Skip to content

Commit 5d0b52b

Browse files
champtarchamptar
committed
sockerpair_unix: avoid double close(), set FD_CLOEXEC
We were calling the close() syscall multiple time with the same fd number, leading to random issues like closing containerd stream port. In newLaunchedPlugin() we have: sockets, _ := net.NewSocketPair() defer sockets.Close() conn, _ := sockets.LocalConn() peerFile := sockets.PeerFile() defer func() { peerFile.Close() if retErr != nil { conn.Close() } }() cmd.Start() so we were doing: close(local) (in LocalConn()) cmd.Start() close(peer) (peerFile.Close()) close(local) (sockets.Close()) close(peer) (sockets.Close()) If the NRI plugin that we launch with cmd.Start() is not cached or the system is a bit busy, cmd.Start() gives a large enough window for another goroutine to open a file that will get the same fd number as local was, thus being closed by accident. Fix the situation by storing os.Files instead of ints, so that closing multiple times just returns an error (that we ignore). Also set FD_CLOEXEC on the sockets so we don't leak them. Fixes 1da2cdf Signed-off-by: Etienne Champetier <[email protected]>
1 parent 6f5a4d2 commit 5d0b52b

3 files changed

Lines changed: 98 additions & 35 deletions

File tree

pkg/net/socketpair_cloexec_linux.go

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
//go:build linux
2+
3+
/*
4+
Copyright The containerd Authors.
5+
6+
Licensed under the Apache License, Version 2.0 (the "License");
7+
you may not use this file except in compliance with the License.
8+
You may obtain a copy of the License at
9+
10+
http://www.apache.org/licenses/LICENSE-2.0
11+
12+
Unless required by applicable law or agreed to in writing, software
13+
distributed under the License is distributed on an "AS IS" BASIS,
14+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15+
See the License for the specific language governing permissions and
16+
limitations under the License.
17+
*/
18+
19+
package net
20+
21+
import (
22+
"golang.org/x/sys/unix"
23+
)
24+
25+
func newSocketPairCLOEXEC() ([2]int, error) {
26+
return unix.Socketpair(unix.AF_UNIX, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
27+
}

pkg/net/socketpair_cloexec_unix.go

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
//go:build !linux && !windows
2+
3+
/*
4+
Copyright The containerd Authors.
5+
6+
Licensed under the Apache License, Version 2.0 (the "License");
7+
you may not use this file except in compliance with the License.
8+
You may obtain a copy of the License at
9+
10+
http://www.apache.org/licenses/LICENSE-2.0
11+
12+
Unless required by applicable law or agreed to in writing, software
13+
distributed under the License is distributed on an "AS IS" BASIS,
14+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15+
See the License for the specific language governing permissions and
16+
limitations under the License.
17+
*/
18+
19+
package net
20+
21+
import (
22+
"syscall"
23+
24+
"golang.org/x/sys/unix"
25+
)
26+
27+
func newSocketPairCLOEXEC() ([2]int, error) {
28+
syscall.ForkLock.RLock()
29+
defer syscall.ForkLock.RUnlock()
30+
fds, err := unix.Socketpair(unix.AF_UNIX, unix.SOCK_STREAM, 0)
31+
if err != nil {
32+
return fds, err
33+
}
34+
unix.CloseOnExec(fds[0])
35+
unix.CloseOnExec(fds[1])
36+
37+
return fds, err
38+
}

pkg/net/socketpair_unix.go

Lines changed: 33 additions & 35 deletions
Original file line numberDiff line numberDiff line change
@@ -22,76 +22,74 @@ import (
2222
"fmt"
2323
"net"
2424
"os"
25-
26-
syscall "golang.org/x/sys/unix"
27-
)
28-
29-
const (
30-
local = 0
31-
peer = 1
3225
)
3326

34-
// SocketPair contains the file descriptors of a connected pair of sockets.
35-
type SocketPair [2]int
27+
// SocketPair contains the os.File of a connected pair of sockets.
28+
type SocketPair struct {
29+
local, peer *os.File
30+
}
3631

