xnu-7195.81.3.tar.gz

[apple/xnu.git] / bsd / kern / sysv_shm.c
diff --git a/bsd/kern/sysv_shm.c b/bsd/kern/sysv_shm.c

index c86c5d59058f2ea3d8a7227a182f266e9967962f..7e778e60d97158e60ad4e25393ec5b2225dded6b 100644 (file)
--- a/bsd/kern/sysv_shm.c
+++ b/bsd/kern/sysv_shm.c
@@ -1,23 +1,29 @@
  /*
  /*
- * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2000-2019 Apple Inc. All rights reserved.
   *
   *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ *
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
   * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
   * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
   */
  /*     $NetBSD: sysv_shm.c,v 1.23 1994/07/04 23:25:12 glass Exp $      */
  
   */
  /*     $NetBSD: sysv_shm.c,v 1.23 1994/07/04 23:25:12 glass Exp $      */
  
@@ -50,401 +56,650 @@
   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   */
   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   */
+/*
+ * NOTICE: This file was modified by McAfee Research in 2004 to introduce
+ * support for mandatory and extensible security protections.  This notice
+ * is included in support of clause 2.2 (b) of the Apple Public License,
+ * Version 2.0.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
+ */
  
  
  #include <sys/appleapiopts.h>
  #include <sys/param.h>
  #include <sys/systm.h>
  #include <sys/kernel.h>
  
  
  #include <sys/appleapiopts.h>
  #include <sys/param.h>
  #include <sys/systm.h>
  #include <sys/kernel.h>
-#include <sys/shm.h>
-#include <sys/proc.h>
+#include <sys/shm_internal.h>
+#include <sys/proc_internal.h>
+#include <sys/kauth.h>
  #include <sys/malloc.h>
  #include <sys/mman.h>
  #include <sys/stat.h>
  #include <sys/sysctl.h>
  #include <sys/malloc.h>
  #include <sys/mman.h>
  #include <sys/stat.h>
  #include <sys/sysctl.h>
+#include <sys/ipcs.h>
+#include <sys/sysent.h>
+#include <sys/sysproto.h>
+#if CONFIG_MACF
+#include <security/mac_framework.h>
+#endif
+
+#include <security/audit/audit.h>
  
  #include <mach/mach_types.h>
  #include <mach/vm_inherit.h>
  
  #include <mach/mach_types.h>
  #include <mach/vm_inherit.h>
+#include <mach/vm_map.h>
+
+#include <mach/mach_vm.h>
+
  #include <vm/vm_map.h>
  #include <vm/vm_map.h>
+#include <vm/vm_protos.h>
+#include <vm/vm_kern.h>
  
  
-struct shmat_args;
-extern int shmat __P((struct proc *p, struct shmat_args *uap, int *retval));
-struct shmctl_args;
-extern int shmctl __P((struct proc *p, struct shmctl_args *uap, int *retval));
-struct shmdt_args;
-extern int shmdt __P((struct proc *p, struct shmdt_args *uap, int *retval));
-struct shmget_args;
-extern int shmget __P((struct proc *p, struct shmget_args *uap, int *retval));
+#include <kern/locks.h>
+#include <os/overflow.h>
  
  
-#if 0
-static void shminit __P((void *));
-SYSINIT(sysv_shm, SI_SUB_SYSV_SHM, SI_ORDER_FIRST, shminit, NULL)
-#endif 0
+/* Uncomment this line to see MAC debugging output. */
+/* #define MAC_DEBUG */
+#if CONFIG_MACF_DEBUG
+#define MPRINTF(a)      printf a
+#else
+#define MPRINTF(a)
+#endif
+
+#if SYSV_SHM
+static int shminit(void);
  
  
-struct oshmctl_args;
-static int oshmctl __P((struct proc *p, struct oshmctl_args *uap, int * retval));
-static int shmget_allocate_segment __P((struct proc *p, struct shmget_args *uap, int mode, int * retval));
-static int shmget_existing __P((struct proc *p, struct shmget_args *uap, int mode, int segnum, int  * retval));
+static lck_grp_t       *sysv_shm_subsys_lck_grp;
+static lck_grp_attr_t  *sysv_shm_subsys_lck_grp_attr;
+static lck_attr_t      *sysv_shm_subsys_lck_attr;
+static lck_mtx_t        sysv_shm_subsys_mutex;
  
  
-typedef        int     sy_call_t __P((struct proc *, void *, int *));
+#define SYSV_SHM_SUBSYS_LOCK() lck_mtx_lock(&sysv_shm_subsys_mutex)
+#define SYSV_SHM_SUBSYS_UNLOCK() lck_mtx_unlock(&sysv_shm_subsys_mutex)
+
+static int oshmctl(void *p, void *uap, void *retval);
+static int shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode, int * retval);
+static int shmget_existing(struct shmget_args *uap, int mode, int segnum, int  * retval);
+static void shmid_ds_64to32(struct user_shmid_ds *in, struct user32_shmid_ds *out);
+static void shmid_ds_32to64(struct user32_shmid_ds *in, struct user_shmid_ds *out);
  
  /* XXX casting to (sy_call_t *) is bogus, as usual. */
  
  /* XXX casting to (sy_call_t *) is bogus, as usual. */
-static sy_call_t *shmcalls[] = {
+static sy_call_t* const shmcalls[] = {
         (sy_call_t *)shmat, (sy_call_t *)oshmctl,
         (sy_call_t *)shmdt, (sy_call_t *)shmget,
         (sy_call_t *)shmctl
  };
  
         (sy_call_t *)shmat, (sy_call_t *)oshmctl,
         (sy_call_t *)shmdt, (sy_call_t *)shmget,
         (sy_call_t *)shmctl
  };
  
-#define        SHMSEG_FREE             0x0200
-#define        SHMSEG_REMOVED          0x0400
-#define        SHMSEG_ALLOCATED        0x0800
-#define        SHMSEG_WANTED           0x1000
+#define SHMSEG_FREE             0x0200
+#define SHMSEG_REMOVED          0x0400
+#define SHMSEG_ALLOCATED        0x0800
+#define SHMSEG_WANTED           0x1000
  
  static int shm_last_free, shm_nused, shm_committed;
  
  static int shm_last_free, shm_nused, shm_committed;
-struct shmid_ds        *shmsegs;
+struct shmid_kernel     *shmsegs;       /* 64 bit version */
  static int shm_inited = 0;
  
  static int shm_inited = 0;
  
+/*
+ * Since anonymous memory chunks are limited to ANON_MAX_SIZE bytes,
+ * we have to keep a list of chunks when we want to handle a shared memory
+ * segment bigger than ANON_MAX_SIZE.
+ * Each chunk points to a VM named entry of up to ANON_MAX_SIZE bytes
+ * of anonymous memory.
+ */
  struct shm_handle {
  struct shm_handle {
-       /* vm_offset_t kva; */
-       void * shm_object;
+       void * shm_object;                      /* named entry for this chunk*/
+       memory_object_size_t shm_handle_size;   /* size of this chunk */
+       struct shm_handle *shm_handle_next;     /* next chunk */
  };
  
  struct shmmap_state {
  };
  
  struct shmmap_state {
-       vm_offset_t va;
-       int shmid;
+       mach_vm_address_t va;           /* user address */
+       int shmid;                      /* segment id */
  };
  
  };
  
-static void shm_deallocate_segment __P((struct shmid_ds *));
-static int shm_find_segment_by_key __P((key_t));
-static struct shmid_ds *shm_find_segment_by_shmid __P((int));
-static int shm_delete_mapping __P((struct proc *, struct shmmap_state *));
+static void shm_deallocate_segment(struct shmid_kernel *);
+static int shm_find_segment_by_key(key_t);
+static struct shmid_kernel *shm_find_segment_by_shmid(int);
+static int shm_delete_mapping(struct proc *, struct shmmap_state *, int);
  
  #ifdef __APPLE_API_PRIVATE
  
  #ifdef __APPLE_API_PRIVATE
-struct  shminfo shminfo = {
-        -1,    /* SHMMAX 4096 *1024 */
-        -1,    /* SHMMIN = 1 */
-        -1,    /* SHMMNI = 1 */
-        -1,    /* SHMSEG = 8 */
-        -1     /* SHMALL = 1024 */
+#define DEFAULT_SHMMAX  (4 * 1024 * 1024)
+#define DEFAULT_SHMMIN  1
+#define DEFAULT_SHMMNI  32
+#define DEFAULT_SHMSEG  8
+#define DEFAULT_SHMALL  1024
+
+struct shminfo shminfo = {
+       .shmmax = DEFAULT_SHMMAX,
+       .shmmin = DEFAULT_SHMMIN,
+       .shmmni = DEFAULT_SHMMNI,
+       .shmseg = DEFAULT_SHMSEG,
+       .shmall = DEFAULT_SHMALL
  };
  };
+
+#define SHMID_IS_VALID(x) ((x) >= 0)
+#define SHMID_UNALLOCATED (-1)
+#define SHMID_SENTINEL    (-2)
+
  #endif /* __APPLE_API_PRIVATE */
  
