UML was panicing in the case of failures of libc calls which shouldn't happen.
This is an overreaction since a failure from libc doesn't normally mean that
kernel data structures are in an unknown state. Instead, the current process
should just be killed if there is no way to recover.
The case that prompted this was a failure of PTRACE_SETREGS restoring the same
state that was read by PTRACE_GETREGS. It appears that when a process tries
to load a bogus value into a segment register, it segfaults (as expected) and
the value is actually loaded and is seen by PTRACE_GETREGS (not expected).
This case is fixed by forcing a fatal SIGSEGV on the process so that it
immediately dies. fatal_sigsegv was added for this purpose. It was declared
as noreturn, so in order to pursuade gcc that it actually does not return, I
added a call to os_dump_core (and declared it noreturn) so that I get a core
file if somehow the process survives.
All other calls in arch/um/os-Linux/skas/process.c got the same treatment,
with failures causing the process to die instead of a kernel panic, with some
exceptions.
userspace_tramp exits with status 1 if anything goes wrong there. That will
cause start_userspace to return an error. copy_context_skas0 and
map_stub_pages also now return errors instead of panicing. Callers of thes
functions were changed to check for errors and do something appropriate.
Usually that's to return an error to their callers.
check_skas3_ptrace_faultinfo just exits since that's too early to do anything
else.
save_registers, restore_registers, and init_registers now return status
instead of panicing on failure, with their callers doing something
appropriate.
There were also duplicate declarations of save_registers and restore_registers
in os.h - these are gone.
I noticed and fixed up some whitespace damage.
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The calculation of CONFIG_STUB_CODE and CONFIG_STUB_DATA didn't take into
account anything but 3G/1G and 2G/2G, leaving the other vmsplits out in the
cold.
I'd rather not duplicate the four known host vmsplit cases for each of these
symbols. I'd also like to calculate them based on the highest userspace
address.
The Kconfig language seems not to allow calculation of hex constants, so I
moved this to as-layout.h. CONFIG_STUB_CODE, CONFIG_STUB_DATA, and
CONFIG_STUB_START are now gone. In their place are STUB_CODE, STUB_DATA, and
STUB_START in as-layout.h.
i386 and x86_64 seem to differ as to whether an unadorned constant is an int
or a long, so I cast them to unsigned long so they can be printed
consistently. However, they are also used in stub.S, where C types don't work
so well. So, there are ASM_ versions of these constants for use in stub.S. I
also ifdef-ed the non-asm-friendly portion of as-layout.h.
With this in place, most of the rest of this patch is changing CONFIG_STUB_*
to STUB_*, except in stub.S, where they are changed to ASM_STUB_*.
defconfig has the old symbols deleted.
I also print these addresses out in case there is any problem mapping them on
the host.
The two stub.S files had some trailing whitespace, so that is cleaned up here.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch folds mmu_context_skas into struct mm_context, changing all users
of these structures as needed.
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Formatting changes in the files which have been changed in the course
of folding foo_skas functions into their callers. These include:
copyright updates
header file trimming
style fixes
adding severity to printks
These changes should be entirely non-functional.
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch makes a number of simplifications enabled by the removal of
CHOOSE_MODE. There were lots of functions that looked like
int foo(args){
foo_skas(args);
}
The bodies of foo_skas are now folded into foo, and their declarations (and
sometimes entire header files) are deleted.
In addition, the union uml_pt_regs, which was a union between the tt and skas
register formats, is now a struct, with the tt-mode arm of the union being
removed.
It turns out that usr2_handler was unused, so it is gone.
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2.6.23-rc1 turned up another batch of references from non-__init code to
__init code. In most cases, these were missing __init annotations. In one
case (os_drop_memory), the annotation was present but wrong.
init_maps is __init, but for some reason was being very careful about the
mechanism by which it allocated memory, checking whether it was OK to use
kmalloc (at this point in the boot, it definitely isn't) and using either
alloc_bootmem_low_pages or kmalloc/vmalloc. So, the kmalloc/vmalloc code is
removed.
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Add a separate IRQ stack. This differs from i386 in having the entire
interrupt run on a separate stack rather than starting on the normal kernel
stack and switching over once some preparation has been done. The underlying
mechanism, is of course, sigaltstack.
Another difference is that interrupts that happen in userspace are handled on
the normal kernel stack. These cause a wait wakeup instead of a signal
delivery so there is no point in trying to switch stacks for these. There's
no other stuff on the stack, so there is no extra stack consumption.
This quirk makes it possible to have the entire interrupt run on a separate
stack - process preemption (and calls to schedule()) happens on a normal
kernel stack. If we enable CONFIG_PREEMPT, this will need to be rethought.
