summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-06-17udev: don't close FDs before dropping them from epollDavid Herrmann
Make sure we never close fds before we drop their related event-source. This will cause horrible disruptions if the fd-num is re-used by someone else. Under normal conditions, this should not cause any problems as the close() will drop the fd from the epoll-set automatically. However, this changes if you have any child processes with a copy of that fd. This fixes issue #163. Background: If you create an epoll-set via epoll_create() (lets call it 'EFD') you can add file-descriptors to it to watch for events. Whenever you call EPOLL_CTL_ADD on a file-descriptor you want to watch, the kernel looks up the attached "struct file" pointer, that this FD refers to. This combination of the FD-number and the "struct file" pointer is used as key to link it into the epoll-set (EFD). This means, if you duplicate your file-descriptor, you can watch this file-descriptor, too (because the duplicate will have a different FD-number, hence, the combination of FD-number and "struct file" is different as before). If you want to stop watching an FD, you use EPOLL_CTL_DEL and pass the FD to the kernel. The kernel again looks up your file-descriptor in your FD-table to find the linked "struct file". This FD-number and "struct file" combination is then dropped from the epoll-set (EFD). Last, but not least: If you close a file-descriptor that is linked to an epoll-set, the kernel does *NOTHING* regarding the epoll-set. This is a vital observation! Because this means, your epoll_wait() calls will still return the metadata you used to watch/subscribe your file-descriptor to events. There is one exception to this rule: If the file-descriptor that you just close()ed was the last FD that referred to the underlying "struct file", then _all_ epoll-set watches/subscriptions are destroyed. Hence, if you never dup()ed your FD, then a simple close() will also unsubscribe it from any epoll-set. With this in mind, lets look at fork(): Assume you have an epoll-set (EFD) and a bunch of FDs subscribed to events on that EFD. If you now call fork(), the new process gets a copy of your file-descriptor table. This means, the whole table is copied and the "struct file" reference of each FD is increased by 1. It is important to notice that the FD-numbers in the child are exactly the same as in the parent (eg., FD #5 in the child refers to the same "struct file" as FD #5 in the parent). This means, if the child calls EPOLL_CTL_DEL on an FD, the kernel will look up the linked "struct file" and drop the FD-number and "struct file" combination from the epoll-set (EFD). However, this will effectively drop the subscription that was installed by the parent. To sum up: even though the child gets a duplicate of the EFD and all FDs, the subscriptions in the EFD are *NOT* duplicated! Now, with this in mind, lets look at what udevd does: Udevd has a bunch of file-descriptors that it watches in its sd-event main-loop. Whenever a uevent is received, the event is dispatched on its workers. If no suitable worker is present, a new worker is fork()ed to handle the event. Inside of this worker, we try to free all resources we inherited. However, the fork() call is done from a call-stack that is never rewinded. Therefore, this call stack might own references that it drops once it is left. Those references we cannot deduce from the fork()'ed process; effectively causing us to leak objects in the worker (eg., the call to sd_event_dispatch() that dispatched our uevent owns a reference to the sd_event object it used; and drops it again once the function is left). (Another example is udev_monitor_ref() for each 'worker' that is also inherited by all children; thus keeping the udev-monitor and the uevent-fd alive in all children (which is the real cause for bug #163)) (The extreme variant is sd_event_source_unref(), which explicitly keeps event-sources alive, if they're currently dispatched, knowing that the dispatcher will free the event once done. But if the dispatcher is in the parent, the child will never ever free that object, thus leaking it) This is usually not an issue. However, if such an object has a file-descriptor embedded, this FD is left open and never closed in the child. In manager_exit(), if we now destroy an object (i.e., close its embedded file-descriptor) before we destroy its related sd_event_source, then sd-event will not be able to drop the FD from the epoll-set (EFD). This is, because the FD is no longer valid at the time we call EPOLL_CTL_DEL. Hence, the kernel cannot figure out the linked "struct file" and thus cannot remove the FD-number plus "struct file" combination; effectively leaving the subscription in the epoll-set. Since we leak the uevent-fd in the children, they retain a copy of the FD pointing to the same "struct file". Thus, the EFD-subscription are not automatically removed by close() (as described above). Therefore, the main daemon will still get its metadata back on epoll_watch() whenever an event occurs (even though it already freed the metadata). This then causes the free-after-use bug described in #163. This patch fixes the order in which we destruct objects and related sd-event-sources. Some open questions remain: * Why does source_io_unregister() not warn on EPOLL_CTL_DEL failures? This really needs to be turned into an assert_return(). * udevd really should not leak file-descriptors into its children. Fixing this would *not* have prevented this bug, though (since the child-setup is still async). It's non-trivial to fix this, though. The stack-context of the caller cannot be rewinded, so we cannot figure out temporary refs. Maybe it's time to exec() the udev-workers? * Why does the kernel not copy FD-subscriptions across fork()? Or at least drop subscriptions if you close() your FD (it uses the FD-number as key, so it better subscribe to it)? Or it better used FD+"struct file_table*"+"struct file*" as key to not allow the childen to share the subscription table.. *sigh* Seems like we have to live with that API forever.
2015-06-16Merge pull request #218 from poettering/dual-timestamp-nullDaniel Mack
everywhere: actually make use of DUAL_TIMESTAMP_NULL macro
2015-06-16Merge pull request #219 from poettering/logind-dockedDaniel Mack
logind: expose "Docked" bool as property on the bus
2015-06-16logind: cast close() call to (void)Lennart Poettering
2015-06-16logind: expose "Docked" bool as property on the busLennart Poettering
We know the state anyway, let's expose it in the bus. It's useful for debugging at least, but it might be useful for DEs too.
2015-06-16everywhere: actually make use of DUAL_TIMESTAMP_NULL macroLennart Poettering
Let's use it as initializer where appropriate.
2015-06-16update TODOLennart Poettering
2015-06-15Merge pull request #214 from poettering/signal-rework-2Lennart Poettering
everywhere: port everything to sigprocmask_many() and friends
2015-06-15Merge pull request #212 from poettering/gc-machine-snapshotsLennart Poettering
automatically remove old machine shapshots at boot
2015-06-15everywhere: port everything to sigprocmask_many() and friendsLennart Poettering
This ports a lot of manual code over to sigprocmask_many() and friends. Also, we now consistly check for sigprocmask() failures with assert_se(), since the call cannot realistically fail unless there's a programming error. Also encloses a few sd_event_add_signal() calls with (void) when we ignore the return values for it knowingly.
2015-06-15Merge pull request #209 from crrodriguez/masterKay Sievers
buildsys: missing SECCOMP_CFLAGS in various places
2015-06-15tmpfiles: automatically remove old machine snapshots at bootLennart Poettering
Remove old temporary snapshots, but only at boot. Ideally we'd have "self-destroying" btrfs snapshots that go away if the last last reference to it does. To mimic a scheme like this at least remove the old snapshots on fresh boots, where we know they cannot be referenced anymore. Note that we actually remove all temporary files in /var/lib/machines/ at boot, which should be safe since the directory has defined semantics. In the root directory (where systemd-nspawn --ephemeral places snapshots) we are more strict, to avoid removing unrelated temporary files. This also splits out nspawn/container related tmpfiles bits into a new tmpfiles snippet to systemd-nspawn.conf
2015-06-15tmpfiles: make sure "R" lines also remove subvolumesLennart Poettering
2015-06-15util: when creating temporary file names, allow including extra id string in itLennart Poettering
This adds a "char *extra" parameter to tempfn_xxxxxx(), tempfn_random(), tempfn_ranomd_child(). If non-NULL this string is included in the middle of the newly created file name. This is useful for being able to distuingish the kind of temporary file when we see one. This also adds tests for the three call. For now, we don't make use of this at all, but port all users over.
2015-06-15buildsys: missing SECCOMP_CFLAGS in various placesCristian Rodríguez
libcore, systemd and nspawn fail to build when seccomp headers are not in the include path.
2015-06-15Merge pull request #208 from poettering/btrfs-rec-snapshotLennart Poettering
btrfs-util: when snapshotting make sure we don't descent into subvolu…
2015-06-15btrfs-util: when snapshotting make sure we don't descent into subvolumes we ↵Lennart Poettering
just created We already had a safety check in place that we don't end up descending to the original subvolume again, but we also should avoid descending in the newly created one. This is particularly important if we make a snapshot below its source, like we do in "systemd-nspawn --ephemeral -D /". Closes https://bugs.freedesktop.org/show_bug.cgi?id=90803
2015-06-15Merge pull request #154 from dmedri/masterDaniel Mack
Italian .po updates
2015-06-15Merge pull request #202 from victorenator/l10n-beDaniel Mack
l10n: Add Belarusian translation
2015-06-15Merge pull request #206 from zonque/firewall-renameDaniel Mack
firewall: rename fw-util.[ch] → firewall-util.[ch]
2015-06-15firewall: rename fw-util.[ch] → firewall-util.[ch]Daniel Mack
The names fw-util.[ch] are too ambiguous, better rename the files to firewall-util.[ch]. Also rename the test accordingly.
2015-06-15Merge pull request #180 from ronnychevalier/rc/coverity_cid_1304686Lennart Poettering
login: fix potential null pointer dereference
2015-06-15man: document that ExecStop= needs a synchronous toolLennart Poettering
As requested in #199.