  #endif /* __APPLE_API_PRIVATE */
  
+void sysv_shm_lock_init(void);
+
+static __inline__ time_t
+sysv_shmtime(void)
+{
+       struct timeval  tv;
+       microtime(&tv);
+       return tv.tv_sec;
+}
+
+/*
+ * This conversion is safe, since if we are converting for a 32 bit process,
+ * then it's value of (struct shmid_ds)->shm_segsz will never exceed 4G.
+ *
+ * NOTE: Source and target may *NOT* overlap! (target is smaller)
+ */
+static void
+shmid_ds_64to32(struct user_shmid_ds *in, struct user32_shmid_ds *out)
+{
+       out->shm_perm = in->shm_perm;
+       out->shm_segsz = in->shm_segsz;
+       out->shm_lpid = in->shm_lpid;
+       out->shm_cpid = in->shm_cpid;
+       out->shm_nattch = in->shm_nattch;
+       out->shm_atime = in->shm_atime;
+       out->shm_dtime = in->shm_dtime;
+       out->shm_ctime = in->shm_ctime;
+       out->shm_internal = CAST_DOWN_EXPLICIT(int, in->shm_internal);
+}
+
+/*
+ * NOTE: Source and target may are permitted to overlap! (source is smaller);
+ * this works because we copy fields in order from the end of the struct to
+ * the beginning.
+ */
+static void
+shmid_ds_32to64(struct user32_shmid_ds *in, struct user_shmid_ds *out)
+{
+       out->shm_internal = in->shm_internal;
+       out->shm_ctime = in->shm_ctime;
+       out->shm_dtime = in->shm_dtime;
+       out->shm_atime = in->shm_atime;
+       out->shm_nattch = in->shm_nattch;
+       out->shm_cpid = in->shm_cpid;
+       out->shm_lpid = in->shm_lpid;
+       out->shm_segsz = in->shm_segsz;
+       out->shm_perm = in->shm_perm;
+}
+
+
  static int
  static int
-shm_find_segment_by_key(key)
-       key_t key;
+shm_find_segment_by_key(key_t key)
  {
         int i;
  
  {
         int i;
  
-       for (i = 0; i < shminfo.shmmni; i++)
-               if ((shmsegs[i].shm_perm.mode & SHMSEG_ALLOCATED) &&
-                   shmsegs[i].shm_perm.key == key)
+       for (i = 0; i < shminfo.shmmni; i++) {
+               if ((shmsegs[i].u.shm_perm.mode & SHMSEG_ALLOCATED) &&
+                   shmsegs[i].u.shm_perm._key == key) {
                         return i;
                         return i;
+               }
+       }
         return -1;
  }
  
         return -1;
  }
  
-static struct shmid_ds *
-shm_find_segment_by_shmid(shmid)
-       int shmid;
+static struct shmid_kernel *
+shm_find_segment_by_shmid(int shmid)
  {
         int segnum;
  {
         int segnum;
-       struct shmid_ds *shmseg;
+       struct shmid_kernel *shmseg;
  
         segnum = IPCID_TO_IX(shmid);
  
         segnum = IPCID_TO_IX(shmid);
-       if (segnum < 0 || segnum >= shminfo.shmmni)
+       if (segnum < 0 || segnum >= shminfo.shmmni) {
                 return NULL;
                 return NULL;
+       }
         shmseg = &shmsegs[segnum];
         shmseg = &shmsegs[segnum];
-       if ((shmseg->shm_perm.mode & (SHMSEG_ALLOCATED | SHMSEG_REMOVED))
+       if ((shmseg->u.shm_perm.mode & (SHMSEG_ALLOCATED | SHMSEG_REMOVED))
             != SHMSEG_ALLOCATED ||
             != SHMSEG_ALLOCATED ||
-           shmseg->shm_perm.seq != IPCID_TO_SEQ(shmid))
+           shmseg->u.shm_perm._seq != IPCID_TO_SEQ(shmid)) {
                 return NULL;
                 return NULL;
+       }
         return shmseg;
  }
  
  static void
         return shmseg;
  }
  
  static void
-shm_deallocate_segment(shmseg)
-       struct shmid_ds *shmseg;
+shm_deallocate_segment(struct shmid_kernel *shmseg)
  {
  {
-       struct shm_handle *shm_handle;
-       struct shmmap_state *shmmap_s=NULL;
-       size_t size;
-       char * ptr;
-
-       shm_handle = shmseg->shm_internal;
-       size = round_page(shmseg->shm_segsz);
-       mach_destroy_memory_entry(shm_handle->shm_object);
-       FREE((caddr_t)shm_handle, M_SHM);
-       shmseg->shm_internal = NULL;
+       struct shm_handle *shm_handle, *shm_handle_next;
+       mach_vm_size_t size;
+
+       for (shm_handle = CAST_DOWN(void *, shmseg->u.shm_internal); /* tunnel */
+           shm_handle != NULL;
+           shm_handle = shm_handle_next) {
+               shm_handle_next = shm_handle->shm_handle_next;
+               mach_memory_entry_port_release(shm_handle->shm_object);
+               FREE(shm_handle, M_SHM);
+       }
+       shmseg->u.shm_internal = USER_ADDR_NULL;                /* tunnel */
+       size = vm_map_round_page(shmseg->u.shm_segsz,
+           vm_map_page_mask(current_map()));
         shm_committed -= btoc(size);
         shm_nused--;
         shm_committed -= btoc(size);
         shm_nused--;
-       shmseg->shm_perm.mode = SHMSEG_FREE;
+       shmseg->u.shm_perm.mode = SHMSEG_FREE;
+#if CONFIG_MACF
+       /* Reset the MAC label */
+       mac_sysvshm_label_recycle(shmseg);
+#endif
  }
  
  static int
  }
  
  static int
-shm_delete_mapping(p, shmmap_s)
-       struct proc *p;
-       struct shmmap_state *shmmap_s;
+shm_delete_mapping(__unused struct proc *p, struct shmmap_state *shmmap_s,
+    int deallocate)
  {
  {
-       struct shmid_ds *shmseg;
+       struct shmid_kernel *shmseg;
         int segnum, result;
         int segnum, result;
-       size_t size;
+       mach_vm_size_t size;
  
         segnum = IPCID_TO_IX(shmmap_s->shmid);
         shmseg = &shmsegs[segnum];
  
         segnum = IPCID_TO_IX(shmmap_s->shmid);
         shmseg = &shmsegs[segnum];
-       size = round_page(shmseg->shm_segsz);
-       result = vm_deallocate(current_map(), shmmap_s->va, size);
-       if (result != KERN_SUCCESS)
-               return EINVAL;
-       shmmap_s->shmid = -1;
-       shmseg->shm_dtime = time_second;
-       if ((--shmseg->shm_nattch <= 0) &&
-           (shmseg->shm_perm.mode & SHMSEG_REMOVED)) {
+       size = vm_map_round_page(shmseg->u.shm_segsz,
+           vm_map_page_mask(current_map())); /* XXX done for us? */
+       if (deallocate) {
+               result = mach_vm_deallocate(current_map(), shmmap_s->va, size);
+               if (result != KERN_SUCCESS) {
+                       return EINVAL;
+               }
+       }
+       shmmap_s->shmid = SHMID_UNALLOCATED;
+       shmseg->u.shm_dtime = sysv_shmtime();
+       if ((--shmseg->u.shm_nattch <= 0) &&
+           (shmseg->u.shm_perm.mode & SHMSEG_REMOVED)) {
                 shm_deallocate_segment(shmseg);
                 shm_last_free = segnum;
         }
         return 0;
  }
  
                 shm_deallocate_segment(shmseg);
                 shm_last_free = segnum;
         }
         return 0;
  }
  
-struct shmdt_args {
-       void *shmaddr;
-};
-
  int
  int
-shmdt(p, uap, retval)
-       struct proc *p;
-       struct shmdt_args *uap;
-       register_t *retval;
+shmdt(struct proc *p, struct shmdt_args *uap, int32_t *retval)
  {
  {
+#if CONFIG_MACF
+       struct shmid_kernel *shmsegptr;
+#endif
         struct shmmap_state *shmmap_s;
         int i;
         struct shmmap_state *shmmap_s;
         int i;
+       int shmdtret = 0;
+
+       AUDIT_ARG(svipc_addr, uap->shmaddr);
+
+       SYSV_SHM_SUBSYS_LOCK();
+
+       if ((shmdtret = shminit())) {
+               goto shmdt_out;
+       }
  
  
-       if (!shm_inited)
-               return(EINVAL);
         shmmap_s = (struct shmmap_state *)p->vm_shm;
         shmmap_s = (struct shmmap_state *)p->vm_shm;
-       if (shmmap_s == NULL)
-           return EINVAL;
-       for (i = 0; i < shminfo.shmseg; i++, shmmap_s++)
-               if (shmmap_s->shmid != -1 &&
-                   shmmap_s->va == (vm_offset_t)uap->shmaddr)
+       if (shmmap_s == NULL) {
+               shmdtret = EINVAL;
+               goto shmdt_out;
+       }
+
+       for (; shmmap_s->shmid != SHMID_SENTINEL; shmmap_s++) {
+               if (SHMID_IS_VALID(shmmap_s->shmid) &&
+                   shmmap_s->va == (mach_vm_offset_t)uap->shmaddr) {
                         break;
                         break;
-       if (i == shminfo.shmseg)
-               return EINVAL;
-       return shm_delete_mapping(p, shmmap_s);
-}
+               }
+       }
  
