s/grabing/grabbing/ in comments.

unix(4): Convert membar_exit to membar_release.

Use atomic_load_consume or atomic_load_relaxed where necessary.

Comment on why unlocked nonatomic access is valid where it is done.

introduce a SOL_LOCAL for unix-domain socket level socket options
as an alias of the current 0 used for these options, as in FreeBSD.

reviewed by many.

PR/55777: Ruslan Nikolaev: Move the unp_sysctl_create to uipc_usrreq.c to
facilitate splitting rump modules and does not require a dummy function.

branches: 1.199.2;
add socket info for user and group for unix sockets in fstat.

Revert the changes made in February to make cwdinfo use mostly lockless,
which relied on taking extra vnode refs.

Having benchmarked various experimental changes over the past few months it
seems that it's better to avoid vnode refs as much as possible. cwdi_lock
as a RW lock already did that to some extent for getcwd() and will permit
the same for namei() too.

branches: 1.197.4;
Merge from ad-namecache:

- Have a stab at clustering the members of vnode_t and vnode_impl_t in a
more cache-conscious way. With that done, go back to adjusting v_usecount
with atomics and keep vi_lock directly in vnode_impl_t (saves KVA).

- Allow VOP_LOCK(LK_NONE) for the benefit of VFS_VGET() and VFS_ROOT().
Make sure LK_UPGRADE always comes with LK_NOWAIT.

- Make cwdinfo use mostly lockless.

Load struct fdfile::ff_file with atomic_load_consume.

Exceptions: when we're only testing whether it's there, not about to
dereference it.

Note: We do not use atomic_store_release to set it because the
preceding mutex_exit should be enough.

(That said, it's not clear the mutex_enter/exit is needed unless
refcnt > 0 already, in which case maybe it would be a win to switch
from the membar implied by mutex_enter to the membar implied by
atomic_store_release -- which I would generally expect to be much
cheaper. And a little clearer without a long comment.)

Load struct filedesc::fd_dt with atomic_load_consume.

Exceptions: when fd_refcnt <= 1, or when holding fd_lock.

While here:

- Restore KASSERT(mutex_owned(&fdp->fd_lock)) in fd_unused.
=> This is used only in fd_close and fd_abort, where it holds.
- Move bounds check assertion in fd_putfile to where it matters.
- Store fd_dt with atomic_store_release.
- Move load of fd_dt under lock in knote_fdclose.
- Omit membar_consumer in fdesc_readdir.
=> atomic_load_consume serves the same purpose now.
=> Was needed only on alpha anyway.

branches: 1.194.2; 1.194.4;
Fix info leak: the padding after the header causes uninitialized heap
memory to be copied to userland in sys_recvmsg().

Fix typo in comment (s/seperate/separate/).

Rename the MODULE_*_HOOK() macros to MODULE_HOOK_*() as briefly
discussed on irc.

NFCI intended.

Ride the earlier kernel bump - it;s getting crowded.

compat70_ocreds_valid is not a pointer to a boolean, it is the boolean
itself which controls whether or not we recognize the OCRED options.

Should fix the panic identified in PR kern/53991 (awaiting confirmation
from submitter).

add or adjust fallthru comments.

Normalize all the compat hooks' names to the form

<subsystem>_<function>_<version>_hook

NFCI

XXX Note that although this introduces a change in the kernel-to-
XXX module interface, we are NOT bumping the kernel version number.
XXX We will bump the version number once the interface stabilizes.

Merge the [pgoyette-compat] branch

Don't call soroverflow when we return the error to the sender.

Thanks to thorpej@ for a sanity check.

branches: 1.186.2;
Increase the default size of some receive buffers from 8k to 16k.
This mitigates recent reports of socket overflow errors
and fixes PR bin/53247.

bump PIPSIZ from 4 to 8K like FreeBSD and provide the same sysctls

socket: report receive buffer overflows

Add soroverflow() which increments the overflow counter, sets so_error
to ENOBUFS and wakes the receive socket up.
Replace all code that manually increments this counter with soroverflow().
Add soroverflow() to raw_input().

This allows userland to detect route(4) overflows so it can re-sync
with the current state.

branches: 1.183.2;
fix LOCAL_PEEREID to not return the same info for both sides...
XXX: pullup-{7,8}

include opt_compat_netbsd.h, so that eg COMPAT_70 will be set.

branches: 1.181.8;
Memory leak, found by Mootja. It is easily triggerable from userland.

branches: 1.180.2;
Add sc_pid to sockcred so that SOCK_DGRAM and LOCAL_CREDS socket option
can learn the process id of the AF_LOCAL sender.
Add compat glue for old structure.

make connect syscall use sockaddr_big and modify pr_{send,connect}
nam parameter type from buf * to sockaddr *.

final commit for parameter type changes to protocol user requests

* bump kernel version to 7.99.15 for parameter type changes to pr_{send,connect}

remove pr_generic from struct pr_usrreqs and all implementations of
pr_generic in protocols.

bump to 7.99.13

approved by rmind@

make accept, getsockname and getpeername syscalls use sockaddr_big and modify
pr_{accept,sockname,peername} nam parameter type from mbuf * to sockaddr *.

* retained use of mbuftypes[MT_SONAME] for now.
* bump to netbsd version 7.99.12 for parameter type change.

patch posted to tech-net@ 2015/04/19

* change pr_bind to accept struct sockaddr * instead of struct mbuf *
* update protocol bind implementations to use/expect sockaddr *
instead of mbuf *
* introduce sockaddr_big struct for storage of addr data passed via
sys_bind; sockaddr_big is of sufficient size and alignment to
accommodate all addr data sizes received.
* modify sys_bind to allocate sockaddr_big instead of using an mbuf.
* bump kernel version to 7.99.9 for change to pr_bind() parameter type.

Patch posted to tech-net@
http://mail-index.netbsd.org/tech-net/2015/03/15/msg005004.html

The choice to use a new structure sockaddr_big has been retained since
changing sockaddr_storage size would lead to unnecessary ABI change. The
use of the new structure does not preclude future work that increases
the size of sockaddr_storage and at that time sockaddr_big may be
trivially replaced.

Tested by mrg@ and myself, discussed with rmind@, posted to tech-net@

PR/39918: ITOH Yasufumi: Replace KASSERT with continue, since the file
descriptor can be closed since closef() does not pay attention to FDEFER.
XXX: Pullup-7

Place opening brace to function at column 0, like in the rest of the file.

Handle LOCAL_PEERID for socketpair() connected sockets which connect through
connect2().
1. move the code that sets the peerid structure into connect1(). This
handles so2. The datagram code calls connect2 twice with flipped
so arguments so both sockets get set.
2. in connect2 copy the peerid structure from so2 to so, so that that
both stream sockets get set.

branches: 1.172.2;
Make behavior of getsockname(2) (and maybe getpeername(2)) as the same as
NetBSD 6.1_STABLE and other operating system (OS X 10.9.5).

* sa_len of sockaddr_un strucrure is always set to sizeof(sun_path).
* pathname stored in sun_path is alwasys '\0' terminated (except length
of sun_path is sizeof(sun_path)?).

Should be fix PR kern/49247, runtime problem of lmtp service of dovecot2 on
NetBSD current and NetBSD 7.0_BETA.

Try not to use f_data, use f_{vnode,socket,pipe,mqueue,kqueue,ksem} to get
a correctly typed pointer.

Don't next structure and enum definitions.
Don't use C++ keywords new, try, class, private, etc.

branches: 1.169.2;
split PRU_CONNECT2 & PRU_PURGEIF function out of pr_generic() usrreq
switches and put into separate functions

- always KASSERT(solocked(so)) even if not implemented
(for PRU_CONNECT2 only)

- replace calls to pr_generic() with req = PRU_CONNECT2 with calls to
pr_connect2()

- replace calls to pr_generic() with req = PRU_PURGEIF with calls to
pr_purgeif()

put common code from unp_connect2() (used by unp_connect() into
unp_connect1() and call out to it when needed

patch only briefly reviewed by rmind@

split PRU_RCVD function out of pr_generic() usrreq switches and put into
separate functions

- always KASSERT(solocked(so)) even if not implemented

- replace calls to pr_generic() with req = PRU_RCVD with calls to
pr_rcvd()

actually use the passed in struct lwp *l instead of curlwp in unp_connect()

split PRU_SEND function out of pr_generic() usrreq switches and put into
separate functions

xxx_send(struct socket *, struct mbuf *, struct mbuf *,
struct mbuf *, struct lwp *)

- always KASSERT(solocked(so)) even if not implemented

- replace calls to pr_generic() with req = PRU_SEND with calls to
pr_send()

rename existing functions that operate on PCB for consistency (and to
free up their names for xxx_send() PRUs

- l2cap_send() -> l2cap_send_pcb()
- sco_send() -> sco_send_pcb()
- rfcomm_send() -> rfcomm_send_pcb()

patch reviewed by rmind

revert the removal of struct lwp * parameter from bind, listen and connect
user requests.

this should resolve the issue relating to nfs client hangs presented
recently by wiz on current-users@

* remove declarations of unp_bind, unp_discard, unp_disconnect1, unp_drop,
unp_shutdown1, unp_internalize and unp_output functions from sys/un.h
and instead declare them as static in uipc_usrreq.c with prototype
declarations as necessary.

* remove struct lwp * parameter from unp_output() while here and just
use curlwp instead.

as discussed with rmind

split PRU_DISCONNECT, PRU_SHUTDOWN and PRU_ABORT function out of
pr_generic() usrreq switches and put into separate functions

xxx_disconnect(struct socket *)
xxx_shutdown(struct socket *)
xxx_abort(struct socket *)

- always KASSERT(solocked(so)) even if not implemented
- replace calls to pr_generic() with req =
PRU_{DISCONNECT,SHUTDOWN,ABORT}
with calls to pr_{disconnect,shutdown,abort}() respectively

rename existing internal functions used to implement above functionality
to permit use of the names for xxx_{disconnect,shutdown,abort}().

- {l2cap,sco,rfcomm}_disconnect() ->
{l2cap,sco,rfcomm}_disconnect_pcb()
- {unp,rip,tcp}_disconnect() -> {unp,rip,tcp}_disconnect1()
- unp_shutdown() -> unp_shutdown1()

patch reviewed by rmind

split PRU_CONNECT function out of pr_generic() usrreq switches and put
into seaparate functions

xxx_listen(struct socket *, struct mbuf *)

- always KASSERT(solocked(so)) and KASSERT(nam != NULL)
- replace calls to pr_generic() with req = PRU_CONNECT with
pr_connect()
- rename existin {l2cap,sco,rfcomm}_connect() to
{l2cap,sco,rfcomm}_connect_pcb() respectively to permit
naming consistency with other protocols functions.
- drop struct lwp * parameter from unp_connect() and at_pcbconnect()
and use curlwp instead where appropriate.

patch reviewed by rmind

split PRU_BIND and PRU_LISTEN function out of pr_generic() usrreq
switches and put into separate functions
xxx_bind(struct socket *, struct mbuf *)
xxx_listen(struct socket *)

- always KASSERT(solocked(so)) even if not implemented

- replace calls to pr_generic() with req = PRU_BIND with call to
pr_bind()

- replace calls to pr_generic() with req = PRU_LISTEN with call to
pr_listen()

- drop struct lwp * parameter from at_pcbsetaddr(), in_pcbbind() and
unp_bind() and always use curlwp.

rename existing functions that operate on PCB for consistency (and to
free up their names for xxx_{bind,listen}() PRUs

- l2cap_{bind,listen}() -> l2cap_{bind,listen}_pcb()
- sco_{bind,listen}() -> sco_{bind,listen}_pcb()
- rfcomm_{bind,listen}() -> rfcomm_{bind,listen}_pcb()

patch reviewed by rmind

welcome to netbsd 6.99.48

split PRU_SENDOOB and PRU_RCVOOB function out of pr_generic() usrreq
switches and put into separate functions
xxx_sendoob(struct socket *, struct mbuf *, struct mbuf *)
xxx_recvoob(struct socket *, struct mbuf *, int)

- always KASSERT(solocked(so)) even if request is not implemented

- replace calls to pr_generic() with req = PRU_{SEND,RCV}OOB with
calls to pr_{send,recv}oob() respectively.

there is still some tweaking of m_freem(m) and m_freem(control) to come
for consistency. not performed with this commit for clarity.

reviewed by rmind

* split PRU_ACCEPT function out of pr_generic() usrreq switches and put
into a separate function xxx_accept(struct socket *, struct mbuf *)

note: future cleanup will take place to remove struct mbuf parameter
type and replace it with a more appropriate type.

patch reviewed by rmind

* split PRU_PEERADDR and PRU_SOCKADDR function out of pr_generic()
usrreq switches and put into separate functions
xxx_{peer,sock}addr(struct socket *, struct mbuf *).

- KASSERT(solocked(so)) always in new functions even if request
is not implemented

- KASSERT(pcb != NULL) and KASSERT(nam) if the request is
implemented and not for tcp.

* for tcp roll #ifdef KPROF and #ifdef DEBUG code from tcp_usrreq() into
easier to cut & paste functions tcp_debug_capture() and
tcp_debug_trace()

- functions provided by rmind
- remaining use of PRU_{PEER,SOCK}ADDR #define to be removed in a
future commit.

* rename netbt functions to permit consistency of pru function names
(as has been done with other requests already split out).

- l2cap_{peer,sock}addr() -> l2cap_{peer,sock}_addr_pcb()
- rfcomm_{peer,sock}addr() -> rfcomm_{peer,sock}_addr_pcb()
- sco_{peer,sock}addr() -> sco_{peer,sock}_addr_pcb()

* split/refactor do_sys_getsockname(lwp, fd, which, nam) into
two functions do_sys_get{peer,sock}name(fd, nam).

- move PRU_PEERADDR handling into do_sys_getpeername() from
do_sys_getsockname()
- have svr4_stream directly call do_sys_get{sock,peer}name()
respectively instead of providing `which' & fix a DPRINTF string
that incorrectly wrote "getpeername" when it meant "getsockname"
- fix sys_getpeername() and sys_getsockname() to call
do_sys_get{sock,peer}name() without `which' and `lwp' & adjust
comments
- bump kernel version for removal of lwp & which parameters from
do_sys_getsockname()

note: future cleanup to remove struct mbuf * abuse in
xxx_{peer,sock}name()
still to come, not done in this commit since it is easier to do post
split.

patch reviewed by rmind

welcome to 6.99.47

* sprinkle KASSERT(solocked(so)); in all pr_stat() functions.
* fix remaining inconsistent struct socket parameter names.

* split PRU_SENSE functionality out of xxx_usrreq() switches and place into
separate xxx_stat(struct socket *, struct stat *) functions.
* replace calls using pr_generic with req == PRU_SENSE with pr_stat().

further change will follow that cleans up the pattern used to extract the
pcb and test for its presence.

reviewed by rmind

fix parameter types in pr_ioctl, called xx_control() functions and remove
abuse of pointer to struct mbuf type.

param2 changed to u_long type and uses parameter name 'cmd' (ioctl command)
param3 changed to void * type and uses parameter name 'data'
param4 changed to struct ifnet * and uses parameter name 'ifp'
param5 has been removed (formerly struct lwp *) and uses of 'l' have been
replaced with curlwp from curproc(9).

callers have had (now unnecessary) casts to struct mbuf * removed, called
code has had (now unnecessary) casts to u_long, void * and struct ifnet *
respectively removed.

reviewed by rmind@

* split PRU_CONTROL functionality out of xxx_userreq() switches and place
into separate xxx_ioctl() functions.
* place KASSERT(req != PRU_CONTROL) inside xxx_userreq() as it is now
inappropriate for req = PRU_CONTROL in xxx_userreq().
* replace calls to pr_generic() with req = PRU_CONTROL with pr_ioctl().
* remove & fixup references to PRU_CONTROL xxx_userreq() function comments.
* fix various comments references for xxx_userreq() that mentioned
PRU_CONTROL as xxx_userreq() no longer handles the request.

a further change will follow to fix parameter and naming inconsistencies
retained from original code.

Reviewed by rmind@

Handle race where the server closed the socket between us 'connecting' and
sending data.

- Split off PRU_ATTACH and PRU_DETACH logic into separate functions.
- Replace malloc with kmem and eliminate M_PCB while here.
- Sprinkle more asserts.

Add struct pr_usrreqs with a pr_generic function and prepare for the
dismantling of pr_usrreq in the protocols; no functional change intended.
PRU_ATTACH/PRU_DETACH changes will follow soon.

Bump for struct protosw. Welcome to 6.99.62!

branches: 1.150.2;
Change vnode operations create, mknod, mkdir and symlink to return
the resulting vnode *vpp unlocked.

Discussed on tech-kern@

Welcome to 6.99.30

Change vnode operations create, mknod, mkdir and symlink to keep the
directory node dvp locked on return.

Discussed on tech-kern@

Welcome to 6.99.29

Vnode API cleanup pass 1.

- Make these defines and functions private to vfs_vnode.c:

VC_MASK, VC_LOCK, DOCLOSE, VI_IANCTREDO and VI_INACTNOW
vclean() and vrelel()

- Remove the long time unused lwp argument from vrecycle().

- Remove vtryget(), it is responsible for ugly hacks and doesn't
look that effective.

Presented on tech-kern.

Welcome to 6.99.25

Eliminat an unused variable and simplify the KASSERT which used to use it

Centralize the sockaddr_un allocation code. Set sun_len appropriately so
that the address length returned is correct, not always 106. Note that
we do things slightly differently than linux and explain why. Unit-tests
to come.

- Instead of having accept(2) return a zero-filled sockaddr for the case
where accept(2) was called on a unix socket that called connect(2) and
then close(2), before the connection was accepted, return the empty
sockaddr_un.
- Fix the length of the empty sockaddr_un socket so that it reflects reality.

Remove SS_ISCONFIRMING, it is unused and TP4 will not come back.

In unp_externalize, don't do anything if an SCM_RIGHTS control message
was sent with zero file descriptors in it. Otherwise, a zero-length
temporary storage would be allocated which triggers panic on DIAGNOSTIC
kernels (but is harmless for release kernels).
reviewed by Taylor R Campbell

branches: 1.142.2;
use sbcreatecontrol1() and m_add() instead of open-coding everything, and
getting it slightly wrong.

Fix some screw cases in cmsg file descriptor passing.

- Don't leave garbage in the control buffer if allocating file
descriptors fails in unp_externalize.

- Scrub the space between CMSG_LEN and CMSG_SPACE to avoid kernel
memory disclosure in unp_externalize.

- Don't read past cmsg_len when closing file descriptors that
couldn't get delivered, in free_rights.

ok christos

Avoid crash dereferencing a NULL fp in fd_affix() in unp_externalize
caused by the sequence of passing two fd's with two sendmsg()'s,
then doing a read() and a recvmsg(). The read() calls dom_dispose()
which discards both messages in the mbuf, and sets the fp's in the
array to NULL. Linux dequeues only one message per read() so the
second recvmsg() gets the fd from the second message. This fix
just avoids the NULL pointer de-reference, making the second
recvmsg() to fail. It is dubious to pass fd's with stream sockets
and expect mixing read() and recvmsg() to work. Plus processing
one control message per read() changes the current semantics and
should be examined before applied. In addition there is a race between
dom_externalize() and dom_dispose(): what happens in a multi-threaded
network stack when one thread disposes where the other externalizes
the same array?

NB: Pullup to 6.

branches: 1.139.2;
remove infinite loop on error, extra parens on return.

simplify unp_externalize(), some from gimpy, some from me.

Stopgap fix for PR kern/46463: disallow passing of kqueue descriptors
via SCM_RIGHT anxiliary socket messages.

branches: 1.136.2; 1.136.8;
* Arrange for interfaces that create new file descriptors to be able to
set close-on-exec on creation (http://udrepper.livejournal.com/20407.html).

- Add F_DUPFD_CLOEXEC to fcntl(2).
- Add MSG_CMSG_CLOEXEC to recvmsg(2) for unix file descriptor passing.
- Add dup3(2) syscall with a flags argument for O_CLOEXEC, O_NONBLOCK.
- Add pipe2(2) syscall with a flags argument for O_CLOEXEC, O_NONBLOCK.
- Add flags SOCK_CLOEXEC, SOCK_NONBLOCK to the socket type parameter
for socket(2) and socketpair(2).
- Add new paccept(2) syscall that takes an additional sigset_t to alter
the sigmask temporarily and a flags argument to set SOCK_CLOEXEC,
SOCK_NONBLOCK.
- Add new mode character 'e' to fopen(3) and popen(3) to open pipes
and file descriptors for close on exec.
- Add new kqueue1(2) syscall with a new flags argument to open the
kqueue file descriptor with O_CLOEXEC, O_NONBLOCK.

* Fix the system calls that take socklen_t arguments to actually do so.

* Don't include userland header files (signal.h) from system header files
(rump_syscallargs.h).

* Bump libc version for the new syscalls.

Welcome to 5.99.53! Merge rmind-uvmplock branch:

- Reorganize locking in UVM and provide extra serialisation for pmap(9).
New lock order: [vmpage-owner-lock] -> pmap-lock.

- Simplify locking in some pmap(9) modules by removing P->V locking.

- Use lock object on vmobjlock (and thus vnode_t::v_interlock) to share
the locks amongst UVM objects where necessary (tmpfs, layerfs, unionfs).

- Rewrite and optimise x86 TLB shootdown code, make it simpler and cleaner.
Add TLBSTATS option for x86 to collect statistics about TLB shootdowns.

- Unify /dev/mem et al in MI code and provide required locking (removes
kernel-lock on some ports). Also, avoid cache-aliasing issues.

Thanks to Andrew Doran and Joerg Sonnenberger, as their initial patches
formed the core changes of this branch.

branches: 1.134.2;
Add SOCK_SEQPACKET to PL_LOCAL sockets. Based on patch from Jesse Off,
submitted 8 years ago:
http://mail-index.netbsd.org/tech-kern/2003/04/14/0006.html

branches: 1.133.2;
Introduce struct pathbuf. This is an abstraction to hold a pathname
and the metadata required to interpret it. Callers of namei must now
create a pathbuf and pass it to NDINIT (instead of a string and a
uio_seg), then destroy the pathbuf after the namei session is
complete.

Update all namei call sites accordingly. Add a pathbuf(9) man page and
update namei(9).

The pathbuf interface also now appears in a couple of related
additional places that were passing string/uio_seg pairs that were
later fed into NDINIT. Update other call sites accordingly.

unp_connect: fix an assertion

unp_connect2: fix a comment.

Clean up vnode lock operations pass 2:

VOP_UNLOCK(vp, flags) -> VOP_UNLOCK(vp): Remove the unneeded flags argument.

Welcome to 5.99.32.

Discussed on tech-kern.

branches: 1.129.2;
Fix typo in comment.

branches: 1.128.2;
The VATTR_NULL/VREF/VHOLD/HOLDRELE() macros lost their will to live
years ago when the kernel was modified to not alter ABI based on
DIAGNOSTIC, and now just call the respective function interfaces
(in lowercase). Plenty of mix'n match upper/lowercase has creeped
into the tree since then. Nuke the macros and convert all callsites
to lowercase.

no functional change

In uipc_usrreq(PRU_ACCEPT), grab the unp_streamlock before unp_setpeerlocks().
This fixes a race where, for a short period of time, so->so_lock and
so2->so_lock are not sync. This makes solocked2() and solocked()
unreliable and cause DIAGNOSTIC kernel panics. This also fixes a possible
panic in unp_setaddr() which expects the socket locked.
Should fix kern/38968, fix proposed in
http://mail-index.netbsd.org/tech-kern/2009/08/17/msg005863.html

More changes to improve kern_descrip.c.

- Avoid atomics in more places.
- Remove the per-descriptor mutex, and just use filedesc_t::fd_lock.
It was only being used to synchronize close, and in any case we needed
to take fd_lock to free the descriptor slot.
- Optimize certain paths for the <NDFDFILE case.
- Sprinkle more comments and assertions.
- Cache more stuff in filedesc_t.
- Fix numerous minor bugs spotted along the way.
- Restructure how the open files array is maintained, for clarity and so
that we can eliminate the membar_consumer() call in fd_getfile(). This is
mostly syntactic sugar; the main functional change is that fd_nfiles now
lives alongside the open file array.

Some measurements with libmicro:

- simple file syscalls are like close() are between 1 to 10% faster.
- some nice improvements, e.g. poll(1000) which is ~50% faster.

tweak some assertions on so_head to make them more meaningful.

0 -> NULL

remove an unnecessary cast.

0 -> NULL where appropriate

completely rework the way that orphaned sockets that are being fdpassed
via SCM_RIGHTS messages are dealt with:

1. unp_gc: make this a kthread.

2. unp_detach: go not call unp_gc directly. instead, wake up unp_gc kthread.

3. unp_scan: do not close files here. instead, put them on a global list
for unp_gc to close, along with a per-file "deferred close count". if
file is already enqueued for close, just increment deferred close count.
this eliminates the recursive calls.

3. unp_gc: scan files on global deferred close list. close each file N
times, as specified by deferred close count in file. continue processing
list until it becomes empty (closing may cause additional files to be
queued for close).

4. unp_gc: add additional bit to mark files we are scanning. set during
initial scan of global file list that currently clears FMARK/FDEFER.
during later scans, never examine / garbage collect descriptors that
we have not marked during the earlier scan. do not proceed with this
initial scan until all deferred closes have been processed. be careful
with locking to ensure no races are introduced between deferred close
and file scan.

5. unp_gc: use dummy file_t to mark position in list when scanning. allow
us to drop filelist_lock. in turn allows us to eliminate kmem_alloc()
and safely close files, etc.

6. prohibit transfer of descriptors within SCM_RIGHTS messages if
(num_files_in_transit > maxfiles / unp_rights_ratio)

7. fd_allocfile: ensure recycled filse don't get scanned.


this is 97% work done by andrew doran, with a couple of minor bug fixes
and a lot of testing by yours truly.

branches: 1.120.2;
Don't try to fd_putfile() descriptors we didn't manage to fd_getfile().

Fixes local DoS panic described in kern/40570.

branches: 1.119.2; 1.119.4;
Move uidinfo to its own module in kern_uidinfo.c and include in rump.
No functional change to uidinfo.

Convert socket options code to use a sockopt structure
instead of laying everything into an mbuf.

approved by core

branches: 1.117.2;
Also enforce that cm->cmsg_len >= CMSG_ALIGN(sizeof cmsghdr), from
Michael van Elst

Don't require cm->cmsg_len == control->m_len, just that the cm->cmsg_len
<= control->m_len, like FreeBSD does. Idea from Taylor R Campbell.

There can be existing waiters on a socket's condition variables when we
change socket::so_lock, and they rely on the old lock to synchronize.
Wake them up whenever we change so_lock so they can restart their waits.

branches: 1.114.2; 1.114.4;
Remove clause 3 and 4 from TNF licenses

branches: 1.113.2;
Add a comment.

Merge the socket locking patch:

- Socket layer becomes MP safe.
- Unix protocols become MP safe.
- Allows protocol processing interrupts to safely block on locks.
- Fixes a number of race conditions.

With much feedback from matt@ and plunky@.

When unp_internalize fails (due to the sanity check or an out-of-memory
condition), it leaves the control message with file descriptors. Calling
unp_dispose() will interpret the message as containing file pointers
and crash the system.
This change removes unp_dispose() from this failure path and avoids
using goto to jump into switch statements...
The previous workaround to ignore such messages in unp_scan() is removed.

If cm->cmsg_len is not valid for unp_internalize do not use it to work out
where the data is in unp_scan.

Fixes PR/38391

branches: 1.109.2;
Prevent overlapping calls to bind() and/or connect() on a Unix socket.

merge yamt-lazymbuf branch.

unp_gc: unlock filelist_lock in a case of restart.

Catch up with descriptor handling changes. See kern_descrip.c revision
1.173 for details.

branches: 1.105.6;
Remove VOP_LEASE. Discussed on tech-kern.

Use FILE_LOCK() and FILE_UNLOCK()

branches: 1.103.4;
Remove cn_lwp from struct componentname. curlwp should be used
from on. The NDINIT() macro no longer takes the lwp parameter and
associates the credentials of the calling thread with the namei
structure.

branches: 1.102.2;
Remove the "struct lwp *" argument from all VFS and VOP interfaces.
The general trend is to remove it from all kernel interfaces and
this is a start. In case the calling lwp is desired, curlwp should
be used.

quick consensus on tech-kern

branches: 1.101.4;
Merge file descriptor locking, cwdi locking and cross-call changes
from the vmlocking branch.

branches: 1.100.2;
Make uipc_ctloutput() return ENOPROTOOPT instead of EINVAL when it
is passed a handle socket-option level that it does not care about.

branches: 1.99.2;
Add a new socket option for unix domain sockets: LOCAL_PEEREID, to make
it possible to get the pid, euid and egid of the process at the remote
end at the time it did bind() or connect().

Add a new libc function, getpeereid() to easily get at the euid and egid.
As a consequence, bump libc's minor number.

Document the LOCAL_PEEREID socket option in unix(4).

Based on contribution by Arne H. Juul, minor modifications by myself.

branches: 1.98.2;
PR kern/32842:
do not leak file descriptors when sending a datagram with SCM_RIGHTS
fails. Patch from Gary Thorpe, based on changes in FreeBSD and work
from Christian Biere.

branches: 1.97.2; 1.97.6;
Change the way that emulations locate files within the emulation root to
avoid having to allocate space in the 'stackgap'
- which is very LWP unfriendly.
The additional code for non-emulation namei() is trivial, the reduction for
the emulations is massive.
The vnode for a processes emulation root is saved in the cwdi structure
during process exec.
If the emulation root the TRYEMULROOT flag are set, namei() will do an initial
search for absolute pathnames in the emulation root, if that fails it will
retry from the normal root.
".." at the emulation root will always go to the real root, even in the middle
of paths and when expanding symlinks.
Absolute symlinks found using absolute paths in the emulation root will be
relative to the emulation root (so /usr/lib/xxx.so -> /lib/xxx.so links
inside the emulation root don't need changing).
If the root of the emulation would be returned (for an emulation lookup), then
the real root is returned instead (matching the behaviour of emul_lookup,
but being a cheap comparison here) so that programs that scan "../.."
looking for the root dircetory don't loop forever.
The target for symbolic links is no longer mangled (it used to get the
CHECK_ALT_xxx() treatment, so could get /emul/xxx prepended).
CHECK_ALT_xxx() are no more. Most of the change is deleting them, and adding
TRYEMULROOT to the flags to NDINIT().
A lot of the emulation system call stubs could now be deleted.

Remove calls to now obsolete vn_start_write() and vn_finished_write().

branches: 1.95.2; 1.95.4;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.94.2; 1.94.4; 1.94.8;
Pointing one element past an array is fine, pointing before it isn't.

branches: 1.93.2; 1.93.4;
use c99 initializers

Use the LWP cached credentials where sane.

integrate kauth.

Coverity CID 1089: Add more KASSERTs to prevent NULL deref.

Coverity CID 1088: Add KASSERT to prevent NULL pointer deref.

Add a KASSERT to document a condition for the PRU_ABORT case.

branches: 1.87.2; 1.87.4; 1.87.6;
PR/32856: Christian Biere: Don't panic if you send a control message with
SCM_RIGHTS on an unconnected stream socket.

branches: 1.86.2; 1.86.4; 1.86.6;
merge ktrace-lwp.

Call nanotime() directly, instead of doing the
microtime()/TIMEVAL_TO_TIMESPEC() dance.

Honor the user's umask while creating local sockets. Several other systems
do already this (such as FreeBSD, OpenBSD and Linux), so it will improve
portability of some third-party programs. No objections in tech-kern@.

branches: 1.83.2;
uipc_usrreq: plug mbuf leak.

- add const.
- remove unnecessary casts.
- add __UNCONST casts and mark them with XXXUNCONST as necessary.

PR/30154: YAMAMOTO Takashi: tcp_close locking botch
chgsbsize() as mentioned in the PR can be called from an interrupt context
via tcp_close(). Avoid calling uid_find() in chgsbsize().
- Instead of storing so_uid in struct socketvar, store *so_uidinfo
- Add a simple lock to struct uidinfo.

branches: 1.80.2;
nuke trailing whitespace

branches: 1.79.4; 1.79.6;
add a per-socket counter for dropped UDP packets when the internal buffers
are full.

Eliminate several uses of `curproc' from the socket-layer code and from NFS.

Add a new explicit `struct proc *p' argument to socreate(), sosend().
Use that argument instead of curproc. Follow-on changes to pass that
argument to socreate(), sosend(), and (*so->so_send)() calls.
These changes reviewed and independently recoded by Matt Thomas.

Changes to soreceive() and (*dom->dom_exernalize() from Matt Thomas:
pass soreceive()'s struct uio* uio->uio_procp to unp_externalize().
Eliminate curproc from unp_externalize. Also, now soreceive() uses
its uio->uio_procp value, pass that same value downward to
((pr->pru_usrreq)() calls for consistency, instead of (struct proc * )0.

