Context Navigation

task.c@ 07d4271

Visit:

Last change on this file since 07d4271 was 07d4271, checked in by Jiří Zárevúcky <zarevucky.jiri@…>, 17 months ago

Fix some unsound task reference manipulation and locking

In some operations that take task ID as an argument,
there's a possibility of the task being destroyed mid-operation
and a subsequent use-after-free situation.
As a general solution, task_find_by_id() is reimplemented to
check for this situation and always return a valid strong reference.
The callers then only need to handle the reference itself, and
don't need to concern themselves with tasks_lock.

Property mode set to 100644

File size: 16.1 KB

Line
1	/*
2	* Copyright (c) 2010 Jakub Jermar
3	* Copyright (c) 2018 Jiri Svoboda
4	* All rights reserved.
5	*
6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions
8	* are met:
9	*
10	* - Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	* - Redistributions in binary form must reproduce the above copyright
13	* notice, this list of conditions and the following disclaimer in the
14	* documentation and/or other materials provided with the distribution.
15	* - The name of the author may not be used to endorse or promote products
16	* derived from this software without specific prior written permission.
17	*
18	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28	*/
29
30	/** @addtogroup kernel_generic_proc
31	* @{
32	*/
33
34	/**
35	* @file
36	* @brief Task management.
37	*/
38
39	#include <assert.h>
40	#include <proc/thread.h>
41	#include <proc/task.h>
42	#include <mm/as.h>
43	#include <mm/slab.h>
44	#include <atomic.h>
45	#include <synch/spinlock.h>
46	#include <synch/waitq.h>
47	#include <arch.h>
48	#include <barrier.h>
49	#include <adt/list.h>
50	#include <adt/odict.h>
51	#include <cap/cap.h>
52	#include <ipc/ipc.h>
53	#include <ipc/ipcrsc.h>
54	#include <ipc/event.h>
55	#include <stdio.h>
56	#include <errno.h>
57	#include <halt.h>
58	#include <str.h>
59	#include <syscall/copy.h>
60	#include <macros.h>
61
62	/** Spinlock protecting the @c tasks ordered dictionary. */
63	IRQ_SPINLOCK_INITIALIZE(tasks_lock);
64
65	/** Ordered dictionary of active tasks by task ID.
66	*
67	* Members are task_t structures.
68	*
69	* The task is guaranteed to exist after it was found in the @c tasks
70	* dictionary as long as:
71	*
72	* @li the tasks_lock is held,
73	* @li the task's lock is held when task's lock is acquired before releasing
74	* tasks_lock or
75	* @li the task's refcount is greater than 0
76	*
77	*/
78	odict_t tasks;
79
80	static task_id_t task_counter = 0;
81
82	static slab_cache_t *task_cache;
83
84	/* Forward declarations. */
85	static void task_kill_internal(task_t *);
86	static errno_t tsk_constructor(void *, unsigned int);
87	static size_t tsk_destructor(void *);
88
89	static void tasks_getkey(odlink_t );
90	static int tasks_cmp(void , void );
91
92	/** Initialize kernel tasks support.
93	*
94	*/
95	void task_init(void)
96	{
97	TASK = NULL;
98	odict_initialize(&tasks, tasks_getkey, tasks_cmp);
99	task_cache = slab_cache_create("task_t", sizeof(task_t), 0,
100	tsk_constructor, tsk_destructor, 0);
101	}
102
103	/** Kill all tasks except the current task.
104	*
105	*/
106	void task_done(void)
107	{
108	size_t tasks_left;
109	task_t *task;
110
111	if (ipc_box_0) {
112	task_t *task_0 = ipc_box_0->task;
113	ipc_box_0 = NULL;
114	/*
115	* The first task is held by kinit(), we need to release it or
116	* it will never finish cleanup.
117	*/
118	task_release(task_0);
119	}
120
121	/* Repeat until there are any tasks except TASK */
122	do {
123	#ifdef CONFIG_DEBUG
124	printf("Killing tasks... ");
125	#endif
126	irq_spinlock_lock(&tasks_lock, true);
