155 lines
7.2 KiB
Diff
155 lines
7.2 KiB
Diff
|
From 8b0f54c9290564e8c27c9c8ac464cdcc2c659ad5 Mon Sep 17 00:00:00 2001
|
||
|
|
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||
|
|
Date: Sat, 6 Mar 2021 19:06:08 +0100
|
||
|
|
Subject: [PATCH 1/3] pid1: return varlink error on the right connection
|
||
|
|
|
||
|
|
---
|
||
|
|
src/core/core-varlink.c | 6 +++---
|
||
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/src/core/core-varlink.c b/src/core/core-varlink.c
|
||
|
|
index d695106658b..b3df8cd893c 100644
|
||
|
|
--- a/src/core/core-varlink.c
|
||
|
|
+++ b/src/core/core-varlink.c
|
||
|
|
@@ -142,7 +142,7 @@ static int vl_method_subscribe_managed_oom_cgroups(
|
||
|
|
/* We only take one subscriber for this method so return an error if there's already an existing one.
|
||
|
|
* This shouldn't happen since systemd-oomd is the only client of this method. */
|
||
|
|
if (FLAGS_SET(flags, VARLINK_METHOD_MORE) && m->managed_oom_varlink_request)
|
||
|
|
- return varlink_error(m->managed_oom_varlink_request, VARLINK_ERROR_SUBSCRIPTION_TAKEN, NULL);
|
||
|
|
+ return varlink_error(link, VARLINK_ERROR_SUBSCRIPTION_TAKEN, NULL);
|
||
|
|
|
||
|
|
r = json_build(&arr, JSON_BUILD_EMPTY_ARRAY);
|
||
|
|
if (r < 0)
|
||
|
|
@@ -188,6 +188,7 @@ static int vl_method_subscribe_managed_oom_cgroups(
|
||
|
|
if (!FLAGS_SET(flags, VARLINK_METHOD_MORE))
|
||
|
|
return varlink_reply(link, v);
|
||
|
|
|
||
|
|
+ assert(!m->managed_oom_varlink_request);
|
||
|
|
m->managed_oom_varlink_request = varlink_ref(link);
|
||
|
|
return varlink_notify(m->managed_oom_varlink_request, v);
|
||
|
|
}
|
||
|
|
@@ -475,8 +476,7 @@ void manager_varlink_done(Manager *m) {
|
||
|
|
assert(m);
|
||
|
|
|
||
|
|
/* Send the final message if we still have a subscribe request open. */
|
||
|
|
- if (m->managed_oom_varlink_request)
|
||
|
|
- m->managed_oom_varlink_request = varlink_close_unref(m->managed_oom_varlink_request);
|
||
|
|
+ m->managed_oom_varlink_request = varlink_close_unref(m->managed_oom_varlink_request);
|
||
|
|
|
||
|
|
m->varlink_server = varlink_server_unref(m->varlink_server);
|
||
|
|
}
|
||
|
|
|
||
|
|
From 39ad3f1c092b5dffcbb4b1d12eb9ca407f010a3c Mon Sep 17 00:00:00 2001
|
||
|
|
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||
|
|
Date: Sun, 7 Mar 2021 16:42:35 +0100
|
||
|
|
Subject: [PATCH 2/3] varlink: avoid using dangling ref in
|
||
|
|
varlink_close_unref()
|
||
|
|
|
||
|
|
Fixes #18025, https://bugzilla.redhat.com/show_bug.cgi?id=1931034.
|
||
|
|
|
||
|
|
We drop the reference stored in Manager.managed_oom_varlink_request in two code paths:
|
||
|
|
vl_disconnect() which is installed as a disconnect callback, and in manager_varlink_done().
|
||
|
|
But we also make a disconnect from manager_varlink_done(). So we end up with the following
|
||
|
|
call stack:
|
||
|
|
|
||
|
|
(gdb) bt
|
||
|
|
0 vl_disconnect (s=0x112c7b0, link=0xea0070, userdata=0xe9bcc0) at ../src/core/core-varlink.c:414
|
||
|
|
1 0x00007f1366e9d5ac in varlink_detach_server (v=0xea0070) at ../src/shared/varlink.c:1210
|
||
|
|
2 0x00007f1366e9d664 in varlink_close (v=0xea0070) at ../src/shared/varlink.c:1228
|
||
|
|
3 0x00007f1366e9d6b5 in varlink_close_unref (v=0xea0070) at ../src/shared/varlink.c:1240
|
||
|
|
4 0x0000000000524629 in manager_varlink_done (m=0xe9bcc0) at ../src/core/core-varlink.c:479
|
||
|
|
5 0x000000000048ef7b in manager_free (m=0xe9bcc0) at ../src/core/manager.c:1357
|
||
|
|
6 0x000000000042602c in main (argc=5, argv=0x7fff439c43d8) at ../src/core/main.c:2909
|
||
|
|
|
||
|
|
When we enter vl_disconnect(), m->managed_oom_varlink_request.n_ref==1.
|
||
|
|
When we exit from vl_discconect(), m->managed_oom_varlink_request==NULL. But
|
||
|
|
varlink_close_unref() has a copy of the pointer in *v. When we continue executing
|
||
|
|
varlink_close_unref(), this pointer is dangling, and the call to varlink_unref()
|
||
|
|
is done with an invalid pointer.
