Merge pull request #22605 from yuwata/test-journal-send-fd-leaks

test-journal-send: fix fd leaks

coccinelle/timestamp-is-set.cocci

@@ -0,0 +1,73 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+@@
+expression x;
+constant USEC_INFINITY = USEC_INFINITY;
+/* We want to stick with the literal expression in the implementation of timestamp_is_set(), i.e. in time-util.c */
+position p : script:python() { p[0].file != "src/basic/time-util.h" };
+@@
+(
+- x > 0 && x < USEC_INFINITY
++ timestamp_is_set(x)
+|
+- x < USEC_INFINITY && x > 0
++ timestamp_is_set(x)
+|
+- x@p > 0 && x != USEC_INFINITY
++ timestamp_is_set(x)
+|
+- x != USEC_INFINITY && x > 0
++ timestamp_is_set(x)
+|
+- x != 0 && x < USEC_INFINITY
++ timestamp_is_set(x)
+|
+- x < USEC_INFINITY && x != 0
++ timestamp_is_set(x)
+|
+- x != 0 && x != USEC_INFINITY
++ timestamp_is_set(x)
+|
+- x != USEC_INFINITY && x != 0
++ timestamp_is_set(x)
+|
+- !IN_SET(x, 0, USEC_INFINITY)
++ timestamp_is_set(x)
+|
+- !IN_SET(x, USEC_INFINITY, 0)
++ timestamp_is_set(x)
+)
+@@
+expression x;
+constant USEC_INFINITY = USEC_INFINITY;
+@@
+(
+- x <= 0 || x >= USEC_INFINITY
++ !timestamp_is_set(x)
+|
+- x >= USEC_INFINITY || x <= 0
++ !timestamp_is_set(x)
+|
+- x <= 0 || x == USEC_INFINITY
++ !timestamp_is_set(x)
+|
+- x == USEC_INFINITY || x <= 0
++ !timestamp_is_set(x)
+|
+- x == 0 || x >= USEC_INFINITY
++ !timestamp_is_set(x)
+|
+- x >= USEC_INFINITY || x == 0
++ !timestamp_is_set(x)
+|
+- x == 0 || x == USEC_INFINITY
++ !timestamp_is_set(x)
+|
+- x == USEC_INFINITY || x == 0
++ !timestamp_is_set(x)
+|
+- IN_SET(x, 0, USEC_INFINITY)
++ !timestamp_is_set(x)
+|
+- IN_SET(x, USEC_INFINITY, 0)
++ !timestamp_is_set(x)
+)

man/homectl.xml

@@ -698,12 +698,12 @@
         done. If set to <literal>grow</literal> the home area is grown to the size configured via
         <option>--disk-size=</option> should it currently be smaller. If it already matches the configured
         size or is larger no operation is executed. If set to <literal>shrink-and-grow</literal> the home
-        area is also resized to the minimal size used disk space and file system constraints permit, during
+        area is also resized during logout to the minimal size the used disk space and file system
-        logout. This mode thus ensures that while a home area is activated it is sized to the configured
+        constraints permit. This mode thus ensures that while a home area is activated it is sized to the
-        size, but while deactivated it is compacted taking up only the minimal space possible. Note that if
+        configured size, but while deactivated it is compacted taking up only the minimal space possible.
-        the system is powered off abnormally or if the user otherwise not logged out cleanly the shrinking
+        Note that if the system is powered off abnormally or if the user otherwise not logged out cleanly the
-        operation will not take place, and the user has to re-login/logout again before it is executed
+        shrinking operation will not take place, and the user has to re-login/logout again before it is
-        again.</para></listitem>
+        executed again.</para></listitem>
       </varlistentry>
 
       <varlistentry>

man/integritytab.xml

@@ -50,7 +50,7 @@
     <literal>UUID=</literal> followed by the UUID,
     <literal>PARTUUID=</literal> followed by the partition UUID,
     <literal>LABEL=</literal> followed by the label,
-    <literal>PARTLABEL=</literal> followed by the partition label,
+    <literal>PARTLABEL=</literal> followed by the partition label.
     </para>
 
     <para>The third field if present contains an absolute filename path to a key file or a <literal>-</literal>

man/nss-resolve.xml

@@ -94,7 +94,7 @@
         <term><varname>$SYSTEMD_NSS_RESOLVE_CACHE</varname></term>
 
         <listitem><para>Takes a boolean argument. When false, the cache of previously queried records will
-        not be used by <filename>systemd-resolved</filename>.</para></listitem>
+        not be used by <command>systemd-resolved</command>.</para></listitem>
       </varlistentry>
     </variablelist>
 
@@ -121,7 +121,7 @@
         <term><varname>$SYSTEMD_NSS_RESOLVE_NETWORK</varname></term>
 
