]> git.saurik.com Git - apple/xnu.git/blame - bsd/kern/sysv_shm.c
xnu-6153.81.5.tar.gz
[apple/xnu.git] / bsd / kern / sysv_shm.c
CommitLineData
1c79356b 1/*
cb323159 2 * Copyright (c) 2000-2019 Apple Inc. All rights reserved.
5d5c5d0d 3 *
2d21ac55 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
0a7de745 5 *
2d21ac55
A
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
0a7de745 14 *
2d21ac55
A
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
0a7de745 17 *
2d21ac55
A
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
8f6c56a5
A
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
2d21ac55
A
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
0a7de745 25 *
2d21ac55 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
1c79356b
A
27 */
28/* $NetBSD: sysv_shm.c,v 1.23 1994/07/04 23:25:12 glass Exp $ */
29
30/*
31 * Copyright (c) 1994 Adam Glass and Charles Hannum. All rights reserved.
32 *
33 * Redistribution and use in source and binary forms, with or without
34 * modification, are permitted provided that the following conditions
35 * are met:
36 * 1. Redistributions of source code must retain the above copyright
37 * notice, this list of conditions and the following disclaimer.
38 * 2. Redistributions in binary form must reproduce the above copyright
39 * notice, this list of conditions and the following disclaimer in the
40 * documentation and/or other materials provided with the distribution.
41 * 3. All advertising materials mentioning features or use of this software
42 * must display the following acknowledgement:
43 * This product includes software developed by Adam Glass and Charles
44 * Hannum.
45 * 4. The names of the authors may not be used to endorse or promote products
46 * derived from this software without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR
49 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
50 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
51 * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT,
52 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
53 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
54 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
55 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
56 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
57 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
58 */
2d21ac55
A
59/*
60 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
61 * support for mandatory and extensible security protections. This notice
62 * is included in support of clause 2.2 (b) of the Apple Public License,
63 * Version 2.0.
64 * Copyright (c) 2005-2006 SPARTA, Inc.
0a7de745 65 */
1c79356b
A
66
67
9bccf70c 68#include <sys/appleapiopts.h>
1c79356b
A
69#include <sys/param.h>
70#include <sys/systm.h>
71#include <sys/kernel.h>
91447636
A
72#include <sys/shm_internal.h>
73#include <sys/proc_internal.h>
74#include <sys/kauth.h>
1c79356b
A
75#include <sys/malloc.h>
76#include <sys/mman.h>
77#include <sys/stat.h>
9bccf70c 78#include <sys/sysctl.h>
91447636
A
79#include <sys/ipcs.h>
80#include <sys/sysent.h>
81#include <sys/sysproto.h>
2d21ac55
A
82#if CONFIG_MACF
83#include <security/mac_framework.h>
84#endif
e5568f75 85
b0d623f7 86#include <security/audit/audit.h>
1c79356b
A
87
88#include <mach/mach_types.h>
89#include <mach/vm_inherit.h>
91447636
A
90#include <mach/vm_map.h>
91
92#include <mach/mach_vm.h>
93
1c79356b 94#include <vm/vm_map.h>
91447636 95#include <vm/vm_protos.h>
3e170ce0 96#include <vm/vm_kern.h>
1c79356b 97
91447636 98#include <kern/locks.h>
39037602 99#include <os/overflow.h>
1c79356b 100
2d21ac55
A
101/* Uncomment this line to see MAC debugging output. */
102/* #define MAC_DEBUG */
103#if CONFIG_MACF_DEBUG
0a7de745 104#define MPRINTF(a) printf a
2d21ac55 105#else
0a7de745 106#define MPRINTF(a)
2d21ac55
A
107#endif
108
109#if SYSV_SHM
39037602 110static int shminit(void);
1c79356b 111
91447636
A
112static lck_grp_t *sysv_shm_subsys_lck_grp;
113static lck_grp_attr_t *sysv_shm_subsys_lck_grp_attr;
114static lck_attr_t *sysv_shm_subsys_lck_attr;
115static lck_mtx_t sysv_shm_subsys_mutex;
1c79356b 116
91447636
A
117#define SYSV_SHM_SUBSYS_LOCK() lck_mtx_lock(&sysv_shm_subsys_mutex)
118#define SYSV_SHM_SUBSYS_UNLOCK() lck_mtx_unlock(&sysv_shm_subsys_mutex)
119
120static int oshmctl(void *p, void *uap, void *retval);
121static int shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode, int * retval);
122static int shmget_existing(struct shmget_args *uap, int mode, int segnum, int * retval);
b0d623f7
A
123static void shmid_ds_64to32(struct user_shmid_ds *in, struct user32_shmid_ds *out);
124static void shmid_ds_32to64(struct user32_shmid_ds *in, struct user_shmid_ds *out);
1c79356b
A
125
126/* XXX casting to (sy_call_t *) is bogus, as usual. */
cb323159 127static sy_call_t* const shmcalls[] = {
1c79356b
A
128 (sy_call_t *)shmat, (sy_call_t *)oshmctl,
129 (sy_call_t *)shmdt, (sy_call_t *)shmget,
130 (sy_call_t *)shmctl
131};
132
0a7de745
A
133#define SHMSEG_FREE 0x0200
134#define SHMSEG_REMOVED 0x0400
135#define SHMSEG_ALLOCATED 0x0800
136#define SHMSEG_WANTED 0x1000
1c79356b
A
137
138static int shm_last_free, shm_nused, shm_committed;
0a7de745 139struct shmid_kernel *shmsegs; /* 64 bit version */
9bccf70c 140static int shm_inited = 0;
1c79356b 141
b0d623f7
A
142/*
143 * Since anonymous memory chunks are limited to ANON_MAX_SIZE bytes,
144 * we have to keep a list of chunks when we want to handle a shared memory
145 * segment bigger than ANON_MAX_SIZE.
146 * Each chunk points to a VM named entry of up to ANON_MAX_SIZE bytes
147 * of anonymous memory.
148 */
1c79356b 149struct shm_handle {
0a7de745
A
150 void * shm_object; /* named entry for this chunk*/
151 memory_object_size_t shm_handle_size; /* size of this chunk */
152 struct shm_handle *shm_handle_next; /* next chunk */
1c79356b
A
153};
154
155struct shmmap_state {
0a7de745
A
156 mach_vm_address_t va; /* user address */
157 int shmid; /* segment id */
1c79356b
A
158};
159
2d21ac55 160static void shm_deallocate_segment(struct shmid_kernel *);
91447636 161static int shm_find_segment_by_key(key_t);
2d21ac55 162static struct shmid_kernel *shm_find_segment_by_shmid(int);
91447636 163static int shm_delete_mapping(struct proc *, struct shmmap_state *, int);
1c79356b 164
9bccf70c 165#ifdef __APPLE_API_PRIVATE
0a7de745
A
166#define DEFAULT_SHMMAX (4 * 1024 * 1024)
167#define DEFAULT_SHMMIN 1
168#define DEFAULT_SHMMNI 32
169#define DEFAULT_SHMSEG 8
170#define DEFAULT_SHMALL 1024
3e170ce0 171
39037602 172struct shminfo shminfo = {
cb323159
A
173 .shmmax = DEFAULT_SHMMAX,
174 .shmmin = DEFAULT_SHMMIN,
175 .shmmni = DEFAULT_SHMMNI,
176 .shmseg = DEFAULT_SHMSEG,
177 .shmall = DEFAULT_SHMALL
9bccf70c 178};
39037602
A
179
180#define SHMID_IS_VALID(x) ((x) >= 0)
181#define SHMID_UNALLOCATED (-1)
182#define SHMID_SENTINEL (-2)
183
9bccf70c
A
184#endif /* __APPLE_API_PRIVATE */
185
91447636
A
186void sysv_shm_lock_init(void);
187
188static __inline__ time_t
189sysv_shmtime(void)
190{
0a7de745 191 struct timeval tv;
91447636 192 microtime(&tv);
0a7de745 193 return tv.tv_sec;
91447636
A
194}
195
196/*
197 * This conversion is safe, since if we are converting for a 32 bit process,
198 * then it's value of (struct shmid_ds)->shm_segsz will never exceed 4G.
