- Copy stable/10@296371 to releng/10.3 in preparation for 10.3-RC1
builds.
- Update newvers.sh to reflect RC1.
- Update __FreeBSD_version to reflect 10.3.
- Update default pkg(8) configuration to use the quarterly branch.

Approved by: re (implicit)

o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp]
o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]

Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879
Security: FreeBSD-SA-16:03.linux, CVE-2016-1880
Security: FreeBSD-SA-16:04.linux, CVE-2016-1881
Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882
Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677

Merge from head r292743, r293627 by dchagin:
------------------------------------------------------------------------
r292743 | dchagin | 2015-12-26 01:04:47 -0800 (сб, 26 дек. 2015) | 5 lines

Do not allow access to emuldata for non Linux processes.

------------------------------------------------------------------------
r293627 | dchagin | 2016-01-09 23:36:43 -0800 (сб, 09 янв. 2016) | 6 lines

Unlock process lock when return error from getrobustlist call and add
an forgotten dtrace probe when return the same error.

MFC r283463:

Do not use struct l_timespec without conversion. While here move
args->timeout handling before acquiring the futex key at FUTEX_WAIT path.

MFC r283462:

Add prototypes for static futex functions.

MFC r283460:

Print out unsupported futex operation message only once for the process.

MFC r283427:

Where possible we will use M_LINUX malloc(9) type.
Move M_FUTEX defines to the linux_common.ko.

MFC r283422:

Refund the proc emuldata struct for future use. For now move flags from
thread emuldata to proc emuldata as it was originally intended.

As we can have both 64 & 32 bit Linuxulator running any eventhandler
can be called twice for us. To prevent this move eventhandlers code
from linux_emul.c to the linux_common.ko module.

MFC r283383:

Switch linuxulator to use the native 1:1 threads.

The reasons:
1. Get rid of the stubs/quirks with process dethreading,
process reparent when the process group leader exits and close
to this problems on wait(), waitpid(), etc.
2. Reuse our kernel code instead of writing excessive thread
managment routines in Linuxulator.

Implementation details:

1. The thread is created via kern_thr_new() in the clone() call with
the CLONE_THREAD parameter. Thus, everything else is a process.
2. The test that the process has a threads is done via P_HADTHREADS
bit p_flag of struct proc.
3. Per thread emulator state data structure is now located in the
struct thread and freed in the thread_dtor() hook.
Mandatory holdig of the p_mtx required when referencing emuldata
from the other threads.
4. PID mangling has changed. Now Linux pid is the native tid
and Linux tgid is the native pid, with the exception of the first
thread in the process where tid and pid are one and the same.

Ugliness:

In case when the Linux thread is the initial thread in the thread
group thread id is equal to the process id. Glibc depends on this
magic (assert in pthread_getattr_np.c). So for system calls that
take thread id as a parameter we should use the special method
to reference struct thread.

MFC r276511:
Fix Clang warning: passing 'unsigned int *' to parameter of type 'int *'
converts between pointers to integer types with different sign.

MFC r266924:

Glibc was switched to the FUTEX_WAIT_BITSET op and CLOCK_REALTIME
flag has been added instead of FUTEX_WAIT to replace the FUTEX_WAIT
logic which needs to do gettimeofday() calls before the futex syscall
to convert the absolute timeout to a relative timeout.
Before this the CLOCK_MONOTONIC used by the FUTEX_WAIT_BITSET op.

When the FUTEX_CLOCK_REALTIME is specified the timeout is an absolute
time, not a relative time. Rework futex_wait to handle this.
On the side fix the futex leak in error case and remove useless
parentheses.

Properly calculate the timeout for the CLOCK_MONOTONIC case.

Tested by: Hans Petter Selasky

MFC r266782:

In r218101 I have not changed properly the futex syscall definition.
Some Linux futex ops atomically verifies that the futex address uaddr
(uval) contains the value val. Comparing signed uval and unsigned val
may lead to an unexpected result, mostly to a deadlock.

So copyin uaddr to an unsigned int to compare the parameters correctly.

While here change ktr records to print parameters in more readable format.

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Fix some typos that were causing probe argument types to show up as unknown.

Reviewed by: rwatson (mac provider)
Approved by: re (glebius)
MFC after: 1 week

Arithmetic on pointers takes into account the size of the type. Properly cast the pointer to avoid incorrect pointer scaling.

