From: Philip Withnall <pwithnall@gnome.org>
Date: Wed, 22 Apr 2026 16:19:21 +0000 (+0100)
Subject: sysupdate: Prevent a possible invalid partial+pending state on an instance
X-Git-Tag: v260.2~204
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=81bd2d80b95051eb7b51ce78a1b4a879e6377e2a;p=thirdparty%2Fsystemd.git

sysupdate: Prevent a possible invalid partial+pending state on an instance

If the resource code is recursing, it’s possible for one iteration to
set a partial flag, and then a recursive iteration to set a pending flag
(or vice-versa). It doesn’t make sense to have both set at the same time
for a specific instance, so make sure to clear the other flag when
setting one of them.

Add some assertions to make this invariant clearer and easier to debug
if it fails.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
(cherry picked from commit 0d02d0bc51f2fd431f81daa39a970d5dea279f29)
---

diff --git a/src/sysupdate/sysupdate-resource.c b/src/sysupdate/sysupdate-resource.c
index 3be0943e4c0..c138707a868 100644
--- a/src/sysupdate/sysupdate-resource.c
+++ b/src/sysupdate/sysupdate-resource.c
@@ -139,9 +139,11 @@ static int resource_load_from_directory_recursive(
                 if ((stripped = startswith(de->d_name, ".sysupdate.partial."))) {
                         de_d_name_stripped = stripped;
                         is_partial = true;
+                        is_pending = false;
                 } else if ((stripped = startswith(de->d_name, ".sysupdate.pending."))) {
                         de_d_name_stripped = stripped;
                         is_pending = true;
+                        is_partial = false;
                 } else
                         de_d_name_stripped = de->d_name;
 
@@ -192,6 +194,9 @@ static int resource_load_from_directory_recursive(
                 if (instance->metadata.mode == MODE_INVALID)
                         instance->metadata.mode = st.st_mode & 0775; /* mask out world-writability and suid and stuff, for safety */
 
+                /* Canât be both partial and pending. */
+                assert(!(is_partial && is_pending));
+
                 instance->is_partial = is_partial;
                 instance->is_pending = is_pending;
         }
@@ -309,6 +314,9 @@ static int resource_load_from_blockdev(Resource *rr) {
                 if (instance->metadata.read_only < 0)
                         instance->metadata.read_only = instance->partition_info.read_only;
 
+                /* Canât be both partial and pending. */
+                assert(!(is_partial && is_pending));
+
                 instance->is_partial = is_partial;
                 instance->is_pending = is_pending;
         }
diff --git a/src/sysupdate/sysupdate.c b/src/sysupdate/sysupdate.c
index 69848c3fcb7..77e379cf2a4 100644
--- a/src/sysupdate/sysupdate.c
+++ b/src/sysupdate/sysupdate.c
@@ -414,7 +414,10 @@ static int context_discover_update_sets_by_flag(Context *c, UpdateSetFlags flags
                                 extra_flags |= UPDATE_PROTECTED;
 
                         /* Partial or pending updates by definition are not incomplete, theyâre
-                         * partial/pending instead */
+                         * partial/pending instead. While an individual Instance cannot be both partial and
+                         * pending, an UpdateSet as a whole can contain both partial and pending instances. */
+                        assert(!match || !(match->is_partial && match->is_pending));
+
                         if (match && match->is_partial)
                                 extra_flags = (extra_flags | UPDATE_PARTIAL) & ~UPDATE_INCOMPLETE;