History log of /openbsd-current/sys/kern/sys_process.c
# 1.98 03-Jun-2024 claudio

Remove the now unused s argument to SCHED_LOCK and SCHED_UNLOCK.

The SPL level is not tracked by the mutex and we no longer need to track
this in the callers.
OK miod@ mlarkin@ tb@ jca@


# 1.97 02-Apr-2024 deraadt

remove useless whitespace; from Jia Tan


# 1.96 30-Mar-2024 mpi

Prevent a recursion inside wakeup(9) when scheduler tracepoints are enabled.

Tracepoints like "sched:enqueue" and "sched:unsleep" were called from inside
the loop iterating over sleeping threads as part of wakeup_proc(). When such
tracepoints were enabled they could result in another wakeup(9) possibly
corrupting the sleepqueue.

Rewrite wakeup(9) in two stages, first dequeue threads from the sleepqueue then
call setrunnable() and possible tracepoints for each of them.

This requires moving unsleep() outside of setrunnable() because it messes with
the sleepqueue.

ok claudio@


Revision tags: OPENBSD_7_5_BASE
# 1.95 21-Nov-2023 bluhm

Fix kernel build without option PTRACE, but with dt(4).

Since revision 1.26 dt_ioctl_get_auxbase() is calling process_domem().
Build the latter function into kernel if pseudo device dt is enabled.

from Matthias Pitzl; OK claudio@


Revision tags: OPENBSD_7_4_BASE
# 1.94 10-Jun-2023 kettenis

Implement support for pointer authentication (PAC) in userland. With PAC
it is possible to "sign" pointers with a hidden key. The signature is
placed in unused bits of the pointer and can be checked later. This can
be used to provide "tail CFI" that is similar to what retguard provides.

Debuggers need to be aware of the fact that pointers can be signed. For
this purpose a new PT_PACMASK ptrace(2) request is introduced that returns
a mask that indicates the bits used for the signature. Separate masks
are provided for code and data pointers even though the masks are identical
in the current implementation. These masks are also written into a special
note section in the core dump.

ok patrick@


Revision tags: OPENBSD_7_3_BASE
# 1.93 24-Jan-2023 deraadt

ptrace reads/writes memory using uvm_io, which generates a temporary
alias mapping using uvm_map_extract. With xonly now operational, this
alias mapping is created with minprot, which for text will be xonly, and
the kernel cannot read it (unless the architecture has implied read for
exec from kernel pov).
Pass UVM_IO_FIXPROT to create the alias with maxprot instead.
ok kettenis


# 1.92 02-Jan-2023 guenther

Add tfind_user(), for getting a proc* given a user-space TID and
the process* that it should be part of. Use that in clock_get{time,res}(),
thrkill(), and ptrace().

ok jca@ miod@ mpi@ mvs@


# 1.91 21-Dec-2022 claudio

The location of the aux info vector is now cached in ps_auxinfo of struct
process. Use this information to access the vector.
OK mpi@ mbuhl@ deraadt@


# 1.90 05-Dec-2022 deraadt

zap a pile of dangling tabs


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.89 07-Dec-2021 guenther

Continue to delete emulation support: since we're Just ELF, the size
of the auxinfo is fixed: provide ELF_AUX_WORDS in <sys/exec_elf.h>
as a replacement for emul->e_arglen

ok millert@


Revision tags: OPENBSD_7_0_BASE
# 1.88 10-May-2021 mpi

Revert previous, it introduced a regression with breakpoints in gdb.


# 1.87 06-May-2021 mpi

Refactor routines to stop/unstop processes and save the corresponding signal.

- Move the "hack" involving P_SINTR to avoid grabbing the SCHED_LOCK()
recursively closer to where it is necessary, in proc_stop()

- Introduce proc_unstop(), the symmetric routine to proc_stop(), which
manipulates `ps_xsig' and use it whenever a SSTOPed thread needs to be
awakened.

- Manipulate `ps_xsig' only in proc_stop/unstop()

ok kettenis@


Revision tags: OPENBSD_6_9_BASE
# 1.86 08-Feb-2021 mpi

Revert the conversion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefore use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced child under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer messes with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplifies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9).

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guenther.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one's own children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes' threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxiliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implement PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.97 02-Apr-2024 deraadt

remove useless whitespace; from Jia Tan


# 1.96 30-Mar-2024 mpi

Prevent a recursion inside wakeup(9) when scheduler tracepoints are enabled.

Tracepoints like "sched:enqueue" and "sched:unsleep" were called from inside
the loop iterating over sleeping threads as part of wakeup_proc(). When such
tracepoints were enabled they could result in another wakeup(9) possibly
corrupting the sleepqueue.

