_tls_used offsets the start of the tls section by adding 1 to _tls_start.
I feel this is incorrect in two respects. The first is that _tls_start is defined as a char so adding 1 only increments by 1 byte.
Second secrel32 generates an offset from the start of the section. By offsetting from _tls_start the secrel32 offset becomes invalid and has the potential to allow access to invalid memory.
I also see no reason _tls_used should be placed in the TLS section. Other compilers treat is as read only and place it in .rdata.
See the included patch for my suggested changes.