Hello community, here is the log from the commit of package ebtables for openSUSE:Factory checked in at 2019-03-04 09:16:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ebtables (Old) and /work/SRC/openSUSE:Factory/.ebtables.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ebtables" Mon Mar 4 09:16:13 2019 rev:42 rq:680740 version:2.0.10.4 Changes: -------- --- /work/SRC/openSUSE:Factory/ebtables/ebtables.changes 2018-09-18 11:42:30.707968538 +0200 +++ /work/SRC/openSUSE:Factory/.ebtables.new.28833/ebtables.changes 2019-03-04 09:16:20.844644469 +0100 @@ -1,0 +2,8 @@ +Fri Feb 22 14:04:30 UTC 2019 - MichaĆ Rostecki <[email protected]> + +- Add upstream patches which improve handling stale locks. + (boo#1126094) + * 0001-Use-flock-for-concurrent-option.patch + * 0002-Fix-locking-if-LOCKDIR-does-not-exist.patch + +------------------------------------------------------------------- New: ---- 0001-Use-flock-for-concurrent-option.patch 0002-Fix-locking-if-LOCKDIR-does-not-exist.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ebtables.spec ++++++ --- /var/tmp/diff_new_pack.kJ4Eva/_old 2019-03-04 09:16:21.760644304 +0100 +++ /var/tmp/diff_new_pack.kJ4Eva/_new 2019-03-04 09:16:21.760644304 +0100 @@ -1,7 +1,7 @@ # # spec file for package ebtables # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -40,6 +40,9 @@ Patch3: 0001-fix-compilation-warning.patch # PATCH-FIX-SUSE-ONLY Patch4: include-linux-if.patch +# PATCH-FIX-UPSTREAM boo#1126094 +Patch5: 0001-Use-flock-for-concurrent-option.patch +Patch6: 0002-Fix-locking-if-LOCKDIR-does-not-exist.patch BuildRequires: linux-glibc-devel >= 2.6.20 BuildRequires: sed BuildRequires: systemd-rpm-macros @@ -64,6 +67,8 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 # delete all kernel headers, but keep ebt_ip6.h and ebt_nflog.h mv include/linux/netfilter_bridge/ebt_ip6.{h,h.save} mv include/linux/netfilter_bridge/ebt_nflog.{h,h.save} ++++++ 0001-Use-flock-for-concurrent-option.patch ++++++ >From f401e3ec8358069f2407ae39ecb8b7ba1a6fbcc6 Mon Sep 17 00:00:00 2001 From: Phil Sutter <[email protected]> Date: Fri, 6 Oct 2017 12:48:50 +0200 Subject: [PATCH 1/2] Use flock() for --concurrent option The previous locking mechanism was not atomic, hence it was possible that a killed ebtables process would leave the lock file in place which in turn made future ebtables processes wait indefinitely for the lock to become free. Fix this by using flock(). This also simplifies code quite a bit because there is no need for a custom signal handler or an __exit routine anymore. Signed-off-by: Phil Sutter <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> --- ebtables.c | 8 -------- libebtc.c | 49 +++++-------------------------------------------- 2 files changed, 5 insertions(+), 52 deletions(-) diff --git a/ebtables.c b/ebtables.c index 62f1ba8..f7dfccf 100644 --- a/ebtables.c +++ b/ebtables.c @@ -528,12 +528,6 @@ void ebt_early_init_once() ebt_iterate_targets(merge_target); } -/* signal handler, installed when the option --concurrent is specified. */ -static void sighandler(int signum) -{ - exit(-1); -} - /* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */ int do_command(int argc, char *argv[], int exec_style, struct ebt_u_replace *replace_) @@ -1047,8 +1041,6 @@ big_iface_length: strcpy(replace->filename, optarg); break; case 13 : /* concurrent */ - signal(SIGINT, sighandler); - signal(SIGTERM, sighandler); use_lockfd = 1; break; case 1 : diff --git a/libebtc.c b/libebtc.c index 17ba8f2..76dd9d7 100644 --- a/libebtc.c +++ b/libebtc.c @@ -31,6 +31,7 @@ #include "include/ethernetdb.h" #include <unistd.h> #include <fcntl.h> +#include <sys/file.h> #include <sys/wait.h> #include <sys/stat.h> #include <sys/types.h> @@ -137,58 +138,18 @@ void ebt_list_extensions() #define LOCKDIR "/var/lib/ebtables" #define LOCKFILE LOCKDIR"/lock" #endif -static int lockfd = -1, locked; int use_lockfd; /* Returns 0 on success, -1 when the file is locked by another process * or -2 on any other error. */ static int lock_file() { - int try = 0; - int ret = 0; - sigset_t sigset; - -tryagain: - /* the SIGINT handler will call unlock_file. To make sure the state - * of the variable locked is correct, we need to temporarily mask the - * SIGINT interrupt. */ - sigemptyset(&sigset); - sigaddset(&sigset, SIGINT); - sigprocmask(SIG_BLOCK, &sigset, NULL); - lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600); - if (lockfd < 0) { - if (errno == EEXIST) - ret = -1; - else if (try == 1) - ret = -2; - else { - if (mkdir(LOCKDIR, 00700)) - ret = -2; - else { - try = 1; - goto tryagain; - } - } - } else { - close(lockfd); - locked = 1; - } - sigprocmask(SIG_UNBLOCK, &sigset, NULL); - return ret; -} + int fd = open(LOCKFILE, O_CREAT, 00600); -void unlock_file() -{ - if (locked) { - remove(LOCKFILE); - locked = 0; - } + if (fd < 0) + return -2; + return flock(fd, LOCK_EX); } -void __attribute__ ((destructor)) onexit() -{ - if (use_lockfd) - unlock_file(); -} /* Get the table from the kernel or from a binary file * init: 1 = ask the kernel for the initial contents of a table, i.e. the * way it looks when the table is insmod'ed -- 2.20.1 ++++++ 0002-Fix-locking-if-LOCKDIR-does-not-exist.patch ++++++ >From 8d9665967e3ea039d720cbf80c26240f1ec1a795 Mon Sep 17 00:00:00 2001 From: Phil Sutter <[email protected]> Date: Mon, 15 Jan 2018 16:27:31 +0100 Subject: [PATCH 2/2] Fix locking if LOCKDIR does not exist The previous conversion to using flock() missed a crucial bit of code which tries to create LOCKDIR once in case opening the lock failed - This patch reestablishes the old behaviour. Reported-by: Tangchen (UVP) <[email protected]> Fixes: 6a826591878db ("Use flock() for --concurrent option") Signed-off-by: Phil Sutter <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> --- libebtc.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libebtc.c b/libebtc.c index 76dd9d7..7349b27 100644 --- a/libebtc.c +++ b/libebtc.c @@ -143,10 +143,16 @@ int use_lockfd; * or -2 on any other error. */ static int lock_file() { - int fd = open(LOCKFILE, O_CREAT, 00600); - - if (fd < 0) - return -2; + int fd, try = 0; + +retry: + fd = open(LOCKFILE, O_CREAT, 00600); + if (fd < 0) { + if (try == 1 || mkdir(LOCKDIR, 00700)) + return -2; + try = 1; + goto retry; + } return flock(fd, LOCK_EX); } -- 2.20.1
