]> git.saurik.com Git - apple/xnu.git/blame - bsd/kern/sysv_shm.c
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-4570.1.46.tar.gz
[apple/xnu.git] / bsd / kern / sysv_shm.c
CommitLineData
1c79356b 1/*
2d21ac55 2 * Copyright (c) 2000-2007 Apple Inc. All rights reserved.
5d5c5d0d 3 *
2d21ac55 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
1c79356b 5 *
2d21ac55
A		 6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
8f6c56a5 14 *
2d21ac55
A		 15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
8f6c56a5
A		 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
2d21ac55
A		 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
8f6c56a5 25 *
2d21ac55 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
1c79356b
A		 27 */
28/* $NetBSD: sysv_shm.c,v 1.23 1994/07/04 23:25:12 glass Exp $ */
29
30/*
31 * Copyright (c) 1994 Adam Glass and Charles Hannum. All rights reserved.
32 *
33 * Redistribution and use in source and binary forms, with or without
34 * modification, are permitted provided that the following conditions
35 * are met:
36 * 1. Redistributions of source code must retain the above copyright
37 * notice, this list of conditions and the following disclaimer.
38 * 2. Redistributions in binary form must reproduce the above copyright
39 * notice, this list of conditions and the following disclaimer in the
40 * documentation and/or other materials provided with the distribution.
41 * 3. All advertising materials mentioning features or use of this software
42 * must display the following acknowledgement:
43 * This product includes software developed by Adam Glass and Charles
44 * Hannum.
45 * 4. The names of the authors may not be used to endorse or promote products
46 * derived from this software without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR
49 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
50 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
51 * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT,
52 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
53 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
54 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
55 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
56 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
57 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
58 */
2d21ac55
A		 59/*
60 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
61 * support for mandatory and extensible security protections. This notice
62 * is included in support of clause 2.2 (b) of the Apple Public License,
63 * Version 2.0.
64 * Copyright (c) 2005-2006 SPARTA, Inc.
65*/
1c79356b
A		 66
67
9bccf70c 68#include <sys/appleapiopts.h>
1c79356b
A		 69#include <sys/param.h>
70#include <sys/systm.h>
71#include <sys/kernel.h>
91447636
A		 72#include <sys/shm_internal.h>
73#include <sys/proc_internal.h>
74#include <sys/kauth.h>
1c79356b
A		 75#include <sys/malloc.h>
76#include <sys/mman.h>
77#include <sys/stat.h>
9bccf70c 78#include <sys/sysctl.h>
91447636
A		 79#include <sys/ipcs.h>
80#include <sys/sysent.h>
81#include <sys/sysproto.h>
2d21ac55
A		 82#if CONFIG_MACF
83#include <security/mac_framework.h>
84#endif
e5568f75 85
b0d623f7 86#include <security/audit/audit.h>
1c79356b
A		 87
88#include <mach/mach_types.h>
89#include <mach/vm_inherit.h>
91447636
A		 90#include <mach/vm_map.h>
91
92#include <mach/mach_vm.h>
93
1c79356b 94#include <vm/vm_map.h>
91447636 95#include <vm/vm_protos.h>
3e170ce0 96#include <vm/vm_kern.h>
1c79356b 97
91447636 98#include <kern/locks.h>
39037602 99#include <os/overflow.h>
1c79356b 100
2d21ac55
A		 101/* Uncomment this line to see MAC debugging output. */
102/* #define MAC_DEBUG */
103#if CONFIG_MACF_DEBUG
104#define MPRINTF(a) printf a
105#else
106#define MPRINTF(a)
107#endif
108
109#if SYSV_SHM
39037602 110static int shminit(void);
1c79356b 111
91447636
A		 112static lck_grp_t *sysv_shm_subsys_lck_grp;
113static lck_grp_attr_t *sysv_shm_subsys_lck_grp_attr;
114static lck_attr_t *sysv_shm_subsys_lck_attr;
115static lck_mtx_t sysv_shm_subsys_mutex;
1c79356b 116
91447636
A		 117#define SYSV_SHM_SUBSYS_LOCK() lck_mtx_lock(&sysv_shm_subsys_mutex)
118#define SYSV_SHM_SUBSYS_UNLOCK() lck_mtx_unlock(&sysv_shm_subsys_mutex)
119
120static int oshmctl(void *p, void *uap, void *retval);
121static int shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode, int * retval);
122static int shmget_existing(struct shmget_args *uap, int mode, int segnum, int * retval);
b0d623f7
A		 123static void shmid_ds_64to32(struct user_shmid_ds *in, struct user32_shmid_ds *out);
124static void shmid_ds_32to64(struct user32_shmid_ds *in, struct user_shmid_ds *out);
1c79356b
A		 125
126/* XXX casting to (sy_call_t *) is bogus, as usual. */
127static sy_call_t *shmcalls[] = {
128 (sy_call_t *)shmat, (sy_call_t *)oshmctl,
129 (sy_call_t *)shmdt, (sy_call_t *)shmget,
130 (sy_call_t *)shmctl
131};
132
133#define SHMSEG_FREE 0x0200
134#define SHMSEG_REMOVED 0x0400
135#define SHMSEG_ALLOCATED 0x0800
136#define SHMSEG_WANTED 0x1000
137
138static int shm_last_free, shm_nused, shm_committed;
2d21ac55 139struct shmid_kernel *shmsegs; /* 64 bit version */
9bccf70c 140static int shm_inited = 0;
1c79356b 141
b0d623f7
A		 142/*
143 * Since anonymous memory chunks are limited to ANON_MAX_SIZE bytes,
144 * we have to keep a list of chunks when we want to handle a shared memory
145 * segment bigger than ANON_MAX_SIZE.
146 * Each chunk points to a VM named entry of up to ANON_MAX_SIZE bytes
147 * of anonymous memory.
148 */
1c79356b 149struct shm_handle {
b0d623f7
A		 150 void * shm_object; /* named entry for this chunk*/
151 memory_object_size_t shm_handle_size; /* size of this chunk */
152 struct shm_handle *shm_handle_next; /* next chunk */
1c79356b
A		 153};
154
155struct shmmap_state {
91447636
A		 156 mach_vm_address_t va; /* user address */
157 int shmid; /* segment id */
1c79356b
A		 158};
159
2d21ac55 160static void shm_deallocate_segment(struct shmid_kernel *);
91447636 161static int shm_find_segment_by_key(key_t);
2d21ac55 162static struct shmid_kernel *shm_find_segment_by_shmid(int);
91447636 163static int shm_delete_mapping(struct proc *, struct shmmap_state *, int);
1c79356b 164
9bccf70c 165#ifdef __APPLE_API_PRIVATE
2d21ac55
A		 166#define DEFAULT_SHMMAX (4 * 1024 * 1024)
167#define DEFAULT_SHMMIN 1
168#define DEFAULT_SHMMNI 32
169#define DEFAULT_SHMSEG 8
170#define DEFAULT_SHMALL 1024
3e170ce0 171
39037602
A		 172struct shminfo shminfo = {
173 DEFAULT_SHMMAX,
174 DEFAULT_SHMMIN,
175 DEFAULT_SHMMNI,
2d21ac55
A		 176 DEFAULT_SHMSEG,
177 DEFAULT_SHMALL
9bccf70c 178};
39037602
A		 179
180#define SHMID_IS_VALID(x) ((x) >= 0)
181#define SHMID_UNALLOCATED (-1)
182#define SHMID_SENTINEL (-2)
183
9bccf70c
A		 184#endif /* __APPLE_API_PRIVATE */
185
91447636
A		 186void sysv_shm_lock_init(void);
187
188static __inline__ time_t
189sysv_shmtime(void)
190{
191 struct timeval tv;
192 microtime(&tv);
193 return (tv.tv_sec);
194}
195
196/*
197 * This conversion is safe, since if we are converting for a 32 bit process,
198 * then it's value of (struct shmid_ds)->shm_segsz will never exceed 4G.