199 *
200 * NOTE: Source and target may *NOT* overlap! (target is smaller)
201 */
202static void
b0d623f7 203shmid_ds_64to32(struct user_shmid_ds *in, struct user32_shmid_ds *out)
91447636
A
204{
205 out->shm_perm = in->shm_perm;
b0d623f7 206 out->shm_segsz = in->shm_segsz;
91447636
A
207 out->shm_lpid = in->shm_lpid;
208 out->shm_cpid = in->shm_cpid;
209 out->shm_nattch = in->shm_nattch;
210 out->shm_atime = in->shm_atime;
211 out->shm_dtime = in->shm_dtime;
212 out->shm_ctime = in->shm_ctime;
0a7de745 213 out->shm_internal = CAST_DOWN_EXPLICIT(int, in->shm_internal);
91447636
A
214}
215
216/*
217 * NOTE: Source and target may are permitted to overlap! (source is smaller);
218 * this works because we copy fields in order from the end of the struct to
219 * the beginning.
220 */
221static void
b0d623f7 222shmid_ds_32to64(struct user32_shmid_ds *in, struct user_shmid_ds *out)
91447636 223{
b0d623f7 224 out->shm_internal = in->shm_internal;
91447636
A
225 out->shm_ctime = in->shm_ctime;
226 out->shm_dtime = in->shm_dtime;
227 out->shm_atime = in->shm_atime;
228 out->shm_nattch = in->shm_nattch;
229 out->shm_cpid = in->shm_cpid;
230 out->shm_lpid = in->shm_lpid;
b0d623f7 231 out->shm_segsz = in->shm_segsz;
91447636
A
232 out->shm_perm = in->shm_perm;
233}
234
235
1c79356b 236static int
91447636 237shm_find_segment_by_key(key_t key)
1c79356b
A
238{
239 int i;
240
0a7de745 241 for (i = 0; i < shminfo.shmmni; i++) {
2d21ac55 242 if ((shmsegs[i].u.shm_perm.mode & SHMSEG_ALLOCATED) &&
0a7de745 243 shmsegs[i].u.shm_perm._key == key) {
1c79356b 244 return i;
0a7de745
A
245 }
246 }
1c79356b
A
247 return -1;
248}
249
2d21ac55 250static struct shmid_kernel *
91447636 251shm_find_segment_by_shmid(int shmid)
1c79356b
A
252{
253 int segnum;
2d21ac55 254 struct shmid_kernel *shmseg;
1c79356b
A
255
256 segnum = IPCID_TO_IX(shmid);
0a7de745 257 if (segnum < 0 || segnum >= shminfo.shmmni) {
1c79356b 258 return NULL;
0a7de745 259 }
1c79356b 260 shmseg = &shmsegs[segnum];
2d21ac55 261 if ((shmseg->u.shm_perm.mode & (SHMSEG_ALLOCATED | SHMSEG_REMOVED))
1c79356b 262 != SHMSEG_ALLOCATED ||
0a7de745 263 shmseg->u.shm_perm._seq != IPCID_TO_SEQ(shmid)) {
1c79356b 264 return NULL;
0a7de745 265 }
1c79356b
A
266 return shmseg;
267}
268
269static void
2d21ac55 270shm_deallocate_segment(struct shmid_kernel *shmseg)
1c79356b 271{
b0d623f7 272 struct shm_handle *shm_handle, *shm_handle_next;
91447636 273 mach_vm_size_t size;
1c79356b 274
0a7de745
A
275 for (shm_handle = CAST_DOWN(void *, shmseg->u.shm_internal); /* tunnel */
276 shm_handle != NULL;
277 shm_handle = shm_handle_next) {
b0d623f7
A
278 shm_handle_next = shm_handle->shm_handle_next;
279 mach_memory_entry_port_release(shm_handle->shm_object);
0a7de745 280 FREE(shm_handle, M_SHM);
b0d623f7 281 }
0a7de745 282 shmseg->u.shm_internal = USER_ADDR_NULL; /* tunnel */
b0d623f7 283 size = mach_vm_round_page(shmseg->u.shm_segsz);
1c79356b
A
284 shm_committed -= btoc(size);
285 shm_nused--;
2d21ac55
A
286 shmseg->u.shm_perm.mode = SHMSEG_FREE;
287#if CONFIG_MACF
288 /* Reset the MAC label */
289 mac_sysvshm_label_recycle(shmseg);
290#endif
1c79356b
A
291}
292
293static int
91447636 294shm_delete_mapping(__unused struct proc *p, struct shmmap_state *shmmap_s,
0a7de745 295 int deallocate)
1c79356b 296{
2d21ac55 297 struct shmid_kernel *shmseg;
1c79356b 298 int segnum, result;
91447636 299 mach_vm_size_t size;
1c79356b
A
300
301 segnum = IPCID_TO_IX(shmmap_s->shmid);
302 shmseg = &shmsegs[segnum];
0a7de745 303 size = mach_vm_round_page(shmseg->u.shm_segsz); /* XXX done for us? */
55e303ae 304 if (deallocate) {
0a7de745
A
305 result = mach_vm_deallocate(current_map(), shmmap_s->va, size);
306 if (result != KERN_SUCCESS) {
307 return EINVAL;
308 }
55e303ae 309 }
39037602 310 shmmap_s->shmid = SHMID_UNALLOCATED;
2d21ac55
A
311 shmseg->u.shm_dtime = sysv_shmtime();
312 if ((--shmseg->u.shm_nattch <= 0) &&
313 (shmseg->u.shm_perm.mode & SHMSEG_REMOVED)) {
1c79356b
A
314 shm_deallocate_segment(shmseg);
315 shm_last_free = segnum;
316 }
317 return 0;
318}
319
1c79356b 320int
b0d623f7 321shmdt(struct proc *p, struct shmdt_args *uap, int32_t *retval)
1c79356b 322{
2d21ac55
A
323#if CONFIG_MACF
324 struct shmid_kernel *shmsegptr;
325#endif
1c79356b
A
326 struct shmmap_state *shmmap_s;
327 int i;
91447636
A
328 int shmdtret = 0;
329
2d21ac55 330 AUDIT_ARG(svipc_addr, uap->shmaddr);
91447636
A
331
332 SYSV_SHM_SUBSYS_LOCK();
1c79356b 333
39037602
A
334 if ((shmdtret = shminit())) {
335 goto shmdt_out;
91447636 336 }
39037602 337
1c79356b 338 shmmap_s = (struct shmmap_state *)p->vm_shm;
0a7de745 339 if (shmmap_s == NULL) {
91447636
A
340 shmdtret = EINVAL;
341 goto shmdt_out;
342 }
343
39037602
A
344 for (; shmmap_s->shmid != SHMID_SENTINEL; shmmap_s++) {
345 if (SHMID_IS_VALID(shmmap_s->shmid) &&
346 shmmap_s->va == (mach_vm_offset_t)uap->shmaddr) {
1c79356b 347 break;
39037602
A
348 }
349 }
350
351 if (!SHMID_IS_VALID(shmmap_s->shmid)) {
91447636
A
352 shmdtret = EINVAL;
353 goto shmdt_out;
354 }
39037602 355
2d21ac55
A
356#if CONFIG_MACF
357 /*
358 * XXX: It might be useful to move this into the shm_delete_mapping
359 * function
360 */
361 shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)];
