remove unused struct sigstate; ok miod@

Change sendsig() interface so that the MD code does not need to access
data from struct process anymore. This changes how siginfo and onstack
are accessed and make sendsig() more MP friendly.
With an

Change sendsig() interface so that the MD code does not need to access
data from struct process anymore. This changes how siginfo and onstack
are accessed and make sendsig() more MP friendly.
With and OK semarie@ OK kettenis@

show more ...

In case of failure, call sigexit() from trapsignal instead of sensig().

Simplify MD code and reduce the amount of recursion into the signal code
which helps when dealing with locks.

ok cheloha@, de

In case of failure, call sigexit() from trapsignal instead of sensig().

Simplify MD code and reduce the amount of recursion into the signal code
which helps when dealing with locks.

ok cheloha@, deraadt@

show more ...

Move from sendsig() to its callers the initsiginfo() calls and
instead of passing sendsig() the code+type+val, pass a siginfo_t*
to copy from. Eliminate the indirection through struct emul for
sends

Move from sendsig() to its callers the initsiginfo() calls and
instead of passing sendsig() the code+type+val, pass a siginfo_t*
to copy from. Eliminate the indirection through struct emul for
sendsig(); we no longer have a SunOS4-compat version of sendsig()

ok deraadt@

show more ...

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_att

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis

show more ...

Report the PID in sendsig() debugging

tested by aoyama@

Add sc_cookie in sigcontext, as same as other ports.
From Miod Vallat, tested by him and me.

ok deraadt@

hand-massage sendsig() and sys_sigreturn() to be much more similar.
ok guenther kettenis

SROP mitigation. sendsig() stores a (per-process ^ &sigcontext) cookie
inside the sigcontext. sigreturn(2) checks syscall entry was from the
exact PC addr in the (per-process ASLR) sigtramp, verifi

SROP mitigation. sendsig() stores a (per-process ^ &sigcontext) cookie
inside the sigcontext. sigreturn(2) checks syscall entry was from the
exact PC addr in the (per-process ASLR) sigtramp, verifies the cookie,
and clears it to prevent sigcontext reuse.
not yet tested on landisk, sparc, *88k, socppc.
ok kettenis

show more ...

Do not even try to call uvm_grow() from sendsig. It will be invoked
automagically if copyout() of the signal frame faults.

Remove conditional pipeline rewind on 88100, introduced in 1.19 - this seems
to create subtle problems, and removing it does not prevent existing signal
delivery tests from having the correct behavio

Remove conditional pipeline rewind on 88100, introduced in 1.19 - this seems
to create subtle problems, and removing it does not prevent existing signal
delivery tests from having the correct behaviour. And this is likely redundant
with DAE processing in sigreturn.

We should probably rewind if XIP_V is not set, but does this ever happen
in real life? To be investigated on a rainy day.

This seems to fix spurious signals encountered building libstdc++ and perl.

show more ...

Apply the ``make sure sigcontext does not overlap pending DAE addresses''
logic in the dedicated signal stack case, too.

Also, every time the sigcontext position is recomputed by the above logic,
re

Apply the ``make sure sigcontext does not overlap pending DAE addresses''
logic in the dedicated signal stack case, too.

Also, every time the sigcontext position is recomputed by the above logic,
recheck the DAE addresses from the beginning, in case a formerly avoided
address now risks being overwritten.

show more ...

Take subsequent stack alignment into account in local_stack_frame() when
making sure the sigcontext will not overlap pending DAE accesses.

Fixes sporadic sys/kern/signal/earlysig regress failure.

Address several problems in signal delivery on 88100 processors:
- when building the sigcontext, rewind the pipeline for recoverable
exceptions, so that sigreturn actually has a chance to cause the

Address several problems in signal delivery on 88100 processors:
- when building the sigcontext, rewind the pipeline for recoverable
exceptions, so that sigreturn actually has a chance to cause the
interrupted instruction to be run again.
- when returning with sigreturn, and the sigcontext contains valid
DAE information, the DAE need to be emulated before returning, for
the processor will not reissue them.
- finally, when the sigframe is allocated on the current process' stack,
be careful not to stomp upon addresses referenced by the DAE information,
for this would defeat the previous point.

