NetBSD Problem Report #44658

Date: Tue,  1 Mar 2011 15:36:32 +0000 (UTC)
From: Taylor R Campbell <>
Reply-To: Taylor R Campbell <>
Subject: spurious chroot escape warning
X-Send-Pr-Version: 3.95

>Number:         44658
>Category:       kern
>Synopsis:       spurious chroot escape warning
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dholland
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 01 15:40:00 +0000 2011
>Last-Modified:  Wed Aug 10 05:44:12 +0000 2011
>Originator:     Taylor R Campbell <>
>Release:        NetBSD 5.99.47
System: NetBSD oberon.local 5.99.47 NetBSD 5.99.47 (RIAMONODEBUG) #31: Mon Feb 28 05:14:15 UTC 2011 riastradh@smalltalk.local:/home/riastradh/netbsd/current/obj/sys/arch/i386/compile/RIAMONODEBUG i386
Architecture: i386
Machine: i386

	I have been observing chroot escape warnings under the
	following circumstances:

		Process A is chrooted in /chroot0, and has a cwd of

		Process B is chrooted in /chroot/chroot1, and rmdirs
		/chroot0/chroot1/a/b and /chroot0/chroot1/a.

		When process A chdirs to .., the kernel warns that it
		has escaped its chroot.

	I believe the nested chroot and the pair of processes is a red
	herring, and that it is sufficient for process A to have a
	chroot of /chroot and a cwd of /chroot/a/b and to rmdir
	/chroot/a/b and chdir to .., but I haven't correctly tested
	this hypothesis.  The last time I tried, NetBSD helpfully
	alerted me to PR kern/44657.  Fortunately, bulk builds are
	reasonably happy to pick up approximately where they left off.




	I believe the problem is that lookup_once in vfs_lookup.c calls
	vn_isunder to decide whether to warn, and vn_isunder correctly
	ascertains that the process's cwd is not under the process's
	root, because it is not, in fact, under *any* root, having been
	deleted.  So if lookup_once suppressed the warning if the
	directory has a link count under 2, or, more expensively (and
	probably unnecessarily), checked vn_isunder(dp, rootvnode), I
	think the spurious warning would go away.
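The state the report describes, observed from userspace, as an added example that is not part of the PR or of NetBSD's code: a process removes its own working directory, then records the directory's link count and whether `..` still resolves. It uses no chroot and needs no privileges; the scratch path under /tmp and all names are assumptions, and the results vary by kernel and file system.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct orphan_obs {
    int  path_errno;   /* errno from stat() of the removed path, 0 if it still exists */
    long nlink;        /* st_nlink of the orphaned cwd, -1 if "." no longer resolves */
    int  getcwd_errno; /* 0 if getcwd() still produced a path */
    int  dotdot_errno; /* 0 if chdir("..") succeeded */
};

/* Returns 0 and fills *o, or -1 if the scratch tree could not be set up. */
int observe_orphaned_cwd(struct orphan_obs *o)
{
    char base[] = "/tmp/pr44658-XXXXXX";  /* constructed scratch name */
    char a[PATH_MAX], b[PATH_MAX], buf[PATH_MAX];
    struct stat st;
    int home = open(".", O_RDONLY);       /* lets us restore the caller's cwd */

    if (home < 0 || mkdtemp(base) == NULL) return -1;
    snprintf(a, sizeof a, "%s/a", base);
    snprintf(b, sizeof b, "%s/a/b", base);
    if (mkdir(a, 0700) || mkdir(b, 0700) || chdir(b) || rmdir(b)) return -1;

    o->path_errno   = stat(b, &st) ? errno : 0;      /* the name is gone */
    o->nlink        = stat(".", &st) ? -1 : (long)st.st_nlink;
    o->getcwd_errno = getcwd(buf, sizeof buf) ? 0 : errno;
    o->dotdot_errno = chdir("..") ? errno : 0;       /* the lookup in question */

    if (fchdir(home)) return -1;                     /* leave the orphan */
    close(home);
    rmdir(a); rmdir(base);                           /* remove scratch tree */
    return 0;
}

int main(void)
{
    struct orphan_obs o;
    if (observe_orphaned_cwd(&o)) { perror("setup"); return 1; }
    printf("stat(old path): %s\nst_nlink of cwd: %ld\n", strerror(o.path_errno), o.nlink);
    printf("getcwd errno: %d\nchdir(\"..\") errno: %d\n", o.getcwd_errno, o.dotdot_errno);
    return 0;
}
```

A link count below 2 on the orphaned directory is the cheap test the report proposes for suppressing the warning.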



Responsible-Changed-From-To: kern-bug-people->dholland
Responsible-Changed-When: Tue, 01 Mar 2011 17:36:06 +0000
mine (and interacts heavily with patches in the queue)

From: "David A. Holland" <>
Subject: PR/44658 CVS commit: src/sys/kern
Date: Tue, 9 Aug 2011 23:46:06 +0000

 Module Name:	src
 Committed By:	dholland
 Date:		Tue Aug  9 23:46:05 UTC 2011

 Modified Files:
 	src/sys/kern: vfs_lookup.c

 Log Message:
 Fail namei immediately if searchdir is unlinked / has been rmdir'd.
 Do this by checking if v_size == 0. Should fix PR 44658 (and PR 32661).

 To generate a diff of this commit:
 cvs rdiff -u -r1.186 -r1.187 src/sys/kern/vfs_lookup.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-When: Wed, 10 Aug 2011 00:09:39 +0000
Should be fixed, please give it a try.

State-Changed-From-To: feedback->open
State-Changed-When: Wed, 10 Aug 2011 05:44:12 +0000
Fix broke nullfs.

