode 100644 ld/testsuite/ld-i386/pr17709.rd
 create mode 100644 ld/testsuite/ld-i386/pr17709a.s
 create mode 100644 ld/testsuite/ld-i386/pr17709b.s
 create mode 100644 ld/testsuite/ld-x86-64/pr17709-nacl.rd
 create mode 100644 ld/testsuite/ld-x86-64/pr17709.rd
 create mode 100644 ld/testsuite/ld-x86-64/pr17709a.s
 create mode 100644 ld/testsuite/ld-x86-64/pr17709b.s

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 3f8cc86..f29dec5 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,21 @@
+2015-03-05  H.J. Lu  <hongjiu.lu@intel.com>
+
+	PR ld/pr15228
+	PR ld/pr17709
+	* elf-bfd.h (elf_backend_data): Add extern_protected_data.
+	* elf32-i386.c (elf_backend_extern_protected_data): New.
+	Defined to 1.
+	* elf64-x86-64.c (elf_backend_extern_protected_data): Likewise.
+	* elflink.c (_bfd_elf_adjust_dynamic_copy): Don't error on
+	copy relocs against protected symbols if extern_protected_data
+	is true.
+	(_bfd_elf_symbol_refs_local_p): Don't return true on protected
+	non-function symbols if extern_protected_data is true.
+	* elfxx-target.h (elf_backend_extern_protected_data): New.
+	Default to 0.
+	(elfNN_bed): Initialize extern_protected_data with
+	elf_backend_extern_protected_data.
+
 2015-03-05  Nick Clifton  <nickc@redhat.com>
 
 	PR binutils/18025
diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h
index 156eec7..13c32e0 100644
--- a/bfd/elf-bfd.h
+++ b/bfd/elf-bfd.h
@@ -1359,6 +1359,10 @@ struct elf_backend_data
      in length rather than sec->size in length, if sec->rawsize is
      non-zero and smaller than sec->size.  */
   unsigned caches_rawsize : 1;
+
+  /* Address of protected data defined in the shared library may be
+     external, i.e., due to copy relocation.   */
+  unsigned extern_protected_data : 1;
 };
 
 /* Information about reloc sections associated with a bfd_elf_section_data
diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
index 3f16fc1..52f4d33 100644
--- a/bfd/elf32-i386.c
+++ b/bfd/elf32-i386.c
@@ -5292,6 +5292,7 @@ elf_i386_add_symbol_hook (bfd * abfd,
 #define elf_backend_want_plt_sym	0
 #define elf_backend_got_header_size	12
 #define elf_backend_plt_alignment	4
+#define elf_backend_extern_protected_data 1
 
 /* Support RELA for objdump of prelink objects.  */
 #define elf_info_to_howto		      elf_i386_info_to_howto_rel
diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index a4974ce..74d1d06 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -5868,6 +5868,7 @@ static const struct bfd_elf_special_section
 #define elf_backend_got_header_size	    (GOT_ENTRY_SIZE*3)
 #define elf_backend_rela_normal		    1
 #define elf_backend_plt_alignment           4
+#define elf_backend_extern_protected_data   1
 
 #define elf_info_to_howto		    elf_x86_64_info_to_howto
 
diff --git a/bfd/elflink.c b/bfd/elflink.c
index ec1e4df..6ee6499 100644
--- a/bfd/elflink.c
+++ b/bfd/elflink.c
@@ -2671,7 +2671,9 @@ _bfd_elf_adjust_dynamic_copy (struct bfd_link_info *info,
   /* Increment the size of DYNBSS to make room for the symbol.  */
   dynbss->size += h->size;
 
-  if (h->protected_def)
+  /* No error if extern_protected_data is true.  */
+  if (h->protected_def
+      && !get_elf_backend_data (dynbss->owner)->extern_protected_data)
     {
       info->callbacks->einfo
 	(_("%P: copy reloc against protected `%T' is invalid\n"),
@@ -2835,8 +2837,9 @@ _bfd_elf_symbol_refs_local_p (struct elf_link_hash_entry *h,
 
   bed = get_elf_backend_data (hash_table->dynobj);
 
