X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/3903760236c30e3b5ace7a4eefac3a269d68957c..d9a64523371fa019c4575bb400cbbc3a50ac9903:/osfmk/ipc/mach_msg.c

diff --git a/osfmk/ipc/mach_msg.c b/osfmk/ipc/mach_msg.c
index 6a5241f71..d17cb24c3 100644
--- a/osfmk/ipc/mach_msg.c
+++ b/osfmk/ipc/mach_msg.c
@@ -91,9 +91,11 @@
 #include <kern/kalloc.h>
 #include <kern/processor.h>
 #include <kern/syscall_subr.h>
+#include <kern/policy_internal.h>
 
 #include <vm/vm_map.h>
 
+#include <ipc/port.h>
 #include <ipc/ipc_types.h>
 #include <ipc/ipc_kmsg.h>
 #include <ipc/ipc_mqueue.h>
@@ -145,6 +147,14 @@ mach_msg_return_t msg_receive_error(
 	ipc_space_t		space,
 	mach_msg_size_t		*out_size);
 
+static mach_msg_return_t
+mach_msg_rcv_link_special_reply_port(
+	ipc_port_t special_reply_port,
+	mach_port_name_t dest_name_port);
+
+void
+mach_msg_receive_results_complete(ipc_object_t object);
+
 security_token_t KERNEL_SECURITY_TOKEN = KERNEL_SECURITY_TOKEN_VALUE;
 audit_token_t KERNEL_AUDIT_TOKEN = KERNEL_AUDIT_TOKEN_VALUE;
 
@@ -196,7 +206,11 @@ mach_msg_send(
 	mach_msg_size_t	msg_and_trailer_size;
 	mach_msg_max_trailer_t	*trailer;
 
-	if ((send_size < sizeof(mach_msg_header_t)) || (send_size & 3))
+	option |= MACH_SEND_KERNEL;
+
+	if ((send_size & 3) ||
+	    send_size < sizeof(mach_msg_header_t) ||
+	    (send_size < sizeof(mach_msg_base_t) && (msg->msgh_bits & MACH_MSGH_BITS_COMPLEX)))
 		return MACH_SEND_MSG_TOO_SMALL;
 
 	if (send_size > MACH_MSG_SIZE_MAX - MAX_TRAILER_SIZE)
@@ -309,6 +323,11 @@ mach_msg_receive_results(
 	mach_msg_trailer_size_t trailer_size;
 	mach_msg_size_t   size = 0;
 
+	/*
+	 * unlink the special_reply_port before releasing reference to object.
+	 * get the thread's turnstile, if the thread donated it's turnstile to the port
+	 */
+	mach_msg_receive_results_complete(object);
 	io_release(object);
 
 	if (mr != MACH_MSG_SUCCESS) {
@@ -402,33 +421,6 @@ mach_msg_receive_results(
 		*sizep = size;
 	return mr;
 }
-#ifndef _PTHREAD_PRIORITY_EVENT_MANAGER_FLAG
-#define _PTHREAD_PRIORITY_EVENT_MANAGER_FLAG 0x02000000 /* pthread event manager bit */
-#endif
-#ifndef _PTHREAD_PRIORITY_OVERCOMMIT_FLAG
-#define _PTHREAD_PRIORITY_OVERCOMMIT_FLAG    0x80000000 /* request overcommit threads */
-#endif
-#ifndef _PTHREAD_PRIORITY_QOS_CLASS_MASK
-#define _PTHREAD_PRIORITY_QOS_CLASS_MASK    0x003fff00  /* QoS class mask */
-#endif
-
-/* JMM - this needs to invoke a pthread function to compute this */
-mach_msg_priority_t
-mach_msg_priority_combine(mach_msg_priority_t msg_qos,
-                          mach_msg_priority_t recv_qos)
-{
-    mach_msg_priority_t overcommit;
-	mach_msg_priority_t no_oc_qos;
-	mach_msg_priority_t res;
-
-	assert(msg_qos < _PTHREAD_PRIORITY_EVENT_MANAGER_FLAG);
-	overcommit = recv_qos & _PTHREAD_PRIORITY_OVERCOMMIT_FLAG;
-	no_oc_qos =  recv_qos & ~overcommit; 
-	res = (no_oc_qos > msg_qos) ? no_oc_qos : msg_qos;
-	res |= overcommit;
-
-	return res;
-}
 
 /*
  *	Routine:	mach_msg_receive [Kernel Internal]
@@ -438,7 +430,7 @@ mach_msg_priority_combine(mach_msg_priority_t msg_qos,
  *		Unlike being dispatched to by ipc_kobject_server() or the
  *		reply part of mach_msg_rpc_from_kernel(), this routine
  *		looks up the receive port name in the kernel's port
- * 		namespace and copies out received port rights to that namespace
+ *		namespace and copies out received port rights to that namespace
  *		as well.  Out-of-line memory is copied out the kernel's
  *		address space (rather than just providing the vm_map_copy_t).
  *	Conditions:
@@ -475,6 +467,7 @@ mach_msg_receive(
 	self->ith_msize = 0;
 	self->ith_option = option;
 	self->ith_continuation = continuation;
+	self->ith_knote = ITH_KNOTE_NULL;
 
 	ipc_mqueue_receive(mqueue, option, rcv_size, rcv_timeout, THREAD_ABORTSAFE);
 	if ((option & MACH_RCV_TIMEOUT) && rcv_timeout == 0)
@@ -572,10 +565,23 @@ mach_msg_overwrite_trap(
 
 		mr = ipc_mqueue_copyin(space, rcv_name, &mqueue, &object);
 		if (mr != MACH_MSG_SUCCESS) {
+			mach_port_guard_exception(rcv_name, 0, 0, kGUARD_EXC_RCV_INVALID_NAME);
 			return mr;
 		}
 		/* hold ref for object */
 
+		if ((option & MACH_RCV_SYNC_WAIT) && !(option & MACH_SEND_SYNC_OVERRIDE)) {
+			ipc_port_t special_reply_port;
+			__IGNORE_WCASTALIGN(special_reply_port = (ipc_port_t) object);
+			/* link the special reply port to the destination */
+			mr = mach_msg_rcv_link_special_reply_port(special_reply_port,
+					(mach_port_name_t)override);
+			if (mr != MACH_MSG_SUCCESS) {
+				io_release(object);
+				return mr;
+			}
+		}
+
 		if (rcv_msg_addr != (mach_vm_address_t)0)
 			self->ith_msg_addr = rcv_msg_addr;
 		else
@@ -586,6 +592,7 @@ mach_msg_overwrite_trap(
 		self->ith_option = option;
 		self->ith_receiver_name = MACH_PORT_NULL;
 		self->ith_continuation = thread_syscall_return;
+		self->ith_knote = ITH_KNOTE_NULL;
 
 		ipc_mqueue_receive(mqueue, option, rcv_size, msg_timeout, THREAD_ABORTSAFE);
 		if ((option & MACH_RCV_TIMEOUT) && msg_timeout == 0)
@@ -596,6 +603,95 @@ mach_msg_overwrite_trap(
 	return MACH_MSG_SUCCESS;
 }
 
+/*
+ *	Routine:	mach_msg_rcv_link_special_reply_port
+ *	Purpose:
+ *		Link the special reply port(rcv right) to the
+ *		other end of the sync ipc channel.
+ *	Conditions:
+ *		Nothing locked.
+ *	Returns:
+ *		None.
+ */
+static mach_msg_return_t
+mach_msg_rcv_link_special_reply_port(
+	ipc_port_t special_reply_port,
+	mach_port_name_t dest_name_port)
+{
+	ipc_port_t dest_port = IP_NULL;
+	kern_return_t kr;
+
+	if (current_thread()->ith_special_reply_port != special_reply_port) {
+		return MACH_RCV_INVALID_NOTIFY;
+	}
+
+	/* Copyin the destination port */
+	if (!MACH_PORT_VALID(dest_name_port)) {
+		return MACH_RCV_INVALID_NOTIFY;
+	}
+
+	kr = ipc_object_copyin(current_space(),
+			       dest_name_port, MACH_MSG_TYPE_COPY_SEND,
+			       (ipc_object_t *) &dest_port);
+
+	/*
+	 * The receive right of dest port might have gone away,
+	 * do not fail the receive in that case.
+	 */
+	if (kr == KERN_SUCCESS && IP_VALID(dest_port)) {
+		ipc_port_link_special_reply_port(special_reply_port,
+			dest_port);
+
+		/* release the send right */
+		ipc_port_release_send(dest_port);
+	}
+	return MACH_MSG_SUCCESS;
+}
+
+/*
+ *	Routine:	mach_msg_receive_results_complete
+ *	Purpose:
+ *		Get thread's turnstile back from the object and
+ *              if object is a special reply port then reset its
+ *		linkage.
+ *	Condition:
+ *		Nothing locked.
+ *	Returns:
+ *		None.
+ */
+void
+mach_msg_receive_results_complete(ipc_object_t object)
+{
+	thread_t self = current_thread();
+	ipc_port_t port = IPC_PORT_NULL;
+	boolean_t get_turnstile = self->turnstile ? FALSE : TRUE;
+
+	if (io_otype(object) == IOT_PORT) {
+		__IGNORE_WCASTALIGN(port = (ipc_port_t) object);
+	} else {
+		assert(self->turnstile != TURNSTILE_NULL);
+		return;
+	}
+
+	uint8_t flags = IPC_PORT_ADJUST_SR_ALLOW_SYNC_LINKAGE;
+
+	/*
+	 * Don't clear the ip_srp_msg_sent bit if...
+	 */
+	if (!((self->ith_state == MACH_RCV_TOO_LARGE && self->ith_option & MACH_RCV_LARGE) || //msg was too large and the next receive will get it
+		self->ith_state == MACH_RCV_INTERRUPTED ||
+		self->ith_state == MACH_RCV_TIMED_OUT ||
+		self->ith_state == MACH_RCV_PORT_CHANGED ||
+		self->ith_state == MACH_PEEK_READY)) {
+
+		flags |= IPC_PORT_ADJUST_SR_RECEIVED_MSG;
+	}
+
+	ipc_port_adjust_special_reply_port(port,
+		flags, get_turnstile);
+	/* thread now has a turnstile */
+}
+
 /*
  *	Routine:	mach_msg_trap [mach trap]
  *	Purpose: