fix(port): plug mp-pool retain and fd/buffer leaks in IPC reply paths

[andypost]

Summary

Fixes latent leaks in the cert/script/socket/access-log IPC reply paths, all reachable when nxt_port_msg_alloc() (or the RPC stream-id pool) hits malloc failure inside the port machinery. Pre-existing in upstream Unit; identified during review of #6.

The fix is intentionally narrow — no new helper, no protocol changes — so it's a clean candidate to forward to freeunitorg/freeunit after review here.

Leak A — sender side: unbalanced nxt_mp_retain

nxt_cert_store_get / nxt_script_store_get issued nxt_mp_retain(mp) before nxt_port_socket_write. Failure paths between the retain and a successful send (stream alloc failure, socket_write failure) left mp->retain permanently incremented. The buffer's completion handler — the only thing that calls nxt_mp_release — never runs in those paths. Since nxt_mp_destroy gates on if (mp->retain == 0) (src/nxt_mp.c:302), the entire pool stays resident.

Concrete impact: mp is the router_temp_conf mem pool — owns the entire pending config (sockets, bundles, routes, app refs). One unbalanced retain pins the whole config until process exit.

Fix: move nxt_mp_retain to after successful socket_write, matching the existing correct pattern in nxt_router_access_log_reopen (src/nxt_router_access_log.c:579). Buffer completion is dispatched via nxt_work_queue_add and runs only after the current handler returns, so retaining synchronously after the send is race-free.

Leak B — receiver side: fd not closed when send fails

nxt_cert_store_get_handler, nxt_script_store_get_handler, nxt_main_port_socket_handler, and nxt_main_port_access_log_handler all reply to RPC requests with NXT_PORT_MSG_CLOSE_FD. Inside the port layer the fd is closed by nxt_port_msg_close_fd() at three sites (nxt_port_socket.c:455, :519, :1361). The hole: when nxt_port_msg_alloc inside nxt_port_msg_chk_insert returns NXT_ERROR, the message never enters port->messages and nxt_port_error_handler never sees it. The (void) cast on the call meant the handler couldn't react even if the return signaled failure.

Concrete impact: a leaked file descriptor in the privileged main process, one per failure. Cert PEM, script blob, listening socket, or access-log file — visible in /proc/$PID/fd, accumulates over reload churn, eventually hits RLIMIT_NOFILE. The socket-listen reply additionally leaked a small diagnostic buffer from the engine mem_pool.

Fix: capture the nxt_port_socket_write return value; on != NXT_OK close the fd explicitly using the appropriate closer (nxt_socket_close for the listening socket, nxt_file_close for the access-log file, nxt_fd_close for the cert/script handlers — see comment-thread on nxt_file_close's %FN UAF risk after nxt_free(file.name)). Run out->completion_handler(...) on the diagnostic buffer in the socket-listen path.

Files changed

File	Change
src/nxt_cert.c	move retain after socket_write; close fd on receiver send failure
src/nxt_script.c	move retain after socket_write; close fd on receiver send failure
src/nxt_main_process.c	close listening socket + reclaim diagnostic buffer in nxt_main_port_socket_handler; close access-log file in nxt_main_port_access_log_handler
CHANGES	bugfix note

+84 / −10 across 4 files. No protocol or config-surface changes.

Test plan

• Configure clean (./configure --openssl && ./configure python)
• Full build clean
• pytest test/test_tls.py test/test_tls_sni.py — 29 passed (TLS reload paths exercise cert_store_get sender side)
• pytest test/test_configuration.py test/test_access_log.py test/test_tls.py — 63 passed; 2 pre-existing IPv6 environment failures ([::1]:8082 — Address family not supported by protocol), confirmed unrelated by re-running on stock master via git stash.

A deterministic test for the leak paths themselves would need malloc-failure injection (LD_PRELOAD shim or AddressSanitizer with allocator hooks) — deferred. The triggers are rare in practice; the fix is small enough to review on inspection.

Upstream

Both leak shapes live in upstream code (freeunitorg/freeunit); after merging here the same diff should be forwarded upstream. PR #6 (OCSP stapling) inherits the same shapes for its OCSP twin functions and has been rebased onto this pattern in commit 52c9b54.