-  /* STV_PROTECTED non-function symbols are local.  */
-  if (!bed->is_function_type (h->type))
+  /* If extern_protected_data is false, STV_PROTECTED non-function
+     symbols are local.  */
+  if (!bed->extern_protected_data && !bed->is_function_type (h->type))
     return TRUE;
 
   /* Function pointer equality tests may require that STV_PROTECTED
diff --git a/bfd/elfxx-target.h b/bfd/elfxx-target.h
index 211c0a1..9760db4 100644
--- a/bfd/elfxx-target.h
+++ b/bfd/elfxx-target.h
@@ -117,6 +117,9 @@
 #ifndef elf_backend_caches_rawsize
 #define elf_backend_caches_rawsize 0
 #endif
+#ifndef elf_backend_extern_protected_data
+#define elf_backend_extern_protected_data 0
+#endif
 #ifndef elf_backend_stack_align
 #define elf_backend_stack_align 16
 #endif
@@ -801,7 +804,8 @@ static struct elf_backend_data elfNN_bed =
   elf_backend_want_dynbss,
   elf_backend_want_p_paddr_set_to_zero,
   elf_backend_default_execstack,
-  elf_backend_caches_rawsize
+  elf_backend_caches_rawsize,
+  elf_backend_extern_protected_data
 };
 
 /* Forward declaration for use when initialising alternative_target field.  */
diff --git a/ld/testsuite/ChangeLog b/ld/testsuite/ChangeLog
index acd6d81..b7defad 100644
--- a/ld/testsuite/ChangeLog
+++ b/ld/testsuite/ChangeLog
@@ -1,3 +1,22 @@
+2015-03-05  H.J. Lu  <hongjiu.lu@intel.com>
+
+	PR ld/pr15228
+	PR ld/pr17709
+	* ld-i386/i386.exp (i386tests): Add a test for PR ld/17709.
+	* ld-i386/pr17709-nacl.rd: New file.
+	* ld-i386/pr17709.rd: Likewise.
+	* ld-i386/pr17709a.s: Likewise.
+	* ld-i386/pr17709b.s: Likewise.
+	* ld-i386/protected3.d: Updated.
+	* ld-i386/protected3.s: Likewise.
+	* ld-x86-64/pr17709-nacl.rd: New file.
+	* ld-x86-64/pr17709.rd: Likewise.
+	* ld-x86-64/pr17709a.s: Likewise.
+	* ld-x86-64/pr17709b.s: Likewise.
+	* ld-x86-64/protected3.d: Updated.
+	* ld-x86-64/protected3.s: Likewise.
+	* ld-x86-64/x86-64.exp (x86_64tests): Add a test for PR ld/17709.
+
 2015-03-04  Richard Sandiford  <richard.sandiford@arm.com>
 
 	PR gas/17843
diff --git a/ld/testsuite/ld-i386/i386.exp b/ld/testsuite/ld-i386/i386.exp
index 4fc2359..3fdd39c 100644
--- a/ld/testsuite/ld-i386/i386.exp
+++ b/ld/testsuite/ld-i386/i386.exp
@@ -191,6 +191,10 @@ set i386tests {
      "--32" {pr17306b.s} {} ""}
     {"PR ld/17306 (2)" "-melf_i386 -shared -Bsymbolic --just-symbols=tmpdir/pr17306b.o" ""
      "--32" {pr17306a.s} {} "libpr17306.so"}
+    {"PR ld/17709 (1)" "-melf_i386 -shared" ""
+     "--32" {pr17709a.s} {} "libpr17709.so"}
+    {"PR ld/17709 (2)" "-melf_i386 tmpdir/libpr17709.so" ""
+     "--32" {pr17709b.s} {{readelf -r pr17709.rd}} "pr17709"}
 }
 
