Bug#1111969: bookworm-pu: package criu/3.17.1-2+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: criu@packages.debian.org, carnil@debian.org
Control: affects -1 + src:criu
User: release.debian.org@packages.debian.org
Usertags: pu
Hi Stable release managers,
[ Reason ]
There was a Linux upstream change, cf. #1110099 for the unblock
request for trixie, and #1110096 for the tracking bug in general,
which was breaking the restore functionality of mount namespaces
within CRIU. The issue is introduced due to a Linux kernel
change (a security fix, no CVE yet assigned), namely 12f147ddd6de
"do_change_type(): refuse to operate on unmounted/not ours mounts")
which got backported as well to all relevant stable series and so
landed in the end as well in the last bookworm update for src:linux.
[ Impact ]
Users for instance restoring containers will encounter the error:
"mnt-v2: Failed to make mount 476 slave: Invalid argument.".
[ Tests ]
Unfortunately we do not have the extensive tests running via
autopkgtests for criu in bookworm. But I did manually run the
tests before and after patching (and manually tweaking the environment
in the VM bootstrapped to run the tests):
./zdtm.py run --criu-bin=/usr/sbin/criu --crit-bin=/usr/bin/crit --keep-going -a -x apparmor_stacking -x fd01 -x netns_lock_iptables
with only two remaining failures, but we never did a full run of those, and
one of the failing ones is the unpatched test for the rseq issue.
With unpatched criu the summary is:
################## 168 TEST(S) FAILED (TOTAL 197/SKIPPED 16) ###################
* zdtm/static/socket-tcp-fin-wait1(uns)
* zdtm/static/fpu03(ns)
* zdtm/static/maps05(uns)
* zdtm/static/tun_ns(uns)
* zdtm/static/maps09(ns)
* zdtm/static/socket-tcp6-last-ack(ns)
* zdtm/static/scm04(uns)
* zdtm/static/sockets01(ns)
* zdtm/static/scm00(uns)
* zdtm/static/socket_dgram_data(ns)
* zdtm/static/session00(uns)
* zdtm/static/sse20(uns)
* zdtm/static/socket-tcp-listen(ns)
* zdtm/static/socket-tcp4v6-local(uns)
* zdtm/static/pipe02(ns)
* zdtm/static/stopped02(ns)
* zdtm/static/mntns_rw_ro_rw(uns)
* zdtm/static/unhashed_proc(ns)
* zdtm/static/tty03(uns)
* zdtm/static/sk-unix-unconn(ns)
* zdtm/static/socket-tcp-reseted(uns)
* zdtm/static/posix_timers(uns)
* zdtm/static/file_cloexec(uns)
* zdtm/static/socket-tcp4v6-closing(uns)
* zdtm/static/stopped01(uns)
* zdtm/static/caps00(uns)
* zdtm/static/futex-rl(uns)
* zdtm/static/maps02(uns)
* zdtm/static/stopped(uns)
* zdtm/static/vdso02(ns)
* zdtm/static/scm02(ns)
* zdtm/static/sigaltstack(uns)
* zdtm/static/maps10(ns)
* zdtm/static/busyloop00(ns)
* zdtm/static/sleeping00(ns)
* zdtm/static/sk-netlink(ns)
* zdtm/static/timerfd(ns)
* zdtm/static/xids00(ns)
* zdtm/static/socket-tcp-reuseport(uns)
* zdtm/static/socket_aio(ns)
* zdtm/static/socket-tcp-closed(uns)
* zdtm/static/packet_sock(ns)
* zdtm/static/fanotify00(ns)
* zdtm/static/socket-tcp-syn-sent(ns)
* zdtm/static/fpu00(uns)
* zdtm/static/sockets01-seqpacket(uns)
* zdtm/static/socket-dump-tcp-close(uns)
* zdtm/static/dumpable02(ns)
* zdtm/static/socket-tcp-skip-in-flight(uns)
* zdtm/static/pipe00(ns)
* zdtm/static/maps04(ns)
* zdtm/static/mlock_setuid(ns)
* zdtm/static/socket-tcp4v6-close-wait(ns)
* zdtm/static/sched_policy00(ns)
* zdtm/static/pid00(uns)
* zdtm/static/socket-tcp4v6-fin-wait1(ns)
* zdtm/static/sock_opts02(ns)
* zdtm/static/scm01(uns)
* zdtm/static/shm-mp(uns)
* zdtm/static/socket_close_data(ns)
* zdtm/static/netns-dev(uns)
* zdtm/static/msgque(ns)
* zdtm/static/tty02(uns)
* zdtm/static/remap_dead_pid_root(ns)
* zdtm/static/shm(ns)
* zdtm/static/rlimits00(uns)
* zdtm/static/socket_queues_seqpacket(ns)
* zdtm/static/unbound_sock(ns)
* zdtm/static/mountpoints(ns)
* zdtm/static/pstree(ns)
* zdtm/static/session01(uns)
* zdtm/static/clean_mntns(ns)
* zdtm/static/scm05(ns)
* zdtm/static/wait00(uns)
* zdtm/static/scm06(ns)
* zdtm/static/stopped12(uns)
* zdtm/static/fpu02(uns)
* zdtm/static/ipc_namespace(ns)
* zdtm/static/sock_filter01(uns)
* zdtm/static/pipe01(ns)
* zdtm/static/sockets02(uns)
* zdtm/static/sockets_spair(ns)
* zdtm/static/vdso01(uns)
* zdtm/static/selfexe00(ns)
* zdtm/static/pty03(uns)
* zdtm/static/pthread01(ns)
* zdtm/static/socket-tcp-close2(uns)
* zdtm/static/socket-raw(ns)
* zdtm/static/mmx00(ns)
* zdtm/static/socket-tcp-close-wait(ns)
* zdtm/static/vdso-proxy(uns)
* zdtm/static/pty02(uns)
* zdtm/static/socket-tcp-close0(uns)
* zdtm/static/sockets02-seqpacket(uns)
* zdtm/static/utsname(ns)
* zdtm/static/socket-tcp-closed-last-ack(ns)
* zdtm/static/fpu01(ns)
* zdtm/static/socket6_udp(ns)
* zdtm/static/pthread_timers(ns)
* zdtm/static/socket-tcp-last-ack(ns)
* zdtm/static/socket-tcp6-fin-wait1(ns)
* zdtm/static/socket_listen(uns)
* zdtm/static/sse00(ns)
* zdtm/static/socket-tcp-local(uns)
* zdtm/static/socket-tcp6-closing(ns)
* zdtm/static/groups(uns)
* zdtm/static/socket-tcp4v6-last-ack(ns)
* zdtm/static/pty04(uns)
* zdtm/static/vdso00(uns)
* zdtm/static/socket-tcp-unconn(ns)
* zdtm/static/pdeath_sig(ns)
* zdtm/static/socket_listen6(ns)
* zdtm/static/socket-tcp-close1(uns)
* zdtm/static/sk-freebind(uns)
* zdtm/static/socket-tcp6-local(uns)
* zdtm/static/sched_prio00(ns)
* zdtm/static/socket-tcp-fin-wait2(uns)
* zdtm/static/sigpending(uns)
* zdtm/static/sem(ns)
* zdtm/static/scm03(uns)
* zdtm/static/zombie00(ns)
* zdtm/static/socket_queues(ns)
* zdtm/static/socket-linger(ns)
* zdtm/static/socket-tcp6-closed(uns)
* zdtm/static/socket_listen4v6(uns)
* zdtm/static/socket-tcp-closing(ns)
* zdtm/static/sk-freebind-false(ns)
* zdtm/static/socket_udp-broadcast(ns)
* zdtm/static/netns(uns)
* zdtm/static/dumpable01(ns)
* zdtm/static/child_opened_proc(ns)
* zdtm/static/epoll01(ns)
* zdtm/static/packet_sock_mmap(uns)
* zdtm/static/remap_dead_pid(uns)
* zdtm/static/pty00(uns)
* zdtm/static/futex(ns)
* zdtm/static/packet_sock_spkt(uns)
* zdtm/static/socket-tcp4v6-closed(uns)
* zdtm/static/socket-tcp6-unconn(uns)
* zdtm/static/sock_filter00(uns)
* zdtm/static/zombie01(uns)
* zdtm/static/epoll(uns)
* zdtm/static/maps01(ns)
* zdtm/static/socket-tcp6-close-wait(uns)
* zdtm/static/sock_opts00(uns)
* zdtm/static/socket-tcp6-fin-wait2(uns)
* zdtm/static/socket-tcp-keepalive(ns)
* zdtm/static/socket_udplite(ns)
* zdtm/static/timers(uns)
* zdtm/static/inotify_irmap(uns)
* zdtm/static/sk-unix-unconn-seqpacket(ns)
* zdtm/static/socket_udp(ns)
* zdtm/static/mprotect00(uns)
* zdtm/static/pty01(uns)
* zdtm/static/rseq00(h)
* zdtm/static/sockets_spair_seqpacket(ns)
* zdtm/static/cow00(ns)
* zdtm/static/sock_opts01(uns)
* zdtm/static/scm03-seqpacket(uns)
* zdtm/static/proc-self(ns)
* zdtm/static/tty00(uns)
* zdtm/static/pthread00(uns)
* zdtm/static/signalfd00(ns)
* zdtm/static/socket-tcpbuf6-local(uns)
* zdtm/static/socket_udp_shutdown(uns)
* zdtm/static/socket-tcp4v6-fin-wait2(ns)
* zdtm/static/socket-tcpbuf-local(uns)
* zdtm/static/eventfs00(ns)
With patched criu the summary is:
################### 2 TEST(S) FAILED (TOTAL 197/SKIPPED 16) ####################
* zdtm/static/clean_mntns(ns)
* zdtm/static/rseq00(h)
The situation generally is much better in trixie with criu, and
personally for cases where criu is used I would encourage to move to
trixie sooner, but with the patched criu at least things should be
back to ok again.
[ Risks ]
Patching the older code base, but with the test results I got some
confidence it is good.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Applied the upstream patch to deal with the LInux change and enter the
correct mount namespace before attempting to restore mount propagation
properties for a mount.
[ Other info ]
None, the change though was exposed in trixie now because the unblock
was thankfully been accepted last minute for the trixie release. No
regresssions reports so far.
Regards,
Salvatore
diff -Nru criu-3.17.1/debian/changelog criu-3.17.1/debian/changelog
--- criu-3.17.1/debian/changelog 2024-11-20 13:16:31.000000000 +0100
+++ criu-3.17.1/debian/changelog 2025-08-24 15:12:30.000000000 +0200
@@ -1,3 +1,10 @@
+criu (3.17.1-2+deb12u2) bookworm; urgency=medium
+
+ * mount-v2: enter the mount namesapce to propagation properties
+ (Closes: #1110096)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 24 Aug 2025 15:12:30 +0200
+
criu (3.17.1-2+deb12u1) bookworm; urgency=medium
* cr-restore: rseq: dynamically handle *libc with rseq (Closes: #1081683)
diff -Nru criu-3.17.1/debian/patches/mount-v2-enter-the-mount-namesapce-to-propagation-pr.patch criu-3.17.1/debian/patches/mount-v2-enter-the-mount-namesapce-to-propagation-pr.patch
--- criu-3.17.1/debian/patches/mount-v2-enter-the-mount-namesapce-to-propagation-pr.patch 1970-01-01 01:00:00.000000000 +0100
+++ criu-3.17.1/debian/patches/mount-v2-enter-the-mount-namesapce-to-propagation-pr.patch 2025-08-24 15:12:30.000000000 +0200
@@ -0,0 +1,101 @@
+From 570621a48a81664a37a97f38d0ed65c1c0f56110 Mon Sep 17 00:00:00 2001
+From: Andrei Vagin <avagin@gmail.com>
+Date: Fri, 25 Jul 2025 00:05:06 +0000
+Subject: [PATCH] mount-v2: enter the mount namesapce to propagation properties
+
+A kernel change (commit 12f147ddd6de, "do_change_type(): refuse to
+operate on unmounted/not ours mounts") modified how mount propagation
+properties can be changed. Previously, these properties could be changed
+from any mount namespace. Now, they can only be modified from the
+specific mount namespace where the target mount is actually mounted
+
+This commit addresses this new restriction by ensuring that CRIU enters the
+correct mount namespace before attempting to restore mount propagation
+properties (MS_SLAVE or MS_SHARED) for a mount.
+
+Signed-off-by: Andrei Vagin <avagin@gmail.com>
+---
+ criu/mount-v2.c | 37 +++++++++++++++++++++++++------------
+ 1 file changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/criu/mount-v2.c b/criu/mount-v2.c
+index 5d53e9a22682..cdebc831828a 100644
+--- a/criu/mount-v2.c
++++ b/criu/mount-v2.c
+@@ -927,8 +927,12 @@ static int move_mount_set_group(int src_id, char *source, int dst_id)
+
+ static int restore_one_sharing(struct sharing_group *sg, struct mount_info *target)
+ {
++ int nsfd = -1, orig_nsfd = -1, exit_code = -1;
+ char target_path[PATH_MAX];
+- int target_fd;
++ int target_fd = -1;
++
++ if (!sg->master_id && !sg->shared_id)
++ return 0;
+
+ target_fd = fdstore_get(target->mnt_fd_id);
+ BUG_ON(target_fd < 0);
+@@ -943,8 +947,7 @@ static int restore_one_sharing(struct sharing_group *sg, struct mount_info *targ
+ first = get_first_mount(sg->parent);
+ if (move_mount_set_group(first->mnt_fd_id, NULL, target->mnt_fd_id)) {
+ pr_err("Failed to copy sharing from %d to %d\n", first->mnt_id, target->mnt_id);
+- close(target_fd);
+- return -1;
++ goto err;
+ }
+ } else {
+ /*
+@@ -956,16 +959,23 @@ static int restore_one_sharing(struct sharing_group *sg, struct mount_info *targ
+ */
+ if (move_mount_set_group(-1, sg->source, target->mnt_fd_id)) {
+ pr_err("Failed to copy sharing from source %s to %d\n", sg->source, target->mnt_id);
+- close(target_fd);
+- return -1;
++ goto err;
+ }
+ }
++ }
++
++ nsfd = fdstore_get(target->nsid->mnt.nsfd_id);
++ if (nsfd < 0)
++ goto err;
++
++ if (switch_ns_by_fd(nsfd, &mnt_ns_desc, &orig_nsfd))
++ goto err;
+
++ if (sg->master_id) {
+ /* Convert shared_id to master_id */
+ if (mount(NULL, target_path, NULL, MS_SLAVE, NULL)) {
+ pr_perror("Failed to make mount %d slave", target->mnt_id);
+- close(target_fd);
+- return -1;
++ goto err;
+ }
+ }
+
+@@ -973,13 +983,16 @@ static int restore_one_sharing(struct sharing_group *sg, struct mount_info *targ
+ if (sg->shared_id) {
+ if (mount(NULL, target_path, NULL, MS_SHARED, NULL)) {
+ pr_perror("Failed to make mount %d shared", target->mnt_id);
+- close(target_fd);
+- return -1;
++ goto err;
+ }
+ }
+- close(target_fd);
+-
+- return 0;
++ exit_code = 0;
++err:
++ close_safe(&target_fd);
++ close_safe(&nsfd);
++ if (orig_nsfd >= 0 && restore_ns(orig_nsfd, &mnt_ns_desc))
++ exit_code = -1;
++ return exit_code;
+ }
+
+ static int restore_one_sharing_group(struct sharing_group *sg)
+--
+2.50.1
+
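Review bot: In the patched restore_one_sharing(), the new `if (nsfd < 0) goto err;` path returns -1 without logging anything, while the other failure paths shown report through pr_err()/pr_perror(), so a restore that fails here gives the operator no hint which mount was involved. Suggest adding `pr_err("Failed to get mount namespace fd for mount %d\n", target->mnt_id);` before that goto, and the same for the switch_ns_by_fd() failure unless that helper already logs (its body is not visible here). A short comment above the switch, e.g. `/* Propagation can only be changed from the mount's own mount namespace (kernel commit 12f147ddd6de) */`, would record why the namespace is entered. Note also that when restore_ns() fails the function returns -1 with the process possibly still in the target mount namespace, so callers should treat that return as fatal rather than continue restoring. Parts of the function between the inner hunks, such as where target_path is built, are not shown in this patch.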
diff -Nru criu-3.17.1/debian/patches/series criu-3.17.1/debian/patches/series
--- criu-3.17.1/debian/patches/series 2024-11-20 13:16:31.000000000 +0100
+++ criu-3.17.1/debian/patches/series 2025-08-24 15:12:30.000000000 +0200
@@ -2,3 +2,4 @@
mount-add-definition-for-FSOPEN_CLOEXEC.patch
cr-restore-rseq-dynamically-handle-libc-with-rseq.patch
cr-restore-rseq-use-glibc-specific-way-to-unregister.patch
+mount-v2-enter-the-mount-namesapce-to-propagation-pr.patch