ipc_right.c source code [xnu/osfmk/ipc/ipc_right.c]

1	/*
2	* Copyright (c) 2000-2007 Apple Inc. All rights reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28	/*
29	* @OSF_FREE_COPYRIGHT@
30	*/
31	/*
32	* Mach Operating System
33	* Copyright (c) 1991,1990,1989 Carnegie Mellon University
34	* All Rights Reserved.
35	*
36	* Permission to use, copy, modify and distribute this software and its
37	* documentation is hereby granted, provided that both the copyright
38	* notice and this permission notice appear in all copies of the
39	* software, derivative works or modified versions, and any portions
40	* thereof, and that both notices appear in supporting documentation.
41	*
42	* CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
43	* CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
44	* ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
45	*
46	* Carnegie Mellon requests users of this software to return to
47	*
48	* Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU
49	* School of Computer Science
50	* Carnegie Mellon University
51	* Pittsburgh PA 15213-3890
52	*
53	* any improvements or extensions that they make and grant Carnegie Mellon
54	* the rights to redistribute these changes.
55	*/
56	/*
57	* NOTICE: This file was modified by McAfee Research in 2004 to introduce
58	* support for mandatory and extensible security protections. This notice
59	* is included in support of clause 2.2 (b) of the Apple Public License,
60	* Version 2.0.
61	* Copyright (c) 2005-2006 SPARTA, Inc.
62	*/
63	/*
64	*/
65	/*
66	* File: ipc/ipc_right.c
67	* Author: Rich Draves
68	* Date: 1989
69	*
70	* Functions to manipulate IPC capabilities.
71	*/
72
73	#include <mach/boolean.h>
74	#include <mach/kern_return.h>
75	#include <mach/port.h>
76	#include <mach/message.h>
77	#include <kern/assert.h>
78	#include <kern/ipc_kobject.h>
79	#include <kern/misc_protos.h>
80	#include <kern/policy_internal.h>
81	#include <libkern/coreanalytics/coreanalytics.h>
82	#include <ipc/port.h>
83	#include <ipc/ipc_entry.h>
84	#include <ipc/ipc_space.h>
85	#include <ipc/ipc_object.h>
86	#include <ipc/ipc_hash.h>
87	#include <ipc/ipc_port.h>
88	#include <ipc/ipc_pset.h>
89	#include <ipc/ipc_right.h>
90	#include <ipc/ipc_notify.h>
91	#include <ipc/ipc_importance.h>
92	#include <ipc/ipc_service_port.h>
93	#include <security/mac_mach_internal.h>
94
95	extern struct proc current_proc(void*);
96	extern int csproc_hardened_runtime(struct proc* p);
97
98	extern void * XNU_PTRAUTH_SIGNED_PTR("initproc") initproc;
99
100	TUNABLE(bool, service_port_defense_enabled, "-service_port_defense_enabled", false);
101	static TUNABLE(bool, reply_port_semantics, "reply_port_semantics", true);
102
103	/*
104	* Routine: ipc_right_lookup_read
105	* Purpose:
106	* Finds an entry in a space, given the name.
107	* Conditions:
108	* Nothing locked.
109	* If an object is found, it is locked and active.
110	* Returns:
111	* KERN_SUCCESS Found an entry.
112	* KERN_INVALID_TASK The space is dead.
113	* KERN_INVALID_NAME Name doesn't exist in space.
114	*/
115	kern_return_t
116	ipc_right_lookup_read(
117	ipc_space_t space,
118	mach_port_name_t name,
119	ipc_entry_bits_t *bitsp,
120	ipc_object_t *objectp)
121	{
122	mach_port_index_t index;
123	ipc_entry_table_t table;
124	ipc_entry_t entry;
125	ipc_object_t object;
126	kern_return_t kr;
127
128	index = MACH_PORT_INDEX(name);
129	if (__improbable(index == `0`)) {
130	*bitsp = `0`;
131	*objectp = IO_NULL;
132	return KERN_INVALID_NAME;
133	}
134
135	smr_ipc_enter();
136
137	/*
138	* Acquire a (possibly stale) pointer to the table,
139	* and guard it so that it can't be deallocated while we use it.
140	*
141	* smr_ipc_enter() has the property that it strongly serializes
142	* after any store-release. This is important because it means that if
143	* one considers this (broken) userspace usage:
144	*
145	* Thread 1:
146	* - makes a semaphore, gets name 0x1003
147	* - stores that name to a global `sema` in userspace
148	*
149	* Thread 2:
150	* - spins to observe `sema` becoming non 0
151	* - calls semaphore_wait() on 0x1003
152	*
153	* Then, because in order to return 0x1003 this thread issued
154	* a store-release (when calling is_write_unlock()),
155	* then this smr_entered_load() can't possibly observe a table
156	* pointer that is older than the one that was current when the
157	* semaphore was made.
158	*
159	* This fundamental property allows us to never loop.
160	*/
161	table = smr_entered_load(&space->is_table);
162	if (__improbable(table == NULL)) {
163	kr = KERN_INVALID_TASK;
164	goto out_put;
165	}
166	entry = ipc_entry_table_get(array: table, i: index);
167	if (__improbable(entry == NULL)) {
168	kr = KERN_INVALID_NAME;
169	goto out_put;
170	}
171
172	/*
173	* Note: this should be an atomic load, but PAC and atomics
174	* don't work interact well together.
175	*/
176	object = entry->ie_volatile_object;
177
178	/*
179	* Attempt to lock an object that lives in this entry.
180	* It might fail or be a completely different object by now.
181	*
182	* Make sure that acquiring the lock is fully ordered after any
183	* lock-release (using os_atomic_barrier_before_lock_acquire()).
184	* This allows us to always reliably observe space termination below.
185	*/
186	os_atomic_barrier_before_lock_acquire();
187	if (__improbable(object == IO_NULL \|\| !io_lock_allow_invalid(object))) {
188	kr = KERN_INVALID_NAME;
189	goto out_put;
190	}
191
192	/*
193	* Now that we hold the object lock, we are preventing any entry
194	* in this space for this object to be mutated.
195	*
196	* If the space didn't grow after we acquired our hazardous reference,
197	* and before a mutation of the entry, then holding the object lock
198	* guarantees we will observe the truth of ie_bits, ie_object and
199	* ie_request (those are always mutated with the object lock held).
200	*
201	* However this ordering is problematic:
202	* - [A]cquisition of the table pointer
203	* - [G]rowth of the space (making the table pointer in [A] stale)
204	* - [M]utation of the entry
205	* - [L]ocking of the object read through [A].
206	*
207	* The space lock is held for both [G] and [M], and the object lock
208	* is held for [M], which means that once we lock the object we can
209	* observe if [G] happenend by reloading the table pointer.
210	*
211	* We might still fail to observe any growth operation that happened
212	* after the last mutation of this object's entry, because holding
213	* an object lock doesn't guarantee anything about the liveness
214	* of the space table pointer. This is not a problem at all: by
215	* definition, those didn't affect the state of the entry.
216	*
217	* TODO: a data-structure where the entries are grown by "slabs",
218	* would allow for the address of an ipc_entry_t to never
219	* change once it exists in a space and would avoid a reload
220	* (as well as making space growth faster).
221	* We however still need to check for termination.
222	*/
223	table = smr_entered_load(&space->is_table);
224	if (__improbable(table == NULL)) {
225	kr = KERN_INVALID_TASK;
226	goto out_put_unlock;
227	}
228
229	/*
230	* Tables never shrink so we don't need to validate the length twice.
231	*/
232	entry = ipc_entry_table_get_nocheck(array: table, i: index);
233
234	/*
235	* Now that we hold the lock and have a "fresh enough" table pointer,
236	* validate if this entry is what we think it is.
237	*
238	* To the risk of being repetitive, we still need to protect
239	* those accesses under SMR, because subsequent
240	* table growths might retire the memory. However we know
241	* those growths will have left our entry unchanged.
242	*/
243	if (__improbable(entry->ie_object != object)) {
244	kr = KERN_INVALID_NAME;
245	goto out_put_unlock;
246	}
247
248	ipc_entry_bits_t bits = entry->ie_bits;
249	if (__improbable(IE_BITS_GEN(bits) != MACH_PORT_GEN(name) \|\|
250	IE_BITS_TYPE(bits) == MACH_PORT_TYPE_NONE)) {
251	kr = KERN_INVALID_NAME;
252	goto out_put_unlock;
253	}
254
255	/ Done with hazardous accesses to the table /
256	smr_ipc_leave();
257
258	*bitsp = bits;
259	*objectp = object;
260	return KERN_SUCCESS;
261
262	out_put_unlock:
263	ipc_object_unlock(object);
264	out_put:
265	smr_ipc_leave();
266	return kr;
267	}
268
269	/*
270	* Routine: ipc_right_lookup_write
271	* Purpose:
272	* Finds an entry in a space, given the name.
273	* Conditions:
274	* Nothing locked. If successful, the space is write-locked.
275	* Returns:
276	* KERN_SUCCESS Found an entry.
277	* KERN_INVALID_TASK The space is dead.
278	* KERN_INVALID_NAME Name doesn't exist in space.
279	*/
280
281	kern_return_t
282	ipc_right_lookup_write(
283	ipc_space_t space,
284	mach_port_name_t name,
285	ipc_entry_t *entryp)
286	{
287	ipc_entry_t entry;
288
289	assert(space != IS_NULL);
290
291	is_write_lock(space);
292
293	if (!is_active(space)) {
294	is_write_unlock(space);
295	return KERN_INVALID_TASK;
296	}
297
298	if ((entry = ipc_entry_lookup(space, name)) == IE_NULL) {
299	is_write_unlock(space);
300	return KERN_INVALID_NAME;
301	}
302
303	*entryp = entry;
304	return KERN_SUCCESS;
305	}
306
307	/*
308	* Routine: ipc_right_lookup_two_write
309	* Purpose:
310	* Like ipc_right_lookup except that it returns two
311	* entries for two different names that were looked
312	* up under the same space lock.
313	* Conditions:
314	* Nothing locked. If successful, the space is write-locked.
315	* Returns:
316	* KERN_INVALID_TASK The space is dead.
317	* KERN_INVALID_NAME Name doesn't exist in space.
318	*/
319
320	kern_return_t
321	ipc_right_lookup_two_write(
322	ipc_space_t space,
323	mach_port_name_t name1,
324	ipc_entry_t *entryp1,
325	mach_port_name_t name2,
326	ipc_entry_t *entryp2)
327	{
328	ipc_entry_t entry1;
329	ipc_entry_t entry2;
330
331	assert(space != IS_NULL);
332
333	is_write_lock(space);
334
335	if (!is_active(space)) {
336	is_write_unlock(space);
337	return KERN_INVALID_TASK;
338	}
339
340	if ((entry1 = ipc_entry_lookup(space, name: name1)) == IE_NULL) {
341	is_write_unlock(space);
342	mach_port_guard_exception(name: name1, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_NAME);
343	return KERN_INVALID_NAME;
344	}
345	if ((entry2 = ipc_entry_lookup(space, name: name2)) == IE_NULL) {
346	is_write_unlock(space);
347	mach_port_guard_exception(name: name2, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_NAME);
348	return KERN_INVALID_NAME;
349	}
350	*entryp1 = entry1;
351	*entryp2 = entry2;
352	return KERN_SUCCESS;
353	}
354
355	/*
356	* Routine: ipc_right_reverse
357	* Purpose:
358	* Translate (space, object) -> (name, entry).
359	* Only finds send/receive rights.
360	* Returns TRUE if an entry is found; if so,
361	* the object active.
362	* Conditions:
363	* The space must be locked (read or write) and active.
364	* The port is locked and active
365	*/
366
367	bool
368	ipc_right_reverse(
369	ipc_space_t space,
370	ipc_object_t object,
371	mach_port_name_t *namep,
372	ipc_entry_t *entryp)
373	{
374	ipc_port_t port;
375	mach_port_name_t name;
376	ipc_entry_t entry;
377
378	/ would switch on io_otype to handle multiple types of object /
379
380	assert(is_active(space));
381	assert(io_otype(object) == IOT_PORT);
382
383	port = ip_object_to_port(object);
384	require_ip_active(port);
385
386	ip_mq_lock_held(port);
387
388	if (ip_in_space(port, space)) {
389	name = ip_get_receiver_name(port);
390	assert(name != MACH_PORT_NULL);
391
392	entry = ipc_entry_lookup(space, name);
393
394	assert(entry != IE_NULL);
395	assert(entry->ie_bits & MACH_PORT_TYPE_RECEIVE);
396	assert(port == ip_object_to_port(entry->ie_object));
397
398	*namep = name;
399	*entryp = entry;
400	return true;
401	}
402
403	if (ipc_hash_lookup(space, ip_to_object(port), namep, entryp)) {
404	entry = *entryp;
405	assert(entry != IE_NULL);
406	assert(IE_BITS_TYPE(entry->ie_bits) == MACH_PORT_TYPE_SEND);
407	assert(port == ip_object_to_port(entry->ie_object));
408
409	return true;
410	}
411
412	return false;
413	}
414
415	/*
416	* Routine: ipc_right_dnrequest
417	* Purpose:
418	* Make a dead-name request, returning the previously
419	* registered send-once right. If notify is IP_NULL,
420	* just cancels the previously registered request.
421	*
422	* Conditions:
423	* Nothing locked. May allocate memory.
424	* Only consumes/returns refs if successful.
425	* Returns:
426	* KERN_SUCCESS Made/canceled dead-name request.
427	* KERN_INVALID_TASK The space is dead.
428	* KERN_INVALID_NAME Name doesn't exist in space.
429	* KERN_INVALID_RIGHT Name doesn't denote port/dead rights.
430	* KERN_INVALID_ARGUMENT Name denotes dead name, but
431	* immediate is FALSE or notify is IP_NULL.
432	* KERN_RESOURCE_SHORTAGE Couldn't allocate memory.
433	*/
434
435	kern_return_t
436	ipc_right_request_alloc(
437	ipc_space_t space,
438	mach_port_name_t name,
439	ipc_port_request_opts_t options,
440	ipc_port_t notify,
441	ipc_port_t *previousp)
442	{
443	ipc_port_request_index_t prev_request;
444	ipc_port_t previous = IP_NULL;
445	ipc_entry_t entry;
446	kern_return_t kr;
447	#if IMPORTANCE_INHERITANCE
448	bool will_arm = false;
449	#endif /* IMPORTANCE_INHERITANCE */
450
451	for (;;) {
452	ipc_port_t port = IP_NULL;
453
454	kr = ipc_right_lookup_write(space, name, entryp: &entry);
455	if (kr != KERN_SUCCESS) {
456	return kr;
457	}
458
459	/ space is write-locked and active /
460
461	prev_request = entry->ie_request;
462
463	/ if nothing to do or undo, we're done /
464	if (notify == IP_NULL && prev_request == IE_REQ_NONE) {
465	is_write_unlock(space);
466	*previousp = IP_NULL;
467	return KERN_SUCCESS;
468	}
469
470	/ see if the entry is of proper type for requests /
471	if (entry->ie_bits & MACH_PORT_TYPE_PORT_RIGHTS) {
472	ipc_port_request_index_t new_request;
473
474	port = ip_object_to_port(entry->ie_object);
475	assert(port != IP_NULL);
476
477	if (!ipc_right_check(space, port, name, entry, flags: IPC_OBJECT_COPYIN_FLAGS_NONE)) {
478	/ port is locked and active /
479
480	/ if no new request, just cancel previous /
481	if (notify == IP_NULL) {
482	if (prev_request != IE_REQ_NONE) {
483	previous = ipc_port_request_cancel(port, name, index: prev_request);
484	entry->ie_request = IE_REQ_NONE;
485	}
486	ip_mq_unlock(port);
487	ipc_entry_modified(space, name, entry);
488	is_write_unlock(space);
489	break;
490	}
491
492	/*
493	* send-once rights, kernel objects, and non-full other queues
494	* fire immediately (if immediate specified).
495	*/
496	if (options == (IPR_SOR_SPARM_MASK \| IPR_SOR_SPREQ_MASK) &&
497	((entry->ie_bits & MACH_PORT_TYPE_SEND_ONCE) \|\|
498	ip_in_space(port, space: ipc_space_kernel) \|\| !ip_full(port))) {
499	if (prev_request != IE_REQ_NONE) {
500	previous = ipc_port_request_cancel(port, name, index: prev_request);
501	entry->ie_request = IE_REQ_NONE;
502	}
503	ip_mq_unlock(port);
504	ipc_entry_modified(space, name, entry);
505	is_write_unlock(space);
506
507	ipc_notify_send_possible(port: notify, name);
508	break;
509	}
510
511	/*
512	* If there is a previous request, free it. Any subsequent
513	* allocation cannot fail, thus assuring an atomic swap.
514	*/
515	if (prev_request != IE_REQ_NONE) {
516	previous = ipc_port_request_cancel(port, name, index: prev_request);
517	}
518
519	#if IMPORTANCE_INHERITANCE
520	will_arm = port->ip_sprequests == `0` &&
521	options == (IPR_SOR_SPARM_MASK \| IPR_SOR_SPREQ_MASK);
522	#endif /* IMPORTANCE_INHERITANCE */
523	kr = ipc_port_request_alloc(port, name, soright: notify,
524	options, indexp: &new_request);
525
526	if (kr != KERN_SUCCESS) {
527	assert(previous == IP_NULL);
528	is_write_unlock(space);
529
530	kr = ipc_port_request_grow(port);
531	/ port is unlocked /
532
533	if (kr != KERN_SUCCESS) {
534	return kr;
535	}
536
537	continue;
538	}
539
540	assert(new_request != IE_REQ_NONE);
541	entry->ie_request = new_request;
542	ipc_entry_modified(space, name, entry);
543	is_write_unlock(space);
544
545	#if IMPORTANCE_INHERITANCE
546	if (will_arm &&
547	port->ip_impdonation != `0` &&
548	port->ip_spimportant == `0` &&
549	task_is_importance_donor(task: current_task())) {
550	if (ipc_port_importance_delta(port, options: IPID_OPTION_SENDPOSSIBLE, delta: `1`) == FALSE) {
551	ip_mq_unlock(port);
552	}
553	} else
554	#endif /* IMPORTANCE_INHERITANCE */
555	ip_mq_unlock(port);
556
557	break;
558	}
559	/ entry may have changed to dead-name by ipc_right_check() /
560	}
561
562	/ treat send_possible requests as immediate w.r.t. dead-name /
563	if (options && notify != IP_NULL &&
564	(entry->ie_bits & MACH_PORT_TYPE_DEAD_NAME)) {
565	mach_port_urefs_t urefs = IE_BITS_UREFS(entry->ie_bits);
566
567	assert(urefs > `0`);
568
569	/ leave urefs pegged to maximum if it overflowed /
570	if (urefs < MACH_PORT_UREFS_MAX) {
571	(entry->ie_bits)++; / increment urefs /
572	}
573	ipc_entry_modified(space, name, entry);
574
575	is_write_unlock(space);
576
577	if (port != IP_NULL) {
578	ip_release(port);
579	}
580
581	ipc_notify_dead_name(port: notify, name);
582	previous = IP_NULL;
583	break;
584	}
585
586	kr = (entry->ie_bits & MACH_PORT_TYPE_PORT_OR_DEAD) ?
587	KERN_INVALID_ARGUMENT : KERN_INVALID_RIGHT;
588
589	is_write_unlock(space);
590
591	if (port != IP_NULL) {
592	ip_release(port);
593	}
594
595	return kr;
596	}
597
598	*previousp = previous;
599	return KERN_SUCCESS;
600	}
601
602	/*
603	* Routine: ipc_right_request_cancel
604	* Purpose:
605	* Cancel a notification request and return the send-once right.
606	* Afterwards, entry->ie_request == 0.
607	* Conditions:
608	* The space must be write-locked; the port must be locked.
609	* The port and space must be active.
610	*/
611
612	ipc_port_t
613	ipc_right_request_cancel(
614	ipc_space_t space,
615	ipc_port_t port,
616	mach_port_name_t name,
617	ipc_entry_t entry)
618	{
619	ipc_port_t previous;
620
621	require_ip_active(port);
622	assert(is_active(space));
623	assert(port == ip_object_to_port(entry->ie_object));
624
625	if (entry->ie_request == IE_REQ_NONE) {
626	return IP_NULL;
627	}
628
629	previous = ipc_port_request_cancel(port, name, index: entry->ie_request);
630	entry->ie_request = IE_REQ_NONE;
631	ipc_entry_modified(space, name, entry);
632	return previous;
633	}
634
635	/*
636	* Routine: ipc_right_inuse
637	* Purpose:
638	* Check if an entry is being used.
639	* Returns TRUE if it is.
640	* Conditions:
641	* The space is write-locked and active.
642	*/
643
644	bool
645	ipc_right_inuse(
646	ipc_entry_t entry)
647	{
648	return IE_BITS_TYPE(entry->ie_bits) != MACH_PORT_TYPE_NONE;
649	}
650
651	/*
652	* Routine: ipc_right_check
653	* Purpose:
654	* Check if the port has died. If it has,
655	* and IPC_OBJECT_COPYIN_FLAGS_ALLOW_DEAD_SEND_ONCE is not
656	* passed and it is not a send once right then
657	* clean up the entry and return TRUE.
658	* Conditions:
659	* The space is write-locked; the port is not locked.
660	* If returns FALSE, the port is also locked.
661	* Otherwise, entry is converted to a dead name.
662	*
663	* Caller is responsible for a reference to port if it
664	* had died (returns TRUE).
665	*/
666
667	boolean_t
668	ipc_right_check(
669	ipc_space_t space,
670	ipc_port_t port,
671	mach_port_name_t name,
672	ipc_entry_t entry,
673	ipc_object_copyin_flags_t flags)
674	{
675	ipc_entry_bits_t bits;
676
677	assert(is_active(space));
678	assert(port == ip_object_to_port(entry->ie_object));
679
680	ip_mq_lock(port);
681	if (ip_active(port) \|\|
682	((flags & IPC_OBJECT_COPYIN_FLAGS_ALLOW_DEAD_SEND_ONCE) &&
683	entry->ie_request == IE_REQ_NONE &&
684	(entry->ie_bits & MACH_PORT_TYPE_SEND_ONCE))) {
685	return FALSE;
686	}
687
688	/ this was either a pure send right or a send-once right /
689
690	bits = entry->ie_bits;
691	assert((bits & MACH_PORT_TYPE_RECEIVE) == `0`);
692	assert(IE_BITS_UREFS(bits) > `0`);
693
694	if (bits & MACH_PORT_TYPE_SEND) {
695	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_SEND);
696	assert(IE_BITS_UREFS(bits) > `0`);
697	ip_srights_dec(port);
698	} else {
699	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_SEND_ONCE);
700	assert(IE_BITS_UREFS(bits) == `1`);
701	ip_sorights_dec(port);
702	}
703
704	/*
705	* delete SEND rights from ipc hash.
706	*/
707
708	if ((bits & MACH_PORT_TYPE_SEND) != `0`) {
709	ipc_hash_delete(space, ip_to_object(port), name, entry);
710	}
711
712	/ convert entry to dead name /
713	bits = (bits & ~IE_BITS_TYPE_MASK) \| MACH_PORT_TYPE_DEAD_NAME;
714
715	/*
716	* If there was a notification request outstanding on this
717	* name, and the port went dead, that notification
718	* must already be on its way up from the port layer.
719	*
720	* Add the reference that the notification carries. It
721	* is done here, and not in the notification delivery,
722	* because the latter doesn't have a space reference and
723	* trying to actually move a send-right reference would
724	* get short-circuited into a MACH_PORT_DEAD by IPC. Since
725	* all calls that deal with the right eventually come
726	* through here, it has the same result.
727	*
728	* Once done, clear the request index so we only account
729	* for it once.
730	*/
731	if (entry->ie_request != IE_REQ_NONE) {
732	if (ipc_port_request_type(port, name, index: entry->ie_request) != `0`) {
733	/ if urefs are pegged due to overflow, leave them pegged /
734	if (IE_BITS_UREFS(bits) < MACH_PORT_UREFS_MAX) {
735	bits++; / increment urefs /
736	}
737	}
738	entry->ie_request = IE_REQ_NONE;
739	}
740	entry->ie_bits = bits;
741	entry->ie_object = IO_NULL;
742
743	ip_mq_unlock(port);
744
745	ipc_entry_modified(space, name, entry);
746
747	return TRUE;
748	}
749
750	/*
751	* Routine: ipc_right_terminate
752	* Purpose:
753	* Cleans up an entry in a terminated space.
754	* The entry isn't deallocated or removed
755	* from reverse hash tables.
756	* Conditions:
757	* The space is dead and unlocked.
758	*/
759
760	void
761	ipc_right_terminate(
762	ipc_space_t space,
763	mach_port_name_t name,
764	ipc_entry_t entry)
765	{
766	mach_port_type_t type;
767	ipc_object_t object;
768
769	assert(!is_active(space));
770
771	type = IE_BITS_TYPE(entry->ie_bits);
772	object = entry->ie_object;
773
774	/*
775	* Hollow the entry under the port lock,
776	* in order to avoid dangling pointers.
777	*
778	* ipc_right_lookup_read() doesn't need it for correctness,
779	* but ipc_space_terminate() as it now goes through 2 rounds
780	* of termination (receive rights first, the rest second).
781	*/
782
783	if (type != MACH_PORT_TYPE_DEAD_NAME) {
784	assert(object != IO_NULL);
785	io_lock(object);
786	}
787	entry->ie_object = IO_NULL;
788	entry->ie_bits &= (IE_BITS_GEN_MASK \| IE_BITS_ROLL_MASK);
789
790	switch (type) {
791	case MACH_PORT_TYPE_DEAD_NAME:
792	assert(entry->ie_request == IE_REQ_NONE);
793	assert(object == IO_NULL);
794	break;
795
796	case MACH_PORT_TYPE_PORT_SET: {
797	ipc_pset_t pset = ips_object_to_pset(object);
798
799	assert(entry->ie_request == IE_REQ_NONE);
800	assert(ips_active(pset));
801
802	ipc_pset_destroy(space, pset); / consumes ref, unlocks /
803	break;
804	}
805
806	case MACH_PORT_TYPE_SEND:
807	case MACH_PORT_TYPE_RECEIVE:
808	case MACH_PORT_TYPE_SEND_RECEIVE:
809	case MACH_PORT_TYPE_SEND_ONCE: {
810	ipc_port_t port = ip_object_to_port(object);
811	ipc_port_t request = IP_NULL;
812	ipc_notify_nsenders_t nsrequest = { };
813
814	if (!ip_active(port)) {
815	ip_mq_unlock(port);
816	ip_release(port);
817	break;
818	}
819
820	/*
821	* same as ipc_right_request_cancel(),
822	* except for calling ipc_entry_modified()
823	* as the space is now table-less.
824	*/
825	if (entry->ie_request != IE_REQ_NONE) {
826	request = ipc_port_request_cancel(port, name,
827	index: entry->ie_request);
828	entry->ie_request = IE_REQ_NONE;
829	}
830
831	if (type & MACH_PORT_TYPE_SEND) {
832	ip_srights_dec(port);
833	if (port->ip_srights == `0`) {
834	nsrequest = ipc_notify_no_senders_prepare(port);
835	}
836	}
837
838	if (type & MACH_PORT_TYPE_RECEIVE) {
839	assert(ip_get_receiver_name(port) == name);
840	assert(ip_in_space(port, space));
841
842	ipc_port_destroy(port); / clears receiver, consumes our ref, unlocks /
843	} else if (type & MACH_PORT_TYPE_SEND_ONCE) {
844	assert(port->ip_sorights > `0`);
845	port->ip_reply_context = `0`;
846
847	ipc_notify_send_once_and_unlock(port); / consumes our ref /
848	} else {
849	/ port could be dead, in-transit, or in a foreign space /
850	assert(!ip_in_space(port, space));
851
852	ip_mq_unlock(port);
853	ip_release(port);
854	}
855
856	/*
857	* For both no-senders and port-deleted notifications,
858	* look at whether the destination is still active.
859	* If it isn't, just swallow the send-once right.
860	*
861	* This is a racy check, but this ok because we can only
862	* fail to notice that the port is now inactive, which
863	* only causes us to fail at an optimizaiton.
864	*
865	* The purpose here is to avoid sending messages
866	* to receive rights that used to be in this space,
867	* which we can't fail to observe.
