History log of /freebsd-10-stable/sys/kern/kern_exec.c
Revision Date Author Comments
# 330067 27-Feb-2018 avg

MFC r328996: exec_map_first_page: fix an inverse condition introduced in r254138


# 321359 22-Jul-2017 alc

MFC r320498
Clear the MAP_WIREFUTURE flag on the vm map in exec_new_vmspace() when it
recycles the current vm space. Otherwise, an mlockall(MCL_FUTURE) could
still be in effect on the process after an execve(2), which violates the
specification for mlockall(2).

It's pointless for vm_map_stack() to check the MEMLOCK limit. It will
never be asked to wire the stack. Moreover, it doesn't even implement
wiring of the stack.


# 320864 10-Jul-2017 kib

MFC r320619:
Resolve confusion between different error code spaces.


# 304188 15-Aug-2016 jhb

MFC 302900,302902,302921,303461,304009:
Add a mask of optional ptrace() events.

302900:
Add a test for user signal delivery.

This test verifies we get the correct ptrace event details when a signal
is posted to a traced process from userland.

302902:
Add a mask of optional ptrace() events.

ptrace() now stores a mask of optional events in p_ptevents. Currently
this mask is a single integer, but it can be expanded into an array of
integers in the future.

Two new ptrace requests can be used to manipulate the event mask:
PT_GET_EVENT_MASK fetches the current event mask and PT_SET_EVENT_MASK
sets the current event mask.

The current set of events includes:
- PTRACE_EXEC: trace calls to execve().
- PTRACE_SCE: trace system call entries.
- PTRACE_SCX: trace system call exits.
- PTRACE_FORK: trace forks and auto-attach to new child processes.
- PTRACE_LWP: trace LWP events.

The S_PT_SCX and S_PT_SCE events in the procfs p_stops flags have
been replaced by PTRACE_SCE and PTRACE_SCX. PTRACE_FORK replaces
P_FOLLOW_FORK and PTRACE_LWP replaces P2_LWP_EVENTS.

The PT_FOLLOW_FORK and PT_LWP_EVENTS ptrace requests remain for
compatibility but now simply toggle corresponding flags in the
event mask.

While here, document that PT_SYSCALL, PT_TO_SCE, and PT_TO_SCX both
modify the event mask and continue the traced process.

302921:
Rename PTRACE_SYSCALL to LINUX_PTRACE_SYSCALL.

303461:
Note that not all optional ptrace events use SIGTRAP.

New child processes attached due to PTRACE_FORK use SIGSTOP instead of
SIGTRAP. All other ptrace events use SIGTRAP.

304009:
Remove description of P_FOLLOWFORK as this flag was removed.


# 303607 01-Aug-2016 kib

MFC r302614:
Revive the check, disabled in r197963.

MFC r302999:
On first exec after vfork(), call signotify() to handle pending
reenabled signals.


# 302239 27-Jun-2016 bdrewery

MFC r300793:

exec: Provide execpath in imgp for the process_exec hook.


# 302238 27-Jun-2016 bdrewery

MFC r300792,r300851,r301580:

r300792:
exec: Add credential change information into imgp for process_exec hook.
r300851:
exec: get rid of one vnode lock/unlock pair in do_execve
r301580:
Old process credentials for setuid execve must not be dereferenced when the
process credentials were not changed. This can happen if an error occurred
trying to activate the setuid binary. And on error, if new credentials
were not yet assigned, they must be freed to not create the leak.


# 302237 27-Jun-2016 bdrewery

MFC r292384:

Fix style issues around existing SDT probes.

** Changes to sys/netinet/in_kdtrace.c and sys/netinet/in_kdtrace.h skipped.


# 302234 27-Jun-2016 bdrewery

MFC r298819:

sys/kern: spelling fixes in comments.


# 302233 27-Jun-2016 bdrewery

MFC r297391:

Remove some NULL checks for M_WAITOK allocations.