362 shmdtret = mac_sysvshm_check_shmdt(kauth_cred_get(), shmsegptr);
0a7de745 363 if (shmdtret) {
2d21ac55 364 goto shmdt_out;
0a7de745 365 }
2d21ac55 366#endif
91447636
A
367 i = shm_delete_mapping(p, shmmap_s, 1);
368
0a7de745 369 if (i == 0) {
91447636 370 *retval = 0;
0a7de745 371 }
91447636
A
372 shmdtret = i;
373shmdt_out:
374 SYSV_SHM_SUBSYS_UNLOCK();
375 return shmdtret;
1c79356b
A
376}
377
1c79356b 378int
2d21ac55 379shmat(struct proc *p, struct shmat_args *uap, user_addr_t *retval)
1c79356b
A
380{
381 int error, i, flags;
0a7de745
A
382 struct shmid_kernel *shmseg;
383 struct shmmap_state *shmmap_s = NULL;
384 struct shm_handle *shm_handle;
385 mach_vm_address_t attach_va; /* attach address in/out */
386 mach_vm_size_t map_size; /* size of map entry */
387 mach_vm_size_t mapped_size;
3e170ce0 388 vm_prot_t prot;
0a7de745
A
389 size_t size;
390 kern_return_t rv;
391 int shmat_ret;
392 int vm_flags;
b0d623f7
A
393
394 shmat_ret = 0;
1c79356b 395
55e303ae 396 AUDIT_ARG(svipc_id, uap->shmid);
2d21ac55 397 AUDIT_ARG(svipc_addr, uap->shmaddr);
91447636
A
398
399 SYSV_SHM_SUBSYS_LOCK();
400
39037602
A
401 if ((shmat_ret = shminit())) {
402 goto shmat_out;
91447636
A
403 }
404
1c79356b
A
405 shmmap_s = (struct shmmap_state *)p->vm_shm;
406 if (shmmap_s == NULL) {
39037602
A
407 /* lazily allocate the shm map */
408
409 int nsegs = shminfo.shmseg;
410 if (nsegs <= 0) {
411 shmat_ret = EMFILE;
412 goto shmat_out;
413 }
414
415 /* +1 for the sentinel */
416 if (os_add_and_mul_overflow(nsegs, 1, sizeof(struct shmmap_state), &size)) {
0a7de745
A
417 shmat_ret = ENOMEM;
418 goto shmat_out;
39037602
A
419 }
420
813fb2f6 421 MALLOC(shmmap_s, struct shmmap_state *, size, M_SHM, M_WAITOK | M_NULL);
91447636
A
422 if (shmmap_s == NULL) {
423 shmat_ret = ENOMEM;
424 goto shmat_out;
425 }
39037602
A
426
427 /* initialize the entries */
428 for (i = 0; i < nsegs; i++) {
429 shmmap_s[i].shmid = SHMID_UNALLOCATED;
430 }
431 shmmap_s[i].shmid = SHMID_SENTINEL;
432
1c79356b
A
433 p->vm_shm = (caddr_t)shmmap_s;
434 }
39037602 435
1c79356b 436 shmseg = shm_find_segment_by_shmid(uap->shmid);
91447636
A
437 if (shmseg == NULL) {
438 shmat_ret = EINVAL;
439 goto shmat_out;
440 }
55e303ae 441
2d21ac55
A
442 AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
443 error = ipcperm(kauth_cred_get(), &shmseg->u.shm_perm,
0a7de745 444 (uap->shmflg & SHM_RDONLY) ? IPC_R : IPC_R | IPC_W);
91447636
A
445 if (error) {
446 shmat_ret = error;
447 goto shmat_out;
448 }
449
2d21ac55
A
450#if CONFIG_MACF
451 error = mac_sysvshm_check_shmat(kauth_cred_get(), shmseg, uap->shmflg);
452 if (error) {
453 shmat_ret = error;
454 goto shmat_out;
455 }
456#endif
39037602
A
457
458 /* find a free shmid */
459 while (SHMID_IS_VALID(shmmap_s->shmid)) {
1c79356b
A
460 shmmap_s++;
461 }
39037602
A
462 if (shmmap_s->shmid != SHMID_UNALLOCATED) {
463 /* no free shmids */
91447636
A
464 shmat_ret = EMFILE;
465 goto shmat_out;
466 }
467
2d21ac55 468 map_size = mach_vm_round_page(shmseg->u.shm_segsz);
1c79356b 469 prot = VM_PROT_READ;
0a7de745 470 if ((uap->shmflg & SHM_RDONLY) == 0) {
1c79356b 471 prot |= VM_PROT_WRITE;
0a7de745 472 }
1c79356b 473 flags = MAP_ANON | MAP_SHARED;
0a7de745 474 if (uap->shmaddr) {
1c79356b 475 flags |= MAP_FIXED;
0a7de745 476 }
91447636
A
477
478 attach_va = (mach_vm_address_t)uap->shmaddr;
0a7de745
A
479 if (uap->shmflg & SHM_RND) {
480 attach_va &= ~(SHMLBA - 1);
481 } else if ((attach_va & (SHMLBA - 1)) != 0) {
91447636
A
482 shmat_ret = EINVAL;
483 goto shmat_out;
484 }
485
b0d623f7
A
486 if (flags & MAP_FIXED) {
487 vm_flags = VM_FLAGS_FIXED;
488 } else {
489 vm_flags = VM_FLAGS_ANYWHERE;
490 }
491
492 mapped_size = 0;
493
494 /* first reserve enough space... */
5ba3f43e 495 rv = mach_vm_map_kernel(current_map(),
0a7de745
A
496 &attach_va,
497 map_size,
498 0,
499 vm_flags,
500 VM_MAP_KERNEL_FLAGS_NONE,
501 VM_KERN_MEMORY_NONE,
502 IPC_PORT_NULL,
503 0,
504 FALSE,
505 VM_PROT_NONE,
506 VM_PROT_NONE,
507 VM_INHERIT_NONE);
b0d623f7
A
508 if (rv != KERN_SUCCESS) {
509 goto out;
510 }
91447636 511
b0d623f7
A
512 shmmap_s->va = attach_va;
513
514 /* ... then map the shared memory over the reserved space */
515 for (shm_handle = CAST_DOWN(void *, shmseg->u.shm_internal);/* tunnel */
0a7de745
A
516 shm_handle != NULL;
517 shm_handle = shm_handle->shm_handle_next) {
b0d623f7 518 rv = vm_map_enter_mem_object(
0a7de745
A
519 current_map(), /* process map */
520 &attach_va, /* attach address */
b0d623f7 521 shm_handle->shm_handle_size, /* segment size */
0a7de745 522 (mach_vm_offset_t)0, /* alignment mask */
b0d623f7 523 VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE,
5ba3f43e
A
524 VM_MAP_KERNEL_FLAGS_NONE,
525 VM_KERN_MEMORY_NONE,
91447636
A
526 shm_handle->shm_object,
527 (mach_vm_offset_t)0,
528 FALSE,
529 prot,
530 prot,
b0d623f7 531 VM_INHERIT_SHARE);
0a7de745 532 if (rv != KERN_SUCCESS) {
1c79356b 533 goto out;
0a7de745 534 }
91447636 535
b0d623f7
A
536 mapped_size += shm_handle->shm_handle_size;
537 attach_va = attach_va + shm_handle->shm_handle_size;
1c79356b
A
538 }
539
1c79356b 540 shmmap_s->shmid = uap->shmid;
2d21ac55
A
541 shmseg->u.shm_lpid = p->p_pid;
542 shmseg->u.shm_atime = sysv_shmtime();
