path: root/src/misc
AgeCommit message (Collapse)AuthorLines
2021-10-19fix struct layout mismatch in sound ioctl time32 fallback conversionRich Felker-2/+7
the snd_pcm_mmap_control struct used with SNDRV_PCM_IOCTL_SYNC_PTR was mistakenly defined in the kernel uapi with "before u32" padding both before and after the first u32 member. our conversion between the modern struct and the legacy time32 struct was written without awareness of that mistake, and assumed the time64 version of the struct was the intended form with padding to match the layout on 64-bit archs. as a result, the struct was not converted correctly when running on old kernels, with audio glitches as the likely result. this was discovered thanks to a related bug in the kernel, whereby 32-bit userspace running on a 64-bit kernel also suffered from the types mismatching. the mistaken layout is now the ABI and can't be changed -- or at least making a new ioctl to change it would just result in a worse situation. our conversion here is changed to treat the snd_pcm_mmap_control substruct as two separate substructs at locations dependent on endianness (since the displacement depends on endianness), using the existing conversion framework.
2020-12-14fix VIDIOC_DQEVENT (v4l2) ioctl fallback for pre-5.6 kernelsRich Felker-1/+9
commit 2412638bb39eb799b2600393bbd71cca8ae96bb2 got the size of struct v4l2_event wrong and failed to account for the fact that the old struct might be either 120 bytes with time misaligned mod 8, or 128 bytes with time aligned mod 8, due to the contained union having 64-bit members whose alignment is arch-dependent. rather than adding new logic to handle the differences, use an actual stripped-down version of the structure in question to derive the ioctl number, size, and offsets.
2020-12-14fix v4l2 buffer ioctl fallbacks for pre-5.6 kernelsArnd Bergmann-4/+4
commit 2412638bb39eb799b2600393bbd71cca8ae96bb2 got the size of struct v4l2_buffer wrong and omitted the tv_usec member slot from the offset list, so the ioctl numbers never matched and fallback code path was never taken. this caused the affected ioctls to fail with ENOTTY on kernels not new enough to have the native time64 ioctls.
2020-11-30implement realpath directly instead of using procfs readlinkRich Felker-23/+136
inability to use realpath in chroot/container without procfs access and at early boot prior to mount of /proc has been an ongoing issue, and it turns out realpath was one of the last remaining interfaces that needed procfs for its core functionality. during investigation while reimplementing, it was determined that there were also serious problems with the procfs-based implementation. most seriously it was unsafe on pre-O_PATH kernels, and unlike other places where O_PATH was used, the unsafety was hard or impossible to fix because O_NOFOLLOW can't be used (since the whole purpose was to follow symlinks). the new implementation is a direct one, performing readlink on each path component to resolve it. an explicit stack, as opposed to recursion, is used to represent the remaining components to be processed. the stack starts out holding just the input string, and reading a link pushes the link contents onto the stack. unlike many other implementations, this one does not call getcwd initially for relative pathnames. instead it accumulates initial .. components to be applied to the working directory if the result is still a relative path. this avoids calling getcwd (which may fail) at all when symlink traversal will eventually yield an absolute path. it also doesn't use any form of stat operation; instead it arranges for readlink to tell it when a non-directory is used in a context where a directory is needed. this minimizes the number of syscalls needed, avoids accessing inodes when the directory table suffices, and reduces the amount of code pulled in for static linking.
