2 * Copyright (c) 2005 The DragonFly Project. All rights reserved.
4 * This code is derived from software contributed to The DragonFly Project
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
17 * 3. Neither the name of The DragonFly Project nor the names of its
18 * contributors may be used to endorse or promote products derived
19 * from this software without specific, prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
29 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
30 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
31 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * Copyright (c) 1982, 1986, 1989, 1991, 1993
36 * The Regents of the University of California. All rights reserved.
37 * (c) UNIX System Laboratories, Inc.
38 * All or some portions of this file are derived from material licensed
39 * to the University of California by American Telephone and Telegraph
40 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
41 * the permission of UNIX System Laboratories, Inc.
43 * Redistribution and use in source and binary forms, with or without
44 * modification, are permitted provided that the following conditions
46 * 1. Redistributions of source code must retain the above copyright
47 * notice, this list of conditions and the following disclaimer.
48 * 2. Redistributions in binary form must reproduce the above copyright
49 * notice, this list of conditions and the following disclaimer in the
50 * documentation and/or other materials provided with the distribution.
51 * 3. All advertising materials mentioning features or use of this software
52 * must display the following acknowledgement:
53 * This product includes software developed by the University of
54 * California, Berkeley and its contributors.
55 * 4. Neither the name of the University nor the names of its contributors
56 * may be used to endorse or promote products derived from this software
57 * without specific prior written permission.
59 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
60 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
61 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
62 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
63 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
64 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
65 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
66 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
67 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
68 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
71 * @(#)kern_descrip.c 8.6 (Berkeley) 4/19/94
72 * $FreeBSD: src/sys/kern/kern_descrip.c,v 1.81.2.19 2004/02/28 00:43:31 tegge Exp $
75 #include "opt_compat.h"
76 #include <sys/param.h>
77 #include <sys/systm.h>
78 #include <sys/malloc.h>
79 #include <sys/sysproto.h>
81 #include <sys/device.h>
83 #include <sys/filedesc.h>
84 #include <sys/kernel.h>
85 #include <sys/sysctl.h>
86 #include <sys/vnode.h>
88 #include <sys/nlookup.h>
90 #include <sys/filio.h>
91 #include <sys/fcntl.h>
92 #include <sys/unistd.h>
93 #include <sys/resourcevar.h>
94 #include <sys/event.h>
95 #include <sys/kern_syscall.h>
96 #include <sys/kcore.h>
97 #include <sys/kinfo.h>
101 #include <vm/vm_extern.h>
103 #include <sys/thread2.h>
104 #include <sys/file2.h>
105 #include <sys/spinlock2.h>
107 static void fsetfd_locked(struct filedesc *fdp, struct file *fp, int fd);
108 static void fdreserve_locked (struct filedesc *fdp, int fd0, int incr);
109 static struct file *funsetfd_locked (struct filedesc *fdp, int fd);
110 static void ffree(struct file *fp);
112 static MALLOC_DEFINE(M_FILEDESC, "file desc", "Open file descriptor table");
113 static MALLOC_DEFINE(M_FILEDESC_TO_LEADER, "file desc to leader",
114 "file desc to leader structures");
115 MALLOC_DEFINE(M_FILE, "file", "Open file structure");
116 static MALLOC_DEFINE(M_SIGIO, "sigio", "sigio structures");
118 static struct krate krate_uidinfo = { .freq = 1 };
120 static d_open_t fdopen;
123 #define CDEV_MAJOR 22
124 static struct dev_ops fildesc_ops = {
130 * Descriptor management.
132 static struct filelist filehead = LIST_HEAD_INITIALIZER(&filehead);
133 static struct spinlock filehead_spin = SPINLOCK_INITIALIZER(&filehead_spin);
134 static int nfiles; /* actual number of open files */
138 * Fixup fd_freefile and fd_lastfile after a descriptor has been cleared.
140 * MPSAFE - must be called with fdp->fd_spin exclusively held
144 fdfixup_locked(struct filedesc *fdp, int fd)
146 if (fd < fdp->fd_freefile) {
147 fdp->fd_freefile = fd;
149 while (fdp->fd_lastfile >= 0 &&
150 fdp->fd_files[fdp->fd_lastfile].fp == NULL &&
151 fdp->fd_files[fdp->fd_lastfile].reserved == 0
158 * System calls on descriptors.
163 sys_getdtablesize(struct getdtablesize_args *uap)
165 struct proc *p = curproc;
166 struct plimit *limit = p->p_limit;
169 spin_lock(&limit->p_spin);
170 if (limit->pl_rlimit[RLIMIT_NOFILE].rlim_cur > INT_MAX)
173 dtsize = (int)limit->pl_rlimit[RLIMIT_NOFILE].rlim_cur;
174 spin_unlock(&limit->p_spin);
176 if (dtsize > maxfilesperproc)
177 dtsize = maxfilesperproc;
178 if (dtsize < minfilesperproc)
179 dtsize = minfilesperproc;
180 if (p->p_ucred->cr_uid && dtsize > maxfilesperuser)
181 dtsize = maxfilesperuser;
182 uap->sysmsg_result = dtsize;
187 * Duplicate a file descriptor to a particular value.
189 * note: keep in mind that a potential race condition exists when closing
190 * descriptors from a shared descriptor table (via rfork).
195 sys_dup2(struct dup2_args *uap)
200 error = kern_dup(DUP_FIXED, uap->from, uap->to, &fd);
201 uap->sysmsg_fds[0] = fd;
207 * Duplicate a file descriptor.
212 sys_dup(struct dup_args *uap)
217 error = kern_dup(DUP_VARIABLE, uap->fd, 0, &fd);
218 uap->sysmsg_fds[0] = fd;
224 * MPALMOSTSAFE - acquires mplock for fp operations
227 kern_fcntl(int fd, int cmd, union fcntl_dat *dat, struct ucred *cred)
229 struct thread *td = curthread;
230 struct proc *p = td->td_proc;
236 int tmp, error, flg = F_POSIX;
241 * Operations on file descriptors that do not require a file pointer.
245 error = fgetfdflags(p->p_fd, fd, &tmp);
247 dat->fc_cloexec = (tmp & UF_EXCLOSE) ? FD_CLOEXEC : 0;
251 if (dat->fc_cloexec & FD_CLOEXEC)
252 error = fsetfdflags(p->p_fd, fd, UF_EXCLOSE);
254 error = fclrfdflags(p->p_fd, fd, UF_EXCLOSE);
258 error = kern_dup(DUP_VARIABLE, fd, newmin, &dat->fc_fd);
265 * Operations on file pointers
267 if ((fp = holdfp(p->p_fd, fd, -1)) == NULL)
272 dat->fc_flags = OFLAGS(fp->f_flag);
278 nflags = FFLAGS(dat->fc_flags & ~O_ACCMODE) & FCNTLFLAGS;
279 nflags |= oflags & ~FCNTLFLAGS;
282 if (((nflags ^ oflags) & O_APPEND) && (oflags & FAPPENDONLY))
284 if (error == 0 && ((nflags ^ oflags) & FASYNC)) {
285 tmp = nflags & FASYNC;
286 error = fo_ioctl(fp, FIOASYNC, (caddr_t)&tmp,
294 error = fo_ioctl(fp, FIOGETOWN, (caddr_t)&dat->fc_owner,
299 error = fo_ioctl(fp, FIOSETOWN, (caddr_t)&dat->fc_owner,
305 /* Fall into F_SETLK */
308 if (fp->f_type != DTYPE_VNODE) {
312 vp = (struct vnode *)fp->f_data;
315 * copyin/lockop may block
317 if (dat->fc_flock.l_whence == SEEK_CUR)
318 dat->fc_flock.l_start += fp->f_offset;
320 switch (dat->fc_flock.l_type) {
322 if ((fp->f_flag & FREAD) == 0) {
326 p->p_leader->p_flag |= P_ADVLOCK;
327 error = VOP_ADVLOCK(vp, (caddr_t)p->p_leader, F_SETLK,
328 &dat->fc_flock, flg);
331 if ((fp->f_flag & FWRITE) == 0) {
335 p->p_leader->p_flag |= P_ADVLOCK;
336 error = VOP_ADVLOCK(vp, (caddr_t)p->p_leader, F_SETLK,
337 &dat->fc_flock, flg);
340 error = VOP_ADVLOCK(vp, (caddr_t)p->p_leader, F_UNLCK,
341 &dat->fc_flock, F_POSIX);
349 * It is possible to race a close() on the descriptor while
350 * we were blocked getting the lock. If this occurs the
351 * close might not have caught the lock.
353 if (checkfdclosed(p->p_fd, fd, fp)) {
354 dat->fc_flock.l_whence = SEEK_SET;
355 dat->fc_flock.l_start = 0;
356 dat->fc_flock.l_len = 0;
357 dat->fc_flock.l_type = F_UNLCK;
358 (void) VOP_ADVLOCK(vp, (caddr_t)p->p_leader,
359 F_UNLCK, &dat->fc_flock, F_POSIX);
364 if (fp->f_type != DTYPE_VNODE) {
368 vp = (struct vnode *)fp->f_data;
370 * copyin/lockop may block
372 if (dat->fc_flock.l_type != F_RDLCK &&
373 dat->fc_flock.l_type != F_WRLCK &&
374 dat->fc_flock.l_type != F_UNLCK) {
378 if (dat->fc_flock.l_whence == SEEK_CUR)
379 dat->fc_flock.l_start += fp->f_offset;
380 error = VOP_ADVLOCK(vp, (caddr_t)p->p_leader, F_GETLK,
381 &dat->fc_flock, F_POSIX);
393 * The file control system call.
