1 files changed, 6 insertions, 3 deletions

diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index dee2c4fbb..8ad000497 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -472,9 +472,13 @@ func (l *Loader) Destroy() {
 	}
 	l.watchdog.Stop()
 
+	// Release all kernel resources. This is only safe after we can no longer
+	// save/restore.
+	l.k.Release()
+
 	// In the success case, stdioFDs and goferFDs will only contain
 	// released/closed FDs that ownership has been passed over to host FDs and
-	// gofer sessions. Close them here in case on failure.
+	// gofer sessions. Close them here in case of failure.
 	for _, fd := range l.root.stdioFDs {
 		_ = fd.Close()
 	}
@@ -899,7 +903,7 @@ func (l *Loader) executeAsync(args *control.ExecArgs) (kernel.ThreadID, error) {
 	// Get the container MountNamespace from the Task. Try to acquire ref may fail
 	// in case it raced with task exit.
 	if kernel.VFS2Enabled {
-		// task.MountNamespace() does not take a ref, so we must do so ourselves.
+		// task.MountNamespaceVFS2() does not take a ref, so we must do so ourselves.
 		args.MountNamespaceVFS2 = tg.Leader().MountNamespaceVFS2()
 		if !args.MountNamespaceVFS2.TryIncRef() {
 			return 0, fmt.Errorf("container %q has stopped", args.ContainerID)
@@ -921,7 +925,6 @@ func (l *Loader) executeAsync(args *control.ExecArgs) (kernel.ThreadID, error) {
 		root := args.MountNamespaceVFS2.Root()
 		ctx := vfs.WithRoot(l.k.SupervisorContext(), root)
 		defer args.MountNamespaceVFS2.DecRef(ctx)
-		defer root.DecRef(ctx)
 		envv, err := user.MaybeAddExecUserHomeVFS2(ctx, args.MountNamespaceVFS2, args.KUID, args.Envv)
 		if err != nil {
 			return 0, err