199 *
200 * NOTE: Source and target may *NOT* overlap! (target is smaller)
201 */
202static void
b0d623f7 203shmid_ds_64to32(struct user_shmid_ds *in, struct user32_shmid_ds *out)
91447636
A		 204{
205 out->shm_perm = in->shm_perm;
b0d623f7 206 out->shm_segsz = in->shm_segsz;
91447636
A		 207 out->shm_lpid = in->shm_lpid;
208 out->shm_cpid = in->shm_cpid;
209 out->shm_nattch = in->shm_nattch;
210 out->shm_atime = in->shm_atime;
211 out->shm_dtime = in->shm_dtime;
212 out->shm_ctime = in->shm_ctime;
b0d623f7 213 out->shm_internal = CAST_DOWN_EXPLICIT(int,in->shm_internal);
91447636
A		 214}
215
216/*
217 * NOTE: Source and target may are permitted to overlap! (source is smaller);
218 * this works because we copy fields in order from the end of the struct to
219 * the beginning.
220 */
221static void
b0d623f7 222shmid_ds_32to64(struct user32_shmid_ds *in, struct user_shmid_ds *out)
91447636 223{
b0d623f7 224 out->shm_internal = in->shm_internal;
91447636
A		 225 out->shm_ctime = in->shm_ctime;
226 out->shm_dtime = in->shm_dtime;
227 out->shm_atime = in->shm_atime;
228 out->shm_nattch = in->shm_nattch;
229 out->shm_cpid = in->shm_cpid;
230 out->shm_lpid = in->shm_lpid;
b0d623f7 231 out->shm_segsz = in->shm_segsz;
91447636
A		 232 out->shm_perm = in->shm_perm;
233}
234
235
1c79356b 236static int
91447636 237shm_find_segment_by_key(key_t key)
1c79356b
A		 238{
239 int i;
240
241 for (i = 0; i < shminfo.shmmni; i++)
2d21ac55
A		 242 if ((shmsegs[i].u.shm_perm.mode & SHMSEG_ALLOCATED) &&
243 shmsegs[i].u.shm_perm._key == key)
1c79356b
A		 244 return i;
245 return -1;
246}
247
2d21ac55 248static struct shmid_kernel *
91447636 249shm_find_segment_by_shmid(int shmid)
1c79356b
A		 250{
251 int segnum;
2d21ac55 252 struct shmid_kernel *shmseg;
1c79356b
A		 253
254 segnum = IPCID_TO_IX(shmid);
255 if (segnum < 0 || segnum >= shminfo.shmmni)
256 return NULL;
257 shmseg = &shmsegs[segnum];
2d21ac55 258 if ((shmseg->u.shm_perm.mode & (SHMSEG_ALLOCATED | SHMSEG_REMOVED))
1c79356b 259 != SHMSEG_ALLOCATED ||
2d21ac55 260 shmseg->u.shm_perm._seq != IPCID_TO_SEQ(shmid))
1c79356b
A		 261 return NULL;
262 return shmseg;
263}
264
265static void
2d21ac55 266shm_deallocate_segment(struct shmid_kernel *shmseg)
1c79356b 267{
b0d623f7 268 struct shm_handle *shm_handle, *shm_handle_next;
91447636 269 mach_vm_size_t size;
1c79356b 270
b0d623f7
A		 271 for (shm_handle = CAST_DOWN(void *,shmseg->u.shm_internal); /* tunnel */
272 shm_handle != NULL;
273 shm_handle = shm_handle_next) {
274 shm_handle_next = shm_handle->shm_handle_next;
275 mach_memory_entry_port_release(shm_handle->shm_object);
276 FREE((caddr_t) shm_handle, M_SHM);
277 }
2d21ac55 278 shmseg->u.shm_internal = USER_ADDR_NULL; /* tunnel */
b0d623f7 279 size = mach_vm_round_page(shmseg->u.shm_segsz);
1c79356b
A		 280 shm_committed -= btoc(size);
281 shm_nused--;
2d21ac55
A		 282 shmseg->u.shm_perm.mode = SHMSEG_FREE;
283#if CONFIG_MACF
284 /* Reset the MAC label */
285 mac_sysvshm_label_recycle(shmseg);
286#endif
1c79356b
A		 287}
288
289static int
91447636
A		 290shm_delete_mapping(__unused struct proc *p, struct shmmap_state *shmmap_s,
291 int deallocate)
1c79356b 292{
2d21ac55 293 struct shmid_kernel *shmseg;
1c79356b 294 int segnum, result;
91447636 295 mach_vm_size_t size;
1c79356b
A		 296
297 segnum = IPCID_TO_IX(shmmap_s->shmid);
298 shmseg = &shmsegs[segnum];
2d21ac55 299 size = mach_vm_round_page(shmseg->u.shm_segsz); /* XXX done for us? */
55e303ae 300 if (deallocate) {
91447636 301 result = mach_vm_deallocate(current_map(), shmmap_s->va, size);
1c79356b
A		 302 if (result != KERN_SUCCESS)
303 return EINVAL;
55e303ae 304 }
39037602 305 shmmap_s->shmid = SHMID_UNALLOCATED;
2d21ac55
A		 306 shmseg->u.shm_dtime = sysv_shmtime();
307 if ((--shmseg->u.shm_nattch <= 0) &&
308 (shmseg->u.shm_perm.mode & SHMSEG_REMOVED)) {
1c79356b
A		 309 shm_deallocate_segment(shmseg);
310 shm_last_free = segnum;
311 }
312 return 0;
313}
314
1c79356b 315int
b0d623f7 316shmdt(struct proc *p, struct shmdt_args *uap, int32_t *retval)
1c79356b 317{
2d21ac55
A		 318#if CONFIG_MACF
319 struct shmid_kernel *shmsegptr;
320#endif
1c79356b
A		 321 struct shmmap_state *shmmap_s;
322 int i;
91447636
A		 323 int shmdtret = 0;
324
2d21ac55 325 AUDIT_ARG(svipc_addr, uap->shmaddr);
91447636
A		 326
327 SYSV_SHM_SUBSYS_LOCK();
1c79356b 328
39037602
A		 329 if ((shmdtret = shminit())) {
330 goto shmdt_out;
91447636 331 }
39037602 332
1c79356b 333 shmmap_s = (struct shmmap_state *)p->vm_shm;
91447636
A		 334 if (shmmap_s == NULL) {
335 shmdtret = EINVAL;
336 goto shmdt_out;
337 }
338
39037602
A		 339 for (; shmmap_s->shmid != SHMID_SENTINEL; shmmap_s++) {
340 if (SHMID_IS_VALID(shmmap_s->shmid) &&
341 shmmap_s->va == (mach_vm_offset_t)uap->shmaddr) {
1c79356b 342 break;
39037602
A		 343 }
344 }
345
346 if (!SHMID_IS_VALID(shmmap_s->shmid)) {
91447636
A		 347 shmdtret = EINVAL;
348 goto shmdt_out;
349 }
39037602 350
2d21ac55
A		 351#if CONFIG_MACF
352 /*
353 * XXX: It might be useful to move this into the shm_delete_mapping
354 * function
355 */
356 shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)];