398 sys_fcntl(struct fcntl_args *uap)
405 dat.fc_fd = uap->arg;
408 dat.fc_cloexec = uap->arg;
411 dat.fc_flags = uap->arg;
414 dat.fc_owner = uap->arg;
419 error = copyin((caddr_t)uap->arg, &dat.fc_flock,
420 sizeof(struct flock));
426 error = kern_fcntl(uap->fd, uap->cmd, &dat, curthread->td_ucred);
431 uap->sysmsg_result = dat.fc_fd;
434 uap->sysmsg_result = dat.fc_cloexec;
437 uap->sysmsg_result = dat.fc_flags;
440 uap->sysmsg_result = dat.fc_owner;
442 error = copyout(&dat.fc_flock, (caddr_t)uap->arg,
443 sizeof(struct flock));
452 * Common code for dup, dup2, and fcntl(F_DUPFD).
454 * The type flag can be either DUP_FIXED or DUP_VARIABLE. DUP_FIXED tells
455 * kern_dup() to destructively dup over an existing file descriptor if new
456 * is already open. DUP_VARIABLE tells kern_dup() to find the lowest
457 * unused file descriptor that is greater than or equal to new.
462 kern_dup(enum dup_type type, int old, int new, int *res)
464 struct thread *td = curthread;
465 struct proc *p = td->td_proc;
466 struct filedesc *fdp = p->p_fd;
475 * Verify that we have a valid descriptor to dup from and
476 * possibly to dup to.
478 * NOTE: maxfilesperuser is not applicable to dup()
481 if (p->p_rlimit[RLIMIT_NOFILE].rlim_cur > INT_MAX)
484 dtsize = (int)p->p_rlimit[RLIMIT_NOFILE].rlim_cur;
485 if (dtsize > maxfilesperproc)
486 dtsize = maxfilesperproc;
487 if (dtsize < minfilesperproc)
488 dtsize = minfilesperproc;
490 if (new < 0 || new > dtsize)
493 spin_lock(&fdp->fd_spin);
494 if ((unsigned)old >= fdp->fd_nfiles || fdp->fd_files[old].fp == NULL) {
495 spin_unlock(&fdp->fd_spin);
498 if (type == DUP_FIXED && old == new) {
500 spin_unlock(&fdp->fd_spin);
503 fp = fdp->fd_files[old].fp;
504 oldflags = fdp->fd_files[old].fileflags;
505 fhold(fp); /* MPSAFE - can be called with a spinlock held */
508 * Allocate a new descriptor if DUP_VARIABLE, or expand the table
509 * if the requested descriptor is beyond the current table size.
511 * This can block. Retry if the source descriptor no longer matches
512 * or if our expectation in the expansion case races.
514 * If we are not expanding or allocating a new decriptor, then reset
515 * the target descriptor to a reserved state so we have a uniform
516 * setup for the next code block.
518 if (type == DUP_VARIABLE || new >= fdp->fd_nfiles) {
519 spin_unlock(&fdp->fd_spin);
520 error = fdalloc(p, new, &newfd);
521 spin_lock(&fdp->fd_spin);
523 spin_unlock(&fdp->fd_spin);
530 if (old >= fdp->fd_nfiles || fdp->fd_files[old].fp != fp) {
531 fsetfd_locked(fdp, NULL, newfd);
532 spin_unlock(&fdp->fd_spin);
537 * Check for expansion race
539 if (type != DUP_VARIABLE && new != newfd) {
540 fsetfd_locked(fdp, NULL, newfd);
541 spin_unlock(&fdp->fd_spin);
546 * Check for ripout, newfd reused old (this case probably
550 fsetfd_locked(fdp, NULL, newfd);
551 spin_unlock(&fdp->fd_spin);
558 if (fdp->fd_files[new].reserved) {
559 spin_unlock(&fdp->fd_spin);
561 kprintf("Warning: dup(): target descriptor %d is reserved, waiting for it to be resolved\n", new);
562 tsleep(fdp, 0, "fdres", hz);
567 * If the target descriptor was never allocated we have
568 * to allocate it. If it was we have to clean out the
569 * old descriptor. delfp inherits the ref from the
572 delfp = fdp->fd_files[new].fp;
573 fdp->fd_files[new].fp = NULL;
574 fdp->fd_files[new].reserved = 1;
576 fdreserve_locked(fdp, new, 1);
577 if (new > fdp->fd_lastfile)
578 fdp->fd_lastfile = new;
584 * NOTE: still holding an exclusive spinlock
588 * If a descriptor is being overwritten we may hve to tell
589 * fdfree() to sleep to ensure that all relevant process
590 * leaders can be traversed in closef().
592 if (delfp != NULL && p->p_fdtol != NULL) {
593 fdp->fd_holdleaderscount++;
598 KASSERT(delfp == NULL || type == DUP_FIXED,
599 ("dup() picked an open file"));
602 * Duplicate the source descriptor, update lastfile. If the new
603 * descriptor was not allocated and we aren't replacing an existing
604 * descriptor we have to mark the descriptor as being in use.
606 * The fd_files[] array inherits fp's hold reference.
608 fsetfd_locked(fdp, fp, new);
609 fdp->fd_files[new].fileflags = oldflags & ~UF_EXCLOSE;
610 spin_unlock(&fdp->fd_spin);
615 * If we dup'd over a valid file, we now own the reference to it
616 * and must dispose of it using closef() semantics (as if a
617 * close() were performed on it).
620 if (SLIST_FIRST(&delfp->f_klist))
621 knote_fdclose(delfp, fdp, new);
624 spin_lock(&fdp->fd_spin);
625 fdp->fd_holdleaderscount--;
626 if (fdp->fd_holdleaderscount == 0 &&
627 fdp->fd_holdleaderswakeup != 0) {
628 fdp->fd_holdleaderswakeup = 0;
629 spin_unlock(&fdp->fd_spin);
630 wakeup(&fdp->fd_holdleaderscount);
632 spin_unlock(&fdp->fd_spin);
640 * If sigio is on the list associated with a process or process group,
641 * disable signalling from the device, remove sigio from the list and
647 funsetown(struct sigio **sigiop)
653 if ((sigio = *sigiop) != NULL) {
654 lwkt_gettoken(&proc_token); /* protect sigio */
655 KKASSERT(sigiop == sigio->sio_myref);
658 lwkt_reltoken(&proc_token);
663 if (sigio->sio_pgid < 0) {
664 pgrp = sigio->sio_pgrp;
665 sigio->sio_pgrp = NULL;
666 lwkt_gettoken(&pgrp->pg_token);
667 SLIST_REMOVE(&pgrp->pg_sigiolst, sigio, sigio, sio_pgsigio);
668 lwkt_reltoken(&pgrp->pg_token);
670 } else /* if ((*sigiop)->sio_pgid > 0) */ {
672 sigio->sio_proc = NULL;
674 lwkt_gettoken(&p->p_token);
675 SLIST_REMOVE(&p->p_sigiolst, sigio, sigio, sio_pgsigio);
676 lwkt_reltoken(&p->p_token);
679 crfree(sigio->sio_ucred);
680 sigio->sio_ucred = NULL;
681 kfree(sigio, M_SIGIO);
685 * Free a list of sigio structures. Caller is responsible for ensuring
686 * that the list is MPSAFE.
691 funsetownlst(struct sigiolst *sigiolst)
695 while ((sigio = SLIST_FIRST(sigiolst)) != NULL)
696 funsetown(sigio->sio_myref);
700 * This is common code for FIOSETOWN ioctl called by fcntl(fd, F_SETOWN, arg).
702 * After permission checking, add a sigio structure to the sigio list for
703 * the process or process group.
708 fsetown(pid_t pgid, struct sigio **sigiop)
710 struct proc *proc = NULL;
711 struct pgrp *pgrp = NULL;
728 * Policy - Don't allow a process to FSETOWN a process
729 * in another session.
731 * Remove this test to allow maximum flexibility or
732 * restrict FSETOWN to the current process or process
733 * group for maximum safety.
735 if (proc->p_session != curproc->p_session) {
739 } else /* if (pgid < 0) */ {
740 pgrp = pgfind(-pgid);
747 * Policy - Don't allow a process to FSETOWN a process
748 * in another session.
750 * Remove this test to allow maximum flexibility or
751 * restrict FSETOWN to the current process or process
752 * group for maximum safety.
754 if (pgrp->pg_session != curproc->p_session) {
759 sigio = kmalloc(sizeof(struct sigio), M_SIGIO, M_WAITOK | M_ZERO);
761 KKASSERT(pgrp == NULL);
762 lwkt_gettoken(&proc->p_token);
763 SLIST_INSERT_HEAD(&proc->p_sigiolst, sigio, sio_pgsigio);
764 sigio->sio_proc = proc;
765 lwkt_reltoken(&proc->p_token);
767 KKASSERT(proc == NULL);
768 lwkt_gettoken(&pgrp->pg_token);
769 SLIST_INSERT_HEAD(&pgrp->pg_sigiolst, sigio, sio_pgsigio);
770 sigio->sio_pgrp = pgrp;
771 lwkt_reltoken(&pgrp->pg_token);
774 sigio->sio_pgid = pgid;
775 sigio->sio_ucred = crhold(curthread->td_ucred);
776 /* It would be convenient if p_ruid was in ucred. */
777 sigio->sio_ruid = sigio->sio_ucred->cr_ruid;
778 sigio->sio_myref = sigiop;
780 lwkt_gettoken(&proc_token);
784 lwkt_reltoken(&proc_token);
795 * This is common code for FIOGETOWN ioctl called by fcntl(fd, F_GETOWN, arg).
800 fgetown(struct sigio **sigiop)
805 lwkt_gettoken(&proc_token);
807 own = (sigio != NULL ? sigio->sio_pgid : 0);
808 lwkt_reltoken(&proc_token);
814 * Close many file descriptors.
819 sys_closefrom(struct closefrom_args *uap)
821 return(kern_closefrom(uap->fd));
825 * Close all file descriptors greater then or equal to fd
830 kern_closefrom(int fd)
832 struct thread *td = curthread;
833 struct proc *p = td->td_proc;
834 struct filedesc *fdp;
843 * NOTE: This function will skip unassociated descriptors and
844 * reserved descriptors that have not yet been assigned.
845 * fd_lastfile can change as a side effect of kern_close().
847 spin_lock(&fdp->fd_spin);
848 while (fd <= fdp->fd_lastfile) {
849 if (fdp->fd_files[fd].fp != NULL) {
850 spin_unlock(&fdp->fd_spin);
851 /* ok if this races another close */
852 if (kern_close(fd) == EINTR)
854 spin_lock(&fdp->fd_spin);
858 spin_unlock(&fdp->fd_spin);
863 * Close a file descriptor.
868 sys_close(struct close_args *uap)
870 return(kern_close(uap->fd));
879 struct thread *td = curthread;
880 struct proc *p = td->td_proc;
881 struct filedesc *fdp;
889 spin_lock(&fdp->fd_spin);
890 if ((fp = funsetfd_locked(fdp, fd)) == NULL) {
891 spin_unlock(&fdp->fd_spin);
895 if (p->p_fdtol != NULL) {
897 * Ask fdfree() to sleep to ensure that all relevant
898 * process leaders can be traversed in closef().
900 fdp->fd_holdleaderscount++;
905 * we now hold the fp reference that used to be owned by the descriptor
908 spin_unlock(&fdp->fd_spin);
909 if (SLIST_FIRST(&fp->f_klist))
910 knote_fdclose(fp, fdp, fd);
911 error = closef(fp, p);
913 spin_lock(&fdp->fd_spin);
914 fdp->fd_holdleaderscount--;
915 if (fdp->fd_holdleaderscount == 0 &&
916 fdp->fd_holdleaderswakeup != 0) {
917 fdp->fd_holdleaderswakeup = 0;
918 spin_unlock(&fdp->fd_spin);
919 wakeup(&fdp->fd_holdleaderscount);
921 spin_unlock(&fdp->fd_spin);
928 * shutdown_args(int fd, int how)
931 kern_shutdown(int fd, int how)
933 struct thread *td = curthread;
934 struct proc *p = td->td_proc;
940 if ((fp = holdfp(p->p_fd, fd, -1)) == NULL)
942 error = fo_shutdown(fp, how);
952 sys_shutdown(struct shutdown_args *uap)
956 error = kern_shutdown(uap->s, uap->how);
965 kern_fstat(int fd, struct stat *ub)
967 struct thread *td = curthread;
968 struct proc *p = td->td_proc;
974 if ((fp = holdfp(p->p_fd, fd, -1)) == NULL)
976 error = fo_stat(fp, ub, td->td_ucred);
983 * Return status information about a file descriptor.
988 sys_fstat(struct fstat_args *uap)
993 error = kern_fstat(uap->fd, &st);
996 error = copyout(&st, uap->sb, sizeof(st));
1001 * Return pathconf information about a file descriptor.
1006 sys_fpathconf(struct fpathconf_args *uap)
1008 struct thread *td = curthread;
1009 struct proc *p = td->td_proc;
1014 if ((fp = holdfp(p->p_fd, uap->fd, -1)) == NULL)
1017 switch (fp->f_type) {
1020 if (uap->name != _PC_PIPE_BUF) {
1023 uap->sysmsg_result = PIPE_BUF;
1029 vp = (struct vnode *)fp->f_data;
1030 error = VOP_PATHCONF(vp, uap->name, &uap->sysmsg_reg);
1040 static int fdexpand;
1041 SYSCTL_INT(_debug, OID_AUTO, fdexpand, CTLFLAG_RD, &fdexpand, 0,
1042 "Number of times a file table has been expanded");
1045 * Grow the file table so it can hold through descriptor (want).
1047 * The fdp's spinlock must be held exclusively on entry and may be held
1048 * exclusively on return. The spinlock may be cycled by the routine.
1053 fdgrow_locked(struct filedesc *fdp, int want)
1055 struct fdnode *newfiles;
1056 struct fdnode *oldfiles;
1059 nf = fdp->fd_nfiles;
1061 /* nf has to be of the form 2^n - 1 */
1063 } while (nf <= want);
1065 spin_unlock(&fdp->fd_spin);
1066 newfiles = kmalloc(nf * sizeof(struct fdnode), M_FILEDESC, M_WAITOK);
1067 spin_lock(&fdp->fd_spin);
1070 * We could have raced another extend while we were not holding
1073 if (fdp->fd_nfiles >= nf) {
1074 spin_unlock(&fdp->fd_spin);
1075 kfree(newfiles, M_FILEDESC);
1076 spin_lock(&fdp->fd_spin);
1080 * Copy the existing ofile and ofileflags arrays
1081 * and zero the new portion of each array.
1083 extra = nf - fdp->fd_nfiles;
1084 bcopy(fdp->fd_files, newfiles, fdp->fd_nfiles * sizeof(struct fdnode));
1085 bzero(&newfiles[fdp->fd_nfiles], extra * sizeof(struct fdnode));
1087 oldfiles = fdp->fd_files;
1088 fdp->fd_files = newfiles;
1089 fdp->fd_nfiles = nf;
1091 if (oldfiles != fdp->fd_builtin_files) {
1092 spin_unlock(&fdp->fd_spin);
1093 kfree(oldfiles, M_FILEDESC);
1094 spin_lock(&fdp->fd_spin);
1100 * Number of nodes in right subtree, including the root.
1103 right_subtree_size(int n)
1105 return (n ^ (n | (n + 1)));
1112 right_ancestor(int n)
1114 return (n | (n + 1));
1121 left_ancestor(int n)
1123 return ((n & (n + 1)) - 1);
1127 * Traverse the in-place binary tree buttom-up adjusting the allocation
1128 * count so scans can determine where free descriptors are located.
1130 * MPSAFE - caller must be holding an exclusive spinlock on fdp
1134 fdreserve_locked(struct filedesc *fdp, int fd, int incr)
1137 fdp->fd_files[fd].allocated += incr;
1138 KKASSERT(fdp->fd_files[fd].allocated >= 0);
1139 fd = left_ancestor(fd);
1144 * Reserve a file descriptor for the process. If no error occurs, the
1145 * caller MUST at some point call fsetfd() or assign a file pointer
1146 * or dispose of the reservation.
1151 fdalloc(struct proc *p, int want, int *result)
1153 struct filedesc *fdp = p->p_fd;
1154 struct uidinfo *uip;
1155 int fd, rsize, rsum, node, lim;
1158 * Check dtable size limit
1160 spin_lock(&p->p_limit->p_spin);
1161 if (p->p_rlimit[RLIMIT_NOFILE].rlim_cur > INT_MAX)
1164 lim = (int)p->p_rlimit[RLIMIT_NOFILE].rlim_cur;
1165 spin_unlock(&p->p_limit->p_spin);
1167 if (lim > maxfilesperproc)
1168 lim = maxfilesperproc;
1169 if (lim < minfilesperproc)
1170 lim = minfilesperproc;
1175 * Check that the user has not run out of descriptors (non-root only).
1176 * As a safety measure the dtable is allowed to have at least
1177 * minfilesperproc open fds regardless of the maxfilesperuser limit.
