This patch employs one solution to resolve two independent but related
issues. Both issues are the result of one fundamental aspect of the
way VM's memory mapping works: VM uses its cache to map in blocks for
memory-mapped file regions, and for blocks already in the VM cache, VM
does not go to the file system before mapping them in. To preserve
consistency between the FS and VM caches, VM relies on being informed
about all updates to file contents through the block cache. The two
issues are both the result of VM not being properly informed about
such updates:
1. Once a file system provides libminixfs with an inode association
(inode number + inode offset) for a disk block, this association
is not broken until a new inode association is provided for it.
If a block is freed and reallocated as a metadata (non-inode)
block, its old association is maintained, and may be supplied to
VM's secondary cache. Due to reuse of inodes, it is possible
that the same inode association becomes valid for an actual file
block again. In that case, when that new file is memory-mapped,
under certain circumstances, VM may end up using the metadata
block to satisfy a page fault on the file, due to the stale inode
association. The result is a corrupted memory mapping, with the
application seeing data other than the current file contents
mapped in at the file block.
2. When a hole is created in a file, the underlying block is freed
from the device, but VM is not informed of this update, and thus,
if VM's cache contains the block with its previous inode
association, this block will remain there. As a result, if an
application subsequently memory-maps the file, VM will map in the
old block at the position of the hole, rather than an all-zeroes
block. Thus, again, the result is a corrupted memory mapping.
This patch resolves both issues by making the file system inform the
minixfs library about blocks being freed, so that libminixfs can
break the inode association for that block, both in its own cache and
in the VM cache. Since libminixfs does not know whether VM has the
block in its cache or not, it makes a call to VM for each block being
freed. Thus, this change introduces more calls to VM, but it solves
the correctness issues at hand; optimizations may be introduced
later. On the upside, all freed blocks are now marked as clean,
which should result in fewer blocks being written back to the device,
and the blocks are removed from the caches entirely, which should
result in slightly better cache usage.
This patch is necessary but not sufficient to resolve the situation
with respect to memory mapping of file holes in general. Therefore,
this patch extends test 74 with a (rather particular but effective)
test for the first issue, but not yet with a test for the second one.
This fixes#90.
Change-Id: Iad8b134d2f88a884f15d3fc303e463280749c467
There are currently no devices out there that require this change.
The change is merely needed to support subsequent changes.
Change-Id: I64214c5f46ff4a2260815d15c15e4a17709b9036
There is no reason to keep these tightly coupled data structures
separate. Moreover, there is no reason to have a union of file
descriptor and file pointer, since the second can be derived from
the first. The result are somewhat cleaner VFS internals.
Change-Id: I854da7d8291177878eecfc3077ef0a9e0cc82aaa
The new syslogd(8) does not create log files that do not already
exist, and thus, we adopt the NetBSD way of creating them.
Change-Id: Icd7fdba362726696df6a52dd55c049fd2bfcc2d3
This barrier ensures that all fields of an asynchronously sent
message are properly initialized before the message is marked as
valid.
Change-Id: I7b9590c11c4e040c8f992f1dd2581e54201bf214
If an asynchronous message is delivered during an ipc_receive(2) call,
but a failure occurred while copying out the status to the sending
process, then the receiving process would be left in an inconsistent
state, leading to a kernel crash shortly after.
For now, we fix this by altogether ignoring errors while copying out
the status field to the sending process. While this resolves the
kernel crash, it is hardly ideal, since it will likely cause the same
message to be delivered repeatedly. It would be better to disable
asynchronous communication from the sender process altogether, but this
solution requires more changes and thus more testing.
Change-Id: Ib00bf01ad29cdd10a5dee731d4788254d9037a76
Previously, there was a tiny chance that tickdelay(3) would return
early or that it would fail to reinstate a previous alarm.
- sys_setalarm(2) now returns TMR_NEVER instead of 0 for the time
left if no previous alarm was set;
- sys_setalarm(2) now also returns the current time, to allow the
caller to determine whether it got an alarm notification for the
alarm it set or for a previous alarm that has just gone off;
- tickdelay(3) now makes use of these facilities.
Change-Id: Id4f8fe19a61ca8574f43131964e6f0317f613f49
The previous approach of including libraries through the parent
directory's Makefile.inc created linking issues, with libchardriver
not finding snprintf in certain cases. The new approach of including
libraries through the driver's only Makefile is the one used by all
other drivers.
Change-Id: I96e6308e12e54f0fce8ecf58bd061269860d4355
This is the combination of two NetBSD patches committed by Christos
Zoulas, based on the findings and Bitrig patch by Martin Natano.
The NetBSD log messages read:
From Martin Natano @bitrig: Use execve(2) instead of system to
apply patches that require rcs command execution instead system(3)
to avoid malicious filenames in patches causing bad things to
happen. In the process, lose SCCS support. It is not like we are
shipping sccs commands for that to work.
And:
Use absolute paths for RCS commands (Martin Natano)
Change-Id: Id44bd59a5a6bc6cd95d1e1fae468bd718cfff2db
The primary reason for the import is a likely GPL taint of the
original MINIX3 syslogd. As a result, this import may still
have some rough edges.