All these changes only affect 88100 processors only. 88110 operation is
unchanged.

While there, do not copyout an empty siginfo struct if the signal handler
does not expect any.

Hair-pulling evil testcase provided by aoyama@, based upon one of
devel/libsigsegv configure tests (which would spin on 88100 and run happily on
88110).

show more ...

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to

Move p_emul and p_sigcode from proc to process.
Tweak the handling of ktrace EMUL when changing ktracing: only
generate one per process (not one per thread) and pass the correct
proc pointer down to the VFS layer. Permit generating of NAMI and
CSW records inside ktrace(2) itself.

ok deraadt@ millert@

show more ...

Move p_sigacts from struct proc to struct process.

testing help mpi@

Determine whether we're currently on the alternative signal stack
dynamically, by comparing the stack pointer against the altstack
base and size, so that you get the correct answer if you longjmp
out

Determine whether we're currently on the alternative signal stack
dynamically, by comparing the stack pointer against the altstack
base and size, so that you get the correct answer if you longjmp
out of the signal handler, as tested by regress/sys/kern/stackjmp/.
Also, fix alt stack handling on vax, where it was completely broken.

Testing and corrections by miod@, krw@, tobiasu@, pirofti@

show more ...

sigpid should be of type pid_t (only visable with DEBUG).

ok miod@ (who found others to fix as well)

Do not include <machine/reg.h> and pollute userland namespace with struct reg
in <machine/signal.h>.

Recommit the reverted sigacts change now that the NFS use-after-free
problem has been tracked down. This fixes the sharing of the signal
handling state: shared bits go in sigacts, per-rthread bits g

Recommit the reverted sigacts change now that the NFS use-after-free
problem has been tracked down. This fixes the sharing of the signal
handling state: shared bits go in sigacts, per-rthread bits goes in
struct proc.

ok deraadt@

show more ...

Revert the sigacts diff: NFS can apparently retain pointers to processes
until they're zombies and then send them signals (for intr mounts). Until
that is untangled, the sigacts change is unsafe. s

Revert the sigacts diff: NFS can apparently retain pointers to processes
until they're zombies and then send them signals (for intr mounts). Until
that is untangled, the sigacts change is unsafe. sthen@ was the victim
for this one

show more ...

Correct the sharing of the signal handling state: stuff that should
be shared (p_sigignore, p_sigcatch, P_NOCLDSTOP, P_NOCLDWAIT) moves
to struct sigacts, wihle stuff that should be per rthread (ps_o

Correct the sharing of the signal handling state: stuff that should
be shared (p_sigignore, p_sigcatch, P_NOCLDSTOP, P_NOCLDWAIT) moves
to struct sigacts, wihle stuff that should be per rthread (ps_oldmask,
SAS_OLDMASK, ps_sigstk) moves to struct proc. Treat the coredumping
state bits (ps_sig, ps_code, ps_type, ps_sigval) as per-rthread
until our locking around coredumping is better.

Oh, and remove the old SunOS-compat ps_usertramp member.

"I like the sound of this" tedu@

show more ...

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha

Don't #include <sys/user.h> into files that don't need the stuff
it defines. In some cases, this means pulling in uvm.h or pcb.h
instead, but most of the inclusions were just noise. Tested on
alpha, amd64, armish, hppa, i386, macpcc, sgi, sparc64, and vax,
mostly by krw and naddy.
ok krw@

show more ...

In process_write_regs() and sigreturn(), be more strict about the bits
userland is allowed to change in psr.

replace ctob/btoc by ptoa/atop as done for other architectures