2 * Implementation of SVID messages
4 * Author: Daniel Boulet
6 * Copyright 1993 Daniel Boulet and RTMX Inc.
8 * This system call was implemented by Daniel Boulet under contract from RTMX.
10 * Redistribution and use in source forms, with and without modification,
11 * are permitted provided that this entire comment appears intact.
13 * Redistribution in binary form may occur without any restrictions.
14 * Obviously, it would be nice if you gave credit where credit is due
15 * but requiring it would be too onerous.
17 * This software is provided ``AS IS'' without any warranties of any kind.
20 * Copyright (c) 2003-2005 McAfee, Inc.
21 * All rights reserved.
23 * This software was developed for the FreeBSD Project in part by McAfee
24 * Research, the Security Research Division of McAfee, Inc under DARPA/SPAWAR
25 * contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research
28 * Redistribution and use in source and binary forms, with or without
29 * modification, are permitted provided that the following conditions
31 * 1. Redistributions of source code must retain the above copyright
32 * notice, this list of conditions and the following disclaimer.
33 * 2. Redistributions in binary form must reproduce the above copyright
34 * notice, this list of conditions and the following disclaimer in the
35 * documentation and/or other materials provided with the distribution.
37 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
38 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
39 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
40 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
41 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
42 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
43 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
45 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
46 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 #include <sys/cdefs.h>
51 __FBSDID("$FreeBSD$");
53 #include "opt_compat.h"
54 #include "opt_sysvipc.h"
56 #include <sys/param.h>
57 #include <sys/systm.h>
58 #include <sys/sysproto.h>
59 #include <sys/kernel.h>
63 #include <sys/mutex.h>
64 #include <sys/module.h>
66 #include <sys/syscall.h>
67 #include <sys/syscallsubr.h>
68 #include <sys/sysent.h>
69 #include <sys/sysctl.h>
70 #include <sys/malloc.h>
73 #include <security/mac/mac_framework.h>
75 static MALLOC_DEFINE(M_MSG, "msg", "SVID compatible message queues");
77 static int msginit(void);
78 static int msgunload(void);
79 static int sysvmsg_modload(struct module *, int, void *);
82 #define DPRINTF(a) printf a
84 #define DPRINTF(a) (void)0
87 static void msg_freehdr(struct msg *msghdr);
90 #define MSGSSZ 8 /* Each segment must be 2^N long */
93 #define MSGSEG 2048 /* must be less than 32767 */
95 #define MSGMAX (MSGSSZ*MSGSEG)
97 #define MSGMNB 2048 /* max # of bytes in a queue */
107 * Based on the configuration parameters described in an SVR2 (yes, two)
108 * config(1m) man page.
110 * Each message is broken up and stored in segments that are msgssz bytes
111 * long. For efficiency reasons, this should be a power of two. Also,
112 * it doesn't make sense if it is less than 8 or greater than about 256.
113 * Consequently, msginit in kern/sysv_msg.c checks that msgssz is a power of
114 * two between 8 and 1024 inclusive (and panic's if it isn't).
116 struct msginfo msginfo = {
117 MSGMAX, /* max chars in a message */
118 MSGMNI, /* # of message queue identifiers */
119 MSGMNB, /* max chars in a queue */
120 MSGTQL, /* max messages in system */
121 MSGSSZ, /* size of a message segment */
122 /* (must be small power of 2 greater than 4) */
123 MSGSEG /* number of message segments */
127 * macros to convert between msqid_ds's and msqid's.
128 * (specific to this implementation)
130 #define MSQID(ix,ds) ((ix) & 0xffff | (((ds).msg_perm.seq << 16) & 0xffff0000))
131 #define MSQID_IX(id) ((id) & 0xffff)
132 #define MSQID_SEQ(id) (((id) >> 16) & 0xffff)
135 * The rest of this file is specific to this particular implementation.
139 short next; /* next segment in buffer */
140 /* -1 -> available */
141 /* 0..(MSGSEG-1) -> index of next segment */
144 #define MSG_LOCKED 01000 /* Is this msqid_ds locked? */
146 static int nfree_msgmaps; /* # of free map entries */
147 static short free_msgmaps; /* head of linked list of free map entries */
148 static struct msg *free_msghdrs;/* list of free msg headers */
149 static char *msgpool; /* MSGMAX byte long msg buffer pool */
150 static struct msgmap *msgmaps; /* MSGSEG msgmap structures */
151 static struct msg *msghdrs; /* MSGTQL msg headers */
152 static struct msqid_kernel *msqids; /* MSGMNI msqid_kernel struct's */
153 static struct mtx msq_mtx; /* global mutex for message queues. */
155 static struct syscall_helper_data msg_syscalls[] = {
156 SYSCALL_INIT_HELPER(msgctl),
157 SYSCALL_INIT_HELPER(msgget),
158 SYSCALL_INIT_HELPER(msgsnd),
159 SYSCALL_INIT_HELPER(msgrcv),
160 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
161 defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
162 SYSCALL_INIT_HELPER(msgsys),
163 SYSCALL_INIT_HELPER(freebsd7_msgctl),
168 #ifdef COMPAT_FREEBSD32
169 #include <compat/freebsd32/freebsd32.h>
170 #include <compat/freebsd32/freebsd32_ipc.h>
171 #include <compat/freebsd32/freebsd32_proto.h>
172 #include <compat/freebsd32/freebsd32_signal.h>
173 #include <compat/freebsd32/freebsd32_syscall.h>
174 #include <compat/freebsd32/freebsd32_util.h>
176 static struct syscall_helper_data msg32_syscalls[] = {
177 SYSCALL32_INIT_HELPER(freebsd32_msgctl),
178 SYSCALL32_INIT_HELPER(freebsd32_msgsnd),
179 SYSCALL32_INIT_HELPER(freebsd32_msgrcv),
180 SYSCALL32_INIT_HELPER(msgget),
181 SYSCALL32_INIT_HELPER(freebsd32_msgsys),
182 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
183 defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
184 SYSCALL32_INIT_HELPER(freebsd7_freebsd32_msgctl),
195 TUNABLE_INT_FETCH("kern.ipc.msgseg", &msginfo.msgseg);
196 TUNABLE_INT_FETCH("kern.ipc.msgssz", &msginfo.msgssz);
197 msginfo.msgmax = msginfo.msgseg * msginfo.msgssz;
198 TUNABLE_INT_FETCH("kern.ipc.msgmni", &msginfo.msgmni);
199 TUNABLE_INT_FETCH("kern.ipc.msgmnb", &msginfo.msgmnb);
200 TUNABLE_INT_FETCH("kern.ipc.msgtql", &msginfo.msgtql);
202 msgpool = malloc(msginfo.msgmax, M_MSG, M_WAITOK);
204 panic("msgpool is NULL");
205 msgmaps = malloc(sizeof(struct msgmap) * msginfo.msgseg, M_MSG, M_WAITOK);
207 panic("msgmaps is NULL");
208 msghdrs = malloc(sizeof(struct msg) * msginfo.msgtql, M_MSG, M_WAITOK);
210 panic("msghdrs is NULL");
211 msqids = malloc(sizeof(struct msqid_kernel) * msginfo.msgmni, M_MSG,
214 panic("msqids is NULL");
217 * msginfo.msgssz should be a power of two for efficiency reasons.
