Close donated files if containerManager.Start() fails

PiperOrigin-RevId: 220869535
Change-Id: I9917e5daf02499f7aab6e2aa4051c54ff4461b9a

2 files changed, 8 insertions, 2 deletions

diff --git a/runsc/boot/controller.go b/runsc/boot/controller.go
index 568aad117..7a1f42119 100644
--- a/runsc/boot/controller.go
+++ b/runsc/boot/controller.go
@@ -213,6 +213,12 @@ type StartArgs struct {
 func (cm *containerManager) Start(args *StartArgs, _ *struct{}) error {
 	log.Debugf("containerManager.Start: %+v", args)
 
+	defer func() {
+		for _, f := range args.FilePayload.Files {
+			f.Close()
+		}
+	}()
+
 	// Validate arguments.
 	if args == nil {
 		return errors.New("start missing arguments")
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 946ddfd47..d953bb783 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -515,7 +515,8 @@ func (l *Loader) createContainer(cid string) error {
 }
 
 // startContainer starts a child container. It returns the thread group ID of
-// the newly created process.
+// the newly created process. Caller owns 'files' and may close them after
+// this method returns.
 func (l *Loader) startContainer(k *kernel.Kernel, spec *specs.Spec, conf *Config, cid string, files []*os.File) error {
 	// Create capabilities.
 	caps, err := specutils.Capabilities(spec.Process.Capabilities)
@@ -553,7 +554,6 @@ func (l *Loader) startContainer(k *kernel.Kernel, spec *specs.Spec, conf *Config
 		if err != nil {
 			return fmt.Errorf("failed to dup file: %v", err)
 		}
-		f.Close()
 		ioFDs = append(ioFDs, fd)
 	}