         <listitem><para>Takes a boolean argument. When false, answers will be returned without using the
-        network, i.e. either from local sources or the cache in <filename>systemd-resolved</filename>.
+        network, i.e. either from local sources or the cache in <command>systemd-resolved</command>.
         </para></listitem>
       </varlistentry>
     </variablelist>
@@ -130,8 +130,8 @@
   <refsect1>
     <title>Example</title>
 
-    <para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables <command>nss-resolve</command>
+    <para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
-    correctly:</para>
+    <command>nss-resolve</command> correctly:</para>
 
     <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
 <programlisting>passwd:         compat systemd

man/os-release.xml

@@ -424,10 +424,10 @@
           <term><varname>PORTABLE_PREFIXES=</varname></term>
           <listitem><para>Takes a space-separated list of one or more valid prefix match strings for the
           <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> logic. This field
-          serves two purposes: it's informational, identifying portable service images as such (and thus
+          serves two purposes: it is informational, identifying portable service images as such (and thus
-          allowing them to be distinguished from other OS images, such as bootable system images); whenever a
+          allowing them to be distinguished from other OS images, such as bootable system images). In is also
-          portable service image is attached the specified or implied portable service prefix is checked
+          used when a portable service image is attached: the specified or implied portable service prefix is
-          against this list, to enforce restrictions how images may be attached to a
+          checked against the list specified here, to enforce restrictions how images may be attached to a
           system.</para></listitem>
         </varlistentry>
       </variablelist>

man/systemd-analyze.xml

@@ -1129,69 +1129,9 @@ $ systemd-analyze verify /tmp/source:alias.service
           </tgroup>
         </table>
 
-          <example>
+        <para>See example "JSON Policy" below.</para></listitem>
-          <title>JSON Policy</title>
-          <para>The JSON file passed as a path parameter to <option>--security-policy=</option>
-          has a top-level JSON object, with keys being the assessment test identifiers mentioned
-          above. The values in the file should be JSON objects with one or more of the
-          following fields: description_na (string), description_good (string), description_bad
-          (string), weight (unsigned integer), and range (unsigned integer). If any of these fields
-          corresponding to a specific id of the unit file is missing from the JSON object, the
-          default built-in field value corresponding to that same id is used for security analysis
-          as default. The weight and range fields are used in determining the overall exposure level
-          of the unit files: the value of each setting is assigned a badness score, which is multiplied
-          by the policy weight and divided by the policy range to determine the overall exposure that
-          the setting implies. The computed badness is summed across all settings in the unit file,
-          normalized to the 1…100 range, and used to determine the overall exposure level of the unit.
-          By allowing users to manipulate these fields, the 'security' verb gives them the option to
-          decide for themself which ids are more important and hence should have a greater effect on
-          the exposure level. A weight of <literal>0</literal> means the setting will not be
-          checked.</para>
-
-          <programlisting>
-          {
-            "PrivateDevices":
-              {
-              "description_good": "Service has no access to hardware devices",
-              "description_bad": "Service potentially has access to hardware devices",
-              "weight": 1000,
-              "range": 1
-              },
-            "PrivateMounts":
-              {
-              "description_good": "Service cannot install system mounts",
-              "description_bad": "Service may install system mounts",
-              "weight": 1000,
-              "range": 1
-              },
-            "PrivateNetwork":
-              {
-              "description_good": "Service has no access to the host's network",
-              "description_bad": "Service has access to the host's network",
-              "weight": 2500,
-              "range": 1
-              },
-            "PrivateTmp":
-              {
-              "description_good": "Service has no access to other software's temporary files",
-              "description_bad": "Service has access to other software's temporary files",
-              "weight": 1000,
-              "range": 1
-              },
-            "PrivateUsers":
-              {
-              "description_good": "Service does not have access to other users",
-              "description_bad": "Service has access to other users",
-              "weight": 1000,
-              "range": 1
-              }
-          }
-            </programlisting>
-          </example>
-        </listitem>
       </varlistentry>
 
-
       <varlistentry>
         <term><option>--json=<replaceable>MODE</replaceable></option></term>
 
@@ -1261,6 +1201,70 @@ $ systemd-analyze verify /tmp/source:alias.service
 
   <xi:include href="common-variables.xml" />
 
+  <refsect1>
+    <title>Examples</title>
+
+    <example>
+      <title>JSON Policy</title>
+
+      <para>The JSON file passed as a path parameter to <option>--security-policy=</option> has a top-level
+      JSON object, with keys being the assessment test identifiers mentioned above. The values in the file
+      should be JSON objects with one or more of the following fields: <option>description_na</option>
+      (string), <option>description_good</option> (string), <option>description_bad</option> (string),
+      <option>weight</option> (unsigned integer), and <option>range</option> (unsigned integer). If any of
+      these fields corresponding to a specific id of the unit file is missing from the JSON object, the
+      default built-in field value corresponding to that same id is used for security analysis as default.
+      The weight and range fields are used in determining the overall exposure level of the unit files: the
+      value of each setting is assigned a badness score, which is multiplied by the policy weight and divided
+      by the policy range to determine the overall exposure that the setting implies. The computed badness is
+      summed across all settings in the unit file, normalized to the 1…100 range, and used to determine the
+      overall exposure level of the unit.  By allowing users to manipulate these fields, the 'security' verb
+      gives them the option to decide for themself which ids are more important and hence should have a
+      greater effect on the exposure level. A weight of <literal>0</literal> means the setting will not be
+      checked.</para>
+
+      <programlisting>
+{
+  "PrivateDevices":
+    {
+    "description_good": "Service has no access to hardware devices",
+    "description_bad": "Service potentially has access to hardware devices",
+    "weight": 1000,
+    "range": 1
+    },
+  "PrivateMounts":
+    {
+    "description_good": "Service cannot install system mounts",
+    "description_bad": "Service may install system mounts",
+    "weight": 1000,
+    "range": 1
+    },
+  "PrivateNetwork":
+    {
+    "description_good": "Service has no access to the host's network",
+    "description_bad": "Service has access to the host's network",
+    "weight": 2500,
+    "range": 1
+    },
+  "PrivateTmp":
+    {
+    "description_good": "Service has no access to other software's temporary files",
+    "description_bad": "Service has access to other software's temporary files",
+    "weight": 1000,
+    "range": 1
+    },
+  "PrivateUsers":
+    {
+    "description_good": "Service does not have access to other users",
+    "description_bad": "Service has access to other users",
+    "weight": 1000,
+    "range": 1
+    }
+}
+      </programlisting>
+    </example>
+  </refsect1>
+
   <refsect1>
     <title>See Also</title>
     <para>

man/systemd-integritysetup@.service.xml

@@ -56,7 +56,9 @@
         </term>
 
         <listitem><para>Create a block device <replaceable>volume</replaceable> using
-        <replaceable>device</replaceable>. See integritytab man page and
+        <replaceable>device</replaceable>. See
+        <citerefentry><refentrytitle>systemd-integritytab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        and
         <ulink url="https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html">
           Kernel dm-integrity</ulink> documentation for details.
         </para></listitem>

man/systemd-nspawn.xml

@@ -1646,8 +1646,8 @@ After=sys-subsystem-net-devices-ens1.device</programlisting>
       <title>Build and boot a minimal Fedora distribution in a container</title>
 
       <programlisting># dnf -y --releasever=&fedora_latest_version; --installroot=/var/lib/machines/f&fedora_latest_version; \
-      --disablerepo='*' --enablerepo=fedora --enablerepo=updates install \
+      --repo=fedora --repo=updates --setopt=install_weak_deps=False install \
-      systemd passwd dnf fedora-release vim-minimal glibc-minimal-langpack
+      passwd dnf fedora-release vim-minimal systemd systemd-networkd
 # systemd-nspawn -bD /var/lib/machines/f&fedora_latest_version;</programlisting>
 
       <para>This installs a minimal Fedora distribution into the

man/systemd-stub.xml

@@ -94,9 +94,12 @@
       then access them in this directory. This is supposed to be used to store auxiliary, encrypted,
       authenticated credentials for use with <varname>LoadCredentialEncrypted=</varname> in the UEFI System
       Partition. See
-      <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+      <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      and
+      <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+      for
       details on encrypted credentials. The generated <command>cpio</command> archive is measured into TPM
-      PCR 4 (if a TPM is present)</para></listitem>
+      PCR 4 (if a TPM is present).</para></listitem>
 
       <listitem><para>Similarly, files <filename><replaceable>foo</replaceable>.efi.extra.d/*.raw</filename>
       are packed up in a <command>cpio</command> archive and placed in the <filename>/.extra/sysext/</filename>

man/systemd.exec.xml

@@ -1964,9 +1964,7 @@ RestrictFileSystems=ext4</programlisting>
               </row>
               <row>
                 <entry>@known</entry>
-                <entry>All known filesystems defined by the kernel. This list is defined statically in systemd based on a kernel
+                <entry>All known filesystems defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systemd version was released. It will become progressively more out-of-date as the kernel is updated.</entry>
-                version that was available when this systemd version was released. It will become progressively more
-                out-of-date as the kernel is updated.</entry>
               </row>
             </tbody>
           </tgroup>

man/systemd.link.xml

@@ -812,7 +812,7 @@
       <varlistentry>
         <term><varname>TransmitVLANSTAGHardwareAcceleration=</varname></term>
         <listitem>
-          <para>Takes a boolean. If set to true, transmit VLAN STAG HW acceleration is enabled.
+          <para>Takes a boolean. If set to true, transmit VLAN STAG hardware acceleration is enabled.
           When unset, the kernel's default will be used.</para>
         </listitem>
       </varlistentry>

