with empty body loops, put final semicolon on a new line for readability
ok bluhm@ jca@

Remove more __syscall() leftovers.

Fix syscall number bounds check computations.

Put back variable initialization mistakenly lost in 1.162

remove support for syscall(2) -- the "indirection system call" because
it is a dangerous alternative entry point for all system calls, and thus
incompatible with the precision system call entry point scheme we are
heading towards. This has been a 3-year mission:
First perl needed a code-generated wrapper to fake syscall(2) as a giant
switch table, then all the ports were cleaned with relatively minor fixes,
except for "go". "go" required two fixes -- 1) a framework issue with
old library versions, and 2) like perl, a fake syscall(2) wrapper to
handle ioctl(2) and sysctl(2) because "syscall(SYS_ioctl" occurs all over
the place in the "go" ecosystem because the "go developers" are plan9-loving
unix-hating folk who tried to build an ecosystem without allowing "ioctl".
ok kettenis, jsing, afresh1, sthen

__syscall() is no longer neccessary since the system calls which needed
it are now unpadded
ok kettenis guenther

we spent far too long debugging a weird go library problem (incorrect
arguments to mmap) because it was using syscall(2) and that callpath
is invisible in ktrace. make it visible, it will now show "(via syscall)"
and such.
ok guenther

Clean up more ancient history: since 2015 the libc stubs for
fork/vfork/__tfork haven't cared about the second return register.
So, stop setting retval[1] in kern_fork.c and stop setting the
second return register in the MD child_return() routines.

With the above, we have no multi-register return values on LP64,
so stop touching that register in the trapframe on those archs.

testing miod@ and aoyama@
ok miod@

Make sure we don't pass uninitialized siginfo values to trapsignal(); from
clang via jsg@, ok jsg@

the _pad_ system calls from 2021/12/23 can go away
ok guenther

Roll the syscalls that have an off_t argument to remove the explicit padding.
Switch libc and ld.so to the generic stubs for these calls.
WARNING: reboot to updated kernel before installing libc or ld.so!

Time for a story...

When gcc (back in 1.x days) first implemented long long, it didn't (always)
pass 64bit arguments in 'aligned' registers/stack slots, with the result that
argument offsets didn't match structure offsets. This affected the nine system
calls that pass off_t arguments:
ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate

To avoid having to do custom ASM wrappers for those, BSD put an explicit pad
argument in so that the off_t argument would always start on a even slot and
thus be naturally aligned. Thus those odd wrappers in lib/libc/sys/ that use
__syscall() and pass an extra '0' argument.

The ABIs for different CPUs eventually settled how things should be passed on
each and gcc 2.x followed them. The only arch now where it helps is landisk,
which needs to skip the last argument register if it would be the first half of
a 64bit argument. So: add new syscalls without the pad argument and on landisk
do that skipping directly in the syscall handler in the kernel. Keep compat
support for the existing syscalls long enough for the transition.

ok deraadt@

We only have one syscall table: inline sysent/SYS_MAXSYSCALL and
SYS_syscall as the nosys() function into the MD syscall entry
routines and the SYSCALL_DEBUG support. Adjust alpha's syscall
check to match the other archs. Also, make sysent const to get it
into .rodata.

With that, 'struct emul' is unused: delete it and all its references

ok millert@

trapsignal() can be called without KERNEL_LOCK, adjust code accordingly.
OK mpi@

spelling

uvm_grow() doesn't need KERNEL_LOCK anymore, and onfault never did.
minor refactorings to narrow KERNEL_LOCK just around uvm_fault()
ok kettenis

move the backwards-stack vm_minsaddr check from hppa trap.c to uvm_grow(),
within the correct #ifdef of course.
ok kettenis

use access_type as the PROT_* variable for uvm_fault() consistantly
ok kettenis

Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other
traps is at best opportunistic for finding a straight-running ROP chain,
but the added (and rare) sleeping point has proven to be dangerous.
Discussed at length with kettenis and mortimer.
ok mortimer kettenis mpi

When emulating reading from cr26 and cr27 on PCXS, simply set cr26 to zero
and take the cr27 value that was saved in the trap frame. This matches
what process_read_regs() does and prevents returning the wrong values if
the uvm_map_inentry() checks sleeps trying to grab the vm_map read lock.

ok miod@, deraadt@

Push KERNEL_LOCK/UNLOCK() dance inside trapsignal().

ok kettenis@, visa@

If uvm_map_inentry returns false then a signal has been delivered, and
userret() must be called on trap() exit to deliver it, rather than
repeating the same cause infinitely. discovered by George Koehler
ok kettenis bluhm visa

I wrote the pc-page-writeable and sp-not-MAP_STACK code to be shared, and
then ran into the messaging being poor. Then I fixed the messages. But
there are two sub-cases of sp-not-MAP_STACK -- one at syscall time, and
another at regular userland trap (on some architectures), and I bungled
that messaging. Correct that now, while I look for yet another better way...
discovered by millert, who ran an pre-MAP_STACK binary.

Refactor the MAP_STACK feature, and introduce another similar variation:
Lookup the address that a syscall instruction is executed from, and kill
the process if that page is writeable. This brings an aspect of W^X
behaviour to W|X mappings (in JITs not yet adapted to W^X). The goal is
to remove simple attack methods and force use of ret2libc or other more
complicated means.
ok kettenis stefan visa

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis

Fix the various SIGSEGV and SIGBUS scenarios to match what we do on
amd64/arm64/armv7/i386/sparc64.

ok visa@

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@

Various printf claim to report the PID, so actually report that and not the TID

Build testing assistance from deraadt@

Rename kdb_trap() into db_ktrap().

The goal is to include it in the list of functions that must not be
instrumented. All ddb(8) functions should be in this list and have
their names start with 'db_'.

ok visa@, deraadt@

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

#ifndef DDB, correct a format string..

Do the 64-bit argument swap dance, for the syscalls which require it,
unconditionaly instead of only doing it if invoked indirectly through syscall
or __syscall.

While there, tweak stack argument fetching to only perform one large copyin()
call, rather than a loop of small ones.

ok kettenis@

Fix ptrace() hanging hppa MP systems

Fiddling with uvm, registers and breakpoints requires taking the kernel lock
Problem spotted by tedu@

ok kettenis@ deraadt@ miod@

Move the increment of uvmexp.softs back to the caller of mi_ast():
it needs to be done atomicly on some MP archs and we don't have
atomic_add_int() everywhere yet. Also, mi_ast() was meant to be inline.

noted by miod@

sigh, another case of user.h before syscall_mi.h

Factor out the common ast bits into mi_ast()

ok deraadt@

Format string fixes and removal of -Wno-format for hppa kernels.