543 shmseg->u.shm_nattch++;
0a7de745 544 *retval = shmmap_s->va; /* XXX return -1 on error */
91447636
A
545 shmat_ret = 0;
546 goto shmat_out;
1c79356b 547out:
b0d623f7
A
548 if (mapped_size > 0) {
549 (void) mach_vm_deallocate(current_map(),
0a7de745
A
550 shmmap_s->va,
551 mapped_size);
b0d623f7 552 }
1c79356b
A
553 switch (rv) {
554 case KERN_INVALID_ADDRESS:
555 case KERN_NO_SPACE:
91447636 556 shmat_ret = ENOMEM;
b0d623f7 557 break;
1c79356b 558 case KERN_PROTECTION_FAILURE:
91447636 559 shmat_ret = EACCES;
b0d623f7 560 break;
1c79356b 561 default:
91447636 562 shmat_ret = EINVAL;
b0d623f7 563 break;
1c79356b 564 }
91447636
A
565shmat_out:
566 SYSV_SHM_SUBSYS_UNLOCK();
567 return shmat_ret;
1c79356b
A
568}
569
1c79356b 570static int
91447636 571oshmctl(__unused void *p, __unused void *uap, __unused void *retval)
1c79356b 572{
1c79356b 573 return EINVAL;
1c79356b
A
574}
575
2d21ac55
A
576/*
577 * Returns: 0 Success
578 * EINVAL
579 * copyout:EFAULT
580 * copyin:EFAULT
581 * ipcperm:EPERM
582 * ipcperm:EACCES
583 */
1c79356b 584int
b0d623f7 585shmctl(__unused struct proc *p, struct shmctl_args *uap, int32_t *retval)
1c79356b
A
586{
587 int error;
91447636
A
588 kauth_cred_t cred = kauth_cred_get();
589 struct user_shmid_ds inbuf;
2d21ac55 590 struct shmid_kernel *shmseg;
91447636
A
591
592 int shmctl_ret = 0;
1c79356b 593
55e303ae
A
594 AUDIT_ARG(svipc_cmd, uap->cmd);
595 AUDIT_ARG(svipc_id, uap->shmid);
91447636
A
596
597 SYSV_SHM_SUBSYS_LOCK();
598
39037602
A
599 if ((shmctl_ret = shminit())) {
600 goto shmctl_out;
91447636
A
601 }
602
1c79356b 603 shmseg = shm_find_segment_by_shmid(uap->shmid);
91447636
A
604 if (shmseg == NULL) {
605 shmctl_ret = EINVAL;
606 goto shmctl_out;
607 }
608
0a7de745 609 /* XXAUDIT: This is the perms BEFORE any change by this call. This
55e303ae
A
610 * may not be what is desired.
611 */
2d21ac55 612 AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
55e303ae 613
2d21ac55
A
614#if CONFIG_MACF
615 error = mac_sysvshm_check_shmctl(cred, shmseg, uap->cmd);
616 if (error) {
617 shmctl_ret = error;
618 goto shmctl_out;
619 }
620#endif
1c79356b
A
621 switch (uap->cmd) {
622 case IPC_STAT:
2d21ac55 623 error = ipcperm(cred, &shmseg->u.shm_perm, IPC_R);
91447636
A
624 if (error) {
625 shmctl_ret = error;
626 goto shmctl_out;
627 }
628
629 if (IS_64BIT_PROCESS(p)) {
e8c3f781 630 struct user_shmid_ds shmid_ds = {};
22ba694c 631 memcpy(&shmid_ds, &shmseg->u, sizeof(struct user_shmid_ds));
0a7de745 632
22ba694c
A
633 /* Clear kernel reserved pointer before copying to user space */
634 shmid_ds.shm_internal = USER_ADDR_NULL;
0a7de745 635
22ba694c 636 error = copyout(&shmid_ds, uap->buf, sizeof(shmid_ds));
91447636 637 } else {
5ba3f43e 638 struct user32_shmid_ds shmid_ds32 = {};
2d21ac55 639 shmid_ds_64to32(&shmseg->u, &shmid_ds32);
0a7de745 640
22ba694c
A
641 /* Clear kernel reserved pointer before copying to user space */
642 shmid_ds32.shm_internal = (user32_addr_t)0;
0a7de745 643
b0d623f7 644 error = copyout(&shmid_ds32, uap->buf, sizeof(shmid_ds32));
91447636
A
645 }
646 if (error) {
647 shmctl_ret = error;
648 goto shmctl_out;
649 }
1c79356b
A
650 break;
651 case IPC_SET:
2d21ac55 652 error = ipcperm(cred, &shmseg->u.shm_perm, IPC_M);
91447636
A
653 if (error) {
654 shmctl_ret = error;
655 goto shmctl_out;
656 }
657 if (IS_64BIT_PROCESS(p)) {
658 error = copyin(uap->buf, &inbuf, sizeof(struct user_shmid_ds));
659 } else {
b0d623f7
A
660 struct user32_shmid_ds shmid_ds32;
661 error = copyin(uap->buf, &shmid_ds32, sizeof(shmid_ds32));
91447636 662 /* convert in place; ugly, but safe */
b0d623f7 663 shmid_ds_32to64(&shmid_ds32, &inbuf);
91447636
A
664 }
665 if (error) {
666 shmctl_ret = error;
667 goto shmctl_out;
668 }
2d21ac55
A
669 shmseg->u.shm_perm.uid = inbuf.shm_perm.uid;
670 shmseg->u.shm_perm.gid = inbuf.shm_perm.gid;
671 shmseg->u.shm_perm.mode =
672 (shmseg->u.shm_perm.mode & ~ACCESSPERMS) |
1c79356b 673 (inbuf.shm_perm.mode & ACCESSPERMS);
2d21ac55 674 shmseg->u.shm_ctime = sysv_shmtime();
1c79356b
A
675 break;
676 case IPC_RMID:
2d21ac55 677 error = ipcperm(cred, &shmseg->u.shm_perm, IPC_M);
91447636
A
678 if (error) {
679 shmctl_ret = error;
680 goto shmctl_out;
681 }
2d21ac55
A
682 shmseg->u.shm_perm._key = IPC_PRIVATE;
683 shmseg->u.shm_perm.mode |= SHMSEG_REMOVED;
684 if (shmseg->u.shm_nattch <= 0) {
1c79356b
A
685 shm_deallocate_segment(shmseg);
686 shm_last_free = IPCID_TO_IX(uap->shmid);
687 }
688 break;
689#if 0
690 case SHM_LOCK:
691 case SHM_UNLOCK:
692#endif
693 default:
91447636
A
694 shmctl_ret = EINVAL;
695 goto shmctl_out;
1c79356b 696 }
91447636
A
697 *retval = 0;
698 shmctl_ret = 0;
699shmctl_out:
700 SYSV_SHM_SUBSYS_UNLOCK();
701 return shmctl_ret;
1c79356b
A
702}
703
1c79356b 704static int
91447636 705shmget_existing(struct shmget_args *uap, int mode, int segnum, int *retval)
1c79356b 706{
2d21ac55
A
707 struct shmid_kernel *shmseg;
708 int error = 0;
1c79356b
A
709
710 shmseg = &shmsegs[segnum];
2d21ac55 711 if (shmseg->u.shm_perm.mode & SHMSEG_REMOVED) {
1c79356b
A
712 /*
713 * This segment is in the process of being allocated. Wait
714 * until it's done, and look the key up again (in case the
715 * allocation failed or it was freed).