2015-06-15man: document that SIGCONT always follows SIGTERMLennart Poettering
As requested in #199.
2015-06-15man: clarify overriding semantics of systemd-gpt-auto-generatorLennart Poettering
Specifically: /etc/fstab overrides the units itself, but not the deps. See #168.
2015-06-15Merge pull request #205 from endocode/iaguis/seccomp-v2Lennart Poettering
nspawn: make seccomp loading errors non-fatal
2015-06-15hwdb: Update database of Bluetooth company identifiersMarcel Holtmann
2015-06-15nspawn: make seccomp loading errors non-fatalIago López Galeiras
seccomp_load returns -EINVAL when seccomp support is not enabled in the kernel [1]. This should be a debug log, not an error that interrupts nspawn. If the seccomp filter can't be set and audit is enabled, the user will get an error message anyway. [1]: http://man7.org/linux/man-pages/man2/prctl.2.html
2015-06-15login: fix potential null pointer dereferenceRonny Chevalier
Fix CID 1304686: Dereference after null check (FORWARD_NULL) However, this commit does not fix any bug in logind. It helps to keep the elect_display_compare() function generic.
2015-06-15sysv-generator test: always log to consoleMartin Pitt
Set $SYSTEMD_LOG_TARGET so that the output always goes to stdout/stderr. This fixes running the test as root, as that logged to the journal previously. https://github.com/systemd/systemd/issues/195
2015-06-15update TODOLennart Poettering
2015-06-15update TODOLennart Poettering
2015-06-15l10n: Add Belarusian translationViktar Vauchkevich
2015-06-14Merge pull request #201 from mbiebl/drop-include_prefixKay Sievers
build-sys: Drop include_prefix
2015-06-14build-sys: Drop include_prefixMichael Biebl
Appears to be unused and a leftover from the udev merge.
2015-06-14Merge pull request #144 from teg/udev-spawn-log-less-2Kay Sievers
udevd: event - don't log about failures of spawn processes when this …
2015-06-14Merge pull request #200 from kaysievers/wipKay Sievers
build-sys: include libsystemd-journal and libudev in libshared
2015-06-14build-sys: include libsystemd-journal and libudev in libsharedKay Sievers
2015-06-14Merge pull request #196 from dvdhrm/bus-map-propsTom Gundersen
tree-wide: fix memory leaks in users of bus_map_all_properties()
2015-06-14Merge pull request #198 from ivuk/fix_typo_timesyncd_confTom Gundersen
Fix typos in man/timesyncd.conf.xml
2015-06-14Merge pull request #192 from phomes/masterTom Gundersen
test-netlink-manual: typo fix
2015-06-14Fix typos in man/timesyncd.conf.xmlIgor Vuk
2015-06-14tree-wide: fix memory leaks in users of bus_map_all_properties()David Herrmann
If you use bus_map_all_properties(), you must be aware that it might touch output variables even though it may fail. This is, because we parse many different bus-properties and cannot tell how to clean them up, in case we fail deep down in the parser. Fix all callers of bus_map_all_properties() to correctly cleanup any context structures at all times.
2015-06-14hwdb: add support for Alienware graphics amplifierMario Limonciello
Unplugging and plugging in the cable will create various scancodes on the keyboard controller. Userspace within X should be able to interact with these to show interesting messages. Assign them to generic prog1/prog2. (David: add comment to hwdb explaining that these keycodes are reserved)
2015-06-14man: don't mention '/run' in hwdb.manDavid Herrmann
We do not support '/run' for hwdb files. Drop it from the man-pages so people don't accidentally use it. This was reported by: Peter Hutterer <peter.hutterer@who-t.net>
2015-06-14test-netlink-manual: typo fixThomas Hindoe Paaboel Andersen
No functional change, but looked weird.
2015-06-14Merge pull request #178 from utezduyar/man-sd_bus_message_get_credsDavid Herrmann
Improve the documentation of bus credentials by mentioning send-time metadata. This needs more love, we should really clarify metadata details here. However, this is still better than nothing, so it's fine.
2015-06-14Merge pull request #183 from ssahani/netDavid Herrmann
Improve tun/tap logging by using the new log_*errno*() functions that set 'errno' explicitly. Also fix a bunch of incorrect errno/r confusions.
2015-06-14Merge pull request #191 from kaysievers/resolvDavid Herrmann
build-sys: merge convenience library libresolve
2015-06-14Merge pull request #189 from teg/rtnl-renameDavid Herrmann
Rename sd_rtnl to sd_netlink to prepare for further netlink-protocol support. Anything rtnl specific still uses the sd_rtnl prefix, but the generic parts (including the bus and message objects) are now called sd_netlink.