2005-04-16 15:20:36 -07:00
|
|
|
/*
|
|
|
|
* linux/kernel/sys.c
|
|
|
|
*
|
|
|
|
* Copyright (C) 1991, 1992 Linus Torvalds
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/utsname.h>
|
|
|
|
#include <linux/mman.h>
|
|
|
|
#include <linux/smp_lock.h>
|
|
|
|
#include <linux/notifier.h>
|
|
|
|
#include <linux/reboot.h>
|
|
|
|
#include <linux/prctl.h>
|
|
|
|
#include <linux/highuid.h>
|
|
|
|
#include <linux/fs.h>
|
2007-05-10 22:22:53 -07:00
|
|
|
#include <linux/resource.h>
|
2005-06-25 14:57:52 -07:00
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/kexec.h>
|
2005-04-16 15:20:36 -07:00
|
|
|
#include <linux/workqueue.h>
|
2006-01-11 12:17:46 -08:00
|
|
|
#include <linux/capability.h>
|
2005-04-16 15:20:36 -07:00
|
|
|
#include <linux/device.h>
|
|
|
|
#include <linux/key.h>
|
|
|
|
#include <linux/times.h>
|
|
|
|
#include <linux/posix-timers.h>
|
|
|
|
#include <linux/security.h>
|
|
|
|
#include <linux/dcookies.h>
|
|
|
|
#include <linux/suspend.h>
|
|
|
|
#include <linux/tty.h>
|
2005-05-01 08:59:14 -07:00
|
|
|
#include <linux/signal.h>
|
2005-11-07 00:59:16 -08:00
|
|
|
#include <linux/cn_proc.h>
|
2006-09-26 10:52:28 +02:00
|
|
|
#include <linux/getcpu.h>
|
2007-05-10 22:22:37 -07:00
|
|
|
#include <linux/task_io_accounting_ops.h>
|
2007-07-15 23:41:32 -07:00
|
|
|
#include <linux/seccomp.h>
|
2007-10-01 01:20:10 -07:00
|
|
|
#include <linux/cpu.h>
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
#include <linux/compat.h>
|
|
|
|
#include <linux/syscalls.h>
|
2005-12-12 00:37:33 -08:00
|
|
|
#include <linux/kprobes.h>
|
2007-07-15 23:40:59 -07:00
|
|
|
#include <linux/user_namespace.h>
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
#include <asm/uaccess.h>
|
|
|
|
#include <asm/io.h>
|
|
|
|
#include <asm/unistd.h>
|
|
|
|
|
|
|
|
#ifndef SET_UNALIGN_CTL
|
|
|
|
# define SET_UNALIGN_CTL(a,b) (-EINVAL)
|
|
|
|
#endif
|
|
|
|
#ifndef GET_UNALIGN_CTL
|
|
|
|
# define GET_UNALIGN_CTL(a,b) (-EINVAL)
|
|
|
|
#endif
|
|
|
|
#ifndef SET_FPEMU_CTL
|
|
|
|
# define SET_FPEMU_CTL(a,b) (-EINVAL)
|
|
|
|
#endif
|
|
|
|
#ifndef GET_FPEMU_CTL
|
|
|
|
# define GET_FPEMU_CTL(a,b) (-EINVAL)
|
|
|
|
#endif
|
|
|
|
#ifndef SET_FPEXC_CTL
|
|
|
|
# define SET_FPEXC_CTL(a,b) (-EINVAL)
|
|
|
|
#endif
|
|
|
|
#ifndef GET_FPEXC_CTL
|
|
|
|
# define GET_FPEXC_CTL(a,b) (-EINVAL)
|
|
|
|
#endif
|
2006-06-07 16:10:19 +10:00
|
|
|
#ifndef GET_ENDIAN
|
|
|
|
# define GET_ENDIAN(a,b) (-EINVAL)
|
|
|
|
#endif
|
|
|
|
#ifndef SET_ENDIAN
|
|
|
|
# define SET_ENDIAN(a,b) (-EINVAL)
|
|
|
|
#endif
|
2008-04-11 18:54:17 +02:00
|
|
|
#ifndef GET_TSC_CTL
|
|
|
|
# define GET_TSC_CTL(a) (-EINVAL)
|
|
|
|
#endif
|
|
|
|
#ifndef SET_TSC_CTL
|
|
|
|
# define SET_TSC_CTL(a) (-EINVAL)
|
|
|
|
#endif
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* this is where the system-wide overflow UID and GID are defined, for
|
|
|
|
* architectures that now have 32-bit UID/GID but didn't in the past
|
|
|
|
*/
|
|
|
|
|
|
|
|
int overflowuid = DEFAULT_OVERFLOWUID;
|
|
|
|
int overflowgid = DEFAULT_OVERFLOWGID;
|
|
|
|
|
|
|
|
#ifdef CONFIG_UID16
|
|
|
|
EXPORT_SYMBOL(overflowuid);
|
|
|
|
EXPORT_SYMBOL(overflowgid);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
/*
|
|
|
|
* the same as above, but for filesystems which can only store a 16-bit
|
|
|
|
* UID and GID. as such, this is needed on all architectures
|
|
|
|
*/
|
|
|
|
|
|
|
|
int fs_overflowuid = DEFAULT_FS_OVERFLOWUID;
|
|
|
|
int fs_overflowgid = DEFAULT_FS_OVERFLOWUID;
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(fs_overflowuid);
|
|
|
|
EXPORT_SYMBOL(fs_overflowgid);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* this indicates whether you can reboot with ctrl-alt-del: the default is yes
|
|
|
|
*/
|
|
|
|
|
|
|
|
int C_A_D = 1;
|
2006-10-02 02:19:00 -07:00
|
|
|
struct pid *cad_pid;
|
|
|
|
EXPORT_SYMBOL(cad_pid);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2007-07-19 01:47:40 -07:00
|
|
|
/*
|
|
|
|
* If set, this is used for preparing the system to power off.
|
|
|
|
*/
|
|
|
|
|
|
|
|
void (*pm_power_off_prepare)(void);
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
static int set_one_prio(struct task_struct *p, int niceval, int error)
|
|
|
|
{
|
|
|
|
int no_nice;
|
|
|
|
|
|
|
|
if (p->uid != current->euid &&
|
|
|
|
p->euid != current->euid && !capable(CAP_SYS_NICE)) {
|
|
|
|
error = -EPERM;
|
|
|
|
goto out;
|
|
|
|
}
|
2005-05-01 08:59:00 -07:00
|
|
|
if (niceval < task_nice(p) && !can_nice(p, niceval)) {
|
2005-04-16 15:20:36 -07:00
|
|
|
error = -EACCES;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
no_nice = security_task_setnice(p, niceval);
|
|
|
|
if (no_nice) {
|
|
|
|
error = no_nice;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if (error == -ESRCH)
|
|
|
|
error = 0;
|
|
|
|
set_user_nice(p, niceval);
|
|
|
|
out:
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
asmlinkage long sys_setpriority(int which, int who, int niceval)
|
|
|
|
{
|
|
|
|
struct task_struct *g, *p;
|
|
|
|
struct user_struct *user;
|
|
|
|
int error = -EINVAL;
|
2007-02-12 00:53:01 -08:00
|
|
|
struct pid *pgrp;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2007-05-10 22:22:53 -07:00
|
|
|
if (which > PRIO_USER || which < PRIO_PROCESS)
|
2005-04-16 15:20:36 -07:00
|
|
|
goto out;
|
|
|
|
|
|
|
|
/* normalize: avoid signed division (rounding problems) */
|
|
|
|
error = -ESRCH;
|
|
|
|
if (niceval < -20)
|
|
|
|
niceval = -20;
|
|
|
|
if (niceval > 19)
|
|
|
|
niceval = 19;
|
|
|
|
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
switch (which) {
|
|
|
|
case PRIO_PROCESS:
|
2007-02-12 00:53:01 -08:00
|
|
|
if (who)
|
2007-10-18 23:40:16 -07:00
|
|
|
p = find_task_by_vpid(who);
|
2007-02-12 00:53:01 -08:00
|
|
|
else
|
|
|
|
p = current;
|
2005-04-16 15:20:36 -07:00
|
|
|
if (p)
|
|
|
|
error = set_one_prio(p, niceval, error);
|
|
|
|
break;
|
|
|
|
case PRIO_PGRP:
|
2007-02-12 00:53:01 -08:00
|
|
|
if (who)
|
2007-10-18 23:40:14 -07:00
|
|
|
pgrp = find_vpid(who);
|
2007-02-12 00:53:01 -08:00
|
|
|
else
|
|
|
|
pgrp = task_pgrp(current);
|
2008-08-20 14:09:17 -07:00
|
|
|
do_each_pid_thread(pgrp, PIDTYPE_PGID, p) {
|
2005-04-16 15:20:36 -07:00
|
|
|
error = set_one_prio(p, niceval, error);
|
2008-08-20 14:09:17 -07:00
|
|
|
} while_each_pid_thread(pgrp, PIDTYPE_PGID, p);
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
|
|
|
case PRIO_USER:
|
|
|
|
user = current->user;
|
|
|
|
if (!who)
|
|
|
|
who = current->uid;
|
|
|
|
else
|
|
|
|
if ((who != current->uid) && !(user = find_user(who)))
|
|
|
|
goto out_unlock; /* No processes for this user */
|
|
|
|
|
|
|
|
do_each_thread(g, p)
|
|
|
|
if (p->uid == who)
|
|
|
|
error = set_one_prio(p, niceval, error);
|
|
|
|
while_each_thread(g, p);
|
|
|
|
if (who != current->uid)
|
|
|
|
free_uid(user); /* For find_user() */
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
out_unlock:
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
out:
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Ugh. To avoid negative return values, "getpriority()" will
|
|
|
|
* not return the normal nice-value, but a negated value that
|
|
|
|
* has been offset by 20 (ie it returns 40..1 instead of -20..19)
|
|
|
|
* to stay compatible.
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_getpriority(int which, int who)
|
|
|
|
{
|
|
|
|
struct task_struct *g, *p;
|
|
|
|
struct user_struct *user;
|
|
|
|
long niceval, retval = -ESRCH;
|
2007-02-12 00:53:01 -08:00
|
|
|
struct pid *pgrp;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2007-05-10 22:22:53 -07:00
|
|
|
if (which > PRIO_USER || which < PRIO_PROCESS)
|
2005-04-16 15:20:36 -07:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
switch (which) {
|
|
|
|
case PRIO_PROCESS:
|
2007-02-12 00:53:01 -08:00
|
|
|
if (who)
|
2007-10-18 23:40:16 -07:00
|
|
|
p = find_task_by_vpid(who);
|
2007-02-12 00:53:01 -08:00
|
|
|
else
|
|
|
|
p = current;
|
2005-04-16 15:20:36 -07:00
|
|
|
if (p) {
|
|
|
|
niceval = 20 - task_nice(p);
|
|
|
|
if (niceval > retval)
|
|
|
|
retval = niceval;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case PRIO_PGRP:
|
2007-02-12 00:53:01 -08:00
|
|
|
if (who)
|
2007-10-18 23:40:14 -07:00
|
|
|
pgrp = find_vpid(who);
|
2007-02-12 00:53:01 -08:00
|
|
|
else
|
|
|
|
pgrp = task_pgrp(current);
|
2008-08-20 14:09:17 -07:00
|
|
|
do_each_pid_thread(pgrp, PIDTYPE_PGID, p) {
|
2005-04-16 15:20:36 -07:00
|
|
|
niceval = 20 - task_nice(p);
|
|
|
|
if (niceval > retval)
|
|
|
|
retval = niceval;
|
2008-08-20 14:09:17 -07:00
|
|
|
} while_each_pid_thread(pgrp, PIDTYPE_PGID, p);
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
|
|
|
case PRIO_USER:
|
|
|
|
user = current->user;
|
|
|
|
if (!who)
|
|
|
|
who = current->uid;
|
|
|
|
else
|
|
|
|
if ((who != current->uid) && !(user = find_user(who)))
|
|
|
|
goto out_unlock; /* No processes for this user */
|
|
|
|
|
|
|
|
do_each_thread(g, p)
|
|
|
|
if (p->uid == who) {
|
|
|
|
niceval = 20 - task_nice(p);
|
|
|
|
if (niceval > retval)
|
|
|
|
retval = niceval;
|
|
|
|
}
|
|
|
|
while_each_thread(g, p);
|
|
|
|
if (who != current->uid)
|
|
|
|
free_uid(user); /* for find_user() */
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
out_unlock:
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
2005-09-22 21:43:45 -07:00
|
|
|
/**
|
|
|
|
* emergency_restart - reboot the system
|
|
|
|
*
|
|
|
|
* Without shutting down any hardware or taking any locks
|
|
|
|
* reboot the system. This is called when we know we are in
|
|
|
|
* trouble so this is our best effort to reboot. This is
|
|
|
|
* safe to call in interrupt context.
|
|
|
|
*/
|
2005-07-26 11:29:55 -06:00
|
|
|
void emergency_restart(void)
|
|
|
|
{
|
|
|
|
machine_emergency_restart();
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(emergency_restart);
|
|
|
|
|
2008-08-15 00:40:24 -07:00
|
|
|
void kernel_restart_prepare(char *cmd)
|
2005-07-26 11:24:14 -06:00
|
|
|
{
|
[PATCH] Notifier chain update: API changes
The kernel's implementation of notifier chains is unsafe. There is no
protection against entries being added to or removed from a chain while the
chain is in use. The issues were discussed in this thread:
http://marc.theaimsgroup.com/?l=linux-kernel&m=113018709002036&w=2
We noticed that notifier chains in the kernel fall into two basic usage
classes:
"Blocking" chains are always called from a process context
and the callout routines are allowed to sleep;
"Atomic" chains can be called from an atomic context and
the callout routines are not allowed to sleep.
We decided to codify this distinction and make it part of the API. Therefore
this set of patches introduces three new, parallel APIs: one for blocking
notifiers, one for atomic notifiers, and one for "raw" notifiers (which is
really just the old API under a new name). New kinds of data structures are
used for the heads of the chains, and new routines are defined for
registration, unregistration, and calling a chain. The three APIs are
explained in include/linux/notifier.h and their implementation is in
kernel/sys.c.
