xref: /titanic_52/usr/src/uts/common/syscall/sem.c (revision 89b43686db1fe9681d80a7cf5662730cb9378cae)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
27 /*	  All Rights Reserved  	*/
28 
29 /*
30  * Inter-Process Communication Semaphore Facility.
31  *
32  * See os/ipc.c for a description of common IPC functionality.
33  *
34  * Resource controls
35  * -----------------
36  *
37  * Control:      zone.max-sem-ids (rc_zone_semmni)
38  * Description:  Maximum number of semaphore ids allowed a zone.
39  *
40  *   When semget() is used to allocate a semaphore set, one id is
41  *   allocated.  If the id allocation doesn't succeed, semget() fails
42  *   and errno is set to ENOSPC.  Upon successful semctl(, IPC_RMID)
43  *   the id is deallocated.
44  *
45  * Control:      project.max-sem-ids (rc_project_semmni)
46  * Description:  Maximum number of semaphore ids allowed a project.
47  *
48  *   When semget() is used to allocate a semaphore set, one id is
49  *   allocated.  If the id allocation doesn't succeed, semget() fails
50  *   and errno is set to ENOSPC.  Upon successful semctl(, IPC_RMID)
51  *   the id is deallocated.
52  *
53  * Control:      process.max-sem-nsems (rc_process_semmsl)
54  * Description:  Maximum number of semaphores allowed per semaphore set.
55  *
56  *   When semget() is used to allocate a semaphore set, the size of the
57  *   set is compared with this limit.  If the number of semaphores
58  *   exceeds the limit, semget() fails and errno is set to EINVAL.
59  *
60  * Control:      process.max-sem-ops (rc_process_semopm)
61  * Description:  Maximum number of semaphore operations allowed per
62  *               semop call.
63  *
64  *   When semget() successfully allocates a semaphore set, the minimum
65  *   enforced value of this limit is used to initialize the
66  *   "system-imposed maximum" number of operations a semop() call for
67  *   this set can perform.
68  *
69  * Undo structures
70  * ---------------
71  *
72  * Removing the undo structure tunables involved a serious redesign of
73  * how they were implemented.  There is now one undo structure for
74  * every process/semaphore array combination (lazily allocated, of
75  * course), and each is equal in size to the semaphore it corresponds
76  * to.  To avoid scalability and performance problems, the undo
77  * structures are stored in two places: a per-process AVL tree sorted
78  * by ksemid pointer (p_semacct, protected by p_lock) and an unsorted
79  * per-semaphore linked list (sem_undos, protected by the semaphore's
80  * ID lock).  The former is used by semop, where a lookup is performed
81  * once and cached if SEM_UNDO is specified for any of the operations,
82  * and at process exit where the undoable operations are rolled back.
83  * The latter is used when removing the semaphore, so the undo
84  * structures can be removed from the appropriate processes' trees.
85  *
86  * The undo structure itself contains pointers to the ksemid and proc
87  * to which it corresponds, a list node, an AVL node, and an array of
88  * adjust-on-exit (AOE) values.  When an undo structure is allocated it
89  * is immediately added to both the process's tree and the semaphore's
90  * list.  Lastly, the reference count on the semaphore is increased.
91  *
92  * Avoiding a lock ordering violation between p_lock and the ID lock,
93  * wont to occur when there is a race between a process exiting and the
94  * removal of a semaphore, mandates the delicate dance that exists
95  * between semexit and sem_rmid.
96  *
97  * sem_rmid, holding the ID lock, iterates through all undo structures
98  * and for each takes the appropriate process's p_lock and checks to
99  * see if p_semacct is NULL.  If it is, it skips that undo structure
100  * and continues to the next.  Otherwise, it removes the undo structure
101  * from both the AVL tree and the semaphore's list, and releases the
102  * hold that the undo structure had on the semaphore.
103  *
104  * The important other half of this is semexit, which will immediately
105  * take p_lock, obtain the AVL pointer, clear p_semacct, and drop
106  * p_lock.  From this point on it is semexit's responsibility to clean
107  * up all undo structures found in the tree -- a coexecuting sem_rmid
108  * will see the NULL p_semacct and skip that undo structure.  It walks
109  * the AVL tree (using avl_destroy_nodes) and for each undo structure
110  * takes the appropriate semaphore's ID lock (always legal since the
111  * undo structure has a hold on the semaphore), updates all semaphores
112  * with non-zero AOE values, and removes the structure from the
113  * semaphore's list.  It then drops the structure's reference on the
114  * semaphore, drops the ID lock, and frees the undo structure.
115  */
116 
117 #include <sys/types.h>
118 #include <sys/t_lock.h>
119 #include <sys/param.h>
120 #include <sys/systm.h>
121 #include <sys/sysmacros.h>
122 #include <sys/cred.h>
123 #include <sys/vmem.h>
124 #include <sys/kmem.h>
125 #include <sys/errno.h>
126 #include <sys/time.h>
127 #include <sys/ipc.h>
128 #include <sys/ipc_impl.h>
129 #include <sys/sem.h>
130 #include <sys/sem_impl.h>
131 #include <sys/user.h>
132 #include <sys/proc.h>
133 #include <sys/cpuvar.h>
134 #include <sys/debug.h>
135 #include <sys/var.h>
136 #include <sys/cmn_err.h>
137 #include <sys/modctl.h>
138 #include <sys/syscall.h>
139 #include <sys/avl.h>
140 #include <sys/list.h>
141 #include <sys/zone.h>
142 
143 #include <c2/audit.h>
144 
145 extern rctl_hndl_t rc_zone_semmni;
146 extern rctl_hndl_t rc_project_semmni;
147 extern rctl_hndl_t rc_process_semmsl;
148 extern rctl_hndl_t rc_process_semopm;
149 static ipc_service_t *sem_svc;
150 static zone_key_t sem_zone_key;
151 
152 /*
153  * The following tunables are obsolete.  Though for compatibility we
154  * still read and interpret seminfo_semmsl, seminfo_semopm and
155  * seminfo_semmni (see os/project.c and os/rctl_proc.c), the preferred
156  * mechanism for administrating the IPC Semaphore facility is through
157  * the resource controls described at the top of this file.
