1 /* 2 * Copyright (c) 1982, 1986, 1989, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by the University of 16 * California, Berkeley and its contributors. 17 * 4. Neither the name of the University nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * @(#)uipc_usrreq.c 8.3 (Berkeley) 1/4/94 34 * $Id$ 35 */ 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/proc.h> 40 #include <sys/filedesc.h> 41 #include <sys/domain.h> 42 #include <sys/protosw.h> 43 #include <sys/socket.h> 44 #include <sys/socketvar.h> 45 #include <sys/unpcb.h> 46 #include <sys/un.h> 47 #include <sys/namei.h> 48 #include <sys/vnode.h> 49 #include <sys/file.h> 50 #include <sys/stat.h> 51 #include <sys/mbuf.h> 52 53 void unp_detach __P((struct unpcb *)); 54 void unp_disconnect __P((struct unpcb *)); 55 void unp_shutdown __P((struct unpcb *)); 56 void unp_drop __P((struct unpcb *, int)); 57 void unp_gc __P((void)); 58 void unp_scan __P((struct mbuf *, void (*)(struct file *))); 59 void unp_mark __P((struct file *)); 60 void unp_discard __P((struct file *)); 61 62 /* 63 * Unix communications domain. 64 * 65 * TODO: 66 * SEQPACKET, RDM 67 * rethink name space problems 68 * need a proper out-of-band 69 */ 70 struct sockaddr sun_noname = { sizeof(sun_noname), AF_UNIX }; 71 ino_t unp_ino; /* prototype for fake inode numbers */ 72 73 /*ARGSUSED*/ 74 int 75 uipc_usrreq(so, req, m, nam, control) 76 struct socket *so; 77 int req; 78 struct mbuf *m, *nam, *control; 79 { 80 struct unpcb *unp = sotounpcb(so); 81 register struct socket *so2; 82 register int error = 0; 83 struct proc *p = curproc; /* XXX */ 84 85 if (req == PRU_CONTROL) 86 return (EOPNOTSUPP); 87 if (req != PRU_SEND && control && control->m_len) { 88 error = EOPNOTSUPP; 89 goto release; 90 } 91 if (unp == 0 && req != PRU_ATTACH) { 92 error = EINVAL; 93 goto release; 94 } 95 switch (req) { 96 97 case PRU_ATTACH: 98 if (unp) { 99 error = EISCONN; 100 break; 101 } 102 error = unp_attach(so); 103 break; 104 105 case PRU_DETACH: 106 unp_detach(unp); 107 break; 108 109 case PRU_BIND: 110 error = unp_bind(unp, nam, p); 111 break; 112 113 case PRU_LISTEN: 114 if (unp->unp_vnode == 0) 115 error = EINVAL; 116 break; 117 118 case PRU_CONNECT: 119 error = unp_connect(so, nam, p); 120 break; 121 122 case PRU_CONNECT2: 123 error = unp_connect2(so, (struct socket *)nam); 124 break; 125 126 case PRU_DISCONNECT: 127 unp_disconnect(unp); 128 break; 129 130 case PRU_ACCEPT: 131 /* 132 * Pass back name of connected socket, 133 * if it was bound and we are still connected 134 * (our peer may have closed already!). 135 */ 136 if (unp->unp_conn && unp->unp_conn->unp_addr) { 137 nam->m_len = unp->unp_conn->unp_addr->m_len; 138 bcopy(mtod(unp->unp_conn->unp_addr, caddr_t), 139 mtod(nam, caddr_t), (unsigned)nam->m_len); 140 } else { 141 nam->m_len = sizeof(sun_noname); 142 *(mtod(nam, struct sockaddr *)) = sun_noname; 143 } 144 break; 145 146 case PRU_SHUTDOWN: 147 socantsendmore(so); 148 unp_shutdown(unp); 149 break; 150 151 case PRU_RCVD: 152 switch (so->so_type) { 153 154 case SOCK_DGRAM: 155 panic("uipc 1"); 156 /*NOTREACHED*/ 157 158 case SOCK_STREAM: 159 #define rcv (&so->so_rcv) 160 #define snd (&so2->so_snd) 161 if (unp->unp_conn == 0) 162 break; 163 so2 = unp->unp_conn->unp_socket; 164 /* 165 * Adjust backpressure on sender 166 * and wakeup any waiting to write. 167 */ 168 snd->sb_mbmax += unp->unp_mbcnt - rcv->sb_mbcnt; 169 unp->unp_mbcnt = rcv->sb_mbcnt; 170 snd->sb_hiwat += unp->unp_cc - rcv->sb_cc; 171 unp->unp_cc = rcv->sb_cc; 172 sowwakeup(so2); 173 #undef snd 174 #undef rcv 175 break; 176 177 default: 178 panic("uipc 2"); 179 } 180 break; 181 182 case PRU_SEND: 183 if (control && (error = unp_internalize(control, p))) 184 break; 185 switch (so->so_type) { 186 187 case SOCK_DGRAM: { 188 struct sockaddr *from; 189 190 if (nam) { 191 if (unp->unp_conn) { 192 error = EISCONN; 193 break; 194 } 195 error = unp_connect(so, nam, p); 196 if (error) 197 break; 198 } else { 199 if (unp->unp_conn == 0) { 200 error = ENOTCONN; 201 break; 202 } 203 } 204 so2 = unp->unp_conn->unp_socket; 205 if (unp->unp_addr) 206 from = mtod(unp->unp_addr, struct sockaddr *); 207 else 208 from = &sun_noname; 209 if (sbappendaddr(&so2->so_rcv, from, m, control)) { 210 sorwakeup(so2); 211 m = 0; 212 control = 0; 213 } else 214 error = ENOBUFS; 215 if (nam) 216 unp_disconnect(unp); 217 break; 218 } 219 220 case SOCK_STREAM: 221 #define rcv (&so2->so_rcv) 222 #define snd (&so->so_snd) 223 if (so->so_state & SS_CANTSENDMORE) { 224 error = EPIPE; 225 break; 226 } 227 if (unp->unp_conn == 0) 228 panic("uipc 3"); 229 so2 = unp->unp_conn->unp_socket; 230 /* 231 * Send to paired receive port, and then reduce 232 * send buffer hiwater marks to maintain backpressure. 233 * Wake up readers. 234 */ 235 if (control) { 236 if (sbappendcontrol(rcv, m, control)) 237 control = 0; 238 } else 239 sbappend(rcv, m); 240 snd->sb_mbmax -= 241 rcv->sb_mbcnt - unp->unp_conn->unp_mbcnt; 242 unp->unp_conn->unp_mbcnt = rcv->sb_mbcnt; 243 snd->sb_hiwat -= rcv->sb_cc - unp->unp_conn->unp_cc; 244 unp->unp_conn->unp_cc = rcv->sb_cc; 245 sorwakeup(so2); 246 m = 0; 247 #undef snd 248 #undef rcv 249 break; 250 251 default: 252 panic("uipc 4"); 253 } 254 break; 255 256 case PRU_ABORT: 257 unp_drop(unp, ECONNABORTED); 258 break; 259 260 case PRU_SENSE: 261 ((struct stat *) m)->st_blksize = so->so_snd.sb_hiwat; 262 if (so->so_type == SOCK_STREAM && unp->unp_conn != 0) { 263 so2 = unp->unp_conn->unp_socket; 264 ((struct stat *) m)->st_blksize += so2->so_rcv.sb_cc; 265 } 266 ((struct stat *) m)->st_dev = NODEV; 267 if (unp->unp_ino == 0) 268 unp->unp_ino = unp_ino++; 269 ((struct stat *) m)->st_ino = unp->unp_ino; 270 return (0); 271 272 case PRU_RCVOOB: 273 return (EOPNOTSUPP); 274 275 case PRU_SENDOOB: 276 error = EOPNOTSUPP; 277 break; 278 279 case PRU_SOCKADDR: 280 if (unp->unp_addr) { 281 nam->m_len = unp->unp_addr->m_len; 282 bcopy(mtod(unp->unp_addr, caddr_t), 283 mtod(nam, caddr_t), (unsigned)nam->m_len); 284 } else 285 nam->m_len = 0; 286 break; 287 288 case PRU_PEERADDR: 289 if (unp->unp_conn && unp->unp_conn->unp_addr) { 290 nam->m_len = unp->unp_conn->unp_addr->m_len; 291 bcopy(mtod(unp->unp_conn->unp_addr, caddr_t), 292 mtod(nam, caddr_t), (unsigned)nam->m_len); 293 } else 294 nam->m_len = 0; 295 break; 296 297 case PRU_SLOWTIMO: 298 break; 299 300 default: 301 panic("piusrreq"); 302 } 303 release: 304 if (control) 305 m_freem(control); 306 if (m) 307 m_freem(m); 308 return (error); 309 } 310 311 /* 312 * Both send and receive buffers are allocated PIPSIZ bytes of buffering 313 * for stream sockets, although the total for sender and receiver is 314 * actually only PIPSIZ. 315 * Datagram sockets really use the sendspace as the maximum datagram size, 316 * and don't really want to reserve the sendspace. Their recvspace should 317 * be large enough for at least one max-size datagram plus address. 318 */ 319 #define PIPSIZ 4096 320 u_long unpst_sendspace = PIPSIZ; 321 u_long unpst_recvspace = PIPSIZ; 322 u_long unpdg_sendspace = 2*1024; /* really max datagram size */ 323 u_long unpdg_recvspace = 4*1024; 324 325 int unp_rights; /* file descriptors in flight */ 326 327 int 328 unp_attach(so) 329 struct socket *so; 330 { 331 register struct mbuf *m; 332 register struct unpcb *unp; 333 int error; 334 335 if (so->so_snd.sb_hiwat == 0 || so->so_rcv.sb_hiwat == 0) { 336 switch (so->so_type) { 337 338 case SOCK_STREAM: 339 error = soreserve(so, unpst_sendspace, unpst_recvspace); 340 break; 341 342 case SOCK_DGRAM: 343 error = soreserve(so, unpdg_sendspace, unpdg_recvspace); 344 break; 345 346 default: 347 panic("unp_attach"); 348 } 349 if (error) 350 return (error); 351 } 352 m = m_getclr(M_DONTWAIT, MT_PCB); 353 if (m == NULL) 354 return (ENOBUFS); 355 unp = mtod(m, struct unpcb *); 356 so->so_pcb = (caddr_t)unp; 357 unp->unp_socket = so; 358 return (0); 359 } 360 361 void 362 unp_detach(unp) 363 register struct unpcb *unp; 364 { 365 366 if (unp->unp_vnode) { 367 unp->unp_vnode->v_socket = 0; 368 vrele(unp->unp_vnode); 369 unp->unp_vnode = 0; 370 } 371 if (unp->unp_conn) 372 unp_disconnect(unp); 373 while (unp->unp_refs) 374 unp_drop(unp->unp_refs, ECONNRESET); 375 soisdisconnected(unp->unp_socket); 376 unp->unp_socket->so_pcb = 0; 377 m_freem(unp->unp_addr); 378 (void) m_free(dtom(unp)); 379 if (unp_rights) { 380 /* 381 * Normally the receive buffer is flushed later, 382 * in sofree, but if our receive buffer holds references 383 * to descriptors that are now garbage, we will dispose 384 * of those descriptor references after the garbage collector 385 * gets them (resulting in a "panic: closef: count < 0"). 386 */ 387 sorflush(unp->unp_socket); 388 unp_gc(); 389 } 390 } 391 392 int 393 unp_bind(unp, nam, p) 394 struct unpcb *unp; 395 struct mbuf *nam; 396 struct proc *p; 397 { 398 struct sockaddr_un *soun = mtod(nam, struct sockaddr_un *); 399 register struct vnode *vp; 400 struct vattr vattr; 401 int error; 402 struct nameidata nd; 403 404 NDINIT(&nd, CREATE, FOLLOW | LOCKPARENT, UIO_SYSSPACE, 405 soun->sun_path, p); 406 if (unp->unp_vnode != NULL) 407 return (EINVAL); 408 if (nam->m_len == MLEN) { 409 if (*(mtod(nam, caddr_t) + nam->m_len - 1) != 0) 410 return (EINVAL); 411 } else 412 *(mtod(nam, caddr_t) + nam->m_len) = 0; 413 /* SHOULD BE ABLE TO ADOPT EXISTING AND wakeup() ALA FIFO's */ 414 if (error = namei(&nd)) 415 return (error); 416 vp = nd.ni_vp; 417 if (vp != NULL) { 418 VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd); 419 if (nd.ni_dvp == vp) 420 vrele(nd.ni_dvp); 421 else 422 vput(nd.ni_dvp); 423 vrele(vp); 424 return (EADDRINUSE); 425 } 426 VATTR_NULL(&vattr); 427 vattr.va_type = VSOCK; 428 vattr.va_mode = ACCESSPERMS; 429 LEASE_CHECK(nd.ni_dvp, p, p->p_ucred, LEASE_WRITE); 430 if (error = VOP_CREATE(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr)) 431 return (error); 432 vp = nd.ni_vp; 433 vp->v_socket = unp->unp_socket; 434 unp->unp_vnode = vp; 435 unp->unp_addr = m_copy(nam, 0, (int)M_COPYALL); 436 VOP_UNLOCK(vp); 437 return (0); 438 } 439 440 int 441 unp_connect(so, nam, p) 442 struct socket *so; 443 struct mbuf *nam; 444 struct proc *p; 445 { 446 register struct sockaddr_un *soun = mtod(nam, struct sockaddr_un *); 447 register struct vnode *vp; 448 register struct socket *so2, *so3; 449 struct unpcb *unp2, *unp3; 450 int error; 451 struct nameidata nd; 452 453 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, soun->sun_path, p); 454 if (nam->m_data + nam->m_len == &nam->m_dat[MLEN]) { /* XXX */ 455 if (*(mtod(nam, caddr_t) + nam->m_len - 1) != 0) 456 return (EMSGSIZE); 457 } else 458 *(mtod(nam, caddr_t) + nam->m_len) = 0; 459 if (error = namei(&nd)) 460 return (error); 461 vp = nd.ni_vp; 462 if (vp->v_type != VSOCK) { 463 error = ENOTSOCK; 464 goto bad; 465 } 466 if (error = VOP_ACCESS(vp, VWRITE, p->p_ucred, p)) 467 goto bad; 468 so2 = vp->v_socket; 469 if (so2 == 0) { 470 error = ECONNREFUSED; 471 goto bad; 472 } 473 if (so->so_type != so2->so_type) { 474 error = EPROTOTYPE; 475 goto bad; 476 } 477 if (so->so_proto->pr_flags & PR_CONNREQUIRED) { 478 if ((so2->so_options & SO_ACCEPTCONN) == 0 || 479 (so3 = sonewconn(so2, 0)) == 0) { 480 error = ECONNREFUSED; 481 goto bad; 482 } 483 unp2 = sotounpcb(so2); 484 unp3 = sotounpcb(so3); 485 if (unp2->unp_addr) 486 unp3->unp_addr = 487 m_copy(unp2->unp_addr, 0, (int)M_COPYALL); 488 so2 = so3; 489 } 490 error = unp_connect2(so, so2); 491 bad: 492 vput(vp); 493 return (error); 494 } 495 496 int 497 unp_connect2(so, so2) 498 register struct socket *so; 499 register struct socket *so2; 500 { 501 register struct unpcb *unp = sotounpcb(so); 502 register struct unpcb *unp2; 503 504 if (so2->so_type != so->so_type) 505 return (EPROTOTYPE); 506 unp2 = sotounpcb(so2); 507 unp->unp_conn = unp2; 508 switch (so->so_type) { 509 510 case SOCK_DGRAM: 511 unp->unp_nextref = unp2->unp_refs; 512 unp2->unp_refs = unp; 513 soisconnected(so); 514 break; 515 516 case SOCK_STREAM: 517 unp2->unp_conn = unp; 518 soisconnected(so); 519 soisconnected(so2); 520 break; 521 522 default: 523 panic("unp_connect2"); 524 } 525 return (0); 526 } 527 528 void 529 unp_disconnect(unp) 530 struct unpcb *unp; 531 { 532 register struct unpcb *unp2 = unp->unp_conn; 533 534 if (unp2 == 0) 535 return; 536 unp->unp_conn = 0; 537 switch (unp->unp_socket->so_type) { 538 539 case SOCK_DGRAM: 540 if (unp2->unp_refs == unp) 541 unp2->unp_refs = unp->unp_nextref; 542 else { 543 unp2 = unp2->unp_refs; 544 for (;;) { 545 if (unp2 == 0) 546 panic("unp_disconnect"); 547 if (unp2->unp_nextref == unp) 548 break; 549 unp2 = unp2->unp_nextref; 550 } 551 unp2->unp_nextref = unp->unp_nextref; 552 } 553 unp->unp_nextref = 0; 554 unp->unp_socket->so_state &= ~SS_ISCONNECTED; 555 break; 556 557 case SOCK_STREAM: 558 soisdisconnected(unp->unp_socket); 559 unp2->unp_conn = 0; 560 soisdisconnected(unp2->unp_socket); 561 break; 562 } 563 } 564 565 #ifdef notdef 566 void 567 unp_abort(unp) 568 struct unpcb *unp; 569 { 570 571 unp_detach(unp); 572 } 573 #endif 574 575 void 576 unp_shutdown(unp) 577 struct unpcb *unp; 578 { 579 struct socket *so; 580 581 if (unp->unp_socket->so_type == SOCK_STREAM && unp->unp_conn && 582 (so = unp->unp_conn->unp_socket)) 583 socantrcvmore(so); 584 } 585 586 void 587 unp_drop(unp, errno) 588 struct unpcb *unp; 589 int errno; 590 { 591 struct socket *so = unp->unp_socket; 592 593 so->so_error = errno; 594 unp_disconnect(unp); 595 if (so->so_head) { 596 so->so_pcb = (caddr_t) 0; 597 m_freem(unp->unp_addr); 598 (void) m_free(dtom(unp)); 599 sofree(so); 600 } 601 } 602 603 #ifdef notdef 604 void 605 unp_drain() 606 { 607 608 } 609 #endif 610 611 int 612 unp_externalize(rights) 613 struct mbuf *rights; 614 { 615 struct proc *p = curproc; /* XXX */ 616 register int i; 617 register struct cmsghdr *cm = mtod(rights, struct cmsghdr *); 618 register struct file **rp = (struct file **)(cm + 1); 619 register struct file *fp; 620 int newfds = (cm->cmsg_len - sizeof(*cm)) / sizeof (int); 621 int f; 622 623 if (!fdavail(p, newfds)) { 624 for (i = 0; i < newfds; i++) { 625 fp = *rp; 626 unp_discard(fp); 627 *rp++ = 0; 628 } 629 return (EMSGSIZE); 630 } 631 for (i = 0; i < newfds; i++) { 632 if (fdalloc(p, 0, &f)) 633 panic("unp_externalize"); 634 fp = *rp; 635 p->p_fd->fd_ofiles[f] = fp; 636 fp->f_msgcount--; 637 unp_rights--; 638 *(int *)rp++ = f; 639 } 640 return (0); 641 } 642 643 int 644 unp_internalize(control, p) 645 struct mbuf *control; 646 struct proc *p; 647 { 648 struct filedesc *fdp = p->p_fd; 649 register struct cmsghdr *cm = mtod(control, struct cmsghdr *); 650 register struct file **rp; 651 register struct file *fp; 652 register int i, fd; 653 int oldfds; 654 655 if (cm->cmsg_type != SCM_RIGHTS || cm->cmsg_level != SOL_SOCKET || 656 cm->cmsg_len != control->m_len) 657 return (EINVAL); 658 oldfds = (cm->cmsg_len - sizeof (*cm)) / sizeof (int); 659 rp = (struct file **)(cm + 1); 660 for (i = 0; i < oldfds; i++) { 661 fd = *(int *)rp++; 662 if ((unsigned)fd >= fdp->fd_nfiles || 663 fdp->fd_ofiles[fd] == NULL) 664 return (EBADF); 665 } 666 rp = (struct file **)(cm + 1); 667 for (i = 0; i < oldfds; i++) { 668 fp = fdp->fd_ofiles[*(int *)rp]; 669 *rp++ = fp; 670 fp->f_count++; 671 fp->f_msgcount++; 672 unp_rights++; 673 } 674 return (0); 675 } 676 677 int unp_defer, unp_gcing; 678 extern struct domain unixdomain; 679 680 void 681 unp_gc() 682 { 683 register struct file *fp, *nextfp; 684 register struct socket *so; 685 struct file **extra_ref, **fpp; 686 int nunref, i; 687 688 if (unp_gcing) 689 return; 690 unp_gcing = 1; 691 unp_defer = 0; 692 for (fp = filehead; fp; fp = fp->f_filef) 693 fp->f_flag &= ~(FMARK|FDEFER); 694 do { 695 for (fp = filehead; fp; fp = fp->f_filef) { 696 if (fp->f_count == 0) 697 continue; 698 if (fp->f_flag & FDEFER) { 699 fp->f_flag &= ~FDEFER; 700 unp_defer--; 701 } else { 702 if (fp->f_flag & FMARK) 703 continue; 704 if (fp->f_count == fp->f_msgcount) 705 continue; 706 fp->f_flag |= FMARK; 707 } 708 if (fp->f_type != DTYPE_SOCKET || 709 (so = (struct socket *)fp->f_data) == 0) 710 continue; 711 if (so->so_proto->pr_domain != &unixdomain || 712 (so->so_proto->pr_flags&PR_RIGHTS) == 0) 713 continue; 714 #ifdef notdef 715 if (so->so_rcv.sb_flags & SB_LOCK) { 716 /* 717 * This is problematical; it's not clear 718 * we need to wait for the sockbuf to be 719 * unlocked (on a uniprocessor, at least), 720 * and it's also not clear what to do 721 * if sbwait returns an error due to receipt 722 * of a signal. If sbwait does return 723 * an error, we'll go into an infinite 724 * loop. Delete all of this for now. 725 */ 726 (void) sbwait(&so->so_rcv); 727 goto restart; 728 } 729 #endif 730 unp_scan(so->so_rcv.sb_mb, unp_mark); 731 } 732 } while (unp_defer); 733 /* 734 * We grab an extra reference to each of the file table entries 735 * that are not otherwise accessible and then free the rights 736 * that are stored in messages on them. 737 * 738 * The bug in the orginal code is a little tricky, so I'll describe 739 * what's wrong with it here. 740 * 741 * It is incorrect to simply unp_discard each entry for f_msgcount 742 * times -- consider the case of sockets A and B that contain 743 * references to each other. On a last close of some other socket, 744 * we trigger a gc since the number of outstanding rights (unp_rights) 745 * is non-zero. If during the sweep phase the gc code un_discards, 746 * we end up doing a (full) closef on the descriptor. A closef on A 747 * results in the following chain. Closef calls soo_close, which 748 * calls soclose. Soclose calls first (through the switch 749 * uipc_usrreq) unp_detach, which re-invokes unp_gc. Unp_gc simply 750 * returns because the previous instance had set unp_gcing, and 751 * we return all the way back to soclose, which marks the socket 752 * with SS_NOFDREF, and then calls sofree. Sofree calls sorflush 753 * to free up the rights that are queued in messages on the socket A, 754 * i.e., the reference on B. The sorflush calls via the dom_dispose 755 * switch unp_dispose, which unp_scans with unp_discard. This second 756 * instance of unp_discard just calls closef on B. 757 * 758 * Well, a similar chain occurs on B, resulting in a sorflush on B, 759 * which results in another closef on A. Unfortunately, A is already 760 * being closed, and the descriptor has already been marked with 761 * SS_NOFDREF, and soclose panics at this point. 762 * 763 * Here, we first take an extra reference to each inaccessible 764 * descriptor. Then, we call sorflush ourself, since we know 765 * it is a Unix domain socket anyhow. After we destroy all the 766 * rights carried in messages, we do a last closef to get rid 767 * of our extra reference. This is the last close, and the 768 * unp_detach etc will shut down the socket. 769 * 770 * 91/09/19, bsy@cs.cmu.edu 771 */ 772 extra_ref = malloc(nfiles * sizeof(struct file *), M_FILE, M_WAITOK); 773 for (nunref = 0, fp = filehead, fpp = extra_ref; fp; fp = nextfp) { 774 nextfp = fp->f_filef; 775 if (fp->f_count == 0) 776 continue; 777 if (fp->f_count == fp->f_msgcount && !(fp->f_flag & FMARK)) { 778 *fpp++ = fp; 779 nunref++; 780 fp->f_count++; 781 } 782 } 783 for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) 784 sorflush((struct socket *)(*fpp)->f_data); 785 for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) 786 closef(*fpp); 787 free((caddr_t)extra_ref, M_FILE); 788 unp_gcing = 0; 789 } 790 791 void 792 unp_dispose(m) 793 struct mbuf *m; 794 { 795 if (m) 796 unp_scan(m, unp_discard); 797 } 798 799 void 800 unp_scan(m0, op) 801 register struct mbuf *m0; 802 void (*op)(struct file *); 803 { 804 register struct mbuf *m; 805 register struct file **rp; 806 register struct cmsghdr *cm; 807 register int i; 808 int qfds; 809 810 while (m0) { 811 for (m = m0; m; m = m->m_next) 812 if (m->m_type == MT_CONTROL && 813 m->m_len >= sizeof(*cm)) { 814 cm = mtod(m, struct cmsghdr *); 815 if (cm->cmsg_level != SOL_SOCKET || 816 cm->cmsg_type != SCM_RIGHTS) 817 continue; 818 qfds = (cm->cmsg_len - sizeof *cm) 819 / sizeof (struct file *); 820 rp = (struct file **)(cm + 1); 821 for (i = 0; i < qfds; i++) 822 (*op)(*rp++); 823 break; /* XXX, but saves time */ 824 } 825 m0 = m0->m_act; 826 } 827 } 828 829 void 830 unp_mark(fp) 831 struct file *fp; 832 { 833 834 if (fp->f_flag & FMARK) 835 return; 836 unp_defer++; 837 fp->f_flag |= (FMARK|FDEFER); 838 } 839 840 void 841 unp_discard(fp) 842 struct file *fp; 843 { 844 845 fp->f_msgcount--; 846 unp_rights--; 847 (void) closef(fp, (struct proc *)NULL); 848 } 849