1179 if (p->p_ucred->cr_uid && fdp->fd_nfiles >= minfilesperproc) {
1180 uip = p->p_ucred->cr_uidinfo;
1181 if (uip->ui_openfiles > maxfilesperuser) {
1182 krateprintf(&krate_uidinfo,
1183 "Warning: user %d pid %d (%s) ran out of "
1184 "file descriptors (%d/%d)\n",
1185 p->p_ucred->cr_uid, (int)p->p_pid,
1187 uip->ui_openfiles, maxfilesperuser);
1193 * Grow the dtable if necessary
1195 spin_lock(&fdp->fd_spin);
1196 if (want >= fdp->fd_nfiles)
1197 fdgrow_locked(fdp, want);
1200 * Search for a free descriptor starting at the higher
1201 * of want or fd_freefile. If that fails, consider
1202 * expanding the ofile array.
1204 * NOTE! the 'allocated' field is a cumulative recursive allocation
1205 * count. If we happen to see a value of 0 then we can shortcut
1206 * our search. Otherwise we run through through the tree going
1207 * down branches we know have free descriptor(s) until we hit a
1208 * leaf node. The leaf node will be free but will not necessarily
1209 * have an allocated field of 0.
1212 /* move up the tree looking for a subtree with a free node */
1213 for (fd = max(want, fdp->fd_freefile); fd < min(fdp->fd_nfiles, lim);
1214 fd = right_ancestor(fd)) {
1215 if (fdp->fd_files[fd].allocated == 0)
1218 rsize = right_subtree_size(fd);
1219 if (fdp->fd_files[fd].allocated == rsize)
1220 continue; /* right subtree full */
1223 * Free fd is in the right subtree of the tree rooted at fd.
1224 * Call that subtree R. Look for the smallest (leftmost)
1225 * subtree of R with an unallocated fd: continue moving
1226 * down the left branch until encountering a full left
1227 * subtree, then move to the right.
1229 for (rsum = 0, rsize /= 2; rsize > 0; rsize /= 2) {
1231 rsum += fdp->fd_files[node].allocated;
1232 if (fdp->fd_files[fd].allocated == rsum + rsize) {
1233 fd = node; /* move to the right */
1234 if (fdp->fd_files[node].allocated == 0)
1243 * No space in current array. Expand?
1245 if (fdp->fd_nfiles >= lim) {
1246 spin_unlock(&fdp->fd_spin);
1249 fdgrow_locked(fdp, want);
1253 KKASSERT(fd < fdp->fd_nfiles);
1254 if (fd > fdp->fd_lastfile)
1255 fdp->fd_lastfile = fd;
1256 if (want <= fdp->fd_freefile)
1257 fdp->fd_freefile = fd;
1259 KKASSERT(fdp->fd_files[fd].fp == NULL);
1260 KKASSERT(fdp->fd_files[fd].reserved == 0);
1261 fdp->fd_files[fd].fileflags = 0;
1262 fdp->fd_files[fd].reserved = 1;
1263 fdreserve_locked(fdp, fd, 1);
1264 spin_unlock(&fdp->fd_spin);
1269 * Check to see whether n user file descriptors
1270 * are available to the process p.
1275 fdavail(struct proc *p, int n)
1277 struct filedesc *fdp = p->p_fd;
1278 struct fdnode *fdnode;
1281 spin_lock(&p->p_limit->p_spin);
1282 if (p->p_rlimit[RLIMIT_NOFILE].rlim_cur > INT_MAX)
1285 lim = (int)p->p_rlimit[RLIMIT_NOFILE].rlim_cur;
1286 spin_unlock(&p->p_limit->p_spin);
1288 if (lim > maxfilesperproc)
1289 lim = maxfilesperproc;
1290 if (lim < minfilesperproc)
1291 lim = minfilesperproc;
1293 spin_lock(&fdp->fd_spin);
1294 if ((i = lim - fdp->fd_nfiles) > 0 && (n -= i) <= 0) {
1295 spin_unlock(&fdp->fd_spin);
1298 last = min(fdp->fd_nfiles, lim);
1299 fdnode = &fdp->fd_files[fdp->fd_freefile];
1300 for (i = last - fdp->fd_freefile; --i >= 0; ++fdnode) {
1301 if (fdnode->fp == NULL && --n <= 0) {
1302 spin_unlock(&fdp->fd_spin);
1306 spin_unlock(&fdp->fd_spin);
1311 * Revoke open descriptors referencing (f_data, f_type)
1313 * Any revoke executed within a prison is only able to
1314 * revoke descriptors for processes within that prison.
1316 * Returns 0 on success or an error code.
1318 struct fdrevoke_info {
1328 static int fdrevoke_check_callback(struct file *fp, void *vinfo);
1329 static int fdrevoke_proc_callback(struct proc *p, void *vinfo);
1332 fdrevoke(void *f_data, short f_type, struct ucred *cred)
1334 struct fdrevoke_info info;
1337 bzero(&info, sizeof(info));
1341 error = falloc(NULL, &info.nfp, NULL);
1346 * Scan the file pointer table once. dups do not dup file pointers,
1347 * only descriptors, so there is no leak. Set FREVOKED on the fps
1350 allfiles_scan_exclusive(fdrevoke_check_callback, &info);
1353 * If any fps were marked track down the related descriptors
1354 * and close them. Any dup()s at this point will notice
1355 * the FREVOKED already set in the fp and do the right thing.
1357 * Any fps with non-zero msgcounts (aka sent over a unix-domain
1358 * socket) bumped the intransit counter and will require a
1359 * scan. Races against fps leaving the socket are closed by
1360 * the socket code checking for FREVOKED.
1363 allproc_scan(fdrevoke_proc_callback, &info);
1365 unp_revoke_gc(info.nfp);
1371 * Locate matching file pointers directly.
1373 * WARNING: allfiles_scan_exclusive() holds a spinlock through these calls!
1376 fdrevoke_check_callback(struct file *fp, void *vinfo)
1378 struct fdrevoke_info *info = vinfo;
1381 * File pointers already flagged for revokation are skipped.
1383 if (fp->f_flag & FREVOKED)
1387 * If revoking from a prison file pointers created outside of
1388 * that prison, or file pointers without creds, cannot be revoked.
1390 if (info->cred->cr_prison &&
1391 (fp->f_cred == NULL ||
1392 info->cred->cr_prison != fp->f_cred->cr_prison)) {
1397 * If the file pointer matches then mark it for revocation. The
1398 * flag is currently only used by unp_revoke_gc().
1400 * info->count is a heuristic and can race in a SMP environment.
1402 if (info->data == fp->f_data && info->type == fp->f_type) {
1403 atomic_set_int(&fp->f_flag, FREVOKED);
1404 info->count += fp->f_count;
1412 * Locate matching file pointers via process descriptor tables.
1415 fdrevoke_proc_callback(struct proc *p, void *vinfo)
1417 struct fdrevoke_info *info = vinfo;
1418 struct filedesc *fdp;
1422 if (p->p_stat == SIDL || p->p_stat == SZOMB)
1424 if (info->cred->cr_prison &&
1425 info->cred->cr_prison != p->p_ucred->cr_prison) {
1430 * If the controlling terminal of the process matches the
1431 * vnode being revoked we clear the controlling terminal.
1433 * The normal spec_close() may not catch this because it
1434 * uses curproc instead of p.
1436 if (p->p_session && info->type == DTYPE_VNODE &&
1437 info->data == p->p_session->s_ttyvp) {
1438 p->p_session->s_ttyvp = NULL;
1443 * Softref the fdp to prevent it from being destroyed
1445 spin_lock(&p->p_spin);
1446 if ((fdp = p->p_fd) == NULL) {
1447 spin_unlock(&p->p_spin);
1450 atomic_add_int(&fdp->fd_softrefs, 1);
1451 spin_unlock(&p->p_spin);
1454 * Locate and close any matching file descriptors.
1456 spin_lock(&fdp->fd_spin);
1457 for (n = 0; n < fdp->fd_nfiles; ++n) {
1458 if ((fp = fdp->fd_files[n].fp) == NULL)
1460 if (fp->f_flag & FREVOKED) {
1462 fdp->fd_files[n].fp = info->nfp;
1463 spin_unlock(&fdp->fd_spin);
1464 knote_fdclose(fp, fdp, n); /* XXX */
1466 spin_lock(&fdp->fd_spin);
1470 spin_unlock(&fdp->fd_spin);
1471 atomic_subtract_int(&fdp->fd_softrefs, 1);
1477 * Create a new open file structure and reserve a file decriptor
1478 * for the process that refers to it.
1480 * Root creds are checked using lp, or assumed if lp is NULL. If
1481 * resultfd is non-NULL then lp must also be non-NULL. No file
1482 * descriptor is reserved (and no process context is needed) if
1485 * A file pointer with a refcount of 1 is returned. Note that the
1486 * file pointer is NOT associated with the descriptor. If falloc
1487 * returns success, fsetfd() MUST be called to either associate the
1488 * file pointer or clear the reservation.
1493 falloc(struct lwp *lp, struct file **resultfp, int *resultfd)
1495 static struct timeval lastfail;
1498 struct ucred *cred = lp ? lp->lwp_thread->td_ucred : proc0.p_ucred;
1504 * Handle filetable full issues and root overfill.
1506 if (nfiles >= maxfiles - maxfilesrootres &&
1507 (cred->cr_ruid != 0 || nfiles >= maxfiles)) {
1508 if (ppsratecheck(&lastfail, &curfail, 1)) {
1509 kprintf("kern.maxfiles limit exceeded by uid %d, "
1510 "please see tuning(7).\n",
1518 * Allocate a new file descriptor.