Have each thread keeps its own (counted!) reference to the process's ucreds
to avoid possible use-after-free references when swapping ids in threaded
processes. "Do I have the right creds?" checks are always made with the
threads creds.

Inspired by FreeBSD and NetBSD
"right time" deraadt@

Less <uvm/uvm.h>

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@

Correctly handle data memory protection ID traps: if occuring in user mode,
SIGSEGV the process; if occuring in kernel mode, check for a possible
pcb_onfault to recover, before otherwise panicing.

ok kettenis@

Remove emulation errno mapping code from platforms that no longer have
non-native emulations.

ok miod@

Handle T_IPROT traps from userland by call vm_fault() instead of doing an
unconditional SIGSEGV. Fixes random SIGSEGVs during single-stepping.

ok miod@

Don't include <sys/ktrace.h>; makes this file compile again.

Move the common bits of syscall invocation and return handling into
an MI file, <sys/syscall_mi.h>, correcting inconsistencies and the
handling when copyin() of arguments fails.

Tested on i386, amd64, sparc64, and alpha (thanks naddy@)
Any issues with other platforms will be fixed in tree.

header name from millert@; ok miod@

The first ktrace record for a newly spawned thread is a return
from a fork syscall done by the parent. Use __tfork, not rfork
here to match the ktrace records for the parent (CALL __tfork,
RET __tfork). ok guenther

oops, need a prototype for ast()

Make userret() MI. On architectures which jammed stuff into it in the
past, pull that code out seperately.
ok guenther miod

On PCXS processors, reading %cr26 and %cr27 from userland causes a
privileged register trap. Cope with this in the trap handler to let
userland use these registers; this will be necessary in the not-so-distant
future.

Revert art@'s moving around of the KERNEL_LOCK()/KERNEL_UNLOCK() calls,
as it causes hangs in some ports, including libsigsegv's configure script

confirmed by krw@, landry@

There is a bunch of places in the kernel entry points where we don't
hold the kernel lock, but still need call one function that needs it.

Instead of grabbing the lock all over the place, move the locks into
the affected functions: trapsignal, scdebug*, ktrsyscall, ktrsysret,
systrace_redirect and ADDUPROF. In the cases we already hold the biglock
we'll just recurse.

kettenis@, beck@ ok

Clean up after P_BIGLOCK removal.
KERNEL_PROC_LOCK -> KERNEL_LOCK
KERNEL_PROC_UNLOCK -> KERNEL_UNLOCK

oga@ ok

Fix whitespace and use #ifdef TRAPDEBUG instead of #if 0.

Move PPWAIT flag from struct proc to process, so that rthreads in
a vforked child behave correctly. Have the parent in a vfork()
wait on a (different) flag in *its* process instead of the child
to prevent a possible use-after-free. When ktracing the child
return from a fork, call it rfork if an rthread was created.

ok blambert@

Ansify function.

Convert netisr to a normal soft interrupt instead of hanving MD code
for it. This makes the netisr a real C function which will help further
development. No noticable performance change on i386 and amd64.
With input from kettenis@ and miod@ additional OKs mikeb@ and henning@

Remove ddb single-step load and store counters. Most platforms do not
implement them, and they are of questionable usefulness.

Create a struct to store FP state and include a pointer to the CPU that
currently holds the FPU context for this process. This will be soon used
to implement FPU shootdowns on multiprocessor kernels.

ok kettenis@

Do not store curcpu() in syscall and trap handlers since we can go to
sleep and wake up on another CPU.

ok kettenis@

Add missing prototypes
ok jsing kettenis

Make single stepping a system call work. Instead of single stepping through
the syscall gateway page, which doesn't work since that page is shared
between processes, this makes us step over that bit by setting a breakpoint
on the instruction where the system call returns.

ok miod@, jsing@

Since we use a direct mapping for the area where we save a process' floating
point registers, we no longer need to flush/purge the cache.

Add locking to trap and syscall handlers.

ok kettenis@ miod@

Make cpl and cpu_inintr per CPU variables. For locore.S, cpl becomes an
offset within cpu_primary_info - this will need to be revisited shortly.

ok kettenis@

Make want_resched a per CPU variable.

ok kettenis@ miod@

Move hppa to per process AST.

ok kettenis@ miod@

Handle PCXS data protection traps. Unlike other PA1.1 chips, there is a
single trap code for alignment and protection faults, so we have to
figure out which kind of problem we are facing.

ok kettenis@

realy -> really in comments. Most reported on tech@ by Jung.

move hppa to __HAVE_CPUINFO

input from miod@, ok kettenis@

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok

proper check for [non]user returns to syscall gate page; found by miod@

new shorter version of userret() as surely miod ment it to be like (; miod@ ok

undo last broken userret() change here; miod@ ok

Check for want_resched when processing AST and nowhere else. But then, when
doing so, do not check for signals - userret() will do this.

Nuke leftover references to procfs_mem.h.

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@

no more hppa_round_page() and hppa_trunc_page() macros

ok mickey@

In syscall(), do not recompute the struct proc * after the syscall has
succeeded. This used to be necessary for fork(), when returning in the child,
but we return in the child in child_return() which does TRT.

ok art@

Change child_return() to record a proper ktrace record for vfork child
processes.

ok art@ uwe@ (some time ago)

Add mquery to the system calls which need extra care due to off_t arguments
and reversed stack direction; ok mickey@

remove trailing newline in panic(9); ok millert@ and deraadt@

Implement PT_STEP for hppa.
ok mickey@

dig lpa

proper fault address selection (list all possible pc-based traps)

proper non-access fault handlers and probe emulations; testing by pval@ miod@ deraadt@

Use uvm_grow() to account for stack growth, rather than home-grown code
or nothing.
Inspired by a similar recent change in NetBSD.

poke and clean all exceptions regs and not just one

more coherent intrs counting

fill out error info into ret* regs upon failed syscall return

use local var copy of frame->tf_iir everywhere and fix one panic

handle zero division for userland as well; from otto@

Generate SIGTRAP for breakpoint instructions.
ok mickey@

implement spop1,,0 support

support probe instructions

only set child return values in the child_return() more like other archs

update copyright; miod@ is fine w/ files where he holds it too

repair fcnv* emulation.
generate proper signals/siginfo.
partially repairs the "otto" case.