158  */
159 int seminfo_semaem = 16384;	/* (obsolete) */
160 int seminfo_semmap = 10;	/* (obsolete) */
161 int seminfo_semmni = 10;	/* (obsolete) */
162 int seminfo_semmns = 60;	/* (obsolete) */
163 int seminfo_semmnu = 30;	/* (obsolete) */
164 int seminfo_semmsl = 25;	/* (obsolete) */
165 int seminfo_semopm = 10;	/* (obsolete) */
166 int seminfo_semume = 10;	/* (obsolete) */
167 int seminfo_semusz = 96;	/* (obsolete) */
168 int seminfo_semvmx = 32767;	/* (obsolete) */
169 
170 #define	SEM_MAXUCOPS	4096	/* max # of unchecked ops per semop call */
171 #define	SEM_UNDOSZ(n)	(sizeof (struct sem_undo) + (n - 1) * sizeof (int))
172 
173 static int semsys(int opcode, uintptr_t a0, uintptr_t a1,
174     uintptr_t a2, uintptr_t a3);
175 static void sem_dtor(kipc_perm_t *);
176 static void sem_rmid(kipc_perm_t *);
177 static void sem_remove_zone(zoneid_t, void *);
178 
179 static struct sysent ipcsem_sysent = {
180 	5,
181 	SE_NOUNLOAD | SE_ARGC | SE_32RVAL1,
182 	semsys
183 };
184 
185 /*
186  * Module linkage information for the kernel.
187  */
188 static struct modlsys modlsys = {
189 	&mod_syscallops, "System V semaphore facility", &ipcsem_sysent
190 };
191 
192 #ifdef _SYSCALL32_IMPL
193 static struct modlsys modlsys32 = {
194 	&mod_syscallops32, "32-bit System V semaphore facility", &ipcsem_sysent
195 };
196 #endif
197 
198 static struct modlinkage modlinkage = {
199 	MODREV_1,
200 	&modlsys,
201 #ifdef _SYSCALL32_IMPL
202 	&modlsys32,
203 #endif
204 	NULL
205 };
206 
207 
208 int
209 _init(void)
210 {
211 	int result;
212 
213 	sem_svc = ipcs_create("semids", rc_project_semmni, rc_zone_semmni,
214 	    sizeof (ksemid_t), sem_dtor, sem_rmid, AT_IPC_SEM,
215 	    offsetof(ipc_rqty_t, ipcq_semmni));
216 	zone_key_create(&sem_zone_key, NULL, sem_remove_zone, NULL);
217 
218 	if ((result = mod_install(&modlinkage)) == 0)
219 		return (0);
220 
221 	(void) zone_key_delete(sem_zone_key);
222 	ipcs_destroy(sem_svc);
223 
224 	return (result);
225 }
226 
227 int
228 _fini(void)
229 {
230 	return (EBUSY);
231 }
232 
233 int
234 _info(struct modinfo *modinfop)
235 {
236 	return (mod_info(&modlinkage, modinfop));
237 }
238 
239 static void
240 sem_dtor(kipc_perm_t *perm)
241 {
242 	ksemid_t *sp = (ksemid_t *)perm;
243 
244 	kmem_free(sp->sem_base,
245 	    P2ROUNDUP(sp->sem_nsems * sizeof (struct sem), 64));
246 	list_destroy(&sp->sem_undos);
247 }
248 
249 /*
250  * sem_undo_add - Create or update adjust on exit entry.
251  */
252 static int
253 sem_undo_add(short val, ushort_t num, struct sem_undo *undo)
254 {
255 	int newval = undo->un_aoe[num] - val;
256 
257 	if (newval > USHRT_MAX || newval < -USHRT_MAX)
258 		return (ERANGE);
259 	undo->un_aoe[num] = newval;
260 
261 	return (0);
262 }
263 
264 /*
265  * sem_undo_clear - clears all undo entries for specified semaphores
266  *
267  * Used when semaphores are reset by SETVAL or SETALL.
268  */
269 static void
270 sem_undo_clear(ksemid_t *sp, ushort_t low, ushort_t high)
271 {
272 	struct sem_undo *undo;
273 	int i;
274 
275 	ASSERT(low <= high);
276 	ASSERT(high < sp->sem_nsems);
277 
278 	for (undo = list_head(&sp->sem_undos); undo;
279 	    undo = list_next(&sp->sem_undos, undo))
280 		for (i = low; i <= high; i++)
281 			undo->un_aoe[i] = 0;
282 }
283 
284 /*
285  * sem_rollback - roll back work done so far if unable to complete operation
286  */
287 static void
288 sem_rollback(ksemid_t *sp, struct sembuf *op, int n, struct sem_undo *undo)
289 {
290 	struct sem *semp;	/* semaphore ptr */
291 
292 	for (op += n - 1; n--; op--) {
293 		if (op->sem_op == 0)
294 			continue;
295 		semp = &sp->sem_base[op->sem_num];
296 		semp->semval -= op->sem_op;
297 		if (op->sem_flg & SEM_UNDO) {
298 			ASSERT(undo != NULL);
299 			(void) sem_undo_add(-op->sem_op, op->sem_num, undo);
300 		}
301 	}
302 }
303 
304 static void
305 sem_rmid(kipc_perm_t *perm)
306 {
307 	ksemid_t *sp = (ksemid_t *)perm;
308 	struct sem *semp;
309 	struct sem_undo *undo;
310 	size_t size = SEM_UNDOSZ(sp->sem_nsems);
311 	int i;
312 
313 	/*LINTED*/
314 	while (undo = list_head(&sp->sem_undos)) {
315 		list_remove(&sp->sem_undos, undo);
316 		mutex_enter(&undo->un_proc->p_lock);
317 		if (undo->un_proc->p_semacct == NULL) {
318 			mutex_exit(&undo->un_proc->p_lock);
319 			continue;
320 		}
321 		avl_remove(undo->un_proc->p_semacct, undo);
322 		mutex_exit(&undo->un_proc->p_lock);
323 		kmem_free(undo, size);
324 		ipc_rele_locked(sem_svc, (kipc_perm_t *)sp);
325 	}
326 
327 	for (i = 0; i < sp->sem_nsems; i++) {
328 		semp = &sp->sem_base[i];
329 		semp->semval = semp->sempid = 0;
330 		if (semp->semncnt) {
331 			cv_broadcast(&semp->semncnt_cv);
332 			semp->semncnt = 0;
333 		}
334 		if (semp->semzcnt) {
335 			cv_broadcast(&semp->semzcnt_cv);
336 			semp->semzcnt = 0;
337 		}
338 	}
339 }
340 
341 /*
342  * semctl - Semctl system call.
343  */
344 static int
345 semctl(int semid, uint_t semnum, int cmd, uintptr_t arg)
346 {
347 	ksemid_t		*sp;	/* ptr to semaphore header */
348 	struct sem		*p;	/* ptr to semaphore */
349 	unsigned int		i;	/* loop control */
350 	ushort_t		*vals, *vp;
351 	size_t			vsize = 0;
352 	int			error = 0;
353 	int			retval = 0;
354 	struct cred		*cr;
355 	kmutex_t		*lock;
356 	model_t			mdl = get_udatamodel();
357 	STRUCT_DECL(semid_ds, sid);
358 	struct semid_ds64	ds64;
359 
360 	STRUCT_INIT(sid, mdl);
361 	cr = CRED();
362 
363 	/*
364 	 * Perform pre- or non-lookup actions (e.g. copyins, RMID).
365 	 */
366 	switch (cmd) {
367 	case IPC_SET:
368 		if (copyin((void *)arg, STRUCT_BUF(sid), STRUCT_SIZE(sid)))
369 			return (set_errno(EFAULT));
370 		break;
371 
372 	case IPC_SET64:
373 		if (copyin((void *)arg, &ds64, sizeof (struct semid_ds64)))
374 			return (set_errno(EFAULT));
375 		break;
376 
377 	case SETALL:
378 		if ((lock = ipc_lookup(sem_svc, semid,
379 		    (kipc_perm_t **)&sp)) == NULL)
380 			return (set_errno(EINVAL));
381 		vsize = sp->sem_nsems * sizeof (*vals);
382 		mutex_exit(lock);
383 
384 		/* allocate space to hold all semaphore values */
385 		vals = kmem_alloc(vsize, KM_SLEEP);
386 
387 		if (copyin((void *)arg, vals, vsize)) {
388 			kmem_free(vals, vsize);
389 			return (set_errno(EFAULT));
390 		}
391 		break;
392 
393 	case IPC_RMID:
394 		if (error = ipc_rmid(sem_svc, semid, cr))
395 			return (set_errno(error));
396 		return (0);
397 	}
398 
399 	if ((lock = ipc_lookup(sem_svc, semid, (kipc_perm_t **)&sp)) == NULL) {
400 		if (vsize != 0)
401 			kmem_free(vals, vsize);
402 		return (set_errno(EINVAL));
403 	}
404 	switch (cmd) {
405 	/* Set ownership and permissions. */
406 	case IPC_SET:
407 
408 		if (error = ipcperm_set(sem_svc, cr, &sp->sem_perm,
409 		    &STRUCT_BUF(sid)->sem_perm, mdl)) {
410 			mutex_exit(lock);
411 			return (set_errno(error));
412 		}
413 		sp->sem_ctime = gethrestime_sec();
414 		mutex_exit(lock);
415 		return (0);
416 
417 	/* Get semaphore data structure. */
418 	case IPC_STAT:
419 
420 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
421 			mutex_exit(lock);
422 			return (set_errno(error));
423 		}
424 
425 		ipcperm_stat(&STRUCT_BUF(sid)->sem_perm, &sp->sem_perm, mdl);
426 		STRUCT_FSETP(sid, sem_base, NULL);	/* kernel addr */
427 		STRUCT_FSET(sid, sem_nsems, sp->sem_nsems);
428 		STRUCT_FSET(sid, sem_otime, sp->sem_otime);
429 		STRUCT_FSET(sid, sem_ctime, sp->sem_ctime);
430 		STRUCT_FSET(sid, sem_binary, sp->sem_binary);
431 		mutex_exit(lock);
432 
433 		if (copyout(STRUCT_BUF(sid), (void *)arg, STRUCT_SIZE(sid)))
434 			return (set_errno(EFAULT));
435 		return (0);
436 
437 	case IPC_SET64:
