If a client decides to spontaneously send a DHCP DISCOVER again, even though
he has received a still valid IP config from the router, we don't want to
discard the DISCOVER like it was done before but discard the IP config
assignment and offer a new one.
Issue #2534
When this flag is set in the config tag, the NIC router will print a
short information to the log for each general state change of a domain.
This includes currently the IP-configuration state and the number of
connected NIC sessions. This a useful addition as the normal verbose
flag's purpose is a very deep insight into almost every activity in the
router, which is cool for debugging sophisticated problems but normally
floods the log and therefore discards this option for, e.g., desktop
systems. In such systems, the new verbosity is pretty discreet but
already gives a good hint on why packets may get dropped by the router
although the routing rules are correct.
Issue #2534
The run tool now by default checks configurations with target-specific
XML schemata. Each component may define a config schema file in its
target.mk via the CONFIG_XSD variable. When the run tool has checked an
configuration of an init instance, it additionally goes through the
start nodes of the config. For each start node it checks whether there
is an XSD file that matches. If so, the run tool also checks the config
of the start node (if existant). This is done recursively. I.e., also
the child configs of a sub-init of a sub-init of the top-level init
receive a config check.
Issue #2600
Channels, and therefore contexts, may be shared between children
causing corruption when a child is destroyed while another child still
uses the old context within the channel.
related to #2601
In the past, we had the lock of the context we found for the rest of the scope
of pending_signal. Now we use for_each_locked to find the context and the
lock is released as soon as we return from for_each_locked. Thus, we need to
lock the context again before returning it to avoid that the copy constructor
during the return reads values that are currently changing.
Fixes#2532
The missing dissolve of the dummy decorator input component resulted in
problems when using the themed_decorator when repeatedly opening and
closing windows. In contrast to the default decorator, the themed
decorator creates and destroys nitpicker sessions per window.
Added a new constructor that takes the entrypoint as constructor
argument. The original constructor retrieves the entrypoint from the
Genode environment. This does not allow to use a different entrypoint.
Replace former rtt_sec attribute of the <config> tag by more specific
(and still optional) attributes for timeouts used in the NIC router
(these are also the default values):
<config dhcp_discover_timeout_sec="10"
dhcp_request_timeout_sec="10"
dhcp_offer_timeout_sec="10"
udp_idle_timeout_sec="30"
tcp_idle_timeout_sec="600"
tcp_max_segm_lifetime_sec="30">
Details about the new attributes can be found in the README of the router.
Issue #2590
On x86 64 bit with SeL4, the test needs around 80MB that must be
completely composed of 4KB-pages due to current limitations of the SeL4
port. Thus, Core must flush the page table caches pretty often during
the test which is an expensive high-prior operation and makes it
impossible to provide a highly precise time.
Multi-wraps
-----------
Previously, on every new timeout, we programmed registers LR=timeout and
CMP=0. The counter than counted from LR down to 0, triggered the IRQ,
jumped back to LR, and counted down again. If one installed small
timeouts (< 1000 us), it was likely that the counter wrapped multiple
times before we were able to read it out. Initially, this was not a big
issue as the additional wraps were simply ignored and the amount of time
lost through this was not big. But when we want to do correct rate
limitation, multiple wraps cause an overflow in the additional
calculations, and this has a big effect on the resulting time value.
Thus, we now program the counter to start from ~0 and count down to 0.
We set CMP=~0-timeout so that the timer still triggers the IRQ at the right
time. The counter continues counting down after the IRQ has triggered until
we install a new timeout. We do not consider anymore that the counter wraps.
The maximum timeout is set to half the maximum counter value, so, we should
be able to install a new timeout before the counter wraps.
Rate limit for time updates
---------------------------
In the time span between two interrupts we have to remember how many ticks
we have already added to the time value. This is because at each call of
curr_time we can only see how many ticks have passed since the last call of
schedule_timeout and not since the last call of curr_time. But we want to
limit the rate of time updates in curr_time. With the member for ticks that
were already added since the last call to schedule_timeout we can then
calculate how many are yet to be added.
* integrate rump's contrib code into Genode's build system and build what is
required by Genode, only
* checkout needed NetBSD sources directly from CVS
fixes#2589
In case the video geometry (WxH) is larger than the current size of
the framebuffer, match its size and let libav do the scaling. This
enables the playback of 1080p movies on smaller screens.
Issue #2583.
This patch supplements the existing 'hover' report with the information
whether or not the user has recently moved the pointer. This works
analogously to how the 'focus' report features the information about
recent button/keyboard activity.
