runc:symc some patches

(cherry picked from commit 6b3b6fb7d12f8699fd427a6001bf78e0937e1984)

git-commit

@@ -1 +1 @@
-47a4bc111c776c9d4942d021420450e8c89b403e
+d3c42c5e018eaf9bb30b5180356834037e12a91c

patch/0046-runc-Fix-File-to-Close.patch

@@ -0,0 +1,40 @@
+From 329422245586df752a020d3887cb0ee83cab7f59 Mon Sep 17 00:00:00 2001
+From: "hang.jiang" <hang.jiang@daocloud.io>
+Date: Fri, 1 Sep 2023 16:17:13 +0800
+Subject: [PATCH 1/4] Fix File to Close
+
+Reference:https://github.com/opencontainers/runc/commit/937ca107c3d22da77eb8e8030f2342253b980980
+
+Signed-off-by: hang.jiang <hang.jiang@daocloud.io>
+---
+ libcontainer/cgroups/fs/paths.go | 1 +
+ update.go                        | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/libcontainer/cgroups/fs/paths.go b/libcontainer/cgroups/fs/paths.go
+index 1092331b..2cb970a3 100644
+--- a/libcontainer/cgroups/fs/paths.go
++++ b/libcontainer/cgroups/fs/paths.go
+@@ -83,6 +83,7 @@ func tryDefaultCgroupRoot() string {
+ 	if err != nil {
+ 		return ""
+ 	}
++	defer dir.Close()
+ 	names, err := dir.Readdirnames(1)
+ 	if err != nil {
+ 		return ""
+diff --git a/update.go b/update.go
+index 9ce5a2e8..6d582ddd 100644
+--- a/update.go
++++ b/update.go
+@@ -174,6 +174,7 @@ other options are ignored.
+ 				if err != nil {
+ 					return err
+ 				}
++				defer f.Close()
+ 			}
+ 			err = json.NewDecoder(f).Decode(&r)
+ 			if err != nil {
+-- 
+2.27.0
+

patch/0047-runc-Fix-tmpfs-mode-opts-when-dir-already-exists.patch

@@ -0,0 +1,65 @@
+From 6594fe86b84fa69fd44172694d9495b37e5c653a Mon Sep 17 00:00:00 2001
+From: Brian Goff <cpuguy83@gmail.com>
+Date: Thu, 22 Jun 2023 21:35:19 +0000
+Subject: [PATCH 2/4] Fix tmpfs mode opts when dir already exists
+
+When a directory already exists (or after a container is restarted) the
+perms of the directory being mounted to were being used even when a
+different permission is set on the tmpfs mount options.
+
+This prepends the original directory perms to the mount options.
+If the perms were already set in the mount opts then those perms will
+win.
+This eliminates the need to perform a chmod after mount entirely.
+
+Reference:https://github.com/opencontainers/runc/commit/9fa8b9de3e74c306db186494187fb789f0fdab4d
+
+Signed-off-by: Brian Goff <cpuguy83@gmail.com>
+---
+ libcontainer/rootfs_linux.go | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 8ce09f6f..8749114b 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -467,11 +467,16 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ 		}
+ 		return label.SetFileLabel(dest, mountLabel)
+ 	case "tmpfs":
+-		stat, err := os.Stat(dest)
+-		if err != nil {
++		if stat, err := os.Stat(dest); err != nil {
+ 			if err := os.MkdirAll(dest, 0o755); err != nil {
+ 				return err
+ 			}
++		} else {
++			dt := fmt.Sprintf("mode=%04o", stat.Mode())
++			if m.Data != "" {
++				dt = dt + "," + m.Data
++			}
++			m.Data = dt
+ 		}
+ 
+ 		if m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP {
+@@ -480,16 +485,7 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ 			err = mountPropagate(m, rootfs, mountLabel, nil)
+ 		}
+ 
+-		if err != nil {
+-			return err
+-		}
+-
+-		if stat != nil {
+-			if err = os.Chmod(dest, stat.Mode()); err != nil {
+-				return err
+-			}
+-		}
+-		return nil
++		return err
+ 	case "bind":
+ 		if err := prepareBindMount(m, rootfs, mountFd); err != nil {
+ 			return err
+-- 
+2.27.0
+

