bugfix: wrapped the ngx_cloexec in NGX_HAVE_FD_CLOEXEC preprocessor

patches/nginx-1.13.6-socket_cloexec.patch

@@ -1,8 +1,8 @@
 diff --git a/auto/unix b/auto/unix
-index 10835f6c..d5d5de6a 100644
+index 10835f6c..b5b33bb3 100644
 --- a/auto/unix
 +++ b/auto/unix
-@@ -990,3 +990,16 @@ ngx_feature_test='struct addrinfo *res;
+@@ -990,3 +990,27 @@ ngx_feature_test='struct addrinfo *res;
                    if (getaddrinfo("localhost", NULL, NULL, &res) != 0) return 1;
                    freeaddrinfo(res)'
  . auto/feature
@@ -11,19 +11,30 @@ index 10835f6c..d5d5de6a 100644
 +ngx_feature_name="NGX_HAVE_SOCKET_CLOEXEC"
 +ngx_feature_run=no
 +ngx_feature_incs="#include <sys/types.h>
++                  #include <sys/socket.h>"
++ngx_feature_path=
++ngx_feature_libs=
++ngx_feature_test="int fd;
++                  fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);"
++. auto/feature
++
++ngx_feature="FD_CLOEXEC support"
++ngx_feature_name="NGX_HAVE_FD_CLOEXEC"
++ngx_feature_run=no
++ngx_feature_incs="#include <sys/types.h>
 +                  #include <sys/socket.h>
 +                  #include <fcntl.h>"
 +ngx_feature_path=
 +ngx_feature_libs=
 +ngx_feature_test="int fd;
-+                  fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
++                  fd = socket(AF_INET, SOCK_STREAM, 0);
 +                  fcntl(fd, F_SETFD, FD_CLOEXEC);"
 +. auto/feature
 diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c
-index 9a747589..56a8a955 100644
+index 9a747589..252c05cf 100644
 --- a/src/core/ngx_connection.c
 +++ b/src/core/ngx_connection.c
-@@ -450,7 +450,18 @@ ngx_open_listening_sockets(ngx_cycle_t *cycle)
+@@ -450,8 +450,23 @@ ngx_open_listening_sockets(ngx_cycle_t *cycle)
                  continue;
              }
  
@@ -33,48 +44,57 @@ index 9a747589..56a8a955 100644
 +
 +#else
              s = ngx_socket(ls[i].sockaddr->sa_family, ls[i].type, 0);
+ 
++#if (NGX_HAVE_FD_CLOEXEC)
 +            if (ngx_cloexec(s) == -1) {
 +                ngx_log_error(NGX_LOG_EMERG, log, ngx_socket_errno,
 +                              ngx_cloexec_n " %V failed", &ls[i].addr_text);
 +                return NGX_ERROR;
 +            }
 +#endif
- 
++
++#endif
++
              if (s == (ngx_socket_t) -1) {
                  ngx_log_error(NGX_LOG_EMERG, log, ngx_socket_errno,
+                               ngx_socket_n " %V failed", &ls[i].addr_text);
 diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
-index 77563709..0c542e90 100644
+index 77563709..5827b9d0 100644
 --- a/src/event/ngx_event_accept.c
 +++ b/src/event/ngx_event_accept.c
-@@ -62,7 +62,8 @@ ngx_event_accept(ngx_event_t *ev)
+@@ -62,7 +62,9 @@ ngx_event_accept(ngx_event_t *ev)
  
  #if (NGX_HAVE_ACCEPT4)
          if (use_accept4) {
 -            s = accept4(lc->fd, &sa.sockaddr, &socklen, SOCK_NONBLOCK);
 +            s = accept4(lc->fd, &sa.sockaddr, &socklen,
 +                        SOCK_NONBLOCK | SOCK_CLOEXEC);
++
          } else {
              s = accept(lc->fd, &sa.sockaddr, &socklen);
          }
-@@ -202,6 +203,13 @@ ngx_event_accept(ngx_event_t *ev)
+@@ -202,6 +204,16 @@ ngx_event_accept(ngx_event_t *ev)
                      ngx_close_accepted_connection(c);
                      return;
                  }
 +
++#if (NGX_HAVE_FD_CLOEXEC)
 +                if (ngx_cloexec(s) == -1) {
 +                    ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno,
 +                                  ngx_cloexec_n " failed");
 +                    ngx_close_accepted_connection(c);
 +                    return;
 +                }
++#endif
++
              }
          }
  
 diff --git a/src/event/ngx_event_connect.c b/src/event/ngx_event_connect.c
-index c5bb8068..b4920655 100644
+index c5bb8068..484fb0bb 100644
 --- a/src/event/ngx_event_connect.c
 +++ b/src/event/ngx_event_connect.c
-@@ -38,7 +38,18 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
+@@ -38,8 +38,23 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
  
      type = (pc->type ? pc->type : SOCK_STREAM);
  
@@ -83,6 +103,8 @@ index c5bb8068..b4920655 100644
 +
 +#else
      s = ngx_socket(pc->sockaddr->sa_family, type, 0);
+ 
++#if (NGX_HAVE_FD_CLOEXEC)
 +    if (ngx_cloexec(s) == -1) {
 +        ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno,
 +                      ngx_cloexec_n " failed");
@@ -90,38 +112,31 @@ index c5bb8068..b4920655 100644
 +    }
 +#endif
 +
- 
++#endif
++
++
      ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d",
                     (type == SOCK_STREAM) ? "stream" : "dgram", s);
+ 
 diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h
-index fcc51533..74f90cc6 100644
+index fcc51533..d1eebf47 100644
 --- a/src/os/unix/ngx_socket.h
 +++ b/src/os/unix/ngx_socket.h
-@@ -38,6 +38,11 @@ int ngx_blocking(ngx_socket_t s);
+@@ -38,6 +38,17 @@ int ngx_blocking(ngx_socket_t s);
  
  #endif
  
++#if (NGX_HAVE_FD_CLOEXEC)
++
 +#define ngx_cloexec(s)      fcntl(s, F_SETFD, FD_CLOEXEC)
 +#define ngx_cloexec_n       "fcntl(FD_CLOEXEC)"
 +
++/* at least FD_CLOEXEC is required to ensure connection fd is closed
++ * after execve */
 +#define HAVE_SOCKET_CLOEXEC_PATCH  1
++
++#endif
 +
  int ngx_tcp_nopush(ngx_socket_t s);
  int ngx_tcp_push(ngx_socket_t s);
  
-diff --git a/src/os/win32/ngx_socket.h b/src/os/win32/ngx_socket.h
-index a9e26c29..10e1d82d 100644
---- a/src/os/win32/ngx_socket.h
-+++ b/src/os/win32/ngx_socket.h
-@@ -31,6 +31,11 @@ int ngx_blocking(ngx_socket_t s);
- #define ngx_nonblocking_n   "ioctlsocket(FIONBIO)"
- #define ngx_blocking_n      "ioctlsocket(!FIONBIO)"
- 
-+#define ngx_cloexec(s)      1
-+#define ngx_cloexec_n       ""
-+
-+#define HAVE_SOCKET_CLOEXEC_PATCH  1
-+
- #define ngx_shutdown_socket    shutdown
- #define ngx_shutdown_socket_n  "shutdown()"
-