Merge pull request #2349 from brauner/2018-05-24/prevent_fd_leak

lxccontainer: fix fd leaks when sending signals

Merge pull request #2349 from brauner/2018-05-24/prevent_fd_leak
12697380 · Stéphane Graber · GitHub · b3365b93 · c0b48eff · 12697380
Unverified Commit 12697380 authored May 24, 2018 by Stéphane Graber Committed by GitHub May 24, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 23 deletions

confile.c src/lxc/confile.c +12 -14

lxccontainer.c src/lxc/lxccontainer.c +20 -8

start.c src/lxc/start.c +9 -1

No files found.
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -2431,40 +2431,38 @@ signed long lxc_config_parse_arch(const char *arch)
 		char *name;
 		unsigned long per;
 	} pername[] = {
-	    { "x86",       PER_LINUX32 },
+	    { "arm",       PER_LINUX32 },
-	    { "linux32",   PER_LINUX32 },
+	    { "armel",     PER_LINUX32 },
+	    { "armhf",     PER_LINUX32 },
+	    { "armv7l",    PER_LINUX32 },
+	    { "athlon",    PER_LINUX32 },
 	    { "i386",      PER_LINUX32 },
 	    { "i486",      PER_LINUX32 },
 	    { "i586",      PER_LINUX32 },
 	    { "i686",      PER_LINUX32 },
-	    { "athlon",    PER_LINUX32 },
+	    { "linux32",   PER_LINUX32 },
 	    { "mips",      PER_LINUX32 },
 	    { "mipsel",    PER_LINUX32 },
 	    { "ppc",       PER_LINUX32 },
-	    { "arm",       PER_LINUX32 },
-	    { "armv7l",    PER_LINUX32 },
-	    { "armhf",     PER_LINUX32 },
-	    { "armel",     PER_LINUX32 },
 	    { "powerpc",   PER_LINUX32 },
-	    { "linux64",   PER_LINUX   },
+	    { "x86",       PER_LINUX32 },
-	    { "x86_64",    PER_LINUX   },
 	    { "amd64",     PER_LINUX   },
+	    { "arm64",     PER_LINUX   },
+	    { "linux64",   PER_LINUX   },
 	    { "mips64",    PER_LINUX   },
 	    { "mips64el",  PER_LINUX   },
 	    { "ppc64",     PER_LINUX   },
-	    { "ppc64le",   PER_LINUX   },
 	    { "ppc64el",   PER_LINUX   },
+	    { "ppc64le",   PER_LINUX   },
 	    { "powerpc64", PER_LINUX   },
 	    { "s390x",     PER_LINUX   },
-	    { "aarch64",   PER_LINUX   },
+	    { "x86_64",    PER_LINUX   },
-	    { "arm64",     PER_LINUX   },
 	};
 	size_t len = sizeof(pername) / sizeof(pername[0]);
-	for (i = 0; i < len; i++) {
+	for (i = 0; i < len; i++)
 		if (!strcmp(pername[i].name, arch))
 			return pername[i].per;
-	}
 #endif
 	return -1;

--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1893,24 +1893,30 @@ static bool lxcapi_create(struct lxc_container *c, const char *t,
 static bool do_lxcapi_reboot(struct lxc_container *c)
 {
+	int ret;
 	pid_t pid;
 	int rebootsignal = SIGINT;
 	if (!c)
 		return false;
 	if (!do_lxcapi_is_running(c))
 		return false;
 	pid = do_lxcapi_init_pid(c);
 	if (pid <= 0)
 		return false;
 	if (c->lxc_conf && c->lxc_conf->rebootsignal)
 		rebootsignal = c->lxc_conf->rebootsignal;
-	if (kill(pid, rebootsignal) < 0) {
-		WARN("Could not send signal %d to pid %d.", rebootsignal, pid);
+	ret = kill(pid, rebootsignal);
+	if (ret < 0) {
+		WARN("Failed to send signal %d to pid %d", rebootsignal, pid);
 		return false;
 	}
-	return true;
+	return true;
 }
 WRAP_API(bool, lxcapi_reboot)
@@ -1958,15 +1964,18 @@ static bool do_lxcapi_reboot2(struct lxc_container *c, int timeout)
 	/* Send reboot signal to container. */
 	killret = kill(pid, rebootsignal);
 	if (killret < 0) {
-		WARN("Could not send signal %d to pid %d", rebootsignal, pid);
 		if (state_client_fd >= 0)
 			close(state_client_fd);
+		WARN("Failed to send signal %d to pid %d", rebootsignal, pid);
 		return false;
 	}
 	TRACE("Sent signal %d to pid %d", rebootsignal, pid);
-	if (timeout == 0)
+	if (timeout == 0) {
+		if (state_client_fd >= 0)
+			close(state_client_fd);
 		return true;
+	}
 	ret = lxc_cmd_sock_rcv_state(state_client_fd, timeout);
 	close(state_client_fd);
@@ -1986,7 +1995,7 @@ static bool do_lxcapi_shutdown(struct lxc_container *c, int timeout)
 {
 	int killret, ret;
 	pid_t pid;
-	int haltsignal = SIGPWR, state_client_fd = -1;
+	int haltsignal = SIGPWR, state_client_fd = -EBADF;
 	lxc_state_t states[MAX_STATE] = {0};
 	if (!c)
@@ -2028,15 +2037,18 @@ static bool do_lxcapi_shutdown(struct lxc_container *c, int timeout)
 	/* Send shutdown signal to container. */
 	killret = kill(pid, haltsignal);
 	if (killret < 0) {
-		WARN("Could not send signal %d to pid %d", haltsignal, pid);
 		if (state_client_fd >= 0)
 			close(state_client_fd);
+		WARN("Failed to send signal %d to pid %d", haltsignal, pid);
 		return false;
 	}
 	TRACE("Sent signal %d to pid %d", haltsignal, pid);
-	if (timeout == 0)
+	if (timeout == 0) {
+		if (state_client_fd >= 0)
+			close(state_client_fd);
 		return true;
+	}
 	ret = lxc_cmd_sock_rcv_state(state_client_fd, timeout);
 	close(state_client_fd);

--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1486,8 +1486,16 @@ static inline int do_share_ns(void *arg)
 			continue;
 		ret = setns(handler->nsfd[i], 0);
-		if (ret < 0)
+		if (ret < 0) {
+			/*
+			 * Note that joining a user and/or mount namespace
+			 * requires the process is not multithreaded otherwise
+			 * setns() will fail here.
+			 */
+			SYSERROR("Failed to inherit %s namespace",
+				 ns_info[i].proc_name);
 			return -1;
+		}
 		DEBUG("Inherited %s namespace", ns_info[i].proc_name);
 	}