Rewrite wakeup(9) in two stages, first dequeue threads from the sleepqueue then
call setrunnable() and possible tracepoints for each of them.

This requires moving unsleep() outside of setrunnable() because it messes with
the sleepqueue.

ok claudio@


Revision tags: OPENBSD_7_5_BASE
# 1.95 21-Nov-2023 bluhm

Fix kernel build without option PTRACE, but with dt(4).

Since revision 1.26 dt_ioctl_get_auxbase() is calling process_domem().
Build the latter function into kernel if pseudo device dt is enabled.

from Matthias Pitzl; OK claudio@


Revision tags: OPENBSD_7_4_BASE
# 1.94 10-Jun-2023 kettenis

Implement support for pointer authentication (PAC) in userland. With PAC
it is possible to "sign" pointers with a hidden key. The signature is
placed in unused bits of the pointer and can be checked later. This can
be used to provide "tail CFI" that is similar to what retguard provides.

Debuggers need to be aware of the fact that pointers can be signed. For
this purpose a new PT_PACMASK ptrace(2) request is introduced that returns
as mask that indicates the bits used for the signature. Separate masks
are provided for code and data pointers even though the masks are identical
in the current implementation. These masks are also written into a special
note section in the core dump.

ok patrick@


Revision tags: OPENBSD_7_3_BASE
# 1.93 24-Jan-2023 deraadt

ptrace reads/writes memory using uvm_io, which generates an temporary
alias mapping using uvm_map_extract. With xonly now operational, this
alias mapping is created with minprot, which for text will be xonly, and
the kernel cannot read it (unless the architecture has implied read for
exec from kernel pov).
Pass UVM_IO_FIXPROT to create the alias with maxprot instead.
ok kettenis


# 1.92 02-Jan-2023 guenther

Add tfind_user(), for getting a proc* given a user-space TID and
the process* that it should be part of. Use that in clock_get{time,res}(),
thrkill(), and ptrace().

ok jca@ miod@ mpi@ mvs@


# 1.91 21-Dec-2022 claudio

The location of the aux info vector is now cached in ps_auxinfo of struct
process. Use this information to access the vector.
OK mpi@ mbuhl@ deraadt@


# 1.90 05-Dec-2022 deraadt

zap a pile of dangling tabs


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.89 07-Dec-2021 guenther

Continue to delete emulation support: since we're Just ELF, the size
of the auxinfo is fixed: provide ELF_AUX_WORDS in <sys/exec_elf.h>
as a replacement for emul->e_arglen

ok millert@


Revision tags: OPENBSD_7_0_BASE
# 1.88 10-May-2021 mpi

Revert previous, it introduced a regression with breakpoints in gdb.


# 1.87 06-May-2021 mpi

Refactor routines to stop/unstop processes and save the corresponding signal.

- Move the "hack" involving P_SINTR to avoid grabbing the SCHED_LOCK()
recursively closer to where it is necessary, in proc_stop()

- Introduce proc_unstop(), the symmetric routine to proc_stop(), which
manipulates `ps_xsig' and use it whenever a SSTOPed thread needs to be
awaken.

- Manipulate `ps_xsig' only in proc_stop/unstop()

ok kettenis@


Revision tags: OPENBSD_6_9_BASE
# 1.86 08-Feb-2021 mpi

Revert the convertion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefor use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced child under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplfies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9.

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guethner.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefpore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one own's children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxiliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implement PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRS and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxilliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implemente PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make then unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.95 21-Nov-2023 bluhm

Fix kernel build without option PTRACE, but with dt(4).

Since revision 1.26 dt_ioctl_get_auxbase() is calling process_domem().
Build the latter function into kernel if pseudo device dt is enabled.

from Matthias Pitzl; OK claudio@


Revision tags: OPENBSD_7_4_BASE
# 1.94 10-Jun-2023 kettenis

Implement support for pointer authentication (PAC) in userland. With PAC
it is possible to "sign" pointers with a hidden key. The signature is
placed in unused bits of the pointer and can be checked later. This can
be used to provide "tail CFI" that is similar to what retguard provides.