|
||
|
|
---
|
||
|
|
src/shared/varlink.c | 33 +++++++++++++++++++++++++--------
|
||
|
|
1 file changed, 25 insertions(+), 8 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/src/shared/varlink.c b/src/shared/varlink.c
|
||
|
|
index 31128e02e06..6ed72075ba5 100644
|
||
|
|
--- a/src/shared/varlink.c
|
||
|
|
+++ b/src/shared/varlink.c
|
||
|
|
@@ -1206,8 +1206,9 @@ int varlink_close(Varlink *v) {
|
||
|
|
|
||
|
|
varlink_set_state(v, VARLINK_DISCONNECTED);
|
||
|
|
|
||
|
|
- /* Let's take a reference first, since varlink_detach_server() might drop the final (dangling) ref
|
||
|
|
- * which would destroy us before we can call varlink_clear() */
|
||
|
|
+ /* Let's take a reference first, since varlink_detach_server() might drop the final ref from the
|
||
|
|
+ * disconnect callback, which would invalidate the pointer we are holding before we can call
|
||
|
|
+ * varlink_clear(). */
|
||
|
|
varlink_ref(v);
|
||
|
|
varlink_detach_server(v);
|
||
|
|
varlink_clear(v);
|
||
|
|
@@ -1220,17 +1221,33 @@ Varlink* varlink_close_unref(Varlink *v) {
|
||
|
|
if (!v)
|
||
|
|
return NULL;
|
||
|
|
|
||
|
|
- (void) varlink_close(v);
|
||
|
|
+ /* A reference is given to us to be destroyed. But when calling varlink_close(), a callback might
|
||
|
|
+ * also drop a reference. We allow this, and will hold a temporary reference to the object to make
|
||
|
|
+ * sure that the object still exists when control returns to us. If there's just one reference
|
||
|
|
+ * remaining after varlink_close(), even though there were at least two right before, we'll handle
|
||
|
|
+ * that gracefully instead of crashing.
|
||
|
|
+ *
|
||
|
|
+ * In other words, this call drops the donated reference, but if the internal call to varlink_close()
|
||
|
|
+ * dropped a reference to, we don't drop the reference afain. This allows the caller to say:
|
||
|
|
+ * global_object->varlink = varlink_close_unref(global_object->varlink);
|
||
|
|
+ * even though there is some callback which has access to global_object and may drop the reference
|
||
|
|
+ * stored in global_object->varlink. Without this step, the same code would have to be written as:
|
||
|
|
+ * Varlink *t = TAKE_PTR(global_object->varlink);
|
||
|
|
+ * varlink_close_unref(t);
|
||
|
|
+ */
|
||
|
|
+ /* n_ref >= 1 */
|
||
|
|
+ varlink_ref(v); /* n_ref >= 2 */
|
||
|
|
+ varlink_close(v); /* n_ref >= 1 */
|
||
|
|
+ if (v->n_ref > 1)
|
||
|
|
+ v->n_ref--; /* n_ref >= 1 */
|
||
|
|
return varlink_unref(v);
|
||
|
|
}
|
||
|
|
|
||
|
|
Varlink* varlink_flush_close_unref(Varlink *v) {
|
||
|
|
- if (!v)
|
||
|
|
- return NULL;
|
||
|
|
+ if (v)
|
||
|
|
+ varlink_flush(v);
|
||
|
|
|
||
|
|
- (void) varlink_flush(v);
|
||
|
|
- (void) varlink_close(v);
|
||
|
|
- return varlink_unref(v);
|
||
|
|
+ return varlink_close_unref(v);
|
||
|
|
}
|
||
|
|
|
||
|
|
static int varlink_enqueue_json(Varlink *v, JsonVariant *m) {
|
||
|
|
|
||
|
|
From a19c1a4baaa1dadc80885e3ad41f19a6c6c450fd Mon Sep 17 00:00:00 2001
|
||
|
|
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||
|
|
Date: Mon, 8 Mar 2021 09:21:25 +0100
|
||
|
|
Subject: [PATCH 3/3] oomd: "downgrade" level of message
|
||
|
|
|
||
|
|
PID1 already logs about the service being started, so this line isn't necessary
|
||
|
|
in normal use. Also, by the time it is emitted, the service has already
|
||
|
|
signalled readiness, so let's not say "starting" but "started".
|
||
|
|
---
|
||
|
|
src/oom/oomd.c | 2 +-
|
||
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/src/oom/oomd.c b/src/oom/oomd.c
|
||
|
|
index 674d53fdcfe..6e2a5889d1e 100644
|
||
|
|
--- a/src/oom/oomd.c
|
||
|
|
+++ b/src/oom/oomd.c
|
||
|
|
@@ -170,7 +170,7 @@ static int run(int argc, char *argv[]) {
|
||
|
|
|
||
|
|
notify_msg = notify_start(NOTIFY_READY, NOTIFY_STOPPING);
|
||
|
|
|
||
|
|
- log_info("systemd-oomd starting%s!", arg_dry_run ? " in dry run mode" : "");
|
||
|
|
+ log_debug("systemd-oomd started%s.", arg_dry_run ? " in dry run mode" : "");
|
||
|
|
|
||
|
|
r = sd_event_loop(m->event);
|
||
|
|
if (r < 0)
|