| blob | 78834373ef5cd0b1648582819de5c091a6eef899 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
25 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
26 /* All Rights Reserved */
29 /*
30 * Common Inter-Process Communication routines.
31 *
32 * Overview
33 * --------
34 *
35 * The System V inter-process communication (IPC) facilities provide
36 * three services, message queues, semaphore arrays, and shared memory
37 * segments, which are mananged using filesystem-like namespaces.
38 * Unlike a filesystem, these namespaces aren't mounted and accessible
39 * via a path -- a special API is used to interact with the different
40 * facilities (nothing precludes a VFS-based interface, but the
41 * standards require the special APIs). Furthermore, these special
42 * APIs don't use file descriptors, nor do they have an equivalent.
43 * This means that every operation which acts on an object needs to
44 * perform the quivalent of a lookup, which in turn means that every
45 * operation can fail if the specified object doesn't exist in the
46 * facility's namespace.
47 *
48 * Objects
49 * -------
50 *
51 * Each object in a namespace has a unique ID, which is assigned by the
52 * system and is used to identify the object when performing operations
53 * on it. An object can also have a key, which is selected by the user
54 * at allocation time and is used as a primitive rendezvous mechanism.
55 * An object without a key is said to have a "private" key.
56 *
57 * To perform an operation on an object given its key, one must first
58 * perform a lookup and obtain its ID. The ID is then used to identify
59 * the object when performing the operation. If the object has a
60 * private key, the ID must be known or obtained by other means.
61 *
62 * Each object in the namespace has a creator uid and gid, as well as
63 * an owner uid and gid. Both are initialized with the ruid and rgid
64 * of the process which created the object. The creator or current
65 * owner has the ability to change the owner of the object.
66 *
67 * Each object in the namespace has a set of file-like permissions,
68 * which, in conjunction with the creator and owner uid and gid,
69 * control read and write access to the object (execute is ignored).
70 *
71 * Each object also has a creator project and zone, which are used to
72 * account for its resource usage.
73 *
74 * Operations
75 * ----------
76 *
77 * There are five operations which all three facilities have in
78 * common: GET, SET, STAT, RMID, and IDS.
79 *
80 * GET, like open, is used to allocate a new object or obtain an
81 * existing one (using its key). It takes a key, a set of flags and
82 * mode bits, and optionally facility-specific arguments. If the key
83 * is IPC_PRIVATE, a new object with the requested mode bits and
84 * facility-specific attributes is created. If the key isn't
85 * IPC_PRIVATE, the GET will attempt to look up the specified key and
86 * either return that or create a new key depending on the state of the
87 * IPC_CREAT and IPC_EXCL flags, much like open. If GET needs to
88 * allocate an object, it can fail if there is insufficient space in
89 * the namespace (the maximum number of ids for the facility has been
90 * exceeded) or if the facility-specific initialization fails. If GET
91 * finds an object it can return, it can still fail if that object's
92 * permissions or facility-specific attributes are less than those
93 * requested.
94 *
95 * SET is used to adjust facility-specific parameters of an object, in
96 * addition to the owner uid and gid, and mode bits. It can fail if
97 * the caller isn't the creator or owner.
98 *
99 * STAT is used to obtain information about an object including the
100 * general attributes object described as well as facility-specific
101 * information. It can fail if the caller doesn't have read
102 * permission.
103 *
104 * RMID removes an object from the namespace. Subsequent operations
105 * using the object's ID or key will fail (until another object is
106 * created with the same key or ID). Since an RMID may be performed
107 * asynchronously with other operations, it is possible that other
108 * threads and/or processes will have references to the object. While
109 * a facility may have actions which need to be performed at RMID time,
110 * only when all references are dropped can the object be destroyed.
111 * RMID will fail if the caller isn't the creator or owner.
112 *
113 * IDS obtains a list of all IDs in a facility's namespace. There are
114 * no facility-specific behaviors of IDS.
115 *
116 * Design
117 * ------
118 *
119 * Because some IPC facilities provide services whose operations must
120 * scale, a mechanism which allows fast, concurrent access to
121 * individual objects is needed. Of primary importance is object
122 * lookup based on ID (SET, STAT, others). Allocation (GET),
123 * deallocation (RMID), ID enumeration (IDS), and key lookups (GET) are
124 * lesser concerns, but should be implemented in such a way that ID
125 * lookup isn't affected (at least not in the common case).
