xref: /titanic_44/usr/src/cmd/sgs/rtld/common/remove.c (revision e61f9225a04b4fd585d00a48ef90f7948290b900)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * Remove objects.  Objects need removal from a process as part of:
29  *
30  *  o	a dlclose() request
31  *
32  *  o	tearing down a dlopen(), lazy-load, or filter hierarchy that failed to
33  *	completely load
34  *
35  * Any other failure condition will result in process exit (in which case all
36  * we have to do is execute the fini's - tear down is unnecessary).
37  *
38  * Any removal of objects is therefore associated with a dlopen() handle.  There
39  * is a small window between creation of the first dlopen() object and creating
40  * its handle (in which case remove_so() can get rid of the new link-map if
41  * necessary), but other than this all object removal is driven by inspecting
42  * the components of a handle.
43  *
44  * Things to note.  The creation of a link-map, and its addition to the link-map
45  * list occurs in {elf|aout}_new_lm(), if this returns success the link-map is
46  * valid and added, otherwise any steps (allocations) in the process of creating
47  * the link-map would have been undone.  If a failure occurs between creating
48  * the link-map and adding it to a handle, remove_so() is called to remove the
49  * link-map.  If a failures occurs after a handle have been created,
50  * remove_hdl() is called to remove the handle and the link-map.
51  */
52 
53 #include	<string.h>
54 #include	<stdio.h>
55 #include	<unistd.h>
56 #include	<dlfcn.h>
57 #include	<sys/debug.h>
58 #include	<sys/avl.h>
59 #include	<libc_int.h>
60 #include	<debug.h>
61 #include	"_rtld.h"
62 #include	"_audit.h"
63 #include	"_elf.h"
64 #include	"msg.h"
65 
66 /*
67  * Atexit callback provided by libc.  As part of dlclose() determine the address
68  * ranges of all objects that are to be deleted.  Pass this information to
69  * libc's pre-atexit routine.  Libc will purge any registered atexit() calls
70  * related to those objects about to be deleted.
71  */
72 static int
73 purge_exit_handlers(Lm_list *lml, Rt_map **tobj)
74 {
75 	uint_t			num;
76 	Rt_map			**_tobj;
77 	Lc_addr_range_t		*addr, *_addr;
78 	int			error;
79 	int			(*fptr)(Lc_addr_range_t *, uint_t);
80 
81 	/*
82 	 * Has a callback been established?
83 	 */
84 	if ((fptr = lml->lm_lcs[CI_ATEXIT].lc_un.lc_func) == NULL)
85 		return (0);
86 
87 	/*
88 	 * Determine the total number of mapped segments that will be unloaded.
89 	 */
90 	for (num = 0, _tobj = tobj; *_tobj != NULL; _tobj++) {
91 		Rt_map	*lmp = *_tobj;
92 
93 		num += MMAPCNT(lmp);
94 	}
95 
96 	/*
97 	 * Account for a null entry at the end of the address range array.
98 	 */
99 	if (num++ == 0)
100 		return (0);
101 
102 	/*
103 	 * Allocate an array for the address range.
104 	 */
105 	if ((addr = malloc(num * sizeof (Lc_addr_range_t))) == NULL)
106 		return (1);
107 
108 	/*
109 	 * Fill the address range with each loadable segments size and address.
110 	 */
111 	for (_tobj = tobj, _addr = addr; *_tobj != NULL; _tobj++) {
112 		Rt_map			*lmp = *_tobj;
113 		mmapobj_result_t	*mpp = MMAPS(lmp);
114 		uint_t			ndx;
115 
116 		for (ndx = 0; ndx < MMAPCNT(lmp); ndx++, mpp++) {
117 			_addr->lb = (void *)(uintptr_t)(mpp->mr_addr +
118 			    mpp->mr_offset);
119 			_addr->ub = (void *)(uintptr_t)(mpp->mr_addr +
120 			    mpp->mr_msize);
121 			_addr++;
122 		}
123 	}
124 	_addr->lb = _addr->ub = 0;
125 
126 	leave(LIST(*tobj), 0);
127 	error = (*fptr)(addr, (num - 1));
128 	(void) enter(0);
129 
130 	/*
131 	 * If we fail to converse with libc, generate an error message to
132 	 * satisfy any dlerror() usage.
133 	 */
134 	if (error)
135 		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_ARG_ATEXIT), error);
136 
137 	free(addr);
138 	return (error);
139 }
140 
141 /*
142  * Break down an Alist containing pathname descriptors.  In most instances, the
143  * Alist is cleaned of all entries, but retained for later use.
144  */
145 void
146 remove_plist(Alist **alpp, int complete)
147 {
148 	Alist	*alp = *alpp;
149 
150 	if (alp) {
151 		if (complete) {
152 			free((void *)alp);
153 			*alpp = NULL;
154 		} else {
155 			alp->al_nitems = 0;
156 			alp->al_next = ALIST_OFF_DATA;
157 		}
158 	}
159 }
160 
161 /*
162  * Remove a link-map list descriptor.  This is called to finalize the removal
163  * of an entire link-map list, after all link-maps have been removed, or none
164  * got added.  As load_one() can process a list of potential candidate objects,
165  * the link-map descriptor must be maintained as each object is processed.  Only
166  * after all objects have been processed can a failure condition finally tear
167  * down the link-map list descriptor.
168  */
169 void
170 remove_lml(Lm_list *lml)
171 {
172 	if (lml && (lml->lm_head == NULL)) {
173 		/*
174 		 * As a whole link-map list is being removed, the debuggers
175 		 * would have been alerted of this deletion (or an addition
176 		 * in the case we're here to clean up from a failure).  Set
177 		 * the main link-map list so that a consistent registration
178 		 * can be signaled to the debuggers when we leave ld.so.1.
179 		 */
180 		lml_main.lm_flags |= LML_FLG_DBNOTIF;
181 
182 		if (lml->lm_lmidstr)
183 			free(lml->lm_lmidstr);
184 		if (lml->lm_alp)
185 			free(lml->lm_alp);
186 		if (lml->lm_lists)
187 			free(lml->lm_lists);
188 		if (lml->lm_actaudit)
189 			free(lml->lm_actaudit);
190 
191 		/*
192 		 * Cleanup any pending RTLDINFO in the case where it was
193 		 * allocated but not called (see _relocate_lmc()).
194 		 */
195 		if (lml->lm_rti)
196 			free(lml->lm_rti);
197 		if (lml->lm_fpavl) {
198 			/*
199 			 * As we are freeing the link-map list, all nodes must
200 			 * have previously been removed.
201 			 */
202 			ASSERT(avl_numnodes(lml->lm_fpavl) == 0);
203 			free(lml->lm_fpavl);
204 		}
205 		list_delete(&dynlm_list, lml);
206 		free(lml);
207 	}
208 }
209 
210 /*
211  * Remove a link-map.  This removes a link-map from its associated list and
212  * free's up the link-map itself.  Note, all components that are freed are local
213  * to the link-map, no inter-link-map lists are operated on as these are all
214  * broken down by dlclose() while all objects are still mapped.
215  *
216  * This routine is called from dlclose() to zap individual link-maps after their
217  * interdependencies (DEPENDS(), CALLER(), handles, etc.) have been removed.
218  * This routine is also called from the bowels of load_one() in the case of a
219  * link-map creation failure.
220  */
221 void
222 remove_so(Lm_list *lml, Rt_map *lmp)
223 {
224 	Dyninfo *dip;
225 
226 	if (lmp == NULL)
227 		return;
228 
229 	/*
230 	 * Unlink the link map from the link-map list.
231 	 */
232 	if (lml && lmp)
233 		lm_delete(lml, lmp);
234 
235 	/*
236 	 * If this object contributed any local external vectors for the current
237 	 * link-map list, remove the vectors.  If this object contributed any
238 	 * global external vectors we should find some new candidates, or leave
239 	 * this object lying around.
240 	 */
241 	if (lml) {
242 		int	tag;
243 
244 		for (tag = 0; tag < CI_MAX; tag++) {
245 			if (lml->lm_lcs[tag].lc_lmp == lmp) {
246 				lml->lm_lcs[tag].lc_lmp = NULL;
247 				lml->lm_lcs[tag].lc_un.lc_val = 0;
248 			}
249 			if (glcs[tag].lc_lmp == lmp) {
250 				ASSERT(glcs[tag].lc_lmp != NULL);
251 				glcs[tag].lc_lmp = NULL;
252 				glcs[tag].lc_un.lc_val = 0;
253 			}
254 		}
255 	}
256 
257 	DBG_CALL(Dbg_file_delete(lmp));
258 
259 	/*
260 	 * If this is a temporary link-map, put in place to facilitate the
261 	 * link-edit or a relocatable object, then the link-map contains no
262 	 * information that needs to be cleaned up.
263 	 */
264 	if (FLAGS(lmp) & FLG_RT_OBJECT)
265 		return;
266 
267 	/*
268 	 * Remove any FullpathNode AVL names if they still exist.
269 	 */
270 	if (FPNODE(lmp))
271 		fpavl_remove(lmp);
272 
273 	/*
274 	 * Remove any alias names.
275 	 */
276 	if (ALIAS(lmp))
277 		free(ALIAS(lmp));
278 
279 	/*
280 	 * Remove any of this objects filtee infrastructure.  The filtees them-
281 	 * selves have already been removed.
282 	 */
283 	if (((dip = DYNINFO(lmp)) != NULL) && (FLAGS1(lmp) & MSK_RT_FILTER)) {
284 		uint_t	cnt, max = DYNINFOCNT(lmp);
285 
286 		for (cnt = 0; cnt < max; cnt++, dip++) {
287 			if ((dip->di_info == NULL) ||
288 			    ((dip->di_flags & MSK_DI_FILTER) == 0))
289 				continue;
290 
291 			remove_plist((Alist **)&(dip->di_info), 1);
292 		}
293 	}
294 
295 	/*
296 	 * Deallocate any remaining cruft and free the link-map.
297 	 */
298 	if (RLIST(lmp))
299 		remove_plist(&RLIST(lmp), 1);
300 
301 	if (AUDITORS(lmp))
302 		audit_desc_cleanup(lmp);
303 	if (AUDINFO(lmp))
304 		audit_info_cleanup(lmp);
305 
306 	/*
307 	 * Note that COPY_R() and COPY_S() reference the same memory
308 	 * location, and that we want to release the memory referenced
309 	 * without regard to which list it logically belongs to. We can
310 	 * use either pointer to do this.
311 	 */
312 	if (COPY_R(lmp))
313 		free(COPY_R(lmp));
314 
315 	/*
316 	 * During a dlclose() any groups this object was a part of will have
317 	 * been torn down.  However, we can get here to remove an object that
318 	 * has failed to load, perhaps because its addition to a handle failed.
319 	 * Therefore if this object indicates that its part of a group tear
320 	 * these associations down.
321 	 */
322 	if (GROUPS(lmp) != NULL) {
323 		Aliste	idx1;
324 		Grp_hdl	*ghp;
325 
326 		for (APLIST_TRAVERSE(GROUPS(lmp), idx1, ghp)) {
327 			Grp_desc	*gdp;
328 			Aliste		idx2;
329 
330 			for (ALIST_TRAVERSE(ghp->gh_depends, idx2, gdp)) {
331 				if (gdp->gd_depend != lmp)
332 					continue;
333 
334 				alist_delete(ghp->gh_depends, &idx2);
335 				break;
336 			}
337 		}
338 		free(GROUPS(lmp));
339 	}
340 	if (HANDLES(lmp))
341 		free(HANDLES(lmp));
342 
343 	/*
344 	 * Clean up reglist if needed
345 	 */
346 	if (reglist) {
347 		Reglist	*cur, *prv, *del;
348 
349 		cur = prv = reglist;
350 		while (cur) {
351 			if (cur->rl_lmp == lmp) {
352 				del = cur;
353 				if (cur == reglist) {
354 					reglist = cur->rl_next;
355 					cur = prv = reglist;
356 				} else {
357 					prv->rl_next = cur->rl_next;
358 					cur = cur->rl_next;
359 				}
360 				free(del);
361 			} else {
362 				prv = cur;
363 				cur = cur->rl_next;
364 			}
365 		}
366 	}
367 
368 	/*
369 	 * If this link map represents a relocatable object concatenation, then
370 	 * the image was simply generated in allocated memory.  Free the memory.
371 	 * Note: memory maps were fabricated for the relocatable object, and
372 	 * the mapping infrastructure must be free'd, but there are no address
373 	 * mappings that must be unmapped.
374 	 *
375 	 * Otherwise, unmap the object.
376 	 */
377 	if (FLAGS(lmp) & FLG_RT_IMGALLOC)
378 		free((void *)ADDR(lmp));
379 
380 	if (MMAPS(lmp)) {
381 		if ((FLAGS(lmp) & FLG_RT_IMGALLOC) == 0)
382 			unmap_obj(MMAPS(lmp), MMAPCNT(lmp));
383 		free(MMAPS(lmp));
384 	}
385 
386 	free(lmp);
387 }
388 
389 /*
390  * Traverse an objects dependency list removing callers and dependencies.
391  * There's a chicken and egg problem with tearing down link-maps.  Any
392  * relationship between link-maps is maintained on a DEPENDS list, and an
393  * associated CALLERS list.  These lists can't be broken down at the time a
394  * single link-map is removed, as any related link-map may have already been
395  * removed.  Thus, lists between link-maps must be broken down before the
396  * individual link-maps themselves.
397  */
398 static void
399 remove_lists(Rt_map *lmp, int lazy)
400 {
401 	Aliste		idx1;
402 	Bnd_desc	*bdp;
403 
404 	/*
405 	 * First, traverse this objects dependencies.
406 	 */
407 	for (APLIST_TRAVERSE(DEPENDS(lmp), idx1, bdp)) {
408 		Rt_map		*dlmp = bdp->b_depend;
409 
410 		/*
411 		 * Remove this object from the dependencies callers.
412 		 */
413 		(void) aplist_delete_value(CALLERS(dlmp), bdp);
414 		free(bdp);
415 	}
416 	if (DEPENDS(lmp)) {
417 		free(DEPENDS(lmp));
418 		DEPENDS(lmp) = NULL;
419 	}
420 
421 	/*
422 	 * Second, traverse this objects callers.
423 	 */
424 	for (APLIST_TRAVERSE(CALLERS(lmp), idx1,  bdp)) {
425 		Rt_map		*clmp = bdp->b_caller;
426 		Dyninfo		*dip;
427 
428 		/*
429 		 * If we're removing an object that was triggered by a lazyload,
430 		 * remove the callers DYNINFO() entry and bump the lazy counts.
431 		 * This reinitialization of the lazy information allows a lazy
432 		 * object to be reloaded again later.  Although we may be
433 		 * breaking down a group of lazyloaded objects because one has
434 		 * failed to relocate, it's possible that one or more of the
435 		 * individual objects can be reloaded without a problem.
436 		 */
437 		if (lazy && ((dip = DYNINFO(clmp)) != NULL)) {
438 			uint_t	cnt, max = DYNINFOCNT(clmp);
439 
440 			for (cnt = 0; cnt < max; cnt++, dip++) {
441 				if ((dip->di_flags & FLG_DI_LAZY) == 0)
442 					continue;
443 
444 				if (dip->di_info == (void *)lmp) {
445 					dip->di_info = NULL;
446 
447 					if (LAZY(clmp)++ == 0)
448 						LIST(clmp)->lm_lazy++;
449 				}
450 			}
451 		}
452 
453 		(void) aplist_delete_value(DEPENDS(clmp), bdp);
454 		free(bdp);
455 	}
456 	if (CALLERS(lmp)) {
457 		free(CALLERS(lmp));
458 		CALLERS(lmp) = NULL;
459 	}
460 }
461 
462 /*
463  * Delete any temporary link-map control list.
464  */
465 void
466 remove_cntl(Lm_list *lml, Aliste lmco)
467 {
468 	if (lmco && (lmco != ALIST_OFF_DATA)) {
469 		Aliste	_lmco = lmco;
470 #if	DEBUG
471 		Lm_cntl	*lmc;
472 
473 		lmc = (Lm_cntl *)alist_item_by_offset(lml->lm_lists, lmco);
474 
475 		/*
476 		 * This element should be empty.
477 		 */
478 		ASSERT(lmc->lc_head == NULL);
479 #endif
480 		alist_delete_by_offset(lml->lm_lists, &_lmco);
481 	}
482 }
483 
484 /*
485  * If a lazy loaded object, or filtee fails to load, possibly because it, or
486  * one of its dependencies can't be relocated, then tear down any objects
487  * that are apart of this link-map control list.
488  */
489 static void
490 remove_incomplete(Lm_list *lml, Aliste lmco)
491 {
492 	Rt_map	*lmp;
493 	Lm_cntl	*lmc;
494 
495 	/* LINTED */
496 	lmc = (Lm_cntl *)alist_item_by_offset(lml->lm_lists, lmco);
497 
498 	/*
499 	 * First, remove any lists that may point between objects.
500 	 */
501 	for (lmp = lmc->lc_head; lmp; lmp = NEXT_RT_MAP(lmp))
502 		remove_lists(lmp, 1);
503 
504 	/*
505 	 * Finally, remove each object.  remove_so() calls lm_delete(), thus
506 	 * effectively the link-map control head gets updated to point to the
507 	 * next link-map.
508 	 */
509 	while ((lmp = lmc->lc_head) != NULL)
510 		remove_so(lml, lmp);
511 
512 	lmc->lc_head = lmc->lc_tail = NULL;
513 }
514 
515 /*
516  * Determine whether an object is deletable.
517  */
518 static int
519 is_deletable(APlist **lmalp, APlist **ghalp, Rt_map *lmp)
520 {
521 	Aliste		idx;
522 	Bnd_desc	*bdp;
523 	Grp_hdl		*ghp;
524 
525 	/*
526 	 * If the object hasn't yet been relocated take this as a sign that
527 	 * it's loading failed, thus we're here to cleanup.  If the object is
528 	 * relocated it will only be retained if it was marked non-deletable,
529 	 * and exists on the main link-map control list.
530 	 */
531 	if ((FLAGS(lmp) & FLG_RT_RELOCED) &&
532 	    (MODE(lmp) & RTLD_NODELETE) && (CNTL(lmp) == ALIST_OFF_DATA))
533 		return (0);
534 
535 	/*
536 	 * If this object is the head of a handle that has not been captured as
537 	 * a candidate for deletion, then this object is in use from a dlopen()
538 	 * outside of the scope of this dlclose() family.  Dlopen'ed objects,
539 	 * and filtees, have group descriptors for their callers.  Typically
540 	 * this parent will have callers that are not apart of this dlclose()
541 	 * family, and thus would be caught by the CALLERS test below.  However,
542 	 * if the caller had itself been dlopen'ed, it may not have any explicit
543 	 * callers registered for itself.  Thus, but looking for objects with
544 	 * handles we can ferret out these outsiders.
545 	 */
546 	for (APLIST_TRAVERSE(HANDLES(lmp), idx, ghp)) {
547 		if (aplist_test(ghalp, ghp, 0) != ALE_EXISTS)
548 			return (0);
549 	}
550 
551 	/*
552 	 * If this object is called by any object outside of the family of
553 	 * objects selected for deletion, it can't be deleted.
554 	 */
555 	for (APLIST_TRAVERSE(CALLERS(lmp), idx, bdp)) {
556 		if (aplist_test(lmalp, bdp->b_caller, 0) !=
557 		    ALE_EXISTS)
558 			return (0);
559 	}
560 
561 	/*
562 	 * This object is a candidate for deletion.
563 	 */
564 	return (1);
565 }
566 
567 /*
568  * Collect the groups (handles) and associated objects that are candidates for
569  * deletion.  The criteria for deleting an object is whether it is only refer-
570  * enced from the objects within the groups that are candidates for deletion.
571  */
572 static int
573 gdp_collect(APlist **ghalpp, APlist **lmalpp, Grp_hdl *ghp1)
574 {
575 	Aliste		idx1;
576 	Grp_desc	*gdp;
577 	int		action;
578 
579 	/*
580 	 * Add this group to our group collection.  If it isn't added either an
581 	 * allocation has failed, or it already exists.
582 	 */
583 	if ((action = aplist_test(ghalpp, ghp1, AL_CNT_GRPCLCT)) !=
584 	    ALE_CREATE)
585 		return (action);
586 
587 	/*
588 	 * Traverse the dependencies of the group and collect the associated
589 	 * objects.
590 	 */
591 	for (ALIST_TRAVERSE(ghp1->gh_depends, idx1, gdp)) {
592 		Rt_map	*lmp = gdp->gd_depend;
593 
594 		/*
595 		 * We only want to process dependencies for deletion.  Although
596 		 * we want to purge group descriptors for parents, we don't want
597 		 * to analyze the parent itself for additional filters or
598 		 * deletion.
599 		 */
600 		if ((gdp->gd_flags & GPD_PARENT) ||
601 		    ((gdp->gd_flags & GPD_ADDEPS) == 0))
602 			continue;
603 
604 		if ((action = aplist_test(lmalpp, lmp, AL_CNT_GRPCLCT)) ==
605 		    ALE_ALLOCFAIL)
606 			return (0);
607 		if (action == ALE_EXISTS)
608 			continue;
609 
610 		/*
611 		 * If this object is a candidate for deletion, determine if the
612 		 * object provides any filtees.  If so, the filter groups are
613 		 * added to the group collection.
614 		 *
615 		 * An object is a candidate for deletion if:
616 		 *
617 		 *  .	the object hasn't yet been relocated, in which case
618 		 *	we're here to clean up a failed load, or
619 		 *  .	the object doesn't reside on the base link-map control
620 		 *	list, in which case a group of objects, typically
621 		 *	lazily loaded, or filtees, need cleaning up, or
622 		 *  .   the object isn't tagged as non-deletable.
623 		 */
624 		if ((((FLAGS(lmp) & FLG_RT_RELOCED) == 0) ||
625 		    (CNTL(lmp) != ALIST_OFF_DATA) ||
626 		    ((MODE(lmp) & RTLD_NODELETE) == 0)) &&
627 		    (FLAGS1(lmp) & MSK_RT_FILTER)) {
628 			Dyninfo	*dip = DYNINFO(lmp);
629 			uint_t	cnt, max = DYNINFOCNT(lmp);
630 
631 			for (cnt = 0; cnt < max; cnt++, dip++) {
632 				Alist	*falp;
633 				Aliste	idx2;
634 				Pdesc	*pdp;
635 
636 				if (((falp = (Alist *)dip->di_info) == NULL) ||
637 				    ((dip->di_flags & MSK_DI_FILTER) == 0))
638 					continue;
639 
640 				for (ALIST_TRAVERSE(falp, idx2, pdp)) {
641 					Grp_hdl	*ghp2;
642 
643 					if ((pdp->pd_plen == 0) || ((ghp2 =
644 					    (Grp_hdl *)pdp->pd_info) == NULL))
645 						continue;
646 
647 					if (gdp_collect(ghalpp, lmalpp,
648 					    ghp2) == 0)
649 						return (0);
650 				}
651 			}
652 		}
653 	}
654 	return (1);
655 }
656 
657 /*
658  * Traverse the list of deletable candidates.  If an object can't be deleted
659  * then neither can its dependencies or filtees.  Any object that is cleared
660  * from being deleted drops the deletion count, plus, if there are no longer
661  * any deletions pending we can discontinue any further processing.
662  */
663 static int
664 remove_rescan(APlist *lmalp, APlist *ghalp, int *delcnt)
665 {
666 	Aliste		idx1;
667 	Rt_map		*lmp;
668 	int		rescan = 0;
669 
670 	for (APLIST_TRAVERSE(lmalp, idx1, lmp)) {
671 		Aliste		idx2;
672 		Bnd_desc	*bdp;
673 		Dyninfo		*dip;
674 		uint_t		cnt, max;
675 
676 		if (FLAGS(lmp) & FLG_RT_DELETE)
677 			continue;
678 
679 		/*
680 		 * As this object can't be deleted, make sure its dependencies
681 		 * aren't deleted either.
682 		 */
683 		for (APLIST_TRAVERSE(DEPENDS(lmp), idx2, bdp)) {
684 			Rt_map	*dlmp = bdp->b_depend;
685 
686 			if (FLAGS(dlmp) & FLG_RT_DELETE) {
687 				FLAGS(dlmp) &= ~FLG_RT_DELETE;
688 				if (--(*delcnt) == 0)
689 					return (0);
690 				rescan = 1;
691 			}
692 		}
693 
694 		/*
695 		 * If this object is a filtee and one of its filters is outside
696 		 * of this dlclose family, then it can't be deleted either.
697 		 */
698 		if ((FLAGS1(lmp) & MSK_RT_FILTER) == 0)
699 			continue;
700 
701 		dip = DYNINFO(lmp);
702 		max = DYNINFOCNT(lmp);
703 
704 		for (cnt = 0; cnt < max; cnt++, dip++) {
705 			Alist	*falp;
706 			Pdesc	*pdp;
707 
708 			if (((falp = (Alist *)dip->di_info) == NULL) ||
709 			    ((dip->di_flags & MSK_DI_FILTER) == 0))
710 				continue;
711 
712 			for (ALIST_TRAVERSE(falp, idx2, pdp)) {
713 				Aliste		idx3;
714 				Grp_hdl		*ghp;
715 				Grp_desc	*gdp;
716 
717 				if ((pdp->pd_plen == 0) ||
718 				    ((ghp = (Grp_hdl *)pdp->pd_info) == NULL))
719 					continue;
720 
721 				if (aplist_test(&ghalp, ghp, 0) ==
722 				    ALE_EXISTS)
723 					continue;
724 
725 				for (ALIST_TRAVERSE(ghp->gh_depends, idx3,
726 				    gdp)) {
727 					Rt_map	*dlmp = gdp->gd_depend;
728 
729 					if (FLAGS(dlmp) & FLG_RT_DELETE) {
730 						FLAGS(dlmp) &= ~FLG_RT_DELETE;
731 						if (--(*delcnt) == 0)
732 							return (0);
733 						rescan = 1;
734 					}
735 				}
736 
737 				/*
738 				 * Remove this group handle from our dynamic
739 				 * deletion list.
740 				 */
741 				(void) aplist_delete_value(ghalp, ghp);
742 			}
743 		}
744 	}
745 	return (rescan);
746 }
747 
748 /*
749  * Cleanup any collection alists we've created.
750  */
751 static void
752 remove_collect(APlist *ghalp, APlist *lmalp)
753 {
754 	if (ghalp)
755 		free(ghalp);
756 	if (lmalp)
757 		free(lmalp);
758 }
759 
760 /*
761  * Remove a handle, leaving the associated objects intact.  Besides the classic
762  * dlopen() usage, handles are used as a means of associating a group of objects
763  * and promoting modes.  Once object promotion is completed, the handle should
764  * be discarded while leaving the associated objects intact.  Leaving the handle
765  * would prevent the object from being deleted (as it looks like it's in use
766  * by another user).
767  */
768 void
769 free_hdl(Grp_hdl *ghp, Rt_map *clmp, uint_t cdflags)
770 {
771 	Grp_desc	*gdp;
772 	Aliste		idx;
773 
774 	if (--(ghp->gh_refcnt) == 0) {
775 		uintptr_t	ndx;
776 
777 		for (ALIST_TRAVERSE(ghp->gh_depends, idx, gdp)) {
778 			Rt_map	*lmp = gdp->gd_depend;
779 
780 			if (ghp->gh_ownlmp == lmp)
781 				(void) aplist_delete_value(HANDLES(lmp), ghp);
782 			(void) aplist_delete_value(GROUPS(lmp), ghp);
783 		}
784 		(void) free(ghp->gh_depends);
785 
786 		/* LINTED */
787 		ndx = (uintptr_t)ghp % HDLIST_SZ;
788 		(void) aplist_delete_value(hdl_alp[ndx], ghp);
789 
790 		(void) free(ghp);
791 
792 	} else if (clmp) {
793 		/*
794 		 * It's possible that an RTLD_NOW promotion (via GPD_PROMOTE)
795 		 * has associated a caller with a handle that is already in use.
796 		 * In this case, find the caller and either remove the caller
797 		 * from the handle, or if the caller is used for any other
798 		 * reason, clear the promotion flag.
799 		 */
800 		for (ALIST_TRAVERSE(ghp->gh_depends, idx, gdp)) {
801 			Rt_map	*lmp = gdp->gd_depend;
802 
803 			if (lmp != clmp)
804 				continue;
805 
806 			if (gdp->gd_flags == cdflags) {
807 				alist_delete(ghp->gh_depends, &idx);
808 				(void) aplist_delete_value(GROUPS(lmp), ghp);
809 			} else {
810 				gdp->gd_flags &= ~cdflags;
811 			}
812 			return;
813 		}
814 	}
815 }
816 
817 /*
818  * If a load operation, using a new link-map control list, has failed, then
819  * forcibly remove the failed objects.  This failure can occur as a result
820  * of a lazy load, a dlopen(), or a filtee load, once the application is
821  * running.  If the link-map control list has not yet started relocation, then
822  * cleanup is simply a process of removing all the objects from the control
823  * list.  If relocation has begun, then other loads may have been triggered to
824  * satisfy the relocations, and thus we need to break down the control list
825  * using handles.
826  *
827  * The objects associated with this load must be part of a unique handle.  In
828  * the case of a dlopen() or filtee request, a handle will have been created.
829  * For a lazyload request, a handle must be generated so that the remove
830  * process can use the handle.
831  *
832  * During the course of processing these objects, other objects (handles) may
833  * have been loaded to satisfy relocation requirements.  After these families
834  * have successfully loaded, they will have been propagated to the same link-map
835  * control list.  The failed objects need to be removed from this list, while
836  * any successfully loaded families can be left alone, and propagated to the
837  * previous link-map control list.  By associating each load request with a
838  * handle, we can isolate the failed objects while not interfering with any
839  * successfully loaded families.
840  */
841 void
842 remove_lmc(Lm_list *lml, Rt_map *clmp, Aliste lmco, const char *name)
843 {
844 	Grp_hdl		*ghp;
845 	Grp_desc	*gdp;
846 	Aliste		idx;
847 	Lm_cntl		*lmc;
848 	Rt_map		*lmp;
849 
850 	/*
851 	 * Determine the link-map control list, and whether any object has been
852 	 * added to this list.
853 	 */
854 	/* LINTED */
855 	lmc = (Lm_cntl *)alist_item_by_offset(lml->lm_lists, lmco);
856 	if (lmc->lc_head == NULL)
857 		return;
858 
859 	DBG_CALL(Dbg_file_cleanup(lml, name, lmco));
860 
861 	/*
862 	 * Obtain a handle for the first object on the link-map control list.
863 	 * If none exists (which would occur from a lazy load request), and
864 	 * the link-map control list is being relocated, create a handle.
865 	 */
866 	lmp = lmc->lc_head;
867 	if (HANDLES(lmp)) {
868 		ghp = (Grp_hdl *)HANDLES(lmp)->apl_data[0];
869 
870 	} else if (lmc->lc_flags & LMC_FLG_RELOCATING) {
871 		/*
872 		 * Establish a handle, and should anything fail, fall through
873 		 * to remove the link-map control list.
874 		 */
875 		if (((ghp = hdl_create(lml, lmc->lc_head, 0, 0,
876 		    GPD_ADDEPS, 0)) == NULL) ||
877 		    (hdl_initialize(ghp, lmc->lc_head, 0, 0) == 0))
878 			lmc->lc_flags &= ~LMC_FLG_RELOCATING;
879 	} else {
880 		ghp = NULL;
881 	}
882 
883 	/*
884 	 * If relocation hasn't begun, simply remove all the objects from this
885 	 * list, and any handle that may have been created.
886 	 */
887 	if ((lmc->lc_flags & LMC_FLG_RELOCATING) == 0) {
888 		remove_incomplete(lml, lmco);
889 
890 		if (ghp) {
891 			ghp->gh_refcnt = 1;
892 			free_hdl(ghp, 0, 0);
893 		}
894 		return;
895 	}
896 
897 	ASSERT(ghp != NULL);
898 
899 	/*
900 	 * As the objects of this handle are being forcibly removed, first
901 	 * remove any associations to objects on parent link-map control
902 	 * lists.  This breaks the bond between a caller and a hierarchy of
903 	 * dependencies represented by the handle, thus the caller doesn't lock
904 	 * the hierarchy and prevent their deletion from the generic handle
905 	 * processing or remove_hdl().
906 	 *
907 	 * This scenario can be produced when the relocation of a object
908 	 * results in vectoring through a filter that is already loaded.  The
909 	 * filtee may be on the link-map list that is presently being processed,
910 	 * however an association between the filter and filtee would have been
911 	 * established during filtee processing.  It is this association that
912 	 * must be broken to allow the objects on this link-map list to be
913 	 * removed.
914 	 */
915 	for (ALIST_TRAVERSE(ghp->gh_depends, idx, gdp)) {
916 		Rt_map	*lmp = gdp->gd_depend;
917 
918 		/*
919 		 * If this object has not been relocated, break down any
920 		 * dependency relationships the object might have established.
921 		 */
922 		if ((FLAGS(lmp) & FLG_RT_RELOCED) == 0)
923 			remove_lists(lmp, 1);
924 
925 		if (CNTL(lmp) == lmco)
926 			continue;
927 
928 		if (gdp->gd_flags & GPD_FILTER) {
929 			Dyninfo	*dip = DYNINFO(lmp);
930 			uint_t	cnt, max = DYNINFOCNT(lmp);
931 
932 			for (cnt = 0; cnt < max; cnt++, dip++) {
933 				Alist	*falp;
934 				Aliste	idx2;
935 				Pdesc	*pdp;
936 
937 				if (((falp = (Alist *)dip->di_info) == NULL) ||
938 				    ((dip->di_flags & MSK_DI_FILTER) == 0))
939 					continue;
940 
941 				for (ALIST_TRAVERSE(falp, idx2, pdp)) {
942 					if ((Grp_hdl *)pdp->pd_info == ghp) {
943 						pdp->pd_info = NULL;
944 						break;
945 					}
946 				}
947 			}
948 		}
949 		(void) aplist_delete_value(GROUPS(lmp), ghp);
950 		alist_delete(ghp->gh_depends, &idx);
951 	}
952 
953 	/*
954 	 * Having removed any callers, set the group handle reference count to
955 	 * one, and let the generic handle remover delete the associated
956 	 * objects.
957 	 */
958 	ghp->gh_refcnt = 1;
959 	(void) remove_hdl(ghp, clmp, NULL);
960 
961 	/*
962 	 * If this link-map control list still contains objects, determine the
963 	 * previous control list and move the objects.
964 	 */
965 	if (lmc->lc_head) {
966 		Lm_cntl *plmc;
967 		Aliste  plmco;
968 
969 		plmco = lmco - lml->lm_lists->al_size;
970 		/* LINTED */
971 		plmc = (Lm_cntl *)alist_item_by_offset(lml->lm_lists, plmco);
972 
973 		lm_move(lml, lmco, plmco, lmc, plmc);
974 	}
975 }
976 
977 /*
978  * Remove the objects associated with a handle.  There are two goals here, to
979  * delete the objects associated with the handle, and to remove the handle
980  * itself.  Things get a little more complex if the objects selected for
981  * deletion are filters, in this case we also need to collect their filtees,
982  * and process the combined groups as a whole.  But, care still must be exer-
983  * cised to make sure any filtees found aren't being used by filters outside of
984  * the groups we've collect.  The series of events is basically:
985  *
986  *  o	Determine the groups (handles) that might be deletable.
987  *
988  *  o	Determine the objects of these handles that can be deleted.
989  *
990  *  o	Fire the fini's of those objects selected for deletion.
991  *
992  *  o	Remove all inter-dependency linked lists while the objects link-maps
993  *	are still available.
994  *
995  *  o	Remove all deletable objects link-maps and unmap the objects themselves.
996  *
997  *  o	Remove the handle descriptors for each deleted object, and hopefully
998  *	the whole handle.
999  *
1000  * An handle that can't be deleted is added to an orphans list.  This list is
1001  * revisited any time another dlclose() request results in handle descriptors
1002  * being deleted.  These deleted descriptors can be sufficient to allow the
1003  * final deletion of the orphaned handles.
1004  */
1005 int
1006 remove_hdl(Grp_hdl *ghp, Rt_map *clmp, int *removed)
1007 {
1008 	Rt_map		*lmp;
1009 	int		rescan = 0;
1010 	int		delcnt = 0, rmcnt = 0, error = 0, orphans;
1011 	APlist		*lmalp = NULL, *ghalp = NULL;
1012 	Aliste		idx1, idx2;
1013 	Grp_hdl		*ghp2;
1014 	Grp_desc	*gdp;
1015 	Lm_list		*lml = NULL;
1016 
1017 	/*
1018 	 * Generate the family of groups and objects that are candidates for
1019 	 * deletion.  This consists of the objects that are explicitly defined
1020 	 * as dependencies of this handle, plus any filtee handles and their
1021 	 * associated objects.
1022 	 */
1023 	if (gdp_collect(&ghalp, &lmalp, ghp) == 0) {
1024 		remove_collect(ghalp, lmalp);
1025 		return (0);
1026 	}
1027 
1028 	DBG_CALL(Dbg_file_hdl_title(DBG_HDL_DELETE));
1029 
1030 	/*
1031 	 * Traverse the groups we've collected to determine if any filtees are
1032 	 * included.  If so, and the filtee handle is in use by a filter outside
1033 	 * of the family of objects collected for this deletion, it can not be
1034 	 * removed.
1035 	 */
1036 	for (APLIST_TRAVERSE(ghalp, idx1, ghp2)) {
1037 		Grp_hdl	*ghp = ghp2;
1038 
1039 		DBG_CALL(Dbg_file_hdl_collect(ghp, 0));
1040 
1041 		if ((ghp->gh_flags & GPH_FILTEE) == 0)
1042 			continue;
1043 
1044 		/*
1045 		 * Special case for ld.so.1.  There can be multiple instances of
1046 		 * libdl.so.1 using this handle, so although we want the handles
1047 		 * reference count to be decremented, we don't want the handle
1048 		 * removed.
1049 		 */
1050 		if (ghp->gh_flags & GPH_LDSO) {
1051 			DBG_CALL(Dbg_file_hdl_collect(ghp,
1052 			    NAME(lml_rtld.lm_head)));
1053 			aplist_delete(ghalp, &idx1);
1054 			continue;
1055 		}
1056 
1057 		for (ALIST_TRAVERSE(ghp->gh_depends, idx2, gdp)) {
1058 			Grp_hdl	*ghp3;
1059 			Aliste	idx3;
1060 
1061 			/*
1062 			 * Determine whether this dependency is the filtee's
1063 			 * parent filter, and that it isn't also an explicit
1064 			 * dependency (in which case it would have added its own
1065 			 * dependencies to the handle).
1066 			 */
1067 			if ((gdp->gd_flags &
1068 			    (GPD_FILTER | GPD_ADDEPS)) != GPD_FILTER)
1069 				continue;
1070 
1071 			if (aplist_test(&lmalp, gdp->gd_depend, 0) ==
1072 			    ALE_EXISTS)
1073 				continue;
1074 
1075 			/*
1076 			 * Remove this group handle from our dynamic deletion
1077 			 * list.  In addition, recompute the list of objects
1078 			 * that are candidates for deletion to continue this
1079 			 * group verification.
1080 			 */
1081 			DBG_CALL(Dbg_file_hdl_collect(ghp,
1082 			    NAME(gdp->gd_depend)));
1083 			aplist_delete(ghalp, &idx1);
1084 
1085 			free(lmalp);
1086 			lmalp = NULL;
1087 			for (APLIST_TRAVERSE(ghalp, idx3, ghp3)) {
1088 				Aliste		idx4;
1089 				Grp_desc	*gdp4;
1090 
1091 				for (ALIST_TRAVERSE(ghp3->gh_depends,
1092 				    idx4, gdp4))  {
1093 					if ((gdp4->gd_flags & GPD_ADDEPS) == 0)
1094 						continue;
1095 					if (aplist_test(&lmalp, gdp4->gd_depend,
1096 					    AL_CNT_GRPCLCT) == ALE_ALLOCFAIL) {
1097 						remove_collect(ghalp, lmalp);
1098 						return (0);
1099 					}
1100 				}
1101 			}
1102 			break;
1103 		}
1104 	}
1105 
1106 	/*
1107 	 * Now that we've collected all the handles dependencies, traverse the
1108 	 * collection determining whether they are a candidate for deletion.
1109 	 */
1110 	for (APLIST_TRAVERSE(lmalp, idx1, lmp)) {
1111 		/*
1112 		 * Establish which link-map list we're dealing with for later
1113 		 * .fini processing.
1114 		 */
1115 		if (lml == NULL)
1116 			lml = LIST(lmp);
1117 
1118 		/*
1119 		 * If an object isn't a candidate for deletion we'll have to
1120 		 * rescan the handle insuring that this objects dependencies
1121 		 * aren't deleted either.
1122 		 */
1123 		if (is_deletable(&lmalp, &ghalp, lmp)) {
1124 			FLAGS(lmp) |= FLG_RT_DELETE;
1125 			delcnt++;
1126 		} else
1127 			rescan = 1;
1128 	}
1129 
1130 	/*
1131 	 * Rescan the handle if any objects where found non-deletable.
1132 	 */
1133 	while (rescan)
1134 		rescan = remove_rescan(lmalp, ghalp, &delcnt);
1135 
1136 	/*
1137 	 * Now that we have determined the number of groups that are candidates
1138 	 * for removal, mark each group descriptor as a candidate for removal
1139 	 * from the group.
1140 	 */
1141 	for (APLIST_TRAVERSE(ghalp, idx1, ghp2)) {
1142 		for (ALIST_TRAVERSE(ghp2->gh_depends, idx2, gdp))
1143 			gdp->gd_flags |= GPD_REMOVE;
1144 	}
1145 
1146 	/*
1147 	 * Now that we know which objects on this handle can't be deleted
1148 	 * determine whether they still need to remain identified as belonging
1149 	 * to this group to be able to continue binding to one another.
1150 	 */
1151 	for (APLIST_TRAVERSE(ghalp, idx1, ghp2)) {
1152 		Grp_hdl	*ghp = ghp2;
1153 
1154 		for (ALIST_TRAVERSE(ghp->gh_depends, idx2, gdp)) {
1155 			Aliste		idx3;
1156 			Bnd_desc	*bdp;
1157 
1158 			lmp = gdp->gd_depend;
1159 
1160 			if (FLAGS(lmp) & FLG_RT_DELETE)
1161 				continue;
1162 
1163 			for (APLIST_TRAVERSE(DEPENDS(lmp), idx3, bdp)) {
1164 				Aliste 		idx4;
1165 				Grp_desc	*gdp4;
1166 				Rt_map		*dlmp = bdp->b_depend;
1167 
1168 				/*
1169 				 * If this dependency (dlmp) can be referenced
1170 				 * by the caller (clmp) without being part of
1171 				 * this group (ghp) then belonging to this group
1172 				 * is no longer necessary.  This can occur when
1173 				 * objects are part of multiple handles, or if a
1174 				 * previously deleted handle was moved to the
1175 				 * orphan list and has been reopened.  Note,
1176 				 * first make sure the caller can reference the
1177 				 * dependency with this group, if it can't we
1178 				 * must be bound to a filtee, so there's no need
1179 				 * to remain a part of this group either.
1180 				 */
1181 				if ((callable(lmp, dlmp, 0, 0) == 0) ||
1182 				    callable(lmp, dlmp, ghp, 0))
1183 					continue;
1184 
1185 				if (gdp->gd_flags & GPD_REMOVE)
1186 					gdp->gd_flags &= ~GPD_REMOVE;
1187 
1188 				for (ALIST_TRAVERSE(ghp->gh_depends,
1189 				    idx4, gdp4)) {
1190 					if (gdp4->gd_depend != dlmp)
1191 						continue;
1192 
1193 					if (gdp4->gd_flags & GPD_REMOVE)
1194 						gdp4->gd_flags &= ~GPD_REMOVE;
1195 				}
1196 			}
1197 		}
1198 	}
1199 
1200 	/*
1201 	 * If the owner of a handle can't be deleted and it's handle descriptor
1202 	 * must remain also, don't delete the handle at all.  Leave it for
1203 	 * possible later use.  Although it's left intact, it will still be
1204 	 * moved to the orphans list, as we might be able to revisit it on later
1205 	 * dlclose() operations and finally remove the underlying objects.  Note
1206 	 * that the handle still remains attached to the owner via the HANDLES
1207 	 * list, so that it can be re-associated to the owner if a dlopen()
1208 	 * of this object reoccurs.
1209 	 */
1210 	for (APLIST_TRAVERSE(ghalp, idx1, ghp2)) {
1211 		Grp_hdl	*ghp = ghp2;
1212 
1213 		/*
1214 		 * If this handle is already an orphan, or if it's owner is
1215 		 * deletable there's no need to inspect its dependencies.
1216 		 */
1217 		if ((ghp->gh_ownlmp == NULL) ||
1218 		    (FLAGS(ghp->gh_ownlmp) & FLG_RT_DELETE))
1219 			continue;
1220 
1221 		/*
1222 		 * Make sure all handle dependencies aren't removed or the
1223 		 * dependencies themselves aren't deleted.
1224 		 */
1225 		for (ALIST_TRAVERSE(ghp->gh_depends, idx2, gdp)) {
1226 			lmp = gdp->gd_depend;
1227 
1228 			/*
1229 			 * The first dependency of a non-orphaned handle is the
1230 			 * owner.  If the handle descriptor for this isn't
1231 			 * required there's no need to look at any other of the
1232 			 * handles dependencies.
1233 			 */
1234 			if ((lmp == ghp->gh_ownlmp) &&
1235 			    (gdp->gd_flags & GPD_REMOVE))
1236 				break;
1237 
1238 			if (gdp->gd_flags & GPD_REMOVE)
1239 				gdp->gd_flags &= ~GPD_REMOVE;
1240 			if (FLAGS(lmp) & FLG_RT_DELETE) {
1241 				FLAGS(lmp) &= ~FLG_RT_DELETE;
1242 				delcnt--;
1243 			}
1244 		}
1245 	}
1246 
1247 	/*
1248 	 * Final scan of objects to see if any objects are to to be deleted.
1249 	 * Also - display diagnostic information on what operations are to be
1250 	 * performed on the collected handles before firing .fini's (which
1251 	 * produces additional diagnostics).
1252 	 */
1253 	for (APLIST_TRAVERSE(ghalp, idx1, ghp2)) {
1254 		Grp_hdl	*ghp = ghp2;
1255 
1256 		DBG_CALL(Dbg_file_hdl_title(DBG_HDL_DELETE));
1257 
1258 		for (ALIST_TRAVERSE(ghp->gh_depends, idx2, gdp)) {
1259 			int	flag;
1260 
1261 			lmp = gdp->gd_depend;
1262 
1263 			/*
1264 			 * Note, we must never delete a parent.  The parent
1265 			 * may already be tagged for deletion from a previous
1266 			 * dlclose(). That dlclose has triggered this dlclose(),
1267 			 * but the parents deletion is the responsibility of the
1268 			 * previous dlclose(), not this one.
1269 			 */
1270 			if ((FLAGS(lmp) & FLG_RT_DELETE) &&
1271 			    ((gdp->gd_flags & GPD_PARENT) == 0)) {
1272 				flag = DBG_DEP_DELETE;
1273 
1274 				/*
1275 				 * Remove any pathnames from the FullpathNode
1276 				 * AVL tree.  As we're about to fire .fini's,
1277 				 * it's possible this object will be required
1278 				 * again, in which case we want to make sure a
1279 				 * new version of the object gets loaded.
1280 				 */
1281 				if (FPNODE(lmp))
1282 					fpavl_remove(lmp);
1283 			} else if (gdp->gd_flags & GPD_REMOVE)
1284 				flag = DBG_DEP_REMOVE;
1285 			else
1286 				flag = DBG_DEP_REMAIN;
1287 
1288 			DBG_CALL(Dbg_file_hdl_action(ghp, lmp, flag, 0));
1289 		}
1290 	}
1291 
1292 	/*
1293 	 * If there are objects to be deleted process their .fini's.
1294 	 */
1295 	if (delcnt) {
1296 		Rt_map	**tobj;
1297 
1298 		/*
1299 		 * If we're being audited tell the audit library that we're
1300 		 * about to go deleting dependencies.
1301 		 */
1302 		if (clmp && ((LIST(clmp)->lm_tflags | AFLAGS(clmp)) &
1303 		    LML_TFLG_AUD_ACTIVITY))
1304 			audit_activity(clmp, LA_ACT_DELETE);
1305 
1306 		/*
1307 		 * Sort and fire all fini's of the objects selected for
1308 		 * deletion.  Note that we have to start our search from the
1309 		 * link-map head - there's no telling whether this object has
1310 		 * dependencies on objects that were loaded before it and which
1311 		 * can now be deleted.  If the tsort() fails because of an
1312 		 * allocation error then that might just be a symptom of why
1313 		 * we're here in the first place - forgo the fini's but
1314 		 * continue to try cleaning up.
1315 		 */
1316 		lml->lm_flags |= LML_FLG_OBJDELETED;
1317 
1318 		if (((tobj = tsort(lml->lm_head, delcnt,
1319 		    (RT_SORT_DELETE | RT_SORT_FWD))) != NULL) &&
1320 		    (tobj != (Rt_map **)S_ERROR)) {
1321 			error = purge_exit_handlers(lml, tobj);
1322 			call_fini(lml, tobj);
1323 		}
1324 
1325 		/*
1326 		 * Audit the closure of the dlopen'ed object to any local
1327 		 * auditors.  Any global auditors would have been caught by
1328 		 * call_fini(), but as the link-maps CALLERS was removed
1329 		 * already we do the local auditors explicitly.
1330 		 */
1331 		for (APLIST_TRAVERSE(ghalp, idx1, ghp2)) {
1332 			Grp_hdl	*ghp = ghp2;
1333 			Rt_map	*dlmp = ghp->gh_ownlmp;
1334 
1335 			if (clmp && dlmp &&
1336 			    ((LIST(dlmp)->lm_flags & LML_FLG_NOAUDIT) == 0) &&
1337 			    (AFLAGS(clmp) & LML_TFLG_AUD_OBJCLOSE))
1338 				_audit_objclose(&(AUDITORS(clmp)->ad_list),
1339 				    dlmp);
1340 		}
1341 	}
1342 
1343 	/*
1344 	 * Now that .fini processing (which may have involved new bindings)
1345 	 * is complete, remove all inter-dependency lists from those objects
1346 	 * selected for deletion.
1347 	 */
1348 	for (APLIST_TRAVERSE(lmalp, idx1, lmp)) {
1349 		Dyninfo	*dip;
1350 		uint_t	cnt, max;
1351 
1352 		if (FLAGS(lmp) & FLG_RT_DELETE)
1353 			remove_lists(lmp, 0);
1354 
1355 		/*
1356 		 * Determine whether we're dealing with a filter, and if so
1357 		 * process any inter-dependencies with its filtee's.
1358 		 */
1359 		if ((FLAGS1(lmp) & MSK_RT_FILTER) == 0)
1360 			continue;
1361 
1362 		dip = DYNINFO(lmp);
1363 		max = DYNINFOCNT(lmp);
1364 
1365 		for (cnt = 0; cnt < max; cnt++, dip++) {
1366 			Alist	*falp;
1367 			Aliste	idx2;
1368 			Pdesc	*pdp;
1369 
1370 			if (((falp = (Alist *)dip->di_info) == NULL) ||
1371 			    ((dip->di_flags & MSK_DI_FILTER) == 0))
1372 				continue;
1373 
1374 			for (ALIST_TRAVERSE(falp, idx2, pdp)) {
1375 				Grp_hdl	*ghp;
1376 
1377 				if ((pdp->pd_plen == 0) ||
1378 				    ((ghp = (Grp_hdl *)pdp->pd_info) == NULL))
1379 					continue;
1380 
1381 				/*
1382 				 * Determine whether this filtee's handle is a
1383 				 * part of the list of handles being deleted.
1384 				 */
1385 				if (aplist_test(&ghalp, ghp, 0) == ALE_EXISTS) {
1386 					/*
1387 					 * If this handle exists on the deletion
1388 					 * list, then it has been removed.  If
1389 					 * this filter isn't going to be
1390 					 * deleted, sever its reference to the
1391 					 * handle.
1392 					 */
1393 					pdp->pd_info = NULL;
1394 				} else {
1395 					/*
1396 					 * If this handle isn't on the deletion
1397 					 * list, then it must still exist.  If
1398 					 * this filter is being deleted, make
1399 					 * sure the filtees reference count
1400 					 * gets decremented.
1401 					 */
1402 					if ((FLAGS(lmp) & FLG_RT_DELETE) &&
1403 					    ((gdp->gd_flags &
1404 					    GPD_PARENT) == 0)) {
1405 						(void) dlclose_core(ghp,
1406 						    lmp, lml);
1407 					}
1408 				}
1409 			}
1410 		}
1411 	}
1412 
1413 	/*
1414 	 * If called from dlclose(), determine if there are already handles on
1415 	 * the orphans list that we can reinvestigate.
1416 	 */
1417 	if ((removed == 0) && aplist_nitems(hdl_alp[HDLIST_ORP]))
1418 		orphans = 1;
1419 	else
1420 		orphans = 0;
1421 
1422 	/*
1423 	 * Finally remove any handle infrastructure and remove any objects
1424 	 * marked for deletion.
1425 	 */
1426 	for (APLIST_TRAVERSE(ghalp, idx1, ghp2)) {
1427 		Grp_hdl	*ghp = ghp2;
1428 
1429 		/*
1430 		 * If we're not dealing with orphaned handles remove this handle
1431 		 * from its present handle list.
1432 		 */
1433 		if (removed == 0) {
1434 			uintptr_t ndx;
1435 
1436 			/* LINTED */
1437 			ndx = (uintptr_t)ghp % HDLIST_SZ;
1438 			(void) aplist_delete_value(hdl_alp[ndx], ghp);
1439 		}
1440 
1441 		/*
1442 		 * Traverse each handle dependency.  Retain the dependencies
1443 		 * flags to insure we don't delete any parents (the flags
1444 		 * information is deleted as part of the alist removal that
1445 		 * occurs before we inspect the object for deletion).
1446 		 */
1447 		for (ALIST_TRAVERSE(ghp->gh_depends, idx2, gdp)) {
1448 			uint_t	flags = gdp->gd_flags;
1449 
1450 			if ((flags & GPD_REMOVE) == 0)
1451 				continue;
1452 
1453 			lmp = gdp->gd_depend;
1454 			rmcnt++;
1455 
1456 			/*
1457 			 * If this object is the owner of the handle break that
1458 			 * association in case the handle is retained.
1459 			 */
1460 			if (ghp->gh_ownlmp == lmp) {
1461 				(void) aplist_delete_value(HANDLES(lmp), ghp);
1462 				ghp->gh_ownlmp = NULL;
1463 			}
1464 
1465 			(void) aplist_delete_value(GROUPS(lmp), ghp);
1466 			alist_delete(ghp->gh_depends, &idx2);
1467 
1468 			/*
1469 			 * Complete the link-map deletion if appropriate.
1470 			 */
1471 			if ((FLAGS(lmp) & FLG_RT_DELETE) &&
1472 			    ((flags & GPD_PARENT) == 0)) {
1473 				tls_modaddrem(lmp, TM_FLG_MODREM);
1474 				remove_so(LIST(lmp), lmp);
1475 			}
1476 		}
1477 
1478 		/*
1479 		 * If we've deleted all the dependencies of the handle, finalize
1480 		 * the cleanup by removing the handle itself.
1481 		 *
1482 		 * Otherwise we're left with a handle containing one or more
1483 		 * objects that can not be deleted (they're in use by other
1484 		 * handles, non-deletable, etc.), but require to remain a part
1485 		 * of this group to allow them to continue binding to one
1486 		 * another.
1487 		 *
1488 		 * If the handles reference count is zero, or represents a
1489 		 * link-map list (dlopen(0)), then move that handle to the
1490 		 * orphans list.  Should another dlclose() operation occur that
1491 		 * results in the removal of handle descriptors, these orphan
1492 		 * handles are re-examined to determine if their deletion can
1493 		 * be completed.
1494 		 */
1495 		if (ghp->gh_depends->al_nitems == 0) {
1496 			free(ghp->gh_depends);
1497 			free(ghp);
1498 
1499 		} else if ((ghp->gh_refcnt == 0) &&
1500 		    ((ghp->gh_flags & GPH_ZERO) == 0)) {
1501 			/*
1502 			 * Move this handle to the orphans list.
1503 			 */
1504 			(void) aplist_append(&hdl_alp[HDLIST_ORP], ghp,
1505 			    AL_CNT_HANDLES);
1506 
1507 			if (DBG_ENABLED) {
1508 				DBG_CALL(Dbg_file_hdl_title(DBG_HDL_ORPHAN));
1509 				for (ALIST_TRAVERSE(ghp->gh_depends, idx1, gdp))
1510 					DBG_CALL(Dbg_file_hdl_action(ghp,
1511 					    gdp->gd_depend, DBG_DEP_ORPHAN, 0));
1512 			}
1513 		}
1514 	}
1515 
1516 	/*
1517 	 * If no handle descriptors got removed there's no point in looking for
1518 	 * orphans to process.
1519 	 */
1520 	if (rmcnt == 0)
1521 		orphans = 0;
1522 
1523 	/*
1524 	 * Cleanup any alists we've created.
1525 	 */
1526 	remove_collect(ghalp, lmalp);
1527 
1528 	/*
1529 	 * If orphan processing isn't required we're done.  If our processing
1530 	 * originated from investigating orphans, return the number of handle
1531 	 * descriptors removed as an indication whether orphan processing
1532 	 * should continue.
1533 	 */
1534 	if (orphans == 0) {
1535 		if (removed)
1536 			*removed = rmcnt;
1537 		return (error);
1538 	}
1539 
1540 	/*
1541 	 * Traverse the orphans list as many times as necessary until no
1542 	 * handle removals occur.
1543 	 */
1544 	do {
1545 		APlist		*alp;
1546 		Aliste		idx;
1547 		Grp_hdl		*ghp, *oghp = NULL;
1548 		int		title = 0;
1549 
1550 		/*
1551 		 * Effectively clean the HDLIST_ORP list.  Any object that can't
1552 		 * be removed will be re-added to the list.
1553 		 */
1554 		alp = hdl_alp[HDLIST_ORP];
1555 		hdl_alp[HDLIST_ORP] = NULL;
1556 
1557 		rescan = 0;
1558 		for (APLIST_TRAVERSE(alp, idx, ghp)) {
1559 			int	_error, _remove;
1560 
1561 			if (title++ == 0)
1562 				DBG_CALL(Dbg_file_del_rescan(ghp->gh_ownlml));
1563 
1564 			if (oghp) {
1565 				(void) aplist_delete_value(alp, oghp);
1566 				oghp = NULL;
1567 			}
1568 
1569 			if (((_error = remove_hdl(ghp, clmp, &_remove)) != 0) &&
1570 			    (error == 0))
1571 				error = _error;
1572 
1573 			if (_remove)
1574 				rescan++;
1575 
1576 			oghp = ghp;
1577 		}
1578 		if (oghp) {
1579 			(void) aplist_delete_value(alp, oghp);
1580 			oghp = NULL;
1581 		}
1582 		if (alp)
1583 			free((void *)alp);
1584 
1585 	} while (rescan && aplist_nitems(hdl_alp[HDLIST_ORP]));
1586 
1587 	return (error);
1588 }
1589