Together, the 'hover' and 'focus' reports may be combined to observe
prolonged user inactivity, e.g. to activate a lock screen.
This patch enables nitpicker to use an external focus policy instead of
the traditional builtin click-to-focus policy. The external focus policy
is obtained from a 'focus' ROM. The focus ROM is expected to have a
'label' attribute with the value set to the label of the to-be focused
client.
This patch revises the implementation of nitpicker in the following
respects:
- Split the implementation into smaller files,
- Consistently use the 'Nitpicker' namespace,
- Avoid the use of format strings,
- Retire old (and hackish) debug mode,
- Removal of unused timer connection,
- Merging 'Session' into 'Session_component',
- Merging 'Mode' into 'User_state',
- Adding the notions of 'View_owner' and 'Focus' as interfaces,
- Untangle 'User_state' and 'View_stack'
This patch adds a 'Color::print' method as counterpart to the 'ascii_to'
function. If the color is opaque (alpha is 255), its output has the form
"#rrggbb". If the color has a distinct alpha value, the output has the
form "#rrggbbaa". The new version of the 'ascii_to' overload for 'Color'
is able to deal with both forms.
This is a follup-up commit for "driver_manager: add fb_boot_drv
support". It refines the heuristics for selecting the most suitable
framebuffer driver be prevent boot_fb_drv from being preferred over
the VESA driver when running in Qemu.
The synchronization with the ACPI driver is not needed when starting
acpica at a later stage. It could already be disabled via the
'acpi_ready="yes"' config attribute. However, acpica still
unconditionally requests the so-called "Acpi" service, which is an
alias for the platform_drv's "Platform" service. This patch disables the
use of this alias when the 'acpi_ready' synchronization is disabled.
This patch supplements init's service-forwarding mechanism to propagate
the insufficient RAM/cap quota conditions from the server to the client.
Without it, the client's session request stays pending infinitely.
The debug version comes with an unwelcome libc dependency, which is
solely needed for the formatted output of error messages. Since the
distinction between the regular and the debug versions remained unused
in practice, this patch removes the debug version.
This is a follow-up patch to "init: periodic state updates if sensible".
In situations where the report rate is deliberately limited via the
'delay_ms' attribute while also reporting child-resource stats, we don't
want generate reports at a fixed rate of one second. This patch limits
the rate according to the 'delay_ms' value.
The input filter used to temporarily close all input sessions upon its
reconfiguration. In most cases, the same set of sessions is
re-established immediately afterwards. However, at the server (driver)
side, the closing of the session implicitly disables the input-event
queue. Hence events generated by the hardware while the session is
closed are dropped. This becomes a noticeable problem when using the
recently added <rom> modifier feature for handling capslock. The change
of the ROM always triggers the re-configuration of the input filter.
When pressing capslock and other keys at a high rate, press/release
events may get lost.
This patch solves this problem by maintaining all input sessions that
are defined in both the old and new configuration. It thereby removes
the short duration where the input event queues are temporarily disabled
at the drivers.
This makes '/' and the actual root of VFS distinguishable. A VFS root
may contain one ore more '/' entries for each file system. 'opendir' for
the VFS root opens all file systems via 'open_composite_dir', while
'opendir' for '/' only returns a VFS handle.
Fixes#2569
This patch adds a sanity check to the Event::type accessor. If the key
code of a given PRESS or RELEASE event is out of the valid range, it
reports an INVALID event. This way, client side code does not need to
deal with such edge cases. E.g., on Lenovo notebooks, the ps2 driver
reports strange key events when pressing shift-pageup/pagedown,
violating the general assumption that there is a release event for each
press event. By flagging these events as INVALID, the client-side logic
stays intact.
By now the file system gets mounted and unmounted on demand (whenever
the first clients comes along and whenever the last client leaves).
As a precaution we now also try to mount and unmounted the file system
in the init phase to prevent the first client from failing to its own
surprise.
Issue #2558.
Currently, LxIP peers need a lot of RAM (the simple test-client/server for the
nic_router test need at least 28 MB per component). As the nic_router test
previously used 6 instances of such components and a lot of other components,
it had issues with insufficient RAM on some platforms. By using two new
LwIP-based UDP tests instead, we save more than 100 MB.
Ref #2543
Check at the VFS server that the capability cost of sessions do not
exceed the session quota donation. Raise the default initial capability
donation for File_system connections.
Fix#2553
Instead of storing whether the first item in the timeout list was already
programmed using the timer service, just program the first timeout in the
list unconditionally. In the past we lost a timeout at least when using the
usb ethernet driver on hw/arndale sporadically.
