path: root/hurd
Commit message | Author | Age | Files | Lines
* Update hurd/hurdselect.c to be more portable. | Flavio Cruz | 2023-05-06 | 2 | -21/+15
  Summary of changes:
  - Use BAD_TYPECHECK to perform type checking in a cleaner way. BAD_TYPECHECK is moved into sysdeps/mach/rpc.h to avoid duplication.
  - Remove assertions for mach_msg_type_t since those won't work for x86_64.
  - Update message structs to use mach_msg_type_t directly.
  - Use designated initializers.

  Message-Id: <ZFa+roan3ioo0ONM@jupiter.tail36e24.ts.net>
* Update hurd/intr-msg.c to be more portable | Flavio Cruz | 2023-05-05 | 1 | -13/+21
  Summary of the changes:
  - Introduce BAD_TYPECHECK from MiG to make it simpler to do type checking.
  - Replace int type with mach_msg_type_t. This assumes that mach_msg_type_t is always the same size as int which is not true for x86_64.
  - Calculate the size and align using PTR_ALIGN_UP, which is a bit cleaner and similar to what we do elsewhere.
  - Define mach_msg_type_t to check using designated initializers.

  Message-Id: <ZFMvrIkvoCSxqB/C@jupiter.tail36e24.ts.net>
* hurd: Replace reply port with a dead name on failed interruption | Sergey Bugaev | 2023-05-01 | 2 | -3/+13
  If we're trying to interrupt an interruptible RPC, but the server fails to respond to our __interrupt_operation () call, we instead destroy the reply port we were expecting the reply to the RPC on.

  Instead of deallocating the name completely, replace it with a dead name, so the name won't get reused for some other right, and deallocate it in _hurd_intr_rpc_mach_msg once we return from the signal handler.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230429201822.2605207-4-bugaevc@gmail.com>
* hurd: Mark error functions as __COLD | Sergey Bugaev | 2023-04-29 | 2 | -5/+5
  This should hopefully hint the compiler that they are unlikely to be called.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230429131223.2507236-2-bugaevc@gmail.com>
* hurd: Fix FS_RETRY_MAGICAL "machtype" handling | Sergey Bugaev | 2023-04-29 | 1 | -7/+4
  We need to set file_name, not update retryname. This is what the other branches do.

  Before this change, any attempt to access such a file would segfault due to file_name being unset:

      $ settrans -ac /tmp/my-machtype /hurd/magic machtype
      $ cat /tmp/my-machtype
      Segmentation fault

  Checked on i686-gnu.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230429131354.2507443-7-bugaevc@gmail.com>
* hurd: Respect existing FD_CLOEXEC in S_msg_set_fd | Sergey Bugaev | 2023-04-29 | 1 | -1/+7
  If the process has set the close-on-exec flag for the file descriptor, it expects the file descriptor to get closed on exec, even if we replace what the file descriptor refers to.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230429131354.2507443-6-bugaevc@gmail.com>
* hurd: Don't leak the auth port in msg* RPCs | Sergey Bugaev | 2023-04-29 | 1 | -9/+58
  The leak can be easily reproduced (and observed) using the portinfo tool:

      $ portinfo -v $$ | grep task
      36: send task(1577)(self) (refs: 127)
      $ portinfo -v $$ | grep task
      36: send task(1577)(self) (refs: 253)
      $ portinfo -v $$ | grep task
      36: send task(1577)(self) (refs: 379)
      $ portinfo -v $$ | grep task
      36: send task(1577)(self) (refs: 505)
      $ portinfo -v $$ | grep task
      36: send task(1577)(self) (refs: 631)

  Checked on i686-gnu.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230429131354.2507443-5-bugaevc@gmail.com>
* hurd: Mark various conditions as unlikely | Sergey Bugaev | 2023-04-29 | 2 | -7/+7
  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230429131354.2507443-3-bugaevc@gmail.com>
* hurd: Move libc_hidden_def's around | Sergey Bugaev | 2023-04-29 | 1 | -4/+5
  Each libc_hidden_def should be placed immediately next to its function, not in some random unrelated place.

  No functional change.

  Fixes: 653d74f12abea144219af00400ed1f1ac5dfa79f "hurd: Global signal disposition"
  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230429131354.2507443-2-bugaevc@gmail.com>
* hurd: Simplify _hurd_critical_section_lock a bit | Sergey Bugaev | 2023-04-29 | 1 | -13/+6
  This block of code was doing exactly what _hurd_self_sigstate does; so just call that and let it do its job.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230429131354.2507443-1-bugaevc@gmail.com>
* hurd: Avoid leaking task & thread ports | Sergey Bugaev | 2023-04-18 | 1 | -0/+6
  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
* hurd: Simplify _S_catch_exception_raise | Sergey Bugaev | 2023-04-18 | 1 | -7/+1
  _hurd_thread_sigstate () already handles finding an existing sigstate before allocating a new one, so just use that. Bonus: this will only lock the _hurd_siglock once.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
* hurd: Run init_pids () before init_dtable () | Sergey Bugaev | 2023-04-17 | 1 | -9/+9
  Much as the comment says, things on _hurd_subinit assume that _hurd_pid is already initialized by the time _hurd_subinit is run, so _hurd_proc_subinit has to run before it. Specifically, init_dtable () calls _hurd_port2fd (), which uses _hurd_pid and _hurd_pgrp to set up ctty handling. With _hurd_subinit running before _hurd_proc_subinit, ctty setup was broken:

      13<--33(pid1255)->term_getctty () = 0 4<--39(pid1255)
      task16(pid1255)->mach_port_deallocate (pn{ 10}) = 0
      13<--33(pid1255)->term_open_ctty (0 0) = 0x40000016 (Invalid argument)

  Fix this by running the _hurd_proc_subinit hook in the correct place -- just after _hurd_portarray is set up (so the proc server port is available in its usual place) and just before running _hurd_subinit.

  Fixes 1ccbb9258eed0f667edf459a28ba23a805549b36 ("hurd: Notify the proc server later during initialization").

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
* hurd: Avoid extra ctty RPCs in init_dtable () | Sergey Bugaev | 2023-04-17 | 1 | -7/+39
  It is common to have (some of) stdin, stdout and stderr point to the very same port. We were making the ctty RPCs that _hurd_port2fd () does for each one of them separately:

  1. term_getctty ()
  2. mach_port_deallocate ()
  3. term_open_ctty ()

  Instead, let's detect this case and duplicate the ctty port we already have. This means we do 1 RPC instead of 3 (and create a single protid on the server side) if the file is our ctty, and no RPCs instead of 1 if it's not. A clear win!

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
* hurd: Remove __hurd_local_reply_port | Sergey Bugaev | 2023-04-14 | 1 | -7/+0
  Now that the signal code no longer accesses it, the only real user of it was mig-reply.c, so move the logic for managing the port there.

  If we're in SHARED and outside of rtld, we know that __LIBC_NO_TLS () always evaluates to 0, and a TLS reply port will always be used, not __hurd_reply_port0. Still, the compiler does not see that __hurd_reply_port0 is never used due to its address being taken. To deal with this, explicitly compile out __hurd_reply_port0 when we know we won't use it.

  Also, instead of accessing the port via THREAD_SELF->reply_port, this uses THREAD_GETMEM and THREAD_SETMEM directly, avoiding possible miscompilations.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
* hurd: Improve reply port handling when exiting signal handlers | Sergey Bugaev | 2023-04-10 | 1 | -13/+11
  If we're doing signals, that means we've already got the signal thread running, and that implies TLS having been set up. So we know that __hurd_local_reply_port will resolve to THREAD_SELF->reply_port, and can access that directly using the THREAD_GETMEM and THREAD_SETMEM macros. This avoids potential miscompilations, and should also be a tiny bit faster.

  Also, use mach_port_mod_refs () and not mach_port_destroy () to destroy the receive right. mach_port_destroy () should *never* be used on mach_task_self (); this can easily lead to port use-after-free vulnerabilities if the task has any other references to the same port.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230319151017.531737-26-bugaevc@gmail.com>
* hurd: Do not declare local variables volatile | Sergey Bugaev | 2023-04-10 | 1 | -1/+1
  These are just regular local variables that are not accessed in any funny ways, not even through a pointer. There's absolutely no reason to declare them volatile. It only ends up hurting the quality of the generated machine code.

  If anything, it would make sense to declare sigsp as *pointing* to volatile memory (volatile void *sigsp), but evidently that's not needed either.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230403115621.258636-2-bugaevc@gmail.com>
* hurd: Microoptimize _hurd_self_sigstate () | Sergey Bugaev | 2023-04-03 | 1 | -3/+5
  When THREAD_GETMEM is defined with inline assembly, the compiler may not optimize away the two reads of _hurd_sigstate. Help it out a little bit by only reading it once. This also makes for a slightly cleaner code.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230319151017.531737-32-bugaevc@gmail.com>
* hurd: Fix _hurd_setup_sighandler () signature | Sergey Bugaev | 2023-04-03 | 1 | -5/+5
  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230319151017.531737-10-bugaevc@gmail.com>
* hurd: Disable O_TRUNC and FS_RETRY_MAGICAL in rtld | Sergey Bugaev | 2023-04-03 | 1 | -2/+5
  hurd/lookup-retry.c is compiled into rtld, the dynamic linker/loader. To avoid pulling in file_set_size, file_utimens, tty/ctty stuff, more string/memory code (memmove, strncpy, strcpy), and more strtoul/itoa code, compile out support for O_TRUNC and FS_RETRY_MAGICAL when building hurd/lookup-retry.c for rtld. None of that functionality is useful to rtld during startup anyway. Keep support for FS_RETRY_MAGICAL("/"), since that does not pull in much, and is required for following absolute symlinks.

  The large number of extra code being pulled into rtld was noticed by reviewing librtld.map & elf/librtld.os.map in the build tree.

  It is worth noting that once libc.so is loaded, the real __open, __stat, etc. replace the minimal versions used initially by rtld -- this is especially important in the Hurd port, where the minimal rtld versions do not use the dtable and just pass real Mach port names as fds. Thus, once libc.so is loaded, rtld will gain access to the full __hurd_file_name_lookup_retry () version, complete with FS_RETRY_MAGICAL support, which is important in case the program decides to dlopen ("/proc/self/fd/...") or some such.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230319151017.531737-9-bugaevc@gmail.com>
* hurd: Fix file name in #error | Sergey Bugaev | 2023-04-03 | 1 | -1/+1
  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230319151017.531737-8-bugaevc@gmail.com>
* hurd: Swap around two function calls | Sergey Bugaev | 2023-04-03 | 1 | -4/+4
  ...to keep `sigexc' port initialization in one place, and match what the comments say.

  No functional change.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230319151017.531737-7-bugaevc@gmail.com>
* hurd: Remove __hurd_threadvar_stack_{offset,mask} | Sergey Bugaev | 2023-04-03 | 2 | -20/+0
  No one is or should be using __hurd_threadvar_stack_{offset,mask}, we have proper TLS now. These two remaining variables are never set to anything other than zero, so any code that would try to use them as described would just dereference a zero pointer and crash. So remove them entirely.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230319151017.531737-6-bugaevc@gmail.com>
* hurd: Make exception subcode a long | Sergey Bugaev | 2023-04-03 | 3 | -4/+5
  On EXC_BAD_ACCESS, exception subcode is used to pass the faulting memory address, so it needs to be (at least) pointer-sized. Thus, make it into a long. This matches the corresponding change in GNU Mach.

  Message-Id: <20230319151017.531737-5-bugaevc@gmail.com>
* Remove set-hooks.h from generic includes | Adhemerval Zanella Netto | 2023-03-27 | 1 | -0/+96
  The hooks mechanism uses symbol sets for running lists of functions, which requires either extra linker directives to provide any hardening (such as RELRO) or additional code (such as pointer obfuscation via mangling with random value).

  Currently only hurd uses set-hooks.h so we remove it from the generic includes. The generic implementation uses direct function calls which provide hardening and good code generation, observability and debugging without the need for extra linking options or special code handling.

  Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* hurd: Fix some broken indentation | Sergey Bugaev | 2023-03-02 | 1 | -50/+51
  Also, fix a couple of typos. No functional change.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230301162355.426887-2-bugaevc@gmail.com>
* hurd: Remove the ecx kludge | Sergey Bugaev | 2023-03-02 | 1 | -5/+13
  "We don't need it any more"

  The INTR_MSG_TRAP macro in intr-msg.h used to play a little trick with the stack pointer: it would temporarily save the "real" stack pointer into ecx, while setting esp to point to just before the message buffer, and then invoke the mach_msg trap. This way, INTR_MSG_TRAP reused the on-stack arguments laid out for the containing call of _hurd_intr_rpc_mach_msg (), passing them to the mach_msg trap directly.

  This, however, required special support in hurdsig.c and trampoline.c, since they now had to recognize when a thread is inside the piece of code where esp doesn't point to the real tip of the stack, and handle this situation specially.

  Commit 1d20f33ff4fb634310f27493b7b87d0b20f4a0b0 has removed the actual temporary change of esp by actually re-pushing mach_msg arguments onto the stack, and popping them back at end. It did not, however, deal with the rest of "the ecx kludge" code in other files, resulting in potential crashes if a signal arrives in the middle of pushing arguments onto the stack.

