1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
  24  */
  25 
  26 /*
  27  * System call I/F to doors (outside of vnodes I/F) and misc support
  28  * routines
  29  */
  30 #include <sys/types.h>
  31 #include <sys/systm.h>
  32 #include <sys/door.h>
  33 #include <sys/door_data.h>
  34 #include <sys/proc.h>
  35 #include <sys/thread.h>
  36 #include <sys/prsystm.h>
  37 #include <sys/procfs.h>
  38 #include <sys/class.h>
  39 #include <sys/cred.h>
  40 #include <sys/kmem.h>
  41 #include <sys/cmn_err.h>
  42 #include <sys/stack.h>
  43 #include <sys/debug.h>
  44 #include <sys/cpuvar.h>
  45 #include <sys/file.h>
  46 #include <sys/fcntl.h>
  47 #include <sys/vnode.h>
  48 #include <sys/vfs.h>
  49 #include <sys/vfs_opreg.h>
  50 #include <sys/sobject.h>
  51 #include <sys/schedctl.h>
  52 #include <sys/callb.h>
  53 #include <sys/ucred.h>
  54 
  55 #include <sys/mman.h>
  56 #include <sys/sysmacros.h>
  57 #include <sys/vmsystm.h>
  58 #include <vm/as.h>
  59 #include <vm/hat.h>
  60 #include <vm/page.h>
  61 #include <vm/seg.h>
  62 #include <vm/seg_vn.h>
  63 #include <vm/seg_vn.h>
  64 #include <vm/seg_kpm.h>
  65 
  66 #include <sys/modctl.h>
  67 #include <sys/syscall.h>
  68 #include <sys/pathname.h>
  69 #include <sys/rctl.h>
  70 
  71 /*
  72  * The maximum amount of data (in bytes) that will be transferred using
  73  * an intermediate kernel buffer.  For sizes greater than this we map
  74  * in the destination pages and perform a 1-copy transfer.
  75  */
  76 size_t  door_max_arg = 16 * 1024;
  77 
  78 /*
  79  * Maximum amount of data that will be transferred in a reply to a
  80  * door_upcall.  Need to guard against a process returning huge amounts
  81  * of data and getting the kernel stuck in kmem_alloc.
  82  */
  83 size_t  door_max_upcall_reply = 1024 * 1024;
  84 
  85 /*
  86  * Maximum number of descriptors allowed to be passed in a single
  87  * door_call or door_return.  We need to allocate kernel memory
  88  * for all of them at once, so we can't let it scale without limit.
  89  */
  90 uint_t door_max_desc = 1024;
  91 
  92 /*
  93  * Definition of a door handle, used by other kernel subsystems when
  94  * calling door functions.  This is really a file structure but we
  95  * want to hide that fact.
  96  */
  97 struct __door_handle {
  98         file_t dh_file;
  99 };
 100 
 101 #define DHTOF(dh) ((file_t *)(dh))
 102 #define FTODH(fp) ((door_handle_t)(fp))
 103 
 104 static int doorfs(long, long, long, long, long, long);
 105 
 106 static struct sysent door_sysent = {
 107         6,
 108         SE_ARGC | SE_NOUNLOAD,
 109         (int (*)())doorfs,
 110 };
 111 
 112 static struct modlsys modlsys = {
 113         &mod_syscallops, "doors", &door_sysent
 114 };
 115 
 116 #ifdef _SYSCALL32_IMPL
 117 
 118 static int
 119 doorfs32(int32_t arg1, int32_t arg2, int32_t arg3, int32_t arg4,
 120     int32_t arg5, int32_t subcode);
 121 
 122 static struct sysent door_sysent32 = {
 123         6,
 124         SE_ARGC | SE_NOUNLOAD,
 125         (int (*)())doorfs32,
 126 };
 127 
 128 static struct modlsys modlsys32 = {
 129         &mod_syscallops32,
 130         "32-bit door syscalls",
 131         &door_sysent32
 132 };
 133 #endif
 134 
 135 static struct modlinkage modlinkage = {
 136         MODREV_1,
 137         &modlsys,
 138 #ifdef _SYSCALL32_IMPL
 139         &modlsys32,
 140 #endif
 141         NULL
 142 };
 143 
 144 dev_t   doordev;
 145 
 146 extern  struct vfs door_vfs;
 147 extern  struct vnodeops *door_vnodeops;
 148 
 149 int
 150 _init(void)
 151 {
 152         static const fs_operation_def_t door_vfsops_template[] = {
 153                 NULL, NULL
 154         };
 155         extern const fs_operation_def_t door_vnodeops_template[];
 156         vfsops_t *door_vfsops;
 157         major_t major;
 158         int error;
 159 
 160         mutex_init(&door_knob, NULL, MUTEX_DEFAULT, NULL);
 161         if ((major = getudev()) == (major_t)-1)
 162                 return (ENXIO);
 163         doordev = makedevice(major, 0);
 164 
 165         /* Create a dummy vfs */
 166         error = vfs_makefsops(door_vfsops_template, &door_vfsops);
 167         if (error != 0) {
 168                 cmn_err(CE_WARN, "door init: bad vfs ops");
 169                 return (error);
 170         }
 171         VFS_INIT(&door_vfs, door_vfsops, NULL);
 172         door_vfs.vfs_flag = VFS_RDONLY;
 173         door_vfs.vfs_dev = doordev;
 174         vfs_make_fsid(&(door_vfs.vfs_fsid), doordev, 0);
 175 
 176         error = vn_make_ops("doorfs", door_vnodeops_template, &door_vnodeops);
 177         if (error != 0) {
 178                 vfs_freevfsops(door_vfsops);
 179                 cmn_err(CE_WARN, "door init: bad vnode ops");
 180                 return (error);
 181         }
 182         return (mod_install(&modlinkage));
 183 }
 184 
 185 int
 186 _info(struct modinfo *modinfop)
 187 {
 188         return (mod_info(&modlinkage, modinfop));
 189 }
 190 
 191 /* system call functions */
 192 static int door_call(int, void *);
 193 static int door_return(caddr_t, size_t, door_desc_t *, uint_t, caddr_t, size_t);
 194 static int door_create(void (*pc_cookie)(void *, char *, size_t, door_desc_t *,
 195     uint_t), void *data_cookie, uint_t);
 196 static int door_revoke(int);
 197 static int door_info(int, struct door_info *);
 198 static int door_ucred(struct ucred_s *);
 199 static int door_bind(int);
 200 static int door_unbind(void);
 201 static int door_unref(void);
 202 static int door_getparam(int, int, size_t *);
 203 static int door_setparam(int, int, size_t);
 204 
 205 #define DOOR_RETURN_OLD 4               /* historic value, for s10 */
 206 
 207 /*
 208  * System call wrapper for all door related system calls
 209  */
 210 static int
 211 doorfs(long arg1, long arg2, long arg3, long arg4, long arg5, long subcode)
 212 {
 213         switch (subcode) {
 214         case DOOR_CALL:
 215                 return (door_call(arg1, (void *)arg2));
 216         case DOOR_RETURN: {
 217                 door_return_desc_t *drdp = (door_return_desc_t *)arg3;
 218 
 219                 if (drdp != NULL) {
 220                         door_return_desc_t drd;
 221                         if (copyin(drdp, &drd, sizeof (drd)))
 222                                 return (EFAULT);
 223                         return (door_return((caddr_t)arg1, arg2, drd.desc_ptr,
 224                             drd.desc_num, (caddr_t)arg4, arg5));
 225                 }
 226                 return (door_return((caddr_t)arg1, arg2, NULL,
 227                     0, (caddr_t)arg4, arg5));
 228         }
 229         case DOOR_RETURN_OLD:
 230                 /*
 231                  * In order to support the S10 runtime environment, we
 232                  * still respond to the old syscall subcode for door_return.
 233                  * We treat it as having no stack limits.  This code should
 234                  * be removed when such support is no longer needed.
 235                  */
 236                 return (door_return((caddr_t)arg1, arg2, (door_desc_t *)arg3,
 237                     arg4, (caddr_t)arg5, 0));
 238         case DOOR_CREATE:
 239                 return (door_create((void (*)())arg1, (void *)arg2, arg3));
 240         case DOOR_REVOKE:
 241                 return (door_revoke(arg1));
 242         case DOOR_INFO:
 243                 return (door_info(arg1, (struct door_info *)arg2));
 244         case DOOR_BIND:
 245                 return (door_bind(arg1));
 246         case DOOR_UNBIND:
 247                 return (door_unbind());
 248         case DOOR_UNREFSYS:
 249                 return (door_unref());
 250         case DOOR_UCRED:
 251                 return (door_ucred((struct ucred_s *)arg1));
 252         case DOOR_GETPARAM:
 253                 return (door_getparam(arg1, arg2, (size_t *)arg3));
 254         case DOOR_SETPARAM:
 255                 return (door_setparam(arg1, arg2, arg3));
 256         default:
 257                 return (set_errno(EINVAL));
 258         }
 259 }
 260 
 261 #ifdef _SYSCALL32_IMPL
 262 /*
 263  * System call wrapper for all door related system calls from 32-bit programs.
 264  * Needed at the moment because of the casts - they undo some damage
 265  * that truss causes (sign-extending the stack pointer) when truss'ing
 266  * a 32-bit program using doors.
 267  */
 268 static int
 269 doorfs32(int32_t arg1, int32_t arg2, int32_t arg3,
 270     int32_t arg4, int32_t arg5, int32_t subcode)
 271 {
 272         switch (subcode) {
 273         case DOOR_CALL:
 274                 return (door_call(arg1, (void *)(uintptr_t)(caddr32_t)arg2));
 275         case DOOR_RETURN: {
 276                 door_return_desc32_t *drdp =
 277                     (door_return_desc32_t *)(uintptr_t)(caddr32_t)arg3;
 278                 if (drdp != NULL) {
 279                         door_return_desc32_t drd;
 280                         if (copyin(drdp, &drd, sizeof (drd)))
 281                                 return (EFAULT);
 282                         return (door_return(
 283                             (caddr_t)(uintptr_t)(caddr32_t)arg1, arg2,
 284                             (door_desc_t *)(uintptr_t)drd.desc_ptr,
 285                             drd.desc_num, (caddr_t)(uintptr_t)(caddr32_t)arg4,
 286                             (size_t)(uintptr_t)(size32_t)arg5));
 287                 }
 288                 return (door_return((caddr_t)(uintptr_t)(caddr32_t)arg1,
 289                     arg2, NULL, 0, (caddr_t)(uintptr_t)(caddr32_t)arg4,
 290                     (size_t)(uintptr_t)(size32_t)arg5));
 291         }
 292         case DOOR_RETURN_OLD:
 293                 /*
 294                  * In order to support the S10 runtime environment, we
 295                  * still respond to the old syscall subcode for door_return.
 296                  * We treat it as having no stack limits.  This code should
 297                  * be removed when such support is no longer needed.
 298                  */
 299                 return (door_return((caddr_t)(uintptr_t)(caddr32_t)arg1, arg2,
 300                     (door_desc_t *)(uintptr_t)(caddr32_t)arg3, arg4,
 301                     (caddr_t)(uintptr_t)(caddr32_t)arg5, 0));
 302         case DOOR_CREATE:
 303                 return (door_create((void (*)())(uintptr_t)(caddr32_t)arg1,
 304                     (void *)(uintptr_t)(caddr32_t)arg2, arg3));
 305         case DOOR_REVOKE:
 306                 return (door_revoke(arg1));
 307         case DOOR_INFO:
 308                 return (door_info(arg1,
 309                     (struct door_info *)(uintptr_t)(caddr32_t)arg2));
 310         case DOOR_BIND:
 311                 return (door_bind(arg1));
 312         case DOOR_UNBIND:
 313                 return (door_unbind());
 314         case DOOR_UNREFSYS:
 315                 return (door_unref());
 316         case DOOR_UCRED:
 317                 return (door_ucred(
 318                     (struct ucred_s *)(uintptr_t)(caddr32_t)arg1));
 319         case DOOR_GETPARAM:
 320                 return (door_getparam(arg1, arg2,
 321                     (size_t *)(uintptr_t)(caddr32_t)arg3));
 322         case DOOR_SETPARAM:
 323                 return (door_setparam(arg1, arg2, (size_t)(size32_t)arg3));
 324 
 325         default:
 326                 return (set_errno(EINVAL));
 327         }
 328 }
 329 #endif
 330 
 331 void shuttle_resume(kthread_t *, kmutex_t *);
 332 void shuttle_swtch(kmutex_t *);
 333 void shuttle_sleep(kthread_t *);
 334 
 335 /*
 336  * Support routines
 337  */
 338 static int door_create_common(void (*)(), void *, uint_t, int, int *,
 339     file_t **);
 340 static int door_overflow(kthread_t *, caddr_t, size_t, door_desc_t *, uint_t);
 341 static int door_args(kthread_t *, int);
 342 static int door_results(kthread_t *, caddr_t, size_t, door_desc_t *, uint_t);
 343 static int door_copy(struct as *, caddr_t, caddr_t, uint_t);
 344 static void     door_server_exit(proc_t *, kthread_t *);
 345 static void     door_release_server(door_node_t *, kthread_t *);
 346 static kthread_t        *door_get_server(door_node_t *);
 347 static door_node_t      *door_lookup(int, file_t **);
 348 static int      door_translate_in(void);
 349 static int      door_translate_out(void);
 350 static void     door_fd_rele(door_desc_t *, uint_t, int);
 351 static void     door_list_insert(door_node_t *);
 352 static void     door_info_common(door_node_t *, door_info_t *, file_t *);
 353 static int      door_release_fds(door_desc_t *, uint_t);
 354 static void     door_fd_close(door_desc_t *, uint_t);
 355 static void     door_fp_close(struct file **, uint_t);
 356 
 357 static door_data_t *
 358 door_my_data(int create_if_missing)
 359 {
 360         door_data_t *ddp;
 361 
 362         ddp = curthread->t_door;
 363         if (create_if_missing && ddp == NULL)
 364                 ddp = curthread->t_door = kmem_zalloc(sizeof (*ddp), KM_SLEEP);
 365 
 366         return (ddp);
 367 }
 368 
 369 static door_server_t *
 370 door_my_server(int create_if_missing)
 371 {
 372         door_data_t *ddp = door_my_data(create_if_missing);
 373 
 374         return ((ddp != NULL)? DOOR_SERVER(ddp) : NULL);
 375 }
 376 
 377 static door_client_t *
 378 door_my_client(int create_if_missing)
 379 {
 380         door_data_t *ddp = door_my_data(create_if_missing);
 381 
 382         return ((ddp != NULL)? DOOR_CLIENT(ddp) : NULL);
 383 }
 384 
 385 /*
 386  * System call to create a door
 387  */
 388 int
 389 door_create(void (*pc_cookie)(), void *data_cookie, uint_t attributes)
 390 {
 391         int fd;
 392         int err;
 393 
 394         if ((attributes & ~DOOR_CREATE_MASK) ||
 395             ((attributes & (DOOR_UNREF | DOOR_UNREF_MULTI)) ==
 396             (DOOR_UNREF | DOOR_UNREF_MULTI)))
 397                 return (set_errno(EINVAL));
 398 
 399         if ((err = door_create_common(pc_cookie, data_cookie, attributes, 0,
 400             &fd, NULL)) != 0)
 401                 return (set_errno(err));
 402 
 403         f_setfd(fd, FD_CLOEXEC);
 404         return (fd);
 405 }
 406 
 407 /*
 408  * Common code for creating user and kernel doors.  If a door was
 409  * created, stores a file structure pointer in the location pointed
 410  * to by fpp (if fpp is non-NULL) and returns 0.  Also, if a non-NULL
 411  * pointer to a file descriptor is passed in as fdp, allocates a file
 412  * descriptor representing the door.  If a door could not be created,
 413  * returns an error.
