system/serenity
system/serenity
1
0
Fork 0
mirror of https://github.com/SerenityOS/serenity synced 2024-09-16 06:30:41 +00:00
Code Issues Packages Projects Releases Wiki Activity
serenity/Kernel/Tasks/PowerStateSwitchTask.cpp

196 lines
7.4 KiB
C++
Raw Normal View History

Kernel: Allow relaxing cleanup task rules during system shutdown Once we move to a more proper shutdown procedure, processes other than the finalizer task must be able to perform cleanup and finalization duties, not only because the finalizer task itself needs to be cleaned up by someone. This global variable, mirroring the early boot flags, allows a future shutdown process to perform cleanup on its own. Note that while this *could* be considered a weakening in security, the attack surface is minimal and the results are not dramatic. To exploit this, an attacker would have to gain a Kernel write primitive to this global variable (bypassing KASLR among other things) and then gain some way of calling the relevant functions, all of this only to destroy some other running process. The same effect can be achieved with LPE which can often be gained with significantly simpler userspace exploits (e.g. of setuid binaries).
2023-07-09 22:20:48 +00:00
/*
* Copyright (c) 2023, kleines Filmröllchen <filmroellchen@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
#include <AK/Platform.h>
#if ARCH(X86_64)
# include <Kernel/Arch/x86_64/I8042Reboot.h>
# include <Kernel/Arch/x86_64/Shutdown.h>
#elif ARCH(AARCH64)
# include <Kernel/Arch/aarch64/RPi/Watchdog.h>
#endif
#include <AK/StringView.h>
#include <Kernel/Arch/PowerState.h>
Kernel: Move TTY-related code to a new subdirectory under Devices The TTY subsystem is represented with unix devices, so it should be under the Devices directory like the Audio, Storage, GPU and HID subsystems.
2023-07-08 11:18:32 +00:00
#include <Kernel/Devices/TTY/ConsoleManagement.h>
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
#include <Kernel/FileSystem/FileSystem.h>
#include <Kernel/FileSystem/VirtualFileSystem.h>
#include <Kernel/Firmware/ACPI/Parser.h>
#include <Kernel/Library/Panic.h>
#include <Kernel/Sections.h>
#include <Kernel/Tasks/FinalizerTask.h>
#include <Kernel/Tasks/PowerStateSwitchTask.h>
#include <Kernel/Tasks/Process.h>
#include <Kernel/Tasks/Scheduler.h>
Kernel: Allow relaxing cleanup task rules during system shutdown Once we move to a more proper shutdown procedure, processes other than the finalizer task must be able to perform cleanup and finalization duties, not only because the finalizer task itself needs to be cleaned up by someone. This global variable, mirroring the early boot flags, allows a future shutdown process to perform cleanup on its own. Note that while this *could* be considered a weakening in security, the attack surface is minimal and the results are not dramatic. To exploit this, an attacker would have to gain a Kernel write primitive to this global variable (bypassing KASLR among other things) and then gain some way of calling the relevant functions, all of this only to destroy some other running process. The same effect can be achieved with LPE which can often be gained with significantly simpler userspace exploits (e.g. of setuid binaries).
2023-07-09 22:20:48 +00:00
namespace Kernel {
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
Thread* g_power_state_switch_task;
Kernel: Allow relaxing cleanup task rules during system shutdown Once we move to a more proper shutdown procedure, processes other than the finalizer task must be able to perform cleanup and finalization duties, not only because the finalizer task itself needs to be cleaned up by someone. This global variable, mirroring the early boot flags, allows a future shutdown process to perform cleanup on its own. Note that while this *could* be considered a weakening in security, the attack surface is minimal and the results are not dramatic. To exploit this, an attacker would have to gain a Kernel write primitive to this global variable (bypassing KASLR among other things) and then gain some way of calling the relevant functions, all of this only to destroy some other running process. The same effect can be achieved with LPE which can often be gained with significantly simpler userspace exploits (e.g. of setuid binaries).
