xref: /illumos-gate/usr/src/uts/common/io/ppp/sppp/sppp.c (revision 619a0f6c7269dc1950adc2e401a36d843dd9fa02)
1 /*
2  * sppp.c - Solaris STREAMS PPP multiplexing pseudo-driver
3  *
4  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
5  * Use is subject to license terms.
6  * Copyright (c) 2016 by Delphix. All rights reserved.
7  *
8  * Permission to use, copy, modify, and distribute this software and its
9  * documentation is hereby granted, provided that the above copyright
10  * notice appears in all copies.
11  *
12  * SUN MAKES NO REPRESENTATION OR WARRANTIES ABOUT THE SUITABILITY OF
13  * THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
14  * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
15  * PARTICULAR PURPOSE, OR NON-INFRINGEMENT.  SUN SHALL NOT BE LIABLE FOR
16  * ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR
17  * DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES
18  *
19  * Copyright (c) 1994 The Australian National University.
20  * All rights reserved.
21  *
22  * Permission to use, copy, modify, and distribute this software and its
23  * documentation is hereby granted, provided that the above copyright
24  * notice appears in all copies.  This software is provided without any
25  * warranty, express or implied. The Australian National University
26  * makes no representations about the suitability of this software for
27  * any purpose.
28  *
29  * IN NO EVENT SHALL THE AUSTRALIAN NATIONAL UNIVERSITY BE LIABLE TO ANY
30  * PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
31  * ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF
32  * THE AUSTRALIAN NATIONAL UNIVERSITY HAS BEEN ADVISED OF THE POSSIBILITY
33  * OF SUCH DAMAGE.
34  *
35  * THE AUSTRALIAN NATIONAL UNIVERSITY SPECIFICALLY DISCLAIMS ANY WARRANTIES,
36  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
37  * AND FITNESS FOR A PARTICULAR PURPOSE.  THE SOFTWARE PROVIDED HEREUNDER IS
38  * ON AN "AS IS" BASIS, AND THE AUSTRALIAN NATIONAL UNIVERSITY HAS NO
39  * OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS,
40  * OR MODIFICATIONS.
41  *
42  * This driver is derived from the original SVR4 STREAMS PPP driver
43  * originally written by Paul Mackerras <paul.mackerras@cs.anu.edu.au>.
44  *
45  * Adi Masputra <adi.masputra@sun.com> rewrote and restructured the code
46  * for improved performance and scalability.
47  */
48 
49 #define	RCSID	"$Id: sppp.c,v 1.0 2000/05/08 01:10:12 masputra Exp $"
50 
51 #include <sys/types.h>
52 #include <sys/debug.h>
53 #include <sys/param.h>
54 #include <sys/stat.h>
55 #include <sys/stream.h>
56 #include <sys/stropts.h>
57 #include <sys/sysmacros.h>
58 #include <sys/errno.h>
59 #include <sys/time.h>
60 #include <sys/cmn_err.h>
61 #include <sys/kmem.h>
62 #include <sys/conf.h>
63 #include <sys/dlpi.h>
64 #include <sys/ddi.h>
65 #include <sys/kstat.h>
66 #include <sys/strsun.h>
67 #include <sys/ethernet.h>
68 #include <sys/policy.h>
69 #include <sys/zone.h>
70 #include <net/ppp_defs.h>
71 #include <net/pppio.h>
72 #include "sppp.h"
73 #include "s_common.h"
74 
75 /*
76  * This is used to tag official Solaris sources.  Please do not define
77  * "INTERNAL_BUILD" when building this software outside of Sun Microsystems.