2020-11-11lift child restrictions after multi-threaded forkRich Felker-0/+2
as the outcome of Austin Group tracker issue #62, future editions of POSIX have dropped the requirement that fork be AS-safe. this allows but does not require implementations to synchronize fork with internal locks and give forked children of multithreaded parents a partly or fully unrestricted execution environment where they can continue to use the standard library (per POSIX, they can only portably use AS-safe functions). up until recently, taking this allowance did not seem desirable. however, commit 8ed2bd8bfcb4ea6448afb55a941f4b5b2b0398c0 exposed the extent to which applications and libraries are depending on the ability to use malloc and other non-AS-safe interfaces in MT-forked children, by converting latent very-low-probability catastrophic state corruption into predictable deadlock. dealing with the fallout has been a huge burden for users/distros. while it looks like most of the non-portable usage in applications could be fixed given sufficient effort, at least some of it seems to occur in language runtimes which are exposing the ability to run unrestricted code in the child as part of the contract with the programmer. any attempt at fixing such contracts is not just a technical problem but a social one, and is probably not tractable. this patch extends the fork function to take locks for all libc singletons in the parent, and release or reset those locks in the child, so that when the underlying fork operation takes place, the state protected by these locks is consistent and ready for the child to use. locking is skipped in the case where the parent is single-threaded so as not to interfere with legacy AS-safety property of fork in single-threaded programs. lock order is mostly arbitrary, but the malloc locks (including bump allocator in case it's used) must be taken after the locks on any subsystems that might use malloc, and non-AS-safe locks cannot be taken while the thread list lock is held, imposing a requirement that it be taken last.
2020-10-27avoid __synccall for setrlimit on kernels with prlimit syscallRich Felker-20/+17
resource limits have been process-wide since linux 2.6.10, and the prlimit syscall was added in 2.6.36, so prlimit can be assumed to set the resource limits correctly for the whole process.
2020-07-24getentropy: fix UB if len==0Bartosz Brachaczek-1/+1
if len==0, an uninitalized variable would be returned
2020-06-15fix invalid use of access function in nftwRich Felker-4/+18
access always computes result with real ids not effective ones, so it is not a valid means of determining whether the directory is readable. instead, attempt to open it before reporting whether it's readable, and then use fdopendir rather than opendir to open and read the entries. effort is made here to keep fd_limit behavior the same as before even if it was not correct.
2019-12-22spare archs without time32 legacy the cost of ioctl fallback conversionsRich Felker-1/+1
adding this condition makes the entire convert_ioctl_struct function and compat_map table statically unreachable, and thereby optimized out by dead code elimination, on archs where they are not needed.
2019-12-22add further ioctl time64 fallback conversion for device-specific commandRich Felker-0/+3
VIDIOC_OMAP3ISP_STAT_REQ is a device-specific command for the omap3isp video device. the command number is in a device-private range and therefore could theoretically be used by other devices too in the future, but problematic clashes should not be able to arise without intentional misuse.
2019-12-21don't continue looping through ioctl compat_map after finding matchRich Felker-0/+1
there's only one matching entry for any given command so this had no functional distinction, but additional loops are pointless and wasteful.
2019-12-20add further ioctl time64 fallback conversionsRich Felker-1/+49
this commit covers all remaining ioctls I'm aware of that use time_t-derived types in their interfaces. it may still be incomplete, and has undergone only minimal testing for a few commands used in audio playback. the SNDRV_PCM_IOCTL_SYNC_PTR command is special-cased because, rather than the whole structure expanding, it has two substructures each padded to 64 bytes that expand within their own 64-byte reserved zone. as long as it's the only one of its type, it doesn't really make sense to make a general framework for it, but the existing table framework is still used for the substructures in the special-case. one of the substructures, snd_pcm_mmap_status, has a snd_pcm_uframes_t member which is not a timestamp but is expanded just like one, to match the 64-bit-arch version of the structure. this is handled just like a timestamp at offset 8, and is the motivation for the conversions table holding offsets of individual values to be expanded rather than timespec/timeval type pairs. for some of the types, the size to which they expand is dependent on whether the arch's ABI aligns 8-byte types on 8-byte boundaries. new_req entries in the table need to reflect this size to get the right ioctl request number that will match what callers pass, but we don't have access to the actual structure type definitions here and duplicating them would be cumbersome. instead, the new_misaligned macro introduced here constructs an artificial object whose size is the result of expanding a misaligned timespec/timeval to 64-bit and imposing the arch's alignment on the result, which can be passed to the _IO{R,W,WR} macros.
2019-12-19improve ioctl time64 conversion fallback frameworkRich Felker-17/+18
record offsets of individual slots that expand from 32- to 64-bit, rather than timespec/timeval pairs. this flexibility will be needed for some ioctls. reduce size of types in table. adjust representation of offsets to include a count rather than needing -1 padding so that the table is less ugly and doesn't need large diffs if we increase max number of slots.
