Cope with the rare case of an imprecise FPU exception caught when
reenabling the FPU as part of the regular processing of another exception.

Fix format strings in TRAPDEBUG code and unbreak 88110_syscall. NFC

Delete unused labels which cause error in making kernel.

ok miod@

Since no system call takes more than 6 arguments, and no more than one
off_t argument, there is no need to process more than 6 arguments on
64-bit platforms and 8 on 32-bit platforms.

Make the syscall argument gathering code simpler by removing never-used code
to fetch more arguments from the stack, and local argument arrays when pointing
to the trap frame does the job.

ok guenther@ jsing@

Drop no-longer-applicable comment.

Fix syscall number bounds check computations.

remove support for syscall(2) -- the "indirection system call" because
it is a dangerous alternative entry point for all system calls, and thus
incompatible with the precision system call entry point scheme we are
heading towards. This has been a 3-year mission:
First perl needed a code-generated wrapper to fake syscall(2) as a giant
switch table, then all the ports were cleaned with relatively minor fixes,
except for "go". "go" required two fixes -- 1) a framework issue with
old library versions, and 2) like perl, a fake syscall(2) wrapper to
handle ioctl(2) and sysctl(2) because "syscall(SYS_ioctl" occurs all over
the place in the "go" ecosystem because the "go developers" are plan9-loving
unix-hating folk who tried to build an ecosystem without allowing "ioctl".
ok kettenis, jsing, afresh1, sthen

Revert r1.31 - contrary to what I wrote, scaled versions of ld.d and st.d
are 64-bit loads and stores and may hit aligned-to-32-bits-but-not-64-bits
addresses.

__syscall() is no longer neccessary since the system calls which needed
it are now unpadded
ok kettenis guenther

On systems without xonly mmu hardware-enforcement, we can still mitigate
against classic BROP with a range-checking wrapper in front of copyin() and
copyinstr() which ensures the userland source doesn't overlap the main program
text, ld.so text, signal tramp text (it's mapping is hard to distinguish
so it comes along for the ride), or libc.so text. ld.so tells the kernel
libc.so text range with msyscall(2). The range checking for 2-4 elements is
done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been
discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:
userland kernel
ld.so readable unreadable
mmap xz unreadable unreadable
mmap x readable readable
mmap nrx readable readable
mmap nwx readable readable
mmap xnwx readable readable
main readable unreadable
libc unmapped? readable unreadable
libc mapped readable unreadable

ok kettenis, additional help from miod

we spent far too long debugging a weird go library problem (incorrect
arguments to mmap) because it was using syscall(2) and that callpath
is invisible in ktrace. make it visible, it will now show "(via syscall)"
and such.
ok guenther

Use PROT_EXEC when servicing instruction faults.
ok aoyama@

Clean up more ancient history: since 2015 the libc stubs for
fork/vfork/__tfork haven't cared about the second return register.
So, stop setting retval[1] in kern_fork.c and stop setting the
second return register in the MD child_return() routines.

With the above, we have no multi-register return values on LP64,
so stop touching that register in the trapframe on those archs.

testing miod@ and aoyama@
ok miod@

use string literal for format string
ok miod@

Correctly detect xmem operations faulting on missing pages on 88110.
These must be handled as write faults rather than read faults, since xmem
performs both a read and a write, and unlike on 88100, we don't have an easy
bit to check.

This solves libcrypto spinning on its locks on 88110.

We only have one syscall table: inline sysent/SYS_MAXSYSCALL and
SYS_syscall as the nosys() function into the MD syscall entry
routines and the SYSCALL_DEBUG support. Adjust alpha's syscall
check to match the other archs. Also, make sysent const to get it
into .rodata.

With that, 'struct emul' is unused: delete it and all its references

ok millert@

As done on other architectures, narrow the KERNEL_LOCK only around
uvm_fault (and some similar "fault emulation" code which scream danger
danger)
tested by aoyama

uvm_grow() now does the vm_maxsaddr check (before locking), so callers don't
need to do it
ok kettenis

use access_type as the PROT_* variable for uvm_fault() consistantly
ok kettenis

miod's proposal for traps was also wrong, causing one type of kernel
trap to reach the userland check. as suggested, this might fix it.

add uvm_map_isentry check for 88100, and alter the KERNEL_LOCK
management.
Comments from miod.

Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other
traps is at best opportunistic for finding a straight-running ROP chain,
but the added (and rare) sleeping point has proven to be dangerous.
Discussed at length with kettenis and mortimer.
ok mortimer kettenis mpi

|= is not supposed to be spelled +=

Push KERNEL_LOCK/UNLOCK() dance inside trapsignal().

ok kettenis@, visa@

%r26 hasn't been used by the threads implementation since 2016, so stop
resetting it in child_return() and update the comment in tcb.h to reflect
reality

ok miod@ aoyama@

If uvm_map_inentry returns false then a signal has been delivered, and
userret() must be called on trap() exit to deliver it, rather than
repeating the same cause infinitely. discovered by George Koehler
ok kettenis bluhm visa

I wrote the pc-page-writeable and sp-not-MAP_STACK code to be shared, and
then ran into the messaging being poor. Then I fixed the messages. But
there are two sub-cases of sp-not-MAP_STACK -- one at syscall time, and
another at regular userland trap (on some architectures), and I bungled
that messaging. Correct that now, while I look for yet another better way...
discovered by millert, who ran an pre-MAP_STACK binary.

add code to check stack pointer is within MAP_STACK
from miod

If you use sys/param.h, you don't need sys/types.h

Make this build (and run) with gcc 4.

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@

rename raiseipl to splraise()

another step toward making splraise an MI api.

ok aoyama@

<sys/systm.h> must be before <sys/syscall_mi.h> now.

Enable `va < VM_MIN_ADDRESS' check now that VM_MIN_ADDRESS is nonzero.

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Make sure the kernel lock is held when invoking process_domem(); fixes
ptrace operation on MP kernels.

Replace the assembly 88100 FPU imprecise exception code (mostly triggered by
denormal results) with C code using softfloat to correctly round the inexact
results in the best possible way according to the current rounding mode.

No functional change intended, and this assembly code was surprisingly almost
non-buggy, as opposed to the precise exception code replaced a few weeks ago;
still an improvement as this replaces 900 lines of arcane assembly with 90
lines of understandable C code.

Replace the unmaintainable assembler code responsible for 88100 precise FPU
fault handling with a C wrapper around the softfloat code, as already done for
88110 kernels.

As a bonus, attempting to read or write FPU control registers but fcr62 and
fcr63 in userland will now correctly signal an illegal instruction, instead
of leaving the destination register unchanged and pretending nothing bad
happened.

Be sure to rm m88100_fp.d in your kernel compile directory after updating your
tree.

More format string fixes (in 88110 code)

Address several problems in signal delivery on 88100 processors:
- when building the sigcontext, rewind the pipeline for recoverable
exceptions, so that sigreturn actually has a chance to cause the
interrupted instruction to be run again.
- when returning with sigreturn, and the sigcontext contains valid
DAE information, the DAE need to be emulated before returning, for
the processor will not reissue them.
- finally, when the sigframe is allocated on the current process' stack,
be careful not to stomp upon addresses referenced by the DAE information,
for this would defeat the previous point.

All these changes only affect 88100 processors only. 88110 operation is
unchanged.

While there, do not copyout an empty siginfo struct if the signal handler
does not expect any.

Hair-pulling evil testcase provided by aoyama@, based upon one of
devel/libsigsegv configure tests (which would spin on 88100 and run happily on
88110).

Introduce m88100_rewind_insn() to rewind the execution pipeline one
instruction, rather than gazillions of inline variants. This also makes
the situations where we clear specific bits in the fip or nip registers
more visible.

No functional change.

Do not change the state of the carry bit in the psr when returning with
ERESTART or EJUSTRETURN, for we're not supposed to. (Actually, setting the
carry bit upon syscall failure doesn't make much sense on m88k, since this is
not how the syscall stubs check for failure)

Move the increment of uvmexp.softs back to the caller of mi_ast():
it needs to be done atomicly on some MP archs and we don't have
atomic_add_int() everywhere yet. Also, mi_ast() was meant to be inline.

noted by miod@

Factor out the common ast bits into mi_ast()

ok deraadt@

Format string fixes for m88k; remove -Wno-format from the m88k kernels.

Have each thread keeps its own (counted!) reference to the process's ucreds
to avoid possible use-after-free references when swapping ids in threaded
processes. "Do I have the right creds?" checks are always made with the
threads creds.

Inspired by FreeBSD and NetBSD
"right time" deraadt@

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@

Service the 88100 floating-point exceptions through trap(), keeping the
existing assembly code for now. Make sure the trapframe images of %fpsr and
%fpcr are updated by the assembly handlers (in addition to the real registers
which were already updated). When returning into trap(), check these updated
value to decide whether a signal ought to be sent to the userland process.

With these changes, computations which ought to cause a signal to be delivered
will indeed trigger the signal, even when they are handled by the completion
code in the floating point exception handlers.