1520 fp = kmalloc(sizeof(struct file), M_FILE, M_WAITOK | M_ZERO);
1521 spin_init(&fp->f_spin);
1522 SLIST_INIT(&fp->f_klist);
1524 fp->f_ops = &badfileops;
1527 spin_lock(&filehead_spin);
1529 LIST_INSERT_HEAD(&filehead, fp, f_list);
1530 spin_unlock(&filehead_spin);
1532 if ((error = fdalloc(lp->lwp_proc, 0, resultfd)) != 0) {
1545 * Check for races against a file descriptor by determining that the
1546 * file pointer is still associated with the specified file descriptor,
1547 * and a close is not currently in progress.
1552 checkfdclosed(struct filedesc *fdp, int fd, struct file *fp)
1556 spin_lock(&fdp->fd_spin);
1557 if ((unsigned)fd >= fdp->fd_nfiles || fp != fdp->fd_files[fd].fp)
1561 spin_unlock(&fdp->fd_spin);
1566 * Associate a file pointer with a previously reserved file descriptor.
1567 * This function always succeeds.
1569 * If fp is NULL, the file descriptor is returned to the pool.
1573 * MPSAFE (exclusive spinlock must be held on call)
1576 fsetfd_locked(struct filedesc *fdp, struct file *fp, int fd)
1578 KKASSERT((unsigned)fd < fdp->fd_nfiles);
1579 KKASSERT(fdp->fd_files[fd].reserved != 0);
1582 fdp->fd_files[fd].fp = fp;
1583 fdp->fd_files[fd].reserved = 0;
1585 fdp->fd_files[fd].reserved = 0;
1586 fdreserve_locked(fdp, fd, -1);
1587 fdfixup_locked(fdp, fd);
1595 fsetfd(struct filedesc *fdp, struct file *fp, int fd)
1597 spin_lock(&fdp->fd_spin);
1598 fsetfd_locked(fdp, fp, fd);
1599 spin_unlock(&fdp->fd_spin);
1603 * MPSAFE (exclusive spinlock must be held on call)
1607 funsetfd_locked(struct filedesc *fdp, int fd)
1611 if ((unsigned)fd >= fdp->fd_nfiles)
1613 if ((fp = fdp->fd_files[fd].fp) == NULL)
1615 fdp->fd_files[fd].fp = NULL;
1616 fdp->fd_files[fd].fileflags = 0;
1618 fdreserve_locked(fdp, fd, -1);
1619 fdfixup_locked(fdp, fd);
1627 fgetfdflags(struct filedesc *fdp, int fd, int *flagsp)
1631 spin_lock(&fdp->fd_spin);
1632 if (((u_int)fd) >= fdp->fd_nfiles) {
1634 } else if (fdp->fd_files[fd].fp == NULL) {
1637 *flagsp = fdp->fd_files[fd].fileflags;
1640 spin_unlock(&fdp->fd_spin);
1648 fsetfdflags(struct filedesc *fdp, int fd, int add_flags)
1652 spin_lock(&fdp->fd_spin);
1653 if (((u_int)fd) >= fdp->fd_nfiles) {
1655 } else if (fdp->fd_files[fd].fp == NULL) {
1658 fdp->fd_files[fd].fileflags |= add_flags;
1661 spin_unlock(&fdp->fd_spin);
1669 fclrfdflags(struct filedesc *fdp, int fd, int rem_flags)
1673 spin_lock(&fdp->fd_spin);
1674 if (((u_int)fd) >= fdp->fd_nfiles) {
1676 } else if (fdp->fd_files[fd].fp == NULL) {
1679 fdp->fd_files[fd].fileflags &= ~rem_flags;
1682 spin_unlock(&fdp->fd_spin);
1687 * Set/Change/Clear the creds for a fp and synchronize the uidinfo.
1690 fsetcred(struct file *fp, struct ucred *ncr)
1693 struct uidinfo *uip;
1696 if (ocr == NULL || ncr == NULL || ocr->cr_uidinfo != ncr->cr_uidinfo) {
1698 uip = ocr->cr_uidinfo;
1699 atomic_add_int(&uip->ui_openfiles, -1);
1702 uip = ncr->cr_uidinfo;
1703 atomic_add_int(&uip->ui_openfiles, 1);
1714 * Free a file descriptor.
1718 ffree(struct file *fp)
1720 KASSERT((fp->f_count == 0), ("ffree: fp_fcount not 0!"));
1721 spin_lock(&filehead_spin);
1722 LIST_REMOVE(fp, f_list);
1724 spin_unlock(&filehead_spin);
1726 if (fp->f_nchandle.ncp)
1727 cache_drop(&fp->f_nchandle);
1732 * called from init_main, initialize filedesc0 for proc0.
1735 fdinit_bootstrap(struct proc *p0, struct filedesc *fdp0, int cmask)
1739 fdp0->fd_refcnt = 1;
1740 fdp0->fd_cmask = cmask;
1741 fdp0->fd_files = fdp0->fd_builtin_files;
1742 fdp0->fd_nfiles = NDFILE;
1743 fdp0->fd_lastfile = -1;
1744 spin_init(&fdp0->fd_spin);
1748 * Build a new filedesc structure.
1753 fdinit(struct proc *p)
1755 struct filedesc *newfdp;
1756 struct filedesc *fdp = p->p_fd;
1758 newfdp = kmalloc(sizeof(struct filedesc), M_FILEDESC, M_WAITOK|M_ZERO);
1759 spin_lock(&fdp->fd_spin);
1761 newfdp->fd_cdir = fdp->fd_cdir;
1762 vref(newfdp->fd_cdir);
1763 cache_copy(&fdp->fd_ncdir, &newfdp->fd_ncdir);
1767 * rdir may not be set in e.g. proc0 or anything vm_fork'd off of
1768 * proc0, but should unconditionally exist in other processes.
1771 newfdp->fd_rdir = fdp->fd_rdir;
1772 vref(newfdp->fd_rdir);
1773 cache_copy(&fdp->fd_nrdir, &newfdp->fd_nrdir);
1776 newfdp->fd_jdir = fdp->fd_jdir;
1777 vref(newfdp->fd_jdir);
1778 cache_copy(&fdp->fd_njdir, &newfdp->fd_njdir);
1780 spin_unlock(&fdp->fd_spin);
1782 /* Create the file descriptor table. */
1783 newfdp->fd_refcnt = 1;
1784 newfdp->fd_cmask = cmask;
1785 newfdp->fd_files = newfdp->fd_builtin_files;
1786 newfdp->fd_nfiles = NDFILE;
1787 newfdp->fd_lastfile = -1;
1788 spin_init(&newfdp->fd_spin);
1794 * Share a filedesc structure.
1799 fdshare(struct proc *p)
1801 struct filedesc *fdp;
1804 spin_lock(&fdp->fd_spin);
1806 spin_unlock(&fdp->fd_spin);
1811 * Copy a filedesc structure.
1816 fdcopy(struct proc *p, struct filedesc **fpp)
1818 struct filedesc *fdp = p->p_fd;
1819 struct filedesc *newfdp;
1820 struct fdnode *fdnode;
1825 * Certain daemons might not have file descriptors.
1831 * Allocate the new filedesc and fd_files[] array. This can race
1832 * with operations by other threads on the fdp so we have to be
1835 newfdp = kmalloc(sizeof(struct filedesc),
1836 M_FILEDESC, M_WAITOK | M_ZERO | M_NULLOK);
1837 if (newfdp == NULL) {
1842 spin_lock(&fdp->fd_spin);
1843 if (fdp->fd_lastfile < NDFILE) {
1844 newfdp->fd_files = newfdp->fd_builtin_files;
1848 * We have to allocate (N^2-1) entries for our in-place
1849 * binary tree. Allow the table to shrink.
1853 while (ni > fdp->fd_lastfile && ni > NDFILE) {
1857 spin_unlock(&fdp->fd_spin);
1858 newfdp->fd_files = kmalloc(i * sizeof(struct fdnode),
1859 M_FILEDESC, M_WAITOK | M_ZERO);
1862 * Check for race, retry
1864 spin_lock(&fdp->fd_spin);
1865 if (i <= fdp->fd_lastfile) {
1866 spin_unlock(&fdp->fd_spin);
1867 kfree(newfdp->fd_files, M_FILEDESC);
1873 * Dup the remaining fields. vref() and cache_hold() can be
1874 * safely called while holding the read spinlock on fdp.
1876 * The read spinlock on fdp is still being held.
1878 * NOTE: vref and cache_hold calls for the case where the vnode
1879 * or cache entry already has at least one ref may be called
1880 * while holding spin locks.
1882 if ((newfdp->fd_cdir = fdp->fd_cdir) != NULL) {
1883 vref(newfdp->fd_cdir);
1884 cache_copy(&fdp->fd_ncdir, &newfdp->fd_ncdir);
1887 * We must check for fd_rdir here, at least for now because
1888 * the init process is created before we have access to the
1889 * rootvode to take a reference to it.
1891 if ((newfdp->fd_rdir = fdp->fd_rdir) != NULL) {
1892 vref(newfdp->fd_rdir);
1893 cache_copy(&fdp->fd_nrdir, &newfdp->fd_nrdir);
1895 if ((newfdp->fd_jdir = fdp->fd_jdir) != NULL) {
1896 vref(newfdp->fd_jdir);
1897 cache_copy(&fdp->fd_njdir, &newfdp->fd_njdir);
1899 newfdp->fd_refcnt = 1;
1900 newfdp->fd_nfiles = i;
1901 newfdp->fd_lastfile = fdp->fd_lastfile;
1902 newfdp->fd_freefile = fdp->fd_freefile;
1903 newfdp->fd_cmask = fdp->fd_cmask;
1904 spin_init(&newfdp->fd_spin);
1907 * Copy the descriptor table through (i). This also copies the
1908 * allocation state. Then go through and ref the file pointers
1909 * and clean up any KQ descriptors.
1911 * kq descriptors cannot be copied. Since we haven't ref'd the
1912 * copied files yet we can ignore the return value from funsetfd().
1914 * The read spinlock on fdp is still being held.
1916 bcopy(fdp->fd_files, newfdp->fd_files, i * sizeof(struct fdnode));
1917 for (i = 0 ; i < newfdp->fd_nfiles; ++i) {
1918 fdnode = &newfdp->fd_files[i];
1919 if (fdnode->reserved) {
1920 fdreserve_locked(newfdp, i, -1);
1921 fdnode->reserved = 0;
1922 fdfixup_locked(newfdp, i);
1923 } else if (fdnode->fp) {
1924 if (fdnode->fp->f_type == DTYPE_KQUEUE) {
1925 (void)funsetfd_locked(newfdp, i);
1931 spin_unlock(&fdp->fd_spin);
1937 * Release a filedesc structure.
1939 * NOT MPSAFE (MPSAFE for refs > 1, but the final cleanup code is not MPSAFE)
1942 fdfree(struct proc *p, struct filedesc *repl)
1944 struct filedesc *fdp;
1945 struct fdnode *fdnode;
1947 struct filedesc_to_leader *fdtol;
1953 * Certain daemons might not have file descriptors.
1962 * Severe messing around to follow.
1964 spin_lock(&fdp->fd_spin);
1966 /* Check for special need to clear POSIX style locks */
1968 if (fdtol != NULL) {
1969 KASSERT(fdtol->fdl_refcount > 0,
1970 ("filedesc_to_refcount botch: fdl_refcount=%d",
1971 fdtol->fdl_refcount));
1972 if (fdtol->fdl_refcount == 1 &&
1973 (p->p_leader->p_flag & P_ADVLOCK) != 0) {
1974 for (i = 0; i <= fdp->fd_lastfile; ++i) {
1975 fdnode = &fdp->fd_files[i];
1976 if (fdnode->fp == NULL ||
1977 fdnode->fp->f_type != DTYPE_VNODE) {
1982 spin_unlock(&fdp->fd_spin);
1984 lf.l_whence = SEEK_SET;
1987 lf.l_type = F_UNLCK;
1988 vp = (struct vnode *)fp->f_data;
1989 (void) VOP_ADVLOCK(vp,
1990 (caddr_t)p->p_leader,
1995 spin_lock(&fdp->fd_spin);
1999 if (fdtol->fdl_refcount == 1) {
2000 if (fdp->fd_holdleaderscount > 0 &&
2001 (p->p_leader->p_flag & P_ADVLOCK) != 0) {
2003 * close() or do_dup() has cleared a reference
2004 * in a shared file descriptor table.
2006 fdp->fd_holdleaderswakeup = 1;
2007 ssleep(&fdp->fd_holdleaderscount,
2008 &fdp->fd_spin, 0, "fdlhold", 0);
2011 if (fdtol->fdl_holdcount > 0) {
2013 * Ensure that fdtol->fdl_leader
2014 * remains valid in closef().
2016 fdtol->fdl_wakeup = 1;
2017 ssleep(fdtol, &fdp->fd_spin, 0, "fdlhold", 0);
2021 fdtol->fdl_refcount--;
2022 if (fdtol->fdl_refcount == 0 &&
2023 fdtol->fdl_holdcount == 0) {
2024 fdtol->fdl_next->fdl_prev = fdtol->fdl_prev;
2025 fdtol->fdl_prev->fdl_next = fdtol->fdl_next;
2030 if (fdtol != NULL) {
2031 spin_unlock(&fdp->fd_spin);
2032 kfree(fdtol, M_FILEDESC_TO_LEADER);
2033 spin_lock(&fdp->fd_spin);
2036 if (--fdp->fd_refcnt > 0) {
2037 spin_unlock(&fdp->fd_spin);
2038 spin_lock(&p->p_spin);
2040 spin_unlock(&p->p_spin);
2045 * Even though we are the last reference to the structure allproc
2046 * scans may still reference the structure. Maintain proper
2047 * locks until we can replace p->p_fd.
2049 * Also note that kqueue's closef still needs to reference the
2050 * fdp via p->p_fd, so we have to close the descriptors before
2051 * we replace p->p_fd.
2053 for (i = 0; i <= fdp->fd_lastfile; ++i) {
2054 if (fdp->fd_files[i].fp) {
2055 fp = funsetfd_locked(fdp, i);
2057 spin_unlock(&fdp->fd_spin);
2058 if (SLIST_FIRST(&fp->f_klist))
2059 knote_fdclose(fp, fdp, i);
2061 spin_lock(&fdp->fd_spin);
2065 spin_unlock(&fdp->fd_spin);
2068 * Interlock against an allproc scan operations (typically frevoke).
2070 spin_lock(&p->p_spin);
2072 spin_unlock(&p->p_spin);
2075 * Wait for any softrefs to go away. This race rarely occurs so
2076 * we can use a non-critical-path style poll/sleep loop. The
2077 * race only occurs against allproc scans.
2079 * No new softrefs can occur with the fdp disconnected from the
2082 if (fdp->fd_softrefs) {
2083 kprintf("pid %d: Warning, fdp race avoided\n", p->p_pid);
2084 while (fdp->fd_softrefs)
2085 tsleep(&fdp->fd_softrefs, 0, "fdsoft", 1);
2088 if (fdp->fd_files != fdp->fd_builtin_files)
2089 kfree(fdp->fd_files, M_FILEDESC);
2091 cache_drop(&fdp->fd_ncdir);
2092 vrele(fdp->fd_cdir);
2095 cache_drop(&fdp->fd_nrdir);
2096 vrele(fdp->fd_rdir);
2099 cache_drop(&fdp->fd_njdir);
2100 vrele(fdp->fd_jdir);
2102 kfree(fdp, M_FILEDESC);
2106 * Retrieve and reference the file pointer associated with a descriptor.
2111 holdfp(struct filedesc *fdp, int fd, int flag)
2115 spin_lock(&fdp->fd_spin);
2116 if (((u_int)fd) >= fdp->fd_nfiles) {
2120 if ((fp = fdp->fd_files[fd].fp) == NULL)
2122 if ((fp->f_flag & flag) == 0 && flag != -1) {
2128 spin_unlock(&fdp->fd_spin);
2133 * holdsock() - load the struct file pointer associated
2134 * with a socket into *fpp. If an error occurs, non-zero
2135 * will be returned and *fpp will be set to NULL.
2140 holdsock(struct filedesc *fdp, int fd, struct file **fpp)
2145 spin_lock(&fdp->fd_spin);
2146 if ((unsigned)fd >= fdp->fd_nfiles) {
2151 if ((fp = fdp->fd_files[fd].fp) == NULL) {
2155 if (fp->f_type != DTYPE_SOCKET) {
2162 spin_unlock(&fdp->fd_spin);
2168 * Convert a user file descriptor to a held file pointer.
2173 holdvnode(struct filedesc *fdp, int fd, struct file **fpp)
2178 spin_lock(&fdp->fd_spin);
2179 if ((unsigned)fd >= fdp->fd_nfiles) {
2184 if ((fp = fdp->fd_files[fd].fp) == NULL) {
2188 if (fp->f_type != DTYPE_VNODE && fp->f_type != DTYPE_FIFO) {
2196 spin_unlock(&fdp->fd_spin);
2202 * For setugid programs, we don't want to people to use that setugidness
2203 * to generate error messages which write to a file which otherwise would
2204 * otherwise be off-limits to the process.
2206 * This is a gross hack to plug the hole. A better solution would involve
2207 * a special vop or other form of generalized access control mechanism. We
2208 * go ahead and just reject all procfs file systems accesses as dangerous.
2210 * Since setugidsafety calls this only for fd 0, 1 and 2, this check is
2211 * sufficient. We also don't for check setugidness since we know we are.
2214 is_unsafe(struct file *fp)
2216 if (fp->f_type == DTYPE_VNODE &&
2217 ((struct vnode *)(fp->f_data))->v_tag == VT_PROCFS)
2223 * Make this setguid thing safe, if at all possible.
2225 * NOT MPSAFE - scans fdp without spinlocks, calls knote_fdclose()
2228 setugidsafety(struct proc *p)
2230 struct filedesc *fdp = p->p_fd;
2233 /* Certain daemons might not have file descriptors. */
2238 * note: fdp->fd_files may be reallocated out from under us while
2239 * we are blocked in a close. Be careful!
2241 for (i = 0; i <= fdp->fd_lastfile; i++) {
2244 if (fdp->fd_files[i].fp && is_unsafe(fdp->fd_files[i].fp)) {
2248 * NULL-out descriptor prior to close to avoid
2249 * a race while close blocks.
2251 if ((fp = funsetfd_locked(fdp, i)) != NULL) {
2252 knote_fdclose(fp, fdp, i);
2260 * Close any files on exec?
2262 * NOT MPSAFE - scans fdp without spinlocks, calls knote_fdclose()
2265 fdcloseexec(struct proc *p)
2267 struct filedesc *fdp = p->p_fd;
2270 /* Certain daemons might not have file descriptors. */
2275 * We cannot cache fd_files since operations may block and rip
2276 * them out from under us.
2278 for (i = 0; i <= fdp->fd_lastfile; i++) {
2279 if (fdp->fd_files[i].fp != NULL &&
2280 (fdp->fd_files[i].fileflags & UF_EXCLOSE)) {
2284 * NULL-out descriptor prior to close to avoid
2285 * a race while close blocks.
2287 if ((fp = funsetfd_locked(fdp, i)) != NULL) {
2288 knote_fdclose(fp, fdp, i);
2296 * It is unsafe for set[ug]id processes to be started with file
2297 * descriptors 0..2 closed, as these descriptors are given implicit
2298 * significance in the Standard C library. fdcheckstd() will create a
2299 * descriptor referencing /dev/null for each of stdin, stdout, and
2300 * stderr that is not already open.
2302 * NOT MPSAFE - calls falloc, vn_open, etc
2305 fdcheckstd(struct lwp *lp)
2307 struct nlookupdata nd;
2308 struct filedesc *fdp;
2311 int i, error, flags, devnull;
2313 fdp = lp->lwp_proc->p_fd;
2318 for (i = 0; i < 3; i++) {
2319 if (fdp->fd_files[i].fp != NULL)
2322 if ((error = falloc(lp, &fp, &devnull)) != 0)
2325 error = nlookup_init(&nd, "/dev/null", UIO_SYSSPACE,
2326 NLC_FOLLOW|NLC_LOCKVP);
2327 flags = FREAD | FWRITE;
2329 error = vn_open(&nd, fp, flags, 0);
2331 fsetfd(fdp, fp, devnull);
2333 fsetfd(fdp, NULL, devnull);
2338 KKASSERT(i == devnull);
2340 error = kern_dup(DUP_FIXED, devnull, i, &retval);
2349 * Internal form of close.
2350 * Decrement reference count on file structure.
2351 * Note: td and/or p may be NULL when closing a file
2352 * that was being passed in a message.
2354 * MPALMOSTSAFE - acquires mplock for VOP operations
2357 closef(struct file *fp, struct proc *p)
2361 struct filedesc_to_leader *fdtol;
2367 * POSIX record locking dictates that any close releases ALL
2368 * locks owned by this process. This is handled by setting
2369 * a flag in the unlock to free ONLY locks obeying POSIX
2370 * semantics, and not to free BSD-style file locks.
2371 * If the descriptor was in a message, POSIX-style locks
2372 * aren't passed with the descriptor.
2374 if (p != NULL && fp->f_type == DTYPE_VNODE &&
2375 (((struct vnode *)fp->f_data)->v_flag & VMAYHAVELOCKS)
2377 if ((p->p_leader->p_flag & P_ADVLOCK) != 0) {
2378 lf.l_whence = SEEK_SET;
2381 lf.l_type = F_UNLCK;
2382 vp = (struct vnode *)fp->f_data;
2383 (void) VOP_ADVLOCK(vp, (caddr_t)p->p_leader, F_UNLCK,
2387 if (fdtol != NULL) {
2388 lwkt_gettoken(&p->p_token);
2390 * Handle special case where file descriptor table
2391 * is shared between multiple process leaders.
2393 for (fdtol = fdtol->fdl_next;
2394 fdtol != p->p_fdtol;
2395 fdtol = fdtol->fdl_next) {
2396 if ((fdtol->fdl_leader->p_flag &
2399 fdtol->fdl_holdcount++;
2400 lf.l_whence = SEEK_SET;
2403 lf.l_type = F_UNLCK;
2404 vp = (struct vnode *)fp->f_data;
2405 (void) VOP_ADVLOCK(vp,
2406 (caddr_t)fdtol->fdl_leader,
2407 F_UNLCK, &lf, F_POSIX);
2408 fdtol->fdl_holdcount--;
2409 if (fdtol->fdl_holdcount == 0 &&
2410 fdtol->fdl_wakeup != 0) {
2411 fdtol->fdl_wakeup = 0;
2415 lwkt_reltoken(&p->p_token);
2424 * fhold() can only be called if f_count is already at least 1 (i.e. the
2425 * caller of fhold() already has a reference to the file pointer in some
2428 * f_count is not spin-locked. Instead, atomic ops are used for
2429 * incrementing, decrementing, and handling the 1->0 transition.
2432 fhold(struct file *fp)
2434 atomic_add_int(&fp->f_count, 1);
2438 * fdrop() - drop a reference to a descriptor
2440 * MPALMOSTSAFE - acquires mplock for final close sequence
2443 fdrop(struct file *fp)
2450 * A combined fetch and subtract is needed to properly detect
2451 * 1->0 transitions, otherwise two cpus dropping from a ref
2452 * count of 2 might both try to run the 1->0 code.
2454 if (atomic_fetchadd_int(&fp->f_count, -1) > 1)
2457 KKASSERT(SLIST_FIRST(&fp->f_klist) == NULL);
2460 * The last reference has gone away, we own the fp structure free
2463 if (fp->f_count < 0)
2464 panic("fdrop: count < 0");
2465 if ((fp->f_flag & FHASLOCK) && fp->f_type == DTYPE_VNODE &&
2466 (((struct vnode *)fp->f_data)->v_flag & VMAYHAVELOCKS)
2468 lf.l_whence = SEEK_SET;
2471 lf.l_type = F_UNLCK;
2472 vp = (struct vnode *)fp->f_data;
2473 (void) VOP_ADVLOCK(vp, (caddr_t)fp, F_UNLCK, &lf, 0);
2475 if (fp->f_ops != &badfileops)
2476 error = fo_close(fp);
2484 * Apply an advisory lock on a file descriptor.
2486 * Just attempt to get a record lock of the requested type on
2487 * the entire file (l_whence = SEEK_SET, l_start = 0, l_len = 0).
2492 sys_flock(struct flock_args *uap)
2494 struct proc *p = curproc;
2500 if ((fp = holdfp(p->p_fd, uap->fd, -1)) == NULL)
2502 if (fp->f_type != DTYPE_VNODE) {
2506 vp = (struct vnode *)fp->f_data;
2507 lf.l_whence = SEEK_SET;
2510 if (uap->how & LOCK_UN) {
2511 lf.l_type = F_UNLCK;
2512 fp->f_flag &= ~FHASLOCK;
2513 error = VOP_ADVLOCK(vp, (caddr_t)fp, F_UNLCK, &lf, 0);
2516 if (uap->how & LOCK_EX)
2517 lf.l_type = F_WRLCK;
2518 else if (uap->how & LOCK_SH)
2519 lf.l_type = F_RDLCK;
2524 fp->f_flag |= FHASLOCK;
2525 if (uap->how & LOCK_NB)
2526 error = VOP_ADVLOCK(vp, (caddr_t)fp, F_SETLK, &lf, 0);
2528 error = VOP_ADVLOCK(vp, (caddr_t)fp, F_SETLK, &lf, F_WAIT);
2535 * File Descriptor pseudo-device driver (/dev/fd/).
2537 * Opening minor device N dup()s the file (if any) connected to file
2538 * descriptor N belonging to the calling process. Note that this driver
2539 * consists of only the ``open()'' routine, because all subsequent
2540 * references to this file will be direct to the other driver.
2543 fdopen(struct dev_open_args *ap)
2545 thread_t td = curthread;
2547 KKASSERT(td->td_lwp != NULL);
2550 * XXX Kludge: set curlwp->lwp_dupfd to contain the value of the
2551 * the file descriptor being sought for duplication. The error
2552 * return ensures that the vnode for this device will be released
2553 * by vn_open. Open will detect this special error and take the
2554 * actions in dupfdopen below. Other callers of vn_open or VOP_OPEN
2555 * will simply report the error.
2557 td->td_lwp->lwp_dupfd = minor(ap->a_head.a_dev);
2562 * The caller has reserved the file descriptor dfd for us. On success we
2563 * must fsetfd() it. On failure the caller will clean it up.
2568 dupfdopen(struct filedesc *fdp, int dfd, int sfd, int mode, int error)
2574 if ((wfp = holdfp(fdp, sfd, -1)) == NULL)
2578 * Close a revoke/dup race. Duping a descriptor marked as revoked
2579 * will dup a dummy descriptor instead of the real one.
2581 if (wfp->f_flag & FREVOKED) {
2582 kprintf("Warning: attempt to dup() a revoked descriptor\n");
2585 werror = falloc(NULL, &wfp, NULL);
2591 * There are two cases of interest here.
2593 * For ENODEV simply dup sfd to file descriptor dfd and return.
2595 * For ENXIO steal away the file structure from sfd and store it
2596 * dfd. sfd is effectively closed by this operation.
2598 * Any other error code is just returned.
2603 * Check that the mode the file is being opened for is a
2604 * subset of the mode of the existing descriptor.
2606 if (((mode & (FREAD|FWRITE)) | wfp->f_flag) != wfp->f_flag) {
2610 spin_lock(&fdp->fd_spin);
2611 fdp->fd_files[dfd].fileflags = fdp->fd_files[sfd].fileflags;
2612 fsetfd_locked(fdp, wfp, dfd);
2613 spin_unlock(&fdp->fd_spin);
2618 * Steal away the file pointer from dfd, and stuff it into indx.
2620 spin_lock(&fdp->fd_spin);
2621 fdp->fd_files[dfd].fileflags = fdp->fd_files[sfd].fileflags;
2622 fsetfd(fdp, wfp, dfd);
2623 if ((xfp = funsetfd_locked(fdp, sfd)) != NULL) {
2624 spin_unlock(&fdp->fd_spin);
2627 spin_unlock(&fdp->fd_spin);
2639 * NOT MPSAFE - I think these refer to a common file descriptor table
2640 * and we need to spinlock that to link fdtol in.
2642 struct filedesc_to_leader *
2643 filedesc_to_leader_alloc(struct filedesc_to_leader *old,
2644 struct proc *leader)
2646 struct filedesc_to_leader *fdtol;
2648 fdtol = kmalloc(sizeof(struct filedesc_to_leader),
2649 M_FILEDESC_TO_LEADER, M_WAITOK | M_ZERO);
2650 fdtol->fdl_refcount = 1;
2651 fdtol->fdl_holdcount = 0;
2652 fdtol->fdl_wakeup = 0;
2653 fdtol->fdl_leader = leader;
2655 fdtol->fdl_next = old->fdl_next;
2656 fdtol->fdl_prev = old;
2657 old->fdl_next = fdtol;
2658 fdtol->fdl_next->fdl_prev = fdtol;
2660 fdtol->fdl_next = fdtol;
2661 fdtol->fdl_prev = fdtol;
2667 * Scan all file pointers in the system. The callback is made with
2668 * the master list spinlock held exclusively.
2673 allfiles_scan_exclusive(int (*callback)(struct file *, void *), void *data)
2678 spin_lock(&filehead_spin);
2679 LIST_FOREACH(fp, &filehead, f_list) {
2680 res = callback(fp, data);
2684 spin_unlock(&filehead_spin);
2688 * Get file structures.
2690 * NOT MPSAFE - process list scan, SYSCTL_OUT (probably not mpsafe)
2693 struct sysctl_kern_file_info {
2696 struct sysctl_req *req;
2699 static int sysctl_kern_file_callback(struct proc *p, void *data);
2702 sysctl_kern_file(SYSCTL_HANDLER_ARGS)
2704 struct sysctl_kern_file_info info;
2707 * Note: because the number of file descriptors is calculated
2708 * in different ways for sizing vs returning the data,
2709 * there is information leakage from the first loop. However,
2710 * it is of a similar order of magnitude to the leakage from
2711 * global system statistics such as kern.openfiles.
2713 * When just doing a count, note that we cannot just count
2714 * the elements and add f_count via the filehead list because
2715 * threaded processes share their descriptor table and f_count might
2716 * still be '1' in that case.
2718 * Since the SYSCTL op can block, we must hold the process to
2719 * prevent it being ripped out from under us either in the
2720 * file descriptor loop or in the greater LIST_FOREACH. The
2721 * process may be in varying states of disrepair. If the process
2722 * is in SZOMB we may have caught it just as it is being removed
2723 * from the allproc list, we must skip it in that case to maintain
2724 * an unbroken chain through the allproc list.
2729 allproc_scan(sysctl_kern_file_callback, &info);
2732 * When just calculating the size, overestimate a bit to try to
2733 * prevent system activity from causing the buffer-fill call
2736 if (req->oldptr == NULL) {
2737 info.count = (info.count + 16) + (info.count / 10);
2738 info.error = SYSCTL_OUT(req, NULL,
2739 info.count * sizeof(struct kinfo_file));
2741 return (info.error);
2745 sysctl_kern_file_callback(struct proc *p, void *data)
2747 struct sysctl_kern_file_info *info = data;
2748 struct kinfo_file kf;
2749 struct filedesc *fdp;
2754 if (p->p_stat == SIDL || p->p_stat == SZOMB)
2756 if (!PRISON_CHECK(info->req->td->td_ucred, p->p_ucred) != 0)
2760 * Softref the fdp to prevent it from being destroyed
2762 spin_lock(&p->p_spin);
2763 if ((fdp = p->p_fd) == NULL) {
2764 spin_unlock(&p->p_spin);
2767 atomic_add_int(&fdp->fd_softrefs, 1);
2768 spin_unlock(&p->p_spin);
2771 * The fdp's own spinlock prevents the contents from being
2774 spin_lock(&fdp->fd_spin);
2775 for (n = 0; n < fdp->fd_nfiles; ++n) {
2776 if ((fp = fdp->fd_files[n].fp) == NULL)
2778 if (info->req->oldptr == NULL) {
2781 uid = p->p_ucred ? p->p_ucred->cr_uid : -1;
2782 kcore_make_file(&kf, fp, p->p_pid, uid, n);
2783 spin_unlock(&fdp->fd_spin);
2784 info->error = SYSCTL_OUT(info->req, &kf, sizeof(kf));
2785 spin_lock(&fdp->fd_spin);
2790 spin_unlock(&fdp->fd_spin);
2791 atomic_subtract_int(&fdp->fd_softrefs, 1);
2797 SYSCTL_PROC(_kern, KERN_FILE, file, CTLTYPE_OPAQUE|CTLFLAG_RD,
2798 0, 0, sysctl_kern_file, "S,file", "Entire file table");
2800 SYSCTL_INT(_kern, OID_AUTO, minfilesperproc, CTLFLAG_RW,
2801 &minfilesperproc, 0, "Minimum files allowed open per process");
2802 SYSCTL_INT(_kern, KERN_MAXFILESPERPROC, maxfilesperproc, CTLFLAG_RW,
2803 &maxfilesperproc, 0, "Maximum files allowed open per process");
2804 SYSCTL_INT(_kern, OID_AUTO, maxfilesperuser, CTLFLAG_RW,
2805 &maxfilesperuser, 0, "Maximum files allowed open per user");
2807 SYSCTL_INT(_kern, KERN_MAXFILES, maxfiles, CTLFLAG_RW,
2808 &maxfiles, 0, "Maximum number of files");
2810 SYSCTL_INT(_kern, OID_AUTO, maxfilesrootres, CTLFLAG_RW,
2811 &maxfilesrootres, 0, "Descriptors reserved for root use");
2813 SYSCTL_INT(_kern, OID_AUTO, openfiles, CTLFLAG_RD,
2814 &nfiles, 0, "System-wide number of open files");
2817 fildesc_drvinit(void *unused)
2821 for (fd = 0; fd < NUMFDESC; fd++) {
2822 make_dev(&fildesc_ops, fd,
2823 UID_BIN, GID_BIN, 0666, "fd/%d", fd);
2826 make_dev(&fildesc_ops, 0, UID_ROOT, GID_WHEEL, 0666, "stdin");
2827 make_dev(&fildesc_ops, 1, UID_ROOT, GID_WHEEL, 0666, "stdout");
2828 make_dev(&fildesc_ops, 2, UID_ROOT, GID_WHEEL, 0666, "stderr");
2834 struct fileops badfileops = {
2835 .fo_read = badfo_readwrite,
2836 .fo_write = badfo_readwrite,
2837 .fo_ioctl = badfo_ioctl,
2838 .fo_kqfilter = badfo_kqfilter,
2839 .fo_stat = badfo_stat,
2840 .fo_close = badfo_close,
2841 .fo_shutdown = badfo_shutdown
2855 badfo_ioctl(struct file *fp, u_long com, caddr_t data,
2856 struct ucred *cred, struct sysmsg *msgv)
2862 * Must return an error to prevent registration, typically
2863 * due to a revoked descriptor (file_filtops assigned).
2866 badfo_kqfilter(struct file *fp, struct knote *kn)
2868 return (EOPNOTSUPP);
2875 badfo_stat(struct file *fp, struct stat *sb, struct ucred *cred)
2884 badfo_close(struct file *fp)
2893 badfo_shutdown(struct file *fp, int how)
2902 nofo_shutdown(struct file *fp, int how)
2904 return (EOPNOTSUPP);
2907 SYSINIT(fildescdev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,
2908 fildesc_drvinit,NULL)