xref: /illumos-gate/usr/src/uts/common/syscall/sem.c (revision d3e55dcdc881b833a707e39ae1e12d8d5d35ad2d)
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5824c205fSml  * Common Development and Distribution License (the "License").
6824c205fSml  * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate  * and limitations under the License.
127c478bd9Sstevel@tonic-gate  *
137c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate  *
197c478bd9Sstevel@tonic-gate  * CDDL HEADER END
207c478bd9Sstevel@tonic-gate  */
217c478bd9Sstevel@tonic-gate /*
22*d3e55dcdSgww  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
237c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
247c478bd9Sstevel@tonic-gate  */
257c478bd9Sstevel@tonic-gate 
267c478bd9Sstevel@tonic-gate /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
277c478bd9Sstevel@tonic-gate /*	  All Rights Reserved  	*/
287c478bd9Sstevel@tonic-gate 
297c478bd9Sstevel@tonic-gate 
307c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
317c478bd9Sstevel@tonic-gate 
327c478bd9Sstevel@tonic-gate /*
337c478bd9Sstevel@tonic-gate  * Inter-Process Communication Semaphore Facility.
347c478bd9Sstevel@tonic-gate  *
357c478bd9Sstevel@tonic-gate  * See os/ipc.c for a description of common IPC functionality.
367c478bd9Sstevel@tonic-gate  *
377c478bd9Sstevel@tonic-gate  * Resource controls
387c478bd9Sstevel@tonic-gate  * -----------------
397c478bd9Sstevel@tonic-gate  *
40824c205fSml  * Control:      zone.max-sem-ids (rc_zone_semmni)
41824c205fSml  * Description:  Maximum number of semaphore ids allowed a zone.
42824c205fSml  *
43824c205fSml  *   When semget() is used to allocate a semaphore set, one id is
44824c205fSml  *   allocated.  If the id allocation doesn't succeed, semget() fails
45824c205fSml  *   and errno is set to ENOSPC.  Upon successful semctl(, IPC_RMID)
46824c205fSml  *   the id is deallocated.
47824c205fSml  *
487c478bd9Sstevel@tonic-gate  * Control:      project.max-sem-ids (rc_project_semmni)
497c478bd9Sstevel@tonic-gate  * Description:  Maximum number of semaphore ids allowed a project.
507c478bd9Sstevel@tonic-gate  *
517c478bd9Sstevel@tonic-gate  *   When semget() is used to allocate a semaphore set, one id is
527c478bd9Sstevel@tonic-gate  *   allocated.  If the id allocation doesn't succeed, semget() fails
537c478bd9Sstevel@tonic-gate  *   and errno is set to ENOSPC.  Upon successful semctl(, IPC_RMID)
547c478bd9Sstevel@tonic-gate  *   the id is deallocated.
557c478bd9Sstevel@tonic-gate  *
567c478bd9Sstevel@tonic-gate  * Control:      process.max-sem-nsems (rc_process_semmsl)
577c478bd9Sstevel@tonic-gate  * Description:  Maximum number of semaphores allowed per semaphore set.
587c478bd9Sstevel@tonic-gate  *
597c478bd9Sstevel@tonic-gate  *   When semget() is used to allocate a semaphore set, the size of the
607c478bd9Sstevel@tonic-gate  *   set is compared with this limit.  If the number of semaphores
617c478bd9Sstevel@tonic-gate  *   exceeds the limit, semget() fails and errno is set to EINVAL.
627c478bd9Sstevel@tonic-gate  *
637c478bd9Sstevel@tonic-gate  * Control:      process.max-sem-ops (rc_process_semopm)
647c478bd9Sstevel@tonic-gate  * Description:  Maximum number of semaphore operations allowed per
657c478bd9Sstevel@tonic-gate  *               semop call.
667c478bd9Sstevel@tonic-gate  *
677c478bd9Sstevel@tonic-gate  *   When semget() successfully allocates a semaphore set, the minimum
687c478bd9Sstevel@tonic-gate  *   enforced value of this limit is used to initialize the
697c478bd9Sstevel@tonic-gate  *   "system-imposed maximum" number of operations a semop() call for
707c478bd9Sstevel@tonic-gate  *   this set can perform.
717c478bd9Sstevel@tonic-gate  *
727c478bd9Sstevel@tonic-gate  * Undo structures
737c478bd9Sstevel@tonic-gate  * ---------------
747c478bd9Sstevel@tonic-gate  *
757c478bd9Sstevel@tonic-gate  * Removing the undo structure tunables involved a serious redesign of
767c478bd9Sstevel@tonic-gate  * how they were implemented.  There is now one undo structure for
777c478bd9Sstevel@tonic-gate  * every process/semaphore array combination (lazily allocated, of
787c478bd9Sstevel@tonic-gate  * course), and each is equal in size to the semaphore it corresponds
797c478bd9Sstevel@tonic-gate  * to.  To avoid scalability and performance problems, the undo
807c478bd9Sstevel@tonic-gate  * structures are stored in two places: a per-process AVL tree sorted
817c478bd9Sstevel@tonic-gate  * by ksemid pointer (p_semacct, protected by p_lock) and an unsorted
827c478bd9Sstevel@tonic-gate  * per-semaphore linked list (sem_undos, protected by the semaphore's
837c478bd9Sstevel@tonic-gate  * ID lock).  The former is used by semop, where a lookup is performed
847c478bd9Sstevel@tonic-gate  * once and cached if SEM_UNDO is specified for any of the operations,
857c478bd9Sstevel@tonic-gate  * and at process exit where the undoable operations are rolled back.
867c478bd9Sstevel@tonic-gate  * The latter is used when removing the semaphore, so the undo
877c478bd9Sstevel@tonic-gate  * structures can be removed from the appropriate processes' trees.
887c478bd9Sstevel@tonic-gate  *
897c478bd9Sstevel@tonic-gate  * The undo structure itself contains pointers to the ksemid and proc
907c478bd9Sstevel@tonic-gate  * to which it corresponds, a list node, an AVL node, and an array of
917c478bd9Sstevel@tonic-gate  * adjust-on-exit (AOE) values.  When an undo structure is allocated it
927c478bd9Sstevel@tonic-gate  * is immediately added to both the process's tree and the semaphore's
937c478bd9Sstevel@tonic-gate  * list.  Lastly, the reference count on the semaphore is increased.
947c478bd9Sstevel@tonic-gate  *
957c478bd9Sstevel@tonic-gate  * Avoiding a lock ordering violation between p_lock and the ID lock,
967c478bd9Sstevel@tonic-gate  * wont to occur when there is a race between a process exiting and the
977c478bd9Sstevel@tonic-gate  * removal of a semaphore, mandates the delicate dance that exists
987c478bd9Sstevel@tonic-gate  * between semexit and sem_rmid.
997c478bd9Sstevel@tonic-gate  *
1007c478bd9Sstevel@tonic-gate  * sem_rmid, holding the ID lock, iterates through all undo structures
1017c478bd9Sstevel@tonic-gate  * and for each takes the appropriate process's p_lock and checks to
1027c478bd9Sstevel@tonic-gate  * see if p_semacct is NULL.  If it is, it skips that undo structure
1037c478bd9Sstevel@tonic-gate  * and continues to the next.  Otherwise, it removes the undo structure
1047c478bd9Sstevel@tonic-gate  * from both the AVL tree and the semaphore's list, and releases the
1057c478bd9Sstevel@tonic-gate  * hold that the undo structure had on the semaphore.
1067c478bd9Sstevel@tonic-gate  *
1077c478bd9Sstevel@tonic-gate  * The important other half of this is semexit, which will immediately
1087c478bd9Sstevel@tonic-gate  * take p_lock, obtain the AVL pointer, clear p_semacct, and drop
1097c478bd9Sstevel@tonic-gate  * p_lock.  From this point on it is semexit's responsibility to clean
1107c478bd9Sstevel@tonic-gate  * up all undo structures found in the tree -- a coexecuting sem_rmid
1117c478bd9Sstevel@tonic-gate  * will see the NULL p_semacct and skip that undo structure.  It walks
1127c478bd9Sstevel@tonic-gate  * the AVL tree (using avl_destroy_nodes) and for each undo structure
1137c478bd9Sstevel@tonic-gate  * takes the appropriate semaphore's ID lock (always legal since the
1147c478bd9Sstevel@tonic-gate  * undo structure has a hold on the semaphore), updates all semaphores
1157c478bd9Sstevel@tonic-gate  * with non-zero AOE values, and removes the structure from the
1167c478bd9Sstevel@tonic-gate  * semaphore's list.  It then drops the structure's reference on the
1177c478bd9Sstevel@tonic-gate  * semaphore, drops the ID lock, and frees the undo structure.
1187c478bd9Sstevel@tonic-gate  */
1197c478bd9Sstevel@tonic-gate 
1207c478bd9Sstevel@tonic-gate #include <sys/types.h>
1217c478bd9Sstevel@tonic-gate #include <sys/t_lock.h>
1227c478bd9Sstevel@tonic-gate #include <sys/param.h>
1237c478bd9Sstevel@tonic-gate #include <sys/systm.h>
1247c478bd9Sstevel@tonic-gate #include <sys/sysmacros.h>
1257c478bd9Sstevel@tonic-gate #include <sys/cred.h>
1267c478bd9Sstevel@tonic-gate #include <sys/vmem.h>
1277c478bd9Sstevel@tonic-gate #include <sys/kmem.h>
1287c478bd9Sstevel@tonic-gate #include <sys/errno.h>
1297c478bd9Sstevel@tonic-gate #include <sys/time.h>
1307c478bd9Sstevel@tonic-gate #include <sys/ipc.h>
1317c478bd9Sstevel@tonic-gate #include <sys/ipc_impl.h>
1327c478bd9Sstevel@tonic-gate #include <sys/sem.h>
1337c478bd9Sstevel@tonic-gate #include <sys/sem_impl.h>
1347c478bd9Sstevel@tonic-gate #include <sys/user.h>
1357c478bd9Sstevel@tonic-gate #include <sys/proc.h>
1367c478bd9Sstevel@tonic-gate #include <sys/cpuvar.h>
1377c478bd9Sstevel@tonic-gate #include <sys/debug.h>
1387c478bd9Sstevel@tonic-gate #include <sys/var.h>
1397c478bd9Sstevel@tonic-gate #include <sys/cmn_err.h>
1407c478bd9Sstevel@tonic-gate #include <sys/modctl.h>
1417c478bd9Sstevel@tonic-gate #include <sys/syscall.h>
1427c478bd9Sstevel@tonic-gate #include <sys/avl.h>
1437c478bd9Sstevel@tonic-gate #include <sys/list.h>
1447c478bd9Sstevel@tonic-gate #include <sys/zone.h>
1457c478bd9Sstevel@tonic-gate 
1467c478bd9Sstevel@tonic-gate #include <c2/audit.h>
1477c478bd9Sstevel@tonic-gate 
/*
 * Handles for the resource controls described at the top of this file.
 * They are defined elsewhere; this file only references them.
 */
extern rctl_hndl_t rc_zone_semmni;	/* zone.max-sem-ids */
extern rctl_hndl_t rc_project_semmni;	/* project.max-sem-ids */
extern rctl_hndl_t rc_process_semmsl;	/* process.max-sem-nsems */
extern rctl_hndl_t rc_process_semopm;	/* process.max-sem-ops */

/* IPC service handle for semaphore ids; assigned by ipcs_create() in _init(). */
static ipc_service_t *sem_svc;

/* Zone key created in _init() with sem_remove_zone as one of its callbacks. */
static zone_key_t sem_zone_key;
1547c478bd9Sstevel@tonic-gate 
/*
 * Obsolete tunables.
 *
 * seminfo_semmsl, seminfo_semopm and seminfo_semmni are still read and
 * interpreted for compatibility (see os/project.c and os/rctl_proc.c), but
 * the preferred mechanism for administering the IPC Semaphore facility is
 * the set of resource controls described at the top of this file.  The
 * variables stay global and writable so existing settings continue to
 * resolve.
 */
int seminfo_semaem = 16384;		/* (obsolete) */
int seminfo_semmap = 10;		/* (obsolete) */
int seminfo_semmni = 10;		/* (obsolete), still interpreted */
int seminfo_semmns = 60;		/* (obsolete) */
int seminfo_semmnu = 30;		/* (obsolete) */
int seminfo_semmsl = 25;		/* (obsolete), still interpreted */
int seminfo_semopm = 10;		/* (obsolete), still interpreted */
int seminfo_semume = 10;		/* (obsolete) */
int seminfo_semusz = 96;		/* (obsolete) */
int seminfo_semvmx = 32767;		/* (obsolete) */
1727c478bd9Sstevel@tonic-gate 
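/* max # of unchecked ops per semop call */
#define	SEM_MAXUCOPS	4096

/*
 * SEM_UNDOSZ(n) - size in bytes of a struct sem_undo carrying n
 * adjust-on-exit slots.  The "n - 1" presumes struct sem_undo already ends
 * in a one-element int array (see sys/sem_impl.h to confirm).
 *
 * The argument is parenthesized so that an expression argument (e.g. a
 * conditional) cannot re-associate with the "- 1" and yield a short size.
 * sem_rmid() passes this value to kmem_free(), so it has to equal the size
 * the structure was allocated with; n should therefore always be the set's
 * sem_nsems.  No overflow check is made here -- n is expected to have been
 * bounded already (presumably by process.max-sem-nsems at semget() time).
 */
#define	SEM_UNDOSZ(n)	\
	(sizeof (struct sem_undo) + ((n) - 1) * sizeof (int))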
1757c478bd9Sstevel@tonic-gate 
/* Forward declarations for routines referenced before they are defined. */
static int semsys(int opcode, uintptr_t a0, uintptr_t a1, uintptr_t a2,
    uintptr_t a3);
static void sem_dtor(kipc_perm_t *);
static void sem_rmid(kipc_perm_t *);
static void sem_remove_zone(zoneid_t, void *);

/*
 * System call entry shared by the native and 32-bit linkages below.
 * The leading 5 matches the number of parameters semsys() takes, and
 * SE_NOUNLOAD is consistent with _fini() always returning EBUSY.
 */
static struct sysent ipcsem_sysent = {
	5,					/* opcode, a0 .. a3 */
	SE_NOUNLOAD | SE_ARGC | SE_32RVAL1,
	semsys
};
1877c478bd9Sstevel@tonic-gate 
/*
 * Module linkage information for the kernel.
 *
 * Both syscall linkages point at the same ipcsem_sysent entry; the 32-bit
 * linkage is built only when _SYSCALL32_IMPL is defined.
 */
static struct modlsys modlsys = {
	&mod_syscallops,
	"System V semaphore facility",
	&ipcsem_sysent
};

#ifdef _SYSCALL32_IMPL
static struct modlsys modlsys32 = {
	&mod_syscallops32,
	"32-bit System V semaphore facility",
	&ipcsem_sysent
};
#endif

static struct modlinkage modlinkage = {
	MODREV_1,
	&modlsys,
#ifdef _SYSCALL32_IMPL
	&modlsys32,
#endif
	NULL					/* list terminator */
};
2097c478bd9Sstevel@tonic-gate 
2107c478bd9Sstevel@tonic-gate 
/*
 * _init - module load entry point.
 *
 * Creates the "semids" IPC service (with sem_dtor and sem_rmid as its
 * callbacks) and the zone key, then installs the module.  If mod_install()
 * fails, both are torn down again and its error code is returned; on
 * success the return value is 0.
 */
int
_init(void)
{
	int err;

	sem_svc = ipcs_create("semids", rc_project_semmni, rc_zone_semmni,
	    sizeof (ksemid_t), sem_dtor, sem_rmid, AT_IPC_SEM,
	    offsetof(ipc_rqty_t, ipcq_semmni));
	zone_key_create(&sem_zone_key, NULL, sem_remove_zone, NULL);

	err = mod_install(&modlinkage);
	if (err != 0) {
		/* Installation failed: undo the setup in reverse order. */
		(void) zone_key_delete(sem_zone_key);
		ipcs_destroy(sem_svc);
	}

	return (err);
}
2297c478bd9Sstevel@tonic-gate 
/*
 * _fini - module unload entry point.
 *
 * Always refuses with EBUSY, so the facility stays resident once loaded
 * (ipcsem_sysent is flagged SE_NOUNLOAD as well).  Nothing created in
 * _init() is released here.
 */
int
_fini(void)
{
	int rc = EBUSY;

	return (rc);
}
2357c478bd9Sstevel@tonic-gate 
/*
 * _info - module information entry point; hands modinfop and this module's
 * linkage to mod_info() and returns its result unchanged.
 */
int
_info(struct modinfo *modinfop)
{
	int rc;

	rc = mod_info(&modlinkage, modinfop);
	return (rc);
}
2417c478bd9Sstevel@tonic-gate 
/*
 * sem_dtor - destructor handed to ipcs_create() in _init().
 *
 * Frees the semaphore array and destroys the undo list head.  The size
 * given to kmem_free() is recomputed from sem_nsems rather than stored, so
 * it must match the expression used where sem_base is allocated (not in
 * this part of the file) and sem_nsems must not change over the set's
 * lifetime -- a mismatch would free with the wrong size.
 */
static void
sem_dtor(kipc_perm_t *perm)
{
	ksemid_t *sem = (ksemid_t *)perm;
	size_t base_sz = P2ROUNDUP(sem->sem_nsems * sizeof (struct sem), 64);

	kmem_free(sem->sem_base, base_sz);
	list_destroy(&sem->sem_undos);
}
2517c478bd9Sstevel@tonic-gate 
/*
 * sem_undo_add - Create or update adjust on exit entry.
 *
 * Subtracts val from slot num of undo's adjust-on-exit array.  Returns
 * ERANGE, leaving the slot untouched, when the result would fall outside
 * [-USHRT_MAX, USHRT_MAX]; returns 0 once the slot has been updated.
 *
 * num is used as an index without a bounds check and undo is dereferenced
 * unconditionally, so callers must pass a semaphore number already
 * validated against the set's size and a non-NULL undo structure.
 */
static int
sem_undo_add(short val, ushort_t num, struct sem_undo *undo)
{
	int adj = undo->un_aoe[num] - val;

	if (adj < -USHRT_MAX || adj > USHRT_MAX)
		return (ERANGE);

	undo->un_aoe[num] = adj;
	return (0);
}
2667c478bd9Sstevel@tonic-gate 
/*
 * sem_undo_clear - clears all undo entries for specified semaphores
 *
 * Used when semaphores are reset by SETVAL or SETALL.  Zeroes slots
 * low..high (inclusive) in every undo structure on the set's sem_undos
 * list.  The file header states that list is protected by the semaphore's
 * ID lock; the semctl() callers invoke this before dropping that lock.
 *
 * The two ASSERT()s are the only range checks made here (ASSERT is
 * typically compiled out of non-DEBUG kernels), so callers are responsible
 * for passing low <= high < sem_nsems.
 */
static void
sem_undo_clear(ksemid_t *sp, ushort_t low, ushort_t high)
{
	struct sem_undo *un;
	int idx;

	ASSERT(low <= high);
	ASSERT(high < sp->sem_nsems);

	un = list_head(&sp->sem_undos);
	while (un != NULL) {
		for (idx = low; idx <= high; idx++)
			un->un_aoe[idx] = 0;
		un = list_next(&sp->sem_undos, un);
	}
}
2867c478bd9Sstevel@tonic-gate 
/*
 * sem_rollback - roll back work done so far if unable to complete operation
 *
 * Walks the first n entries of op from last to first.  For each entry with
 * a non-zero sem_op it subtracts sem_op from the semaphore's semval again
 * and, if SEM_UNDO was set, reverses the matching adjust-on-exit change.
 * The sem_undo_add() result is deliberately discarded.
 *
 * sem_num is not re-validated here; the entries are presumed to have been
 * checked when they were first applied (that code is not in this part of
 * the file).
 */
static void
sem_rollback(ksemid_t *sp, struct sembuf *op, int n, struct sem_undo *undo)
{
	struct sembuf *cur;	/* operation being reversed */
	struct sem *semp;	/* semaphore ptr */
	int left;

	cur = op + (n - 1);
	for (left = n; left != 0; left--, cur--) {
		if (cur->sem_op == 0)
			continue;

		semp = &sp->sem_base[cur->sem_num];
		semp->semval -= cur->sem_op;

		if ((cur->sem_flg & SEM_UNDO) != 0) {
			ASSERT(undo != NULL);
			(void) sem_undo_add(-cur->sem_op, cur->sem_num, undo);
		}
	}
}
3067c478bd9Sstevel@tonic-gate 
/*
 * sem_rmid - removal callback handed to ipcs_create() in _init().
 *
 * Detaches every undo structure from the set, then zeroes each semaphore
 * and wakes any threads waiting on it.  Per the file header this runs with
 * the semaphore's ID lock held.
 *
 * Statement order in the first loop is load-bearing:
 *   - the entry is unlinked from sem_undos before p_lock is taken, so an
 *     entry skipped below is already off the semaphore's list;
 *   - p_semacct is examined only while holding that process's p_lock;
 *   - a NULL p_semacct means the exiting process has claimed its undo tree,
 *     so the structure is neither freed nor released here.  Freeing it in
 *     that case would race with the exit-side cleanup (semexit, not in
 *     this part of the file), which still owns it.
 *
 * The kmem_free() size is derived from sem_nsems, so it relies on
 * sem_nsems being unchanged since the undo structure was allocated.
 */
static void
sem_rmid(kipc_perm_t *perm)
{
	ksemid_t *sp = (ksemid_t *)perm;
	size_t undo_sz = SEM_UNDOSZ(sp->sem_nsems);
	struct sem_undo *un;
	struct sem *s;
	kmutex_t *plock;
	int idx;

	for (;;) {
		un = list_head(&sp->sem_undos);
		if (un == NULL)
			break;

		list_remove(&sp->sem_undos, un);

		plock = &un->un_proc->p_lock;
		mutex_enter(plock);
		if (un->un_proc->p_semacct == NULL) {
			/* Process is exiting; it owns this structure now. */
			mutex_exit(plock);
			continue;
		}
		avl_remove(un->un_proc->p_semacct, un);
		mutex_exit(plock);

		kmem_free(un, undo_sz);
		/* Drop the hold this undo structure had on the semaphore. */
		ipc_rele_locked(sem_svc, (kipc_perm_t *)sp);
	}

	for (idx = 0; idx < sp->sem_nsems; idx++) {
		s = &sp->sem_base[idx];
		s->sempid = 0;
		s->semval = 0;
		if (s->semncnt != 0) {
			cv_broadcast(&s->semncnt_cv);
			s->semncnt = 0;
		}
		if (s->semzcnt != 0) {
			cv_broadcast(&s->semzcnt_cv);
			s->semzcnt = 0;
		}
	}
}
3437c478bd9Sstevel@tonic-gate 
3447c478bd9Sstevel@tonic-gate /*
3457c478bd9Sstevel@tonic-gate  * semctl - Semctl system call.
3467c478bd9Sstevel@tonic-gate  */
3477c478bd9Sstevel@tonic-gate static int
3487c478bd9Sstevel@tonic-gate semctl(int semid, uint_t semnum, int cmd, uintptr_t arg)
3497c478bd9Sstevel@tonic-gate {
3507c478bd9Sstevel@tonic-gate 	ksemid_t		*sp;	/* ptr to semaphore header */
3517c478bd9Sstevel@tonic-gate 	struct sem		*p;	/* ptr to semaphore */
3527c478bd9Sstevel@tonic-gate 	unsigned int		i;	/* loop control */
3537c478bd9Sstevel@tonic-gate 	ushort_t		*vals, *vp;
3547c478bd9Sstevel@tonic-gate 	size_t			vsize = 0;
3557c478bd9Sstevel@tonic-gate 	int			error = 0;
3567c478bd9Sstevel@tonic-gate 	int			retval = 0;
3577c478bd9Sstevel@tonic-gate 	struct cred		*cr;
3587c478bd9Sstevel@tonic-gate 	kmutex_t		*lock;
3597c478bd9Sstevel@tonic-gate 	model_t			mdl = get_udatamodel();
3607c478bd9Sstevel@tonic-gate 	STRUCT_DECL(semid_ds, sid);
3617c478bd9Sstevel@tonic-gate 	struct semid_ds64	ds64;
3627c478bd9Sstevel@tonic-gate 
3637c478bd9Sstevel@tonic-gate 	STRUCT_INIT(sid, mdl);
3647c478bd9Sstevel@tonic-gate 	cr = CRED();
3657c478bd9Sstevel@tonic-gate 
3667c478bd9Sstevel@tonic-gate 	/*
3677c478bd9Sstevel@tonic-gate 	 * Perform pre- or non-lookup actions (e.g. copyins, RMID).
3687c478bd9Sstevel@tonic-gate 	 */
3697c478bd9Sstevel@tonic-gate 	switch (cmd) {
3707c478bd9Sstevel@tonic-gate 	case IPC_SET:
3717c478bd9Sstevel@tonic-gate 		if (copyin((void *)arg, STRUCT_BUF(sid), STRUCT_SIZE(sid)))
3727c478bd9Sstevel@tonic-gate 			return (set_errno(EFAULT));
3737c478bd9Sstevel@tonic-gate 		break;
3747c478bd9Sstevel@tonic-gate 
3757c478bd9Sstevel@tonic-gate 	case IPC_SET64:
3767c478bd9Sstevel@tonic-gate 		if (copyin((void *)arg, &ds64, sizeof (struct semid_ds64)))
3777c478bd9Sstevel@tonic-gate 			return (set_errno(EFAULT));
3787c478bd9Sstevel@tonic-gate 		break;
3797c478bd9Sstevel@tonic-gate 
3807c478bd9Sstevel@tonic-gate 	case SETALL:
3817c478bd9Sstevel@tonic-gate 		if ((lock = ipc_lookup(sem_svc, semid,
3827c478bd9Sstevel@tonic-gate 		    (kipc_perm_t **)&sp)) == NULL)
3837c478bd9Sstevel@tonic-gate 			return (set_errno(EINVAL));
3847c478bd9Sstevel@tonic-gate 		vsize = sp->sem_nsems * sizeof (*vals);
3857c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
3867c478bd9Sstevel@tonic-gate 
3877c478bd9Sstevel@tonic-gate 		/* allocate space to hold all semaphore values */
3887c478bd9Sstevel@tonic-gate 		vals = kmem_alloc(vsize, KM_SLEEP);
3897c478bd9Sstevel@tonic-gate 
3907c478bd9Sstevel@tonic-gate 		if (copyin((void *)arg, vals, vsize)) {
3917c478bd9Sstevel@tonic-gate 			kmem_free(vals, vsize);
3927c478bd9Sstevel@tonic-gate 			return (set_errno(EFAULT));
3937c478bd9Sstevel@tonic-gate 		}
3947c478bd9Sstevel@tonic-gate 		break;
3957c478bd9Sstevel@tonic-gate 
3967c478bd9Sstevel@tonic-gate 	case IPC_RMID:
3977c478bd9Sstevel@tonic-gate 		if (error = ipc_rmid(sem_svc, semid, cr))
3987c478bd9Sstevel@tonic-gate 			return (set_errno(error));
3997c478bd9Sstevel@tonic-gate 		return (0);
4007c478bd9Sstevel@tonic-gate 	}
4017c478bd9Sstevel@tonic-gate 
4027c478bd9Sstevel@tonic-gate 	if ((lock = ipc_lookup(sem_svc, semid, (kipc_perm_t **)&sp)) == NULL) {
4037c478bd9Sstevel@tonic-gate 		if (vsize != 0)
4047c478bd9Sstevel@tonic-gate 			kmem_free(vals, vsize);
4057c478bd9Sstevel@tonic-gate 		return (set_errno(EINVAL));
4067c478bd9Sstevel@tonic-gate 	}
4077c478bd9Sstevel@tonic-gate 	switch (cmd) {
4087c478bd9Sstevel@tonic-gate 	/* Set ownership and permissions. */
4097c478bd9Sstevel@tonic-gate 	case IPC_SET:
4107c478bd9Sstevel@tonic-gate 
4117c478bd9Sstevel@tonic-gate 		if (error = ipcperm_set(sem_svc, cr, &sp->sem_perm,
4127c478bd9Sstevel@tonic-gate 		    &STRUCT_BUF(sid)->sem_perm, mdl)) {
4137c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
4147c478bd9Sstevel@tonic-gate 			return (set_errno(error));
4157c478bd9Sstevel@tonic-gate 		}
4167c478bd9Sstevel@tonic-gate 		sp->sem_ctime = gethrestime_sec();
4177c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
4187c478bd9Sstevel@tonic-gate 		return (0);
4197c478bd9Sstevel@tonic-gate 
4207c478bd9Sstevel@tonic-gate 	/* Get semaphore data structure. */
4217c478bd9Sstevel@tonic-gate 	case IPC_STAT:
4227c478bd9Sstevel@tonic-gate 
4237c478bd9Sstevel@tonic-gate 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
4247c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
4257c478bd9Sstevel@tonic-gate 			return (set_errno(error));
4267c478bd9Sstevel@tonic-gate 		}
4277c478bd9Sstevel@tonic-gate 
4287c478bd9Sstevel@tonic-gate 		ipcperm_stat(&STRUCT_BUF(sid)->sem_perm, &sp->sem_perm, mdl);
4297c478bd9Sstevel@tonic-gate 		STRUCT_FSETP(sid, sem_base, NULL);	/* kernel addr */
4307c478bd9Sstevel@tonic-gate 		STRUCT_FSET(sid, sem_nsems, sp->sem_nsems);
4317c478bd9Sstevel@tonic-gate 		STRUCT_FSET(sid, sem_otime, sp->sem_otime);
4327c478bd9Sstevel@tonic-gate 		STRUCT_FSET(sid, sem_ctime, sp->sem_ctime);
4337c478bd9Sstevel@tonic-gate 		STRUCT_FSET(sid, sem_binary, sp->sem_binary);
4347c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
4357c478bd9Sstevel@tonic-gate 
4367c478bd9Sstevel@tonic-gate 		if (copyout(STRUCT_BUF(sid), (void *)arg, STRUCT_SIZE(sid)))
4377c478bd9Sstevel@tonic-gate 			return (set_errno(EFAULT));
4387c478bd9Sstevel@tonic-gate 		return (0);
4397c478bd9Sstevel@tonic-gate 
4407c478bd9Sstevel@tonic-gate 	case IPC_SET64:
4417c478bd9Sstevel@tonic-gate 
4427c478bd9Sstevel@tonic-gate 		if (error = ipcperm_set64(sem_svc, cr, &sp->sem_perm,
4437c478bd9Sstevel@tonic-gate 		    &ds64.semx_perm)) {
4447c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
4457c478bd9Sstevel@tonic-gate 			return (set_errno(error));
4467c478bd9Sstevel@tonic-gate 		}
4477c478bd9Sstevel@tonic-gate 		sp->sem_ctime = gethrestime_sec();
4487c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
4497c478bd9Sstevel@tonic-gate 		return (0);
4507c478bd9Sstevel@tonic-gate 
4517c478bd9Sstevel@tonic-gate 	case IPC_STAT64:
4527c478bd9Sstevel@tonic-gate 
4537c478bd9Sstevel@tonic-gate 		ipcperm_stat64(&ds64.semx_perm, &sp->sem_perm);
4547c478bd9Sstevel@tonic-gate 		ds64.semx_nsems = sp->sem_nsems;
4557c478bd9Sstevel@tonic-gate 		ds64.semx_otime = sp->sem_otime;
4567c478bd9Sstevel@tonic-gate 		ds64.semx_ctime = sp->sem_ctime;
4577c478bd9Sstevel@tonic-gate 
4587c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
4597c478bd9Sstevel@tonic-gate 		if (copyout(&ds64, (void *)arg, sizeof (struct semid_ds64)))
4607c478bd9Sstevel@tonic-gate 			return (set_errno(EFAULT));
4617c478bd9Sstevel@tonic-gate 
4627c478bd9Sstevel@tonic-gate 		return (0);
4637c478bd9Sstevel@tonic-gate 
4647c478bd9Sstevel@tonic-gate 	/* Get # of processes sleeping for greater semval. */
4657c478bd9Sstevel@tonic-gate 	case GETNCNT:
4667c478bd9Sstevel@tonic-gate 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
4677c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
4687c478bd9Sstevel@tonic-gate 			return (set_errno(error));
4697c478bd9Sstevel@tonic-gate 		}
4707c478bd9Sstevel@tonic-gate 		if (semnum >= sp->sem_nsems) {
4717c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
4727c478bd9Sstevel@tonic-gate 			return (set_errno(EINVAL));
4737c478bd9Sstevel@tonic-gate 		}
4747c478bd9Sstevel@tonic-gate 		retval = sp->sem_base[semnum].semncnt;
4757c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
4767c478bd9Sstevel@tonic-gate 		return (retval);
4777c478bd9Sstevel@tonic-gate 
4787c478bd9Sstevel@tonic-gate 	/* Get pid of last process to operate on semaphore. */
4797c478bd9Sstevel@tonic-gate 	case GETPID:
4807c478bd9Sstevel@tonic-gate 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
4817c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
4827c478bd9Sstevel@tonic-gate 			return (set_errno(error));
4837c478bd9Sstevel@tonic-gate 		}
4847c478bd9Sstevel@tonic-gate 		if (semnum >= sp->sem_nsems) {
4857c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
4867c478bd9Sstevel@tonic-gate 			return (set_errno(EINVAL));
4877c478bd9Sstevel@tonic-gate 		}
4887c478bd9Sstevel@tonic-gate 		retval = sp->sem_base[semnum].sempid;
4897c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
4907c478bd9Sstevel@tonic-gate 		return (retval);
4917c478bd9Sstevel@tonic-gate 
4927c478bd9Sstevel@tonic-gate 	/* Get semval of one semaphore. */
4937c478bd9Sstevel@tonic-gate 	case GETVAL:
4947c478bd9Sstevel@tonic-gate 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
4957c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
4967c478bd9Sstevel@tonic-gate 			return (set_errno(error));
4977c478bd9Sstevel@tonic-gate 		}
4987c478bd9Sstevel@tonic-gate 		if (semnum >= sp->sem_nsems) {
4997c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
5007c478bd9Sstevel@tonic-gate 			return (set_errno(EINVAL));
5017c478bd9Sstevel@tonic-gate 		}
5027c478bd9Sstevel@tonic-gate 		retval = sp->sem_base[semnum].semval;
5037c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
5047c478bd9Sstevel@tonic-gate 		return (retval);
5057c478bd9Sstevel@tonic-gate 
5067c478bd9Sstevel@tonic-gate 	/* Get all semvals in set. */
5077c478bd9Sstevel@tonic-gate 	case GETALL:
5087c478bd9Sstevel@tonic-gate 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
5097c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
5107c478bd9Sstevel@tonic-gate 			return (set_errno(error));
5117c478bd9Sstevel@tonic-gate 		}
5127c478bd9Sstevel@tonic-gate 
5137c478bd9Sstevel@tonic-gate 		/* allocate space to hold all semaphore values */
5147c478bd9Sstevel@tonic-gate 		vsize = sp->sem_nsems * sizeof (*vals);
5157c478bd9Sstevel@tonic-gate 		vals = vp = kmem_alloc(vsize, KM_SLEEP);
5167c478bd9Sstevel@tonic-gate 
5177c478bd9Sstevel@tonic-gate 		for (i = sp->sem_nsems, p = sp->sem_base; i--; p++, vp++)
5187c478bd9Sstevel@tonic-gate 			bcopy(&p->semval, vp, sizeof (p->semval));
5197c478bd9Sstevel@tonic-gate 
5207c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
5217c478bd9Sstevel@tonic-gate 
5227c478bd9Sstevel@tonic-gate 		if (copyout((void *)vals, (void *)arg, vsize)) {
5237c478bd9Sstevel@tonic-gate 			kmem_free(vals, vsize);
5247c478bd9Sstevel@tonic-gate 			return (set_errno(EFAULT));
5257c478bd9Sstevel@tonic-gate 		}
5267c478bd9Sstevel@tonic-gate 
5277c478bd9Sstevel@tonic-gate 		kmem_free(vals, vsize);
5287c478bd9Sstevel@tonic-gate 		return (0);
5297c478bd9Sstevel@tonic-gate 
5307c478bd9Sstevel@tonic-gate 	/* Get # of processes sleeping for semval to become zero. */
5317c478bd9Sstevel@tonic-gate 	case GETZCNT:
5327c478bd9Sstevel@tonic-gate 		if (error = ipcperm_access(&sp->sem_perm, SEM_R, cr)) {
5337c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
5347c478bd9Sstevel@tonic-gate 			return (set_errno(error));
5357c478bd9Sstevel@tonic-gate 		}
5367c478bd9Sstevel@tonic-gate 		if (semnum >= sp->sem_nsems) {
5377c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
5387c478bd9Sstevel@tonic-gate 			return (set_errno(EINVAL));
5397c478bd9Sstevel@tonic-gate 		}
5407c478bd9Sstevel@tonic-gate 		retval = sp->sem_base[semnum].semzcnt;
5417c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
5427c478bd9Sstevel@tonic-gate 		return (retval);
5437c478bd9Sstevel@tonic-gate 
5447c478bd9Sstevel@tonic-gate 	/* Set semval of one semaphore. */
5457c478bd9Sstevel@tonic-gate 	case SETVAL:
5467c478bd9Sstevel@tonic-gate 		if (error = ipcperm_access(&sp->sem_perm, SEM_A, cr)) {
5477c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
5487c478bd9Sstevel@tonic-gate 			return (set_errno(error));
5497c478bd9Sstevel@tonic-gate 		}
5507c478bd9Sstevel@tonic-gate 		if (semnum >= sp->sem_nsems) {
5517c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
5527c478bd9Sstevel@tonic-gate 			return (set_errno(EINVAL));
5537c478bd9Sstevel@tonic-gate 		}
5547c478bd9Sstevel@tonic-gate 		if ((uint_t)arg > USHRT_MAX) {
5557c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
5567c478bd9Sstevel@tonic-gate 			return (set_errno(ERANGE));
5577c478bd9Sstevel@tonic-gate 		}
5587c478bd9Sstevel@tonic-gate 		p = &sp->sem_base[semnum];
5597c478bd9Sstevel@tonic-gate 		if ((p->semval = (ushort_t)arg) != 0) {
5607c478bd9Sstevel@tonic-gate 			if (p->semncnt) {
5617c478bd9Sstevel@tonic-gate 				cv_broadcast(&p->semncnt_cv);
5627c478bd9Sstevel@tonic-gate 			}
5637c478bd9Sstevel@tonic-gate 		} else if (p->semzcnt) {
5647c478bd9Sstevel@tonic-gate 			cv_broadcast(&p->semzcnt_cv);
5657c478bd9Sstevel@tonic-gate 		}
5667c478bd9Sstevel@tonic-gate 		p->sempid = curproc->p_pid;
5677c478bd9Sstevel@tonic-gate 		sem_undo_clear(sp, (ushort_t)semnum, (ushort_t)semnum);
5687c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
5697c478bd9Sstevel@tonic-gate 		return (0);
5707c478bd9Sstevel@tonic-gate 
5717c478bd9Sstevel@tonic-gate 	/* Set semvals of all semaphores in set. */
5727c478bd9Sstevel@tonic-gate 	case SETALL:
5737c478bd9Sstevel@tonic-gate 		/* Check if semaphore set has been deleted and reallocated. */
5747c478bd9Sstevel@tonic-gate 		if (sp->sem_nsems * sizeof (*vals) != vsize) {
5757c478bd9Sstevel@tonic-gate 			error = set_errno(EINVAL);
5767c478bd9Sstevel@tonic-gate 			goto seterr;
5777c478bd9Sstevel@tonic-gate 		}
5787c478bd9Sstevel@tonic-gate 		if (error = ipcperm_access(&sp->sem_perm, SEM_A, cr)) {
5797c478bd9Sstevel@tonic-gate 			error = set_errno(error);
5807c478bd9Sstevel@tonic-gate 			goto seterr;
5817c478bd9Sstevel@tonic-gate 		}
5827c478bd9Sstevel@tonic-gate 		sem_undo_clear(sp, 0, sp->sem_nsems - 1);
5837c478bd9Sstevel@tonic-gate 		for (i = 0, p = sp->sem_base; i < sp->sem_nsems;
5847c478bd9Sstevel@tonic-gate 		    (p++)->sempid = curproc->p_pid) {
5857c478bd9Sstevel@tonic-gate 			if ((p->semval = vals[i++]) != 0) {
5867c478bd9Sstevel@tonic-gate 				if (p->semncnt) {
5877c478bd9Sstevel@tonic-gate 					cv_broadcast(&p->semncnt_cv);
5887c478bd9Sstevel@tonic-gate 				}
5897c478bd9Sstevel@tonic-gate 			} else if (p->semzcnt) {
5907c478bd9Sstevel@tonic-gate 				cv_broadcast(&p->semzcnt_cv);
5917c478bd9Sstevel@tonic-gate 			}
5927c478bd9Sstevel@tonic-gate 		}
5937c478bd9Sstevel@tonic-gate seterr:
5947c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
5957c478bd9Sstevel@tonic-gate 		kmem_free(vals, vsize);
5967c478bd9Sstevel@tonic-gate 		return (error);
5977c478bd9Sstevel@tonic-gate 
5987c478bd9Sstevel@tonic-gate 	default:
5997c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
6007c478bd9Sstevel@tonic-gate 		return (set_errno(EINVAL));
6017c478bd9Sstevel@tonic-gate 	}
6027c478bd9Sstevel@tonic-gate 
6037c478bd9Sstevel@tonic-gate 	/* NOTREACHED */
6047c478bd9Sstevel@tonic-gate }
6057c478bd9Sstevel@tonic-gate 
/*
 * semexit - apply and discard a process's SEM_UNDO adjustments.
 *
 * The existing header says this is called by exit().  The undo tree is
 * detached from the process under p_lock, then each undo record is
 * applied to its semaphore set (unless the set has been removed) and
 * freed.
 *
 * NOTE(review): avl_destroy_nodes() and avl_destroy() are handed the
 * detached tree without a NULL test, so this presumably relies on the
 * caller only invoking semexit() when pp->p_semacct is non-NULL;
 * confirm against the exit path.
 */
void
semexit(proc_t *pp)
{
	avl_tree_t	*acct;
	struct sem_undo	*un;
	void		*walk = NULL;

	/* Unhook the tree so nothing else reaches it through the proc. */
	mutex_enter(&pp->p_lock);
	acct = pp->p_semacct;
	pp->p_semacct = NULL;
	mutex_exit(&pp->p_lock);

	while ((un = avl_destroy_nodes(acct, &walk)) != NULL) {
		ksemid_t *sp = un->un_sp;
		/*
		 * The record size is derived from the set's semaphore
		 * count; it has to be captured before the set reference
		 * is dropped below.
		 */
		size_t unsz = SEM_UNDOSZ(sp->sem_nsems);
		int idx;

		(void) ipc_lock(sem_svc, sp->sem_perm.ipc_id);
		if (!IPC_FREE(&sp->sem_perm)) {
			for (idx = 0; idx < sp->sem_nsems; idx++) {
				struct sem *semp;
				int delta = un->un_aoe[idx];
				int newval;

				if (delta == 0)
					continue;

				semp = &sp->sem_base[idx];
				newval = (int)semp->semval + delta;

				/*
				 * An adjustment that would leave the
				 * ushort_t range is silently skipped
				 * rather than truncated.
				 */
				if (newval < 0 || newval > USHRT_MAX)
					continue;

				semp->semval = (ushort_t)newval;
				if (newval == 0 && semp->semzcnt)
					cv_broadcast(&semp->semzcnt_cv);
				if (delta > 0 && semp->semncnt)
					cv_broadcast(&semp->semncnt_cv);
			}
			list_remove(&sp->sem_undos, un);
		}
		/*
		 * Pairs with the ipc_hold() taken when the undo record
		 * was linked to the set in sem_undo_alloc().  No separate
		 * mutex_exit() follows, so ipc_rele() presumably drops
		 * the lock taken above as well; confirm in the ipc code.
		 */
		ipc_rele(sem_svc, (kipc_perm_t *)sp);
		kmem_free(un, unsz);
	}

	avl_destroy(acct);
	kmem_free(acct, sizeof (avl_tree_t));
}
6527c478bd9Sstevel@tonic-gate 
/*
 * Zone teardown hook: hands the zone id to ipc_remove_zone() for the
 * semaphore service.  The existing header says zone_shutdown calls this
 * when the zone is halted.  The second argument is unused.
 */
/*ARGSUSED1*/
static void
sem_remove_zone(zoneid_t zoneid, void *arg)
{
	ipc_remove_zone(sem_svc, zoneid);
}
6637c478bd9Sstevel@tonic-gate 
/*
 * semget - Semget system call.
 *
 * Looks up, or creates, the semaphore set for 'key' and returns its
 * id.  Failures are reported through set_errno().
 *
 * For an existing set, nsems must lie in [0, sem_nsems].  For a new
 * set, nsems must be positive and pass the rc_process_semmsl resource
 * control; the control is tested once before the allocation and again
 * after ipc_commit_begin().
 */
static int
semget(key_t key, int nsems, int semflg)
{
	ksemid_t	*sp;
	kmutex_t	*lock;
	int		semid, error;
	proc_t		*curp = curproc;

top:
	error = ipc_get(sem_svc, key, semflg, (kipc_perm_t **)&sp, &lock);
	if (error != 0)
		return (set_errno(error));

	if (IPC_FREE(&sp->sem_perm)) {
		/*
		 * Brand new set: validate the requested size before
		 * anything is allocated.  Both the id lock and p_lock
		 * are released on this path, so ipc_get() evidently
		 * returns with both held for a new object.
		 */
		if (nsems <= 0 || (rctl_test(rc_process_semmsl, curp->p_rctls,
		    curp, nsems, RCA_SAFE) & RCT_DENY)) {
			mutex_exit(lock);
			mutex_exit(&curp->p_lock);
			ipc_cleanup(sem_svc, (kipc_perm_t *)sp);
			return (set_errno(EINVAL));
		}
		mutex_exit(lock);
		mutex_exit(&curp->p_lock);

		/*
		 * The allocation is padded to a 64-byte multiple so that
		 * separate sets do not falsely share cache lines.
		 *
		 * NOTE(review): the size arithmetic and the (ushort_t)
		 * narrowing below are only safe while the semmsl control
		 * keeps nsems within USHRT_MAX; a larger value would
		 * leave sem_nsems smaller than the allocation it
		 * describes.  Confirm the control's registered maximum.
		 */
		sp->sem_base =
		    kmem_zalloc(P2ROUNDUP(nsems * sizeof (struct sem), 64),
		    KM_SLEEP);
		sp->sem_binary = (nsems == 1);
		sp->sem_nsems = (ushort_t)nsems;
		sp->sem_ctime = gethrestime_sec();
		sp->sem_otime = 0;
		list_create(&sp->sem_undos, sizeof (struct sem_undo),
		    offsetof(struct sem_undo, un_list));

		/*
		 * EAGAIN restarts the whole lookup.  NOTE(review): no
		 * cleanup of sem_base is visible on either failure
		 * return here, so it is presumably released inside
		 * ipc_commit_begin(); confirm.
		 */
		error = ipc_commit_begin(sem_svc, key, semflg,
		    (kipc_perm_t *)sp);
		if (error == EAGAIN)
			goto top;
		if (error != 0)
			return (set_errno(error));

		sp->sem_maxops =
		    rctl_enforced_value(rc_process_semopm, curp->p_rctls, curp);

		/*
		 * Second test of the limit: the first one ran before the
		 * locks were dropped for the sleeping allocation.
		 */
		if (rctl_test(rc_process_semmsl, curp->p_rctls, curp, nsems,
		    RCA_SAFE) & RCT_DENY) {
			ipc_cleanup(sem_svc, (kipc_perm_t *)sp);
			return (set_errno(EINVAL));
		}
		lock = ipc_commit_end(sem_svc, &sp->sem_perm);
	} else {
		/*
		 * The key names an existing set; the caller may not ask
		 * for more semaphores than it contains.
		 */
		if (nsems < 0 || nsems > sp->sem_nsems) {
			mutex_exit(lock);
			return (set_errno(EINVAL));
		}
	}

	/* The audit record is emitted while the set is still locked. */
	if (audit_active)
		audit_ipcget(AT_IPC_SEM, (void *)sp);
	semid = sp->sem_perm.ipc_id;
	mutex_exit(lock);
	return (semid);
}
7377c478bd9Sstevel@tonic-gate 
/*
 * semids system call.
 *
 * Thin wrapper that forwards its arguments to ipc_ids() for the
 * semaphore service.  Returns 0 on success, otherwise the result of
 * set_errno() on the error ipc_ids() reported.
 *
 * NOTE(review): buf and pnids are presumably user addresses that
 * ipc_ids() writes with copyout; no validation happens at this layer.
 */
static int
semids(int *buf, uint_t nids, uint_t *pnids)
{
	int rc = ipc_ids(sem_svc, buf, nids, pnids);

	if (rc != 0)
		return (set_errno(rc));

	return (0);
}
7517c478bd9Sstevel@tonic-gate 
7527c478bd9Sstevel@tonic-gate 
/*
 * Helper for semop: fetch the caller's relative timeout and turn it
 * into an absolute deadline.
 *
 *	tsp	- out: set to 'ts' on success
 *	ts	- kernel buffer that receives the converted deadline
 *	now	- current time, added to the relative value
 *	timeout	- source address for copyin(); its layout follows the
 *		  caller's data model
 *
 * Returns 0, EFAULT if the copyin fails, or EINVAL if itimerspecfix()
 * rejects the value.  The value is checked by itimerspecfix() before
 * it is added to 'now'.
 */
static int
compute_timeout(timespec_t **tsp, timespec_t *ts, timespec_t *now,
    timespec_t *timeout)
{
	if (get_udatamodel() != DATAMODEL_NATIVE) {
		/* Non-native caller: copy the 32-bit form, then widen. */
		timespec32_t ts32;

		if (copyin(timeout, &ts32, sizeof (ts32)))
			return (EFAULT);
		TIMESPEC32_TO_TIMESPEC(ts, &ts32)
	} else {
		if (copyin(timeout, ts, sizeof (*ts)))
			return (EFAULT);
	}

	if (itimerspecfix(ts))
		return (EINVAL);

	/* Relative interval plus the current time gives the deadline. */
	timespecadd(ts, now);
	*tsp = ts;

	return (0);
}
7857c478bd9Sstevel@tonic-gate 
/*
 * Ordering function for the per-process undo tree.  Two undo records
 * compare by the address of the semaphore set they refer to (un_sp),
 * so a process has at most one record per set.
 *
 * Returns -1, 0 or 1.
 */
static int
sem_undo_compar(const void *x, const void *y)
{
	const ksemid_t *lhs = ((const struct sem_undo *)x)->un_sp;
	const ksemid_t *rhs = ((const struct sem_undo *)y)->un_sp;

	if (lhs == rhs)
		return (0);

	return (lhs < rhs ? -1 : 1);
}
8017c478bd9Sstevel@tonic-gate 
/*
 * Helper for semop: make sure the process has an undo record for this
 * semaphore set, creating the record (and the process's undo tree) if
 * needed.
 *
 *	pp	 - process that owns the undo tree
 *	sp	 - semaphore set; locked via *lock on entry
 *	lock	 - in/out: dropped here, then replaced by the lock that
 *		   ipc_lock() returns
 *	template - search key (un_sp filled in by the caller)
 *	un	 - out: the record found or created
 *
 * Returns 0 with the set locked, or EIDRM if the set was removed while
 * it was unlocked; *lock has been reassigned in that case too.
 *
 * NOTE(review): the set lock is released before sp->sem_nsems,
 * sp->sem_perm.ipc_id and IPC_FREE(&sp->sem_perm) are read.  That is
 * only safe if something keeps sp alive across the window.  In the
 * semop caller visible in this file a hold is taken only on the
 * nsops > SEM_MAXUCOPS path or before blocking, so whether a reference
 * is guaranteed here should be confirmed.
 */
static int
sem_undo_alloc(proc_t *pp, ksemid_t *sp, kmutex_t **lock,
    struct sem_undo *template, struct sem_undo **un)
{
	size_t unsz;
	struct sem_undo *fresh;
	avl_tree_t *newtree = NULL;
	avl_index_t slot;

	/* KM_SLEEP allocations follow, so the set lock is given up first. */
	mutex_exit(*lock);

	unsz = SEM_UNDOSZ(sp->sem_nsems);
	fresh = kmem_zalloc(unsz, KM_SLEEP);
	fresh->un_proc = pp;
	fresh->un_sp = sp;

	/*
	 * Unlocked peek at p_semacct; the decision is re-made under
	 * p_lock below, so this only pre-allocates.
	 */
	if (pp->p_semacct == NULL)
		newtree = kmem_alloc(sizeof (avl_tree_t), KM_SLEEP);

	*lock = ipc_lock(sem_svc, sp->sem_perm.ipc_id);
	if (IPC_FREE(&sp->sem_perm)) {
		/* The set went away while it was unlocked. */
		kmem_free(fresh, unsz);
		if (newtree != NULL)
			kmem_free(newtree, sizeof (avl_tree_t));
		return (EIDRM);
	}

	mutex_enter(&pp->p_lock);
	if (newtree != NULL) {
		if (pp->p_semacct != NULL) {
			/* A tree appeared in the meantime; drop ours. */
			kmem_free(newtree, sizeof (avl_tree_t));
		} else {
			avl_create(newtree, sem_undo_compar,
			    sizeof (struct sem_undo),
			    offsetof(struct sem_undo, un_avl));
			pp->p_semacct = newtree;
		}
	}

	*un = avl_find(pp->p_semacct, template, &slot);
	if (*un != NULL) {
		/* A record for this set already exists; ours is spare. */
		mutex_exit(&pp->p_lock);
		kmem_free(fresh, unsz);
	} else {
		*un = fresh;
		avl_insert(pp->p_semacct, fresh, slot);
		mutex_exit(&pp->p_lock);
		list_insert_head(&sp->sem_undos, fresh);
		/* The new record keeps a reference on the set. */
		ipc_hold(sem_svc, (kipc_perm_t *)sp);
	}

	return (0);
}
8597c478bd9Sstevel@tonic-gate 
8607c478bd9Sstevel@tonic-gate /*
8617c478bd9Sstevel@tonic-gate  * semop - Semop system call.
8627c478bd9Sstevel@tonic-gate  */
8637c478bd9Sstevel@tonic-gate static int
8647c478bd9Sstevel@tonic-gate semop(int semid, struct sembuf *sops, size_t nsops, timespec_t *timeout)
8657c478bd9Sstevel@tonic-gate {
8667c478bd9Sstevel@tonic-gate 	ksemid_t	*sp = NULL;
8677c478bd9Sstevel@tonic-gate 	kmutex_t	*lock;
8687c478bd9Sstevel@tonic-gate 	struct sembuf	*op;	/* ptr to operation */
8697c478bd9Sstevel@tonic-gate 	int		i;	/* loop control */
8707c478bd9Sstevel@tonic-gate 	struct sem	*semp;	/* ptr to semaphore */
8717c478bd9Sstevel@tonic-gate 	int 		error = 0;
8727c478bd9Sstevel@tonic-gate 	struct sembuf	*uops;	/* ptr to copy of user ops */
8737c478bd9Sstevel@tonic-gate 	struct sembuf 	x_sem;	/* avoid kmem_alloc's */
8747c478bd9Sstevel@tonic-gate 	timespec_t	now, ts, *tsp = NULL;
8753348528fSdm 	int		timecheck = 0;
8767c478bd9Sstevel@tonic-gate 	int		cvres, needundo, mode;
8777c478bd9Sstevel@tonic-gate 	struct sem_undo	*undo;
8787c478bd9Sstevel@tonic-gate 	proc_t		*pp = curproc;
8797c478bd9Sstevel@tonic-gate 	int		held = 0;
8807c478bd9Sstevel@tonic-gate 
8817c478bd9Sstevel@tonic-gate 	CPU_STATS_ADDQ(CPU, sys, sema, 1); /* bump semaphore op count */
8827c478bd9Sstevel@tonic-gate 
8837c478bd9Sstevel@tonic-gate 	/*
8847c478bd9Sstevel@tonic-gate 	 * To avoid the cost of copying in 'timeout' in the common
8857c478bd9Sstevel@tonic-gate 	 * case, we could only grab the time here and defer the copyin
8867c478bd9Sstevel@tonic-gate 	 * and associated computations until we are about to block.
8877c478bd9Sstevel@tonic-gate 	 *
8887c478bd9Sstevel@tonic-gate 	 * The down side to this is that we would then have to spin
8897c478bd9Sstevel@tonic-gate 	 * some goto top nonsense to avoid the copyin behind the semid
8907c478bd9Sstevel@tonic-gate 	 * lock.  As a common use of timed semaphores is as an explicit
8917c478bd9Sstevel@tonic-gate 	 * blocking mechanism, this could incur a greater penalty.
8927c478bd9Sstevel@tonic-gate 	 *
8937c478bd9Sstevel@tonic-gate 	 * If we eventually decide that this would be a wise route to
8947c478bd9Sstevel@tonic-gate 	 * take, the deferrable functionality is completely contained
8957c478bd9Sstevel@tonic-gate 	 * in 'compute_timeout', and the interface is defined such that
8967c478bd9Sstevel@tonic-gate 	 * we can legally not validate 'timeout' if it is unused.
8977c478bd9Sstevel@tonic-gate 	 */
8987c478bd9Sstevel@tonic-gate 	if (timeout != NULL) {
8993348528fSdm 		timecheck = timechanged;
9007c478bd9Sstevel@tonic-gate 		gethrestime(&now);
9017c478bd9Sstevel@tonic-gate 		if (error = compute_timeout(&tsp, &ts, &now, timeout))
9027c478bd9Sstevel@tonic-gate 			return (set_errno(error));
9037c478bd9Sstevel@tonic-gate 	}
9047c478bd9Sstevel@tonic-gate 
9057c478bd9Sstevel@tonic-gate 	/*
9067c478bd9Sstevel@tonic-gate 	 * Allocate space to hold the vector of semaphore ops.  If
9077c478bd9Sstevel@tonic-gate 	 * there is only 1 operation we use a preallocated buffer on
9087c478bd9Sstevel@tonic-gate 	 * the stack for speed.
9097c478bd9Sstevel@tonic-gate 	 *
9107c478bd9Sstevel@tonic-gate 	 * Since we don't want to allow the user to allocate an
9117c478bd9Sstevel@tonic-gate 	 * arbitrary amount of kernel memory, we need to check against
9127c478bd9Sstevel@tonic-gate 	 * the number of operations allowed by the semaphore.  We only
9137c478bd9Sstevel@tonic-gate 	 * bother doing this if the number of operations is larger than
9147c478bd9Sstevel@tonic-gate 	 * SEM_MAXUCOPS.
9157c478bd9Sstevel@tonic-gate 	 */
9167c478bd9Sstevel@tonic-gate 	if (nsops == 1)
9177c478bd9Sstevel@tonic-gate 		uops = &x_sem;
9187c478bd9Sstevel@tonic-gate 	else if (nsops == 0)
9197c478bd9Sstevel@tonic-gate 		return (0);
9207c478bd9Sstevel@tonic-gate 	else if (nsops <= SEM_MAXUCOPS)
9217c478bd9Sstevel@tonic-gate 		uops = kmem_alloc(nsops * sizeof (*uops), KM_SLEEP);
9227c478bd9Sstevel@tonic-gate 
9237c478bd9Sstevel@tonic-gate 	if (nsops > SEM_MAXUCOPS) {
9247c478bd9Sstevel@tonic-gate 		if ((lock = ipc_lookup(sem_svc, semid,
9257c478bd9Sstevel@tonic-gate 		    (kipc_perm_t **)&sp)) == NULL)
9267c478bd9Sstevel@tonic-gate 			return (set_errno(EFAULT));
9277c478bd9Sstevel@tonic-gate 
9287c478bd9Sstevel@tonic-gate 		if (nsops > sp->sem_maxops) {
9297c478bd9Sstevel@tonic-gate 			mutex_exit(lock);
9307c478bd9Sstevel@tonic-gate 			return (set_errno(E2BIG));
9317c478bd9Sstevel@tonic-gate 		}
9327c478bd9Sstevel@tonic-gate 		held = 1;
9337c478bd9Sstevel@tonic-gate 		ipc_hold(sem_svc, (kipc_perm_t *)sp);
9347c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
9357c478bd9Sstevel@tonic-gate 
9367c478bd9Sstevel@tonic-gate 		uops = kmem_alloc(nsops * sizeof (*uops), KM_SLEEP);
9377c478bd9Sstevel@tonic-gate 		if (copyin(sops, uops, nsops * sizeof (*op))) {
9387c478bd9Sstevel@tonic-gate 			error = EFAULT;
9397c478bd9Sstevel@tonic-gate 			(void) ipc_lock(sem_svc, sp->sem_perm.ipc_id);
9407c478bd9Sstevel@tonic-gate 			goto semoperr;
9417c478bd9Sstevel@tonic-gate 		}
9427c478bd9Sstevel@tonic-gate 
9437c478bd9Sstevel@tonic-gate 		lock = ipc_lock(sem_svc, sp->sem_perm.ipc_id);
9447c478bd9Sstevel@tonic-gate 		if (IPC_FREE(&sp->sem_perm)) {
9457c478bd9Sstevel@tonic-gate 			error = EIDRM;
9467c478bd9Sstevel@tonic-gate 			goto semoperr;
9477c478bd9Sstevel@tonic-gate 		}
9487c478bd9Sstevel@tonic-gate 	} else {
9497c478bd9Sstevel@tonic-gate 		/*
9507c478bd9Sstevel@tonic-gate 		 * This could be interleaved with the above code, but
9517c478bd9Sstevel@tonic-gate 		 * keeping them separate improves readability.
9527c478bd9Sstevel@tonic-gate 		 */
9537c478bd9Sstevel@tonic-gate 		if (copyin(sops, uops, nsops * sizeof (*op))) {
9547c478bd9Sstevel@tonic-gate 			error = EFAULT;
9557c478bd9Sstevel@tonic-gate 			goto semoperr_unlocked;
9567c478bd9Sstevel@tonic-gate 		}
9577c478bd9Sstevel@tonic-gate 
9587c478bd9Sstevel@tonic-gate 		if ((lock = ipc_lookup(sem_svc, semid,
9597c478bd9Sstevel@tonic-gate 		    (kipc_perm_t **)&sp)) == NULL) {
9607c478bd9Sstevel@tonic-gate 			error = EINVAL;
9617c478bd9Sstevel@tonic-gate 			goto semoperr_unlocked;
9627c478bd9Sstevel@tonic-gate 		}
9637c478bd9Sstevel@tonic-gate 
9647c478bd9Sstevel@tonic-gate 		if (nsops > sp->sem_maxops) {
9657c478bd9Sstevel@tonic-gate 			error = E2BIG;
9667c478bd9Sstevel@tonic-gate 			goto semoperr;
9677c478bd9Sstevel@tonic-gate 		}
9687c478bd9Sstevel@tonic-gate 	}
9697c478bd9Sstevel@tonic-gate 
9707c478bd9Sstevel@tonic-gate 	/*
9717c478bd9Sstevel@tonic-gate 	 * Scan all operations.  Verify that sem #s are in range and
9727c478bd9Sstevel@tonic-gate 	 * this process is allowed the requested operations.  If any
9737c478bd9Sstevel@tonic-gate 	 * operations are marked SEM_UNDO, find (or allocate) the undo
9747c478bd9Sstevel@tonic-gate 	 * structure for this process and semaphore.
9757c478bd9Sstevel@tonic-gate 	 */
9767c478bd9Sstevel@tonic-gate 	needundo = 0;
9777c478bd9Sstevel@tonic-gate 	mode = 0;
9787c478bd9Sstevel@tonic-gate 	for (i = 0, op = uops; i++ < nsops; op++) {
9797c478bd9Sstevel@tonic-gate 		mode |= op->sem_op ? SEM_A : SEM_R;
9807c478bd9Sstevel@tonic-gate 		if (op->sem_num >= sp->sem_nsems) {
9817c478bd9Sstevel@tonic-gate 			error = EFBIG;
9827c478bd9Sstevel@tonic-gate 			goto semoperr;
9837c478bd9Sstevel@tonic-gate 		}
9847c478bd9Sstevel@tonic-gate 		if ((op->sem_flg & SEM_UNDO) && op->sem_op)
9857c478bd9Sstevel@tonic-gate 			needundo = 1;
9867c478bd9Sstevel@tonic-gate 	}
9877c478bd9Sstevel@tonic-gate 	if (error = ipcperm_access(&sp->sem_perm, mode, CRED()))
9887c478bd9Sstevel@tonic-gate 		goto semoperr;
9897c478bd9Sstevel@tonic-gate 
9907c478bd9Sstevel@tonic-gate 	if (needundo) {
9917c478bd9Sstevel@tonic-gate 		struct sem_undo template;
9927c478bd9Sstevel@tonic-gate 
9937c478bd9Sstevel@tonic-gate 		template.un_sp = sp;
9947c478bd9Sstevel@tonic-gate 		mutex_enter(&pp->p_lock);
9957c478bd9Sstevel@tonic-gate 		if (pp->p_semacct)
9967c478bd9Sstevel@tonic-gate 			undo = avl_find(pp->p_semacct, &template, NULL);
9977c478bd9Sstevel@tonic-gate 		else
9987c478bd9Sstevel@tonic-gate 			undo = NULL;
9997c478bd9Sstevel@tonic-gate 		mutex_exit(&pp->p_lock);
10007c478bd9Sstevel@tonic-gate 		if (undo == NULL) {
10017c478bd9Sstevel@tonic-gate 			if (error = sem_undo_alloc(pp, sp, &lock, &template,
10027c478bd9Sstevel@tonic-gate 			    &undo))
10037c478bd9Sstevel@tonic-gate 				goto semoperr;
10047c478bd9Sstevel@tonic-gate 
10057c478bd9Sstevel@tonic-gate 			/* sem_undo_alloc unlocks the semaphore */
10067c478bd9Sstevel@tonic-gate 			if (error = ipcperm_access(&sp->sem_perm, mode, CRED()))
10077c478bd9Sstevel@tonic-gate 				goto semoperr;
10087c478bd9Sstevel@tonic-gate 		}
10097c478bd9Sstevel@tonic-gate 	}
10107c478bd9Sstevel@tonic-gate 
10117c478bd9Sstevel@tonic-gate check:
10127c478bd9Sstevel@tonic-gate 	/*
10137c478bd9Sstevel@tonic-gate 	 * Loop waiting for the operations to be satisfied atomically.
10147c478bd9Sstevel@tonic-gate 	 * Actually, do the operations and undo them if a wait is needed
10157c478bd9Sstevel@tonic-gate 	 * or an error is detected.
10167c478bd9Sstevel@tonic-gate 	 */
10177c478bd9Sstevel@tonic-gate 	for (i = 0; i < nsops; i++) {
10187c478bd9Sstevel@tonic-gate 		op = &uops[i];
10197c478bd9Sstevel@tonic-gate 		semp = &sp->sem_base[op->sem_num];
10207c478bd9Sstevel@tonic-gate 
10217c478bd9Sstevel@tonic-gate 		/*
10227c478bd9Sstevel@tonic-gate 		 * Raise the semaphore (i.e. sema_v)
10237c478bd9Sstevel@tonic-gate 		 */
10247c478bd9Sstevel@tonic-gate 		if (op->sem_op > 0) {
10257c478bd9Sstevel@tonic-gate 			if (op->sem_op + (int)semp->semval > USHRT_MAX ||
10267c478bd9Sstevel@tonic-gate 			    ((op->sem_flg & SEM_UNDO) &&
10277c478bd9Sstevel@tonic-gate 			    (error = sem_undo_add(op->sem_op, op->sem_num,
10287c478bd9Sstevel@tonic-gate 			    undo)))) {
10297c478bd9Sstevel@tonic-gate 				if (i)
10307c478bd9Sstevel@tonic-gate 					sem_rollback(sp, uops, i, undo);
10317c478bd9Sstevel@tonic-gate 				if (error == 0)
10327c478bd9Sstevel@tonic-gate 					error = ERANGE;
10337c478bd9Sstevel@tonic-gate 				goto semoperr;
10347c478bd9Sstevel@tonic-gate 			}
10357c478bd9Sstevel@tonic-gate 			semp->semval += op->sem_op;
10367c478bd9Sstevel@tonic-gate 			/*
10377c478bd9Sstevel@tonic-gate 			 * If we are only incrementing the semaphore value
10387c478bd9Sstevel@tonic-gate 			 * by one on a binary semaphore, we can cv_signal.
10397c478bd9Sstevel@tonic-gate 			 */
10407c478bd9Sstevel@tonic-gate 			if (semp->semncnt) {
10417c478bd9Sstevel@tonic-gate 				if (op->sem_op == 1 && sp->sem_binary)
10427c478bd9Sstevel@tonic-gate 					cv_signal(&semp->semncnt_cv);
10437c478bd9Sstevel@tonic-gate 				else
10447c478bd9Sstevel@tonic-gate 					cv_broadcast(&semp->semncnt_cv);
10457c478bd9Sstevel@tonic-gate 			}
10467c478bd9Sstevel@tonic-gate 			if (semp->semzcnt && !semp->semval)
10477c478bd9Sstevel@tonic-gate 				cv_broadcast(&semp->semzcnt_cv);
10487c478bd9Sstevel@tonic-gate 			continue;
10497c478bd9Sstevel@tonic-gate 		}
10507c478bd9Sstevel@tonic-gate 
10517c478bd9Sstevel@tonic-gate 		/*
10527c478bd9Sstevel@tonic-gate 		 * Lower the semaphore (i.e. sema_p)
10537c478bd9Sstevel@tonic-gate 		 */
10547c478bd9Sstevel@tonic-gate 		if (op->sem_op < 0) {
10557c478bd9Sstevel@tonic-gate 			if (semp->semval >= (unsigned)(-op->sem_op)) {
10567c478bd9Sstevel@tonic-gate 				if ((op->sem_flg & SEM_UNDO) &&
10577c478bd9Sstevel@tonic-gate 				    (error = sem_undo_add(op->sem_op,
10587c478bd9Sstevel@tonic-gate 				    op->sem_num, undo))) {
10597c478bd9Sstevel@tonic-gate 					if (i)
10607c478bd9Sstevel@tonic-gate 						sem_rollback(sp, uops, i, undo);
10617c478bd9Sstevel@tonic-gate 					goto semoperr;
10627c478bd9Sstevel@tonic-gate 				}
10637c478bd9Sstevel@tonic-gate 				semp->semval += op->sem_op;
10647c478bd9Sstevel@tonic-gate 				if (semp->semzcnt && !semp->semval)
10657c478bd9Sstevel@tonic-gate 					cv_broadcast(&semp->semzcnt_cv);
10667c478bd9Sstevel@tonic-gate 				continue;
10677c478bd9Sstevel@tonic-gate 			}
10687c478bd9Sstevel@tonic-gate 			if (i)
10697c478bd9Sstevel@tonic-gate 				sem_rollback(sp, uops, i, undo);
10707c478bd9Sstevel@tonic-gate 			if (op->sem_flg & IPC_NOWAIT) {
10717c478bd9Sstevel@tonic-gate 				error = EAGAIN;
10727c478bd9Sstevel@tonic-gate 				goto semoperr;
10737c478bd9Sstevel@tonic-gate 			}
10747c478bd9Sstevel@tonic-gate 
10757c478bd9Sstevel@tonic-gate 			/*
10767c478bd9Sstevel@tonic-gate 			 * Mark the semaphore set as not a binary type
10777c478bd9Sstevel@tonic-gate 			 * if we are decrementing the value by more than 1.
10787c478bd9Sstevel@tonic-gate 			 *
10797c478bd9Sstevel@tonic-gate 			 * V operations will resort to cv_broadcast
10807c478bd9Sstevel@tonic-gate 			 * for this set because there are too many weird
10817c478bd9Sstevel@tonic-gate 			 * cases that have to be caught.
10827c478bd9Sstevel@tonic-gate 			 */
10837c478bd9Sstevel@tonic-gate 			if (op->sem_op < -1)
10847c478bd9Sstevel@tonic-gate 				sp->sem_binary = 0;
10857c478bd9Sstevel@tonic-gate 			if (!held) {
10867c478bd9Sstevel@tonic-gate 				held = 1;
10877c478bd9Sstevel@tonic-gate 				ipc_hold(sem_svc, (kipc_perm_t *)sp);
10887c478bd9Sstevel@tonic-gate 			}
10897c478bd9Sstevel@tonic-gate 			semp->semncnt++;
10903348528fSdm 			cvres = cv_waituntil_sig(&semp->semncnt_cv, lock,
1091*d3e55dcdSgww 			    tsp, timecheck);
10927c478bd9Sstevel@tonic-gate 			lock = ipc_relock(sem_svc, sp->sem_perm.ipc_id, lock);
10937c478bd9Sstevel@tonic-gate 
10947c478bd9Sstevel@tonic-gate 			if (!IPC_FREE(&sp->sem_perm)) {
10957c478bd9Sstevel@tonic-gate 				ASSERT(semp->semncnt != 0);
10967c478bd9Sstevel@tonic-gate 				semp->semncnt--;
10977c478bd9Sstevel@tonic-gate 				if (cvres > 0)	/* normal wakeup */
10987c478bd9Sstevel@tonic-gate 					goto check;
10997c478bd9Sstevel@tonic-gate 			}
11007c478bd9Sstevel@tonic-gate 
11017c478bd9Sstevel@tonic-gate 			/* EINTR or EAGAIN overrides EIDRM */
11027c478bd9Sstevel@tonic-gate 			if (cvres == 0)
11037c478bd9Sstevel@tonic-gate 				error = EINTR;
11047c478bd9Sstevel@tonic-gate 			else if (cvres < 0)
11057c478bd9Sstevel@tonic-gate 				error = EAGAIN;
11067c478bd9Sstevel@tonic-gate 			else
11077c478bd9Sstevel@tonic-gate 				error = EIDRM;
11087c478bd9Sstevel@tonic-gate 			goto semoperr;
11097c478bd9Sstevel@tonic-gate 		}
11107c478bd9Sstevel@tonic-gate 
11117c478bd9Sstevel@tonic-gate 		/*
11127c478bd9Sstevel@tonic-gate 		 * Wait for zero value
11137c478bd9Sstevel@tonic-gate 		 */
11147c478bd9Sstevel@tonic-gate 		if (semp->semval) {
11157c478bd9Sstevel@tonic-gate 			if (i)
11167c478bd9Sstevel@tonic-gate 				sem_rollback(sp, uops, i, undo);
11177c478bd9Sstevel@tonic-gate 			if (op->sem_flg & IPC_NOWAIT) {
11187c478bd9Sstevel@tonic-gate 				error = EAGAIN;
11197c478bd9Sstevel@tonic-gate 				goto semoperr;
11207c478bd9Sstevel@tonic-gate 			}
11217c478bd9Sstevel@tonic-gate 
11227c478bd9Sstevel@tonic-gate 			if (!held) {
11237c478bd9Sstevel@tonic-gate 				held = 1;
11247c478bd9Sstevel@tonic-gate 				ipc_hold(sem_svc, (kipc_perm_t *)sp);
11257c478bd9Sstevel@tonic-gate 			}
11267c478bd9Sstevel@tonic-gate 			semp->semzcnt++;
11273348528fSdm 			cvres = cv_waituntil_sig(&semp->semzcnt_cv, lock,
1128*d3e55dcdSgww 			    tsp, timecheck);
11297c478bd9Sstevel@tonic-gate 			lock = ipc_relock(sem_svc, sp->sem_perm.ipc_id, lock);
11307c478bd9Sstevel@tonic-gate 
11317c478bd9Sstevel@tonic-gate 			/*
11327c478bd9Sstevel@tonic-gate 			 * Don't touch semp if the semaphores have been removed.
11337c478bd9Sstevel@tonic-gate 			 */
11347c478bd9Sstevel@tonic-gate 			if (!IPC_FREE(&sp->sem_perm)) {
11357c478bd9Sstevel@tonic-gate 				ASSERT(semp->semzcnt != 0);
11367c478bd9Sstevel@tonic-gate 				semp->semzcnt--;
11377c478bd9Sstevel@tonic-gate 				if (cvres > 0)	/* normal wakeup */
11387c478bd9Sstevel@tonic-gate 					goto check;
11397c478bd9Sstevel@tonic-gate 			}
11407c478bd9Sstevel@tonic-gate 
11417c478bd9Sstevel@tonic-gate 			/* EINTR or EAGAIN overrides EIDRM */
11427c478bd9Sstevel@tonic-gate 			if (cvres == 0)
11437c478bd9Sstevel@tonic-gate 				error = EINTR;
11447c478bd9Sstevel@tonic-gate 			else if (cvres < 0)
11457c478bd9Sstevel@tonic-gate 				error = EAGAIN;
11467c478bd9Sstevel@tonic-gate 			else
11477c478bd9Sstevel@tonic-gate 				error = EIDRM;
11487c478bd9Sstevel@tonic-gate 			goto semoperr;
11497c478bd9Sstevel@tonic-gate 		}
11507c478bd9Sstevel@tonic-gate 	}
11517c478bd9Sstevel@tonic-gate 
11527c478bd9Sstevel@tonic-gate 	/* All operations succeeded.  Update sempid for accessed semaphores. */
11537c478bd9Sstevel@tonic-gate 	for (i = 0, op = uops; i++ < nsops;
11547c478bd9Sstevel@tonic-gate 	    sp->sem_base[(op++)->sem_num].sempid = pp->p_pid)
11557c478bd9Sstevel@tonic-gate 		;
11567c478bd9Sstevel@tonic-gate 	sp->sem_otime = gethrestime_sec();
11577c478bd9Sstevel@tonic-gate 	if (held)
11587c478bd9Sstevel@tonic-gate 		ipc_rele(sem_svc, (kipc_perm_t *)sp);
11597c478bd9Sstevel@tonic-gate 	else
11607c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
11617c478bd9Sstevel@tonic-gate 
11627c478bd9Sstevel@tonic-gate 	/* Before leaving, deallocate the buffer that held the user semops */
11637c478bd9Sstevel@tonic-gate 	if (nsops != 1)
11647c478bd9Sstevel@tonic-gate 		kmem_free(uops, sizeof (*uops) * nsops);
11657c478bd9Sstevel@tonic-gate 	return (0);
11667c478bd9Sstevel@tonic-gate 
11677c478bd9Sstevel@tonic-gate 	/*
11687c478bd9Sstevel@tonic-gate 	 * Error return labels
11697c478bd9Sstevel@tonic-gate 	 */
11707c478bd9Sstevel@tonic-gate semoperr:
11717c478bd9Sstevel@tonic-gate 	if (held)
11727c478bd9Sstevel@tonic-gate 		ipc_rele(sem_svc, (kipc_perm_t *)sp);
11737c478bd9Sstevel@tonic-gate 	else
11747c478bd9Sstevel@tonic-gate 		mutex_exit(lock);
11757c478bd9Sstevel@tonic-gate 
11767c478bd9Sstevel@tonic-gate semoperr_unlocked:
11777c478bd9Sstevel@tonic-gate 
11787c478bd9Sstevel@tonic-gate 	/* Before leaving, deallocate the buffer that held the user semops */
11797c478bd9Sstevel@tonic-gate 	if (nsops != 1)
11807c478bd9Sstevel@tonic-gate 		kmem_free(uops, sizeof (*uops) * nsops);
11817c478bd9Sstevel@tonic-gate 	return (set_errno(error));
11827c478bd9Sstevel@tonic-gate }
11837c478bd9Sstevel@tonic-gate 
/*
 * semsys - System entry point for semctl, semget, and semop system calls.
 *
 * Selects the handler named by opcode (SEMCTL, SEMGET, SEMOP, SEMIDS or
 * SEMTIMEDOP) and returns that handler's result unchanged.  Any other
 * opcode returns set_errno(EINVAL).
 *
 * a1..a4 are raw uintptr_t values that are only cast to the handler's
 * parameter types here; no range or pointer validation happens in this
 * function.  NOTE(review): the pointer-typed arguments (a2 for SEMOP and
 * SEMTIMEDOP, a1 and a3 for SEMIDS, a4 for SEMTIMEDOP) are presumably
 * user-space addresses, and the count in a3 is presumably caller
 * controlled -- confirm that each handler bounds the count and copies the
 * data in/out instead of dereferencing these pointers directly.
 */
static int
semsys(int opcode, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4)
{
	switch (opcode) {
	case SEMCTL:
		/* a4 is handed over uncast; semctl interprets it itself. */
		return (semctl((int)a1, (uint_t)a2, (int)a3, a4));
	case SEMGET:
		return (semget((key_t)a1, (int)a2, (int)a3));
	case SEMOP:
		/* Plain semop: the timeout argument is passed as 0. */
		return (semop((int)a1, (struct sembuf *)a2, (size_t)a3, 0));
	case SEMIDS:
		return (semids((int *)a1, (uint_t)a2, (uint_t *)a3));
	case SEMTIMEDOP:
		/* Same handler as SEMOP, with a4 supplying the timeout. */
		return (semop((int)a1, (struct sembuf *)a2, (size_t)a3,
		    (timespec_t *)a4));
	default:
		break;
	}

	/* Unknown opcode. */
	return (set_errno(EINVAL));
}