[ports/core-arm.git] / glibc / glibc-2.27-3.patch

diff --git a/ChangeLog b/ChangeLog
index f3fe2716b2..2f1e82b61c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,644 @@
+2018-11-27  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23927]
+	CVE-2018-19591
+	* sysdeps/unix/sysv/linux/if_index.c (__if_nametoindex): Avoid
+	descriptor leak in case of ENODEV error.
+
+2018-11-08  Alexandra Hájková  <ahajkova@redhat.com>
+
+	[BZ #17630]
+	* resolv/tst-resolv-network.c: Add test for getnetbyname.
+
+2018-11-05  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #22927]
+	* resolv/gai_misc.c (__gai_enqueue_request): Don't crash if
+	creating the first helper thread failed.
+
+2018-10-23  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+	[BZ #23709]
+	* sysdeps/x86/cpu-features.c (init_cpu_features): Set TSX bits
+	independently of other flags.
+
+2018-10-26  Szabolcs Nagy  <szabolcs.nagy@arm.com>
+
+	[BZ #23822]
+	* sysdeps/ia64/fpu/e_exp2f.S (exp2f): Use WEAK_LIBM_ENTRY.
+	* sysdeps/ia64/fpu/e_log2f.S (log2f): Likewise.
+	* sysdeps/ia64/fpu/e_exp2f.S (powf): Likewise.
+
+2018-10-25  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23562]
+	[BZ #23821]
+	XFAIL siginfo_t si_band conform test on sparc64.
+	* sysdeps/unix/sysv/linux/sparc/bits/siginfo-arch.h
+	(__SI_BAND_TYPE): Only override long int default type on sparc64.
+	* sysdeps/unix/sysv/linux/sparc/sparc64/Makefile
+	(conformtest-xfail-conds): Add sparc64-linux.
+	* conform/data/signal.h-data (siginfo_t): XFAIL si_band test on
+	sparc64.
+	* conform/data/sys/wait.h-data (siginfo_t): Likewise.
+
+2018-10-19  Ilya Yu. Malakhov  <malakhov@mcst.ru>
+
+	[BZ #23562]
+	* sysdeps/unix/sysv/linux/bits/types/siginfo_t.h
+	(struct siginfo_t): Use correct type for si_band.
+
+2018-10-17  Stefan Liebler  <stli@linux.ibm.com>
+
+	[BZ #23275]
+	* nptl/tst-mutex10.c: New File.
+	* nptl/Makefile (tests): Add tst-mutex10.
+	(tst-mutex10-ENV): New variable.
+	* sysdeps/unix/sysv/linux/s390/force-elision.h: (FORCE_ELISION):
+	Ensure that elision path is used if elision is available.
+	* sysdeps/unix/sysv/linux/powerpc/force-elision.h (FORCE_ELISION):
+	Likewise.
+	* sysdeps/unix/sysv/linux/x86/force-elision.h: (FORCE_ELISION):
+	Likewise.
+	* nptl/pthreadP.h (PTHREAD_MUTEX_TYPE, PTHREAD_MUTEX_TYPE_ELISION)
+	(PTHREAD_MUTEX_PSHARED): Use atomic_load_relaxed.
+	* nptl/pthread_mutex_consistent.c (pthread_mutex_consistent): Likewise.
+	* nptl/pthread_mutex_getprioceiling.c (pthread_mutex_getprioceiling):
+	Likewise.
+	* nptl/pthread_mutex_lock.c (__pthread_mutex_lock_full)
+	(__pthread_mutex_cond_lock_adjust): Likewise.
+	* nptl/pthread_mutex_setprioceiling.c (pthread_mutex_setprioceiling):
+	Likewise.
+	* nptl/pthread_mutex_timedlock.c (__pthread_mutex_timedlock): Likewise.
+	* nptl/pthread_mutex_trylock.c (__pthread_mutex_trylock): Likewise.
+	* nptl/pthread_mutex_unlock.c (__pthread_mutex_unlock_full): Likewise.
+	* sysdeps/nptl/bits/thread-shared-types.h (struct __pthread_mutex_s):
+	Add comments.
+	* nptl/pthread_mutex_destroy.c (__pthread_mutex_destroy):
+	Use atomic_load_relaxed and atomic_store_relaxed.
+	* nptl/pthread_mutex_init.c (__pthread_mutex_init):
+	Use atomic_store_relaxed.
+
+2018-09-28  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+	[BZ #23579]
+	* misc/tst-preadvwritev2-common.c (do_test_with_invalid_fd,
+	do_test_with_invalid_iov): New tests.
+	* misc/tst-preadvwritev2.c, misc/tst-preadvwritev64v2.c (do_test):
+	Call do_test_with_invalid_fd and do_test_with_invalid_iov.
+	* sysdeps/unix/sysv/linux/preadv2.c (preadv2): Use fallback code iff
+	errno is ENOSYS.
+	* sysdeps/unix/sysv/linux/preadv64v2.c (preadv64v2): Likewise.
+	* sysdeps/unix/sysv/linux/pwritev2.c (pwritev2): Likewise.
+	* sysdeps/unix/sysv/linux/pwritev64v2.c (pwritev64v2): Likewise.
+	* NEWS: Add bug fixed.
+
+2018-09-28  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #22753]
+	* sysdeps/posix/preadv2.c (preadv2): Handle offset == -1.
+	* sysdeps/posix/preadv64v2.c (preadv64v2): Likewise.
+	* sysdeps/posix/pwritev2.c (pwritev2): Likewise.
+	* sysdeps/posix/pwritev64v2.c (pwritev64v2): Likweise.
+	* sysdeps/unix/sysv/linux/preadv2.c (preadv2): Likewise.
+	* sysdeps/unix/sysv/linux/preadv64v2.c (preadv64v2): Likewise.
+	* sysdeps/unix/sysv/linux/pwritev2.c (pwritev2): Likewise.
+	* sysdeps/unix/sysv/linux/pwritev64v2.c (pwritev64v2): Likweise.
+	* manual/llio.texi (Scatter-Gather): Mention offset -1.
+	* misc/tst-preadvwritev-common.c (do_test_without_offset): New.
+	* misc/tst-preadvwritev2.c (do_test): Call it.
+	* misc/tst-preadvwritev64v2.c (do_test): Likewise.
+	* NEWS: Add bug fixed.
+
+2018-09-06  Stefan Liebler  <stli@linux.ibm.com>
+
+	* sysdeps/unix/sysv/linux/spawni.c (maybe_script_execute):
+	Increment size of new_argv by one.
+
+2018-08-27 Martin Kuchta  <martin.kuchta@netapp.com>
+	   Torvald Riegel  <triegel@redhat.com>
+
+	[BZ #23538]
+	* nptl/pthread_cond_common.c (__condvar_quiesce_and_switch_g1):
+	Update r to include the set wake-request flag if waiters are
+	remaining after spinning.
+
+2018-07-29  H.J. Lu  <hongjiu.lu@intel.com>
+
+	[BZ #23459]
+	* sysdeps/x86/cpu-features.c (get_extended_indices): New
+	function.
+	(init_cpu_features): Call get_extended_indices for both Intel
+	and AMD CPUs.
+	* sysdeps/x86/cpu-features.h (COMMON_CPUID_INDEX_80000001):
+	Remove "for AMD" comment.
+
+2018-07-29  H.J. Lu  <hongjiu.lu@intel.com>
+
+	[BZ #23456]
+	* sysdeps/x86/cpu-features.h (index_cpu_LZCNT): Set to
+	COMMON_CPUID_INDEX_80000001.
+
+2018-07-10  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23036]
+	* posix/regexec.c (check_node_accept_bytes): When comparing
+	weights, do not compare an extra byte after the end of the
+	weights.
+
+2018-06-29  Sylvain Lesage  <severo@rednegra.net>
+
+	[BZ #22996]
+	* localedata/locales/es_BO (LC_PAPER): Change to “copy "en_US"”.
+
+2018-07-06  Florian Weimer  <fweimer@redhat.com>
+
+	* conform/conformtest.pl (checknamespace): Escape literal braces
+	in regular expressions.
+
+2018-06-21  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23253]
+	* sysdeps/generic/math_private.h (default_libc_feholdsetround_ctx):
+	Renamed from libc_feholdsetround_ctx.
+	(default_libc_feresetround_ctx): Renamed from
+	libc_feresetround_ctx.
+	(default_libc_feholdsetround_noex_ctx): Renamed from
+	libc_feholdsetround_noex_ctx.
+	(default_libc_feresetround_noex_ctx): Renamed from
+	libc_feresetround_noex_ctx.
+	[!HAVE_RM_CTX] (libc_feholdsetround_ctx, libc_feresetround_ctx)
+	(libc_feholdsetround_noex_ctx, libc_feresetround_noex_ctx): Macros
+	forwardning to the old implementations under the new names.
+	* sysdeps/i386/fpu/fenv_private.h [__SSE_MATH__]
+	(libc_feholdexcept_setround_ctx, libc_fesetenv_ctx)
+	(libc_feupdateenv_ctx, libc_feholdsetround_ctx)
+	(libc_feresetround_ctx): Forward to default implements for i386
+	and MATH_SET_BOTH_ROUNDING_MODES.
+	* sysdeps/i386/Makefile [$(subdir) == math] (CFLAGS-e_gamma_r.c):
+	Add -DMATH_SET_BOTH_ROUNDING_MODES.
+
+2018-07-03  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23363]
+	* stdio-common/tst-printf.c (DEC, INT, UNS, fp_test): Remove.
+	* stdio-common/tst-printf.sh: Adjust expected output.
+	* LICENSES: Update.
+
+2018-06-26  Florian Weimer  <fweimer@redhat.com>
+
+	* libio/Makefile (tests-internal): Add tst-vtables,
+	tst-vtables-interposed.
+	* libio/tst-vtables.c: New file.
+	* libio/tst-vtables-common.c: Likewise.
+	* libio/tst-vtables-interposed.c: Likewise.
+
+2018-06-26  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23313]
+	* libio/vtables.c (check_stdfiles_vtables): New ELF constructor.
+
+2018-06-29  Daniel Alvarez  <dalvarez@redhat.com>
+	    Jakub Sitnicki  <jkbs@redhat.com>
+
+	[BZ #21812]
+	* sysdeps/unix/sysv/linux/ifaddrs.c (getifaddrs_internal): Retry
+	on NLM_F_DUMP_INTR.
+
+2018-06-28  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23349]
+	* time/bits/types/struct_timespec.h: Change header inclusion guard to
+	_STRUCT_TIMESPEC.
+
+2018-05-24  Gabriel F. T. Gomes  <gabriel@inconstante.eti.br>
+
+	[BZ #23171]
+	* math/math.h [C++] (iseqsig): Fix parameter type for the long
+	double version.
+
+2018-06-12  Carlos O'Donell  <carlos@redhat.com>
+	    Andreas Schwab  <schwab@suse.de>
+	    Dmitry V. Levin  <ldv@altlinux.org>
+	    Florian Weimer <fweimer@redhat.com>
+
+	[BZ #23102]
+	[BZ #21942]
+	[BZ #18018]
+	[BZ #23259]
+	CVE-2011-0536
+	* elf/dl-dst.h: Remove DL_DST_COUNT.
+	* elf/dl-deps.c (expand_dst): Call _dl_dst_count.
+	* elf/dl-load.c (is_trusted_path_normalize): Don't handle colons.
+	(is_dst): Comment.  Support ELF gABI.
+	(_dl_dst_count): Comment.  Simplify and count DSTs.
+	(_dl_dst_substitute): Comment.  Support __libc_enable_secure handling.
+	(expand_dybamic_string_token): Comment. Call _dl_dst_count. Rename
+	locals.
+
+2018-06-12  Florian Weimer  <fweimer@redhat.com>
+
+	x86: Make strncmp usable from rtld.
+	* sysdeps/i386/i686/multiarch/strncmp-c.c: Only rename strncmp to
+	__strncmp_ia32 if in libc (and not in rtld).
+	* sysdeps/x86_64/multiarch/strncmp-sse2.S: Rename strcmp to
+	strncmp if not in libc (and not to __strncmp_sse2).
+
+2018-06-01  Florian Weimer  <fweimer@redhat.com>
+
+	* sysdeps/i386/i686/fpu/multiarch/libm-test-ulps: Update from master
+	branch, commit e02c026f38505cd474ff1bdaa88fc671804f5805.
+	* sysdeps/i386/fpu/libm-test-ulps: Likewise.
+
+2018-06-08  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+	[BZ #23264]
+	* include/unistd.h (__execvpex): New prototype.
+	* posix/Makefile (tests): Add tst-spawn4.
+	(tests-internal): Add tst-spawn4-compat.
+	* posix/execvpe.c (__execvpe_common, __execvpex): New functions.
+	* posix/tst-spawn4-compat.c: New file.
+	* posix/tst-spawn4.c: Likewise.
+	* sysdeps/unix/sysv/linux/spawni.c (__spawni): Do not interpret invalid
+	binaries as shell scripts.
+	* sysdeps/posix/spawni.c (__spawni): Likewise.
+	* NEWS: Add BZ#22264.
+
+2018-06-01  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23236]
+	* libio/strfile.h (struct _IO_str_fields): Rename members to
+	discourage their use and add comment.
+	(_IO_STR_DYNAMIC): Remove unused macro.
+	* libio/strops.c (_IO_str_init_static_internal): Do not use
+	callback pointers.  Call malloc and free.
+	(_IO_str_overflow): Do not use callback pointers.  Call malloc
+	and free.
+	(enlarge_userbuf): Likewise.
+	(_IO_str_finish): Call free.
+	* libio/wstrops.c (_IO_wstr_init_static): Initialize
+	_allocate_buffer_unused.
+	(_IO_wstr_overflow): Do not use callback pointers.  Call malloc
+	and free.
+	(enlarge_userbuf): Likewise.
+	(_IO_wstr_finish): Call free.
+	* debug/vasprintf_chk.c (__vasprintf_chk): Initialize
+	_allocate_buffer_unused, _free_buffer_unused.
+	* libio/memstream.c (__open_memstream): Likewise.
+	* libio/vasprintf.c (_IO_vasprintf): Likewise.
+	* libio/wmemstream.c (open_wmemstream): Likewise.
+
+2018-05-23  H.J. Lu  <hongjiu.lu@intel.com>
+
+	[BZ #23196]
+	* string/test-memcpy.c (do_test1): New function.
+	(test_main): Call it.
+
+2018-05-23  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #23196]
+	CVE-2018-11237
+	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+	(L(preloop_large)): Save initial destination pointer in %r11 and
+	use it instead of %rax after the loop.
+	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
+2018-05-11  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23166]
+	* include/rpc/clnt.h (rpc_createerr): Declare hidden alias.
+	* include/rpc/svc.h (svc_pollfd, svc_max_pollfd, svc_fdset):
+	Likewise.
+	* sunrpc/rpc_common.c (svc_fdset, rpc_createerr, svc_pollfd)
+	(svc_max_pollfd): Add nocommon attribute and hidden alias.  Do not
+	export without --enable-obsolete-rpc.
+	* sunrpc/svcauth_des.c (svcauthdes_stats): Turn into compatibility
+	symbol.  This should not have been exported, ever.
+
+2018-05-11  Rafal Luzynski  <digitalfreak@lingonborough.com>
+
+	[BZ #23152]
+	* localedata/locales/gd_GB (abmon): Fix typo in May:
+	"Mhàrt" -> "Cèit".  Adjust the comment according to the change.
+
+2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #22786]
+	CVE-2018-11236
+	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
+	computation.
+	* stdlib/Makefile (test-bz22786): New test.
+	* stdlib/test-bz22786.c: New test.
+
+2018-05-05  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #20419]
+	* elf/dl-load.c (open_verify): Fix stack overflow.
+	* elf/Makefile (tst-big-note): New test.
+	* elf/tst-big-note-lib.S: New.
+	* elf/tst-big-note.c: New.
+
+2018-05-04  Stefan Liebler  <stli@linux.vnet.ibm.com>
+
+	[BZ #23137]
+	* sysdeps/nptl/lowlevellock.h (lll_wait_tid):
+	Use atomic_load_acquire to load __tid.
+
+2018-04-24  Joseph Myers  <joseph@codesourcery.com>
+
+	* sysdeps/unix/sysv/linux/sys/ptrace.h
+	(PTRACE_SECCOMP_GET_METADATA): New enum value and macro.
+	* sysdeps/unix/sysv/linux/bits/ptrace-shared.h
+	(struct __ptrace_seccomp_metadata): New type.
+	* sysdeps/unix/sysv/linux/aarch64/sys/ptrace.h
+	(PTRACE_SECCOMP_GET_METADATA): Likewise.
+	* sysdeps/unix/sysv/linux/arm/sys/ptrace.h
+	(PTRACE_SECCOMP_GET_METADATA): Likewise.
+	* sysdeps/unix/sysv/linux/ia64/sys/ptrace.h
+	(PTRACE_SECCOMP_GET_METADATA): Likewise.
+	* sysdeps/unix/sysv/linux/powerpc/sys/ptrace.h
+	(PTRACE_SECCOMP_GET_METADATA): Likewise.
+	* sysdeps/unix/sysv/linux/s390/sys/ptrace.h
+	(PTRACE_SECCOMP_GET_METADATA): Likewise.
+	* sysdeps/unix/sysv/linux/sparc/sys/ptrace.h
+	(PTRACE_SECCOMP_GET_METADATA): Likewise.
+	* sysdeps/unix/sysv/linux/tile/sys/ptrace.h
+	(PTRACE_SECCOMP_GET_METADATA): Likewise.
+	* sysdeps/unix/sysv/linux/x86/sys/ptrace.h
+	(PTRACE_SECCOMP_GET_METADATA): Likewise.
+
+2018-04-09  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23037]
+	* resolv/res_send.c (send_dg): Use designated initializers instead
+	of assignment to zero-initialize other fields of struct mmsghdr.
+
+2018-04-06  Andreas Schwab  <schwab@linux-m68k.org>
+
+	* manual/charset.texi (Converting a Character): Fix typo.
+
+2018-04-05  Florian Weimer  <fweimer@redhat.com>
+
+	* manual/examples/mbstouwcs.c (mbstouwcs): Fix loop termination,
+	integer overflow, memory leak on error, and indeterminate errno
+	value.  Add a null wide character to terminate the result string.
+	* manual/charset.texi (Converting a Character): Mention embedded
+	null bytes in the mbrtowc input string.  Explain what happens in
+	the -2 result case.  Do not claim that mbrtowc is simple or
+	obvious to use.  Adjust the description of the code example.  Use
+	@code, not @var, for concrete variables.
+
+2018-04-05  Florian Weimer  <fweimer@redhat.com>
+
+	* manual/examples/mbstouwcs.c: New file.
+	* manual/charset.texi (Converting a Character): Include it.
+
+2018-04-03  H.J. Lu  <hongjiu.lu@intel.com>
+
+	[BZ #22947]
+	* bits/uio-ext.h (RWF_APPEND): New.
+	* sysdeps/unix/sysv/linux/bits/uio-ext.h (RWF_APPEND): Likewise.
+	* manual/llio.texi: Document RWF_APPEND.
+	* misc/tst-preadvwritev2-common.c (RWF_APPEND): New.
+	(RWF_SUPPORTED): Add RWF_APPEND.
+
+2018-03-27  Jesse Hathaway  <jesse@mbuki-mvuki.org>
+
+	* sysdeps/unix/sysv/linux/getlogin_r.c (__getlogin_r_loginuid): Return
+	early when linux sentinel value is set.
+
+2018-03-27  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #23005]
+	* resolv/res_send.c (__res_context_send): Return ENOMEM if
+	allocation of private copy of nsaddr_list fails.
+
+2018-03-20  Joseph Myers  <joseph@codesourcery.com>
+
+	[BZ #17343]
+	* stdlib/random_r.c (__random_r): Use unsigned arithmetic for
+	possibly overflowing computations.
+
+2018-04-26  Aurelien Jarno  <aurelien@aurel32.net>
+
+	* signal/tst-sigaction.c: New file to test BZ #23069.
+	* signal/Makefile (tests): Fix indentation. Add tst-sigaction.
+
+2018-04-28  Aurelien Jarno  <aurelien@aurel32.net>
+
+	[BZ #23069]
+	* sysdeps/unix/sysv/linux/riscv/kernel_sigaction.h: New file.
+
+2018-03-29  Florian Weimer  <fweimer@redhat.com>
+
+	* sysdeps/unix/sysv/linux/i386/tst-bz21269.c (do_test): Also
+	capture SIGBUS.
+
+2018-03-23  Andrew Senkevich  <andrew.senkevich@intel.com>
+	    Max Horn  <max@quendi.de>
+
+	[BZ #22644]
+	CVE-2017-18269
+	* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
+	branch conditions.
+	* string/test-memmove.c (do_test2): New testcase.
+
+2018-02-22  Andrew Waterman <andrew@sifive.com>
+
+	[BZ # 22884]
+	* sysdeps/riscv/rvd/s_fmax.c (__fmax): Handle sNaNs correctly.
+	* sysdeps/riscv/rvd/s_fmin.c (__fmin): Likewise.
+	* sysdeps/riscv/rvf/s_fmaxf.c (__fmaxf): Likewise.
+	* sysdeps/riscv/rvf/s_fminf.c (__fminf): Likewise.
+
+2018-02-22  DJ Delorie  <dj@delorie.com>
+
+	* sysdeps/riscv/tls-macros.h: Do not initialize $gp.
+
+2018-03-16  Rafal Luzynski  <digitalfreak@lingonborough.com>
+
+	[BZ #22963]
+	* localedata/locales/cs_CZ (mon): Rename to...
+	(alt_mon): This.
+	(mon): Import from CLDR (genitive case).
+
+2018-03-16  Rafal Luzynski  <digitalfreak@lingonborough.com>
+
+	[BZ #22937]
+	* localedata/locales/el_CY (abmon): Rename to...
+	(ab_alt_mon): This.
+	(abmon): Import from CLDR (abbreviated genitive case).
+	* localedata/locales/el_GR (abmon): Rename to...
+	(ab_alt_mon): This.
+	(abmon): Import from CLDR (abbreviated genitive case).
+
+2018-03-16  Rafal Luzynski  <digitalfreak@lingonborough.com>
+
+	[BZ #22932]
+	* localedata/locales/lt_LT (abmon): Synchronize with CLDR.
+
+2018-03-16  Robert Buj  <robert.buj@gmail.com>
+
+	[BZ #22848]
+	* localedata/locales/ca_ES (abmon): Rename to...
+	(ab_alt_mon): This, then synchronize with CLDR (nominative case).
+	(mon): Rename to...
+	(alt_mon): This.
+	(abmon): Import from CLDR (genitive case, month names preceded by
+	"de" or "d’").
+	(mon): Likewise.
+	(abday): Synchronize with CLDR.
+	(d_t_fmt): Likewise.
+	(d_fmt): Likewise.
+	(am_pm): Likewise.
+
+	(LC_TIME): Improve indentation.
+	(LC_TELEPHONE): Likewise.
+	(LC_NAME): Likewise.
+	(LC_ADDRESS): Likewise.
+
+2018-03-12  Dmitry V. Levin  <ldv@altlinux.org>
+
+	* po/pt_BR.po: Update translations.
+
+2018-03-03  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+	[BZ #21269]
+	* sysdeps/unix/sysv/linux/i386/Makefile (tests): Add tst-bz21269.
+	* sysdeps/unix/sysv/linux/i386/sigaction.c (SET_SA_RESTORER): Clear
+	sa_restorer for vDSO case.
+	* sysdeps/unix/sysv/linux/i386/tst-bz21269.c: New file.
+
+2018-03-03  Andreas Schwab  <schwab@linux-m68k.org>
+
+	[BZ #22918]
+	* nss/nsswitch.h (DEFINE_DATABASE): Don't define __nss_*_database.
+	* nss/nsswitch.c (DEFINE_DATABASE): Define __nss_*_database here.
+	* nscd/gai.c (__nss_hosts_database): Readd definition.
+	* posix/tst-rfc3484.c (__nss_hosts_database): Likewise.
+	* posix/tst-rfc3484-3.c (__nss_hosts_database): Likewise.
+	* posix/tst-rfc3484-2.c (__nss_hosts_database): Likewise.
+
+2018-03-01  DJ Delorie  <dj@delorie.com>
+
+	[BZ #22342]
+	* nscd/netgroupcache.c (addinnetgrX): Include trailing NUL in
+	key value.
+
+2018-02-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	[BZ #22433]
+	[BZ #22807]
+	* sysdeps/unix/sysv/linux/powerpc/sys/ptrace.h (__ptrace_request): Add
+	PTRACE_GETREGS, PTRACE_SETREGS, PTRACE_GETFPREGS, PTRACE_SETFPREGS,
+	PTRACE_GETVRREGS, PTRACE_SETVRREGS, PTRACE_GETEVRREGS,
+	PTRACE_SETEVRREGS, PTRACE_GETREGS64, PTRACE_SETREGS64,
+	PTRACE_GET_DEBUGREG, PTRACE_SET_DEBUGREG, PTRACE_GETVSRREGS,
+	PTRACE_SETVSRREGS, and PTRACE_SINGLEBLOCK.
+
+2018-02-26  Tulio Magno Quites Machado Filho  <tuliom@linux.vnet.ibm.com>
+
+	* sysdeps/unix/sysv/linux/powerpc/sys/ptrace.h: Undefine Linux
+	macros used in __ptrace_request.
+
+2018-02-21  Mike FABIAN  <mfabian@redhat.com>
+
+	[BZ #22517]
+	* localedata/locales/et_EE (LC_COLLATE): add missing “reorder-end”
+
+2018-02-21  Rical Jasan  <ricaljasan@pacific.net>
+
+	* io/fcntl.h: Fix a typo in a comment.
+
+2018-02-20  Rical Jasan  <ricaljasan@pacific.net>
+
+	* manual/creature.texi (_ISOC99_SOURCE): Update the dated
+	description.
+
+	[BZ #16335]
+	* manual/creature.texi (_POSIX_C_SOURCE): Document special values
+	of 199606L, 200112L, and 200809L.
+	(_XOPEN_SOURCE): Document special values of 600 and 700.
+	(_ISOC11_SOURCE): Document macro.
+	(_ATFILE_SOURCE): Likewise.
+	(_FORTIFY_SOURCE): Likewise.
+
+2018-03-09  Aurelien Jarno  <aurelien@aurel32.net>
+
+	[BZ #22919]
+	* sysdeps/unix/sysv/linux/sparc/sparc32/setcontext.S (__startcontext):
+	Add nop before __startcontext, add explaining comments.
+
+2018-03-07  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+	[BZ #22926]
+	* sysdeps/powerpc/powerpc32/sysdep.h (ABORT_TRANSACTION_IMPL): Define
+	empty for __SPE__.
+	* sysdeps/powerpc/sysdep.h (ABORT_TRANSACTION): Likewise.
+	* sysdeps/unix/sysv/linux/powerpc/elision-lock.c (__lll_lock_elision):
+	Do not build hardware transactional code for __SPE__.
+	* sysdeps/unix/sysv/linux/powerpc/elision-trylock.c
+	(__lll_trylock_elision): Likewise.
+	* sysdeps/unix/sysv/linux/powerpc/elision-unlock.c
+	(__lll_unlock_elision): Likewise.
+
+2018-02-19  Rical Jasan  <ricaljasan@pacific.net>
+
+	[BZ #6889]
+	* manual/filesys.texi (get_current_dir_name): Clarify behaviour.
+
+2018-02-16  Rical Jasan  <ricaljasan@pacific.net>
+
+	* manual/platform.texi (__riscv_flush_icache): Fix @deftypefun
+	syntax.
+
+2018-02-09  Rical Jasan  <ricaljasan@pacific.net>
+
+	* manual/creature.texi: Convert references to gcc.info to gcc.
+	* manual/stdio.texi: Likewise.
+	* manual/string.texi: Likewise.
+
+2018-02-18  Aurelien Jarno  <aurelien@aurel32.net>
+
+	[BZ #22818]
+	* posix/tst-glob_lstat_compat.c [__alpha__] (glob): Access
+	the GLIBC_2.1 version.
+
+2018-02-02  Sean McKean  <smckean83@gmail.com>
+
+	[BZ #22735]
+	* time/time.h (clock): Reference CLOCKS_PER_SEC in comment.
+
+2018-02-10  Dmitry V. Levin  <ldv@altlinux.org>
+
+	[BZ #22433]
+	* sysdeps/unix/sysv/linux/aarch64/sys/ptrace.h (__ptrace_request):
+	Remove arm-specific PTRACE_GET_THREAD_AREA, PTRACE_GETHBPREGS,
+	and PTRACE_SETHBPREGS.
+
+2018-02-14  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+	* sysdeps/sh/libm-test-ulps: Update.
+
+2018-02-09  DJ Delorie  <dj@redhat.com>
+
+	[BZ #22827]
+	* sysdeps/unix/sysv/linux/riscv/readelflib.c (process_elf_file): Use
+	64-bit ELF type for 64-bit ELF objects.
+
+2018-02-07  Igor Gnatenko  <ignatenko@redhat.com>
+
+	[BZ #22797]
+	* sysdeps/unix/sysv/linux/bits/mman-shared.h (pkey_get): Add
+	missing second underscore to parameter name.
+
+2018-02-05  H.J. Lu  <hongjiu.lu@intel.com>
+
+	[BZ #22638]
+	* sysdeps/sparc/sparc32/start.S (_start): Check PIC instead of
+	SHARED.
+	* sysdeps/sparc/sparc64/start.S (_start): Likewise.
+
 2018-02-01  Dmitry V. Levin  <ldv@altlinux.org>
 
