sd-event: unpoison memory returned by epoll_pwait2() (#40464)

Fixes #40455

Alternative to #40463
Closes #40463

README

@@ -58,7 +58,8 @@ REQUIREMENTS:
         ⛔ Kernel versions below 5.10 ("minimum baseline") are not supported at all,
            and are missing required functionality as listed above.
 
-        Linux kernel ≥ 5.12 for idmapped mount
+        Linux kernel ≥ 5.11 for epoll_pwait2()
+                     ≥ 5.12 for idmapped mount (mount_setattr())
                      ≥ 5.14 for cgroup.kill and quotactl_fd()
 
         ⚠️ Kernel versions below 5.14 ("recommended baseline") have significant gaps

docs/CODING_STYLE.md

@@ -437,6 +437,16 @@ SPDX-License-Identifier: LGPL-2.1-or-later
   aren't, we are happy to use GNU or Linux APIs, and expect non-GNU
   implementations of libc to catch up with glibc.
 
+- Very often we pass a pair of file descriptor and a path to functions, which
+  are to be understood in combination. For example `openat()` style functions
+  typically take a directory fd and a filename relative to that as argument. In
+  other cases where operations operate relative to a root directory it makes
+  sense to have a pair of root path and root fd. Whenever possible the function
+  arguments should be in the order "fd first, path second" when the path shall
+  be understood relative to the fd. And an order "path first, fd second"
+  shall be used when the root path is the path of the referenced fd, i.e. two
+  references to the same object.
+
 ## Using C Constructs
 
 - Allocate local variables where it makes sense: at the top of the block, or at

src/libsystemd/sd-event/sd-event.c

@@ -4618,6 +4618,7 @@ static int process_epoll(sd_event *e, usec_t timeout, int64_t threshold, int64_t
                         return r;
 
                 m = (size_t) r;
+                msan_unpoison(e->event_queue, m * sizeof(struct epoll_event));
 
                 if (m < n_event_max)
                         break;
@@ -4636,19 +4637,17 @@ static int process_epoll(sd_event *e, usec_t timeout, int64_t threshold, int64_t
         if (threshold == INT64_MAX)
                 triple_timestamp_now(&e->timestamp);
 
-        for (size_t i = 0; i < m; i++) {
+        FOREACH_ARRAY(i, e->event_queue, m) {
 
-                if (e->event_queue[i].data.ptr == INT_TO_PTR(SOURCE_WATCHDOG))
+                if (i->data.ptr == INT_TO_PTR(SOURCE_WATCHDOG))
-                        r = flush_timer(e, e->watchdog_fd, e->event_queue[i].events, NULL);
+                        r = flush_timer(e, e->watchdog_fd, i->events, NULL);
                 else {
-                        WakeupType *t = e->event_queue[i].data.ptr;
+                        WakeupType *t = ASSERT_PTR(i->data.ptr);
 
                         switch (*t) {
 
                         case WAKEUP_EVENT_SOURCE: {
-                                sd_event_source *s = e->event_queue[i].data.ptr;
+                                sd_event_source *s = i->data.ptr;
-
-                                assert(s);
 
                                 if (s->priority > threshold)
                                         continue;
@@ -4658,15 +4657,15 @@ static int process_epoll(sd_event *e, usec_t timeout, int64_t threshold, int64_t
                                 switch (s->type) {
 
                                 case SOURCE_IO:
-                                        r = process_io(e, s, e->event_queue[i].events);
+                                        r = process_io(e, s, i->events);
                                         break;
 
                                 case SOURCE_CHILD:
-                                        r = process_pidfd(e, s, e->event_queue[i].events);
+                                        r = process_pidfd(e, s, i->events);
                                         break;
 
                                 case SOURCE_MEMORY_PRESSURE:
-                                        r = process_memory_pressure(s, e->event_queue[i].events);
+                                        r = process_memory_pressure(s, i->events);
                                         break;
 
                                 default:
@@ -4677,20 +4676,18 @@ static int process_epoll(sd_event *e, usec_t timeout, int64_t threshold, int64_t
                         }
 
                         case WAKEUP_CLOCK_DATA: {
-                                struct clock_data *d = e->event_queue[i].data.ptr;
+                                struct clock_data *d = i->data.ptr;
 
-                                assert(d);
+                                r = flush_timer(e, d->fd, i->events, &d->next);
-
-                                r = flush_timer(e, d->fd, e->event_queue[i].events, &d->next);
                                 break;
                         }
 
                         case WAKEUP_SIGNAL_DATA:
-                                r = process_signal(e, e->event_queue[i].data.ptr, e->event_queue[i].events, &min_priority);
+                                r = process_signal(e, i->data.ptr, i->events, &min_priority);
                                 break;
 
                         case WAKEUP_INOTIFY_DATA:
-                                r = event_inotify_data_read(e, e->event_queue[i].data.ptr, e->event_queue[i].events, threshold);
+                                r = event_inotify_data_read(e, i->data.ptr, i->events, threshold);
                                 break;
 
                         default:

src/shared/loop-util.c

@@ -431,10 +431,25 @@ static int loop_device_make_internal(
         int r, f_flags;
         struct stat st;
 
+        assert(fd >= 0);
+        assert(open_flags < 0 || IN_SET(open_flags, O_RDWR, O_RDONLY));
         assert(ret);
-        assert(IN_SET(open_flags, O_RDWR, O_RDONLY));
 
-        if (fstat(ASSERT_FD(fd), &st) < 0)
+        f_flags = fcntl(fd, F_GETFL);
+        if (f_flags < 0)
+                return -errno;
+
+        if (open_flags < 0) {
+                /* If open_flags is unset, initialize it from the open fd */
+                if (FLAGS_SET(f_flags, O_PATH))
+                        return log_debug_errno(SYNTHETIC_ERRNO(EBADFD), "Access mode of image file indicates O_PATH, cannot determine read/write flags.");
+
+                open_flags = f_flags & O_ACCMODE_STRICT;
+                if (!IN_SET(open_flags, O_RDWR, O_RDONLY))
+                        return log_debug_errno(SYNTHETIC_ERRNO(EBADFD), "Access mode of image file is write only (?)");
+        }
+
+        if (fstat(fd, &st) < 0)
                 return -errno;
 
         if (S_ISBLK(st.st_mode)) {
@@ -461,10 +476,6 @@ static int loop_device_make_internal(
                         return r;
         }
 
-        f_flags = fcntl(fd, F_GETFL);
-        if (f_flags < 0)
-                return -errno;
-
         if (FLAGS_SET(loop_flags, LO_FLAGS_DIRECT_IO) != FLAGS_SET(f_flags, O_DIRECT)) {
                 /* If LO_FLAGS_DIRECT_IO is requested, then make sure we have the fd open with O_DIRECT, as
                  * that's required. Conversely, if it's off require that O_DIRECT is off too (that's because

units/meson.build

@@ -43,9 +43,7 @@ units = [
           'file' : 'getty.target',
           'symlinks' : ['multi-user.target.wants/'],
         },
-        {
+        { 'file' : 'getty@.service.in' },
-          'file' : 'getty@.service.in',
-        },
         {
           'file' : 'graphical.target',
           'symlinks' : ['default.target'],