With atomic and blocking chains, the implementation guarantees that the chain
links will not be corrupted and that chain callers will not get messed up by
entries being added or removed. For raw chains the implementation provides no
guarantees at all; users of this API must provide their own protections. (The
idea was that situations may come up where the assumptions of the atomic and
blocking APIs are not appropriate, so it should be possible for users to
handle these things in their own way.)
There are some limitations, which should not be too hard to live with. For
atomic/blocking chains, registration and unregistration must always be done in
a process context since the chain is protected by a mutex/rwsem. Also, a
callout routine for a non-raw chain must not try to register or unregister
entries on its own chain. (This did happen in a couple of places and the code
had to be changed to avoid it.)
Since atomic chains may be called from within an NMI handler, they cannot use
spinlocks for synchronization. Instead we use RCU. The overhead falls almost
entirely in the unregister routine, which is okay since unregistration is much
less frequent that calling a chain.
Here is the list of chains that we adjusted and their classifications. None
of them use the raw API, so for the moment it is only a placeholder.
ATOMIC CHAINS
-------------
arch/i386/kernel/traps.c: i386die_chain
arch/ia64/kernel/traps.c: ia64die_chain
arch/powerpc/kernel/traps.c: powerpc_die_chain
arch/sparc64/kernel/traps.c: sparc64die_chain
arch/x86_64/kernel/traps.c: die_chain
drivers/char/ipmi/ipmi_si_intf.c: xaction_notifier_list
kernel/panic.c: panic_notifier_list
kernel/profile.c: task_free_notifier
net/bluetooth/hci_core.c: hci_notifier
net/ipv4/netfilter/ip_conntrack_core.c: ip_conntrack_chain
net/ipv4/netfilter/ip_conntrack_core.c: ip_conntrack_expect_chain
net/ipv6/addrconf.c: inet6addr_chain
net/netfilter/nf_conntrack_core.c: nf_conntrack_chain
net/netfilter/nf_conntrack_core.c: nf_conntrack_expect_chain
net/netlink/af_netlink.c: netlink_chain
BLOCKING CHAINS
---------------
arch/powerpc/platforms/pseries/reconfig.c: pSeries_reconfig_chain
arch/s390/kernel/process.c: idle_chain
arch/x86_64/kernel/process.c idle_notifier
drivers/base/memory.c: memory_chain
drivers/cpufreq/cpufreq.c cpufreq_policy_notifier_list
drivers/cpufreq/cpufreq.c cpufreq_transition_notifier_list
drivers/macintosh/adb.c: adb_client_list
drivers/macintosh/via-pmu.c sleep_notifier_list
drivers/macintosh/via-pmu68k.c sleep_notifier_list
drivers/macintosh/windfarm_core.c wf_client_list
drivers/usb/core/notify.c usb_notifier_list
drivers/video/fbmem.c fb_notifier_list
kernel/cpu.c cpu_chain
kernel/module.c module_notify_list
kernel/profile.c munmap_notifier
kernel/profile.c task_exit_notifier
kernel/sys.c reboot_notifier_list
net/core/dev.c netdev_chain
net/decnet/dn_dev.c: dnaddr_chain
net/ipv4/devinet.c: inetaddr_chain
It's possible that some of these classifications are wrong. If they are,
please let us know or submit a patch to fix them. Note that any chain that
gets called very frequently should be atomic, because the rwsem read-locking
used for blocking chains is very likely to incur cache misses on SMP systems.
(However, if the chain's callout routines may sleep then the chain cannot be
atomic.)
The patch set was written by Alan Stern and Chandra Seetharaman, incorporating
material written by Keith Owens and suggestions from Paul McKenney and Andrew
Morton.
[jes@sgi.com: restructure the notifier chain initialization macros]
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Chandra Seetharaman <sekharan@us.ibm.com>
Signed-off-by: Jes Sorensen <jes@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-27 01:16:30 -08:00
|
|
|
blocking_notifier_call_chain(&reboot_notifier_list, SYS_RESTART, cmd);
|
2005-07-26 11:24:14 -06:00
|
|
|
system_state = SYSTEM_RESTART;
|
|
|
|
device_shutdown();
|
2007-07-26 16:29:55 +02:00
|
|
|
sysdev_shutdown();
|
2005-09-22 21:43:45 -07:00
|
|
|
}
|
2005-11-07 01:01:06 -08:00
|
|
|
|
|
|
|
/**
|
|
|
|
* kernel_restart - reboot the system
|
|
|
|
* @cmd: pointer to buffer containing command to execute for restart
|
2005-11-07 01:01:07 -08:00
|
|
|
* or %NULL
|
2005-11-07 01:01:06 -08:00
|
|
|
*
|
|
|
|
* Shutdown everything and perform a clean reboot.
|
|
|
|
* This is not safe to call in interrupt context.
|
|
|
|
*/
|
2005-09-22 21:43:45 -07:00
|
|
|
void kernel_restart(char *cmd)
|
|
|
|
{
|
|
|
|
kernel_restart_prepare(cmd);
|
2006-09-30 23:27:24 -07:00
|
|
|
if (!cmd)
|
2005-07-26 11:24:14 -06:00
|
|
|
printk(KERN_EMERG "Restarting system.\n");
|
2006-09-30 23:27:24 -07:00
|
|
|
else
|
2005-07-26 11:24:14 -06:00
|
|
|
printk(KERN_EMERG "Restarting system with command '%s'.\n", cmd);
|
|
|
|
machine_restart(cmd);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(kernel_restart);
|
|
|
|
|
2008-02-04 22:30:06 -08:00
|
|
|
static void kernel_shutdown_prepare(enum system_states state)
|
2005-12-01 04:29:00 -05:00
|
|
|
{
|
[PATCH] Notifier chain update: API changes
The kernel's implementation of notifier chains is unsafe. There is no
protection against entries being added to or removed from a chain while the
chain is in use. The issues were discussed in this thread:
http://marc.theaimsgroup.com/?l=linux-kernel&m=113018709002036&w=2
We noticed that notifier chains in the kernel fall into two basic usage
classes:
"Blocking" chains are always called from a process context
and the callout routines are allowed to sleep;
"Atomic" chains can be called from an atomic context and
the callout routines are not allowed to sleep.
We decided to codify this distinction and make it part of the API. Therefore
this set of patches introduces three new, parallel APIs: one for blocking
notifiers, one for atomic notifiers, and one for "raw" notifiers (which is
really just the old API under a new name). New kinds of data structures are
used for the heads of the chains, and new routines are defined for
registration, unregistration, and calling a chain. The three APIs are
explained in include/linux/notifier.h and their implementation is in
kernel/sys.c.
With atomic and blocking chains, the implementation guarantees that the chain
links will not be corrupted and that chain callers will not get messed up by
entries being added or removed. For raw chains the implementation provides no
guarantees at all; users of this API must provide their own protections. (The
idea was that situations may come up where the assumptions of the atomic and
blocking APIs are not appropriate, so it should be possible for users to
handle these things in their own way.)
There are some limitations, which should not be too hard to live with. For
atomic/blocking chains, registration and unregistration must always be done in
a process context since the chain is protected by a mutex/rwsem. Also, a
callout routine for a non-raw chain must not try to register or unregister
entries on its own chain. (This did happen in a couple of places and the code
had to be changed to avoid it.)
Since atomic chains may be called from within an NMI handler, they cannot use
spinlocks for synchronization. Instead we use RCU. The overhead falls almost
entirely in the unregister routine, which is okay since unregistration is much
less frequent that calling a chain.
Here is the list of chains that we adjusted and their classifications. None
of them use the raw API, so for the moment it is only a placeholder.
ATOMIC CHAINS
-------------
arch/i386/kernel/traps.c: i386die_chain
arch/ia64/kernel/traps.c: ia64die_chain
arch/powerpc/kernel/traps.c: powerpc_die_chain
arch/sparc64/kernel/traps.c: sparc64die_chain
arch/x86_64/kernel/traps.c: die_chain
drivers/char/ipmi/ipmi_si_intf.c: xaction_notifier_list
kernel/panic.c: panic_notifier_list
kernel/profile.c: task_free_notifier
net/bluetooth/hci_core.c: hci_notifier
net/ipv4/netfilter/ip_conntrack_core.c: ip_conntrack_chain
net/ipv4/netfilter/ip_conntrack_core.c: ip_conntrack_expect_chain
net/ipv6/addrconf.c: inet6addr_chain
net/netfilter/nf_conntrack_core.c: nf_conntrack_chain
net/netfilter/nf_conntrack_core.c: nf_conntrack_expect_chain
net/netlink/af_netlink.c: netlink_chain
BLOCKING CHAINS
---------------
arch/powerpc/platforms/pseries/reconfig.c: pSeries_reconfig_chain
arch/s390/kernel/process.c: idle_chain
arch/x86_64/kernel/process.c idle_notifier
drivers/base/memory.c: memory_chain
drivers/cpufreq/cpufreq.c cpufreq_policy_notifier_list
drivers/cpufreq/cpufreq.c cpufreq_transition_notifier_list
drivers/macintosh/adb.c: adb_client_list
drivers/macintosh/via-pmu.c sleep_notifier_list
drivers/macintosh/via-pmu68k.c sleep_notifier_list
drivers/macintosh/windfarm_core.c wf_client_list
drivers/usb/core/notify.c usb_notifier_list
drivers/video/fbmem.c fb_notifier_list
kernel/cpu.c cpu_chain
kernel/module.c module_notify_list
kernel/profile.c munmap_notifier
kernel/profile.c task_exit_notifier
kernel/sys.c reboot_notifier_list
net/core/dev.c netdev_chain
net/decnet/dn_dev.c: dnaddr_chain
net/ipv4/devinet.c: inetaddr_chain
It's possible that some of these classifications are wrong. If they are,
please let us know or submit a patch to fix them. Note that any chain that
gets called very frequently should be atomic, because the rwsem read-locking
used for blocking chains is very likely to incur cache misses on SMP systems.
(However, if the chain's callout routines may sleep then the chain cannot be
atomic.)
The patch set was written by Alan Stern and Chandra Seetharaman, incorporating
material written by Keith Owens and suggestions from Paul McKenney and Andrew
Morton.
[jes@sgi.com: restructure the notifier chain initialization macros]
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Chandra Seetharaman <sekharan@us.ibm.com>
Signed-off-by: Jes Sorensen <jes@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-27 01:16:30 -08:00
|
|
|
blocking_notifier_call_chain(&reboot_notifier_list,
|
2005-12-01 04:29:00 -05:00
|
|
|
(state == SYSTEM_HALT)?SYS_HALT:SYS_POWER_OFF, NULL);
|
|
|
|
system_state = state;
|
|
|
|
device_shutdown();
|
|
|
|
}
|
2005-09-22 21:43:45 -07:00
|
|
|
/**
|
|
|
|
* kernel_halt - halt the system
|
|
|
|
*
|
|
|
|
* Shutdown everything and perform a clean system halt.
|
|
|
|
*/
|
|
|
|
void kernel_halt(void)
|
|
|
|
{
|
2005-12-01 04:29:00 -05:00
|
|
|
kernel_shutdown_prepare(SYSTEM_HALT);
|
2007-07-26 16:29:55 +02:00
|
|
|
sysdev_shutdown();
|
2005-07-26 11:24:14 -06:00
|
|
|
printk(KERN_EMERG "System halted.\n");
|
|
|
|
machine_halt();
|
|
|
|
}
|
2005-12-01 04:29:00 -05:00
|
|
|
|
2005-07-26 11:24:14 -06:00
|
|
|
EXPORT_SYMBOL_GPL(kernel_halt);
|
|
|
|
|
2005-09-22 21:43:45 -07:00
|
|
|
/**
|
|
|
|
* kernel_power_off - power_off the system
|
|
|
|
*
|
|
|
|
* Shutdown everything and perform a clean system power_off.
|
|
|
|
*/
|
|
|
|
void kernel_power_off(void)
|
|
|
|
{
|
2005-12-01 04:29:00 -05:00
|
|
|
kernel_shutdown_prepare(SYSTEM_POWER_OFF);
|
2007-07-19 01:47:40 -07:00
|
|
|
if (pm_power_off_prepare)
|
|
|
|
pm_power_off_prepare();
|
2007-10-01 01:20:10 -07:00
|
|
|
disable_nonboot_cpus();
|
2007-07-26 16:29:55 +02:00
|
|
|
sysdev_shutdown();
|
2005-07-26 11:24:14 -06:00
|
|
|
printk(KERN_EMERG "Power down.\n");
|
|
|
|
machine_power_off();
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(kernel_power_off);
|
2005-04-16 15:20:36 -07:00
|
|
|
/*
|
|
|
|
* Reboot system call: for obvious reasons only root may call it,
|
|
|
|
* and even root needs to set up some magic numbers in the registers
|
|
|
|
* so that some mistake won't make this reboot the whole machine.
|
|
|
|
* You can also set the meaning of the ctrl-alt-del-key here.
|
|
|
|
*
|
|
|
|
* reboot doesn't sync: do that yourself before calling this.
