Harden /proc/self oom and fdinfo nodes

procfs emulation now treats the OOM trio (oom_score_adj, legacy oom_adj,
read-only oom_score) as one process-wide adjustment with per-path read
and write semantics: legacy oom_adj scales to oom_score_adj on writes
(special-casing OOM_DISABLE -> SCORE_ADJ_MIN and OOM_ADJUST_MAX ->
SCORE_ADJ_MAX so the boundary intent survives the lossy multiply) and
back-clamps to [-17, 15] on reads; oom_score is read-only with a stub
zero. The OOM write path serializes the truncate+pwrite+lseek under a
new oom_write_lock and publishes the global atomic only after the
backing rewrite succeeds, so a partial-rewrite failure no longer leaves
the process-wide value diverged from a returned -1. Zero-length writes
short-circuit to success (matches Linux for proc nodes; sys_writev
previously hit -EINVAL in the parser). Stat reports st_size 0 for every
synthetic /proc file so callers that pre-size buffers from stat cannot
truncate (a 256-byte cap had silently chopped /proc/cpuinfo on hosts
with many CPUs; a 2-byte cap had reduced -1000 to -1 on oom_score_adj).

A new read-intercept path mirrors the write side. proc_intercept_read
and proc_intercept_readv let read/pread/readv/preadv on the OOM nodes
return the live atomic value rather than the per-open temp file
content, and sendfile/copy_file_range route through the same hook so
proc-source byte counts stay consistent with the value an immediately
following open would observe.

/proc/self/fdinfo gains type-specific lines for the special fd classes
elfuse implements: eventfd-count (16-char hex matching fs/eventfd.c),
sigmask (16-char hex), and timerfd clockid/ticks/it_value/it_interval.
The accessors live in src/syscall/fd.c (eventfd_fdinfo_snapshot,
signalfd_fdinfo_snapshot, timerfd_fdinfo_snapshot) and read state under
sfd_lock to prevent tearing across concurrent read/write/settime. The
per-fd lseek probe now uses fd_to_host_dup so a concurrent close+reopen
on another vCPU cannot redirect the probe to an unrelated host fd, and
errno is saved/restored across the ESPIPE-prone lseek so
non-seekable fds (sockets, pipes) do not pollute the caller's state.

/proc/self/fdinfo and /proc/self/fd no longer share one static backing
directory across opens. The previous design let a second open unlink
and recreate entries while a sibling thread iterated its dirfd; both
nodes now go through proc_open_fd_scratch, which mkdtemps a private
directory per open, populates it from a fresh fd-table snapshot, and
tracks the path in proc_scratch_dirs[] for atexit cleanup so the
previously-leaked backing dirs are reaped at process exit.

The unix-net visitor's buffer-tail margin grew from 128 to 256 bytes
to fit the longest possible row (54 fixed + 108 sun_path + newline);
the previous margin let the snprintf truncate the path and drop the
trailing newline. Eight explicit /proc/<pid>/X cases collapsed into
one general alias-and-recurse, so /proc/<our_pid>/maps,
/oom_score_adj, /limits, etc. now route through the matching
/proc/self handler.

Locked in by tests/test-tier-b.c (35 cases including oom write
persistence, out-of-range -EINVAL, oom_adj=15 -> 1000 scaling,
oom_score read-only and write-rejected, zero-length writev,
stat-size-zero, fdinfo eventfd-count hex, fdinfo sigmask, fdinfo
timerfd next expiry for periodic timers, concurrent fdinfo
enumeration, and a /proc/net/tcp sl-density regression that opens
non-TCP sockets before TCP listeners so the iterator visits rejected
sockets first; the post-fix dense sl=0,1,... output matches qemu
Linux ground truth, and a manual bug reintroduction confirms the
test catches the sparse-slot regression with sl=4 expected=0).
tests/test-io-opt.c adds sendfile and copy_file_range coverage for
the read-intercept path.