357 shmdtret = mac_sysvshm_check_shmdt(kauth_cred_get(), shmsegptr);
358 if (shmdtret)
359 goto shmdt_out;
360#endif
91447636
A		 361 i = shm_delete_mapping(p, shmmap_s, 1);
362
363 if (i == 0)
364 *retval = 0;
365 shmdtret = i;
366shmdt_out:
367 SYSV_SHM_SUBSYS_UNLOCK();
368 return shmdtret;
1c79356b
A		 369}
370
1c79356b 371int
2d21ac55 372shmat(struct proc *p, struct shmat_args *uap, user_addr_t *retval)
1c79356b
A		 373{
374 int error, i, flags;
2d21ac55 375 struct shmid_kernel *shmseg;
91447636
A		 376 struct shmmap_state *shmmap_s = NULL;
377 struct shm_handle *shm_handle;
378 mach_vm_address_t attach_va; /* attach address in/out */
379 mach_vm_size_t map_size; /* size of map entry */
b0d623f7 380 mach_vm_size_t mapped_size;
3e170ce0
A		 381 vm_prot_t prot;
382 size_t size;
91447636 383 kern_return_t rv;
b0d623f7
A		 384 int shmat_ret;
385 int vm_flags;
386
387 shmat_ret = 0;
1c79356b 388
55e303ae 389 AUDIT_ARG(svipc_id, uap->shmid);
2d21ac55 390 AUDIT_ARG(svipc_addr, uap->shmaddr);
91447636
A		 391
392 SYSV_SHM_SUBSYS_LOCK();
393
39037602
A		 394 if ((shmat_ret = shminit())) {
395 goto shmat_out;
91447636
A		 396 }
397
1c79356b
A		 398 shmmap_s = (struct shmmap_state *)p->vm_shm;
399 if (shmmap_s == NULL) {
39037602
A		 400 /* lazily allocate the shm map */
401
402 int nsegs = shminfo.shmseg;
403 if (nsegs <= 0) {
404 shmat_ret = EMFILE;
405 goto shmat_out;
406 }
407
408 /* +1 for the sentinel */
409 if (os_add_and_mul_overflow(nsegs, 1, sizeof(struct shmmap_state), &size)) {
3e170ce0
A		 410 shmat_ret = ENOMEM;
411 goto shmat_out;
39037602
A		 412 }
413
813fb2f6 414 MALLOC(shmmap_s, struct shmmap_state *, size, M_SHM, M_WAITOK | M_NULL);
91447636
A		 415 if (shmmap_s == NULL) {
416 shmat_ret = ENOMEM;
417 goto shmat_out;
418 }
39037602
A		 419
420 /* initialize the entries */
421 for (i = 0; i < nsegs; i++) {
422 shmmap_s[i].shmid = SHMID_UNALLOCATED;
423 }
424 shmmap_s[i].shmid = SHMID_SENTINEL;
425
1c79356b
A		 426 p->vm_shm = (caddr_t)shmmap_s;
427 }
39037602 428
1c79356b 429 shmseg = shm_find_segment_by_shmid(uap->shmid);
91447636
A		 430 if (shmseg == NULL) {
431 shmat_ret = EINVAL;
432 goto shmat_out;
433 }
55e303ae 434
2d21ac55
A		 435 AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
436 error = ipcperm(kauth_cred_get(), &shmseg->u.shm_perm,
1c79356b 437 (uap->shmflg & SHM_RDONLY) ? IPC_R : IPC_R|IPC_W);
91447636
A		 438 if (error) {
439 shmat_ret = error;
440 goto shmat_out;
441 }
442
2d21ac55
A		 443#if CONFIG_MACF
444 error = mac_sysvshm_check_shmat(kauth_cred_get(), shmseg, uap->shmflg);
445 if (error) {
446 shmat_ret = error;
447 goto shmat_out;
448 }
449#endif
39037602
A		 450
451 /* find a free shmid */
452 while (SHMID_IS_VALID(shmmap_s->shmid)) {
1c79356b
A		 453 shmmap_s++;
454 }
39037602
A		 455 if (shmmap_s->shmid != SHMID_UNALLOCATED) {
456 /* no free shmids */
91447636
A		 457 shmat_ret = EMFILE;
458 goto shmat_out;
459 }
460
2d21ac55 461 map_size = mach_vm_round_page(shmseg->u.shm_segsz);
1c79356b
A		 462 prot = VM_PROT_READ;
463 if ((uap->shmflg & SHM_RDONLY) == 0)
464 prot |= VM_PROT_WRITE;
465 flags = MAP_ANON | MAP_SHARED;
91447636 466 if (uap->shmaddr)
1c79356b 467 flags |= MAP_FIXED;
91447636
A		 468
469 attach_va = (mach_vm_address_t)uap->shmaddr;
470 if (uap->shmflg & SHM_RND)
471 attach_va &= ~(SHMLBA-1);
472 else if ((attach_va & (SHMLBA-1)) != 0) {
473 shmat_ret = EINVAL;
474 goto shmat_out;
475 }
476
b0d623f7
A		 477 if (flags & MAP_FIXED) {
478 vm_flags = VM_FLAGS_FIXED;
479 } else {
480 vm_flags = VM_FLAGS_ANYWHERE;
481 }
482
483 mapped_size = 0;
484
485 /* first reserve enough space... */
5ba3f43e 486 rv = mach_vm_map_kernel(current_map(),
b0d623f7
A		 487 &attach_va,
488 map_size,
489 0,
490 vm_flags,
5ba3f43e 491 VM_KERN_MEMORY_NONE,
b0d623f7
A		 492 IPC_PORT_NULL,
493 0,
494 FALSE,
495 VM_PROT_NONE,
496 VM_PROT_NONE,
497 VM_INHERIT_NONE);
498 if (rv != KERN_SUCCESS) {
499 goto out;
500 }
91447636 501
b0d623f7
A		 502 shmmap_s->va = attach_va;
503
504 /* ... then map the shared memory over the reserved space */
505 for (shm_handle = CAST_DOWN(void *, shmseg->u.shm_internal);/* tunnel */
506 shm_handle != NULL;
507 shm_handle = shm_handle->shm_handle_next) {
508
509 rv = vm_map_enter_mem_object(
510 current_map(), /* process map */
511 &attach_va, /* attach address */
512 shm_handle->shm_handle_size, /* segment size */
513 (mach_vm_offset_t)0, /* alignment mask */
514 VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE,
5ba3f43e
A		 515 VM_MAP_KERNEL_FLAGS_NONE,
516 VM_KERN_MEMORY_NONE,
91447636
A		 517 shm_handle->shm_object,
518 (mach_vm_offset_t)0,
519 FALSE,
520 prot,
521 prot,
b0d623f7
A		 522 VM_INHERIT_SHARE);
523 if (rv != KERN_SUCCESS)
1c79356b 524 goto out;
91447636 525
b0d623f7
A		 526 mapped_size += shm_handle->shm_handle_size;
527 attach_va = attach_va + shm_handle->shm_handle_size;
1c79356b
A		 528 }
529
1c79356b 530 shmmap_s->shmid = uap->shmid;
2d21ac55
A		 531 shmseg->u.shm_lpid = p->p_pid;
532 shmseg->u.shm_atime = sysv_shmtime();
533 shmseg->u.shm_nattch++;
b0d623f7 534 *retval = shmmap_s->va; /* XXX return -1 on error */