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_reboot(int magic1, int magic2, unsigned int cmd, void __user * arg)
|
|
|
|
{
|
|
|
|
char buffer[256];
|
|
|
|
|
|
|
|
/* We only trust the superuser with rebooting the system. */
|
|
|
|
if (!capable(CAP_SYS_BOOT))
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
/* For safety, we require "magic" arguments. */
|
|
|
|
if (magic1 != LINUX_REBOOT_MAGIC1 ||
|
|
|
|
(magic2 != LINUX_REBOOT_MAGIC2 &&
|
|
|
|
magic2 != LINUX_REBOOT_MAGIC2A &&
|
|
|
|
magic2 != LINUX_REBOOT_MAGIC2B &&
|
|
|
|
magic2 != LINUX_REBOOT_MAGIC2C))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2006-01-08 01:03:46 -08:00
|
|
|
/* Instead of trying to make the power_off code look like
|
|
|
|
* halt when pm_power_off is not set do it the easy way.
|
|
|
|
*/
|
|
|
|
if ((cmd == LINUX_REBOOT_CMD_POWER_OFF) && !pm_power_off)
|
|
|
|
cmd = LINUX_REBOOT_CMD_HALT;
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
lock_kernel();
|
|
|
|
switch (cmd) {
|
|
|
|
case LINUX_REBOOT_CMD_RESTART:
|
2005-07-26 11:24:14 -06:00
|
|
|
kernel_restart(NULL);
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
|
|
|
|
|
|
|
case LINUX_REBOOT_CMD_CAD_ON:
|
|
|
|
C_A_D = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case LINUX_REBOOT_CMD_CAD_OFF:
|
|
|
|
C_A_D = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case LINUX_REBOOT_CMD_HALT:
|
2005-07-26 11:24:14 -06:00
|
|
|
kernel_halt();
|
2005-04-16 15:20:36 -07:00
|
|
|
unlock_kernel();
|
|
|
|
do_exit(0);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case LINUX_REBOOT_CMD_POWER_OFF:
|
2005-07-26 11:24:14 -06:00
|
|
|
kernel_power_off();
|
2005-04-16 15:20:36 -07:00
|
|
|
unlock_kernel();
|
|
|
|
do_exit(0);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case LINUX_REBOOT_CMD_RESTART2:
|
|
|
|
if (strncpy_from_user(&buffer[0], arg, sizeof(buffer) - 1) < 0) {
|
|
|
|
unlock_kernel();
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
buffer[sizeof(buffer) - 1] = '\0';
|
|
|
|
|
2005-07-26 11:24:14 -06:00
|
|
|
kernel_restart(buffer);
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
|
|
|
|
2008-07-25 19:45:07 -07:00
|
|
|
#ifdef CONFIG_KEXEC
|
2005-06-25 14:57:52 -07:00
|
|
|
case LINUX_REBOOT_CMD_KEXEC:
|
2008-07-25 19:45:07 -07:00
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
ret = kernel_kexec();
|
|
|
|
unlock_kernel();
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
#endif
|
2005-07-26 11:24:14 -06:00
|
|
|
|
2007-07-29 23:24:36 +02:00
|
|
|
#ifdef CONFIG_HIBERNATION
|
2005-04-16 15:20:36 -07:00
|
|
|
case LINUX_REBOOT_CMD_SW_SUSPEND:
|
|
|
|
{
|
2007-05-09 02:33:18 -07:00
|
|
|
int ret = hibernate();
|
2005-04-16 15:20:36 -07:00
|
|
|
unlock_kernel();
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
default:
|
|
|
|
unlock_kernel();
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
unlock_kernel();
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2006-11-22 14:55:48 +00:00
|
|
|
static void deferred_cad(struct work_struct *dummy)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
2005-07-26 11:27:34 -06:00
|
|
|
kernel_restart(NULL);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This function gets called by ctrl-alt-del - ie the keyboard interrupt.
|
|
|
|
* As it's called within an interrupt, it may NOT sync: the only choice
|
|
|
|
* is whether to reboot at once, or just ignore the ctrl-alt-del.
|
|
|
|
*/
|
|
|
|
void ctrl_alt_del(void)
|
|
|
|
{
|
2006-11-22 14:55:48 +00:00
|
|
|
static DECLARE_WORK(cad_work, deferred_cad);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (C_A_D)
|
|
|
|
schedule_work(&cad_work);
|
|
|
|
else
|
2006-10-02 02:19:00 -07:00
|
|
|
kill_cad_pid(SIGINT, 1);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Unprivileged users may change the real gid to the effective gid
|
|
|
|
* or vice versa. (BSD-style)
|
|
|
|
*
|
|
|
|
* If you set the real gid at all, or set the effective gid to a value not
|
|
|
|
* equal to the real gid, then the saved gid is set to the new effective gid.
|
|
|
|
*
|
|
|
|
* This makes it possible for a setgid program to completely drop its
|
|
|
|
* privileges, which is often a useful assertion to make when you are doing
|
|
|
|
* a security audit over a program.
|
|
|
|
*
|
|
|
|
* The general idea is that a program which uses just setregid() will be
|
|
|
|
* 100% compatible with BSD. A program which uses just setgid() will be
|
|
|
|
* 100% compatible with POSIX with saved IDs.
|
|
|
|
*
|
|
|
|
* SMP: There are not races, the GIDs are checked only by filesystem
|
|
|
|
* operations (as far as semantic preservation is concerned).
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_setregid(gid_t rgid, gid_t egid)
|
|
|
|
{
|
|
|
|
int old_rgid = current->gid;
|
|
|
|
int old_egid = current->egid;
|
|
|
|
int new_rgid = old_rgid;
|
|
|
|
int new_egid = old_egid;
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
retval = security_task_setgid(rgid, egid, (gid_t)-1, LSM_SETID_RE);
|
|
|
|
if (retval)
|
|
|
|
return retval;
|
|
|
|
|
|
|
|
if (rgid != (gid_t) -1) {
|
|
|
|
if ((old_rgid == rgid) ||
|
|
|
|
(current->egid==rgid) ||
|
|
|
|
capable(CAP_SETGID))
|
|
|
|
new_rgid = rgid;
|
|
|
|
else
|
|
|
|
return -EPERM;
|
|
|
|
}
|
|
|
|
if (egid != (gid_t) -1) {
|
|
|
|
if ((old_rgid == egid) ||
|
|
|
|
(current->egid == egid) ||
|
|
|
|
(current->sgid == egid) ||
|
|
|
|
capable(CAP_SETGID))
|
|
|
|
new_egid = egid;
|
2006-09-30 23:27:24 -07:00
|
|
|
else
|
2005-04-16 15:20:36 -07:00
|
|
|
return -EPERM;
|
|
|
|
}
|
2006-09-30 23:27:24 -07:00
|
|
|
if (new_egid != old_egid) {
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, suid_dumpable);
|
2005-05-01 08:58:47 -07:00
|
|
|
smp_wmb();
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
if (rgid != (gid_t) -1 ||
|
|
|
|
(egid != (gid_t) -1 && egid != old_rgid))
|
|
|
|
current->sgid = new_egid;
|
|
|
|
current->fsgid = new_egid;
|
|
|
|
current->egid = new_egid;
|
|
|
|
current->gid = new_rgid;
|
|
|
|
key_fsgid_changed(current);
|
2005-11-07 00:59:16 -08:00
|
|
|
proc_id_connector(current, PROC_EVENT_GID);
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* setgid() is implemented like SysV w/ SAVED_IDS
|
|
|
|
*
|
|
|
|
* SMP: Same implicit races as above.
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_setgid(gid_t gid)
|
|
|
|
{
|
|
|
|
int old_egid = current->egid;
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
retval = security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_ID);
|
|
|
|
if (retval)
|
|
|
|
return retval;
|
|
|
|
|
2006-09-30 23:27:24 -07:00
|
|
|
if (capable(CAP_SETGID)) {
|
|
|
|
if (old_egid != gid) {
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, suid_dumpable);
|
2005-05-01 08:58:47 -07:00
|
|
|
smp_wmb();
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
current->gid = current->egid = current->sgid = current->fsgid = gid;
|
2006-09-30 23:27:24 -07:00
|
|
|
} else if ((gid == current->gid) || (gid == current->sgid)) {
|
|
|
|
if (old_egid != gid) {
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, suid_dumpable);
|
2005-05-01 08:58:47 -07:00
|
|
|
smp_wmb();
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
current->egid = current->fsgid = gid;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
key_fsgid_changed(current);
|
2005-11-07 00:59:16 -08:00
|
|
|
proc_id_connector(current, PROC_EVENT_GID);
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int set_user(uid_t new_ruid, int dumpclear)
|
|
|
|
{
|
|
|
|
struct user_struct *new_user;
|
|
|
|
|
2007-07-15 23:40:59 -07:00
|
|
|
new_user = alloc_uid(current->nsproxy->user_ns, new_ruid);
|
2005-04-16 15:20:36 -07:00
|
|
|
if (!new_user)
|
|
|
|
return -EAGAIN;
|
|
|
|
|
|
|
|
if (atomic_read(&new_user->processes) >=
|
|
|
|
current->signal->rlim[RLIMIT_NPROC].rlim_cur &&
|
2007-07-15 23:40:59 -07:00
|
|
|
new_user != current->nsproxy->user_ns->root_user) {
|
2005-04-16 15:20:36 -07:00
|
|
|
free_uid(new_user);
|
|
|
|
return -EAGAIN;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch_uid(new_user);
|
|
|
|
|
2006-09-30 23:27:24 -07:00
|
|
|
if (dumpclear) {
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, suid_dumpable);
|
2005-05-01 08:58:47 -07:00
|
|
|
smp_wmb();
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
current->uid = new_ruid;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Unprivileged users may change the real uid to the effective uid
|
|
|
|
* or vice versa. (BSD-style)
|
|
|
|
*
|
|
|
|
* If you set the real uid at all, or set the effective uid to a value not
|
|
|
|
* equal to the real uid, then the saved uid is set to the new effective uid.
|
|
|
|
*
|
|
|
|
* This makes it possible for a setuid program to completely drop its
|
|
|
|
* privileges, which is often a useful assertion to make when you are doing
|
|
|
|
* a security audit over a program.
|
|
|
|
*
|
|
|
|
* The general idea is that a program which uses just setreuid() will be
|
|
|
|
* 100% compatible with BSD. A program which uses just setuid() will be
|
|
|
|
* 100% compatible with POSIX with saved IDs.
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_setreuid(uid_t ruid, uid_t euid)
|
|
|
|
{
|
|
|
|
int old_ruid, old_euid, old_suid, new_ruid, new_euid;
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
retval = security_task_setuid(ruid, euid, (uid_t)-1, LSM_SETID_RE);
|
|
|
|
if (retval)
|
|
|
|
return retval;
|
|
|
|
|
|
|
|
new_ruid = old_ruid = current->uid;
|
|
|
|
new_euid = old_euid = current->euid;
|
|
|
|
old_suid = current->suid;
|
|
|
|
|
|
|
|
if (ruid != (uid_t) -1) {
|
|
|
|
new_ruid = ruid;
|
|
|
|
if ((old_ruid != ruid) &&
|
|
|
|
(current->euid != ruid) &&
|
|
|
|
!capable(CAP_SETUID))
|
|
|
|
return -EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (euid != (uid_t) -1) {
|
|
|
|
new_euid = euid;
|
|
|
|
if ((old_ruid != euid) &&
|
|
|
|
(current->euid != euid) &&
|
|
|
|
(current->suid != euid) &&
|
|
|
|
!capable(CAP_SETUID))
|
|
|
|
return -EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (new_ruid != old_ruid && set_user(new_ruid, new_euid != old_euid) < 0)
|
|
|
|
return -EAGAIN;
|
|
|
|
|
2006-09-30 23:27:24 -07:00
|
|
|
if (new_euid != old_euid) {
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, suid_dumpable);
|
2005-05-01 08:58:47 -07:00
|
|
|
smp_wmb();
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
current->fsuid = current->euid = new_euid;
|
|
|
|
if (ruid != (uid_t) -1 ||
|
|
|
|
(euid != (uid_t) -1 && euid != old_ruid))
|
|
|
|
current->suid = current->euid;
|
|
|
|
current->fsuid = current->euid;
|
|
|
|
|
|
|
|
key_fsuid_changed(current);
|
2005-11-07 00:59:16 -08:00
|
|
|
proc_id_connector(current, PROC_EVENT_UID);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
return security_task_post_setuid(old_ruid, old_euid, old_suid, LSM_SETID_RE);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* setuid() is implemented like SysV with SAVED_IDS
|
|
|
|
*
|
|
|
|
* Note that SAVED_ID's is deficient in that a setuid root program
|
|
|
|
* like sendmail, for example, cannot set its uid to be a normal
|
|
|
|
* user and then switch back, because if you're root, setuid() sets
|
|
|
|
* the saved uid too. If you don't like this, blame the bright people
|
|
|
|
* in the POSIX committee and/or USG. Note that the BSD-style setreuid()
|
|
|
|
* will allow a root program to temporarily drop privileges and be able to
|
|
|
|
* regain them by swapping the real and effective uid.
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_setuid(uid_t uid)
|
|
|
|
{
|
|
|
|
int old_euid = current->euid;
|
2006-12-06 20:40:18 -08:00
|
|
|
int old_ruid, old_suid, new_suid;
|
2005-04-16 15:20:36 -07:00
|
|
|
int retval;
|
|
|
|
|
|
|
|
retval = security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_ID);
|
|
|
|
if (retval)
|
|
|
|
return retval;
|
|
|
|
|
2006-12-06 20:40:18 -08:00
|
|
|
old_ruid = current->uid;
|
2005-04-16 15:20:36 -07:00
|
|
|
old_suid = current->suid;
|
|
|
|
new_suid = old_suid;
|
|
|
|
|
|
|
|
if (capable(CAP_SETUID)) {
|
|
|
|
if (uid != old_ruid && set_user(uid, old_euid != uid) < 0)
|
|
|
|
return -EAGAIN;
|
|
|
|
new_suid = uid;
|
|
|
|
} else if ((uid != current->uid) && (uid != new_suid))
|
|
|
|
return -EPERM;
|
|
|
|
|
2006-09-30 23:27:24 -07:00
|
|
|
if (old_euid != uid) {
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, suid_dumpable);
|
2005-05-01 08:58:47 -07:00
|
|
|
smp_wmb();
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
current->fsuid = current->euid = uid;
|
|
|
|
current->suid = new_suid;
|
|
|
|
|
|
|
|
key_fsuid_changed(current);
|
2005-11-07 00:59:16 -08:00
|
|
|
proc_id_connector(current, PROC_EVENT_UID);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
return security_task_post_setuid(old_ruid, old_euid, old_suid, LSM_SETID_ID);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This function implements a generic ability to update ruid, euid,
|
|
|
|
* and suid. This allows you to implement the 4.4 compatible seteuid().