716 */
2d21ac55 717 shmseg->u.shm_perm.mode |= SHMSEG_WANTED;
1c79356b 718 error = tsleep((caddr_t)shmseg, PLOCK | PCATCH, "shmget", 0);
0a7de745 719 if (error) {
1c79356b 720 return error;
0a7de745 721 }
1c79356b
A
722 return EAGAIN;
723 }
2d21ac55
A
724
725 /*
726 * The low 9 bits of shmflag are the mode bits being requested, which
727 * are the actual mode bits desired on the segment, and not in IPC_R
728 * form; therefore it would be incorrect to call ipcperm() to validate
729 * them; instead, we AND the existing mode with the requested mode, and
730 * verify that it matches the requested mode; otherwise, we fail with
731 * EACCES (access denied).
732 */
0a7de745 733 if ((shmseg->u.shm_perm.mode & mode) != mode) {
2d21ac55 734 return EACCES;
0a7de745 735 }
2d21ac55
A
736
737#if CONFIG_MACF
738 error = mac_sysvshm_check_shmget(kauth_cred_get(), shmseg, uap->shmflg);
0a7de745
A
739 if (error) {
740 return error;
741 }
2d21ac55
A
742#endif
743
0a7de745 744 if (uap->size && uap->size > shmseg->u.shm_segsz) {
1c79356b 745 return EINVAL;
0a7de745 746 }
2d21ac55 747
0a7de745 748 if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL)) {
1c79356b 749 return EEXIST;
0a7de745 750 }
2d21ac55
A
751
752 *retval = IXSEQ_TO_IPCID(segnum, shmseg->u.shm_perm);
1c79356b
A
753 return 0;
754}
755
756static int
91447636 757shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode,
0a7de745 758 int *retval)
1c79356b 759{
2d21ac55 760 int i, segnum, shmid;
91447636 761 kauth_cred_t cred = kauth_cred_get();
2d21ac55 762 struct shmid_kernel *shmseg;
1c79356b
A
763 struct shm_handle *shm_handle;
764 kern_return_t kret;
b0d623f7 765 mach_vm_size_t total_size, size, alloc_size;
1c79356b 766 void * mem_object;
b0d623f7 767 struct shm_handle *shm_handle_next, **shm_handle_next_p;
1c79356b 768
39037602 769 if (uap->size <= 0 ||
0a7de745
A
770 uap->size < (user_size_t)shminfo.shmmin ||
771 uap->size > (user_size_t)shminfo.shmmax) {
1c79356b 772 return EINVAL;
39037602 773 }
0a7de745 774 if (shm_nused >= shminfo.shmmni) { /* any shmids left? */
1c79356b 775 return ENOSPC;
0a7de745 776 }
39037602
A
777 if (mach_vm_round_page_overflow(uap->size, &total_size)) {
778 return EINVAL;
779 }
0a7de745 780 if ((user_ssize_t)(shm_committed + btoc(total_size)) > shminfo.shmall) {
1c79356b 781 return ENOMEM;
0a7de745 782 }
1c79356b 783 if (shm_last_free < 0) {
0a7de745
A
784 for (i = 0; i < shminfo.shmmni; i++) {
785 if (shmsegs[i].u.shm_perm.mode & SHMSEG_FREE) {
1c79356b 786 break;
0a7de745
A
787 }
788 }
789 if (i == shminfo.shmmni) {
1c79356b 790 panic("shmseg free count inconsistent");
0a7de745 791 }
1c79356b 792 segnum = i;
0a7de745 793 } else {
1c79356b
A
794 segnum = shm_last_free;
795 shm_last_free = -1;
796 }
797 shmseg = &shmsegs[segnum];
b0d623f7 798
1c79356b
A
799 /*
800 * In case we sleep in malloc(), mark the segment present but deleted
801 * so that noone else tries to create the same key.
b0d623f7 802 * XXX but we don't release the global lock !?
1c79356b 803 */
2d21ac55
A
804 shmseg->u.shm_perm.mode = SHMSEG_ALLOCATED | SHMSEG_REMOVED;
805 shmseg->u.shm_perm._key = uap->key;
806 shmseg->u.shm_perm._seq = (shmseg->u.shm_perm._seq + 1) & 0x7fff;
b0d623f7
A
807
808 shm_handle_next_p = NULL;
809 for (alloc_size = 0;
0a7de745
A
810 alloc_size < total_size;
811 alloc_size += size) {
b0d623f7
A
812 size = MIN(total_size - alloc_size, ANON_MAX_SIZE);
813 kret = mach_make_memory_entry_64(
814 VM_MAP_NULL,
815 (memory_object_size_t *) &size,
816 (memory_object_offset_t) 0,
817 MAP_MEM_NAMED_CREATE | VM_PROT_DEFAULT,
818 (ipc_port_t *) &mem_object, 0);
0a7de745 819 if (kret != KERN_SUCCESS) {
b0d623f7 820 goto out;
0a7de745
A
821 }
822
b0d623f7
A
823 MALLOC(shm_handle, struct shm_handle *, sizeof(struct shm_handle), M_SHM, M_WAITOK);
824 if (shm_handle == NULL) {
825 kret = KERN_NO_SPACE;
826 mach_memory_entry_port_release(mem_object);
827 mem_object = NULL;
828 goto out;
829 }
830 shm_handle->shm_object = mem_object;
831 shm_handle->shm_handle_size = size;
832 shm_handle->shm_handle_next = NULL;
833 if (shm_handle_next_p == NULL) {
834 shmseg->u.shm_internal = CAST_USER_ADDR_T(shm_handle);/* tunnel */
835 } else {
836 *shm_handle_next_p = shm_handle;
837 }
838 shm_handle_next_p = &shm_handle->shm_handle_next;
91447636 839 }
b0d623f7 840
2d21ac55 841 shmid = IXSEQ_TO_IPCID(segnum, shmseg->u.shm_perm);
1c79356b 842
2d21ac55 843 shmseg->u.shm_perm.cuid = shmseg->u.shm_perm.uid = kauth_cred_getuid(cred);
6d2010ae 844 shmseg->u.shm_perm.cgid = shmseg->u.shm_perm.gid = kauth_cred_getgid(cred);
2d21ac55 845 shmseg->u.shm_perm.mode = (shmseg->u.shm_perm.mode & SHMSEG_WANTED) |
1c79356b 846 (mode & ACCESSPERMS) | SHMSEG_ALLOCATED;
2d21ac55
A
847 shmseg->u.shm_segsz = uap->size;
848 shmseg->u.shm_cpid = p->p_pid;
849 shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0;
850 shmseg->u.shm_atime = shmseg->u.shm_dtime = 0;
851#if CONFIG_MACF
852 mac_sysvshm_label_associate(cred, shmseg);
853#endif
854 shmseg->u.shm_ctime = sysv_shmtime();
1c79356b
A
855 shm_committed += btoc(size);
856 shm_nused++;
2d21ac55
A
857 AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
858 if (shmseg->u.shm_perm.mode & SHMSEG_WANTED) {
1c79356b
A
859 /*
860 * Somebody else wanted this key while we were asleep. Wake
861 * them up now.
