1 /* 2 * Copyright (c) 1982, 1986, 1989, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by the University of 16 * California, Berkeley and its contributors. 17 * 4. Neither the name of the University nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * From: @(#)uipc_usrreq.c 8.3 (Berkeley) 1/4/94 34 * $Id: uipc_usrreq.c,v 1.11 1995/08/16 16:13:27 bde Exp $ 35 */ 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/proc.h> 40 #include <sys/filedesc.h> 41 #include <sys/domain.h> 42 #include <sys/protosw.h> 43 #include <sys/stat.h> 44 #include <sys/socket.h> 45 #include <sys/socketvar.h> 46 #include <sys/unpcb.h> 47 #include <sys/un.h> 48 #include <sys/namei.h> 49 #include <sys/vnode.h> 50 #include <sys/file.h> 51 #include <sys/stat.h> 52 #include <sys/mbuf.h> 53 54 /* 55 * Unix communications domain. 56 * 57 * TODO: 58 * SEQPACKET, RDM 59 * rethink name space problems 60 * need a proper out-of-band 61 */ 62 struct sockaddr sun_noname = { sizeof(sun_noname), AF_LOCAL }; 63 ino_t unp_ino; /* prototype for fake inode numbers */ 64 65 /*ARGSUSED*/ 66 int 67 uipc_usrreq(so, req, m, nam, control) 68 struct socket *so; 69 int req; 70 struct mbuf *m, *nam, *control; 71 { 72 struct unpcb *unp = sotounpcb(so); 73 register struct socket *so2; 74 register int error = 0; 75 struct proc *p = curproc; /* XXX */ 76 77 if (req == PRU_CONTROL) 78 return (EOPNOTSUPP); 79 if (req != PRU_SEND && control && control->m_len) { 80 error = EOPNOTSUPP; 81 goto release; 82 } 83 if (unp == 0 && req != PRU_ATTACH) { 84 error = EINVAL; 85 goto release; 86 } 87 switch (req) { 88 89 case PRU_ATTACH: 90 if (unp) { 91 error = EISCONN; 92 break; 93 } 94 error = unp_attach(so); 95 break; 96 97 case PRU_DETACH: 98 unp_detach(unp); 99 break; 100 101 case PRU_BIND: 102 error = unp_bind(unp, nam, p); 103 break; 104 105 case PRU_LISTEN: 106 if (unp->unp_vnode == 0) 107 error = EINVAL; 108 break; 109 110 case PRU_CONNECT: 111 error = unp_connect(so, nam, p); 112 break; 113 114 case PRU_CONNECT2: 115 error = unp_connect2(so, (struct socket *)nam); 116 break; 117 118 case PRU_DISCONNECT: 119 unp_disconnect(unp); 120 break; 121 122 case PRU_ACCEPT: 123 /* 124 * Pass back name of connected socket, 125 * if it was bound and we are still connected 126 * (our peer may have closed already!). 127 */ 128 if (unp->unp_conn && unp->unp_conn->unp_addr) { 129 nam->m_len = unp->unp_conn->unp_addr->m_len; 130 bcopy(mtod(unp->unp_conn->unp_addr, caddr_t), 131 mtod(nam, caddr_t), (unsigned)nam->m_len); 132 } else { 133 nam->m_len = sizeof(sun_noname); 134 *(mtod(nam, struct sockaddr *)) = sun_noname; 135 } 136 break; 137 138 case PRU_SHUTDOWN: 139 socantsendmore(so); 140 unp_shutdown(unp); 141 break; 142 143 case PRU_RCVD: 144 switch (so->so_type) { 145 146 case SOCK_DGRAM: 147 panic("uipc 1"); 148 /*NOTREACHED*/ 149 150 case SOCK_STREAM: 151 #define rcv (&so->so_rcv) 152 #define snd (&so2->so_snd) 153 if (unp->unp_conn == 0) 154 break; 155 so2 = unp->unp_conn->unp_socket; 156 /* 157 * Adjust backpressure on sender 158 * and wakeup any waiting to write. 159 */ 160 snd->sb_mbmax += unp->unp_mbcnt - rcv->sb_mbcnt; 161 unp->unp_mbcnt = rcv->sb_mbcnt; 162 snd->sb_hiwat += unp->unp_cc - rcv->sb_cc; 163 unp->unp_cc = rcv->sb_cc; 164 sowwakeup(so2); 165 #undef snd 166 #undef rcv 167 break; 168 169 default: 170 panic("uipc 2"); 171 } 172 break; 173 174 case PRU_SEND: 175 case PRU_SEND_EOF: 176 if (control && (error = unp_internalize(control, p))) 177 break; 178 switch (so->so_type) { 179 180 case SOCK_DGRAM: { 181 struct sockaddr *from; 182 183 if (nam) { 184 if (unp->unp_conn) { 185 error = EISCONN; 186 break; 187 } 188 error = unp_connect(so, nam, p); 189 if (error) 190 break; 191 } else { 192 if (unp->unp_conn == 0) { 193 error = ENOTCONN; 194 break; 195 } 196 } 197 so2 = unp->unp_conn->unp_socket; 198 if (unp->unp_addr) 199 from = mtod(unp->unp_addr, struct sockaddr *); 200 else 201 from = &sun_noname; 202 if (sbappendaddr(&so2->so_rcv, from, m, control)) { 203 sorwakeup(so2); 204 m = 0; 205 control = 0; 206 } else 207 error = ENOBUFS; 208 if (nam) 209 unp_disconnect(unp); 210 break; 211 } 212 213 case SOCK_STREAM: 214 #define rcv (&so2->so_rcv) 215 #define snd (&so->so_snd) 216 /* Connect if not connected yet. */ 217 /* 218 * Note: A better implementation would complain 219 * if not equal to the peer's address. 220 */ 221 if ((so->so_state & SS_ISCONNECTED) == 0) { 222 if (nam) { 223 error = unp_connect(so, nam, p); 224 if (error) 225 break; /* XXX */ 226 } else { 227 error = ENOTCONN; 228 break; 229 } 230 } 231 232 if (so->so_state & SS_CANTSENDMORE) { 233 error = EPIPE; 234 break; 235 } 236 if (unp->unp_conn == 0) 237 panic("uipc 3"); 238 so2 = unp->unp_conn->unp_socket; 239 /* 240 * Send to paired receive port, and then reduce 241 * send buffer hiwater marks to maintain backpressure. 242 * Wake up readers. 243 */ 244 if (control) { 245 if (sbappendcontrol(rcv, m, control)) 246 control = 0; 247 } else 248 sbappend(rcv, m); 249 snd->sb_mbmax -= 250 rcv->sb_mbcnt - unp->unp_conn->unp_mbcnt; 251 unp->unp_conn->unp_mbcnt = rcv->sb_mbcnt; 252 snd->sb_hiwat -= rcv->sb_cc - unp->unp_conn->unp_cc; 253 unp->unp_conn->unp_cc = rcv->sb_cc; 254 sorwakeup(so2); 255 m = 0; 256 #undef snd 257 #undef rcv 258 break; 259 260 default: 261 panic("uipc 4"); 262 } 263 /* 264 * SEND_EOF is equivalent to a SEND followed by 265 * a SHUTDOWN. 266 */ 267 if (req == PRU_SEND_EOF) { 268 socantsendmore(so); 269 unp_shutdown(unp); 270 } 271 break; 272 273 case PRU_ABORT: 274 unp_drop(unp, ECONNABORTED); 275 break; 276 277 case PRU_SENSE: 278 ((struct stat *) m)->st_blksize = so->so_snd.sb_hiwat; 279 if (so->so_type == SOCK_STREAM && unp->unp_conn != 0) { 280 so2 = unp->unp_conn->unp_socket; 281 ((struct stat *) m)->st_blksize += so2->so_rcv.sb_cc; 282 } 283 ((struct stat *) m)->st_dev = NODEV; 284 if (unp->unp_ino == 0) 285 unp->unp_ino = unp_ino++; 286 ((struct stat *) m)->st_ino = unp->unp_ino; 287 return (0); 