127	tasks_left = 0;
128
129	task = task_first();
130	while (task != NULL) {
131	if (task != TASK) {
132	tasks_left++;
133	#ifdef CONFIG_DEBUG
134	printf("[%" PRIu64 "] ", task->taskid);
135	#endif
136	task_kill_internal(task);
137	}
138
139	task = task_next(task);
140	}
141
142	irq_spinlock_unlock(&tasks_lock, true);
143
144	thread_sleep(1);
145
146	#ifdef CONFIG_DEBUG
147	printf("\n");
148	#endif
149	} while (tasks_left > 0);
150	}
151
152	errno_t tsk_constructor(void *obj, unsigned int kmflags)
153	{
154	task_t task = (task_t ) obj;
155
156	errno_t rc = caps_task_alloc(task);
157	if (rc != EOK)
158	return rc;
159
160	atomic_store(&task->lifecount, 0);
161
162	irq_spinlock_initialize(&task->lock, "task_t_lock");
163
164	list_initialize(&task->threads);
165
166	ipc_answerbox_init(&task->answerbox, task);
167
168	spinlock_initialize(&task->active_calls_lock, "active_calls_lock");
169	list_initialize(&task->active_calls);
170
171	#ifdef CONFIG_UDEBUG
172	/* Init kbox stuff */
173	task->kb.thread = NULL;
174	ipc_answerbox_init(&task->kb.box, task);
175	mutex_initialize(&task->kb.cleanup_lock, MUTEX_PASSIVE);
176	#endif
177
178	return EOK;
179	}
180
181	size_t tsk_destructor(void *obj)
182	{
183	task_t task = (task_t ) obj;
184
185	caps_task_free(task);
186	return 0;
187	}
188
189	/** Create new task with no threads.
190	*
191	* @param as Task's address space.
192	* @param name Symbolic name (a copy is made).
193	*
194	* @return New task's structure.
195	*
196	*/
197	task_t task_create(as_t as, const char *name)
198	{
199	task_t task = (task_t ) slab_alloc(task_cache, FRAME_ATOMIC);
200	if (!task)
201	return NULL;
202
203	refcount_init(&task->refcount);
204
205	task_create_arch(task);
206
207	task->as = as;
208	str_cpy(task->name, TASK_NAME_BUFLEN, name);
209
210	task->container = CONTAINER;
211	task->perms = 0;
212	task->ucycles = 0;
213	task->kcycles = 0;
214
215	caps_task_init(task);
216
217	task->ipc_info.call_sent = 0;
218	task->ipc_info.call_received = 0;
219	task->ipc_info.answer_sent = 0;
220	task->ipc_info.answer_received = 0;
221	task->ipc_info.irq_notif_received = 0;
222	task->ipc_info.forwarded = 0;
223
224	event_task_init(task);
225
226	task->answerbox.active = true;
227
228	task->debug_sections = NULL;
229
230	#ifdef CONFIG_UDEBUG
231	/* Init debugging stuff */
232	udebug_task_init(&task->udebug);
233
234	/* Init kbox stuff */
235	task->kb.box.active = true;
236	task->kb.finished = false;
237	#endif
238
239	if ((ipc_box_0) &&
240	(container_check(ipc_box_0->task->container, task->container))) {
241	cap_phone_handle_t phone_handle;
242	errno_t rc = phone_alloc(task, true, &phone_handle, NULL);
243	if (rc != EOK) {
244	task->as = NULL;
245	task_destroy_arch(task);
246	slab_free(task_cache, task);
247	return NULL;
248	}
249
250	kobject_t *phone_obj = kobject_get(task, phone_handle,
251	KOBJECT_TYPE_PHONE);
252	(void) ipc_phone_connect(phone_obj->phone, ipc_box_0);
253	}
254
255	irq_spinlock_lock(&tasks_lock, true);
256
257	task->taskid = ++task_counter;
258	odlink_initialize(&task->ltasks);
259	odict_insert(&task->ltasks, &tasks, NULL);
260
261	irq_spinlock_unlock(&tasks_lock, true);
262
263	return task;
264	}
265
266	/** Destroy task.
267	*
268	* @param task Task to be destroyed.
269	*
270	*/
271	static void task_destroy(task_t *task)
272	{
273	/*
274	* Remove the task from the task odict.
275	*/
276	irq_spinlock_lock(&tasks_lock, true);
277	odict_remove(&task->ltasks);
278	irq_spinlock_unlock(&tasks_lock, true);
279
280	/*
281	* Perform architecture specific task destruction.
282	*/
283	task_destroy_arch(task);
284
285	/*
286	* Drop our reference to the address space.
