blockdev: Fix loopback device resource leak on signal interruption

gursewak1997 · gursewak1997 · commit 70c2b770e756 · 2025-07-10T22:43:21.000-07:00
This commit implements creating a signal-safe cleanup helper
for loopback devices to prevent resource leaks when bootc install
--via-loopback is interrupted by signals like SIGINT (Ctrl-C).

The solution uses an 'out-of-process drop' helper that:
- Forks a cleanup helper process when creating a loopback device
- Uses PR_SET_PDEATHSIG to detect when the parent process dies
- Masks most signals to avoid being killed accidentally
- Automatically cleans up leaked loopback devices if the parent dies
- Gracefully terminates when the parent performs normal cleanup

This prevents the common issue where interrupting bootc install
--via-loopback with Ctrl-C would leave /dev/loopN devices allocated
on the system.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/blockdev/Cargo.toml b/blockdev/Cargo.toml
@@ -13,13 +13,15 @@ anyhow = { workspace = true }
 bootc-utils = { path = "../utils" }
 camino = { workspace = true, features = ["serde1"] }
 fn-error-context = { workspace = true }
+libc = { workspace = true }
 regex = "1.10.4"
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 tracing = { workspace = true }
 
 [dev-dependencies]
 indoc = "2.0.5"
+tempfile = { workspace = true }
 
 [lib]
 path = "src/blockdev.rs"
diff --git a/blockdev/src/blockdev.rs b/blockdev/src/blockdev.rs
@@ -181,6 +181,14 @@ pub fn partitions_of(dev: &Utf8Path) -> Result<PartitionTable> {
 
 pub struct LoopbackDevice {
     pub dev: Option<Utf8PathBuf>,
+    // Handle to the cleanup helper process
+    cleanup_handle: Option<LoopbackCleanupHandle>,
+}
+
+/// Handle to manage the cleanup helper process for loopback devices
+struct LoopbackCleanupHandle {
+    /// Process ID of the cleanup helper
+    helper_pid: u32,
 }
 
 impl LoopbackDevice {
@@ -208,7 +216,19 @@ impl LoopbackDevice {
             .run_get_string()?;
         let dev = Utf8PathBuf::from(dev.trim());
         tracing::debug!("Allocated loopback {dev}");
-        Ok(Self { dev: Some(dev) })
+
+        // Try to spawn cleanup helper process - if it fails, continue without it
+        let cleanup_handle = Self::spawn_cleanup_helper(dev.as_str())
+            .map_err(|e| {
+                tracing::warn!("Failed to spawn loopback cleanup helper: {}, continuing without signal protection", e);
+                e
+            })
+            .ok();
+
+        Ok(Self {
+            dev: Some(dev),
+            cleanup_handle,
+        })
     }
 
     // Access the path to the loopback block device.
@@ -217,13 +237,173 @@ impl LoopbackDevice {
         self.dev.as_deref().unwrap()
     }
 
