Add finalizer on AtomicRefCount to check for leaks.

PiperOrigin-RevId: 255711454

12 files changed, 38 insertions, 22 deletions

diff --git a/pkg/sentry/fs/dirent.go b/pkg/sentry/fs/dirent.go
index 28651e58b..fbca06761 100644
--- a/pkg/sentry/fs/dirent.go
+++ b/pkg/sentry/fs/dirent.go
@@ -229,11 +229,13 @@ func newDirent(inode *Inode, name string) *Dirent {
 	if inode != nil {
 		inode.MountSource.IncDirentRefs()
 	}
-	return &Dirent{
+	d := Dirent{
 		Inode:    inode,
 		name:     name,
 		children: make(map[string]*refs.WeakRef),
 	}
+	d.EnableLeakCheck("fs.Dirent")
+	return &d
 }
 
 // NewNegativeDirent returns a new root negative Dirent. Otherwise same as NewDirent.
diff --git a/pkg/sentry/fs/file.go b/pkg/sentry/fs/file.go
index 8e1f5674d..bb8117f89 100644
--- a/pkg/sentry/fs/file.go
+++ b/pkg/sentry/fs/file.go
@@ -130,14 +130,15 @@ type File struct {
 // to false respectively.
 func NewFile(ctx context.Context, dirent *Dirent, flags FileFlags, fops FileOperations) *File {
 	dirent.IncRef()
-	f := &File{
+	f := File{
 		UniqueID:       uniqueid.GlobalFromContext(ctx),
 		Dirent:         dirent,
 		FileOperations: fops,
 		flags:          flags,
 	}
 	f.mu.Init()
-	return f
+	f.EnableLeakCheck("fs.File")
+	return &f
 }
 
 // DecRef destroys the File when it is no longer referenced.
diff --git a/pkg/sentry/fs/file_overlay.go b/pkg/sentry/fs/file_overlay.go
index c6cbd5631..9820f0b13 100644
--- a/pkg/sentry/fs/file_overlay.go
+++ b/pkg/sentry/fs/file_overlay.go
@@ -347,13 +347,14 @@ func (*overlayFileOperations) ConfigureMMap(ctx context.Context, file *File, opt
 		// preventing us from saving a proper inode mapping for the
 		// file.
 		file.IncRef()
-		id := &overlayMappingIdentity{
+		id := overlayMappingIdentity{
 			id:          opts.MappingIdentity,
 			overlayFile: file,
 		}
+		id.EnableLeakCheck("fs.overlayMappingIdentity")
 
 		// Swap out the old MappingIdentity for the wrapped one.
-		opts.MappingIdentity = id
+		opts.MappingIdentity = &id
 		return nil
 	}
 
diff --git a/pkg/sentry/fs/gofer/handles.go b/pkg/sentry/fs/gofer/handles.go
index b87c4f150..27eeae3d9 100644
--- a/pkg/sentry/fs/gofer/handles.go
+++ b/pkg/sentry/fs/gofer/handles.go
@@ -79,11 +79,12 @@ func newHandles(ctx context.Context, file contextFile, flags fs.FileFlags) (*han
 		newFile.close(ctx)
 		return nil, err
 	}
-	h := &handles{
+	h := handles{
 		File: newFile,
 		Host: hostFile,
 	}
-	return h, nil
+	h.EnableLeakCheck("gofer.handles")
+	return &h, nil
 }
 
 type handleReadWriter struct {
diff --git a/pkg/sentry/fs/gofer/path.go b/pkg/sentry/fs/gofer/path.go
index b91386909..8c17603f8 100644
--- a/pkg/sentry/fs/gofer/path.go
+++ b/pkg/sentry/fs/gofer/path.go
@@ -145,16 +145,17 @@ func (i *inodeOperations) Create(ctx context.Context, dir *fs.Inode, name string
 	defer d.DecRef()
 
 	// Construct the new file, caching the handles if allowed.
-	h := &handles{
+	h := handles{
 		File: newFile,
 		Host: hostFile,
 	}
+	h.EnableLeakCheck("gofer.handles")
 	if iops.fileState.canShareHandles() {
 		iops.fileState.handlesMu.Lock()
-		iops.fileState.setSharedHandlesLocked(flags, h)
+		iops.fileState.setSharedHandlesLocked(flags, &h)
 		iops.fileState.handlesMu.Unlock()
 	}
-	return NewFile(ctx, d, name, flags, iops, h), nil
+	return NewFile(ctx, d, name, flags, iops, &h), nil
 }
 
 // CreateLink uses Create to create a symlink between oldname and newname.
diff --git a/pkg/sentry/fs/gofer/session.go b/pkg/sentry/fs/gofer/session.go
index 9f7660ed1..69d08a627 100644
--- a/pkg/sentry/fs/gofer/session.go
+++ b/pkg/sentry/fs/gofer/session.go
@@ -241,7 +241,7 @@ func Root(ctx context.Context, dev string, filesystem fs.Filesystem, superBlockF
 	}
 
 	// Construct the session.
-	s := &session{
+	s := session{
 		connID:          dev,
 		msize:           o.msize,
 		version:         o.version,
@@ -250,13 +250,14 @@ func Root(ctx context.Context, dev string, filesystem fs.Filesystem, superBlockF
 		superBlockFlags: superBlockFlags,
 		mounter:         mounter,
 	}
+	s.EnableLeakCheck("gofer.session")
 
 	if o.privateunixsocket {
 		s.endpoints = newEndpointMaps()
 	}
 
 	// Construct the MountSource with the session and superBlockFlags.
-	m := fs.NewMountSource(ctx, s, filesystem, superBlockFlags)
+	m := fs.NewMountSource(ctx, &s, filesystem, superBlockFlags)
 