Similar changes in sys/nfs to eliminate (most) uses of curproc,
either via the req-> r_procp field of a struct nfsreq *req argument,
or by passing down new explicit struct proc * arguments.

Reviewed by: Matt Thomas, posted to tech-kern.
NB: The (*pr->pru_usrreq)() change should be tested on more (all!) protocols.

Constify sun_noname.

ANSI'fy.

PR/9347: Eric E. Fair: socket buffer pool exhaustion leads to system deadlock
and unkillable processes.
1. Introduce new SBSIZE resource limit from FreeBSD to limit socket buffer
size resource.
2. make sokvareserve interruptible, so processes ltsleeping on it can be
killed.

branches: 1.74.2; 1.74.4;
Nuke __P().

Avoid using m_clget() on a mbuf already in use, especially when we
need the data in the mbuf later and m_clget() changes some fields
overlaid to regular mbuf data. Instead, rearange code a bit, create
data into a new allocated buffer and and use MEXTADD to attach it to
the mbuf, if the mbuf internal space is not sufficient.

This fixes a crash on sparc64 (and probably all other archs where
sizeof(int) != sizeof(struct file *)) when running
regress/sys/kern/unfdpass.

Idea for solution from Matt Thomas, with additional input from YAMAMOTO
Takashi.

Restore a change that made AF_LOCAL sockets block on connect(2) until
accepted. However, this time this behavor is not the default. Instead
it must enabled by using the LOCAL_CONNWAIT socket option on either the
connecting or accepting socket.

Revert a change that altered the semantics of AF_LOCAL sockets. Sadly
this made us API incompatible with other Unixes.

Add the gating of system calls that cause modifications to the underlying
file system.
The function vfs_write_suspend stops all new write operations to a file
system, allows any file system modifying system calls already in progress
to complete, then sync's the file system to disk and returns. The
function vfs_write_resume allows the suspended write operations to
complete.

From FreeBSD with slight modifications.

Approved by: Frank van der Linden <fvdl@netbsd.org>

Fix typo.

Change the behavor of AF_LOCAL connect() to sleep until the server has
accepted the connection. This can prevent a client from overwhelming a
server.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22364, verified by myself.

back rev 1.63 (the linux hack) off - no compat specific code
in generic code, please

we need to massage the passed linux cmsg anyway, linux uses different
alignment for CMSG_DATA on at least some architectures

backout previous, there was a comment on LINUX_SOL_SOCKET=1

#define LINUX_SOL_SOCKET 1, so that we can answer "what the hell is this 1?"
at ease.

From Todd Vierling: Accept level == 1 for linux compat.

branches: 1.62.2;
Back out the lwp/ktrace changes. They contained a lot of colateral damage,
and need to be examined and discussed more.

Pass lwp pointers throughtout the kernel, as required, so that the lwpid can
be inserted into ktrace records. The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.

Bump the kernel rev up to 1.6V

RP/21088: Jesse Off: Return ENOBUFS instead of EINVAL when sbappend fails.

Add MBUFTRACE kernel option.
Do a little mbuf rework while here. Change all uses of MGET*(*, M_WAIT, *)
to m_get*(M_WAIT, *). These are not performance critical and making them
call m_get saves considerable space. Add m_clget analogue of MCLGET and
make corresponding change for M_WAIT uses.
Modify netinet, gem, fxp, tulip, nfs to support MBUFTRACE.
Begin to change netstat to use sysctl.

Fix a simple_lock() mismatch in unp_internalize().
We may need to merge the passes over the files contained in the message
as noted by enami tsugutomo on tech-smp.

Make updating a file's reference and use count MP-safe.

branches: 1.56.2;
no need for error check after MEXTMALLOC - jdolecek

MEXTMALLOC() can fail even if M_WAITOK, if arg is too big for malloc().

Use the queue macros from <sys/queue.h> instead of referring to the queue
members directly. Use *_FOREACH whenever possible.

add RCSIDs

branches: 1.52.2;
Deprecate the "m_act" alias of "m_nextpkt" (m_act is a historical
name), and just use m_nextpkt everywhere.

branches: 1.51.2;
Fix a partial construction problem that can cause race conditions
between creation of a file descriptor and close(2) when using kernel
assisted threads. What we do is stick descriptors in the table, but
mark them as "larval". This causes essentially everything to treat
it as a non-existent descriptor, except for fdalloc(), which sees a
filled slot so that it won't (incorrectly) allocate it again. When
a descriptor is fully constructed, the code that has constructed it
marks it as "mature" (which actually clears the "larval" flag), and
things continue to work as normal.

While here, gather all the code that gets a descriptor from the table
into a fd_getfile() function, and call it, rather than having the
same (sometimes incorrect) code copied all over the place.

Rework fdalloc() even further: split fdalloc() into fdalloc() and
fdexpand(). The former will return ENOSPC if there is not space
in the current filedesc table. The latter performs the expansion
of the filedesc table. This means that fdalloc() won't ever block,
and it gives callers an opportunity to clean up before the
potentially-blocking fdexpand() call.

Update all fdalloc() callers to deal with the need-to-fdexpand() case.

Rewrite unp_externalize() to use fdalloc() and fdexpand() in a
safe way, using an algorithm suggested by Bill Sommerfeld:
- Use a temporary array of integers to hold the new filedesc table
indexes. This allows us to repeat the loop if necessary.
- Loop through the array of file *'s, assigning them to filedesc table
slots. If fdalloc() indicates expansion is necessary, undo the
assignments we've done so far, expand, and retry the whole process.
- Once all file *'s have been assigned to slots, update the f_msgcount
and unp_rights counters.
- Right before we return, copy the temporary integer array to the message
buffer, and trim the length as before.
Note that once locking is added to the filedesc array, this entire
operation will be `atomic', in that the lock will be held while
file *'s are assigned to embryonic table slots, thus preventing anything
else from using them.

Change fdalloc() to return ERESTART if we had to reallocate the
descriptor array, which may have blocked. Change callers of
fdalloc() to restart whatever they\'re doing if this condition
happens. (XXX unp_externalize() needs some work, but that will
be tackled later.)

Change finishdup() to close the descriptor in the `new\' slot if
one exists, and change sys_dup2() accordingly.

Closes a race condition when using kernel-assisted user threads.

While here, garbage-collect UF_MAPPED -- it is not used anywhere.

branches: 1.48.2; 1.48.4;
Oops, missed a couple of places where CMSG_*() should be used. No
functional change in this case, but the code is now correct.

- Fix file descriptor passing AGAIN. This has apparently been broken
on LP64 systems (and probably the SPARC) since the __cmsg_alignbytes()
changes went in.
- Change file descriptor passing to use CMSG_DATA(), not (cm + 1). This
pretty much has to be done in order to make it work properly on LP64,
and considering that it's been broken this long...
- Use CMSG_SPACE() to determine the mbuf length needed for a given
control message, and CMSG_LEN() to stash in the cmsg_len member.

branches: 1.46.2;
Get rid of register declarations.

branches: 1.45.2;
Um, hi, let's initialize pointers before we use them.

Add "use counting" to file entries. When closing a file, and it's reference
count is 0, wait for use count to drain before finishing the close.

This is necessary in order for multiple processes to safely share file
descriptor tables.

Fix alignment problem in the garbage-collection code path.

Break cdir/rdir/cmask info out of struct filedesc, and put it in a new
substructure, `cwdinfo'. Implement optional sharing of this substructure.

This is required for clone(2).

revert previous. oops.

properly test the msgsz as "msgsz - len". from PR#7386

branches: 1.39.2;
Disallow descriptor-passing of descriptors which are open on
directories which aren't under the recipient's root.

Clean up of many error conditions involving descriptor passing, to
eliminate infinite loops, panics, premature garbage collection of
sockets, and descriptor leaks:
- Avoid letting unp_gc() see descriptors with a refcount of zero by
removing them from the socket's queue before releasing them.
- Avoid socket leak in PRU_ABORT (this will also gc descriptors queued
on a not-yet accepted socket when the accepting socket goes away).
- Put in block comment explaining how unp_gc() should work.
- Correctly manage unp_defer count so we don't get stuck in an infinite
loop with nothing to do.
- Don't tie MARK and DEFER bits so closely together.
- Mark descriptors queued on not-yet-accepted sockets as well.
- Don't call sorflush on non-socket, it doesn't work very well.
- Deal with discard of NULL file pointer.
- Hopefully cause GC to converge faster by only deferring sockets in
unp_mark().

In unp_internalize(), add a comment explaining why we must ALIGN() the
data after the cmsghdr when accessing internalized SCM_RIGHTS messages
(i.e. array of struct file *s). The historic interface does not align
the externalized SCM_RIGHTS messages (i.e. array of ints).

Fix a fencepost error in unp_scan() which caused a bad pointer deref on
the SPARC platform only (ILP32 but ALIGNBYTES of 7), due to a missing
ALIGN().

Abolition of bcopy, ovbcopy, bcmp, and bzero, phase one.
bcopy(x, y, z) -> memcpy(y, x, z)
ovbcopy(x, y, z) -> memmove(y, x, z)
bcmp(x, y, z) -> memcmp(x, y, z)
bzero(x, y) -> memset(x, 0, y)

fix sizeofs so they comply with the KNF style guide. yes, it is pedantic.

branches: 1.34.2;
use AF_LOCAL instead of AF_UNIX

Back out previous, I botched something.

For SOCK_STREAM, provide the socket credentials to the accepter as soon as
the client connects.

Merge with Lite2 + local changes

Implement passing credentials as ancillary data on Unix domain sockets,
enabled with the LOCAL_CREDS socket option on the listener. Semantics are
similar to BSD/OS's:
- Creds are available with first data on SOCK_STREAM, and with every datagram
on SOCK_DGRAM.
- It is not possible to forge credentials.

Different in that:
- Different credential data structure (ours does not rely on the format
of internal kernel data structures, and does not pass the login name).
- We can pass creds and file descriptors at the same time (this does not
work in BSD/OS).

Luke Mewburn <lukem@netbsd.org> gets credit for inspiring me to implement
this. :-)

Fix passing of multiple file descriptors (was broken when code was made
64-bit safe).

branches: 1.28.2;
PR/4280: Chris Jones: Sending more than one fd over AF_UNIX sockets causes
panic. Bug in the fd -> struct file * conversion...

Several small changes to eliminate kludginess in dealing with unix domain
socket names:
- In unp_setsockaddr() and unp_setpeeraddr(), if the socket name can't
fit into a single mbuf, allocate enough external storage space to
hold it.
- In unp_bind() and unp_connect(), perform a similar operation, but allocate
one extra byte, and ensure that the pathname is nul-terminated.
Many thanks to enami tsugutomo <enami@cv.sony.co.jp> for the sanity
checking.

Eliminate use of dtom() in the handing of UNIX domain sockets. Add an
"unp_addrlen" member to the unpcb, and use it when copying the socket
name. This eliminates that last uses of dtom() in the system.

When fstat(2)ing a file descriptor of a local communications domain socket,
fill the socket's creation time into the stat structure's st_[acm]time fields:
POSIX requires this behavior for pipe(2). N.B.: updating the st_[am]time fields
when reading/writing the pipe is neither required nor implemented, though.

Internalize and externalize file descriptors being passed via local domain
socket control messages correctly, without assuming that sizeof(int) ==
sizeof(pointer). Fixes PR#3183.

Oops. Add missing label.

We can only get a control mbuf for PRU_SEND or PRU_SENDOOB. Add diagnostic
code to panic in this case.

Make sure the control and data mbufs are freed in all cases.

Separate some code into separate functions.
Make unp_addr be a pointer to the sockaddr, not to the mbuf, as with raw
sockets.
Other minor cleanup.

Pass a proc pointer down to the usrreq and pcbbind functions for PRU_ATTACH, PRU_BIND and
PRU_CONTROL. The usrreq interface really needs to be split up, but this will have to wait.
Remove SS_PRIV completely.

branches: 1.18.4;
More proto fixes

unp_detach() return type botch.

First pass at prototyping

so_pcb should be a void *.

Allocate PCBs with malloc(), more mgetclr(). Be more careful to free the
PCB after it's done with.

Add missing argument to closef().

LEASE_CHECK -> VOP_LEASE

Convert process, file, and namei lists and hash tables to use queue.h.

New RCS ID's, take two. they're more aesthecially pleasant, and use 'NetBSD'

Update to 4.4-Lite fs code.

Fix panic when closing a file descriptor on which access rights have been sent
but not received.

Canonicalize all #includes.

Fix from Noriyuki Soda <soda@sra.co.jp>:
recvmsg(2) always returns -1 with errno==EMSGSIZE, when trying
to pass file descriptors through UNIX domain socket.

branches: 1.5.4;
ANSIfications - removed all implicit function return types and argument
definitions. Ensured that all files include "systm.h" to gain access to
general prototypes. Casts where necessary.

Yuval Yarom's 'panic:closef: count < 0' fix to unp_discard().

add include of select.h if necessary for protos, or delete if extraneous

make kernel select interface be one-stop shopping & clean it all up.

branches: 1.1.1;
Initial revision

unix(4): Convert membar_exit to membar_release.

Use atomic_load_consume or atomic_load_relaxed where necessary.

Comment on why unlocked nonatomic access is valid where it is done.

introduce a SOL_LOCAL for unix-domain socket level socket options
as an alias of the current 0 used for these options, as in FreeBSD.

reviewed by many.

PR/55777: Ruslan Nikolaev: Move the unp_sysctl_create to uipc_usrreq.c to
facilitate splitting rump modules and does not require a dummy function.

branches: 1.199.2;
add socket info for user and group for unix sockets in fstat.

Revert the changes made in February to make cwdinfo use mostly lockless,
which relied on taking extra vnode refs.

Having benchmarked various experimental changes over the past few months it
seems that it's better to avoid vnode refs as much as possible. cwdi_lock
as a RW lock already did that to some extent for getcwd() and will permit
the same for namei() too.

branches: 1.197.4;
Merge from ad-namecache:

- Have a stab at clustering the members of vnode_t and vnode_impl_t in a
more cache-conscious way. With that done, go back to adjusting v_usecount
with atomics and keep vi_lock directly in vnode_impl_t (saves KVA).

- Allow VOP_LOCK(LK_NONE) for the benefit of VFS_VGET() and VFS_ROOT().
Make sure LK_UPGRADE always comes with LK_NOWAIT.

- Make cwdinfo use mostly lockless.

Load struct fdfile::ff_file with atomic_load_consume.

Exceptions: when we're only testing whether it's there, not about to
dereference it.

Note: We do not use atomic_store_release to set it because the
preceding mutex_exit should be enough.

(That said, it's not clear the mutex_enter/exit is needed unless
refcnt > 0 already, in which case maybe it would be a win to switch
from the membar implied by mutex_enter to the membar implied by
atomic_store_release -- which I would generally expect to be much
cheaper. And a little clearer without a long comment.)

Load struct filedesc::fd_dt with atomic_load_consume.

Exceptions: when fd_refcnt <= 1, or when holding fd_lock.

While here:

- Restore KASSERT(mutex_owned(&fdp->fd_lock)) in fd_unused.
=> This is used only in fd_close and fd_abort, where it holds.
- Move bounds check assertion in fd_putfile to where it matters.
- Store fd_dt with atomic_store_release.
- Move load of fd_dt under lock in knote_fdclose.
- Omit membar_consumer in fdesc_readdir.
=> atomic_load_consume serves the same purpose now.
=> Was needed only on alpha anyway.

branches: 1.194.2; 1.194.4;
Fix info leak: the padding after the header causes uninitialized heap
memory to be copied to userland in sys_recvmsg().

Fix typo in comment (s/seperate/separate/).

Rename the MODULE_*_HOOK() macros to MODULE_HOOK_*() as briefly
discussed on irc.

NFCI intended.

Ride the earlier kernel bump - it;s getting crowded.

compat70_ocreds_valid is not a pointer to a boolean, it is the boolean
itself which controls whether or not we recognize the OCRED options.

Should fix the panic identified in PR kern/53991 (awaiting confirmation
from submitter).

add or adjust fallthru comments.

Normalize all the compat hooks' names to the form

<subsystem>_<function>_<version>_hook

NFCI

XXX Note that although this introduces a change in the kernel-to-
XXX module interface, we are NOT bumping the kernel version number.
XXX We will bump the version number once the interface stabilizes.

Merge the [pgoyette-compat] branch

Don't call soroverflow when we return the error to the sender.

Thanks to thorpej@ for a sanity check.

branches: 1.186.2;
Increase the default size of some receive buffers from 8k to 16k.
This mitigates recent reports of socket overflow errors
and fixes PR bin/53247.

bump PIPSIZ from 4 to 8K like FreeBSD and provide the same sysctls

socket: report receive buffer overflows

Add soroverflow() which increments the overflow counter, sets so_error
to ENOBUFS and wakes the receive socket up.
Replace all code that manually increments this counter with soroverflow().
Add soroverflow() to raw_input().

This allows userland to detect route(4) overflows so it can re-sync
with the current state.

branches: 1.183.2;
fix LOCAL_PEEREID to not return the same info for both sides...
XXX: pullup-{7,8}

include opt_compat_netbsd.h, so that eg COMPAT_70 will be set.

branches: 1.181.8;
Memory leak, found by Mootja. It is easily triggerable from userland.

branches: 1.180.2;
Add sc_pid to sockcred so that SOCK_DGRAM and LOCAL_CREDS socket option
can learn the process id of the AF_LOCAL sender.
Add compat glue for old structure.

make connect syscall use sockaddr_big and modify pr_{send,connect}
nam parameter type from buf * to sockaddr *.

final commit for parameter type changes to protocol user requests

* bump kernel version to 7.99.15 for parameter type changes to pr_{send,connect}

remove pr_generic from struct pr_usrreqs and all implementations of
pr_generic in protocols.

bump to 7.99.13

approved by rmind@

make accept, getsockname and getpeername syscalls use sockaddr_big and modify
pr_{accept,sockname,peername} nam parameter type from mbuf * to sockaddr *.

* retained use of mbuftypes[MT_SONAME] for now.
* bump to netbsd version 7.99.12 for parameter type change.

patch posted to tech-net@ 2015/04/19

* change pr_bind to accept struct sockaddr * instead of struct mbuf *
* update protocol bind implementations to use/expect sockaddr *
instead of mbuf *
* introduce sockaddr_big struct for storage of addr data passed via
sys_bind; sockaddr_big is of sufficient size and alignment to
accommodate all addr data sizes received.
* modify sys_bind to allocate sockaddr_big instead of using an mbuf.
* bump kernel version to 7.99.9 for change to pr_bind() parameter type.

Patch posted to tech-net@
http://mail-index.netbsd.org/tech-net/2015/03/15/msg005004.html

The choice to use a new structure sockaddr_big has been retained since
changing sockaddr_storage size would lead to unnecessary ABI change. The
use of the new structure does not preclude future work that increases
the size of sockaddr_storage and at that time sockaddr_big may be
trivially replaced.

Tested by mrg@ and myself, discussed with rmind@, posted to tech-net@

PR/39918: ITOH Yasufumi: Replace KASSERT with continue, since the file
descriptor can be closed since closef() does not pay attention to FDEFER.
XXX: Pullup-7

Place opening brace to function at column 0, like in the rest of the file.

Handle LOCAL_PEERID for socketpair() connected sockets which connect through
connect2().
1. move the code that sets the peerid structure into connect1(). This
handles so2. The datagram code calls connect2 twice with flipped
so arguments so both sockets get set.
2. in connect2 copy the peerid structure from so2 to so, so that that
both stream sockets get set.

branches: 1.172.2;
Make behavior of getsockname(2) (and maybe getpeername(2)) as the same as
NetBSD 6.1_STABLE and other operating system (OS X 10.9.5).

* sa_len of sockaddr_un strucrure is always set to sizeof(sun_path).
* pathname stored in sun_path is alwasys '\0' terminated (except length
of sun_path is sizeof(sun_path)?).

Should be fix PR kern/49247, runtime problem of lmtp service of dovecot2 on
NetBSD current and NetBSD 7.0_BETA.

Try not to use f_data, use f_{vnode,socket,pipe,mqueue,kqueue,ksem} to get
a correctly typed pointer.

Don't next structure and enum definitions.
Don't use C++ keywords new, try, class, private, etc.

branches: 1.169.2;
split PRU_CONNECT2 & PRU_PURGEIF function out of pr_generic() usrreq
switches and put into separate functions

- always KASSERT(solocked(so)) even if not implemented
(for PRU_CONNECT2 only)

- replace calls to pr_generic() with req = PRU_CONNECT2 with calls to
pr_connect2()

- replace calls to pr_generic() with req = PRU_PURGEIF with calls to
pr_purgeif()

put common code from unp_connect2() (used by unp_connect() into
unp_connect1() and call out to it when needed

patch only briefly reviewed by rmind@

split PRU_RCVD function out of pr_generic() usrreq switches and put into
separate functions

- always KASSERT(solocked(so)) even if not implemented

- replace calls to pr_generic() with req = PRU_RCVD with calls to
pr_rcvd()

actually use the passed in struct lwp *l instead of curlwp in unp_connect()

split PRU_SEND function out of pr_generic() usrreq switches and put into
separate functions

xxx_send(struct socket *, struct mbuf *, struct mbuf *,
struct mbuf *, struct lwp *)

- always KASSERT(solocked(so)) even if not implemented

- replace calls to pr_generic() with req = PRU_SEND with calls to
pr_send()

rename existing functions that operate on PCB for consistency (and to
free up their names for xxx_send() PRUs

- l2cap_send() -> l2cap_send_pcb()
- sco_send() -> sco_send_pcb()
- rfcomm_send() -> rfcomm_send_pcb()

patch reviewed by rmind

revert the removal of struct lwp * parameter from bind, listen and connect
user requests.

this should resolve the issue relating to nfs client hangs presented
recently by wiz on current-users@

* remove declarations of unp_bind, unp_discard, unp_disconnect1, unp_drop,
unp_shutdown1, unp_internalize and unp_output functions from sys/un.h
and instead declare them as static in uipc_usrreq.c with prototype
declarations as necessary.

* remove struct lwp * parameter from unp_output() while here and just
use curlwp instead.

as discussed with rmind

split PRU_DISCONNECT, PRU_SHUTDOWN and PRU_ABORT function out of
pr_generic() usrreq switches and put into separate functions

xxx_disconnect(struct socket *)
xxx_shutdown(struct socket *)
xxx_abort(struct socket *)

- always KASSERT(solocked(so)) even if not implemented
- replace calls to pr_generic() with req =
PRU_{DISCONNECT,SHUTDOWN,ABORT}
with calls to pr_{disconnect,shutdown,abort}() respectively

rename existing internal functions used to implement above functionality
to permit use of the names for xxx_{disconnect,shutdown,abort}().

- {l2cap,sco,rfcomm}_disconnect() ->
{l2cap,sco,rfcomm}_disconnect_pcb()
- {unp,rip,tcp}_disconnect() -> {unp,rip,tcp}_disconnect1()
- unp_shutdown() -> unp_shutdown1()

patch reviewed by rmind

split PRU_CONNECT function out of pr_generic() usrreq switches and put
into seaparate functions

xxx_listen(struct socket *, struct mbuf *)

- always KASSERT(solocked(so)) and KASSERT(nam != NULL)
- replace calls to pr_generic() with req = PRU_CONNECT with
pr_connect()
- rename existin {l2cap,sco,rfcomm}_connect() to
{l2cap,sco,rfcomm}_connect_pcb() respectively to permit
naming consistency with other protocols functions.
- drop struct lwp * parameter from unp_connect() and at_pcbconnect()
and use curlwp instead where appropriate.

patch reviewed by rmind

split PRU_BIND and PRU_LISTEN function out of pr_generic() usrreq
switches and put into separate functions
xxx_bind(struct socket *, struct mbuf *)
xxx_listen(struct socket *)

- always KASSERT(solocked(so)) even if not implemented

- replace calls to pr_generic() with req = PRU_BIND with call to
pr_bind()

- replace calls to pr_generic() with req = PRU_LISTEN with call to
pr_listen()

- drop struct lwp * parameter from at_pcbsetaddr(), in_pcbbind() and
unp_bind() and always use curlwp.

rename existing functions that operate on PCB for consistency (and to
free up their names for xxx_{bind,listen}() PRUs

- l2cap_{bind,listen}() -> l2cap_{bind,listen}_pcb()
- sco_{bind,listen}() -> sco_{bind,listen}_pcb()
- rfcomm_{bind,listen}() -> rfcomm_{bind,listen}_pcb()

patch reviewed by rmind

welcome to netbsd 6.99.48

split PRU_SENDOOB and PRU_RCVOOB function out of pr_generic() usrreq
switches and put into separate functions
xxx_sendoob(struct socket *, struct mbuf *, struct mbuf *)
xxx_recvoob(struct socket *, struct mbuf *, int)

- always KASSERT(solocked(so)) even if request is not implemented

- replace calls to pr_generic() with req = PRU_{SEND,RCV}OOB with
calls to pr_{send,recv}oob() respectively.

there is still some tweaking of m_freem(m) and m_freem(control) to come
for consistency. not performed with this commit for clarity.

reviewed by rmind

* split PRU_ACCEPT function out of pr_generic() usrreq switches and put
into a separate function xxx_accept(struct socket *, struct mbuf *)

note: future cleanup will take place to remove struct mbuf parameter
type and replace it with a more appropriate type.

patch reviewed by rmind

* split PRU_PEERADDR and PRU_SOCKADDR function out of pr_generic()
usrreq switches and put into separate functions
xxx_{peer,sock}addr(struct socket *, struct mbuf *).

- KASSERT(solocked(so)) always in new functions even if request
is not implemented

- KASSERT(pcb != NULL) and KASSERT(nam) if the request is
implemented and not for tcp.

* for tcp roll #ifdef KPROF and #ifdef DEBUG code from tcp_usrreq() into
easier to cut & paste functions tcp_debug_capture() and
tcp_debug_trace()

- functions provided by rmind
- remaining use of PRU_{PEER,SOCK}ADDR #define to be removed in a
future commit.

* rename netbt functions to permit consistency of pru function names
(as has been done with other requests already split out).

- l2cap_{peer,sock}addr() -> l2cap_{peer,sock}_addr_pcb()
- rfcomm_{peer,sock}addr() -> rfcomm_{peer,sock}_addr_pcb()
- sco_{peer,sock}addr() -> sco_{peer,sock}_addr_pcb()

* split/refactor do_sys_getsockname(lwp, fd, which, nam) into
two functions do_sys_get{peer,sock}name(fd, nam).

- move PRU_PEERADDR handling into do_sys_getpeername() from
do_sys_getsockname()
- have svr4_stream directly call do_sys_get{sock,peer}name()
respectively instead of providing `which' & fix a DPRINTF string
that incorrectly wrote "getpeername" when it meant "getsockname"
- fix sys_getpeername() and sys_getsockname() to call
do_sys_get{sock,peer}name() without `which' and `lwp' & adjust
comments
- bump kernel version for removal of lwp & which parameters from
do_sys_getsockname()

note: future cleanup to remove struct mbuf * abuse in
xxx_{peer,sock}name()
still to come, not done in this commit since it is easier to do post
split.

patch reviewed by rmind

welcome to 6.99.47

* sprinkle KASSERT(solocked(so)); in all pr_stat() functions.
* fix remaining inconsistent struct socket parameter names.

* split PRU_SENSE functionality out of xxx_usrreq() switches and place into
separate xxx_stat(struct socket *, struct stat *) functions.
* replace calls using pr_generic with req == PRU_SENSE with pr_stat().

further change will follow that cleans up the pattern used to extract the
pcb and test for its presence.

reviewed by rmind

fix parameter types in pr_ioctl, called xx_control() functions and remove
abuse of pointer to struct mbuf type.

param2 changed to u_long type and uses parameter name 'cmd' (ioctl command)
param3 changed to void * type and uses parameter name 'data'
param4 changed to struct ifnet * and uses parameter name 'ifp'
param5 has been removed (formerly struct lwp *) and uses of 'l' have been
replaced with curlwp from curproc(9).

callers have had (now unnecessary) casts to struct mbuf * removed, called
code has had (now unnecessary) casts to u_long, void * and struct ifnet *
respectively removed.

reviewed by rmind@

* split PRU_CONTROL functionality out of xxx_userreq() switches and place
into separate xxx_ioctl() functions.
* place KASSERT(req != PRU_CONTROL) inside xxx_userreq() as it is now
inappropriate for req = PRU_CONTROL in xxx_userreq().
* replace calls to pr_generic() with req = PRU_CONTROL with pr_ioctl().
* remove & fixup references to PRU_CONTROL xxx_userreq() function comments.
* fix various comments references for xxx_userreq() that mentioned
PRU_CONTROL as xxx_userreq() no longer handles the request.

a further change will follow to fix parameter and naming inconsistencies
retained from original code.

Reviewed by rmind@

Handle race where the server closed the socket between us 'connecting' and
sending data.

- Split off PRU_ATTACH and PRU_DETACH logic into separate functions.
- Replace malloc with kmem and eliminate M_PCB while here.
- Sprinkle more asserts.

Add struct pr_usrreqs with a pr_generic function and prepare for the
dismantling of pr_usrreq in the protocols; no functional change intended.
PRU_ATTACH/PRU_DETACH changes will follow soon.

Bump for struct protosw. Welcome to 6.99.62!

branches: 1.150.2;
Change vnode operations create, mknod, mkdir and symlink to return
the resulting vnode *vpp unlocked.

Discussed on tech-kern@

Welcome to 6.99.30

Change vnode operations create, mknod, mkdir and symlink to keep the
directory node dvp locked on return.

Discussed on tech-kern@

Welcome to 6.99.29

Vnode API cleanup pass 1.

- Make these defines and functions private to vfs_vnode.c:

VC_MASK, VC_LOCK, DOCLOSE, VI_IANCTREDO and VI_INACTNOW
vclean() and vrelel()

- Remove the long time unused lwp argument from vrecycle().

- Remove vtryget(), it is responsible for ugly hacks and doesn't
look that effective.

Presented on tech-kern.

Welcome to 6.99.25

Eliminat an unused variable and simplify the KASSERT which used to use it

Centralize the sockaddr_un allocation code. Set sun_len appropriately so
that the address length returned is correct, not always 106. Note that
we do things slightly differently than linux and explain why. Unit-tests
to come.

- Instead of having accept(2) return a zero-filled sockaddr for the case
where accept(2) was called on a unix socket that called connect(2) and
then close(2), before the connection was accepted, return the empty
sockaddr_un.
- Fix the length of the empty sockaddr_un socket so that it reflects reality.

Remove SS_ISCONFIRMING, it is unused and TP4 will not come back.

In unp_externalize, don't do anything if an SCM_RIGHTS control message
was sent with zero file descriptors in it. Otherwise, a zero-length
temporary storage would be allocated which triggers panic on DIAGNOSTIC
kernels (but is harmless for release kernels).
reviewed by Taylor R Campbell

branches: 1.142.2;
use sbcreatecontrol1() and m_add() instead of open-coding everything, and
getting it slightly wrong.

Fix some screw cases in cmsg file descriptor passing.

- Don't leave garbage in the control buffer if allocating file
descriptors fails in unp_externalize.

- Scrub the space between CMSG_LEN and CMSG_SPACE to avoid kernel
memory disclosure in unp_externalize.

- Don't read past cmsg_len when closing file descriptors that
couldn't get delivered, in free_rights.

ok christos

Avoid crash dereferencing a NULL fp in fd_affix() in unp_externalize
caused by the sequence of passing two fd's with two sendmsg()'s,
then doing a read() and a recvmsg(). The read() calls dom_dispose()
which discards both messages in the mbuf, and sets the fp's in the
array to NULL. Linux dequeues only one message per read() so the
second recvmsg() gets the fd from the second message. This fix
just avoids the NULL pointer de-reference, making the second
recvmsg() to fail. It is dubious to pass fd's with stream sockets
and expect mixing read() and recvmsg() to work. Plus processing
one control message per read() changes the current semantics and
should be examined before applied. In addition there is a race between
dom_externalize() and dom_dispose(): what happens in a multi-threaded
network stack when one thread disposes where the other externalizes
the same array?

NB: Pullup to 6.

branches: 1.139.2;
remove infinite loop on error, extra parens on return.

simplify unp_externalize(), some from gimpy, some from me.

Stopgap fix for PR kern/46463: disallow passing of kqueue descriptors
via SCM_RIGHT anxiliary socket messages.

branches: 1.136.2; 1.136.8;
* Arrange for interfaces that create new file descriptors to be able to
set close-on-exec on creation (http://udrepper.livejournal.com/20407.html).

- Add F_DUPFD_CLOEXEC to fcntl(2).
- Add MSG_CMSG_CLOEXEC to recvmsg(2) for unix file descriptor passing.
- Add dup3(2) syscall with a flags argument for O_CLOEXEC, O_NONBLOCK.
- Add pipe2(2) syscall with a flags argument for O_CLOEXEC, O_NONBLOCK.
- Add flags SOCK_CLOEXEC, SOCK_NONBLOCK to the socket type parameter
for socket(2) and socketpair(2).
- Add new paccept(2) syscall that takes an additional sigset_t to alter
the sigmask temporarily and a flags argument to set SOCK_CLOEXEC,
SOCK_NONBLOCK.
- Add new mode character 'e' to fopen(3) and popen(3) to open pipes
and file descriptors for close on exec.
- Add new kqueue1(2) syscall with a new flags argument to open the
kqueue file descriptor with O_CLOEXEC, O_NONBLOCK.