+    /// Spawn a cleanup helper process that will clean up the loopback device
+    /// if the parent process dies unexpectedly
+    fn spawn_cleanup_helper(device_path: &str) -> Result<LoopbackCleanupHandle> {
+        let device_path = device_path.to_string();
+
+        // Fork the cleanup helper process
+        match unsafe { libc::fork() } {
+            -1 => anyhow::bail!("Failed to fork cleanup helper process"),
+            0 => {
+                // Child process - this will be the cleanup helper
+                // This function will not return
+                Self::cleanup_helper_main(device_path);
+            }
+            child_pid => {
+                // Parent process
+                Ok(LoopbackCleanupHandle {
+                    helper_pid: child_pid as u32,
+                })
+            }
+        }
+    }
+
+    /// Main function for the cleanup helper process
+    /// This function does not return - it either exits normally or via exec
+    fn cleanup_helper_main(device_path: String) -> ! {
+        // Close stdin, stdout, stderr and other inherited file descriptors
+        unsafe {
+            for fd in 0..=2 {
+                libc::close(fd);
+            }
+            // Redirect to /dev/null in case something tries to write
+            let null_fd = libc::open(b"/dev/null\0".as_ptr() as *const i8, libc::O_RDWR);
+            if null_fd >= 0 {
+                libc::dup2(null_fd, 0);
+                libc::dup2(null_fd, 1);
+                libc::dup2(null_fd, 2);
+                if null_fd > 2 {
+                    libc::close(null_fd);
+                }
+            }
+        }
+
+        // Set up death signal notification - we want to be notified when parent dies
+        unsafe {
+            if libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGUSR1) != 0 {
+                std::process::exit(1);
+            }
+        }
+
+        // Mask most signals to avoid being killed accidentally
+        // But leave SIGUSR1 unmasked so we can receive the death notification
+        unsafe {
+            let mut sigset: libc::sigset_t = std::mem::zeroed();
+            libc::sigfillset(&mut sigset);
+            // Don't mask SIGKILL, SIGSTOP (can't be masked anyway), or our death signal
+            libc::sigdelset(&mut sigset, libc::SIGKILL);
+            libc::sigdelset(&mut sigset, libc::SIGSTOP);
+            libc::sigdelset(&mut sigset, libc::SIGUSR1); // We'll use SIGUSR1 as our death signal
+
+            if libc::pthread_sigmask(libc::SIG_SETMASK, &sigset, std::ptr::null_mut()) != 0 {
+                let err = std::io::Error::last_os_error();
+                tracing::error!("pthread_sigmask failed: {}", err);
+                std::process::exit(1);
+            }
+        }
+
+        // Wait for death signal or normal termination
+        let mut siginfo: libc::siginfo_t = unsafe { std::mem::zeroed() };
+        let sigset = {
+            let mut sigset: libc::sigset_t = unsafe { std::mem::zeroed() };
+            unsafe {
+                libc::sigemptyset(&mut sigset);
+                libc::sigaddset(&mut sigset, libc::SIGUSR1);
+                libc::sigaddset(&mut sigset, libc::SIGTERM); // Also listen for SIGTERM (normal cleanup)
+            }
+            sigset
+        };
+
+        // Wait for a signal
+        let result = unsafe {
+            let result = libc::sigwaitinfo(&sigset, &mut siginfo);
+            if result == -1 {
+                let err = std::io::Error::last_os_error();
+                tracing::error!("sigwaitinfo failed: {}", err);
+                std::process::exit(1);
+            }
+            result
+        };
+
+        if result > 0 {
+            if siginfo.si_signo == libc::SIGUSR1 {
+                // Parent died unexpectedly, clean up the loopback device
+                let status = std::process::Command::new("losetup")
+                    .args(["-d", &device_path])
+                    .status();
+
+                match status {
+                    Ok(exit_status) if exit_status.success() => {
+                        // Write to stderr since we closed stdout
+                        let _ = std::io::Write::write_all(
+                            &mut std::io::stderr(),
+                            format!("bootc: cleaned up leaked loopback device {}\n", device_path)
+                                .as_bytes(),
+                        );
+                        std::process::exit(0);
+                    }
+                    Ok(_) => {
+                        let _ = std::io::Write::write_all(
+                            &mut std::io::stderr(),
+                            format!(
+                                "bootc: failed to clean up loopback device {}\n",
+                                device_path
+                            )
+                            .as_bytes(),
+                        );
+                        std::process::exit(1);
+                    }
+                    Err(e) => {
+                        let _ = std::io::Write::write_all(
+                            &mut std::io::stderr(),
+                            format!(
+                                "bootc: error cleaning up loopback device {}: {}\n",
+                                device_path, e
+                            )
+                            .as_bytes(),
+                        );
+                        std::process::exit(1);
+                    }
+                }
+            } else if siginfo.si_signo == libc::SIGTERM {
+                // Normal cleanup signal from parent
+                std::process::exit(0);
+            }
+        }
+
+        // If we get here, something went wrong
+        std::process::exit(1);
+    }
+
     // Shared backend for our `close` and `drop` implementations.
     fn impl_close(&mut self) -> Result<()> {
         // SAFETY: This is the only place we take the option
         let Some(dev) = self.dev.take() else {
             tracing::trace!("loopback device already deallocated");
             return Ok(());
         };
+
+        // Kill the cleanup helper since we're cleaning up normally
+        if let Some(cleanup_handle) = self.cleanup_handle.take() {
+            // Kill the helper process since we're doing normal cleanup
+            unsafe {
+                if libc::kill(cleanup_handle.helper_pid as i32, libc::SIGTERM) != 0 {
+                    let err = std::io::Error::last_os_error();
+                    tracing::warn!("kill failed: {}", err);
+                }
+            }
+            // Wait for it to exit (non-blocking)
+            unsafe {
+                let mut status = 0;
+                if libc::waitpid(cleanup_handle.helper_pid as i32, &mut status, libc::WNOHANG) == -1
+                {
+                    let err = std::io::Error::last_os_error();
+                    tracing::warn!("waitpid failed: {}", err);
+                }
+            }
+        }
+
         Command::new("losetup").args(["-d", dev.as_str()]).run()
     }
 
@@ -389,4 +569,60 @@ mod test {
         );
         Ok(())
     }
+
+    #[test]
+    fn test_loopback_device_with_cleanup_helper() -> Result<()> {
+        // Only run this test if we have permissions and losetup is available
+        if !std::path::Path::new("/usr/bin/losetup").exists()
+            && !std::path::Path::new("/sbin/losetup").exists()
+        {
+            eprintln!("Skipping loopback test: losetup not found");
+            return Ok(());
+        }
+
+        // Check if we can run as root or have the necessary capabilities
+        if unsafe { libc::geteuid() } != 0 {
+            eprintln!("Skipping loopback test: requires root privileges");
+            return Ok(());
+        }
+
+        // Create a temporary file to use as the loopback backing store
+        let mut temp_file = tempfile::NamedTempFile::new()?;
+
+        // Write some data to make it a valid file
+        {
+            use std::io::Write;
+            // Create a 10MB file
+            let data = vec![0u8; 10 * 1024 * 1024];
+            temp_file.write_all(&data)?;
+            temp_file.flush()?;
+        }
+
+        // Convert to TempPath so we control when it gets deleted
+        let temp_path = temp_file.into_temp_path();
+
+        // Test creating and cleaning up a loopback device
+        let loopback = LoopbackDevice::new(&temp_path)?;
+        let device_path = loopback.path().to_string();
+
+        // Verify the device was created
+        assert!(device_path.starts_with("/dev/loop"));
+        assert!(std::path::Path::new(&device_path).exists());
+
+        // Verify we have a cleanup handle
+        assert!(
+            loopback.cleanup_handle.is_some(),
+            "Cleanup helper should be spawned"
+        );
+
+        // Explicitly close the loopback device to test cleanup
+        loopback.close()?;
+
+        // Give a moment for cleanup to happen
+        std::thread::sleep(std::time::Duration::from_millis(100));
+
+        // TempPath will be automatically deleted when dropped at end of scope
+
+        Ok(())
+    }
 }