 # So as to avoid rewriting every last test case here in a nacl variant,
diff --git a/ld/testsuite/ld-i386/pr17709-nacl.rd b/ld/testsuite/ld-i386/pr17709-nacl.rd
new file mode 100644
index 0000000..ac9d174
--- /dev/null
+++ b/ld/testsuite/ld-i386/pr17709-nacl.rd
@@ -0,0 +1,4 @@
+
+Relocation section '.rel\..*' at offset .* contains 1 entries:
+ Offset     Info    Type            Sym\.Value  Sym\. Name
+[0-9a-f ]+R_386_COPY +[0-9a-f]+ +foo
diff --git a/ld/testsuite/ld-i386/pr17709.rd b/ld/testsuite/ld-i386/pr17709.rd
new file mode 100644
index 0000000..ac9d174
--- /dev/null
+++ b/ld/testsuite/ld-i386/pr17709.rd
@@ -0,0 +1,4 @@
+
+Relocation section '.rel\..*' at offset .* contains 1 entries:
+ Offset     Info    Type            Sym\.Value  Sym\. Name
+[0-9a-f ]+R_386_COPY +[0-9a-f]+ +foo
diff --git a/ld/testsuite/ld-i386/pr17709a.s b/ld/testsuite/ld-i386/pr17709a.s
new file mode 100644
index 0000000..8750f5e
--- /dev/null
+++ b/ld/testsuite/ld-i386/pr17709a.s
@@ -0,0 +1,8 @@
+	.protected	foo
+.globl foo
+	.data
+	.align 4
+	.type	foo, @object
+	.size	foo, 4
+foo:
+	.long	1
diff --git a/ld/testsuite/ld-i386/pr17709b.s b/ld/testsuite/ld-i386/pr17709b.s
new file mode 100644
index 0000000..c57f404
--- /dev/null
+++ b/ld/testsuite/ld-i386/pr17709b.s
@@ -0,0 +1,5 @@
+	.text
+	.globl	_start
+	.type	_start, @function
+_start:
+	movl	foo, %eax
diff --git a/ld/testsuite/ld-i386/protected3.d b/ld/testsuite/ld-i386/protected3.d
index aafa2d8..47ab4e1 100644
--- a/ld/testsuite/ld-i386/protected3.d
+++ b/ld/testsuite/ld-i386/protected3.d
@@ -8,6 +8,7 @@
 Disassembly of section .text:
 
 0+[a-f0-9]+ <bar>:
-[ 	]*[a-f0-9]+:	8b 81 [a-f0-9][a-f0-9] [a-f0-9][a-f0-9] 00 00    	mov    0x[a-f0-9]+\(%ecx\),%eax
+[ 	]*[a-f0-9]+:	8b 81 [a-f0-9][a-f0-9] [a-f0-9][a-f0-9] ff ff    	mov    -0x[a-f0-9]+\(%ecx\),%eax
+[ 	]*[a-f0-9]+:	8b 00                	mov    \(%eax\),%eax
 [ 	]*[a-f0-9]+:	c3                   	ret    
 #pass
diff --git a/ld/testsuite/ld-i386/protected3.s b/ld/testsuite/ld-i386/protected3.s
index 7a605a2..4dd2115 100644
--- a/ld/testsuite/ld-i386/protected3.s
+++ b/ld/testsuite/ld-i386/protected3.s
@@ -10,6 +10,7 @@ foo:
 .globl bar
 	.type	bar, @function
 bar:
-	movl	foo@GOTOFF(%ecx), %eax
+	movl	foo@GOT(%ecx), %eax
+	movl	(%eax), %eax
 	ret
 	.size	bar, .-bar
diff --git a/ld/testsuite/ld-x86-64/pr17709-nacl.rd b/ld/testsuite/ld-x86-64/pr17709-nacl.rd
new file mode 100644
index 0000000..f1baa38
--- /dev/null
+++ b/ld/testsuite/ld-x86-64/pr17709-nacl.rd
@@ -0,0 +1,4 @@
+
+Relocation section '.rela\..*' at offset .* contains 1 entries:
+ +Offset +Info +Type +Symbol's Value +Symbol's Name \+ Addend
+[0-9a-f ]+R_X86_64_COPY+[0-9a-f ]+ +foo \+ 0
diff --git a/ld/testsuite/ld-x86-64/pr17709.rd b/ld/testsuite/ld-x86-64/pr17709.rd
new file mode 100644
index 0000000..f1baa38
--- /dev/null
+++ b/ld/testsuite/ld-x86-64/pr17709.rd
@@ -0,0 +1,4 @@
+
+Relocation section '.rela\..*' at offset .* contains 1 entries:
+ +Offset +Info +Type +Symbol's Value +Symbol's Name \+ Addend
+[0-9a-f ]+R_X86_64_COPY+[0-9a-f ]+ +foo \+ 0
diff --git a/ld/testsuite/ld-x86-64/pr17709a.s b/ld/testsuite/ld-x86-64/pr17709a.s
new file mode 100644
index 0000000..8750f5e
--- /dev/null
+++ b/ld/testsuite/ld-x86-64/pr17709a.s
@@ -0,0 +1,8 @@
+	.protected	foo
+.globl foo
+	.data
+	.align 4
+	.type	foo, @object
+	.size	foo, 4
+foo:
+	.long	1
diff --git a/ld/testsuite/ld-x86-64/pr17709b.s b/ld/testsuite/ld-x86-64/pr17709b.s
new file mode 100644
index 0000000..c57f404
--- /dev/null
+++ b/ld/testsuite/ld-x86-64/pr17709b.s
@@ -0,0 +1,5 @@
+	.text
+	.globl	_start
+	.type	_start, @function
+_start:
+	movl	foo, %eax
diff --git a/ld/testsuite/ld-x86-64/protected3.d b/ld/testsuite/ld-x86-64/protected3.d
index 22a36ac..d8f09da 100644
--- a/ld/testsuite/ld-x86-64/protected3.d
+++ b/ld/testsuite/ld-x86-64/protected3.d
@@ -8,6 +8,7 @@
 Disassembly of section .text:
 