868	*/
869	if (nsrequest.ns_notify != IP_NULL) {
870	if (ip_active(nsrequest.ns_notify)) {
871	ipc_notify_no_senders_emit(nsrequest);
872	} else {
873	ipc_notify_no_senders_consume(nsrequest);
874	}
875	}
876
877	if (request != IP_NULL) {
878	if (ip_active(request)) {
879	ipc_notify_port_deleted(port: request, name);
880	} else {
881	ipc_port_release_sonce(port: request);
882	}
883	}
884	break;
885	}
886
887	default:
888	panic("ipc_right_terminate: strange type - 0x%x", type);
889	}
890	}
891
892	/*
893	* Routine: ipc_right_destroy
894	* Purpose:
895	* Destroys an entry in a space.
896	* Conditions:
897	* The space is write-locked (returns unlocked).
898	* The space must be active.
899	* Returns:
900	* KERN_SUCCESS The entry was destroyed.
901	* KERN_INVALID_CAPABILITY The port is pinned.
902	* KERN_INVALID_RIGHT Port guard violation.
903	*/
904
905	kern_return_t
906	ipc_right_destroy(
907	ipc_space_t space,
908	mach_port_name_t name,
909	ipc_entry_t entry,
910	boolean_t check_guard,
911	uint64_t guard)
912	{
913	ipc_entry_bits_t bits;
914	mach_port_type_t type;
915
916	bits = entry->ie_bits;
917	type = IE_BITS_TYPE(bits);
918
919	assert(is_active(space));
920
921	switch (type) {
922	case MACH_PORT_TYPE_DEAD_NAME:
923	assert(entry->ie_request == IE_REQ_NONE);
924	assert(entry->ie_object == IO_NULL);
925
926	ipc_entry_dealloc(space, IO_NULL, name, entry);
927	is_write_unlock(space);
928	break;
929
930	case MACH_PORT_TYPE_PORT_SET: {
931	ipc_pset_t pset = ips_object_to_pset(entry->ie_object);
932
933	assert(entry->ie_request == IE_REQ_NONE);
934	assert(pset != IPS_NULL);
935
936	ips_mq_lock(pset);
937	assert(ips_active(pset));
938
939	ipc_entry_dealloc(space, ips_to_object(pset), name, entry);
940
941	is_write_unlock(space);
942
943	ipc_pset_destroy(space, pset); / consumes ref, unlocks /
944	break;
945	}
946
947	case MACH_PORT_TYPE_SEND:
948	case MACH_PORT_TYPE_RECEIVE:
949	case MACH_PORT_TYPE_SEND_RECEIVE:
950	case MACH_PORT_TYPE_SEND_ONCE: {
951	ipc_port_t port = ip_object_to_port(entry->ie_object);
952	ipc_notify_nsenders_t nsrequest = { };
953	ipc_port_t request;
954
955	assert(port != IP_NULL);
956
957	if (type == MACH_PORT_TYPE_SEND) {
958	if (ip_is_pinned(port)) {
959	assert(ip_active(port));
960	is_write_unlock(space);
961	mach_port_guard_exception_pinned(space, name, port, MPG_FLAGS_MOD_REFS_PINNED_DESTROY);
962	return KERN_INVALID_CAPABILITY;
963	}
964	ipc_hash_delete(space, ip_to_object(port), name, entry);
965	}
966
967	ip_mq_lock(port);
968
969	if (!ip_active(port)) {
970	assert((type & MACH_PORT_TYPE_RECEIVE) == `0`);
971	entry->ie_request = IE_REQ_NONE;
972	assert(!ip_is_pinned(port));
973	ipc_entry_dealloc(space, ip_to_object(port), name, entry);
974	ip_mq_unlock(port);
975	is_write_unlock(space);
976	ip_release(port);
977	break;
978	}
979
980	/ For receive rights, check for guarding /
981	if ((type & MACH_PORT_TYPE_RECEIVE) &&
982	(check_guard) && (port->ip_guarded) &&
983	(guard != port->ip_context)) {
984	/ Guard Violation /
985	uint64_t portguard = port->ip_context;
986	ip_mq_unlock(port);
987	is_write_unlock(space);
988	/ Raise mach port guard exception /
989	mach_port_guard_exception(name, inguard: `0`, portguard, reason: kGUARD_EXC_DESTROY);
990	return KERN_INVALID_RIGHT;
991	}
992
993
994	request = ipc_right_request_cancel_macro(space, port,
995	name, entry);
996	assert(!ip_is_pinned(port));
997	ipc_entry_dealloc(space, ip_to_object(port), name, entry);
998
999	is_write_unlock(space);
1000
1001	if (type & MACH_PORT_TYPE_SEND) {
1002	ip_srights_dec(port);
1003	if (port->ip_srights == `0`) {
1004	nsrequest = ipc_notify_no_senders_prepare(port);
1005	}
1006	}
1007
1008	if (type & MACH_PORT_TYPE_RECEIVE) {
1009	require_ip_active(port);
1010	assert(ip_in_space(port, space));
1011
1012	ipc_port_destroy(port); / clears receiver, consumes our ref, unlocks /
1013	} else if (type & MACH_PORT_TYPE_SEND_ONCE) {
1014	assert(port->ip_sorights > `0`);
1015	port->ip_reply_context = `0`;
1016	ipc_notify_send_once_and_unlock(port); / consumes our ref /
1017	} else {
1018	assert(!ip_in_space(port, space));
1019
1020	ip_mq_unlock(port);
1021	ip_release(port);
1022	}
1023
1024	ipc_notify_no_senders_emit(nsrequest);
1025
1026	if (request != IP_NULL) {
1027	ipc_notify_port_deleted(port: request, name);
1028	}
1029
1030
1031	break;
1032	}
1033
1034	default:
1035	panic("ipc_right_destroy: strange type");
1036	}
1037
1038	return KERN_SUCCESS;
1039	}
1040
1041	/*
1042	* Routine: ipc_right_dealloc
1043	* Purpose:
1044	* Releases a send/send-once/dead-name/port_set user ref.
1045	* Like ipc_right_delta with a delta of -1,
1046	* but looks at the entry to determine the right.
1047	* Conditions:
1048	* The space is write-locked, and is unlocked upon return.
1049	* The space must be active.
1050	* Returns:
1051	* KERN_SUCCESS A user ref was released.
1052	* KERN_INVALID_RIGHT Entry has wrong type.
1053	* KERN_INVALID_CAPABILITY Deallocating a pinned right.
1054	*/
1055
1056	kern_return_t
1057	ipc_right_dealloc(
1058	ipc_space_t space,
1059	mach_port_name_t name,
1060	ipc_entry_t entry)
1061	{
1062	ipc_port_t port = IP_NULL;
1063	ipc_entry_bits_t bits;
1064	mach_port_type_t type;
1065
1066	bits = entry->ie_bits;
1067	type = IE_BITS_TYPE(bits);
1068
1069
1070	assert(is_active(space));
1071
1072	switch (type) {
1073	case MACH_PORT_TYPE_PORT_SET: {
1074	ipc_pset_t pset;
1075
1076	assert(IE_BITS_UREFS(bits) == `0`);
1077	assert(entry->ie_request == IE_REQ_NONE);
1078
1079	pset = ips_object_to_pset(entry->ie_object);
1080	ips_mq_lock(pset);
1081	assert(ips_active(pset));
1082
1083	ipc_entry_dealloc(space, ips_to_object(pset), name, entry);
1084
1085	is_write_unlock(space);
1086
1087	ipc_pset_destroy(space, pset); / consumes ref, unlocks /
1088	break;
1089	}
1090
1091	case MACH_PORT_TYPE_DEAD_NAME: {
1092	dead_name:
1093
1094	assert(IE_BITS_UREFS(bits) > `0`);
1095	assert(entry->ie_request == IE_REQ_NONE);
1096	assert(entry->ie_object == IO_NULL);
1097
1098	if (IE_BITS_UREFS(bits) == `1`) {
1099	ipc_entry_dealloc(space, IO_NULL, name, entry);
1100	} else {
1101	/ if urefs are pegged due to overflow, leave them pegged /
1102	if (IE_BITS_UREFS(bits) < MACH_PORT_UREFS_MAX) {
1103	entry->ie_bits = bits - `1`; / decrement urefs /
1104	}
1105	ipc_entry_modified(space, name, entry);
1106	}
1107	is_write_unlock(space);
1108
1109	/ release any port that got converted to dead name below /
1110	if (port != IP_NULL) {
1111	ip_release(port);
1112	}
1113	break;
1114	}
1115
1116	case MACH_PORT_TYPE_SEND_ONCE: {
1117	ipc_port_t request;
1118
1119	assert(IE_BITS_UREFS(bits) == `1`);
1120
1121	port = ip_object_to_port(entry->ie_object);
1122	assert(port != IP_NULL);
1123
1124	if (ipc_right_check(space, port, name, entry, flags: IPC_OBJECT_COPYIN_FLAGS_NONE)) {
1125	bits = entry->ie_bits;
1126	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_DEAD_NAME);
1127	goto dead_name; / it will release port /
1128	}
1129	/ port is locked and active /
1130
1131	assert(port->ip_sorights > `0`);
1132
1133	/*
1134	* clear any reply context:
1135	* no one will be sending the response b/c we are destroying
1136	* the single, outstanding send once right.
1137	*/
1138	port->ip_reply_context = `0`;
1139
1140	request = ipc_right_request_cancel_macro(space, port,
1141	name, entry);
1142	assert(!ip_is_pinned(port));
1143	ipc_entry_dealloc(space, ip_to_object(port), name, entry);
1144
1145	is_write_unlock(space);
1146
1147	ipc_notify_send_once_and_unlock(port);
1148
1149	if (request != IP_NULL) {
1150	ipc_notify_port_deleted(port: request, name);
1151	}
1152	break;
1153	}
1154
1155	case MACH_PORT_TYPE_SEND: {
1156	ipc_port_t request = IP_NULL;
1157	ipc_notify_nsenders_t nsrequest = { };
1158
1159	assert(IE_BITS_UREFS(bits) > `0`);
1160
1161	port = ip_object_to_port(entry->ie_object);
1162	assert(port != IP_NULL);
1163
1164	if (ipc_right_check(space, port, name, entry, flags: IPC_OBJECT_COPYIN_FLAGS_NONE)) {
1165	bits = entry->ie_bits;
1166	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_DEAD_NAME);
1167	goto dead_name; / it will release port /
1168	}
1169	/ port is locked and active /
1170
1171	assert(port->ip_srights > `0`);
1172
1173	if (IE_BITS_UREFS(bits) == `1`) {
1174	if (ip_is_pinned(port)) {
1175	ip_mq_unlock(port);
1176	is_write_unlock(space);
1177	mach_port_guard_exception_pinned(space, name, port, MPG_FLAGS_MOD_REFS_PINNED_DEALLOC);
1178	return KERN_INVALID_CAPABILITY;
1179	}
1180	ip_srights_dec(port);
1181	if (port->ip_srights == `0`) {
1182	nsrequest = ipc_notify_no_senders_prepare(port);
1183	}
1184
1185	request = ipc_right_request_cancel_macro(space, port,
1186	name, entry);
1187	ipc_hash_delete(space, ip_to_object(port), name, entry);
1188	ipc_entry_dealloc(space, ip_to_object(port), name, entry);
1189	ip_mq_unlock(port);
1190	is_write_unlock(space);
1191
1192	ip_release(port);
1193	} else {
1194	/ if urefs are pegged due to overflow, leave them pegged /
1195	if (IE_BITS_UREFS(bits) < MACH_PORT_UREFS_MAX) {
1196	entry->ie_bits = bits - `1`; / decrement urefs /
1197	}
1198	ip_mq_unlock(port);
1199	ipc_entry_modified(space, name, entry);
1200	is_write_unlock(space);
1201	}
1202
1203	ipc_notify_no_senders_emit(nsrequest);
1204
1205	if (request != IP_NULL) {
1206	ipc_notify_port_deleted(port: request, name);
1207	}
1208	break;
1209	}
1210
1211	case MACH_PORT_TYPE_SEND_RECEIVE: {
1212	ipc_notify_nsenders_t nsrequest = { };
1213
1214	assert(IE_BITS_UREFS(bits) > `0`);
1215
1216	port = ip_object_to_port(entry->ie_object);
1217	assert(port != IP_NULL);
1218
1219	ip_mq_lock(port);
1220	require_ip_active(port);
1221	assert(ip_get_receiver_name(port) == name);
1222	assert(ip_in_space(port, space));
1223	assert(port->ip_srights > `0`);
1224
1225	if (IE_BITS_UREFS(bits) == `1`) {
1226	ip_srights_dec(port);
1227	if (port->ip_srights == `0`) {
1228	nsrequest = ipc_notify_no_senders_prepare(port);
1229	}
1230
1231	entry->ie_bits = bits & ~(IE_BITS_UREFS_MASK \|
1232	MACH_PORT_TYPE_SEND);
1233	} else {
1234	/ if urefs are pegged due to overflow, leave them pegged /
1235	if (IE_BITS_UREFS(bits) < MACH_PORT_UREFS_MAX) {
1236	entry->ie_bits = bits - `1`; / decrement urefs /
1237	}
1238	}
1239	ip_mq_unlock(port);
1240
1241	ipc_entry_modified(space, name, entry);
1242	is_write_unlock(space);
1243
1244	ipc_notify_no_senders_emit(nsrequest);
1245	break;
1246	}
1247
1248	default:
1249	is_write_unlock(space);
1250	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
1251	return KERN_INVALID_RIGHT;
1252	}
1253
1254	return KERN_SUCCESS;
1255	}
1256
1257	/*
1258	* Routine: ipc_right_delta
1259	* Purpose:
1260	* Modifies the user-reference count for a right.
1261	* May deallocate the right, if the count goes to zero.
1262	* Conditions:
1263	* The space is write-locked, and is unlocked upon return.
1264	* The space must be active.
1265	* Returns:
1266	* KERN_SUCCESS Count was modified.
1267	* KERN_INVALID_RIGHT Entry has wrong type.
1268	* KERN_INVALID_VALUE Bad delta for the right.
1269	* KERN_INVALID_CAPABILITY Deallocating a pinned right.
1270	*/
1271
1272	kern_return_t
1273	ipc_right_delta(
1274	ipc_space_t space,
1275	mach_port_name_t name,
1276	ipc_entry_t entry,
1277	mach_port_right_t right,
1278	mach_port_delta_t delta)
1279	{
1280	ipc_port_t port = IP_NULL;
1281	ipc_entry_bits_t bits;
1282
1283	bits = entry->ie_bits;
1284
1285	/*
1286	* The following is used (for case MACH_PORT_RIGHT_DEAD_NAME) in the
1287	* switch below. It is used to keep track of those cases (in DIPC)
1288	* where we have postponed the dropping of a port reference. Since
1289	* the dropping of the reference could cause the port to disappear
1290	* we postpone doing so when we are holding the space lock.
1291	*/
1292
1293	assert(is_active(space));
1294	assert(right < MACH_PORT_RIGHT_NUMBER);
1295
1296	/ Rights-specific restrictions and operations. /
1297
1298	switch (right) {
1299	case MACH_PORT_RIGHT_PORT_SET: {
1300	ipc_pset_t pset;
1301
1302	if ((bits & MACH_PORT_TYPE_PORT_SET) == `0`) {
1303	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
1304	goto invalid_right;
1305	}
1306
1307	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_PORT_SET);
1308	assert(IE_BITS_UREFS(bits) == `0`);
1309	assert(entry->ie_request == IE_REQ_NONE);
1310
1311	if (delta == `0`) {
1312	goto success;
1313	}
1314
1315	if (delta != -`1`) {
1316	goto invalid_value;
1317	}
1318
1319	pset = ips_object_to_pset(entry->ie_object);
1320	ips_mq_lock(pset);
1321	assert(ips_active(pset));
1322
1323	ipc_entry_dealloc(space, ips_to_object(pset), name, entry);
1324
1325	is_write_unlock(space);
1326
1327	ipc_pset_destroy(space, pset); / consumes ref, unlocks /
1328	break;
1329	}
1330
1331	case MACH_PORT_RIGHT_RECEIVE: {
1332	ipc_port_t request = IP_NULL;
1333
1334	if ((bits & MACH_PORT_TYPE_RECEIVE) == `0`) {
1335	if ((bits & MACH_PORT_TYPE_EX_RECEIVE) == `0`) {
1336	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
1337	}
1338	goto invalid_right;
1339	}
1340
1341	if (delta == `0`) {
1342	goto success;
1343	}
1344
1345	if (delta != -`1`) {
1346	goto invalid_value;
1347	}
1348
1349	port = ip_object_to_port(entry->ie_object);
1350	assert(port != IP_NULL);
1351
1352	/*
1353	* The port lock is needed for ipc_right_dncancel;
1354	* otherwise, we wouldn't have to take the lock
1355	* until just before dropping the space lock.
1356	*/
1357
1358	ip_mq_lock(port);
1359	require_ip_active(port);
1360	assert(ip_get_receiver_name(port) == name);
1361	assert(ip_in_space(port, space));
1362
1363	/ Mach Port Guard Checking /
1364	if (port->ip_guarded) {
1365	uint64_t portguard = port->ip_context;
1366	ip_mq_unlock(port);
1367	is_write_unlock(space);
1368	/ Raise mach port guard exception /
1369	mach_port_guard_exception(name, inguard: `0`, portguard, reason: kGUARD_EXC_MOD_REFS);
1370	goto guard_failure;
1371	}
1372
1373	if (bits & MACH_PORT_TYPE_SEND) {
1374	assert(IE_BITS_TYPE(bits) ==
1375	MACH_PORT_TYPE_SEND_RECEIVE);
1376	assert(IE_BITS_UREFS(bits) > `0`);
1377	assert(port->ip_srights > `0`);
1378
1379	if (ipc_port_has_prdrequest(port)) {
1380	/*
1381	* Since another task has requested a
1382	* destroy notification for this port, it
1383	* isn't actually being destroyed - the receive
1384	* right is just being moved to another task.
1385	* Since we still have one or more send rights,
1386	* we need to record the loss of the receive
1387	* right and enter the remaining send right
1388	* into the hash table.
1389	*/
1390	bits &= ~MACH_PORT_TYPE_RECEIVE;
1391	bits \|= MACH_PORT_TYPE_EX_RECEIVE;
1392	ipc_hash_insert(space, ip_to_object(port),
1393	name, entry);
1394	ip_reference(port);
1395	} else {
1396	/*
1397	* The remaining send right turns into a
1398	* dead name. Notice we don't decrement
1399	* ip_srights, generate a no-senders notif,
1400	* or use ipc_right_dncancel, because the
1401	* port is destroyed "first".
1402	*/
1403	bits &= ~IE_BITS_TYPE_MASK;
1404	bits \|= (MACH_PORT_TYPE_DEAD_NAME \| MACH_PORT_TYPE_EX_RECEIVE);
1405	if (entry->ie_request) {
1406	entry->ie_request = IE_REQ_NONE;
1407	/ if urefs are pegged due to overflow, leave them pegged /
1408	if (IE_BITS_UREFS(bits) < MACH_PORT_UREFS_MAX) {
1409	bits++; / increment urefs /
1410	}
1411	}
1412	entry->ie_object = IO_NULL;
1413	}
1414	entry->ie_bits = bits;
1415	ipc_entry_modified(space, name, entry);
1416	} else {
1417	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_RECEIVE);
1418	assert(IE_BITS_UREFS(bits) == `0`);
1419
1420	request = ipc_right_request_cancel_macro(space, port,
1421	name, entry);
1422	assert(!ip_is_pinned(port));
1423	ipc_entry_dealloc(space, ip_to_object(port), name, entry);
1424	}
1425	is_write_unlock(space);
1426
1427	ipc_port_destroy(port); / clears receiver, consumes ref, unlocks /
1428
1429	if (request != IP_NULL) {
1430	ipc_notify_port_deleted(port: request, name);
1431	}
1432	break;
1433	}
1434
1435	case MACH_PORT_RIGHT_SEND_ONCE: {
1436	ipc_port_t request;
1437
1438	if ((bits & MACH_PORT_TYPE_SEND_ONCE) == `0`) {
1439	goto invalid_right;
1440	}
1441
1442	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_SEND_ONCE);
1443	assert(IE_BITS_UREFS(bits) == `1`);
1444
1445	port = ip_object_to_port(entry->ie_object);
1446	assert(port != IP_NULL);
1447
1448	if (ipc_right_check(space, port, name, entry, flags: IPC_OBJECT_COPYIN_FLAGS_NONE)) {
1449	assert(!(entry->ie_bits & MACH_PORT_TYPE_SEND_ONCE));
1450	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
1451	goto invalid_right;
1452	}
1453	/ port is locked and active /
1454
1455	assert(port->ip_sorights > `0`);
1456
1457	if ((delta > `0`) \|\| (delta < -`1`)) {
1458	ip_mq_unlock(port);
1459	goto invalid_value;
1460	}
1461
1462	if (delta == `0`) {
1463	ip_mq_unlock(port);
1464	goto success;
1465	}
1466
1467	/*
1468	* clear any reply context:
1469	* no one will be sending the response b/c we are destroying
1470	* the single, outstanding send once right.
1471	*/
1472	port->ip_reply_context = `0`;
1473
1474	request = ipc_right_request_cancel_macro(space, port, name, entry);
1475	assert(!ip_is_pinned(port));
1476	ipc_entry_dealloc(space, ip_to_object(port), name, entry);
1477
1478	is_write_unlock(space);
1479
1480	ipc_notify_send_once_and_unlock(port);
1481
1482	if (request != IP_NULL) {
1483	ipc_notify_port_deleted(port: request, name);
1484	}
1485	break;
1486	}
1487
1488	case MACH_PORT_RIGHT_DEAD_NAME: {
1489	ipc_port_t relport = IP_NULL;
1490	mach_port_urefs_t urefs;
1491
1492	if (bits & MACH_PORT_TYPE_SEND_RIGHTS) {
1493	port = ip_object_to_port(entry->ie_object);
1494	assert(port != IP_NULL);
1495
1496	if (!ipc_right_check(space, port, name, entry, flags: IPC_OBJECT_COPYIN_FLAGS_NONE)) {
1497	/ port is locked and active /
1498	ip_mq_unlock(port);
1499	port = IP_NULL;
1500	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
1501	goto invalid_right;
1502	}
1503	bits = entry->ie_bits;
1504	relport = port;
1505	port = IP_NULL;
1506	} else if ((bits & MACH_PORT_TYPE_DEAD_NAME) == `0`) {
1507	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
1508	goto invalid_right;
1509	}
1510
1511	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_DEAD_NAME);
1512	assert(IE_BITS_UREFS(bits) > `0`);
1513	assert(entry->ie_object == IO_NULL);
1514	assert(entry->ie_request == IE_REQ_NONE);
1515
1516	if (delta > ((mach_port_delta_t)MACH_PORT_UREFS_MAX) \|\|
1517	delta < (-((mach_port_delta_t)MACH_PORT_UREFS_MAX))) {
1518	goto invalid_value;
1519	}
1520
1521	urefs = IE_BITS_UREFS(bits);
1522
1523	if (urefs == MACH_PORT_UREFS_MAX) {
1524	/*
1525	* urefs are pegged due to an overflow
1526	* only a delta removing all refs at once can change it
1527	*/
1528
1529	if (delta != (-((mach_port_delta_t)MACH_PORT_UREFS_MAX))) {
1530	delta = `0`;
1531	}
1532	} else {
1533	if (MACH_PORT_UREFS_UNDERFLOW(urefs, delta)) {
1534	goto invalid_value;
1535	}
1536	if (MACH_PORT_UREFS_OVERFLOW(urefs, delta)) {
1537	/ leave urefs pegged to maximum if it overflowed /
1538	delta = MACH_PORT_UREFS_MAX - urefs;
1539	}
1540	}
1541
1542	if ((urefs + delta) == `0`) {
1543	ipc_entry_dealloc(space, IO_NULL, name, entry);
1544	} else if (delta != `0`) {
1545	entry->ie_bits = bits + delta;
1546	ipc_entry_modified(space, name, entry);
1547	}
1548
1549	is_write_unlock(space);
1550
1551	if (relport != IP_NULL) {
1552	ip_release(relport);
1553	}
1554
1555	break;
1556	}
1557
1558	case MACH_PORT_RIGHT_SEND: {
1559	mach_port_urefs_t urefs;
1560	ipc_port_t request = IP_NULL;
1561	ipc_notify_nsenders_t nsrequest = { };
1562	ipc_port_t port_to_release = IP_NULL;
1563
1564	if ((bits & MACH_PORT_TYPE_SEND) == `0`) {
1565	/ invalid right exception only when not live/dead confusion /
1566	if ((bits & MACH_PORT_TYPE_DEAD_NAME) == `0`
1567	#if !defined(AE_MAKESENDRIGHT_FIXED)
1568	/*
1569	* AE tries to add single send right without knowing if it already owns one.
1570	* But if it doesn't, it should own the receive right and delta should be 1.
1571	*/
1572	&& (((bits & MACH_PORT_TYPE_RECEIVE) == `0`) \|\| (delta != `1`))
1573	#endif
1574	) {
1575	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
1576	}
1577	goto invalid_right;
1578	}
1579
1580	/ maximum urefs for send is MACH_PORT_UREFS_MAX /
1581
1582	port = ip_object_to_port(entry->ie_object);
1583	assert(port != IP_NULL);
1584
1585	if (ipc_right_check(space, port, name, entry, flags: IPC_OBJECT_COPYIN_FLAGS_NONE)) {
1586	assert((entry->ie_bits & MACH_PORT_TYPE_SEND) == `0`);
1587	goto invalid_right;
1588	}
1589	/ port is locked and active /
1590
1591	assert(port->ip_srights > `0`);
1592
1593	if (delta > ((mach_port_delta_t)MACH_PORT_UREFS_MAX) \|\|
1594	delta < (-((mach_port_delta_t)MACH_PORT_UREFS_MAX))) {
1595	ip_mq_unlock(port);
1596	goto invalid_value;
1597	}
1598
1599	urefs = IE_BITS_UREFS(bits);
1600
1601	if (urefs == MACH_PORT_UREFS_MAX) {
1602	/*
1603	* urefs are pegged due to an overflow
1604	* only a delta removing all refs at once can change it
1605	*/
1606
1607	if (delta != (-((mach_port_delta_t)MACH_PORT_UREFS_MAX))) {
1608	delta = `0`;
1609	}
1610	} else {
1611	if (MACH_PORT_UREFS_UNDERFLOW(urefs, delta)) {
1612	ip_mq_unlock(port);
1613	goto invalid_value;
1614	}
1615	if (MACH_PORT_UREFS_OVERFLOW(urefs, delta)) {
1616	/ leave urefs pegged to maximum if it overflowed /
1617	delta = MACH_PORT_UREFS_MAX - urefs;
1618	}
1619	}
1620
1621	if ((urefs + delta) == `0`) {
1622	if (ip_is_pinned(port)) {
1623	ip_mq_unlock(port);
1624	is_write_unlock(space);
1625	mach_port_guard_exception_pinned(space, name, port, MPG_FLAGS_MOD_REFS_PINNED_DEALLOC);
1626	return KERN_INVALID_CAPABILITY;
1627	}
1628
1629	ip_srights_dec(port);
1630	if (port->ip_srights == `0`) {
1631	nsrequest = ipc_notify_no_senders_prepare(port);
1632	}
1633
1634	if (bits & MACH_PORT_TYPE_RECEIVE) {
1635	assert(ip_get_receiver_name(port) == name);
1636	assert(ip_in_space(port, space));
1637	assert(IE_BITS_TYPE(bits) ==
1638	MACH_PORT_TYPE_SEND_RECEIVE);
1639
1640	entry->ie_bits = bits & ~(IE_BITS_UREFS_MASK \|
1641	MACH_PORT_TYPE_SEND);
1642	ipc_entry_modified(space, name, entry);
1643	} else {
1644	assert(IE_BITS_TYPE(bits) ==
1645	MACH_PORT_TYPE_SEND);
1646
1647	request = ipc_right_request_cancel_macro(space, port,
1648	name, entry);
1649	ipc_hash_delete(space, ip_to_object(port),
1650	name, entry);
1651	assert(!ip_is_pinned(port));
1652	ipc_entry_dealloc(space, ip_to_object(port),
1653	name, entry);
1654	port_to_release = port;
1655	}
1656	} else if (delta != `0`) {
1657	entry->ie_bits = bits + delta;
1658	ipc_entry_modified(space, name, entry);
1659	}
1660
1661	ip_mq_unlock(port);
1662
1663	is_write_unlock(space);
1664
1665	if (port_to_release != IP_NULL) {
1666	ip_release(port_to_release);
1667	}
1668
1669	ipc_notify_no_senders_emit(nsrequest);
1670
1671	if (request != IP_NULL) {
1672	ipc_notify_port_deleted(port: request, name);
1673	}
1674	break;
1675	}
1676
1677	case MACH_PORT_RIGHT_LABELH:
1678	goto invalid_right;
1679
1680	default:
1681	panic("ipc_right_delta: strange right %d for 0x%x (%p) in space:%p",
1682	right, name, (void )entry, (void* *)space);
1683	}
1684
1685	return KERN_SUCCESS;
1686
1687	success:
1688	is_write_unlock(space);
1689	return KERN_SUCCESS;
1690
1691	invalid_right:
1692	is_write_unlock(space);
1693	if (port != IP_NULL) {
1694	ip_release(port);
1695	}
1696	return KERN_INVALID_RIGHT;
1697
1698	invalid_value:
1699	is_write_unlock(space);
1700	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_VALUE);
1701	return KERN_INVALID_VALUE;
1702
1703	guard_failure:
1704	return KERN_INVALID_RIGHT;
1705	}
1706
1707	/*
1708	* Routine: ipc_right_destruct
1709	* Purpose:
1710	* Deallocates the receive right and modifies the
1711	* user-reference count for the send rights as requested.
1712	* Conditions:
1713	* The space is write-locked, and is unlocked upon return.
1714	* The space must be active.
1715	* Returns:
1716	* KERN_SUCCESS Count was modified.
1717	* KERN_INVALID_RIGHT Entry has wrong type.
1718	* KERN_INVALID_VALUE Bad delta for the right.
1719	*/
1720
1721	kern_return_t
1722	ipc_right_destruct(
1723	ipc_space_t space,
1724	mach_port_name_t name,
1725	ipc_entry_t entry,
1726	mach_port_delta_t srdelta,
1727	uint64_t guard)
1728	{
1729	ipc_port_t port = IP_NULL;
1730	ipc_entry_bits_t bits;
1731
1732	mach_port_urefs_t urefs;
1733	ipc_port_t request = IP_NULL;
1734	ipc_notify_nsenders_t nsrequest = { };
1735
1736	bits = entry->ie_bits;
1737
1738	assert(is_active(space));
1739
1740	if ((bits & MACH_PORT_TYPE_RECEIVE) == `0`) {
1741	is_write_unlock(space);
1742
1743	/ No exception if we used to have receive and held entry since /
1744	if ((bits & MACH_PORT_TYPE_EX_RECEIVE) == `0`) {
1745	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
1746	}
1747	return KERN_INVALID_RIGHT;
1748	}
1749
1750	if (srdelta && (bits & MACH_PORT_TYPE_SEND) == `0`) {
1751	is_write_unlock(space);
1752	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
1753	return KERN_INVALID_RIGHT;
1754	}
1755
1756	if (srdelta > `0`) {
1757	goto invalid_value;
1758	}
1759
1760	port = ip_object_to_port(entry->ie_object);
1761	assert(port != IP_NULL);
1762
1763	ip_mq_lock(port);
1764	require_ip_active(port);
1765	assert(ip_get_receiver_name(port) == name);
1766	assert(ip_in_space(port, space));
1767
1768	/ Mach Port Guard Checking /
1769	if (port->ip_guarded && (guard != port->ip_context)) {
1770	uint64_t portguard = port->ip_context;
1771	ip_mq_unlock(port);
1772	is_write_unlock(space);
1773	mach_port_guard_exception(name, inguard: `0`, portguard, reason: kGUARD_EXC_DESTROY);
1774	return KERN_INVALID_ARGUMENT;
1775	}
1776
1777	/*
1778	* First reduce the send rights as requested and
1779	* adjust the entry->ie_bits accordingly. The
1780	* ipc_entry_modified() call is made once the receive
1781	* right is destroyed too.
1782	*/
1783
1784	if (srdelta) {
1785	assert(port->ip_srights > `0`);
1786
1787	urefs = IE_BITS_UREFS(bits);
1788
1789	/*
1790	* Since we made sure that srdelta is negative,
1791	* the check for urefs overflow is not required.
1792	*/
1793	if (MACH_PORT_UREFS_UNDERFLOW(urefs, srdelta)) {
1794	ip_mq_unlock(port);
1795	goto invalid_value;
1796	}
1797
1798	if (urefs == MACH_PORT_UREFS_MAX) {
1799	/*
1800	* urefs are pegged due to an overflow
1801	* only a delta removing all refs at once can change it
1802	*/
1803	if (srdelta != (-((mach_port_delta_t)MACH_PORT_UREFS_MAX))) {
1804	srdelta = `0`;
1805	}
1806	}
1807
1808	if ((urefs + srdelta) == `0`) {
1809	ip_srights_dec(port);
1810	if (port->ip_srights == `0`) {
1811	nsrequest = ipc_notify_no_senders_prepare(port);
1812	}
1813	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_SEND_RECEIVE);
1814	entry->ie_bits = bits & ~(IE_BITS_UREFS_MASK \|
1815	MACH_PORT_TYPE_SEND);
1816	} else {
1817	entry->ie_bits = bits + srdelta;
1818	}
1819	}
1820
1821	/*
1822	* Now destroy the receive right. Update space and
1823	* entry accordingly.
1824	*/
1825
1826	bits = entry->ie_bits;
1827	if (bits & MACH_PORT_TYPE_SEND) {
1828	assert(IE_BITS_UREFS(bits) > `0`);
1829	assert(IE_BITS_UREFS(bits) <= MACH_PORT_UREFS_MAX);
1830
1831	if (ipc_port_has_prdrequest(port)) {
1832	/*
1833	* Since another task has requested a
1834	* destroy notification for this port, it
1835	* isn't actually being destroyed - the receive
1836	* right is just being moved to another task.
1837	* Since we still have one or more send rights,
1838	* we need to record the loss of the receive
1839	* right and enter the remaining send right
1840	* into the hash table.
1841	*/
1842	bits &= ~MACH_PORT_TYPE_RECEIVE;
1843	bits \|= MACH_PORT_TYPE_EX_RECEIVE;
1844	ipc_hash_insert(space, ip_to_object(port),
1845	name, entry);
1846	ip_reference(port);
1847	} else {
1848	/*
1849	* The remaining send right turns into a
1850	* dead name. Notice we don't decrement
1851	* ip_srights, generate a no-senders notif,
1852	* or use ipc_right_dncancel, because the
1853	* port is destroyed "first".
1854	*/
1855	bits &= ~IE_BITS_TYPE_MASK;
1856	bits \|= (MACH_PORT_TYPE_DEAD_NAME \| MACH_PORT_TYPE_EX_RECEIVE);
1857	if (entry->ie_request) {
1858	entry->ie_request = IE_REQ_NONE;
1859	if (IE_BITS_UREFS(bits) < MACH_PORT_UREFS_MAX) {
1860	bits++; / increment urefs /
1861	}
1862	}
1863	entry->ie_object = IO_NULL;
1864	}
1865	entry->ie_bits = bits;
1866	ipc_entry_modified(space, name, entry);
1867	} else {
1868	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_RECEIVE);
1869	assert(IE_BITS_UREFS(bits) == `0`);
1870	request = ipc_right_request_cancel_macro(space, port,
1871	name, entry);
1872	assert(!ip_is_pinned(port));
1873	ipc_entry_dealloc(space, ip_to_object(port), name, entry);
1874	}
1875
1876	/ Unlock space /
1877	is_write_unlock(space);
1878
1879	ipc_notify_no_senders_emit(nsrequest);
1880
1881	ipc_port_destroy(port); / clears receiver, consumes ref, unlocks /
1882
1883	if (request != IP_NULL) {
1884	ipc_notify_port_deleted(port: request, name);
1885	}
1886
1887	return KERN_SUCCESS;
1888
1889	invalid_value:
1890	is_write_unlock(space);
1891	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_VALUE);
1892	return KERN_INVALID_VALUE;
1893	}
1894
1895
1896	/*
1897	* Routine: ipc_right_info
1898	* Purpose:
1899	* Retrieves information about the right.
1900	* Conditions:
1901	* The space is active and write-locked.
1902	* The space is unlocked upon return.
1903	* Returns:
1904	* KERN_SUCCESS Retrieved info
1905	*/
1906
1907	kern_return_t
1908	ipc_right_info(
1909	ipc_space_t space,
1910	mach_port_name_t name,
1911	ipc_entry_t entry,
1912	mach_port_type_t *typep,
1913	mach_port_urefs_t *urefsp)
1914	{
1915	ipc_port_t port;
1916	ipc_entry_bits_t bits;
1917	mach_port_type_t type = `0`;
1918	ipc_port_request_index_t request;
1919
1920	bits = entry->ie_bits;
1921	request = entry->ie_request;
1922	port = ip_object_to_port(entry->ie_object);
1923
1924	if (bits & MACH_PORT_TYPE_RECEIVE) {
1925	assert(IP_VALID(port));
1926
1927	if (request != IE_REQ_NONE) {
1928	ip_mq_lock(port);
1929	require_ip_active(port);
1930	type \|= ipc_port_request_type(port, name, index: request);
1931	ip_mq_unlock(port);
1932	}
1933	is_write_unlock(space);
1934	} else if (bits & MACH_PORT_TYPE_SEND_RIGHTS) {
1935	/*
1936	* validate port is still alive - if so, get request
1937	* types while we still have it locked. Otherwise,
1938	* recapture the (now dead) bits.
1939	*/
1940	if (!ipc_right_check(space, port, name, entry, flags: IPC_OBJECT_COPYIN_FLAGS_NONE)) {
1941	if (request != IE_REQ_NONE) {
1942	type \|= ipc_port_request_type(port, name, index: request);
1943	}
1944	ip_mq_unlock(port);
1945	is_write_unlock(space);
1946	} else {
1947	bits = entry->ie_bits;
1948	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_DEAD_NAME);
1949	is_write_unlock(space);
1950	ip_release(port);
1951	}
1952	} else {
1953	is_write_unlock(space);
1954	}
1955
1956	type \|= IE_BITS_TYPE(bits);
1957
1958	*typep = type;
1959	*urefsp = IE_BITS_UREFS(bits);
1960	return KERN_SUCCESS;
1961	}
1962
1963	/*
1964	* Routine: ipc_right_copyin_check_reply
1965	* Purpose:
1966	* Check if a subsequent ipc_right_copyin would succeed. Used only
1967	* by ipc_kmsg_copyin_header to check if reply_port can be copied in.
1968	* If the reply port is an immovable send right, it errors out.
1969	* Conditions:
1970	* The space is locked (read or write) and active.
1971	*/
1972
1973	boolean_t
1974	ipc_right_copyin_check_reply(
1975	__assert_only ipc_space_t space,
1976	mach_port_name_t reply_name,
1977	ipc_entry_t reply_entry,
1978	mach_msg_type_name_t reply_type,
1979	ipc_entry_t dest_entry,
1980	int *reply_port_semantics_violation)
1981	{
1982	ipc_entry_bits_t bits;
1983	ipc_port_t reply_port;
1984	ipc_port_t dest_port;
1985
1986	bits = reply_entry->ie_bits;
1987	assert(is_active(space));
1988
1989	switch (reply_type) {
1990	case MACH_MSG_TYPE_MAKE_SEND:
1991	if ((bits & MACH_PORT_TYPE_RECEIVE) == `0`) {
1992	return FALSE;
1993	}
1994	break;
1995
1996	case MACH_MSG_TYPE_MAKE_SEND_ONCE:
1997	if ((bits & MACH_PORT_TYPE_RECEIVE) == `0`) {
1998	return FALSE;
1999	}
2000	break;
2001
2002	case MACH_MSG_TYPE_MOVE_RECEIVE:
2003	/ ipc_kmsg_copyin_header already filters it out /
2004	return FALSE;
2005
2006	case MACH_MSG_TYPE_COPY_SEND:
2007	case MACH_MSG_TYPE_MOVE_SEND:
2008	case MACH_MSG_TYPE_MOVE_SEND_ONCE: {
2009	if (bits & MACH_PORT_TYPE_DEAD_NAME) {
2010	break;
2011	}
2012
2013	if ((bits & MACH_PORT_TYPE_SEND_RIGHTS) == `0`) {
2014	return FALSE;
2015	}
2016
2017	reply_port = ip_object_to_port(reply_entry->ie_object);
2018	assert(reply_port != IP_NULL);
2019
2020	/*
2021	* active status peek to avoid checks that will be skipped
2022	* on copyin for dead ports. Lock not held, so will not be
2023	* atomic (but once dead, there's no going back).
2024	*/
2025	if (!ip_active(reply_port)) {
2026	break;
2027	}
2028
2029	/*
2030	* Can't copyin a send right that is marked immovable. This bit
2031	* is set only during port creation and never unset. So it can
2032	* be read without a lock.
2033	*/
2034	if (ip_is_immovable_send(reply_port)) {
2035	mach_port_guard_exception_immovable(space, name: reply_name, port: reply_port, MPG_FLAGS_NONE);
2036	return FALSE;
2037	}
2038
2039	if (reply_type == MACH_MSG_TYPE_MOVE_SEND_ONCE) {
2040	if ((bits & MACH_PORT_TYPE_SEND_ONCE) == `0`) {
2041	return FALSE;
2042	}
2043	} else {
2044	if ((bits & MACH_PORT_TYPE_SEND) == `0`) {
2045	return FALSE;
2046	}
2047	}
2048
2049	break;
2050	}
2051
2052	default:
2053	panic("ipc_right_copyin_check: strange rights");
2054	}
2055
2056	if ((IE_BITS_TYPE(dest_entry->ie_bits) == MACH_PORT_TYPE_PORT_SET) \|\|
2057	(IE_BITS_TYPE(reply_entry->ie_bits) == MACH_PORT_TYPE_PORT_SET)) {
2058	return TRUE;
2059	}
2060
2061	/ The only disp allowed when a reply port is a local port of mach msg is MAKE_SO. /
2062	reply_port = ip_object_to_port(reply_entry->ie_object);
2063	assert(reply_port != IP_NULL);
2064
2065	if (ip_active(reply_port)) {
2066	if (ip_is_reply_port(reply_port) && (reply_type != MACH_MSG_TYPE_MAKE_SEND_ONCE)) {
2067	return FALSE;
2068	}
2069
2070	/ When sending a msg to remote port that requires reply port semantics enforced the local port of that msg needs to be a reply port. /
2071	dest_port = ip_object_to_port(dest_entry->ie_object);
2072	if (IP_VALID(dest_port) && ip_active(dest_port)) {
2073	/ populates reply_port_semantics_violation if we need to send telemetry /
2074	if (ip_violates_rigid_reply_port_semantics(dest_port, reply_port, reply_port_semantics_violation) \|\|
2075	ip_violates_reply_port_semantics(dest_port, reply_port, reply_port_semantics_violation)) {
2076	if (reply_port_semantics && (*reply_port_semantics_violation == REPLY_PORT_SEMANTICS_VIOLATOR)) {
2077	/ Don't crash for rigid reply ports /
2078	mach_port_guard_exception(name: reply_name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_REQUIRE_REPLY_PORT_SEMANTICS);
2079	return FALSE;
2080	}
2081	}
2082	}
2083	}
2084
2085	return TRUE;
2086	}
2087
2088	/*
2089	* Routine: ipc_right_copyin_check_guard_locked
2090	* Purpose:
2091	* Check if the port is guarded and the guard
2092	* value matches the one passed in the arguments.
2093	* If MACH_MSG_GUARD_FLAGS_UNGUARDED_ON_SEND is set,
2094	* check if the port is unguarded.
2095	* Conditions:
2096	* The port is locked.
2097	* Returns:
2098	* KERN_SUCCESS Port is either unguarded
2099	* or guarded with expected value
2100	* KERN_INVALID_ARGUMENT Port is either unguarded already or guard mismatch.
2101	* This also raises a EXC_GUARD exception.
2102	*/
2103	static kern_return_t
2104	ipc_right_copyin_check_guard_locked(
2105	mach_port_name_t name,
2106	ipc_port_t port,
2107	mach_port_context_t context,
2108	mach_msg_guard_flags_t *guard_flags)
2109	{
2110	mach_msg_guard_flags_t flags = *guard_flags;
2111	if ((flags & MACH_MSG_GUARD_FLAGS_UNGUARDED_ON_SEND) && !port->ip_guarded && !context) {
2112	return KERN_SUCCESS;
2113	} else if (port->ip_guarded && (port->ip_context == context)) {
2114	return KERN_SUCCESS;
2115	}
2116
2117	/ Incorrect guard; Raise exception /
2118	mach_port_guard_exception(name, inguard: context, portguard: port->ip_context, reason: kGUARD_EXC_INCORRECT_GUARD);
2119	return KERN_INVALID_ARGUMENT;
2120	}
2121
2122	/*
2123	* Routine: ipc_right_copyin
2124	* Purpose:
2125	* Copyin a capability from a space.
2126	* If successful, the caller gets a ref
2127	* for the resulting object, unless it is IO_DEAD,
2128	* and possibly a send-once right which should
2129	* be used in a port-deleted notification.
2130	*
2131	* If deadok is not TRUE, the copyin operation
2132	* will fail instead of producing IO_DEAD.
2133	*
2134	* The entry is deallocated if the entry type becomes
2135	* MACH_PORT_TYPE_NONE.
2136	* Conditions:
2137	* The space is write-locked and active.
2138	* Returns:
2139	* KERN_SUCCESS Acquired an object, possibly IO_DEAD.
2140	* KERN_INVALID_RIGHT Name doesn't denote correct right.
2141	* KERN_INVALID_CAPABILITY Trying to move an kobject port or an immovable right,
2142	* or moving the last ref of pinned right
2143	* KERN_INVALID_ARGUMENT Port is unguarded or guard mismatch
2144	*/
2145
2146	kern_return_t
2147	ipc_right_copyin(
2148	ipc_space_t space,
2149	mach_port_name_t name,
2150	ipc_entry_t entry,
2151	mach_msg_type_name_t msgt_name,
2152	ipc_object_copyin_flags_t flags,
2153	ipc_object_t *objectp,
2154	ipc_port_t *sorightp,
2155	ipc_port_t *releasep,
2156	int *assertcntp,
2157	mach_port_context_t context,
2158	mach_msg_guard_flags_t *guard_flags)
2159	{
2160	ipc_entry_bits_t bits;
2161	ipc_port_t port;
2162	kern_return_t kr;
2163	boolean_t deadok = !!(flags & IPC_OBJECT_COPYIN_FLAGS_DEADOK);
2164	boolean_t allow_imm_send = !!(flags & IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND);
2165	boolean_t allow_reply_make_so = !!(flags & IPC_OBJECT_COPYIN_FLAGS_ALLOW_REPLY_MAKE_SEND_ONCE);
2166	boolean_t allow_reply_move_so = !!(flags & IPC_OBJECT_COPYIN_FLAGS_ALLOW_REPLY_MOVE_SEND_ONCE);
2167
2168	*releasep = IP_NULL;
2169	*assertcntp = `0`;
2170
2171	bits = entry->ie_bits;
2172
2173	assert(is_active(space));
2174
2175	switch (msgt_name) {
2176	case MACH_MSG_TYPE_MAKE_SEND: {
2177	if ((bits & MACH_PORT_TYPE_RECEIVE) == `0`) {
2178	goto invalid_right;
2179	}
2180
2181	port = ip_object_to_port(entry->ie_object);
2182	assert(port != IP_NULL);
2183
2184	if (ip_is_reply_port(port)) {
2185	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
2186	return KERN_INVALID_CAPABILITY;
2187	}
2188
2189	ip_mq_lock(port);
2190	assert(ip_get_receiver_name(port) == name);
2191	assert(ip_in_space(port, space));
2192
2193	ipc_port_make_send_any_locked(port);
2194	ip_mq_unlock(port);
2195
2196	*objectp = ip_to_object(port);
2197	*sorightp = IP_NULL;
2198	break;
2199	}
2200
2201	case MACH_MSG_TYPE_MAKE_SEND_ONCE: {
2202	if ((bits & MACH_PORT_TYPE_RECEIVE) == `0`) {
2203	goto invalid_right;
2204	}
2205
2206	port = ip_object_to_port(entry->ie_object);
2207	assert(port != IP_NULL);
2208
2209	if ((ip_is_reply_port(port)) && !allow_reply_make_so) {
2210	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
2211	return KERN_INVALID_CAPABILITY;
2212	}
2213
2214	ip_mq_lock(port);
2215	require_ip_active(port);
2216	assert(ip_get_receiver_name(port) == name);
2217	assert(ip_in_space(port, space));
2218
2219	ipc_port_make_sonce_locked(port);
2220	ip_mq_unlock(port);
2221
2222	*objectp = ip_to_object(port);
2223	*sorightp = IP_NULL;
2224	break;
2225	}
2226
2227	case MACH_MSG_TYPE_MOVE_RECEIVE: {
2228	bool allow_imm_recv = false;
2229	ipc_port_t request = IP_NULL;
2230	waitq_link_list_t free_l = { };
2231
2232	if ((bits & MACH_PORT_TYPE_RECEIVE) == `0`) {
2233	goto invalid_right;
2234	}
2235
2236	port = ip_object_to_port(entry->ie_object);
2237	assert(port != IP_NULL);
2238
2239	ip_mq_lock(port);
2240	require_ip_active(port);
2241	assert(ip_get_receiver_name(port) == name);
2242	assert(ip_in_space(port, space));
2243
2244	/*
2245	* Disallow moving receive-right kobjects/kolabel, e.g. mk_timer ports
2246	* The ipc_port structure uses the kdata union of kobject and
2247	* imp_task exclusively. Thus, general use of a kobject port as
2248	* a receive right can cause type confusion in the importance
2249	* code.
2250	*/
2251	if (ip_is_kobject(port) \|\| ip_is_kolabeled(port)) {
2252	/*
2253	* Distinguish an invalid right, e.g., trying to move
2254	* a send right as a receive right, from this
2255	* situation which is, "This is a valid receive right,
2256	* but it's also a kobject and you can't move it."
2257	*/
2258	ip_mq_unlock(port);
2259	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_IMMOVABLE);
2260	return KERN_INVALID_CAPABILITY;
2261	}
2262
2263	if (port->ip_service_port && port->ip_splabel &&
2264	!ipc_service_port_label_is_bootstrap_port((ipc_service_port_label_t)port->ip_splabel)) {
2265	allow_imm_recv = !!(flags & IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_RECEIVE);
2266	} else if (ip_is_libxpc_connection_port(port)) {
2267	allow_imm_recv = !!(flags & IPC_OBJECT_COPYIN_FLAGS_ALLOW_CONN_IMMOVABLE_RECEIVE);
2268	}
2269
2270	if ((!allow_imm_recv && port->ip_immovable_receive) \|\|
2271	ip_is_reply_port(port) \|\| / never move reply port rcv right /
2272	port->ip_specialreply) {
2273	assert(!ip_in_space(port, ipc_space_kernel));
2274	ip_mq_unlock(port);
2275	assert(current_task() != kernel_task);
2276	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_IMMOVABLE);
2277	return KERN_INVALID_CAPABILITY;
2278	}
2279
2280	if (guard_flags != NULL) {
2281	kr = ipc_right_copyin_check_guard_locked(name, port, context, guard_flags);
2282	if (kr != KERN_SUCCESS) {
2283	ip_mq_unlock(port);
2284	return kr;
2285	}
2286	}
2287
2288	if (bits & MACH_PORT_TYPE_SEND) {
2289	assert(IE_BITS_TYPE(bits) ==
2290	MACH_PORT_TYPE_SEND_RECEIVE);
2291	assert(IE_BITS_UREFS(bits) > `0`);
2292	assert(port->ip_srights > `0`);
2293
2294	bits &= ~MACH_PORT_TYPE_RECEIVE;
2295	bits \|= MACH_PORT_TYPE_EX_RECEIVE;
2296	entry->ie_bits = bits;
2297	ipc_hash_insert(space, ip_to_object(port),
2298	name, entry);
2299	ip_reference(port);
2300	ipc_entry_modified(space, name, entry);
2301	} else {
2302	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_RECEIVE);
2303	assert(IE_BITS_UREFS(bits) == `0`);
2304
2305	request = ipc_right_request_cancel_macro(space, port,
2306	name, entry);
2307	assert(!ip_is_pinned(port));
2308	ipc_entry_dealloc(space, ip_to_object(port), name, entry);
2309	}
2310
2311	/ ipc_port_clear_receiver unguards the port and clears the ip_immovable_receive bit /
2312	(void)ipc_port_clear_receiver(port, FALSE, free_l: &free_l); / don't destroy the port/mqueue /
2313	if (guard_flags != NULL) {
2314	/ this flag will be cleared during copyout /
2315	guard_flags = guard_flags \| MACH_MSG_GUARD_FLAGS_UNGUARDED_ON_SEND;
2316	}
2317
2318	#if IMPORTANCE_INHERITANCE
2319	/*
2320	* Account for boosts the current task is going to lose when
2321	* copying this right in. Tempowner ports have either not
2322	* been accounting to any task (and therefore are already in
2323	* "limbo" state w.r.t. assertions) or to some other specific
2324	* task. As we have no way to drop the latter task's assertions
2325	* here, We'll deduct those when we enqueue it on its
2326	* destination port (see ipc_port_check_circularity()).
2327	*/
2328	if (port->ip_tempowner == `0`) {
2329	assert(IIT_NULL == ip_get_imp_task(port));
2330
2331	/ ports in limbo have to be tempowner /
2332	port->ip_tempowner = `1`;
2333	*assertcntp = port->ip_impcount;
2334	}
2335	#endif /* IMPORTANCE_INHERITANCE */
2336
2337	ip_mq_unlock(port);
2338
2339	/*
2340	* This is unfortunate to do this while the space is locked,
2341	* but plumbing it through all callers really hurts.
