summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/mm
AgeCommit message (Collapse)Author
2021-07-13Merge release-20210705.0-15-g520795aaa (automated)gVisor bot
2021-07-12Merge release-20210705.0-11-ge3fdd1593 (automated)gVisor bot
2021-07-12[syserror] Update syserror to linuxerr for more errors.Zach Koopmans
Update the following from syserror to the linuxerr equivalent: EEXIST EFAULT ENOTDIR ENOTTY EOPNOTSUPP ERANGE ESRCH PiperOrigin-RevId: 384329869
2021-07-01Merge release-20210628.0-19-g16b751b6c (automated)gVisor bot
2021-07-01Mix checklocks and atomic analyzers.Adin Scannell
This change makes the checklocks analyzer considerable more powerful, adding: * The ability to traverse complex structures, e.g. to have multiple nested fields as part of the annotation. * The ability to resolve simple anonymous functions and closures, and perform lock analysis across these invocations. This does not apply to closures that are passed elsewhere, since it is not possible to know the context in which they might be invoked. * The ability to annotate return values in addition to receivers and other parameters, with the same complex structures noted above. * Ignoring locking semantics for "fresh" objects, i.e. objects that are allocated in the local frame (typically a new-style function). * Sanity checking of locking state across block transitions and returns, to ensure that no unexpected locks are held. Note that initially, most of these findings are excluded by a comprehensive nogo.yaml. The findings that are included are fundamental lock violations. The changes here should be relatively low risk, minor refactorings to either include necessary annotations to simplify the code structure (in general removing closures in favor of methods) so that the analyzer can be easily track the lock state. This change additional includes two changes to nogo itself: * Sanity checking of all types to ensure that the binary and ast-derived types have a consistent objectpath, to prevent the bug above from occurring silently (and causing much confusion). This also requires a trick in order to ensure that serialized facts are consumable downstream. This can be removed with https://go-review.googlesource.com/c/tools/+/331789 merged. * A minor refactoring to isolation the objdump settings in its own package. This was originally used to implement the sanity check above, but this information is now being passed another way. The minor refactor is preserved however, since it cleans up the code slightly and is minimal risk. PiperOrigin-RevId: 382613300
2021-07-01Merge release-20210628.0-16-g590b8d3e9 (automated)gVisor bot
2021-07-01[syserror] Update several syserror errors to linuxerr equivalents.Zach Koopmans
Update/remove most syserror errors to linuxerr equivalents. For list of removed errors, see //pkg/syserror/syserror.go. PiperOrigin-RevId: 382574582
2021-06-30Merge release-20210628.0-14-g6ef268409 (automated)gVisor bot
2021-06-30[syserror] Update syserror to linuxerr for EACCES, EBADF, and EPERM.Zach Koopmans
Update all instances of the above errors to the faster linuxerr implementation. With the temporary linuxerr.Equals(), no logical changes are made. PiperOrigin-RevId: 382306655
2021-06-29Merge release-20210628.0-8-g54b71221c (automated)gVisor bot
2021-06-29[syserror] Change syserror to linuxerr for E2BIG, EADDRINUSE, and EINVALZach Koopmans
Remove three syserror entries duplicated in linuxerr. Because of the linuxerr.Equals method, this is a mere change of return values from syserror to linuxerr definitions. Done with only these three errnos as CLs removing all grow to a significantly large size. PiperOrigin-RevId: 382173835
2021-06-22Merge release-20210614.0-14-ge1dc1c78e (automated)gVisor bot
2021-06-22[syserror] Add conversions to linuxerr with temporary Equals method.Zach Koopmans
Add Equals method to compare syserror and unix.Errno errors to linuxerr errors. This will facilitate removal of syserror definitions in a followup, and finding needed conversions from unix.Errno to linuxerr. PiperOrigin-RevId: 380909667
2021-05-12Merge release-20210503.0-47-g07e32fa69 (automated)gVisor bot
2021-03-29Merge release-20210322.0-29-g8a2f7e716 (automated)gVisor bot
2021-03-29[syserror] Split usermem packageZach Koopmans
Split usermem package to help remove syserror dependency in go_marshal. New hostarch package contains code not dependent on syserror. PiperOrigin-RevId: 365651233
2021-03-23Merge release-20210315.0-15-gacb4c6288 (automated)gVisor bot
2021-01-25Merge release-20210112.0-84-g032d14a06 (automated)gVisor bot
2021-01-25Remove synchronous decommit for MADV_DONTNEED on private anonymous vmas.Jamie Liu
PiperOrigin-RevId: 353697719
2021-01-21Merge release-20210112.0-49-g9af6150b5 (automated)gVisor bot
2021-01-20Remove string allocation from strings.Repeat() in /proc/[pid]/maps.Jamie Liu
PiperOrigin-RevId: 352894106
2021-01-12Merge release-20201216.0-87-g4e03e8754 (automated)gVisor bot
2021-01-11Merge release-20201216.0-82-g4c4de6644 (automated)gVisor bot
2020-12-28Merge release-20201208.0-89-g3ff7324df (automated)gVisor bot
2020-12-15[syzkaller] Avoid AIOContext from resurrecting after being marked dead.Ayush Ranjan
syzkaller reported the closing of a nil channel. This is only possible when the AIOContext was destroyed twice. Some scenarios that could lead to this: - It died and then some called aioCtx.Prepare() on it and then killed it again which could cause the double destroy. The context could have been destroyed in between the call to LookupAIOContext() and Prepare(). - aioManager was destroyed but it did not update the contexts map. So Lookup could still return a dead AIOContext and then someone could call Prepare on it and kill it again. So added a check in aioCtx.Prepare() for the context being dead. This will prevent a dead context from resurrecting. Also refactored code to destroy the aioContext consistently. Earlier we were not munmapping the aioContexts that were destroyed upon aioManager destruction. Reported-by: syzbot+ef6a588d0ce6059991d2@syzkaller.appspotmail.com PiperOrigin-RevId: 347704347
