Home | History | Annotate | Line # | Download | only in kern
kern_exec.c revision 1.288
      1 /*	$NetBSD: kern_exec.c,v 1.288 2009/03/29 01:02:50 mrg Exp $	*/
      2 
      3 /*-
      4  * Copyright (c) 2008 The NetBSD Foundation, Inc.
      5  * All rights reserved.
      6  *
      7  * Redistribution and use in source and binary forms, with or without
      8  * modification, are permitted provided that the following conditions
      9  * are met:
     10  * 1. Redistributions of source code must retain the above copyright
     11  *    notice, this list of conditions and the following disclaimer.
     12  * 2. Redistributions in binary form must reproduce the above copyright
     13  *    notice, this list of conditions and the following disclaimer in the
     14  *    documentation and/or other materials provided with the distribution.
     15  *
     16  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     17  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     18  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     19  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     20  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     21  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     22  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     23  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     24  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     25  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     26  * POSSIBILITY OF SUCH DAMAGE.
     27  */
     28 
     29 /*-
     30  * Copyright (C) 1993, 1994, 1996 Christopher G. Demetriou
     31  * Copyright (C) 1992 Wolfgang Solfrank.
     32  * Copyright (C) 1992 TooLs GmbH.
     33  * All rights reserved.
     34  *
     35  * Redistribution and use in source and binary forms, with or without
     36  * modification, are permitted provided that the following conditions
     37  * are met:
     38  * 1. Redistributions of source code must retain the above copyright
     39  *    notice, this list of conditions and the following disclaimer.
     40  * 2. Redistributions in binary form must reproduce the above copyright
     41  *    notice, this list of conditions and the following disclaimer in the
     42  *    documentation and/or other materials provided with the distribution.
     43  * 3. All advertising materials mentioning features or use of this software
     44  *    must display the following acknowledgement:
     45  *	This product includes software developed by TooLs GmbH.
     46  * 4. The name of TooLs GmbH may not be used to endorse or promote products
     47  *    derived from this software without specific prior written permission.
     48  *
     49  * THIS SOFTWARE IS PROVIDED BY TOOLS GMBH ``AS IS'' AND ANY EXPRESS OR
     50  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     51  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     52  * IN NO EVENT SHALL TOOLS GMBH BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     53  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
     54  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
     55  * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
     56  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
     57  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
     58  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     59  */
     60 
     61 #include <sys/cdefs.h>
     62 __KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.288 2009/03/29 01:02:50 mrg Exp $");
     63 
     64 #include "opt_ktrace.h"
     65 #include "opt_modular.h"
     66 #include "opt_syscall_debug.h"
     67 #include "veriexec.h"
     68 #include "opt_pax.h"
     69 #include "opt_sa.h"
     70 
     71 #include <sys/param.h>
     72 #include <sys/systm.h>
     73 #include <sys/filedesc.h>
     74 #include <sys/kernel.h>
     75 #include <sys/proc.h>
     76 #include <sys/mount.h>
     77 #include <sys/malloc.h>
     78 #include <sys/kmem.h>
     79 #include <sys/namei.h>
     80 #include <sys/vnode.h>
     81 #include <sys/file.h>
     82 #include <sys/acct.h>
     83 #include <sys/exec.h>
     84 #include <sys/ktrace.h>
     85 #include <sys/uidinfo.h>
     86 #include <sys/wait.h>
     87 #include <sys/mman.h>
     88 #include <sys/ras.h>
     89 #include <sys/signalvar.h>
     90 #include <sys/stat.h>
     91 #include <sys/syscall.h>
     92 #include <sys/kauth.h>
     93 #include <sys/lwpctl.h>
     94 #include <sys/pax.h>
     95 #include <sys/cpu.h>
     96 #include <sys/module.h>
     97 #include <sys/sa.h>
     98 #include <sys/savar.h>
     99 #include <sys/syscallargs.h>
    100 #if NVERIEXEC > 0
    101 #include <sys/verified_exec.h>
    102 #endif /* NVERIEXEC > 0 */
    103 
    104 #include <uvm/uvm_extern.h>
    105 
    106 #include <machine/reg.h>
    107 
    108 #include <compat/common/compat_util.h>
    109 
    110 static int exec_sigcode_map(struct proc *, const struct emul *);
    111 
    112 #ifdef DEBUG_EXEC
    113 #define DPRINTF(a) uprintf a
    114 #else
    115 #define DPRINTF(a)
    116 #endif /* DEBUG_EXEC */
    117 
    118 /*
    119  * Exec function switch:
    120  *
    121  * Note that each makecmds function is responsible for loading the
    122  * exec package with the necessary functions for any exec-type-specific
    123  * handling.
    124  *
    125  * Functions for specific exec types should be defined in their own
    126  * header file.
    127  */
    128 static const struct execsw	**execsw = NULL;
    129 static int			nexecs;
    130 
    131 u_int	exec_maxhdrsz;	 /* must not be static - used by netbsd32 */
    132 
    133 /* list of dynamically loaded execsw entries */
    134 static LIST_HEAD(execlist_head, exec_entry) ex_head =
    135     LIST_HEAD_INITIALIZER(ex_head);
    136 struct exec_entry {
    137 	LIST_ENTRY(exec_entry)	ex_list;
    138 	SLIST_ENTRY(exec_entry)	ex_slist;
    139 	const struct execsw	*ex_sw;
    140 };
    141 
    142 #ifdef SYSCALL_DEBUG
    143 extern const char * const syscallnames[];
    144 #endif
    145 
    146 #ifndef __HAVE_SYSCALL_INTERN
    147 void	syscall(void);
    148 #endif
    149 
    150 #ifdef KERN_SA
    151 static struct sa_emul saemul_netbsd = {
    152 	sizeof(ucontext_t),
    153 	sizeof(struct sa_t),
    154 	sizeof(struct sa_t *),
    155 	NULL,
    156 	NULL,
    157 	cpu_upcall,
    158 	(void (*)(struct lwp *, void *))getucontext_sa,
    159 	sa_ucsp
    160 };
    161 #endif /* KERN_SA */
    162 
    163 /* NetBSD emul struct */
    164 struct emul emul_netbsd = {
    165 	"netbsd",
    166 	NULL,		/* emulation path */
    167 #ifndef __HAVE_MINIMAL_EMUL
    168 	EMUL_HAS_SYS___syscall,
    169 	NULL,
    170 	SYS_syscall,
    171 	SYS_NSYSENT,
    172 #endif
    173 	sysent,
    174 #ifdef SYSCALL_DEBUG
    175 	syscallnames,
    176 #else
    177 	NULL,
    178 #endif
    179 	sendsig,
    180 	trapsignal,
    181 	NULL,
    182 	NULL,
    183 	NULL,
    184 	NULL,
    185 	setregs,
    186 	NULL,
    187 	NULL,
    188 	NULL,
    189 	NULL,
    190 	NULL,
    191 #ifdef __HAVE_SYSCALL_INTERN
    192 	syscall_intern,
    193 #else
    194 	syscall,
    195 #endif
    196 	NULL,
    197 	NULL,
    198 
    199 	uvm_default_mapaddr,
    200 	NULL,
    201 #ifdef KERN_SA
    202 	&saemul_netbsd,
    203 #else
    204 	NULL,
    205 #endif
    206 	sizeof(ucontext_t),
    207 	startlwp,
    208 };
    209 
    210 /*
    211  * Exec lock. Used to control access to execsw[] structures.
    212  * This must not be static so that netbsd32 can access it, too.
    213  */
    214 krwlock_t exec_lock;
    215 
    216 static kmutex_t sigobject_lock;
    217 
    218 static void *
    219 exec_pool_alloc(struct pool *pp, int flags)
    220 {
    221 
    222 	return (void *)uvm_km_alloc(kernel_map, NCARGS, 0,
    223 	    UVM_KMF_PAGEABLE | UVM_KMF_WAITVA);
    224 }
    225 
    226 static void
    227 exec_pool_free(struct pool *pp, void *addr)
    228 {
    229 
    230 	uvm_km_free(kernel_map, (vaddr_t)addr, NCARGS, UVM_KMF_PAGEABLE);
    231 }
    232 
    233 static struct pool exec_pool;
    234 
    235 static struct pool_allocator exec_palloc = {
    236 	.pa_alloc = exec_pool_alloc,
    237 	.pa_free = exec_pool_free,
    238 	.pa_pagesz = NCARGS
    239 };
    240 
    241 /*
    242  * check exec:
    243  * given an "executable" described in the exec package's namei info,
    244  * see what we can do with it.
    245  *
    246  * ON ENTRY:
    247  *	exec package with appropriate namei info
    248  *	lwp pointer of exec'ing lwp
    249  *	NO SELF-LOCKED VNODES
    250  *
    251  * ON EXIT:
    252  *	error:	nothing held, etc.  exec header still allocated.
    253  *	ok:	filled exec package, executable's vnode (unlocked).
    254  *
    255  * EXEC SWITCH ENTRY:
    256  * 	Locked vnode to check, exec package, proc.
    257  *
    258  * EXEC SWITCH EXIT:
    259  *	ok:	return 0, filled exec package, executable's vnode (unlocked).
    260  *	error:	destructive:
    261  *			everything deallocated execept exec header.
    262  *		non-destructive:
    263  *			error code, executable's vnode (unlocked),
    264  *			exec header unmodified.
    265  */
    266 int
    267 /*ARGSUSED*/
    268 check_exec(struct lwp *l, struct exec_package *epp)
    269 {
    270 	int		error, i;
    271 	struct vnode	*vp;
    272 	struct nameidata *ndp;
    273 	size_t		resid;
    274 
    275 	ndp = epp->ep_ndp;
    276 	ndp->ni_cnd.cn_nameiop = LOOKUP;
    277 	ndp->ni_cnd.cn_flags = FOLLOW | LOCKLEAF | SAVENAME | TRYEMULROOT;
    278 	/* first get the vnode */
    279 	if ((error = namei(ndp)) != 0)
    280 		return error;
    281 	epp->ep_vp = vp = ndp->ni_vp;
    282 
    283 	/* check access and type */
    284 	if (vp->v_type != VREG) {
    285 		error = EACCES;
    286 		goto bad1;
    287 	}
    288 	if ((error = VOP_ACCESS(vp, VEXEC, l->l_cred)) != 0)
    289 		goto bad1;
    290 
    291 	/* get attributes */
    292 	if ((error = VOP_GETATTR(vp, epp->ep_vap, l->l_cred)) != 0)
    293 		goto bad1;
    294 
    295 	/* Check mount point */
    296 	if (vp->v_mount->mnt_flag & MNT_NOEXEC) {
    297 		error = EACCES;
    298 		goto bad1;
    299 	}
    300 	if (vp->v_mount->mnt_flag & MNT_NOSUID)
    301 		epp->ep_vap->va_mode &= ~(S_ISUID | S_ISGID);
    302 
    303 	/* try to open it */
    304 	if ((error = VOP_OPEN(vp, FREAD, l->l_cred)) != 0)
    305 		goto bad1;
    306 
    307 	/* unlock vp, since we need it unlocked from here on out. */
    308 	VOP_UNLOCK(vp, 0);
    309 
    310 #if NVERIEXEC > 0
    311 	error = veriexec_verify(l, vp, ndp->ni_cnd.cn_pnbuf,
    312 	    epp->ep_flags & EXEC_INDIR ? VERIEXEC_INDIRECT : VERIEXEC_DIRECT,
    313 	    NULL);
    314 	if (error)
    315 		goto bad2;
    316 #endif /* NVERIEXEC > 0 */
    317 
    318 #ifdef PAX_SEGVGUARD
    319 	error = pax_segvguard(l, vp, ndp->ni_cnd.cn_pnbuf, false);
    320 	if (error)
    321 		goto bad2;
    322 #endif /* PAX_SEGVGUARD */
    323 
    324 	/* now we have the file, get the exec header */
    325 	error = vn_rdwr(UIO_READ, vp, epp->ep_hdr, epp->ep_hdrlen, 0,
    326 			UIO_SYSSPACE, 0, l->l_cred, &resid, NULL);
    327 	if (error)
    328 		goto bad2;
    329 	epp->ep_hdrvalid = epp->ep_hdrlen - resid;
    330 
    331 	/*
    332 	 * Set up default address space limits.  Can be overridden
    333 	 * by individual exec packages.
    334 	 *
    335 	 * XXX probably should be all done in the exec packages.
    336 	 */
    337 	epp->ep_vm_minaddr = VM_MIN_ADDRESS;
    338 	epp->ep_vm_maxaddr = VM_MAXUSER_ADDRESS;
    339 	/*
    340 	 * set up the vmcmds for creation of the process
    341 	 * address space
    342 	 */
    343 	error = ENOEXEC;
    344 	for (i = 0; i < nexecs; i++) {
    345 		int newerror;
    346 
    347 		epp->ep_esch = execsw[i];
    348 		newerror = (*execsw[i]->es_makecmds)(l, epp);
    349 
    350 		if (!newerror) {
    351 			/* Seems ok: check that entry point is sane */
    352 			if (epp->ep_entry > VM_MAXUSER_ADDRESS) {
    353 				error = ENOEXEC;
    354 				break;
    355 			}
    356 
    357 			/* check limits */
    358 			if ((epp->ep_tsize > MAXTSIZ) ||
    359 			    (epp->ep_dsize > (u_quad_t)l->l_proc->p_rlimit
    360 						    [RLIMIT_DATA].rlim_cur)) {
    361 				error = ENOMEM;
    362 				break;
    363 			}
    364 			return 0;
    365 		}
    366 
    367 		if (epp->ep_emul_root != NULL) {
    368 			vrele(epp->ep_emul_root);
    369 			epp->ep_emul_root = NULL;
    370 		}
    371 		if (epp->ep_interp != NULL) {
    372 			vrele(epp->ep_interp);
    373 			epp->ep_interp = NULL;
    374 		}
    375 
    376 		/* make sure the first "interesting" error code is saved. */
    377 		if (error == ENOEXEC)
    378 			error = newerror;
    379 
    380 		if (epp->ep_flags & EXEC_DESTR)
    381 			/* Error from "#!" code, tidied up by recursive call */
    382 			return error;
    383 	}
    384 
    385 	/* not found, error */
    386 
    387 	/*
    388 	 * free any vmspace-creation commands,
    389 	 * and release their references
    390 	 */
    391 	kill_vmcmds(&epp->ep_vmcmds);
    392 
    393 bad2:
    394 	/*
    395 	 * close and release the vnode, restore the old one, free the
    396 	 * pathname buf, and punt.
    397 	 */
    398 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
    399 	VOP_CLOSE(vp, FREAD, l->l_cred);
    400 	vput(vp);
    401 	PNBUF_PUT(ndp->ni_cnd.cn_pnbuf);
    402 	return error;
    403 
    404 bad1:
    405 	/*
    406 	 * free the namei pathname buffer, and put the vnode
    407 	 * (which we don't yet have open).
    408 	 */
    409 	vput(vp);				/* was still locked */
    410 	PNBUF_PUT(ndp->ni_cnd.cn_pnbuf);
    411 	return error;
    412 }
    413 
    414 #ifdef __MACHINE_STACK_GROWS_UP
    415 #define STACK_PTHREADSPACE NBPG
    416 #else
    417 #define STACK_PTHREADSPACE 0
    418 #endif
    419 
    420 static int
    421 execve_fetch_element(char * const *array, size_t index, char **value)
    422 {
    423 	return copyin(array + index, value, sizeof(*value));
    424 }
    425 
    426 /*
    427  * exec system call
    428  */
    429 /* ARGSUSED */
    430 int
    431 sys_execve(struct lwp *l, const struct sys_execve_args *uap, register_t *retval)
    432 {
    433 	/* {
    434 		syscallarg(const char *)	path;
    435 		syscallarg(char * const *)	argp;
    436 		syscallarg(char * const *)	envp;
    437 	} */
    438 
    439 	return execve1(l, SCARG(uap, path), SCARG(uap, argp),
    440 	    SCARG(uap, envp), execve_fetch_element);
    441 }
    442 
    443 /*
    444  * Load modules to try and execute an image that we do not understand.
    445  * If no execsw entries are present, we load those likely to be needed
    446  * in order to run native images only.  Otherwise, we autoload all
    447  * possible modules that could let us run the binary.  XXX lame
    448  */
    449 static void
    450 exec_autoload(void)
    451 {
    452 #ifdef MODULAR
    453 	static const char * const native[] = {
    454 		"exec_elf32",
    455 		"exec_elf64",
    456 		"exec_script",
    457 		NULL
    458 	};
    459 	static const char * const compat[] = {
    460 		"exec_elf32",
    461 		"exec_elf64",
    462 		"exec_script",
    463 		"exec_aout",
    464 		"exec_coff",
    465 		"exec_ecoff",
    466 		"compat_aoutm68k",
    467 		"compat_freebsd",
    468 		"compat_ibcs2",
    469 		"compat_irix",
    470 		"compat_linux",
    471 		"compat_linux32",
    472 		"compat_netbsd32",
    473 		"compat_sunos",
    474 		"compat_sunos32",
    475 		"compat_svr4",
    476 		"compat_svr4_32",
    477 		"compat_ultrix",
    478 		NULL
    479 	};
    480 	char const * const *list;
    481 	int i;
    482 
    483 	mutex_enter(&module_lock);
    484 	list = (nexecs == 0 ? native : compat);
    485 	for (i = 0; list[i] != NULL; i++) {
    486 		if (module_autoload(list[i], MODULE_CLASS_MISC) != 0) {
    487 		    	continue;
    488 		}
    489 		mutex_exit(&module_lock);
    490 	   	yield();
    491 		mutex_enter(&module_lock);
    492 	}
    493 	mutex_exit(&module_lock);
    494 #endif
    495 }
    496 
    497 int
    498 execve1(struct lwp *l, const char *path, char * const *args,
    499     char * const *envs, execve_fetch_element_t fetch_element)
    500 {
    501 	int			error;
    502 	struct exec_package	pack;
    503 	struct nameidata	nid;
    504 	struct vattr		attr;
    505 	struct proc		*p;
    506 	char			*argp;
    507 	char			*dp, *sp;
    508 	long			argc, envc;
    509 	size_t			i, len;
    510 	char			*stack;
    511 	struct ps_strings	arginfo;
    512 	struct ps_strings	*aip = &arginfo;
    513 	struct vmspace		*vm;
    514 	struct exec_fakearg	*tmpfap;
    515 	int			szsigcode;
    516 	struct exec_vmcmd	*base_vcp;
    517 	int			oldlwpflags;
    518 	ksiginfo_t		ksi;
    519 	ksiginfoq_t		kq;
    520 	char			*pathbuf;
    521 	size_t			pathbuflen;
    522 	u_int			modgen;
    523 
    524 	p = l->l_proc;
    525  	modgen = 0;
    526 
    527 	/*
    528 	 * Check if we have exceeded our number of processes limit.
    529 	 * This is so that we handle the case where a root daemon
    530 	 * forked, ran setuid to become the desired user and is trying
    531 	 * to exec. The obvious place to do the reference counting check
    532 	 * is setuid(), but we don't do the reference counting check there
    533 	 * like other OS's do because then all the programs that use setuid()
    534 	 * must be modified to check the return code of setuid() and exit().
    535 	 * It is dangerous to make setuid() fail, because it fails open and
    536 	 * the program will continue to run as root. If we make it succeed
    537 	 * and return an error code, again we are not enforcing the limit.
    538 	 * The best place to enforce the limit is here, when the process tries
    539 	 * to execute a new image, because eventually the process will need
    540 	 * to call exec in order to do something useful.
    541 	 */
    542  retry:
    543 	if ((p->p_flag & PK_SUGID) && kauth_authorize_generic(l->l_cred,
    544 	    KAUTH_GENERIC_ISSUSER, NULL) != 0 && chgproccnt(kauth_cred_getuid(
    545 	    l->l_cred), 0) > p->p_rlimit[RLIMIT_NPROC].rlim_cur)
    546 		return EAGAIN;
    547 
    548 	oldlwpflags = l->l_flag & (LW_SA | LW_SA_UPCALL);
    549 	if (l->l_flag & LW_SA) {
    550 		lwp_lock(l);
    551 		l->l_flag &= ~(LW_SA | LW_SA_UPCALL);
    552 		lwp_unlock(l);
    553 	}
    554 
    555 	/*
    556 	 * Drain existing references and forbid new ones.  The process
    557 	 * should be left alone until we're done here.  This is necessary
    558 	 * to avoid race conditions - e.g. in ptrace() - that might allow
    559 	 * a local user to illicitly obtain elevated privileges.
    560 	 */
    561 	rw_enter(&p->p_reflock, RW_WRITER);
    562 
    563 	base_vcp = NULL;
    564 	/*
    565 	 * Init the namei data to point the file user's program name.
    566 	 * This is done here rather than in check_exec(), so that it's
    567 	 * possible to override this settings if any of makecmd/probe
    568 	 * functions call check_exec() recursively - for example,
    569 	 * see exec_script_makecmds().
    570 	 */
    571 	pathbuf = PNBUF_GET();
    572 	error = copyinstr(path, pathbuf, MAXPATHLEN, &pathbuflen);
    573 	if (error) {
    574 		DPRINTF(("execve: copyinstr path %d", error));
    575 		goto clrflg;
    576 	}
    577 
    578 	NDINIT(&nid, LOOKUP, NOFOLLOW | TRYEMULROOT, UIO_SYSSPACE, pathbuf);
    579 
    580 	/*
    581 	 * initialize the fields of the exec package.
    582 	 */
    583 	pack.ep_name = path;
    584 	pack.ep_hdr = kmem_alloc(exec_maxhdrsz, KM_SLEEP);
    585 	pack.ep_hdrlen = exec_maxhdrsz;
    586 	pack.ep_hdrvalid = 0;
    587 	pack.ep_ndp = &nid;
    588 	pack.ep_emul_arg = NULL;
    589 	pack.ep_vmcmds.evs_cnt = 0;
    590 	pack.ep_vmcmds.evs_used = 0;
    591 	pack.ep_vap = &attr;
    592 	pack.ep_flags = 0;
    593 	pack.ep_emul_root = NULL;
    594 	pack.ep_interp = NULL;
    595 	pack.ep_esch = NULL;
    596 	pack.ep_pax_flags = 0;
    597 
    598 	rw_enter(&exec_lock, RW_READER);
    599 
    600 	/* see if we can run it. */
    601 	if ((error = check_exec(l, &pack)) != 0) {
    602 		if (error != ENOENT) {
    603 			DPRINTF(("execve: check exec failed %d\n", error));
    604 		}
    605 		goto freehdr;
    606 	}
    607 
    608 	/* XXX -- THE FOLLOWING SECTION NEEDS MAJOR CLEANUP */
    609 
    610 	/* allocate an argument buffer */
    611 	argp = pool_get(&exec_pool, PR_WAITOK);
    612 	KASSERT(argp != NULL);
    613 	dp = argp;
    614 	argc = 0;
    615 
    616 	/* copy the fake args list, if there's one, freeing it as we go */
    617 	if (pack.ep_flags & EXEC_HASARGL) {
    618 		tmpfap = pack.ep_fa;
    619 		while (tmpfap->fa_arg != NULL) {
    620 			const char *cp;
    621 
    622 			cp = tmpfap->fa_arg;
    623 			while (*cp)
    624 				*dp++ = *cp++;
    625 			*dp++ = '\0';
    626 
    627 			kmem_free(tmpfap->fa_arg, tmpfap->fa_len);
    628 			tmpfap++; argc++;
    629 		}
    630 		kmem_free(pack.ep_fa, pack.ep_fa_len);
    631 		pack.ep_flags &= ~EXEC_HASARGL;
    632 	}
    633 
    634 	/* Now get argv & environment */
    635 	if (args == NULL) {
    636 		DPRINTF(("execve: null args\n"));
    637 		error = EINVAL;
    638 		goto bad;
    639 	}
    640 	/* 'i' will index the argp/envp element to be retrieved */
    641 	i = 0;
    642 	if (pack.ep_flags & EXEC_SKIPARG)
    643 		i++;
    644 
    645 	while (1) {
    646 		len = argp + ARG_MAX - dp;
    647 		if ((error = (*fetch_element)(args, i, &sp)) != 0) {
    648 			DPRINTF(("execve: fetch_element args %d\n", error));
    649 			goto bad;
    650 		}
    651 		if (!sp)
    652 			break;
    653 		if ((error = copyinstr(sp, dp, len, &len)) != 0) {
    654 			DPRINTF(("execve: copyinstr args %d\n", error));
    655 			if (error == ENAMETOOLONG)
    656 				error = E2BIG;
    657 			goto bad;
    658 		}
    659 		ktrexecarg(dp, len - 1);
    660 		dp += len;
    661 		i++;
    662 		argc++;
    663 	}
    664 
    665 	envc = 0;
    666 	/* environment need not be there */
    667 	if (envs != NULL) {
    668 		i = 0;
    669 		while (1) {
    670 			len = argp + ARG_MAX - dp;
    671 			if ((error = (*fetch_element)(envs, i, &sp)) != 0) {
    672 				DPRINTF(("execve: fetch_element env %d\n", error));
    673 				goto bad;
    674 			}
    675 			if (!sp)
    676 				break;
    677 			if ((error = copyinstr(sp, dp, len, &len)) != 0) {
    678 				DPRINTF(("execve: copyinstr env %d\n", error));
    679 				if (error == ENAMETOOLONG)
    680 					error = E2BIG;
    681 				goto bad;
    682 			}
    683 			ktrexecenv(dp, len - 1);
    684 			dp += len;
    685 			i++;
    686 			envc++;
    687 		}
    688 	}
    689 
    690 	dp = (char *) ALIGN(dp);
    691 
    692 	szsigcode = pack.ep_esch->es_emul->e_esigcode -
    693 	    pack.ep_esch->es_emul->e_sigcode;
    694 
    695 #ifdef __MACHINE_STACK_GROWS_UP
    696 /* See big comment lower down */
    697 #define	RTLD_GAP	32
    698 #else
    699 #define	RTLD_GAP	0
    700 #endif
    701 
    702 	/* Now check if args & environ fit into new stack */
    703 	if (pack.ep_flags & EXEC_32)
    704 		len = ((argc + envc + 2 + pack.ep_esch->es_arglen) *
    705 		    sizeof(int) + sizeof(int) + dp + RTLD_GAP +
    706 		    szsigcode + sizeof(struct ps_strings) + STACK_PTHREADSPACE)
    707 		    - argp;
    708 	else
    709 		len = ((argc + envc + 2 + pack.ep_esch->es_arglen) *
    710 		    sizeof(char *) + sizeof(int) + dp + RTLD_GAP +
    711 		    szsigcode + sizeof(struct ps_strings) + STACK_PTHREADSPACE)
    712 		    - argp;
    713 
    714 #ifdef PAX_ASLR
    715 	if (pax_aslr_active(l))
    716 		len += (arc4random() % PAGE_SIZE);
    717 #endif /* PAX_ASLR */
    718 
    719 #ifdef STACKLALIGN	/* arm, etc. */
    720 	len = STACKALIGN(len);	/* make the stack "safely" aligned */
    721 #else
    722 	len = ALIGN(len);	/* make the stack "safely" aligned */
    723 #endif
    724 
    725 	if (len > pack.ep_ssize) { /* in effect, compare to initial limit */
    726 		DPRINTF(("execve: stack limit exceeded %zu\n", len));
    727 		error = ENOMEM;
    728 		goto bad;
    729 	}
    730 
    731 	/* Get rid of other LWPs. */
    732 	if (p->p_sa || p->p_nlwps > 1) {
    733 		mutex_enter(p->p_lock);
    734 		exit_lwps(l);
    735 		mutex_exit(p->p_lock);
    736 	}
    737 	KDASSERT(p->p_nlwps == 1);
    738 
    739 	/* Destroy any lwpctl info. */
    740 	if (p->p_lwpctl != NULL)
    741 		lwp_ctl_exit();
    742 
    743 	/* This is now LWP 1 */
    744 	l->l_lid = 1;
    745 	p->p_nlwpid = 1;
    746 
    747 #ifdef KERN_SA
    748 	/* Release any SA state. */
    749 	if (p->p_sa)
    750 		sa_release(p);
    751 #endif /* KERN_SA */
    752 
    753 	/* Remove POSIX timers */
    754 	timers_free(p, TIMERS_POSIX);
    755 
    756 	/* adjust "active stack depth" for process VSZ */
    757 	pack.ep_ssize = len;	/* maybe should go elsewhere, but... */
    758 
    759 	/*
    760 	 * Do whatever is necessary to prepare the address space
    761 	 * for remapping.  Note that this might replace the current
    762 	 * vmspace with another!
    763 	 */
    764 	uvmspace_exec(l, pack.ep_vm_minaddr, pack.ep_vm_maxaddr);
    765 
    766 	/* record proc's vnode, for use by procfs and others */
    767         if (p->p_textvp)
    768                 vrele(p->p_textvp);
    769 	VREF(pack.ep_vp);
    770 	p->p_textvp = pack.ep_vp;
    771 
    772 	/* Now map address space */
    773 	vm = p->p_vmspace;
    774 	vm->vm_taddr = (void *)pack.ep_taddr;
    775 	vm->vm_tsize = btoc(pack.ep_tsize);
    776 	vm->vm_daddr = (void*)pack.ep_daddr;
    777 	vm->vm_dsize = btoc(pack.ep_dsize);
    778 	vm->vm_ssize = btoc(pack.ep_ssize);
    779 	vm->vm_issize = 0;
    780 	vm->vm_maxsaddr = (void *)pack.ep_maxsaddr;
    781 	vm->vm_minsaddr = (void *)pack.ep_minsaddr;
    782 
    783 #ifdef PAX_ASLR
    784 	pax_aslr_init(l, vm);
    785 #endif /* PAX_ASLR */
    786 
    787 	/* create the new process's VM space by running the vmcmds */
    788 #ifdef DIAGNOSTIC
    789 	if (pack.ep_vmcmds.evs_used == 0)
    790 		panic("execve: no vmcmds");
    791 #endif
    792 	for (i = 0; i < pack.ep_vmcmds.evs_used && !error; i++) {
    793 		struct exec_vmcmd *vcp;
    794 
    795 		vcp = &pack.ep_vmcmds.evs_cmds[i];
    796 		if (vcp->ev_flags & VMCMD_RELATIVE) {
    797 #ifdef DIAGNOSTIC
    798 			if (base_vcp == NULL)
    799 				panic("execve: relative vmcmd with no base");
    800 			if (vcp->ev_flags & VMCMD_BASE)
    801 				panic("execve: illegal base & relative vmcmd");
    802 #endif
    803 			vcp->ev_addr += base_vcp->ev_addr;
    804 		}
    805 		error = (*vcp->ev_proc)(l, vcp);
    806 #ifdef DEBUG_EXEC
    807 		if (error) {
    808 			size_t j;
    809 			struct exec_vmcmd *vp = &pack.ep_vmcmds.evs_cmds[0];
    810 			for (j = 0; j <= i; j++)
    811 				uprintf(
    812 			"vmcmd[%zu] = %#lx/%#lx fd@%#lx prot=0%o flags=%d\n",
    813 				    j, vp[j].ev_addr, vp[j].ev_len,
    814 				    vp[j].ev_offset, vp[j].ev_prot,
    815 				    vp[j].ev_flags);
    816 		}
    817 #endif /* DEBUG_EXEC */
    818 		if (vcp->ev_flags & VMCMD_BASE)
    819 			base_vcp = vcp;
    820 	}
    821 
    822 	/* free the vmspace-creation commands, and release their references */
    823 	kill_vmcmds(&pack.ep_vmcmds);
    824 
    825 	vn_lock(pack.ep_vp, LK_EXCLUSIVE | LK_RETRY);
    826 	VOP_CLOSE(pack.ep_vp, FREAD, l->l_cred);
    827 	vput(pack.ep_vp);
    828 
    829 	/* if an error happened, deallocate and punt */
    830 	if (error) {
    831 		DPRINTF(("execve: vmcmd %zu failed: %d\n", i - 1, error));
    832 		goto exec_abort;
    833 	}
    834 
    835 	/* remember information about the process */
    836 	arginfo.ps_nargvstr = argc;
    837 	arginfo.ps_nenvstr = envc;
    838 
    839 	/* set command name & other accounting info */
    840 	i = min(nid.ni_cnd.cn_namelen, MAXCOMLEN);
    841 	(void)memcpy(p->p_comm, nid.ni_cnd.cn_nameptr, i);
    842 	p->p_comm[i] = '\0';
    843 
    844 	dp = PNBUF_GET();
    845 	/*
    846 	 * If the path starts with /, we don't need to do any work.
    847 	 * This handles the majority of the cases.
    848 	 * In the future perhaps we could canonicalize it?
    849 	 */
    850 	if (pathbuf[0] == '/')
    851 		(void)strlcpy(pack.ep_path = dp, pathbuf, MAXPATHLEN);
    852 #ifdef notyet
    853 	/*
    854 	 * Although this works most of the time [since the entry was just
    855 	 * entered in the cache] we don't use it because it theoretically
    856 	 * can fail and it is not the cleanest interface, because there
    857 	 * could be races. When the namei cache is re-written, this can
    858 	 * be changed to use the appropriate function.
    859 	 */
    860 	else if (!(error = vnode_to_path(dp, MAXPATHLEN, p->p_textvp, l, p)))
    861 		pack.ep_path = dp;
    862 #endif
    863 	else {
    864 #ifdef notyet
    865 		printf("Cannot get path for pid %d [%s] (error %d)",
    866 		    (int)p->p_pid, p->p_comm, error);
    867 #endif
    868 		pack.ep_path = NULL;
    869 		PNBUF_PUT(dp);
    870 	}
    871 
    872 	stack = (char *)STACK_ALLOC(STACK_GROW(vm->vm_minsaddr,
    873 		STACK_PTHREADSPACE + sizeof(struct ps_strings) + szsigcode),
    874 		len - (sizeof(struct ps_strings) + szsigcode));
    875 
    876 #ifdef __MACHINE_STACK_GROWS_UP
    877 	/*
    878 	 * The copyargs call always copies into lower addresses
    879 	 * first, moving towards higher addresses, starting with
    880 	 * the stack pointer that we give.  When the stack grows
    881 	 * down, this puts argc/argv/envp very shallow on the
    882 	 * stack, right at the first user stack pointer.
    883 	 * When the stack grows up, the situation is reversed.
    884 	 *
    885 	 * Normally, this is no big deal.  But the ld_elf.so _rtld()
    886 	 * function expects to be called with a single pointer to
    887 	 * a region that has a few words it can stash values into,
    888 	 * followed by argc/argv/envp.  When the stack grows down,
    889 	 * it's easy to decrement the stack pointer a little bit to
    890 	 * allocate the space for these few words and pass the new
    891 	 * stack pointer to _rtld.  When the stack grows up, however,
    892 	 * a few words before argc is part of the signal trampoline, XXX
    893 	 * so we have a problem.
    894 	 *
    895 	 * Instead of changing how _rtld works, we take the easy way
    896 	 * out and steal 32 bytes before we call copyargs.
    897 	 * This extra space was allowed for when 'len' was calculated.
    898 	 */
    899 	stack += RTLD_GAP;
    900 #endif /* __MACHINE_STACK_GROWS_UP */
    901 
    902 	/* Now copy argc, args & environ to new stack */
    903 	error = (*pack.ep_esch->es_copyargs)(l, &pack, &arginfo, &stack, argp);
    904 	if (pack.ep_path) {
    905 		PNBUF_PUT(pack.ep_path);
    906 		pack.ep_path = NULL;
    907 	}
    908 	if (error) {
    909 		DPRINTF(("execve: copyargs failed %d\n", error));
    910 		goto exec_abort;
    911 	}
    912 	/* Move the stack back to original point */
    913 	stack = (char *)STACK_GROW(vm->vm_minsaddr, len);
    914 
    915 	/* fill process ps_strings info */
    916 	p->p_psstr = (struct ps_strings *)
    917 	    STACK_ALLOC(STACK_GROW(vm->vm_minsaddr, STACK_PTHREADSPACE),
    918 	    sizeof(struct ps_strings));
    919 	p->p_psargv = offsetof(struct ps_strings, ps_argvstr);
    920 	p->p_psnargv = offsetof(struct ps_strings, ps_nargvstr);
    921 	p->p_psenv = offsetof(struct ps_strings, ps_envstr);
    922 	p->p_psnenv = offsetof(struct ps_strings, ps_nenvstr);
    923 
    924 	/* copy out the process's ps_strings structure */
    925 	if ((error = copyout(aip, (char *)p->p_psstr,
    926 	    sizeof(arginfo))) != 0) {
    927 		DPRINTF(("execve: ps_strings copyout %p->%p size %ld failed\n",
    928 		       aip, (char *)p->p_psstr, (long)sizeof(arginfo)));
    929 		goto exec_abort;
    930 	}
    931 
    932 	fd_closeexec();		/* handle close on exec */
    933 	execsigs(p);		/* reset catched signals */
    934 
    935 	l->l_ctxlink = NULL;	/* reset ucontext link */
    936 
    937 
    938 	p->p_acflag &= ~AFORK;
    939 	mutex_enter(p->p_lock);
    940 	p->p_flag |= PK_EXEC;
    941 	mutex_exit(p->p_lock);
    942 
    943 	/*
    944 	 * Stop profiling.
    945 	 */
    946 	if ((p->p_stflag & PST_PROFIL) != 0) {
    947 		mutex_spin_enter(&p->p_stmutex);
    948 		stopprofclock(p);
    949 		mutex_spin_exit(&p->p_stmutex);
    950 	}
    951 
    952 	/*
    953 	 * It's OK to test PL_PPWAIT unlocked here, as other LWPs have
    954 	 * exited and exec()/exit() are the only places it will be cleared.
    955 	 */
    956 	if ((p->p_lflag & PL_PPWAIT) != 0) {
    957 		mutex_enter(proc_lock);
    958 		p->p_lflag &= ~PL_PPWAIT;
    959 		cv_broadcast(&p->p_pptr->p_waitcv);
    960 		mutex_exit(proc_lock);
    961 	}
    962 
    963 	/*
    964 	 * Deal with set[ug]id.  MNT_NOSUID has already been used to disable
    965 	 * s[ug]id.  It's OK to check for PSL_TRACED here as we have blocked
    966 	 * out additional references on the process for the moment.
    967 	 */
    968 	if ((p->p_slflag & PSL_TRACED) == 0 &&
    969 
    970 	    (((attr.va_mode & S_ISUID) != 0 &&
    971 	      kauth_cred_geteuid(l->l_cred) != attr.va_uid) ||
    972 
    973 	     ((attr.va_mode & S_ISGID) != 0 &&
    974 	      kauth_cred_getegid(l->l_cred) != attr.va_gid))) {
    975 		/*
    976 		 * Mark the process as SUGID before we do
    977 		 * anything that might block.
    978 		 */
    979 		proc_crmod_enter();
    980 		proc_crmod_leave(NULL, NULL, true);
    981 
    982 		/* Make sure file descriptors 0..2 are in use. */
    983 		if ((error = fd_checkstd()) != 0) {
    984 			DPRINTF(("execve: fdcheckstd failed %d\n", error));
    985 			goto exec_abort;
    986 		}
    987 
    988 		/*
    989 		 * Copy the credential so other references don't see our
    990 		 * changes.
    991 		 */
    992 		l->l_cred = kauth_cred_copy(l->l_cred);
    993 #ifdef KTRACE
    994 		/*
    995 		 * If the persistent trace flag isn't set, turn off.
    996 		 */
    997 		if (p->p_tracep) {
    998 			mutex_enter(&ktrace_lock);
    999 			if (!(p->p_traceflag & KTRFAC_PERSISTENT))
   1000 				ktrderef(p);
   1001 			mutex_exit(&ktrace_lock);
   1002 		}
   1003 #endif
   1004 		if (attr.va_mode & S_ISUID)
   1005 			kauth_cred_seteuid(l->l_cred, attr.va_uid);
   1006 		if (attr.va_mode & S_ISGID)
   1007 			kauth_cred_setegid(l->l_cred, attr.va_gid);
   1008 	} else {
   1009 		if (kauth_cred_geteuid(l->l_cred) ==
   1010 		    kauth_cred_getuid(l->l_cred) &&
   1011 		    kauth_cred_getegid(l->l_cred) ==
   1012 		    kauth_cred_getgid(l->l_cred))
   1013 			p->p_flag &= ~PK_SUGID;
   1014 	}
   1015 
   1016 	/*
   1017 	 * Copy the credential so other references don't see our changes.
   1018 	 * Test to see if this is necessary first, since in the common case
   1019 	 * we won't need a private reference.
   1020 	 */
   1021 	if (kauth_cred_geteuid(l->l_cred) != kauth_cred_getsvuid(l->l_cred) ||
   1022 	    kauth_cred_getegid(l->l_cred) != kauth_cred_getsvgid(l->l_cred)) {
   1023 		l->l_cred = kauth_cred_copy(l->l_cred);
   1024 		kauth_cred_setsvuid(l->l_cred, kauth_cred_geteuid(l->l_cred));
   1025 		kauth_cred_setsvgid(l->l_cred, kauth_cred_getegid(l->l_cred));
   1026 	}
   1027 
   1028 	/* Update the master credentials. */
   1029 	if (l->l_cred != p->p_cred) {
   1030 		kauth_cred_t ocred;
   1031 
   1032 		kauth_cred_hold(l->l_cred);
   1033 		mutex_enter(p->p_lock);
   1034 		ocred = p->p_cred;
   1035 		p->p_cred = l->l_cred;
   1036 		mutex_exit(p->p_lock);
   1037 		kauth_cred_free(ocred);
   1038 	}
   1039 
   1040 #if defined(__HAVE_RAS)
   1041 	/*
   1042 	 * Remove all RASs from the address space.
   1043 	 */
   1044 	ras_purgeall();
   1045 #endif
   1046 
   1047 	doexechooks(p);
   1048 
   1049 	/* setup new registers and do misc. setup. */
   1050 	(*pack.ep_esch->es_emul->e_setregs)(l, &pack, (u_long) stack);
   1051 	if (pack.ep_esch->es_setregs)
   1052 		(*pack.ep_esch->es_setregs)(l, &pack, (u_long) stack);
   1053 
   1054 	/* map the process's signal trampoline code */
   1055 	if (exec_sigcode_map(p, pack.ep_esch->es_emul)) {
   1056 		DPRINTF(("execve: map sigcode failed %d\n", error));
   1057 		goto exec_abort;
   1058 	}
   1059 
   1060 	pool_put(&exec_pool, argp);
   1061 
   1062 	PNBUF_PUT(nid.ni_cnd.cn_pnbuf);
   1063 
   1064 	/* notify others that we exec'd */
   1065 	KNOTE(&p->p_klist, NOTE_EXEC);
   1066 
   1067 	kmem_free(pack.ep_hdr, pack.ep_hdrlen);
   1068 
   1069 	/* The emulation root will usually have been found when we looked
   1070 	 * for the elf interpreter (or similar), if not look now. */
   1071 	if (pack.ep_esch->es_emul->e_path != NULL && pack.ep_emul_root == NULL)
   1072 		emul_find_root(l, &pack);
   1073 
   1074 	/* Any old emulation root got removed by fdcloseexec */
   1075 	rw_enter(&p->p_cwdi->cwdi_lock, RW_WRITER);
   1076 	p->p_cwdi->cwdi_edir = pack.ep_emul_root;
   1077 	rw_exit(&p->p_cwdi->cwdi_lock);
   1078 	pack.ep_emul_root = NULL;
   1079 	if (pack.ep_interp != NULL)
   1080 		vrele(pack.ep_interp);
   1081 
   1082 	/*
   1083 	 * Call emulation specific exec hook. This can setup per-process
   1084 	 * p->p_emuldata or do any other per-process stuff an emulation needs.
   1085 	 *
   1086 	 * If we are executing process of different emulation than the
   1087 	 * original forked process, call e_proc_exit() of the old emulation
   1088 	 * first, then e_proc_exec() of new emulation. If the emulation is
   1089 	 * same, the exec hook code should deallocate any old emulation
   1090 	 * resources held previously by this process.
   1091 	 */
   1092 	if (p->p_emul && p->p_emul->e_proc_exit
   1093 	    && p->p_emul != pack.ep_esch->es_emul)
   1094 		(*p->p_emul->e_proc_exit)(p);
   1095 
   1096 	/*
   1097 	 * Call exec hook. Emulation code may NOT store reference to anything
   1098 	 * from &pack.
   1099 	 */
   1100         if (pack.ep_esch->es_emul->e_proc_exec)
   1101                 (*pack.ep_esch->es_emul->e_proc_exec)(p, &pack);
   1102 
   1103 	/* update p_emul, the old value is no longer needed */
   1104 	p->p_emul = pack.ep_esch->es_emul;
   1105 
   1106 	/* ...and the same for p_execsw */
   1107 	p->p_execsw = pack.ep_esch;
   1108 
   1109 #ifdef __HAVE_SYSCALL_INTERN
   1110 	(*p->p_emul->e_syscall_intern)(p);
   1111 #endif
   1112 	ktremul();
   1113 
   1114 	/* Allow new references from the debugger/procfs. */
   1115 	rw_exit(&p->p_reflock);
   1116 	rw_exit(&exec_lock);
   1117 
   1118 	mutex_enter(proc_lock);
   1119 
   1120 	if ((p->p_slflag & (PSL_TRACED|PSL_SYSCALL)) == PSL_TRACED) {
   1121 		KSI_INIT_EMPTY(&ksi);
   1122 		ksi.ksi_signo = SIGTRAP;
   1123 		ksi.ksi_lid = l->l_lid;
   1124 		kpsignal(p, &ksi, NULL);
   1125 	}
   1126 
   1127 	if (p->p_sflag & PS_STOPEXEC) {
   1128 		KERNEL_UNLOCK_ALL(l, &l->l_biglocks);
   1129 		p->p_pptr->p_nstopchild++;
   1130 		p->p_pptr->p_waited = 0;
   1131 		mutex_enter(p->p_lock);
   1132 		ksiginfo_queue_init(&kq);
   1133 		sigclearall(p, &contsigmask, &kq);
   1134 		lwp_lock(l);
   1135 		l->l_stat = LSSTOP;
   1136 		p->p_stat = SSTOP;
   1137 		p->p_nrlwps--;
   1138 		mutex_exit(p->p_lock);
   1139 		mutex_exit(proc_lock);
   1140 		mi_switch(l);
   1141 		ksiginfo_queue_drain(&kq);
   1142 		KERNEL_LOCK(l->l_biglocks, l);
   1143 	} else {
   1144 		mutex_exit(proc_lock);
   1145 	}
   1146 
   1147 	PNBUF_PUT(pathbuf);
   1148 	return (EJUSTRETURN);
   1149 
   1150  bad:
   1151 	/* free the vmspace-creation commands, and release their references */
   1152 	kill_vmcmds(&pack.ep_vmcmds);
   1153 	/* kill any opened file descriptor, if necessary */
   1154 	if (pack.ep_flags & EXEC_HASFD) {
   1155 		pack.ep_flags &= ~EXEC_HASFD;
   1156 		fd_close(pack.ep_fd);
   1157 	}
   1158 	/* close and put the exec'd file */
   1159 	vn_lock(pack.ep_vp, LK_EXCLUSIVE | LK_RETRY);
   1160 	VOP_CLOSE(pack.ep_vp, FREAD, l->l_cred);
   1161 	vput(pack.ep_vp);
   1162 	PNBUF_PUT(nid.ni_cnd.cn_pnbuf);
   1163 	pool_put(&exec_pool, argp);
   1164 
   1165  freehdr:
   1166 	kmem_free(pack.ep_hdr, pack.ep_hdrlen);
   1167 	if (pack.ep_emul_root != NULL)
   1168 		vrele(pack.ep_emul_root);
   1169 	if (pack.ep_interp != NULL)
   1170 		vrele(pack.ep_interp);
   1171 
   1172 	rw_exit(&exec_lock);
   1173 
   1174  clrflg:
   1175 	lwp_lock(l);
   1176 	l->l_flag |= oldlwpflags;
   1177 	lwp_unlock(l);
   1178 	PNBUF_PUT(pathbuf);
   1179 	rw_exit(&p->p_reflock);
   1180 
   1181 	if (modgen != module_gen && error == ENOEXEC) {
   1182 		modgen = module_gen;
   1183 		exec_autoload();
   1184 		goto retry;
   1185 	}
   1186 
   1187 	return error;
   1188 
   1189  exec_abort:
   1190 	PNBUF_PUT(pathbuf);
   1191 	rw_exit(&p->p_reflock);
   1192 	rw_exit(&exec_lock);
   1193 
   1194 	/*
   1195 	 * the old process doesn't exist anymore.  exit gracefully.
   1196 	 * get rid of the (new) address space we have created, if any, get rid
   1197 	 * of our namei data and vnode, and exit noting failure
   1198 	 */
   1199 	uvm_deallocate(&vm->vm_map, VM_MIN_ADDRESS,
   1200 		VM_MAXUSER_ADDRESS - VM_MIN_ADDRESS);
   1201 	if (pack.ep_emul_arg)
   1202 		free(pack.ep_emul_arg, M_TEMP);
   1203 	PNBUF_PUT(nid.ni_cnd.cn_pnbuf);
   1204 	pool_put(&exec_pool, argp);
   1205 	kmem_free(pack.ep_hdr, pack.ep_hdrlen);
   1206 	if (pack.ep_emul_root != NULL)
   1207 		vrele(pack.ep_emul_root);
   1208 	if (pack.ep_interp != NULL)
   1209 		vrele(pack.ep_interp);
   1210 
   1211 	/* Acquire the sched-state mutex (exit1() will release it). */
   1212 	mutex_enter(p->p_lock);
   1213 	exit1(l, W_EXITCODE(error, SIGABRT));
   1214 
   1215 	/* NOTREACHED */
   1216 	return 0;
   1217 }
   1218 
   1219 
   1220 int
   1221 copyargs(struct lwp *l, struct exec_package *pack, struct ps_strings *arginfo,
   1222     char **stackp, void *argp)
   1223 {
   1224 	char	**cpp, *dp, *sp;
   1225 	size_t	len;
   1226 	void	*nullp;
   1227 	long	argc, envc;
   1228 	int	error;
   1229 
   1230 	cpp = (char **)*stackp;
   1231 	nullp = NULL;
   1232 	argc = arginfo->ps_nargvstr;
   1233 	envc = arginfo->ps_nenvstr;
   1234 	if ((error = copyout(&argc, cpp++, sizeof(argc))) != 0)
   1235 		return error;
   1236 
   1237 	dp = (char *) (cpp + argc + envc + 2 + pack->ep_esch->es_arglen);
   1238 	sp = argp;
   1239 
   1240 	/* XXX don't copy them out, remap them! */
   1241 	arginfo->ps_argvstr = cpp; /* remember location of argv for later */
   1242 
   1243 	for (; --argc >= 0; sp += len, dp += len)
   1244 		if ((error = copyout(&dp, cpp++, sizeof(dp))) != 0 ||
   1245 		    (error = copyoutstr(sp, dp, ARG_MAX, &len)) != 0)
   1246 			return error;
   1247 
   1248 	if ((error = copyout(&nullp, cpp++, sizeof(nullp))) != 0)
   1249 		return error;
   1250 
   1251 	arginfo->ps_envstr = cpp; /* remember location of envp for later */
   1252 
   1253 	for (; --envc >= 0; sp += len, dp += len)
   1254 		if ((error = copyout(&dp, cpp++, sizeof(dp))) != 0 ||
   1255 		    (error = copyoutstr(sp, dp, ARG_MAX, &len)) != 0)
   1256 			return error;
   1257 
   1258 	if ((error = copyout(&nullp, cpp++, sizeof(nullp))) != 0)
   1259 		return error;
   1260 
   1261 	*stackp = (char *)cpp;
   1262 	return 0;
   1263 }
   1264 
   1265 
   1266 /*
   1267  * Add execsw[] entries.
   1268  */
   1269 int
   1270 exec_add(struct execsw *esp, int count)
   1271 {
   1272 	struct exec_entry	*it;
   1273 	int			i;
   1274 
   1275 	if (count == 0) {
   1276 		return 0;
   1277 	}
   1278 
   1279 	/* Check for duplicates. */
   1280 	rw_enter(&exec_lock, RW_WRITER);
   1281 	for (i = 0; i < count; i++) {
   1282 		LIST_FOREACH(it, &ex_head, ex_list) {
   1283 			/* assume unique (makecmds, probe_func, emulation) */
   1284 			if (it->ex_sw->es_makecmds == esp[i].es_makecmds &&
   1285 			    it->ex_sw->u.elf_probe_func ==
   1286 			    esp[i].u.elf_probe_func &&
   1287 			    it->ex_sw->es_emul == esp[i].es_emul) {
   1288 				rw_exit(&exec_lock);
   1289 				return EEXIST;
   1290 			}
   1291 		}
   1292 	}
   1293 
   1294 	/* Allocate new entries. */
   1295 	for (i = 0; i < count; i++) {
   1296 		it = kmem_alloc(sizeof(*it), KM_SLEEP);
   1297 		it->ex_sw = &esp[i];
   1298 		LIST_INSERT_HEAD(&ex_head, it, ex_list);
   1299 	}
   1300 
   1301 	/* update execsw[] */
   1302 	exec_init(0);
   1303 	rw_exit(&exec_lock);
   1304 	return 0;
   1305 }
   1306 
   1307 /*
   1308  * Remove execsw[] entry.
   1309  */
   1310 int
   1311 exec_remove(struct execsw *esp, int count)
   1312 {
   1313 	struct exec_entry	*it, *next;
   1314 	int			i;
   1315 	const struct proclist_desc *pd;
   1316 	proc_t			*p;
   1317 
   1318 	if (count == 0) {
   1319 		return 0;
   1320 	}
   1321 
   1322 	/* Abort if any are busy. */
   1323 	rw_enter(&exec_lock, RW_WRITER);
   1324 	for (i = 0; i < count; i++) {
   1325 		mutex_enter(proc_lock);
   1326 		for (pd = proclists; pd->pd_list != NULL; pd++) {
   1327 			PROCLIST_FOREACH(p, pd->pd_list) {
   1328 				if (p->p_execsw == &esp[i]) {
   1329 					mutex_exit(proc_lock);
   1330 					rw_exit(&exec_lock);
   1331 					return EBUSY;
   1332 				}
   1333 			}
   1334 		}
   1335 		mutex_exit(proc_lock);
   1336 	}
   1337 
   1338 	/* None are busy, so remove them all. */
   1339 	for (i = 0; i < count; i++) {
   1340 		for (it = LIST_FIRST(&ex_head); it != NULL; it = next) {
   1341 			next = LIST_NEXT(it, ex_list);
   1342 			if (it->ex_sw == &esp[i]) {
   1343 				LIST_REMOVE(it, ex_list);
   1344 				kmem_free(it, sizeof(*it));
   1345 				break;
   1346 			}
   1347 		}
   1348 	}
   1349 
   1350 	/* update execsw[] */
   1351 	exec_init(0);
   1352 	rw_exit(&exec_lock);
   1353 	return 0;
   1354 }
   1355 
   1356 /*
   1357  * Initialize exec structures. If init_boot is true, also does necessary
   1358  * one-time initialization (it's called from main() that way).
   1359  * Once system is multiuser, this should be called with exec_lock held,
   1360  * i.e. via exec_{add|remove}().
   1361  */
   1362 int
   1363 exec_init(int init_boot)
   1364 {
   1365 	const struct execsw 	**sw;
   1366 	struct exec_entry	*ex;
   1367 	SLIST_HEAD(,exec_entry)	first;
   1368 	SLIST_HEAD(,exec_entry)	any;
   1369 	SLIST_HEAD(,exec_entry)	last;
   1370 	int			i, sz;
   1371 
   1372 	if (init_boot) {
   1373 		/* do one-time initializations */
   1374 		rw_init(&exec_lock);
   1375 		mutex_init(&sigobject_lock, MUTEX_DEFAULT, IPL_NONE);
   1376 		pool_init(&exec_pool, NCARGS, 0, 0, PR_NOALIGN|PR_NOTOUCH,
   1377 		    "execargs", &exec_palloc, IPL_NONE);
   1378 		pool_sethardlimit(&exec_pool, maxexec, "should not happen", 0);
   1379 	} else {
   1380 		KASSERT(rw_write_held(&exec_lock));
   1381 	}
   1382 
   1383 	/* Sort each entry onto the appropriate queue. */
   1384 	SLIST_INIT(&first);
   1385 	SLIST_INIT(&any);
   1386 	SLIST_INIT(&last);
   1387 	sz = 0;
   1388 	LIST_FOREACH(ex, &ex_head, ex_list) {
   1389 		switch(ex->ex_sw->es_prio) {
   1390 		case EXECSW_PRIO_FIRST:
   1391 			SLIST_INSERT_HEAD(&first, ex, ex_slist);
   1392 			break;
   1393 		case EXECSW_PRIO_ANY:
   1394 			SLIST_INSERT_HEAD(&any, ex, ex_slist);
   1395 			break;
   1396 		case EXECSW_PRIO_LAST:
   1397 			SLIST_INSERT_HEAD(&last, ex, ex_slist);
   1398 			break;
   1399 		default:
   1400 			panic("exec_init");
   1401 			break;
   1402 		}
   1403 		sz++;
   1404 	}
   1405 
   1406 	/*
   1407 	 * Create new execsw[].  Ensure we do not try a zero-sized
   1408 	 * allocation.
   1409 	 */
   1410 	sw = kmem_alloc(sz * sizeof(struct execsw *) + 1, KM_SLEEP);
   1411 	i = 0;
   1412 	SLIST_FOREACH(ex, &first, ex_slist) {
   1413 		sw[i++] = ex->ex_sw;
   1414 	}
   1415 	SLIST_FOREACH(ex, &any, ex_slist) {
   1416 		sw[i++] = ex->ex_sw;
   1417 	}
   1418 	SLIST_FOREACH(ex, &last, ex_slist) {
   1419 		sw[i++] = ex->ex_sw;
   1420 	}
   1421 
   1422 	/* Replace old execsw[] and free used memory. */
   1423 	if (execsw != NULL) {
   1424 		kmem_free(__UNCONST(execsw),
   1425 		    nexecs * sizeof(struct execsw *) + 1);
   1426 	}
   1427 	execsw = sw;
   1428 	nexecs = sz;
   1429 
   1430 	/* Figure out the maximum size of an exec header. */
   1431 	exec_maxhdrsz = sizeof(int);
   1432 	for (i = 0; i < nexecs; i++) {
   1433 		if (execsw[i]->es_hdrsz > exec_maxhdrsz)
   1434 			exec_maxhdrsz = execsw[i]->es_hdrsz;
   1435 	}
   1436 
   1437 	return 0;
   1438 }
   1439 
   1440 static int
   1441 exec_sigcode_map(struct proc *p, const struct emul *e)
   1442 {
   1443 	vaddr_t va;
   1444 	vsize_t sz;
   1445 	int error;
   1446 	struct uvm_object *uobj;
   1447 
   1448 	sz = (vaddr_t)e->e_esigcode - (vaddr_t)e->e_sigcode;
   1449 
   1450 	if (e->e_sigobject == NULL || sz == 0) {
   1451 		return 0;
   1452 	}
   1453 
   1454 	/*
   1455 	 * If we don't have a sigobject for this emulation, create one.
   1456 	 *
   1457 	 * sigobject is an anonymous memory object (just like SYSV shared
   1458 	 * memory) that we keep a permanent reference to and that we map
   1459 	 * in all processes that need this sigcode. The creation is simple,
   1460 	 * we create an object, add a permanent reference to it, map it in
   1461 	 * kernel space, copy out the sigcode to it and unmap it.
   1462 	 * We map it with PROT_READ|PROT_EXEC into the process just
   1463 	 * the way sys_mmap() would map it.
   1464 	 */
   1465 
   1466 	uobj = *e->e_sigobject;
   1467 	if (uobj == NULL) {
   1468 		mutex_enter(&sigobject_lock);
   1469 		if ((uobj = *e->e_sigobject) == NULL) {
   1470 			uobj = uao_create(sz, 0);
   1471 			(*uobj->pgops->pgo_reference)(uobj);
   1472 			va = vm_map_min(kernel_map);
   1473 			if ((error = uvm_map(kernel_map, &va, round_page(sz),
   1474 			    uobj, 0, 0,
   1475 			    UVM_MAPFLAG(UVM_PROT_RW, UVM_PROT_RW,
   1476 			    UVM_INH_SHARE, UVM_ADV_RANDOM, 0)))) {
   1477 				printf("kernel mapping failed %d\n", error);
   1478 				(*uobj->pgops->pgo_detach)(uobj);
   1479 				mutex_exit(&sigobject_lock);
   1480 				return (error);
   1481 			}
   1482 			memcpy((void *)va, e->e_sigcode, sz);
   1483 #ifdef PMAP_NEED_PROCWR
   1484 			pmap_procwr(&proc0, va, sz);
   1485 #endif
   1486 			uvm_unmap(kernel_map, va, va + round_page(sz));
   1487 			*e->e_sigobject = uobj;
   1488 		}
   1489 		mutex_exit(&sigobject_lock);
   1490 	}
   1491 
   1492 	/* Just a hint to uvm_map where to put it. */
   1493 	va = e->e_vm_default_addr(p, (vaddr_t)p->p_vmspace->vm_daddr,
   1494 	    round_page(sz));
   1495 
   1496 #ifdef __alpha__
   1497 	/*
   1498 	 * Tru64 puts /sbin/loader at the end of user virtual memory,
   1499 	 * which causes the above calculation to put the sigcode at
   1500 	 * an invalid address.  Put it just below the text instead.
   1501 	 */
   1502 	if (va == (vaddr_t)vm_map_max(&p->p_vmspace->vm_map)) {
   1503 		va = (vaddr_t)p->p_vmspace->vm_taddr - round_page(sz);
   1504 	}
   1505 #endif
   1506 
   1507 	(*uobj->pgops->pgo_reference)(uobj);
   1508 	error = uvm_map(&p->p_vmspace->vm_map, &va, round_page(sz),
   1509 			uobj, 0, 0,
   1510 			UVM_MAPFLAG(UVM_PROT_RX, UVM_PROT_RX, UVM_INH_SHARE,
   1511 				    UVM_ADV_RANDOM, 0));
   1512 	if (error) {
   1513 		(*uobj->pgops->pgo_detach)(uobj);
   1514 		return (error);
   1515 	}
   1516 	p->p_sigctx.ps_sigcode = (void *)va;
   1517 	return (0);
   1518 }
   1519