218 * It is also pretty silly if msginfo.msgssz is less than 8
219 * or greater than about 256 so ...
223 while (i < 1024 && i != msginfo.msgssz)
225 if (i != msginfo.msgssz) {
226 DPRINTF(("msginfo.msgssz=%d (0x%x)\n", msginfo.msgssz,
228 panic("msginfo.msgssz not a small power of 2");
231 if (msginfo.msgseg > 32767) {
232 DPRINTF(("msginfo.msgseg=%d\n", msginfo.msgseg));
233 panic("msginfo.msgseg > 32767");
237 panic("msgmaps is NULL");
239 for (i = 0; i < msginfo.msgseg; i++) {
241 msgmaps[i-1].next = i;
242 msgmaps[i].next = -1; /* implies entry is available */
245 nfree_msgmaps = msginfo.msgseg;
248 panic("msghdrs is NULL");
250 for (i = 0; i < msginfo.msgtql; i++) {
251 msghdrs[i].msg_type = 0;
253 msghdrs[i-1].msg_next = &msghdrs[i];
254 msghdrs[i].msg_next = NULL;
256 mac_sysvmsg_init(&msghdrs[i]);
259 free_msghdrs = &msghdrs[0];
262 panic("msqids is NULL");
264 for (i = 0; i < msginfo.msgmni; i++) {
265 msqids[i].u.msg_qbytes = 0; /* implies entry is available */
266 msqids[i].u.msg_perm.seq = 0; /* reset to a known value */
267 msqids[i].u.msg_perm.mode = 0;
269 mac_sysvmsq_init(&msqids[i]);
272 mtx_init(&msq_mtx, "msq", NULL, MTX_DEF);
274 error = syscall_helper_register(msg_syscalls);
277 #ifdef COMPAT_FREEBSD32
278 error = syscall32_helper_register(msg32_syscalls);
288 struct msqid_kernel *msqkptr;
294 syscall_helper_unregister(msg_syscalls);
295 #ifdef COMPAT_FREEBSD32
296 syscall32_helper_unregister(msg32_syscalls);
299 for (msqid = 0; msqid < msginfo.msgmni; msqid++) {
301 * Look for an unallocated and unlocked msqid_ds.
302 * msqid_ds's can be locked by msgsnd or msgrcv while
303 * they are copying the message in/out. We can't
304 * re-use the entry until they release it.
306 msqkptr = &msqids[msqid];
307 if (msqkptr->u.msg_qbytes != 0 ||
308 (msqkptr->u.msg_perm.mode & MSG_LOCKED) != 0)
311 if (msqid != msginfo.msgmni)
315 for (i = 0; i < msginfo.msgtql; i++)
316 mac_sysvmsg_destroy(&msghdrs[i]);
317 for (msqid = 0; msqid < msginfo.msgmni; msqid++)
318 mac_sysvmsq_destroy(&msqids[msqid]);
320 free(msgpool, M_MSG);
321 free(msgmaps, M_MSG);
322 free(msghdrs, M_MSG);
324 mtx_destroy(&msq_mtx);
330 sysvmsg_modload(struct module *module, int cmd, void *arg)
352 static moduledata_t sysvmsg_mod = {
358 DECLARE_MODULE(sysvmsg, sysvmsg_mod, SI_SUB_SYSV_MSG, SI_ORDER_FIRST);
359 MODULE_VERSION(sysvmsg, 1);
365 while (msghdr->msg_ts > 0) {
367 if (msghdr->msg_spot < 0 || msghdr->msg_spot >= msginfo.msgseg)
368 panic("msghdr->msg_spot out of range");
369 next = msgmaps[msghdr->msg_spot].next;
370 msgmaps[msghdr->msg_spot].next = free_msgmaps;
371 free_msgmaps = msghdr->msg_spot;
373 msghdr->msg_spot = next;
374 if (msghdr->msg_ts >= msginfo.msgssz)
375 msghdr->msg_ts -= msginfo.msgssz;
379 if (msghdr->msg_spot != -1)
380 panic("msghdr->msg_spot != -1");
381 msghdr->msg_next = free_msghdrs;
382 free_msghdrs = msghdr;
384 mac_sysvmsg_cleanup(msghdr);
388 #ifndef _SYS_SYSPROTO_H_
392 struct msqid_ds *buf;
398 register struct msgctl_args *uap;
400 int msqid = uap->msqid;
402 struct msqid_ds msqbuf;
405 DPRINTF(("call to msgctl(%d, %d, %p)\n", msqid, cmd, uap->buf));
406 if (cmd == IPC_SET &&
407 (error = copyin(uap->buf, &msqbuf, sizeof(msqbuf))) != 0)
409 error = kern_msgctl(td, msqid, cmd, &msqbuf);
410 if (cmd == IPC_STAT && error == 0)
411 error = copyout(&msqbuf, uap->buf, sizeof(struct msqid_ds));
416 kern_msgctl(td, msqid, cmd, msqbuf)
420 struct msqid_ds *msqbuf;
422 int rval, error, msqix;
423 register struct msqid_kernel *msqkptr;
425 if (!prison_allow(td->td_ucred, PR_ALLOW_SYSVIPC))
428 msqix = IPCID_TO_IX(msqid);