2023-07-09 22:20:48 +00:00
bool g_in_system_shutdown { false };
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
void PowerStateSwitchTask::power_state_switch_task(void* raw_entry_data)
{
Thread::current()->set_priority(THREAD_PRIORITY_HIGH);
auto entry_data = bit_cast<PowerStateCommand>(raw_entry_data);
switch (entry_data) {
case PowerStateCommand::Shutdown:
Kernel: Merge PowerStateSwitchTask reboot and shutdown procedures The reboot procedure should prepare to "shutdown" the system cleanly and therefore has to be merged with how shutdown is handled.
2023-08-19 09:25:40 +00:00
MUST(PowerStateSwitchTask::perform_shutdown(DoReboot::No));
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
break;
case PowerStateCommand::Reboot:
Kernel: Merge PowerStateSwitchTask reboot and shutdown procedures The reboot procedure should prepare to "shutdown" the system cleanly and therefore has to be merged with how shutdown is handled.
2023-08-19 09:25:40 +00:00
MUST(PowerStateSwitchTask::perform_shutdown(DoReboot::Yes));
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
break;
default:
PANIC("Unknown power state command: {}", to_underlying(entry_data));
}
// Although common, the system may not halt through this task.
// Clear the power state switch task so that it can be spawned again.
g_power_state_switch_task = nullptr;
}
void PowerStateSwitchTask::spawn(PowerStateCommand command)
{
VERIFY(g_power_state_switch_task == nullptr);
auto [_, power_state_switch_task_thread] = MUST(Process::create_kernel_process(
Kernel: Don't allocate memory for names of processes and threads Instead, use the FixedCharBuffer class to ensure we always use a static buffer storage for these names. This ensures that if a Process or a Thread were created, there's a guarantee that setting a new name will never fail, as only copying of strings should be done to that static storage. The limits which are set are 32 characters for processes' names and 64 characters for thread names - this is because threads' names could be more verbose than processes' names.
2023-07-17 15:34:19 +00:00
"Power State Switch Task"sv, power_state_switch_task, bit_cast<void*>(command)));
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
g_power_state_switch_task = move(power_state_switch_task_thread);
}
Kernel: Merge PowerStateSwitchTask reboot and shutdown procedures The reboot procedure should prepare to "shutdown" the system cleanly and therefore has to be merged with how shutdown is handled.
2023-08-19 09:25:40 +00:00
ErrorOr<void> PowerStateSwitchTask::perform_shutdown(PowerStateSwitchTask::DoReboot do_reboot)
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
{
// We assume that by this point userland has tried as much as possible to shut down everything in an orderly fashion.
// Therefore, we force kill remaining processes, including Kernel processes, except the finalizer and ourselves.
dbgln("Killing remaining processes...");
Optional<Process&> finalizer_process;
Process::all_instances().for_each([&](Process& process) {
if (process.pid() == g_finalizer->process().pid())
finalizer_process = process;
});
VERIFY(finalizer_process.has_value());
// Allow init process and finalizer task to be killed.
g_in_system_shutdown = true;
// Make sure to kill all user processes first, otherwise we might get weird hangups.
Kernel: Ensure only user processes are terminated properly in shutdown This patch ensures that the shutdown procedure can complete due to the fact we don't kill kernel processes anymore, and only stop the scheduler from running after the filesystems unmount procedure. We also need kernel processes during the shutdown procedure, because we rely on the WorkQueue threads to run WorkQueue items to complete async IO requests initiated by filesystem sync & unmounting, etc. This is also simplifying the code around the killing processes, because we don't need to worry about edge cases such as the FinalizerTask anymore.
2023-08-19 16:07:17 +00:00
TRY(kill_all_user_processes());
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
size_t alive_process_count = 0;
Process::all_instances().for_each([&](Process& process) {
Kernel: Ensure only user processes are terminated properly in shutdown This patch ensures that the shutdown procedure can complete due to the fact we don't kill kernel processes anymore, and only stop the scheduler from running after the filesystems unmount procedure. We also need kernel processes during the shutdown procedure, because we rely on the WorkQueue threads to run WorkQueue items to complete async IO requests initiated by filesystem sync & unmounting, etc. This is also simplifying the code around the killing processes, because we don't need to worry about edge cases such as the FinalizerTask anymore.
