calendarspec: day of month also needs to be reset when year is changed

Fixes #40260.

src/analyze/analyze-nvpcrs.c

@@ -27,10 +27,11 @@ static int add_nvpcr_to_table(Tpm2Context **c, Table *t, const char *name) {
                 r = tpm2_nvpcr_read(*c, /* session= */ NULL, name, &digest, &nv_index);
                 if (r < 0)
                         return log_error_errno(r, "Failed to read NvPCR '%s': %m", name);
-
+                if (r > 0) { /* set? */
                         h = hexmem(digest.iov_base, digest.iov_len);
                         if (!h)
                                 return log_oom();
+                }
         } else {
                 r = tpm2_nvpcr_get_index(name, &nv_index);
                 if (r < 0)

src/shared/calendarspec.c

@@ -1194,9 +1194,10 @@ static int tm_within_bounds(struct tm *tm, bool utc) {
          * other sub time units are already reset in find_next().
          */
         int cmp;
-        if ((cmp = CMP(t.tm_year, tm->tm_year)) != 0)
+        if ((cmp = CMP(t.tm_year, tm->tm_year)) != 0) {
                 t.tm_mon = 0;
-        else if ((cmp = CMP(t.tm_mon, tm->tm_mon)) != 0)
+                t.tm_mday = 1;
+        } else if ((cmp = CMP(t.tm_mon, tm->tm_mon)) != 0)
                 t.tm_mday = 1;
         else if ((cmp = CMP(t.tm_mday, tm->tm_mday)) != 0)
                 t.tm_hour = 0;

src/shared/switch-root.c

@@ -54,7 +54,7 @@ int switch_root(const char *new_root,
         if (new_root_fd < 0)
                 return log_error_errno(errno, "Failed to open target directory '%s': %m", new_root);
 
-        r = fds_are_same_mount(old_root_fd, new_root_fd);
+        r = fds_are_same_mount(old_root_fd, new_root_fd); /* checks if referenced inodes and mounts match */
         if (r < 0)
                 return log_error_errno(r, "Failed to check if old and new root directory/mount are the same: %m");
         if (r > 0) {
@@ -186,8 +186,8 @@ int switch_root(const char *new_root,
 
                 if (chdir(".") < 0)
                         return log_error_errno(errno, "Failed to change directory: %m");
-        }
 
+                /* Now empty the old root superblock */
                 if (istmp > 0) {
                         struct stat rb;
 
@@ -198,6 +198,11 @@ int switch_root(const char *new_root,
                          * it will stop at mount boundaries */
                         (void) rm_rf_children(TAKE_FD(old_root_fd), 0, &rb); /* takes possession of the dir fd, even on failure */
                 }
+        } else
+                /* NB: we don't bother with emptying the old root superblock here, under the assumption the
+                 * pivot_root() + umount() sufficiently detached from the superblock to the point we don't
+                 * need to empty it anymore */
+                log_debug("Pivoting root worked.");
 
         return 0;
 }

src/shared/tpm2-util.c

@@ -7474,6 +7474,21 @@ int tpm2_nvpcr_read(
         if (r < 0)
                 return r;
 
+        /* Check if the NvPCR is already anchored */
+        const char *anchor_fname = strjoina("/run/systemd/nvpcr/", name, ".anchor");
+        r = access_nofollow(anchor_fname, F_OK);
+        if (r < 0) {
+                if (r != -ENOENT)
+                        return log_debug_errno(r, "Failed to check if '%s' exists: %m", anchor_fname);
+
+                /* valid, but not anchored */
+                *ret_value = (struct iovec) {};
+                if (ret_nv_index)
+                        *ret_nv_index = p.nv_index;
+
+                return 0;
+        }
+
         _cleanup_(tpm2_handle_freep) Tpm2Handle *nv_handle = NULL;
         r = tpm2_index_to_handle(
                         c,
@@ -7488,6 +7503,7 @@ int tpm2_nvpcr_read(
 
         log_debug("Successfully acquired handle to NV index 0x%" PRIx32 ".", p.nv_index);
 
+        if (r > 0) {
                 r = tpm2_read_nv_index(
                                 c,
                                 /* session= */ NULL,
@@ -7497,10 +7513,16 @@ int tpm2_nvpcr_read(
                 if (r < 0)
                         return r;
 
+                r = 1;
+        } else {
+                *ret_value = (struct iovec) {};
+                r = 0;
+        }
+
         if (ret_nv_index)
                 *ret_nv_index = p.nv_index;
 
-        return 0;
+        return r;
 #else /* HAVE_OPENSSL */
         return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
 #endif

src/test/test-calendarspec.c

@@ -219,6 +219,8 @@ TEST(calendar_spec_next) {
         test_next("Sun *-*-* 01:00:00 Europe/Dublin", "IST", 1616412478000000, 1617494400000000);
         /* Europe/Dublin TZ that moves DST backwards */
         test_next("hourly", "IST-1GMT-0,M10.5.0/1,M3.5.0/1", 1743292800000000, 1743296400000000);
+        /* Check when the year changes, see issue #40260 */
+        test_next("*-*-1/11 23:00:00 UTC", "", 1763938800000000, 1764630000000000);
 }
 
 TEST(calendar_spec_from_string) {