 	* version.h (RELEASE): Set to "stable".
@@ -710,7 +1351,9 @@
 2018-01-18  Arjun Shankar  <arjun@redhat.com>
 
 	[BZ #22343]
+	[BZ #22774]
 	CVE-2018-6485
+	CVE-2018-6551
 	* malloc/malloc.c (checked_request2size): call REQUEST_OUT_OF_RANGE
 	after padding.
 	(_int_memalign): check for integer overflow before calling
diff --git a/LICENSES b/LICENSES
index 80f7f14879..858076d9d3 100644
--- a/LICENSES
+++ b/LICENSES
@@ -441,15 +441,6 @@ Permission to use, copy, modify, and distribute this
 software is freely granted, provided that this notice
 is preserved.
 \f
-Part of stdio-common/tst-printf.c is copyright C E Chew:
-
-(C) Copyright C E Chew
-
-Feel free to copy, use and distribute this software provided:
-
-     1. you do not pretend that you wrote it
-     2. you leave this copyright notice intact.
-\f
 Various long double libm functions are copyright Stephen L. Moshier:
 
 Copyright 2001 by Stephen L. Moshier <moshier@na-net.ornl.gov>
diff --git a/NEWS b/NEWS
index a71c1038a8..e1a23f076b 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,105 @@ See the end for copying conditions.
 Please send GNU C library bug reports via <https://sourceware.org/bugzilla/>
 using `glibc' in the "product" field.
 \f
+Version 2.27.1
+
+Major new features:
+
+* Nominative and genitive month names are now supported for the Catalan and
+  Czech languages.  The Catalan and Greek languages now support abbreviated
+  alternative month names.
+
+* Parsing of dynamic string tokens in DT_RPATH, DT_RUNPATH, DT_NEEDED,
+  DT_AUXILIARY, and DT_FILTER has been expanded to support the full
+  range of ELF gABI expressions including such constructs as
+  '$ORIGIN$ORIGIN' (if valid).  For SUID/GUID applications the rules
+  have been further restricted, and where in the past a dynamic string
+  token sequence may have been interpreted as a literal string it will
+  now cause a load failure.  These load failures were always considered
+  unspecified behaviour from the perspective of the dynamic loader, and
+  for safety are now load errors e.g. /foo/${ORIGIN}.so in DT_NEEDED
+  results in a load failure now.
+
+Security related changes:
+
+  CVE-2017-18269: An SSE2-based memmove implementation for the i386
+  architecture could corrupt memory.  Reported by Max Horn.
+
+  CVE-2018-11236: Very long pathname arguments to realpath function could
+  result in an integer overflow and buffer overflow.  Reported by Alexey
+  Izbyshev.
+
+  CVE-2018-11237: The mempcpy implementation for the Intel Xeon Phi
+  architecture could write beyond the target buffer, resulting in a buffer
+  overflow.  Reported by Andreas Schwab.
+
+  CVE-2018-19591: A file descriptor leak in if_nametoindex can lead to a
+  denial of service due to resource exhaustion when processing getaddrinfo
+  calls with crafted host names.  Reported by Guido Vranken.
+
+The following bugs are resolved with this release:
+
+  [6889] 'PWD' mentioned but not specified
+  [16335] Feature test macro documentation incomplete and out of date
+  [17343] Signed integer overflow in /stdlib/random_r.c
+  [18018] Additional $ORIGIN handling issues (CVE-2011-0536)
+  [20419] files with large allocated notes crash in open_verify
+  [21269] i386 sigaction sa_restorer handling is wrong
+  [21812] getifaddrs: Don't return ifa entries with NULL names
+  [21942] _dl_dst_substitute incorrectly handles $ORIGIN: with AT_SECURE=1
+  [22342] NSCD not properly caching netgroup
+  [22638] sparc: static binaries are broken if glibc is built by gcc
+    configured with --enable-default-pie
+  [22644] memmove-sse2-unaligned on 32bit x86 produces garbage when crossing
+    2GB threshold
+  [22735] Misleading typo in time.h source comment regarding CLOCKS_PER_SECOND
+  [22753] libc: preadv2/pwritev2 fallback code should handle offset=-1
+  [22786] Stack buffer overflow in realpath() if input size is close
+    to SSIZE_MAX
+  [22797] Linux: use reserved name __key in pkey_get
+  [22807] PTRACE_* constants missing for powerpc
+  [22818] posix/tst-glob_lstat_compat failure on alpha
+  [22827] RISC-V ELF64 parser mis-reads flag in ldconfig
+  [22848] ca_ES: update date definitions from CLDR
+  [22884] RISCV fmax/fmin handle signalling NANs incorrectly
+  [22918] multiple common of `__nss_shadow_database'
+  [22919] sparc32: backtrace yields infinite backtrace with makecontext
+  [22926] FTBFS on powerpcspe
+  [22927] libanl: properly cleanup if first helper thread creation failed
+  [22932] lt_LT: Update of abbreviated month names from CLDR required
+  [22937] Greek (el_GR, el_CY) locales actually need ab_alt_mon
+  [22947] FAIL: misc/tst-preadvwritev2
+  [22963] cs_CZ: Add alternative month names
+  [22996] localedata: change LC_PAPER to en_US in es_BO locale
+  [23005] Crash in __res_context_send after memory allocation failure
+  [23036] regexec: Fix off-by-one bug in weight comparison
+  [23037] initialize msg_flags to zero for sendmmsg() calls
+  [23069] sigaction broken on riscv64-linux-gnu
+  [23102] Incorrect parsing of consecutive $ variables in runpath entries
+  [23137] s390: pthread_join sometimes block indefinitely (on 31bit and libc
+    build with -Os)
+  [23152] gd_GB: Fix typo in "May" (abbreviated)
+  [23166] sunrpc: Remove stray exports without --enable-obsolete-rpc
+  [23171] Fix parameter type in C++ version of iseqsig
+  [23196] __mempcpy_avx512_no_vzeroupper mishandles large copies
+  [23236] Harden function pointers in _IO_str_fields
+  [23253] Set 387 and SSE2 rounding mode for tgamma on i386
+  [23259] Unsubstituted ${ORIGIN} remains in DT_NEEDED for AT_SECURE
+  [23264] libc: posix_spawnp wrongly executes ENOEXEC in non compat mode
+  [23313] libio: Disable vtable validation in case of interposition
+  [23349] Various glibc headers no longer compatible with <linux/time.h>
+  [23363] stdio-common/tst-printf.c has non-free license
+  [23456] Wrong index_cpu_LZCNT
+  [23459] COMMON_CPUID_INDEX_80000001 isn't populated for Intel processors
+  [23538] pthread_cond_broadcast: Fix waiters-after-spinning case
+  [23562] signal: Use correct type for si_band in siginfo_t
+  [23579] libc: Errors misreported in preadv2
+  [23709] Fix CPU string flags for Haswell-type CPUs
+  [23821] si_band in siginfo_t has wrong type long int on sparc64
+  [23822] ia64 static libm.a is missing exp2f, log2f and powf symbols
+  [23927] Linux if_nametoindex() does not close descriptor (CVE-2018-19591)
+
+\f
 Version 2.27
 
 Major new features:
@@ -262,6 +361,10 @@ Security related changes:
   an object size near the value of SIZE_MAX, would return a pointer to a
   buffer which is too small, instead of NULL.  Reported by Jakub Wilk.
 