 0+[a-f0-9]+ <bar>:
-[ 	]*[a-f0-9]+:	8b 05 ([0-9a-f]{2} ){4} *	mov    0x[a-f0-9]+\(%rip\),%eax        # [a-f0-9]+ <foo>
+[ 	]*[a-f0-9]+:	48 8b 05 ([0-9a-f]{2} ){4} *	mov    0x[a-f0-9]+\(%rip\),%rax        # [a-f0-9]+ <_DYNAMIC\+0x[a-f0-9]+>
+[ 	]*[a-f0-9]+:	8b 00                	mov    \(%rax\),%eax
 [ 	]*[a-f0-9]+:	c3                   	retq *
 #pass
diff --git a/ld/testsuite/ld-x86-64/protected3.s b/ld/testsuite/ld-x86-64/protected3.s
index e4af6e7..7538050 100644
--- a/ld/testsuite/ld-x86-64/protected3.s
+++ b/ld/testsuite/ld-x86-64/protected3.s
@@ -10,6 +10,7 @@ foo:
 .globl bar
 	.type	bar, @function
 bar:
-	movl	foo(%rip), %eax
+	movq	foo@GOTPCREL(%rip), %rax
+	movl	(%rax), %eax
 	ret
 	.size	bar, .-bar
diff --git a/ld/testsuite/ld-x86-64/x86-64.exp b/ld/testsuite/ld-x86-64/x86-64.exp
index 9bb08bd..43427be 100644
--- a/ld/testsuite/ld-x86-64/x86-64.exp
+++ b/ld/testsuite/ld-x86-64/x86-64.exp
@@ -144,6 +144,10 @@ set x86_64tests {
      "--64" {pr17306b.s} {} ""}
     {"PR ld/17306 (2)" "-melf_x86_64 -shared -Bsymbolic --just-symbols=tmpdir/pr17306b.o" ""
      "--64" {pr17306a.s} {} "libpr17306.so"}
+    {"PR ld/17709 (1)" "-melf_x86_64 -shared" ""
+     "--64" {pr17709a.s} {} "libpr17709.so"}
+    {"PR ld/17709 (2)" "-melf_x86_64 tmpdir/libpr17709.so" ""
+     "--64" {pr17709b.s} {{readelf -rW pr17709.rd}} "pr17709"}
 }
 
 # So as to avoid rewriting every last test case here in a nacl variant,
-- 
2.1.0