2019-12-18convert ioctl time64 fallbacks to table-driven frameworkRich Felker-17/+66
with the current set of supported ioctls, this conversion is hardly an improvement, but it sets the stage for being able to do alsa, v4l2, ppp, and other ioctls with timespec/timeval-derived types. without this capability, a lot of functionality users depend on would stop working with the time64 switchover.
2019-10-24fix errno for posix_openpt with no free ptys availableRich Felker-1/+3
linux fails the open with ENOSPC, but POSIX mandates EAGAIN.
2019-10-19wait4, getrusage: add time64/x32 variantRich Felker-1/+29
presently the kernel does not actually define time64 versions of these syscalls, and they're not really needed except to represent extreme cpu time usage. however, x32's versions of the syscalls already behave as time64 ones, meaning the functions were broken on x32 if the caller used any part of the rusage result other than ru_utime and ru_stime. commit 7e8171143124f7f510db555dc6f6327a965a3e84 made it possible to fix this by treating x32's syscalls as time64 versions. in the non-time64-syscall case, make the syscall with the rusage destination pointer adjusted so that all members but the timevals line up between the libc and kernel structures. on 64-bit archs, or present 32-bit archs with 32-bit time_t, the timevals will line up too and no further work is needed. for future 32-bit archs with 64-bit time_t, the timevals are copied into place, contingent on time_t being larger than long.
2019-08-30add public declaration for optreset under appropriate feature profilesRich Felker-0/+1
commit 030e52639248ac8417a4934298caa78c21a228d1 added optreset, a BSD extension to getopt duplicating the functionality (also an extension) of setting optind to 0, but failed to provide a public declaration for it. according to the BSD documentation and headers, the application is not supposed to need to provide its own declaration.
2019-07-31ioctl: add fallback for new time64 SIOCGSTAMP[NS]Rich Felker-1/+24
without this, the SIOCGSTAMP and SIOCGSTAMPNS ioctl commands, for obtaining timestamps, would stop working on pre-5.1 kernels after time_t is switched to 64-bit and their values are changed to the new time64 versions. new code is written such that it's statically unreachable on 64-bit archs, and on existing 32-bit archs until the macro values are changed to activate 64-bit time_t.
2018-12-09add namespace-safe version of getauxval for internal useRich Felker-1/+3
2018-12-09fix wordexp not to read past end of string ending with lone backslashRich Felker-1/+1
2018-09-12split internal lock API out of libc.h, creating lock.hRich Felker-1/+1
this further reduces the number of source files which need to include libc.h and thereby be potentially exposed to libc global state and internals. this will also facilitate further improvements like adding an inline fast-path, if we want to do so later.
2018-09-12remove spurious inclusion of libc.h for LFS64 ABI aliasesRich Felker-7/+4
the LFS64 macro was not self-documenting and barely saved any characters. simply use weak_alias directly so that it's clear what's being done, and doesn't depend on a header to provide a strange macro.
2018-09-12reduce spurious inclusion of libc.hRich Felker-3/+0
libc.h was intended to be a header for access to global libc state and related interfaces, but ended up included all over the place because it was the way to get the weak_alias macro. most of the inclusions removed here are places where weak_alias was needed. a few were recently introduced for hidden. some go all the way back to when libc.h defined CANCELPT_BEGIN and _END, and all (wrongly implemented) cancellation points had to include it. remaining spurious users are mostly callers of the LOCK/UNLOCK macros and files that use the LFS64 macro to define the awful *64 aliases. in a few places, new inclusion of libc.h is added because several internal headers no longer implicitly include libc.h. declarations for __lockfile and __unlockfile are moved from libc.h to stdio_impl.h so that the latter does not need libc.h. putting them in libc.h made no sense at all, since the macros in stdio_impl.h are needed to use them correctly anyway.
2018-09-12remove or make static various unused __-prefixed symbolsRich Felker-2/+2
2018-09-12overhaul internally-public declarations using wrapper headersRich Felker-2/+0
commits leading up to this one have moved the vast majority of libc-internal interface declarations to appropriate internal headers, allowing them to be type-checked and setting the stage to limit their visibility. the ones that have not yet been moved are mostly namespace-protected aliases for standard/public interfaces, which exist to facilitate implementing plain C functions in terms of POSIX functionality, or C or POSIX functionality in terms of extensions that are not standardized. some don't quite fit this description, but are "internally public" interfacs between subsystems of libc. rather than create a number of newly-named headers to declare these functions, and having to add explicit include directives for them to every source file where they're needed, I have introduced a method of wrapping the corresponding public headers. parallel to the public headers in $(srcdir)/include, we now have wrappers in $(srcdir)/src/include that come earlier in the include path order. they include the public header they're wrapping, then add declarations for namespace-protected versions of the same interfaces and any "internally public" interfaces for the subsystem they correspond to. along these lines, the wrapper for features.h is now responsible for the definition of the hidden, weak, and weak_alias macros. this means source files will no longer need to include any special headers to access these features. over time, it is my expectation that the scope of what is "internally public" will expand, reducing the number of source files which need to include *_impl.h and related headers down to those which are actually implementing the corresponding subsystems, not just using them.
2018-09-12declare __getopt_msg in stdio_impl.hRich Felker-2/+1
it's not ideal, but the function is essentially an extended stdio function specialized to getopt's needs. the only reason it exists is avoiding pulling printf code into every program using getopt.
2018-09-12use lighter internal stdio lock in getopt error printingRich Felker-2/+3
the public flockfile interface is significantly heavier because it has to handle the possibility of caller returning or thread exiting while holding the lock.
2018-09-12move and deduplicate declarations of __procfdname to make it checkableRich Felker-2/+0
syscall.h was chosen as the header to declare it, since its intended usage is alongside syscalls as a fallback for operations the direct syscall does not support.
2018-09-12fix issues from public functions defined without declaration visibleRich Felker-0/+5
policy is that all public functions which have a public declaration should be defined in a context where that public declaration is visible, to avoid preventable type mismatches. an audit performed using GCC's -Wmissing-declarations turned up the violations corrected here. in some cases the public header had not been included; in others, a feature test macro needed to make the declaration visible had been omitted. in the case of gethostent and getnetent, the omission seems to have been intentional, as a hack to admit a single stub definition for both functions. this kind of hack is no longer acceptable; it's UB and would not fly with LTO or advanced toolchains. the hack is undone to make exposure of the declarations possible.
2018-08-22getopt: update optarg and optind correctly on missing argumentRich Felker-6/+6
the text of the specification for getopt's handling of options that require an argument, which requires updating optarg and optind, does not exclude the error case where the end of the argument list has been reached. in that case, it is expected that optarg be assigned argv[argc] (normally null) and optind be incremented by 2, resulting in a value of argc+1.
2018-04-27getopt_long_only: don't prefix-match long-options that match short onesRich Felker-2/+15
for getopt_long, partial (prefix) matches of long options always begin with "--" and thus can never be ambiguous with a short option. for getopt_long_only, though, a single-character option can match both a short option and as a prefix for a long option. in this case, we wrongly interpreted it as a prefix for the long option. introduce a new pass, only in long-only mode, to check the prefix match against short options before accepting it. the only reason there's a slightly nontrivial loop being introduced rather than strchr is that our getopt already supports multibyte short options, and getopt_long_long should handle them consistently. a temp buffer and strstr could have been used, but the code to set it up would be just as large as what's introduced here and it would unnecessarily pull in relatively large code for strstr.
2018-02-25add public interface headers to implementation filesRich Felker-0/+2
general policy is that all source files defining a public API or an ABI mechanism referenced by a public header should include the public header that declares the interface, so that the compiler or analysis tools can check the consistency of the declarations. Alexander Monakov pointed out a number of violations of this principle a few years back. fix them now.