 	// Given that gofer files can consume host FDs, restrict the number
 	// of files that can be held by the cache.
@@ -290,7 +291,7 @@ func Root(ctx context.Context, dev string, filesystem fs.Filesystem, superBlockF
 		return nil, err
 	}
 
-	sattr, iops := newInodeOperations(ctx, s, s.attach, qid, valid, attr, false)
+	sattr, iops := newInodeOperations(ctx, &s, s.attach, qid, valid, attr, false)
 	return fs.NewInode(ctx, iops, m, sattr), nil
 }
 
diff --git a/pkg/sentry/fs/gofer/session_state.go b/pkg/sentry/fs/gofer/session_state.go
index 29a79441e..d045e04ff 100644
--- a/pkg/sentry/fs/gofer/session_state.go
+++ b/pkg/sentry/fs/gofer/session_state.go
@@ -111,5 +111,4 @@ func (s *session) afterLoad() {
 			panic("failed to restore endpoint maps: " + err.Error())
 		}
 	}
-
 }
diff --git a/pkg/sentry/fs/host/socket.go b/pkg/sentry/fs/host/socket.go
index 7fedc88bc..44c4ee5f2 100644
--- a/pkg/sentry/fs/host/socket.go
+++ b/pkg/sentry/fs/host/socket.go
@@ -47,12 +47,12 @@ const maxSendBufferSize = 8 << 20
 //
 // +stateify savable
 type ConnectedEndpoint struct {
-	queue *waiter.Queue
-	path  string
-
 	// ref keeps track of references to a connectedEndpoint.
 	ref refs.AtomicRefCount
 
+	queue *waiter.Queue
+	path  string
+
 	// If srfd >= 0, it is the host FD that file was imported from.
 	srfd int `state:"wait"`
 
@@ -133,6 +133,8 @@ func NewConnectedEndpoint(ctx context.Context, file *fd.FD, queue *waiter.Queue,
 	// AtomicRefCounters start off with a single reference. We need two.
 	e.ref.IncRef()
 
+	e.ref.EnableLeakCheck("host.ConnectedEndpoint")
+
 	return &e, nil
 }
 
diff --git a/pkg/sentry/fs/inode.go b/pkg/sentry/fs/inode.go
index e4aae1135..f4ddfa406 100644
--- a/pkg/sentry/fs/inode.go
+++ b/pkg/sentry/fs/inode.go
@@ -86,12 +86,14 @@ type LockCtx struct {
 // NewInode takes a reference on msrc.
 func NewInode(ctx context.Context, iops InodeOperations, msrc *MountSource, sattr StableAttr) *Inode {
 	msrc.IncRef()
-	return &Inode{
+	i := Inode{
 		InodeOperations: iops,
 		StableAttr:      sattr,
 		Watches:         newWatches(),
 		MountSource:     msrc,
 	}
+	i.EnableLeakCheck("fs.Inode")
+	return &i
 }
 
 // DecRef drops a reference on the Inode.
diff --git a/pkg/sentry/fs/mount.go b/pkg/sentry/fs/mount.go
index 912495528..7a9692800 100644
--- a/pkg/sentry/fs/mount.go
+++ b/pkg/sentry/fs/mount.go
@@ -138,12 +138,14 @@ func NewMountSource(ctx context.Context, mops MountSourceOperations, filesystem
 	if filesystem != nil {
 		fsType = filesystem.Name()
 	}
-	return &MountSource{
+	msrc := MountSource{
 		MountSourceOperations: mops,
 		Flags:                 flags,
 		FilesystemType:        fsType,
 		fscache:               NewDirentCache(DefaultDirentCacheSize),
 	}
+	msrc.EnableLeakCheck("fs.MountSource")
+	return &msrc
 }
 
 // DirentRefs returns the current mount direntRefs.
diff --git a/pkg/sentry/fs/mounts.go b/pkg/sentry/fs/mounts.go
index 281364dfc..ce7ffeed2 100644
--- a/pkg/sentry/fs/mounts.go
+++ b/pkg/sentry/fs/mounts.go
@@ -181,12 +181,14 @@ func NewMountNamespace(ctx context.Context, root *Inode) (*MountNamespace, error
 		d: newRootMount(1, d),
 	}
 
-	return &MountNamespace{
+	mns := MountNamespace{
 		userns:  creds.UserNamespace,
 		root:    d,
 		mounts:  mnts,
 		mountID: 2,
-	}, nil
+	}
+	mns.EnableLeakCheck("fs.MountNamespace")
+	return &mns, nil
 }
 
 // UserNamespace returns the user namespace associated with this mount manager.
diff --git a/pkg/sentry/fs/tty/terminal.go b/pkg/sentry/fs/tty/terminal.go
index 8290f2530..b7cecb2ed 100644
--- a/pkg/sentry/fs/tty/terminal.go
+++ b/pkg/sentry/fs/tty/terminal.go
@@ -38,9 +38,11 @@ type Terminal struct {
 
 func newTerminal(ctx context.Context, d *dirInodeOperations, n uint32) *Terminal {
 	termios := linux.DefaultSlaveTermios
-	return &Terminal{
+	t := Terminal{
 		d:  d,
 		n:  n,
 		ld: newLineDiscipline(termios),
 	}
+	t.EnableLeakCheck("tty.Terminal")
+	return &t
 }