287	*/
288	as_release(task->as);
289
290	slab_free(task_cache, task);
291	}
292
293	/** Hold a reference to a task.
294	*
295	* Holding a reference to a task prevents destruction of that task.
296	*
297	* @param task Task to be held.
298	*
299	*/
300	void task_hold(task_t *task)
301	{
302	refcount_up(&task->refcount);
303	}
304
305	/** Release a reference to a task.
306	*
307	* The last one to release a reference to a task destroys the task.
308	*
309	* @param task Task to be released.
310	*
311	*/
312	void task_release(task_t *task)
313	{
314	if (refcount_down(&task->refcount))
315	task_destroy(task);
316	}
317
318	#ifdef __32_BITS__
319
320	/** Syscall for reading task ID from userspace (32 bits)
321	*
322	* @param uspace_taskid Pointer to user-space buffer
323	* where to store current task ID.
324	*
325	* @return Zero on success or an error code from @ref errno.h.
326	*
327	*/
328	sys_errno_t sys_task_get_id(uspace_ptr_sysarg64_t uspace_taskid)
329	{
330	/*
331	* No need to acquire lock on TASK because taskid remains constant for
332	* the lifespan of the task.
333	*/
334	return (sys_errno_t) copy_to_uspace(uspace_taskid, &TASK->taskid,
335	sizeof(TASK->taskid));
336	}
337
338	#endif /* __32_BITS__ */
339
340	#ifdef __64_BITS__
341
342	/** Syscall for reading task ID from userspace (64 bits)
343	*
344	* @return Current task ID.
345	*
346	*/
347	sysarg_t sys_task_get_id(void)
348	{
349	/*
350	* No need to acquire lock on TASK because taskid remains constant for
351	* the lifespan of the task.
352	*/
353	return TASK->taskid;
354	}
355
356	#endif /* __64_BITS__ */
357
358	/** Syscall for setting the task name.
359	*
360	* The name simplifies identifying the task in the task list.
361	*
362	* @param name The new name for the task. (typically the same
363	* as the command used to execute it).
364	*
365	* @return 0 on success or an error code from @ref errno.h.
366	*
367	*/
368	sys_errno_t sys_task_set_name(const uspace_ptr_char uspace_name, size_t name_len)
369	{
370	char namebuf[TASK_NAME_BUFLEN];
371
372	/* Cap length of name and copy it from userspace. */
373	if (name_len > TASK_NAME_BUFLEN - 1)
374	name_len = TASK_NAME_BUFLEN - 1;
375
376	errno_t rc = copy_from_uspace(namebuf, uspace_name, name_len);
377	if (rc != EOK)
378	return (sys_errno_t) rc;
379
380	namebuf[name_len] = '\0';
381
382	/*
383	* As the task name is referenced also from the
384	* threads, lock the threads' lock for the course
385	* of the update.
386	*/
387
388	irq_spinlock_lock(&tasks_lock, true);
389	irq_spinlock_lock(&TASK->lock, false);
390
391	/* Set task name */
392	str_cpy(TASK->name, TASK_NAME_BUFLEN, namebuf);
393
394	irq_spinlock_unlock(&TASK->lock, false);
395	irq_spinlock_unlock(&tasks_lock, true);
396
397	return EOK;
398	}
399
400	/** Syscall to forcefully terminate a task
401	*
402	* @param uspace_taskid Pointer to task ID in user space.
403	*
404	* @return 0 on success or an error code from @ref errno.h.
405	*
406	*/
407	sys_errno_t sys_task_kill(uspace_ptr_task_id_t uspace_taskid)
408	{
409	task_id_t taskid;
410	errno_t rc = copy_from_uspace(&taskid, uspace_taskid, sizeof(taskid));
411	if (rc != EOK)
412	return (sys_errno_t) rc;
413
414	return (sys_errno_t) task_kill(taskid);
415	}
416
417	/** Find task structure corresponding to task ID.
418	*
419	* @param id Task ID.
420	*
421	* @return Task reference or NULL if there is no such task ID.
422	*
423	*/
424	task_t *task_find_by_id(task_id_t id)
425	{
426	task_t *task = NULL;
427
428	irq_spinlock_lock(&tasks_lock, true);
429
430	odlink_t *odlink = odict_find_eq(&tasks, &id, NULL);
431	if (odlink != NULL) {
432	task = odict_get_instance(odlink, task_t, ltasks);