Pass -Wformat, fix a few uninitialized variables as well.

Maybe fixing typos will unbore me.

do not treat traps from the syscall gate page as user code

on syscall exit restore old cpl if there is a need; move call for softints processing towards after that

typos

ok jmc@

always reread curproc and frame on return from the system call

count traps and interrupts

only check for space mismatch when coming from user.
the only case of user refering the kernel space is for the
syscall and that never faults since always mapped.
this fixes some random sig11 occurences.

In trap(), always initialize tts, even if TRAPDEBUG is not defined, as it
might needed for panic() messages.
ok mickey@

knf; mickey ok

Let kernels compile without DDB, USELEDS, and DIAGNOSTIC.
For future intallation media.

consistantly use uvm_prot_* vs vm_prot_* evewrhere

on user trap space mismatch just kill the offender, panic the kernel otherwise

make sure we are not allowing user to fault outside user address space and always print smth before dead_end

kill some debugging kdb_traps

make sure we are hitting user stack and not smth else here, make init show normal vsz in ps now

real interrupts/spl framework.
tested on 712/* 715/100, 715/33 which main cpu/bus types.
miod@ ok

this is a precision architecture -- be more precise about fault types and in sigsegv deliveries; vm_ssize is in pages, apparently

on implementations w/ fpu included unimplemented instructions
are signaled through the exception trap w/ invalid opcode marked
instruction in the exception registers, not through the emulation
trap (as long as the fpu is enabled, of course).
parse emulation from the exception trap as well as the emulation
trap and fix the dispatcher into usable condition.
parse invalid op exception on trap and signal the user appropriately.
reset the exception on exec and for child on fork.
the later is appropriate since exceptions are delayed until next
fpu instruction, which was in the parent indeed, let him get it.
save parent's fpu context on fork before cipying it, if the
parent owned the fpu.

make the leds blink (on those machines where we have 'em).
simple logic is to light up the led in the intrhook and dim in the
heartbeat always, makes a believable impression.
upper four bits represent a cpu usage w/in the last Hz/8
made up from the cp_time[] times.

handle fpu exceptions properly, might use a regress, i guess

give a condition trap own treatment, per millicode; and, oh horror, swap return of quad_t, sort of, sometimes

correct argsize for ktrsyscall

copy syscall args in the syscall() based on the
amount given in the sysent.
deal w/ the words swappage phenomena due to reverse
long word storage on the stack and that being
reverse copied by words yielding long word being word swapped.
do it only for syscall(2) and __syscall(2) since that's how those
w/ long word args syscalls get used (for proper alignment).
discussed and ideas from: deraadt@, drahn@ and fredette@

note: this might be a good point for a regress.

reset iir in the frame on _onfault handling, for mr.ddb

only one trap generates exec fault and fetches the fault address from the pc queues, also supply fault_type (not that it is used that much)

on itlb miss say type is VM_PROT_EXECUTE, per art@s suggestion

force alignment on the netisr and sir by mobving 'em into .data
and allocating space in the locore (ldcw require a 16byte alignment).
inform gcc that ldcw will change the memory (in asm()).
fix spl handling in the soft intrs piece.

Add systrace support to all the remaining architectures.

Tested by various people on various platforms, I'm willing to fix any
breakage this causes.

ok niels@ deraadt@ and mickey@ (after his comments were applied)

separate out interrupt handling stuff

rewrite a pmap to use multilevel page tables.
lower 12 bits contain the perms, no unused bits left,
but a couple for off-tlb use (as the ref implemented now).
do not use the hvt, which might get some use later
if proven to speed thigs up, tlb handlers would po
another dozen of insns though, but if that's worth its...
move on the data seg and map kernel text rdonly (idea form fredette),
since all of the page0 mods done before that we are all fine
except for some viper fluff, but later w/ that.
this also picks up a bit more of ddb magic for bpt and ss.
tlb handlers can use a little bit more of attention,
but things, visually, seem to be much faster already, --
sorry, no benchmarks for now.

* effort sponsored in part by the `henry st. old ale house'
* and mr.pete and mr.lee in particular in thier generous entrirety.
* the proj took a little more that 72man*h as it was expected,
* but within murhy's law estimations.

First round of __P removal in sys

remove debugging printf

disable trapdebug, better handling of eirr too

use splraise() when calling handlers; from fredette@

tiny fixens from netbsd

branches: 1.34.2;
zap some typedefs.
vm_map_t -> struct vm_map *
vm_map_entry_t -> struct vm_map_entry *
simple_lock_data_t -> struct simplelock

(uvm not done yet, coming in the next commit)

Sync in more uvm changes from NetBSD.
This time we're getting rid of KERN_* and VM_PAGER_* error codes and
use errnos instead.

child_return unscrewart

Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)

merge vm/vm_kern.h into uvm/uvm_extern.h; art@ ok

simplify userret

Get rid of CLSIZE and all related stuff.
CLSIZE -> 1
CLBYTES -> PAGE_SIZE
OLOFSET -> PAGE_MASK
etc.
At the same time some archs needed some cleaning in vmparam.h so that
goes in at the same time.

remove a little debugging

handle d/i prot traps proper

implement a few macros in cpu.h; pointer out by miod@

dirty trap should be handed w/ uvm_fault() as well

Change the ktrace interface functions from taking the trace vnode to taking the
traced proc. The vnode is in the proc and all functions need the proc.

use net/netisr_dispatch.h

missing semicolon

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion

branches: 1.19.2;
mark interrupt frames

some more cautions and debuggings; repair __syscall

some more paranoid checks, shorter trap desriptions

choose right map for a fault, better pcq advancement technique

rearrange diagnostic trap cases

fix order of uvm_fault() arguments in debug printf (;

track the maximum accessed stack size; basically this small piece of code is the same in all the archs

s/ipv6intr/ip6intr/

many traps, syscall nad other stuff

report unhandled interrupts w/ DEBUG only

unscrew the screup

evcnt count the interrupts, also optimize diagnostic printing

do the clock interrupt the narrow way.
fix soft interrupts.
some more debugs and other fixes.

skip break insn in the proper place, print cr28 in ddb, some debugging cruft

almost all of them

child_return(), some more traps to handle

syscall(), fix interrupt handling

panic prints a newline for you, don't do it in the panic string

some traps, hehe

Remove more __syscall() leftovers.

Fix syscall number bounds check computations.