# 302232 27-Jun-2016 bdrewery

MFC r285513:

exec: textvp -> oldtextvp; binvp -> newtextvp


# 302231 27-Jun-2016 bdrewery

MFC r285512:

exec plug a redundant vref + vrele of the image vnode


# 302230 27-Jun-2016 bdrewery

MFC r273351:

Plug unnecessary binvp NULL initialization and test.


# 302229 27-Jun-2016 bdrewery

MFC r280130:

cred: add proc_set_cred helper


# 302226 27-Jun-2016 bdrewery

MFC r296285:

Correct a comment.


# 295454 09-Feb-2016 jhb

MFC 287442,287537,288944:
Fix corruption of coredumps due to procstat notes changing size during
coredump generation. The changes in r287442 required some reworking
since the 'fo_fill_kinfo' file op does not exist in stable/10.

287442:
Detect badly behaved coredump note helpers

Coredump notes depend on being able to invoke dump routines twice; once
in a dry-run mode to get the size of the note, and another to actually
emit the note to the corefile.

When a note helper emits a different length section the second time
around than the length it requested the first time, the kernel produces
a corrupt coredump.

NT_PROCSTAT_FILES output length, when packing kinfo structs, is tied to
the length of filenames corresponding to vnodes in the process' fd table
via vn_fullpath. As vnodes may move around during dump, this is racy.

So:

- Detect badly behaved notes in putnote() and pad underfilled notes.

- Add a fail point, debug.fail_point.fill_kinfo_vnode__random_path to
exercise the NT_PROCSTAT_FILES corruption. It simply picks random
lengths to expand or truncate paths to in fo_fill_kinfo_vnode().

- Add a sysctl, kern.coredump_pack_fileinfo, to allow users to
disable kinfo packing for PROCSTAT_FILES notes. This should avoid
both FILES note corruption and truncation, even if filenames change,
at the cost of about 1 kiB in padding bloat per open fd. Document
the new sysctl in core.5.

- Fix note_procstat_files to self-limit in the 2nd pass. Since
sometimes this will result in a short write, pad up to our advertised
size. This addresses note corruption, at the risk of sometimes
truncating the last several fd info entries.

- Fix NT_PROCSTAT_FILES consumers libutil and libprocstat to grok the
zero padding.

287537:
Follow-up to r287442: Move sysctl to compiled-once file

Avoid duplicate sysctl nodes.

288944:
Fix core corruption caused by race in note_procstat_vmmap

This fix is spiritually similar to r287442 and was discovered thanks to
the KASSERT added in that revision.

NT_PROCSTAT_VMMAP output length, when packing kinfo structs, is tied to
the length of filenames corresponding to vnodes in the process' vm map
via vn_fullpath. As vnodes may move during coredump, this is racy.

We do not remove the race, only prevent it from causing coredump
corruption.

- Add a sysctl, kern.coredump_pack_vmmapinfo, to allow users to disable
kinfo packing for PROCSTAT_VMMAP notes. This avoids VMMAP corruption
and truncation, even if names change, at the cost of up to PATH_MAX
bytes per mapped object. The new sysctl is documented in core.5.

- Fix note_procstat_vmmap to self-limit in the second pass. This
addresses corruption, at the cost of sometimes producing a truncated
result.

- Fix PROCSTAT_VMMAP consumers libutil (and libprocstat, via copy-paste)
to grok the new zero padding.

Approved by: re (gjb)


# 289798 23-Oct-2015 avg

MFC r288336: save some bytes by using more concise SDT_PROBE<n>


# 286216 03-Aug-2015 kib

Fix ia64 to not override the call stack bottom address with the
register stack bottom address, after the merge of r284956 in r285967.

Note: this is a direct commit to stable/10.

Reported and tested by: clusteradm (peter)
Sponsored by: The FreeBSD Foundation


# 285967 28-Jul-2015 kib

MFC r284956:
Do not calculate the stack's bottom address twice.


# 283359 24-May-2015 kib

MFC r282708:
On exec, single-threading must be enforced before arguments space is
allocated from exec_map.


# 282090 27-Apr-2015 kib

MFC r272290 (by mjg):
Use bzero instead of explicitly zeroing stuff in do_execve.


# 281978 25-Apr-2015 kib

MFC r281883:
Handle incorrect ELF images specifying size for PT_GNU_STACK not being
multiple of page size.


# 281848 22-Apr-2015 kib

MFC r281548:
Implement support for binary to request specific stack size for the
initial thread.


# 280258 19-Mar-2015 rwatson

Merge r263233 from HEAD to stable/10:

Update kernel inclusions of capability.h to use capsicum.h instead; some
further refinement is required as some device drivers intended to be
portable over FreeBSD versions rely on __FreeBSD_version to decide whether
to include capability.h.

Sponsored by: Google, Inc.


# 277698 25-Jan-2015 kib

MFC r277322:
Add procctl(2) PROC_TRACE_CTL command to enable or disable debugger
attachment to the process.


# 276272 26-Dec-2014 kib

MFC r275745:
Add facility to stop all userspace processes.

MFC r275753:
Fix gcc build.

MFC r275820:
Add missed break.


# 274648 18-Nov-2014 kib

Merge the fueword(9) and casueword(9). In particular,

MFC r273783:
Add fueword(9) and casueword(9) functions.
MFC note: ia64 is handled like arm, with NO_FUEWORD define.

MFC r273784:
Replace some calls to fuword() by fueword() with proper error checking.

MFC r273785:
Convert kern_umtx.c to use fueword() and casueword().
MFC note: the sys__umtx_lock and sys__umtx_unlock syscalls are not
converted, they are removed from HEAD, and not used. The do_sem2*()
family is not yet merged to stable/10, corresponding chunk will be
merged after do_sem2* are committed.

MFC r273788 (by jkim):
Actually install casuword(9) to fix build.

MFC r273911:
Add type qualifier volatile to the base (userspace) address argument
of fuword(9) and suword(9).


# 270205 20-Aug-2014 kib

MFC r269907:
Fix leaks of unqueued unwired pages.


# 270093 17-Aug-2014 mjg

MFC r268636:

Plug p_pptr null test in do_execve. It is always true.


# 270087 17-Aug-2014 mjg

MFC r268365:

Don't call crdup nor uifind under vnode lock.

A locked vnode can get into the way of satisfying malloc with M_WAITOK.

This is a fixup to r268087.


# 270086 17-Aug-2014 mjg

MFC r268136:

Plug gcc warning after r268074 about uninitialized newsigacts


# 270085 17-Aug-2014 mjg

MFC r268087:

Don't call crcopysafe or uifind unnecessarily in execve.


# 270084 17-Aug-2014 mjg

MFC r268074:

Perform a lockless check in sigacts_shared.

It is used only during execve (i.e. singlethreaded), so there is no fear
of returning 'not shared' which soon becomes 'shared'.

While here reorganize the code a little to avoid proc lock/unlock in
shared case.


# 268348 06-Jul-2014 mjg

MFC r268002:

Call fdcloseexec right after fdunshare.

No functional changes.


# 268345 06-Jul-2014 mjg

MFC r268001:
Make fdunshare accept only td parameter.

Proc had to match the thread anyway and 2 parameters were inconsistent
with the rest.


# 266582 23-May-2014 kib

MFC r266464:
In execve(2), postpone the free of old vmspace until the threads are resumed
and exited.


# 263770 26-Mar-2014 kib

MFC r263349:
Make the array pointed to by AT_PAGESIZES auxv properly aligned.


# 260817 17-Jan-2014 avg

MFC r258622: dtrace sdt: remove the ugly sname parameter of SDT_PROBE_DEFINE


# 257123 25-Oct-2013 kib

MFC r256504:
Add a sysctl kern.disallow_high_osrel which disables executing the
images compiled on the world with higher major version number than the
high version number of the booted kernel. Default to disable.

Approved by: re (glebius)