  Fix that by removing "the ecx kludge". Instead, when we want a thread to skip the RPC, but cannot just make it jump to after the trap since it's not done adjusting the stack yet, set the SYSRETURN register to MACH_SEND_INTERRUPTED (as we do anyway), and rely on the thread itself for detecting this case and skipping the RPC.

  This simplifies things somewhat and paves the way for a future x86_64 port of this code.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230301162355.426887-1-bugaevc@gmail.com>
* hurd: Use proper integer types | Sergey Bugaev | 2023-02-20 | 1 | -3/+3
  Fix a few more cases of build errors caused by mismatched types. This is a continuation of f4315054b46d5e58b44a709a51943fb73f846afb.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230218203717.373211-3-bugaevc@gmail.com>
* hurd: Fix unwinding over INTR_MSG_TRAP in shared too | Samuel Thibault | 2023-02-14 | 1 | -0/+1
  This follows 63550530d98d ("hurd: Fix unwinding over INTR_MSG_TRAP"), for the shared library case.
* hurd: Fix xattr error value | Sergey Bugaev | 2023-02-12 | 1 | -1/+1
  This does not seem like it is supposed to return negative error codes.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230212111044.610942-5-bugaevc@gmail.com>
* mach, hurd: Cast through uintptr_t | Sergey Bugaev | 2023-02-12 | 4 | -9/+17
  When casting between a pointer and an integer of a different size, GCC emits a warning (which is escalated to a build failure by -Werror). Indeed, if what you start with is a pointer, which you then cast to a shorter integer and then back again, you're going to cut off some bits of the pointer.

  But if you start with an integer (such as mach_port_t), then cast it to a longer pointer (void *), and then back to a shorter integer, you are fine. To keep GCC happy, cast through an intermediary uintptr_t, which is always the same size as a pointer.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230212111044.610942-4-bugaevc@gmail.com>
* hurd: Use mach_msg_type_number_t where appropriate | Sergey Bugaev | 2023-02-12 | 4 | -5/+5
  It has been decided that on x86_64, mach_msg_type_number_t stays 32-bit. Therefore, it's not possible to use mach_msg_type_number_t interchangeably with size_t, in particular this breaks when a pointer to a variable is passed to a MIG routine.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230212111044.610942-3-bugaevc@gmail.com>
* hurd: Fix unwinding over INTR_MSG_TRAP | Samuel Thibault | 2023-02-09 | 1 | -0/+3
  We used to use .cfi_adjust_cfa_offset around %esp manipulation asm instructions to fix unwinding, but when building glibc with -fno-omit-frame-pointer this is bogus since in that case %ebp is the CFA and does not move.

  Instead, let's force -fno-omit-frame-pointer when building intr-msg.c so that %ebp can always be used and no .cfi_adjust_cfa_offset is needed.
* Remove support setting custom demuxers during signal handling. | Flavio Cruz | 2023-02-01 | 1 | -17/+0
  We seem to call only into the exception and message server routines.

  Message-Id: <Y9dpRZs3QYk2oZm+@jupiter.tail36e24.ts.net>
* hurd: Implement O_TMPFILE | Sergey Bugaev | 2023-02-01 | 1 | -0/+21
  This is a flag that causes open () to create a new, unnamed file in the same filesystem as the given directory. The file descriptor can be simply used in the creating process as a temporary file, or shared with children processes via fork (), or sent over a Unix socket. The file can be left anonymous, in which case it will be deleted from the backing file system once all copies of the file descriptor are closed, or given a permanent name with a linkat () call, such as the following:

      int fd = open ("/tmp", O_TMPFILE | O_RDWR, 0700);
      /* Do something with the file... */
      linkat (fd, "", AT_FDCWD, "/tmp/filename", AT_EMPTY_PATH);

  In between creating the file and linking it to the file system, it is possible to set the file content, mode, ownership, author, and other attributes, so that the file visibly appears in the file system (perhaps replacing another file) atomically, with all of its attributes already set up.

  The Hurd support for O_TMPFILE directly exposes the dir_mkfile RPC to user programs. Previously, dir_mkfile was used by glibc internally, in particular for implementing tmpfile (), but not exposed to user programs through a Unix-level API.

  O_TMPFILE was initially introduced by Linux. This implementation is intended to be compatible with the Linux implementation, except that the O_EXCL flag is not given the special meaning when used together with O_TMPFILE, unlike on Linux.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230130125216.6254-3-bugaevc@gmail.com>
* hurd: Consolidate file_name_lookup implementation | Sergey Bugaev | 2023-02-01 | 2 | -24/+37
  Instead of __file_name_lookup_at delegating to __file_name_lookup in simple cases, make __file_name_lookup_at deal with both cases, and have __file_name_lookup simply wrap __file_name_lookup_at.

  This factorizes handling the empty name case.

  Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
  Message-Id: <20230130125216.6254-2-bugaevc@gmail.com>
* Update copyright dates with scripts/update-copyrights | Joseph Myers | 2023-01-06 | 88 | -88/+88
* hurd hurdstartup: Initialize remaining fields of hurd_startup_data | Samuel Thibault | 2023-01-02 | 1 | -0/+5
  In case we don't have a bootstrap port or __exec_startup_get_info failed, we should avoid leaking uninitialized fields of data.
* hurd _S_msg_add_auth: Initialize new arrays to 0 | Samuel Thibault | 2023-01-02 | 1 | -6/+9
  If make_list fails, they would be undefined, and freeup would free uninitialized pointers.
* Use PTR_MANGLE and PTR_DEMANGLE unconditionally in C sources | Florian Weimer | 2022-10-18 | 1 | -2/+0
  In the future, this will result in a compilation failure if the macros are unexpectedly undefined (due to header inclusion ordering or header inclusion missing altogether).

  Assembler sources are more difficult to convert. In many cases, they are hand-optimized for the mangling and no-mangling variants, which is why they are not converted.

  sysdeps/s390/s390-32/__longjmp.c and sysdeps/s390/s390-64/__longjmp.c are special: These are C sources, but most of the implementation is in assembler, so the PTR_DEMANGLE macro has to be undefined in some cases, to match the assembler style.

  Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Introduce <pointer_guard.h>, extracted from <sysdep.h> | Florian Weimer | 2022-10-18 | 1 | -1/+1
  This allows us to define a generic no-op version of PTR_MANGLE and PTR_DEMANGLE. In the future, we can use PTR_MANGLE and PTR_DEMANGLE unconditionally in C sources, avoiding an unintended loss of hardening due to missing include files or unlucky header inclusion ordering.

  In i386 and x86_64, we can avoid a <tls.h> dependency in the C code by using the computed constant from <tcb-offsets.h>. <sysdep.h> no longer includes these definitions, so there is no cyclic dependency anymore when computing the <tcb-offsets.h> constants.

  Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Use atomic_exchange_release/acquire | Wilco Dijkstra | 2022-09-26 | 1 | -1/+1
  Rename atomic_exchange_rel/acq to use atomic_exchange_release/acquire since these map to the standard C11 atomic builtins.

  Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* hurd: Fix vm_size_t incoherencies | Samuel Thibault | 2022-08-29 | 6 | -7/+8
  In gnumach, 3e1702a65fb3 ("add rpc_versions for vm types") changed the type of vm_size_t, making it always an unsigned long. This made it incompatible on x86 with size_t. Even if we may want to revert it to unsigned int, it's better to fix the types of parameters according to the .defs files.
* Replace {u}int_fast{16|32} with {u}int32_t | Noah Goldstein | 2022-04-13 | 1 | -1/+1
  On 32-bit machines this has no effect. On 64-bit machines {u}int_fast{16|32} are set as {u}int64_t which is often not ideal. Particularly x86_64 this change both saves code size and may save instruction cost.

  Full xcheck passes on x86_64.
* hurd: Make RPC input array parameters const | Samuel Thibault | 2022-01-16 | 3 | -10/+10
  This follows mig's cf4bcc3f1435 ("Also add const qualifiers on server side")
* hurd: optimize exec cleanup | Samuel Thibault | 2022-01-16 | 1 | -12/+14
  When ports are null we do not need to request their deallocation. It is also useless to look for them in portnames.
* hurd: Fix exec() leak on proc_task2proc failure | Samuel Thibault | 2022-01-15 | 1 | -2/+2
  env is allocated after args, so should be freed before it.
* hurd: nuke all unknown ports on exec | Samuel Thibault | 2022-01-04 | 1 | -7/+39
  Ports which are not in the ports table or dtable will not make sense for the new program, so we can nuke them. Actually we shall, otherwise we would be leaking various ports, for instance the file_t of the executed program itself.
* hurd: Fix auth port leak | Samuel Thibault | 2022-01-04 | 1 | -5/+8
  If access() was used before exec, _hurd_id.rid_auth would cache an "effective" auth port. We do not want this to leak into the executed program.
* hurd: Implement _S_msg_get_dtable | Samuel Thibault | 2022-01-02 | 1 | -4/+47
  This will be needed for implementing lsof.