--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:lxc
[ Reason ]
Fix two bugs affecting the version of lxc in trixie:
* Cherry-pick upstream fix for data corruption during heavy IO on PTS
* Update lxc-default-with-nesting apparmor profile
[ Impact ]
Users running lxc in trixie currently encounter small but annoying
bugs. The apparmor profile update in particular will resolve may issues
with running hardened systemd services within unprivilged containers.
[ Tests ]
The PTS data corruption patch has been heavily tested upstream, and
I've personally tested/verified the apparmor profile update.
[ Risks ]
Minor/none -- one targeted fix cherry-picked from the upstream git repo
and a simple apparmor profile update.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
Two patches as outlined above.
[ Other info ]
The source debdiff is attached.
diff -Nru lxc-6.0.4/debian/changelog lxc-6.0.4/debian/changelog
--- lxc-6.0.4/debian/changelog 2025-12-26 19:02:22.000000000 +0000
+++ lxc-6.0.4/debian/changelog 2026-03-02 19:05:00.000000000 +0000
@@ -1,3 +1,10 @@
+lxc (1:6.0.4-4+deb13u2) trixie; urgency=medium
+
+ * Cherry-pick upstream fix for data corruption during heavy IO on PTS
+ * Update lxc-default-with-nesting apparmor profile (Closes: #1111087)
+
+ -- Mathias Gibbens <[email protected]> Mon, 02 Mar 2026 19:05:00 +0000
+
lxc (1:6.0.4-4+deb13u1) trixie; urgency=medium
[ Frost ]
diff -Nru lxc-6.0.4/debian/patches/0001-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch lxc-6.0.4/debian/patches/0001-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch
--- lxc-6.0.4/debian/patches/0001-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch 2025-12-26 19:02:22.000000000 +0000
+++ lxc-6.0.4/debian/patches/0001-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch 2026-03-02 19:05:00.000000000 +0000
@@ -9,22 +9,26 @@
It's only added in nesting profile as it could pose security risks on
privileged containers.
+mount options=(rw,rbind) -> /run/systemd/mount-rootfs/,
+mount options=(rw,rbind) -> /run/systemd/mount-rootfs/**,
mount options=(rw,rbind) -> /run/systemd/unit-root/,
mount options=(rw,rbind) -> /run/systemd/unit-root/**,
mount options=(rw,rshared) -> /,
mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,
---
- config/apparmor/profiles/lxc-default-with-nesting | 4 ++++
- 1 file changed, 4 insertions(+)
+ config/apparmor/profiles/lxc-default-with-nesting | 6 ++++++
+ 1 file changed, 6 insertions(+)
diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
-index cd198be..01562a9 100644
+index cd198be..55b17c8 100644
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
-@@ -10,6 +10,10 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
+@@ -10,6 +10,12 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
mount fstype=proc -> /var/cache/lxc/**,
mount fstype=sysfs -> /var/cache/lxc/**,
mount options=(rw,bind),
++ mount options=(rw,rbind) -> /run/systemd/mount-rootfs/,
++ mount options=(rw,rbind) -> /run/systemd/mount-rootfs/**,
+ mount options=(rw,rbind) -> /run/systemd/unit-root/,
+ mount options=(rw,rbind) -> /run/systemd/unit-root/**,
+ mount options=(rw,rshared) -> /,
diff -Nru lxc-6.0.4/debian/patches/0105-cherry-pick-fix-heavy-io-pts.patch lxc-6.0.4/debian/patches/0105-cherry-pick-fix-heavy-io-pts.patch
--- lxc-6.0.4/debian/patches/0105-cherry-pick-fix-heavy-io-pts.patch 1970-01-01 00:00:00.000000000 +0000
+++ lxc-6.0.4/debian/patches/0105-cherry-pick-fix-heavy-io-pts.patch 2026-03-02 19:05:00.000000000 +0000
@@ -0,0 +1,335 @@
+From 4cb9884ed7d3ca98ccd9bf2abbd508255b4e1fb7 Mon Sep 17 00:00:00 2001
+From: DreamConnected <[email protected]>
+Date: Sun, 26 Oct 2025 13:28:13 +0800
+Subject: [PATCH 1/2] lxc/{terminal, file_utils}: ensure complete data writes
+ in ptx/peer io handlers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Previously, lxc_write_nointr could return without writing all data
+when write() returned EAGAIN/EWOULDBLOCK due to buffer full conditions.
+
+This change:
+- Implements a loop to continue writing until all data is sent
+- Handles EINTR, EAGAIN, and EWOULDBLOCK errors appropriately
+- Uses poll() to wait for fd to become ready when blocked
+- Maintains backward compatibility while fixing partial write issues
+
+Signed-off-by: DreamConnected <[email protected]>
+[ alex ]
+- introduce a separate helper lxc_write_all and use it only in ptx/peer
+ io handlers
+- cleanup the code a bit
+Signed-off-by: Alexander Mikhalitsyn <[email protected]>
+---
+ src/lxc/file_utils.c | 86 ++++++++++++++++++++++++++++++++++++++++++++
+ src/lxc/file_utils.h | 2 ++
+ src/lxc/terminal.c | 4 +--
+ 3 files changed, 90 insertions(+), 2 deletions(-)
+
+diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c
+index e8bf9321b0..ea54939f30 100644
+--- a/src/lxc/file_utils.c
++++ b/src/lxc/file_utils.c
+@@ -11,6 +11,7 @@
+ #include <sys/stat.h>
+ #include <sys/types.h>
+ #include <time.h>
++#include <poll.h>
+
+ #include "file_utils.h"
+ #include "macro.h"
+@@ -147,6 +148,91 @@ ssize_t lxc_read_try_buf_at(int dfd, const char *path, void *buf, size_t count)
+ return ret;
+ }
+
++static int __lxc_wait_for_io_ready(int fd, int event, int timeout_ms)
++{
++ int ret;
++ struct pollfd pfd = {
++ .fd = fd,
++ .events = event,
++ .revents = 0
++ };
++
++ do {
++ ret = poll(&pfd, 1, timeout_ms);
++ } while (ret < 0 && errno == EINTR);
++
++ if (ret < 0)
++ return -errno;
++
++ if (ret == 0)
++ return -ETIMEDOUT;
++
++ if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
++ if (pfd.revents & POLLERR)
++ return -EPIPE;
++ if (pfd.revents & POLLHUP)
++ return -EPIPE;
++ if (pfd.revents & POLLNVAL)
++ return -EBADF;
++ }
++
++ if (!(pfd.revents & event))
++ return -EAGAIN;
++
++ return ret;
++}
++
++ssize_t lxc_write_all(int fd, const void *buf, size_t count)
++{
++ ssize_t left_to_write = count;
++ const char *ptr = buf;
++ int flags;
++
++ flags = fcntl(fd, F_GETFL);
++ if (flags < 0)
++ return ret_set_errno(-1, errno);
++
++ /* only non-blocking fds are allowed */
++ if (!(flags & O_NONBLOCK))
++ return ret_set_errno(-1, EINVAL);
++
++ while (left_to_write > 0) {
++ int ret = write(fd, ptr, left_to_write);
++
++ if (ret > 0) {
++ left_to_write -= ret;
++ ptr += ret;
++ continue;
++ }
++
++ if (ret == 0)
++ break;
++
++ /* ret < 0 */
++ if (errno == EINTR)
++ continue;
++
++ if (errno == EAGAIN) {
++ int pret = __lxc_wait_for_io_ready(fd, POLLOUT, 5000);
++
++ /* we've got an event on fd */
++ if (pret > 0)
++ continue;
++
++ if (pret == -ETIMEDOUT)
++ break;
++
++ if (pret < 0)
++ return ret_set_errno(-1, -pret);
++ }
++
++ /* some other error */
++ return ret_set_errno(-1, errno);
++ }
++
++ return count - left_to_write;
++}
++
+ ssize_t lxc_write_nointr(int fd, const void *buf, size_t count)
+ {
+ ssize_t ret;
+diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h