man/systemd.network.xml

@@ -824,12 +824,11 @@ Table=1234</programlisting></para>
       <varlistentry>
         <term><varname>DHCPPrefixDelegation=</varname></term>
         <listitem>
-          <para>Takes a boolean value. When enabled, requests subnet prefixes acquired by a DHCPv6
+          <para>Takes a boolean value. When enabled, requests subnet prefixes on another link via the DHCPv6
-          client, or by a DHCPv4 client through the 6RD option  configured on another link. By default,
+          protocol or via the 6RD option in the DHCPv4 protocol. An address within each delegated prefix will
-          an address within each delegated prefix will be assigned, and the prefixes will be announced
+          be assigned, and the prefixes will be announced through IPv6 Router Advertisement if
-          through IPv6 Router Advertisement when <varname>IPv6SendRA=</varname> is enabled. Such
+          <varname>IPv6SendRA=</varname> is enabled. This behaviour can be configured in the
-          default settings can be configured in the [DHCPPrefixDelegation] section. Defaults to
+          [DHCPPrefixDelegation] section. Defaults to disabled.</para>
-          disabled.</para>
         </listitem>
       </varlistentry>
 
@@ -2305,7 +2304,7 @@ Table=1234</programlisting></para>
                   <citerefentry><refentrytitle>sd-id128</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
                   <citerefentry><refentrytitle>sd_id128_from_string</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
                   and
-                  <citerefentry><refentrytitle>sd_id128_get_machine</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+                  <citerefentry><refentrytitle>sd_id128_get_machine</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
                 </para>
                 <para>
                   Note that the <literal>prefixstable</literal> algorithm uses both the interface
@@ -3686,7 +3685,7 @@ Token=prefixstable:2002:da8:1::</programlisting></para>
               <term><option>dst-host</option></term>
               <listitem><para>
                 Flows are defined only by destination address. Equivalent to the
-                <literal>srchost</literal> option for <command>tc qdisc</command> command. See also
+                <literal>dsthost</literal> option for <command>tc qdisc</command> command. See also
                 <citerefentry project='man-pages'><refentrytitle>tc-cake</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
               </para></listitem>
             </varlistentry>

man/systemd.nspawn.xml

@@ -202,7 +202,7 @@
         capabilities (see
         <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
         for details). The <varname>AmbientCapability=</varname> setting
-        specifies capability which will be passed to the started program
+        specifies capabilities which will be passed to the started program
         in the inheritable and ambient capability sets. This will grant
         these capabilities to this process. This setting correspond to
         the <option>--ambient-capability=</option> command line switch.

man/systemd.path.xml

@@ -190,16 +190,16 @@
         <term><varname>TriggerLimitIntervalSec=</varname></term>
         <term><varname>TriggerLimitBurst=</varname></term>
 
-        <listitem><para>Configures a limit on how often this path unit may be activated within a specific time
+        <listitem><para>Configures a limit on how often this path unit may be activated within a specific
-        interval. The <varname>TriggerLimitIntervalSec=</varname> may be used to configure the length of the time
+        time interval. The <varname>TriggerLimitIntervalSec=</varname> may be used to configure the length of
-        interval in the usual time units <literal>us</literal>, <literal>ms</literal>, <literal>s</literal>,
+        the time interval in the usual time units <literal>us</literal>, <literal>ms</literal>,
-        <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
+        <literal>s</literal>, <literal>min</literal>, <literal>h</literal>, … and defaults to 2s. See
-        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details on
+        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
-        the various time units understood). The <varname>TriggerLimitBurst=</varname> setting takes a positive integer
+        details on the various time units understood. The <varname>TriggerLimitBurst=</varname> setting takes
-        value and specifies the number of permitted activations per time interval, and defaults to 200. Set either to
+        a positive integer value and specifies the number of permitted activations per time interval, and
-        0 to disable any form of trigger rate limiting. If the limit is hit, the unit is placed into a failure mode,
+        defaults to 200. Set either to 0 to disable any form of trigger rate limiting. If the limit is hit,
-        and will not watch the path(s) anymore until restarted. Note that this limit is enforced before the service
+        the unit is placed into a failure mode, and will not watch the path(s) anymore until restarted. Note
-        activation is enqueued.</para></listitem>
+        that this limit is enforced before the service activation is enqueued.</para></listitem>
       </varlistentry>
     </variablelist>
 

man/userdbctl.xml

@@ -74,10 +74,10 @@
       <varlistentry>
         <term><option>--json=</option><replaceable>FORMAT</replaceable></term>
 