126 *
127 * Starting from the bottom up, each object is represented by a
128 * structure, the first member of which must be a kipc_perm_t. The
129 * kipc_perm_t contains the information described above in "Objects", a
130 * reference count (since the object may continue to exist after it has
131 * been removed from the namespace), as well as some additional
132 * metadata used to manage data structure membership. These objects
133 * are dynamically allocated.
134 *
135 * Above the objects is a power-of-two sized table of ID slots. Each
136 * slot contains a pointer to an object, a sequence number, and a
137 * lock. An object's ID is a function of its slot's index in the table
138 * and its slot's sequence number. Every time a slot is released (via
139 * RMID) its sequence number is increased. Strictly speaking, the
140 * sequence number is unnecessary. However, checking the sequence
141 * number after a lookup provides a certain degree of robustness
142 * against the use of stale IDs (useful since nothing else does). When
143 * the table fills up, it is resized (see Locking, below).
144 *
145 * Of an ID's 31 bits (an ID is, as defined by the standards, a signed
146 * int) the top IPC_SEQ_BITS are used for the sequence number with the
147 * remainder holding the index into the table. The size of the table
148 * is therefore bounded at 2 ^ (31 - IPC_SEQ_BITS) slots.
149 *
150 * Managing this table is the ipc_service structure. It contains a
151 * pointer to the dynamically allocated ID table, a namespace-global
152 * lock, an id_space for managing the free space in the table, and
153 * sundry other metadata necessary for the maintenance of the
154 * namespace. An AVL tree of all keyed objects in the table (sorted by
155 * key) is used for key lookups. An unordered doubly linked list of
156 * all objects in the namespace (keyed or not) is maintained to
157 * facilitate ID enumeration.
158 *
159 * To help visualize these relationships, here's a picture of a
160 * namespace with a table of size 8 containing three objects
161 * (IPC_SEQ_BITS = 28):
162 *
163 *
164 * +-ipc_service_t--+
165 * | table *---\
166 * | keys *---+----------------------\
167 * | all ids *--\| |
168 * | | || |
169 * +----------------+ || |
170 * || |
171 * /-------------------/| |
172 * | /---------------/ |
173 * | | |
174 * | v |
175 * | +-0------+-1------+-2------+-3------+-4--+---+-5------+-6------+-7------+
176 * | | Seq=3 | | | Seq=1 | : | | | Seq=6 |
177 * | | | | | | : | | | |
178 * | +-*------+--------+--------+-*------+----+---+--------+--------+-*------+
179 * | | | | |
180 * | | /---/ | /----------------/
181 * | | | | |
182 * | v v | v
183 * | +-kipc_perm_t-+ +-kipc_perm_t-+ | +-kipc_perm_t-+
184 * | | id=0x30 | | id=0x13 | | | id=0x67 |
185 * | | key=0xfeed | | key=0xbeef | | | key=0xcafe |
186 * \->| [list] |<------>| [list] |<------>| [list] |
187 * /->| [avl left] x /--->| [avl left] x \--->| [avl left] *---\
188 * | | [avl right] x | | [avl right] x | [avl right] *---+-\
189 * | | | | | | | | | |
190 * | +-------------+ | +-------------+ +-------------+ | |
191 * | \---------------------------------------------/ |
192 * \--------------------------------------------------------------------/
193 *
194 * Locking
195 * -------
196 *
197 * There are three locks (or sets of locks) which are used to ensure
198 * correctness: the slot locks, the namespace lock, and p_lock (needed
199 * when checking resource controls). Their ordering is
200 *
201 * namespace lock -> slot lock 0 -> ... -> slot lock t -> p_lock
202 *
203 * Generally speaking, the namespace lock is used to protect allocation
204 * and removal from the namespace, ID enumeration, and resizing the ID
205 * table. Specifically:
206 *
207 * - write access to all fields of the ipc_service structure
208 * - read access to all variable fields of ipc_service except
209 * ipcs_tabsz (table size) and ipcs_table (the table pointer)
210 * - read/write access to ipc_avl, ipc_list in visible objects'
211 * kipc_perm structures (i.e. objects which have been removed from
212 * the namespace don't have this restriction)
213 * - write access to ipct_seq and ipct_data in the table entries
214 *
215 * A slot lock by itself is meaningless (except when resizing). Of
216 * greater interest conceptually is the notion of an ID lock -- a
217 * "virtual lock" which refers to whichever slot lock an object's ID
218 * currently hashes to.
