single_thread_set() is modified to explicitly indicate when waiting until
sibling threads are parked is required. This is obviously not required if
a traced thread is switching away from a CPU after handling a STOP signal.
ok claudio@
| |
Kill SINGLE_PTRACE and use SINGLE_SUSPEND which has almost the same semantic.
This diff did not properly kill SINGLE_PTRACE and broke RAMDISK kernels.
| |
single_thread_set() is modified to explicitly indicate when waiting until
sibling threads are parked is required. This is obviously not required if
a traced thread is switching away from a CPU after handling a STOP signal.
ok claudio@
| |
Use the SCHED_LOCK() to ensure `ps_thread' isn't being modified by a sibling
when entering tsleep(9) w/o KERNEL_LOCK().
ok visa@
| |
We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.
| |
This allows us to unlock getppid(2).
ok mpi@
| |
This will soon be used by select(2) and poll(2).
ok anton@, visa@
| |
Currently all iterations are done under KERNEL_LOCK() and therefore use
the *_LOCKED() variant.
From and ok claudio@
| |
Ensure that EXIT_NORMAL only runs once by guarding it with PS_EXITING.
It was previously possible for EXIT_NORMAL to be run twice, depending on
which thread called exit() and the order in which the threads were torn
down. This is due to the P_HASSIBLING() check triggering the last thread
to run EXIT_NORMAL, even though it may have already been run via an exit()
call.
ok kettenis@ visa@
| |
If we fold the for-loop iterating over each interval timer into the
helper function the result is slightly tidier than what we have now.
Rename the helper function "cancel_all_itimers".
Based on input from millert@ and kettenis@.
| |
During _exit(2) and sometimes during execve(2) we need to cancel any
active per-process interval timers. We don't currently do this in an
MP-safe way. Both syscalls ignore the locking assumptions documented
in proc.h.
The easiest way to make them MP-safe is to use setitimer(), just like
the getitimer(2) and setitimer(2) syscalls do. To make things a bit
cleaner I have added a helper function, cancelitimer(), so the callers
don't need to fuss with an itimerval struct.
While we're here we can remove the splclock/splx dance from execve(2).
It is no longer necessary.
ok deraadt@
| |
This ensures that the conditions checked are still in force. The sleep
breaks atomicity, allowing another thread to alter the state.
single_thread_set() should return immediately after sleep when called
from dowait4() because there is no guarantee that the process pr still
exists. When called from single_thread_set(), the process is that of
the calling thread, which prevents process pr from disappearing.
OK anton@, mpi@, claudio@
| |
reparented to a debugger process.
Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.
Logic comes from FreeBSD pointed out by guenther@.
While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.
ok visa@
| |
This shows that atomic_* operations should not be necessary to write
to this field unlike with the process one.
The advantage of using a somewhat-unique prefix for struct member is
moot when multiple definitions use the same prefix :o)
From Amit Kulkarni, ok claudio@
| |
When a traced process _exit(2)s, its (tracing) parent tries to give it
back to the old parent. In the case where the old parent is the same
as the tracing parent, there's no need to do this dance, so simply
remove it from the list of zombies and free its descriptors.
Fix a double report via wait(2) exposed by recent changes in make and
newly imported ptrace(2) regression from NetBSD & FreeBSD.
Diagnosed with help from espie@ & guenther@.
ok claudio@, visa@
| |
When a traced process _exit(2)s, its (tracing) parent tries to give it
back to the old parent. In the case where the old parent is the same
as the tracing parent, there's no need to do this dance, so simply
remove it from the list of zombies and free its descriptors.
Fix a double report via wait(2) exposed by recent changes in make and
newly imported ptrace(2) regression from NetBSD.
Diagnosed with espie@ and guenther@, ok claudio@
| |
ok visa@
| |
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))
ok mpi@
| |
The new way needs more thought.
| |
This eliminates a forced context switch to the idle proc. In addition,
sched_exit() no longer needs to sum proc runtime because mi_switch()
will do it.
OK mpi@ a while ago
| |
of resource limit structs has been done between processes. By applying
copy-on-write also between threads, threads can read rlimits in
a nearly lock-free manner.
Inspired by code in DragonFly BSD and FreeBSD.
OK mpi@, agreement from jmatthew@ and anton@
| |
When the main thread of a MT process dies, it doesn't matter at which
priority it gets awakened to do the last cleanups. Not using PUSER makes
it easier to understand the existing scheduler logic.
ok visa@
| |
It currently creates a lock ordering problem because SCHED_LOCK() is taken
by hardclock(). That means the "priorities" of a thread should be moved
out of the SCHED_LOCK() first in order to make progress.
