From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 258729] linprocfs regression: /compat/linux/proc/*/cwd wrongly points to calling process's cwd for all PIDs
Date: Sun, 26 Sep 2021 12:26:43 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Keywords: regression
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258729

Damjan Jovanovic changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kib@FreeBSD.org,
                   |                            |mjg@FreeBSD.org

--- Comment #1 from Damjan Jovanovic ---
This is the commit that caused the regression:

---snip---
commit 8d03b99b9dafe92896f405c79f846667637c0194
Author: Mateusz Guzik
Date:   Sun Mar 1 21:53:46 2020 +0000

    fd: move vnodes out of filedesc into a dedicated structure

    The new structure is copy-on-write. With the assumption that path lookups
    are significantly more frequent than chdirs and chrooting this is a win.

    This provides stable root and jail root vnodes without the need to
    reference them on lookup, which in turn means less work on globally shared
    structures.
    Note this also happens to fix a bug where jail vnode was never referenced,
    meaning subsequent access on lookup could run into use-after-free.

    Reviewed by: kib
    Differential Revision: https://reviews.freebsd.org/D23884
---snip---

It changed linprocfs_doproccwd() from returning the cwd of the passed "struct
proc" (p), to returning the cwd of the calling thread (td) instead:

---snip---
static int linprocfs_doproccwd(PFS_FILL_ARGS) { - struct filedesc *fdp; - struct vnode *vp; + struct pwd *pwd; char *fullpath =3D "unknown"; char *freepath =3D NULL; - fdp =3D p->p_fd; - FILEDESC_SLOCK(fdp); - vp =3D fdp->fd_cdir; - if (vp !=3D NULL) - VREF(vp); - FILEDESC_SUNLOCK(fdp); - vn_fullpath(td, vp, &fullpath, &freepath); - if (vp !=3D NULL) - vrele(vp); + pwd =3D pwd_hold(td); + vn_fullpath(td, pwd->pwd_cdir, &fullpath, &freepath); sbuf_printf(sb, "%s", fullpath); if (freepath) free(freepath, M_TEMP); + pwd_drop(pwd); return (0); }
---snip---

This patch fixes it (although it still needs proper locking and possibly
security checks):

---snip---
diff --git a/sys/compat/linprocfs/linprocfs.c b/sys/compat/linprocfs/linprocfs.c index 79ffc4dfd5a..ee94268a4b6 100644 --- a/sys/compat/linprocfs/linprocfs.c +++ b/sys/compat/linprocfs/linprocfs.c @@ -1169,7 +1169,7 @@ linprocfs_doproccwd(PFS_FILL_ARGS) char *fullpath =3D "unknown"; char *freepath =3D NULL; - pwd =3D pwd_hold(td); + pwd =3D pwd_hold_pwddesc(p->p_pd); vn_fullpath(pwd->pwd_cdir, &fullpath, &freepath); sbuf_printf(sb, "%s", fullpath); if (freepath)
---snip---

Other functions may be similarly broken, eg. linprocfs_doprocroot() also looks
affected.

Adding author and reviewer to CC.
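
Review bot: In the linprocfs_doproccwd() excerpt from commit 8d03b99b9dafe92896f405c79f846667637c0194, the added line `pwd = pwd_hold(td);` takes the calling thread, so `p` is no longer used anywhere in the function and every PID's cwd entry resolves to the reader's own directory; the removed lines read `p->p_fd` under FILEDESC_SLOCK. The pwd should be taken from the target process `p`, keeping the hold paired with `pwd_drop(pwd)` as it is here.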
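
Review bot: At the `+ pwd = pwd_hold_pwddesc(p->p_pd);` line of the linprocfs.c fix, nothing in the hunk locks the target's pwddesc around the hold or checks the returned pointer before `pwd->pwd_cdir` is dereferenced, whereas the pre-regression code shown earlier bracketed its read with FILEDESC_SLOCK/FILEDESC_SUNLOCK and tested `vp != NULL`. Take the appropriate lock on `p->p_pd` around the hold, leave fullpath as "unknown" if no pwd is returned, and, since the path now describes another process, confirm the caller is allowed to see `p` before filling the buffer.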
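
A regression check for the behaviour described in this report, as an added example that is not part of the original message or of FreeBSD's own tests: it starts a child in a fresh directory and compares the cwd link that a procfs root reports for that PID with the child's real directory. The function names and return codes are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): regression check for per-PID cwd
# links under a procfs root. Names and return codes are this example's own.

# Print the target of PROCROOT/PID/cwd; non-zero status if it cannot be read.
cwd_of() {
    readlink "$1/$2/cwd" 2>/dev/null
}

# cwd_link_ok PROCROOT PID EXPECTED
# 0 = link equals EXPECTED, 1 = link differs, 2 = link unreadable
cwd_link_ok() {
    target=$(cwd_of "$1" "$2") || return 2
    [ "$target" = "$3" ]
}

# check_cwd_regression PROCROOT
# Starts a child in a fresh directory and checks what PROCROOT reports for it.
# 0 = the child's own cwd, 3 = the caller's cwd (the symptom in this bug),
# 1 = some other path, 2 = link unreadable or setup failed
check_cwd_regression() {
    procroot=$1
    dir=$(mktemp -d "${TMPDIR:-/tmp}/cwdcheck.XXXXXX") || return 2
    dir=$(cd "$dir" && pwd -P)          # resolve symlinks in the temp path
    ( cd "$dir" && exec sleep 30 ) &    # exec keeps $! equal to the sleep PID
    child=$!
    sleep 1                             # give the child time to chdir
    rc=0
    cwd_link_ok "$procroot" "$child" "$dir" || rc=$?
    if [ "$rc" -eq 1 ] && cwd_link_ok "$procroot" "$child" "$(pwd -P)"; then
        rc=3                            # child is reported with OUR directory
    fi
    kill "$child" 2>/dev/null || true
    wait "$child" 2>/dev/null || true
    rmdir "$dir" || true
    return "$rc"
}

# Usage on the system from the report: check_cwd_regression /compat/linux/proc
```

A return of 3 means the child was reported with the checker's own directory, which is the symptom in the bug title; 0 means the link followed the target process.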