438 
439 		if (error = ipcperm_set64(sem_svc, cr, &sp->sem_perm,
440 		    &ds64.semx_perm)) {
441 			mutex_exit(lock);
442 			return (set_errno(error));
443 		}
444 		sp->sem_ctime = gethrestime_sec();
445 		mutex_exit(lock);
446 		return (0);
447 
448 	case IPC_STAT64:
449 
450 		ipcperm_stat64(&ds64.semx_perm, &sp->sem_perm);
451 		ds64.semx_nsems = sp->sem_nsems;
452 		ds64.semx_otime = sp->sem_otime;
453 		ds64.semx_ctime = sp->sem_ctime;
454 
455 		mutex_exit(lock);
456 		if (copyout(&ds64, (void *)arg, sizeof (struct semid_ds64)))
457 			return (set_errno(EFAULT));
458 
459 		return (0);
460 
461 	/* Get # of processes sleeping for greater semval. */
462 	case GETNCNT:
463 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
464 			mutex_exit(lock);
465 			return (set_errno(error));
466 		}
467 		if (semnum >= sp->sem_nsems) {
468 			mutex_exit(lock);
469 			return (set_errno(EINVAL));
470 		}
471 		retval = sp->sem_base[semnum].semncnt;
472 		mutex_exit(lock);
473 		return (retval);
474 
475 	/* Get pid of last process to operate on semaphore. */
476 	case GETPID:
477 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
478 			mutex_exit(lock);
479 			return (set_errno(error));
480 		}
481 		if (semnum >= sp->sem_nsems) {
482 			mutex_exit(lock);
483 			return (set_errno(EINVAL));
484 		}
485 		retval = sp->sem_base[semnum].sempid;
486 		mutex_exit(lock);
487 		return (retval);
488 
489 	/* Get semval of one semaphore. */
490 	case GETVAL:
491 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
492 			mutex_exit(lock);
493 			return (set_errno(error));
494 		}
495 		if (semnum >= sp->sem_nsems) {
496 			mutex_exit(lock);
497 			return (set_errno(EINVAL));
498 		}
499 		retval = sp->sem_base[semnum].semval;
500 		mutex_exit(lock);
501 		return (retval);
502 
503 	/* Get all semvals in set. */
504 	case GETALL:
505 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
506 			mutex_exit(lock);
507 			return (set_errno(error));
508 		}
509 
510 		/* allocate space to hold all semaphore values */
511 		vsize = sp->sem_nsems * sizeof (*vals);
512 		vals = vp = kmem_alloc(vsize, KM_SLEEP);
513 
514 		for (i = sp->sem_nsems, p = sp->sem_base; i--; p++, vp++)
515 			bcopy(&p->semval, vp, sizeof (p->semval));
516 
517 		mutex_exit(lock);
518 
519 		if (copyout((void *)vals, (void *)arg, vsize)) {
520 			kmem_free(vals, vsize);
521 			return (set_errno(EFAULT));
522 		}
523 
524 		kmem_free(vals, vsize);
525 		return (0);
526 
527 	/* Get # of processes sleeping for semval to become zero. */
528 	case GETZCNT:
529 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
530 			mutex_exit(lock);
531 			return (set_errno(error));
532 		}
533 		if (semnum >= sp->sem_nsems) {
534 			mutex_exit(lock);
535 			return (set_errno(EINVAL));
536 		}
537 		retval = sp->sem_base[semnum].semzcnt;
538 		mutex_exit(lock);
539 		return (retval);
540 
541 	/* Set semval of one semaphore. */
542 	case SETVAL:
543 		if (error = ipcperm_access(&sp->sem_perm, SEM_A, cr)) {
544 			mutex_exit(lock);
545 			return (set_errno(error));
546 		}
547 		if (semnum >= sp->sem_nsems) {
548 			mutex_exit(lock);
549 			return (set_errno(EINVAL));
550 		}
551 		if ((uint_t)arg > USHRT_MAX) {
552 			mutex_exit(lock);
553 			return (set_errno(ERANGE));
554 		}
555 		p = &sp->sem_base[semnum];
556 		if ((p->semval = (ushort_t)arg) != 0) {
557 			if (p->semncnt) {
558 				cv_broadcast(&p->semncnt_cv);
559 			}
560 		} else if (p->semzcnt) {
561 			cv_broadcast(&p->semzcnt_cv);
562 		}
563 		p->sempid = curproc->p_pid;
564 		sem_undo_clear(sp, (ushort_t)semnum, (ushort_t)semnum);
565 		mutex_exit(lock);
566 		return (0);
567 
568 	/* Set semvals of all semaphores in set. */
569 	case SETALL:
570 		/* Check if semaphore set has been deleted and reallocated. */
571 		if (sp->sem_nsems * sizeof (*vals) != vsize) {
572 			error = set_errno(EINVAL);
573 			goto seterr;
574 		}
575 		if (error = ipcperm_access(&sp->sem_perm, SEM_A, cr)) {
576 			error = set_errno(error);
577 			goto seterr;
578 		}
579 		sem_undo_clear(sp, 0, sp->sem_nsems - 1);
580 		for (i = 0, p = sp->sem_base; i < sp->sem_nsems;
581 		    (p++)->sempid = curproc->p_pid) {
582 			if ((p->semval = vals[i++]) != 0) {
583 				if (p->semncnt) {
584 					cv_broadcast(&p->semncnt_cv);
585 				}
586 			} else if (p->semzcnt) {
587 				cv_broadcast(&p->semzcnt_cv);
588 			}
589 		}
590 seterr:
591 		mutex_exit(lock);
592 		kmem_free(vals, vsize);
593 		return (error);
594 
595 	default:
596 		mutex_exit(lock);
597 		return (set_errno(EINVAL));
598 	}
599 
600 	/* NOTREACHED */
601 }
602 
603 /*
604  * semexit - Called by exit() to clean up on process exit.
605  */
606 void
607 semexit(proc_t *pp)
608 {
609 	avl_tree_t	*tree;
610 	struct sem_undo	*undo;
611 	void		*cookie = NULL;
612 
613 	mutex_enter(&pp->p_lock);
614 	tree = pp->p_semacct;
615 	pp->p_semacct = NULL;
616 	mutex_exit(&pp->p_lock);
617 
618 	while (undo = avl_destroy_nodes(tree, &cookie)) {
619 		ksemid_t *sp = undo->un_sp;
620 		size_t size = SEM_UNDOSZ(sp->sem_nsems);
621 		int i;
622 
623 		(void) ipc_lock(sem_svc, sp->sem_perm.ipc_id);
624 		if (!IPC_FREE(&sp->sem_perm)) {
625 			for (i = 0; i < sp->sem_nsems; i++) {
626 				int adj = undo->un_aoe[i];
627 				if (adj) {
628 					struct sem *semp = &sp->sem_base[i];
629 					int v = (int)semp->semval + adj;
630 
631 					if (v < 0 || v > USHRT_MAX)
632 						continue;
633 					semp->semval = (ushort_t)v;
634 					if (v == 0 && semp->semzcnt)
635 						cv_broadcast(&semp->semzcnt_cv);
636 					if (adj > 0 && semp->semncnt)
637 						cv_broadcast(&semp->semncnt_cv);
638 				}
639 			}
640 			list_remove(&sp->sem_undos, undo);
641 		}
642 		ipc_rele(sem_svc, (kipc_perm_t *)sp);
643 		kmem_free(undo, size);
644 	}
645 
646 	avl_destroy(tree);
647 	kmem_free(tree, sizeof (avl_tree_t));
648 }
649 
650 /*
651  * Remove all semaphores associated with a given zone.  Called by
652  * zone_shutdown when the zone is halted.
653  */
654 /*ARGSUSED1*/
655 static void
656 sem_remove_zone(zoneid_t zoneid, void *arg)
657 {
658 	ipc_remove_zone(sem_svc, zoneid);
659 }
660 
661 /*
662  * semget - Semget system call.
663  */
664 static int
665 semget(key_t key, int nsems, int semflg)
666 {
667 	ksemid_t	*sp;
668 	kmutex_t	*lock;
669 	int		id, error;
670 	proc_t		*pp = curproc;
671 
672 top:
673 	if (error = ipc_get(sem_svc, key, semflg, (kipc_perm_t **)&sp, &lock))
674 		return (set_errno(error));
675 
676 	if (!IPC_FREE(&sp->sem_perm)) {
677 		/*
678 		 * A semaphore with the requested key exists.
679 		 */
680 		if (!((nsems >= 0) && (nsems <= sp->sem_nsems))) {
681 			mutex_exit(lock);
682 			return (set_errno(EINVAL));
683 		}
684 	} else {
685 		/*
686 		 * This is a new semaphore set.  Finish initialization.
687 		 */
688 		if (nsems <= 0 || (rctl_test(rc_process_semmsl, pp->p_rctls, pp,
689 		    nsems, RCA_SAFE) & RCT_DENY)) {
690 			mutex_exit(lock);
691 			mutex_exit(&pp->p_lock);
692 			ipc_cleanup(sem_svc, (kipc_perm_t *)sp);
693 			return (set_errno(EINVAL));
694 		}
695 		mutex_exit(lock);
696 		mutex_exit(&pp->p_lock);
697 
698 		/*
699 		 * We round the allocation up to coherency granularity
700 		 * so that multiple semaphore allocations won't result
701 		 * in the false sharing of their sem structures.
702 		 */
703 		sp->sem_base =
704 		    kmem_zalloc(P2ROUNDUP(nsems * sizeof (struct sem), 64),
705 		    KM_SLEEP);
706 		sp->sem_binary = (nsems == 1);
707 		sp->sem_nsems = (ushort_t)nsems;
708 		sp->sem_ctime = gethrestime_sec();
709 		sp->sem_otime = 0;
710 		list_create(&sp->sem_undos, sizeof (struct sem_undo),
711 		    offsetof(struct sem_undo, un_list));
712 
713 		if (error = ipc_commit_begin(sem_svc, key, semflg,
714 		    (kipc_perm_t *)sp)) {
715 			if (error == EAGAIN)
716 				goto top;
717 			return (set_errno(error));
718 		}
719 		sp->sem_maxops =
720 		    rctl_enforced_value(rc_process_semopm, pp->p_rctls, pp);
721 		if (rctl_test(rc_process_semmsl, pp->p_rctls, pp, nsems,
722 		    RCA_SAFE) & RCT_DENY) {
723 			ipc_cleanup(sem_svc, (kipc_perm_t *)sp);
724 			return (set_errno(EINVAL));
725 		}
726 		lock = ipc_commit_end(sem_svc, &sp->sem_perm);
727 	}
728 
729 	if (AU_AUDITING())
730 		audit_ipcget(AT_IPC_SEM, (void *)sp);
731 
732 	id = sp->sem_perm.ipc_id;
733 	mutex_exit(lock);
734 	return (id);
735 }
736 
737 /*
738  * semids system call.
739  */
740 static int
741 semids(int *buf, uint_t nids, uint_t *pnids)
742 {
743 	int error;
744 
745 	if (error = ipc_ids(sem_svc, buf, nids, pnids))
746 		return (set_errno(error));
747 
748 	return (0);
749 }
750 
751 
752 /*
753  * Helper function for semop - copies in the provided timespec and
754  * computes the absolute future time after which we must return.
