Commit Graph

93 Commits

Author SHA1 Message Date
Konstantin Belousov
137cf3b682 Lock the semaphore identifier lock during semaphore initialization to
guarantee atomicity of the operation for other semaphore consumers.
In particular, this should guard against access to the semaphore with
not done or partially done MAC label assignment.

Reviewed by:	rwatson
MFC after:	1 month
2009-01-15 12:15:46 +00:00
Konstantin Belousov
90a017ba64 It seems that there are at least three issues with IPC_RMID operation
on SysV semaphores.

  The squeeze of the semaphore array in the kern_semctl() modifies
  sem_base for the semaphores with sem_base greater then sem_base of
  the removed semaphore, as well as the values of the semaphores,
  without locking their mutex. This can lead to (killable) hangs or
  unexpected behaviour of the processes performing any sem operations
  while other process does IPC_RMID.

  The semexit_myhook() eventhandler unlocks SEMUNDO_LOCK() while
  accessing *suptr. This allows for IPC_RMID for the sem id to be
  performed in parallel with undo hook referenced by the current undo
  structure. This leads to the panic("semexit - semid not allocated") [1].

  The semaphore creation is protected by Giant, while IPC_RMID is done
  while only semaphore mutex is held. This seems to result in invalid
  values for semtot, causing random ENOSPC error returns [2].

Redo the locking of the semaphores lifetime cycle. Delegate the
sem_mtx to the sole purpose of protecting semget() and
semctl(IPC_RMID). Introduce new sem_undo_mtx to protect SEM_UNDO
handling. Remove the Giant remnants from the code.
Note that  mac_sysvsem_check_semget() and mac_sysvsem_create() are
now called while sem_mtx is held, as well as mac_sysvsem_cleanup() [3].

When semaphore is removed, acquire semaphore locks for all semaphores
with sem_base that is going to be changed by squeeze of the sema
array. The lock order is not important there, because the region is
protected by sem_mtx.

Organize both used and free sem_undo structures into the lists,
protected by sem_undo_mtx. In semexit_myhook(), remove sem_undo
structure that is being processed, from used list, without putting it
onto the free to prevent modifications by other threads. This allows
for sem_undo_lock to be dropped to acquire individial semaphore locks
without violating lock order. Since IPC_RMID may no longer find this
sem_undo, do tolerate references to unallocated semaphores in undo
structure, and check sequential number to not undo unrelated semaphore
with the same id.

While there, convert functions definitions to ANSI C and fix small
style(9) glitches.

Reported by:	Omer Faruk Sen <omerfsen gmail com> [1], pho [2]
Reviewed by:	rwatson [3]
Tested by:	pho
MFC after:	1 month
2009-01-14 15:20:13 +00:00
Oleksandr Tymoshenko
23c8064e66 Renew semaphore's pointer after wakeup since during msleep
sem_base may have been modified by destroying one of semaphores
and semptr would not be valid in this case.

PR: kern/123731
2008-06-19 18:08:42 +00:00
Robert Watson
30d239bc4c Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:

  mac_<object>_<method/action>
  mac_<object>_check_<method/action>

The previous naming scheme was inconsistent and mostly
reversed from the new scheme.  Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier.  Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods.  Also simplify, slightly,
some entry point names.

All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
Konstantin Belousov
7aee5992a5 Relock the sema_mtxp unconditionally after copyin() for SETALL case in
kern_semctl. Otherwise, later mtx_unlock() can operate on unlocked mutex.

Submitted by:	rdivacky
MFC after:	3 days
Approved by:	re (kensmith)
2007-07-03 15:58:47 +00:00
Ed Maste
caa8943810 Avoid manipulating semu_list outside of the scope of SEMUNDO_LOCK(). This
would lead to an occasional hang with a cycle in semu_list.

X-Discussed-On: hackers@
2007-03-26 17:41:14 +00:00
Robert Watson
873fbcd776 Further system call comment cleanup:
- Remove also "MP SAFE" after prior "MPSAFE" pass. (suggested by bde)
- Remove extra blank lines in some cases.
- Add extra blank lines in some cases.
- Remove no-op comments consisting solely of the function name, the word
  "syscall", or the system call name.
- Add punctuation.
- Re-wrap some comments.
2007-03-05 13:10:58 +00:00
Robert Watson
0c14ff0eb5 Remove 'MPSAFE' annotations from the comments above most system calls: all
system calls now enter without Giant held, and then in some cases, acquire
Giant explicitly.

