@lifubang lifubang commented Nov 20, 2025

backport: #5026


Fix: #5021
Fix: #5007
Close: #5022
Close: #5024

Without deferring the closure of this file descriptor, starting a container with a very large number of devices can hit the RLIMIT_NOFILE limit.
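A leak of this kind can be caught by snapshotting `/proc/self/fd` before and after the code under test, since every descriptor left open shows up as a new entry. This is an added Go example, not part of this PR or of runc's test suite; `openFDs`, `leakedBy` and `visitDir` are hypothetical names, and `visitDir` is a constructed stand-in for per-device setup work (Linux only).

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// openFDs maps each open descriptor number to its /proc/self/fd link target.
func openFDs() (map[string]string, error) {
	dir, err := os.Open("/proc/self/fd")
	if err != nil {
		return nil, err
	}
	defer dir.Close()
	names, err := dir.Readdirnames(-1)
	fds := make(map[string]string)
	for _, name := range names {
		if name != fmt.Sprint(dir.Fd()) { // skip the listing's own descriptor
			fds[name], _ = os.Readlink("/proc/self/fd/" + name)
		}
	}
	return fds, err
}

// leakedBy runs fn and returns the descriptors (number -> target) it left open.
func leakedBy(fn func()) (map[string]string, error) {
	before, err := openFDs()
	if err != nil {
		return nil, err
	}
	fn()
	after, err := openFDs()
	for fd := range before {
		delete(after, fd) // already open before fn ran
	}
	return after, err
}

// visitDir (constructed) opens "/" n times, closing only if closeEach is set.
func visitDir(n int, closeEach bool) {
	for i := 0; i < n; i++ {
		fd, err := syscall.Open("/", syscall.O_RDONLY|syscall.O_CLOEXEC, 0)
		if err == nil && closeEach {
			syscall.Close(fd)
		}
	}
}

func main() { fmt.Println(leakedBy(func() { visitDir(8, false) })) }
```

The number of leaked entries grows with `n`, which is how a large enough item count ends at `RLIMIT_NOFILE`.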

@lifubang lifubang added the backport/1.4-pr A backport PR to release-1.4 label Nov 20, 2025
@cyphar cyphar added this to the 1.4.0 milestone Nov 20, 2025
@cyphar cyphar mentioned this pull request Nov 20, 2025
13 tasks
@cyphar cyphar changed the title from "[1.4] detect file descriptor leaks as comprehensively as possible" to "[1.4] fix fd leaks and detect them as comprehensively as possible" Nov 20, 2025
lifubang and others added 5 commits November 20, 2025 11:53
Co-authored-by: Aleksa Sarai <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit ba7f46d)
Signed-off-by: lifubang <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit e027288)
Signed-off-by: lifubang <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit 9a5e626)
Signed-off-by: lifubang <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit 0127cc6)
Signed-off-by: lifubang <[email protected]>
Signed-off-by: lifubang <[email protected]>
(cherry picked from commit d870650)
Signed-off-by: lifubang <[email protected]>
@lifubang lifubang force-pushed the ci-detect-fdleak-try-best-1.4 branch from 4e0fea6 to e675743 Compare November 20, 2025 11:53
@AkihiroSuda AkihiroSuda merged commit ffc11bc into opencontainers:release-1.4 Nov 26, 2025
37 checks passed
@lifubang lifubang mentioned this pull request Nov 26, 2025
@cyphar cyphar mentioned this pull request Nov 27, 2025
smallprogram added a commit to smallprogram/openwrt_packages that referenced this pull request Jan 29, 2026
cgroups: provide iocost statistics for cgroupv2. (opencontainers/cgroups#43)
cgroups: retry DBus connection when it fails with EAGAIN. (opencontainers/cgroups#45)
cgroups: improve cpuacct.usage_all resilience when parsing data from patched kernels (such as the Tencent kernels). (opencontainers/cgroups#46, opencontainers/cgroups#50)
libct: close child fds on prepareCgroupFD error. (opencontainers/runc#4936)
libct: fix mips compilation. (opencontainers/runc#4962, opencontainers/runc#4967)
When configuring a tmpfs mount, only set the mode= argument if the target path already existed. This fixes a regression introduced in our CVE-2025-52881 mitigation patches. (opencontainers/runc#4971, opencontainers/runc#4976)
Fix various file descriptor leaks and add additional tests to detect them as comprehensively as possible. (opencontainers/runc#5007, opencontainers/runc#5021, opencontainers/runc#5034)
The "hallucination" helpers added as part of the CVE-2025-52881 mitigation have been made more generic and now apply to all of our pathrs helper functions, which should ensure we will not regress dangling symlink users. (opencontainers/runc#4985)
Signed-off-by: David Mandy <[email protected]>