Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 7 Nov 2005 15:30:39 +0800
From:      "nocool" <nocool@263.net>
To:        "Robert Watson" <rwatson@FreeBSD.org>
Cc:        freebsd-hackers <freebsd-hackers@freebsd.org>, freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: Why INVARIANTS option and sanity checking?
Message-ID:  <20051107072955.E585B1187@smtp.263.net>

next in thread | raw e-mail | index | archive | help
>The design for FreeBSD calls for all memory and other resources provided 
>to unprivileged processes to be scrubbed before being made available. 
>Only using privilege should a process be able to gain access to unscrubbed 
>resources through allocation.  For example:
>
>- When a process allocates a new file, it will be created as zero-length.
>   When extended using ftruncate(), any data read or pages mapped from the
>   file will be zero-filled.
>
>- When new memory is allocated to the process at time of exec(), using
>   brk(), or using anonymous mmap(), zero'd pages are provided to the
>   process (often optimized using copy-on-write).
>
I noticed the code for brk() and mmap() only set up the structure for addrees mapping, and the physical pages are allocated in vmfault(). I looked through the code of vmfault(), but I can't find the optimization of COW from zero's pages you mentioned. Can you give me some tips? Thanks.

>- When kernel data structures are returned to user space, they are zero'd.
>   This is necessary even when a structure is filled out explicitly, as the
>   padding in the structure introduced by the compiler must also be zero'd.
>   For example, with data structures returned by ioctl(), sysctl(), etc.
>
I can't grasp your meaning. You mean to zero the structure before kernel filling it and copyouting it to the user space, or to zero after filling? I scan ioctl() and find the codes:
{
       memp = malloc((u_long)size, M_IOCTLOPS, M_WAITOK);
		data = memp;
...
	if (com & IOC_OUT) {
		bzero(data, size);
	}
...
	error = fo_ioctl(fp, com, data, td->td_ucred, td);
	if (error == 0 && (com & IOC_OUT))
		error = copyout(data, uap->data, (u_int)size);
}

These codes is consistent to my first understanding. Did you mean the same.
But I really finds some codes not coincident with your answer, for example:
In msgsnd(), message segments from msgpool[] are organised to form the message buffer, and kernel copy the user message into these buffer. And in msgrcv() the message are copyout to user area according the length strod in message header. There are not cleaning for these message segments in both functions.
Can you give me some further explanation.
Have a good weekend. Thanks






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051107072955.E585B1187>