6bc1e9cd84
semaphores. Specifically, semaphores are now represented as a new file descriptor type that is set to close on exec. This removes the need for all of the manual process reference counting (and fork, exec, and exit event handlers) as the normal file descriptor operations handle all of that for us nicely. It is also suggested as one possible implementation in the spec and at least one other OS (OS X) uses this approach.

Some bugs that were fixed as a result include:

- References to a named semaphore whose name is removed still work after the sem_unlink() operation. Prior to this patch, if a semaphore's name was removed, valid handles from sem_open() would get EINVAL errors from sem_getvalue(), sem_post(), etc. This fixes that.
- Unnamed semaphores created with sem_init() were not cleaned up when a process exited or exec'd. They were only cleaned up if the process did an explicit sem_destroy(). This could result in a leak of semaphore objects that could never be cleaned up.
- On the other hand, if another process guessed the id (kernel pointer to 'struct ksem' of an unnamed semaphore (created via sem_init)) and had write access to the semaphore based on UID/GID checks, then that other process could manipulate the semaphore via sem_destroy(), sem_post(), sem_wait(), etc.
- As part of the permission check (UID/GID), the umask of the process creating the semaphore was not honored. Thus if your umask denied group read/write access but the explicit mode in the sem_init() call allowed it, the semaphore would be readable/writable by other users in the same group, for example. This includes access via the previous bug.
- If the module refused to unload because there were active semaphores, then it might have deregistered one or more of the semaphore system calls before it noticed that there was a problem. I'm not sure if this actually happened as the order that modules are discovered by the kernel linker depends on how the actual .ko file is linked. One can make the order deterministic by using a single module with a mod_event handler that explicitly registers syscalls (and deregisters during unload after any checks). This also fixes a race where even if the sem_module unloaded first it would have destroyed locks that the syscalls might be trying to access if they are still executing when they are unloaded. XXX: By the way, deregistering system calls doesn't do any blocking to drain any threads from the calls.
- Some minor fixes to errno values on error. For example, sem_init() isn't documented to return ENFILE or EMFILE if we run out of semaphores the way that sem_open() can. Instead, it should return ENOSPC in that case.

Other changes:

- Kernel semaphores now use a hash table to manage the namespace of named semaphores nearly in a similar fashion to the POSIX shared memory object file descriptors. Kernel semaphores can now also have names longer than 14 chars (up to MAXPATHLEN) and can include subdirectories in their pathname.
- The UID/GID permission checks for access to a named semaphore are now done via vaccess() rather than a home-rolled set of checks.
- Now that kernel semaphores have an associated file object, the various MAC checks for POSIX semaphores accept both a file credential and an active credential. There is also a new posixsem_check_stat() since it is possible to fstat() a semaphore file descriptor.
- A small set of regression tests (using the ksem API directly) is present in src/tools/regression/posixsem.

Reported by:	kris (1)
Tested by:	kris
Reviewed by:	rwatson (lightly)
MFC after:	1 month
| Name |
|---|
| acct |
| aio |
| atm |
| audit/audit_pipe_ioctl |
| bin |
| ccd/layout |
| doat |
| environ |
| ethernet/ethermulti |
| execve |
| fifo |
| file |
| fstest |
| fsx |
| gaithrstress |
| geom |
| geom_concat |
| geom_eli |
| geom_gate |
| geom_gpt |
| geom_mirror |
| geom_nop |
| geom_raid3 |
| geom_shsec |
| geom_stripe |
| geom_uzip |
| ia64 |
| include/tgmath |
| ipsec |
| lib |
| mac/mac_bsdextended |
| mlock |
| mqueue |
| msdosfs |
| net80211 |
| netatalk/simple_send |
| netinet |
| netinet6 |
| netipx |
| nfsmmap |
| p1003_1b |
| pipe |
| posixsem |
| posixshm |
| priv |
| pthread |
| redzone9 |
| security |
| sigqueue |
| sockets |
| sysvmsg |
| sysvsem |
| sysvshm |
| tls |
| tmpfs |
| ufs/uprintf |
| usr.bin |
| usr.sbin |
| geom_subr.sh |
| README |
| TODO |
$FreeBSD$

This directory is for regression test programs. A regression test program is one that will exercise a particular bit of the system to check that we have not reintroduced an old bug.

Tests should be implemented in files with a .t extension. Each .t file can contain more than one test, and can be implemented in any scripting language -- /bin/sh, Perl...

The test protocol is quite simple. At its most basic, each .t file should, when run, print a line in this format:

    1..m

where m is the number of tests that will be run.

Each test should produce a single line of output. This line should start with one of

    ok n
    not ok n

to indicate whether or not the test succeeded. 'n' is the test's number. Anything after this on the line (up to the first '#' if present) is considered to be the name of the test. Naming tests is optional, but encouraged.

A test may be written which is conditional, and may need to be skipped. For example, the netatalk tests require 'options NETATALK' in the kernel. A test may be skipped by printing '# skip Reason for skipping' after the test name. For example,

    ok 1 - netatalk # skip 'options NETATALK' not compiled in

A test may be flagged as 'todo'. This indicates that you expect the test to fail (perhaps because the necessary functionality hasn't been written yet). 'todo' tests are expected to fail, so when they start working the test framework can alert you to this happy occurrence. Flag these tests with a '# TODO' comment after the test name:

    not ok 1 - infiniteloop # TODO write test for an infinite loop

This is modelled on the protocol followed by the Test::Harness Perl module (and therefore much of the automated testing carried out by the Perl community). More documentation can be found at:

    http://search.cpan.org/~petdance/Test-Harness-2.42/lib/Test/Harness.pm

To run the tests and parse their output install the devel/p5-Test-Harness port. This includes the prove(1) command which is used to run the tests and collate the output.

    prove geom_concat    # run all the tests in geom_concat
    prove -r lib         # run all tests in lib/, and subdirectories
    prove -r -v lib      # as above, with verbose output
    prove -r             # run *all* the tests

Tests that are for parts of the base system should go into a directory here which is the same as their path relative to src/; for example, the uuencode(1) utility resides in src/usr.bin/uuencode so its regression test resides in src/tools/regression/usr.bin/uuencode.

To avoid the pre-commit check program complaining about the lack of CVS keywords in test data files, use a .in suffix for input files and a .out suffix for output files.

To execute individual regression tests for binaries that you are developing, add their directory to the path before running the tests. Example:

    cd /usr/src/tools/regression/usr.bin
    (PATH=/home/user/src/experimental/jot:$PATH ; make SUBDIR=jot)

Please make a subdir per other regression test, and add a brief description to this file.

    acct          Exercise the integer to float conversion used in acct(5)
    geom          Some tests and an out-of-kernel simulator for the GEOM code
    ia64          ia64 specific regression tests
    nfsmmap       Some tests to exercise some tricky cases in NFS and mmap
    p1003_1b      Exercise 1003.1B scheduler
    pipe          Pipe code regression test
    fsx           General filesystem exerciser
    sysvmsg       SysV IPC Message Queue Regression Utility
    sysvsem       SysV IPC Semaphore Regression Utility
    sysvshm       SysV IPC Shared Memory Regression Utility
    gaithrstress  General threaded getaddrinfo(3) exerciser
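The following is an added example, not code from the FreeBSD regression suite (the posixsem tests listed above use the ksem API directly). It covers two things on this page at once: the first bug in the commit message (a handle from sem_open() must keep working after sem_unlink() removes the name, and a fresh sem_open() of that name must then fail with ENOENT) and the README's output protocol (a "1..m" plan line, then one "ok n - name" or "not ok n - name" line per test, with a "# skip" directive where a test cannot run). It is written against the portable POSIX sem_* interface and assumes a Linux-like libc with named semaphores; the helper names tap_result(), named_sem_survives_unlink() and unnamed_sem_counts() and the /regress-sem- name prefix are this example's own choices.

```c
#include <errno.h>
#include <fcntl.h>
#include <semaphore.h>
#include <stdio.h>
#include <unistd.h>

/* Print one result line in the README's protocol: "ok n - name" or
 * "not ok n - name", optionally followed by a "# skip ..." or "# TODO ..."
 * directive after the test name. */
static void tap_result(int n, int ok, const char *name, const char *directive)
{
    printf("%sok %d - %s%s%s\n", ok ? "" : "not ", n, name,
           directive ? " # " : "", directive ? directive : "");
}

/* Returns 1 if an open handle keeps working after sem_unlink(), 0 if it
 * does not, and -1 if a named semaphore cannot be created here at all
 * (the caller then reports a skip rather than a failure). */
static int named_sem_survives_unlink(void)
{
    char name[64];
    sem_t *sem, *again;
    int value = -1;
    int rc = 0;

    /* Per-process name (assumed prefix) so concurrent runs cannot collide;
     * O_EXCL makes sure we are not reusing someone else's semaphore. */
    snprintf(name, sizeof name, "/regress-sem-%ld", (long)getpid());
    sem = sem_open(name, O_CREAT | O_EXCL, 0600, 0);
    if (sem == SEM_FAILED)
        return -1;

    /* Remove the name immediately; the handle we hold must stay usable. */
    if (sem_unlink(name) != 0) {
        sem_close(sem);
        return 0;
    }

    /* The name is gone, so a sem_open() without O_CREAT must fail with
     * ENOENT rather than find the still-live object. */
    again = sem_open(name, 0);
    if (again != SEM_FAILED) {
        sem_close(again);
        sem_close(sem);
        return 0;
    }
    if (errno != ENOENT) {
        sem_close(sem);
        return 0;
    }

    /* Post, read the count back, wait, read it back again: every call on
     * the unlinked handle must succeed (the commit message says these
     * returned EINVAL before the fix). */
    if (sem_post(sem) == 0 && sem_getvalue(sem, &value) == 0 && value == 1 &&
        sem_wait(sem) == 0 && sem_getvalue(sem, &value) == 0 && value == 0)
        rc = 1;
    sem_close(sem);
    return rc;
}

/* Unnamed semaphore: the initial count is consumed exactly by sem_trywait(),
 * which reports EAGAIN once the count reaches zero; sem_destroy() releases
 * the object. Returns 1 on success, 0 otherwise. */
static int unnamed_sem_counts(void)
{
    sem_t sem;
    int rc = 0;

    if (sem_init(&sem, 0, 2) != 0)
        return 0;
    if (sem_trywait(&sem) == 0 && sem_trywait(&sem) == 0 &&
        sem_trywait(&sem) == -1 && errno == EAGAIN)
        rc = 1;
    sem_destroy(&sem);
    return rc;
}

int main(void)
{
    int r;

    printf("1..2\n");                       /* plan: two tests follow */
    r = named_sem_survives_unlink();
    if (r < 0)
        tap_result(1, 1, "sem_unlink keeps open handles valid",
                   "skip named semaphores unavailable");
    else
        tap_result(1, r, "sem_unlink keeps open handles valid", NULL);
    tap_result(2, unnamed_sem_counts(), "sem_init count and sem_trywait", NULL);
    return 0;
}
```

Run as a .t file, the program emits the plan line and two result lines in the form prove(1) consumes; when named semaphores cannot be created, the first test is reported as "ok" with a "# skip" directive instead of as a failure, which is how the README says conditional tests should behave.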