433
434	/*
435	* The directory of tasks can't hold a reference, since that would
436	* prevent task from ever being destroyed. That means we have to
437	* check for the case where the task is already being destroyed, but
438	* not yet removed from the directory.
439	*/
440	if (!refcount_try_up(&task->refcount))
441	task = NULL;
442	}
443
444	irq_spinlock_unlock(&tasks_lock, true);
445
446	return task;
447	}
448
449	/** Get count of tasks.
450	*
451	* @return Number of tasks in the system
452	*/
453	size_t task_count(void)
454	{
455	assert(interrupts_disabled());
456	assert(irq_spinlock_locked(&tasks_lock));
457
458	return odict_count(&tasks);
459	}
460
461	/** Get first task (task with lowest ID).
462	*
463	* @return Pointer to first task or @c NULL if there are none.
464	*/
465	task_t *task_first(void)
466	{
467	odlink_t *odlink;
468
469	assert(interrupts_disabled());
470	assert(irq_spinlock_locked(&tasks_lock));
471
472	odlink = odict_first(&tasks);
473	if (odlink == NULL)
474	return NULL;
475
476	return odict_get_instance(odlink, task_t, ltasks);
477	}
478
479	/** Get next task (with higher task ID).
480	*
481	* @param cur Current task
482	* @return Pointer to next task or @c NULL if there are no more tasks.
483	*/
484	task_t task_next(task_t cur)
485	{
486	odlink_t *odlink;
487
488	assert(interrupts_disabled());
489	assert(irq_spinlock_locked(&tasks_lock));
490
491	odlink = odict_next(&cur->ltasks, &tasks);
492	if (odlink == NULL)
493	return NULL;
494
495	return odict_get_instance(odlink, task_t, ltasks);
496	}
497
498	/** Get accounting data of given task.
499	*
500	* Note that task lock of 'task' must be already held and interrupts must be
501	* already disabled.
502	*
503	* @param task Pointer to the task.
504	* @param ucycles Out pointer to sum of all user cycles.
505	* @param kcycles Out pointer to sum of all kernel cycles.
506	*
507	*/
508	void task_get_accounting(task_t task, uint64_t ucycles, uint64_t *kcycles)
509	{
510	assert(interrupts_disabled());
511	assert(irq_spinlock_locked(&task->lock));
512
513	/* Accumulated values of task */
514	uint64_t uret = task->ucycles;
515	uint64_t kret = task->kcycles;
516
517	/* Current values of threads */
518	list_foreach(task->threads, th_link, thread_t, thread) {
519	/* Process only counted threads */
520	if (!thread->uncounted) {
521	if (thread == THREAD) {
522	/* Update accounting of current thread */
523	thread_update_accounting(false);
524	}
525
526	uret += atomic_time_read(&thread->ucycles);
527	kret += atomic_time_read(&thread->kcycles);
528	}
529	}
530
531	*ucycles = uret;
532	*kcycles = kret;
533	}
534
535	static void task_kill_internal(task_t *task)
536	{
537	irq_spinlock_lock(&task->lock, true);
538
539	/*
540	* Interrupt all threads.
541	*/
542
543	list_foreach(task->threads, th_link, thread_t, thread) {
544	thread_interrupt(thread);
545	}
546
547	irq_spinlock_unlock(&task->lock, true);
548	}
549
550	/** Kill task.
551	*
552	* This function is idempotent.
553	* It signals all the task's threads to bail it out.
554	*
555	* @param id ID of the task to be killed.
556	*
557	* @return Zero on success or an error code from errno.h.
558	*
559	*/
560	errno_t task_kill(task_id_t id)
561	{
562	if (id == 1)
563	return EPERM;
564
565	task_t *task = task_find_by_id(id);
566	if (!task)
567	return ENOENT;
568
569	task_kill_internal(task);
570	task_release(task);
571	return EOK;
572	}
573
574	/** Kill the currently running task.
575	*
576	* @param notify Send out fault notifications.
577	*
578	* @return Zero on success or an error code from errno.h.
579	*
580	*/
581	void task_kill_self(bool notify)
582	{
583	/*
584	* User space can subscribe for FAULT events to take action
