Check for invalid handle values, callback code cleanup

Validate that Handles are also not `Invalid` (i.e., `uintptr - 1`),
since Win32 APIs may feasibly return either invalid or zero handles on
error.

Add a dedicated callback number counter atomic, since it doesn't need to
be protected by `callbackMapLock`.

Add debug logs with (un)registered notification number and compute
system/process details.

Add documentation on current `callbackMap` races.

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>

Author: helsaawy

internal/hcs/callback.go

@@ -18,7 +18,23 @@ import (
 )
 
 var (
-	nextCallback    uintptr
+	// TODO: refactor callback number to be a uint and not a uintptr
+
+	nextCallback callbackCounter
+
+	// `callbackMapLock` is used to protect the map itself, and not the values in the map.
+	// This causes a race condition with `(*notificationWatcherContext).handle`,
+	// where, if a computeSystem or process is closed immediately after it is opened, then
+	// the handle may not be updated with the result from
+	// `vmcompute.HcsRegister[ComputeSystem|Process]Callback` in `registerCallback` when
+	// `unregisterCallback` is called.
+	// Similarly with `(*notificationWatcherContext).channels`, if a `unregisterCallback`
+	// is called while `waitForNotification` or `notificationWatcher` are processing a notification,
+	// then the former may close the notification channels after the latter two have read
+	// (and retain a pointer to) the `notificationWatcherContext`, resulting in a send on a closed channel.
+	// TODO: use a per-context [RW]Mutex to fix the above scenarios.
+
+	// protected by [callbackMapLock].
 	callbackMap     = map[uintptr]*notificationWatcherContext{}
 	callbackMapLock = sync.RWMutex{}
 
@@ -156,7 +172,7 @@ func notificationWatcher(
 	callbackMapLock.RUnlock()
 
 	if callbackCtx == nil {
-		entry.WithField("callbackNumber", callbackNumber).Warn("Received notification for unknown callback number")
+		entry.WithField("callbackNumber", callbackNumber).Warn("received notification for unknown callback number")
 		return 0
 	}
 

internal/hcs/process.go

@@ -12,6 +12,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/sirupsen/logrus"
 	"go.opencensus.io/trace"
 
 	"github.com/Microsoft/hcsshim/internal/cow"
@@ -20,6 +21,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestrequest"
 	"github.com/Microsoft/hcsshim/internal/vmcompute"
+	"github.com/Microsoft/hcsshim/internal/winapi"
 )
 
 type Process struct {
@@ -97,7 +99,7 @@ func (process *Process) Signal(ctx context.Context, options interface{}) (bool,
 
 	operation := "hcs::Process::Signal"
 
-	if process.handle == 0 {
+	if winapi.IsInvalidHandle(process.handle) {
 		return false, makeProcessError(process, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -122,7 +124,7 @@ func (process *Process) Kill(ctx context.Context) (bool, error) {
 
 	operation := "hcs::Process::Kill"
 
-	if process.handle == 0 {
+	if winapi.IsInvalidHandle(process.handle) {
 		return false, makeProcessError(process, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -287,7 +289,7 @@ func (process *Process) ResizeConsole(ctx context.Context, width, height uint16)
 
 	operation := "hcs::Process::ResizeConsole"
 
-	if process.handle == 0 {
+	if winapi.IsInvalidHandle(process.handle) {
 		return makeProcessError(process, operation, ErrAlreadyClosed, nil)
 	}
 	modifyRequest := hcsschema.ProcessModifyRequest{
@@ -339,7 +341,7 @@ func (process *Process) StdioLegacy() (_ io.WriteCloser, _ io.ReadCloser, _ io.R
 	process.handleLock.RLock()
 	defer process.handleLock.RUnlock()
 
-	if process.handle == 0 {
+	if winapi.IsInvalidHandle(process.handle) {
 		return nil, nil, nil, makeProcessError(process, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -388,7 +390,7 @@ func (process *Process) CloseStdin(ctx context.Context) (err error) {
 	process.handleLock.RLock()
 	defer process.handleLock.RUnlock()
 
