1 /* $NetBSD: sysv_msg.c,v 1.43 2006/06/07 22:33:41 kardel Exp $ */ 2 3 /*- 4 * Copyright (c) 1999 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Jason R. Thorpe of the Numerical Aerospace Simulation Facility, 9 * NASA Ames Research Center. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. All advertising materials mentioning features or use of this software 20 * must display the following acknowledgement: 21 * This product includes software developed by the NetBSD 22 * Foundation, Inc. and its contributors. 23 * 4. Neither the name of The NetBSD Foundation nor the names of its 24 * contributors may be used to endorse or promote products derived 25 * from this software without specific prior written permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 28 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 29 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 30 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 31 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 32 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 33 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 34 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 35 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 36 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 37 * POSSIBILITY OF SUCH DAMAGE. 38 */ 39 40 /* 41 * Implementation of SVID messages 42 * 43 * Author: Daniel Boulet 44 * 45 * Copyright 1993 Daniel Boulet and RTMX Inc. 46 * 47 * This system call was implemented by Daniel Boulet under contract from RTMX. 48 * 49 * Redistribution and use in source forms, with and without modification, 50 * are permitted provided that this entire comment appears intact. 51 * 52 * Redistribution in binary form may occur without any restrictions. 53 * Obviously, it would be nice if you gave credit where credit is due 54 * but requiring it would be too onerous. 55 * 56 * This software is provided ``AS IS'' without any warranties of any kind. 57 */ 58 59 #include <sys/cdefs.h> 60 __KERNEL_RCSID(0, "$NetBSD: sysv_msg.c,v 1.43 2006/06/07 22:33:41 kardel Exp $"); 61 62 #define SYSVMSG 63 64 #include <sys/param.h> 65 #include <sys/kernel.h> 66 #include <sys/msg.h> 67 #include <sys/sysctl.h> 68 #include <sys/mount.h> /* XXX for <sys/syscallargs.h> */ 69 #include <sys/sa.h> 70 #include <sys/syscallargs.h> 71 #include <sys/kauth.h> 72 73 #define MSG_DEBUG 74 #undef MSG_DEBUG_OK 75 76 #ifdef MSG_DEBUG_OK 77 #define MSG_PRINTF(a) printf a 78 #else 79 #define MSG_PRINTF(a) 80 #endif 81 82 static int nfree_msgmaps; /* # of free map entries */ 83 static short free_msgmaps; /* head of linked list of free map entries */ 84 static struct __msg *free_msghdrs; /* list of free msg headers */ 85 static char *msgpool; /* MSGMAX byte long msg buffer pool */ 86 static struct msgmap *msgmaps; /* MSGSEG msgmap structures */ 87 static struct __msg *msghdrs; /* MSGTQL msg headers */ 88 struct msqid_ds *msqids; /* MSGMNI msqid_ds struct's */ 89 90 static void msg_freehdr(struct __msg *); 91 92 void 93 msginit(void) 94 { 95 int i, sz; 96 vaddr_t v; 97 98 /* 99 * msginfo.msgssz should be a power of two for efficiency reasons. 100 * It is also pretty silly if msginfo.msgssz is less than 8 101 * or greater than about 256 so ... 102 */ 103 104 i = 8; 105 while (i < 1024 && i != msginfo.msgssz) 106 i <<= 1; 107 if (i != msginfo.msgssz) { 108 MSG_PRINTF(("msginfo.msgssz=%d (0x%x)\n", msginfo.msgssz, 109 msginfo.msgssz)); 110 panic("msginfo.msgssz not a small power of 2"); 111 } 112 113 if (msginfo.msgseg > 32767) { 114 MSG_PRINTF(("msginfo.msgseg=%d\n", msginfo.msgseg)); 115 panic("msginfo.msgseg > 32767"); 116 } 117 118 /* Allocate pageable memory for our structures */ 119 sz = msginfo.msgmax 120 + msginfo.msgseg * sizeof(struct msgmap) 121 + msginfo.msgtql * sizeof(struct __msg) 122 + msginfo.msgmni * sizeof(struct msqid_ds); 123 v = uvm_km_alloc(kernel_map, round_page(sz), 0, 124 UVM_KMF_WIRED|UVM_KMF_ZERO); 125 if (v == 0) 126 panic("sysv_msg: cannot allocate memory"); 127 msgpool = (void *)v; 128 msgmaps = (void *) (msgpool + msginfo.msgmax); 129 msghdrs = (void *) (msgmaps + msginfo.msgseg); 130 msqids = (void *) (msghdrs + msginfo.msgtql); 131 132 for (i = 0; i < msginfo.msgseg; i++) { 133 if (i > 0) 134 msgmaps[i-1].next = i; 135 msgmaps[i].next = -1; /* implies entry is available */ 136 } 137 free_msgmaps = 0; 138 nfree_msgmaps = msginfo.msgseg; 139 140 if (msghdrs == NULL) 141 panic("msghdrs is NULL"); 142 143 for (i = 0; i < msginfo.msgtql; i++) { 144 msghdrs[i].msg_type = 0; 145 if (i > 0) 146 msghdrs[i-1].msg_next = &msghdrs[i]; 147 msghdrs[i].msg_next = NULL; 148 } 149 free_msghdrs = &msghdrs[0]; 150 151 if (msqids == NULL) 152 panic("msqids is NULL"); 153 154 for (i = 0; i < msginfo.msgmni; i++) { 155 msqids[i].msg_qbytes = 0; /* implies entry is available */ 156 msqids[i].msg_perm._seq = 0; /* reset to a known value */ 157 } 158 } 159 160 static void 161 msg_freehdr(struct __msg *msghdr) 162 { 163 while (msghdr->msg_ts > 0) { 164 short next; 165 if (msghdr->msg_spot < 0 || msghdr->msg_spot >= msginfo.msgseg) 166 panic("msghdr->msg_spot out of range"); 167 next = msgmaps[msghdr->msg_spot].next; 168 msgmaps[msghdr->msg_spot].next = free_msgmaps; 169 free_msgmaps = msghdr->msg_spot; 170 nfree_msgmaps++; 171 msghdr->msg_spot = next; 172 if (msghdr->msg_ts >= msginfo.msgssz) 173 msghdr->msg_ts -= msginfo.msgssz; 174 else 175 msghdr->msg_ts = 0; 176 } 177 if (msghdr->msg_spot != -1) 178 panic("msghdr->msg_spot != -1"); 179 msghdr->msg_next = free_msghdrs; 180 free_msghdrs = msghdr; 181 } 182 183 int 184 sys___msgctl13(struct lwp *l, void *v, register_t *retval) 185 { 186 struct sys___msgctl13_args /* { 187 syscallarg(int) msqid; 188 syscallarg(int) cmd; 189 syscallarg(struct msqid_ds *) buf; 190 } */ *uap = v; 191 struct proc *p = l->l_proc; 192 struct msqid_ds msqbuf; 193 int cmd, error; 194 195 cmd = SCARG(uap, cmd); 196 197 if (cmd == IPC_SET) { 198 error = copyin(SCARG(uap, buf), &msqbuf, sizeof(msqbuf)); 199 if (error) 200 return (error); 201 } 202 203 error = msgctl1(p, SCARG(uap, msqid), cmd, 204 (cmd == IPC_SET || cmd == IPC_STAT) ? &msqbuf : NULL); 205 206 if (error == 0 && cmd == IPC_STAT) 207 error = copyout(&msqbuf, SCARG(uap, buf), sizeof(msqbuf)); 208 209 return (error); 210 } 211 