MFC after: 1 Week

- >500 static DTrace probes for the linuxulator
- DTrace scripts to check for errors, performance, ...
they serve mostly as examples of what you can do with the static probe;s
with moderate load the scripts may be overwhelmed, excessive lock-tracing
may influence program behavior (see the last design decission)

Design decissions:
- use "linuxulator" as the provider for the native bitsize; add the
bitsize for the non-native emulation (e.g. "linuxuator32" on amd64)
- Add probes only for locks which are acquired in one function and released
in another function. Locks which are aquired and released in the same
function should be easy to pair in the code, inter-function
locking is more easy to verify in DTrace.
- Probes for locks should be fired after locking and before releasing to
prevent races (to provide data/function stability in DTrace, see the
man-page of "dtrace -v ..." and the corresponding DTrace docs).

Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.

This means that their use is restricted to a single C file.

Remove now-obsolete comment.

Submitted by: netchild
MFC after: 1 week

Print out shared flag for debug purpose.

MFC after: 1 Week

Switch PROCESS_SHARE to AUTO_SHARE (as umtx do). Even for SHARED,
if page mapped MAP_ANON linux uses private algorithm too.

Disscussed with: jhb

MFC after: 3 Days

Use umtx_key objects to uniquely identify futexes. Private futexes in
different processes that happen to use the same user address in the
separate processes will now be treated as distinct futexes rather than the
same futex. We can now honor shared futexes properly by mapping them to a
PROCESS_SHARED umtx_key. Private futexes use THREAD_SHARED umtx_key
objects.

In conjunction with: dchagin
Reviewed by: kib
MFC after: 1 week

Style(9) fix. Do not initialize variables in the declarations.

Sort include files in the alphabetical order.

Remove comment about 'ftlk' LOR.

Stop printing the LOR, as this is expected behavior.

The bitset field of freshly created futex should be initialized explicity.
Otherwise, REQUEUE operations fails.

Rename used_requeue and use it as bitwise field to store more flags.
Reimplement used_requeue logic with LINUX_XDEPR_REQUEUEOP flag.

Yet another unimplemented futex operation, print out about.

Submitted by: arundel
MFC after: 1 month.

Implement a futex BITSET op.

Submitted by: arundel
MFC after: 1 month.

Remove trailing dot from the unimplemented futex messages to make
them consistent with the syscall and ipc messages.

Submitted by: arundel
MFC after: 3 days

Some style(9) fixes.

Submitted by: arundel
MFC after: 1 week

- print out the PID and program name of the program trying to use an
unsupported futex operation
- for those futex operations which are known to be not supported,
print out which futex operation it is
- shortcut the error return of the unsupported FUTEX_CLOCK_REALTIME in
some cases:
FUTEX_CLOCK_REALTIME can be used to tell linux to use
CLOCK_REALTIME instead of CLOCK_MONOTONIC. FUTEX_CLOCK_REALTIME
however must only be set, if either FUTEX_WAIT_BITSET or
FUTEX_WAIT_REQUEUE_PI are set too. If that's not the case
we can die with ENOSYS right at the beginning.

Submitted by: arundel
Reviewed by: rdivacky (earlier iteration of the patch)
MFC after: 1 week

Simplify timeout check in futex_wait() using itimerfix() and return error
if the given timeout is invalid. Consistently use int type for timeout and
correct a format string in futex_sleep().

Fix a comparision of an uninitialised pointer.

Submitted by: arundel
Found by: clang analysis (automatic service by uqs@)
Reviewed by: rdivacky

Remove extraneous semicolons, no functional changes.

Submitted by: Marc Balmer <marc@msys.ch>
MFC after: 1 week

Unlock process lock when return error from getrobustlist call.

Tested by: Alexander Best <alexbestms at math uni-muenster de>
Approved by: kib (mentor)
MFC after: 3 days

Add KTR(9) tracing for futex emulation.

Approved by: kib (mentor)
MFC after: 1 month

Move extern variable definitions to the header file.

Approved by: kib (mentor)
MFC after: 1 month

Reimplement futexes.
Old implemention used Giant to protect the kernel data structures,
but at the same time called malloc(M_WAITOK), that could cause the
calling thread to sleep and lost Giant protection. User-visible
result was the missed wakeup.

New implementation uses one sx lock per futex. The sx protects
the futex structures and allows to sleep while copyin or copyout
are performed.

Unlike linux, we return EINVAL when FUTEX_CMP_REQUEUE operation
is requested and either caller specified futexes are equial or
second futex already exists. This is acceptable since the situation
can only occur from the application error, and glibc falls back to
old FUTEX_WAKE operation when FUTEX_CMP_REQUEUE returns an error.

Approved by: kib (mentor)
MFC after: 1 month

Remove support for FUTEX_REQUEUE operation.
Glibc does not use this operation since 2.3.3 version (Jun 2004),
as it is racy and replaced by FUTEX_CMP_REQUEUE operation.
Glibc versions prior to 2.3.3 fall back to FUTEX_WAKE when
FUTEX_REQUEUE returned EINVAL.

Any application directly using FUTEX_REQUEUE without return
value checking are definitely broken.

Limit quantity of messages per process about unsupported
operation.

Approved by: kib (mentor)
MFC after: 1 month

Sort include files in the alphabetical order.

Approved by: kib (mentor)
MFC after: 2 weeks

Ignore FUTEX_FD op, as it is done by linux.

Approved by: kib (mentor)
MFC after: 2 weeks

Include linux_futex.h before linux_emul.h

Approved by: kib (mentor)
MFC after: 6 days

In the robust futexes list head, futex_offset shall be signed,
and glibc actually supplies negative offsets. Change l_ulong to l_long.

Submitted by: dchagin

Make robust futexes work on linux32/amd64. Use PTRIN to read
user-mode pointers. Change types used in the structures definitions to
properly-sized architecture-specific types.

Submitted by: dchagin
MFC after: 1 week

Implement robust futexes. Most of the code is modelled after
what Linux does. This is because robust futexes are mostly
userspace thing which we cannot alter. Two syscalls maintain
pointer to userspace list and when process exits a routine
walks this list waking up processes sleeping on futexes
from that list.

Reviewed by: kib (mentor)
MFC after: 1 month

o Add stub support for some new futex operations,
so the annoying message is not printed.

o Don't warn about FUTEX_FD not being implemented
and return ENOSYS instead of 0 (eg. success).

o Clear FUTEX_PRIVATE_FLAG as we actually implement
only private futexes so there is no reason to
return ENOSYS when app asks for a private futex.
We don't reject shared futexes because they worked
just fine with our implementation so far.

Approved by: kib (mentor)
Tested by: bsam
MFC after: 1 week

Return ENOSYS instead of 0 for the unknown futex operations.

Submitted by: rdivacky
Reported and tested by: Gary Stanley <gary velocity-servers net>

Move futex support code from <arch>/support.s into linux compat directory.
Implement all futex atomic operations in assembler to not depend on the
fuword() that does not allow to distinguish between -1 and failure return.
Correctly return 0 from atomic operations on success.

In collaboration with: rdivacky
Tested by: Scot Hetzel <swhetzel gmail com>, Milos Vyletel <mvyletel mzm cz>
Sponsored by: Google SoC 2007

MFP4: Linux futex support for amd64.

Initial patch was submitted by kib and additional work was done
by Divacky Roman.

Tested by: emulation

MFp4 (110541):
Sync with rev 1.7 in NetBSD.

Obtained from: NetBSD

MFp4 (110523, parts which apply cleanly):
semi-automatic style(9)

The futex stuff already differs a lot (only a small part does not differ)
from NetBSD, so we are already way off and can't apply changes from NetBSD
automatically. As we need to merge everything by hand already, we can even
make the files comply to our world order.

Change futex lock from mutex to sx. Make futex_get atomic (protected by the
futex lock).

Sponsored by: Google SoC 2006
Submitted by: rdivacky
Suggested by: jhb

- don't wake every sleeper just the first one [1]
- remove debuging printf [2]

Submitted by: intron <mag@intron.ac> [1], rdivacky [2]

Correct the number of retries in a futex_wake() call.

Sponsored by: Google SoC 2006
Submitted by: rdivacky

ifdef DEBUG a printf

Submitted by: rdivacky

Fix the DEBUG build:
- linux_emul.c [1]
- linux_futex.c [2]

Sponsored by: Google SoC 2006 [1]
Submitted by: rdivacky [1]
netchild [2]

Add some new files needed for linux 2.6.x compatibility.

Please don't style(9) the NetBSD code, we want to stay in sync. Not imported
on a vendor branch since we need local changes.

Sponsored by: Google SoC 2006
Submitted by: rdivacky
With help from: manu@NetBSD.org
Obtained from: NetBSD (linux_{futex,time}.*)