+  CVE-2018-6551: The malloc function, when called with an object size near
+  the value of SIZE_MAX, would return a pointer to a buffer which is too
+  small, instead of NULL.
+
 The following bugs are resolved with this release:
 
   [866] glob: glob should match dangling symlinks
diff --git a/bits/uio-ext.h b/bits/uio-ext.h
index 8c15a05d9a..d5aa06fd08 100644
--- a/bits/uio-ext.h
+++ b/bits/uio-ext.h
@@ -28,5 +28,6 @@
 #define RWF_DSYNC	0x00000002 /* per-IO O_DSYNC.  */
 #define RWF_SYNC	0x00000004 /* per-IO O_SYNC.  */
 #define RWF_NOWAIT	0x00000008 /* per-IO nonblocking mode.  */
+#define RWF_APPEND	0x00000010 /* per-IO O_APPEND.  */
 
 #endif /* sys/uio_ext.h */
diff --git a/conform/conformtest.pl b/conform/conformtest.pl
index cb500f0e76..a4ef756105 100644
--- a/conform/conformtest.pl
+++ b/conform/conformtest.pl
@@ -367,7 +367,7 @@ while ($#headers >= 0) {
       s/^optional-//;
       $optional = 1;
     }
-    if (/^element *({([^}]*)}|([^{ ]*)) *({([^}]*)}|([^{ ]*)) *([A-Za-z0-9_]*) *(.*)/) {
+    if (/^element *(\{([^}]*)\}|([^{ ]*)) *(\{([^}]*)\}|([^{ ]*)) *([A-Za-z0-9_]*) *(.*)/) {
       my($struct) = "$2$3";
       my($type) = "$5$6";
       my($member) = "$7";
@@ -556,7 +556,7 @@ while ($#headers >= 0) {
 			"Symbol \"$symbol\" has not the right value.", $res,
 			$xfail);
       }
-    } elsif (/^type *({([^}]*)|([a-zA-Z0-9_]*))/) {
+    } elsif (/^type *(\{([^}]*)|([a-zA-Z0-9_]*))/) {
       my($type) = "$2$3";
       my($maybe_opaque) = 0;
 
@@ -586,7 +586,7 @@ while ($#headers >= 0) {
 		    ? "NOT AVAILABLE"
 		    : "Type \"$type\" not available."), $missing, $optional,
 		   $xfail);
-    } elsif (/^tag *({([^}]*)|([a-zA-Z0-9_]*))/) {
+    } elsif (/^tag *(\{([^}]*)|([a-zA-Z0-9_]*))/) {
       my($type) = "$2$3";
 
       # Remember that this name is allowed.
@@ -607,7 +607,7 @@ while ($#headers >= 0) {
 
       compiletest ($fnamebase, "Testing for type $type",
 		   "Type \"$type\" not available.", $missing, 0, $xfail);
-    } elsif (/^function *({([^}]*)}|([a-zA-Z0-9_]*)) [(][*]([a-zA-Z0-9_]*) ([(].*[)])/) {
+    } elsif (/^function *(\{([^}]*)\}|([a-zA-Z0-9_]*)) [(][*]([a-zA-Z0-9_]*) ([(].*[)])/) {
       my($rettype) = "$2$3";
       my($fname) = "$4";
       my($args) = "$5";
@@ -644,7 +644,7 @@ while ($#headers >= 0) {
 		     "Function \"$fname\" has incorrect type.", $res, 0,
 		     $xfail);
       }
-    } elsif (/^function *({([^}]*)}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*) ([(].*[)])/) {
+    } elsif (/^function *(\{([^}]*)\}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*) ([(].*[)])/) {
       my($rettype) = "$2$3";
       my($fname) = "$4";
       my($args) = "$5";
@@ -681,7 +681,7 @@ while ($#headers >= 0) {
 		     "Function \"$fname\" has incorrect type.", $res, 0,
 		     $xfail);
       }
-    } elsif (/^variable *({([^}]*)}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*) *(.*)/) {
+    } elsif (/^variable *(\{([^}]*)\}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*) *(.*)/) {
       my($type) = "$2$3";
       my($vname) = "$4";
       my($rest) = "$5";
@@ -713,7 +713,7 @@ while ($#headers >= 0) {
 
       compiletest ($fnamebase, "Test for type of variable $fname",
 		   "Variable \"$vname\" has incorrect type.", $res, 0, $xfail);
-    } elsif (/^macro-function *({([^}]*)}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*) ([(].*[)])/) {
+    } elsif (/^macro-function *(\{([^}]*)\}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*) ([(].*[)])/) {
       my($rettype) = "$2$3";
       my($fname) = "$4";
       my($args) = "$5";
@@ -812,11 +812,11 @@ while ($#headers >= 0) {
 
       s/^xfail(\[([^\]]*)\])?-//;
       s/^optional-//;
-      if (/^element *({([^}]*)}|([^ ]*)) *({([^}]*)}|([^ ]*)) *([A-Za-z0-9_]*) *(.*)/) {
+      if (/^element *(\{([^}]*)\}|([^ ]*)) *(\{([^}]*)\}|([^ ]*)) *([A-Za-z0-9_]*) *(.*)/) {
 	push @allow, $7;
       } elsif (/^(macro|constant|macro-constant|macro-int-constant) +([a-zA-Z0-9_]*) *(?:{([^}]*)} *)?(?:([>=<!]+) ([A-Za-z0-9_-]*))?/) {
 	push @allow, $2;
-      } elsif (/^(type|tag) *({([^}]*)|([a-zA-Z0-9_]*))/) {
+      } elsif (/^(type|tag) *(\{([^}]*)|([a-zA-Z0-9_]*))/) {
 	my($type) = "$3$4";
 
 	# Remember that this name is allowed.
@@ -827,13 +827,13 @@ while ($#headers >= 0) {
 	} else {
 	  push @allow, $type;
 	}
-      } elsif (/^function *({([^}]*)}|([a-zA-Z0-9_]*)) [(][*]([a-zA-Z0-9_]*) ([(].*[)])/) {
+      } elsif (/^function *(\{([^}]*)\}|([a-zA-Z0-9_]*)) [(][*]([a-zA-Z0-9_]*) ([(].*[)])/) {
 	push @allow, $4;
-      } elsif (/^function *({([^}]*)}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*) ([(].*[)])/) {
+      } elsif (/^function *(\{([^}]*)\}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*) ([(].*[)])/) {
 	push @allow, $4;
-      } elsif (/^variable *({([^}]*)}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*)/) {
+      } elsif (/^variable *(\{([^}]*)\}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*)/) {
 	push @allow, $4;
-      } elsif (/^macro-function *({([^}]*)}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*) ([(].*[)])/) {
+      } elsif (/^macro-function *(\{([^}]*)\}|([a-zA-Z0-9_]*)) ([a-zA-Z0-9_]*) ([(].*[)])/) {
 	push @allow, $4;
       } elsif (/^symbol *([a-zA-Z0-9_]*) *([A-Za-z0-9_-]*)?/) {
 	push @allow, $1;
diff --git a/conform/data/signal.h-data b/conform/data/signal.h-data
index fa841cfdbe..88c1f5eba2 100644
--- a/conform/data/signal.h-data
+++ b/conform/data/signal.h-data
@@ -170,7 +170,8 @@ element siginfo_t pid_t si_pid
 element siginfo_t uid_t si_uid
 element siginfo_t {void*} si_addr
 element siginfo_t int si_status
-element siginfo_t long si_band
+// Bug 23821: si_band has type int on sparc64.
+xfail[sparc64-linux]-element siginfo_t long si_band
 #  endif
 #  ifndef XPG42
 element siginfo_t {union sigval} si_value
diff --git a/conform/data/sys/wait.h-data b/conform/data/sys/wait.h-data
index 559ebdf677..a6713461ea 100644
--- a/conform/data/sys/wait.h-data
+++ b/conform/data/sys/wait.h-data
@@ -44,7 +44,8 @@ element siginfo_t pid_t si_pid
 element siginfo_t uid_t si_uid
 element siginfo_t {void*} si_addr
 element siginfo_t int si_status
-element siginfo_t long si_band
+// Bug 23821: si_band has type int on sparc64.
+xfail[sparc64-linux]-element siginfo_t long si_band
 # ifndef XPG42
 element siginfo_t {union sigval} si_value
 # endif
diff --git a/debug/vasprintf_chk.c b/debug/vasprintf_chk.c
index a00ef771e6..3eb64617fd 100644
--- a/debug/vasprintf_chk.c
+++ b/debug/vasprintf_chk.c
@@ -55,8 +55,8 @@ __vasprintf_chk (char **result_ptr, int flags, const char *format,
   _IO_JUMPS (&sf._sbf) = &_IO_str_jumps;
   _IO_str_init_static_internal (&sf, string, init_string_size, string);
   sf._sbf._f._flags &= ~_IO_USER_BUF;
-  sf._s._allocate_buffer = (_IO_alloc_type) malloc;
-  sf._s._free_buffer = (_IO_free_type) free;
+  sf._s._allocate_buffer_unused = (_IO_alloc_type) malloc;
+  sf._s._free_buffer_unused = (_IO_free_type) free;
 
   /* For flags > 0 (i.e. __USE_FORTIFY_LEVEL > 1) request that %n
      can only come from read-only format strings.  */
diff --git a/elf/Makefile b/elf/Makefile
index 2a432d8bee..2d8fe88aa6 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -187,7 +187,7 @@ tests += restest1 preloadtest loadfail multiload origtest resolvfail \
 	 tst-tlsalign tst-tlsalign-extern tst-nodelete-opened \
 	 tst-nodelete2 tst-audit11 tst-audit12 tst-dlsym-error tst-noload \
 	 tst-latepthread tst-tls-manydynamic tst-nodelete-dlclose \
-	 tst-debug1 tst-main1
+	 tst-debug1 tst-main1 tst-big-note
 #	 reldep9
 tests-internal += loadtest unload unload2 circleload1 \
 	 neededtest neededtest2 neededtest3 neededtest4 \
@@ -272,7 +272,9 @@ modules-names = testobj1 testobj2 testobj3 testobj4 testobj5 testobj6 \
 		tst-audit12mod1 tst-audit12mod2 tst-audit12mod3 tst-auditmod12 \
 		tst-latepthreadmod $(tst-tls-many-dynamic-modules) \
 		tst-nodelete-dlclose-dso tst-nodelete-dlclose-plugin \
-		tst-main1mod tst-libc_dlvsym-dso
+		tst-main1mod tst-libc_dlvsym-dso \
+		tst-big-note-lib
+
 ifeq (yes,$(have-mtls-dialect-gnu2))
 tests += tst-gnu2-tls1
 modules-names += tst-gnu2-tls1mod
@@ -1446,3 +1448,5 @@ $(objpfx)tst-libc_dlvsym-static: $(common-objpfx)dlfcn/libdl.a
 tst-libc_dlvsym-static-ENV = \
   LD_LIBRARY_PATH=$(objpfx):$(common-objpfx):$(common-objpfx)dlfcn
 $(objpfx)tst-libc_dlvsym-static.out: $(objpfx)tst-libc_dlvsym-dso.so
+
+$(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so
diff --git a/elf/dl-deps.c b/elf/dl-deps.c
index c975fcffd7..20b8e94f2e 100644
--- a/elf/dl-deps.c
+++ b/elf/dl-deps.c
@@ -100,7 +100,7 @@ struct list
   ({									      \
     const char *__str = (str);						      \
     const char *__result = __str;					      \
-    size_t __dst_cnt = DL_DST_COUNT (__str);				      \
+    size_t __dst_cnt = _dl_dst_count (__str);				      \
 									      \
     if (__dst_cnt != 0)							      \
       {									      \
diff --git a/elf/dl-dst.h b/elf/dl-dst.h
index 32de5d225a..859032be0d 100644
--- a/elf/dl-dst.h
+++ b/elf/dl-dst.h
@@ -18,19 +18,6 @@
 
 #include "trusted-dirs.h"
 
-/* Determine the number of DST elements in the name.  Only if IS_PATH is
-   nonzero paths are recognized (i.e., multiple, ':' separated filenames).  */
-#define DL_DST_COUNT(name) \
-  ({									      \
-    size_t __cnt = 0;							      \
-    const char *__sf = strchr (name, '$');				      \
-									      \
-    if (__glibc_unlikely (__sf != NULL))				      \
-      __cnt = _dl_dst_count (__sf);					      \
-									      \
-    __cnt; })
-
-
 #ifdef SHARED
 # define IS_RTLD(l) (l) == &GL(dl_rtld_map)
 #else
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 7554a99b5a..b20e2a46d0 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -122,12 +122,6 @@ is_trusted_path_normalize (const char *path, size_t len)
   if (len == 0)
     return false;
 
-  if (*path == ':')
-    {
-      ++path;
-      --len;
-    }
-
   char *npath = (char *) alloca (len + 2);
   char *wnp = npath;
   while (*path != '\0')
@@ -178,114 +172,165 @@ is_trusted_path_normalize (const char *path, size_t len)
   return false;
 }
 
+/* Given a substring starting at INPUT, just after the DST '$' start
+   token, determine if INPUT contains DST token REF, following the
+   ELF gABI rules for DSTs:
+
+   * Longest possible sequence using the rules (greedy).
 
+   * Must start with a $ (enforced by caller).
+
+   * Must follow $ with one underscore or ASCII [A-Za-z] (caller
+     follows these rules for REF) or '{' (start curly quoted name).
+
+   * Must follow first two characters with zero or more [A-Za-z0-9_]
+     (enforced by caller) or '}' (end curly quoted name).
+
+   If the sequence is a DST matching REF then the length of the DST
+   (excluding the $ sign but including curly braces, if any) is
+   returned, otherwise 0.  */
 static size_t
-is_dst (const char *start, const char *name, const char *str, int secure)
+is_dst (const char *input, const char *ref)
 {
-  size_t len;
   bool is_curly = false;
 
-  if (name[0] == '{')
+  /* Is a ${...} input sequence?  */
+  if (input[0] == '{')
     {
       is_curly = true;
-      ++name;
-    }
-
-  len = 0;
-  while (name[len] == str[len] && name[len] != '\0')
-    ++len;
-
-  if (is_curly)
-    {
-      if (name[len] != '}')
-	return 0;
-
-      /* Point again at the beginning of the name.  */
-      --name;
-      /* Skip over closing curly brace and adjust for the --name.  */
-      len += 2;
+      ++input;
     }
-  else if (name[len] != '\0' && name[len] != '/')
-    return 0;
 
-  if (__glibc_unlikely (secure)
-      && ((name[len] != '\0' && name[len] != '/')
-	  || (name != start + 1)))
+  /* Check for matching name, following closing curly brace (if
+     required), or trailing characters which are part of an
+     identifier.  */
+  size_t rlen = strlen (ref);
+  if (strncmp (input, ref, rlen) != 0
+      || (is_curly && input[rlen] != '}')
+      || ((input[rlen] >= 'A' && input[rlen] <= 'Z')
+	  || (input[rlen] >= 'a' && input[rlen] <= 'z')
+	  || (input[rlen] >= '0' && input[rlen] <= '9')
+	  || (input[rlen] == '_')))
     return 0;
 
-  return len;
+  if (is_curly)
+    /* Count the two curly braces.  */
+    return rlen + 2;
+  else
+    return rlen;
 }
 
-
+/* INPUT is the start of a DST sequence at the first '$' occurrence.
+   If there is a DST we call into _dl_dst_count to count the number of
+   DSTs.  We count all known DSTs regardless of __libc_enable_secure;
+   the caller is responsible for enforcing the security of the
+   substitution rules (usually _dl_dst_substitute).  */
 size_t
-_dl_dst_count (const char *name)
+_dl_dst_count (const char *input)
 {
-  const char *const start = name;
   size_t cnt = 0;
 
+  input = strchr (input, '$');
+
+  /* Most likely there is no DST.  */
+  if (__glibc_likely (input == NULL))
+    return 0;
+
   do
     {
       size_t len;
 
-      /* $ORIGIN is not expanded for SUID/GUID programs (except if it
-	 is $ORIGIN alone) and it must always appear first in path.  */
-      ++name;
-      if ((len = is_dst (start, name, "ORIGIN", __libc_enable_secure)) != 0
-	  || (len = is_dst (start, name, "PLATFORM", 0)) != 0
-	  || (len = is_dst (start, name, "LIB", 0)) != 0)
+      ++input;
+      /* All DSTs must follow ELF gABI rules, see is_dst ().  */
+      if ((len = is_dst (input, "ORIGIN")) != 0
+	  || (len = is_dst (input, "PLATFORM")) != 0
+	  || (len = is_dst (input, "LIB")) != 0)
 	++cnt;
 
-      name = strchr (name + len, '$');
+      /* There may be more than one DST in the input.  */
+      input = strchr (input + len, '$');
     }
-  while (name != NULL);
+  while (input != NULL);
 
   return cnt;
 }
 
-
+/* Process INPUT for DSTs and store in RESULT using the information
+   from link map L to resolve the DSTs. This function only handles one
+   path at a time and does not handle colon-separated path lists (see
+   fillin_rpath ()).  Lastly the size of result in bytes should be at
+   least equal to the value returned by DL_DST_REQUIRED.  Note that it
+   is possible for a DT_NEEDED, DT_AUXILIARY, and DT_FILTER entries to
+   have colons, but we treat those as literal colons here, not as path
+   list delimeters.  */
 char *
-_dl_dst_substitute (struct link_map *l, const char *name, char *result)
+_dl_dst_substitute (struct link_map *l, const char *input, char *result)
 {
-  const char *const start = name;
-
-  /* Now fill the result path.  While copying over the string we keep
-     track of the start of the last path element.  When we come across
-     a DST we copy over the value or (if the value is not available)
-     leave the entire path element out.  */
+  /* Copy character-by-character from input into the working pointer
+     looking for any DSTs.  We track the start of input and if we are
+     going to check for trusted paths, all of which are part of $ORIGIN
+     handling in SUID/SGID cases (see below).  In some cases, like when
+     a DST cannot be replaced, we may set result to an empty string and
+     return.  */
   char *wp = result;
-  char *last_elem = result;
+  const char *start = input;
   bool check_for_trusted = false;
 
   do
     {
-      if (__glibc_unlikely (*name == '$'))
+      if (__glibc_unlikely (*input == '$'))
 	{
 	  const char *repl = NULL;
 	  size_t len;
 
-	  ++name;
-	  if ((len = is_dst (start, name, "ORIGIN", __libc_enable_secure)) != 0)
+	  ++input;
+	  if ((len = is_dst (input, "ORIGIN")) != 0)
 	    {
-	      repl = l->l_origin;
+	      /* For SUID/GUID programs we normally ignore the path with
+		 $ORIGIN in DT_RUNPATH, or DT_RPATH.  However, there is
+		 one exception to this rule, and it is:
+
+		   * $ORIGIN appears as the first path element, and is
+		     the only string in the path or is immediately
+		     followed by a path separator and the rest of the
+		     path.
+
+		   * The path is rooted in a trusted directory.
+
+		 This exception allows such programs to reference
+		 shared libraries in subdirectories of trusted
+		 directories.  The use case is one of general
+		 organization and deployment flexibility.
+		 Trusted directories are usually such paths as "/lib64"
+		 or "/usr/lib64", and the usual RPATHs take the form of
+		 [$ORIGIN/../$LIB/somedir].  */
+	      if (__glibc_unlikely (__libc_enable_secure)
+		  && !(input == start + 1
+		       && (input[len] == '\0' || input[len] == '/')))
+		repl = (const char *) -1;
+	      else
+	        repl = l->l_origin;
+
 	      check_for_trusted = (__libc_enable_secure
 				   && l->l_type == lt_executable);
 	    }
-	  else if ((len = is_dst (start, name, "PLATFORM", 0)) != 0)
+	  else if ((len = is_dst (input, "PLATFORM")) != 0)
 	    repl = GLRO(dl_platform);
-	  else if ((len = is_dst (start, name, "LIB", 0)) != 0)
+	  else if ((len = is_dst (input, "LIB")) != 0)
 	    repl = DL_DST_LIB;
 
 	  if (repl != NULL && repl != (const char *) -1)
 	    {
 	      wp = __stpcpy (wp, repl);
-	      name += len;
+	      input += len;
 	    }
-	  else if (len > 1)
+	  else if (len != 0)
 	    {
-	      /* We cannot use this path element, the value of the
-		 replacement is unknown.  */
-	      wp = last_elem;
-	      break;
+	      /* We found a valid DST that we know about, but we could
+	         not find a replacement value for it, therefore we
+		 cannot use this path and discard it.  */
+	      *result = '\0';
+	      return result;
 	    }
 	  else
 	    /* No DST we recognize.  */
@@ -293,16 +338,26 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result)
 	}
       else
 	{
-	  *wp++ = *name++;
+	  *wp++ = *input++;
 	}
     }
-  while (*name != '\0');
+  while (*input != '\0');
 
   /* In SUID/SGID programs, after $ORIGIN expansion the normalized
-     path must be rooted in one of the trusted directories.  */
+     path must be rooted in one of the trusted directories.  The $LIB
+     and $PLATFORM DST cannot in any way be manipulated by the caller
+     because they are fixed values that are set by the dynamic loader
+     and therefore any paths using just $LIB or $PLATFORM need not be
+     checked for trust, the authors of the binaries themselves are
+     trusted to have designed this correctly.  Only $ORIGIN is tested in
+     this way because it may be manipulated in some ways with hard
+     links.  */
   if (__glibc_unlikely (check_for_trusted)
-      && !is_trusted_path_normalize (last_elem, wp - last_elem))
-    wp = last_elem;
+      && !is_trusted_path_normalize (result, wp - result))
+    {
+      *result = '\0';
+      return result;
+    }
 
   *wp = '\0';
 
@@ -310,13 +365,13 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result)
 }
 
 
-/* Return copy of argument with all recognized dynamic string tokens
-   ($ORIGIN and $PLATFORM for now) replaced.  On some platforms it
-   might not be possible to determine the path from which the object
-   belonging to the map is loaded.  In this case the path element
-   containing $ORIGIN is left out.  */
+/* Return a malloc allocated copy of INPUT with all recognized DSTs
+   replaced. On some platforms it might not be possible to determine the
+   path from which the object belonging to the map is loaded.  In this
+   case the path containing the DST is left out.  On error NULL
+   is returned.  */
 static char *
-expand_dynamic_string_token (struct link_map *l, const char *s)
+expand_dynamic_string_token (struct link_map *l, const char *input)
 {
   /* We make two runs over the string.  First we determine how large the
      resulting string is and then we copy it over.  Since this is no
@@ -326,22 +381,22 @@ expand_dynamic_string_token (struct link_map *l, const char *s)
   size_t total;
   char *result;
 