288 289 case PRU_RCVOOB: 290 return (EOPNOTSUPP); 291 292 case PRU_SENDOOB: 293 error = EOPNOTSUPP; 294 break; 295 296 case PRU_SOCKADDR: 297 if (unp->unp_addr) { 298 nam->m_len = unp->unp_addr->m_len; 299 bcopy(mtod(unp->unp_addr, caddr_t), 300 mtod(nam, caddr_t), (unsigned)nam->m_len); 301 } else 302 nam->m_len = 0; 303 break; 304 305 case PRU_PEERADDR: 306 if (unp->unp_conn && unp->unp_conn->unp_addr) { 307 nam->m_len = unp->unp_conn->unp_addr->m_len; 308 bcopy(mtod(unp->unp_conn->unp_addr, caddr_t), 309 mtod(nam, caddr_t), (unsigned)nam->m_len); 310 } else 311 nam->m_len = 0; 312 break; 313 314 case PRU_SLOWTIMO: 315 break; 316 317 default: 318 panic("piusrreq"); 319 } 320 release: 321 if (control) 322 m_freem(control); 323 if (m) 324 m_freem(m); 325 return (error); 326 } 327 328 /* 329 * Both send and receive buffers are allocated PIPSIZ bytes of buffering 330 * for stream sockets, although the total for sender and receiver is 331 * actually only PIPSIZ. 332 * Datagram sockets really use the sendspace as the maximum datagram size, 333 * and don't really want to reserve the sendspace. Their recvspace should 334 * be large enough for at least one max-size datagram plus address. 335 */ 336 #ifndef PIPSIZ 337 #define PIPSIZ 8192 338 #endif 339 u_long unpst_sendspace = PIPSIZ; 340 u_long unpst_recvspace = PIPSIZ; 341 u_long unpdg_sendspace = 2*1024; /* really max datagram size */ 342 u_long unpdg_recvspace = 4*1024; 343 344 int unp_rights; /* file descriptors in flight */ 345 346 int 347 unp_attach(so) 348 struct socket *so; 349 { 350 register struct mbuf *m; 351 register struct unpcb *unp; 352 int error; 353 354 if (so->so_snd.sb_hiwat == 0 || so->so_rcv.sb_hiwat == 0) { 355 switch (so->so_type) { 356 357 case SOCK_STREAM: 358 error = soreserve(so, unpst_sendspace, unpst_recvspace); 359 break; 360 361 case SOCK_DGRAM: 362 error = soreserve(so, unpdg_sendspace, unpdg_recvspace); 363 break; 364 365 default: 366 panic("unp_attach"); 367 } 368 if (error) 369 return (error); 370 } 371 m = m_getclr(M_DONTWAIT, MT_PCB); 372 if (m == NULL) 373 return (ENOBUFS); 374 unp = mtod(m, struct unpcb *); 375 so->so_pcb = (caddr_t)unp; 376 unp->unp_socket = so; 377 return (0); 378 } 379 380 void 381 unp_detach(unp) 382 register struct unpcb *unp; 383 { 384 385 if (unp->unp_vnode) { 386 unp->unp_vnode->v_socket = 0; 387 vrele(unp->unp_vnode); 388 unp->unp_vnode = 0; 389 } 390 if (unp->unp_conn) 391 unp_disconnect(unp); 392 while (unp->unp_refs) 393 unp_drop(unp->unp_refs, ECONNRESET); 394 soisdisconnected(unp->unp_socket); 395 unp->unp_socket->so_pcb = 0; 396 if (unp_rights) { 397 /* 398 * Normally the receive buffer is flushed later, 399 * in sofree, but if our receive buffer holds references 400 * to descriptors that are now garbage, we will dispose 401 * of those descriptor references after the garbage collector 402 * gets them (resulting in a "panic: closef: count < 0"). 403 */ 404 sorflush(unp->unp_socket); 405 unp_gc(); 406 } 407 m_freem(unp->unp_addr); 408 (void) m_free(dtom(unp)); 409 } 410 411 int 412 unp_bind(unp, nam, p) 413 struct unpcb *unp; 414 struct mbuf *nam; 415 struct proc *p; 416 { 417 struct sockaddr_un *soun = mtod(nam, struct sockaddr_un *); 418 register struct vnode *vp; 419 struct vattr vattr; 420 int error; 421 struct nameidata nd; 422 423 NDINIT(&nd, CREATE, FOLLOW | LOCKPARENT, UIO_SYSSPACE, 424 soun->sun_path, p); 425 if (unp->unp_vnode != NULL) 426 return (EINVAL); 427 if (nam->m_len == MLEN) { 428 if (*(mtod(nam, caddr_t) + nam->m_len - 1) != 0) 429 return (EINVAL); 430 } else 431 *(mtod(nam, caddr_t) + nam->m_len) = 0; 432 /* SHOULD BE ABLE TO ADOPT EXISTING AND wakeup() ALA FIFO's */ 433 error = namei(&nd); 434 if (error) 435 return (error); 436 vp = nd.ni_vp; 437 if (vp != NULL) { 438 VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd); 439 if (nd.ni_dvp == vp) 440 vrele(nd.ni_dvp); 441 else 442 vput(nd.ni_dvp); 443 vrele(vp); 444 return (EADDRINUSE); 445 } 446 VATTR_NULL(&vattr); 447 vattr.va_type = VSOCK; 448 vattr.va_mode = ACCESSPERMS; 449 LEASE_CHECK(nd.ni_dvp, p, p->p_ucred, LEASE_WRITE); 450 error = VOP_CREATE(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr); 451 if (error) 452 return (error); 453 vp = nd.ni_vp; 454 vp->v_socket = unp->unp_socket; 455 unp->unp_vnode = vp; 456 unp->unp_addr = m_copy(nam, 0, (int)M_COPYALL); 457 VOP_UNLOCK(vp); 458 return (0); 459 } 460 461 int 462 unp_connect(so, nam, p) 463 struct socket *so; 464 struct mbuf *nam; 465 struct proc *p; 466 { 467 register struct sockaddr_un *soun = mtod(nam, struct sockaddr_un *); 468 register struct vnode *vp; 469 register struct socket *so2, *so3; 470 struct unpcb *unp2, *unp3; 471 int error; 472 struct nameidata nd; 473 474 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, soun->sun_path, p); 475 if (nam->m_data + nam->m_len == &nam->m_dat[MLEN]) { /* XXX */ 476 if (*(mtod(nam, caddr_t) + nam->m_len - 1) != 0) 477 return (EMSGSIZE); 478 } else 479 *(mtod(nam, caddr_t) + nam->m_len) = 0; 480 error = namei(&nd); 481 if (error) 482 return (error); 483 vp = nd.ni_vp; 484 if (vp->v_type != VSOCK) { 485 error = ENOTSOCK; 486 goto bad; 487 } 488 error = VOP_ACCESS(vp, VWRITE, p->p_ucred, p); 489 if (error) 490 goto bad; 491 so2 = vp->v_socket; 492 if (so2 == 0) { 493 error = ECONNREFUSED; 494 goto bad; 495 } 496 if (so->so_type != so2->so_type) { 497 error = EPROTOTYPE; 498 goto bad; 499 } 500 if (so->so_proto->pr_flags & PR_CONNREQUIRED) { 501 if ((so2->so_options & SO_ACCEPTCONN) == 0 || 502 (so3 = sonewconn(so2, 0)) == 0) { 503 error = ECONNREFUSED; 504 goto bad; 505 } 506 unp2 = sotounpcb(so2); 507 unp3 = sotounpcb(so3); 508 if (unp2->unp_addr) 509 unp3->unp_addr = 510 m_copy(unp2->unp_addr, 0, (int)M_COPYALL); 511 so2 = so3; 512 } 513 error = unp_connect2(so, so2); 514 bad: 515 vput(vp); 516 return (error); 517 } 518 519 int 520 unp_connect2(so, so2) 521 register struct socket *so; 522 register struct socket *so2; 523 { 524 register struct unpcb *unp = sotounpcb(so); 525 register struct unpcb *unp2; 526 527 if (so2->so_type != so->so_type) 528 return (EPROTOTYPE); 529 unp2 = sotounpcb(so2); 530 unp->unp_conn = unp2; 531 switch (so->so_type) { 532 533 case SOCK_DGRAM: 534 unp->unp_nextref = unp2->unp_refs; 535 unp2->unp_refs = unp; 536 soisconnected(so); 537 break; 538 539 case SOCK_STREAM: 540 unp2->unp_conn = unp; 541 soisconnected(so); 542 soisconnected(so2); 543 break; 544 545 default: 546 panic("unp_connect2"); 547 } 548 return (0); 549 } 550 551 void 552 unp_disconnect(unp) 553 struct unpcb *unp; 554 { 555 register struct unpcb *unp2 = unp->unp_conn; 556 557 if (unp2 == 0) 558 return; 559 unp->unp_conn = 0; 560 switch (unp->unp_socket->so_type) { 561 562 case SOCK_DGRAM: 563 if (unp2->unp_refs == unp) 564 unp2->unp_refs = unp->unp_nextref; 565 else { 566 unp2 = unp2->unp_refs; 567 for (;;) { 568 if (unp2 == 0) 569 panic("unp_disconnect"); 570 if (unp2->unp_nextref == unp) 571 break; 572 unp2 = unp2->unp_nextref; 573 } 574 unp2->unp_nextref = unp->unp_nextref; 575 } 576 unp->unp_nextref = 0; 577 unp->unp_socket->so_state &= ~SS_ISCONNECTED; 578 break; 579 580 case SOCK_STREAM: 581 soisdisconnected(unp->unp_socket); 582 unp2->unp_conn = 0; 583 soisdisconnected(unp2->unp_socket); 584 break; 585 } 586 } 587 588 #ifdef notdef 589 void 590 unp_abort(unp) 591 struct unpcb *unp; 592 { 593 594 unp_detach(unp); 595 } 596 #endif 597 598 void 599 unp_shutdown(unp) 600 struct unpcb *unp; 601 { 602 struct socket *so; 603 604 if (unp->unp_socket->so_type == SOCK_STREAM && unp->unp_conn && 605 (so = unp->unp_conn->unp_socket)) 606 socantrcvmore(so); 607 } 608 609 void 610 unp_drop(unp, errno) 611 struct unpcb *unp; 612 int errno; 613 { 614 struct socket *so = unp->unp_socket; 615 616 so->so_error = errno; 617 unp_disconnect(unp); 618 if (so->so_head) { 619 so->so_pcb = (caddr_t) 0; 620 m_freem(unp->unp_addr); 621 (void) m_free(dtom(unp)); 622 sofree(so); 623 } 624 } 625 626 #ifdef notdef 627 void 628 unp_drain() 629 { 630 631 } 632 #endif 633 634 int 635 unp_externalize(rights) 636 struct mbuf *rights; 637 { 638 struct proc *p = curproc; /* XXX */ 639 register int i; 640 register struct cmsghdr *cm = mtod(rights, struct cmsghdr *); 641 register struct file **rp = (struct file **)(cm + 1); 642 register struct file *fp; 643 int newfds = (cm->cmsg_len - sizeof(*cm)) / sizeof (int); 644 int f; 645 646 if (!fdavail(p, newfds)) { 647 for (i = 0; i < newfds; i++) { 648 fp = *rp; 649 unp_discard(fp); 650 *rp++ = 0; 651 } 652 return (EMSGSIZE); 653 } 654 for (i = 0; i < newfds; i++) { 655 if (fdalloc(p, 0, &f)) 656 panic("unp_externalize"); 657 fp = *rp; 658 p->p_fd->fd_ofiles[f] = fp; 659 fp->f_msgcount--; 660 unp_rights--; 661 *(int *)rp++ = f; 662 } 663 return (0); 664 } 665 666 int 667 unp_internalize(control, p) 668 struct mbuf *control; 669 struct proc *p; 670 { 671 struct filedesc *fdp = p->p_fd; 672 register struct cmsghdr *cm = mtod(control, struct cmsghdr *); 673 register struct file **rp; 674 register struct file *fp; 675 register int i, fd; 676 int oldfds; 677 678 if (cm->cmsg_type != SCM_RIGHTS || cm->cmsg_level != SOL_SOCKET || 679 cm->cmsg_len != control->m_len) 680 return (EINVAL); 681 oldfds = (cm->cmsg_len - sizeof (*cm)) / sizeof (int); 682 rp = (struct file **)(cm + 1); 683 for (i = 0; i < oldfds; i++) { 684 fd = *(int *)rp++; 685 if ((unsigned)fd >= fdp->fd_nfiles || 686 fdp->fd_ofiles[fd] == NULL) 687 return (EBADF); 688 } 689 rp = (struct file **)(cm + 1); 690 for (i = 0; i < oldfds; i++) { 691 fp = fdp->fd_ofiles[*(int *)rp]; 692 *rp++ = fp; 693 fp->f_count++; 694 fp->f_msgcount++; 695 unp_rights++; 696 } 697 return (0); 698 } 699 700 int unp_defer, unp_gcing; 701 702 void 703 unp_gc() 704 { 705 register struct file *fp, *nextfp; 706 register struct socket *so; 707 struct file **extra_ref, **fpp; 708 int nunref, i; 709 710 if (unp_gcing) 711 return; 712 unp_gcing = 1; 713 unp_defer = 0; 714 for (fp = filehead; fp; fp = fp->f_filef) 715 fp->f_flag &= ~(FMARK|FDEFER); 716 do { 717 for (fp = filehead; fp; fp = fp->f_filef) { 718 if (fp->f_count == 0) 719 continue; 720 if (fp->f_flag & FDEFER) { 721 fp->f_flag &= ~FDEFER; 722 unp_defer--; 723 } else { 724 if (fp->f_flag & FMARK) 725 continue; 726 if (fp->f_count == fp->f_msgcount) 727 continue; 728 fp->f_flag |= FMARK; 729 } 730 if (fp->f_type != DTYPE_SOCKET || 731 (so = (struct socket *)fp->f_data) == 0) 732 continue; 733 if (so->so_proto->pr_domain != &localdomain || 734 (so->so_proto->pr_flags&PR_RIGHTS) == 0) 735 continue; 736 #ifdef notdef 737 if (so->so_rcv.sb_flags & SB_LOCK) { 738 /* 739 * This is problematical; it's not clear 740 * we need to wait for the sockbuf to be 741 * unlocked (on a uniprocessor, at least), 742 * and it's also not clear what to do 743 * if sbwait returns an error due to receipt 744 * of a signal. If sbwait does return 745 * an error, we'll go into an infinite 746 * loop. Delete all of this for now. 747 */ 748 (void) sbwait(&so->so_rcv); 749 goto restart; 750 } 751 #endif 752 unp_scan(so->so_rcv.sb_mb, unp_mark); 753 } 754 } while (unp_defer); 755 /* 756 * We grab an extra reference to each of the file table entries 757 * that are not otherwise accessible and then free the rights 758 * that are stored in messages on them. 759 * 760 * The bug in the orginal code is a little tricky, so I'll describe 761 * what's wrong with it here. 762 * 763 * It is incorrect to simply unp_discard each entry for f_msgcount 764 * times -- consider the case of sockets A and B that contain 765 * references to each other. On a last close of some other socket, 766 * we trigger a gc since the number of outstanding rights (unp_rights) 767 * is non-zero. If during the sweep phase the gc code un_discards, 768 * we end up doing a (full) closef on the descriptor. A closef on A 769 * results in the following chain. Closef calls soo_close, which 770 * calls soclose. Soclose calls first (through the