Debuggers need to be aware of the fact that pointers can be signed. For
this purpose a new PT_PACMASK ptrace(2) request is introduced that returns
as mask that indicates the bits used for the signature. Separate masks
are provided for code and data pointers even though the masks are identical
in the current implementation. These masks are also written into a special
note section in the core dump.

ok patrick@


Revision tags: OPENBSD_7_3_BASE
# 1.93 24-Jan-2023 deraadt

ptrace reads/writes memory using uvm_io, which generates an temporary
alias mapping using uvm_map_extract. With xonly now operational, this
alias mapping is created with minprot, which for text will be xonly, and
the kernel cannot read it (unless the architecture has implied read for
exec from kernel pov).
Pass UVM_IO_FIXPROT to create the alias with maxprot instead.
ok kettenis


# 1.92 02-Jan-2023 guenther

Add tfind_user(), for getting a proc* given a user-space TID and
the process* that it should be part of. Use that in clock_get{time,res}(),
thrkill(), and ptrace().

ok jca@ miod@ mpi@ mvs@


# 1.91 21-Dec-2022 claudio

The location of the aux info vector is now cached in ps_auxinfo of struct
process. Use this information to access the vector.
OK mpi@ mbuhl@ deraadt@


# 1.90 05-Dec-2022 deraadt

zap a pile of dangling tabs


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.89 07-Dec-2021 guenther

Continue to delete emulation support: since we're Just ELF, the size
of the auxinfo is fixed: provide ELF_AUX_WORDS in <sys/exec_elf.h>
as a replacement for emul->e_arglen

ok millert@


Revision tags: OPENBSD_7_0_BASE
# 1.88 10-May-2021 mpi

Revert previous, it introduced a regression with breakpoints in gdb.


# 1.87 06-May-2021 mpi

Refactor routines to stop/unstop processes and save the corresponding signal.

- Move the "hack" involving P_SINTR to avoid grabbing the SCHED_LOCK()
recursively closer to where it is necessary, in proc_stop()

- Introduce proc_unstop(), the symmetric routine to proc_stop(), which
manipulates `ps_xsig' and use it whenever a SSTOPed thread needs to be
awakened.

- Manipulate `ps_xsig' only in proc_stop/unstop()

ok kettenis@


Revision tags: OPENBSD_6_9_BASE
# 1.86 08-Feb-2021 mpi

Revert the conversion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefore use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced child under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer messes with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplifies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9).

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guenther.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one's own children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes' threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminate struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macppc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxiliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implement PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls use suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.94 10-Jun-2023 kettenis

Implement support for pointer authentication (PAC) in userland. With PAC
it is possible to "sign" pointers with a hidden key. The signature is
placed in unused bits of the pointer and can be checked later. This can
be used to provide "tail CFI" that is similar to what retguard provides.

Debuggers need to be aware of the fact that pointers can be signed. For
this purpose a new PT_PACMASK ptrace(2) request is introduced that returns
as mask that indicates the bits used for the signature. Separate masks
are provided for code and data pointers even though the masks are identical
in the current implementation. These masks are also written into a special
note section in the core dump.

ok patrick@


Revision tags: OPENBSD_7_3_BASE
# 1.93 24-Jan-2023 deraadt

ptrace reads/writes memory using uvm_io, which generates an temporary
alias mapping using uvm_map_extract. With xonly now operational, this
alias mapping is created with minprot, which for text will be xonly, and
the kernel cannot read it (unless the architecture has implied read for
exec from kernel pov).
Pass UVM_IO_FIXPROT to create the alias with maxprot instead.
ok kettenis


# 1.92 02-Jan-2023 guenther

Add tfind_user(), for getting a proc* given a user-space TID and
the process* that it should be part of. Use that in clock_get{time,res}(),
thrkill(), and ptrace().

ok jca@ miod@ mpi@ mvs@


# 1.91 21-Dec-2022 claudio

The location of the aux info vector is now cached in ps_auxinfo of struct
process. Use this information to access the vector.
OK mpi@ mbuhl@ deraadt@


# 1.90 05-Dec-2022 deraadt

zap a pile of dangling tabs


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.89 07-Dec-2021 guenther

Continue to delete emulation support: since we're Just ELF, the size
of the auxinfo is fixed: provide ELF_AUX_WORDS in <sys/exec_elf.h>
as a replacement for emul->e_arglen

ok millert@


Revision tags: OPENBSD_7_0_BASE
# 1.88 10-May-2021 mpi

Revert previous, it introduced a regression with breakpoints in gdb.


# 1.87 06-May-2021 mpi

Refactor routines to stop/unstop processes and save the corresponding signal.

- Move the "hack" involving P_SINTR to avoid grabbing the SCHED_LOCK()
recursively closer to where it is necessary, in proc_stop()

- Introduce proc_unstop(), the symmetric routine to proc_stop(), which
manipulates `ps_xsig' and use it whenever a SSTOPed thread needs to be
awaken.

