From a9e8f8959217486bb50a604c91982922f55cfac6 Mon Sep 17 00:00:00 2001
From: dongshengyuan <545258830@qq.com>
Date: Thu, 25 Jun 2026 16:01:42 +0800
Subject: [PATCH 1/3] sd-journal: fix memzero size in data hash table setup

journal_file_setup_data_hash_table() allocates s * sizeof(HashItem) bytes for the hash table but then only zeroes s bytes, leaving 15/16 of the entries uninitialized. This corrupts the hash chain in any newly created journal file. The adjacent journal_file_setup_field_hash_table() already uses the correct size.

Signed-off-by: dongshengyuan
---
 src/libsystemd/sd-journal/journal-file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c
index bd8a4348bda..2207b47abfe 100644
--- a/src/libsystemd/sd-journal/journal-file.c
+++ b/src/libsystemd/sd-journal/journal-file.c
@@ -1301,7 +1301,7 @@ static int journal_file_setup_data_hash_table(JournalFile *f) {
 if (r < 0)
 return r;

- memzero(o->hash_table.items, s);
+ memzero(o->hash_table.items, s * sizeof(HashItem));

 f->header->data_hash_table_offset = htole64(p + offsetof(Object, hash_table.items));
 f->header->data_hash_table_size = htole64(s * sizeof(HashItem));
From 3daf3e19dad83495e32a6656f851b8caf112ce4f Mon Sep 17 00:00:00 2001
From: dongshengyuan <545258830@qq.com>
Date: Thu, 25 Jun 2026 16:40:05 +0800
Subject: [PATCH 2/3] core: fix fd leak in exec_shared_runtime_deserialize_one

The userns/netns/ipcns fdpairs were declared as plain int arrays without _cleanup_close_pair_. If exec_shared_runtime_add() fails (e.g. OOM on hashmap_ensure_put), the already-opened fds are leaked. Since exec_shared_runtime_add() uses TAKE_FD on success, the array entries are reset to -1 after ownership transfer, so adding _cleanup_close_pair_ is safe and closes the fds only when they were never consumed.

Signed-off-by: dongshengyuan
---
 src/core/execute.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
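Review bot: In journal_file_setup_data_hash_table() the byte length `s * sizeof(HashItem)` is now spelled out twice in this hunk (the `memzero()` call and `data_hash_table_size`) and, per the commit message, a third time in the allocation, which lies outside the hunk. The new length is only safe if it equals the size passed to that allocation; should `s` already be a byte count there, this `memzero()` would write past the end of the object, so that call is worth checking before merge. Computing the size once, e.g. `const uint64_t sz = s * sizeof(HashItem);` (type assumed, `s` is declared outside the hunk), and using `sz` for the allocation, `memzero(o->hash_table.items, sz);` and `htole64(sz)` keeps the three from drifting apart again. The function body starts and ends outside the hunk.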
diff --git a/src/core/execute.c b/src/core/execute.c
index c2e8bc82b7d..4240e01d0be 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2748,7 +2748,8 @@ int exec_shared_runtime_deserialize_compat(Unit *u, const char *key, const char
 int exec_shared_runtime_deserialize_one(Manager *m, const char *value, FDSet *fds) {
 _cleanup_free_ char *tmp_dir = NULL, *var_tmp_dir = NULL;
 char *id = NULL;
- int r, userns_fdpair[] = {-1, -1}, netns_fdpair[] = {-1, -1}, ipcns_fdpair[] = {-1, -1};
+ _cleanup_close_pair_ int userns_fdpair[] = EBADF_PAIR, netns_fdpair[] = EBADF_PAIR, ipcns_fdpair[] = EBADF_PAIR;
+ int r;
 const char *p, *v = ASSERT_PTR(value);
 size_t n;

From 68b59ca74fc53e1f2115d6e35244f350c7336ef5 Mon Sep 17 00:00:00 2001
From: dongshengyuan <545258830@qq.com>
Date: Thu, 25 Jun 2026 16:40:28 +0800
Subject: [PATCH 3/3] systemctl: fix continue placement in clean-or-freeze error handling

When sd_bus_call() fails, the continue was inside the 'if (ret == EXIT_SUCCESS)' guard, so only the first failure skipped adding the unit to the job waiter. On the second and subsequent failures, the unit was still passed to bus_wait_for_units_add_unit() despite no job being started, causing bus_wait_for_units_run() to hang indefinitely. Move continue outside the guard so any failure skips the waiter registration. The guard still prevents ret from being overwritten by a later error code.

Signed-off-by: dongshengyuan
---
 src/systemctl/systemctl-clean-or-freeze.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/systemctl/systemctl-clean-or-freeze.c b/src/systemctl/systemctl-clean-or-freeze.c
index dfaff2adbcf..1022fd0d12f 100644
--- a/src/systemctl/systemctl-clean-or-freeze.c
+++ b/src/systemctl/systemctl-clean-or-freeze.c
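Review bot: The cleanup attribute added to the three fd pairs in exec_shared_runtime_deserialize_one() closes whatever they still hold on every return, so it is only correct if the pairs are the sole owner of those descriptors at that point. The code that fills the pairs from `fds` is outside the hunk; if a descriptor were still tracked by the FDSet when an error return fires it would be closed twice, and in a long-running manager the second close can land on an unrelated descriptor that reused the number. The same holds if exec_shared_runtime_add() can fail after taking some but not all of the descriptors. A comment above the declaration would pin the contract, e.g. `/* Owned here once removed from the FDSet; exec_shared_runtime_add() resets them via TAKE_FD() on success */`. The function body continues outside the hunk.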
@@ -83,10 +83,9 @@ int verb_clean_or_freeze(int argc, char *argv[], uintptr_t _data, void *userdata
 r = sd_bus_call(bus, m, 0, &error, NULL);
 if (r < 0) {
 log_error_errno(r, "Failed to %s unit %s: %s", argv[0], *name, bus_error_message(&error, r));
- if (ret == EXIT_SUCCESS) {
+ if (ret == EXIT_SUCCESS)
 ret = r;
- continue;
- }
+ continue;
 }

 if (w) {
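Review bot: The now-unconditional `continue;` in the `r < 0` branch of verb_clean_or_freeze() sits directly below an unbraced `if (ret == EXIT_SUCCESS)` whose whole body is `ret = r;`, a shape that a later edit could easily fold back into the guard and so reintroduce the hang. A one-line comment would record why it has to stay outside, e.g. `/* No job was started for this unit, so never register it with the waiter */`. If `RET_GATHER()` is available in this tree and `ret` only ever holds 0 or a negative errno (its declaration is outside the hunk), `RET_GATHER(ret, r);` would replace the guard and leave the `continue;` visibly on its own. The surrounding loop starts and ends outside the hunk.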