 414  */
 415 static int
 416 door_create_common(void (*pc_cookie)(), void *data_cookie, uint_t attributes,
 417     int from_kernel, int *fdp, file_t **fpp)
 418 {
 419         door_node_t     *dp;
 420         vnode_t         *vp;
 421         struct file     *fp;
 422         static door_id_t index = 0;
 423         proc_t          *p = (from_kernel)? &p0 : curproc;
 424 
 425         dp = kmem_zalloc(sizeof (door_node_t), KM_SLEEP);
 426 
 427         dp->door_vnode = vn_alloc(KM_SLEEP);
 428         dp->door_target = p;
 429         dp->door_data = data_cookie;
 430         dp->door_pc = pc_cookie;
 431         dp->door_flags = attributes;
 432 #ifdef _SYSCALL32_IMPL
 433         if (!from_kernel && get_udatamodel() != DATAMODEL_NATIVE)
 434                 dp->door_data_max = UINT32_MAX;
 435         else
 436 #endif
 437                 dp->door_data_max = SIZE_MAX;
 438         dp->door_data_min = 0UL;
 439         dp->door_desc_max = (attributes & DOOR_REFUSE_DESC)? 0 : INT_MAX;
 440 
 441         vp = DTOV(dp);
 442         vn_setops(vp, door_vnodeops);
 443         vp->v_type = VDOOR;
 444         vp->v_vfsp = &door_vfs;
 445         vp->v_data = (caddr_t)dp;
 446         mutex_enter(&door_knob);
 447         dp->door_index = index++;
 448         /* add to per-process door list */
 449         door_list_insert(dp);
 450         mutex_exit(&door_knob);
 451 
 452         if (falloc(vp, FREAD | FWRITE, &fp, fdp)) {
 453                 /*
 454                  * If the file table is full, remove the door from the
 455                  * per-process list, free the door, and return NULL.
 456                  */
 457                 mutex_enter(&door_knob);
 458                 door_list_delete(dp);
 459                 mutex_exit(&door_knob);
 460                 vn_free(vp);
 461                 kmem_free(dp, sizeof (door_node_t));
 462                 return (EMFILE);
 463         }
 464         vn_exists(vp);
 465         if (fdp != NULL)
 466                 setf(*fdp, fp);
 467         mutex_exit(&fp->f_tlock);
 468 
 469         if (fpp != NULL)
 470                 *fpp = fp;
 471         return (0);
 472 }
 473 
 474 static int
 475 door_check_limits(door_node_t *dp, door_arg_t *da, int upcall)
 476 {
 477         ASSERT(MUTEX_HELD(&door_knob));
 478 
 479         /* we allow unref upcalls through, despite any minimum */
 480         if (da->data_size < dp->door_data_min &&
 481             !(upcall && da->data_ptr == DOOR_UNREF_DATA))
 482                 return (ENOBUFS);
 483 
 484         if (da->data_size > dp->door_data_max)
 485                 return (ENOBUFS);
 486 
 487         if (da->desc_num > 0 && (dp->door_flags & DOOR_REFUSE_DESC))
 488                 return (ENOTSUP);
 489 
 490         if (da->desc_num > dp->door_desc_max)
 491                 return (ENFILE);
 492 
 493         return (0);
 494 }
 495 
 496 /*
 497  * Door invocation.
 498  */
 499 int
 500 door_call(int did, void *args)
 501 {
 502         /* Locals */
 503         door_node_t     *dp;
 504         kthread_t       *server_thread;
 505         int             error = 0;
 506         klwp_t          *lwp;
 507         door_client_t   *ct;            /* curthread door_data */
 508         door_server_t   *st;            /* server thread door_data */
 509         door_desc_t     *start = NULL;
 510         uint_t          ncopied = 0;
 511         size_t          dsize;
 512         /* destructor for data returned by a kernel server */
 513         void            (*destfn)() = NULL;
 514         void            *destarg;
 515         model_t         datamodel;
 516         int             gotresults = 0;
 517         int             needcleanup = 0;
 518         int             cancel_pending;
 519 
 520         lwp = ttolwp(curthread);
 521         datamodel = lwp_getdatamodel(lwp);
 522 
 523         ct = door_my_client(1);
 524 
 525         /*
 526          * Get the arguments
 527          */
 528         if (args) {
 529                 if (datamodel == DATAMODEL_NATIVE) {
 530                         if (copyin(args, &ct->d_args, sizeof (door_arg_t)) != 0)
 531                                 return (set_errno(EFAULT));
 532                 } else {
 533                         door_arg32_t    da32;
 534 
 535                         if (copyin(args, &da32, sizeof (door_arg32_t)) != 0)
 536                                 return (set_errno(EFAULT));
 537                         ct->d_args.data_ptr =
 538                             (char *)(uintptr_t)da32.data_ptr;
 539                         ct->d_args.data_size = da32.data_size;
 540                         ct->d_args.desc_ptr =
 541                             (door_desc_t *)(uintptr_t)da32.desc_ptr;
 542                         ct->d_args.desc_num = da32.desc_num;
 543                         ct->d_args.rbuf =
 544                             (char *)(uintptr_t)da32.rbuf;
 545                         ct->d_args.rsize = da32.rsize;
 546                 }
 547         } else {
 548                 /* No arguments, and no results allowed */
 549                 ct->d_noresults = 1;
 550                 ct->d_args.data_size = 0;
 551                 ct->d_args.desc_num = 0;
 552                 ct->d_args.rsize = 0;
 553         }
 554 
 555         if ((dp = door_lookup(did, NULL)) == NULL)
 556                 return (set_errno(EBADF));
 557 
 558         /*
 559          * We don't want to hold the door FD over the entire operation;
 560          * instead, we put a hold on the door vnode and release the FD
 561          * immediately
 562          */
 563         VN_HOLD(DTOV(dp));
 564         releasef(did);
 565 
 566         /*
 567          * This should be done in shuttle_resume(), just before going to
 568          * sleep, but we want to avoid overhead while holding door_knob.
 569          * prstop() is just a no-op if we don't really go to sleep.
 570          * We test not-kernel-address-space for the sake of clustering code.
 571          */
 572         if (lwp && lwp->lwp_nostop == 0 && curproc->p_as != &kas)
 573                 prstop(PR_REQUESTED, 0);
 574 
 575         mutex_enter(&door_knob);
 576         if (DOOR_INVALID(dp)) {
 577                 mutex_exit(&door_knob);
 578                 error = EBADF;
 579                 goto out;
 580         }
 581 
 582         /*
 583          * before we do anything, check that we are not overflowing the
 584          * required limits.
 585          */
 586         error = door_check_limits(dp, &ct->d_args, 0);
 587         if (error != 0) {
 588                 mutex_exit(&door_knob);
 589                 goto out;
 590         }
 591 
 592         /*
 593          * Check for in-kernel door server.
 594          */
 595         if (dp->door_target == &p0) {
 596                 caddr_t rbuf = ct->d_args.rbuf;
 597                 size_t rsize = ct->d_args.rsize;
 598 
 599                 dp->door_active++;
 600                 ct->d_kernel = 1;
 601                 ct->d_error = DOOR_WAIT;
 602                 mutex_exit(&door_knob);
 603                 /* translate file descriptors to vnodes */
 604                 if (ct->d_args.desc_num) {
 605                         error = door_translate_in();
 606                         if (error)
 607                                 goto out;
 608                 }
 609                 /*
 610                  * Call kernel door server.  Arguments are passed and
 611                  * returned as a door_arg pointer.  When called, data_ptr
 612                  * points to user data and desc_ptr points to a kernel list
 613                  * of door descriptors that have been converted to file
 614                  * structure pointers.  It's the server function's
 615                  * responsibility to copyin the data pointed to by data_ptr
 616                  * (this avoids extra copying in some cases).  On return,
 617                  * data_ptr points to a user buffer of data, and desc_ptr
 618                  * points to a kernel list of door descriptors representing
 619                  * files.  When a reference is passed to a kernel server,
 620                  * it is the server's responsibility to release the reference
 621                  * (by calling closef).  When the server includes a
 622                  * reference in its reply, it is released as part of the
 623                  * the call (the server must duplicate the reference if
 624                  * it wants to retain a copy).  The destfn, if set to
 625                  * non-NULL, is a destructor to be called when the returned
 626                  * kernel data (if any) is no longer needed (has all been
 627                  * translated and copied to user level).
 628                  */
 629                 (*(dp->door_pc))(dp->door_data, &ct->d_args,
 630                     &destfn, &destarg, &error);
 631                 mutex_enter(&door_knob);
 632                 /* not implemented yet */
 633                 if (--dp->door_active == 0 && (dp->door_flags & DOOR_DELAY))
 634                         door_deliver_unref(dp);
 635                 mutex_exit(&door_knob);
 636                 if (error)
 637                         goto out;
 638 
 639                 /* translate vnodes to files */
 640                 if (ct->d_args.desc_num) {
 641                         error = door_translate_out();
 642                         if (error)
 643                                 goto out;
 644                 }
 645                 ct->d_buf = ct->d_args.rbuf;
 646                 ct->d_bufsize = ct->d_args.rsize;
 647                 if (rsize < (ct->d_args.data_size +
 648                     (ct->d_args.desc_num * sizeof (door_desc_t)))) {
 649                         /* handle overflow */
 650                         error = door_overflow(curthread, ct->d_args.data_ptr,
 651                             ct->d_args.data_size, ct->d_args.desc_ptr,
 652                             ct->d_args.desc_num);
 653                         if (error)
 654                                 goto out;
 655                         /* door_overflow sets d_args rbuf and rsize */
 656                 } else {
 657                         ct->d_args.rbuf = rbuf;
 658                         ct->d_args.rsize = rsize;
 659                 }
 660                 goto results;
 661         }
 662 
 663         /*
 664          * Get a server thread from the target domain
 665          */
 666         if ((server_thread = door_get_server(dp)) == NULL) {
 667                 if (DOOR_INVALID(dp))
 668                         error = EBADF;
 669                 else
 670                         error = EAGAIN;
 671                 mutex_exit(&door_knob);
 672                 goto out;
 673         }
 674 
 675         st = DOOR_SERVER(server_thread->t_door);
 676         if (ct->d_args.desc_num || ct->d_args.data_size) {
 677                 int is_private = (dp->door_flags & DOOR_PRIVATE);
 678                 /*
 679                  * Move data from client to server
 680                  */
 681                 DOOR_T_HOLD(st);
 682                 mutex_exit(&door_knob);
 683                 error = door_args(server_thread, is_private);
 684                 mutex_enter(&door_knob);
 685                 DOOR_T_RELEASE(st);
 686                 if (error) {
 687                         /*
 688                          * We're not going to resume this thread after all
 689                          */
 690                         door_release_server(dp, server_thread);
 691                         shuttle_sleep(server_thread);
 692                         mutex_exit(&door_knob);
 693                         goto out;
 694                 }
 695         }
 696 
 697         dp->door_active++;
 698         ct->d_error = DOOR_WAIT;
 699         ct->d_args_done = 0;
 700         st->d_caller = curthread;
 701         st->d_active = dp;
 702 
 703         shuttle_resume(server_thread, &door_knob);
 704 
 705         mutex_enter(&door_knob);
 706 shuttle_return:
 707         if ((error = ct->d_error) < 0) {  /* DOOR_WAIT or DOOR_EXIT */
 708                 /*
 709                  * Premature wakeup. Find out why (stop, forkall, sig, exit ...)
 710                  */
 711                 mutex_exit(&door_knob);             /* May block in ISSIG */
 712                 cancel_pending = 0;
 713                 if (ISSIG(curthread, FORREAL) || lwp->lwp_sysabort ||
 714                     MUSTRETURN(curproc, curthread) ||
 715                     (cancel_pending = schedctl_cancel_pending()) != 0) {
 716                         /* Signal, forkall, ... */
 717                         lwp->lwp_sysabort = 0;
 718                         if (cancel_pending)
 719                                 schedctl_cancel_eintr();
 720                         mutex_enter(&door_knob);
 721                         error = EINTR;
 722                         /*
 723                          * If the server has finished processing our call,
 724                          * or exited (calling door_slam()), then d_error
 725                          * will have changed.  If the server hasn't finished
 726                          * yet, d_error will still be DOOR_WAIT, and we
 727                          * let it know we are not interested in any
 728                          * results by sending a SIGCANCEL, unless the door
 729                          * is marked with DOOR_NO_CANCEL.
 730                          */
 731                         if (ct->d_error == DOOR_WAIT &&
 732                             st->d_caller == curthread) {
 733                                 proc_t  *p = ttoproc(server_thread);
 734 
 735                                 st->d_active = NULL;
 736                                 st->d_caller = NULL;
 737 
 738                                 if (!(dp->door_flags & DOOR_NO_CANCEL)) {
 739                                         DOOR_T_HOLD(st);
 740                                         mutex_exit(&door_knob);
 741 
 742                                         mutex_enter(&p->p_lock);
 743                                         sigtoproc(p, server_thread, SIGCANCEL);
 744                                         mutex_exit(&p->p_lock);
 745 
 746                                         mutex_enter(&door_knob);
 747                                         DOOR_T_RELEASE(st);
 748                                 }
 749                         }
 750                 } else {
 751                         /*
 752                          * Return from stop(), server exit...
 753                          *
 754                          * Note that the server could have done a
 755                          * door_return while the client was in stop state
 756                          * (ISSIG), in which case the error condition
 757                          * is updated by the server.
 758                          */
 759                         mutex_enter(&door_knob);
 760                         if (ct->d_error == DOOR_WAIT) {
 761                                 /* Still waiting for a reply */
 762                                 shuttle_swtch(&door_knob);
 763                                 mutex_enter(&door_knob);
 764                                 lwp->lwp_asleep = 0;
 765                                 goto    shuttle_return;
 766                         } else if (ct->d_error == DOOR_EXIT) {
 767                                 /* Server exit */
 768                                 error = EINTR;
 769                         } else {
 770                                 /* Server did a door_return during ISSIG */
 771                                 error = ct->d_error;
 772                         }
 773                 }
 774                 /*
 775                  * Can't exit if the server is currently copying
 776                  * results for me.
 777                  */
 778                 while (DOOR_T_HELD(ct))
 779                         cv_wait(&ct->d_cv, &door_knob);
 780 
 781                 /*
 782                  * If the server has not processed our message, free the
 783                  * descriptors.
 784                  */
 785                 if (!ct->d_args_done) {
 786                         needcleanup = 1;
 787                         ct->d_args_done = 1;
 788                 }
 789 
 790                 /*
 791                  * Find out if results were successfully copied.
 792                  */
 793                 if (ct->d_error == 0)
 794                         gotresults = 1;
 795         }
 796         ASSERT(ct->d_args_done);
 797         lwp->lwp_asleep = 0;         /* /proc */
 798         lwp->lwp_sysabort = 0;               /* /proc */
 799         if (--dp->door_active == 0 && (dp->door_flags & DOOR_DELAY))
 800                 door_deliver_unref(dp);
 801         mutex_exit(&door_knob);
 802 
 803         if (needcleanup)
 804                 door_fp_close(ct->d_fpp, ct->d_args.desc_num);
 805 
 806 results:
 807         /*
 808          * Move the results to userland (if any)
 809          */
 810 
 811         if (ct->d_noresults)
 812                 goto out;
 813 
 814         if (error) {
 815                 /*
 816                  * If server returned results successfully, then we've
 817                  * been interrupted and may need to clean up.
 818                  */
 819                 if (gotresults) {
 820                         ASSERT(error == EINTR);
 821                         door_fp_close(ct->d_fpp, ct->d_args.desc_num);
 822                 }
 823                 goto out;
 824         }
 825 
 826         /*
 827          * Copy back data if we haven't caused an overflow (already
 828          * handled) and we are using a 2 copy transfer, or we are
 829          * returning data from a kernel server.
