From e39c08e0efab59507414281f2f1d4c5eea204a4f Mon Sep 17 00:00:00 2001
From: Thomas Parrott
Date: Mon, 13 Jan 2025 09:09:00 +0000
Subject: [PATCH 1/2] lxd/devlxd: Adds concurrent safe GetConnUcred function

Signed-off-by: Thomas Parrott
---
 lxd/devlxd.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lxd/devlxd.go b/lxd/devlxd.go
index 69e2a44e2f67..ccb4dac69ef2 100644
--- a/lxd/devlxd.go
+++ b/lxd/devlxd.go
@@ -439,6 +439,14 @@ func (m *ConnPidMapper) ConnStateHandler(conn net.Conn, state http.ConnState) {
 }
 }
 
+// GetConnUcred returns a previously stored ucred associated to a connection.
+// Returns nil if no ucred found for the connection.
+func (m *ConnPidMapper) GetConnUcred(conn *net.UnixConn) *unix.Ucred {
+ m.mLock.Lock()
+ defer m.mLock.Unlock()
+ return pidMapper.m[conn]
+}
+
 var errPIDNotInContainer = errors.New("Process ID not found in container")
 
 func findContainerForPid(pid int32, s *state.State) (instance.Container, error) {

From 7323980138fb0f6ed4eb0dd325c329ce25329b99 Mon Sep 17 00:00:00 2001
From: Thomas Parrott
Date: Mon, 13 Jan 2025 09:09:15 +0000
Subject: [PATCH 2/2] lxd/devlxd: Use concurrent safe pidMapper.GetConnUcred in hoistReq

Fixes #14706

Signed-off-by: Thomas Parrott
---
 lxd/devlxd.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lxd/devlxd.go b/lxd/devlxd.go
index ccb4dac69ef2..ac57f7060112 100644
--- a/lxd/devlxd.go
+++ b/lxd/devlxd.go
@@ -308,8 +308,9 @@ func hoistReq(f func(*Daemon, instance.Instance, http.ResponseWriter, *http.Requ
 request.SetCtxValue(r, request.CtxProtocol, auth.AuthenticationMethodDevLXD)
 conn := ucred.GetConnFromContext(r.Context())
- cred, ok := pidMapper.m[conn.(*net.UnixConn)]
- if !ok {
+
+ cred := pidMapper.GetConnUcred(conn.(*net.UnixConn))
+ if cred == nil {
 http.Error(w, errPIDNotInContainer.Error(), http.StatusInternalServerError)
 return
 }
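Review bot: `GetConnUcred` locks the receiver's `m.mLock` but then reads the package-level `pidMapper.m[conn]` rather than `m.m[conn]`, so the lock and the map it guards only line up while `m` happens to be the global `pidMapper`. Called on any other `ConnPidMapper`, the method would return credentials from a different instance's map and read that map without holding its lock, which matters because this mapping ties a devlxd connection to the caller's peer credentials. The return should be `return m.m[conn]`. The doc comment could also state that the returned `*unix.Ucred` is the stored pointer rather than a copy, so callers should treat it as read-only.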
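Review bot: The type assertion `conn.(*net.UnixConn)` on the new lookup line is still unchecked, so a nil or non-Unix connection in the request context would panic before the `cred == nil` check can fail the request cleanly. This lookup appears to decide which instance the request is attributed to, so the comma-ok form is worth having here: `unixConn, ok := conn.(*net.UnixConn)`, the same `http.Error(...)` and `return` when `!ok`, then `pidMapper.GetConnUcred(unixConn)`. Whether `ucred.GetConnFromContext` can actually return such a value is not visible in this hunk, so treat this as hardening rather than a confirmed fault. The closure inside hoistReq starts and ends outside the hunk.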