1
/*-
2
 * SPDX-License-Identifier: BSD-3-Clause
3
 *
4
 * Copyright (c) 1982, 1986, 1989, 1991, 1993
5
 *	The Regents of the University of California.  All rights reserved.
6
 * (c) UNIX System Laboratories, Inc.
7
 * All or some portions of this file are derived from material licensed
8
 * to the University of California by American Telephone and Telegraph
9
 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
10
 * the permission of UNIX System Laboratories, Inc.
11
 *
12
 * Redistribution and use in source and binary forms, with or without
13
 * modification, are permitted provided that the following conditions
14
 * are met:
15
 * 1. Redistributions of source code must retain the above copyright
16
 *    notice, this list of conditions and the following disclaimer.
17
 * 2. Redistributions in binary form must reproduce the above copyright
18
 *    notice, this list of conditions and the following disclaimer in the
19
 *    documentation and/or other materials provided with the distribution.
20
 * 3. Neither the name of the University nor the names of its contributors
21
 *    may be used to endorse or promote products derived from this software
22
 *    without specific prior written permission.
23
 *
24
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
25
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
28
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34
 * SUCH DAMAGE.
35
 */
36

37
#include <sys/cdefs.h>
38
#include "opt_ktrace.h"
39
#include "opt_kstack_pages.h"
40

41
#include <sys/param.h>
42
#include <sys/systm.h>
43
#include <sys/bitstring.h>
44
#include <sys/sysproto.h>
45
#include <sys/eventhandler.h>
46
#include <sys/fcntl.h>
47
#include <sys/filedesc.h>
48
#include <sys/jail.h>
49
#include <sys/kernel.h>
50
#include <sys/kthread.h>
51
#include <sys/sysctl.h>
52
#include <sys/lock.h>
53
#include <sys/malloc.h>
54
#include <sys/msan.h>
55
#include <sys/mutex.h>
56
#include <sys/priv.h>
57
#include <sys/proc.h>
58
#include <sys/procdesc.h>
59
#include <sys/ptrace.h>
60
#include <sys/racct.h>
61
#include <sys/resourcevar.h>
62
#include <sys/sched.h>
63
#include <sys/syscall.h>
64
#include <sys/vmmeter.h>
65
#include <sys/vnode.h>
66
#include <sys/acct.h>
67
#include <sys/ktr.h>
68
#include <sys/ktrace.h>
69
#include <sys/unistd.h>
70
#include <sys/sdt.h>
71
#include <sys/sx.h>
72
#include <sys/sysent.h>
73
#include <sys/signalvar.h>
74

75
#include <security/audit/audit.h>
76
#include <security/mac/mac_framework.h>
77

78
#include <vm/vm.h>
79
#include <vm/pmap.h>
80
#include <vm/vm_map.h>
81
#include <vm/vm_extern.h>
82
#include <vm/uma.h>
83

84
#ifdef KDTRACE_HOOKS
85
#include <sys/dtrace_bsd.h>
86
dtrace_fork_func_t	dtrace_fasttrap_fork;
87
#endif
88

89
SDT_PROVIDER_DECLARE(proc);
90
SDT_PROBE_DEFINE3(proc, , , create, "struct proc *", "struct proc *", "int");
91

92
#ifndef _SYS_SYSPROTO_H_
93
struct fork_args {
94
	int     dummy;
95
};
96
#endif
97

98
/* ARGSUSED */
99
int
100
sys_fork(struct thread *td, struct fork_args *uap)
101
{
102
	struct fork_req fr;
103
	int error, pid;
104

105
	bzero(&fr, sizeof(fr));
106
	fr.fr_flags = RFFDG | RFPROC;
107
	fr.fr_pidp = &pid;
108
	error = fork1(td, &fr);
109
	if (error == 0) {
110
		td->td_retval[0] = pid;
111
		td->td_retval[1] = 0;
112
	}
113
	return (error);
114
}
115

116
/* ARGUSED */
117
int
118
sys_pdfork(struct thread *td, struct pdfork_args *uap)
119
{
120
	struct fork_req fr;
121
	int error, fd, pid;
122

123
	bzero(&fr, sizeof(fr));
124
	fr.fr_flags = RFFDG | RFPROC | RFPROCDESC;
125
	fr.fr_pidp = &pid;
126
	fr.fr_pd_fd = &fd;
127
	fr.fr_pd_flags = uap->flags;
128
	AUDIT_ARG_FFLAGS(uap->flags);
129
	/*
130
	 * It is necessary to return fd by reference because 0 is a valid file
131
	 * descriptor number, and the child needs to be able to distinguish
132
	 * itself from the parent using the return value.
133
	 */
134
	error = fork1(td, &fr);
135
	if (error == 0) {
136
		td->td_retval[0] = pid;
137
		td->td_retval[1] = 0;
138
		error = copyout(&fd, uap->fdp, sizeof(fd));
139
	}
140
	return (error);
141
}
142

143
/* ARGSUSED */
144
int
145
sys_vfork(struct thread *td, struct vfork_args *uap)
146
{
147
	struct fork_req fr;
148
	int error, pid;
149

150
	bzero(&fr, sizeof(fr));
151
	fr.fr_flags = RFFDG | RFPROC | RFPPWAIT | RFMEM;
152
	fr.fr_pidp = &pid;
153
	error = fork1(td, &fr);
154
	if (error == 0) {
155
		td->td_retval[0] = pid;
156
		td->td_retval[1] = 0;
157
	}
158
	return (error);
159
}
160

161
int
162
sys_rfork(struct thread *td, struct rfork_args *uap)
163
{
164
	struct fork_req fr;
165
	int error, pid;
166

167
	/* Don't allow kernel-only flags. */
168
	if ((uap->flags & RFKERNELONLY) != 0)
169
		return (EINVAL);
170
	/* RFSPAWN must not appear with others */
171
	if ((uap->flags & RFSPAWN) != 0 && uap->flags != RFSPAWN)
172
		return (EINVAL);
173

174
	AUDIT_ARG_FFLAGS(uap->flags);
175
	bzero(&fr, sizeof(fr));
176
	if ((uap->flags & RFSPAWN) != 0) {
177
		fr.fr_flags = RFFDG | RFPROC | RFPPWAIT | RFMEM;
178
		fr.fr_flags2 = FR2_DROPSIG_CAUGHT;
179
	} else {
180
		fr.fr_flags = uap->flags;
181
	}
182
	fr.fr_pidp = &pid;
183
	error = fork1(td, &fr);
184
	if (error == 0) {
185
		td->td_retval[0] = pid;
186
		td->td_retval[1] = 0;
187
	}
188
	return (error);
189
}
190

191
int __exclusive_cache_line	nprocs = 1;		/* process 0 */
192
int	lastpid = 0;
193
SYSCTL_INT(_kern, OID_AUTO, lastpid, CTLFLAG_RD, &lastpid, 0,
194
    "Last used PID");
195

196
/*
197
 * Random component to lastpid generation.  We mix in a random factor to make
198
 * it a little harder to predict.  We sanity check the modulus value to avoid
199
 * doing it in critical paths.  Don't let it be too small or we pointlessly
200
 * waste randomness entropy, and don't let it be impossibly large.  Using a
201
 * modulus that is too big causes a LOT more process table scans and slows
202
 * down fork processing as the pidchecked caching is defeated.
203
 */
204
static int randompid = 0;
205

206
static int
207
sysctl_kern_randompid(SYSCTL_HANDLER_ARGS)
208
{
209
	int error, pid;
210

211
	error = sysctl_wire_old_buffer(req, sizeof(int));
212
	if (error != 0)
213
		return(error);
214
	sx_xlock(&allproc_lock);
215
	pid = randompid;
216
	error = sysctl_handle_int(oidp, &pid, 0, req);
217
	if (error == 0 && req->newptr != NULL) {
218
		if (pid == 0)
219
			randompid = 0;
220
		else if (pid == 1)
221
			/* generate a random PID modulus between 100 and 1123 */
222
			randompid = 100 + arc4random() % 1024;
223
		else if (pid < 0 || pid > pid_max - 100)
224
			/* out of range */
225
			randompid = pid_max - 100;
226
		else if (pid < 100)
227
			/* Make it reasonable */
228
			randompid = 100;
229
		else
230
			randompid = pid;
231
	}
232
	sx_xunlock(&allproc_lock);
233
	return (error);
234
}
235

236
SYSCTL_PROC(_kern, OID_AUTO, randompid,
237
    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 0,
238
    sysctl_kern_randompid, "I",
239
    "Random PID modulus. Special values: 0: disable, 1: choose random value");
240

241
extern bitstr_t proc_id_pidmap;
242
extern bitstr_t proc_id_grpidmap;
243
extern bitstr_t proc_id_sessidmap;
244
extern bitstr_t proc_id_reapmap;
245

246
/*
247
 * Find an unused process ID
248
 *
249
 * If RFHIGHPID is set (used during system boot), do not allocate
250
 * low-numbered pids.
251
 */
252
static int
253
fork_findpid(int flags)
254
{
255
	pid_t result;
256
	int trypid, random;
257

258
	/*
259
	 * Avoid calling arc4random with procid_lock held.
260
	 */
261
	random = 0;
262
	if (__predict_false(randompid))
263
		random = arc4random() % randompid;
264

265
	mtx_lock(&procid_lock);
266

267
	trypid = lastpid + 1;
268
	if (flags & RFHIGHPID) {
269
		if (trypid < 10)
270
			trypid = 10;
271
	} else {
272
		trypid += random;
273
	}
274
retry:
275
	if (trypid >= pid_max)
276
		trypid = 2;
277

278
	bit_ffc_at(&proc_id_pidmap, trypid, pid_max, &result);
279
	if (result == -1) {
280
		KASSERT(trypid != 2, ("unexpectedly ran out of IDs"));
281
		trypid = 2;
282
		goto retry;
283
	}
284
	if (bit_test(&proc_id_grpidmap, result) ||
285
	    bit_test(&proc_id_sessidmap, result) ||
286
	    bit_test(&proc_id_reapmap, result)) {
287
		trypid = result + 1;
288
		goto retry;
289
	}
290

291
	/*
292
	 * RFHIGHPID does not mess with the lastpid counter during boot.
293
	 */
294
	if ((flags & RFHIGHPID) == 0)
295
		lastpid = result;
296

297
	bit_set(&proc_id_pidmap, result);
298
	mtx_unlock(&procid_lock);
299

300
	return (result);
301
}
302

303
static int
304
fork_norfproc(struct thread *td, int flags)
305
{
306
	struct proc *p1;
307
	int error;
308

309
	KASSERT((flags & RFPROC) == 0,
310
	    ("fork_norfproc called with RFPROC set"));
311
	p1 = td->td_proc;
312

313
	/*
314
	 * Quiesce other threads if necessary.  If RFMEM is not specified we
315
	 * must ensure that other threads do not concurrently create a second
316
	 * process sharing the vmspace, see vmspace_unshare().
317
	 */
318
	if ((p1->p_flag & (P_HADTHREADS | P_SYSTEM)) == P_HADTHREADS &&
319
	    ((flags & (RFCFDG | RFFDG)) != 0 || (flags & RFMEM) == 0)) {
320
		PROC_LOCK(p1);
321
		if (thread_single(p1, SINGLE_BOUNDARY)) {
322
			PROC_UNLOCK(p1);
323
			return (ERESTART);
324
		}
325
		PROC_UNLOCK(p1);
326
	}
327

328
	error = vm_forkproc(td, NULL, NULL, NULL, flags);
329
	if (error != 0)
330
		goto fail;
331

332
	/*
333
	 * Close all file descriptors.
334
	 */
335
	if ((flags & RFCFDG) != 0) {
336
		struct filedesc *fdtmp;
337
		struct pwddesc *pdtmp;
338

339
		pdtmp = pdinit(td->td_proc->p_pd, false);
340
		fdtmp = fdinit();
341
		pdescfree(td);
342
		fdescfree(td);
343
		p1->p_fd = fdtmp;
344
		p1->p_pd = pdtmp;
345
	}
346

347
	/*
348
	 * Unshare file descriptors (from parent).
349
	 */
350
	if ((flags & RFFDG) != 0) {
351
		fdunshare(td);
352
		pdunshare(td);
353
	}
354

355
fail:
356
	if ((p1->p_flag & (P_HADTHREADS | P_SYSTEM)) == P_HADTHREADS &&
357
	    ((flags & (RFCFDG | RFFDG)) != 0 || (flags & RFMEM) == 0)) {
358
		PROC_LOCK(p1);
359
		thread_single_end(p1, SINGLE_BOUNDARY);
360
		PROC_UNLOCK(p1);
361
	}
362
	return (error);
363
}
364

365
static void
366
do_fork(struct thread *td, struct fork_req *fr, struct proc *p2, struct thread *td2,
367
    struct vmspace *vm2, struct file *fp_procdesc)
368
{
369
	struct proc *p1, *pptr;
370
	struct filedesc *fd;
371
	struct filedesc_to_leader *fdtol;
372
	struct pwddesc *pd;
373
	struct sigacts *newsigacts;
374

375
	p1 = td->td_proc;
376

377
	PROC_LOCK(p1);
378
	bcopy(&p1->p_startcopy, &p2->p_startcopy,
379
	    __rangeof(struct proc, p_startcopy, p_endcopy));
380
	pargs_hold(p2->p_args);
381
	PROC_UNLOCK(p1);
382

383
	bzero(&p2->p_startzero,
384
	    __rangeof(struct proc, p_startzero, p_endzero));
385

386
	/* Tell the prison that we exist. */
387
	prison_proc_hold(p2->p_ucred->cr_prison);
388

389
	p2->p_state = PRS_NEW;		/* protect against others */
390
	p2->p_pid = fork_findpid(fr->fr_flags);
391
	AUDIT_ARG_PID(p2->p_pid);
392
	TSFORK(p2->p_pid, p1->p_pid);
393

394
	sx_xlock(&allproc_lock);
395
	LIST_INSERT_HEAD(&allproc, p2, p_list);
396
	allproc_gen++;
397
	prison_proc_link(p2->p_ucred->cr_prison, p2);
398
	sx_xunlock(&allproc_lock);
399

400
	sx_xlock(PIDHASHLOCK(p2->p_pid));
401
	LIST_INSERT_HEAD(PIDHASH(p2->p_pid), p2, p_hash);
402
	sx_xunlock(PIDHASHLOCK(p2->p_pid));
403

404
	tidhash_add(td2);
405

406
	/*
407
	 * Malloc things while we don't hold any locks.
408
	 */
409
	if (fr->fr_flags & RFSIGSHARE)
410
		newsigacts = NULL;
411
	else
412
		newsigacts = sigacts_alloc();
413

414
	/*
415
	 * Copy filedesc.
416
	 */
417
	if (fr->fr_flags & RFCFDG) {
418
		pd = pdinit(p1->p_pd, false);
419
		fd = fdinit();
420
		fdtol = NULL;
421
	} else if (fr->fr_flags & RFFDG) {
422
		if (fr->fr_flags2 & FR2_SHARE_PATHS)
423
			pd = pdshare(p1->p_pd);
424
		else
425
			pd = pdcopy(p1->p_pd);
426
		fd = fdcopy(p1->p_fd);
427
		fdtol = NULL;
428
	} else {
429
		if (fr->fr_flags2 & FR2_SHARE_PATHS)
430
			pd = pdcopy(p1->p_pd);
431
		else
432
			pd = pdshare(p1->p_pd);
433
		fd = fdshare(p1->p_fd);
434
		if (p1->p_fdtol == NULL)
435
			p1->p_fdtol = filedesc_to_leader_alloc(NULL, NULL,
436
			    p1->p_leader);
437
		if ((fr->fr_flags & RFTHREAD) != 0) {
438
			/*
439
			 * Shared file descriptor table, and shared
440
			 * process leaders.
441
			 */
442
			fdtol = filedesc_to_leader_share(p1->p_fdtol, p1->p_fd);
443
		} else {
444
			/*
445
			 * Shared file descriptor table, and different
446
			 * process leaders.
447
			 */
448
			fdtol = filedesc_to_leader_alloc(p1->p_fdtol,
449
			    p1->p_fd, p2);
450
		}
451
	}
452
	/*
453
	 * Make a proc table entry for the new process.
454
	 * Start by zeroing the section of proc that is zero-initialized,
455
	 * then copy the section that is copied directly from the parent.
456
	 */
457

458
	PROC_LOCK(p2);
459
	PROC_LOCK(p1);
460

461
	bzero(&td2->td_startzero,
462
	    __rangeof(struct thread, td_startzero, td_endzero));
463

464
	bcopy(&td->td_startcopy, &td2->td_startcopy,
465
	    __rangeof(struct thread, td_startcopy, td_endcopy));
466

467
	bcopy(&p2->p_comm, &td2->td_name, sizeof(td2->td_name));
468
	td2->td_sigstk = td->td_sigstk;
469
	td2->td_flags = TDF_INMEM;
470
	td2->td_lend_user_pri = PRI_MAX;
471

472
#ifdef VIMAGE
473
	td2->td_vnet = NULL;
474
	td2->td_vnet_lpush = NULL;
475
#endif
476

477
	/*
478
	 * Allow the scheduler to initialize the child.
479
	 */
480
	thread_lock(td);
481
	sched_fork(td, td2);
482
	/*
483
	 * Request AST to check for TDP_RFPPWAIT.  Do it here
484
	 * to avoid calling thread_lock() again.
485
	 */
486
	if ((fr->fr_flags & RFPPWAIT) != 0)
487
		ast_sched_locked(td, TDA_VFORK);
488
	thread_unlock(td);
489

490
	/*
491
	 * Duplicate sub-structures as needed.
492
	 * Increase reference counts on shared objects.
493
	 */
494
	p2->p_flag = P_INMEM;
495
	p2->p_flag2 = p1->p_flag2 & (P2_ASLR_DISABLE | P2_ASLR_ENABLE |
496
	    P2_ASLR_IGNSTART | P2_NOTRACE | P2_NOTRACE_EXEC |
497
	    P2_PROTMAX_ENABLE | P2_PROTMAX_DISABLE | P2_TRAPCAP |
498
	    P2_STKGAP_DISABLE | P2_STKGAP_DISABLE_EXEC | P2_NO_NEW_PRIVS |
499
	    P2_WXORX_DISABLE | P2_WXORX_ENABLE_EXEC | P2_LOGSIGEXIT_CTL |
500
	    P2_LOGSIGEXIT_ENABLE);
501
	p2->p_swtick = ticks;
502
	if (p1->p_flag & P_PROFIL)
503
		startprofclock(p2);
504

505
	if (fr->fr_flags & RFSIGSHARE) {
506
		p2->p_sigacts = sigacts_hold(p1->p_sigacts);
507
	} else {
508
		sigacts_copy(newsigacts, p1->p_sigacts);
509
		p2->p_sigacts = newsigacts;
510
		if ((fr->fr_flags2 & (FR2_DROPSIG_CAUGHT | FR2_KPROC)) != 0) {
511
			mtx_lock(&p2->p_sigacts->ps_mtx);
512
			if ((fr->fr_flags2 & FR2_DROPSIG_CAUGHT) != 0)
513
				sig_drop_caught(p2);
514
			if ((fr->fr_flags2 & FR2_KPROC) != 0)
515
				p2->p_sigacts->ps_flag |= PS_NOCLDWAIT;
516
			mtx_unlock(&p2->p_sigacts->ps_mtx);
517
		}
518
	}
519

520
	if (fr->fr_flags & RFTSIGZMB)
521
	        p2->p_sigparent = RFTSIGNUM(fr->fr_flags);
522
	else if (fr->fr_flags & RFLINUXTHPN)
523
	        p2->p_sigparent = SIGUSR1;
524
	else
525
	        p2->p_sigparent = SIGCHLD;
526

527
	if ((fr->fr_flags2 & FR2_KPROC) != 0) {
528
		p2->p_flag |= P_SYSTEM | P_KPROC;
529
		td2->td_pflags |= TDP_KTHREAD;
530
	}
531

532
	p2->p_textvp = p1->p_textvp;
533
	p2->p_textdvp = p1->p_textdvp;
534
	p2->p_fd = fd;
535
	p2->p_fdtol = fdtol;
536
	p2->p_pd = pd;
537

538
	if (p1->p_flag2 & P2_INHERIT_PROTECTED) {
539
		p2->p_flag |= P_PROTECTED;
540
		p2->p_flag2 |= P2_INHERIT_PROTECTED;
541
	}
542

543
	/*
544
	 * p_limit is copy-on-write.  Bump its refcount.
545
	 */
546
	lim_fork(p1, p2);
547

548
	thread_cow_get_proc(td2, p2);
549

550
	pstats_fork(p1->p_stats, p2->p_stats);
551

552
	PROC_UNLOCK(p1);
553
	PROC_UNLOCK(p2);
554

555
	/*
556
	 * Bump references to the text vnode and directory, and copy
557
	 * the hardlink name.
558
	 */
559
	if (p2->p_textvp != NULL)
560
		vrefact(p2->p_textvp);
561
	if (p2->p_textdvp != NULL)
562
		vrefact(p2->p_textdvp);
563
	p2->p_binname = p1->p_binname == NULL ? NULL :
564
	    strdup(p1->p_binname, M_PARGS);
565

566
	/*
567
	 * Set up linkage for kernel based threading.
568
	 */
569
	if ((fr->fr_flags & RFTHREAD) != 0) {
570
		mtx_lock(&ppeers_lock);
571
		p2->p_peers = p1->p_peers;
572
		p1->p_peers = p2;
573
		p2->p_leader = p1->p_leader;
574
		mtx_unlock(&ppeers_lock);
575
		PROC_LOCK(p1->p_leader);
576
		if ((p1->p_leader->p_flag & P_WEXIT) != 0) {
577
			PROC_UNLOCK(p1->p_leader);
578
			/*
579
			 * The task leader is exiting, so process p1 is
580
			 * going to be killed shortly.  Since p1 obviously
581
			 * isn't dead yet, we know that the leader is either
582
			 * sending SIGKILL's to all the processes in this
583
			 * task or is sleeping waiting for all the peers to
584
			 * exit.  We let p1 complete the fork, but we need
585
			 * to go ahead and kill the new process p2 since
586
			 * the task leader may not get a chance to send
587
			 * SIGKILL to it.  We leave it on the list so that
588
			 * the task leader will wait for this new process
589
			 * to commit suicide.
590
			 */
591
			PROC_LOCK(p2);
592
			kern_psignal(p2, SIGKILL);
593
			PROC_UNLOCK(p2);
594
		} else
595
			PROC_UNLOCK(p1->p_leader);
596
	} else {
597
		p2->p_peers = NULL;
598
		p2->p_leader = p2;
599
	}
600

601
	sx_xlock(&proctree_lock);
602
	PGRP_LOCK(p1->p_pgrp);
603
	PROC_LOCK(p2);
604
	PROC_LOCK(p1);
605

606
	/*
607
	 * Preserve some more flags in subprocess.  P_PROFIL has already
608
	 * been preserved.
609
	 */
610
	p2->p_flag |= p1->p_flag & P_SUGID;
611
	td2->td_pflags |= td->td_pflags & (TDP_ALTSTACK | TDP_SIGFASTBLOCK);
612
	td2->td_pflags2 |= td->td_pflags2 & TDP2_UEXTERR;
613
	if (p1->p_flag & P_CONTROLT) {
614
		SESS_LOCK(p1->p_session);
615
		if (p1->p_session->s_ttyvp != NULL)
616
			p2->p_flag |= P_CONTROLT;
617
		SESS_UNLOCK(p1->p_session);
618
	}
619
	if (fr->fr_flags & RFPPWAIT)
620
		p2->p_flag |= P_PPWAIT;
621

622
	p2->p_pgrp = p1->p_pgrp;
623
	LIST_INSERT_AFTER(p1, p2, p_pglist);
624
	PGRP_UNLOCK(p1->p_pgrp);
625
	LIST_INIT(&p2->p_children);
626
	LIST_INIT(&p2->p_orphans);
627

628
	callout_init_mtx(&p2->p_itcallout, &p2->p_mtx, 0);
629

630
	/*
631
	 * This begins the section where we must prevent the parent
632
	 * from being swapped.
633
	 */
634
	_PHOLD(p1);
635
	PROC_UNLOCK(p1);
636

637
	/*
638
	 * Attach the new process to its parent.
639
	 *
640
	 * If RFNOWAIT is set, the newly created process becomes a child
641
	 * of init.  This effectively disassociates the child from the
642
	 * parent.
643
	 */
644
	if ((fr->fr_flags & RFNOWAIT) != 0) {
645
		pptr = p1->p_reaper;
646
		p2->p_reaper = pptr;
647
	} else {
648
		p2->p_reaper = (p1->p_treeflag & P_TREE_REAPER) != 0 ?
649
		    p1 : p1->p_reaper;
650
		pptr = p1;
651
	}
652
	p2->p_pptr = pptr;
653
	p2->p_oppid = pptr->p_pid;
654
	LIST_INSERT_HEAD(&pptr->p_children, p2, p_sibling);
655
	LIST_INIT(&p2->p_reaplist);
656
	LIST_INSERT_HEAD(&p2->p_reaper->p_reaplist, p2, p_reapsibling);
657
	if (p2->p_reaper == p1 && p1 != initproc) {
658
		p2->p_reapsubtree = p2->p_pid;
659
		proc_id_set_cond(PROC_ID_REAP, p2->p_pid);
660
	}
661
	sx_xunlock(&proctree_lock);
662

663
	/* Inform accounting that we have forked. */
664
	p2->p_acflag = AFORK;
665
	PROC_UNLOCK(p2);
666

667
#ifdef KTRACE
668
	ktrprocfork(p1, p2);
669
#endif
670

671
	/*
672
	 * Finish creating the child process.  It will return via a different
673
	 * execution path later.  (ie: directly into user mode)
674
	 */
675
	vm_forkproc(td, p2, td2, vm2, fr->fr_flags);
676

677
	if (fr->fr_flags == (RFFDG | RFPROC)) {
678
		VM_CNT_INC(v_forks);
679
		VM_CNT_ADD(v_forkpages, p2->p_vmspace->vm_dsize +
680
		    p2->p_vmspace->vm_ssize);
681
	} else if (fr->fr_flags == (RFFDG | RFPROC | RFPPWAIT | RFMEM)) {
682
		VM_CNT_INC(v_vforks);
683
		VM_CNT_ADD(v_vforkpages, p2->p_vmspace->vm_dsize +
684
		    p2->p_vmspace->vm_ssize);
685
	} else if (p1 == &proc0) {
686
		VM_CNT_INC(v_kthreads);
687
		VM_CNT_ADD(v_kthreadpages, p2->p_vmspace->vm_dsize +
688
		    p2->p_vmspace->vm_ssize);
689
	} else {
690
		VM_CNT_INC(v_rforks);
691
		VM_CNT_ADD(v_rforkpages, p2->p_vmspace->vm_dsize +
692
		    p2->p_vmspace->vm_ssize);
693
	}
694

695
	/*
696
	 * Associate the process descriptor with the process before anything
697
	 * can happen that might cause that process to need the descriptor.
698
	 * However, don't do this until after fork(2) can no longer fail.
699
	 */
700
	if (fr->fr_flags & RFPROCDESC)
701
		procdesc_new(p2, fr->fr_pd_flags);
702

703
	/*
704
	 * Both processes are set up, now check if any loadable modules want
705
	 * to adjust anything.
706
	 */
707
	EVENTHANDLER_DIRECT_INVOKE(process_fork, p1, p2, fr->fr_flags);
708

709
	/*
710
	 * Set the child start time and mark the process as being complete.
711
	 */
712
	PROC_LOCK(p2);
713
	PROC_LOCK(p1);
714
	microuptime(&p2->p_stats->p_start);
715
	PROC_SLOCK(p2);
716
	p2->p_state = PRS_NORMAL;
717
	PROC_SUNLOCK(p2);
718

719
#ifdef KDTRACE_HOOKS
720
	/*
721
	 * Tell the DTrace fasttrap provider about the new process so that any
722
	 * tracepoints inherited from the parent can be removed. We have to do
723
	 * this only after p_state is PRS_NORMAL since the fasttrap module will
724
	 * use pfind() later on.
725
	 */
726
	if ((fr->fr_flags & RFMEM) == 0 && dtrace_fasttrap_fork)
727
		dtrace_fasttrap_fork(p1, p2);
728
#endif
729
	if (fr->fr_flags & RFPPWAIT) {
730
		td->td_pflags |= TDP_RFPPWAIT;
731
		td->td_rfppwait_p = p2;
732
		td->td_dbgflags |= TDB_VFORK;
733
	}
734
	PROC_UNLOCK(p2);
735

736
	/*
737
	 * Tell any interested parties about the new process.
738
	 */
739
	knote_fork(p1->p_klist, p2->p_pid);
740

741
	/*
742
	 * Now can be swapped.
743
	 */
744
	_PRELE(p1);
745
	PROC_UNLOCK(p1);
746
	SDT_PROBE3(proc, , , create, p2, p1, fr->fr_flags);
747

748
	if (fr->fr_flags & RFPROCDESC) {
749
		procdesc_finit(p2->p_procdesc, fp_procdesc);
750
		fdrop(fp_procdesc, td);
751
	}
752

753
	/*
754
	 * Speculative check for PTRACE_FORK. PTRACE_FORK is not
755
	 * synced with forks in progress so it is OK if we miss it
756
	 * if being set atm.
757
	 */
758
	if ((p1->p_ptevents & PTRACE_FORK) != 0) {
759
		sx_xlock(&proctree_lock);
760
		PROC_LOCK(p2);
761

762
		/*
763
		 * p1->p_ptevents & p1->p_pptr are protected by both
764
		 * process and proctree locks for modifications,
765
		 * so owning proctree_lock allows the race-free read.
766
		 */
767
		if ((p1->p_ptevents & PTRACE_FORK) != 0) {
768
			/*
769
			 * Arrange for debugger to receive the fork event.
770
			 *
771
			 * We can report PL_FLAG_FORKED regardless of
772
			 * P_FOLLOWFORK settings, but it does not make a sense
773
			 * for runaway child.
774
			 */
775
			td->td_dbgflags |= TDB_FORK;
776
			td->td_dbg_forked = p2->p_pid;
777
			td2->td_dbgflags |= TDB_STOPATFORK;
778
			proc_set_traced(p2, true);
779
			CTR2(KTR_PTRACE,
780
			    "do_fork: attaching to new child pid %d: oppid %d",
781
			    p2->p_pid, p2->p_oppid);
782
			proc_reparent(p2, p1->p_pptr, false);
783
		}
784
		PROC_UNLOCK(p2);
785
		sx_xunlock(&proctree_lock);
786
	}
787

788
	racct_proc_fork_done(p2);
789

790
	if ((fr->fr_flags & RFSTOPPED) == 0) {
791
		if (fr->fr_pidp != NULL)
792
			*fr->fr_pidp = p2->p_pid;
793
		/*
794
		 * If RFSTOPPED not requested, make child runnable and
795
		 * add to run queue.
796
		 */
797
		thread_lock(td2);
798
		TD_SET_CAN_RUN(td2);
799
		sched_add(td2, SRQ_BORING);
800
	} else {
801
		*fr->fr_procp = p2;
802
	}
803
}
804

805
static void
806
ast_vfork(struct thread *td, int tda __unused)
807
{
808
	struct proc *p, *p2;
809

810
	MPASS(td->td_pflags & TDP_RFPPWAIT);
811

812
	p = td->td_proc;
813
	/*
814
	 * Preserve synchronization semantics of vfork.  If
815
	 * waiting for child to exec or exit, fork set
816
	 * P_PPWAIT on child, and there we sleep on our proc
817
	 * (in case of exit).
818
	 *
819
	 * Do it after the ptracestop() above is finished, to
820
	 * not block our debugger until child execs or exits
821
	 * to finish vfork wait.
822
	 */
823
	td->td_pflags &= ~TDP_RFPPWAIT;
824
	p2 = td->td_rfppwait_p;
825
again:
826
	PROC_LOCK(p2);
827
	while (p2->p_flag & P_PPWAIT) {
828
		PROC_LOCK(p);
829
		if (thread_suspend_check_needed()) {
830
			PROC_UNLOCK(p2);
831
			thread_suspend_check(0);
832
			PROC_UNLOCK(p);
833
			goto again;
834
		} else {
835
			PROC_UNLOCK(p);
836
		}
837
		cv_timedwait(&p2->p_pwait, &p2->p_mtx, hz);
838
	}
839
	PROC_UNLOCK(p2);
840

841
	if (td->td_dbgflags & TDB_VFORK) {
842
		PROC_LOCK(p);
843
		if (p->p_ptevents & PTRACE_VFORK)
844
			ptracestop(td, SIGTRAP, NULL);
845
		td->td_dbgflags &= ~TDB_VFORK;
846
		PROC_UNLOCK(p);
847
	}
848
}
849

850
int
851
fork1(struct thread *td, struct fork_req *fr)
852
{
853
	struct proc *p1, *newproc;
854
	struct thread *td2;
855
	struct vmspace *vm2;
856
	struct ucred *cred;
857
	struct file *fp_procdesc;
858
	struct pgrp *pg;
859
	vm_ooffset_t mem_charged;
860
	int error, nprocs_new;
861
	static int curfail;
862
	static struct timeval lastfail;
863
	int flags, pages;
864
	bool killsx_locked, singlethreaded;
865

866
	flags = fr->fr_flags;
867
	pages = fr->fr_pages;
868

869
	if ((flags & RFSTOPPED) != 0)
870
		MPASS(fr->fr_procp != NULL && fr->fr_pidp == NULL);
871
	else
872
		MPASS(fr->fr_procp == NULL);
873

874
	/* Check for the undefined or unimplemented flags. */
875
	if ((flags & ~(RFFLAGS | RFTSIGFLAGS(RFTSIGMASK))) != 0)
876
		return (EINVAL);
877

878
	/* Signal value requires RFTSIGZMB. */
879
	if ((flags & RFTSIGFLAGS(RFTSIGMASK)) != 0 && (flags & RFTSIGZMB) == 0)
880
		return (EINVAL);
881

882
	/* Can't copy and clear. */
883
	if ((flags & (RFFDG|RFCFDG)) == (RFFDG|RFCFDG))
884
		return (EINVAL);
885

886
	/* Check the validity of the signal number. */
887
	if ((flags & RFTSIGZMB) != 0 && (u_int)RFTSIGNUM(flags) > _SIG_MAXSIG)
888
		return (EINVAL);
889

890
	if ((flags & RFPROCDESC) != 0) {
891
		/* Can't not create a process yet get a process descriptor. */
892
		if ((flags & RFPROC) == 0)
893
			return (EINVAL);
894

895
		/* Must provide a place to put a procdesc if creating one. */
896
		if (fr->fr_pd_fd == NULL)
897
			return (EINVAL);
898

899
		/* Check if we are using supported flags. */
900
		if ((fr->fr_pd_flags & ~PD_ALLOWED_AT_FORK) != 0)
901
			return (EINVAL);
902
	}
903

904
	p1 = td->td_proc;
905

906
	/*
907
	 * Here we don't create a new process, but we divorce
908
	 * certain parts of a process from itself.
909
	 */
910
	if ((flags & RFPROC) == 0) {
911
		if (fr->fr_procp != NULL)
912
			*fr->fr_procp = NULL;
913
		else if (fr->fr_pidp != NULL)
914
			*fr->fr_pidp = 0;
915
		return (fork_norfproc(td, flags));
916
	}
917

918
	fp_procdesc = NULL;
919
	newproc = NULL;
920
	vm2 = NULL;
921
	killsx_locked = false;
922
	singlethreaded = false;
923

924
	/*
925
	 * Increment the nprocs resource before allocations occur.
926
	 * Although process entries are dynamically created, we still
927
	 * keep a global limit on the maximum number we will
928
	 * create. There are hard-limits as to the number of processes
929
	 * that can run, established by the KVA and memory usage for
930
	 * the process data.
931
	 *
932
	 * Don't allow a nonprivileged user to use the last ten
933
	 * processes; don't let root exceed the limit.
934
	 */
935
	nprocs_new = atomic_fetchadd_int(&nprocs, 1) + 1;
936
	if (nprocs_new >= maxproc - 10) {
937
		if (priv_check_cred(td->td_ucred, PRIV_MAXPROC) != 0 ||
938
		    nprocs_new >= maxproc) {
939
			error = EAGAIN;
940
			sx_xlock(&allproc_lock);
941
			if (ppsratecheck(&lastfail, &curfail, 1)) {
942
				printf("maxproc limit exceeded by uid %u "
943
				    "(pid %d); see tuning(7) and "
944
				    "login.conf(5)\n",
945
				    td->td_ucred->cr_ruid, p1->p_pid);
946
			}
947
			sx_xunlock(&allproc_lock);
948
			goto fail2;
949
		}
950
	}
951

952
	/*
953
	 * If we are possibly multi-threaded, and there is a process
954
	 * sending a signal to our group right now, ensure that our
955
	 * other threads cannot be chosen for the signal queueing.
956
	 * Otherwise, this might delay signal action, and make the new
957
	 * child escape the signaling.
958
	 */
959
	pg = p1->p_pgrp;
960
	if (p1->p_numthreads > 1) {
961
		if (sx_try_slock(&pg->pg_killsx) != 0) {
962
			killsx_locked = true;
963
		} else {
964
			PROC_LOCK(p1);
965
			if (thread_single(p1, SINGLE_BOUNDARY)) {
966
				PROC_UNLOCK(p1);
967
				error = ERESTART;
968
				goto fail2;
969
			}
970
			PROC_UNLOCK(p1);
971
			singlethreaded = true;
972
		}
973
	}
974

975
	/*
976
	 * Atomically check for signals and block processes from sending
977
	 * a signal to our process group until the child is visible.
978
	 */
979
	if (!killsx_locked && sx_slock_sig(&pg->pg_killsx) != 0) {
980
		error = ERESTART;
981
		goto fail2;
982
	}
983
	if (__predict_false(p1->p_pgrp != pg || sig_intr() != 0)) {
984
		/*
985
		 * Either the process was moved to other process
986
		 * group, or there is pending signal.  sx_slock_sig()
987
		 * does not check for signals if not sleeping for the
988
		 * lock.
989
		 */
990
		sx_sunlock(&pg->pg_killsx);
991
		killsx_locked = false;
992
		error = ERESTART;
993
		goto fail2;
994
	} else {
995
		killsx_locked = true;
996
	}
997

998
	/*
999
	 * If required, create a process descriptor in the parent first; we
1000
	 * will abandon it if something goes wrong. We don't finit() until
1001
	 * later.
1002
	 */
1003
	if (flags & RFPROCDESC) {
1004
		error = procdesc_falloc(td, &fp_procdesc, fr->fr_pd_fd,
1005
		    fr->fr_pd_flags, fr->fr_pd_fcaps);
1006
		if (error != 0)
1007
			goto fail2;
1008
		AUDIT_ARG_FD(*fr->fr_pd_fd);
1009
	}
1010

1011
	mem_charged = 0;
1012
	if (pages == 0)
1013
		pages = kstack_pages;
1014
	/* Allocate new proc. */
1015
	newproc = uma_zalloc(proc_zone, M_WAITOK);
1016
	td2 = FIRST_THREAD_IN_PROC(newproc);
1017
	if (td2 == NULL) {
1018
		td2 = thread_alloc(pages);
1019
		if (td2 == NULL) {
1020
			error = ENOMEM;
1021
			goto fail2;
1022
		}
1023
		proc_linkup(newproc, td2);
1024
	} else {
1025
		error = thread_recycle(td2, pages);
1026
		if (error != 0)
1027
			goto fail2;
1028
	}
1029

1030
	if ((flags & RFMEM) == 0) {
1031
		vm2 = vmspace_fork(p1->p_vmspace, &mem_charged);
1032
		if (vm2 == NULL) {
1033
			error = ENOMEM;
1034
			goto fail2;
1035
		}
1036
		if (!swap_reserve(mem_charged)) {
1037
			/*
1038
			 * The swap reservation failed. The accounting
1039
			 * from the entries of the copied vm2 will be
1040
			 * subtracted in vmspace_free(), so force the
1041
			 * reservation there.
1042
			 */
1043
			swap_reserve_force(mem_charged);
1044
			error = ENOMEM;
1045
			goto fail2;
1046
		}
1047
	} else
1048
		vm2 = NULL;
1049

1050
	/*
1051
	 * XXX: This is ugly; when we copy resource usage, we need to bump
1052
	 *      per-cred resource counters.
1053
	 */
1054
	newproc->p_ucred = crcowget(td->td_ucred);
1055

1056
	/*
1057
	 * Initialize resource accounting for the child process.
1058
	 */
1059
	error = racct_proc_fork(p1, newproc);
1060
	if (error != 0) {
1061
		error = EAGAIN;
1062
		goto fail1;
1063
	}
1064

1065
#ifdef MAC
1066
	mac_proc_init(newproc);
1067
#endif
1068
	newproc->p_klist = knlist_alloc(&newproc->p_mtx);
1069
	STAILQ_INIT(&newproc->p_ktr);
1070

1071
	/*
1072
	 * Increment the count of procs running with this uid. Don't allow
1073
	 * a nonprivileged user to exceed their current limit.
1074
	 */
1075
	cred = td->td_ucred;
1076
	if (!chgproccnt(cred->cr_ruidinfo, 1, lim_cur(td, RLIMIT_NPROC))) {
1077
		if (priv_check_cred(cred, PRIV_PROC_LIMIT) != 0)
1078
			goto fail0;
1079
		chgproccnt(cred->cr_ruidinfo, 1, 0);
1080
	}
1081

1082
	do_fork(td, fr, newproc, td2, vm2, fp_procdesc);
1083
	error = 0;
1084
	goto cleanup;
1085
fail0:
1086
	error = EAGAIN;
1087
#ifdef MAC
1088
	mac_proc_destroy(newproc);
1089
#endif
1090
	racct_proc_exit(newproc);
1091
fail1:
1092
	proc_unset_cred(newproc, false);
1093
fail2:
1094
	if (vm2 != NULL)
1095
		vmspace_free(vm2);
1096
	uma_zfree(proc_zone, newproc);
1097
	if ((flags & RFPROCDESC) != 0 && fp_procdesc != NULL) {
1098
		fdclose(td, fp_procdesc, *fr->fr_pd_fd);
1099
		fdrop(fp_procdesc, td);
1100
	}
1101
	atomic_add_int(&nprocs, -1);
1102
cleanup:
1103
	if (killsx_locked)
1104
		sx_sunlock(&pg->pg_killsx);
1105
	if (singlethreaded) {
1106
		PROC_LOCK(p1);
1107
		thread_single_end(p1, SINGLE_BOUNDARY);
1108
		PROC_UNLOCK(p1);
1109
	}
1110
	if (error != 0)
1111
		pause("fork", hz / 2);
1112
	return (error);
1113
}
1114

1115
/*
1116
 * Handle the return of a child process from fork1().  This function
1117
 * is called from the MD fork_trampoline() entry point.
1118
 */
1119
void
1120
fork_exit(void (*callout)(void *, struct trapframe *), void *arg,
1121
    struct trapframe *frame)
1122
{
1123
	struct proc *p;
1124
	struct thread *td;
1125
	struct thread *dtd;
1126

1127
	kmsan_mark(frame, sizeof(*frame), KMSAN_STATE_INITED);
1128

1129
	td = curthread;
1130
	p = td->td_proc;
1131
	KASSERT(p->p_state == PRS_NORMAL, ("executing process is still new"));
1132

1133
	CTR4(KTR_PROC, "fork_exit: new thread %p (td_sched %p, pid %d, %s)",
1134
	    td, td_get_sched(td), p->p_pid, td->td_name);
1135

1136
	sched_fork_exit(td);
1137

1138
	/*
1139
	 * Processes normally resume in mi_switch() after being
1140
	 * cpu_switch()'ed to, but when children start up they arrive here
1141
	 * instead, so we must do much the same things as mi_switch() would.
1142
	 */
1143
	if ((dtd = PCPU_GET(deadthread))) {
1144
		PCPU_SET(deadthread, NULL);
1145
		thread_stash(dtd);
1146
	}
1147
	thread_unlock(td);
1148

1149
	/*
1150
	 * cpu_fork_kthread_handler intercepts this function call to
1151
	 * have this call a non-return function to stay in kernel mode.
1152
	 * initproc has its own fork handler, but it does return.
1153
	 */
1154
	KASSERT(callout != NULL, ("NULL callout in fork_exit"));
1155
	callout(arg, frame);
1156

1157
	/*
1158
	 * Check if a kernel thread misbehaved and returned from its main
1159
	 * function.
1160
	 */
1161
	if (p->p_flag & P_KPROC) {
1162
		printf("Kernel thread \"%s\" (pid %d) exited prematurely.\n",
1163
		    td->td_name, p->p_pid);
1164
		kthread_exit();
1165
	}
1166
	mtx_assert(&Giant, MA_NOTOWNED);
1167

1168
	/*
1169
	 * Now going to return to userland.
1170
	 */
1171

1172
	if (p->p_sysent->sv_schedtail != NULL)
1173
		(p->p_sysent->sv_schedtail)(td);
1174

1175
	userret(td, frame);
1176
}
1177

1178
/*
1179
 * Simplified back end of syscall(), used when returning from fork()
1180
 * directly into user mode.  This function is passed in to fork_exit()
1181
 * as the first parameter and is called when returning to a new
1182
 * userland process.
1183
 */
1184
void
1185
fork_return(struct thread *td, struct trapframe *frame)
1186
{
1187
	struct proc *p;
1188

1189
	p = td->td_proc;
1190
	if (td->td_dbgflags & TDB_STOPATFORK) {
1191
		PROC_LOCK(p);
1192
		if ((p->p_flag & P_TRACED) != 0) {
1193
			/*
1194
			 * Inform the debugger if one is still present.
1195
			 */
1196
			td->td_dbgflags |= TDB_CHILD | TDB_SCX | TDB_FSTP;
1197
			ptracestop(td, SIGSTOP, NULL);
1198
			td->td_dbgflags &= ~(TDB_CHILD | TDB_SCX);
1199
		} else {
1200
			/*
1201
			 * ... otherwise clear the request.
1202
			 */
1203
			td->td_dbgflags &= ~TDB_STOPATFORK;
1204
		}
1205
		PROC_UNLOCK(p);
1206
	} else if (p->p_flag & P_TRACED) {
1207
 		/*
1208
		 * This is the start of a new thread in a traced
1209
		 * process.  Report a system call exit event.
1210
		 */
1211
		PROC_LOCK(p);
1212
		td->td_dbgflags |= TDB_SCX;
1213
		if ((p->p_ptevents & PTRACE_SCX) != 0 ||
1214
		    (td->td_dbgflags & TDB_BORN) != 0)
1215
			ptracestop(td, SIGTRAP, NULL);
1216
		td->td_dbgflags &= ~(TDB_SCX | TDB_BORN);
1217
		PROC_UNLOCK(p);
1218
	}
1219

1220
	/*
1221
	 * If the prison was killed mid-fork, die along with it.
1222
	 */
1223
	if (!prison_isalive(td->td_ucred->cr_prison))
1224
		exit1(td, 0, SIGKILL);
1225

1226
#ifdef KTRACE
1227
	if (KTRPOINT(td, KTR_SYSRET))
1228
		ktrsysret(td->td_sa.code, 0, 0);
1229
#endif
1230
}
1231

1232
static void
1233
fork_init(void *arg __unused)
1234
{
1235
	ast_register(TDA_VFORK, ASTR_ASTF_REQUIRED | ASTR_TDP, TDP_RFPPWAIT,
1236
	    ast_vfork);
1237
}
1238
SYSINIT(fork, SI_SUB_INTRINSIC, SI_ORDER_ANY, fork_init, NULL);
1239

1240