everything was broken. strting with hsinit not even chaining
the itd's into a ring. followed by broken buffer pointer pages.
finally, the interrupt handler's read transaction length
calculation was completely bugged, using the *FRAME* index
to access descriptors csw[] fields and not reseting tdi->ndata
thru the loop.
minor stuff:
iso->data needs to be freed with ctlr->dmafree()
put ival in iso->ival so ctl message cannot override the endpoints
pollival and screw up deallocation.
we allow devether to create ethernet cards on attach. this is useull
for virtual cards like the sink driver, so we can create a sink
by simply: bind -a '#l2:sink ea=112233445566' /net
the detach routine was never called, so remove it from the few drivers
that attempted to implement it.
the only architecture dependence of devether was enabling interrupts,
which is now done at the end of the driver's reset() function now.
the wifi stack and dummy ethersink also go to port/.
do the IRQ2->IRQ9 hack for pc kernels in intrenabale(), so not
every caller of intrenable() has to be aware of it.
introducing the PFPU structue which allows the machine specific
code some flexibility on how to handle the FPU process state.
for example, in the pc and pc64 kernel, the FPsave structure is
arround 512 bytes. with avx512, it could grow up to 2K. instead
of embedding that into the Proc strucutre, it is more effective
to allocate it on first use of the fpu, as most processes do not
use simd or floating point in the first place. also, the FPsave
structure has special 16 byte alignment constraint, which further
favours dynamic allocation.
this gets rid of the memmoves in pc/pc64 kernels for the aligment.
there is also devproc, which is now checking if the fpsave area
is actually valid before reading it, avoiding debuggers to see
garbage data.
the Notsave structure is gone now, as it was not used on any
machine.
adjust to new aes_xts routines.
allow optional offset in the 4th argument where the encrypted
sectors start instead of hardcoding the 64K header area for
cryptsetup.
avoid allocating temporary buffer for cryptio() reads, we can
just decrypt in place there.
use sdmalloc() to allocate the temporary buffer for cryptio()
writes so that devsd wont need to allocate and copy in case
it didnt like our alignment.
do not duplicate the error reporting code, just use io()
that is what it is for.
allow 2*256 bit keys in addition to 2*128 bit keys.
with xhci, bandwidth allocations are handled by the controller
and there are various speed settings possible that currently
not exposed in the Udev. so just keep usbload() as it is for
usb2 and keep ep->load as zero for superspeed.
the problem is that segio doesnt check segment attributes
and it can't really in case of SG_FAULT which can be
inherited from pseg and toggle at any time.
so instead of returning -1 from fault into the fault$cputype
handler which then panics when fault happend kernel mode,
we jump into segio's waserror() block just like in the
demand load i/o error case (faulterror()).
make sure the loop terminates and doesnt get stuck at
name == aname. avoid memrchr() as it conflicts with
libc on unix (drawterm). declare namelenerror() as
static.
calculate alloc flag before waserror(), as compilers like
gcc will not notice the value changing later because
setjump() restores the old value due to callee-saves.
change is applies here to make it easier to merge with
drawterm.
thanks to aiju for debugging this; used to cause drawterm
memory leak until compiled with gcc -O0.
timerdel() did not make sure that the timer function
is not active (on another cpu). just acquiering the
Timer lock in the timer function only blocks the caller
of timerdel()/timeradd() but not the other way arround
(on a multiprocessor).
this changes the timer code to track activity of
the timer function, having timerdel() wait until
the timer has finished executing.
devmouse controls the screen blanking timeout, so move the
code there avoiding cross calls between modules. the only
function that needs to be provided is blankscreen(), which
gets called with drawlock locked.
the blank timeout is set thru /dev/mousectl now, so kernels
without devvga can set it.
blanking now only happens while /dev/mouse is read. so this
avoids accidentally blanking the screen on cpu servers that
do not have a mouse to unblank it.
introducing new ctrunc() function that invalidates any caches
for the passed in chan, invoked when handling wstat with a
specified file length or on file creation/truncation.
test program to reproduce the problem:
#include <u.h>
#include <libc.h>
#include <libsec.h>
void
main(int argc, char *argv[])
{
int fd;
Dir *d, nd;
fd = create("xxx", ORDWR, 0666);
write(fd, "1234", 4);
d = dirstat("xxx");
assert(d->length == 4);
nulldir(&nd);
nd.length = 0;
dirwstat("xxx", &nd);
d = dirstat("xxx");
assert(d->length == 0);
fd = open("xxx", OREAD);
assert(read(fd, (void*)&d, 4) == 0);
}
the assumption of only one producer ((abs)moustratrack()) is not true
for external mouse events from /dev/mousein, so protect the mouse state
and queue with ilock().
