delete msyscall stub

On machines lacking xonly support hardware, we emulate xonly in the
copyin(9) layer below system calls, using a 4-entry lookup; the 4th
entry is libc.so text. We were assuming, or rather insisting, that
on all our architectures libc.so text is treated as xonly, even if
the linker was behind in it's game.
Since msyscall(2) is gone, kernel no longer has information about the
start,len of libc.so text segment. But we can instead use the (same)
start,len range of pinsyscalls() instead for this purpose.
ld.so is passing the same text-range to the kernel in this position.
regression tests run by anton discovered that libc.so text had become
copyin-readable.
ok kettenis

Esure the base,len range provided by ld.so is definately in the map.
Being outside the map doesn't seem like it can do anything bad.
Discussed with kettenis

Stopping grabbing the kernel lock in kbind(2).

ok mpi@

Delete the msyscall mechanism entirely, since mimmutable+pinsyscalls has
replaced it with a more strict mechanism, which happens to be lockless O(1)
rather than micro-lock O(1)+O(log N). Also nop-out the sys_msyscall(2) guts,
but leave the syscall around for a bit longer so that people can build through
it, since ld.so(1) still wants to call it.

Delete pinsyscall(2) [which was specific only to SYS_execve] now
that it has been replaced with pinsyscalls(2) [which tells the kernel
the location of all system calls in libc.so]
floated to various people before release, but it was prudent to wait.

remove the guts of pinsyscall(2), it just returns 0 now.
It has been made redundant by the introduction of pinsyscalls(2) which
handles all system calls, rather than just 1.

The kernel will now read pinsyscall tables out of PT_OPENBSD_SYSCALLS in
the main program or ld.so, and accept a submission of that information
for libc.so from ld.so via pinsyscalls(2). At system call invocation,
the syscall number is matched to the specific address it must come from.
ok kettenis, gnezdo, testing of variations by many people

Add a stub pinsyscalls() system call that simply returns 0 for now,
before future work where ld.so(1) will need this new system call.
Putting this in the kernel ahead of time will save some grief.
ok kettenis

Inline once-used variable to sync all uvm_map_clean() callers

OK mpi

fix double words in comments
feedback and ok jmc@ miod, ok millert@

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

Add pinsyscall(2). With this you can tell the kernel the location
(start,len) of the syscall stub in libc.so for a specified syscall
(using SYS_* notation). Only SYS_execve is supported at this time.
ok gnezdo mortimer kettenis

non-padded 64-bit system calls arrived 2021/12/23, over a year ago.
time to delete the backwards compat padded functions in the kernel.

Currently we disable kbind(2) for static program from libc.a's
preinit hook. Delete that and instead have the kernel disable kbind
at exec-time if the program doesn't have an ELF interpreter. For
now, permit userland calls to disable it when already disabled so
existing static programs continue to work.

prompted by deraadt@ questioning about the call in libc.a

ok deraadt@ miod@

Chuck Cranor rescinded the advertising clause of uvm_mmap.c in
NetBSD rev 1.134 and confirmed with Mike Hibler that the University of
Utah would do the same.

https://mail-index.netbsd.org/source-changes/2011/02/02/msg018021.html

ok deraadt@

stack growth from setrlimit was never updated to set UVM_ET_STACK on
the entries, so the check-sp-at-system-call check failed. Quite strange
it took this long to find this.
ok kettenis

the debug "name" parameter to uvm_map_immutable() is no longer needed

Add mimmutable(2) system call which locks the permissions (PROT_*) of
memory mappings so they cannot be changed by a later mmap(), mprotect(),
or munmap(), which will error with EPERM instead.
ok kettenis

some ports bootstraps, and go internals, need a bit more time to adapt
to the padded syscalls going away.

the _pad_ system calls from 2021/12/23 can go away
ok guenther

kbind(2): unlock syscall, push kernel lock down to binding loop

- Rearrange the security check code in sys_kbind() so that we only
need to take the kernel lock once if we need to raise SIGILL.

- Protect process.ps_kbind_addr and process.ps_kbind_cookie with
process.ps_mtx. This is easier to do after the aforementioned
rearrangement. Under normal circumstances this isn't necessary:
the process is single-threaded when we initialize kbind(2).
But in stranger situations this brief mutex ensures that the
first thread to reach sys_kbind() initializes both variables.

- Wrap the binding loop with the kernel lock. We need to carefully
confirm that uvm_unmap_remove(), uvm_map_extract(), and
uvm_unmap_detach() are MP-safe in a subsequent patch before
completely removing the kernel lock from sys_kbind().

- Remove the kernel lock from kbind(2) in syscalls.master.

Prompted by mpi@, dlg@, and deraadt@. Current patch workshopped with
deraadt@. Based on a patch from dlg@.

With input from dlg@, bluhm@, mpi@, kettenis@, deraadt@, and
guenther@.

Thread: https://marc.info/?l=openbsd-tech&m=165274831829349&w=2

ok deraadt@ kettenis@ mpi@

Grab the kernel lock in uvm_wxcheck() when aborting the process

kern.wxabort=1 logs and kills programs after W^X violations.
At least sigexit() -> coredump() as well as the non-atomic increment of
ps_wxcounter require protection, so grab the big lock for the entire block.

This is part of the effort to unlock mmap(2)'s MAP_ANON case.

Feedback mvs claudio kettenis deraadt
OK kettenis

Remove kbind(2)'s restriction that a target buffer not cross page
boundaries: hppa has 8-byte PLT entries that sometimes do that.

ok kettenis@

Roll the syscalls that have an off_t argument to remove the explicit padding.
Switch libc and ld.so to the generic stubs for these calls.
WARNING: reboot to updated kernel before installing libc or ld.so!

Time for a story...

When gcc (back in 1.x days) first implemented long long, it didn't (always)
pass 64bit arguments in 'aligned' registers/stack slots, with the result that
argument offsets didn't match structure offsets. This affected the nine system
calls that pass off_t arguments:
ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate

To avoid having to do custom ASM wrappers for those, BSD put an explicit pad
argument in so that the off_t argument would always start on a even slot and
thus be naturally aligned. Thus those odd wrappers in lib/libc/sys/ that use
__syscall() and pass an extra '0' argument.

The ABIs for different CPUs eventually settled how things should be passed on
each and gcc 2.x followed them. The only arch now where it helps is landisk,
which needs to skip the last argument register if it would be the first half of
a 64bit argument. So: add new syscalls without the pad argument and on landisk
do that skipping directly in the syscall handler in the kernel. Keep compat
support for the existing syscalls long enough for the transition.

ok deraadt@

Revert "kbind(2): disable system call if not initialized before
first __tfork(2)"

The immediate issue is that a process linked with -znow will still
perform lazy relocation on objects loaded with dlopen(), but there
are possibly other dark corners to plumb to find a better invariant.

Problem reported by thfr@

kbind(2): disable system call if not initialized before first __tfork(2)

To unlock kbind(2) we need to protect ps_kbind_addr and
ps_kbind_cookie.

The simplest way to do this is to disallow kbind(2) initialization
after the first __tfork(2) call. If the first thread does not
initialize the kbind(2) variables before __tfork(2) then we disable
kbind(2) during that first __tfork(2) call.

This is guenther@'s patch, I'm just committing it.

Discussed with guenther@, deraadt@, kettenis@, and mpi@.

ok kettenis@, positive response from mpi@, "I am busy" guenther@

Remove parenthesis around return value to reduce the diff with NetBSD.

No functional change.

ok mlarkin@

Do not release the KERNEL_LOCK() when mmap(2)ing files.

Previous attempt to unlock amap & anon exposed a race in vnode reference
counting. So be conservative with the code paths that we're not fully moving
out of the KERNEL_LOCK() to allow us to concentrate on one area at a time.

The panic reported was:

....panic: vref used where vget required
....db_enter() at db_enter+0x5
....panic() at panic+0x129
....vref(ffffff03b20d29e8) at vref+0x5d
....uvn_attach(1010000,ffffff03a5879dc0) at uvn_attach+0x11d
....uvm_mmapfile(7,ffffff03a5879dc0,2,1,13,100000012) at uvm_mmapfile+0x12c
....sys_mmap(c50,ffff8000225f82a0,1) at sys_mmap+0x604
....syscall() at syscall+0x279

Note that this change has no effect as long as mmap(2) is still executed with
ze big lock.

ok kettenis@

Recent changes for PROT_NONE pages to not count against resource limits,
failed to note this also guarded against heavy amap allocations in the
MAP_SHARED case. Bring back the checks for MAP_SHARED
from semarie, ok kettenis
https://syzkaller.appspot.com/bug?extid=d80de26a8db6c009d060

branches: 1.161.4;
Do not count pages mapped as PROT_NONE against the RLIMIT_DATA limit.
Instead count (and check the limit) when their protection gets flipped
from PROT_NONE to something that permits access. This means that
mprotect(2) may now fail if changing the protection would exceed RLIMIT_DATA.

This helps code (such as Chromium's JavaScript interpreter that reserves
large chunks of address space but populates it sparsely.

ok deraadt@, otto@, kurt@, millert@, robert@

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen

Remove end of line whitespace.

No code change.

Add dummy msyscall(2) system call which is currently a noop. This will
be used by kernel and ld.so in the near future. Adding the system call
earlier will reduce the number of people who try to build through and
encounter agony.
ok kettenis guenther

Make resource limit access MP-safe. So far, the copy-on-write sharing
of resource limit structs has been done between processes. By applying
copy-on-write also between threads, threads can read rlimits in
a nearly lock-free manner.

Inspired by code in DragonFly BSD and FreeBSD.

OK mpi@, agreement from jmatthew@ and anton@

move the noise about W^X mapping failure inside the sysctl kern.wxabort
knob, since we found a proram which tests RWX mapping then changes execution
behaviour to non-W^X.
(that program is chrome, as v8 is heading towards W^X compliance with
mprotect RW/RX swaps, and also has jitless components in developent.)
ok sthen kettenis robert

BOGO_PC is an invalid userland address, which indicates kbind() is now
disabled in the process. Rather than tying it to KERNBASE, make it simply
-1, which means it even more invalid..
ok tedu

New mmap(2) flag: MAP_CONCEAL.

MAP_CONCEAL'd memory is not written to disk in the event of a core dump.
It may grow other qualities in the future.

Wanted by libressl, probably useful elsewhere, too.

Prompted by deraadt@, concept from deraadt@/kettenis@. With input from
deraadt@, cjeker@, kettenis@, otto@, bcook@, matthew@, guenther@, djm@,
and tedu@.

ok otto@ deraadt@

mincore() is a relic from the past, exposing physical machine information
about shared resources which no program should see. only a few pieces of
software use it, generally poorly thought out. they are being fixed, so
mincore() can be deleted.
ok guenther tedu jca sthen, others

Make mincore lie. The nature of shared memory means it can spy on what
another process is doing. We don't want that, so instead have it
always return that memory is in core.
ok deraadt kettenis

branches: 1.151.2;
Push back the kernel lock in sys_mmap(2) a little bit more now that
fd_getfile(9) is mpsafe. Note that sys_mmap(2) isn't actually unlocked
currently. However this diff has been tested with it unlocked, and I
hope to unlock it for real soon-ish.

ok visa@, mpi@

Move FREF() inside fd_getfile().

ok visa@

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis

Make sure that programs violating a pledge(2) promise or some memory
protection cannot block the final SIGABRT.

While here apply the same logic to ddb(4)'s kill command.

From semarie@, ok deraadt@

branches: 1.147.2;
Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.

No objection from millert@, ok tedu@, bluhm@

Can mask MAP_STACK by name rather than number

mask out (ie. ignore) the bit which will be MAP_STACK in the future,
so diffs in snapshots can exercise the change in a less disruptive way
idea with sthen, ok kettenis tom others

Stop assuming <sys/file.h> will pull in fcntl.h when _KERNEL is defined.

ok millert@ sthen@

__MAP_NOFAULT doesn't make sense with anon mappings, so return EINVAL if
that is attempted.
Minor cleanups:
- Eliminate some always false and always true tests against MAP_ANON
- We treat anon mappings with neither MAP_{SHARED,PRIVATE} as MAP_PRIVATE
so explicitly indicate that

ok kettenis@ beck@

p_comm is the process's command and isn't per thread, so move it from
struct proc to struct process.

ok deraadt@ kettenis@

Display/test/use the process PID, not the thread's TID, in a few places.

ok mpi@ mikeb@

move the uvm_map_addr RB tree from RB macros to the RBT functions

this tree is interesting because it uses all the red black tree
features, specifically the augment callback thats called on tree
topology changes, and it poisons and checks entries as theyre removed
from and inserted back into the tree respectively.

ok stefan@

uvm_wxcheck() should only abort the process if kern.wxabort is set.
The new semantics are W^X violations are reported to the application
via ENOTSUP. Forgot to fix this during the last change.
Spotted by kettenis

W^X violations are only permitted for binaries marked "wxneeded" on
"wxallowed" filesystems. mmap(2) & mprotect(2) now return ENOTSUP.
(To diagnose buggy programs, consider using sysctl kern.wxabort=1 and
looking at the coredumps)
ok kettenis tedu naddy

Since mappings established using __MAP_NOFAULT will be converted into anonymous
memory if the file backing the mapping is truncated, we should check resource
limits. This prevents callers from triggering a kernel panic and a potential
integer overflow in the amap code by forcing the allocation of too many slots.

Based on an analysis from Jesse Hertz and Tim Newsham.

ok deraadt@

Revert previous; the __MAP_NOFAULT test is inverted and the commit message is
wrong.

Since mappings established using __MAP_NOFAIL will be converted into anonymous
memory if the file backing the mapping is truncated, we should check resource
limits. This prevents callers from triggering a kernel panic and a potential
integer overflow in the amap code by forcing the allocation of too many slots.

Based on an analysis from Jesse Hertz and Tim Newsham.

ok deraadt@

Dereference p_p once rather than 4 times.

hppa & mips64 now can do the full W^X check. (Make sure you have
a new kernel before this change, and ld.so updated)

If a process trips the W^X violation check, abort it unless it came
from a filesystem with the wxallowed flag set. ok deraadt

Current status:

Filesystem Binary Action

Prevent vsize_t underflow when checking RLIMIT_DATA, which made the
check ineffective when you already had more memory than your limit
allowed.

I noticed after writing this diff that millert@ already committed a fix
for this in rev. 1.74 (2009/06/01), but it got backed out with the giant
pmemrange backout two weeks later and was never restored.

OK tedu@ ("just fix it" and "go ahead with your version")
stefan@ also agrees that a check is needed.

Delete the kernel compat bits for old mmap() MAP_OLD* flags

ok deraadt@ matthew@ jca@

Identify W^X labelled binaries at execve() time based upon WX_OPENBSD_WXNEEDED
flag set by ld -zwxneeded. Such binaries are allowed to run only on wxallowed
mountpoints. They do not report mmap/mprotect problems.

Rate limit mmap/mprotect reports from other binaries.

These semantics are chosen to encourage progress in the ports ecosystem,
without overwhelming the developers who work in the area.
ok sthen kettenis

backout to insert correct commit message

*** empty log message ***

W^X violations are no longer permitted by default. A kernel log message
is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag
kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump
creation.

W^X violating programs can be permitted on a ffs/nfs filesystem-basis,
using the "wxallowed" mount option. One day far in the future
upstream software developers will understand that W^X violations are a
tremendously risky practice and that style of programming will be
banished outright. Until then, we recommend most users need to use the
wxallowed option on their /usr/local filesystem. At least your other
filesystems don't permit such programs.

ok jca kettenis mlarkin natano

remove hppa64 port, which we never got going beyond broken single users.
hppa reverse-stack gives us a valuable test case, but most developers don't
have a 2nd one to proceed further with this.
ok kettenis

Remove dead assignments and now unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpi@ stefan@

remove vaxisms

branches: 1.122.2;
Remove the superfluous typedef uvm_flag_t (unsigned int). Also, fix an
associated mistake in the uvm manpage.

Suggested by and ok tedu@

refactor pledge_*_check and pledge_fail functions

- rename _check function without suffix: a "pledge" function called from
anywhere is a "check" function.

- makes pledge_fail call the responsability to the _check function. remove it
from caller.

- make proper use of (potential) returned error of _check() functions.

- adds pledge_kill() and pledge_protexec()

with and OK deraadt@

Rename tame() to pledge(). This fairly interface has evolved to be more
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.

implement new "prot_exec" tame(2) request:
- by default, a tamed-program don't have the possibility to use PROT_EXEC for
mmap(2) or mprotect(2)
- for that, use the request "prot_exec" (that could be dropped later)

initial idea from deraadt@ and kettenis@

"make complete sense" beck@
ok deraadt@

the kernel lock is no longer needed in the fixed case since uvm_map
will perform the unmap as necessary, holding the vm lock.
reminded by kettenis

add a flag to indicate to uvm_map that it should unmap to make space.
this pulls all the relevant operations under the same map locking, and
relieves calling code from responsibility.
ok kettenis matthew

matthew noticed there's a race where we are using the kernel lock to tie
together the unmap and map portions of a fixed mmap. make this explicit
by pulling the lock up higher. in preparation for unlocking the syscall.

there's still (always has been) a race where if the unmap sleeps, another
mmap may see partial results because the map lock isn't held througout.
another problem, another day.

Corect a kbind comment to describe the version that was settled on: no old
data, only new

sizes for free(); ok semarie

In sys_kbind(), pages from uvm_map_extract() must be written to with kcopy()

ok kettenis@

branches: 1.112.4;
Actually return a value from sys_kbind() in the non-ld.so case, or the
compiler will warn.

include sys/user.h to unbreak the build on at least arm after rev 1.110
ok miod@

Add kbind, a syscall for ld.so to use to securely and efficiently update
memory for lazy binding

ok deraadt@

Pass a thread pointer instead of its file descriptor table to getvnode(9).

Input and ok millert@

Extend uvm_map_hint() to get an address range as extra arguments, and make
sure it will return an address within that range.

Use this in uaddr_rnd_select() to make sure we will not attempt to pick
an address beyond what we are allowed to map.

In my trees for 9 months, blackmailed s2k15 attendees into agreeing now would
be a good time to commit.

Include sys/stdint.h for SIZE_MAX instead of relying on the misplaced
define in sys/limits.h. OK guenther@

recombine some of the split uvm_mmap functions. the precondition checks
are not necessary because the caller already ensures these. the tail
section for handing mlock can be shared as well.
ok beck guenther

-Split out uvm_mmap and uvm_map into a version for anon's and a version
for everything else.
-Adapt the anon version to be callable without the biglock held.
Done by tedu@, kettenis@ and me.. pounded on a bunch.

This does not yet make mmap a NOLOCK call, but permits it to be so.
ok tedu@, kettenis@, guenther@ jsing@

Prefer MADV_* over POSIX_MADV_* in kernel for consistency: the latter
doesn't have all the values and therefore can't be used everywhere.

ok deraadt@ kettenis@

primary change: move uvm_vnode out of vnode, keeping only a pointer.
objective: vnode.h doesn't include uvm_extern.h anymore.
followup changes: include uvm_extern.h or lock.h where necessary.
ok and help from deraadt

Use MAP_INHERIT_* for the 'inh' argument to the UMV_MAPFLAG() macro,
eliminating the must-be-kept-in-sync UVM_INH_* macros

ok deraadt@ tedu@

Sprinkle in a little more mallocarray().

ok deraadt@ tedu@

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Introduce __MAP_NOFAULT, a mmap(2) flag that makes sure a mapping will not
cause a SIGSEGV or SIGBUS when a mapped file gets truncated. Access to
pages that are not backed by a file on such a mapping will be replaced by
zero-filled anonymous pages. Makes passing file descriptors of mapped files
usable without having to play tricks with signal handlers.

"steal your mmap flag" deraadt@

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

bye bye UBC; ok beck dlg

Use real parameter types for u{dv,vn}_attach() instead of void *

ok guenther

Cleanup support for legacy mmap flags

Move all legacy MAP_FOO values behind #ifndef _KERNEL and redefine
them to either be aliases for existing flags (e.g., MAP_COPY ->
MAP_PRIVATE) or 0.

Also, add MAP_OLDFOO defines (behind #ifndef _KERNEL) so the kernel
and kdump can remain compatible with current OpenBSD binaries.

ok deraadt

compress code by turning four line comments into one line comments.
emphatic ok usual suspects, grudging ok miod

remove lots of comments about locking per beck's request

remove simple_locks from uvm code. ok beck deraadt

Add a new mmap(2) flag __MAP_NOREMAP for use with MAP_FIXED to
indicate that the kernel should fail with MAP_FAILED if the specified
address is not currently available instead of unmapping it.

Change ld.so on i386 to make use of __MAP_NOREMAP to improve
reliability.

__MAP_NOREMAP diff by guenther based on an earlier diff by Ariane;
ld.so bits by guenther and me
bulk build stress testing of earlier diffs by sthen
ok deraadt; committing now for further testing

Add struct proc * argument to FRELE() and FILE_SET_MATURE() in
anticipation of further changes to closef(). No binary change.

ok krw@ miod@ deraadt@

Return EINVAL on 0-byte mmap invocation.

- Posix rules that a 0-byte mmap must return EINVAL
- our allocators are unable to distinguish between free memory and
0 bytes of allocated memory

New vmmap implementation.

no oks (it is really a pain to review properly)
extensively tested, I'm confident it'll be stable
'now is the time' from several icb inhabitants

Diff provides:
- ability to specify different allocators for different regions/maps
- a simpler implementation of the current allocator
- currently in compatibility mode: it will generate similar addresses
as the old allocator

More syscalls.master cleanup:

sys_osigaltstack() is 7 years old and no longer needed; all glory to
the sys_sigaltstack()!

sys_ogetdirentries() is about 9 months old, but still acceptable
within our release cycle; move from STD to COMPAT_48 to make this
clearer for tedu@ next year.

sys_sbrk() and sys_sstk() are completely obsolete: all they do is
return ENOSYS.

ok guenther@

msync has some code that is based on *old* bsd behaviour where
msync(size == 0) did strange things based on the original mapping
segments and trying to manipulate same. This code was copied from the
original vm when we moved to uvm.

posix says nothing about this behaviour and anything that depends on it is
systemically broken, so rip it out and make sys_msync about 30% smaller.

ok deraadt@, tedu@, guenther@.

move the specfs code to a place people can see it; ok guenther thib krw

Backout vmmap in order to repair virtual address selection algorithms
outside the tree.

Reimplement uvm/uvm_map.

vmmap is designed to perform address space randomized allocations,
without letting fragmentation of the address space go through the roof.

Some highlights:
- kernel address space randomization
- proper implementation of guardpages
- roughly 10% system time reduction during kernel build

Tested by alot of people on tech@ and developers.
Theo's machines are still happy.

add a param to uvm_map_hint to not skip over the heap, and use it as a last
resort if mmap fails otherwise to enable more complete address space
utilization. tested for a while with no ill effects.

add a BRKSIZ define and use it for the heap gap constant, decoupling
heap gap from max data size. nothing else changes yet. ok deraadt

Fix a locking problem in mincore where it was possible for us to sleep
with a spinlock (even vslocked() buffers may fault in the right
(complicated) situation).

We solve this by preallocating a bounded array for the response and copying the
data out when all locks have been released.

ok thib@, beck@

Add an extra argument to uvm_unmap_remove(), for the caller to tell it
whether removing holes or parts of them is allowed or not.
Only allow hole removal in uvmspace_free(), when tearing the vmspace down.

ok art@

Put the PG_RELEASED changes diff back in.

This has has been tested very very thoroughly on all archs we have
excepting 88k and 68k. Please see cvs log for the individual commit
messages.

ok beck@, thib@

Remove the VREF() macro and replaces all instances with a call to verf(),
which is exactly what the macro does.

Macro's that are nothing more then:
#define FUNCTION(arg) function(arg)
are almost always pointless and should go away.

OK blambert@
Agreed by many.

date based reversion of uvm to the 4th May.

More backouts in line with previous ones, this appears to bring us back to a
stable condition.

A machine forced to 64mb of ram cycled 10GB through swap with this diff
and is still running as I type this. Other tests by ariane@ and thib@
also seem to show that it's alright.

ok deraadt@, thib@, ariane@

Backout all changes to uvm after pmemrange (which will be backed out
separately).

a change at or just before the hackathon has either exposed or added a
very very nasty memory corruption bug that is giving us hell right now.
So in the interest of kernel stability these diffs are being backed out
until such a time as that corruption bug has been found and squashed,
then the ones that are proven good may slowly return.

a quick hitlist of the main commits this backs out:

mine:
uvm_objwire
the lock change in uvm_swap.c
using trees for uvm objects instead of the hash
removing the pgo_releasepg callback.

art@'s:
putting pmap_page_protect(VM_PROT_NONE) in uvm_pagedeactivate() since
all callers called that just prior anyway.

ok beck@, ariane@.

prompted by deraadt@.

Deal with wraparound when checking RLIMIT_DATA.
OK guenther@ otto@

Since we've now cleared up a lot of the PG_RELEASED setting, remove the
pgo_releasepg() hook and just free the page the "normal" way in the one
place we'll ever see PG_RELEASED and should care (uvm_page_unbusy,
called in aiodoned).

ok art@, beck@, thib@

While working on some stuff in uvm I've gotten REALLY sick of reading
K&R function declarations, so switch them all over to ansi-style, in
accordance with the prophesy.

"go for it" art@

vm_map_lock() around calls to uvm_map_findspace(); ok tedu

replace the machine dependant bytes-to-clicks macro by the MI ptoa()
version for i386

more architectures and ctob() replacement is being worked on

prodded by and ok miod

Bring back Mickey's UVM anon change. Testing by thib@, beck@ and
ckuethe@ for a while. Okay beck@, "it is good timing" deraadt@.

zap the vm_amap am_l simplelock, and amap_{lock/unlock} macros for
simple_{lock/unlock}.

ok art@

Clean up some return value handling now that we know that what's returned
is proper errnos.

millert@ ok and some help

Rip out the KERN_ error codes.
ok otto@

remove KERN_SUCCESS and use 0 instead.
eyeballed by miod@ and pedro@

Make integer wrap checks the same for mmap, munmap, msync, etc
by factoring most of the checks into a macro. OK otto@

Back out the anon change. Apparently it was tested by a few, but most of
us did not see it or get a chance to test it before it was commited. It
broke cvs, in the ami driver, making it not succeed at seeing it's devices.

fallout from previous: remmapping anonymous memory did not account dsize proper; found by krause and mmap_fixed

from netbsd: make anons dynamically allocated from pool.
this results in lesse kva waste due to static preallocation of those
for every phys page and also every swap page.
tested by beck krw miod

Fix a process datasize leak with MAP_FIXED. When zapping old mappings
call uvm_unmap_p instead of uvm_unmap so that it has the process information
and can adjust vm_dused. okay pedro@ tedu@

Revert r1.58, I was on drugs - the array we are locking is one byte per
page, so the arithmetic was ok. Spotted by david@

In sys_mincore(), pass a size in bytes, not pages, to uvm_vslock() and
uvm_vsunlock(). ok mickey@

branches: 1.57.2; 1.57.4;
use vm_dused for rlimit. much happier with mmap. tested by several
over past week. as a bonus, kills 5 XXXs.

add a new field to vm_space and use it to track the number of anon
pages a process uses. this is now the userland "data size" value.
ok art deraadt tdeval. thanks testers.

In uvm_mmap(), check for size wrap to 0, and return ENOMEM in that
case. Do not arbitarily disallow sizes with the high bit set, they
are unsigned. With lotsa help from miod@, test by danh@
ok miod@ millert@ tedu@

branches: 1.54.2;
align to __LDPGSZ for anon mmap. this allows userland to be compiled
with a static page size on platforms where it may vary.
ok deraadt@ millert@ tdeval@

branches: 1.53.4;
add a random offset to uvm_map_hint. this has the primary effect of
scattering ld.so and libraries around, although all mmaps will also
have some jitter too. better version after some discussion with drahn
testing/ok deraadt henning marcm otto pb

match syscallargs comments with reality
from Patrick Latifi <patrick.l@hermes.usherb.ca>
ok jason@ tedu@

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

enforce restrictions on prot and flags to mprotect and mmap. invalid or
undefined flags are now rejected instead of silently ignored. makes
"unintentional" mprotect calls a touch harder.
ok art@ deraadt@ jason@

add MAP_TRYFIXED, mostly to help emulate other systems.
when set, uvm will not attempt to avoid a heap address, if requested.
from todd vierling, via
http://marc.theaimsgroup.com/?l=netbsd-tech-kern&m=105612525808607&w=1

remove sys_omquery. it was only used for two weeks, and you can't
source upgrade from a system that used it anyway.
ok art deraadt drahn

Typos; from Julien Bordet <zejames@greyhats.org>
Close PR 3262

Change mquery() function call signature to be the same a mmap(). It
needs the prot/flags info and passing the addresses via arg/return allows
it to be traced via ktrace better than an in/out paramter.
This adds a new mquery syscall and renames the old one to omquery.
New kernel _MUST_ be built, booted, and 'make includes' before building
ld.so with this change.

backout mquery change, something broke when not combined with a different diff.

change mquery() function call signature to be the same a mmap(). It
needs the prot/flags info and passing the addresses via arg/return allows
it to be traced via ktrace better than an in/out paramter.
This adds a new mquery syscall and renames the old one to omquery.
New kernel _MUST_ be built and installed before building ld.so with this change.
ok millert@ tedu@

Return EINVAL if MAP_FIXED was specified but was not available. ok tedu@

changes to support mquery with 1Gsep on i386. avoid heap on mappings.

There are two related changes.

The first one is an mquery(2) syscall. It's for asking the VM system
about where to map things. It will be used by ld.so, read the man page
for details.

The second change is related and is a centralization of uvm_map hint
that all callers of uvm_map calculated. This will allow us to adjust
this hint on architectures that have segments for non-exec mappings.

deraadt@ drahn@ ok.

int -> ssize_t.
+checked by regress.

millert@, art@ ok.

Remove fetch(9) and store(9) functions from the kernel, and replace the few
remaining instances of them with appropriate copy(9) usage.

ok art@, tested on all arches unless my memory is non-ECC

Don't uvm_useracc and then vslock. vslock is better at finding illegal mappings.

Since memory deallocation can't fail, remove the error return from
uvm_unmap, uvm_deallocate and a few other functions.
Simplifies some code and reduces diff to the UBC branch.

Fix missing FRELE in mmap(2); ok art

Correctly FREF/FRELE in mmap(2).

UBC was a disaster. It worked very good when it worked, but on some
machines or some configurations or in some phase of the moon (we actually
don't know when or why) files disappeared. Since we've not been able to
track down the problem in two weeks intense debugging and we need -current
to be stable, back out everything to a state it had before UBC.

We apologise for the inconvenience.

branches: 1.32.2;
Merge in struct uvm_vnode into struct vnode.

Yet another sync to NetBSD uvm.
Today we add a pmap argument to pmap_update() and allocate map entries for
kernel_map from kmem_map instead of using the static entries. This should
get rid of MAX_KMAPENT panics. Also some uvm_loan problems are fixed.

Sync in more uvm from NetBSD. Mostly just cosmetic stuff.
Contains also support for page coloring.

Sync in more uvm changes from NetBSD.
This time we're getting rid of KERN_* and VM_PAGER_* error codes and
use errnos instead.

Merge in the unified buffer cache code as found in NetBSD 2001/03/10. The
code is written mostly by Chuck Silvers <chuq@chuq.com>/<chs@netbsd.org>.

Tested for the past few weeks by many developers, should be in a pretty stable
state, but will require optimizations and additional cleanups.

Bring in more changes from NetBSD. Mostly pagedaemon improvements.

minor sync to NetBSD.

Another sync of uvm to NetBSD. Just minor fiddling, no major changes.

Add an alignment argument to uvm_map that specifies an alignment hint
for the virtual address.

Move the last content from vm/ to uvm/
The only thing left in vm/ are just dumb wrappers.
vm/vm.h includes uvm/uvm_extern.h
vm/pmap.h includes uvm/uvm_pmap.h
vm/vm_page.h includes uvm/uvm_page.h

Minor sync to NetBSD.

- every new fd created by falloc() is marked as larval and should not be used
any anyone. Every caller of falloc matures the fd when it's usable.
- Since every lookup in the fd table must now check this flag and all of
them do the same thing, move all the necessary checks into a function -
fd_getfile.

Don't include <vm/vm_kern.h> if you don't need foo_map.

Various random fixes from NetBSD.
Including support for zeroing pages in the idle loop (not enabled yet).

Add a new type voff_t (right now it's typedefed as off_t) used for offsets
into objects.

Gives the possibilty to mmap beyond the size of vaddr_t.

From NetBSD.

Some updates to UVM from NetBSD. Nothing really critical, just a sync.

Change the pmap_enter interface to merge access_type and the wired boolean
and arbitrary flags into one argument.

One new flag is PMAP_CANFAIL that tells pmap_enter that it can fail if there
are not enough resources to satisfy the request. If this flag is not passed,
pmap_enter should panic as it should have done before this change (XXX - many
pmaps are still not doing that).

Only i386 and alpha implement CANFAIL for now.

Includes uvm updates from NetBSD.

Sync with NetBSD 19990911 (just before PMAP_NEW was required)
- thread_sleep_msg() -> uvm_sleep()
- initialize reference count lock in uvm_anon_{init,add}()
- add uao_flush()
- replace boolean 'islocked' with 'lockflags'
- in uvm_fault() change FALSE to TRUE to in 'wide' fault handling
- get rid of uvm_km_get()
- various bug fixes

Change the paddr_t pmap_extract(struct pmap *, vaddr_t) interface to
boolean_t pmap_extract(struct pmap *, vaddr_t, paddr_t *).
Matches NetBSD. Tested by various people on various platforms.

More sync to NetBSD.
The highlight is some more advices to madvise(2).
o MADV_DONTNEED will deactive the pages in the given range giving a quicker
reuse.
o MADV_FREE will garbage-collect the pages and swap resources causing the
next fault to either page in new pages from backing store (mapped vnode)
or allocate new zero-fill pages (anonymous mapping).

Some locking protocol fixes and better enforcement of wiring limits.

From NetBSD.

Remove the (vaddr_t) casts inside the round_page and trunc_page macros.
We might want to use them on types that are bigger than vaddr_t.

Fix all callers that pass pointers without casts.

Sync style, typo, and comments a little closer to NetBSD. art@ ok

locking typo.

Add mlockall and munlockall (dummy for the old vm system).

More syncing to NetBSD.

Implements mincore(2), mlockall(2) and munlockall(2). mlockall and munlockall
are disabled for the moment.

The rest is mostly cosmetic.

$OpenBSD$

Bring in some new UVM code from NetBSD (not current).

- Introduce a new type of map that are interrupt safe and never allow faults
in them. mb_map and kmem_map are made intrsafe.
- Add "access protection" to uvm_vslock (to be passed down to uvm_fault and
later to pmap_enter).
- madvise(2) now works.
- various cleanups.

branches: 1.4.4;
sync with NetBSD from 1999.05.24 (there is a reason for this date)
Mostly cleanups, but also a few improvements to pagedaemon for better
handling of low memory and/or low swap conditions.

remove sys_omsync, it's in already in compat. (how did this ever link?)

add OpenBSD tags

Import of uvm from NetBSD. Some local changes, some code disabled

Stopping grabbing the kernel lock in kbind(2).

ok mpi@

Delete the msyscall mechanism entirely, since mimmutable+pinsyscalls has
replaced it with a more strict mechanism, which happens to be lockless O(1)
rather than micro-lock O(1)+O(log N). Also nop-out the sys_msyscall(2) guts,
but leave the syscall around for a bit longer so that people can build through
it, since ld.so(1) still wants to call it.

Delete pinsyscall(2) [which was specific only to SYS_execve] now
that it has been replaced with pinsyscalls(2) [which tells the kernel
the location of all system calls in libc.so]
floated to various people before release, but it was prudent to wait.

remove the guts of pinsyscall(2), it just returns 0 now.
It has been made redundant by the introduction of pinsyscalls(2) which
handles all system calls, rather than just 1.

The kernel will now read pinsyscall tables out of PT_OPENBSD_SYSCALLS in
the main program or ld.so, and accept a submission of that information
for libc.so from ld.so via pinsyscalls(2). At system call invocation,
the syscall number is matched to the specific address it must come from.
ok kettenis, gnezdo, testing of variations by many people

Add a stub pinsyscalls() system call that simply returns 0 for now,
before future work where ld.so(1) will need this new system call.
Putting this in the kernel ahead of time will save some grief.
ok kettenis

Inline once-used variable to sync all uvm_map_clean() callers

OK mpi

fix double words in comments
feedback and ok jmc@ miod, ok millert@

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

Add pinsyscall(2). With this you can tell the kernel the location
(start,len) of the syscall stub in libc.so for a specified syscall
(using SYS_* notation). Only SYS_execve is supported at this time.
ok gnezdo mortimer kettenis

non-padded 64-bit system calls arrived 2021/12/23, over a year ago.
time to delete the backwards compat padded functions in the kernel.

Currently we disable kbind(2) for static program from libc.a's
preinit hook. Delete that and instead have the kernel disable kbind
at exec-time if the program doesn't have an ELF interpreter. For
now, permit userland calls to disable it when already disabled so
existing static programs continue to work.

prompted by deraadt@ questioning about the call in libc.a

ok deraadt@ miod@

Chuck Cranor rescinded the advertising clause of uvm_mmap.c in
NetBSD rev 1.134 and confirmed with Mike Hibler that the University of
Utah would do the same.

https://mail-index.netbsd.org/source-changes/2011/02/02/msg018021.html

ok deraadt@

stack growth from setrlimit was never updated to set UVM_ET_STACK on
the entries, so the check-sp-at-system-call check failed. Quite strange
it took this long to find this.
ok kettenis

the debug "name" parameter to uvm_map_immutable() is no longer needed

Add mimmutable(2) system call which locks the permissions (PROT_*) of
memory mappings so they cannot be changed by a later mmap(), mprotect(),
or munmap(), which will error with EPERM instead.
ok kettenis

some ports bootstraps, and go internals, need a bit more time to adapt
to the padded syscalls going away.

the _pad_ system calls from 2021/12/23 can go away
ok guenther

kbind(2): unlock syscall, push kernel lock down to binding loop

- Rearrange the security check code in sys_kbind() so that we only
need to take the kernel lock once if we need to raise SIGILL.

- Protect process.ps_kbind_addr and process.ps_kbind_cookie with
process.ps_mtx. This is easier to do after the aforementioned
rearrangement. Under normal circumstances this isn't necessary:
the process is single-threaded when we initialize kbind(2).
But in stranger situations this brief mutex ensures that the
first thread to reach sys_kbind() initializes both variables.

- Wrap the binding loop with the kernel lock. We need to carefully
confirm that uvm_unmap_remove(), uvm_map_extract(), and
uvm_unmap_detach() are MP-safe in a subsequent patch before
completely removing the kernel lock from sys_kbind().

- Remove the kernel lock from kbind(2) in syscalls.master.

Prompted by mpi@, dlg@, and deraadt@. Current patch workshopped with
deraadt@. Based on a patch from dlg@.

With input from dlg@, bluhm@, mpi@, kettenis@, deraadt@, and
guenther@.

Thread: https://marc.info/?l=openbsd-tech&m=165274831829349&w=2

ok deraadt@ kettenis@ mpi@

Grab the kernel lock in uvm_wxcheck() when aborting the process

kern.wxabort=1 logs and kills programs after W^X violations.
At least sigexit() -> coredump() as well as the non-atomic increment of
ps_wxcounter require protection, so grab the big lock for the entire block.

This is part of the effort to unlock mmap(2)'s MAP_ANON case.

Feedback mvs claudio kettenis deraadt
OK kettenis

Remove kbind(2)'s restriction that a target buffer not cross page
boundaries: hppa has 8-byte PLT entries that sometimes do that.

ok kettenis@

Roll the syscalls that have an off_t argument to remove the explicit padding.
Switch libc and ld.so to the generic stubs for these calls.
WARNING: reboot to updated kernel before installing libc or ld.so!

Time for a story...

When gcc (back in 1.x days) first implemented long long, it didn't (always)
pass 64bit arguments in 'aligned' registers/stack slots, with the result that
argument offsets didn't match structure offsets. This affected the nine system
calls that pass off_t arguments:
ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate

To avoid having to do custom ASM wrappers for those, BSD put an explicit pad
argument in so that the off_t argument would always start on a even slot and
thus be naturally aligned. Thus those odd wrappers in lib/libc/sys/ that use
__syscall() and pass an extra '0' argument.

The ABIs for different CPUs eventually settled how things should be passed on
each and gcc 2.x followed them. The only arch now where it helps is landisk,
which needs to skip the last argument register if it would be the first half of
a 64bit argument. So: add new syscalls without the pad argument and on landisk
do that skipping directly in the syscall handler in the kernel. Keep compat
support for the existing syscalls long enough for the transition.

ok deraadt@

Revert "kbind(2): disable system call if not initialized before
first __tfork(2)"

The immediate issue is that a process linked with -znow will still
perform lazy relocation on objects loaded with dlopen(), but there
are possibly other dark corners to plumb to find a better invariant.

Problem reported by thfr@

kbind(2): disable system call if not initialized before first __tfork(2)

To unlock kbind(2) we need to protect ps_kbind_addr and
ps_kbind_cookie.

The simplest way to do this is to disallow kbind(2) initialization
after the first __tfork(2) call. If the first thread does not
initialize the kbind(2) variables before __tfork(2) then we disable
kbind(2) during that first __tfork(2) call.

This is guenther@'s patch, I'm just committing it.

Discussed with guenther@, deraadt@, kettenis@, and mpi@.

ok kettenis@, positive response from mpi@, "I am busy" guenther@

Remove parenthesis around return value to reduce the diff with NetBSD.

No functional change.

ok mlarkin@

Do not release the KERNEL_LOCK() when mmap(2)ing files.

Previous attempt to unlock amap & anon exposed a race in vnode reference
counting. So be conservative with the code paths that we're not fully moving
out of the KERNEL_LOCK() to allow us to concentrate on one area at a time.

The panic reported was:

....panic: vref used where vget required
....db_enter() at db_enter+0x5
....panic() at panic+0x129
....vref(ffffff03b20d29e8) at vref+0x5d
....uvn_attach(1010000,ffffff03a5879dc0) at uvn_attach+0x11d
....uvm_mmapfile(7,ffffff03a5879dc0,2,1,13,100000012) at uvm_mmapfile+0x12c
....sys_mmap(c50,ffff8000225f82a0,1) at sys_mmap+0x604
....syscall() at syscall+0x279

Note that this change has no effect as long as mmap(2) is still executed with
ze big lock.

ok kettenis@

Recent changes for PROT_NONE pages to not count against resource limits,
failed to note this also guarded against heavy amap allocations in the
MAP_SHARED case. Bring back the checks for MAP_SHARED
from semarie, ok kettenis
https://syzkaller.appspot.com/bug?extid=d80de26a8db6c009d060

branches: 1.161.4;
Do not count pages mapped as PROT_NONE against the RLIMIT_DATA limit.
Instead count (and check the limit) when their protection gets flipped
from PROT_NONE to something that permits access. This means that
mprotect(2) may now fail if changing the protection would exceed RLIMIT_DATA.

This helps code (such as Chromium's JavaScript interpreter that reserves
large chunks of address space but populates it sparsely.

ok deraadt@, otto@, kurt@, millert@, robert@

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen

Remove end of line whitespace.

No code change.

Add dummy msyscall(2) system call which is currently a noop. This will
be used by kernel and ld.so in the near future. Adding the system call
earlier will reduce the number of people who try to build through and
encounter agony.
ok kettenis guenther

Make resource limit access MP-safe. So far, the copy-on-write sharing
of resource limit structs has been done between processes. By applying
copy-on-write also between threads, threads can read rlimits in
a nearly lock-free manner.

Inspired by code in DragonFly BSD and FreeBSD.

OK mpi@, agreement from jmatthew@ and anton@

move the noise about W^X mapping failure inside the sysctl kern.wxabort
knob, since we found a proram which tests RWX mapping then changes execution
behaviour to non-W^X.
(that program is chrome, as v8 is heading towards W^X compliance with
mprotect RW/RX swaps, and also has jitless components in developent.)
ok sthen kettenis robert

BOGO_PC is an invalid userland address, which indicates kbind() is now
disabled in the process. Rather than tying it to KERNBASE, make it simply
-1, which means it even more invalid..
ok tedu

New mmap(2) flag: MAP_CONCEAL.

MAP_CONCEAL'd memory is not written to disk in the event of a core dump.
It may grow other qualities in the future.

Wanted by libressl, probably useful elsewhere, too.

Prompted by deraadt@, concept from deraadt@/kettenis@. With input from
deraadt@, cjeker@, kettenis@, otto@, bcook@, matthew@, guenther@, djm@,
and tedu@.

ok otto@ deraadt@

mincore() is a relic from the past, exposing physical machine information
about shared resources which no program should see. only a few pieces of
software use it, generally poorly thought out. they are being fixed, so
mincore() can be deleted.
ok guenther tedu jca sthen, others

Make mincore lie. The nature of shared memory means it can spy on what
another process is doing. We don't want that, so instead have it
always return that memory is in core.
ok deraadt kettenis

branches: 1.151.2;
Push back the kernel lock in sys_mmap(2) a little bit more now that
fd_getfile(9) is mpsafe. Note that sys_mmap(2) isn't actually unlocked
currently. However this diff has been tested with it unlocked, and I
hope to unlock it for real soon-ish.

ok visa@, mpi@

Move FREF() inside fd_getfile().

ok visa@

Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis

Make sure that programs violating a pledge(2) promise or some memory
protection cannot block the final SIGABRT.

While here apply the same logic to ddb(4)'s kill command.

From semarie@, ok deraadt@

branches: 1.147.2;
Remove almost unused `flags' argument of suser().

The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.

No objection from millert@, ok tedu@, bluhm@

Can mask MAP_STACK by name rather than number

mask out (ie. ignore) the bit which will be MAP_STACK in the future,
so diffs in snapshots can exercise the change in a less disruptive way
idea with sthen, ok kettenis tom others

Stop assuming <sys/file.h> will pull in fcntl.h when _KERNEL is defined.

ok millert@ sthen@

__MAP_NOFAULT doesn't make sense with anon mappings, so return EINVAL if
that is attempted.
Minor cleanups:
- Eliminate some always false and always true tests against MAP_ANON
- We treat anon mappings with neither MAP_{SHARED,PRIVATE} as MAP_PRIVATE
so explicitly indicate that

ok kettenis@ beck@

p_comm is the process's command and isn't per thread, so move it from
struct proc to struct process.

ok deraadt@ kettenis@

Display/test/use the process PID, not the thread's TID, in a few places.

ok mpi@ mikeb@

move the uvm_map_addr RB tree from RB macros to the RBT functions

this tree is interesting because it uses all the red black tree
features, specifically the augment callback thats called on tree
topology changes, and it poisons and checks entries as theyre removed
from and inserted back into the tree respectively.

ok stefan@

uvm_wxcheck() should only abort the process if kern.wxabort is set.
The new semantics are W^X violations are reported to the application
via ENOTSUP. Forgot to fix this during the last change.
Spotted by kettenis

W^X violations are only permitted for binaries marked "wxneeded" on
"wxallowed" filesystems. mmap(2) & mprotect(2) now return ENOTSUP.
(To diagnose buggy programs, consider using sysctl kern.wxabort=1 and
looking at the coredumps)
ok kettenis tedu naddy

Since mappings established using __MAP_NOFAULT will be converted into anonymous
memory if the file backing the mapping is truncated, we should check resource
limits. This prevents callers from triggering a kernel panic and a potential
integer overflow in the amap code by forcing the allocation of too many slots.

Based on an analysis from Jesse Hertz and Tim Newsham.

ok deraadt@

Revert previous; the __MAP_NOFAULT test is inverted and the commit message is
wrong.

Since mappings established using __MAP_NOFAIL will be converted into anonymous
memory if the file backing the mapping is truncated, we should check resource
limits. This prevents callers from triggering a kernel panic and a potential
integer overflow in the amap code by forcing the allocation of too many slots.

Based on an analysis from Jesse Hertz and Tim Newsham.

ok deraadt@

Dereference p_p once rather than 4 times.

hppa & mips64 now can do the full W^X check. (Make sure you have
a new kernel before this change, and ld.so updated)

If a process trips the W^X violation check, abort it unless it came
from a filesystem with the wxallowed flag set. ok deraadt

Current status:

Filesystem Binary Action

Prevent vsize_t underflow when checking RLIMIT_DATA, which made the
check ineffective when you already had more memory than your limit
allowed.

I noticed after writing this diff that millert@ already committed a fix
for this in rev. 1.74 (2009/06/01), but it got backed out with the giant
pmemrange backout two weeks later and was never restored.

OK tedu@ ("just fix it" and "go ahead with your version")
stefan@ also agrees that a check is needed.

Delete the kernel compat bits for old mmap() MAP_OLD* flags

ok deraadt@ matthew@ jca@

Identify W^X labelled binaries at execve() time based upon WX_OPENBSD_WXNEEDED
flag set by ld -zwxneeded. Such binaries are allowed to run only on wxallowed
mountpoints. They do not report mmap/mprotect problems.

Rate limit mmap/mprotect reports from other binaries.

These semantics are chosen to encourage progress in the ports ecosystem,
without overwhelming the developers who work in the area.
ok sthen kettenis

backout to insert correct commit message

*** empty log message ***

W^X violations are no longer permitted by default. A kernel log message
is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag
kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump
creation.

W^X violating programs can be permitted on a ffs/nfs filesystem-basis,
using the "wxallowed" mount option. One day far in the future
upstream software developers will understand that W^X violations are a
tremendously risky practice and that style of programming will be
banished outright. Until then, we recommend most users need to use the
wxallowed option on their /usr/local filesystem. At least your other
filesystems don't permit such programs.

ok jca kettenis mlarkin natano

remove hppa64 port, which we never got going beyond broken single users.
hppa reverse-stack gives us a valuable test case, but most developers don't
have a 2nd one to proceed further with this.
ok kettenis

Remove dead assignments and now unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpi@ stefan@

remove vaxisms

branches: 1.122.2;
Remove the superfluous typedef uvm_flag_t (unsigned int). Also, fix an
associated mistake in the uvm manpage.

Suggested by and ok tedu@

refactor pledge_*_check and pledge_fail functions

- rename _check function without suffix: a "pledge" function called from
anywhere is a "check" function.

- makes pledge_fail call the responsability to the _check function. remove it
from caller.

- make proper use of (potential) returned error of _check() functions.

- adds pledge_kill() and pledge_protexec()

with and OK deraadt@

Rename tame() to pledge(). This fairly interface has evolved to be more
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.

implement new "prot_exec" tame(2) request:
- by default, a tamed-program don't have the possibility to use PROT_EXEC for
mmap(2) or mprotect(2)
- for that, use the request "prot_exec" (that could be dropped later)

initial idea from deraadt@ and kettenis@

"make complete sense" beck@
ok deraadt@

the kernel lock is no longer needed in the fixed case since uvm_map
will perform the unmap as necessary, holding the vm lock.
reminded by kettenis

add a flag to indicate to uvm_map that it should unmap to make space.
this pulls all the relevant operations under the same map locking, and
relieves calling code from responsibility.
ok kettenis matthew

matthew noticed there's a race where we are using the kernel lock to tie
together the unmap and map portions of a fixed mmap. make this explicit
by pulling the lock up higher. in preparation for unlocking the syscall.

there's still (always has been) a race where if the unmap sleeps, another
mmap may see partial results because the map lock isn't held througout.
another problem, another day.

Corect a kbind comment to describe the version that was settled on: no old
data, only new

sizes for free(); ok semarie

In sys_kbind(), pages from uvm_map_extract() must be written to with kcopy()

ok kettenis@

branches: 1.112.4;
Actually return a value from sys_kbind() in the non-ld.so case, or the
compiler will warn.

include sys/user.h to unbreak the build on at least arm after rev 1.110
ok miod@

Add kbind, a syscall for ld.so to use to securely and efficiently update
memory for lazy binding

ok deraadt@

Pass a thread pointer instead of its file descriptor table to getvnode(9).

Input and ok millert@

Extend uvm_map_hint() to get an address range as extra arguments, and make
sure it will return an address within that range.

Use this in uaddr_rnd_select() to make sure we will not attempt to pick
an address beyond what we are allowed to map.

In my trees for 9 months, blackmailed s2k15 attendees into agreeing now would
be a good time to commit.

Include sys/stdint.h for SIZE_MAX instead of relying on the misplaced
define in sys/limits.h. OK guenther@

recombine some of the split uvm_mmap functions. the precondition checks
are not necessary because the caller already ensures these. the tail
section for handing mlock can be shared as well.
ok beck guenther

-Split out uvm_mmap and uvm_map into a version for anon's and a version
for everything else.
-Adapt the anon version to be callable without the biglock held.
Done by tedu@, kettenis@ and me.. pounded on a bunch.

This does not yet make mmap a NOLOCK call, but permits it to be so.
ok tedu@, kettenis@, guenther@ jsing@

Prefer MADV_* over POSIX_MADV_* in kernel for consistency: the latter
doesn't have all the values and therefore can't be used everywhere.

ok deraadt@ kettenis@

primary change: move uvm_vnode out of vnode, keeping only a pointer.
objective: vnode.h doesn't include uvm_extern.h anymore.
followup changes: include uvm_extern.h or lock.h where necessary.
ok and help from deraadt

Use MAP_INHERIT_* for the 'inh' argument to the UMV_MAPFLAG() macro,
eliminating the must-be-kept-in-sync UVM_INH_* macros

ok deraadt@ tedu@

Sprinkle in a little more mallocarray().

ok deraadt@ tedu@

Replace a plethora of historical protection options with just
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis

Introduce __MAP_NOFAULT, a mmap(2) flag that makes sure a mapping will not
cause a SIGSEGV or SIGBUS when a mapped file gets truncated. Access to
pages that are not backed by a file on such a mapping will be replaced by
zero-filled anonymous pages. Makes passing file descriptors of mapped files
usable without having to play tricks with signal handlers.

"steal your mmap flag" deraadt@

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

bye bye UBC; ok beck dlg

Use real parameter types for u{dv,vn}_attach() instead of void *

ok guenther

Cleanup support for legacy mmap flags

Move all legacy MAP_FOO values behind #ifndef _KERNEL and redefine
them to either be aliases for existing flags (e.g., MAP_COPY ->
MAP_PRIVATE) or 0.

Also, add MAP_OLDFOO defines (behind #ifndef _KERNEL) so the kernel
and kdump can remain compatible with current OpenBSD binaries.

ok deraadt

compress code by turning four line comments into one line comments.
emphatic ok usual suspects, grudging ok miod

remove lots of comments about locking per beck's request

remove simple_locks from uvm code. ok beck deraadt

Add a new mmap(2) flag __MAP_NOREMAP for use with MAP_FIXED to
indicate that the kernel should fail with MAP_FAILED if the specified
address is not currently available instead of unmapping it.

Change ld.so on i386 to make use of __MAP_NOREMAP to improve
reliability.

__MAP_NOREMAP diff by guenther based on an earlier diff by Ariane;
ld.so bits by guenther and me
bulk build stress testing of earlier diffs by sthen
ok deraadt; committing now for further testing

Add struct proc * argument to FRELE() and FILE_SET_MATURE() in
anticipation of further changes to closef(). No binary change.

ok krw@ miod@ deraadt@

Return EINVAL on 0-byte mmap invocation.

- Posix rules that a 0-byte mmap must return EINVAL
- our allocators are unable to distinguish between free memory and
0 bytes of allocated memory

New vmmap implementation.

no oks (it is really a pain to review properly)
extensively tested, I'm confident it'll be stable
'now is the time' from several icb inhabitants

Diff provides:
- ability to specify different allocators for different regions/maps
- a simpler implementation of the current allocator
- currently in compatibility mode: it will generate similar addresses
as the old allocator

More syscalls.master cleanup:

sys_osigaltstack() is 7 years old and no longer needed; all glory to
the sys_sigaltstack()!

sys_ogetdirentries() is about 9 months old, but still acceptable
within our release cycle; move from STD to COMPAT_48 to make this
clearer for tedu@ next year.

sys_sbrk() and sys_sstk() are completely obsolete: all they do is
return ENOSYS.

ok guenther@

msync has some code that is based on *old* bsd behaviour where
msync(size == 0) did strange things based on the original mapping
segments and trying to manipulate same. This code was copied from the
original vm when we moved to uvm.

posix says nothing about this behaviour and anything that depends on it is
systemically broken, so rip it out and make sys_msync about 30% smaller.

ok deraadt@, tedu@, guenther@.

move the specfs code to a place people can see it; ok guenther thib krw

Backout vmmap in order to repair virtual address selection algorithms
outside the tree.

Reimplement uvm/uvm_map.

vmmap is designed to perform address space randomized allocations,
without letting fragmentation of the address space go through the roof.

Some highlights:
- kernel address space randomization
- proper implementation of guardpages
- roughly 10% system time reduction during kernel build

Tested by alot of people on tech@ and developers.
Theo's machines are still happy.

add a param to uvm_map_hint to not skip over the heap, and use it as a last
resort if mmap fails otherwise to enable more complete address space
utilization. tested for a while with no ill effects.

add a BRKSIZ define and use it for the heap gap constant, decoupling
heap gap from max data size. nothing else changes yet. ok deraadt

Fix a locking problem in mincore where it was possible for us to sleep
with a spinlock (even vslocked() buffers may fault in the right
(complicated) situation).

We solve this by preallocating a bounded array for the response and copying the
data out when all locks have been released.

ok thib@, beck@

Add an extra argument to uvm_unmap_remove(), for the caller to tell it
whether removing holes or parts of them is allowed or not.
Only allow hole removal in uvmspace_free(), when tearing the vmspace down.

ok art@

Put the PG_RELEASED changes diff back in.

This has has been tested very very thoroughly on all archs we have
excepting 88k and 68k. Please see cvs log for the individual commit
messages.

ok beck@, thib@

Remove the VREF() macro and replaces all instances with a call to verf(),
which is exactly what the macro does.

Macro's that are nothing more then:
#define FUNCTION(arg) function(arg)
are almost always pointless and should go away.

OK blambert@
Agreed by many.

date based reversion of uvm to the 4th May.

More backouts in line with previous ones, this appears to bring us back to a
stable condition.

A machine forced to 64mb of ram cycled 10GB through swap with this diff
and is still running as I type this. Other tests by ariane@ and thib@
also seem to show that it's alright.

ok deraadt@, thib@, ariane@

Backout all changes to uvm after pmemrange (which will be backed out
separately).

a change at or just before the hackathon has either exposed or added a
very very nasty memory corruption bug that is giving us hell right now.
So in the interest of kernel stability these diffs are being backed out
until such a time as that corruption bug has been found and squashed,
then the ones that are proven good may slowly return.

a quick hitlist of the main commits this backs out:

mine:
uvm_objwire
the lock change in uvm_swap.c
using trees for uvm objects instead of the hash
removing the pgo_releasepg callback.

art@'s:
putting pmap_page_protect(VM_PROT_NONE) in uvm_pagedeactivate() since
all callers called that just prior anyway.

ok beck@, ariane@.

prompted by deraadt@.

Deal with wraparound when checking RLIMIT_DATA.
OK guenther@ otto@

Since we've now cleared up a lot of the PG_RELEASED setting, remove the
pgo_releasepg() hook and just free the page the "normal" way in the one
place we'll ever see PG_RELEASED and should care (uvm_page_unbusy,
called in aiodoned).

ok art@, beck@, thib@

While working on some stuff in uvm I've gotten REALLY sick of reading
K&R function declarations, so switch them all over to ansi-style, in
accordance with the prophesy.

"go for it" art@

vm_map_lock() around calls to uvm_map_findspace(); ok tedu

replace the machine dependant bytes-to-clicks macro by the MI ptoa()
version for i386

more architectures and ctob() replacement is being worked on

prodded by and ok miod

Bring back Mickey's UVM anon change. Testing by thib@, beck@ and
ckuethe@ for a while. Okay beck@, "it is good timing" deraadt@.

zap the vm_amap am_l simplelock, and amap_{lock/unlock} macros for
simple_{lock/unlock}.

ok art@

Clean up some return value handling now that we know that what's returned
is proper errnos.

millert@ ok and some help

Rip out the KERN_ error codes.
ok otto@

remove KERN_SUCCESS and use 0 instead.
eyeballed by miod@ and pedro@

Make integer wrap checks the same for mmap, munmap, msync, etc
by factoring most of the checks into a macro. OK otto@

Back out the anon change. Apparently it was tested by a few, but most of
us did not see it or get a chance to test it before it was commited. It
broke cvs, in the ami driver, making it not succeed at seeing it's devices.

fallout from previous: remmapping anonymous memory did not account dsize proper; found by krause and mmap_fixed

from netbsd: make anons dynamically allocated from pool.
this results in lesse kva waste due to static preallocation of those
for every phys page and also every swap page.
tested by beck krw miod

Fix a process datasize leak with MAP_FIXED. When zapping old mappings
call uvm_unmap_p instead of uvm_unmap so that it has the process information
and can adjust vm_dused. okay pedro@ tedu@

Revert r1.58, I was on drugs - the array we are locking is one byte per
page, so the arithmetic was ok. Spotted by david@

In sys_mincore(), pass a size in bytes, not pages, to uvm_vslock() and
uvm_vsunlock(). ok mickey@

branches: 1.57.2; 1.57.4;
use vm_dused for rlimit. much happier with mmap. tested by several
over past week. as a bonus, kills 5 XXXs.

add a new field to vm_space and use it to track the number of anon
pages a process uses. this is now the userland "data size" value.
ok art deraadt tdeval. thanks testers.

In uvm_mmap(), check for size wrap to 0, and return ENOMEM in that
case. Do not arbitarily disallow sizes with the high bit set, they
are unsigned. With lotsa help from miod@, test by danh@
ok miod@ millert@ tedu@

branches: 1.54.2;
align to __LDPGSZ for anon mmap. this allows userland to be compiled
with a static page size on platforms where it may vary.
ok deraadt@ millert@ tdeval@

branches: 1.53.4;
add a random offset to uvm_map_hint. this has the primary effect of
scattering ld.so and libraries around, although all mmaps will also
have some jitter too. better version after some discussion with drahn
testing/ok deraadt henning marcm otto pb

match syscallargs comments with reality
from Patrick Latifi <patrick.l@hermes.usherb.ca>
ok jason@ tedu@

change arguments to suser. suser now takes the process, and a flags
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

enforce restrictions on prot and flags to mprotect and mmap. invalid or
undefined flags are now rejected instead of silently ignored. makes
"unintentional" mprotect calls a touch harder.
ok art@ deraadt@ jason@

add MAP_TRYFIXED, mostly to help emulate other systems.
when set, uvm will not attempt to avoid a heap address, if requested.
from todd vierling, via
http://marc.theaimsgroup.com/?l=netbsd-tech-kern&m=105612525808607&w=1

remove sys_omquery. it was only used for two weeks, and you can't
source upgrade from a system that used it anyway.
ok art deraadt drahn

Typos; from Julien Bordet <zejames@greyhats.org>
Close PR 3262

Change mquery() function call signature to be the same a mmap(). It
needs the prot/flags info and passing the addresses via arg/return allows
it to be traced via ktrace better than an in/out paramter.
This adds a new mquery syscall and renames the old one to omquery.
New kernel _MUST_ be built, booted, and 'make includes' before building
ld.so with this change.

backout mquery change, something broke when not combined with a different diff.

change mquery() function call signature to be the same a mmap(). It
needs the prot/flags info and passing the addresses via arg/return allows
it to be traced via ktrace better than an in/out paramter.
This adds a new mquery syscall and renames the old one to omquery.
New kernel _MUST_ be built and installed before building ld.so with this change.
ok millert@ tedu@

Return EINVAL if MAP_FIXED was specified but was not available. ok tedu@

changes to support mquery with 1Gsep on i386. avoid heap on mappings.

There are two related changes.

The first one is an mquery(2) syscall. It's for asking the VM system
about where to map things. It will be used by ld.so, read the man page
for details.

The second change is related and is a centralization of uvm_map hint
that all callers of uvm_map calculated. This will allow us to adjust
this hint on architectures that have segments for non-exec mappings.

deraadt@ drahn@ ok.

int -> ssize_t.
+checked by regress.

millert@, art@ ok.

Remove fetch(9) and store(9) functions from the kernel, and replace the few
remaining instances of them with appropriate copy(9) usage.

ok art@, tested on all arches unless my memory is non-ECC

Don't uvm_useracc and then vslock. vslock is better at finding illegal mappings.

Since memory deallocation can't fail, remove the error return from
uvm_unmap, uvm_deallocate and a few other functions.
Simplifies some code and reduces diff to the UBC branch.

Fix missing FRELE in mmap(2); ok art

Correctly FREF/FRELE in mmap(2).

UBC was a disaster. It worked very good when it worked, but on some
machines or some configurations or in some phase of the moon (we actually
don't know when or why) files disappeared. Since we've not been able to
track down the problem in two weeks intense debugging and we need -current
to be stable, back out everything to a state it had before UBC.

We apologise for the inconvenience.

branches: 1.32.2;
Merge in struct uvm_vnode into struct vnode.

Yet another sync to NetBSD uvm.
Today we add a pmap argument to pmap_update() and allocate map entries for
kernel_map from kmem_map instead of using the static entries. This should
get rid of MAX_KMAPENT panics. Also some uvm_loan problems are fixed.

Sync in more uvm from NetBSD. Mostly just cosmetic stuff.
Contains also support for page coloring.

Sync in more uvm changes from NetBSD.
This time we're getting rid of KERN_* and VM_PAGER_* error codes and
use errnos instead.

Merge in the unified buffer cache code as found in NetBSD 2001/03/10. The
code is written mostly by Chuck Silvers <chuq@chuq.com>/<chs@netbsd.org>.

Tested for the past few weeks by many developers, should be in a pretty stable
state, but will require optimizations and additional cleanups.

Bring in more changes from NetBSD. Mostly pagedaemon improvements.

minor sync to NetBSD.

Another sync of uvm to NetBSD. Just minor fiddling, no major changes.

Add an alignment argument to uvm_map that specifies an alignment hint
for the virtual address.

Move the last content from vm/ to uvm/
The only thing left in vm/ are just dumb wrappers.
vm/vm.h includes uvm/uvm_extern.h
vm/pmap.h includes uvm/uvm_pmap.h
vm/vm_page.h includes uvm/uvm_page.h

Minor sync to NetBSD.

- every new fd created by falloc() is marked as larval and should not be used
any anyone. Every caller of falloc matures the fd when it's usable.
- Since every lookup in the fd table must now check this flag and all of
them do the same thing, move all the necessary checks into a function -
fd_getfile.

Don't include <vm/vm_kern.h> if you don't need foo_map.

Various random fixes from NetBSD.
Including support for zeroing pages in the idle loop (not enabled yet).

Add a new type voff_t (right now it's typedefed as off_t) used for offsets
into objects.

Gives the possibilty to mmap beyond the size of vaddr_t.

From NetBSD.

Some updates to UVM from NetBSD. Nothing really critical, just a sync.

Change the pmap_enter interface to merge access_type and the wired boolean
and arbitrary flags into one argument.

One new flag is PMAP_CANFAIL that tells pmap_enter that it can fail if there
are not enough resources to satisfy the request. If this flag is not passed,
pmap_enter should panic as it should have done before this change (XXX - many
pmaps are still not doing that).

Only i386 and alpha implement CANFAIL for now.

Includes uvm updates from NetBSD.

Sync with NetBSD 19990911 (just before PMAP_NEW was required)
- thread_sleep_msg() -> uvm_sleep()
- initialize reference count lock in uvm_anon_{init,add}()
- add uao_flush()
- replace boolean 'islocked' with 'lockflags'
- in uvm_fault() change FALSE to TRUE to in 'wide' fault handling
- get rid of uvm_km_get()
- various bug fixes

Change the paddr_t pmap_extract(struct pmap *, vaddr_t) interface to
boolean_t pmap_extract(struct pmap *, vaddr_t, paddr_t *).
Matches NetBSD. Tested by various people on various platforms.

More sync to NetBSD.
The highlight is some more advices to madvise(2).
o MADV_DONTNEED will deactive the pages in the given range giving a quicker
reuse.
o MADV_FREE will garbage-collect the pages and swap resources causing the
next fault to either page in new pages from backing store (mapped vnode)
or allocate new zero-fill pages (anonymous mapping).

Some locking protocol fixes and better enforcement of wiring limits.

From NetBSD.

Remove the (vaddr_t) casts inside the round_page and trunc_page macros.
We might want to use them on types that are bigger than vaddr_t.

Fix all callers that pass pointers without casts.

Sync style, typo, and comments a little closer to NetBSD. art@ ok

locking typo.

Add mlockall and munlockall (dummy for the old vm system).

More syncing to NetBSD.

Implements mincore(2), mlockall(2) and munlockall(2). mlockall and munlockall
are disabled for the moment.

The rest is mostly cosmetic.

$OpenBSD$

Bring in some new UVM code from NetBSD (not current).

- Introduce a new type of map that are interrupt safe and never allow faults
in them. mb_map and kmem_map are made intrsafe.
- Add "access protection" to uvm_vslock (to be passed down to uvm_fault and
later to pmap_enter).
- madvise(2) now works.
- various cleanups.

branches: 1.4.4;
sync with NetBSD from 1999.05.24 (there is a reason for this date)
Mostly cleanups, but also a few improvements to pagedaemon for better
handling of low memory and/or low swap conditions.

remove sys_omsync, it's in already in compat. (how did this ever link?)

add OpenBSD tags

Import of uvm from NetBSD. Some local changes, some code disabled

Delete the msyscall mechanism entirely, since mimmutable+pinsyscalls has
replaced it with a more strict mechanism, which happens to be lockless O(1)
rather than micro-lock O(1)+O(log N). Also nop-out the sys_msyscall(2) guts,
but leave the syscall around for a bit longer so that people can build through
it, since ld.so(1) still wants to call it.

Delete pinsyscall(2) [which was specific only to SYS_execve] now
that it has been replaced with pinsyscalls(2) [which tells the kernel
the location of all system calls in libc.so]
floated to various people before release, but it was prudent to wait.

remove the guts of pinsyscall(2), it just returns 0 now.
It has been made redundant by the introduction of pinsyscalls(2) which
handles all system calls, rather than just 1.

The kernel will now read pinsyscall tables out of PT_OPENBSD_SYSCALLS in
the main program or ld.so, and accept a submission of that information
for libc.so from ld.so via pinsyscalls(2). At system call invocation,
the syscall number is matched to the specific address it must come from.
ok kettenis, gnezdo, testing of variations by many people

Add a stub pinsyscalls() system call that simply returns 0 for now,
before future work where ld.so(1) will need this new system call.
Putting this in the kernel ahead of time will save some grief.
ok kettenis

Inline once-used variable to sync all uvm_map_clean() callers

OK mpi

fix double words in comments
feedback and ok jmc@ miod, ok millert@

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

Add pinsyscall(2). With this you can tell the kernel the location
(start,len) of the syscall stub in libc.so for a specified syscall
(using SYS_* notation). Only SYS_execve is supported at this time.
ok gnezdo mortimer kettenis

non-padded 64-bit system calls arrived 2021/12/23, over a year ago.
time to delete the backwards compat padded functions in the kernel.

Currently we disable kbind(2) for static program from libc.a's
preinit hook. Delete that and instead have the kernel disable kbind
at exec-time if the program doesn't have an ELF interpreter. For
now, permit userland calls to disable it when already disabled so
existing static programs continue to work.

prompted by deraadt@ questioning about the call in libc.a

ok deraadt@ miod@

Chuck Cranor rescinded the advertising clause of uvm_mmap.c in
NetBSD rev 1.134 and confirmed with Mike Hibler that the University of
Utah would do the same.

https://mail-index.netbsd.org/source-changes/2011/02/02/msg018021.html

ok deraadt@

stack growth from setrlimit was never updated to set UVM_ET_STACK on
the entries, so the check-sp-at-system-call check failed. Quite strange
it took this long to find this.
ok kettenis

the debug "name" parameter to uvm_map_immutable() is no longer needed

Add mimmutable(2) system call which locks the permissions (PROT_*) of
memory mappings so they cannot be changed by a later mmap(), mprotect(),
or munmap(), which will error with EPERM instead.
ok kettenis

some ports bootstraps, and go internals, need a bit more time to adapt
to the padded syscalls going away.

the _pad_ system calls from 2021/12/23 can go away
ok guenther

kbind(2): unlock syscall, push kernel lock down to binding loop

- Rearrange the security check code in sys_kbind() so that we only
need to take the kernel lock once if we need to raise SIGILL.

- Protect process.ps_kbind_addr and process.ps_kbind_cookie with
process.ps_mtx. This is easier to do after the aforementioned
rearrangement. Under normal circumstances this isn't necessary:
the process is single-threaded when we initialize kbind(2).
But in stranger situations this brief mutex ensures that the
first thread to reach sys_kbind() initializes both variables.

- Wrap the binding loop with the kernel lock. We need to carefully
confirm that uvm_unmap_remove(), uvm_map_extract(), and
uvm_unmap_detach() are MP-safe in a subsequent patch before
completely removing the kernel lock from sys_kbind().

- Remove the kernel lock from kbind(2) in syscalls.master.

Prompted by mpi@, dlg@, and deraadt@. Current patch workshopped with
deraadt@. Based on a patch from dlg@.

With input from dlg@, bluhm@, mpi@, kettenis@, deraadt@, and
guenther@.

Thread: https://marc.info/?l=openbsd-tech&m=165274831829349&w=2

ok deraadt@ kettenis@ mpi@