755  */
756 static int
757 compute_timeout(timespec_t **tsp, timespec_t *ts, timespec_t *now,
758 	timespec_t *timeout)
759 {
760 	model_t datamodel = get_udatamodel();
761 
762 	if (datamodel == DATAMODEL_NATIVE) {
763 		if (copyin(timeout, ts, sizeof (timespec_t)))
764 			return (EFAULT);
765 	} else {
766 		timespec32_t ts32;
767 
768 		if (copyin(timeout, &ts32, sizeof (timespec32_t)))
769 			return (EFAULT);
770 		TIMESPEC32_TO_TIMESPEC(ts, &ts32)
771 	}
772 
773 	if (itimerspecfix(ts))
774 		return (EINVAL);
775 
776 	/*
777 	 * Convert the timespec value into absolute time.
778 	 */
779 	timespecadd(ts, now);
780 	*tsp = ts;
781 
782 	return (0);
783 }
784 
785 /*
786  * Undo structure comparator.  We sort based on ksemid_t pointer.
787  */
788 static int
789 sem_undo_compar(const void *x, const void *y)
790 {
791 	struct sem_undo *undo1 = (struct sem_undo *)x;
792 	struct sem_undo *undo2 = (struct sem_undo *)y;
793 
794 	if (undo1->un_sp < undo2->un_sp)
795 		return (-1);
796 	if (undo1->un_sp > undo2->un_sp)
797 		return (1);
798 	return (0);
799 }
800 
801 /*
802  * Helper function for semop - creates an undo structure and adds it to
803  * the process's avl tree and the semaphore's list.
804  */
805 static int
806 sem_undo_alloc(proc_t *pp, ksemid_t *sp, kmutex_t **lock,
807     struct sem_undo *template, struct sem_undo **un)
808 {
809 	size_t size;
810 	struct sem_undo *undo;
811 	avl_tree_t *tree = NULL;
812 	avl_index_t where;
813 
814 	mutex_exit(*lock);
815 
816 	size = SEM_UNDOSZ(sp->sem_nsems);
817 	undo = kmem_zalloc(size, KM_SLEEP);
818 	undo->un_proc = pp;
819 	undo->un_sp = sp;
820 
821 	if (pp->p_semacct == NULL)
822 		tree = kmem_alloc(sizeof (avl_tree_t), KM_SLEEP);
823 
824 	*lock = ipc_lock(sem_svc, sp->sem_perm.ipc_id);
825 	if (IPC_FREE(&sp->sem_perm)) {
826 		kmem_free(undo, size);
827 		if (tree)
828 			kmem_free(tree, sizeof (avl_tree_t));
829 		return (EIDRM);
830 	}
831 
832 	mutex_enter(&pp->p_lock);
833 	if (tree) {
834 		if (pp->p_semacct == NULL) {
835 			avl_create(tree, sem_undo_compar,
836 			    sizeof (struct sem_undo),
837 			    offsetof(struct sem_undo, un_avl));
838 			pp->p_semacct = tree;
839 		} else {
840 			kmem_free(tree, sizeof (avl_tree_t));
841 		}
842 	}
843 
844 	if (*un = avl_find(pp->p_semacct, template, &where)) {
845 		mutex_exit(&pp->p_lock);
846 		kmem_free(undo, size);
847 	} else {
848 		*un = undo;
849 		avl_insert(pp->p_semacct, undo, where);
850 		mutex_exit(&pp->p_lock);
851 		list_insert_head(&sp->sem_undos, undo);
852 		ipc_hold(sem_svc, (kipc_perm_t *)sp);
853 	}
854 
855 
856 	return (0);
857 }
858 
859 /*
860  * semop - Semop system call.
861  */
862 static int
863 semop(int semid, struct sembuf *sops, size_t nsops, timespec_t *timeout)
864 {
865 	ksemid_t	*sp = NULL;
866 	kmutex_t	*lock;
867 	struct sembuf	*op;	/* ptr to operation */
868 	int		i;	/* loop control */
869 	struct sem	*semp;	/* ptr to semaphore */
870 	int 		error = 0;
871 	struct sembuf	*uops;	/* ptr to copy of user ops */
872 	struct sembuf 	x_sem;	/* avoid kmem_alloc's */
873 	timespec_t	now, ts, *tsp = NULL;
874 	int		timecheck = 0;
875 	int		cvres, needundo, mode;
876 	struct sem_undo	*undo;
877 	proc_t		*pp = curproc;
878 	int		held = 0;
879 
880 	CPU_STATS_ADDQ(CPU, sys, sema, 1); /* bump semaphore op count */
881 
882 	/*
883 	 * To avoid the cost of copying in 'timeout' in the common
884 	 * case, we could only grab the time here and defer the copyin
885 	 * and associated computations until we are about to block.
886 	 *
887 	 * The down side to this is that we would then have to spin
888 	 * some goto top nonsense to avoid the copyin behind the semid
889 	 * lock.  As a common use of timed semaphores is as an explicit
890 	 * blocking mechanism, this could incur a greater penalty.
891 	 *
892 	 * If we eventually decide that this would be a wise route to
893 	 * take, the deferrable functionality is completely contained
894 	 * in 'compute_timeout', and the interface is defined such that
895 	 * we can legally not validate 'timeout' if it is unused.
896 	 */
897 	if (timeout != NULL) {
898 		timecheck = timechanged;
899 		gethrestime(&now);
900 		if (error = compute_timeout(&tsp, &ts, &now, timeout))
901 			return (set_errno(error));
902 	}
903 
904 	/*
905 	 * Allocate space to hold the vector of semaphore ops.  If
906 	 * there is only 1 operation we use a preallocated buffer on
907 	 * the stack for speed.
908 	 *
909 	 * Since we don't want to allow the user to allocate an
910 	 * arbitrary amount of kernel memory, we need to check against
911 	 * the number of operations allowed by the semaphore.  We only
912 	 * bother doing this if the number of operations is larger than
913 	 * SEM_MAXUCOPS.