91447636
A		 535 shmat_ret = 0;
536 goto shmat_out;
1c79356b 537out:
b0d623f7
A		 538 if (mapped_size > 0) {
539 (void) mach_vm_deallocate(current_map(),
540 shmmap_s->va,
541 mapped_size);
542 }
1c79356b
A		 543 switch (rv) {
544 case KERN_INVALID_ADDRESS:
545 case KERN_NO_SPACE:
91447636 546 shmat_ret = ENOMEM;
b0d623f7 547 break;
1c79356b 548 case KERN_PROTECTION_FAILURE:
91447636 549 shmat_ret = EACCES;
b0d623f7 550 break;
1c79356b 551 default:
91447636 552 shmat_ret = EINVAL;
b0d623f7 553 break;
1c79356b 554 }
91447636
A		 555shmat_out:
556 SYSV_SHM_SUBSYS_UNLOCK();
557 return shmat_ret;
1c79356b
A		 558}
559
1c79356b 560static int
91447636 561oshmctl(__unused void *p, __unused void *uap, __unused void *retval)
1c79356b 562{
1c79356b 563 return EINVAL;
1c79356b
A		 564}
565
2d21ac55
A		 566/*
567 * Returns: 0 Success
568 * EINVAL
569 * copyout:EFAULT
570 * copyin:EFAULT
571 * ipcperm:EPERM
572 * ipcperm:EACCES
573 */
1c79356b 574int
b0d623f7 575shmctl(__unused struct proc *p, struct shmctl_args *uap, int32_t *retval)
1c79356b
A		 576{
577 int error;
91447636
A		 578 kauth_cred_t cred = kauth_cred_get();
579 struct user_shmid_ds inbuf;
2d21ac55 580 struct shmid_kernel *shmseg;
91447636
A		 581
582 int shmctl_ret = 0;
1c79356b 583
55e303ae
A		 584 AUDIT_ARG(svipc_cmd, uap->cmd);
585 AUDIT_ARG(svipc_id, uap->shmid);
91447636
A		 586
587 SYSV_SHM_SUBSYS_LOCK();
588
39037602
A		 589 if ((shmctl_ret = shminit())) {
590 goto shmctl_out;
91447636
A		 591 }
592
1c79356b 593 shmseg = shm_find_segment_by_shmid(uap->shmid);
91447636
A		 594 if (shmseg == NULL) {
595 shmctl_ret = EINVAL;
596 goto shmctl_out;
597 }
598
55e303ae
A		 599 /* XXAUDIT: This is the perms BEFORE any change by this call. This
600 * may not be what is desired.
601 */
2d21ac55 602 AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
55e303ae 603
2d21ac55
A		 604#if CONFIG_MACF
605 error = mac_sysvshm_check_shmctl(cred, shmseg, uap->cmd);
606 if (error) {
607 shmctl_ret = error;
608 goto shmctl_out;
609 }
610#endif
1c79356b
A		 611 switch (uap->cmd) {
612 case IPC_STAT:
2d21ac55 613 error = ipcperm(cred, &shmseg->u.shm_perm, IPC_R);
91447636
A		 614 if (error) {
615 shmctl_ret = error;
616 goto shmctl_out;
617 }
618
619 if (IS_64BIT_PROCESS(p)) {
22ba694c
A		 620 struct user_shmid_ds shmid_ds;
621 memcpy(&shmid_ds, &shmseg->u, sizeof(struct user_shmid_ds));
622
623 /* Clear kernel reserved pointer before copying to user space */
624 shmid_ds.shm_internal = USER_ADDR_NULL;
625
626 error = copyout(&shmid_ds, uap->buf, sizeof(shmid_ds));
91447636 627 } else {
5ba3f43e 628 struct user32_shmid_ds shmid_ds32 = {};
2d21ac55 629 shmid_ds_64to32(&shmseg->u, &shmid_ds32);
22ba694c
A		 630
631 /* Clear kernel reserved pointer before copying to user space */
632 shmid_ds32.shm_internal = (user32_addr_t)0;
633
b0d623f7 634 error = copyout(&shmid_ds32, uap->buf, sizeof(shmid_ds32));
91447636
A		 635 }
636 if (error) {
637 shmctl_ret = error;
638 goto shmctl_out;
639 }
1c79356b
A		 640 break;
641 case IPC_SET:
2d21ac55 642 error = ipcperm(cred, &shmseg->u.shm_perm, IPC_M);
91447636
A		 643 if (error) {
644 shmctl_ret = error;
645 goto shmctl_out;
646 }
647 if (IS_64BIT_PROCESS(p)) {
648 error = copyin(uap->buf, &inbuf, sizeof(struct user_shmid_ds));
649 } else {
b0d623f7
A		 650 struct user32_shmid_ds shmid_ds32;
651 error = copyin(uap->buf, &shmid_ds32, sizeof(shmid_ds32));
91447636 652 /* convert in place; ugly, but safe */
b0d623f7 653 shmid_ds_32to64(&shmid_ds32, &inbuf);
91447636
A		 654 }
655 if (error) {
656 shmctl_ret = error;
657 goto shmctl_out;
658 }
2d21ac55
A		 659 shmseg->u.shm_perm.uid = inbuf.shm_perm.uid;
660 shmseg->u.shm_perm.gid = inbuf.shm_perm.gid;
661 shmseg->u.shm_perm.mode =
662 (shmseg->u.shm_perm.mode & ~ACCESSPERMS) |
1c79356b 663 (inbuf.shm_perm.mode & ACCESSPERMS);
2d21ac55 664 shmseg->u.shm_ctime = sysv_shmtime();
1c79356b
A		 665 break;
666 case IPC_RMID:
2d21ac55 667 error = ipcperm(cred, &shmseg->u.shm_perm, IPC_M);
91447636
A		 668 if (error) {
669 shmctl_ret = error;
670 goto shmctl_out;
671 }
2d21ac55
A		 672 shmseg->u.shm_perm._key = IPC_PRIVATE;
673 shmseg->u.shm_perm.mode |= SHMSEG_REMOVED;
674 if (shmseg->u.shm_nattch <= 0) {
1c79356b
A		 675 shm_deallocate_segment(shmseg);
676 shm_last_free = IPCID_TO_IX(uap->shmid);
677 }
678 break;
679#if 0
680 case SHM_LOCK:
681 case SHM_UNLOCK:
682#endif
683 default:
91447636
A		 684 shmctl_ret = EINVAL;
685 goto shmctl_out;
1c79356b 686 }
91447636
A		 687 *retval = 0;
688 shmctl_ret = 0;
689shmctl_out:
690 SYSV_SHM_SUBSYS_UNLOCK();
691 return shmctl_ret;
1c79356b
A		 692}
693
1c79356b 694static int
91447636 695shmget_existing(struct shmget_args *uap, int mode, int segnum, int *retval)
1c79356b 696{
2d21ac55
A		 697 struct shmid_kernel *shmseg;
698 int error = 0;
1c79356b
A		 699
700 shmseg = &shmsegs[segnum];
2d21ac55 701 if (shmseg->u.shm_perm.mode & SHMSEG_REMOVED) {
1c79356b
A		 702 /*
703 * This segment is in the process of being allocated. Wait
704 * until it's done, and look the key up again (in case the
705 * allocation failed or it was freed).
706 */
2d21ac55 707 shmseg->u.shm_perm.mode |= SHMSEG_WANTED;
1c79356b
A		 708 error = tsleep((caddr_t)shmseg, PLOCK | PCATCH, "shmget", 0);
709 if (error)
710 return error;
711 return EAGAIN;
712 }
2d21ac55
A		 713
714 /*
715 * The low 9 bits of shmflag are the mode bits being requested, which
716 * are the actual mode bits desired on the segment, and not in IPC_R
717 * form; therefore it would be incorrect to call ipcperm() to validate
718 * them; instead, we AND the existing mode with the requested mode, and
719 * verify that it matches the requested mode; otherwise, we fail with
720 * EACCES (access denied).
721 */
722 if ((shmseg->u.shm_perm.mode & mode) != mode)
723 return EACCES;
724
725#if CONFIG_MACF
726 error = mac_sysvshm_check_shmget(kauth_cred_get(), shmseg, uap->shmflg);
727 if (error)
728 return (error);
729#endif
730
731 if (uap->size && uap->size > shmseg->u.shm_segsz)
1c79356b 732 return EINVAL;
2d21ac55 733
1c79356b
A		 734 if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL))
735 return EEXIST;
2d21ac55
A		 736
737 *retval = IXSEQ_TO_IPCID(segnum, shmseg->u.shm_perm);
1c79356b
A		 738 return 0;
739}
740
741static int
91447636
A		 742shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode,
743 int *retval)
1c79356b 744{
2d21ac55 745 int i, segnum, shmid;
91447636 746 kauth_cred_t cred = kauth_cred_get();
2d21ac55 747 struct shmid_kernel *shmseg;
1c79356b
A		 748 struct shm_handle *shm_handle;
749 kern_return_t kret;
b0d623f7 750 mach_vm_size_t total_size, size, alloc_size;
1c79356b 751 void * mem_object;
b0d623f7 752 struct shm_handle *shm_handle_next, **shm_handle_next_p;
1c79356b 753
39037602
A		 754 if (uap->size <= 0 ||
755 uap->size < (user_size_t)shminfo.shmmin ||
756 uap->size > (user_size_t)shminfo.shmmax) {
1c79356b 757 return EINVAL;
39037602 758 }
1c79356b
A		 759 if (shm_nused >= shminfo.shmmni) /* any shmids left? */
760 return ENOSPC;
39037602
A		 761 if (mach_vm_round_page_overflow(uap->size, &total_size)) {
762 return EINVAL;
763 }
b0d623f7 764 if ((user_ssize_t)(shm_committed + btoc(total_size)) > shminfo.shmall)
1c79356b
A		 765 return ENOMEM;
766 if (shm_last_free < 0) {
767 for (i = 0; i < shminfo.shmmni; i++)
2d21ac55 768 if (shmsegs[i].u.shm_perm.mode & SHMSEG_FREE)
1c79356b
A		 769 break;
770 if (i == shminfo.shmmni)
771 panic("shmseg free count inconsistent");
772 segnum = i;
773 } else {
774 segnum = shm_last_free;
775 shm_last_free = -1;
776 }
777 shmseg = &shmsegs[segnum];
b0d623f7 778
1c79356b
A		 779 /*
780 * In case we sleep in malloc(), mark the segment present but deleted
781 * so that noone else tries to create the same key.
b0d623f7 782 * XXX but we don't release the global lock !?
1c79356b 783 */
2d21ac55
A		 784 shmseg->u.shm_perm.mode = SHMSEG_ALLOCATED | SHMSEG_REMOVED;
785 shmseg->u.shm_perm._key = uap->key;
786 shmseg->u.shm_perm._seq = (shmseg->u.shm_perm._seq + 1) & 0x7fff;
b0d623f7
A		 787
788 shm_handle_next_p = NULL;
789 for (alloc_size = 0;
790 alloc_size < total_size;
791 alloc_size += size) {
792 size = MIN(total_size - alloc_size, ANON_MAX_SIZE);
793 kret = mach_make_memory_entry_64(
794 VM_MAP_NULL,
795 (memory_object_size_t *) &size,
796 (memory_object_offset_t) 0,
797 MAP_MEM_NAMED_CREATE | VM_PROT_DEFAULT,
798 (ipc_port_t *) &mem_object, 0);
799 if (kret != KERN_SUCCESS)
800 goto out;
801
802 MALLOC(shm_handle, struct shm_handle *, sizeof(struct shm_handle), M_SHM, M_WAITOK);
803 if (shm_handle == NULL) {
804 kret = KERN_NO_SPACE;
805 mach_memory_entry_port_release(mem_object);
806 mem_object = NULL;
807 goto out;
808 }
809 shm_handle->shm_object = mem_object;
810 shm_handle->shm_handle_size = size;
811 shm_handle->shm_handle_next = NULL;
812 if (shm_handle_next_p == NULL) {
813 shmseg->u.shm_internal = CAST_USER_ADDR_T(shm_handle);/* tunnel */
814 } else {
815 *shm_handle_next_p = shm_handle;
816 }
817 shm_handle_next_p = &shm_handle->shm_handle_next;
91447636 818 }
b0d623f7 819
2d21ac55 820 shmid = IXSEQ_TO_IPCID(segnum, shmseg->u.shm_perm);
1c79356b 821
2d21ac55 822 shmseg->u.shm_perm.cuid = shmseg->u.shm_perm.uid = kauth_cred_getuid(cred);
6d2010ae 823 shmseg->u.shm_perm.cgid = shmseg->u.shm_perm.gid = kauth_cred_getgid(cred);
2d21ac55 824 shmseg->u.shm_perm.mode = (shmseg->u.shm_perm.mode & SHMSEG_WANTED) |
1c79356b 825 (mode & ACCESSPERMS) | SHMSEG_ALLOCATED;
2d21ac55
A		 826 shmseg->u.shm_segsz = uap->size;
827 shmseg->u.shm_cpid = p->p_pid;
828 shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0;
829 shmseg->u.shm_atime = shmseg->u.shm_dtime = 0;
830#if CONFIG_MACF
831 mac_sysvshm_label_associate(cred, shmseg);
832#endif
833 shmseg->u.shm_ctime = sysv_shmtime();
1c79356b
A		 834 shm_committed += btoc(size);
835 shm_nused++;
2d21ac55
A		 836 AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
837 if (shmseg->u.shm_perm.mode & SHMSEG_WANTED) {
1c79356b
A		 838 /*
839 * Somebody else wanted this key while we were asleep. Wake
840 * them up now.
841 */
2d21ac55 842 shmseg->u.shm_perm.mode &= ~SHMSEG_WANTED;
1c79356b
A		 843 wakeup((caddr_t)shmseg);
844 }
845 *retval = shmid;
55e303ae 846 AUDIT_ARG(svipc_id, shmid);
1c79356b
A		 847 return 0;
848out:
b0d623f7
A		 849 if (kret != KERN_SUCCESS) {
850 for (shm_handle = CAST_DOWN(void *,shmseg->u.shm_internal); /* tunnel */
851 shm_handle != NULL;
852 shm_handle = shm_handle_next) {
853 shm_handle_next = shm_handle->shm_handle_next;
854 mach_memory_entry_port_release(shm_handle->shm_object);
855 FREE((caddr_t) shm_handle, M_SHM);
856 }
857 shmseg->u.shm_internal = USER_ADDR_NULL; /* tunnel */
858 }
859
1c79356b
A		 860 switch (kret) {
861 case KERN_INVALID_ADDRESS:
862 case KERN_NO_SPACE:
863 return (ENOMEM);
864 case KERN_PROTECTION_FAILURE:
865 return (EACCES);
866 default:
867 return (EINVAL);
868 }
869
870}
871
872int
b0d623f7 873shmget(struct proc *p, struct shmget_args *uap, int32_t *retval)
1c79356b
A		 874{
875 int segnum, mode, error;
91447636 876 int shmget_ret = 0;
39037602 877
55e303ae 878 /* Auditing is actually done in shmget_allocate_segment() */
91447636
A		 879
880 SYSV_SHM_SUBSYS_LOCK();
881
39037602
A		 882 if ((shmget_ret = shminit())) {
883 goto shmget_out;
91447636 884 }
9bccf70c 885
1c79356b
A		 886 mode = uap->shmflg & ACCESSPERMS;
887 if (uap->key != IPC_PRIVATE) {
888 again:
889 segnum = shm_find_segment_by_key(uap->key);
890 if (segnum >= 0) {
91447636 891 error = shmget_existing(uap, mode, segnum, retval);
1c79356b
A		 892 if (error == EAGAIN)
893 goto again;
91447636
A		 894 shmget_ret = error;
895 goto shmget_out;
896 }
897 if ((uap->shmflg & IPC_CREAT) == 0) {
898 shmget_ret = ENOENT;
899 goto shmget_out;
1c79356b 900 }
1c79356b 901 }
91447636
A		 902 shmget_ret = shmget_allocate_segment(p, uap, mode, retval);
903shmget_out:
904 SYSV_SHM_SUBSYS_UNLOCK();
905 return shmget_ret;
1c79356b
A		 906}
907
b0d623f7
A		 908/*
909 * shmsys
910 *
911 * Entry point for all SHM calls: shmat, oshmctl, shmdt, shmget, shmctl
912 *
913 * Parameters: p Process requesting the call
914 * uap User argument descriptor (see below)
915 * retval Return value of the selected shm call
916 *
917 * Indirect parameters: uap->which msg call to invoke (index in array of shm calls)
918 * uap->a2 User argument descriptor
919 *
920 * Returns: 0 Success
921 * !0 Not success
922 *
923 * Implicit returns: retval Return value of the selected shm call
924 *
925 * DEPRECATED: This interface should not be used to call the other SHM
926 * functions (shmat, oshmctl, shmdt, shmget, shmctl). The correct
927 * usage is to call the other SHM functions directly.
928 */
1c79356b 929int
b0d623f7 930shmsys(struct proc *p, struct shmsys_args *uap, int32_t *retval)
1c79356b
A		 931{
932
91447636 933 /* The routine that we are dispatching already does this */
9bccf70c 934
1c79356b
A		 935 if (uap->which >= sizeof(shmcalls)/sizeof(shmcalls[0]))
936 return EINVAL;
937 return ((*shmcalls[uap->which])(p, &uap->a2, retval));
938}
939
91447636
A		 940/*
941 * Return 0 on success, 1 on failure.
942 */
943int
944shmfork(struct proc *p1, struct proc *p2)
1c79356b
A		 945{
946 struct shmmap_state *shmmap_s;
39037602
A		 947 size_t size;
948 int nsegs = 0;
949 int ret = 0;
1c79356b 950
91447636
A		 951 SYSV_SHM_SUBSYS_LOCK();
952
39037602
A		 953 if (shminit()) {
954 ret = 1;
955 goto shmfork_out;
956 }
957
958 struct shmmap_state *src = (struct shmmap_state *)p1->vm_shm;
959 assert(src);
960
961 /* count number of shmid entries in src */
962 for (struct shmmap_state *s = src; s->shmid != SHMID_SENTINEL; s++) {
963 nsegs++;
964 }
965
966 if (os_add_and_mul_overflow(nsegs, 1, sizeof(struct shmmap_state), &size)) {
967 ret = 1;
968 goto shmfork_out;
91447636 969 }
91447636 970 MALLOC(shmmap_s, struct shmmap_state *, size, M_SHM, M_WAITOK);
39037602
A		 971 if (shmmap_s == NULL) {
972 ret = 1;
91447636
A		 973 goto shmfork_out;
974 }
975
39037602
A		 976 bcopy(src, (caddr_t)shmmap_s, size);
977 p2->vm_shm = (caddr_t)shmmap_s;
978 for (; shmmap_s->shmid != SHMID_SENTINEL; shmmap_s++) {
979 if (SHMID_IS_VALID(shmmap_s->shmid)) {
980 shmsegs[IPCID_TO_IX(shmmap_s->shmid)].u.shm_nattch++;
981 }
982 }
983
91447636
A		 984shmfork_out:
985 SYSV_SHM_SUBSYS_UNLOCK();
39037602 986 return ret;
1c79356b
A		 987}
988
39037602
A		 989static void
990shmcleanup(struct proc *p, int deallocate)
1c79356b
A		 991{
992 struct shmmap_state *shmmap_s;
91447636
A		 993
994 SYSV_SHM_SUBSYS_LOCK();
39037602
A		 995
996 shmmap_s = (struct shmmap_state *)p->vm_shm;
997 for (; shmmap_s->shmid != SHMID_SENTINEL; shmmap_s++) {
998 if (SHMID_IS_VALID(shmmap_s->shmid)) {
2d21ac55
A		 999 /*
1000 * XXX: Should the MAC framework enforce
1001 * check here as well.