patch/0048-runc-Fix-undefined-behavior.patch

@@ -0,0 +1,68 @@
+From 04ee021566aa241792914782a68a8ba30383e738 Mon Sep 17 00:00:00 2001
+From: Kazuki Hasegawa <nanasi880@gmail.com>
+Date: Tue, 28 Mar 2023 19:54:11 +0900
+Subject: [PATCH 3/4] Fix undefined behavior.
+
+Do not accept setjmp return value as variable.
+
+Reference:https://github.com/opencontainers/runc/commit/6053aea46f18f86a3e1cdb0f18a1094079af4aeb
+
+Signed-off-by: Kazuki Hasegawa <nanasi880@gmail.com>
+---
+ libcontainer/nsenter/nsexec.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 52e4521c..96bf5b7d 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -958,8 +958,7 @@ void nsexec(void)
+ 	 * -- Aleksa "what has my life come to?" Sarai
+ 	 */
+ 
+-	current_stage = setjmp(env);
+-	switch (current_stage) {
++	switch (setjmp(env)) {
+ 		/*
+ 		 * Stage 0: We're in the parent. Our job is just to create a new child
+ 		 *          (stage 1: STAGE_CHILD) process and write its uid_map and
+@@ -973,6 +972,7 @@ void nsexec(void)
+ 			bool stage1_complete, stage2_complete;
+ 
+ 			/* For debugging. */
++			current_stage = STAGE_PARENT;
+ 			prctl(PR_SET_NAME, (unsigned long)"runc:[0:PARENT]", 0, 0, 0);
+ 			write_log(DEBUG, "~> nsexec stage-0");
+ 
+@@ -1130,6 +1130,9 @@ void nsexec(void)
+ 			pid_t stage2_pid = -1;
+ 			enum sync_t s;
+ 
++			/* For debugging. */
++			current_stage = STAGE_CHILD;
++
+ 			/* We're in a child and thus need to tell the parent if we die. */
+ 			syncfd = sync_child_pipe[0];
+ 			if (close(sync_child_pipe[1]) < 0)
+@@ -1310,6 +1313,9 @@ void nsexec(void)
+ 			 */
+ 			enum sync_t s;
+ 
++			/* For debugging. */
++			current_stage = STAGE_INIT;
++
+ 			/* We're in a child and thus need to tell the parent if we die. */
+ 			syncfd = sync_grandchild_pipe[0];
+ 			if (close(sync_grandchild_pipe[1]) < 0)
+@@ -1365,7 +1371,7 @@ void nsexec(void)
+ 		}
+ 		break;
+ 	default:
+-		bail("unknown stage '%d' for jump value", current_stage);
++		bail("unexpected jump value");
+ 	}
+ 
+ 	/* Should never be reached. */
+-- 
+2.27.0
+

patch/0049-runc-nsexec-Check-for-errors-in-write_log.patch

@@ -0,0 +1,48 @@
+From 43397368ee7fd991b8b9cc496055d09413158293 Mon Sep 17 00:00:00 2001
+From: Rodrigo Campos <rodrigoca@microsoft.com>
+Date: Fri, 27 Jan 2023 18:38:30 +0100
+Subject: [PATCH 4/4] nsexec: Check for errors in write_log()
+
+First, check if strdup() fails and error out.
+
+While we are there, the else case was missing brackets, as we only need
+to check ret in the else case. Fix that too
+
+Reference:https://github.com/opencontainers/runc/commit/5ce511d6a65809be3fc58f8e2df585abb9c616d6
+
+Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
+---
+ libcontainer/nsenter/nsexec.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 96bf5b7d..1dfd8613 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -168,15 +168,17 @@ static void write_log(int level, const char *format, ...)
+ 
+ 	message = escape_json_string(message);
+ 
+-	if (current_stage == STAGE_SETUP)
++	if (current_stage == STAGE_SETUP) {
+ 		stage = strdup("nsexec");
+-	else
++		if (stage == NULL)
++			goto out;
++	} else {
+ 		ret = asprintf(&stage, "nsexec-%d", current_stage);
+-	if (ret < 0) {
+-		stage = NULL;
+-		goto out;
++		if (ret < 0) {
++			stage = NULL;
++			goto out;
++		}
+ 	}
+-
+ 	ret = asprintf(&json, "{\"level\":\"%s\", \"msg\": \"%s[%d]: %s\"}\n",
+ 		       level_str[level], stage, getpid(), message);
+ 	if (ret < 0) {
+-- 
+2.27.0
+

patch/0050-runc-increase-the-number-of-cgroup-deletion-retries.patch

@@ -0,0 +1,25 @@
+From 16f5b342ffb42d90e8d7421328709cdc0c3e94d9 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Thu, 21 Dec 2023 19:51:44 +0800
+Subject: [PATCH] runc:increase the number of cgroup deletion retries
+
+---
+ libcontainer/cgroups/utils.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcontainer/cgroups/utils.go b/libcontainer/cgroups/utils.go
+index b32af4e..00191c2 100644
+--- a/libcontainer/cgroups/utils.go
++++ b/libcontainer/cgroups/utils.go
+@@ -268,7 +268,7 @@ func RemovePath(path string) error {
+ // If after all there are not removed cgroups - appropriate error will be
+ // returned.
+ func RemovePaths(paths map[string]string) (err error) {
+-	const retries = 5
++	const retries = 10
+ 	delay := 10 * time.Millisecond
+ 	for i := 0; i < retries; i++ {
+ 		if i != 0 {
+-- 
+2.33.0
+

runc.spec

@@ -3,7 +3,7 @@
 
 Name: docker-runc
 Version: 1.1.3
-Release: 21
+Release: 22
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 
 License: ASL 2.0
@@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 
 %changelog
+* Thu Dec 21 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-22
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync some patches
+
 * Fri Dec 8 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-21
 - Type:bugfix
 - CVE:NA

series.conf

@@ -43,3 +43,8 @@ patch/0042-runc-Handle-kmem.limit_in_bytes-removal.patch
 patch/0043-runc-fix-update-rt-runtime-us-and-rt-period-us-faile.patch
 patch/0044-runc-delete-do-not-ignore-error-from-destroy.patch
 patch/0045-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch
+patch/0046-runc-Fix-File-to-Close.patch
+patch/0047-runc-Fix-tmpfs-mode-opts-when-dir-already-exists.patch
+patch/0048-runc-Fix-undefined-behavior.patch
+patch/0049-runc-nsexec-Check-for-errors-in-write_log.patch
+patch/0050-runc-increase-the-number-of-cgroup-deletion-retries.patch