Remove a number of other MPSAFE annotations in the credential code and
tweak one or two other adjacent comments.
2007-03-04 22:36:48 +00:00
Robert Watson
aed5570872 Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA
2006-10-22 11:52:19 +00:00
Robert Watson
f50c4fd817 Remove MAC_DEBUG + MPRINTF debugging from System V IPC. This no longer
appears to be serving a useful purpose, as it was used during initial
development of MAC support for System V IPC.

MFC after:	1 month
Obtained from:	TrustedBSD Project
Suggested by:	Christopher dot Vance at SPARTA dot com
2006-09-20 13:40:00 +00:00
Konstantin Belousov
3097d55a39 Use proper format specifier for pointers in debug printfs (turned off
by default).

Approved by:	pjd (mentor)
MFC after:	2 weeks
2006-07-12 11:41:53 +00:00
John Baldwin
b1ee5b654d Rework kern_semctl a bit to always assume the UIO_SYSSPACE case. This
mostly consists of pushing a few copyin's and copyout's up into
__semctl() as all the other callers were already doing the UIO_SYSSPACE
case.  This also changes kern_semctl() to set the return value in a passed
in pointer to a register_t rather than td->td_retval[0] directly so that
callers can only set td->td_retval[0] if all the various copyout's succeed.

As a result of these changes, kern_semctl() no longer does copyin/copyout
(except for GETALL/SETALL) so simplify the locking to acquire the semakptr
mutex before the MAC check and hold it all the way until the end of the
big switch statement.  The GETALL/SETALL cases have to temporarily drop it
while they do copyin/malloc and copyout.  Also, simplify the SETALL case to
remove handling for a non-existent race condition.
2006-07-08 19:51:38 +00:00
John Baldwin
fe95c76276 Fix semctl(2) breakage from the previous commit. Previously __semctl() had
a local 'semid' variable which was the array index and used uap->semid
as the original IPC id.  During the kern_semctl() conversion those two
variables were collapsed into a single 'semid' variable breaking the
places that needed the original IPC ID.  To fix, add a new 'semidx'
variable to hold the array index and leave 'semid' unmolested as the IPC
id.  While I'm here, explicitly document that the (undocumented, at least
in semctl(2)) SEM_STAT command curiously expects an array index in the
'semid' parameter rather than an IPC id.

Submitted by:	maxim
2006-06-29 13:58:36 +00:00
John Baldwin
49d409a108 - Add a kern_semctl() helper function for __semctl(). It accepts a pointer
to a copied-in copy of the 'union semun' and a uioseg to indicate which
  memory space the 'buf' pointer of the union points to.  This is then used
  in linux_semctl() and svr4_sys_semctl() to eliminate use of the stackgap.
- Mark linux_ipc() and svr4_sys_semsys() MPSAFE.
2006-06-27 18:28:50 +00:00
Robert Watson
b37ffd3189 Move some functions and definitions from uipc_socket2.c to uipc_socket.c:
- Move sonewconn(), which creates new sockets for incoming connections on
  listen sockets, so that all socket allocate code is together in
  uipc_socket.c.

- Move 'maxsockets' and associated sysctls to uipc_socket.c with the
  socket allocation code.

- Move kern.ipc sysctl node to uipc_socket.c, add a SYSCTL_DECL() for it
  to sysctl.h and remove lots of scattered implementations in various
  IPC modules.

- Sort sodealloc() after soalloc() in uipc_socket.c for dependency order
  reasons.  Statisticize soalloc() and sodealloc() as they are now
  required only in uipc_socket.c, and are internal to the socket
  implementation.

After this change, socket allocation and deallocation is entirely
centralized in one file, and uipc_socket2.c consists entirely of socket
buffer manipulation and default protocol switch functions.

MFC after:	1 month
2006-06-10 14:34:07 +00:00
Robert Watson
3831e7d7f5 Gratuitous renaming of four System V Semaphore MAC Framework entry
points to convert _sema() to _sem() for consistency purposes with
respect to the other semaphore-related entry points:

mac_init_sysv_sema() -> mac_init_sysv_sem()
mac_destroy_sysv_sem() -> mac_destroy_sysv_sem()
mac_create_sysv_sema() -> mac_create_sysv_sem()
mac_cleanup_sysv_sema() -> mac_cleanup_sysv_sem()

Congruent changes are made to the policy interface to support this.