2020-12-12Merge release-20201208.0-36-g1e92732eb (automated)gVisor bot
2020-12-11Merge release-20201208.0-31-g4cba3904f (automated)gVisor bot
2020-12-11Remove existing nogo exceptions.Adin Scannell
PiperOrigin-RevId: 347047550
2020-11-09Merge release-20201030.0-53-g0fb5353e4 (automated)gVisor bot
2020-11-09Initialize references with a value of 1.Dean Deng
This lets us avoid treating a value of 0 as one reference. All references using the refsvfs2 template must call InitRefs() before the reference is incremented/decremented, or else a panic will occur. Therefore, it should be pretty easy to identify missing InitRef calls during testing. Updates #1486. PiperOrigin-RevId: 341411151
2020-10-29Merge release-20201019.0-95-g3b4674ffe (automated)gVisor bot
2020-10-23Merge release-20201019.0-34-g9ca66ec59 (automated)gVisor bot
2020-10-23Rewrite reference leak checker without finalizers.Dean Deng
Our current reference leak checker uses finalizers to verify whether an object has reached zero references before it is garbage collected. There are multiple problems with this mechanism, so a rewrite is in order. With finalizers, there is no way to guarantee that a finalizer will run before the program exits. When an unreachable object with a finalizer is garbage collected, its finalizer will be added to a queue and run asynchronously. The best we can do is run garbage collection upon sandbox exit to make sure that all finalizers are enqueued. Furthermore, if there is a chain of finalized objects, e.g. A points to B points to C, garbage collection needs to run multiple times before all of the finalizers are enqueued. The first GC run will register the finalizer for A but not free it. It takes another GC run to free A, at which point B's finalizer can be registered. As a result, we need to run GC as many times as the length of the longest such chain to have a somewhat reliable leak checker. Finally, a cyclical chain of structs pointing to one another will never be garbage collected if a finalizer is set. This is a well-known issue with Go finalizers (https://github.com/golang/go/issues/7358). Using leak checking on filesystem objects that produce cycles will not work and even result in memory leaks. The new leak checker stores reference counted objects in a global map when leak check is enabled and removes them once they are destroyed. At sandbox exit, any remaining objects in the map are considered as leaked. This provides a deterministic way of detecting leaks without relying on the complexities of finalizers and garbage collection. This approach has several benefits over the former, including: - Always detects leaks of objects that should be destroyed very close to sandbox exit. The old checker very rarely detected these leaks, because it relied on garbage collection to be run in a short window of time. - Panics if we forgot to enable leak check on a ref-counted object (we will try to remove it from the map when it is destroyed, but it will never have been added). - Can store extra logging information in the map values without adding to the size of the ref count struct itself. With the size of just an int64, the ref count object remains compact, meaning frequent operations like IncRef/DecRef are more cache-efficient. - Can aggregate leak results in a single report after the sandbox exits. Instead of having warnings littered in the log, which were non-deterministically triggered by garbage collection, we can print all warning messages at once. Note that this could also be a limitation--the sandbox must exit properly for leaks to be detected. Some basic benchmarking indicates that this change does not significantly affect performance when leak checking is enabled, which is understandable since registering/unregistering is only done once for each filesystem object. Updates #1486. PiperOrigin-RevId: 338685972
2020-10-09Merge release-20200928.0-78-g743327817 (automated)gVisor bot
2020-10-08Merge release-20200928.0-72-g6bad4851d (automated)gVisor bot
2020-10-08Implement MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ.Jamie Liu
cf. 2a36ab717e8f "rseq/membarrier: Add MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ" PiperOrigin-RevId: 336186795
2020-10-08Merge release-20200928.0-66-ga55bd73d4 (automated)gVisor bot
2020-10-07Add staticcheck and staticstyle analyzers.Adin Scannell
This change also adds support to go_stateify for detecting an appropriate receiver name, avoiding a large number of false positives. PiperOrigin-RevId: 335994587
2020-10-06Merge release-20200928.0-55-g1336af78d (automated)gVisor bot
2020-10-06Implement membarrier(2) commands other than *_SYNC_CORE.Jamie Liu
Updates #267 PiperOrigin-RevId: 335713923
2020-09-23Merge release-20200914.0-137-g99decaadd (automated)gVisor bot
2020-09-23Merge release-20200914.0-136-gb54dbdfdc (automated)gVisor bot
2020-09-23Merge release-20200914.0-135-gc0f21bb19 (automated)gVisor bot
2020-09-22Merge release-20200914.0-134-gcf3cef117 (automated)gVisor bot
2020-09-22Merge release-20200914.0-133-g20dc83c9e (automated)gVisor bot
2020-09-22Merge release-20200914.0-132-g778c36717 (automated)gVisor bot
2020-09-22Merge release-20200914.0-130-g13a9a622e (automated)gVisor bot
2020-09-22Merge release-20200914.0-129-gf134f873f (automated)gVisor bot
2020-09-21Merge release-20200914.0-127-g059d90b9f (automated)gVisor bot
2020-09-21Merge release-20200914.0-125-g06dbd5b7b (automated)gVisor bot