 @@ -1,14 +1,14 @@
-/*	$NetBSD: sys_mqueue.c,v 1.12.4.1.2.1 2009/05/18 19:50:13 bouyer Exp $	*/
+/*	$NetBSD: sys_mqueue.c,v 1.12.4.1.2.2 2009/05/27 21:33:50 snj Exp $	*/
 /*
  * Copyright (c) 2007, 2008 Mindaugas Rasiukevicius <rmind at NetBSD org>
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -32,27 +32,27 @@
+ *
  * Locking
+ *
  * Global list of message queues (mqueue_head) and proc_t::p_mqueue_cnt
  * counter are protected by mqlist_mtx lock.  The very message queue and
  * its members are protected by mqueue::mq_mtx.
+ *
  * Lock order:
  * 	mqlist_mtx
  * 	  -> mqueue::mq_mtx
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_mqueue.c,v 1.12.4.1.2.1 2009/05/18 19:50:13 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_mqueue.c,v 1.12.4.1.2.2 2009/05/27 21:33:50 snj Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/condvar.h>
 #include <sys/errno.h>
 #include <sys/fcntl.h>
 #include <sys/file.h>
 #include <sys/filedesc.h>
 #include <sys/kauth.h>
 #include <sys/kernel.h>
 #include <sys/kmem.h>
 #include <sys/lwp.h>
 #include <sys/mqueue.h>
 @@ -76,28 +76,26 @@ static u_int			mq_open_max = MQ_OPEN_MAX
 static u_int			mq_prio_max = MQ_PRIO_MAX;
 static u_int			mq_max_msgsize = 16 * MQ_DEF_MSGSIZE;
 static u_int			mq_def_maxmsg = 32;
 static kmutex_t			mqlist_mtx;
 static pool_cache_t		mqmsg_cache;
 static LIST_HEAD(, mqueue)	mqueue_head =
 	LIST_HEAD_INITIALIZER(mqueue_head);
 static int	mq_poll_fop(file_t *, int);
 static int	mq_close_fop(file_t *);
 #define	FNOVAL	-1
 static const struct fileops mqops = {
 	.fo_read = fbadop_read,
 	.fo_write = fbadop_write,
 	.fo_ioctl = fbadop_ioctl,
 	.fo_fcntl = fnullop_fcntl,
 	.fo_poll = mq_poll_fop,
 	.fo_stat = fbadop_stat,
 	.fo_close = mq_close_fop,
 	.fo_kqfilter = fnullop_kqfilter,
 	.fo_drain = fnullop_drain,
 };
 /*
 @@ -156,77 +154,48 @@ mqueue_lookup(char *name)
 	KASSERT(mutex_owned(&mqlist_mtx));
 	LIST_FOREACH(mq, &mqueue_head, mq_list) {
 		if (strncmp(mq->mq_name, name, MQ_NAMELEN) == 0) {
 			mutex_enter(&mq->mq_mtx);
 			return mq;
+		}
+	}
 	return NULL;
+}
 /*
- * Check access against message queue.
+ * mqueue_get: get the mqueue from the descriptor.
- */
+ *  => locks the message queue, if found.
-static inline int
+ *  => holds a reference on the file descriptor.
 mqueue_access(struct lwp *l, struct mqueue *mq, int access)
 	mode_t acc_mode = 0;
 	KASSERT(mutex_owned(&mq->mq_mtx));
 	KASSERT(access != FNOVAL);
 	/* Note the difference between VREAD/VWRITE and FREAD/FWRITE */
 	if (access & FREAD)
 		acc_mode |= VREAD;
 	if (access & FWRITE)
 		acc_mode |= VWRITE;
 	return vaccess(VNON, mq->mq_mode, mq->mq_euid, mq->mq_egid,
 	    acc_mode, l->l_cred);
 /*
  * Get the mqueue from the descriptor.
  *  => locks the message queue, if found
  *  => increments the reference on file entry
  */
 static int
-mqueue_get(struct lwp *l, mqd_t mqd, int access, file_t **fpr)
+mqueue_get(mqd_t mqd, file_t **fpr)
+{
 	file_t *fp;
 	struct mqueue *mq;
 	file_t *fp;
 	/* Get the file and descriptor */
 	fp = fd_getfile((int)mqd);
-	if (fp == NULL)
+	if (__predict_false(fp == NULL)) {
 		return EBADF;
 	/* Increment the reference of file entry, and lock the mqueue */
 	mq = fp->f_data;
 	*fpr = fp;
 	mutex_enter(&mq->mq_mtx);
 	if (access == FNOVAL) {
 		KASSERT(mutex_owned(&mq->mq_mtx));
 		return 0;
+	}
 	if (__predict_false(fp->f_type != DTYPE_MQUEUE)) {
 	/* Check the access mode and permission */
 	if ((fp->f_flag & access) != access || mqueue_access(l, mq, access)) {
 		mutex_exit(&mq->mq_mtx);
 		fd_putfile((int)mqd);
-		return EPERM;
+		return EBADF;
+	}
 	mq = fp->f_data;
 	mutex_enter(&mq->mq_mtx);
 	*fpr = fp;
 	return 0;
+}
 /*
  * Converter from struct timespec to the ticks.
  * Used by mq_timedreceive(), mq_timedsend().
  */
 static int
 abstimeout2timo(const void *uaddr, int *timo)
+{
 	struct timespec ts;
 	int error;
 @@ -337,26 +306,32 @@ sys_mq_open(struct lwp *l, const struct
 		return error;
+	}
 	if (oflag & O_CREAT) {
 		struct cwdinfo *cwdi = p->p_cwdi;
 		struct mq_attr attr;
 		/* Check the limit */
 		if (p->p_mqueue_cnt == mq_open_max) {
 			kmem_free(name, MQ_NAMELEN);
 			return EMFILE;
+		}
 		/* Empty name is invalid */
 		if (name[0] == '\0') {
 			kmem_free(name, MQ_NAMELEN);
 			return EINVAL;
+		}
 		/* Check for mqueue attributes */
 		if (SCARG(uap, attr)) {
 			error = copyin(SCARG(uap, attr), &attr,
 				sizeof(struct mq_attr));
 			if (error) {
 				kmem_free(name, MQ_NAMELEN);
 				return error;
+			}
 			if (attr.mq_maxmsg <= 0 || attr.mq_msgsize <= 0 ||
 			    attr.mq_msgsize > mq_max_msgsize) {
 				kmem_free(name, MQ_NAMELEN);
 				return EINVAL;
+			}
 @@ -373,65 +348,81 @@ sys_mq_open(struct lwp *l, const struct
 		 * copy the name, attributes and set the flag.
 		 */
 		mq_new = kmem_zalloc(sizeof(struct mqueue), KM_SLEEP);
 		mutex_init(&mq_new->mq_mtx, MUTEX_DEFAULT, IPL_NONE);
 		cv_init(&mq_new->mq_send_cv, "mqsendcv");
 		cv_init(&mq_new->mq_recv_cv, "mqrecvcv");
 		TAILQ_INIT(&mq_new->mq_head);
 		selinit(&mq_new->mq_rsel);
 		selinit(&mq_new->mq_wsel);
 		strlcpy(mq_new->mq_name, name, MQ_NAMELEN);
 		memcpy(&mq_new->mq_attrib, &attr, sizeof(struct mq_attr));
 		mq_new->mq_attrib.mq_flags = oflag;
 		CTASSERT((O_MASK & (MQ_UNLINK | MQ_RECEIVE)) == 0);
 		mq_new->mq_attrib.mq_flags = (O_MASK & oflag);
 		/* Store mode and effective UID with GID */
 		mq_new->mq_mode = ((SCARG(uap, mode) &
 		    ~cwdi->cwdi_cmask) & ALLPERMS) & ~S_ISTXT;
 		mq_new->mq_euid = kauth_cred_geteuid(l->l_cred);
 		mq_new->mq_egid = kauth_cred_getegid(l->l_cred);
+	}
 	/* Allocate file structure and descriptor */
 	error = fd_allocfile(&fp, &mqd);
 	if (error) {
 		if (mq_new)
 			mqueue_destroy(mq_new);
 		kmem_free(name, MQ_NAMELEN);
 		return error;
+	}
 	fp->f_type = DTYPE_MQUEUE;
 	fp->f_flag = FFLAGS(oflag) & (FREAD | FWRITE);
 	fp->f_ops = &mqops;
 	/* Look up for mqueue with such name */
 	mutex_enter(&mqlist_mtx);
 	mq = mqueue_lookup(name);
 	if (mq) {
 		mode_t acc_mode;
 		KASSERT(mutex_owned(&mq->mq_mtx));
 		/* Check if mqueue is not marked as unlinking */
 		if (mq->mq_attrib.mq_flags & MQ_UNLINK) {
 			error = EACCES;
 			goto exit;
+		}
 		/* Fail if O_EXCL is set, and mqueue already exists */
 		if ((oflag & O_CREAT) && (oflag & O_EXCL)) {
 			error = EEXIST;
 			goto exit;
+		}
 		/* Check the permission */
-		if (mqueue_access(l, mq, fp->f_flag)) {
+		/*
 		 * Check the permissions.  Note the difference between
 		 * VREAD/VWRITE and FREAD/FWRITE.
 		 */
 		acc_mode = 0;
 		if (fp->f_flag & FREAD) {
 			acc_mode |= VREAD;
+		}
 		if (fp->f_flag & FWRITE) {
 			acc_mode |= VWRITE;
+		}
 		if (vaccess(VNON, mq->mq_mode, mq->mq_euid, mq->mq_egid,
 		    acc_mode, l->l_cred)) {
 			error = EACCES;
 			goto exit;
+		}
 	} else {
 		/* Fail if mqueue neither exists, nor we create it */
 		if ((oflag & O_CREAT) == 0) {
 			mutex_exit(&mqlist_mtx);
 			KASSERT(mq_new == NULL);
 			fd_abort(p, fp, mqd);
 			kmem_free(name, MQ_NAMELEN);
 			return ENOENT;
+		}
 @@ -480,27 +471,27 @@ sys_mq_close(struct lwp *l, const struct
 /*
  * Primary mq_receive1() function.
  */
 static int
 mq_receive1(struct lwp *l, mqd_t mqdes, void *msg_ptr, size_t msg_len,
     unsigned *msg_prio, int t, ssize_t *mlen)
+{
 	file_t *fp = NULL;
 	struct mqueue *mq;
 	struct mq_msg *msg = NULL;
 	int error;
 	/* Get the message queue */
-	error = mqueue_get(l, mqdes, FREAD, &fp);
+	error = mqueue_get(mqdes, &fp);
 	if (error)
 		return error;
 	mq = fp->f_data;
 	/* Check the message size limits */
 	if (msg_len < mq->mq_attrib.mq_msgsize) {
 		error = EMSGSIZE;
 		goto error;
+	}
 	/* Check if queue is empty */
 	while (TAILQ_EMPTY(&mq->mq_head)) {
 		if (mq->mq_attrib.mq_flags & O_NONBLOCK) {
 @@ -635,27 +626,27 @@ mq_send1(struct lwp *l, mqd_t mqdes, con
 	else
 		msg = pool_cache_get(mqmsg_cache, PR_WAITOK);
 	/* Get the data from user-space */
 	error = copyin(msg_ptr, msg->msg_ptr, msg_len);
 	if (error) {
 		mqueue_freemsg(msg, size);
 		return error;
+	}
 	msg->msg_len = msg_len;
 	msg->msg_prio = msg_prio;
 	/* Get the mqueue */
-	error = mqueue_get(l, mqdes, FWRITE, &fp);
+	error = mqueue_get(mqdes, &fp);
 	if (error) {
 		mqueue_freemsg(msg, size);
 		return error;
+	}
 	mq = fp->f_data;
 	/* Check the message size limit */
 	if (msg_len <= 0 || msg_len > mq->mq_attrib.mq_msgsize) {
 		error = EMSGSIZE;
 		goto error;
+	}
 	/* Check if queue is full */
 @@ -772,27 +763,27 @@ sys_mq_notify(struct lwp *l, const struc
 	file_t *fp = NULL;
 	struct mqueue *mq;
 	struct sigevent sig;
 	int error;
 	if (SCARG(uap, notification)) {
 		/* Get the signal from user-space */
 		error = copyin(SCARG(uap, notification), &sig,
 		    sizeof(struct sigevent));
 		if (error)
 			return error;
+	}
-	error = mqueue_get(l, SCARG(uap, mqdes), FNOVAL, &fp);
+	error = mqueue_get(SCARG(uap, mqdes), &fp);
 	if (error)
 		return error;
 	mq = fp->f_data;
 	if (SCARG(uap, notification)) {
 		/* Register notification: set the signal and target process */
 		if (mq->mq_notify_proc == NULL) {
 			memcpy(&mq->mq_sig_notify, &sig,
 			    sizeof(struct sigevent));
 			mq->mq_notify_proc = l->l_proc;
 		} else {
 			/* Fail if someone else already registered */
 			error = EBUSY;
 @@ -811,27 +802,27 @@ int
 sys_mq_getattr(struct lwp *l, const struct sys_mq_getattr_args *uap,
     register_t *retval)
+{
 	/* {
 		syscallarg(mqd_t) mqdes;
 		syscallarg(struct mq_attr *) mqstat;
 	} */
 	file_t *fp = NULL;
 	struct mqueue *mq;
 	struct mq_attr attr;
 	int error;
 	/* Get the message queue */
-	error = mqueue_get(l, SCARG(uap, mqdes), FNOVAL, &fp);
+	error = mqueue_get(SCARG(uap, mqdes), &fp);
 	if (error)
 		return error;
 	mq = fp->f_data;
 	memcpy(&attr, &mq->mq_attrib, sizeof(struct mq_attr));
 	mutex_exit(&mq->mq_mtx);
 	fd_putfile((int)SCARG(uap, mqdes));
 	return copyout(&attr, SCARG(uap, mqstat), sizeof(struct mq_attr));
+}
 int
 sys_mq_setattr(struct lwp *l, const struct sys_mq_setattr_args *uap,
     register_t *retval)
 @@ -842,27 +833,27 @@ sys_mq_setattr(struct lwp *l, const stru
 		syscallarg(struct mq_attr *) omqstat;
 	} */
 	file_t *fp = NULL;
 	struct mqueue *mq;
 	struct mq_attr attr;
 	int error, nonblock;
 	error = copyin(SCARG(uap, mqstat), &attr, sizeof(struct mq_attr));
 	if (error)
 		return error;
 	nonblock = (attr.mq_flags & O_NONBLOCK);
 	/* Get the message queue */
-	error = mqueue_get(l, SCARG(uap, mqdes), FNOVAL, &fp);
+	error = mqueue_get(SCARG(uap, mqdes), &fp);
 	if (error)
 		return error;
 	mq = fp->f_data;
 	/* Copy the old attributes, if needed */
 	if (SCARG(uap, omqstat))
 		memcpy(&attr, &mq->mq_attrib, sizeof(struct mq_attr));
 	/* Ignore everything, except O_NONBLOCK */
 	if (nonblock)
 		mq->mq_attrib.mq_flags |= O_NONBLOCK;
 	else
 		mq->mq_attrib.mq_flags &= ~O_NONBLOCK;
 @@ -900,27 +891,28 @@ sys_mq_unlink(struct lwp *l, const struc
 		kmem_free(name, MQ_NAMELEN);
 		return error;
+	}
 	/* Lookup for this file */
 	mutex_enter(&mqlist_mtx);
 	mq = mqueue_lookup(name);
 	if (mq == NULL) {
 		error = ENOENT;
 		goto error;
+	}
 	/* Check the permissions */
-	if (mqueue_access(l, mq, FWRITE)) {
+	if (kauth_cred_geteuid(l->l_cred) != mq->mq_euid &&
 	    kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER, NULL)) {
 		mutex_exit(&mq->mq_mtx);
 		error = EACCES;
 		goto error;
+	}
 	/* Mark message queue as unlinking, before leaving the window */
 	mq->mq_attrib.mq_flags |= MQ_UNLINK;
 	/* Wake up all waiters, if there are such */
 	cv_broadcast(&mq->mq_send_cv);
 	cv_broadcast(&mq->mq_recv_cv);
 	selnotify(&mq->mq_rsel, POLLHUP, 0);