430 if (msqix < 0 || msqix >= msginfo.msgmni) {
431 DPRINTF(("msqid (%d) out of range (0<=msqid<%d)\n", msqix,
436 msqkptr = &msqids[msqix];
439 if (msqkptr->u.msg_qbytes == 0) {
440 DPRINTF(("no such msqid\n"));
444 if (msqkptr->u.msg_perm.seq != IPCID_TO_SEQ(msqid)) {
445 DPRINTF(("wrong sequence number\n"));
450 error = mac_sysvmsq_check_msqctl(td->td_ucred, msqkptr, cmd);
463 if ((error = ipcperm(td, &msqkptr->u.msg_perm, IPC_M)))
468 * Check that the thread has MAC access permissions to
469 * individual msghdrs. Note: We need to do this in a
470 * separate loop because the actual loop alters the
471 * msq/msghdr info as it progresses, and there is no going
472 * back if half the way through we discover that the
473 * thread cannot free a certain msghdr. The msq will get
474 * into an inconsistent state.
476 for (msghdr = msqkptr->u.msg_first; msghdr != NULL;
477 msghdr = msghdr->msg_next) {
478 error = mac_sysvmsq_check_msgrmid(td->td_ucred, msghdr);
484 /* Free the message headers */
485 msghdr = msqkptr->u.msg_first;
486 while (msghdr != NULL) {
487 struct msg *msghdr_tmp;
489 /* Free the segments of each message */
490 msqkptr->u.msg_cbytes -= msghdr->msg_ts;
491 msqkptr->u.msg_qnum--;
493 msghdr = msghdr->msg_next;
494 msg_freehdr(msghdr_tmp);
497 if (msqkptr->u.msg_cbytes != 0)
498 panic("msg_cbytes is screwed up");
499 if (msqkptr->u.msg_qnum != 0)
500 panic("msg_qnum is screwed up");
502 msqkptr->u.msg_qbytes = 0; /* Mark it as free */
505 mac_sysvmsq_cleanup(msqkptr);
514 if ((error = ipcperm(td, &msqkptr->u.msg_perm, IPC_M)))
516 if (msqbuf->msg_qbytes > msqkptr->u.msg_qbytes) {
517 error = priv_check(td, PRIV_IPC_MSGSIZE);
521 if (msqbuf->msg_qbytes > msginfo.msgmnb) {
522 DPRINTF(("can't increase msg_qbytes beyond %d"
523 "(truncating)\n", msginfo.msgmnb));
524 msqbuf->msg_qbytes = msginfo.msgmnb; /* silently restrict qbytes to system limit */
526 if (msqbuf->msg_qbytes == 0) {
527 DPRINTF(("can't reduce msg_qbytes to 0\n"));
528 error = EINVAL; /* non-standard errno! */
531 msqkptr->u.msg_perm.uid = msqbuf->msg_perm.uid; /* change the owner */
532 msqkptr->u.msg_perm.gid = msqbuf->msg_perm.gid; /* change the owner */
533 msqkptr->u.msg_perm.mode = (msqkptr->u.msg_perm.mode & ~0777) |
534 (msqbuf->msg_perm.mode & 0777);
535 msqkptr->u.msg_qbytes = msqbuf->msg_qbytes;
536 msqkptr->u.msg_ctime = time_second;
540 if ((error = ipcperm(td, &msqkptr->u.msg_perm, IPC_R))) {
541 DPRINTF(("requester doesn't have read access\n"));
544 *msqbuf = msqkptr->u;
548 DPRINTF(("invalid command %d\n", cmd));
554 td->td_retval[0] = rval;
556 mtx_unlock(&msq_mtx);
560 #ifndef _SYS_SYSPROTO_H_
569 register struct msgget_args *uap;
571 int msqid, error = 0;
573 int msgflg = uap->msgflg;
574 struct ucred *cred = td->td_ucred;
575 register struct msqid_kernel *msqkptr = NULL;
577 DPRINTF(("msgget(0x%x, 0%o)\n", key, msgflg));
579 if (!prison_allow(td->td_ucred, PR_ALLOW_SYSVIPC))
583 if (key != IPC_PRIVATE) {
584 for (msqid = 0; msqid < msginfo.msgmni; msqid++) {
585 msqkptr = &msqids[msqid];
586 if (msqkptr->u.msg_qbytes != 0 &&
587 msqkptr->u.msg_perm.key == key)
590 if (msqid < msginfo.msgmni) {
591 DPRINTF(("found public key\n"));
592 if ((msgflg & IPC_CREAT) && (msgflg & IPC_EXCL)) {
593 DPRINTF(("not exclusive\n"));
597 if ((error = ipcperm(td, &msqkptr->u.msg_perm,
599 DPRINTF(("requester doesn't have 0%o access\n",
604 error = mac_sysvmsq_check_msqget(cred, msqkptr);
612 DPRINTF(("need to allocate the msqid_ds\n"));
613 if (key == IPC_PRIVATE || (msgflg & IPC_CREAT)) {
614 for (msqid = 0; msqid < msginfo.msgmni; msqid++) {
616 * Look for an unallocated and unlocked msqid_ds.
617 * msqid_ds's can be locked by msgsnd or msgrcv while
618 * they are copying the message in/out. We can't
619 * re-use the entry until they release it.
621 msqkptr = &msqids[msqid];
622 if (msqkptr->u.msg_qbytes == 0 &&
623 (msqkptr->u.msg_perm.mode & MSG_LOCKED) == 0)
626 if (msqid == msginfo.msgmni) {
627 DPRINTF(("no more msqid_ds's available\n"));
631 DPRINTF(("msqid %d is available\n", msqid));
632 msqkptr->u.msg_perm.key = key;
633 msqkptr->u.msg_perm.cuid = cred->cr_uid;
634 msqkptr->u.msg_perm.uid = cred->cr_uid;
635 msqkptr->u.msg_perm.cgid = cred->cr_gid;
636 msqkptr->u.msg_perm.gid = cred->cr_gid;
637 msqkptr->u.msg_perm.mode = (msgflg & 0777);
638 /* Make sure that the returned msqid is unique */
639 msqkptr->u.msg_perm.seq = (msqkptr->u.msg_perm.seq + 1) & 0x7fff;
640 msqkptr->u.msg_first = NULL;
641 msqkptr->u.msg_last = NULL;
642 msqkptr->u.msg_cbytes = 0;
643 msqkptr->u.msg_qnum = 0;
644 msqkptr->u.msg_qbytes = msginfo.msgmnb;
645 msqkptr->u.msg_lspid = 0;
646 msqkptr->u.msg_lrpid = 0;
647 msqkptr->u.msg_stime = 0;
648 msqkptr->u.msg_rtime = 0;
649 msqkptr->u.msg_ctime = time_second;
651 mac_sysvmsq_create(cred, msqkptr);
654 DPRINTF(("didn't find it and wasn't asked to create it\n"));
660 /* Construct the unique msqid */
661 td->td_retval[0] = IXSEQ_TO_IPCID(msqid, msqkptr->u.msg_perm);
663 mtx_unlock(&msq_mtx);
667 #ifndef _SYS_SYSPROTO_H_
676 kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
679 const void *msgp; /* XXX msgp is actually mtext. */
684 int msqix, segs_needed, error = 0;
685 register struct msqid_kernel *msqkptr;
686 register struct msg *msghdr;
689 if (!prison_allow(td->td_ucred, PR_ALLOW_SYSVIPC))
693 msqix = IPCID_TO_IX(msqid);
695 if (msqix < 0 || msqix >= msginfo.msgmni) {
696 DPRINTF(("msqid (%d) out of range (0<=msqid<%d)\n", msqix,
702 msqkptr = &msqids[msqix];
703 if (msqkptr->u.msg_qbytes == 0) {
704 DPRINTF(("no such message queue id\n"));
708 if (msqkptr->u.msg_perm.seq != IPCID_TO_SEQ(msqid)) {
709 DPRINTF(("wrong sequence number\n"));
714 if ((error = ipcperm(td, &msqkptr->u.msg_perm, IPC_W))) {
715 DPRINTF(("requester doesn't have write access\n"));
720 error = mac_sysvmsq_check_msqsnd(td->td_ucred, msqkptr);
725 segs_needed = (msgsz + msginfo.msgssz - 1) / msginfo.msgssz;
726 DPRINTF(("msgsz=%zu, msgssz=%d, segs_needed=%d\n", msgsz,
727 msginfo.msgssz, segs_needed));
729 int need_more_resources = 0;
733 * (inside this loop in case msg_qbytes changes while we sleep)
736 if (msgsz > msqkptr->u.msg_qbytes) {
737 DPRINTF(("msgsz > msqkptr->u.msg_qbytes\n"));
742 if (msqkptr->u.msg_perm.mode & MSG_LOCKED) {
743 DPRINTF(("msqid is locked\n"));
744 need_more_resources = 1;
746 if (msgsz + msqkptr->u.msg_cbytes > msqkptr->u.msg_qbytes) {
747 DPRINTF(("msgsz + msg_cbytes > msg_qbytes\n"));
748 need_more_resources = 1;
750 if (segs_needed > nfree_msgmaps) {
751 DPRINTF(("segs_needed > nfree_msgmaps\n"));
752 need_more_resources = 1;
754 if (free_msghdrs == NULL) {
755 DPRINTF(("no more msghdrs\n"));
756 need_more_resources = 1;
759 if (need_more_resources) {
762 if ((msgflg & IPC_NOWAIT) != 0) {
763 DPRINTF(("need more resources but caller "
764 "doesn't want to wait\n"));
769 if ((msqkptr->u.msg_perm.mode & MSG_LOCKED) != 0) {
770 DPRINTF(("we don't own the msqid_ds\n"));
773 /* Force later arrivals to wait for our
775 DPRINTF(("we own the msqid_ds\n"));
776 msqkptr->u.msg_perm.mode |= MSG_LOCKED;
779 DPRINTF(("msgsnd: goodnight\n"));
780 error = msleep(msqkptr, &msq_mtx, (PZERO - 4) | PCATCH,
782 DPRINTF(("msgsnd: good morning, error=%d\n", error));
784 msqkptr->u.msg_perm.mode &= ~MSG_LOCKED;
785 if (error == EWOULDBLOCK) {
786 DPRINTF(("msgsnd: timed out\n"));
790 DPRINTF(("msgsnd: interrupted system call\n"));
796 * Make sure that the msq queue still exists
799 if (msqkptr->u.msg_qbytes == 0) {
800 DPRINTF(("msqid deleted\n"));
806 DPRINTF(("got all the resources that we need\n"));
812 * We have the resources that we need.