- Manipulate `ps_xsig' only in proc_stop/unstop()

ok kettenis@


Revision tags: OPENBSD_6_9_BASE
# 1.86 08-Feb-2021 mpi

Revert the convertion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefor use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced child under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplfies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9.

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guethner.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefpore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one own's children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRS and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxilliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implement PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.93 24-Jan-2023 deraadt

ptrace reads/writes memory using uvm_io, which generates a temporary
alias mapping using uvm_map_extract. With xonly now operational, this
alias mapping is created with minprot, which for text will be xonly, and
the kernel cannot read it (unless the architecture has implied read for
exec from kernel pov).
Pass UVM_IO_FIXPROT to create the alias with maxprot instead.
ok kettenis


# 1.92 02-Jan-2023 guenther

Add tfind_user(), for getting a proc* given a user-space TID and
the process* that it should be part of. Use that in clock_get{time,res}(),
thrkill(), and ptrace().

ok jca@ miod@ mpi@ mvs@


# 1.91 21-Dec-2022 claudio

The location of the aux info vector is now cached in ps_auxinfo of struct
process. Use this information to access the vector.
OK mpi@ mbuhl@ deraadt@


# 1.90 05-Dec-2022 deraadt

zap a pile of dangling tabs


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.89 07-Dec-2021 guenther

Continue to delete emulation support: since we're Just ELF, the size
of the auxinfo is fixed: provide ELF_AUX_WORDS in <sys/exec_elf.h>
as a replacement for emul->e_arglen

ok millert@


Revision tags: OPENBSD_7_0_BASE
# 1.88 10-May-2021 mpi

Revert previous, it introduced a regression with breakpoints in gdb.


# 1.87 06-May-2021 mpi

Refactor routines to stop/unstop processes and save the corresponding signal.

- Move the "hack" involving P_SINTR to avoid grabbing the SCHED_LOCK()
recursively closer to where it is necessary, in proc_stop()

- Introduce proc_unstop(), the symmetric routine to proc_stop(), which
manipulates `ps_xsig' and use it whenever a SSTOPed thread needs to be
awakened.

- Manipulate `ps_xsig' only in proc_stop/unstop()

ok kettenis@


Revision tags: OPENBSD_6_9_BASE
# 1.86 08-Feb-2021 mpi

Revert the conversion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefore use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced children under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer messes with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplifies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9).

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guenther.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one's own children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


# 1.92 02-Jan-2023 guenther

Add tfind_user(), for getting a proc* given a user-space TID and
the process* that it should be part of. Use that in clock_get{time,res}(),
thrkill(), and ptrace().

ok jca@ miod@ mpi@ mvs@


# 1.91 21-Dec-2022 claudio

The location of the aux info vector is now cached in ps_auxinfo of struct
process. Use this information to access the vector.
OK mpi@ mbuhl@ deraadt@


# 1.90 05-Dec-2022 deraadt

zap a pile of dangling tabs


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.89 07-Dec-2021 guenther

Continue to delete emulation support: since we're Just ELF, the size
of the auxinfo is fixed: provide ELF_AUX_WORDS in <sys/exec_elf.h>
as a replacement for emul->e_arglen

ok millert@


Revision tags: OPENBSD_7_0_BASE
# 1.88 10-May-2021 mpi

Revert previous, it introduced a regression with breakpoints in gdb.


# 1.87 06-May-2021 mpi

Refactor routines to stop/unstop processes and save the corresponding signal.

- Move the "hack" involving P_SINTR to avoid grabbing the SCHED_LOCK()
recursively closer to where it is necessary, in proc_stop()

- Introduce proc_unstop(), the symmetric routine to proc_stop(), which
manipulates `ps_xsig' and use it whenever a SSTOPed thread needs to be
awaken.

- Manipulate `ps_xsig' only in proc_stop/unstop()

ok kettenis@


Revision tags: OPENBSD_6_9_BASE
# 1.86 08-Feb-2021 mpi

Revert the convertion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefor use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced child under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplfies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9.

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guethner.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefpore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one own's children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxiliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implement PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on archs that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRS and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxilliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implemente PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make then unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.90 05-Dec-2022 deraadt

zap a pile of dangling tabs


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.89 07-Dec-2021 guenther

Continue to delete emulation support: since we're Just ELF, the size
of the auxinfo is fixed: provide ELF_AUX_WORDS in <sys/exec_elf.h>
as a replacement for emul->e_arglen

ok millert@


Revision tags: OPENBSD_7_0_BASE
# 1.88 10-May-2021 mpi

Revert previous, it introduced a regression with breakpoints in gdb.


# 1.87 06-May-2021 mpi

Refactor routines to stop/unstop processes and save the corresponding signal.