585	* whenever a task faults (to take a dump, run a debugger, etc.).
586	* The notification is always available, but unless udebug is enabled,
587	* that's all you get.
588	*/
589	if (notify) {
590	/* Notify the subscriber that a fault occurred. */
591	if (event_notify_3(EVENT_FAULT, false, LOWER32(TASK->taskid),
592	UPPER32(TASK->taskid), (sysarg_t) THREAD) == EOK) {
593	#ifdef CONFIG_UDEBUG
594	/* Wait for a debugging session. */
595	udebug_thread_fault();
596	#endif
597	}
598	}
599
600	task_kill_internal(TASK);
601	thread_exit();
602	}
603
604	/** Process syscall to terminate the current task.
605	*
606	* @param notify Send out fault notifications.
607	*
608	*/
609	sys_errno_t sys_task_exit(sysarg_t notify)
610	{
611	task_kill_self(notify);
612	unreachable();
613	}
614
615	static void task_print(task_t *task, bool additional)
616	{
617	irq_spinlock_lock(&task->lock, false);
618
619	uint64_t ucycles;
620	uint64_t kcycles;
621	char usuffix, ksuffix;
622	task_get_accounting(task, &ucycles, &kcycles);
623	order_suffix(ucycles, &ucycles, &usuffix);
624	order_suffix(kcycles, &kcycles, &ksuffix);
625
626	#ifdef __32_BITS__
627	if (additional)
628	printf("%-8" PRIu64 " %9zu", task->taskid,
629	atomic_load(&task->lifecount));
630	else
631	printf("%-8" PRIu64 " %-14s %-5" PRIu32 " %10p %10p"
632	" %9" PRIu64 "%c %9" PRIu64 "%c\n", task->taskid,
633	task->name, task->container, task, task->as,
634	ucycles, usuffix, kcycles, ksuffix);
635	#endif
636
637	#ifdef __64_BITS__
638	if (additional)
639	printf("%-8" PRIu64 " %9" PRIu64 "%c %9" PRIu64 "%c "
640	"%9zu\n", task->taskid, ucycles, usuffix, kcycles,
641	ksuffix, atomic_load(&task->lifecount));
642	else
643	printf("%-8" PRIu64 " %-14s %-5" PRIu32 " %18p %18p\n",
644	task->taskid, task->name, task->container, task, task->as);
645	#endif
646
647	irq_spinlock_unlock(&task->lock, false);
648	}
649
650	/** Print task list
651	*
652	* @param additional Print additional information.
653	*
654	*/
655	void task_print_list(bool additional)
656	{
657	/* Messing with task structures, avoid deadlock */
658	irq_spinlock_lock(&tasks_lock, true);
659
660	#ifdef __32_BITS__
661	if (additional)
662	printf("[id ] [threads] [calls] [callee\n");
663	else
664	printf("[id ] [name ] [ctn] [address ] [as ]"
665	" [ucycles ] [kcycles ]\n");
666	#endif
667
668	#ifdef __64_BITS__
669	if (additional)
670	printf("[id ] [ucycles ] [kcycles ] [threads] [calls]"
671	" [callee\n");
672	else
673	printf("[id ] [name ] [ctn] [address ]"
674	" [as ]\n");
675	#endif
676
677	task_t *task;
678
679	task = task_first();
680	while (task != NULL) {
681	task_print(task, additional);
682	task = task_next(task);
683	}
684
685	irq_spinlock_unlock(&tasks_lock, true);
686	}
687
688	/** Get key function for the @c tasks ordered dictionary.
689	*
690	* @param odlink Link
691	* @return Pointer to task ID cast as 'void *'
692	*/
693	static void tasks_getkey(odlink_t odlink)
694	{
695	task_t *task = odict_get_instance(odlink, task_t, ltasks);
696	return (void *) &task->taskid;
697	}
698
699	/** Key comparison function for the @c tasks ordered dictionary.
700	*
701	* @param a Pointer to thread A ID
702	* @param b Pointer to thread B ID
703	* @return -1, 0, 1 iff ID A is less than, equal to, greater than B
704	*/
705	static int tasks_cmp(void a, void b)
706	{
707	task_id_t ida = (task_id_t )a;
708	task_id_t idb = (task_id_t )b;
709
710	if (ida < idb)
711	return -1;
712	else if (ida == idb)
713	return 0;
714	else
715	return +1;
716	}
717
718	/** @}
719	*/

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mainline/kernel/generic/src/proc/task.c@ 07d4271

Download in other formats: