| Commit message | Author | Age | Files | Lines |
It only really supports ports_len > INIT_PORT_BOOTSTRAP,
ports_type == MACH_MSG_TYPE_COPY_SEND, fds_type == MACH_MSG_TYPE_COPY_SEND.
Make that explicit, and remove the branches that tried to handle the other
cases.
Since this port is never given out to anyone but the kernel,
our clients can't spoof a dead-name notification this way.
libports will start requesting dead-name notifications on its own.
As we handle all notifications, both ones we have requested and ones
libports has, distinguish between the two handlers by the port.
We do not implement most of the mach_notify_* () routines. Explicitly return
an error code so that our caller knows to properly deallocate all resources
the messages may carry.
Even though we don't expect to receive some of the notifications from the kernel
as we never sign up for them, we can always receive spoofed notifications from
our clients, so don't abort in that case.
We can't use it to *request* notifications here, since we need to use
a custom per-display port (and not libports' notify_port), but we can
still use it to *cancel* notifications with a lot less boilerplate.
Since this port is never given out to anyone but the kernel,
our clients can't spoof a dead-name notification this way.
We do not implement most of the mach_notify_* () routines. Explicitly return
an error code so that our caller knows to properly deallocate all resources
the messages may carry.
Since the implementation in libmachdev was just forwarding calls
to the corresponding libports functions, we might as well just use
ports_notify_server_routine () directly.
This logic is obviously broken, let's disable it for now.
| |
Namely, ports_request_dead_name_notification () where we can,
and the libports notify port when we have to pass it to libfshelp.
We can simply override proc_dead_name () to handle dead-name notifications.
We can simply override proc_dead_name () to handle dead-name notifications.
This significantly cuts down the boilerplate of
requesting dead-name notifications.
This notify port will be used to request & receive Mach notifications.
While it is present in the bucket much like any other port, it is not
counted in ports_count_bucket () and is not exposed to the user
callback in ports_bucket_iterate ().
No-senders notifications are directed to the port that no longer has any
senders left. Since any client can easily spoof such a notification, we have to
treat the notification as just a hint and verify whether there are, in fact,
any senders, and only call ports_no_senders () if there actually are none left.
mach_port_destroy () is a dangerous API that has to be used with extreme care.
Namely, it destroys not one user reference, but *all* user references that a
task has for a port name. Different parts of a program may all keep separate
references on a port without coordinating it with each other (which is the
whole idea behind reference counting). If one part of a program decides to
destroy a port with mach_port_destroy () without informing others, others may
still believe they hold a reference and will continue to use the name as if it
still referred to the now-destroyed port right. This constitutes a port
use-after-free, even if their use is also deallocating their reference.
In the particular case of the proc server, this manifested itself as
S_proc_reassign () destroying all user references to the task port right before
the task port right is deallocated again in the dead-name notification handler.
ports_get_right () expects the caller to make a send, not a send-once,
right from the returned receive right, and increments the expected make-send
count accordingly. The kernel, however, does not increment the make-send
count when a send-once right is being made.
The result can be described as a "no-senders leak": libports' idea of the
current make-send count always stays one step ahead of its actual value (or
several steps ahead, if the process is repeated), which makes libports
ignore *all* the subsequent no-senders notifications for the port as outdated.
Thus avoiding two RPCs.
We cannot properly detect when to release the ro_proxy, so let's just not
cache it.
A pager will now maintain a port to a read-only memory object proxy
for itself, and let the users access it with pager_get_ro_port ().
A node keeps a weak reference on the pager as long as
diskfs_node_disknode (node)->pager points to it. A pager keeps a light
reference on the node as long as the UPI is alive.
This is the same way it's done in ext2fs.
So users get a "Cannot exec a shared library directly" error message instead
of a segfault.
Making libpager use several workers allows it to queue several requests to
the disk (e.g. for different processes faulting data) rather than waiting
for them sequentially.
* libpager/demuxer.c (WORKER_COUNT): Set to 10.
This makes rumpdisk multithreaded as much as the root filesystem pager
will request.
Message-Id: <20220227091013.33112-4-damien@zamaudio.com>
This will allow callers to manage their own server routine.
Message-Id: <20220227091013.33112-3-damien@zamaudio.com>
Message-Id: <20220227091013.33112-2-damien@zamaudio.com>
pci_control_port is not a port info
so calling deref on it is invalid.
There seems no reason to have a device_close
for the pci device currently so remove it.
TESTED via booting a rump disk
Message-Id: <20220227075155.30750-1-damien@zamaudio.com>
TESTED to boot off a rump based disk
Message-Id: <20220227002655.23300-1-damien@zamaudio.com>
The RPC stub will not read it on error anyway.
* rumpdisk/block-rump.c (rumpdisk_device_write, rumpdisk_device_read):
Do not set the number of bytes when returning an error.
gcc would complain that dummy_read is unused
* rumpdisk/block-rump.c (rumpdisk_device_write): Mark dummy_read with
attribute unused.
store_read takes a look at the size to determine whether to fill the
provided buffer or not. Even if providing a null buffer we should set
the size to 0.
* defpager/defpager.c (pager_read_page): Initialize nread to 0.
* storeio/dev.c (buffered_rw): Initialize amount to 0.
* fatfs/fat.c (fat_read_sblock): Initialize read to the size of the boot
sector. Reuse it as such.
This is needed when using a rumpdisk-based root disk. Otherwise fsck
does not properly detect when it is mounted.
We have always been using the Linux value, coming from the Linux glue
code.
When starting a libmachdev translator after bootstrap, we still want the
translator to be notified by startup, to properly flush buffers etc.
argz_append does not actually support this.
After deleting an option, we have to let the loop continue from there
instead of skipping another option.
Unaligned accesses need a copy into an aligned buffer.
Accesses larger than a page currently have to be split into pages, otherwise
_bus_dmamap_load_buffer assumes coherent physical allocations.
Reading the man page for mmap, MAP_FIXED needs to be removed,
because we do not want the mapping to be placed at 0.
Message-Id: <20220212215736.28433-1-damien@zamaudio.com>
* startup/startup.c (S_io_restrict_auth): Cast const uid_t * pointer to
uid_t * when using it in struct idvec which always uses a uid_t* even
when reading it.