[rpm/f18] - fix build-time double-free on file capability processing (#956190) - check for stale locks when op

Panu Matilainen pmatilai at fedoraproject.org
Mon Aug 26 08:48:04 UTC 2013 

commit fdb7b534920a0a22965af8e98ba4f2361c2dab7c
Author: Panu Matilainen <pmatilai at redhat.com>
Date:   Mon Aug 26 11:44:02 2013 +0300

    - fix build-time double-free on file capability processing (#956190)
    - check for stale locks when opening write-cursors (#860500)
    - serialize BDB environment open/close (#924417)

 rpm-4.10.x-caps-double-free.patch |   13 ++++
 rpm-4.10.x-cursor-failchk.patch   |   58 +++++++++++++++
 rpm-4.10.x-db-serialize.patch     |  139 +++++++++++++++++++++++++++++++++++++
 rpm.spec                          |   14 ++++-
 4 files changed, 223 insertions(+), 1 deletions(-)
---
diff --git a/rpm-4.10.x-caps-double-free.patch b/rpm-4.10.x-caps-double-free.patch
new file mode 100644
index 0000000..d8d80d5
--- /dev/null
+++ b/rpm-4.10.x-caps-double-free.patch
@@ -0,0 +1,13 @@
+diff --git a/build/files.c b/build/files.c
+index 30061cf..df1eedf 100644
+--- a/build/files.c
++++ b/build/files.c
+@@ -1481,7 +1481,7 @@ static rpmRC addFile(FileList fl, const char * diskPath,
+ 	}
+ 
+ 	if (fl->currentCaps) {
+-	    flp->caps = fl->currentCaps;
++	    flp->caps = xstrdup(fl->currentCaps);
+ 	} else {
+ 	    flp->caps = xstrdup("");
+ 	}
diff --git a/rpm-4.10.x-cursor-failchk.patch b/rpm-4.10.x-cursor-failchk.patch
new file mode 100644
index 0000000..c5ecc03
--- /dev/null
+++ b/rpm-4.10.x-cursor-failchk.patch
@@ -0,0 +1,58 @@
+commit 918b2892b46036ac46f07c3156ed78b45e4e2ee2
+Author: Panu Matilainen <pmatilai at redhat.com>
+Date:   Tue Feb 5 10:11:19 2013 +0200
+
+    Check for stale db locks when opening write-cursors
+    
+    - During long-running transactions its entirely possible for some
+      other player to come and go leaving stale locks behind and cause
+      the transaction to get stuck until the cavalry comes along in the
+      form of somebody else opening the rpmdb, clearing the blockage.
+    - Presumably dbenv->failchk() is not entirely free of cost so we only
+      do this for writes which are way more critical and also more prone to
+      getting stuck.
+    - dbenv->failchk() could return DB_RUNRECOVER in which case we should
+      abort everything but we lack a mechanism to do it... just add
+      a reminder comment for now.
+    
+    (cherry picked from commit 29e7c4b3bd1e67f9de1eaaf9fecf82cae281a7e6)
+
+diff --git a/lib/backend/db3.c b/lib/backend/db3.c
+index bbf9577..ed2a5f8 100644
+--- a/lib/backend/db3.c
++++ b/lib/backend/db3.c
+@@ -244,7 +244,7 @@ dbiCursor dbiCursorInit(dbiIndex dbi, unsigned int flags)
+ 	DB * db = dbi->dbi_db;
+ 	DBC * cursor;
+ 	int cflags;
+-	int rc;
++	int rc = 0;
+ 	uint32_t eflags = db_envflags(db);
+ 	
+        /* DB_WRITECURSOR requires CDB and writable db */
+@@ -255,8 +255,23 @@ dbiCursor dbiCursorInit(dbiIndex dbi, unsigned int flags)
+ 	} else
+ 	    cflags = 0;
+ 
+-	rc = db->cursor(db, NULL, &cursor, cflags);
+-	rc = cvtdberr(dbi, "db->cursor", rc, _debug);
++	/*
++	 * Check for stale locks which could block writes "forever".
++	 * XXX: Should we also do this on reads? Reads are less likely
++	 *      to get blocked so it seems excessive...
++	 * XXX: On DB_RUNRECOVER, we should abort everything. Now
++	 *      we'll just fail to open a cursor again and again and again.
++	 */
++	if (cflags & DB_WRITECURSOR) {
++	    DB_ENV *dbenv = db->get_env(db);
++	    rc = dbenv->failchk(dbenv, 0);
++	    rc = cvtdberr(dbi, "dbenv->failchk", rc, _debug);
++	}
++
++	if (rc == 0) {
++	    rc = db->cursor(db, NULL, &cursor, cflags);
++	    rc = cvtdberr(dbi, "db->cursor", rc, _debug);
++	}
+ 
+ 	if (rc == 0) {
+ 	    dbc = xcalloc(1, sizeof(*dbc));
diff --git a/rpm-4.10.x-db-serialize.patch b/rpm-4.10.x-db-serialize.patch
new file mode 100644
index 0000000..a98684c
--- /dev/null
+++ b/rpm-4.10.x-db-serialize.patch
@@ -0,0 +1,139 @@
+commit 7e291848bcaea13b3d973901703ec3c760195335
+Author: Panu Matilainen <pmatilai at redhat.com>
+Date:   Tue May 28 08:56:22 2013 +0300
+
+    Serialize BDB environment open/close (RhBug:924417 etc)
+    
+    - Introduce Yet Another Broken Lock[*] to serialize BDB environment open:
+      otherwise we can end up calling dbenv->failchk() while another process
