From 98ef91b38e38289b8de07a77cad7a0c4208f0106 Mon Sep 17 00:00:00 2001
From: Cherry Zhang <cherryyz@google.com>
Date: Thu, 22 Apr 2021 13:45:19 -0400
Subject: [release-branch.go1.16] cmd/link: support more load commands on
 Mach-O

Fixes #49923.

Change-Id: I74dd9170a51cc93ce3ec5e5860c2eb2912f081f5
Reviewed-on: https://go-review.googlesource.com/c/go/+/312729
Trust: Cherry Zhang <cherryyz@google.com>
Run-TryBot: Cherry Zhang <cherryyz@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
(cherry picked from commit b6ff3c69d5fdf933f5265f95ae4bb12eaecc792f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/368835
Run-TryBot: Heschi Kreinick <heschi@google.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Trust: Heschi Kreinick <heschi@google.com>
---
 src/cmd/link/internal/ld/macho.go               |  4 ++++
 src/cmd/link/internal/ld/macho_combine_dwarf.go | 12 ++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/cmd/link/internal/ld/macho.go b/src/cmd/link/internal/ld/macho.go
index a9f4d87229..ac2103c91e 100644
--- a/src/cmd/link/internal/ld/macho.go
+++ b/src/cmd/link/internal/ld/macho.go
@@ -86,6 +86,8 @@ const (
 	MACHO_SUBCPU_ARMV7                   = 9
 	MACHO_CPU_ARM64                      = 1<<24 | 12
 	MACHO_SUBCPU_ARM64_ALL               = 0
+	MACHO_SUBCPU_ARM64_V8                = 1
+	MACHO_SUBCPU_ARM64E                  = 2
 	MACHO32SYMSIZE                       = 12
 	MACHO64SYMSIZE                       = 16
 	MACHO_X86_64_RELOC_UNSIGNED          = 0
@@ -176,6 +178,8 @@ const (
 	LC_VERSION_MIN_WATCHOS      = 0x30
 	LC_VERSION_NOTE             = 0x31
 	LC_BUILD_VERSION            = 0x32
+	LC_DYLD_EXPORTS_TRIE        = 0x80000033
+	LC_DYLD_CHAINED_FIXUPS      = 0x80000034
 )
 
 const (
diff --git a/src/cmd/link/internal/ld/macho_combine_dwarf.go b/src/cmd/link/internal/ld/macho_combine_dwarf.go
index 77ee8a4d62..0015b7d756 100644
--- a/src/cmd/link/internal/ld/macho_combine_dwarf.go
+++ b/src/cmd/link/internal/ld/macho_combine_dwarf.go
@@ -222,11 +222,19 @@ func machoCombineDwarf(ctxt *Link, exef *os.File, exem *macho.File, dsym, outexe
 			err = machoUpdateLoadCommand(reader, linkseg, linkoffset, &macho.SymtabCmd{}, "Symoff", "Stroff")
 		case macho.LoadCmdDysymtab:
 			err = machoUpdateLoadCommand(reader, linkseg, linkoffset, &macho.DysymtabCmd{}, "Tocoffset", "Modtaboff", "Extrefsymoff", "Indirectsymoff", "Extreloff", "Locreloff")
-		case LC_CODE_SIGNATURE, LC_SEGMENT_SPLIT_INFO, LC_FUNCTION_STARTS, LC_DATA_IN_CODE, LC_DYLIB_CODE_SIGN_DRS:
+		case LC_CODE_SIGNATURE, LC_SEGMENT_SPLIT_INFO, LC_FUNCTION_STARTS, LC_DATA_IN_CODE, LC_DYLIB_CODE_SIGN_DRS,
+			LC_DYLD_EXPORTS_TRIE, LC_DYLD_CHAINED_FIXUPS:
 			err = machoUpdateLoadCommand(reader, linkseg, linkoffset, &linkEditDataCmd{}, "DataOff")
 		case LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64:
 			err = machoUpdateLoadCommand(reader, linkseg, linkoffset, &encryptionInfoCmd{}, "CryptOff")
-		case macho.LoadCmdDylib, macho.LoadCmdThread, macho.LoadCmdUnixThread, LC_PREBOUND_DYLIB, LC_UUID, LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, LC_SOURCE_VERSION, LC_MAIN, LC_LOAD_DYLINKER, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_RPATH, LC_ID_DYLIB, LC_SYMSEG, LC_LOADFVMLIB, LC_IDFVMLIB, LC_IDENT, LC_FVMFILE, LC_PREPAGE, LC_ID_DYLINKER, LC_ROUTINES, LC_SUB_FRAMEWORK, LC_SUB_UMBRELLA, LC_SUB_CLIENT, LC_SUB_LIBRARY, LC_TWOLEVEL_HINTS, LC_PREBIND_CKSUM, LC_ROUTINES_64, LC_LAZY_LOAD_DYLIB, LC_LOAD_UPWARD_DYLIB, LC_DYLD_ENVIRONMENT, LC_LINKER_OPTION, LC_LINKER_OPTIMIZATION_HINT, LC_VERSION_MIN_TVOS, LC_VERSION_MIN_WATCHOS, LC_VERSION_NOTE, LC_BUILD_VERSION:
+		case macho.LoadCmdDylib, macho.LoadCmdThread, macho.LoadCmdUnixThread,
+			LC_PREBOUND_DYLIB, LC_UUID, LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, LC_SOURCE_VERSION,
+			LC_MAIN, LC_LOAD_DYLINKER, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_RPATH, LC_ID_DYLIB,
+			LC_SYMSEG, LC_LOADFVMLIB, LC_IDFVMLIB, LC_IDENT, LC_FVMFILE, LC_PREPAGE, LC_ID_DYLINKER,
+			LC_ROUTINES, LC_SUB_FRAMEWORK, LC_SUB_UMBRELLA, LC_SUB_CLIENT, LC_SUB_LIBRARY, LC_TWOLEVEL_HINTS,
+			LC_PREBIND_CKSUM, LC_ROUTINES_64, LC_LAZY_LOAD_DYLIB, LC_LOAD_UPWARD_DYLIB, LC_DYLD_ENVIRONMENT,
+			LC_LINKER_OPTION, LC_LINKER_OPTIMIZATION_HINT, LC_VERSION_MIN_TVOS, LC_VERSION_MIN_WATCHOS,
+			LC_VERSION_NOTE, LC_BUILD_VERSION:
 			// Nothing to update
 		default:
 			err = fmt.Errorf("unknown load command 0x%x (%s)", int(cmd.Cmd), cmd.Cmd)
-- 
cgit v1.2.3-54-g00ecf


From caced3b213e879b2af0508f5f6a2d3bb3d6ef2a9 Mon Sep 17 00:00:00 2001
From: Alex Rakoczy <alex@golang.org>
Date: Thu, 9 Dec 2021 12:13:04 +0000
Subject: Revert "[release-branch.go1.16] cmd/link: support more load commands
 on Mach-O"

This reverts commit 98ef91b38e38289b8de07a77cad7a0c4208f0106.

Reason for revert: Reducing risk for upcoming minor release.

Change-Id: Ic18609383384ebbb49d144bcb17131077de390c2
Reviewed-on: https://go-review.googlesource.com/c/go/+/370554
Run-TryBot: Alex Rakoczy <alex@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Trust: Alex Rakoczy <alex@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 src/cmd/link/internal/ld/macho.go               |  4 ----
 src/cmd/link/internal/ld/macho_combine_dwarf.go | 12 ++----------
 2 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/src/cmd/link/internal/ld/macho.go b/src/cmd/link/internal/ld/macho.go
index ac2103c91e..a9f4d87229 100644
--- a/src/cmd/link/internal/ld/macho.go
+++ b/src/cmd/link/internal/ld/macho.go
@@ -86,8 +86,6 @@ const (
 	MACHO_SUBCPU_ARMV7                   = 9
 	MACHO_CPU_ARM64                      = 1<<24 | 12
 	MACHO_SUBCPU_ARM64_ALL               = 0
-	MACHO_SUBCPU_ARM64_V8                = 1
-	MACHO_SUBCPU_ARM64E                  = 2
 	MACHO32SYMSIZE                       = 12
 	MACHO64SYMSIZE                       = 16
 	MACHO_X86_64_RELOC_UNSIGNED          = 0
@@ -178,8 +176,6 @@ const (
 	LC_VERSION_MIN_WATCHOS      = 0x30
 	LC_VERSION_NOTE             = 0x31
 	LC_BUILD_VERSION            = 0x32
-	LC_DYLD_EXPORTS_TRIE        = 0x80000033
-	LC_DYLD_CHAINED_FIXUPS      = 0x80000034
 )
 