This fixes the libc/ieeefp/except and lib/fenv regress tests on 88100 systems,
finally!

Use %r27 as the thread control block pointer, allowing for __get_tcb() calls
in libpthread to be optimized away.

While there, follow DG/UX's example of using more than one register for thread
purposes (after all, the ABI reserves four of them), and also use %r26 to store
a pointer to the current thread's errno.

Since it is not possible to initialize %r26 at thread creation without
intrusive and potentially race-prone changes, have __tfork() reset %r26 to
zero, and libpthread's __cerror lazy initialize it. As soon as %r26 is nonzero,
it will be used instead of calling __errno().

This means that binaries linked against HEAD libpthread need to run on HEAD
kernels, and we are belatedly jumping on the 64-bit time_t bump (since there
are no 64-bit time_t m88k snapshots yet).

Joint work with guenther@; "Your love of asm is sick and wrong, and yet
beautiful." and ok guenther@

data_access_emulation() may fault. Be sure to clear pcb_onfault before
invoking it.

While there, rework the return-to-pcb_onfault logic to avoid falling through
the DAE code. This allows us to get rid of the bogus DMT_SKIP flag as well:
DAE is only necessary if DMT_VALID is set in DMT0, and DMT0 is reset to zero
afterwards.

Double-register load and store instructions using an odd-numbered register as
the low part trigger an `illegal instruction' trap on the 88110 (and I can't
see this documented anywhere in the manual). Of course there is code "in the
wild" which uses such constructs (libgmp is one such example).

Extend double_reg_fixup() to take the trap type as an extra argument, and
explicitely allow ld.d or st.d instructions with odd-numbered registers at
aligned addresses if we are invoked from the `illegal instruction' trap
handler, to give this code a chance to run on 88110.

Correctly signal SIGSEGV, instead of SIGBUS, for faults caused by access to
pages mapped without read (or write) permissions.
The existing logic would incorrectly match uvm_fault() returning EACCES with
the CMMU fault logic reporting a bus error (which will still cause SIGBUS
to be sent).

Remove emulation errno mapping code from platforms that no longer have
non-native emulations.

ok miod@

<sys/ktrace.h> is now pulled in via <sys/syscall_mi.h>, so drop it from here

Move the common bits of syscall invocation and return handling into
an MI file, <sys/syscall_mi.h>, correcting inconsistencies and the
handling when copyin() of arguments fails.

Tested on i386, amd64, sparc64, and alpha (thanks naddy@)
Any issues with other platforms will be fixed in tree.

header name from millert@; ok miod@

The first ktrace record for a newly spawned thread is a return
from a fork syscall done by the parent. Use __tfork, not rfork
here to match the ktrace records for the parent (CALL __tfork,
RET __tfork). ok guenther

Make userret() MI. On architectures which jammed stuff into it in the
past, pull that code out seperately.
ok guenther miod

Revert art@'s moving around of the KERNEL_LOCK()/KERNEL_UNLOCK() calls,
as it causes hangs in some ports, including libsigsegv's configure script

confirmed by krw@, landry@

There is a bunch of places in the kernel entry points where we don't
hold the kernel lock, but still need call one function that needs it.

Instead of grabbing the lock all over the place, move the locks into
the affected functions: trapsignal, scdebug*, ktrsyscall, ktrsysret,
systrace_redirect and ADDUPROF. In the cases we already hold the biglock
we'll just recurse.

kettenis@, beck@ ok

Clean up after P_BIGLOCK removal.
KERNEL_PROC_LOCK -> KERNEL_LOCK
KERNEL_PROC_UNLOCK -> KERNEL_UNLOCK

oga@ ok

Fix a typo causing a sanity check in m88110_syscall() to never trigger.

Move PPWAIT flag from struct proc to process, so that rthreads in
a vforked child behave correctly. Have the parent in a vfork()
wait on a (different) flag in *its* process instead of the child
to prevent a possible use-after-free. When ktracing the child
return from a fork, call it rfork if an rthread was created.

ok blambert@

Standardize cache handling functions and defines to use wb/wbinv/inv instead
of flush/sync/inval. No functional change.

Check for pcb_onfault being set for genuine kernel data faults, copyout()
may be invoked with an address under the kernel text and we're about to
stop having such pages always mapped.

KNF

mvme88k kernels running on 88110 systems have been prone to panicing for
``invalid opcode'' in kernel mode after being idle for a few hours, since
many months already. This panic does not make sense.

Recently, I've been able to gather enough samples and, looking at the
instructions surrounding the panic location, I have narrowed a pattern,
and I'll conveniently blame these panics upon a (to the best of my
knowledge) new genuine 88110 bug.

The exception handler will now recognize this situation and apply a large
hammer of workaround - probably not the best workaround that could be devised,
but it's short, easy to implement, and works 100% of the time so far. Besides,
since the machine is idle, who cares as long as it keeps running?

(the curious reader will find more information in the trap.c comments)

Files forgotten during last commit:

Rework nmi handling to handle ``complex'' NMI faster, and return as fast as
possible from the exception, without doing the AST and softintr dance.

This should avoid too much stack usage under load.

ok deraadt@

Since NMI are now handled separately, remove the ``interrupt type'' argument
from interrupt() and related function pointers.

Use a different dispatcher for the NMI traps on 88110, these are too
different from regular hardware interrupts to be worth handling the
same way.

Disable IPI reception while we are handling pending IPIs. And do not
reenable them by mistake if we need to send an IPI in return.

This lets GENERIC.MP boot single user on a MVME197DP. There are still
many bugs to fix.

Don't bother trying to recover from DSR_WE data faults in kernel mode,
pmap makes sure these can't happen.

Remove dma_cachectl() and rename dma_cachectl_pa() to dma_cachectl() now that
the old vs(4) code is gone.

On 88100 cpus, make sure userland processes start with SNIP and SFIP valid
(i.e. with the valid bit set in them). Found the hard way by Anders Gavare
trying his latest gxemul, proves the hardware is more permitting than one
would expect it to be...

Grab the biglock unconditionnaly when system calls go through systrace;
spotted by drahn

typo

Restart the m88110 floating-point trap code from scratch, basing it on the
sparc{,64} floating-point emulator, adapted to the 88110 specifics. Handling
of these traps is now entirely done in C for convenience.

Although there are a few rounding issues to address, and the XRF is ignored,
this allows all the ieee754 regression tests to pass (lib/libc/ieeefp,
sys/kern/signal/fpsig, sys/kern/signal/sigfpe).

Make non-88110 kernels (aviion, luna88k) kernels compile again.

Better siginfo fault codes for floating point exceptions on 88110, with
more work in progress to handle these exceptions correctly, and document
a new undocumented and evil chip bug while there.

In double_reg_fixup(), do not rely on tf_r[0] being zero.

Faster splassert_check()

Fix userland vs system test in errata #16 handling.

Do not take biglock for NOLOCK system calls.

Only check for errata #16 for instruction faults.

spelling fixes, from Martynas Venckus;

Introduce an inline function to skip an instruction on 88110 and use it
whenever necessary, instead of duplicating the same code 10+ times.

A decent workaround for errata #16. I have verified it gets triggered, the
hard way.

On 88110, skip the faulting instruction in double_reg_fixup() if it can
recover, otherwise we'll fault in a loop.

Quote a few errata to explain why odd things are done in oddly ways on 88110.

Move pmap_set_modify() prototype to a header file

Move external interrupt and ast handling from m881[01]0_trap() to their
own functions, which do not need to be processor-specific.

This speeds up the exception return sequence a bit.

A line got lost while hand-editing diffs...

Move 88110 trap-on-write processing from two duplicated sections in trap.c to
a single function in pmap.c, which will do the right thing and also perform
mod/ref vm_page flags accounting.

Fix MP locking issues when processing data access faults on 88110, similar
to the fix already applied to 88100.

Replace many ``unsigned'' variables with ``unsigned int'', ``u_int'' or other
appropriate types. No functional change.

When processing a data access fault, keep the kernel lock while invoking
data_access_emulation() to complete the interrupted pipeline operations,
as data_access_emulation() can fault in turn.

When handling a userland data fault occuring in kernel mode, take the kernel
lock with KERNEL_LOCK, not KERNEL_PROC_LOCK. This lets bsd.mp run multiuser
on a single-processor board.

Don't use LK_CANRECURSE for the kernel lock, okay miod@ art@

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok

Rework the cache handling routines again. We now try to operate on the exact
address range we've been given, rounded to cache line boundaries, instead
of being lazy and operating on pages as soon as the range was large enough.

Also, since the ranges we'll be invoked for are reasonably small, it does
not make sense to check for segment sizes - we're always smaller, really.

While there, hardcode the size in cmmu_flush_data_cache(), which becomes
cmmu_flush_data_page(), since it was always invoked for complete pages.

Define PROC_PC. Then, since profiling information is being reported in
statclock(), do not bother doing this in userret() anymore. As a result,
userret() does not need its pc and ticks arguments, simplify.