  
-#ifndef _SYS_SYSPROTO_H_
-struct shmat_args {
-       int shmid;
-       void *shmaddr;
-       int shmflg;
-};
+       if (!SHMID_IS_VALID(shmmap_s->shmid)) {
+               shmdtret = EINVAL;
+               goto shmdt_out;
+       }
+
+#if CONFIG_MACF
+       /*
+        * XXX: It might be useful to move this into the shm_delete_mapping
+        * function
+        */
+       shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)];
+       shmdtret = mac_sysvshm_check_shmdt(kauth_cred_get(), shmsegptr);
+       if (shmdtret) {
+               goto shmdt_out;
+       }
  #endif
  #endif
+       i = shm_delete_mapping(p, shmmap_s, 1);
+
+       if (i == 0) {
+               *retval = 0;
+       }
+       shmdtret = i;
+shmdt_out:
+       SYSV_SHM_SUBSYS_UNLOCK();
+       return shmdtret;
+}
  
  int
  
  int
-shmat(p, uap, retval)
-       struct proc *p;
-       struct shmat_args *uap;
-       register_t *retval;
+shmat(struct proc *p, struct shmat_args *uap, user_addr_t *retval)
  {
         int error, i, flags;
  {
         int error, i, flags;
-       struct ucred *cred = p->p_ucred;
-       struct shmid_ds *shmseg;
-       struct shmmap_state *shmmap_s = NULL;
-       struct shm_handle *shm_handle;
-       vm_offset_t attach_va;
-       vm_prot_t prot;
-       vm_size_t size;
-       kern_return_t rv;
+       struct shmid_kernel     *shmseg;
+       struct shmmap_state     *shmmap_s = NULL;
+       struct shm_handle       *shm_handle;
+       mach_vm_address_t       attach_va;      /* attach address in/out */
+       mach_vm_address_t       shmlba;
+       mach_vm_size_t          map_size;       /* size of map entry */
+       mach_vm_size_t          mapped_size;
+       vm_prot_t           prot;
+       size_t              size;
+       kern_return_t           rv;
+       int                     shmat_ret;
+       int                     vm_flags;
+
+       shmat_ret = 0;
+
+       AUDIT_ARG(svipc_id, uap->shmid);
+       AUDIT_ARG(svipc_addr, uap->shmaddr);
+
+       SYSV_SHM_SUBSYS_LOCK();
+
+       if ((shmat_ret = shminit())) {
+               goto shmat_out;
+       }
  
  
-       if (!shm_inited)
-               return(EINVAL);
         shmmap_s = (struct shmmap_state *)p->vm_shm;
         if (shmmap_s == NULL) {
         shmmap_s = (struct shmmap_state *)p->vm_shm;
         if (shmmap_s == NULL) {
-               size = shminfo.shmseg * sizeof(struct shmmap_state);
-               shmmap_s = (struct shmmap_state *)_MALLOC(size, M_SHM, M_WAITOK);
-               for (i = 0; i < shminfo.shmseg; i++)
-                       shmmap_s[i].shmid = -1;
+               /* lazily allocate the shm map */
+
+               int nsegs = shminfo.shmseg;
+               if (nsegs <= 0) {
+                       shmat_ret = EMFILE;
+                       goto shmat_out;
+               }
+
+               /* +1 for the sentinel */
+               if (os_add_and_mul_overflow(nsegs, 1, sizeof(struct shmmap_state), &size)) {
+                       shmat_ret = ENOMEM;
+                       goto shmat_out;
+               }
+
+               MALLOC(shmmap_s, struct shmmap_state *, size, M_SHM, M_WAITOK | M_NULL);
+               if (shmmap_s == NULL) {
+                       shmat_ret = ENOMEM;
+                       goto shmat_out;
+               }
+
+               /* initialize the entries */
+               for (i = 0; i < nsegs; i++) {
+                       shmmap_s[i].shmid = SHMID_UNALLOCATED;
+               }
+               shmmap_s[i].shmid = SHMID_SENTINEL;
+
                 p->vm_shm = (caddr_t)shmmap_s;
         }
                 p->vm_shm = (caddr_t)shmmap_s;
         }
+
         shmseg = shm_find_segment_by_shmid(uap->shmid);
         shmseg = shm_find_segment_by_shmid(uap->shmid);
-       if (shmseg == NULL)
-               return EINVAL;
-       error = ipcperm(cred, &shmseg->shm_perm,
-           (uap->shmflg & SHM_RDONLY) ? IPC_R : IPC_R|IPC_W);
-       if (error)
-               return error;
-       for (i = 0; i < shminfo.shmseg; i++) {
-               if (shmmap_s->shmid == -1)
-                       break;
+       if (shmseg == NULL) {
+               shmat_ret = EINVAL;
+               goto shmat_out;
+       }
+
+       AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
+       error = ipcperm(kauth_cred_get(), &shmseg->u.shm_perm,
+           (uap->shmflg & SHM_RDONLY) ? IPC_R : IPC_R | IPC_W);
+       if (error) {
+               shmat_ret = error;
+               goto shmat_out;
+       }
+
+#if CONFIG_MACF
+       error = mac_sysvshm_check_shmat(kauth_cred_get(), shmseg, uap->shmflg);
+       if (error) {
+               shmat_ret = error;
+               goto shmat_out;
+       }
+#endif
+
+       /* find a free shmid */
+       while (SHMID_IS_VALID(shmmap_s->shmid)) {
                 shmmap_s++;
         }
                 shmmap_s++;
         }
-       if (i >= shminfo.shmseg)
-               return EMFILE;
-       size = round_page(shmseg->shm_segsz);
+       if (shmmap_s->shmid != SHMID_UNALLOCATED) {
+               /* no free shmids */
+               shmat_ret = EMFILE;
+               goto shmat_out;
+       }
+
+       map_size = vm_map_round_page(shmseg->u.shm_segsz,
+           vm_map_page_mask(current_map()));
         prot = VM_PROT_READ;
         prot = VM_PROT_READ;
-       if ((uap->shmflg & SHM_RDONLY) == 0)
+       if ((uap->shmflg & SHM_RDONLY) == 0) {
                 prot |= VM_PROT_WRITE;
                 prot |= VM_PROT_WRITE;
+       }
         flags = MAP_ANON | MAP_SHARED;
         if (uap->shmaddr) {
                 flags |= MAP_FIXED;
         flags = MAP_ANON | MAP_SHARED;
         if (uap->shmaddr) {
                 flags |= MAP_FIXED;
-               if (uap->shmflg & SHM_RND)
-                       attach_va = (vm_offset_t)uap->shmaddr & ~(SHMLBA-1);
-               else if (((vm_offset_t)uap->shmaddr & (SHMLBA-1)) == 0)
-                       attach_va = (vm_offset_t)uap->shmaddr;
-               else
-                       return EINVAL;
+       }
+
+       attach_va = (mach_vm_address_t)uap->shmaddr;
+       shmlba = vm_map_page_size(current_map()); /* XXX instead of SHMLBA */
+       if (uap->shmflg & SHM_RND) {
+               attach_va &= ~(shmlba - 1);
+       } else if ((attach_va & (shmlba - 1)) != 0) {
+               shmat_ret = EINVAL;
+               goto shmat_out;
+       }
+
+       if (flags & MAP_FIXED) {
+               vm_flags = VM_FLAGS_FIXED;
         } else {
         } else {
-               attach_va = round_page(uap->shmaddr);
+               vm_flags = VM_FLAGS_ANYWHERE;
         }
  
         }
  
-       shm_handle = shmseg->shm_internal;
-       rv = vm_map(current_map(), &attach_va, size, 0, (flags & MAP_FIXED)? FALSE: TRUE,
-               shm_handle->shm_object, 0, FALSE, prot, prot, VM_INHERIT_DEFAULT);
-       if (rv != KERN_SUCCESS) 
-                       goto out;
-       rv = vm_inherit(current_map(), attach_va, size,
-                       VM_INHERIT_SHARE);
+       mapped_size = 0;
+
+       /* first reserve enough space... */
+       rv = mach_vm_map_kernel(current_map(),
+           &attach_va,
+           map_size,
+           0,
+           vm_flags,
+           VM_MAP_KERNEL_FLAGS_NONE,
+           VM_KERN_MEMORY_NONE,
+           IPC_PORT_NULL,
+           0,
+           FALSE,
+           VM_PROT_NONE,
+           VM_PROT_NONE,
+           VM_INHERIT_NONE);
         if (rv != KERN_SUCCESS) {
         if (rv != KERN_SUCCESS) {
-               (void) vm_deallocate(current_map(), attach_va, size);
                 goto out;
         }
  
         shmmap_s->va = attach_va;
                 goto out;
         }
  
         shmmap_s->va = attach_va;
+
+       /* ... then map the shared memory over the reserved space */
+       for (shm_handle = CAST_DOWN(void *, shmseg->u.shm_internal);/* tunnel */
+           shm_handle != NULL;
+           shm_handle = shm_handle->shm_handle_next) {
+               vm_map_size_t chunk_size;
+
+               assert(mapped_size < map_size);
+               chunk_size = shm_handle->shm_handle_size;
+               if (chunk_size > map_size - mapped_size) {
+                       /*
+                        * Partial mapping of last chunk due to
+                        * page size mismatch.
+                        */
+                       assert(vm_map_page_shift(current_map()) < PAGE_SHIFT);
+                       assert(shm_handle->shm_handle_next == NULL);
+                       chunk_size = map_size - mapped_size;
+               }
+               rv = vm_map_enter_mem_object(
+                       current_map(),          /* process map */
+                       &attach_va,             /* attach address */
+                       chunk_size,             /* size to map */
+                       (mach_vm_offset_t)0,    /* alignment mask */
+                       VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE,
+                       VM_MAP_KERNEL_FLAGS_NONE,
+                       VM_KERN_MEMORY_NONE,
+                       shm_handle->shm_object,
+                       (mach_vm_offset_t)0,
+                       FALSE,
+                       prot,
+                       prot,
+                       VM_INHERIT_SHARE);
+               if (rv != KERN_SUCCESS) {
+                       goto out;
+               }
+
+               mapped_size += chunk_size;
+               attach_va = attach_va + chunk_size;
+       }
+
         shmmap_s->shmid = uap->shmid;
         shmmap_s->shmid = uap->shmid;
-       shmseg->shm_lpid = p->p_pid;
-       shmseg->shm_atime = time_second;
-       shmseg->shm_nattch++;
-       *retval = attach_va;
-       return( 0);
+       shmseg->u.shm_lpid = p->p_pid;
+       shmseg->u.shm_atime = sysv_shmtime();
+       shmseg->u.shm_nattch++;
+       *retval = shmmap_s->va; /* XXX return -1 on error */
+       shmat_ret = 0;
+       goto shmat_out;
  out:
  out:
+       if (mapped_size > 0) {
+               (void) mach_vm_deallocate(current_map(),
+                   shmmap_s->va,
+                   mapped_size);
+       }
         switch (rv) {
         case KERN_INVALID_ADDRESS:
         case KERN_NO_SPACE:
         switch (rv) {
         case KERN_INVALID_ADDRESS:
         case KERN_NO_SPACE:
-               return (ENOMEM);
+               shmat_ret = ENOMEM;
+               break;
         case KERN_PROTECTION_FAILURE:
         case KERN_PROTECTION_FAILURE:
-               return (EACCES);
+               shmat_ret = EACCES;
+               break;
         default:
         default:
-               return (EINVAL);
+               shmat_ret = EINVAL;
+               break;
         }
         }
-
+shmat_out:
+       SYSV_SHM_SUBSYS_UNLOCK();
+       return shmat_ret;
  }
  
  }
  
-struct oshmid_ds {
-       struct  ipc_perm shm_perm;      /* operation perms */
-       int     shm_segsz;              /* size of segment (bytes) */
-       ushort  shm_cpid;               /* pid, creator */
-       ushort  shm_lpid;               /* pid, last operation */
-       short   shm_nattch;             /* no. of current attaches */
-       time_t  shm_atime;              /* last attach time */
-       time_t  shm_dtime;              /* last detach time */
-       time_t  shm_ctime;              /* last change time */
-       void    *shm_handle;            /* internal handle for shm segment */
-};
-
-struct oshmctl_args {
-       int shmid;
-       int cmd;
-       struct oshmid_ds *ubuf;
-};
-
  static int
  static int
-oshmctl(p, uap, retval)
-       struct proc *p;
-       struct oshmctl_args *uap;
-       register_t *retval;
+oshmctl(__unused void *p, __unused void *uap, __unused void *retval)
  {
  {
-#ifdef COMPAT_43
-       int error;
-       struct ucred *cred = p->p_ucred;
-       struct shmid_ds *shmseg;
-       struct oshmid_ds outbuf;
-
-       if (!shm_inited)
-               return(EINVAL);
-       shmseg = shm_find_segment_by_shmid(uap->shmid);
-       if (shmseg == NULL)
-               return EINVAL;
-       switch (uap->cmd) {
-       case IPC_STAT:
-               error = ipcperm(cred, &shmseg->shm_perm, IPC_R);
-               if (error)
-                       return error;
-               outbuf.shm_perm = shmseg->shm_perm;
-               outbuf.shm_segsz = shmseg->shm_segsz;
-               outbuf.shm_cpid = shmseg->shm_cpid;
-               outbuf.shm_lpid = shmseg->shm_lpid;
-               outbuf.shm_nattch = shmseg->shm_nattch;
-               outbuf.shm_atime = shmseg->shm_atime;
-               outbuf.shm_dtime = shmseg->shm_dtime;
-               outbuf.shm_ctime = shmseg->shm_ctime;
-               outbuf.shm_handle = shmseg->shm_internal;
-               error = copyout((caddr_t)&outbuf, uap->ubuf, sizeof(outbuf));
-               if (error)
-                       return error;
-               break;
-       default:
-               /* XXX casting to (sy_call_t *) is bogus, as usual. */
-               return ((sy_call_t *)shmctl)(p, uap, retval);
-       }
-       return 0;
-#else
         return EINVAL;
         return EINVAL;
-#endif
  }
  
  }
  
-#ifndef _SYS_SYSPROTO_H_
-struct shmctl_args {
-       int shmid;
-       int cmd;
-       struct shmid_ds *buf;
-};
-#endif
-
+/*
+ * Returns:    0                       Success
+ *             EINVAL
+ *     copyout:EFAULT
+ *     copyin:EFAULT
+ *     ipcperm:EPERM
+ *     ipcperm:EACCES
+ */
  int
  int
-shmctl(p, uap,         retval)
-       struct proc *p;
-       struct shmctl_args *uap;
-       register_t *retval;
+shmctl(__unused struct proc *p, struct shmctl_args *uap, int32_t *retval)
  {
         int error;
  {
         int error;
-       struct ucred *cred = p->p_ucred;
-       struct shmid_ds inbuf;
-       struct shmid_ds *shmseg;
+       kauth_cred_t cred = kauth_cred_get();
+       struct user_shmid_ds inbuf;
+       struct shmid_kernel *shmseg;
+
+       int shmctl_ret = 0;
+
+       AUDIT_ARG(svipc_cmd, uap->cmd);
+       AUDIT_ARG(svipc_id, uap->shmid);
+
+       SYSV_SHM_SUBSYS_LOCK();
+
+       if ((shmctl_ret = shminit())) {
+               goto shmctl_out;
+       }
  
  
-       if (!shm_inited)
-               return(EINVAL);
         shmseg = shm_find_segment_by_shmid(uap->shmid);
         shmseg = shm_find_segment_by_shmid(uap->shmid);
-       if (shmseg == NULL)
-               return EINVAL;
+       if (shmseg == NULL) {
+               shmctl_ret = EINVAL;
+               goto shmctl_out;
+       }
+
+       /* XXAUDIT: This is the perms BEFORE any change by this call. This
+        * may not be what is desired.
+        */
+       AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
+
+#if CONFIG_MACF
+       error = mac_sysvshm_check_shmctl(cred, shmseg, uap->cmd);
+       if (error) {
+               shmctl_ret = error;
+               goto shmctl_out;
+       }
+#endif
         switch (uap->cmd) {
         case IPC_STAT:
         switch (uap->cmd) {
         case IPC_STAT:
-               error = ipcperm(cred, &shmseg->shm_perm, IPC_R);
-               if (error)
-                       return error;
-               error = copyout((caddr_t)shmseg, uap->buf, sizeof(inbuf));
-               if (error)
-                       return error;
+               error = ipcperm(cred, &shmseg->u.shm_perm, IPC_R);
+               if (error) {
+                       shmctl_ret = error;
+                       goto shmctl_out;
+               }
+
+               if (IS_64BIT_PROCESS(p)) {
+                       struct user_shmid_ds shmid_ds = {};
+                       memcpy(&shmid_ds, &shmseg->u, sizeof(struct user_shmid_ds));
+
+                       /* Clear kernel reserved pointer before copying to user space */
+                       shmid_ds.shm_internal = USER_ADDR_NULL;
+
+                       error = copyout(&shmid_ds, uap->buf, sizeof(shmid_ds));
+               } else {
+                       struct user32_shmid_ds shmid_ds32 = {};
+                       shmid_ds_64to32(&shmseg->u, &shmid_ds32);
+
+                       /* Clear kernel reserved pointer before copying to user space */
+                       shmid_ds32.shm_internal = (user32_addr_t)0;
+
+                       error = copyout(&shmid_ds32, uap->buf, sizeof(shmid_ds32));
+               }
+               if (error) {
+                       shmctl_ret = error;
+                       goto shmctl_out;
+               }
                 break;
         case IPC_SET:
                 break;
         case IPC_SET:
-               error = ipcperm(cred, &shmseg->shm_perm, IPC_M);
-               if (error)
-                       return error;
-               error = copyin(uap->buf, (caddr_t)&inbuf, sizeof(inbuf));
-               if (error)
-                       return error;
-               shmseg->shm_perm.uid = inbuf.shm_perm.uid;
-               shmseg->shm_perm.gid = inbuf.shm_perm.gid;
-               shmseg->shm_perm.mode =
-                   (shmseg->shm_perm.mode & ~ACCESSPERMS) |
+               error = ipcperm(cred, &shmseg->u.shm_perm, IPC_M);
+               if (error) {
+                       shmctl_ret = error;
+                       goto shmctl_out;
+               }
+               if (IS_64BIT_PROCESS(p)) {
+                       error = copyin(uap->buf, &inbuf, sizeof(struct user_shmid_ds));
+               } else {
+                       struct user32_shmid_ds shmid_ds32;
+                       error = copyin(uap->buf, &shmid_ds32, sizeof(shmid_ds32));
+                       /* convert in place; ugly, but safe */
+                       shmid_ds_32to64(&shmid_ds32, &inbuf);
+               }
+               if (error) {
+                       shmctl_ret = error;
+                       goto shmctl_out;
+               }
+               shmseg->u.shm_perm.uid = inbuf.shm_perm.uid;
+               shmseg->u.shm_perm.gid = inbuf.shm_perm.gid;
+               shmseg->u.shm_perm.mode =
+                   (shmseg->u.shm_perm.mode & ~ACCESSPERMS) |
                     (inbuf.shm_perm.mode & ACCESSPERMS);
                     (inbuf.shm_perm.mode & ACCESSPERMS);
-               shmseg->shm_ctime = time_second;
+               shmseg->u.shm_ctime = sysv_shmtime();
                 break;
         case IPC_RMID:
                 break;
         case IPC_RMID:
-               error = ipcperm(cred, &shmseg->shm_perm, IPC_M);
-               if (error)
-                       return error;
-               shmseg->shm_perm.key = IPC_PRIVATE;
-               shmseg->shm_perm.mode |= SHMSEG_REMOVED;
-               if (shmseg->shm_nattch <= 0) {
+               error = ipcperm(cred, &shmseg->u.shm_perm, IPC_M);
+               if (error) {
+                       shmctl_ret = error;
+                       goto shmctl_out;
+               }
+               shmseg->u.shm_perm._key = IPC_PRIVATE;
+               shmseg->u.shm_perm.mode |= SHMSEG_REMOVED;
+               if (shmseg->u.shm_nattch <= 0) {
                         shm_deallocate_segment(shmseg);
                         shm_last_free = IPCID_TO_IX(uap->shmid);
                 }
                         shm_deallocate_segment(shmseg);
                         shm_last_free = IPCID_TO_IX(uap->shmid);
                 }
@@ -454,302 +709,634 @@ shmctl(p, uap,  retval)
         case SHM_UNLOCK:
  #endif
         default:
         case SHM_UNLOCK:
  #endif
         default:
-               return EINVAL;
+               shmctl_ret = EINVAL;
+               goto shmctl_out;
         }
         }
-       return 0;
+       *retval = 0;
+       shmctl_ret = 0;
+shmctl_out:
+       SYSV_SHM_SUBSYS_UNLOCK();
+       return shmctl_ret;
  }
  
  }
  
-#ifndef _SYS_SYSPROTO_H_
-struct shmget_args {
-       key_t key;
-       size_t size;
-       int shmflg;
-};
-#endif
-
  static int
  static int
-shmget_existing(p, uap, mode, segnum, retval)
-       struct proc *p;
-       struct shmget_args *uap;
-       int mode;
-       int segnum;
-       int *retval;
+shmget_existing(struct shmget_args *uap, int mode, int segnum, int *retval)
  {
  {
-       struct shmid_ds *shmseg;
-       struct ucred *cred = p->p_ucred;
-       int error;
+       struct shmid_kernel *shmseg;
+       int error = 0;
  
         shmseg = &shmsegs[segnum];
  
         shmseg = &shmsegs[segnum];
-       if (shmseg->shm_perm.mode & SHMSEG_REMOVED) {
+       if (shmseg->u.shm_perm.mode & SHMSEG_REMOVED) {
                 /*
                  * This segment is in the process of being allocated.  Wait
                  * until it's done, and look the key up again (in case the
                  * allocation failed or it was freed).
                  */
                 /*
                  * This segment is in the process of being allocated.  Wait
                  * until it's done, and look the key up again (in case the
                  * allocation failed or it was freed).
                  */
-               shmseg->shm_perm.mode |= SHMSEG_WANTED;
+               shmseg->u.shm_perm.mode |= SHMSEG_WANTED;
                 error = tsleep((caddr_t)shmseg, PLOCK | PCATCH, "shmget", 0);
                 error = tsleep((caddr_t)shmseg, PLOCK | PCATCH, "shmget", 0);
-               if (error)
+               if (error) {
                         return error;
                         return error;
+               }
                 return EAGAIN;
         }
                 return EAGAIN;
         }
-       error = ipcperm(cred, &shmseg->shm_perm, mode);
-       if (error)
+
+       /*
+        * The low 9 bits of shmflag are the mode bits being requested, which
+        * are the actual mode bits desired on the segment, and not in IPC_R
+        * form; therefore it would be incorrect to call ipcperm() to validate
+        * them; instead, we AND the existing mode with the requested mode, and
+        * verify that it matches the requested mode; otherwise, we fail with
+        * EACCES (access denied).
+        */
+       if ((shmseg->u.shm_perm.mode & mode) != mode) {
+               return EACCES;
+       }
+
+#if CONFIG_MACF
+       error = mac_sysvshm_check_shmget(kauth_cred_get(), shmseg, uap->shmflg);
+       if (error) {
                 return error;
                 return error;
-       if (uap->size && uap->size > shmseg->shm_segsz)
+       }
+#endif
+
+       if (uap->size && uap->size > shmseg->u.shm_segsz) {
                 return EINVAL;
                 return EINVAL;
-       if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL))
+       }
+
+       if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL)) {
                 return EEXIST;
                 return EEXIST;
-       *retval = IXSEQ_TO_IPCID(segnum, shmseg->shm_perm);
+       }
+
+       *retval = IXSEQ_TO_IPCID(segnum, shmseg->u.shm_perm);
         return 0;
  }
  
  static int
         return 0;
  }
  
  static int
-shmget_allocate_segment(p, uap, mode, retval)
-       struct proc *p;
-       struct shmget_args *uap;
-       int mode;
-       int * retval;
+shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode,
+    int *retval)
  {
  {
-       int i, segnum, shmid, size;
-       struct ucred *cred = p->p_ucred;
-       struct shmid_ds *shmseg;
+       int i, segnum, shmid;
+       kauth_cred_t cred = kauth_cred_get();
+       struct shmid_kernel *shmseg;
         struct shm_handle *shm_handle;
         kern_return_t kret;
         struct shm_handle *shm_handle;
         kern_return_t kret;
-       vm_offset_t user_addr;
+       mach_vm_size_t total_size, size, alloc_size;
         void * mem_object;
         void * mem_object;
+       struct shm_handle *shm_handle_next, **shm_handle_next_p;
  
  
-       if (uap->size < shminfo.shmmin || uap->size > shminfo.shmmax)
+       if (uap->size <= 0 ||
+           uap->size < (user_size_t)shminfo.shmmin ||
+           uap->size > (user_size_t)shminfo.shmmax) {
                 return EINVAL;
                 return EINVAL;
-       if (shm_nused >= shminfo.shmmni) /* any shmids left? */
+       }
+       if (shm_nused >= shminfo.shmmni) { /* any shmids left? */
                 return ENOSPC;
                 return ENOSPC;
-       size = round_page(uap->size);
-       if (shm_committed + btoc(size) > shminfo.shmall)
+       }
+       if (mach_vm_round_page_overflow(uap->size, &total_size)) {
+               return EINVAL;
+       }
+       if ((user_ssize_t)(shm_committed + btoc(total_size)) > shminfo.shmall) {
                 return ENOMEM;
                 return ENOMEM;
+       }
         if (shm_last_free < 0) {
         if (shm_last_free < 0) {
-               for (i = 0; i < shminfo.shmmni; i++)
-                       if (shmsegs[i].shm_perm.mode & SHMSEG_FREE)
+               for (i = 0; i < shminfo.shmmni; i++) {
+                       if (shmsegs[i].u.shm_perm.mode & SHMSEG_FREE) {
                                 break;
                                 break;
-               if (i == shminfo.shmmni)
+                       }
+               }
+               if (i == shminfo.shmmni) {
                         panic("shmseg free count inconsistent");
                         panic("shmseg free count inconsistent");
+               }
                 segnum = i;
                 segnum = i;
-       } else  {
+       } else {
                 segnum = shm_last_free;
                 shm_last_free = -1;
         }
         shmseg = &shmsegs[segnum];
                 segnum = shm_last_free;
                 shm_last_free = -1;
         }
         shmseg = &shmsegs[segnum];
+
         /*
          * In case we sleep in malloc(), mark the segment present but deleted
          * so that noone else tries to create the same key.
         /*
          * In case we sleep in malloc(), mark the segment present but deleted
          * so that noone else tries to create the same key.
+        * XXX but we don't release the global lock !?
          */
          */
-       kret = vm_allocate(current_map(), &user_addr, size, TRUE);
-       if (kret != KERN_SUCCESS) 
-               goto out;
+       shmseg->u.shm_perm.mode = SHMSEG_ALLOCATED | SHMSEG_REMOVED;
+       shmseg->u.shm_perm._key = uap->key;
+       shmseg->u.shm_perm._seq = (shmseg->u.shm_perm._seq + 1) & 0x7fff;
+
+       shm_handle_next_p = NULL;
+       for (alloc_size = 0;
+           alloc_size < total_size;
+           alloc_size += size) {
+               size = MIN(total_size - alloc_size, ANON_MAX_SIZE);
+               kret = mach_make_memory_entry_64(
+                       VM_MAP_NULL,
+                       (memory_object_size_t *) &size,
+                       (memory_object_offset_t) 0,
+                       MAP_MEM_NAMED_CREATE | VM_PROT_DEFAULT,
+                       (ipc_port_t *) &mem_object, 0);
+               if (kret != KERN_SUCCESS) {
+                       goto out;
+               }
+
+               MALLOC(shm_handle, struct shm_handle *, sizeof(struct shm_handle), M_SHM, M_WAITOK);
+               if (shm_handle == NULL) {
+                       kret = KERN_NO_SPACE;
+                       mach_memory_entry_port_release(mem_object);
+                       mem_object = NULL;
+                       goto out;
+               }
+               shm_handle->shm_object = mem_object;
+               shm_handle->shm_handle_size = size;
+               shm_handle->shm_handle_next = NULL;
+               if (shm_handle_next_p == NULL) {
+                       shmseg->u.shm_internal = CAST_USER_ADDR_T(shm_handle);/* tunnel */
+               } else {
+                       *shm_handle_next_p = shm_handle;
+               }
+               shm_handle_next_p = &shm_handle->shm_handle_next;
+       }
  