switch 771 * uipc_usrreq) unp_detach, which re-invokes unp_gc. Unp_gc simply 772 * returns because the previous instance had set unp_gcing, and 773 * we return all the way back to soclose, which marks the socket 774 * with SS_NOFDREF, and then calls sofree. Sofree calls sorflush 775 * to free up the rights that are queued in messages on the socket A, 776 * i.e., the reference on B. The sorflush calls via the dom_dispose 777 * switch unp_dispose, which unp_scans with unp_discard. This second 778 * instance of unp_discard just calls closef on B. 779 * 780 * Well, a similar chain occurs on B, resulting in a sorflush on B, 781 * which results in another closef on A. Unfortunately, A is already 782 * being closed, and the descriptor has already been marked with 783 * SS_NOFDREF, and soclose panics at this point. 784 * 785 * Here, we first take an extra reference to each inaccessible 786 * descriptor. Then, we call sorflush ourself, since we know 787 * it is a Unix domain socket anyhow. After we destroy all the 788 * rights carried in messages, we do a last closef to get rid 789 * of our extra reference. This is the last close, and the 790 * unp_detach etc will shut down the socket. 791 * 792 * 91/09/19, bsy@cs.cmu.edu 793 */ 794 extra_ref = malloc(nfiles * sizeof(struct file *), M_FILE, M_WAITOK); 795 for (nunref = 0, fp = filehead, fpp = extra_ref; fp; fp = nextfp) { 796 nextfp = fp->f_filef; 797 if (fp->f_count == 0) 798 continue; 799 if (fp->f_count == fp->f_msgcount && !(fp->f_flag & FMARK)) { 800 *fpp++ = fp; 801 nunref++; 802 fp->f_count++; 803 } 804 } 805 for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) 806 sorflush((struct socket *)(*fpp)->f_data); 807 for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) 808 closef(*fpp,(struct proc*) NULL); 809 free((caddr_t)extra_ref, M_FILE); 810 unp_gcing = 0; 811 } 812 813 void 814 unp_dispose(m) 815 struct mbuf *m; 816 { 817 if (m) 818 unp_scan(m, unp_discard); 819 } 820 821 void 822 unp_scan(m0, op) 823 register struct mbuf *m0; 824 void (*op)(struct file *); 825 { 826 register struct mbuf *m; 827 register struct file **rp; 828 register struct cmsghdr *cm; 829 register int i; 830 int qfds; 831 832 while (m0) { 833 for (m = m0; m; m = m->m_next) 834 if (m->m_type == MT_CONTROL && 835 m->m_len >= sizeof(*cm)) { 836 cm = mtod(m, struct cmsghdr *); 837 if (cm->cmsg_level != SOL_SOCKET || 838 cm->cmsg_type != SCM_RIGHTS) 839 continue; 840 qfds = (cm->cmsg_len - sizeof *cm) 841 / sizeof (struct file *); 842 rp = (struct file **)(cm + 1); 843 for (i = 0; i < qfds; i++) 844 (*op)(*rp++); 845 break; /* XXX, but saves time */ 846 } 847 m0 = m0->m_act; 848 } 849 } 850 851 void 852 unp_mark(fp) 853 struct file *fp; 854 { 855 856 if (fp->f_flag & FMARK) 857 return; 858 unp_defer++; 859 fp->f_flag |= (FMARK|FDEFER); 860 } 861 862 void 863 unp_discard(fp) 864 struct file *fp; 865 { 866 867 fp->f_msgcount--; 868 unp_rights--; 869 (void) closef(fp, (struct proc *)NULL); 870 } 871