 const (
diff --git a/src/cmd/link/internal/ld/macho_combine_dwarf.go b/src/cmd/link/internal/ld/macho_combine_dwarf.go
index 0015b7d756..77ee8a4d62 100644
--- a/src/cmd/link/internal/ld/macho_combine_dwarf.go
+++ b/src/cmd/link/internal/ld/macho_combine_dwarf.go
@@ -222,19 +222,11 @@ func machoCombineDwarf(ctxt *Link, exef *os.File, exem *macho.File, dsym, outexe
 			err = machoUpdateLoadCommand(reader, linkseg, linkoffset, &macho.SymtabCmd{}, "Symoff", "Stroff")
 		case macho.LoadCmdDysymtab:
 			err = machoUpdateLoadCommand(reader, linkseg, linkoffset, &macho.DysymtabCmd{}, "Tocoffset", "Modtaboff", "Extrefsymoff", "Indirectsymoff", "Extreloff", "Locreloff")
-		case LC_CODE_SIGNATURE, LC_SEGMENT_SPLIT_INFO, LC_FUNCTION_STARTS, LC_DATA_IN_CODE, LC_DYLIB_CODE_SIGN_DRS,
-			LC_DYLD_EXPORTS_TRIE, LC_DYLD_CHAINED_FIXUPS:
+		case LC_CODE_SIGNATURE, LC_SEGMENT_SPLIT_INFO, LC_FUNCTION_STARTS, LC_DATA_IN_CODE, LC_DYLIB_CODE_SIGN_DRS:
 			err = machoUpdateLoadCommand(reader, linkseg, linkoffset, &linkEditDataCmd{}, "DataOff")
 		case LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64:
 			err = machoUpdateLoadCommand(reader, linkseg, linkoffset, &encryptionInfoCmd{}, "CryptOff")
-		case macho.LoadCmdDylib, macho.LoadCmdThread, macho.LoadCmdUnixThread,
-			LC_PREBOUND_DYLIB, LC_UUID, LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, LC_SOURCE_VERSION,
-			LC_MAIN, LC_LOAD_DYLINKER, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_RPATH, LC_ID_DYLIB,
-			LC_SYMSEG, LC_LOADFVMLIB, LC_IDFVMLIB, LC_IDENT, LC_FVMFILE, LC_PREPAGE, LC_ID_DYLINKER,
-			LC_ROUTINES, LC_SUB_FRAMEWORK, LC_SUB_UMBRELLA, LC_SUB_CLIENT, LC_SUB_LIBRARY, LC_TWOLEVEL_HINTS,
-			LC_PREBIND_CKSUM, LC_ROUTINES_64, LC_LAZY_LOAD_DYLIB, LC_LOAD_UPWARD_DYLIB, LC_DYLD_ENVIRONMENT,
-			LC_LINKER_OPTION, LC_LINKER_OPTIMIZATION_HINT, LC_VERSION_MIN_TVOS, LC_VERSION_MIN_WATCHOS,
-			LC_VERSION_NOTE, LC_BUILD_VERSION:
+		case macho.LoadCmdDylib, macho.LoadCmdThread, macho.LoadCmdUnixThread, LC_PREBOUND_DYLIB, LC_UUID, LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, LC_SOURCE_VERSION, LC_MAIN, LC_LOAD_DYLINKER, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_RPATH, LC_ID_DYLIB, LC_SYMSEG, LC_LOADFVMLIB, LC_IDFVMLIB, LC_IDENT, LC_FVMFILE, LC_PREPAGE, LC_ID_DYLINKER, LC_ROUTINES, LC_SUB_FRAMEWORK, LC_SUB_UMBRELLA, LC_SUB_CLIENT, LC_SUB_LIBRARY, LC_TWOLEVEL_HINTS, LC_PREBIND_CKSUM, LC_ROUTINES_64, LC_LAZY_LOAD_DYLIB, LC_LOAD_UPWARD_DYLIB, LC_DYLD_ENVIRONMENT, LC_LINKER_OPTION, LC_LINKER_OPTIMIZATION_HINT, LC_VERSION_MIN_TVOS, LC_VERSION_MIN_WATCHOS, LC_VERSION_NOTE, LC_BUILD_VERSION:
 			// Nothing to update
 		default:
 			err = fmt.Errorf("unknown load command 0x%x (%s)", int(cmd.Cmd), cmd.Cmd)
-- 
cgit v1.2.3-54-g00ecf


From 44a3fb49d99cc8a4de4925b69650f97bb07faf1d Mon Sep 17 00:00:00 2001
From: Russ Cox <rsc@golang.org>
Date: Wed, 8 Dec 2021 18:05:11 -0500
Subject: [release-branch.go1.16] syscall: fix ForkLock spurious close(0) on
 pipe failure

Pipe (and therefore forkLockPipe) does not make any guarantees
about the state of p after a failed Pipe(p). Avoid that assumption
and the too-clever goto, so that we don't accidentally Close a real fd
if the failed pipe leaves p[0] or p[1] set >= 0.

Updates #50057
Fixes CVE-2021-44717

Change-Id: Iff8e19a6efbba0c73cc8b13ecfae381c87600bb4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1291270
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/370514
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Alex Rakoczy <alex@golang.org>
---
 src/syscall/exec_unix.go | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/src/syscall/exec_unix.go b/src/syscall/exec_unix.go
index 1f49c78ef9..290dd383ec 100644
--- a/src/syscall/exec_unix.go
+++ b/src/syscall/exec_unix.go
@@ -152,9 +152,6 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
 		sys = &zeroSysProcAttr
 	}
 
-	p[0] = -1
-	p[1] = -1
-
 	// Convert args to C form.
 	argv0p, err := BytePtrFromString(argv0)
 	if err != nil {
@@ -204,14 +201,17 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
 
 	// Allocate child status pipe close on exec.
 	if err = forkExecPipe(p[:]); err != nil {
-		goto error
+		ForkLock.Unlock()
+		return 0, err
 	}
 
 	// Kick off child.
 	pid, err1 = forkAndExecInChild(argv0p, argvp, envvp, chroot, dir, attr, sys, p[1])
 	if err1 != 0 {
-		err = Errno(err1)
-		goto error
+		Close(p[0])
+		Close(p[1])
+		ForkLock.Unlock()
+		return 0, Errno(err1)
 	}
 	ForkLock.Unlock()
 
@@ -243,14 +243,6 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
 
 	// Read got EOF, so pipe closed on exec, so exec succeeded.
 	return pid, nil
-
-error:
-	if p[0] >= 0 {
-		Close(p[0])
-		Close(p[1])
-	}
-	ForkLock.Unlock()
-	return 0, err
 }
 
 // Combination of fork and exec, careful to be thread safe.
-- 
cgit v1.2.3-54-g00ecf


From 99950270f3cf52cccc6966d8668ff21b573bb6f5 Mon Sep 17 00:00:00 2001
From: Russ Cox <rsc@golang.org>
Date: Wed, 8 Dec 2021 18:06:41 -0500
Subject: [release-branch.go1.16] syscall: avoid writing to p when Pipe(p)
 fails

Generally speaking Go functions make no guarantees
about what has happened to result parameters on error,
and Pipe is no exception: callers should avoid looking at
p if Pipe returns an error.

However, we had a bug in which ForkExec was using the
content of p after a failed Pipe, and others may too.
As a robustness fix, make Pipe avoid writing to p on failure.

Updates #50057

Change-Id: Ie8955025dbd20702fabadc9bbe1d1a5ac0f36305
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1291271
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/370515
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Alex Rakoczy <alex@golang.org>
---
 src/syscall/syscall_aix.go           |  6 ++++--
 src/syscall/syscall_darwin.go        |  6 ++++--
 src/syscall/syscall_dragonfly.go     |  7 +++++--
 src/syscall/syscall_freebsd.go       |  6 ++++--
 src/syscall/syscall_linux_386.go     | 12 ++++++++----
 src/syscall/syscall_linux_amd64.go   | 12 ++++++++----
 src/syscall/syscall_linux_arm.go     | 12 ++++++++----
 src/syscall/syscall_linux_arm64.go   | 12 ++++++++----
 src/syscall/syscall_linux_mips64x.go | 12 ++++++++----
 src/syscall/syscall_linux_mipsx.go   | 13 +++++++++----
 src/syscall/syscall_linux_ppc64x.go  | 12 ++++++++----
 src/syscall/syscall_linux_riscv64.go | 12 ++++++++----
 src/syscall/syscall_linux_s390x.go   | 12 ++++++++----
 src/syscall/syscall_netbsd.go        |  6 ++++--
 src/syscall/syscall_openbsd.go       |  6 ++++--
 src/syscall/syscall_plan9.go         |  6 ++++--
 src/syscall/syscall_solaris.go       |  4 +++-
 17 files changed, 105 insertions(+), 51 deletions(-)

diff --git a/src/syscall/syscall_aix.go b/src/syscall/syscall_aix.go
index 9c6afba442..db289fd39c 100644
--- a/src/syscall/syscall_aix.go
+++ b/src/syscall/syscall_aix.go
@@ -64,8 +64,10 @@ func Pipe(p []int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe(&pp)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_darwin.go b/src/syscall/syscall_darwin.go
index afdadbf894..2d4aa5867e 100644
--- a/src/syscall/syscall_darwin.go
+++ b/src/syscall/syscall_darwin.go
@@ -93,8 +93,10 @@ func Pipe(p []int) (err error) {
 	}
 	var q [2]int32
 	err = pipe(&q)
-	p[0] = int(q[0])
-	p[1] = int(q[1])
+	if err == nil {
+		p[0] = int(q[0])
+		p[1] = int(q[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_dragonfly.go b/src/syscall/syscall_dragonfly.go
index 0988fe4608..b3be59d02d 100644
--- a/src/syscall/syscall_dragonfly.go
+++ b/src/syscall/syscall_dragonfly.go
@@ -96,8 +96,11 @@ func Pipe(p []int) (err error) {
 	if len(p) != 2 {
 		return EINVAL
 	}
-	p[0], p[1], err = pipe()
-	return
+	r, w, err := pipe()
+	if err == nil {
+		p[0], p[1] = r, w
+	}
+	return err
 }
 
 //sys	extpread(fd int, p []byte, flags int, offset int64) (n int, err error)
diff --git a/src/syscall/syscall_freebsd.go b/src/syscall/syscall_freebsd.go
index 7c7b89aab9..ad904d6981 100644
--- a/src/syscall/syscall_freebsd.go
+++ b/src/syscall/syscall_freebsd.go
@@ -105,8 +105,10 @@ func Pipe2(p []int, flags int) error {
 	}
 	var pp [2]_C_int
 	err := pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return err
 }
 
diff --git a/src/syscall/syscall_linux_386.go b/src/syscall/syscall_linux_386.go
index ed52647403..f08007b278 100644
--- a/src/syscall/syscall_linux_386.go
+++ b/src/syscall/syscall_linux_386.go
@@ -30,8 +30,10 @@ func Pipe(p []int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe(&pp)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
@@ -43,8 +45,10 @@ func Pipe2(p []int, flags int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_linux_amd64.go b/src/syscall/syscall_linux_amd64.go
index 5df3f796d1..896117adc8 100644
--- a/src/syscall/syscall_linux_amd64.go
+++ b/src/syscall/syscall_linux_amd64.go
@@ -118,8 +118,10 @@ func Pipe(p []int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe(&pp)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
@@ -131,8 +133,10 @@ func Pipe2(p []int, flags int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_linux_arm.go b/src/syscall/syscall_linux_arm.go
index 4a3729f898..8f21f17d6f 100644
--- a/src/syscall/syscall_linux_arm.go
+++ b/src/syscall/syscall_linux_arm.go
@@ -34,8 +34,10 @@ func Pipe(p []int) (err error) {
 	if err == ENOSYS {
 		err = pipe(&pp)
 	}
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
@@ -47,8 +49,10 @@ func Pipe2(p []int, flags int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_linux_arm64.go b/src/syscall/syscall_linux_arm64.go
index f575c84c93..bfa7be96aa 100644
--- a/src/syscall/syscall_linux_arm64.go
+++ b/src/syscall/syscall_linux_arm64.go
@@ -152,8 +152,10 @@ func Pipe(p []int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, 0)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
@@ -165,8 +167,10 @@ func Pipe2(p []int, flags int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_linux_mips64x.go b/src/syscall/syscall_linux_mips64x.go
index ab25b7be6f..bb69b1dffb 100644
--- a/src/syscall/syscall_linux_mips64x.go
+++ b/src/syscall/syscall_linux_mips64x.go
@@ -108,8 +108,10 @@ func Pipe(p []int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, 0)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
@@ -121,8 +123,10 @@ func Pipe2(p []int, flags int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_linux_mipsx.go b/src/syscall/syscall_linux_mipsx.go
index 377946fc92..99a3fad401 100644
--- a/src/syscall/syscall_linux_mipsx.go
+++ b/src/syscall/syscall_linux_mipsx.go
@@ -119,8 +119,10 @@ func Pipe2(p []int, flags int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
@@ -130,8 +132,11 @@ func Pipe(p []int) (err error) {
 	if len(p) != 2 {
 		return EINVAL
 	}
-	p[0], p[1], err = pipe()
-	return
+	r, w, err := pipe()
+	if err == nil {
+		p[0], p[1] = r, w
+	}
+	return err
 }
 
 //sys	mmap2(addr uintptr, length uintptr, prot int, flags int, fd int, pageOffset uintptr) (xaddr uintptr, err error)
diff --git a/src/syscall/syscall_linux_ppc64x.go b/src/syscall/syscall_linux_ppc64x.go
index 45bf667407..639d5c64ab 100644
--- a/src/syscall/syscall_linux_ppc64x.go
+++ b/src/syscall/syscall_linux_ppc64x.go
@@ -87,8 +87,10 @@ func Pipe(p []int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, 0)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
@@ -100,8 +102,10 @@ func Pipe2(p []int, flags int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_linux_riscv64.go b/src/syscall/syscall_linux_riscv64.go
index 2a0fe64d25..dd48f7c8db 100644
--- a/src/syscall/syscall_linux_riscv64.go
+++ b/src/syscall/syscall_linux_riscv64.go
@@ -155,8 +155,10 @@ func Pipe(p []int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, 0)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
@@ -168,8 +170,10 @@ func Pipe2(p []int, flags int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_linux_s390x.go b/src/syscall/syscall_linux_s390x.go
index 0f6f6277bb..08e66136b8 100644
--- a/src/syscall/syscall_linux_s390x.go
+++ b/src/syscall/syscall_linux_s390x.go
@@ -80,8 +80,10 @@ func Pipe(p []int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, 0)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
@@ -93,8 +95,10 @@ func Pipe2(p []int, flags int) (err error) {
 	}
 	var pp [2]_C_int
 	err = pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_netbsd.go b/src/syscall/syscall_netbsd.go
index fc13b706b5..0754bad5ac 100644
--- a/src/syscall/syscall_netbsd.go
+++ b/src/syscall/syscall_netbsd.go
@@ -112,8 +112,10 @@ func Pipe2(p []int, flags int) error {
 	}
 	var pp [2]_C_int
 	err := pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return err
 }
 
diff --git a/src/syscall/syscall_openbsd.go b/src/syscall/syscall_openbsd.go
index 5a5ba5a51b..18eafe3521 100644
--- a/src/syscall/syscall_openbsd.go
+++ b/src/syscall/syscall_openbsd.go
@@ -72,8 +72,10 @@ func Pipe2(p []int, flags int) error {
 	}
 	var pp [2]_C_int
 	err := pipe2(&pp, flags)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return err
 }
 
diff --git a/src/syscall/syscall_plan9.go b/src/syscall/syscall_plan9.go
index d16cad45d8..6a8ab97dc6 100644
--- a/src/syscall/syscall_plan9.go
+++ b/src/syscall/syscall_plan9.go
@@ -198,8 +198,10 @@ func Pipe(p []int) (err error) {
 	}
 	var pp [2]int32
 	err = pipe(&pp)
-	p[0] = int(pp[0])
-	p[1] = int(pp[1])
+	if err == nil {
+		p[0] = int(pp[0])
+		p[1] = int(pp[1])
+	}
 	return
 }
 
diff --git a/src/syscall/syscall_solaris.go b/src/syscall/syscall_solaris.go
index daa4b88a71..7640aac25b 100644
--- a/src/syscall/syscall_solaris.go
+++ b/src/syscall/syscall_solaris.go
@@ -55,7 +55,9 @@ func Pipe(p []int) (err error) {
 	if e1 != 0 {
 		err = Errno(e1)
 	}
-	p[0], p[1] = int(r0), int(w0)
+	if err == nil {
+		p[0], p[1] = int(r0), int(w0)
+	}
 	return
 }
 
-- 
cgit v1.2.3-54-g00ecf


From d0aebe3e74fe14799f97ddd3f01129697c6a290a Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Thu, 9 Dec 2021 06:13:31 -0500
Subject: [release-branch.go1.16] net/http: update bundled
 golang.org/x/net/http2

Pull in security fix

    a5309b3 http2: cap the size of the server's canonical header cache

Updates #50058
Fixes CVE-2021-44716

Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Alex Rakoczy <alex@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 src/go.mod                |  2 +-
 src/go.sum                |  4 ++--
 src/net/http/h2_bundle.go | 10 +++++++++-
 src/vendor/modules.txt    |  2 +-
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/go.mod b/src/go.mod
index 1040d0506f..977370d265 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -4,7 +4,7 @@ go 1.16
 
 require (
 	golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897
-	golang.org/x/net v0.0.0-20211201233224-64539c132272
+	golang.org/x/net v0.0.0-20211209100217-a5309b321dca
 	golang.org/x/sys v0.0.0-20201204225414-ed752295db88 // indirect
 	golang.org/x/text v0.3.4 // indirect
 )
diff --git a/src/go.sum b/src/go.sum
index 6e22abb20a..1032a50518 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897 h1:pLI5jrR7OSLijeIDcmRxNmw2api+jEfxLoykJVice/E=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20211201233224-64539c132272 h1:yz7zX5EMX9IFSUDQtHpohPOP+fh7w1Me4FH/El1jctU=
-golang.org/x/net v0.0.0-20211201233224-64539c132272/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20211209100217-a5309b321dca h1:UmeWAm8AwB6NA/e4FSaGlK1EKTLXKX3utx4Si+6kfPg=
+golang.org/x/net v0.0.0-20211209100217-a5309b321dca/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
index 735f1b5eac..6a0c1acf5f 100644
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -4373,7 +4373,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
 		sc.canonHeader = make(map[string]string)
 	}
 	cv = CanonicalHeaderKey(v)
-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}
 	return cv
 }
 
diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
index 652d4d07d2..a37d539508 100644
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
 golang.org/x/crypto/hkdf
 golang.org/x/crypto/internal/subtle
 golang.org/x/crypto/poly1305
-# golang.org/x/net v0.0.0-20211201233224-64539c132272
+# golang.org/x/net v0.0.0-20211209100217-a5309b321dca
 ## explicit
 golang.org/x/net/dns/dnsmessage
 golang.org/x/net/http/httpguts
-- 
cgit v1.2.3-54-g00ecf


From f1f3923d2e3a0952c698d2901fc052046fa4af3d Mon Sep 17 00:00:00 2001
From: Alexander Rakoczy <alex@golang.org>
Date: Thu, 9 Dec 2021 08:13:46 -0500
Subject: [release-branch.go1.16] go1.16.12

Change-Id: I336b7203a30b17c738f1711dc4dc7654a3d17ed8
Reviewed-on: https://go-review.googlesource.com/c/go/+/370556
Trust: Alex Rakoczy <alex@golang.org>
Run-TryBot: Alex Rakoczy <alex@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 70b41b833d..ea4f57eb63 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-go1.16.11
\ No newline at end of file
+go1.16.12
\ No newline at end of file
-- 
cgit v1.2.3-54-g00ecf