862 */
2d21ac55 863 shmseg->u.shm_perm.mode &= ~SHMSEG_WANTED;
1c79356b
A
864 wakeup((caddr_t)shmseg);
865 }
866 *retval = shmid;
55e303ae 867 AUDIT_ARG(svipc_id, shmid);
1c79356b 868 return 0;
0a7de745 869out:
b0d623f7 870 if (kret != KERN_SUCCESS) {
0a7de745
A
871 for (shm_handle = CAST_DOWN(void *, shmseg->u.shm_internal); /* tunnel */
872 shm_handle != NULL;
873 shm_handle = shm_handle_next) {
b0d623f7
A
874 shm_handle_next = shm_handle->shm_handle_next;
875 mach_memory_entry_port_release(shm_handle->shm_object);
0a7de745 876 FREE(shm_handle, M_SHM);
b0d623f7
A
877 }
878 shmseg->u.shm_internal = USER_ADDR_NULL; /* tunnel */
879 }
880
1c79356b
A
881 switch (kret) {
882 case KERN_INVALID_ADDRESS:
883 case KERN_NO_SPACE:
0a7de745 884 return ENOMEM;
1c79356b 885 case KERN_PROTECTION_FAILURE:
0a7de745 886 return EACCES;
1c79356b 887 default:
0a7de745 888 return EINVAL;
1c79356b 889 }
1c79356b
A
890}
891
892int
b0d623f7 893shmget(struct proc *p, struct shmget_args *uap, int32_t *retval)
1c79356b
A
894{
895 int segnum, mode, error;
91447636 896 int shmget_ret = 0;
39037602 897
55e303ae 898 /* Auditing is actually done in shmget_allocate_segment() */
91447636
A
899
900 SYSV_SHM_SUBSYS_LOCK();
901
39037602
A
902 if ((shmget_ret = shminit())) {
903 goto shmget_out;
91447636 904 }
9bccf70c 905
1c79356b
A
906 mode = uap->shmflg & ACCESSPERMS;
907 if (uap->key != IPC_PRIVATE) {
0a7de745 908again:
1c79356b
A
909 segnum = shm_find_segment_by_key(uap->key);
910 if (segnum >= 0) {
91447636 911 error = shmget_existing(uap, mode, segnum, retval);
0a7de745 912 if (error == EAGAIN) {
1c79356b 913 goto again;
0a7de745 914 }
91447636
A
915 shmget_ret = error;
916 goto shmget_out;
917 }
918 if ((uap->shmflg & IPC_CREAT) == 0) {
919 shmget_ret = ENOENT;
920 goto shmget_out;
1c79356b 921 }
1c79356b 922 }
91447636
A
923 shmget_ret = shmget_allocate_segment(p, uap, mode, retval);
924shmget_out:
925 SYSV_SHM_SUBSYS_UNLOCK();
926 return shmget_ret;
1c79356b
A
927}
928
b0d623f7
A
929/*
930 * shmsys
931 *
932 * Entry point for all SHM calls: shmat, oshmctl, shmdt, shmget, shmctl
933 *
934 * Parameters: p Process requesting the call
0a7de745
A
935 * uap User argument descriptor (see below)
936 * retval Return value of the selected shm call
b0d623f7
A
937 *
938 * Indirect parameters: uap->which msg call to invoke (index in array of shm calls)
0a7de745
A
939 * uap->a2 User argument descriptor
940 *
b0d623f7 941 * Returns: 0 Success
0a7de745 942 * !0 Not success
b0d623f7
A
943 *
944 * Implicit returns: retval Return value of the selected shm call
945 *
0a7de745
A
946 * DEPRECATED: This interface should not be used to call the other SHM
947 * functions (shmat, oshmctl, shmdt, shmget, shmctl). The correct
948 * usage is to call the other SHM functions directly.
b0d623f7 949 */
1c79356b 950int
b0d623f7 951shmsys(struct proc *p, struct shmsys_args *uap, int32_t *retval)
1c79356b 952{
91447636 953 /* The routine that we are dispatching already does this */
9bccf70c 954
0a7de745 955 if (uap->which >= sizeof(shmcalls) / sizeof(shmcalls[0])) {
1c79356b 956 return EINVAL;
0a7de745
A
957 }
958 return (*shmcalls[uap->which])(p, &uap->a2, retval);
1c79356b
A
959}
960
91447636
A
961/*
962 * Return 0 on success, 1 on failure.
963 */
964int
965shmfork(struct proc *p1, struct proc *p2)
1c79356b
A
966{
967 struct shmmap_state *shmmap_s;
39037602
A
968 size_t size;
969 int nsegs = 0;
970 int ret = 0;
1c79356b 971
91447636
A
972 SYSV_SHM_SUBSYS_LOCK();
973
39037602
A
974 if (shminit()) {
975 ret = 1;
976 goto shmfork_out;
977 }
978
979 struct shmmap_state *src = (struct shmmap_state *)p1->vm_shm;
980 assert(src);
981
982 /* count number of shmid entries in src */
983 for (struct shmmap_state *s = src; s->shmid != SHMID_SENTINEL; s++) {
984 nsegs++;
985 }
986
987 if (os_add_and_mul_overflow(nsegs, 1, sizeof(struct shmmap_state), &size)) {
988 ret = 1;
989 goto shmfork_out;
91447636 990 }
91447636 991 MALLOC(shmmap_s, struct shmmap_state *, size, M_SHM, M_WAITOK);
39037602
A
992 if (shmmap_s == NULL) {
993 ret = 1;
91447636
A
994 goto shmfork_out;
995 }
996
39037602
A
997 bcopy(src, (caddr_t)shmmap_s, size);
998 p2->vm_shm = (caddr_t)shmmap_s;
999 for (; shmmap_s->shmid != SHMID_SENTINEL; shmmap_s++) {
1000 if (SHMID_IS_VALID(shmmap_s->shmid)) {
1001 shmsegs[IPCID_TO_IX(shmmap_s->shmid)].u.shm_nattch++;
1002 }
1003 }
1004
91447636
A
1005shmfork_out:
1006 SYSV_SHM_SUBSYS_UNLOCK();
39037602 1007 return ret;
1c79356b
A
1008}
1009
39037602
A
1010static void
1011shmcleanup(struct proc *p, int deallocate)
1c79356b
A
1012{
1013 struct shmmap_state *shmmap_s;
91447636
A
1014
1015 SYSV_SHM_SUBSYS_LOCK();
39037602
A
1016
1017 shmmap_s = (struct shmmap_state *)p->vm_shm;
1018 for (; shmmap_s->shmid != SHMID_SENTINEL; shmmap_s++) {
1019 if (SHMID_IS_VALID(shmmap_s->shmid)) {
2d21ac55
A
1020 /*
1021 * XXX: Should the MAC framework enforce
1022 * check here as well.