Change-Id: I5c8d26eca10fc2dd50ecc9eab44a1d483cf068a9
- report correct number of bytes written;
- correctly return partial writes on failure;
- do not overwrite result if there is a pending read.
Change-Id: I92aeeaee1eccb47c2aa2b6666a2f560c3cb17f42
This resolves a problem with ioctl(NIOCGETHSTAT) hanging forever
as identified by Erik van der Kouwe, and possibly many other corner
cases.
Change-Id: I2350c882dc6a0862e16454ec6b6c320d78780bcd
This test connects to a remote HTTP server to retrieve files, using various
chunk sizes and concurrency settings to exercise the network stack. The test
is only performed is USENETWORK=yes. This test requires the following URLs to
remain available: http://test82.minix3.org/test1.txt and
http://test82.minix3.org/test2.bin. The former contains a 'Hello world'
message followed by a newline, the latter all 16-bit values in increasing
order, using big-endian notation.
Change-Id: I696106482fb1658f9657be2b6845a1b37a3d6172
These new tests are largely based on the code from test 56 (UDS). Common code
is moved into a separate file common-socket.c. In some instances the tests
are too strict for TCP/UDP sockets, which may not always react instantly to
whatever happens on the other side (even locally). For these cases, the
ignore_* fields in struct socket_test_info indicate that there needs to be
an exception. There are also tests where it seems the functionality of inet
is either incorrect or incomplete with regard to the POSIX standard. In these
cases, the bug_* fields are used to document the issues while avoiding
failure of the test.
Change-Id: Ia860deb4559d42608790451936b1aade866faebc
This patch introduces USENETWORK environment variable to determine whether to
use the network or not, instead of the unreliable ping test; set to 'yes' to
enable network usage.
Change-Id: I9e26fa95b5b990fd94f5978db8de0dd73496d314
This fixes an issue when compiling with GCC 4.9.
For details, see: http://reviews.llvm.org/rL201729
Change-Id: Iaa522715798016f6edb433b01b02aa664fcb5d1c
Extended by David van Moolenbroek to continue using static buffers
for short inode names, so as to prevent important file system
services such as procfs from running out of memory at runtime.
Change-Id: I6f841741ee9944fc87dbdb78b5cdaa2abee9da76
Each /proc/service entry must have a unique label. With cloning,
multiple RS services may have the same label. Since we are not
actually interested in inactive services (for now), eliminate those
entries, leaving only the active service which will then indeed have
a unique label in the list. This resolves a procfs crash.
Change-Id: I0de7ef8fd186ab13f3e22e46416504fd981c09aa
Previously, procfs would retrieve the rproc and rprocpub tables from
RS in two separate calls. This allowed for a race condition where the
tables could change in between the calls, resulting in a panic in
procfs under certain circumstances. RS now implements a new method
for getsysinfo that allows the retrieval of both tables at once.
Change-Id: I5ec22d25898361270c90e805a43fc6d76ad9e29d
This patch adds support for Unix98 pseudo terminals, that is,
posix_openpt(3), grantpt(3), unlockpt(3), /dev/ptmx, and /dev/pts/.
The latter is implemented with a new pseudo file system, PTYFS.
In effect, this patch adds secure support for unprivileged pseudo
terminal allocation, allowing programs such as tmux(1) to be used by
non-root users as well. Test77 has been extended with new tests, and
no longer needs to run as root.
The new functionality is optional. To revert to the old behavior,
remove the "ptyfs" entry from /etc/fstab.
Technical nodes:
o The reason for not implementing the NetBSD /dev/ptm approach is that
implementing the corresponding ioctl (TIOCPTMGET) would require
adding a number of extremely hairy exceptions to VFS, including the
PTY driver having to create new file descriptors for its own device
nodes.
o PTYFS is required for Unix98 PTYs in order to avoid that the PTY
driver has to be aware of old-style PTY naming schemes and even has
to call chmod(2) on a disk-backed file system. PTY cannot be its
own PTYFS since a character driver may currently not also be a file
system. However, PTYFS may be subsumed into a DEVFS in the future.
o The Unix98 PTY behavior differs somewhat from NetBSD's, in that
slave nodes are created on ptyfs only upon the first call to
grantpt(3). This approach obviates the need to revoke access as
part of the grantpt(3) call.
o Shutting down PTY may leave slave nodes on PTYFS, but once PTY is
restarted, these leftover slave nodes will be removed before they
create a security risk. Unmounting PTYFS will make existing PTY
slaves permanently unavailable, and absence of PTYFS will block
allocation of new Unix98 PTYs until PTYFS is (re)mounted.
Change-Id: I822b43ba32707c8815fd0f7d5bb7a438f51421c1
As part of its built-in mmap emulation support for "none" file system
services, libfsdriver clears the VM cache upon exit. However, for
trivial file systems which do not even support reading from files, the
the VM cache need to be cleared either. With this patch, the VM cache
is cleared only when modified, so that such trivial file systems need
not be given CLEARCACHE permission.
Change-Id: I518c092443455302b9b9728f10a3f894d2c8036b