AddrSpace handles from dup(b'empty') and dup(b'exclusive') use the write
syscall for mmap commands, not seekable I/O. The kwriteoff handler returns
the mapped address (not bytes written), which sys_write would incorrectly
add to the file offset when POSITIONED is set. This corrupted the offset,
causing the next write to fail with EINVAL (offset_word skip exhausted
the buffer). Only mmap-min-addr needs POSITIONED for actual read/write.
The previous default only accepted u64::MAX as 'stream write' offset, but
sys_write/sys_read pass offset=0 for non-positioned I/O. This caused
ESPIPE on all writes to non-positioned FDs (Debug/stdout). Now both
u64::MAX and 0 are accepted as 'no offset' for the default implementation.
Schemes that override kwriteoff (AddrSpace) still handle offset=0 correctly.
The default kreadoff/kwriteoff implementations in scheme/mod.rs require
offset=u64::MAX for stream (non-positioned) I/O. Passing offset=0 causes
ESPIPE (Illegal seek), which breaks ALL writes to non-positioned FDs
including Debug/stdout. This was the root cause of the procmgr child
appearing to 'panic' — its log output silently failed with ESPIPE.
The addr_space_lock.mmap() result must be used or explicitly ignored.
Use let _ = ... to discard it — if mmap fails here, the process
crash will be more informative than a Result warning.
- syscall/futex.rs: scope the context write guard so futexes.swap_remove
can borrow mutably after the guard drops
- syscall/process.rs: add missing 'shared' arg to Grant::zeroed
The .map_err().?() pattern doesn't work in a function returning (),
because ? requires the enclosing function to return Result. Replace
with plain .expect() (these are bootstrap initialization failures —
if mmap fails here, the kernel cannot continue).
The initial bootstrap init (started directly by the kernel via
usermode_bootstrap) had RSP = 0 from InterruptStack::init(), which
does NOT set RSP. This caused any push/call in the binary to fault
on address 0.
The Rust panic handler caught the resulting page fault and generated
ud2 — visible as 'Invalid opcode fault' at a low RIP before main()
ever runs. This was the root cause of the init crash.
Fix:
- Map 8 pages (32 KiB) of user stack just above the initfs image
- Set RSP to the top of the stack
- Add debug log showing the mapped region
The stack is intentionally small (32 KiB) — enough for Rust _start
to run but small enough to detect stack overflow immediately. Once
init calls fexec_impl to spawn the real init, the real init gets its
own full 8 MB stack via the redox-rt exec path.
- rmm/src/arch/emulate.rs: replace unimplemented!() with actual TLB
invalidation (remove the address from the map). Without this the
emulate arch silently fails to invalidate TLB entries during
context switches, which can cause stale mappings.
- src/syscall/futex.rs: remove completed TODO marker for FUTEX_REQUEUE
(work done in a prior commit).
The sys_mkns and sys_setns functions added in 48fc2f1c reference
UserSliceRo and FileHandle but the imports were not updated, causing
the build to fail with 'cannot find type' errors. This commit adds
the missing imports.
Adds proper kernel-level namespace syscall handling:
- SYS_MKNS: dups the current namespace fd with the caller-supplied
buffer (NsDup::ForkNs + scheme names). The dup is handled by the
bootstrap's userspace namespace manager (initnsmgr) which creates
the new namespace and returns the fd.
- SYS_SETNS: switches the calling context's ns_fd to the given fd.
This makes the new namespace the default for all subsequent scheme
lookups by this context.
- Context gains an ns_fd: Option<usize> field, initialized to None,
meaning "use the global namespace" (default).
- Both syscalls are wired into the dispatch table in syscall/mod.rs.
Per local/docs/LOCAL-FORK-SUPREMACY-POLICY.md: the kernel fork must
be complete. Previously SYS_SETNS was undefined and SYS_MKNS returned
ENOSYS; init's setrens() panicked on bare metal.
sys_read and sys_write passed u64::MAX as the offset for non-positioned
file descriptors. Many scheme handlers (AddrSpace, proc:Start, etc.)
check offset != 0 or offset % word_size != 0, causing EINVAL when
receiving u64::MAX. Passing 0 instead fixes all non-positioned read/write
operations across all scheme handlers uniformly.
