path: root/sys/kern/tty.c
Commit message | Author | Age | Files | Lines
* sys/kern: adoption of SPDX licensing ID tags. | Pedro F. Giffuni | 2017-11-27 | 1 | -0/+2
    Mainly focus on files that use BSD 2-Clause license, however the tool I
    was using misidentified many licenses so this was mostly a manual - error
    prone - task.

    The Software Package Data Exchange (SPDX) group provides a specification
    to make it easier for automated tools to detect and summarize well known
    opensource licenses. We are gradually adopting the specification, noting
    that the tags are considered only advisory and do not, in any way,
    supersede or replace the license texts.

    Notes: svn path=/head/; revision=326271
* Commit the 64-bit inode project. | Konstantin Belousov | 2017-05-23 | 1 | -1/+1
    Extend the ino_t, dev_t, nlink_t types to 64-bit ints. Modify struct
    dirent layout to add d_off, increase the size of d_fileno to 64-bits,
    increase the size of d_namlen to 16-bits, and change the required
    alignment. Increase struct statfs f_mntfromname[] and f_mntonname[]
    array length MNAMELEN to 1024.

    ABI breakage is mitigated by providing compatibility using versioned
    symbols, ingenious use of the existing padding in structures, and by
    employing other tricks. Unfortunately, not everything can be fixed,
    especially outside the base system. For instance, third-party APIs
    which pass struct stat around are broken in backward and forward
    incompatible ways.

    Kinfo sysctl MIBs ABI is changed in backward-compatible way, but there
    is no general mechanism to handle other sysctl MIBS which return
    structures where the layout has changed. It was considered that the
    breakage is either in the management interfaces, where we usually
    allow ABI slip, or is not important.

    Struct xvnode changed layout, no compat shims are provided.

    For struct xtty, dev_t tty device member was reduced to uint32_t. It
    was decided that keeping ABI compat in this case is more useful than
    reporting 64-bit dev_t, for the sake of pstat.

    Update note: strictly follow the instructions in UPDATING. Build and
    install the new kernel with COMPAT_FREEBSD11 option enabled, then
    reboot, and only then install new world.

    Credits: The 64-bit inode project, also known as ino64, started life
    many years ago as a project by Gleb Kurtsou (gleb). Kirk McKusick
    (mckusick) then picked up and updated the patch, and acted as a
    flag-waver. Feedback, suggestions, and discussions were carried by
    Ed Maste (emaste), John Baldwin (jhb), Jilles Tjoelker (jilles), and
    Rick Macklem (rmacklem). Kris Moore (kris) performed an initial ports
    investigation followed by an exp-run by Antoine Brodin (antoine).
    Essential and all-embracing testing was done by Peter Holm (pho).
    The heavy lifting of coordinating all these efforts and bringing the
    project to completion were done by Konstantin Belousov (kib).

    Sponsored by: The FreeBSD Foundation (emaste, kib)
    Differential revision: https://reviews.freebsd.org/D10439
    Notes: svn path=/head/; revision=318736
* Correct the comments about how much buffer is allocated. | Ian Lepore | 2017-01-13 | 1 | -2/+2
    Notes: svn path=/head/; revision=312080
* Check tty_gone() after allocating IO buffers. The tty lock has to be | Ian Lepore | 2017-01-13 | 1 | -5/+22
    dropped then reacquired due to using M_WAITOK, which opens a window in
    which the tty device can disappear. Check for this and return ENXIO
    back up the call chain so that callers can cope.

    This closes a race where TF_GONE would get set while buffers were
    being allocated as part of ttydev_open(), causing a subsequent call to
    ttydevsw_modem() later in ttydev_open() to assert.

    Reported by: pho
    Reviewed by: kib
    Notes: svn path=/head/; revision=312077
* Restructure the tty_drain loop so that device-busy is checked one more time | Ian Lepore | 2017-01-12 | 1 | -5/+3
    after tty_timedwait() returns an error only if the error is
    EWOULDBLOCK; other errors cause an immediate return. This fixes the
    case of the tty disappearing while in tty_drain().

    Reported by: pho
    Notes: svn path=/head/; revision=311996
* Rework tty_drain() to poll the hardware for completion, and restore | Ian Lepore | 2017-01-12 | 1 | -19/+54
    drain timeout handling to historical freebsd behavior.

    The primary reason for these changes is the need to have tty_drain()
    call ttydevsw_busy() at some reasonable sub-second rate, to poll
    hardware that doesn't signal an interrupt when the transmit shift
    register becomes empty (which includes virtually all USB serial
    hardware). Such hardware hangs in a ttyout wait, because it never gets
    an opportunity to trigger a wakeup from the sleep in tty_drain() by
    calling ttydisc_getc() again, after handing the last of the buffered
    data to the hardware.

    While researching the history of changes to tty_drain() I stumbled
    across some email describing the historical BSD behavior of tcdrain()
    and close() on serial ports, and the ability of comcontrol(1) to
    control timeout behavior. Using that and some advice from Bruce Evans
    as a guide, I've put together these changes to implement the hardware
    polling and restore the historical timeout behaviors...

    - tty_drain() now calls ttydevsw_busy() in a loop at 10 Hz to
      accommodate hardware that requires polling for busy state.
    - The "new historical" behavior for draining during close(2) is
      retained: the drain timeout is "1 second without making any
      progress". When the 1-second timeout expires, if the count of bytes
      remaining in the tty layer buffer is smaller than last time, the
      timeout is extended for another second. Unfortunately, the same
      logic cannot be extended all the way down to the hardware, because
      the interface to that layer is a simple busy/not-busy indication.
    - Due to the previous point, an application that needs a guarantee
      that all data has been transmitted must use TIOCDRAIN/tcdrain(3)
      before calling close(2).
    - The historical behavior of honoring the drainwait setting for
      TIOCDRAIN (used by tcdrain(3)) is restored.
    - The historical kern.drainwait sysctl to control the global default
      drainwait time is restored, but is now named kern.tty_drainwait.
    - The historical default drainwait timeout of 300 seconds is restored.
    - Handling of TIOCGDRAINWAIT and TIOCSDRAINWAIT ioctls is restored
      (this also makes the comcontrol(1) drainwait verb work again).
    - Manpages are updated to document these behaviors.

    Reviewed by: bde (prior version)
    Notes: svn path=/head/; revision=311954
* sys/kern: spelling fixes in comments. | Pedro F. Giffuni | 2016-04-29 | 1 | -1/+1
    No functional change.

    Notes: svn path=/head/; revision=298819
* Don't clear the software flow control flag before draining for last | Konstantin Belousov | 2016-01-26 | 1 | -7/+5
    close or assert the bug that it is clear when leaving. Remove an
    unrelated rotted comment that was attached to the buggy clearing.

    Since draining is not done in more cases, flushing is needed in more
    cases, so start fixing flushing:
    - do a full flush in ttydisc_close(). State what POSIX requires more
      clearly. This was missing ttydevsw_pktnotify() calls to tell the
      devsw layer to flush. Hardware tty drivers don't actually flush
      since they don't understand this API.
    - fix 2 missing wakeups in tty_flush(). Most of the wakeups here are
      unnecessary for last close. But ttydisc_close() did one of the
      missing ones.

    This flow control bug ameliorated the design bug of requiring
    potentially unbounded waits in draining. Software flow control is the
    easiest way to get an unbounded wait, and a long wait is sometimes
    actually useful. Users can type the xoff character on the receiver and
    (if ixon is set on the sender) expect the output to be held until the
    user is ready for more.

    Hardware flow control can also give the unbounded wait, and this bug
    didn't affect hardware flow control. Unbounded waits from hardware
    flow control take a more unusual configuration. E.g., a terminal
    program that controls the modem status lines, or unplugging the cable
    in a configuration where this doesn't break the connection.

    The design bug is still ameliorated by a newer bug in draining for
    last close -- the 1 second timeout. E.g., if the user types the xoff
    character and the sender reaches last close, then output is not
    resumed and the wait times out after just 1 second. This is broken,
    but preferable to an unbounded wait. Before this change, the output
    was resumed immediately and usually completed.

    Submitted by: bde
    MFC after: 2 weeks
    Notes: svn path=/head/; revision=294836
* Restore flushing of output for revoke(2) again. Document revoke()'s | Konstantin Belousov | 2016-01-26 | 1 | -15/+14
    intended behaviour in its man page. Simplify tty_drain() to match.
    Don't call ttydevsw methods in tty_flush() if the device is gone since
    we now sometimes call it then.

    The flushing was supposed to be implemented by passing the FNONBLOCK
    flag to VOP_CLOSE() for revoke(). The tty driver is one of the few
    that can block in close and was one of the fewer that knew about this.
    This almost worked in FreeBSD-1 and similarly in Net/2. These versions
    only almost worked because there was and is considerable confusion
    between IO_NDELAY and FNONBLOCK (aka O_NONBLOCK). IO_NDELAY is only
    valid for VOP_READ() and VOP_WRITE(). For other VOPs it has the same
    value as O_SHLOCK. But since vfs_subr.c and tty.c consistently used
    the wrong flag and the O_SHLOCK flag is rarely set, this mostly
    worked. It also gave the feature that applications could get the
    non-blocking close by abusing O_SHLOCK.

    This was first broken then fixed in 1995. I changed only the tty
    driver to use FNONBLOCK, as a hack to get non-blocking via the normal
    flag FNONBLOCK for last closes. I didn't know about revoke()'s use of
    IO_NDELAY or change it to be consistent, so revoke() was broken. Then
    I changed revoke() to match.

    This was next broken in 1997 then fixed in 1998. Importing Lite2 made
    the flags inconsistent again by undoing the fix only in vfs_subr.c.

    This was next broken in 2008 by replacing everything in tty.c and not
    checking any flags in last close. Other bugs in draining limited the
    resulting unbounded waits to drain in some cases.

    It is now possible to fix this better using the new FREVOKE flag.
    Just restore flushing for revoke() for now. Don't restore or undo any
    hacks for ordinary last closes yet. But remove dead code in the
    1-second relative timeout (r272789). This did extra work to extend
    the buggy draining for revoke() for as long as possible. The 1-second
    timeout made this not very long by usually flushing after 1 second.

    Submitted by: bde
    MFC after: 2 weeks
    Notes: svn path=/head/; revision=294778
* - Make the code consistent with itself style-wise and bring it closer | Marius Strobl | 2016-01-25 | 1 | -33/+57
      to style(9).
    - Mark unused arguments as such.
    - Make the ttystates table const.

    Notes: svn path=/head/; revision=294753
* Don't allow opening the callout device when the callin device is already | Konstantin Belousov | 2016-01-25 | 1 | -3/+6
    open (in disguise as the console device). The only allowed combination
    was supposed to be the callin device with the console. Fix the
    assertion in ttydev_close() that was meant to detect this (it only
    detected all 3 devices being open). Assert this in ttydev_open() too.

    Submitted by: bde
    MFC after: 2 weeks
    Notes: svn path=/head/; revision=294735
* Fix the %b flags string for ddb. All bits above the 5th | Konstantin Belousov | 2016-01-25 | 1 | -5/+7
    (TF_OPENED_CONS) were broken in r188147 by adding TF_OPENED_CONS
    without updating the string. It was especially confusing to display
    OPENED_CONS as GONE and BYPASS as ZOMBIE. 2 flags at the end were not
    updated in r188487.

    Don't print an extra 0x prefix for %p in a ddb command. In the rest of
    the kernel there are more than 6000 lines with %p and only about 40
    with this bug.

    Print a non-extra 0x prefix for %b in a ddb command. In the rest of
    the kernel, there are approx. 180 lines with %b and 2/3 of them have
    this bug.

    Submitted by: bde
    MFC after: 2 weeks
    Notes: svn path=/head/; revision=294732
* In tty_dealloc(), clear the queues. See the comment for a scenario | Konstantin Belousov | 2016-01-22 | 1 | -5/+10
    which explains why ttydev_leave() cleanup might not happen.

    Submitted by: bde
    MFC after: 3 weeks
    Notes: svn path=/head/; revision=294598
* Fix tty_drain() and, thus, TIOCDRAIN of the current tty(4) incarnation | Marius Strobl | 2016-01-19 | 1 | -2/+10
    to actually wait until the TX FIFOs of UARTs have been drained before
    returning. This is done by bringing the equivalent of the TS_BUSY flag
    found in the previous implementation back in an ABI-preserving way.

    Reported and tested by: Patrick Powell

    Most likely, drivers for USB-serial-adapters likewise incorporating TX
    FIFOs as well as other terminal devices that buffer output in some
    form should also provide implementations of tsw_busy.

    MFC after: 3 days
    Notes: svn path=/head/; revision=294362
* Convert tty common code to use make_dev_s(). | Konstantin Belousov | 2016-01-07 | 1 | -52/+47
    Tty.c was untypical in that it handled the si_drv1 issue consistently
    and correctly, by always checking for si_drv1 being non-NULL and
    sleeping if NULL. The removed code also illustrated unneeded
    complications in drivers which are eliminated by the use of new KPI.

    Reviewed by: hps, jhb
    Discussed with: bde
    Sponsored by: The FreeBSD Foundation
    MFC after: 3 weeks
    Differential revision: https://reviews.freebsd.org/D4746
    Notes: svn path=/head/; revision=293349
* filedesc: simplify fget_unlocked & friends | Mateusz Guzik | 2015-02-17 | 1 | -1/+1
    Introduce fget_fcntl which performs appropriate checks when needed.
    This removes a branch from fget_unlocked.

    Introduce fget_mmap dealing with cap_rights_to_vmprot conversion.
    This removes a branch from _fget.

    Modify fget_unlocked to pass sequence counter to interested callers so
    that they can perform their own checks and make sure the result was
    obtained from stable & current state.

    Reviewed by: silence on -hackers
    Notes: svn path=/head/; revision=278930
* Fix draining in ttydev_leave(): | Marcel Moolenaar | 2014-10-09 | 1 | -10/+25
    1. ERESTART is not only returned when the revoke count changed. It is
       also returned when a signal is received. While a change in the
       revoke count should be ignored, a signal should not.
    2. Waiting until the output queue is entirely drained can cause a hang
       when the underlying device is stuck or broken.

    Have tty_drain() take care of this by telling it when we're leaving.
    When leaving, tty_drain() will use a timed wait to address point 2
    above and it will check the revoke count to handle point 1 above.
    The timeout is set to 1 second, which is arbitrary and long enough to
    expect a change in the output queue.

    Discussed with: jilles@
    Reported by: Yamagi Burmeister <lists@yamagi.org>
    Notes: svn path=/head/; revision=272789
* Apply r269126 to tty_timedwait(): | Marcel Moolenaar | 2014-10-09 | 1 | -4/+4
    Don't return ERESTART when the device is gone.

    Notes: svn path=/head/; revision=272786
* tty_rel_free() can be called more than once for the same tty so make sure | Neel Natu | 2014-09-28 | 1 | -6/+6
    that the tty is dequeued from 'tty_list' only the first time.

    The panic below was seen when a revoke(2) was issued on an nmdm
    device. In this case there was also a thread that was blocked on a
    read(2) on the device. The revoke(2) woke up the blocked thread which
    would typically return an error to userspace. In this case the reader
    also held the last reference on the file descriptor so fdrop() ended
    up calling tty_rel_free() via ttydev_close().

    tty_rel_free() then tried to dequeue 'tp' again which led to the panic.

    panic: Bad link elm 0xfffff80042602400 prev->next != elm
    cpuid = 1
    KDB: stack backtrace:
    db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00f9c90460
    kdb_backtrace() at kdb_backtrace+0x39/frame 0xfffffe00f9c90510
    vpanic() at vpanic+0x189/frame 0xfffffe00f9c90590
    panic() at panic+0x43/frame 0xfffffe00f9c905f0
    tty_rel_free() at tty_rel_free+0x29b/frame 0xfffffe00f9c90640
    ttydev_close() at ttydev_close+0x1f9/frame 0xfffffe00f9c90690
    devfs_close() at devfs_close+0x298/frame 0xfffffe00f9c90720
    VOP_CLOSE_APV() at VOP_CLOSE_APV+0x13c/frame 0xfffffe00f9c90770
    vn_close() at vn_close+0x194/frame 0xfffffe00f9c90810
    vn_closefile() at vn_closefile+0x48/frame 0xfffffe00f9c90890
    devfs_close_f() at devfs_close_f+0x2c/frame 0xfffffe00f9c908c0
    _fdrop() at _fdrop+0x29/frame 0xfffffe00f9c908e0
    sys_read() at sys_read+0x63/frame 0xfffffe00f9c90980
    amd64_syscall() at amd64_syscall+0x2b3/frame 0xfffffe00f9c90ab0
    Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe00f9c90ab0
    --- syscall (3, FreeBSD ELF64, sys_read), rip = 0x800b78d8a, rsp = 0x7fffffbfdaf8, rbp = 0x7fffffbfdb30 ---

    CR: https://reviews.freebsd.org/D851
    Reviewed by: glebius, ed
    Reported by: Leon Dang
    Sponsored by: Nahanni Systems
    MFC after: 1 week
    Notes: svn path=/head/; revision=272270
* Don't return ERESTART when the device is gone. In ttydev_leave() ERESTART | Marcel Moolenaar | 2014-07-26 | 1 | -4/+4
    is the indication that draining got interrupted due to a revoke(2)
    and that tty_drain() is to be called again for draining to complete.
    If the device is flagged as gone, then waiting/draining is not
    possible. Only return ERESTART when waiting is still possible.

    Obtained from: Juniper Networks, Inc.
    Notes: svn path=/head/; revision=269126
* Update kernel inclusions of capability.h to use capsicum.h instead; some | Robert Watson | 2014-03-16 | 1 | -1/+1
    further refinement is required as some device drivers intended to be
    portable over FreeBSD versions rely on __FreeBSD_version to decide
    whether to include capability.h.

    MFC after: 3 weeks
    Notes: svn path=/head/; revision=263233
* Move list of ttys handling from the allocating procedures, to the | Gleb Smirnoff | 2013-12-20 | 1 | -10/+10
    device creation stage. A device creation can fail, and in that case
    an entry already on the list will be freed.

    Sponsored by: Nginx, Inc.
    Notes: svn path=/head/; revision=259663
* - Rename tty_makedev() into tty_makedevf() and make it capable | Gleb Smirnoff | 2013-12-18 | 1 | -36/+73
      to fail and return error.
    - Use make_dev_p() in tty_makedevf() instead of make_dev_cred().
    - Always pass MAKEDEV_CHECKNAME flag.
    - Optionally pass MAKEDEV_REF flag.
    - Provide macro for compatibility with old API.

    This fixes races with simultaneous creation and destruction of ttys,
    and makes it possible to call tty_makedevf() from device cloners.

    A race in tty_watermarks() still exists, since the latter drops lock
    for M_WAITOK allocation. This will be addressed in separate commit.

    Reviewed by: kib
    Sponsored by: Nginx, Inc.
    Notes: svn path=/head/; revision=259549
* Properly drain the TTY when both revoke(2) and close(2) end up closing | Marcel Moolenaar | 2013-12-16 | 1 | -2/+4
    the TTY. In such a case, ttydev_close() is called multiple times and
    each time, t_revokecnt is incremented and cv_broadcast() is called for
    both the t_outwait and t_inwait condition variables.

    Let's say revoke(2) comes in first and gets to call tty_drain() from
    ttydev_leave(). Let's say that the revoke comes from init(8) as the
    result of running "shutdown -r now". Since shutdown prints various
    messages to the console before announcing that the machine will reboot
    immediately, let's also say that the output queue is not empty and
    that tty_drain() has something to do. Let's assume this all happens on
    a 9600 baud serial console, so it takes a time to drain.

    The shutdown command will exit(2) and as such will end up closing
    stdout. Let's say this close will come in second, bump t_revokecnt and
    call tty_wakeup(). This has tty_wait() return prematurely and the next
    thing that will happen is that the thread doing revoke(2) will flush
    the TTY. Since the drain wasn't complete, the flush will effectively
    drop whatever is left in t_outq.

    This change takes into account that tty_drain() will return ERESTART
    due to the fact that t_revokecnt was bumped and in that case simply
    call tty_drain() again. The thread in question is already performing
    the close so it can safely finish draining the TTY before destroying
    the TTY structure.

    Now all messages from shutdown will be printed on the serial console.

    Obtained from: Juniper Networks, Inc.
    Notes: svn path=/head/; revision=259441
* Change the cap_rights_t type from uint64_t to a structure that we can extend | Pawel Jakub Dawidek | 2013-09-05 | 1 | -1/+3
    in the future in a backward compatible (API and ABI) way.

    The cap_rights_t represents capability rights. We used to use one bit
    to represent one right, but we are running out of spare bits.
    Currently the new structure provides place for 114 rights (so 50 more
    than the previous cap_rights_t), but it is possible to grow the
    structure to hold at least 285 rights, although we can make it even
    larger if 285 rights won't be enough.

    The structure definition looks like this:

        struct cap_rights {
                uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
        };

    The initial CAP_RIGHTS_VERSION is 0.

    The top two bits in the first element of the cr_rights[] array contain
    total number of elements in the array - 2. This means if those two
    bits are equal to 0, we have 2 array elements.

    The top two bits in all remaining array elements should be 0.
    The next five bits in all array elements contain array index. Only one
    bit is used and bit position in this five-bits range defines array
    index. This means there can be at most five array elements in the
    future.

    To define new right the CAPRIGHT() macro must be used. The macro takes
    two arguments - an array index and a bit to set, eg.

        #define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)

    We still support aliases that combine few rights, but the rights have
    to belong to the same array element, eg:

        #define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
        #define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
        #define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)

    There is new API to manage the new cap_rights_t structure:

        cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
        void cap_rights_set(cap_rights_t *rights, ...);
        void cap_rights_clear(cap_rights_t *rights, ...);
        bool cap_rights_is_set(const cap_rights_t *rights, ...);
        bool cap_rights_is_valid(const cap_rights_t *rights);
        void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
        void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
        bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);

    Capability rights to the cap_rights_init(), cap_rights_set(),
    cap_rights_clear() and cap_rights_is_set() functions are provided by
    separating them with commas, eg:

        cap_rights_t rights;
        cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);

    There is no need to terminate the list of rights, as those functions
    are actually macros that take care of the termination, eg:

        #define cap_rights_set(rights, ...) \
                __cap_rights_set((rights), __VA_ARGS__, 0ULL)
        void __cap_rights_set(cap_rights_t *rights, ...);

    Thanks to using one bit as an array index we can assert in those
    functions that there are no two rights belonging to different array
    elements provided together. For example this is illegal and will be
    detected, because CAP_LOOKUP belongs to element 0 and CAP_PDKILL to
    element 1:

        cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);

    Providing several rights that belong to the same array's element this
    way is correct, but is not advised. It should only be used for aliases
    definition.

    This commit also breaks compatibility with some existing Capsicum
    system calls, but I see no other way to do that. This should be fine
    as Capsicum is still experimental and this change is not going to 9.x.

    Sponsored by: The FreeBSD Foundation
    Notes: svn path=/head/; revision=255219
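
The bit layout described in the commit message above, as an added C example (a user-space model written for this page, not FreeBSD's code). The `model_*` and `EX_*` names are hypothetical, and placing the index bit for element i at bit 57 + i is an assumption of the sketch; the right values are the ones quoted in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_VERSION 0                    /* message: initial version is 0 */
#define MODEL_NELEM   (MODEL_VERSION + 2)  /* array length = version + 2 */

struct model_rights {
    uint64_t cr_rights[MODEL_NELEM];
};

/* Top two bits: version. Next five bits: one-hot array index.
 * Assumption of this sketch: element i is marked by bit (57 + i). */
#define MODEL_VERMASK (0x3ULL << 62)
#define MODEL_IDXMASK (0x1FULL << 57)
#define MODEL_RIGHT(idx, bit) ((1ULL << (57 + (idx))) | (bit))

/* Right values as quoted in the commit message. */
#define EX_CAP_LOOKUP   MODEL_RIGHT(0, 0x0000000000000400ULL)
#define EX_CAP_FCHMOD   MODEL_RIGHT(0, 0x0000000000002000ULL)
#define EX_CAP_FCHMODAT (EX_CAP_FCHMOD | EX_CAP_LOOKUP)
#define EX_CAP_PDKILL   MODEL_RIGHT(1, 0x0000000000000800ULL)

/* Array index encoded in a right or array element; -1 unless exactly one
 * index bit is set (this is what catches rights ORed across elements). */
static int model_right_index(uint64_t right)
{
    uint64_t idx = (right & MODEL_IDXMASK) >> 57;
    int i = 0;

    if (idx == 0 || (idx & (idx - 1)) != 0)
        return -1;
    while ((idx & 1) == 0) {
        idx >>= 1;
        i++;
    }
    return i;
}

/* Empty set: every element carries its index bit, element 0 the version. */
static void model_init(struct model_rights *r)
{
    for (int i = 0; i < MODEL_NELEM; i++)
        r->cr_rights[i] = 1ULL << (57 + i);
    r->cr_rights[0] |= (uint64_t)MODEL_VERSION << 62;
}

/* Add one right (or a same-element alias); false if the value is illegal. */
static bool model_set(struct model_rights *r, uint64_t right)
{
    int i = model_right_index(right);

    if (i < 0 || i >= MODEL_NELEM || (right & MODEL_VERMASK) != 0)
        return false;
    r->cr_rights[i] |= right;
    return true;
}

static bool model_is_set(const struct model_rights *r, uint64_t right)
{
    int i = model_right_index(right);

    if (i < 0 || i >= MODEL_NELEM)
        return false;
    return (r->cr_rights[i] & right) == right;
}

/* Structural check: version bits only in element 0, index bit matches slot. */
static bool model_is_valid(const struct model_rights *r)
{
    if ((int)(r->cr_rights[0] >> 62) != MODEL_NELEM - 2)
        return false;
    for (int i = 0; i < MODEL_NELEM; i++) {
        if (i > 0 && (r->cr_rights[i] & MODEL_VERMASK) != 0)
            return false;
        if (model_right_index(r->cr_rights[i]) != i)
            return false;
    }
    return true;
}

/* True when every right in 'little' is also present in 'big'. */
static bool model_contains(const struct model_rights *big,
    const struct model_rights *little)
{
    for (int i = 0; i < MODEL_NELEM; i++)
        if ((big->cr_rights[i] & little->cr_rights[i]) != little->cr_rights[i])
            return false;
    return true;
}

int main(void)
{
    struct model_rights wide, narrow;

    model_init(&wide);
    model_init(&narrow);
    model_set(&wide, EX_CAP_FCHMODAT);
    model_set(&narrow, EX_CAP_LOOKUP);
    printf("mixed-element value accepted: %d\n",
        model_set(&wide, EX_CAP_LOOKUP | EX_CAP_PDKILL));
    printf("wide contains narrow: %d\n", model_contains(&wide, &narrow));
    printf("wide valid: %d\n", model_is_valid(&wide));
    return 0;
}
```
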
* Merge Capsicum overhaul: | Pawel Jakub Dawidek | 2013-03-02 | 1 | -12/+4
    - Capability is no longer separate descriptor type. Now every
      descriptor has set of its own capability rights.
    - The cap_new(2) system call is left, but it is no longer documented
      and should not be used in new code.
    - The new syscall cap_rights_limit(2) should be used instead of
      cap_new(2), which limits capability rights of the given descriptor
      without creating a new one.
    - The cap_getrights(2) syscall is renamed to cap_rights_get(2).
    - If CAP_IOCTL capability right is present we can further reduce
      allowed ioctls list with the new cap_ioctls_limit(2) syscall. List
      of allowed ioctls can be retrieved with cap_ioctls_get(2) syscall.
    - If CAP_FCNTL capability right is present we can further reduce
      fcntls that can be used with the new cap_fcntls_limit(2) syscall and
      retrieve them with cap_fcntls_get(2).
    - To support ioctl and fcntl white-listing the filedesc structure was
      heavily modified.
    - The audit subsystem, kdump and procstat tools were updated to
      recognize new syscalls.
    - Capability rights were revised and even though I tried hard to
      provide backward API and ABI compatibility there are some
      incompatible changes that are described in detail below:

    CAP_CREATE old behaviour:
    - Allow for openat(2)+O_CREAT.
    - Allow for linkat(2).
    - Allow for symlinkat(2).
    CAP_CREATE new behaviour:
    - Allow for openat(2)+O_CREAT.

    Added CAP_LINKAT:
    - Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
    - Allow to be target for renameat(2).

    Added CAP_SYMLINKAT:
    - Allow for symlinkat(2).

    Removed CAP_DELETE. Old behaviour:
    - Allow for unlinkat(2) when removing non-directory object.
    - Allow to be source for renameat(2).

    Removed CAP_RMDIR. Old behaviour:
    - Allow for unlinkat(2) when removing directory.

    Added CAP_RENAMEAT:
    - Required for source directory for the renameat(2) syscall.

    Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
    - Allow for unlinkat(2) on any object.
    - Required if target of renameat(2) exists and will be removed by this
      call.

    Removed CAP_MAPEXEC.

    CAP_MMAP old behaviour:
    - Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
      PROT_WRITE.
    CAP_MMAP new behaviour:
    - Allow for mmap(2)+PROT_NONE.

    Added CAP_MMAP_R:
    - Allow for mmap(PROT_READ).
    Added CAP_MMAP_W:
    - Allow for mmap(PROT_WRITE).
    Added CAP_MMAP_X:
    - Allow for mmap(PROT_EXEC).
    Added CAP_MMAP_RW:
    - Allow for mmap(PROT_READ | PROT_WRITE).
    Added CAP_MMAP_RX:
    - Allow for mmap(PROT_READ | PROT_EXEC).
    Added CAP_MMAP_WX:
    - Allow for mmap(PROT_WRITE | PROT_EXEC).
    Added CAP_MMAP_RWX:
    - Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).

    Renamed CAP_MKDIR to CAP_MKDIRAT.
    Renamed CAP_MKFIFO to CAP_MKFIFOAT.
    Renamed CAP_MKNODE to CAP_MKNODEAT.

    CAP_READ old behaviour:
    - Allow pread(2).
    - Disallow read(2), readv(2) (if there is no CAP_SEEK).
    CAP_READ new behaviour:
    - Allow read(2), readv(2).
    - Disallow pread(2) (CAP_SEEK was also required).

    CAP_WRITE old behaviour:
    - Allow pwrite(2).
    - Disallow write(2), writev(2) (if there is no CAP_SEEK).
    CAP_WRITE new behaviour:
    - Allow write(2), writev(2).
    - Disallow pwrite(2) (CAP_SEEK was also required).

    Added convenient defines:

        #define CAP_PREAD (CAP_SEEK | CAP_READ)
        #define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
        #define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
        #define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
        #define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
        #define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
        #define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
        #define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
        #define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
        #define CAP_RECV CAP_READ
        #define CAP_SEND CAP_WRITE

        #define CAP_SOCK_CLIENT \
                (CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
                 CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
        #define CAP_SOCK_SERVER \
                (CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
                 CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
                 CAP_SETSOCKOPT | CAP_SHUTDOWN)

    Added defines for backward API compatibility:

        #define CAP_MAPEXEC CAP_MMAP_X
        #define CAP_DELETE CAP_UNLINKAT
        #define CAP_MKDIR CAP_MKDIRAT
        #define CAP_RMDIR CAP_UNLINKAT
        #define CAP_MKFIFO CAP_MKFIFOAT
        #define CAP_MKNOD CAP_MKNODAT
        #define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)

    Sponsored by: The FreeBSD Foundation
    Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
    Many aspects discussed with: rwatson, benl, jonathan
    ABI compatibility discussed with: kib
    Notes: svn path=/head/; revision=247602
* Fix typo; s/ouput/output | Kevin Lo | 2012-11-07 | 1 | -1/+1
    Notes: svn path=/head/; revision=242692
* Add tty_set_winsize(). | Ed Schouten | 2012-11-03 | 1 | -4/+11
    This removes some of the signalling magic from the Syscons driver and
    puts it in the TTY layer, where it belongs.

    Notes: svn path=/head/; revision=242529
* Correct SIGTTIN handling. | Ed Schouten | 2012-10-25 | 1 | -8/+1
    In the old TTY layer, SIGTTIN was correctly handled like this:

        while (data should be read) {
                send SIGTTIN if not foreground process group
                read data
        }

    In the new TTY layer, however, this behaviour was changed, based on a
    false interpretation of the standard:

        send SIGTTIN if not foreground process group
        while (data should be read) {
                read data
        }

    Correct this by pushing tty_wait_background() into the
    ttydisc_read_*() functions.

    Reported by: koitsu
    PR: kern/173010
    MFC after: 2 weeks
    Notes: svn path=/head/; revision=242078
* In tty_makedev() the following construction: | Peter Holm | 2012-06-18 | 1 | -2/+19
        dev = make_dev_cred();
        dev->si_drv1 = tp;

    leaves a small window where the newly created device may be opened
    and si_drv1 is NULL.

    As this is a very rare situation, using a lock to close the window
    seems overkill. Instead just wait for the assignment of si_drv1.

    Suggested by: kib
    MFC after: 1 week
    Notes: svn path=/head/; revision=237219
* Eliminate redundant variable. | Pawel Jakub Dawidek | 2012-06-07 | 1 | -5/+1
    Sponsored by: FreeBSD Foundation
    MFC after: 1 week
    Notes: svn path=/head/; revision=236730
* Plug file reference leak in capability failure case. | Pawel Jakub Dawidek | 2012-06-07 | 1 | -1/+1
    Sponsored by: FreeBSD Foundation
    MFC after: 3 days
    Notes: svn path=/head/; revision=236727
* Also call the low-level driver if ->c_iflag & (IXON|IXOFF|IXANY) changes. | Poul-Henning Kamp | 2012-02-26 | 1 | -0/+2
    Uftdi(4) examines (c_iflag & (IXON|IXOFF)) to control hw XON-XOFF
    support. This is obviously no good, if changes to those bits are not
    communicated down the stack.

    Notes: svn path=/head/; revision=232197
* Fix whitespace inconsistencies in TTY code. | Ed Schouten | 2012-02-06 | 1 | -1/+1
    Notes: svn path=/head/; revision=231095
* In order to maximize the re-usability of kernel code in user space this | Kip Macy | 2011-09-16 | 1 | -1/+1
    patch modifies makesyscalls.sh to prefix all of the non-compatibility
    calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel
    entry points and all places in the code that use them. It also fixes
    an additional name space collision between the kernel function psignal
    and the libc function of the same name by renaming the kernel psignal
    kern_psignal(). By introducing this change now we will ease future
    MFCs that change syscalls.

    Reviewed by: rwatson
    Approved by: re (bz)
    Notes: svn path=/head/; revision=225617
* Fix error return codes for ioctls on init/lock state devices. | Ed Schouten | 2011-09-12 | 1 | -1/+2

  In revision 223722 we introduced support for driver ioctls on init/lock state devices. Unfortunately the call to ttydevsw_cioctl() clobbers the value of the error variable, meaning that in many cases ioctl() will now return ENOTTY, even though the ioctl() was processed properly.

  Reported by: Boris Samorodov <bsam ipt ru>
  Patch by: jilles@
  Approved by: re@ (kib@)
  Notes: svn path=/head/; revision=225506
* Fix a deficiency in the selinfo interface: | Attilio Rao | 2011-08-25 | 1 | -0/+2

  If a selinfo object is recorded (via selrecord()) and then it is quickly destroyed, with the waiters missing the opportunity to awake, at the next iteration they will find the selinfo object destroyed, causing a PF#.

  That happens because the selinfo interface has no way to drain the waiters before destroying the registered selinfo object. Also this race is quite rare to get in practice, because it would require a selrecord(), a poll request by another thread and a quick destruction of the selrecord()'ed selinfo object.

  Fix this by adding the seldrain() routine which should be called before destroying the selinfo objects (in order to avoid such case), and fix the present cases where it might have already been called.

  Sometimes, the context is safe enough to prevent this type of race, like it happens in device drivers which install selinfo objects on poll callbacks. There, the destruction of the selinfo object happens at driver detach time, when all the file descriptors should be already closed, thus there cannot be a race. For this case, mfi(4) device driver can be set as an example, as it implements a full correct logic for preventing this from happening.

  Sponsored by: Sandvine Incorporated
  Reported by: rstone
  Tested by: pluknet
  Reviewed by: jhb, kib
  Approved by: re (bz)
  MFC after: 3 weeks
  Notes: svn path=/head/; revision=225177
* Second-to-last commit implementing Capsicum capabilities in the FreeBSD | Robert Watson | 2011-08-11 | 1 | -0/+12

  kernel for FreeBSD 9.0:

  Add a new capability mask argument to fget(9) and friends, allowing system call code to declare what capabilities are required when an integer file descriptor is converted into an in-kernel struct file *. With options CAPABILITIES compiled into the kernel, this enforces capability protection; without, this change is effectively a no-op.

  Some cases require special handling, such as mmap(2), which must preserve information about the maximum rights at the time of mapping in the memory map so that they can later be enforced in mprotect(2) -- this is done by narrowing the rights in the existing max_protection field used for similar purposes with file permissions.

  In namei(9), we assert that the code is not reached from within capability mode, as we're not yet ready to enforce namespace capabilities there. This will follow in a later commit.

  Update two capability names: CAP_EVENT and CAP_KEVENT become CAP_POST_KEVENT and CAP_POLL_KEVENT to more accurately indicate what they represent.

  Approved by: re (bz)
  Submitted by: jonathan
  Sponsored by: Google Inc
  Notes: svn path=/head/; revision=224778
* Reintroduce the cioctl() hook in the TTY layer for digi(4). | Ed Schouten | 2011-07-02 | 1 | -6/+20

  The cioctl() hook can be used by drivers to add ioctls to the *.init and *.lock devices. This commit breaks the ttydevsw ABI, since this structure didn't provide any padding. To prevent ABI breakage in the future, add a tsw_spare.

  Submitted by: Peter Jeremy <peter jeremy alcatel lucent com>
  Obtained from: kern/152254 (slightly modified)
  Notes: svn path=/head/; revision=223722
* Fix whitespace inconsistencies in the TTY layer and its drivers owned by me. | Ed Schouten | 2011-06-26 | 1 | -12/+12

  Notes: svn path=/head/; revision=223575
* Finish r210923, 210926. Mark some devices as eternal. | Konstantin Belousov | 2011-01-04 | 1 | -2/+2

  MFC after: 2 weeks
  Notes: svn path=/head/; revision=216952
* Just make callout devices and /dev/console force CLOCAL on open(). | Ed Schouten | 2010-09-19 | 1 | -6/+7

  Instead of adding custom checks to wait for DCD on open(), just modify the termios structure to set CLOCAL. This means SIGHUP is no longer generated when losing DCD as well.

  Reviewed by: kib@
  MFC after: 1 week
  Notes: svn path=/head/; revision=212867
* Ignore DCD handling on /dev/console entirely. | Ed Schouten | 2010-09-19 | 1 | -1/+2

  This makes /dev/console more fail-safe and prevents a potential console lock-up during boot.

  Discussed on: stable@
  Tested by: koitsu@
  MFC after: 1 week
  Notes: svn path=/head/; revision=212860
* Add new make_dev_p(9) flag MAKEDEV_ETERNAL to inform devfs that created | Konstantin Belousov | 2010-08-06 | 1 | -3/+3

  cdev will never be destroyed. Propagate the flag to devfs vnodes as VV_ETERNVALDEV. Use the flags to avoid acquiring devmtx and taking a thread reference on such nodes.

  In collaboration with: pho
  MFC after: 1 month
  Notes: svn path=/head/; revision=210923
* Fix a race condition, where a TTY could be destroyed twice. | Ed Schouten | 2010-07-06 | 1 | -1/+2

  There are special cases where tty_rel_free() can be called twice in a row, namely when closing and revoking the TTY at the same moment. Only call destroy_dev_sched_cb() once.

  Reported by: Jeremie Le Hen
  MFC after: 1 week
  Notes: svn path=/head/; revision=209718
* Make TIOCSTI work again. | Ed Schouten | 2010-01-04 | 1 | -6/+16

  It looks like I didn't implement this when I imported MPSAFE TTY. Applications like mail(1) still use this. I think it's conceptually bad.

  Tested by: Pete French <petefrench ticketswitch com>
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=201532
* Update d_mmap() to accept vm_ooffset_t and vm_memattr_t. | Robert Noland | 2009-12-29 | 1 | -4/+5

  This replaces d_mmap() with the d_mmap2() implementation and also changes the type of offset to vm_ooffset_t.

  Purge d_mmap2().

  All driver modules will need to be rebuilt since D_VERSION is also bumped.

  Reviewed by: jhb@
  MFC after: Not in this lifetime...
  Notes: svn path=/head/; revision=201223
* Don't allocate an input buffer for a TTY when the receiver is turned off. | Ed Schouten | 2009-12-01 | 1 | -2/+4

  When the termios CREAD flag is not set, it makes little sense to allocate an input buffer. Just set the size to 0 in this case to reduce memory footprint.

  Disallow CREAD to be disabled for pseudo-devices to prevent foot-shooting.

  Notes: svn path=/head/; revision=199998
* Among signal generation syscalls, only sigqueue(2) is allowed by POSIX | Konstantin Belousov | 2009-11-17 | 1 | -2/+14

  to fail due to lack of resources to queue siginfo. Add KSI_SIGQ flag that allows sigqueue_add() to fail while trying to allocate memory for new siginfo. When the flag is not set, behaviour is the same as for KSI_TRAP: if memory cannot be allocated, set bit in sq_kill. KSI_TRAP is kept to preserve KBI.

  Add SI_KERNEL si_code, to be used in siginfo.si_code when signal is generated by kernel. Deliver siginfo when signal is generated by kill(2) family of syscalls (SI_USER with properly filled si_uid and si_pid), or by kernel (SI_KERNEL, mostly job control or SIGIO). Since KSI_SIGQ flag is not set for the ksi, low memory condition cause old behaviour.

  Keep psignal(9) KBI intact, but modify it to generate SI_KERNEL si_code. Pgsignal(9) and gsignal(9) now take ksi explicitly. Add pksignal(9) that behaves like psignal but takes ksi, and ddb kill command implemented as pksignal(..., ksi = NULL) to not do allocation while in debugger.

  While there, remove some register specifiers and use ANSI C prototypes.

  Reviewed by: davidxu
  MFC after: 1 month
  Notes: svn path=/head/; revision=199355
* Properly set the low watermarks when reducing the baud rate. | Ed Schouten | 2009-10-19 | 1 | -2/+2

  Now that buffers are deallocated lazily, we should not use tty*q_getsize() to obtain the buffer size to calculate the low watermarks. Doing this may cause the watermark to be placed outside the typical buffer size.

  This caused some regressions after my previous commit to the TTY code, which allows pseudo-devices to resize the buffers as well.

  Reported by: yongari, dougb
  MFC after: 1 week
  Notes: svn path=/head/; revision=198223