2023-08-19 16:07:17 +00:00
if (!process.is_kernel_process() && !process.is_dead())
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
alive_process_count++;
});
// Don't panic here (since we may panic in a bit anyways) but report the probable cause of an unclean shutdown.
if (alive_process_count != 0)
dbgln("We're not the last process alive; proper shutdown may fail!");
ConsoleManagement::the().switch_to_debug();
dbgln("Locking all file systems...");
FileSystem::lock_all();
FileSystem::sync();
dbgln("Unmounting all file systems...");
auto unmount_was_successful = true;
while (unmount_was_successful) {
unmount_was_successful = false;
Vector<Mount&, 16> mounts;
TRY(VirtualFileSystem::the().for_each_mount([&](auto const& mount) -> ErrorOr<void> {
TRY(mounts.try_append(const_cast<Mount&>(mount)));
return {};
}));
if (mounts.is_empty())
break;
auto const remaining_mounts = mounts.size();
while (!mounts.is_empty()) {
auto& mount = mounts.take_last();
Kernel: Allow Ext2FS::flush_writes() to return ErrorOr<void>
2023-08-01 06:48:43 +00:00
TRY(mount.guest_fs().flush_writes());
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
auto mount_path = TRY(mount.absolute_path());
auto& mount_inode = mount.guest();
auto const result = VirtualFileSystem::the().unmount(mount_inode, mount_path->view());
if (result.is_error()) {
dbgln("Error during unmount of {}: {}", mount_path, result.error());
// FIXME: For unknown reasons the root FS stays busy even after everything else has shut down and was unmounted.
// Until we find the underlying issue, allow an unclean shutdown here.
if (remaining_mounts <= 1)
dbgln("BUG! One mount remaining; the root file system may not be unmountable at all. Shutting down anyways.");
} else {
unmount_was_successful = true;
}
}
}
Kernel: Ensure only user processes are terminated properly in shutdown This patch ensures that the shutdown procedure can complete due to the fact we don't kill kernel processes anymore, and only stop the scheduler from running after the filesystems unmount procedure. We also need kernel processes during the shutdown procedure, because we rely on the WorkQueue threads to run WorkQueue items to complete async IO requests initiated by filesystem sync & unmounting, etc. This is also simplifying the code around the killing processes, because we don't need to worry about edge cases such as the FinalizerTask anymore.
2023-08-19 16:07:17 +00:00
// NOTE: We don't really need to kill kernel processes, because in contrast
// to user processes, kernel processes will simply not make syscalls
// or do some other unexpected behavior.
// Therefore, we just lock the scheduler big lock to ensure nothing happens
// beyond this point forward.
SpinlockLocker lock(g_scheduler_lock);
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
Kernel: Merge PowerStateSwitchTask reboot and shutdown procedures The reboot procedure should prepare to "shutdown" the system cleanly and therefore has to be merged with how shutdown is handled.
2023-08-19 09:25:40 +00:00
if (do_reboot == DoReboot::Yes) {
dbgln("Attempting system reboot...");
dbgln("attempting reboot via ACPI");
if (ACPI::is_enabled())
ACPI::Parser::the()->try_acpi_reboot();
arch_specific_reboot();
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
Kernel: Merge PowerStateSwitchTask reboot and shutdown procedures The reboot procedure should prepare to "shutdown" the system cleanly and therefore has to be merged with how shutdown is handled.
2023-08-19 09:25:40 +00:00
dmesgln("Reboot can't be completed. It's safe to turn off the computer!");
Processor::halt();
VERIFY_NOT_REACHED();
}
VERIFY(do_reboot == DoReboot::No);
dbgln("Attempting system shutdown...");
arch_specific_poweroff();
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
dmesgln("Shutdown can't be completed. It's safe to turn off the computer!");
Processor::halt();
Kernel: Merge PowerStateSwitchTask reboot and shutdown procedures The reboot procedure should prepare to "shutdown" the system cleanly and therefore has to be merged with how shutdown is handled.