 830          */
 831         if (ct->d_args.data_size) {
 832                 ct->d_args.data_ptr = ct->d_args.rbuf;
 833                 if (ct->d_kernel || (!ct->d_overflow &&
 834                     ct->d_args.data_size <= door_max_arg)) {
 835                         if (copyout_nowatch(ct->d_buf, ct->d_args.rbuf,
 836                             ct->d_args.data_size)) {
 837                                 door_fp_close(ct->d_fpp, ct->d_args.desc_num);
 838                                 error = EFAULT;
 839                                 goto out;
 840                         }
 841                 }
 842         }
 843 
 844         /*
 845          * stuff returned doors into our proc, copyout the descriptors
 846          */
 847         if (ct->d_args.desc_num) {
 848                 struct file     **fpp;
 849                 door_desc_t     *didpp;
 850                 uint_t          n = ct->d_args.desc_num;
 851 
 852                 dsize = n * sizeof (door_desc_t);
 853                 start = didpp = kmem_alloc(dsize, KM_SLEEP);
 854                 fpp = ct->d_fpp;
 855 
 856                 while (n--) {
 857                         if (door_insert(*fpp, didpp) == -1) {
 858                                 /* Close remaining files */
 859                                 door_fp_close(fpp, n + 1);
 860                                 error = EMFILE;
 861                                 goto out;
 862                         }
 863                         fpp++; didpp++; ncopied++;
 864                 }
 865 
 866                 ct->d_args.desc_ptr = (door_desc_t *)(ct->d_args.rbuf +
 867                     roundup(ct->d_args.data_size, sizeof (door_desc_t)));
 868 
 869                 if (copyout_nowatch(start, ct->d_args.desc_ptr, dsize)) {
 870                         error = EFAULT;
 871                         goto out;
 872                 }
 873         }
 874 
 875         /*
 876          * Return the results
 877          */
 878         if (datamodel == DATAMODEL_NATIVE) {
 879                 if (copyout_nowatch(&ct->d_args, args,
 880                     sizeof (door_arg_t)) != 0)
 881                         error = EFAULT;
 882         } else {
 883                 door_arg32_t    da32;
 884 
 885                 da32.data_ptr = (caddr32_t)(uintptr_t)ct->d_args.data_ptr;
 886                 da32.data_size = ct->d_args.data_size;
 887                 da32.desc_ptr = (caddr32_t)(uintptr_t)ct->d_args.desc_ptr;
 888                 da32.desc_num = ct->d_args.desc_num;
 889                 da32.rbuf = (caddr32_t)(uintptr_t)ct->d_args.rbuf;
 890                 da32.rsize = ct->d_args.rsize;
 891                 if (copyout_nowatch(&da32, args, sizeof (door_arg32_t)) != 0) {
 892                         error = EFAULT;
 893                 }
 894         }
 895 
 896 out:
 897         ct->d_noresults = 0;
 898 
 899         /* clean up the overflow buffer if an error occurred */
 900         if (error != 0 && ct->d_overflow) {
 901                 (void) as_unmap(curproc->p_as, ct->d_args.rbuf,
 902                     ct->d_args.rsize);
 903         }
 904         ct->d_overflow = 0;
 905 
 906         /* call destructor */
 907         if (destfn) {
 908                 ASSERT(ct->d_kernel);
 909                 (*destfn)(dp->door_data, destarg);
 910                 ct->d_buf = NULL;
 911                 ct->d_bufsize = 0;
 912         }
 913 
 914         if (dp)
 915                 VN_RELE(DTOV(dp));
 916 
 917         if (ct->d_buf) {
 918                 ASSERT(!ct->d_kernel);
 919                 kmem_free(ct->d_buf, ct->d_bufsize);
 920                 ct->d_buf = NULL;
 921                 ct->d_bufsize = 0;
 922         }
 923         ct->d_kernel = 0;
 924 
 925         /* clean up the descriptor copyout buffer */
 926         if (start != NULL) {
 927                 if (error != 0)
 928                         door_fd_close(start, ncopied);
 929                 kmem_free(start, dsize);
 930         }
 931 
 932         if (ct->d_fpp) {
 933                 kmem_free(ct->d_fpp, ct->d_fpp_size);
 934                 ct->d_fpp = NULL;
 935                 ct->d_fpp_size = 0;
 936         }
 937 
 938         if (error)
 939                 return (set_errno(error));
 940 
 941         return (0);
 942 }
 943 
 944 static int
 945 door_setparam_common(door_node_t *dp, int from_kernel, int type, size_t val)
 946 {
 947         int error = 0;
 948 
 949         mutex_enter(&door_knob);
 950 
 951         if (DOOR_INVALID(dp)) {
 952                 mutex_exit(&door_knob);
 953                 return (EBADF);
 954         }
 955 
 956         /*
 957          * door_ki_setparam() can only affect kernel doors.
 958          * door_setparam() can only affect doors attached to the current
 959          * process.
 960          */
 961         if ((from_kernel && dp->door_target != &p0) ||
 962             (!from_kernel && dp->door_target != curproc)) {
 963                 mutex_exit(&door_knob);
 964                 return (EPERM);
 965         }
 966 
 967         switch (type) {
 968         case DOOR_PARAM_DESC_MAX:
 969                 if (val > INT_MAX)
 970                         error = ERANGE;
 971                 else if ((dp->door_flags & DOOR_REFUSE_DESC) && val != 0)
 972                         error = ENOTSUP;
 973                 else
 974                         dp->door_desc_max = (uint_t)val;
 975                 break;
 976 
 977         case DOOR_PARAM_DATA_MIN:
 978                 if (val > dp->door_data_max)
 979                         error = EINVAL;
 980                 else
 981                         dp->door_data_min = val;
 982                 break;
 983 
 984         case DOOR_PARAM_DATA_MAX:
 985                 if (val < dp->door_data_min)
 986                         error = EINVAL;
 987                 else
 988                         dp->door_data_max = val;
 989                 break;
 990 
 991         default:
 992                 error = EINVAL;
 993                 break;
 994         }
 995 
 996         mutex_exit(&door_knob);
 997         return (error);
 998 }
 999 
1000 static int
1001 door_getparam_common(door_node_t *dp, int type, size_t *out)
1002 {
1003         int error = 0;
1004 
1005         mutex_enter(&door_knob);
1006         switch (type) {
1007         case DOOR_PARAM_DESC_MAX:
1008                 *out = (size_t)dp->door_desc_max;
1009                 break;
1010         case DOOR_PARAM_DATA_MIN:
1011                 *out = dp->door_data_min;
1012                 break;
1013         case DOOR_PARAM_DATA_MAX:
1014                 *out = dp->door_data_max;
1015                 break;
1016         default:
1017                 error = EINVAL;
1018                 break;
1019         }
1020         mutex_exit(&door_knob);
1021         return (error);
1022 }
1023 
1024 int
1025 door_setparam(int did, int type, size_t val)
1026 {
1027         door_node_t *dp;
1028         int error = 0;
1029 
1030         if ((dp = door_lookup(did, NULL)) == NULL)
1031                 return (set_errno(EBADF));
1032 
1033         error = door_setparam_common(dp, 0, type, val);
1034 
1035         releasef(did);
1036 
1037         if (error)
1038                 return (set_errno(error));
1039 
1040         return (0);
1041 }
1042 
1043 int
1044 door_getparam(int did, int type, size_t *out)
1045 {
1046         door_node_t *dp;
1047         size_t val = 0;
1048         int error = 0;
1049 
1050         if ((dp = door_lookup(did, NULL)) == NULL)
1051                 return (set_errno(EBADF));
1052 
1053         error = door_getparam_common(dp, type, &val);
1054 
1055         releasef(did);
1056 
1057         if (error)
1058                 return (set_errno(error));
1059 
1060         if (get_udatamodel() == DATAMODEL_NATIVE) {
1061                 if (copyout(&val, out, sizeof (val)))
1062                         return (set_errno(EFAULT));
1063 #ifdef _SYSCALL32_IMPL
1064         } else {
1065                 size32_t val32 = (size32_t)val;
1066 
1067                 if (val != val32)
1068                         return (set_errno(EOVERFLOW));
1069 
1070                 if (copyout(&val32, out, sizeof (val32)))
1071                         return (set_errno(EFAULT));
1072 #endif /* _SYSCALL32_IMPL */
1073         }
1074 
1075         return (0);
1076 }
1077 
1078 /*
1079  * A copyout() which proceeds from high addresses to low addresses.  This way,
1080  * stack guard pages are effective.
1081  *
1082  * Note that we use copyout_nowatch();  this is called while the client is
1083  * held.
1084  */
1085 static int
1086 door_stack_copyout(const void *kaddr, void *uaddr, size_t count)
1087 {
1088         const char *kbase = (const char *)kaddr;
1089         uintptr_t ubase = (uintptr_t)uaddr;
1090         size_t pgsize = PAGESIZE;
1091 
1092         if (count <= pgsize)
1093                 return (copyout_nowatch(kaddr, uaddr, count));
1094 
1095         while (count > 0) {
1096                 uintptr_t start, end, offset, amount;
1097 
1098                 end = ubase + count;
1099                 start = P2ALIGN(end - 1, pgsize);
1100                 if (P2ALIGN(ubase, pgsize) == start)
1101                         start = ubase;
1102 
1103                 offset = start - ubase;
1104                 amount = end - start;
1105 
1106                 ASSERT(amount > 0 && amount <= count && amount <= pgsize);
1107 
1108                 if (copyout_nowatch(kbase + offset, (void *)start, amount))
1109                         return (1);
1110                 count -= amount;
1111         }
1112         return (0);
1113 }
1114 
1115 /*
1116  * Writes the stack layout for door_return() into the door_server_t of the
1117  * server thread.
1118  */
1119 static int
1120 door_layout(kthread_t *tp, size_t data_size, uint_t ndesc, int info_needed)
1121 {
1122         door_server_t *st = DOOR_SERVER(tp->t_door);
1123         door_layout_t *out = &st->d_layout;
1124         uintptr_t base_sp = (uintptr_t)st->d_sp;
1125         size_t ssize = st->d_ssize;
1126         size_t descsz;
1127         uintptr_t descp, datap, infop, resultsp, finalsp;
1128         size_t align = STACK_ALIGN;
1129         size_t results_sz = sizeof (struct door_results);
1130         model_t datamodel = lwp_getdatamodel(ttolwp(tp));
1131 
1132         ASSERT(!st->d_layout_done);
1133 
1134 #ifndef _STACK_GROWS_DOWNWARD
1135 #error stack does not grow downward, door_layout() must change
1136 #endif
1137 
1138 #ifdef _SYSCALL32_IMPL
1139         if (datamodel != DATAMODEL_NATIVE) {
1140                 align = STACK_ALIGN32;
1141                 results_sz = sizeof (struct door_results32);
1142         }
1143 #endif
1144 
1145         descsz = ndesc * sizeof (door_desc_t);
1146 
1147         /*
1148          * To speed up the overflow checking, we do an initial check
1149          * that the passed in data size won't cause us to wrap past
1150          * base_sp.  Since door_max_desc limits descsz, we can
1151          * safely use it here.  65535 is an arbitrary 'bigger than
1152          * we need, small enough to not cause trouble' constant;
1153          * the only constraint is that it must be > than:
1154          *
1155          *      5 * STACK_ALIGN +
1156          *          sizeof (door_info_t) +
1157          *          sizeof (door_results_t) +
1158          *          (max adjustment from door_final_sp())
1159          *
1160          * After we compute the layout, we can safely do a "did we wrap
1161          * around" check, followed by a check against the recorded
1162          * stack size.
1163          */
1164         if (data_size >= SIZE_MAX - (size_t)65535UL - descsz)
1165                 return (E2BIG);         /* overflow */
1166 
1167         descp = P2ALIGN(base_sp - descsz, align);
1168         datap = P2ALIGN(descp - data_size, align);
1169 
1170         if (info_needed)
1171                 infop = P2ALIGN(datap - sizeof (door_info_t), align);
1172         else
1173                 infop = datap;
1174 
1175         resultsp = P2ALIGN(infop - results_sz, align);
1176         finalsp = door_final_sp(resultsp, align, datamodel);
1177 
1178         if (finalsp > base_sp)
1179                 return (E2BIG);         /* overflow */
1180 
1181         if (ssize != 0 && (base_sp - finalsp) > ssize)
1182                 return (E2BIG);         /* doesn't fit in stack */
1183 
1184         out->dl_descp = (ndesc != 0)? (caddr_t)descp : 0;
1185         out->dl_datap = (data_size != 0)? (caddr_t)datap : 0;
1186         out->dl_infop = info_needed? (caddr_t)infop : 0;
1187         out->dl_resultsp = (caddr_t)resultsp;
1188         out->dl_sp = (caddr_t)finalsp;
1189 
1190         st->d_layout_done = 1;
1191         return (0);
1192 }
1193 
1194 static int
1195 door_server_dispatch(door_client_t *ct, door_node_t *dp)
1196 {
1197         door_server_t *st = DOOR_SERVER(curthread->t_door);
1198         door_layout_t *layout = &st->d_layout;
1199         int error = 0;
1200 
1201         int is_private = (dp->door_flags & DOOR_PRIVATE);
1202 
1203         door_pool_t *pool = (is_private)? &dp->door_servers :
1204             &curproc->p_server_threads;
1205 
1206         int empty_pool = (pool->dp_threads == NULL);
1207 
1208         caddr_t infop = NULL;
1209         char *datap = NULL;
1210         size_t datasize = 0;
1211         size_t descsize;
1212 
1213         file_t **fpp = ct->d_fpp;
1214         door_desc_t *start = NULL;
1215         uint_t ndesc = 0;
1216         uint_t ncopied = 0;
1217 
1218         if (ct != NULL) {
1219                 datap = ct->d_args.data_ptr;
1220                 datasize = ct->d_args.data_size;
1221                 ndesc = ct->d_args.desc_num;
1222         }
1223 
1224         descsize = ndesc * sizeof (door_desc_t);
1225 
1226         /*
1227          * Reset datap to NULL if we aren't passing any data.  Be careful
1228          * to let unref notifications through, though.
1229          */
1230         if (datap == DOOR_UNREF_DATA) {
1231                 if (ct->d_upcall != NULL)
1232                         datasize = 0;
1233                 else
1234                         datap = NULL;
1235         } else if (datasize == 0) {
1236                 datap = NULL;
1237         }
1238 
1239         /*
1240          * Get the stack layout, if it hasn't already been done.
1241          */
1242         if (!st->d_layout_done) {
1243                 error = door_layout(curthread, datasize, ndesc,
1244                     (is_private && empty_pool));
1245                 if (error != 0)
1246                         goto fail;
1247         }
1248 
1249         /*
1250          * fill out the stack, starting from the top.  Layout was already
1251          * filled in by door_args() or door_translate_out().
1252          */
1253         if (layout->dl_descp != NULL) {
1254                 ASSERT(ndesc != 0);
1255                 start = kmem_alloc(descsize, KM_SLEEP);
1256 
1257                 while (ndesc > 0) {
1258                         if (door_insert(*fpp, &start[ncopied]) == -1) {
1259                                 error = EMFILE;
1260                                 goto fail;
1261                         }
1262                         ndesc--;
1263                         ncopied++;
1264                         fpp++;
1265                 }
1266                 if (door_stack_copyout(start, layout->dl_descp, descsize)) {
1267                         error = E2BIG;
1268                         goto fail;
1269                 }
1270         }
1271         fpp = NULL;                     /* finished processing */
1272 
1273         if (layout->dl_datap != NULL) {
1274                 ASSERT(datasize != 0);
1275                 datap = layout->dl_datap;
1276                 if (ct->d_upcall != NULL || datasize <= door_max_arg) {
1277                         if (door_stack_copyout(ct->d_buf, datap, datasize)) {
1278                                 error = E2BIG;
1279                                 goto fail;
1280                         }
1281                 }
1282         }
1283 
1284         if (is_private && empty_pool) {
1285                 door_info_t di;
1286 
1287                 infop = layout->dl_infop;
1288                 ASSERT(infop != NULL);
1289 
1290                 di.di_target = curproc->p_pid;
1291                 di.di_proc = (door_ptr_t)(uintptr_t)dp->door_pc;
1292                 di.di_data = (door_ptr_t)(uintptr_t)dp->door_data;
1293                 di.di_uniquifier = dp->door_index;
1294                 di.di_attributes = (dp->door_flags & DOOR_ATTR_MASK) |
1295                     DOOR_LOCAL;
1296 
1297                 if (door_stack_copyout(&di, infop, sizeof (di))) {
1298                         error = E2BIG;
1299                         goto fail;
1300                 }
1301         }
1302 
1303         if (get_udatamodel() == DATAMODEL_NATIVE) {
1304                 struct door_results dr;
1305 
1306                 dr.cookie = dp->door_data;
1307                 dr.data_ptr = datap;
1308                 dr.data_size = datasize;
1309                 dr.desc_ptr = (door_desc_t *)layout->dl_descp;
1310                 dr.desc_num = ncopied;
1311                 dr.pc = dp->door_pc;
1312                 dr.nservers = !empty_pool;
1313                 dr.door_info = (door_info_t *)infop;
1314 
1315                 if (door_stack_copyout(&dr, layout->dl_resultsp, sizeof (dr))) {
1316                         error = E2BIG;
1317                         goto fail;
1318                 }
1319 #ifdef _SYSCALL32_IMPL
1320         } else {
1321                 struct door_results32 dr32;
1322 
1323                 dr32.cookie = (caddr32_t)(uintptr_t)dp->door_data;
1324                 dr32.data_ptr = (caddr32_t)(uintptr_t)datap;
1325                 dr32.data_size = (size32_t)datasize;
1326                 dr32.desc_ptr = (caddr32_t)(uintptr_t)layout->dl_descp;
1327                 dr32.desc_num = ncopied;
1328                 dr32.pc = (caddr32_t)(uintptr_t)dp->door_pc;
1329                 dr32.nservers = !empty_pool;
1330                 dr32.door_info = (caddr32_t)(uintptr_t)infop;
1331 
1332                 if (door_stack_copyout(&dr32, layout->dl_resultsp,
1333                     sizeof (dr32))) {
1334                         error = E2BIG;
1335                         goto fail;
1336                 }
1337 #endif
1338         }
1339 
1340         error = door_finish_dispatch(layout->dl_sp);
1341 fail:
1342         if (start != NULL) {
1343                 if (error != 0)
1344                         door_fd_close(start, ncopied);
1345                 kmem_free(start, descsize);
1346         }
1347         if (fpp != NULL)
1348                 door_fp_close(fpp, ndesc);
1349 
1350         return (error);
1351 }
1352 
1353 /*
1354  * Return the results (if any) to the caller (if any) and wait for the
1355  * next invocation on a door.