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
|
|
|
{
|
|
|
|
int old_ruid = current->uid;
|
|
|
|
int old_euid = current->euid;
|
|
|
|
int old_suid = current->suid;
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
retval = security_task_setuid(ruid, euid, suid, LSM_SETID_RES);
|
|
|
|
if (retval)
|
|
|
|
return retval;
|
|
|
|
|
|
|
|
if (!capable(CAP_SETUID)) {
|
|
|
|
if ((ruid != (uid_t) -1) && (ruid != current->uid) &&
|
|
|
|
(ruid != current->euid) && (ruid != current->suid))
|
|
|
|
return -EPERM;
|
|
|
|
if ((euid != (uid_t) -1) && (euid != current->uid) &&
|
|
|
|
(euid != current->euid) && (euid != current->suid))
|
|
|
|
return -EPERM;
|
|
|
|
if ((suid != (uid_t) -1) && (suid != current->uid) &&
|
|
|
|
(suid != current->euid) && (suid != current->suid))
|
|
|
|
return -EPERM;
|
|
|
|
}
|
|
|
|
if (ruid != (uid_t) -1) {
|
|
|
|
if (ruid != current->uid && set_user(ruid, euid != current->euid) < 0)
|
|
|
|
return -EAGAIN;
|
|
|
|
}
|
|
|
|
if (euid != (uid_t) -1) {
|
2006-09-30 23:27:24 -07:00
|
|
|
if (euid != current->euid) {
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, suid_dumpable);
|
2005-05-01 08:58:47 -07:00
|
|
|
smp_wmb();
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
current->euid = euid;
|
|
|
|
}
|
|
|
|
current->fsuid = current->euid;
|
|
|
|
if (suid != (uid_t) -1)
|
|
|
|
current->suid = suid;
|
|
|
|
|
|
|
|
key_fsuid_changed(current);
|
2005-11-07 00:59:16 -08:00
|
|
|
proc_id_connector(current, PROC_EVENT_UID);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
return security_task_post_setuid(old_ruid, old_euid, old_suid, LSM_SETID_RES);
|
|
|
|
}
|
|
|
|
|
|
|
|
asmlinkage long sys_getresuid(uid_t __user *ruid, uid_t __user *euid, uid_t __user *suid)
|
|
|
|
{
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
if (!(retval = put_user(current->uid, ruid)) &&
|
|
|
|
!(retval = put_user(current->euid, euid)))
|
|
|
|
retval = put_user(current->suid, suid);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Same as above, but for rgid, egid, sgid.
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
|
|
|
|
{
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
retval = security_task_setgid(rgid, egid, sgid, LSM_SETID_RES);
|
|
|
|
if (retval)
|
|
|
|
return retval;
|
|
|
|
|
|
|
|
if (!capable(CAP_SETGID)) {
|
|
|
|
if ((rgid != (gid_t) -1) && (rgid != current->gid) &&
|
|
|
|
(rgid != current->egid) && (rgid != current->sgid))
|
|
|
|
return -EPERM;
|
|
|
|
if ((egid != (gid_t) -1) && (egid != current->gid) &&
|
|
|
|
(egid != current->egid) && (egid != current->sgid))
|
|
|
|
return -EPERM;
|
|
|
|
if ((sgid != (gid_t) -1) && (sgid != current->gid) &&
|
|
|
|
(sgid != current->egid) && (sgid != current->sgid))
|
|
|
|
return -EPERM;
|
|
|
|
}
|
|
|
|
if (egid != (gid_t) -1) {
|
2006-09-30 23:27:24 -07:00
|
|
|
if (egid != current->egid) {
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, suid_dumpable);
|
2005-05-01 08:58:47 -07:00
|
|
|
smp_wmb();
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
current->egid = egid;
|
|
|
|
}
|
|
|
|
current->fsgid = current->egid;
|
|
|
|
if (rgid != (gid_t) -1)
|
|
|
|
current->gid = rgid;
|
|
|
|
if (sgid != (gid_t) -1)
|
|
|
|
current->sgid = sgid;
|
|
|
|
|
|
|
|
key_fsgid_changed(current);
|
2005-11-07 00:59:16 -08:00
|
|
|
proc_id_connector(current, PROC_EVENT_GID);
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
asmlinkage long sys_getresgid(gid_t __user *rgid, gid_t __user *egid, gid_t __user *sgid)
|
|
|
|
{
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
if (!(retval = put_user(current->gid, rgid)) &&
|
|
|
|
!(retval = put_user(current->egid, egid)))
|
|
|
|
retval = put_user(current->sgid, sgid);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* "setfsuid()" sets the fsuid - the uid used for filesystem checks. This
|
|
|
|
* is used for "access()" and for the NFS daemon (letting nfsd stay at
|
|
|
|
* whatever uid it wants to). It normally shadows "euid", except when
|
|
|
|
* explicitly set by setfsuid() or for access..
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_setfsuid(uid_t uid)
|
|
|
|
{
|
|
|
|
int old_fsuid;
|
|
|
|
|
|
|
|
old_fsuid = current->fsuid;
|
|
|
|
if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS))
|
|
|
|
return old_fsuid;
|
|
|
|
|
|
|
|
if (uid == current->uid || uid == current->euid ||
|
|
|
|
uid == current->suid || uid == current->fsuid ||
|
2006-09-30 23:27:24 -07:00
|
|
|
capable(CAP_SETUID)) {
|
|
|
|
if (uid != old_fsuid) {
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, suid_dumpable);
|
2005-05-01 08:58:47 -07:00
|
|
|
smp_wmb();
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
current->fsuid = uid;
|
|
|
|
}
|
|
|
|
|
|
|
|
key_fsuid_changed(current);
|
2005-11-07 00:59:16 -08:00
|
|
|
proc_id_connector(current, PROC_EVENT_UID);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
security_task_post_setuid(old_fsuid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS);
|
|
|
|
|
|
|
|
return old_fsuid;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2007-05-09 08:23:08 +02:00
|
|
|
* Samma på svenska..
|
2005-04-16 15:20:36 -07:00
|
|
|
*/
|
|
|
|
asmlinkage long sys_setfsgid(gid_t gid)
|
|
|
|
{
|
|
|
|
int old_fsgid;
|
|
|
|
|
|
|
|
old_fsgid = current->fsgid;
|
|
|
|
if (security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_FS))
|
|
|
|
return old_fsgid;
|
|
|
|
|
|
|
|
if (gid == current->gid || gid == current->egid ||
|
|
|
|
gid == current->sgid || gid == current->fsgid ||
|
2006-09-30 23:27:24 -07:00
|
|
|
capable(CAP_SETGID)) {
|
|
|
|
if (gid != old_fsgid) {
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, suid_dumpable);
|
2005-05-01 08:58:47 -07:00
|
|
|
smp_wmb();
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
current->fsgid = gid;
|
|
|
|
key_fsgid_changed(current);
|
2005-11-07 00:59:16 -08:00
|
|
|
proc_id_connector(current, PROC_EVENT_GID);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
return old_fsgid;
|
|
|
|
}
|
|
|
|
|
timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads. It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine. (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.) To do this, at each tick we now update fields in
signal_struct as well as task_struct. The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
cputime_t utime;
cputime_t stime;
unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels. For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
struct task_cputime totals;
};
struct thread_group_cputime {
struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers). The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends. In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention). For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu(). The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel. The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields. The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures. The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated. The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU. Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away. All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline. When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations. It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below). Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
all of which was spent in the system. There were twice as many
voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
an unmodified kernel can handle), the fixed kernel ran the test in
eight percent of the time (5.8 seconds as opposed to 70 seconds) and
had better tick accuracy (.012 seconds per tick as opposed to .023
seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
interval of 10,000 seconds (i.e. a timer that ticks only once) had
very nearly the same performance in both cases: 6.3 seconds elapsed
for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
running), the modified kernel was very slightly favored in that while
it killed the process in 19.997 seconds of CPU time (5.002 seconds of
wall time), only .003 seconds of that was system time, the rest was
user time. The unmodified kernel killed the process in 20.001 seconds
of CPU (5.014 seconds of wall time) of which .016 seconds was system
time. Really, though, the results were too close to call. The results
were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
(where the hard limit would never be reached) and an itimer running,
the modified kernel exhibited worse tick accuracy than the unmodified
kernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,
performance was almost indistinguishable. With no itimer running this
test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing. those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds. Performance with eight, four and one
thread were comparable. Interestingly, the timer ticks with the fix seemed
more accurate: The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick. Both cases were configured for an interval of
0.01 seconds. Again, the other tests were comparable. Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix. In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable). System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite
accurate. There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-09-12 09:54:39 -07:00
|
|
|
void do_sys_times(struct tms *tms)
|
|
|
|
{
|
|
|
|
struct task_cputime cputime;
|
|
|
|
cputime_t cutime, cstime;
|
|
|
|
|
|
|
|
spin_lock_irq(¤t->sighand->siglock);
|
|
|
|
thread_group_cputime(current, &cputime);
|
|
|
|
cutime = current->signal->cutime;
|
|
|
|
cstime = current->signal->cstime;
|
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
|
|
|
tms->tms_utime = cputime_to_clock_t(cputime.utime);
|
|
|
|
tms->tms_stime = cputime_to_clock_t(cputime.stime);
|
|
|
|
tms->tms_cutime = cputime_to_clock_t(cutime);
|
|
|
|
tms->tms_cstime = cputime_to_clock_t(cstime);
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
asmlinkage long sys_times(struct tms __user * tbuf)
|
|
|
|
{
|
|
|
|
if (tbuf) {
|
|
|
|
struct tms tmp;
|
timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads. It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine. (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.) To do this, at each tick we now update fields in
signal_struct as well as task_struct. The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
cputime_t utime;
cputime_t stime;
unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels. For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
struct task_cputime totals;
};
struct thread_group_cputime {
struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers). The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends. In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention). For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu(). The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel. The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields. The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures. The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated. The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU. Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away. All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline. When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations. It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below). Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
all of which was spent in the system. There were twice as many
voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
an unmodified kernel can handle), the fixed kernel ran the test in
eight percent of the time (5.8 seconds as opposed to 70 seconds) and
had better tick accuracy (.012 seconds per tick as opposed to .023
seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
interval of 10,000 seconds (i.e. a timer that ticks only once) had
very nearly the same performance in both cases: 6.3 seconds elapsed
for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
running), the modified kernel was very slightly favored in that while
it killed the process in 19.997 seconds of CPU time (5.002 seconds of
wall time), only .003 seconds of that was system time, the rest was
user time. The unmodified kernel killed the process in 20.001 seconds
of CPU (5.014 seconds of wall time) of which .016 seconds was system
time. Really, though, the results were too close to call. The results
were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
(where the hard limit would never be reached) and an itimer running,
the modified kernel exhibited worse tick accuracy than the unmodified
kernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,
performance was almost indistinguishable. With no itimer running this
test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing. those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds. Performance with eight, four and one
thread were comparable. Interestingly, the timer ticks with the fix seemed
more accurate: The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick. Both cases were configured for an interval of
0.01 seconds. Again, the other tests were comparable. Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix. In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable). System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite
accurate. There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-09-12 09:54:39 -07:00
|
|
|
|
|
|
|
do_sys_times(&tmp);
|
2005-04-16 15:20:36 -07:00
|
|
|
if (copy_to_user(tbuf, &tmp, sizeof(struct tms)))
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
return (long) jiffies_64_to_clock_t(get_jiffies_64());
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This needs some heavy checking ...
|
|
|
|
* I just haven't the stomach for it. I also don't fully
|
|
|
|
* understand sessions/pgrp etc. Let somebody who does explain it.
|
|
|
|
*
|
|
|
|
* OK, I think I have the protection semantics right.... this is really
|
|
|
|
* only important on a multi-user system anyway, to make sure one user
|
|
|
|
* can't send a signal to a process owned by another. -TYT, 12/12/91
|
|
|
|
*
|
|
|
|
* Auch. Had to add the 'did_exec' flag to conform completely to POSIX.