This replaces the per-handler u64::MAX workarounds with a root-cause fix.
sys_write passes u64::MAX as offset for non-positioned file descriptors.
ContextHandle::Start used an inline 'offset != 0' check which rejected
u64::MAX, causing EINVAL when bootstrap called start_fd.write(&[0]) during
fork_inner(). Replaced with require_zero_offset() which accepts both 0 and
u64::MAX (fixed in the previous commit for the same class of bug).
sys_write passes u64::MAX as the offset sentinel for non-positioned file
descriptors. The proc scheme's require_zero_offset rejected this value,
causing bootstrap's tcb_activate to crash with EINVAL when writing
EnvRegisters (fsbase) back to the regs/env handle.
This was the root cause of the 'Invalid opcode fault' during bootstrap
(PID 0) that prevented redbear-mini from reaching a login prompt.
Previously: PfError::Oom during page fault recovery caused the
entire kernel to panic via todo!("oom"). This means a single
OOM allocation in a user process would crash the whole OS.
Now: OOM is logged as a warning, the faulting process receives
SIGSEGV (same path as other non-fatal page faults), and the
kernel continues. The process may be killed, but the system
stays up. This is consistent with how Linux handles OOM during
page fault handling: send SIGSEGV/SIGKILL, don't panic.
The page fault handler for user-mode faults had a separate
arms for Segv, RecursionLimitExceeded, and NonfatalInternalError from
try_correcting_page_tables. The first two fell through to return
Segv to the process; NonfatalInternalError called todo!() which
causes a kernel panic. This is a kernel-level crash triggered by
a userspace page table correction attempt that reports an internal
(non-fatal) error.
Fix: collapse NonfatalInternalError into the same fall-through arm
as Segv and RecursionLimitExceeded. The error name says 'nonfatal'
— it should not crash the kernel. The userspace process receives
a segmentation fault signal instead.
Added println! to the syscall dispatch catch-all to log the
unknown syscall number and arguments when returning ENOSYS.
Previously any unrecognized syscall number silently returned
ENOSYS with no diagnostic, making it impossible to discover
missing syscall implementations without application-level
debugging.
Found by comprehensive disguised-stub audit (47 patterns, 37
actionable). This is the most impactful remaining fix from
that audit.
Added sync() and syncfs() syscall handlers. Both are no-ops
since Red Bear filesystem I/O is synchronous (data is always
on disk). syncfs(fd) delegates to scheme.fsync() for the
filesystem containing the fd.
Cross-referenced with Linux 7.1 fs/sync.c ksys_sync() and
do_syncfs(). SYS_SYNC uses number 119, SYS_SYNCFS uses 120.
Extended /proc/self resolution to handle sub-paths like
/proc/self/fd/0, /proc/self/stat, /proc/self/status, etc.
Previously only /proc/self (the directory itself) was resolved.
Now /proc/self/fd, /proc/self/stat, /proc/self/maps, and all
other sub-paths are resolved by replacing 'self' with the
current PID and delegating to the standard proc_open() parser.
Cross-referenced with Linux 7.1 fs/proc/self.c proc_self_get_link()
which creates a symlink to the current PID directory. This
completes the /proc/self implementation for all sub-entries.
The FADT fields (PM1a_CNT, PM1a_STS, FIRMWARE_CTRL) are at fixed
offsets from the START of the SDT (including the 36-byte ACPI header),
not from the data area. Previously using sdt.data_address() caused
reads from the wrong offset, making shutdown/reboot fail on real
hardware.
Fixed by reading from the SDT base pointer instead of data_address().
Cross-referenced with Linux 7.1 drivers/acpi/acpica/tbfadt.c which
reads FADT fields from the table base, accounting for the header.
Added FUTEX_REQUEUE (opcode 2) to the futex syscall implementation.
Cross-referenced with Linux 7.1 kernel/futex/requeue.c futex_requeue().
Operation: wake up to waiters on the primary futex, and
requeue up to waiters to a secondary futex at addr2.