Check for want_resched when processing AST and nowhere else. But then, when
doing so, do not check for signals - userret() will do this.

In syscall handlers, fix copyin() failure path wrt locking macros.

Fetch syscall arguments beyond r9 with copyin() from the userland stack,
instead of having the userland syscall code put the first three locations
from the stack in r10-r12.

This will speed-up most of the system calls (but mmap) once these fetches
are removed, in a few weeks from now.

Replace gazillions of badvaddr() or badwordaddr() calls with badaddr() calls.
With a few prototype declarations shuffling, this finally allows
<machine/locore.h> to die.

Clean the internal m88k trap type codes; while there, simplify and
factorize the build of the VBR page betweem luna88k and mvme88k.

Tested by aoyama@ and I.

scaled version of ld.d and st.d is obviously not a 64 bit transaction,
so there is no need to take care of it in double_reg_fixup(), as it will
never trigger the kind of misalignment faults this function recovers from.
Doh!

Replace db_{disable,enable}_interrupts with expanded version of themselves,
having macros for this is not worth doing.

Work in progress SMP code; mvme88k boards can spin up secondary CPUs,
kernel boots single user. Still a lot of polishing and bugfixing to do.

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@

Sprinkle holds and releases of the kernel lock whenever necessary; no functional
change for UP kernels.

Simplify ptrace branch handling code.

Switch m88k ports to __HAVE_CPUINFO. Current cpu pointer is held in SR0
on all running processors.
Tested aoyama@ and I

Get rid of PMAP_NULL and xx_ENTRY_NULL and simply use NULL when necessary.

Maintain an interrupt depth counter for CLKF_INTR to be correct.
Tested aoyama@ martin@ and I.

Switch to per-process AST flags and clean AST-related codepaths; speeds up
forks as a bonus.
Tested on luna88k and mvme88k by aoyama@ martin@ and I.

In syscall(), do not recompute the struct proc * after the syscall has
succeeded. This used to be necessary for fork(), when returning in the child,
but we return in the child in child_return() which does TRT.

ok art@

Change child_return() to record a proper ktrace record for vfork child
processes.

ok art@ uwe@ (some time ago)

In cache_flush(), after testing for curproc != NULL, do not use curproc
blindly...

Rework the single step implementation; mostly delaying breakpoint
removal so that single stepping delay slots work. Also added the ability
to single step through system calls (which cause an implicit branch if
successfull).

works for me, "looks ok" kettenis@

Remove m88k_psr_type and function with utterly long names to control the psr,
and use get_psr() / set_psr() or simple macros that expand into them everywhere.
No functional change.

Allow userland to cause the data cache to be flushed for any arbitrary address
range in the current process, using trap #451.

This is necessary for proper gcc trampolines operation, and, later, ld.so...

Use uvm_grow() to account for stack growth, rather than home-grown code
or nothing.
Inspired by a similar recent change in NetBSD.

Kill guarded_access() - the way we map OBIO, there is no need for special
treatement of interrupt vectors variables, a simple read will do.

While there, speed up the interrupt handlers a bit:
- remove old debug code or only compile it if option DEBUG.
- use short circuits for setipl() if we know interrupts are disabled at
this point: there is no need playing with the psr in these cases.

Kill struct md_p, which was really only necessary for mvme88k; on
luna88k it disappears completely, while mvme88k keeps 3 global variables,
one of them scheduled to disappear very soon.

guarded_access() is really only used by the MVME188 interrupt engine, so
do not provide it on luna88k. Makes trap() slightly faster on non-MVME188
kernels.

Introduce sparc-like CPU_ISFOO macros, to short-circuit evaluations when
compiling for one flavour only.

This makes code slightly smaller on all m88k-based platforms (my roughly
1KB), and saves more than meets the eye on luna88k, which is m88100-based.

Shrink more code if option PTRACE is not set; also use ss_put_value()
in trap handlers instead of inlining it by hand.

Reset pcb_onfault to NULL before invoking uvm_fault().

Do not use db_printf() without a godd reason; while there, shrinken some
messages.

After 88110 exception processing, do not reset the in-frame [di][lp]ar
values, they won't be put back to registers anyways...

On 88110, simplify enip processing:
- always fetch its value when building trapframe, it is faster than only
doing it after checking if it will have a meaningful value.
- don't bother setting it to a safe value if we change exip to a
non-delayslot address.

Allow userland to issue ld.d or st.d with a long, but not long long aligned
address, by recovering from the misaligned address exception.

branches: 1.4.2;
Signal bus errors when a write back operation fails on 88110.

Be sure to preserve r3 for syscalls which return 32-bit values.

Make #endif /* foo */ comments really match the #if condition.

Continue factorizing m88k common code, this time files in <arch>/<arch>
which were copied verbatim from mvme88k to luna88k.

This requires backing out syntactic sugar in mvme88k kernel configuration
files which would deduct the required processor types from the board models,
as the common code only depends upon the M88100 and M88110 defines.

Fix format strings in TRAPDEBUG code and unbreak 88110_syscall. NFC

Delete unused labels which cause error in making kernel.

ok miod@

Since no system call takes more than 6 arguments, and no more than one
off_t argument, there is no need to process more than 6 arguments on
64-bit platforms and 8 on 32-bit platforms.

Make the syscall argument gathering code simpler by removing never-used code
to fetch more arguments from the stack, and local argument arrays when pointing
to the trap frame does the job.

ok guenther@ jsing@

Drop no-longer-applicable comment.

Fix syscall number bounds check computations.

remove support for syscall(2) -- the "indirection system call" because
it is a dangerous alternative entry point for all system calls, and thus
incompatible with the precision system call entry point scheme we are
heading towards. This has been a 3-year mission:
First perl needed a code-generated wrapper to fake syscall(2) as a giant
switch table, then all the ports were cleaned with relatively minor fixes,
except for "go". "go" required two fixes -- 1) a framework issue with
old library versions, and 2) like perl, a fake syscall(2) wrapper to
handle ioctl(2) and sysctl(2) because "syscall(SYS_ioctl" occurs all over
the place in the "go" ecosystem because the "go developers" are plan9-loving
unix-hating folk who tried to build an ecosystem without allowing "ioctl".
ok kettenis, jsing, afresh1, sthen

Revert r1.31 - contrary to what I wrote, scaled versions of ld.d and st.d
are 64-bit loads and stores and may hit aligned-to-32-bits-but-not-64-bits
addresses.

__syscall() is no longer neccessary since the system calls which needed
it are now unpadded
ok kettenis guenther

On systems without xonly mmu hardware-enforcement, we can still mitigate
against classic BROP with a range-checking wrapper in front of copyin() and
copyinstr() which ensures the userland source doesn't overlap the main program
text, ld.so text, signal tramp text (it's mapping is hard to distinguish
so it comes along for the ride), or libc.so text. ld.so tells the kernel
libc.so text range with msyscall(2). The range checking for 2-4 elements is
done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been
discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:
userland kernel
ld.so readable unreadable
mmap xz unreadable unreadable
mmap x readable readable
mmap nrx readable readable
mmap nwx readable readable
mmap xnwx readable readable
main readable unreadable
libc unmapped? readable unreadable
libc mapped readable unreadable

ok kettenis, additional help from miod

we spent far too long debugging a weird go library problem (incorrect
arguments to mmap) because it was using syscall(2) and that callpath
is invisible in ktrace. make it visible, it will now show "(via syscall)"
and such.
ok guenther

Use PROT_EXEC when servicing instruction faults.
ok aoyama@

Clean up more ancient history: since 2015 the libc stubs for
fork/vfork/__tfork haven't cared about the second return register.
So, stop setting retval[1] in kern_fork.c and stop setting the
second return register in the MD child_return() routines.

With the above, we have no multi-register return values on LP64,
so stop touching that register in the trapframe on those archs.

testing miod@ and aoyama@
ok miod@

use string literal for format string
ok miod@

Correctly detect xmem operations faulting on missing pages on 88110.
These must be handled as write faults rather than read faults, since xmem
performs both a read and a write, and unlike on 88100, we don't have an easy
bit to check.

This solves libcrypto spinning on its locks on 88110.

We only have one syscall table: inline sysent/SYS_MAXSYSCALL and
SYS_syscall as the nosys() function into the MD syscall entry
routines and the SYSCALL_DEBUG support. Adjust alpha's syscall
check to match the other archs. Also, make sysent const to get it
into .rodata.

With that, 'struct emul' is unused: delete it and all its references

ok millert@

As done on other architectures, narrow the KERNEL_LOCK only around
uvm_fault (and some similar "fault emulation" code which scream danger
danger)
tested by aoyama

uvm_grow() now does the vm_maxsaddr check (before locking), so callers don't
need to do it
ok kettenis

use access_type as the PROT_* variable for uvm_fault() consistantly
ok kettenis

miod's proposal for traps was also wrong, causing one type of kernel
trap to reach the userland check. as suggested, this might fix it.

add uvm_map_isentry check for 88100, and alter the KERNEL_LOCK
management.
Comments from miod.

Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other
traps is at best opportunistic for finding a straight-running ROP chain,
but the added (and rare) sleeping point has proven to be dangerous.
Discussed at length with kettenis and mortimer.
ok mortimer kettenis mpi

|= is not supposed to be spelled +=

Push KERNEL_LOCK/UNLOCK() dance inside trapsignal().

ok kettenis@, visa@

%r26 hasn't been used by the threads implementation since 2016, so stop
resetting it in child_return() and update the comment in tcb.h to reflect
reality

ok miod@ aoyama@

If uvm_map_inentry returns false then a signal has been delivered, and
userret() must be called on trap() exit to deliver it, rather than
repeating the same cause infinitely. discovered by George Koehler
ok kettenis bluhm visa

I wrote the pc-page-writeable and sp-not-MAP_STACK code to be shared, and
then ran into the messaging being poor. Then I fixed the messages. But
there are two sub-cases of sp-not-MAP_STACK -- one at syscall time, and
another at regular userland trap (on some architectures), and I bungled
that messaging. Correct that now, while I look for yet another better way...
discovered by millert, who ran an pre-MAP_STACK binary.

add code to check stack pointer is within MAP_STACK
from miod

If you use sys/param.h, you don't need sys/types.h

Make this build (and run) with gcc 4.

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@

rename raiseipl to splraise()

another step toward making splraise an MI api.

ok aoyama@

<sys/systm.h> must be before <sys/syscall_mi.h> now.

Enable `va < VM_MIN_ADDRESS' check now that VM_MIN_ADDRESS is nonzero.

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Make sure the kernel lock is held when invoking process_domem(); fixes
ptrace operation on MP kernels.

Replace the assembly 88100 FPU imprecise exception code (mostly triggered by
denormal results) with C code using softfloat to correctly round the inexact
results in the best possible way according to the current rounding mode.

No functional change intended, and this assembly code was surprisingly almost
non-buggy, as opposed to the precise exception code replaced a few weeks ago;
still an improvement as this replaces 900 lines of arcane assembly with 90
lines of understandable C code.

Replace the unmaintainable assembler code responsible for 88100 precise FPU
fault handling with a C wrapper around the softfloat code, as already done for
88110 kernels.

As a bonus, attempting to read or write FPU control registers but fcr62 and
fcr63 in userland will now correctly signal an illegal instruction, instead
of leaving the destination register unchanged and pretending nothing bad
happened.

Be sure to rm m88100_fp.d in your kernel compile directory after updating your
tree.

More format string fixes (in 88110 code)

Address several problems in signal delivery on 88100 processors:
- when building the sigcontext, rewind the pipeline for recoverable
exceptions, so that sigreturn actually has a chance to cause the
interrupted instruction to be run again.
- when returning with sigreturn, and the sigcontext contains valid
DAE information, the DAE need to be emulated before returning, for
the processor will not reissue them.
- finally, when the sigframe is allocated on the current process' stack,
be careful not to stomp upon addresses referenced by the DAE information,
for this would defeat the previous point.

All these changes only affect 88100 processors only. 88110 operation is
unchanged.

While there, do not copyout an empty siginfo struct if the signal handler
does not expect any.

Hair-pulling evil testcase provided by aoyama@, based upon one of
devel/libsigsegv configure tests (which would spin on 88100 and run happily on
88110).

Introduce m88100_rewind_insn() to rewind the execution pipeline one
instruction, rather than gazillions of inline variants. This also makes
the situations where we clear specific bits in the fip or nip registers
more visible.

No functional change.

Do not change the state of the carry bit in the psr when returning with
ERESTART or EJUSTRETURN, for we're not supposed to. (Actually, setting the
carry bit upon syscall failure doesn't make much sense on m88k, since this is
not how the syscall stubs check for failure)

Move the increment of uvmexp.softs back to the caller of mi_ast():
it needs to be done atomicly on some MP archs and we don't have
atomic_add_int() everywhere yet. Also, mi_ast() was meant to be inline.

noted by miod@

Factor out the common ast bits into mi_ast()

ok deraadt@

Format string fixes for m88k; remove -Wno-format from the m88k kernels.

Have each thread keeps its own (counted!) reference to the process's ucreds
to avoid possible use-after-free references when swapping ids in threaded
processes. "Do I have the right creds?" checks are always made with the
threads creds.

Inspired by FreeBSD and NetBSD
"right time" deraadt@

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@

Service the 88100 floating-point exceptions through trap(), keeping the
existing assembly code for now. Make sure the trapframe images of %fpsr and
%fpcr are updated by the assembly handlers (in addition to the real registers
which were already updated). When returning into trap(), check these updated
value to decide whether a signal ought to be sent to the userland process.

With these changes, computations which ought to cause a signal to be delivered
will indeed trigger the signal, even when they are handled by the completion
code in the floating point exception handlers.

This fixes the libc/ieeefp/except and lib/fenv regress tests on 88100 systems,
finally!

Use %r27 as the thread control block pointer, allowing for __get_tcb() calls
in libpthread to be optimized away.

While there, follow DG/UX's example of using more than one register for thread
purposes (after all, the ABI reserves four of them), and also use %r26 to store
a pointer to the current thread's errno.

Since it is not possible to initialize %r26 at thread creation without
intrusive and potentially race-prone changes, have __tfork() reset %r26 to
zero, and libpthread's __cerror lazy initialize it. As soon as %r26 is nonzero,
it will be used instead of calling __errno().

This means that binaries linked against HEAD libpthread need to run on HEAD
kernels, and we are belatedly jumping on the 64-bit time_t bump (since there
are no 64-bit time_t m88k snapshots yet).

Joint work with guenther@; "Your love of asm is sick and wrong, and yet
beautiful." and ok guenther@

data_access_emulation() may fault. Be sure to clear pcb_onfault before
invoking it.

While there, rework the return-to-pcb_onfault logic to avoid falling through
the DAE code. This allows us to get rid of the bogus DMT_SKIP flag as well:
DAE is only necessary if DMT_VALID is set in DMT0, and DMT0 is reset to zero
afterwards.

Double-register load and store instructions using an odd-numbered register as
the low part trigger an `illegal instruction' trap on the 88110 (and I can't
see this documented anywhere in the manual). Of course there is code "in the
wild" which uses such constructs (libgmp is one such example).

Extend double_reg_fixup() to take the trap type as an extra argument, and
explicitely allow ld.d or st.d instructions with odd-numbered registers at
aligned addresses if we are invoked from the `illegal instruction' trap
handler, to give this code a chance to run on 88110.

Correctly signal SIGSEGV, instead of SIGBUS, for faults caused by access to
pages mapped without read (or write) permissions.
The existing logic would incorrectly match uvm_fault() returning EACCES with
the CMMU fault logic reporting a bus error (which will still cause SIGBUS
to be sent).

Remove emulation errno mapping code from platforms that no longer have
non-native emulations.

ok miod@

<sys/ktrace.h> is now pulled in via <sys/syscall_mi.h>, so drop it from here

Move the common bits of syscall invocation and return handling into
an MI file, <sys/syscall_mi.h>, correcting inconsistencies and the
handling when copyin() of arguments fails.

Tested on i386, amd64, sparc64, and alpha (thanks naddy@)
Any issues with other platforms will be fixed in tree.

header name from millert@; ok miod@

The first ktrace record for a newly spawned thread is a return
from a fork syscall done by the parent. Use __tfork, not rfork
here to match the ktrace records for the parent (CALL __tfork,
RET __tfork). ok guenther

Make userret() MI. On architectures which jammed stuff into it in the
past, pull that code out seperately.
ok guenther miod

Revert art@'s moving around of the KERNEL_LOCK()/KERNEL_UNLOCK() calls,
as it causes hangs in some ports, including libsigsegv's configure script

confirmed by krw@, landry@

There is a bunch of places in the kernel entry points where we don't
hold the kernel lock, but still need call one function that needs it.

Instead of grabbing the lock all over the place, move the locks into
the affected functions: trapsignal, scdebug*, ktrsyscall, ktrsysret,
systrace_redirect and ADDUPROF. In the cases we already hold the biglock
we'll just recurse.

kettenis@, beck@ ok

Clean up after P_BIGLOCK removal.
KERNEL_PROC_LOCK -> KERNEL_LOCK
KERNEL_PROC_UNLOCK -> KERNEL_UNLOCK

oga@ ok

Fix a typo causing a sanity check in m88110_syscall() to never trigger.

Move PPWAIT flag from struct proc to process, so that rthreads in
a vforked child behave correctly. Have the parent in a vfork()
wait on a (different) flag in *its* process instead of the child
to prevent a possible use-after-free. When ktracing the child
return from a fork, call it rfork if an rthread was created.

ok blambert@

Standardize cache handling functions and defines to use wb/wbinv/inv instead
of flush/sync/inval. No functional change.