|
|
|
|
* LBT 04.03.94
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_setpgid(pid_t pid, pid_t pgid)
|
|
|
|
{
|
|
|
|
struct task_struct *p;
|
2006-01-08 01:03:53 -08:00
|
|
|
struct task_struct *group_leader = current->group_leader;
|
2008-02-08 04:19:08 -08:00
|
|
|
struct pid *pgrp;
|
|
|
|
int err;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (!pid)
|
2007-10-18 23:40:14 -07:00
|
|
|
pid = task_pid_vnr(group_leader);
|
2005-04-16 15:20:36 -07:00
|
|
|
if (!pgid)
|
|
|
|
pgid = pid;
|
|
|
|
if (pgid < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* From this point forward we keep holding onto the tasklist lock
|
|
|
|
* so that our parent does not change from under us. -DaveM
|
|
|
|
*/
|
|
|
|
write_lock_irq(&tasklist_lock);
|
|
|
|
|
|
|
|
err = -ESRCH;
|
2008-02-08 04:19:08 -08:00
|
|
|
p = find_task_by_vpid(pid);
|
2005-04-16 15:20:36 -07:00
|
|
|
if (!p)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
err = -EINVAL;
|
|
|
|
if (!thread_group_leader(p))
|
|
|
|
goto out;
|
|
|
|
|
2008-02-08 04:19:08 -08:00
|
|
|
if (same_thread_group(p->real_parent, group_leader)) {
|
2005-04-16 15:20:36 -07:00
|
|
|
err = -EPERM;
|
2007-02-12 00:53:01 -08:00
|
|
|
if (task_session(p) != task_session(group_leader))
|
2005-04-16 15:20:36 -07:00
|
|
|
goto out;
|
|
|
|
err = -EACCES;
|
|
|
|
if (p->did_exec)
|
|
|
|
goto out;
|
|
|
|
} else {
|
|
|
|
err = -ESRCH;
|
2006-01-08 01:03:53 -08:00
|
|
|
if (p != group_leader)
|
2005-04-16 15:20:36 -07:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
err = -EPERM;
|
|
|
|
if (p->signal->leader)
|
|
|
|
goto out;
|
|
|
|
|
2008-02-08 04:19:08 -08:00
|
|
|
pgrp = task_pid(p);
|
2005-04-16 15:20:36 -07:00
|
|
|
if (pgid != pid) {
|
2007-10-18 23:40:14 -07:00
|
|
|
struct task_struct *g;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2008-02-08 04:19:08 -08:00
|
|
|
pgrp = find_vpid(pgid);
|
|
|
|
g = pid_task(pgrp, PIDTYPE_PGID);
|
2007-02-12 00:53:01 -08:00
|
|
|
if (!g || task_session(g) != task_session(group_leader))
|
2006-12-08 02:38:02 -08:00
|
|
|
goto out;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
err = security_task_setpgid(p, pgid);
|
|
|
|
if (err)
|
|
|
|
goto out;
|
|
|
|
|
2008-02-08 04:19:08 -08:00
|
|
|
if (task_pgrp(p) != pgrp) {
|
2008-04-30 00:54:27 -07:00
|
|
|
change_pid(p, PIDTYPE_PGID, pgrp);
|
2008-02-08 04:19:08 -08:00
|
|
|
set_task_pgrp(p, pid_nr(pgrp));
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
err = 0;
|
|
|
|
out:
|
|
|
|
/* All paths lead to here, thus we are safe. -DaveM */
|
|
|
|
write_unlock_irq(&tasklist_lock);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
asmlinkage long sys_getpgid(pid_t pid)
|
|
|
|
{
|
2008-04-30 00:54:29 -07:00
|
|
|
struct task_struct *p;
|
|
|
|
struct pid *grp;
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2006-09-30 23:27:24 -07:00
|
|
|
if (!pid)
|
2008-04-30 00:54:29 -07:00
|
|
|
grp = task_pgrp(current);
|
2006-09-30 23:27:24 -07:00
|
|
|
else {
|
2005-04-16 15:20:36 -07:00
|
|
|
retval = -ESRCH;
|
2008-04-30 00:54:29 -07:00
|
|
|
p = find_task_by_vpid(pid);
|
|
|
|
if (!p)
|
|
|
|
goto out;
|
|
|
|
grp = task_pgrp(p);
|
|
|
|
if (!grp)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
retval = security_task_getpgid(p);
|
|
|
|
if (retval)
|
|
|
|
goto out;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2008-04-30 00:54:29 -07:00
|
|
|
retval = pid_vnr(grp);
|
|
|
|
out:
|
|
|
|
rcu_read_unlock();
|
|
|
|
return retval;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef __ARCH_WANT_SYS_GETPGRP
|
|
|
|
|
|
|
|
asmlinkage long sys_getpgrp(void)
|
|
|
|
{
|
2008-04-30 00:54:29 -07:00
|
|
|
return sys_getpgid(0);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
asmlinkage long sys_getsid(pid_t pid)
|
|
|
|
{
|
2008-04-30 00:54:28 -07:00
|
|
|
struct task_struct *p;
|
|
|
|
struct pid *sid;
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2006-09-30 23:27:24 -07:00
|
|
|
if (!pid)
|
2008-04-30 00:54:28 -07:00
|
|
|
sid = task_session(current);
|
2006-09-30 23:27:24 -07:00
|
|
|
else {
|
2005-04-16 15:20:36 -07:00
|
|
|
retval = -ESRCH;
|
2008-04-30 00:54:28 -07:00
|
|
|
p = find_task_by_vpid(pid);
|
|
|
|
if (!p)
|
|
|
|
goto out;
|
|
|
|
sid = task_session(p);
|
|
|
|
if (!sid)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
retval = security_task_getsid(p);
|
|
|
|
if (retval)
|
|
|
|
goto out;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2008-04-30 00:54:28 -07:00
|
|
|
retval = pid_vnr(sid);
|
|
|
|
out:
|
|
|
|
rcu_read_unlock();
|
|
|
|
return retval;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
asmlinkage long sys_setsid(void)
|
|
|
|
{
|
2006-01-08 01:03:58 -08:00
|
|
|
struct task_struct *group_leader = current->group_leader;
|
2008-02-08 04:19:09 -08:00
|
|
|
struct pid *sid = task_pid(group_leader);
|
|
|
|
pid_t session = pid_vnr(sid);
|
2005-04-16 15:20:36 -07:00
|
|
|
int err = -EPERM;
|
|
|
|
|
|
|
|
write_lock_irq(&tasklist_lock);
|
2006-03-31 02:31:33 -08:00
|
|
|
/* Fail if I am already a session leader */
|
|
|
|
if (group_leader->signal->leader)
|
|
|
|
goto out;
|
|
|
|
|
2008-02-08 04:19:11 -08:00
|
|
|
/* Fail if a process group id already exists that equals the
|
|
|
|
* proposed session id.
|
2006-03-31 02:31:33 -08:00
|
|
|
*/
|
2008-02-08 04:19:12 -08:00
|
|
|
if (pid_task(sid, PIDTYPE_PGID))
|
2005-04-16 15:20:36 -07:00
|
|
|
goto out;
|
|
|
|
|
2006-01-08 01:03:58 -08:00
|
|
|
group_leader->signal->leader = 1;
|
2008-02-08 04:19:09 -08:00
|
|
|
__set_special_pids(sid);
|
2006-12-08 02:36:04 -08:00
|
|
|
|
2008-10-13 10:37:26 +01:00
|
|
|
proc_clear_tty(group_leader);
|
2006-12-08 02:36:04 -08:00
|
|
|
|
2008-02-08 04:19:09 -08:00
|
|
|
err = session;
|
2005-04-16 15:20:36 -07:00
|
|
|
out:
|
|
|
|
write_unlock_irq(&tasklist_lock);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Supplementary group IDs
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* init to 2 - one for init_task, one to ensure it is never freed */
|
|
|
|
struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
|
|
|
|
|
|
|
|
struct group_info *groups_alloc(int gidsetsize)
|
|
|
|
{
|
|
|
|
struct group_info *group_info;
|
|
|
|
int nblocks;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
nblocks = (gidsetsize + NGROUPS_PER_BLOCK - 1) / NGROUPS_PER_BLOCK;
|
|
|
|
/* Make sure we always allocate at least one indirect block pointer */
|
|
|
|
nblocks = nblocks ? : 1;
|
|
|
|
group_info = kmalloc(sizeof(*group_info) + nblocks*sizeof(gid_t *), GFP_USER);
|
|
|
|
if (!group_info)
|
|
|
|
return NULL;
|
|
|
|
group_info->ngroups = gidsetsize;
|
|
|
|
group_info->nblocks = nblocks;
|
|
|
|
atomic_set(&group_info->usage, 1);
|
|
|
|
|
2006-09-30 23:27:24 -07:00
|
|
|
if (gidsetsize <= NGROUPS_SMALL)
|
2005-04-16 15:20:36 -07:00
|
|
|
group_info->blocks[0] = group_info->small_block;
|
2006-09-30 23:27:24 -07:00
|
|
|
else {
|
2005-04-16 15:20:36 -07:00
|
|
|
for (i = 0; i < nblocks; i++) {
|
|
|
|
gid_t *b;
|
|
|
|
b = (void *)__get_free_page(GFP_USER);
|
|
|
|
if (!b)
|
|
|
|
goto out_undo_partial_alloc;
|
|
|
|
group_info->blocks[i] = b;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return group_info;
|
|
|
|
|
|
|
|
out_undo_partial_alloc:
|
|
|
|
while (--i >= 0) {
|
|
|
|
free_page((unsigned long)group_info->blocks[i]);
|
|
|
|
}
|
|
|
|
kfree(group_info);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(groups_alloc);
|
|
|
|
|
|
|
|
void groups_free(struct group_info *group_info)
|
|
|
|
{
|
|
|
|
if (group_info->blocks[0] != group_info->small_block) {
|
|
|
|
int i;
|
|
|
|
for (i = 0; i < group_info->nblocks; i++)
|
|
|
|
free_page((unsigned long)group_info->blocks[i]);
|
|
|
|
}
|
|
|
|
kfree(group_info);
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(groups_free);
|
|
|
|
|
|
|
|
/* export the group_info to a user-space array */
|
|
|
|
static int groups_to_user(gid_t __user *grouplist,
|
|
|
|
struct group_info *group_info)
|
|
|
|
{
|
|
|
|
int i;
|
2008-02-06 01:37:56 -08:00
|
|
|
unsigned int count = group_info->ngroups;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
for (i = 0; i < group_info->nblocks; i++) {
|
2008-02-06 01:37:56 -08:00
|
|
|
unsigned int cp_count = min(NGROUPS_PER_BLOCK, count);
|
|
|
|
unsigned int len = cp_count * sizeof(*grouplist);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2008-02-06 01:37:56 -08:00
|
|
|
if (copy_to_user(grouplist, group_info->blocks[i], len))
|
2005-04-16 15:20:36 -07:00
|
|
|
return -EFAULT;
|
|
|
|
|
2008-02-06 01:37:56 -08:00
|
|
|
grouplist += NGROUPS_PER_BLOCK;
|
2005-04-16 15:20:36 -07:00
|
|
|
count -= cp_count;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* fill a group_info from a user-space array - it must be allocated already */
|
|
|
|
static int groups_from_user(struct group_info *group_info,
|
|
|
|
gid_t __user *grouplist)
|
2006-09-30 23:27:24 -07:00
|
|
|
{
|
2005-04-16 15:20:36 -07:00
|
|
|
int i;
|
2008-02-06 01:37:56 -08:00
|
|
|
unsigned int count = group_info->ngroups;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
for (i = 0; i < group_info->nblocks; i++) {
|
2008-02-06 01:37:56 -08:00
|
|
|
unsigned int cp_count = min(NGROUPS_PER_BLOCK, count);
|
|
|
|
unsigned int len = cp_count * sizeof(*grouplist);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2008-02-06 01:37:56 -08:00
|
|
|
if (copy_from_user(group_info->blocks[i], grouplist, len))
|
2005-04-16 15:20:36 -07:00
|
|
|
return -EFAULT;
|
|
|
|
|
2008-02-06 01:37:56 -08:00
|
|
|
grouplist += NGROUPS_PER_BLOCK;
|
2005-04-16 15:20:36 -07:00
|
|
|
count -= cp_count;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-05-05 16:16:19 -07:00
|
|
|
/* a simple Shell sort */
|
2005-04-16 15:20:36 -07:00
|
|
|
static void groups_sort(struct group_info *group_info)
|
|
|
|
{
|
|
|
|
int base, max, stride;
|
|
|
|
int gidsetsize = group_info->ngroups;
|
|
|
|
|
|
|
|
for (stride = 1; stride < gidsetsize; stride = 3 * stride + 1)
|
|
|
|
; /* nothing */
|
|
|
|
stride /= 3;
|
|
|
|
|
|
|
|
while (stride) {
|
|
|
|
max = gidsetsize - stride;
|
|
|
|
for (base = 0; base < max; base++) {
|
|
|
|
int left = base;
|
|
|
|
int right = left + stride;
|
|
|
|
gid_t tmp = GROUP_AT(group_info, right);
|
|
|
|
|
|
|
|
while (left >= 0 && GROUP_AT(group_info, left) > tmp) {
|
|
|
|
GROUP_AT(group_info, right) =
|
|
|
|
GROUP_AT(group_info, left);
|
|
|
|
right = left;
|
|
|
|
left -= stride;
|
|
|
|
}
|
|
|
|
GROUP_AT(group_info, right) = tmp;
|
|
|
|
}
|
|
|
|
stride /= 3;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* a simple bsearch */
|
[PATCH] Keys: Make request-key create an authorisation key
The attached patch makes the following changes:
(1) There's a new special key type called ".request_key_auth".
This is an authorisation key for when one process requests a key and
another process is started to construct it. This type of key cannot be
created by the user; nor can it be requested by kernel services.
Authorisation keys hold two references:
(a) Each refers to a key being constructed. When the key being
constructed is instantiated the authorisation key is revoked,
rendering it of no further use.
(b) The "authorising process". This is either:
(i) the process that called request_key(), or:
(ii) if the process that called request_key() itself had an
authorisation key in its session keyring, then the authorising
process referred to by that authorisation key will also be
referred to by the new authorisation key.
This means that the process that initiated a chain of key requests
will authorise the lot of them, and will, by default, wind up with
the keys obtained from them in its keyrings.
(2) request_key() creates an authorisation key which is then passed to
/sbin/request-key in as part of a new session keyring.
(3) When request_key() is searching for a key to hand back to the caller, if
it comes across an authorisation key in the session keyring of the
calling process, it will also search the keyrings of the process
specified therein and it will use the specified process's credentials
(fsuid, fsgid, groups) to do that rather than the calling process's
credentials.
This allows a process started by /sbin/request-key to find keys belonging
to the authorising process.
(4) A key can be read, even if the process executing KEYCTL_READ doesn't have
direct read or search permission if that key is contained within the
keyrings of a process specified by an authorisation key found within the
calling process's session keyring, and is searchable using the
credentials of the authorising process.
This allows a process started by /sbin/request-key to read keys belonging
to the authorising process.
(5) The magic KEY_SPEC_*_KEYRING key IDs when passed to KEYCTL_INSTANTIATE or
KEYCTL_NEGATE will specify a keyring of the authorising process, rather
than the process doing the instantiation.
(6) One of the process keyrings can be nominated as the default to which
request_key() should attach new keys if not otherwise specified. This is
done with KEYCTL_SET_REQKEY_KEYRING and one of the KEY_REQKEY_DEFL_*
constants. The current setting can also be read using this call.
