1 /*- 2 * Copyright (c) 2004 Tim J. Robbins 3 * Copyright (c) 2003 Peter Wemm 4 * Copyright (c) 2002 Doug Rabson 5 * Copyright (c) 1998-1999 Andrew Gallatin 6 * Copyright (c) 1994-1996 S�ren Schmidt 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer 14 * in this position and unchanged. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __FBSDID("$FreeBSD$"); 35 #include "opt_compat.h" 36 37 #ifndef COMPAT_IA32 38 #error "Unable to compile Linux-emulator due to missing COMPAT_IA32 option!" 39 #endif 40 41 #define __ELF_WORD_SIZE 32 42 43 #include <sys/param.h> 44 #include <sys/systm.h> 45 #include <sys/exec.h> 46 #include <sys/imgact.h> 47 #include <sys/imgact_elf.h> 48 #include <sys/kernel.h> 49 #include <sys/lock.h> 50 #include <sys/malloc.h> 51 #include <sys/module.h> 52 #include <sys/mutex.h> 53 #include <sys/proc.h> 54 #include <sys/resourcevar.h> 55 #include <sys/signalvar.h> 56 #include <sys/sysctl.h> 57 #include <sys/syscallsubr.h> 58 #include <sys/sysent.h> 59 #include <sys/sysproto.h> 60 #include <sys/vnode.h> 61 #include <sys/eventhandler.h> 62 63 #include <vm/vm.h> 64 #include <vm/pmap.h> 65 #include <vm/vm_extern.h> 66 #include <vm/vm_map.h> 67 #include <vm/vm_object.h> 68 #include <vm/vm_page.h> 69 #include <vm/vm_param.h> 70 71 #include <machine/cpu.h> 72 #include <machine/md_var.h> 73 #include <machine/pcb.h> 74 #include <machine/specialreg.h> 75 76 #include <amd64/linux32/linux.h> 77 #include <amd64/linux32/linux32_proto.h> 78 #include <compat/linux/linux_emul.h> 79 #include <compat/linux/linux_mib.h> 80 #include <compat/linux/linux_signal.h> 81 #include <compat/linux/linux_util.h> 82 83 MODULE_VERSION(linux, 1); 84 85 MALLOC_DEFINE(M_LINUX, "linux", "Linux mode structures"); 86 87 #define AUXARGS_ENTRY_32(pos, id, val) \ 88 do { \ 89 suword32(pos++, id); \ 90 suword32(pos++, val); \ 91 } while (0) 92 93 #if BYTE_ORDER == LITTLE_ENDIAN 94 #define SHELLMAGIC 0x2123 /* #! */ 95 #else 96 #define SHELLMAGIC 0x2321 97 #endif 98 99 /* 100 * Allow the sendsig functions to use the ldebug() facility 101 * even though they are not syscalls themselves. Map them 102 * to syscall 0. This is slightly less bogus than using 103 * ldebug(sigreturn). 104 */ 105 #define LINUX_SYS_linux_rt_sendsig 0 106 #define LINUX_SYS_linux_sendsig 0 107 108 extern char linux_sigcode[]; 109 extern int linux_szsigcode; 110 111 extern struct sysent linux_sysent[LINUX_SYS_MAXSYSCALL]; 112 113 SET_DECLARE(linux_ioctl_handler_set, struct linux_ioctl_handler); 114 SET_DECLARE(linux_device_handler_set, struct linux_device_handler); 115 116 static int elf_linux_fixup(register_t **stack_base, 117 struct image_params *iparams); 118 static register_t *linux_copyout_strings(struct image_params *imgp); 119 static void linux_prepsyscall(struct trapframe *tf, int *args, u_int *code, 120 caddr_t *params); 121 static void linux_sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask); 122 static void exec_linux_setregs(struct thread *td, u_long entry, 123 u_long stack, u_long ps_strings); 124 static void linux32_fixlimits(struct proc *p); 125 126 extern LIST_HEAD(futex_list, futex) futex_list; 127 extern struct mtx futex_mtx; 128 extern struct sx emul_shared_lock; 129 extern struct sx emul_lock; 130 131 static eventhandler_tag linux_exit_tag; 132 static eventhandler_tag linux_schedtail_tag; 133 static eventhandler_tag linux_exec_tag; 134 135 /* 136 * Linux syscalls return negative errno's, we do positive and map them 137 * Reference: 138 * FreeBSD: src/sys/sys/errno.h 139 * Linux: linux-2.6.17.8/include/asm-generic/errno-base.h 140 * linux-2.6.17.8/include/asm-generic/errno.h 141 */ 142 static int bsd_to_linux_errno[ELAST + 1] = { 143 -0, -1, -2, -3, -4, -5, -6, -7, -8, -9, 144 -10, -35, -12, -13, -14, -15, -16, -17, -18, -19, 145 -20, -21, -22, -23, -24, -25, -26, -27, -28, -29, 146 -30, -31, -32, -33, -34, -11,-115,-114, -88, -89, 147 -90, -91, -92, -93, -94, -95, -96, -97, -98, -99, 148 -100,-101,-102,-103,-104,-105,-106,-107,-108,-109, 149 -110,-111, -40, -36,-112,-113, -39, -11, -87,-122, 150 -116, -66, -6, -6, -6, -6, -6, -37, -38, -9, 151 -6, -6, -43, -42, -75,-125, -84, -95, -16, -74, 152 -72, -67, -71 153 }; 154 155 int bsd_to_linux_signal[LINUX_SIGTBLSZ] = { 156 LINUX_SIGHUP, LINUX_SIGINT, LINUX_SIGQUIT, LINUX_SIGILL, 157 LINUX_SIGTRAP, LINUX_SIGABRT, 0, LINUX_SIGFPE, 158 LINUX_SIGKILL, LINUX_SIGBUS, LINUX_SIGSEGV, LINUX_SIGSYS, 159 LINUX_SIGPIPE, LINUX_SIGALRM, LINUX_SIGTERM, LINUX_SIGURG, 160 LINUX_SIGSTOP, LINUX_SIGTSTP, LINUX_SIGCONT, LINUX_SIGCHLD, 161 LINUX_SIGTTIN, LINUX_SIGTTOU, LINUX_SIGIO, LINUX_SIGXCPU, 162 LINUX_SIGXFSZ, LINUX_SIGVTALRM, LINUX_SIGPROF, LINUX_SIGWINCH, 163 0, LINUX_SIGUSR1, LINUX_SIGUSR2 164 }; 165 166 int linux_to_bsd_signal[LINUX_SIGTBLSZ] = { 167 SIGHUP, SIGINT, SIGQUIT, SIGILL, 168 SIGTRAP, SIGABRT, SIGBUS, SIGFPE, 169 SIGKILL, SIGUSR1, SIGSEGV, SIGUSR2, 170 SIGPIPE, SIGALRM, SIGTERM, SIGBUS, 171 SIGCHLD, SIGCONT, SIGSTOP, SIGTSTP, 172 SIGTTIN, SIGTTOU, SIGURG, SIGXCPU, 173 SIGXFSZ, SIGVTALRM, SIGPROF, SIGWINCH, 174 SIGIO, SIGURG, SIGSYS 175 }; 176 177 #define LINUX_T_UNKNOWN 255 178 static int _bsd_to_linux_trapcode[] = { 179 LINUX_T_UNKNOWN, /* 0 */ 180 6, /* 1 T_PRIVINFLT */ 181 LINUX_T_UNKNOWN, /* 2 */ 182 3, /* 3 T_BPTFLT */ 183 LINUX_T_UNKNOWN, /* 4 */ 184 LINUX_T_UNKNOWN, /* 5 */ 185 16, /* 6 T_ARITHTRAP */ 186 254, /* 7 T_ASTFLT */ 187 LINUX_T_UNKNOWN, /* 8 */ 188 13, /* 9 T_PROTFLT */ 189 1, /* 10 T_TRCTRAP */ 190 LINUX_T_UNKNOWN, /* 11 */ 191 14, /* 12 T_PAGEFLT */ 192 LINUX_T_UNKNOWN, /* 13 */ 193 17, /* 14 T_ALIGNFLT */ 194 LINUX_T_UNKNOWN, /* 15 */ 195 LINUX_T_UNKNOWN, /* 16 */ 196 LINUX_T_UNKNOWN, /* 17 */ 197 0, /* 18 T_DIVIDE */ 198 2, /* 19 T_NMI */ 199 4, /* 20 T_OFLOW */ 200 5, /* 21 T_BOUND */ 201 7, /* 22 T_DNA */ 202 8, /* 23 T_DOUBLEFLT */ 203 9, /* 24 T_FPOPFLT */ 204 10, /* 25 T_TSSFLT */ 205 11, /* 26 T_SEGNPFLT */ 206 12, /* 27 T_STKFLT */ 207 18, /* 28 T_MCHK */ 208 19, /* 29 T_XMMFLT */ 209 15 /* 30 T_RESERVED */ 210 }; 211 #define bsd_to_linux_trapcode(code) \ 212 ((code)<sizeof(_bsd_to_linux_trapcode)/sizeof(*_bsd_to_linux_trapcode)? \ 213 _bsd_to_linux_trapcode[(code)]: \ 214 LINUX_T_UNKNOWN) 215 216 struct linux32_ps_strings { 217 u_int32_t ps_argvstr; /* first of 0 or more argument strings */ 218 u_int ps_nargvstr; /* the number of argument strings */ 219 u_int32_t ps_envstr; /* first of 0 or more environment strings */ 220 u_int ps_nenvstr; /* the number of environment strings */ 221 }; 222 223 /* 224 * If FreeBSD & Linux have a difference of opinion about what a trap 225 * means, deal with it here. 226 * 227 * MPSAFE 228 */ 229 static int 230 translate_traps(int signal, int trap_code) 231 { 232 if (signal != SIGBUS) 233 return signal; 234 switch (trap_code) { 235 case T_PROTFLT: 236 case T_TSSFLT: 237 case T_DOUBLEFLT: 238 case T_PAGEFLT: 239 return SIGSEGV; 240 default: 241 return signal; 242 } 243 } 244 245 static int 246 elf_linux_fixup(register_t **stack_base, struct image_params *imgp) 247 { 248 Elf32_Auxargs *args; 249 Elf32_Addr *base; 250 Elf32_Addr *pos; 251 252 KASSERT(curthread->td_proc == imgp->proc && 253 (curthread->td_proc->p_flag & P_SA) == 0, 254 ("unsafe elf_linux_fixup(), should be curproc")); 255 base = (Elf32_Addr *)*stack_base; 256 args = (Elf32_Auxargs *)imgp->auxargs; 257 pos = base + (imgp->args->argc + imgp->args->envc + 2); 258 259 if (args->trace) 260 AUXARGS_ENTRY_32(pos, AT_DEBUG, 1); 261 if (args->execfd != -1) 262 AUXARGS_ENTRY_32(pos, AT_EXECFD, args->execfd); 263 AUXARGS_ENTRY_32(pos, AT_PHDR, args->phdr); 264 AUXARGS_ENTRY_32(pos, AT_PHENT, args->phent); 265 AUXARGS_ENTRY_32(pos, AT_PHNUM, args->phnum); 266 AUXARGS_ENTRY_32(pos, AT_PAGESZ, args->pagesz); 267 AUXARGS_ENTRY_32(pos, AT_FLAGS, args->flags); 268 AUXARGS_ENTRY_32(pos, AT_ENTRY, args->entry); 269 AUXARGS_ENTRY_32(pos, AT_BASE, args->base); 270 AUXARGS_ENTRY_32(pos, AT_UID, imgp->proc->p_ucred->cr_ruid); 271 AUXARGS_ENTRY_32(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid); 272 AUXARGS_ENTRY_32(pos, AT_GID, imgp->proc->p_ucred->cr_rgid); 273 AUXARGS_ENTRY_32(pos, AT_EGID, imgp->proc->p_ucred->cr_svgid); 274 AUXARGS_ENTRY_32(pos, AT_NULL, 0); 275 276 free(imgp->auxargs, M_TEMP); 277 imgp->auxargs = NULL; 278 279 base--; 280 suword32(base, (uint32_t)imgp->args->argc); 281 *stack_base = (register_t *)base; 282 return 0; 283 } 284 285 extern int _ucodesel, _ucode32sel, _udatasel; 286 extern unsigned long linux_sznonrtsigcode; 287 288 static void 289 linux_rt_sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask) 290 { 291 struct thread *td = curthread; 292 struct proc *p = td->td_proc; 293 struct sigacts *psp; 294 struct trapframe *regs; 295 struct l_rt_sigframe *fp, frame; 296 int oonstack; 297 int sig; 298 int code; 299 300 sig = ksi->ksi_signo; 301 code = ksi->ksi_code; 302 PROC_LOCK_ASSERT(p, MA_OWNED); 303 psp = p->p_sigacts; 304 mtx_assert(&psp->ps_mtx, MA_OWNED); 305 regs = td->td_frame; 306 oonstack = sigonstack(regs->tf_rsp); 307 308 #ifdef DEBUG 309 if (ldebug(rt_sendsig)) 310 printf(ARGS(rt_sendsig, "%p, %d, %p, %u"), 311 catcher, sig, (void*)mask, code); 312 #endif 313 /* 314 * Allocate space for the signal handler context. 315 */ 316 if ((td->td_pflags & TDP_ALTSTACK) && !oonstack && 317 SIGISMEMBER(psp->ps_sigonstack, sig)) { 318 fp = (struct l_rt_sigframe *)(td->td_sigstk.ss_sp + 319 td->td_sigstk.ss_size - sizeof(struct l_rt_sigframe)); 320 } else 321 fp = (struct l_rt_sigframe *)regs->tf_rsp - 1; 322 mtx_unlock(&psp->ps_mtx); 323 324 /* 325 * Build the argument list for the signal handler. 326 */ 327 if (p->p_sysent->sv_sigtbl) 328 if (sig <= p->p_sysent->sv_sigsize) 329 sig = p->p_sysent->sv_sigtbl[_SIG_IDX(sig)]; 330 331 bzero(&frame, sizeof(frame)); 332 333 frame.sf_handler = PTROUT(catcher); 334 frame.sf_sig = sig; 335 frame.sf_siginfo = PTROUT(&fp->sf_si); 336 frame.sf_ucontext = PTROUT(&fp->sf_sc); 337 338 /* Fill in POSIX parts */ 339 frame.sf_si.lsi_signo = sig; 340 frame.sf_si.lsi_code = code; 341 frame.sf_si.lsi_addr = PTROUT(ksi->ksi_addr); 342 343 /* 344 * Build the signal context to be used by sigreturn. 345 */ 346 frame.sf_sc.uc_flags = 0; /* XXX ??? */ 347 frame.sf_sc.uc_link = 0; /* XXX ??? */ 348 349 frame.sf_sc.uc_stack.ss_sp = PTROUT(td->td_sigstk.ss_sp); 350 frame.sf_sc.uc_stack.ss_size = td->td_sigstk.ss_size; 351 frame.sf_sc.uc_stack.ss_flags = (td->td_pflags & TDP_ALTSTACK) 352 ? ((oonstack) ? LINUX_SS_ONSTACK : 0) : LINUX_SS_DISABLE; 353 PROC_UNLOCK(p); 354 355 bsd_to_linux_sigset(mask, &frame.sf_sc.uc_sigmask); 356 357 frame.sf_sc.uc_mcontext.sc_mask = frame.sf_sc.uc_sigmask.__bits[0]; 358 frame.sf_sc.uc_mcontext.sc_gs = rgs(); 359 frame.sf_sc.uc_mcontext.sc_fs = rfs(); 360 __asm __volatile("movl %%es,%0" : 361 "=rm" (frame.sf_sc.uc_mcontext.sc_es)); 362 __asm __volatile("movl %%ds,%0" : 363 "=rm" (frame.sf_sc.uc_mcontext.sc_ds)); 364 frame.sf_sc.uc_mcontext.sc_edi = regs->tf_rdi; 365 frame.sf_sc.uc_mcontext.sc_esi = regs->tf_rsi; 366 frame.sf_sc.uc_mcontext.sc_ebp = regs->tf_rbp; 367 frame.sf_sc.uc_mcontext.sc_ebx = regs->tf_rbx; 368 frame.sf_sc.uc_mcontext.sc_edx = regs->tf_rdx; 369 frame.sf_sc.uc_mcontext.sc_ecx = regs->tf_rcx; 370 frame.sf_sc.uc_mcontext.sc_eax = regs->tf_rax; 371 frame.sf_sc.uc_mcontext.sc_eip = regs->tf_rip; 372 frame.sf_sc.uc_mcontext.sc_cs = regs->tf_cs; 373 frame.sf_sc.uc_mcontext.sc_eflags = regs->tf_rflags; 374 frame.sf_sc.uc_mcontext.sc_esp_at_signal = regs->tf_rsp; 375 frame.sf_sc.uc_mcontext.sc_ss = regs->tf_ss; 376 frame.sf_sc.uc_mcontext.sc_err = regs->tf_err; 377 frame.sf_sc.uc_mcontext.sc_trapno = bsd_to_linux_trapcode(code); 378 379 #ifdef DEBUG 380 if (ldebug(rt_sendsig)) 381 printf(LMSG("rt_sendsig flags: 0x%x, sp: %p, ss: 0x%lx, mask: 0x%x"), 382 frame.sf_sc.uc_stack.ss_flags, td->td_sigstk.ss_sp, 383 td->td_sigstk.ss_size, frame.sf_sc.uc_mcontext.sc_mask); 384 #endif 385 386 if (copyout(&frame, fp, sizeof(frame)) != 0) { 387 /* 388 * Process has trashed its stack; give it an illegal 389 * instruction to halt it in its tracks. 390 */ 391 #ifdef DEBUG 392 if (ldebug(rt_sendsig)) 393 printf(LMSG("rt_sendsig: bad stack %p, oonstack=%x"), 394 fp, oonstack); 395 #endif 396 PROC_LOCK(p); 397 sigexit(td, SIGILL); 398 } 399 400 /* 401 * Build context to run handler in. 402 */ 403 regs->tf_rsp = PTROUT(fp); 404 regs->tf_rip = LINUX32_PS_STRINGS - *(p->p_sysent->sv_szsigcode) + 405 linux_sznonrtsigcode; 406 regs->tf_rflags &= ~PSL_T; 407 regs->tf_cs = _ucode32sel; 408 regs->tf_ss = _udatasel; 409 load_ds(_udatasel); 410 td->td_pcb->pcb_ds = _udatasel; 411 load_es(_udatasel); 412 td->td_pcb->pcb_es = _udatasel; 413 PROC_LOCK(p); 414 mtx_lock(&psp->ps_mtx); 415 } 416 417 418 /* 419 * Send an interrupt to process. 420 * 421 * Stack is set up to allow sigcode stored 422 * in u. to call routine, followed by kcall 423 * to sigreturn routine below. After sigreturn 424 * resets the signal mask, the stack, and the 425 * frame pointer, it returns to the user 426 * specified pc, psl. 427 */ 428 static void 429 linux_sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask) 430 { 431 struct thread *td = curthread; 432 struct proc *p = td->td_proc; 433 struct sigacts *psp; 434 struct trapframe *regs; 435 struct l_sigframe *fp, frame; 436 l_sigset_t lmask; 437 int oonstack, i; 438 int sig, code; 439 440 sig = ksi->ksi_signo; 441 code = ksi->ksi_code; 442 PROC_LOCK_ASSERT(p, MA_OWNED); 443 psp = p->p_sigacts; 444 mtx_assert(&psp->ps_mtx, MA_OWNED); 445 if (SIGISMEMBER(psp->ps_siginfo, sig)) { 446 /* Signal handler installed with SA_SIGINFO. */ 447 linux_rt_sendsig(catcher, ksi, mask); 448 return; 449 } 450 451 regs = td->td_frame; 452 oonstack = sigonstack(regs->tf_rsp); 453 454 #ifdef DEBUG 455 if (ldebug(sendsig)) 456 printf(ARGS(sendsig, "%p, %d, %p, %u"), 457 catcher, sig, (void*)mask, code); 458 #endif 459 460 /* 461 * Allocate space for the signal handler context. 462 */ 463 if ((td->td_pflags & TDP_ALTSTACK) && !oonstack && 464 SIGISMEMBER(psp->ps_sigonstack, sig)) { 465 fp = (struct l_sigframe *)(td->td_sigstk.ss_sp + 466 td->td_sigstk.ss_size - sizeof(struct l_sigframe)); 467 } else 468 fp = (struct l_sigframe *)regs->tf_rsp - 1; 469 mtx_unlock(&psp->ps_mtx); 470 PROC_UNLOCK(p); 471 472 /* 473 * Build the argument list for the signal handler. 474 */ 475 if (p->p_sysent->sv_sigtbl) 476 if (sig <= p->p_sysent->sv_sigsize) 477 sig = p->p_sysent->sv_sigtbl[_SIG_IDX(sig)]; 478 479 bzero(&frame, sizeof(frame)); 480 481 frame.sf_handler = PTROUT(catcher); 482 frame.sf_sig = sig; 483 484 bsd_to_linux_sigset(mask, &lmask); 485 486 /* 487 * Build the signal context to be used by sigreturn. 488 */ 489 frame.sf_sc.sc_mask = lmask.__bits[0]; 490 frame.sf_sc.sc_gs = rgs(); 491 frame.sf_sc.sc_fs = rfs(); 492 __asm __volatile("movl %%es,%0" : "=rm" (frame.sf_sc.sc_es)); 493 __asm __volatile("movl %%ds,%0" : "=rm" (frame.sf_sc.sc_ds)); 494 frame.sf_sc.sc_edi = regs->tf_rdi; 495 frame.sf_sc.sc_esi = regs->tf_rsi; 496 frame.sf_sc.sc_ebp = regs->tf_rbp; 497 frame.sf_sc.sc_ebx = regs->tf_rbx; 498 frame.sf_sc.sc_edx = regs->tf_rdx; 499 frame.sf_sc.sc_ecx = regs->tf_rcx; 500 frame.sf_sc.sc_eax = regs->tf_rax; 501 frame.sf_sc.sc_eip = regs->tf_rip; 502 frame.sf_sc.sc_cs = regs->tf_cs; 503 frame.sf_sc.sc_eflags = regs->tf_rflags; 504 frame.sf_sc.sc_esp_at_signal = regs->tf_rsp; 505 frame.sf_sc.sc_ss = regs->tf_ss; 506 frame.sf_sc.sc_err = regs->tf_err; 507 frame.sf_sc.sc_trapno = bsd_to_linux_trapcode(code); 508 509 for (i = 0; i < (LINUX_NSIG_WORDS-1); i++) 510 frame.sf_extramask[i] = lmask.__bits[i+1]; 511 512 if (copyout(&frame, fp, sizeof(frame)) != 0) { 513 /* 514 * Process has trashed its stack; give it an illegal 515 * instruction to halt it in its tracks. 516 */ 517 PROC_LOCK(p); 518 sigexit(td, SIGILL); 519 } 520 521 /* 522 * Build context to run handler in. 523 */ 524 regs->tf_rsp = PTROUT(fp); 525 regs->tf_rip = LINUX32_PS_STRINGS - *(p->p_sysent->sv_szsigcode); 526 regs->tf_rflags &= ~PSL_T; 527 regs->tf_cs = _ucode32sel; 528 regs->tf_ss = _udatasel; 529 load_ds(_udatasel); 530 td->td_pcb->pcb_ds = _udatasel; 531 load_es(_udatasel); 532 td->td_pcb->pcb_es = _udatasel; 533 PROC_LOCK(p); 534 mtx_lock(&psp->ps_mtx); 535 } 536 537 /* 538 * System call to cleanup state after a signal 539 * has been taken. Reset signal mask and 540 * stack state from context left by sendsig (above). 541 * Return to previous pc and psl as specified by 542 * context left by sendsig. Check carefully to 543 * make sure that the user has not modified the 544 * psl to gain improper privileges or to cause 545 * a machine fault. 546 */ 547 int 548 linux_sigreturn(struct thread *td, struct linux_sigreturn_args *args) 549 { 550 struct proc *p = td->td_proc; 551 struct l_sigframe frame; 552 struct trapframe *regs; 553 l_sigset_t lmask; 554 int eflags, i; 555 ksiginfo_t ksi; 556 557 regs = td->td_frame; 558 559 #ifdef DEBUG 560 if (ldebug(sigreturn)) 561 printf(ARGS(sigreturn, "%p"), (void *)args->sfp); 562 #endif 563 /* 564 * The trampoline code hands us the sigframe. 565 * It is unsafe to keep track of it ourselves, in the event that a 566 * program jumps out of a signal handler. 567 */ 568 if (copyin(args->sfp, &frame, sizeof(frame)) != 0) 569 return (EFAULT); 570 571 /* 572 * Check for security violations. 573 */ 574 #define EFLAGS_SECURE(ef, oef) ((((ef) ^ (oef)) & ~PSL_USERCHANGE) == 0) 575 eflags = frame.sf_sc.sc_eflags; 576 /* 577 * XXX do allow users to change the privileged flag PSL_RF. The 578 * cpu sets PSL_RF in tf_eflags for faults. Debuggers should 579 * sometimes set it there too. tf_eflags is kept in the signal 580 * context during signal handling and there is no other place 581 * to remember it, so the PSL_RF bit may be corrupted by the 582 * signal handler without us knowing. Corruption of the PSL_RF 583 * bit at worst causes one more or one less debugger trap, so 584 * allowing it is fairly harmless. 585 */ 586 if (!EFLAGS_SECURE(eflags & ~PSL_RF, regs->tf_rflags & ~PSL_RF)) 587 return(EINVAL); 588 589 /* 590 * Don't allow users to load a valid privileged %cs. Let the 591 * hardware check for invalid selectors, excess privilege in 592 * other selectors, invalid %eip's and invalid %esp's. 593 */ 594 #define CS_SECURE(cs) (ISPL(cs) == SEL_UPL) 595 if (!CS_SECURE(frame.sf_sc.sc_cs)) { 596 ksiginfo_init_trap(&ksi); 597 ksi.ksi_signo = SIGBUS; 598 ksi.ksi_code = BUS_OBJERR; 599 ksi.ksi_trapno = T_PROTFLT; 600 ksi.ksi_addr = (void *)regs->tf_rip; 601 trapsignal(td, &ksi); 602 return(EINVAL); 603 } 604 605 lmask.__bits[0] = frame.sf_sc.sc_mask; 606 for (i = 0; i < (LINUX_NSIG_WORDS-1); i++) 607 lmask.__bits[i+1] = frame.sf_extramask[i]; 608 PROC_LOCK(p); 609 linux_to_bsd_sigset(&lmask, &td->td_sigmask); 610 SIG_CANTMASK(td->td_sigmask); 611 signotify(td); 612 PROC_UNLOCK(p); 613 614 /* 615 * Restore signal context. 616 */ 617 /* Selectors were restored by the trampoline. */ 618 regs->tf_rdi = frame.sf_sc.sc_edi; 619 regs->tf_rsi = frame.sf_sc.sc_esi; 620 regs->tf_rbp = frame.sf_sc.sc_ebp; 621 regs->tf_rbx = frame.sf_sc.sc_ebx; 622 regs->tf_rdx = frame.sf_sc.sc_edx; 623 regs->tf_rcx = frame.sf_sc.sc_ecx; 624 regs->tf_rax = frame.sf_sc.sc_eax; 625 regs->tf_rip = frame.sf_sc.sc_eip; 626 regs->tf_cs = frame.sf_sc.sc_cs; 627 regs->tf_rflags = eflags; 628 regs->tf_rsp = frame.sf_sc.sc_esp_at_signal; 629 regs->tf_ss = frame.sf_sc.sc_ss; 630 631 return (EJUSTRETURN); 632 } 633 634 /* 635 * System call to cleanup state after a signal 636 * has been taken. Reset signal mask and 637 * stack state from context left by rt_sendsig (above). 638 * Return to previous pc and psl as specified by 639 * context left by sendsig. Check carefully to 640 * make sure that the user has not modified the 641 * psl to gain improper privileges or to cause 642 * a machine fault. 643 */ 644 int 645 linux_rt_sigreturn(struct thread *td, struct linux_rt_sigreturn_args *args) 646 { 647 struct proc *p = td->td_proc; 648 struct l_ucontext uc; 649 struct l_sigcontext *context; 650 l_stack_t *lss; 651 stack_t ss; 652 struct trapframe *regs; 653 int eflags; 654 ksiginfo_t ksi; 655 656 regs = td->td_frame; 657 658 #ifdef DEBUG 659 if (ldebug(rt_sigreturn)) 660 printf(ARGS(rt_sigreturn, "%p"), (void *)args->ucp); 661 #endif 662 /* 663 * The trampoline code hands us the ucontext. 664 * It is unsafe to keep track of it ourselves, in the event that a 665 * program jumps out of a signal handler. 666 */ 667 if (copyin(args->ucp, &uc, sizeof(uc)) != 0) 668 return (EFAULT); 669 670 context = &uc.uc_mcontext; 671 672 /* 673 * Check for security violations. 674 */ 675 #define EFLAGS_SECURE(ef, oef) ((((ef) ^ (oef)) & ~PSL_USERCHANGE) == 0) 676 eflags = context->sc_eflags; 677 /* 678 * XXX do allow users to change the privileged flag PSL_RF. The 679 * cpu sets PSL_RF in tf_eflags for faults. Debuggers should 680 * sometimes set it there too. tf_eflags is kept in the signal 681 * context during signal handling and there is no other place 682 * to remember it, so the PSL_RF bit may be corrupted by the 683 * signal handler without us knowing. Corruption of the PSL_RF 684 * bit at worst causes one more or one less debugger trap, so 685 * allowing it is fairly harmless. 686 */ 687 if (!EFLAGS_SECURE(eflags & ~PSL_RF, regs->tf_rflags & ~PSL_RF)) 688 return(EINVAL); 689 690 /* 691 * Don't allow users to load a valid privileged %cs. Let the 692 * hardware check for invalid selectors, excess privilege in 693 * other selectors, invalid %eip's and invalid %esp's. 694 */ 695 #define CS_SECURE(cs) (ISPL(cs) == SEL_UPL) 696 if (!CS_SECURE(context->sc_cs)) { 697 ksiginfo_init_trap(&ksi); 698 ksi.ksi_signo = SIGBUS; 699 ksi.ksi_code = BUS_OBJERR; 700 ksi.ksi_trapno = T_PROTFLT; 701 ksi.ksi_addr = (void *)regs->tf_rip; 702 trapsignal(td, &ksi); 703 return(EINVAL); 704 } 705 706 PROC_LOCK(p); 707 linux_to_bsd_sigset(&uc.uc_sigmask, &td->td_sigmask); 708 SIG_CANTMASK(td->td_sigmask); 709 signotify(td); 710 PROC_UNLOCK(p); 711 712 /* 713 * Restore signal context 714 */ 715 /* Selectors were restored by the trampoline. */ 716 regs->tf_rdi = context->sc_edi; 717 regs->tf_rsi = context->sc_esi; 718 regs->tf_rbp = context->sc_ebp; 719 regs->tf_rbx = context->sc_ebx; 720 regs->tf_rdx = context->sc_edx; 721 regs->tf_rcx = context->sc_ecx; 722 regs->tf_rax = context->sc_eax; 723 regs->tf_rip = context->sc_eip; 724 regs->tf_cs = context->sc_cs; 725 regs->tf_rflags = eflags; 726 regs->tf_rsp = context->sc_esp_at_signal; 727 regs->tf_ss = context->sc_ss; 728 729 /* 730 * call sigaltstack & ignore results.. 731 */ 732 lss = &uc.uc_stack; 733 ss.ss_sp = PTRIN(lss->ss_sp); 734 ss.ss_size = lss->ss_size; 735 ss.ss_flags = linux_to_bsd_sigaltstack(lss->ss_flags); 736 737 #ifdef DEBUG 738 if (ldebug(rt_sigreturn)) 739 printf(LMSG("rt_sigret flags: 0x%x, sp: %p, ss: 0x%lx, mask: 0x%x"), 740 ss.ss_flags, ss.ss_sp, ss.ss_size, context->sc_mask); 741 #endif 742 (void)kern_sigaltstack(td, &ss, NULL); 743 744 return (EJUSTRETURN); 745 } 746 747 /* 748 * MPSAFE 749 */ 750 static void 751 linux_prepsyscall(struct trapframe *tf, int *args, u_int *code, caddr_t *params) 752 { 753 args[0] = tf->tf_rbx; 754 args[1] = tf->tf_rcx; 755 args[2] = tf->tf_rdx; 756 args[3] = tf->tf_rsi; 757 args[4] = tf->tf_rdi; 758 args[5] = tf->tf_rbp; /* Unconfirmed */ 759 *params = NULL; /* no copyin */ 760 } 761 762 /* 763 * If a linux binary is exec'ing something, try this image activator 764 * first. We override standard shell script execution in order to 765 * be able to modify the interpreter path. We only do this if a linux 766 * binary is doing the exec, so we do not create an EXEC module for it. 767 */ 768 static int exec_linux_imgact_try(struct image_params *iparams); 769 770 static int 771 exec_linux_imgact_try(struct image_params *imgp) 772 { 773 const char *head = (const char *)imgp->image_header; 774 char *rpath; 775 int error = -1, len; 776 777 /* 778 * The interpreter for shell scripts run from a linux binary needs 779 * to be located in /compat/linux if possible in order to recursively 780 * maintain linux path emulation. 781 */ 782 if (((const short *)head)[0] == SHELLMAGIC) { 783 /* 784 * Run our normal shell image activator. If it succeeds attempt 785 * to use the alternate path for the interpreter. If an alternate 786 * path is found, use our stringspace to store it. 787 */ 788 if ((error = exec_shell_imgact(imgp)) == 0) { 789 linux_emul_convpath(FIRST_THREAD_IN_PROC(imgp->proc), 790 imgp->interpreter_name, UIO_SYSSPACE, &rpath, 0); 791 if (rpath != NULL) { 792 len = strlen(rpath) + 1; 793 794 if (len <= MAXSHELLCMDLEN) { 795 memcpy(imgp->interpreter_name, rpath, len); 796 } 797 free(rpath, M_TEMP); 798 } 799 } 800 } 801 return(error); 802 } 803 804 /* 805 * Clear registers on exec 806 * XXX copied from ia32_signal.c. 807 */ 808 static void 809 exec_linux_setregs(td, entry, stack, ps_strings) 810 struct thread *td; 811 u_long entry; 812 u_long stack; 813 u_long ps_strings; 814 { 815 struct trapframe *regs = td->td_frame; 816 struct pcb *pcb = td->td_pcb; 817 818 wrmsr(MSR_FSBASE, 0); 819 wrmsr(MSR_KGSBASE, 0); /* User value while we're in the kernel */ 820 pcb->pcb_fsbase = 0; 821 pcb->pcb_gsbase = 0; 822 load_ds(_udatasel); 823 load_es(_udatasel); 824 load_fs(_udatasel); 825 load_gs(0); 826 pcb->pcb_ds = _udatasel; 827 pcb->pcb_es = _udatasel; 828 pcb->pcb_fs = _udatasel; 829 pcb->pcb_gs = 0; 830 831 bzero((char *)regs, sizeof(struct trapframe)); 832 regs->tf_rip = entry; 833 regs->tf_rsp = stack; 834 regs->tf_rflags = PSL_USER | (regs->tf_rflags & PSL_T); 835 regs->tf_ss = _udatasel; 836 regs->tf_cs = _ucode32sel; 837 regs->tf_rbx = ps_strings; 838 load_cr0(rcr0() | CR0_MP | CR0_TS); 839 fpstate_drop(td); 840 841 /* Return via doreti so that we can change to a different %cs */ 842 pcb->pcb_flags |= PCB_FULLCTX; 843 td->td_retval[1] = 0; 844 } 845 846 /* 847 * XXX copied from ia32_sysvec.c. 848 */ 849 static register_t * 850 linux_copyout_strings(struct image_params *imgp) 851 { 852 int argc, envc; 853 u_int32_t *vectp; 854 char *stringp, *destp; 855 u_int32_t *stack_base; 856 struct linux32_ps_strings *arginfo; 857 int sigcodesz; 858 859 /* 860 * Calculate string base and vector table pointers. 861 * Also deal with signal trampoline code for this exec type. 862 */ 863 arginfo = (struct linux32_ps_strings *)LINUX32_PS_STRINGS; 864 sigcodesz = *(imgp->proc->p_sysent->sv_szsigcode); 865 destp = (caddr_t)arginfo - sigcodesz - SPARE_USRSPACE - 866 roundup((ARG_MAX - imgp->args->stringspace), sizeof(char *)); 867 868 /* 869 * install sigcode 870 */ 871 if (sigcodesz) 872 copyout(imgp->proc->p_sysent->sv_sigcode, 873 ((caddr_t)arginfo - sigcodesz), szsigcode); 874 875 /* 876 * If we have a valid auxargs ptr, prepare some room 877 * on the stack. 878 */ 879 if (imgp->auxargs) { 880 /* 881 * 'AT_COUNT*2' is size for the ELF Auxargs data. This is for 882 * lower compatibility. 883 */ 884 imgp->auxarg_size = (imgp->auxarg_size) ? imgp->auxarg_size 885 : (AT_COUNT * 2); 886 /* 887 * The '+ 2' is for the null pointers at the end of each of 888 * the arg and env vector sets,and imgp->auxarg_size is room 889 * for argument of Runtime loader. 890 */ 891 vectp = (u_int32_t *) (destp - (imgp->args->argc + imgp->args->envc + 2 + 892 imgp->auxarg_size) * sizeof(u_int32_t)); 893 894 } else 895 /* 896 * The '+ 2' is for the null pointers at the end of each of 897 * the arg and env vector sets 898 */ 899 vectp = (u_int32_t *) 900 (destp - (imgp->args->argc + imgp->args->envc + 2) * sizeof(u_int32_t)); 901 902 /* 903 * vectp also becomes our initial stack base 904 */ 905 stack_base = vectp; 906 907 stringp = imgp->args->begin_argv; 908 argc = imgp->args->argc; 909 envc = imgp->args->envc; 910 /* 911 * Copy out strings - arguments and environment. 912 */ 913 copyout(stringp, destp, ARG_MAX - imgp->args->stringspace); 914 915 /* 916 * Fill in "ps_strings" struct for ps, w, etc. 917 */ 918 suword32(&arginfo->ps_argvstr, (u_int32_t)(intptr_t)vectp); 919 suword32(&arginfo->ps_nargvstr, argc); 920 921 /* 922 * Fill in argument portion of vector table. 923 */ 924 for (; argc > 0; --argc) { 925 suword32(vectp++, (u_int32_t)(intptr_t)destp); 926 while (*stringp++ != 0) 927 destp++; 928 destp++; 929 } 930 931 /* a null vector table pointer separates the argp's from the envp's */ 932 suword32(vectp++, 0); 933 934 suword32(&arginfo->ps_envstr, (u_int32_t)(intptr_t)vectp); 935 suword32(&arginfo->ps_nenvstr, envc); 936 937 /* 938 * Fill in environment portion of vector table. 939 */ 940 for (; envc > 0; --envc) { 941 suword32(vectp++, (u_int32_t)(intptr_t)destp); 942 while (*stringp++ != 0) 943 destp++; 944 destp++; 945 } 946 947 /* end of vector table is a null pointer */ 948 suword32(vectp, 0); 949 950 return ((register_t *)stack_base); 951 } 952 953 SYSCTL_NODE(_compat, OID_AUTO, linux32, CTLFLAG_RW, 0, 954 "32-bit Linux emulation"); 955 956 static u_long linux32_maxdsiz = LINUX32_MAXDSIZ; 957 SYSCTL_ULONG(_compat_linux32, OID_AUTO, maxdsiz, CTLFLAG_RW, 958 &linux32_maxdsiz, 0, ""); 959 static u_long linux32_maxssiz = LINUX32_MAXSSIZ; 960 SYSCTL_ULONG(_compat_linux32, OID_AUTO, maxssiz, CTLFLAG_RW, 961 &linux32_maxssiz, 0, ""); 962 static u_long linux32_maxvmem = LINUX32_MAXVMEM; 963 SYSCTL_ULONG(_compat_linux32, OID_AUTO, maxvmem, CTLFLAG_RW, 964 &linux32_maxvmem, 0, ""); 965 966 /* 967 * XXX copied from ia32_sysvec.c. 968 */ 969 static void 970 linux32_fixlimits(struct proc *p) 971 { 972 struct plimit *oldlim, *newlim; 973 974 if (linux32_maxdsiz == 0 && linux32_maxssiz == 0 && 975 linux32_maxvmem == 0) 976 return; 977 newlim = lim_alloc(); 978 PROC_LOCK(p); 979 oldlim = p->p_limit; 980 lim_copy(newlim, oldlim); 981 if (linux32_maxdsiz != 0) { 982 if (newlim->pl_rlimit[RLIMIT_DATA].rlim_cur > linux32_maxdsiz) 983 newlim->pl_rlimit[RLIMIT_DATA].rlim_cur = linux32_maxdsiz; 984 if (newlim->pl_rlimit[RLIMIT_DATA].rlim_max > linux32_maxdsiz) 985 newlim->pl_rlimit[RLIMIT_DATA].rlim_max = linux32_maxdsiz; 986 } 987 if (linux32_maxssiz != 0) { 988 if (newlim->pl_rlimit[RLIMIT_STACK].rlim_cur > linux32_maxssiz) 989 newlim->pl_rlimit[RLIMIT_STACK].rlim_cur = linux32_maxssiz; 990 if (newlim->pl_rlimit[RLIMIT_STACK].rlim_max > linux32_maxssiz) 991 newlim->pl_rlimit[RLIMIT_STACK].rlim_max = linux32_maxssiz; 992 } 993 if (linux32_maxvmem != 0) { 994 if (newlim->pl_rlimit[RLIMIT_VMEM].rlim_cur > linux32_maxvmem) 995 newlim->pl_rlimit[RLIMIT_VMEM].rlim_cur = linux32_maxvmem; 996 if (newlim->pl_rlimit[RLIMIT_VMEM].rlim_max > linux32_maxvmem) 997 newlim->pl_rlimit[RLIMIT_VMEM].rlim_max = linux32_maxvmem; 998 } 999 p->p_limit = newlim; 1000 PROC_UNLOCK(p); 1001 lim_free(oldlim); 1002 } 1003 1004 struct sysentvec elf_linux_sysvec = { 1005 LINUX_SYS_MAXSYSCALL, 1006 linux_sysent, 1007 0, 1008 LINUX_SIGTBLSZ, 1009 bsd_to_linux_signal, 1010 ELAST + 1, 1011 bsd_to_linux_errno, 1012 translate_traps, 1013 elf_linux_fixup, 1014 linux_sendsig, 1015 linux_sigcode, 1016 &linux_szsigcode, 1017 linux_prepsyscall, 1018 "Linux ELF32", 1019 elf32_coredump, 1020 exec_linux_imgact_try, 1021 LINUX_MINSIGSTKSZ, 1022 PAGE_SIZE, 1023 VM_MIN_ADDRESS, 1024 LINUX32_USRSTACK, 1025 LINUX32_USRSTACK, 1026 LINUX32_PS_STRINGS, 1027 VM_PROT_ALL, 1028 linux_copyout_strings, 1029 exec_linux_setregs, 1030 linux32_fixlimits 1031 }; 1032 1033 static Elf32_Brandinfo linux_brand = { 1034 ELFOSABI_LINUX, 1035 EM_386, 1036 "Linux", 1037 "/compat/linux", 1038 "/lib/ld-linux.so.1", 1039 &elf_linux_sysvec, 1040 NULL, 1041 BI_CAN_EXEC_DYN, 1042 }; 1043 1044 static Elf32_Brandinfo linux_glibc2brand = { 1045 ELFOSABI_LINUX, 1046 EM_386, 1047 "Linux", 1048 "/compat/linux", 1049 "/lib/ld-linux.so.2", 1050 &elf_linux_sysvec, 1051 NULL, 1052 BI_CAN_EXEC_DYN, 1053 }; 1054 1055 Elf32_Brandinfo *linux_brandlist[] = { 1056 &linux_brand, 1057 &linux_glibc2brand, 1058 NULL 1059 }; 1060 1061 static int 1062 linux_elf_modevent(module_t mod, int type, void *data) 1063 { 1064 Elf32_Brandinfo **brandinfo; 1065 int error; 1066 struct linux_ioctl_handler **lihp; 1067 struct linux_device_handler **ldhp; 1068 1069 error = 0; 1070 1071 switch(type) { 1072 case MOD_LOAD: 1073 for (brandinfo = &linux_brandlist[0]; *brandinfo != NULL; 1074 ++brandinfo) 1075 if (elf32_insert_brand_entry(*brandinfo) < 0) 1076 error = EINVAL; 1077 if (error == 0) { 1078 SET_FOREACH(lihp, linux_ioctl_handler_set) 1079 linux_ioctl_register_handler(*lihp); 1080 SET_FOREACH(ldhp, linux_device_handler_set) 1081 linux_device_register_handler(*ldhp); 1082 sx_init(&emul_shared_lock, "emuldata->shared lock"); 1083 LIST_INIT(&futex_list); 1084 mtx_init(&futex_mtx, "futex protection lock", NULL, MTX_DEF); 1085 linux_exit_tag = EVENTHANDLER_REGISTER(process_exit, linux_proc_exit, 1086 NULL, 1000); 1087 linux_schedtail_tag = EVENTHANDLER_REGISTER(schedtail, linux_schedtail, 1088 NULL, 1000); 1089 linux_exec_tag = EVENTHANDLER_REGISTER(process_exec, linux_proc_exec, 1090 NULL, 1000); 1091 if (bootverbose) 1092 printf("Linux ELF exec handler installed\n"); 1093 } else 1094 printf("cannot insert Linux ELF brand handler\n"); 1095 break; 1096 case MOD_UNLOAD: 1097 for (brandinfo = &linux_brandlist[0]; *brandinfo != NULL; 1098 ++brandinfo) 1099 if (elf32_brand_inuse(*brandinfo)) 1100 error = EBUSY; 1101 if (error == 0) { 1102 for (brandinfo = &linux_brandlist[0]; 1103 *brandinfo != NULL; ++brandinfo) 1104 if (elf32_remove_brand_entry(*brandinfo) < 0) 1105 error = EINVAL; 1106 } 1107 if (error == 0) { 1108 SET_FOREACH(lihp, linux_ioctl_handler_set) 1109 linux_ioctl_unregister_handler(*lihp); 1110 SET_FOREACH(ldhp, linux_device_handler_set) 1111 linux_device_unregister_handler(*ldhp); 1112 sx_destroy(&emul_lock); 1113 sx_destroy(&emul_shared_lock); 1114 mtx_destroy(&futex_mtx); 1115 EVENTHANDLER_DEREGISTER(process_exit, linux_exit_tag); 1116 EVENTHANDLER_DEREGISTER(schedtail, linux_schedtail_tag); 1117 EVENTHANDLER_DEREGISTER(process_exec, linux_exec_tag); 1118 if (bootverbose) 1119 printf("Linux ELF exec handler removed\n"); 1120 } else 1121 printf("Could not deinstall ELF interpreter entry\n"); 1122 break; 1123 default: 1124 break; 1125 } 1126 return error; 1127 } 1128 1129 static moduledata_t linux_elf_mod = { 1130 "linuxelf", 1131 linux_elf_modevent, 1132 0 1133 }; 1134 1135 DECLARE_MODULE(linuxelf, linux_elf_mod, SI_SUB_EXEC, SI_ORDER_ANY); 1136