xref: /titanic_52/usr/src/cmd/sgs/rtld/common/remove.c (revision bdfc6d18da790deeec2e0eb09c625902defe2498)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  *
26  * Remove objects.  Objects need removal from a process as part of:
27  *
28  *  o	a dlclose() request
29  *
30  *  o	tearing down a dlopen(), lazy-load, or filter hierarchy that failed to
31  *	completely load
32  *
33  * Any other failure condition will result in process exit (in which case all
34  * we have to do is execute the fini's - tear down is unnecessary).
35  *
36  * Any removal of objects is therefore associated with a dlopen() handle.  There
37  * is a small window between creation of the first dlopen() object and creating
38  * its handle (in which case remove_so() can get rid of the new link-map if
39  * necessary), but other than this all object removal is driven by inspecting
40  * the components of a handle.
41  *
42  * Things to note.  The creation of a link-map, and its addition to the link-map
43  * list occurs in {elf|aout}_new_lm(), if this returns success the link-map is
44  * valid and added, otherwise any steps (allocations) in the process of creating
45  * the link-map would have been undone.  If a failure occurs between creating
46  * the link-map and adding it to a handle, remove_so() is called to remove the
47  * link-map.  If a failures occurs after a handle have been created,
48  * remove_hdl() is called to remove the handle and the link-map.
49  */
50 #pragma ident	"%Z%%M%	%I%	%E% SMI"
51 
52 #include	"_synonyms.h"
53 
54 #include	<string.h>
55 #include	<stdio.h>
56 #include	<unistd.h>
57 #include	<dlfcn.h>
58 #include	<sys/debug.h>
59 #include	<sys/avl.h>
60 #include	"libc_int.h"
61 #include	"_rtld.h"
62 #include	"_audit.h"
63 #include	"_elf.h"
64 #include	"debug.h"
65 #include	"msg.h"
66 
67 /*
68  * Atexit callback provided by libc.  As part of dlclose() determine the address
69  * ranges of all objects that are to be deleted.  Pass this information to
70  * libc's pre-atexit routine.  Libc will purge any registered atexit() calls
71  * related to those objects about to be deleted.
72  */
73 static int
74 purge_exit_handlers(Lm_list *lml, Rt_map **tobj)
75 {
76 	uint_t			num;
77 	Rt_map			**_tobj;
78 	Lc_addr_range_t		*addr, *_addr;
79 	int			error;
80 
81 	/*
82 	 * Has a callback been established?
83 	 */
84 	if (lml->lm_peh == 0)
85 		return (0);
86 
87 	/*
88 	 * Determine the total number of mapped segments that will be unloaded.
89 	 */
90 	for (num = 0, _tobj = tobj; *_tobj != NULL; _tobj++) {
91 		Rt_map *	lmp = *_tobj;
92 
93 		num += MMAPCNT(lmp);
94 	}
95 
96 	/*
97 	 * Account for a null entry at the end of the address range array.
98 	 */
99 	if (num++ == 0)
100 		return (0);
101 
102 	/*
103 	 * Allocate an array for the address range.
104 	 */
105 	if ((addr = malloc(num * sizeof (Lc_addr_range_t))) == 0)
106 		return (1);
107 
108 	/*
109 	 * Fill the address range with each loadable segments size and address.
110 	 */
111 	for (_tobj = tobj, _addr = addr; *_tobj != NULL; _tobj++) {
112 		Rt_map	*lmp = *_tobj;
113 		Mmap	*mmaps;
114 
115 		for (mmaps = MMAPS(lmp); mmaps->m_vaddr; mmaps++) {
116 			_addr->lb = (void *)mmaps->m_vaddr;
117 			_addr->ub = (void *)(mmaps->m_vaddr + mmaps->m_msize);
118 			_addr++;
119 		}
120 	}
121 	_addr->lb = _addr->ub = 0;
122 
123 	leave(LIST(*tobj));
124 
125 	error = (* lml->lm_peh)(addr, (num - 1));
126 
127 	(void) enter();
128 
129 	/*
130 	 * If we fail to converse with libc, generate an error message to
131 	 * satisfy any dlerror() usage.
132 	 */
133 	if (error)
134 		eprintf(ERR_FATAL, MSG_INTL(MSG_ARG_ATEXIT), error);
135 
136 	free(addr);
137 	return (error);
138 }
139 
140 /*
141  * Remove any rejection message allocations.
142  */
143 void
144 remove_rej(Rej_desc * rej)
145 {
146 	if (rej && (rej->rej_type)) {
147 		if (rej->rej_name)
148 			free((void *)rej->rej_name);
149 		if (rej->rej_str && (rej->rej_str != MSG_ORIG(MSG_EMG_ENOMEM)))
150 			free((void *)rej->rej_str);
151 	}
152 }
153 
154 /*
155  * Break down a Pnode list.
156  */
157 void
158 remove_pnode(Pnode * pnp)
159 {
160 	Pnode *	opnp;
161 
162 	for (opnp = 0; pnp; opnp = pnp, pnp = pnp->p_next) {
163 		if (pnp->p_name)
164 			free((void *)pnp->p_name);
165 		if (pnp->p_oname)
166 			free((void *)pnp->p_oname);
167 		if (opnp)
168 			free((void *)opnp);
169 	}
170 	if (opnp)
171 		free((void *)opnp);
172 }
173 
174 
175 /*
176  * Remove a link-map list descriptor.  This is called to finalize the removal
177  * of an entire link-map list, after all link-maps have been removed, or none
178  * got added.  As load_one() can process a list of potential candidates objects,
179  * the link-map descriptor must be maintained as each object is processed.  Only
180  * after all objects have been processed can a failure condition finally tear
181  * down the link-map list descriptor.
182  */
183 void
184 remove_lml(Lm_list *lml)
185 {
186 	if (lml && (lml->lm_head == 0)) {
187 		if (lml->lm_alp)
188 			free(lml->lm_alp);
189 		if (lml->lm_lists)
190 			free(lml->lm_lists);
191 
192 		/*
193 		 * Cleanup rtldinfo in the case where it was allocated but
194 		 * not called (see _relocate_so()).
195 		 */
196 		if (lml->lm_rtldinfo)
197 			free(lml->lm_rtldinfo);
198 		if (lml->lm_fpavl) {
199 			/*
200 			 * As we are freeing the link-map list, all nodes must
201 			 * have previously been removed.