- Move the "hack" involving P_SINTR to avoid grabbing the SCHED_LOCK()
recursively closer to where it is necessary, in proc_stop()

- Introduce proc_unstop(), the symmetric routine to proc_stop(), which
manipulates `ps_xsig' and use it whenever a SSTOPed thread needs to be
awaken.

- Manipulate `ps_xsig' only in proc_stop/unstop()

ok kettenis@


Revision tags: OPENBSD_6_9_BASE
# 1.86 08-Feb-2021 mpi

Revert the convertion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefor use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced child under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplfies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9).

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guenther.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one's own children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macppc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxiliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implement PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on archs that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.89 07-Dec-2021 guenther

Continue to delete emulation support: since we're Just ELF, the size
of the auxinfo is fixed: provide ELF_AUX_WORDS in <sys/exec_elf.h>
as a replacement for emul->e_arglen

ok millert@


Revision tags: OPENBSD_7_0_BASE
# 1.88 10-May-2021 mpi

Revert previous, it introduced a regression with breakpoints in gdb.


# 1.87 06-May-2021 mpi

Refactor routines to stop/unstop processes and save the corresponding signal.

- Move the "hack" involving P_SINTR to avoid grabbing the SCHED_LOCK()
recursively closer to where it is necessary, in proc_stop()

- Introduce proc_unstop(), the symmetric routine to proc_stop(), which
manipulates `ps_xsig' and use it whenever a SSTOPed thread needs to be
awakened.

- Manipulate `ps_xsig' only in proc_stop/unstop()

ok kettenis@


Revision tags: OPENBSD_6_9_BASE
# 1.86 08-Feb-2021 mpi

Revert the conversion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefore use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced children under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@



# 1.88 10-May-2021 mpi

Revert previous, it introduced a regression with breakpoints in gdb.


# 1.87 06-May-2021 mpi

Refactor routines to stop/unstop processes and save the corresponding signal.

- Move the "hack" involving P_SINTR to avoid grabbing the SCHED_LOCK()
recursively closer to where it is necessary, in proc_stop()

- Introduce proc_unstop(), the symmetric routine to proc_stop(), which
manipulates `ps_xsig' and use it whenever a SSTOPed thread needs to be
awakened.

- Manipulate `ps_xsig' only in proc_stop/unstop()

ok kettenis@


Revision tags: OPENBSD_6_9_BASE
# 1.86 08-Feb-2021 mpi

Revert the conversion of the per-process thread list into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefore use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced children under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer messes with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplifies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9).

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guenther.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one's own children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macppc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxiliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implement PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.87 06-May-2021 mpi

Refactor routines to stop/unstop processes and save the corresponding signal.

- Move the "hack" involving P_SINTR to avoid grabbing the SCHED_LOCK()
recursively closer to where it is necessary, in proc_stop()

- Introduce proc_unstop(), the symmetric routine to proc_stop(), which
manipulates `ps_xsig' and use it whenever a SSTOPed thread needs to be
awaken.

- Manipulate `ps_xsig' only in proc_stop/unstop()

ok kettenis@


Revision tags: OPENBSD_6_9_BASE
# 1.86 08-Feb-2021 mpi

Revert the convertion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefor use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced child under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplfies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9.

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guethner.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefpore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one own's children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRS and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxilliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implemente PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.86 08-Feb-2021 mpi

Revert the conversion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefore use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced children under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer messes with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplifies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9).

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guenther.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one's own children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxiliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implemente PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make then unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.85 07-Dec-2020 mpi

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefor use
the *_LOCKED() variant.

From and ok claudio@


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced child under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplfies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9.

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guethner.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefpore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one own's children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRS and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxilliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implemente PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.84 19-Oct-2020 mpi

Serialize accesses to "struct vmspace" and document its refcounting.

The underlying vm_space lock is used as a substitute to the KERNEL_LOCK()
in uvm_grow() to make sure `vm_ssize' is not corrupted.

ok anton@, kettenis@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.83 16-Mar-2020 mpi

Keep track of traced child under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer messes with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplifies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9).

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guenther.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one's own children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxilliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implemente PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make then unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.83 16-Mar-2020 mpi

Keep track of traced child under a list of orphans while they are being
reparented to a debugger process.

Also re-parent exiting traced processes to their original parent, if it
is still alive, after the debugger has seen the exit status.

Logic comes from FreeBSD pointed out by guenther@.

While here rename proc_reparent() into process_reparent() and get rid of
superfluous checks.

ok visa@


# 1.82 11-Dec-2019 guenther

Replace p_xstat with ps_xexit and ps_xsig
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))

ok mpi@


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplfies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9.

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guethner.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefpore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one own's children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRS and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxilliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implement PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxilliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implemente PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make then unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.81 29-Nov-2019 mpi

Return EBUSY for successive PT_TRACE_ME calls.

Match FreeBSD and NetBSD.

ok bluhm@, deraadt@, kettenis@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.80 19-Feb-2018 mpi

Change some returns into gotos, will help keeping the unlocking path
simpler. No functional change.

Extracted from a larger diff from guenther@, ok kettenis@


# 1.79 19-Feb-2018 mpi

Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.

No objection from millert@, ok tedu@, bluhm@


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplfies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9.

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guethner.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefpore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one own's children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRS and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxilliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implement PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on arch that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec:ing mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.78 14-Oct-2017 guenther

Split sys_ptrace() by request type:
- control operations: trace_me, attach, detach, step, kill, continue.
Manipulate process relation/state or send a signal
- kernel-state get/set: thread list, event mask, trace state.
About the process and don't require target to be stopped, need copyin/out
- user-state get/set: memory, register, window cookie.
Often thread-specific, require target to be stopped, need copyin/out

sys_ptrace() changes to handle request checking, copyin/out to
kernel buffers with size check and zeroing, and dispatching to the
routines above for the real work. This simplfies the permission checks
and copyin/out handling and will simplify lock handling in the future.

Inspired in part by FreeBSD.
ok mpi@ visa@


Revision tags: OPENBSD_6_2_BASE
# 1.77 19-Jul-2017 deraadt

Uninitialized variable can leak kernel memory.
Found by Ilja Van Sprundel
ok kettenis


Revision tags: OPENBSD_6_1_BASE
# 1.76 25-Jan-2017 guenther

branches: 1.76.4;
deSCARGize sys_ptrace()

ok mpi@


# 1.75 24-Jan-2017 mpi

Rename pfind(9) into tfind(9) to reflect that it deals with threads.

While here document prfind(9.

with and ok guenther@


# 1.74 07-Nov-2016 guenther

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 1.73 19-Oct-2016 guenther

Change process_{domem,auxv_offset}() to take a process instead of a proc.
Make process_auxv_offset() take and release a reference of the vmspace like
process_domem() does.

ok kettenis@


# 1.72 19-Oct-2016 guenther

Change pmap_proc_iflush() to take a process instead of a proc
powerpc: rename second argument of pmap_proc_iflush() to match other archs

ok kettenis@


# 1.71 09-Oct-2016 guenther

With systrace and procfs gone, process_checkioperm() and process_domem()
are for option PTRACE only

ok kettenis@


# 1.70 01-Sep-2016 akfaew

Get rid of 'relebad:'.

OK natano@ guenther@


Revision tags: OPENBSD_6_0_BASE
# 1.69 31-May-2016 jca

branches: 1.69.2;
Fix ptrace PT_WRITE_D that returned EFAULT.

Broken in r.1.33. After discussion from kettenis@, don't attempt to
make PT_WRITE_D and PT_WRITE_I equivalent again.

From Mathieu (naabed at poolp dot org)


Revision tags: OPENBSD_5_9_BASE
# 1.68 24-Sep-2015 tedu

buglet: there's no way for req to be STEP in the DETACH case.
also fix the confusing comment. ok guethner.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.67 20-Jan-2015 kettenis

Move ps_strings "after" the random stackgap. This makes its location a
per-process value, and therefpore turns the VM_PSSTRINGS sysctl into a
per-process one as well. This gets rid of a pointer to the bottom of the
stack at a fixed location. Also clears the road for unmapping the stackgap.

ok deraadt@


# 1.66 12-Dec-2014 tedu

sysctl kern.global_ptrace.
controls whether you can ptrace any process with appropriate privileges
or only one own's children.
ok deraadt


# 1.65 08-Sep-2014 guenther

Delete procfs; it's always had races and is now unused: no one noticed for
months that I broke it before the 5.5 release.

confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@


Revision tags: OPENBSD_5_6_BASE
# 1.64 13-Jul-2014 tedu

pass the size to free in some of the obvious cases


# 1.63 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.62 11-Jul-2014 guenther

It's init as a process that's special, not init's original thread.
Remember initprocess instead of initproc.

ok matthew@ blambert@


# 1.61 04-May-2014 guenther

Add PS_SYSTEM, the process-level mirror of the thread-level P_SYSTEM,
and FORK_SYSTEM as a flag to set them. This eliminates needing to
peek into other processes threads in various places. Inspired by NetBSD

ok miod@ matthew@


# 1.60 30-Mar-2014 guenther

Eliminates struct pcred by moving the real and saved ugids into
struct ucred; struct process then directly links to the ucred

Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.

ok matthew@


# 1.59 26-Mar-2014 guenther

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE
# 1.58 21-Jan-2014 tedu

bzero -> memset


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.57 13-Apr-2012 kettenis

For now, direct the kill signal sent by PT_KILL to the thread that made us
stop, just like we do for PT_CONTINUE/PT_STEP. The current code isn't
ready for directing signals to other threads yet.


# 1.56 13-Apr-2012 kettenis

First stab at making ptrace(2) usable for debugging multi-threaded programs.
It implements a full-stop model where all threads are stopped before handing
over control to the debugger. Events are reported as before through wait(2);
you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which
thread hit the event. Since this changes the size of struct ptrace_state,
you will have to recompile gdb.

ok guenther@


# 1.55 12-Apr-2012 kettenis

If the "main" thread exits it stays around but unlinks itself from the
threads list. Calling TAILQ_NEXT on them is a bad idea and will panic
the kernel. So check the P_WEXIT flag and pretend the thread doesn't
exist if it is set. Also make PT_GET_THREAD_FIRST return the first
thread on the threads list instead of the "main" thread, such that you
can actually keep enumerating the threads in this case.

ok guenther@, miod@


# 1.54 12-Apr-2012 kettenis

PT_GETXMMREGS and PT_SETXMMREGS can take a TID.


# 1.53 11-Apr-2012 kettenis

Move the P_WAITED flag from struct proc to struct process.

ok guenther@


# 1.52 06-Apr-2012 kettenis

Implement PT_GET_THREAD_FIRS and PT_GET_THREAD_NEXT.

ok miod@


# 1.51 10-Mar-2012 guenther

Add PS_EXITING to better differentiate between the process exiting and
the main thread exiting. c.f. regress/sys/kern/main-thread-exited/


# 1.50 25-Feb-2012 miod

Allow this to build on platforms lacking PT_GETFPREGS or PT_SETFPREGS; broken
in previous rev.


# 1.49 20-Feb-2012 guenther

First steps for making ptrace work with rthreads:
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT

ok kettenis@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.48 02-Apr-2011 guenther

Move P_SUGID and P_SUGIDEXEC from struct proc to struct process, so
that you can't evade the checks by doing the dirty work in an rthread

ok blambert@, deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.47 26-Jul-2010 guenther

Correct the links between threads, processes, pgrps, and sessions,
so that the process-level stuff is to/from struct process and not
struct proc. This fixes a bunch of problem cases in rthreads.
Based on earlier work by blambert and myself, but mostly written
at c2k10.

Tested by many: deraadt, sthen, krw, ray, and in snapshots


# 1.46 26-Jun-2010 guenther

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@


# 1.45 02-May-2010 kettenis

Use intermediate vaddr_t cast when casting a pointer to off_t. Prevents
gcc4 from complaining about casting a pointer to an integer type of different
size.

ok guenther@, jsg@


Revision tags: OPENBSD_4_7_BASE
# 1.44 28-Jan-2010 guenther

Make sure the process tree is is loop-free by forbidding ptrace()
of a direct ancestor, closing a localhost DoS. As an exception,
do permit ptrace() of pid 1 and have inferiors() stop climbing if
it hits that.

ok tedu@ hpux_compat suggestion from miod@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.43 31-Oct-2008 deraadt

branches: 1.43.2; 1.43.6;
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art


# 1.42 31-Oct-2008 deraadt

accidental commit ... backout


# 1.41 31-Oct-2008 deraadt

kern_sysctl.c


# 1.40 16-Sep-2008 kettenis

Add PIOD_READ_AUXV, a way to get the ELF auxilliary vector through ptrace(2).

ok miod@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.39 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


# 1.38 15-Mar-2007 art

Since p_flag is often manipulated in interrupts and without biglock
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.

Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.

kettenis@ ok


Revision tags: OPENBSD_4_1_BASE
# 1.37 29-Nov-2006 miod

Kernel stack can be swapped. This means that stuff that's on the stack
should never be referenced outside the context of the process to which
this stack belongs unless we do the PHOLD/PRELE dance. Loads of code
doesn't follow the rules here. Instead of trying to track down all
offenders and fix this hairy situation, it makes much more sense
to not swap kernel stacks.

From art@, tested by many some time ago.