-        <listitem><para>Selects JSON out mode (like <option>--output=json</option>) and selects the precise
+        <listitem><para>Selects JSON output mode (like <option>--output=json</option>) and selects the
-        display mode. Takes one of <literal>pretty</literal> or <literal>short</literal>. If
+        precise display mode. Takes one of <literal>pretty</literal> or <literal>short</literal>. If
-        <literal>pretty</literal> human-friendly whitespace and newlines are inserted in the output to make
+        <literal>pretty</literal>, human-friendly whitespace and newlines are inserted in the output to make
-        the JSON data more readable. If <literal>short</literal> all superfluous whitespace is
+        the JSON data more readable. If <literal>short</literal>, all superfluous whitespace is
         suppressed.</para></listitem>
       </varlistentry>
 

src/basic/fileio.c

@@ -1195,7 +1195,7 @@ int write_timestamp_file_atomic(const char *fn, usec_t n) {
         /* Creates a "timestamp" file, that contains nothing but a
          * usec_t timestamp, formatted in ASCII. */
 
-        if (n <= 0 || n >= USEC_INFINITY)
+        if (!timestamp_is_set(n))
                 return -ERANGE;
 
         xsprintf(ln, USEC_FMT "\n", n);
@@ -1216,7 +1216,7 @@ int read_timestamp_file(const char *fn, usec_t *ret) {
         if (r < 0)
                 return r;
 
-        if (t <= 0 || t >= (uint64_t) USEC_INFINITY)
+        if (!timestamp_is_set(t))
                 return -ERANGE;
 
         *ret = (usec_t) t;

src/basic/time-util.c

@@ -126,7 +126,7 @@ usec_t map_clock_usec(usec_t from, clockid_t from_clock, clockid_t to_clock) {
 dual_timestamp* dual_timestamp_from_realtime(dual_timestamp *ts, usec_t u) {
         assert(ts);
 
-        if (u == USEC_INFINITY || u == 0) {
+        if (!timestamp_is_set(u)) {
                 ts->realtime = ts->monotonic = u;
                 return ts;
         }
@@ -141,7 +141,7 @@ triple_timestamp* triple_timestamp_from_realtime(triple_timestamp *ts, usec_t u)
 
         assert(ts);
 
-        if (u == USEC_INFINITY || u == 0) {
+        if (!timestamp_is_set(u)) {
                 ts->realtime = ts->monotonic = ts->boottime = u;
                 return ts;
         }
@@ -349,7 +349,7 @@ char *format_timestamp_style(
                           1 + 1 +              /* space and shortest possible zone */
                           1))
                 return NULL; /* Not enough space even for the shortest form. */
-        if (t <= 0 || t == USEC_INFINITY)
+        if (!timestamp_is_set(t))
                 return NULL; /* Timestamp is unset */
 
         if (style == TIMESTAMP_UNIX) {
@@ -427,7 +427,7 @@ char *format_timestamp_relative(char *buf, size_t l, usec_t t) {
         const char *s;
         usec_t n, d;
 
-        if (t <= 0 || t == USEC_INFINITY)
+        if (!timestamp_is_set(t))
                 return NULL;
 
         n = now(CLOCK_REALTIME);

src/basic/xattr-util.c

@@ -199,7 +199,7 @@ int fd_setcrtime(int fd, usec_t usec) {
 
         assert(fd >= 0);
 
-        if (IN_SET(usec, 0, USEC_INFINITY))
+        if (!timestamp_is_set(usec))
                 usec = now(CLOCK_REALTIME);
 
         le = htole64((uint64_t) usec);

src/core/service.c

@@ -208,7 +208,7 @@ static void service_start_watchdog(Service *s) {
         assert(s);
 
         watchdog_usec = service_get_watchdog_usec(s);
-        if (IN_SET(watchdog_usec, 0, USEC_INFINITY)) {
+        if (!timestamp_is_set(watchdog_usec)) {
                 service_stop_watchdog(s);
                 return;
         }
@@ -279,7 +279,7 @@ static void service_extend_timeout(Service *s, usec_t extend_timeout_usec) {
 
         assert(s);
 
-        if (IN_SET(extend_timeout_usec, 0, USEC_INFINITY))
+        if (!timestamp_is_set(extend_timeout_usec))
                 return;
 
         extended = usec_add(now(CLOCK_MONOTONIC), extend_timeout_usec);

src/libsystemd-network/lldp-neighbor.c

@@ -334,7 +334,7 @@ void lldp_neighbor_start_ttl(sd_lldp_neighbor *n) {
 
                 /* Use the packet's timestamp if there is one known */
                 base = triple_timestamp_by_clock(&n->timestamp, clock_boottime_or_monotonic());
-                if (base <= 0 || base == USEC_INFINITY)
+                if (!timestamp_is_set(base))
                         base = now(clock_boottime_or_monotonic()); /* Otherwise, take the current time */
 
                 n->until = usec_add(base, n->ttl * USEC_PER_SEC);