202 			 */
203 			ASSERT(avl_numnodes(lml->lm_fpavl) == 0);
204 			free(lml->lm_fpavl);
205 		}
206 		list_delete(&dynlm_list, lml);
207 		free(lml);
208 	}
209 }
210 
211 /*
212  * Remove a link-map.  This removes a link-map from its associated list and
213  * free's up the link-map itself.  Note, all components that are freed are local
214  * to the link-map, no inter-link-map lists are operated on as these are all
215  * broken down by dlclose() while all objects are still mapped.
216  *
217  * This routine is called from dlclose() to zap individual link-maps after their
218  * interdependencies (DEPENDS(), CALLER(), handles, etc.) have been removed.
219  * This routine is also called from the bowels of load_one() in the case of a
220  * link-map creation failure.
221  */
222 void
223 remove_so(Lm_list *lml, Rt_map *lmp)
224 {
225 	Dyninfo *dip;
226 
227 	if (lmp == 0)
228 		return;
229 
230 	/*
231 	 * Unlink the link map from the link-map list.
232 	 */
233 	if (lml && lmp)
234 		lm_delete(lml, lmp);
235 
236 	/*
237 	 * If this object contributed the preexec_exit_handler() routine for
238 	 * the current link-map list, mark the list as no-longer containing a
239 	 * preexec_exit_handler() routine.
240 	 */
241 	if (lml && (lml->lm_peh_lmp == lmp)) {
242 		lml->lm_peh = 0;
243 		lml->lm_peh_lmp = 0;
244 	}
245 
246 	DBG_CALL(Dbg_file_delete(NAME(lmp)));
247 
248 	/*
249 	 * Unmap the object.
250 	 */
251 	LM_UNMAP_SO(lmp)(lmp);
252 
253 	/*
254 	 * Remove any FullpathNode AVL names if they still exist.
255 	 */
256 	if (FPNODE(lmp))
257 		fpavl_remove(lmp);
258 
259 	/*
260 	 * Remove any alias names.
261 	 */
262 	if (ALIAS(lmp)) {
263 		Aliste	off;
264 		char **	cpp;
265 
266 		for (ALIST_TRAVERSE(ALIAS(lmp), off, cpp))
267 			free(*cpp);
268 		free(ALIAS(lmp));
269 	}
270 
271 	/*
272 	 * Free the various names, as these were duplicated so that they were
273 	 * available in core files.
274 	 * The original name is set to the pathname by default (see fullpath()),
275 	 * but is overridden if the file is an alternative.  The pathname is set
276 	 * to the name by default (see [aout|elf]_new_lm()), but is overridden
277 	 * if the fullpath/resolve path differs (see fullpath()).  The original
278 	 * name is always duplicated, as it typically exists as a text string
279 	 * (see DT_NEEDED pointer) or was passed in from user code.
280 	 */
281 	if (ORIGNAME(lmp) != PATHNAME(lmp))
282 		free(ORIGNAME(lmp));
283 	if (PATHNAME(lmp) != NAME(lmp))
284 		free(PATHNAME(lmp));
285 	free(NAME(lmp));
286 
287 	/*
288 	 * Remove any of this objects filtee infrastructure.  The filtees them-
289 	 * selves have already been removed.
290 	 */
291 	if (((dip = DYNINFO(lmp)) != 0) && (FLAGS1(lmp) & MSK_RT_FILTER)) {
292 		uint_t	cnt, max = DYNINFOCNT(lmp);
293 
294 		for (cnt = 0; cnt < max; cnt++, dip++) {
295 			if (dip->di_info && (dip->di_flags & MSK_DI_FILTER))
296 				remove_pnode((Pnode *)dip->di_info);
297 		}
298 	}
299 	if (dip)
300 		free(DYNINFO(lmp));
301 
302 	/*
303 	 * Deallocate any remaining cruft and free the link-map.
304 	 */
305 	if (RLIST(lmp))
306 		remove_pnode(RLIST(lmp));
307 
308 	if (REFNAME(lmp))
309 		free(REFNAME(lmp));
310 	if (ELFPRV(lmp))
311 		free(ELFPRV(lmp));
312 	if (AUDITORS(lmp))
313 		audit_desc_cleanup(AUDITORS(lmp), lmp);
314 	if (AUDINFO(lmp))
315 		audit_info_cleanup(AUDINFO(lmp));
316 
317 	if (CONDVAR(lmp))
318 		free(CONDVAR(lmp));
319 	if (COPY(lmp))
320 		free(COPY(lmp));
321 	if (MMAPS(lmp))
322 		free(MMAPS(lmp));
323 
324 	/*
325 	 * During a dlclose() any groups this object was a part of will have
326 	 * been torn down.  However, we can get here to remove an object that
327 	 * has failed to load, perhaps because its addition to a handle failed.
328 	 * Therefore if this object indicates that its part of a group tear
329 	 * these associations down.
330 	 */
331 	if (GROUPS(lmp)) {
332 		Aliste		off1;
333 		Grp_hdl **	ghpp;
334 
335 		for (ALIST_TRAVERSE(GROUPS(lmp), off1, ghpp)) {
336 			Grp_hdl *	ghp = *ghpp;
337 			Grp_desc *	gdp;
338 			Aliste		off2;
339 
340 			for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
341 				if (gdp->gd_depend != lmp)
342 					continue;
343 
344 				(void) alist_delete(ghp->gh_depends, 0, &off2);
345 				break;
346 			}
347 		}
348 		free(GROUPS(lmp));
349 	}
350 	if (HANDLES(lmp))
351 		free(HANDLES(lmp));
352 
353 	/*
354 	 * Clean up reglist if needed
355 	 */
356 	if (reglist != (Reglist *)0) {
357 		Reglist *	cur, * prv, * del;
358 
359 		cur = prv = reglist;
360 		while (cur != (Reglist *)0) {
361 			if (cur->rl_lmp == lmp) {
362 				del = cur;
363 				if (cur == reglist) {
364 					reglist = cur->rl_next;
365 					cur = prv = reglist;
366 				} else {
367 					prv->rl_next = cur->rl_next;
368 					cur = cur->rl_next;
369 				}
370 				free(del);
371 			} else {
372 				prv = cur;
373 				cur = cur->rl_next;
374 			}
375 		}
376 	}
377 
378 	free(lmp);
379 }
380 
381 
382 /*
383  * Traverse an objects dependency list removing callers and dependencies.
384  * There's a chicken and egg problem with tearing down link-maps.  Any
385  * relationship between link-maps is maintained on a DEPENDS, and associated
386  * CALLERS list.  These lists can't be broken down at the time a single link-
387  * map is removed as any related link-map may have already been removed.  Thus,
388  * lists between link-maps must be broken down before the individual link-maps
389  * themselves.