Author: jserv

src/runtime/procemu.c

@@ -12,6 +12,7 @@
 
 #include <stddef.h>
 #include <sys/stat.h>
+#include <sys/uio.h>
 #include "core/guest.h"
 
 /* Sentinel return value: path was not intercepted, caller should fall through
@@ -53,6 +54,24 @@ int proc_intercept_write(int guest_fd,
                          int use_pwrite,
                          ssize_t *written_out);
 
+/* Intercept reads from synthetic proc files that must reflect shared state on
+ * every read rather than the per-open temp-file snapshot.
+ * Returns 1 if handled (with *read_out set), 0 if not intercepted, or -1 on
+ * error with errno set.
+ */
+int proc_intercept_read(int guest_fd,
+                        void *buf,
+                        size_t count,
+                        int64_t offset,
+                        ssize_t *read_out);
+
+/* Vector form of proc_intercept_read for readv/preadv. */
+int proc_intercept_readv(int guest_fd,
+                         const struct iovec *iov,
+                         int iovcnt,
+                         int64_t offset,
+                         ssize_t *read_out);
+
 /* Get the /dev/shm emulation directory path (creating it on first call).
  * Used by sys_unlinkat to rewrite /dev/shm/<name> paths.
  */

src/runtime/procemu.h

@@ -116,6 +116,33 @@ static int timerfd_alloc(void)
     return sfd_alloc_slot(timerfd_state, TIMERFD_MAX, sizeof(timerfd_state[0]));
 }
 
+/* Called with sfd_lock held. Returns nanoseconds until the next expiration,
+ * or 0 when the timer is disarmed or a one-shot timer has already expired.
+ */
+static int64_t timerfd_remaining_ns_locked(int slot, int64_t now_ns)
+{
+    if (!timerfd_state[slot].armed)
+        return 0;
+
+    int64_t elapsed = now_ns - timerfd_state[slot].arm_time_ns;
+    if (elapsed < 0)
+        elapsed = 0;
+
+    if (timerfd_state[slot].interval_ns > 0) {
+        int64_t total = timerfd_state[slot].initial_ns;
+        if (elapsed >= total) {
+            int64_t since_first = elapsed - total;
+            int64_t interval = timerfd_state[slot].interval_ns;
+            int64_t remaining = interval - (since_first % interval);
+            return remaining == 0 ? interval : remaining;
+        }
+        return total - elapsed;
+    }
+
+    int64_t remaining = timerfd_state[slot].initial_ns - elapsed;
+    return remaining > 0 ? remaining : 0;
+}
+
 int64_t sys_timerfd_create(int clockid, int flags)
 {
     if (clockid != LINUX_CLOCK_REALTIME && clockid != LINUX_CLOCK_MONOTONIC)
@@ -203,8 +230,7 @@ int64_t sys_timerfd_settime(guest_t *g,
             struct timespec now;
             clock_gettime(CLOCK_MONOTONIC, &now);
             int64_t now_ns = now.tv_sec * NS_PER_SEC + now.tv_nsec;
-            int64_t elapsed = now_ns - timerfd_state[slot].arm_time_ns;
-            int64_t remaining = timerfd_state[slot].initial_ns - elapsed;
+            int64_t remaining = timerfd_remaining_ns_locked(slot, now_ns);
             if (remaining > 0) {
                 old.it_value_sec = remaining / NS_PER_SEC;
                 old.it_value_nsec = remaining % NS_PER_SEC;
@@ -319,27 +345,10 @@ int64_t sys_timerfd_gettime(guest_t *g, int fd, uint64_t curr_value_gva)
         its.it_interval_sec = timerfd_state[slot].interval_ns / NS_PER_SEC;
         its.it_interval_nsec = timerfd_state[slot].interval_ns % NS_PER_SEC;
 