78  */
79 #ifdef INTERNAL_BUILD
80 /* MODINFO is limited to 32 characters. */
81 const char sppp_module_description[] = "PPP 4.0 mux";
82 #else /* INTERNAL_BUILD */
83 const char sppp_module_description[] = "ANU PPP mux";
84 
85 /* LINTED */
86 static const char buildtime[] = "Built " __DATE__ " at " __TIME__
87 #ifdef DEBUG
88 " DEBUG"
89 #endif
90 "\n";
91 #endif /* INTERNAL_BUILD */
92 
93 static void	sppp_inner_ioctl(queue_t *, mblk_t *);
94 static void	sppp_outer_ioctl(queue_t *, mblk_t *);
95 static queue_t	*sppp_send(queue_t *, mblk_t **, spppstr_t *);
96 static queue_t	*sppp_recv(queue_t *, mblk_t **, spppstr_t *);
97 static void	sppp_recv_nondata(queue_t *, mblk_t *, spppstr_t *);
98 static queue_t	*sppp_outpkt(queue_t *, mblk_t **, int, spppstr_t *);
99 static spppstr_t *sppp_inpkt(queue_t *, mblk_t *, spppstr_t *);
100 static int	sppp_kstat_update(kstat_t *, int);
101 static void	sppp_release_pkts(sppa_t *, uint16_t);
102 
103 /*
104  * sps_list contains the list of active per-stream instance state structures
105  * ordered on the minor device number (see sppp.h for details). All streams
106  * opened to this driver are threaded together in this list.
107  */
108 static spppstr_t *sps_list = NULL;
109 /*
110  * ppa_list contains the list of active per-attachment instance state
111  * structures ordered on the ppa id number (see sppp.h for details). All of
112  * the ppa structures created once per PPPIO_NEWPPA ioctl are threaded together
113  * in this list. There is exactly one ppa structure for a given PPP interface,
114  * and multiple sps streams (upper streams) may share a ppa by performing
115  * an attachment explicitly (PPPIO_ATTACH) or implicitly (DL_ATTACH_REQ).
116  */
117 static sppa_t *ppa_list = NULL;
118 
119 static const char *kstats_names[] = { SPPP_KSTATS_NAMES };
120 static const char *kstats64_names[] = { SPPP_KSTATS64_NAMES };
121 
122 /*
123  * map proto (which is an IANA defined ppp network protocol) to
124  * a bit position indicated by NP_* in ppa_npflag
125  */
126 static uint32_t
127 sppp_ppp2np(uint16_t proto)
128 {
129 	switch (proto) {
130 	case PPP_IP:
131 		return (NP_IP);
132 	case PPP_IPV6:
133 		return (NP_IPV6);
134 	default:
135 		return (0);
136 	}
137 }
138 
139 /*
140  * sppp_open()
141  *
142  * MT-Perimeters:
143  *    exclusive inner, exclusive outer.
144  *
145  * Description:
146  *    Common open procedure for module.
147  */
148 /* ARGSUSED */
149 int
150 sppp_open(queue_t *q, dev_t *devp, int oflag, int sflag, cred_t *credp)
151 {
152 	spppstr_t	*sps;
153 	spppstr_t	**nextmn;
154 	minor_t		mn;
155 
156 	ASSERT(q != NULL && devp != NULL);
157 	ASSERT(sflag != MODOPEN);
158 
159 	if (q->q_ptr != NULL) {
160 		return (0);		/* already open */
161 	}
162 	if (sflag != CLONEOPEN) {
163 		return (OPENFAIL);
164 	}
165 	/*
166 	 * The sps list is sorted using the minor number as the key. The
167 	 * following code walks the list to find the lowest valued minor
168 	 * number available to be used.
169 	 */
170 	mn = 0;
171 	for (nextmn = &sps_list; (sps = *nextmn) != NULL;
172 	    nextmn = &sps->sps_nextmn) {
173 		if (sps->sps_mn_id != mn) {
174 			break;
175 		}
176 		++mn;
177 	}
178 	sps = (spppstr_t *)kmem_zalloc(sizeof (spppstr_t), KM_SLEEP);
179 	ASSERT(sps != NULL);		/* KM_SLEEP must never return NULL */
180 	sps->sps_nextmn = *nextmn;	/* insert stream in global list */
181 	*nextmn = sps;
182 	sps->sps_mn_id = mn;		/* save minor id for this stream */
183 	sps->sps_rq = q;		/* save read queue pointer */
184 	sps->sps_sap = -1;		/* no sap bound to stream */
185 	sps->sps_dlstate = DL_UNATTACHED; /* dlpi state is unattached */
186 	sps->sps_npmode = NPMODE_DROP;	/* drop all packets initially */
187 	sps->sps_zoneid = crgetzoneid(credp);
188 	q->q_ptr = WR(q)->q_ptr = (caddr_t)sps;
189 	/*
190 	 * We explicitly disable the automatic queue scheduling for the
191 	 * write-side to obtain complete control over queuing during transmit.
192 	 * Packets will be queued at the upper write queue and the service
193 	 * routine will not be called until it gets scheduled by having the
194 	 * lower write service routine call the qenable(WR(uq)) for all streams
195 	 * attached to the same ppa instance.
196 	 */
197 	noenable(WR(q));
198 	*devp = makedevice(getmajor(*devp), mn);
199 	qprocson(q);
200 	return (0);
201 }
202 
203 /*
204  * Free storage used by a PPA.  This is not called until the last PPA
205  * user closes their connection or reattaches to a different PPA.
206  */
207 static void
208 sppp_free_ppa(sppa_t *ppa)
209 {
210 	sppa_t **nextppa;
211 
212 	ASSERT(ppa->ppa_refcnt == 1);
213 	if (ppa->ppa_kstats != NULL) {
214 		kstat_delete(ppa->ppa_kstats);
215 		ppa->ppa_kstats = NULL;
216 	}
217 	mutex_destroy(&ppa->ppa_sta_lock);
218 	mutex_destroy(&ppa->ppa_npmutex);
219 	rw_destroy(&ppa->ppa_sib_lock);
220 	nextppa = &ppa_list;
221 	while (*nextppa != NULL) {
222 		if (*nextppa == ppa) {
223 			*nextppa = ppa->ppa_nextppa;
224 			break;
225 		}
226 		nextppa = &(*nextppa)->ppa_nextppa;
227 	}
228 	kmem_free(ppa, sizeof (*ppa));
229 }
230 
231 /*
232  * Create a new PPA.  Caller must be exclusive on outer perimeter.
233  */
234 sppa_t *
235 sppp_create_ppa(uint32_t ppa_id, zoneid_t zoneid)
236 {
237 	sppa_t *ppa;
238 	sppa_t *curppa;
239 	sppa_t **availppa;
240 	char unit[32];		/* Unit name */
241 	const char **cpp;
242 	kstat_t *ksp;
243 	kstat_named_t *knt;
244 
245 	/*
246 	 * NOTE: unit *must* be named for the driver
247 	 * name plus the ppa number so that netstat
248 	 * can find the statistics.
249 	 */
250 	(void) sprintf(unit, "%s" "%d", PPP_DRV_NAME, ppa_id);
251 	/*
252 	 * Make sure we can allocate a buffer to
253 	 * contain the ppa to be sent upstream, as
254 	 * well as the actual ppa structure and its
255 	 * associated kstat structure.
256 	 */
257 	ppa = (sppa_t *)kmem_zalloc(sizeof (sppa_t),
258 	    KM_NOSLEEP);
259 	ksp = kstat_create(PPP_DRV_NAME, ppa_id, unit, "net", KSTAT_TYPE_NAMED,
260 	    sizeof (sppp_kstats_t) / sizeof (kstat_named_t), 0);
261 
262 	if (ppa == NULL || ksp == NULL) {
263 		if (ppa != NULL) {
264 			kmem_free(ppa, sizeof (sppa_t));
265 		}
266 		if (ksp != NULL) {
267 			kstat_delete(ksp);
268 		}
269 		return (NULL);
270 	}
271 	ppa->ppa_kstats = ksp;		/* chain kstat structure */
272 	ppa->ppa_ppa_id = ppa_id;	/* record ppa id */
273 	ppa->ppa_zoneid = zoneid;	/* zone that owns this PPA */
274 	ppa->ppa_mtu = PPP_MAXMTU;	/* 65535-(PPP_HDRLEN+PPP_FCSLEN) */
275 	ppa->ppa_mru = PPP_MAXMRU;	/* 65000 */
276 
277 	mutex_init(&ppa->ppa_sta_lock, NULL, MUTEX_DRIVER, NULL);
278 	mutex_init(&ppa->ppa_npmutex, NULL, MUTEX_DRIVER, NULL);
279 	rw_init(&ppa->ppa_sib_lock, NULL, RW_DRIVER, NULL);
280 
281 	/*
282 	 * Prepare and install kstat counters.  Note that for netstat
283 	 * -i to work, there needs to be "ipackets", "opackets",
284 	 * "ierrors", and "oerrors" kstat named variables.