The IRQ stack for CPU 0 is declared in the same way as the initial kernel
stack. IRQ stacks for other CPUs will be allocated dynamically.
An extra field was added to the thread_info structure. When the active
thread_info is copied to the IRQ stack, the real_thread field points back to
the original stack. This makes it easy to tell where to copy the thread_info
struct back to when the interrupt is finished. It also serves as a marker of
a nested interrupt. It is NULL for the first interrupt on the stack, and
non-NULL for any nested interrupts.
Care is taken to behave correctly if a second interrupt comes in when the
thread_info structure is being set up or taken down. I could just disable
interrupts here, but I don't feel like giving up any of the performance gained
by not flipping signals on and off.
If an interrupt comes in during these critical periods, the handler can't run
because it has no idea what shape the stack is in. So, it sets a bit for its
signal in a global mask and returns. The outer handler will deal with this
signal itself.
Atomicity is had with xchg. A nested interrupt that needs to bail out will
xchg its signal mask into pending_mask and repeat in case yet another
interrupt hit at the same time, until the mask stabilizes.
The outermost interrupt will set up the thread_info and xchg a zero into
pending_mask when it is done. At this point, nested interrupts will look at
->real_thread and see that no setup needs to be done. They can just continue
normally.
Similar care needs to be taken when exiting the outer handler. If another
interrupt comes in while it is copying the thread_info, it will drop a bit
into pending_mask. The outer handler will check this and if it is non-zero,
will loop, set up the stack again, and handle the interrupt.
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
These haven't been fixed for ages. Just make comments out of them.
arch/um/kernel/skas/process.c:181:2: warning: #warning Need to look up
+userspace_pid by cpu
arch/um/kernel/skas/process.c:187:2: warning: #warning Need to look up
+userspace_pid by cpu
arch/um/kernel/skas/process.c:194:2: warning: #warning need to loop over
+userspace_pids in kill_off_processes_skas
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
user_util.h isn't needed any more, so delete it and remove all includes of it.
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch moves all the the symbols defined in um_arch.c, which are mostly
boundaries between different parts of the UML kernel address space, to a new
header, as-layout.h. There are also a few things here which aren't really
related to address space layout, but which don't really have a better place to
go.
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Move some foo_kern.c files to foo.c now that the old foo.c files are out
of the way.
Also cleaned up some whitespace and an emacs formatting comment.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
A previous patch removed a file from the build without removing it from the
tree.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The serial UML OS-abstraction layer patch (um/kernel dir).
This moves all systemcalls from time.c file under os-Linux dir and joins
time.c and tine_kernel.c files
Signed-off-by: Gennady Sharapov <Gennady.V.Sharapov@intel.com>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The debug-stub patch was broken on x86_64 because it thinks the frame size
there is 168 words. In reality, it is 168 bytes, and using HOST_FRAME_SIZE,
which is expressed in consistent units across architectures, fixes this.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The serial UML OS-abstraction layer patch (um/kernel dir).
This moves all systemcalls from signal_user.c file under os-Linux dir
Signed-off-by: Gennady Sharapov <Gennady.V.Sharapov@intel.com>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Patch imlements full LDT handling in SKAS:
* UML holds it's own LDT table, used to deliver data on
modify_ldt(READ)
* UML disables the default_ldt, inherited from the host (SKAS3)
or resets LDT entries, set by host's clib and inherited in
SKAS0
* A new global variable skas_needs_stub is inserted, that
can be used to decide, whether stub-pages must be supported
or not.
* Uses the syscall-stub to replace missing PTRACE_LDT (therefore,
write_ldt_entry needs to be modified)
Signed-off-by: Bodo Stroesser <bstroesser@fujitsu-siemens.com>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Add some more debugging information when a stub does something unexpected,
usually segfaulting. Now, it dumps out the stub's registers as well as the
signal.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This change enables SKAS0/SKAS3 to work with all combinations of /proc/mm and
PTRACE_FAULTINFO being available or not.
Also it changes the initialization of proc_mm and ptrace_faultinfo slightly,
to ease forcing SKAS0 on a patched host. Forcing UML to run without /proc/mm
or PTRACE_FAULTINFO by cmdline parameter can be implemented with a setup
resetting the related variable.
Signed-off-by: Bodo Stroesser <bstroesser@fujitsu-siemens.com>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Running UML inside a detached screen delivers SIGWINCH when UML is not
expecting it. This patch ignores them.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Fix a typo in wait_stub_done.
Signed-off-by: Bodo Stroesser <bstroesser@fujitsu-siemens.com>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This patch implements the clone-stub mechanism, which allows skas0 to run
with proc_mm==0, even if the clib in UML uses modify_ldt.