-  /* Determine the number of DST elements.  */
-  cnt = DL_DST_COUNT (s);
+  /* Determine the number of DSTs.  */
+  cnt = _dl_dst_count (input);
 
   /* If we do not have to replace anything simply copy the string.  */
   if (__glibc_likely (cnt == 0))
-    return __strdup (s);
+    return __strdup (input);
 
   /* Determine the length of the substituted string.  */
-  total = DL_DST_REQUIRED (l, s, strlen (s), cnt);
+  total = DL_DST_REQUIRED (l, input, strlen (input), cnt);
 
   /* Allocate the necessary memory.  */
   result = (char *) malloc (total + 1);
   if (result == NULL)
     return NULL;
 
-  return _dl_dst_substitute (l, s, result);
+  return _dl_dst_substitute (l, input, result);
 }
 
 
@@ -1469,6 +1524,7 @@ open_verify (const char *name, int fd,
       ElfW(Ehdr) *ehdr;
       ElfW(Phdr) *phdr, *ph;
       ElfW(Word) *abi_note;
+      ElfW(Word) *abi_note_malloced = NULL;
       unsigned int osversion;
       size_t maplength;
 
@@ -1640,10 +1696,25 @@ open_verify (const char *name, int fd,
 	      abi_note = (void *) (fbp->buf + ph->p_offset);
 	    else
 	      {
-		abi_note = alloca (size);
+		/* Note: __libc_use_alloca is not usable here, because
+		   thread info may not have been set up yet.  */
+		if (size < __MAX_ALLOCA_CUTOFF)
+		  abi_note = alloca (size);
+		else
+		  {
+		    /* There could be multiple PT_NOTEs.  */
+		    abi_note_malloced = realloc (abi_note_malloced, size);
+		    if (abi_note_malloced == NULL)
+		      goto read_error;
+
+		    abi_note = abi_note_malloced;
+		  }
 		__lseek (fd, ph->p_offset, SEEK_SET);
 		if (__libc_read (fd, (void *) abi_note, size) != size)
-		  goto read_error;
+		  {
+		    free (abi_note_malloced);
+		    goto read_error;
+		  }
 	      }
 
 	    while (memcmp (abi_note, &expected_note, sizeof (expected_note)))
@@ -1678,6 +1749,7 @@ open_verify (const char *name, int fd,
 
 	    break;
 	  }
+      free (abi_note_malloced);
     }
 
   return fd;
diff --git a/elf/tst-big-note-lib.S b/elf/tst-big-note-lib.S
new file mode 100644
index 0000000000..6b514a03cc
--- /dev/null
+++ b/elf/tst-big-note-lib.S
@@ -0,0 +1,26 @@
+/* Bug 20419: test for stack overflow in elf/dl-load.c open_verify()
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* This creates a .so with 8MiB PT_NOTE segment.
+   On a typical Linux system with 8MiB "ulimit -s", that was enough
+   to trigger stack overflow in open_verify.  */
+
+.pushsection .note.big,"a"
+.balign 4
+.fill 8*1024*1024, 1, 0
+.popsection
diff --git a/elf/tst-big-note.c b/elf/tst-big-note.c
new file mode 100644
index 0000000000..fcd2b0ed82
--- /dev/null
+++ b/elf/tst-big-note.c
@@ -0,0 +1,26 @@
+/* Bug 20419: test for stack overflow in elf/dl-load.c open_verify()
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* This file must be run from within a directory called "elf".  */
+
+int main (int argc, char *argv[])
+{
+  /* Nothing to do here: merely linking against tst-big-note-lib.so triggers
+     the bug.  */
+  return 0;
+}
diff --git a/include/rpc/clnt.h b/include/rpc/clnt.h
index a397023a93..80be0a9cec 100644
--- a/include/rpc/clnt.h
+++ b/include/rpc/clnt.h
@@ -28,6 +28,7 @@ libc_hidden_proto (clntudp_create)
 libc_hidden_proto (get_myaddress)
 libc_hidden_proto (clntunix_create)
 libc_hidden_proto (__libc_clntudp_bufcreate)
+libc_hidden_proto (rpc_createerr)
 
 # endif /* !_ISOMAC */
 #endif
diff --git a/include/rpc/svc.h b/include/rpc/svc.h
index 465bf4427d..40ba2546a9 100644
--- a/include/rpc/svc.h
+++ b/include/rpc/svc.h
@@ -3,6 +3,10 @@
 
 # ifndef _ISOMAC
 
+libc_hidden_proto (svc_pollfd)
+libc_hidden_proto (svc_max_pollfd)
+libc_hidden_proto (svc_fdset)
+
 libc_hidden_proto (xprt_register)
 libc_hidden_proto (xprt_unregister)
 libc_hidden_proto (svc_register)
diff --git a/include/unistd.h b/include/unistd.h
index 0f91b8babc..a171b00326 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -77,6 +77,8 @@ extern char *__getcwd (char *__buf, size_t __size) attribute_hidden;
 extern int __rmdir (const char *__path) attribute_hidden;
 extern int __execvpe (const char *file, char *const argv[],
 		      char *const envp[]) attribute_hidden;
+extern int __execvpex (const char *file, char *const argv[],
+		       char *const envp[]) attribute_hidden;
 
 /* Get the canonical absolute name of the named directory, and put it in SIZE
    bytes of BUF.  Returns NULL if the directory couldn't be determined or
diff --git a/io/fcntl.h b/io/fcntl.h
index 3d239e8f09..69a4394191 100644
--- a/io/fcntl.h
+++ b/io/fcntl.h
@@ -139,7 +139,7 @@ typedef __pid_t pid_t;
 # define SEEK_END	2	/* Seek from end of file.  */
 #endif	/* XPG */
 
-/* The constants AT_REMOVEDIR and AT_EACCESS have the same value.  AT_EASSESS
+/* The constants AT_REMOVEDIR and AT_EACCESS have the same value.  AT_EACCESS
    is meaningful only to faccessat, while AT_REMOVEDIR is meaningful only to
    unlinkat.  The two functions do completely different things and therefore,
    the flags can be allowed to overlap.  For example, passing AT_REMOVEDIR to
diff --git a/libio/Makefile b/libio/Makefile
index 918a86bb74..81bd1792a5 100644
--- a/libio/Makefile
+++ b/libio/Makefile
@@ -64,6 +64,9 @@ tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf tst_getwc tst_putwc   \
 	tst-setvbuf1 tst-popen1 tst-fgetwc bug-wsetpos tst-fseek \
 	tst-fwrite-error tst-ftell-partial-wide tst-ftell-active-handler \
 	tst-ftell-append tst-fputws tst-bz22415
+
+tests-internal = tst-vtables tst-vtables-interposed
+
 ifeq (yes,$(build-shared))
 # Add test-fopenloc only if shared library is enabled since it depends on
 # shared localedata objects.
diff --git a/libio/memstream.c b/libio/memstream.c
index d86befcc02..c5c7c2f6db 100644
--- a/libio/memstream.c
+++ b/libio/memstream.c
@@ -90,8 +90,8 @@ __open_memstream (char **bufloc, _IO_size_t *sizeloc)
   _IO_JUMPS_FILE_plus (&new_f->fp._sf._sbf) = &_IO_mem_jumps;
   _IO_str_init_static_internal (&new_f->fp._sf, buf, _IO_BUFSIZ, buf);
   new_f->fp._sf._sbf._f._flags &= ~_IO_USER_BUF;
-  new_f->fp._sf._s._allocate_buffer = (_IO_alloc_type) malloc;
-  new_f->fp._sf._s._free_buffer = (_IO_free_type) free;
+  new_f->fp._sf._s._allocate_buffer_unused = (_IO_alloc_type) malloc;
+  new_f->fp._sf._s._free_buffer_unused = (_IO_free_type) free;
 
   new_f->fp.bufloc = bufloc;
   new_f->fp.sizeloc = sizeloc;
diff --git a/libio/strfile.h b/libio/strfile.h
index 68dfcbfe83..52a085e580 100644
--- a/libio/strfile.h
+++ b/libio/strfile.h
@@ -31,8 +31,11 @@ typedef void (*_IO_free_type) (void*);
 
 struct _IO_str_fields
 {
-  _IO_alloc_type _allocate_buffer;
-  _IO_free_type _free_buffer;
+  /* These members are preserved for ABI compatibility.  The glibc
+     implementation always calls malloc/free for user buffers if
+     _IO_USER_BUF or _IO_FLAGS2_USER_WBUF are not set.  */
+  _IO_alloc_type _allocate_buffer_unused;
+  _IO_free_type _free_buffer_unused;
 };
 
 /* This is needed for the Irix6 N32 ABI, which has a 64 bit off_t type,
@@ -52,10 +55,6 @@ typedef struct _IO_strfile_
   struct _IO_str_fields _s;
 } _IO_strfile;
 
-/* dynamic: set when the array object is allocated (or reallocated)  as
-   necessary to hold a character sequence that can change in length. */
-#define _IO_STR_DYNAMIC(FP) ((FP)->_s._allocate_buffer != (_IO_alloc_type)0)
-
 /* frozen: set when the program has requested that the array object not
    be altered, reallocated, or freed. */
 #define _IO_STR_FROZEN(FP) ((FP)->_f._IO_file_flags & _IO_USER_BUF)
diff --git a/libio/strops.c b/libio/strops.c
index ac995c830e..5fb38976e3 100644
--- a/libio/strops.c
+++ b/libio/strops.c
@@ -61,7 +61,7 @@ _IO_str_init_static_internal (_IO_strfile *sf, char *ptr, _IO_size_t size,
       fp->_IO_read_end = end;
     }
   /* A null _allocate_buffer function flags the strfile as being static. */
-  sf->_s._allocate_buffer = (_IO_alloc_type) 0;
+  sf->_s._allocate_buffer_unused = (_IO_alloc_type) 0;
 }
 
 void
@@ -103,8 +103,7 @@ _IO_str_overflow (_IO_FILE *fp, int c)
 	  _IO_size_t new_size = 2 * old_blen + 100;
 	  if (new_size < old_blen)
 	    return EOF;
-	  new_buf
-	    = (char *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size);
+	  new_buf = malloc (new_size);
 	  if (new_buf == NULL)
 	    {
 	      /*	  __ferror(fp) = 1; */
@@ -113,7 +112,7 @@ _IO_str_overflow (_IO_FILE *fp, int c)
 	  if (old_buf)
 	    {
 	      memcpy (new_buf, old_buf, old_blen);
-	      (*((_IO_strfile *) fp)->_s._free_buffer) (old_buf);
+	      free (old_buf);
 	      /* Make sure _IO_setb won't try to delete _IO_buf_base. */
 	      fp->_IO_buf_base = NULL;
 	    }
@@ -182,15 +181,14 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
 
   _IO_size_t newsize = offset + 100;
   char *oldbuf = fp->_IO_buf_base;
-  char *newbuf
-    = (char *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize);
+  char *newbuf = malloc (newsize);
   if (newbuf == NULL)
     return 1;
 
   if (oldbuf != NULL)
     {
       memcpy (newbuf, oldbuf, _IO_blen (fp));
-      (*((_IO_strfile *) fp)->_s._free_buffer) (oldbuf);
+      free (oldbuf);
       /* Make sure _IO_setb won't try to delete
 	 _IO_buf_base. */
       fp->_IO_buf_base = NULL;
@@ -346,7 +344,7 @@ void
 _IO_str_finish (_IO_FILE *fp, int dummy)
 {
   if (fp->_IO_buf_base && !(fp->_flags & _IO_USER_BUF))
-    (((_IO_strfile *) fp)->_s._free_buffer) (fp->_IO_buf_base);
+    free (fp->_IO_buf_base);
   fp->_IO_buf_base = NULL;
 
   _IO_default_finish (fp, 0);
diff --git a/libio/tst-vtables-common.c b/libio/tst-vtables-common.c
new file mode 100644
index 0000000000..dc8d89c195
--- /dev/null
+++ b/libio/tst-vtables-common.c
@@ -0,0 +1,511 @@
+/* Test for libio vtables and their validation.  Common code.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* This test provides some coverage for how various stdio functions
+   use the vtables in FILE * objects.  The focus is mostly on which
+   functions call which methods, not so much on validating data
+   processing.  An initial series of tests check that custom vtables
+   do not work without activation through _IO_init.
+
+   Note: libio vtables are deprecated feature.  Do not use this test
+   as a documentation source for writing custom vtables.  See
+   fopencookie for a different way of creating custom stdio
+   streams.  */
+
+#include <stdbool.h>
+#include <string.h>
+#include <support/capture_subprocess.h>
+#include <support/check.h>
+#include <support/namespace.h>
+#include <support/support.h>
+#include <support/test-driver.h>
+#include <support/xunistd.h>
+
+/* Data shared between the test subprocess and the test driver in the
+   parent.  Note that *shared is reset at the start of the check_call
+   function.  */
+struct shared
+{
+  /* Expected file pointer for method calls.  */
+  FILE *fp;
+
+  /* If true, assume that a call to _IO_init is needed to enable
+     custom vtables.  */
+  bool initially_disabled;
+
+  /* Requested return value for the methods which have one.  */
+  int return_value;
+
+  /* A value (usually a character) recorded by some of the methods
+     below.  */
+  int value;
+
+  /* Likewise, for some data.  */
+  char buffer[16];
+  size_t buffer_length;
+
+  /* Total number of method calls.  */
+  unsigned int calls;
+
+  /* Individual method call counts.  */
+  unsigned int calls_finish;
+  unsigned int calls_overflow;
+  unsigned int calls_underflow;
+  unsigned int calls_uflow;
+  unsigned int calls_pbackfail;
+  unsigned int calls_xsputn;
+  unsigned int calls_xsgetn;
+  unsigned int calls_seekoff;
+  unsigned int calls_seekpos;
+  unsigned int calls_setbuf;
+  unsigned int calls_sync;
+  unsigned int calls_doallocate;
+  unsigned int calls_read;
+  unsigned int calls_write;
+  unsigned int calls_seek;
+  unsigned int calls_close;
+  unsigned int calls_stat;
+  unsigned int calls_showmanyc;
+  unsigned int calls_imbue;
+} *shared;
+
+/* Method implementations which increment the counters in *shared.  */
+
+static void
+log_method (FILE *fp, const char *name)
+{
+  if (test_verbose > 0)
+    printf ("info: %s (%p) called\n", name, fp);
+}
+
+static void
+method_finish (FILE *fp, int dummy)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_finish;
+}
+
+static int
+method_overflow (FILE *fp, int ch)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_overflow;
+  shared->value = ch;
+  return shared->return_value;
+}
+
+static int
+method_underflow (FILE *fp)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_underflow;
+  return shared->return_value;
+}
+
+static int
+method_uflow (FILE *fp)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_uflow;
+  return shared->return_value;
+}
+
+static int
+method_pbackfail (FILE *fp, int ch)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_pbackfail;
+  shared->value = ch;
+  return shared->return_value;
+}
+
+static size_t
+method_xsputn (FILE *fp, const void *data, size_t n)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_xsputn;
+
+  size_t to_copy = n;
+  if (n > sizeof (shared->buffer))
+    to_copy = sizeof (shared->buffer);
+  memcpy (shared->buffer, data, to_copy);
+  shared->buffer_length = to_copy;
+  return to_copy;
+}
+
+static size_t
+method_xsgetn (FILE *fp, void *data, size_t n)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_xsgetn;
+  return 0;
+}
+
+static off64_t
+method_seekoff (FILE *fp, off64_t offset, int dir, int mode)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_seekoff;
+  return shared->return_value;
+}
+
+static off64_t
+method_seekpos (FILE *fp, off64_t offset, int mode)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_seekpos;
+  return shared->return_value;
+}
+
+static FILE *
+method_setbuf (FILE *fp, char *buffer, ssize_t length)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_setbuf;
+  return fp;
+}
+
+static int
+method_sync (FILE *fp)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_sync;
+  return shared->return_value;
+}
+
+static int
+method_doallocate (FILE *fp)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_doallocate;
+  return shared->return_value;
+}
+
+static ssize_t
+method_read (FILE *fp, void *data, ssize_t length)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_read;
+  return shared->return_value;
+}
+
+static ssize_t
+method_write (FILE *fp, const void *data, ssize_t length)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_write;
+  return shared->return_value;
+}
+
+static off64_t
+method_seek (FILE *fp, off64_t offset, int mode)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_seek;
+  return shared->return_value;
+}
+
+static int
+method_close (FILE *fp)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_close;
+  return shared->return_value;
+}
+
+static int
+method_stat (FILE *fp, void *buffer)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_stat;
+  return shared->return_value;
+}
+
+static int
+method_showmanyc (FILE *fp)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_showmanyc;
+  return shared->return_value;
+}
+
+static void
+method_imbue (FILE *fp, void *locale)
+{
+  log_method (fp, __func__);
+  TEST_VERIFY (fp == shared->fp);
+  ++shared->calls;
+  ++shared->calls_imbue;
+}
+
+/* Our custom vtable.  */
+
+static const struct _IO_jump_t jumps =
+{
+  JUMP_INIT_DUMMY,
+  JUMP_INIT (finish, method_finish),
+  JUMP_INIT (overflow, method_overflow),
+  JUMP_INIT (underflow, method_underflow),
+  JUMP_INIT (uflow, method_uflow),
+  JUMP_INIT (pbackfail, method_pbackfail),
+  JUMP_INIT (xsputn, method_xsputn),
+  JUMP_INIT (xsgetn, method_xsgetn),
+  JUMP_INIT (seekoff, method_seekoff),
+  JUMP_INIT (seekpos, method_seekpos),
+  JUMP_INIT (setbuf, method_setbuf),
+  JUMP_INIT (sync, method_sync),
+  JUMP_INIT (doallocate, method_doallocate),
+  JUMP_INIT (read, method_read),
+  JUMP_INIT (write, method_write),
+  JUMP_INIT (seek, method_seek),
+  JUMP_INIT (close, method_close),
+  JUMP_INIT (stat, method_stat),
+  JUMP_INIT (showmanyc, method_showmanyc),
+  JUMP_INIT (imbue, method_imbue)
+};
+
+/* Our file implementation.  */
+
+struct my_file
+{
+  FILE f;
+  const struct _IO_jump_t *vtable;
+};
+
+struct my_file
+my_file_create (void)
+{
+  return (struct my_file)
+    {
+      /* Disable locking, so that we do not have to set up a lock
+         pointer.  */
+      .f._flags =  _IO_USER_LOCK,
+
+      /* Copy the offset from the an initialized handle, instead of
+         figuring it out from scratch.  */
+      .f._vtable_offset = stdin->_vtable_offset,
+
+      .vtable = &jumps,
+    };
+}
+
+/* Initial tests which do not enable vtable compatibility.  */
+
+/* Inhibit GCC optimization of fprintf.  */
+typedef int (*fprintf_type) (FILE *, const char *, ...);
+static const volatile fprintf_type fprintf_ptr = &fprintf;
+
+static void
+without_compatibility_fprintf (void *closure)
+{
+  /* This call should abort.  */
+  fprintf_ptr (shared->fp, " ");
+  _exit (1);
+}
+
+static void
+without_compatibility_fputc (void *closure)
+{
+  /* This call should abort.  */
+  fputc (' ', shared->fp);
+  _exit (1);
+}
+
+static void
+without_compatibility_fgetc (void *closure)
+{
+  /* This call should abort.  */
+  fgetc (shared->fp);
+  _exit (1);
+}
+
+static void
+without_compatibility_fflush (void *closure)
+{
+  /* This call should abort.  */
+  fflush (shared->fp);
+  _exit (1);
+}
+
+/* Exit status after abnormal termination.  */
+static int termination_status;
+
+static void
+init_termination_status (void)
+{
+  pid_t pid = xfork ();
+  if (pid == 0)
+    abort ();
+  xwaitpid (pid, &termination_status, 0);
+
+  TEST_VERIFY (WIFSIGNALED (termination_status));
+  TEST_COMPARE (WTERMSIG (termination_status), SIGABRT);
+}
+
+static void
+check_for_termination (const char *name, void (*callback) (void *))
+{
+  struct my_file file = my_file_create ();
+  shared->fp = &file.f;
+  shared->return_value = -1;
+  shared->calls = 0;
+  struct support_capture_subprocess proc
+    = support_capture_subprocess (callback, NULL);
+  support_capture_subprocess_check (&proc, name, termination_status,
+                                    sc_allow_stderr);
+  const char *message
+    = "Fatal error: glibc detected an invalid stdio handle\n";
+  TEST_COMPARE_BLOB (proc.err.buffer, proc.err.length,
+                     message, strlen (message));
+  TEST_COMPARE (shared->calls, 0);
+  support_capture_subprocess_free (&proc);
+}
+
+/* The test with vtable validation disabled.  */
+
+/* This function does not have a prototype in libioP.h to prevent
+   accidental use from within the library (which would disable vtable
+   verification).  */
+void _IO_init (FILE *fp, int flags);
+
+static void
+with_compatibility_fprintf (void *closure)
+{
+  TEST_COMPARE (fprintf_ptr (shared->fp, "A%sCD", "B"), 4);
+  TEST_COMPARE (shared->calls, 3);
+  TEST_COMPARE (shared->calls_xsputn, 3);
+  TEST_COMPARE_BLOB (shared->buffer, shared->buffer_length,
+                     "CD", 2);
+}
+
+static void
+with_compatibility_fputc (void *closure)
+{
+  shared->return_value = '@';
+  TEST_COMPARE (fputc ('@', shared->fp), '@');
+  TEST_COMPARE (shared->calls, 1);
+  TEST_COMPARE (shared->calls_overflow, 1);
+  TEST_COMPARE (shared->value, '@');
+}
+
+static void
+with_compatibility_fgetc (void *closure)
+{
+  shared->return_value = 'X';
+  TEST_COMPARE (fgetc (shared->fp), 'X');
+  TEST_COMPARE (shared->calls, 1);
+  TEST_COMPARE (shared->calls_uflow, 1);
+}
+
+static void
+with_compatibility_fflush (void *closure)
+{
+  TEST_COMPARE (fflush (shared->fp), 0);
+  TEST_COMPARE (shared->calls, 1);
+  TEST_COMPARE (shared->calls_sync, 1);
+}
+
+/* Call CALLBACK in a subprocess, after setting up a custom file
+   object and updating shared->fp.  */
+static void
+check_call (const char *name, void (*callback) (void *),
+            bool initially_disabled)
+{
+  *shared = (struct shared)
+    {
+     .initially_disabled = initially_disabled,
+    };
+
+  /* Set up a custom file object.  */
+  struct my_file file = my_file_create ();
+  shared->fp = &file.f;
+  if (shared->initially_disabled)
+    _IO_init (shared->fp, file.f._flags);
+
+  if (test_verbose > 0)
+    printf ("info: calling test %s\n", name);
+  support_isolate_in_subprocess (callback, NULL);
+}
+
+/* Run the tests.  INITIALLY_DISABLED indicates whether custom vtables
+   are disabled when the test starts.  */
+static int
+run_tests (bool initially_disabled)
+{
+  /* The test relies on fatal error messages being printed to standard
+     error.  */
+  setenv ("LIBC_FATAL_STDERR_", "1", 1);
+
+  shared = support_shared_allocate (sizeof (*shared));
+  shared->initially_disabled = initially_disabled;
+  init_termination_status ();
+
+  if (initially_disabled)
+    {
+      check_for_termination ("fprintf", without_compatibility_fprintf);
+      check_for_termination ("fputc", without_compatibility_fputc);
+      check_for_termination ("fgetc", without_compatibility_fgetc);
+      check_for_termination ("fflush", without_compatibility_fflush);
+    }
+
+  check_call ("fprintf", with_compatibility_fprintf, initially_disabled);
+  check_call ("fputc", with_compatibility_fputc, initially_disabled);
+  check_call ("fgetc", with_compatibility_fgetc, initially_disabled);
+  check_call ("fflush", with_compatibility_fflush, initially_disabled);
+
+  support_shared_free (shared);
+  shared = NULL;
+
+  return 0;
+}
diff --git a/libio/tst-vtables-interposed.c b/libio/tst-vtables-interposed.c
new file mode 100644
index 0000000000..c8f4e8c7c3
--- /dev/null
+++ b/libio/tst-vtables-interposed.c
@@ -0,0 +1,37 @@
+/* Test for libio vtables and their validation.  Enabled through interposition.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* Provide an interposed definition of the standard file handles with
+   our own vtable.  stdout/stdin/stderr will not work as a result, but
+   a succesful test does not print anything, so this is fine.  */
+static const struct _IO_jump_t jumps;
+#define _IO_file_jumps jumps
+#include "stdfiles.c"
+
+#include "tst-vtables-common.c"
+
+static int
+do_test (void)
+{
+  return run_tests (false);
+}
+
+/* Calling setvbuf in the test driver is not supported with our
+   interposed file handles.  */
+#define TEST_NO_SETVBUF
+#include <support/test-driver.c>
diff --git a/libio/tst-vtables.c b/libio/tst-vtables.c
new file mode 100644
index 0000000000..f16acf5d23
--- /dev/null
+++ b/libio/tst-vtables.c
@@ -0,0 +1,29 @@
+/* Test for libio vtables and their validation.  Initially disabled case.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include "libioP.h"
+
+#include "tst-vtables-common.c"
+
+static int
+do_test (void)
+{
+  return run_tests (true);
+}
+
+#include <support/test-driver.c>
diff --git a/libio/vasprintf.c b/libio/vasprintf.c
index 390a63d124..0bb217e46e 100644
--- a/libio/vasprintf.c
+++ b/libio/vasprintf.c
@@ -54,8 +54,8 @@ _IO_vasprintf (char **result_ptr, const char *format, _IO_va_list args)
   _IO_JUMPS (&sf._sbf) = &_IO_str_jumps;
   _IO_str_init_static_internal (&sf, string, init_string_size, string);
   sf._sbf._f._flags &= ~_IO_USER_BUF;
-  sf._s._allocate_buffer = (_IO_alloc_type) malloc;
-  sf._s._free_buffer = (_IO_free_type) free;
+  sf._s._allocate_buffer_unused = (_IO_alloc_type) malloc;
+  sf._s._free_buffer_unused = (_IO_free_type) free;
   ret = _IO_vfprintf (&sf._sbf._f, format, args);
   if (ret < 0)
     {
diff --git a/libio/vtables.c b/libio/vtables.c
index 9fd4ccf642..9df75668c8 100644
--- a/libio/vtables.c
+++ b/libio/vtables.c
@@ -71,3 +71,19 @@ _IO_vtable_check (void)
 