285 	 */
286 	knt = (kstat_named_t *)ksp->ks_data;
287 	for (cpp = kstats_names; cpp < kstats_names + Dim(kstats_names);
288 	    cpp++) {
289 		kstat_named_init(knt, *cpp, KSTAT_DATA_UINT32);
290 		knt++;
291 	}
292 	for (cpp = kstats64_names; cpp < kstats64_names + Dim(kstats64_names);
293 	    cpp++) {
294 		kstat_named_init(knt, *cpp, KSTAT_DATA_UINT64);
295 		knt++;
296 	}
297 	ksp->ks_update = sppp_kstat_update;
298 	ksp->ks_private = (void *)ppa;
299 	kstat_install(ksp);
300 
301 	/* link to the next ppa and insert into global list */
302 	availppa = &ppa_list;
303 	while ((curppa = *availppa) != NULL) {
304 		if (ppa_id < curppa->ppa_ppa_id)
305 			break;
306 		availppa = &curppa->ppa_nextppa;
307 	}
308 	ppa->ppa_nextppa = *availppa;
309 	*availppa = ppa;
310 	return (ppa);
311 }
312 
313 /*
314  * sppp_close()
315  *
316  * MT-Perimeters:
317  *    exclusive inner, exclusive outer.
318  *
319  * Description:
320  *    Common close procedure for module.
321  */
322 /* ARGSUSED */
323 int
324 sppp_close(queue_t *q, int flags __unused, cred_t *credp __unused)
325 {
326 	spppstr_t	*sps;
327 	spppstr_t	**nextmn;
328 	spppstr_t	*sib;
329 	sppa_t		*ppa;
330 	mblk_t		*mp;
331 
332 	ASSERT(q != NULL && q->q_ptr != NULL);
333 	sps = (spppstr_t *)q->q_ptr;
334 	qprocsoff(q);
335 
336 	ppa = sps->sps_ppa;
337 	if (ppa == NULL) {
338 		ASSERT(!IS_SPS_CONTROL(sps));
339 		goto close_unattached;
340 	}
341 	if (IS_SPS_CONTROL(sps)) {
342 		uint32_t	cnt = 0;
343 
344 		ASSERT(ppa != NULL);
345 		ASSERT(ppa->ppa_ctl == sps);
346 		ppa->ppa_ctl = NULL;
347 		/*
348 		 * STREAMS framework always issues I_UNLINK prior to close,
349 		 * since we only allow I_LINK under the control stream.
350 		 * A given ppa structure has at most one lower stream pointed
351 		 * by the ppa_lower_wq field, because we only allow a single
352 		 * linkage (I_LINK) to be done on the control stream.
353 		 */
354 		ASSERT(ppa->ppa_lower_wq == NULL);
355 		/*
356 		 * Walk through all of sibling streams attached to this ppa,
357 		 * and remove all references to this ppa. We have exclusive
358 		 * access for the entire driver here, so there's no need
359 		 * to hold ppa_sib_lock.