-	if process.handle == 0 {
+	if winapi.IsInvalidHandle(process.handle) {
 		return makeProcessError(process, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -434,7 +436,7 @@ func (process *Process) CloseStdout(ctx context.Context) (err error) {
 	process.handleLock.Lock()
 	defer process.handleLock.Unlock()
 
-	if process.handle == 0 {
+	if winapi.IsInvalidHandle(process.handle) {
 		return nil
 	}
 
@@ -458,7 +460,7 @@ func (process *Process) CloseStderr(ctx context.Context) (err error) {
 	process.handleLock.Lock()
 	defer process.handleLock.Unlock()
 
-	if process.handle == 0 {
+	if winapi.IsInvalidHandle(process.handle) {
 		return nil
 	}
 
@@ -486,7 +488,7 @@ func (process *Process) Close() (err error) {
 	defer process.handleLock.Unlock()
 
 	// Don't double free this
-	if process.handle == 0 {
+	if winapi.IsInvalidHandle(process.handle) {
 		return nil
 	}
 
@@ -524,15 +526,21 @@ func (process *Process) Close() (err error) {
 }
 
 func (process *Process) registerCallback(ctx context.Context) error {
+	callbackNumber := nextCallback.Inc()
+
+	log.G(ctx).WithFields(logrus.Fields{
+		"cid":            process.SystemID(),
+		"pid":            process.processID,
+		"callbackNumber": callbackNumber,
+	}).Debug("register process callback")
+
 	callbackContext := &notificationWatcherContext{
 		channels:  newProcessChannels(),
 		systemID:  process.SystemID(),
 		processID: process.processID,
 	}
 
 	callbackMapLock.Lock()
-	callbackNumber := nextCallback
-	nextCallback++
 	callbackMap[callbackNumber] = callbackContext
 	callbackMapLock.Unlock()
 
@@ -549,6 +557,12 @@ func (process *Process) registerCallback(ctx context.Context) error {
 func (process *Process) unregisterCallback(ctx context.Context) error {
 	callbackNumber := process.callbackNumber
 
+	log.G(ctx).WithFields(logrus.Fields{
+		"cid":            process.SystemID(),
+		"pid":            process.processID,
+		"callbackNumber": callbackNumber,
+	}).Debug("unregister process callback")
+
 	callbackMapLock.RLock()
 	callbackContext := callbackMap[callbackNumber]
 	callbackMapLock.RUnlock()
@@ -559,7 +573,7 @@ func (process *Process) unregisterCallback(ctx context.Context) error {
 
 	handle := callbackContext.handle
 
-	if handle == 0 {
+	if winapi.IsInvalidHandle(handle) {
 		return nil
 	}
 

internal/hcs/system.go

@@ -21,6 +21,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/internal/timeout"
 	"github.com/Microsoft/hcsshim/internal/vmcompute"
+	"github.com/Microsoft/hcsshim/internal/winapi"
 	"github.com/sirupsen/logrus"
 	"go.opencensus.io/trace"
 )
@@ -206,7 +207,7 @@ func (computeSystem *System) Start(ctx context.Context) (err error) {
 
 	// prevent starting an exited system because waitblock we do not recreate waitBlock
 	// or rerun waitBackground, so we have no way to be notified of it closing again
-	if computeSystem.handle == 0 {
+	if winapi.IsInvalidHandle(computeSystem.handle) {
 		return makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -232,7 +233,7 @@ func (computeSystem *System) Shutdown(ctx context.Context) error {
 
 	operation := "hcs::System::Shutdown"
 
-	if computeSystem.handle == 0 || computeSystem.stopped() {
+	if winapi.IsInvalidHandle(computeSystem.handle) || computeSystem.stopped() {
 		return nil
 	}
 
@@ -254,7 +255,7 @@ func (computeSystem *System) Terminate(ctx context.Context) error {
 
 	operation := "hcs::System::Terminate"
 
-	if computeSystem.handle == 0 || computeSystem.stopped() {
+	if winapi.IsInvalidHandle(computeSystem.handle) || computeSystem.stopped() {
 		return nil
 	}
 
@@ -351,7 +352,7 @@ func (computeSystem *System) Properties(ctx context.Context, types ...schema1.Pr
 
 	operation := "hcs::System::Properties"
 
-	if computeSystem.handle == 0 {
+	if winapi.IsInvalidHandle(computeSystem.handle) {
 		return nil, makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -492,7 +493,7 @@ func (computeSystem *System) statisticsInProc(job *jobobject.JobObject) (*hcssch
 func (computeSystem *System) hcsPropertiesV2Query(ctx context.Context, types []hcsschema.PropertyType) (*hcsschema.Properties, error) {
 	operation := "hcs::System::PropertiesV2"
 
-	if computeSystem.handle == 0 {
+	if winapi.IsInvalidHandle(computeSystem.handle) {
 		return nil, makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -586,7 +587,7 @@ func (computeSystem *System) Pause(ctx context.Context) (err error) {
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	if computeSystem.handle == 0 {
+	if winapi.IsInvalidHandle(computeSystem.handle) {
 		return makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -614,7 +615,7 @@ func (computeSystem *System) Resume(ctx context.Context) (err error) {
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	if computeSystem.handle == 0 {
+	if winapi.IsInvalidHandle(computeSystem.handle) {
 		return makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -647,7 +648,7 @@ func (computeSystem *System) Save(ctx context.Context, options interface{}) (err
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	if computeSystem.handle == 0 {
+	if winapi.IsInvalidHandle(computeSystem.handle) {
 		return makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -665,7 +666,7 @@ func (computeSystem *System) createProcess(ctx context.Context, operation string
 	computeSystem.handleLock.RLock()
 	defer computeSystem.handleLock.RUnlock()
 
-	if computeSystem.handle == 0 {
+	if winapi.IsInvalidHandle(computeSystem.handle) {
 		return nil, nil, makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -727,7 +728,7 @@ func (computeSystem *System) OpenProcess(ctx context.Context, pid int) (*Process
 
 	operation := "hcs::System::OpenProcess"
 
-	if computeSystem.handle == 0 {
+	if winapi.IsInvalidHandle(computeSystem.handle) {
 		return nil, makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
@@ -766,7 +767,7 @@ func (computeSystem *System) CloseCtx(ctx context.Context) (err error) {
 	defer computeSystem.handleLock.Unlock()
 
 	// Don't double free this
-	if computeSystem.handle == 0 {
+	if winapi.IsInvalidHandle(computeSystem.handle) {
 		return nil
 	}
 
@@ -789,14 +790,19 @@ func (computeSystem *System) CloseCtx(ctx context.Context) (err error) {
 }
 
 func (computeSystem *System) registerCallback(ctx context.Context) error {
+	callbackNumber := nextCallback.Inc()
+
+	log.G(ctx).WithFields(logrus.Fields{
+		"cid":            computeSystem.id,
+		"callbackNumber": callbackNumber,
+	}).Debug("register computer system callback")
+
 	callbackContext := &notificationWatcherContext{
 		channels: newSystemChannels(),
 		systemID: computeSystem.id,
 	}
 
 	callbackMapLock.Lock()
-	callbackNumber := nextCallback
-	nextCallback++
 	callbackMap[callbackNumber] = callbackContext
 	callbackMapLock.Unlock()
 
@@ -814,6 +820,11 @@ func (computeSystem *System) registerCallback(ctx context.Context) error {
 func (computeSystem *System) unregisterCallback(ctx context.Context) error {
 	callbackNumber := computeSystem.callbackNumber
 
+	log.G(ctx).WithFields(logrus.Fields{
+		"cid":            computeSystem.id,
+		"callbackNumber": callbackNumber,
+	}).Debug("unregister computer system callback")
+
 	callbackMapLock.RLock()
 	callbackContext := callbackMap[callbackNumber]
 	callbackMapLock.RUnlock()
@@ -824,7 +835,7 @@ func (computeSystem *System) unregisterCallback(ctx context.Context) error {
 
 	handle := callbackContext.handle
 
-	if handle == 0 {
+	if winapi.IsInvalidHandle(handle) {
 		return nil
 	}
 
@@ -853,7 +864,7 @@ func (computeSystem *System) Modify(ctx context.Context, config interface{}) err
 
 	operation := "hcs::System::Modify"
 
-	if computeSystem.handle == 0 {
+	if winapi.IsInvalidHandle(computeSystem.handle) {
 		return makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 

internal/hcs/utils.go

@@ -5,21 +5,25 @@ package hcs
 import (
 	"context"
 	"io"
+	"sync/atomic"
 	"syscall"
 
+	"github.com/pkg/errors"
+	"golang.org/x/sys/windows"
+
 	"github.com/Microsoft/go-winio"
 	diskutil "github.com/Microsoft/go-winio/vhd"
+
 	"github.com/Microsoft/hcsshim/computestorage"
-	"github.com/pkg/errors"
-	"golang.org/x/sys/windows"
+	"github.com/Microsoft/hcsshim/internal/winapi"
 )
 
 // makeOpenFiles calls winio.NewOpenFile for each handle in a slice but closes all the handles
 // if there is an error.
 func makeOpenFiles(hs []syscall.Handle) (_ []io.ReadWriteCloser, err error) {
 	fs := make([]io.ReadWriteCloser, len(hs))
 	for i, h := range hs {
-		if h != syscall.Handle(0) {
+		if !winapi.IsInvalidHandle(h) {
 			if err == nil {
 				fs[i], err = winio.NewOpenFile(windows.Handle(h))
 			}
@@ -62,3 +66,18 @@ func CreateNTFSVHD(ctx context.Context, vhdPath string, sizeGB uint32) (err erro
 
 	return nil
 }
+
+// TODO: move these to a dedicated `internal/sync` package
+
+type callbackCounter struct {
+	v atomic.Uintptr
+}
+
+func (c *callbackCounter) Inc() uintptr { return (&c.v).Add(1) }
+
+// noCopy prevents structs from being copied.
+// See: https://golang.org/issues/8005#issuecomment-190753527
+type noCopy struct{}
+
+func (*noCopy) Lock()   {}
+func (*noCopy) Unlock() {}

internal/hcs/waithelper.go

@@ -32,13 +32,14 @@ func waitForNotification(
 	timeout *time.Duration,
 ) error {
 	callbackMapLock.RLock()
-	if _, ok := callbackMap[callbackNumber]; !ok {
-		callbackMapLock.RUnlock()
+	callbackCtx, ok := callbackMap[callbackNumber]
+	callbackMapLock.RUnlock()
+
+	if !ok {
 		log.G(ctx).WithField("callbackNumber", callbackNumber).Error("failed to waitForNotification: callbackNumber does not exist in callbackMap")
 		return ErrHandleClose
 	}
-	channels := callbackMap[callbackNumber].channels
-	callbackMapLock.RUnlock()
+	channels := callbackCtx.channels
 
 	expectedChannel := channels[expectedNotification]
 	if expectedChannel == nil {

internal/winapi/doc.go

@@ -1,3 +1,5 @@
 // Package winapi contains various low-level bindings to Windows APIs. It can
 // be thought of as an extension to golang.org/x/sys/windows.
 package winapi
+
+//go:generate go tool github.com/Microsoft/go-winio/tools/mkwinsyscall -output zsyscall_windows.go ./*.go