   __libc_fatal ("Fatal error: glibc detected an invalid stdio handle\n");
 }
+
+/* Some variants of libstdc++ interpose _IO_2_1_stdin_ etc. and
+   install their own vtables directly, without calling _IO_init or
+   other functions.  Detect this by looking at the vtables values
+   during startup, and disable vtable validation in this case.  */
+#ifdef SHARED
+__attribute__ ((constructor))
+static void
+check_stdfiles_vtables (void)
+{
+  if (_IO_2_1_stdin_.vtable != &_IO_file_jumps
+      || _IO_2_1_stdout_.vtable != &_IO_file_jumps
+      || _IO_2_1_stderr_.vtable != &_IO_file_jumps)
+    IO_set_accept_foreign_vtables (&_IO_vtable_check);
+}
+#endif
diff --git a/libio/wmemstream.c b/libio/wmemstream.c
index c962071d26..f4c6e75246 100644
--- a/libio/wmemstream.c
+++ b/libio/wmemstream.c
@@ -92,8 +92,8 @@ open_wmemstream (wchar_t **bufloc, _IO_size_t *sizeloc)
   _IO_wstr_init_static (&new_f->fp._sf._sbf._f, buf,
 			_IO_BUFSIZ / sizeof (wchar_t), buf);
   new_f->fp._sf._sbf._f._flags2 &= ~_IO_FLAGS2_USER_WBUF;
-  new_f->fp._sf._s._allocate_buffer = (_IO_alloc_type) malloc;
-  new_f->fp._sf._s._free_buffer = (_IO_free_type) free;
+  new_f->fp._sf._s._allocate_buffer_unused = (_IO_alloc_type) malloc;
+  new_f->fp._sf._s._free_buffer_unused = (_IO_free_type) free;
 
   new_f->fp.bufloc = bufloc;
   new_f->fp.sizeloc = sizeloc;
diff --git a/libio/wstrops.c b/libio/wstrops.c
index a3374a7b15..0839a70bfb 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -63,7 +63,7 @@ _IO_wstr_init_static (_IO_FILE *fp, wchar_t *ptr, _IO_size_t size,
       fp->_wide_data->_IO_read_end = end;
     }
   /* A null _allocate_buffer function flags the strfile as being static. */
-  (((_IO_strfile *) fp)->_s._allocate_buffer) = (_IO_alloc_type)0;
+  (((_IO_strfile *) fp)->_s._allocate_buffer_unused) = (_IO_alloc_type)0;
 }
 
 _IO_wint_t
@@ -95,9 +95,7 @@ _IO_wstr_overflow (_IO_FILE *fp, _IO_wint_t c)
 	      || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
 	    return EOF;
 
-	  new_buf
-	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
-									* sizeof (wchar_t));
+	  new_buf = malloc (new_size * sizeof (wchar_t));
 	  if (new_buf == NULL)
 	    {
 	      /*	  __ferror(fp) = 1; */
@@ -106,7 +104,7 @@ _IO_wstr_overflow (_IO_FILE *fp, _IO_wint_t c)
 	  if (old_buf)
 	    {
 	      __wmemcpy (new_buf, old_buf, old_wblen);
-	      (*((_IO_strfile *) fp)->_s._free_buffer) (old_buf);
+	      free (old_buf);
 	      /* Make sure _IO_setb won't try to delete _IO_buf_base. */
 	      fp->_wide_data->_IO_buf_base = NULL;
 	    }
@@ -186,16 +184,14 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
     return 1;
 
   wchar_t *oldbuf = wd->_IO_buf_base;
-  wchar_t *newbuf
-    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
-								* sizeof (wchar_t));
+  wchar_t *newbuf = malloc (newsize * sizeof (wchar_t));
   if (newbuf == NULL)
     return 1;
 
   if (oldbuf != NULL)
     {
       __wmemcpy (newbuf, oldbuf, _IO_wblen (fp));
-      (*((_IO_strfile *) fp)->_s._free_buffer) (oldbuf);
+      free (oldbuf);
       /* Make sure _IO_setb won't try to delete
 	 _IO_buf_base. */
       wd->_IO_buf_base = NULL;
@@ -357,7 +353,7 @@ void
 _IO_wstr_finish (_IO_FILE *fp, int dummy)
 {
   if (fp->_wide_data->_IO_buf_base && !(fp->_flags2 & _IO_FLAGS2_USER_WBUF))
-    (((_IO_strfile *) fp)->_s._free_buffer) (fp->_wide_data->_IO_buf_base);
+    free (fp->_wide_data->_IO_buf_base);
   fp->_wide_data->_IO_buf_base = NULL;
 
   _IO_wdefault_finish (fp, 0);
diff --git a/localedata/locales/ca_ES b/localedata/locales/ca_ES
index 914c066dab..f0d744d537 100644
--- a/localedata/locales/ca_ES
+++ b/localedata/locales/ca_ES
@@ -106,36 +106,67 @@ grouping             0;0
 END LC_NUMERIC
 
 LC_TIME
-abday   "dg";"dl";"dt";"dc";"dj";"dv";"ds"
-day     "diumenge";/
-        "dilluns";/
-        "dimarts";/
-        "dimecres";/
-        "dijous";/
-        "divendres";/
-        "dissabte"
-abmon   "gen";"feb";/
-        "mar";"abr";/
-        "mai";"jun";/
-        "jul";"ago";/
-        "set";"oct";/
-        "nov";"des"
-mon     "gener";/
-        "febrer";/
-        "mar<U00E7>";/
-        "abril";/
-        "maig";/
-        "juny";/
-        "juliol";/
-        "agost";/
-        "setembre";/
-        "octubre";/
-        "novembre";/
-        "desembre"
-d_t_fmt "%a %d %b %Y %T %Z"
-d_fmt   "%d//%m//%y"
-t_fmt   "%T"
-am_pm   "";""
+abday      "dg.";"dl.";"dt.";"dc.";"dj.";"dv.";"ds."
+day        "diumenge";/
+           "dilluns";/
+           "dimarts";/
+           "dimecres";/
+           "dijous";/
+           "divendres";/
+           "dissabte"
+ab_alt_mon "gen.";/
+           "febr.";/
+           "mar<U00E7>";/
+           "abr.";/
+           "maig";/
+           "juny";/
+           "jul.";/
+           "ag.";/
+           "set.";/
+           "oct.";/
+           "nov.";/
+           "des."
+abmon      "de gen.";/
+           "de febr.";/
+           "de mar<U00E7>";/
+           "d<U2019>abr.";/
+           "de maig";/
+           "de juny";/
+           "de jul.";/
+           "d<U2019>ag.";/
+           "de set.";/
+           "d<U2019>oct.";/
+           "de nov.";/
+           "de des."
+alt_mon    "gener";/
+           "febrer";/
+           "mar<U00E7>";/
+           "abril";/
+           "maig";/
+           "juny";/
+           "juliol";/
+           "agost";/
+           "setembre";/
+           "octubre";/
+           "novembre";/
+           "desembre"
+mon        "de gener";/
+           "de febrer";/
+           "de mar<U00E7>";/
+           "d<U2019>abril";/
+           "de maig";/
+           "de juny";/
+           "de juliol";/
+           "d<U2019>agost";/
+           "de setembre";/
+           "d<U2019>octubre";/
+           "de novembre";/
+           "de desembre"
+d_t_fmt    "%A, %-d %B de %Y, %T %Z"
+d_fmt      "%-d//%-m//%y"
+t_fmt      "%T"
+am_pm      "a. m.";/
+           "p. m."
 t_fmt_ampm ""
 week 7;19971130;4
 first_weekday 2
@@ -146,9 +177,9 @@ copy "i18n"
 END LC_PAPER
 
 LC_TELEPHONE
-tel_int_fmt    "+%c %a %l"
-int_prefix     "34"
-int_select     "00"
+tel_int_fmt  "+%c %a %l"
+int_prefix   "34"
+int_select   "00"
 END LC_TELEPHONE
 
 LC_MEASUREMENT
@@ -156,19 +187,19 @@ copy "i18n"
 END LC_MEASUREMENT
 
 LC_NAME
-name_fmt    "%d%t%g%t%m%t%f"
+name_fmt     "%d%t%g%t%m%t%f"
 END LC_NAME
 
 LC_ADDRESS
-postal_fmt    "%f%N%a%N%d%N%b%N%s %h %e %r%N%z %T%N%c%N"
+postal_fmt   "%f%N%a%N%d%N%b%N%s %h %e %r%N%z %T%N%c%N"
 country_name "Espanya"
-country_ab2 "ES"
-country_ab3 "ESP"
-country_num 724
-country_car    "E"
+country_ab2  "ES"
+country_ab3  "ESP"
+country_num  724
+country_car  "E"
 % català
 lang_name    "catal<U00E0>"
 lang_ab      "ca"
 lang_term    "cat"
-lang_lib    "cat"
+lang_lib     "cat"
 END LC_ADDRESS
diff --git a/localedata/locales/cs_CZ b/localedata/locales/cs_CZ
index f80d3e1b37..8f4c69e493 100644
--- a/localedata/locales/cs_CZ
+++ b/localedata/locales/cs_CZ
@@ -272,7 +272,7 @@ day		"Ned<U011B>le";/
 		"P<U00E1>tek";/
 		"Sobota"
 
-mon		"leden";/
+alt_mon		"leden";/
 		"<U00FA>nor";/
 		"b<U0159>ezen";/
 		"duben";/
@@ -334,6 +334,19 @@ abmon		"led";/
 %		"Nov";/
 %		"Dec"
 
+mon		"ledna";/
+		"<U00FA>nora";/
+		"b<U0159>ezna";/
+		"dubna";/
+		"kv<U011B>tna";/
+		"<U010D>ervna";/
+		"<U010D>ervence";/
+		"srpna";/
+		"z<U00E1><U0159><U00ED>";/
+		"<U0159><U00ED>jna";/
+		"listopadu";/
+		"prosince"
+
 week		7;19971130;4
 first_weekday	2
 
diff --git a/localedata/locales/el_CY b/localedata/locales/el_CY
index f27a74bb76..28055f335b 100644
--- a/localedata/locales/el_CY
+++ b/localedata/locales/el_CY
@@ -72,12 +72,18 @@ day     "<U039A><U03C5><U03C1><U03B9><U03B1><U03BA><U03AE>";/
         "<U03A0><U03AD><U03BC><U03C0><U03C4><U03B7>";/
         "<U03A0><U03B1><U03C1><U03B1><U03C3><U03BA><U03B5><U03C5><U03AE>";/
         "<U03A3><U03AC><U03B2><U03B2><U03B1><U03C4><U03BF>"
-abmon   "<U0399><U03B1><U03BD>";"<U03A6><U03B5><U03B2>";/
+ab_alt_mon "<U0399><U03B1><U03BD>";"<U03A6><U03B5><U03B2>";/
         "<U039C><U03AC><U03C1>";"<U0391><U03C0><U03C1>";/
         "<U039C><U03AC><U03B9>";"<U0399><U03BF><U03CD><U03BD>";/
         "<U0399><U03BF><U03CD><U03BB>";"<U0391><U03CD><U03B3>";/
         "<U03A3><U03B5><U03C0>";"<U039F><U03BA><U03C4>";/
         "<U039D><U03BF><U03AD>";"<U0394><U03B5><U03BA>"
+abmon   "<U0399><U03B1><U03BD>";"<U03A6><U03B5><U03B2>";/
+        "<U039C><U03B1><U03C1>";"<U0391><U03C0><U03C1>";/
+        "<U039C><U03B1><U0390>";"<U0399><U03BF><U03C5><U03BD>";/
+        "<U0399><U03BF><U03C5><U03BB>";"<U0391><U03C5><U03B3>";/
+        "<U03A3><U03B5><U03C0>";"<U039F><U03BA><U03C4>";/
+        "<U039D><U03BF><U03B5>";"<U0394><U03B5><U03BA>"
 alt_mon "<U0399><U03B1><U03BD><U03BF><U03C5><U03AC><U03C1><U03B9><U03BF><U03C2>";/
         "<U03A6><U03B5><U03B2><U03C1><U03BF><U03C5><U03AC><U03C1><U03B9><U03BF><U03C2>";/
         "<U039C><U03AC><U03C1><U03C4><U03B9><U03BF><U03C2>";/
diff --git a/localedata/locales/el_GR b/localedata/locales/el_GR
index a82ef8c6d9..7362492fbd 100644
--- a/localedata/locales/el_GR
+++ b/localedata/locales/el_GR
@@ -104,12 +104,18 @@ day     "<U039A><U03C5><U03C1><U03B9><U03B1><U03BA><U03AE>";/
         "<U03A0><U03AD><U03BC><U03C0><U03C4><U03B7>";/
         "<U03A0><U03B1><U03C1><U03B1><U03C3><U03BA><U03B5><U03C5><U03AE>";/
         "<U03A3><U03AC><U03B2><U03B2><U03B1><U03C4><U03BF>"
-abmon   "<U0399><U03B1><U03BD>";"<U03A6><U03B5><U03B2>";/
+ab_alt_mon "<U0399><U03B1><U03BD>";"<U03A6><U03B5><U03B2>";/
         "<U039C><U03AC><U03C1>";"<U0391><U03C0><U03C1>";/
         "<U039C><U03AC><U03B9>";"<U0399><U03BF><U03CD><U03BD>";/
         "<U0399><U03BF><U03CD><U03BB>";"<U0391><U03CD><U03B3>";/
         "<U03A3><U03B5><U03C0>";"<U039F><U03BA><U03C4>";/
         "<U039D><U03BF><U03AD>";"<U0394><U03B5><U03BA>"
+abmon   "<U0399><U03B1><U03BD>";"<U03A6><U03B5><U03B2>";/
+        "<U039C><U03B1><U03C1>";"<U0391><U03C0><U03C1>";/
+        "<U039C><U03B1><U0390>";"<U0399><U03BF><U03C5><U03BD>";/
+        "<U0399><U03BF><U03C5><U03BB>";"<U0391><U03C5><U03B3>";/
+        "<U03A3><U03B5><U03C0>";"<U039F><U03BA><U03C4>";/
+        "<U039D><U03BF><U03B5>";"<U0394><U03B5><U03BA>"
 alt_mon "<U0399><U03B1><U03BD><U03BF><U03C5><U03AC><U03C1><U03B9><U03BF><U03C2>";/
         "<U03A6><U03B5><U03B2><U03C1><U03BF><U03C5><U03AC><U03C1><U03B9><U03BF><U03C2>";/
         "<U039C><U03AC><U03C1><U03C4><U03B9><U03BF><U03C2>";/
diff --git a/localedata/locales/es_BO b/localedata/locales/es_BO
index 4202c5a0cf..5b6c6e2312 100644
--- a/localedata/locales/es_BO
+++ b/localedata/locales/es_BO
@@ -124,7 +124,7 @@ first_weekday 2
 END LC_TIME
 