360 		 */
361 		cnt++;
362 		sib = ppa->ppa_streams;
363 		while (sib != NULL) {
364 			ASSERT(ppa == sib->sps_ppa);
365 			sib->sps_npmode = NPMODE_DROP;
366 			sib->sps_flags &= ~(SPS_PIOATTACH | SPS_CACHED);
367 			/*
368 			 * There should be a preallocated hangup
369 			 * message here.  Fetch it and send it up to
370 			 * the stream head.  This will cause IP to
371 			 * mark the interface as "down."
372 			 */
373 			if ((mp = sib->sps_hangup) != NULL) {
374 				sib->sps_hangup = NULL;
375 				/*
376 				 * M_HANGUP works with IP, but snoop
377 				 * is lame and requires M_ERROR.  Send
378 				 * up a clean error code instead.
379 				 *
380 				 * XXX if snoop is fixed, fix this, too.
381 				 */
382 				MTYPE(mp) = M_ERROR;
383 				*mp->b_wptr++ = ENXIO;
384 				putnext(sib->sps_rq, mp);
385 			}
386 			qenable(WR(sib->sps_rq));
387 			cnt++;
388 			sib = sib->sps_nextsib;
389 		}
390 		ASSERT(ppa->ppa_refcnt == cnt);
391 	} else {
392 		ASSERT(ppa->ppa_streams != NULL);
393 		ASSERT(ppa->ppa_ctl != sps);
394 		mp = NULL;
395 		if (sps->sps_sap == PPP_IP) {
396 			ppa->ppa_ip_cache = NULL;
397 			mp = create_lsmsg(PPP_LINKSTAT_IPV4_UNBOUND);
398 		} else if (sps->sps_sap == PPP_IPV6) {
399 			ppa->ppa_ip6_cache = NULL;
400 			mp = create_lsmsg(PPP_LINKSTAT_IPV6_UNBOUND);
401 		}
402 		/* Tell the daemon the bad news. */
403 		if (mp != NULL && ppa->ppa_ctl != NULL &&
404 		    (sps->sps_npmode == NPMODE_PASS ||
405 		    sps->sps_npmode == NPMODE_QUEUE)) {
406 			putnext(ppa->ppa_ctl->sps_rq, mp);
407 		} else {
408 			freemsg(mp);
409 		}
410 		/*
411 		 * Walk through all of sibling streams attached to the
412 		 * same ppa, and remove this stream from the sibling
413 		 * streams list. We have exclusive access for the
414 		 * entire driver here, so there's no need to hold
415 		 * ppa_sib_lock.
416 		 */
417 		sib = ppa->ppa_streams;
418 		if (sib == sps) {
419 			ppa->ppa_streams = sps->sps_nextsib;
420 		} else {
421 			while (sib->sps_nextsib != NULL) {
422 				if (sib->sps_nextsib == sps) {
423 					sib->sps_nextsib = sps->sps_nextsib;
424 					break;
425 				}
426 				sib = sib->sps_nextsib;
427 			}
428 		}
429 		sps->sps_nextsib = NULL;
430 		freemsg(sps->sps_hangup);
431 		sps->sps_hangup = NULL;
432 		/*
433 		 * Check if this is a promiscous stream. If the SPS_PROMISC bit
434 		 * is still set, it means that the stream is closed without
435 		 * ever having issued DL_DETACH_REQ or DL_PROMISCOFF_REQ.
436 		 * In this case, we simply decrement the promiscous counter,
437 		 * and it's safe to do it without holding ppa_sib_lock since
438 		 * we're exclusive (inner and outer) at this point.