Put back variable initialization mistakenly lost in 1.162

remove support for syscall(2) -- the "indirection system call" because
it is a dangerous alternative entry point for all system calls, and thus
incompatible with the precision system call entry point scheme we are
heading towards. This has been a 3-year mission:
First perl needed a code-generated wrapper to fake syscall(2) as a giant
switch table, then all the ports were cleaned with relatively minor fixes,
except for "go". "go" required two fixes -- 1) a framework issue with
old library versions, and 2) like perl, a fake syscall(2) wrapper to
handle ioctl(2) and sysctl(2) because "syscall(SYS_ioctl" occurs all over
the place in the "go" ecosystem because the "go developers" are plan9-loving
unix-hating folk who tried to build an ecosystem without allowing "ioctl".
ok kettenis, jsing, afresh1, sthen

__syscall() is no longer neccessary since the system calls which needed
it are now unpadded
ok kettenis guenther

we spent far too long debugging a weird go library problem (incorrect
arguments to mmap) because it was using syscall(2) and that callpath
is invisible in ktrace. make it visible, it will now show "(via syscall)"
and such.
ok guenther

Clean up more ancient history: since 2015 the libc stubs for
fork/vfork/__tfork haven't cared about the second return register.
So, stop setting retval[1] in kern_fork.c and stop setting the
second return register in the MD child_return() routines.

With the above, we have no multi-register return values on LP64,
so stop touching that register in the trapframe on those archs.

testing miod@ and aoyama@
ok miod@

Make sure we don't pass uninitialized siginfo values to trapsignal(); from
clang via jsg@, ok jsg@

the _pad_ system calls from 2021/12/23 can go away
ok guenther

Roll the syscalls that have an off_t argument to remove the explicit padding.
Switch libc and ld.so to the generic stubs for these calls.
WARNING: reboot to updated kernel before installing libc or ld.so!

Time for a story...

When gcc (back in 1.x days) first implemented long long, it didn't (always)
pass 64bit arguments in 'aligned' registers/stack slots, with the result that
argument offsets didn't match structure offsets. This affected the nine system
calls that pass off_t arguments:
ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate

To avoid having to do custom ASM wrappers for those, BSD put an explicit pad
argument in so that the off_t argument would always start on a even slot and
thus be naturally aligned. Thus those odd wrappers in lib/libc/sys/ that use
__syscall() and pass an extra '0' argument.

The ABIs for different CPUs eventually settled how things should be passed on
each and gcc 2.x followed them. The only arch now where it helps is landisk,
which needs to skip the last argument register if it would be the first half of
a 64bit argument. So: add new syscalls without the pad argument and on landisk
do that skipping directly in the syscall handler in the kernel. Keep compat
support for the existing syscalls long enough for the transition.

ok deraadt@

We only have one syscall table: inline sysent/SYS_MAXSYSCALL and
SYS_syscall as the nosys() function into the MD syscall entry
routines and the SYSCALL_DEBUG support. Adjust alpha's syscall
check to match the other archs. Also, make sysent const to get it
into .rodata.

With that, 'struct emul' is unused: delete it and all its references

ok millert@

trapsignal() can be called without KERNEL_LOCK, adjust code accordingly.
OK mpi@

spelling

uvm_grow() doesn't need KERNEL_LOCK anymore, and onfault never did.
minor refactorings to narrow KERNEL_LOCK just around uvm_fault()
ok kettenis

move the backwards-stack vm_minsaddr check from hppa trap.c to uvm_grow(),
within the correct #ifdef of course.
ok kettenis

use access_type as the PROT_* variable for uvm_fault() consistantly
ok kettenis

Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other
traps is at best opportunistic for finding a straight-running ROP chain,
but the added (and rare) sleeping point has proven to be dangerous.
Discussed at length with kettenis and mortimer.
ok mortimer kettenis mpi

When emulating reading from cr26 and cr27 on PCXS, simply set cr26 to zero
and take the cr27 value that was saved in the trap frame. This matches
what process_read_regs() does and prevents returning the wrong values if
the uvm_map_inentry() checks sleeps trying to grab the vm_map read lock.

ok miod@, deraadt@

Push KERNEL_LOCK/UNLOCK() dance inside trapsignal().

ok kettenis@, visa@

If uvm_map_inentry returns false then a signal has been delivered, and
userret() must be called on trap() exit to deliver it, rather than
repeating the same cause infinitely. discovered by George Koehler
ok kettenis bluhm visa

I wrote the pc-page-writeable and sp-not-MAP_STACK code to be shared, and
then ran into the messaging being poor. Then I fixed the messages. But
there are two sub-cases of sp-not-MAP_STACK -- one at syscall time, and
another at regular userland trap (on some architectures), and I bungled
that messaging. Correct that now, while I look for yet another better way...
discovered by millert, who ran an pre-MAP_STACK binary.

Refactor the MAP_STACK feature, and introduce another similar variation:
Lookup the address that a syscall instruction is executed from, and kill
the process if that page is writeable. This brings an aspect of W^X
behaviour to W|X mappings (in JITs not yet adapted to W^X). The goal is
to remove simple attack methods and force use of ret2libc or other more
complicated means.
ok kettenis stefan visa

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis

Fix the various SIGSEGV and SIGBUS scenarios to match what we do on
amd64/arm64/armv7/i386/sparc64.

ok visa@

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@

Various printf claim to report the PID, so actually report that and not the TID

Build testing assistance from deraadt@

Rename kdb_trap() into db_ktrap().

The goal is to include it in the list of functions that must not be
instrumented. All ddb(8) functions should be in this list and have
their names start with 'db_'.

ok visa@, deraadt@

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

#ifndef DDB, correct a format string..

Do the 64-bit argument swap dance, for the syscalls which require it,
unconditionaly instead of only doing it if invoked indirectly through syscall
or __syscall.

While there, tweak stack argument fetching to only perform one large copyin()
call, rather than a loop of small ones.

ok kettenis@

Fix ptrace() hanging hppa MP systems

Fiddling with uvm, registers and breakpoints requires taking the kernel lock
Problem spotted by tedu@

ok kettenis@ deraadt@ miod@

Move the increment of uvmexp.softs back to the caller of mi_ast():
it needs to be done atomicly on some MP archs and we don't have
atomic_add_int() everywhere yet. Also, mi_ast() was meant to be inline.

noted by miod@

sigh, another case of user.h before syscall_mi.h

Factor out the common ast bits into mi_ast()

ok deraadt@

Format string fixes and removal of -Wno-format for hppa kernels.