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
2005-06-07 05:03:28 +00:00
Robert Watson
8e37dd2bb9 Remove end-of-line tabs.
MFC after:	3 days
2005-04-18 11:51:10 +00:00
Sam Leffler
b53d6ac575 check copyin return value
Noticed by:	Coverity Prevent analysis tool
2005-03-19 04:34:23 +00:00
Christian S.J. Peron
84f85aedef Add much needed descriptions for a number of the IPC related sysctl OIDs.
This information will be very useful for people who are tuning applications
which have a dependence on IPC mechanisms.

The following OIDs were documented:

Message queues:
 kern.ipc.msgmax
 kern.ipc.msgmni
 kern.ipc.msgmnb
 kern.ipc.msgtlq
 kern.ipc.msgssz
 kern.ipc.msgseg

Semaphores:
 kern.ipc.semmap
 kern.ipc.semmni
 kern.ipc.semmns
 kern.ipc.semmnu
 kern.ipc.semmsl
 kern.ipc.semopm
 kern.ipc.semume
 kern.ipc.semusz
 kern.ipc.semvmx
 kern.ipc.semaem

Shared memory:
 kern.ipc.shmmax
 kern.ipc.shmmin
 kern.ipc.shmmni
 kern.ipc.shmseg
 kern.ipc.shmall
 kern.ipc.shm_use_phys
 kern.ipc.shm_allow_removed
 kern.ipc.shmsegs

These new descriptions can be viewed using sysctl -d

PR:		kern/65219
Submitted by:	Dan Nelson <dnelson at allantgroup dot com> (modified)
No objections:	developers@
Descriptions reviewed by: gnn
MFC after:	1 week
2005-02-12 01:22:39 +00:00
Robert Watson
a6009aa7c1 Invoke label initialization, creation, cleanup, and tear-down MAC
Framework entry points for System V IPC semaphores.

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2005-01-22 19:04:17 +00:00
Warner Losh
9454b2d864 /* -> /*- for copyright notices, minor format tweaks as necessary 2005-01-06 23:35:40 +00:00
Robert Watson
53d0031d37 Correct two incorrectly merged changes introduced in sysv_sem.c:1.71:
return EINVAL rather than setting error, and don't free sops
unconditionally.  The first change was merged accidentally as part of
the larger set of changes to introduce MAC labels and access control,
and potentially lead to continued processing of a request even after
it was determined to be invalid.  The second change was due to changes
in the semaphore code since the original work was performed.

Pointed out by:	truckman
2004-11-13 08:06:40 +00:00
Robert Watson
921d05b90d Second of several commits to allow kernel System V IPC data structures
to be modified and extended without breaking the user space ABI:

Use _kernel variants on _ds structures for System V sempahores, message
queues, and shared memory.  When interfacing with userspace, export
only the _ds subsets of the _kernel data structures.  A lot of search
and replace.

Define the message structure in the _KERNEL portion of msg.h so that it
can be used by other kernel consumers, but not exposed to user space.

Submitted by:	Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, SPAWAR, McAfee Research
2004-11-12 13:23:47 +00:00
Poul-Henning Kamp
77409fe148 Add missing #include <sys/module.h> 2004-05-30 20:34:58 +00:00
Colin Percival
018e32c194 Adjust the number of processes waiting on a semaphore properly if we're
woken up in the middle of sleeping.

PR:		misc/64347
Reviewed by:	tjr
MFC after:	7 days
2004-03-17 09:37:13 +00:00
Tim J. Robbins
f5925b7436 Reduce the overhead of semop() by using the kernel stack instead of
malloc'd memory to store the operations array if it is small enough
to fit.
2003-12-19 13:07:17 +00:00
Tim J. Robbins
4d93f53e74 Initialize sequence numbers to 0 in seminit() instead of using whatever
garbage happens to be in memory. This did not seem to cause any problems
except making semaphore ID's unpredictable (and ugly in ipcs(1) output).
2003-11-15 11:56:53 +00:00
Tim J. Robbins
541c3b66b5 When there are no free sem_undo structs available in semu_alloc(), only
free one sem_undo with un_cnt == 0 instead of all of them. This is a
temporary workaround until the SLIST_FOREACH_PREVPTR loop gets fixed so
that it doesn't cause cycles in semu_list when removing multiple adjacent
items. It might be easier to just use (doubly-linked) LISTs here instead
of complicated SLIST code to achieve O(1) removals.

This bug manifested itself as a complete lockup under heavy semaphore use
by multiple processes with the SEM_UNDO flag set.