-        /* Compute actual remaining time from arm time + initial value */
         struct timespec now;
         clock_gettime(CLOCK_MONOTONIC, &now);
         int64_t now_ns = now.tv_sec * NS_PER_SEC + now.tv_nsec;
-        int64_t elapsed = now_ns - timerfd_state[slot].arm_time_ns;
-        int64_t remaining;
-
-        if (timerfd_state[slot].interval_ns > 0) {
-            /* Repeating timer: remaining = interval - (elapsed % interval) */
-            int64_t total = timerfd_state[slot].initial_ns;
-            if (elapsed >= total) {
-                int64_t since_first = elapsed - total;
-                remaining = timerfd_state[slot].interval_ns -
-                            (since_first % timerfd_state[slot].interval_ns);
-            } else {
-                remaining = total - elapsed;
-            }
-        } else {
-            /* One-shot: remaining = initial - elapsed */
-            remaining = timerfd_state[slot].initial_ns - elapsed;
-        }
+        int64_t remaining = timerfd_remaining_ns_locked(slot, now_ns);
 
         if (remaining <= 0) {
             /* Timer already expired (one-shot) */
@@ -1073,3 +1082,62 @@ void signalfd_notify(int signum)
     }
     pthread_mutex_unlock(&sfd_lock);
 }
+
+/* /proc/self/fdinfo type-specific snapshots. Each takes sfd_lock to prevent
+ * tearing across concurrent read/write/settime; lock order is fd_lock(3)
+ * -> sfd_lock(5a), and these accessors take only sfd_lock so the procemu
+ * caller is free to drop fd_lock between fd_snapshot and the lookup here.
+ */
+
+bool eventfd_fdinfo_snapshot(int guest_fd, uint64_t *count_out)
+{
+    pthread_mutex_lock(&sfd_lock);
+    int slot = eventfd_find(guest_fd);
+    if (slot < 0) {
+        pthread_mutex_unlock(&sfd_lock);
+        return false;
+    }
+    *count_out = eventfd_state[slot].counter;
+    pthread_mutex_unlock(&sfd_lock);
+    return true;
+}
+
+bool signalfd_fdinfo_snapshot(int guest_fd, uint64_t *mask_out)
+{
+    pthread_mutex_lock(&sfd_lock);
+    int slot = signalfd_find(guest_fd);
+    if (slot < 0) {
+        pthread_mutex_unlock(&sfd_lock);
+        return false;
+    }
+    *mask_out = signalfd_state[slot].mask;
+    pthread_mutex_unlock(&sfd_lock);
+    return true;
+}
+
+bool timerfd_fdinfo_snapshot(int guest_fd,
+                             int *clockid_out,
+                             uint64_t *ticks_out,
+                             int64_t *value_ns_out,
+                             int64_t *interval_ns_out)
+{
+    pthread_mutex_lock(&sfd_lock);
+    int slot = timerfd_find(guest_fd);
+    if (slot < 0) {
+        pthread_mutex_unlock(&sfd_lock);
+        return false;
+    }
+    *clockid_out = timerfd_state[slot].clockid;
+    *ticks_out = timerfd_state[slot].expirations;
+    *interval_ns_out = timerfd_state[slot].interval_ns;
+    int64_t value_ns = 0;
+    if (timerfd_state[slot].armed) {
+        struct timespec now;
+        clock_gettime(CLOCK_MONOTONIC, &now);
+        int64_t now_ns = (int64_t) now.tv_sec * NS_PER_SEC + now.tv_nsec;
+        value_ns = timerfd_remaining_ns_locked(slot, now_ns);
+    }
+    *value_ns_out = value_ns;
+    pthread_mutex_unlock(&sfd_lock);
+    return true;
+}

src/syscall/fd.c

@@ -66,3 +66,15 @@ int64_t timerfd_read(int guest_fd,
  * writes a byte to make poll/epoll see readability.
  */
 void signalfd_notify(int signum);
+
+/* Snapshot per-fd state for /proc/self/fdinfo. Each accessor returns true when
+ * the guest_fd refers to a live instance of that special-fd type. The values
+ * are read under sfd_lock so concurrent read/write/settime cannot tear them.
+ */
+bool eventfd_fdinfo_snapshot(int guest_fd, uint64_t *count_out);
+bool signalfd_fdinfo_snapshot(int guest_fd, uint64_t *mask_out);
+bool timerfd_fdinfo_snapshot(int guest_fd,
+                             int *clockid_out,
+                             uint64_t *ticks_out,
+                             int64_t *value_ns_out,
+                             int64_t *interval_ns_out);

src/syscall/fd.h

@@ -70,7 +70,8 @@ static const char *proc_stateful_file_path(const char *path)
         return NULL;
 
     if (!strcmp(path, "/proc/self/oom_score_adj") ||
-        !strcmp(path, "/proc/self/oom_adj")) {
+        !strcmp(path, "/proc/self/oom_adj") ||
+        !strcmp(path, "/proc/self/oom_score")) {
         return path;
     }
 