Revision tags: OPENBSD_4_0_BASE
# 1.36 19-Jul-2006 grunk

make kernels w/o PTRACE compile again.

help from mickey@, "commit it" miod@


# 1.35 18-May-2006 miod

paramter -> parameter


Revision tags: OPENBSD_3_9_BASE
# 1.34 13-Dec-2005 jsg

ansi/deregister. No binary change.


# 1.33 11-Dec-2005 miod

Replace procfs_domem() with a similar interface, process_domem(), which lives
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().

From art@ some time ago; ok kettenis@ pedro@


# 1.32 14-Sep-2005 kettenis

ptrace(2) following fork(2)
ok miod@


Revision tags: OPENBSD_3_8_BASE
# 1.31 02-Aug-2005 kettenis

Reduce stack usage.


# 1.30 16-Apr-2005 kettenis

Remove regs and fpregs pseudo-files from procfs.
ok deraadt@, miod@


# 1.29 03-Apr-2005 kettenis

Implemente PT_[GS]ETXMMREGS ptrace(2) requests on i386.
ok deraadt@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.28 13-Jun-2004 niklas

debranch SMP, have fun


Revision tags: OPENBSD_3_5_BASE SMP_SYNC_A SMP_SYNC_B
# 1.27 08-Feb-2004 deraadt

restored & repaired wcookie support; kettenis@chello.nl


Revision tags: OPENBSD_3_4_BASE
# 1.26 15-Aug-2003 tedu

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@


# 1.25 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_3_BASE UBC_SYNC_A
# 1.24 09-Mar-2003 millert

Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.23 27-Jun-2002 deraadt

KNF


Revision tags: OPENBSD_3_1_BASE
# 1.22 10-Apr-2002 fgsch

don't attach to system processes.
art@ niklas@ markus@ millert@ deraadt@ ok.


# 1.21 12-Mar-2002 art

Change the PT_IO interfaces like discussed on
the bsd-api-discuss list.


# 1.20 12-Mar-2002 art

In the PT_STEP case, first set the new pc, then arrange
for the single-step. This can slightly break the error handling when
setting the sstep fails, but allows us to emulate single stepping in
software on archs that don't have support for that in hardware.


# 1.19 11-Mar-2002 art

Since all archs implement PT_GETREGS and PT_SETREGS, make them unoptional.
They still stay in MD code for backwards compatibility, but a check in
ptrace.h checks if they are defined.

Note - the same thing will be done with PT_{GET,SET}FPREGS once vax implements
them and with PT_STEP when it's implemented by sparc, sparc64 and alpha.


# 1.18 11-Mar-2002 art

Add a more sane API for reading/writing traced process memory
with ptrace - PT_IO.
Man page update in a few.


# 1.17 30-Jan-2002 nordin

Move SET/CLR/ISSET macros to param.h. fgsch@ and millert@ ok


# 1.16 20-Jan-2002 art

When a process is exec'ing, mark it with a flag. Check that flag in ptrace
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.


# 1.15 02-Jan-2002 art

register_t is not an int, so don't use it that way.
Fixes PT_{READ,WRITE}_{I,D} on sparc64.


Revision tags: UBC_BASE
# 1.14 06-Nov-2001 miod

branches: 1.14.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)


Revision tags: OPENBSD_3_0_BASE
# 1.13 27-Jun-2001 art

branches: 1.13.2;
remove old vm


# 1.12 18-Jun-2001 art

trace_req is not used anymore (was a nop).


# 1.11 18-Jun-2001 deraadt

split PT_DETACH handling, so that pc cannot be set by it; art ok


Revision tags: OPENBSD_2_9_BASE
# 1.10 09-Apr-2001 tholo

branches: 1.10.2;
Add emulation of Linux features to procfs; mostly from NetBSD. ok deraadt@


# 1.9 10-Nov-2000 provos

seperate -> separate, okay aaron@


Revision tags: OPENBSD_2_8_BASE
# 1.8 08-Jun-2000 niklas

Add explicit inclusions of signalvar.h to files actually using syms defined
there but relying on an indirect inclusion


Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE SMP_BASE kame_19991208
# 1.7 26-Feb-1999 art

branches: 1.7.6;
kmem allocation changes for uvm


Revision tags: OPENBSD_2_4_BASE
# 1.6 27-Jun-1998 deraadt

securelevels do NOT protect running binaries; only filesystem activity


# 1.5 09-Jun-1998 deraadt

do not permit ptrace attach to immutable executable


Revision tags: OPENBSD_2_0_BASE OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.4 29-Jul-1996 deraadt

comment on ptrace & P_SUGID


# 1.3 22-May-1996 deraadt

fix obscure problem involving ptrace of init


# 1.2 03-Mar-1996 niklas

From NetBSD: 960217 merge


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision