Prefer close() to shutdown()

DemiMarie · DemiMarie · commit a3bbcb5f4314 · 2024-04-29T21:18:52.000-04:00
There is no need for stdin_fd and stdout_fd to be distinct file descriptors, so long as the code is careful to not close a file descriptor that is still in use. This extra care allows for close() to be used in preference to shutdown(), unless the same socket is being used for both stdin and stdout. close() has the advantage that it does not interfere with other users of the same file description, which allows the "was this inherited from another process?" hack to be eliminated. Instead, use the file descriptor number to determine whether blocking mode needs to be restored - it only needs to be restored for inherited file descriptors. To avoid lots of error-prone boilerplate, use a single function to close stdin_fd or stdout_fd, and wrap it with macros that select the right one to use. These macros also pass the correct argument for shutdown(2) and set the just-closed FD to -1, eliminating a nasty potential source of bugs. The function automatically chooses between close(2) and shutdown(2) based on whether the two file descriptor arguments it is passed are identical, ensuring that shutdown(2) is only used if needed. Furthermore, the function knows (based on the file descriptor number) if the file descriptor was inherited from another process, and therefore whether it needs to be restored to blocking mode. This also avoids making a file descriptor blocking while still in use. Since the code now knows if stdin and stdout use the same file descriptor, it can avoid setting the blocking flag on a file descriptor that is still in use, which could cause a deadlock. This works in every case except where both stdin and stdout are passed from a parent process and share a file description. git blame points to commit 0802df7 ("Factor out process_child_io"), but I suspect the actual bug dates back as far as the introduction of socket-based services in 76697e3 ("Working socket-based qrexec").
diff --git a/libqrexec/process_io.c b/libqrexec/process_io.c
@@ -40,45 +40,24 @@ static _Noreturn void handle_vchan_error(const char *op)
 /*
  * Closing the file descriptors:
  *
- * - Use shutdown(), except if this is a FD inherited from parent (detected by
- *   FD number)
- * - Restore blocking status, unless this is a duplicated stdio socket for
- *   stdout/stderr (in which case we can't restore it just for one FD, but we
- *   don't care, because we created it)
+ * - If this is a single socket used for both stdin and stdout, call shutdown()
+ *   to indicate that no more data will be sent or received.
+ * - Otherwise, restore the blocking status of the FD.
  */
-
-static void close_stdin(int fd, bool restore_block) {
+static void close_stdio(int fd, int other_fd, int direction) {
     if (fd == -1)
         return;
-
-    if (restore_block)
-        set_block(fd);
-
-    if (fd == 1) {
-        close(fd);
-    } else if (shutdown(fd, SHUT_WR) == -1) {
-        if (errno == ENOTSOCK)
-            close(fd);
-        else
-            PERROR("shutdown close_stdin");
-    }
-}
-
-static void close_stdout(int fd, bool restore_block) {
-    if (fd == -1)
+    if (fd == other_fd) {
+        /* Do not close the FD, as it is still in use. */
+        /* ENOTCONN can happen with TCP and is harmless */
+        if (shutdown(fd, direction) == -1 && errno != ENOTSOCK && errno != ENOTCONN)
+            PERROR("shutdown");
         return;
+    }
 
-    if (restore_block)
+    if (fd < 3)
         set_block(fd);
-
-    if (fd == 0) {
-        close(fd);
-    } else if (shutdown(fd, SHUT_RD) == -1) {
-        if (errno == ENOTSOCK)
-            close(fd);
-        else if (errno != ENOTCONN) /* can happen with TCP, harmless */
-            PERROR("shutdown close_stdout");
-    }
+    close(fd);
 }
 
 static void close_stderr(int fd) {
@@ -116,8 +95,6 @@ int process_io(const struct process_io_request *req) {
     pid_t local_status = -1;
     pid_t remote_status = -1;
     int stdout_msg_type = is_service ? MSG_DATA_STDOUT : MSG_DATA_STDIN;
-    bool use_stdio_socket = false;
-
     int ret;
     struct pollfd fds[FD_NUM];
     sigset_t pollmask;
@@ -133,11 +110,20 @@ int process_io(const struct process_io_request *req) {
     set_nonblock(stdin_fd);
     if (stdout_fd != stdin_fd)
         set_nonblock(stdout_fd);
-    else if ((stdout_fd = fcntl(stdin_fd, F_DUPFD_CLOEXEC, 3)) < 0)
-        abort(); // not worth handling running out of file descriptors
     if (stderr_fd >= 0)
         set_nonblock(stderr_fd);
 
+    /* Convenience macros that eliminate a ton of error-prone boilerplate */
+#define close_stdin() do {                      \
+    close_stdio(stdin_fd, stdout_fd, SHUT_WR);  \
+    stdin_fd = -1;                              \
+} while (0)
+#define close_stdout() do {                     \
+    close_stdio(stdout_fd, stdin_fd, SHUT_RD);  \
+    stdout_fd = -1;                             \
+} while (0)
+#pragma GCC poison close_stdio
+
     while(1) {
         /* React to SIGCHLD */
         if (*sigchld) {
@@ -147,10 +133,7 @@ int process_io(const struct process_io_request *req) {
                     local_status = 128 + WTERMSIG(status);
                 else
                     local_status = WEXITSTATUS(status);
-                if (stdin_fd >= 0) {
-                    close_stdin(stdin_fd, !use_stdio_socket);
-                    stdin_fd = -1;
-                }
+                close_stdin();
             }
             *sigchld = 0;
         }
@@ -193,24 +176,9 @@ int process_io(const struct process_io_request *req) {
         }
 
         /* child signaled desire to use single socket for both stdin and stdout */
-        if (sigusr1 && *sigusr1) {
-            if (stdout_fd != -1) {
-                do
-                    errno = 0;
-                while (dup3(stdin_fd, stdout_fd, O_CLOEXEC) &&
-                       (errno == EINTR || errno == EBUSY));
-                // other errors are fatal
-                if (errno) {
-                    PERROR("dup3");
-                    abort();
-                }
-            } else {
-                stdout_fd = fcntl(stdin_fd, F_DUPFD_CLOEXEC, 3);
-                // all errors are fatal
-                if (stdout_fd < 3)
-                    abort();
-            }
-            use_stdio_socket = true;
+        if (sigusr1 && *sigusr1 && stdin_fd != stdout_fd) {
+            close_stdout();
+            stdout_fd = stdin_fd;
             *sigusr1 = 0;
         }
 
@@ -263,10 +231,8 @@ int process_io(const struct process_io_request *req) {
             if (libvchan_wait(vchan) < 0)
                 handle_vchan_error("wait");
 
-        if (stdin_fd >= 0 && fds[FD_STDIN].revents & (POLLHUP | POLLERR)) {
-            close_stdin(stdin_fd, !use_stdio_socket);
-            stdin_fd = -1;
-        }
+        if (fds[FD_STDIN].revents & (POLLHUP | POLLERR))
+            close_stdin();
 
         /* handle_remote_data will check if any data is available */
         switch (handle_remote_data(
@@ -281,16 +247,14 @@ int process_io(const struct process_io_request *req) {
                 handle_vchan_error("read");
                 break;
             case REMOTE_EOF:
-                close_stdin(stdin_fd, !use_stdio_socket);
-                stdin_fd = -1;
+                close_stdin();
                 break;
             case REMOTE_EXITED:
                 /* Remote process exited, we don't need any more data from
                  * local FDs. However, don't exit yet, because there might
                  * still be some data in stdin_buf waiting to be flushed.
                  */
-                close_stdout(stdout_fd, !use_stdio_socket);
-                stdout_fd = -1;
+                close_stdout();
                 close_stderr(stderr_fd);
                 stderr_fd = -1;
                 break;
@@ -303,8 +267,7 @@ int process_io(const struct process_io_request *req) {
                     handle_vchan_error("send(handle_input stdout)");
                     break;
                 case REMOTE_EOF:
-                    close_stdout(stdout_fd, !use_stdio_socket);
-                    stdout_fd = -1;
+                    close_stdout();
                     break;
             }
         }
@@ -324,8 +287,8 @@ int process_io(const struct process_io_request *req) {
     }
     /* make sure that all the pipes/sockets are closed, so the child process
      * (if any) will know that the connection is terminated */
-    close_stdin(stdin_fd, true);
-    close_stdout(stdout_fd, true);
+    close_stdin();
+    close_stdout();
     close_stderr(stderr_fd);
 
     /* wait for local process, in case we exited early */