  
-       kret = mach_make_memory_entry (current_map(), &size,
-                       user_addr, VM_PROT_DEFAULT, &mem_object, 0);
+       shmid = IXSEQ_TO_IPCID(segnum, shmseg->u.shm_perm);
  
  
-       if (kret != KERN_SUCCESS) 
-               goto out;
-       shmseg->shm_perm.mode = SHMSEG_ALLOCATED | SHMSEG_REMOVED;
-       shmseg->shm_perm.key = uap->key;
-       shmseg->shm_perm.seq = (shmseg->shm_perm.seq + 1) & 0x7fff;
-       shm_handle = (struct shm_handle *)
-           _MALLOC(sizeof(struct shm_handle), M_SHM, M_WAITOK);
-       shm_handle->shm_object = mem_object;
-       shmid = IXSEQ_TO_IPCID(segnum, shmseg->shm_perm);
-
-       shmseg->shm_internal = shm_handle;
-       shmseg->shm_perm.cuid = shmseg->shm_perm.uid = cred->cr_uid;
-       shmseg->shm_perm.cgid = shmseg->shm_perm.gid = cred->cr_gid;
-       shmseg->shm_perm.mode = (shmseg->shm_perm.mode & SHMSEG_WANTED) |
+       shmseg->u.shm_perm.cuid = shmseg->u.shm_perm.uid = kauth_cred_getuid(cred);
+       shmseg->u.shm_perm.cgid = shmseg->u.shm_perm.gid = kauth_cred_getgid(cred);
+       shmseg->u.shm_perm.mode = (shmseg->u.shm_perm.mode & SHMSEG_WANTED) |
             (mode & ACCESSPERMS) | SHMSEG_ALLOCATED;
             (mode & ACCESSPERMS) | SHMSEG_ALLOCATED;
-       shmseg->shm_segsz = uap->size;
-       shmseg->shm_cpid = p->p_pid;
-       shmseg->shm_lpid = shmseg->shm_nattch = 0;
-       shmseg->shm_atime = shmseg->shm_dtime = 0;
-       shmseg->shm_ctime = time_second;
+       shmseg->u.shm_segsz = uap->size;
+       shmseg->u.shm_cpid = p->p_pid;
+       shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0;
+       shmseg->u.shm_atime = shmseg->u.shm_dtime = 0;
+#if CONFIG_MACF
+       mac_sysvshm_label_associate(cred, shmseg);
+#endif
+       shmseg->u.shm_ctime = sysv_shmtime();
         shm_committed += btoc(size);
         shm_nused++;
         shm_committed += btoc(size);
         shm_nused++;
-       if (shmseg->shm_perm.mode & SHMSEG_WANTED) {
+       AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm);
+       if (shmseg->u.shm_perm.mode & SHMSEG_WANTED) {
                 /*
                  * Somebody else wanted this key while we were asleep.  Wake
                  * them up now.
                  */
                 /*
                  * Somebody else wanted this key while we were asleep.  Wake
                  * them up now.
                  */
-               shmseg->shm_perm.mode &= ~SHMSEG_WANTED;
+               shmseg->u.shm_perm.mode &= ~SHMSEG_WANTED;
                 wakeup((caddr_t)shmseg);
         }
         *retval = shmid;
                 wakeup((caddr_t)shmseg);
         }
         *retval = shmid;
+       AUDIT_ARG(svipc_id, shmid);
         return 0;
         return 0;
-out: 
+out:
+       if (kret != KERN_SUCCESS) {
+               for (shm_handle = CAST_DOWN(void *, shmseg->u.shm_internal); /* tunnel */
+                   shm_handle != NULL;
+                   shm_handle = shm_handle_next) {
+                       shm_handle_next = shm_handle->shm_handle_next;
+                       mach_memory_entry_port_release(shm_handle->shm_object);
+                       FREE(shm_handle, M_SHM);
+               }
+               shmseg->u.shm_internal = USER_ADDR_NULL; /* tunnel */
+       }
+
         switch (kret) {
         case KERN_INVALID_ADDRESS:
         case KERN_NO_SPACE:
         switch (kret) {
         case KERN_INVALID_ADDRESS:
         case KERN_NO_SPACE:
-               return (ENOMEM);
+               return ENOMEM;
         case KERN_PROTECTION_FAILURE:
         case KERN_PROTECTION_FAILURE:
-               return (EACCES);
+               return EACCES;
         default:
         default:
-               return (EINVAL);
+               return EINVAL;
         }
         }
-
  }
  
  int
  }
  
  int
-shmget(p, uap, retval)
-       struct proc *p;
-       struct shmget_args *uap;
-       register_t *retval;
+shmget(struct proc *p, struct shmget_args *uap, int32_t *retval)
  {
         int segnum, mode, error;
  {
         int segnum, mode, error;
+       int shmget_ret = 0;
+
+       /* Auditing is actually done in shmget_allocate_segment() */
  
  
-       if (!shm_inited)
-               return(EINVAL);
+       SYSV_SHM_SUBSYS_LOCK();
+
+       if ((shmget_ret = shminit())) {
+               goto shmget_out;
+       }
  
         mode = uap->shmflg & ACCESSPERMS;
         if (uap->key != IPC_PRIVATE) {
  
         mode = uap->shmflg & ACCESSPERMS;
         if (uap->key != IPC_PRIVATE) {
-       again:
+again:
                 segnum = shm_find_segment_by_key(uap->key);
                 if (segnum >= 0) {
                 segnum = shm_find_segment_by_key(uap->key);
                 if (segnum >= 0) {
-                       error = shmget_existing(p, uap, mode, segnum, retval);
-                       if (error == EAGAIN)
+                       error = shmget_existing(uap, mode, segnum, retval);
+                       if (error == EAGAIN) {
                                 goto again;
                                 goto again;
-                       return(error);
+                       }
+                       shmget_ret = error;
+                       goto shmget_out;
+               }
+               if ((uap->shmflg & IPC_CREAT) == 0) {
+                       shmget_ret = ENOENT;
+                       goto shmget_out;
                 }
                 }
-               if ((uap->shmflg & IPC_CREAT) == 0)
-                       return ENOENT;
         }
         }
-       return( shmget_allocate_segment(p, uap, mode, retval));;
-       /*NOTREACHED*/
-
+       shmget_ret = shmget_allocate_segment(p, uap, mode, retval);
+shmget_out:
+       SYSV_SHM_SUBSYS_UNLOCK();
+       return shmget_ret;
  }
  
  }
  
-struct shmsys_args  {
-       u_int   which;
-       int     a2;
-       int     a3;
-       int     a4;
-};
+/*
+ * shmsys
+ *
+ * Entry point for all SHM calls: shmat, oshmctl, shmdt, shmget, shmctl
+ *
+ * Parameters: p       Process requesting the call
+ *              uap    User argument descriptor (see below)
+ *              retval Return value of the selected shm call
+ *
+ * Indirect parameters:        uap->which      msg call to invoke (index in array of shm calls)
+ *                      uap->a2                User argument descriptor
+ *
+ * Returns:    0       Success
+ *              !0     Not success
+ *
+ * Implicit returns: retval     Return value of the selected shm call
+ *
+ * DEPRECATED:  This interface should not be used to call the other SHM
+ *              functions (shmat, oshmctl, shmdt, shmget, shmctl). The correct
+ *              usage is to call the other SHM functions directly.
+ */
  int
  int
-shmsys(p, uap, retval)
-       struct proc *p;
-       /* XXX actually varargs. */
-       struct shmsys_args *uap;
-       register_t *retval;
+shmsys(struct proc *p, struct shmsys_args *uap, int32_t *retval)
  {
  {
+       /* The routine that we are dispatching already does this */
  
  
-       if (!shm_inited)
-               return(EINVAL);
-
-       if (uap->which >= sizeof(shmcalls)/sizeof(shmcalls[0]))
+       if (uap->which >= sizeof(shmcalls) / sizeof(shmcalls[0])) {
                 return EINVAL;
                 return EINVAL;
-       return ((*shmcalls[uap->which])(p, &uap->a2, retval));
+       }
+       return (*shmcalls[uap->which])(p, &uap->a2, retval);
  }
  
  }
  
-void
-shmfork(p1, p2)
-       struct proc *p1, *p2;
+/*
+ * Return 0 on success, 1 on failure.
+ */
+int
+shmfork(struct proc *p1, struct proc *p2)
  {
         struct shmmap_state *shmmap_s;
         size_t size;
  {
         struct shmmap_state *shmmap_s;
         size_t size;
-       int i;
+       int nsegs = 0;
+       int ret = 0;
  
