Date: Sun, 26 Sep 2021 12:26:43 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 258729] linprocfs regression: /compat/linux/proc/*/cwd wrongly points to calling process's cwd for all PIDs
Message-ID: <bug-258729-227-fxNcgZizMO@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-258729-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-258729-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258729

Damjan Jovanovic <damjan.jov@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kib@FreeBSD.org,
                   |                            |mjg@FreeBSD.org

--- Comment #1 from Damjan Jovanovic <damjan.jov@gmail.com> ---
This is the commit that caused the regression:

---snip---
commit 8d03b99b9dafe92896f405c79f846667637c0194
Author: Mateusz Guzik <mjg@FreeBSD.org>
Date:   Sun Mar 1 21:53:46 2020 +0000

    fd: move vnodes out of filedesc into a dedicated structure

    The new structure is copy-on-write. With the assumption that path lookups
    are significantly more frequent than chdirs and chrooting this is a win.

    This provides stable root and jail root vnodes without the need to
    reference them on lookup, which in turn means less work on globally shared
    structures.

    Note this also happens to fix a bug where jail vnode was never referenced,
    meaning subsequent access on lookup could run into use-after-free.

    Reviewed by:	kib
    Differential Revision:	https://reviews.freebsd.org/D23884
---snip---

It changed linprocfs_doproccwd() from returning the cwd of the passed "struct
proc" (p), to returning the cwd of the calling thread (td) instead:

---snip---
 static int
 linprocfs_doproccwd(PFS_FILL_ARGS)
 {
-	struct filedesc *fdp;
-	struct vnode *vp;
+	struct pwd *pwd;
 	char *fullpath = "unknown";
 	char *freepath = NULL;

-	fdp = p->p_fd;
-	FILEDESC_SLOCK(fdp);
-	vp = fdp->fd_cdir;
-	if (vp != NULL)
-		VREF(vp);
-	FILEDESC_SUNLOCK(fdp);
-	vn_fullpath(td, vp, &fullpath, &freepath);
-	if (vp != NULL)
-		vrele(vp);
+	pwd = pwd_hold(td);
+	vn_fullpath(td, pwd->pwd_cdir, &fullpath, &freepath);
 	sbuf_printf(sb, "%s", fullpath);
 	if (freepath)
 		free(freepath, M_TEMP);
+	pwd_drop(pwd);
 	return (0);
 }
---snip---

This patch fixes it (although it still needs proper locking and possibly
security checks):

---snip---
diff --git a/sys/compat/linprocfs/linprocfs.c b/sys/compat/linprocfs/linprocfs.c
index 79ffc4dfd5a..ee94268a4b6 100644
--- a/sys/compat/linprocfs/linprocfs.c
+++ b/sys/compat/linprocfs/linprocfs.c
@@ -1169,7 +1169,7 @@ linprocfs_doproccwd(PFS_FILL_ARGS)
 	char *fullpath = "unknown";
 	char *freepath = NULL;

-	pwd = pwd_hold(td);
+	pwd = pwd_hold_pwddesc(p->p_pd);
 	vn_fullpath(pwd->pwd_cdir, &fullpath, &freepath);
 	sbuf_printf(sb, "%s", fullpath);
 	if (freepath)
---snip---

Other functions may be similarly broken, eg. linprocfs_doprocroot() also looks
affected.

Adding author and reviewer to CC.

-- 
You are receiving this mail because:
You are the assignee for the bug.
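Review bot: the added line `+	pwd = pwd_hold_pwddesc(p->p_pd);` calls pwd_hold_pwddesc() on the target process's pwddesc without holding its lock, and pwd_hold_pwddesc() expects the caller to own that lock, so as written this hunk trades the wrong-process bug for an unlocked read of p->p_pd->pd_pwd; bracket the call with PWDDESC_XLOCK(p->p_pd) / PWDDESC_XUNLOCK(p->p_pd) (and take a reference on p->p_pd for the duration, since p is another process) before this is considered landable, which the comment's own "still needs proper locking" caveat already admits. The substitution itself is the right diagnosis: the removed `pwd_hold(td)` resolves the caller's cwd, while p is the process whose /proc entry is being read, which is exactly why every PID's cwd link showed the reader's directory. Since linprocfs_doprocroot() is named as likely affected, the same td-to-p audit should cover every PFS_FILL_ARGS handler that was converted from p->p_fd to pwd_hold(td) in the commit quoted above, so the fix lands once rather than per symptom.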