* Fix the system calls that take socklen_t arguments to actually do so.

* Don't include userland header files (signal.h) from system header files
(rump_syscallargs.h).

* Bump libc version for the new syscalls.

Welcome to 5.99.53! Merge rmind-uvmplock branch:

- Reorganize locking in UVM and provide extra serialisation for pmap(9).
New lock order: [vmpage-owner-lock] -> pmap-lock.

- Simplify locking in some pmap(9) modules by removing P->V locking.

- Use lock object on vmobjlock (and thus vnode_t::v_interlock) to share
the locks amongst UVM objects where necessary (tmpfs, layerfs, unionfs).

- Rewrite and optimise x86 TLB shootdown code, make it simpler and cleaner.
Add TLBSTATS option for x86 to collect statistics about TLB shootdowns.

- Unify /dev/mem et al in MI code and provide required locking (removes
kernel-lock on some ports). Also, avoid cache-aliasing issues.

Thanks to Andrew Doran and Joerg Sonnenberger, as their initial patches
formed the core changes of this branch.

branches: 1.134.2;
Add SOCK_SEQPACKET to PL_LOCAL sockets. Based on patch from Jesse Off,
submitted 8 years ago:
http://mail-index.netbsd.org/tech-kern/2003/04/14/0006.html

branches: 1.133.2;
Introduce struct pathbuf. This is an abstraction to hold a pathname
and the metadata required to interpret it. Callers of namei must now
create a pathbuf and pass it to NDINIT (instead of a string and a
uio_seg), then destroy the pathbuf after the namei session is
complete.

Update all namei call sites accordingly. Add a pathbuf(9) man page and
update namei(9).

The pathbuf interface also now appears in a couple of related
additional places that were passing string/uio_seg pairs that were
later fed into NDINIT. Update other call sites accordingly.

unp_connect: fix an assertion

unp_connect2: fix a comment.

Clean up vnode lock operations pass 2:

VOP_UNLOCK(vp, flags) -> VOP_UNLOCK(vp): Remove the unneeded flags argument.

Welcome to 5.99.32.

Discussed on tech-kern.

branches: 1.129.2;
Fix typo in comment.

branches: 1.128.2;
The VATTR_NULL/VREF/VHOLD/HOLDRELE() macros lost their will to live
years ago when the kernel was modified to not alter ABI based on
DIAGNOSTIC, and now just call the respective function interfaces
(in lowercase). Plenty of mix'n match upper/lowercase has creeped
into the tree since then. Nuke the macros and convert all callsites
to lowercase.

no functional change

In uipc_usrreq(PRU_ACCEPT), grab the unp_streamlock before unp_setpeerlocks().
This fixes a race where, for a short period of time, so->so_lock and
so2->so_lock are not sync. This makes solocked2() and solocked()
unreliable and cause DIAGNOSTIC kernel panics. This also fixes a possible
panic in unp_setaddr() which expects the socket locked.
Should fix kern/38968, fix proposed in
http://mail-index.netbsd.org/tech-kern/2009/08/17/msg005863.html

More changes to improve kern_descrip.c.

- Avoid atomics in more places.
- Remove the per-descriptor mutex, and just use filedesc_t::fd_lock.
It was only being used to synchronize close, and in any case we needed
to take fd_lock to free the descriptor slot.
- Optimize certain paths for the <NDFDFILE case.
- Sprinkle more comments and assertions.
- Cache more stuff in filedesc_t.
- Fix numerous minor bugs spotted along the way.
- Restructure how the open files array is maintained, for clarity and so
that we can eliminate the membar_consumer() call in fd_getfile(). This is
mostly syntactic sugar; the main functional change is that fd_nfiles now
lives alongside the open file array.

Some measurements with libmicro:

- simple file syscalls are like close() are between 1 to 10% faster.
- some nice improvements, e.g. poll(1000) which is ~50% faster.

tweak some assertions on so_head to make them more meaningful.

0 -> NULL

remove an unnecessary cast.

0 -> NULL where appropriate

completely rework the way that orphaned sockets that are being fdpassed
via SCM_RIGHTS messages are dealt with:

1. unp_gc: make this a kthread.

2. unp_detach: go not call unp_gc directly. instead, wake up unp_gc kthread.

3. unp_scan: do not close files here. instead, put them on a global list
for unp_gc to close, along with a per-file "deferred close count". if
file is already enqueued for close, just increment deferred close count.
this eliminates the recursive calls.

3. unp_gc: scan files on global deferred close list. close each file N
times, as specified by deferred close count in file. continue processing
list until it becomes empty (closing may cause additional files to be
queued for close).

4. unp_gc: add additional bit to mark files we are scanning. set during
initial scan of global file list that currently clears FMARK/FDEFER.
during later scans, never examine / garbage collect descriptors that
we have not marked during the earlier scan. do not proceed with this
initial scan until all deferred closes have been processed. be careful
with locking to ensure no races are introduced between deferred close
and file scan.

5. unp_gc: use dummy file_t to mark position in list when scanning. allow
us to drop filelist_lock. in turn allows us to eliminate kmem_alloc()
and safely close files, etc.

6. prohibit transfer of descriptors within SCM_RIGHTS messages if
(num_files_in_transit > maxfiles / unp_rights_ratio)

7. fd_allocfile: ensure recycled filse don't get scanned.


this is 97% work done by andrew doran, with a couple of minor bug fixes
and a lot of testing by yours truly.

branches: 1.120.2;
Don't try to fd_putfile() descriptors we didn't manage to fd_getfile().

Fixes local DoS panic described in kern/40570.

branches: 1.119.2; 1.119.4;
Move uidinfo to its own module in kern_uidinfo.c and include in rump.
No functional change to uidinfo.

Convert socket options code to use a sockopt structure
instead of laying everything into an mbuf.

approved by core

branches: 1.117.2;
Also enforce that cm->cmsg_len >= CMSG_ALIGN(sizeof cmsghdr), from
Michael van Elst

Don't require cm->cmsg_len == control->m_len, just that the cm->cmsg_len
<= control->m_len, like FreeBSD does. Idea from Taylor R Campbell.

There can be existing waiters on a socket's condition variables when we
change socket::so_lock, and they rely on the old lock to synchronize.
Wake them up whenever we change so_lock so they can restart their waits.

branches: 1.114.2; 1.114.4;
Remove clause 3 and 4 from TNF licenses

branches: 1.113.2;
Add a comment.

Merge the socket locking patch:

- Socket layer becomes MP safe.
- Unix protocols become MP safe.
- Allows protocol processing interrupts to safely block on locks.
- Fixes a number of race conditions.

With much feedback from matt@ and plunky@.

When unp_internalize fails (due to the sanity check or an out-of-memory
condition), it leaves the control message with file descriptors. Calling
unp_dispose() will interpret the message as containing file pointers
and crash the system.
This change removes unp_dispose() from this failure path and avoids
using goto to jump into switch statements...
The previous workaround to ignore such messages in unp_scan() is removed.

If cm->cmsg_len is not valid for unp_internalize do not use it to work out
where the data is in unp_scan.

Fixes PR/38391

branches: 1.109.2;
Prevent overlapping calls to bind() and/or connect() on a Unix socket.

merge yamt-lazymbuf branch.

unp_gc: unlock filelist_lock in a case of restart.

Catch up with descriptor handling changes. See kern_descrip.c revision
1.173 for details.

branches: 1.105.6;
Remove VOP_LEASE. Discussed on tech-kern.

Use FILE_LOCK() and FILE_UNLOCK()

branches: 1.103.4;
Remove cn_lwp from struct componentname. curlwp should be used
from on. The NDINIT() macro no longer takes the lwp parameter and
associates the credentials of the calling thread with the namei
structure.

branches: 1.102.2;
Remove the "struct lwp *" argument from all VFS and VOP interfaces.
The general trend is to remove it from all kernel interfaces and
this is a start. In case the calling lwp is desired, curlwp should
be used.

quick consensus on tech-kern

branches: 1.101.4;
Merge file descriptor locking, cwdi locking and cross-call changes
from the vmlocking branch.

branches: 1.100.2;
Make uipc_ctloutput() return ENOPROTOOPT instead of EINVAL when it
is passed a handle socket-option level that it does not care about.

branches: 1.99.2;
Add a new socket option for unix domain sockets: LOCAL_PEEREID, to make
it possible to get the pid, euid and egid of the process at the remote
end at the time it did bind() or connect().

Add a new libc function, getpeereid() to easily get at the euid and egid.
As a consequence, bump libc's minor number.

Document the LOCAL_PEEREID socket option in unix(4).

Based on contribution by Arne H. Juul, minor modifications by myself.

branches: 1.98.2;
PR kern/32842:
do not leak file descriptors when sending a datagram with SCM_RIGHTS
fails. Patch from Gary Thorpe, based on changes in FreeBSD and work
from Christian Biere.

branches: 1.97.2; 1.97.6;
Change the way that emulations locate files within the emulation root to
avoid having to allocate space in the 'stackgap'
- which is very LWP unfriendly.
The additional code for non-emulation namei() is trivial, the reduction for
the emulations is massive.
The vnode for a processes emulation root is saved in the cwdi structure
during process exec.
If the emulation root the TRYEMULROOT flag are set, namei() will do an initial
search for absolute pathnames in the emulation root, if that fails it will
retry from the normal root.
".." at the emulation root will always go to the real root, even in the middle
of paths and when expanding symlinks.
Absolute symlinks found using absolute paths in the emulation root will be
relative to the emulation root (so /usr/lib/xxx.so -> /lib/xxx.so links
inside the emulation root don't need changing).
If the root of the emulation would be returned (for an emulation lookup), then
the real root is returned instead (matching the behaviour of emul_lookup,
but being a cheap comparison here) so that programs that scan "../.."
looking for the root dircetory don't loop forever.
The target for symbolic links is no longer mangled (it used to get the
CHECK_ALT_xxx() treatment, so could get /emul/xxx prepended).
CHECK_ALT_xxx() are no more. Most of the change is deleting them, and adding
TRYEMULROOT to the flags to NDINIT().
A lot of the emulation system call stubs could now be deleted.

Remove calls to now obsolete vn_start_write() and vn_finished_write().

branches: 1.95.2; 1.95.4;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.94.2; 1.94.4; 1.94.8;
Pointing one element past an array is fine, pointing before it isn't.

branches: 1.93.2; 1.93.4;
use c99 initializers

Use the LWP cached credentials where sane.

integrate kauth.

Coverity CID 1089: Add more KASSERTs to prevent NULL deref.

Coverity CID 1088: Add KASSERT to prevent NULL pointer deref.

