| Age | Commit message (Collapse) | Author |
|---|
|
ok visa@, claudio@
|
|
ok bluhm@
|
|
ok bluhm@
|
|
functions to pave way for more fine grained locking.
Suggested by, comments & OK mpi
|
|
in common checks for unix, inet, inet6 instead of partial checks
here and there. Some checks are already done at a higher layer,
but better be paranoid with user input.
OK claudio@ millert@
|
|
buffers.
This is one step towards unlocking TCP input path. Note that all the
functions asserting for the socket lock are not necessarilly MP-safe.
All the fields of 'struct socket' aren't protected.
Introduce a new kernel-only kqueue hint, NOTE_SUBMIT, to be able to
tell when a filter needs to lock the underlying data structures. Logic
and name taken from NetBSD.
Tested by Hrvoje Popovski.
ok claudio@, bluhm@, mikeb@
|
|
Attach is quite a different thing to the other PRU functions and
this should make locking a bit simpler. This also removes the ugly
hack on how proto was passed to the attach function.
OK bluhm@ and mpi@ on a previous version
|
|
unix domain sockets.
This should prevent the multiple deadlock related to unix domain sockets.
Inputs from millert@ and bluhm@, ok bluhm@
|
|
This makes a (wrong) assert disappear and makes sure we hack to avoid a
recursion in the upcall case still work.
The real solution to this problem is to not grab the NET_LOCK() before
entering uipc_usrreq().
Issue reported by dtucker@
|
|
found by dtucker@
|
|
passing is checked. As the data type has changed in unp_internalize(),
the calculation has to be adapted in sosend().
Found by relayd regress test on i386.
OK millert@
|
|
Recursions are currently known and marked a XXXSMP.
Please report any assert to bugs@
|
|
pledged process. dup(2) and recvmsg(2) retain UF_PLEDGED from the original fd.
In pledge "exec" circumstances, exceve clears UF_PLEDGED on all the process's
fds.
In a pledge'd process, ioctl(2) can use this additional information to grant
access to ioctl's which are more sensitive or dive deeply into the kernel.
Developers will be encouraged to open such sensitive resources before calling
pledge(2), rather than afterwards. That matches the heading of privsep
development practices.
Future changes will introduce those ioctl(2) changes.
Lots of discussions with semarie guenther and benno.
|
|
struct file *, and then externalizes back to fd upon delivery.
Convert storage to array of struct fdpass, containing struct file *
(and soon something else). memcpy originally intended for alignment
purposes can be removed because CMSG_ALIGN is _ALIGN.
There is some anxiety over changing this code, but it reads easier.
ok mpi guenther kettenis
|
|
splsoftnet()/splx() until the known issues are fixed.
In other words, stop using a rwlock since it creates a deadlock when
chrome is used.
Issue reported by Dimitris Papastamos and kettenis@
ok visa@
|
|
to hold it during VFS operations as NFS might try to grab it.
Problem also reported by Siegfried Rudzio on bugs@.
ok visa@
|
|
work without assert.
ok visa@, bluhm@
|
|
swakeup
sowakeup
sowwakeup
unp_connect2
unp_connect
uipc_usrreq
soconnect
sys_connect
reported by stsp@, tb@ and RT Thrush
|
|
sosend <- NET_LOCK()
nfs_send
nfs_request
nfs_lookup
VOP_LOOKUP
vfs_lookup
namei
unp_connect
uipc_usrreq
soconnect <- NET_LOCK()
sys_connect
OK bluhm@ mpi@
|
|
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.
This first pass replace all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.
Inputs from and ok bluhm@, ok dlg@
|
|
NULL tests.
ok mpi@
|
|
not a pointer to it
|
|
in case sbappendcontrol() fails.
From Simon Mages; OK mikeb@
|
|
to the end of the defer structure. solves sizing and alignment concerns.
|
|
time investigating and arguing about whether a NULL fp is a bug or not,
but what has become clear is that NULL fps get passed to unp_discard
and have been for quite some time.
restore old accomodating behavior by checking for null in unp_gc.
ok deraadt kettenis
|
|
for chroot'd processes.
ok stefan semarie
|
|
|
|
torture tested on amd64, i386 and macppc
ok beck mpi stefan
"the change looks right" deraadt
|
|
|
|
|
|
pledgenote is used for annotate the policy for a namei context. So make it
tracking the nameidata.
It is expected for the caller to explicitly define the policy. It is a kernel
bug to not do so.
ok deraadt@
|
|
- rename _check function without suffix: a "pledge" function called from
anywhere is a "check" function.
- makes pledge_fail call the responsability to the _check function. remove it
from caller.
- make proper use of (potential) returned error of _check() functions.
- adds pledge_kill() and pledge_protexec()
with and OK deraadt@
|
|
|
|
used less than "stdio" -- include all the "self" operations. Instead of
different defines, use regular PLEDGE_* in the "p_pledgenote" variable
(which indicates the operation subtype a system call is performing). Many
checks before easier to understand. p_pledgenote can often be passed
directly to ktrace, so that kdump says:
15565 test CALL pledge(0xa9a3f804c51,0)
15565 test STRU pledge request="stdio"
15565 test RET pledge 0
15565 test CALL open(0xa9a3f804c57,0x2<O_RDWR>)
15565 test NAMI "/tmp/testfile"
15565 test PLDG open, "wpath", errno 1 Operation not permitted
with help from semarie, ok guenther
|
|
in unp_internalize and unp_externalize.
ok kettenis guenther
|
|
is a RPATH|WPATH operation.
Discussed with doug and millert
|
|
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
|
|
|
|
{Free,Net}BSD
- when a socket is closed with fds in its input, defer closing them to
a task to avoid recursing. This eliminates the complicated extra
reference taking which had a 37 line(!) comment explanation
- move flags, counts, and links only needed for this from struct file to
struct unpcb
- document the flow of the mark/sweep collector
much help from claudio@ who made me explain the GC to him until we trusted it
ok claudio@ mpi@ deraadt@
|
|
The pathlist is a whitelist of dirs and files; anything else returns ENOENT.
Recommendation is to use a narrowly defined list. Also add TAME_FATTR, which
permits explicit change operations against "struct stat" fields. Some
other TAME_ flags are refined slightly.
Not cranking libc now, since nothing commited in base uses this and the
timing is uncomfortable for others. Discussed with many; thanks for a
few bug fixes from semarie, doug, guenther.
ok guenther
|
|
tests reported an EMSGSIZE error although the sent message was not
too large. The way backpressure was implemented for unix domain
sockets confused the check in sosend().
Unix domain sockets append data only to the recv buffer. To report
the amount of content to the sender, the high watermark of the send
buffer was reduced. This happend for SOCK_STREAM and SOCK_SEQPACKET.
Sosend checks wether atomic chunks could ever fit into the send
buffer which is limited by the high watermark. This happens for
SOCK_DGRAM and SOCK_SEQPACKET. For SOCK_SEQPACKET the combination
of these mechanisms resulted in an EMSGSIZE error when the buffer
got filled. This also happened when space could be created by
reading from the other end in contradiction to the semantics of
EMSGSIZE.
Do not emulate a send buffer that has no space. It is better to
fill the buffer with fake data than to reduce its size. Thus the
high watermark always contains the real value. When disconnecting,
reset the counters. Otherwise the socket layer would try to flush
non existing data in the send buffer.
Tested by jeremy@ with a C program and the ruby tests.
OK markus@ jeremy@
|
|
and a count instead of calling the callback on each one, while also renders
the 'dispose' argument superfluous.
Move unp_*() prototypes from <sys/un.h> to <sys/unpcb.h>
ok claudio@ mpi@
|
|
compatibility with 4.3BSD in September 1989.
*Pick your own definition for "temporary".
ok bluhm@, claudio@, dlg@
|
|
a SLIST.
OK mpi@ benno@
|
|
|
|
ok doug tedu
|
|
when creating them: pipe2(), dup3(), accept4(), MSG_CMSG_CLOEXEC,
SOCK_CLOEXEC. Includes SOCK_NONBLOCK support.
ok matthew@
|
|
|
|
|
|
after discussions with beck deraadt kettenis.
|