2018-02-24fix getopt wrongly treating colons in optstring as valid option charsRich Felker-1/+1
the ':' in optstring has special meaning as a flag applying to the previous option character, or to getopt's error handling behavior when it appears at the beginning. don't also accept a "-:" option based on its presence.
2018-02-23add getentropy functionRich Felker-0/+31
based loosely on patch by Hauke Mehrtens; converted to wrap the public API of the underlying getrandom function rather than direct syscalls, so that if/when a fallback implementation of getrandom is added it will automatically get picked up by getentropy too.
2018-02-05re-fix child reaping in wordexpAlexander Monakov-7/+1
Do not retry waitpid if the child was terminated by a signal. Do not examine status: since we are not passing any flags, we will not receive stop or continue notifications.
2018-01-31getopt_long: accept prefix match of long options containing equals signsSamuel Holland-1/+2
Consider the first equals sign found in the option to be the delimiter between it and its argument, even if it matches an equals sign in the option name. This avoids consuming the equals sign, which would prevent finding the argument. Instead, it forces a partial match of the part of the option name before the equals sign. Maintainer's note: GNU getopt_long does not explicitly document this behavior, but it can be seen as a consequence of how partial matches are specified, and at least GNU (bfd) ld is known to make use of it.
2018-01-31fix getopt_long arguments to partial matchesSamuel Holland-1/+3
If we find a partial option name match, we need to keep looking for ambiguous/conflicting options. However, we need to remember the position in the candidate argument to find its option-argument later, if there is one. This fixes e.g. option "foobar" being given as "--fooba=baz".
2018-01-09revise the definition of multiple basic locks in the codeJens Gustedt-1/+1
In all cases this is just a change from two volatile int to one.
2017-10-13fix incorrect base name offset from nftw when pathname ends in slash(es)Rich Felker-3/+9
the rightmost '/' character is not necessarily the delimiter before the basename; it could be a spurious trailing character on the directory name. this change does not introduce any normalization of pathnames or stripping of trailing slashes, contrary to at least glibc and perhaps other implementations; it jusst prevents their presence from breaking things. whether further changes should be made is an open question that may depend on conformance and/or application compatibility considerations. based loosely on patch by Joakim Sindholt.
2017-01-04fix getopt[_long] clobbering of optopt on successRich Felker-2/+5
getopt is only specified to modify optopt on error, and some software apparently infers an error from optopt!=0. getopt_long is changed analogously. the resulting behavior differs slightly from the behavior of the GNU implementation of getopt_long, which keeps an internal shadow copy of optopt and copies it to the public one on return, but since the GNU implementation also exhibits this shadow-copy behavior for plain getopt where is is non-conforming, I think this can reasonably be considered a bug rather than an intentional behavior that merits mimicing.
2016-10-20fix getopt_long_only misinterpreting "--" as an optionRich Felker-1/+1
2016-10-20use dynamic buffer for getmntentNatanael Copa-4/+13
overlayfs may have fairly long lines so we use getline to allocate a buffer dynamically. The buffer will be allocated on first use, expand as needed, but will never be free'ed. Downstream bug: Signed-off-by: Natanael Copa <>
2016-05-23fix a64l undefined behavior on ILP32 archs, wrong results on LP64 archsRich Felker-3/+6
the difference of pointers is a signed type ptrdiff_t; if it is only 32-bit, left-shifting it by 30 bits produces undefined behavior. cast the difference to an appropriate unsigned type, uint32_t, before shifting to avoid this. the a64l function is specified to return a signed 32-bit result in type long. as noted in the bug report by Ed Schouten, converting implicitly from uint32_t only produces the desired result when long is a 32-bit type. since the computation has to be done in unsigned arithmetic to avoid overflow, simply cast the result to int32_t. further, POSIX leaves the behavior on invalid input unspecified but not undefined, so we should not take the difference between the potentially-null result of strchr and the base pointer without first checking the result. the simplest behavior is just returning the partial conversion already performed in this case, so do that.
