Emit NT_GNU_ABI_TAG PT_NOTE so dynamic glibc binds

The synthetic vDSO at AT_SYSINFO_EHDR already carries DT_HASH,
LINUX_2.6.39 symbol versioning, and five __kernel_* trampolines, but
glibc 2.41's dynamic-linker vDSO probe rejected the page for lack of an
NT_GNU_ABI_TAG note: every dynamically-linked guest fell back to SVC
for clock_gettime, gettimeofday, and clock_getres. PR #34 measured
1006 ns/op against an 18 ns/op OrbStack reference, a 56x gap the
TODO Tier D P1 entry tracked as the highest-leverage single fix.

This adds the note. To avoid moving VVAR (0x0B0), TEXT_OFF_SIGRET
(0x0E0, exported in vdso.h for signal.c), or any trampoline / section
offset, the program-header table relocates from 0x040 to 0x6B0 (after
the section-header area). The reclaimed 0x040 window now holds the
32-byte NT_GNU_ABI_TAG:

  namesz : 4   ("GNU\0")
  descsz : 16
  type   : NT_GNU_ABI_TAG (1)
  name   : "GNU\0"
  desc   : { ELF_NOTE_OS_LINUX (0), 2, 6, 39 }

The descriptor's minimum kernel ABI (2.6.39) matches the LINUX_2.6.39
symbol version already exposed through DT_VERDEF, so a glibc that
honors the version also honors the note. PT_LOAD continues to cover
the whole page so the relocated PHDR table and the note both stay
mapped at runtime.

Validation, dynamically-linked glibc 2.41 binary built from the
cross-toolchain sysroot at /opt/toolchain/aarch64-linux-gnu (same
toolchain PR #34 used for the baseline):

  libc  clock_gettime  :   6.97 ns/op   (was 1006 ns/op pre-fix)
  direct vDSO call     :   6.24 ns/op   (dlsym function-pointer)
  raw   SVC syscall    : 2047.01 ns/op
  libc/vDSO ratio = 1.12x -- libc IS using the vDSO

The 0.7 ns libc-vs-direct gap is glibc's dl_sysinfo_dso dispatch, not
an SVC fallback. libc clock_gettime now beats the OrbStack reference
(18 ns/op) by ~2.6x. gettimeofday and clock_getres land on the
trampolines through the same probe path:

  libc gettimeofday    :   7.5 ns/op    (vDSO REALTIME anchor reuse)
  libc clock_getres    :   4.9 ns/op    (constant-resolution path)

readelf parses the page cleanly: e_phnum=3, e_phoff=0x6B0, three
PHDRs (PT_LOAD covering the whole page, PT_DYNAMIC at 0x420 size
0x90, PT_NOTE at 0x40 size 0x20), and `readelf -n` decodes the note as
"GNU NT_GNU_ABI_TAG OS: Linux, ABI: 2.6.39". No region overlaps;
total page usage 0x758 / 0x1000.

Static vDSO bench unchanged at 6 ns/op for the time fast paths; the
PHDR relocation only shifts where the dynamic linker looks for the
table and does not touch any code the trampolines execute. test-signal
explicit run passes, confirming the unchanged TEXT_OFF_SIGRET=0xE0
trampoline still drives the libc __restore_rt path.

Author: jserv

src/core/elf.h

@@ -45,6 +45,7 @@
 #define PT_LOAD 1
 #define PT_DYNAMIC 2
 #define PT_INTERP 3
+#define PT_NOTE 4
 
 /* Program header flags */
 #define PF_X 1

src/core/vdso.c

@@ -119,12 +119,38 @@ static uint8_t *vdso_host_page(guest_t *g)
  *   [2] __kernel_clock_gettime
  *   [3] __kernel_gettimeofday
  *   [4] __kernel_getcpu
+ *
+ * Page layout (4 KiB):
+ *   0x000  EHDR
+ *   0x040  NT_GNU_ABI_TAG note (32 B)
+ *   0x0B0  vvar (seqlock counter, attention, anchor pairs)
+ *   0x0E0  rt_sigreturn trampoline
+ *   0x0EC  clock_getres / clock_gettime / gettimeofday / getcpu trampolines
+ *   ...    dynstr / dynsym / hash / versym / verdef / dynamic / shdr
+ *   0x4B0  section header table (8 entries)
+ *   0x6B0  program header table (3 entries: PT_LOAD, PT_DYNAMIC, PT_NOTE)
+ *
+ * The PHDR table sits at the bottom of the structural area so that the
+ * 4-byte-aligned NT_GNU_ABI_TAG note can occupy the old PHDR window and
+ * glibc 2.41's dynamic-linker vDSO probe finds the expected note without
+ * any of the trampoline / section offsets shifting.
  */
 
-/* Offsets within the 4KiB page */
+/* Offsets within the 4KiB page.
+ *
+ * The PHDR table now sits past the SHDR area at 0x6B0 (the EHDR's e_phoff
+ * field follows it there). This leaves the old PHDR slot at 0x040 free for
+ * the NT_GNU_ABI_TAG note data that glibc 2.41 expects to find via the
+ * PT_NOTE entry, without disturbing VVAR (0xB0), SIGRET (0xE0), or any of
+ * the trampoline / section offsets. PT_LOAD still maps the whole page so
+ * the note is loaded with the rest.
+ */
 #define VDSO_OFF_EHDR 0x000
-#define VDSO_OFF_PHDR 0x040
-#define VDSO_OFF_PHDR1 0x078
+/* NT_GNU_ABI_TAG note data lives at the old PHDR slot; 32 bytes fits
+ * comfortably inside the 112-byte gap up to VVAR.
+ */
+#define VDSO_OFF_NOTE 0x040
+#define VDSO_NOTE_SIZE 0x20
 
 /* vvar at fixed offset; host writes the wall-clock anchor on first
  * clock_gettime SVC, after the guest trampoline has stored its own
@@ -240,6 +266,16 @@ static uint8_t *vdso_host_page(guest_t *g)
 
 /* 8 * 64 = 512, 0x4B0 + 512 = 0x6B0 (fits in 4 KiB) */
 
+/* Program header table sits after the section headers so the old PHDR
+ * window at 0x040 can host the NT_GNU_ABI_TAG note data. Three entries
+ * (PT_LOAD, PT_DYNAMIC, PT_NOTE) at 56 bytes each end at 0x758, leaving
+ * the rest of the page reserved for future growth.
+ */
+#define VDSO_OFF_PHDR 0x6B0
+#define VDSO_OFF_PHDR1 (VDSO_OFF_PHDR + 0x38)
+#define VDSO_OFF_PHDR2 (VDSO_OFF_PHDR1 + 0x38)
+#define VDSO_PHDR_TABLE_END (VDSO_OFF_PHDR2 + 0x38)
+
 #define VDSO_NUM_SYMS 5
 #define HASH_NCHAIN (VDSO_NUM_SYMS + 1)
 #define HASH_NBUCKET 1
@@ -248,6 +284,41 @@ static uint8_t *vdso_host_page(guest_t *g)
 #define VERDEF_SIZE (sizeof(elf64_verdef_t) + sizeof(elf64_verdaux_t))
 #define VDSO_NUM_DYN 9
 
+/* NT_GNU_ABI_TAG note. glibc 2.41's vDSO setup expects this entry to be
+ * present alongside the dynamic symbol table; without it the dynamic
+ * linker still maps the page but skips the per-symbol fast-path lookup,
+ * forcing the dynamically-linked guest into the SVC tail of every
+ * trampoline. The note layout matches what the upstream Linux kernel
+ * emits from arch/arm64/kernel/vdso/note.S:
+ *
+ *   namesz : 4   (uint32, "GNU\0")
+ *   descsz : 16  (uint32, four-word descriptor)
+ *   type   : 1   (NT_GNU_ABI_TAG)
+ *   name   : "GNU\0"
+ *   desc   : { 0 (Linux), major, minor, sublevel } as uint32 each
+ *
+ * The desc declares the minimum supported kernel ABI. 2.6.39 matches the
+ * LINUX_2.6.39 symbol version already exposed through DT_VERDEF -- both
+ * say "this vDSO speaks the 2.6.39 ABI" -- so a glibc that accepts the
+ * symbol version also accepts the note.
+ */
+#define NT_GNU_ABI_TAG 1
+#define ELF_NOTE_OS_LINUX 0
+#define VDSO_NOTE_KERNEL_MAJOR 2
+#define VDSO_NOTE_KERNEL_MINOR 6
+#define VDSO_NOTE_KERNEL_SUBLEVEL 39
+
+typedef struct {
+    uint32_t namesz;
+    uint32_t descsz;
+    uint32_t type;
+    char name[4]; /* "GNU\0" */
+    uint32_t desc[4];
+} elf64_note_gnu_abi_tag_t;
+
+_Static_assert(sizeof(elf64_note_gnu_abi_tag_t) == VDSO_NOTE_SIZE,
+               "GNU ABI tag note must match VDSO_NOTE_SIZE");
+
 /* .dynstr data */
 static const char dynstr_data[] =
     "\0__kernel_rt_sigreturn"
@@ -899,12 +970,31 @@ uint64_t vdso_build(guest_t *g)
     ehdr->e_flags = 0;
     ehdr->e_ehsize = sizeof(elf64_ehdr_t);
     ehdr->e_phentsize = sizeof(elf64_phdr_t);
-    ehdr->e_phnum = 2;
+    ehdr->e_phnum = 3;
     ehdr->e_shentsize = sizeof(elf64_shdr_t);
     ehdr->e_shnum = 8;
     ehdr->e_shstrndx = 2;
     _Static_assert(VDSO_OFF_SHDR + 8 * sizeof(elf64_shdr_t) <= VDSO_SIZE,
                    "vDSO sections overflow the 4 KiB page");
+    _Static_assert(VDSO_PHDR_TABLE_END <= VDSO_SIZE,
+                   "vDSO program headers overflow the 4 KiB page");
+    _Static_assert(VDSO_OFF_NOTE + VDSO_NOTE_SIZE <= VDSO_OFF_VVAR,
+                   "GNU ABI tag note must not encroach on vvar");
+
+    /* NT_GNU_ABI_TAG note. PT_LOAD covers the whole page so the note is
+     * already mapped; PT_NOTE simply tags this offset for the dynamic
+     * linker's vDSO probe.
+     */
+    elf64_note_gnu_abi_tag_t *note =
+        (elf64_note_gnu_abi_tag_t *) (page + VDSO_OFF_NOTE);
+    note->namesz = sizeof(note->name);
+    note->descsz = sizeof(note->desc);
+    note->type = NT_GNU_ABI_TAG;
+    memcpy(note->name, "GNU", sizeof(note->name));
+    note->desc[0] = ELF_NOTE_OS_LINUX;
+    note->desc[1] = VDSO_NOTE_KERNEL_MAJOR;
+    note->desc[2] = VDSO_NOTE_KERNEL_MINOR;
+    note->desc[3] = VDSO_NOTE_KERNEL_SUBLEVEL;
 
