Ubuntu
systemd package

Merge ~slyon/ubuntu/+source/systemd:slyon/revert-resolved-segfault into ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-focal

  1. Git
  2. lp:~slyon/ubuntu/+source/systemd
  3. slyon/revert-resolved-segfault
  4. Merge into ubuntu-focal
Proposed by Lukas Märdian
Status: Rejected
Rejected by: Lukas Märdian
Proposed branch: ~slyon/ubuntu/+source/systemd:slyon/revert-resolved-segfault
Merge into: ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-focal
Diff against target: 208 lines (+10/-173)
3 files modified
debian/changelog (+10/-0)
debian/patches/series (+0/-1)
dev/null (+0/-172)
Reviewer Review Type Date Requested Status
Lukas Märdian Disapprove
Dan Streetman Pending
Review via email: mp+408816@code.launchpad.net

Commit message

revert/remove resolved-disable-event-sources-before-unreffing-them.patch

    This did not fix the root-cause of the segfault but rather moved it to a
    slightly different location in the code. (LP: #1943982)
    File: debian/patches/lp1934221-resolved-disable-event-sources-before-unreffing-them.patch

Description of the change

revert/remove resolved-disable-event-sources-before-unreffing-them.patch

    This did not fix the root-cause of the segfault but rather moved it to a
    slightly different location in the code. (LP: #1943982)
    File: debian/patches/lp1934221-resolved-disable-event-sources-before-unreffing-them.patch

To post a comment you must log in.
Revision history for this message
Lukas Märdian (slyon) wrote :

Actually, looking at the numbers of the new and old crash reports, I think we should let this update in as it seems to improve the situation, even if it is not providing a final fix for the root cause.

https://errors.ubuntu.com/problem/c4e5be3f1c7af9483993c7e6007b9325ab5b78cd (new)
https://errors.ubuntu.com/problem/bb0ce4ff8e6ef86041cfb5647b792823a20b44f7 (old)

As can be seen, the old crash does not happen anymore as of systemd 247.3-3ubuntu3.5/6 (Hirsute) and systemd 245.4-4ubuntu3.12/13 (Focal), but is instead replaced by the new (slightly different, but same root-cause crash). Not a single crash report of this type since the systemd SRU hit hirsute-updates (and started phasing for focal-updates) a week ago on 2021-09-15.

Additionally, we observed only 4 crashes (up to now) on Hirsute (where it's fully phased), whereas there have been 974 crash reports of the old crash in total. This is evidence that the new crash does happen less often, thus improves the situation overall, even though not fixing the root cause. It also supports the statement made by the original bug reporter in https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1934221/comments/34 that the crash still happens, but less frequent.

With the old crash not happening anymore and the new crash happening less frequent, I think we should ask the release team to manually approve/phase this SRU, as it improves the overall situation.

Revision history for this message
Lukas Märdian (slyon) wrote :

SRU team (RAOF) agreed, so I'm closing this one.