390  */
391 void
392 remove_lists(Rt_map * lmp, int lazy)
393 {
394 	Aliste		off1;
395 	Bnd_desc **	bdpp;
396 
397 	/*
398 	 * First, traverse this objects dependencies.
399 	 */
400 	for (ALIST_TRAVERSE(DEPENDS(lmp), off1, bdpp)) {
401 		Bnd_desc *	bdp = *bdpp;
402 		Rt_map *	dlmp = bdp->b_depend;
403 
404 		/*
405 		 * Remove this object from the dependencies callers.
406 		 */
407 		(void) alist_delete(CALLERS(dlmp), &bdp, 0);
408 		free(bdp);
409 	}
410 	if (DEPENDS(lmp)) {
411 		free(DEPENDS(lmp));
412 		DEPENDS(lmp) = 0;
413 	}
414 
415 	/*
416 	 * Second, traverse this objects callers.
417 	 */
418 	for (ALIST_TRAVERSE(CALLERS(lmp), off1,  bdpp)) {
419 		Bnd_desc *	bdp = *bdpp;
420 		Rt_map *	clmp = bdp->b_caller;
421 
422 		/*
423 		 * If we're removing an object that was triggered by a lazyload,
424 		 * remove the callers DYNINFO() entry and bump the lazy counts.
425 		 * This reinitialization of the lazy information allows a lazy
426 		 * object to be reloaded again later.  Although we may be
427 		 * breaking down a group of lazyloaded objects because one has
428 		 * failed to relocate, it's possible that one or more of the
429 		 * individual objects can be reloaded without a problem.
430 		 */
431 		if (lazy) {
432 			Dyninfo *	dip;
433 
434 			if ((dip = DYNINFO(clmp)) != 0) {
435 				uint_t	cnt, max = DYNINFOCNT(clmp);
436 
437 				for (cnt = 0; cnt < max; cnt++, dip++) {
438 					if ((dip->di_flags &
439 					    FLG_DI_NEEDED) == 0)
440 						continue;
441 
442 					if (dip->di_info == (void *)lmp) {
443 						dip->di_info = 0;
444 
445 						if (LAZY(clmp)++ == 0)
446 							LIST(clmp)->lm_lazy++;
447 					}
448 				}
449 			}
450 		}
451 
452 		(void) alist_delete(DEPENDS(clmp), &bdp, 0);
453 		free(bdp);
454 	}
455 	if (CALLERS(lmp)) {
456 		free(CALLERS(lmp));
457 		CALLERS(lmp) = 0;
458 	}
459 }
460 
461 /*
462  * Delete any temporary link-map control list.
463  */
464 void
465 remove_cntl(Lm_list *lml, Aliste lmco)
466 {
467 	if (lmco && (lmco != ALO_DATA)) {
468 		Aliste	_lmco = lmco;
469 #if	DEBUG
470 		Lm_cntl	*lmc = (Lm_cntl *)((char *)lml->lm_lists + lmco);
471 
472 		/*
473 		 * This element should be empty.
474 		 */
475 		ASSERT(lmc->lc_head == 0);
476 #endif
477 		(void) alist_delete(lml->lm_lists, 0, &_lmco);
478 	}
479 }
480 
481 /*
482  * If a lazy loaded object, or filtee fails to load, possibly because it, or
483  * one of its dependencies can't be relocated, then tear down any objects
484  * that are apart of this link-map control list.
485  */
486 void
487 remove_incomplete(Lm_list *lml, Aliste lmco)
488 {
489 	Rt_map	*lmp;
490 	Lm_cntl	*lmc;
491 
492 	/* LINTED */
493 	lmc = (Lm_cntl *)((char *)lml->lm_lists + lmco);
494 
495 	/*
496 	 * First, remove any lists that may point between objects.
497 	 */
498 	for (lmp = lmc->lc_head; lmp; lmp = (Rt_map *)NEXT(lmp))
499 		remove_lists(lmp, 1);
500 
501 	/*
502 	 * Finally, remove each object.  remove_so() calls lm_delete(), thus
503 	 * effectively the link-map control head gets updated to point to the
504 	 * next link-map.
505 	 */
506 	while ((lmp = lmc->lc_head) != 0)
507 		remove_so(lml, lmp);
508 
509 	lmc->lc_head = lmc->lc_tail = 0;
510 }
511 
512 /*
513  * Determine whether an object is deletable.
514  */
515 int
516 is_deletable(Alist ** lmalp, Alist ** ghalp, Rt_map * lmp)
517 {
518 	Aliste		off;
519 	Bnd_desc **	bdpp;
520 	Grp_hdl **	ghpp;
521 
522 	/*
523 	 * If the object hasn't yet been relocated take this as a sign that
524 	 * it's loading failed, thus we're here to cleanup.  If the object is
525 	 * relocated it will only be retained if it was marked non-deletable,
526 	 * and exists on the main link-map control list.
527 	 */
528 	if ((FLAGS(lmp) & FLG_RT_RELOCED) &&
529 	    (MODE(lmp) & RTLD_NODELETE) && (CNTL(lmp) == ALO_DATA))
530 		return (0);
531 
532 	/*
533 	 * If this object is the head of a handle that has not been captured as
534 	 * a candidate for deletion, then this object is in use from a dlopen()
535 	 * outside of the scope of this dlclose() family.  Dlopen'ed objects,
536 	 * and filtees, have group descriptors for their callers.  Typically
537 	 * this parent will have callers that are not apart of this dlclose()
538 	 * family, and thus would be caught by the CALLERS test below.  However,
539 	 * if the caller had itself been dlopen'ed, it may not have any explicit
540 	 * callers registered for itself.  Thus, but looking for objects with
541 	 * handles we can ferret out these outsiders.
542 	 */
543 	for (ALIST_TRAVERSE(HANDLES(lmp), off, ghpp)) {
544 		if (alist_test(ghalp, *ghpp,
545 		    sizeof (Grp_hdl *), 0) != ALE_EXISTS)
546 			return (0);
547 	}
548 
549 	/*
550 	 * If this object is called by any object outside of the family of
551 	 * objects selected for deletion, it can't be deleted.
552 	 */
553 	for (ALIST_TRAVERSE(CALLERS(lmp), off, bdpp)) {
554 		if (alist_test(lmalp, (*bdpp)->b_caller,
555 		    sizeof (Rt_map *), 0) != ALE_EXISTS)
556 			return (0);
557 	}
558 
559 	/*
560 	 * This object is a candidate for deletion.
