From 40fd67a5303214be8a6aeb30e4f30735dcaf3094 Mon Sep 17 00:00:00 2001
From: y00316549 <yangshukui@huawei.com>
Date: Thu, 11 Jan 2018 20:16:18 +0800
Subject: [PATCH] Security: fix mem leak in containerd
Change-Id: I79df63093835a28ff23074ebc0f75fffac592e66
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
(cherry picked from commit 64456eccb7443ab68b1b5cf0c33be51fdfe5e346)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
supervisor/delete.go | 7 +++++--
supervisor/exit.go | 1 +
supervisor/supervisor.go | 8 ++++++--
3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/supervisor/delete.go b/supervisor/delete.go
index 26cf1bb..9cf517f 100644
--- a/containerd-9c53e35c39f214b128beed3dfb670ccf751c4173/supervisor/delete.go
+++ b/containerd-9c53e35c39f214b128beed3dfb670ccf751c4173/supervisor/delete.go
@@ -27,11 +27,14 @@ func (s *Supervisor) delete(t *DeleteTask) error {
t.Process.Wait()
}
if !t.NoEvent {
- execMap := s.getExecSyncMap(t.ID)
go func() {
// Wait for all exec processe events to be sent (we seem
// to sometimes receive them after the init event)
- for _, ch := range execMap {
+ for {
+ ch := s.getExecSyncOneChannel(t.ID)
+ if ch == nil {
+ break
+ }
<-ch
}
s.deleteExecSyncMap(t.ID)
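Review bot: The rewritten loop still waits on `<-ch` with no bound, so an exec whose exit event is never delivered keeps this goroutine and the container's entry in the sync map alive indefinitely. For a leak fix that case deserves at least a comment, or a `select` with a timeout if a stuck exec is possible. There is also a gap between `getExecSyncOneChannel` returning nil and `s.deleteExecSyncMap(t.ID)`: a channel registered in that window would be dropped without being waited on, assuming getExecSyncChannel creates entries on demand (its body is not on the page). The enclosing delete function starts and ends outside the hunk.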
diff --git a/supervisor/exit.go b/supervisor/exit.go
index 2bce31e..537927b 100644
--- a/containerd-9c53e35c39f214b128beed3dfb670ccf751c4173/supervisor/exit.go
+++ b/containerd-9c53e35c39f214b128beed3dfb670ccf751c4173/supervisor/exit.go
@@ -89,6 +89,7 @@ func (s *Supervisor) execExit(t *ExecExitTask) error {
PID: t.PID,
Status: t.Status,
})
+ s.deleteExecSyncChannel(t.ID, t.PID)
close(synCh)
}()
return nil
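Review bot: The order of `s.deleteExecSyncChannel(t.ID, t.PID)` and `close(synCh)` matters, and nothing in the code says so. The waiter in delete.go re-reads the map after every `<-ch`, so closing first would let it fetch the same closed channel again and spin until the entry is removed. A comment above the call, e.g. `// remove before close: delete() re-reads the map after each wakeup`, would protect against a later reorder. deleteExecSyncChannel is not defined in this patch, so whether it takes containerExecSyncLock and tolerates a missing container entry cannot be checked from here. execExit starts outside the hunk.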
diff --git a/supervisor/supervisor.go b/supervisor/supervisor.go
index e21ae7b..bbb001c 100644
--- a/containerd-9c53e35c39f214b128beed3dfb670ccf751c4173/supervisor/supervisor.go
+++ b/containerd-9c53e35c39f214b128beed3dfb670ccf751c4173/supervisor/supervisor.go
@@ -479,10 +479,14 @@ func (s *Supervisor) getExecSyncChannel(containerID, pid string) chan struct{} {
return ch
}
-func (s *Supervisor) getExecSyncMap(containerID string) map[string]chan struct{} {
+func (s *Supervisor) getExecSyncOneChannel(containerID string) chan struct{} {
s.containerExecSyncLock.Lock()
defer s.containerExecSyncLock.Unlock()
- return s.containerExecSync[containerID]
+
+ for _, ch := range s.containerExecSync[containerID] {
+ return ch
+ }
+ return nil
}
func (s *Supervisor) deleteExecSyncMap(containerID string) {
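Review bot: `getExecSyncOneChannel` has no doc comment, and its `for … range { return ch }` body looks like a mistake unless the intent is stated. Go does not specify map iteration order, so the function returns an arbitrary remaining channel, and the caller relies on that entry being removed elsewhere before the next call. I would add `// getExecSyncOneChannel returns any one pending exec sync channel for containerID, or nil when none remain.` above the function and `// any entry will do; the caller loops until the map is empty` on the loop.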