914 	 */
915 	if (nsops == 1)
916 		uops = &x_sem;
917 	else if (nsops == 0)
918 		return (0);
919 	else if (nsops <= SEM_MAXUCOPS)
920 		uops = kmem_alloc(nsops * sizeof (*uops), KM_SLEEP);
921 
922 	if (nsops > SEM_MAXUCOPS) {
923 		if ((lock = ipc_lookup(sem_svc, semid,
924 		    (kipc_perm_t **)&sp)) == NULL)
925 			return (set_errno(EFAULT));
926 
927 		if (nsops > sp->sem_maxops) {
928 			mutex_exit(lock);
929 			return (set_errno(E2BIG));
930 		}
931 		held = 1;
932 		ipc_hold(sem_svc, (kipc_perm_t *)sp);
933 		mutex_exit(lock);
934 
935 		uops = kmem_alloc(nsops * sizeof (*uops), KM_SLEEP);
936 		if (copyin(sops, uops, nsops * sizeof (*op))) {
937 			error = EFAULT;
938 			(void) ipc_lock(sem_svc, sp->sem_perm.ipc_id);
939 			goto semoperr;
940 		}
941 
942 		lock = ipc_lock(sem_svc, sp->sem_perm.ipc_id);
943 		if (IPC_FREE(&sp->sem_perm)) {
944 			error = EIDRM;
945 			goto semoperr;
946 		}
947 	} else {
948 		/*
949 		 * This could be interleaved with the above code, but
950 		 * keeping them separate improves readability.
951 		 */
952 		if (copyin(sops, uops, nsops * sizeof (*op))) {
953 			error = EFAULT;
954 			goto semoperr_unlocked;
955 		}
956 
957 		if ((lock = ipc_lookup(sem_svc, semid,
958 		    (kipc_perm_t **)&sp)) == NULL) {
959 			error = EINVAL;
960 			goto semoperr_unlocked;
961 		}
962 
963 		if (nsops > sp->sem_maxops) {
964 			error = E2BIG;
965 			goto semoperr;
966 		}
967 	}
968 
969 	/*
970 	 * Scan all operations.  Verify that sem #s are in range and
971 	 * this process is allowed the requested operations.  If any
972 	 * operations are marked SEM_UNDO, find (or allocate) the undo
973 	 * structure for this process and semaphore.
974 	 */
975 	needundo = 0;
976 	mode = 0;
977 	for (i = 0, op = uops; i++ < nsops; op++) {
978 		mode |= op->sem_op ? SEM_A : SEM_R;
979 		if (op->sem_num >= sp->sem_nsems) {
980 			error = EFBIG;
981 			goto semoperr;
982 		}
983 		if ((op->sem_flg & SEM_UNDO) && op->sem_op)
984 			needundo = 1;
985 	}
986 	if (error = ipcperm_access(&sp->sem_perm, mode, CRED()))
987 		goto semoperr;
988 
989 	if (needundo) {
990 		struct sem_undo template;
991 
992 		template.un_sp = sp;
993 		mutex_enter(&pp->p_lock);
994 		if (pp->p_semacct)
995 			undo = avl_find(pp->p_semacct, &template, NULL);
996 		else
997 			undo = NULL;
998 		mutex_exit(&pp->p_lock);
999 		if (undo == NULL) {
1000 			if (!held) {
1001 				held = 1;
1002 				ipc_hold(sem_svc, (kipc_perm_t *)sp);
1003 			}
1004 			if (error = sem_undo_alloc(pp, sp, &lock, &template,
1005 			    &undo))
1006 				goto semoperr;
1007 
1008 			/* sem_undo_alloc unlocks the semaphore */
1009 			if (error = ipcperm_access(&sp->sem_perm, mode, CRED()))
1010 				goto semoperr;
1011 		}
1012 	}
1013 
1014 check:
1015 	/*
1016 	 * Loop waiting for the operations to be satisfied atomically.
1017 	 * Actually, do the operations and undo them if a wait is needed
1018 	 * or an error is detected.
1019 	 */
1020 	for (i = 0; i < nsops; i++) {
1021 		op = &uops[i];
1022 		semp = &sp->sem_base[op->sem_num];
1023 
1024 		/*
1025 		 * Raise the semaphore (i.e. sema_v)
1026 		 */
1027 		if (op->sem_op > 0) {
1028 			if (op->sem_op + (int)semp->semval > USHRT_MAX ||
1029 			    ((op->sem_flg & SEM_UNDO) &&
1030 			    (error = sem_undo_add(op->sem_op, op->sem_num,
1031 			    undo)))) {
1032 				if (i)
1033 					sem_rollback(sp, uops, i, undo);
1034 				if (error == 0)
1035 					error = ERANGE;
1036 				goto semoperr;
1037 			}
1038 			semp->semval += op->sem_op;
1039 			/*
1040 			 * If we are only incrementing the semaphore value
1041 			 * by one on a binary semaphore, we can cv_signal.
1042 			 */
1043 			if (semp->semncnt) {
1044 				if (op->sem_op == 1 && sp->sem_binary)
1045 					cv_signal(&semp->semncnt_cv);
1046 				else
1047 					cv_broadcast(&semp->semncnt_cv);
1048 			}
1049 			if (semp->semzcnt && !semp->semval)
1050 				cv_broadcast(&semp->semzcnt_cv);
1051 			continue;
1052 		}
1053 
1054 		/*
1055 		 * Lower the semaphore (i.e. sema_p)
1056 		 */
1057 		if (op->sem_op < 0) {
1058 			if (semp->semval >= (unsigned)(-op->sem_op)) {
1059 				if ((op->sem_flg & SEM_UNDO) &&
1060 				    (error = sem_undo_add(op->sem_op,
1061 				    op->sem_num, undo))) {
1062 					if (i)
1063 						sem_rollback(sp, uops, i, undo);
1064 					goto semoperr;
1065 				}
1066 				semp->semval += op->sem_op;
1067 				if (semp->semzcnt && !semp->semval)
1068 					cv_broadcast(&semp->semzcnt_cv);
1069 				continue;
1070 			}
1071 			if (i)
1072 				sem_rollback(sp, uops, i, undo);
1073 			if (op->sem_flg & IPC_NOWAIT) {
1074 				error = EAGAIN;
1075 				goto semoperr;
1076 			}
1077 
1078 			/*
1079 			 * Mark the semaphore set as not a binary type
1080 			 * if we are decrementing the value by more than 1.