@@ -86,6 +87,8 @@ static const char *proc_stateful_file_path(const char *path)
         return "/proc/self/oom_score_adj";
     if (!strcmp(endp, "/oom_adj"))
         return "/proc/self/oom_adj";
+    if (!strcmp(endp, "/oom_score"))
+        return "/proc/self/oom_score";
 
     return NULL;
 }

src/syscall/fs.c

@@ -479,6 +479,68 @@ static int64_t host_fd_ref_open_regular_io(int guest_fd, host_fd_ref_t *ref)
     return host_fd_ref_open_io(guest_fd, ref);
 }
 
+static int64_t proc_try_read_intercept(int fd,
+                                       int host_fd,
+                                       void *buf,
+                                       size_t count,
+                                       int64_t offset,
+                                       int use_pread)
+{
+    ssize_t intercepted = 0;
+    int handled = proc_intercept_read(fd, buf, count, offset, &intercepted);
+    if (handled < 0)
+        return linux_errno();
+    if (handled > 0) {
+        if (!use_pread &&
+            lseek(host_fd, offset + (int64_t) intercepted, SEEK_SET) < 0)
+            return linux_errno();
+        return intercepted;
+    }
+    return INT64_MIN;
+}
+
+static int64_t proc_try_readv_intercept(int fd,
+                                        int host_fd,
+                                        const struct iovec *iov,
+                                        int iovcnt,
+                                        int64_t offset,
+                                        int use_pread)
+{
+    ssize_t intercepted = 0;
+    int handled = proc_intercept_readv(fd, iov, iovcnt, offset, &intercepted);
+    if (handled < 0)
+        return linux_errno();
+    if (handled > 0) {
+        if (!use_pread &&
+            lseek(host_fd, offset + (int64_t) intercepted, SEEK_SET) < 0)
+            return linux_errno();
+        return intercepted;
+    }
+    return INT64_MIN;
+}
+
+static int64_t proc_try_copy_read_intercept(int fd,
+                                            int host_fd,
+                                            void *buf,
+                                            size_t count,
+                                            int64_t *offset_io,
+                                            int use_pread)
+{
+    int64_t offset = *offset_io;
+
+    if (!use_pread) {
+        offset = lseek(host_fd, 0, SEEK_CUR);
+        if (offset < 0)
+            return INT64_MIN;
+    }
+
+    int64_t intercepted =
+        proc_try_read_intercept(fd, host_fd, buf, count, offset, use_pread);
+    if (intercepted == INT64_MIN)
+        return INT64_MIN;
+    return intercepted;
+}
+
 static int64_t proc_try_writev_intercept(int fd,
                                          int host_fd,
                                          const struct iovec *iov,
@@ -613,6 +675,16 @@ int64_t sys_read(guest_t *g, int fd, uint64_t buf_gva, uint64_t count)
     if (count > avail)
         count = avail;
 
+    off_t offset = lseek(host_ref.fd, 0, SEEK_CUR);
+    if (offset >= 0) {
+        int64_t intercepted =
+            proc_try_read_intercept(fd, host_ref.fd, buf, count, offset, 0);
+        if (intercepted != INT64_MIN) {
+            host_fd_ref_close(&host_ref);
+            return intercepted;
+        }
+    }
+
     ssize_t ret = read(host_ref.fd, buf, count);
     host_fd_ref_close(&host_ref);
     return ret < 0 ? linux_errno() : ret;
@@ -642,6 +714,13 @@ int64_t sys_pread64(guest_t *g,
     if (count > avail)
         count = avail;
 