  
-       if (!shm_inited)
-               return;
-       size = shminfo.shmseg * sizeof(struct shmmap_state);
-       shmmap_s = (struct shmmap_state *)_MALLOC(size, M_SHM, M_WAITOK);
-       bcopy((caddr_t)p1->vm_shm, (caddr_t)shmmap_s, size);
+       SYSV_SHM_SUBSYS_LOCK();
+
+       if (shminit()) {
+               ret = 1;
+               goto shmfork_out;
+       }
+
+       struct shmmap_state *src = (struct shmmap_state *)p1->vm_shm;
+       assert(src);
+
+       /* count number of shmid entries in src */
+       for (struct shmmap_state *s = src; s->shmid != SHMID_SENTINEL; s++) {
+               nsegs++;
+       }
+
+       if (os_add_and_mul_overflow(nsegs, 1, sizeof(struct shmmap_state), &size)) {
+               ret = 1;
+               goto shmfork_out;
+       }
+       MALLOC(shmmap_s, struct shmmap_state *, size, M_SHM, M_WAITOK);
+       if (shmmap_s == NULL) {
+               ret = 1;
+               goto shmfork_out;
+       }
+
+       bcopy(src, (caddr_t)shmmap_s, size);
         p2->vm_shm = (caddr_t)shmmap_s;
         p2->vm_shm = (caddr_t)shmmap_s;
-       for (i = 0; i < shminfo.shmseg; i++, shmmap_s++)
-               if (shmmap_s->shmid != -1)
-                       shmsegs[IPCID_TO_IX(shmmap_s->shmid)].shm_nattch++;
+       for (; shmmap_s->shmid != SHMID_SENTINEL; shmmap_s++) {
+               if (SHMID_IS_VALID(shmmap_s->shmid)) {
+                       shmsegs[IPCID_TO_IX(shmmap_s->shmid)].u.shm_nattch++;
+               }
+       }
+
+shmfork_out:
+       SYSV_SHM_SUBSYS_UNLOCK();
+       return ret;
  }
  
  }
  
-void
-shmexit(p)
-       struct proc *p;
+static void
+shmcleanup(struct proc *p, int deallocate)
  {
         struct shmmap_state *shmmap_s;
  {
         struct shmmap_state *shmmap_s;
-       int i;
+
+       SYSV_SHM_SUBSYS_LOCK();
  
         shmmap_s = (struct shmmap_state *)p->vm_shm;
  
         shmmap_s = (struct shmmap_state *)p->vm_shm;
-       for (i = 0; i < shminfo.shmseg; i++, shmmap_s++)
-               if (shmmap_s->shmid != -1)
-                       shm_delete_mapping(p, shmmap_s);
-       FREE((caddr_t)p->vm_shm, M_SHM);
+       for (; shmmap_s->shmid != SHMID_SENTINEL; shmmap_s++) {
+               if (SHMID_IS_VALID(shmmap_s->shmid)) {
+                       /*
+                        * XXX: Should the MAC framework enforce
+                        * check here as well.
+                        */
+                       shm_delete_mapping(p, shmmap_s, deallocate);
+               }
+       }
+
+       FREE(p->vm_shm, M_SHM);
         p->vm_shm = NULL;
         p->vm_shm = NULL;
+       SYSV_SHM_SUBSYS_UNLOCK();
  }
  
  void
  }
  
  void
-shminit(dummy)
-       void *dummy;
+shmexit(struct proc *p)
+{
+       shmcleanup(p, 1);
+}
+
+/*
+ * shmexec() is like shmexit(), only it doesn't delete the mappings,
+ * since the old address space has already been destroyed and the new
+ * one instantiated.  Instead, it just does the housekeeping work we
+ * need to do to keep the System V shared memory subsystem sane.
+ */
+__private_extern__ void
+shmexec(struct proc *p)
+{
+       shmcleanup(p, 0);
+}
+
+int
+shminit(void)
  {
  {
+       size_t sz;
         int i;
         int i;
-       int s;
  
         if (!shm_inited) {
  
         if (!shm_inited) {
-               s = sizeof(struct shmid_ds) * shminfo.shmmni;
+               /*
+                * we store internally 64 bit, since if we didn't, we would
+                * be unable to represent a segment size in excess of 32 bits
+                * with the (struct shmid_ds)->shm_segsz field; also, POSIX
+                * dictates this filed be a size_t, which is 64 bits when
+                * running 64 bit binaries.
+                */
+               if (os_mul_overflow(shminfo.shmmni, sizeof(struct shmid_kernel), &sz)) {
+                       return ENOMEM;
+               }
  
  
-               MALLOC(shmsegs, struct shmid_ds *, s, 
-                       M_SHM, M_WAITOK);
+               MALLOC(shmsegs, struct shmid_kernel *, sz, M_SHM, M_WAITOK | M_ZERO);
+               if (shmsegs == NULL) {
+                       return ENOMEM;
+               }
                 for (i = 0; i < shminfo.shmmni; i++) {
                 for (i = 0; i < shminfo.shmmni; i++) {
-                       shmsegs[i].shm_perm.mode = SHMSEG_FREE;
-                       shmsegs[i].shm_perm.seq = 0;
+                       shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
+                       shmsegs[i].u.shm_perm._seq = 0;
+#if CONFIG_MACF
+                       mac_sysvshm_label_init(&shmsegs[i]);
+#endif
                 }
                 shm_last_free = 0;
                 shm_nused = 0;
                 shm_committed = 0;
                 shm_inited = 1;
         }
                 }
                 shm_last_free = 0;
                 shm_nused = 0;
                 shm_committed = 0;
                 shm_inited = 1;
         }
+
+       return 0;
+}
+
+/* Initialize the mutex governing access to the SysV shm subsystem */
+__private_extern__ void
+sysv_shm_lock_init( void )
+{
+       sysv_shm_subsys_lck_grp_attr = lck_grp_attr_alloc_init();
+
+       sysv_shm_subsys_lck_grp = lck_grp_alloc_init("sysv_shm_subsys_lock", sysv_shm_subsys_lck_grp_attr);
+
+       sysv_shm_subsys_lck_attr = lck_attr_alloc_init();
+       lck_mtx_init(&sysv_shm_subsys_mutex, sysv_shm_subsys_lck_grp, sysv_shm_subsys_lck_attr);
  }
  
  /* (struct sysctl_oid *oidp, void *arg1, int arg2, \
  }
  
  /* (struct sysctl_oid *oidp, void *arg1, int arg2, \
-        struct sysctl_req *req) */
+ *       struct sysctl_req *req) */
  static int
  static int
-sysctl_shminfo SYSCTL_HANDLER_ARGS
+sysctl_shminfo(__unused struct sysctl_oid *oidp, void *arg1,
+    __unused int arg2, struct sysctl_req *req)
  {
         int error = 0;
  {
         int error = 0;
+       int sysctl_shminfo_ret = 0;
+       int64_t saved_shmmax;
+       int64_t saved_shmmin;
+       int64_t saved_shmseg;
+       int64_t saved_shmmni;
+       int64_t saved_shmall;
+
+       error = SYSCTL_OUT(req, arg1, sizeof(int64_t));
+       if (error || req->newptr == USER_ADDR_NULL) {
+               return error;
+       }
  
  
-       error = SYSCTL_OUT(req, arg1, sizeof(int));
-       if (error || !req->newptr)
-               return(error);
+       SYSV_SHM_SUBSYS_LOCK();
  