1002 */
39037602
A		 1003 shm_delete_mapping(p, shmmap_s, deallocate);
1004 }
1005 }
1006
55e303ae
A		 1007 FREE((caddr_t)p->vm_shm, M_SHM);
1008 p->vm_shm = NULL;
91447636 1009 SYSV_SHM_SUBSYS_UNLOCK();
55e303ae
A		 1010}
1011
39037602
A		 1012void
1013shmexit(struct proc *p)
1014{
1015 shmcleanup(p, 1);
1016}
1017
55e303ae
A		 1018/*
1019 * shmexec() is like shmexit(), only it doesn't delete the mappings,
1020 * since the old address space has already been destroyed and the new
1021 * one instantiated. Instead, it just does the housekeeping work we
1022 * need to do to keep the System V shared memory subsystem sane.
1023 */
1024__private_extern__ void
91447636 1025shmexec(struct proc *p)
55e303ae 1026{
39037602 1027 shmcleanup(p, 0);
1c79356b
A		 1028}
1029
39037602
A		 1030int
1031shminit(void)
1c79356b 1032{
39037602 1033 size_t sz;
1c79356b 1034 int i;
1c79356b 1035
9bccf70c 1036 if (!shm_inited) {
91447636
A		 1037 /*
1038 * we store internally 64 bit, since if we didn't, we would
1039 * be unable to represent a segment size in excess of 32 bits
1040 * with the (struct shmid_ds)->shm_segsz field; also, POSIX
1041 * dictates this filed be a size_t, which is 64 bits when
1042 * running 64 bit binaries.
1043 */
39037602
A		 1044 if (os_mul_overflow(shminfo.shmmni, sizeof(struct shmid_kernel), &sz)) {
1045 return ENOMEM;
1046 }
9bccf70c 1047
39037602 1048 MALLOC(shmsegs, struct shmid_kernel *, sz, M_SHM, M_WAITOK);
91447636 1049 if (shmsegs == NULL) {
39037602 1050 return ENOMEM;
91447636 1051 }
9bccf70c 1052 for (i = 0; i < shminfo.shmmni; i++) {
2d21ac55
A		 1053 shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
1054 shmsegs[i].u.shm_perm._seq = 0;
1055#if CONFIG_MACF
1056 mac_sysvshm_label_init(&shmsegs[i]);
1057#endif
9bccf70c
A		 1058 }
1059 shm_last_free = 0;
1060 shm_nused = 0;
1061 shm_committed = 0;
1062 shm_inited = 1;
1063 }
39037602
A		 1064
1065 return 0;
9bccf70c 1066}
39037602 1067
91447636
A		 1068/* Initialize the mutex governing access to the SysV shm subsystem */
1069__private_extern__ void
1070sysv_shm_lock_init( void )
1071{
1072
1073 sysv_shm_subsys_lck_grp_attr = lck_grp_attr_alloc_init();
91447636
A		 1074
1075 sysv_shm_subsys_lck_grp = lck_grp_alloc_init("sysv_shm_subsys_lock", sysv_shm_subsys_lck_grp_attr);
1076
1077 sysv_shm_subsys_lck_attr = lck_attr_alloc_init();
91447636
A		 1078 lck_mtx_init(&sysv_shm_subsys_mutex, sysv_shm_subsys_lck_grp, sysv_shm_subsys_lck_attr);
1079}
9bccf70c
A		 1080
1081/* (struct sysctl_oid *oidp, void *arg1, int arg2, \
1082 struct sysctl_req *req) */
1083static int
91447636
A		 1084sysctl_shminfo(__unused struct sysctl_oid *oidp, void *arg1,
1085 __unused int arg2, struct sysctl_req *req)
9bccf70c
A		 1086{
1087 int error = 0;
91447636 1088 int sysctl_shminfo_ret = 0;
39037602
A		 1089 int64_t saved_shmmax;
1090 int64_t saved_shmmin;
1091 int64_t saved_shmseg;
1092 int64_t saved_shmmni;
1093 int64_t saved_shmall;
9bccf70c 1094
0c530ab8 1095 error = SYSCTL_OUT(req, arg1, sizeof(int64_t));
91447636 1096 if (error || req->newptr == USER_ADDR_NULL)
9bccf70c 1097 return(error);
1c79356b 1098
91447636 1099 SYSV_SHM_SUBSYS_LOCK();
91447636 1100
2d21ac55
A		 1101 /* shmmni can not be changed after SysV SHM has been initialized */
1102 if (shm_inited && arg1 == &shminfo.shmmni) {
1103 sysctl_shminfo_ret = EPERM;
1104 goto sysctl_shminfo_out;
1105 }
3e170ce0 1106 saved_shmmax = shminfo.shmmax;
39037602 1107 saved_shmmin = shminfo.shmmin;
3e170ce0
A		 1108 saved_shmseg = shminfo.shmseg;
1109 saved_shmmni = shminfo.shmmni;
1110 saved_shmall = shminfo.shmall;
9bccf70c 1111
2d21ac55
A		 1112 if ((error = SYSCTL_IN(req, arg1, sizeof(int64_t))) != 0) {
1113 sysctl_shminfo_ret = error;
1114 goto sysctl_shminfo_out;
1115 }
1116
1117 if (arg1 == &shminfo.shmmax) {
1118 /* shmmax needs to be page-aligned */
39037602 1119 if (shminfo.shmmax & PAGE_MASK_64 || shminfo.shmmax < 0) {
2d21ac55
A		 1120 shminfo.shmmax = saved_shmmax;
1121 sysctl_shminfo_ret = EINVAL;
1122 goto sysctl_shminfo_out;
9bccf70c 1123 }
1c79356b 1124 }
39037602
A		 1125 else if (arg1 == &shminfo.shmmin) {
1126 if (shminfo.shmmin < 0) {
1127 shminfo.shmmin = saved_shmmin;
1128 sysctl_shminfo_ret = EINVAL;
1129 goto sysctl_shminfo_out;
1130 }
1131 }
3e170ce0
A		 1132 else if (arg1 == &shminfo.shmseg) {
1133 /* add a sanity check - 20847256 */
1134 if (shminfo.shmseg > INT32_MAX || shminfo.shmseg < 0) {
1135 shminfo.shmseg = saved_shmseg;
1136 sysctl_shminfo_ret = EINVAL;
1137 goto sysctl_shminfo_out;
1138 }
1139 }
1140 else if (arg1 == &shminfo.shmmni) {
1141 /* add a sanity check - 20847256 */
1142 if (shminfo.shmmni > INT32_MAX || shminfo.shmmni < 0) {
1143 shminfo.shmmni = saved_shmmni;
1144 sysctl_shminfo_ret = EINVAL;
1145 goto sysctl_shminfo_out;
1146 }
1147 }
1148 else if (arg1 == &shminfo.shmall) {
1149 /* add a sanity check - 20847256 */
1150 if (shminfo.shmall > INT32_MAX || shminfo.shmall < 0) {
1151 shminfo.shmall = saved_shmall;
1152 sysctl_shminfo_ret = EINVAL;
1153 goto sysctl_shminfo_out;
1154 }
1155 }
91447636
A		 1156 sysctl_shminfo_ret = 0;
1157sysctl_shminfo_out:
1158 SYSV_SHM_SUBSYS_UNLOCK();
1159 return sysctl_shminfo_ret;
1160}
1161
1162static int
1163IPCS_shm_sysctl(__unused struct sysctl_oid *oidp, __unused void *arg1,
1164 __unused int arg2, struct sysctl_req *req)
1165{
1166 int error;
1167 int cursor;
1168 union {
b0d623f7 1169 struct user32_IPCS_command u32;
91447636
A		 1170 struct user_IPCS_command u64;
1171 } ipcs;
5ba3f43e 1172 struct user32_shmid_ds shmid_ds32 = {}; /* post conversion, 32 bit version */
22ba694c 1173 struct user_shmid_ds shmid_ds; /* 64 bit version */
91447636
A		 1174 void *shmid_dsp;
1175 size_t ipcs_sz = sizeof(struct user_IPCS_command);
1176 size_t shmid_ds_sz = sizeof(struct user_shmid_ds);
1177 struct proc *p = current_proc();
1178
91447636
A		 1179 SYSV_SHM_SUBSYS_LOCK();
1180
39037602
A		 1181 if ((error = shminit())) {
1182 goto ipcs_shm_sysctl_out;
91447636
A		 1183 }
1184
1185 if (!IS_64BIT_PROCESS(p)) {
b0d623f7
A		 1186 ipcs_sz = sizeof(struct user32_IPCS_command);
1187 shmid_ds_sz = sizeof(struct user32_shmid_ds);
91447636
A		 1188 }
1189
1190 /* Copy in the command structure */
1191 if ((error = SYSCTL_IN(req, &ipcs, ipcs_sz)) != 0) {
1192 goto ipcs_shm_sysctl_out;
1193 }
1194
1195 if (!IS_64BIT_PROCESS(p)) /* convert in place */
1196 ipcs.u64.ipcs_data = CAST_USER_ADDR_T(ipcs.u32.ipcs_data);
1197
1198 /* Let us version this interface... */
1199 if (ipcs.u64.ipcs_magic != IPCS_MAGIC) {
1200 error = EINVAL;
1201 goto ipcs_shm_sysctl_out;
1202 }
1203
1204 switch(ipcs.u64.ipcs_op) {
1205 case IPCS_SHM_CONF: /* Obtain global configuration data */
1206 if (ipcs.u64.ipcs_datalen != sizeof(struct shminfo)) {
1207 if (ipcs.u64.ipcs_cursor != 0) { /* fwd. compat. */
1208 error = ENOMEM;
1209 break;
1210 }
1211 error = ERANGE;
1212 break;
1213 }
1214 error = copyout(&shminfo, ipcs.u64.ipcs_data, ipcs.u64.ipcs_datalen);
1215 break;
1216
1217 case IPCS_SHM_ITER: /* Iterate over existing segments */
1218 cursor = ipcs.u64.ipcs_cursor;
1219 if (cursor < 0 || cursor >= shminfo.shmmni) {
1220 error = ERANGE;
1221 break;
1222 }
1223 if (ipcs.u64.ipcs_datalen != (int)shmid_ds_sz) {
2d21ac55 1224 error = EINVAL;
91447636
A		 1225 break;
1226 }
1227 for( ; cursor < shminfo.shmmni; cursor++) {
2d21ac55 1228 if (shmsegs[cursor].u.shm_perm.mode & SHMSEG_ALLOCATED)
91447636
A		 1229 break;
1230 continue;
1231 }
1232 if (cursor == shminfo.shmmni) {
1233 error = ENOENT;
1234 break;
1235 }
1236
1237 shmid_dsp = &shmsegs[cursor]; /* default: 64 bit */
1238
1239 /*
1240 * If necessary, convert the 64 bit kernel segment
1241 * descriptor to a 32 bit user one.
1242 */
1243 if (!IS_64BIT_PROCESS(p)) {
1244 shmid_ds_64to32(shmid_dsp, &shmid_ds32);
22ba694c
A		 1245
1246 /* Clear kernel reserved pointer before copying to user space */
1247 shmid_ds32.shm_internal = (user32_addr_t)0;
1248
91447636 1249 shmid_dsp = &shmid_ds32;
22ba694c
A		 1250 } else {
1251 memcpy(&shmid_ds, shmid_dsp, sizeof(shmid_ds));
1252
1253 /* Clear kernel reserved pointer before copying to user space */
1254 shmid_ds.shm_internal = USER_ADDR_NULL;
1255
1256 shmid_dsp = &shmid_ds;
91447636
A		 1257 }
1258 error = copyout(shmid_dsp, ipcs.u64.ipcs_data, ipcs.u64.ipcs_datalen);
1259 if (!error) {
1260 /* update cursor */
1261 ipcs.u64.ipcs_cursor = cursor + 1;
1262
1263 if (!IS_64BIT_PROCESS(p)) /* convert in place */
b0d623f7
A		 1264 ipcs.u32.ipcs_data = CAST_DOWN_EXPLICIT(user32_addr_t,ipcs.u64.ipcs_data);
1265
1266 error = SYSCTL_OUT(req, &ipcs, ipcs_sz);
91447636
A		 1267 }
1268 break;
1269
1270 default:
1271 error = EINVAL;
1272 break;
1273 }
1274ipcs_shm_sysctl_out:
1275 SYSV_SHM_SUBSYS_UNLOCK();
1276 return(error);
1c79356b 1277}
9bccf70c 1278
6d2010ae 1279SYSCTL_NODE(_kern, KERN_SYSV, sysv, CTLFLAG_RW | CTLFLAG_LOCKED | CTLFLAG_ANYBODY, 0, "SYSV");
9bccf70c 1280
6d2010ae 1281SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmax, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
91447636 1282 &shminfo.shmmax, 0, &sysctl_shminfo ,"Q","shmmax");
9bccf70c 1283
6d2010ae 1284SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmin, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
91447636 1285 &shminfo.shmmin, 0, &sysctl_shminfo ,"Q","shmmin");
9bccf70c 1286
6d2010ae 1287SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmni, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
91447636 1288 &shminfo.shmmni, 0, &sysctl_shminfo ,"Q","shmmni");
9bccf70c 1289
6d2010ae 1290SYSCTL_PROC(_kern_sysv, OID_AUTO, shmseg, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
91447636 1291 &shminfo.shmseg, 0, &sysctl_shminfo ,"Q","shmseg");
9bccf70c 1292
6d2010ae 1293SYSCTL_PROC(_kern_sysv, OID_AUTO, shmall, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
91447636 1294 &shminfo.shmall, 0, &sysctl_shminfo ,"Q","shmall");
9bccf70c 1295
6d2010ae 1296SYSCTL_NODE(_kern_sysv, OID_AUTO, ipcs, CTLFLAG_RW | CTLFLAG_LOCKED | CTLFLAG_ANYBODY, 0, "SYSVIPCS");
9bccf70c 1297
6d2010ae 1298SYSCTL_PROC(_kern_sysv_ipcs, OID_AUTO, shm, CTLFLAG_RW | CTLFLAG_ANYBODY | CTLFLAG_LOCKED,
91447636
A		 1299 0, 0, IPCS_shm_sysctl,
1300 "S,IPCS_shm_command",
1301 "ipcs shm command interface");
2d21ac55
A		 1302#endif /* SYSV_SHM */
1303
1304/* DSEP Review Done pl-20051108-v02 @2743,@2908,@2913,@3009 */
mirror of XNU