review: Disapprove

Unmerged commits

a75d319... by Lukas Märdian

update changelog

87fd092... by Lukas Märdian

revert/remove resolved-disable-event-sources-before-unreffing-them.patch

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index 98be76e..303329c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
1systemd (245.4-4ubuntu3.14) UNRELEASED; urgency=medium
2
3 * revert/remove resolved-disable-event-sources-before-unreffing-them.patch
4 This did not fix the root-cause of the segfault but rather moved it to a
5 slightly different location in the code. (LP: #1943982)
6 File: debian/patches/lp1934221-resolved-disable-event-sources-before-unreffing-them.patch
7 https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=87fd092cbe40be455ef99e6dbd4cef50272da1da
8
9 -- Lukas Märdian <slyon@ubuntu.com> Fri, 17 Sep 2021 16:52:06 +0200
10
1systemd (245.4-4ubuntu3.13) focal; urgency=medium11systemd (245.4-4ubuntu3.13) focal; urgency=medium
212
3 * d/p/dell-clamshell-accel-location-base-with-sku.patch:13 * d/p/dell-clamshell-accel-location-base-with-sku.patch:
diff --git a/debian/patches/lp1934221-resolved-disable-event-sources-before-unreffing-them.patch b/debian/patches/lp1934221-resolved-disable-event-sources-before-unreffing-them.patch
4deleted file mode 10064414deleted file mode 100644
index fa9b484..0000000
--- a/debian/patches/lp1934221-resolved-disable-event-sources-before-unreffing-them.patch
+++ /dev/null
@@ -1,172 +0,0 @@
1From: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
2Date: Tue, 20 Jul 2021 11:44:01 +0200
3Subject: resolved: disable event sources before unreffing them
4Origin: upstream, https://github.com/systemd/systemd/commit/97935302283729c9206b84f5e00b1aff0f78ad19
5Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1934221
6Reviewed-by: Lukas Märdian <slyon@ubuntu.com>
7
8We generally operate on the assumption that a source is "gone" as soon
9as we unref it. This is generally true because we have the only reference.
10But if something else holds the reference, our unref doesn't really stop
11the source and it could fire again.
12
13In particular, on_query_timeout() is called with DnsQuery* as userdata, and
14it calls dns_query_stop() which invalidates that pointer. If it was ever
15called again, we'd be accessing already-freed memory.
16
17I don't see what would hold the reference. sd-event takes a temporary reference,
18but on the sd_event object, not on the individual sources. And our sources
19are non-floating, so there is no reference from the sd_event object to the
20sources.
21
22For #18427.
23---
24 src/resolve/resolved-dns-query.c | 2 +-
25 src/resolve/resolved-dns-scope.c | 8 ++++----
26 src/resolve/resolved-dns-stream.c | 4 ++--
27 src/resolve/resolved-dns-stub.c | 4 ++--
28 src/resolve/resolved-dns-transaction.c | 4 ++--
29 src/resolve/resolved-llmnr.c | 8 ++++----
30 src/resolve/resolved-mdns.c | 4 ++--
31 7 files changed, 17 insertions(+), 17 deletions(-)
32
33diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
34index 4a41921..614cc32 100644
35--- a/src/resolve/resolved-dns-query.c
36+++ b/src/resolve/resolved-dns-query.c
37@@ -333,7 +333,7 @@ static void dns_query_stop(DnsQuery *q) {
38
39 assert(q);
40
41- q->timeout_event_source = sd_event_source_unref(q->timeout_event_source);
42+ q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source);
43
44 LIST_FOREACH(candidates_by_query, c, q->candidates)
45 dns_query_candidate_stop(c);
46diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
47index d7e7b5a..4701736 100644
48--- a/src/resolve/resolved-dns-scope.c
49+++ b/src/resolve/resolved-dns-scope.c
50@@ -110,9 +110,9 @@ DnsScope* dns_scope_free(DnsScope *s) {
51 hashmap_free(s->transactions_by_key);
52
53 ordered_hashmap_free_with_destructor(s->conflict_queue, dns_resource_record_unref);
54- sd_event_source_unref(s->conflict_event_source);
55+ sd_event_source_disable_unref(s->conflict_event_source);
56
57- sd_event_source_unref(s->announce_event_source);
58+ sd_event_source_disable_unref(s->announce_event_source);
59
60 dns_cache_flush(&s->cache);
61 dns_zone_flush(&s->zone);
62@@ -998,7 +998,7 @@ static int on_conflict_dispatch(sd_event_source *es, usec_t usec, void *userdata
63 assert(es);
64 assert(scope);
65
66- scope->conflict_event_source = sd_event_source_unref(scope->conflict_event_source);
67+ scope->conflict_event_source = sd_event_source_disable_unref(scope->conflict_event_source);
68
69 for (;;) {
70 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
71@@ -1204,7 +1204,7 @@ static int on_announcement_timeout(sd_event_source *s, usec_t usec, void *userda
72
73 assert(s);
74
75- scope->announce_event_source = sd_event_source_unref(scope->announce_event_source);
76+ scope->announce_event_source = sd_event_source_disable_unref(scope->announce_event_source);
77
78 (void) dns_scope_announce(scope, false);
79 return 0;
80diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c
81index 2a10694..d46302e 100644
82--- a/src/resolve/resolved-dns-stream.c
83+++ b/src/resolve/resolved-dns-stream.c
84@@ -17,8 +17,8 @@
85 static void dns_stream_stop(DnsStream *s) {
86 assert(s);
87