Previously the destructors of classes derived from Source were not
called when destructing a Source because Source missed the declaration
of a virtual destructor. This caused at least problems when
reconstructing a Chargen_source with its Chargen_repeater that includes
a One_shot_timeout. In this case, the members of the Alarm behind the
timeout were not reset and the next time beeing used the Alarm appeared
to be still active which wasn't true.
Fixes#2570
Instead of changing the attributes (e.g., Xd bit) of the top-level page-tables,
set them to allow everything. Only leafs of the paging hierarchy are set
according to the paging attributes given by core. Otherwise, top-level page-
table attributes are changed during lifetime, which requires a TLB flush
operation (not intended in the semantic of the kernel/core).
This led to problems when using the non-executable features introduced by
issue #1723 in the recent past.
The dependency was added as a supposed work-around of a dysfunctional
fork when building bash as depot archive. However, it turned out that
the actual problem was related to the timestamps of 3rd-party source
file, which were discarded by the recipes/src/bash/content.mk.
A new configuration may implicitly change the domain color of the
currently focused session. We need to refresh the report to trigger an
update of the status bar.
This commit replaces the old xray_trigger component by a new component
called global_keys_handler. For details, please refer to the issue text
and the accompanied README file.
Fixes#2554
Without this patch, usb_drv would issue a resource request when
assigning a USB device to a VM in the sculpt scenario.
Furthermore, the patch adjusts the intel_fb quota to enable it on
devices where the driver allocates the framebuffer in many 4K pieces.
Linux does not do that in register_netdev() either. Some drivers set the
carrier flags on attach and never reenable it (as seen with rndis_host).
Consequently, the usbnet driver refuses to receive data as it checks the
carrier state before enqueuing new SKBs to its receive queue.
Apart from rndis_host, this change was tested with an ax88179_178a
device which worked as expected.
Whenever a childs is terminated the exit value is propagate through a
new state report. Thereby it becomes possibly for a managing component
to react upon the terminating condition of a child.
Issue #2558.
Until now the client called the Linux code directly through the EP
when sending ethernet frames and was not part of the driver's internal
task scheduling. This will lead to problems if the sending code needs
to grab a lock as those depend on running from within a Lx::Task.
Although this has only happend recently when using 8260 devices, this
is an issue that needs to be fix.
This commit addresses the issue by using a dedicated transmit task
in whose context the Linux code sends the ethernet frame or rather
newly allocated skb.
Fixes#2559.
As noted above the former enum for the local-attachment address we
discovered address clashes on current Linux installations, esp. 32-bit
runtime on 64-bit Linux. The local_attach_addr is now configurable in
the run script and the memory maps heuristics were removed.
Recent work related to issue 1723 showed that there is potential
to get rid of code duplication in MMU fault handling especially
with regard to ARM cpus.
If the attribute 'interface' is not set in a 'domain' tag, the router tries to
dynamically receive and maintain an IP configuration for that domain by using
DHCP in the client role at all interfaces that connect to the domain. In the
DHCP discover phase, the router simply chooses the first DHCP offer that
arrives. So, no comparison of different DHCP offers is done. In the DHCP
request phase, the server is expected to provide an IP address, a gateway, a
subnet mask, and an IP lease time to the router. If anything substantial goes
wrong during a DHCP exchange, the router discards the outcome of the exchange
and goes back to the DHCP discover phase. At any time where there is no valid
IP configuration present at a domain, the domain does only act as DHCP client
and all other router functionality is disabled for the domain. A domain cannot
act as DHCP client and DHCP server at once. So, a 'domain' tag must either
have an 'interface' attribute or must not contain a 'dhcp-server' tag.
Ref #2534
An IPv4 config (for a domain/interface of the router) consists of
an IPv4 address, a subnet prefix specifier, an optional gateway
IPv4 address, and some flags that declare whether these fields and
the config as a whole are valid. To make the handling of those
tightly connected values easier and less error prone, we encapsulate
them in a new class.
Ref #2534
Under certain circumstances we don't want inits state report to become too
outdated even if there is no change to its config or the sessions of its
children. This is the case if init is requested to provide a capability or RAM
info of it's children via its state report. Now, init automatically updates
the state report with each 1000 ms if the attribute 'child_caps' or
'child_ram' is positively set in the 'report' tag.
The tools.conf in base-fiasco/etc was obsolete and must therefore not
packaged.
This commit removes sporadic recipe hash changes due to missing or
existent etc/tools.conf.