  
-       /* Set the values only if shared memory is not initialised */
-       if (!shm_inited) {
-               if (error = SYSCTL_IN(req, arg1, sizeof(int)))
-                       return(error);
-               if (arg1 == &shminfo.shmmax) {
-                       if (shminfo.shmmax & PAGE_MASK) {
-                               shminfo.shmmax = -1;
-                               return(EINVAL);
+       /* shmmni can not be changed after SysV SHM has been initialized */
+       if (shm_inited && arg1 == &shminfo.shmmni) {
+               sysctl_shminfo_ret = EPERM;
+               goto sysctl_shminfo_out;
+       }
+       saved_shmmax = shminfo.shmmax;
+       saved_shmmin = shminfo.shmmin;
+       saved_shmseg = shminfo.shmseg;
+       saved_shmmni = shminfo.shmmni;
+       saved_shmall = shminfo.shmall;
+
+       if ((error = SYSCTL_IN(req, arg1, sizeof(int64_t))) != 0) {
+               sysctl_shminfo_ret = error;
+               goto sysctl_shminfo_out;
+       }
+
+       if (arg1 == &shminfo.shmmax) {
+               /* shmmax needs to be page-aligned */
+               if (shminfo.shmmax & PAGE_MASK_64 || shminfo.shmmax < 0) {
+                       shminfo.shmmax = saved_shmmax;
+                       sysctl_shminfo_ret = EINVAL;
+                       goto sysctl_shminfo_out;
+               }
+       } else if (arg1 == &shminfo.shmmin) {
+               if (shminfo.shmmin < 0) {
+                       shminfo.shmmin = saved_shmmin;
+                       sysctl_shminfo_ret = EINVAL;
+                       goto sysctl_shminfo_out;
+               }
+       } else if (arg1 == &shminfo.shmseg) {
+               /* add a sanity check - 20847256 */
+               if (shminfo.shmseg > INT32_MAX || shminfo.shmseg < 0) {
+                       shminfo.shmseg = saved_shmseg;
+                       sysctl_shminfo_ret = EINVAL;
+                       goto sysctl_shminfo_out;
+               }
+       } else if (arg1 == &shminfo.shmmni) {
+               /* add a sanity check - 20847256 */
+               if (shminfo.shmmni > INT32_MAX || shminfo.shmmni < 0) {
+                       shminfo.shmmni = saved_shmmni;
+                       sysctl_shminfo_ret = EINVAL;
+                       goto sysctl_shminfo_out;
+               }
+       } else if (arg1 == &shminfo.shmall) {
+               /* add a sanity check - 20847256 */
+               if (shminfo.shmall > INT32_MAX || shminfo.shmall < 0) {
+                       shminfo.shmall = saved_shmall;
+                       sysctl_shminfo_ret = EINVAL;
+                       goto sysctl_shminfo_out;
+               }
+       }
+       sysctl_shminfo_ret = 0;
+sysctl_shminfo_out:
+       SYSV_SHM_SUBSYS_UNLOCK();
+       return sysctl_shminfo_ret;
+}
+
+static int
+IPCS_shm_sysctl(__unused struct sysctl_oid *oidp, __unused void *arg1,
+    __unused int arg2, struct sysctl_req *req)
+{
+       int error;
+       int cursor;
+       union {
+               struct user32_IPCS_command u32;
+               struct user_IPCS_command u64;
+       } ipcs = { };
+       struct user32_shmid_ds shmid_ds32 = { }; /* post conversion, 32 bit version */
+       struct user_shmid_ds   shmid_ds = { };   /* 64 bit version */
+       void *shmid_dsp;
+       size_t ipcs_sz = sizeof(struct user_IPCS_command);
+       size_t shmid_ds_sz = sizeof(struct user_shmid_ds);
+       struct proc *p = current_proc();
+
+       SYSV_SHM_SUBSYS_LOCK();
+
+       if ((error = shminit())) {
+               goto ipcs_shm_sysctl_out;
+       }
+
+       if (!IS_64BIT_PROCESS(p)) {
+               ipcs_sz = sizeof(struct user32_IPCS_command);
+               shmid_ds_sz = sizeof(struct user32_shmid_ds);
+       }
+
+       /* Copy in the command structure */
+       if ((error = SYSCTL_IN(req, &ipcs, ipcs_sz)) != 0) {
+               goto ipcs_shm_sysctl_out;
+       }
+
+       if (!IS_64BIT_PROCESS(p)) {     /* convert in place */
+               ipcs.u64.ipcs_data = CAST_USER_ADDR_T(ipcs.u32.ipcs_data);
+       }
+
+       /* Let us version this interface... */
+       if (ipcs.u64.ipcs_magic != IPCS_MAGIC) {
+               error = EINVAL;
+               goto ipcs_shm_sysctl_out;
+       }
+
+       switch (ipcs.u64.ipcs_op) {
+       case IPCS_SHM_CONF:     /* Obtain global configuration data */
+               if (ipcs.u64.ipcs_datalen != sizeof(struct shminfo)) {
+                       if (ipcs.u64.ipcs_cursor != 0) { /* fwd. compat. */
+                               error = ENOMEM;
+                               break;
+                       }
+                       error = ERANGE;
+                       break;
+               }
+               error = copyout(&shminfo, ipcs.u64.ipcs_data, ipcs.u64.ipcs_datalen);
+               break;
+
+       case IPCS_SHM_ITER:     /* Iterate over existing segments */
+               cursor = ipcs.u64.ipcs_cursor;
+               if (cursor < 0 || cursor >= shminfo.shmmni) {
+                       error = ERANGE;
+                       break;
+               }
+               if (ipcs.u64.ipcs_datalen != (int)shmid_ds_sz) {
+                       error = EINVAL;
+                       break;
+               }
+               for (; cursor < shminfo.shmmni; cursor++) {
+                       if (shmsegs[cursor].u.shm_perm.mode & SHMSEG_ALLOCATED) {
+                               break;
                         }
                         }
+                       continue;
                 }
                 }
+               if (cursor == shminfo.shmmni) {
+                       error = ENOENT;
+                       break;
+               }
+
+               shmid_dsp = &shmsegs[cursor];   /* default: 64 bit */
+
+               /*
+                * If necessary, convert the 64 bit kernel segment
+                * descriptor to a 32 bit user one.
+                */
+               if (!IS_64BIT_PROCESS(p)) {
+                       shmid_ds_64to32(shmid_dsp, &shmid_ds32);
+
+                       /* Clear kernel reserved pointer before copying to user space */
+                       shmid_ds32.shm_internal = (user32_addr_t)0;
+
+                       shmid_dsp = &shmid_ds32;
+               } else {
+                       memcpy(&shmid_ds, shmid_dsp, sizeof(shmid_ds));
  
  
-               /* Initialize only when all values are set */
-               if ((shminfo.shmmax != -1) &&
-                       (shminfo.shmmin != -1) &&       
-                       (shminfo.shmmni != -1) &&
-                       (shminfo.shmseg != -1) &&
-                       (shminfo.shmall != -1)) {
-                               shminit();
+                       /* Clear kernel reserved pointer before copying to user space */
+                       shmid_ds.shm_internal = USER_ADDR_NULL;
+
+                       shmid_dsp = &shmid_ds;
+               }
+               error = copyout(shmid_dsp, ipcs.u64.ipcs_data, ipcs.u64.ipcs_datalen);
+               if (!error) {
+                       /* update cursor */
+                       ipcs.u64.ipcs_cursor = cursor + 1;
+
+                       if (!IS_64BIT_PROCESS(p)) { /* convert in place */
+                               ipcs.u32.ipcs_data = CAST_DOWN_EXPLICIT(user32_addr_t, ipcs.u64.ipcs_data);
+                       }
+
+                       error = SYSCTL_OUT(req, &ipcs, ipcs_sz);
                 }
                 }
+               break;
+
+       default:
+               error = EINVAL;
+               break;
         }
         }
-       return(0);
+ipcs_shm_sysctl_out:
+       SYSV_SHM_SUBSYS_UNLOCK();
+       return error;
  }
  
  }
  
-SYSCTL_NODE(_kern, KERN_SYSV, sysv, CTLFLAG_RW, 0, "SYSV");
+SYSCTL_NODE(_kern, KERN_SYSV, sysv, CTLFLAG_RW | CTLFLAG_LOCKED | CTLFLAG_ANYBODY, 0, "SYSV");
+
+SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmax, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
+    &shminfo.shmmax, 0, &sysctl_shminfo, "Q", "shmmax");
  
  
-SYSCTL_PROC(_kern_sysv, KSYSV_SHMMAX, shmmax, CTLTYPE_INT | CTLFLAG_RW,
-    &shminfo.shmmax, 0, &sysctl_shminfo ,"I","shmmax");
+SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmin, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
+    &shminfo.shmmin, 0, &sysctl_shminfo, "Q", "shmmin");
  
  
-SYSCTL_PROC(_kern_sysv, KSYSV_SHMMIN, shmmin, CTLTYPE_INT | CTLFLAG_RW,
-    &shminfo.shmmin, 0, &sysctl_shminfo ,"I","shmmin");
+SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmni, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
+    &shminfo.shmmni, 0, &sysctl_shminfo, "Q", "shmmni");
  
  
-SYSCTL_PROC(_kern_sysv, KSYSV_SHMMNI, shmmni, CTLTYPE_INT | CTLFLAG_RW,
-    &shminfo.shmmni, 0, &sysctl_shminfo ,"I","shmmni");
+SYSCTL_PROC(_kern_sysv, OID_AUTO, shmseg, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
+    &shminfo.shmseg, 0, &sysctl_shminfo, "Q", "shmseg");
  
  
-SYSCTL_PROC(_kern_sysv, KSYSV_SHMSEG, shmseg, CTLTYPE_INT | CTLFLAG_RW,
-    &shminfo.shmseg, 0, &sysctl_shminfo ,"I","shmseg");
+SYSCTL_PROC(_kern_sysv, OID_AUTO, shmall, CTLTYPE_QUAD | CTLFLAG_RW | CTLFLAG_LOCKED,
+    &shminfo.shmall, 0, &sysctl_shminfo, "Q", "shmall");
  
  
-SYSCTL_PROC(_kern_sysv, KSYSV_SHMALL, shmall, CTLTYPE_INT | CTLFLAG_RW,
-    &shminfo.shmall, 0, &sysctl_shminfo ,"I","shmall");
+SYSCTL_NODE(_kern_sysv, OID_AUTO, ipcs, CTLFLAG_RW | CTLFLAG_LOCKED | CTLFLAG_ANYBODY, 0, "SYSVIPCS");
  
  
+SYSCTL_PROC(_kern_sysv_ipcs, OID_AUTO, shm, CTLFLAG_RW | CTLFLAG_ANYBODY | CTLFLAG_LOCKED,
+    0, 0, IPCS_shm_sysctl,
+    "S,IPCS_shm_command",
+    "ipcs shm command interface");
+#endif /* SYSV_SHM */
  
  
+/* DSEP Review Done pl-20051108-v02 @2743,@2908,@2913,@3009 */