This avoids the thundering herd problem in pthread condition
variable broadcast: instead of waking all waiters and having
them immediately contend, most are moved to a private futex
where they wake one at a time.
Previously the futex syscall would return EINVAL for FUTEX_REQUEUE,
breaking pthread_cond_broadcast on contended condition variables.
Added /proc/self resolution in open_inner(). When /proc/self
is opened, it resolves to /proc/<current-pid> by reading
context::current().pid and returning a ProcDir handle.
Cross-referenced with Linux 7.1 fs/proc/self.c proc_self_get_link()
which creates a symlink inode pointing to the current PID.
This enables 'ls /proc/self', 'cat /proc/self/status', and all
other tools that use /proc/self to access their own process info.
Added ProcFilesystems ContextHandle that lists supported filesystems
in Linux /proc/filesystems format. Lists sysfs, proc, devtmpfs,
and redoxfs as supported types.
Cross-referenced with Linux 7.1 fs/filesystems.c filesystems_proc_show().
'nodev' prefix indicates filesystems not requiring a block device.
Also added to ProcRoot directory listing.
Added ProcVersion ContextHandle that outputs the kernel version
string using CARGO_PKG_VERSION, TARGET, and COOKBOOK_SOURCE_IDENT
environment variables from the build system.
Cross-referenced with Linux 7.1 fs/proc/version.c version_proc_show().
Format: 'Red Bear OS version X.Y.Z (arch) source_ident'
Also added to ProcRoot directory listing.
Added ProcLoadavg ContextHandle that counts runnable contexts
using context::contexts() iterator and Status::is_runnable().
Outputs Linux /proc/loadavg format:
0.00 0.00 0.00 nr_runnable/total 0
Cross-referenced with Linux 7.1 fs/proc/loadavg.c loadavg_proc_show().
Load averages are 0.00 (Red Bear does not track 1/5/15-min EMA).
Last PID is 0 (no PID tracking yet).
Also added to ProcRoot directory listing.
Added ProcUptime ContextHandle that reads monotonic() time
from the kernel and outputs it as uptime_seconds idle_seconds
in Linux /proc/uptime format (two floats with newline).
Cross-referenced with Linux 7.1 fs/proc/uptime.c uptime_proc_show().
Idle time is 0.0 since Red Bear does not track per-CPU idle time.
Also added to ProcRoot directory listing.
Added ProcMeminfo ContextHandle that reads total_frames/free_frames
from the kernel memory subsystem and outputs them in Linux
/proc/meminfo format (MemTotal, MemFree, MemAvailable, Buffers,
Cached, SwapTotal, etc. all in kB).
Cross-referenced with Linux 7.1 fs/proc/meminfo.c meminfo_proc_show().
Also added to ProcRoot directory listing alongside cpuinfo.
Added ProcCpuinfo ContextHandle that calls the arch-specific
cpu_info() function to output processor information (model,
features, cache, topology). Appears as a regular file in
/proc/cpuinfo and is listed in the ProcRoot directory.
Cross-referenced with Linux 7.1 arch/x86/kernel/cpu/proc.c
show_cpuinfo() which formats /proc/cpuinfo from cpu_data.
Added ProcFdDir ContextHandle that lists open file descriptors
as symlink directory entries. Reads from posix_fdtbl and outputs
fd numbers (0, 1, 2, ...) as directory entries.
Cross-referenced with Linux 7.1 fs/proc/fd.c proc_fd_link()
and tid_fd_revalidate(). Listed fds are open (non-None) entries
from the process's POSIX file descriptor table.
Each entry appears as /proc/[pid]/fd/[n] for use by tools
like ls, lsof, and ps.
SYS_READ2 and SYS_WRITE2 are the positioned read/write syscalls
(equivalent to pread/pwrite in POSIX). Previously only SYS_READ and
SYS_WRITE were counted. Now all four I/O paths are tracked.
This makes /proc/[pid]/io accurate for programs that use
pread/pwrite (common in random-access file I/O, memory-mapped
I/O bypass, and async I/O libraries).
Cross-referenced with Linux 7.1 mm/filemap.c:rw_verify_area
which tracks these accounting fields for all read/write variants.