Two bugs fixed wrt vm restartability.
. make sure pagetable data is only allocated
using dynamic data instead of static spare pages
(bootstrap pages). They are needed for bootstrap
but now repeat some of the initialization so only
dynamic data remains. This solves the problem of
physical addresses changing (as static pages are
re-allocated for the new instance) after update.
. pt_ptalloc has to be specified in bytes instead of
pde slot numbers. leaving pt_pt NULL causes mapping
transfers to fail because NULL happens to be mapped in
then and updates then happen there.
. added some sanity checks against the above happening.
The new state is that VM can update many times, but the system
isn't fully reliable afterwards yet.
Change-Id: I7313602c740cdae8590589132291116ed921aed7
. make arch-independent, and local to proc.c, reduce code duplication
. make vm_suspend public but unduplicated in proc.c
. ask VM for handling once, 2nd time SIGSEGV process
. remove debug printfs
. test case for bogus sendrec() address argument
Change-Id: I3893758910c01de60b8fe3e50edd594296a0b73e
Allow extra space for in-band metadata when allocating cache blocks.
Edited by David van Moolenbroek: since this effectively halves the
potential size of the typical file system cache, do this only when
compiling with instrumentation.
Change-Id: I0840af6420899ede2d5bb7539e79c0a456b5128d
Edited by David van Moolenbroek to deallocate the guard page as well.
Note that while the new approach is better in theory (previously, the
hole could end up being filled by another allocated page), guard page
protection is now broken in practice, because VM does not support
setting specific page permissions (in this case, PROT_NONE).
Change-Id: I882624f5d152d3ebe82fca649cbad85aa4931780
If arguments are provided, the services list to test is set from those,
instead of initializing it with every currently running service.
If such arguments are present, also skip LiveUpdate tests.
Change-Id: I14f874666a610072a5ff4a60516e59cf04dc9e31
VM used to call sendrec to send a boot-time RS_INIT reply to RS, but
RS could run into a pagefault at the same time, thus spawning a
message to VM, resulting in a deadlock. We resolve this situation by
making VM acknowledge RS_INIT asynchronously at boot time, while
retaining the synchronous sendrec for subsequent RS_INIT responses.
Change-Id: I3cb72d7f8d6b9bfdc59a85958ada739c37fa3bde
The following services have been updated to support stateful restarts:
- Drivers: tty
- Filesystems: isofs, mfs, pfs, libvtreefs-based file servers
- System servers: tty, ds, pm, vfs, vm
Change-Id: Ie84baa3ba1774047b3ae519808fe4116928edabb
Previously, RS would clean up dead services only when it is idle.
During shutdown, all services are marked with the 'exiting' flag,
and these flags lead RS to conclude it is not idle. Therefore, at
shutdown time, no services were cleaned up anymore, leading to
deadlock situations. For example, VFS could end up waiting for a
service that was already dead, or one driver could end up waiting
for an interrupt on a line shared with another dead driver.
While it may be possible to ignore RS_EXITING when checking idle
status, other flags may have the same ultimate effect. Therefore,
this patch skips the idle check altogether when in shutdown mode.
Change-Id: I071fa9545da1d43c5e5c2e0bc2b6c173e3bb57c3
While in a multicomponent live update that includes RS, the new RS
instance may receive heartbeat replies which, after a rollback, the
old RS instance will then never see. As a result, the rolled-back
RS instance may end up killing well-behaving services.
Change-Id: I0f0af283c33502d5d55b27e353b62aec2e301285
Add support for compact address layout. This feature can be enabled
through the ac_layout=1 boot option.
Change-Id: Ie20b808fce32b5c54d0a7e7210e0084a540e9613
Some select queries require a response from device drivers. If a
select call is nonblocking (with a zero timeout), the response to
the caller may have to be deferred until all involved drivers have
responded to the initial query. This is handled just fine.
However, if the select call has a timeout that is so short that it
triggers before all the involved drivers have responded, the
resulting alarm would be discarded, possibly resulting in the call
blocking forever. This fix changes the alarm handler such that if
the alarm triggers too early, the select call is further handled
as though it was nonblocking.
This fix resolves a test77 deadlock on really slow systems.
Change-Id: Ib487c8fe436802c3e11c57355ae0c8480721f06e
- ping(1) triggers warnings about unimplemented exceptions for select;
even if there could be a useful implementation (which is doubtful),
the warnings are not helping anyone right now;
- the clock_t data type has changed.
Change-Id: Ie5b1383e7657e8501f63bb4b9d255c6502567a15
Fix /dev/tty-related issues in tmux(1) by hardcoding the PTY major
in VFS in addition to the TTY major. Even though this is exactly
what we did NOT want to have to do, the actual fix for this issue
is going to take a little longer.
Change-Id: I24c75eaf688b9ebd28e931f2e445b8442cfdac78
The previous approach of storing pointers to message structures for
thread-blocking sendrec operations relied on several assumptions,
which if violated could lead to odd cases of memory corruption.
With this patch, VFS resets pointers right after use, avoiding that
any dangling pointers are accidentally dereferenced later. This
approach was already used in some cases, but not all of them.
Change-Id: I752d994ea847b46228bd2ccf4e537deceb78fbaf
For dynamically linked executables, the interpreter is passed a
file descriptor of the binary being executed. To this end, VFS
opens the target executable, but opening the file fails if it is
not readable, even when it is executable. With this patch, when
opening the executable, it verifies the X bit rather than the R
bit on the file, thus allowing the execution of dynamically
linked binaries that are executable but not readable.
Add test86 to verify correctness.
Change-Id: If3514add6a33b33d52c05a0a627d757bff118d77
- do not use timers when there is only ever one timer;
- do not include kernel header files for no reason;
- do not reply to notifications ever.
Change-Id: I5817e22c1b46c4e30e5135069df318af0b4f87fd
This patch changes the prefetch API so that file systems must now
provide a set of block numbers, rather than a set of buffers. The
result is a leaner and more well-defined API; linear computation of
the range of blocks to prefetch; duplicates no longer interfering
with the prefetch process; guaranteed inclusion of the block needed
next into the prefetch range; and, limits and policy decisions better
established by libminixfs now actually being moved into libminixfs.
Change-Id: I7e44daf2d2d164bc5e2f1473ad717f3ff0f0a77f
- The lmfs_get_block*(3) API calls may now return an error. The idea
is to encourage a next generation of file system services to do a
better job at dealing with block read errors than the MFS-derived
implementations do. These existing file systems have been changed
to panic immediately upon getting a block read error, in order to
let unchecked errors cause corruption. Note that libbdev already
retries failing I/O operations a few times first.
- The libminixfs block device I/O module (bio.c) now deals properly
with end-of-file conditions on block devices. Since a device or
partition size may not be a multiple of the root file system's block
size, support for partial block retrieval has been added, with a new
internal lmfs_get_partial_block(3) call. A new test program,
test85, tests the new handling of EOF conditions when reading,
writing, and memory-mapping a block device.
Change-Id: I05e35b6b8851488328a2679da635ebba0c6d08ce
This patch changes the libminixfs API and implementation such that the
library is at all times aware of how many total and used blocks there
are in the file system. This removes the last upcall of libminixfs
into file systems (fs_blockstats). In the process, make this part of
the libminixfs API a little prettier and more robust. Change file
systems accordingly. Since this change only adds to MFS being unable
to deal with zones and blocks having different sizes, fail to mount
such file systems immediately rather than triggering an assert later.
Change-Id: I078e589c7e1be1fa691cf391bf5dfddd1baf2c86
This removes an implicit requirement for the way the libminixfs API is
to be used, namely that a block is to be marked as dirty only once its
contents have been fully updated, within a single get_block/put_block
window. The requirement may not be appropriate for all file systems.
Change-Id: I6a129d51b1a5e9aec1572039dc7c1c82dd795db5
With this change, the lmfs_get_block*(3) functions allow the caller to
specify that it only wants the block if it is in the cache or the
secondary VM cache. If the block is not found there, the functions
return NULL. Previously, the PREFETCH method would be used to this
end instead, which was both abuse in name and less efficient.
Change-Id: Ieb5a15b67fa25d2008a8eeef9d126ac908fc2395
When VM asks a file system to provide a block to satisfy a page fault
on a file memory mapping, the file system previously had no way to
inform VM that the block is a hole, since there is no corresponding
block on the underlying device. To work around this, MFS and ext2
would actually allocate a block for the hole when asked by VM, which
not only defeats the point of holes in the first place, but also does
not work on read-only file systems. With this patch, a new libminixfs
call allows the file system to inform VM about holes. This issue does
raise the question as to whether the VM cache is using the right data
structures, since there are now two places where we have to fake a
device offset. This will have to be revisited in the future.
The patch changes file systems accordingly, and adds a test to test74.
Change-Id: Ib537d56b3f30a8eb05bc1f63c92b5c7428d18f4c
This patch employs one solution to resolve two independent but related
issues. Both issues are the result of one fundamental aspect of the
way VM's memory mapping works: VM uses its cache to map in blocks for
memory-mapped file regions, and for blocks already in the VM cache, VM
does not go to the file system before mapping them in. To preserve
consistency between the FS and VM caches, VM relies on being informed
about all updates to file contents through the block cache. The two
issues are both the result of VM not being properly informed about
such updates:
1. Once a file system provides libminixfs with an inode association
(inode number + inode offset) for a disk block, this association
is not broken until a new inode association is provided for it.
If a block is freed and reallocated as a metadata (non-inode)
block, its old association is maintained, and may be supplied to
VM's secondary cache. Due to reuse of inodes, it is possible
that the same inode association becomes valid for an actual file
block again. In that case, when that new file is memory-mapped,
under certain circumstances, VM may end up using the metadata
block to satisfy a page fault on the file, due to the stale inode
association. The result is a corrupted memory mapping, with the
application seeing data other than the current file contents
mapped in at the file block.
2. When a hole is created in a file, the underlying block is freed
from the device, but VM is not informed of this update, and thus,
if VM's cache contains the block with its previous inode
association, this block will remain there. As a result, if an
application subsequently memory-maps the file, VM will map in the
old block at the position of the hole, rather than an all-zeroes
block. Thus, again, the result is a corrupted memory mapping.
This patch resolves both issues by making the file system inform the
minixfs library about blocks being freed, so that libminixfs can
break the inode association for that block, both in its own cache and
in the VM cache. Since libminixfs does not know whether VM has the
block in its cache or not, it makes a call to VM for each block being
freed. Thus, this change introduces more calls to VM, but it solves
the correctness issues at hand; optimizations may be introduced
later. On the upside, all freed blocks are now marked as clean,
which should result in fewer blocks being written back to the device,
and the blocks are removed from the caches entirely, which should
result in slightly better cache usage.
This patch is necessary but not sufficient to resolve the situation
with respect to memory mapping of file holes in general. Therefore,
this patch extends test 74 with a (rather particular but effective)
test for the first issue, but not yet with a test for the second one.
This fixes #90.
Change-Id: Iad8b134d2f88a884f15d3fc303e463280749c467
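The two stale-association cases from the commit message above, as a small C model added here for illustration (not libminixfs or VM code; the cache layout, function names, and block and inode numbers are all hypothetical). Passing `notify=0` models the behaviour before the patch, `notify=1` the behaviour after it.

```c
/* Toy model, added example (not MINIX code). All names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NBUF     8     /* larger than the number of blocks used below */
#define NO_INODE 0     /* "no inode association" marker */
#define MISS     (-1)  /* VM cache miss: VM has to ask the file system */

struct buf { int used, block, ino; long off; int data; };
static struct buf fs_cache[NBUF], vm_cache[NBUF];

static struct buf *find(struct buf *c, int block)
{
    struct buf *slot = NULL;
    for (int i = 0; i < NBUF; i++) {
        if (c[i].used && c[i].block == block) return &c[i];
        if (!c[i].used && !slot) slot = &c[i];
    }
    if (!slot) slot = &c[0];                /* cache full: evict slot 0 */
    memset(slot, 0, sizeof *slot);          /* fresh entry: ino == NO_INODE */
    slot->used = 1; slot->block = block;
    return slot;
}

/* The FS writes a block through its cache and releases it to VM. The inode
 * association is replaced only when a new one is supplied, so reusing a
 * cached block for metadata (NO_INODE) keeps the previous association. */
static void fs_write_block(int block, int ino, long off, int data)
{
    struct buf *b = find(fs_cache, block), *p = find(vm_cache, block);
    if (ino != NO_INODE) { b->ino = ino; b->off = off; }
    b->data = data;
    p->ino = b->ino; p->off = b->off; p->data = data;
}

/* Block freed on the device. notify=1 models the patched behaviour: the
 * block, and with it the association, is dropped from both caches. */
static void fs_free_block(int block, int notify)
{
    for (int i = 0; notify && i < NBUF; i++) {
        if (fs_cache[i].block == block) fs_cache[i].used = 0;
        if (vm_cache[i].block == block) vm_cache[i].used = 0;
    }
}

/* Page fault on a mapped file: VM consults only its own cache. */
static int vm_fault(int ino, long off)
{
    for (int i = 0; i < NBUF; i++)
        if (vm_cache[i].used && vm_cache[i].ino == ino && vm_cache[i].off == off)
            return vm_cache[i].data;
    return MISS;
}

/* Issue 1: freed file block reused for metadata, then inode 7 is reused. */
int stale_association(int notify)
{
    memset(fs_cache, 0, sizeof fs_cache); memset(vm_cache, 0, sizeof vm_cache);
    fs_write_block(100, 7, 0, 'A');         /* old file: inode 7, offset 0 */
    fs_free_block(100, notify);             /* file removed */
    fs_write_block(100, NO_INODE, 0, 'M');  /* block 100 now holds metadata */
    return vm_fault(7, 0);                  /* new file with inode 7 is mapped */
}

/* Issue 2: a hole replaces a block that is still in the VM cache. */
int stale_hole(int notify)
{
    memset(fs_cache, 0, sizeof fs_cache); memset(vm_cache, 0, sizeof vm_cache);
    fs_write_block(300, 9, 0, 'X');
    fs_free_block(300, notify);             /* hole created at offset 0 */
    return vm_fault(9, 0);                  /* MISS lets the FS report the hole */
}

int main(void)
{
    printf("issue 1: unpatched=%d patched=%d\n", stale_association(0), stale_association(1));
    printf("issue 2: unpatched=%d patched=%d\n", stale_hole(0), stale_hole(1));
    return 0;
}
```

In the unpatched runs the page fault is served the metadata byte and the pre-hole byte respectively; in the patched runs both lookups miss, which sends VM back to the file system.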
There are currently no devices out there that require this change.
The change is merely needed to support subsequent changes.
Change-Id: I64214c5f46ff4a2260815d15c15e4a17709b9036
There is no reason to keep these tightly coupled data structures
separate. Moreover, there is no reason to have a union of file
descriptor and file pointer, since the second can be derived from
the first. The result is somewhat cleaner VFS internals.
Change-Id: I854da7d8291177878eecfc3077ef0a9e0cc82aaa
This barrier ensures that all fields of an asynchronously sent
message are properly initialized before the message is marked as
valid.
Change-Id: I7b9590c11c4e040c8f992f1dd2581e54201bf214
If an asynchronous message is delivered during an ipc_receive(2) call,
but a failure occurred while copying out the status to the sending
process, then the receiving process would be left in an inconsistent
state, leading to a kernel crash shortly after.
For now, we fix this by altogether ignoring errors while copying out
the status field to the sending process. While this resolves the
kernel crash, it is hardly ideal, since it will likely cause the same
message to be delivered repeatedly. It would be better to disable
asynchronous communication from the sender process altogether, but this
solution requires more changes and thus more testing.
Change-Id: Ib00bf01ad29cdd10a5dee731d4788254d9037a76
Previously, there was a tiny chance that tickdelay(3) would return
early or that it would fail to reinstate a previous alarm.
- sys_setalarm(2) now returns TMR_NEVER instead of 0 for the time
left if no previous alarm was set;
- sys_setalarm(2) now also returns the current time, to allow the
caller to determine whether it got an alarm notification for the
alarm it set or for a previous alarm that has just gone off;
- tickdelay(3) now makes use of these facilities.
Change-Id: Id4f8fe19a61ca8574f43131964e6f0317f613f49
The previous approach of including libraries through the parent
directory's Makefile.inc created linking issues, with libchardriver
not finding snprintf in certain cases. The new approach of including
libraries through the driver's only Makefile is the one used by all
other drivers.
Change-Id: I96e6308e12e54f0fce8ecf58bd061269860d4355
The primary reason for the import is a likely GPL taint of the
original MINIX3 syslogd. As a result, this import may still
have some rough edges.
Change-Id: I5c8d26eca10fc2dd50ecc9eab44a1d483cf068a9
- report correct number of bytes written;
- correctly return partial writes on failure;
- do not overwrite result if there is a pending read.
Change-Id: I92aeeaee1eccb47c2aa2b6666a2f560c3cb17f42
This resolves a problem with ioctl(NIOCGETHSTAT) hanging forever
as identified by Erik van der Kouwe, and possibly many other corner
cases.
Change-Id: I2350c882dc6a0862e16454ec6b6c320d78780bcd
This test connects to a remote HTTP server to retrieve files, using various
chunk sizes and concurrency settings to exercise the network stack. The test
is only performed if USENETWORK=yes. This test requires the following URLs to
remain available: http://test82.minix3.org/test1.txt and
http://test82.minix3.org/test2.bin. The former contains a 'Hello world'
message followed by a newline, the latter all 16-bit values in increasing
order, using big-endian notation.
Change-Id: I696106482fb1658f9657be2b6845a1b37a3d6172
These new tests are largely based on the code from test 56 (UDS). Common code
is moved into a separate file common-socket.c. In some instances the tests
are too strict for TCP/UDP sockets, which may not always react instantly to
whatever happens on the other side (even locally). For these cases, the
ignore_* fields in struct socket_test_info indicate that there needs to be
an exception. There are also tests where it seems the functionality of inet
is either incorrect or incomplete with regard to the POSIX standard. In these
cases, the bug_* fields are used to document the issues while avoiding
failure of the test.
Change-Id: Ia860deb4559d42608790451936b1aade866faebc
This patch introduces the USENETWORK environment variable to determine whether to
use the network or not, instead of the unreliable ping test; set to 'yes' to
enable network usage.
Change-Id: I9e26fa95b5b990fd94f5978db8de0dd73496d314
Extended by David van Moolenbroek to continue using static buffers
for short inode names, so as to prevent important file system
services such as procfs from running out of memory at runtime.
Change-Id: I6f841741ee9944fc87dbdb78b5cdaa2abee9da76
Each /proc/service entry must have a unique label. With cloning,
multiple RS services may have the same label. Since we are not
actually interested in inactive services (for now), eliminate those
entries, leaving only the active service which will then indeed have
a unique label in the list. This resolves a procfs crash.
Change-Id: I0de7ef8fd186ab13f3e22e46416504fd981c09aa
Previously, procfs would retrieve the rproc and rprocpub tables from
RS in two separate calls. This allowed for a race condition where the
tables could change in between the calls, resulting in a panic in
procfs under certain circumstances. RS now implements a new method
for getsysinfo that allows the retrieval of both tables at once.
Change-Id: I5ec22d25898361270c90e805a43fc6d76ad9e29d
This patch adds support for Unix98 pseudo terminals, that is,
posix_openpt(3), grantpt(3), unlockpt(3), /dev/ptmx, and /dev/pts/.
The latter is implemented with a new pseudo file system, PTYFS.
In effect, this patch adds secure support for unprivileged pseudo
terminal allocation, allowing programs such as tmux(1) to be used by
non-root users as well. Test77 has been extended with new tests, and
no longer needs to run as root.
The new functionality is optional. To revert to the old behavior,
remove the "ptyfs" entry from /etc/fstab.
Technical notes:
o The reason for not implementing the NetBSD /dev/ptm approach is that
implementing the corresponding ioctl (TIOCPTMGET) would require
adding a number of extremely hairy exceptions to VFS, including the
PTY driver having to create new file descriptors for its own device
nodes.
o PTYFS is required for Unix98 PTYs in order to avoid that the PTY
driver has to be aware of old-style PTY naming schemes and even has
to call chmod(2) on a disk-backed file system. PTY cannot be its
own PTYFS since a character driver may currently not also be a file
system. However, PTYFS may be subsumed into a DEVFS in the future.
o The Unix98 PTY behavior differs somewhat from NetBSD's, in that
slave nodes are created on ptyfs only upon the first call to
grantpt(3). This approach obviates the need to revoke access as
part of the grantpt(3) call.
o Shutting down PTY may leave slave nodes on PTYFS, but once PTY is
restarted, these leftover slave nodes will be removed before they
create a security risk. Unmounting PTYFS will make existing PTY
slaves permanently unavailable, and absence of PTYFS will block
allocation of new Unix98 PTYs until PTYFS is (re)mounted.
Change-Id: I822b43ba32707c8815fd0f7d5bb7a438f51421c1
As part of its built-in mmap emulation support for "none" file system
services, libfsdriver clears the VM cache upon exit. However, for
trivial file systems which do not even support reading from files, the
VM cache need not be cleared either. With this patch, the VM cache
is cleared only when modified, so that such trivial file systems need
not be given CLEARCACHE permission.
Change-Id: I518c092443455302b9b9728f10a3f894d2c8036b
While putnode requests should always succeed, very simple file system
services may not care about reference counts and thus about putnode
requests at all. For this reason, we now default to an OK response if
no fdr_putnode implementation is given.
Change-Id: I01f6421abf4546a1f69d8c21900a92d6acc45745
The stat.st_ino field must always be filled with the inode number
given as part of the fdr_stat request anyway, so libfsdriver can
simply fill in the number and allow the file system not to bother.
Change-Id: Ia7a849d0b23dfc83010df0d48fa26e4225427694
Commit 723e513 erroneously removed a yield() call from VFS which was
necessary to get resumed pipe read/write threads to run before VFS
blocks on receive(). The removal caused those threads to run only
once VFS received another message, effectively slowing down activity
on pipes to a crawl in some cases.
Instead of readding the yield() call, this patch restructures the
get_work() code to go back through the main message loop even when no
new work is received, thus ensuring that newly started threads are
always activated without requiring a special case.
This fixes #65.
Change-Id: I59b7fb9e403d87dba1a5deecb04539cc37517742
kb_init() panics if no keyboard controller is found during self-test.
Instead of panicking, the driver should quit the init process and tell it the SEF.
Change-Id: Icdfb7125f5d4062f46cfbbdbbb9e54ac4b273642
This change requires a small patch to libc, in order to avoid that
libminc has to pull in a large chunk of libc just for mktime(3).
Change-Id: I48e598b3716eff626cac461f78a41e32334e6b28
Previously, services would obtain the user ID of "service" through
getpwnam(3). While this approach is conceptually better, it also
imposes linking against libc which in turn causes problems with
printf(3), which already led to PFS no longer dropping privileges at
all. For now, we hardcode SERVICE_UID and use that instead.
In the future, two changes should allow removal of SERVICE_UID again:
- "service edit" should cause RS to request that a service (such as
PFS) drop privileges through SEF, using the user ID resolved by
service(8), or something similar;
- a future devfs should make it possible for inet to start without
root privileges altogether.
Change-Id: Ie02a1e888cde325806fc0ae76909943ac42c9b96
For VFS, initialization is a special case for processing work: PFS
and the ramdisk MFS must be fully mounted before VFS can process any
other requests, in particular from init(8). This case was handled by
receiving reply messages only from the FS service being mounted, but
this effectively disallowed PFS from calling setuid(2) at startup.
This patch lets VFS receive all messages during the mounting process,
but defer processing any new requests. As a result, the FS services
have a bit more freedom in what they can do during startup.
Change-Id: I18275f458952a8d790736a9c9559b27bbef97b7b
This patch fixes two related issues:
- If a large (>PIPE_BUF) pipe write is processed partially, only to be
followed by a write error condition, then the process is left in an
incorrect state, possibly causing VFS to crash on a subsequent call.
- If such a partially processed large pipe write ends up resulting in
an EPIPE error, no corresponding SIGPIPE signal is generated.
The corrected behavior is tested in test68.
Change-Id: I5540e61ab6bcc60a31201485eda04bc49ece2ca8
From the termcap section of the GNU termutils manual:
"There is no way you can tell how much space is needed, so the convention
is to allocate a buffer 2048 characters long and assume that is enough.
(Formerly the convention was to allocate 1024 characters and assume that
was enough. But one day, for one kind of terminal, that was not
enough.)"
Change-Id: Ia5937366ae89e886dbaef7d180bee40669d0c488
As suggested in issue #43.
Historic Locations:
Prior to this commit
minix/commands/mined
Prior to commit 433d6423c3
commands
Change-Id: I374ab3ff0e3b9e47779fc21e80b47fda87698242
__STDC__ is used to mitigate the differences between K&R C and the
ANSI C standard. Nearly every compiler now supports ANSI C, so
there is no need to support non-standard compilers.
Change-Id: Ifc3381ecf1c43dfde9004bee48552d8b3ac4dcdc
* Remove undef NULL, EOF, getchar, putchar
* Rename putchar, getchar, _putchar, _getchar to putch, getch, _putch,
_getch to avoid conflict with libc functions.
* Rename UP() to UP1() (for UP 1 line) to avoid conflict with UP
definition in termcap.h. Rename DN1 LF1 RT1 for consistency.
* Add termcap.h for prototypes for tputs and friends.
* Add libterminfo references to Makefile
* Add return value to _putch() to make it work as tputs expects.
* Make putch() call _putch()
* Remove UNIX ifdefs and all code in the !UNIX branches.
closes #43
Change-Id: I0a6f7298aa8b12a74225badc88d3c236a02669ea
Removes the following man pages:
* awk.1x -- for a version of awk we no longer have
* kermit.1x -- seems gone altogether
* macros.1x -- not useful for anyone anymore
Moves the following man pages:
* mined.1x -- Moved to minix/commands/mined/mined.1
and reformatted to use the mdoc macros instead of the
Minix macros so that it displays properly.
Removes /usr/man/man1x from the directory tree.
closes #44
Change-Id: I59b8bd54cf5cba6d188e51e99a92b36e90c275c1
The escape sequences for the function keys used to be separated
out in older versions of Minix when they were different for m68k
and intel. Support for m68k was dropped and that code was
removed, leaving the ifdef i386. Since the sequences are the
same for i386 and arm, there is no need to keep the ifdef i386.
Change-Id: Id96a80bcb24da120efa63acc9b248d87fc347eac
It used to refer to several NIL_* definitions. Those were removed
in commit 6e25ad8b0a leaving the
comment with nothing to comment on.
Change-Id: I52221ae5d2c5216e82391b480cf2038ad723b8f0
Trying to boot Minix3 master on an appliance/sbc like ALIX fails, as
the service command throws an error. Making the rc script more robust
solves it.
Change-Id: I659043cbbaa2d67b70d6d6e5ab14fff8e1bba769