xref: /titanic_52/usr/src/cmd/sgs/rtld/common/remove.c (revision 10db1377dafab8ba3feedef26db9c5d8539a5cd1)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * Remove objects.  Objects need removal from a process as part of:
26  *
27  *  o	a dlclose() request
28  *
29  *  o	tearing down a dlopen(), lazy-load, or filter hierarchy that failed to
30  *	completely load
31  *
32  * Any other failure condition will result in process exit (in which case all
33  * we have to do is execute the fini's - tear down is unnecessary).
34  *
35  * Any removal of objects is therefore associated with a dlopen() handle.  There
36  * is a small window between creation of the first dlopen() object and creating
37  * its handle (in which case remove_so() can get rid of the new link-map if
38  * necessary), but other than this all object removal is driven by inspecting
39  * the components of a handle.
40  *
41  * Things to note.  The creation of a link-map, and its addition to the link-map
42  * list occurs in {elf|aout}_new_lm(), if this returns success the link-map is
43  * valid and added, otherwise any steps (allocations) in the process of creating
44  * the link-map would have been undone.  If a failure occurs between creating
45  * the link-map and adding it to a handle, remove_so() is called to remove the
46  * link-map.  If a failures occurs after a handle have been created,
47  * remove_hdl() is called to remove the handle and the link-map.
48  */
49 #pragma ident	"%Z%%M%	%I%	%E% SMI"
50 
51 #include	"_synonyms.h"
52 
53 #include	<string.h>
54 #include	<stdio.h>
55 #include	<unistd.h>
56 #include	<dlfcn.h>
57 #include	<sys/debug.h>
58 #include	<sys/avl.h>
59 #include	<libc_int.h>
60 #include	<debug.h>
61 #include	"_rtld.h"
62 #include	"_audit.h"
63 #include	"_elf.h"
64 #include	"msg.h"
65 
66 /*
67  * Atexit callback provided by libc.  As part of dlclose() determine the address
68  * ranges of all objects that are to be deleted.  Pass this information to
69  * libc's pre-atexit routine.  Libc will purge any registered atexit() calls
70  * related to those objects about to be deleted.
71  */
72 static int
73 purge_exit_handlers(Lm_list *lml, Rt_map **tobj)
74 {
75 	uint_t			num;
76 	Rt_map			**_tobj;
77 	Lc_addr_range_t		*addr, *_addr;
78 	int			error;
79 
80 	/*
81 	 * Has a callback been established?
82 	 */
83 	if (lml->lm_peh == 0)
84 		return (0);
85 
86 	/*
87 	 * Determine the total number of mapped segments that will be unloaded.
88 	 */
89 	for (num = 0, _tobj = tobj; *_tobj != NULL; _tobj++) {
90 		Rt_map *	lmp = *_tobj;
91 
92 		num += MMAPCNT(lmp);
93 	}
94 
95 	/*
96 	 * Account for a null entry at the end of the address range array.
97 	 */
98 	if (num++ == 0)
99 		return (0);
100 
101 	/*
102 	 * Allocate an array for the address range.
103 	 */
104 	if ((addr = malloc(num * sizeof (Lc_addr_range_t))) == 0)
105 		return (1);
106 
107 	/*
108 	 * Fill the address range with each loadable segments size and address.
109 	 */
110 	for (_tobj = tobj, _addr = addr; *_tobj != NULL; _tobj++) {
111 		Rt_map	*lmp = *_tobj;
112 		Mmap	*mmaps;
113 
114 		for (mmaps = MMAPS(lmp); mmaps->m_vaddr; mmaps++) {
115 			_addr->lb = (void *)mmaps->m_vaddr;
116 			_addr->ub = (void *)(mmaps->m_vaddr + mmaps->m_msize);
117 			_addr++;
118 		}
119 	}
120 	_addr->lb = _addr->ub = 0;
121 
122 	leave(LIST(*tobj));
123 
124 	error = (* lml->lm_peh)(addr, (num - 1));
125 
126 	(void) enter();
127 
128 	/*
129 	 * If we fail to converse with libc, generate an error message to
130 	 * satisfy any dlerror() usage.
131 	 */
132 	if (error)
133 		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_ARG_ATEXIT), error);
134 
135 	free(addr);
136 	return (error);
137 }
138 
139 /*
140  * Remove any rejection message allocations.
141  */
142 void
143 remove_rej(Rej_desc * rej)
144 {
145 	if (rej && (rej->rej_type)) {
146 		if (rej->rej_name)
147 			free((void *)rej->rej_name);
148 		if (rej->rej_str && (rej->rej_str != MSG_ORIG(MSG_EMG_ENOMEM)))
149 			free((void *)rej->rej_str);
150 	}
151 }
152 
153 /*
154  * Break down a Pnode list.
155  */
156 void
157 remove_pnode(Pnode * pnp)
158 {
159 	Pnode *	opnp;
160 
161 	for (opnp = 0; pnp; opnp = pnp, pnp = pnp->p_next) {
162 		if (pnp->p_name)
163 			free((void *)pnp->p_name);
164 		if (pnp->p_oname)
165 			free((void *)pnp->p_oname);
166 		if (opnp)
167 			free((void *)opnp);
168 	}
169 	if (opnp)
170 		free((void *)opnp);
171 }
172 
173 
174 /*
175  * Remove a link-map list descriptor.  This is called to finalize the removal
176  * of an entire link-map list, after all link-maps have been removed, or none
177  * got added.  As load_one() can process a list of potential candidates objects,
178  * the link-map descriptor must be maintained as each object is processed.  Only
179  * after all objects have been processed can a failure condition finally tear
180  * down the link-map list descriptor.
181  */
182 void
183 remove_lml(Lm_list *lml)
184 {
185 	if (lml && (lml->lm_head == 0)) {
186 		if (lml->lm_lmidstr)
187 			free(lml->lm_lmidstr);
188 		if (lml->lm_alp)
189 			free(lml->lm_alp);
190 		if (lml->lm_lists)
191 			free(lml->lm_lists);
192 
193 		/*
194 		 * Cleanup rtldinfo in the case where it was allocated but
195 		 * not called (see _relocate_so()).
196 		 */
197 		if (lml->lm_rtldinfo)
198 			free(lml->lm_rtldinfo);
199 		if (lml->lm_fpavl) {
200 			/*
201 			 * As we are freeing the link-map list, all nodes must
202 			 * have previously been removed.
203 			 */
204 			ASSERT(avl_numnodes(lml->lm_fpavl) == 0);
205 			free(lml->lm_fpavl);
206 		}
207 		list_delete(&dynlm_list, lml);
208 		free(lml);
209 	}
210 }
211 
212 /*
213  * Remove a link-map.  This removes a link-map from its associated list and
214  * free's up the link-map itself.  Note, all components that are freed are local
215  * to the link-map, no inter-link-map lists are operated on as these are all
216  * broken down by dlclose() while all objects are still mapped.
217  *
218  * This routine is called from dlclose() to zap individual link-maps after their
219  * interdependencies (DEPENDS(), CALLER(), handles, etc.) have been removed.
220  * This routine is also called from the bowels of load_one() in the case of a
221  * link-map creation failure.
222  */
223 void
224 remove_so(Lm_list *lml, Rt_map *lmp)
225 {
226 	Dyninfo *dip;
227 
228 	if (lmp == 0)
229 		return;
230 
231 	/*
232 	 * Unlink the link map from the link-map list.
233 	 */
234 	if (lml && lmp)
235 		lm_delete(lml, lmp);
236 
237 	/*
238 	 * If this object contributed the preexec_exit_handler() routine for
239 	 * the current link-map list, mark the list as no-longer containing a
240 	 * preexec_exit_handler() routine.
241 	 */
242 	if (lml && (lml->lm_peh_lmp == lmp)) {
243 		lml->lm_peh = 0;
244 		lml->lm_peh_lmp = 0;
245 	}
246 
247 	DBG_CALL(Dbg_file_delete(lmp));
248 
249 	/*
250 	 * Unmap the object.
251 	 */
252 	LM_UNMAP_SO(lmp)(lmp);
253 
254 	/*
255 	 * Remove any FullpathNode AVL names if they still exist.
256 	 */
257 	if (FPNODE(lmp))
258 		fpavl_remove(lmp);
259 
260 	/*
261 	 * Remove any alias names.
262 	 */
263 	if (ALIAS(lmp)) {
264 		Aliste	off;
265 		char **	cpp;
266 
267 		for (ALIST_TRAVERSE(ALIAS(lmp), off, cpp))
268 			free(*cpp);
269 		free(ALIAS(lmp));
270 	}
271 
272 	/*
273 	 * Free the various names, as these were duplicated so that they were
274 	 * available in core files.
275 	 * The original name is set to the pathname by default (see fullpath()),
276 	 * but is overridden if the file is an alternative.  The pathname is set
277 	 * to the name by default (see [aout|elf]_new_lm()), but is overridden
278 	 * if the fullpath/resolve path differs (see fullpath()).  The original
279 	 * name is always duplicated, as it typically exists as a text string
280 	 * (see DT_NEEDED pointer) or was passed in from user code.
281 	 */
282 	if (ORIGNAME(lmp) != PATHNAME(lmp))
283 		free(ORIGNAME(lmp));
284 	if (PATHNAME(lmp) != NAME(lmp))
285 		free(PATHNAME(lmp));
286 	free(NAME(lmp));
287 
288 	/*
289 	 * Remove any of this objects filtee infrastructure.  The filtees them-
290 	 * selves have already been removed.
291 	 */
292 	if (((dip = DYNINFO(lmp)) != 0) && (FLAGS1(lmp) & MSK_RT_FILTER)) {
293 		uint_t	cnt, max = DYNINFOCNT(lmp);
294 
295 		for (cnt = 0; cnt < max; cnt++, dip++) {
296 			if (dip->di_info && (dip->di_flags & MSK_DI_FILTER))
297 				remove_pnode((Pnode *)dip->di_info);
298 		}
299 	}
300 	if (dip)
301 		free(DYNINFO(lmp));
302 
303 	/*
304 	 * Deallocate any remaining cruft and free the link-map.
305 	 */
306 	if (RLIST(lmp))
307 		remove_pnode(RLIST(lmp));
308 
309 	if (REFNAME(lmp))
310 		free(REFNAME(lmp));
311 	if (ELFPRV(lmp))
312 		free(ELFPRV(lmp));
313 	if (AUDITORS(lmp))
314 		audit_desc_cleanup(AUDITORS(lmp), lmp);
315 	if (AUDINFO(lmp))
316 		audit_info_cleanup(AUDINFO(lmp));
317 
318 	if (CONDVAR(lmp))
319 		free(CONDVAR(lmp));
320 	if (COPY(lmp))
321 		free(COPY(lmp));
322 	if (MMAPS(lmp))
323 		free(MMAPS(lmp));
324 
325 	/*
326 	 * During a dlclose() any groups this object was a part of will have
327 	 * been torn down.  However, we can get here to remove an object that
328 	 * has failed to load, perhaps because its addition to a handle failed.
329 	 * Therefore if this object indicates that its part of a group tear
330 	 * these associations down.
331 	 */
332 	if (GROUPS(lmp)) {
333 		Aliste		off1;
334 		Grp_hdl **	ghpp;
335 
336 		for (ALIST_TRAVERSE(GROUPS(lmp), off1, ghpp)) {
337 			Grp_hdl *	ghp = *ghpp;
338 			Grp_desc *	gdp;
339 			Aliste		off2;
340 
341 			for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
342 				if (gdp->gd_depend != lmp)
343 					continue;
344 
345 				(void) alist_delete(ghp->gh_depends, 0, &off2);
346 				break;
347 			}
348 		}
349 		free(GROUPS(lmp));
350 	}
351 	if (HANDLES(lmp))
352 		free(HANDLES(lmp));
353 
354 	/*
355 	 * Clean up reglist if needed
356 	 */
357 	if (reglist != (Reglist *)0) {
358 		Reglist *	cur, * prv, * del;
359 
360 		cur = prv = reglist;
361 		while (cur != (Reglist *)0) {
362 			if (cur->rl_lmp == lmp) {
363 				del = cur;
364 				if (cur == reglist) {
365 					reglist = cur->rl_next;
366 					cur = prv = reglist;
367 				} else {
368 					prv->rl_next = cur->rl_next;
369 					cur = cur->rl_next;
370 				}
371 				free(del);
372 			} else {
373 				prv = cur;
374 				cur = cur->rl_next;
375 			}
376 		}
377 	}
378 
379 	free(lmp);
380 }
381 
382 
383 /*
384  * Traverse an objects dependency list removing callers and dependencies.
385  * There's a chicken and egg problem with tearing down link-maps.  Any
386  * relationship between link-maps is maintained on a DEPENDS, and associated
387  * CALLERS list.  These lists can't be broken down at the time a single link-
388  * map is removed as any related link-map may have already been removed.  Thus,
389  * lists between link-maps must be broken down before the individual link-maps
390  * themselves.