1023 */
39037602
A
1024 shm_delete_mapping(p, shmmap_s, deallocate);
1025 }
1026 }
1027
0a7de745 1028 FREE(p->vm_shm, M_SHM);
55e303ae 1029 p->vm_shm = NULL;
91447636 1030 SYSV_SHM_SUBSYS_UNLOCK();
55e303ae
A
1031}
1032
39037602
A
1033void
1034shmexit(struct proc *p)
1035{
1036 shmcleanup(p, 1);
1037}
1038
55e303ae
A
1039/*
1040 * shmexec() is like shmexit(), only it doesn't delete the mappings,
1041 * since the old address space has already been destroyed and the new
1042 * one instantiated. Instead, it just does the housekeeping work we
1043 * need to do to keep the System V shared memory subsystem sane.
1044 */
1045__private_extern__ void
91447636 1046shmexec(struct proc *p)
55e303ae 1047{
39037602 1048 shmcleanup(p, 0);
1c79356b
A
1049}
1050
39037602
A
1051int
1052shminit(void)
1c79356b 1053{
39037602 1054 size_t sz;
1c79356b 1055 int i;
1c79356b 1056
9bccf70c 1057 if (!shm_inited) {
91447636
A
1058 /*
1059 * we store internally 64 bit, since if we didn't, we would
1060 * be unable to represent a segment size in excess of 32 bits
1061 * with the (struct shmid_ds)->shm_segsz field; also, POSIX
1062 * dictates this filed be a size_t, which is 64 bits when
1063 * running 64 bit binaries.
1064 */
39037602
A
1065 if (os_mul_overflow(shminfo.shmmni, sizeof(struct shmid_kernel), &sz)) {
1066 return ENOMEM;
1067 }
9bccf70c 1068
e8c3f781 1069 MALLOC(shmsegs, struct shmid_kernel *, sz, M_SHM, M_WAITOK | M_ZERO);
91447636 1070 if (shmsegs == NULL) {
39037602 1071 return ENOMEM;
91447636 1072 }
9bccf70c 1073 for (i = 0; i < shminfo.shmmni; i++) {
2d21ac55
A
1074 shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
1075 shmsegs[i].u.shm_perm._seq = 0;
1076#if CONFIG_MACF
1077 mac_sysvshm_label_init(&shmsegs[i]);
1078#endif
9bccf70c
A
1079 }
1080 shm_last_free = 0;
1081 shm_nused = 0;
1082 shm_committed = 0;
1083 shm_inited = 1;
1084 }
39037602
A
1085
1086 return 0;
9bccf70c 1087}
39037602 1088
91447636
A
1089/* Initialize the mutex governing access to the SysV shm subsystem */
1090__private_extern__ void
1091sysv_shm_lock_init( void )
1092{
91447636 1093 sysv_shm_subsys_lck_grp_attr = lck_grp_attr_alloc_init();
0a7de745 1094
91447636 1095 sysv_shm_subsys_lck_grp = lck_grp_alloc_init("sysv_shm_subsys_lock", sysv_shm_subsys_lck_grp_attr);
0a7de745 1096
91447636 1097 sysv_shm_subsys_lck_attr = lck_attr_alloc_init();
91447636
A
1098 lck_mtx_init(&sysv_shm_subsys_mutex, sysv_shm_subsys_lck_grp, sysv_shm_subsys_lck_attr);
1099}
9bccf70c
A
1100
1101/* (struct sysctl_oid *oidp, void *arg1, int arg2, \
0a7de745 1102 * struct sysctl_req *req) */
9bccf70c 1103static int
91447636 1104sysctl_shminfo(__unused struct sysctl_oid *oidp, void *arg1,
0a7de745 1105 __unused int arg2, struct sysctl_req *req)
9bccf70c
A
1106{
1107 int error = 0;
91447636 1108 int sysctl_shminfo_ret = 0;
0a7de745
A
1109 int64_t saved_shmmax;
1110 int64_t saved_shmmin;
39037602
A
1111 int64_t saved_shmseg;
1112 int64_t saved_shmmni;
1113 int64_t saved_shmall;
9bccf70c 1114
0c530ab8 1115 error = SYSCTL_OUT(req, arg1, sizeof(int64_t));
0a7de745
A
1116 if (error || req->newptr == USER_ADDR_NULL) {
1117 return error;
1118 }
1c79356b 1119
91447636 1120 SYSV_SHM_SUBSYS_LOCK();
91447636 1121
2d21ac55
A
1122 /* shmmni can not be changed after SysV SHM has been initialized */
1123 if (shm_inited && arg1 == &shminfo.shmmni) {
1124 sysctl_shminfo_ret = EPERM;
1125 goto sysctl_shminfo_out;
1126 }
0a7de745
A
1127 saved_shmmax = shminfo.shmmax;
1128 saved_shmmin = shminfo.shmmin;
1129 saved_shmseg = shminfo.shmseg;
1130 saved_shmmni = shminfo.shmmni;
1131 saved_shmall = shminfo.shmall;
9bccf70c 1132
2d21ac55
A
1133 if ((error = SYSCTL_IN(req, arg1, sizeof(int64_t))) != 0) {
1134 sysctl_shminfo_ret = error;
1135 goto sysctl_shminfo_out;
1136 }
1137
1138 if (arg1 == &shminfo.shmmax) {
1139 /* shmmax needs to be page-aligned */
39037602 1140 if (shminfo.shmmax & PAGE_MASK_64 || shminfo.shmmax < 0) {
2d21ac55
A
1141 shminfo.shmmax = saved_shmmax;
1142 sysctl_shminfo_ret = EINVAL;
1143 goto sysctl_shminfo_out;
9bccf70c 1144 }
0a7de745 1145 } else if (arg1 == &shminfo.shmmin) {
39037602
A
1146 if (shminfo.shmmin < 0) {
1147 shminfo.shmmin = saved_shmmin;
1148 sysctl_shminfo_ret = EINVAL;
1149 goto sysctl_shminfo_out;
1150 }
0a7de745
A
1151 } else if (arg1 == &shminfo.shmseg) {
1152 /* add a sanity check - 20847256 */
1153 if (shminfo.shmseg > INT32_MAX || shminfo.shmseg < 0) {
1154 shminfo.shmseg = saved_shmseg;
1155 sysctl_shminfo_ret = EINVAL;
1156 goto sysctl_shminfo_out;
1157 }
1158 } else if (arg1 == &shminfo.shmmni) {
1159 /* add a sanity check - 20847256 */
1160 if (shminfo.shmmni > INT32_MAX || shminfo.shmmni < 0) {
1161 shminfo.shmmni = saved_shmmni;
1162 sysctl_shminfo_ret = EINVAL;
1163 goto sysctl_shminfo_out;
1164 }
1165 } else if (arg1 == &shminfo.shmall) {
1166 /* add a sanity check - 20847256 */
1167 if (shminfo.shmall > INT32_MAX || shminfo.shmall < 0) {
1168 shminfo.shmall = saved_shmall;
1169 sysctl_shminfo_ret = EINVAL;
1170 goto sysctl_shminfo_out;
1171 }
39037602 1172 }
91447636
A
1173 sysctl_shminfo_ret = 0;
1174sysctl_shminfo_out:
1175 SYSV_SHM_SUBSYS_UNLOCK();
1176 return sysctl_shminfo_ret;
1177}
1178
1179static int
1180IPCS_shm_sysctl(__unused struct sysctl_oid *oidp, __unused void *arg1,