2342	*/
2343	waitq_link_free_list(type: WQT_PORT_SET, list: &free_l);
2344
2345	*objectp = ip_to_object(port);
2346	*sorightp = request;
2347	break;
2348	}
2349
2350	case MACH_MSG_TYPE_COPY_SEND: {
2351	if (bits & MACH_PORT_TYPE_DEAD_NAME) {
2352	goto copy_dead;
2353	}
2354
2355	/ allow for dead send-once rights /
2356
2357	if ((bits & MACH_PORT_TYPE_SEND_RIGHTS) == `0`) {
2358	goto invalid_right;
2359	}
2360
2361	assert(IE_BITS_UREFS(bits) > `0`);
2362
2363	port = ip_object_to_port(entry->ie_object);
2364	assert(port != IP_NULL);
2365
2366	if (ipc_right_check(space, port, name, entry, flags: IPC_OBJECT_COPYIN_FLAGS_NONE)) {
2367	bits = entry->ie_bits;
2368	*releasep = port;
2369	goto copy_dead;
2370	}
2371	/ port is locked and active /
2372
2373	if ((bits & MACH_PORT_TYPE_SEND) == `0`) {
2374	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_SEND_ONCE);
2375	assert(port->ip_sorights > `0`);
2376
2377	ip_mq_unlock(port);
2378	goto invalid_right;
2379	}
2380
2381	if (ip_is_reply_port(port)) {
2382	ip_mq_unlock(port);
2383	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
2384	return KERN_INVALID_CAPABILITY;
2385	}
2386
2387	if (!allow_imm_send && ip_is_immovable_send(port)) {
2388	ip_mq_unlock(port);
2389	mach_port_guard_exception_immovable(space, name, port, MPG_FLAGS_NONE);
2390	return KERN_INVALID_CAPABILITY;
2391	}
2392
2393	ipc_port_copy_send_any_locked(port);
2394	ip_mq_unlock(port);
2395
2396	*objectp = ip_to_object(port);
2397	*sorightp = IP_NULL;
2398	break;
2399	}
2400
2401	case MACH_MSG_TYPE_MOVE_SEND: {
2402	ipc_port_t request = IP_NULL;
2403
2404	if (bits & MACH_PORT_TYPE_DEAD_NAME) {
2405	goto move_dead;
2406	}
2407
2408	/ allow for dead send-once rights /
2409
2410	if ((bits & MACH_PORT_TYPE_SEND_RIGHTS) == `0`) {
2411	goto invalid_right;
2412	}
2413
2414	assert(IE_BITS_UREFS(bits) > `0`);
2415
2416	port = ip_object_to_port(entry->ie_object);
2417	assert(port != IP_NULL);
2418
2419	if (ipc_right_check(space, port, name, entry, flags: IPC_OBJECT_COPYIN_FLAGS_NONE)) {
2420	bits = entry->ie_bits;
2421	*releasep = port;
2422	goto move_dead;
2423	}
2424	/ port is locked and active /
2425
2426	if ((bits & MACH_PORT_TYPE_SEND) == `0`) {
2427	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_SEND_ONCE);
2428	assert(port->ip_sorights > `0`);
2429	ip_mq_unlock(port);
2430	goto invalid_right;
2431	}
2432
2433	if (ip_is_reply_port(port)) {
2434	ip_mq_unlock(port);
2435	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
2436	return KERN_INVALID_CAPABILITY;
2437	}
2438
2439	if (!allow_imm_send && ip_is_immovable_send(port)) {
2440	ip_mq_unlock(port);
2441	mach_port_guard_exception_immovable(space, name, port, MPG_FLAGS_NONE);
2442	return KERN_INVALID_CAPABILITY;
2443	}
2444
2445	if (IE_BITS_UREFS(bits) == `1`) {
2446	assert(port->ip_srights > `0`);
2447	if (bits & MACH_PORT_TYPE_RECEIVE) {
2448	assert(ip_get_receiver_name(port) == name);
2449	assert(ip_in_space(port, space));
2450	assert(IE_BITS_TYPE(bits) ==
2451	MACH_PORT_TYPE_SEND_RECEIVE);
2452	assert(!ip_is_pinned(port));
2453
2454	entry->ie_bits = bits & ~
2455	(IE_BITS_UREFS_MASK \| MACH_PORT_TYPE_SEND);
2456	ipc_entry_modified(space, name, entry);
2457	ip_reference(port);
2458	} else {
2459	assert(IE_BITS_TYPE(bits) ==
2460	MACH_PORT_TYPE_SEND);
2461
2462	if (ip_is_pinned(port)) {
2463	ip_mq_unlock(port);
2464	mach_port_guard_exception_pinned(space, name, port, MPG_FLAGS_MOD_REFS_PINNED_COPYIN);
2465	return KERN_INVALID_CAPABILITY;
2466	}
2467
2468	request = ipc_right_request_cancel_macro(space, port,
2469	name, entry);
2470	ipc_hash_delete(space, ip_to_object(port),
2471	name, entry);
2472	ipc_entry_dealloc(space, ip_to_object(port),
2473	name, entry);
2474	/ transfer entry's reference to caller /
2475	}
2476	} else {
2477	ipc_port_copy_send_any_locked(port);
2478	/ if urefs are pegged due to overflow, leave them pegged /
2479	if (IE_BITS_UREFS(bits) < MACH_PORT_UREFS_MAX) {
2480	entry->ie_bits = bits - `1`; / decrement urefs /
2481	}
2482	ipc_entry_modified(space, name, entry);
2483	}
2484
2485	ip_mq_unlock(port);
2486	*objectp = ip_to_object(port);
2487	*sorightp = request;
2488	break;
2489	}
2490
2491	case MACH_MSG_TYPE_MOVE_SEND_ONCE: {
2492	ipc_port_t request;
2493
2494	if (bits & MACH_PORT_TYPE_DEAD_NAME) {
2495	goto move_dead;
2496	}
2497
2498	/ allow for dead send rights /
2499
2500	if ((bits & MACH_PORT_TYPE_SEND_RIGHTS) == `0`) {
2501	goto invalid_right;
2502	}
2503
2504	assert(IE_BITS_UREFS(bits) > `0`);
2505
2506	port = ip_object_to_port(entry->ie_object);
2507	assert(port != IP_NULL);
2508
2509	if (ipc_right_check(space, port, name, entry, flags)) {
2510	bits = entry->ie_bits;
2511	*releasep = port;
2512	goto move_dead;
2513	}
2514	/*
2515	* port is locked, but may not be active:
2516	* Allow copyin of inactive ports with no dead name request and treat it
2517	* as if the copyin of the port was successful and port became inactive
2518	* later.
2519	*/
2520
2521	if ((bits & MACH_PORT_TYPE_SEND_ONCE) == `0`) {
2522	assert(bits & MACH_PORT_TYPE_SEND);
2523	assert(port->ip_srights > `0`);
2524
2525	ip_mq_unlock(port);
2526	goto invalid_right;
2527	}
2528
2529	if (ip_is_reply_port(port) && !allow_reply_move_so) {
2530	ip_mq_unlock(port);
2531	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
2532	return KERN_INVALID_CAPABILITY;
2533	}
2534
2535	if (!allow_imm_send && ip_is_immovable_send(port)) {
2536	ip_mq_unlock(port);
2537	mach_port_guard_exception_immovable(space, name, port, MPG_FLAGS_NONE);
2538	return KERN_INVALID_CAPABILITY;
2539	}
2540
2541	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_SEND_ONCE);
2542	assert(IE_BITS_UREFS(bits) == `1`);
2543	assert(port->ip_sorights > `0`);
2544
2545	request = ipc_right_request_cancel_macro(space, port, name, entry);
2546	assert(!ip_is_pinned(port));
2547	ipc_entry_dealloc(space, ip_to_object(port), name, entry);
2548	ip_mq_unlock(port);
2549
2550	*objectp = ip_to_object(port);
2551	*sorightp = request;
2552	break;
2553	}
2554
2555	default:
2556	invalid_right:
2557	return KERN_INVALID_RIGHT;
2558	}
2559
2560	return KERN_SUCCESS;
2561
2562	copy_dead:
2563	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_DEAD_NAME);
2564	assert(IE_BITS_UREFS(bits) > `0`);
2565	assert(entry->ie_request == IE_REQ_NONE);
2566	assert(entry->ie_object == `0`);
2567
2568	if (!deadok) {
2569	goto invalid_right;
2570	}
2571
2572	*objectp = IO_DEAD;
2573	*sorightp = IP_NULL;
2574	return KERN_SUCCESS;
2575
2576	move_dead:
2577	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_DEAD_NAME);
2578	assert(IE_BITS_UREFS(bits) > `0`);
2579	assert(entry->ie_request == IE_REQ_NONE);
2580	assert(entry->ie_object == IO_NULL);
2581
2582	if (!deadok) {
2583	goto invalid_right;
2584	}
2585
2586	if (IE_BITS_UREFS(bits) == `1`) {
2587	ipc_entry_dealloc(space, IO_NULL, name, entry);
2588	} else {
2589	/ if urefs are pegged due to overflow, leave them pegged /
2590	if (IE_BITS_UREFS(bits) < MACH_PORT_UREFS_MAX) {
2591	entry->ie_bits = bits - `1`; / decrement urefs /
2592	}
2593	ipc_entry_modified(space, name, entry);
2594	}
2595	*objectp = IO_DEAD;
2596	*sorightp = IP_NULL;
2597	return KERN_SUCCESS;
2598	}
2599
2600	/*
2601	* Routine: ipc_right_copyin_two_move_sends
2602	* Purpose:
2603	* Like ipc_right_copyin with MACH_MSG_TYPE_MOVE_SEND
2604	* and deadok == FALSE, except that this moves two
2605	* send rights at once.
2606	* Conditions:
2607	* The space is write-locked and active.
2608	* The object is returned with two refs/send rights.
2609	* Returns:
2610	* KERN_SUCCESS Acquired an object.
2611	* KERN_INVALID_RIGHT Name doesn't denote correct right.
2612	* KERN_INVALID_CAPABILITY Name does not allow copyin move send capability.
2613	*/
2614	static
2615	kern_return_t
2616	ipc_right_copyin_two_move_sends(
2617	ipc_space_t space,
2618	mach_port_name_t name,
2619	ipc_entry_t entry,
2620	ipc_object_t *objectp,
2621	ipc_port_t *sorightp,
2622	ipc_port_t *releasep)
2623	{
2624	ipc_entry_bits_t bits;
2625	mach_port_urefs_t urefs;
2626	ipc_port_t port;
2627	ipc_port_t request = IP_NULL;
2628
2629	*releasep = IP_NULL;
2630
2631	assert(is_active(space));
2632
2633	bits = entry->ie_bits;
2634
2635	if ((bits & MACH_PORT_TYPE_SEND) == `0`) {
2636	goto invalid_right;
2637	}
2638
2639	urefs = IE_BITS_UREFS(bits);
2640	if (urefs < `2`) {
2641	goto invalid_right;
2642	}
2643
2644	port = ip_object_to_port(entry->ie_object);
2645	assert(port != IP_NULL);
2646
2647	if (ip_is_reply_port(port)) {
2648	mach_port_guard_exception(name, inguard: `0`, portguard: `0`, reason: kGUARD_EXC_INVALID_RIGHT);
2649	return KERN_INVALID_CAPABILITY;
2650	}
2651
2652	if (ipc_right_check(space, port, name, entry, flags: IPC_OBJECT_COPYIN_FLAGS_NONE)) {
2653	*releasep = port;
2654	goto invalid_right;
2655	}
2656	/ port is locked and active /
2657
2658	/*
2659	* To reach here we either have:
2660	* (1) reply_name == voucher_name, but voucher is not immovable send right.
2661	* (2) reply_name == dest_name, but ipc_right_copyin_check_reply() guaranteed
2662	* that we can't use MOVE_SEND on reply port marked as immovable send right.
2663	*/
2664	assert(!ip_is_immovable_send(port));
2665	assert(!ip_is_pinned(port));
2666
2667	if (urefs > `2`) {
2668	/*
2669	* We are moving 2 urefs as naked send rights, which is decomposed as:
2670	* - two copy sends (which doesn't affect the make send count)
2671	* - decrementing the local urefs twice.
2672	*/
2673	ipc_port_copy_send_any_locked(port);
2674	ipc_port_copy_send_any_locked(port);
2675	/ if urefs are pegged due to overflow, leave them pegged /
2676	if (IE_BITS_UREFS(bits) < MACH_PORT_UREFS_MAX) {
2677	entry->ie_bits = bits - `2`; / decrement urefs /
2678	}
2679	ipc_entry_modified(space, name, entry);
2680	} else {
2681	/*
2682	* We have exactly 2 send rights for this port in this space,
2683	* which means that we will liberate the naked send right held
2684	* by this entry.
2685	*
2686	* However refcounting rules around entries are that naked send rights
2687	* on behalf of spaces do not have an associated port reference,
2688	* so we need to donate one ...
2689	*/
2690	ipc_port_copy_send_any_locked(port);
2691
2692	if (bits & MACH_PORT_TYPE_RECEIVE) {
2693	assert(ip_get_receiver_name(port) == name);
2694	assert(ip_in_space(port, space));
2695	assert(IE_BITS_TYPE(bits) ==
2696	MACH_PORT_TYPE_SEND_RECEIVE);
2697
2698	/ ... that we inject manually when the entry stays alive /
2699	entry->ie_bits = bits & ~(IE_BITS_UREFS_MASK \| MACH_PORT_TYPE_SEND);
2700	ipc_entry_modified(space, name, entry);
2701	ip_reference(port);
2702	} else {
2703	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_SEND);
2704
2705	/ ... that we steal from the entry when it dies /
2706	request = ipc_right_request_cancel_macro(space, port,
2707	name, entry);
2708	ipc_hash_delete(space, ip_to_object(port),
2709	name, entry);
2710	ipc_entry_dealloc(space, ip_to_object(port),
2711	name, entry);
2712	}
2713	}
2714
2715	ip_mq_unlock(port);
2716
2717	*objectp = ip_to_object(port);
2718	*sorightp = request;
2719	return KERN_SUCCESS;
2720
2721	invalid_right:
2722	return KERN_INVALID_RIGHT;
2723	}
2724
2725
2726	/*
2727	* Routine: ipc_right_copyin_two
2728	* Purpose:
2729	* Like ipc_right_copyin with two dispositions,
2730	* each of which results in a send or send-once right,
2731	* and deadok = FALSE.
2732	* Conditions:
2733	* The space is write-locked and active.
2734	* The object is returned with two refs/rights.
2735	* Msgt_one refers to the dest_type.
2736	* Copyin flags are currently only used in the context of send once rights.
2737	* Returns:
2738	* KERN_SUCCESS Acquired an object.
2739	* KERN_INVALID_RIGHT Name doesn't denote correct right(s).
2740	* KERN_INVALID_CAPABILITY Name doesn't denote correct right for msgt_two.
2741	*/
2742	kern_return_t
2743	ipc_right_copyin_two(
2744	ipc_space_t space,
2745	mach_port_name_t name,
2746	ipc_entry_t entry,
2747	mach_msg_type_name_t msgt_one,
2748	mach_msg_type_name_t msgt_two,
2749	ipc_object_copyin_flags_t flags_one, / Used only for send once rights. /
2750	ipc_object_copyin_flags_t flags_two, / Used only for send once rights. /
2751	ipc_object_t *objectp,
2752	ipc_port_t *sorightp,
2753	ipc_port_t *releasep)
2754	{
2755	ipc_port_t port;
2756	kern_return_t kr;
2757	int assertcnt = `0`;
2758
2759	assert(MACH_MSG_TYPE_PORT_ANY_SEND(msgt_one));
2760	assert(MACH_MSG_TYPE_PORT_ANY_SEND(msgt_two));
2761
2762	/*
2763	* This is a little tedious to make atomic, because
2764	* there are 25 combinations of valid dispositions.
2765	* However, most are easy.
2766	*/
2767
2768	/*
2769	* If either is move-sonce, then there must be an error.
2770	*/
2771	if (msgt_one == MACH_MSG_TYPE_MOVE_SEND_ONCE \|\|
2772	msgt_two == MACH_MSG_TYPE_MOVE_SEND_ONCE) {
2773	return KERN_INVALID_RIGHT;
2774	}
2775
2776	if ((msgt_one == MACH_MSG_TYPE_MAKE_SEND) \|\|
2777	(msgt_one == MACH_MSG_TYPE_MAKE_SEND_ONCE) \|\|
2778	(msgt_two == MACH_MSG_TYPE_MAKE_SEND) \|\|
2779	(msgt_two == MACH_MSG_TYPE_MAKE_SEND_ONCE)) {
2780	/*
2781	* One of the dispositions needs a receive right.
2782	*
2783	* If the copyin below succeeds, we know the receive
2784	* right is there (because the pre-validation of
2785	* the second disposition already succeeded in our
2786	* caller).
2787	*
2788	* Hence the port is not in danger of dying.
2789	*/
2790	ipc_object_t object_two;
2791
2792	flags_one = flags_one \| IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND;
2793	kr = ipc_right_copyin(space, name, entry,
2794	msgt_name: msgt_one, flags: flags_one,
2795	objectp, sorightp, releasep,
2796	assertcntp: &assertcnt, context: `0`, NULL);
2797	assert(assertcnt == `0`);
2798	if (kr != KERN_SUCCESS) {
2799	return kr;
2800	}
2801
2802	assert(IO_VALID(*objectp));
2803	assert(*sorightp == IP_NULL);
2804	assert(*releasep == IP_NULL);
2805
2806	/*
2807	* Now copyin the second (previously validated)
2808	* disposition. The result can't be a dead port,
2809	* as no valid disposition can make us lose our
2810	* receive right.
2811	*/
2812	kr = ipc_right_copyin(space, name, entry,
2813	msgt_name: msgt_two, flags: flags_two,
2814	objectp: &object_two, sorightp, releasep,
2815	assertcntp: &assertcnt, context: `0`, NULL);
2816	assert(assertcnt == `0`);
2817	assert(kr == KERN_SUCCESS);
2818	assert(*sorightp == IP_NULL);
2819	assert(*releasep == IP_NULL);
2820	assert(object_two == *objectp);
2821	assert(entry->ie_bits & MACH_PORT_TYPE_RECEIVE);
2822	} else if ((msgt_one == MACH_MSG_TYPE_MOVE_SEND) &&
2823	(msgt_two == MACH_MSG_TYPE_MOVE_SEND)) {
2824	/*
2825	* This is an easy case. Just use our
2826	* handy-dandy special-purpose copyin call
2827	* to get two send rights for the price of one.
2828	*/
2829	kr = ipc_right_copyin_two_move_sends(space, name, entry,
2830	objectp, sorightp,
2831	releasep);
2832	if (kr != KERN_SUCCESS) {
2833	return kr;
2834	}
2835	} else {
2836	mach_msg_type_name_t msgt_name;
2837
2838	/*
2839	* Must be either a single move-send and a
2840	* copy-send, or two copy-send dispositions.
2841	* Use the disposition with the greatest side
2842	* effects for the actual copyin - then just
2843	* duplicate the send right you get back.
2844	*/
2845	if (msgt_one == MACH_MSG_TYPE_MOVE_SEND \|\|
2846	msgt_two == MACH_MSG_TYPE_MOVE_SEND) {
2847	msgt_name = MACH_MSG_TYPE_MOVE_SEND;
2848	} else {
2849	msgt_name = MACH_MSG_TYPE_COPY_SEND;
2850	}
2851
2852	kr = ipc_right_copyin(space, name, entry,
2853	msgt_name, flags: IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND,
2854	objectp, sorightp, releasep,
2855	assertcntp: &assertcnt, context: `0`, NULL);
2856	assert(assertcnt == `0`);
2857	if (kr != KERN_SUCCESS) {
2858	return kr;
2859	}
2860
2861	/*
2862	* Copy the right we got back. If it is dead now,
2863	* that's OK. Neither right will be usable to send
2864	* a message anyway.
2865	*
2866	* Note that the port could be concurrently moved
2867	* outside of the space as a descriptor, and then
2868	* destroyed, which would not happen under the space lock.
2869	*
2870	* It means we can't use ipc_port_copy_send() which
2871	* may fail if the port died.
2872	*/
2873	port = ip_object_to_port(*objectp);
2874	ip_mq_lock(port);
2875	ipc_port_copy_send_any_locked(port);
2876	ip_mq_unlock(port);
2877	}
2878
2879	return KERN_SUCCESS;
2880	}
2881
2882
2883	/*
2884	* Routine: ipc_right_copyout
2885	* Purpose:
2886	* Copyout a capability to a space.
2887	* If successful, consumes a ref for the object.
2888	*
2889	* Always succeeds when given a newly-allocated entry,
2890	* because user-reference overflow isn't a possibility.
2891	*
2892	* If copying out the object would cause the user-reference
2893	* count in the entry to overflow, then the user-reference
2894	* count is left pegged to its maximum value and the copyout
2895	* succeeds anyway.
2896	* Conditions:
2897	* The space is write-locked and active.
2898	* The object is locked and active.
2899	* The object is unlocked; the space isn't.
2900	* Returns:
2901	* KERN_SUCCESS Copied out capability.
2902	*/
2903
2904	kern_return_t
2905	ipc_right_copyout(
2906	ipc_space_t space,
2907	mach_port_name_t name,
2908	ipc_entry_t entry,
2909	mach_msg_type_name_t msgt_name,
2910	ipc_object_copyout_flags_t flags,
2911	mach_port_context_t *context,
2912	mach_msg_guard_flags_t *guard_flags,
2913	ipc_object_t object)
2914	{
2915	ipc_entry_bits_t bits;
2916	ipc_port_t port;
2917	mach_port_name_t sp_name = MACH_PORT_NULL;
2918	mach_port_context_t sp_context = `0`;
2919
2920	bits = entry->ie_bits;
2921
2922	assert(IO_VALID(object));
2923	assert(io_otype(object) == IOT_PORT);
2924	assert(io_active(object));
2925	assert(entry->ie_object == object);
2926
2927	port = ip_object_to_port(object);
2928
2929	if (flags & IPC_OBJECT_COPYOUT_FLAGS_PINNED) {
2930	assert(!ip_is_pinned(port));
2931	assert(ip_is_immovable_send(port));
2932	assert(task_is_immovable(space->is_task));
2933	assert(task_is_pinned(space->is_task));
2934	port->ip_pinned = `1`;
2935	}
2936
2937	switch (msgt_name) {
2938	case MACH_MSG_TYPE_PORT_SEND_ONCE:
2939
2940	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_NONE);
2941	assert(IE_BITS_UREFS(bits) == `0`);
2942	assert(port->ip_sorights > `0`);
2943
2944	if (port->ip_specialreply) {
2945	ipc_port_adjust_special_reply_port_locked(special_reply_port: port,
2946	kn: current_thread()->ith_knote, IPC_PORT_ADJUST_SR_LINK_WORKLOOP, FALSE);
2947	/ port unlocked on return /
2948	} else {
2949	ip_mq_unlock(port);
2950	}
2951
2952	entry->ie_bits = bits \| (MACH_PORT_TYPE_SEND_ONCE \| `1`); / set urefs to 1 /
2953	ipc_entry_modified(space, name, entry);
2954	break;
2955
2956	case MACH_MSG_TYPE_PORT_SEND:
2957	assert(port->ip_srights > `0`);
2958
2959	if (bits & MACH_PORT_TYPE_SEND) {
2960	mach_port_urefs_t urefs = IE_BITS_UREFS(bits);
2961
2962	assert(port->ip_srights > `1`);
2963	assert(urefs > `0`);
2964	assert(urefs <= MACH_PORT_UREFS_MAX);
2965
2966	if (urefs == MACH_PORT_UREFS_MAX) {
2967	/*
2968	* leave urefs pegged to maximum,
2969	* consume send right and ref
2970	*/
2971
2972	ip_srights_dec(port);
2973	ip_mq_unlock(port);
2974	ip_release_live(port);
2975	return KERN_SUCCESS;
2976	}
2977
2978	/ consume send right and ref /
2979	ip_srights_dec(port);
2980	ip_mq_unlock(port);
2981	ip_release_live(port);
2982	} else if (bits & MACH_PORT_TYPE_RECEIVE) {
2983	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_RECEIVE);
2984	assert(IE_BITS_UREFS(bits) == `0`);
2985
2986	/ transfer send right to entry, consume ref /
2987	ip_mq_unlock(port);
2988	ip_release_live(port);
2989	} else {
2990	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_NONE);
2991	assert(IE_BITS_UREFS(bits) == `0`);
2992
2993	/ transfer send right and ref to entry /
2994	ip_mq_unlock(port);
2995
2996	/ entry is locked holding ref, so can use port /
2997
2998	ipc_hash_insert(space, ip_to_object(port), name, entry);
2999	}
3000
3001	entry->ie_bits = (bits \| MACH_PORT_TYPE_SEND) + `1`; / increment urefs /
3002	ipc_entry_modified(space, name, entry);
3003	break;
3004
3005	case MACH_MSG_TYPE_PORT_RECEIVE: {
3006	ipc_port_t dest;
3007	#if IMPORTANCE_INHERITANCE
3008	natural_t assertcnt = port->ip_impcount;
3009	#endif /* IMPORTANCE_INHERITANCE */
3010
3011	assert(port->ip_mscount == `0`);
3012	assert(!ip_in_a_space(port));
3013
3014	/*
3015	* Don't copyout kobjects or kolabels as receive right
3016	*/
3017	if (ip_is_kobject(port) \|\| ip_is_kolabeled(port)) {
3018	panic("ipc_right_copyout: Copyout kobject/kolabel as receive right");
3019	}
3020
3021	dest = ip_get_destination(port);
3022
3023	/ port transitions to IN-SPACE state /
3024	port->ip_receiver_name = name;
3025	port->ip_receiver = space;
3026
3027	struct knote *kn = current_thread()->ith_knote;
3028
3029	if ((guard_flags != NULL) && ((*guard_flags & MACH_MSG_GUARD_FLAGS_IMMOVABLE_RECEIVE) != `0`)) {
3030	assert(port->ip_immovable_receive == `0`);
3031	port->ip_guarded = `1`;
3032	port->ip_strict_guard = `0`;
3033	/ pseudo receive shouldn't set the receive right as immovable in the sender's space /
3034	if (kn != ITH_KNOTE_PSEUDO) {
3035	port->ip_immovable_receive = `1`;
3036	}
3037	port->ip_context = current_thread()->ith_msg_addr;
3038	*context = port->ip_context;
3039	guard_flags = guard_flags & ~MACH_MSG_GUARD_FLAGS_UNGUARDED_ON_SEND;
3040	}
3041
3042	if (ip_is_libxpc_connection_port(port)) {
3043	/*
3044	* There are 3 ways to reach here.
3045	* 1. A libxpc client successfully sent this receive right to a named service
3046	* and we are copying out in that service's ipc space.
3047	* 2. A libxpc client tried doing (1) but failed so we are doing pseudo-receive.
3048	* 3. Kernel sent this receive right to a libxpc client as a part of port destroyed notification.
3049	*
3050	* This flag needs to be set again in all 3 cases as they reset it as part of their flow.
3051	*/
3052	port->ip_immovable_receive = `1`;
3053	}
3054
3055	/ Check if this is a service port /
3056	if (port->ip_service_port) {
3057	assert(port->ip_splabel != NULL);
3058	/*
3059	* This flag gets reset during all 3 ways described above for libxpc connection port.
3060	* The only difference is launchd acts as an initiator instead of a libxpc client.
3061	*/
3062	if (service_port_defense_enabled) {
3063	port->ip_immovable_receive = `1`;
3064	}
3065
3066	/ Check if this is a port-destroyed notification to ensure*
3067	* that initproc doesnt end up with a guarded service port
3068	* sent in a regular message
3069	*/
3070	if (!ipc_service_port_label_is_pd_notification((ipc_service_port_label_t)port->ip_splabel)) {
3071	goto skip_sp_check;
3072	}
3073
3074	ipc_service_port_label_clear_flag(port_splabel: port->ip_splabel, flag: ISPL_FLAGS_SEND_PD_NOTIFICATION);
3075	#if !(DEVELOPMENT \|\| DEBUG)
3076	if (get_bsdtask_info(current_task()) != initproc) {
3077	goto skip_sp_check;
3078	}
3079	#endif /* !(DEVELOPMENT \|\| DEBUG) */
3080	ipc_service_port_label_get_attr(port_splabel: port->ip_splabel, name: &sp_name, context: &sp_context);
3081	assert(sp_name != MACH_PORT_NULL);
3082	/ Verify the port name and restore the guard value, if any /
3083	if (name != sp_name) {
3084	panic("Service port name = 0x%x doesnt match the stored launchd port name = 0x%x", name, sp_name);
3085	}
3086	if (sp_context) {
3087	port->ip_guarded = `1`;
3088	port->ip_strict_guard = `1`;
3089	port->ip_context = sp_context;
3090	}
3091	}
3092	skip_sp_check:
3093
3094	assert((bits & MACH_PORT_TYPE_RECEIVE) == `0`);
3095	if (bits & MACH_PORT_TYPE_SEND) {
3096	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_SEND);
3097	assert(IE_BITS_UREFS(bits) > `0`);
3098	assert(port->ip_srights > `0`);
3099	} else {
3100	assert(IE_BITS_TYPE(bits) == MACH_PORT_TYPE_NONE);
3101	assert(IE_BITS_UREFS(bits) == `0`);
3102	}
3103	entry->ie_bits = bits \| MACH_PORT_TYPE_RECEIVE;
3104	ipc_entry_modified(space, name, entry);
3105
3106	boolean_t sync_bootstrap_checkin = FALSE;
3107	if (kn != ITH_KNOTE_PSEUDO && port->ip_sync_bootstrap_checkin) {
3108	sync_bootstrap_checkin = TRUE;
3109	}
3110	if (!ITH_KNOTE_VALID(kn, MACH_MSG_TYPE_PORT_RECEIVE)) {
3111	kn = NULL;
3112	}
3113	ipc_port_adjust_port_locked(port, kn, sync_bootstrap_checkin);
3114	/ port unlocked /
3115
3116	if (bits & MACH_PORT_TYPE_SEND) {
3117	ip_release_live(port);
3118
3119	/ entry is locked holding ref, so can use port /
3120	ipc_hash_delete(space, ip_to_object(port), name, entry);
3121	}
3122
3123	if (dest != IP_NULL) {
3124	#if IMPORTANCE_INHERITANCE
3125	/*
3126	* Deduct the assertion counts we contributed to
3127	* the old destination port. They've already
3128	* been reflected into the task as a result of
3129	* getting enqueued.
3130	*/
3131	ip_mq_lock(dest);
3132	ipc_port_impcount_delta(port: dest, delta: `0` - assertcnt, IP_NULL);
3133	ip_mq_unlock(dest);
3134	#endif /* IMPORTANCE_INHERITANCE */
3135
3136	/ Drop turnstile ref on dest /
3137	ipc_port_send_turnstile_complete(port: dest);
3138	/ space lock is held /
3139	ip_release_safe(dest);
3140	}
3141	break;
3142	}
3143
3144	default:
3145	panic("ipc_right_copyout: strange rights");
3146	}
3147	return KERN_SUCCESS;
3148	}
3149

Browse the source code of xnu/osfmk/ipc/ipc_right.c