3732
// NewSocketPair returns a connected pair of sockets.
3833
func NewSocketPair() (SocketPair, error) {
39-
fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
34+
fds, err := newSocketPairCLOEXEC()
4035
if err != nil {
41-
return [2]int{-1, -1}, fmt.Errorf("failed to create socketpair: %w", err)
36+
return SocketPair{nil, nil}, fmt.Errorf("failed to create socketpair: %w", err)
4237
}
4338

44-
return fds, nil
39+
filename := fmt.Sprintf("socketpair-#%d:%d", fds[0], fds[1])
40+
41+
return SocketPair{
42+
os.NewFile(uintptr(fds[0]), filename+"[0]"),
43+
os.NewFile(uintptr(fds[1]), filename+"[1]"),
44+
}, nil
4545
}
4646

47-
// LocalFile returns the socketpair fd for local usage as an *os.File.
48-
func (fds SocketPair) LocalFile() *os.File {
49-
return os.NewFile(uintptr(fds[local]), fds.fileName()+"[0]")
47+
// LocalFile returns the local end of the socketpair as an *os.File.
48+
func (sp SocketPair) LocalFile() *os.File {
49+
return sp.local
5050
}
5151

52-
// PeerFile returns the socketpair fd for peer usage as an *os.File.
53-
func (fds SocketPair) PeerFile() *os.File {
54-
return os.NewFile(uintptr(fds[peer]), fds.fileName()+"[1]")
52+
// PeerFile returns the peer end of the socketpair as an *os.File.
53+
func (sp SocketPair) PeerFile() *os.File {
54+
return sp.peer
5555
}
5656

5757
// LocalConn returns a net.Conn for the local end of the socketpair.
58-
func (fds SocketPair) LocalConn() (net.Conn, error) {
59-
file := fds.LocalFile()
58+
// This closes LocalFile().
59+
func (sp SocketPair) LocalConn() (net.Conn, error) {
60+
file := sp.LocalFile()
6061
defer file.Close()
6162
conn, err := net.FileConn(file)
6263
if err != nil {
63-
return nil, fmt.Errorf("failed to create net.Conn for %s[0]: %w", fds.fileName(), err)
64+
return nil, fmt.Errorf("failed to create net.Conn for %s: %w", file.Name(), err)
6465
}
6566
return conn, nil
6667
}
6768

6869
// PeerConn returns a net.Conn for the peer end of the socketpair.
69-
func (fds SocketPair) PeerConn() (net.Conn, error) {
70-
file := fds.PeerFile()
70+
// This closes PeerFile().
71+
func (sp SocketPair) PeerConn() (net.Conn, error) {
72+
file := sp.PeerFile()
7173
defer file.Close()
7274
conn, err := net.FileConn(file)
7375
if err != nil {
74-
return nil, fmt.Errorf("failed to create net.Conn for %s[1]: %w", fds.fileName(), err)
76+
return nil, fmt.Errorf("failed to create net.Conn for %s: %w", file.Name(), err)
7577
}
7678
return conn, nil
7779
}
7880

7981
// Close closes both ends of the socketpair.
80-
func (fds SocketPair) Close() {
81-
fds.LocalClose()
82-
fds.PeerClose()
82+
func (sp SocketPair) Close() {
83+
sp.LocalClose()
84+
sp.PeerClose()
8385
}
8486

8587
// LocalClose closes the local end of the socketpair.
86-
func (fds SocketPair) LocalClose() {
87-
syscall.Close(fds[local])
88+
func (sp SocketPair) LocalClose() {
89+
sp.local.Close()
8890
}
8991

9092
// PeerClose closes the peer end of the socketpair.
91-
func (fds SocketPair) PeerClose() {
92-
syscall.Close(fds[peer])
93-
}
94-
95-
func (fds SocketPair) fileName() string {
96-
return fmt.Sprintf("socketpair-#%d:%d[0]", fds[local], fds[peer])
93+
func (sp SocketPair) PeerClose() {
94+
sp.peer.Close()
9795
}

0 commit comments

Comments
 (0)