get rid of mousecreate(), just use devcreate().
reset cursor when all instances of /dev/mouse and /dev/cursor got closed,
instead of also considering /dev/mousectl. the reason is that kbdfs keeps
the mousectl file open. so exiting a program that has the cursor changed
will properly reset the cursor to arrow.
don't access user buffer while holding cursor spinlock! the memory access
can fault. theres also no lock needed there, we'r just copying *from* the
cursor memory.
fix use of strtol(), p will always be set, check for end of string.
keep pointer coordinates onscreen (off by one).
make lastms() function to get the last millisecond delta of last
call for resynchronization.
fix msg[3] buffer overflow in m5mouseputc().
get rid of mouseshifted logic, it is not used.
remove bl2mem(), it is broken. a fault while copying to memory
yields a partially freed block list. it can be simply replaced
by readblist() and freeblist(), which we also use for qcopy()
now.
remove mem2bl(), and handle putting back remainer from a short
read internally (splitblock()) avoiding the releasing and re-
acquiering of the ilock.
always attempt to free blocks outside of the ilock.
have qaddlist() return the number of bytes enqueued, which
avoids walking the block list twice.
remove unneeded waserror() block, loopoput is alled from
loopbackbwrite only so we will always get called with a
*single* block, so the concatblock() is not needed.
to avoid copying in padblock() when adding cryptographics macs to a block
in devtls/devssl/esp we reserve 16 extra bytes to the allocation.
remove qio ixsummary() function and add acid function qiostats() to
/sys/lib/acid/kernel
simplify iallocb(), remove iallocsummary() statitics.
given that devmnt will almost always write into a pipe
or a network connection, which supports te bwrite routine,
we can avoid the memory copy that would have been done by
devbwrite(). this also means the i/o buffer for writes
will get freed sooner without having to wait for the 9p
rpc to get a response, saving memory.
theres one case where we have to keep the rpc arround and
that is when we write to a cached file, as we want to update
the cache with the data that was written, but the user buffer
cannot be trusted to stay the same during the rpc.
devfs:
- fix memory leak in devfs leaking the aes key
- allocate aes-xts cipher state in secure memory
- actually check if the hexkey got fully parsed
cryptsetup:
- get rid of stupid "type YES" prompt
- use genrandom() to generate salts and keys
- rewrite cryptsetup to use common pbkdf2 and readcons routines
- fix alot of error handling and simplify the code
- move cryptsetup command to disk/cryptsetup
- update cryptsetup(8) manual page
we can encrypt the 256 bit chacha key on each invocation
making it hard to reconstruct previous outputs of the
generator given the current state (backtracking resiatance).
the kernels custom rand() and nrand() functions where not working
as specified in rand(2). now we just use libc's rand() and nrand()
functions but provide a custom lrand() impelmenting the xoroshiro128+
algorithm as proposed by aiju.
we now access the user buffer in randomread() outside of the lock,
only copying and advancing the chacha state under the lock. this
means we can use randomread() within the fault handling path now
without fearing deadlock. this also allows multiple readers to
generate random numbers in parallel.
we might wake up on a different cpu after the sleep so
delta from machX->ticks - machY->ticks can become negative
giving spurious timeouts. to avoid this always use the
same mach 0 tick counter for the delta.
the manpage states that capabilities time out after a minute,
so we add ticks field into the Caphash struct and record the
time when the capability was inserted. freeing old capabilities
is handled in trimcaps(), which makes room for one extra cap
and frees timed out ones.
we also limit the capuse write size to less than 1024 bytes to
prevent denial of service as we have to copy the user buffer.
(memory exhaustion).
we have to check the from user *before* attempting to remove
the capability! the wrong user shouldnt be able to change any
state. this fixes the memory leak of the caphash.
do the hash comparsion with tsmemcmp(), avoiding timing
side channels.
allocate the capabilities in secret memory pool to prevent
debugger access.
The kernel needs to keep cryptographic keys and cipher states
confidential. secalloc() allocates memory from the secret pool
which is protected from debuggers reading the memory thru devproc.
secfree() releases the memory, overriding the data with garbage.
the arm compiler can lift long->vlong casts on multiplcation
and convert 64x64->64 multiplication into a 32x32->64 one
with optional 64 bit accumulate.
