--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: criu@packages.debian.org, carnil@debian.org
Control: affects -1 + src:criu
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release team,
Please unblock package criu
I realize this is coming now quite during a fragile moment for the
trixie release, with the last unblock requests accepted tomorrow
latest.
[ Reason ]
Today there was a criu/4.1.1 upstream release fixing an important
issue breaking the restore functionality of mount namespaces within
CRIU, which for instance would as well affect users which try to
restore a container. The issue is introduced due to a Linux kernel
change (a security fix, no CVE yet assigned), namely 12f147ddd6de
"do_change_type(): refuse to operate on unmounted/not ours mounts")
which got backported as well to all relevant stable series.
Debian bug: https://bugs.debian.org/1110096
The 4.1.1 is a bugfix release on top of 4.1 with that bugfix, so I
would prefer to take 4.1.1 instread of cherry-picking the commit if
possible. The upstream changes contain as well one single change to
test suite makefile to remove an unused compiler argument.
[ Impact ]
Users for instance restoring containers will encounter the error:
"mnt-v2: Failed to make mount 476 slave: Invalid argument.".
[ Tests ]
Did run the autopkgtest suite with the updated 4.1.1 package. Before
the update with the current trixie kernel 6.12.38-1 various test
indeed fail with the mentioned error. With the update criu package
those are resolved.
In my local autopkgtests the tests passed:
888s integration-tests PASS
888s autodep8-python3 PASS (superficial)
[ Risks ]
Direct upstream change for this targeted critical compatibility issue.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
How do you like me to proceed? I have not uploaded anything yet
waiting for your guidance. If the time is gone for updates, I thin
kthis should go into the first trixie point release and would prepare
a separate update (basically a rebuild of 4.1.1-1 as 4.1.1~deb13u1,
but users updating to trixie will encounter that issue).
unblock criu/4.1.1-1
Regards,
Salvatore
diff -Nru criu-4.1/Makefile.versions criu-4.1.1/Makefile.versions
--- criu-4.1/Makefile.versions 2025-03-25 22:31:33.000000000 +0100
+++ criu-4.1.1/Makefile.versions 2025-07-29 18:10:08.000000000 +0200
@@ -2,7 +2,7 @@
# CRIU version.
CRIU_VERSION_MAJOR := 4
CRIU_VERSION_MINOR := 1
-CRIU_VERSION_SUBLEVEL :=
+CRIU_VERSION_SUBLEVEL := 1
CRIU_VERSION_EXTRA :=
CRIU_VERSION_NAME := CRISCV
CRIU_VERSION := $(CRIU_VERSION_MAJOR)$(if $(CRIU_VERSION_MINOR),.$(CRIU_VERSION_MINOR))$(if $(CRIU_VERSION_SUBLEVEL),.$(CRIU_VERSION_SUBLEVEL))$(if $(CRIU_VERSION_EXTRA),.$(CRIU_VERSION_EXTRA))
diff -Nru criu-4.1/criu/mount-v2.c criu-4.1.1/criu/mount-v2.c
--- criu-4.1/criu/mount-v2.c 2025-03-25 22:31:33.000000000 +0100
+++ criu-4.1.1/criu/mount-v2.c 2025-07-29 18:10:08.000000000 +0200
@@ -927,8 +927,12 @@
static int restore_one_sharing(struct sharing_group *sg, struct mount_info *target)
{
+ int nsfd = -1, orig_nsfd = -1, exit_code = -1;
char target_path[PATH_MAX];
- int target_fd;
+ int target_fd = -1;
+
+ if (!sg->master_id && !sg->shared_id)
+ return 0;
target_fd = fdstore_get(target->mnt_fd_id);
BUG_ON(target_fd < 0);
@@ -943,8 +947,7 @@
first = get_first_mount(sg->parent);
if (move_mount_set_group(first->mnt_fd_id, NULL, target->mnt_fd_id)) {
pr_err("Failed to copy sharing from %d to %d\n", first->mnt_id, target->mnt_id);
- close(target_fd);
- return -1;
+ goto err;
}
} else {
/*
@@ -956,16 +959,23 @@
*/
if (move_mount_set_group(-1, sg->source, target->mnt_fd_id)) {
pr_err("Failed to copy sharing from source %s to %d\n", sg->source, target->mnt_id);
- close(target_fd);
- return -1;
+ goto err;
}
}
+ }
+
+ nsfd = fdstore_get(target->nsid->mnt.nsfd_id);
+ if (nsfd < 0)
+ goto err;
+ if (switch_ns_by_fd(nsfd, &mnt_ns_desc, &orig_nsfd))
+ goto err;
+
+ if (sg->master_id) {
/* Convert shared_id to master_id */
if (mount(NULL, target_path, NULL, MS_SLAVE, NULL)) {
pr_perror("Failed to make mount %d slave", target->mnt_id);
- close(target_fd);
- return -1;
+ goto err;
}
}
@@ -973,13 +983,16 @@
if (sg->shared_id) {
if (mount(NULL, target_path, NULL, MS_SHARED, NULL)) {
pr_perror("Failed to make mount %d shared", target->mnt_id);
- close(target_fd);
- return -1;
+ goto err;
}
}
- close(target_fd);
-
- return 0;
+ exit_code = 0;
+err:
+ close_safe(&target_fd);
+ close_safe(&nsfd);
+ if (orig_nsfd >= 0 && restore_ns(orig_nsfd, &mnt_ns_desc))
+ exit_code = -1;
+ return exit_code;
}
static int restore_one_sharing_group(struct sharing_group *sg)
diff -Nru criu-4.1/debian/changelog criu-4.1.1/debian/changelog
--- criu-4.1/debian/changelog 2025-03-27 23:23:08.000000000 +0100
+++ criu-4.1.1/debian/changelog 2025-07-29 20:37:31.000000000 +0200
@@ -1,3 +1,11 @@
+criu (4.1.1-1) unstable; urgency=medium
+
+ * New upstream version 4.1.1
+ - mount-v2: enter the mount namesapce to propagation properties
+ (Closes: #1110096)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 29 Jul 2025 20:37:31 +0200
+
criu (4.1-1) unstable; urgency=medium
* Upload to unstable
diff -Nru criu-4.1/test/zdtm/Makefile.inc criu-4.1.1/test/zdtm/Makefile.inc
--- criu-4.1/test/zdtm/Makefile.inc 2025-03-25 22:31:33.000000000 +0100
+++ criu-4.1.1/test/zdtm/Makefile.inc 2025-07-29 18:10:08.000000000 +0200
@@ -76,7 +76,7 @@
%.d: %.c
$(E) " DEP " $@
- $(Q)$(CC) $(CFLAGS) $(CPPFLAGS) -MM -MP -c $< -o $@
+ $(Q)$(CC) $(CFLAGS) $(CPPFLAGS) -MM -MP $< -o $@
%.o: %.c | %.d
$(E) " CC " $@
--- End Message ---