Add a KASSERT to document a condition for the PRU_ABORT case.

branches: 1.87.2; 1.87.4; 1.87.6;
PR/32856: Christian Biere: Don't panic if you send a control message with
SCM_RIGHTS on an unconnected stream socket.

branches: 1.86.2; 1.86.4; 1.86.6;
merge ktrace-lwp.

Call nanotime() directly, instead of doing the
microtime()/TIMEVAL_TO_TIMESPEC() dance.

Honor the user's umask while creating local sockets. Several other systems
do already this (such as FreeBSD, OpenBSD and Linux), so it will improve
portability of some third-party programs. No objections in tech-kern@.

branches: 1.83.2;
uipc_usrreq: plug mbuf leak.

- add const.
- remove unnecessary casts.
- add __UNCONST casts and mark them with XXXUNCONST as necessary.

PR/30154: YAMAMOTO Takashi: tcp_close locking botch
chgsbsize() as mentioned in the PR can be called from an interrupt context
via tcp_close(). Avoid calling uid_find() in chgsbsize().
- Instead of storing so_uid in struct socketvar, store *so_uidinfo
- Add a simple lock to struct uidinfo.

branches: 1.80.2;
nuke trailing whitespace

branches: 1.79.4; 1.79.6;
add a per-socket counter for dropped UDP packets when the internal buffers
are full.

Eliminate several uses of `curproc' from the socket-layer code and from NFS.

Add a new explicit `struct proc *p' argument to socreate(), sosend().
Use that argument instead of curproc. Follow-on changes to pass that
argument to socreate(), sosend(), and (*so->so_send)() calls.
These changes reviewed and independently recoded by Matt Thomas.

Changes to soreceive() and (*dom->dom_exernalize() from Matt Thomas:
pass soreceive()'s struct uio* uio->uio_procp to unp_externalize().
Eliminate curproc from unp_externalize. Also, now soreceive() uses
its uio->uio_procp value, pass that same value downward to
((pr->pru_usrreq)() calls for consistency, instead of (struct proc * )0.

Similar changes in sys/nfs to eliminate (most) uses of curproc,
either via the req-> r_procp field of a struct nfsreq *req argument,
or by passing down new explicit struct proc * arguments.

Reviewed by: Matt Thomas, posted to tech-kern.
NB: The (*pr->pru_usrreq)() change should be tested on more (all!) protocols.

Constify sun_noname.

ANSI'fy.

PR/9347: Eric E. Fair: socket buffer pool exhaustion leads to system deadlock
and unkillable processes.
1. Introduce new SBSIZE resource limit from FreeBSD to limit socket buffer
size resource.
2. make sokvareserve interruptible, so processes ltsleeping on it can be
killed.

branches: 1.74.2; 1.74.4;
Nuke __P().

Avoid using m_clget() on a mbuf already in use, especially when we
need the data in the mbuf later and m_clget() changes some fields
overlaid to regular mbuf data. Instead, rearange code a bit, create
data into a new allocated buffer and and use MEXTADD to attach it to
the mbuf, if the mbuf internal space is not sufficient.

This fixes a crash on sparc64 (and probably all other archs where
sizeof(int) != sizeof(struct file *)) when running
regress/sys/kern/unfdpass.

Idea for solution from Matt Thomas, with additional input from YAMAMOTO
Takashi.

Restore a change that made AF_LOCAL sockets block on connect(2) until
accepted. However, this time this behavor is not the default. Instead
it must enabled by using the LOCAL_CONNWAIT socket option on either the
connecting or accepting socket.

Revert a change that altered the semantics of AF_LOCAL sockets. Sadly
this made us API incompatible with other Unixes.

Add the gating of system calls that cause modifications to the underlying
file system.
The function vfs_write_suspend stops all new write operations to a file
system, allows any file system modifying system calls already in progress
to complete, then sync's the file system to disk and returns. The
function vfs_write_resume allows the suspended write operations to
complete.

From FreeBSD with slight modifications.

Approved by: Frank van der Linden <fvdl@netbsd.org>

Fix typo.

Change the behavor of AF_LOCAL connect() to sleep until the server has
accepted the connection. This can prevent a client from overwhelming a
server.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22364, verified by myself.

back rev 1.63 (the linux hack) off - no compat specific code
in generic code, please

we need to massage the passed linux cmsg anyway, linux uses different
alignment for CMSG_DATA on at least some architectures

backout previous, there was a comment on LINUX_SOL_SOCKET=1

#define LINUX_SOL_SOCKET 1, so that we can answer "what the hell is this 1?"
at ease.

From Todd Vierling: Accept level == 1 for linux compat.

branches: 1.62.2;
Back out the lwp/ktrace changes. They contained a lot of colateral damage,
and need to be examined and discussed more.

Pass lwp pointers throughtout the kernel, as required, so that the lwpid can
be inserted into ktrace records. The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.

Bump the kernel rev up to 1.6V

RP/21088: Jesse Off: Return ENOBUFS instead of EINVAL when sbappend fails.

Add MBUFTRACE kernel option.
Do a little mbuf rework while here. Change all uses of MGET*(*, M_WAIT, *)
to m_get*(M_WAIT, *). These are not performance critical and making them
call m_get saves considerable space. Add m_clget analogue of MCLGET and
make corresponding change for M_WAIT uses.
Modify netinet, gem, fxp, tulip, nfs to support MBUFTRACE.
Begin to change netstat to use sysctl.

Fix a simple_lock() mismatch in unp_internalize().
We may need to merge the passes over the files contained in the message
as noted by enami tsugutomo on tech-smp.

Make updating a file's reference and use count MP-safe.

branches: 1.56.2;
no need for error check after MEXTMALLOC - jdolecek

MEXTMALLOC() can fail even if M_WAITOK, if arg is too big for malloc().

Use the queue macros from <sys/queue.h> instead of referring to the queue
members directly. Use *_FOREACH whenever possible.

add RCSIDs

branches: 1.52.2;
Deprecate the "m_act" alias of "m_nextpkt" (m_act is a historical
name), and just use m_nextpkt everywhere.

branches: 1.51.2;
Fix a partial construction problem that can cause race conditions
between creation of a file descriptor and close(2) when using kernel
assisted threads. What we do is stick descriptors in the table, but
mark them as "larval". This causes essentially everything to treat
it as a non-existent descriptor, except for fdalloc(), which sees a
filled slot so that it won't (incorrectly) allocate it again. When
a descriptor is fully constructed, the code that has constructed it
marks it as "mature" (which actually clears the "larval" flag), and
things continue to work as normal.

While here, gather all the code that gets a descriptor from the table
into a fd_getfile() function, and call it, rather than having the
same (sometimes incorrect) code copied all over the place.

Rework fdalloc() even further: split fdalloc() into fdalloc() and
fdexpand(). The former will return ENOSPC if there is not space
in the current filedesc table. The latter performs the expansion
of the filedesc table. This means that fdalloc() won't ever block,
and it gives callers an opportunity to clean up before the
potentially-blocking fdexpand() call.

Update all fdalloc() callers to deal with the need-to-fdexpand() case.

Rewrite unp_externalize() to use fdalloc() and fdexpand() in a
safe way, using an algorithm suggested by Bill Sommerfeld:
- Use a temporary array of integers to hold the new filedesc table
indexes. This allows us to repeat the loop if necessary.
- Loop through the array of file *'s, assigning them to filedesc table
slots. If fdalloc() indicates expansion is necessary, undo the
assignments we've done so far, expand, and retry the whole process.
- Once all file *'s have been assigned to slots, update the f_msgcount
and unp_rights counters.
- Right before we return, copy the temporary integer array to the message
buffer, and trim the length as before.
Note that once locking is added to the filedesc array, this entire
operation will be `atomic', in that the lock will be held while
file *'s are assigned to embryonic table slots, thus preventing anything
else from using them.

Change fdalloc() to return ERESTART if we had to reallocate the
descriptor array, which may have blocked. Change callers of
fdalloc() to restart whatever they\'re doing if this condition
happens. (XXX unp_externalize() needs some work, but that will
be tackled later.)

Change finishdup() to close the descriptor in the `new\' slot if
one exists, and change sys_dup2() accordingly.

Closes a race condition when using kernel-assisted user threads.

While here, garbage-collect UF_MAPPED -- it is not used anywhere.

branches: 1.48.2; 1.48.4;
Oops, missed a couple of places where CMSG_*() should be used. No
functional change in this case, but the code is now correct.

- Fix file descriptor passing AGAIN. This has apparently been broken
on LP64 systems (and probably the SPARC) since the __cmsg_alignbytes()
changes went in.
- Change file descriptor passing to use CMSG_DATA(), not (cm + 1). This
pretty much has to be done in order to make it work properly on LP64,
and considering that it's been broken this long...
- Use CMSG_SPACE() to determine the mbuf length needed for a given
control message, and CMSG_LEN() to stash in the cmsg_len member.

branches: 1.46.2;
Get rid of register declarations.

branches: 1.45.2;
Um, hi, let's initialize pointers before we use them.

Add "use counting" to file entries. When closing a file, and it's reference
count is 0, wait for use count to drain before finishing the close.

This is necessary in order for multiple processes to safely share file
descriptor tables.

Fix alignment problem in the garbage-collection code path.

Break cdir/rdir/cmask info out of struct filedesc, and put it in a new
substructure, `cwdinfo'. Implement optional sharing of this substructure.

This is required for clone(2).

revert previous. oops.

properly test the msgsz as "msgsz - len". from PR#7386

branches: 1.39.2;
Disallow descriptor-passing of descriptors which are open on
directories which aren't under the recipient's root.

Clean up of many error conditions involving descriptor passing, to
eliminate infinite loops, panics, premature garbage collection of
sockets, and descriptor leaks:
- Avoid letting unp_gc() see descriptors with a refcount of zero by
removing them from the socket's queue before releasing them.
- Avoid socket leak in PRU_ABORT (this will also gc descriptors queued
on a not-yet accepted socket when the accepting socket goes away).
- Put in block comment explaining how unp_gc() should work.
- Correctly manage unp_defer count so we don't get stuck in an infinite
loop with nothing to do.
- Don't tie MARK and DEFER bits so closely together.
- Mark descriptors queued on not-yet-accepted sockets as well.
- Don't call sorflush on non-socket, it doesn't work very well.
- Deal with discard of NULL file pointer.
- Hopefully cause GC to converge faster by only deferring sockets in
unp_mark().

In unp_internalize(), add a comment explaining why we must ALIGN() the
data after the cmsghdr when accessing internalized SCM_RIGHTS messages
(i.e. array of struct file *s). The historic interface does not align
the externalized SCM_RIGHTS messages (i.e. array of ints).

Fix a fencepost error in unp_scan() which caused a bad pointer deref on
the SPARC platform only (ILP32 but ALIGNBYTES of 7), due to a missing
ALIGN().

Abolition of bcopy, ovbcopy, bcmp, and bzero, phase one.
bcopy(x, y, z) -> memcpy(y, x, z)
ovbcopy(x, y, z) -> memmove(y, x, z)
bcmp(x, y, z) -> memcmp(x, y, z)
bzero(x, y) -> memset(x, 0, y)

fix sizeofs so they comply with the KNF style guide. yes, it is pedantic.

branches: 1.34.2;
use AF_LOCAL instead of AF_UNIX

Back out previous, I botched something.