mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00
Commit Graph

20774 Commits

Author SHA1 Message Date
David Herrmann
ab7854df73 udev: don't close FDs before dropping them from epoll
Make sure we never close fds before we drop their related event-source.
This will cause horrible disruptions if the fd-num is re-used by someone
else. Under normal conditions, this should not cause any problems as the
close() will drop the fd from the epoll-set automatically. However, this
changes if you have any child processes with a copy of that fd.

This fixes issue #163.

Background:
        If you create an epoll-set via epoll_create() (let's call it 'EFD')
        you can add file-descriptors to it to watch for events. Whenever
        you call EPOLL_CTL_ADD on a file-descriptor you want to watch, the
        kernel looks up the attached "struct file" pointer, that this FD
        refers to. This combination of the FD-number and the "struct file"
        pointer is used as key to link it into the epoll-set (EFD).

        This means, if you duplicate your file-descriptor, you can watch
        this file-descriptor, too (because the duplicate will have a
        different FD-number, hence, the combination of FD-number and
        "struct file" is different as before).

        If you want to stop watching an FD, you use EPOLL_CTL_DEL and pass
        the FD to the kernel. The kernel again looks up your
        file-descriptor in your FD-table to find the linked "struct file".
        This FD-number and "struct file" combination is then dropped from
        the epoll-set (EFD).

        Last, but not least: If you close a file-descriptor that is linked
        to an epoll-set, the kernel does *NOTHING* regarding the
        epoll-set. This is a vital observation! Because this means, your
        epoll_wait() calls will still return the metadata you used to
        watch/subscribe your file-descriptor to events.
        There is one exception to this rule: If the file-descriptor that
        you just close()ed was the last FD that referred to the underlying
        "struct file", then _all_ epoll-set watches/subscriptions are
        destroyed. Hence, if you never dup()ed your FD, then a simple
        close() will also unsubscribe it from any epoll-set.

        With this in mind, let's look at fork():
                Assume you have an epoll-set (EFD) and a bunch of FDs
                subscribed to events on that EFD. If you now call fork(),
                the new process gets a copy of your file-descriptor table.
                This means, the whole table is copied and the "struct
                file" reference of each FD is increased by 1. It is
                important to notice that the FD-numbers in the child are
                exactly the same as in the parent (e.g., FD #5 in the child
                refers to the same "struct file" as FD #5 in the parent).

                This means, if the child calls EPOLL_CTL_DEL on an FD, the
                kernel will look up the linked "struct file" and drop the
                FD-number and "struct file" combination from the epoll-set
                (EFD). However, this will effectively drop the
                subscription that was installed by the parent.

                To sum up: even though the child gets a duplicate of the
                EFD and all FDs, the subscriptions in the EFD are *NOT*
                duplicated!

Now, with this in mind, let's look at what udevd does:
        Udevd has a bunch of file-descriptors that it watches in its
        sd-event main-loop. Whenever a uevent is received, the event is
        dispatched on its workers. If no suitable worker is present, a new
        worker is fork()ed to handle the event. Inside of this worker, we
        try to free all resources we inherited. However, the fork() call
        is done from a call-stack that is never rewound. Therefore, this
        call stack might own references that it drops once it is left.
        Those references we cannot deduce from the fork()'ed process;
        effectively causing us to leak objects in the worker (e.g., the
        call to sd_event_dispatch() that dispatched our uevent owns a
        reference to the sd_event object it used; and drops it again once
        the function is left).

        (Another example is udev_monitor_ref() for each 'worker' that is
         also inherited by all children; thus keeping the udev-monitor and
         the uevent-fd alive in all children (which is the real cause for
         bug #163))

        (The extreme variant is sd_event_source_unref(), which explicitly
         keeps event-sources alive, if they're currently dispatched,
         knowing that the dispatcher will free the event once done. But
         if the dispatcher is in the parent, the child will never ever
         free that object, thus leaking it)

        This is usually not an issue. However, if such an object has a
        file-descriptor embedded, this FD is left open and never closed in
        the child.

In manager_exit(), if we now destroy an object (i.e., close its embedded
file-descriptor) before we destroy its related sd_event_source, then
sd-event will not be able to drop the FD from the epoll-set (EFD). This
is because the FD is no longer valid at the time we call EPOLL_CTL_DEL.
Hence, the kernel cannot figure out the linked "struct file" and thus
cannot remove the FD-number plus "struct file" combination; effectively
leaving the subscription in the epoll-set.
Since we leak the uevent-fd in the children, they retain a copy of the FD
pointing to the same "struct file". Thus, the EFD-subscriptions are not
automatically removed by close() (as described above). Therefore, the main
daemon will still get its metadata back on epoll_watch() whenever an event
occurs (even though it already freed the metadata). This then causes the
free-after-use bug described in #163.

This patch fixes the order in which we destruct objects and related
sd-event-sources. Some open questions remain:

 * Why does source_io_unregister() not warn on EPOLL_CTL_DEL failures?
   This really needs to be turned into an assert_return().

 * udevd really should not leak file-descriptors into its children. Fixing
   this would *not* have prevented this bug, though (since the child-setup
   is still async).
   It's non-trivial to fix this, though. The stack-context of the caller
   cannot be rewound, so we cannot figure out temporary refs. Maybe it's
   time to exec() the udev-workers?

 * Why does the kernel not copy FD-subscriptions across fork()?
   Or at least drop subscriptions if you close() your FD (it uses the
   FD-number as key, so it better subscribe to it)?
   Or it better used
         FD+"struct file_table*"+"struct file*"
   as key to not allow the children to share the subscription table..
   *sigh*
   Seems like we have to live with that API forever.
2015-06-17 00:31:57 +02:00
Daniel Mack
5630aab1a8 Merge pull request #218 from poettering/dual-timestamp-null
everywhere: actually make use of DUAL_TIMESTAMP_NULL macro
2015-06-16 11:03:27 +02:00
Daniel Mack
1a770c60ee Merge pull request #219 from poettering/logind-docked
logind: expose "Docked" bool as property on the bus
2015-06-16 11:02:40 +02:00
Lennart Poettering
4fba57963b logind: cast close() call to (void) 2015-06-16 01:55:20 +02:00
Lennart Poettering
148560792a logind: expose "Docked" bool as property on the bus
We know the state anyway, let's expose it in the bus. It's useful for
debugging at least, but it might be useful for DEs too.
2015-06-16 01:11:10 +02:00
Lennart Poettering
5cb14b3742 everywhere: actually make use of DUAL_TIMESTAMP_NULL macro
Let's use it as initializer where appropriate.
2015-06-16 01:08:12 +02:00
Lennart Poettering
5febf10c1c update TODO 2015-06-16 01:02:52 +02:00
Lennart Poettering
86b85cf440 Merge pull request #214 from poettering/signal-rework-2
everywhere: port everything to sigprocmask_many() and friends
2015-06-15 20:35:18 +02:00
Lennart Poettering
78ed65ac8d Merge pull request #212 from poettering/gc-machine-snapshots
automatically remove old machine snapshots at boot
2015-06-15 20:33:35 +02:00
Lennart Poettering
72c0a2c255 everywhere: port everything to sigprocmask_many() and friends
This ports a lot of manual code over to sigprocmask_many() and friends.

Also, we now consistently check for sigprocmask() failures with
assert_se(), since the call cannot realistically fail unless there's a
programming error.

Also encloses a few sd_event_add_signal() calls with (void) when we
ignore the return values for it knowingly.
2015-06-15 20:13:23 +02:00
Kay Sievers
dd5da693ab Merge pull request #209 from crrodriguez/master
buildsys: missing SECCOMP_CFLAGS in various places
2015-06-15 19:56:23 +02:00
Lennart Poettering
770b5ce4fc tmpfiles: automatically remove old machine snapshots at boot
Remove old temporary snapshots, but only at boot. Ideally we'd have
"self-destroying" btrfs snapshots that go away if the last
reference to it does. To mimic a scheme like this at least remove the
old snapshots on fresh boots, where we know they cannot be referenced
anymore. Note that we actually remove all temporary files in
/var/lib/machines/ at boot, which should be safe since the directory has
defined semantics. In the root directory (where systemd-nspawn
--ephemeral places snapshots) we are more strict, to avoid removing
unrelated temporary files.

This also splits out nspawn/container related tmpfiles bits into a new
tmpfiles snippet to systemd-nspawn.conf
2015-06-15 19:28:55 +02:00
Lennart Poettering
1b26f09eb0 tmpfiles: make sure "R" lines also remove subvolumes 2015-06-15 19:28:55 +02:00
Lennart Poettering
14bcf25c8b util: when creating temporary file names, allow including extra id string in it
This adds a "char *extra" parameter to tempfn_xxxxxx(), tempfn_random(),
tempfn_random_child(). If non-NULL this string is included in the middle
of the newly created file name. This is useful for being able to
distinguish the kind of temporary file when we see one.

This also adds tests for the three calls.

For now, we don't make use of this at all, but port all users over.
2015-06-15 19:28:55 +02:00
Cristian Rodríguez
e1ada21e92 buildsys: missing SECCOMP_CFLAGS in various places
libcore, systemd and nspawn fail to build when seccomp headers
are not in the include path.
2015-06-15 13:36:51 -03:00
Lennart Poettering
a4c8a59951 Merge pull request #208 from poettering/btrfs-rec-snapshot
btrfs-util: when snapshotting make sure we don't descend into subvolu…
2015-06-15 18:11:48 +02:00
Lennart Poettering
90578cbd71 btrfs-util: when snapshotting make sure we don't descend into subvolumes we just created
We already had a safety check in place that we don't end up descending
to the original subvolume again, but we also should avoid descending in
the newly created one.

This is particularly important if we make a snapshot below its source,
like we do in "systemd-nspawn --ephemeral -D /".

Closes https://bugs.freedesktop.org/show_bug.cgi?id=90803
2015-06-15 18:11:11 +02:00
Daniel Mack
0c33502bed Merge pull request #154 from dmedri/master
Italian .po updates
2015-06-15 14:43:15 +02:00
Daniel Mack
e5a774bbfa Merge pull request #202 from victorenator/l10n-be
l10n: Add Belarusian translation
2015-06-15 14:17:38 +02:00
Daniel Mack
036fe527a9 Merge pull request #206 from zonque/firewall-rename
firewall: rename fw-util.[ch] → firewall-util.[ch]
2015-06-15 14:15:57 +02:00
Daniel Mack
12c2884c55 firewall: rename fw-util.[ch] → firewall-util.[ch]
The names fw-util.[ch] are too ambiguous, better rename the files to
firewall-util.[ch]. Also rename the test accordingly.
2015-06-15 14:08:02 +02:00
Lennart Poettering
f430b07b72 Merge pull request #180 from ronnychevalier/rc/coverity_cid_1304686
login: fix potential null pointer dereference
2015-06-15 12:22:19 +02:00
Lennart Poettering
cceb20c75c man: document that ExecStop= needs a synchronous tool
As requested in #199.
2015-06-15 12:06:02 +02:00
Lennart Poettering
e8c5393631 man: document that SIGCONT always follows SIGTERM
As requested in #199.
2015-06-15 12:05:57 +02:00
Lennart Poettering
c6355b313e man: clarify overriding semantics of systemd-gpt-auto-generator
Specifically: /etc/fstab overrides the units itself, but not the deps.

See #168.
2015-06-15 11:49:26 +02:00
Lennart Poettering
5feece76fb Merge pull request #205 from endocode/iaguis/seccomp-v2
nspawn: make seccomp loading errors non-fatal
2015-06-15 11:45:48 +02:00
Marcel Holtmann
bdfcbe2262 hwdb: Update database of Bluetooth company identifiers 2015-06-15 11:28:15 +02:00
Iago López Galeiras
9b1cbdc6e1 nspawn: make seccomp loading errors non-fatal
seccomp_load returns -EINVAL when seccomp support is not enabled in the
kernel [1]. This should be a debug log, not an error that interrupts nspawn.
If the seccomp filter can't be set and audit is enabled, the user will
get an error message anyway.

[1]: http://man7.org/linux/man-pages/man2/prctl.2.html
2015-06-15 10:55:31 +02:00
Ronny Chevalier
b9460fdc8b login: fix potential null pointer dereference
Fix CID 1304686: Dereference after null check (FORWARD_NULL)

However, this commit does not fix any bug in logind. It helps to keep
the elect_display_compare() function generic.
2015-06-15 10:22:32 +02:00
Martin Pitt
6b7d32add4 sysv-generator test: always log to console
Set $SYSTEMD_LOG_TARGET so that the output always goes to stdout/stderr. This
fixes running the test as root, as that logged to the journal previously.

https://github.com/systemd/systemd/issues/195
2015-06-15 08:59:44 +02:00
Lennart Poettering
63432f5d95 update TODO 2015-06-15 00:41:10 +02:00
Lennart Poettering
0bea2e3dde update TODO 2015-06-15 00:15:20 +02:00
Viktar Vauchkevich
a220f3583c l10n: Add Belarusian translation 2015-06-15 00:13:43 +03:00
Kay Sievers
a611e82166 Merge pull request #201 from mbiebl/drop-include_prefix
build-sys: Drop include_prefix
2015-06-14 20:58:04 +02:00
Michael Biebl
38ed9e3c22 build-sys: Drop include_prefix
Appears to be unused and a leftover from the udev merge.
2015-06-14 20:49:14 +02:00
Kay Sievers
15daf6a834 Merge pull request #144 from teg/udev-spawn-log-less-2
udevd: event - don't log about failures of spawn processes when this …
2015-06-14 20:19:54 +02:00
Kay Sievers
7258e9704f Merge pull request #200 from kaysievers/wip
build-sys: include libsystemd-journal and libudev in libshared
2015-06-14 20:17:19 +02:00
Kay Sievers
9afc1aacfe build-sys: include libsystemd-journal and libudev in libshared 2015-06-14 20:03:44 +02:00
Tom Gundersen
83cb143817 Merge pull request #196 from dvdhrm/bus-map-props
tree-wide: fix memory leaks in users of bus_map_all_properties()
2015-06-14 19:35:30 +02:00
Tom Gundersen
7171ebcf2f Merge pull request #198 from ivuk/fix_typo_timesyncd_conf
Fix typos in man/timesyncd.conf.xml
2015-06-14 18:47:41 +02:00
Tom Gundersen
0b30332770 Merge pull request #192 from phomes/master
test-netlink-manual: typo fix
2015-06-14 18:46:54 +02:00
Igor Vuk
e26cb3b79a Fix typos in man/timesyncd.conf.xml 2015-06-14 18:28:55 +02:00
David Herrmann
e7e55dbdc3 tree-wide: fix memory leaks in users of bus_map_all_properties()
If you use bus_map_all_properties(), you must be aware that it might
touch output variables even though it may fail. This is because we parse
many different bus-properties and cannot tell how to clean them up, in
case we fail deep down in the parser.

Fix all callers of bus_map_all_properties() to correctly cleanup any
context structures at all times.
2015-06-14 15:08:52 +02:00
Mario Limonciello
aa75494ad5 hwdb: add support for Alienware graphics amplifier
Unplugging and plugging in the cable will create various scancodes
on the keyboard controller.

Userspace within X should be able to interact with these to show
interesting messages. Assign them to generic prog1/prog2.

(David: add comment to hwdb explaining that these keycodes are reserved)
2015-06-14 14:32:19 +02:00
David Herrmann
01856799a3 man: don't mention '/run' in hwdb.man
We do not support '/run' for hwdb files. Drop it from the man-pages so
people don't accidentally use it.

This was reported by: Peter Hutterer <peter.hutterer@who-t.net>
2015-06-14 14:26:31 +02:00
Thomas Hindoe Paaboel Andersen
19fcba36e4 test-netlink-manual: typo fix
No functional change, but looked weird.
2015-06-14 13:57:35 +02:00
David Herrmann
e7f25cf7d9 Merge pull request #178 from utezduyar/man-sd_bus_message_get_creds
Improve the documentation of bus credentials by mentioning send-time metadata. This needs more love, we should really clarify metadata details here. However, this is still better than nothing, so it's fine.
2015-06-14 13:22:44 +02:00
David Herrmann
485e590a61 Merge pull request #183 from ssahani/net
Improve tun/tap logging by using the new log_*errno*() functions that set 'errno' explicitly. Also fix a bunch of incorrect errno/r confusions.
2015-06-14 13:16:47 +02:00
David Herrmann
f3a8f45b21 Merge pull request #191 from kaysievers/resolv
build-sys: merge convenience library libresolve
2015-06-14 13:09:06 +02:00
David Herrmann
6113cec066 Merge pull request #189 from teg/rtnl-rename
Rename sd_rtnl to sd_netlink to prepare for further netlink-protocol support. Anything rtnl specific still uses the sd_rtnl prefix, but the generic parts (including the bus and message objects) are now called sd_netlink.
2015-06-14 13:07:20 +02:00