391  */
392 void
393 remove_lists(Rt_map * lmp, int lazy)
394 {
395 	Aliste		off1;
396 	Bnd_desc **	bdpp;
397 
398 	/*
399 	 * First, traverse this objects dependencies.
400 	 */
401 	for (ALIST_TRAVERSE(DEPENDS(lmp), off1, bdpp)) {
402 		Bnd_desc *	bdp = *bdpp;
403 		Rt_map *	dlmp = bdp->b_depend;
404 
405 		/*
406 		 * Remove this object from the dependencies callers.
407 		 */
408 		(void) alist_delete(CALLERS(dlmp), &bdp, 0);
409 		free(bdp);
410 	}
411 	if (DEPENDS(lmp)) {
412 		free(DEPENDS(lmp));
413 		DEPENDS(lmp) = 0;
414 	}
415 
416 	/*
417 	 * Second, traverse this objects callers.
418 	 */
419 	for (ALIST_TRAVERSE(CALLERS(lmp), off1,  bdpp)) {
420 		Bnd_desc *	bdp = *bdpp;
421 		Rt_map *	clmp = bdp->b_caller;
422 
423 		/*
424 		 * If we're removing an object that was triggered by a lazyload,
425 		 * remove the callers DYNINFO() entry and bump the lazy counts.
426 		 * This reinitialization of the lazy information allows a lazy
427 		 * object to be reloaded again later.  Although we may be
428 		 * breaking down a group of lazyloaded objects because one has
429 		 * failed to relocate, it's possible that one or more of the
430 		 * individual objects can be reloaded without a problem.
431 		 */
432 		if (lazy) {
433 			Dyninfo *	dip;
434 
435 			if ((dip = DYNINFO(clmp)) != 0) {
436 				uint_t	cnt, max = DYNINFOCNT(clmp);
437 
438 				for (cnt = 0; cnt < max; cnt++, dip++) {
439 					if ((dip->di_flags &
440 					    FLG_DI_NEEDED) == 0)
441 						continue;
442 
443 					if (dip->di_info == (void *)lmp) {
444 						dip->di_info = 0;
445 
446 						if (LAZY(clmp)++ == 0)
447 							LIST(clmp)->lm_lazy++;
448 					}
449 				}
450 			}
451 		}
452 
453 		(void) alist_delete(DEPENDS(clmp), &bdp, 0);
454 		free(bdp);
455 	}
456 	if (CALLERS(lmp)) {
457 		free(CALLERS(lmp));
458 		CALLERS(lmp) = 0;
459 	}
460 }
461 
462 /*
463  * Delete any temporary link-map control list.
464  */
465 void
466 remove_cntl(Lm_list *lml, Aliste lmco)
467 {
468 	if (lmco && (lmco != ALO_DATA)) {
469 		Aliste	_lmco = lmco;
470 #if	DEBUG
471 		Lm_cntl	*lmc = (Lm_cntl *)((char *)lml->lm_lists + lmco);
472 
473 		/*
474 		 * This element should be empty.
475 		 */
476 		ASSERT(lmc->lc_head == 0);
477 #endif
478 		(void) alist_delete(lml->lm_lists, 0, &_lmco);
479 	}
480 }
481 
482 /*
483  * If a lazy loaded object, or filtee fails to load, possibly because it, or
484  * one of its dependencies can't be relocated, then tear down any objects
485  * that are apart of this link-map control list.
486  */
487 void
488 remove_incomplete(Lm_list *lml, Aliste lmco)
489 {
490 	Rt_map	*lmp;
491 	Lm_cntl	*lmc;
492 
493 	/* LINTED */
494 	lmc = (Lm_cntl *)((char *)lml->lm_lists + lmco);
495 
496 	/*
497 	 * First, remove any lists that may point between objects.
498 	 */
499 	for (lmp = lmc->lc_head; lmp; lmp = (Rt_map *)NEXT(lmp))
500 		remove_lists(lmp, 1);
501 
502 	/*
503 	 * Finally, remove each object.  remove_so() calls lm_delete(), thus
504 	 * effectively the link-map control head gets updated to point to the
505 	 * next link-map.
506 	 */
507 	while ((lmp = lmc->lc_head) != 0)
508 		remove_so(lml, lmp);
509 
510 	lmc->lc_head = lmc->lc_tail = 0;
511 }
512 
513 /*
514  * Determine whether an object is deletable.
515  */
516 int
517 is_deletable(Alist ** lmalp, Alist ** ghalp, Rt_map * lmp)
518 {
519 	Aliste		off;
520 	Bnd_desc **	bdpp;
521 	Grp_hdl **	ghpp;
522 
523 	/*
524 	 * If the object hasn't yet been relocated take this as a sign that
525 	 * it's loading failed, thus we're here to cleanup.  If the object is
526 	 * relocated it will only be retained if it was marked non-deletable,
527 	 * and exists on the main link-map control list.
528 	 */
529 	if ((FLAGS(lmp) & FLG_RT_RELOCED) &&
530 	    (MODE(lmp) & RTLD_NODELETE) && (CNTL(lmp) == ALO_DATA))
531 		return (0);
532 
533 	/*
534 	 * If this object is the head of a handle that has not been captured as
535 	 * a candidate for deletion, then this object is in use from a dlopen()
536 	 * outside of the scope of this dlclose() family.  Dlopen'ed objects,
537 	 * and filtees, have group descriptors for their callers.  Typically
538 	 * this parent will have callers that are not apart of this dlclose()
539 	 * family, and thus would be caught by the CALLERS test below.  However,
540 	 * if the caller had itself been dlopen'ed, it may not have any explicit
541 	 * callers registered for itself.  Thus, but looking for objects with
542 	 * handles we can ferret out these outsiders.
543 	 */
544 	for (ALIST_TRAVERSE(HANDLES(lmp), off, ghpp)) {
545 		if (alist_test(ghalp, *ghpp,
546 		    sizeof (Grp_hdl *), 0) != ALE_EXISTS)
547 			return (0);
548 	}
549 
550 	/*
551 	 * If this object is called by any object outside of the family of
552 	 * objects selected for deletion, it can't be deleted.
553 	 */
554 	for (ALIST_TRAVERSE(CALLERS(lmp), off, bdpp)) {
555 		if (alist_test(lmalp, (*bdpp)->b_caller,
556 		    sizeof (Rt_map *), 0) != ALE_EXISTS)
557 			return (0);
558 	}
559 
560 	/*
561 	 * This object is a candidate for deletion.
562 	 */
563 	return (1);
564 }
565 
566 /*
567  * Collect the groups (handles) and associated objects that are candidates for
568  * deletion.  The criteria for deleting an object is whether it is only refer-
569  * enced from the objects within the groups that are candidates for deletion.
570  */
571 static int
572 gdp_collect(Alist **ghalpp, Alist **lmalpp, Grp_hdl *ghp1)
573 {
574 	Aliste		off;
575 	Grp_desc	*gdp;
576 	int		action;
577 
578 	/*
579 	 * Add this group to our group collection.  If it isn't added either an
580 	 * allocation has failed, or it already exists.
581 	 */
582 	if ((action = alist_test(ghalpp, ghp1, sizeof (Grp_hdl *),
583 	    AL_CNT_GRPCLCT)) != ALE_CREATE)
584 		return (action);
585 
586 	/*
587 	 * Traverse the dependencies of the group and collect the associated
588 	 * objects.
589 	 */
590 	for (ALIST_TRAVERSE(ghp1->gh_depends, off, gdp)) {
591 		Rt_map *	lmp = gdp->gd_depend;
592 
593 		/*
594 		 * We only want to process dependencies for deletion.  Although
595 		 * we want to purge group descriptors for parents, we don't want
596 		 * to analyze the parent itself for additional filters or
597 		 * deletion.
598 		 */
599 		if ((gdp->gd_flags & GPD_ADDEPS) == 0)
600 			continue;
601 
602 		if ((action = alist_test(lmalpp, lmp, sizeof (Rt_map *),
603 		    AL_CNT_GRPCLCT)) == 0)
604 			return (0);
605 		if (action == ALE_EXISTS)
606 			continue;
607 
608 		/*
609 		 * If this object hasn't yet been relocated take this as a sign
610 		 * that it's loading failed, thus we're here to cleanup.  Or,
611 		 * if this object isn't obviously non-deletable, determine
612 		 * whether it provides any filtees.  Add these groups to the
613 		 * group collection.
614 		 */
615 		if ((((FLAGS(lmp) & FLG_RT_RELOCED) == 0) ||
616 		    ((MODE(lmp) & RTLD_NODELETE) == 0)) &&
617 		    (FLAGS1(lmp) & MSK_RT_FILTER)) {
618 			Dyninfo *	dip = DYNINFO(lmp);
619 			uint_t		cnt, max = DYNINFOCNT(lmp);
620 
621 			for (cnt = 0; cnt < max; cnt++, dip++) {
622 				Pnode *	pnp;
623 
624 				if ((dip->di_info == 0) ||
625 				    ((dip->di_flags & MSK_DI_FILTER) == 0))
626 					continue;
627 
628 				for (pnp = (Pnode *)dip->di_info; pnp;
629 				    pnp = pnp->p_next) {
630 					Grp_hdl *	ghp2;
631 
632 					if ((pnp->p_len == 0) || ((ghp2 =
633 					    (Grp_hdl *)pnp->p_info) == 0))
634 						continue;
635 
636 					if (gdp_collect(ghalpp, lmalpp,
637 					    ghp2) == 0)
638 						return (0);
639 				}
640 			}
641 		}
642 	}
643 	return (1);
644 }
645 
646 /*
647  * Traverse the list of deletable candidates.  If an object can't be deleted
648  * then neither can its dependencies or filtees.  Any object that is cleared
649  * from being deleted drops the deletion count, plus, if there are no longer
650  * any deletions pending we can discontinue any further processing.
651  */
652 static int
653 remove_rescan(Alist * lmalp, Alist * ghalp, int *delcnt)
654 {
655 	Aliste		off1;
656 	Rt_map **	lmpp;
657 	int		rescan = 0;
658 
659 	for (ALIST_TRAVERSE(lmalp, off1, lmpp)) {
660 		Aliste		off2;
661 		Bnd_desc **	bdpp;
662 		Rt_map *	lmp = *lmpp;
663 		Dyninfo *	dip;
664 		uint_t		cnt, max;
665 
666 		if (FLAGS(lmp) & FLG_RT_DELETE)
667 			continue;
668 
669 		/*
670 		 * As this object can't be deleted, make sure its dependencies
671 		 * aren't deleted either.
672 		 */
673 		for (ALIST_TRAVERSE(DEPENDS(lmp), off2, bdpp)) {
674 			Rt_map *	dlmp = (*bdpp)->b_depend;
675 
676 			if (FLAGS(dlmp) & FLG_RT_DELETE) {
677 				FLAGS(dlmp) &= ~FLG_RT_DELETE;
678 				if (--(*delcnt) == 0)
679 					return (0);
680 				rescan = 1;
681 			}
682 		}
683 
684 		/*
685 		 * If this object is a filtee and one of its filters is outside
686 		 * of this dlclose family, then it can't be deleted either.
687 		 */
688 		if ((FLAGS1(lmp) & MSK_RT_FILTER) == 0)
689 			continue;
690 
691 		dip = DYNINFO(lmp);
692 		max = DYNINFOCNT(lmp);
693 
694 		for (cnt = 0; cnt < max; cnt++, dip++) {
695 			Pnode *	pnp;
696 
697 			if ((dip->di_info == 0) ||
698 			    ((dip->di_flags & MSK_DI_FILTER) == 0))
699 				continue;
700 
701 			for (pnp = (Pnode *)dip->di_info; pnp;
702 			    pnp = pnp->p_next) {
703 				Grp_hdl *	ghp;
704 				Grp_desc *	gdp;
705 
706 				if ((pnp->p_len == 0) ||
707 				    ((ghp = (Grp_hdl *)pnp->p_info) == 0))
708 					continue;
709 
710 				if (alist_test(&ghalp, ghp,
711 				    sizeof (Grp_hdl *), 0) == ALE_EXISTS)
712 					continue;
713 
714 				for (ALIST_TRAVERSE(ghp->gh_depends, off2,
715 				    gdp)) {
716 					Rt_map *	dlmp = gdp->gd_depend;
717 
718 					if (FLAGS(dlmp) & FLG_RT_DELETE) {
719 						FLAGS(dlmp) &= ~FLG_RT_DELETE;
720 						if (--(*delcnt) == 0)
721 							return (0);
722 						rescan = 1;
723 					}
724 				}
725 
726 				/*
727 				 * Remove this group handle from our dynamic
728 				 * deletion list.