219 *
220 * An ID lock protects all objects with that ID. Normally there will
221 * only be one such object: the one pointed to by the locked slot.
222 * However, if an object is removed from the namespace but retains
223 * references (e.g. an attached shared memory segment which has been
224 * RMIDed), it continues to use the lock associated with its original
225 * ID. While this can result in increased contention, operations which
226 * require taking the ID lock of removed objects are infrequent.
227 *
228 * Specifically, an ID lock protects the contents of an object's
229 * structure, including the contents of the embedded kipc_perm
230 * structure (but excluding those fields protected by the namespace
231 * lock). It also protects the ipct_seq and ipct_data fields in its
232 * slot (it is really a slot lock, after all).
233 *
234 * Recall that the table is resizable. To avoid requiring every ID
235 * lookup to take a global lock, a scheme much like that employed for
236 * file descriptors (see the comment above UF_ENTER in user.h) is
237 * used. Note that the sequence number and data pointer are protected
238 * by both the namespace lock and their slot lock. When the table is
239 * resized, the following operations take place:
240 *
241 * 1) A new table is allocated.
242 * 2) The global lock is taken.
243 * 3) All old slots are locked, in order.
244 * 4) The first half of the new slots are locked.
245 * 5) All table entries are copied to the new table, and cleared from
246 * the old table.
247 * 6) The ipc_service structure is updated to point to the new table.
248 * 7) The ipc_service structure is updated with the new table size.
249 * 8) All slot locks (old and new) are dropped.
250 *
251 * Because the slot locks are embedded in the table, ID lookups and
252 * other operations which require taking an slot lock need to verify
253 * that the lock taken wasn't part of a stale table. This is
254 * accomplished by checking the table size before and after
255 * dereferencing the table pointer and taking the lock: if the size
256 * changes, the lock must be dropped and reacquired. It is this
257 * additional work which distinguishes an ID lock from a slot lock.
258 *
259 * Because we can't guarantee that threads aren't accessing the old
260 * tables' locks, they are never deallocated. To prevent spurious
261 * reports of memory leaks, a pointer to the discarded table is stored
262 * in the new one in step 5. (Theoretically ipcs_destroy will delete
263 * the discarded tables, but it is only ever called from a failed _init
264 * invocation; i.e. when there aren't any.)
265 *
266 * Interfaces
267 * ----------
268 *
269 * The following interfaces are provided by the ipc module for use by
270 * the individual IPC facilities:
271 *
272 * ipcperm_access
273 *
274 * Given an object and a cred structure, determines if the requested
275 * access type is allowed.
276 *
277 * ipcperm_set, ipcperm_stat,
278 * ipcperm_set64, ipcperm_stat64
279 *
280 * Performs the common portion of an STAT or SET operation. All
281 * (except stat and stat64) can fail, so they should be called before
282 * any facility-specific non-reversible changes are made to an
283 * object. Similarly, the set operations have side effects, so they
284 * should only be called once the possibility of a facility-specific
285 * failure is eliminated.
286 *
287 * ipcs_create
288 *
289 * Creates an IPC namespace for use by an IPC facility.
290 *
291 * ipcs_destroy
292 *
293 * Destroys an IPC namespace.
294 *
295 * ipcs_lock, ipcs_unlock
296 *
297 * Takes the namespace lock. Ideally such access wouldn't be
298 * necessary, but there may be facility-specific data protected by
299 * this lock (e.g. project-wide resource consumption).
300 *
301 * ipc_lock
302 *
303 * Takes the lock associated with an ID. Can't fail.
304 *
305 * ipc_relock
306 *
307 * Like ipc_lock, but takes a pointer to a held lock. Drops the lock
308 * unless it is the one that would have been returned by ipc_lock.
309 * Used after calls to cv_wait.
310 *
311 * ipc_lookup
312 *
313 * Performs an ID lookup, returns with the ID lock held. Fails if
314 * the ID doesn't exist in the namespace.
315 *
316 * ipc_hold
317 *
318 * Takes a reference on an object.
319 *
320 * ipc_rele
321 *
322 * Releases a reference on an object, and drops the object's lock.
323 * Calls the object's destructor if last reference is being
324 * released.
325 *
326 * ipc_rele_locked
327 *
328 * Releases a reference on an object. Doesn't drop lock, and may
329 * only be called when there is more than one reference to the
330 * object.
331 *
332 * ipc_get, ipc_commit_begin, ipc_commit_end, ipc_cleanup
333 *
334 * Components of a GET operation. ipc_get performs a key lookup,
335 * allocating an object if the key isn't found (returning with the
336 * namespace lock and p_lock held), and returning the existing object
337 * if it is (with the object lock held). ipc_get doesn't modify the
338 * namespace.
339 *
340 * ipc_commit_begin begins the process of inserting an object
341 * allocated by ipc_get into the namespace, and can fail. If
342 * successful, it returns with the namespace lock and p_lock held.
343 * ipc_commit_end completes the process of inserting an object into
344 * the namespace and can't fail. The facility can call ipc_cleanup
345 * at any time following a successful ipc_get and before
346 * ipc_commit_end or a failed ipc_commit_begin to fail the
347 * allocation. Pseudocode for the suggested GET implementation:
348 *
349 * top:
350 *
351 * ipc_get
352 *
353 * if failure
354 * return
355 *
356 * if found {
357 *
358 * if object meets criteria
359 * unlock object and return success
360 * else
361 * unlock object and return failure
362 *
363 * } else {
364 *
365 * perform resource control tests
366 * drop namespace lock, p_lock
367 * if failure
368 * ipc_cleanup
369 *
370 * perform facility-specific initialization
371 * if failure {
372 * facility-specific cleanup
373 * ipc_cleanup
374 * }
375 *
376 * ( At this point the object should be destructible using the
377 * destructor given to ipcs_create )
378 *
379 * ipc_commit_begin
380 * if retry
381 * goto top
382 * else if failure
383 * return
384 *
385 * perform facility-specific resource control tests/allocations
386 * if failure
387 * ipc_cleanup
388 *
389 * ipc_commit_end
390 * perform any infallible post-creation actions, unlock, and return
391 *
392 * }
393 *
394 * ipc_rmid
395 *
396 * Performs the common portion of an RMID operation -- looks up an ID
397 * removes it, and calls the a facility-specific function to do
398 * RMID-time cleanup on the private portions of the object.
399 *
400 * ipc_ids
401 *
402 * Performs the common portion of an IDS operation.
403 *
404 */
406 #include <sys/types.h>
407 #include <sys/param.h>
408 #include <sys/cred.h>
409 #include <sys/policy.h>
410 #include <sys/proc.h>
411 #include <sys/user.h>
412 #include <sys/ipc.h>
413 #include <sys/ipc_impl.h>
414 #include <sys/errno.h>
415 #include <sys/systm.h>
416 #include <sys/list.h>
417 #include <sys/atomic.h>
418 #include <sys/zone.h>
419 #include <sys/task.h>
420 #include <sys/modctl.h>
422 #include <c2/audit.h>
427 };
431 };
434 int
436 {
438 }
440 int
442 {
444 }
446 int
448 {
450 }
453 /*
454 * Check message, semaphore, or shared memory access permissions.
455 *
456 * This routine verifies the requested access permission for the current
457 * process. The zone ids are compared, and the appropriate bits are
458 * checked corresponding to owner, group (including the list of
459 * supplementary groups), or everyone. Zero is returned on success.
460 * On failure, the security policy is asked to check to override the
461 * permissions check; the policy will either return 0 for access granted
462 * or EACCES.
463 *
464 * Access to objects in other zones requires that the caller be in the
465 * global zone and have the appropriate IPC_DAC_* privilege, regardless
466 * of whether the uid or gid match those of the object. Note that
467 * cross-zone accesses will normally never get here since they'll
468 * fail in ipc_lookup or ipc_get.
469 *
470 * The arguments must be set up as follows:
471 * p - Pointer to permission structure to verify
472 * mode - Desired access permissions
473 */
474 int
476 {
487 }
497 }
499 /*
500 * There are two versions of the ipcperm_set/stat functions:
501 * ipcperm_??? - for use with IPC_SET/STAT
502 * ipcperm_???_64 - for use with IPC_SET64/STAT64
503 *
504 * These functions encapsulate the common portions (copying, permission
505 * checks, and auditing) of the set/stat operations. All, except for
506 * stat and stat_64 which are void, return 0 on success or a non-zero
507 * errno value on error.
508 */
510 int
513 {
515 uid_t uid;
516 gid_t gid;
517 mode_t mode;
542 }
544 void
546 {
557 }
559 int
562 {
584 }
586 void
588 {
597 }
600 /*
601 * ipc key comparator.
602 */
603 static int
605 {
610 zoneid_t az;
611 zoneid_t bz;
616 /*
617 * Compare key first, then zoneid. This optimizes performance for
618 * systems with only one zone, since the zone checks will only be
619 * made when the keys match.
620 */
626 /* keys match */
634 }
636 /*
637 * Create an ipc service.
638 */
639 ipc_service_t *
643 {
667 }
669 /*
670 * Destroy an ipc service.
671 */
672 void
674 {
688 }
692 }
694 /*
695 * Takes the service lock.
696 */
697 void
699 {
701 }
703 /*
704 * Releases the service lock.
705 */
706 void
708 {
710 }
713 /*
714 * Locks the specified ID. Returns the ID's ID table index.
715 */
716 static int
718 {
719 uint_t tabsz;
720 uint_t index;
732 }
735 }
737 /*
738 * Locks the specified ID. Returns a pointer to the ID's lock.
739 */
740 kmutex_t *
742 {
743 uint_t index;
745 /*
746 * These assertions don't reflect requirements of the code
747 * which follows, but they should never fail nonetheless.
748 */
754 }
756 /*
757 * Checks to see if the held lock provided is the current lock for the
758 * specified id. If so, we return it instead of dropping it and
759 * returning the result of ipc_lock. This is intended to speed up cv
760 * wakeups where we are left holding a lock which could be stale, but
761 * probably isn't.
762 */
763 kmutex_t *
765 {
775 }
777 /*
778 * Performs an ID lookup. If the ID doesn't exist or has been removed,
779 * or isn't visible to the caller (because of zones), NULL is returned.
780 * Otherwise, a pointer to the ID's perm structure and held ID lock are
781 * returned.
782 */
783 kmutex_t *
785 {
787 uint_t index;
789 /*
790 * There is no need to check to see if id is in-range (i.e.
791 * positive and fits into the table). If it is out-of-range,
792 * the id simply won't match the object's.
793 */
801 }
810 }
812 /*
813 * Increase the reference count on an ID.
814 */
815 /*ARGSUSED*/
816 void
818 {
822 }
824 /*
825 * Decrease the reference count on an ID and drops the ID's lock.
826 * Destroys the ID if the new reference count is zero.
827 */
828 void
830 {
846 }
847 }
849 /*
850 * Decrease the reference count on an ID, but don't drop the ID lock.
851 * Used in cases where one thread needs to remove many references (on
852 * behalf of other parties).
853 */
854 void
856 {
862 }
865 /*
866 * Internal function to grow the service ID table.
867 */
868 static int
870 {
894 }
904 }
909 }
912 static int
914 {
916 avl_index_t where;
931 }
937 }
939 }
941 static int
943 {
946 /*
947 * Resizing the table first would result in a cleaner code
948 * path, but would also allow a user to (permanently) double
949 * the id table size in cases where the allocation would be
950 * denied. Hence we test the rctl first.
951 */
952 retry:
960 }
969 }
972 }
974 /*
975 * Given a key, search for or create the associated identifier.
976 *
977 * If IPC_CREAT is specified and the key isn't found, or if the key is
978 * equal to IPC_PRIVATE, we return 0 and place a pointer to a newly
979 * allocated object structure in permp. A pointer to the held service
980 * lock is placed in lockp. ipc_mode's IPC_ALLOC bit is clear.
981 *
982 * If the key is found and no error conditions arise, we return 0 and
983 * place a pointer to the existing object structure in permp. A
984 * pointer to the held ID lock is placed in lockp. ipc_mode's
985 * IPC_ALLOC bit is set.
986 *
987 * Otherwise, a non-zero errno value is returned.
988 */
989 int
992 {
1009 }
1016 }
1018 /* Key not found; fall through */
1019 }
1028 }
1041 }
1043 /*
1044 * Attempts to add the a newly created ID to the global namespace. If
1045 * creating it would cause an error, we return the error. If there is
1046 * the possibility that we could obtain the existing ID and return it
1047 * to the user, we return EAGAIN. Otherwise, we return 0 with p_lock
1048 * and the service lock held.
1049 *
1050 * Since this should be only called after all initialization has been
1051 * completed, on failure we automatically invoke the destructor for the
1052 * object and deallocate the memory associated with it.
1053 */
1054 int
1057 {
1065 /*
1066 * Set ipc_proj and ipc_zone_ref so that future calls to ipc_cleanup()
1067 * clean up the necessary state. This must be done before the
1068 * potential call to ipcs_dtor() below.
1069 */
1075 /*
1076 * Ensure that no-one has raced with us and created the key.
1077 */
1083 }
1085 /*
1086 * Ensure that no-one has raced with us and used the last of
1087 * the permissible ids, or the last of the free spaces in the
1088 * id table.
1089 */
1097 errout:
1103 }
1105 /*
1106 * Commit the ID allocation transaction. Called with p_lock and the
1107 * service lock held, both of which are dropped. Returns the held ID
1108 * lock so the caller can extract the ID and perform ipcget auditing.
1109 */
1110 kmutex_t *
1112 {
1114 avl_index_t where;
1124 /*
1125 * Pick out our slot.
1126 */
1134 /*
1135 * Update the perm structure.
1136 */
1140 /*
1141 * Push into global visibility.
1142 */
1148 }
1151 /*
1152 * Update resource consumption.
1153 */
1159 }
1161 /*
1162 * Clean up function, in case the allocation fails. If called between
1163 * ipc_lookup and ipc_commit_begin, perm->ipc_proj will be 0 and we
1164 * merely free the perm structure. If called after ipc_commit_begin,
1165 * we also drop locks and call the ID's destructor.
1166 */
1167 void
1169 {
1175 }
1179 }
1182 /*
1183 * Common code to remove an IPC object. This should be called after
1184 * all permissions checks have been performed, and with the service
1185 * and ID locked. Note that this does not remove the object from
1186 * the ipcs_usedids list (this needs to be done by the caller before
1187 * dropping the service lock).
1188 */
1189 static void
1191 {
1218 }
1221 /*
1222 * Common code to perform an IPC_RMID. Returns an errno value on
1223 * failure, 0 on success.
1224 */
1225 int
1227 {
1237 }
1245 }
1247 /*
1248 * Nothing can fail from this point on.
1249 */
1253 /* perform any per-service removal actions */
1259 }
1261 /*
1262 * Implementation for shmids, semids, and msgids. buf is the address
1263 * of the user buffer, nids is the size, and pnids is a pointer to
1264 * where we write the actual number of ids that [would] have been
1265 * copied out.
1266 */
1267 int
1269 {
1282 /*
1283 * Get an accurate count of the total number of ids, and allocate a
1284 * staging buffer. Since ipcs_count is always sane, we don't have
1285 * to take ipcs_lock for our first guess. If there are no ids, or
1286 * we're in the global zone and the number of ids is greater than
1287 * the size of the specified buffer, we shunt to the end. Otherwise,
1288 * we go through the id list looking for (and counting) what is
1289 * visible in the specified zone.
1290 */
1297 }
1311 }
1312 }
1319 }
1322 /*
1323 * If there isn't enough space to hold all of the ids, just
1324 * return the number of ids without copying out any of them.
1325 */
1329 out:
1336 }
1338 /*
1339 * Destroy IPC objects from the given service that are associated with
1340 * the given zone.
1341 *
1342 * We can't hold on to the service lock when freeing objects, so we
1343 * first search the service and move all the objects to a private
1344 * list, then walk through and free them after dropping the lock.
1345 */
1346 void
1348 {
1350 list_t rmlist;
1363 /*
1364 * Remove the object from the service, then put it on
1365 * the removal list so we can defer the call to
1366 * ipc_rele (which will actually free the structure).
1367 * We need to do this since the destructor may grab
1368 * the service lock.
1369 */
1375 }
1378 /*
1379 * Now that we've dropped the service lock, loop through the
1380 * private list freeing removed objects.
1381 */
1388 /* perform any per-service removal actions */
1391 /* release reference */
1393 }
1396 }