816 if (msqkptr->u.msg_perm.mode & MSG_LOCKED)
817 panic("msg_perm.mode & MSG_LOCKED");
818 if (segs_needed > nfree_msgmaps)
819 panic("segs_needed > nfree_msgmaps");
820 if (msgsz + msqkptr->u.msg_cbytes > msqkptr->u.msg_qbytes)
821 panic("msgsz + msg_cbytes > msg_qbytes");
822 if (free_msghdrs == NULL)
823 panic("no more msghdrs");
826 * Re-lock the msqid_ds in case we page-fault when copying in the
830 if ((msqkptr->u.msg_perm.mode & MSG_LOCKED) != 0)
831 panic("msqid_ds is already locked");
832 msqkptr->u.msg_perm.mode |= MSG_LOCKED;
835 * Allocate a message header
838 msghdr = free_msghdrs;
839 free_msghdrs = msghdr->msg_next;
840 msghdr->msg_spot = -1;
841 msghdr->msg_ts = msgsz;
842 msghdr->msg_type = mtype;
845 * XXXMAC: Should the mac_sysvmsq_check_msgmsq check follow here
846 * immediately? Or, should it be checked just before the msg is
847 * enqueued in the msgq (as it is done now)?
849 mac_sysvmsg_create(td->td_ucred, msqkptr, msghdr);
853 * Allocate space for the message
856 while (segs_needed > 0) {
857 if (nfree_msgmaps <= 0)
858 panic("not enough msgmaps");
859 if (free_msgmaps == -1)
860 panic("nil free_msgmaps");
863 panic("next too low #1");
864 if (next >= msginfo.msgseg)
865 panic("next out of range #1");
866 DPRINTF(("allocating segment %d to message\n", next));
867 free_msgmaps = msgmaps[next].next;
869 msgmaps[next].next = msghdr->msg_spot;
870 msghdr->msg_spot = next;
875 * Validate the message type
878 if (msghdr->msg_type < 1) {
880 msqkptr->u.msg_perm.mode &= ~MSG_LOCKED;
882 DPRINTF(("mtype (%ld) < 1\n", msghdr->msg_type));
888 * Copy in the message body
891 next = msghdr->msg_spot;
894 if (msgsz > msginfo.msgssz)
895 tlen = msginfo.msgssz;
899 panic("next too low #2");
900 if (next >= msginfo.msgseg)
901 panic("next out of range #2");
902 mtx_unlock(&msq_mtx);
903 if ((error = copyin(msgp, &msgpool[next * msginfo.msgssz],
906 DPRINTF(("error %d copying in message segment\n",
909 msqkptr->u.msg_perm.mode &= ~MSG_LOCKED;
915 msgp = (const char *)msgp + tlen;
916 next = msgmaps[next].next;
919 panic("didn't use all the msg segments");
922 * We've got the message. Unlock the msqid_ds.
925 msqkptr->u.msg_perm.mode &= ~MSG_LOCKED;
928 * Make sure that the msqid_ds is still allocated.
931 if (msqkptr->u.msg_qbytes == 0) {
940 * Note: Since the task/thread allocates the msghdr and usually
941 * primes it with its own MAC label, for a majority of policies, it
942 * won't be necessary to check whether the msghdr has access
943 * permissions to the msgq. The mac_sysvmsq_check_msqsnd check would
944 * suffice in that case. However, this hook may be required where
945 * individual policies derive a non-identical label for the msghdr
946 * from the current thread label and may want to check the msghdr
947 * enqueue permissions, along with read/write permissions to the
950 error = mac_sysvmsq_check_msgmsq(td->td_ucred, msghdr, msqkptr);
959 * Put the message into the queue
961 if (msqkptr->u.msg_first == NULL) {
962 msqkptr->u.msg_first = msghdr;
963 msqkptr->u.msg_last = msghdr;
965 msqkptr->u.msg_last->msg_next = msghdr;
966 msqkptr->u.msg_last = msghdr;
968 msqkptr->u.msg_last->msg_next = NULL;
970 msqkptr->u.msg_cbytes += msghdr->msg_ts;
971 msqkptr->u.msg_qnum++;
972 msqkptr->u.msg_lspid = td->td_proc->p_pid;
973 msqkptr->u.msg_stime = time_second;
976 td->td_retval[0] = 0;
978 mtx_unlock(&msq_mtx);
985 register struct msgsnd_args *uap;
990 DPRINTF(("call to msgsnd(%d, %p, %zu, %d)\n", uap->msqid, uap->msgp,
991 uap->msgsz, uap->msgflg));
993 if ((error = copyin(uap->msgp, &mtype, sizeof(mtype))) != 0) {
994 DPRINTF(("error %d copying the message type\n", error));
997 return (kern_msgsnd(td, uap->msqid,
998 (const char *)uap->msgp + sizeof(mtype),
999 uap->msgsz, uap->msgflg, mtype));
1002 #ifndef _SYS_SYSPROTO_H_
1003 struct msgrcv_args {
1012 kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
1015 void *msgp; /* XXX msgp is actually mtext. */
1022 register struct msqid_kernel *msqkptr;
1023 register struct msg *msghdr;
1024 int msqix, error = 0;
1027 if (!prison_allow(td->td_ucred, PR_ALLOW_SYSVIPC))
1030 msqix = IPCID_TO_IX(msqid);
1032 if (msqix < 0 || msqix >= msginfo.msgmni) {
1033 DPRINTF(("msqid (%d) out of range (0<=msqid<%d)\n", msqix,
1038 msqkptr = &msqids[msqix];
1040 if (msqkptr->u.msg_qbytes == 0) {
1041 DPRINTF(("no such message queue id\n"));
1045 if (msqkptr->u.msg_perm.seq != IPCID_TO_SEQ(msqid)) {
1046 DPRINTF(("wrong sequence number\n"));
1051 if ((error = ipcperm(td, &msqkptr->u.msg_perm, IPC_R))) {
1052 DPRINTF(("requester doesn't have read access\n"));
1057 error = mac_sysvmsq_check_msqrcv(td->td_ucred, msqkptr);
1063 while (msghdr == NULL) {
1065 msghdr = msqkptr->u.msg_first;
1066 if (msghdr != NULL) {
1067 if (msgsz < msghdr->msg_ts &&
1068 (msgflg & MSG_NOERROR) == 0) {
1069 DPRINTF(("first message on the queue "
1070 "is too big (want %zu, got %d)\n",
1071 msgsz, msghdr->msg_ts));
1076 error = mac_sysvmsq_check_msgrcv(td->td_ucred,
1081 if (msqkptr->u.msg_first == msqkptr->u.msg_last) {
1082 msqkptr->u.msg_first = NULL;
1083 msqkptr->u.msg_last = NULL;
1085 msqkptr->u.msg_first = msghdr->msg_next;
1086 if (msqkptr->u.msg_first == NULL)
1087 panic("msg_first/last screwed up #1");
1091 struct msg *previous;
1095 prev = &(msqkptr->u.msg_first);
1096 while ((msghdr = *prev) != NULL) {
1098 * Is this message's type an exact match or is
1099 * this message's type less than or equal to
1100 * the absolute value of a negative msgtyp?
1101 * Note that the second half of this test can
1102 * NEVER be true if msgtyp is positive since
1103 * msg_type is always positive!
1106 if (msgtyp == msghdr->msg_type ||
1107 msghdr->msg_type <= -msgtyp) {
1108 DPRINTF(("found message type %ld, "
1110 msghdr->msg_type, msgtyp));
1111 if (msgsz < msghdr->msg_ts &&
1112 (msgflg & MSG_NOERROR) == 0) {
1113 DPRINTF(("requested message "
1114 "on the queue is too big "
1115 "(want %zu, got %hu)\n",
1116 msgsz, msghdr->msg_ts));
1121 error = mac_sysvmsq_check_msgrcv(
1122 td->td_ucred, msghdr);
1126 *prev = msghdr->msg_next;
1127 if (msghdr == msqkptr->u.msg_last) {
1128 if (previous == NULL) {
1130 &msqkptr->u.msg_first)
1131 panic("msg_first/last screwed up #2");
1132 msqkptr->u.msg_first =
1134 msqkptr->u.msg_last =
1138 &msqkptr->u.msg_first)
1139 panic("msg_first/last screwed up #3");
1140 msqkptr->u.msg_last =
1147 prev = &(msghdr->msg_next);
1152 * We've either extracted the msghdr for the appropriate
1153 * message or there isn't one.
1154 * If there is one then bail out of this loop.
1161 * Hmph! No message found. Does the user want to wait?
1164 if ((msgflg & IPC_NOWAIT) != 0) {
1165 DPRINTF(("no appropriate message found (msgtyp=%ld)\n",
1167 /* The SVID says to return ENOMSG. */
1173 * Wait for something to happen
1176 DPRINTF(("msgrcv: goodnight\n"));
1177 error = msleep(msqkptr, &msq_mtx, (PZERO - 4) | PCATCH,
1179 DPRINTF(("msgrcv: good morning (error=%d)\n", error));
1182 DPRINTF(("msgrcv: interrupted system call\n"));
1188 * Make sure that the msq queue still exists
1191 if (msqkptr->u.msg_qbytes == 0 ||
1192 msqkptr->u.msg_perm.seq != IPCID_TO_SEQ(msqid)) {
1193 DPRINTF(("msqid deleted\n"));
1200 * Return the message to the user.
1202 * First, do the bookkeeping (before we risk being interrupted).
1205 msqkptr->u.msg_cbytes -= msghdr->msg_ts;
1206 msqkptr->u.msg_qnum--;
1207 msqkptr->u.msg_lrpid = td->td_proc->p_pid;
1208 msqkptr->u.msg_rtime = time_second;
1211 * Make msgsz the actual amount that we'll be returning.
1212 * Note that this effectively truncates the message if it is too long
1213 * (since msgsz is never increased).
1216 DPRINTF(("found a message, msgsz=%zu, msg_ts=%hu\n", msgsz,
1218 if (msgsz > msghdr->msg_ts)
1219 msgsz = msghdr->msg_ts;
1220 *mtype = msghdr->msg_type;
1223 * Return the segments to the user
1226 next = msghdr->msg_spot;
1227 for (len = 0; len < msgsz; len += msginfo.msgssz) {
1230 if (msgsz - len > msginfo.msgssz)
1231 tlen = msginfo.msgssz;
1235 panic("next too low #3");
1236 if (next >= msginfo.msgseg)
1237 panic("next out of range #3");
1238 mtx_unlock(&msq_mtx);
1239 error = copyout(&msgpool[next * msginfo.msgssz], msgp, tlen);
1242 DPRINTF(("error (%d) copying out message segment\n",
1244 msg_freehdr(msghdr);
1248 msgp = (char *)msgp + tlen;
1249 next = msgmaps[next].next;
1253 * Done, return the actual number of bytes copied out.