729 				 */
730 				(void) alist_delete(ghalp, &ghp, 0);
731 			}
732 		}
733 	}
734 	return (rescan);
735 }
736 
737 /*
738  * Cleanup any collection alists we've created.
739  */
740 static void
741 remove_collect(Alist * ghalp, Alist * lmalp)
742 {
743 	if (ghalp)
744 		free(ghalp);
745 	if (lmalp)
746 		free(lmalp);
747 }
748 
749 /*
750  * Remove a handle, leaving the associated objects intact.  Besides the classic
751  * dlopen() usage, handles are used as a means of associating a group of objects
752  * and promoting modes.  Once object promotion is completed, the handle should
753  * be discarded while leaving the associated objects intact.  Leaving the handle
754  * would prevent the object from being deleted (as it looks like it's in use
755  * by another user).
756  */
757 void
758 free_hdl(Grp_hdl *ghp)
759 {
760 	if (--(ghp->gh_refcnt) == 0) {
761 		Grp_desc	*gdp;
762 		uintptr_t	ndx;
763 		Aliste		off;
764 
765 		for (ALIST_TRAVERSE(ghp->gh_depends, off, gdp)) {
766 			Rt_map	*lmp = gdp->gd_depend;
767 
768 			if (ghp->gh_ownlmp == lmp)
769 				(void) alist_delete(HANDLES(lmp), &ghp, 0);
770 			(void) alist_delete(GROUPS(lmp), &ghp, 0);
771 		}
772 		(void) free(ghp->gh_depends);
773 
774 		/* LINTED */
775 		ndx = (uintptr_t)ghp % HDLIST_SZ;
776 		list_delete(&hdl_list[ndx], ghp);
777 
778 		(void) free(ghp);
779 	}
780 }
781 
782 /*
783  * Remove a caller from a group handle.  This breaks the bond between a caller
784  * and a hierarchy of dependencies represented by a handle, thus the caller
785  * doesn't lock the hierarchy and prevent their deletion should their processing
786  * fail to complete.  If the handle count drops to zero, the handle is marked
787  * as sticky to prevent it's removal, or to confuse orphan handle processing.
788  * The caller may establish a binding to this handle again, once the hierarchy
789  * processing has completed, thus retaining the handle saves having to recreate
790  * it over and over again.
791  */
792 void
793 remove_caller(Grp_hdl *ghp, Rt_map *clmp)
794 {
795 	Grp_desc	*gdp;
796 	Aliste		off;
797 
798 	if (--(ghp->gh_refcnt) == 0)
799 		ghp->gh_flags |= GPH_STICKY;
800 
801 	for (ALIST_TRAVERSE(ghp->gh_depends, off, gdp)) {
802 		Rt_map	*lmp = gdp->gd_depend;
803 
804 		if (lmp == clmp) {
805 			(void) alist_delete(GROUPS(lmp), &ghp, 0);
806 			(void) alist_delete(ghp->gh_depends, 0, &off);
807 			break;
808 		}
809 	}
810 }
811 
812 /*
813  * Remove the objects associated with a handle.  There are two goals here, to
814  * delete the objects associated with the handle, and to remove the handle
815  * itself.  Things get a little more complex if the objects selected for
816  * deletion are filters, in this case we also need to collect their filtees,
817  * and process the combined groups as a whole.  But, care still must be exer-
818  * cised to make sure any filtees found aren't being used by filters outside of
819  * the groups we've collect.  The series of events is basically:
820  *
821  *  o	Determine the groups (handles) that might be deletable.
822  *
823  *  o	Determine the objects of these handles that can be deleted.
824  *
825  *  o	Fire the fini's of those objects selected for deletion.
826  *
827  *  o	Remove all inter-dependency linked lists while the objects link-maps
828  *	are still available.
829  *
830  *  o	Remove all deletable objects link-maps and unmap the objects themselves.
831  *
832  *  o	Remove the handle descriptors for each deleted object, and hopefully
833  *	the whole handle.
834  *
835  * An handle that can't be deleted is added to an orphans list.  This list is
836  * revisited any time another dlclose() request results in handle descriptors
837  * being deleted.  These deleted descriptors can be sufficient to allow the
838  * final deletion of the orphaned handles.
839  */
840 int
841 remove_hdl(Grp_hdl *ghp, Rt_map *clmp, int *removed)
842 {
843 	Rt_map *	lmp, ** lmpp;
844 	int		rescan = 0;
845 	int		delcnt = 0, rmcnt = 0, error = 0, orphans;
846 	Alist *		lmalp = 0, * ghalp = 0;
847 	Aliste		off1, off2;
848 	Grp_hdl **	ghpp;
849 	Grp_desc *	gdp;
850 	Lm_list *	lml = 0;
851 
852 	/*
853 	 * Generate the family of groups and objects that are candidates for
854 	 * deletion.  This consists of the objects that are explicitly defined
855 	 * as dependencies of this handle, plus any filtee handles and their
856 	 * associated objects.
857 	 */
858 	if (gdp_collect(&ghalp, &lmalp, ghp) == 0) {
859 		remove_collect(ghalp, lmalp);
860 		return (0);
861 	}
862 
863 	DBG_CALL(Dbg_file_hdl_title(DBG_DEP_DELETE));
864 
865 	/*
866 	 * Traverse the groups we've collected to determine if any filtees are
867 	 * included.  If so, and the filtee handle is in use by a filter outside
868 	 * of the family of objects collected for this deletion, it can not be
869 	 * removed.
870 	 */
871 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
872 		Grp_hdl *	ghp = *ghpp;
873 
874 		DBG_CALL(Dbg_file_hdl_collect(ghp, 0));
875 
876 		if ((ghp->gh_flags & GPH_FILTEE) == 0)
877 			continue;
878 
879 		/*
880 		 * Special case for ld.so.1.  There can be multiple instances of
881 		 * libdl.so.1 using this handle, so although we want the handles
882 		 * reference count to be decremented, we don't want the handle
883 		 * removed.
884 		 */
885 		if (ghp->gh_flags & GPH_LDSO) {
886 			DBG_CALL(Dbg_file_hdl_collect(ghp,
887 			    NAME(lml_rtld.lm_head)));
888 			(void) alist_delete(ghalp, 0, &off1);
889 			continue;
890 		}
891 
892 		for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
893 			Grp_hdl **	ghpp3;
894 			Aliste		off3;
895 
896 			/*
897 			 * Determine whether this dependency is the filtee's
898 			 * parent filter, and that it isn't also an explicit
899 			 * dependency (in which case it would have added its own
900 			 * dependencies to the handle).
901 			 */
902 			if ((gdp->gd_flags &
903 			    (GPD_FILTER | GPD_ADDEPS)) != GPD_FILTER)
904 				continue;
905 
906 			if (alist_test(&lmalp, gdp->gd_depend,
907 			    sizeof (Rt_map *), 0) == ALE_EXISTS)
908 				continue;
909 
910 			/*
911 			 * Remove this group handle from our dynamic deletion
912 			 * list.  In addition, recompute the list of objects
913 			 * that are candidates for deletion to continue this
914 			 * group verification.
915 			 */
916 			DBG_CALL(Dbg_file_hdl_collect(ghp,
917 			    NAME(gdp->gd_depend)));
918 			(void) alist_delete(ghalp, 0, &off1);
919 
920 			free(lmalp);
921 			lmalp = 0;
922 			for (ALIST_TRAVERSE(ghalp, off3, ghpp3)) {
923 				Aliste		off4;
924 				Grp_desc *	gdp4;
925 
926 				for (ALIST_TRAVERSE((*ghpp3)->gh_depends,
927 				    off4, gdp4))  {
928 					if ((gdp4->gd_flags & GPD_ADDEPS) == 0)
929 						continue;
930 					if (alist_test(&lmalp, gdp4->gd_depend,
931 					    sizeof (Rt_map *),
932 					    AL_CNT_GRPCLCT) == 0) {
933 						remove_collect(ghalp, lmalp);
934 						return (0);
935 					}
936 				}
937 			}
938 			break;
939 		}
940 	}
941 
942 	/*
943 	 * Now that we've collected all the handles dependencies, traverse the
944 	 * collection determining whether they are a candidate for deletion.
945 	 */
946 	for (ALIST_TRAVERSE(lmalp, off1, lmpp)) {
947 		lmp = *lmpp;
948 
949 		/*
950 		 * Establish which link-map list we're dealing with for later
951 		 * .fini processing.
952 		 */
953 		if (lml == 0)
954 			lml = LIST(lmp);
955 
956 		/*
957 		 * If an object isn't a candidate for deletion we'll have to
958 		 * rescan the handle insuring that this objects dependencies
959 		 * aren't deleted either.
960 		 */
961 		if (is_deletable(&lmalp, &ghalp, lmp)) {
962 			FLAGS(lmp) |= FLG_RT_DELETE;
963 			delcnt++;
964 		} else
965 			rescan = 1;
966 	}
967 
968 	/*
969 	 * Rescan the handle if any objects where found non-deletable.
970 	 */
971 	while (rescan)
972 		rescan = remove_rescan(lmalp, ghalp, &delcnt);
973 
974 	/*
975 	 * Now that we have determined the number of groups that are candidates
976 	 * for removal, mark each group descriptor as a candidate for removal
977 	 * from the group.
978 	 */
979 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
980 		for (ALIST_TRAVERSE((*ghpp)->gh_depends, off2, gdp))
981 			gdp->gd_flags |= GPD_REMOVE;
982 	}
983 
984 	/*
985 	 * Now that we know which objects on this handle can't be deleted
986 	 * determine whether they still need to remain identified as belonging
987 	 * to this group to be able to continue binding to one another.
988 	 */
989 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
990 		Grp_hdl *	ghp = *ghpp;
991 
992 		for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
993 			Aliste		off3;
994 			Bnd_desc **	bdpp;
995 
996 			lmp = gdp->gd_depend;
997 
998 			if (FLAGS(lmp) & FLG_RT_DELETE)
999 				continue;
1000 
1001 			for (ALIST_TRAVERSE(DEPENDS(lmp), off3, bdpp)) {
1002 				Aliste 		off4;
1003 				Grp_desc *	gdp4;
1004 				Rt_map *	dlmp = (*bdpp)->b_depend;
1005 
1006 				/*
1007 				 * If this dependency (dlmp) can be referenced
1008 				 * by the caller (clmp) without being part of
1009 				 * this group (ghp) then belonging to this group
1010 				 * is no longer necessary.  This can occur when
1011 				 * objects are part of multiple handles, or if a
1012 				 * previously deleted handle was moved to the
1013 				 * orphan list and has been reopened.  Note,
1014 				 * first make sure the caller can reference the
1015 				 * dependency with this group, if it can't we
1016 				 * must be bound to a filtee, so there's no need
1017 				 * to remain a part of this group either.
1018 				 */
1019 				if ((callable(lmp, dlmp, 0) == 0) ||
1020 				    callable(lmp, dlmp, ghp))
1021 					continue;
1022 
1023 				if (gdp->gd_flags & GPD_REMOVE)
1024 					gdp->gd_flags &= ~GPD_REMOVE;
1025 
1026 				for (ALIST_TRAVERSE(ghp->gh_depends,
1027 				    off4, gdp4)) {
1028 					if (gdp4->gd_depend != dlmp)
1029 						continue;
1030 
1031 					if (gdp4->gd_flags & GPD_REMOVE)
1032 						gdp4->gd_flags &= ~GPD_REMOVE;
1033 				}
1034 			}
1035 		}
1036 	}
1037 
1038 	/*
1039 	 * If the owner of a handle can't be deleted and it's handle descriptor
1040 	 * must remain also, don't delete the handle at all.  Leave it for
1041 	 * possible later use.  Although it's left intact, it will still be
1042 	 * moved to the orphans list, as we might be able to revisit it on later
1043 	 * dlclose() operations and finally remove the underlying objects.  Note
1044 	 * that the handle still remains attached to the owner via the HANDLES
1045 	 * list, so that it can be re-associated to the owner if a dlopen()
1046 	 * of this object reoccurs.
1047 	 */
1048 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
1049 		Grp_hdl *	ghp = *ghpp;
1050 
1051 		/*
1052 		 * If this handle is already an orphan, or if it's owner is
1053 		 * deletable there's no need to inspect its dependencies.
1054 		 */
1055 		if ((ghp->gh_ownlmp == 0) ||
1056 		    (FLAGS(ghp->gh_ownlmp) & FLG_RT_DELETE))
1057 			continue;
1058 
1059 		/*
1060 		 * Make sure all handle dependencies aren't removed or the
1061 		 * dependencies themselves aren't deleted.