src/libsystemd/meson.build

@@ -12,6 +12,7 @@ sd_journal_sources = files(
         'sd-journal/journal-file.h',
         'sd-journal/journal-internal.h',
         'sd-journal/journal-send.c',
+        'sd-journal/journal-send.h',
         'sd-journal/journal-vacuum.c',
         'sd-journal/journal-vacuum.h',
         'sd-journal/journal-verify.c',

src/libsystemd/sd-daemon/sd-daemon.c

@@ -641,7 +641,7 @@ _public_ int sd_watchdog_enabled(int unset_environment, uint64_t *usec) {
         r = safe_atou64(s, &u);
         if (r < 0)
                 goto finish;
-        if (u <= 0 || u >= USEC_INFINITY) {
+        if (!timestamp_is_set(u)) {
                 r = -EINVAL;
                 goto finish;
         }

src/libsystemd/sd-journal/journal-send.c

@@ -6,6 +6,9 @@
 #include <stddef.h>
 #include <sys/un.h>
 #include <unistd.h>
+#if HAVE_VALGRIND_VALGRIND_H
+#include <valgrind/valgrind.h>
+#endif
 
 #define SD_JOURNAL_SUPPRESS_LOCATION
 
@@ -14,8 +17,9 @@
 #include "alloc-util.h"
 #include "errno-util.h"
 #include "fd-util.h"
-#include "io-util.h"
 #include "fileio.h"
+#include "io-util.h"
+#include "journal-send.h"
 #include "memfd-util.h"
 #include "socket-util.h"
 #include "stdio-util.h"
@@ -39,10 +43,10 @@
  * all its threads, and all its subprocesses. This means we need to
  * initialize it atomically, and need to operate on it atomically
  * never assuming we are the only user */
+static int fd_plus_one = 0;
 
 static int journal_fd(void) {
         int fd;
-        static int fd_plus_one = 0;
 
 retry:
         if (fd_plus_one > 0)
@@ -62,6 +66,24 @@ retry:
         return fd;
 }
 
+#if VALGRIND
+void close_journal_fd(void) {
+        /* Be nice to valgrind. This is not atomic. This must be used only in tests. */
+
+        if (!RUNNING_ON_VALGRIND)
+                return;
+
+        if (getpid() != gettid())
+                return;
+
+        if (fd_plus_one <= 0)
+                return;
+
+        safe_close(fd_plus_one - 1);
+        fd_plus_one = 0;
+}
+#endif
+
 _public_ int sd_journal_print(int priority, const char *format, ...) {
         int r;
         va_list ap;

src/libsystemd/sd-journal/journal-send.h

@@ -0,0 +1,8 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#if VALGRIND
+void close_journal_fd(void);
+#else
+static inline void close_journal_fd(void) {}
+#endif

src/libsystemd/sd-journal/journal-vacuum.c

@@ -64,15 +64,15 @@ static void patch_realtime(
         assert(realtime);
 
         x = timespec_load(&st->st_ctim);
-        if (x > 0 && x != USEC_INFINITY && x < *realtime)
+        if (timestamp_is_set(x) && x < *realtime)
                 *realtime = x;
 
         x = timespec_load(&st->st_atim);
-        if (x > 0 && x != USEC_INFINITY && x < *realtime)
+        if (timestamp_is_set(x) && x < *realtime)
                 *realtime = x;
 
         x = timespec_load(&st->st_mtim);
-        if (x > 0 && x != USEC_INFINITY && x < *realtime)
+        if (timestamp_is_set(x) && x < *realtime)
                 *realtime = x;
 
         /* Let's read the original creation time, if possible. Ideally we'd just query the creation time the

src/libsystemd/sd-journal/test-journal-send.c

@@ -5,7 +5,9 @@
 #include <unistd.h>
 
 #include "sd-journal.h"
+
 #include "fileio.h"
+#include "journal-send.h"
 #include "macro.h"
 #include "memory-util.h"
 
@@ -90,6 +92,10 @@ static void test_journal_send(void) {
         assert_se(sd_journal_sendv(graph2, 1) == 0);
         assert_se(sd_journal_sendv(message1, 1) == 0);
         assert_se(sd_journal_sendv(message2, 1) == 0);
+
+        /* The above syslog() opens a fd which is stored in libc, and the valgrind reports the fd is
+         * leaked when we do not call closelog(). */
+        closelog();
 }
 
 int main(int argc, char *argv[]) {
@@ -99,5 +105,6 @@ int main(int argc, char *argv[]) {
         /* Sleep a bit to make it easy for journald to collect metadata. */
         sleep(1);
 
+        close_journal_fd();
         return 0;
 }

src/login/loginctl.c

@@ -469,7 +469,7 @@ static int print_session_status_info(sd_bus *bus, const char *path, bool *new_li
         else
                 printf("%"PRIu32"\n", i.uid);
 