1256 msg_freehdr(msghdr);
1258 td->td_retval[0] = msgsz;
1260 mtx_unlock(&msq_mtx);
1267 register struct msgrcv_args *uap;
1272 DPRINTF(("call to msgrcv(%d, %p, %zu, %ld, %d)\n", uap->msqid,
1273 uap->msgp, uap->msgsz, uap->msgtyp, uap->msgflg));
1275 if ((error = kern_msgrcv(td, uap->msqid,
1276 (char *)uap->msgp + sizeof(mtype), uap->msgsz,
1277 uap->msgtyp, uap->msgflg, &mtype)) != 0)
1279 if ((error = copyout(&mtype, uap->msgp, sizeof(mtype))) != 0)
1280 DPRINTF(("error %d copying the message type\n", error));
1285 sysctl_msqids(SYSCTL_HANDLER_ARGS)
1288 return (SYSCTL_OUT(req, msqids,
1289 sizeof(struct msqid_kernel) * msginfo.msgmni));
1292 SYSCTL_INT(_kern_ipc, OID_AUTO, msgmax, CTLFLAG_RD, &msginfo.msgmax, 0,
1293 "Maximum message size");
1294 SYSCTL_INT(_kern_ipc, OID_AUTO, msgmni, CTLFLAG_RDTUN, &msginfo.msgmni, 0,
1295 "Number of message queue identifiers");
1296 SYSCTL_INT(_kern_ipc, OID_AUTO, msgmnb, CTLFLAG_RDTUN, &msginfo.msgmnb, 0,
1297 "Maximum number of bytes in a queue");
1298 SYSCTL_INT(_kern_ipc, OID_AUTO, msgtql, CTLFLAG_RDTUN, &msginfo.msgtql, 0,
1299 "Maximum number of messages in the system");
1300 SYSCTL_INT(_kern_ipc, OID_AUTO, msgssz, CTLFLAG_RDTUN, &msginfo.msgssz, 0,
1301 "Size of a message segment");
1302 SYSCTL_INT(_kern_ipc, OID_AUTO, msgseg, CTLFLAG_RDTUN, &msginfo.msgseg, 0,
1303 "Number of message segments");
1304 SYSCTL_PROC(_kern_ipc, OID_AUTO, msqids, CTLFLAG_RD,
1305 NULL, 0, sysctl_msqids, "", "Message queue IDs");
1307 #ifdef COMPAT_FREEBSD32
1309 freebsd32_msgsys(struct thread *td, struct freebsd32_msgsys_args *uap)
1312 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
1313 defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
1314 switch (uap->which) {
1316 return (freebsd7_freebsd32_msgctl(td,
1317 (struct freebsd7_freebsd32_msgctl_args *)&uap->a2));
1319 return (freebsd32_msgsnd(td,
1320 (struct freebsd32_msgsnd_args *)&uap->a2));
1322 return (freebsd32_msgrcv(td,
1323 (struct freebsd32_msgrcv_args *)&uap->a2));
1325 return (msgsys(td, (struct msgsys_args *)uap));
1328 return (nosys(td, NULL));
1332 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
1333 defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
1335 freebsd7_freebsd32_msgctl(struct thread *td,
1336 struct freebsd7_freebsd32_msgctl_args *uap)
1338 struct msqid_ds msqbuf;
1339 struct msqid_ds32_old msqbuf32;
1342 if (uap->cmd == IPC_SET) {
1343 error = copyin(uap->buf, &msqbuf32, sizeof(msqbuf32));
1346 freebsd32_ipcperm_old_in(&msqbuf32.msg_perm, &msqbuf.msg_perm);
1347 PTRIN_CP(msqbuf32, msqbuf, msg_first);
1348 PTRIN_CP(msqbuf32, msqbuf, msg_last);
1349 CP(msqbuf32, msqbuf, msg_cbytes);
1350 CP(msqbuf32, msqbuf, msg_qnum);
1351 CP(msqbuf32, msqbuf, msg_qbytes);
1352 CP(msqbuf32, msqbuf, msg_lspid);
1353 CP(msqbuf32, msqbuf, msg_lrpid);
1354 CP(msqbuf32, msqbuf, msg_stime);
1355 CP(msqbuf32, msqbuf, msg_rtime);
1356 CP(msqbuf32, msqbuf, msg_ctime);
1358 error = kern_msgctl(td, uap->msqid, uap->cmd, &msqbuf);
1361 if (uap->cmd == IPC_STAT) {
1362 bzero(&msqbuf32, sizeof(msqbuf32));
1363 freebsd32_ipcperm_old_out(&msqbuf.msg_perm, &msqbuf32.msg_perm);
1364 PTROUT_CP(msqbuf, msqbuf32, msg_first);
1365 PTROUT_CP(msqbuf, msqbuf32, msg_last);
1366 CP(msqbuf, msqbuf32, msg_cbytes);
1367 CP(msqbuf, msqbuf32, msg_qnum);
1368 CP(msqbuf, msqbuf32, msg_qbytes);
1369 CP(msqbuf, msqbuf32, msg_lspid);
1370 CP(msqbuf, msqbuf32, msg_lrpid);
1371 CP(msqbuf, msqbuf32, msg_stime);
1372 CP(msqbuf, msqbuf32, msg_rtime);
1373 CP(msqbuf, msqbuf32, msg_ctime);
1374 error = copyout(&msqbuf32, uap->buf, sizeof(struct msqid_ds32));
1381 freebsd32_msgctl(struct thread *td, struct freebsd32_msgctl_args *uap)
1383 struct msqid_ds msqbuf;
1384 struct msqid_ds32 msqbuf32;
1387 if (uap->cmd == IPC_SET) {
1388 error = copyin(uap->buf, &msqbuf32, sizeof(msqbuf32));
1391 freebsd32_ipcperm_in(&msqbuf32.msg_perm, &msqbuf.msg_perm);
1392 PTRIN_CP(msqbuf32, msqbuf, msg_first);
1393 PTRIN_CP(msqbuf32, msqbuf, msg_last);
1394 CP(msqbuf32, msqbuf, msg_cbytes);
1395 CP(msqbuf32, msqbuf, msg_qnum);
1396 CP(msqbuf32, msqbuf, msg_qbytes);
1397 CP(msqbuf32, msqbuf, msg_lspid);
1398 CP(msqbuf32, msqbuf, msg_lrpid);
1399 CP(msqbuf32, msqbuf, msg_stime);
1400 CP(msqbuf32, msqbuf, msg_rtime);
1401 CP(msqbuf32, msqbuf, msg_ctime);
1403 error = kern_msgctl(td, uap->msqid, uap->cmd, &msqbuf);
1406 if (uap->cmd == IPC_STAT) {
1407 freebsd32_ipcperm_out(&msqbuf.msg_perm, &msqbuf32.msg_perm);
1408 PTROUT_CP(msqbuf, msqbuf32, msg_first);
1409 PTROUT_CP(msqbuf, msqbuf32, msg_last);
1410 CP(msqbuf, msqbuf32, msg_cbytes);
1411 CP(msqbuf, msqbuf32, msg_qnum);
1412 CP(msqbuf, msqbuf32, msg_qbytes);
1413 CP(msqbuf, msqbuf32, msg_lspid);
1414 CP(msqbuf, msqbuf32, msg_lrpid);
1415 CP(msqbuf, msqbuf32, msg_stime);
1416 CP(msqbuf, msqbuf32, msg_rtime);
1417 CP(msqbuf, msqbuf32, msg_ctime);
1418 error = copyout(&msqbuf32, uap->buf, sizeof(struct msqid_ds32));
1424 freebsd32_msgsnd(struct thread *td, struct freebsd32_msgsnd_args *uap)
1431 msgp = PTRIN(uap->msgp);
1432 if ((error = copyin(msgp, &mtype32, sizeof(mtype32))) != 0)
1435 return (kern_msgsnd(td, uap->msqid,
1436 (const char *)msgp + sizeof(mtype32),
1437 uap->msgsz, uap->msgflg, mtype));
1441 freebsd32_msgrcv(struct thread *td, struct freebsd32_msgrcv_args *uap)
1448 msgp = PTRIN(uap->msgp);
1449 if ((error = kern_msgrcv(td, uap->msqid,
1450 (char *)msgp + sizeof(mtype32), uap->msgsz,
1451 uap->msgtyp, uap->msgflg, &mtype)) != 0)
1453 mtype32 = (int32_t)mtype;
1454 return (copyout(&mtype32, msgp, sizeof(mtype32)));
1458 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
1459 defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
1461 /* XXX casting to (sy_call_t *) is bogus, as usual. */
1462 static sy_call_t *msgcalls[] = {
1463 (sy_call_t *)freebsd7_msgctl, (sy_call_t *)msgget,
1464 (sy_call_t *)msgsnd, (sy_call_t *)msgrcv
1468 * Entry point for all MSG calls.
1473 /* XXX actually varargs. */
1474 struct msgsys_args /* {
1485 if (!prison_allow(td->td_ucred, PR_ALLOW_SYSVIPC))
1487 if (uap->which < 0 ||
1488 uap->which >= sizeof(msgcalls)/sizeof(msgcalls[0]))
1490 error = (*msgcalls[uap->which])(td, &uap->a2);
1495 #define CP(src, dst, fld) do { (dst).fld = (src).fld; } while (0)
1498 #ifndef _SYS_SYSPROTO_H_
1499 struct freebsd7_msgctl_args {
1502 struct msqid_ds_old *buf;
1506 freebsd7_msgctl(td, uap)
1508 struct freebsd7_msgctl_args *uap;
1510 struct msqid_ds_old msqold;
1511 struct msqid_ds msqbuf;
1514 DPRINTF(("call to freebsd7_msgctl(%d, %d, %p)\n", uap->msqid, uap->cmd,
1516 if (uap->cmd == IPC_SET) {
1517 error = copyin(uap->buf, &msqold, sizeof(msqold));
1520 ipcperm_old2new(&msqold.msg_perm, &msqbuf.msg_perm);
1521 CP(msqold, msqbuf, msg_first);
1522 CP(msqold, msqbuf, msg_last);
1523 CP(msqold, msqbuf, msg_cbytes);
1524 CP(msqold, msqbuf, msg_qnum);
1525 CP(msqold, msqbuf, msg_qbytes);
1526 CP(msqold, msqbuf, msg_lspid);
1527 CP(msqold, msqbuf, msg_lrpid);
1528 CP(msqold, msqbuf, msg_stime);
1529 CP(msqold, msqbuf, msg_rtime);
1530 CP(msqold, msqbuf, msg_ctime);
1532 error = kern_msgctl(td, uap->msqid, uap->cmd, &msqbuf);
1535 if (uap->cmd == IPC_STAT) {
1536 bzero(&msqold, sizeof(msqold));
1537 ipcperm_new2old(&msqbuf.msg_perm, &msqold.msg_perm);
1538 CP(msqbuf, msqold, msg_first);
1539 CP(msqbuf, msqold, msg_last);
1540 CP(msqbuf, msqold, msg_cbytes);
1541 CP(msqbuf, msqold, msg_qnum);
1542 CP(msqbuf, msqold, msg_qbytes);
1543 CP(msqbuf, msqold, msg_lspid);
1544 CP(msqbuf, msqold, msg_lrpid);
1545 CP(msqbuf, msqold, msg_stime);
1546 CP(msqbuf, msqold, msg_rtime);
1547 CP(msqbuf, msqold, msg_ctime);
1548 error = copyout(&msqold, uap->buf, sizeof(struct msqid_ds_old));
1555 #endif /* COMPAT_FREEBSD4 || COMPAT_FREEBSD5 || COMPAT_FREEBSD6 ||
projects / FreeBSD / releng / 8.1.git / blob