 LC_PAPER
-copy "i18n"
+copy "en_US"
 END LC_PAPER
 
 LC_TELEPHONE
diff --git a/localedata/locales/et_EE b/localedata/locales/et_EE
index 9cb55b568f..bab7493c98 100644
--- a/localedata/locales/et_EE
+++ b/localedata/locales/et_EE
@@ -103,6 +103,8 @@ reorder-after <w>
 <U00FC> <u-diaresis>;<BAS>;<MIN>;IGNORE % ü
 <U00DC> <u-diaresis>;<BAS>;<CAP>;IGNORE % Ü
 
+reorder-end
+
 END LC_COLLATE
 
 LC_CTYPE
diff --git a/localedata/locales/gd_GB b/localedata/locales/gd_GB
index 676ee940c9..77d11e5977 100644
--- a/localedata/locales/gd_GB
+++ b/localedata/locales/gd_GB
@@ -66,12 +66,12 @@ mon           "Am Faoilleach";/
      "An D<U00E0>mhair";/
      "An t-Samhain";/
      "An D<U00F9>bhlachd"
-% Faoi, Gearr, Màrt, Gibl, Mhàrt, Ògmh, Iuch, Lùna, Sult, Dàmh, Samh, Dùbh
+% Faoi, Gearr, Màrt, Gibl, Cèit, Ògmh, Iuch, Lùna, Sult, Dàmh, Samh, Dùbh
 abmon         "Faoi";/
        "Gearr";/
        "M<U00E0>rt";/
        "Gibl";/
-       "Mh<U00E0>rt";/
+       "C<U00E8>it";/
        "<U00D2>gmh";/
        "Iuch";/
        "L<U00F9>na";/
diff --git a/localedata/locales/lt_LT b/localedata/locales/lt_LT
index c935fcf75e..bec67726e9 100644
--- a/localedata/locales/lt_LT
+++ b/localedata/locales/lt_LT
@@ -201,12 +201,12 @@ day       "Sekmadienis";/
           "Ketvirtadienis";/
           "Penktadienis";/
           "<U0160>e<U0161>tadienis"
-abmon     "Sau";"Vas";/
-          "Kov";"Bal";/
-          "Geg";"Bir";/
-          "Lie";"Rgp";/
-          "Rgs";"Spa";/
-          "Lap";"Grd"
+abmon     "saus.";"vas.";/
+          "kov.";"bal.";/
+          "geg.";"bir<U017E>.";/
+          "liep.";"rugp.";/
+          "rugs.";"spal.";/
+          "lapkr.";"gruod."
 alt_mon   "sausis";/
           "vasaris";/
           "kovas";/
diff --git a/manual/charset.texi b/manual/charset.texi
index 1867ace485..f6a980f6cb 100644
--- a/manual/charset.texi
+++ b/manual/charset.texi
@@ -643,8 +643,8 @@ and they also do not require it to be in the initial state.
 @cindex stateful
 The @code{mbrtowc} function (``multibyte restartable to wide
 character'') converts the next multibyte character in the string pointed
-to by @var{s} into a wide character and stores it in the wide character
-string pointed to by @var{pwc}.  The conversion is performed according
+to by @var{s} into a wide character and stores it in the location
+pointed to by @var{pwc}.  The conversion is performed according
 to the locale currently selected for the @code{LC_CTYPE} category.  If
 the conversion for the character set used in the locale requires a state,
 the multibyte string is interpreted in the state represented by the
@@ -652,7 +652,7 @@ object pointed to by @var{ps}.  If @var{ps} is a null pointer, a static,
 internal state variable used only by the @code{mbrtowc} function is
 used.
 
-If the next multibyte character corresponds to the NUL wide character,
+If the next multibyte character corresponds to the null wide character,
 the return value of the function is @math{0} and the state object is
 afterwards in the initial state.  If the next @var{n} or fewer bytes
 form a correct multibyte character, the return value is the number of
@@ -665,71 +665,59 @@ by @var{pwc} if @var{pwc} is not null.
 If the first @var{n} bytes of the multibyte string possibly form a valid
 multibyte character but there are more than @var{n} bytes needed to
 complete it, the return value of the function is @code{(size_t) -2} and
-no value is stored.  Please note that this can happen even if @var{n}
-has a value greater than or equal to @code{MB_CUR_MAX} since the input
-might contain redundant shift sequences.
+no value is stored in @code{*@var{pwc}}.  The conversion state is
+updated and all @var{n} input bytes are consumed and should not be
+submitted again.  Please note that this can happen even if @var{n} has a
+value greater than or equal to @code{MB_CUR_MAX} since the input might
+contain redundant shift sequences.
 
 If the first @code{n} bytes of the multibyte string cannot possibly form
 a valid multibyte character, no value is stored, the global variable
 @code{errno} is set to the value @code{EILSEQ}, and the function returns
 @code{(size_t) -1}.  The conversion state is afterwards undefined.
 
+As specified, the @code{mbrtowc} function could deal with multibyte
+sequences which contain embedded null bytes (which happens in Unicode
+encodings such as UTF-16), but @theglibc{} does not support such
+multibyte encodings.  When encountering a null input byte, the function
+will either return zero, or return @code{(size_t) -1)} and report a
+@code{EILSEQ} error.  The @code{iconv} function can be used for
+converting between arbitrary encodings.  @xref{Generic Conversion
+Interface}.
+
 @pindex wchar.h
 @code{mbrtowc} was introduced in @w{Amendment 1} to @w{ISO C90} and
 is declared in @file{wchar.h}.
 @end deftypefun
 
-Use of @code{mbrtowc} is straightforward.  A function that copies a
-multibyte string into a wide character string while at the same time
-converting all lowercase characters into uppercase could look like this
-(this is not the final version, just an example; it has no error
-checking, and sometimes leaks memory):
+A function that copies a multibyte string into a wide character string
+while at the same time converting all lowercase characters into
+uppercase could look like this:
 
 @smallexample
-wchar_t *
-mbstouwcs (const char *s)
-@{
-  size_t len = strlen (s);
-  wchar_t *result = malloc ((len + 1) * sizeof (wchar_t));
-  wchar_t *wcp = result;
-  wchar_t tmp[1];
-  mbstate_t state;
-  size_t nbytes;
-
-  memset (&state, '\0', sizeof (state));
-  while ((nbytes = mbrtowc (tmp, s, len, &state)) > 0)
-    @{
-      if (nbytes >= (size_t) -2)
-        /* Invalid input string.  */
-        return NULL;
-      *wcp++ = towupper (tmp[0]);
-      len -= nbytes;
-      s += nbytes;
-    @}
-  return result;
-@}
+@include mbstouwcs.c.texi
 @end smallexample
 
-The use of @code{mbrtowc} should be clear.  A single wide character is
-stored in @code{@var{tmp}[0]}, and the number of consumed bytes is stored
-in the variable @var{nbytes}.  If the conversion is successful, the
-uppercase variant of the wide character is stored in the @var{result}
-array and the pointer to the input string and the number of available
-bytes is adjusted.
-
-The only non-obvious thing about @code{mbrtowc} might be the way memory
-is allocated for the result.  The above code uses the fact that there
-can never be more wide characters in the converted result than there are
-bytes in the multibyte input string.  This method yields a pessimistic
-guess about the size of the result, and if many wide character strings
-have to be constructed this way or if the strings are long, the extra
-memory required to be allocated because the input string contains
-multibyte characters might be significant.  The allocated memory block can
-be resized to the correct size before returning it, but a better solution
-might be to allocate just the right amount of space for the result right
-away.  Unfortunately there is no function to compute the length of the wide
-character string directly from the multibyte string.  There is, however, a
-function that does part of the work.
+In the inner loop, a single wide character is stored in @code{wc}, and
+the number of consumed bytes is stored in the variable @code{nbytes}.
+If the conversion is successful, the uppercase variant of the wide
+character is stored in the @code{result} array and the pointer to the
+input string and the number of available bytes is adjusted.  If the
+@code{mbrtowc} function returns zero, the null input byte has not been
+converted, so it must be stored explicitly in the result.
+
+The above code uses the fact that there can never be more wide
+characters in the converted result than there are bytes in the multibyte
+input string.  This method yields a pessimistic guess about the size of
+the result, and if many wide character strings have to be constructed
+this way or if the strings are long, the extra memory required to be
+allocated because the input string contains multibyte characters might
+be significant.  The allocated memory block can be resized to the
+correct size before returning it, but a better solution might be to
+allocate just the right amount of space for the result right away.
+Unfortunately there is no function to compute the length of the wide
+character string directly from the multibyte string.  There is, however,
+a function that does part of the work.
 
 @deftypefun size_t mbrlen (const char *restrict @var{s}, size_t @var{n}, mbstate_t *@var{ps})
 @standards{ISO, wchar.h}
diff --git a/manual/creature.texi b/manual/creature.texi
index 96f8ee0a0c..fe7a7790a2 100644
--- a/manual/creature.texi
+++ b/manual/creature.texi
@@ -8,7 +8,7 @@ is controlled by which @dfn{feature test macros} you define.
 If you compile your programs using @samp{gcc -ansi}, you get only the
 @w{ISO C} library features, unless you explicitly request additional
 features by defining one or more of the feature macros.
-@xref{Invoking GCC,, GNU CC Command Options, gcc.info, The GNU CC Manual},
+@xref{Invoking GCC,, GNU CC Command Options, gcc, The GNU CC Manual},
 for more information about GCC options.@refill
 
 You should define these macros by using @samp{#define} preprocessor
@@ -61,13 +61,27 @@ If you define this macro to a value greater than or equal to @code{199309L},
 then the functionality from the 1993 edition of the POSIX.1b standard
 (IEEE Standard 1003.1b-1993) is made available.
 
+If you define this macro to a value greater than or equal to
+@code{199506L}, then the functionality from the 1995 edition of the
+POSIX.1c standard (IEEE Standard 1003.1c-1995) is made available.
+
+If you define this macro to a value greater than or equal to
+@code{200112L}, then the functionality from the 2001 edition of the
+POSIX standard (IEEE Standard 1003.1-2001) is made available.
+
+If you define this macro to a value greater than or equal to
+@code{200809L}, then the functionality from the 2008 edition of the
+POSIX standard (IEEE Standard 1003.1-2008) is made available.
+
 Greater values for @code{_POSIX_C_SOURCE} will enable future extensions.
 The POSIX standards process will define these values as necessary, and
 @theglibc{} should support them some time after they become standardized.
 The 1996 edition of POSIX.1 (ISO/IEC 9945-1: 1996) states that
 if you define @code{_POSIX_C_SOURCE} to a value greater than
 or equal to @code{199506L}, then the functionality from the 1996
-edition is made available.
+edition is made available.  In general, in @theglibc{}, bugfixes to
+the standards are included when specifying the base version; e.g.,
+POSIX.1-2004 will always be included with a value of @code{200112L}.
 @end defvr
 
 @defvr Macro _XOPEN_SOURCE
@@ -87,7 +101,10 @@ available which are necessary for the X/Open Unix brand.
 
 If the macro @code{_XOPEN_SOURCE} has the value @math{500} this includes
 all functionality described so far plus some new definitions from the
-Single Unix Specification, @w{version 2}.
+Single Unix Specification, @w{version 2}.  The value @math{600}
+(corresponding to the sixth revision) includes definitions from SUSv3,
+and using @math{700} (the seventh revision) includes definitions from
+SUSv4.
 @end defvr
 
 @defvr Macro _LARGEFILE_SOURCE
@@ -150,10 +167,14 @@ This macro was introduced as part of the Large File Support extension
 
 @defvr Macro _ISOC99_SOURCE
 @standards{GNU, (none)}
-Until the revised @w{ISO C} standard is widely adopted the new features
-are not automatically enabled.  @Theglibc{} nevertheless has a complete
-implementation of the new standard and to enable the new features the
-macro @code{_ISOC99_SOURCE} should be defined.
+If this macro is defined, features from ISO C99 are included.  Since
+these features are included by default, this macro is mostly relevant
+when the compiler uses an earlier language version.
+@end defvr
+
+@defvr Macro _ISOC11_SOURCE
+@standards{C11, (none)}
+If this macro is defined, ISO C11 extensions to ISO C99 are included.
 @end defvr
 
 @defvr Macro __STDC_WANT_LIB_EXT2__
@@ -209,6 +230,19 @@ enables those features even when the other options would otherwise
 cause them to be disabled.
 @end defvr
 
+@defvr Macro _ATFILE_SOURCE
+@standards{GNU, (none)}
+If this macro is defined, additional @code{*at} interfaces are
+included.
+@end defvr
+
+@defvr Macro _FORTIFY_SOURCE
+@standards{GNU, (none)}
+If this macro is defined to @math{1}, security hardening is added to
+various library functions.  If defined to @math{2}, even stricter
+checks are applied.
+@end defvr
+
 @defvr Macro _REENTRANT
 @defvrx Macro _THREAD_SAFE
 @standards{Obsolete, (none)}
diff --git a/manual/examples/mbstouwcs.c b/manual/examples/mbstouwcs.c
new file mode 100644
index 0000000000..c94e1fa790
--- /dev/null
+++ b/manual/examples/mbstouwcs.c
@@ -0,0 +1,53 @@
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wchar.h>
+
+/* Do not include the above headers in the example.
+*/
+wchar_t *
+mbstouwcs (const char *s)
+{
+  /* Include the null terminator in the conversion.  */
+  size_t len = strlen (s) + 1;
+  wchar_t *result = reallocarray (NULL, len, sizeof (wchar_t));
+  if (result == NULL)
+    return NULL;
+
+  wchar_t *wcp = result;
+  mbstate_t state;
+  memset (&state, '\0', sizeof (state));
+
+  while (true)
+    {
+      wchar_t wc;
+      size_t nbytes = mbrtowc (&wc, s, len, &state);
+      if (nbytes == 0)
+        {
+          /* Terminate the result string.  */
+          *wcp = L'\0';
+          break;
+        }
+      else if (nbytes == (size_t) -2)
+        {
+          /* Truncated input string.  */
+          errno = EILSEQ;
+          free (result);
+          return NULL;
+        }
+      else if (nbytes == (size_t) -1)
+        {
+          /* Some other error (including EILSEQ).  */
+          free (result);
+          return NULL;
+        }
+      else
+        {
+          /* A character was converted.  */
+          *wcp++ = towupper (wc);
+          len -= nbytes;
+          s += nbytes;
+        }
+    }
+  return result;
+}
diff --git a/manual/filesys.texi b/manual/filesys.texi
index ca77996902..cc70a6b7ee 100644
--- a/manual/filesys.texi
+++ b/manual/filesys.texi
@@ -147,19 +147,20 @@ necessarily enough space to contain the directory name.  That is why
 this function is deprecated.
 @end deftypefn
 
+@vindex PWD
 @deftypefun {char *} get_current_dir_name (void)
 @standards{GNU, unistd.h}
 @safety{@prelim{}@mtsafe{@mtsenv{}}@asunsafe{@ascuheap{}}@acunsafe{@acsmem{} @acsfd{}}}
 @c Besides getcwd, which this function calls as a fallback, it calls
 @c getenv, with the potential thread-safety issues that brings about.
-@vindex PWD
-This @code{get_current_dir_name} function is basically equivalent to
-@w{@code{getcwd (NULL, 0)}}.  The only difference is that the value of
-the @code{PWD} variable is returned if this value is correct.  This is a
-subtle difference which is visible if the path described by the
-@code{PWD} value is using one or more symbol links in which case the
-value returned by @code{getcwd} can resolve the symbol links and
-therefore yield a different result.
+The @code{get_current_dir_name} function is basically equivalent to
+@w{@code{getcwd (NULL, 0)}}, except the value of the @env{PWD}
+environment variable is first examined, and if it does in fact
+correspond to the current directory, that value is returned.  This is
+a subtle difference which is visible if the path described by the
+value in @env{PWD} is using one or more symbolic links, in which case
+the value returned by @code{getcwd} would resolve the symbolic links
+and therefore yield a different result.
 
 This function is a GNU extension.
 @end deftypefun
diff --git a/manual/llio.texi b/manual/llio.texi
index 642e56e710..82f03be2be 100644
--- a/manual/llio.texi
+++ b/manual/llio.texi
@@ -1251,9 +1251,13 @@ When the source file is compiled using @code{_FILE_OFFSET_BITS == 64} on a
 @c This is a syscall for Linux v4.6.  The sysdeps/posix fallback emulation
 @c is also MT-Safe since it calls preadv.
 
-This function is similar to the @code{preadv} function, with the difference
-it adds an extra @var{flags} parameter of type @code{int}.  The supported
-@var{flags} are dependent of the underlying system.  For Linux it supports:
+This function is similar to the @code{preadv} function, with the
+difference it adds an extra @var{flags} parameter of type @code{int}.
+Additionally, if @var{offset} is @math{-1}, the current file position
+is used and updated (like the @code{readv} function).
+
+The supported @var{flags} are dependent of the underlying system.  For
+Linux it supports:
 
 @vtable @code
 @item RWF_HIPRI
@@ -1271,6 +1275,9 @@ Per-IO synchronization as if the file was opened with @code{O_SYNC} flag.
 @item RWF_NOWAIT
 Use nonblocking mode for this operation; that is, this call to @code{preadv2}
 will fail and set @code{errno} to @code{EAGAIN} if the operation would block.
+
+@item RWF_APPEND
+Per-IO synchronization as if the file was opened with @code{O_APPEND} flag.
 @end vtable
 
 When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} the
@@ -1320,10 +1327,13 @@ When the source file is compiled using @code{_FILE_OFFSET_BITS == 64} on a
 @c This is a syscall for Linux v4.6.  The sysdeps/posix fallback emulation
 @c is also MT-Safe since it calls pwritev.
 
-This function is similar to the @code{pwritev} function, with the difference
-it adds an extra @var{flags} parameter of type @code{int}.  The supported
-@var{flags} are dependent of the underlying system and for Linux it supports
-the same ones as for @code{preadv2}.
+This function is similar to the @code{pwritev} function, with the
+difference it adds an extra @var{flags} parameter of type @code{int}.
+Additionally, if @var{offset} is @math{-1}, the current file position
+should is used and updated (like the @code{writev} function).
+
+The supported @var{flags} are dependent of the underlying system.  For
+Linux, the supported flags are the same as those for @code{preadv2}.
 