1081 			 *
1082 			 * V operations will resort to cv_broadcast
1083 			 * for this set because there are too many weird
1084 			 * cases that have to be caught.
1085 			 */
1086 			if (op->sem_op < -1)
1087 				sp->sem_binary = 0;
1088 			if (!held) {
1089 				held = 1;
1090 				ipc_hold(sem_svc, (kipc_perm_t *)sp);
1091 			}
1092 			semp->semncnt++;
1093 			cvres = cv_waituntil_sig(&semp->semncnt_cv, lock,
1094 			    tsp, timecheck);
1095 			lock = ipc_relock(sem_svc, sp->sem_perm.ipc_id, lock);
1096 
1097 			if (!IPC_FREE(&sp->sem_perm)) {
1098 				ASSERT(semp->semncnt != 0);
1099 				semp->semncnt--;
1100 				if (cvres > 0)	/* normal wakeup */
1101 					goto check;
1102 			}
1103 
1104 			/* EINTR or EAGAIN overrides EIDRM */
1105 			if (cvres == 0)
1106 				error = EINTR;
1107 			else if (cvres < 0)
1108 				error = EAGAIN;
1109 			else
1110 				error = EIDRM;
1111 			goto semoperr;
1112 		}
1113 
1114 		/*
1115 		 * Wait for zero value
1116 		 */
1117 		if (semp->semval) {
1118 			if (i)
1119 				sem_rollback(sp, uops, i, undo);
1120 			if (op->sem_flg & IPC_NOWAIT) {
1121 				error = EAGAIN;
1122 				goto semoperr;
1123 			}
1124 
1125 			if (!held) {
1126 				held = 1;
1127 				ipc_hold(sem_svc, (kipc_perm_t *)sp);
1128 			}
1129 			semp->semzcnt++;
1130 			cvres = cv_waituntil_sig(&semp->semzcnt_cv, lock,
1131 			    tsp, timecheck);
1132 			lock = ipc_relock(sem_svc, sp->sem_perm.ipc_id, lock);
1133 
1134 			/*
1135 			 * Don't touch semp if the semaphores have been removed.
1136 			 */
1137 			if (!IPC_FREE(&sp->sem_perm)) {
1138 				ASSERT(semp->semzcnt != 0);
1139 				semp->semzcnt--;
1140 				if (cvres > 0)	/* normal wakeup */
1141 					goto check;
1142 			}
1143 
1144 			/* EINTR or EAGAIN overrides EIDRM */
1145 			if (cvres == 0)
1146 				error = EINTR;
1147 			else if (cvres < 0)
1148 				error = EAGAIN;
1149 			else
1150 				error = EIDRM;
1151 			goto semoperr;
1152 		}
1153 	}
1154 
1155 	/* All operations succeeded.  Update sempid for accessed semaphores. */
1156 	for (i = 0, op = uops; i++ < nsops;
1157 	    sp->sem_base[(op++)->sem_num].sempid = pp->p_pid)
1158 		;
1159 	sp->sem_otime = gethrestime_sec();
1160 	if (held)
1161 		ipc_rele(sem_svc, (kipc_perm_t *)sp);
1162 	else
1163 		mutex_exit(lock);
1164 
1165 	/* Before leaving, deallocate the buffer that held the user semops */
1166 	if (nsops != 1)
1167 		kmem_free(uops, sizeof (*uops) * nsops);
1168 	return (0);
1169 
1170 	/*
1171 	 * Error return labels
1172 	 */
1173 semoperr:
1174 	if (held)
1175 		ipc_rele(sem_svc, (kipc_perm_t *)sp);
1176 	else
1177 		mutex_exit(lock);
1178 
1179 semoperr_unlocked:
1180 
1181 	/* Before leaving, deallocate the buffer that held the user semops */
1182 	if (nsops != 1)
1183 		kmem_free(uops, sizeof (*uops) * nsops);
1184 	return (set_errno(error));
1185 }
1186 
1187 /*
1188  * semsys - System entry point for semctl, semget, and semop system calls.
1189  */
1190 static int
1191 semsys(int opcode, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4)
1192 {
1193 	int error;
1194 
1195 	switch (opcode) {
1196 	case SEMCTL:
1197 		error = semctl((int)a1, (uint_t)a2, (int)a3, a4);
1198 		break;
1199 	case SEMGET:
1200 		error = semget((key_t)a1, (int)a2, (int)a3);
1201 		break;
1202 	case SEMOP:
1203 		error = semop((int)a1, (struct sembuf *)a2, (size_t)a3, 0);
1204 		break;
1205 	case SEMIDS:
1206 		error = semids((int *)a1, (uint_t)a2, (uint_t *)a3);
1207 		break;
1208 	case SEMTIMEDOP:
1209 		error = semop((int)a1, (struct sembuf *)a2, (size_t)a3,
1210 		    (timespec_t *)a4);
1211 		break;
1212 	default:
1213 		error = set_errno(EINVAL);
1214 		break;
1215 	}
1216 	return (error);
1217 }
1218