Have each thread keeps its own (counted!) reference to the process's ucreds
to avoid possible use-after-free references when swapping ids in threaded
processes. "Do I have the right creds?" checks are always made with the
threads creds.

Inspired by FreeBSD and NetBSD
"right time" deraadt@

Less <uvm/uvm.h>

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@

Correctly handle data memory protection ID traps: if occuring in user mode,
SIGSEGV the process; if occuring in kernel mode, check for a possible
pcb_onfault to recover, before otherwise panicing.

ok kettenis@

Remove emulation errno mapping code from platforms that no longer have
non-native emulations.

ok miod@

Handle T_IPROT traps from userland by call vm_fault() instead of doing an
unconditional SIGSEGV. Fixes random SIGSEGVs during single-stepping.

ok miod@

Don't include <sys/ktrace.h>; makes this file compile again.

Move the common bits of syscall invocation and return handling into
an MI file, <sys/syscall_mi.h>, correcting inconsistencies and the
handling when copyin() of arguments fails.

Tested on i386, amd64, sparc64, and alpha (thanks naddy@)
Any issues with other platforms will be fixed in tree.

header name from millert@; ok miod@

The first ktrace record for a newly spawned thread is a return
from a fork syscall done by the parent. Use __tfork, not rfork
here to match the ktrace records for the parent (CALL __tfork,
RET __tfork). ok guenther

oops, need a prototype for ast()

Make userret() MI. On architectures which jammed stuff into it in the
past, pull that code out seperately.
ok guenther miod

On PCXS processors, reading %cr26 and %cr27 from userland causes a
privileged register trap. Cope with this in the trap handler to let
userland use these registers; this will be necessary in the not-so-distant
future.

Revert art@'s moving around of the KERNEL_LOCK()/KERNEL_UNLOCK() calls,
as it causes hangs in some ports, including libsigsegv's configure script

confirmed by krw@, landry@

There is a bunch of places in the kernel entry points where we don't
hold the kernel lock, but still need call one function that needs it.

Instead of grabbing the lock all over the place, move the locks into
the affected functions: trapsignal, scdebug*, ktrsyscall, ktrsysret,
systrace_redirect and ADDUPROF. In the cases we already hold the biglock
we'll just recurse.

kettenis@, beck@ ok

Clean up after P_BIGLOCK removal.
KERNEL_PROC_LOCK -> KERNEL_LOCK
KERNEL_PROC_UNLOCK -> KERNEL_UNLOCK

oga@ ok

Fix whitespace and use #ifdef TRAPDEBUG instead of #if 0.

Move PPWAIT flag from struct proc to process, so that rthreads in
a vforked child behave correctly. Have the parent in a vfork()
wait on a (different) flag in *its* process instead of the child
to prevent a possible use-after-free. When ktracing the child
return from a fork, call it rfork if an rthread was created.

ok blambert@

Ansify function.

Convert netisr to a normal soft interrupt instead of hanving MD code
for it. This makes the netisr a real C function which will help further
development. No noticable performance change on i386 and amd64.
With input from kettenis@ and miod@ additional OKs mikeb@ and henning@

Remove ddb single-step load and store counters. Most platforms do not
implement them, and they are of questionable usefulness.

Create a struct to store FP state and include a pointer to the CPU that
currently holds the FPU context for this process. This will be soon used
to implement FPU shootdowns on multiprocessor kernels.

ok kettenis@

Do not store curcpu() in syscall and trap handlers since we can go to
sleep and wake up on another CPU.

ok kettenis@

Add missing prototypes
ok jsing kettenis

Make single stepping a system call work. Instead of single stepping through
the syscall gateway page, which doesn't work since that page is shared
between processes, this makes us step over that bit by setting a breakpoint
on the instruction where the system call returns.

ok miod@, jsing@

Since we use a direct mapping for the area where we save a process' floating
point registers, we no longer need to flush/purge the cache.

Add locking to trap and syscall handlers.

ok kettenis@ miod@

Make cpl and cpu_inintr per CPU variables. For locore.S, cpl becomes an
offset within cpu_primary_info - this will need to be revisited shortly.

ok kettenis@

Make want_resched a per CPU variable.

ok kettenis@ miod@

Move hppa to per process AST.

ok kettenis@ miod@

Handle PCXS data protection traps. Unlike other PA1.1 chips, there is a
single trap code for alignment and protection faults, so we have to
figure out which kind of problem we are facing.

ok kettenis@

realy -> really in comments. Most reported on tech@ by Jung.

move hppa to __HAVE_CPUINFO

input from miod@, ok kettenis@

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok

proper check for [non]user returns to syscall gate page; found by miod@

new shorter version of userret() as surely miod ment it to be like (; miod@ ok

undo last broken userret() change here; miod@ ok

Check for want_resched when processing AST and nowhere else. But then, when
doing so, do not check for signals - userret() will do this.

Nuke leftover references to procfs_mem.h.

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@

no more hppa_round_page() and hppa_trunc_page() macros

ok mickey@

In syscall(), do not recompute the struct proc * after the syscall has
succeeded. This used to be necessary for fork(), when returning in the child,
but we return in the child in child_return() which does TRT.

ok art@

Change child_return() to record a proper ktrace record for vfork child
processes.

ok art@ uwe@ (some time ago)

Add mquery to the system calls which need extra care due to off_t arguments
and reversed stack direction; ok mickey@

remove trailing newline in panic(9); ok millert@ and deraadt@

Implement PT_STEP for hppa.
ok mickey@

dig lpa

proper fault address selection (list all possible pc-based traps)

proper non-access fault handlers and probe emulations; testing by pval@ miod@ deraadt@

Use uvm_grow() to account for stack growth, rather than home-grown code
or nothing.
Inspired by a similar recent change in NetBSD.

poke and clean all exceptions regs and not just one

more coherent intrs counting

fill out error info into ret* regs upon failed syscall return

use local var copy of frame->tf_iir everywhere and fix one panic

handle zero division for userland as well; from otto@

Generate SIGTRAP for breakpoint instructions.
ok mickey@

implement spop1,,0 support

support probe instructions

only set child return values in the child_return() more like other archs

update copyright; miod@ is fine w/ files where he holds it too

repair fcnv* emulation.
generate proper signals/siginfo.
partially repairs the "otto" case.

Pass -Wformat, fix a few uninitialized variables as well.

Maybe fixing typos will unbore me.

do not treat traps from the syscall gate page as user code

on syscall exit restore old cpl if there is a need; move call for softints processing towards after that

typos

ok jmc@

always reread curproc and frame on return from the system call

count traps and interrupts

only check for space mismatch when coming from user.
the only case of user refering the kernel space is for the
syscall and that never faults since always mapped.
this fixes some random sig11 occurences.

In trap(), always initialize tts, even if TRAPDEBUG is not defined, as it
might needed for panic() messages.
ok mickey@

knf; mickey ok

Let kernels compile without DDB, USELEDS, and DIAGNOSTIC.
For future intallation media.

consistantly use uvm_prot_* vs vm_prot_* evewrhere

on user trap space mismatch just kill the offender, panic the kernel otherwise

make sure we are not allowing user to fault outside user address space and always print smth before dead_end

kill some debugging kdb_traps

make sure we are hitting user stack and not smth else here, make init show normal vsz in ps now

real interrupts/spl framework.
tested on 712/* 715/100, 715/33 which main cpu/bus types.
miod@ ok

this is a precision architecture -- be more precise about fault types and in sigsegv deliveries; vm_ssize is in pages, apparently

on implementations w/ fpu included unimplemented instructions
are signaled through the exception trap w/ invalid opcode marked
instruction in the exception registers, not through the emulation
trap (as long as the fpu is enabled, of course).
parse emulation from the exception trap as well as the emulation
trap and fix the dispatcher into usable condition.
parse invalid op exception on trap and signal the user appropriately.
reset the exception on exec and for child on fork.
the later is appropriate since exceptions are delayed until next
fpu instruction, which was in the parent indeed, let him get it.
save parent's fpu context on fork before cipying it, if the
parent owned the fpu.

make the leds blink (on those machines where we have 'em).
simple logic is to light up the led in the intrhook and dim in the
heartbeat always, makes a believable impression.
upper four bits represent a cpu usage w/in the last Hz/8
made up from the cp_time[] times.

handle fpu exceptions properly, might use a regress, i guess

give a condition trap own treatment, per millicode; and, oh horror, swap return of quad_t, sort of, sometimes

correct argsize for ktrsyscall

copy syscall args in the syscall() based on the
amount given in the sysent.
deal w/ the words swappage phenomena due to reverse
long word storage on the stack and that being
reverse copied by words yielding long word being word swapped.
do it only for syscall(2) and __syscall(2) since that's how those
w/ long word args syscalls get used (for proper alignment).
discussed and ideas from: deraadt@, drahn@ and fredette@

note: this might be a good point for a regress.

reset iir in the frame on _onfault handling, for mr.ddb

only one trap generates exec fault and fetches the fault address from the pc queues, also supply fault_type (not that it is used that much)

on itlb miss say type is VM_PROT_EXECUTE, per art@s suggestion

force alignment on the netisr and sir by mobving 'em into .data
and allocating space in the locore (ldcw require a 16byte alignment).
inform gcc that ldcw will change the memory (in asm()).
fix spl handling in the soft intrs piece.

Add systrace support to all the remaining architectures.

Tested by various people on various platforms, I'm willing to fix any
breakage this causes.

ok niels@ deraadt@ and mickey@ (after his comments were applied)

separate out interrupt handling stuff

rewrite a pmap to use multilevel page tables.
lower 12 bits contain the perms, no unused bits left,
but a couple for off-tlb use (as the ref implemented now).
do not use the hvt, which might get some use later
if proven to speed thigs up, tlb handlers would po
another dozen of insns though, but if that's worth its...
move on the data seg and map kernel text rdonly (idea form fredette),
since all of the page0 mods done before that we are all fine
except for some viper fluff, but later w/ that.
this also picks up a bit more of ddb magic for bpt and ss.
tlb handlers can use a little bit more of attention,
but things, visually, seem to be much faster already, --
sorry, no benchmarks for now.

* effort sponsored in part by the `henry st. old ale house'
* and mr.pete and mr.lee in particular in thier generous entrirety.
* the proj took a little more that 72man*h as it was expected,
* but within murhy's law estimations.

First round of __P removal in sys

remove debugging printf

disable trapdebug, better handling of eirr too

use splraise() when calling handlers; from fredette@

tiny fixens from netbsd

branches: 1.34.2;
zap some typedefs.
vm_map_t -> struct vm_map *
vm_map_entry_t -> struct vm_map_entry *
simple_lock_data_t -> struct simplelock

(uvm not done yet, coming in the next commit)

Sync in more uvm changes from NetBSD.
This time we're getting rid of KERN_* and VM_PAGER_* error codes and
use errnos instead.

child_return unscrewart

Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)

merge vm/vm_kern.h into uvm/uvm_extern.h; art@ ok

simplify userret

Get rid of CLSIZE and all related stuff.
CLSIZE -> 1
CLBYTES -> PAGE_SIZE
OLOFSET -> PAGE_MASK
etc.
At the same time some archs needed some cleaning in vmparam.h so that
goes in at the same time.

remove a little debugging

handle d/i prot traps proper

implement a few macros in cpu.h; pointer out by miod@

dirty trap should be handed w/ uvm_fault() as well

Change the ktrace interface functions from taking the trace vnode to taking the
traced proc. The vnode is in the proc and all functions need the proc.

use net/netisr_dispatch.h

missing semicolon

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion

branches: 1.19.2;
mark interrupt frames

some more cautions and debuggings; repair __syscall

some more paranoid checks, shorter trap desriptions

choose right map for a fault, better pcq advancement technique

rearrange diagnostic trap cases

fix order of uvm_fault() arguments in debug printf (;

track the maximum accessed stack size; basically this small piece of code is the same in all the archs

s/ipv6intr/ip6intr/

many traps, syscall nad other stuff

report unhandled interrupts w/ DEBUG only

unscrew the screup

evcnt count the interrupts, also optimize diagnostic printing

do the clock interrupt the narrow way.
fix soft interrupts.
some more debugs and other fixes.

skip break insn in the proper place, print cr28 in ddb, some debugging cruft

almost all of them

child_return(), some more traps to handle

syscall(), fix interrupt handling

panic prints a newline for you, don't do it in the panic string

some traps, hehe

Fix syscall number bounds check computations.

Put back variable initialization mistakenly lost in 1.162

remove support for syscall(2) -- the "indirection system call" because
it is a dangerous alternative entry point for all system calls, and thus
incompatible with the precision system call entry point scheme we are
heading towards. This has been a 3-year mission:
First perl needed a code-generated wrapper to fake syscall(2) as a giant
switch table, then all the ports were cleaned with relatively minor fixes,
except for "go". "go" required two fixes -- 1) a framework issue with
old library versions, and 2) like perl, a fake syscall(2) wrapper to
handle ioctl(2) and sysctl(2) because "syscall(SYS_ioctl" occurs all over
the place in the "go" ecosystem because the "go developers" are plan9-loving
unix-hating folk who tried to build an ecosystem without allowing "ioctl".
ok kettenis, jsing, afresh1, sthen

__syscall() is no longer neccessary since the system calls which needed
it are now unpadded
ok kettenis guenther

we spent far too long debugging a weird go library problem (incorrect
arguments to mmap) because it was using syscall(2) and that callpath
is invisible in ktrace. make it visible, it will now show "(via syscall)"
and such.
ok guenther

Clean up more ancient history: since 2015 the libc stubs for
fork/vfork/__tfork haven't cared about the second return register.
So, stop setting retval[1] in kern_fork.c and stop setting the
second return register in the MD child_return() routines.

With the above, we have no multi-register return values on LP64,
so stop touching that register in the trapframe on those archs.

testing miod@ and aoyama@
ok miod@

Make sure we don't pass uninitialized siginfo values to trapsignal(); from
clang via jsg@, ok jsg@

the _pad_ system calls from 2021/12/23 can go away
ok guenther

Roll the syscalls that have an off_t argument to remove the explicit padding.
Switch libc and ld.so to the generic stubs for these calls.
WARNING: reboot to updated kernel before installing libc or ld.so!

Time for a story...

When gcc (back in 1.x days) first implemented long long, it didn't (always)
pass 64bit arguments in 'aligned' registers/stack slots, with the result that
argument offsets didn't match structure offsets. This affected the nine system
calls that pass off_t arguments:
ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate

To avoid having to do custom ASM wrappers for those, BSD put an explicit pad
argument in so that the off_t argument would always start on a even slot and
thus be naturally aligned. Thus those odd wrappers in lib/libc/sys/ that use
__syscall() and pass an extra '0' argument.

The ABIs for different CPUs eventually settled how things should be passed on
each and gcc 2.x followed them. The only arch now where it helps is landisk,
which needs to skip the last argument register if it would be the first half of
a 64bit argument. So: add new syscalls without the pad argument and on landisk
do that skipping directly in the syscall handler in the kernel. Keep compat
support for the existing syscalls long enough for the transition.

ok deraadt@

We only have one syscall table: inline sysent/SYS_MAXSYSCALL and
SYS_syscall as the nosys() function into the MD syscall entry
routines and the SYSCALL_DEBUG support. Adjust alpha's syscall
check to match the other archs. Also, make sysent const to get it
into .rodata.

With that, 'struct emul' is unused: delete it and all its references

ok millert@

trapsignal() can be called without KERNEL_LOCK, adjust code accordingly.
OK mpi@

spelling

uvm_grow() doesn't need KERNEL_LOCK anymore, and onfault never did.
minor refactorings to narrow KERNEL_LOCK just around uvm_fault()
ok kettenis

move the backwards-stack vm_minsaddr check from hppa trap.c to uvm_grow(),
within the correct #ifdef of course.
ok kettenis

use access_type as the PROT_* variable for uvm_fault() consistantly
ok kettenis

Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other
traps is at best opportunistic for finding a straight-running ROP chain,
but the added (and rare) sleeping point has proven to be dangerous.
Discussed at length with kettenis and mortimer.
ok mortimer kettenis mpi

When emulating reading from cr26 and cr27 on PCXS, simply set cr26 to zero
and take the cr27 value that was saved in the trap frame. This matches
what process_read_regs() does and prevents returning the wrong values if
the uvm_map_inentry() checks sleeps trying to grab the vm_map read lock.

ok miod@, deraadt@

Push KERNEL_LOCK/UNLOCK() dance inside trapsignal().

ok kettenis@, visa@

If uvm_map_inentry returns false then a signal has been delivered, and
userret() must be called on trap() exit to deliver it, rather than
repeating the same cause infinitely. discovered by George Koehler
ok kettenis bluhm visa

I wrote the pc-page-writeable and sp-not-MAP_STACK code to be shared, and
then ran into the messaging being poor. Then I fixed the messages. But
there are two sub-cases of sp-not-MAP_STACK -- one at syscall time, and
another at regular userland trap (on some architectures), and I bungled
that messaging. Correct that now, while I look for yet another better way...
discovered by millert, who ran an pre-MAP_STACK binary.

Refactor the MAP_STACK feature, and introduce another similar variation:
Lookup the address that a syscall instruction is executed from, and kill
the process if that page is writeable. This brings an aspect of W^X
behaviour to W|X mappings (in JITs not yet adapted to W^X). The goal is
to remove simple attack methods and force use of ret2libc or other more
complicated means.
ok kettenis stefan visa

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis

Fix the various SIGSEGV and SIGBUS scenarios to match what we do on
amd64/arm64/armv7/i386/sparc64.

ok visa@

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@

Various printf claim to report the PID, so actually report that and not the TID

Build testing assistance from deraadt@

Rename kdb_trap() into db_ktrap().

The goal is to include it in the list of functions that must not be
instrumented. All ddb(8) functions should be in this list and have
their names start with 'db_'.

ok visa@, deraadt@

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

#ifndef DDB, correct a format string..

Do the 64-bit argument swap dance, for the syscalls which require it,
unconditionaly instead of only doing it if invoked indirectly through syscall
or __syscall.

While there, tweak stack argument fetching to only perform one large copyin()
call, rather than a loop of small ones.

ok kettenis@

Fix ptrace() hanging hppa MP systems

Fiddling with uvm, registers and breakpoints requires taking the kernel lock
Problem spotted by tedu@

ok kettenis@ deraadt@ miod@

Move the increment of uvmexp.softs back to the caller of mi_ast():
it needs to be done atomicly on some MP archs and we don't have
atomic_add_int() everywhere yet. Also, mi_ast() was meant to be inline.

noted by miod@

sigh, another case of user.h before syscall_mi.h

Factor out the common ast bits into mi_ast()

ok deraadt@

Format string fixes and removal of -Wno-format for hppa kernels.

Have each thread keeps its own (counted!) reference to the process's ucreds
to avoid possible use-after-free references when swapping ids in threaded
processes. "Do I have the right creds?" checks are always made with the
threads creds.