- return distinct error message when attempting to create Globalseg with physseg name
- copy directory name to up->genbuf so it stays valid after we unlock(&glogalseglock)
- cleanup wstat() handling, allow changing uid
- make sure global segment size is below SEGMAXSIZE
- move isoverlap() check from globalsegattach() into segattach()
- remove Proc* argument from globalsegattach(), segattach() and isoverlap()
- make Physseg.attr and segattach attr parameter an int for consistency
to figure out what network connection a particular tls
conversation refers to, we add the path of the underlying
we send the encrypted tls traffic over in the status file,
example:
term% grep -n '^Chan:' '#a'/tls/*/status
#a/tls/0/status:7: Chan: /net/tcp/6/data
#a/tls/1/status:7: Chan: /net/tcp/0/data
access to the axi segment hangs the machine when the fpga
is not programmed yet. to prevent access, we introduce a
new SG_FAULT flag, that when set on the Segment.type or
Physseg.attr, causes the fault handler to immidiately
return with an error (as if the segment would not be mapped).
during programming, we temporarily set the SG_FAULT flag
on the axi physseg, flush all processes tlb's that have
the segment mapped and when programming is done, we clear
the flag again.
tsleep() used to cancel the timer with:
if(up->tt != nil)
timerdel(up);
which still can result in twakeup() to fire after tsleep()
returns (because we set Timer.tt to nil *before* we call the tfn).
in most cases, this is not an issue as the Rendez*
usually is just &up->sleep, but when it is dynamically allocated
or on the stack like in tsemacquire(), twakeup() will call
wakeup() on a potentially garbage Rendez structure!
to fix the race, we execute the wakup() with the Timer lock
held, and set p->trend to nil only after we called wakeup().
that way, the timerdel(); which unconditionally locks the Timer;
can act as a proper barrier and use up->trend == nil as the
condition if the timer has already fired.
for queue like non-seekable files, it is impossible to implement an
exportfs because one has to run the kernels devtab read() and write()
in separate processes, and that makes it impossible to maintain 9p message
order as the scheduler can come in and randomly schedule one process before
another.
so as soon as we have a transition from 9p -> syscalls, we'r screwed.
i currently see just two possibilities:
- introduce special file type like QTSEQ with strictly ordered i/o semantics
- fix all fileservers and exportfs to only do one outstanding i/o to QTSEQ files
which means maintaining a queue per fid
this doesnt propagate. so exporting slow 9p mount again will be limited
again by latency of the inner mount.
other option:
- return offset in Rread, so client can bring responses back into order. this
requires changing all fileservers and drivers to maintain such an per fid offset
and change the protocol to include it in the response, and also pass it to userspace
(new syscalls or pass it in TOS)
this only works for read pipelining, write is still screwed.
both options suck.
--
cinap
theres a bootstrap problem:
when /bin/init is run, it processes /lib/namespace where we might want to
mount or bind resources to /n or /mnt. but mntgen was run later in
cpurc/termrc so these mounts would be ignored.
we already have mntgen in bootfs, so we can provide these mountpoints early.
i keep the termrc/cpurc mntgens where they are, but ignore the error
prints. this way old kernels will continue to work.
introduce cpushutdown() function that does the common
operation of initiating shutdown, returning once all
cpu's got the message and are about to shutdown. this
avoids duplicated code which isnt really machine specific.
automatic reboot on panic only when *debug= is not set
and the machine is a cpu server or has no display,
otherwise just hang.
when opening a /env file ORCLOSE, and the process exits, envgrp() would
return nil can crash in envremove() because procexit will have set up->egrp
to nil before calling closefgrp().
the solution is to capture the environment on open, keeping a reference in
Chan.aux, so it doesnt matter on what process the close happens and a
env chan will always refer to its original environment group.
instead of checking addr+len >= addr, check len >= -addr so
that addr == 0 is never valid for len > 0 even if we decide
to have memory at the zero page so theres never any chance
user can pass in "nil" pointers.
put up some signs where we fall thru the switch cases in
fixfault()
sha256 is only defined for TLS1.2, however, technically, theres
no reason not to use it in TLS1.0/TLS1.1. the choice is up to
tlshand and pushtls, not the kernel.
instead of ordering the source mount list, order the new destination
list which has the advantage that we do not need to wlock the source
namespace, so copying can be done in parallel and we do not need the
copy forward pointer in the Mount structure.
the Mhead back pointer in the Mount strcture was unused, removed.
there was a race between cunmount() and walk() on Mhead.from as Mhead.from was
unconditionally freed when we cunmount(), but findmount might have already
returned the Mhead in walk(). we have to ensure that Mhead.from is not freed
before the Mhead itself (now done in putmhead() once the reference count of the
Mhead drops to zero).
the Mhead struct contained two unused locks, removing.
no need to hold Pgrp.ns lock in closegrp() as nobody can get to it (refcount
droped to zero).
avoid cclose() and freemount() while holding Mhead.lock or Pgrp.ns locks as
it might block on a hung up fileserver.
remove the debug prints...
cleanup: use nil for pointers, remove redundant nil checks before putmhead().