PR:		58984
2003-11-10 07:22:41 +00:00
Robert Watson
a2f88a8b7c Slight whitespace consistency improvement:
Trim trailing whitespace.
  Remove unmatched " " before ")".
2003-11-07 04:47:14 +00:00
Mike Silbersack
184dcdc7c8 Change all SYSCTLS which are readonly and have a related TUNABLE
from CTLFLAG_RD to CTLFLAG_RDTUN so that sysctl(8) can provide
more useful error messages.
2003-10-21 18:28:36 +00:00
Jacques Vidrine
01b9dc96e3 Update some argument-documenting comments to match reality.
Add an explicit range check to those same arguments to reduce risk of
cardiac arrest in future code readers.
2003-08-07 16:42:27 +00:00
David E. O'Brien
677b542ea2 Use __FBSDID(). 2003-06-11 00:56:59 +00:00
John Baldwin
75b8b3b25c Replace the at_fork, at_exec, and at_exit functions with the slightly more
flexible process_fork, process_exec, and process_exit eventhandlers.  This
reduces code duplication and also means that I don't have to go duplicate
the eventhandler locking three more times for each of at_fork, at_exec, and
at_exit.

Reviewed by:	phk, jake, almost complete silence on arch@
2003-03-24 21:15:35 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Tim J. Robbins
af7cbce89c Fix two fatal signedness errors introduced when i and j in semop()
were changed from int to size_t in the previous revision.

PR:		47625
2003-01-29 12:30:59 +00:00
Alfred Perlstein
3beb32709d Bring semop() closer the the opengroup standards.
PR: 47471
Submitted by: Craig Rodrigues <rodrigc@attbi.com>
2003-01-25 21:27:37 +00:00
Alfred Perlstein
44956c9863 Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
Alfred Perlstein
871de19fab Don't leak memory in semop(2). (Fix a bug I introduced in rev 1.55.)
Detective work by: jake
2002-10-19 02:07:35 +00:00
Alfred Perlstein
149004e99d Make SYSVSEM mpsafe. Each semaphore set gets its own lock, however
there is a global lock over the undo structures because of the way
they are managed.

Switch to using SLIST instead of rolling our own linked list.

Fix several races where a permission check was done before a
copyin/copyout, if the copy happened to fault it may have been
possible to race for access to a semaphore set that one shouldn't
have access to.

Requested by: rwatson
Tested by: NetBSD regression suite.
2002-08-13 08:47:17 +00:00
Alfred Perlstein
4442e4a436 Cleanup:
Fix line wrapping.
Remove 'register'.
malloc(9) with M_WAITOK can't fail, so remove checks for that.
2002-08-05 05:16:09 +00:00
Alfred Perlstein
fd6d9be4f5 Cleanup:
Define a debug printf macro rather than wrapping all calls to printf
with #ifdefs.
2002-07-22 18:27:54 +00:00
Alfred Perlstein
2cc593fd8e Remove caddr_t. 2002-07-22 16:12:55 +00:00
Alfred Perlstein
4d77a549fe Remove __P. 2002-03-19 21:25:46 +00:00
Peter Wemm
3ba30c18a2 Pacify gcc-3.1+, initialize two variables to avoid -Wuninitialized
warnings.
2002-03-19 10:57:40 +00:00
Maxim Konovalov
cf11f48256 Fix a typo, unbreak the world.
Thanks to:	mux
Approved by:	ru
2002-03-06 12:28:51 +00:00
Maxim Konovalov
9dfd307b10 Maximum semid is seminfo.semmni not seminfo.semmsl.
PR:		kern/34979
Submitted by:	James Gritton <jamie@gritton.org>
Reviewed by:	alfred, ru
Approved by:	ru
MFC after:	1 week
2002-03-06 10:52:49 +00:00
John Baldwin
c6f55f33ea - Use td_ucred for jail checks.
- Move jail checks and some other checks involving constants and stack
  variables out from under Giant.  This isn't perfectly safe atm because
  jail_sysvipc_allowed is read w/o a lock meaning that its value could be
  stale.  This global variable will soon become a per-jail flag, however,
  at which time it will either not need a lock or will use the prison lock.
2002-03-05 18:57:36 +00:00
John Baldwin
4a7d6cd251 Fix Giant leakage in several error cases in __semctl(). 2002-02-27 19:12:14 +00:00
John Baldwin
a854ed9893 Simple p_ucred -> td_ucred changes to start using the per-thread ucred
reference.
2002-02-27 18:32:23 +00:00
Robert Watson
b541b65d91 Rehash of 1.43: simply remove the comment, since it's highly redundant
and only partially correct.
2002-02-18 16:02:24 +00:00