Check for pcb_onfault being set for genuine kernel data faults, copyout()
may be invoked with an address under the kernel text and we're about to
stop having such pages always mapped.

KNF

mvme88k kernels running on 88110 systems have been prone to panicing for
``invalid opcode'' in kernel mode after being idle for a few hours, since
many months already. This panic does not make sense.

Recently, I've been able to gather enough samples and, looking at the
instructions surrounding the panic location, I have narrowed a pattern,
and I'll conveniently blame these panics upon a (to the best of my
knowledge) new genuine 88110 bug.

The exception handler will now recognize this situation and apply a large
hammer of workaround - probably not the best workaround that could be devised,
but it's short, easy to implement, and works 100% of the time so far. Besides,
since the machine is idle, who cares as long as it keeps running?

(the curious reader will find more information in the trap.c comments)

Files forgotten during last commit:

Rework nmi handling to handle ``complex'' NMI faster, and return as fast as
possible from the exception, without doing the AST and softintr dance.

This should avoid too much stack usage under load.

ok deraadt@

Since NMI are now handled separately, remove the ``interrupt type'' argument
from interrupt() and related function pointers.

Use a different dispatcher for the NMI traps on 88110, these are too
different from regular hardware interrupts to be worth handling the
same way.

Disable IPI reception while we are handling pending IPIs. And do not
reenable them by mistake if we need to send an IPI in return.

This lets GENERIC.MP boot single user on a MVME197DP. There are still
many bugs to fix.

Don't bother trying to recover from DSR_WE data faults in kernel mode,
pmap makes sure these can't happen.

Remove dma_cachectl() and rename dma_cachectl_pa() to dma_cachectl() now that
the old vs(4) code is gone.

On 88100 cpus, make sure userland processes start with SNIP and SFIP valid
(i.e. with the valid bit set in them). Found the hard way by Anders Gavare
trying his latest gxemul, proves the hardware is more permitting than one
would expect it to be...

Grab the biglock unconditionnaly when system calls go through systrace;
spotted by drahn

typo

Restart the m88110 floating-point trap code from scratch, basing it on the
sparc{,64} floating-point emulator, adapted to the 88110 specifics. Handling
of these traps is now entirely done in C for convenience.

Although there are a few rounding issues to address, and the XRF is ignored,
this allows all the ieee754 regression tests to pass (lib/libc/ieeefp,
sys/kern/signal/fpsig, sys/kern/signal/sigfpe).

Make non-88110 kernels (aviion, luna88k) kernels compile again.

Better siginfo fault codes for floating point exceptions on 88110, with
more work in progress to handle these exceptions correctly, and document
a new undocumented and evil chip bug while there.

In double_reg_fixup(), do not rely on tf_r[0] being zero.

Faster splassert_check()

Fix userland vs system test in errata #16 handling.

Do not take biglock for NOLOCK system calls.

Only check for errata #16 for instruction faults.

spelling fixes, from Martynas Venckus;

Introduce an inline function to skip an instruction on 88110 and use it
whenever necessary, instead of duplicating the same code 10+ times.

A decent workaround for errata #16. I have verified it gets triggered, the
hard way.

On 88110, skip the faulting instruction in double_reg_fixup() if it can
recover, otherwise we'll fault in a loop.

Quote a few errata to explain why odd things are done in oddly ways on 88110.

Move pmap_set_modify() prototype to a header file

Move external interrupt and ast handling from m881[01]0_trap() to their
own functions, which do not need to be processor-specific.

This speeds up the exception return sequence a bit.

A line got lost while hand-editing diffs...

Move 88110 trap-on-write processing from two duplicated sections in trap.c to
a single function in pmap.c, which will do the right thing and also perform
mod/ref vm_page flags accounting.

Fix MP locking issues when processing data access faults on 88110, similar
to the fix already applied to 88100.

Replace many ``unsigned'' variables with ``unsigned int'', ``u_int'' or other
appropriate types. No functional change.

When processing a data access fault, keep the kernel lock while invoking
data_access_emulation() to complete the interrupted pipeline operations,
as data_access_emulation() can fault in turn.

When handling a userland data fault occuring in kernel mode, take the kernel
lock with KERNEL_LOCK, not KERNEL_PROC_LOCK. This lets bsd.mp run multiuser
on a single-processor board.

Don't use LK_CANRECURSE for the kernel lock, okay miod@ art@

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok

Rework the cache handling routines again. We now try to operate on the exact
address range we've been given, rounded to cache line boundaries, instead
of being lazy and operating on pages as soon as the range was large enough.

Also, since the ranges we'll be invoked for are reasonably small, it does
not make sense to check for segment sizes - we're always smaller, really.

While there, hardcode the size in cmmu_flush_data_cache(), which becomes
cmmu_flush_data_page(), since it was always invoked for complete pages.

Define PROC_PC. Then, since profiling information is being reported in
statclock(), do not bother doing this in userret() anymore. As a result,
userret() does not need its pc and ticks arguments, simplify.

Check for want_resched when processing AST and nowhere else. But then, when
doing so, do not check for signals - userret() will do this.

In syscall handlers, fix copyin() failure path wrt locking macros.

Fetch syscall arguments beyond r9 with copyin() from the userland stack,
instead of having the userland syscall code put the first three locations
from the stack in r10-r12.

This will speed-up most of the system calls (but mmap) once these fetches
are removed, in a few weeks from now.

Replace gazillions of badvaddr() or badwordaddr() calls with badaddr() calls.
With a few prototype declarations shuffling, this finally allows
<machine/locore.h> to die.

Clean the internal m88k trap type codes; while there, simplify and
factorize the build of the VBR page betweem luna88k and mvme88k.

Tested by aoyama@ and I.

scaled version of ld.d and st.d is obviously not a 64 bit transaction,
so there is no need to take care of it in double_reg_fixup(), as it will
never trigger the kind of misalignment faults this function recovers from.
Doh!

Replace db_{disable,enable}_interrupts with expanded version of themselves,
having macros for this is not worth doing.

Work in progress SMP code; mvme88k boards can spin up secondary CPUs,
kernel boots single user. Still a lot of polishing and bugfixing to do.

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@

Sprinkle holds and releases of the kernel lock whenever necessary; no functional
change for UP kernels.

Simplify ptrace branch handling code.

Switch m88k ports to __HAVE_CPUINFO. Current cpu pointer is held in SR0
on all running processors.
Tested aoyama@ and I

Get rid of PMAP_NULL and xx_ENTRY_NULL and simply use NULL when necessary.

Maintain an interrupt depth counter for CLKF_INTR to be correct.
Tested aoyama@ martin@ and I.

Switch to per-process AST flags and clean AST-related codepaths; speeds up
forks as a bonus.
Tested on luna88k and mvme88k by aoyama@ martin@ and I.

In syscall(), do not recompute the struct proc * after the syscall has
succeeded. This used to be necessary for fork(), when returning in the child,
but we return in the child in child_return() which does TRT.

ok art@

Change child_return() to record a proper ktrace record for vfork child
processes.

ok art@ uwe@ (some time ago)

In cache_flush(), after testing for curproc != NULL, do not use curproc
blindly...

Rework the single step implementation; mostly delaying breakpoint
removal so that single stepping delay slots work. Also added the ability
to single step through system calls (which cause an implicit branch if
successfull).

works for me, "looks ok" kettenis@

Remove m88k_psr_type and function with utterly long names to control the psr,
and use get_psr() / set_psr() or simple macros that expand into them everywhere.
No functional change.

Allow userland to cause the data cache to be flushed for any arbitrary address
range in the current process, using trap #451.

This is necessary for proper gcc trampolines operation, and, later, ld.so...

Use uvm_grow() to account for stack growth, rather than home-grown code
or nothing.
Inspired by a similar recent change in NetBSD.

Kill guarded_access() - the way we map OBIO, there is no need for special
treatement of interrupt vectors variables, a simple read will do.

While there, speed up the interrupt handlers a bit:
- remove old debug code or only compile it if option DEBUG.
- use short circuits for setipl() if we know interrupts are disabled at
this point: there is no need playing with the psr in these cases.

Kill struct md_p, which was really only necessary for mvme88k; on
luna88k it disappears completely, while mvme88k keeps 3 global variables,
one of them scheduled to disappear very soon.

guarded_access() is really only used by the MVME188 interrupt engine, so
do not provide it on luna88k. Makes trap() slightly faster on non-MVME188
kernels.

Introduce sparc-like CPU_ISFOO macros, to short-circuit evaluations when
compiling for one flavour only.

This makes code slightly smaller on all m88k-based platforms (my roughly
1KB), and saves more than meets the eye on luna88k, which is m88100-based.

Shrink more code if option PTRACE is not set; also use ss_put_value()
in trap handlers instead of inlining it by hand.

Reset pcb_onfault to NULL before invoking uvm_fault().

Do not use db_printf() without a godd reason; while there, shrinken some
messages.

After 88110 exception processing, do not reset the in-frame [di][lp]ar
values, they won't be put back to registers anyways...