+index 4fcaa47855..7d277dad33 100644
+--- a/src/lxc/file_utils.h
++++ b/src/lxc/file_utils.h
+@@ -35,6 +35,8 @@ __hidden extern int lxc_read_from_file(const char *filename, void *buf, size_t c
+ __access_w(2, 3);
+
+ /* send and receive buffers completely */
++__hidden extern ssize_t lxc_write_all(int fd, const void *buf, size_t count) __access_r(2, 3);
++
+ __hidden extern ssize_t lxc_write_nointr(int fd, const void *buf, size_t count) __access_r(2, 3);
+
+ __hidden extern ssize_t lxc_pwrite_nointr(int fd, const void *buf, size_t count, off_t offset)
+diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c
+index 86fe785b6c..d066c2b9ee 100644
+--- a/src/lxc/terminal.c
++++ b/src/lxc/terminal.c
+@@ -338,7 +338,7 @@ static int lxc_terminal_ptx_io(struct lxc_terminal *terminal)
+ w_rbuf = w_log = 0;
+ /* write to peer first */
+ if (terminal->peer >= 0)
+- w = lxc_write_nointr(terminal->peer, buf, r);
++ w = lxc_write_all(terminal->peer, buf, r);
+
+ /* write to terminal ringbuffer */
+ if (terminal->buffer_size > 0)
+@@ -375,7 +375,7 @@ static int lxc_terminal_peer_io(struct lxc_terminal *terminal)
+ return -1;
+ }
+
+- w = lxc_write_nointr(terminal->ptx, buf, r);
++ w = lxc_write_all(terminal->ptx, buf, r);
+ if (w != r)
+ WARN("Short write on terminal r:%d != w:%d", r, w);
+
+
+From 97bd7699c79493f32fcee0f976b6c397cf0f0ad5 Mon Sep 17 00:00:00 2001
+From: Alexander Mikhalitsyn <[email protected]>
+Date: Wed, 21 Jan 2026 18:20:30 +0100
+Subject: [PATCH 2/2] tests/lxc-attach: ensure no data corruption happens
+ during heavy IO on pts
+
+Signed-off-by: Alexander Mikhalitsyn <[email protected]>
+---
+ src/tests/lxc-test-lxc-attach | 65 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 61 insertions(+), 4 deletions(-)
+
+diff --git a/src/tests/lxc-test-lxc-attach b/src/tests/lxc-test-lxc-attach
+index 49289df5d3..720545f994 100755
+--- a/src/tests/lxc-test-lxc-attach
++++ b/src/tests/lxc-test-lxc-attach
+@@ -58,6 +58,7 @@ for i in $(seq 1 100); do
+ if [ "$attach" != "busy" ]; then
+ FAIL "lxc-attach -n busy -- hostname"
+ fi
++ rm -f "${ATTACH_LOG}"
+ done
+
+ # stdin --> /dev/null
+@@ -67,6 +68,7 @@ attach=$(lxc-attach -n busy -l trace -o "${ATTACH_LOG}" -- hostname < /dev/null
+ if [ "$attach" != "busy" ]; then
+ FAIL "lxc-attach -n busy -- hostname < /dev/null"
+ fi
++rm -f "${ATTACH_LOG}"
+
+ # stdin --> attached to pty
+ # stdout --> /dev/null
+@@ -75,6 +77,7 @@ attach=$(lxc-attach -n busy -l trace -o "${ATTACH_LOG}" -- hostname > /dev/null
+ if [ -n "$attach" ]; then
+ FAIL "lxc-attach -n busy -- hostname > /dev/null"
+ fi
++rm -f "${ATTACH_LOG}"
+
+ # stdin --> attached to pty
+ # stdout --> attached to pty
+@@ -83,6 +86,7 @@ attach=$(lxc-attach -n busy -l trace -o "${ATTACH_LOG}" -- hostname 2> /dev/null
+ if [ "$attach" != "busy" ]; then
+ FAIL "lxc-attach -n busy -- hostname 2> /dev/null < /dev/null"
+ fi
++rm -f "${ATTACH_LOG}"
+
+ # stdin --> /dev/null
+ # stdout --> attached to pty
+@@ -91,6 +95,7 @@ attach=$(lxc-attach -n busy -l trace -o "${ATTACH_LOG}" -- hostname 2> /dev/null
+ if [ "$attach" != "busy" ]; then
+ FAIL "lxc-attach -n busy -- hostname 2> /dev/null < /dev/null"
+ fi
++rm -f "${ATTACH_LOG}"
+
+ # Use a synthetic reproducer in container to produce output on stderr. stdout on
+ # the host gets redirect to /dev/null. We should still be able to receive
+@@ -104,6 +109,7 @@ attach=$( ( lxc-attach -n busy -l trace -o "${ATTACH_LOG}" -- sh -c 'hostname >&
+ if [ "$attach" != "busy" ]; then
+ FAIL "lxc-attach -n busy -- sh -c 'hostname >&2' > /dev/null"
+ fi
++rm -f "${ATTACH_LOG}"
+
+ # Use a synthetic reproducer in container to produce output on stderr. stderr on
+ # the host gets redirect to /dev/null. We should not receive output on stderr on
+@@ -116,7 +122,7 @@ attach=$( ( lxc-attach -n busy -l trace -o "${ATTACH_LOG}" -- sh -c 'hostname >&
+ if [ -n "$attach" ]; then
+ FAIL "lxc-attach -n busy -- sh -c 'hostname >&2' 2> /dev/null"
+ fi
+-
++rm -f "${ATTACH_LOG}"
+
+ # stdin --> attached to pty
+ # stdout --> /dev/null
+@@ -126,7 +132,7 @@ attach=$(lxc-attach -n busy -l trace -o "${ATTACH_LOG}" -- sh -c 'rm 2>&1' > /de
+ if [ -n "$attach" ]; then
+ FAIL "lxc-attach -n busy -- sh -c 'rm 2>&1' > /dev/null"
+ fi
+-
++rm -f "${ATTACH_LOG}"
+
+ # - stdin --> attached to pty
+ # - stdout --> attached to pty
+@@ -136,6 +142,7 @@ attach=$(lxc-attach -n busy -l trace -o "${ATTACH_LOG}" -- sh -c 'rm 2>&1' 2> /d
+ if [ -z "$attach" ]; then
+ FAIL "lxc-attach -n busy -- sh -c 'rm 2>&1' 2> /dev/null"
+ fi
++rm -f "${ATTACH_LOG}"
+
+ # stdin --> $in
+ # stdout --> attached to pty
+@@ -144,6 +151,7 @@ attach=$(echo hostname | lxc-attach -n busy -l trace -o "${ATTACH_LOG}" -- || FA
+ if [ "$attach" != "busy" ]; then
+ FAIL "echo hostname | lxc-attach -n busy --"
+ fi
++rm -f "${ATTACH_LOG}"
+
+ # stdin --> attached to pty
+ # stdout --> $out
+@@ -158,7 +166,7 @@ if [ "$outcontent" != "OUT" ] || [ "$errcontent" != "ERR" ]; then
+ FAIL "lxc-attach -n busy -- sh -c 'echo OUT; echo ERR >&2' > $out 2> $err"
+ fi
+
+-rm -f $out $err
++rm -f $out $err "${ATTACH_LOG}"
+
+ # stdin --> $in
+ # stdout --> $out
+@@ -174,8 +182,57 @@ if [ "$outcontent" != "busy" ] || [ -z "$errcontent" ]; then
+ FAIL "echo 'hostname; rm' | lxc-attach -n busy > $out 2> $err"
+ fi
+
+-rm -f $out $err
++rm -f $out $err "${ATTACH_LOG}"
++
++#
++# This testcase covers cases like:
++# https://github.com/lxc/lxc/issues/4546
++# https://discuss.linuxcontainers.org/t/lxc-attach-long-output-stops-suddenly-possible-bug/22031
++# https://discuss.linuxcontainers.org/t/fixing-forgejo-runners-lxc-logging/25918
++#
++# Idea is simple, we simulate a heavy IO and write relatively large amount of data to overfill
++# pts device buffers, then ensure data integrity.