 When the source file is compiled with @code{_FILE_OFFSET_BITS == 64} the
 @code{pwritev2} function is in fact @code{pwritev64v2} and the type
diff --git a/manual/platform.texi b/manual/platform.texi
index b8721a0712..504addc956 100644
--- a/manual/platform.texi
+++ b/manual/platform.texi
@@ -123,7 +123,7 @@ when it is not allowed, the priority is set to medium.
 Cache management facilities specific to RISC-V systems that implement the Linux
 ABI are declared in @file{sys/cachectl.h}.
 
-@deftypefun {void} __riscv_flush_icache(void *@var{start}, void *@var{end}, unsigned long int @var{flags})
+@deftypefun {void} __riscv_flush_icache (void *@var{start}, void *@var{end}, unsigned long int @var{flags})
 @safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
 Enforce ordering between stores and instruction cache fetches.  The range of
 addresses over which ordering is enforced is specified by @var{start} and
diff --git a/manual/stdio.texi b/manual/stdio.texi
index 5d7b50c442..38be236991 100644
--- a/manual/stdio.texi
+++ b/manual/stdio.texi
@@ -1808,7 +1808,7 @@ verifies that the correct number and types of arguments are supplied.
 There is also a GNU C syntax to tell the compiler that a function you
 write uses a @code{printf}-style format string.
 @xref{Function Attributes, , Declaring Attributes of Functions,
-gcc.info, Using GNU CC}, for more information.
+gcc, Using GNU CC}, for more information.
 
 @node Table of Output Conversions
 @subsection Table of Output Conversions
@@ -2730,7 +2730,7 @@ This tells the compiler that @code{eprintf} uses a format string like
 the format string appears as the first argument;
 and the arguments to satisfy the format begin with the second.
 @xref{Function Attributes, , Declaring Attributes of Functions,
-gcc.info, Using GNU CC}, for more information.
+gcc, Using GNU CC}, for more information.
 
 @node Parsing a Template String
 @subsection Parsing a Template String
@@ -3478,7 +3478,7 @@ verifies that the correct number and types of arguments are supplied.
 There is also a GNU C syntax to tell the compiler that a function you
 write uses a @code{scanf}-style format string.
 @xref{Function Attributes, , Declaring Attributes of Functions,
-gcc.info, Using GNU CC}, for more information.
+gcc, Using GNU CC}, for more information.
 
 @node Table of Input Conversions
 @subsection Table of Input Conversions
@@ -4033,7 +4033,7 @@ know that a function uses a @code{scanf}-style format string.  Then it
 can check the number and types of arguments in each call to the
 function, and warn you when they do not match the format string.
 For details, see @ref{Function Attributes, , Declaring Attributes of Functions,
-gcc.info, Using GNU CC}.
+gcc, Using GNU CC}.
 
 @node EOF and Errors
 @section End-Of-File and Errors
diff --git a/manual/string.texi b/manual/string.texi
index ac02c6d85e..b07cfb4550 100644
--- a/manual/string.texi
+++ b/manual/string.texi
@@ -1087,7 +1087,7 @@ are often easier and safer automatic techniques that cause buffer
 overruns to reliably terminate a program, such as GCC's
 @option{-fcheck-pointer-bounds} and @option{-fsanitize=address}
 options.  @xref{Debugging Options,, Options for Debugging Your Program
-or GCC, gcc.info, Using GCC}.  Because truncation functions can mask
+or GCC, gcc, Using GCC}.  Because truncation functions can mask
 application bugs that would otherwise be caught by the automatic
 techniques, these functions should be used only when the application's
 underlying logic requires truncation.
diff --git a/math/math.h b/math/math.h
index 3c515f817f..0fcbd91366 100644
--- a/math/math.h
+++ b/math/math.h
@@ -1223,7 +1223,7 @@ template<> struct __iseqsig_type<double>
 
 template<> struct __iseqsig_type<long double>
 {
-  static int __call (double __x, double __y) throw ()
+  static int __call (long double __x, long double __y) throw ()
   {
 #  ifndef __NO_LONG_DOUBLE_MATH
     return __iseqsigl (__x, __y);
diff --git a/misc/tst-preadvwritev-common.c b/misc/tst-preadvwritev-common.c
index 560c8f89b6..b59a3de465 100644
--- a/misc/tst-preadvwritev-common.c
+++ b/misc/tst-preadvwritev-common.c
@@ -16,6 +16,7 @@
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
+#include <array_length.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <errno.h>
@@ -25,6 +26,7 @@
 
 #include <support/check.h>
 #include <support/temp_file.h>
+#include <support/xunistd.h>
 
 static char *temp_filename;
 static int temp_fd;
@@ -50,6 +52,42 @@ do_prepare (int argc, char **argv)
   pwritev (__fd, __iov, __iovcnt, __offset)
 #endif
 
+static __attribute__ ((unused)) void
+do_test_without_offset (void)
+{
+  xftruncate (temp_fd, 0);
+
+  xwrite (temp_fd, "123", 3);
+  xlseek (temp_fd, 2, SEEK_SET);
+  {
+    struct iovec iov[] =
+      {
+        { (void *) "abc", 3 },
+        { (void *) "xyzt", 4 },
+      };
+    TEST_COMPARE (PWRITEV (temp_fd, iov, array_length (iov), -1), 7);
+  }
+  TEST_COMPARE (xlseek (temp_fd, 0, SEEK_CUR), 9);
+
+  xlseek (temp_fd, 1, SEEK_SET);
+  char buf1[3];
+  char buf2[2];
+  {
+    struct iovec iov[] =
+      {
+        { buf1, sizeof (buf1) },
+        { buf2, sizeof (buf2) },
+      };
+    TEST_COMPARE (PREADV (temp_fd, iov, array_length (iov), -1),
+                  sizeof (buf1) + sizeof (buf2));
+    TEST_COMPARE (memcmp ("2ab", buf1, sizeof (buf1)), 0);
+    TEST_COMPARE (memcmp ("cx", buf2, sizeof (buf2)), 0);
+    TEST_COMPARE (xlseek (temp_fd, 0, SEEK_CUR), 6);
+  }
+
+  xftruncate (temp_fd, 0);
+}
+
 static int
 do_test_with_offset (off_t offset)
 {
diff --git a/misc/tst-preadvwritev2-common.c b/misc/tst-preadvwritev2-common.c
index 89fd0a3ff5..50b9da3fea 100644
--- a/misc/tst-preadvwritev2-common.c
+++ b/misc/tst-preadvwritev2-common.c
@@ -19,9 +19,6 @@
 #include <limits.h>
 #include <support/check.h>
 
-static void
-do_test_with_invalid_flags (void)
-{
 #ifndef RWF_HIPRI
 # define RWF_HIPRI 0
 #endif
@@ -34,7 +31,73 @@ do_test_with_invalid_flags (void)
 #ifndef RWF_NOWAIT
 # define RWF_NOWAIT 0
 #endif
-#define RWF_SUPPORTED	(RWF_HIPRI | RWF_DSYNC | RWF_SYNC | RWF_NOWAIT)
+#ifndef RWF_APPEND
+# define RWF_APPEND 0
+#endif
+#define RWF_SUPPORTED	(RWF_HIPRI | RWF_DSYNC | RWF_SYNC | RWF_NOWAIT \
+			 | RWF_APPEND)
+
+static void
+do_test_with_invalid_fd (void)
+{
+  char buf[256];
+  struct iovec iov = { buf, sizeof buf };
+
+  /* Check with flag being 0 to use the fallback code which calls pwritev
+     or writev.  */
+  TEST_VERIFY (preadv2 (-1, &iov, 1, -1, 0) == -1);
+  TEST_COMPARE (errno, EBADF);
+  TEST_VERIFY (pwritev2 (-1, &iov, 1, -1, 0) == -1);
+  TEST_COMPARE (errno, EBADF);
+
+  /* Same tests as before but with flags being different than 0.  Since
+     there is no emulation for any flag value, fallback code returns
+     ENOTSUP.  This is different running on a kernel with preadv2/pwritev2
+     support, where EBADF is returned).  */
+  TEST_VERIFY (preadv2 (-1, &iov, 1, 0, RWF_HIPRI) == -1);
+  TEST_VERIFY (errno == EBADF || errno == ENOTSUP);
+  TEST_VERIFY (pwritev2 (-1, &iov, 1, 0, RWF_HIPRI) == -1);
+  TEST_VERIFY (errno == EBADF || errno == ENOTSUP);
+}
+
+static void
+do_test_with_invalid_iov (void)
+{
+  {
+    char buf[256];
+    struct iovec iov;
+
+    iov.iov_base = buf;
+    iov.iov_len = (size_t)SSIZE_MAX + 1;
+
+    TEST_VERIFY (preadv2 (temp_fd, &iov, 1, 0, 0) == -1);
+    TEST_COMPARE (errno, EINVAL);
+    TEST_VERIFY (pwritev2 (temp_fd, &iov, 1, 0, 0) == -1);
+    TEST_COMPARE (errno, EINVAL);
+
+    /* Same as for invalid file descriptor tests, emulation fallback
+       first checks for flag value and return ENOTSUP.  */
+    TEST_VERIFY (preadv2 (temp_fd, &iov, 1, 0, RWF_HIPRI) == -1);
+    TEST_VERIFY (errno == EINVAL || errno == ENOTSUP);
+    TEST_VERIFY (pwritev2 (temp_fd, &iov, 1, 0, RWF_HIPRI) == -1);
+    TEST_VERIFY (errno == EINVAL || errno == ENOTSUP);
+  }
+
+  {
+    /* An invalid iovec buffer should trigger an invalid memory access
+       or an error (Linux for instance returns EFAULT).  */
+    struct iovec iov[IOV_MAX+1] = { 0 };
+
+    TEST_VERIFY (preadv2 (temp_fd, iov, IOV_MAX + 1, 0, RWF_HIPRI) == -1);
+    TEST_VERIFY (errno == EINVAL || errno == ENOTSUP);
+    TEST_VERIFY (pwritev2 (temp_fd, iov, IOV_MAX + 1, 0, RWF_HIPRI) == -1);
+    TEST_VERIFY (errno == EINVAL || errno == ENOTSUP);
+  }
+}
+
+static void
+do_test_with_invalid_flags (void)
+{
   /* Set the next bit from the mask of all supported flags.  */
   int invalid_flag = RWF_SUPPORTED != 0 ? __builtin_clz (RWF_SUPPORTED) : 2;
   invalid_flag = 0x1 << ((sizeof (int) * CHAR_BIT) - invalid_flag);
diff --git a/misc/tst-preadvwritev2.c b/misc/tst-preadvwritev2.c
index d8a9daf66a..cb58cbe41e 100644
--- a/misc/tst-preadvwritev2.c
+++ b/misc/tst-preadvwritev2.c
@@ -29,6 +29,9 @@ static int
 do_test (void)
 {
   do_test_with_invalid_flags ();
+  do_test_without_offset ();
+  do_test_with_invalid_fd ();
+  do_test_with_invalid_iov ();
 
   return do_test_with_offset (0);
 }
diff --git a/misc/tst-preadvwritev64v2.c b/misc/tst-preadvwritev64v2.c
index 2c656ae3d7..6a9de54c78 100644
--- a/misc/tst-preadvwritev64v2.c
+++ b/misc/tst-preadvwritev64v2.c
@@ -31,6 +31,9 @@ static int
 do_test (void)
 {
   do_test_with_invalid_flags ();
+  do_test_without_offset ();
+  do_test_with_invalid_fd ();
+  do_test_with_invalid_iov ();
 
   return do_test_with_offset (0);
 }
diff --git a/nptl/Makefile b/nptl/Makefile
index 6fc2c8bb6a..a3447addea 100644
--- a/nptl/Makefile
+++ b/nptl/Makefile
@@ -235,9 +235,9 @@ LDLIBS-tst-minstack-throw = -lstdc++
 
 tests = tst-attr1 tst-attr2 tst-attr3 tst-default-attr \
 	tst-mutex1 tst-mutex2 tst-mutex3 tst-mutex4 tst-mutex5 tst-mutex6 \
-	tst-mutex7 tst-mutex9 tst-mutex5a tst-mutex7a tst-mutex7robust \
-	tst-mutexpi1 tst-mutexpi2 tst-mutexpi3 tst-mutexpi4 tst-mutexpi5 \
-	tst-mutexpi5a tst-mutexpi6 tst-mutexpi7 tst-mutexpi7a \
+	tst-mutex7 tst-mutex9 tst-mutex10 tst-mutex5a tst-mutex7a \
+	tst-mutex7robust tst-mutexpi1 tst-mutexpi2 tst-mutexpi3 tst-mutexpi4 \
+	tst-mutexpi5 tst-mutexpi5a tst-mutexpi6 tst-mutexpi7 tst-mutexpi7a \
 	tst-mutexpi9 \
 	tst-spin1 tst-spin2 tst-spin3 tst-spin4 \
 	tst-cond1 tst-cond2 tst-cond3 tst-cond4 tst-cond5 tst-cond6 tst-cond7 \
@@ -730,6 +730,8 @@ $(objpfx)tst-compat-forwarder: $(objpfx)tst-compat-forwarder-mod.so
 # destroying a mutex.
 tst-mutex8-ENV = GLIBC_TUNABLES=glibc.elision.enable=0
 
+tst-mutex10-ENV = GLIBC_TUNABLES=glibc.elision.enable=1
+
 # The tests here better do not run in parallel
 ifneq ($(filter %tests,$(MAKECMDGOALS)),)
 .NOTPARALLEL:
diff --git a/nptl/pthreadP.h b/nptl/pthreadP.h
index 583515ff48..ff51f452c6 100644
--- a/nptl/pthreadP.h
+++ b/nptl/pthreadP.h
@@ -110,19 +110,23 @@ enum
 };
 #define PTHREAD_MUTEX_PSHARED_BIT 128
 
+/* See concurrency notes regarding __kind in struct __pthread_mutex_s
+   in sysdeps/nptl/bits/thread-shared-types.h.  */
 #define PTHREAD_MUTEX_TYPE(m) \
-  ((m)->__data.__kind & 127)
+  (atomic_load_relaxed (&((m)->__data.__kind)) & 127)
 /* Don't include NO_ELISION, as that type is always the same
    as the underlying lock type.  */
 #define PTHREAD_MUTEX_TYPE_ELISION(m) \
-  ((m)->__data.__kind & (127|PTHREAD_MUTEX_ELISION_NP))
+  (atomic_load_relaxed (&((m)->__data.__kind))	\
+   & (127 | PTHREAD_MUTEX_ELISION_NP))
 
 #if LLL_PRIVATE == 0 && LLL_SHARED == 128
 # define PTHREAD_MUTEX_PSHARED(m) \
-  ((m)->__data.__kind & 128)
+  (atomic_load_relaxed (&((m)->__data.__kind)) & 128)
 #else
 # define PTHREAD_MUTEX_PSHARED(m) \
-  (((m)->__data.__kind & 128) ? LLL_SHARED : LLL_PRIVATE)
+  ((atomic_load_relaxed (&((m)->__data.__kind)) & 128)	\
+   ? LLL_SHARED : LLL_PRIVATE)
 #endif
 
 /* The kernel when waking robust mutexes on exit never uses
diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c
index 8e425eb01e..479e54febb 100644
--- a/nptl/pthread_cond_common.c
+++ b/nptl/pthread_cond_common.c
@@ -405,8 +405,12 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
 	{
 	  /* There is still a waiter after spinning.  Set the wake-request
 	     flag and block.  Relaxed MO is fine because this is just about
-	     this futex word.  */
-	  r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1);
+	     this futex word.
+
+	     Update r to include the set wake-request flag so that the upcoming
+	     futex_wait only blocks if the flag is still set (otherwise, we'd
+	     violate the basic client-side futex protocol).  */
+	  r = atomic_fetch_or_relaxed (cond->__data.__g_refs + g1, 1) | 1;
 
 	  if ((r >> 1) > 0)
 	    futex_wait_simple (cond->__data.__g_refs + g1, r, private);
diff --git a/nptl/pthread_mutex_consistent.c b/nptl/pthread_mutex_consistent.c
index 85b8e1a6cb..4fbd875430 100644
--- a/nptl/pthread_mutex_consistent.c
+++ b/nptl/pthread_mutex_consistent.c
@@ -23,8 +23,11 @@
 int
 pthread_mutex_consistent (pthread_mutex_t *mutex)
 {
-  /* Test whether this is a robust mutex with a dead owner.  */
-  if ((mutex->__data.__kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP) == 0
+  /* Test whether this is a robust mutex with a dead owner.
+     See concurrency notes regarding __kind in struct __pthread_mutex_s
+     in sysdeps/nptl/bits/thread-shared-types.h.  */
+  if ((atomic_load_relaxed (&(mutex->__data.__kind))
+       & PTHREAD_MUTEX_ROBUST_NORMAL_NP) == 0
       || mutex->__data.__owner != PTHREAD_MUTEX_INCONSISTENT)
     return EINVAL;
 
diff --git a/nptl/pthread_mutex_destroy.c b/nptl/pthread_mutex_destroy.c
index 5a22611541..713ea68496 100644
--- a/nptl/pthread_mutex_destroy.c
+++ b/nptl/pthread_mutex_destroy.c
@@ -27,12 +27,17 @@ __pthread_mutex_destroy (pthread_mutex_t *mutex)
 {
   LIBC_PROBE (mutex_destroy, 1, mutex);
 
-  if ((mutex->__data.__kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP) == 0
+  /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+     in sysdeps/nptl/bits/thread-shared-types.h.  */
+  if ((atomic_load_relaxed (&(mutex->__data.__kind))
+       & PTHREAD_MUTEX_ROBUST_NORMAL_NP) == 0
       && mutex->__data.__nusers != 0)
     return EBUSY;
 
-  /* Set to an invalid value.  */
-  mutex->__data.__kind = -1;
+  /* Set to an invalid value.  Relaxed MO is enough as it is undefined behavior
+     if the mutex is used after it has been destroyed.  But you can reinitialize
+     it with pthread_mutex_init.  */
+  atomic_store_relaxed (&(mutex->__data.__kind), -1);
 
   return 0;
 }
diff --git a/nptl/pthread_mutex_getprioceiling.c b/nptl/pthread_mutex_getprioceiling.c
index efa37b0d99..ee85949578 100644
--- a/nptl/pthread_mutex_getprioceiling.c
+++ b/nptl/pthread_mutex_getprioceiling.c
@@ -24,7 +24,9 @@
 int
 pthread_mutex_getprioceiling (const pthread_mutex_t *mutex, int *prioceiling)
 {
-  if (__builtin_expect ((mutex->__data.__kind
+  /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+     in sysdeps/nptl/bits/thread-shared-types.h.  */
+  if (__builtin_expect ((atomic_load_relaxed (&(mutex->__data.__kind))
 			 & PTHREAD_MUTEX_PRIO_PROTECT_NP) == 0, 0))
     return EINVAL;
 
diff --git a/nptl/pthread_mutex_init.c b/nptl/pthread_mutex_init.c
index d8fe473728..5cf290c272 100644
--- a/nptl/pthread_mutex_init.c
+++ b/nptl/pthread_mutex_init.c
@@ -101,7 +101,7 @@ __pthread_mutex_init (pthread_mutex_t *mutex,
   memset (mutex, '\0', __SIZEOF_PTHREAD_MUTEX_T);
 
   /* Copy the values from the attribute.  */
-  mutex->__data.__kind = imutexattr->mutexkind & ~PTHREAD_MUTEXATTR_FLAG_BITS;
+  int mutex_kind = imutexattr->mutexkind & ~PTHREAD_MUTEXATTR_FLAG_BITS;
 
   if ((imutexattr->mutexkind & PTHREAD_MUTEXATTR_FLAG_ROBUST) != 0)
     {
@@ -111,17 +111,17 @@ __pthread_mutex_init (pthread_mutex_t *mutex,
 	return ENOTSUP;
 #endif
 
