From d1a308e897e05574734943f8a5458942d9d2b9e5 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Fri, 12 Mar 2021 17:46:46 -0800 Subject: [PATCH 01/38] Disable resolved cache via config snippet (#1933433) --- nocache.conf | 2 ++ systemd.spec | 11 ++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 nocache.conf diff --git a/nocache.conf b/nocache.conf new file mode 100644 index 0000000..25d5429 --- /dev/null +++ b/nocache.conf @@ -0,0 +1,2 @@ +[Resolve] +Cache=no diff --git a/systemd.spec b/systemd.spec index c5c415e..b0ec646 100644 --- a/systemd.spec +++ b/systemd.spec @@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 248~rc2 -Release: 5%{?dist} +Release: 6%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -64,6 +64,9 @@ Source22: sysusers.attr Source23: sysusers.prov Source24: sysusers.generate-pre.sh +# Disable resolved caching to workaround #1933433 +Source100: nocache.conf + %if 0 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip @@ -557,6 +560,9 @@ touch %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload/state # Install yum protection fragment install -Dm0644 %{SOURCE4} %{buildroot}/etc/dnf/protected.d/systemd.conf +# Install resolved cache disable fragment +install -Dm0644 -t %{buildroot}%{pkgdir}/resolved.conf.d %{SOURCE100} + install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE7} %{SOURCE8} # Restore systemd-user pam config from before "removal of Fedora-specific bits" 
@@ -952,6 +958,9 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Fri Mar 12 2021 Adam Williamson - 248~rc2-6 +- Disable resolved cache via config snippet (#1933433) + * Thu Mar 11 2021 Zbigniew Jędrzejewski-Szmek - 248~rc2-5 - Fix crash in pid1 during daemon-reexec (#1931034) From 9f7a97dd7f34dfa03d1d5f5f274d34aef2f35cc5 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Tue, 16 Mar 2021 14:58:01 -0700 Subject: [PATCH 02/38] Backport PR #19009 to fix CNAME redirect resolving some more (#1933433) One small rediff tweak needed. --- 19009-rediff.patch | 593 +++++++++++++++++++++++++++++++++++++++++++++ systemd.spec | 8 +- 2 files changed, 600 insertions(+), 1 deletion(-) create mode 100644 19009-rediff.patch diff --git a/19009-rediff.patch b/19009-rediff.patch new file mode 100644 index 0000000..e816f84 --- /dev/null +++ b/19009-rediff.patch 
@@ -0,0 +1,593 @@ +From 1499a0a99a0765b4b1b56f56d6712324e740911f Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 20:47:28 +0100 +Subject: [PATCH 01/12] resolved: add new helper dns_answer_min_ttl() + +--- + src/resolve/resolved-dns-answer.c | 19 +++++++++++++++++++ + src/resolve/resolved-dns-answer.h | 2 ++ + 2 files changed, 21 insertions(+) + +diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c +index a667ab5ede4..5fbff81c255 100644 +--- a/src/resolve/resolved-dns-answer.c ++++ b/src/resolve/resolved-dns-answer.c +@@ -963,3 +963,22 @@ void dns_answer_randomize(DnsAnswer *a) { + SWAP_TWO(a->items[i], a->items[k]); + } + } ++ ++uint32_t dns_answer_min_ttl(DnsAnswer *a) { ++ uint32_t ttl = UINT32_MAX; ++ DnsResourceRecord *rr; ++ ++ /* Return the smallest TTL of all RRs in this answer */ ++ ++ DNS_ANSWER_FOREACH(rr, a) { ++ /* Don't consider OPT (where the TTL field is used for other purposes than an actual TTL) */ ++ ++ if (dns_type_is_pseudo(rr->key->type) || ++ dns_class_is_pseudo(rr->key->class)) ++ continue; ++ ++ ttl = MIN(ttl, rr->ttl); ++ } ++ ++ return ttl; ++} +diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h +index 7d19eee4e2b..447da5d6cc3 100644 +--- a/src/resolve/resolved-dns-answer.h ++++ b/src/resolve/resolved-dns-answer.h +@@ -87,6 +87,8 @@ void dns_answer_dump(DnsAnswer *answer, FILE *f); + + void dns_answer_randomize(DnsAnswer *a); + ++uint32_t dns_answer_min_ttl(DnsAnswer *a); ++ + DEFINE_TRIVIAL_CLEANUP_FUNC(DnsAnswer*, dns_answer_unref); + + #define _DNS_ANSWER_FOREACH(q, kk, a) \ + +From 3b7006cb44dd2860cb1b2e652e318d196dddf312 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 20:47:53 +0100 +Subject: [PATCH 02/12] resolved: rebreak a few comments + +--- + src/resolve/resolved-dns-cache.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/src/resolve/resolved-dns-cache.c 
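Review bot: `dns_answer_min_ttl()` in resolved-dns-answer.c (PATCH 01/12) returns `UINT32_MAX` when no record qualifies, i.e. for an answer that holds no RRs or only pseudo-type/class RRs, and neither the definition nor the header prototype says so. Later patches in this series feed the result into cache-lifetime arithmetic, so a caller that forgets to fold in another bound would treat that sentinel as a real TTL. I would extend the comment to `/* Return the smallest TTL of all RRs in this answer, or UINT32_MAX if it holds no RR with a real TTL; callers must apply their own upper bound */`. Whether `DNS_ANSWER_FOREACH` tolerates a NULL `a` is not visible here; if it does not, an `assert(a)` is missing.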
b/src/resolve/resolved-dns-cache.c +index 0bf320df880..23612a5c353 100644 +--- a/src/resolve/resolved-dns-cache.c ++++ b/src/resolve/resolved-dns-cache.c +@@ -320,11 +320,9 @@ static usec_t calculate_until(DnsResourceRecord *rr, uint32_t nsec_ttl, usec_t t + + ttl = MIN(rr->ttl, nsec_ttl); + if (rr->key->type == DNS_TYPE_SOA && use_soa_minimum) { +- /* If this is a SOA RR, and it is requested, clamp to +- * the SOA's minimum field. This is used when we do +- * negative caching, to determine the TTL for the +- * negative caching entry. See RFC 2308, Section +- * 5. */ ++ /* If this is a SOA RR, and it is requested, clamp to the SOA's minimum field. This is used ++ * when we do negative caching, to determine the TTL for the negative caching entry. See RFC ++ * 2308, Section 5. */ + + if (ttl > rr->soa.minimum) + ttl = rr->soa.minimum; +@@ -337,8 +335,7 @@ static usec_t calculate_until(DnsResourceRecord *rr, uint32_t nsec_ttl, usec_t t + if (rr->expiry != USEC_INFINITY) { + usec_t left; + +- /* Make use of the DNSSEC RRSIG expiry info, if we +- * have it */ ++ /* Make use of the DNSSEC RRSIG expiry info, if we have it */ + + left = LESS_BY(rr->expiry, now(CLOCK_REALTIME)); + if (u > left) +@@ -785,9 +782,8 @@ int dns_cache_put( + if (r > 0) + return 0; + +- /* But not if it has a matching CNAME/DNAME (the negative +- * caching will be done on the canonical name, not on the +- * alias) */ ++ /* But not if it has a matching CNAME/DNAME (the negative caching will be done on the canonical name, ++ * not on the alias) */ + r = dns_answer_find_cname_or_dname(answer, key, NULL, NULL); + if (r < 0) + goto fail; +@@ -803,8 +799,7 @@ int dns_cache_put( + if (r == 0 && !weird_rcode) + return 0; + if (r > 0) { +- /* Refuse using the SOA data if it is unsigned, but the key is +- * signed */ ++ /* Refuse using the SOA data if it is unsigned, but the key is signed */ + if (FLAGS_SET(query_flags, SD_RESOLVED_AUTHENTICATED) && + (flags & DNS_ANSWER_AUTHENTICATED) == 0) + return 0; + 
+From 77db3caee36d0241bf2153f56579a9fb952962f1 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 20:48:18 +0100 +Subject: [PATCH 03/12] resolved: use dns_answer_isempty() where appropriate + +--- + src/resolve/resolved-dns-cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c +index 23612a5c353..8edbd5fee94 100644 +--- a/src/resolve/resolved-dns-cache.c ++++ b/src/resolve/resolved-dns-cache.c +@@ -693,7 +693,7 @@ int dns_cache_put( + * short time.) */ + + if (IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN)) { +- if (dns_answer_size(answer) <= 0) { ++ if (dns_answer_isempty(answer)) { + if (key) { + char key_str[DNS_RESOURCE_KEY_STRING_MAX]; + + +From b12058e8f96a9b490e2b1ce98f81ced182add577 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 20:48:35 +0100 +Subject: [PATCH 04/12] resolved: fix indentation + +--- + src/resolve/resolved-dns-cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c +index 8edbd5fee94..09fb8e2c883 100644 +--- a/src/resolve/resolved-dns-cache.c ++++ b/src/resolve/resolved-dns-cache.c +@@ -808,7 +808,7 @@ int dns_cache_put( + if (cache_mode == DNS_CACHE_MODE_NO_NEGATIVE) { + char key_str[DNS_RESOURCE_KEY_STRING_MAX]; + log_debug("Not caching negative entry for: %s, cache mode set to no-negative", +- dns_resource_key_to_string(key, key_str, sizeof key_str)); ++ dns_resource_key_to_string(key, key_str, sizeof key_str)); + return 0; + } + + +From f6d80c361d6a51972d4df264a190bf01ef7af624 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 21:15:30 +0100 +Subject: [PATCH 05/12] resolved: drop unnecessary local variable + +--- + src/resolve/resolved-dns-cache.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/resolve/resolved-dns-cache.c 
b/src/resolve/resolved-dns-cache.c +index 09fb8e2c883..0f40e0e40f4 100644 +--- a/src/resolve/resolved-dns-cache.c ++++ b/src/resolve/resolved-dns-cache.c +@@ -416,7 +416,7 @@ static int dns_cache_put_positive( + _cleanup_(dns_cache_item_freep) DnsCacheItem *i = NULL; + DnsCacheItem *existing; + char key_str[DNS_RESOURCE_KEY_STRING_MAX]; +- int r, k; ++ int r; + + assert(c); + assert(rr); +@@ -430,9 +430,9 @@ static int dns_cache_put_positive( + + /* New TTL is 0? Delete this specific entry... */ + if (rr->ttl <= 0) { +- k = dns_cache_remove_by_rr(c, rr); ++ r = dns_cache_remove_by_rr(c, rr); + log_debug("%s: %s", +- k > 0 ? "Removed zero TTL entry from cache" : "Not caching zero TTL cache entry", ++ r > 0 ? "Removed zero TTL entry from cache" : "Not caching zero TTL cache entry", + dns_resource_key_to_string(rr->key, key_str, sizeof key_str)); + return 0; + } + +From b974211acbe419170fc56a317a1d55d07c7cb686 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 21:18:32 +0100 +Subject: [PATCH 06/12] resolved: take shortest TTL of all of RRs in answer as + cache lifetime + +We nowadays cache full answer RRset combinations instead of just the +exact matching rrset. This means we should not cache RRs that are not +immediate answers to our question for longer then their own RRs. Or in +other words: let's determine the shortest TTL of all RRs in the whole +answer, and use that as cache lifetime. 
+--- + src/resolve/resolved-dns-cache.c | 60 +++++++++++++++++++++++--------- + 1 file changed, 44 insertions(+), 16 deletions(-) + +diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c +index 0f40e0e40f4..db2361ae363 100644 +--- a/src/resolve/resolved-dns-cache.c ++++ b/src/resolve/resolved-dns-cache.c +@@ -312,13 +312,19 @@ static DnsCacheItem* dns_cache_get(DnsCache *c, DnsResourceRecord *rr) { + return NULL; + } + +-static usec_t calculate_until(DnsResourceRecord *rr, uint32_t nsec_ttl, usec_t timestamp, bool use_soa_minimum) { ++static usec_t calculate_until( ++ DnsResourceRecord *rr, ++ uint32_t min_ttl, ++ uint32_t nsec_ttl, ++ usec_t timestamp, ++ bool use_soa_minimum) { ++ + uint32_t ttl; + usec_t u; + + assert(rr); + +- ttl = MIN(rr->ttl, nsec_ttl); ++ ttl = MIN(min_ttl, nsec_ttl); + if (rr->key->type == DNS_TYPE_SOA && use_soa_minimum) { + /* If this is a SOA RR, and it is requested, clamp to the SOA's minimum field. This is used + * when we do negative caching, to determine the TTL for the negative caching entry. 
See RFC +@@ -351,6 +357,7 @@ static void dns_cache_item_update_positive( + DnsResourceRecord *rr, + DnsAnswer *answer, + DnsPacket *full_packet, ++ uint32_t min_ttl, + uint64_t query_flags, + bool shared_owner, + DnssecResult dnssec_result, +@@ -387,7 +394,7 @@ static void dns_cache_item_update_positive( + dns_packet_unref(i->full_packet); + i->full_packet = full_packet; + +- i->until = calculate_until(rr, UINT32_MAX, timestamp, false); ++ i->until = calculate_until(rr, min_ttl, UINT32_MAX, timestamp, false); + i->query_flags = query_flags & CACHEABLE_QUERY_FLAGS; + i->shared_owner = shared_owner; + i->dnssec_result = dnssec_result; +@@ -414,8 +421,9 @@ static int dns_cache_put_positive( + const union in_addr_union *owner_address) { + + _cleanup_(dns_cache_item_freep) DnsCacheItem *i = NULL; +- DnsCacheItem *existing; + char key_str[DNS_RESOURCE_KEY_STRING_MAX]; ++ DnsCacheItem *existing; ++ uint32_t min_ttl; + int r; + + assert(c); +@@ -428,8 +436,15 @@ static int dns_cache_put_positive( + if (dns_type_is_pseudo(rr->key->type)) + return 0; + ++ /* Determine the minimal TTL of all RRs in the answer plus the one by the main RR we are supposed to ++ * cache. Since we cache whole answers to questions we should never return answers where only some ++ * RRs are still valid, hence find the lowest here */ ++ min_ttl = dns_answer_min_ttl(answer); ++ if (rr) ++ min_ttl = MIN(min_ttl, rr->ttl); ++ + /* New TTL is 0? Delete this specific entry... */ +- if (rr->ttl <= 0) { ++ if (min_ttl <= 0) { + r = dns_cache_remove_by_rr(c, rr); + log_debug("%s: %s", + r > 0 ? 
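Review bot: `calculate_until()` (PATCH 06/12, hunk at -312) no longer reads `rr->ttl`, so the TTL of the record being cached only counts if every caller folds it into `min_ttl` first. `dns_cache_put_positive()` does that, but the `dns_cache_put_negative()` hunk passes `dns_answer_min_ttl(answer)` alone, so the SOA's own TTL is honoured only if `soa` is itself one of the RRs in `answer`, which these hunks do not show. Keeping the record's TTL in the clamp makes the helper safe on its own: `ttl = MIN(MIN(min_ttl, nsec_ttl), rr->ttl);`. An over-long lifetime on a negative entry keeps a name unresolvable for longer than the zone asked for, so the conservative bound is the safer default. The function body continues past the hunk.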
"Removed zero TTL entry from cache" : "Not caching zero TTL cache entry", +@@ -446,6 +461,7 @@ static int dns_cache_put_positive( + rr, + answer, + full_packet, ++ min_ttl, + query_flags, + shared_owner, + dnssec_result, +@@ -473,7 +489,7 @@ static int dns_cache_put_positive( + .rr = dns_resource_record_ref(rr), + .answer = dns_answer_ref(answer), + .full_packet = dns_packet_ref(full_packet), +- .until = calculate_until(rr, (uint32_t) -1, timestamp, false), ++ .until = calculate_until(rr, min_ttl, (uint32_t) -1, timestamp, false), + .query_flags = query_flags & CACHEABLE_QUERY_FLAGS, + .shared_owner = shared_owner, + .dnssec_result = dnssec_result, +@@ -575,9 +591,12 @@ static int dns_cache_put_negative( + .full_packet = dns_packet_ref(full_packet), + }; + ++ /* Determine how long to cache this entry. In case we have some RRs in the answer use the lowest TTL ++ * of any of them. Typically that's the SOA's TTL, which is OK, but could possibly be lower because ++ * of some other RR. Let's better take the lowest option here than a needlessly high one */ + i->until = + i->type == DNS_CACHE_RCODE ? timestamp + CACHE_TTL_STRANGE_RCODE_USEC : +- calculate_until(soa, nsec_ttl, timestamp, true); ++ calculate_until(soa, dns_answer_min_ttl(answer), nsec_ttl, timestamp, true); + + if (i->type == DNS_CACHE_NXDOMAIN) { + /* NXDOMAIN entries should apply equally to all types, so we use ANY as +@@ -1046,21 +1065,30 @@ int dns_cache_lookup( + DnsAnswerItem *item; + + DNS_ANSWER_FOREACH_ITEM(item, j->answer) { +- r = answer_add_clamp_ttl(&answer, item->rr, item->ifindex, item->flags, item->rrsig, query_flags, j->until, current); ++ r = answer_add_clamp_ttl( ++ &answer, ++ item->rr, ++ item->ifindex, ++ item->flags, ++ item->rrsig, ++ query_flags, ++ j->until, ++ current); + if (r < 0) + return r; + } + } + + } else if (j->rr) { +- r = answer_add_clamp_ttl(&answer, +- j->rr, +- j->ifindex, +- FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED) ? 
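Review bot: In `dns_cache_put_positive()` (PATCH 06/12, hunk at -428) the added `if (rr)` guard is dead, because `rr->key->type` is dereferenced in the context lines just above it; the guard only suggests that `rr` may be NULL, and `min_ttl = MIN(dns_answer_min_ttl(answer), rr->ttl);` says the same without it. The zero check now fires when any RR in the answer has TTL 0, not only `rr`, and it then removes the cache entry for `rr` and logs "zero TTL entry". That means one zero-TTL record anywhere in a response evicts the cached main record, which deserves a sentence in the new comment and a log text that names the real cause. `min_ttl` is unsigned, so `min_ttl == 0` states the test more honestly than `<= 0`.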
DNS_ANSWER_AUTHENTICATED : 0, +- NULL, +- query_flags, +- j->until, +- current); ++ r = answer_add_clamp_ttl( ++ &answer, ++ j->rr, ++ j->ifindex, ++ FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED) ? DNS_ANSWER_AUTHENTICATED : 0, ++ NULL, ++ query_flags, ++ j->until, ++ current); + if (r < 0) + return r; + } + +From a1acc6e332b05f6a5167bf9d0bc0657794e1342c Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 21:18:52 +0100 +Subject: [PATCH 07/12] resolved: let's tweak how we calculate TTL left +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When responding from DNS cache, let's slightly tweak how the TTL is +lowered: as before let's round down when converting from our internal µs +to the external seconds. (This is preferable, since records should +better be cached too short instead of too long.) Let's avoid rounding +down to zero though, since that has special semantics in many cases (in +particular mDNS). Let's just use 1s in that case. +--- + src/resolve/resolved-dns-cache.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c +index db2361ae363..9b2e7115c0a 100644 +--- a/src/resolve/resolved-dns-cache.c ++++ b/src/resolve/resolved-dns-cache.c +@@ -937,9 +937,18 @@ static int answer_add_clamp_ttl( + assert(rr); + + if (FLAGS_SET(query_flags, SD_RESOLVED_CLAMP_TTL)) { ++ uint32_t left_ttl; ++ ++ /* Let's determine how much time is left for this cache entry. 
Note that we round down, but ++ * clamp this to be 1s at minimum, since we usually want records to remain cached better too ++ * short a time than too long a time, but otoh don't want to return 0 ever, since that has ++ * special semantics in various contexts — in particular in mDNS */ ++ ++ left_ttl = MAX(1U, LESS_BY(until, current) / USEC_PER_SEC); ++ + patched = dns_resource_record_ref(rr); + +- r = dns_resource_record_clamp_ttl(&patched, LESS_BY(until, current) / USEC_PER_SEC); ++ r = dns_resource_record_clamp_ttl(&patched, left_ttl); + if (r < 0) + return r; + +@@ -947,7 +956,7 @@ static int answer_add_clamp_ttl( + + if (rrsig) { + patched_rrsig = dns_resource_record_ref(rrsig); +- r = dns_resource_record_clamp_ttl(&patched_rrsig, LESS_BY(until, current) / USEC_PER_SEC); ++ r = dns_resource_record_clamp_ttl(&patched_rrsig, left_ttl); + if (r < 0) + return r; + + +From c4d98c3acc5901fad4a9a8e2ecd7cf9ad7b8ecb0 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 21:36:42 +0100 +Subject: [PATCH 08/12] resolved: use DNS_ANSWER_MASK_SECTIONS where + appropriate + +--- + src/resolve/resolved-dns-stub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c +index 8e781dd7389..f8d4767e536 100644 +--- a/src/resolve/resolved-dns-stub.c ++++ b/src/resolve/resolved-dns-stub.c +@@ -275,7 +275,7 @@ static int dns_stub_collect_answer_by_section( + dns_type_is_dnssec(item->rr->key->type)) + continue; + +- if (((item->flags ^ section) & (DNS_ANSWER_SECTION_ANSWER|DNS_ANSWER_SECTION_AUTHORITY|DNS_ANSWER_SECTION_ADDITIONAL)) != 0) ++ if (((item->flags ^ section) & DNS_ANSWER_MASK_SECTIONS) != 0) + continue; + + r = reply_add_with_rrsig( + +From 567aa5c87b4a177cd4a6ef3ed8d6814839a4ffd8 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 22:14:43 +0100 +Subject: [PATCH 09/12] resolved: show TTLs in answer dump + +--- + src/resolve/resolved-dns-answer.c | 
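Review bot: The `MAX(1U, …)` floor in `answer_add_clamp_ttl()` (PATCH 07/12, hunk at -937) also applies when `until` is already in the past: `LESS_BY(until, current)` is then 0 and the record leaves the cache with a TTL of 1 s instead of 0. Whether an expired item can reach this function depends on pruning done by the caller, which is outside the hunk. If it can, clients are told that a stale record is still valid; I would either return early when `until <= current` or state the precondition in the new comment, e.g. `/* Callers must not pass expired entries: until > current */`. The expression is also a `usec_t` quotient narrowed into `uint32_t left_ttl`, which is fine only as long as cache lifetimes stay bounded elsewhere.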
5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c +index 5fbff81c255..a032ac157e0 100644 +--- a/src/resolve/resolved-dns-answer.c ++++ b/src/resolve/resolved-dns-answer.c +@@ -879,9 +879,8 @@ void dns_answer_dump(DnsAnswer *answer, FILE *f) { + } + + fputs(t, f); +- +- if (item->ifindex != 0 || item->rrsig || item->flags != 0) +- fputs("\t;", f); ++ fputs("\t;", f); ++ fprintf(f, " ttl=%" PRIu32, item->rr->ttl); + + if (item->ifindex != 0) + fprintf(f, " ifindex=%i", item->ifindex); + +From 1414b67e0d9515c23221cecbb5323d45ea2020b1 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 22:15:06 +0100 +Subject: [PATCH 10/12] resolved: add helper for dumping DnsQuestion, similar + to what we have for DnsAnswer + +--- + src/resolve/resolved-dns-question.c | 18 ++++++++++++++++++ + src/resolve/resolved-dns-question.h | 2 ++ + 2 files changed, 20 insertions(+) + +diff --git a/src/resolve/resolved-dns-question.c b/src/resolve/resolved-dns-question.c +index 047170899db..ef409326304 100644 +--- a/src/resolve/resolved-dns-question.c ++++ b/src/resolve/resolved-dns-question.c +@@ -445,3 +445,21 @@ int dns_question_new_service( + + return 0; + } ++ ++/* ++ * This function is not used in the code base, but is useful when debugging. Do not delete. 
++ */ ++void dns_question_dump(DnsQuestion *question, FILE *f) { ++ DnsResourceKey *k; ++ ++ if (!f) ++ f = stdout; ++ ++ DNS_QUESTION_FOREACH(k, question) { ++ char buf[DNS_RESOURCE_KEY_STRING_MAX]; ++ ++ fputc('\t', f); ++ fputs(dns_resource_key_to_string(k, buf, sizeof(buf)), f); ++ fputc('\n', f); ++ } ++} +diff --git a/src/resolve/resolved-dns-question.h b/src/resolve/resolved-dns-question.h +index a6444b0baf9..8f9a84c82d9 100644 +--- a/src/resolve/resolved-dns-question.h ++++ b/src/resolve/resolved-dns-question.h +@@ -33,6 +33,8 @@ int dns_question_is_equal(DnsQuestion *a, DnsQuestion *b); + + int dns_question_cname_redirect(DnsQuestion *q, const DnsResourceRecord *cname, DnsQuestion **ret); + ++void dns_question_dump(DnsQuestion *q, FILE *f); ++ + const char *dns_question_first_name(DnsQuestion *q); + + static inline size_t dns_question_size(DnsQuestion *q) { + +From a7c0291c104cdd9d5ae2fe3c5855273bbadae13e Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 22:15:18 +0100 +Subject: [PATCH 11/12] resolved: match CNAME replies to right question + +Previously by mistake we'd always match every single reply we get in a +CNAME chain to the original question from the stub client. That's +broken, we need to test it against the CNAME query we are currently +looking at. + +The effect of this incorrect matching was that we'd assign the RRs to +the wrong section since we'd assume they'd be auxiliary answers instead +of primary answers. + +Fixes: #18972 +--- + src/resolve/resolved-dns-stub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c +index f8d4767e536..b6d14b9305e 100644 +--- a/src/resolve/resolved-dns-stub.c ++++ b/src/resolve/resolved-dns-stub.c +@@ -761,7 +761,7 @@ static void dns_stub_query_complete(DnsQuery *q) { + * and keep adding all RRs in the CNAME chain. 
*/ + r = dns_stub_assign_sections( + q, +- q->request_packet->question, ++ dns_query_question_for_protocol(q, DNS_PROTOCOL_DNS), + dns_stub_reply_with_edns0_do(q)); + if (r < 0) { + log_debug_errno(r, "Failed to assign sections: %m"); + +From b1eea703e01da1e280e179fb119449436a0c9b8e Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 15 Mar 2021 23:26:46 +0100 +Subject: [PATCH 12/12] resolved: don't flush answer RRs on CNAME redirect too + early +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When doing a CNAME/DNAME redirect let's first check if the answer we +already have fully answers the redirected question already. If so, let's +use that. If not, let's properly restart things. + +This simply removes one call to dns_answer_reset() that was placed too +early: instead of resetting when we detect a CNAME/DNAME redirect, do so +only after checking if the answer we already have doesn't match the +reply, and then decide to *actually* follow it. Or in other words: rely +on the dns_answer_reset() call in dns_query_go() which we'll call to +actually begin with the redirected question. + +This fixes an optimization path which was broken back in 7820b320eaa608748f66f8105621640cf80e483a. + +(This doesn't really matter as much as one might think, since our cache +stepped in anyway and answered the questions before going back to the +network. However, this adds noise if RRs with very short TTLs are cached +– which some CDNs do – and is of course relavant when people turn off +the local cache.) 
+--- + src/resolve/resolved-dns-query.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c +index aa9d65d4a82..e4386c402ac 100644 +--- a/src/resolve/resolved-dns-query.c ++++ b/src/resolve/resolved-dns-query.c +@@ -1019,7 +1019,9 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) + q->question_utf8 = TAKE_PTR(nq_utf8); + + dns_query_unref_candidates(q); +- dns_query_reset_answer(q); ++ ++ /* Note that we do *not* reset the answer here, because the answer we previously got might already ++ * include everything we need, let's check that first */ + + q->state = DNS_TRANSACTION_NULL; + +@@ -1069,8 +1071,7 @@ int dns_query_process_cname(DnsQuery *q) { + if (r < 0) + return r; + +- /* Let's see if the answer can already answer the new +- * redirected question */ ++ /* Let's see if the answer can already answer the new redirected question */ + r = dns_query_process_cname(q); + if (r != DNS_QUERY_NOMATCH) + return r; diff --git a/systemd.spec b/systemd.spec index b0ec646..58ddd6c 100644 --- a/systemd.spec +++ b/systemd.spec @@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 248~rc2 -Release: 6%{?dist} +Release: 7%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -80,6 +80,9 @@ Patch0000: https://github.com/systemd/systemd/pull/18892.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1931034 Patch0001: https://github.com/systemd/systemd/pull/18915.patch +# https://github.com/systemd/systemd/pull/19009 +# Fixes more CNAME issues in stub resolver (#1933433) +Patch0002: 19009.patch # Downstream-only patches (5000–9999) # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 
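Review bot: With `dns_query_reset_answer(q)` removed from `dns_query_cname_redirect()` (PATCH 12/12, hunk at -1019), `q` keeps the previous answer while `q->state` is set back to `DNS_TRANSACTION_NULL` and the question has already been swapped, and the new comment does not say where the reset now happens. The commit message names `dns_query_go()` as that place; the code comment should too, for example `/* … the answer is reset by dns_query_go() if we end up restarting the query */`. It is worth confirming that whatever per-answer state the removed call used to clear (result code, DNSSEC/authenticated status, if it covered those) cannot be read for the redirected question before that reset. Both functions continue outside the hunks.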
@@ -958,6 +961,9 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Tue Mar 16 2021 Adam Williamson - 248~rc2-7 +- Backport PR #19009 to fix CNAME redirect resolving some more (#1933433) + * Fri Mar 12 2021 Adam Williamson - 248~rc2-6 - Disable resolved cache via config snippet (#1933433) From ea846d49e60d862994a82ef36f63f6f04688bdfa Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Tue, 16 Mar 2021 15:25:07 -0700 Subject: [PATCH 03/38] Helps to rename the patch in the spec too --- systemd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index 58ddd6c..4907e75 100644 --- a/systemd.spec +++ b/systemd.spec @@ -82,7 +82,7 @@ Patch0000: https://github.com/systemd/systemd/pull/18892.patch Patch0001: https://github.com/systemd/systemd/pull/18915.patch # https://github.com/systemd/systemd/pull/19009 # Fixes more CNAME issues in stub resolver (#1933433) -Patch0002: 19009.patch +Patch0002: 19009-rediff.patch # Downstream-only patches (5000–9999) # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 From 5a69ce9999024eba3b809fd2417e581f8c303b1d Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Tue, 16 Mar 2021 16:00:11 -0700 Subject: [PATCH 04/38] Drop the resolved cache disablement config snippet --- nocache.conf | 2 -- systemd.spec | 11 ++++------- 2 files changed, 4 insertions(+), 9 deletions(-) delete mode 100644 nocache.conf diff --git a/nocache.conf b/nocache.conf deleted file mode 100644 index 25d5429..0000000 --- a/nocache.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Resolve] -Cache=no diff --git a/systemd.spec b/systemd.spec index 4907e75..4196d1b 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 248~rc2 -Release: 7%{?dist} +Release: 8%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -64,9 +64,6 @@ Source22: sysusers.attr Source23: sysusers.prov Source24: sysusers.generate-pre.sh -# Disable resolved caching to workaround #1933433 -Source100: nocache.conf - %if 0 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip @@ -563,9 +560,6 @@ touch %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload/state # Install yum protection fragment install -Dm0644 %{SOURCE4} %{buildroot}/etc/dnf/protected.d/systemd.conf -# Install resolved cache disable fragment -install -Dm0644 -t %{buildroot}%{pkgdir}/resolved.conf.d %{SOURCE100} - install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE7} %{SOURCE8} # Restore systemd-user pam config from before "removal of Fedora-specific bits" @@ -961,6 +955,9 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Tue Mar 16 2021 Adam Williamson - 248~rc2-8 +- Drop the resolved cache disablement config snippet + * Tue Mar 16 2021 Adam Williamson - 248~rc2-7 - Backport PR #19009 to fix CNAME redirect resolving some more (#1933433) From 31f95873936f3485dd379411ed5539114c31c2b4 Mon Sep 17 00:00:00 2001 
From: Yu Watanabe Date: Thu, 18 Mar 2021 23:37:39 +0900 Subject: [PATCH 05/38] Version 248-rc2 --- ...consistency-checks-when-logind-is-no.patch | 169 ----- ...o-not-fail-if-the-fd_is_mount_point-.patch | 70 --- 0001-test-path-util-ignore-test-failure.patch | 33 - 18892.patch | 495 --------------- 18915.patch | 154 ----- 19009-rediff.patch | 593 ------------------ ...a94790eecfc808335b759355a4005d66f6e3.patch | 102 --- sources | 2 +- systemd.spec | 16 +- 9 files changed, 6 insertions(+), 1628 deletions(-) delete mode 100644 0001-test-login-skip-consistency-checks-when-logind-is-no.patch delete mode 100644 0001-test-path-util-do-not-fail-if-the-fd_is_mount_point-.patch delete mode 100644 0001-test-path-util-ignore-test-failure.patch delete mode 100644 18892.patch delete mode 100644 18915.patch delete mode 100644 19009-rediff.patch delete mode 100644 9cc6a94790eecfc808335b759355a4005d66f6e3.patch diff --git a/0001-test-login-skip-consistency-checks-when-logind-is-no.patch b/0001-test-login-skip-consistency-checks-when-logind-is-no.patch deleted file mode 100644 index aed3a27..0000000 --- a/0001-test-login-skip-consistency-checks-when-logind-is-no.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From aee1d734a5034d47005a339ec5b2b39583795039 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 16 Dec 2020 15:56:44 +0100 -Subject: [PATCH] test-login: skip consistency checks when logind is not active -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There are two ways in swich sd_login_* functions acquire data: -some are derived from the cgroup path, but others use the data serialized -by logind. - -When the tests are executed under Fedora's mock, without systemd-spawn -but instead in a traditional chroot, test-login gets confused: -the "outside" cgroup path is visible, so sd_pid_get_unit() and -sd_pid_get_session() work, but sd_session_is_active() and other functions -that need logind data fail. - -Such a buildroot setup is fairly bad, but it can be encountered in the wild, so -let's just skip the tests in that case. - -/* Information printed is from the live system */ -sd_pid_get_unit(0, …) → "session-237.scope" -sd_pid_get_user_unit(0, …) → "n/a" -sd_pid_get_slice(0, …) → "user-1000.slice" -sd_pid_get_session(0, …) → "237" -sd_pid_get_owner_uid(0, …) → 1000 -sd_pid_get_cgroup(0, …) → "/user.slice/user-1000.slice/session-237.scope" -sd_uid_get_display(1000, …) → "(null)" -sd_uid_get_sessions(1000, …) → [0] "" -sd_uid_get_seats(1000, …) → [0] "" -Assertion 'r >= 0' failed at src/libsystemd/sd-login/test-login.c:104, function test_login(). Aborting. 
---- - src/libsystemd/sd-login/test-login.c | 98 +++++++++++++++------------- - 1 file changed, 52 insertions(+), 46 deletions(-) - -diff --git a/src/libsystemd/sd-login/test-login.c b/src/libsystemd/sd-login/test-login.c -index 5b2ff93e1c..f762b8475b 100644 ---- a/src/libsystemd/sd-login/test-login.c -+++ b/src/libsystemd/sd-login/test-login.c -@@ -112,68 +112,74 @@ static void test_login(void) { - - if (session) { - r = sd_session_is_active(session); -- assert_se(r >= 0); -- log_info("sd_session_is_active(\"%s\") → %s", session, yes_no(r)); -+ if (r == -ENXIO) -+ log_notice("sd_session_is_active failed with ENXIO, it seems logind is not running."); -+ else { -+ /* All those tests will fail with ENXIO, so let's skip them. */ - -- r = sd_session_is_remote(session); -- assert_se(r >= 0); -- log_info("sd_session_is_remote(\"%s\") → %s", session, yes_no(r)); -+ assert_se(r >= 0); -+ log_info("sd_session_is_active(\"%s\") → %s", session, yes_no(r)); - -- r = sd_session_get_state(session, &state); -- assert_se(r == 0); -- log_info("sd_session_get_state(\"%s\") → \"%s\"", session, state); -+ r = sd_session_is_remote(session); -+ assert_se(r >= 0); -+ log_info("sd_session_is_remote(\"%s\") → %s", session, yes_no(r)); - -- assert_se(sd_session_get_uid(session, &u) >= 0); -- log_info("sd_session_get_uid(\"%s\") → "UID_FMT, session, u); -- assert_se(u == u2); -+ r = sd_session_get_state(session, &state); -+ assert_se(r == 0); -+ log_info("sd_session_get_state(\"%s\") → \"%s\"", session, state); - -- assert_se(sd_session_get_type(session, &type) >= 0); -- log_info("sd_session_get_type(\"%s\") → \"%s\"", session, type); -+ assert_se(sd_session_get_uid(session, &u) >= 0); -+ log_info("sd_session_get_uid(\"%s\") → "UID_FMT, session, u); -+ assert_se(u == u2); - -- assert_se(sd_session_get_class(session, &class) >= 0); -- log_info("sd_session_get_class(\"%s\") → \"%s\"", session, class); -+ assert_se(sd_session_get_type(session, &type) >= 0); -+ 
log_info("sd_session_get_type(\"%s\") → \"%s\"", session, type); - -- r = sd_session_get_display(session, &display); -- assert_se(IN_SET(r, 0, -ENODATA)); -- log_info("sd_session_get_display(\"%s\") → \"%s\"", session, strna(display)); -+ assert_se(sd_session_get_class(session, &class) >= 0); -+ log_info("sd_session_get_class(\"%s\") → \"%s\"", session, class); - -- r = sd_session_get_remote_user(session, &remote_user); -- assert_se(IN_SET(r, 0, -ENODATA)); -- log_info("sd_session_get_remote_user(\"%s\") → \"%s\"", -- session, strna(remote_user)); -+ r = sd_session_get_display(session, &display); -+ assert_se(IN_SET(r, 0, -ENODATA)); -+ log_info("sd_session_get_display(\"%s\") → \"%s\"", session, strna(display)); - -- r = sd_session_get_remote_host(session, &remote_host); -- assert_se(IN_SET(r, 0, -ENODATA)); -- log_info("sd_session_get_remote_host(\"%s\") → \"%s\"", -- session, strna(remote_host)); -+ r = sd_session_get_remote_user(session, &remote_user); -+ assert_se(IN_SET(r, 0, -ENODATA)); -+ log_info("sd_session_get_remote_user(\"%s\") → \"%s\"", -+ session, strna(remote_user)); - -- r = sd_session_get_seat(session, &seat); -- if (r >= 0) { -- assert_se(seat); -+ r = sd_session_get_remote_host(session, &remote_host); -+ assert_se(IN_SET(r, 0, -ENODATA)); -+ log_info("sd_session_get_remote_host(\"%s\") → \"%s\"", -+ session, strna(remote_host)); - -- log_info("sd_session_get_seat(\"%s\") → \"%s\"", session, seat); -+ r = sd_session_get_seat(session, &seat); -+ if (r >= 0) { -+ assert_se(seat); -+ -+ log_info("sd_session_get_seat(\"%s\") → \"%s\"", session, seat); - - #pragma GCC diagnostic push - #pragma GCC diagnostic ignored "-Wdeprecated-declarations" -- r = sd_seat_can_multi_session(seat); -+ r = sd_seat_can_multi_session(seat); - #pragma GCC diagnostic pop -- assert_se(r == 1); -- log_info("sd_session_can_multi_seat(\"%s\") → %s", seat, yes_no(r)); -+ assert_se(r == 1); -+ log_info("sd_session_can_multi_seat(\"%s\") → %s", seat, yes_no(r)); - -- r = 
sd_seat_can_tty(seat); -- assert_se(r >= 0); -- log_info("sd_session_can_tty(\"%s\") → %s", seat, yes_no(r)); -+ r = sd_seat_can_tty(seat); -+ assert_se(r >= 0); -+ log_info("sd_session_can_tty(\"%s\") → %s", seat, yes_no(r)); - -- r = sd_seat_can_graphical(seat); -- assert_se(r >= 0); -- log_info("sd_session_can_graphical(\"%s\") → %s", seat, yes_no(r)); -- } else { -- log_info_errno(r, "sd_session_get_seat(\"%s\"): %m", session); -- assert_se(r == -ENODATA); -+ r = sd_seat_can_graphical(seat); -+ assert_se(r >= 0); -+ log_info("sd_session_can_graphical(\"%s\") → %s", seat, yes_no(r)); -+ } else { -+ log_info_errno(r, "sd_session_get_seat(\"%s\"): %m", session); -+ assert_se(r == -ENODATA); -+ } -+ -+ assert_se(sd_uid_get_state(u, &state2) == 0); -+ log_info("sd_uid_get_state("UID_FMT", …) → %s", u, state2); - } -- -- assert_se(sd_uid_get_state(u, &state2) == 0); -- log_info("sd_uid_get_state("UID_FMT", …) → %s", u, state2); - } - - if (seat) { -@@ -214,7 +220,7 @@ static void test_login(void) { - assert_se(sd_get_seats(NULL) == r); - - r = sd_seat_get_active(NULL, &t, NULL); -- assert_se(IN_SET(r, 0, -ENODATA)); -+ assert_se(IN_SET(r, 0, -ENODATA, -ENXIO)); - log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s / \"%s\"", e(r), strnull(t)); - free(t); - diff --git a/0001-test-path-util-do-not-fail-if-the-fd_is_mount_point-.patch b/0001-test-path-util-do-not-fail-if-the-fd_is_mount_point-.patch deleted file mode 100644 index 932cd5a..0000000 --- a/0001-test-path-util-do-not-fail-if-the-fd_is_mount_point-.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 2e9d763e7cbeb33954bbe3f96fd94de2cd62edf7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 12 Nov 2020 14:28:24 +0100 -Subject: [PATCH] test-path-util: do not fail if the fd_is_mount_point check - fails - -This test fails on i686 and ppc64le in koji: -/* test_path */ -Assertion 'fd_is_mount_point(fd, "/", 0) > 0' failed at src/test/test-path-util.c:85, function test_path(). Aborting. - -I guess some permission error is the most likely. ---- - src/test/test-path-util.c | 23 +++++++++++++++++------ - 1 file changed, 17 insertions(+), 6 deletions(-) - -diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c -index f4f8d0550b..be428334f3 100644 ---- a/src/test/test-path-util.c -+++ b/src/test/test-path-util.c -@@ -40,8 +40,6 @@ static void test_path_simplify(const char *in, const char *out, const char *out_ - } - - static void test_path(void) { -- _cleanup_close_ int fd = -1; -- - log_info("/* %s */", __func__); - - test_path_compare("/goo", "/goo", 0); -@@ -80,10 +78,6 @@ static void test_path(void) { - assert_se(streq(basename("/aa///file..."), "file...")); - assert_se(streq(basename("file.../"), "")); - -- fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY); -- assert_se(fd >= 0); -- assert_se(fd_is_mount_point(fd, "/", 0) > 0); -- - test_path_simplify("aaa/bbb////ccc", "aaa/bbb/ccc", "aaa/bbb/ccc"); - test_path_simplify("//aaa/.////ccc", "/aaa/./ccc", "/aaa/ccc"); - test_path_simplify("///", "/", "/"); -@@ -120,6 +114,22 @@ static void test_path(void) { - assert_se(!path_equal_ptr(NULL, "/a")); - } - -+static void test_path_is_mountpoint(void) { -+ _cleanup_close_ int fd = -1; -+ int r; -+ -+ log_info("/* %s */", __func__); -+ -+ fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY); -+ assert_se(fd >= 0); -+ -+ r = fd_is_mount_point(fd, "/", 0); -+ if (r < 0) -+ log_warning_errno(r, "Failed to check if / is a mount point, ignoring: %m"); -+ else -+ assert_se(r == 1); -+} -+ - static 
void test_path_equal_root(void) { - /* Nail down the details of how path_equal("/", ...) works. */ - -@@ -714,6 +724,7 @@ int main(int argc, char **argv) { - - test_print_paths(); - test_path(); -+ test_path_is_mountpoint(); - test_path_equal_root(); - test_find_executable_full(); - test_find_executable(argv[0]); diff --git a/0001-test-path-util-ignore-test-failure.patch b/0001-test-path-util-ignore-test-failure.patch deleted file mode 100644 index 86c410c..0000000 --- a/0001-test-path-util-ignore-test-failure.patch +++ /dev/null @@ -1,33 +0,0 @@ -From e8bca4ba55f855260eda684a16e8feb5f20b1deb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 12 Nov 2020 15:06:12 +0100 -Subject: [PATCH] test-path-util: ignore test failure - ---- - src/test/test-path-util.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c -index be428334f3..207c659b8b 100644 ---- a/src/test/test-path-util.c -+++ b/src/test/test-path-util.c -@@ -120,14 +120,17 @@ static void test_path_is_mountpoint(void) { - - log_info("/* %s */", __func__); - -+ (void) system("uname -a"); -+ (void) system("mountpoint /"); -+ - fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY); - assert_se(fd >= 0); - - r = fd_is_mount_point(fd, "/", 0); - if (r < 0) - log_warning_errno(r, "Failed to check if / is a mount point, ignoring: %m"); -- else -- assert_se(r == 1); -+ else if (r == 0) -+ log_warning("/ is not a mountpoint?"); - } - - static void test_path_equal_root(void) { diff --git a/18892.patch b/18892.patch deleted file mode 100644 index 675aaf1..0000000 --- a/18892.patch +++ /dev/null 
@@ -1,495 +0,0 @@ -From e0ae456a554d0fce250f9a009c561b97f20c41f8 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 17:47:45 +0100 -Subject: [PATCH 1/6] dns-query: export CNAME_MAX, so that we can use it in - other files, too -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Let's rename it a bit, to be more explanatory while exporting it. - -(And let's bump the CNAME limit to 16 — 8 just sounded so little) ---- - src/resolve/resolved-dns-query.c | 3 +-- - src/resolve/resolved-dns-query.h | 2 ++ - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c -index 7554d1e82f4..aa9d65d4a82 100644 ---- a/src/resolve/resolved-dns-query.c -+++ b/src/resolve/resolved-dns-query.c -@@ -10,7 +10,6 @@ - #include "resolved-etc-hosts.h" - #include "string-util.h" - --#define CNAME_MAX 8 - #define QUERIES_MAX 2048 - #define AUXILIARY_QUERIES_MAX 64 - -@@ -977,7 +976,7 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) - assert(q); - - q->n_cname_redirects++; -- if (q->n_cname_redirects > CNAME_MAX) -+ if (q->n_cname_redirects > CNAME_REDIRECT_MAX) - return -ELOOP; - - r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna); -diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h -index ea296167b61..5d12171b0a1 100644 ---- a/src/resolve/resolved-dns-query.h -+++ b/src/resolve/resolved-dns-query.h -@@ -145,3 +145,5 @@ static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) { - dns_query_fully_confidential(q)) | - (q->answer_query_flags & (SD_RESOLVED_FROM_MASK|SD_RESOLVED_SYNTHETIC)); - } -+ -+#define CNAME_REDIRECT_MAX 16 - -From d29958261a3df80f5cf0e98b1cd307790a92b13b Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 17:48:43 +0100 -Subject: [PATCH 2/6] resolved: tighten checks in - dns_resource_record_get_cname_target() - -Let's refuse 
to consider CNAME/DNAME replies matching for RR types where -that is not really conceptually allow (i.e. on CNAME/DNAME lookups -themselves). - -(And add a similar check to dns_resource_key_match_cname_or_dname() too, -which implements a smilar match) ---- - src/resolve/resolved-dns-rr.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c -index 823117e5c92..7e76e0c6cc0 100644 ---- a/src/resolve/resolved-dns-rr.c -+++ b/src/resolve/resolved-dns-rr.c -@@ -244,6 +244,9 @@ int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsRe - if (cname->class != key->class && key->class != DNS_CLASS_ANY) - return 0; - -+ if (!dns_type_may_redirect(key->type)) -+ return 0; -+ - if (cname->type == DNS_TYPE_CNAME) - r = dns_name_equal(dns_resource_key_name(key), dns_resource_key_name(cname)); - else if (cname->type == DNS_TYPE_DNAME) -@@ -1743,9 +1746,16 @@ int dns_resource_record_get_cname_target(DnsResourceKey *key, DnsResourceRecord - assert(key); - assert(cname); - -+ /* Checks if the RR `cname` is a CNAME/DNAME RR that matches the specified `key`. If so, returns the -+ * target domain. If not, returns -EUNATCH */ -+ - if (key->class != cname->key->class && key->class != DNS_CLASS_ANY) - return -EUNATCH; - -+ if (!dns_type_may_redirect(key->type)) /* This key type is not subject to CNAME/DNAME redirection? -+ * Then let's refuse right-away */ -+ return -EUNATCH; -+ - if (cname->key->type == DNS_TYPE_CNAME) { - r = dns_name_equal(dns_resource_key_name(key), - dns_resource_key_name(cname->key)); - -From 4838dc4f2be1d29da9ce9a930c48717a4491d70e Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 17:53:31 +0100 -Subject: [PATCH 3/6] resolved: handle multiple CNAME redirects in a single - reply from upstream - -www.netflix.com responds with a chain of CNAMEs in the same packet. 
-Let's handle that properly (so far we only followed CNAMEs a single step -when in the same packet) - -Fixes: #18819 ---- - src/resolve/resolved-dns-stub.c | 105 +++++++++++++++++--------------- - 1 file changed, 57 insertions(+), 48 deletions(-) - -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index c2734e57b9b..c3a28d390a4 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -162,79 +162,88 @@ static int dns_stub_collect_answer_by_question( - bool with_rrsig) { /* Add RRSIG RR matching each RR */ - - _cleanup_(dns_resource_key_unrefp) DnsResourceKey *redirected_key = NULL; -+ unsigned n_cname_redirects = 0; - DnsAnswerItem *item; - int r; - - assert(reply); - -- /* Copies all RRs from 'answer' into 'reply', if they match 'question'. */ -+ /* Copies all RRs from 'answer' into 'reply', if they match 'question'. There might be direct and -+ * indirect matches (i.e. via CNAME/DNAME). If they have an indirect one, remember where we need to -+ * go, and restart the loop */ -+ -+ for (;;) { -+ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *next_redirected_key = NULL; -+ -+ DNS_ANSWER_FOREACH_ITEM(item, answer) { -+ DnsResourceKey *k = NULL; -+ -+ if (redirected_key) { -+ /* There was a redirect in this packet, let's collect all matching RRs for the redirect */ -+ r = dns_resource_key_match_rr(redirected_key, item->rr, NULL); -+ if (r < 0) -+ return r; -+ -+ k = redirected_key; -+ } else if (question) { -+ /* We have a question, let's see if this RR matches it */ -+ r = dns_question_matches_rr(question, item->rr, NULL); -+ if (r < 0) -+ return r; -+ -+ k = question->keys[0]; -+ } else -+ r = 1; /* No question, everything matches */ - -- DNS_ANSWER_FOREACH_ITEM(item, answer) { -- if (question) { -- r = dns_question_matches_rr(question, item->rr, NULL); -- if (r < 0) -- return r; - if (r == 0) { - _cleanup_free_ char *target = NULL; - - /* OK, so the RR doesn't directly match. 
Let's see if the RR is a matching - * CNAME or DNAME */ - -- r = dns_resource_record_get_cname_target( -- question->keys[0], -- item->rr, -- &target); -+ assert(k); -+ -+ r = dns_resource_record_get_cname_target(k, item->rr, &target); - if (r == -EUNATCH) - continue; /* Not a CNAME/DNAME or doesn't match */ - if (r < 0) - return r; - -- dns_resource_key_unref(redirected_key); -+ /* Oh, wow, this is a redirect. Let's remember where this points, and store -+ * it in 'next_redirected_key'. Once we finished iterating through the rest -+ * of the RR's we'll start again, with the redirected RR key. */ -+ -+ n_cname_redirects++; -+ if (n_cname_redirects > CNAME_REDIRECT_MAX) /* don't loop forever */ -+ return -ELOOP; -+ -+ dns_resource_key_unref(next_redirected_key); - - /* There can only be one CNAME per name, hence no point in storing more than one here */ -- redirected_key = dns_resource_key_new(question->keys[0]->class, question->keys[0]->type, target); -- if (!redirected_key) -+ next_redirected_key = dns_resource_key_new(k->class, k->type, target); -+ if (!next_redirected_key) - return -ENOMEM; - } -- } - -- /* Mask the section info, we want the primary answers to always go without section info, so -- * that it is added to the answer section when we synthesize a reply. */ -+ /* Mask the section info, we want the primary answers to always go without section info, so -+ * that it is added to the answer section when we synthesize a reply. */ - -- r = reply_add_with_rrsig( -- reply, -- item->rr, -- item->ifindex, -- item->flags & ~DNS_ANSWER_MASK_SECTIONS, -- item->rrsig, -- with_rrsig); -- if (r < 0) -- return r; -- } -- -- if (!redirected_key) -- return 0; -- -- /* This is a CNAME/DNAME answer. 
In this case also append where the redirections point to to the main -- * answer section */ -- -- DNS_ANSWER_FOREACH_ITEM(item, answer) { -+ r = reply_add_with_rrsig( -+ reply, -+ item->rr, -+ item->ifindex, -+ item->flags & ~DNS_ANSWER_MASK_SECTIONS, -+ item->rrsig, -+ with_rrsig); -+ if (r < 0) -+ return r; -+ } - -- r = dns_resource_key_match_rr(redirected_key, item->rr, NULL); -- if (r < 0) -- return r; -- if (r == 0) -- continue; -+ if (!next_redirected_key) -+ break; - -- r = reply_add_with_rrsig( -- reply, -- item->rr, -- item->ifindex, -- item->flags & ~DNS_ANSWER_MASK_SECTIONS, -- item->rrsig, -- with_rrsig); -- if (r < 0) -- return r; -+ dns_resource_key_unref(redirected_key); -+ redirected_key = TAKE_PTR(next_redirected_key); - } - - return 0; - -From 39005e187095062718621880e5d8ad707ac8fe8f Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 18:01:27 +0100 -Subject: [PATCH 4/6] resolved: split out helper that checks whether we shall - reply with EDNS0 DO - -Just some refactoring, no actual code changes. ---- - src/resolve/resolved-dns-stub.c | 22 ++++++++++++++-------- - 1 file changed, 14 insertions(+), 8 deletions(-) - -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index c3a28d390a4..b4df5837aad 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -561,6 +561,19 @@ static int dns_stub_send( - return 0; - } - -+static int dns_stub_reply_with_edns0_do(DnsQuery *q) { -+ assert(q); -+ -+ /* Reply with DNSSEC DO set? 
Only if client supports it; and we did any DNSSEC verification -+ * ourselves, or consider the data fully authenticated because we generated it locally, or the client -+ * set cd */ -+ -+ return DNS_PACKET_DO(q->request_packet) && -+ (q->answer_dnssec_result >= 0 || /* we did proper DNSSEC validation … */ -+ dns_query_fully_authenticated(q) || /* … or we considered it authentic otherwise … */ -+ DNS_PACKET_CD(q->request_packet)); /* … or client set CD */ -+} -+ - static int dns_stub_send_reply( - DnsQuery *q, - int rcode) { -@@ -571,14 +584,7 @@ static int dns_stub_send_reply( - - assert(q); - -- /* Reply with DNSSEC DO set? Only if client supports it; and we did any DNSSEC verification -- * ourselves, or consider the data fully authenticated because we generated it locally, or -- * the client set cd */ -- edns0_do = -- DNS_PACKET_DO(q->request_packet) && -- (q->answer_dnssec_result >= 0 || /* we did proper DNSSEC validation … */ -- dns_query_fully_authenticated(q) || /* … or we considered it authentic otherwise … */ -- DNS_PACKET_CD(q->request_packet)); /* … or client set CD */ -+ edns0_do = dns_stub_reply_with_edns0_do(q); /* let's check if we shall reply with EDNS0 DO? */ - - r = dns_stub_assign_sections( - q, - -From b97fc57178932689bdcb9030e1e2bf299d49ce0b Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 16:50:04 +0100 -Subject: [PATCH 5/6] resolved: fully follow CNAMEs in the DNS stub after all - -In 2f4d8e577ca7bc51fb054b8c2c8dd57c2e188a41 I argued that following -CNAMEs in the stub is not necessary anymore. However, I think it' better -to revert to the status quo ante and follow it after all, given it is -easy for us and makes sure our D-Bus/varlink replies are more similar to -our DNS stub replies that way, and we save clients potential roundtrips. - -Hence, whenever we hit a CNAME/DNAME redirect, let's restart the query -like we do for the D-Bus/Varlink case, and collect replies as we go. 
---- - src/resolve/resolved-dns-stub.c | 38 +++++++++++++++++++++++---------- - 1 file changed, 27 insertions(+), 11 deletions(-) - -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index b4df5837aad..85c4eda469c 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -586,13 +586,6 @@ static int dns_stub_send_reply( - - edns0_do = dns_stub_reply_with_edns0_do(q); /* let's check if we shall reply with EDNS0 DO? */ - -- r = dns_stub_assign_sections( -- q, -- q->request_packet->question, -- edns0_do); -- if (r < 0) -- return log_debug_errno(r, "Failed to assign sections: %m"); -- - r = dns_stub_make_reply_packet( - &reply, - DNS_PACKET_PAYLOAD_SIZE_MAX(q->request_packet), -@@ -743,13 +736,37 @@ static void dns_stub_query_complete(DnsQuery *q) { - } - } - -- /* Note that we don't bother with following CNAMEs here. We propagate the authoritative/additional -- * sections from the upstream answer however, hence if the upstream server collected that information -- * already we don't have to collect it ourselves anymore. */ -+ /* Take all data from the current reply, and merge it into the three reply sections we are building -+ * up. We do this before processing CNAME redirects, so that we gradually build up our sections, and -+ * and keep adding all RRs in the CNAME chain. 
*/ -+ r = dns_stub_assign_sections( -+ q, -+ q->request_packet->question, -+ dns_stub_reply_with_edns0_do(q)); -+ if (r < 0) { -+ log_debug_errno(r, "Failed to assign sections: %m"); -+ dns_query_free(q); -+ return; -+ } - - switch (q->state) { - - case DNS_TRANSACTION_SUCCESS: -+ r = dns_query_process_cname(q); -+ if (r == -ELOOP) { /* CNAME loop, let's send what we already have */ -+ log_debug_errno(r, "Detected CNAME loop, returning what we already have."); -+ (void) dns_stub_send_reply(q, q->answer_rcode); -+ break; -+ } -+ if (r < 0) { -+ log_debug_errno(r, "Failed to process CNAME: %m"); -+ break; -+ } -+ if (r == DNS_QUERY_RESTARTED) -+ return; -+ -+ _fallthrough_; -+ - case DNS_TRANSACTION_RCODE_FAILURE: - (void) dns_stub_send_reply(q, q->answer_rcode); - break; -@@ -888,7 +905,6 @@ static void dns_stub_process_query(Manager *m, DnsStubListenerExtra *l, DnsStrea - r = dns_query_new(m, &q, p->question, p->question, NULL, 0, - SD_RESOLVED_PROTOCOLS_ALL| - SD_RESOLVED_NO_SEARCH| -- SD_RESOLVED_NO_CNAME| - (DNS_PACKET_DO(p) ? SD_RESOLVED_REQUIRE_PRIMARY : 0)| - SD_RESOLVED_CLAMP_TTL); - if (r < 0) { - -From 5d7da51ee1d27e86a0487a4b2abc3cfb0ed44c23 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Mar 2021 18:20:59 +0100 -Subject: [PATCH 6/6] resolved: when synthesizing stub replies from multiple - upstream packet, let's avoid RR duplicates - -If we synthesize a stub reply from multiple upstream packet (i.e. a -series of CNAME/DNAME redirects), it might happen that we add the same -RR to a different reply section at a different CNAME/DNAME redirect -chain element. Let's clean this up once we are about to send the reply -message to the client: let's remove sections from "lower-priority" -sections when they are already listed in a "higher-priority" section. 
---- - src/resolve/resolved-dns-answer.c | 25 +++++++++++++++++++++++++ - src/resolve/resolved-dns-answer.h | 1 + - src/resolve/resolved-dns-stub.c | 20 ++++++++++++++++++++ - 3 files changed, 46 insertions(+) - -diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c -index ce3cbce308d..a667ab5ede4 100644 ---- a/src/resolve/resolved-dns-answer.c -+++ b/src/resolve/resolved-dns-answer.c -@@ -640,6 +640,31 @@ int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rm) { - return 1; - } - -+int dns_answer_remove_by_answer_keys(DnsAnswer **a, DnsAnswer *b) { -+ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *prev = NULL; -+ DnsAnswerItem *item; -+ int r; -+ -+ /* Removes all items from '*a' that have a matching key in 'b' */ -+ -+ DNS_ANSWER_FOREACH_ITEM(item, b) { -+ -+ if (prev && dns_resource_key_equal(item->rr->key, prev)) /* Skip this one, we already looked at it */ -+ continue; -+ -+ r = dns_answer_remove_by_key(a, item->rr->key); -+ if (r < 0) -+ return r; -+ -+ /* Let's remember this entry's RR key, to optimize the loop a bit: if we have an RRset with -+ * more than one item then we don't need to remove the key multiple times */ -+ dns_resource_key_unref(prev); -+ prev = dns_resource_key_ref(item->rr->key); -+ } -+ -+ return 0; -+} -+ - int dns_answer_copy_by_key( - DnsAnswer **a, - DnsAnswer *source, -diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h -index c2fd0c078f4..7d19eee4e2b 100644 ---- a/src/resolve/resolved-dns-answer.h -+++ b/src/resolve/resolved-dns-answer.h -@@ -68,6 +68,7 @@ int dns_answer_reserve_or_clone(DnsAnswer **a, size_t n_free); - - int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key); - int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rr); -+int dns_answer_remove_by_answer_keys(DnsAnswer **a, DnsAnswer *b); - - int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags, DnsResourceRecord 
*rrsig); - int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags, DnsResourceRecord *rrsig); -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index 85c4eda469c..8e781dd7389 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -574,6 +574,24 @@ static int dns_stub_reply_with_edns0_do(DnsQuery *q) { - DNS_PACKET_CD(q->request_packet)); /* … or client set CD */ - } - -+static void dns_stub_suppress_duplicate_section_rrs(DnsQuery *q) { -+ /* If we follow a CNAME/DNAME chain we might end up populating our sections with redundant RRs -+ * because we built up the sections from multiple reply packets (one from each CNAME/DNAME chain -+ * element). E.g. it could be that an RR that was included in the first reply's additional section -+ * ends up being relevant as main answer in a subsequent reply in the chain. Let's clean this up, and -+ * remove everything in the "higher priority" sections from the "lower priority" sections. -+ * -+ * Note that this removal matches by RR keys instead of the full RRs. This is because RRsets should -+ * always end up in one section fully or not at all, but never be split among sections. -+ * -+ * Specifically: we remove ANSWER section RRs from the AUTHORITATIVE and ADDITIONAL sections, as well -+ * as AUTHORITATIVE section RRs from the ADDITIONAL section. */ -+ -+ dns_answer_remove_by_answer_keys(&q->reply_authoritative, q->reply_answer); -+ dns_answer_remove_by_answer_keys(&q->reply_additional, q->reply_answer); -+ dns_answer_remove_by_answer_keys(&q->reply_additional, q->reply_authoritative); -+} -+ - static int dns_stub_send_reply( - DnsQuery *q, - int rcode) { -@@ -594,6 +612,8 @@ static int dns_stub_send_reply( - if (r < 0) - return log_debug_errno(r, "Failed to build reply packet: %m"); - -+ dns_stub_suppress_duplicate_section_rrs(q); -+ - r = dns_stub_add_reply_packet_body( - reply, - q->reply_answer, 
diff --git a/18915.patch b/18915.patch
deleted file mode 100644
index 534b5bf..0000000
--- a/18915.patch
+++ /dev/null
@@ -1,154 +0,0 @@ -From 8b0f54c9290564e8c27c9c8ac464cdcc2c659ad5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sat, 6 Mar 2021 19:06:08 +0100 -Subject: [PATCH 1/3] pid1: return varlink error on the right connection - ---- - src/core/core-varlink.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/core/core-varlink.c b/src/core/core-varlink.c -index d695106658b..b3df8cd893c 100644 ---- a/src/core/core-varlink.c -+++ b/src/core/core-varlink.c -@@ -142,7 +142,7 @@ static int vl_method_subscribe_managed_oom_cgroups( - /* We only take one subscriber for this method so return an error if there's already an existing one. - * This shouldn't happen since systemd-oomd is the only client of this method. */ - if (FLAGS_SET(flags, VARLINK_METHOD_MORE) && m->managed_oom_varlink_request) -- return varlink_error(m->managed_oom_varlink_request, VARLINK_ERROR_SUBSCRIPTION_TAKEN, NULL); -+ return varlink_error(link, VARLINK_ERROR_SUBSCRIPTION_TAKEN, NULL); - - r = json_build(&arr, JSON_BUILD_EMPTY_ARRAY); - if (r < 0) -@@ -188,6 +188,7 @@ static int vl_method_subscribe_managed_oom_cgroups( - if (!FLAGS_SET(flags, VARLINK_METHOD_MORE)) - return varlink_reply(link, v); - -+ assert(!m->managed_oom_varlink_request); - m->managed_oom_varlink_request = varlink_ref(link); - return varlink_notify(m->managed_oom_varlink_request, v); - } -@@ -475,8 +476,7 @@ void manager_varlink_done(Manager *m) { - assert(m); - - /* Send the final message if we still have a subscribe request open. 
*/ -- if (m->managed_oom_varlink_request) -- m->managed_oom_varlink_request = varlink_close_unref(m->managed_oom_varlink_request); -+ m->managed_oom_varlink_request = varlink_close_unref(m->managed_oom_varlink_request); - - m->varlink_server = varlink_server_unref(m->varlink_server); - } - -From 39ad3f1c092b5dffcbb4b1d12eb9ca407f010a3c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sun, 7 Mar 2021 16:42:35 +0100 -Subject: [PATCH 2/3] varlink: avoid using dangling ref in - varlink_close_unref() - -Fixes #18025, https://bugzilla.redhat.com/show_bug.cgi?id=1931034. - -We drop the reference stored in Manager.managed_oom_varlink_request in two code paths: -vl_disconnect() which is installed as a disconnect callback, and in manager_varlink_done(). -But we also make a disconnect from manager_varlink_done(). So we end up with the following -call stack: - -(gdb) bt - 0 vl_disconnect (s=0x112c7b0, link=0xea0070, userdata=0xe9bcc0) at ../src/core/core-varlink.c:414 - 1 0x00007f1366e9d5ac in varlink_detach_server (v=0xea0070) at ../src/shared/varlink.c:1210 - 2 0x00007f1366e9d664 in varlink_close (v=0xea0070) at ../src/shared/varlink.c:1228 - 3 0x00007f1366e9d6b5 in varlink_close_unref (v=0xea0070) at ../src/shared/varlink.c:1240 - 4 0x0000000000524629 in manager_varlink_done (m=0xe9bcc0) at ../src/core/core-varlink.c:479 - 5 0x000000000048ef7b in manager_free (m=0xe9bcc0) at ../src/core/manager.c:1357 - 6 0x000000000042602c in main (argc=5, argv=0x7fff439c43d8) at ../src/core/main.c:2909 - -When we enter vl_disconnect(), m->managed_oom_varlink_request.n_ref==1. -When we exit from vl_discconect(), m->managed_oom_varlink_request==NULL. But -varlink_close_unref() has a copy of the pointer in *v. When we continue executing -varlink_close_unref(), this pointer is dangling, and the call to varlink_unref() -is done with an invalid pointer. 
---- - src/shared/varlink.c | 33 +++++++++++++++++++++++++-------- - 1 file changed, 25 insertions(+), 8 deletions(-) - -diff --git a/src/shared/varlink.c b/src/shared/varlink.c -index 31128e02e06..6ed72075ba5 100644 ---- a/src/shared/varlink.c -+++ b/src/shared/varlink.c -@@ -1206,8 +1206,9 @@ int varlink_close(Varlink *v) { - - varlink_set_state(v, VARLINK_DISCONNECTED); - -- /* Let's take a reference first, since varlink_detach_server() might drop the final (dangling) ref -- * which would destroy us before we can call varlink_clear() */ -+ /* Let's take a reference first, since varlink_detach_server() might drop the final ref from the -+ * disconnect callback, which would invalidate the pointer we are holding before we can call -+ * varlink_clear(). */ - varlink_ref(v); - varlink_detach_server(v); - varlink_clear(v); -@@ -1220,17 +1221,33 @@ Varlink* varlink_close_unref(Varlink *v) { - if (!v) - return NULL; - -- (void) varlink_close(v); -+ /* A reference is given to us to be destroyed. But when calling varlink_close(), a callback might -+ * also drop a reference. We allow this, and will hold a temporary reference to the object to make -+ * sure that the object still exists when control returns to us. If there's just one reference -+ * remaining after varlink_close(), even though there were at least two right before, we'll handle -+ * that gracefully instead of crashing. -+ * -+ * In other words, this call drops the donated reference, but if the internal call to varlink_close() -+ * dropped a reference to, we don't drop the reference afain. This allows the caller to say: -+ * global_object->varlink = varlink_close_unref(global_object->varlink); -+ * even though there is some callback which has access to global_object and may drop the reference -+ * stored in global_object->varlink. 
Without this step, the same code would have to be written as: -+ * Varlink *t = TAKE_PTR(global_object->varlink); -+ * varlink_close_unref(t); -+ */ -+ /* n_ref >= 1 */ -+ varlink_ref(v); /* n_ref >= 2 */ -+ varlink_close(v); /* n_ref >= 1 */ -+ if (v->n_ref > 1) -+ v->n_ref--; /* n_ref >= 1 */ - return varlink_unref(v); - } - - Varlink* varlink_flush_close_unref(Varlink *v) { -- if (!v) -- return NULL; -+ if (v) -+ varlink_flush(v); - -- (void) varlink_flush(v); -- (void) varlink_close(v); -- return varlink_unref(v); -+ return varlink_close_unref(v); - } - - static int varlink_enqueue_json(Varlink *v, JsonVariant *m) { - -From a19c1a4baaa1dadc80885e3ad41f19a6c6c450fd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 8 Mar 2021 09:21:25 +0100 -Subject: [PATCH 3/3] oomd: "downgrade" level of message - -PID1 already logs about the service being started, so this line isn't necessary -in normal use. Also, by the time it is emitted, the service has already -signalled readiness, so let's not say "starting" but "started". ---- - src/oom/oomd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/oom/oomd.c b/src/oom/oomd.c -index 674d53fdcfe..6e2a5889d1e 100644 ---- a/src/oom/oomd.c -+++ b/src/oom/oomd.c -@@ -170,7 +170,7 @@ static int run(int argc, char *argv[]) { - - notify_msg = notify_start(NOTIFY_READY, NOTIFY_STOPPING); - -- log_info("systemd-oomd starting%s!", arg_dry_run ? " in dry run mode" : ""); -+ log_debug("systemd-oomd started%s.", arg_dry_run ? " in dry run mode" : ""); - - r = sd_event_loop(m->event); - if (r < 0) diff --git a/19009-rediff.patch b/19009-rediff.patch deleted file mode 100644 index e816f84..0000000 --- a/19009-rediff.patch +++ /dev/null 
@@ -1,593 +0,0 @@ -From 1499a0a99a0765b4b1b56f56d6712324e740911f Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 20:47:28 +0100 -Subject: [PATCH 01/12] resolved: add new helper dns_answer_min_ttl() - ---- - src/resolve/resolved-dns-answer.c | 19 +++++++++++++++++++ - src/resolve/resolved-dns-answer.h | 2 ++ - 2 files changed, 21 insertions(+) - -diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c -index a667ab5ede4..5fbff81c255 100644 ---- a/src/resolve/resolved-dns-answer.c -+++ b/src/resolve/resolved-dns-answer.c -@@ -963,3 +963,22 @@ void dns_answer_randomize(DnsAnswer *a) { - SWAP_TWO(a->items[i], a->items[k]); - } - } -+ -+uint32_t dns_answer_min_ttl(DnsAnswer *a) { -+ uint32_t ttl = UINT32_MAX; -+ DnsResourceRecord *rr; -+ -+ /* Return the smallest TTL of all RRs in this answer */ -+ -+ DNS_ANSWER_FOREACH(rr, a) { -+ /* Don't consider OPT (where the TTL field is used for other purposes than an actual TTL) */ -+ -+ if (dns_type_is_pseudo(rr->key->type) || -+ dns_class_is_pseudo(rr->key->class)) -+ continue; -+ -+ ttl = MIN(ttl, rr->ttl); -+ } -+ -+ return ttl; -+} -diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h -index 7d19eee4e2b..447da5d6cc3 100644 ---- a/src/resolve/resolved-dns-answer.h -+++ b/src/resolve/resolved-dns-answer.h -@@ -87,6 +87,8 @@ void dns_answer_dump(DnsAnswer *answer, FILE *f); - - void dns_answer_randomize(DnsAnswer *a); - -+uint32_t dns_answer_min_ttl(DnsAnswer *a); -+ - DEFINE_TRIVIAL_CLEANUP_FUNC(DnsAnswer*, dns_answer_unref); - - #define _DNS_ANSWER_FOREACH(q, kk, a) \ - -From 3b7006cb44dd2860cb1b2e652e318d196dddf312 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 20:47:53 +0100 -Subject: [PATCH 02/12] resolved: rebreak a few comments - ---- - src/resolve/resolved-dns-cache.c | 19 +++++++------------ - 1 file changed, 7 insertions(+), 12 deletions(-) - -diff --git a/src/resolve/resolved-dns-cache.c 
b/src/resolve/resolved-dns-cache.c -index 0bf320df880..23612a5c353 100644 ---- a/src/resolve/resolved-dns-cache.c -+++ b/src/resolve/resolved-dns-cache.c -@@ -320,11 +320,9 @@ static usec_t calculate_until(DnsResourceRecord *rr, uint32_t nsec_ttl, usec_t t - - ttl = MIN(rr->ttl, nsec_ttl); - if (rr->key->type == DNS_TYPE_SOA && use_soa_minimum) { -- /* If this is a SOA RR, and it is requested, clamp to -- * the SOA's minimum field. This is used when we do -- * negative caching, to determine the TTL for the -- * negative caching entry. See RFC 2308, Section -- * 5. */ -+ /* If this is a SOA RR, and it is requested, clamp to the SOA's minimum field. This is used -+ * when we do negative caching, to determine the TTL for the negative caching entry. See RFC -+ * 2308, Section 5. */ - - if (ttl > rr->soa.minimum) - ttl = rr->soa.minimum; -@@ -337,8 +335,7 @@ static usec_t calculate_until(DnsResourceRecord *rr, uint32_t nsec_ttl, usec_t t - if (rr->expiry != USEC_INFINITY) { - usec_t left; - -- /* Make use of the DNSSEC RRSIG expiry info, if we -- * have it */ -+ /* Make use of the DNSSEC RRSIG expiry info, if we have it */ - - left = LESS_BY(rr->expiry, now(CLOCK_REALTIME)); - if (u > left) -@@ -785,9 +782,8 @@ int dns_cache_put( - if (r > 0) - return 0; - -- /* But not if it has a matching CNAME/DNAME (the negative -- * caching will be done on the canonical name, not on the -- * alias) */ -+ /* But not if it has a matching CNAME/DNAME (the negative caching will be done on the canonical name, -+ * not on the alias) */ - r = dns_answer_find_cname_or_dname(answer, key, NULL, NULL); - if (r < 0) - goto fail; -@@ -803,8 +799,7 @@ int dns_cache_put( - if (r == 0 && !weird_rcode) - return 0; - if (r > 0) { -- /* Refuse using the SOA data if it is unsigned, but the key is -- * signed */ -+ /* Refuse using the SOA data if it is unsigned, but the key is signed */ - if (FLAGS_SET(query_flags, SD_RESOLVED_AUTHENTICATED) && - (flags & DNS_ANSWER_AUTHENTICATED) == 0) - return 0; - 
-From 77db3caee36d0241bf2153f56579a9fb952962f1 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 20:48:18 +0100 -Subject: [PATCH 03/12] resolved: use dns_answer_isempty() where appropriate - ---- - src/resolve/resolved-dns-cache.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c -index 23612a5c353..8edbd5fee94 100644 ---- a/src/resolve/resolved-dns-cache.c -+++ b/src/resolve/resolved-dns-cache.c -@@ -693,7 +693,7 @@ int dns_cache_put( - * short time.) */ - - if (IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN)) { -- if (dns_answer_size(answer) <= 0) { -+ if (dns_answer_isempty(answer)) { - if (key) { - char key_str[DNS_RESOURCE_KEY_STRING_MAX]; - - -From b12058e8f96a9b490e2b1ce98f81ced182add577 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 20:48:35 +0100 -Subject: [PATCH 04/12] resolved: fix indentation - ---- - src/resolve/resolved-dns-cache.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c -index 8edbd5fee94..09fb8e2c883 100644 ---- a/src/resolve/resolved-dns-cache.c -+++ b/src/resolve/resolved-dns-cache.c -@@ -808,7 +808,7 @@ int dns_cache_put( - if (cache_mode == DNS_CACHE_MODE_NO_NEGATIVE) { - char key_str[DNS_RESOURCE_KEY_STRING_MAX]; - log_debug("Not caching negative entry for: %s, cache mode set to no-negative", -- dns_resource_key_to_string(key, key_str, sizeof key_str)); -+ dns_resource_key_to_string(key, key_str, sizeof key_str)); - return 0; - } - - -From f6d80c361d6a51972d4df264a190bf01ef7af624 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 21:15:30 +0100 -Subject: [PATCH 05/12] resolved: drop unnecessary local variable - ---- - src/resolve/resolved-dns-cache.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/resolve/resolved-dns-cache.c 
b/src/resolve/resolved-dns-cache.c -index 09fb8e2c883..0f40e0e40f4 100644 ---- a/src/resolve/resolved-dns-cache.c -+++ b/src/resolve/resolved-dns-cache.c -@@ -416,7 +416,7 @@ static int dns_cache_put_positive( - _cleanup_(dns_cache_item_freep) DnsCacheItem *i = NULL; - DnsCacheItem *existing; - char key_str[DNS_RESOURCE_KEY_STRING_MAX]; -- int r, k; -+ int r; - - assert(c); - assert(rr); -@@ -430,9 +430,9 @@ static int dns_cache_put_positive( - - /* New TTL is 0? Delete this specific entry... */ - if (rr->ttl <= 0) { -- k = dns_cache_remove_by_rr(c, rr); -+ r = dns_cache_remove_by_rr(c, rr); - log_debug("%s: %s", -- k > 0 ? "Removed zero TTL entry from cache" : "Not caching zero TTL cache entry", -+ r > 0 ? "Removed zero TTL entry from cache" : "Not caching zero TTL cache entry", - dns_resource_key_to_string(rr->key, key_str, sizeof key_str)); - return 0; - } - -From b974211acbe419170fc56a317a1d55d07c7cb686 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 21:18:32 +0100 -Subject: [PATCH 06/12] resolved: take shortest TTL of all of RRs in answer as - cache lifetime - -We nowadays cache full answer RRset combinations instead of just the -exact matching rrset. This means we should not cache RRs that are not -immediate answers to our question for longer then their own RRs. Or in -other words: let's determine the shortest TTL of all RRs in the whole -answer, and use that as cache lifetime. 
---- - src/resolve/resolved-dns-cache.c | 60 +++++++++++++++++++++++--------- - 1 file changed, 44 insertions(+), 16 deletions(-) - -diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c -index 0f40e0e40f4..db2361ae363 100644 ---- a/src/resolve/resolved-dns-cache.c -+++ b/src/resolve/resolved-dns-cache.c -@@ -312,13 +312,19 @@ static DnsCacheItem* dns_cache_get(DnsCache *c, DnsResourceRecord *rr) { - return NULL; - } - --static usec_t calculate_until(DnsResourceRecord *rr, uint32_t nsec_ttl, usec_t timestamp, bool use_soa_minimum) { -+static usec_t calculate_until( -+ DnsResourceRecord *rr, -+ uint32_t min_ttl, -+ uint32_t nsec_ttl, -+ usec_t timestamp, -+ bool use_soa_minimum) { -+ - uint32_t ttl; - usec_t u; - - assert(rr); - -- ttl = MIN(rr->ttl, nsec_ttl); -+ ttl = MIN(min_ttl, nsec_ttl); - if (rr->key->type == DNS_TYPE_SOA && use_soa_minimum) { - /* If this is a SOA RR, and it is requested, clamp to the SOA's minimum field. This is used - * when we do negative caching, to determine the TTL for the negative caching entry. 
See RFC -@@ -351,6 +357,7 @@ static void dns_cache_item_update_positive( - DnsResourceRecord *rr, - DnsAnswer *answer, - DnsPacket *full_packet, -+ uint32_t min_ttl, - uint64_t query_flags, - bool shared_owner, - DnssecResult dnssec_result, -@@ -387,7 +394,7 @@ static void dns_cache_item_update_positive( - dns_packet_unref(i->full_packet); - i->full_packet = full_packet; - -- i->until = calculate_until(rr, UINT32_MAX, timestamp, false); -+ i->until = calculate_until(rr, min_ttl, UINT32_MAX, timestamp, false); - i->query_flags = query_flags & CACHEABLE_QUERY_FLAGS; - i->shared_owner = shared_owner; - i->dnssec_result = dnssec_result; -@@ -414,8 +421,9 @@ static int dns_cache_put_positive( - const union in_addr_union *owner_address) { - - _cleanup_(dns_cache_item_freep) DnsCacheItem *i = NULL; -- DnsCacheItem *existing; - char key_str[DNS_RESOURCE_KEY_STRING_MAX]; -+ DnsCacheItem *existing; -+ uint32_t min_ttl; - int r; - - assert(c); -@@ -428,8 +436,15 @@ static int dns_cache_put_positive( - if (dns_type_is_pseudo(rr->key->type)) - return 0; - -+ /* Determine the minimal TTL of all RRs in the answer plus the one by the main RR we are supposed to -+ * cache. Since we cache whole answers to questions we should never return answers where only some -+ * RRs are still valid, hence find the lowest here */ -+ min_ttl = dns_answer_min_ttl(answer); -+ if (rr) -+ min_ttl = MIN(min_ttl, rr->ttl); -+ - /* New TTL is 0? Delete this specific entry... */ -- if (rr->ttl <= 0) { -+ if (min_ttl <= 0) { - r = dns_cache_remove_by_rr(c, rr); - log_debug("%s: %s", - r > 0 ? 
"Removed zero TTL entry from cache" : "Not caching zero TTL cache entry", -@@ -446,6 +461,7 @@ static int dns_cache_put_positive( - rr, - answer, - full_packet, -+ min_ttl, - query_flags, - shared_owner, - dnssec_result, -@@ -473,7 +489,7 @@ static int dns_cache_put_positive( - .rr = dns_resource_record_ref(rr), - .answer = dns_answer_ref(answer), - .full_packet = dns_packet_ref(full_packet), -- .until = calculate_until(rr, (uint32_t) -1, timestamp, false), -+ .until = calculate_until(rr, min_ttl, (uint32_t) -1, timestamp, false), - .query_flags = query_flags & CACHEABLE_QUERY_FLAGS, - .shared_owner = shared_owner, - .dnssec_result = dnssec_result, -@@ -575,9 +591,12 @@ static int dns_cache_put_negative( - .full_packet = dns_packet_ref(full_packet), - }; - -+ /* Determine how long to cache this entry. In case we have some RRs in the answer use the lowest TTL -+ * of any of them. Typically that's the SOA's TTL, which is OK, but could possibly be lower because -+ * of some other RR. Let's better take the lowest option here than a needlessly high one */ - i->until = - i->type == DNS_CACHE_RCODE ? timestamp + CACHE_TTL_STRANGE_RCODE_USEC : -- calculate_until(soa, nsec_ttl, timestamp, true); -+ calculate_until(soa, dns_answer_min_ttl(answer), nsec_ttl, timestamp, true); - - if (i->type == DNS_CACHE_NXDOMAIN) { - /* NXDOMAIN entries should apply equally to all types, so we use ANY as -@@ -1046,21 +1065,30 @@ int dns_cache_lookup( - DnsAnswerItem *item; - - DNS_ANSWER_FOREACH_ITEM(item, j->answer) { -- r = answer_add_clamp_ttl(&answer, item->rr, item->ifindex, item->flags, item->rrsig, query_flags, j->until, current); -+ r = answer_add_clamp_ttl( -+ &answer, -+ item->rr, -+ item->ifindex, -+ item->flags, -+ item->rrsig, -+ query_flags, -+ j->until, -+ current); - if (r < 0) - return r; - } - } - - } else if (j->rr) { -- r = answer_add_clamp_ttl(&answer, -- j->rr, -- j->ifindex, -- FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED) ? 
DNS_ANSWER_AUTHENTICATED : 0, -- NULL, -- query_flags, -- j->until, -- current); -+ r = answer_add_clamp_ttl( -+ &answer, -+ j->rr, -+ j->ifindex, -+ FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED) ? DNS_ANSWER_AUTHENTICATED : 0, -+ NULL, -+ query_flags, -+ j->until, -+ current); - if (r < 0) - return r; - } - -From a1acc6e332b05f6a5167bf9d0bc0657794e1342c Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 21:18:52 +0100 -Subject: [PATCH 07/12] resolved: let's tweak how we calculate TTL left -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When responding from DNS cache, let's slightly tweak how the TTL is -lowered: as before let's round down when converting from our internal µs -to the external seconds. (This is preferable, since records should -better be cached too short instead of too long.) Let's avoid rounding -down to zero though, since that has special semantics in many cases (in -particular mDNS). Let's just use 1s in that case. ---- - src/resolve/resolved-dns-cache.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c -index db2361ae363..9b2e7115c0a 100644 ---- a/src/resolve/resolved-dns-cache.c -+++ b/src/resolve/resolved-dns-cache.c -@@ -937,9 +937,18 @@ static int answer_add_clamp_ttl( - assert(rr); - - if (FLAGS_SET(query_flags, SD_RESOLVED_CLAMP_TTL)) { -+ uint32_t left_ttl; -+ -+ /* Let's determine how much time is left for this cache entry. 
Note that we round down, but -+ * clamp this to be 1s at minimum, since we usually want records to remain cached better too -+ * short a time than too long a time, but otoh don't want to return 0 ever, since that has -+ * special semantics in various contexts — in particular in mDNS */ -+ -+ left_ttl = MAX(1U, LESS_BY(until, current) / USEC_PER_SEC); -+ - patched = dns_resource_record_ref(rr); - -- r = dns_resource_record_clamp_ttl(&patched, LESS_BY(until, current) / USEC_PER_SEC); -+ r = dns_resource_record_clamp_ttl(&patched, left_ttl); - if (r < 0) - return r; - -@@ -947,7 +956,7 @@ static int answer_add_clamp_ttl( - - if (rrsig) { - patched_rrsig = dns_resource_record_ref(rrsig); -- r = dns_resource_record_clamp_ttl(&patched_rrsig, LESS_BY(until, current) / USEC_PER_SEC); -+ r = dns_resource_record_clamp_ttl(&patched_rrsig, left_ttl); - if (r < 0) - return r; - - -From c4d98c3acc5901fad4a9a8e2ecd7cf9ad7b8ecb0 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 21:36:42 +0100 -Subject: [PATCH 08/12] resolved: use DNS_ANSWER_MASK_SECTIONS where - appropriate - ---- - src/resolve/resolved-dns-stub.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index 8e781dd7389..f8d4767e536 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -275,7 +275,7 @@ static int dns_stub_collect_answer_by_section( - dns_type_is_dnssec(item->rr->key->type)) - continue; - -- if (((item->flags ^ section) & (DNS_ANSWER_SECTION_ANSWER|DNS_ANSWER_SECTION_AUTHORITY|DNS_ANSWER_SECTION_ADDITIONAL)) != 0) -+ if (((item->flags ^ section) & DNS_ANSWER_MASK_SECTIONS) != 0) - continue; - - r = reply_add_with_rrsig( - -From 567aa5c87b4a177cd4a6ef3ed8d6814839a4ffd8 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 22:14:43 +0100 -Subject: [PATCH 09/12] resolved: show TTLs in answer dump - ---- - src/resolve/resolved-dns-answer.c | 
5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c -index 5fbff81c255..a032ac157e0 100644 ---- a/src/resolve/resolved-dns-answer.c -+++ b/src/resolve/resolved-dns-answer.c -@@ -879,9 +879,8 @@ void dns_answer_dump(DnsAnswer *answer, FILE *f) { - } - - fputs(t, f); -- -- if (item->ifindex != 0 || item->rrsig || item->flags != 0) -- fputs("\t;", f); -+ fputs("\t;", f); -+ fprintf(f, " ttl=%" PRIu32, item->rr->ttl); - - if (item->ifindex != 0) - fprintf(f, " ifindex=%i", item->ifindex); - -From 1414b67e0d9515c23221cecbb5323d45ea2020b1 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 22:15:06 +0100 -Subject: [PATCH 10/12] resolved: add helper for dumping DnsQuestion, similar - to what we have for DnsAnswer - ---- - src/resolve/resolved-dns-question.c | 18 ++++++++++++++++++ - src/resolve/resolved-dns-question.h | 2 ++ - 2 files changed, 20 insertions(+) - -diff --git a/src/resolve/resolved-dns-question.c b/src/resolve/resolved-dns-question.c -index 047170899db..ef409326304 100644 ---- a/src/resolve/resolved-dns-question.c -+++ b/src/resolve/resolved-dns-question.c -@@ -445,3 +445,21 @@ int dns_question_new_service( - - return 0; - } -+ -+/* -+ * This function is not used in the code base, but is useful when debugging. Do not delete. 
-+ */ -+void dns_question_dump(DnsQuestion *question, FILE *f) { -+ DnsResourceKey *k; -+ -+ if (!f) -+ f = stdout; -+ -+ DNS_QUESTION_FOREACH(k, question) { -+ char buf[DNS_RESOURCE_KEY_STRING_MAX]; -+ -+ fputc('\t', f); -+ fputs(dns_resource_key_to_string(k, buf, sizeof(buf)), f); -+ fputc('\n', f); -+ } -+} -diff --git a/src/resolve/resolved-dns-question.h b/src/resolve/resolved-dns-question.h -index a6444b0baf9..8f9a84c82d9 100644 ---- a/src/resolve/resolved-dns-question.h -+++ b/src/resolve/resolved-dns-question.h -@@ -33,6 +33,8 @@ int dns_question_is_equal(DnsQuestion *a, DnsQuestion *b); - - int dns_question_cname_redirect(DnsQuestion *q, const DnsResourceRecord *cname, DnsQuestion **ret); - -+void dns_question_dump(DnsQuestion *q, FILE *f); -+ - const char *dns_question_first_name(DnsQuestion *q); - - static inline size_t dns_question_size(DnsQuestion *q) { - -From a7c0291c104cdd9d5ae2fe3c5855273bbadae13e Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 22:15:18 +0100 -Subject: [PATCH 11/12] resolved: match CNAME replies to right question - -Previously by mistake we'd always match every single reply we get in a -CNAME chain to the original question from the stub client. That's -broken, we need to test it against the CNAME query we are currently -looking at. - -The effect of this incorrect matching was that we'd assign the RRs to -the wrong section since we'd assume they'd be auxiliary answers instead -of primary answers. - -Fixes: #18972 ---- - src/resolve/resolved-dns-stub.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index f8d4767e536..b6d14b9305e 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -761,7 +761,7 @@ static void dns_stub_query_complete(DnsQuery *q) { - * and keep adding all RRs in the CNAME chain. 
*/ - r = dns_stub_assign_sections( - q, -- q->request_packet->question, -+ dns_query_question_for_protocol(q, DNS_PROTOCOL_DNS), - dns_stub_reply_with_edns0_do(q)); - if (r < 0) { - log_debug_errno(r, "Failed to assign sections: %m"); - -From b1eea703e01da1e280e179fb119449436a0c9b8e Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 15 Mar 2021 23:26:46 +0100 -Subject: [PATCH 12/12] resolved: don't flush answer RRs on CNAME redirect too - early -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When doing a CNAME/DNAME redirect let's first check if the answer we -already have fully answers the redirected question already. If so, let's -use that. If not, let's properly restart things. - -This simply removes one call to dns_answer_reset() that was placed too -early: instead of resetting when we detect a CNAME/DNAME redirect, do so -only after checking if the answer we already have doesn't match the -reply, and then decide to *actually* follow it. Or in other words: rely -on the dns_answer_reset() call in dns_query_go() which we'll call to -actually begin with the redirected question. - -This fixes an optimization path which was broken back in 7820b320eaa608748f66f8105621640cf80e483a. - -(This doesn't really matter as much as one might think, since our cache -stepped in anyway and answered the questions before going back to the -network. However, this adds noise if RRs with very short TTLs are cached -– which some CDNs do – and is of course relavant when people turn off -the local cache.) 
---- - src/resolve/resolved-dns-query.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c -index aa9d65d4a82..e4386c402ac 100644 ---- a/src/resolve/resolved-dns-query.c -+++ b/src/resolve/resolved-dns-query.c -@@ -1019,7 +1019,9 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) - q->question_utf8 = TAKE_PTR(nq_utf8); - - dns_query_unref_candidates(q); -- dns_query_reset_answer(q); -+ -+ /* Note that we do *not* reset the answer here, because the answer we previously got might already -+ * include everything we need, let's check that first */ - - q->state = DNS_TRANSACTION_NULL; - -@@ -1069,8 +1071,7 @@ int dns_query_process_cname(DnsQuery *q) { - if (r < 0) - return r; - -- /* Let's see if the answer can already answer the new -- * redirected question */ -+ /* Let's see if the answer can already answer the new redirected question */ - r = dns_query_process_cname(q); - if (r != DNS_QUERY_NOMATCH) - return r; diff --git a/9cc6a94790eecfc808335b759355a4005d66f6e3.patch b/9cc6a94790eecfc808335b759355a4005d66f6e3.patch deleted file mode 100644 index e709085..0000000 --- a/9cc6a94790eecfc808335b759355a4005d66f6e3.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From 9cc6a94790eecfc808335b759355a4005d66f6e3 Mon Sep 17 00:00:00 2001 -From: "Jonathan G. Underwood" -Date: Tue, 22 Dec 2020 20:04:52 +0000 -Subject: [PATCH] cryptsetup: add support for workqueue options - -This commit adds support for disabling the read and write -workqueues with the new crypttab options no-read-workqueue -and no-write-workqueue. These correspond to the cryptsetup -options --perf-no_read_workqueue and --perf-no_write_workqueue -respectively. ---- - man/crypttab.xml | 19 +++++++++++++++++++ - src/cryptsetup/cryptsetup.c | 12 ++++++++++++ - src/shared/cryptsetup-util.h | 8 ++++++++ - 3 files changed, 39 insertions(+) - -diff --git a/man/crypttab.xml b/man/crypttab.xml -index 2062a5b8e70..72fe2e692da 100644 ---- a/man/crypttab.xml -+++ b/man/crypttab.xml -@@ -342,6 +342,25 @@ - - - -+ -+ -+ -+ Bypass dm-crypt internal workqueue and process read requests synchronously. The -+ default is to queue these requests and process them asynchronously. -+ -+ This requires kernel 5.9 or newer. -+ -+ -+ -+ -+ -+ Bypass dm-crypt internal workqueue and process write requests synchronously. The -+ default is to queue these requests and process them asynchronously. -+ -+ This requires kernel 5.9 or newer. 
-+ -+ -+ - - - -diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c -index 7b21a7457a1..65cbd1aec83 100644 ---- a/src/cryptsetup/cryptsetup.c -+++ b/src/cryptsetup/cryptsetup.c -@@ -60,6 +60,8 @@ static bool arg_verify = false; - static bool arg_discards = false; - static bool arg_same_cpu_crypt = false; - static bool arg_submit_from_crypt_cpus = false; -+static bool arg_no_read_workqueue = false; -+static bool arg_no_write_workqueue = false; - static bool arg_tcrypt_hidden = false; - static bool arg_tcrypt_system = false; - static bool arg_tcrypt_veracrypt = false; -@@ -236,6 +238,10 @@ static int parse_one_option(const char *option) { - arg_same_cpu_crypt = true; - else if (streq(option, "submit-from-crypt-cpus")) - arg_submit_from_crypt_cpus = true; -+ else if (streq(option, "no-read-workqueue")) -+ arg_no_read_workqueue = true; -+ else if (streq(option, "no-write-workqueue")) -+ arg_no_write_workqueue = true; - else if (streq(option, "luks")) - arg_type = ANY_LUKS; - /* since cryptsetup 2.3.0 (Feb 2020) */ -@@ -1352,6 +1358,12 @@ static uint32_t determine_flags(void) { - if (arg_submit_from_crypt_cpus) - flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS; - -+ if (arg_no_read_workqueue) -+ flags |= CRYPT_ACTIVATE_NO_READ_WORKQUEUE; -+ -+ if (arg_no_write_workqueue) -+ flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE; -+ - #ifdef CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF - /* Try to decrease the risk of OOM event if memory hard key derivation function is in use */ - /* https://gitlab.com/cryptsetup/cryptsetup/issues/446/ */ -diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h -index fa2d2f65f3c..afac5cd46bd 100644 ---- a/src/shared/cryptsetup-util.h -+++ b/src/shared/cryptsetup-util.h -@@ -7,6 +7,14 @@ - #if HAVE_LIBCRYPTSETUP - #include - -+/* These next two are defined in libcryptsetup.h from cryptsetup version 2.3.4 forwards. 
*/ -+#ifndef CRYPT_ACTIVATE_NO_READ_WORKQUEUE -+#define CRYPT_ACTIVATE_NO_READ_WORKQUEUE (1 << 24) -+#endif -+#ifndef CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE -+#define CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE (1 << 25) -+#endif -+ - extern int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags); - #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY - extern int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags); diff --git a/sources b/sources index e0ddaa0..b4d0e31 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-248-rc2.tar.gz) = e637bdf781dc87c83f0e45f65a1060189279e2cdabd2c53e3ff8155d321ca9cafb8be1010e0899c0ed6cf42dc1834b756d98bca0b7443e02c83bfacdee4ce256 +SHA512 (systemd-248-rc4.tar.gz) = 022e8aabdc84c45ea06928c7b373c13f99d78fd808d9c07d3cd79dae5a2356f70d012eafbc749a588ddfcc2b1d0155f65f33ee240c4f15190d16f784803ffeac diff --git a/systemd.spec b/systemd.spec index 4196d1b..bad15af 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,8 +20,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248~rc2 -Release: 8%{?dist} +Version: 248~rc4 +Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager 
@@ -72,15 +72,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # Backports of patches from upstream (0000–0499) -# https://bugzilla.redhat.com/show_bug.cgi?id=1933433 -Patch0000: https://github.com/systemd/systemd/pull/18892.patch - -# https://bugzilla.redhat.com/show_bug.cgi?id=1931034 -Patch0001: https://github.com/systemd/systemd/pull/18915.patch -# https://github.com/systemd/systemd/pull/19009 -# Fixes more CNAME issues in stub resolver (#1933433) -Patch0002: 19009-rediff.patch - # Downstream-only patches (5000–9999) # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 Patch0500: use-bfq-scheduler.patch @@ -955,6 +946,9 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Thu Mar 18 2021 Yu Watanabe - 248~rc4-1 +- Latest upstream prelease. + * Tue Mar 16 2021 Adam Williamson - 248~rc2-8 - Drop the resolved cache disablement config snippet From 150cd4ca7fe16c0948026cb269346d3e31aafa99 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 19 Mar 2021 01:19:04 +0900 Subject: [PATCH 06/38] Disable epoll2_pwait2() for 32bit archs --- ...372cd734d9e3e125a42b12a9e71caf1632a6.patch | 36 +++++++++++++++++++ systemd.spec | 2 ++ 2 files changed, 38 insertions(+) create mode 100644 4cbb372cd734d9e3e125a42b12a9e71caf1632a6.patch diff --git a/4cbb372cd734d9e3e125a42b12a9e71caf1632a6.patch b/4cbb372cd734d9e3e125a42b12a9e71caf1632a6.patch new file mode 100644 index 0000000..6062599 --- /dev/null +++ b/4cbb372cd734d9e3e125a42b12a9e71caf1632a6.patch 
@@ -0,0 +1,36 @@ +From 4cbb372cd734d9e3e125a42b12a9e71caf1632a6 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 11 Mar 2021 21:49:44 +0100 +Subject: [PATCH] syscall: disable epoll_pwait2() for now on 32bit + +Alternative to #18973. +--- + src/basic/missing_syscall.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h +index 13843248045..8158a75a78d 100644 +--- a/src/basic/missing_syscall.h ++++ b/src/basic/missing_syscall.h +@@ -407,6 +407,13 @@ static inline int missing_epoll_pwait2( + const sigset_t *sigset) { + + # if defined(__NR_epoll_pwait2) && HAVE_LINUX_TIME_TYPES_H ++# if __SIZEOF_LONG__ == 4 ++// Someone with an interest in 32bit systems, please have a look at this, and figure out why this hangs on 32bit systems. ++// My educated guess: might be because of issues with the __kernel_timespec translation or because of incorrectly sized sigset_t array. ++# pragma message "epoll_pwait2() appears to be broken on 32bit archs, someone please have a look!" ++ errno = ENOSYS; ++ return -1; ++# else + if (timeout) { + /* Convert from userspace timespec to kernel timespec */ + struct __kernel_timespec ts = { +@@ -417,6 +424,7 @@ static inline int missing_epoll_pwait2( + return syscall(__NR_epoll_pwait2, fd, events, maxevents, &ts, sigset, sigset ? KERNEL_NSIG_BYTES : 0); + } else + return syscall(__NR_epoll_pwait2, fd, events, maxevents, NULL, sigset, sigset ? KERNEL_NSIG_BYTES : 0); ++# endif + # else + errno = ENOSYS; + return -1; diff --git a/systemd.spec b/systemd.spec index bad15af..990dcb6 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -71,6 +71,8 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ %endif # Backports of patches from upstream (0000–0499) +# https://github.com/systemd/systemd/pull/18975 +Patch0502: https://github.com/systemd/systemd/pull/18975/commits/4cbb372cd734d9e3e125a42b12a9e71caf1632a6.patch # Downstream-only patches (5000–9999) # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 From 23388c4b7f95243123d30f0b20135e0f0854be1d Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 19 Mar 2021 02:10:21 +0900 Subject: [PATCH 07/38] Drop #pragma message from patch --- ...h => 2ad2a50a832140edfb49a95384e35bcf7a034acf.patch | 10 +++++----- systemd.spec | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) rename 4cbb372cd734d9e3e125a42b12a9e71caf1632a6.patch => 2ad2a50a832140edfb49a95384e35bcf7a034acf.patch (71%) diff --git a/4cbb372cd734d9e3e125a42b12a9e71caf1632a6.patch b/2ad2a50a832140edfb49a95384e35bcf7a034acf.patch similarity index 71% rename from 4cbb372cd734d9e3e125a42b12a9e71caf1632a6.patch rename to 2ad2a50a832140edfb49a95384e35bcf7a034acf.patch index 6062599..ec79c44 100644 --- a/4cbb372cd734d9e3e125a42b12a9e71caf1632a6.patch +++ b/2ad2a50a832140edfb49a95384e35bcf7a034acf.patch @@ -1,4 +1,4 @@ -From 4cbb372cd734d9e3e125a42b12a9e71caf1632a6 Mon Sep 17 00:00:00 2001 +From 2ad2a50a832140edfb49a95384e35bcf7a034acf Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 11 Mar 2021 21:49:44 +0100 Subject: [PATCH] syscall: disable epoll_pwait2() for now on 32bit @@ -9,7 +9,7 @@ Alternative to #18973. 1 file changed, 8 insertions(+) diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h -index 13843248045..8158a75a78d 100644 +index 13843248045..8bbe4d28847 100644 --- a/src/basic/missing_syscall.h +++ b/src/basic/missing_syscall.h @@ -407,6 +407,13 @@ static inline int missing_epoll_pwait2( 
@@ -17,9 +17,9 @@ index 13843248045..8158a75a78d 100644 # if defined(__NR_epoll_pwait2) && HAVE_LINUX_TIME_TYPES_H +# if __SIZEOF_LONG__ == 4 -+// Someone with an interest in 32bit systems, please have a look at this, and figure out why this hangs on 32bit systems. -+// My educated guess: might be because of issues with the __kernel_timespec translation or because of incorrectly sized sigset_t array. -+# pragma message "epoll_pwait2() appears to be broken on 32bit archs, someone please have a look!" ++ /* Someone with an interest in 32bit systems, please have a look at this, and figure out why ++ * this hangs on 32bit systems. My educated guess: might be because of issues with the ++ * __kernel_timespec translation or because of incorrectly sized sigset_t array. */ + errno = ENOSYS; + return -1; +# else diff --git a/systemd.spec b/systemd.spec index 990dcb6..40218fe 100644 --- a/systemd.spec +++ b/systemd.spec @@ -71,8 +71,8 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ %endif # Backports of patches from upstream (0000–0499) -# https://github.com/systemd/systemd/pull/18975 -Patch0502: https://github.com/systemd/systemd/pull/18975/commits/4cbb372cd734d9e3e125a42b12a9e71caf1632a6.patch +# https://github.com/systemd/systemd/pull/19042 +Patch0502: https://github.com/systemd/systemd/pull/19042/commits/2ad2a50a832140edfb49a95384e35bcf7a034acf.patch # Downstream-only patches (5000–9999) # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 From 21a3bf90b9f5d0876ff798595a8a0dcc80367ea5 Mon Sep 17 00:00:00 2001 
From: Yu Watanabe Date: Fri, 19 Mar 2021 03:55:54 +0900 Subject: [PATCH 08/38] Disable epoll_pwait2() in sd-event --- ...-do-not-use-epoll_pwait2-tentatively.patch | 35 ++++++++++++++++++ ...a50a832140edfb49a95384e35bcf7a034acf.patch | 36 ------------------- systemd.spec | 5 +-- 3 files changed, 38 insertions(+), 38 deletions(-) create mode 100644 0001-sd-event-do-not-use-epoll_pwait2-tentatively.patch delete mode 100644 2ad2a50a832140edfb49a95384e35bcf7a034acf.patch diff --git a/0001-sd-event-do-not-use-epoll_pwait2-tentatively.patch b/0001-sd-event-do-not-use-epoll_pwait2-tentatively.patch new file mode 100644 index 0000000..4baf338 --- /dev/null +++ b/0001-sd-event-do-not-use-epoll_pwait2-tentatively.patch @@ -0,0 +1,35 @@ +From 829e2b5cd552c5ea33a8ccc43e118ba87bbda206 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 19 Mar 2021 04:13:59 +0900 +Subject: [PATCH] sd-event: do not use epoll_pwait2() tentatively + +--- + src/libsystemd/sd-event/sd-event.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c +index 8f74b14101..14bed4f854 100644 +--- a/src/libsystemd/sd-event/sd-event.c ++++ b/src/libsystemd/sd-event/sd-event.c +@@ -3808,8 +3808,9 @@ static int epoll_wait_usec( + int maxevents, + usec_t timeout) { + +- static bool epoll_pwait2_absent = false; + int r, msec; ++#if 0 ++ static bool epoll_pwait2_absent = false; + + /* A wrapper that uses epoll_pwait2() if available, and falls back to epoll_wait() if not */ + +@@ -3829,6 +3830,7 @@ static int epoll_wait_usec( + + epoll_pwait2_absent = true; + } ++#endif + + if (timeout == USEC_INFINITY) + msec = -1; +-- +2.30.2 + diff --git a/2ad2a50a832140edfb49a95384e35bcf7a034acf.patch b/2ad2a50a832140edfb49a95384e35bcf7a034acf.patch deleted file mode 100644 index ec79c44..0000000 --- a/2ad2a50a832140edfb49a95384e35bcf7a034acf.patch +++ /dev/null 
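Review bot: The `#if 0` added in `epoll_wait_usec()` has no comment saying why the epoll_pwait2() path is switched off or what has to happen before it comes back. It also hides the existing `/* A wrapper that uses epoll_pwait2() if available, and falls back to epoll_wait() if not */` description, which no longer matches what gets compiled. I would add a line directly above the `#if 0`, such as `/* epoll_pwait2() is disabled for now, see https://github.com/systemd/systemd/pull/18973 */`, so the block is not mistaken for dead code and removed or re-enabled blindly. The function continues past the end of the hunk, so whether `r` is still used once the block is compiled out cannot be checked from here.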
@@ -1,36 +0,0 @@ -From 2ad2a50a832140edfb49a95384e35bcf7a034acf Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 11 Mar 2021 21:49:44 +0100 -Subject: [PATCH] syscall: disable epoll_pwait2() for now on 32bit - -Alternative to #18973. ---- - src/basic/missing_syscall.h | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h -index 13843248045..8bbe4d28847 100644 ---- a/src/basic/missing_syscall.h -+++ b/src/basic/missing_syscall.h -@@ -407,6 +407,13 @@ static inline int missing_epoll_pwait2( - const sigset_t *sigset) { - - # if defined(__NR_epoll_pwait2) && HAVE_LINUX_TIME_TYPES_H -+# if __SIZEOF_LONG__ == 4 -+ /* Someone with an interest in 32bit systems, please have a look at this, and figure out why -+ * this hangs on 32bit systems. My educated guess: might be because of issues with the -+ * __kernel_timespec translation or because of incorrectly sized sigset_t array. */ -+ errno = ENOSYS; -+ return -1; -+# else - if (timeout) { - /* Convert from userspace timespec to kernel timespec */ - struct __kernel_timespec ts = { -@@ -417,6 +424,7 @@ static inline int missing_epoll_pwait2( - return syscall(__NR_epoll_pwait2, fd, events, maxevents, &ts, sigset, sigset ? KERNEL_NSIG_BYTES : 0); - } else - return syscall(__NR_epoll_pwait2, fd, events, maxevents, NULL, sigset, sigset ? KERNEL_NSIG_BYTES : 0); -+# endif - # else - errno = ENOSYS; - return -1; diff --git a/systemd.spec b/systemd.spec index 40218fe..32a3414 100644 --- a/systemd.spec +++ b/systemd.spec @@ -71,8 +71,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ %endif # Backports of patches from upstream (0000–0499) -# https://github.com/systemd/systemd/pull/19042 -Patch0502: https://github.com/systemd/systemd/pull/19042/commits/2ad2a50a832140edfb49a95384e35bcf7a034acf.patch # Downstream-only patches (5000–9999) # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 
@@ -81,6 +79,9 @@ Patch0500: use-bfq-scheduler.patch # https://github.com/systemd/systemd/pull/17050 Patch0501: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch +# https://github.com/systemd/systemd/pull/18973 +Patch0502: 0001-sd-event-do-not-use-epoll_pwait2-tentatively.patch + %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 %endif From 6be6901c7d855e56ef606af8034df03b7b88fe27 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Fri, 12 Mar 2021 17:46:46 -0800 Subject: [PATCH 09/38] Disable resolved cache via config snippet (#1940715) --- nocache.conf | 2 ++ systemd.spec | 11 ++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 nocache.conf diff --git a/nocache.conf b/nocache.conf new file mode 100644 index 0000000..25d5429 --- /dev/null +++ b/nocache.conf @@ -0,0 +1,2 @@ +[Resolve] +Cache=no diff --git a/systemd.spec b/systemd.spec index 32a3414..7eec651 100644 --- a/systemd.spec +++ b/systemd.spec @@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 248~rc4 -Release: 1%{?dist} +Release: 2%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -64,6 +64,9 @@ Source22: sysusers.attr Source23: sysusers.prov Source24: sysusers.generate-pre.sh +# Disable resolved caching to workaround #1933433 +Source100: nocache.conf + %if 0 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip 
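Review bot: The comment added above `Source100` names #1933433, while the subject of this commit and the changelog entry it adds both name #1940715. If #1940715 is the bug this snippet now works around, the comment should say so, e.g. `# Disable resolved caching to work around #1940715 (originally #1933433)`. Since `nocache.conf` sets `Cache=no` in a drop-in shipped with the package, the comment is also a good place to record the condition under which the snippet can be dropped again.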
@@ -554,6 +557,9 @@ touch %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload/state # Install yum protection fragment install -Dm0644 %{SOURCE4} %{buildroot}/etc/dnf/protected.d/systemd.conf +# Install resolved cache disable fragment +install -Dm0644 -t %{buildroot}%{pkgdir}/resolved.conf.d %{SOURCE100} + install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE7} %{SOURCE8} # Restore systemd-user pam config from before "removal of Fedora-specific bits" @@ -949,6 +955,9 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Fri Mar 19 2021 Adam Williamson - 248~rc4-2 +- Disable resolved cache via config snippet (#1940715) + * Thu Mar 18 2021 Yu Watanabe - 248~rc4-1 - Latest upstream prelease. From fc9b7c65df80849315f8412b602709a5e2ea396a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 23 Mar 2021 01:24:40 +0100 Subject: [PATCH 10/38] Tweak changelog --- systemd.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index 7eec651..aff77a5 100644 --- a/systemd.spec +++ b/systemd.spec @@ -959,7 +959,11 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net - Disable resolved cache via config snippet (#1940715) * Thu Mar 18 2021 Yu Watanabe - 248~rc4-1 -- Latest upstream prelease. +- Latest upstream prelease, see + https://github.com/systemd/systemd/blob/v248-rc4/NEWS. +- A bunch of documentation updates, correctness fixes, and systemd-networkd + features. +- Resolves #1933137, #1935084, #1933873, #1931181, #1933335, #1935062, #1927148. * Tue Mar 16 2021 Adam Williamson - 248~rc2-8 - Drop the resolved cache disablement config snippet From 9bbbaa81972523606e7c99490e0fb2c839e30f2a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 23 Mar 2021 01:08:51 +0100 Subject: [PATCH 11/38] A few more patches --- ...-do-not-use-epoll_pwait2-tentatively.patch | 35 -- ...7eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch | 36 ++ 19075.patch | 415 ++++++++++++++++++ 19079.patch | 178 ++++++++ 19080.patch | 67 +++ ...3f70ebe035323f4f079028a262669a2bbbf6.patch | 55 +++ ...afae96c72564cd4cd766555845f17e3c12a9.patch | 85 ++++ systemd.spec | 27 +- 8 files changed, 859 insertions(+), 39 deletions(-) delete mode 100644 0001-sd-event-do-not-use-epoll_pwait2-tentatively.patch create mode 100644 0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch create mode 100644 19075.patch create mode 100644 19079.patch create mode 100644 19080.patch create mode 100644 5cdb3f70ebe035323f4f079028a262669a2bbbf6.patch create mode 100644 f9b3afae96c72564cd4cd766555845f17e3c12a9.patch diff --git a/0001-sd-event-do-not-use-epoll_pwait2-tentatively.patch b/0001-sd-event-do-not-use-epoll_pwait2-tentatively.patch deleted file mode 100644 index 4baf338..0000000 --- a/0001-sd-event-do-not-use-epoll_pwait2-tentatively.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 829e2b5cd552c5ea33a8ccc43e118ba87bbda206 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 19 Mar 2021 04:13:59 +0900 -Subject: [PATCH] sd-event: do not use epoll_pwait2() tentatively - ---- - src/libsystemd/sd-event/sd-event.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c -index 8f74b14101..14bed4f854 100644 ---- a/src/libsystemd/sd-event/sd-event.c -+++ b/src/libsystemd/sd-event/sd-event.c -@@ -3808,8 +3808,9 @@ static int epoll_wait_usec( - int maxevents, - usec_t timeout) { - -- static bool epoll_pwait2_absent = false; - int r, msec; -+#if 0 -+ static bool epoll_pwait2_absent = false; - - /* A wrapper that uses epoll_pwait2() if available, and falls back to epoll_wait() if not */ - -@@ -3829,6 +3830,7 @@ static int epoll_wait_usec( - - epoll_pwait2_absent = true; - } -+#endif - - if (timeout == USEC_INFINITY) - msec = -1; --- -2.30.2 - diff --git a/0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch b/0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch new file mode 100644 index 0000000..5c5317f --- /dev/null +++ b/0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch 
@@ -0,0 +1,36 @@ +From 0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d Mon Sep 17 00:00:00 2001 +From: Sergey Bugaev +Date: Mon, 22 Mar 2021 18:31:12 +0300 +Subject: [PATCH] log: protect errno in log_open() + +Commit 0b1f3c768ce1bd1490a5e53f539976dcef8ca765 has introduced log_open() +calls after exec fails post-fork. However, the log_open() call itself could +change the value of errno, which, for me, manifested in: + +$ coredumpctl gdb +... +Failed to invoke gdb: Success + +Fix this by using PROTECT_ERRNO in log_open(). +--- + src/basic/log.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/basic/log.c b/src/basic/log.c +index c8cca96bca4..0e6023cff22 100644 +--- a/src/basic/log.c ++++ b/src/basic/log.c +@@ -252,6 +252,13 @@ int log_open(void) { + + /* Do not call from library code. */ + ++ /* This function is often called in preparation for being able ++ * to log. Let's make sure we don't clobber errno, so that a call ++ * to a logging function immediately following a log_open() call ++ * can still easily reference an error that happened immediately ++ * before the log_open() call. */ ++ PROTECT_ERRNO; ++ + /* If we don't use the console we close it here, to not get + * killed by SAK. If we don't use syslog we close it here so + * that we are not confused by somebody deleting the socket in diff --git a/19075.patch b/19075.patch new file mode 100644 index 0000000..10f391e --- /dev/null +++ b/19075.patch 
@@ -0,0 +1,415 @@ +From 169615c9a8cdc54d748d4dfc8279be9b3c2bec44 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 21 Mar 2021 20:59:32 +0100 +Subject: [PATCH 1/5] shared/calendarspec: abort calculation after 1000 + iterations + +We have a bug where we seem to enter an infinite loop when running in the +Europe/Dublin timezone. The timezone is "special" because it has negative SAVE +values. The handling of this should obviously be fixed, but let's use a +belt-and-suspenders approach, and gracefully fail if we fail to find an answer +within a specific number of attempts. The code in this function is rather +complex, and it's hard to rule out another bug in the future. +--- + src/shared/calendarspec.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/shared/calendarspec.c b/src/shared/calendarspec.c +index 4f68a570b52..feb43efdcda 100644 +--- a/src/shared/calendarspec.c ++++ b/src/shared/calendarspec.c +@@ -1210,6 +1210,10 @@ static bool matches_weekday(int weekdays_bits, const struct tm *tm, bool utc) { + return (weekdays_bits & (1 << k)); + } + ++/* A safety valve: if we get stuck in the calculation, return an error. ++ * C.f. https://bugzilla.redhat.com/show_bug.cgi?id=1941335. */ ++#define MAX_CALENDAR_ITERATIONS 1000 ++ + static int find_next(const CalendarSpec *spec, struct tm *tm, usec_t *usec) { + struct tm c; + int tm_usec; +@@ -1223,7 +1227,7 @@ static int find_next(const CalendarSpec *spec, struct tm *tm, usec_t *usec) { + c = *tm; + tm_usec = *usec; + +- for (;;) { ++ for (unsigned iteration = 0; iteration < MAX_CALENDAR_ITERATIONS; iteration++) { + /* Normalize the current date */ + (void) mktime_or_timegm(&c, spec->utc); + c.tm_isdst = spec->dst; +@@ -1320,6 +1324,14 @@ static int find_next(const CalendarSpec *spec, struct tm *tm, usec_t *usec) { + *usec = tm_usec; + return 0; + } ++ ++ /* It seems we entered an infinite loop. 
Let's gracefully return an error instead of hanging or ++ * aborting. This code is also exercised when timers.target is brought up during early boot, so ++ * aborting here is problematic and hard to diagnose for users. */ ++ _cleanup_free_ char *s = NULL; ++ (void) calendar_spec_to_string(spec, &s); ++ return log_warning_errno(SYNTHETIC_ERRNO(EDEADLK), ++ "Infinite loop in calendar calculation: %s", strna(s)); + } + + static int calendar_spec_next_usec_impl(const CalendarSpec *spec, usec_t usec, usec_t *ret_next) { + +From 462f15d92d35f812d7d77edd486ca63236cffe83 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 22 Mar 2021 09:20:47 +0100 +Subject: [PATCH 2/5] shared/calendarspec: constify parameter and simplify + assignments to variable + +The scope of start & stop is narrowed down, and they are assigned only once. +No functional change, but I think the code is easier to read this way. +Also add a comment to make the code easier to read. +--- + src/shared/calendarspec.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/src/shared/calendarspec.c b/src/shared/calendarspec.c +index feb43efdcda..5c666412946 100644 +--- a/src/shared/calendarspec.c ++++ b/src/shared/calendarspec.c +@@ -1101,7 +1101,7 @@ int calendar_spec_from_string(const char *p, CalendarSpec **spec) { + return 0; + } + +-static int find_end_of_month(struct tm *tm, bool utc, int day) { ++static int find_end_of_month(const struct tm *tm, bool utc, int day) { + struct tm t = *tm; + + t.tm_mon++; +@@ -1114,28 +1114,39 @@ static int find_end_of_month(struct tm *tm, bool utc, int day) { + return t.tm_mday; + } + +-static int find_matching_component(const CalendarSpec *spec, const CalendarComponent *c, +- struct tm *tm, int *val) { +- const CalendarComponent *p = c; +- int start, stop, d = -1; ++static int find_matching_component( ++ const CalendarSpec *spec, ++ const CalendarComponent *c, ++ const struct tm 
*tm, /* tm is only used for end-of-month calculations */ ++ int *val) { ++ ++ int d = -1, r; + bool d_set = false; +- int r; + + assert(val); + ++ /* Finds the *earliest* matching time specified by one of the CalendarCompoment items in chain c. ++ * If no matches can be found, returns -ENOENT. ++ * Otherwise, updates *val to the matching time. 1 is returned if *val was changed, 0 otherwise. ++ */ ++ + if (!c) + return 0; + ++ bool end_of_month = spec->end_of_month && c == spec->day; ++ + while (c) { +- start = c->start; +- stop = c->stop; ++ int start, stop; + +- if (spec->end_of_month && p == spec->day) { +- start = find_end_of_month(tm, spec->utc, start); +- stop = find_end_of_month(tm, spec->utc, stop); ++ if (end_of_month) { ++ start = find_end_of_month(tm, spec->utc, c->start); ++ stop = find_end_of_month(tm, spec->utc, c->stop); + + if (stop > 0) + SWAP_TWO(start, stop); ++ } else { ++ start = c->start; ++ stop = c->stop; + } + + if (start >= *val) { + +From f035bb1b7a5900439640f267db881c60d042e450 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 22 Mar 2021 11:10:22 +0100 +Subject: [PATCH 3/5] test-calendarspec: print offending line in output + +The output is rather long at this makes it easier to jump to the right place. +Also use normal output routines and set_unset_env() to make things more +compact. 
+--- + src/test/test-calendarspec.c | 48 +++++++++++++++++------------------- + 1 file changed, 22 insertions(+), 26 deletions(-) + +diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c +index 01ec7f87704..152ce879f8a 100644 +--- a/src/test/test-calendarspec.c ++++ b/src/test/test-calendarspec.c +@@ -2,11 +2,11 @@ + + #include "alloc-util.h" + #include "calendarspec.h" ++#include "env-util.h" + #include "errno-util.h" + #include "string-util.h" +-#include "util.h" + +-static void test_one(const char *input, const char *output) { ++static void _test_one(int line, const char *input, const char *output) { + CalendarSpec *c; + _cleanup_free_ char *p = NULL, *q = NULL; + usec_t u; +@@ -16,13 +16,13 @@ static void test_one(const char *input, const char *output) { + assert_se(calendar_spec_from_string(input, &c) >= 0); + + assert_se(calendar_spec_to_string(c, &p) >= 0); +- printf("\"%s\" → \"%s\"\n", input, p); ++ log_info("line %d: \"%s\" → \"%s\"", line, input, p); + + assert_se(streq(p, output)); + + u = now(CLOCK_REALTIME); + r = calendar_spec_next_usec(c, u, &u); +- printf("Next: %s\n", r < 0 ? strerror_safe(r) : format_timestamp(buf, sizeof(buf), u)); ++ log_info("Next: %s", r < 0 ? 
strerror_safe(r) : format_timestamp(buf, sizeof buf, u)); + calendar_spec_free(c); + + assert_se(calendar_spec_from_string(p, &c) >= 0); +@@ -31,8 +31,9 @@ static void test_one(const char *input, const char *output) { + + assert_se(streq(q, p)); + } ++#define test_one(input, output) _test_one(__LINE__, input, output) + +-static void test_next(const char *input, const char *new_tz, usec_t after, usec_t expect) { ++static void _test_next(int line, const char *input, const char *new_tz, usec_t after, usec_t expect) { + CalendarSpec *c; + usec_t u; + char *old_tz; +@@ -43,22 +44,19 @@ static void test_next(const char *input, const char *new_tz, usec_t after, usec_ + if (old_tz) + old_tz = strdupa(old_tz); + +- if (new_tz) { +- char *colon_tz; ++ if (new_tz) ++ new_tz = strjoina(":", new_tz); + +- colon_tz = strjoina(":", new_tz); +- assert_se(setenv("TZ", colon_tz, 1) >= 0); +- } else +- assert_se(unsetenv("TZ") >= 0); ++ assert_se(set_unset_env("TZ", new_tz, true) == 0); + tzset(); + + assert_se(calendar_spec_from_string(input, &c) >= 0); + +- printf("\"%s\"\n", input); ++ log_info("line %d: \"%s\" new_tz=%s", line, input, strnull(new_tz)); + + u = after; + r = calendar_spec_next_usec(c, after, &u); +- printf("At: %s\n", r < 0 ? strerror_safe(r) : format_timestamp_style(buf, sizeof buf, u, TIMESTAMP_US)); ++ log_info("At: %s", r < 0 ? 
strerror_safe(r) : format_timestamp_style(buf, sizeof buf, u, TIMESTAMP_US)); + if (expect != USEC_INFINITY) + assert_se(r >= 0 && u == expect); + else +@@ -66,12 +64,10 @@ static void test_next(const char *input, const char *new_tz, usec_t after, usec_ + + calendar_spec_free(c); + +- if (old_tz) +- assert_se(setenv("TZ", old_tz, 1) >= 0); +- else +- assert_se(unsetenv("TZ") >= 0); ++ assert_se(set_unset_env("TZ", old_tz, true) == 0); + tzset(); + } ++#define test_next(input, new_tz, after, expect) _test_next(__LINE__, input,new_tz,after,expect) + + static void test_timestamp(void) { + char buf[FORMAT_TIMESTAMP_MAX]; +@@ -83,12 +79,12 @@ static void test_timestamp(void) { + + x = now(CLOCK_REALTIME); + +- assert_se(format_timestamp_style(buf, sizeof(buf), x, TIMESTAMP_US)); +- printf("%s\n", buf); ++ assert_se(format_timestamp_style(buf, sizeof buf, x, TIMESTAMP_US)); ++ log_info("%s", buf); + assert_se(calendar_spec_from_string(buf, &c) >= 0); + assert_se(calendar_spec_to_string(c, &t) >= 0); + calendar_spec_free(c); +- printf("%s\n", t); ++ log_info("%s", t); + + assert_se(parse_timestamp(t, &y) >= 0); + assert_se(y == x); +@@ -104,11 +100,11 @@ static void test_hourly_bug_4031(void) { + n = now(CLOCK_REALTIME); + assert_se((r = calendar_spec_next_usec(c, n, &u)) >= 0); + +- printf("Now: %s (%"PRIu64")\n", format_timestamp_style(buf, sizeof buf, n, TIMESTAMP_US), n); +- printf("Next hourly: %s (%"PRIu64")\n", r < 0 ? strerror_safe(r) : format_timestamp_style(buf, sizeof buf, u, TIMESTAMP_US), u); ++ log_info("Now: %s (%"PRIu64")", format_timestamp_style(buf, sizeof buf, n, TIMESTAMP_US), n); ++ log_info("Next hourly: %s (%"PRIu64")", r < 0 ? strerror_safe(r) : format_timestamp_style(buf, sizeof buf, u, TIMESTAMP_US), u); + + assert_se((r = calendar_spec_next_usec(c, u, &w)) >= 0); +- printf("Next hourly: %s (%"PRIu64")\n", r < 0 ? strerror_safe(r) : format_timestamp_style(zaf, sizeof zaf, w, TIMESTAMP_US), w); ++ log_info("Next hourly: %s (%"PRIu64")", r < 0 ? 
strerror_safe(r) : format_timestamp_style(zaf, sizeof zaf, w, TIMESTAMP_US), w); + + assert_se(n < u); + assert_se(u <= n + USEC_PER_HOUR); +@@ -209,13 +205,13 @@ int main(int argc, char* argv[]) { + test_next("2017-08-06 9..17/2:00 UTC", "", 1502029800000000, 1502031600000000); + test_next("2016-12-* 3..21/6:00 UTC", "", 1482613200000001, 1482634800000000); + test_next("2017-09-24 03:30:00 Pacific/Auckland", "", 12345, 1506177000000000); +- // Due to daylight saving time - 2017-09-24 02:30:00 does not exist ++ /* Due to daylight saving time - 2017-09-24 02:30:00 does not exist */ + test_next("2017-09-24 02:30:00 Pacific/Auckland", "", 12345, -1); + test_next("2017-04-02 02:30:00 Pacific/Auckland", "", 12345, 1491053400000000); +- // Confirm that even though it's a time change here (backward) 02:30 happens only once ++ /* Confirm that even though it's a time change here (backward) 02:30 happens only once */ + test_next("2017-04-02 02:30:00 Pacific/Auckland", "", 1491053400000000, -1); + test_next("2017-04-02 03:30:00 Pacific/Auckland", "", 12345, 1491060600000000); +- // Confirm that timezones in the Spec work regardless of current timezone ++ /* Confirm that timezones in the Spec work regardless of current timezone */ + test_next("2017-09-09 20:42:00 Pacific/Auckland", "", 12345, 1504946520000000); + test_next("2017-09-09 20:42:00 Pacific/Auckland", "EET", 12345, 1504946520000000); + + +From 47b0b65766229a18921a3ce831ef708ef408a34c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 22 Mar 2021 11:29:35 +0100 +Subject: [PATCH 4/5] test-calendarspec: do not convert timezone "" to ":" + +I *think* it doesn't actually make any difference, because ":" will be ignored. +437f48a471f51ac9dd2697ee3b848a71b4f101df added prefixing with ":", but didn't +take into account the fact that we also use "" with a different meaning than +NULL here. But let's restore the original behaviour of specifying the empty +string. 
+--- + src/test/test-calendarspec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c +index 152ce879f8a..c62e6860cf9 100644 +--- a/src/test/test-calendarspec.c ++++ b/src/test/test-calendarspec.c +@@ -44,7 +44,7 @@ static void _test_next(int line, const char *input, const char *new_tz, usec_t a + if (old_tz) + old_tz = strdupa(old_tz); + +- if (new_tz) ++ if (!isempty(new_tz)) + new_tz = strjoina(":", new_tz); + + assert_se(set_unset_env("TZ", new_tz, true) == 0); + +From 129cb6e249bef30dc33e08f98f0b27a6de976f6f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 22 Mar 2021 12:51:47 +0100 +Subject: [PATCH 5/5] shared/calendarspec: when mktime() moves us backwards, + jump forward +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When trying to calculate the next firing of 'Sun *-*-* 01:00:00', we'd fall +into an infinite loop, because mktime() moves us "backwards": + +Before this patch: +tm_within_bounds: good=0 2021-03-29 01:00:00 → 2021-03-29 00:00:00 +tm_within_bounds: good=0 2021-03-29 01:00:00 → 2021-03-29 00:00:00 +tm_within_bounds: good=0 2021-03-29 01:00:00 → 2021-03-29 00:00:00 +... + +We rely on mktime() normalizing the time. The man page does not say that it'll +move the time forward, but our algorithm relies on this. So let's catch this +case explicitly. + +With this patch: +$ TZ=Europe/Dublin faketime 2021-03-21 build/systemd-analyze calendar --iterations=5 'Sun *-*-* 01:00:00' +Normalized form: Sun *-*-* 01:00:00 + Next elapse: Sun 2021-03-21 01:00:00 GMT + (in UTC): Sun 2021-03-21 01:00:00 UTC + From now: 59min left + Iter. #2: Sun 2021-04-04 01:00:00 IST + (in UTC): Sun 2021-04-04 00:00:00 UTC + From now: 1 weeks 6 days left <---- note the 2 week jump here + Iter. #3: Sun 2021-04-11 01:00:00 IST + (in UTC): Sun 2021-04-11 00:00:00 UTC + From now: 2 weeks 6 days left + Iter. 
#4: Sun 2021-04-18 01:00:00 IST + (in UTC): Sun 2021-04-18 00:00:00 UTC + From now: 3 weeks 6 days left + Iter. #5: Sun 2021-04-25 01:00:00 IST + (in UTC): Sun 2021-04-25 00:00:00 UTC + From now: 1 months 4 days left + +Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1941335. +--- + src/shared/calendarspec.c | 19 +++++++++++-------- + src/test/test-calendarspec.c | 3 +++ + test/test-functions | 1 + + 3 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/src/shared/calendarspec.c b/src/shared/calendarspec.c +index 5c666412946..bf24d8d5bbb 100644 +--- a/src/shared/calendarspec.c ++++ b/src/shared/calendarspec.c +@@ -1195,15 +1195,18 @@ static int tm_within_bounds(struct tm *tm, bool utc) { + return negative_errno(); + + /* Did any normalization take place? If so, it was out of bounds before */ +- bool good = t.tm_year == tm->tm_year && +- t.tm_mon == tm->tm_mon && +- t.tm_mday == tm->tm_mday && +- t.tm_hour == tm->tm_hour && +- t.tm_min == tm->tm_min && +- t.tm_sec == tm->tm_sec; +- if (!good) ++ int cmp = CMP(t.tm_year, tm->tm_year) ?: ++ CMP(t.tm_mon, tm->tm_mon) ?: ++ CMP(t.tm_mday, tm->tm_mday) ?: ++ CMP(t.tm_hour, tm->tm_hour) ?: ++ CMP(t.tm_min, tm->tm_min) ?: ++ CMP(t.tm_sec, tm->tm_sec); ++ ++ if (cmp < 0) ++ return -EDEADLK; /* Refuse to go backward */ ++ if (cmp > 0) + *tm = t; +- return good; ++ return cmp == 0; + } + + static bool matches_weekday(int weekdays_bits, const struct tm *tm, bool utc) { +diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c +index c62e6860cf9..4f1d0f64d57 100644 +--- a/src/test/test-calendarspec.c ++++ b/src/test/test-calendarspec.c +@@ -214,6 +214,9 @@ int main(int argc, char* argv[]) { + /* Confirm that timezones in the Spec work regardless of current timezone */ + test_next("2017-09-09 20:42:00 Pacific/Auckland", "", 12345, 1504946520000000); + test_next("2017-09-09 20:42:00 Pacific/Auckland", "EET", 12345, 1504946520000000); ++ /* Check that we don't start looping if mktime() moves us 
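Review bot: `tm_within_bounds()` now has three outcomes, but the comment kept above the comparison (`Did any normalization take place? If so, it was out of bounds before`) still describes only the old boolean, so the new `-EDEADLK` path is undocumented. A header comment would make the contract explicit, for example `/* Returns 1 if tm was already normalized, 0 if mktime() moved it forward (and *tm was updated), -EDEADLK if mktime() moved it backward. */`. The callers are outside this hunk, so it cannot be confirmed here that each of them stops iterating on a negative return instead of retrying. Since the bug being fixed was an unbounded loop, that is worth checking alongside this change. The function body starts before the hunk.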
backwards */ ++ test_next("Sun *-*-* 01:00:00 Europe/Dublin", "", 1616412478000000, 1617494400000000); ++ test_next("Sun *-*-* 01:00:00 Europe/Dublin", "IST", 1616412478000000, 1617494400000000); + + assert_se(calendar_spec_from_string("test", &c) < 0); + assert_se(calendar_spec_from_string(" utc", &c) < 0); +diff --git a/test/test-functions b/test/test-functions +index d7f7967e2ff..6b94058fd36 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1340,6 +1340,7 @@ install_zoneinfo() { + inst_any /usr/share/zoneinfo/Asia/Vladivostok + inst_any /usr/share/zoneinfo/Australia/Sydney + inst_any /usr/share/zoneinfo/Europe/Berlin ++ inst_any /usr/share/zoneinfo/Europe/Dublin + inst_any /usr/share/zoneinfo/Europe/Kiev + inst_any /usr/share/zoneinfo/Pacific/Auckland + inst_any /usr/share/zoneinfo/Pacific/Honolulu diff --git a/19079.patch b/19079.patch new file mode 100644 index 0000000..0f5c23e --- /dev/null +++ b/19079.patch 
@@ -0,0 +1,178 @@ +From 4cba52cc7a2191d0b38e605801c60d8648bc67e2 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 22 Mar 2021 18:27:36 +0100 +Subject: [PATCH 1/2] resolved: propagate correct error variable + +--- + src/resolve/resolved-dns-query.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c +index e4386c402ac..c5805111d21 100644 +--- a/src/resolve/resolved-dns-query.c ++++ b/src/resolve/resolved-dns-query.c +@@ -982,12 +982,12 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) + r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna); + if (r < 0) + return r; +- else if (r > 0) ++ if (r > 0) + log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q->question_idna), dns_question_first_name(nq_idna)); + + k = dns_question_is_equal(q->question_idna, q->question_utf8); + if (k < 0) +- return r; ++ return k; + if (k > 0) { + /* Same question? Shortcut new question generation */ + nq_utf8 = dns_question_ref(nq_idna); +@@ -996,7 +996,7 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) + k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8); + if (k < 0) + return k; +- else if (k > 0) ++ if (k > 0) + log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q->question_utf8), dns_question_first_name(nq_utf8)); + } + + +From 1a71fe4ee5248140f2395a7daedfad8f8b9ad291 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 22 Mar 2021 18:27:46 +0100 +Subject: [PATCH 2/2] resolved: don't accept responses to query unless they + completely answer our questions + +When we checking if the responses we collected for a DnsQuery are +sufficient to complete it we previously only check if one of the +collected response RRs matches at least one of the question RR keys. 
+ +This changes the logic to require that there must be at least one +response RR matched *each* of the question RR keys before considering +the answer complete. + +Otherwise we might end up accepting an A reply as complete answer for an +A/AAAA query and vice versa, but we want to make sure we wait until we +get a reply on both types before returning this to the user in all +cases. + +This has been broken for basically forever, but didn't surface until +b1eea703e01da1e280e179fb119449436a0c9b8e since until then we'd basically +ignore the auxiliary RRs included in CNAME/DNAME replies. Once that +commit was made we'd start using the auxiliary RRs included in +CNAME/DNAME replies but those typically included only A or only AAAA +which we then took for complete. + +Fixe: #19049 +--- + src/resolve/resolved-dns-query.c | 55 ++++++++++++++++++++++++++++---- + src/resolve/resolved-dns-query.h | 9 +++++- + 2 files changed, 56 insertions(+), 8 deletions(-) + +diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c +index c5805111d21..8bc06079830 100644 +--- a/src/resolve/resolved-dns-query.c ++++ b/src/resolve/resolved-dns-query.c +@@ -433,6 +433,14 @@ int dns_query_new( + } else { + bool good = false; + ++ /* This (primarily) checks two things: ++ * ++ * 1. That the question is not empty ++ * 2. That all RR keys in the question objects are for the same domain ++ * ++ * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for ++ * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. 
*/ ++ + if (dns_question_size(question_utf8) > 0) { + r = dns_question_is_valid_for_query(question_utf8); + if (r < 0) +@@ -1032,6 +1040,8 @@ int dns_query_process_cname(DnsQuery *q) { + _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL; + DnsQuestion *question; + DnsResourceRecord *rr; ++ bool full_match = true; ++ DnsResourceKey *k; + int r; + + assert(q); +@@ -1041,13 +1051,44 @@ int dns_query_process_cname(DnsQuery *q) { + + question = dns_query_question_for_protocol(q, q->answer_protocol); + +- DNS_ANSWER_FOREACH(rr, q->answer) { +- r = dns_question_matches_rr(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain)); +- if (r < 0) +- return r; +- if (r > 0) +- return DNS_QUERY_MATCH; /* The answer matches directly, no need to follow cnames */ ++ /* Small reminder: our question will consist of one or more RR keys that match in name, but not in ++ * record type. Specifically, when we do an address lookup the question will typically consist of one ++ * A and one AAAA key lookup for the same domain name. When we get a response from a server we need ++ * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME ++ * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant ++ * type. ++ * ++ * Hence we first check of the answers we collected are sufficient to answer all our questions ++ * directly. If one question wasn't answered we go on, waiting for more replies. 
However, if there's ++ * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or ++ * the AAAA query.*/ ++ ++ DNS_QUESTION_FOREACH(k, question) { ++ bool match = false; ++ ++ DNS_ANSWER_FOREACH(rr, q->answer) { ++ r = dns_resource_key_match_rr(k, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain)); ++ if (r < 0) ++ return r; ++ if (r > 0) { ++ match = true; /* Yay, we found an RR that matches the key we are looking for */ ++ break; ++ } ++ } ++ ++ if (!match) { ++ /* Hmm. :-( there's no response for this key. This doesn't match. */ ++ full_match = false; ++ break; ++ } ++ } + ++ if (full_match) ++ return DNS_QUERY_MATCH; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */ ++ ++ /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that ++ * matches any of our questions. */ ++ DNS_ANSWER_FOREACH(rr, q->answer) { + r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain)); + if (r < 0) + return r; +@@ -1056,7 +1097,7 @@ int dns_query_process_cname(DnsQuery *q) { + } + + if (!cname) +- return DNS_QUERY_NOMATCH; /* No match and no cname to follow */ ++ return DNS_QUERY_NOMATCH; /* No match and no CNAME/DNAME to follow */ + + if (q->flags & SD_RESOLVED_NO_CNAME) + return -ELOOP; +diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h +index 5d12171b0a1..5d96cc06f84 100644 +--- a/src/resolve/resolved-dns-query.h ++++ b/src/resolve/resolved-dns-query.h +@@ -45,7 +45,14 @@ struct DnsQuery { + * that even on classic DNS some labels might use UTF8 encoding. Specifically, DNS-SD service names + * (in contrast to their domain suffixes) use UTF-8 encoding even on DNS. Thus, the difference + * between these two fields is mostly relevant only for explicit *hostname* lookups as well as the +- * domain suffixes of service lookups. */ ++ * domain suffixes of service lookups. 
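Review bot: In `dns_query_process_cname()`, `full_match` starts out `true` and is only cleared inside `DNS_QUESTION_FOREACH`, so a `question` with no keys would be reported as `DNS_QUERY_MATCH` without any RR having matched. The comment added to `dns_query_new()` says emptiness is checked there, but that check appears to accept the query when either `question_utf8` or `question_idna` is non-empty. The question used here is whichever one `dns_query_question_for_protocol()` picks, and the hunk does not show whether that one can be empty. Seeding the flag from the question size once `question` is assigned, e.g. `full_match = dns_question_size(question) > 0;`, keeps the earlier behaviour of never treating an empty question as answered. The function continues outside the hunk.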
++ * ++ * Note that questions may consist of multiple RR keys at once, but they must be for the same domain ++ * name. This is used for A+AAAA and TXT+SRV lookups: we'll allocate a single DnsQuery object for ++ * them instead of two separate ones. That allows us minor optimizations with response handling: ++ * CNAME/DNAMEs of the first reply we get can already be used to follow the CNAME/DNAME chain for ++ * both, and we can take benefit of server replies that oftentimes put A responses into AAAA queries ++ * and vice versa (in the additional section). */ + DnsQuestion *question_idna; + DnsQuestion *question_utf8; + diff --git a/19080.patch b/19080.patch new file mode 100644 index 0000000..c8e1db4 --- /dev/null +++ b/19080.patch 
@@ -0,0 +1,67 @@ +From fce5b2ac2a51b9ecbfb258ff7e62f4e67a38d4c8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 12 Mar 2021 10:20:38 +0100 +Subject: [PATCH] sd-event: disable epoll_pwait2 for now + +This reverts the gist of commit 798445ab84cff51bde7fcf936f0fb19c37cf858c. + +Unfortunately the new syscall causes test-event to hang. 32 bit architectures +seem affected: i686 and arm32 in fedora koji. 32 bit build of test-event hangs +reliably under valgrind: + +$ PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig meson build-32 -Dc_args=-m32 -Dc_link_args=-m32 -Dcpp_args=-m32 -Dcpp_link_args=-m32 && ninja -C build-32 test-event && valgrind build/test-event + +If I set epoll_pwait2_absent=true, so the new function is never called, then +the issue does not reproduce. It seems to be strictly tied to the syscall. + +On amd64, the syscall is not used, at least with the kernel that Fedora +provides. The kernel patch 58169a52ebc9a733aeb5bea857bc5daa71a301bb says: + + For timespec, only support this new interface on 2038 aware platforms + that define __kernel_timespec_t. So no CONFIG_COMPAT_32BIT_TIME. + +And Fedora sets CONFIG_COMPAT_32BIT_TIME=y. I expect most other distros will too. + +On amd64: epoll_wait_usec: epoll_pwait2: ret=-1 / errno=38 +On i686 (same kernel): epoll_wait_usec: epoll_pwait2: ret=2 / errno=0 + +Is this some kind of emulation? Anyway, it seems that this is what is going wrong. + +So let's disable the syscall until it becomes more widely available and the +kinks have been ironed out. + +Fixes test-event issue in #19052. 
+--- + src/libsystemd/sd-event/sd-event.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c +index 8f74b141015..b76b0623fe3 100644 +--- a/src/libsystemd/sd-event/sd-event.c ++++ b/src/libsystemd/sd-event/sd-event.c +@@ -3808,10 +3808,15 @@ static int epoll_wait_usec( + int maxevents, + usec_t timeout) { + +- static bool epoll_pwait2_absent = false; + int r, msec; ++#if 0 ++ static bool epoll_pwait2_absent = false; + +- /* A wrapper that uses epoll_pwait2() if available, and falls back to epoll_wait() if not */ ++ /* A wrapper that uses epoll_pwait2() if available, and falls back to epoll_wait() if not. ++ * ++ * FIXME: this is temporarily disabled until epoll_pwait2() becomes more widely available. ++ * See https://github.com/systemd/systemd/pull/18973 and ++ * https://github.com/systemd/systemd/issues/19052. */ + + if (!epoll_pwait2_absent && timeout != USEC_INFINITY) { + struct timespec ts; +@@ -3829,6 +3834,7 @@ static int epoll_wait_usec( + + epoll_pwait2_absent = true; + } ++#endif + + if (timeout == USEC_INFINITY) + msec = -1; diff --git a/5cdb3f70ebe035323f4f079028a262669a2bbbf6.patch b/5cdb3f70ebe035323f4f079028a262669a2bbbf6.patch new file mode 100644 index 0000000..9e737ea --- /dev/null +++ b/5cdb3f70ebe035323f4f079028a262669a2bbbf6.patch 
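Review bot: The `#if 0` added to `epoll_wait_usec()` also encloses the function's explanatory comment, so the code that is actually compiled gives no hint that an `epoll_pwait2()` path exists or why it is switched off. Placing the comment above the `#if 0` line keeps the FIXME and both links visible to anyone reading the live path, for example `/* FIXME: the epoll_pwait2() path below is compiled out, see systemd issue 19052 */` directly after `int r, msec;`. The rest of the function lies outside the two hunks.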
@@ -0,0 +1,55 @@ +From 5cdb3f70ebe035323f4f079028a262669a2bbbf6 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 19 Mar 2021 06:26:53 +0900 +Subject: [PATCH] udev: do not try to assign invalid ifname + +Fixes #19038. +--- + src/udev/net/link-config.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/src/udev/net/link-config.c b/src/udev/net/link-config.c +index f06ecd455df..31e5d0cd673 100644 +--- a/src/udev/net/link-config.c ++++ b/src/udev/net/link-config.c +@@ -441,8 +441,6 @@ static int link_config_apply_rtnl_settings(sd_netlink **rtnl, const link_config + + static int link_config_generate_new_name(const link_config_ctx *ctx, const link_config *config, sd_device *device, const char **ret_name) { + unsigned name_type = NET_NAME_UNKNOWN; +- const char *new_name = NULL; +- NamePolicy policy; + int r; + + assert(ctx); +@@ -460,7 +458,8 @@ static int link_config_generate_new_name(const link_config_ctx *ctx, const link_ + + if (ctx->enable_name_policy && config->name_policy) + for (NamePolicy *p = config->name_policy; *p != _NAMEPOLICY_INVALID; p++) { +- policy = *p; ++ const char *new_name = NULL; ++ NamePolicy policy = *p; + + switch (policy) { + case NAMEPOLICY_KERNEL: +@@ -496,16 +495,13 @@ static int link_config_generate_new_name(const link_config_ctx *ctx, const link_ + default: + assert_not_reached("invalid policy"); + } +- if (ifname_valid(new_name)) +- break; ++ if (ifname_valid(new_name)) { ++ log_device_debug(device, "Policy *%s* yields \"%s\".", name_policy_to_string(policy), new_name); ++ *ret_name = new_name; ++ return 0; ++ } + } + +- if (new_name) { +- log_device_debug(device, "Policy *%s* yields \"%s\".", name_policy_to_string(policy), new_name); +- *ret_name = new_name; +- return 0; +- } +- + if (config->name) { + log_device_debug(device, "Policies didn't yield a name, using specified Name=%s.", config->name); + *ret_name = config->name; 
diff --git a/f9b3afae96c72564cd4cd766555845f17e3c12a9.patch b/f9b3afae96c72564cd4cd766555845f17e3c12a9.patch
new file mode 100644
index 0000000..9bbab91
--- /dev/null
+++ b/f9b3afae96c72564cd4cd766555845f17e3c12a9.patch
@@ -0,0 +1,85 @@ +From f9b3afae96c72564cd4cd766555845f17e3c12a9 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 19 Mar 2021 10:36:48 +0100 +Subject: [PATCH] repart: make sure to grow partition table after growing + backing loopback file + +This fixes the --size= switch, i.e. where we grow a disk image: after +growing it we need to expand the partition table so that its idea of the +the medium size matches the new reality. Otherwise our disk size +calculations in the subsequent steps might still use the original +ungrown size. + +(This used to work, I guess this was borked when libfdisk learnt the +concept of "minimized" partition tables) +--- + src/partition/repart.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index be16f5a067b..7b6201efa83 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -3977,6 +3977,40 @@ static int find_root(char **ret, int *ret_fd) { + return log_error_errno(SYNTHETIC_ERRNO(ENODEV), "Failed to discover root block device."); + } + ++static int resize_pt(int fd) { ++ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; ++ _cleanup_(fdisk_unref_contextp) struct fdisk_context *c = NULL; ++ int r; ++ ++ /* After resizing the backing file we need to resize the partition table itself too, so that it takes ++ * possession of the enlarged backing file. For this it suffices to open the device with libfdisk and ++ * immediately write it again, with no changes. 
*/ ++ ++ c = fdisk_new_context(); ++ if (!c) ++ return log_oom(); ++ ++ xsprintf(procfs_path, "/proc/self/fd/%i", fd); ++ r = fdisk_assign_device(c, procfs_path, 0); ++ if (r < 0) ++ return log_error_errno(r, "Failed to open device '%s': %m", procfs_path); ++ ++ r = fdisk_has_label(c); ++ if (r < 0) ++ return log_error_errno(r, "Failed to determine whether disk '%s' has a disk label: %m", procfs_path); ++ if (r == 0) { ++ log_debug("Not resizing partition table, as there currently is none."); ++ return 0; ++ } ++ ++ r = fdisk_write_disklabel(c); ++ if (r < 0) ++ return log_error_errno(r, "Failed to write resized partition table: %m"); ++ ++ log_info("Resized partition table."); ++ return 1; ++} ++ + static int resize_backing_fd(const char *node, int *fd) { + char buf1[FORMAT_BYTES_MAX], buf2[FORMAT_BYTES_MAX]; + _cleanup_close_ int writable_fd = -1; +@@ -4029,6 +4063,10 @@ static int resize_backing_fd(const char *node, int *fd) { + /* Fallback to truncation, if fallocate() is not supported. */ + log_debug("Backing file system does not support fallocate(), falling back to ftruncate()."); + } else { ++ r = resize_pt(writable_fd); ++ if (r < 0) ++ return r; ++ + if (st.st_size == 0) /* Likely regular file just created by us */ + log_info("Allocated %s for '%s'.", buf2, node); + else +@@ -4042,6 +4080,10 @@ static int resize_backing_fd(const char *node, int *fd) { + return log_error_errno(errno, "Failed to grow '%s' from %s to %s by truncation: %m", + node, buf1, buf2); + ++ r = resize_pt(writable_fd); ++ if (r < 0) ++ return r; ++ + if (st.st_size == 0) /* Likely regular file just created by us */ + log_info("Sized '%s' to %s.", node, buf2); + else diff --git a/systemd.spec b/systemd.spec index aff77a5..052e16d 100644 --- a/systemd.spec +++ b/systemd.spec 
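Review bot: The new `resize_pt()` depends on libfdisk enlarging the table when an unmodified label is written back, and nothing in the function confirms that the table grew before it logs `Resized partition table.`. The commit message itself notes that this behaviour already changed once with "minimized" partition tables. The in-function comment should state that dependency together with the return contract, e.g. `/* Returns 1 if the label was rewritten, 0 if there is none, negative errno on failure; relies on libfdisk adapting the label to the device size on write. */`. Both call sites only test `r < 0`, and they sit in `resize_backing_fd()`, whose body extends beyond the hunks.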
@@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 248~rc4 -Release: 2%{?dist} +Release: 3%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -74,6 +74,20 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ %endif # Backports of patches from upstream (0000–0499) +# +# Any patches which are "in preparation" upstream should be listed +# here, rather than in the next section. Packit CI will drop any +# patches in this range before applying upstream pull requests. + +# https://bugzilla.redhat.com/show_bug.cgi?id=1941335 +Patch0001: https://github.com/systemd/systemd/pull/19075.patch + +Patch0002: https://github.com/systemd/systemd/pull/19079.patch +Patch0003: https://github.com/systemd/systemd/pull/19080.patch + +Patch0004: https://github.com/systemd/systemd/commit/5cdb3f70ebe035323f4f079028a262669a2bbbf6.patch +Patch0005: https://github.com/systemd/systemd/commit/f9b3afae96c72564cd4cd766555845f17e3c12a9.patch +Patch0006: https://github.com/systemd/systemd/commit/0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch # Downstream-only patches (5000–9999) # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 @@ -82,9 +96,6 @@ Patch0500: use-bfq-scheduler.patch # https://github.com/systemd/systemd/pull/17050 Patch0501: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch -# https://github.com/systemd/systemd/pull/18973 -Patch0502: 0001-sd-event-do-not-use-epoll_pwait2-tentatively.patch - %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 %endif 
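Review bot: `Patch0001` to `Patch0003` reference pull-request URLs (`.../pull/19075.patch`, `.../pull/19079.patch`, `.../pull/19080.patch`), and a pull request's patch changes whenever its branch is updated, so these URLs do not identify the content that was committed here. `Patch0004` to `Patch0006` in the same hunk use commit URLs, which are fixed. Using that form throughout, or recording the commit ids each snapshot was taken from, keeps the provenance of the backports checkable, e.g. `# PR 19079 as of 4cba52cc7a21 and 1a71fe4ee524` above `Patch0002`.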
@@ -955,6 +966,14 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Mon Mar 22 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-3 +- Fix hang when processing timers during DST switch in Europe/Dublin timezone (#1941335) +- Fix returning combined IPv4/IPv6 responses from systemd-resolved cache (#1940715) + (But note that the disablement of caching added previously is + retained until we can do more testing.) +- Minor fix to interface naming by udev +- Fix for systemd-repart --size + * Fri Mar 19 2021 Adam Williamson - 248~rc4-2 - Disable resolved cache via config snippet (#1940715) From 8fa9ec3db6982554f41ce2d7be91cab24c753195 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 24 Mar 2021 11:46:41 +0100 Subject: [PATCH 12/38] Revert patch that seems to cause problems with dns resolution --- ...gracefully-handle-with-packets-with-.patch | 55 +++++++++++++++++++ systemd.spec | 8 ++- 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 0001-Revert-resolved-gracefully-handle-with-packets-with-.patch diff --git a/0001-Revert-resolved-gracefully-handle-with-packets-with-.patch b/0001-Revert-resolved-gracefully-handle-with-packets-with-.patch new file mode 100644 index 0000000..2e93c5e --- /dev/null +++ b/0001-Revert-resolved-gracefully-handle-with-packets-with-.patch 
@@ -0,0 +1,55 @@ +From 9ac47d37a59142a66ac13f58bef197117ff53141 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 24 Mar 2021 11:42:39 +0100 +Subject: [PATCH] Revert "resolved: gracefully handle with packets with too + large RR count" + +This reverts commit 18674159ebbf622a9e6e5a45cc36b38f74dae315. + +There are multiple reports that this breaks lookups for people, and reverting +this commit, even on the main branch (approx. v248-rc4), fixes the issue. + +https://github.com/systemd/systemd/issues/18917#issuecomment-799421587 +https://bodhi.fedoraproject.org/updates/FEDORA-2021-1c1a870ceb +--- + src/resolve/resolved-dns-packet.c | 16 +--------------- + 1 file changed, 1 insertion(+), 15 deletions(-) + +diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c +index abc978ab83..15c8123f6a 100644 +--- a/src/resolve/resolved-dns-packet.c ++++ b/src/resolve/resolved-dns-packet.c +@@ -2271,18 +2271,6 @@ static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) { + bool cache_flush = false; + size_t start; + +- if (p->rindex == p->size) { +- /* If we reached the end of the packet already, but there are still more RRs +- * declared, then that's a corrupt packet. Let's accept the packet anyway, since it's +- * apparently a common bug in routers. Let's however suppress OPT support in this +- * case, so that we force the rest of the logic into lowest DNS baseline support. Or +- * to say this differently: if the DNS server doesn't even get the RR counts right, +- * it's highly unlikely it gets EDNS right. 
*/ +- log_debug("More resource records declared in packet than included, suppressing OPT."); +- bad_opt = true; +- break; +- } +- + r = dns_packet_read_rr(p, &rr, &cache_flush, &start); + if (r < 0) + return r; +@@ -2382,10 +2370,8 @@ static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) { + previous = dns_resource_record_ref(rr); + } + +- if (bad_opt) { ++ if (bad_opt) + p->opt = dns_resource_record_unref(p->opt); +- p->opt_start = p->opt_size = SIZE_MAX; +- } + + *ret_answer = TAKE_PTR(answer); + +-- +2.30.2 + diff --git a/systemd.spec b/systemd.spec index 052e16d..722876d 100644 --- a/systemd.spec +++ b/systemd.spec @@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 248~rc4 -Release: 3%{?dist} +Release: 4%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -89,6 +89,8 @@ Patch0004: https://github.com/systemd/systemd/commit/5cdb3f70ebe035323f4f07 Patch0005: https://github.com/systemd/systemd/commit/f9b3afae96c72564cd4cd766555845f17e3c12a9.patch Patch0006: https://github.com/systemd/systemd/commit/0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch +Patch0007: 0001-Revert-resolved-gracefully-handle-with-packets-with-.patch + # Downstream-only patches (5000–9999) # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 Patch0500: use-bfq-scheduler.patch 
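Review bot: The second hunk of this revert also drops `p->opt_start = p->opt_size = SIZE_MAX;` from the `bad_opt` branch of `dns_packet_extract_answer()`, which is not needed to undo the lenient handling of over-declared RR counts that the commit message blames for the lookup failures. If `opt_start` and `opt_size` are assigned when an OPT record is first seen (that code is outside the hunk), they would keep describing a record the packet no longer exposes once `p->opt` is unreferenced. That leaves stale parser state on a packet that came from the network. Keeping the reset would limit the revert to the behaviour that was reported broken: `if (bad_opt) { p->opt = dns_resource_record_unref(p->opt); p->opt_start = p->opt_size = SIZE_MAX; }`.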
@@ -966,6 +968,10 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Wed Mar 24 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-4 +- Revert patch that seems to cause problems with dns resolution + (see comments on https://bodhi.fedoraproject.org/updates/FEDORA-2021-1c1a870ceb) + * Mon Mar 22 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-3 - Fix hang when processing timers during DST switch in Europe/Dublin timezone (#1941335) - Fix returning combined IPv4/IPv6 responses from systemd-resolved cache (#1940715) From 2f9207f8a337fb0b9087af74357bc688949c1d83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 26 Mar 2021 16:31:37 +0100 Subject: [PATCH 13/38] Make sure not to lose systemd-networkd enablement when upgrading from F32 --- systemd.spec | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index 722876d..9826369 100644 --- a/systemd.spec +++ b/systemd.spec @@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 248~rc4 -Release: 4%{?dist} +Release: 5%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager 
@@ -914,7 +914,20 @@ getent group systemd-network &>/dev/null || groupadd -r -g 192 systemd-network 2 getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-network -d / -s /sbin/nologin -c "systemd Network Management" systemd-network &>/dev/null || : %post networkd -%systemd_post systemd-networkd.service systemd-networkd-wait-online.service +# systemd-networkd was split out in systemd-246.6-2. +# Ideally, we would have a trigger scriptlet to record enablement +# state when upgrading from systemd <= systemd-246.6-1. But, AFAICS, +# rpm doesn't allow us to trigger on another package, short of +# querying the rpm database ourselves, which seems risky. For rpm, +# systemd and systemd-networkd are completely unrelated. So let's use +# a hack to detect if an old systemd version is currently present in +# the file system. +# https://bugzilla.redhat.com/show_bug.cgi?id=1943263 +if [ $1 -eq 1 ] && ls /usr/lib/systemd/libsystemd-shared-24[0-6].so &>/dev/null; then + echo "Skipping presets for systemd-networkd.service, seems we are upgrading from old systemd." +else + %systemd_post systemd-networkd.service systemd-networkd-wait-online.service +fi %preun networkd %systemd_preun systemd-networkd.service systemd-networkd-wait-online.service @@ -968,6 +981,10 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Fri Mar 26 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-5 +- Do not preset systemd-networkd.service and systemd-networkd-wait-online.service + on upgrades from before systemd-networkd was split out (#1943263) + * Wed Mar 24 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-4 - Revert patch that seems to cause problems with dns resolution (see comments on https://bodhi.fedoraproject.org/updates/FEDORA-2021-1c1a870ceb) From 79283705f1b4be0164aad2e5b7f61b411a01de93 Mon Sep 17 00:00:00 2001 
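Review bot: The `%post networkd` test `ls /usr/lib/systemd/libsystemd-shared-24[0-6].so` cannot distinguish systemd-246.6-1 from later 246 builds, although the comment above it says the split happened in systemd-246.6-2. A first install of the subpackage in the same transaction as an upgrade from a later 246 build, where networkd was already split out and simply not installed, would presumably skip the presets too. If that is accepted, the scriptlet comment should say so, e.g. `# Note: later 246 builds ship the same libsystemd-shared-246.so, so presets are skipped for them as well.`, so the heuristic's limit is recorded next to the enablement decision it controls.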
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 26 Mar 2021 17:51:05 +0100 Subject: [PATCH 14/38] Move nss-myhostname before nss-mdns4 --- systemd.spec | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/systemd.spec b/systemd.spec index 9826369..987ba7d 100644 --- a/systemd.spec +++ b/systemd.spec @@ -811,10 +811,16 @@ function mod_nss() { ' "$1" &>/dev/null || : # Add nss-resolve to hosts - grep -E -q '^hosts:.* resolve' "$1" || - sed -i.bak -r -e ' - s/^(hosts):(.*) files( mdns4_minimal .NOTFOUND=return.)? dns myhostname/\1:\2 files\3 resolve [!UNAVAIL=return] myhostname dns/ + if grep -E -q '^hosts:.* resolve' "$1"; then + sed -i.bak -r -e ' + s/^(hosts):(.*) files( .*) myhostname dns/\1:\2 files myhostname\3 dns/ ' "$1" &>/dev/null || : + + else + sed -i.bak -r -e ' + s/^(hosts):(.*) files( mdns4_minimal .NOTFOUND=return.)? dns myhostname/\1:\2 files myhostname\3 resolve [!UNAVAIL=return] dns/ + ' "$1" &>/dev/null || : + fi fi } @@ -984,6 +990,7 @@ fi * Fri Mar 26 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-5 - Do not preset systemd-networkd.service and systemd-networkd-wait-online.service on upgrades from before systemd-networkd was split out (#1943263) +- In nsswitch.conf, move nss-myhostname to the front, before nss-mdns4 (#1943199) * Wed Mar 24 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-4 - Revert patch that seems to cause problems with dns resolution From e0eaddab6b3344369894d550bc3eb4b10a700bf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 30 Mar 2021 12:10:33 +0200 Subject: [PATCH 15/38] owner-check: make sending of mails optional --- owner-check.sh | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/owner-check.sh b/owner-check.sh index 7086238..3273a3f 100755 --- a/owner-check.sh +++ b/owner-check.sh 
@@ -1,7 +1,11 @@ #!/bin/bash set -e -[ -z "$server" -o -z "login" ] && { echo '$server and $login need to be set'; exit 1 } +verb="$1" + +[ "$verb" = "-s" ] && do_send=1 || do_send= + +[ -n "$do_send" ] && [ -z "$server" -o -z "login" ] && { echo '$server and $login need to be set'; exit 1; } header= from=systemd-maint@fedoraproject.org @@ -11,26 +15,39 @@ port=587 for user in "$@"; do echo "checking $user…" - t=$(git shortlog --all --author $user --since "@{$time}" | wc -l) + + p=$(git log -1 --all --author "$user") + if [ -z "$p" ]; then + echo "No commits from $user, check spelling" + exit 1 + fi + + t=$(git shortlog --all --author "$user" --since "@{$time}" | wc -l) if [ $t != 0 ]; then echo "$t commits in the last two years, OK" + echo continue fi + echo "$p" | head -n6 + echo ".. adding to list" + if [ -z "$header" ]; then echo '$USER$;$EMAIL$' >.mail.list header=done fi echo "$user;$user@fedoraproject.org" >>.mail.list + echo done [ -z "$header" ] && exit 0 +[ -n "$do_send" ] || exit 0 echo "Sending mails…" set -x -massmail -F $from \ - -C $from \ +massmail -F "$from" \ + -C "$from" \ -S 'write access to the fedora systemd package' \ - -z $server -u $login -P $port \ + -z "$server" -u "$login" -P "$port" \ .mail.list Date: Tue, 30 Mar 2021 08:55:58 +0000 Subject: [PATCH 16/38] Increase oomd user memory pressure limit to 50% for 20s (#1941170) There isn't really a one size fits all policy since pressure can change a lot based on whether you have flash or spinning disks (and your swap configuration as well). But let's be a bit more conservative here. --- 10-oomd-defaults.conf | 2 +- 10-oomd-user-service-defaults.conf | 2 +- systemd.spec | 5 ++++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/10-oomd-defaults.conf b/10-oomd-defaults.conf index 3660cd2..0254657 100644 --- a/10-oomd-defaults.conf +++ b/10-oomd-defaults.conf @@ -1,2 +1,2 @@ [OOM] -DefaultMemoryPressureDurationSec=10s +DefaultMemoryPressureDurationSec=20s 
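Review bot: The rewritten guard still tests `-z "login"`, a literal string that is never empty, so an unset `$login` is not caught. With `-s`, the script then reaches the `massmail` call in the second hunk with an empty `-u "$login"` argument. The test should read `[ -z "$server" -o -z "$login" ]`, or without the obsolescent `-o`, `{ [ -z "$server" ] || [ -z "$login" ]; }`. The commit only adds the `do_send` condition in front of the test and the missing `;` before `}`, so the typo is carried over from the old line.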
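Review bot: `-s` is read into `verb` in the first hunk but, as far as the two hunks show, is never shifted off, so `for user in "$@"` treats it as a user name. The new `git log -1 --all --author "$user"` check would then most likely print `No commits from -s, check spelling` and `exit 1`, either on the first iteration or after the real names depending on where `-s` is given, so no mail is ever sent. Adding `[ -n "$do_send" ] && shift` right after the option test fixes this, unless the unchanged lines between the hunks already do it. Since only `$1` is inspected, the usage text should also say that `-s` must come first.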
diff --git a/10-oomd-user-service-defaults.conf b/10-oomd-user-service-defaults.conf index 6e71de7..94d5c87 100644 --- a/10-oomd-user-service-defaults.conf +++ b/10-oomd-user-service-defaults.conf @@ -1,3 +1,3 @@ [Service] ManagedOOMMemoryPressure=kill -ManagedOOMMemoryPressureLimit=10% +ManagedOOMMemoryPressureLimit=50% diff --git a/systemd.spec b/systemd.spec index 987ba7d..f5b2ce9 100644 --- a/systemd.spec +++ b/systemd.spec @@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 248~rc4 -Release: 5%{?dist} +Release: 6%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -987,6 +987,9 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Tue Mar 30 2021 Anita Zhang - 248~rc4-6 +- Increase oomd user memory pressure limit to 50% (#1941170) + * Fri Mar 26 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-5 - Do not preset systemd-networkd.service and systemd-networkd-wait-online.service on upgrades from before systemd-networkd was split out (#1943263) From a37b05db35831cf874fdfd05e5fc010560ce6e18 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 31 Mar 2021 09:55:50 +0200 Subject: [PATCH 17/38] Version 248 --- ...gracefully-handle-with-packets-with-.patch | 55 --- ...7eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch | 36 -- 19075.patch | 415 ------------------ 19079.patch | 178 -------- 19080.patch | 67 --- ...3f70ebe035323f4f079028a262669a2bbbf6.patch | 55 --- ...afae96c72564cd4cd766555845f17e3c12a9.patch | 85 ---- sources | 2 +- systemd.spec | 22 +- 9 files changed, 10 insertions(+), 905 deletions(-) delete mode 100644 0001-Revert-resolved-gracefully-handle-with-packets-with-.patch delete mode 100644 0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch delete mode 100644 19075.patch delete mode 100644 19079.patch delete mode 100644 19080.patch delete mode 100644 5cdb3f70ebe035323f4f079028a262669a2bbbf6.patch delete mode 100644 f9b3afae96c72564cd4cd766555845f17e3c12a9.patch diff --git a/0001-Revert-resolved-gracefully-handle-with-packets-with-.patch b/0001-Revert-resolved-gracefully-handle-with-packets-with-.patch deleted file mode 100644 index 2e93c5e..0000000 --- a/0001-Revert-resolved-gracefully-handle-with-packets-with-.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 9ac47d37a59142a66ac13f58bef197117ff53141 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 24 Mar 2021 11:42:39 +0100 -Subject: [PATCH] Revert "resolved: gracefully handle with packets with too - large RR count" - -This reverts commit 18674159ebbf622a9e6e5a45cc36b38f74dae315. - -There are multiple reports that this breaks lookups for people, and reverting -this commit, even on the main branch (approx. v248-rc4), fixes the issue. - -https://github.com/systemd/systemd/issues/18917#issuecomment-799421587 -https://bodhi.fedoraproject.org/updates/FEDORA-2021-1c1a870ceb ---- - src/resolve/resolved-dns-packet.c | 16 +--------------- - 1 file changed, 1 insertion(+), 15 deletions(-) - -diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c -index abc978ab83..15c8123f6a 100644 ---- a/src/resolve/resolved-dns-packet.c -+++ b/src/resolve/resolved-dns-packet.c -@@ -2271,18 +2271,6 @@ static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) { - bool cache_flush = false; - size_t start; - -- if (p->rindex == p->size) { -- /* If we reached the end of the packet already, but there are still more RRs -- * declared, then that's a corrupt packet. Let's accept the packet anyway, since it's -- * apparently a common bug in routers. Let's however suppress OPT support in this -- * case, so that we force the rest of the logic into lowest DNS baseline support. Or -- * to say this differently: if the DNS server doesn't even get the RR counts right, -- * it's highly unlikely it gets EDNS right. 
*/ -- log_debug("More resource records declared in packet than included, suppressing OPT."); -- bad_opt = true; -- break; -- } -- - r = dns_packet_read_rr(p, &rr, &cache_flush, &start); - if (r < 0) - return r; -@@ -2382,10 +2370,8 @@ static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) { - previous = dns_resource_record_ref(rr); - } - -- if (bad_opt) { -+ if (bad_opt) - p->opt = dns_resource_record_unref(p->opt); -- p->opt_start = p->opt_size = SIZE_MAX; -- } - - *ret_answer = TAKE_PTR(answer); - --- -2.30.2 - diff --git a/0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch b/0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch deleted file mode 100644 index 5c5317f..0000000 --- a/0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d Mon Sep 17 00:00:00 2001 -From: Sergey Bugaev -Date: Mon, 22 Mar 2021 18:31:12 +0300 -Subject: [PATCH] log: protect errno in log_open() - -Commit 0b1f3c768ce1bd1490a5e53f539976dcef8ca765 has introduced log_open() -calls after exec fails post-fork. However, the log_open() call itself could -change the value of errno, which, for me, manifested in: - -$ coredumpctl gdb -... -Failed to invoke gdb: Success - -Fix this by using PROTECT_ERRNO in log_open(). ---- - src/basic/log.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/basic/log.c b/src/basic/log.c -index c8cca96bca4..0e6023cff22 100644 ---- a/src/basic/log.c -+++ b/src/basic/log.c -@@ -252,6 +252,13 @@ int log_open(void) { - - /* Do not call from library code. */ - -+ /* This function is often called in preparation for being able -+ * to log. Let's make sure we don't clobber errno, so that a call -+ * to a logging function immediately following a log_open() call -+ * can still easily reference an error that happened immediately -+ * before the log_open() call. */ -+ PROTECT_ERRNO; -+ - /* If we don't use the console we close it here, to not get - * killed by SAK. If we don't use syslog we close it here so - * that we are not confused by somebody deleting the socket in diff --git a/19075.patch b/19075.patch deleted file mode 100644 index 10f391e..0000000 --- a/19075.patch +++ /dev/null 
@@ -1,415 +0,0 @@ -From 169615c9a8cdc54d748d4dfc8279be9b3c2bec44 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sun, 21 Mar 2021 20:59:32 +0100 -Subject: [PATCH 1/5] shared/calendarspec: abort calculation after 1000 - iterations - -We have a bug where we seem to enter an infinite loop when running in the -Europe/Dublin timezone. The timezone is "special" because it has negative SAVE -values. The handling of this should obviously be fixed, but let's use a -belt-and-suspenders approach, and gracefully fail if we fail to find an answer -within a specific number of attempts. The code in this function is rather -complex, and it's hard to rule out another bug in the future. ---- - src/shared/calendarspec.c | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/src/shared/calendarspec.c b/src/shared/calendarspec.c -index 4f68a570b52..feb43efdcda 100644 ---- a/src/shared/calendarspec.c -+++ b/src/shared/calendarspec.c -@@ -1210,6 +1210,10 @@ static bool matches_weekday(int weekdays_bits, const struct tm *tm, bool utc) { - return (weekdays_bits & (1 << k)); - } - -+/* A safety valve: if we get stuck in the calculation, return an error. -+ * C.f. https://bugzilla.redhat.com/show_bug.cgi?id=1941335. */ -+#define MAX_CALENDAR_ITERATIONS 1000 -+ - static int find_next(const CalendarSpec *spec, struct tm *tm, usec_t *usec) { - struct tm c; - int tm_usec; -@@ -1223,7 +1227,7 @@ static int find_next(const CalendarSpec *spec, struct tm *tm, usec_t *usec) { - c = *tm; - tm_usec = *usec; - -- for (;;) { -+ for (unsigned iteration = 0; iteration < MAX_CALENDAR_ITERATIONS; iteration++) { - /* Normalize the current date */ - (void) mktime_or_timegm(&c, spec->utc); - c.tm_isdst = spec->dst; -@@ -1320,6 +1324,14 @@ static int find_next(const CalendarSpec *spec, struct tm *tm, usec_t *usec) { - *usec = tm_usec; - return 0; - } -+ -+ /* It seems we entered an infinite loop. 
Let's gracefully return an error instead of hanging or -+ * aborting. This code is also exercised when timers.target is brought up during early boot, so -+ * aborting here is problematic and hard to diagnose for users. */ -+ _cleanup_free_ char *s = NULL; -+ (void) calendar_spec_to_string(spec, &s); -+ return log_warning_errno(SYNTHETIC_ERRNO(EDEADLK), -+ "Infinite loop in calendar calculation: %s", strna(s)); - } - - static int calendar_spec_next_usec_impl(const CalendarSpec *spec, usec_t usec, usec_t *ret_next) { - -From 462f15d92d35f812d7d77edd486ca63236cffe83 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 22 Mar 2021 09:20:47 +0100 -Subject: [PATCH 2/5] shared/calendarspec: constify parameter and simplify - assignments to variable - -The scope of start & stop is narrowed down, and they are assigned only once. -No functional change, but I think the code is easier to read this way. -Also add a comment to make the code easier to read. ---- - src/shared/calendarspec.c | 33 ++++++++++++++++++++++----------- - 1 file changed, 22 insertions(+), 11 deletions(-) - -diff --git a/src/shared/calendarspec.c b/src/shared/calendarspec.c -index feb43efdcda..5c666412946 100644 ---- a/src/shared/calendarspec.c -+++ b/src/shared/calendarspec.c -@@ -1101,7 +1101,7 @@ int calendar_spec_from_string(const char *p, CalendarSpec **spec) { - return 0; - } - --static int find_end_of_month(struct tm *tm, bool utc, int day) { -+static int find_end_of_month(const struct tm *tm, bool utc, int day) { - struct tm t = *tm; - - t.tm_mon++; -@@ -1114,28 +1114,39 @@ static int find_end_of_month(struct tm *tm, bool utc, int day) { - return t.tm_mday; - } - --static int find_matching_component(const CalendarSpec *spec, const CalendarComponent *c, -- struct tm *tm, int *val) { -- const CalendarComponent *p = c; -- int start, stop, d = -1; -+static int find_matching_component( -+ const CalendarSpec *spec, -+ const CalendarComponent *c, -+ const struct tm 
*tm, /* tm is only used for end-of-month calculations */ -+ int *val) { -+ -+ int d = -1, r; - bool d_set = false; -- int r; - - assert(val); - -+ /* Finds the *earliest* matching time specified by one of the CalendarCompoment items in chain c. -+ * If no matches can be found, returns -ENOENT. -+ * Otherwise, updates *val to the matching time. 1 is returned if *val was changed, 0 otherwise. -+ */ -+ - if (!c) - return 0; - -+ bool end_of_month = spec->end_of_month && c == spec->day; -+ - while (c) { -- start = c->start; -- stop = c->stop; -+ int start, stop; - -- if (spec->end_of_month && p == spec->day) { -- start = find_end_of_month(tm, spec->utc, start); -- stop = find_end_of_month(tm, spec->utc, stop); -+ if (end_of_month) { -+ start = find_end_of_month(tm, spec->utc, c->start); -+ stop = find_end_of_month(tm, spec->utc, c->stop); - - if (stop > 0) - SWAP_TWO(start, stop); -+ } else { -+ start = c->start; -+ stop = c->stop; - } - - if (start >= *val) { - -From f035bb1b7a5900439640f267db881c60d042e450 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 22 Mar 2021 11:10:22 +0100 -Subject: [PATCH 3/5] test-calendarspec: print offending line in output - -The output is rather long at this makes it easier to jump to the right place. -Also use normal output routines and set_unset_env() to make things more -compact. 
---- - src/test/test-calendarspec.c | 48 +++++++++++++++++------------------- - 1 file changed, 22 insertions(+), 26 deletions(-) - -diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c -index 01ec7f87704..152ce879f8a 100644 ---- a/src/test/test-calendarspec.c -+++ b/src/test/test-calendarspec.c -@@ -2,11 +2,11 @@ - - #include "alloc-util.h" - #include "calendarspec.h" -+#include "env-util.h" - #include "errno-util.h" - #include "string-util.h" --#include "util.h" - --static void test_one(const char *input, const char *output) { -+static void _test_one(int line, const char *input, const char *output) { - CalendarSpec *c; - _cleanup_free_ char *p = NULL, *q = NULL; - usec_t u; -@@ -16,13 +16,13 @@ static void test_one(const char *input, const char *output) { - assert_se(calendar_spec_from_string(input, &c) >= 0); - - assert_se(calendar_spec_to_string(c, &p) >= 0); -- printf("\"%s\" → \"%s\"\n", input, p); -+ log_info("line %d: \"%s\" → \"%s\"", line, input, p); - - assert_se(streq(p, output)); - - u = now(CLOCK_REALTIME); - r = calendar_spec_next_usec(c, u, &u); -- printf("Next: %s\n", r < 0 ? strerror_safe(r) : format_timestamp(buf, sizeof(buf), u)); -+ log_info("Next: %s", r < 0 ? 
strerror_safe(r) : format_timestamp(buf, sizeof buf, u)); - calendar_spec_free(c); - - assert_se(calendar_spec_from_string(p, &c) >= 0); -@@ -31,8 +31,9 @@ static void test_one(const char *input, const char *output) { - - assert_se(streq(q, p)); - } -+#define test_one(input, output) _test_one(__LINE__, input, output) - --static void test_next(const char *input, const char *new_tz, usec_t after, usec_t expect) { -+static void _test_next(int line, const char *input, const char *new_tz, usec_t after, usec_t expect) { - CalendarSpec *c; - usec_t u; - char *old_tz; -@@ -43,22 +44,19 @@ static void test_next(const char *input, const char *new_tz, usec_t after, usec_ - if (old_tz) - old_tz = strdupa(old_tz); - -- if (new_tz) { -- char *colon_tz; -+ if (new_tz) -+ new_tz = strjoina(":", new_tz); - -- colon_tz = strjoina(":", new_tz); -- assert_se(setenv("TZ", colon_tz, 1) >= 0); -- } else -- assert_se(unsetenv("TZ") >= 0); -+ assert_se(set_unset_env("TZ", new_tz, true) == 0); - tzset(); - - assert_se(calendar_spec_from_string(input, &c) >= 0); - -- printf("\"%s\"\n", input); -+ log_info("line %d: \"%s\" new_tz=%s", line, input, strnull(new_tz)); - - u = after; - r = calendar_spec_next_usec(c, after, &u); -- printf("At: %s\n", r < 0 ? strerror_safe(r) : format_timestamp_style(buf, sizeof buf, u, TIMESTAMP_US)); -+ log_info("At: %s", r < 0 ? 
strerror_safe(r) : format_timestamp_style(buf, sizeof buf, u, TIMESTAMP_US)); - if (expect != USEC_INFINITY) - assert_se(r >= 0 && u == expect); - else -@@ -66,12 +64,10 @@ static void test_next(const char *input, const char *new_tz, usec_t after, usec_ - - calendar_spec_free(c); - -- if (old_tz) -- assert_se(setenv("TZ", old_tz, 1) >= 0); -- else -- assert_se(unsetenv("TZ") >= 0); -+ assert_se(set_unset_env("TZ", old_tz, true) == 0); - tzset(); - } -+#define test_next(input, new_tz, after, expect) _test_next(__LINE__, input,new_tz,after,expect) - - static void test_timestamp(void) { - char buf[FORMAT_TIMESTAMP_MAX]; -@@ -83,12 +79,12 @@ static void test_timestamp(void) { - - x = now(CLOCK_REALTIME); - -- assert_se(format_timestamp_style(buf, sizeof(buf), x, TIMESTAMP_US)); -- printf("%s\n", buf); -+ assert_se(format_timestamp_style(buf, sizeof buf, x, TIMESTAMP_US)); -+ log_info("%s", buf); - assert_se(calendar_spec_from_string(buf, &c) >= 0); - assert_se(calendar_spec_to_string(c, &t) >= 0); - calendar_spec_free(c); -- printf("%s\n", t); -+ log_info("%s", t); - - assert_se(parse_timestamp(t, &y) >= 0); - assert_se(y == x); -@@ -104,11 +100,11 @@ static void test_hourly_bug_4031(void) { - n = now(CLOCK_REALTIME); - assert_se((r = calendar_spec_next_usec(c, n, &u)) >= 0); - -- printf("Now: %s (%"PRIu64")\n", format_timestamp_style(buf, sizeof buf, n, TIMESTAMP_US), n); -- printf("Next hourly: %s (%"PRIu64")\n", r < 0 ? strerror_safe(r) : format_timestamp_style(buf, sizeof buf, u, TIMESTAMP_US), u); -+ log_info("Now: %s (%"PRIu64")", format_timestamp_style(buf, sizeof buf, n, TIMESTAMP_US), n); -+ log_info("Next hourly: %s (%"PRIu64")", r < 0 ? strerror_safe(r) : format_timestamp_style(buf, sizeof buf, u, TIMESTAMP_US), u); - - assert_se((r = calendar_spec_next_usec(c, u, &w)) >= 0); -- printf("Next hourly: %s (%"PRIu64")\n", r < 0 ? strerror_safe(r) : format_timestamp_style(zaf, sizeof zaf, w, TIMESTAMP_US), w); -+ log_info("Next hourly: %s (%"PRIu64")", r < 0 ? 
strerror_safe(r) : format_timestamp_style(zaf, sizeof zaf, w, TIMESTAMP_US), w); - - assert_se(n < u); - assert_se(u <= n + USEC_PER_HOUR); -@@ -209,13 +205,13 @@ int main(int argc, char* argv[]) { - test_next("2017-08-06 9..17/2:00 UTC", "", 1502029800000000, 1502031600000000); - test_next("2016-12-* 3..21/6:00 UTC", "", 1482613200000001, 1482634800000000); - test_next("2017-09-24 03:30:00 Pacific/Auckland", "", 12345, 1506177000000000); -- // Due to daylight saving time - 2017-09-24 02:30:00 does not exist -+ /* Due to daylight saving time - 2017-09-24 02:30:00 does not exist */ - test_next("2017-09-24 02:30:00 Pacific/Auckland", "", 12345, -1); - test_next("2017-04-02 02:30:00 Pacific/Auckland", "", 12345, 1491053400000000); -- // Confirm that even though it's a time change here (backward) 02:30 happens only once -+ /* Confirm that even though it's a time change here (backward) 02:30 happens only once */ - test_next("2017-04-02 02:30:00 Pacific/Auckland", "", 1491053400000000, -1); - test_next("2017-04-02 03:30:00 Pacific/Auckland", "", 12345, 1491060600000000); -- // Confirm that timezones in the Spec work regardless of current timezone -+ /* Confirm that timezones in the Spec work regardless of current timezone */ - test_next("2017-09-09 20:42:00 Pacific/Auckland", "", 12345, 1504946520000000); - test_next("2017-09-09 20:42:00 Pacific/Auckland", "EET", 12345, 1504946520000000); - - -From 47b0b65766229a18921a3ce831ef708ef408a34c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 22 Mar 2021 11:29:35 +0100 -Subject: [PATCH 4/5] test-calendarspec: do not convert timezone "" to ":" - -I *think* it doesn't actually make any difference, because ":" will be ignored. -437f48a471f51ac9dd2697ee3b848a71b4f101df added prefixing with ":", but didn't -take into account the fact that we also use "" with a different meaning than -NULL here. But let's restore the original behaviour of specifying the empty -string. 
---- - src/test/test-calendarspec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c -index 152ce879f8a..c62e6860cf9 100644 ---- a/src/test/test-calendarspec.c -+++ b/src/test/test-calendarspec.c -@@ -44,7 +44,7 @@ static void _test_next(int line, const char *input, const char *new_tz, usec_t a - if (old_tz) - old_tz = strdupa(old_tz); - -- if (new_tz) -+ if (!isempty(new_tz)) - new_tz = strjoina(":", new_tz); - - assert_se(set_unset_env("TZ", new_tz, true) == 0); - -From 129cb6e249bef30dc33e08f98f0b27a6de976f6f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 22 Mar 2021 12:51:47 +0100 -Subject: [PATCH 5/5] shared/calendarspec: when mktime() moves us backwards, - jump forward -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When trying to calculate the next firing of 'Sun *-*-* 01:00:00', we'd fall -into an infinite loop, because mktime() moves us "backwards": - -Before this patch: -tm_within_bounds: good=0 2021-03-29 01:00:00 → 2021-03-29 00:00:00 -tm_within_bounds: good=0 2021-03-29 01:00:00 → 2021-03-29 00:00:00 -tm_within_bounds: good=0 2021-03-29 01:00:00 → 2021-03-29 00:00:00 -... - -We rely on mktime() normalizing the time. The man page does not say that it'll -move the time forward, but our algorithm relies on this. So let's catch this -case explicitly. - -With this patch: -$ TZ=Europe/Dublin faketime 2021-03-21 build/systemd-analyze calendar --iterations=5 'Sun *-*-* 01:00:00' -Normalized form: Sun *-*-* 01:00:00 - Next elapse: Sun 2021-03-21 01:00:00 GMT - (in UTC): Sun 2021-03-21 01:00:00 UTC - From now: 59min left - Iter. #2: Sun 2021-04-04 01:00:00 IST - (in UTC): Sun 2021-04-04 00:00:00 UTC - From now: 1 weeks 6 days left <---- note the 2 week jump here - Iter. #3: Sun 2021-04-11 01:00:00 IST - (in UTC): Sun 2021-04-11 00:00:00 UTC - From now: 2 weeks 6 days left - Iter. 
#4: Sun 2021-04-18 01:00:00 IST - (in UTC): Sun 2021-04-18 00:00:00 UTC - From now: 3 weeks 6 days left - Iter. #5: Sun 2021-04-25 01:00:00 IST - (in UTC): Sun 2021-04-25 00:00:00 UTC - From now: 1 months 4 days left - -Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1941335. ---- - src/shared/calendarspec.c | 19 +++++++++++-------- - src/test/test-calendarspec.c | 3 +++ - test/test-functions | 1 + - 3 files changed, 15 insertions(+), 8 deletions(-) - -diff --git a/src/shared/calendarspec.c b/src/shared/calendarspec.c -index 5c666412946..bf24d8d5bbb 100644 ---- a/src/shared/calendarspec.c -+++ b/src/shared/calendarspec.c -@@ -1195,15 +1195,18 @@ static int tm_within_bounds(struct tm *tm, bool utc) { - return negative_errno(); - - /* Did any normalization take place? If so, it was out of bounds before */ -- bool good = t.tm_year == tm->tm_year && -- t.tm_mon == tm->tm_mon && -- t.tm_mday == tm->tm_mday && -- t.tm_hour == tm->tm_hour && -- t.tm_min == tm->tm_min && -- t.tm_sec == tm->tm_sec; -- if (!good) -+ int cmp = CMP(t.tm_year, tm->tm_year) ?: -+ CMP(t.tm_mon, tm->tm_mon) ?: -+ CMP(t.tm_mday, tm->tm_mday) ?: -+ CMP(t.tm_hour, tm->tm_hour) ?: -+ CMP(t.tm_min, tm->tm_min) ?: -+ CMP(t.tm_sec, tm->tm_sec); -+ -+ if (cmp < 0) -+ return -EDEADLK; /* Refuse to go backward */ -+ if (cmp > 0) - *tm = t; -- return good; -+ return cmp == 0; - } - - static bool matches_weekday(int weekdays_bits, const struct tm *tm, bool utc) { -diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c -index c62e6860cf9..4f1d0f64d57 100644 ---- a/src/test/test-calendarspec.c -+++ b/src/test/test-calendarspec.c -@@ -214,6 +214,9 @@ int main(int argc, char* argv[]) { - /* Confirm that timezones in the Spec work regardless of current timezone */ - test_next("2017-09-09 20:42:00 Pacific/Auckland", "", 12345, 1504946520000000); - test_next("2017-09-09 20:42:00 Pacific/Auckland", "EET", 12345, 1504946520000000); -+ /* Check that we don't start looping if mktime() moves us 
backwards */ -+ test_next("Sun *-*-* 01:00:00 Europe/Dublin", "", 1616412478000000, 1617494400000000); -+ test_next("Sun *-*-* 01:00:00 Europe/Dublin", "IST", 1616412478000000, 1617494400000000); - - assert_se(calendar_spec_from_string("test", &c) < 0); - assert_se(calendar_spec_from_string(" utc", &c) < 0); -diff --git a/test/test-functions b/test/test-functions -index d7f7967e2ff..6b94058fd36 100644 ---- a/test/test-functions -+++ b/test/test-functions -@@ -1340,6 +1340,7 @@ install_zoneinfo() { - inst_any /usr/share/zoneinfo/Asia/Vladivostok - inst_any /usr/share/zoneinfo/Australia/Sydney - inst_any /usr/share/zoneinfo/Europe/Berlin -+ inst_any /usr/share/zoneinfo/Europe/Dublin - inst_any /usr/share/zoneinfo/Europe/Kiev - inst_any /usr/share/zoneinfo/Pacific/Auckland - inst_any /usr/share/zoneinfo/Pacific/Honolulu diff --git a/19079.patch b/19079.patch deleted file mode 100644 index 0f5c23e..0000000 --- a/19079.patch +++ /dev/null 
@@ -1,178 +0,0 @@ -From 4cba52cc7a2191d0b38e605801c60d8648bc67e2 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 22 Mar 2021 18:27:36 +0100 -Subject: [PATCH 1/2] resolved: propagate correct error variable - ---- - src/resolve/resolved-dns-query.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c -index e4386c402ac..c5805111d21 100644 ---- a/src/resolve/resolved-dns-query.c -+++ b/src/resolve/resolved-dns-query.c -@@ -982,12 +982,12 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) - r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna); - if (r < 0) - return r; -- else if (r > 0) -+ if (r > 0) - log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q->question_idna), dns_question_first_name(nq_idna)); - - k = dns_question_is_equal(q->question_idna, q->question_utf8); - if (k < 0) -- return r; -+ return k; - if (k > 0) { - /* Same question? Shortcut new question generation */ - nq_utf8 = dns_question_ref(nq_idna); -@@ -996,7 +996,7 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) - k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8); - if (k < 0) - return k; -- else if (k > 0) -+ if (k > 0) - log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q->question_utf8), dns_question_first_name(nq_utf8)); - } - - -From 1a71fe4ee5248140f2395a7daedfad8f8b9ad291 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 22 Mar 2021 18:27:46 +0100 -Subject: [PATCH 2/2] resolved: don't accept responses to query unless they - completely answer our questions - -When we checking if the responses we collected for a DnsQuery are -sufficient to complete it we previously only check if one of the -collected response RRs matches at least one of the question RR keys. 
- -This changes the logic to require that there must be at least one -response RR matched *each* of the question RR keys before considering -the answer complete. - -Otherwise we might end up accepting an A reply as complete answer for an -A/AAAA query and vice versa, but we want to make sure we wait until we -get a reply on both types before returning this to the user in all -cases. - -This has been broken for basically forever, but didn't surface until -b1eea703e01da1e280e179fb119449436a0c9b8e since until then we'd basically -ignore the auxiliary RRs included in CNAME/DNAME replies. Once that -commit was made we'd start using the auxiliary RRs included in -CNAME/DNAME replies but those typically included only A or only AAAA -which we then took for complete. - -Fixe: #19049 ---- - src/resolve/resolved-dns-query.c | 55 ++++++++++++++++++++++++++++---- - src/resolve/resolved-dns-query.h | 9 +++++- - 2 files changed, 56 insertions(+), 8 deletions(-) - -diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c -index c5805111d21..8bc06079830 100644 ---- a/src/resolve/resolved-dns-query.c -+++ b/src/resolve/resolved-dns-query.c -@@ -433,6 +433,14 @@ int dns_query_new( - } else { - bool good = false; - -+ /* This (primarily) checks two things: -+ * -+ * 1. That the question is not empty -+ * 2. That all RR keys in the question objects are for the same domain -+ * -+ * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for -+ * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. 
*/ -+ - if (dns_question_size(question_utf8) > 0) { - r = dns_question_is_valid_for_query(question_utf8); - if (r < 0) -@@ -1032,6 +1040,8 @@ int dns_query_process_cname(DnsQuery *q) { - _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL; - DnsQuestion *question; - DnsResourceRecord *rr; -+ bool full_match = true; -+ DnsResourceKey *k; - int r; - - assert(q); -@@ -1041,13 +1051,44 @@ int dns_query_process_cname(DnsQuery *q) { - - question = dns_query_question_for_protocol(q, q->answer_protocol); - -- DNS_ANSWER_FOREACH(rr, q->answer) { -- r = dns_question_matches_rr(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain)); -- if (r < 0) -- return r; -- if (r > 0) -- return DNS_QUERY_MATCH; /* The answer matches directly, no need to follow cnames */ -+ /* Small reminder: our question will consist of one or more RR keys that match in name, but not in -+ * record type. Specifically, when we do an address lookup the question will typically consist of one -+ * A and one AAAA key lookup for the same domain name. When we get a response from a server we need -+ * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME -+ * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant -+ * type. -+ * -+ * Hence we first check of the answers we collected are sufficient to answer all our questions -+ * directly. If one question wasn't answered we go on, waiting for more replies. 
However, if there's -+ * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or -+ * the AAAA query.*/ -+ -+ DNS_QUESTION_FOREACH(k, question) { -+ bool match = false; -+ -+ DNS_ANSWER_FOREACH(rr, q->answer) { -+ r = dns_resource_key_match_rr(k, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain)); -+ if (r < 0) -+ return r; -+ if (r > 0) { -+ match = true; /* Yay, we found an RR that matches the key we are looking for */ -+ break; -+ } -+ } -+ -+ if (!match) { -+ /* Hmm. :-( there's no response for this key. This doesn't match. */ -+ full_match = false; -+ break; -+ } -+ } - -+ if (full_match) -+ return DNS_QUERY_MATCH; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */ -+ -+ /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that -+ * matches any of our questions. */ -+ DNS_ANSWER_FOREACH(rr, q->answer) { - r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain)); - if (r < 0) - return r; -@@ -1056,7 +1097,7 @@ int dns_query_process_cname(DnsQuery *q) { - } - - if (!cname) -- return DNS_QUERY_NOMATCH; /* No match and no cname to follow */ -+ return DNS_QUERY_NOMATCH; /* No match and no CNAME/DNAME to follow */ - - if (q->flags & SD_RESOLVED_NO_CNAME) - return -ELOOP; -diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h -index 5d12171b0a1..5d96cc06f84 100644 ---- a/src/resolve/resolved-dns-query.h -+++ b/src/resolve/resolved-dns-query.h -@@ -45,7 +45,14 @@ struct DnsQuery { - * that even on classic DNS some labels might use UTF8 encoding. Specifically, DNS-SD service names - * (in contrast to their domain suffixes) use UTF-8 encoding even on DNS. Thus, the difference - * between these two fields is mostly relevant only for explicit *hostname* lookups as well as the -- * domain suffixes of service lookups. */ -+ * domain suffixes of service lookups. 
-+ * -+ * Note that questions may consist of multiple RR keys at once, but they must be for the same domain -+ * name. This is used for A+AAAA and TXT+SRV lookups: we'll allocate a single DnsQuery object for -+ * them instead of two separate ones. That allows us minor optimizations with response handling: -+ * CNAME/DNAMEs of the first reply we get can already be used to follow the CNAME/DNAME chain for -+ * both, and we can take benefit of server replies that oftentimes put A responses into AAAA queries -+ * and vice versa (in the additional section). */ - DnsQuestion *question_idna; - DnsQuestion *question_utf8; - diff --git a/19080.patch b/19080.patch deleted file mode 100644 index c8e1db4..0000000 --- a/19080.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From fce5b2ac2a51b9ecbfb258ff7e62f4e67a38d4c8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 12 Mar 2021 10:20:38 +0100 -Subject: [PATCH] sd-event: disable epoll_pwait2 for now - -This reverts the gist of commit 798445ab84cff51bde7fcf936f0fb19c37cf858c. - -Unfortunately the new syscall causes test-event to hang. 32 bit architectures -seem affected: i686 and arm32 in fedora koji. 32 bit build of test-event hangs -reliably under valgrind: - -$ PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig meson build-32 -Dc_args=-m32 -Dc_link_args=-m32 -Dcpp_args=-m32 -Dcpp_link_args=-m32 && ninja -C build-32 test-event && valgrind build/test-event - -If I set epoll_pwait2_absent=true, so the new function is never called, then -the issue does not reproduce. It seems to be strictly tied to the syscall. - -On amd64, the syscall is not used, at least with the kernel that Fedora -provides. The kernel patch 58169a52ebc9a733aeb5bea857bc5daa71a301bb says: - - For timespec, only support this new interface on 2038 aware platforms - that define __kernel_timespec_t. So no CONFIG_COMPAT_32BIT_TIME. - -And Fedora sets CONFIG_COMPAT_32BIT_TIME=y. I expect most other distros will too. - -On amd64: epoll_wait_usec: epoll_pwait2: ret=-1 / errno=38 -On i686 (same kernel): epoll_wait_usec: epoll_pwait2: ret=2 / errno=0 - -Is this some kind of emulation? Anyway, it seems that this is what is going wrong. - -So let's disable the syscall until it becomes more widely available and the -kinks have been ironed out. - -Fixes test-event issue in #19052. 
---- - src/libsystemd/sd-event/sd-event.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c -index 8f74b141015..b76b0623fe3 100644 ---- a/src/libsystemd/sd-event/sd-event.c -+++ b/src/libsystemd/sd-event/sd-event.c -@@ -3808,10 +3808,15 @@ static int epoll_wait_usec( - int maxevents, - usec_t timeout) { - -- static bool epoll_pwait2_absent = false; - int r, msec; -+#if 0 -+ static bool epoll_pwait2_absent = false; - -- /* A wrapper that uses epoll_pwait2() if available, and falls back to epoll_wait() if not */ -+ /* A wrapper that uses epoll_pwait2() if available, and falls back to epoll_wait() if not. -+ * -+ * FIXME: this is temporarily disabled until epoll_pwait2() becomes more widely available. -+ * See https://github.com/systemd/systemd/pull/18973 and -+ * https://github.com/systemd/systemd/issues/19052. */ - - if (!epoll_pwait2_absent && timeout != USEC_INFINITY) { - struct timespec ts; -@@ -3829,6 +3834,7 @@ static int epoll_wait_usec( - - epoll_pwait2_absent = true; - } -+#endif - - if (timeout == USEC_INFINITY) - msec = -1; diff --git a/5cdb3f70ebe035323f4f079028a262669a2bbbf6.patch b/5cdb3f70ebe035323f4f079028a262669a2bbbf6.patch deleted file mode 100644 index 9e737ea..0000000 --- a/5cdb3f70ebe035323f4f079028a262669a2bbbf6.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 5cdb3f70ebe035323f4f079028a262669a2bbbf6 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 19 Mar 2021 06:26:53 +0900 -Subject: [PATCH] udev: do not try to assign invalid ifname - -Fixes #19038. ---- - src/udev/net/link-config.c | 18 +++++++----------- - 1 file changed, 7 insertions(+), 11 deletions(-) - -diff --git a/src/udev/net/link-config.c b/src/udev/net/link-config.c -index f06ecd455df..31e5d0cd673 100644 ---- a/src/udev/net/link-config.c -+++ b/src/udev/net/link-config.c -@@ -441,8 +441,6 @@ static int link_config_apply_rtnl_settings(sd_netlink **rtnl, const link_config - - static int link_config_generate_new_name(const link_config_ctx *ctx, const link_config *config, sd_device *device, const char **ret_name) { - unsigned name_type = NET_NAME_UNKNOWN; -- const char *new_name = NULL; -- NamePolicy policy; - int r; - - assert(ctx); -@@ -460,7 +458,8 @@ static int link_config_generate_new_name(const link_config_ctx *ctx, const link_ - - if (ctx->enable_name_policy && config->name_policy) - for (NamePolicy *p = config->name_policy; *p != _NAMEPOLICY_INVALID; p++) { -- policy = *p; -+ const char *new_name = NULL; -+ NamePolicy policy = *p; - - switch (policy) { - case NAMEPOLICY_KERNEL: -@@ -496,16 +495,13 @@ static int link_config_generate_new_name(const link_config_ctx *ctx, const link_ - default: - assert_not_reached("invalid policy"); - } -- if (ifname_valid(new_name)) -- break; -+ if (ifname_valid(new_name)) { -+ log_device_debug(device, "Policy *%s* yields \"%s\".", name_policy_to_string(policy), new_name); -+ *ret_name = new_name; -+ return 0; -+ } - } - -- if (new_name) { -- log_device_debug(device, "Policy *%s* yields \"%s\".", name_policy_to_string(policy), new_name); -- *ret_name = new_name; -- return 0; -- } -- - if (config->name) { - log_device_debug(device, "Policies didn't yield a name, using specified Name=%s.", config->name); - *ret_name = config->name; 
diff --git a/f9b3afae96c72564cd4cd766555845f17e3c12a9.patch b/f9b3afae96c72564cd4cd766555845f17e3c12a9.patch
deleted file mode 100644
index 9bbab91..0000000
--- a/f9b3afae96c72564cd4cd766555845f17e3c12a9.patch
+++ /dev/null
@@ -1,85 +0,0 @@ -From f9b3afae96c72564cd4cd766555845f17e3c12a9 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 19 Mar 2021 10:36:48 +0100 -Subject: [PATCH] repart: make sure to grow partition table after growing - backing loopback file - -This fixes the --size= switch, i.e. where we grow a disk image: after -growing it we need to expand the partition table so that its idea of the -the medium size matches the new reality. Otherwise our disk size -calculations in the subsequent steps might still use the original -ungrown size. - -(This used to work, I guess this was borked when libfdisk learnt the -concept of "minimized" partition tables) ---- - src/partition/repart.c | 42 ++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 42 insertions(+) - -diff --git a/src/partition/repart.c b/src/partition/repart.c -index be16f5a067b..7b6201efa83 100644 ---- a/src/partition/repart.c -+++ b/src/partition/repart.c -@@ -3977,6 +3977,40 @@ static int find_root(char **ret, int *ret_fd) { - return log_error_errno(SYNTHETIC_ERRNO(ENODEV), "Failed to discover root block device."); - } - -+static int resize_pt(int fd) { -+ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; -+ _cleanup_(fdisk_unref_contextp) struct fdisk_context *c = NULL; -+ int r; -+ -+ /* After resizing the backing file we need to resize the partition table itself too, so that it takes -+ * possession of the enlarged backing file. For this it suffices to open the device with libfdisk and -+ * immediately write it again, with no changes. 
*/ -+ -+ c = fdisk_new_context(); -+ if (!c) -+ return log_oom(); -+ -+ xsprintf(procfs_path, "/proc/self/fd/%i", fd); -+ r = fdisk_assign_device(c, procfs_path, 0); -+ if (r < 0) -+ return log_error_errno(r, "Failed to open device '%s': %m", procfs_path); -+ -+ r = fdisk_has_label(c); -+ if (r < 0) -+ return log_error_errno(r, "Failed to determine whether disk '%s' has a disk label: %m", procfs_path); -+ if (r == 0) { -+ log_debug("Not resizing partition table, as there currently is none."); -+ return 0; -+ } -+ -+ r = fdisk_write_disklabel(c); -+ if (r < 0) -+ return log_error_errno(r, "Failed to write resized partition table: %m"); -+ -+ log_info("Resized partition table."); -+ return 1; -+} -+ - static int resize_backing_fd(const char *node, int *fd) { - char buf1[FORMAT_BYTES_MAX], buf2[FORMAT_BYTES_MAX]; - _cleanup_close_ int writable_fd = -1; -@@ -4029,6 +4063,10 @@ static int resize_backing_fd(const char *node, int *fd) { - /* Fallback to truncation, if fallocate() is not supported. */ - log_debug("Backing file system does not support fallocate(), falling back to ftruncate()."); - } else { -+ r = resize_pt(writable_fd); -+ if (r < 0) -+ return r; -+ - if (st.st_size == 0) /* Likely regular file just created by us */ - log_info("Allocated %s for '%s'.", buf2, node); - else -@@ -4042,6 +4080,10 @@ static int resize_backing_fd(const char *node, int *fd) { - return log_error_errno(errno, "Failed to grow '%s' from %s to %s by truncation: %m", - node, buf1, buf2); - -+ r = resize_pt(writable_fd); -+ if (r < 0) -+ return r; -+ - if (st.st_size == 0) /* Likely regular file just created by us */ - log_info("Sized '%s' to %s.", node, buf2); - else diff --git a/sources b/sources index b4d0e31..1650fb4 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (systemd-248-rc4.tar.gz) = 022e8aabdc84c45ea06928c7b373c13f99d78fd808d9c07d3cd79dae5a2356f70d012eafbc749a588ddfcc2b1d0155f65f33ee240c4f15190d16f784803ffeac +SHA512 (systemd-248.tar.gz) = 486f6ac6c2897a2aac97a59306091a03fd50768340407401e1f088ea5b21c67dae726bff4cbe53cec6b89a8f0ee72205b340165a4fe3a3c16cff6d176506c6e0 diff --git a/systemd.spec b/systemd.spec index f5b2ce9..8ccc637 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,8 +20,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248~rc4 -Release: 6%{?dist} +Version: 248 +Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -79,17 +79,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # here, rather than in the next section. Packit CI will drop any # patches in this range before applying upstream pull requests. -# https://bugzilla.redhat.com/show_bug.cgi?id=1941335 -Patch0001: https://github.com/systemd/systemd/pull/19075.patch - -Patch0002: https://github.com/systemd/systemd/pull/19079.patch -Patch0003: https://github.com/systemd/systemd/pull/19080.patch - -Patch0004: https://github.com/systemd/systemd/commit/5cdb3f70ebe035323f4f079028a262669a2bbbf6.patch -Patch0005: https://github.com/systemd/systemd/commit/f9b3afae96c72564cd4cd766555845f17e3c12a9.patch -Patch0006: https://github.com/systemd/systemd/commit/0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d.patch - -Patch0007: 0001-Revert-resolved-gracefully-handle-with-packets-with-.patch # Downstream-only patches (5000–9999) # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 
@@ -987,6 +976,13 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Wed Mar 31 2021 Zbigniew Jędrzejewski-Szmek - 248-1 +- Latest upstream release, see + https://github.com/systemd/systemd/blob/v248/NEWS. +- The changes since -rc4 are rather small, various fixes all over the place. + A fix to how systemd-oomd selects a candidate to kill, and more debug logging + to make this more transparent. + * Tue Mar 30 2021 Anita Zhang - 248~rc4-6 - Increase oomd user memory pressure limit to 50% (#1941170) From b57fc8887ec62a3db3db9dbd68fb3495a3e2c5c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 31 Mar 2021 10:03:27 +0200 Subject: [PATCH 18/38] Mark README files as doc /etc/rc.d/init.d/README was marked as %config(noreplace), which seems to be a clear bug. But this primarily affects new README files in all the .d directories. --- split-files.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/split-files.py b/split-files.py index 26e0551..ab9147a 100644 --- a/split-files.py +++ b/split-files.py @@ -136,6 +136,8 @@ for file in files(buildroot): prefix += ' ' elif file.is_dir() and not file.is_symlink(): prefix = '%dir ' + elif 'README' in n: + prefix = '%doc ' elif n.startswith('/etc'): prefix = '%config(noreplace) ' else: From 97102a82f5868bf314aa09b23b9301f244bea1ab Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Tue, 6 Apr 2021 13:40:25 -0700 Subject: [PATCH 19/38] Re-enable resolved caching, hope all major bugs are fixed Signed-off-by: Adam Williamson --- nocache.conf | 2 -- systemd.spec | 11 ++++------- 2 files changed, 4 insertions(+), 9 deletions(-) delete mode 100644 nocache.conf diff --git a/nocache.conf b/nocache.conf deleted file mode 100644 index 25d5429..0000000 --- a/nocache.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Resolve] -Cache=no diff --git a/systemd.spec b/systemd.spec index 8ccc637..8cc4f2f 100644 --- a/systemd.spec +++ b/systemd.spec 
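Review bot: In the split-files.py hunk, the new `elif 'README' in n:` branch is a substring test on what appears to be the whole path, and it sits ahead of the `/etc` branch. Any file whose name or parent directory merely contains "README" would therefore be tagged `%doc` and lose `%config(noreplace)`, and `%doc` files are skipped on installs that exclude documentation. Matching the basename only keeps the intent without widening it, for example `elif file.name == 'README':`, assuming `file` is a path object as the `is_dir()`/`is_symlink()` calls suggest. The loop body starts and ends outside the hunk, so the definition of `n` is not visible here.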
@@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 248 -Release: 1%{?dist} +Release: 2%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -64,9 +64,6 @@ Source22: sysusers.attr Source23: sysusers.prov Source24: sysusers.generate-pre.sh -# Disable resolved caching to workaround #1933433 -Source100: nocache.conf - %if 0 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip @@ -559,9 +556,6 @@ touch %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload/state # Install yum protection fragment install -Dm0644 %{SOURCE4} %{buildroot}/etc/dnf/protected.d/systemd.conf -# Install resolved cache disable fragment -install -Dm0644 -t %{buildroot}%{pkgdir}/resolved.conf.d %{SOURCE100} - install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE7} %{SOURCE8} # Restore systemd-user pam config from before "removal of Fedora-specific bits" @@ -976,6 +970,9 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Tue Apr 06 2021 Adam Williamson - 248-2 +- Re-enable resolved caching, we hope all major bugs are resolved now + * Wed Mar 31 2021 Zbigniew Jędrzejewski-Szmek - 248-1 - Latest upstream release, see https://github.com/systemd/systemd/blob/v248/NEWS. From b4562b21c95aa3ff95bf038b3611b3a3efddd03b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 6 May 2021 15:30:22 +0200 Subject: [PATCH 20/38] Version 248.1 --- sources | 2 +- systemd.spec | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/sources b/sources index 1650fb4..481c0c8 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (systemd-248.tar.gz) = 486f6ac6c2897a2aac97a59306091a03fd50768340407401e1f088ea5b21c67dae726bff4cbe53cec6b89a8f0ee72205b340165a4fe3a3c16cff6d176506c6e0 +SHA512 (systemd-248.1.tar.gz) = ee80222cf04d150ff16d095f6669b31ef62122cf586a6e76ee4862e2b8d041e5b0d3e9273fb36356cd60fa14ba2014d588c604cfdb6d9646c8ad03e8b8d12d6d diff --git a/systemd.spec b/systemd.spec index 8cc4f2f..04211c0 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1,7 +1,7 @@ #global commit c4b843473a75fb38ed5bf54e9d3cfb1cb3719efa %{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})} -#global stable 1 +%global stable 1 # We ship a .pc file but don't want to have a dep on pkg-config. We # strip the automatically generated dep here and instead co-own the @@ -20,8 +20,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248 -Release: 2%{?dist} +Version: 248.1 +Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -970,6 +970,10 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Thu May 6 2021 Zbigniew Jędrzejewski-Szmek - 248.1-1 +- Latest stable version: a long list of minor correctness fixes all around + (#1955475,#911766) + * Tue Apr 06 2021 Adam Williamson - 248-2 - Re-enable resolved caching, we hope all major bugs are resolved now From 875c4804652276f895b531b9314148093731680f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 6 May 2021 15:30:27 +0200 Subject: [PATCH 21/38] Pull in tpm2-tss dependency --- systemd.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/systemd.spec b/systemd.spec index 04211c0..9e350af 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -126,6 +126,9 @@ BuildRequires: libmicrohttpd-devel BuildRequires: libxkbcommon-devel BuildRequires: iptables-devel BuildRequires: pkgconfig(libfido2) +BuildRequires: pkgconfig(tss2-esys) +BuildRequires: pkgconfig(tss2-rc) +BuildRequires: pkgconfig(tss2-mu) BuildRequires: libxslt BuildRequires: docbook-style-xsl BuildRequires: pkgconfig @@ -440,6 +443,7 @@ CONFIGURE_OPTS=( -Defi=true -Dgnu-efi=%{?have_gnu_efi:true}%{?!have_gnu_efi:false} -Dtpm=true + -Dtpm2=true -Dhwdb=true -Dsysusers=true -Dstandalone-binaries=true @@ -973,6 +977,7 @@ fi * Thu May 6 2021 Zbigniew Jędrzejewski-Szmek - 248.1-1 - Latest stable version: a long list of minor correctness fixes all around (#1955475,#911766) +- Enable tpm2-tss dependency (#1949505) * Tue Apr 06 2021 Adam Williamson - 248-2 - Re-enable resolved caching, we hope all major bugs are resolved now From f25e352386c45e47d5abec0ec858eea610c349ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 7 May 2021 12:47:07 +0200 Subject: [PATCH 22/38] Correct file modes for %ghosted files /var/log/btmp was changed in https://github.com/systemd/systemd/commit/f6e64b78cc, but never adjusted here. --- systemd.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/systemd.spec b/systemd.spec index 9e350af..10ae609 100644 --- a/systemd.spec +++ b/systemd.spec @@ -611,11 +611,11 @@ python3 %{SOURCE2} %buildroot < - 248.1-1 +- Adjust modes of some %%ghost files (#1956059) + * Thu May 6 2021 Zbigniew Jędrzejewski-Szmek - 248.1-1 - Latest stable version: a long list of minor correctness fixes all around (#1955475,#911766) From 3ea1617381d753a18687c2851220e5b271418abe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 7 May 2021 15:01:53 +0200 Subject: [PATCH 23/38] Version 248.2 --- sources | 2 +- systemd.spec | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/sources b/sources index 481c0c8..af53de3 100644 --- a/sources 
+++ b/sources @@ -1 +1 @@ -SHA512 (systemd-248.1.tar.gz) = ee80222cf04d150ff16d095f6669b31ef62122cf586a6e76ee4862e2b8d041e5b0d3e9273fb36356cd60fa14ba2014d588c604cfdb6d9646c8ad03e8b8d12d6d +SHA512 (systemd-248.2.tar.gz) = b72d31f93a5ec21a013a67b293fccb028af9c8d69d0577ed2448c4855673e48268041520a44a656cc200bb15baa3c4d34d01d03e900abd37515f771a66893a9c diff --git a/systemd.spec b/systemd.spec index 10ae609..814b1ec 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248.1 +Version: 248.2 Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -974,12 +974,13 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog -* Fri May 7 2021 Zbigniew Jędrzejewski-Szmek - 248.1-1 +* Fri May 7 2021 Zbigniew Jędrzejewski-Szmek - 248.2-1 +- Pull in some more patches from upstream (#1944646, #1885090, #1941340) - Adjust modes of some %%ghost files (#1956059) * Thu May 6 2021 Zbigniew Jędrzejewski-Szmek - 248.1-1 - Latest stable version: a long list of minor correctness fixes all around - (#1955475,#911766) + (#1955475, #911766, #1958167, #1952919) - Enable tpm2-tss dependency (#1949505) * Tue Apr 06 2021 Adam Williamson - 248-2 From 9cd5d4bae2914ce78d1e97b23126aa8765be57dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 15 May 2021 18:59:15 +0200 Subject: [PATCH 24/38] Version 248.3 --- sources | 2 +- systemd.spec | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/sources b/sources index af53de3..993683e 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (systemd-248.2.tar.gz) = b72d31f93a5ec21a013a67b293fccb028af9c8d69d0577ed2448c4855673e48268041520a44a656cc200bb15baa3c4d34d01d03e900abd37515f771a66893a9c +SHA512 (systemd-248.3.tar.gz) = 8e7ff0d5e63cc933e4dc23f7e0bef9707fde90396605eb8822d34de90d7abe8fd37e5739e33b657868218aa7281147cc944c096c007324c3e6fb54d833a83485 diff --git a/systemd.spec b/systemd.spec index 814b1ec..e9b60e4 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248.2 +Version: 248.3 Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -974,6 +974,10 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Sat May 15 2021 Zbigniew Jędrzejewski-Szmek - 248.3-1 +- A fix for resolved crashes (#1946386, #1960227, #1950241) +- Some minor fixes for documentation, systemd-networkd, systemd-run, bootctl. + * Fri May 7 2021 Zbigniew Jędrzejewski-Szmek - 248.2-1 - Pull in some more patches from upstream (#1944646, #1885090, #1941340) - Adjust modes of some %%ghost files (#1956059) From 0c3bd956df81fb942d7c1a6830611058e7aaf640 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 12 Jul 2021 14:07:26 +0200 Subject: [PATCH 25/38] Version 248.4 --- sources | 2 +- systemd.spec | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 993683e..8027b80 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-248.3.tar.gz) = 8e7ff0d5e63cc933e4dc23f7e0bef9707fde90396605eb8822d34de90d7abe8fd37e5739e33b657868218aa7281147cc944c096c007324c3e6fb54d833a83485 +SHA512 (systemd-248.4.tar.gz) = 23d422b3e93b86a46219a7127fb363cd6acea4479e1ce51d9303fdcafcc69c71bd3f7e2acfa163ffa2372b3ff40a031846abaf65fc99603739bd718f399f92fd diff --git a/systemd.spec b/systemd.spec index e9b60e4..032e32d 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248.3 +Version: 248.4 Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -974,6 +974,12 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Mon Jul 12 2021 Zbigniew Jędrzejewski-Szmek - 248.4-1 +- Assorted fixes (some systemd-resolved crashes, invalid + systemd-tmpfiles assertion, etc.) +- systemd-networkd workaround for TALOS-2020-1142, CVE-2020-13529. +- A big update of hardware descriptions. + * Sat May 15 2021 Zbigniew Jędrzejewski-Szmek - 248.3-1 - A fix for resolved crashes (#1946386, #1960227, #1950241) - Some minor fixes for documentation, systemd-networkd, systemd-run, bootctl. From b26a003707e806cc4ec5e77b4985b0bea99a06f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 20 Jul 2021 09:40:19 +0200 Subject: [PATCH 26/38] Add sfdisk to BuildRequires https://bugzilla.redhat.com/show_bug.cgi?id=1983450 --- systemd.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index 032e32d..642b2c4 100644 --- a/systemd.spec +++ b/systemd.spec @@ -102,8 +102,9 @@ BuildRequires: audit-libs-devel BuildRequires: cryptsetup-devel %endif BuildRequires: dbus-devel +BuildRequires: /usr/sbin/sfdisk # /usr/bin/getfacl is needed by test-acl-util -BuildRequires: acl +BuildRequires: /usr/bin/getfacl BuildRequires: libacl-devel BuildRequires: gobject-introspection-devel BuildRequires: libblkid-devel From 824e26065fb4f0bfff3bea804318cffe2f7f6ea8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 20 Jul 2021 15:23:52 +0200 Subject: [PATCH 27/38] Version 248.5 --- sources | 2 +- systemd.spec | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 8027b80..63e8b32 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (systemd-248.4.tar.gz) = 23d422b3e93b86a46219a7127fb363cd6acea4479e1ce51d9303fdcafcc69c71bd3f7e2acfa163ffa2372b3ff40a031846abaf65fc99603739bd718f399f92fd +SHA512 (systemd-248.5.tar.gz) = 38cdb31e2e5ba1186154da06368b0b467c452368f3dd667d7ef0fb907d314545f903ea9ade3550bf057e9e487d4fdb16a0fa5bce1d0134d2e17223c0795f55cf diff --git a/systemd.spec b/systemd.spec index 642b2c4..e98b815 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248.4 +Version: 248.5 Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -975,6 +975,12 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Tue Jul 20 2021 Zbigniew Jędrzejewski-Szmek - 248.5-1 +- Various minor documentation and correctness fixes. +- CVE-2021-33910, #1984020: an unchecked stack allocation could be used to + crash systemd and cause the system to reboot by creating a very long + fuse mountpoint path. + * Mon Jul 12 2021 Zbigniew Jędrzejewski-Szmek - 248.4-1 - Assorted fixes (some systemd-resolved crashes, invalid systemd-tmpfiles assertion, etc.) From c8bfad3a3189635183e7c04fcd8ef282cc66c1a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 22 Jul 2021 13:16:16 +0200 Subject: [PATCH 28/38] Add gids for input, render, sgx --- systemd.spec | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index e98b815..4f2e266 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -651,9 +651,10 @@ getent group cdrom &>/dev/null || groupadd -r -g 11 cdrom &>/dev/null || : getent group utmp &>/dev/null || groupadd -r -g 22 utmp &>/dev/null || : getent group tape &>/dev/null || groupadd -r -g 33 tape &>/dev/null || : getent group dialout &>/dev/null || groupadd -r -g 18 dialout &>/dev/null || : -getent group input &>/dev/null || groupadd -r input &>/dev/null || : +getent group input &>/dev/null || groupadd -r -g 104 input &>/dev/null || : getent group kvm &>/dev/null || groupadd -r -g 36 kvm &>/dev/null || : -getent group render &>/dev/null || groupadd -r render &>/dev/null || : +getent group render &>/dev/null || groupadd -r -g 105 render &>/dev/null || : +getent group sgx &>/dev/null || groupadd -r -g 106 sgx &>/dev/null || : getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2>&1 || : getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || : @@ -975,6 +976,11 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Thu Jul 22 2021 Zbigniew Jędrzejewski-Szmek - 248.6-1 +- Create 'sgx' group (and also use soft-static uids for input and render, + see https://pagure.io/setup/c/df3194a7295c2ca3cfa923981b046f4bd2754825 + and https://pagure.io/packaging-committee/issue/1078 (#1965815) + * Tue Jul 20 2021 Zbigniew Jędrzejewski-Szmek - 248.5-1 - Various minor documentation and correctness fixes. - CVE-2021-33910, #1984020: an unchecked stack allocation could be used to From 8fdf7d7a6d8256c8963af22ea217495eab1fc014 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 23 Jul 2021 17:36:53 +0200 Subject: [PATCH 29/38] Version 248.6 --- sources | 2 +- systemd.spec | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 63e8b32..939a65e 100644 --- a/sources +++ b/sources 
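Review bot: The new `groupadd -r -g 104 input`, `-g 105 render` and `-g 106 sgx` calls in the `@@ -651,9 +651,10 @@` hunk fail when the requested GID is already taken on an upgraded system. Because each call ends in `&>/dev/null || :`, the failure is silent and the group is never created, where the old dynamic `groupadd -r input` would have succeeded. Anything that later refers to these groups by name (presumably device-node ownership rules) would then not find them. The changelog calls these IDs soft-static, so a fallback to a dynamic GID seems intended: `getent group input &>/dev/null || groupadd -f -r -g 104 input &>/dev/null || :` (with `-f`, groupadd picks another free GID when the given one is in use), and likewise for `render` and `sgx`. The scriptlet continues outside the hunk.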
@@ -1 +1 @@ -SHA512 (systemd-248.5.tar.gz) = 38cdb31e2e5ba1186154da06368b0b467c452368f3dd667d7ef0fb907d314545f903ea9ade3550bf057e9e487d4fdb16a0fa5bce1d0134d2e17223c0795f55cf +SHA512 (systemd-248.6.tar.gz) = 35a9d4a9ae04423959c71ad0175d04a1792b9ab39897a497776b93cea166de58b8fb111207c104c0e747d3ffbd85480d8b0cab38e3dc0defbbf09b15211954ce diff --git a/systemd.spec b/systemd.spec index 4f2e266..adaf2e7 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248.5 +Version: 248.6 Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -980,6 +980,9 @@ fi - Create 'sgx' group (and also use soft-static uids for input and render, see https://pagure.io/setup/c/df3194a7295c2ca3cfa923981b046f4bd2754825 and https://pagure.io/packaging-committee/issue/1078 (#1965815) +- Various bugfixes (#1963428, #1975564) +- Fix for a regression introduced in the previous release with + sd-event abort (#1984651) * Tue Jul 20 2021 Zbigniew Jędrzejewski-Szmek - 248.5-1 - Various minor documentation and correctness fixes. From 8a5ca3abed79cbdc2ac9b4c46b531416ea002d82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 6 Aug 2021 16:40:10 +0200 Subject: [PATCH 30/38] Version 248.7 --- sources | 2 +- systemd.spec | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 939a65e..555a0ba 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-248.6.tar.gz) = 35a9d4a9ae04423959c71ad0175d04a1792b9ab39897a497776b93cea166de58b8fb111207c104c0e747d3ffbd85480d8b0cab38e3dc0defbbf09b15211954ce +SHA512 (systemd-248.7.tar.gz) = 1c4f0713e5e813563cd24b764c4fabc59b70a77d51dc6c2caeb9709b6f14fef2837e05d59122ad7db29f771be365f1cd707b16ef73b22abe0b3b5350a5373d5c diff --git a/systemd.spec b/systemd.spec index adaf2e7..1f73787 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248.6 +Version: 248.7 Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -976,6 +976,12 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Fri Aug 6 2021 Zbigniew Jędrzejewski-Szmek - 248.7-1 +- Latest bugfix release: improved compatibility with latest glibc, + various small documentation fixes, and fixes for systemd-networkd bridging, + other minor fixes. +- systemctl set-property accepts glob patterns now (#1986258) + * Thu Jul 22 2021 Zbigniew Jędrzejewski-Szmek - 248.6-1 - Create 'sgx' group (and also use soft-static uids for input and render, see https://pagure.io/setup/c/df3194a7295c2ca3cfa923981b046f4bd2754825 From 0f3ca3f72095f7acc72d6cf2a77e21a793c02fd1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 12 Oct 2021 19:02:24 +0200 Subject: [PATCH 31/38] Version 248.8 --- sources | 2 +- systemd.spec | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 555a0ba..d3292bb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-248.7.tar.gz) = 1c4f0713e5e813563cd24b764c4fabc59b70a77d51dc6c2caeb9709b6f14fef2837e05d59122ad7db29f771be365f1cd707b16ef73b22abe0b3b5350a5373d5c +SHA512 (systemd-248.8.tar.gz) = 1ff855602e13fce1d7ddef1f152a7634030816cd352f12e6f66cdb8333f7d9ce7ee98bd4dd52888556c1f01b9974ba6cfcc0d1b1fd98e557edf52a2422193db0 diff --git a/systemd.spec b/systemd.spec index 1f73787..3410f87 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248.7 +Version: 248.8 Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ 
@@ -976,6 +976,13 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Tue Oct 12 2021 Zbigniew Jędrzejewski-Szmek - 248.8-1 +- Latest bugfix release: fix for systemctl enable, documentation, + systemd-networkd, -coredump, -timesyncd, -udev, -nspawn, -oomd, + -repart, -resolved, systemd itself, seccomp filters, bootctl, + journalctl, TPM2, sd-event, sd-journal, nss-systemd, compatibility + with the latest kernels. + * Fri Aug 6 2021 Zbigniew Jędrzejewski-Szmek - 248.7-1 - Latest bugfix release: improved compatibility with latest glibc, various small documentation fixes, and fixes for systemd-networkd bridging, From b159982e3824380ebd0fd6773c4a4cbf7d28bd98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 13 Oct 2021 11:57:57 +0200 Subject: [PATCH 32/38] Version 248.9 --- sources | 2 +- systemd.spec | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/sources b/sources index d3292bb..c03f53a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-248.8.tar.gz) = 1ff855602e13fce1d7ddef1f152a7634030816cd352f12e6f66cdb8333f7d9ce7ee98bd4dd52888556c1f01b9974ba6cfcc0d1b1fd98e557edf52a2422193db0 +SHA512 (systemd-248.9.tar.gz) = 7fbeab6fe7f60c9eb62dd0457226a783a0398579c22142e7897a533ce4d97f654754ffd0dc8dd6102990e5b7095e54ea446e5bc06abb18faa3a04ae820900e36 diff --git a/systemd.spec b/systemd.spec index 3410f87..a207108 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248.8 +Version: 248.9 Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ 
@@ -976,6 +976,10 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Tue Oct 12 2021 Zbigniew Jędrzejewski-Szmek - 248.9-1 +- Rebuild of 248.8 with one patch removed (causing #2013386) and one patch + added (for #1998488). + * Tue Oct 12 2021 Zbigniew Jędrzejewski-Szmek - 248.8-1 - Latest bugfix release: fix for systemctl enable, documentation, systemd-networkd, -coredump, -timesyncd, -udev, -nspawn, -oomd, From 2af6bbac8f6ccb3f8604d70ae47b9eb5056ab843 Mon Sep 17 00:00:00 2001 From: Luca BRUNO Date: Tue, 16 Nov 2021 16:36:58 +0000 Subject: [PATCH 33/38] sysusers/provides: parse and output static IDs This adds support for parsing static UIDs and GIDs from sysusers.d fragments, and automatically forwarding them to the generated 'Provides' entries. It will allow inspecting users/groups with static IDs directly from package metadata: ``` $ rpm --query --provides --package gdm-41.0-3.fc36.x86_64.rpm [...] group(gdm) = 42 user(gdm) = 42 ``` --- sysusers.prov | 41 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/sysusers.prov b/sysusers.prov index a6eda5d..f12e929 100755 --- a/sysusers.prov +++ b/sysusers.prov 
@@ -1,5 +1,40 @@ #!/bin/bash +process_u() { + if [ ! -z "${2##*[!0-9]*}" ]; then + # Single shared static ID. + echo "user($1) = $2" + echo "group($1) = $2" + elif [[ $2 == *:* ]]; then + # UID:. + uid=$(echo $2 | cut -d':' -f1 -) + group=$(echo $2 | cut -d':' -f2 -) + if [ ! -z "${group##*[!0-9]*}" ]; then + # UID:GID. + echo "user($1) = ${uid}" + echo "group($1) = ${group}" + else + # UID:. + echo "user($1) = ${uid}" + echo "group(${group})" + fi + else + # Dynamic (or something else uninteresting). + echo "user($1)" + echo "group($1)" + fi +} + +process_g() { + if [ ! -z "${2##*[!0-9]*}" ]; then + # Static GID. + echo "group($1) = $2" + else + # Dynamic (or something else uninteresting). + echo "group($1)" + fi +} + parse() { while read line; do [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue @@ -8,12 +43,10 @@ parse() { set -- $line case "$1" in ('u') - echo "user($2)" - echo "group($2)" - # TODO: user:group support + process_u "$2" "$3" ;; ('g') - echo "group($2)" + process_g "$2" "$3" ;; ('m') echo "user($2)" From af26d4b0fc0e0dd5121967dfb0d884e24b03b675 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 24 Nov 2021 10:00:32 +0100 Subject: [PATCH 34/38] %ghost /var/lib/{machines,portables} (cherry picked from commit d1ad6b189de8e5022b86dfe9239ffbe0edc1cd9e) (cherry picked from commit 548de6590497fca115c61e2b532e9e68797ae49e) --- systemd.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd.spec b/systemd.spec index a207108..2d40ca1 100644 --- a/systemd.spec +++ b/systemd.spec @@ -948,6 +948,7 @@ fi %ghost %dir %attr(0755,-,-) /etc/systemd/system/sysinit.target.wants %ghost %dir %attr(0755,-,-) /etc/systemd/system/system-update.target.wants %ghost %dir %attr(0755,-,-) /etc/systemd/system/timers.target.wants +%ghost %dir %attr(0700,-,-) /var/lib/portables %ghost %dir %attr(0755,-,-) /var/lib/rpm-state/systemd %files libs -f .file-list-libs 
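Review bot: In `process_u`, the `*:*` branch prints `user($1) = ${uid}` without checking that `uid` is numeric, although `$2` and `group` both get the `${…##*[!0-9]*}` test. A field with a non-numeric value before the colon (for example `-`) would therefore be emitted as a versioned Provides such as `user(name) = -`. The same branch runs `echo $2 | cut …` unquoted, so text read from the packaged sysusers.d fragment is subject to word splitting and globbing, and `uid`/`group` are set as globals. Splitting with parameter expansion and testing each half separately covers all three; the inner `# UID:.` comment in the else arm presumably means `UID:groupname` and could say so.

```shell
    elif [[ $2 == *:* ]]; then
        # UID:GID or UID:groupname; emit "= N" only for numeric halves.
        local uid=${2%%:*} group=${2#*:}
        if [ -n "${uid##*[!0-9]*}" ]; then
            echo "user($1) = ${uid}"
        else
            echo "user($1)"
        fi
        if [ -n "${group##*[!0-9]*}" ]; then
            echo "group($1) = ${group}"
        else
            echo "group(${group})"
        fi
    # … unchanged: dynamic fallback branch …
```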
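Review bot: The `0700` mode on the new `%ghost %dir` entry for `/var/lib/portables` is not explained. Because the entry is `%ghost`, the package does not ship the directory, so the recorded mode has to agree with whatever creates it at runtime (presumably a tmpfiles.d entry, not visible in this hunk). A one-line comment above it, such as `# root-only image store; mode must match the tmpfiles.d entry`, would record why the mode is restrictive and what it must stay in sync with. The same applies to `/var/lib/machines` in the `@@ -962,6 +963,7 @@` hunk; the `%files` list continues outside both hunks.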
@@ -962,6 +963,7 @@ fi %files udev -f .file-list-udev %files container -f .file-list-container +%ghost %dir %attr(0700,-,-) /var/lib/machines %files journal-remote -f .file-list-remote From 0bc76983d323cf353b6303aff71682fe6d4773bf Mon Sep 17 00:00:00 2001 From: David Tardon Date: Thu, 20 May 2021 16:52:27 +0200 Subject: [PATCH 35/38] Fix ELF dependencies on 32-bit architectures (cherry picked from commit b5ae705da9816de1f0419b4267daef48ce5f592c) --- systemd.spec | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/systemd.spec b/systemd.spec index 2d40ca1..2045ac8 100644 --- a/systemd.spec +++ b/systemd.spec @@ -12,6 +12,11 @@ %global system_unit_dir %{pkgdir}/system %global user_unit_dir %{pkgdir}/user +%if 0%{?__isa_bits} == 64 +%global elf_bits (64bit) +%global elf_suffix ()%{elf_bits} +%endif + # Bootstrap may be needed to break intercircular dependencies with # cryptsetup, e.g. when re-building cryptsetup on a json-c SONAME-bump. %bcond_with bootstrap 
@@ -192,14 +197,14 @@ Conflicts: %{name}-standalone-sysusers < %{version}-%{release}^ Obsoletes: %{name}-standalone-sysusers < %{version}-%{release}^ # Recommends to replace normal Requires deps for stuff that is dlopen()ed -Recommends: libcryptsetup.so.12()(64bit) -Recommends: libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit) -Recommends: libidn2.so.0()(64bit) -Recommends: libidn2.so.0(IDN2_0.0.0)(64bit) -Recommends: libpcre2-8.so.0()(64bit) -Recommends: libpwquality.so.1()(64bit) -Recommends: libpwquality.so.1(LIBPWQUALITY_1.0)(64bit) -Recommends: libqrencode.so.4()(64bit) +Recommends: libcryptsetup.so.12%{?elf_suffix} +Recommends: libcryptsetup.so.12(CRYPTSETUP_2.0)%{?elf_bits} +Recommends: libidn2.so.0%{?elf_suffix} +Recommends: libidn2.so.0(IDN2_0.0.0)%{?elf_bits} +Recommends: libpcre2-8.so.0%{?elf_suffix} +Recommends: libpwquality.so.1%{?elf_suffix} +Recommends: libpwquality.so.1(LIBPWQUALITY_1.0)%{?elf_bits} +Recommends: libqrencode.so.4%{?elf_suffix} %description systemd is a system and service manager that runs as PID 1 and starts From 30f0e9e8e622c58a7eceb272b398f6c4d7f355fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 9 Dec 2021 23:10:44 +0100 Subject: [PATCH 36/38] Add Recommends for dlopened libs and move files into subpackages (cherry picked from commit b24b99d669ecd2465f291139fbc85b7da26c1249) (cherry picked from commit 52e7bf289211b424c39528d526ab4168e24f0ca8) --- split-files.py | 19 ++++++++++++++++--- systemd.spec | 23 +++++++++++++++++++++++ 2 files changed, 39 insertions(+), 3 deletions(-) diff --git a/split-files.py b/split-files.py index ab9147a..156e869 100644 --- a/split-files.py +++ b/split-files.py @@ -84,6 +84,7 @@ for file in files(buildroot): o = o_networkd elif '.so.' in n: o = o_libs + elif re.search(r'''udev(?!\.pc)| hwdb| bootctl| @@ -97,6 +98,7 @@ for file in files(buildroot): random-seed| modules-load| timesync| + crypttab| cryptsetup| kmod| quota| 
@@ -109,17 +111,27 @@ for file in files(buildroot): repart| gpt-auto| volatile-root| - verity-setup| + veritysetup| + integritysetup| + integritytab| remount-fs| /boot$| /boot/efi| /kernel/| /kernel$| - /modprobe.d - ''', n, re.X): + /modprobe.d| + binfmt| + sysctl| + coredump| + homed|home1| + portabled|portable1 + ''', n, re.X): # coredumpctl, homectl, portablectl are included in the main package because + # they can be used to interact with remote daemons. Also, the user could be + # confused if those user-facing binaries are not available. o = o_udev elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X): o = o_oomd_defaults + elif n.endswith('.standalone'): if 'tmpfiles' in n: o = o_standalone_tmpfiles @@ -127,6 +139,7 @@ for file in files(buildroot): o = o_standalone_sysusers else: assert False, 'Found .standalone not belonging to known packages' + else: o = o_rest diff --git a/systemd.spec b/systemd.spec index 2045ac8..55f458b 100644 --- a/systemd.spec +++ b/systemd.spec @@ -205,6 +205,12 @@ Recommends: libpcre2-8.so.0%{?elf_suffix} Recommends: libpwquality.so.1%{?elf_suffix} Recommends: libpwquality.so.1(LIBPWQUALITY_1.0)%{?elf_bits} Recommends: libqrencode.so.4%{?elf_suffix} +Recommends: libbpf.so.0%{?elf_suffix} +Recommends: libbpf.so.0(LIBBPF_0.4.0)%{?elf_bits} + +# used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home +Recommends: libcryptsetup.so.12%{?elf_suffix} +Recommends: libcryptsetup.so.12(CRYPTSETUP_2.4)%{?elf_bits} %description systemd is a system and service manager that runs as PID 1 and starts 
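Review bot: The new `coredump` alternative is an unanchored substring, so `re.search` also matches any path containing `coredumpctl`, which the comment on the same statement says is meant to stay in the main package. `homed` and `portabled` do not have this problem, because `homectl` and `portablectl` do not contain them. Unless an earlier `elif` branch (outside this hunk) already claims those paths, `coredumpctl` and its man page would be assigned to `o_udev`. If the comment states the intent, `coredump(?!ctl)|` would exclude the client binary the same way the existing `udev(?!\.pc)` excludes the pkg-config file.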
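Review bot: In the `@@ -205,6 +205,12 @@` hunk the added `Recommends: libcryptsetup.so.12%{?elf_suffix}` repeats an entry already listed a few lines above in the same block, and the base package ends up recommending both `(CRYPTSETUP_2.0)` and `(CRYPTSETUP_2.4)`. If only the newer symbol version is needed, replacing the old line would keep the list unambiguous; if both are intended, a short comment saying so would help. The new comment also misspells `veritysetup` as `veritysetyp`, and the same comment is repeated in the udev subpackage hunk at `@@ -290,6 +296,17 @@`.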
@@ -290,6 +296,17 @@ Provides: udev = %{version} Provides: udev%{_isa} = %{version} Obsoletes: udev < 183 +# Recommends to replace normal Requires deps for stuff that is dlopen()ed +# used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home +Recommends: libcryptsetup.so.12%{?elf_suffix} +Recommends: libcryptsetup.so.12(CRYPTSETUP_2.4)%{?elf_bits} + +# used by home, cryptsetup, cryptenroll +Recommends: libfido2.so.1%{?elf_suffix} +Recommends: libtss2-esys.so.0%{?elf_suffix} +Recommends: libtss2-mu.so.0%{?elf_suffix} +Recommends: libtss2-rc.so.0%{?elf_suffix} + # https://bugzilla.redhat.com/show_bug.cgi?id=1377733#c9 Suggests: systemd-bootchart # https://bugzilla.redhat.com/show_bug.cgi?id=1408878 @@ -308,6 +325,9 @@ This package contains systemd-udev and the rules and hardware database needed to manage device nodes. This package is necessary on physical machines and in virtual machines, but not in containers. +It also contains tools to manage encrypted home areas and secrets bound to the +machine. + %package container # Name is the same as in Debian Summary: Tools for containers and VMs @@ -983,6 +1003,9 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Thu Jan 13 2022 Zbigniew Jędrzejewski-Szmek - 248.9-1 +- Add missing requirements for libfido2 and libtss2 (#1975827) + * Tue Oct 12 2021 Zbigniew Jędrzejewski-Szmek - 248.9-1 - Rebuild of 248.8 with one patch removed (causing #2013386) and one patch added (for #1998488). From 18382109a50fe6e1a39fc47ecbf6597f4824ec50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 13 Jan 2022 11:57:02 +0100 Subject: [PATCH 37/38] Version 248.10 --- sources | 2 +- systemd.spec | 19 ++++++++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/sources b/sources index c03f53a..3aae160 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (systemd-248.9.tar.gz) = 7fbeab6fe7f60c9eb62dd0457226a783a0398579c22142e7897a533ce4d97f654754ffd0dc8dd6102990e5b7095e54ea446e5bc06abb18faa3a04ae820900e36 +SHA512 (systemd-248.10.tar.gz) = b3cd0183a28d1b0b25f0e601dbe0a62933bbc67cd24df56a03503561cb3b7517d93c5bb3597161971f23c9daa7eb04deee8c0ed97c61d0cffa2aaafb891034ad diff --git a/systemd.spec b/systemd.spec index 55f458b..ee55904 100644 --- a/systemd.spec +++ b/systemd.spec @@ -25,7 +25,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248.9 +Version: 248.10 Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -1003,6 +1003,23 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Thu Jan 13 2022 Zbigniew Jędrzejewski-Szmek - 248.10-1 +- Latest upstream bugfix release: fixes for the manager, sd-boot, + systemd-networkd, systemd-resolved, systemd-journald, systemd-homed, + unusual protocols are disabled in systemd-importd, utmp entries, nss + modules, VirtualBox virtualization detection, various documentation + updates +- Users logged in locally get access to media nodes (webcams and such). +- Make systemd-xdg-autostart-service ignore missing condition check binary + (related to #2038750, but does not fix it) +- Allow mprotect(2), arch_prctl(2) in @default seccomp filter +- Fix sysusers without /proc (#2036217) +- Ordering of various units during early boot and shutdown is adjusted to fix + some corner cases +- Maximum numbers of files are bumped for /dev and /tmp +- CVE-2021-3997, #2039383: systemd-tmpfiles would exhaust the stack and crash + during excessive recursion on a very deeply nested directory structure + * Thu Jan 13 2022 Zbigniew Jędrzejewski-Szmek - 248.9-1 - Add missing requirements for libfido2 and libtss2 (#1975827) From 23ee798cbd923f9e44444460c5994aa73f027082 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 10 Feb 2022 17:52:26 +0100 Subject: [PATCH 38/38] Add Conflicts for older systemd and systemd-udev versions --- systemd.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/systemd.spec b/systemd.spec index ee55904..e972fee 100644 --- a/systemd.spec +++ b/systemd.spec @@ -184,6 +184,8 @@ Provides: system-setup-keyboard = 0.9 Obsoletes: systemd-sysv < 206 # self-obsoletes so that dnf will install new subpackages on upgrade (#1260394) Obsoletes: %{name} < 246.6-2 +# https://bugzilla.redhat.com/show_bug.cgi?id=2051019 +Conflicts: %{name}-udev < %{version}-%{release} Provides: systemd-sysv = 206 Conflicts: initscripts < 9.56.1 %if 0%{?fedora} @@ -295,6 +297,8 @@ Obsoletes: systemd < 245.6-1 Provides: udev = %{version} Provides: udev%{_isa} = %{version} Obsoletes: udev < 183 +# https://bugzilla.redhat.com/show_bug.cgi?id=2051019 +Conflicts: %{name} < %{version}-%{release} # Recommends to replace normal Requires deps for stuff that is dlopen()ed # used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home @@ -1003,6 +1007,10 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Thu Feb 10 2022 Zbigniew Jędrzejewski-Szmek - 248.10-1 +- Add Conflicts for older systemd and systemd-udev versions to fix issue with + files being moved between subpackages (rhbz#2051019) + * Thu Jan 13 2022 Zbigniew Jędrzejewski-Szmek - 248.10-1 - Latest upstream bugfix release: fixes for the manager, sd-boot, systemd-networkd, systemd-resolved, systemd-journald, systemd-homed,
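Review bot: The new `Conflicts: %{name}-udev < %{version}-%{release}` and `Conflicts: %{name} < %{version}-%{release}` only exclude builds with a strictly lower version-release. This commit adds a changelog entry labelled `248.10-1` again, and the diffstat shows no `Release:` change. If a `248.10-1` build without these Conflicts was already published, it has the same version-release and would not be caught, so a mixed install of old and new subpackages would remain possible. Bumping the release with this change (`Release: 2%{?dist}` and a `248.10-2` changelog entry) would avoid that; the `Release:` line itself is outside these hunks.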