Reported-by: syzbot+8e4863b3dde88eb706dc@syzkaller.appspotmail.com
via anton@ as well as by kettenis@
| |
Note that hardclock(9) still increments p_{u,s,i}ticks without holding a
lock.
ok visa@, cheloha@
| |
does not block the signal. If all threads block the signal, we
delivered it to the main thread. This does not conform to POSIX.
If any thread unblocks the signal, it should be delivered immediately
to this thread.
Mark such signals pending at the process instead of a single thread.
Then any thread can handle it later.
OK kettenis@ guenther@
| |
level up.
ok guenther mpi visa
| |
ptsignal() has to be called with the kernel lock held. As ensuring the
locking in mi_switch() is not easy, and deferring the signaling using
the task API is not possible because of lock order issues in
mi_switch(), move the CPU time checking into a periodic timer where
the kernel can be locked without issues.
With this change, each process has a dedicated resource check timer.
The timer gets activated only when a CPU time limit is set. Because the
checking is not done as frequently as before, some precision is lost.
Use of timers adapted from FreeBSD.
OK tedu@
Reported-by: syzbot+2f5d62256e3280634623@syzkaller.appspotmail.com
| |
It centralizes IO signal privilege checking and makes it possible to revoke
a registration when the target process or process group is deleted.
Adapted from FreeBSD.
OK kettenis@ mpi@ guenther@
| |
race between the reaper and unveil_removevnode() that would trigger a
KASSERT. At least as far as I can tell. Pointed out by semarie@
ok beck@, deraadt@
| |
thread basis instead of process. The decision to enable on process made
development easier initially but could lead to non-deterministic results for
processes with more than one thread. This behavior matches the implementation
found on both Linux and FreeBSD.
With help and ok mpi@ visa@
| |
pseudo-device, get rid of the option. Enabling kcov now requires the following
line to be added to the kernel config:
pseudo-device kcov 1
This is how pseudo devices are enabled in general. A side-effect of this change
is that dev/kcov.c will no longer be compiled by default.
Prodded by deraadt@; ok mpi@ visa@
| |
with the syzkaller kernel fuzzer. So far, 8 distinct panics have been found and
fixed. This effort will continue.
kcov is limited to architectures using Clang as their default compiler and is
not enabled by default.
With help from mpi@, thanks!
ok kettenis@ mpi@ visa@
| |
passing the main function directly to kthread_create(9). The start_*
functions are mere stepping stones nowadays and can be pruned.
They used to contain more logic in the pre-kthread era.
While here, set `cleanerproc' and `syncerproc' during the thread
creation rather than expect the threads to set the proc pointer.
Also, rename `sched_sync' to `syncer_thread' to reduce confusion
with the scheduler-related functions.
OK kettenis@, deraadt@, mpi@
| |
This brings unveil into the tree, disabled by default - Currently
this will return EPERM on all attempts to use it until we are
fully certain it is ready for people to start using, but this
now allows for others to do more tweaking and experimentation.
Still needs to send the unveils across forks and execs before
fully enabling.
Many thanks to robert@ and deraadt@ for extensive testing.
ok deraadt@
| |
Part of the larger 'proctreelk' diff from guenther@
No functional change, ok benno@, tedu@
| |
ok millert@ krw@
| |
WITNESS checking as (our) witness code isn't smart enough to let that by.
ok visa@
| |
being brewed.
ok beck
| |
Go-ahead from kettenis@, guenther@, deraadt@
| |
ok mpi@ dlg@
| |
initial thread
ok jsing@ kettenis@
| |
Note that without locking a thread cannot claim that it is part
of a multi-threaded process using this macro.
Suggested by miod@, ok guenther@
| |
them in sys/proc.h has been removed with compat_linux
diff from Michal Mazurek (akfaew (at) jasminek.net)
| |
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
| |
"exec" to call execve(2), potentially fork(2) beforehand if they
asked for "proc". Calling execve is what "shells" (ksh, tmux, etc)
have as their primary purpose. But meantime, if such a shell has a
nasty bug, we want to mitigate the process from opening a socket or
calling 100+ other system calls. Unfortunately silver bullets are in
short supply, so if our goal is to stay in a POSIX-y environment, we
have to let shells call execve(). POSIX ate the world, so what choices do
we all have?
Warning for many: silver bullets are even more rare in other OS
ecosystems, so please accept this as a narrow lowering of the bar in a
very raised environment.
Committed from a machine running tame "proc exec" ksh, make, etc.
| |
ok deraadt@ miod@
| |
The pathlist is a whitelist of dirs and files; anything else returns ENOENT.
Recommendation is to use a narrowly defined list. Also add TAME_FATTR, which
permits explicit change operations against "struct stat" fields. Some
other TAME_ flags are refined slightly.
Not cranking libc now, since nothing committed in base uses this and the
timing is uncomfortable for others. Discussed with many; thanks for a
few bug fixes from semarie, doug, guenther.
ok guenther