1356  */
1357 int
1358 door_return(caddr_t data_ptr, size_t data_size,
1359     door_desc_t *desc_ptr, uint_t desc_num, caddr_t sp, size_t ssize)
1360 {
1361         kthread_t       *caller;
1362         klwp_t          *lwp;
1363         int             error = 0;
1364         door_node_t     *dp;
1365         door_server_t   *st;            /* curthread door_data */
1366         door_client_t   *ct;            /* caller door_data */
1367         int             cancel_pending;
1368 
1369         st = door_my_server(1);
1370 
1371         /*
1372          * If thread was bound to a door that no longer exists, return
1373          * an error.  This can happen if a thread is bound to a door
1374          * before the process calls forkall(); in the child, the door
1375          * doesn't exist and door_fork() sets the d_invbound flag.
1376          */
1377         if (st->d_invbound)
1378                 return (set_errno(EINVAL));
1379 
1380         st->d_sp = sp;                       /* Save base of stack. */
1381         st->d_ssize = ssize;         /* and its size */
1382 
1383         /*
1384          * This should be done in shuttle_resume(), just before going to
1385          * sleep, but we want to avoid overhead while holding door_knob.
1386          * prstop() is just a no-op if we don't really go to sleep.
1387          * We test not-kernel-address-space for the sake of clustering code.
1388          */
1389         lwp = ttolwp(curthread);
1390         if (lwp && lwp->lwp_nostop == 0 && curproc->p_as != &kas)
1391                 prstop(PR_REQUESTED, 0);
1392 
1393         /* Make sure the caller hasn't gone away */
1394         mutex_enter(&door_knob);
1395         if ((caller = st->d_caller) == NULL || caller->t_door == NULL) {
1396                 if (desc_num != 0) {
1397                         /* close any DOOR_RELEASE descriptors */
1398                         mutex_exit(&door_knob);
1399                         error = door_release_fds(desc_ptr, desc_num);
1400                         if (error)
1401                                 return (set_errno(error));
1402                         mutex_enter(&door_knob);
1403                 }
1404                 goto out;
1405         }
1406         ct = DOOR_CLIENT(caller->t_door);
1407 
1408         ct->d_args.data_size = data_size;
1409         ct->d_args.desc_num = desc_num;
1410         /*
1411          * Transfer results, if any, to the client
1412          */
1413         if (data_size != 0 || desc_num != 0) {
1414                 /*
1415                  * Prevent the client from exiting until we have finished
1416                  * moving results.
1417                  */
1418                 DOOR_T_HOLD(ct);
1419                 mutex_exit(&door_knob);
1420                 error = door_results(caller, data_ptr, data_size,
1421                     desc_ptr, desc_num);
1422                 mutex_enter(&door_knob);
1423                 DOOR_T_RELEASE(ct);
1424                 /*
1425                  * Pass EOVERFLOW errors back to the client
1426                  */
1427                 if (error && error != EOVERFLOW) {
1428                         mutex_exit(&door_knob);
1429                         return (set_errno(error));
1430                 }
1431         }
1432 out:
1433         /* Put ourselves on the available server thread list */
1434         door_release_server(st->d_pool, curthread);
1435 
1436         /*
1437          * Make sure the caller is still waiting to be resumed
1438          */
1439         if (caller) {
1440                 disp_lock_t *tlp;
1441 
1442                 thread_lock(caller);
1443                 ct->d_error = error;         /* Return any errors */
1444                 if (caller->t_state == TS_SLEEP &&
1445                     SOBJ_TYPE(caller->t_sobj_ops) == SOBJ_SHUTTLE) {
1446                         cpu_t *cp = CPU;
1447 
1448                         tlp = caller->t_lockp;
1449                         /*
1450                          * Setting t_disp_queue prevents erroneous preemptions
1451                          * if this thread is still in execution on another
1452                          * processor
1453                          */
1454                         caller->t_disp_queue = cp->cpu_disp;
1455                         CL_ACTIVE(caller);
1456                         /*
1457                          * We are calling thread_onproc() instead of
1458                          * THREAD_ONPROC() because compiler can reorder
1459                          * the two stores of t_state and t_lockp in
1460                          * THREAD_ONPROC().
1461                          */
1462                         thread_onproc(caller, cp);
1463                         disp_lock_exit_high(tlp);
1464                         shuttle_resume(caller, &door_knob);
1465                 } else {
1466                         /* May have been setrun or in stop state */
1467                         thread_unlock(caller);
1468                         shuttle_swtch(&door_knob);
1469                 }
1470         } else {
1471                 shuttle_swtch(&door_knob);
1472         }
1473 
1474         /*
1475          * We've sprung to life. Determine if we are part of a door
1476          * invocation, or just interrupted
1477          */
1478         mutex_enter(&door_knob);
1479         if ((dp = st->d_active) != NULL) {
1480                 /*
1481                  * Normal door invocation. Return any error condition
1482                  * encountered while trying to pass args to the server
1483                  * thread.
1484                  */
1485                 lwp->lwp_asleep = 0;
1486                 /*
1487                  * Prevent the caller from leaving us while we
1488                  * are copying out the arguments from it's buffer.
1489                  */
1490                 ASSERT(st->d_caller != NULL);
1491                 ct = DOOR_CLIENT(st->d_caller->t_door);
1492 
1493                 DOOR_T_HOLD(ct);
1494                 mutex_exit(&door_knob);
1495                 error = door_server_dispatch(ct, dp);
1496                 mutex_enter(&door_knob);
1497                 DOOR_T_RELEASE(ct);
1498 
1499                 /* let the client know we have processed his message */
1500                 ct->d_args_done = 1;
1501 
1502                 if (error) {
1503                         caller = st->d_caller;
1504                         if (caller)
1505                                 ct = DOOR_CLIENT(caller->t_door);
1506                         else
1507                                 ct = NULL;
1508                         goto out;
1509                 }
1510                 mutex_exit(&door_knob);
1511                 return (0);
1512         } else {
1513                 /*
1514                  * We are not involved in a door_invocation.
1515                  * Check for /proc related activity...
1516                  */
1517                 st->d_caller = NULL;
1518                 door_server_exit(curproc, curthread);
1519                 mutex_exit(&door_knob);
1520                 cancel_pending = 0;
1521                 if (ISSIG(curthread, FORREAL) || lwp->lwp_sysabort ||
1522                     MUSTRETURN(curproc, curthread) ||
1523                     (cancel_pending = schedctl_cancel_pending()) != 0) {
1524                         if (cancel_pending)
1525                                 schedctl_cancel_eintr();
1526                         lwp->lwp_asleep = 0;
1527                         lwp->lwp_sysabort = 0;
1528                         return (set_errno(EINTR));
1529                 }
1530                 /* Go back and wait for another request */
1531                 lwp->lwp_asleep = 0;
1532                 mutex_enter(&door_knob);
1533                 caller = NULL;
1534                 goto out;
1535         }
1536 }
1537 
1538 /*
1539  * Revoke any future invocations on this door
1540  */
1541 int
1542 door_revoke(int did)
1543 {
1544         door_node_t     *d;
1545         int             error;
1546 
1547         if ((d = door_lookup(did, NULL)) == NULL)
1548                 return (set_errno(EBADF));
1549 
1550         mutex_enter(&door_knob);
1551         if (d->door_target != curproc) {
1552                 mutex_exit(&door_knob);
1553                 releasef(did);
1554                 return (set_errno(EPERM));
1555         }
1556         d->door_flags |= DOOR_REVOKED;
1557         if (d->door_flags & DOOR_PRIVATE)
1558                 cv_broadcast(&d->door_servers.dp_cv);
1559         else
1560                 cv_broadcast(&curproc->p_server_threads.dp_cv);
1561         mutex_exit(&door_knob);
1562         releasef(did);
1563         /* Invalidate the descriptor */
1564         if ((error = closeandsetf(did, NULL)) != 0)
1565                 return (set_errno(error));
1566         return (0);
1567 }
1568 
1569 int
1570 door_info(int did, struct door_info *d_info)
1571 {
1572         door_node_t     *dp;
1573         door_info_t     di;
1574         door_server_t   *st;
1575         file_t          *fp = NULL;
1576 
1577         if (did == DOOR_QUERY) {
1578                 /* Get information on door current thread is bound to */
1579                 if ((st = door_my_server(0)) == NULL ||
1580                     (dp = st->d_pool) == NULL)
1581                         /* Thread isn't bound to a door */
1582                         return (set_errno(EBADF));
1583         } else if ((dp = door_lookup(did, &fp)) == NULL) {
1584                 /* Not a door */
1585                 return (set_errno(EBADF));
1586         }
1587 
1588         door_info_common(dp, &di, fp);
1589 
1590         if (did != DOOR_QUERY)
1591                 releasef(did);
1592 
1593         if (copyout(&di, d_info, sizeof (struct door_info)))
1594                 return (set_errno(EFAULT));
1595         return (0);
1596 }
1597 
1598 /*
1599  * Common code for getting information about a door either via the
1600  * door_info system call or the door_ki_info kernel call.
1601  */
1602 void
1603 door_info_common(door_node_t *dp, struct door_info *dip, file_t *fp)
1604 {
1605         int unref_count;
1606 
1607         bzero(dip, sizeof (door_info_t));
1608 
1609         mutex_enter(&door_knob);
1610         if (dp->door_target == NULL)
1611                 dip->di_target = -1;
1612         else
1613                 dip->di_target = dp->door_target->p_pid;
1614 
1615         dip->di_attributes = dp->door_flags & DOOR_ATTR_MASK;
1616         if (dp->door_target == curproc)
1617                 dip->di_attributes |= DOOR_LOCAL;
1618         dip->di_proc = (door_ptr_t)(uintptr_t)dp->door_pc;
1619         dip->di_data = (door_ptr_t)(uintptr_t)dp->door_data;
1620         dip->di_uniquifier = dp->door_index;
1621         /*
1622          * If this door is in the middle of having an unreferenced
1623          * notification delivered, don't count the VN_HOLD by
1624          * door_deliver_unref in determining if it is unreferenced.
1625          * This handles the case where door_info is called from the
1626          * thread delivering the unref notification.
1627          */
1628         if (dp->door_flags & DOOR_UNREF_ACTIVE)
1629                 unref_count = 2;
1630         else
1631                 unref_count = 1;
1632         mutex_exit(&door_knob);
1633 
1634         if (fp == NULL) {
1635                 /*
1636                  * If this thread is bound to the door, then we can just
1637                  * check the vnode; a ref count of 1 (or 2 if this is
1638                  * handling an unref notification) means that the hold
1639                  * from the door_bind is the only reference to the door
1640                  * (no file descriptor refers to it).
1641                  */
1642                 if (DTOV(dp)->v_count == unref_count)
1643                         dip->di_attributes |= DOOR_IS_UNREF;
1644         } else {
1645                 /*
1646                  * If we're working from a file descriptor or door handle
1647                  * we need to look at the file structure count.  We don't
1648                  * need to hold the vnode lock since this is just a snapshot.
1649                  */
1650                 mutex_enter(&fp->f_tlock);
1651                 if (fp->f_count == 1 && DTOV(dp)->v_count == unref_count)
1652                         dip->di_attributes |= DOOR_IS_UNREF;
1653                 mutex_exit(&fp->f_tlock);
1654         }
1655 }
1656 
1657 /*
1658  * Return credentials of the door caller (if any) for this invocation
1659  */
1660 int
1661 door_ucred(struct ucred_s *uch)
1662 {
1663         kthread_t       *caller;
1664         door_server_t   *st;
1665         door_client_t   *ct;
1666         door_upcall_t   *dup;
1667         struct proc     *p;
1668         struct ucred_s  *res;
1669         int             err;
1670 
1671         mutex_enter(&door_knob);
1672         if ((st = door_my_server(0)) == NULL ||
1673             (caller = st->d_caller) == NULL) {
1674                 mutex_exit(&door_knob);
1675                 return (set_errno(EINVAL));
1676         }
1677 
1678         ASSERT(caller->t_door != NULL);
1679         ct = DOOR_CLIENT(caller->t_door);
1680 
1681         /* Prevent caller from exiting while we examine the cred */
1682         DOOR_T_HOLD(ct);
1683         mutex_exit(&door_knob);
1684 
1685         p = ttoproc(caller);
1686 
1687         /*
1688          * If the credentials are not specified by the client, get the one
1689          * associated with the calling process.
1690          */
1691         if ((dup = ct->d_upcall) != NULL)
1692                 res = cred2ucred(dup->du_cred, p0.p_pid, NULL, CRED());
1693         else
1694                 res = cred2ucred(caller->t_cred, p->p_pid, NULL, CRED());
1695 
1696         mutex_enter(&door_knob);
1697         DOOR_T_RELEASE(ct);
1698         mutex_exit(&door_knob);
1699 
1700         err = copyout(res, uch, res->uc_size);
1701 
1702         kmem_free(res, res->uc_size);
1703 
1704         if (err != 0)
1705                 return (set_errno(EFAULT));
1706 
1707         return (0);
1708 }
1709 
1710 /*
1711  * Bind the current lwp to the server thread pool associated with 'did'
1712  */
1713 int
1714 door_bind(int did)
1715 {
1716         door_node_t     *dp;
1717         door_server_t   *st;
1718 
1719         if ((dp = door_lookup(did, NULL)) == NULL) {
1720                 /* Not a door */
1721                 return (set_errno(EBADF));
1722         }
1723 
1724         /*
1725          * Can't bind to a non-private door, and can't bind to a door
1726          * served by another process.
1727          */
1728         if ((dp->door_flags & DOOR_PRIVATE) == 0 ||
1729             dp->door_target != curproc) {
1730                 releasef(did);
1731                 return (set_errno(EINVAL));
1732         }
1733 
1734         st = door_my_server(1);
1735         if (st->d_pool)
1736                 door_unbind_thread(st->d_pool);
1737         st->d_pool = dp;
1738         st->d_invbound = 0;
1739         door_bind_thread(dp);
1740         releasef(did);
1741 
1742         return (0);
1743 }
1744 
1745 /*
1746  * Unbind the current lwp from it's server thread pool
1747  */
1748 int
1749 door_unbind(void)
1750 {
1751         door_server_t *st;
1752 
1753         if ((st = door_my_server(0)) == NULL)
1754                 return (set_errno(EBADF));
1755 
1756         if (st->d_invbound) {
1757                 ASSERT(st->d_pool == NULL);
1758                 st->d_invbound = 0;
1759                 return (0);
1760         }
1761         if (st->d_pool == NULL)
1762                 return (set_errno(EBADF));
1763         door_unbind_thread(st->d_pool);
1764         st->d_pool = NULL;
1765         return (0);
1766 }
1767 
1768 /*
1769  * Create a descriptor for the associated file and fill in the
1770  * attributes associated with it.
1771  *
1772  * Return 0 for success, -1 otherwise;
1773  */
1774 int
1775 door_insert(struct file *fp, door_desc_t *dp)
1776 {
1777         struct vnode *vp;
1778         int     fd;
1779         door_attr_t attributes = DOOR_DESCRIPTOR;
1780 
1781         ASSERT(MUTEX_NOT_HELD(&door_knob));
1782         if ((fd = ufalloc(0)) == -1)
1783                 return (-1);
1784         setf(fd, fp);
1785         dp->d_data.d_desc.d_descriptor = fd;
1786 
1787         /* Fill in the attributes */
1788         if (VOP_REALVP(fp->f_vnode, &vp, NULL))
1789                 vp = fp->f_vnode;
1790         if (vp && vp->v_type == VDOOR) {
1791                 if (VTOD(vp)->door_target == curproc)
1792                         attributes |= DOOR_LOCAL;
1793                 attributes |= VTOD(vp)->door_flags & DOOR_ATTR_MASK;
1794                 dp->d_data.d_desc.d_id = VTOD(vp)->door_index;
1795         }
1796         dp->d_attributes = attributes;
1797         return (0);
1798 }
1799 
1800 /*
1801  * Return an available thread for this server.  A NULL return value indicates
1802  * that either:
1803  *      The door has been revoked, or
1804  *      a signal was received.
1805  * The two conditions can be differentiated using DOOR_INVALID(dp).
1806  */
1807 static kthread_t *
1808 door_get_server(door_node_t *dp)
1809 {
1810         kthread_t **ktp;
1811         kthread_t *server_t;
1812         door_pool_t *pool;
1813         door_server_t *st;
1814         int signalled;
1815 
1816         disp_lock_t *tlp;
1817         cpu_t *cp;
1818 
1819         ASSERT(MUTEX_HELD(&door_knob));
1820 
1821         if (dp->door_flags & DOOR_PRIVATE)
1822                 pool = &dp->door_servers;
1823         else
1824                 pool = &dp->door_target->p_server_threads;
1825 
1826         for (;;) {
1827                 /*
1828                  * We search the thread pool, looking for a server thread
1829                  * ready to take an invocation (i.e. one which is still
1830                  * sleeping on a shuttle object).  If none are available,
1831                  * we sleep on the pool's CV, and will be signaled when a
1832                  * thread is added to the pool.
1833                  *
1834                  * This relies on the fact that once a thread in the thread
1835                  * pool wakes up, it *must* remove and add itself to the pool
1836                  * before it can receive door calls.
1837                  */
1838                 if (DOOR_INVALID(dp))
1839                         return (NULL);  /* Target has become invalid */
1840 
1841                 for (ktp = &pool->dp_threads;
1842                     (server_t = *ktp) != NULL;
1843                     ktp = &st->d_servers) {
1844                         st = DOOR_SERVER(server_t->t_door);
1845 
1846                         thread_lock(server_t);
1847                         if (server_t->t_state == TS_SLEEP &&
1848                             SOBJ_TYPE(server_t->t_sobj_ops) == SOBJ_SHUTTLE)
1849                                 break;
1850                         thread_unlock(server_t);
1851                 }
1852                 if (server_t != NULL)
1853                         break;          /* we've got a live one! */
1854 
1855                 if (!cv_wait_sig_swap_core(&pool->dp_cv, &door_knob,
1856                     &signalled)) {
1857                         /*
1858                          * If we were signaled and the door is still
1859                          * valid, pass the signal on to another waiter.
1860                          */
1861                         if (signalled && !DOOR_INVALID(dp))
1862                                 cv_signal(&pool->dp_cv);
1863                         return (NULL);  /* Got a signal */
1864                 }
1865         }
1866 
1867         /*
1868          * We've got a thread_lock()ed thread which is still on the
1869          * shuttle.  Take it off the list of available server threads
1870          * and mark it as ONPROC.  We are committed to resuming this
1871          * thread now.
1872          */
1873         tlp = server_t->t_lockp;
1874         cp = CPU;
1875 
1876         *ktp = st->d_servers;
1877         st->d_servers = NULL;
1878         /*
1879          * Setting t_disp_queue prevents erroneous preemptions
1880          * if this thread is still in execution on another processor
1881          */
1882         server_t->t_disp_queue = cp->cpu_disp;
1883         CL_ACTIVE(server_t);
1884         /*
1885          * We are calling thread_onproc() instead of
1886          * THREAD_ONPROC() because compiler can reorder
1887          * the two stores of t_state and t_lockp in
1888          * THREAD_ONPROC().
1889          */
1890         thread_onproc(server_t, cp);
1891         disp_lock_exit(tlp);
1892         return (server_t);
1893 }
1894 
1895 /*
1896  * Put a server thread back in the pool.
1897  */
1898 static void
1899 door_release_server(door_node_t *dp, kthread_t *t)
1900 {
1901         door_server_t *st = DOOR_SERVER(t->t_door);
1902         door_pool_t *pool;
1903 
1904         ASSERT(MUTEX_HELD(&door_knob));
1905         st->d_active = NULL;
1906         st->d_caller = NULL;
1907         st->d_layout_done = 0;
1908         if (dp && (dp->door_flags & DOOR_PRIVATE)) {
1909                 ASSERT(dp->door_target == NULL ||
1910                     dp->door_target == ttoproc(t));
1911                 pool = &dp->door_servers;
1912         } else {
1913                 pool = &ttoproc(t)->p_server_threads;
1914         }
1915 
1916         st->d_servers = pool->dp_threads;
1917         pool->dp_threads = t;
1918 
1919         /* If someone is waiting for a server thread, wake him up */
1920         cv_signal(&pool->dp_cv);
1921 }
1922 
1923 /*
1924  * Remove a server thread from the pool if present.
1925  */
1926 static void
1927 door_server_exit(proc_t *p, kthread_t *t)
1928 {
1929         door_pool_t *pool;
1930         kthread_t **next;
1931         door_server_t *st = DOOR_SERVER(t->t_door);
1932 
1933         ASSERT(MUTEX_HELD(&door_knob));
1934         if (st->d_pool != NULL) {
1935                 ASSERT(st->d_pool->door_flags & DOOR_PRIVATE);
1936                 pool = &st->d_pool->door_servers;
1937         } else {
1938                 pool = &p->p_server_threads;
1939         }
1940 
1941         next = &pool->dp_threads;
1942         while (*next != NULL) {
1943                 if (*next == t) {
1944                         *next = DOOR_SERVER(t->t_door)->d_servers;
1945                         return;
1946                 }
1947                 next = &(DOOR_SERVER((*next)->t_door)->d_servers);
1948         }
1949 }
1950 
1951 /*
1952  * Lookup the door descriptor. Caller must call releasef when finished
1953  * with associated door.
1954  */
1955 static door_node_t *
1956 door_lookup(int did, file_t **fpp)
1957 {
1958         vnode_t *vp;
1959         file_t *fp;
1960 
1961         ASSERT(MUTEX_NOT_HELD(&door_knob));
1962         if ((fp = getf(did)) == NULL)
1963                 return (NULL);
1964         /*
1965          * Use the underlying vnode (we may be namefs mounted)
1966          */
1967         if (VOP_REALVP(fp->f_vnode, &vp, NULL))
1968                 vp = fp->f_vnode;
1969 
1970         if (vp == NULL || vp->v_type != VDOOR) {
1971                 releasef(did);
1972                 return (NULL);
1973         }
1974 
1975         if (fpp)
1976                 *fpp = fp;
1977 
1978         return (VTOD(vp));
1979 }
1980 
1981 /*
1982  * The current thread is exiting, so clean up any pending
1983  * invocation details
1984  */
1985 void
1986 door_slam(void)
1987 {
1988         door_node_t *dp;
1989         door_data_t *dt;
1990         door_client_t *ct;
1991         door_server_t *st;
1992 
1993         /*
1994          * If we are an active door server, notify our
1995          * client that we are exiting and revoke our door.
1996          */
1997         if ((dt = door_my_data(0)) == NULL)
1998                 return;
1999         ct = DOOR_CLIENT(dt);
2000         st = DOOR_SERVER(dt);
2001 
2002         mutex_enter(&door_knob);
2003         for (;;) {
2004                 if (DOOR_T_HELD(ct))
2005                         cv_wait(&ct->d_cv, &door_knob);
2006                 else if (DOOR_T_HELD(st))
2007                         cv_wait(&st->d_cv, &door_knob);
2008                 else
2009                         break;                  /* neither flag is set */
2010         }
2011         curthread->t_door = NULL;
2012         if ((dp = st->d_active) != NULL) {
2013                 kthread_t *t = st->d_caller;
2014                 proc_t *p = curproc;
2015 
2016                 /* Revoke our door if the process is exiting */
2017                 if (dp->door_target == p && (p->p_flag & SEXITING)) {
2018                         door_list_delete(dp);
2019                         dp->door_target = NULL;
2020                         dp->door_flags |= DOOR_REVOKED;
2021                         if (dp->door_flags & DOOR_PRIVATE)
2022                                 cv_broadcast(&dp->door_servers.dp_cv);
2023                         else
2024                                 cv_broadcast(&p->p_server_threads.dp_cv);
2025                 }
2026 
2027                 if (t != NULL) {
2028                         /*
2029                          * Let the caller know we are gone
2030                          */
2031                         DOOR_CLIENT(t->t_door)->d_error = DOOR_EXIT;
2032                         thread_lock(t);
2033                         if (t->t_state == TS_SLEEP &&
2034                             SOBJ_TYPE(t->t_sobj_ops) == SOBJ_SHUTTLE)
2035                                 setrun_locked(t);
2036                         thread_unlock(t);
2037                 }
2038         }
2039         mutex_exit(&door_knob);
2040         if (st->d_pool)
2041                 door_unbind_thread(st->d_pool);      /* Implicit door_unbind */
2042         kmem_free(dt, sizeof (door_data_t));
2043 }
2044 
2045 /*
2046  * Set DOOR_REVOKED for all doors of the current process. This is called
2047  * on exit before all lwp's are being terminated so that door calls will
2048  * return with an error.
2049  */
2050 void
2051 door_revoke_all()
2052 {
2053         door_node_t *dp;
2054         proc_t *p = ttoproc(curthread);
2055 
2056         mutex_enter(&door_knob);
2057         for (dp = p->p_door_list; dp != NULL; dp = dp->door_list) {
2058                 ASSERT(dp->door_target == p);
2059                 dp->door_flags |= DOOR_REVOKED;
2060                 if (dp->door_flags & DOOR_PRIVATE)
2061                         cv_broadcast(&dp->door_servers.dp_cv);
2062         }
2063         cv_broadcast(&p->p_server_threads.dp_cv);
2064         mutex_exit(&door_knob);
2065 }
2066 
2067 /*
2068  * The process is exiting, and all doors it created need to be revoked.
2069  */
2070 void
2071 door_exit(void)
2072 {
2073         door_node_t *dp;
2074         proc_t *p = ttoproc(curthread);
2075 
2076         ASSERT(p->p_lwpcnt == 1);
2077         /*
2078          * Walk the list of active doors created by this process and
2079          * revoke them all.
2080          */
2081         mutex_enter(&door_knob);
2082         for (dp = p->p_door_list; dp != NULL; dp = dp->door_list) {
2083                 dp->door_target = NULL;
2084                 dp->door_flags |= DOOR_REVOKED;
2085                 if (dp->door_flags & DOOR_PRIVATE)
2086                         cv_broadcast(&dp->door_servers.dp_cv);
2087         }
2088         cv_broadcast(&p->p_server_threads.dp_cv);
2089         /* Clear the list */
2090         p->p_door_list = NULL;
2091 
2092         /* Clean up the unref list */
2093         while ((dp = p->p_unref_list) != NULL) {
2094                 p->p_unref_list = dp->door_ulist;
2095                 dp->door_ulist = NULL;
2096                 mutex_exit(&door_knob);
2097                 VN_RELE(DTOV(dp));
2098                 mutex_enter(&door_knob);
2099         }
2100         mutex_exit(&door_knob);
2101 }
2102 
2103 
2104 /*
2105  * The process is executing forkall(), and we need to flag threads that
2106  * are bound to a door in the child.  This will make the child threads
2107  * return an error to door_return unless they call door_unbind first.
2108  */
2109 void
2110 door_fork(kthread_t *parent, kthread_t *child)
2111 {
2112         door_data_t *pt = parent->t_door;
2113         door_server_t *st = DOOR_SERVER(pt);
2114         door_data_t *dt;
2115 
2116         ASSERT(MUTEX_NOT_HELD(&door_knob));
2117         if (pt != NULL && (st->d_pool != NULL || st->d_invbound)) {
2118                 /* parent thread is bound to a door */
2119                 dt = child->t_door =
2120                     kmem_zalloc(sizeof (door_data_t), KM_SLEEP);
2121                 DOOR_SERVER(dt)->d_invbound = 1;
2122         }
2123 }
2124 
2125 /*
2126  * Deliver queued unrefs to appropriate door server.
2127  */
2128 static int
2129 door_unref(void)
2130 {
2131         door_node_t     *dp;
2132         static door_arg_t unref_args = { DOOR_UNREF_DATA, 0, 0, 0, 0, 0 };
2133         proc_t *p = ttoproc(curthread);
2134 
2135         /* make sure there's only one unref thread per process */
2136         mutex_enter(&door_knob);
2137         if (p->p_unref_thread) {
2138                 mutex_exit(&door_knob);
2139                 return (set_errno(EALREADY));
2140         }
2141         p->p_unref_thread = 1;
2142         mutex_exit(&door_knob);
2143 
2144         (void) door_my_data(1);                 /* create info, if necessary */
2145 
2146         for (;;) {
2147                 mutex_enter(&door_knob);
2148 
2149                 /* Grab a queued request */
2150                 while ((dp = p->p_unref_list) == NULL) {
2151                         if (!cv_wait_sig(&p->p_unref_cv, &door_knob)) {
2152                                 /*
2153                                  * Interrupted.
2154                                  * Return so we can finish forkall() or exit().
2155                                  */
2156                                 p->p_unref_thread = 0;
2157                                 mutex_exit(&door_knob);
2158                                 return (set_errno(EINTR));
2159                         }
2160                 }
2161                 p->p_unref_list = dp->door_ulist;
2162                 dp->door_ulist = NULL;
2163                 dp->door_flags |= DOOR_UNREF_ACTIVE;
2164                 mutex_exit(&door_knob);
2165 
2166                 (void) door_upcall(DTOV(dp), &unref_args, NULL, SIZE_MAX, 0);
2167 
2168                 if (unref_args.rbuf != 0) {
2169                         kmem_free(unref_args.rbuf, unref_args.rsize);
2170                         unref_args.rbuf = NULL;
2171                         unref_args.rsize = 0;
2172                 }
2173 
2174                 mutex_enter(&door_knob);
2175                 ASSERT(dp->door_flags & DOOR_UNREF_ACTIVE);
2176                 dp->door_flags &= ~DOOR_UNREF_ACTIVE;
2177                 mutex_exit(&door_knob);
2178                 VN_RELE(DTOV(dp));
2179         }
2180 }
2181 
2182 
2183 /*
2184  * Deliver queued unrefs to kernel door server.
2185  */
2186 /* ARGSUSED */
2187 static void
2188 door_unref_kernel(caddr_t arg)
2189 {
2190         door_node_t     *dp;
2191         static door_arg_t unref_args = { DOOR_UNREF_DATA, 0, 0, 0, 0, 0 };
2192         proc_t *p = ttoproc(curthread);
2193         callb_cpr_t cprinfo;
2194 
2195         /* should only be one of these */
2196         mutex_enter(&door_knob);
2197         if (p->p_unref_thread) {
2198                 mutex_exit(&door_knob);
2199                 return;
2200         }
2201         p->p_unref_thread = 1;
2202         mutex_exit(&door_knob);
2203 
2204         (void) door_my_data(1);         /* make sure we have a door_data_t */
2205 
2206         CALLB_CPR_INIT(&cprinfo, &door_knob, callb_generic_cpr, "door_unref");
2207         for (;;) {
2208                 mutex_enter(&door_knob);
2209                 /* Grab a queued request */
2210                 while ((dp = p->p_unref_list) == NULL) {
2211                         CALLB_CPR_SAFE_BEGIN(&cprinfo);
2212                         cv_wait(&p->p_unref_cv, &door_knob);
2213                         CALLB_CPR_SAFE_END(&cprinfo, &door_knob);
2214                 }
2215                 p->p_unref_list = dp->door_ulist;
2216                 dp->door_ulist = NULL;
2217                 dp->door_flags |= DOOR_UNREF_ACTIVE;
2218                 mutex_exit(&door_knob);
2219 
2220                 (*(dp->door_pc))(dp->door_data, &unref_args, NULL, NULL, NULL);
2221 
2222                 mutex_enter(&door_knob);
2223                 ASSERT(dp->door_flags & DOOR_UNREF_ACTIVE);
2224                 dp->door_flags &= ~DOOR_UNREF_ACTIVE;
2225                 mutex_exit(&door_knob);
2226                 VN_RELE(DTOV(dp));
2227         }
2228 }
2229 
2230 
2231 /*
2232  * Queue an unref invocation for processing for the current process
2233  * The door may or may not be revoked at this point.
2234  */
2235 void
2236 door_deliver_unref(door_node_t *d)
2237 {
2238         struct proc *server = d->door_target;
2239 
2240         ASSERT(MUTEX_HELD(&door_knob));
2241         ASSERT(d->door_active == 0);
2242 
2243         if (server == NULL)
2244                 return;
2245         /*
2246          * Create a lwp to deliver unref calls if one isn't already running.
2247          *
2248          * A separate thread is used to deliver unrefs since the current
2249          * thread may be holding resources (e.g. locks) in user land that
2250          * may be needed by the unref processing. This would cause a
2251          * deadlock.
2252          */
2253         if (d->door_flags & DOOR_UNREF_MULTI) {
2254                 /* multiple unrefs */
2255                 d->door_flags &= ~DOOR_DELAY;
2256         } else {
2257                 /* Only 1 unref per door */
2258                 d->door_flags &= ~(DOOR_UNREF|DOOR_DELAY);
2259         }
2260         mutex_exit(&door_knob);
2261 
2262         /*
2263          * Need to bump the vnode count before putting the door on the
2264          * list so it doesn't get prematurely released by door_unref.
2265          */
2266         VN_HOLD(DTOV(d));
2267 
2268         mutex_enter(&door_knob);
2269         /* is this door already on the unref list? */
2270         if (d->door_flags & DOOR_UNREF_MULTI) {
2271                 door_node_t *dp;
2272                 for (dp = server->p_unref_list; dp != NULL;
2273                     dp = dp->door_ulist) {
2274                         if (d == dp) {
2275                                 /* already there, don't need to add another */
2276                                 mutex_exit(&door_knob);
2277                                 VN_RELE(DTOV(d));
2278                                 mutex_enter(&door_knob);
2279                                 return;
2280                         }
2281                 }
2282         }
2283         ASSERT(d->door_ulist == NULL);
2284         d->door_ulist = server->p_unref_list;
2285         server->p_unref_list = d;
2286         cv_broadcast(&server->p_unref_cv);
2287 }
2288 
2289 /*
2290  * The callers buffer isn't big enough for all of the data/fd's. Allocate
2291  * space in the callers address space for the results and copy the data
2292  * there.
2293  *
2294  * For EOVERFLOW, we must clean up the server's door descriptors.
2295  */
2296 static int
2297 door_overflow(
2298         kthread_t       *caller,
2299         caddr_t         data_ptr,       /* data location */
2300         size_t          data_size,      /* data size */
2301         door_desc_t     *desc_ptr,      /* descriptor location */
2302         uint_t          desc_num)       /* descriptor size */
2303 {
2304         proc_t *callerp = ttoproc(caller);
2305         struct as *as = callerp->p_as;
2306         door_client_t *ct = DOOR_CLIENT(caller->t_door);
2307         caddr_t addr;                   /* Resulting address in target */
2308         size_t  rlen;                   /* Rounded len */
2309         size_t  len;
2310         uint_t  i;
2311         size_t  ds = desc_num * sizeof (door_desc_t);
2312 
2313         ASSERT(MUTEX_NOT_HELD(&door_knob));
2314         ASSERT(DOOR_T_HELD(ct) || ct->d_kernel);
2315 
2316         /* Do initial overflow check */
2317         if (!ufcanalloc(callerp, desc_num))
2318                 return (EMFILE);
2319 
2320         /*
2321          * Allocate space for this stuff in the callers address space
2322          */
2323         rlen = roundup(data_size + ds, PAGESIZE);
2324         as_rangelock(as);
2325         map_addr_proc(&addr, rlen, 0, 1, as->a_userlimit, ttoproc(caller), 0);
2326         if (addr == NULL ||
2327             as_map(as, addr, rlen, segvn_create, zfod_argsp) != 0) {
2328                 /* No virtual memory available, or anon mapping failed */
2329                 as_rangeunlock(as);
2330                 if (!ct->d_kernel && desc_num > 0) {
2331                         int error = door_release_fds(desc_ptr, desc_num);
2332                         if (error)
2333                                 return (error);
2334                 }
2335                 return (EOVERFLOW);
2336         }
2337         as_rangeunlock(as);
2338 
2339         if (ct->d_kernel)
2340                 goto out;
2341 
2342         if (data_size != 0) {
2343                 caddr_t src = data_ptr;
2344                 caddr_t saddr = addr;
2345 
2346                 /* Copy any data */
2347                 len = data_size;
2348                 while (len != 0) {
2349                         int     amount;
2350                         int     error;
2351 
2352                         amount = len > PAGESIZE ? PAGESIZE : len;
2353                         if ((error = door_copy(as, src, saddr, amount)) != 0) {
2354                                 (void) as_unmap(as, addr, rlen);
2355                                 return (error);
2356                         }
2357                         saddr += amount;
2358                         src += amount;
2359                         len -= amount;
2360                 }
2361         }
2362         /* Copy any fd's */
2363         if (desc_num != 0) {
2364                 door_desc_t     *didpp, *start;
2365                 struct file     **fpp;
2366                 int             fpp_size;
2367 
2368                 start = didpp = kmem_alloc(ds, KM_SLEEP);
2369                 if (copyin_nowatch(desc_ptr, didpp, ds)) {
2370                         kmem_free(start, ds);
2371                         (void) as_unmap(as, addr, rlen);
2372                         return (EFAULT);
2373                 }
2374 
2375                 fpp_size = desc_num * sizeof (struct file *);
2376                 if (fpp_size > ct->d_fpp_size) {
2377                         /* make more space */
2378                         if (ct->d_fpp_size)
2379                                 kmem_free(ct->d_fpp, ct->d_fpp_size);
2380                         ct->d_fpp_size = fpp_size;
2381                         ct->d_fpp = kmem_alloc(ct->d_fpp_size, KM_SLEEP);
2382                 }
2383                 fpp = ct->d_fpp;
2384 
2385                 for (i = 0; i < desc_num; i++) {
2386                         struct file *fp;
2387                         int fd = didpp->d_data.d_desc.d_descriptor;
2388 
2389                         if (!(didpp->d_attributes & DOOR_DESCRIPTOR) ||
2390                             (fp = getf(fd)) == NULL) {
2391                                 /* close translated references */
2392                                 door_fp_close(ct->d_fpp, fpp - ct->d_fpp);
2393                                 /* close untranslated references */
2394                                 door_fd_rele(didpp, desc_num - i, 0);
2395                                 kmem_free(start, ds);
2396                                 (void) as_unmap(as, addr, rlen);
2397                                 return (EINVAL);
2398                         }
2399                         mutex_enter(&fp->f_tlock);
2400                         fp->f_count++;
2401                         mutex_exit(&fp->f_tlock);
2402 
2403                         *fpp = fp;
2404                         releasef(fd);
2405 
2406                         if (didpp->d_attributes & DOOR_RELEASE) {
2407                                 /* release passed reference */
2408                                 (void) closeandsetf(fd, NULL);
2409                         }
2410 
2411                         fpp++; didpp++;
2412                 }
2413                 kmem_free(start, ds);
2414         }
2415 
2416 out:
2417         ct->d_overflow = 1;
2418         ct->d_args.rbuf = addr;
2419         ct->d_args.rsize = rlen;
2420         return (0);
2421 }
2422 
2423 /*
2424  * Transfer arguments from the client to the server.
2425  */
2426 static int
2427 door_args(kthread_t *server, int is_private)
2428 {
2429         door_server_t *st = DOOR_SERVER(server->t_door);
2430         door_client_t *ct = DOOR_CLIENT(curthread->t_door);
2431         uint_t  ndid;
2432         size_t  dsize;
2433         int     error;
2434 
2435         ASSERT(DOOR_T_HELD(st));
2436         ASSERT(MUTEX_NOT_HELD(&door_knob));
2437 
2438         ndid = ct->d_args.desc_num;
2439         if (ndid > door_max_desc)
2440                 return (E2BIG);
2441 
2442         /*
2443          * Get the stack layout, and fail now if it won't fit.
2444          */
2445         error = door_layout(server, ct->d_args.data_size, ndid, is_private);
2446         if (error != 0)
2447                 return (error);
2448 
2449         dsize = ndid * sizeof (door_desc_t);
2450         if (ct->d_args.data_size != 0) {
2451                 if (ct->d_args.data_size <= door_max_arg) {
2452                         /*
2453                          * Use a 2 copy method for small amounts of data
2454                          *
2455                          * Allocate a little more than we need for the
2456                          * args, in the hope that the results will fit
2457                          * without having to reallocate a buffer
2458                          */
2459                         ASSERT(ct->d_buf == NULL);
2460                         ct->d_bufsize = roundup(ct->d_args.data_size,
2461                             DOOR_ROUND);
2462                         ct->d_buf = kmem_alloc(ct->d_bufsize, KM_SLEEP);
2463                         if (copyin_nowatch(ct->d_args.data_ptr,
2464                             ct->d_buf, ct->d_args.data_size) != 0) {
2465                                 kmem_free(ct->d_buf, ct->d_bufsize);
2466                                 ct->d_buf = NULL;
2467                                 ct->d_bufsize = 0;
2468                                 return (EFAULT);
2469                         }
2470                 } else {
2471                         struct as       *as;
2472                         caddr_t         src;
2473                         caddr_t         dest;
2474                         size_t          len = ct->d_args.data_size;
2475                         uintptr_t       base;
2476 
2477                         /*
2478                          * Use a 1 copy method
2479                          */
2480                         as = ttoproc(server)->p_as;
2481                         src = ct->d_args.data_ptr;
2482 
2483                         dest = st->d_layout.dl_datap;
2484                         base = (uintptr_t)dest;
2485 
2486                         /*
2487                          * Copy data directly into server.  We proceed
2488                          * downward from the top of the stack, to mimic
2489                          * normal stack usage. This allows the guard page
2490                          * to stop us before we corrupt anything.
2491                          */
2492                         while (len != 0) {
2493                                 uintptr_t start;
2494                                 uintptr_t end;
2495                                 uintptr_t offset;
2496                                 size_t  amount;
2497 
2498                                 /*
2499                                  * Locate the next part to copy.
2500                                  */
2501                                 end = base + len;
2502                                 start = P2ALIGN(end - 1, PAGESIZE);
2503 
2504                                 /*
2505                                  * if we are on the final (first) page, fix
2506                                  * up the start position.
2507                                  */
2508                                 if (P2ALIGN(base, PAGESIZE) == start)
2509                                         start = base;
2510 
2511                                 offset = start - base;  /* the copy offset */
2512                                 amount = end - start;   /* # bytes to copy */
2513 
2514                                 ASSERT(amount > 0 && amount <= len &&
2515                                     amount <= PAGESIZE);
2516 
2517                                 error = door_copy(as, src + offset,
2518                                     dest + offset, amount);
2519                                 if (error != 0)
2520                                         return (error);
2521                                 len -= amount;
2522                         }
2523                 }
2524         }
2525         /*
2526          * Copyin the door args and translate them into files
2527          */
2528         if (ndid != 0) {
2529                 door_desc_t     *didpp;
2530                 door_desc_t     *start;
2531                 struct file     **fpp;
2532 
2533                 start = didpp = kmem_alloc(dsize, KM_SLEEP);
2534 
2535                 if (copyin_nowatch(ct->d_args.desc_ptr, didpp, dsize)) {
2536                         kmem_free(start, dsize);
2537                         return (EFAULT);
2538                 }
2539                 ct->d_fpp_size = ndid * sizeof (struct file *);
2540                 ct->d_fpp = kmem_alloc(ct->d_fpp_size, KM_SLEEP);
2541                 fpp = ct->d_fpp;
2542                 while (ndid--) {
2543                         struct file *fp;
2544                         int fd = didpp->d_data.d_desc.d_descriptor;
2545 
2546                         /* We only understand file descriptors as passed objs */
2547                         if (!(didpp->d_attributes & DOOR_DESCRIPTOR) ||
2548                             (fp = getf(fd)) == NULL) {
2549                                 /* close translated references */
2550                                 door_fp_close(ct->d_fpp, fpp - ct->d_fpp);
2551                                 /* close untranslated references */
2552                                 door_fd_rele(didpp, ndid + 1, 0);
2553                                 kmem_free(start, dsize);
2554                                 kmem_free(ct->d_fpp, ct->d_fpp_size);
2555                                 ct->d_fpp = NULL;
2556                                 ct->d_fpp_size = 0;
2557                                 return (EINVAL);
2558                         }
2559                         /* Hold the fp */
2560                         mutex_enter(&fp->f_tlock);
2561                         fp->f_count++;
2562                         mutex_exit(&fp->f_tlock);
2563 
2564                         *fpp = fp;
2565                         releasef(fd);
2566 
2567                         if (didpp->d_attributes & DOOR_RELEASE) {
2568                                 /* release passed reference */
2569                                 (void) closeandsetf(fd, NULL);
2570                         }
2571 
2572                         fpp++; didpp++;
2573                 }
2574                 kmem_free(start, dsize);
2575         }
2576         return (0);
2577 }
2578 
2579 /*
2580  * Transfer arguments from a user client to a kernel server.  This copies in
2581  * descriptors and translates them into door handles.  It doesn't touch the
2582  * other data, letting the kernel server deal with that (to avoid needing
2583  * to copy the data twice).
2584  */
2585 static int
2586 door_translate_in(void)
2587 {
2588         door_client_t *ct = DOOR_CLIENT(curthread->t_door);
2589         uint_t  ndid;
2590 
2591         ASSERT(MUTEX_NOT_HELD(&door_knob));
2592         ndid = ct->d_args.desc_num;
2593         if (ndid > door_max_desc)
2594                 return (E2BIG);
2595         /*
2596          * Copyin the door args and translate them into door handles.
2597          */
2598         if (ndid != 0) {
2599                 door_desc_t     *didpp;
2600                 door_desc_t     *start;
2601                 size_t          dsize = ndid * sizeof (door_desc_t);
2602                 struct file     *fp;
2603 
2604                 start = didpp = kmem_alloc(dsize, KM_SLEEP);
2605 
2606                 if (copyin_nowatch(ct->d_args.desc_ptr, didpp, dsize)) {
2607                         kmem_free(start, dsize);
2608                         return (EFAULT);
2609                 }
2610                 while (ndid--) {
2611                         vnode_t *vp;
2612                         int fd = didpp->d_data.d_desc.d_descriptor;
2613 
2614                         /*
2615                          * We only understand file descriptors as passed objs
2616                          */
2617                         if ((didpp->d_attributes & DOOR_DESCRIPTOR) &&
2618                             (fp = getf(fd)) != NULL) {
2619                                 didpp->d_data.d_handle = FTODH(fp);
2620                                 /* Hold the door */
2621                                 door_ki_hold(didpp->d_data.d_handle);
2622 
2623                                 releasef(fd);
2624 
2625                                 if (didpp->d_attributes & DOOR_RELEASE) {
2626                                         /* release passed reference */
2627                                         (void) closeandsetf(fd, NULL);
2628                                 }
2629 
2630                                 if (VOP_REALVP(fp->f_vnode, &vp, NULL))
2631                                         vp = fp->f_vnode;
2632 
2633                                 /* Set attributes */
2634                                 didpp->d_attributes = DOOR_HANDLE |
2635                                     (VTOD(vp)->door_flags & DOOR_ATTR_MASK);
2636                         } else {
2637                                 /* close translated references */
2638                                 door_fd_close(start, didpp - start);
2639                                 /* close untranslated references */
2640                                 door_fd_rele(didpp, ndid + 1, 0);
2641                                 kmem_free(start, dsize);
2642                                 return (EINVAL);
2643                         }
2644                         didpp++;
2645                 }
2646                 ct->d_args.desc_ptr = start;
2647         }
2648         return (0);
2649 }
2650 
2651 /*
2652  * Translate door arguments from kernel to user.  This copies the passed
2653  * door handles.  It doesn't touch other data.  It is used by door_upcall,
2654  * and for data returned by a door_call to a kernel server.
2655  */
2656 static int
2657 door_translate_out(void)
2658 {
2659         door_client_t *ct = DOOR_CLIENT(curthread->t_door);
2660         uint_t  ndid;
2661 
2662         ASSERT(MUTEX_NOT_HELD(&door_knob));
2663         ndid = ct->d_args.desc_num;
2664         if (ndid > door_max_desc) {
2665                 door_fd_rele(ct->d_args.desc_ptr, ndid, 1);
2666                 return (E2BIG);
2667         }
2668         /*
2669          * Translate the door args into files
2670          */
2671         if (ndid != 0) {
2672                 door_desc_t     *didpp = ct->d_args.desc_ptr;
2673                 struct file     **fpp;
2674 
2675                 ct->d_fpp_size = ndid * sizeof (struct file *);
2676                 fpp = ct->d_fpp = kmem_alloc(ct->d_fpp_size, KM_SLEEP);
2677                 while (ndid--) {
2678                         struct file *fp = NULL;
2679                         int fd = -1;
2680 
2681                         /*
2682                          * We understand file descriptors and door
2683                          * handles as passed objs.
2684                          */
2685                         if (didpp->d_attributes & DOOR_DESCRIPTOR) {
2686                                 fd = didpp->d_data.d_desc.d_descriptor;
2687                                 fp = getf(fd);
2688                         } else if (didpp->d_attributes & DOOR_HANDLE)
2689                                 fp = DHTOF(didpp->d_data.d_handle);
2690                         if (fp != NULL) {
2691                                 /* Hold the fp */
2692                                 mutex_enter(&fp->f_tlock);
2693                                 fp->f_count++;
2694                                 mutex_exit(&fp->f_tlock);
2695 
2696                                 *fpp = fp;
2697                                 if (didpp->d_attributes & DOOR_DESCRIPTOR)
2698                                         releasef(fd);
2699                                 if (didpp->d_attributes & DOOR_RELEASE) {
2700                                         /* release passed reference */
2701                                         if (fd >= 0)
2702                                                 (void) closeandsetf(fd, NULL);
2703                                         else
2704                                                 (void) closef(fp);
2705                                 }
2706                         } else {
2707                                 /* close translated references */
2708                                 door_fp_close(ct->d_fpp, fpp - ct->d_fpp);
2709                                 /* close untranslated references */
2710                                 door_fd_rele(didpp, ndid + 1, 1);
2711                                 kmem_free(ct->d_fpp, ct->d_fpp_size);
2712                                 ct->d_fpp = NULL;
2713                                 ct->d_fpp_size = 0;
2714                                 return (EINVAL);
2715                         }
2716                         fpp++; didpp++;
2717                 }
2718         }
2719         return (0);
2720 }
2721 
2722 /*
2723  * Move the results from the server to the client
2724  */
2725 static int
2726 door_results(kthread_t *caller, caddr_t data_ptr, size_t data_size,
2727                 door_desc_t *desc_ptr, uint_t desc_num)
2728 {
2729         door_client_t   *ct = DOOR_CLIENT(caller->t_door);
2730         door_upcall_t   *dup = ct->d_upcall;
2731         size_t          dsize;
2732         size_t          rlen;
2733         size_t          result_size;
2734 
2735         ASSERT(DOOR_T_HELD(ct));
2736         ASSERT(MUTEX_NOT_HELD(&door_knob));
2737 
2738         if (ct->d_noresults)
2739                 return (E2BIG);         /* No results expected */
2740 
2741         if (desc_num > door_max_desc)
2742                 return (E2BIG);         /* Too many descriptors */
2743 
2744         dsize = desc_num * sizeof (door_desc_t);
2745         /*
2746          * Check if the results are bigger than the clients buffer
2747          */
2748         if (dsize)
2749                 rlen = roundup(data_size, sizeof (door_desc_t));
2750         else
2751                 rlen = data_size;
2752         if ((result_size = rlen + dsize) == 0)
2753                 return (0);
2754 
2755         if (dup != NULL) {
2756                 if (desc_num > dup->du_max_descs)
2757                         return (EMFILE);
2758 
2759                 if (data_size > dup->du_max_data)
2760                         return (E2BIG);
2761 
2762                 /*
2763                  * Handle upcalls
2764                  */
2765                 if (ct->d_args.rbuf == NULL || ct->d_args.rsize < result_size) {
2766                         /*
2767                          * If there's no return buffer or the buffer is too
2768                          * small, allocate a new one.  The old buffer (if it
2769                          * exists) will be freed by the upcall client.
2770                          */
2771                         if (result_size > door_max_upcall_reply)
2772                                 return (E2BIG);
2773                         ct->d_args.rsize = result_size;
2774                         ct->d_args.rbuf = kmem_alloc(result_size, KM_SLEEP);
2775                 }
2776                 ct->d_args.data_ptr = ct->d_args.rbuf;
2777                 if (data_size != 0 &&
2778                     copyin_nowatch(data_ptr, ct->d_args.data_ptr,
2779                     data_size) != 0)
2780                         return (EFAULT);
2781         } else if (result_size > ct->d_args.rsize) {
2782                 return (door_overflow(caller, data_ptr, data_size,
2783                     desc_ptr, desc_num));
2784         } else if (data_size != 0) {
2785                 if (data_size <= door_max_arg) {
2786                         /*
2787                          * Use a 2 copy method for small amounts of data
2788                          */
2789                         if (ct->d_buf == NULL) {
2790                                 ct->d_bufsize = data_size;
2791                                 ct->d_buf = kmem_alloc(ct->d_bufsize, KM_SLEEP);
2792                         } else if (ct->d_bufsize < data_size) {
2793                                 kmem_free(ct->d_buf, ct->d_bufsize);
2794                                 ct->d_bufsize = data_size;
2795                                 ct->d_buf = kmem_alloc(ct->d_bufsize, KM_SLEEP);
2796                         }
2797                         if (copyin_nowatch(data_ptr, ct->d_buf, data_size) != 0)
2798                                 return (EFAULT);
2799                 } else {
2800                         struct as *as = ttoproc(caller)->p_as;
2801                         caddr_t dest = ct->d_args.rbuf;
2802                         caddr_t src = data_ptr;
2803                         size_t  len = data_size;
2804 
2805                         /* Copy data directly into client */
2806                         while (len != 0) {
2807                                 uint_t  amount;
2808                                 uint_t  max;
2809                                 uint_t  off;
2810                                 int     error;
2811 
2812                                 off = (uintptr_t)dest & PAGEOFFSET;
2813                                 if (off)
2814                                         max = PAGESIZE - off;
2815                                 else
2816                                         max = PAGESIZE;
2817                                 amount = len > max ? max : len;
2818                                 error = door_copy(as, src, dest, amount);
2819                                 if (error != 0)
2820                                         return (error);
2821                                 dest += amount;
2822                                 src += amount;
2823                                 len -= amount;
2824                         }
2825                 }
2826         }
2827 
2828         /*
2829          * Copyin the returned door ids and translate them into door_node_t
2830          */
2831         if (desc_num != 0) {
2832                 door_desc_t *start;
2833                 door_desc_t *didpp;
2834                 struct file **fpp;
2835                 size_t  fpp_size;
2836                 uint_t  i;
2837 
2838                 /* First, check if we would overflow client */
2839                 if (!ufcanalloc(ttoproc(caller), desc_num))
2840                         return (EMFILE);
2841 
2842                 start = didpp = kmem_alloc(dsize, KM_SLEEP);
2843                 if (copyin_nowatch(desc_ptr, didpp, dsize)) {
2844                         kmem_free(start, dsize);
2845                         return (EFAULT);
2846                 }
2847                 fpp_size = desc_num * sizeof (struct file *);
2848                 if (fpp_size > ct->d_fpp_size) {
2849                         /* make more space */
2850                         if (ct->d_fpp_size)
2851                                 kmem_free(ct->d_fpp, ct->d_fpp_size);
2852                         ct->d_fpp_size = fpp_size;
2853                         ct->d_fpp = kmem_alloc(fpp_size, KM_SLEEP);
2854                 }
2855                 fpp = ct->d_fpp;
2856 
2857                 for (i = 0; i < desc_num; i++) {
2858                         struct file *fp;
2859                         int fd = didpp->d_data.d_desc.d_descriptor;
2860 
2861                         /* Only understand file descriptor results */
2862                         if (!(didpp->d_attributes & DOOR_DESCRIPTOR) ||
2863                             (fp = getf(fd)) == NULL) {
2864                                 /* close translated references */
2865                                 door_fp_close(ct->d_fpp, fpp - ct->d_fpp);
2866                                 /* close untranslated references */
2867                                 door_fd_rele(didpp, desc_num - i, 0);
2868                                 kmem_free(start, dsize);
2869                                 return (EINVAL);
2870                         }
2871 
2872                         mutex_enter(&fp->f_tlock);
2873                         fp->f_count++;
2874                         mutex_exit(&fp->f_tlock);
2875 
2876                         *fpp = fp;
2877                         releasef(fd);
2878 
2879                         if (didpp->d_attributes & DOOR_RELEASE) {
2880                                 /* release passed reference */
2881                                 (void) closeandsetf(fd, NULL);
2882                         }
2883 
2884                         fpp++; didpp++;
2885                 }
2886                 kmem_free(start, dsize);
2887         }
2888         return (0);
2889 }
2890 
2891 /*
2892  * Close all the descriptors.
2893  */
2894 static void
2895 door_fd_close(door_desc_t *d, uint_t n)
2896 {
2897         uint_t  i;
2898 
2899         ASSERT(MUTEX_NOT_HELD(&door_knob));
2900         for (i = 0; i < n; i++) {
2901                 if (d->d_attributes & DOOR_DESCRIPTOR) {
2902                         (void) closeandsetf(
2903                             d->d_data.d_desc.d_descriptor, NULL);
2904                 } else if (d->d_attributes & DOOR_HANDLE) {
2905                         door_ki_rele(d->d_data.d_handle);
2906                 }
2907                 d++;
2908         }
2909 }
2910 
2911 /*
2912  * Close descriptors that have the DOOR_RELEASE attribute set.
2913  */
2914 void
2915 door_fd_rele(door_desc_t *d, uint_t n, int from_kernel)
2916 {
2917         uint_t  i;
2918 
2919         ASSERT(MUTEX_NOT_HELD(&door_knob));
2920         for (i = 0; i < n; i++) {
2921                 if (d->d_attributes & DOOR_RELEASE) {
2922                         if (d->d_attributes & DOOR_DESCRIPTOR) {
2923                                 (void) closeandsetf(
2924                                     d->d_data.d_desc.d_descriptor, NULL);
2925                         } else if (from_kernel &&
2926                             (d->d_attributes & DOOR_HANDLE)) {
2927                                 door_ki_rele(d->d_data.d_handle);
2928                         }
2929                 }
2930                 d++;
2931         }
2932 }
2933 
2934 /*
2935  * Copy descriptors into the kernel so we can release any marked
2936  * DOOR_RELEASE.
2937  */
2938 int
2939 door_release_fds(door_desc_t *desc_ptr, uint_t ndesc)
2940 {
2941         size_t dsize;
2942         door_desc_t *didpp;
2943         uint_t desc_num;
2944 
2945         ASSERT(MUTEX_NOT_HELD(&door_knob));
2946         ASSERT(ndesc != 0);
2947 
2948         desc_num = MIN(ndesc, door_max_desc);
2949 
2950         dsize = desc_num * sizeof (door_desc_t);
2951         didpp = kmem_alloc(dsize, KM_SLEEP);
2952 
2953         while (ndesc > 0) {
2954                 uint_t count = MIN(ndesc, desc_num);
2955 
2956                 if (copyin_nowatch(desc_ptr, didpp,
2957                     count * sizeof (door_desc_t))) {
2958                         kmem_free(didpp, dsize);
2959                         return (EFAULT);
2960                 }
2961                 door_fd_rele(didpp, count, 0);
2962 
2963                 ndesc -= count;
2964                 desc_ptr += count;
2965         }
2966         kmem_free(didpp, dsize);
2967         return (0);
2968 }
2969 
2970 /*
2971  * Decrement ref count on all the files passed
2972  */
2973 static void
2974 door_fp_close(struct file **fp, uint_t n)
2975 {
2976         uint_t  i;
2977 
2978         ASSERT(MUTEX_NOT_HELD(&door_knob));
2979 
2980         for (i = 0; i < n; i++)
2981                 (void) closef(fp[i]);
2982 }
2983 
2984 /*
2985  * Copy data from 'src' in current address space to 'dest' in 'as' for 'len'
2986  * bytes.
2987  *
2988  * Performs this using 1 mapin and 1 copy operation.
2989  *
2990  * We really should do more than 1 page at a time to improve
2991  * performance, but for now this is treated as an anomalous condition.
2992  */
2993 static int
2994 door_copy(struct as *as, caddr_t src, caddr_t dest, uint_t len)
2995 {
2996         caddr_t kaddr;
2997         caddr_t rdest;
2998         uint_t  off;
2999         page_t  **pplist;
3000         page_t  *pp = NULL;
3001         int     error = 0;
3002 
3003         ASSERT(len <= PAGESIZE);
3004         off = (uintptr_t)dest & PAGEOFFSET; /* offset within the page */
3005         rdest = (caddr_t)((uintptr_t)dest &
3006             (uintptr_t)PAGEMASK);       /* Page boundary */
3007         ASSERT(off + len <= PAGESIZE);
3008 
3009         /*
3010          * Lock down destination page.
3011          */
3012         if (as_pagelock(as, &pplist, rdest, PAGESIZE, S_WRITE))
3013                 return (E2BIG);
3014         /*
3015          * Check if we have a shadow page list from as_pagelock. If not,
3016          * we took the slow path and have to find our page struct the hard
3017          * way.
3018          */
3019         if (pplist == NULL) {
3020                 pfn_t   pfnum;
3021 
3022                 /* MMU mapping is already locked down */
3023                 AS_LOCK_ENTER(as, &as->a_lock, RW_READER);
3024                 pfnum = hat_getpfnum(as->a_hat, rdest);
3025                 AS_LOCK_EXIT(as, &as->a_lock);
3026 
3027                 /*
3028                  * TODO: The pfn step should not be necessary - need
3029                  * a hat_getpp() function.
3030                  */
3031                 if (pf_is_memory(pfnum)) {
3032                         pp = page_numtopp_nolock(pfnum);
3033                         ASSERT(pp == NULL || PAGE_LOCKED(pp));
3034                 } else
3035                         pp = NULL;
3036                 if (pp == NULL) {
3037                         as_pageunlock(as, pplist, rdest, PAGESIZE, S_WRITE);
3038                         return (E2BIG);
3039                 }
3040         } else {
3041                 pp = *pplist;
3042         }
3043         /*
3044          * Map destination page into kernel address
3045          */
3046         if (kpm_enable)
3047                 kaddr = (caddr_t)hat_kpm_mapin(pp, (struct kpme *)NULL);
3048         else
3049                 kaddr = (caddr_t)ppmapin(pp, PROT_READ | PROT_WRITE,
3050                     (caddr_t)-1);
3051 
3052         /*
3053          * Copy from src to dest
3054          */
3055         if (copyin_nowatch(src, kaddr + off, len) != 0)
3056                 error = EFAULT;
3057         /*
3058          * Unmap destination page from kernel
3059          */
3060         if (kpm_enable)
3061                 hat_kpm_mapout(pp, (struct kpme *)NULL, kaddr);
3062         else
3063                 ppmapout(kaddr);
3064         /*
3065          * Unlock destination page
3066          */
3067         as_pageunlock(as, pplist, rdest, PAGESIZE, S_WRITE);
3068         return (error);
3069 }
3070 
3071 /*
3072  * General kernel upcall using doors
3073  *      Returns 0 on success, errno for failures.
3074  *      Caller must have a hold on the door based vnode, and on any
3075  *      references passed in desc_ptr.  The references are released
3076  *      in the event of an error, and passed without duplication
3077  *      otherwise.  Note that param->rbuf must be 64-bit aligned in
3078  *      a 64-bit kernel, since it may be used to store door descriptors
3079  *      if they are returned by the server.  The caller is responsible
3080  *      for holding a reference to the cred passed in.
3081  */
3082 int
3083 door_upcall(vnode_t *vp, door_arg_t *param, struct cred *cred,
3084     size_t max_data, uint_t max_descs)
3085 {
3086         /* Locals */
3087         door_upcall_t   *dup;
3088         door_node_t     *dp;
3089         kthread_t       *server_thread;
3090         int             error = 0;
3091         klwp_t          *lwp;
3092         door_client_t   *ct;            /* curthread door_data */
3093         door_server_t   *st;            /* server thread door_data */
3094         int             gotresults = 0;
3095         int             cancel_pending;
3096 
3097         if (vp->v_type != VDOOR) {
3098                 if (param->desc_num)
3099                         door_fd_rele(param->desc_ptr, param->desc_num, 1);
3100                 return (EINVAL);
3101         }
3102 
3103         lwp = ttolwp(curthread);
3104         ct = door_my_client(1);
3105         dp = VTOD(vp);  /* Convert to a door_node_t */
3106 
3107         dup = kmem_zalloc(sizeof (*dup), KM_SLEEP);
3108         dup->du_cred = (cred != NULL) ? cred : curthread->t_cred;
3109         dup->du_max_data = max_data;
3110         dup->du_max_descs = max_descs;
3111 
3112         /*
3113          * This should be done in shuttle_resume(), just before going to
3114          * sleep, but we want to avoid overhead while holding door_knob.
3115          * prstop() is just a no-op if we don't really go to sleep.
3116          * We test not-kernel-address-space for the sake of clustering code.
3117          */
3118         if (lwp && lwp->lwp_nostop == 0 && curproc->p_as != &kas)
3119                 prstop(PR_REQUESTED, 0);
3120 
3121         mutex_enter(&door_knob);
3122         if (DOOR_INVALID(dp)) {
3123                 mutex_exit(&door_knob);
3124                 if (param->desc_num)
3125                         door_fd_rele(param->desc_ptr, param->desc_num, 1);
3126                 error = EBADF;
3127                 goto out;
3128         }
3129 
3130         if (dp->door_target == &p0) {
3131                 /* Can't do an upcall to a kernel server */
3132                 mutex_exit(&door_knob);
3133                 if (param->desc_num)
3134                         door_fd_rele(param->desc_ptr, param->desc_num, 1);
3135                 error = EINVAL;
3136                 goto out;
3137         }
3138 
3139         error = door_check_limits(dp, param, 1);
3140         if (error != 0) {
3141                 mutex_exit(&door_knob);
3142                 if (param->desc_num)
3143                         door_fd_rele(param->desc_ptr, param->desc_num, 1);
3144                 goto out;
3145         }
3146 
3147         /*
3148          * Get a server thread from the target domain
3149          */
3150         if ((server_thread = door_get_server(dp)) == NULL) {
3151                 if (DOOR_INVALID(dp))
3152                         error = EBADF;
3153                 else
3154                         error = EAGAIN;
3155                 mutex_exit(&door_knob);
3156                 if (param->desc_num)
3157                         door_fd_rele(param->desc_ptr, param->desc_num, 1);
3158                 goto out;
3159         }
3160 
3161         st = DOOR_SERVER(server_thread->t_door);
3162         ct->d_buf = param->data_ptr;
3163         ct->d_bufsize = param->data_size;
3164         ct->d_args = *param; /* structure assignment */
3165 
3166         if (ct->d_args.desc_num) {
3167                 /*
3168                  * Move data from client to server
3169                  */
3170                 DOOR_T_HOLD(st);
3171                 mutex_exit(&door_knob);
3172                 error = door_translate_out();
3173                 mutex_enter(&door_knob);
3174                 DOOR_T_RELEASE(st);
3175                 if (error) {
3176                         /*
3177                          * We're not going to resume this thread after all
3178                          */
3179                         door_release_server(dp, server_thread);
3180                         shuttle_sleep(server_thread);
3181                         mutex_exit(&door_knob);
3182                         goto out;
3183                 }
3184         }
3185 
3186         ct->d_upcall = dup;
3187         if (param->rsize == 0)
3188                 ct->d_noresults = 1;
3189         else
3190                 ct->d_noresults = 0;
3191 
3192         dp->door_active++;
3193 
3194         ct->d_error = DOOR_WAIT;
3195         st->d_caller = curthread;
3196         st->d_active = dp;
3197 
3198         shuttle_resume(server_thread, &door_knob);
3199 
3200         mutex_enter(&door_knob);
3201 shuttle_return:
3202         if ((error = ct->d_error) < 0) {  /* DOOR_WAIT or DOOR_EXIT */
3203                 /*
3204                  * Premature wakeup. Find out why (stop, forkall, sig, exit ...)
3205                  */
3206                 mutex_exit(&door_knob);             /* May block in ISSIG */
3207                 cancel_pending = 0;
3208                 if (lwp && (ISSIG(curthread, FORREAL) || lwp->lwp_sysabort ||
3209                     MUSTRETURN(curproc, curthread) ||
3210                     (cancel_pending = schedctl_cancel_pending()) != 0)) {
3211                         /* Signal, forkall, ... */
3212                         if (cancel_pending)
3213                                 schedctl_cancel_eintr();
3214                         lwp->lwp_sysabort = 0;
3215                         mutex_enter(&door_knob);
3216                         error = EINTR;
3217                         /*
3218                          * If the server has finished processing our call,
3219                          * or exited (calling door_slam()), then d_error
3220                          * will have changed.  If the server hasn't finished
3221                          * yet, d_error will still be DOOR_WAIT, and we
3222                          * let it know we are not interested in any
3223                          * results by sending a SIGCANCEL, unless the door
3224                          * is marked with DOOR_NO_CANCEL.
3225                          */
3226                         if (ct->d_error == DOOR_WAIT &&
3227                             st->d_caller == curthread) {
3228                                 proc_t  *p = ttoproc(server_thread);
3229 
3230                                 st->d_active = NULL;
3231                                 st->d_caller = NULL;
3232                                 if (!(dp->door_flags & DOOR_NO_CANCEL)) {
3233                                         DOOR_T_HOLD(st);
3234                                         mutex_exit(&door_knob);
3235 
3236                                         mutex_enter(&p->p_lock);
3237                                         sigtoproc(p, server_thread, SIGCANCEL);
3238                                         mutex_exit(&p->p_lock);
3239 
3240                                         mutex_enter(&door_knob);
3241                                         DOOR_T_RELEASE(st);
3242                                 }
3243                         }
3244                 } else {
3245                         /*
3246                          * Return from stop(), server exit...
3247                          *
3248                          * Note that the server could have done a
3249                          * door_return while the client was in stop state
3250                          * (ISSIG), in which case the error condition
3251                          * is updated by the server.
3252                          */
3253                         mutex_enter(&door_knob);
3254                         if (ct->d_error == DOOR_WAIT) {
3255                                 /* Still waiting for a reply */
3256                                 shuttle_swtch(&door_knob);
3257                                 mutex_enter(&door_knob);
3258                                 if (lwp)
3259                                         lwp->lwp_asleep = 0;
3260                                 goto    shuttle_return;
3261                         } else if (ct->d_error == DOOR_EXIT) {
3262                                 /* Server exit */
3263                                 error = EINTR;
3264                         } else {
3265                                 /* Server did a door_return during ISSIG */
3266                                 error = ct->d_error;
3267                         }
3268                 }
3269                 /*
3270                  * Can't exit if the server is currently copying
3271                  * results for me
3272                  */
3273                 while (DOOR_T_HELD(ct))
3274                         cv_wait(&ct->d_cv, &door_knob);
3275 
3276                 /*
3277                  * Find out if results were successfully copied.
3278                  */
3279                 if (ct->d_error == 0)
3280                         gotresults = 1;
3281         }
3282         if (lwp) {
3283                 lwp->lwp_asleep = 0;         /* /proc */
3284                 lwp->lwp_sysabort = 0;               /* /proc */
3285         }
3286         if (--dp->door_active == 0 && (dp->door_flags & DOOR_DELAY))
3287                 door_deliver_unref(dp);
3288         mutex_exit(&door_knob);
3289 
3290         /*
3291          * Translate returned doors (if any)
3292          */
3293 
3294         if (ct->d_noresults)
3295                 goto out;
3296 
3297         if (error) {
3298                 /*
3299                  * If server returned results successfully, then we've
3300                  * been interrupted and may need to clean up.
3301                  */
3302                 if (gotresults) {
3303                         ASSERT(error == EINTR);
3304                         door_fp_close(ct->d_fpp, ct->d_args.desc_num);
3305                 }
3306                 goto out;
3307         }
3308 
3309         if (ct->d_args.desc_num) {
3310                 struct file     **fpp;
3311                 door_desc_t     *didpp;
3312                 vnode_t         *vp;
3313                 uint_t          n = ct->d_args.desc_num;
3314 
3315                 didpp = ct->d_args.desc_ptr = (door_desc_t *)(ct->d_args.rbuf +
3316                     roundup(ct->d_args.data_size, sizeof (door_desc_t)));
3317                 fpp = ct->d_fpp;
3318 
3319                 while (n--) {
3320                         struct file *fp;
3321 
3322                         fp = *fpp;
3323                         if (VOP_REALVP(fp->f_vnode, &vp, NULL))
3324                                 vp = fp->f_vnode;
3325 
3326                         didpp->d_attributes = DOOR_HANDLE |
3327                             (VTOD(vp)->door_flags & DOOR_ATTR_MASK);
3328                         didpp->d_data.d_handle = FTODH(fp);
3329 
3330                         fpp++; didpp++;
3331                 }
3332         }
3333 
3334         /* on return data is in rbuf */
3335         *param = ct->d_args;         /* structure assignment */
3336 
3337 out:
3338         kmem_free(dup, sizeof (*dup));
3339 
3340         if (ct->d_fpp) {
3341                 kmem_free(ct->d_fpp, ct->d_fpp_size);
3342                 ct->d_fpp = NULL;
3343                 ct->d_fpp_size = 0;
3344         }
3345 
3346         ct->d_upcall = NULL;
3347         ct->d_noresults = 0;
3348         ct->d_buf = NULL;
3349         ct->d_bufsize = 0;
3350         return (error);
3351 }
3352 
3353 /*
3354  * Add a door to the per-process list of active doors for which the
3355  * process is a server.
3356  */
3357 static void
3358 door_list_insert(door_node_t *dp)
3359 {
3360         proc_t *p = dp->door_target;
3361 
3362         ASSERT(MUTEX_HELD(&door_knob));
3363         dp->door_list = p->p_door_list;
3364         p->p_door_list = dp;
3365 }
3366 
3367 /*
3368  * Remove a door from the per-process list of active doors.
3369  */
3370 void
3371 door_list_delete(door_node_t *dp)
3372 {
3373         door_node_t **pp;
3374 
3375         ASSERT(MUTEX_HELD(&door_knob));
3376         /*
3377          * Find the door in the list.  If the door belongs to another process,
3378          * it's OK to use p_door_list since that process can't exit until all
3379          * doors have been taken off the list (see door_exit).
3380          */
3381         pp = &(dp->door_target->p_door_list);
3382         while (*pp != dp)
3383                 pp = &((*pp)->door_list);
3384 
3385         /* found it, take it off the list */
3386         *pp = dp->door_list;
3387 }
3388 
3389 
3390 /*
3391  * External kernel interfaces for doors.  These functions are available
3392  * outside the doorfs module for use in creating and using doors from
3393  * within the kernel.
3394  */
3395 
3396 /*
3397  * door_ki_upcall invokes a user-level door server from the kernel, with
3398  * the credentials associated with curthread.
3399  */
3400 int
3401 door_ki_upcall(door_handle_t dh, door_arg_t *param)
3402 {
3403         return (door_ki_upcall_limited(dh, param, NULL, SIZE_MAX, UINT_MAX));
3404 }
3405 
3406 /*
3407  * door_ki_upcall_limited invokes a user-level door server from the
3408  * kernel with the given credentials and reply limits.  If the "cred"
3409  * argument is NULL, uses the credentials associated with current
3410  * thread.  max_data limits the maximum length of the returned data (the
3411  * client will get E2BIG if they go over), and max_desc limits the
3412  * number of returned descriptors (the client will get EMFILE if they
3413  * go over).
3414  */
3415 int
3416 door_ki_upcall_limited(door_handle_t dh, door_arg_t *param, struct cred *cred,
3417     size_t max_data, uint_t max_desc)
3418 {
3419         file_t *fp = DHTOF(dh);
3420         vnode_t *realvp;
3421 
3422         if (VOP_REALVP(fp->f_vnode, &realvp, NULL))
3423                 realvp = fp->f_vnode;
3424         return (door_upcall(realvp, param, cred, max_data, max_desc));
3425 }
3426 
3427 /*
3428  * Function call to create a "kernel" door server.  A kernel door
3429  * server provides a way for a user-level process to invoke a function
3430  * in the kernel through a door_call.  From the caller's point of
3431  * view, a kernel door server looks the same as a user-level one
3432  * (except the server pid is 0).  Unlike normal door calls, the
3433  * kernel door function is invoked via a normal function call in the
3434  * same thread and context as the caller.
3435  */
3436 int
3437 door_ki_create(void (*pc_cookie)(), void *data_cookie, uint_t attributes,
3438     door_handle_t *dhp)
3439 {
3440         int err;
3441         file_t *fp;
3442 
3443         /* no DOOR_PRIVATE */
3444         if ((attributes & ~DOOR_KI_CREATE_MASK) ||
3445             (attributes & (DOOR_UNREF | DOOR_UNREF_MULTI)) ==
3446             (DOOR_UNREF | DOOR_UNREF_MULTI))
3447                 return (EINVAL);
3448 
3449         err = door_create_common(pc_cookie, data_cookie, attributes,
3450             1, NULL, &fp);
3451         if (err == 0 && (attributes & (DOOR_UNREF | DOOR_UNREF_MULTI)) &&
3452             p0.p_unref_thread == 0) {
3453                 /* need to create unref thread for process 0 */
3454                 (void) thread_create(NULL, 0, door_unref_kernel, NULL, 0, &p0,
3455                     TS_RUN, minclsyspri);
3456         }
3457         if (err == 0) {
3458                 *dhp = FTODH(fp);
3459         }
3460         return (err);
3461 }
3462 
3463 void
3464 door_ki_hold(door_handle_t dh)
3465 {
3466         file_t *fp = DHTOF(dh);
3467 
3468         mutex_enter(&fp->f_tlock);
3469         fp->f_count++;
3470         mutex_exit(&fp->f_tlock);
3471 }
3472 
3473 void
3474 door_ki_rele(door_handle_t dh)
3475 {
3476         file_t *fp = DHTOF(dh);
3477 
3478         (void) closef(fp);
3479 }
3480 
3481 int
3482 door_ki_open(char *pathname, door_handle_t *dhp)
3483 {
3484         file_t *fp;
3485         vnode_t *vp;
3486         int err;
3487 
3488         if ((err = lookupname(pathname, UIO_SYSSPACE, FOLLOW, NULL, &vp)) != 0)
3489                 return (err);
3490         if (err = VOP_OPEN(&vp, FREAD, kcred, NULL)) {
3491                 VN_RELE(vp);
3492                 return (err);
3493         }
3494         if (vp->v_type != VDOOR) {
3495                 VN_RELE(vp);
3496                 return (EINVAL);
3497         }
3498         if ((err = falloc(vp, FREAD | FWRITE, &fp, NULL)) != 0) {
3499                 VN_RELE(vp);
3500                 return (err);
3501         }
3502         /* falloc returns with f_tlock held on success */
3503         mutex_exit(&fp->f_tlock);
3504         *dhp = FTODH(fp);
3505         return (0);
3506 }
3507 
3508 int
3509 door_ki_info(door_handle_t dh, struct door_info *dip)
3510 {
3511         file_t *fp = DHTOF(dh);
3512         vnode_t *vp;
3513 
3514         if (VOP_REALVP(fp->f_vnode, &vp, NULL))
3515                 vp = fp->f_vnode;
3516         if (vp->v_type != VDOOR)
3517                 return (EINVAL);
3518         door_info_common(VTOD(vp), dip, fp);
3519         return (0);
3520 }
3521 
3522 door_handle_t
3523 door_ki_lookup(int did)
3524 {
3525         file_t *fp;
3526         door_handle_t dh;
3527 
3528         /* is the descriptor really a door? */
3529         if (door_lookup(did, &fp) == NULL)
3530                 return (NULL);
3531         /* got the door, put a hold on it and release the fd */
3532         dh = FTODH(fp);
3533         door_ki_hold(dh);
3534         releasef(did);
3535         return (dh);
3536 }
3537 
3538 int
3539 door_ki_setparam(door_handle_t dh, int type, size_t val)
3540 {
3541         file_t *fp = DHTOF(dh);
3542         vnode_t *vp;
3543 
3544         if (VOP_REALVP(fp->f_vnode, &vp, NULL))
3545                 vp = fp->f_vnode;
3546         if (vp->v_type != VDOOR)
3547                 return (EINVAL);
3548         return (door_setparam_common(VTOD(vp), 1, type, val));
3549 }
3550 
3551 int
3552 door_ki_getparam(door_handle_t dh, int type, size_t *out)
3553 {
3554         file_t *fp = DHTOF(dh);
3555         vnode_t *vp;
3556 
3557         if (VOP_REALVP(fp->f_vnode, &vp, NULL))
3558                 vp = fp->f_vnode;
3559         if (vp->v_type != VDOOR)
3560                 return (EINVAL);
3561         return (door_getparam_common(VTOD(vp), type, out));
3562 }