+      is just joining the environment, leading to transient "Thread died in..."
+      DB_RUNRECOVER errors. Also prevents races on chrooted operations where
+      we remove the entire environment on close.
+    - This should also make it possible to handle at least some cases of
+      real DB_RUNRECOVER errors by just nuking the environment but that's
+      another topic...
+    
+      [*] YABL as this is nowhere near foolproof or sufficient for all
+          the possible variants, but better than not having it...
+    
+    (cherry picked from commit ad874d60e3804f1bcd64f3510e1e2dfbf81456cd)
+
+diff --git a/lib/backend/db3.c b/lib/backend/db3.c
+index ed2a5f8..f46c9ff 100644
+--- a/lib/backend/db3.c
++++ b/lib/backend/db3.c
+@@ -57,10 +57,42 @@ static uint32_t db_envflags(DB * db)
+     return eflags;
+ }
+ 
++/*
++ * Try to acquire db environment open/close serialization lock.
++ * Return the open, locked fd on success, -1 on failure.
++ */
++static int serialize_env(const char *dbhome)
++{
++    char *lock_path = rstrscat(NULL, dbhome, "/.dbenv.lock", NULL);
++    mode_t oldmask = umask(022);
++    int fd = open(lock_path, (O_RDWR|O_CREAT), 0644);
++    umask(oldmask);
++
++    if (fd >= 0) {
++	int rc;
++	struct flock info;
++	memset(&info, 0, sizeof(info));
++	info.l_type = F_WRLCK;
++	info.l_whence = SEEK_SET;
++	do {
++	    rc = fcntl(fd, F_SETLKW, &info);
++	} while (rc == -1 && errno == EINTR);
++	    
++	if (rc == -1) {
++	    close(fd);
++	    fd = -1;
++	}
++    }
++
++    free(lock_path);
++    return fd;
++}
++
+ static int db_fini(rpmdb rdb, const char * dbhome)
+ {
+     DB_ENV * dbenv = rdb->db_dbenv;
+     int rc;
++    int lockfd = -1;
+     uint32_t eflags = 0;
+ 
+     if (dbenv == NULL)
+@@ -72,6 +104,9 @@ static int db_fini(rpmdb rdb, const char * dbhome)
+     }
+ 
+     (void) dbenv->get_open_flags(dbenv, &eflags);
++    if (!(eflags & DB_PRIVATE))
++	lockfd = serialize_env(dbhome);
++
+     rc = dbenv->close(dbenv, 0);
+     rc = dbapi_err(rdb, "dbenv->close", rc, _debug);
+ 
+@@ -89,6 +124,10 @@ static int db_fini(rpmdb rdb, const char * dbhome)
+ 	rpmlog(RPMLOG_DEBUG, "removed  db environment %s\n", dbhome);
+ 
+     }
++
++    if (lockfd >= 0)
++	close(lockfd);
++
+     return rc;
+ }
+ 
+@@ -122,6 +161,7 @@ static int db_init(rpmdb rdb, const char * dbhome)
+     DB_ENV *dbenv = NULL;
+     int rc, xx;
+     int retry_open = 2;
++    int lockfd = -1;
+     struct dbConfig_s * cfg = &rdb->cfg;
+     /* This is our setup, thou shall not have other setups before us */
+     uint32_t eflags = (DB_CREATE|DB_INIT_MPOOL|DB_INIT_CDB);
+@@ -176,6 +216,24 @@ static int db_init(rpmdb rdb, const char * dbhome)
+     }
+ 
+     /*
++     * Serialize shared environment open (and clock) via fcntl() lock.
++     * Otherwise we can end up calling dbenv->failchk() while another
++     * process is joining the environment, leading to transient
++     * DB_RUNRECOVER errors. Also prevents races wrt removing the
++     * environment (eg chrooted operation). Silently fall back to
++     * private environment on failure to allow non-privileged queries
++     * to "work", broken as it might be.
++     */
++    if (!(eflags & DB_PRIVATE)) {
++	lockfd = serialize_env(dbhome);
++	if (lockfd < 0) {
++	    eflags |= DB_PRIVATE;
++	    retry_open--;
++	    rpmlog(RPMLOG_DEBUG, "serialize failed, using private dbenv\n");
++	}
++    }
++
++    /*
+      * Actually open the environment. Fall back to private environment
+      * if we dont have permission to join/create shared environment or
+      * system doesn't support it..
+@@ -208,6 +266,8 @@ static int db_init(rpmdb rdb, const char * dbhome)
+     rdb->db_dbenv = dbenv;
+     rdb->db_opens = 1;
+ 
++    if (lockfd >= 0)
++	close(lockfd);
+     return 0;
+ 
+ errxit:
+@@ -216,6 +276,8 @@ errxit:
+ 	xx = dbenv->close(dbenv, 0);
+ 	xx = dbapi_err(rdb, "dbenv->close", xx, _debug);
+     }
++    if (lockfd >= 0)
++	close(lockfd);
+     return rc;
+ }
+ 
diff --git a/rpm.spec b/rpm.spec
index aa89828..59513f0 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -21,7 +21,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}1%{?dist}
+Release: %{?snapver:0.%{snapver}.}2%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.10.x/%{name}-%{srcver}.tar.bz2
@@ -45,6 +45,9 @@ Patch5: rpm-4.9.90-armhfp.patch
 Patch6: rpm-4.9.0-armhfp-logic.patch
 