Inspired by FreeBSD and NetBSD
"right time" deraadt@

Less <uvm/uvm.h>

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@

Correctly handle data memory protection ID traps: if occuring in user mode,
SIGSEGV the process; if occuring in kernel mode, check for a possible
pcb_onfault to recover, before otherwise panicing.

ok kettenis@

Remove emulation errno mapping code from platforms that no longer have
non-native emulations.

ok miod@

Handle T_IPROT traps from userland by call vm_fault() instead of doing an
unconditional SIGSEGV. Fixes random SIGSEGVs during single-stepping.

ok miod@

Don't include <sys/ktrace.h>; makes this file compile again.

Move the common bits of syscall invocation and return handling into
an MI file, <sys/syscall_mi.h>, correcting inconsistencies and the
handling when copyin() of arguments fails.

Tested on i386, amd64, sparc64, and alpha (thanks naddy@)
Any issues with other platforms will be fixed in tree.

header name from millert@; ok miod@

The first ktrace record for a newly spawned thread is a return
from a fork syscall done by the parent. Use __tfork, not rfork
here to match the ktrace records for the parent (CALL __tfork,
RET __tfork). ok guenther

oops, need a prototype for ast()

Make userret() MI. On architectures which jammed stuff into it in the
past, pull that code out seperately.
ok guenther miod

On PCXS processors, reading %cr26 and %cr27 from userland causes a
privileged register trap. Cope with this in the trap handler to let
userland use these registers; this will be necessary in the not-so-distant
future.

Revert art@'s moving around of the KERNEL_LOCK()/KERNEL_UNLOCK() calls,
as it causes hangs in some ports, including libsigsegv's configure script

confirmed by krw@, landry@

There is a bunch of places in the kernel entry points where we don't
hold the kernel lock, but still need call one function that needs it.

Instead of grabbing the lock all over the place, move the locks into
the affected functions: trapsignal, scdebug*, ktrsyscall, ktrsysret,
systrace_redirect and ADDUPROF. In the cases we already hold the biglock
we'll just recurse.

kettenis@, beck@ ok

Clean up after P_BIGLOCK removal.
KERNEL_PROC_LOCK -> KERNEL_LOCK
KERNEL_PROC_UNLOCK -> KERNEL_UNLOCK

oga@ ok

Fix whitespace and use #ifdef TRAPDEBUG instead of #if 0.

Move PPWAIT flag from struct proc to process, so that rthreads in
a vforked child behave correctly. Have the parent in a vfork()
wait on a (different) flag in *its* process instead of the child
to prevent a possible use-after-free. When ktracing the child
return from a fork, call it rfork if an rthread was created.

ok blambert@

Ansify function.

Convert netisr to a normal soft interrupt instead of hanving MD code
for it. This makes the netisr a real C function which will help further
development. No noticable performance change on i386 and amd64.
With input from kettenis@ and miod@ additional OKs mikeb@ and henning@

Remove ddb single-step load and store counters. Most platforms do not
implement them, and they are of questionable usefulness.

Create a struct to store FP state and include a pointer to the CPU that
currently holds the FPU context for this process. This will be soon used
to implement FPU shootdowns on multiprocessor kernels.

ok kettenis@

Do not store curcpu() in syscall and trap handlers since we can go to
sleep and wake up on another CPU.

ok kettenis@

Add missing prototypes
ok jsing kettenis

Make single stepping a system call work. Instead of single stepping through
the syscall gateway page, which doesn't work since that page is shared
between processes, this makes us step over that bit by setting a breakpoint
on the instruction where the system call returns.

ok miod@, jsing@

Since we use a direct mapping for the area where we save a process' floating
point registers, we no longer need to flush/purge the cache.

Add locking to trap and syscall handlers.

ok kettenis@ miod@

Make cpl and cpu_inintr per CPU variables. For locore.S, cpl becomes an
offset within cpu_primary_info - this will need to be revisited shortly.

ok kettenis@

Make want_resched a per CPU variable.

ok kettenis@ miod@

Move hppa to per process AST.

ok kettenis@ miod@

Handle PCXS data protection traps. Unlike other PA1.1 chips, there is a
single trap code for alignment and protection faults, so we have to
figure out which kind of problem we are facing.

ok kettenis@

realy -> really in comments. Most reported on tech@ by Jung.

move hppa to __HAVE_CPUINFO

input from miod@, ok kettenis@

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok

proper check for [non]user returns to syscall gate page; found by miod@

new shorter version of userret() as surely miod ment it to be like (; miod@ ok

undo last broken userret() change here; miod@ ok

Check for want_resched when processing AST and nowhere else. But then, when
doing so, do not check for signals - userret() will do this.

Nuke leftover references to procfs_mem.h.

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@

no more hppa_round_page() and hppa_trunc_page() macros

ok mickey@

In syscall(), do not recompute the struct proc * after the syscall has
succeeded. This used to be necessary for fork(), when returning in the child,
but we return in the child in child_return() which does TRT.

ok art@

Change child_return() to record a proper ktrace record for vfork child
processes.

ok art@ uwe@ (some time ago)

Add mquery to the system calls which need extra care due to off_t arguments
and reversed stack direction; ok mickey@

remove trailing newline in panic(9); ok millert@ and deraadt@

Implement PT_STEP for hppa.
ok mickey@

dig lpa

proper fault address selection (list all possible pc-based traps)

proper non-access fault handlers and probe emulations; testing by pval@ miod@ deraadt@

Use uvm_grow() to account for stack growth, rather than home-grown code
or nothing.
Inspired by a similar recent change in NetBSD.

poke and clean all exceptions regs and not just one

more coherent intrs counting

fill out error info into ret* regs upon failed syscall return

use local var copy of frame->tf_iir everywhere and fix one panic

handle zero division for userland as well; from otto@

Generate SIGTRAP for breakpoint instructions.
ok mickey@

implement spop1,,0 support

support probe instructions

only set child return values in the child_return() more like other archs

update copyright; miod@ is fine w/ files where he holds it too

repair fcnv* emulation.
generate proper signals/siginfo.
partially repairs the "otto" case.

Pass -Wformat, fix a few uninitialized variables as well.

Maybe fixing typos will unbore me.

do not treat traps from the syscall gate page as user code

on syscall exit restore old cpl if there is a need; move call for softints processing towards after that

typos

ok jmc@

always reread curproc and frame on return from the system call

count traps and interrupts

only check for space mismatch when coming from user.
the only case of user refering the kernel space is for the
syscall and that never faults since always mapped.
this fixes some random sig11 occurences.