Timing itself costs time. Thus, the stressfull timeout phase of the
test is not exactly as long as set but a little bit longer. This is why the
fast timeouts are able to trigger more often than they are expected to
(the timer has a static timeout-rate limit). Normally we consider this effect
through an error tolerance of 10%. But at least on foc x86_32 (PIT with very
low max timeout), timing is so expensive that 10% is not enough. We have to
raise it to 11%.
This patch propages the 'Service_denied' condition of forwarded sessions
to the parent. Without it, the invalid session request stays pending
infinitely, which leads to the problem described in issue #2542. It
turns out that suggested solution given in the issue text is actually
not needed when applying this fix.
Fixes#2542
The ROM filter did not handle the situation where the generated content
exceeds the size of the initially allocated dataspace for the target
buffer. This patch wraps the XML generation in a retry loop that
expands the buffer as needed.
This patch makes the specification of screen coordinates more flexible.
First, the 'origin' attribute allows one to refer to either of the four
screen corners without knowing the screen size. Second, the 'width'
and 'height' values now accept negative values, which are relative to
the screen size.
The 'File_system::Connection' already performs an on-demand session
upgrade should the server report an 'Out_of_caps' or 'Out_of_ram'
condition. So file-system clients are normally relieved from handling
those exceptions. However, the upgrade was limited to two attempts per
operation (which amounts to 16 KiB). When using the Rump VFS plugin in
the VFS server, this amount does not always suffice. So the exception is
reflected to the client. I observed this problem as a message "unhandled
error" printed by fs_rom. This patch removes the upgrade limit such that
a greedy file-system server becomes iteratively upgraded until it stops
arguing or the client's RAM is exhausted.
* Instead of always re-load page-tables when a thread context is switched
only do this when another user PD's thread is the next target,
core-threads are always executed within the last PD's page-table set
* remove the concept of the mode transition
* instead map the exception vector once in bootstrap code into kernel's
memory segment
* when a new page directory is constructed for a user PD, copy over the
top-level kernel segment entries on RISCV and X86, on ARM we use a designated
page directory register for the kernel segment
* transfer the current CPU id from bootstrap to core/kernel in a register
to ease first stack address calculation
* align cpu context member of threads and vms, because of x86 constraints
regarding the stack-pointer loading
* introduce Align_at template for members with alignment constraints
* let the x86 hardware do part of the context saving in ISS, by passing
the thread context into the TSS before leaving to user-land
* use one exception vector for all ARM platforms including Arm_v6
Fix#2091
* introduce new syscall (core-only) to create privileged threads
* take the privilege level of the thread into account
when doing a context switch
* map kernel segment as accessable for privileged code only
Ref #2091
Always switch to the "exception stack" instead of having a hardware initiated
stack switch during exceptions/interrupts when the privilege level changes only.
Moreover, this commit increases the exception stack slightly.
Ref #2091
* introduces central memory map for core/kernel
* on 32-bit platforms the kernel/core starts at 0x80000000
* on 64-bit platforms the kernel/core starts at 0xffffffc000000000
* mark kernel/core mappings as global ones (tagged TLB)
* move the exception vector to begin of core's binary,
thereby bootstrap knows from where to map it appropriately
* do not map boot modules into core anymore
* constrain core's virtual heap memory area
* differentiate in between user's and core's main thread's UTCB,
which now resides inside the kernel segment
Ref #2091
This was an error output-line for each affected packet previously but it
is pretty normal for the router to receive packets whose network layer
protocol it doesn't know . In the default case, these packets shall be
ignored silently.
Ref #2490
One can configure the NIC router to act as DHCP server at interfaces of a
domain by adding the <dhcp> tag to the configuration of the domain like
this:
<domain name="vbox" interface="10.0.1.1/24">
<dhcp-server ip_first="10.0.1.80"
ip_last="10.0.1.100"
ip_lease_time_sec="3600"
dns_server="10.0.0.2"/>
...
</domain>
The attributes ip_first and ip_last define the available IPv4 address
range while ip_lease_time_sec defines the lifetime of an IPv4 address
assignment in seconds. The IPv4 address range must be in the subnet
defined by the interface attribute of the domain tag and must not cover
the IPv4 address in this attribute. The dns_server attribute gives the
IPv4 address of the DNS server that might also be in another subnet.
The lifetime of an offered assignment is the configured round trip time of
the router while the ip_lease_time_sec is applied only if the offer is
requested by the client in time.
The ports/run/virtualbox_nic_router.run script is an example of how to
use the new DHCP server functionality.