     /* Program header 0: PT_LOAD. */
     elf64_phdr_t *phdr0 = (elf64_phdr_t *) (page + VDSO_OFF_PHDR);
@@ -928,6 +1018,17 @@ uint64_t vdso_build(guest_t *g)
     phdr1->p_memsz = VDSO_NUM_DYN * sizeof(elf64_dyn_t);
     phdr1->p_align = 8;
 
+    /* Program header 2: PT_NOTE pointing at the NT_GNU_ABI_TAG above. */
+    elf64_phdr_t *phdr2 = (elf64_phdr_t *) (page + VDSO_OFF_PHDR2);
+    phdr2->p_type = PT_NOTE;
+    phdr2->p_flags = PF_R;
+    phdr2->p_offset = VDSO_OFF_NOTE;
+    phdr2->p_vaddr = VDSO_OFF_NOTE;
+    phdr2->p_paddr = VDSO_OFF_NOTE;
+    phdr2->p_filesz = VDSO_NOTE_SIZE;
+    phdr2->p_memsz = VDSO_NOTE_SIZE;
+    phdr2->p_align = 4;
+
     /* Text trampolines. rt_sigreturn keeps the 12-byte SVC pattern; the
      * other four entries are fast paths (CNTVCT for clock_gettime /
      * gettimeofday; arithmetic for clock_getres / getcpu) with their own

tests/test-vdso.c

@@ -169,6 +169,40 @@ static void test_vdso(void)
     EXPECT(ehdr->e_machine == EM_AARCH64, "vDSO e_machine");
     EXPECT(ehdr->e_type == ET_DYN, "vDSO e_type");
 
+    /* NT_GNU_ABI_TAG note. glibc 2.41's vDSO probe expects a Linux ABI tag
+     * note alongside the dynamic symbol table; walk every PT_NOTE segment
+     * the EHDR advertises and confirm exactly one entry matches the
+     * (name="GNU", type=NT_GNU_ABI_TAG, desc[0]=Linux) shape with a
+     * minimum-kernel descriptor that is at least 2.6.39 (matching the
+     * LINUX_2.6.39 symbol version this vDSO exports).
+     */
+    const Elf64_Phdr *probe_phdr =
+        (const Elf64_Phdr *) ((const uint8_t *) ehdr + ehdr->e_phoff);
+    int gnu_abi_tag_count = 0;
+    for (int i = 0; i < ehdr->e_phnum; i++) {
+        if (probe_phdr[i].p_type != PT_NOTE)
+            continue;
+        const uint8_t *note_base =
+            (const uint8_t *) ehdr + probe_phdr[i].p_offset;
+        uint32_t namesz = *(const uint32_t *) (note_base + 0);
+        uint32_t descsz = *(const uint32_t *) (note_base + 4);
+        uint32_t type = *(const uint32_t *) (note_base + 8);
+        const char *name = (const char *) (note_base + 12);
+        if (type != 1 /* NT_GNU_ABI_TAG */ || namesz != 4 || descsz != 16)
+            continue;
+        if (memcmp(name, "GNU\0", 4) != 0)
+            continue;
+        const uint32_t *desc = (const uint32_t *) (note_base + 12 + 4);
+        EXPECT(desc[0] == 0, "NT_GNU_ABI_TAG OS == Linux");
+        uint32_t k = (desc[1] << 24) | (desc[2] << 16) | (desc[3] << 8);
+        uint32_t want = (2 << 24) | (6 << 16) | (39 << 8);
+        EXPECT(k >= want, "NT_GNU_ABI_TAG kernel ABI >= 2.6.39");
+        gnu_abi_tag_count++;
+    }
+    EXPECT(gnu_abi_tag_count == 1,
+           "exactly one PT_NOTE carrying NT_GNU_ABI_TAG");
+    printf("vDSO NT_GNU_ABI_TAG: count=%d\n", gnu_abi_tag_count);
+
     vdso_t v;
     EXPECT(parse_vdso(ehdr, &v) == 0, "vDSO dynamic section parse");
     if (!v.symtab || !v.strtab || !v.hash)