 # Patches already in upstream
+Patch100: rpm-4.10.x-caps-double-free.patch
+Patch101: rpm-4.10.x-cursor-failchk.patch
+Patch102: rpm-4.10.x-db-serialize.patch
 
 # These are not yet upstream
 Patch301: rpm-4.6.0-niagara.patch
@@ -218,6 +221,10 @@ packages on a system.
 %patch3 -p1 -b .no-man-dirs
 %patch4 -p1 -b .use-gpg2
 
+%patch100 -p1 -b .caps-double-free
+%patch101 -p1 -b .cursor-failchk
+%patch102 -p1 -b .db-serialize
+
 %patch301 -p1 -b .niagara
 %patch302 -p1 -b .geode
 %patch304 -p1 -b .ldflags
@@ -448,6 +455,11 @@ exit 0
 %doc COPYING doc/librpm/html/*
 
 %changelog
+* Mon Aug 26 2013 Panu Matilainen <pmatilai at redhat.com> - 4.10.3.1-2
+- fix build-time double-free on file capability processing (#956190)
+- check for stale locks when opening write-cursors (#860500)
+- serialize BDB environment open/close (#924417)
+
 * Wed Feb 06 2013 Panu Matilainen <pmatilai at redhat.com> - 4.10.3.1-1
 - update to 4.10.3.1 (http://rpm.org/wiki/Releases/4.10.3.1)

More information about the scm-commits mailing list