Note: There is a bug in skas3.v7 host patch, that avoids UML-skas from
running properly on a SMP-box. In full skas3, I never really saw problems,
but in skas0 they showed up.
More commentary by jdike - What this patch does is makes sure that the host
parent of each new host process matches the UML parent of the corresponding
UML process. This ensures that any changed LDTs are inherited. This is
done by having clone actually called by the UML process from its stub,
rather than by the kernel. We have special syscall stubs that are loaded
onto the stub code page because that code must be completely
self-contained. These stubs are given C interfaces, and used like normal C
functions, but there are subtleties. Principally, we have to be careful
about stack variables in stub_clone_handler after the clone. The code is
written so that there aren't any - everything boils down to a fixed
address. If there were any locals, references to them after the clone
would be wrong because the stack just changed.
Signed-off-by: Bodo Stroesser <bstroesser@fujitsu-siemens.com>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
UML has had two modes of operation - an insecure, slow mode (tt mode) in
which the kernel is mapped into every process address space which requires
no host kernel modifications, and a secure, faster mode (skas mode) in
which the UML kernel is in a separate host address space, which requires a
patch to the host kernel.
This patch implements something very close to skas mode for hosts which
don't support skas - I'm calling this skas0. It provides the security of
the skas host patch, and some of the performance gains.
The two main things that are provided by the skas patch, /proc/mm and
PTRACE_FAULTINFO, are implemented in a way that require no host patch.
For the remote address space changing stuff (mmap, munmap, and mprotect),
we set aside two pages in the process above its stack, one of which
contains a little bit of code which can call mmap et al.
To update the address space, the system call information (system call
number and arguments) are written to the stub page above the code. The
%esp is set to the beginning of the data, the %eip is set the the start of
the stub, and it repeatedly pops the information into its registers and
makes the system call until it sees a system call number of zero. This is
to amortize the cost of the context switch across multiple address space
updates.
When the updates are done, it SIGSTOPs itself, and the kernel process
continues what it was doing.
For a PTRACE_FAULTINFO replacement, we set up a SIGSEGV handler in the
child, and let it handle segfaults rather than nullifying them. The
handler is in the same page as the mmap stub. The second page is used as
the stack. The handler reads cr2 and err from the sigcontext, sticks them
at the base of the stack in a faultinfo struct, and SIGSTOPs itself. The
kernel then reads the faultinfo and handles the fault.
A complication on x86_64 is that this involves resetting the registers to
the segfault values when the process is inside the kill system call. This
breaks on x86_64 because %rcx will contain %rip because you tell SYSRET
where to return to by putting the value in %rcx. So, this corrupts $rcx on
return from the segfault. To work around this, I added an
arch_finish_segv, which on x86 does nothing, but which on x86_64 ptraces
the child back through the sigreturn. This causes %rcx to be restored by
sigreturn and avoids the corruption. Ultimately, I think I will replace
this with the trick of having it send itself a blocked signal which will be
unblocked by the sigreturn. This will allow it to be stopped just after
the sigreturn, and PTRACE_SYSCALLed without all the back-and-forth of
PTRACE_SYSCALLing it through sigreturn.
This runs on a stock host, so theoretically (and hopefully), tt mode isn't
needed any more. We need to make sure that this is better in every way
than tt mode, though. I'm concerned about the speed of address space
updates and page fault handling, since they involve extra round-trips to
the child. We can amortize the round-trip cost for large address space
updates by writing all of the operations to the data page and having the
child execute them all at the same time. This will help fork and exec, but
not page faults, since they involve only one page.
I can't think of any way to help page faults, except to add something like
PTRACE_FAULTINFO to the host. There is PTRACE_SIGINFO, but UML doesn't use
siginfo for SIGSEGV (or anything else) because there isn't enough
information in the siginfo struct to handle page faults (the faulting
operation type is missing). Adding that would make PTRACE_SIGINFO a usable
equivalent to PTRACE_FAULTINFO.
As for the code itself:
- The system call stub is in arch/um/kernel/sys-$(SUBARCH)/stub.S. It is
put in its own section of the binary along with stub_segv_handler in
arch/um/kernel/skas/process.c. This is manipulated with run_syscall_stub
in arch/um/kernel/skas/mem_user.c. syscall_stub will execute any system
call at all, but it's only used for mmap, munmap, and mprotect.
- The x86_64 stub calls sigreturn by hand rather than allowing the normal
sigreturn to happen, because the normal sigreturn is a SA_RESTORER in
UML's address space provided by libc. Needless to say, this is not
available in the child's address space. Also, it does a couple of odd
pops before that which restore the stack to the state it was in at the
time the signal handler was called.