-        if (i.timestamp.realtime > 0 && i.timestamp.realtime < USEC_INFINITY)
+        if (timestamp_is_set(i.timestamp.realtime))
                 printf("\t   Since: %s; %s\n",
                        FORMAT_TIMESTAMP(i.timestamp.realtime),
                        FORMAT_TIMESTAMP_RELATIVE(i.timestamp.realtime));
@@ -592,7 +592,7 @@ static int print_user_status_info(sd_bus *bus, const char *path, bool *new_line)
         else
                 printf("%"PRIu32"\n", i.uid);
 
-        if (i.timestamp.realtime > 0 && i.timestamp.realtime < USEC_INFINITY)
+        if (timestamp_is_set(i.timestamp.realtime))
                 printf("\t   Since: %s; %s\n",
                        FORMAT_TIMESTAMP(i.timestamp.realtime),
                        FORMAT_TIMESTAMP_RELATIVE(i.timestamp.realtime));

src/login/logind-user.c

@@ -856,7 +856,7 @@ void user_update_last_session_timer(User *u) {
         assert(!u->timer_event_source);
 
         user_stop_delay = user_get_stop_delay(u);
-        if (IN_SET(user_stop_delay, 0, USEC_INFINITY))
+        if (!timestamp_is_set(user_stop_delay))
                 return;
 
         if (sd_event_get_state(u->manager->event) == SD_EVENT_FINISHED) {

src/machine/machinectl.c

@@ -850,11 +850,11 @@ static void print_image_status_info(sd_bus *bus, ImageStatusInfo *i) {
                i->read_only ? "read-only" : "writable",
                i->read_only ? ansi_normal() : "");
 
-        if (i->crtime > 0 && i->crtime < USEC_INFINITY)
+        if (timestamp_is_set(i->crtime))
                 printf("\t Created: %s; %s\n",
                        FORMAT_TIMESTAMP(i->crtime), FORMAT_TIMESTAMP_RELATIVE(i->crtime));
 
-        if (i->mtime > 0 && i->mtime < USEC_INFINITY)
+        if (timestamp_is_set(i->mtime))
                 printf("\tModified: %s; %s\n",
                        FORMAT_TIMESTAMP(i->mtime), FORMAT_TIMESTAMP_RELATIVE(i->mtime));
 

src/resolve/resolved-dns-query.c

@@ -737,18 +737,9 @@ int dns_query_go(DnsQuery *q) {
 
         LIST_FOREACH(scopes, s, q->manager->dns_scopes) {
                 DnsScopeMatch match;
-                const char *name;
-
-                name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
-                if (!name)
-                        continue;
-
-                match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
-                if (match < 0) {
-                        log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
-                        continue;
-                }
 
+                match = dns_scope_good_domain(s, q);
+                assert(match >= 0);
                 if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
                                       * that matches this well */
                         found = match;
@@ -773,18 +764,9 @@ int dns_query_go(DnsQuery *q) {
 
         LIST_FOREACH(scopes, s, first->scopes_next) {
                 DnsScopeMatch match;
-                const char *name;
-
-                name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
-                if (!name)
-                        continue;
-
-                match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
-                if (match < 0) {
-                        log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
-                        continue;
-                }
 
+                match = dns_scope_good_domain(s, q);
+                assert(match >= 0);
                 if (match < found)
                         continue;
 

src/resolve/resolved-dns-scope.c

@@ -584,11 +584,13 @@ static DnsScopeMatch match_subnet_reverse_lookups(
 
 DnsScopeMatch dns_scope_good_domain(
                 DnsScope *s,
-                int ifindex,
+                DnsQuery *q) {
-                uint64_t flags,
-                const char *domain) {
 
+        DnsQuestion *question;
         DnsSearchDomain *d;
+        const char *domain;
+        uint64_t flags;
+        int ifindex;
 
         /* This returns the following return values:
          *
@@ -602,7 +604,18 @@ DnsScopeMatch dns_scope_good_domain(
          */
 
         assert(s);
-        assert(domain);
+        assert(q);
+
+        question = dns_query_question_for_protocol(q, s->protocol);
+        if (!question)
+                return DNS_SCOPE_NO;
+
+        domain = dns_question_first_name(question);
+        if (!domain)
+                return DNS_SCOPE_NO;
+
+        ifindex = q->ifindex;
+        flags = q->flags;
 
         /* Checks if the specified domain is something to look up on this scope. Note that this accepts
          * non-qualified hostnames, i.e. those without any search path suffixed. */
@@ -613,10 +626,6 @@ DnsScopeMatch dns_scope_good_domain(
         if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, false, false) & flags) == 0)
                 return DNS_SCOPE_NO;
 
-        /* Never resolve empty name. */
-        if (dns_name_is_empty(domain))
-                return DNS_SCOPE_NO;
-
         /* Never resolve any loopback hostname or IP address via DNS, LLMNR or mDNS. Instead, always rely on
          * synthesized RRs for these. */
         if (is_localhost(domain) ||
@@ -639,6 +648,22 @@ DnsScopeMatch dns_scope_good_domain(
                 DnsScopeMatch m;
                 int n_best = -1;
 