(7) request_key() is partially interruptible. If it is waiting for another
process to finish constructing a key, it can be interrupted. This permits
a request-key cycle to be broken without recourse to rebooting.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-Off-By: Benoit Boissinot <benoit.boissinot@ens-lyon.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-06-23 22:00:56 -07:00
|
|
|
int groups_search(struct group_info *group_info, gid_t grp)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
2006-03-25 03:08:19 -08:00
|
|
|
unsigned int left, right;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (!group_info)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
left = 0;
|
|
|
|
right = group_info->ngroups;
|
|
|
|
while (left < right) {
|
2006-03-25 03:08:19 -08:00
|
|
|
unsigned int mid = (left+right)/2;
|
2005-04-16 15:20:36 -07:00
|
|
|
int cmp = grp - GROUP_AT(group_info, mid);
|
|
|
|
if (cmp > 0)
|
|
|
|
left = mid + 1;
|
|
|
|
else if (cmp < 0)
|
|
|
|
right = mid;
|
|
|
|
else
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* validate and set current->group_info */
|
|
|
|
int set_current_groups(struct group_info *group_info)
|
|
|
|
{
|
|
|
|
int retval;
|
|
|
|
struct group_info *old_info;
|
|
|
|
|
|
|
|
retval = security_task_setgroups(group_info);
|
|
|
|
if (retval)
|
|
|
|
return retval;
|
|
|
|
|
|
|
|
groups_sort(group_info);
|
|
|
|
get_group_info(group_info);
|
|
|
|
|
|
|
|
task_lock(current);
|
|
|
|
old_info = current->group_info;
|
|
|
|
current->group_info = group_info;
|
|
|
|
task_unlock(current);
|
|
|
|
|
|
|
|
put_group_info(old_info);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(set_current_groups);
|
|
|
|
|
|
|
|
asmlinkage long sys_getgroups(int gidsetsize, gid_t __user *grouplist)
|
|
|
|
{
|
|
|
|
int i = 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* SMP: Nobody else can change our grouplist. Thus we are
|
|
|
|
* safe.
|
|
|
|
*/
|
|
|
|
|
|
|
|
if (gidsetsize < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* no need to grab task_lock here; it cannot change */
|
|
|
|
i = current->group_info->ngroups;
|
|
|
|
if (gidsetsize) {
|
|
|
|
if (i > gidsetsize) {
|
|
|
|
i = -EINVAL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if (groups_to_user(grouplist, current->group_info)) {
|
|
|
|
i = -EFAULT;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
out:
|
|
|
|
return i;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* SMP: Our groups are copy-on-write. We can set them safely
|
|
|
|
* without another task interfering.
|
|
|
|
*/
|
|
|
|
|
|
|
|
asmlinkage long sys_setgroups(int gidsetsize, gid_t __user *grouplist)
|
|
|
|
{
|
|
|
|
struct group_info *group_info;
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
if (!capable(CAP_SETGID))
|
|
|
|
return -EPERM;
|
|
|
|
if ((unsigned)gidsetsize > NGROUPS_MAX)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
group_info = groups_alloc(gidsetsize);
|
|
|
|
if (!group_info)
|
|
|
|
return -ENOMEM;
|
|
|
|
retval = groups_from_user(group_info, grouplist);
|
|
|
|
if (retval) {
|
|
|
|
put_group_info(group_info);
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
retval = set_current_groups(group_info);
|
|
|
|
put_group_info(group_info);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check whether we're fsgid/egid or in the supplemental group..
|
|
|
|
*/
|
|
|
|
int in_group_p(gid_t grp)
|
|
|
|
{
|
|
|
|
int retval = 1;
|
2006-09-30 23:27:24 -07:00
|
|
|
if (grp != current->fsgid)
|
2005-04-16 15:20:36 -07:00
|
|
|
retval = groups_search(current->group_info, grp);
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(in_group_p);
|
|
|
|
|
|
|
|
int in_egroup_p(gid_t grp)
|
|
|
|
{
|
|
|
|
int retval = 1;
|
2006-09-30 23:27:24 -07:00
|
|
|
if (grp != current->egid)
|
2005-04-16 15:20:36 -07:00
|
|
|
retval = groups_search(current->group_info, grp);
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(in_egroup_p);
|
|
|
|
|
|
|
|
DECLARE_RWSEM(uts_sem);
|
|
|
|
|
|
|
|
asmlinkage long sys_newuname(struct new_utsname __user * name)
|
|
|
|
{
|
|
|
|
int errno = 0;
|
|
|
|
|
|
|
|
down_read(&uts_sem);
|
2006-10-02 02:18:11 -07:00
|
|
|
if (copy_to_user(name, utsname(), sizeof *name))
|
2005-04-16 15:20:36 -07:00
|
|
|
errno = -EFAULT;
|
|
|
|
up_read(&uts_sem);
|
|
|
|
return errno;
|
|
|
|
}
|
|
|
|
|
|
|
|
asmlinkage long sys_sethostname(char __user *name, int len)
|
|
|
|
{
|
|
|
|
int errno;
|
|
|
|
char tmp[__NEW_UTS_LEN];
|
|
|
|
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
|
|
return -EPERM;
|
|
|
|
if (len < 0 || len > __NEW_UTS_LEN)
|
|
|
|
return -EINVAL;
|
|
|
|
down_write(&uts_sem);
|
|
|
|
errno = -EFAULT;
|
|
|
|
if (!copy_from_user(tmp, name, len)) {
|
2008-10-15 22:01:51 -07:00
|
|
|
struct new_utsname *u = utsname();
|
|
|
|
|
|
|
|
memcpy(u->nodename, tmp, len);
|
|
|
|
memset(u->nodename + len, 0, sizeof(u->nodename) - len);
|
2005-04-16 15:20:36 -07:00
|
|
|
errno = 0;
|
|
|
|
}
|
|
|
|
up_write(&uts_sem);
|
|
|
|
return errno;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef __ARCH_WANT_SYS_GETHOSTNAME
|
|
|
|
|
|
|
|
asmlinkage long sys_gethostname(char __user *name, int len)
|
|
|
|
{
|
|
|
|
int i, errno;
|
2008-10-15 22:01:51 -07:00
|
|
|
struct new_utsname *u;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (len < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
down_read(&uts_sem);
|
2008-10-15 22:01:51 -07:00
|
|
|
u = utsname();
|
|
|
|
i = 1 + strlen(u->nodename);
|
2005-04-16 15:20:36 -07:00
|
|
|
if (i > len)
|
|
|
|
i = len;
|
|
|
|
errno = 0;
|
2008-10-15 22:01:51 -07:00
|
|
|
if (copy_to_user(name, u->nodename, i))
|
2005-04-16 15:20:36 -07:00
|
|
|
errno = -EFAULT;
|
|
|
|
up_read(&uts_sem);
|
|
|
|
return errno;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Only setdomainname; getdomainname can be implemented by calling
|
|
|
|
* uname()
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_setdomainname(char __user *name, int len)
|
|
|
|
{
|
|
|
|
int errno;
|
|
|
|
char tmp[__NEW_UTS_LEN];
|
|
|
|
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
|
|
return -EPERM;
|
|
|
|
if (len < 0 || len > __NEW_UTS_LEN)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
down_write(&uts_sem);
|
|
|
|
errno = -EFAULT;
|
|
|
|
if (!copy_from_user(tmp, name, len)) {
|
2008-10-15 22:01:51 -07:00
|
|
|
struct new_utsname *u = utsname();
|
|
|
|
|
|
|
|
memcpy(u->domainname, tmp, len);
|
|
|
|
memset(u->domainname + len, 0, sizeof(u->domainname) - len);
|
2005-04-16 15:20:36 -07:00
|
|
|
errno = 0;
|
|
|
|
}
|
|
|
|
up_write(&uts_sem);
|
|
|
|
return errno;
|
|
|
|
}
|
|
|
|
|
|
|
|
asmlinkage long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim)
|
|
|
|
{
|
|
|
|
if (resource >= RLIM_NLIMITS)
|
|
|
|
return -EINVAL;
|
|
|
|
else {
|
|
|
|
struct rlimit value;
|
|
|
|
task_lock(current->group_leader);
|
|
|
|
value = current->signal->rlim[resource];
|
|
|
|
task_unlock(current->group_leader);
|
|
|
|
return copy_to_user(rlim, &value, sizeof(*rlim)) ? -EFAULT : 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef __ARCH_WANT_SYS_OLD_GETRLIMIT
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Back compatibility for getrlimit. Needed for some apps.
|
|
|
|
*/
|
|
|
|
|
|
|
|
asmlinkage long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim)
|
|
|
|
{
|
|
|
|
struct rlimit x;
|
|
|
|
if (resource >= RLIM_NLIMITS)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
task_lock(current->group_leader);
|
|
|
|
x = current->signal->rlim[resource];
|
|
|
|
task_unlock(current->group_leader);
|
2006-09-30 23:27:24 -07:00
|
|
|
if (x.rlim_cur > 0x7FFFFFFF)
|
2005-04-16 15:20:36 -07:00
|
|
|
x.rlim_cur = 0x7FFFFFFF;
|
2006-09-30 23:27:24 -07:00
|
|
|
if (x.rlim_max > 0x7FFFFFFF)
|
2005-04-16 15:20:36 -07:00
|
|
|
x.rlim_max = 0x7FFFFFFF;
|
|
|
|
return copy_to_user(rlim, &x, sizeof(x))?-EFAULT:0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
asmlinkage long sys_setrlimit(unsigned int resource, struct rlimit __user *rlim)
|
|
|
|
{
|
|
|
|
struct rlimit new_rlim, *old_rlim;
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
if (resource >= RLIM_NLIMITS)
|
|
|
|
return -EINVAL;
|
2006-03-24 03:18:34 -08:00
|
|
|
if (copy_from_user(&new_rlim, rlim, sizeof(*rlim)))
|
2005-04-16 15:20:36 -07:00
|
|
|
return -EFAULT;
|
|
|
|
old_rlim = current->signal->rlim + resource;
|
|
|
|
if ((new_rlim.rlim_max > old_rlim->rlim_max) &&
|
|
|
|
!capable(CAP_SYS_RESOURCE))
|
|
|
|
return -EPERM;
|
2008-10-15 22:01:45 -07:00
|
|
|
|
|
|
|
if (resource == RLIMIT_NOFILE) {
|
|
|
|
if (new_rlim.rlim_max == RLIM_INFINITY)
|
|
|
|
new_rlim.rlim_max = sysctl_nr_open;
|
|
|
|
if (new_rlim.rlim_cur == RLIM_INFINITY)
|
|
|
|
new_rlim.rlim_cur = sysctl_nr_open;
|
|
|
|
if (new_rlim.rlim_max > sysctl_nr_open)
|
|
|
|
return -EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (new_rlim.rlim_cur > new_rlim.rlim_max)
|
|
|
|
return -EINVAL;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
retval = security_task_setrlimit(resource, &new_rlim);
|
|
|
|
if (retval)
|
|
|
|
return retval;
|
|
|
|
|
CPU time limit patch / setrlimit(RLIMIT_CPU, 0) cheat fix
As discovered here today, the change in Kernel 2.6.17 intended to inhibit
users from setting RLIMIT_CPU to 0 (as that is equivalent to unlimited) by
"cheating" and setting it to 1 in such a case, does not make a difference,
as the check is done in the wrong place (too late), and only applies to the
profiling code.
On all systems I checked running kernels above 2.6.17, no matter what the
hard and soft CPU time limits were before, a user could escape them by
issuing in the shell (sh/bash/zsh) "ulimit -t 0", and then the user's
process was not ever killed.
Attached is a trivial patch to fix that. Simply moving the check to a
slightly earlier location (specifically, before the line that actually
assigns the limit - *old_rlim = new_rlim), does the trick.
Do note that at least the zsh (but not ash, dash, or bash) shell has the
problem of "caching" the limits set by the ulimit command, so when running
zsh the fix will not immediately be evident - after entering "ulimit -t 0",
"ulimit -a" will show "-t: cpu time (seconds) 0", even though the actual
limit as returned by getrlimit(...) will be 1. It can be verified by
opening a subshell (which will not have the values of the parent shell in
cache) and checking in it, or just by running a CPU intensive command like
"echo '65536^1048576' | bc" and verifying that it dumps core after one
second.
Regardless of whether that is a misfeature in the shell, perhaps it would
be better to return -EINVAL from setrlimit in such a case instead of
cheating and setting to 1, as that does not really reflect the actual state
of the process anymore. I do not however know what the ground for that
decision was in the original 2.6.17 change, and whether there would be any
"backward" compatibility issues, so I preferred not to touch that right
now.
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-05-08 00:30:31 -07:00
|
|
|
if (resource == RLIMIT_CPU && new_rlim.rlim_cur == 0) {
|
|
|
|
/*
|
|
|
|
* The caller is asking for an immediate RLIMIT_CPU
|
|
|
|
* expiry. But we use the zero value to mean "it was
|
|
|
|
* never set". So let's cheat and make it one second
|
|
|
|
* instead
|
|
|
|
*/
|
|
|
|
new_rlim.rlim_cur = 1;
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
task_lock(current->group_leader);
|
|
|
|
*old_rlim = new_rlim;
|
|
|
|
task_unlock(current->group_leader);
|
|
|
|
|
2006-03-24 03:18:34 -08:00
|
|
|
if (resource != RLIMIT_CPU)
|
|
|
|
goto out;
|
2006-03-24 03:18:36 -08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* RLIMIT_CPU handling. Note that the kernel fails to return an error
|
|
|
|
* code if it rejected the user's attempt to set RLIMIT_CPU. This is a
|
|
|
|
* very long-standing error, and fixing it now risks breakage of
|
|
|
|
* applications, so we live with it
|
|
|
|
*/
|
2006-03-24 03:18:34 -08:00
|
|
|
if (new_rlim.rlim_cur == RLIM_INFINITY)
|
|
|
|
goto out;
|
|
|
|
|
timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads. It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine. (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.) To do this, at each tick we now update fields in
signal_struct as well as task_struct. The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
cputime_t utime;
cputime_t stime;
unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels. For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
struct task_cputime totals;
};
struct thread_group_cputime {
struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers). The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends. In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention). For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu(). The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel. The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields. The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures. The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated. The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU. Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away. All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline. When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations. It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below). Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
all of which was spent in the system. There were twice as many
voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
an unmodified kernel can handle), the fixed kernel ran the test in
eight percent of the time (5.8 seconds as opposed to 70 seconds) and
had better tick accuracy (.012 seconds per tick as opposed to .023
seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
interval of 10,000 seconds (i.e. a timer that ticks only once) had
very nearly the same performance in both cases: 6.3 seconds elapsed
for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
running), the modified kernel was very slightly favored in that while
it killed the process in 19.997 seconds of CPU time (5.002 seconds of
wall time), only .003 seconds of that was system time, the rest was
user time. The unmodified kernel killed the process in 20.001 seconds
of CPU (5.014 seconds of wall time) of which .016 seconds was system
time. Really, though, the results were too close to call. The results
were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
(where the hard limit would never be reached) and an itimer running,
the modified kernel exhibited worse tick accuracy than the unmodified
kernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,
performance was almost indistinguishable. With no itimer running this
test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing. those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds. Performance with eight, four and one
thread were comparable. Interestingly, the timer ticks with the fix seemed
more accurate: The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick. Both cases were configured for an interval of
0.01 seconds. Again, the other tests were comparable. Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix. In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable). System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite
accurate. There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-09-12 09:54:39 -07:00
|
|
|
update_rlimit_cpu(new_rlim.rlim_cur);
|
2006-03-24 03:18:34 -08:00
|
|
|
out:
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* It would make sense to put struct rusage in the task_struct,
|
|
|
|
* except that would make the task_struct be *really big*. After
|
|
|
|
* task_struct gets moved into malloc'ed memory, it would
|
|
|
|
* make sense to do this. It will make moving the rest of the information
|
|
|
|
* a lot simpler! (Which we're not doing right now because we're not
|
|
|
|
* measuring them yet).
|
|
|
|
*
|
|
|
|
* When sampling multiple threads for RUSAGE_SELF, under SMP we might have
|
|
|
|
* races with threads incrementing their own counters. But since word
|
|
|
|
* reads are atomic, we either get new values or old values and we don't
|
|
|
|
* care which for the sums. We always take the siglock to protect reading
|
|
|
|
* the c* fields from p->signal from races with exit.c updating those
|
|
|
|
* fields when reaping, so a sample either gets all the additions of a
|
|
|
|
* given child after it's reaped, or none so this sample is before reaping.