- There is a new field in the arch mmu_context, which is now a union.
This is the pid to be manipulated rather than the /proc/mm file
descriptor. Code which deals with this now checks proc_mm to see whether
it should use the usual skas code or the new code.
- userspace_tramp is now used to create a new host process for every UML
process, rather than one per UML processor. It checks proc_mm and
ptrace_faultinfo to decide whether to map in the pages above its stack.
- start_userspace now makes CLONE_VM conditional on proc_mm since we need
separate address spaces now.
- switch_mm_skas now just sets userspace_pid[0] to the new pid rather
than PTRACE_SWITCH_MM. There is an addition to userspace which updates
its idea of the pid being manipulated each time around the loop. This is
important on exec, when the pid will change underneath userspace().
- The stub page has a pte, but it can't be mapped in using tlb_flush
because it is part of tlb_flush. This is why it's required for it to be
mapped in by userspace_tramp.
Other random things:
- The stub section in uml.lds.S is page aligned. This page is written
out to the backing vm file in setup_physmem because it is mapped from
there into user processes.
- There's some confusion with TASK_SIZE now that there are a couple of
extra pages that the process can't use. TASK_SIZE is considered by the
elf code to be the usable process memory, which is reasonable, so it is
decreased by two pages. This confuses the definition of
USER_PGDS_IN_LAST_PML4, making it too small because of the rounding down
of the uneven division. So we round it to the nearest PGDIR_SIZE rather
than the lower one.
- I added a missing PT_SYSCALL_ARG6_OFFSET macro.
- um_mmu.h was made into a userspace-usable file.
- proc_mm and ptrace_faultinfo are globals which say whether the host
supports these features.
- There is a bad interaction between the mm.nr_ptes check at the end of
exit_mmap, stack randomization, and skas0. exit_mmap will stop freeing
pages at the PGDIR_SIZE boundary after the last vma. If the stack isn't
on the last page table page, the last pte page won't be freed, as it
should be since the stub ptes are there, and exit_mmap will BUG because
there is an unfreed page. To get around this, TASK_SIZE is set to the
next lowest PGDIR_SIZE boundary and mm->nr_ptes is decremented after the
calls to init_stub_pte. This ensures that we know the process stack (and
all other process mappings) will be below the top page table page, and
thus we know that mm->nr_ptes will be one too many, and can be
decremented.
Things that need fixing:
- We may need better assurrences that the stub code is PIC.
- The stub pte is set up in init_new_context_skas.
- alloc_pgdir is probably the right place.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
So, there I was, looking at my own code, wondering what the magic setjmp
return values did. This patch turns the constants that are used to make
requests of the initial thread into meaningful symbols.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This makes SIGWINCH work again, and fixes a couple of SIGWINCH-associated
crashes. First, the sigio thread disables SIGWINCH because all hell breaks
loose if it ever gets one and tries to call the signal handling code. Second,
there was a problem with deferencing tty structs after they were freed. The
SIGWINCH support for a tty wasn't being turned off or freed after the tty went
away.
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This patch removes the arch-specific fault/trap-infos from thread and
skas-regs.
It adds a new struct faultinfo, that is arch-specific defined in
sysdep/faultinfo.h.
The structure is inserted in thread.arch and thread.regs.skas and
thread.regs.tt
Now, segv and other trap-handlers can copy the contents from regs.X.faultinfo
to thread.arch.faultinfo with one simple assignment.
Also, the number of macros necessary is reduced to
FAULT_ADDRESS(struct faultinfo)
extracts the faulting address from faultinfo
FAULT_WRITE(struct faultinfo)
extracts the "is_write" flag
SEGV_IS_FIXABLE(struct faultinfo)
is true for the fixable segvs, i.e. (TRAP == 14)
on i386
UPT_FAULTINFO(regs)
result is (struct faultinfo *) to the faultinfo
in regs->skas.faultinfo
GET_FAULTINFO_FROM_SC(struct faultinfo, struct sigcontext *)
copies the relevant parts of the sigcontext to
struct faultinfo.
On SIGSEGV, call user_signal() instead of handle_segv(), if the architecture
provides the information needed in PTRACE_FAULTINFO, or if PTRACE_FAULTINFO is
missing, because segv-stub will provide the info.
The benefit of the change is, that in case of a non-fixable SIGSEGV, we can
give user processes a SIGSEGV, instead of possibly looping on pagefault
handling.
Since handle_segv() sikked arch_fixup() implicitly by passing ip==0 to segv(),
I changed segv() to call arch_fixup() only, if !is_user.
Signed-off-by: Bodo Stroesser <bstroesser@fujitsu-siemens.com>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.
Let it rip!