On 88110, simplify enip processing:
- always fetch its value when building trapframe, it is faster than only
doing it after checking if it will have a meaningful value.
- don't bother setting it to a safe value if we change exip to a
non-delayslot address.

Allow userland to issue ld.d or st.d with a long, but not long long aligned
address, by recovering from the misaligned address exception.

branches: 1.4.2;
Signal bus errors when a write back operation fails on 88110.

Be sure to preserve r3 for syscalls which return 32-bit values.

Make #endif /* foo */ comments really match the #if condition.

Continue factorizing m88k common code, this time files in <arch>/<arch>
which were copied verbatim from mvme88k to luna88k.

This requires backing out syntactic sugar in mvme88k kernel configuration
files which would deduct the required processor types from the board models,
as the common code only depends upon the M88100 and M88110 defines.

Delete unused labels which cause error in making kernel.

ok miod@

Since no system call takes more than 6 arguments, and no more than one
off_t argument, there is no need to process more than 6 arguments on
64-bit platforms and 8 on 32-bit platforms.

Make the syscall argument gathering code simpler by removing never-used code
to fetch more arguments from the stack, and local argument arrays when pointing
to the trap frame does the job.

ok guenther@ jsing@

Drop no-longer-applicable comment.

Fix syscall number bounds check computations.

remove support for syscall(2) -- the "indirection system call" because
it is a dangerous alternative entry point for all system calls, and thus
incompatible with the precision system call entry point scheme we are
heading towards. This has been a 3-year mission:
First perl needed a code-generated wrapper to fake syscall(2) as a giant
switch table, then all the ports were cleaned with relatively minor fixes,
except for "go". "go" required two fixes -- 1) a framework issue with
old library versions, and 2) like perl, a fake syscall(2) wrapper to
handle ioctl(2) and sysctl(2) because "syscall(SYS_ioctl" occurs all over
the place in the "go" ecosystem because the "go developers" are plan9-loving
unix-hating folk who tried to build an ecosystem without allowing "ioctl".
ok kettenis, jsing, afresh1, sthen

Revert r1.31 - contrary to what I wrote, scaled versions of ld.d and st.d
are 64-bit loads and stores and may hit aligned-to-32-bits-but-not-64-bits
addresses.

__syscall() is no longer neccessary since the system calls which needed
it are now unpadded
ok kettenis guenther

On systems without xonly mmu hardware-enforcement, we can still mitigate
against classic BROP with a range-checking wrapper in front of copyin() and
copyinstr() which ensures the userland source doesn't overlap the main program
text, ld.so text, signal tramp text (it's mapping is hard to distinguish
so it comes along for the ride), or libc.so text. ld.so tells the kernel
libc.so text range with msyscall(2). The range checking for 2-4 elements is
done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been
discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:
userland kernel
ld.so readable unreadable
mmap xz unreadable unreadable
mmap x readable readable
mmap nrx readable readable
mmap nwx readable readable
mmap xnwx readable readable
main readable unreadable
libc unmapped? readable unreadable
libc mapped readable unreadable

ok kettenis, additional help from miod

we spent far too long debugging a weird go library problem (incorrect
arguments to mmap) because it was using syscall(2) and that callpath
is invisible in ktrace. make it visible, it will now show "(via syscall)"
and such.
ok guenther

Use PROT_EXEC when servicing instruction faults.
ok aoyama@

Clean up more ancient history: since 2015 the libc stubs for
fork/vfork/__tfork haven't cared about the second return register.
So, stop setting retval[1] in kern_fork.c and stop setting the
second return register in the MD child_return() routines.

With the above, we have no multi-register return values on LP64,
so stop touching that register in the trapframe on those archs.

testing miod@ and aoyama@
ok miod@

use string literal for format string
ok miod@

Correctly detect xmem operations faulting on missing pages on 88110.
These must be handled as write faults rather than read faults, since xmem
performs both a read and a write, and unlike on 88100, we don't have an easy
bit to check.

This solves libcrypto spinning on its locks on 88110.

We only have one syscall table: inline sysent/SYS_MAXSYSCALL and
SYS_syscall as the nosys() function into the MD syscall entry
routines and the SYSCALL_DEBUG support. Adjust alpha's syscall
check to match the other archs. Also, make sysent const to get it
into .rodata.

With that, 'struct emul' is unused: delete it and all its references

ok millert@

As done on other architectures, narrow the KERNEL_LOCK only around
uvm_fault (and some similar "fault emulation" code which scream danger
danger)
tested by aoyama

uvm_grow() now does the vm_maxsaddr check (before locking), so callers don't
need to do it
ok kettenis

use access_type as the PROT_* variable for uvm_fault() consistantly
ok kettenis

miod's proposal for traps was also wrong, causing one type of kernel
trap to reach the userland check. as suggested, this might fix it.

add uvm_map_isentry check for 88100, and alter the KERNEL_LOCK
management.
Comments from miod.

Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other
traps is at best opportunistic for finding a straight-running ROP chain,
but the added (and rare) sleeping point has proven to be dangerous.
Discussed at length with kettenis and mortimer.
ok mortimer kettenis mpi

|= is not supposed to be spelled +=

Push KERNEL_LOCK/UNLOCK() dance inside trapsignal().

ok kettenis@, visa@

%r26 hasn't been used by the threads implementation since 2016, so stop
resetting it in child_return() and update the comment in tcb.h to reflect
reality

ok miod@ aoyama@

If uvm_map_inentry returns false then a signal has been delivered, and
userret() must be called on trap() exit to deliver it, rather than
repeating the same cause infinitely. discovered by George Koehler
ok kettenis bluhm visa

I wrote the pc-page-writeable and sp-not-MAP_STACK code to be shared, and
then ran into the messaging being poor. Then I fixed the messages. But
there are two sub-cases of sp-not-MAP_STACK -- one at syscall time, and
another at regular userland trap (on some architectures), and I bungled
that messaging. Correct that now, while I look for yet another better way...
discovered by millert, who ran an pre-MAP_STACK binary.

add code to check stack pointer is within MAP_STACK
from miod

If you use sys/param.h, you don't need sys/types.h

Make this build (and run) with gcc 4.

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@

rename raiseipl to splraise()

another step toward making splraise an MI api.

ok aoyama@

<sys/systm.h> must be before <sys/syscall_mi.h> now.

Enable `va < VM_MIN_ADDRESS' check now that VM_MIN_ADDRESS is nonzero.

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Make sure the kernel lock is held when invoking process_domem(); fixes
ptrace operation on MP kernels.

Replace the assembly 88100 FPU imprecise exception code (mostly triggered by
denormal results) with C code using softfloat to correctly round the inexact
results in the best possible way according to the current rounding mode.

No functional change intended, and this assembly code was surprisingly almost
non-buggy, as opposed to the precise exception code replaced a few weeks ago;
still an improvement as this replaces 900 lines of arcane assembly with 90
lines of understandable C code.

Replace the unmaintainable assembler code responsible for 88100 precise FPU
fault handling with a C wrapper around the softfloat code, as already done for
88110 kernels.

As a bonus, attempting to read or write FPU control registers but fcr62 and
fcr63 in userland will now correctly signal an illegal instruction, instead
of leaving the destination register unchanged and pretending nothing bad
happened.

Be sure to rm m88100_fp.d in your kernel compile directory after updating your
tree.

More format string fixes (in 88110 code)

Address several problems in signal delivery on 88100 processors:
- when building the sigcontext, rewind the pipeline for recoverable
exceptions, so that sigreturn actually has a chance to cause the
interrupted instruction to be run again.
- when returning with sigreturn, and the sigcontext contains valid
DAE information, the DAE need to be emulated before returning, for
the processor will not reissue them.
- finally, when the sigframe is allocated on the current process' stack,
be careful not to stomp upon addresses referenced by the DAE information,
for this would defeat the previous point.

All these changes only affect 88100 processors only. 88110 operation is
unchanged.

While there, do not copyout an empty siginfo struct if the signal handler
does not expect any.

Hair-pulling evil testcase provided by aoyama@, based upon one of
devel/libsigsegv configure tests (which would spin on 88100 and run happily on
88110).

Introduce m88100_rewind_insn() to rewind the execution pipeline one
instruction, rather than gazillions of inline variants. This also makes
the situations where we clear specific bits in the fip or nip registers
more visible.

No functional change.

Do not change the state of the carry bit in the psr when returning with
ERESTART or EJUSTRETURN, for we're not supposed to. (Actually, setting the
carry bit upon syscall failure doesn't make much sense on m88k, since this is
not how the syscall stubs check for failure)

Move the increment of uvmexp.softs back to the caller of mi_ast():
it needs to be done atomicly on some MP archs and we don't have
atomic_add_int() everywhere yet. Also, mi_ast() was meant to be inline.

noted by miod@

Factor out the common ast bits into mi_ast()

ok deraadt@

Format string fixes for m88k; remove -Wno-format from the m88k kernels.

Have each thread keeps its own (counted!) reference to the process's ucreds
to avoid possible use-after-free references when swapping ids in threaded
processes. "Do I have the right creds?" checks are always made with the
threads creds.

Inspired by FreeBSD and NetBSD
"right time" deraadt@

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@

Service the 88100 floating-point exceptions through trap(), keeping the
existing assembly code for now. Make sure the trapframe images of %fpsr and
%fpcr are updated by the assembly handlers (in addition to the real registers
which were already updated). When returning into trap(), check these updated
value to decide whether a signal ought to be sent to the userland process.

With these changes, computations which ought to cause a signal to be delivered
will indeed trigger the signal, even when they are handled by the completion
code in the floating point exception handlers.

This fixes the libc/ieeefp/except and lib/fenv regress tests on 88100 systems,
finally!

Use %r27 as the thread control block pointer, allowing for __get_tcb() calls
in libpthread to be optimized away.

While there, follow DG/UX's example of using more than one register for thread
purposes (after all, the ABI reserves four of them), and also use %r26 to store
a pointer to the current thread's errno.

Since it is not possible to initialize %r26 at thread creation without
intrusive and potentially race-prone changes, have __tfork() reset %r26 to
zero, and libpthread's __cerror lazy initialize it. As soon as %r26 is nonzero,
it will be used instead of calling __errno().

This means that binaries linked against HEAD libpthread need to run on HEAD
kernels, and we are belatedly jumping on the 64-bit time_t bump (since there
are no 64-bit time_t m88k snapshots yet).

Joint work with guenther@; "Your love of asm is sick and wrong, and yet
beautiful." and ok guenther@

data_access_emulation() may fault. Be sure to clear pcb_onfault before
invoking it.

While there, rework the return-to-pcb_onfault logic to avoid falling through
the DAE code. This allows us to get rid of the bogus DMT_SKIP flag as well:
DAE is only necessary if DMT_VALID is set in DMT0, and DMT0 is reset to zero
afterwards.

Double-register load and store instructions using an odd-numbered register as
the low part trigger an `illegal instruction' trap on the 88110 (and I can't
see this documented anywhere in the manual). Of course there is code "in the
wild" which uses such constructs (libgmp is one such example).

Extend double_reg_fixup() to take the trap type as an extra argument, and
explicitely allow ld.d or st.d instructions with odd-numbered registers at
aligned addresses if we are invoked from the `illegal instruction' trap
handler, to give this code a chance to run on 88110.

Correctly signal SIGSEGV, instead of SIGBUS, for faults caused by access to
pages mapped without read (or write) permissions.
The existing logic would incorrectly match uvm_fault() returning EACCES with
the CMMU fault logic reporting a bus error (which will still cause SIGBUS
to be sent).

Remove emulation errno mapping code from platforms that no longer have
non-native emulations.

ok miod@

<sys/ktrace.h> is now pulled in via <sys/syscall_mi.h>, so drop it from here

Move the common bits of syscall invocation and return handling into
an MI file, <sys/syscall_mi.h>, correcting inconsistencies and the
handling when copyin() of arguments fails.

Tested on i386, amd64, sparc64, and alpha (thanks naddy@)
Any issues with other platforms will be fixed in tree.

header name from millert@; ok miod@

The first ktrace record for a newly spawned thread is a return
from a fork syscall done by the parent. Use __tfork, not rfork
here to match the ktrace records for the parent (CALL __tfork,
RET __tfork). ok guenther

Make userret() MI. On architectures which jammed stuff into it in the
past, pull that code out seperately.
ok guenther miod

Revert art@'s moving around of the KERNEL_LOCK()/KERNEL_UNLOCK() calls,
as it causes hangs in some ports, including libsigsegv's configure script

confirmed by krw@, landry@

There is a bunch of places in the kernel entry points where we don't
hold the kernel lock, but still need call one function that needs it.

Instead of grabbing the lock all over the place, move the locks into
the affected functions: trapsignal, scdebug*, ktrsyscall, ktrsysret,
systrace_redirect and ADDUPROF. In the cases we already hold the biglock
we'll just recurse.

kettenis@, beck@ ok

Clean up after P_BIGLOCK removal.
KERNEL_PROC_LOCK -> KERNEL_LOCK
KERNEL_PROC_UNLOCK -> KERNEL_UNLOCK

oga@ ok

Fix a typo causing a sanity check in m88110_syscall() to never trigger.

Move PPWAIT flag from struct proc to process, so that rthreads in
a vforked child behave correctly. Have the parent in a vfork()
wait on a (different) flag in *its* process instead of the child
to prevent a possible use-after-free. When ktracing the child
return from a fork, call it rfork if an rthread was created.

ok blambert@

Standardize cache handling functions and defines to use wb/wbinv/inv instead
of flush/sync/inval. No functional change.

Check for pcb_onfault being set for genuine kernel data faults, copyout()
may be invoked with an address under the kernel text and we're about to
stop having such pages always mapped.

KNF

mvme88k kernels running on 88110 systems have been prone to panicing for
``invalid opcode'' in kernel mode after being idle for a few hours, since
many months already. This panic does not make sense.

Recently, I've been able to gather enough samples and, looking at the
instructions surrounding the panic location, I have narrowed a pattern,
and I'll conveniently blame these panics upon a (to the best of my
knowledge) new genuine 88110 bug.

The exception handler will now recognize this situation and apply a large
hammer of workaround - probably not the best workaround that could be devised,
but it's short, easy to implement, and works 100% of the time so far. Besides,
since the machine is idle, who cares as long as it keeps running?

(the curious reader will find more information in the trap.c comments)

Files forgotten during last commit:

Rework nmi handling to handle ``complex'' NMI faster, and return as fast as
possible from the exception, without doing the AST and softintr dance.

This should avoid too much stack usage under load.

ok deraadt@

Since NMI are now handled separately, remove the ``interrupt type'' argument
from interrupt() and related function pointers.

Use a different dispatcher for the NMI traps on 88110, these are too
different from regular hardware interrupts to be worth handling the
same way.

Disable IPI reception while we are handling pending IPIs. And do not
reenable them by mistake if we need to send an IPI in return.

This lets GENERIC.MP boot single user on a MVME197DP. There are still
many bugs to fix.

Don't bother trying to recover from DSR_WE data faults in kernel mode,
pmap makes sure these can't happen.

Remove dma_cachectl() and rename dma_cachectl_pa() to dma_cachectl() now that
the old vs(4) code is gone.

On 88100 cpus, make sure userland processes start with SNIP and SFIP valid
(i.e. with the valid bit set in them). Found the hard way by Anders Gavare
trying his latest gxemul, proves the hardware is more permitting than one
would expect it to be...

Grab the biglock unconditionnaly when system calls go through systrace;
spotted by drahn

typo

Restart the m88110 floating-point trap code from scratch, basing it on the
sparc{,64} floating-point emulator, adapted to the 88110 specifics. Handling
of these traps is now entirely done in C for convenience.

Although there are a few rounding issues to address, and the XRF is ignored,
this allows all the ieee754 regression tests to pass (lib/libc/ieeefp,
sys/kern/signal/fpsig, sys/kern/signal/sigfpe).

Make non-88110 kernels (aviion, luna88k) kernels compile again.

Better siginfo fault codes for floating point exceptions on 88110, with
more work in progress to handle these exceptions correctly, and document
a new undocumented and evil chip bug while there.

In double_reg_fixup(), do not rely on tf_r[0] being zero.

Faster splassert_check()

Fix userland vs system test in errata #16 handling.

Do not take biglock for NOLOCK system calls.

Only check for errata #16 for instruction faults.

spelling fixes, from Martynas Venckus;

Introduce an inline function to skip an instruction on 88110 and use it
whenever necessary, instead of duplicating the same code 10+ times.

A decent workaround for errata #16. I have verified it gets triggered, the
hard way.

On 88110, skip the faulting instruction in double_reg_fixup() if it can
recover, otherwise we'll fault in a loop.

Quote a few errata to explain why odd things are done in oddly ways on 88110.

Move pmap_set_modify() prototype to a header file

Move external interrupt and ast handling from m881[01]0_trap() to their
own functions, which do not need to be processor-specific.

This speeds up the exception return sequence a bit.

A line got lost while hand-editing diffs...

Move 88110 trap-on-write processing from two duplicated sections in trap.c to
a single function in pmap.c, which will do the right thing and also perform
mod/ref vm_page flags accounting.

Fix MP locking issues when processing data access faults on 88110, similar
to the fix already applied to 88100.

Replace many ``unsigned'' variables with ``unsigned int'', ``u_int'' or other
appropriate types. No functional change.

When processing a data access fault, keep the kernel lock while invoking
data_access_emulation() to complete the interrupted pipeline operations,
as data_access_emulation() can fault in turn.

When handling a userland data fault occuring in kernel mode, take the kernel
lock with KERNEL_LOCK, not KERNEL_PROC_LOCK. This lets bsd.mp run multiuser
on a single-processor board.

