1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 27 /* All Rights Reserved */ 28 29 30 #pragma ident "%Z%%M% %I% %E% SMI" 31 32 /* 33 * Common Inter-Process Communication routines. 34 * 35 * Overview 36 * -------- 37 * 38 * The System V inter-process communication (IPC) facilities provide 39 * three services, message queues, semaphore arrays, and shared memory 40 * segments, which are mananged using filesystem-like namespaces. 41 * Unlike a filesystem, these namespaces aren't mounted and accessible 42 * via a path -- a special API is used to interact with the different 43 * facilities (nothing precludes a VFS-based interface, but the 44 * standards require the special APIs). Furthermore, these special 45 * APIs don't use file descriptors, nor do they have an equivalent. 46 * This means that every operation which acts on an object needs to 47 * perform the quivalent of a lookup, which in turn means that every 48 * operation can fail if the specified object doesn't exist in the 49 * facility's namespace. 50 * 51 * Objects 52 * ------- 53 * 54 * Each object in a namespace has a unique ID, which is assigned by the 55 * system and is used to identify the object when performing operations 56 * on it. An object can also have a key, which is selected by the user 57 * at allocation time and is used as a primitive rendezvous mechanism. 58 * An object without a key is said to have a "private" key. 59 * 60 * To perform an operation on an object given its key, one must first 61 * perform a lookup and obtain its ID. The ID is then used to identify 62 * the object when performing the operation. If the object has a 63 * private key, the ID must be known or obtained by other means. 64 * 65 * Each object in the namespace has a creator uid and gid, as well as 66 * an owner uid and gid. Both are initialized with the ruid and rgid 67 * of the process which created the object. The creator or current 68 * owner has the ability to change the owner of the object. 69 * 70 * Each object in the namespace has a set of file-like permissions, 71 * which, in conjunction with the creator and owner uid and gid, 72 * control read and write access to the object (execute is ignored). 73 * 74 * Each object also has a creator project and zone, which are used to 75 * account for its resource usage. 76 * 77 * Operations 78 * ---------- 79 * 80 * There are five operations which all three facilities have in 81 * common: GET, SET, STAT, RMID, and IDS. 82 * 83 * GET, like open, is used to allocate a new object or obtain an 84 * existing one (using its key). It takes a key, a set of flags and 85 * mode bits, and optionally facility-specific arguments. If the key 86 * is IPC_PRIVATE, a new object with the requested mode bits and 87 * facility-specific attributes is created. If the key isn't 88 * IPC_PRIVATE, the GET will attempt to look up the specified key and 89 * either return that or create a new key depending on the state of the 90 * IPC_CREAT and IPC_EXCL flags, much like open. If GET needs to 91 * allocate an object, it can fail if there is insufficient space in 92 * the namespace (the maximum number of ids for the facility has been 93 * exceeded) or if the facility-specific initialization fails. If GET 94 * finds an object it can return, it can still fail if that object's 95 * permissions or facility-specific attributes are less than those 96 * requested. 97 * 98 * SET is used to adjust facility-specific parameters of an object, in 99 * addition to the owner uid and gid, and mode bits. It can fail if 100 * the caller isn't the creator or owner. 101 * 102 * STAT is used to obtain information about an object including the 103 * general attributes object described as well as facility-specific 104 * information. It can fail if the caller doesn't have read 105 * permission. 106 * 107 * RMID removes an object from the namespace. Subsequent operations 108 * using the object's ID or key will fail (until another object is 109 * created with the same key or ID). Since an RMID may be performed 110 * asynchronously with other operations, it is possible that other 111 * threads and/or processes will have references to the object. While 112 * a facility may have actions which need to be performed at RMID time, 113 * only when all references are dropped can the object be destroyed. 114 * RMID will fail if the caller isn't the creator or owner. 115 * 116 * IDS obtains a list of all IDs in a facility's namespace. There are 117 * no facility-specific behaviors of IDS. 118 * 119 * Design 120 * ------ 121 * 122 * Because some IPC facilities provide services whose operations must 123 * scale, a mechanism which allows fast, concurrent access to 124 * individual objects is needed. Of primary importance is object 125 * lookup based on ID (SET, STAT, others). Allocation (GET), 126 * deallocation (RMID), ID enumeration (IDS), and key lookups (GET) are 127 * lesser concerns, but should be implemented in such a way that ID 128 * lookup isn't affected (at least not in the common case). 129 * 130 * Starting from the bottom up, each object is represented by a 131 * structure, the first member of which must be a kipc_perm_t. The 132 * kipc_perm_t contains the information described above in "Objects", a 133 * reference count (since the object may continue to exist after it has 134 * been removed from the namespace), as well as some additional 135 * metadata used to manage data structure membership. These objects 136 * are dynamically allocated. 137 * 138 * Above the objects is a power-of-two sized table of ID slots. Each 139 * slot contains a pointer to an object, a sequence number, and a 140 * lock. An object's ID is a function of its slot's index in the table 141 * and its slot's sequence number. Every time a slot is released (via 142 * RMID) its sequence number is increased. Strictly speaking, the 143 * sequence number is unnecessary. However, checking the sequence 144 * number after a lookup provides a certain degree of robustness 145 * against the use of stale IDs (useful since nothing else does). When 146 * the table fills up, it is resized (see Locking, below). 147 * 148 * Of an ID's 31 bits (an ID is, as defined by the standards, a signed 149 * int) the top IPC_SEQ_BITS are used for the sequence number with the 150 * remainder holding the index into the table. The size of the table 151 * is therefore bounded at 2 ^ (31 - IPC_SEQ_BITS) slots. 152 * 153 * Managing this table is the ipc_service structure. It contains a 154 * pointer to the dynamically allocated ID table, a namespace-global 155 * lock, an id_space for managing the free space in the table, and 156 * sundry other metadata necessary for the maintenance of the 157 * namespace. An AVL tree of all keyed objects in the table (sorted by 158 * key) is used for key lookups. An unordered doubly linked list of 159 * all objects in the namespace (keyed or not) is maintained to 160 * facilitate ID enumeration. 161 * 162 * To help visualize these relationships, here's a picture of a 163 * namespace with a table of size 8 containing three objects 164 * (IPC_SEQ_BITS = 28): 165 * 166 * 167 * +-ipc_service_t--+ 168 * | table *---\ 169 * | keys *---+----------------------\ 170 * | all ids *--\| | 171 * | | || | 172 * +----------------+ || | 173 * || | 174 * /-------------------/| | 175 * | /---------------/ | 176 * | | | 177 * | v | 178 * | +-0------+-1------+-2------+-3------+-4--+---+-5------+-6------+-7------+ 179 * | | Seq=3 | | | Seq=1 | : | | | Seq=6 | 180 * | | | | | | : | | | | 181 * | +-*------+--------+--------+-*------+----+---+--------+--------+-*------+ 182 * | | | | | 183 * | | /---/ | /----------------/ 184 * | | | | | 185 * | v v | v 186 * | +-kipc_perm_t-+ +-kipc_perm_t-+ | +-kipc_perm_t-+ 187 * | | id=0x30 | | id=0x13 | | | id=0x67 | 188 * | | key=0xfeed | | key=0xbeef | | | key=0xcafe | 189 * \->| [list] |<------>| [list] |<------>| [list] | 190 * /->| [avl left] x /--->| [avl left] x \--->| [avl left] *---\ 191 * | | [avl right] x | | [avl right] x | [avl right] *---+-\ 192 * | | | | | | | | | | 193 * | +-------------+ | +-------------+ +-------------+ | | 194 * | \---------------------------------------------/ | 195 * \--------------------------------------------------------------------/ 196 * 197 * Locking 198 * ------- 199 * 200 * There are three locks (or sets of locks) which are used to ensure 201 * correctness: the slot locks, the namespace lock, and p_lock (needed 202 * when checking resource controls). Their ordering is 203 * 204 * namespace lock -> slot lock 0 -> ... -> slot lock t -> p_lock 205 * 206 * Generally speaking, the namespace lock is used to protect allocation 207 * and removal from the namespace, ID enumeration, and resizing the ID 208 * table. Specifically: 209 * 210 * - write access to all fields of the ipc_service structure 211 * - read access to all variable fields of ipc_service except 212 * ipcs_tabsz (table size) and ipcs_table (the table pointer) 213 * - read/write access to ipc_avl, ipc_list in visible objects' 214 * kipc_perm structures (i.e. objects which have been removed from 215 * the namespace don't have this restriction) 216 * - write access to ipct_seq and ipct_data in the table entries 217 * 218 * A slot lock by itself is meaningless (except when resizing). Of 219 * greater interest conceptually is the notion of an ID lock -- a 220 * "virtual lock" which refers to whichever slot lock an object's ID 221 * currently hashes to. 222 * 223 * An ID lock protects all objects with that ID. Normally there will 224 * only be one such object: the one pointed to by the locked slot. 225 * However, if an object is removed from the namespace but retains 226 * references (e.g. an attached shared memory segment which has been 227 * RMIDed), it continues to use the lock associated with its original 228 * ID. While this can result in increased contention, operations which 229 * require taking the ID lock of removed objects are infrequent. 230 * 231 * Specifically, an ID lock protects the contents of an object's 232 * structure, including the contents of the embedded kipc_perm 233 * structure (but excluding those fields protected by the namespace 234 * lock). It also protects the ipct_seq and ipct_data fields in its 235 * slot (it is really a slot lock, after all). 236 * 237 * Recall that the table is resizable. To avoid requiring every ID 238 * lookup to take a global lock, a scheme much like that employed for 239 * file descriptors (see the comment above UF_ENTER in user.h) is 240 * used. Note that the sequence number and data pointer are protected 241 * by both the namespace lock and their slot lock. When the table is 242 * resized, the following operations take place: 243 * 244 * 1) A new table is allocated. 245 * 2) The global lock is taken. 246 * 3) All old slots are locked, in order. 247 * 4) The first half of the new slots are locked. 248 * 5) All table entries are copied to the new table, and cleared from 249 * the old table. 250 * 6) The ipc_service structure is updated to point to the new table. 251 * 7) The ipc_service structure is updated with the new table size. 252 * 8) All slot locks (old and new) are dropped. 253 * 254 * Because the slot locks are embedded in the table, ID lookups and 255 * other operations which require taking an slot lock need to verify 256 * that the lock taken wasn't part of a stale table. This is 257 * accomplished by checking the table size before and after 258 * dereferencing the table pointer and taking the lock: if the size 259 * changes, the lock must be dropped and reacquired. It is this 260 * additional work which distinguishes an ID lock from a slot lock. 261 * 262 * Because we can't guarantee that threads aren't accessing the old 263 * tables' locks, they are never deallocated. To prevent spurious 264 * reports of memory leaks, a pointer to the discarded table is stored 265 * in the new one in step 5. (Theoretically ipcs_destroy will delete 266 * the discarded tables, but it is only ever called from a failed _init 267 * invocation; i.e. when there aren't any.) 268 * 269 * Interfaces 270 * ---------- 271 * 272 * The following interfaces are provided by the ipc module for use by 273 * the individual IPC facilities: 274 * 275 * ipcperm_access 276 * 277 * Given an object and a cred structure, determines if the requested 278 * access type is allowed. 279 * 280 * ipcperm_set, ipcperm_stat, 281 * ipcperm_set64, ipcperm_stat64 282 * 283 * Performs the common portion of an STAT or SET operation. All 284 * (except stat and stat64) can fail, so they should be called before 285 * any facility-specific non-reversible changes are made to an 286 * object. Similarly, the set operations have side effects, so they 287 * should only be called once the possibility of a facility-specific 288 * failure is eliminated. 289 * 290 * ipcs_create 291 * 292 * Creates an IPC namespace for use by an IPC facility. 293 * 294 * ipcs_destroy 295 * 296 * Destroys an IPC namespace. 297 * 298 * ipcs_lock, ipcs_unlock 299 * 300 * Takes the namespace lock. Ideally such access wouldn't be 301 * necessary, but there may be facility-specific data protected by 302 * this lock (e.g. project-wide resource consumption). 303 * 304 * ipc_lock 305 * 306 * Takes the lock associated with an ID. Can't fail. 307 * 308 * ipc_relock 309 * 310 * Like ipc_lock, but takes a pointer to a held lock. Drops the lock 311 * unless it is the one that would have been returned by ipc_lock. 312 * Used after calls to cv_wait. 313 * 314 * ipc_lookup 315 * 316 * Performs an ID lookup, returns with the ID lock held. Fails if 317 * the ID doesn't exist in the namespace. 318 * 319 * ipc_hold 320 * 321 * Takes a reference on an object. 322 * 323 * ipc_rele 324 * 325 * Releases a reference on an object, and drops the object's lock. 326 * Calls the object's destructor if last reference is being 327 * released. 328 * 329 * ipc_rele_locked 330 * 331 * Releases a reference on an object. Doesn't drop lock, and may 332 * only be called when there is more than one reference to the 333 * object. 334 * 335 * ipc_get, ipc_commit_begin, ipc_commit_end, ipc_cleanup 336 * 337 * Components of a GET operation. ipc_get performs a key lookup, 338 * allocating an object if the key isn't found (returning with the 339 * namespace lock and p_lock held), and returning the existing object 340 * if it is (with the object lock held). ipc_get doesn't modify the 341 * namespace. 342 * 343 * ipc_commit_begin begins the process of inserting an object 344 * allocated by ipc_get into the namespace, and can fail. If 345 * successful, it returns with the namespace lock and p_lock held. 346 * ipc_commit_end completes the process of inserting an object into 347 * the namespace and can't fail. The facility can call ipc_cleanup 348 * at any time following a successful ipc_get and before 349 * ipc_commit_end or a failed ipc_commit_begin to fail the 350 * allocation. Pseudocode for the suggested GET implementation: 351 * 352 * top: 353 * 354 * ipc_get 355 * 356 * if failure 357 * return 358 * 359 * if found { 360 * 361 * if object meets criteria 362 * unlock object and return success 363 * else 364 * unlock object and return failure 365 * 366 * } else { 367 * 368 * perform resource control tests 369 * drop namespace lock, p_lock 370 * if failure 371 * ipc_cleanup 372 * 373 * perform facility-specific initialization 374 * if failure { 375 * facility-specific cleanup 376 * ipc_cleanup 377 * } 378 * 379 * ( At this point the object should be destructible using the 380 * destructor given to ipcs_create ) 381 * 382 * ipc_commit_begin 383 * if retry 384 * goto top 385 * else if failure 386 * return 387 * 388 * perform facility-specific resource control tests/allocations 389 * if failure 390 * ipc_cleanup 391 * 392 * ipc_commit_end 393 * perform any infallible post-creation actions, unlock, and return 394 * 395 * } 396 * 397 * ipc_rmid 398 * 399 * Performs the common portion of an RMID operation -- looks up an ID 400 * removes it, and calls the a facility-specific function to do 401 * RMID-time cleanup on the private portions of the object. 402 * 403 * ipc_ids 404 * 405 * Performs the common portion of an IDS operation. 406 * 407 */ 408 409 #include <sys/types.h> 410 #include <sys/param.h> 411 #include <sys/cred.h> 412 #include <sys/policy.h> 413 #include <sys/proc.h> 414 #include <sys/user.h> 415 #include <sys/ipc.h> 416 #include <sys/ipc_impl.h> 417 #include <sys/errno.h> 418 #include <sys/systm.h> 419 #include <sys/list.h> 420 #include <sys/atomic.h> 421 #include <sys/zone.h> 422 #include <sys/task.h> 423 #include <sys/modctl.h> 424 425 #include <c2/audit.h> 426 427 static struct modlmisc modlmisc = { 428 &mod_miscops, 429 "common ipc code", 430 }; 431 432 static struct modlinkage modlinkage = { 433 MODREV_1, (void *)&modlmisc, NULL 434 }; 435 436 437 int 438 _init(void) 439 { 440 return (mod_install(&modlinkage)); 441 } 442 443 int 444 _fini(void) 445 { 446 return (mod_remove(&modlinkage)); 447 } 448 449 int 450 _info(struct modinfo *modinfop) 451 { 452 return (mod_info(&modlinkage, modinfop)); 453 } 454 455 456 /* 457 * Check message, semaphore, or shared memory access permissions. 458 * 459 * This routine verifies the requested access permission for the current 460 * process. The zone ids are compared, and the appropriate bits are 461 * checked corresponding to owner, group (including the list of 462 * supplementary groups), or everyone. Zero is returned on success. 463 * On failure, the security policy is asked to check to override the 464 * permissions check; the policy will either return 0 for access granted 465 * or EACCES. 466 * 467 * Access to objects in other zones requires that the caller be in the 468 * global zone and have the appropriate IPC_DAC_* privilege, regardless 469 * of whether the uid or gid match those of the object. Note that 470 * cross-zone accesses will normally never get here since they'll 471 * fail in ipc_lookup or ipc_get. 472 * 473 * The arguments must be set up as follows: 474 * p - Pointer to permission structure to verify 475 * mode - Desired access permissions 476 */ 477 int 478 ipcperm_access(kipc_perm_t *p, int mode, cred_t *cr) 479 { 480 int shifts = 0; 481 uid_t uid = crgetuid(cr); 482 zoneid_t zoneid = getzoneid(); 483 484 if (p->ipc_zoneid == zoneid) { 485 if (uid != p->ipc_uid && uid != p->ipc_cuid) { 486 shifts += 3; 487 if (!groupmember(p->ipc_gid, cr) && 488 !groupmember(p->ipc_cgid, cr)) 489 shifts += 3; 490 } 491 492 mode &= ~(p->ipc_mode << shifts); 493 494 if (mode == 0) 495 return (0); 496 } else if (zoneid != GLOBAL_ZONEID) 497 return (EACCES); 498 499 return (secpolicy_ipc_access(cr, p, mode)); 500 } 501 502 /* 503 * There are two versions of the ipcperm_set/stat functions: 504 * ipcperm_??? - for use with IPC_SET/STAT 505 * ipcperm_???_64 - for use with IPC_SET64/STAT64 506 * 507 * These functions encapsulate the common portions (copying, permission 508 * checks, and auditing) of the set/stat operations. All, except for 509 * stat and stat_64 which are void, return 0 on success or a non-zero 510 * errno value on error. 511 */ 512 513 int 514 ipcperm_set(ipc_service_t *service, struct cred *cr, 515 kipc_perm_t *kperm, struct ipc_perm *perm, model_t model) 516 { 517 STRUCT_HANDLE(ipc_perm, lperm); 518 uid_t uid; 519 gid_t gid; 520 mode_t mode; 521 522 ASSERT(IPC_LOCKED(service, kperm)); 523 524 STRUCT_SET_HANDLE(lperm, model, perm); 525 uid = STRUCT_FGET(lperm, uid); 526 gid = STRUCT_FGET(lperm, gid); 527 mode = STRUCT_FGET(lperm, mode); 528 529 if (secpolicy_ipc_owner(cr, kperm) != 0) 530 return (EPERM); 531 532 if ((uid < 0) || (uid > MAXUID) || (gid < 0) || (gid > MAXUID)) 533 return (EINVAL); 534 535 kperm->ipc_uid = uid; 536 kperm->ipc_gid = gid; 537 kperm->ipc_mode = (mode & 0777) | (kperm->ipc_mode & ~0777); 538 539 #ifdef C2_AUDIT 540 if (audit_active) 541 audit_ipcget(service->ipcs_atype, kperm); 542 #endif 543 544 return (0); 545 } 546 547 void 548 ipcperm_stat(struct ipc_perm *perm, kipc_perm_t *kperm, model_t model) 549 { 550 STRUCT_HANDLE(ipc_perm, lperm); 551 552 STRUCT_SET_HANDLE(lperm, model, perm); 553 STRUCT_FSET(lperm, uid, kperm->ipc_uid); 554 STRUCT_FSET(lperm, gid, kperm->ipc_gid); 555 STRUCT_FSET(lperm, cuid, kperm->ipc_cuid); 556 STRUCT_FSET(lperm, cgid, kperm->ipc_cgid); 557 STRUCT_FSET(lperm, mode, kperm->ipc_mode); 558 STRUCT_FSET(lperm, seq, 0); 559 STRUCT_FSET(lperm, key, kperm->ipc_key); 560 } 561 562 int 563 ipcperm_set64(ipc_service_t *service, struct cred *cr, 564 kipc_perm_t *kperm, ipc_perm64_t *perm64) 565 { 566 ASSERT(IPC_LOCKED(service, kperm)); 567 568 if (secpolicy_ipc_owner(cr, kperm) != 0) 569 return (EPERM); 570 571 if ((perm64->ipcx_uid < 0) || (perm64->ipcx_uid > MAXUID) || 572 (perm64->ipcx_gid < 0) || (perm64->ipcx_gid > MAXUID)) 573 return (EINVAL); 574 575 kperm->ipc_uid = perm64->ipcx_uid; 576 kperm->ipc_gid = perm64->ipcx_gid; 577 kperm->ipc_mode = (perm64->ipcx_mode & 0777) | 578 (kperm->ipc_mode & ~0777); 579 580 #ifdef C2_AUDIT 581 if (audit_active) 582 audit_ipcget(service->ipcs_atype, kperm); 583 #endif 584 585 return (0); 586 } 587 588 void 589 ipcperm_stat64(ipc_perm64_t *perm64, kipc_perm_t *kperm) 590 { 591 perm64->ipcx_uid = kperm->ipc_uid; 592 perm64->ipcx_gid = kperm->ipc_gid; 593 perm64->ipcx_cuid = kperm->ipc_cuid; 594 perm64->ipcx_cgid = kperm->ipc_cgid; 595 perm64->ipcx_mode = kperm->ipc_mode; 596 perm64->ipcx_key = kperm->ipc_key; 597 perm64->ipcx_projid = kperm->ipc_proj->kpj_id; 598 perm64->ipcx_zoneid = kperm->ipc_zoneid; 599 } 600 601 602 /* 603 * ipc key comparator. 