+                if (dns_name_is_empty(domain)) {
+                        DnsResourceKey *t;
+                        bool found = false;
+
+                        /* Refuse empty name if only A and/or AAAA records are requested. */
+
+                        DNS_QUESTION_FOREACH(t, question)
+                                if (!IN_SET(t->type, DNS_TYPE_A, DNS_TYPE_AAAA)) {
+                                        found = true;
+                                        break;
+                                }
+
+                        if (!found)
+                                return DNS_SCOPE_NO;
+                }
+
                 /* Never route things to scopes that lack DNS servers */
                 if (!dns_scope_get_dns_server(s))
                         return DNS_SCOPE_NO;

src/resolve/resolved-dns-scope.h

@@ -10,7 +10,7 @@ typedef struct DnsScope DnsScope;
 #include "resolved-dns-cache.h"
 #include "resolved-dns-dnssec.h"
 #include "resolved-dns-packet.h"
-
+#include "resolved-dns-query.h"
 #include "resolved-dns-search-domain.h"
 #include "resolved-dns-server.h"
 #include "resolved-dns-stream.h"
@@ -76,7 +76,7 @@ int dns_scope_emit_udp(DnsScope *s, int fd, int af, DnsPacket *p);
 int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port, union sockaddr_union *ret_socket_address);
 int dns_scope_socket_udp(DnsScope *s, DnsServer *server);
 
-DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain);
+DnsScopeMatch dns_scope_good_domain(DnsScope *s, DnsQuery *q);
 bool dns_scope_good_key(DnsScope *s, const DnsResourceKey *key);
 
 DnsServer *dns_scope_get_dns_server(DnsScope *s);

src/systemctl/systemctl-show.c

@@ -421,7 +421,7 @@ static void print_status_info(
                     STRPTR_IN_SET(i->active_state, "activating")          ? i->inactive_exit_timestamp :
                                                                             i->active_exit_timestamp;
 
-        if (timestamp > 0 && timestamp < USEC_INFINITY) {
+        if (timestamp_is_set(timestamp)) {
                 printf(" since %s; %s\n",
                        FORMAT_TIMESTAMP_STYLE(timestamp, arg_timestamp_style),
                        FORMAT_TIMESTAMP_RELATIVE(timestamp));
@@ -455,7 +455,7 @@ static void print_status_info(
                 dual_timestamp_get(&nw);
                 next_elapse = calc_next_elapse(&nw, &next);
 
-                if (next_elapse > 0 && next_elapse < USEC_INFINITY)
+                if (timestamp_is_set(next_elapse))
                         printf("    Trigger: %s; %s\n",
                                FORMAT_TIMESTAMP_STYLE(next_elapse, arg_timestamp_style),
                                FORMAT_TIMESTAMP_RELATIVE(next_elapse));

src/udev/udev-builtin-input_id.c

@@ -167,6 +167,7 @@ static bool test_pointers(sd_device *dev,
         bool finger_but_no_pen = false;
         bool has_mouse_button = false;
         bool is_mouse = false;
+        bool is_abs_mouse = false;
         bool is_touchpad = false;
         bool is_touchscreen = false;
         bool is_tablet = false;
@@ -231,7 +232,7 @@ static bool test_pointers(sd_device *dev,
                 else if (has_mouse_button)
                         /* This path is taken by VMware's USB mouse, which has
                          * absolute axes, but no touch/pressure button. */
-                        is_mouse = true;
+                        is_abs_mouse = true;
                 else if (has_touch || is_direct)
                         is_touchscreen = true;
                 else if (has_joystick_axes_or_buttons)
@@ -263,7 +264,7 @@ static bool test_pointers(sd_device *dev,
 
         if (is_pointing_stick)
                 udev_builtin_add_property(dev, test, "ID_INPUT_POINTINGSTICK", "1");
-        if (is_mouse)
+        if (is_mouse || is_abs_mouse)
                 udev_builtin_add_property(dev, test, "ID_INPUT_MOUSE", "1");
         if (is_touchpad)
                 udev_builtin_add_property(dev, test, "ID_INPUT_TOUCHPAD", "1");
@@ -276,7 +277,7 @@ static bool test_pointers(sd_device *dev,
         if (is_tablet_pad)
                 udev_builtin_add_property(dev, test, "ID_INPUT_TABLET_PAD", "1");
 
-        return is_tablet || is_mouse || is_touchpad || is_touchscreen || is_joystick || is_pointing_stick;
+        return is_tablet || is_mouse || is_abs_mouse || is_touchpad || is_touchscreen || is_joystick || is_pointing_stick;
 }
 
 /* key like devices */