Add linux POSIX message queue support (Ricardo Branco)

Move proc_lock into the data segment. It was dynamically allocated because
at the time we had mutex_obj_alloc() but not __cacheline_aligned.

Add ACL support for FFS. From FreeBSD.

Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.

Note that there are still a number of device and pseudo-device modules
that create entr

Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.

Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.

show more ...

Prevent O_EXEC for mq_open(2), and O_EXEC with a writable fd for open(2).

mq_send1: fix argument validation and reject too large lengths early.
Discovered by Andy Nguyen.

Handle p->p_mqueue_cnt in a symmetric manner.

While this change does mean that each open mqd_t counts against the
limit, it also means that p_mqueue_cnt will never wrap below 0.

Discovered by the R

Handle p->p_mqueue_cnt in a symmetric manner.

While this change does mean that each open mqd_t counts against the
limit, it also means that p_mqueue_cnt will never wrap below 0.

Discovered by the Rust nix crate test suite. It opens the same mq twice
(once for writes, once for reads), and then proceeds to close each of
them, which resulted in p_mqueue_cnt wrapping to (u_int)-1, preventing
the process from opening any more mqueues, and all subsequent
mq(3)-related tests to fail.

show more ...

Avoid undefined behavior in mq_send1()

Do not shift a signed integer causing change of the signed bit.

sys/kern/sys_mqueue.c:881:23, left shift of 1 by 31 places cannot be represented in type 'int'

Avoid undefined behavior in mq_send1()

Do not shift a signed integer causing change of the signed bit.

sys/kern/sys_mqueue.c:881:23, left shift of 1 by 31 places cannot be represented in type 'int'

Detected with Kernel Undefined Behavior Sanitizer.

Reported by <Harry Pantazis>

show more ...

Avoid undefined behavior in mq_recv1()

Do not shift a signed integer causing change of the signed bit.

sys/kern/sys_mqueue.c:712:24, left shift of 1 by 31 places cannot be represented in type 'int'

Avoid undefined behavior in mq_recv1()

Do not shift a signed integer causing change of the signed bit.

sys/kern/sys_mqueue.c:712:24, left shift of 1 by 31 places cannot be represented in type 'int'

Detected with Kernel Undefined Behavior Sanitizer.

Reported by <Harry Pantazis>

show more ...

add fo_name so we can identify the fileops in a simple way.

CID 1308958: Fix reversed arguments in copyin(9)

Make mqueue_get public, rearrange mq_open into a helper function that can
be called from compat code, adapt mqueue_create accordingly.

Try not to use f_data, use f_{vnode,socket,pipe,mqueue,kqueue,ksem} to get
a correctly typed pointer.

Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicat

Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

show more ...

Centralize the computation of struct timespec to the int timo.
Make lwp_park take the regular arguments for specifying what kind
of timeout we supply like clock_nanosleep(), namely clockid_t and flag

Centralize the computation of struct timespec to the int timo.
Make lwp_park take the regular arguments for specifying what kind
of timeout we supply like clock_nanosleep(), namely clockid_t and flags.

show more ...

Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.

Most of these changes were brought up in the follow

Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.

Most of these changes were brought up in the following messages:

http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html

Thanks to christos, manu, njoly, and jmmv for input.

Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.

show more ...

Add missing <sys/atomic.h> include.

- Move some checks into mqueue_get() and avoid some duplication.
- Simplify message queue descriptor unlinking and closure operations.
- Update proc_t::p_mqueue_cnt atomically. Inherit it on fork().

- Move some checks into mqueue_get() and avoid some duplication.
- Simplify message queue descriptor unlinking and closure operations.
- Update proc_t::p_mqueue_cnt atomically. Inherit it on fork().
- Use separate allocation for the name of message queue.

show more ...

mq_poll_fop: return only those events which are polled.

Get rid of SYSCTL_SETUP.

We want the sysctl variables also when mqueue(3) is loaded as a module.

If a multithreaded app closes an fd while another thread is blocked in
read/write/accept, then the expectation is that the blocked thread will
exit and the close complete.
Since only one fd is affect

If a multithreaded app closes an fd while another thread is blocked in
read/write/accept, then the expectation is that the blocked thread will
exit and the close complete.
Since only one fd is affected, but many fd can refer to the same file,
the close code can only request the fs code unblock with ERESTART.
Fixed for pipes and sockets, ERESTART will only be generated after such
a close - so there should be no change for other programs.
Also rename fo_abort() to fo_restart() (this used to be fo_drain()).
Fixes PR/26567

show more ...

fix some security critical bugs:
-an invalid signal number passed to mq_notify(2) could crash the kernel
on delivery -- add a boundary check
-mq_receive(2) from an empty queue crashed the kernel by

fix some security critical bugs:
-an invalid signal number passed to mq_notify(2) could crash the kernel
on delivery -- add a boundary check
-mq_receive(2) from an empty queue crashed the kernel by NULL dereference
in timeout calculation -- handle the NULL case
-likewise for mq_send(2) to a full queue
-a user could set mq_maxmsg (the maximal number of messages in a queue)
to a huge value on mq_open(O_CREAT) and later use up all kernel
memory by mq_send(2) -- add a sysctl'able limit which defaults
to 16*mq_def_maxmsg

(mq_notify(2) should get some more checks, and SIGEV_* values other
than SIGEV_SIGNAL should be handled somehow, but this doesn't look
security critical)

show more ...

Rename fo_drain() to fo_abort(), 'drain' is used to mean 'wait for output
do drain' in many places, whereas fo_drain() was called in order to force
blocking read()/write() etc calls to return to user

Rename fo_drain() to fo_abort(), 'drain' is used to mean 'wait for output
do drain' in many places, whereas fo_drain() was called in order to force
blocking read()/write() etc calls to return to userspace so that a close()
call from a different thread can complete.
In the sockets code comment out the broken code in the inner function,
it was being called from compat code.

show more ...

- Move inittimeleft() and gettimeleft() to subr_time.c, where they belong.
- Move abstimeout2timo() there too and export. Use it in lwp_park().

mq_timedsend/mq_timedreceive: timeout value is absolute, not relative.
While here, drop unecessary (since fdesc API changes) lwp_t arguments.

Bug reported by Stathis Kamperis, thanks!