|
2006-03-23 03:00:13 -08:00
|
|
|
*
|
2006-06-22 14:47:26 -07:00
|
|
|
* Locking:
|
|
|
|
* We need to take the siglock for CHILDEREN, SELF and BOTH
|
|
|
|
* for the cases current multithreaded, non-current single threaded
|
|
|
|
* non-current multithreaded. Thread traversal is now safe with
|
|
|
|
* the siglock held.
|
|
|
|
* Strictly speaking, we donot need to take the siglock if we are current and
|
|
|
|
* single threaded, as no one else can take our signal_struct away, no one
|
|
|
|
* else can reap the children to update signal->c* counters, and no one else
|
|
|
|
* can race with the signal-> fields. If we do not take any lock, the
|
|
|
|
* signal-> fields could be read out of order while another thread was just
|
|
|
|
* exiting. So we should place a read memory barrier when we avoid the lock.
|
|
|
|
* On the writer side, write memory barrier is implied in __exit_signal
|
|
|
|
* as __exit_signal releases the siglock spinlock after updating the signal->
|
|
|
|
* fields. But we don't do this yet to keep things simple.
|
2006-03-23 03:00:13 -08:00
|
|
|
*
|
2005-04-16 15:20:36 -07:00
|
|
|
*/
|
|
|
|
|
timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads. It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine. (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.) To do this, at each tick we now update fields in
signal_struct as well as task_struct. The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
cputime_t utime;
cputime_t stime;
unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels. For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
struct task_cputime totals;
};
struct thread_group_cputime {
struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers). The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends. In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention). For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu(). The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel. The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields. The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures. The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated. The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU. Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away. All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline. When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations. It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below). Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
all of which was spent in the system. There were twice as many
voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
an unmodified kernel can handle), the fixed kernel ran the test in
eight percent of the time (5.8 seconds as opposed to 70 seconds) and
had better tick accuracy (.012 seconds per tick as opposed to .023
seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
interval of 10,000 seconds (i.e. a timer that ticks only once) had
very nearly the same performance in both cases: 6.3 seconds elapsed
for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
running), the modified kernel was very slightly favored in that while
it killed the process in 19.997 seconds of CPU time (5.002 seconds of
wall time), only .003 seconds of that was system time, the rest was
user time. The unmodified kernel killed the process in 20.001 seconds
of CPU (5.014 seconds of wall time) of which .016 seconds was system
time. Really, though, the results were too close to call. The results
were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
(where the hard limit would never be reached) and an itimer running,
the modified kernel exhibited worse tick accuracy than the unmodified
kernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,
performance was almost indistinguishable. With no itimer running this
test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing. those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds. Performance with eight, four and one
thread were comparable. Interestingly, the timer ticks with the fix seemed
more accurate: The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick. Both cases were configured for an interval of
0.01 seconds. Again, the other tests were comparable. Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix. In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable). System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite
accurate. There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-09-12 09:54:39 -07:00
|
|
|
static void accumulate_thread_rusage(struct task_struct *t, struct rusage *r)
|
2008-04-29 00:58:42 -07:00
|
|
|
{
|
|
|
|
r->ru_nvcsw += t->nvcsw;
|
|
|
|
r->ru_nivcsw += t->nivcsw;
|
|
|
|
r->ru_minflt += t->min_flt;
|
|
|
|
r->ru_majflt += t->maj_flt;
|
|
|
|
r->ru_inblock += task_io_get_inblock(t);
|
|
|
|
r->ru_oublock += task_io_get_oublock(t);
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
static void k_getrusage(struct task_struct *p, int who, struct rusage *r)
|
|
|
|
{
|
|
|
|
struct task_struct *t;
|
|
|
|
unsigned long flags;
|
|
|
|
cputime_t utime, stime;
|
timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads. It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine. (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.) To do this, at each tick we now update fields in
signal_struct as well as task_struct. The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
cputime_t utime;
cputime_t stime;
unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels. For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
struct task_cputime totals;
};
struct thread_group_cputime {
struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers). The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends. In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention). For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu(). The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel. The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields. The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures. The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated. The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU. Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away. All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline. When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations. It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below). Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
all of which was spent in the system. There were twice as many
voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
an unmodified kernel can handle), the fixed kernel ran the test in
eight percent of the time (5.8 seconds as opposed to 70 seconds) and
had better tick accuracy (.012 seconds per tick as opposed to .023
seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
interval of 10,000 seconds (i.e. a timer that ticks only once) had
very nearly the same performance in both cases: 6.3 seconds elapsed
for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
running), the modified kernel was very slightly favored in that while
it killed the process in 19.997 seconds of CPU time (5.002 seconds of
wall time), only .003 seconds of that was system time, the rest was
user time. The unmodified kernel killed the process in 20.001 seconds
of CPU (5.014 seconds of wall time) of which .016 seconds was system
time. Really, though, the results were too close to call. The results
were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
(where the hard limit would never be reached) and an itimer running,
the modified kernel exhibited worse tick accuracy than the unmodified
kernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,
performance was almost indistinguishable. With no itimer running this
test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing. those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds. Performance with eight, four and one
thread were comparable. Interestingly, the timer ticks with the fix seemed
more accurate: The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick. Both cases were configured for an interval of
0.01 seconds. Again, the other tests were comparable. Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix. In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable). System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite
accurate. There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-09-12 09:54:39 -07:00
|
|
|
struct task_cputime cputime;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
memset((char *) r, 0, sizeof *r);
|
2006-03-23 03:00:13 -08:00
|
|
|
utime = stime = cputime_zero;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2008-04-29 00:58:42 -07:00
|
|
|
if (who == RUSAGE_THREAD) {
|
timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads. It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine. (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.) To do this, at each tick we now update fields in
signal_struct as well as task_struct. The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
cputime_t utime;
cputime_t stime;
unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels. For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
struct task_cputime totals;
};
struct thread_group_cputime {
struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers). The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends. In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention). For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu(). The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel. The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields. The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures. The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated. The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU. Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away. All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline. When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations. It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below). Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
all of which was spent in the system. There were twice as many
voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
an unmodified kernel can handle), the fixed kernel ran the test in
eight percent of the time (5.8 seconds as opposed to 70 seconds) and
had better tick accuracy (.012 seconds per tick as opposed to .023
seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
interval of 10,000 seconds (i.e. a timer that ticks only once) had
very nearly the same performance in both cases: 6.3 seconds elapsed
for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
running), the modified kernel was very slightly favored in that while
it killed the process in 19.997 seconds of CPU time (5.002 seconds of
wall time), only .003 seconds of that was system time, the rest was
user time. The unmodified kernel killed the process in 20.001 seconds
of CPU (5.014 seconds of wall time) of which .016 seconds was system
time. Really, though, the results were too close to call. The results
were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
(where the hard limit would never be reached) and an itimer running,
the modified kernel exhibited worse tick accuracy than the unmodified
kernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,
performance was almost indistinguishable. With no itimer running this
test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing. those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds. Performance with eight, four and one
thread were comparable. Interestingly, the timer ticks with the fix seemed
more accurate: The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick. Both cases were configured for an interval of
0.01 seconds. Again, the other tests were comparable. Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix. In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable). System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite
accurate. There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-09-12 09:54:39 -07:00
|
|
|
accumulate_thread_rusage(p, r);
|
2008-04-29 00:58:42 -07:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2008-04-30 00:52:38 -07:00
|
|
|
if (!lock_task_sighand(p, &flags))
|
2006-06-22 14:47:26 -07:00
|
|
|
return;
|
2006-01-08 01:05:15 -08:00
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
switch (who) {
|
2006-01-08 01:05:15 -08:00
|
|
|
case RUSAGE_BOTH:
|
2005-04-16 15:20:36 -07:00
|
|
|
case RUSAGE_CHILDREN:
|
|
|
|
utime = p->signal->cutime;
|
|
|
|
stime = p->signal->cstime;
|
|
|
|
r->ru_nvcsw = p->signal->cnvcsw;
|
|
|
|
r->ru_nivcsw = p->signal->cnivcsw;
|
|
|
|
r->ru_minflt = p->signal->cmin_flt;
|
|
|
|
r->ru_majflt = p->signal->cmaj_flt;
|
2007-05-10 22:22:37 -07:00
|
|
|
r->ru_inblock = p->signal->cinblock;
|
|
|
|
r->ru_oublock = p->signal->coublock;
|
2006-01-08 01:05:15 -08:00
|
|
|
|
|
|
|
if (who == RUSAGE_CHILDREN)
|
|
|
|
break;
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
case RUSAGE_SELF:
|
timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads. It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine. (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.) To do this, at each tick we now update fields in
signal_struct as well as task_struct. The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
cputime_t utime;
cputime_t stime;
unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels. For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
struct task_cputime totals;
};
struct thread_group_cputime {
struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers). The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends. In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention). For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu(). The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel. The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields. The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures. The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated. The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU. Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away. All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline. When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations. It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below). Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
all of which was spent in the system. There were twice as many
voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
an unmodified kernel can handle), the fixed kernel ran the test in
eight percent of the time (5.8 seconds as opposed to 70 seconds) and
had better tick accuracy (.012 seconds per tick as opposed to .023
seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
interval of 10,000 seconds (i.e. a timer that ticks only once) had
very nearly the same performance in both cases: 6.3 seconds elapsed
for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
running), the modified kernel was very slightly favored in that while
it killed the process in 19.997 seconds of CPU time (5.002 seconds of
wall time), only .003 seconds of that was system time, the rest was
user time. The unmodified kernel killed the process in 20.001 seconds
of CPU (5.014 seconds of wall time) of which .016 seconds was system
time. Really, though, the results were too close to call. The results
were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
(where the hard limit would never be reached) and an itimer running,
the modified kernel exhibited worse tick accuracy than the unmodified
kernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,
performance was almost indistinguishable. With no itimer running this
test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing. those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds. Performance with eight, four and one
thread were comparable. Interestingly, the timer ticks with the fix seemed
more accurate: The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick. Both cases were configured for an interval of
0.01 seconds. Again, the other tests were comparable. Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix. In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable). System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite
accurate. There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-09-12 09:54:39 -07:00
|
|
|
thread_group_cputime(p, &cputime);
|
|
|
|
utime = cputime_add(utime, cputime.utime);
|
|
|
|
stime = cputime_add(stime, cputime.stime);
|
2005-04-16 15:20:36 -07:00
|
|
|
r->ru_nvcsw += p->signal->nvcsw;
|
|
|
|
r->ru_nivcsw += p->signal->nivcsw;
|
|
|
|
r->ru_minflt += p->signal->min_flt;
|
|
|
|
r->ru_majflt += p->signal->maj_flt;
|
2007-05-10 22:22:37 -07:00
|
|
|
r->ru_inblock += p->signal->inblock;
|
|
|
|
r->ru_oublock += p->signal->oublock;
|
2005-04-16 15:20:36 -07:00
|
|
|
t = p;
|
|
|
|
do {
|
timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads. It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine. (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.) To do this, at each tick we now update fields in
signal_struct as well as task_struct. The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
cputime_t utime;
cputime_t stime;
unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels. For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
struct task_cputime totals;
};
struct thread_group_cputime {
struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers). The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends. In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention). For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu(). The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel. The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields. The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures. The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated. The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU. Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away. All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline. When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations. It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below). Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
all of which was spent in the system. There were twice as many
voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
an unmodified kernel can handle), the fixed kernel ran the test in
eight percent of the time (5.8 seconds as opposed to 70 seconds) and
had better tick accuracy (.012 seconds per tick as opposed to .023
seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
interval of 10,000 seconds (i.e. a timer that ticks only once) had
very nearly the same performance in both cases: 6.3 seconds elapsed
for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
running), the modified kernel was very slightly favored in that while
it killed the process in 19.997 seconds of CPU time (5.002 seconds of
wall time), only .003 seconds of that was system time, the rest was
user time. The unmodified kernel killed the process in 20.001 seconds
of CPU (5.014 seconds of wall time) of which .016 seconds was system
time. Really, though, the results were too close to call. The results
were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
(where the hard limit would never be reached) and an itimer running,
the modified kernel exhibited worse tick accuracy than the unmodified
kernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,
performance was almost indistinguishable. With no itimer running this
test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing. those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds. Performance with eight, four and one
thread were comparable. Interestingly, the timer ticks with the fix seemed
more accurate: The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick. Both cases were configured for an interval of
0.01 seconds. Again, the other tests were comparable. Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix. In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable). System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite
accurate. There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-09-12 09:54:39 -07:00
|
|
|
accumulate_thread_rusage(t, r);
|
2005-04-16 15:20:36 -07:00
|
|
|
t = next_thread(t);
|
|
|
|
} while (t != p);
|
|
|
|
break;
|
2006-01-08 01:05:15 -08:00
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
default:
|
|
|
|
BUG();
|
|
|
|
}
|
2006-06-22 14:47:26 -07:00
|
|
|
unlock_task_sighand(p, &flags);
|
|
|
|
|
2008-04-29 00:58:42 -07:00
|
|
|
out:
|
2006-01-08 01:05:15 -08:00
|
|
|
cputime_to_timeval(utime, &r->ru_utime);
|
|
|
|
cputime_to_timeval(stime, &r->ru_stime);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
int getrusage(struct task_struct *p, int who, struct rusage __user *ru)
|
|
|
|
{
|
|
|
|
struct rusage r;
|
|
|
|
k_getrusage(p, who, &r);
|
|
|
|
return copy_to_user(ru, &r, sizeof(r)) ? -EFAULT : 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
asmlinkage long sys_getrusage(int who, struct rusage __user *ru)
|
|
|
|
{
|
2008-04-29 00:58:42 -07:00
|
|
|
if (who != RUSAGE_SELF && who != RUSAGE_CHILDREN &&
|
|
|
|
who != RUSAGE_THREAD)
|
2005-04-16 15:20:36 -07:00
|
|
|
return -EINVAL;
|
|
|
|
return getrusage(current, who, ru);
|
|
|
|
}
|
|
|
|
|
|
|
|
asmlinkage long sys_umask(int mask)
|
|
|
|
{
|
|
|
|
mask = xchg(¤t->fs->umask, mask & S_IRWXUGO);
|
|
|
|
return mask;
|
|
|
|
}
|
capabilities: introduce per-process capability bounding set
The capability bounding set is a set beyond which capabilities cannot grow.
Currently cap_bset is per-system. It can be manipulated through sysctl,
but only init can add capabilities. Root can remove capabilities. By
default it includes all caps except CAP_SETPCAP.
This patch makes the bounding set per-process when file capabilities are
enabled. It is inherited at fork from parent. Noone can add elements,
CAP_SETPCAP is required to remove them.
One example use of this is to start a safer container. For instance, until
device namespaces or per-container device whitelists are introduced, it is
best to take CAP_MKNOD away from a container.
The bounding set will not affect pP and pE immediately. It will only
affect pP' and pE' after subsequent exec()s. It also does not affect pI,
and exec() does not constrain pI'. So to really start a shell with no way
of regain CAP_MKNOD, you would do
prctl(PR_CAPBSET_DROP, CAP_MKNOD);
cap_t cap = cap_get_proc();
cap_value_t caparray[1];
caparray[0] = CAP_MKNOD;
cap_set_flag(cap, CAP_INHERITABLE, 1, caparray, CAP_DROP);
cap_set_proc(cap);
cap_free(cap);
The following test program will get and set the bounding
set (but not pI). For instance
./bset get
(lists capabilities in bset)
./bset drop cap_net_raw
(starts shell with new bset)
(use capset, setuid binary, or binary with
file capabilities to try to increase caps)
************************************************************
cap_bound.c
************************************************************
#include <sys/prctl.h>
#include <linux/capability.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifndef PR_CAPBSET_READ
#define PR_CAPBSET_READ 23
#endif
#ifndef PR_CAPBSET_DROP
#define PR_CAPBSET_DROP 24
#endif
int usage(char *me)
{
printf("Usage: %s get\n", me);
printf(" %s drop <capability>\n", me);
return 1;
}
#define numcaps 32
char *captable[numcaps] = {
"cap_chown",
"cap_dac_override",
"cap_dac_read_search",
"cap_fowner",
"cap_fsetid",
"cap_kill",
"cap_setgid",
"cap_setuid",
"cap_setpcap",
"cap_linux_immutable",
"cap_net_bind_service",
"cap_net_broadcast",
"cap_net_admin",
"cap_net_raw",
"cap_ipc_lock",
"cap_ipc_owner",
"cap_sys_module",
"cap_sys_rawio",
"cap_sys_chroot",
"cap_sys_ptrace",
"cap_sys_pacct",
"cap_sys_admin",
"cap_sys_boot",
"cap_sys_nice",
"cap_sys_resource",
"cap_sys_time",
"cap_sys_tty_config",
"cap_mknod",
"cap_lease",
"cap_audit_write",
"cap_audit_control",
"cap_setfcap"
};
int getbcap(void)
{
int comma=0;
unsigned long i;
int ret;
printf("i know of %d capabilities\n", numcaps);
printf("capability bounding set:");
for (i=0; i<numcaps; i++) {
ret = prctl(PR_CAPBSET_READ, i);
if (ret < 0)
perror("prctl");
else if (ret==1)
printf("%s%s", (comma++) ? ", " : " ", captable[i]);
}
printf("\n");
return 0;
}
int capdrop(char *str)
{
unsigned long i;
int found=0;
for (i=0; i<numcaps; i++) {
if (strcmp(captable[i], str) == 0) {
found=1;
break;
}
}
if (!found)
return 1;
if (prctl(PR_CAPBSET_DROP, i)) {
perror("prctl");
return 1;
}
return 0;
}
int main(int argc, char *argv[])
{
if (argc<2)
return usage(argv[0]);
if (strcmp(argv[1], "get")==0)
return getbcap();
if (strcmp(argv[1], "drop")!=0 || argc<3)
return usage(argv[0]);
if (capdrop(argv[2])) {
printf("unknown capability\n");
return 1;
}
return execl("/bin/bash", "/bin/bash", NULL);
}
************************************************************
[serue@us.ibm.com: fix typo]
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>a
Signed-off-by: "Serge E. Hallyn" <serue@us.ibm.com>
Tested-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-02-04 22:29:45 -08:00
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
|
|
|
|
unsigned long arg4, unsigned long arg5)
|
|
|
|
{
|
2008-05-23 13:04:59 -07:00
|
|
|
long error = 0;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
capabilities: implement per-process securebits
Filesystem capability support makes it possible to do away with (set)uid-0
based privilege and use capabilities instead. That is, with filesystem
support for capabilities but without this present patch, it is (conceptually)
possible to manage a system with capabilities alone and never need to obtain
privilege via (set)uid-0.
Of course, conceptually isn't quite the same as currently possible since few
user applications, certainly not enough to run a viable system, are currently
prepared to leverage capabilities to exercise privilege. Further, many
applications exist that may never get upgraded in this way, and the kernel
will continue to want to support their setuid-0 base privilege needs.
Where pure-capability applications evolve and replace setuid-0 binaries, it is
desirable that there be a mechanisms by which they can contain their
privilege. In addition to leveraging the per-process bounding and inheritable
sets, this should include suppressing the privilege of the uid-0 superuser
from the process' tree of children.
The feature added by this patch can be leveraged to suppress the privilege
associated with (set)uid-0. This suppression requires CAP_SETPCAP to
initiate, and only immediately affects the 'current' process (it is inherited
through fork()/exec()). This reimplementation differs significantly from the
historical support for securebits which was system-wide, unwieldy and which
has ultimately withered to a dead relic in the source of the modern kernel.
With this patch applied a process, that is capable(CAP_SETPCAP), can now drop
all legacy privilege (through uid=0) for itself and all subsequently
fork()'d/exec()'d children with:
prctl(PR_SET_SECUREBITS, 0x2f);
This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is
enabled at configure time.
[akpm@linux-foundation.org: fix uninitialised var warning]
[serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY]
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Reviewed-by: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Paul Moore <paul.moore@hp.com>
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-28 02:13:40 -07:00
|
|
|
if (security_task_prctl(option, arg2, arg3, arg4, arg5, &error))
|
2005-04-16 15:20:36 -07:00
|
|
|
return error;
|
|
|
|
|
|
|
|
switch (option) {
|
|
|
|
case PR_SET_PDEATHSIG:
|
2005-09-06 15:17:37 -07:00
|
|
|
if (!valid_signal(arg2)) {
|
2005-04-16 15:20:36 -07:00
|
|
|
error = -EINVAL;
|
|
|
|
break;
|
|
|
|
}
|
2005-09-06 15:17:37 -07:00
|
|
|
current->pdeath_signal = arg2;
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
|
|
|
case PR_GET_PDEATHSIG:
|
|
|
|
error = put_user(current->pdeath_signal, (int __user *)arg2);
|
|
|
|
break;
|
|
|
|
case PR_GET_DUMPABLE:
|
2007-07-19 01:48:27 -07:00
|
|
|
error = get_dumpable(current->mm);
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
|
|
|
case PR_SET_DUMPABLE:
|
2006-07-12 13:12:00 +02:00
|
|
|
if (arg2 < 0 || arg2 > 1) {
|
2005-04-16 15:20:36 -07:00
|
|
|
error = -EINVAL;
|
|
|
|
break;
|
|
|
|
}
|
2007-07-19 01:48:27 -07:00
|
|
|
set_dumpable(current->mm, arg2);
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PR_SET_UNALIGN:
|
|
|
|
error = SET_UNALIGN_CTL(current, arg2);
|
|
|
|
break;
|
|
|
|
case PR_GET_UNALIGN:
|
|
|
|
error = GET_UNALIGN_CTL(current, arg2);
|
|
|
|
break;
|
|
|
|
case PR_SET_FPEMU:
|
|
|
|
error = SET_FPEMU_CTL(current, arg2);
|
|
|
|
break;
|
|
|
|
case PR_GET_FPEMU:
|
|
|
|
error = GET_FPEMU_CTL(current, arg2);
|
|
|
|
break;
|
|
|
|
case PR_SET_FPEXC:
|
|
|
|
error = SET_FPEXC_CTL(current, arg2);
|
|
|
|
break;
|
|
|
|
case PR_GET_FPEXC:
|
|
|
|
error = GET_FPEXC_CTL(current, arg2);
|
|
|
|
break;
|
|
|
|
case PR_GET_TIMING:
|
|
|
|
error = PR_TIMING_STATISTICAL;
|
|
|
|
break;
|
|
|
|
case PR_SET_TIMING:
|
2008-05-23 13:04:59 -07:00
|
|
|
if (arg2 != PR_TIMING_STATISTICAL)
|
2005-04-16 15:20:36 -07:00
|
|
|
error = -EINVAL;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PR_SET_NAME: {
|
|
|
|
struct task_struct *me = current;
|
|
|
|
unsigned char ncomm[sizeof(me->comm)];
|
|
|
|
|
|
|
|
ncomm[sizeof(me->comm)-1] = 0;
|
|
|
|
if (strncpy_from_user(ncomm, (char __user *)arg2,
|
|
|
|
sizeof(me->comm)-1) < 0)
|
|
|
|
return -EFAULT;
|
|
|
|
set_task_comm(me, ncomm);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
case PR_GET_NAME: {
|
|
|
|
struct task_struct *me = current;
|
|
|
|
unsigned char tcomm[sizeof(me->comm)];
|
|
|
|
|
|
|
|
get_task_comm(tcomm, me);
|
|
|
|
if (copy_to_user((char __user *)arg2, tcomm, sizeof(tcomm)))
|
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
}
|
2006-06-07 16:10:19 +10:00
|
|
|
case PR_GET_ENDIAN:
|
|
|
|
error = GET_ENDIAN(current, arg2);
|
|
|
|
break;
|
|
|
|
case PR_SET_ENDIAN:
|
|
|
|
error = SET_ENDIAN(current, arg2);
|
|
|
|
break;
|
|
|
|
|
2007-07-15 23:41:32 -07:00
|
|
|
case PR_GET_SECCOMP:
|
|
|
|
error = prctl_get_seccomp();
|
|
|
|
break;
|
|
|
|
case PR_SET_SECCOMP:
|
|
|
|
error = prctl_set_seccomp(arg2);
|
|
|
|
break;
|
2008-04-11 18:54:17 +02:00
|
|
|
case PR_GET_TSC:
|
|
|
|
error = GET_TSC_CTL(arg2);
|
|
|
|
break;
|
|
|
|
case PR_SET_TSC:
|
|
|
|
error = SET_TSC_CTL(arg2);
|
|
|
|
break;
|
2008-09-01 15:52:40 -07:00
|
|
|
case PR_GET_TIMERSLACK:
|
|
|
|
error = current->timer_slack_ns;
|
|
|
|
break;
|
|
|
|
case PR_SET_TIMERSLACK:
|
|
|
|
if (arg2 <= 0)
|
|
|
|
current->timer_slack_ns =
|
|
|
|
current->default_timer_slack_ns;
|
|
|
|
else
|
|
|
|
current->timer_slack_ns = arg2;
|
|
|
|
break;
|
2005-04-16 15:20:36 -07:00
|
|
|
default:
|
|
|
|
error = -EINVAL;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return error;
|
|
|
|
}
|
2006-09-26 10:52:28 +02:00
|
|
|
|
|
|
|
asmlinkage long sys_getcpu(unsigned __user *cpup, unsigned __user *nodep,
|
2007-11-07 18:37:48 +01:00
|
|
|
struct getcpu_cache __user *unused)
|
2006-09-26 10:52:28 +02:00
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
int cpu = raw_smp_processor_id();
|
|
|
|
if (cpup)
|
|
|
|
err |= put_user(cpu, cpup);
|
|
|
|
if (nodep)
|
|
|
|
err |= put_user(cpu_to_node(cpu), nodep);
|
|
|
|
return err ? -EFAULT : 0;
|
|
|
|
}
|
2007-07-17 18:37:02 -07:00
|
|
|
|
|
|
|
char poweroff_cmd[POWEROFF_CMD_PATH_LEN] = "/sbin/poweroff";
|
|
|
|
|
|
|
|
static void argv_cleanup(char **argv, char **envp)
|
|
|
|
{
|
|
|
|
argv_free(argv);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* orderly_poweroff - Trigger an orderly system poweroff
|
|
|
|
* @force: force poweroff if command execution fails
|
|
|
|
*
|
|
|
|
* This may be called from any context to trigger a system shutdown.
|
|
|
|
* If the orderly shutdown fails, it will force an immediate shutdown.
|
|
|
|
*/
|
|
|
|
int orderly_poweroff(bool force)
|
|
|
|
{
|
|
|
|
int argc;
|
|
|
|
char **argv = argv_split(GFP_ATOMIC, poweroff_cmd, &argc);
|
|
|
|
static char *envp[] = {
|
|
|
|
"HOME=/",
|
|
|
|
"PATH=/sbin:/bin:/usr/sbin:/usr/bin",
|
|
|
|
NULL
|
|
|
|
};
|
|
|
|
int ret = -ENOMEM;
|
|
|
|
struct subprocess_info *info;
|
|
|
|
|
|
|
|
if (argv == NULL) {
|
|
|
|
printk(KERN_WARNING "%s failed to allocate memory for \"%s\"\n",
|
|
|
|
__func__, poweroff_cmd);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2008-07-25 01:45:38 -07:00
|
|
|
info = call_usermodehelper_setup(argv[0], argv, envp, GFP_ATOMIC);
|
2007-07-17 18:37:02 -07:00
|
|
|
if (info == NULL) {
|
|
|
|
argv_free(argv);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
call_usermodehelper_setcleanup(info, argv_cleanup);
|
|
|
|
|
2007-07-17 18:37:03 -07:00
|
|
|
ret = call_usermodehelper_exec(info, UMH_NO_WAIT);
|
2007-07-17 18:37:02 -07:00
|
|
|
|
|
|
|
out:
|
|
|
|
if (ret && force) {
|
|
|
|
printk(KERN_WARNING "Failed to start orderly shutdown: "
|
|
|
|
"forcing the issue\n");
|
|
|
|
|
|
|
|
/* I guess this should try to kick off some daemon to
|
|
|
|
sync and poweroff asap. Or not even bother syncing
|
|
|
|
if we're doing an emergency shutdown? */
|
|
|
|
emergency_sync();
|
|
|
|
kernel_power_off();
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(orderly_poweroff);
|