1062 		 */
1063 		for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
1064 			lmp = gdp->gd_depend;
1065 
1066 			/*
1067 			 * The first dependency of a non-orphaned handle is the
1068 			 * owner.  If the handle descriptor for this isn't
1069 			 * required there's no need to look at any other of the
1070 			 * handles dependencies.
1071 			 */
1072 			if ((lmp == ghp->gh_ownlmp) &&
1073 			    (gdp->gd_flags & GPD_REMOVE))
1074 				break;
1075 
1076 			if (gdp->gd_flags & GPD_REMOVE)
1077 				gdp->gd_flags &= ~GPD_REMOVE;
1078 			if (FLAGS(lmp) & FLG_RT_DELETE) {
1079 				FLAGS(lmp) &= ~FLG_RT_DELETE;
1080 				delcnt--;
1081 			}
1082 		}
1083 	}
1084 
1085 	/*
1086 	 * Final scan of objects to see if any objects are to to be deleted.
1087 	 * Also - display diagnostic information on what operations are to be
1088 	 * performed on the collected handles before firing .fini's (which
1089 	 * produces additional diagnostics).
1090 	 */
1091 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
1092 		Grp_hdl *	ghp = *ghpp;
1093 
1094 		DBG_CALL(Dbg_file_hdl_title(DBG_DEP_DELETE));
1095 
1096 		for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
1097 			int	flag;
1098 
1099 			lmp = gdp->gd_depend;
1100 
1101 			if (FLAGS(lmp) & FLG_RT_DELETE) {
1102 				flag = DBG_DEP_DELETE;
1103 				/*
1104 				 * Remove any pathnames from the FullpathNode
1105 				 * AVL tree.  As we're about to fire .fini's,
1106 				 * it's possible this object will be required
1107 				 * again, in which case we want to make sure a
1108 				 * new version of the object gets loaded.
1109 				 */
1110 				if (FPNODE(lmp))
1111 					fpavl_remove(lmp);
1112 			} else if (gdp->gd_flags & GPD_REMOVE)
1113 				flag = DBG_DEP_REMOVE;
1114 			else
1115 				flag = DBG_DEP_REMAIN;
1116 
1117 			DBG_CALL(Dbg_file_hdl_action(ghp, lmp, flag));
1118 		}
1119 	}
1120 
1121 	/*
1122 	 * If there are objects to be deleted process their .fini's.
1123 	 */
1124 	if (delcnt) {
1125 		Rt_map **	tobj;
1126 
1127 		/*
1128 		 * If we're being audited tell the audit library that we're
1129 		 * about to go deleting dependencies.
1130 		 */
1131 		if (clmp && ((LIST(clmp)->lm_tflags | FLAGS1(clmp)) &
1132 		    LML_TFLG_AUD_ACTIVITY))
1133 			audit_activity(clmp, LA_ACT_DELETE);
1134 
1135 		/*
1136 		 * Sort and fire all fini's of the objects selected for
1137 		 * deletion.  Note that we have to start our search from the
1138 		 * link-map head - there's no telling whether this object has
1139 		 * dependencies on objects that were loaded before it and which
1140 		 * can now be deleted.  If the tsort() fails because of an
1141 		 * allocation error then that might just be a symptom of why
1142 		 * we're here in the first place - forgo the fini's but
1143 		 * continue to try cleaning up.
1144 		 */
1145 		lml->lm_flags |= LML_FLG_OBJDELETED;
1146 
1147 		if (((tobj = tsort(lml->lm_head, delcnt,
1148 		    (RT_SORT_DELETE | RT_SORT_FWD))) != 0) &&
1149 		    (tobj != (Rt_map **)S_ERROR)) {
1150 			error = purge_exit_handlers(lml, tobj);
1151 			call_fini(lml, tobj);
1152 		}
1153 
1154 		/*
1155 		 * Audit the closure of the dlopen'ed object to any local
1156 		 * auditors.  Any global auditors would have been caught by
1157 		 * call_fini(), but as the link-maps CALLERS was removed
1158 		 * already we do the local auditors explicitly.
1159 		 */
1160 		for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
1161 			Grp_hdl *	ghp = *ghpp;
1162 			Rt_map *	dlmp = ghp->gh_ownlmp;
1163 
1164 			if (clmp && dlmp &&
1165 			    ((LIST(dlmp)->lm_flags & LML_FLG_NOAUDIT) == 0) &&
1166 			    (FLAGS1(clmp) & LML_TFLG_AUD_OBJCLOSE))
1167 				_audit_objclose(&(AUDITORS(clmp)->ad_list),
1168 				    dlmp);
1169 		}
1170 	}
1171 
1172 	/*
1173 	 * Now that .fini processing (which may have involved new bindings)
1174 	 * is complete, remove all inter-dependency lists from those objects
1175 	 * selected for deletion.
1176 	 */
1177 	for (ALIST_TRAVERSE(lmalp, off1, lmpp)) {
1178 		Dyninfo *	dip;
1179 		uint_t		cnt, max;
1180 
1181 		lmp = *lmpp;
1182 
1183 		if (FLAGS(lmp) & FLG_RT_DELETE)
1184 			remove_lists(lmp, 0);
1185 
1186 		/*
1187 		 * Determine whether we're dealing with a filter, and if so
1188 		 * process any inter-dependencies with its filtee's.
1189 		 */
1190 		if ((FLAGS1(lmp) & MSK_RT_FILTER) == 0)
1191 			continue;
1192 
1193 		dip = DYNINFO(lmp);
1194 		max = DYNINFOCNT(lmp);
1195 
1196 		for (cnt = 0; cnt < max; cnt++, dip++) {
1197 			Pnode *	pnp;
1198 
1199 			if ((dip->di_info == 0) ||
1200 			    ((dip->di_flags & MSK_DI_FILTER) == 0))
1201 				continue;
1202 
1203 			for (pnp = (Pnode *)dip->di_info; pnp;
1204 			    pnp = pnp->p_next) {
1205 				Grp_hdl *	ghp;
1206 
1207 				if ((pnp->p_len == 0) ||
1208 				    ((ghp = (Grp_hdl *)pnp->p_info) == 0))
1209 					continue;
1210 
1211 				/*
1212 				 * Determine whether this filtee's handle is a
1213 				 * part of the list of handles being deleted.
1214 				 */
1215 				if (alist_test(&ghalp, ghp,
1216 				    sizeof (Grp_hdl *), 0) == ALE_EXISTS) {
1217 					/*
1218 					 * If this handle exists on the deletion
1219 					 * list, then it has been removed.  If
1220 					 * this filter isn't going to be
1221 					 * deleted, server its reference to the
1222 					 * handle.
1223 					 */
1224 					pnp->p_info = 0;
1225 				} else {
1226 					/*
1227 					 * If this handle isn't on the deletion
1228 					 * list, then it must still exist.  If
1229 					 * this filter is being deleted, make
1230 					 * sure the filtees reference count
1231 					 * gets decremented.
1232 					 */
1233 					if (FLAGS(lmp) & FLG_RT_DELETE)
1234 					    (void) dlclose_core(ghp, lmp);
1235 				}
1236 			}
1237 		}
1238 	}
1239 
1240 	/*
1241 	 * If called from dlclose(), determine if there are already handles on
1242 	 * the orphans list that we can reinvestigate.
1243 	 */
1244 	if ((removed == 0) && hdl_list[HDLIST_ORP].head)
1245 		orphans = 1;
1246 	else
1247 		orphans = 0;
1248 
1249 	/*
1250 	 * Finally remove any handle infrastructure and remove any objects
1251 	 * marked for deletion.
1252 	 */
1253 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
1254 		Grp_hdl *	ghp = *ghpp;
1255 
1256 		/*
1257 		 * If we're not dealing with orphaned handles remove this handle
1258 		 * from its present handle list.
1259 		 */
1260 		if (removed == 0) {
1261 			uintptr_t ndx;
1262 
1263 			/* LINTED */
1264 			ndx = (uintptr_t)ghp % HDLIST_SZ;
1265 			list_delete(&hdl_list[ndx], ghp);
1266 		}
1267 
1268 		/*
1269 		 * Traverse each handle dependency.
1270 		 */
1271 		for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
1272 			if ((gdp->gd_flags & GPD_REMOVE) == 0)
1273 				continue;
1274 
1275 			lmp = gdp->gd_depend;
1276 			rmcnt++;
1277 
1278 			/*
1279 			 * If this object is the owner of the handle break that
1280 			 * association in case the handle is retained.
1281 			 */
1282 			if (ghp->gh_ownlmp == lmp) {
1283 				(void) alist_delete(HANDLES(lmp), &ghp, 0);
1284 				ghp->gh_ownlmp = 0;
1285 			}
1286 
1287 			(void) alist_delete(GROUPS(lmp), &ghp, 0);
1288 			(void) alist_delete(ghp->gh_depends, 0, &off2);
1289 
1290 			/*
1291 			 * Complete the link-map deletion if appropriate.
1292 			 */
1293 			if (FLAGS(lmp) & FLG_RT_DELETE) {
1294 				tls_modactivity(lmp, TM_FLG_MODREM);
1295 				remove_so(LIST(lmp), lmp);
1296 			}
1297 		}
1298 
1299 		/*
1300 		 * If we've deleted all the dependencies of the handle finalize
1301 		 * the cleanup by removing the handle itself.
1302 		 *
1303 		 * Otherwise we're left with a handle containing one or more
1304 		 * objects that can not be deleted (they're in use by other
1305 		 * handles, non-deletable, etc.), but require to remain a part
1306 		 * of this group to allow them to continue binding to one
1307 		 * another.  Should any other dlclose() operation occur that
1308 		 * results in the removal of handle descriptors, these orphan
1309 		 * handles are re-examined to determine if their deletion can be
1310 		 * completed.
1311 		 */
1312 		if (ghp->gh_depends->al_data[0] == 0) {
1313 			remove_lml(lml);
1314 			free(ghp->gh_depends);
1315 			free(ghp);
1316 		} else if (removed == 0) {
1317 			/*
1318 			 * Move this handle to the orphans list (if it isn't
1319 			 * already there).
1320 			 */
1321 			(void) list_append(&hdl_list[HDLIST_ORP], ghp);
1322 
1323 			if (DBG_ENABLED) {
1324 				DBG_CALL(Dbg_file_hdl_title(DBG_DEP_ORPHAN));
1325 				for (ALIST_TRAVERSE(ghp->gh_depends, off1, gdp))
1326 					DBG_CALL(Dbg_file_hdl_action(ghp,
1327 					    gdp->gd_depend, DBG_DEP_REMAIN));
1328 			}
1329 		}
1330 	}
1331 
1332 	/*
1333 	 * If no handle descriptors got removed there's no point in looking for
1334 	 * orphans to process.
1335 	 */
1336 	if (rmcnt == 0)
1337 		orphans = 0;
1338 
1339 	/*
1340 	 * Cleanup any alists we've created.
1341 	 */
1342 	remove_collect(ghalp, lmalp);
1343 
1344 	/*
1345 	 * If orphan processing isn't required we're done.  If our processing
1346 	 * originated from investigating orphans, return the number of handle
1347 	 * descriptors removed as an indication whether orphan processing
1348 	 * should continue.
1349 	 */
1350 	if (orphans == 0) {
1351 		if (removed)
1352 			*removed = rmcnt;
1353 		return (error);
1354 	}
1355 
1356 	/*
1357 	 * Traverse the orphans list as many times as necessary until no
1358 	 * handle removals occur.
1359 	 */
1360 	do {
1361 		List		list;
1362 		Listnode	*lnp;
1363 		Grp_hdl		*ghp, *oghp = 0;
1364 		int		title = 0;
1365 
1366 		/*
1367 		 * Effectively clean the HDLIST_ORP list.  Any object that can't
1368 		 * be removed will be re-added to the list.
1369 		 */
1370 		list = hdl_list[HDLIST_ORP];
1371 		hdl_list[HDLIST_ORP].head = hdl_list[HDLIST_ORP].tail = 0;
1372 
1373 		rescan = 0;
1374 		for (LIST_TRAVERSE(&list, lnp, ghp)) {
1375 			int	_error, _remove;
1376 
1377 			if (title++ == 0)
1378 				DBG_CALL(Dbg_file_del_rescan(ghp->gh_ownlml));
1379 
1380 			if (oghp) {
1381 				list_delete(&list, oghp);
1382 				oghp = 0;
1383 			}
1384 
1385 			if (((_error = remove_hdl(ghp, clmp, &_remove)) != 0) &&
1386 			    (error == 0))
1387 				error = _error;
1388 
1389 			if (_remove)
1390 				rescan++;
1391 
1392 			oghp = ghp;
1393 		}
1394 		if (oghp) {
1395 			list_delete(&list, oghp);
1396 			oghp = 0;
1397 		}
1398 
1399 	} while (rescan && hdl_list[HDLIST_ORP].head);
1400 
1401 	return (error);
1402 }
1403