+    int64_t intercepted =
+        proc_try_read_intercept(fd, host_ref.fd, buf, count, offset, 1);
+    if (intercepted != INT64_MIN) {
+        host_fd_ref_close(&host_ref);
+        return intercepted;
+    }
+
     ssize_t ret = pread(host_ref.fd, buf, count, offset);
     host_fd_ref_close(&host_ref);
     return ret < 0 ? linux_errno() : ret;
@@ -832,6 +911,17 @@ int64_t sys_readv(guest_t *g, int fd, uint64_t iov_gva, int iovcnt)
         return err;
     }
 
+    off_t offset = lseek(host_ref.fd, 0, SEEK_CUR);
+    if (offset >= 0) {
+        int64_t intercepted = proc_try_readv_intercept(
+            fd, host_ref.fd, host_iov.iov, iovcnt, offset, 0);
+        if (intercepted != INT64_MIN) {
+            host_iov_free(&host_iov);
+            host_fd_ref_close(&host_ref);
+            return intercepted;
+        }
+    }
+
     ssize_t ret = readv(host_ref.fd, host_iov.iov, iovcnt);
     int64_t result = ret < 0 ? linux_errno() : ret;
     host_iov_free(&host_iov);
@@ -919,6 +1009,14 @@ int64_t sys_preadv(guest_t *g,
         return err;
     }
 
+    int64_t intercepted = proc_try_readv_intercept(
+        fd, host_ref.fd, host_iov.iov, iovcnt, offset, 1);
+    if (intercepted != INT64_MIN) {
+        host_iov_free(&host_iov);
+        host_fd_ref_close(&host_ref);
+        return intercepted;
+    }
+
     ssize_t ret = preadv(host_ref.fd, host_iov.iov, iovcnt, offset);
     int64_t result = ret < 0 ? linux_errno() : ret;
     host_iov_free(&host_iov);
@@ -1354,9 +1452,20 @@ int64_t sys_sendfile(guest_t *g,
         size_t chunk = remaining > sizeof(buf) ? sizeof(buf) : remaining;
         ssize_t nr;
         if (offset >= 0) {
-            nr = pread(in_ref.fd, buf, chunk, offset);
+            int64_t intercepted = proc_try_copy_read_intercept(
+                in_fd, in_ref.fd, buf, chunk, &offset, 1);
+            if (intercepted != INT64_MIN)
+                nr = intercepted;
+            else
+                nr = pread(in_ref.fd, buf, chunk, offset);
         } else {
-            nr = read(in_ref.fd, buf, chunk);
+            int64_t current = 0;
+            int64_t intercepted = proc_try_copy_read_intercept(
+                in_fd, in_ref.fd, buf, chunk, &current, 0);
+            if (intercepted != INT64_MIN)
+                nr = intercepted;
+            else
+                nr = read(in_ref.fd, buf, chunk);
         }
         if (nr < 0) {
             if (total > 0)
@@ -1443,9 +1552,20 @@ int64_t sys_copy_file_range(guest_t *g,
         size_t chunk = remaining > sizeof(buf) ? sizeof(buf) : remaining;
         ssize_t nr;
         if (off_in >= 0) {
-            nr = pread(in_ref.fd, buf, chunk, off_in);
+            int64_t intercepted = proc_try_copy_read_intercept(
+                fd_in, in_ref.fd, buf, chunk, &off_in, 1);
+            if (intercepted != INT64_MIN)
+                nr = intercepted;
+            else
+                nr = pread(in_ref.fd, buf, chunk, off_in);
         } else {
-            nr = read(in_ref.fd, buf, chunk);
+            int64_t current = 0;
+            int64_t intercepted = proc_try_copy_read_intercept(
+                fd_in, in_ref.fd, buf, chunk, &current, 0);
+            if (intercepted != INT64_MIN)
+                nr = intercepted;
+            else
+                nr = read(in_ref.fd, buf, chunk);
         }
         if (nr < 0) {
             if (total > 0)