++#
++# We need to use "script" tool to allocate TTYs properly, otherwise we don't go into a
++# problematic LXC code-path we want to cover.
++#
++# Also, I had to introduce two synthetic sleeps: one before issuing commands to busybox shell inside
++# a container and another one after.
++#
++# First one is needed, because LXC looses some pieces of terminal device input during
++# lxc-attach command initialization because of tcsetattr(fd, TCSAFLUSH, &newtios) call
++# (see https://github.com/lxc/lxc/blob/5d9839bc1316fa185d8c29b90982684b32e3dfa7/src/lxc/terminal.c#L523)
++# I would replace TCSAFLUSH with TCSANOW to avoid TTY buffer flush (and I tested that it helps),
++# but taking into account that this code is here since 2010
++# (see https://github.com/lxc/lxc/commit/e0dc0de76ed1ad9e284a37bd01268227d4eae8c9)
++# I decided to keep it like it is for now (FIXME?).
++#
++# Second sleep is needed because of a bug in busybox, unfortunately, without this sleep,
++# busybox fails to react on the host pipe write-end closure (after full command submission)
++# and continues to poll infinitely. This sleep makes pipe closure even to be separated from
++# a heavy IO and avoids this bug.
++#
++
++# Check test dependencies
++command -v script >/dev/null 2>&1 || { echo "'script' command is missing" >&2; exit 1; }
++busybox dd --help >/dev/null 2>&1 || FAIL "missing busybox's dd applet"
++busybox hexdump --help >/dev/null 2>&1 || FAIL "missing busybox's hexdump applet"
++busybox tee --help >/dev/null 2>&1 || FAIL "missing busybox's tee applet"
++
++out=$(mktemp /tmp/out_XXXX)
++BS=1000000
++( sleep 3; echo "echo DATASTART ; dd if=/dev/urandom bs=$BS count=1 status=none | hexdump | tee /root/large-data.txt ; echo DATAEND" ; sleep 1 ) | \
++ script -q -e -c "lxc-attach -n busy -l trace -o \"${ATTACH_LOG}\"" | \
++ sed -n '/DATASTART/,/DATAEND/{/DATASTART/d;/DATAEND/d;s/[\r\n]*$//;p}' > $out
++
++[ $(stat -c%s $out) -gt $BS ] || FAIL "generated file size is too small"
++cmp -s /var/lib/lxc/busy/rootfs/root/large-data.txt $out || FAIL "data corruption detected"
++
++md5sum /var/lib/lxc/busy/rootfs/root/large-data.txt $out
++ls -lah /var/lib/lxc/busy/rootfs/root/large-data.txt
++rm -f /var/lib/lxc/busy/rootfs/root/large-data.txt $out "${ATTACH_LOG}"
+
++# Cleanup stage
+ lxc-destroy -n busy -f
+ rm -f "${ATTACH_LOG}" || true
+
diff -Nru lxc-6.0.4/debian/patches/series lxc-6.0.4/debian/patches/series
--- lxc-6.0.4/debian/patches/series 2025-12-26 19:02:22.000000000 +0000
+++ lxc-6.0.4/debian/patches/series 2026-03-02 19:05:00.000000000 +0000
@@ -7,3 +7,4 @@
0102-cherry-pick-apparmor-generation.patch
0103-cherry-pick-fix-dbus-reboots.patch
0104-Add-lxc-net-as-dependency-in-sysvinit-script.patch
+0105-cherry-pick-fix-heavy-io-pts.patch
signature.asc
Description: This is a digitally signed message part
--- End Message ---
