17c478bdstevel@tonic-gate/*
27c478bdstevel@tonic-gate * CDDL HEADER START
37c478bdstevel@tonic-gate *
47c478bdstevel@tonic-gate * The contents of this file are subject to the terms of the
5824c205ml * Common Development and Distribution License (the "License").
6824c205ml * You may not use this file except in compliance with the License.
77c478bdstevel@tonic-gate *
87c478bdstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bdstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bdstevel@tonic-gate * See the License for the specific language governing permissions
117c478bdstevel@tonic-gate * and limitations under the License.
127c478bdstevel@tonic-gate *
137c478bdstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bdstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bdstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bdstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bdstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bdstevel@tonic-gate *
197c478bdstevel@tonic-gate * CDDL HEADER END
207c478bdstevel@tonic-gate */
217c478bdstevel@tonic-gate/*
22005d3feMarek Pospisil * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
237c478bdstevel@tonic-gate * Use is subject to license terms.
247c478bdstevel@tonic-gate */
257c478bdstevel@tonic-gate
267c478bdstevel@tonic-gate/*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
277c478bdstevel@tonic-gate/*	  All Rights Reserved  	*/
287c478bdstevel@tonic-gate
297c478bdstevel@tonic-gate/*
307c478bdstevel@tonic-gate * Inter-Process Communication Semaphore Facility.
317c478bdstevel@tonic-gate *
327c478bdstevel@tonic-gate * See os/ipc.c for a description of common IPC functionality.
337c478bdstevel@tonic-gate *
347c478bdstevel@tonic-gate * Resource controls
357c478bdstevel@tonic-gate * -----------------
367c478bdstevel@tonic-gate *
37824c205ml * Control:      zone.max-sem-ids (rc_zone_semmni)
38824c205ml * Description:  Maximum number of semaphore ids allowed a zone.
39824c205ml *
40824c205ml *   When semget() is used to allocate a semaphore set, one id is
41824c205ml *   allocated.  If the id allocation doesn't succeed, semget() fails
42824c205ml *   and errno is set to ENOSPC.  Upon successful semctl(, IPC_RMID)
43824c205ml *   the id is deallocated.
44824c205ml *
457c478bdstevel@tonic-gate * Control:      project.max-sem-ids (rc_project_semmni)
467c478bdstevel@tonic-gate * Description:  Maximum number of semaphore ids allowed a project.
477c478bdstevel@tonic-gate *
487c478bdstevel@tonic-gate *   When semget() is used to allocate a semaphore set, one id is
497c478bdstevel@tonic-gate *   allocated.  If the id allocation doesn't succeed, semget() fails
507c478bdstevel@tonic-gate *   and errno is set to ENOSPC.  Upon successful semctl(, IPC_RMID)
517c478bdstevel@tonic-gate *   the id is deallocated.
527c478bdstevel@tonic-gate *
537c478bdstevel@tonic-gate * Control:      process.max-sem-nsems (rc_process_semmsl)
547c478bdstevel@tonic-gate * Description:  Maximum number of semaphores allowed per semaphore set.
557c478bdstevel@tonic-gate *
567c478bdstevel@tonic-gate *   When semget() is used to allocate a semaphore set, the size of the
577c478bdstevel@tonic-gate *   set is compared with this limit.  If the number of semaphores
587c478bdstevel@tonic-gate *   exceeds the limit, semget() fails and errno is set to EINVAL.
597c478bdstevel@tonic-gate *
607c478bdstevel@tonic-gate * Control:      process.max-sem-ops (rc_process_semopm)
617c478bdstevel@tonic-gate * Description:  Maximum number of semaphore operations allowed per
627c478bdstevel@tonic-gate *               semop call.
637c478bdstevel@tonic-gate *
647c478bdstevel@tonic-gate *   When semget() successfully allocates a semaphore set, the minimum
657c478bdstevel@tonic-gate *   enforced value of this limit is used to initialize the
667c478bdstevel@tonic-gate *   "system-imposed maximum" number of operations a semop() call for
677c478bdstevel@tonic-gate *   this set can perform.
687c478bdstevel@tonic-gate *
697c478bdstevel@tonic-gate * Undo structures
707c478bdstevel@tonic-gate * ---------------
717c478bdstevel@tonic-gate *
727c478bdstevel@tonic-gate * Removing the undo structure tunables involved a serious redesign of
737c478bdstevel@tonic-gate * how they were implemented.  There is now one undo structure for
747c478bdstevel@tonic-gate * every process/semaphore array combination (lazily allocated, of
757c478bdstevel@tonic-gate * course), and each is equal in size to the semaphore it corresponds
767c478bdstevel@tonic-gate * to.  To avoid scalability and performance problems, the undo
777c478bdstevel@tonic-gate * structures are stored in two places: a per-process AVL tree sorted
787c478bdstevel@tonic-gate * by ksemid pointer (p_semacct, protected by p_lock) and an unsorted
797c478bdstevel@tonic-gate * per-semaphore linked list (sem_undos, protected by the semaphore's
807c478bdstevel@tonic-gate * ID lock).  The former is used by semop, where a lookup is performed
817c478bdstevel@tonic-gate * once and cached if SEM_UNDO is specified for any of the operations,
827c478bdstevel@tonic-gate * and at process exit where the undoable operations are rolled back.
837c478bdstevel@tonic-gate * The latter is used when removing the semaphore, so the undo
847c478bdstevel@tonic-gate * structures can be removed from the appropriate processes' trees.
857c478bdstevel@tonic-gate *
867c478bdstevel@tonic-gate * The undo structure itself contains pointers to the ksemid and proc
877c478bdstevel@tonic-gate * to which it corresponds, a list node, an AVL node, and an array of
887c478bdstevel@tonic-gate * adjust-on-exit (AOE) values.  When an undo structure is allocated it
897c478bdstevel@tonic-gate * is immediately added to both the process's tree and the semaphore's
907c478bdstevel@tonic-gate * list.  Lastly, the reference count on the semaphore is increased.
917c478bdstevel@tonic-gate *
927c478bdstevel@tonic-gate * Avoiding a lock ordering violation between p_lock and the ID lock,
937c478bdstevel@tonic-gate * wont to occur when there is a race between a process exiting and the
947c478bdstevel@tonic-gate * removal of a semaphore, mandates the delicate dance that exists
957c478bdstevel@tonic-gate * between semexit and sem_rmid.
967c478bdstevel@tonic-gate *
977c478bdstevel@tonic-gate * sem_rmid, holding the ID lock, iterates through all undo structures
987c478bdstevel@tonic-gate * and for each takes the appropriate process's p_lock and checks to
997c478bdstevel@tonic-gate * see if p_semacct is NULL.  If it is, it skips that undo structure
1007c478bdstevel@tonic-gate * and continues to the next.  Otherwise, it removes the undo structure
1017c478bdstevel@tonic-gate * from both the AVL tree and the semaphore's list, and releases the
1027c478bdstevel@tonic-gate * hold that the undo structure had on the semaphore.
1037c478bdstevel@tonic-gate *
1047c478bdstevel@tonic-gate * The important other half of this is semexit, which will immediately
1057c478bdstevel@tonic-gate * take p_lock, obtain the AVL pointer, clear p_semacct, and drop
1067c478bdstevel@tonic-gate * p_lock.  From this point on it is semexit's responsibility to clean
1077c478bdstevel@tonic-gate * up all undo structures found in the tree -- a coexecuting sem_rmid
1087c478bdstevel@tonic-gate * will see the NULL p_semacct and skip that undo structure.  It walks
1097c478bdstevel@tonic-gate * the AVL tree (using avl_destroy_nodes) and for each undo structure
1107c478bdstevel@tonic-gate * takes the appropriate semaphore's ID lock (always legal since the
1117c478bdstevel@tonic-gate * undo structure has a hold on the semaphore), updates all semaphores
1127c478bdstevel@tonic-gate * with non-zero AOE values, and removes the structure from the
1137c478bdstevel@tonic-gate * semaphore's list.  It then drops the structure's reference on the
1147c478bdstevel@tonic-gate * semaphore, drops the ID lock, and frees the undo structure.
1157c478bdstevel@tonic-gate */
1167c478bdstevel@tonic-gate
1177c478bdstevel@tonic-gate#include <sys/types.h>
1187c478bdstevel@tonic-gate#include <sys/t_lock.h>
1197c478bdstevel@tonic-gate#include <sys/param.h>
1207c478bdstevel@tonic-gate#include <sys/systm.h>
1217c478bdstevel@tonic-gate#include <sys/sysmacros.h>
1227c478bdstevel@tonic-gate#include <sys/cred.h>
1237c478bdstevel@tonic-gate#include <sys/vmem.h>
1247c478bdstevel@tonic-gate#include <sys/kmem.h>
1257c478bdstevel@tonic-gate#include <sys/errno.h>
1267c478bdstevel@tonic-gate#include <sys/time.h>
1277c478bdstevel@tonic-gate#include <sys/ipc.h>
1287c478bdstevel@tonic-gate#include <sys/ipc_impl.h>
1297c478bdstevel@tonic-gate#include <sys/sem.h>
1307c478bdstevel@tonic-gate#include <sys/sem_impl.h>
1317c478bdstevel@tonic-gate#include <sys/user.h>
1327c478bdstevel@tonic-gate#include <sys/proc.h>
1337c478bdstevel@tonic-gate#include <sys/cpuvar.h>
1347c478bdstevel@tonic-gate#include <sys/debug.h>
1357c478bdstevel@tonic-gate#include <sys/var.h>
1367c478bdstevel@tonic-gate#include <sys/cmn_err.h>
1377c478bdstevel@tonic-gate#include <sys/modctl.h>
1387c478bdstevel@tonic-gate#include <sys/syscall.h>
1397c478bdstevel@tonic-gate#include <sys/avl.h>
1407c478bdstevel@tonic-gate#include <sys/list.h>
1417c478bdstevel@tonic-gate#include <sys/zone.h>
1427c478bdstevel@tonic-gate
1437c478bdstevel@tonic-gate#include <c2/audit.h>
1447c478bdstevel@tonic-gate
/*
 * Resource-control handles used by this module.  They are only declared
 * here; the definitions live outside this file.
 */
extern rctl_hndl_t rc_zone_semmni;	/* zone.max-sem-ids */
extern rctl_hndl_t rc_project_semmni;	/* project.max-sem-ids */
extern rctl_hndl_t rc_process_semmsl;	/* process.max-sem-nsems */
extern rctl_hndl_t rc_process_semopm;	/* process.max-sem-ops */

/* IPC service handle; assigned by ipcs_create() in _init(). */
static ipc_service_t *sem_svc;

/* Zone key; registered with sem_remove_zone as a callback in _init(). */
static zone_key_t sem_zone_key;
1517c478bdstevel@tonic-gate
1527c478bdstevel@tonic-gate/*
1537c478bdstevel@tonic-gate * The following tunables are obsolete.  Though for compatibility we
1547c478bdstevel@tonic-gate * still read and interpret seminfo_semmsl, seminfo_semopm and
1557c478bdstevel@tonic-gate * seminfo_semmni (see os/project.c and os/rctl_proc.c), the preferred
1567c478bdstevel@tonic-gate * mechanism for administrating the IPC Semaphore facility is through
1577c478bdstevel@tonic-gate * the resource controls described at the top of this file.
1587c478bdstevel@tonic-gate */
/* Legacy tunables: names and default values are kept as they were. */
int seminfo_semaem = 16384;		/* (obsolete) */
int seminfo_semmap = 10;		/* (obsolete) */
int seminfo_semmni = 10;		/* (obsolete) */
int seminfo_semmns = 60;		/* (obsolete) */
int seminfo_semmnu = 30;		/* (obsolete) */
int seminfo_semmsl = 25;		/* (obsolete) */
int seminfo_semopm = 10;		/* (obsolete) */
int seminfo_semume = 10;		/* (obsolete) */
int seminfo_semusz = 96;		/* (obsolete) */
int seminfo_semvmx = 32767;		/* (obsolete) */
1697c478bdstevel@tonic-gate
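#define	SEM_MAXUCOPS	4096	/* max # of unchecked ops per semop call */

/*
 * Size in bytes of an undo structure covering a set of n semaphores: the
 * base struct sem_undo plus (n - 1) further int slots.  The result is
 * passed to kmem_free() in this file, so it has to be computed the same
 * way everywhere.  The argument is parenthesized so that an expression
 * argument (a conditional, a shift, ...) cannot re-associate with the
 * "- 1" and silently yield a wrong size.
 */
#define	SEM_UNDOSZ(n)	\
	(sizeof (struct sem_undo) + ((n) - 1) * sizeof (int))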
1727c478bdstevel@tonic-gate
/* Forward declarations for routines referenced before their definitions. */
static int semsys(int opcode, uintptr_t a0, uintptr_t a1,
    uintptr_t a2, uintptr_t a3);
static void sem_dtor(kipc_perm_t *perm);
static void sem_rmid(kipc_perm_t *perm);
static void sem_remove_zone(zoneid_t zoneid, void *arg);
1787c478bdstevel@tonic-gate
/*
 * System call table entry for the semaphore facility.  The leading 5
 * matches the five parameters semsys() is declared with.
 */
static struct sysent ipcsem_sysent = {
	5,
	SE_NOUNLOAD | SE_ARGC | SE_32RVAL1,
	semsys
};
1847c478bdstevel@tonic-gate
/*
 * Module linkage information for the kernel.  Both entries point at the
 * same sysent; the second one exists only when _SYSCALL32_IMPL is defined.
 */
static struct modlsys modlsys = {
	&mod_syscallops,
	"System V semaphore facility",
	&ipcsem_sysent
};

#ifdef _SYSCALL32_IMPL
static struct modlsys modlsys32 = {
	&mod_syscallops32,
	"32-bit System V semaphore facility",
	&ipcsem_sysent
};
#endif
1977c478bdstevel@tonic-gate
/*
 * NULL-terminated list of linkage structures handed to mod_install() and
 * mod_info() below.
 */
static struct modlinkage modlinkage = {
	MODREV_1,
	&modlsys,
#ifdef _SYSCALL32_IMPL
	&modlsys32,
#endif
	NULL
};
2067c478bdstevel@tonic-gate
2077c478bdstevel@tonic-gate
/*
 * _init - Module load entry point.
 *
 * Creates the "semids" IPC service and registers the zone key before the
 * module is installed.  If mod_install() fails, both are torn down again
 * and its error code is returned; on success 0 is returned.
 */
int
_init(void)
{
	int rv;

	sem_svc = ipcs_create("semids", rc_project_semmni, rc_zone_semmni,
	    sizeof (ksemid_t), sem_dtor, sem_rmid, AT_IPC_SEM,
	    offsetof(ipc_rqty_t, ipcq_semmni));
	zone_key_create(&sem_zone_key, NULL, sem_remove_zone, NULL);

	rv = mod_install(&modlinkage);
	if (rv != 0) {
		/* Installation failed: undo the setup done above. */
		(void) zone_key_delete(sem_zone_key);
		ipcs_destroy(sem_svc);
	}

	return (rv);
}
2267c478bdstevel@tonic-gate
/*
 * _fini - Module unload entry point.
 *
 * Unconditionally answers EBUSY; no teardown is attempted here.
 */
int
_fini(void)
{
	int rv = EBUSY;

	return (rv);
}
2327c478bdstevel@tonic-gate
/*
 * _info - Module information entry point.
 *
 * Passes the caller's modinfo buffer and this module's linkage to
 * mod_info() and returns its result unchanged.
 */
int
_info(struct modinfo *modinfop)
{
	int rv = mod_info(&modlinkage, modinfop);

	return (rv);
}
2387c478bdstevel@tonic-gate
/*
 * sem_dtor - Destructor registered with ipcs_create() in _init().
 *
 * Frees the semaphore array and destroys the (by then unused) undo list.
 * The size given to kmem_free() is recomputed from sem_nsems, rounded up
 * to a multiple of 64 bytes.
 * NOTE(review): the allocation site is not in this part of the file;
 * confirm it uses the identical size expression, since kmem_free() is
 * handed the size by the caller.
 */
static void
sem_dtor(kipc_perm_t *perm)
{
	ksemid_t *semid = (ksemid_t *)perm;
	size_t base_size =
	    P2ROUNDUP(semid->sem_nsems * sizeof (struct sem), 64);

	kmem_free(semid->sem_base, base_size);
	list_destroy(&semid->sem_undos);
}
2487c478bdstevel@tonic-gate
/*
 * sem_undo_add - Create or update adjust on exit entry.
 *
 * Subtracts val from the adjust-on-exit value stored for semaphore num.
 * The entry is left untouched and ERANGE is returned when the result
 * would fall outside [-USHRT_MAX, USHRT_MAX]; otherwise the new value is
 * stored and 0 is returned.
 *
 * num is used as an array index without a bounds check here, so callers
 * must only pass an index that lies inside the undo structure.
 */
static int
sem_undo_add(short val, ushort_t num, struct sem_undo *undo)
{
	int adjusted = undo->un_aoe[num] - val;

	if (adjusted < -USHRT_MAX || adjusted > USHRT_MAX)
		return (ERANGE);

	undo->un_aoe[num] = adjusted;
	return (0);
}
2637c478bdstevel@tonic-gate
/*
 * sem_undo_clear - clears all undo entries for specified semaphores
 *
 * Used when semaphores are reset by SETVAL or SETALL.  Every undo
 * structure on the set's sem_undos list has its adjust-on-exit values
 * for indices low..high (inclusive) zeroed.
 *
 * The range is checked only by the ASSERTs below, so the caller has to
 * guarantee low <= high < sem_nsems.
 */
static void
sem_undo_clear(ksemid_t *sp, ushort_t low, ushort_t high)
{
	struct sem_undo *up;
	int idx;

	ASSERT(low <= high);
	ASSERT(high < sp->sem_nsems);

	up = list_head(&sp->sem_undos);
	while (up != NULL) {
		for (idx = low; idx <= high; idx++)
			up->un_aoe[idx] = 0;
		up = list_next(&sp->sem_undos, up);
	}
}
2837c478bdstevel@tonic-gate
/*
 * sem_rollback - roll back work done so far if unable to complete operation
 *
 * Walks the first n entries of op from last to first.  Each non-zero
 * operation is subtracted from its semaphore's value again, and for
 * SEM_UNDO operations the matching adjust-on-exit entry is reverted too.
 *
 * sem_num is used as an index without being re-validated here, and the
 * result of sem_undo_add() is deliberately discarded.
 */
static void
sem_rollback(ksemid_t *sp, struct sembuf *op, int n, struct sem_undo *undo)
{
	struct sembuf *cur;	/* operation being reverted */
	struct sem *target;	/* semaphore it was applied to */

	for (cur = op + (n - 1); n-- != 0; cur--) {
		if (cur->sem_op != 0) {
			target = &sp->sem_base[cur->sem_num];
			target->semval -= cur->sem_op;
			if (cur->sem_flg & SEM_UNDO) {
				ASSERT(undo != NULL);
				(void) sem_undo_add(-cur->sem_op,
				    cur->sem_num, undo);
			}
		}
	}
}
3037c478bdstevel@tonic-gate
/*
 * sem_rmid - Removal callback registered with ipcs_create() in _init().
 *
 * First detaches every undo structure from the set's sem_undos list.  For
 * each one the owning process's p_lock is taken; if that process still has
 * a p_semacct tree, the structure is removed from the tree, freed, and its
 * hold on the set is released.  If p_semacct is NULL the structure is only
 * unlinked from the list and is neither freed nor released here (the file
 * header describes semexit as the party that then cleans it up).
 *
 * Afterwards every semaphore in the set is zeroed and any waiters counted
 * in semncnt/semzcnt are woken.
 */
static void
sem_rmid(kipc_perm_t *perm)
{
	ksemid_t *sp = (ksemid_t *)perm;
	size_t undo_size = SEM_UNDOSZ(sp->sem_nsems);
	struct sem_undo *undo;
	struct sem *semp;
	int i;

	while ((undo = list_head(&sp->sem_undos)) != NULL) {
		list_remove(&sp->sem_undos, undo);
		mutex_enter(&undo->un_proc->p_lock);
		if (undo->un_proc->p_semacct != NULL) {
			avl_remove(undo->un_proc->p_semacct, undo);
			/* p_lock is dropped before the structure is freed. */
			mutex_exit(&undo->un_proc->p_lock);
			kmem_free(undo, undo_size);
			ipc_rele_locked(sem_svc, (kipc_perm_t *)sp);
		} else {
			/* Tree already detached: leave this one alone. */
			mutex_exit(&undo->un_proc->p_lock);
		}
	}

	for (i = 0; i < sp->sem_nsems; i++) {
		semp = &sp->sem_base[i];
		semp->sempid = 0;
		semp->semval = 0;
		if (semp->semncnt) {
			cv_broadcast(&semp->semncnt_cv);
			semp->semncnt = 0;
		}
		if (semp->semzcnt) {
			cv_broadcast(&semp->semzcnt_cv);
			semp->semzcnt = 0;
		}
	}
}
3407c478bdstevel@tonic-gate
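/*
 * semctl - Semctl system call.
 *
 * Works in two phases.  The first switch does everything that must happen
 * without the ID lock held: copying user data in (IPC_SET, IPC_SET64,
 * SETALL) and IPC_RMID, which returns directly.  The set is then looked up
 * with ipc_lookup(), which hands back the held ID lock, and the second
 * switch performs the command; every path drops that lock before
 * returning or before touching user memory with copyout().
 *
 * semid  - semaphore set identifier
 * semnum - index of a single semaphore (GETNCNT, GETPID, GETVAL, GETZCNT,
 *          SETVAL); checked against sem_nsems before use
 * cmd    - command to perform
 * arg    - user address or, for SETVAL, the new value
 *
 * Returns 0 or the requested value on success; on failure the result of
 * set_errno() is returned.
 *
 * The buffers copied out for IPC_STAT and IPC_STAT64 live on the kernel
 * stack and are zeroed before being filled in, so that any padding or
 * reserved members not assigned below cannot carry stale stack contents
 * out to the caller.
 */
static int
semctl(int semid, uint_t semnum, int cmd, uintptr_t arg)
{
	ksemid_t		*sp;	/* ptr to semaphore header */
	struct sem		*p;	/* ptr to semaphore */
	unsigned int		i;	/* loop control */
	ushort_t		*vals = NULL, *vp;
	size_t			vsize = 0;
	int			error = 0;
	int			retval = 0;
	struct cred		*cr;
	kmutex_t		*lock;
	model_t			mdl = get_udatamodel();
	STRUCT_DECL(semid_ds, sid);
	struct semid_ds64	ds64;

	STRUCT_INIT(sid, mdl);
	cr = CRED();

	/*
	 * Perform pre- or non-lookup actions (e.g. copyins, RMID).
	 */
	switch (cmd) {
	case IPC_SET:
		if (copyin((void *)arg, STRUCT_BUF(sid), STRUCT_SIZE(sid)))
			return (set_errno(EFAULT));
		break;

	case IPC_SET64:
		if (copyin((void *)arg, &ds64, sizeof (struct semid_ds64)))
			return (set_errno(EFAULT));
		break;

	case SETALL:
		/*
		 * The set size is sampled under the lock, but the lock is
		 * dropped for the allocation and copyin.  The size is
		 * checked again once the lock is retaken below.
		 */
		if ((lock = ipc_lookup(sem_svc, semid,
		    (kipc_perm_t **)&sp)) == NULL)
			return (set_errno(EINVAL));
		vsize = sp->sem_nsems * sizeof (*vals);
		mutex_exit(lock);

		/* allocate space to hold all semaphore values */
		vals = kmem_alloc(vsize, KM_SLEEP);

		if (copyin((void *)arg, vals, vsize)) {
			kmem_free(vals, vsize);
			return (set_errno(EFAULT));
		}
		break;

	case IPC_RMID:
		if ((error = ipc_rmid(sem_svc, semid, cr)) != 0)
			return (set_errno(error));
		return (0);
	}

	if ((lock = ipc_lookup(sem_svc, semid, (kipc_perm_t **)&sp)) == NULL) {
		/* Only SETALL has allocated anything at this point. */
		if (vsize != 0)
			kmem_free(vals, vsize);
		return (set_errno(EINVAL));
	}
	switch (cmd) {
	/* Set ownership and permissions. */
	case IPC_SET:

		if ((error = ipcperm_set(sem_svc, cr, &sp->sem_perm,
		    &STRUCT_BUF(sid)->sem_perm, mdl)) != 0) {
			mutex_exit(lock);
			return (set_errno(error));
		}
		sp->sem_ctime = gethrestime_sec();
		mutex_exit(lock);
		return (0);

	/* Get semaphore data structure. */
	case IPC_STAT:

		if ((error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) != 0) {
			mutex_exit(lock);
			return (set_errno(error));
		}

		/*
		 * sid was never copied in for this command; clear it so
		 * only the members set below reach the caller.
		 */
		bzero(STRUCT_BUF(sid), STRUCT_SIZE(sid));
		ipcperm_stat(&STRUCT_BUF(sid)->sem_perm, &sp->sem_perm, mdl);
		STRUCT_FSETP(sid, sem_base, NULL);	/* kernel addr */
		STRUCT_FSET(sid, sem_nsems, sp->sem_nsems);
		STRUCT_FSET(sid, sem_otime, sp->sem_otime);
		STRUCT_FSET(sid, sem_ctime, sp->sem_ctime);
		STRUCT_FSET(sid, sem_binary, sp->sem_binary);
		mutex_exit(lock);

		if (copyout(STRUCT_BUF(sid), (void *)arg, STRUCT_SIZE(sid)))
			return (set_errno(EFAULT));
		return (0);

	case IPC_SET64:

		if ((error = ipcperm_set64(sem_svc, cr, &sp->sem_perm,
		    &ds64.semx_perm)) != 0) {
			mutex_exit(lock);
			return (set_errno(error));
		}
		sp->sem_ctime = gethrestime_sec();
		mutex_exit(lock);
		return (0);

	case IPC_STAT64:

		/*
		 * NOTE(review): unlike IPC_STAT, no ipcperm_access(SEM_R)
		 * check is made on this path -- confirm that is intended
		 * for this interface.
		 */

		/* ds64 is an uninitialized stack object here; clear it. */
		bzero(&ds64, sizeof (ds64));
		ipcperm_stat64(&ds64.semx_perm, &sp->sem_perm);
		ds64.semx_nsems = sp->sem_nsems;
		ds64.semx_otime = sp->sem_otime;
		ds64.semx_ctime = sp->sem_ctime;

		mutex_exit(lock);
		if (copyout(&ds64, (void *)arg, sizeof (struct semid_ds64)))
			return (set_errno(EFAULT));

		return (0);

	/* Get # of processes sleeping for greater semval. */
	case GETNCNT:
		if ((error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) != 0) {
			mutex_exit(lock);
			return (set_errno(error));
		}
		if (semnum >= sp->sem_nsems) {
			mutex_exit(lock);
			return (set_errno(EINVAL));
		}
		retval = sp->sem_base[semnum].semncnt;
		mutex_exit(lock);
		return (retval);

	/* Get pid of last process to operate on semaphore. */
	case GETPID:
		if ((error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) != 0) {
			mutex_exit(lock);
			return (set_errno(error));
		}
		if (semnum >= sp->sem_nsems) {
			mutex_exit(lock);
			return (set_errno(EINVAL));
		}
		retval = sp->sem_base[semnum].sempid;
		mutex_exit(lock);
		return (retval);

	/* Get semval of one semaphore. */
	case GETVAL:
		if ((error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) != 0) {
			mutex_exit(lock);
			return (set_errno(error));
		}
		if (semnum >= sp->sem_nsems) {
			mutex_exit(lock);
			return (set_errno(EINVAL));
		}
		retval = sp->sem_base[semnum].semval;
		mutex_exit(lock);
		return (retval);

	/* Get all semvals in set. */
	case GETALL:
		if ((error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) != 0) {
			mutex_exit(lock);
			return (set_errno(error));
		}

		/* allocate space to hold all semaphore values */
		vsize = sp->sem_nsems * sizeof (*vals);
		vals = vp = kmem_alloc(vsize, KM_SLEEP);

		/* Every element of vals is written before the copyout. */
		for (i = sp->sem_nsems, p = sp->sem_base; i--; p++, vp++)
			bcopy(&p->semval, vp, sizeof (p->semval));

		mutex_exit(lock);

		if (copyout((void *)vals, (void *)arg, vsize)) {
			kmem_free(vals, vsize);
			return (set_errno(EFAULT));
		}

		kmem_free(vals, vsize);
		return (0);

	/* Get # of processes sleeping for semval to become zero. */
	case GETZCNT:
		if ((error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) != 0) {
			mutex_exit(lock);
			return (set_errno(error));
		}
		if (semnum >= sp->sem_nsems) {
			mutex_exit(lock);
			return (set_errno(EINVAL));
		}
		retval = sp->sem_base[semnum].semzcnt;
		mutex_exit(lock);
		return (retval);

	/* Set semval of one semaphore. */
	case SETVAL:
		if ((error = ipcperm_access(&sp->sem_perm, SEM_A, cr)) != 0) {
			mutex_exit(lock);
			return (set_errno(error));
		}
		if (semnum >= sp->sem_nsems) {
			mutex_exit(lock);
			return (set_errno(EINVAL));
		}
		/* arg is narrowed to uint_t before the range check. */
		if ((uint_t)arg > USHRT_MAX) {
			mutex_exit(lock);
			return (set_errno(ERANGE));
		}
		p = &sp->sem_base[semnum];
		if ((p->semval = (ushort_t)arg) != 0) {
			if (p->semncnt) {
				cv_broadcast(&p->semncnt_cv);
			}
		} else if (p->semzcnt) {
			cv_broadcast(&p->semzcnt_cv);
		}
		p->sempid = curproc->p_pid;
		sem_undo_clear(sp, (ushort_t)semnum, (ushort_t)semnum);
		mutex_exit(lock);
		return (0);

	/* Set semvals of all semaphores in set. */
	case SETALL:
		/* Check if semaphore set has been deleted and reallocated. */
		if (sp->sem_nsems * sizeof (*vals) != vsize) {
			error = set_errno(EINVAL);
			goto seterr;
		}
		if ((error = ipcperm_access(&sp->sem_perm, SEM_A, cr)) != 0) {
			error = set_errno(error);
			goto seterr;
		}
		sem_undo_clear(sp, 0, sp->sem_nsems - 1);
		for (i = 0, p = sp->sem_base; i < sp->sem_nsems;
		    (p++)->sempid = curproc->p_pid) {
			if ((p->semval = vals[i++]) != 0) {
				if (p->semncnt) {
					cv_broadcast(&p->semncnt_cv);
				}
			} else if (p->semzcnt) {
				cv_broadcast(&p->semzcnt_cv);
			}
		}
seterr:
		/* Shared exit for SETALL: error is 0 on the success path. */
		mutex_exit(lock);
		kmem_free(vals, vsize);
		return (error);

	default:
		mutex_exit(lock);
		return (set_errno(EINVAL));
	}

	/* NOTREACHED */
}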
/*
 * semexit - Called by exit() to clean up on process exit.
 *
 * The process's undo tree (p_semacct) is detached from the proc under
 * p_lock.  Each undo record is then applied to its semaphore set while
 * holding that set's IPC lock, and freed.  An adjustment whose result
 * would fall outside [0, USHRT_MAX] is skipped, not clamped.  If the set
 * has already been removed (IPC_FREE) its semaphores are not touched.
 *
 * Each record carries a hold on its set (taken in sem_undo_alloc); the
 * ipc_rele() below pairs with it and presumably also drops the lock
 * taken by ipc_lock() -- confirm against os/ipc.c.
 *
 * NOTE(review): the tree pointer is handed to avl_destroy_nodes() with
 * no NULL check, so callers presumably invoke this only when p_semacct
 * is set -- confirm at the call site.
 */
void
semexit(proc_t *pp)
{
	avl_tree_t	*acct;
	struct sem_undo	*rec;
	void		*walk = NULL;

	/* Detach the undo tree from the proc while holding p_lock. */
	mutex_enter(&pp->p_lock);
	acct = pp->p_semacct;
	pp->p_semacct = NULL;
	mutex_exit(&pp->p_lock);

	for (;;) {
		ksemid_t *set;
		size_t recsz;
		int idx;

		rec = avl_destroy_nodes(acct, &walk);
		if (rec == NULL)
			break;

		set = rec->un_sp;
		/* Size is taken up front; it is needed after the release. */
		recsz = SEM_UNDOSZ(set->sem_nsems);

		(void) ipc_lock(sem_svc, set->sem_perm.ipc_id);
		if (!IPC_FREE(&set->sem_perm)) {
			for (idx = 0; idx < set->sem_nsems; idx++) {
				struct sem *semp;
				int delta = rec->un_aoe[idx];
				int newval;

				if (delta == 0)
					continue;

				semp = &set->sem_base[idx];
				newval = (int)semp->semval + delta;

				/* Result out of range: drop this adjustment. */
				if (newval < 0 || newval > USHRT_MAX)
					continue;

				semp->semval = (ushort_t)newval;
				/* Wake waiters whose condition may now hold. */
				if (newval == 0 && semp->semzcnt)
					cv_broadcast(&semp->semzcnt_cv);
				if (delta > 0 && semp->semncnt)
					cv_broadcast(&semp->semncnt_cv);
			}
			list_remove(&set->sem_undos, rec);
		}
		ipc_rele(sem_svc, (kipc_perm_t *)set);
		kmem_free(rec, recsz);
	}

	avl_destroy(acct);
	kmem_free(acct, sizeof (avl_tree_t));
}
/*
 * Zone teardown hook for the semaphore service.  Called by zone_shutdown
 * when the zone is halted; removes all semaphores associated with that
 * zone by passing its id to the common IPC code (ipc_remove_zone).
 * The second argument is not used.
 */
/*ARGSUSED1*/
static void
sem_remove_zone(zoneid_t zoneid, void *arg)
{
	ipc_remove_zone(sem_svc, zoneid);
}
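/*
 * semget - Semget system call.
 *
 * Looks up the semaphore set for 'key' through ipc_get() and, when the
 * returned object is still free (IPC_FREE), finishes creating it with
 * 'nsems' semaphores.
 *
 * Returns the set's ipc_id on success.  On failure returns the value of
 * set_errno() for:
 *	- any error reported by ipc_get() or ipc_commit_begin();
 *	- EINVAL when an existing set holds fewer than 'nsems' semaphores
 *	  or 'nsems' is negative;
 *	- EINVAL when a new set is requested with nsems <= 0, with
 *	  nsems > USHRT_MAX, or with a count the process.max-sem-nsems
 *	  style resource control (rc_process_semmsl) denies.
 */
static int
semget(key_t key, int nsems, int semflg)
{
	ksemid_t	*sp;
	kmutex_t	*lock;
	int		id, error;
	proc_t		*pp = curproc;

top:
	if (error = ipc_get(sem_svc, key, semflg, (kipc_perm_t **)&sp, &lock))
		return (set_errno(error));

	if (!IPC_FREE(&sp->sem_perm)) {
		/*
		 * A semaphore with the requested key exists.  The caller
		 * may ask for no more semaphores than the set contains.
		 */
		if (!((nsems >= 0) && (nsems <= sp->sem_nsems))) {
			mutex_exit(lock);
			return (set_errno(EINVAL));
		}
	} else {
		/*
		 * This is a new semaphore set.  Finish initialization.
		 *
		 * The count is stored below as a ushort_t while the array
		 * is sized from the full int.  Reject anything that the
		 * cast would truncate, so the recorded sem_nsems can never
		 * disagree with the allocation; the resource control is
		 * configured elsewhere and is not relied on for this.
		 *
		 * Both 'lock' and p_lock are released on this path, so
		 * ipc_get() evidently returns with p_lock held for a new
		 * object -- see os/ipc.c.
		 */
		if (nsems <= 0 || nsems > USHRT_MAX ||
		    (rctl_test(rc_process_semmsl, pp->p_rctls, pp,
		    nsems, RCA_SAFE) & RCT_DENY)) {
			mutex_exit(lock);
			mutex_exit(&pp->p_lock);
			ipc_cleanup(sem_svc, (kipc_perm_t *)sp);
			return (set_errno(EINVAL));
		}
		/* Drop the locks before the sleeping allocation below. */
		mutex_exit(lock);
		mutex_exit(&pp->p_lock);

		/*
		 * We round the allocation up to coherency granularity
		 * so that multiple semaphore allocations won't result
		 * in the false sharing of their sem structures.
		 */
		sp->sem_base =
		    kmem_zalloc(P2ROUNDUP(nsems * sizeof (struct sem), 64),
		    KM_SLEEP);
		sp->sem_binary = (nsems == 1);
		sp->sem_nsems = (ushort_t)nsems;
		sp->sem_ctime = gethrestime_sec();
		sp->sem_otime = 0;
		list_create(&sp->sem_undos, sizeof (struct sem_undo),
		    offsetof(struct sem_undo, un_list));

		/*
		 * NOTE(review): on failure sp is not cleaned up here, so
		 * ipc_commit_begin() presumably disposes of it (including
		 * sem_base) itself -- confirm.  EAGAIN restarts the lookup.
		 */
		if (error = ipc_commit_begin(sem_svc, key, semflg,
		    (kipc_perm_t *)sp)) {
			if (error == EAGAIN)
				goto top;
			return (set_errno(error));
		}
		sp->sem_maxops =
		    rctl_enforced_value(rc_process_semopm, pp->p_rctls, pp);
		/*
		 * The limit is tested a second time because the locks were
		 * dropped for the allocation after the first test.
		 */
		if (rctl_test(rc_process_semmsl, pp->p_rctls, pp, nsems,
		    RCA_SAFE) & RCT_DENY) {
			ipc_cleanup(sem_svc, (kipc_perm_t *)sp);
			return (set_errno(EINVAL));
		}
		lock = ipc_commit_end(sem_svc, &sp->sem_perm);
	}

	if (AU_AUDITING())
		audit_ipcget(AT_IPC_SEM, (void *)sp);

	/* Read the id while the set is still locked. */
	id = sp->sem_perm.ipc_id;
	mutex_exit(lock);
	return (id);
}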
/*
 * semids system call.
 *
 * Forwards the request to ipc_ids() for the semaphore service.  Returns 0
 * when ipc_ids() reports no error, otherwise the result of set_errno()
 * on the error it returned.  'buf' and 'pnids' are passed through
 * untouched; any user-address handling is left to ipc_ids().
 */
static int
semids(int *buf, uint_t nids, uint_t *pnids)
{
	int rc = ipc_ids(sem_svc, buf, nids, pnids);

	return (rc != 0 ? set_errno(rc) : 0);
}
/*
 * Helper function for semop - copies in the provided timespec and
 * computes the absolute future time after which we must return.
 *
 *	tsp	out: set to 'ts' once it holds the absolute deadline
 *	ts	kernel buffer that receives the copied-in value
 *	now	current time, added to the relative timeout
 *	timeout	user address of the relative timeout
 *
 * The user structure is read with copyin() in the layout selected by the
 * caller's data model.  Returns 0 on success, EFAULT if the copyin fails,
 * or EINVAL if itimerspecfix() rejects the value.  *tsp is written only
 * on success.
 */
static int
compute_timeout(timespec_t **tsp, timespec_t *ts, timespec_t *now,
	timespec_t *timeout)
{
	if (get_udatamodel() != DATAMODEL_NATIVE) {
		/* 32-bit caller: copy in the narrow form, then widen it. */
		timespec32_t narrow;

		if (copyin(timeout, &narrow, sizeof (timespec32_t)))
			return (EFAULT);
		TIMESPEC32_TO_TIMESPEC(ts, &narrow)
	} else if (copyin(timeout, ts, sizeof (timespec_t))) {
		return (EFAULT);
	}

	/* The value came from userland; refuse it if it does not check out. */
	if (itimerspecfix(ts))
		return (EINVAL);

	/*
	 * Convert the timespec value into absolute time.
	 */
	timespecadd(ts, now);
	*tsp = ts;

	return (0);
}
/*
 * Undo structure comparator.  We sort based on ksemid_t pointer.
 *
 * Returns -1, 0 or 1 according to whether x's un_sp pointer is below,
 * equal to, or above y's.  Only un_sp is read, so a lookup template needs
 * just that field filled in.
 */
static int
sem_undo_compar(const void *x, const void *y)
{
	const struct sem_undo *lhs = x;
	const struct sem_undo *rhs = y;

	if (lhs->un_sp == rhs->un_sp)
		return (0);
	return (lhs->un_sp < rhs->un_sp ? -1 : 1);
}
/*
 * Helper function for semop - creates an undo structure and adds it to
 * the process's avl tree and the semaphore's list.
 *
 *	pp	 process that owns the undo state
 *	sp	 semaphore set the undo record refers to
 *	lock	 in: the held set lock; out: the lock returned by ipc_lock()
 *	template key used to search the process's tree (un_sp set)
 *	un	 out: the record found or inserted
 *
 * The set lock is dropped for the sleeping allocations and taken again
 * afterwards, so the caller must re-validate anything it checked under
 * the old lock.  Returns EIDRM, with the re-taken lock still held, if the
 * set was removed in the meantime; otherwise 0.
 *
 * A newly inserted record takes its own hold on the set (ipc_hold); when
 * another record for this set is already in the tree, that one is
 * returned and the fresh allocation is freed.
 */
static int
sem_undo_alloc(proc_t *pp, ksemid_t *sp, kmutex_t **lock,
    struct sem_undo *template, struct sem_undo **un)
{
	struct sem_undo *fresh;
	avl_tree_t *spare = NULL;
	avl_index_t slot;
	size_t undosz;

	mutex_exit(*lock);

	undosz = SEM_UNDOSZ(sp->sem_nsems);
	fresh = kmem_zalloc(undosz, KM_SLEEP);
	fresh->un_proc = pp;
	fresh->un_sp = sp;

	/*
	 * Unlocked peek: pre-allocate a tree only if the process appears
	 * to have none.  The decision is made again under p_lock below.
	 */
	if (pp->p_semacct == NULL)
		spare = kmem_alloc(sizeof (avl_tree_t), KM_SLEEP);

	*lock = ipc_lock(sem_svc, sp->sem_perm.ipc_id);
	if (IPC_FREE(&sp->sem_perm)) {
		/* The set went away while we slept; undo the allocations. */
		kmem_free(fresh, undosz);
		if (spare != NULL)
			kmem_free(spare, sizeof (avl_tree_t));
		return (EIDRM);
	}

	mutex_enter(&pp->p_lock);
	if (spare != NULL && pp->p_semacct != NULL) {
		/* A tree was installed in the meantime; ours is surplus. */
		kmem_free(spare, sizeof (avl_tree_t));
	} else if (spare != NULL) {
		avl_create(spare, sem_undo_compar,
		    sizeof (struct sem_undo),
		    offsetof(struct sem_undo, un_avl));
		pp->p_semacct = spare;
	}

	*un = avl_find(pp->p_semacct, template, &slot);
	if (*un != NULL) {
		/* A record for this set already exists; use it. */
		mutex_exit(&pp->p_lock);
		kmem_free(fresh, undosz);
		return (0);
	}

	*un = fresh;
	avl_insert(pp->p_semacct, fresh, slot);
	mutex_exit(&pp->p_lock);
	list_insert_head(&sp->sem_undos, fresh);
	ipc_hold(sem_svc, (kipc_perm_t *)sp);

	return (0);
}
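/*
 * semop - Semop system call.  Also serves the timed variant: a non-NULL
 * 'timeout' is the user address of a relative timespec.
 *
 *	semid	id of the semaphore set
 *	sops	user address of the operation vector
 *	nsops	number of operations in the vector (0 is a successful no-op)
 *	timeout	user address of a relative timeout, or NULL to wait
 *		without a deadline
 *
 * Returns 0 when every operation was applied, otherwise the result of
 * set_errno() on one of: EFAULT, EINVAL, E2BIG, EFBIG, EIDRM, ERANGE,
 * EAGAIN, EINTR, or an error from compute_timeout(), ipcperm_access(),
 * sem_undo_alloc() or sem_undo_add().
 *
 * Points a reviewer should keep in mind:
 *	- nsops comes from userland and sizes a kernel allocation; it is
 *	  bounded by SEM_MAXUCOPS or by the set's sem_maxops before
 *	  anything larger than SEM_MAXUCOPS is allocated.
 *	- both copyin() calls run without the set lock held.  On the large
 *	  path the set is looked up first, so a hold is taken before the
 *	  lock is dropped and IPC_FREE is re-checked after it is re-taken.
 *	- every sem_num is range-checked against sem_nsems before it is
 *	  used to index sem_base.
 *	- permissions are checked again after sem_undo_alloc(), because it
 *	  drops and re-takes the set lock.
 *	- after a blocking wait the set may have been removed; semp is not
 *	  touched unless IPC_FREE says the set is still live.
 *
 * Exit convention: with 'held' set, ipc_rele() is used in place of
 * mutex_exit(lock) (it presumably drops both the hold and the lock --
 * confirm against os/ipc.c).
 */
static int
semop(int semid, struct sembuf *sops, size_t nsops, timespec_t *timeout)
{
	ksemid_t	*sp = NULL;
	kmutex_t	*lock;
	struct sembuf	*op;	/* ptr to operation */
	int		i;	/* loop control */
	struct sem	*semp;	/* ptr to semaphore */
	int		error = 0;
	struct sembuf	*uops;	/* ptr to copy of user ops */
	struct sembuf	x_sem;	/* avoid kmem_alloc's */
	timespec_t	now, ts, *tsp = NULL;
	int		timecheck = 0;
	int		cvres, needundo, mode;
	/*
	 * Start from NULL: undo is handed to sem_rollback() even when no
	 * operation asked for SEM_UNDO, so it must never be indeterminate.
	 */
	struct sem_undo	*undo = NULL;
	proc_t		*pp = curproc;
	int		held = 0;

	CPU_STATS_ADDQ(CPU, sys, sema, 1); /* bump semaphore op count */

	/*
	 * To avoid the cost of copying in 'timeout' in the common
	 * case, we could only grab the time here and defer the copyin
	 * and associated computations until we are about to block.
	 *
	 * The down side to this is that we would then have to spin
	 * some goto top nonsense to avoid the copyin behind the semid
	 * lock.  As a common use of timed semaphores is as an explicit
	 * blocking mechanism, this could incur a greater penalty.
	 *
	 * If we eventually decide that this would be a wise route to
	 * take, the deferrable functionality is completely contained
	 * in 'compute_timeout', and the interface is defined such that
	 * we can legally not validate 'timeout' if it is unused.
	 */
	if (timeout != NULL) {
		timecheck = timechanged;
		gethrestime(&now);
		if (error = compute_timeout(&tsp, &ts, &now, timeout))
			return (set_errno(error));
	}

	/*
	 * Allocate space to hold the vector of semaphore ops.  If
	 * there is only 1 operation we use a preallocated buffer on
	 * the stack for speed.
	 *
	 * Since we don't want to allow the user to allocate an
	 * arbitrary amount of kernel memory, we need to check against
	 * the number of operations allowed by the semaphore.  We only
	 * bother doing this if the number of operations is larger than
	 * SEM_MAXUCOPS.
	 */
	if (nsops == 1)
		uops = &x_sem;
	else if (nsops == 0)
		return (0);
	else if (nsops <= SEM_MAXUCOPS)
		uops = kmem_alloc(nsops * sizeof (*uops), KM_SLEEP);

	if (nsops > SEM_MAXUCOPS) {
		/*
		 * Large vector: validate nsops against the set before
		 * allocating anything.
		 *
		 * NOTE(review): an unknown semid is reported as EFAULT
		 * here but as EINVAL on the small-vector path below;
		 * confirm which is intended.
		 */
		if ((lock = ipc_lookup(sem_svc, semid,
		    (kipc_perm_t **)&sp)) == NULL)
			return (set_errno(EFAULT));

		if (nsops > sp->sem_maxops) {
			mutex_exit(lock);
			return (set_errno(E2BIG));
		}
		/*
		 * Keep a hold on the set while the lock is dropped for
		 * the allocation and the copyin.
		 */
		held = 1;
		ipc_hold(sem_svc, (kipc_perm_t *)sp);
		mutex_exit(lock);

		uops = kmem_alloc(nsops * sizeof (*uops), KM_SLEEP);
		if (copyin(sops, uops, nsops * sizeof (*op))) {
			error = EFAULT;
			/* semoperr releases via ipc_rele; re-take first. */
			(void) ipc_lock(sem_svc, sp->sem_perm.ipc_id);
			goto semoperr;
		}

		lock = ipc_lock(sem_svc, sp->sem_perm.ipc_id);
		/* The set may have been removed while we were unlocked. */
		if (IPC_FREE(&sp->sem_perm)) {
			error = EIDRM;
			goto semoperr;
		}
	} else {
		/*
		 * This could be interleaved with the above code, but
		 * keeping them separate improves readability.
		 */
		if (copyin(sops, uops, nsops * sizeof (*op))) {
			error = EFAULT;
			goto semoperr_unlocked;
		}

		if ((lock = ipc_lookup(sem_svc, semid,
		    (kipc_perm_t **)&sp)) == NULL) {
			error = EINVAL;
			goto semoperr_unlocked;
		}

		if (nsops > sp->sem_maxops) {
			error = E2BIG;
			goto semoperr;
		}
	}

	/*
	 * Scan all operations.  Verify that sem #s are in range and
	 * this process is allowed the requested operations.  If any
	 * operations are marked SEM_UNDO, find (or allocate) the undo
	 * structure for this process and semaphore.
	 */
	needundo = 0;
	mode = 0;
	for (i = 0, op = uops; i++ < nsops; op++) {
		/* A zero sem_op only reads; anything else alters. */
		mode |= op->sem_op ? SEM_A : SEM_R;
		if (op->sem_num >= sp->sem_nsems) {
			error = EFBIG;
			goto semoperr;
		}
		if ((op->sem_flg & SEM_UNDO) && op->sem_op)
			needundo = 1;
	}
	if (error = ipcperm_access(&sp->sem_perm, mode, CRED()))
		goto semoperr;

	if (needundo) {
		struct sem_undo template;

		/* Only un_sp is filled in; the comparator reads only that. */
		template.un_sp = sp;
		mutex_enter(&pp->p_lock);
		if (pp->p_semacct)
			undo = avl_find(pp->p_semacct, &template, NULL);
		else
			undo = NULL;
		mutex_exit(&pp->p_lock);
		if (undo == NULL) {
			/* Hold the set across the unlock in sem_undo_alloc. */
			if (!held) {
				held = 1;
				ipc_hold(sem_svc, (kipc_perm_t *)sp);
			}
			if (error = sem_undo_alloc(pp, sp, &lock, &template,
			    &undo))
				goto semoperr;

			/* sem_undo_alloc unlocks the semaphore */
			if (error = ipcperm_access(&sp->sem_perm, mode, CRED()))
				goto semoperr;
		}
	}

check:
	/*
	 * Loop waiting for the operations to be satisfied atomically.
	 * Actually, do the operations and undo them if a wait is needed
	 * or an error is detected.
	 */
	for (i = 0; i < nsops; i++) {
		op = &uops[i];
		semp = &sp->sem_base[op->sem_num];

		/*
		 * Raise the semaphore (i.e. sema_v)
		 */
		if (op->sem_op > 0) {
			/* Refuse a raise that would exceed USHRT_MAX. */
			if (op->sem_op + (int)semp->semval > USHRT_MAX ||
			    ((op->sem_flg & SEM_UNDO) &&
			    (error = sem_undo_add(op->sem_op, op->sem_num,
			    undo)))) {
				if (i)
					sem_rollback(sp, uops, i, undo);
				if (error == 0)
					error = ERANGE;
				goto semoperr;
			}
			semp->semval += op->sem_op;
			/*
			 * If we are only incrementing the semaphore value
			 * by one on a binary semaphore, we can cv_signal.
			 */
			if (semp->semncnt) {
				if (op->sem_op == 1 && sp->sem_binary)
					cv_signal(&semp->semncnt_cv);
				else
					cv_broadcast(&semp->semncnt_cv);
			}
			if (semp->semzcnt && !semp->semval)
				cv_broadcast(&semp->semzcnt_cv);
			continue;
		}

		/*
		 * Lower the semaphore (i.e. sema_p)
		 */
		if (op->sem_op < 0) {
			if (semp->semval >= (unsigned)(-op->sem_op)) {
				if ((op->sem_flg & SEM_UNDO) &&
				    (error = sem_undo_add(op->sem_op,
				    op->sem_num, undo))) {
					if (i)
						sem_rollback(sp, uops, i, undo);
					goto semoperr;
				}
				semp->semval += op->sem_op;
				if (semp->semzcnt && !semp->semval)
					cv_broadcast(&semp->semzcnt_cv);
				continue;
			}
			/* Cannot be satisfied now: back out earlier ops. */
			if (i)
				sem_rollback(sp, uops, i, undo);
			if (op->sem_flg & IPC_NOWAIT) {
				error = EAGAIN;
				goto semoperr;
			}

			/*
			 * Mark the semaphore set as not a binary type
			 * if we are decrementing the value by more than 1.
			 *
			 * V operations will resort to cv_broadcast
			 * for this set because there are too many weird
			 * cases that have to be caught.
			 */
			if (op->sem_op < -1)
				sp->sem_binary = 0;
			/* Hold the set so sp stays valid across the wait. */
			if (!held) {
				held = 1;
				ipc_hold(sem_svc, (kipc_perm_t *)sp);
			}
			semp->semncnt++;
			cvres = cv_waituntil_sig(&semp->semncnt_cv, lock,
			    tsp, timecheck);
			lock = ipc_relock(sem_svc, sp->sem_perm.ipc_id, lock);

			/* Don't touch semp if the set has been removed. */
			if (!IPC_FREE(&sp->sem_perm)) {
				ASSERT(semp->semncnt != 0);
				semp->semncnt--;
				if (cvres > 0)	/* normal wakeup */
					goto check;
			}

			/* EINTR or EAGAIN overrides EIDRM */
			if (cvres == 0)
				error = EINTR;
			else if (cvres < 0)
				error = EAGAIN;
			else
				error = EIDRM;
			goto semoperr;
		}

		/*
		 * Wait for zero value
		 */
		if (semp->semval) {
			if (i)
				sem_rollback(sp, uops, i, undo);
			if (op->sem_flg & IPC_NOWAIT) {
				error = EAGAIN;
				goto semoperr;
			}

			/* Hold the set so sp stays valid across the wait. */
			if (!held) {
				held = 1;
				ipc_hold(sem_svc, (kipc_perm_t *)sp);
			}
			semp->semzcnt++;
			cvres = cv_waituntil_sig(&semp->semzcnt_cv, lock,
			    tsp, timecheck);
			lock = ipc_relock(sem_svc, sp->sem_perm.ipc_id, lock);

			/*
			 * Don't touch semp if the semaphores have been removed.
			 */
			if (!IPC_FREE(&sp->sem_perm)) {
				ASSERT(semp->semzcnt != 0);
				semp->semzcnt--;
				if (cvres > 0)	/* normal wakeup */
					goto check;
			}

			/* EINTR or EAGAIN overrides EIDRM */
			if (cvres == 0)
				error = EINTR;
			else if (cvres < 0)
				error = EAGAIN;
			else
				error = EIDRM;
			goto semoperr;
		}
	}

	/* All operations succeeded.  Update sempid for accessed semaphores. */
	for (i = 0, op = uops; i++ < nsops;
	    sp->sem_base[(op++)->sem_num].sempid = pp->p_pid)
		;
	sp->sem_otime = gethrestime_sec();
	if (held)
		ipc_rele(sem_svc, (kipc_perm_t *)sp);
	else
		mutex_exit(lock);

	/* Before leaving, deallocate the buffer that held the user semops */
	if (nsops != 1)
		kmem_free(uops, sizeof (*uops) * nsops);
	return (0);

	/*
	 * Error return labels
	 *
	 * semoperr expects the set lock to be held; semoperr_unlocked is
	 * for failures that occur before the set has been looked up.
	 */
semoperr:
	if (held)
		ipc_rele(sem_svc, (kipc_perm_t *)sp);
	else
		mutex_exit(lock);

semoperr_unlocked:

	/* Before leaving, deallocate the buffer that held the user semops */
	if (nsops != 1)
		kmem_free(uops, sizeof (*uops) * nsops);
	return (set_errno(error));
}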
/*
 * semsys - System entry point for semctl, semget, and semop system calls.
 *
 * Dispatches on 'opcode' and narrows the raw uintptr_t arguments to the
 * types each handler takes.  SEMOP and SEMTIMEDOP both go to semop(); only
 * the latter passes a4 through as the user timeout pointer.  The handler's
 * return value is returned unchanged; an unknown opcode yields
 * set_errno(EINVAL).
 *
 * The casts here only reinterpret the arguments.  Range and user-address
 * checks are left to the individual handlers.
 */
static int
semsys(int opcode, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4)
{
	switch (opcode) {
	case SEMCTL:
		return (semctl((int)a1, (uint_t)a2, (int)a3, a4));
	case SEMGET:
		return (semget((key_t)a1, (int)a2, (int)a3));
	case SEMOP:
		/* Untimed form: no timeout pointer. */
		return (semop((int)a1, (struct sembuf *)a2, (size_t)a3, 0));
	case SEMTIMEDOP:
		return (semop((int)a1, (struct sembuf *)a2, (size_t)a3,
		    (timespec_t *)a4));
	case SEMIDS:
		return (semids((int *)a1, (uint_t)a2, (uint_t *)a3));
	default:
		return (set_errno(EINVAL));
	}
}