0a7de745 1181 __unused int arg2, struct sysctl_req *req)
91447636
A
1182{
1183 int error;
1184 int cursor;
1185 union {
b0d623f7 1186 struct user32_IPCS_command u32;
91447636
A
1187 struct user_IPCS_command u64;
1188 } ipcs;
0a7de745
A
1189 struct user32_shmid_ds shmid_ds32 = {}; /* post conversion, 32 bit version */
1190 struct user_shmid_ds shmid_ds; /* 64 bit version */
91447636
A
1191 void *shmid_dsp;
1192 size_t ipcs_sz = sizeof(struct user_IPCS_command);
1193 size_t shmid_ds_sz = sizeof(struct user_shmid_ds);
1194 struct proc *p = current_proc();
1195
91447636
A
1196 SYSV_SHM_SUBSYS_LOCK();
1197
39037602
A
1198 if ((error = shminit())) {
1199 goto ipcs_shm_sysctl_out;
91447636
A
1200 }
1201
1202 if (!IS_64BIT_PROCESS(p)) {
b0d623f7
A
1203 ipcs_sz = sizeof(struct user32_IPCS_command);
1204 shmid_ds_sz = sizeof(struct user32_shmid_ds);
91447636
A
1205 }
1206
1207 /* Copy in the command structure */
1208 if ((error = SYSCTL_IN(req, &ipcs, ipcs_sz)) != 0) {
1209 goto ipcs_shm_sysctl_out;
1210 }
1211
0a7de745 1212 if (!IS_64BIT_PROCESS(p)) { /* convert in place */
91447636 1213 ipcs.u64.ipcs_data = CAST_USER_ADDR_T(ipcs.u32.ipcs_data);
0a7de745 1214 }
91447636
A
1215
1216 /* Let us version this interface... */
1217 if (ipcs.u64.ipcs_magic != IPCS_MAGIC) {
1218 error = EINVAL;
1219 goto ipcs_shm_sysctl_out;
1220 }
1221
0a7de745
A
1222 switch (ipcs.u64.ipcs_op) {
1223 case IPCS_SHM_CONF: /* Obtain global configuration data */
91447636
A
1224 if (ipcs.u64.ipcs_datalen != sizeof(struct shminfo)) {
1225 if (ipcs.u64.ipcs_cursor != 0) { /* fwd. compat. */
1226 error = ENOMEM;
1227 break;
1228 }
1229 error = ERANGE;
1230 break;
1231 }
1232 error = copyout(&shminfo, ipcs.u64.ipcs_data, ipcs.u64.ipcs_datalen);
1233 break;
1234
0a7de745 1235 case IPCS_SHM_ITER: /* Iterate over existing segments */
91447636
A
1236 cursor = ipcs.u64.ipcs_cursor;
1237 if (cursor < 0 || cursor >= shminfo.shmmni) {
1238 error = ERANGE;
1239 break;
1240 }
1241 if (ipcs.u64.ipcs_datalen != (int)shmid_ds_sz) {
2d21ac55 1242 error = EINVAL;
91447636
A
1243 break;
1244 }
0a7de745
A
1245 for (; cursor < shminfo.shmmni; cursor++) {
1246 if (shmsegs[cursor].u.shm_perm.mode & SHMSEG_ALLOCATED) {
91447636 1247 break;
0a7de745 1248 }
91447636
A
1249 continue;
1250 }
1251 if (cursor == shminfo.shmmni) {
1252 error = ENOENT;
1253 break;
1254 }
1255
0a7de745 1256 shmid_dsp = &shmsegs[cursor]; /* default: 64 bit */
91447636
A
1257
1258 /*
1259 * If necessary, convert the 64 bit kernel segment
1260 * descriptor to a 32 bit user one.
1261 */
1262 if (!IS_64BIT_PROCESS(p)) {
1263 shmid_ds_64to32(shmid_dsp, &shmid_ds32);
0a7de745 1264
22ba694c
A
1265 /* Clear kernel reserved pointer before copying to user space */
1266 shmid_ds32.shm_internal = (user32_addr_t)0;
0a7de745 1267
91447636 1268 shmid_dsp = &shmid_ds32;
22ba694c
A
1269 } else {
1270 memcpy(&shmid_ds, shmid_dsp, sizeof(shmid_ds));
1271
1272 /* Clear kernel reserved pointer before copying to user space */
1273 shmid_ds.shm_internal = USER_ADDR_NULL;
0a7de745 1274
22ba694c 1275 shmid_dsp = &shmid_ds;
91447636
A
1276 }
1277 error = copyout(shmid_dsp, ipcs.u64.ipcs_data, ipcs.u64.ipcs_datalen);
1278 if (!error) {
1279 /* update cursor */
1280 ipcs.u64.ipcs_cursor = cursor + 1;
1281
0a7de745
A
1282 if (!IS_64BIT_PROCESS(p)) { /* convert in place */
1283 ipcs.u32.ipcs_data = CAST_DOWN_EXPLICIT(user32_addr_t, ipcs.u64.ipcs_data);
1284 }
b0d623f7 1285
0a7de745 1286 error = SYSCTL_OUT(req, &ipcs, ipcs_sz);
91447636
A
1287 }
1288 break;
1289
1290 default:
1291 error = EINVAL;
1292 break;
1293 }
1294ipcs_shm_sysctl_out:
1295 SYSV_SHM_SUBSYS_UNLOCK();
0a7de745 1296 return error;
1c79356b 1297}
9bccf70c 1298
6d2010ae 1299SYSCTL_NODE(_kern, KERN_SYSV, sysv, CTLFLAG_RW | CTLFLAG_LOCKED | CTLFLAG_ANYBODY, 0, "SYSV");
9bccf70c 1300
6d2010ae 1301SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmax, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
0a7de745 1302 &shminfo.shmmax, 0, &sysctl_shminfo, "Q", "shmmax");
9bccf70c 1303
6d2010ae 1304SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmin, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
0a7de745 1305 &shminfo.shmmin, 0, &sysctl_shminfo, "Q", "shmmin");
9bccf70c 1306
6d2010ae 1307SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmni, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
0a7de745 1308 &shminfo.shmmni, 0, &sysctl_shminfo, "Q", "shmmni");
9bccf70c 1309
6d2010ae 1310SYSCTL_PROC(_kern_sysv, OID_AUTO, shmseg, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
0a7de745 1311 &shminfo.shmseg, 0, &sysctl_shminfo, "Q", "shmseg");
9bccf70c 1312
6d2010ae 1313SYSCTL_PROC(_kern_sysv, OID_AUTO, shmall, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
0a7de745 1314 &shminfo.shmall, 0, &sysctl_shminfo, "Q", "shmall");
9bccf70c 1315
6d2010ae 1316SYSCTL_NODE(_kern_sysv, OID_AUTO, ipcs, CTLFLAG_RW | CTLFLAG_LOCKED | CTLFLAG_ANYBODY, 0, "SYSVIPCS");
9bccf70c 1317
6d2010ae 1318SYSCTL_PROC(_kern_sysv_ipcs, OID_AUTO, shm, CTLFLAG_RW | CTLFLAG_ANYBODY | CTLFLAG_LOCKED,
0a7de745
A
1319 0, 0, IPCS_shm_sysctl,
1320 "S,IPCS_shm_command",
1321 "ipcs shm command interface");
2d21ac55
A
1322#endif /* SYSV_SHM */
1323
1324/* DSEP Review Done pl-20051108-v02 @2743,@2908,@2913,@3009 */