2016-02-16fix unlikely corner cases in getopt's message printingRich Felker-2/+2
like fputs (see commit 10a17dfbad2c267d885817abc9c7589fc7ff630b), the message printing code for getopt assumed that fwrite only returns 0 on failure, but it can also happen on success if the total length to be written is zero. programs with zero-length argv[0] were affected. commit 500c6886c654fd45e4926990fee2c61d816be197 introduced this problem in getopt by fixing the fwrite behavior to conform to the requirements of ISO C. previously the wrong expectations of the getopt code were met by the fwrite implementation.
2015-08-21getsubopt: don't include leading = in value stringSteven Barth-1/+1
getsubopt incorrectly returns the delimiting = in the value string, this patch fixes it by increasing the pointer position by one. Signed-off-by: Steven Barth <>
2015-07-09handle loss of syslog socket connectionRich Felker-7/+11
when traditional syslogd implementations are restarted, the old server socket ceases to exist and a new unix socket with the same pathname is created. when this happens, the default destination address associated with the client socket via connect is no longer valid, and attempts to send produce errors. this happens despite the socket being datagram type, and is in contrast to the behavior that would be seen with an IP datagram (UDP) socket. in order to avoid a situation where the application is unable to send further syslog messages without calling closelog, this patch makes syslog attempt to reconnect the socket when send returns an error indicating a lost connection. additionally, initial failure to connect the socket no longer results in the socket being closed. this ensures that an application which calls openlog to reserve the socket file descriptor will not run into a situation where transient connection failure (e.g. due to syslogd restart) prevents fd reservation. however, applications which may be unable to connect the socket later (e.g. due to chroot, restricted permissions, seccomp, etc.) will still fail to log if the syslog socket cannot be connected at openlog time or if it has to be reconnected later.
2015-03-15add alternate backend support for getgrouplistJosiah Worcester-24/+0
This completes the alternate backend support that was previously added to the getpw* and getgr* functions. Unlike those, though, it unconditionally queries nscd. Any groups from nscd that aren't in the /etc/groups file are added to the returned list, and any that are present in the file are ignored. The purpose of this behavior is to provide a view of the group database consistent with what is observed by the getgr* functions. If group memberships reported by nscd were honored when the corresponding group already has a definition in the /etc/groups file, the user's getgrouplist-based membership in the group would conflict with their non-membership in the reported gr_mem[] for the group. The changes made also make getgrouplist thread-safe and eliminate its clobbering of the global getgrent state.
2015-03-04eliminate atomics in syslog setlogmask functionRich Felker-4/+6
2015-03-03make all objects used with atomic operations volatileRich Felker-2/+2
the memory model we use internally for atomics permits plain loads of values which may be subject to concurrent modification without requiring that a special load function be used. since a compiler is free to make transformations that alter the number of loads or the way in which loads are performed, the compiler is theoretically free to break this usage. the most obvious concern is with atomic cas constructs: something of the form tmp=*p;a_cas(p,tmp,f(tmp)); could be transformed to a_cas(p,*p,f(*p)); where the latter is intended to show multiple loads of *p whose resulting values might fail to be equal; this would break the atomicity of the whole operation. but even more fundamental breakage is possible. with the changes being made now, objects that may be modified by atomics are modeled as volatile, and the atomic operations performed on them by other threads are modeled as asynchronous stores by hardware which happens to be acting on the request of another thread. such modeling of course does not itself address memory synchronization between cores/cpus, but that aspect was already handled. this all seems less than ideal, but it's the best we can do without mandating a C11 compiler and using the C11 model for atomics. in the case of pthread_once_t, the ABI type of the underlying object is not volatile-qualified. so we are assuming that accessing the object through a volatile-qualified lvalue via casts yields volatile access semantics. the language of the C standard is somewhat unclear on this matter, but this is an assumption the linux kernel also makes, and seems to be the correct interpretation of the standard.
2015-02-11fix bad character checking in wordexpRich Felker-0/+1
the character sequence '$((' was incorrectly interpreted as the opening of arithmetic even within single-quoted contexts, thereby suppressing the checks for bad characters after the closing quote. presently bad character checking is only performed when the WRDE_NOCMD is used; this patch only corrects checking in that case.