88- s->io_event_source = sd_event_source_unref(s->io_event_source);
89- s->timeout_event_source = sd_event_source_unref(s->timeout_event_source);
90+ s->io_event_source = sd_event_source_disable_unref(s->io_event_source);
91+ s->timeout_event_source = sd_event_source_disable_unref(s->timeout_event_source);
92 s->fd = safe_close(s->fd);
93
94 /* Disconnect us from the server object if we are now not usable anymore */
95diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
96index ce994a7..851a78a 100644
97--- a/src/resolve/resolved-dns-stub.c
98+++ b/src/resolve/resolved-dns-stub.c
99@@ -577,8 +577,8 @@ int manager_dns_stub_start(Manager *m) {
100 void manager_dns_stub_stop(Manager *m) {
101 assert(m);
102
103- m->dns_stub_udp_event_source = sd_event_source_unref(m->dns_stub_udp_event_source);
104- m->dns_stub_tcp_event_source = sd_event_source_unref(m->dns_stub_tcp_event_source);
105+ m->dns_stub_udp_event_source = sd_event_source_disable_unref(m->dns_stub_udp_event_source);
106+ m->dns_stub_tcp_event_source = sd_event_source_disable_unref(m->dns_stub_tcp_event_source);
107
108 m->dns_stub_udp_fd = safe_close(m->dns_stub_udp_fd);
109 m->dns_stub_tcp_fd = safe_close(m->dns_stub_tcp_fd);
110diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
111index 2f3fb68..5e29275 100644
112--- a/src/resolve/resolved-dns-transaction.c
113+++ b/src/resolve/resolved-dns-transaction.c
114@@ -59,14 +59,14 @@ static void dns_transaction_close_connection(DnsTransaction *t) {
115 t->stream = dns_stream_unref(t->stream);
116 }
117
118- t->dns_udp_event_source = sd_event_source_unref(t->dns_udp_event_source);
119+ t->dns_udp_event_source = sd_event_source_disable_unref(t->dns_udp_event_source);
120 t->dns_udp_fd = safe_close(t->dns_udp_fd);
121 }
122
123 static void dns_transaction_stop_timeout(DnsTransaction *t) {
124 assert(t);
125
126- t->timeout_event_source = sd_event_source_unref(t->timeout_event_source);
127+ t->timeout_event_source = sd_event_source_disable_unref(t->timeout_event_source);
128 }
129
130 DnsTransaction* dns_transaction_free(DnsTransaction *t) {
131diff --git a/src/resolve/resolved-llmnr.c b/src/resolve/resolved-llmnr.c
132index 61e5034..5ffa984 100644
133--- a/src/resolve/resolved-llmnr.c
134+++ b/src/resolve/resolved-llmnr.c
135@@ -11,16 +11,16 @@
136 void manager_llmnr_stop(Manager *m) {
137 assert(m);
138
139- m->llmnr_ipv4_udp_event_source = sd_event_source_unref(m->llmnr_ipv4_udp_event_source);
140+ m->llmnr_ipv4_udp_event_source = sd_event_source_disable_unref(m->llmnr_ipv4_udp_event_source);
141 m->llmnr_ipv4_udp_fd = safe_close(m->llmnr_ipv4_udp_fd);
142
143- m->llmnr_ipv6_udp_event_source = sd_event_source_unref(m->llmnr_ipv6_udp_event_source);
144+ m->llmnr_ipv6_udp_event_source = sd_event_source_disable_unref(m->llmnr_ipv6_udp_event_source);
145 m->llmnr_ipv6_udp_fd = safe_close(m->llmnr_ipv6_udp_fd);
146
147- m->llmnr_ipv4_tcp_event_source = sd_event_source_unref(m->llmnr_ipv4_tcp_event_source);
148+ m->llmnr_ipv4_tcp_event_source = sd_event_source_disable_unref(m->llmnr_ipv4_tcp_event_source);
149 m->llmnr_ipv4_tcp_fd = safe_close(m->llmnr_ipv4_tcp_fd);
150
151- m->llmnr_ipv6_tcp_event_source = sd_event_source_unref(m->llmnr_ipv6_tcp_event_source);
152+ m->llmnr_ipv6_tcp_event_source = sd_event_source_disable_unref(m->llmnr_ipv6_tcp_event_source);
153 m->llmnr_ipv6_tcp_fd = safe_close(m->llmnr_ipv6_tcp_fd);
154 }
155
156diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c
157index 921720f..15c3263 100644
158--- a/src/resolve/resolved-mdns.c
159+++ b/src/resolve/resolved-mdns.c
160@@ -15,10 +15,10 @@
161 void manager_mdns_stop(Manager *m) {
162 assert(m);
163
164- m->mdns_ipv4_event_source = sd_event_source_unref(m->mdns_ipv4_event_source);
165+ m->mdns_ipv4_event_source = sd_event_source_disable_unref(m->mdns_ipv4_event_source);
166 m->mdns_ipv4_fd = safe_close(m->mdns_ipv4_fd);
167
168- m->mdns_ipv6_event_source = sd_event_source_unref(m->mdns_ipv6_event_source);
169+ m->mdns_ipv6_event_source = sd_event_source_disable_unref(m->mdns_ipv6_event_source);
170 m->mdns_ipv6_fd = safe_close(m->mdns_ipv6_fd);
171 }
172
diff --git a/debian/patches/series b/debian/patches/series
index 9da13cd..800d12f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -146,7 +146,6 @@ lp1891215/0003-fs-util-rename-conservative_rename-conservative_rena.patch
146lp1891215/0004-fs-util-make-sure-conservative_renameat-properly-det.patch146lp1891215/0004-fs-util-make-sure-conservative_renameat-properly-det.patch
147lp1914740-network-enable-DHCP-broadcast-flag-if-required-by-in.patch147lp1914740-network-enable-DHCP-broadcast-flag-if-required-by-in.patch
148lp1934981-correct-suspend-then-sleep-string.patch148lp1934981-correct-suspend-then-sleep-string.patch
149lp1934221-resolved-disable-event-sources-before-unreffing-them.patch
150CVE-2020-13529.patch149CVE-2020-13529.patch
151CVE-2021-33910.patch150CVE-2021-33910.patch
152lp1937117/0001-revert-lp1929560-network-move-set-MAC-and-set-nomaster-operations-out.patch151lp1937117/0001-revert-lp1929560-network-move-set-MAC-and-set-nomaster-operations-out.patch

Subscribers

People subscribed via source and target branches