212 int 213 msgctl1(struct proc *p, int msqid, int cmd, struct msqid_ds *msqbuf) 214 { 215 kauth_cred_t cred = p->p_cred; 216 struct msqid_ds *msqptr; 217 int error = 0, ix; 218 219 MSG_PRINTF(("call to msgctl1(%d, %d)\n", msqid, cmd)); 220 221 ix = IPCID_TO_IX(msqid); 222 223 if (ix < 0 || ix >= msginfo.msgmni) { 224 MSG_PRINTF(("msqid (%d) out of range (0<=msqid<%d)\n", ix, 225 msginfo.msgmni)); 226 return (EINVAL); 227 } 228 229 msqptr = &msqids[ix]; 230 231 if (msqptr->msg_qbytes == 0) { 232 MSG_PRINTF(("no such msqid\n")); 233 return (EINVAL); 234 } 235 if (msqptr->msg_perm._seq != IPCID_TO_SEQ(msqid)) { 236 MSG_PRINTF(("wrong sequence number\n")); 237 return (EINVAL); 238 } 239 240 switch (cmd) { 241 case IPC_RMID: 242 { 243 struct __msg *msghdr; 244 if ((error = ipcperm(cred, &msqptr->msg_perm, IPC_M)) != 0) 245 return (error); 246 /* Free the message headers */ 247 msghdr = msqptr->_msg_first; 248 while (msghdr != NULL) { 249 struct __msg *msghdr_tmp; 250 251 /* Free the segments of each message */ 252 msqptr->_msg_cbytes -= msghdr->msg_ts; 253 msqptr->msg_qnum--; 254 msghdr_tmp = msghdr; 255 msghdr = msghdr->msg_next; 256 msg_freehdr(msghdr_tmp); 257 } 258 259 if (msqptr->_msg_cbytes != 0) 260 panic("msg_cbytes is screwed up"); 261 if (msqptr->msg_qnum != 0) 262 panic("msg_qnum is screwed up"); 263 264 msqptr->msg_qbytes = 0; /* Mark it as free */ 265 266 wakeup(msqptr); 267 } 268 break; 269 270 case IPC_SET: 271 if ((error = ipcperm(cred, &msqptr->msg_perm, IPC_M))) 272 return (error); 273 if (msqbuf->msg_qbytes > msqptr->msg_qbytes && kauth_cred_geteuid(cred) != 0) 274 return (EPERM); 275 if (msqbuf->msg_qbytes > msginfo.msgmnb) { 276 MSG_PRINTF(("can't increase msg_qbytes beyond %d " 277 "(truncating)\n", msginfo.msgmnb)); 278 /* silently restrict qbytes to system limit */ 279 msqbuf->msg_qbytes = msginfo.msgmnb; 280 } 281 if (msqbuf->msg_qbytes == 0) { 282 MSG_PRINTF(("can't reduce msg_qbytes to 0\n")); 283 return (EINVAL); /* XXX non-standard errno! */ 284 } 285 msqptr->msg_perm.uid = msqbuf->msg_perm.uid; 286 msqptr->msg_perm.gid = msqbuf->msg_perm.gid; 287 msqptr->msg_perm.mode = (msqptr->msg_perm.mode & ~0777) | 288 (msqbuf->msg_perm.mode & 0777); 289 msqptr->msg_qbytes = msqbuf->msg_qbytes; 290 msqptr->msg_ctime = time_second; 291 break; 292 293 case IPC_STAT: 294 if ((error = ipcperm(cred, &msqptr->msg_perm, IPC_R))) { 295 MSG_PRINTF(("requester doesn't have read access\n")); 296 return (error); 297 } 298 memcpy(msqbuf, msqptr, sizeof(struct msqid_ds)); 299 break; 300 301 default: 302 MSG_PRINTF(("invalid command %d\n", cmd)); 303 return (EINVAL); 304 } 305 306 return (error); 307 } 308 309 int 310 sys_msgget(struct lwp *l, void *v, register_t *retval) 311 { 312 struct sys_msgget_args /* { 313 syscallarg(key_t) key; 314 syscallarg(int) msgflg; 315 } */ *uap = v; 316 struct proc *p = l->l_proc; 317 int msqid, error; 318 int key = SCARG(uap, key); 319 int msgflg = SCARG(uap, msgflg); 320 kauth_cred_t cred = p->p_cred; 321 struct msqid_ds *msqptr = NULL; 322 323 MSG_PRINTF(("msgget(0x%x, 0%o)\n", key, msgflg)); 324 325 if (key != IPC_PRIVATE) { 326 for (msqid = 0; msqid < msginfo.msgmni; msqid++) { 327 msqptr = &msqids[msqid]; 328 if (msqptr->msg_qbytes != 0 && 329 msqptr->msg_perm._key == key) 330 break; 331 } 332 if (msqid < msginfo.msgmni) { 333 MSG_PRINTF(("found public key\n")); 334 if ((msgflg & IPC_CREAT) && (msgflg & IPC_EXCL)) { 335 MSG_PRINTF(("not exclusive\n")); 336 return(EEXIST); 337 } 338 if ((error = ipcperm(cred, &msqptr->msg_perm, 339 msgflg & 0700 ))) { 340 MSG_PRINTF(("requester doesn't have 0%o access\n", 341 msgflg & 0700)); 342 return (error); 343 } 344 goto found; 345 } 346 } 347 348 MSG_PRINTF(("need to allocate the msqid_ds\n")); 349 if (key == IPC_PRIVATE || (msgflg & IPC_CREAT)) { 350 for (msqid = 0; msqid < msginfo.msgmni; msqid++) { 351 /* 352 * Look for an unallocated and unlocked msqid_ds. 353 * msqid_ds's can be locked by msgsnd or msgrcv while 354 * they are copying the message in/out. We can't 355 * re-use the entry until they release it. 356 */ 357 msqptr = &msqids[msqid]; 358 if (msqptr->msg_qbytes == 0 && 359 (msqptr->msg_perm.mode & MSG_LOCKED) == 0) 360 break; 361 } 362 if (msqid == msginfo.msgmni) { 363 MSG_PRINTF(("no more msqid_ds's available\n")); 364 return (ENOSPC); 365 } 366 MSG_PRINTF(("msqid %d is available\n", msqid)); 367 msqptr->msg_perm._key = key; 368 msqptr->msg_perm.cuid = kauth_cred_geteuid(cred); 369 msqptr->msg_perm.uid = kauth_cred_geteuid(cred); 370 msqptr->msg_perm.cgid = kauth_cred_getegid(cred); 371 msqptr->msg_perm.gid = kauth_cred_getegid(cred); 372 msqptr->msg_perm.mode = (msgflg & 0777); 373 /* Make sure that the returned msqid is unique */ 374 msqptr->msg_perm._seq++; 375 msqptr->_msg_first = NULL; 376 msqptr->_msg_last = NULL; 377 msqptr->_msg_cbytes = 0; 378 msqptr->msg_qnum = 0; 379 msqptr->msg_qbytes = msginfo.msgmnb; 380 msqptr->msg_lspid = 0; 381 msqptr->msg_lrpid = 0; 382 msqptr->msg_stime = 0; 383 msqptr->msg_rtime = 0; 384 msqptr->msg_ctime = time_second; 385 } else { 386 MSG_PRINTF(("didn't find it and wasn't asked to create it\n")); 387 return (ENOENT); 388 } 389 390 found: 391 /* Construct the unique msqid */ 392 *retval = IXSEQ_TO_IPCID(msqid, msqptr->msg_perm); 393 return (0); 394 } 395 396 int 397 sys_msgsnd(struct lwp *l, void *v, register_t *retval) 398 { 399 struct sys_msgsnd_args /* { 400 syscallarg(int) msqid; 401 syscallarg(const void *) msgp; 402 syscallarg(size_t) msgsz; 403 syscallarg(int) msgflg; 404 } */ *uap = v; 405 406 return msgsnd1(l->l_proc, SCARG(uap, msqid), SCARG(uap, msgp), 407 SCARG(uap, msgsz), SCARG(uap, msgflg), sizeof(long), copyin); 408 } 409 410 int 411 msgsnd1(struct proc *p, int msqidr, const char *user_msgp, size_t msgsz, 412 int msgflg, size_t typesz, copyin_t fetch_type) 413 { 414 int segs_needed, error, msqid; 415 kauth_cred_t cred = p->p_cred; 416 struct msqid_ds *msqptr; 417 struct __msg *msghdr; 418 short next; 419 420 MSG_PRINTF(("call to msgsnd(%d, %p, %lld, %d)\n", msqid, user_msgp, 421 (long long)msgsz, msgflg)); 422 423 msqid = IPCID_TO_IX(msqidr); 424 425 if (msqid < 0 || msqid >= msginfo.msgmni) { 426 MSG_PRINTF(("msqid (%d) out of range (0<=msqid<%d)\n", msqid, 427 msginfo.msgmni)); 428 return (EINVAL); 429 } 430 431 msqptr = &msqids[msqid]; 432 if (msqptr->msg_qbytes == 0) { 433 MSG_PRINTF(("no such message queue id\n")); 434 return (EINVAL); 435 } 436 if (msqptr->msg_perm._seq != IPCID_TO_SEQ(msqidr)) { 437 MSG_PRINTF(("wrong sequence number\n")); 438 return (EINVAL); 439 } 440 441 if ((error = ipcperm(cred, &msqptr->msg_perm, IPC_W))) { 442 MSG_PRINTF(("requester doesn't have write access\n")); 443 return (error); 444 } 445 446 segs_needed = (msgsz + msginfo.msgssz - 1) / msginfo.msgssz; 447 MSG_PRINTF(("msgsz=%lld, msgssz=%d, segs_needed=%d\n", 448 (long long)msgsz, msginfo.msgssz, segs_needed)); 449 for (;;) { 450 int need_more_resources = 0; 451 452 /* 453 * check msgsz [cannot be negative since it is unsigned] 454 * (inside this loop in case msg_qbytes changes while we sleep) 455 */ 456 457 if (msgsz > msqptr->msg_qbytes) { 458 MSG_PRINTF(("msgsz > msqptr->msg_qbytes\n")); 459 return (EINVAL); 460 } 461 462 if (msqptr->msg_perm.mode & MSG_LOCKED) { 463 MSG_PRINTF(("msqid is locked\n")); 464 need_more_resources = 1; 465 } 466 if (msgsz + msqptr->_msg_cbytes > msqptr->msg_qbytes) { 467 MSG_PRINTF(("msgsz + msg_cbytes > msg_qbytes\n")); 468 need_more_resources = 1; 469 } 470 if (segs_needed > nfree_msgmaps) { 471 MSG_PRINTF(("segs_needed > nfree_msgmaps\n")); 472 need_more_resources = 1; 473 } 474 if (free_msghdrs == NULL) { 475 MSG_PRINTF(("no more msghdrs\n")); 476 need_more_resources = 1; 477 } 478 479 if (need_more_resources) { 480 int we_own_it; 481 482 if ((msgflg & IPC_NOWAIT) != 0) { 483 MSG_PRINTF(("need more resources but caller " 484 "doesn't want to wait\n")); 485 return (EAGAIN); 486 } 487 488 if ((msqptr->msg_perm.mode & MSG_LOCKED) != 0) { 489 MSG_PRINTF(("we don't own the msqid_ds\n")); 490 we_own_it = 0; 491 } else { 492 /* Force later arrivals to wait for our 493 request */ 494 MSG_PRINTF(("we own the msqid_ds\n")); 495 msqptr->msg_perm.mode |= MSG_LOCKED; 496 we_own_it = 1; 497 } 498 MSG_PRINTF(("goodnight\n")); 499 error = tsleep(msqptr, (PZERO - 4) | PCATCH, 500 "msgwait", 0); 501 MSG_PRINTF(("good morning, error=%d\n", error)); 502 if (we_own_it) 503 msqptr->msg_perm.mode &= ~MSG_LOCKED; 504 if (error != 0) { 505 MSG_PRINTF(("msgsnd: interrupted system " 506 "call\n")); 507 return (EINTR); 508 } 509 510 /* 511 * Make sure that the msq queue still exists 512 */ 513 514 if (msqptr->msg_qbytes == 0) { 515 MSG_PRINTF(("msqid deleted\n")); 516 return (EIDRM); 517 } 518 } else { 519 MSG_PRINTF(("got all the resources that we need\n")); 520 break; 521 } 522 } 523 524 /* 525 * We have the resources that we need. 526 * Make sure! 527 */ 528 529 if (msqptr->msg_perm.mode & MSG_LOCKED) 530 panic("msg_perm.mode & MSG_LOCKED"); 531 if (segs_needed > nfree_msgmaps) 532 panic("segs_needed > nfree_msgmaps"); 533 if (msgsz + msqptr->_msg_cbytes > msqptr->msg_qbytes) 534 panic("msgsz + msg_cbytes > msg_qbytes"); 535 if (free_msghdrs == NULL) 536 panic("no more msghdrs"); 537 538 /* 539 * Re-lock the msqid_ds in case we page-fault when copying in the 540 * message 541 */ 542 543 if ((msqptr->msg_perm.mode & MSG_LOCKED) != 0) 544 panic("msqid_ds is already locked"); 545 msqptr->msg_perm.mode |= MSG_LOCKED; 546 547 /* 548 * Allocate a message header 549 */ 550 551 msghdr = free_msghdrs; 552 free_msghdrs = msghdr->msg_next; 553 msghdr->msg_spot = -1; 554 msghdr->msg_ts = msgsz; 555 556 /* 557 * Allocate space for the message 558 */ 559 560 while (segs_needed > 0) { 561 if (nfree_msgmaps <= 0) 562 panic("not enough msgmaps"); 563 if (free_msgmaps == -1) 564 panic("nil free_msgmaps"); 565 next = free_msgmaps; 566 if (next <= -1) 567 panic("next too low #1"); 568 if (next >= msginfo.msgseg) 569 panic("next out of range #1"); 570 MSG_PRINTF(("allocating segment %d to message\n", next)); 571 free_msgmaps = msgmaps[next].next; 572 nfree_msgmaps--; 573 msgmaps[next].next = msghdr->msg_spot; 574 msghdr->msg_spot = next; 575 segs_needed--; 576 } 577 578 /* 579 * Copy in the message type 580 */ 581 582 if ((error = (*fetch_type)(user_msgp, &msghdr->msg_type, 583 typesz)) != 0) { 584 MSG_PRINTF(("error %d copying the message type\n", error)); 585 msg_freehdr(msghdr); 586 msqptr->msg_perm.mode &= ~MSG_LOCKED; 587 wakeup(msqptr); 588 return (error); 589 } 590 user_msgp += typesz; 591 592 /* 593 * Validate the message type 594 */ 595 596 if (msghdr->msg_type < 1) { 597 msg_freehdr(msghdr); 598 msqptr->msg_perm.mode &= ~MSG_LOCKED; 599 wakeup(msqptr); 600 MSG_PRINTF(("mtype (%ld) < 1\n", msghdr->msg_type)); 601 return (EINVAL); 602 } 603 604 /* 605 * Copy in the message body 606 */ 607 608 next = msghdr->msg_spot; 609 while (msgsz > 0) { 610 size_t tlen; 611 if (msgsz > msginfo.msgssz) 612 tlen = msginfo.msgssz; 613 else 614 tlen = msgsz; 615 if (next <= -1) 616 panic("next too low #2"); 617 if (next >= msginfo.msgseg) 618 panic("next out of range #2"); 619 if ((error = copyin(user_msgp, &msgpool[next * msginfo.msgssz], 620 tlen)) != 0) { 621 MSG_PRINTF(("error %d copying in message segment\n", 622 error)); 623 msg_freehdr(msghdr); 624 msqptr->msg_perm.mode &= ~MSG_LOCKED; 625 wakeup(msqptr); 626 return (error); 627 } 628 msgsz -= tlen; 629 user_msgp += tlen; 630 next = msgmaps[next].next; 631 } 632 if (next != -1) 633 panic("didn't use all the msg segments"); 634 635 /* 636 * We've got the message. Unlock the msqid_ds. 637 */ 638 639 msqptr->msg_perm.mode &= ~MSG_LOCKED; 640 641 /* 642 * Make sure that the msqid_ds is still allocated. 643 */ 644 645 if (msqptr->msg_qbytes == 0) { 646 msg_freehdr(msghdr); 647 wakeup(msqptr); 648 return (EIDRM); 649 } 650 651 /* 652 * Put the message into the queue 653 */ 654 655 if (msqptr->_msg_first == NULL) { 656 msqptr->_msg_first = msghdr; 657 msqptr->_msg_last = msghdr; 658 } else { 659 msqptr->_msg_last->msg_next = msghdr; 660 msqptr->_msg_last = msghdr; 661 } 662 msqptr->_msg_last->msg_next = NULL; 663 664 msqptr->_msg_cbytes += msghdr->msg_ts; 665 msqptr->msg_qnum++; 666 msqptr->msg_lspid = p->p_pid; 667 msqptr->msg_stime = time_second; 668 669 wakeup(msqptr); 670 return (0); 671 } 672 673 int 674 sys_msgrcv(struct lwp *l, void *v, register_t *retval) 675 { 676 struct sys_msgrcv_args /* { 677 syscallarg(int) msqid; 678 syscallarg(void *) msgp; 679 syscallarg(size_t) msgsz; 680 syscallarg(long) msgtyp; 681 syscallarg(int) msgflg; 682 } */ *uap = v; 683 684 return msgrcv1(l->l_proc, SCARG(uap, msqid), SCARG(uap, msgp), 685 SCARG(uap, msgsz), SCARG(uap, msgtyp), SCARG(uap, msgflg), 686 sizeof(long), copyout, retval); 687 } 688 689 int 690 msgrcv1(struct proc *p, int msqidr, char *user_msgp, size_t msgsz, long msgtyp, 691 int msgflg, size_t typesz, copyout_t put_type, register_t *retval) 692 { 693 size_t len; 694 kauth_cred_t cred = p->p_cred; 695 struct msqid_ds *msqptr; 696 struct __msg *msghdr; 697 int error, msqid; 698 short next; 699 700 MSG_PRINTF(("call to msgrcv(%d, %p, %lld, %ld, %d)\n", msqid, 701 user_msgp, (long long)msgsz, msgtyp, msgflg)); 702 703 msqid = IPCID_TO_IX(msqidr); 704 705 if (msqid < 0 || msqid >= msginfo.msgmni) { 706 MSG_PRINTF(("msqid (%d) out of range (0<=msqid<%d)\n", msqid, 707 msginfo.msgmni)); 708 return (EINVAL); 709 } 710 711 msqptr = &msqids[msqid]; 712 if (msqptr->msg_qbytes == 0) { 713 MSG_PRINTF(("no such message queue id\n")); 714 return (EINVAL); 715 } 716 if (msqptr->msg_perm._seq != IPCID_TO_SEQ(msqidr)) { 717 MSG_PRINTF(("wrong sequence number\n")); 718 return (EINVAL); 719 } 720 721 if ((error = ipcperm(cred, &msqptr->msg_perm, IPC_R))) { 722 MSG_PRINTF(("requester doesn't have read access\n")); 723 return (error); 724 } 725 726 #if 0 727 /* cannot happen, msgsz is unsigned */ 728 if (msgsz < 0) { 729 MSG_PRINTF(("msgsz < 0\n")); 730 return (EINVAL); 731 } 732 #endif 733 734 msghdr = NULL; 735 while (msghdr == NULL) { 736 if (msgtyp == 0) { 737 msghdr = msqptr->_msg_first; 738 if (msghdr != NULL) { 739 if (msgsz < msghdr->msg_ts && 740 (msgflg & MSG_NOERROR) == 0) { 741 MSG_PRINTF(("first message on the " 742 "queue is too big " 743 "(want %lld, got %d)\n", 744 (long long)msgsz, msghdr->msg_ts)); 745 return (E2BIG); 746 } 747 if (msqptr->_msg_first == msqptr->_msg_last) { 748 msqptr->_msg_first = NULL; 749 msqptr->_msg_last = NULL; 750 } else { 751 msqptr->_msg_first = msghdr->msg_next; 752 if (msqptr->_msg_first == NULL) 753 panic("msg_first/last screwed " 754 "up #1"); 755 } 756 } 757 } else { 758 struct __msg *previous; 759 struct __msg **prev; 760 761 for (previous = NULL, prev = &msqptr->_msg_first; 762 (msghdr = *prev) != NULL; 763 previous = msghdr, prev = &msghdr->msg_next) { 764 /* 765 * Is this message's type an exact match or is 766 * this message's type less than or equal to 767 * the absolute value of a negative msgtyp? 768 * Note that the second half of this test can 769 * NEVER be true if msgtyp is positive since 770 * msg_type is always positive! 771 */ 772 773 if (msgtyp == msghdr->msg_type || 774 msghdr->msg_type <= -msgtyp) { 775 MSG_PRINTF(("found message type %ld, " 776 "requested %ld\n", 777 msghdr->msg_type, msgtyp)); 778 if (msgsz < msghdr->msg_ts && 779 (msgflg & MSG_NOERROR) == 0) { 780 MSG_PRINTF(("requested message " 781 "on the queue is too big " 782 "(want %lld, got %d)\n", 783 (long long)msgsz, 784 msghdr->msg_ts)); 785 return (E2BIG); 786 } 787 *prev = msghdr->msg_next; 788 if (msghdr == msqptr->_msg_last) { 789 if (previous == NULL) { 790 if (prev != 791 &msqptr->_msg_first) 792 panic("msg_first/last screwed up #2"); 793 msqptr->_msg_first = 794 NULL; 795 msqptr->_msg_last = 796 NULL; 797 } else { 798 if (prev == 799 &msqptr->_msg_first) 800 panic("msg_first/last screwed up #3"); 801 msqptr->_msg_last = 802 previous; 803 } 804 } 805 break; 806 } 807 } 808 } 809 810 /* 811 * We've either extracted the msghdr for the appropriate 812 * message or there isn't one. 813 * If there is one then bail out of this loop. 814 */ 815 816 if (msghdr != NULL) 817 break; 818 819 /* 820 * Hmph! No message found. Does the user want to wait? 821 */ 822 823 if ((msgflg & IPC_NOWAIT) != 0) { 824 MSG_PRINTF(("no appropriate message found (msgtyp=%ld)\n", 825 msgtyp)); 826 /* The SVID says to return ENOMSG. */ 827 #ifdef ENOMSG 828 return (ENOMSG); 829 #else 830 /* Unfortunately, BSD doesn't define that code yet! */ 831 return (EAGAIN); 832 #endif 833 } 834 835 /* 836 * Wait for something to happen 837 */ 838 839 MSG_PRINTF(("msgrcv: goodnight\n")); 840 error = tsleep(msqptr, (PZERO - 4) | PCATCH, "msgwait", 841 0); 842 MSG_PRINTF(("msgrcv: good morning (error=%d)\n", error)); 843 844 if (error != 0) { 845 MSG_PRINTF(("msgsnd: interrupted system call\n")); 846 return (EINTR); 847 } 848 849 /* 850 * Make sure that the msq queue still exists 851 */ 852 853 if (msqptr->msg_qbytes == 0 || 854 msqptr->msg_perm._seq != IPCID_TO_SEQ(msqidr)) { 855 MSG_PRINTF(("msqid deleted\n")); 856 return (EIDRM); 857 } 858 } 859 860 /* 861 * Return the message to the user. 862 * 863 * First, do the bookkeeping (before we risk being interrupted). 864 */ 865 866 msqptr->_msg_cbytes -= msghdr->msg_ts; 867 msqptr->msg_qnum--; 868 msqptr->msg_lrpid = p->p_pid; 869 msqptr->msg_rtime = time_second; 870 871 /* 872 * Make msgsz the actual amount that we'll be returning. 873 * Note that this effectively truncates the message if it is too long 874 * (since msgsz is never increased). 875 */ 876 877 MSG_PRINTF(("found a message, msgsz=%lld, msg_ts=%d\n", 878 (long long)msgsz, msghdr->msg_ts)); 879 if (msgsz > msghdr->msg_ts) 880 msgsz = msghdr->msg_ts; 881 882 /* 883 * Return the type to the user. 884 */ 885 886 error = (*put_type)(&msghdr->msg_type, user_msgp, typesz); 887 if (error != 0) { 888 MSG_PRINTF(("error (%d) copying out message type\n", error)); 889 msg_freehdr(msghdr); 890 wakeup(msqptr); 891 return (error); 892 } 893 user_msgp += typesz; 894 895 /* 896 * Return the segments to the user 897 */ 898 899 next = msghdr->msg_spot; 900 for (len = 0; len < msgsz; len += msginfo.msgssz) { 901 size_t tlen; 902 903 if (msgsz - len > msginfo.msgssz) 904 tlen = msginfo.msgssz; 905 else 906 tlen = msgsz - len; 907 if (next <= -1) 908 panic("next too low #3"); 909 if (next >= msginfo.msgseg) 910 panic("next out of range #3"); 911 error = copyout(&msgpool[next * msginfo.msgssz], 912 user_msgp, tlen); 913 if (error != 0) { 914 MSG_PRINTF(("error (%d) copying out message segment\n", 915 error)); 916 msg_freehdr(msghdr); 917 wakeup(msqptr); 918 return (error); 919 } 920 user_msgp += tlen; 921 next = msgmaps[next].next; 922 } 923 924 /* 925 * Done, return the actual number of bytes copied out. 926 */ 927 928 msg_freehdr(msghdr); 929 wakeup(msqptr); 930 *retval = msgsz; 931 return (0); 932 } 933