561 	 */
562 	return (1);
563 }
564 
565 /*
566  * Collect the groups (handles) and associated objects that are candidates for
567  * deletion.  The criteria for deleting an object is whether it is only refer-
568  * enced from the objects within the groups that are candidates for deletion.
569  */
570 static int
571 gdp_collect(Alist ** ghalpp, Alist ** lmalpp, Grp_hdl * ghp1)
572 {
573 	Aliste		off;
574 	Grp_desc *	gdp;
575 	int		action;
576 
577 	/*
578 	 * Add this group to our group collection.  If it isn't added either an
579 	 * allocation has failed, or it already exists.
580 	 */
581 	if ((action = alist_test(ghalpp, ghp1, sizeof (Grp_hdl *),
582 	    AL_CNT_GRPCLCT)) != ALE_CREATE)
583 		return (action);
584 
585 	/*
586 	 * Traverse the dependencies of the group and collect the associated
587 	 * objects.
588 	 */
589 	for (ALIST_TRAVERSE(ghp1->gh_depends, off, gdp)) {
590 		Rt_map *	lmp = gdp->gd_depend;
591 
592 		/*
593 		 * We only want to process dependencies for deletion.  Although
594 		 * we want to purge group descriptors for parents, we don't want
595 		 * to analyze the parent itself for additional filters or
596 		 * deletion.
597 		 */
598 		if ((gdp->gd_flags & GPD_ADDEPS) == 0)
599 			continue;
600 
601 		if ((action = alist_test(lmalpp, lmp, sizeof (Rt_map *),
602 		    AL_CNT_GRPCLCT)) == 0)
603 			return (0);
604 		if (action == ALE_EXISTS)
605 			continue;
606 
607 		/*
608 		 * If this object hasn't yet been relocated take this as a sign
609 		 * that it's loading failed, thus we're here to cleanup.  Or,
610 		 * if this object isn't obviously non-deletable, determine
611 		 * whether it provides any filtees.  Add these groups to the
612 		 * group collection.
613 		 */
614 		if ((((FLAGS(lmp) & FLG_RT_RELOCED) == 0) ||
615 		    ((MODE(lmp) & RTLD_NODELETE) == 0)) &&
616 		    (FLAGS1(lmp) & MSK_RT_FILTER)) {
617 			Dyninfo *	dip = DYNINFO(lmp);
618 			uint_t		cnt, max = DYNINFOCNT(lmp);
619 
620 			for (cnt = 0; cnt < max; cnt++, dip++) {
621 				Pnode *	pnp;
622 
623 				if ((dip->di_info == 0) ||
624 				    ((dip->di_flags & MSK_DI_FILTER) == 0))
625 					continue;
626 
627 				for (pnp = (Pnode *)dip->di_info; pnp;
628 				    pnp = pnp->p_next) {
629 					Grp_hdl *	ghp2;
630 
631 					if ((pnp->p_len == 0) || ((ghp2 =
632 					    (Grp_hdl *)pnp->p_info) == 0))
633 						continue;
634 
635 					if (gdp_collect(ghalpp, lmalpp,
636 					    ghp2) == 0)
637 						return (0);
638 				}
639 			}
640 		}
641 	}
642 	return (1);
643 }
644 
645 /*
646  * Traverse the list of deletable candidates.  If an object can't be deleted
647  * then neither can its dependencies or filtees.  Any object that is cleared
648  * from being deleted drops the deletion count, plus, if there are no longer
649  * any deletions pending we can discontinue any further processing.
650  */
651 static int
652 remove_rescan(Alist * lmalp, Alist * ghalp, int *delcnt)
653 {
654 	Aliste		off1;
655 	Rt_map **	lmpp;
656 	int		rescan = 0;
657 
658 	for (ALIST_TRAVERSE(lmalp, off1, lmpp)) {
659 		Aliste		off2;
660 		Bnd_desc **	bdpp;
661 		Rt_map *	lmp = *lmpp;
662 		Dyninfo *	dip;
663 		uint_t		cnt, max;
664 
665 		if (FLAGS(lmp) & FLG_RT_DELETE)
666 			continue;
667 
668 		/*
669 		 * As this object can't be deleted, make sure its dependencies
670 		 * aren't deleted either.
671 		 */
672 		for (ALIST_TRAVERSE(DEPENDS(lmp), off2, bdpp)) {
673 			Rt_map *	dlmp = (*bdpp)->b_depend;
674 
675 			if (FLAGS(dlmp) & FLG_RT_DELETE) {
676 				FLAGS(dlmp) &= ~FLG_RT_DELETE;
677 				if (--(*delcnt) == 0)
678 					return (0);
679 				rescan = 1;
680 			}
681 		}
682 
683 		/*
684 		 * If this object is a filtee and one of its filters is outside
685 		 * of this dlclose family, then it can't be deleted either.
686 		 */
687 		if ((FLAGS1(lmp) & MSK_RT_FILTER) == 0)
688 			continue;
689 
690 		dip = DYNINFO(lmp);
691 		max = DYNINFOCNT(lmp);
692 
693 		for (cnt = 0; cnt < max; cnt++, dip++) {
694 			Pnode *	pnp;
695 
696 			if ((dip->di_info == 0) ||
697 			    ((dip->di_flags & MSK_DI_FILTER) == 0))
698 				continue;
699 
700 			for (pnp = (Pnode *)dip->di_info; pnp;
701 			    pnp = pnp->p_next) {
702 				Grp_hdl *	ghp;
703 				Grp_desc *	gdp;
704 
705 				if ((pnp->p_len == 0) ||
706 				    ((ghp = (Grp_hdl *)pnp->p_info) == 0))
707 					continue;
708 
709 				if (alist_test(&ghalp, ghp,
710 				    sizeof (Grp_hdl *), 0) == ALE_EXISTS)
711 					continue;
712 
713 				for (ALIST_TRAVERSE(ghp->gh_depends, off2,
714 				    gdp)) {
715 					Rt_map *	dlmp = gdp->gd_depend;
716 
717 					if (FLAGS(dlmp) & FLG_RT_DELETE) {
718 						FLAGS(dlmp) &= ~FLG_RT_DELETE;
719 						if (--(*delcnt) == 0)
720 							return (0);
721 						rescan = 1;
722 					}
723 				}
724 
725 				/*
726 				 * Remove this group handle from our dynamic
727 				 * deletion list.
728 				 */
729 				(void) alist_delete(ghalp, &ghp, 0);
730 			}
731 		}
732 	}
733 	return (rescan);
734 }
735 
736 /*
737  * Cleanup any collection alists we've created.
738  */
739 static void
740 remove_collect(Alist * ghalp, Alist * lmalp)
741 {
742 	if (ghalp)
743 		free(ghalp);
744 	if (lmalp)
745 		free(lmalp);
746 }
747 
748 /*
749  * Remove a handle, leaving the associated objects intact.  Besides the classic
750  * dlopen() usage, handles are used as a means of associating a group of objects
751  * and promoting modes.  Once object promotion is completed, the handle should
752  * be discarded while leaving the associated objects intact.  Leaving the handle
753  * would prevent the object from being deleted (as it looks like it's in use
754  * by another user).
755  */
756 void
757 free_hdl(Grp_hdl *ghp)
758 {
759 	if (--(ghp->gh_refcnt) == 0) {
760 		Grp_desc	*gdp;
761 		uintptr_t	ndx;
762 		Aliste		off;
763 
764 		for (ALIST_TRAVERSE(ghp->gh_depends, off, gdp)) {
765 			Rt_map	*lmp = gdp->gd_depend;
766 
767 			if (ghp->gh_owner == lmp)
768 				(void) alist_delete(HANDLES(lmp), &ghp, 0);
769 			(void) alist_delete(GROUPS(lmp), &ghp, 0);
770 		}
771 		(void) free(ghp->gh_depends);
772 
773 		/* LINTED */
774 		ndx = (uintptr_t)ghp % HDLIST_SZ;
775 		list_delete(&hdl_list[ndx], ghp);
776 
777 		(void) free(ghp);
778 	}
779 }
780 
781 /*
782  * Remove a caller from a group handle.  This breaks the bond between a caller
783  * and a hierarchy of dependencies represented by a handle, thus the caller
784  * doesn't lock the hierarchy and prevent their deletion should their processing
785  * fail to complete.  If the handle count drops to zero, the handle is marked
786  * as sticky to prevent it's removal, or to confuse orphan handle processing.
787  * The caller may establish a binding to this handle again, once the hierarchy
788  * processing has completed, thus retaining the handle saves having to recreate
789  * it over and over again.
790  */
791 void
792 remove_caller(Grp_hdl *ghp, Rt_map *clmp)
793 {
794 	Grp_desc	*gdp;
795 	Aliste		off;
796 
797 	if (--(ghp->gh_refcnt) == 0)
798 		ghp->gh_flags |= GPH_STICKY;
799 
800 	for (ALIST_TRAVERSE(ghp->gh_depends, off, gdp)) {
801 		Rt_map	*lmp = gdp->gd_depend;
802 
803 		if (lmp == clmp) {
804 			(void) alist_delete(GROUPS(lmp), &ghp, 0);
805 			(void) alist_delete(ghp->gh_depends, 0, &off);
806 			break;
807 		}
808 	}
809 }
810 
811 /*
812  * Remove the objects associated with a handle.  There are two goals here, to
813  * delete the objects associated with the handle, and to remove the handle
814  * itself.  Things get a little more complex if the objects selected for
815  * deletion are filters, in this case we also need to collect their filtees,
816  * and process the combined groups as a whole.  But, care still must be exer-
817  * cised to make sure any filtees found aren't being used by filters outside of
818  * the groups we've collect.  The series of events is basically:
819  *
820  *  o	Determine the groups (handles) that might be deletable.
821  *
822  *  o	Determine the objects of these handles that can be deleted.
823  *
824  *  o	Fire the fini's of those objects selected for deletion.
825  *
826  *  o	Remove all inter-dependency linked lists while the objects link-maps
827  *	are still available.
828  *
829  *  o	Remove all deletable objects link-maps and unmap the objects themselves.
830  *
831  *  o	Remove the handle descriptors for each deleted object, and hopefully
832  *	the whole handle.
833  *
834  * An handle that can't be deleted is added to an orphans list.  This list is
835  * revisited any time another dlclose() request results in handle descriptors
836  * being deleted.  These deleted descriptors can be sufficient to allow the
837  * final deletion of the orphaned handles.
838  */
839 int
840 remove_hdl(Grp_hdl * ghp, Rt_map * clmp, int *removed)
841 {
842 	Rt_map *	lmp, ** lmpp;
843 	int		rescan = 0;
844 	int		delcnt = 0, rmcnt = 0, error = 0, orphans;
845 	Alist *		lmalp = 0, * ghalp = 0;
846 	Aliste		off1, off2;
847 	Grp_hdl **	ghpp;
848 	Grp_desc *	gdp;
849 	Lm_list *	lml = 0;
850 
851 	/*
852 	 * Generate the family of groups and objects that are candidates for
853 	 * deletion.  This consists of the objects that are explicitly defined
854 	 * as dependencies of this handle, plus any filtee handles and their
855 	 * associated objects.
856 	 */
857 	if (gdp_collect(&ghalp, &lmalp, ghp) == 0) {
858 		remove_collect(ghalp, lmalp);
859 		return (0);
860 	}
861 
862 	DBG_CALL(Dbg_file_hdl_title(DBG_DEP_DELETE));
863 
864 	/*
865 	 * Traverse the groups we've collected to determine if any filtees are
866 	 * included.  If so, and the filtee handle is in use by a filter outside
867 	 * of the family of objects collected for this deletion, it can not be
868 	 * removed.
869 	 */
870 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
871 		Grp_hdl *	ghp = *ghpp;
872 
873 		DBG_CALL(Dbg_file_hdl_collect(ghp, 0));
874 
875 		if ((ghp->gh_flags & GPH_FILTEE) == 0)
876 			continue;
877 
878 		/*
879 		 * Special case for ld.so.1.  There can be multiple instances of
880 		 * libdl.so.1 using this handle, so although we want the handles
881 		 * reference count to be decremented, we don't want the handle
882 		 * removed.
883 		 */
884 		if (ghp->gh_flags & GPH_LDSO) {
885 			DBG_CALL(Dbg_file_hdl_collect(ghp,
886 			    NAME(lml_rtld.lm_head)));
887 			(void) alist_delete(ghalp, 0, &off1);
888 			continue;
889 		}
890 
891 		for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
892 			Grp_hdl **	ghpp3;
893 			Aliste		off3;
894 
895 			/*
896 			 * Determine whether this dependency is the filtee's
897 			 * parent filter, and that it isn't also an explicit
898 			 * dependency (in which case it would have added its own
899 			 * dependencies to the handle).
900 			 */
901 			if ((gdp->gd_flags &
902 			    (GPD_FILTER | GPD_ADDEPS)) != GPD_FILTER)
903 				continue;
904 
905 			if (alist_test(&lmalp, gdp->gd_depend,
906 			    sizeof (Rt_map *), 0) == ALE_EXISTS)
907 				continue;
908 
909 			/*
910 			 * Remove this group handle from our dynamic deletion
911 			 * list.  In addition, recompute the list of objects
912 			 * that are candidates for deletion to continue this
913 			 * group verification.
914 			 */
915 			DBG_CALL(Dbg_file_hdl_collect(ghp,
916 			    NAME(gdp->gd_depend)));
917 			(void) alist_delete(ghalp, 0, &off1);
918 
919 			free(lmalp);
920 			lmalp = 0;
921 			for (ALIST_TRAVERSE(ghalp, off3, ghpp3)) {
922 				Aliste		off4;
923 				Grp_desc *	gdp4;
924 
925 				for (ALIST_TRAVERSE((*ghpp3)->gh_depends,
926 				    off4, gdp4))  {
927 					if ((gdp4->gd_flags & GPD_ADDEPS) == 0)
928 						continue;
929 					if (alist_test(&lmalp, gdp4->gd_depend,
930 					    sizeof (Rt_map *),
931 					    AL_CNT_GRPCLCT) == 0) {
932 						remove_collect(ghalp, lmalp);
933 						return (0);
934 					}
935 				}
936 			}
937 			break;
938 		}
939 	}
940 
941 	/*
942 	 * Now that we've collected all the handles dependencies, traverse the
943 	 * collection determining whether they are a candidate for deletion.
944 	 */
945 	for (ALIST_TRAVERSE(lmalp, off1, lmpp)) {
946 		lmp = *lmpp;
947 
948 		/*
949 		 * Establish which link-map list we're dealing with for later
950 		 * .fini processing.
951 		 */
952 		if (lml == 0)
953 			lml = LIST(lmp);
954 
955 		/*
956 		 * If an object isn't a candidate for deletion we'll have to
957 		 * rescan the handle insuring that this objects dependencies
958 		 * aren't deleted either.
959 		 */
960 		if (is_deletable(&lmalp, &ghalp, lmp)) {
961 			FLAGS(lmp) |= FLG_RT_DELETE;
962 			delcnt++;
963 		} else
964 			rescan = 1;
965 	}
966 
967 	/*
968 	 * Rescan the handle if any objects where found non-deletable.
969 	 */
970 	while (rescan)
971 		rescan = remove_rescan(lmalp, ghalp, &delcnt);
972 
973 	/*
974 	 * Now that we have determined the number of groups that are candidates
975 	 * for removal, mark each group descriptor as a candidate for removal
976 	 * from the group.
977 	 */
978 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
979 		for (ALIST_TRAVERSE((*ghpp)->gh_depends, off2, gdp))
980 			gdp->gd_flags |= GPD_REMOVE;
981 	}
982 
983 	/*
984 	 * Now that we know which objects on this handle can't be deleted
985 	 * determine whether they still need to remain identified as belonging
986 	 * to this group to be able to continue binding to one another.
987 	 */
988 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
989 		Grp_hdl *	ghp = *ghpp;
990 
991 		for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
992 			Aliste		off3;
993 			Bnd_desc **	bdpp;
994 
995 			lmp = gdp->gd_depend;
996 
997 			if (FLAGS(lmp) & FLG_RT_DELETE)
998 				continue;
999 
1000 			for (ALIST_TRAVERSE(DEPENDS(lmp), off3, bdpp)) {
1001 				Aliste 		off4;
1002 				Grp_desc *	gdp4;
1003 				Rt_map *	dlmp = (*bdpp)->b_depend;
1004 
1005 				/*
1006 				 * If this dependency (dlmp) can be referenced
1007 				 * by the caller (clmp) without being part of
1008 				 * this group (ghp) then belonging to this group
1009 				 * is no longer necessary.  This can occur when
1010 				 * objects are part of multiple handles, or if a
1011 				 * previously deleted handle was moved to the
1012 				 * orphan list and has been reopened.  Note,
1013 				 * first make sure the caller can reference the
1014 				 * dependency with this group, if it can't we
1015 				 * must be bound to a filtee, so there's no need
1016 				 * to remain a part of this group either.
1017 				 */
1018 				if ((callable(lmp, dlmp, 0) == 0) ||
1019 				    callable(lmp, dlmp, ghp))
1020 					continue;
1021 
1022 				if (gdp->gd_flags & GPD_REMOVE)
1023 					gdp->gd_flags &= ~GPD_REMOVE;
1024 
1025 				for (ALIST_TRAVERSE(ghp->gh_depends,
1026 				    off4, gdp4)) {
1027 					if (gdp4->gd_depend != dlmp)
1028 						continue;
1029 
1030 					if (gdp4->gd_flags & GPD_REMOVE)
1031 						gdp4->gd_flags &= ~GPD_REMOVE;
1032 				}
1033 			}
1034 		}
1035 	}
1036 
1037 	/*
1038 	 * If the owner of a handle can't be deleted and it's handle descriptor
1039 	 * must remain also, don't delete the handle at all.  Leave it for
1040 	 * possible later use.  Although it's left intact, it will still be
1041 	 * moved to the orphans list, as we might be able to revisit it on later
1042 	 * dlclose() operations and finally remove the underlying objects.  Note
1043 	 * that the handle still remains attached to the owner via the HANDLES
1044 	 * list, so that it can be re-associated to the owner if a dlopen()
1045 	 * of this object reoccurs.
1046 	 */
1047 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
1048 		Grp_hdl *	ghp = *ghpp;
1049 
1050 		/*
1051 		 * If this handle is already an orphan, or if it's owner is
1052 		 * deletable there's no need to inspect its dependencies.
1053 		 */
1054 		if ((ghp->gh_owner == 0) ||
1055 		    (FLAGS(ghp->gh_owner) & FLG_RT_DELETE))
1056 			continue;
1057 
1058 		/*
1059 		 * Make sure all handle dependencies aren't removed or the
1060 		 * dependencies themselves aren't deleted.
1061 		 */
1062 		for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
1063 			lmp = gdp->gd_depend;
1064 
1065 			/*
1066 			 * The first dependency of a non-orphaned handle is the
1067 			 * owner.  If the handle descriptor for this isn't
1068 			 * required there's no need to look at any other of the
1069 			 * handles dependencies.
1070 			 */
1071 			if ((lmp == ghp->gh_owner) &&
1072 			    (gdp->gd_flags & GPD_REMOVE))
1073 				break;
1074 
1075 			if (gdp->gd_flags & GPD_REMOVE)
1076 				gdp->gd_flags &= ~GPD_REMOVE;
1077 			if (FLAGS(lmp) & FLG_RT_DELETE) {
1078 				FLAGS(lmp) &= ~FLG_RT_DELETE;
1079 				delcnt--;
1080 			}
1081 		}
1082 	}
1083 
1084 	/*
1085 	 * Final scan of objects to see if any objects are to to be deleted.
1086 	 * Also - display diagnostic information on what operations are to be
1087 	 * performed on the collected handles before firing .fini's (which
1088 	 * produces additional diagnostics).
1089 	 */
1090 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
1091 		Grp_hdl *	ghp = *ghpp;
1092 
1093 		DBG_CALL(Dbg_file_hdl_title(DBG_DEP_DELETE));
1094 
1095 		for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
1096 			int	flag;
1097 
1098 			lmp = gdp->gd_depend;
1099 
1100 			if (FLAGS(lmp) & FLG_RT_DELETE) {
1101 				flag = DBG_DEP_DELETE;
1102 				/*
1103 				 * Remove any pathnames from the FullpathNode
1104 				 * AVL tree.  As we're about to fire .fini's,
1105 				 * it's possible this object will be required
1106 				 * again, in which case we want to make sure a
1107 				 * new version of the object gets loaded.
1108 				 */
1109 				if (FPNODE(lmp))
1110 					fpavl_remove(lmp);
1111 			} else if (gdp->gd_flags & GPD_REMOVE)
1112 				flag = DBG_DEP_REMOVE;
1113 			else
1114 				flag = DBG_DEP_REMAIN;
1115 
1116 			DBG_CALL(Dbg_file_hdl_action(ghp, lmp, flag));
1117 		}
1118 	}
1119 
1120 	/*
1121 	 * If there are objects to be deleted process their .fini's.
1122 	 */
1123 	if (delcnt) {
1124 		Rt_map **	tobj;
1125 
1126 		/*
1127 		 * If we're being audited tell the audit library that we're
1128 		 * about to go deleting dependencies.
1129 		 */
1130 		if (clmp && ((LIST(clmp)->lm_tflags | FLAGS1(clmp)) &
1131 		    LML_TFLG_AUD_ACTIVITY))
1132 			audit_activity(clmp, LA_ACT_DELETE);
1133 
1134 		/*
1135 		 * Sort and fire all fini's of the objects selected for
1136 		 * deletion.  Note that we have to start our search from the
1137 		 * link-map head - there's no telling whether this object has
1138 		 * dependencies on objects that were loaded before it and which
1139 		 * can now be deleted.  If the tsort() fails because of an
1140 		 * allocation error then that might just be a symptom of why
1141 		 * we're here in the first place - forgo the fini's but
1142 		 * continue to try cleaning up.
1143 		 */
1144 		lml->lm_flags |= LML_FLG_OBJDELETED;
1145 
1146 		if (((tobj = tsort(lml->lm_head, delcnt,
1147 		    (RT_SORT_DELETE | RT_SORT_FWD))) != 0) &&
1148 		    (tobj != (Rt_map **)S_ERROR)) {
1149 			error = purge_exit_handlers(lml, tobj);
1150 			call_fini(lml, tobj);
1151 		}
1152 
1153 		/*
1154 		 * Audit the closure of the dlopen'ed object to any local
1155 		 * auditors.  Any global auditors would have been caught by
1156 		 * call_fini(), but as the link-maps CALLERS was removed
1157 		 * already we do the local auditors explicitly.
1158 		 */
1159 		for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
1160 			Grp_hdl *	ghp = *ghpp;
1161 			Rt_map *	dlmp = ghp->gh_owner;
1162 
1163 			if (clmp && dlmp &&
1164 			    ((LIST(dlmp)->lm_flags & LML_FLG_NOAUDIT) == 0) &&
1165 			    (FLAGS1(clmp) & LML_TFLG_AUD_OBJCLOSE))
1166 				_audit_objclose(&(AUDITORS(clmp)->ad_list),
1167 				    dlmp);
1168 		}
1169 	}
1170 
1171 	/*
1172 	 * Now that .fini processing (which may have involved new bindings)
1173 	 * is complete, remove all inter-dependency lists from those objects
1174 	 * selected for deletion.
1175 	 */
1176 	for (ALIST_TRAVERSE(lmalp, off1, lmpp)) {
1177 		Dyninfo *	dip;
1178 		uint_t		cnt, max;
1179 
1180 		lmp = *lmpp;
1181 
1182 		if (FLAGS(lmp) & FLG_RT_DELETE)
1183 			remove_lists(lmp, 0);
1184 
1185 		/*
1186 		 * Determine whether we're dealing with a filter, and if so
1187 		 * process any inter-dependencies with its filtee's.
1188 		 */
1189 		if ((FLAGS1(lmp) & MSK_RT_FILTER) == 0)
1190 			continue;
1191 
1192 		dip = DYNINFO(lmp);
1193 		max = DYNINFOCNT(lmp);
1194 
1195 		for (cnt = 0; cnt < max; cnt++, dip++) {
1196 			Pnode *	pnp;
1197 
1198 			if ((dip->di_info == 0) ||
1199 			    ((dip->di_flags & MSK_DI_FILTER) == 0))
1200 				continue;
1201 
1202 			for (pnp = (Pnode *)dip->di_info; pnp;
1203 			    pnp = pnp->p_next) {
1204 				Grp_hdl *	ghp;
1205 
1206 				if ((pnp->p_len == 0) ||
1207 				    ((ghp = (Grp_hdl *)pnp->p_info) == 0))
1208 					continue;
1209 
1210 				/*
1211 				 * Determine whether this filtee's handle is a
1212 				 * part of the list of handles being deleted.
1213 				 */
1214 				if (alist_test(&ghalp, ghp,
1215 				    sizeof (Grp_hdl *), 0) == ALE_EXISTS) {
1216 					/*
1217 					 * If this handle exists on the deletion
1218 					 * list, then it has been removed.  If
1219 					 * this filter isn't going to be
1220 					 * deleted, server its reference to the
1221 					 * handle.
1222 					 */
1223 					pnp->p_info = 0;
1224 				} else {
1225 					/*
1226 					 * If this handle isn't on the deletion
1227 					 * list, then it must still exist.  If
1228 					 * this filter is being deleted, make
1229 					 * sure the filtees reference count
1230 					 * gets decremented.
1231 					 */
1232 					if (FLAGS(lmp) & FLG_RT_DELETE)
1233 					    (void) dlclose_core(ghp, lmp);
1234 				}
1235 			}
1236 		}
1237 	}
1238 
1239 	/*
1240 	 * If called from dlclose(), determine if there are already handles on
1241 	 * the orphans list that we can reinvestigate.
1242 	 */
1243 	if ((removed == 0) && hdl_list[HDLIST_ORP].head)
1244 		orphans = 1;
1245 	else
1246 		orphans = 0;
1247 
1248 	/*
1249 	 * Finally remove any handle infrastructure and remove any objects
1250 	 * marked for deletion.
1251 	 */
1252 	for (ALIST_TRAVERSE(ghalp, off1, ghpp)) {
1253 		Grp_hdl *	ghp = *ghpp;
1254 
1255 		/*
1256 		 * If we're not dealing with orphaned handles remove this handle
1257 		 * from its present handle list.
1258 		 */
1259 		if (removed == 0) {
1260 			uintptr_t ndx;
1261 
1262 			/* LINTED */
1263 			ndx = (uintptr_t)ghp % HDLIST_SZ;
1264 			list_delete(&hdl_list[ndx], ghp);
1265 		}
1266 
1267 		/*
1268 		 * Traverse each handle dependency.
1269 		 */
1270 		for (ALIST_TRAVERSE(ghp->gh_depends, off2, gdp)) {
1271 			if ((gdp->gd_flags & GPD_REMOVE) == 0)
1272 				continue;
1273 
1274 			lmp = gdp->gd_depend;
1275 			rmcnt++;
1276 
1277 			/*
1278 			 * If this object is the owner of the handle break that
1279 			 * association in case the handle is retained.
1280 			 */
1281 			if (ghp->gh_owner == lmp) {
1282 				(void) alist_delete(HANDLES(lmp), &ghp, 0);
1283 				ghp->gh_owner = 0;
1284 			}
1285 
1286 			(void) alist_delete(GROUPS(lmp), &ghp, 0);
1287 			(void) alist_delete(ghp->gh_depends, 0, &off2);
1288 
1289 			/*
1290 			 * Complete the link-map deletion if appropriate.
1291 			 */
1292 			if (FLAGS(lmp) & FLG_RT_DELETE) {
1293 				tls_modactivity(lmp, TM_FLG_MODREM);
1294 				remove_so(LIST(lmp), lmp);
1295 			}
1296 		}
1297 
1298 		/*
1299 		 * If we've deleted all the dependencies of the handle finalize
1300 		 * the cleanup by removing the handle itself.
1301 		 *
1302 		 * Otherwise we're left with a handle containing one or more
1303 		 * objects that can not be deleted (they're in use by other
1304 		 * handles, non-deletable, etc.), but require to remain a part
1305 		 * of this group to allow them to continue binding to one
1306 		 * another.  Should any other dlclose() operation occur that
1307 		 * results in the removal of handle descriptors, these orphan
1308 		 * handles are re-examined to determine if their deletion can be
1309 		 * completed.
1310 		 */
1311 		if (ghp->gh_depends->al_data[0] == 0) {
1312 			remove_lml(lml);
1313 			free(ghp->gh_depends);
1314 			free(ghp);
1315 		} else if (removed == 0) {
1316 			/*
1317 			 * Move this handle to the orphans list (if it isn't
1318 			 * already there).
1319 			 */
1320 			(void) list_append(&hdl_list[HDLIST_ORP], ghp);
1321 
1322 			if (dbg_mask) {
1323 				DBG_CALL(Dbg_file_hdl_title(DBG_DEP_ORPHAN));
1324 				for (ALIST_TRAVERSE(ghp->gh_depends, off1, gdp))
1325 					DBG_CALL(Dbg_file_hdl_action(ghp,
1326 					    gdp->gd_depend, DBG_DEP_REMAIN));
1327 			}
1328 		}
1329 	}
1330 
1331 	/*
1332 	 * If no handle descriptors got removed there's no point in looking for
1333 	 * orphans to process.
1334 	 */
1335 	if (rmcnt == 0)
1336 		orphans = 0;
1337 
1338 	/*
1339 	 * Cleanup any alists we've created.
1340 	 */
1341 	remove_collect(ghalp, lmalp);
1342 
1343 	/*
1344 	 * If orphan processing isn't required we're done.  If our processing
1345 	 * originated from investigating orphans, return the number of handle
1346 	 * descriptors removed as an indication whether orphan processing
1347 	 * should continue.
1348 	 */
1349 	if (orphans == 0) {
1350 		if (removed)
1351 			*removed = rmcnt;
1352 		return (error);
1353 	}
1354 
1355 	/*
1356 	 * Traverse the orphans list as many times as necessary until no
1357 	 * handle removals occur.
1358 	 */
1359 	do {
1360 		List		list;
1361 		Listnode *	lnp;
1362 		Grp_hdl *	ghp, * oghp = 0;
1363 
1364 		DBG_CALL(Dbg_file_del_rescan());
1365 
1366 		/*
1367 		 * Effectively clean the HDLIST_ORP list.  Any object that can't
1368 		 * be removed will be re-added to the list.
1369 		 */
1370 		list = hdl_list[HDLIST_ORP];
1371 		hdl_list[HDLIST_ORP].head = hdl_list[HDLIST_ORP].tail = 0;
1372 
1373 		rescan = 0;
1374 		for (LIST_TRAVERSE(&list, lnp, ghp)) {
1375 			int	_error, _remove;
1376 
1377 			if (oghp) {
1378 				list_delete(&list, oghp);
1379 				oghp = 0;
1380 			}
1381 
1382 			if (((_error = remove_hdl(ghp, clmp, &_remove)) != 0) &&
1383 			    (error == 0))
1384 				error = _error;
1385 
1386 			if (_remove)
1387 				rescan++;
1388 
1389 			oghp = ghp;
1390 		}
1391 		if (oghp) {
1392 			list_delete(&list, oghp);
1393 			oghp = 0;
1394 		}
1395 
1396 	} while (rescan && hdl_list[HDLIST_ORP].head);
1397 
1398 	return (error);
1399 }
1400