604 */ 605 static int 606 ipc_key_compar(const void *a, const void *b) 607 { 608 kipc_perm_t *aperm = (kipc_perm_t *)a; 609 kipc_perm_t *bperm = (kipc_perm_t *)b; 610 int ak = aperm->ipc_key; 611 int bk = bperm->ipc_key; 612 zoneid_t az; 613 zoneid_t bz; 614 615 ASSERT(ak != IPC_PRIVATE); 616 ASSERT(bk != IPC_PRIVATE); 617 618 /* 619 * Compare key first, then zoneid. This optimizes performance for 620 * systems with only one zone, since the zone checks will only be 621 * made when the keys match. 622 */ 623 if (ak < bk) 624 return (-1); 625 if (ak > bk) 626 return (1); 627 628 /* keys match */ 629 az = aperm->ipc_zoneid; 630 bz = bperm->ipc_zoneid; 631 if (az < bz) 632 return (-1); 633 if (az > bz) 634 return (1); 635 return (0); 636 } 637 638 /* 639 * Create an ipc service. 640 */ 641 ipc_service_t * 642 ipcs_create(const char *name, rctl_hndl_t proj_rctl, rctl_hndl_t zone_rctl, 643 size_t size, ipc_func_t *dtor, ipc_func_t *rmid, int audit_type, 644 size_t rctl_offset) 645 { 646 ipc_service_t *result; 647 648 result = kmem_alloc(sizeof (ipc_service_t), KM_SLEEP); 649 650 mutex_init(&result->ipcs_lock, NULL, MUTEX_ADAPTIVE, NULL); 651 result->ipcs_count = 0; 652 avl_create(&result->ipcs_keys, ipc_key_compar, size, 0); 653 result->ipcs_tabsz = IPC_IDS_MIN; 654 result->ipcs_table = 655 kmem_zalloc(IPC_IDS_MIN * sizeof (ipc_slot_t), KM_SLEEP); 656 result->ipcs_ssize = size; 657 result->ipcs_ids = id_space_create(name, 0, IPC_IDS_MIN); 658 result->ipcs_dtor = dtor; 659 result->ipcs_rmid = rmid; 660 result->ipcs_proj_rctl = proj_rctl; 661 result->ipcs_zone_rctl = zone_rctl; 662 result->ipcs_atype = audit_type; 663 ASSERT(rctl_offset < sizeof (ipc_rqty_t)); 664 result->ipcs_rctlofs = rctl_offset; 665 list_create(&result->ipcs_usedids, sizeof (kipc_perm_t), 666 offsetof(kipc_perm_t, ipc_list)); 667 668 return (result); 669 } 670 671 /* 672 * Destroy an ipc service. 673 */ 674 void 675 ipcs_destroy(ipc_service_t *service) 676 { 677 ipc_slot_t *slot, *next; 678 679 mutex_enter(&service->ipcs_lock); 680 681 ASSERT(service->ipcs_count == 0); 682 avl_destroy(&service->ipcs_keys); 683 list_destroy(&service->ipcs_usedids); 684 id_space_destroy(service->ipcs_ids); 685 686 for (slot = service->ipcs_table; slot; slot = next) { 687 next = slot[0].ipct_chain; 688 kmem_free(slot, service->ipcs_tabsz * sizeof (ipc_slot_t)); 689 service->ipcs_tabsz >>= 1; 690 } 691 692 mutex_destroy(&service->ipcs_lock); 693 kmem_free(service, sizeof (ipc_service_t)); 694 } 695 696 /* 697 * Takes the service lock. 698 */ 699 void 700 ipcs_lock(ipc_service_t *service) 701 { 702 mutex_enter(&service->ipcs_lock); 703 } 704 705 /* 706 * Releases the service lock. 707 */ 708 void 709 ipcs_unlock(ipc_service_t *service) 710 { 711 mutex_exit(&service->ipcs_lock); 712 } 713 714 715 /* 716 * Locks the specified ID. Returns the ID's ID table index. 717 */ 718 static int 719 ipc_lock_internal(ipc_service_t *service, uint_t id) 720 { 721 uint_t tabsz; 722 uint_t index; 723 kmutex_t *mutex; 724 725 for (;;) { 726 tabsz = service->ipcs_tabsz; 727 membar_consumer(); 728 index = id & (tabsz - 1); 729 mutex = &service->ipcs_table[index].ipct_lock; 730 mutex_enter(mutex); 731 if (tabsz == service->ipcs_tabsz) 732 break; 733 mutex_exit(mutex); 734 } 735 736 return (index); 737 } 738 739 /* 740 * Locks the specified ID. Returns a pointer to the ID's lock. 741 */ 742 kmutex_t * 743 ipc_lock(ipc_service_t *service, int id) 744 { 745 uint_t index; 746 747 /* 748 * These assertions don't reflect requirements of the code 749 * which follows, but they should never fail nonetheless. 750 */ 751 ASSERT(id >= 0); 752 ASSERT(IPC_INDEX(id) < service->ipcs_tabsz); 753 index = ipc_lock_internal(service, id); 754 755 return (&service->ipcs_table[index].ipct_lock); 756 } 757 758 /* 759 * Checks to see if the held lock provided is the current lock for the 760 * specified id. If so, we return it instead of dropping it and 761 * returning the result of ipc_lock. This is intended to speed up cv 762 * wakeups where we are left holding a lock which could be stale, but 763 * probably isn't. 764 */ 765 kmutex_t * 766 ipc_relock(ipc_service_t *service, int id, kmutex_t *lock) 767 { 768 ASSERT(id >= 0); 769 ASSERT(IPC_INDEX(id) < service->ipcs_tabsz); 770 ASSERT(MUTEX_HELD(lock)); 771 772 if (&service->ipcs_table[IPC_INDEX(id)].ipct_lock == lock) 773 return (lock); 774 775 mutex_exit(lock); 776 return (ipc_lock(service, id)); 777 } 778 779 /* 780 * Performs an ID lookup. If the ID doesn't exist or has been removed, 781 * or isn't visible to the caller (because of zones), NULL is returned. 782 * Otherwise, a pointer to the ID's perm structure and held ID lock are 783 * returned. 784 */ 785 kmutex_t * 786 ipc_lookup(ipc_service_t *service, int id, kipc_perm_t **perm) 787 { 788 kipc_perm_t *result; 789 uint_t index; 790 791 /* 792 * There is no need to check to see if id is in-range (i.e. 793 * positive and fits into the table). If it is out-of-range, 794 * the id simply won't match the object's. 795 */ 796 797 index = ipc_lock_internal(service, id); 798 result = service->ipcs_table[index].ipct_data; 799 if (result == NULL || result->ipc_id != (uint_t)id || 800 !HASZONEACCESS(curproc, result->ipc_zoneid)) { 801 mutex_exit(&service->ipcs_table[index].ipct_lock); 802 return (NULL); 803 } 804 805 ASSERT(IPC_SEQ(id) == service->ipcs_table[index].ipct_seq); 806 807 *perm = result; 808 #ifdef C2_AUDIT 809 if (audit_active) 810 audit_ipc(service->ipcs_atype, id, result); 811 #endif 812 813 return (&service->ipcs_table[index].ipct_lock); 814 } 815 816 /* 817 * Increase the reference count on an ID. 818 */ 819 /*ARGSUSED*/ 820 void 821 ipc_hold(ipc_service_t *s, kipc_perm_t *perm) 822 { 823 ASSERT(IPC_INDEX(perm->ipc_id) < s->ipcs_tabsz); 824 ASSERT(IPC_LOCKED(s, perm)); 825 perm->ipc_ref++; 826 } 827 828 /* 829 * Decrease the reference count on an ID and drops the ID's lock. 830 * Destroys the ID if the new reference count is zero. 831 */ 832 void 833 ipc_rele(ipc_service_t *s, kipc_perm_t *perm) 834 { 835 int nref; 836 837 ASSERT(IPC_INDEX(perm->ipc_id) < s->ipcs_tabsz); 838 ASSERT(IPC_LOCKED(s, perm)); 839 ASSERT(perm->ipc_ref > 0); 840 841 nref = --perm->ipc_ref; 842 mutex_exit(&s->ipcs_table[IPC_INDEX(perm->ipc_id)].ipct_lock); 843 844 if (nref == 0) { 845 ASSERT(IPC_FREE(perm)); /* ipc_rmid clears IPC_ALLOC */ 846 s->ipcs_dtor(perm); 847 project_rele(perm->ipc_proj); 848 zone_rele(perm->ipc_zone); 849 kmem_free(perm, s->ipcs_ssize); 850 } 851 } 852 853 /* 854 * Decrease the reference count on an ID, but don't drop the ID lock. 855 * Used in cases where one thread needs to remove many references (on 856 * behalf of other parties). 857 */ 858 void 859 ipc_rele_locked(ipc_service_t *s, kipc_perm_t *perm) 860 { 861 ASSERT(perm->ipc_ref > 1); 862 ASSERT(IPC_INDEX(perm->ipc_id) < s->ipcs_tabsz); 863 ASSERT(IPC_LOCKED(s, perm)); 864 865 perm->ipc_ref--; 866 } 867 868 869 /* 870 * Internal function to grow the service ID table. 871 */ 872 static int 873 ipc_grow(ipc_service_t *service) 874 { 875 ipc_slot_t *new, *old; 876 int i, oldsize, newsize; 877 878 ASSERT(MUTEX_HELD(&service->ipcs_lock)); 879 ASSERT(MUTEX_NOT_HELD(&curproc->p_lock)); 880 881 if (service->ipcs_tabsz == IPC_IDS_MAX) 882 return (ENOSPC); 883 884 oldsize = service->ipcs_tabsz; 885 newsize = oldsize << 1; 886 new = kmem_zalloc(newsize * sizeof (ipc_slot_t), KM_NOSLEEP); 887 if (new == NULL) 888 return (ENOSPC); 889 890 old = service->ipcs_table; 891 for (i = 0; i < oldsize; i++) { 892 mutex_enter(&old[i].ipct_lock); 893 mutex_enter(&new[i].ipct_lock); 894 895 new[i].ipct_seq = old[i].ipct_seq; 896 new[i].ipct_data = old[i].ipct_data; 897 old[i].ipct_data = NULL; 898 } 899 900 new[0].ipct_chain = old; 901 service->ipcs_table = new; 902 membar_producer(); 903 service->ipcs_tabsz = newsize; 904 905 for (i = 0; i < oldsize; i++) { 906 mutex_exit(&old[i].ipct_lock); 907 mutex_exit(&new[i].ipct_lock); 908 } 909 910 id_space_extend(service->ipcs_ids, oldsize, service->ipcs_tabsz); 911 912 return (0); 913 } 914 915 916 static int 917 ipc_keylookup(ipc_service_t *service, key_t key, int flag, kipc_perm_t **permp) 918 { 919 kipc_perm_t *perm = NULL; 920 avl_index_t where; 921 kipc_perm_t template; 922 923 ASSERT(MUTEX_HELD(&service->ipcs_lock)); 924 925 template.ipc_key = key; 926 template.ipc_zoneid = getzoneid(); 927 if (perm = avl_find(&service->ipcs_keys, &template, &where)) { 928 ASSERT(!IPC_FREE(perm)); 929 if ((flag & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL)) 930 return (EEXIST); 931 if ((flag & 0777) & ~perm->ipc_mode) { 932 #ifdef C2_AUDIT 933 if (audit_active) 934 audit_ipcget(NULL, (void *)perm); 935 #endif 936 return (EACCES); 937 } 938 *permp = perm; 939 return (0); 940 } else if (flag & IPC_CREAT) { 941 *permp = NULL; 942 return (0); 943 } 944 return (ENOENT); 945 } 946 947 static int 948 ipc_alloc_test(ipc_service_t *service, proc_t *pp) 949 { 950 ASSERT(MUTEX_HELD(&service->ipcs_lock)); 951 952 /* 953 * Resizing the table first would result in a cleaner code 954 * path, but would also allow a user to (permanently) double 955 * the id table size in cases where the allocation would be 956 * denied. Hence we test the rctl first. 957 */ 958 retry: 959 mutex_enter(&pp->p_lock); 960 if ((rctl_test(service->ipcs_proj_rctl, pp->p_task->tk_proj->kpj_rctls, 961 pp, 1, RCA_SAFE) & RCT_DENY) || 962 (rctl_test(service->ipcs_zone_rctl, pp->p_zone->zone_rctls, 963 pp, 1, RCA_SAFE) & RCT_DENY)) { 964 mutex_exit(&pp->p_lock); 965 return (ENOSPC); 966 } 967 968 if (service->ipcs_count == service->ipcs_tabsz) { 969 int error; 970 971 mutex_exit(&pp->p_lock); 972 if (error = ipc_grow(service)) 973 return (error); 974 goto retry; 975 } 976 977 return (0); 978 } 979 980 /* 981 * Given a key, search for or create the associated identifier. 982 * 983 * If IPC_CREAT is specified and the key isn't found, or if the key is 984 * equal to IPC_PRIVATE, we return 0 and place a pointer to a newly 985 * allocated object structure in permp. A pointer to the held service 986 * lock is placed in lockp. ipc_mode's IPC_ALLOC bit is clear. 987 * 988 * If the key is found and no error conditions arise, we return 0 and 989 * place a pointer to the existing object structure in permp. A 990 * pointer to the held ID lock is placed in lockp. ipc_mode's 991 * IPC_ALLOC bit is set. 992 * 993 * Otherwise, a non-zero errno value is returned. 994 */ 995 int 996 ipc_get(ipc_service_t *service, key_t key, int flag, kipc_perm_t **permp, 997 kmutex_t **lockp) 998 { 999 kipc_perm_t *perm = NULL; 1000 proc_t *pp = curproc; 1001 int error, index; 1002 cred_t *cr = CRED(); 1003 1004 if (key != IPC_PRIVATE) { 1005 1006 mutex_enter(&service->ipcs_lock); 1007 error = ipc_keylookup(service, key, flag, &perm); 1008 if (perm != NULL) 1009 index = ipc_lock_internal(service, perm->ipc_id); 1010 mutex_exit(&service->ipcs_lock); 1011 1012 if (error) { 1013 ASSERT(perm == NULL); 1014 return (error); 1015 } 1016 1017 if (perm) { 1018 ASSERT(!IPC_FREE(perm)); 1019 *permp = perm; 1020 *lockp = &service->ipcs_table[index].ipct_lock; 1021 return (0); 1022 } 1023 1024 /* Key not found; fall through */ 1025 } 1026 1027 perm = kmem_zalloc(service->ipcs_ssize, KM_SLEEP); 1028 1029 mutex_enter(&service->ipcs_lock); 1030 if (error = ipc_alloc_test(service, pp)) { 1031 mutex_exit(&service->ipcs_lock); 1032 kmem_free(perm, service->ipcs_ssize); 1033 return (error); 1034 } 1035 1036 perm->ipc_cuid = perm->ipc_uid = crgetuid(cr); 1037 perm->ipc_cgid = perm->ipc_gid = crgetgid(cr); 1038 perm->ipc_zoneid = getzoneid(); 1039 perm->ipc_mode = flag & 0777; 1040 perm->ipc_key = key; 1041 perm->ipc_ref = 1; 1042 perm->ipc_id = IPC_ID_INVAL; 1043 *permp = perm; 1044 *lockp = &service->ipcs_lock; 1045 1046 return (0); 1047 } 1048 1049 /* 1050 * Attempts to add the a newly created ID to the global namespace. If 1051 * creating it would cause an error, we return the error. If there is 1052 * the possibility that we could obtain the existing ID and return it 1053 * to the user, we return EAGAIN. Otherwise, we return 0 with p_lock 1054 * and the service lock held. 1055 * 1056 * Since this should be only called after all initialization has been 1057 * completed, on failure we automatically invoke the destructor for the 1058 * object and deallocate the memory associated with it. 1059 */ 1060 int 1061 ipc_commit_begin(ipc_service_t *service, key_t key, int flag, 1062 kipc_perm_t *newperm) 1063 { 1064 kipc_perm_t *perm; 1065 int error; 1066 proc_t *pp = curproc; 1067 1068 ASSERT(newperm->ipc_ref == 1); 1069 ASSERT(IPC_FREE(newperm)); 1070 1071 mutex_enter(&service->ipcs_lock); 1072 /* 1073 * Ensure that no-one has raced with us and created the key. 1074 */ 1075 if ((key != IPC_PRIVATE) && 1076 (((error = ipc_keylookup(service, key, flag, &perm)) != 0) || 1077 (perm != NULL))) { 1078 error = error ? error : EAGAIN; 1079 goto errout; 1080 } 1081 1082 /* 1083 * Ensure that no-one has raced with us and used the last of 1084 * the permissible ids, or the last of the free spaces in the 1085 * id table. 1086 */ 1087 if (error = ipc_alloc_test(service, pp)) 1088 goto errout; 1089 1090 /* 1091 * Set ipc_proj so ipc_cleanup cleans up necessary state. 1092 */ 1093 newperm->ipc_proj = pp->p_task->tk_proj; 1094 newperm->ipc_zone = pp->p_zone; 1095 1096 ASSERT(MUTEX_HELD(&service->ipcs_lock)); 1097 ASSERT(MUTEX_HELD(&pp->p_lock)); 1098 1099 return (0); 1100 errout: 1101 mutex_exit(&service->ipcs_lock); 1102 service->ipcs_dtor(newperm); 1103 kmem_free(newperm, service->ipcs_ssize); 1104 return (error); 1105 } 1106 1107 /* 1108 * Commit the ID allocation transaction. Called with p_lock and the 1109 * service lock held, both of which are dropped. Returns the held ID 1110 * lock so the caller can extract the ID and perform ipcget auditing. 1111 */ 1112 kmutex_t * 1113 ipc_commit_end(ipc_service_t *service, kipc_perm_t *perm) 1114 { 1115 ipc_slot_t *slot; 1116 avl_index_t where; 1117 int index; 1118 void *loc; 1119 1120 ASSERT(MUTEX_HELD(&service->ipcs_lock)); 1121 ASSERT(MUTEX_HELD(&curproc->p_lock)); 1122 1123 (void) project_hold(perm->ipc_proj); 1124 (void) zone_hold(perm->ipc_zone); 1125 mutex_exit(&curproc->p_lock); 1126 1127 /* 1128 * Pick out our slot. 1129 */ 1130 service->ipcs_count++; 1131 index = id_alloc(service->ipcs_ids); 1132 ASSERT(index < service->ipcs_tabsz); 1133 slot = &service->ipcs_table[index]; 1134 mutex_enter(&slot->ipct_lock); 1135 ASSERT(slot->ipct_data == NULL); 1136 1137 /* 1138 * Update the perm structure. 1139 */ 1140 perm->ipc_mode |= IPC_ALLOC; 1141 perm->ipc_id = (slot->ipct_seq << IPC_SEQ_SHIFT) | index; 1142 1143 /* 1144 * Push into global visibility. 1145 */ 1146 slot->ipct_data = perm; 1147 if (perm->ipc_key != IPC_PRIVATE) { 1148 loc = avl_find(&service->ipcs_keys, perm, &where); 1149 ASSERT(loc == NULL); 1150 avl_insert(&service->ipcs_keys, perm, where); 1151 } 1152 list_insert_head(&service->ipcs_usedids, perm); 1153 1154 /* 1155 * Update resource consumption. 1156 */ 1157 IPC_PROJ_USAGE(perm, service) += 1; 1158 IPC_ZONE_USAGE(perm, service) += 1; 1159 1160 mutex_exit(&service->ipcs_lock); 1161 return (&slot->ipct_lock); 1162 } 1163 1164 /* 1165 * Clean up function, in case the allocation fails. If called between 1166 * ipc_lookup and ipc_commit_begin, perm->ipc_proj will be 0 and we 1167 * merely free the perm structure. If called after ipc_commit_begin, 1168 * we also drop locks and call the ID's destructor. 1169 */ 1170 void 1171 ipc_cleanup(ipc_service_t *service, kipc_perm_t *perm) 1172 { 1173 ASSERT(IPC_FREE(perm)); 1174 if (perm->ipc_proj) { 1175 mutex_exit(&curproc->p_lock); 1176 mutex_exit(&service->ipcs_lock); 1177 service->ipcs_dtor(perm); 1178 } 1179 kmem_free(perm, service->ipcs_ssize); 1180 } 1181 1182 1183 /* 1184 * Common code to remove an IPC object. This should be called after 1185 * all permissions checks have been performed, and with the service 1186 * and ID locked. Note that this does not remove the object from 1187 * the ipcs_usedids list (this needs to be done by the caller before 1188 * dropping the service lock). 