use access_type as the PROT_* variable for uvm_fault() consistantly
ok kettenis

mi_ast() needs curcpu()->ci_want_resched rather than ci->ci_want_resched,
because refreshcreds() may sleep in pool_put(). Subtle isn't it...
ok visa kettenis

Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other
traps is at best opportunistic for finding a stra

Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other
traps is at best opportunistic for finding a straight-running ROP chain,
but the added (and rare) sleeping point has proven to be dangerous.
Discussed at length with kettenis and mortimer.
ok mortimer kettenis mpi

show more ...

Push KERNEL_LOCK/UNLOCK() dance inside trapsignal().

ok kettenis@, visa@

Use a distinct trap code with retguard on mips64.

This lets the kernel detect retguard traps and send SIGABRT instead
of SIGEMT.

SIGEMT does not indicate correctly the nature of the error (stack
ov

Use a distinct trap code with retguard on mips64.

This lets the kernel detect retguard traps and send SIGABRT instead
of SIGEMT.

SIGEMT does not indicate correctly the nature of the error (stack
overflow, violation of control flow). It can confuse the user to restart
the program without further investigation.

Prompted by and OK deraadt@
OK mortimer@

show more ...

Sync existing stacktrace_save() implementations

Upgrade stacktrace_save() to stacktrace_save_at() on architectures where
the latter is missing. Define stacktrace_save() as an inline function
in head

Sync existing stacktrace_save() implementations

Upgrade stacktrace_save() to stacktrace_save_at() on architectures where
the latter is missing. Define stacktrace_save() as an inline function
in header <sys/stacktrace.h> to reduce duplication of code.

OK mpi@

show more ...

Separate the stack trace saving interface from ddb. The saving does not
require the debugger on most architectures, and the separation makes the
code easier to use from other subsystems.

The functio

Separate the stack trace saving interface from ddb. The saving does not
require the debugger on most architectures, and the separation makes the
code easier to use from other subsystems.

The function definitions are still conditional to DDB. However, that
should not matter for now.

OK deraadt@, mpi@

show more ...

Do not stop prologue scan at branch instructions. This lets stack trace
saving work with the twisted code that clang occasionally emits; stack
frame setup can happen very late after blocks of conditi

Do not stop prologue scan at branch instructions. This lets stack trace
saving work with the twisted code that clang occasionally emits; stack
frame setup can happen very late after blocks of conditional code.

show more ...

Stop stack trace saving if the current subroutine is u_general or u_intr
because the next frame is in userspace.

If uvm_map_inentry returns false then a signal has been delivered, and
userret() must be called on trap() exit to deliver it, rather than
repeating the same cause infinitely. discovered by George Ko

If uvm_map_inentry returns false then a signal has been delivered, and
userret() must be called on trap() exit to deliver it, rather than
repeating the same cause infinitely. discovered by George Koehler
ok kettenis bluhm visa

show more ...

Call refreshcreds() from ast() on mips64. This ensures that credentials
get updated when handling an AST after an interrupt.

OK deraadt@

I wrote the pc-page-writeable and sp-not-MAP_STACK code to be shared, and
then ran into the messaging being poor. Then I fixed the messages. But
there are two sub-cases of sp-not-MAP_STACK -- one at

I wrote the pc-page-writeable and sp-not-MAP_STACK code to be shared, and
then ran into the messaging being poor. Then I fixed the messages. But
there are two sub-cases of sp-not-MAP_STACK -- one at syscall time, and
another at regular userland trap (on some architectures), and I bungled
that messaging. Correct that now, while I look for yet another better way...
discovered by millert, who ran an pre-MAP_STACK binary.

show more ...

Refactor the MAP_STACK feature, and introduce another similar variation:
Lookup the address that a syscall instruction is executed from, and kill
the process if that page is writeable. This brings a

Refactor the MAP_STACK feature, and introduce another similar variation:
Lookup the address that a syscall instruction is executed from, and kill
the process if that page is writeable. This brings an aspect of W^X
behaviour to W|X mappings (in JITs not yet adapted to W^X). The goal is
to remove simple attack methods and force use of ret2libc or other more
complicated means.
ok kettenis stefan visa

show more ...

Reduce branch emulation page access protection during setup. The setup
stage does not need execute access, so map the page initially with
read-write protection.

OK miod@

Drop redundant pmap_proc_iflush() call. The needed instruction cache
invalidation is done by mips64 pmap when the branch emulation page is
made executable.

Originally, the pmap_proc_iflush() call wa

Drop redundant pmap_proc_iflush() call. The needed instruction cache
invalidation is done by mips64 pmap when the branch emulation page is
made executable.

Originally, the pmap_proc_iflush() call was necessary. The instruction
cache invalidation was added in pmap_protect() after the FPU emulation
was introduced.

OK miod@

show more ...

Enforce store/load order when setting or clearing AST flag on mips64

Make sure that any preceding stores become visible to other CPUs before
setting the AST flag in need_resched() and signotify(). T

Enforce store/load order when setting or clearing AST flag on mips64

Make sure that any preceding stores become visible to other CPUs before
setting the AST flag in need_resched() and signotify(). This should
prevent a very unlikely case with inter-CPU ASTs where the receiving
CPU uses stale state.

When clearing the AST flag in ast(), ensure that the clearing store
is performed before any other memory accesses in the AST handler.
Otherwise, there is a slight risk of losing an AST request that gets
posted while the handler is running.

OK guenther@

show more ...

Make octeon kernels compile with DEBUG.

Based on a diff from jj@. Thank you!

Implement stack trace saving on mips64.

OK mpi@

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_att

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis

show more ...

Let the kernel utilize the FPU if one is available, even when the
FPUEMUL option is enabled. This benefits OCTEON III systems which can
run floating-point operations natively.

Feedback from and OK m

Let the kernel utilize the FPU if one is available, even when the
FPUEMUL option is enabled. This benefits OCTEON III systems which can
run floating-point operations natively.

Feedback from and OK miod@; he also helped with testing.

Tested on octeon without FPU (CN5020, CN6120) and with FPU (CN7130),
as well as on sgi/IP27 (MP R16000), sgi/IP32 (R5000), and
loongson (3A1000).

show more ...

Prefer copyin32() to copyin() when fetching instructions
from user space. This improves performance slightly.

Discussed with miod@

Use copyin32() instead of a direct memory load when fetching a branch
instruction for branch emulation. This ensures the userspace memory
access is properly guarded and that TLB faults are handled.

Use copyin32() instead of a direct memory load when fetching a branch
instruction for branch emulation. This ensures the userspace memory
access is properly guarded and that TLB faults are handled.

In order not to complicate the interface of MipsEmulateBranch(), each
caller now has to provide the branch instruction for the function.

Feedback from miod@

show more ...

Rename variables for clarity.

It does not seem necessary to provide initial value for `sicode'.
When `signal' gets set, `sicode' is set as well.

OK deraadt@, kettenis@

Bring SIGBUS and SIGSEGV handling better in line with the other
architectures.

OK kettenis@, deraadt@

Use copyin32() instead of copyin() in RDHWR emulation.
This reduces emulation time about 5%.