
Bug#978157: marked as done (buster-pu: package iproute2/4.20.0-2+deb10u1)



Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #978157,
regarding buster-pu: package iproute2/4.20.0-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
978157: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978157
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: formorer@debian.org

Dear release team,

I would like to do a bugfix upload of iproute2 to buster-proposed-
updates. This would be the first upload for this source package, so
waiting for feedback before uploading.

The version would backport 3 bug fixes, which have been fixed in the
latest upstream release, and which were reported on Debian Buster by
users. They make some subcommands unusable or downright dangerous.

The first two are about fixing invalid json output - these bugs make
the affected subcommands output unusable, as consumers need valid
formatted json:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961278
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972784

The third bug is about a nasty race condition - if "ip netns add foo"
is used concurrently, it might get in a loop and create thousands of
mount points on the system, causing a self-dos.
The reporter found the issue when using the command in startup scripts
executed at boot.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949235

The fixes were validated by the reporters as well.

The source debdiff is attached.

Thank you!

-- 
Kind regards,
Luca Boccassi
diff -Nru iproute2-4.20.0/debian/changelog iproute2-4.20.0/debian/changelog
--- iproute2-4.20.0/debian/changelog	2019-01-10 20:04:14.000000000 +0000
+++ iproute2-4.20.0/debian/changelog	2020-12-03 18:42:49.000000000 +0000
@@ -1,3 +1,15 @@
+iproute2 (4.20.0-2+deb10u1) buster; urgency=medium
+
+  * Backport ip-route-print-route-type-in-JSON-output.patch. Fixes bug in
+    json output, backported from upstream. (Closes: #961278)
+  * Backport tc-mqprio-json-ify-output.patch. Fixes bug in json output,
+    backported from upstream. (Closes: #972784)
+  * Backport ip-netns-use-flock-when-setting-up-run-netns.patch. Fixes
+    race condition that DOSes the system when using ip netns add at boot.
+    (Closes: #949235)
+
+ -- Luca Boccassi <bluca@debian.org>  Thu, 03 Dec 2020 18:42:49 +0000
+
 iproute2 (4.20.0-2) unstable; urgency=medium
 
   * Upload to unstable.
diff -Nru iproute2-4.20.0/debian/gbp.conf iproute2-4.20.0/debian/gbp.conf
--- iproute2-4.20.0/debian/gbp.conf	2019-01-09 15:03:12.000000000 +0000
+++ iproute2-4.20.0/debian/gbp.conf	2020-12-03 18:42:49.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = master
+debian-branch = buster
 upstream-branch = upstream
 pristine-tar = True
 compression = xz
diff -Nru iproute2-4.20.0/debian/.gitlab-ci.yml iproute2-4.20.0/debian/.gitlab-ci.yml
--- iproute2-4.20.0/debian/.gitlab-ci.yml	2019-01-09 15:03:12.000000000 +0000
+++ iproute2-4.20.0/debian/.gitlab-ci.yml	2020-12-03 18:42:49.000000000 +0000
@@ -1,17 +1,8 @@
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-    extends: .build-unstable
-
-reprotest:
-    extends: .test-reprotest
-
-lintian:
-    extends: .test-lintian
-
-autopkgtest:
-    extends: .test-autopkgtest
-
-piuparts:
-    extends: .test-piuparts
-
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'buster'
+  SALSA_CI_DISABLE_REPROTEST: 1
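Review bot: `SALSA_CI_DISABLE_REPROTEST: 1` in debian/.gitlab-ci.yml switches off the reproducibility job that the removed configuration ran explicitly (`reprotest:` extending `.test-reprotest`), and nothing in the file says why. Add a YAML comment next to the variable giving the reason, so the job can be re-enabled once that reason no longer applies. The new changelog entry also lists only the three backported patches; mention the debian/.gitlab-ci.yml and debian/gbp.conf changes there as well so the upload is fully described.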
diff -Nru iproute2-4.20.0/debian/patches/ip-netns-use-flock-when-setting-up-run-netns.patch iproute2-4.20.0/debian/patches/ip-netns-use-flock-when-setting-up-run-netns.patch
--- iproute2-4.20.0/debian/patches/ip-netns-use-flock-when-setting-up-run-netns.patch	1970-01-01 01:00:00.000000000 +0100
+++ iproute2-4.20.0/debian/patches/ip-netns-use-flock-when-setting-up-run-netns.patch	2020-12-03 18:42:49.000000000 +0000
@@ -0,0 +1,86 @@
+Origin: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=975c4944e8d57b9f51960611e2bc2c0da6cd6864
+Bug-Debian: https://bugs.debian.org/949235
+Description: ip/netns: use flock when setting up /run/netns
+ If multiple ip processes are ran at the same time to set up
+ separate network namespaces, and it is the first time so /run/netns
+ has to be set up first, and they end up doing it at the same time,
+ the processes might enter a recursive loop creating thousands of
+ mount points, which might crash the system depending on resources
+ available.
+ Try to take a flock on /run/netns before doing the mount() dance, to
+ ensure this cannot happen. But do not try too hard, and if it fails
+ continue after printing a warning, to avoid introducing regressions.
+--- a/ip/ipnetns.c
++++ b/ip/ipnetns.c
+@@ -1,5 +1,6 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
+ #define _ATFILE_SOURCE
++#include <sys/file.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
+@@ -645,6 +646,7 @@
+ 	char netns_path[PATH_MAX];
+ 	const char *name;
+ 	int fd;
++	int lock;
+ 	int made_netns_run_dir_mount = 0;
+ 
+ 	if (argc < 1) {
+@@ -663,12 +665,37 @@
+ 	 * namespace file in one namespace will unmount the network namespace
+ 	 * file in all namespaces allowing the network namespace to be freed
+ 	 * sooner.
++	 * These setup steps need to happen only once, as if multiple ip processes
++	 * try to attempt the same operation at the same time, the mountpoints will
++	 * be recursively created multiple times, eventually causing the system
++	 * to lock up. For example, this has been observed when multiple netns
++	 * namespaces are created in parallel at boot. See:
++	 * https://bugs.debian.org/949235
++	 * Try to take an exclusive file lock on the top level directory to ensure
++	 * this cannot happen, but proceed nonetheless if it cannot happen for any
++	 * reason.
+ 	 */
++	lock = open(NETNS_RUN_DIR, O_RDONLY|O_DIRECTORY, 0);
++	if (lock < 0) {
++		fprintf(stderr, "Cannot open netns runtime directory \"%s\": %s\n",
++			NETNS_RUN_DIR, strerror(errno));
++		return -1;
++	}
++	if (flock(lock, LOCK_EX) < 0) {
++		fprintf(stderr, "Warning: could not flock netns runtime directory \"%s\": %s\n",
++			NETNS_RUN_DIR, strerror(errno));
++		close(lock);
++		lock = -1;
++	}
+ 	while (mount("", NETNS_RUN_DIR, "none", MS_SHARED | MS_REC, NULL)) {
+ 		/* Fail unless we need to make the mount point */
+ 		if (errno != EINVAL || made_netns_run_dir_mount) {
+ 			fprintf(stderr, "mount --make-shared %s failed: %s\n",
+ 				NETNS_RUN_DIR, strerror(errno));
++			if (lock != -1) {
++				flock(lock, LOCK_UN);
++				close(lock);
++			}
+ 			return -1;
+ 		}
+ 
+@@ -676,10 +703,18 @@
+ 		if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_BIND | MS_REC, NULL)) {
+ 			fprintf(stderr, "mount --bind %s %s failed: %s\n",
+ 				NETNS_RUN_DIR, NETNS_RUN_DIR, strerror(errno));
++			if (lock != -1) {
++				flock(lock, LOCK_UN);
++				close(lock);
++			}
+ 			return -1;
+ 		}
+ 		made_netns_run_dir_mount = 1;
+ 	}
++	if (lock != -1) {
++		flock(lock, LOCK_UN);
++		close(lock);
++	}
+ 
+ 	/* Create the filesystem state */
+ 	fd = open(netns_path, O_RDONLY|O_CREAT|O_EXCL, 0);
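Review bot: The new `open(NETNS_RUN_DIR, O_RDONLY|O_DIRECTORY, 0)` in the ipnetns.c hunk at -663 returns -1 on failure, which contradicts both the patch description ("if it fails continue after printing a warning, to avoid introducing regressions") and the added comment ("proceed nonetheless if it cannot happen for any reason"). Only the `flock()` failure path is actually best-effort. Either downgrade the open failure to a warning and set `lock = -1` so the mount sequence still runs unlocked, or reword the description and comment to say that an unopenable directory is fatal. The unlock-and-close block (`flock(lock, LOCK_UN); close(lock);`) is also repeated on three exit paths; a single cleanup label would make it harder for a later error path to leave without releasing the lock.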
diff -Nru iproute2-4.20.0/debian/patches/ip-route-print-route-type-in-JSON-output.patch iproute2-4.20.0/debian/patches/ip-route-print-route-type-in-JSON-output.patch
--- iproute2-4.20.0/debian/patches/ip-route-print-route-type-in-JSON-output.patch	1970-01-01 01:00:00.000000000 +0100
+++ iproute2-4.20.0/debian/patches/ip-route-print-route-type-in-JSON-output.patch	2020-12-03 18:42:49.000000000 +0000
@@ -0,0 +1,16 @@
+Origin: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=073661773872709518d35d4d093f3a715281f21d
+Bug-Debian: https://bugs.debian.org/961278
+Description: ip route: print route type in JSON output
+ ip route generates an invalid JSON if the route type has to be printed,
+ eg. when detailed mode is active, or the type is different that unicast:
+--- a/ip/iproute.c
++++ b/ip/iproute.c
+@@ -766,7 +766,7 @@
+ 
+ 	if ((r->rtm_type != RTN_UNICAST || show_details > 0) &&
+ 	    (!filter.typemask || (filter.typemask & (1 << r->rtm_type))))
+-		print_string(PRINT_ANY, NULL, "%s ",
++		print_string(PRINT_ANY, "type", "%s ",
+ 			     rtnl_rtntype_n2a(r->rtm_type, b1, sizeof(b1)));
+ 
+ 	color = COLOR_NONE;
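Review bot: The DEP-3 `Description:` in this patch header ends on a colon ("or the type is different that unicast:") and the example it introduces is missing, so the header reads as truncated. Include the sample output that showed the invalid JSON, or end the sentence with a full stop; "different that" should also be "different than". The code change itself is the one-word fix of passing `"type"` instead of `NULL` as the key to `print_string(PRINT_ANY, ...)`, which matches the description.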
diff -Nru iproute2-4.20.0/debian/patches/series iproute2-4.20.0/debian/patches/series
--- iproute2-4.20.0/debian/patches/series	2019-01-09 15:03:12.000000000 +0000
+++ iproute2-4.20.0/debian/patches/series	2020-12-03 18:42:49.000000000 +0000
@@ -1,2 +1,5 @@
 0001-Add-moo-feature.patch
 0004-sync-iptables-header.patch
+ip-route-print-route-type-in-JSON-output.patch
+tc-mqprio-json-ify-output.patch
+ip-netns-use-flock-when-setting-up-run-netns.patch
diff -Nru iproute2-4.20.0/debian/patches/tc-mqprio-json-ify-output.patch iproute2-4.20.0/debian/patches/tc-mqprio-json-ify-output.patch
--- iproute2-4.20.0/debian/patches/tc-mqprio-json-ify-output.patch	1970-01-01 01:00:00.000000000 +0100
+++ iproute2-4.20.0/debian/patches/tc-mqprio-json-ify-output.patch	2020-12-03 18:42:49.000000000 +0000
@@ -0,0 +1,80 @@
+Origin: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=755b1c584eeed60767f79fafb935f6ec1f8a4b75
+Bug-Debian: https://bugs.debian.org/972784
+Description: tc/mqprio: json-ify output
+--- a/tc/q_mqprio.c
++++ b/tc/q_mqprio.c
+@@ -234,13 +234,19 @@
+ 
+ 	qopt = RTA_DATA(opt);
+ 
+-	fprintf(f, " tc %u map ", qopt->num_tc);
++	print_uint(PRINT_ANY, "tc", "tc %u ", qopt->num_tc);
++	open_json_array(PRINT_ANY, is_json_context() ? "map" : "map ");
+ 	for (i = 0; i <= TC_PRIO_MAX; i++)
+-		fprintf(f, "%u ", qopt->prio_tc_map[i]);
+-	fprintf(f, "\n             queues:");
+-	for (i = 0; i < qopt->num_tc; i++)
+-		fprintf(f, "(%u:%u) ", qopt->offset[i],
+-			qopt->offset[i] + qopt->count[i] - 1);
++		print_uint(PRINT_ANY, NULL, "%u ", qopt->prio_tc_map[i]);
++	close_json_array(PRINT_ANY, "");
++	open_json_array(PRINT_ANY, is_json_context() ? "queues" : "\n             queues:");
++	for (i = 0; i < qopt->num_tc; i++) {
++		open_json_array(PRINT_JSON, NULL);
++		print_uint(PRINT_ANY, NULL, "(%u:", qopt->offset[i]);
++		print_uint(PRINT_ANY, NULL, "%u) ", qopt->offset[i] + qopt->count[i] - 1);
++		close_json_array(PRINT_JSON, NULL);
++	}
++	close_json_array(PRINT_ANY, "");
+ 
+ 	if (len > 0) {
+ 		struct rtattr *tb[TCA_MQPRIO_MAX + 1];
+@@ -253,18 +259,18 @@
+ 			__u16 *mode = RTA_DATA(tb[TCA_MQPRIO_MODE]);
+ 
+ 			if (*mode == TC_MQPRIO_MODE_CHANNEL)
+-				fprintf(f, "\n             mode:channel");
++				print_string(PRINT_ANY, "mode", "\n             mode:%s", "channel");
+ 		} else {
+-			fprintf(f, "\n             mode:dcb");
++			print_string(PRINT_ANY, "mode", "\n             mode:%s", "dcb");
+ 		}
+ 
+ 		if (tb[TCA_MQPRIO_SHAPER]) {
+ 			__u16 *shaper = RTA_DATA(tb[TCA_MQPRIO_SHAPER]);
+ 
+ 			if (*shaper == TC_MQPRIO_SHAPER_BW_RATE)
+-				fprintf(f, "\n             shaper:bw_rlimit");
++				print_string(PRINT_ANY, "shaper", "\n             shaper:%s", "bw_rlimit");
+ 		} else {
+-			fprintf(f, "\n             shaper:dcb");
++			print_string(PRINT_ANY, "shaper", "\n             shaper:%s", "dcb");
+ 		}
+ 
+ 		if (tb[TCA_MQPRIO_MIN_RATE64]) {
+@@ -278,9 +284,10 @@
+ 					return -1;
+ 				*(min++) = rta_getattr_u64(r);
+ 			}
+-			fprintf(f, "	min_rate:");
++			open_json_array(PRINT_ANY, is_json_context() ? "min_rate" : "	min_rate:");
+ 			for (i = 0; i < qopt->num_tc; i++)
+-				fprintf(f, "%s ", sprint_rate(min_rate64[i], b1));
++				print_string(PRINT_ANY, NULL, "%s ", sprint_rate(min_rate64[i], b1));
++			close_json_array(PRINT_ANY, "");
+ 		}
+ 
+ 		if (tb[TCA_MQPRIO_MAX_RATE64]) {
+@@ -294,9 +301,10 @@
+ 					return -1;
+ 				*(max++) = rta_getattr_u64(r);
+ 			}
+-			fprintf(f, "	max_rate:");
++			open_json_array(PRINT_ANY, is_json_context() ? "max_rate" : "	max_rate:");
+ 			for (i = 0; i < qopt->num_tc; i++)
+-				fprintf(f, "%s ", sprint_rate(max_rate64[i], b1));
++				print_string(PRINT_ANY, NULL, "%s ", sprint_rate(max_rate64[i], b1));
++			close_json_array(PRINT_ANY, "");
+ 		}
+ 	}
+ 	return 0;
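Review bot: In the q_mqprio.c hunk at -234 the plain-text format changes, not only the JSON: the old `fprintf(f, " tc %u map ", ...)` began with a space, while the replacement `print_uint(PRINT_ANY, "tc", "tc %u ", ...)` does not, so the non-JSON line loses its leading separator. For a stable update, confirm that the text output is byte-identical to the previous version or note the difference in the changelog, since scripts may parse it. Every replaced call also drops the `f` argument (`fprintf(f, ...)` becomes `print_uint(...)` / `print_string(...)`), so check that the output still reaches the same stream as the rest of the qdisc dump. The patch header has no description body beyond the title; one line saying which command produced invalid JSON would match the other two patches.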



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---