Don't use LK_CANRECURSE for the kernel lock, okay miod@ art@

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok

Rework the cache handling routines again. We now try to operate on the exact
address range we've been given, rounded to cache line boundaries, instead
of being lazy and operating on pages as soon as the range was large enough.

Also, since the ranges we'll be invoked for are reasonably small, it does
not make sense to check for segment sizes - we're always smaller, really.

While there, hardcode the size in cmmu_flush_data_cache(), which becomes
cmmu_flush_data_page(), since it was always invoked for complete pages.

Define PROC_PC. Then, since profiling information is being reported in
statclock(), do not bother doing this in userret() anymore. As a result,
userret() does not need its pc and ticks arguments, simplify.

Check for want_resched when processing AST and nowhere else. But then, when
doing so, do not check for signals - userret() will do this.

In syscall handlers, fix copyin() failure path wrt locking macros.

Fetch syscall arguments beyond r9 with copyin() from the userland stack,
instead of having the userland syscall code put the first three locations
from the stack in r10-r12.

This will speed-up most of the system calls (but mmap) once these fetches
are removed, in a few weeks from now.

Replace gazillions of badvaddr() or badwordaddr() calls with badaddr() calls.
With a few prototype declarations shuffling, this finally allows
<machine/locore.h> to die.

Clean the internal m88k trap type codes; while there, simplify and
factorize the build of the VBR page betweem luna88k and mvme88k.

Tested by aoyama@ and I.

scaled version of ld.d and st.d is obviously not a 64 bit transaction,
so there is no need to take care of it in double_reg_fixup(), as it will
never trigger the kind of misalignment faults this function recovers from.
Doh!

Replace db_{disable,enable}_interrupts with expanded version of themselves,
having macros for this is not worth doing.

Work in progress SMP code; mvme88k boards can spin up secondary CPUs,
kernel boots single user. Still a lot of polishing and bugfixing to do.

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@

Sprinkle holds and releases of the kernel lock whenever necessary; no functional
change for UP kernels.

Simplify ptrace branch handling code.

Switch m88k ports to __HAVE_CPUINFO. Current cpu pointer is held in SR0
on all running processors.
Tested aoyama@ and I

Get rid of PMAP_NULL and xx_ENTRY_NULL and simply use NULL when necessary.

Maintain an interrupt depth counter for CLKF_INTR to be correct.
Tested aoyama@ martin@ and I.

Switch to per-process AST flags and clean AST-related codepaths; speeds up
forks as a bonus.
Tested on luna88k and mvme88k by aoyama@ martin@ and I.

In syscall(), do not recompute the struct proc * after the syscall has
succeeded. This used to be necessary for fork(), when returning in the child,
but we return in the child in child_return() which does TRT.

ok art@

Change child_return() to record a proper ktrace record for vfork child
processes.

ok art@ uwe@ (some time ago)

In cache_flush(), after testing for curproc != NULL, do not use curproc
blindly...

Rework the single step implementation; mostly delaying breakpoint
removal so that single stepping delay slots work. Also added the ability
to single step through system calls (which cause an implicit branch if
successfull).

works for me, "looks ok" kettenis@

Remove m88k_psr_type and function with utterly long names to control the psr,
and use get_psr() / set_psr() or simple macros that expand into them everywhere.
No functional change.

Allow userland to cause the data cache to be flushed for any arbitrary address
range in the current process, using trap #451.

This is necessary for proper gcc trampolines operation, and, later, ld.so...

Use uvm_grow() to account for stack growth, rather than home-grown code
or nothing.
Inspired by a similar recent change in NetBSD.

Kill guarded_access() - the way we map OBIO, there is no need for special
treatement of interrupt vectors variables, a simple read will do.

While there, speed up the interrupt handlers a bit:
- remove old debug code or only compile it if option DEBUG.
- use short circuits for setipl() if we know interrupts are disabled at
this point: there is no need playing with the psr in these cases.

Kill struct md_p, which was really only necessary for mvme88k; on
luna88k it disappears completely, while mvme88k keeps 3 global variables,
one of them scheduled to disappear very soon.

guarded_access() is really only used by the MVME188 interrupt engine, so
do not provide it on luna88k. Makes trap() slightly faster on non-MVME188
kernels.

Introduce sparc-like CPU_ISFOO macros, to short-circuit evaluations when
compiling for one flavour only.

This makes code slightly smaller on all m88k-based platforms (my roughly
1KB), and saves more than meets the eye on luna88k, which is m88100-based.

Shrink more code if option PTRACE is not set; also use ss_put_value()
in trap handlers instead of inlining it by hand.

Reset pcb_onfault to NULL before invoking uvm_fault().

Do not use db_printf() without a godd reason; while there, shrinken some
messages.

After 88110 exception processing, do not reset the in-frame [di][lp]ar
values, they won't be put back to registers anyways...

On 88110, simplify enip processing:
- always fetch its value when building trapframe, it is faster than only
doing it after checking if it will have a meaningful value.
- don't bother setting it to a safe value if we change exip to a
non-delayslot address.

Allow userland to issue ld.d or st.d with a long, but not long long aligned
address, by recovering from the misaligned address exception.

branches: 1.4.2;
Signal bus errors when a write back operation fails on 88110.

Be sure to preserve r3 for syscalls which return 32-bit values.

Make #endif /* foo */ comments really match the #if condition.

Continue factorizing m88k common code, this time files in <arch>/<arch>
which were copied verbatim from mvme88k to luna88k.

This requires backing out syntactic sugar in mvme88k kernel configuration
files which would deduct the required processor types from the board models,
as the common code only depends upon the M88100 and M88110 defines.

Since no system call takes more than 6 arguments, and no more than one
off_t argument, there is no need to process more than 6 arguments on
64-bit platforms and 8 on 32-bit platforms.

Make the syscall argument gathering code simpler by removing never-used code
to fetch more arguments from the stack, and local argument arrays when pointing
to the trap frame does the job.

ok guenther@ jsing@

Drop no-longer-applicable comment.

Fix syscall number bounds check computations.

remove support for syscall(2) -- the "indirection system call" because
it is a dangerous alternative entry point for all system calls, and thus
incompatible with the precision system call entry point scheme we are
heading towards. This has been a 3-year mission:
First perl needed a code-generated wrapper to fake syscall(2) as a giant
switch table, then all the ports were cleaned with relatively minor fixes,
except for "go". "go" required two fixes -- 1) a framework issue with
old library versions, and 2) like perl, a fake syscall(2) wrapper to
handle ioctl(2) and sysctl(2) because "syscall(SYS_ioctl" occurs all over
the place in the "go" ecosystem because the "go developers" are plan9-loving
unix-hating folk who tried to build an ecosystem without allowing "ioctl".
ok kettenis, jsing, afresh1, sthen

Revert r1.31 - contrary to what I wrote, scaled versions of ld.d and st.d
are 64-bit loads and stores and may hit aligned-to-32-bits-but-not-64-bits
addresses.

__syscall() is no longer neccessary since the system calls which needed
it are now unpadded
ok kettenis guenther

On systems without xonly mmu hardware-enforcement, we can still mitigate
against classic BROP with a range-checking wrapper in front of copyin() and
copyinstr() which ensures the userland source doesn't overlap the main program
text, ld.so text, signal tramp text (it's mapping is hard to distinguish
so it comes along for the ride), or libc.so text. ld.so tells the kernel
libc.so text range with msyscall(2). The range checking for 2-4 elements is
done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been
discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:
userland kernel
ld.so readable unreadable
mmap xz unreadable unreadable
mmap x readable readable
mmap nrx readable readable
mmap nwx readable readable
mmap xnwx readable readable
main readable unreadable
libc unmapped? readable unreadable
libc mapped readable unreadable

ok kettenis, additional help from miod

we spent far too long debugging a weird go library problem (incorrect
arguments to mmap) because it was using syscall(2) and that callpath
is invisible in ktrace. make it visible, it will now show "(via syscall)"
and such.
ok guenther

Use PROT_EXEC when servicing instruction faults.
ok aoyama@

Clean up more ancient history: since 2015 the libc stubs for
fork/vfork/__tfork haven't cared about the second return register.
So, stop setting retval[1] in kern_fork.c and stop setting the
second return register in the MD child_return() routines.

With the above, we have no multi-register return values on LP64,
so stop touching that register in the trapframe on those archs.

testing miod@ and aoyama@
ok miod@

use string literal for format string
ok miod@

Correctly detect xmem operations faulting on missing pages on 88110.
These must be handled as write faults rather than read faults, since xmem
performs both a read and a write, and unlike on 88100, we don't have an easy
bit to check.

This solves libcrypto spinning on its locks on 88110.

We only have one syscall table: inline sysent/SYS_MAXSYSCALL and
SYS_syscall as the nosys() function into the MD syscall entry
routines and the SYSCALL_DEBUG support. Adjust alpha's syscall
check to match the other archs. Also, make sysent const to get it
into .rodata.

With that, 'struct emul' is unused: delete it and all its references

ok millert@