---

Generated by Claude Code

[gemini-code-assist]

Code Review

This pull request addresses memory pool and file descriptor leaks in the IPC and reply paths by deferring memory retention and ensuring resources are closed if port writing fails. The review feedback identifies several critical issues: missing initialization of b->data which would lead to crashes in completion handlers, potential buffer leaks when socket writes fail, and inconsistent use of file closing APIs where nxt_file_close should be preferred over nxt_fd_close.

[andypost]

During the pedantic audit of PR #7 (P1 graceful-shutdown plumbing) I caught two leak findings — one is the same pattern your gemini-review thread on src/nxt_main_process.c:1184 already flagged, and one is unrelated upstream baggage. Recording them here so neither is lost between PRs.

1. Buffer-leak pattern extends to three additional sites (same shape as gemini's review comment)

The gemini review thread on nxt_main_process.c:1184 correctly flags that when nxt_port_socket_write(... b) returns non-OK, the engine-mem_pool-backed buffer is never released by anyone — it leaks until process exit because no completion handler ever runs.

The same pattern is now in three new sites introduced by PR #7:

• src/nxt_runtime.c:511 — nxt_runtime_stop_app_processes() cascade
• src/nxt_runtime.c:533 — nxt_runtime_stop_all_processes() cascade
• src/nxt_application.c:716 — nxt_proto_quit_children() cascade

All three call (void) nxt_port_socket_write(... NXT_PORT_MSG_QUIT, ..., b) where b is a 1-byte buffer allocated from task->thread->engine->mem_pool via nxt_runtime_quit_buf(). The (void) cast discards the failure indicator, so the same leak shape applies — though the blast radius is small (≤1 byte per failed send, only on the QUIT cascade during shutdown, mem_pool is destroyed at process exit).

When PR #8 generalises the "free-on-send-failure" pattern (or once the gemini suggestion lands as committed code), it would be cleanest to do the same audit across git grep "(void) nxt_port_socket_write" so all in-tree sites get the same treatment, including these three. Worth a follow-up rather than scope creep into PR #8.

If you want to handle it directly in PR #8, the simplest shape that matches your existing fix:

b = nxt_runtime_quit_buf(task, rt->quit_mode);

if (nxt_port_socket_write(task, port, NXT_PORT_MSG_QUIT, -1, 0, 0, b) != NXT_OK
    && b != NULL)
{
    b->completion_handler(task, b, b->parent);
}

(Mirrors the gemini suggestion on nxt_main_process.c:1184. The b != NULL guard is required because nxt_runtime_quit_buf returns NULL on the NORMAL fast-exit path by design — no allocation, nothing to release.)

Not blocking PR #7; happy to do a follow-up either here or on a separate port-quit-cascade-leaks branch once PR #8 lands and establishes the pattern.

2. Pre-existing 136-byte LeakSanitizer finding in nxt_var_index_init

While running PR #7's tests under ASan I caught this leak, which reproduces on plain origin/master with no PR #7 or PR #8 changes — different subsystem, different cause:

==13218==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 136 byte(s) in 1 object(s) allocated from:
    #1 nxt_memalign           src/nxt_malloc.c:134
    #2 nxt_var_index_init     src/nxt_var.c:296
    #3 nxt_runtime_create     src/nxt_runtime.c:134
    #4 main                   src/nxt_main.c:27

nxt_var_index_init allocates a hash structure during nxt_runtime_create and never frees it. Out of scope for this PR (different file, different subsystem) but worth filing as its own issue / branch — useful when the lifecycle work in PR #7 + later phases enables ASan-clean shutdown. I haven't checked whether this is a true leak (lifetime-of-process allocation) or a missing teardown, but it does fail LeakSanitizer: detect_leaks=1 on a clean run.

---

Let me know if you'd prefer the three QUIT-cascade sites folded into PR #8 or kept as a follow-up.

---

Generated by Claude Code

[andypost]

from #6 and #7 fix.md

[andypost]

/gemini review

[gemini-code-assist]

Code Review

This pull request addresses memory pool retention leaks and file descriptor leaks within the certificate, script, and configuration store IPC paths. The fixes involve delaying memory pool retention until after successful hand-off to the port machinery and implementing explicit cleanup for file descriptors and buffers when port write operations fail. Review feedback suggests simplifying a conditional check in nxt_main_port_socket_handler by removing a redundant flag check, as the file descriptor's validity already implies the necessary state in that context.

[andypost]

/gemini review

[gemini-code-assist]

Code Review

This pull request fixes memory pool leaks and file descriptor/buffer leaks in the certificate, script, and access-log IPC paths. The changes ensure that memory pools are only retained after successful handoff to the port machinery and that file descriptors and buffers are explicitly closed or reclaimed if nxt_port_socket_write fails. I have no feedback to provide as the review comments were purely explanatory and did not identify any additional issues.

[andypost]

promoted upstream freeunitorg#56

[andypost]

Caught during the pedantic audit of PR #12 (P3 write-path Pattern D′ — sibling fix family to PR #8). Same subsystem (src/nxt_port_socket.c), same "port IPC accounting" theme, so flagging here rather than opening a separate issue.

Finding: nxt_port_queue_read_handler leaks queue->nitems on two suspend-message error paths

nxt_port_queue_read_handler (src/nxt_port_socket.c:812) maintains the queue->nitems counter as a reader-semaphore: it does nxt_atomic_fetch_add(&queue->nitems, 1) at function entry (:830), and the function relies on exactly one matching -1 on every return path.

The matched paths are:

• :885 — if (n < 0 && !port->socket.read_ready) early return ✅
• (P3 PR fix(io): generalize PR #54 write-path contract to non-TLS sites (P3) #12) :922 — b == NULL OOM teardown ✅

The two unbalanced exits are inside the if (n > 0) suspend-message block:

// :962 — suspend-message smsg alloc failure
smsg = nxt_mp_alloc(port->mem_pool, sizeof(nxt_port_recv_msg_t));
if (nxt_slow_path(smsg == NULL)) {
    nxt_alert(task, "port{%d,%d} %d: suspend message failed", ...);
    return;          // <-- nitems leak: never decremented
}

// :974 — "too many suspend messages"
} else {
    if (nxt_slow_path(smsg->size != 0)) {
        nxt_alert(task, "port{%d,%d} %d: too many suspend messages", ...);
        return;      // <-- nitems leak: never decremented
    }
}

Impact

queue->nitems is consulted by nxt_port_queue_send to decide whether the receiver is awake (it backs the wake-up notify; see the notify parameter at :194 and the port->queue != NULL && type != _NXT_PORT_MSG_READ_QUEUE branch in nxt_port_socket_write2). A leaked +1 means future senders see the receiver as "always still busy" and skip the wake-up notify for as long as the leaked count persists.

Triggers are rare in practice — nxt_mp_alloc failure on the port mem_pool, or a port->socket_msg already populated with a nonzero size when we try to suspend a new one. But when triggered, a single occurrence permanently degrades the wake-up signaling for that port, manifesting as occasional dropped/delayed messages that look like upstream timing flakes.

Suggested fix shape

Same shape as :885 and :922:

if (nxt_slow_path(smsg == NULL)) {
    nxt_alert(...);
    nxt_atomic_fetch_add(&queue->nitems, -1);
    return;
}
...
if (nxt_slow_path(smsg->size != 0)) {
    nxt_alert(...);
    nxt_atomic_fetch_add(&queue->nitems, -1);
    return;
}

Scope question

Pre-existing in upstream — predates PR #8 and PR #12 by years. Two options:

1. Fold into PR fix(port): plug mp-pool retain and fd/buffer leaks in IPC reply paths #8 — same subsystem, same accounting class, same fix shape. Adds ~4 lines.
2. Separate follow-up PR — keeps PR fix(port): plug mp-pool retain and fd/buffer leaks in IPC reply paths #8 narrowly focused on the cert/script/conf-store IPC, lets this land independently with its own deterministic regression discussion.

I lean (1) since it's literally the same accounting pattern PR #8 establishes and your branch already owns this file. Happy to push the diff if you prefer.

---

Generated by Claude Code