-      mutex->__data.__kind |= PTHREAD_MUTEX_ROBUST_NORMAL_NP;
+      mutex_kind |= PTHREAD_MUTEX_ROBUST_NORMAL_NP;
     }
 
   switch (imutexattr->mutexkind & PTHREAD_MUTEXATTR_PROTOCOL_MASK)
     {
     case PTHREAD_PRIO_INHERIT << PTHREAD_MUTEXATTR_PROTOCOL_SHIFT:
-      mutex->__data.__kind |= PTHREAD_MUTEX_PRIO_INHERIT_NP;
+      mutex_kind |= PTHREAD_MUTEX_PRIO_INHERIT_NP;
       break;
 
     case PTHREAD_PRIO_PROTECT << PTHREAD_MUTEXATTR_PROTOCOL_SHIFT:
-      mutex->__data.__kind |= PTHREAD_MUTEX_PRIO_PROTECT_NP;
+      mutex_kind |= PTHREAD_MUTEX_PRIO_PROTECT_NP;
 
       int ceiling = (imutexattr->mutexkind
 		     & PTHREAD_MUTEXATTR_PRIO_CEILING_MASK)
@@ -145,7 +145,11 @@ __pthread_mutex_init (pthread_mutex_t *mutex,
      FUTEX_PRIVATE_FLAG FUTEX_WAKE.  */
   if ((imutexattr->mutexkind & (PTHREAD_MUTEXATTR_FLAG_PSHARED
 				| PTHREAD_MUTEXATTR_FLAG_ROBUST)) != 0)
-    mutex->__data.__kind |= PTHREAD_MUTEX_PSHARED_BIT;
+    mutex_kind |= PTHREAD_MUTEX_PSHARED_BIT;
+
+  /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+     in sysdeps/nptl/bits/thread-shared-types.h.  */
+  atomic_store_relaxed (&(mutex->__data.__kind), mutex_kind);
 
   /* Default values: mutex not used yet.  */
   // mutex->__count = 0;	already done by memset
diff --git a/nptl/pthread_mutex_lock.c b/nptl/pthread_mutex_lock.c
index 1519c142bd..29cc143e6c 100644
--- a/nptl/pthread_mutex_lock.c
+++ b/nptl/pthread_mutex_lock.c
@@ -62,6 +62,8 @@ static int __pthread_mutex_lock_full (pthread_mutex_t *mutex)
 int
 __pthread_mutex_lock (pthread_mutex_t *mutex)
 {
+  /* See concurrency notes regarding mutex type which is loaded from __kind
+     in struct __pthread_mutex_s in sysdeps/nptl/bits/thread-shared-types.h.  */
   unsigned int type = PTHREAD_MUTEX_TYPE_ELISION (mutex);
 
   LIBC_PROBE (mutex_entry, 1, mutex);
@@ -350,8 +352,14 @@ __pthread_mutex_lock_full (pthread_mutex_t *mutex)
     case PTHREAD_MUTEX_PI_ROBUST_NORMAL_NP:
     case PTHREAD_MUTEX_PI_ROBUST_ADAPTIVE_NP:
       {
-	int kind = mutex->__data.__kind & PTHREAD_MUTEX_KIND_MASK_NP;
-	int robust = mutex->__data.__kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP;
+	int kind, robust;
+	{
+	  /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+	     in sysdeps/nptl/bits/thread-shared-types.h.  */
+	  int mutex_kind = atomic_load_relaxed (&(mutex->__data.__kind));
+	  kind = mutex_kind & PTHREAD_MUTEX_KIND_MASK_NP;
+	  robust = mutex_kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP;
+	}
 
 	if (robust)
 	  {
@@ -502,7 +510,10 @@ __pthread_mutex_lock_full (pthread_mutex_t *mutex)
     case PTHREAD_MUTEX_PP_NORMAL_NP:
     case PTHREAD_MUTEX_PP_ADAPTIVE_NP:
       {
-	int kind = mutex->__data.__kind & PTHREAD_MUTEX_KIND_MASK_NP;
+	/* See concurrency notes regarding __kind in struct __pthread_mutex_s
+	   in sysdeps/nptl/bits/thread-shared-types.h.  */
+	int kind = atomic_load_relaxed (&(mutex->__data.__kind))
+	  & PTHREAD_MUTEX_KIND_MASK_NP;
 
 	oldval = mutex->__data.__lock;
 
@@ -607,15 +618,18 @@ hidden_def (__pthread_mutex_lock)
 void
 __pthread_mutex_cond_lock_adjust (pthread_mutex_t *mutex)
 {
-  assert ((mutex->__data.__kind & PTHREAD_MUTEX_PRIO_INHERIT_NP) != 0);
-  assert ((mutex->__data.__kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP) == 0);
-  assert ((mutex->__data.__kind & PTHREAD_MUTEX_PSHARED_BIT) == 0);
+  /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+     in sysdeps/nptl/bits/thread-shared-types.h.  */
+  int mutex_kind = atomic_load_relaxed (&(mutex->__data.__kind));
+  assert ((mutex_kind & PTHREAD_MUTEX_PRIO_INHERIT_NP) != 0);
+  assert ((mutex_kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP) == 0);
+  assert ((mutex_kind & PTHREAD_MUTEX_PSHARED_BIT) == 0);
 
   /* Record the ownership.  */
   pid_t id = THREAD_GETMEM (THREAD_SELF, tid);
   mutex->__data.__owner = id;
 
-  if (mutex->__data.__kind == PTHREAD_MUTEX_PI_RECURSIVE_NP)
+  if (mutex_kind == PTHREAD_MUTEX_PI_RECURSIVE_NP)
     ++mutex->__data.__count;
 }
 #endif
diff --git a/nptl/pthread_mutex_setprioceiling.c b/nptl/pthread_mutex_setprioceiling.c
index 8594874f85..8306cabcf4 100644
--- a/nptl/pthread_mutex_setprioceiling.c
+++ b/nptl/pthread_mutex_setprioceiling.c
@@ -27,9 +27,10 @@ int
 pthread_mutex_setprioceiling (pthread_mutex_t *mutex, int prioceiling,
 			      int *old_ceiling)
 {
-  /* The low bits of __kind aren't ever changed after pthread_mutex_init,
-     so we don't need a lock yet.  */
-  if ((mutex->__data.__kind & PTHREAD_MUTEX_PRIO_PROTECT_NP) == 0)
+  /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+     in sysdeps/nptl/bits/thread-shared-types.h.  */
+  if ((atomic_load_relaxed (&(mutex->__data.__kind))
+       & PTHREAD_MUTEX_PRIO_PROTECT_NP) == 0)
     return EINVAL;
 
   /* See __init_sched_fifo_prio.  */
diff --git a/nptl/pthread_mutex_timedlock.c b/nptl/pthread_mutex_timedlock.c
index 66efd3989f..40b559f517 100644
--- a/nptl/pthread_mutex_timedlock.c
+++ b/nptl/pthread_mutex_timedlock.c
@@ -53,6 +53,8 @@ __pthread_mutex_timedlock (pthread_mutex_t *mutex,
   /* We must not check ABSTIME here.  If the thread does not block
      abstime must not be checked for a valid value.  */
 
+  /* See concurrency notes regarding mutex type which is loaded from __kind
+     in struct __pthread_mutex_s in sysdeps/nptl/bits/thread-shared-types.h.  */
   switch (__builtin_expect (PTHREAD_MUTEX_TYPE_ELISION (mutex),
 			    PTHREAD_MUTEX_TIMED_NP))
     {
@@ -338,8 +340,14 @@ __pthread_mutex_timedlock (pthread_mutex_t *mutex,
     case PTHREAD_MUTEX_PI_ROBUST_NORMAL_NP:
     case PTHREAD_MUTEX_PI_ROBUST_ADAPTIVE_NP:
       {
-	int kind = mutex->__data.__kind & PTHREAD_MUTEX_KIND_MASK_NP;
-	int robust = mutex->__data.__kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP;
+	int kind, robust;
+	{
+	  /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+	     in sysdeps/nptl/bits/thread-shared-types.h.  */
+	  int mutex_kind = atomic_load_relaxed (&(mutex->__data.__kind));
+	  kind = mutex_kind & PTHREAD_MUTEX_KIND_MASK_NP;
+	  robust = mutex_kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP;
+	}
 
 	if (robust)
 	  {
@@ -509,7 +517,10 @@ __pthread_mutex_timedlock (pthread_mutex_t *mutex,
     case PTHREAD_MUTEX_PP_NORMAL_NP:
     case PTHREAD_MUTEX_PP_ADAPTIVE_NP:
       {
-	int kind = mutex->__data.__kind & PTHREAD_MUTEX_KIND_MASK_NP;
+	/* See concurrency notes regarding __kind in struct __pthread_mutex_s
+	   in sysdeps/nptl/bits/thread-shared-types.h.  */
+	int kind = atomic_load_relaxed (&(mutex->__data.__kind))
+	  & PTHREAD_MUTEX_KIND_MASK_NP;
 
 	oldval = mutex->__data.__lock;
 
diff --git a/nptl/pthread_mutex_trylock.c b/nptl/pthread_mutex_trylock.c
index 7de61f4f68..fa90c1d1e6 100644
--- a/nptl/pthread_mutex_trylock.c
+++ b/nptl/pthread_mutex_trylock.c
@@ -36,6 +36,8 @@ __pthread_mutex_trylock (pthread_mutex_t *mutex)
   int oldval;
   pid_t id = THREAD_GETMEM (THREAD_SELF, tid);
 
+  /* See concurrency notes regarding mutex type which is loaded from __kind
+     in struct __pthread_mutex_s in sysdeps/nptl/bits/thread-shared-types.h.  */
   switch (__builtin_expect (PTHREAD_MUTEX_TYPE_ELISION (mutex),
 			    PTHREAD_MUTEX_TIMED_NP))
     {
@@ -199,8 +201,14 @@ __pthread_mutex_trylock (pthread_mutex_t *mutex)
     case PTHREAD_MUTEX_PI_ROBUST_NORMAL_NP:
     case PTHREAD_MUTEX_PI_ROBUST_ADAPTIVE_NP:
       {
-	int kind = mutex->__data.__kind & PTHREAD_MUTEX_KIND_MASK_NP;
-	int robust = mutex->__data.__kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP;
+	int kind, robust;
+	{
+	  /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+	     in sysdeps/nptl/bits/thread-shared-types.h.  */
+	  int mutex_kind = atomic_load_relaxed (&(mutex->__data.__kind));
+	  kind = mutex_kind & PTHREAD_MUTEX_KIND_MASK_NP;
+	  robust = mutex_kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP;
+	}
 
 	if (robust)
 	  /* Note: robust PI futexes are signaled by setting bit 0.  */
@@ -325,7 +333,10 @@ __pthread_mutex_trylock (pthread_mutex_t *mutex)
     case PTHREAD_MUTEX_PP_NORMAL_NP:
     case PTHREAD_MUTEX_PP_ADAPTIVE_NP:
       {
-	int kind = mutex->__data.__kind & PTHREAD_MUTEX_KIND_MASK_NP;
+	/* See concurrency notes regarding __kind in struct __pthread_mutex_s
+	   in sysdeps/nptl/bits/thread-shared-types.h.  */
+	int kind = atomic_load_relaxed (&(mutex->__data.__kind))
+	  & PTHREAD_MUTEX_KIND_MASK_NP;
 
 	oldval = mutex->__data.__lock;
 
diff --git a/nptl/pthread_mutex_unlock.c b/nptl/pthread_mutex_unlock.c
index 9ea62943b7..68d04d5395 100644
--- a/nptl/pthread_mutex_unlock.c
+++ b/nptl/pthread_mutex_unlock.c
@@ -35,6 +35,8 @@ int
 attribute_hidden
 __pthread_mutex_unlock_usercnt (pthread_mutex_t *mutex, int decr)
 {
+  /* See concurrency notes regarding mutex type which is loaded from __kind
+     in struct __pthread_mutex_s in sysdeps/nptl/bits/thread-shared-types.h.  */
   int type = PTHREAD_MUTEX_TYPE_ELISION (mutex);
   if (__builtin_expect (type &
 		~(PTHREAD_MUTEX_KIND_MASK_NP|PTHREAD_MUTEX_ELISION_FLAGS_NP), 0))
@@ -222,13 +224,19 @@ __pthread_mutex_unlock_full (pthread_mutex_t *mutex, int decr)
       /* If the previous owner died and the caller did not succeed in
 	 making the state consistent, mark the mutex as unrecoverable
 	 and make all waiters.  */
-      if ((mutex->__data.__kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP) != 0
+      /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+	 in sysdeps/nptl/bits/thread-shared-types.h.  */
+      if ((atomic_load_relaxed (&(mutex->__data.__kind))
+	   & PTHREAD_MUTEX_ROBUST_NORMAL_NP) != 0
 	  && __builtin_expect (mutex->__data.__owner
 			       == PTHREAD_MUTEX_INCONSISTENT, 0))
       pi_notrecoverable:
        newowner = PTHREAD_MUTEX_NOTRECOVERABLE;
 
-      if ((mutex->__data.__kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP) != 0)
+      /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+	 in sysdeps/nptl/bits/thread-shared-types.h.  */
+      if ((atomic_load_relaxed (&(mutex->__data.__kind))
+	   & PTHREAD_MUTEX_ROBUST_NORMAL_NP) != 0)
 	{
 	continue_pi_robust:
 	  /* Remove mutex from the list.
@@ -251,7 +259,10 @@ __pthread_mutex_unlock_full (pthread_mutex_t *mutex, int decr)
       /* Unlock.  Load all necessary mutex data before releasing the mutex
 	 to not violate the mutex destruction requirements (see
 	 lll_unlock).  */
-      int robust = mutex->__data.__kind & PTHREAD_MUTEX_ROBUST_NORMAL_NP;
+      /* See concurrency notes regarding __kind in struct __pthread_mutex_s
+	 in sysdeps/nptl/bits/thread-shared-types.h.  */
+      int robust = atomic_load_relaxed (&(mutex->__data.__kind))
+	& PTHREAD_MUTEX_ROBUST_NORMAL_NP;
       private = (robust
 		 ? PTHREAD_ROBUST_MUTEX_PSHARED (mutex)
 		 : PTHREAD_MUTEX_PSHARED (mutex));
diff --git a/nptl/tst-mutex10.c b/nptl/tst-mutex10.c
new file mode 100644
index 0000000000..e1113ca60a
--- /dev/null
+++ b/nptl/tst-mutex10.c
@@ -0,0 +1,109 @@
+/* Testing race while enabling lock elision.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <getopt.h>
+#include <support/support.h>
+#include <support/xthread.h>
+
+static pthread_barrier_t barrier;
+static pthread_mutex_t mutex;
+static long long int iteration_count = 1000000;
+static unsigned int thread_count = 3;
+
+static void *
+thr_func (void *arg)
+{
+  long long int i;
+  for (i = 0; i < iteration_count; i++)
+    {
+      if ((uintptr_t) arg == 0)
+	{
+	  xpthread_mutex_destroy (&mutex);
+	  xpthread_mutex_init (&mutex, NULL);
+	}
+
+      xpthread_barrier_wait (&barrier);
+
+      /* Test if enabling lock elision works if it is enabled concurrently.
+	 There was a race in FORCE_ELISION macro which leads to either
+	 pthread_mutex_destroy returning EBUSY as the owner was recorded
+	 by pthread_mutex_lock - in "normal mutex" code path - but was not
+	 resetted in pthread_mutex_unlock - in "elision" code path.
+	 Or it leads to the assertion in nptl/pthread_mutex_lock.c:
+	 assert (mutex->__data.__owner == 0);
+	 Please ensure that the test is run with lock elision:
+	 export GLIBC_TUNABLES=glibc.elision.enable=1  */
+      xpthread_mutex_lock (&mutex);
+      xpthread_mutex_unlock (&mutex);
+
+      xpthread_barrier_wait (&barrier);
+    }
+  return NULL;
+}
+
+static int
+do_test (void)
+{
+  unsigned int i;
+  printf ("Starting %d threads to run %lld iterations.\n",
+	  thread_count, iteration_count);
+
+  pthread_t *threads = xmalloc (thread_count * sizeof (pthread_t));
+  xpthread_barrier_init (&barrier, NULL, thread_count);
+  xpthread_mutex_init (&mutex, NULL);
+
+  for (i = 0; i < thread_count; i++)
+    threads[i] = xpthread_create (NULL, thr_func, (void *) (uintptr_t) i);
+
+  for (i = 0; i < thread_count; i++)
+    xpthread_join (threads[i]);
+
+  xpthread_barrier_destroy (&barrier);
+  free (threads);
+
+  return EXIT_SUCCESS;
+}
+
+#define OPT_ITERATIONS	10000
+#define OPT_THREADS	10001
+#define CMDLINE_OPTIONS						\
+  { "iterations", required_argument, NULL, OPT_ITERATIONS },	\
+  { "threads", required_argument, NULL, OPT_THREADS },
+static void
+cmdline_process (int c)
+{
+  long long int arg = strtoll (optarg, NULL, 0);
+  switch (c)
+    {
+    case OPT_ITERATIONS:
+      if (arg > 0)
+	iteration_count = arg;
+      break;
+    case OPT_THREADS:
+      if (arg > 0 && arg < 100)
+	thread_count = arg;
+      break;
+    }
+}
+#define CMDLINE_PROCESS cmdline_process
+#define TIMEOUT 50
+#include <support/test-driver.c>
diff --git a/nscd/gai.c b/nscd/gai.c
index d081747797..576fd0045b 100644
--- a/nscd/gai.c
+++ b/nscd/gai.c
@@ -45,3 +45,6 @@
 #ifdef HAVE_LIBIDN
 # include <libidn/idn-stub.c>
 #endif
+
+/* Some variables normally defined in libc.  */
+service_user *__nss_hosts_database attribute_hidden;
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index b832c9315f..2f187b208c 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -480,7 +480,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
 {
   const char *group = key;
   key = (char *) rawmemchr (key, '\0') + 1;
-  size_t group_len = key - group - 1;
+  size_t group_len = key - group;
   const char *host = *key++ ? key : NULL;
   if (host != NULL)
     key = (char *) rawmemchr (key, '\0') + 1;
diff --git a/nss/nsswitch.c b/nss/nsswitch.c
index d5e655974f..b0f0c11a3e 100644
--- a/nss/nsswitch.c
+++ b/nss/nsswitch.c
@@ -62,7 +62,7 @@ static service_library *nss_new_service (name_database *database,
 
 /* Declare external database variables.  */
 #define DEFINE_DATABASE(name)						      \
-  extern service_user *__nss_##name##_database attribute_hidden;	      \
+  service_user *__nss_##name##_database attribute_hidden;		      \
   weak_extern (__nss_##name##_database)
 #include "databases.def"
 #undef DEFINE_DATABASE
diff --git a/nss/nsswitch.h b/nss/nsswitch.h
index eccb535ef5..63573b9ebc 100644
--- a/nss/nsswitch.h
+++ b/nss/nsswitch.h
@@ -226,10 +226,10 @@ libc_hidden_proto (__nss_hostname_digits_dots)
 #define MAX_NR_ADDRS    48
 
 /* Prototypes for __nss_*_lookup2 functions.  */
-#define DEFINE_DATABASE(arg)				    \
-  service_user *__nss_##arg##_database attribute_hidden;    \
-  int __nss_##arg##_lookup2 (service_user **, const char *, \
-			     const char *, void **);	    \
+#define DEFINE_DATABASE(arg)						      \
+  extern service_user *__nss_##arg##_database attribute_hidden;		      \
+  int __nss_##arg##_lookup2 (service_user **, const char *,		      \
+			     const char *, void **);			      \
   libc_hidden_proto (__nss_##arg##_lookup2)
 #include "databases.def"
 #undef DEFINE_DATABASE
diff --git a/po/pt_BR.po b/po/pt_BR.po
index b7c1650957..d49d6ec279 100644
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
@@ -1,4283 +1,7213 @@
-# Brazilian portuguese messages for glibc.