xref: /titanic_51/usr/src/uts/common/os/exec.c (revision 6357b7bb1039bed3ca23c5942e250f1bf1df550f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*	Copyright (c) 1988 AT&T	*/
28 /*	  All Rights Reserved  	*/
29 
30 #include <sys/types.h>
31 #include <sys/param.h>
32 #include <sys/sysmacros.h>
33 #include <sys/systm.h>
34 #include <sys/signal.h>
35 #include <sys/cred_impl.h>
36 #include <sys/policy.h>
37 #include <sys/user.h>
38 #include <sys/errno.h>
39 #include <sys/file.h>
40 #include <sys/vfs.h>
41 #include <sys/vnode.h>
42 #include <sys/mman.h>
43 #include <sys/acct.h>
44 #include <sys/cpuvar.h>
45 #include <sys/proc.h>
46 #include <sys/cmn_err.h>
47 #include <sys/debug.h>
48 #include <sys/pathname.h>
49 #include <sys/vm.h>
50 #include <sys/lgrp.h>
51 #include <sys/vtrace.h>
52 #include <sys/exec.h>
53 #include <sys/exechdr.h>
54 #include <sys/kmem.h>
55 #include <sys/prsystm.h>
56 #include <sys/modctl.h>
57 #include <sys/vmparam.h>
58 #include <sys/door.h>
59 #include <sys/schedctl.h>
60 #include <sys/utrap.h>
61 #include <sys/systeminfo.h>
62 #include <sys/stack.h>
63 #include <sys/rctl.h>
64 #include <sys/dtrace.h>
65 #include <sys/lwpchan_impl.h>
66 #include <sys/pool.h>
67 #include <sys/sdt.h>
68 #include <sys/brand.h>
69 
70 #include <c2/audit.h>
71 
72 #include <vm/hat.h>
73 #include <vm/anon.h>
74 #include <vm/as.h>
75 #include <vm/seg.h>
76 #include <vm/seg_vn.h>
77 
78 #define	PRIV_RESET		0x01	/* needs to reset privs */
79 #define	PRIV_SETID		0x02	/* needs to change uids */
80 #define	PRIV_SETUGID		0x04	/* is setuid/setgid/forced privs */
81 #define	PRIV_INCREASE		0x08	/* child runs with more privs */
82 #define	MAC_FLAGS		0x10	/* need to adjust MAC flags */
83 
84 static int execsetid(struct vnode *, struct vattr *, uid_t *, uid_t *);
85 static int hold_execsw(struct execsw *);
86 
87 uint_t auxv_hwcap = 0;	/* auxv AT_SUN_HWCAP value; determined on the fly */
88 #if defined(_SYSCALL32_IMPL)
89 uint_t auxv_hwcap32 = 0;	/* 32-bit version of auxv_hwcap */
90 #endif
91 
92 #define	PSUIDFLAGS		(SNOCD|SUGID)
93 
94 /*
95  * exece() - system call wrapper around exec_common()
96  */
97 int
98 exece(const char *fname, const char **argp, const char **envp)
99 {
100 	int error;
101 
102 	error = exec_common(fname, argp, envp, EBA_NONE);
103 	return (error ? (set_errno(error)) : 0);
104 }
105 
106 int
107 exec_common(const char *fname, const char **argp, const char **envp,
108     int brand_action)
109 {
110 	vnode_t *vp = NULL, *dir = NULL, *tmpvp = NULL;
111 	proc_t *p = ttoproc(curthread);
112 	klwp_t *lwp = ttolwp(curthread);
113 	struct user *up = PTOU(p);
114 	long execsz;		/* temporary count of exec size */
115 	int i;
116 	int error;
117 	char exec_file[MAXCOMLEN+1];
118 	struct pathname pn;
119 	struct pathname resolvepn;
120 	struct uarg args;
121 	struct execa ua;
122 	k_sigset_t savedmask;
123 	lwpdir_t *lwpdir = NULL;
124 	tidhash_t *tidhash;
125 	lwpdir_t *old_lwpdir = NULL;
126 	uint_t old_lwpdir_sz;
127 	tidhash_t *old_tidhash;
128 	uint_t old_tidhash_sz;
129 	ret_tidhash_t *ret_tidhash;
130 	lwpent_t *lep;
131 	boolean_t brandme = B_FALSE;
132 
133 	/*
134 	 * exec() is not supported for the /proc agent lwp.
135 	 */
136 	if (curthread == p->p_agenttp)
137 		return (ENOTSUP);
138 
139 	if (brand_action != EBA_NONE) {
140 		/*
141 		 * Brand actions are not supported for processes that are not
142 		 * running in a branded zone.
143 		 */
144 		if (!ZONE_IS_BRANDED(p->p_zone))
145 			return (ENOTSUP);
146 
147 		if (brand_action == EBA_NATIVE) {
148 			/* Only branded processes can be unbranded */
149 			if (!PROC_IS_BRANDED(p))
150 				return (ENOTSUP);
151 		} else {
152 			/* Only unbranded processes can be branded */
153 			if (PROC_IS_BRANDED(p))
154 				return (ENOTSUP);
155 			brandme = B_TRUE;
156 		}
157 	} else {
158 		/*
159 		 * If this is a native zone, or if the process is already
160 		 * branded, then we don't need to do anything.  If this is
161 		 * a native process in a branded zone, we need to brand the
162 		 * process as it exec()s the new binary.
163 		 */
164 		if (ZONE_IS_BRANDED(p->p_zone) && !PROC_IS_BRANDED(p))
165 			brandme = B_TRUE;
166 	}
167 
168 	/*
169 	 * Inform /proc that an exec() has started.
170 	 * Hold signals that are ignored by default so that we will
171 	 * not be interrupted by a signal that will be ignored after
172 	 * successful completion of gexec().
173 	 */
174 	mutex_enter(&p->p_lock);
175 	prexecstart();
176 	schedctl_finish_sigblock(curthread);
177 	savedmask = curthread->t_hold;
178 	sigorset(&curthread->t_hold, &ignoredefault);
179 	mutex_exit(&p->p_lock);
180 
181 	/*
182 	 * Look up path name and remember last component for later.
183 	 * To help coreadm expand its %d token, we attempt to save
184 	 * the directory containing the executable in p_execdir. The
185 	 * first call to lookuppn() may fail and return EINVAL because
186 	 * dirvpp is non-NULL. In that case, we make a second call to
187 	 * lookuppn() with dirvpp set to NULL; p_execdir will be NULL,
188 	 * but coreadm is allowed to expand %d to the empty string and
189 	 * there are other cases in which that failure may occur.
190 	 */
191 	if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
192 		goto out;
193 	pn_alloc(&resolvepn);
194 	if ((error = lookuppn(&pn, &resolvepn, FOLLOW, &dir, &vp)) != 0) {
195 		pn_free(&resolvepn);
196 		pn_free(&pn);
197 		if (error != EINVAL)
198 			goto out;
199 
200 		dir = NULL;
201 		if ((error = pn_get((char *)fname, UIO_USERSPACE, &pn)) != 0)
202 			goto out;
203 		pn_alloc(&resolvepn);
204 		if ((error = lookuppn(&pn, &resolvepn, FOLLOW, NULLVPP,
205 		    &vp)) != 0) {
206 			pn_free(&resolvepn);
207 			pn_free(&pn);
208 			goto out;
209 		}
210 	}
211 	if (vp == NULL) {
212 		if (dir != NULL)
213 			VN_RELE(dir);
214 		error = ENOENT;
215 		pn_free(&resolvepn);
216 		pn_free(&pn);
217 		goto out;
218 	}
219 
220 	if ((error = secpolicy_basic_exec(CRED(), vp)) != 0) {
221 		if (dir != NULL)
222 			VN_RELE(dir);
223 		pn_free(&resolvepn);
224 		pn_free(&pn);
225 		VN_RELE(vp);
226 		goto out;
227 	}
228 
229 	/*
230 	 * We do not allow executing files in attribute directories.
231 	 * We test this by determining whether the resolved path
232 	 * contains a "/" when we're in an attribute directory;
233 	 * only if the pathname does not contain a "/" the resolved path
234 	 * points to a file in the current working (attribute) directory.
235 	 */
236 	if ((p->p_user.u_cdir->v_flag & V_XATTRDIR) != 0 &&
237 	    strchr(resolvepn.pn_path, '/') == NULL) {
238 		if (dir != NULL)
239 			VN_RELE(dir);
240 		error = EACCES;
241 		pn_free(&resolvepn);
242 		pn_free(&pn);
243 		VN_RELE(vp);
244 		goto out;
245 	}
246 
247 	bzero(exec_file, MAXCOMLEN+1);
248 	(void) strncpy(exec_file, pn.pn_path, MAXCOMLEN);
249 	bzero(&args, sizeof (args));
250 	args.pathname = resolvepn.pn_path;
251 	/* don't free resolvepn until we are done with args */
252 	pn_free(&pn);
253 
254 	/*
255 	 * Specific exec handlers, or policies determined via
256 	 * /etc/system may override the historical default.
257 	 */
258 	args.stk_prot = PROT_ZFOD;
259 	args.dat_prot = PROT_ZFOD;
260 
261 	CPU_STATS_ADD_K(sys, sysexec, 1);
262 	DTRACE_PROC1(exec, char *, args.pathname);
263 
264 	ua.fname = fname;
265 	ua.argp = argp;
266 	ua.envp = envp;
267 
268 	/* If necessary, brand this process before we start the exec. */
269 	if (brandme)
270 		brand_setbrand(p);
271 
272 	if ((error = gexec(&vp, &ua, &args, NULL, 0, &execsz,
273 	    exec_file, p->p_cred, brand_action)) != 0) {
274 		if (brandme)
275 			brand_clearbrand(p);
276 		VN_RELE(vp);
277 		if (dir != NULL)
278 			VN_RELE(dir);
279 		pn_free(&resolvepn);
280 		goto fail;
281 	}
282 
283 	/*
284 	 * Free floating point registers (sun4u only)
285 	 */
286 	ASSERT(lwp != NULL);
287 	lwp_freeregs(lwp, 1);
288 
289 	/*
290 	 * Free thread and process context ops.
291 	 */
292 	if (curthread->t_ctx)
293 		freectx(curthread, 1);
294 	if (p->p_pctx)
295 		freepctx(p, 1);
296 
297 	/*
298 	 * Remember file name for accounting; clear any cached DTrace predicate.
299 	 */
300 	up->u_acflag &= ~AFORK;
301 	bcopy(exec_file, up->u_comm, MAXCOMLEN+1);
302 	curthread->t_predcache = NULL;
303 
304 	/*
305 	 * Clear contract template state
306 	 */
307 	lwp_ctmpl_clear(lwp);
308 
309 	/*
310 	 * Save the directory in which we found the executable for expanding
311 	 * the %d token used in core file patterns.
312 	 */
313 	mutex_enter(&p->p_lock);
314 	tmpvp = p->p_execdir;
315 	p->p_execdir = dir;
316 	if (p->p_execdir != NULL)
317 		VN_HOLD(p->p_execdir);
318 	mutex_exit(&p->p_lock);
319 
320 	if (tmpvp != NULL)
321 		VN_RELE(tmpvp);
322 
323 	/*
324 	 * Reset stack state to the user stack, clear set of signals
325 	 * caught on the signal stack, and reset list of signals that
326 	 * restart system calls; the new program's environment should
327 	 * not be affected by detritus from the old program.  Any
328 	 * pending held signals remain held, so don't clear t_hold.
329 	 */
330 	mutex_enter(&p->p_lock);
331 	lwp->lwp_oldcontext = 0;
332 	lwp->lwp_ustack = 0;
333 	lwp->lwp_old_stk_ctl = 0;
334 	sigemptyset(&up->u_signodefer);
335 	sigemptyset(&up->u_sigonstack);
336 	sigemptyset(&up->u_sigresethand);
337 	lwp->lwp_sigaltstack.ss_sp = 0;
338 	lwp->lwp_sigaltstack.ss_size = 0;
339 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
340 
341 	/*
342 	 * Make saved resource limit == current resource limit.
343 	 */
344 	for (i = 0; i < RLIM_NLIMITS; i++) {
345 		/*CONSTCOND*/
346 		if (RLIM_SAVED(i)) {
347 			(void) rctl_rlimit_get(rctlproc_legacy[i], p,
348 			    &up->u_saved_rlimit[i]);
349 		}
350 	}
351 
352 	/*
353 	 * If the action was to catch the signal, then the action
354 	 * must be reset to SIG_DFL.
355 	 */
356 	sigdefault(p);
357 	p->p_flag &= ~(SNOWAIT|SJCTL);
358 	p->p_flag |= (SEXECED|SMSACCT|SMSFORK);
359 	up->u_signal[SIGCLD - 1] = SIG_DFL;
360 
361 	/*
362 	 * Delete the dot4 sigqueues/signotifies.
363 	 */
364 	sigqfree(p);
365 
366 	mutex_exit(&p->p_lock);
367 
368 	mutex_enter(&p->p_pflock);
369 	p->p_prof.pr_base = NULL;
370 	p->p_prof.pr_size = 0;
371 	p->p_prof.pr_off = 0;
372 	p->p_prof.pr_scale = 0;
373 	p->p_prof.pr_samples = 0;
374 	mutex_exit(&p->p_pflock);
375 
376 	ASSERT(curthread->t_schedctl == NULL);
377 
378 #if defined(__sparc)
379 	if (p->p_utraps != NULL)
380 		utrap_free(p);
381 #endif	/* __sparc */
382 
383 	/*
384 	 * Close all close-on-exec files.
385 	 */
386 	close_exec(P_FINFO(p));
387 	TRACE_2(TR_FAC_PROC, TR_PROC_EXEC, "proc_exec:p %p up %p", p, up);
388 
389 	/* Unbrand ourself if necessary. */
390 	if (PROC_IS_BRANDED(p) && (brand_action == EBA_NATIVE))
391 		brand_clearbrand(p);
392 
393 	setregs(&args);
394 
395 	/* Mark this as an executable vnode */
396 	mutex_enter(&vp->v_lock);
397 	vp->v_flag |= VVMEXEC;
398 	mutex_exit(&vp->v_lock);
399 
400 	VN_RELE(vp);
401 	if (dir != NULL)
402 		VN_RELE(dir);
403 	pn_free(&resolvepn);
404 
405 	/*
406 	 * Allocate a new lwp directory and lwpid hash table if necessary.
407 	 */
408 	if (curthread->t_tid != 1 || p->p_lwpdir_sz != 2) {
409 		lwpdir = kmem_zalloc(2 * sizeof (lwpdir_t), KM_SLEEP);
410 		lwpdir->ld_next = lwpdir + 1;
411 		tidhash = kmem_zalloc(2 * sizeof (tidhash_t), KM_SLEEP);
412 		if (p->p_lwpdir != NULL)
413 			lep = p->p_lwpdir[curthread->t_dslot].ld_entry;
414 		else
415 			lep = kmem_zalloc(sizeof (*lep), KM_SLEEP);
416 	}
417 
418 	if (PROC_IS_BRANDED(p))
419 		BROP(p)->b_exec();
420 
421 	mutex_enter(&p->p_lock);
422 	prbarrier(p);
423 
424 	/*
425 	 * Reset lwp id to the default value of 1.
426 	 * This is a single-threaded process now
427 	 * and lwp #1 is lwp_wait()able by default.
428 	 * The t_unpark flag should not be inherited.
429 	 */
430 	ASSERT(p->p_lwpcnt == 1 && p->p_zombcnt == 0);
431 	curthread->t_tid = 1;
432 	kpreempt_disable();
433 	ASSERT(curthread->t_lpl != NULL);
434 	p->p_t1_lgrpid = curthread->t_lpl->lpl_lgrpid;
435 	kpreempt_enable();
436 	if (p->p_tr_lgrpid != LGRP_NONE && p->p_tr_lgrpid != p->p_t1_lgrpid) {
437 		lgrp_update_trthr_migrations(1);
438 	}
439 	curthread->t_unpark = 0;
440 	curthread->t_proc_flag |= TP_TWAIT;
441 	curthread->t_proc_flag &= ~TP_DAEMON;	/* daemons shouldn't exec */
442 	p->p_lwpdaemon = 0;			/* but oh well ... */
443 	p->p_lwpid = 1;
444 
445 	/*
446 	 * Install the newly-allocated lwp directory and lwpid hash table
447 	 * and insert the current thread into the new hash table.
448 	 */
449 	if (lwpdir != NULL) {
450 		old_lwpdir = p->p_lwpdir;
451 		old_lwpdir_sz = p->p_lwpdir_sz;
452 		old_tidhash = p->p_tidhash;
453 		old_tidhash_sz = p->p_tidhash_sz;
454 		p->p_lwpdir = p->p_lwpfree = lwpdir;
455 		p->p_lwpdir_sz = 2;
456 		lep->le_thread = curthread;
457 		lep->le_lwpid = curthread->t_tid;
458 		lep->le_start = curthread->t_start;
459 		lwp_hash_in(p, lep, tidhash, 2, 0);
460 		p->p_tidhash = tidhash;
461 		p->p_tidhash_sz = 2;
462 	}
463 	ret_tidhash = p->p_ret_tidhash;
464 	p->p_ret_tidhash = NULL;
465 
466 	/*
467 	 * Restore the saved signal mask and
468 	 * inform /proc that the exec() has finished.
469 	 */
470 	curthread->t_hold = savedmask;
471 	prexecend();
472 	mutex_exit(&p->p_lock);
473 	if (old_lwpdir) {
474 		kmem_free(old_lwpdir, old_lwpdir_sz * sizeof (lwpdir_t));
475 		kmem_free(old_tidhash, old_tidhash_sz * sizeof (tidhash_t));
476 	}
477 	while (ret_tidhash != NULL) {
478 		ret_tidhash_t *next = ret_tidhash->rth_next;
479 		kmem_free(ret_tidhash->rth_tidhash,
480 		    ret_tidhash->rth_tidhash_sz * sizeof (tidhash_t));
481 		kmem_free(ret_tidhash, sizeof (*ret_tidhash));
482 		ret_tidhash = next;
483 	}
484 
485 	ASSERT(error == 0);
486 	DTRACE_PROC(exec__success);
487 	return (0);
488 
489 fail:
490 	DTRACE_PROC1(exec__failure, int, error);
491 out:		/* error return */
492 	mutex_enter(&p->p_lock);
493 	curthread->t_hold = savedmask;
494 	prexecend();
495 	mutex_exit(&p->p_lock);
496 	ASSERT(error != 0);
497 	return (error);
498 }
499 
500 
501 /*
502  * Perform generic exec duties and switchout to object-file specific
503  * handler.
504  */
505 int
506 gexec(
507 	struct vnode **vpp,
508 	struct execa *uap,
509 	struct uarg *args,
510 	struct intpdata *idatap,
511 	int level,
512 	long *execsz,
513 	caddr_t exec_file,
514 	struct cred *cred,
515 	int brand_action)
516 {
517 	struct vnode *vp, *execvp = NULL;
518 	proc_t *pp = ttoproc(curthread);
519 	struct execsw *eswp;
520 	int error = 0;
521 	int suidflags = 0;
522 	ssize_t resid;
523 	uid_t uid, gid;
524 	struct vattr vattr;
525 	char magbuf[MAGIC_BYTES];
526 	int setid;
527 	cred_t *oldcred, *newcred = NULL;
528 	int privflags = 0;
529 	int setidfl;
530 
531 	/*
532 	 * If the SNOCD or SUGID flag is set, turn it off and remember the
533 	 * previous setting so we can restore it if we encounter an error.
534 	 */
535 	if (level == 0 && (pp->p_flag & PSUIDFLAGS)) {
536 		mutex_enter(&pp->p_lock);
537 		suidflags = pp->p_flag & PSUIDFLAGS;
538 		pp->p_flag &= ~PSUIDFLAGS;
539 		mutex_exit(&pp->p_lock);
540 	}
541 
542 	if ((error = execpermissions(*vpp, &vattr, args)) != 0)
543 		goto bad_noclose;
544 
545 	/* need to open vnode for stateful file systems */
546 	if ((error = VOP_OPEN(vpp, FREAD, CRED(), NULL)) != 0)
547 		goto bad_noclose;
548 	vp = *vpp;
549 
550 	/*
551 	 * Note: to support binary compatibility with SunOS a.out
552 	 * executables, we read in the first four bytes, as the
553 	 * magic number is in bytes 2-3.
554 	 */
555 	if (error = vn_rdwr(UIO_READ, vp, magbuf, sizeof (magbuf),
556 	    (offset_t)0, UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid))
557 		goto bad;
558 	if (resid != 0)
559 		goto bad;
560 
561 	if ((eswp = findexec_by_hdr(magbuf)) == NULL)
562 		goto bad;
563 
564 	if (level == 0 &&
565 	    (privflags = execsetid(vp, &vattr, &uid, &gid)) != 0) {
566 
567 		newcred = cred = crdup(cred);
568 
569 		/* If we can, drop the PA bit */
570 		if ((privflags & PRIV_RESET) != 0)
571 			priv_adjust_PA(cred);
572 
573 		if (privflags & PRIV_SETID) {
574 			cred->cr_uid = uid;
575 			cred->cr_gid = gid;
576 			cred->cr_suid = uid;
577 			cred->cr_sgid = gid;
578 		}
579 
580 		if (privflags & MAC_FLAGS) {
581 			if (!(CR_FLAGS(cred) & NET_MAC_AWARE_INHERIT))
582 				CR_FLAGS(cred) &= ~NET_MAC_AWARE;
583 			CR_FLAGS(cred) &= ~NET_MAC_AWARE_INHERIT;
584 		}
585 
586 		/*
587 		 * Implement the privilege updates:
588 		 *
589 		 * Restrict with L:
590 		 *
591 		 *	I' = I & L
592 		 *
593 		 *	E' = P' = (I' + F) & A
594 		 *
595 		 * But if running under ptrace, we cap I with P.
596 		 */
597 		if ((privflags & PRIV_RESET) != 0) {
598 			if ((privflags & PRIV_INCREASE) != 0 &&
599 			    (pp->p_proc_flag & P_PR_PTRACE) != 0)
600 				priv_intersect(&CR_OPPRIV(cred),
601 				    &CR_IPRIV(cred));
602 			priv_intersect(&CR_LPRIV(cred), &CR_IPRIV(cred));
603 			CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred);
604 			priv_adjust_PA(cred);
605 		}
606 	}
607 
608 	/* SunOS 4.x buy-back */
609 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) &&
610 	    (vattr.va_mode & (VSUID|VSGID))) {
611 		char path[MAXNAMELEN];
612 		refstr_t *mntpt = NULL;
613 		int ret = -1;
614 
615 		bzero(path, sizeof (path));
616 		zone_hold(pp->p_zone);
617 
618 		ret = vnodetopath(pp->p_zone->zone_rootvp, vp, path,
619 		    sizeof (path), cred);
620 
621 		/* fallback to mountpoint if a path can't be found */
622 		if ((ret != 0) || (ret == 0 && path[0] == '\0'))
623 			mntpt = vfs_getmntpoint(vp->v_vfsp);
624 
625 		if (mntpt == NULL)
626 			zcmn_err(pp->p_zone->zone_id, CE_NOTE,
627 			    "!uid %d: setuid execution not allowed, "
628 			    "file=%s", cred->cr_uid, path);
629 		else
630 			zcmn_err(pp->p_zone->zone_id, CE_NOTE,
631 			    "!uid %d: setuid execution not allowed, "
632 			    "fs=%s, file=%s", cred->cr_uid,
633 			    ZONE_PATH_TRANSLATE(refstr_value(mntpt),
634 			    pp->p_zone), exec_file);
635 
636 		if (!INGLOBALZONE(pp)) {
637 			/* zone_rootpath always has trailing / */
638 			if (mntpt == NULL)
639 				cmn_err(CE_NOTE, "!zone: %s, uid: %d "
640 				    "setuid execution not allowed, file=%s%s",
641 				    pp->p_zone->zone_name, cred->cr_uid,
642 				    pp->p_zone->zone_rootpath, path + 1);
643 			else
644 				cmn_err(CE_NOTE, "!zone: %s, uid: %d "
645 				    "setuid execution not allowed, fs=%s, "
646 				    "file=%s", pp->p_zone->zone_name,
647 				    cred->cr_uid, refstr_value(mntpt),
648 				    exec_file);
649 		}
650 
651 		if (mntpt != NULL)
652 			refstr_rele(mntpt);
653 
654 		zone_rele(pp->p_zone);
655 	}
656 
657 	/*
658 	 * execsetid() told us whether or not we had to change the
659 	 * credentials of the process.  In privflags, it told us
660 	 * whether we gained any privileges or executed a set-uid executable.
661 	 */
662 	setid = (privflags & (PRIV_SETUGID|PRIV_INCREASE));
663 
664 	/*
665 	 * Use /etc/system variable to determine if the stack
666 	 * should be marked as executable by default.
667 	 */
668 	if (noexec_user_stack)
669 		args->stk_prot &= ~PROT_EXEC;
670 
671 	args->execswp = eswp; /* Save execsw pointer in uarg for exec_func */
672 	args->ex_vp = vp;
673 
674 	/*
675 	 * Traditionally, the setid flags told the sub processes whether
676 	 * the file just executed was set-uid or set-gid; this caused
677 	 * some confusion as the 'setid' flag did not match the SUGID
678 	 * process flag which is only set when the uids/gids do not match.
679 	 * A script set-gid/set-uid to the real uid/gid would start with
680 	 * /dev/fd/X but an executable would happily trust LD_LIBRARY_PATH.
681 	 * Now we flag those cases where the calling process cannot
682 	 * be trusted to influence the newly exec'ed process, either
683 	 * because it runs with more privileges or when the uids/gids
684 	 * do in fact not match.
685 	 * This also makes the runtime linker agree with the on exec
686 	 * values of SNOCD and SUGID.
687 	 */
688 	setidfl = 0;
689 	if (cred->cr_uid != cred->cr_ruid || (cred->cr_rgid != cred->cr_gid &&
690 	    !supgroupmember(cred->cr_gid, cred))) {
691 		setidfl |= EXECSETID_UGIDS;
692 	}
693 	if (setid & PRIV_SETUGID)
694 		setidfl |= EXECSETID_SETID;
695 	if (setid & PRIV_INCREASE)
696 		setidfl |= EXECSETID_PRIVS;
697 
698 	execvp = pp->p_exec;
699 	if (execvp)
700 		VN_HOLD(execvp);
701 
702 	error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
703 	    setidfl, exec_file, cred, brand_action);
704 	rw_exit(eswp->exec_lock);
705 	if (error != 0) {
706 		if (newcred != NULL)
707 			crfree(newcred);
708 		if (execvp)
709 			VN_RELE(execvp);
710 		goto bad;
711 	}
712 
713 	if (level == 0) {
714 		if (execvp != NULL) {
715 			/*
716 			 * Close the previous executable only if we are
717 			 * at level 0.
718 			 */
719 			(void) VOP_CLOSE(execvp, FREAD, 1, (offset_t)0,
720 			    cred, NULL);
721 		}
722 
723 		mutex_enter(&pp->p_crlock);
724 		if (newcred != NULL) {
725 			/*
726 			 * Free the old credentials, and set the new ones.
727 			 * Do this for both the process and the (single) thread.
728 			 */
729 			crfree(pp->p_cred);
730 			pp->p_cred = cred;	/* cred already held for proc */
731 			crhold(cred);		/* hold new cred for thread */
732 			/*
733 			 * DTrace accesses t_cred in probe context.  t_cred
734 			 * must always be either NULL, or point to a valid,
735 			 * allocated cred structure.
736 			 */
737 			oldcred = curthread->t_cred;
738 			curthread->t_cred = cred;
739 			crfree(oldcred);
740 
741 			if (priv_basic_test >= 0 &&
742 			    !PRIV_ISASSERT(&CR_IPRIV(newcred),
743 			    priv_basic_test)) {
744 				pid_t pid = pp->p_pid;
745 				char *fn = PTOU(pp)->u_comm;
746 
747 				cmn_err(CE_WARN, "%s[%d]: exec: basic_test "
748 				    "privilege removed from E/I", fn, pid);
749 			}
750 		}
751 		/*
752 		 * On emerging from a successful exec(), the saved
753 		 * uid and gid equal the effective uid and gid.
754 		 */
755 		cred->cr_suid = cred->cr_uid;
756 		cred->cr_sgid = cred->cr_gid;
757 
758 		/*
759 		 * If the real and effective ids do not match, this
760 		 * is a setuid process that should not dump core.
761 		 * The group comparison is tricky; we prevent the code
762 		 * from flagging SNOCD when executing with an effective gid
763 		 * which is a supplementary group.
764 		 */
765 		if (cred->cr_ruid != cred->cr_uid ||
766 		    (cred->cr_rgid != cred->cr_gid &&
767 		    !supgroupmember(cred->cr_gid, cred)) ||
768 		    (privflags & PRIV_INCREASE) != 0)
769 			suidflags = PSUIDFLAGS;
770 		else
771 			suidflags = 0;
772 
773 		mutex_exit(&pp->p_crlock);
774 		if (suidflags) {
775 			mutex_enter(&pp->p_lock);
776 			pp->p_flag |= suidflags;
777 			mutex_exit(&pp->p_lock);
778 		}
779 		if (setid && (pp->p_proc_flag & P_PR_PTRACE) == 0) {
780 			/*
781 			 * If process is traced via /proc, arrange to
782 			 * invalidate the associated /proc vnode.
783 			 */
784 			if (pp->p_plist || (pp->p_proc_flag & P_PR_TRACE))
785 				args->traceinval = 1;
786 		}
787 		if (pp->p_proc_flag & P_PR_PTRACE)
788 			psignal(pp, SIGTRAP);
789 		if (args->traceinval)
790 			prinvalidate(&pp->p_user);
791 	}
792 	if (execvp)
793 		VN_RELE(execvp);
794 	return (0);
795 
796 bad:
797 	(void) VOP_CLOSE(vp, FREAD, 1, (offset_t)0, cred, NULL);
798 
799 bad_noclose:
800 	if (error == 0)
801 		error = ENOEXEC;
802 
803 	if (suidflags) {
804 		mutex_enter(&pp->p_lock);
805 		pp->p_flag |= suidflags;
806 		mutex_exit(&pp->p_lock);
807 	}
808 	return (error);
809 }
810 
811 extern char *execswnames[];
812 
813 struct execsw *
814 allocate_execsw(char *name, char *magic, size_t magic_size)
815 {
816 	int i, j;
817 	char *ename;
818 	char *magicp;
819 
820 	mutex_enter(&execsw_lock);
821 	for (i = 0; i < nexectype; i++) {
822 		if (execswnames[i] == NULL) {
823 			ename = kmem_alloc(strlen(name) + 1, KM_SLEEP);
824 			(void) strcpy(ename, name);
825 			execswnames[i] = ename;
826 			/*
827 			 * Set the magic number last so that we
828 			 * don't need to hold the execsw_lock in
829 			 * findexectype().
830 			 */
831 			magicp = kmem_alloc(magic_size, KM_SLEEP);
832 			for (j = 0; j < magic_size; j++)
833 				magicp[j] = magic[j];
834 			execsw[i].exec_magic = magicp;
835 			mutex_exit(&execsw_lock);
836 			return (&execsw[i]);
837 		}
838 	}
839 	mutex_exit(&execsw_lock);
840 	return (NULL);
841 }
842 
843 /*
844  * Find the exec switch table entry with the corresponding magic string.
845  */
846 struct execsw *
847 findexecsw(char *magic)
848 {
849 	struct execsw *eswp;
850 
851 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
852 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
853 		if (magic && eswp->exec_maglen != 0 &&
854 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0)
855 			return (eswp);
856 	}
857 	return (NULL);
858 }
859 
860 /*
861  * Find the execsw[] index for the given exec header string by looking for the
862  * magic string at a specified offset and length for each kind of executable
863  * file format until one matches.  If no execsw[] entry is found, try to
864  * autoload a module for this magic string.
865  */
866 struct execsw *
867 findexec_by_hdr(char *header)
868 {
869 	struct execsw *eswp;
870 
871 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
872 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
873 		if (header && eswp->exec_maglen != 0 &&
874 		    bcmp(&header[eswp->exec_magoff], eswp->exec_magic,
875 		    eswp->exec_maglen) == 0) {
876 			if (hold_execsw(eswp) != 0)
877 				return (NULL);
878 			return (eswp);
879 		}
880 	}
881 	return (NULL);	/* couldn't find the type */
882 }
883 
884 /*
885  * Find the execsw[] index for the given magic string.  If no execsw[] entry
886  * is found, try to autoload a module for this magic string.
887  */
888 struct execsw *
889 findexec_by_magic(char *magic)
890 {
891 	struct execsw *eswp;
892 
893 	for (eswp = execsw; eswp < &execsw[nexectype]; eswp++) {
894 		ASSERT(eswp->exec_maglen <= MAGIC_BYTES);
895 		if (magic && eswp->exec_maglen != 0 &&
896 		    bcmp(magic, eswp->exec_magic, eswp->exec_maglen) == 0) {
897 			if (hold_execsw(eswp) != 0)
898 				return (NULL);
899 			return (eswp);
900 		}
901 	}
902 	return (NULL);	/* couldn't find the type */
903 }
904 
905 static int
906 hold_execsw(struct execsw *eswp)
907 {
908 	char *name;
909 
910 	rw_enter(eswp->exec_lock, RW_READER);
911 	while (!LOADED_EXEC(eswp)) {
912 		rw_exit(eswp->exec_lock);
913 		name = execswnames[eswp-execsw];
914 		ASSERT(name);
915 		if (modload("exec", name) == -1)
916 			return (-1);
917 		rw_enter(eswp->exec_lock, RW_READER);
918 	}
919 	return (0);
920 }
921 
922 static int
923 execsetid(struct vnode *vp, struct vattr *vattrp, uid_t *uidp, uid_t *gidp)
924 {
925 	proc_t *pp = ttoproc(curthread);
926 	uid_t uid, gid;
927 	cred_t *cr = pp->p_cred;
928 	int privflags = 0;
929 
930 	/*
931 	 * Remember credentials.
932 	 */
933 	uid = cr->cr_uid;
934 	gid = cr->cr_gid;
935 
936 	/* Will try to reset the PRIV_AWARE bit later. */
937 	if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_INHERIT)) == PRIV_AWARE)
938 		privflags |= PRIV_RESET;
939 
940 	if ((vp->v_vfsp->vfs_flag & VFS_NOSETUID) == 0) {
941 		/*
942 		 * Set-uid root execution only allowed if the limit set
943 		 * holds all unsafe privileges.
944 		 */
945 		if ((vattrp->va_mode & VSUID) && (vattrp->va_uid != 0 ||
946 		    priv_issubset(&priv_unsafe, &CR_LPRIV(cr)))) {
947 			uid = vattrp->va_uid;
948 			privflags |= PRIV_SETUGID;
949 		}
950 		if (vattrp->va_mode & VSGID) {
951 			gid = vattrp->va_gid;
952 			privflags |= PRIV_SETUGID;
953 		}
954 	}
955 
956 	/*
957 	 * Do we need to change our credential anyway?
958 	 * This is the case when E != I or P != I, as
959 	 * we need to do the assignments (with F empty and A full)
960 	 * Or when I is not a subset of L; in that case we need to
961 	 * enforce L.
962 	 *
963 	 *		I' = L & I
964 	 *
965 	 *		E' = P' = (I' + F) & A
966 	 * or
967 	 *		E' = P' = I'
968 	 */
969 	if (!priv_isequalset(&CR_EPRIV(cr), &CR_IPRIV(cr)) ||
970 	    !priv_issubset(&CR_IPRIV(cr), &CR_LPRIV(cr)) ||
971 	    !priv_isequalset(&CR_PPRIV(cr), &CR_IPRIV(cr)))
972 		privflags |= PRIV_RESET;
973 
974 	/* If MAC-aware flag(s) are on, need to update cred to remove. */
975 	if ((CR_FLAGS(cr) & NET_MAC_AWARE) ||
976 	    (CR_FLAGS(cr) & NET_MAC_AWARE_INHERIT))
977 		privflags |= MAC_FLAGS;
978 
979 	/*
980 	 * When we introduce the "forced" set then we will need
981 	 * to set PRIV_INCREASE here if I not a subset of P.
982 	 * If the "allowed" set is introduced we will need to do
983 	 * a similar thing; however, it seems more reasonable to
984 	 * have the allowed set reduce "L": script language interpreters
985 	 * would typically have an allowed set of "all".
986 	 */
987 
988 	/*
989 	 * Set setuid/setgid protections if no ptrace() compatibility.
990 	 * For privileged processes, honor setuid/setgid even in
991 	 * the presence of ptrace() compatibility.
992 	 */
993 	if (((pp->p_proc_flag & P_PR_PTRACE) == 0 ||
994 	    PRIV_POLICY_ONLY(cr, PRIV_PROC_OWNER, (uid == 0))) &&
995 	    (cr->cr_uid != uid ||
996 	    cr->cr_gid != gid ||
997 	    cr->cr_suid != uid ||
998 	    cr->cr_sgid != gid)) {
999 		*uidp = uid;
1000 		*gidp = gid;
1001 		privflags |= PRIV_SETID;
1002 	}
1003 	return (privflags);
1004 }
1005 
1006 int
1007 execpermissions(struct vnode *vp, struct vattr *vattrp, struct uarg *args)
1008 {
1009 	int error;
1010 	proc_t *p = ttoproc(curthread);
1011 
1012 	vattrp->va_mask = AT_MODE | AT_UID | AT_GID | AT_SIZE;
1013 	if (error = VOP_GETATTR(vp, vattrp, ATTR_EXEC, p->p_cred, NULL))
1014 		return (error);
1015 	/*
1016 	 * Check the access mode.
1017 	 * If VPROC, ask /proc if the file is an object file.
1018 	 */
1019 	if ((error = VOP_ACCESS(vp, VEXEC, 0, p->p_cred, NULL)) != 0 ||
1020 	    !(vp->v_type == VREG || (vp->v_type == VPROC && pr_isobject(vp))) ||
1021 	    (vp->v_vfsp->vfs_flag & VFS_NOEXEC) != 0 ||
1022 	    (vattrp->va_mode & (VEXEC|(VEXEC>>3)|(VEXEC>>6))) == 0) {
1023 		if (error == 0)
1024 			error = EACCES;
1025 		return (error);
1026 	}
1027 
1028 	if ((p->p_plist || (p->p_proc_flag & (P_PR_PTRACE|P_PR_TRACE))) &&
1029 	    (error = VOP_ACCESS(vp, VREAD, 0, p->p_cred, NULL))) {
1030 		/*
1031 		 * If process is under ptrace(2) compatibility,
1032 		 * fail the exec(2).
1033 		 */
1034 		if (p->p_proc_flag & P_PR_PTRACE)
1035 			goto bad;
1036 		/*
1037 		 * Process is traced via /proc.
1038 		 * Arrange to invalidate the /proc vnode.
1039 		 */
1040 		args->traceinval = 1;
1041 	}
1042 	return (0);
1043 bad:
1044 	if (error == 0)
1045 		error = ENOEXEC;
1046 	return (error);
1047 }
1048 
1049 /*
1050  * Map a section of an executable file into the user's
1051  * address space.
1052  */
1053 int
1054 execmap(struct vnode *vp, caddr_t addr, size_t len, size_t zfodlen,
1055     off_t offset, int prot, int page, uint_t szc)
1056 {
1057 	int error = 0;
1058 	off_t oldoffset;
1059 	caddr_t zfodbase, oldaddr;
1060 	size_t end, oldlen;
1061 	size_t zfoddiff;
1062 	label_t ljb;
1063 	proc_t *p = ttoproc(curthread);
1064 
1065 	oldaddr = addr;
1066 	addr = (caddr_t)((uintptr_t)addr & (uintptr_t)PAGEMASK);
1067 	if (len) {
1068 		oldlen = len;
1069 		len += ((size_t)oldaddr - (size_t)addr);
1070 		oldoffset = offset;
1071 		offset = (off_t)((uintptr_t)offset & PAGEMASK);
1072 		if (page) {
1073 			spgcnt_t  prefltmem, availm, npages;
1074 			int preread;
1075 			uint_t mflag = MAP_PRIVATE | MAP_FIXED;
1076 
1077 			if ((prot & (PROT_WRITE | PROT_EXEC)) == PROT_EXEC) {
1078 				mflag |= MAP_TEXT;
1079 			} else {
1080 				mflag |= MAP_INITDATA;
1081 			}
1082 
1083 			if (valid_usr_range(addr, len, prot, p->p_as,
1084 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1085 				error = ENOMEM;
1086 				goto bad;
1087 			}
1088 			if (error = VOP_MAP(vp, (offset_t)offset,
1089 			    p->p_as, &addr, len, prot, PROT_ALL,
1090 			    mflag, CRED(), NULL))
1091 				goto bad;
1092 
1093 			/*
1094 			 * If the segment can fit, then we prefault
1095 			 * the entire segment in.  This is based on the
1096 			 * model that says the best working set of a
1097 			 * small program is all of its pages.
1098 			 */
1099 			npages = (spgcnt_t)btopr(len);
1100 			prefltmem = freemem - desfree;
1101 			preread =
1102 			    (npages < prefltmem && len < PGTHRESH) ? 1 : 0;
1103 
1104 			/*
1105 			 * If we aren't prefaulting the segment,
1106 			 * increment "deficit", if necessary to ensure
1107 			 * that pages will become available when this
1108 			 * process starts executing.
1109 			 */
1110 			availm = freemem - lotsfree;
1111 			if (preread == 0 && npages > availm &&
1112 			    deficit < lotsfree) {
1113 				deficit += MIN((pgcnt_t)(npages - availm),
1114 				    lotsfree - deficit);
1115 			}
1116 
1117 			if (preread) {
1118 				TRACE_2(TR_FAC_PROC, TR_EXECMAP_PREREAD,
1119 				    "execmap preread:freemem %d size %lu",
1120 				    freemem, len);
1121 				(void) as_fault(p->p_as->a_hat, p->p_as,
1122 				    (caddr_t)addr, len, F_INVAL, S_READ);
1123 			}
1124 		} else {
1125 			if (valid_usr_range(addr, len, prot, p->p_as,
1126 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1127 				error = ENOMEM;
1128 				goto bad;
1129 			}
1130 
1131 			if (error = as_map(p->p_as, addr, len,
1132 			    segvn_create, zfod_argsp))
1133 				goto bad;
1134 			/*
1135 			 * Read in the segment in one big chunk.
1136 			 */
1137 			if (error = vn_rdwr(UIO_READ, vp, (caddr_t)oldaddr,
1138 			    oldlen, (offset_t)oldoffset, UIO_USERSPACE, 0,
1139 			    (rlim64_t)0, CRED(), (ssize_t *)0))
1140 				goto bad;
1141 			/*
1142 			 * Now set protections.
1143 			 */
1144 			if (prot != PROT_ZFOD) {
1145 				(void) as_setprot(p->p_as, (caddr_t)addr,
1146 				    len, prot);
1147 			}
1148 		}
1149 	}
1150 
1151 	if (zfodlen) {
1152 		struct as *as = curproc->p_as;
1153 		struct seg *seg;
1154 		uint_t zprot = 0;
1155 
1156 		end = (size_t)addr + len;
1157 		zfodbase = (caddr_t)roundup(end, PAGESIZE);
1158 		zfoddiff = (uintptr_t)zfodbase - end;
1159 		if (zfoddiff) {
1160 			/*
1161 			 * Before we go to zero the remaining space on the last
1162 			 * page, make sure we have write permission.
1163 			 */
1164 
1165 			AS_LOCK_ENTER(as, &as->a_lock, RW_READER);
1166 			seg = as_segat(curproc->p_as, (caddr_t)end);
1167 			if (seg != NULL)
1168 				SEGOP_GETPROT(seg, (caddr_t)end, zfoddiff - 1,
1169 				    &zprot);
1170 			AS_LOCK_EXIT(as, &as->a_lock);
1171 
1172 			if (seg != NULL && (zprot & PROT_WRITE) == 0) {
1173 				(void) as_setprot(as, (caddr_t)end,
1174 				    zfoddiff - 1, zprot | PROT_WRITE);
1175 			}
1176 
1177 			if (on_fault(&ljb)) {
1178 				no_fault();
1179 				if (seg != NULL && (zprot & PROT_WRITE) == 0)
1180 					(void) as_setprot(as, (caddr_t)end,
1181 					    zfoddiff - 1, zprot);
1182 				error = EFAULT;
1183 				goto bad;
1184 			}
1185 			uzero((void *)end, zfoddiff);
1186 			no_fault();
1187 			if (seg != NULL && (zprot & PROT_WRITE) == 0)
1188 				(void) as_setprot(as, (caddr_t)end,
1189 				    zfoddiff - 1, zprot);
1190 		}
1191 		if (zfodlen > zfoddiff) {
1192 			struct segvn_crargs crargs =
1193 			    SEGVN_ZFOD_ARGS(PROT_ZFOD, PROT_ALL);
1194 
1195 			zfodlen -= zfoddiff;
1196 			if (valid_usr_range(zfodbase, zfodlen, prot, p->p_as,
1197 			    p->p_as->a_userlimit) != RANGE_OKAY) {
1198 				error = ENOMEM;
1199 				goto bad;
1200 			}
1201 			if (szc > 0) {
1202 				/*
1203 				 * ASSERT alignment because the mapelfexec()
1204 				 * caller for the szc > 0 case extended zfod
1205 				 * so it's end is pgsz aligned.
1206 				 */
1207 				size_t pgsz = page_get_pagesize(szc);
1208 				ASSERT(IS_P2ALIGNED(zfodbase + zfodlen, pgsz));
1209 
1210 				if (IS_P2ALIGNED(zfodbase, pgsz)) {
1211 					crargs.szc = szc;
1212 				} else {
1213 					crargs.szc = AS_MAP_HEAP;
1214 				}
1215 			} else {
1216 				crargs.szc = AS_MAP_NO_LPOOB;
1217 			}
1218 			if (error = as_map(p->p_as, (caddr_t)zfodbase,
1219 			    zfodlen, segvn_create, &crargs))
1220 				goto bad;
1221 			if (prot != PROT_ZFOD) {
1222 				(void) as_setprot(p->p_as, (caddr_t)zfodbase,
1223 				    zfodlen, prot);
1224 			}
1225 		}
1226 	}
1227 	return (0);
1228 bad:
1229 	return (error);
1230 }
1231 
1232 void
1233 setexecenv(struct execenv *ep)
1234 {
1235 	proc_t *p = ttoproc(curthread);
1236 	klwp_t *lwp = ttolwp(curthread);
1237 	struct vnode *vp;
1238 
1239 	p->p_bssbase = ep->ex_bssbase;
1240 	p->p_brkbase = ep->ex_brkbase;
1241 	p->p_brksize = ep->ex_brksize;
1242 	if (p->p_exec)
1243 		VN_RELE(p->p_exec);	/* out with the old */
1244 	vp = p->p_exec = ep->ex_vp;
1245 	if (vp != NULL)
1246 		VN_HOLD(vp);		/* in with the new */
1247 
1248 	lwp->lwp_sigaltstack.ss_sp = 0;
1249 	lwp->lwp_sigaltstack.ss_size = 0;
1250 	lwp->lwp_sigaltstack.ss_flags = SS_DISABLE;
1251 }
1252 
1253 int
1254 execopen(struct vnode **vpp, int *fdp)
1255 {
1256 	struct vnode *vp = *vpp;
1257 	file_t *fp;
1258 	int error = 0;
1259 	int filemode = FREAD;
1260 
1261 	VN_HOLD(vp);		/* open reference */
1262 	if (error = falloc(NULL, filemode, &fp, fdp)) {
1263 		VN_RELE(vp);
1264 		*fdp = -1;	/* just in case falloc changed value */
1265 		return (error);
1266 	}
1267 	if (error = VOP_OPEN(&vp, filemode, CRED(), NULL)) {
1268 		VN_RELE(vp);
1269 		setf(*fdp, NULL);
1270 		unfalloc(fp);
1271 		*fdp = -1;
1272 		return (error);
1273 	}
1274 	*vpp = vp;		/* vnode should not have changed */
1275 	fp->f_vnode = vp;
1276 	mutex_exit(&fp->f_tlock);
1277 	setf(*fdp, fp);
1278 	return (0);
1279 }
1280 
1281 int
1282 execclose(int fd)
1283 {
1284 	return (closeandsetf(fd, NULL));
1285 }
1286 
1287 
1288 /*
1289  * noexec stub function.
1290  */
1291 /*ARGSUSED*/
1292 int
1293 noexec(
1294     struct vnode *vp,
1295     struct execa *uap,
1296     struct uarg *args,
1297     struct intpdata *idatap,
1298     int level,
1299     long *execsz,
1300     int setid,
1301     caddr_t exec_file,
1302     struct cred *cred)
1303 {
1304 	cmn_err(CE_WARN, "missing exec capability for %s", uap->fname);
1305 	return (ENOEXEC);
1306 }
1307 
1308 /*
1309  * Support routines for building a user stack.
1310  *
1311  * execve(path, argv, envp) must construct a new stack with the specified
1312  * arguments and environment variables (see exec_args() for a description
1313  * of the user stack layout).  To do this, we copy the arguments and
1314  * environment variables from the old user address space into the kernel,
1315  * free the old as, create the new as, and copy our buffered information
1316  * to the new stack.  Our kernel buffer has the following structure:
1317  *
1318  *	+-----------------------+ <--- stk_base + stk_size
1319  *	| string offsets	|
1320  *	+-----------------------+ <--- stk_offp
1321  *	|			|
1322  *	| STK_AVAIL() space	|
1323  *	|			|
1324  *	+-----------------------+ <--- stk_strp
1325  *	| strings		|
1326  *	+-----------------------+ <--- stk_base
1327  *
1328  * When we add a string, we store the string's contents (including the null
1329  * terminator) at stk_strp, and we store the offset of the string relative to
1330  * stk_base at --stk_offp.  At strings are added, stk_strp increases and
1331  * stk_offp decreases.  The amount of space remaining, STK_AVAIL(), is just
1332  * the difference between these pointers.  If we run out of space, we return
1333  * an error and exec_args() starts all over again with a buffer twice as large.
1334  * When we're all done, the kernel buffer looks like this:
1335  *
1336  *	+-----------------------+ <--- stk_base + stk_size
1337  *	| argv[0] offset	|
1338  *	+-----------------------+
1339  *	| ...			|
1340  *	+-----------------------+
1341  *	| argv[argc-1] offset	|
1342  *	+-----------------------+
1343  *	| envp[0] offset	|
1344  *	+-----------------------+
1345  *	| ...			|
1346  *	+-----------------------+
1347  *	| envp[envc-1] offset	|
1348  *	+-----------------------+
1349  *	| AT_SUN_PLATFORM offset|
1350  *	+-----------------------+
1351  *	| AT_SUN_EXECNAME offset|
1352  *	+-----------------------+ <--- stk_offp
1353  *	|			|
1354  *	| STK_AVAIL() space	|
1355  *	|			|
1356  *	+-----------------------+ <--- stk_strp
1357  *	| AT_SUN_EXECNAME offset|
1358  *	+-----------------------+
1359  *	| AT_SUN_PLATFORM offset|
1360  *	+-----------------------+
1361  *	| envp[envc-1] string	|
1362  *	+-----------------------+
1363  *	| ...			|
1364  *	+-----------------------+
1365  *	| envp[0] string	|
1366  *	+-----------------------+
1367  *	| argv[argc-1] string	|
1368  *	+-----------------------+
1369  *	| ...			|
1370  *	+-----------------------+
1371  *	| argv[0] string	|
1372  *	+-----------------------+ <--- stk_base
1373  */
1374 
1375 #define	STK_AVAIL(args)		((char *)(args)->stk_offp - (args)->stk_strp)
1376 
1377 /*
1378  * Add a string to the stack.
1379  */
1380 static int
1381 stk_add(uarg_t *args, const char *sp, enum uio_seg segflg)
1382 {
1383 	int error;
1384 	size_t len;
1385 
1386 	if (STK_AVAIL(args) < sizeof (int))
1387 		return (E2BIG);
1388 	*--args->stk_offp = args->stk_strp - args->stk_base;
1389 
1390 	if (segflg == UIO_USERSPACE) {
1391 		error = copyinstr(sp, args->stk_strp, STK_AVAIL(args), &len);
1392 		if (error != 0)
1393 			return (error);
1394 	} else {
1395 		len = strlen(sp) + 1;
1396 		if (len > STK_AVAIL(args))
1397 			return (E2BIG);
1398 		bcopy(sp, args->stk_strp, len);
1399 	}
1400 
1401 	args->stk_strp += len;
1402 
1403 	return (0);
1404 }
1405 
1406 static int
1407 stk_getptr(uarg_t *args, char *src, char **dst)
1408 {
1409 	int error;
1410 
1411 	if (args->from_model == DATAMODEL_NATIVE) {
1412 		ulong_t ptr;
1413 		error = fulword(src, &ptr);
1414 		*dst = (caddr_t)ptr;
1415 	} else {
1416 		uint32_t ptr;
1417 		error = fuword32(src, &ptr);
1418 		*dst = (caddr_t)(uintptr_t)ptr;
1419 	}
1420 	return (error);
1421 }
1422 
1423 static int
1424 stk_putptr(uarg_t *args, char *addr, char *value)
1425 {
1426 	if (args->to_model == DATAMODEL_NATIVE)
1427 		return (sulword(addr, (ulong_t)value));
1428 	else
1429 		return (suword32(addr, (uint32_t)(uintptr_t)value));
1430 }
1431 
1432 static int
1433 stk_copyin(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1434 {
1435 	char *sp;
1436 	int argc, error;
1437 	int argv_empty = 0;
1438 	size_t ptrsize = args->from_ptrsize;
1439 	size_t size, pad;
1440 	char *argv = (char *)uap->argp;
1441 	char *envp = (char *)uap->envp;
1442 
1443 	/*
1444 	 * Copy interpreter's name and argument to argv[0] and argv[1].
1445 	 */
1446 	if (intp != NULL && intp->intp_name != NULL) {
1447 		if ((error = stk_add(args, intp->intp_name, UIO_SYSSPACE)) != 0)
1448 			return (error);
1449 		if (intp->intp_arg != NULL &&
1450 		    (error = stk_add(args, intp->intp_arg, UIO_SYSSPACE)) != 0)
1451 			return (error);
1452 		if (args->fname != NULL)
1453 			error = stk_add(args, args->fname, UIO_SYSSPACE);
1454 		else
1455 			error = stk_add(args, uap->fname, UIO_USERSPACE);
1456 		if (error)
1457 			return (error);
1458 
1459 		/*
1460 		 * Check for an empty argv[].
1461 		 */
1462 		if (stk_getptr(args, argv, &sp))
1463 			return (EFAULT);
1464 		if (sp == NULL)
1465 			argv_empty = 1;
1466 
1467 		argv += ptrsize;		/* ignore original argv[0] */
1468 	}
1469 
1470 	if (argv_empty == 0) {
1471 		/*
1472 		 * Add argv[] strings to the stack.
1473 		 */
1474 		for (;;) {
1475 			if (stk_getptr(args, argv, &sp))
1476 				return (EFAULT);
1477 			if (sp == NULL)
1478 				break;
1479 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1480 				return (error);
1481 			argv += ptrsize;
1482 		}
1483 	}
1484 	argc = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1485 	args->arglen = args->stk_strp - args->stk_base;
1486 
1487 	/*
1488 	 * Add environ[] strings to the stack.
1489 	 */
1490 	if (envp != NULL) {
1491 		for (;;) {
1492 			if (stk_getptr(args, envp, &sp))
1493 				return (EFAULT);
1494 			if (sp == NULL)
1495 				break;
1496 			if ((error = stk_add(args, sp, UIO_USERSPACE)) != 0)
1497 				return (error);
1498 			envp += ptrsize;
1499 		}
1500 	}
1501 	args->na = (int *)(args->stk_base + args->stk_size) - args->stk_offp;
1502 	args->ne = args->na - argc;
1503 
1504 	/*
1505 	 * Add AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME, and
1506 	 * AT_SUN_EMULATOR strings to the stack.
1507 	 */
1508 	if (auxvpp != NULL && *auxvpp != NULL) {
1509 		if ((error = stk_add(args, platform, UIO_SYSSPACE)) != 0)
1510 			return (error);
1511 		if ((error = stk_add(args, args->pathname, UIO_SYSSPACE)) != 0)
1512 			return (error);
1513 		if (args->brandname != NULL &&
1514 		    (error = stk_add(args, args->brandname, UIO_SYSSPACE)) != 0)
1515 			return (error);
1516 		if (args->emulator != NULL &&
1517 		    (error = stk_add(args, args->emulator, UIO_SYSSPACE)) != 0)
1518 			return (error);
1519 	}
1520 
1521 	/*
1522 	 * Compute the size of the stack.  This includes all the pointers,
1523 	 * the space reserved for the aux vector, and all the strings.
1524 	 * The total number of pointers is args->na (which is argc + envc)
1525 	 * plus 4 more: (1) a pointer's worth of space for argc; (2) the NULL
1526 	 * after the last argument (i.e. argv[argc]); (3) the NULL after the
1527 	 * last environment variable (i.e. envp[envc]); and (4) the NULL after
1528 	 * all the strings, at the very top of the stack.
1529 	 */
1530 	size = (args->na + 4) * args->to_ptrsize + args->auxsize +
1531 	    (args->stk_strp - args->stk_base);
1532 
1533 	/*
1534 	 * Pad the string section with zeroes to align the stack size.
1535 	 */
1536 	pad = P2NPHASE(size, args->stk_align);
1537 
1538 	if (STK_AVAIL(args) < pad)
1539 		return (E2BIG);
1540 
1541 	args->usrstack_size = size + pad;
1542 
1543 	while (pad-- != 0)
1544 		*args->stk_strp++ = 0;
1545 
1546 	args->nc = args->stk_strp - args->stk_base;
1547 
1548 	return (0);
1549 }
1550 
1551 static int
1552 stk_copyout(uarg_t *args, char *usrstack, void **auxvpp, user_t *up)
1553 {
1554 	size_t ptrsize = args->to_ptrsize;
1555 	ssize_t pslen;
1556 	char *kstrp = args->stk_base;
1557 	char *ustrp = usrstack - args->nc - ptrsize;
1558 	char *usp = usrstack - args->usrstack_size;
1559 	int *offp = (int *)(args->stk_base + args->stk_size);
1560 	int envc = args->ne;
1561 	int argc = args->na - envc;
1562 	int i;
1563 
1564 	/*
1565 	 * Record argc for /proc.
1566 	 */
1567 	up->u_argc = argc;
1568 
1569 	/*
1570 	 * Put argc on the stack.  Note that even though it's an int,
1571 	 * it always consumes ptrsize bytes (for alignment).
1572 	 */
1573 	if (stk_putptr(args, usp, (char *)(uintptr_t)argc))
1574 		return (-1);
1575 
1576 	/*
1577 	 * Add argc space (ptrsize) to usp and record argv for /proc.
1578 	 */
1579 	up->u_argv = (uintptr_t)(usp += ptrsize);
1580 
1581 	/*
1582 	 * Put the argv[] pointers on the stack.
1583 	 */
1584 	for (i = 0; i < argc; i++, usp += ptrsize)
1585 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1586 			return (-1);
1587 
1588 	/*
1589 	 * Copy arguments to u_psargs.
1590 	 */
1591 	pslen = MIN(args->arglen, PSARGSZ) - 1;
1592 	for (i = 0; i < pslen; i++)
1593 		up->u_psargs[i] = (kstrp[i] == '\0' ? ' ' : kstrp[i]);
1594 	while (i < PSARGSZ)
1595 		up->u_psargs[i++] = '\0';
1596 
1597 	/*
1598 	 * Add space for argv[]'s NULL terminator (ptrsize) to usp and
1599 	 * record envp for /proc.
1600 	 */
1601 	up->u_envp = (uintptr_t)(usp += ptrsize);
1602 
1603 	/*
1604 	 * Put the envp[] pointers on the stack.
1605 	 */
1606 	for (i = 0; i < envc; i++, usp += ptrsize)
1607 		if (stk_putptr(args, usp, &ustrp[*--offp]))
1608 			return (-1);
1609 
1610 	/*
1611 	 * Add space for envp[]'s NULL terminator (ptrsize) to usp and
1612 	 * remember where the stack ends, which is also where auxv begins.
1613 	 */
1614 	args->stackend = usp += ptrsize;
1615 
1616 	/*
1617 	 * Put all the argv[], envp[], and auxv strings on the stack.
1618 	 */
1619 	if (copyout(args->stk_base, ustrp, args->nc))
1620 		return (-1);
1621 
1622 	/*
1623 	 * Fill in the aux vector now that we know the user stack addresses
1624 	 * for the AT_SUN_PLATFORM, AT_SUN_EXECNAME, AT_SUN_BRANDNAME and
1625 	 * AT_SUN_EMULATOR strings.
1626 	 */
1627 	if (auxvpp != NULL && *auxvpp != NULL) {
1628 		if (args->to_model == DATAMODEL_NATIVE) {
1629 			auxv_t **a = (auxv_t **)auxvpp;
1630 			ADDAUX(*a, AT_SUN_PLATFORM, (long)&ustrp[*--offp])
1631 			ADDAUX(*a, AT_SUN_EXECNAME, (long)&ustrp[*--offp])
1632 			if (args->brandname != NULL)
1633 				ADDAUX(*a,
1634 				    AT_SUN_BRANDNAME, (long)&ustrp[*--offp])
1635 			if (args->emulator != NULL)
1636 				ADDAUX(*a,
1637 				    AT_SUN_EMULATOR, (long)&ustrp[*--offp])
1638 		} else {
1639 			auxv32_t **a = (auxv32_t **)auxvpp;
1640 			ADDAUX(*a,
1641 			    AT_SUN_PLATFORM, (int)(uintptr_t)&ustrp[*--offp])
1642 			ADDAUX(*a,
1643 			    AT_SUN_EXECNAME, (int)(uintptr_t)&ustrp[*--offp])
1644 			if (args->brandname != NULL)
1645 				ADDAUX(*a, AT_SUN_BRANDNAME,
1646 				    (int)(uintptr_t)&ustrp[*--offp])
1647 			if (args->emulator != NULL)
1648 				ADDAUX(*a, AT_SUN_EMULATOR,
1649 				    (int)(uintptr_t)&ustrp[*--offp])
1650 		}
1651 	}
1652 
1653 	return (0);
1654 }
1655 
1656 /*
1657  * Initialize a new user stack with the specified arguments and environment.
1658  * The initial user stack layout is as follows:
1659  *
1660  *	User Stack
1661  *	+---------------+ <--- curproc->p_usrstack
1662  *	|		|
1663  *	| slew		|
1664  *	|		|
1665  *	+---------------+
1666  *	| NULL		|
1667  *	+---------------+
1668  *	|		|
1669  *	| auxv strings	|
1670  *	|		|
1671  *	+---------------+
1672  *	|		|
1673  *	| envp strings	|
1674  *	|		|
1675  *	+---------------+
1676  *	|		|
1677  *	| argv strings	|
1678  *	|		|
1679  *	+---------------+ <--- ustrp
1680  *	|		|
1681  *	| aux vector	|
1682  *	|		|
1683  *	+---------------+ <--- auxv
1684  *	| NULL		|
1685  *	+---------------+
1686  *	| envp[envc-1]	|
1687  *	+---------------+
1688  *	| ...		|
1689  *	+---------------+
1690  *	| envp[0]	|
1691  *	+---------------+ <--- envp[]
1692  *	| NULL		|
1693  *	+---------------+
1694  *	| argv[argc-1]	|
1695  *	+---------------+
1696  *	| ...		|
1697  *	+---------------+
1698  *	| argv[0]	|
1699  *	+---------------+ <--- argv[]
1700  *	| argc		|
1701  *	+---------------+ <--- stack base
1702  */
1703 int
1704 exec_args(execa_t *uap, uarg_t *args, intpdata_t *intp, void **auxvpp)
1705 {
1706 	size_t size;
1707 	int error;
1708 	proc_t *p = ttoproc(curthread);
1709 	user_t *up = PTOU(p);
1710 	char *usrstack;
1711 	rctl_entity_p_t e;
1712 	struct as *as;
1713 	extern int use_stk_lpg;
1714 	size_t sp_slew;
1715 
1716 	args->from_model = p->p_model;
1717 	if (p->p_model == DATAMODEL_NATIVE) {
1718 		args->from_ptrsize = sizeof (long);
1719 	} else {
1720 		args->from_ptrsize = sizeof (int32_t);
1721 	}
1722 
1723 	if (args->to_model == DATAMODEL_NATIVE) {
1724 		args->to_ptrsize = sizeof (long);
1725 		args->ncargs = NCARGS;
1726 		args->stk_align = STACK_ALIGN;
1727 		if (args->addr32)
1728 			usrstack = (char *)USRSTACK64_32;
1729 		else
1730 			usrstack = (char *)USRSTACK;
1731 	} else {
1732 		args->to_ptrsize = sizeof (int32_t);
1733 		args->ncargs = NCARGS32;
1734 		args->stk_align = STACK_ALIGN32;
1735 		usrstack = (char *)USRSTACK32;
1736 	}
1737 
1738 	ASSERT(P2PHASE((uintptr_t)usrstack, args->stk_align) == 0);
1739 
1740 #if defined(__sparc)
1741 	/*
1742 	 * Make sure user register windows are empty before
1743 	 * attempting to make a new stack.
1744 	 */
1745 	(void) flush_user_windows_to_stack(NULL);
1746 #endif
1747 
1748 	for (size = PAGESIZE; ; size *= 2) {
1749 		args->stk_size = size;
1750 		args->stk_base = kmem_alloc(size, KM_SLEEP);
1751 		args->stk_strp = args->stk_base;
1752 		args->stk_offp = (int *)(args->stk_base + size);
1753 		error = stk_copyin(uap, args, intp, auxvpp);
1754 		if (error == 0)
1755 			break;
1756 		kmem_free(args->stk_base, size);
1757 		if (error != E2BIG && error != ENAMETOOLONG)
1758 			return (error);
1759 		if (size >= args->ncargs)
1760 			return (E2BIG);
1761 	}
1762 
1763 	size = args->usrstack_size;
1764 
1765 	ASSERT(error == 0);
1766 	ASSERT(P2PHASE(size, args->stk_align) == 0);
1767 	ASSERT((ssize_t)STK_AVAIL(args) >= 0);
1768 
1769 	if (size > args->ncargs) {
1770 		kmem_free(args->stk_base, args->stk_size);
1771 		return (E2BIG);
1772 	}
1773 
1774 	/*
1775 	 * Leave only the current lwp and force the other lwps to exit.
1776 	 * If another lwp beat us to the punch by calling exit(), bail out.
1777 	 */
1778 	if ((error = exitlwps(0)) != 0) {
1779 		kmem_free(args->stk_base, args->stk_size);
1780 		return (error);
1781 	}
1782 
1783 	/*
1784 	 * Revoke any doors created by the process.
1785 	 */
1786 	if (p->p_door_list)
1787 		door_exit();
1788 
1789 	/*
1790 	 * Release schedctl data structures.
1791 	 */
1792 	if (p->p_pagep)
1793 		schedctl_proc_cleanup();
1794 
1795 	/*
1796 	 * Clean up any DTrace helpers for the process.
1797 	 */
1798 	if (p->p_dtrace_helpers != NULL) {
1799 		ASSERT(dtrace_helpers_cleanup != NULL);
1800 		(*dtrace_helpers_cleanup)();
1801 	}
1802 
1803 	mutex_enter(&p->p_lock);
1804 	/*
1805 	 * Cleanup the DTrace provider associated with this process.
1806 	 */
1807 	if (p->p_dtrace_probes) {
1808 		ASSERT(dtrace_fasttrap_exec_ptr != NULL);
1809 		dtrace_fasttrap_exec_ptr(p);
1810 	}
1811 	mutex_exit(&p->p_lock);
1812 
1813 	/*
1814 	 * discard the lwpchan cache.
1815 	 */
1816 	if (p->p_lcp != NULL)
1817 		lwpchan_destroy_cache(1);
1818 
1819 	/*
1820 	 * Delete the POSIX timers.
1821 	 */
1822 	if (p->p_itimer != NULL)
1823 		timer_exit();
1824 
1825 	/*
1826 	 * Delete the ITIMER_REALPROF interval timer.
1827 	 * The other ITIMER_* interval timers are specified
1828 	 * to be inherited across exec().
1829 	 */
1830 	delete_itimer_realprof();
1831 
1832 	if (audit_active)
1833 		audit_exec(args->stk_base, args->stk_base + args->arglen,
1834 		    args->na - args->ne, args->ne);
1835 
1836 	/*
1837 	 * Ensure that we don't change resource associations while we
1838 	 * change address spaces.
1839 	 */
1840 	mutex_enter(&p->p_lock);
1841 	pool_barrier_enter();
1842 	mutex_exit(&p->p_lock);
1843 
1844 	/*
1845 	 * Destroy the old address space and create a new one.
1846 	 * From here on, any errors are fatal to the exec()ing process.
1847 	 * On error we return -1, which means the caller must SIGKILL
1848 	 * the process.
1849 	 */
1850 	relvm();
1851 
1852 	mutex_enter(&p->p_lock);
1853 	pool_barrier_exit();
1854 	mutex_exit(&p->p_lock);
1855 
1856 	up->u_execsw = args->execswp;
1857 
1858 	p->p_brkbase = NULL;
1859 	p->p_brksize = 0;
1860 	p->p_brkpageszc = 0;
1861 	p->p_stksize = 0;
1862 	p->p_stkpageszc = 0;
1863 	p->p_model = args->to_model;
1864 	p->p_usrstack = usrstack;
1865 	p->p_stkprot = args->stk_prot;
1866 	p->p_datprot = args->dat_prot;
1867 
1868 	/*
1869 	 * Reset resource controls such that all controls are again active as
1870 	 * well as appropriate to the potentially new address model for the
1871 	 * process.
1872 	 */
1873 	e.rcep_p.proc = p;
1874 	e.rcep_t = RCENTITY_PROCESS;
1875 	rctl_set_reset(p->p_rctls, p, &e);
1876 
1877 	/* Too early to call map_pgsz for the heap */
1878 	if (use_stk_lpg) {
1879 		p->p_stkpageszc = page_szc(map_pgsz(MAPPGSZ_STK, p, 0, 0, 0));
1880 	}
1881 
1882 	mutex_enter(&p->p_lock);
1883 	p->p_flag |= SAUTOLPG;	/* kernel controls page sizes */
1884 	mutex_exit(&p->p_lock);
1885 
1886 	/*
1887 	 * Some platforms may choose to randomize real stack start by adding a
1888 	 * small slew (not more than a few hundred bytes) to the top of the
1889 	 * stack. This helps avoid cache thrashing when identical processes
1890 	 * simultaneously share caches that don't provide enough associativity
1891 	 * (e.g. sun4v systems). In this case stack slewing makes the same hot
1892 	 * stack variables in different processes to live in different cache
1893 	 * sets increasing effective associativity.
1894 	 */
1895 	sp_slew = exec_get_spslew();
1896 	ASSERT(P2PHASE(sp_slew, args->stk_align) == 0);
1897 	exec_set_sp(size + sp_slew);
1898 
1899 	as = as_alloc();
1900 	p->p_as = as;
1901 	as->a_proc = p;
1902 	if (p->p_model == DATAMODEL_ILP32 || args->addr32)
1903 		as->a_userlimit = (caddr_t)USERLIMIT32;
1904 	(void) hat_setup(as->a_hat, HAT_ALLOC);
1905 	hat_join_srd(as->a_hat, args->ex_vp);
1906 
1907 	/*
1908 	 * Finally, write out the contents of the new stack.
1909 	 */
1910 	error = stk_copyout(args, usrstack - sp_slew, auxvpp, up);
1911 	kmem_free(args->stk_base, args->stk_size);
1912 	return (error);
1913 }
1914