Ref #2490
Previously, garbage collect was only done when an incoming packet passed the
Ethernet checks. Now it is really done first when receiving a packet at an
interface.
Ref #2490
If the router has no gateway attribute for a domain (means that the router
itself is the gateway), and it gets an ARP request for a foreign IP, it shall
answer with its own IP.
Ref #2490
Do not use two times the RTT for the lifetime of links but use it as
it is configured to simplify the usage of the router. Internally, use
Microseconds/Duration type instead of plain integers.
Ref #2490
The nic_dump uses a wrapper for all supported protocols that
takes a packet and a verbosity configuration. The wrapper object can
than be used as argument for a Genode log function and prints the
packet's contents according to the given configuration. The
configuration is a distinct class to enable the reuse of one instance
for different packets.
There are currently 4 possible configurations for each protocol:
* NONE (no output for this protocol)
* SHORT (only the protocol name)
* COMPACT (the most important information densely packed)
* COMPREHENSIVE (all header information of this protocol)
Ref #2490
Provide utilities for appending new options to an existing DHCP packet
and a utility for finding existing options that returns a typed option
object. Remove old version that return untyped options.
Ref #2490
Apply the style rule that an accessor is named similar to the the underlying
value. Provide read and write accessors for each mandatory header attribute.
Fix some incorrect structure in the headers like with the flags field
in Ipv4_packet.
Ref #2490
Encapsulate the enum into a struct so that it is named
Ethernet_frame::Type::Enum, give it the correct storage type
uint16_t, and remove those values that are (AFAIK) not used by
now (genode, world).
Ref #2490
Do not stop routing if the transport layer protocol is unknown but
continue with trying IP routing instead. The latter was already
done when no transport routing could be applied but for unknown transport
protocols we caught the exception at the wrong place.
Ref #2490
No starvation of timeout signals
--------------------------------
Add several timeouts < 1ms to the stress test and check that timeout
handling doesn't become significantly unfair (starvation) in this situation
where some timeouts trigger nmuch faster than they get handled.
Rate limiting for timeout handling in timer
-------------------------------------------
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.
If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.
Ref #2490
In the past, a signal context, that was chosen for handling by
'Signal_receiver::pending_signal and always triggered again before
the next call of 'pending_signal', caused all other contexts behind
in the list to starve. This was the case because 'pending_signal'
always took the first pending context in its context list.
We avoid this problem now by handling pending signals in a round-robin
fashion instead.
Ref #2532
We did not set the correct now_period previously but it wasn't conspicuous
because the bug triggered not before a full period had passed which on most
platforms is a pretty long time.
Ref #2490
Ensure that the timer does not handle timeouts again within 1000
microseconds after the last handling of timeouts. This makes denial of
service attacks harder. This commit does not limit the rate of timeout
signals handled inside the timer but it causes the timer to do it less
often. If a client continuously installs a very small timeout at the
timer it still causes a signal to be submitted to the timer each time
and some extra CPU time to be spent in the internal handling method. But
only every 1000 microseconds this internal handling causes user timeouts
to trigger.
If we would want to limit also the call of the internal handling method
to ensure that CPU time is spent beside the RPCs only every 1000
microseconds, things would get more complex. For instance, on NOVA
Time_source::schedule_timeout(0) must be called each time a new timeout
gets installed and becomes head of the scheduling queue. We cannot
simply overwrite the already running timeout with the new one.
Ref #2490
The remote shell facilities are past deprecation and there is an
obligation to prevent their use rather than to support them. This patch
removes the related function definitions from 'unistd.h', which have not
been been included in the Genode libc ABI regardless.
Fix#2530
Remove getaddrinfo and freeaddrinfo from the Libc::Plugin and get rid of
the extra libc_resolv library. Remove getaddrinfo/freeaddrinfo symbol
hiding patch for FreeBSD sources. Remove libc_resolv from Makefiles and
run scenarios.
Fix#2273
Linux del_timer() and mod_timer() return if the timer was pending before
the modification. Additionally, these functions are potentially called
from handler function of the timer to modify and, therefore, checking
for timeout != INVALID_TIMEOUT is not sufficient as the timeout is
indeed valid when the handler is executed.
This patch fixes an aliasing problem of the 'close' method signature
that prevented the Input::Root_component::close method to be called.
This way, the event-queue state was not reset at session-close time,
which prevented a subsequent session-creation request to succeed. With
the patch, input servers like ps2_drv, usb_drv that rely on the
Input::Root_component support the dynamic re-opening of sessions. This
happens in particular when using a dynamically configured input filter.