1189 */ 1190 static void 1191 ipc_remove(ipc_service_t *service, kipc_perm_t *perm) 1192 { 1193 int id = perm->ipc_id; 1194 int index; 1195 1196 ASSERT(MUTEX_HELD(&service->ipcs_lock)); 1197 ASSERT(IPC_LOCKED(service, perm)); 1198 1199 index = IPC_INDEX(id); 1200 1201 service->ipcs_table[index].ipct_data = NULL; 1202 1203 if (perm->ipc_key != IPC_PRIVATE) 1204 avl_remove(&service->ipcs_keys, perm); 1205 list_remove(&service->ipcs_usedids, perm); 1206 perm->ipc_mode &= ~IPC_ALLOC; 1207 1208 id_free(service->ipcs_ids, index); 1209 1210 if (service->ipcs_table[index].ipct_seq++ == IPC_SEQ_MASK) 1211 service->ipcs_table[index].ipct_seq = 0; 1212 service->ipcs_count--; 1213 ASSERT(IPC_PROJ_USAGE(perm, service) > 0); 1214 ASSERT(IPC_ZONE_USAGE(perm, service) > 0); 1215 IPC_PROJ_USAGE(perm, service) -= 1; 1216 IPC_ZONE_USAGE(perm, service) -= 1; 1217 ASSERT(service->ipcs_count || ((IPC_PROJ_USAGE(perm, service) == 0) && 1218 (IPC_ZONE_USAGE(perm, service) == 0))); 1219 } 1220 1221 1222 /* 1223 * Common code to perform an IPC_RMID. Returns an errno value on 1224 * failure, 0 on success. 1225 */ 1226 int 1227 ipc_rmid(ipc_service_t *service, int id, cred_t *cr) 1228 { 1229 kipc_perm_t *perm; 1230 kmutex_t *lock; 1231 1232 mutex_enter(&service->ipcs_lock); 1233 1234 lock = ipc_lookup(service, id, &perm); 1235 if (lock == NULL) { 1236 mutex_exit(&service->ipcs_lock); 1237 return (EINVAL); 1238 } 1239 1240 ASSERT(service->ipcs_count > 0); 1241 1242 if (secpolicy_ipc_owner(cr, perm) != 0) { 1243 mutex_exit(lock); 1244 mutex_exit(&service->ipcs_lock); 1245 return (EPERM); 1246 } 1247 1248 /* 1249 * Nothing can fail from this point on. 1250 */ 1251 ipc_remove(service, perm); 1252 mutex_exit(&service->ipcs_lock); 1253 1254 /* perform any per-service removal actions */ 1255 service->ipcs_rmid(perm); 1256 1257 ipc_rele(service, perm); 1258 1259 return (0); 1260 } 1261 1262 /* 1263 * Implementation for shmids, semids, and msgids. buf is the address 1264 * of the user buffer, nids is the size, and pnids is a pointer to 1265 * where we write the actual number of ids that [would] have been 1266 * copied out. 1267 */ 1268 int 1269 ipc_ids(ipc_service_t *service, int *buf, uint_t nids, uint_t *pnids) 1270 { 1271 kipc_perm_t *perm; 1272 size_t idsize = 0; 1273 int error = 0; 1274 int idcount; 1275 int *ids; 1276 int numids = 0; 1277 zoneid_t zoneid = getzoneid(); 1278 int global = INGLOBALZONE(curproc); 1279 1280 if (buf == NULL) 1281 nids = 0; 1282 1283 /* 1284 * Get an accurate count of the total number of ids, and allocate a 1285 * staging buffer. Since ipcs_count is always sane, we don't have 1286 * to take ipcs_lock for our first guess. If there are no ids, or 1287 * we're in the global zone and the number of ids is greater than 1288 * the size of the specified buffer, we shunt to the end. Otherwise, 1289 * we go through the id list looking for (and counting) what is 1290 * visible in the specified zone. 1291 */ 1292 idcount = service->ipcs_count; 1293 for (;;) { 1294 if ((global && idcount > nids) || idcount == 0) { 1295 numids = idcount; 1296 nids = 0; 1297 goto out; 1298 } 1299 1300 idsize = idcount * sizeof (int); 1301 ids = kmem_alloc(idsize, KM_SLEEP); 1302 1303 mutex_enter(&service->ipcs_lock); 1304 if (idcount >= service->ipcs_count) 1305 break; 1306 idcount = service->ipcs_count; 1307 mutex_exit(&service->ipcs_lock); 1308 1309 if (idsize != 0) { 1310 kmem_free(ids, idsize); 1311 idsize = 0; 1312 } 1313 } 1314 1315 for (perm = list_head(&service->ipcs_usedids); perm != NULL; 1316 perm = list_next(&service->ipcs_usedids, perm)) { 1317 ASSERT(!IPC_FREE(perm)); 1318 if (global || perm->ipc_zoneid == zoneid) 1319 ids[numids++] = perm->ipc_id; 1320 } 1321 mutex_exit(&service->ipcs_lock); 1322 1323 /* 1324 * If there isn't enough space to hold all of the ids, just 1325 * return the number of ids without copying out any of them. 1326 */ 1327 if (nids < numids) 1328 nids = 0; 1329 1330 out: 1331 if (suword32(pnids, (uint32_t)numids) || 1332 (nids != 0 && copyout(ids, buf, numids * sizeof (int)))) 1333 error = EFAULT; 1334 if (idsize != 0) 1335 kmem_free(ids, idsize); 1336 return (error); 1337 } 1338 1339 /* 1340 * Destroy IPC objects from the given service that are associated with 1341 * the given zone. 1342 * 1343 * We can't hold on to the service lock when freeing objects, so we 1344 * first search the service and move all the objects to a private 1345 * list, then walk through and free them after dropping the lock. 1346 */ 1347 void 1348 ipc_remove_zone(ipc_service_t *service, zoneid_t zoneid) 1349 { 1350 kipc_perm_t *perm, *next; 1351 list_t rmlist; 1352 kmutex_t *lock; 1353 1354 list_create(&rmlist, sizeof (kipc_perm_t), 1355 offsetof(kipc_perm_t, ipc_list)); 1356 1357 mutex_enter(&service->ipcs_lock); 1358 for (perm = list_head(&service->ipcs_usedids); perm != NULL; 1359 perm = next) { 1360 next = list_next(&service->ipcs_usedids, perm); 1361 if (perm->ipc_zoneid != zoneid) 1362 continue; 1363 1364 /* 1365 * Remove the object from the service, then put it on 1366 * the removal list so we can defer the call to 1367 * ipc_rele (which will actually free the structure). 1368 * We need to do this since the destructor may grab 1369 * the service lock. 1370 */ 1371 ASSERT(!IPC_FREE(perm)); 1372 lock = ipc_lock(service, perm->ipc_id); 1373 ipc_remove(service, perm); 1374 mutex_exit(lock); 1375 list_insert_tail(&rmlist, perm); 1376 } 1377 mutex_exit(&service->ipcs_lock); 1378 1379 /* 1380 * Now that we've dropped the service lock, loop through the 1381 * private list freeing removed objects. 1382 */ 1383 for (perm = list_head(&rmlist); perm != NULL; perm = next) { 1384 next = list_next(&rmlist, perm); 1385 list_remove(&rmlist, perm); 1386 1387 (void) ipc_lock(service, perm->ipc_id); 1388 1389 /* perform any per-service removal actions */ 1390 service->ipcs_rmid(perm); 1391 1392 /* release reference */ 1393 ipc_rele(service, perm); 1394 } 1395 1396 list_destroy(&rmlist); 1397 } 1398