Skip to content

[1.4] libct: close child fds on prepareCgroupFD error #4936

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 16, 2025
Merged

[1.4] libct: close child fds on prepareCgroupFD error #4936

merged 2 commits into from
Oct 16, 2025

Conversation

@cyphar
Copy link
Member

@cyphar cyphar commented Oct 15, 2025

Backport of #4930

The (*setns).start is supposed to close child fds once the child has started, or upon returning an error.
There was no code to return an error before calling start, but commit 5af4dd4 added it, together with
a bug -- child fds are not closed if prepareCgroupFD fails.

I'm not sure ifhow to add a good test case for it. Found when working on PR #4928 (which modified the code
to read the child logs even when start() fails).

Fixes: 5af4dd4 / PR #4812.

This PR also includes the refactoring of start to avoid similar problems in the future.

kolyshkin and others added 2 commits October 16, 2025 09:40
@kolyshkin @cyphar
libct: close child fds on prepareCgroupFD error
e8e22ae 
The (*setns).start is supposed to close child fds once the child has
started, or upon an error. Commit 5af4dd4 added a bug -- child fds
are not closed if prepareCgroupFD fails.

Fix by adding a missing call to closeChild.

I'm not sure how to write a good test case for it. Found when working
on PR 4928 (and tested in there).

Fixes: 5af4dd4
Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 4e26250)
Signed-off-by: Aleksa Sarai <[email protected]>
@kolyshkin @lifubang @cyphar
libct: refactor setnsProcess.start
42b405d 
Factor startWithCgroupFD out of start to reduce the start complexity.
This also implements a more future-proof way of calling p.comm.closeChild.

Co-authored-by: lifubang <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 871052b)
Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar cyphar added this to the 1.4.0 milestone Oct 15, 2025
@cyphar cyphar added the backport/1.4-pr A backport PR to release-1.4 label Oct 15, 2025
kolyshkin
kolyshkin approved these changes Oct 15, 2025
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@lifubang lifubang merged commit 1984e2c into opencontainers:release-1.4 Oct 16, 2025
36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lifubang lifubang lifubang approved these changes

@kolyshkin kolyshkin kolyshkin approved these changes

Assignees

No one assigned

Labels

backport/1.4-pr A backport PR to release-1.4

Projects

None yet

Milestone

1.4.0

Development

Successfully merging this pull request may close these issues.

3 participants

@cyphar @lifubang @kolyshkin