1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 * Copyright 2013 Joyent, Inc. All rights reserved. 26 */ 27 28 #include <sys/param.h> 29 #include <sys/types.h> 30 #include <sys/sysmacros.h> 31 #include <sys/systm.h> 32 #include <sys/errno.h> 33 #include <sys/vfs.h> 34 #include <sys/vnode.h> 35 #include <sys/swap.h> 36 #include <sys/file.h> 37 #include <sys/proc.h> 38 #include <sys/var.h> 39 #include <sys/uadmin.h> 40 #include <sys/signal.h> 41 #include <sys/time.h> 42 #include <vm/seg_kmem.h> 43 #include <sys/modctl.h> 44 #include <sys/callb.h> 45 #include <sys/dumphdr.h> 46 #include <sys/debug.h> 47 #include <sys/ftrace.h> 48 #include <sys/cmn_err.h> 49 #include <sys/panic.h> 50 #include <sys/ddi.h> 51 #include <sys/ddi_periodic.h> 52 #include <sys/sunddi.h> 53 #include <sys/policy.h> 54 #include <sys/zone.h> 55 #include <sys/condvar.h> 56 #include <sys/thread.h> 57 #include <sys/sdt.h> 58 59 /* 60 * Administrivia system call. We provide this in two flavors: one for calling 61 * from the system call path (uadmin), and the other for calling from elsewhere 62 * within the kernel (kadmin). Callers must beware that certain uadmin cmd 63 * values (specifically A_SWAPCTL) are only supported by uadmin and not kadmin. 64 */ 65 66 extern ksema_t fsflush_sema; 67 kmutex_t ualock; 68 kcondvar_t uacond; 69 kthread_t *ua_shutdown_thread = NULL; 70 71 int sys_shutdown = 0; 72 volatile int fastreboot_dryrun = 0; 73 74 /* 75 * Kill all user processes in said zone. A special argument of ALL_ZONES is 76 * passed in when the system as a whole is shutting down. The lack of per-zone 77 * process lists is likely to make the following a performance bottleneck on a 78 * system with many zones. 79 */ 80 void 81 killall(zoneid_t zoneid, boolean_t force) 82 { 83 proc_t *p; 84 85 ASSERT(zoneid != GLOBAL_ZONEID); 86 /* 87 * Kill all processes except kernel daemons and ourself. 88 * Make a first pass to stop all processes so they won't 89 * be trying to restart children as we kill them. 90 */ 91 mutex_enter(&pidlock); 92 for (p = practive; p != NULL; p = p->p_next) { 93 if ((zoneid == ALL_ZONES || p->p_zone->zone_id == zoneid) && 94 p->p_exec != NULLVP && /* kernel daemons */ 95 p->p_as != &kas && 96 p->p_stat != SZOMB) { 97 mutex_enter(&p->p_lock); 98 p->p_flag |= SNOWAIT; 99 sigtoproc(p, NULL, SIGSTOP); 100 mutex_exit(&p->p_lock); 101 } 102 } 103 p = practive; 104 while (p != NULL) { 105 if ((zoneid == ALL_ZONES || p->p_zone->zone_id == zoneid) && 106 p->p_exec != NULLVP && /* kernel daemons */ 107 p->p_as != &kas && 108 p->p_stat != SIDL && 109 p->p_stat != SZOMB) { 110 mutex_enter(&p->p_lock); 111 if (!force && sigismember(&p->p_sig, SIGKILL)) { 112 mutex_exit(&p->p_lock); 113 p = p->p_next; 114 } else { 115 sigtoproc(p, NULL, SIGKILL); 116 mutex_exit(&p->p_lock); 117 (void) cv_reltimedwait(&p->p_srwchan_cv, 118 &pidlock, hz, TR_CLOCK_TICK); 119 p = practive; 120 } 121 } else { 122 p = p->p_next; 123 } 124 } 125 mutex_exit(&pidlock); 126 } 127 128 int 129 kadmin(int cmd, int fcn, void *mdep, cred_t *credp) 130 { 131 int error = 0; 132 char *buf; 133 size_t buflen = 0; 134 boolean_t invoke_cb = B_FALSE; 135 136 /* 137 * We might be called directly by the kernel's fault-handling code, so 138 * we can't assert that the caller is in the global zone. 139 */ 140 141 /* 142 * Make sure that cmd is one of the valid <sys/uadmin.h> command codes 143 * and that we have appropriate privileges for this action. 144 */ 145 switch (cmd) { 146 case A_FTRACE: 147 case A_SHUTDOWN: 148 case A_REBOOT: 149 case A_REMOUNT: 150 case A_FREEZE: 151 case A_DUMP: 152 case A_SDTTEST: 153 case A_CONFIG: 154 if (secpolicy_sys_config(credp, B_FALSE) != 0) 155 return (EPERM); 156 break; 157 158 default: 159 return (EINVAL); 160 } 161 162 /* 163 * Serialize these operations on ualock. If it is held, the 164 * system should shutdown, reboot, or remount shortly, unless there is 165 * an error. We need a cv rather than just a mutex because proper 166 * functioning of A_REBOOT relies on being able to interrupt blocked 167 * userland callers. 168 * 169 * We only clear ua_shutdown_thread after A_REMOUNT or A_CONFIG. 170 * Other commands should never return. 171 */ 172 if (cmd == A_SHUTDOWN || cmd == A_REBOOT || cmd == A_REMOUNT || 173 cmd == A_CONFIG) { 174 mutex_enter(&ualock); 175 while (ua_shutdown_thread != NULL) { 176 if (cv_wait_sig(&uacond, &ualock) == 0) { 177 /* 178 * If we were interrupted, leave, and handle 179 * the signal (or exit, depending on what 180 * happened) 181 */ 182 mutex_exit(&ualock); 183 return (EINTR); 184 } 185 } 186 ua_shutdown_thread = curthread; 187 mutex_exit(&ualock); 188 } 189 190 switch (cmd) { 191 case A_SHUTDOWN: 192 { 193 proc_t *p = ttoproc(curthread); 194 195 /* 196 * Release (almost) all of our own resources if we are called 197 * from a user context, however if we are calling kadmin() from 198 * a kernel context then we do not release these resources. 199 */ 200 if (p != &p0) { 201 proc_is_exiting(p); 202 if ((error = exitlwps(0)) != 0) { 203 /* 204 * Another thread in this process also called 205 * exitlwps(). 206 */ 207 mutex_enter(&ualock); 208 ua_shutdown_thread = NULL; 209 cv_signal(&uacond); 210 mutex_exit(&ualock); 211 return (error); 212 } 213 mutex_enter(&p->p_lock); 214 p->p_flag |= SNOWAIT; 215 sigfillset(&p->p_ignore); 216 curthread->t_lwp->lwp_cursig = 0; 217 curthread->t_lwp->lwp_extsig = 0; 218 if (p->p_exec) { 219 vnode_t *exec_vp = p->p_exec; 220 p->p_exec = NULLVP; 221 mutex_exit(&p->p_lock); 222 VN_RELE(exec_vp); 223 } else { 224 mutex_exit(&p->p_lock); 225 } 226 227 pollcleanup(); 228 closeall(P_FINFO(curproc)); 229 relvm(); 230 231 } else { 232 /* 233 * Reset t_cred if not set because much of the 234 * filesystem code depends on CRED() being valid. 235 */ 236 if (curthread->t_cred == NULL) 237 curthread->t_cred = kcred; 238 } 239 240 /* indicate shutdown in progress */ 241 sys_shutdown = 1; 242 243 /* 244 * Communcate that init shouldn't be restarted. 245 */ 246 zone_shutdown_global(); 247 248 killall(ALL_ZONES, B_FALSE); 249 /* 250 * If we are calling kadmin() from a kernel context then we 251 * do not release these resources. 252 */ 253 if (ttoproc(curthread) != &p0) { 254 VN_RELE(PTOU(curproc)->u_cdir); 255 if (PTOU(curproc)->u_rdir) 256 VN_RELE(PTOU(curproc)->u_rdir); 257 if (PTOU(curproc)->u_cwd) 258 refstr_rele(PTOU(curproc)->u_cwd); 259 260 PTOU(curproc)->u_cdir = rootdir; 261 PTOU(curproc)->u_rdir = NULL; 262 PTOU(curproc)->u_cwd = NULL; 263 } 264 265 /* 266 * Allow the reboot/halt/poweroff code a chance to do 267 * anything it needs to whilst we still have filesystems 268 * mounted, like loading any modules necessary for later 269 * performing the actual poweroff. 270 */ 271 if ((mdep != NULL) && (*(char *)mdep == '/')) { 272 buf = i_convert_boot_device_name(mdep, NULL, &buflen); 273 mdpreboot(cmd, fcn, buf); 274 } else 275 mdpreboot(cmd, fcn, mdep); 276 277 /* 278 * Allow fsflush to finish running and then prevent it 279 * from ever running again so that vfs_unmountall() and 280 * vfs_syncall() can acquire the vfs locks they need. 281 */ 282 sema_p(&fsflush_sema); 283 (void) callb_execute_class(CB_CL_UADMIN_PRE_VFS, NULL); 284 285 vfs_unmountall(); 286 (void) VFS_MOUNTROOT(rootvfs, ROOT_UNMOUNT); 287 vfs_syncall(); 288 289 /* 290 * Check for (and unregister) any DDI periodic handlers that 291 * still exist, as they most likely constitute resource leaks: 292 */ 293 ddi_periodic_fini(); 294 295 dump_ereports(); 296 dump_messages(); 297 298 invoke_cb = B_TRUE; 299 300 /* FALLTHROUGH */ 301 } 302 303 case A_REBOOT: 304 if ((mdep != NULL) && (*(char *)mdep == '/')) { 305 buf = i_convert_boot_device_name(mdep, NULL, &buflen); 306 mdboot(cmd, fcn, buf, invoke_cb); 307 } else 308 mdboot(cmd, fcn, mdep, invoke_cb); 309 /* no return expected */ 310 break; 311 312 case A_CONFIG: 313 switch (fcn) { 314 case AD_UPDATE_BOOT_CONFIG: 315 #ifndef __sparc 316 { 317 extern void fastboot_update_config(const char *); 318 319 fastboot_update_config(mdep); 320 } 321 #endif 322 323 break; 324 } 325 /* Let other threads enter the shutdown path now */ 326 mutex_enter(&ualock); 327 ua_shutdown_thread = NULL; 328 cv_signal(&uacond); 329 mutex_exit(&ualock); 330 break; 331 332 case A_REMOUNT: 333 (void) VFS_MOUNTROOT(rootvfs, ROOT_REMOUNT); 334 /* Let other threads enter the shutdown path now */ 335 mutex_enter(&ualock); 336 ua_shutdown_thread = NULL; 337 cv_signal(&uacond); 338 mutex_exit(&ualock); 339 break; 340 341 case A_FREEZE: 342 { 343 /* 344 * This is the entrypoint for all suspend/resume actions. 345 */ 346 extern int cpr(int, void *); 347 348 if (modload("misc", "cpr") == -1) 349 return (ENOTSUP); 350 /* Let the CPR module decide what to do with mdep */ 351 error = cpr(fcn, mdep); 352 break; 353 } 354 355 case A_FTRACE: 356 { 357 switch (fcn) { 358 case AD_FTRACE_START: 359 (void) FTRACE_START(); 360 break; 361 case AD_FTRACE_STOP: 362 (void) FTRACE_STOP(); 363 break; 364 default: 365 error = EINVAL; 366 } 367 break; 368 } 369 370 case A_DUMP: 371 { 372 if (fcn == AD_NOSYNC) { 373 in_sync = 1; 374 break; 375 } 376 377 panic_bootfcn = fcn; 378 panic_forced = 1; 379 380 if ((mdep != NULL) && (*(char *)mdep == '/')) { 381 panic_bootstr = i_convert_boot_device_name(mdep, 382 NULL, &buflen); 383 } else 384 panic_bootstr = mdep; 385 386 #ifndef __sparc 387 extern void fastboot_update_and_load(int, char *); 388 389 fastboot_update_and_load(fcn, mdep); 390 #endif 391 392 panic("forced crash dump initiated at user request"); 393 /*NOTREACHED*/ 394 } 395 396 case A_SDTTEST: 397 { 398 DTRACE_PROBE7(test, int, 1, int, 2, int, 3, int, 4, int, 5, 399 int, 6, int, 7); 400 break; 401 } 402 403 default: 404 error = EINVAL; 405 } 406 407 return (error); 408 } 409 410 int 411 uadmin(int cmd, int fcn, uintptr_t mdep) 412 { 413 int error = 0, rv = 0; 414 size_t nbytes = 0; 415 cred_t *credp = CRED(); 416 char *bootargs = NULL; 417 int reset_status = 0; 418 419 if (cmd == A_SHUTDOWN && fcn == AD_FASTREBOOT_DRYRUN) { 420 ddi_walk_devs(ddi_root_node(), check_driver_quiesce, 421 &reset_status); 422 if (reset_status != 0) 423 return (EIO); 424 else 425 return (0); 426 } 427 428 /* 429 * The swapctl system call doesn't have its own entry point: it uses 430 * uadmin as a wrapper so we just call it directly from here. 431 */ 432 if (cmd == A_SWAPCTL) { 433 if (get_udatamodel() == DATAMODEL_NATIVE) 434 error = swapctl(fcn, (void *)mdep, &rv); 435 #if defined(_SYSCALL32_IMPL) 436 else 437 error = swapctl32(fcn, (void *)mdep, &rv); 438 #endif /* _SYSCALL32_IMPL */ 439 return (error ? set_errno(error) : rv); 440 } 441 442 /* 443 * Certain subcommands intepret a non-NULL mdep value as a pointer to 444 * a boot string. We pull that in as bootargs, if applicable. 445 */ 446 if (mdep != NULL && 447 (cmd == A_SHUTDOWN || cmd == A_REBOOT || cmd == A_DUMP || 448 cmd == A_FREEZE || cmd == A_CONFIG)) { 449 bootargs = kmem_zalloc(BOOTARGS_MAX, KM_SLEEP); 450 if ((error = copyinstr((const char *)mdep, bootargs, 451 BOOTARGS_MAX, &nbytes)) != 0) { 452 kmem_free(bootargs, BOOTARGS_MAX); 453 return (set_errno(error)); 454 } 455 } 456 457 /* 458 * Invoke the appropriate kadmin() routine. 459 */ 460 if (getzoneid() != GLOBAL_ZONEID) 461 error = zone_kadmin(cmd, fcn, bootargs, credp); 462 else 463 error = kadmin(cmd, fcn, bootargs, credp); 464 465 if (bootargs != NULL) 466 kmem_free(bootargs, BOOTARGS_MAX); 467 return (error ? set_errno(error) : 0); 468 }