2023-08-19 09:25:40 +00:00
VERIFY_NOT_REACHED();
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
}
Kernel: Ensure only user processes are terminated properly in shutdown This patch ensures that the shutdown procedure can complete due to the fact we don't kill kernel processes anymore, and only stop the scheduler from running after the filesystems unmount procedure. We also need kernel processes during the shutdown procedure, because we rely on the WorkQueue threads to run WorkQueue items to complete async IO requests initiated by filesystem sync & unmounting, etc. This is also simplifying the code around the killing processes, because we don't need to worry about edge cases such as the FinalizerTask anymore.
2023-08-19 16:07:17 +00:00
ErrorOr<void> PowerStateSwitchTask::kill_all_user_processes()
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
{
Kernel: Ensure only user processes are terminated properly in shutdown This patch ensures that the shutdown procedure can complete due to the fact we don't kill kernel processes anymore, and only stop the scheduler from running after the filesystems unmount procedure. We also need kernel processes during the shutdown procedure, because we rely on the WorkQueue threads to run WorkQueue items to complete async IO requests initiated by filesystem sync & unmounting, etc. This is also simplifying the code around the killing processes, because we don't need to worry about edge cases such as the FinalizerTask anymore.
2023-08-19 16:07:17 +00:00
{
SpinlockLocker lock(g_scheduler_lock);
Process::all_instances().for_each([&](Process& process) {
if (!process.is_kernel_process())
process.die();
});
}
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
// Although we *could* finalize processes ourselves (g_in_system_shutdown allows this),
// we're nice citizens and let the finalizer task perform final duties before we kill it.
Scheduler::notify_finalizer();
int alive_process_count = 1;
MonotonicTime last_status_time = TimeManagement::the().monotonic_time();
while (alive_process_count > 0) {
Scheduler::yield();
alive_process_count = 0;
Process::all_instances().for_each([&](Process& process) {
Kernel: Ensure only user processes are terminated properly in shutdown This patch ensures that the shutdown procedure can complete due to the fact we don't kill kernel processes anymore, and only stop the scheduler from running after the filesystems unmount procedure. We also need kernel processes during the shutdown procedure, because we rely on the WorkQueue threads to run WorkQueue items to complete async IO requests initiated by filesystem sync & unmounting, etc. This is also simplifying the code around the killing processes, because we don't need to worry about edge cases such as the FinalizerTask anymore.
2023-08-19 16:07:17 +00:00
if (!process.is_kernel_process() && !process.is_dead())
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
alive_process_count++;
});
if (TimeManagement::the().monotonic_time() - last_status_time > Duration::from_seconds(2)) {
last_status_time = TimeManagement::the().monotonic_time();
dmesgln("Waiting on {} processes to exit...", alive_process_count);
if constexpr (PROCESS_DEBUG) {
Process::all_instances().for_each_const([&](Process const& process) {
Kernel: Ensure only user processes are terminated properly in shutdown This patch ensures that the shutdown procedure can complete due to the fact we don't kill kernel processes anymore, and only stop the scheduler from running after the filesystems unmount procedure. We also need kernel processes during the shutdown procedure, because we rely on the WorkQueue threads to run WorkQueue items to complete async IO requests initiated by filesystem sync & unmounting, etc. This is also simplifying the code around the killing processes, because we don't need to worry about edge cases such as the FinalizerTask anymore.
2023-08-19 16:07:17 +00:00
if (!process.is_kernel_process() && !process.is_dead()) {
dbgln("Process (user) {:2} dead={} dying={} ({})",
process.pid(), process.is_dead(), process.is_dying(),
Kernel: Don't allocate memory for names of processes and threads Instead, use the FixedCharBuffer class to ensure we always use a static buffer storage for these names. This ensures that if a Process or a Thread were created, there's a guarantee that setting a new name will never fail, as only copying of strings should be done to that static storage. The limits which are set are 32 characters for processes' names and 64 characters for thread names - this is because threads' names could be more verbose than processes' names.
2023-07-17 15:34:19 +00:00
process.name().with([](auto& name) { return name.representable_view(); }));
Kernel: Overhaul system shutdown procedure For a long time, our shutdown procedure has basically been: - Acquire big process lock. - Switch framebuffer to Kernel debug console. - Sync and lock all file systems so that disk caches are flushed and files are in a good state. - Use firmware and architecture-specific functionality to perform hardware shutdown. This naive and simple shutdown procedure has multiple issues: - No processes are terminated properly, meaning they cannot perform more complex cleanup work. If they were in the middle of I/O, for instance, only the data that already reached the Kernel is written to disk, and data corruption due to unfinished writes can therefore still occur. - No file systems are unmounted, meaning that any important unmount work will never happen. This is important for e.g. Ext2, which has facilites for detecting improper unmounts (see superblock's s_state variable) and therefore requires a proper unmount to be performed. This was also the starting point for this PR, since I wanted to introduce basic Ext2 file system checking and unmounting. - No hardware is properly shut down beyond what the system firmware does on its own. - Shutdown is performed within the write() call that asked the Kernel to change its power state. If the shutdown procedure takes longer (i.e. when it's done properly), this blocks the process causing the shutdown and prevents any potentially-useful interactions between Kernel and userland during shutdown. In essence, current shutdown is a glorified system crash with minimal file system cleanliness guarantees. Therefore, this commit is the first step in improving our shutdown procedure. The new shutdown flow is now as follows: - From the write() call to the power state SysFS node, a new task is started, the Power State Switch Task. Its only purpose is to change the operating system's power state. This task takes over shutdown and reboot duties, although reboot is not modified in this commit. - The Power State Switch Task assumes that userland has performed all shutdown duties it can perform on its own. In particular, it assumes that all kinds of clean process shutdown have been done, and remaining processes can be hard-killed without consequence. This is an important separation of concerns: While this commit does not modify userland, in the future SystemServer will be responsible for performing proper shutdown of user processes, including timeouts for stubborn processes etc. - As mentioned above, the task hard-kills remaining user processes. - The task hard-kills all Kernel processes except itself and the Finalizer Task. Since Kernel processes can delay their own shutdown indefinitely if they want to, they have plenty opportunity to perform proper shutdown if necessary. This may become a problem with non-cooperative Kernel tasks, but as seen two commits earlier, for now all tasks will cooperate within a few seconds. - The task waits for the Finalizer Task to clean up all processes. - The task hard-kills and finalizes the Finalizer Task itself, meaning that it now is the only remaining process in the system. - The task syncs and locks all file systems, and then unmounts them. Due to an unknown refcount bug we currently cannot unmount the root file system; therefore the task is able to abort the clean unmount if necessary. - The task performs platform-dependent hardware shutdown as before. This commit has multiple remaining issues (or exposed existing ones) which will need to be addressed in the future but are out of scope for now: - Unmounting the root filesystem is impossible due to remaining references to the inodes /home and /home/anon. I investigated this very heavily and could not find whoever is holding the last two references. - Userland cannot perform proper cleanup, since the Kernel's power state variable is accessed directly by tools instead of a proper userland shutdown procedure directed by SystemServer. The recently introduced Firmware/PowerState procedures are removed again, since all of the architecture-independent code can live in the power state switch task. The architecture-specific code is kept, however.
2023-07-09 22:17:11 +00:00
}
});
}
}
}
return {};
}
Kernel: Allow relaxing cleanup task rules during system shutdown Once we move to a more proper shutdown procedure, processes other than the finalizer task must be able to perform cleanup and finalization duties, not only because the finalizer task itself needs to be cleaned up by someone. This global variable, mirroring the early boot flags, allows a future shutdown process to perform cleanup on its own. Note that while this *could* be considered a weakening in security, the attack surface is minimal and the results are not dramatic. To exploit this, an attacker would have to gain a Kernel write primitive to this global variable (bypassing KASLR among other things) and then gain some way of calling the relevant functions, all of this only to destroy some other running process. The same effect can be achieved with LPE which can often be gained with significantly simpler userspace exploits (e.g. of setuid binaries).
2023-07-09 22:20:48 +00:00
}
Reference in a new issue Copy permalink