439 		 */
440 		if (IS_SPS_PROMISC(sps)) {
441 			ASSERT(ppa->ppa_promicnt > 0);
442 			ppa->ppa_promicnt--;
443 		}
444 	}
445 	/* If we're the only one left, then delete now. */
446 	if (ppa->ppa_refcnt <= 1)
447 		sppp_free_ppa(ppa);
448 	else
449 		ppa->ppa_refcnt--;
450 close_unattached:
451 	q->q_ptr = WR(q)->q_ptr = NULL;
452 	for (nextmn = &sps_list; *nextmn != NULL;
453 	    nextmn = &(*nextmn)->sps_nextmn) {
454 		if (*nextmn == sps) {
455 			*nextmn = sps->sps_nextmn;
456 			break;
457 		}
458 	}
459 	kmem_free(sps, sizeof (spppstr_t));
460 	return (0);
461 }
462 
463 static void
464 sppp_ioctl(struct queue *q, mblk_t *mp)
465 {
466 	spppstr_t	*sps;
467 	spppstr_t	*nextsib;
468 	sppa_t		*ppa;
469 	struct iocblk	*iop;
470 	mblk_t		*nmp;
471 	enum NPmode	npmode;
472 	struct ppp_idle	*pip;
473 	struct ppp_stats64 *psp;
474 	struct ppp_comp_stats *pcsp;
475 	hrtime_t	hrtime;
476 	int		sap;
477 	int		count = 0;
478 	int		error = EINVAL;
479 
480 	sps = (spppstr_t *)q->q_ptr;
481 	ppa = sps->sps_ppa;
482 
483 	iop = (struct iocblk *)mp->b_rptr;
484 	switch (iop->ioc_cmd) {
485 	case PPPIO_NPMODE:
486 		if (!IS_SPS_CONTROL(sps)) {
487 			break;		/* return EINVAL */
488 		} else if (iop->ioc_count != 2 * sizeof (uint32_t) ||
489 		    (mp->b_cont == NULL)) {
490 			error = EPROTO;
491 			break;
492 		}
493 		ASSERT(ppa != NULL);
494 		ASSERT(mp->b_cont->b_rptr != NULL);
495 		ASSERT(sps->sps_npmode == NPMODE_PASS);
496 		sap = ((uint32_t *)mp->b_cont->b_rptr)[0];
497 		npmode = (enum NPmode)((uint32_t *)mp->b_cont->b_rptr)[1];
498 		/*
499 		 * Walk the sibling streams which belong to the same
500 		 * ppa, and try to find a stream with matching sap
501 		 * number.
502 		 */
503 		rw_enter(&ppa->ppa_sib_lock, RW_WRITER);
504 		for (nextsib = ppa->ppa_streams; nextsib != NULL;
505 		    nextsib = nextsib->sps_nextsib) {
506 			if (nextsib->sps_sap == sap) {
507 				break;	/* found it */
508 			}
509 		}
510 		if (nextsib == NULL) {
511 			rw_exit(&ppa->ppa_sib_lock);
512 			break;		/* return EINVAL */
513 		} else {
514 			nextsib->sps_npmode = npmode;
515 			if ((nextsib->sps_npmode != NPMODE_QUEUE) &&
516 			    (WR(nextsib->sps_rq)->q_first != NULL)) {
517 				qenable(WR(nextsib->sps_rq));
518 			}
519 		}
520 		rw_exit(&ppa->ppa_sib_lock);
521 		error = 0;	/* return success */
522 		break;
523 	case PPPIO_GIDLE:
524 		if (ppa == NULL) {
525 			ASSERT(!IS_SPS_CONTROL(sps));
526 			error = ENOLINK;
527 			break;
528 		} else if (!IS_PPA_TIMESTAMP(ppa)) {
529 			break;		/* return EINVAL */
530 		}
531 		if ((nmp = allocb(sizeof (struct ppp_idle),
532 		    BPRI_MED)) == NULL) {
533 			mutex_enter(&ppa->ppa_sta_lock);
534 			ppa->ppa_allocbfail++;
535 			mutex_exit(&ppa->ppa_sta_lock);
536 			error = ENOSR;
537 			break;
538 		}
539 		if (mp->b_cont != NULL) {
540 			freemsg(mp->b_cont);
541 		}
542 		mp->b_cont = nmp;
543 		pip = (struct ppp_idle *)nmp->b_wptr;
544 		nmp->b_wptr += sizeof (struct ppp_idle);
545 		/*
546 		 * Get current timestamp and subtract the tx and rx
547 		 * timestamps to get the actual idle time to be
548 		 * returned.
549 		 */
550 		hrtime = gethrtime();
551 		pip->xmit_idle = (hrtime - ppa->ppa_lasttx) / 1000000000ul;
552 		pip->recv_idle = (hrtime - ppa->ppa_lastrx) / 1000000000ul;
553 		count = msgsize(nmp);
554 		error = 0;
555 		break;		/* return success (error is 0) */
556 	case PPPIO_GTYPE:
557 		nmp = allocb(sizeof (uint32_t), BPRI_MED);
558 		if (nmp == NULL) {
559 			error = ENOSR;
560 			break;
561 		}
562 		if (mp->b_cont != NULL) {
563 			freemsg(mp->b_cont);
564 		}
565 		mp->b_cont = nmp;
566 		/*
567 		 * Let the requestor know that we are the PPP
568 		 * multiplexer (PPPTYP_MUX).
569 		 */
570 		*(uint32_t *)nmp->b_wptr = PPPTYP_MUX;
571 		nmp->b_wptr += sizeof (uint32_t);
572 		count = msgsize(nmp);
573 		error = 0;		/* return success */
574 		break;
575 	case PPPIO_GETSTAT64:
576 		if (ppa == NULL) {
577 			break;		/* return EINVAL */
578 		} else if ((ppa->ppa_lower_wq != NULL) &&
579 		    !IS_PPA_LASTMOD(ppa)) {
580 			mutex_enter(&ppa->ppa_sta_lock);
581 			/*
582 			 * We match sps_ioc_id on the M_IOC{ACK,NAK},
583 			 * so if the response hasn't come back yet,
584 			 * new ioctls must be queued instead.
585 			 */
586 			if (IS_SPS_IOCQ(sps)) {
587 				mutex_exit(&ppa->ppa_sta_lock);
588 				if (!putq(q, mp)) {
589 					error = EAGAIN;
590 					break;
591 				}
592 				return;
593 			} else {
594 				ppa->ppa_ioctlsfwd++;
595 				/*
596 				 * Record the ioctl CMD & ID - this will be
597 				 * used to check the ACK or NAK responses
598 				 * coming from below.
599 				 */
600 				sps->sps_ioc_id = iop->ioc_id;
601 				sps->sps_flags |= SPS_IOCQ;
602 				mutex_exit(&ppa->ppa_sta_lock);
603 			}
604 			putnext(ppa->ppa_lower_wq, mp);
605 			return;	/* don't ack or nak the request */
606 		}
607 		nmp = allocb(sizeof (*psp), BPRI_MED);
608 		if (nmp == NULL) {
609 			mutex_enter(&ppa->ppa_sta_lock);
610 			ppa->ppa_allocbfail++;
611 			mutex_exit(&ppa->ppa_sta_lock);
612 			error = ENOSR;
613 			break;
614 		}
615 		if (mp->b_cont != NULL) {
616 			freemsg(mp->b_cont);
617 		}
618 		mp->b_cont = nmp;
619 		psp = (struct ppp_stats64 *)nmp->b_wptr;
620 		/*
621 		 * Copy the contents of ppp_stats64 structure for this
622 		 * ppa and return them to the caller.
623 		 */
624 		mutex_enter(&ppa->ppa_sta_lock);
625 		bcopy(&ppa->ppa_stats, psp, sizeof (*psp));
626 		mutex_exit(&ppa->ppa_sta_lock);
627 		nmp->b_wptr += sizeof (*psp);
628 		count = sizeof (*psp);
629 		error = 0;		/* return success */
630 		break;
631 	case PPPIO_GETCSTAT:
632 		if (ppa == NULL) {
633 			break;		/* return EINVAL */
634 		} else if ((ppa->ppa_lower_wq != NULL) &&
635 		    !IS_PPA_LASTMOD(ppa)) {
636 			mutex_enter(&ppa->ppa_sta_lock);
637 			/*
638 			 * See comments in PPPIO_GETSTAT64 case
639 			 * in sppp_ioctl().
640 			 */
641 			if (IS_SPS_IOCQ(sps)) {
642 				mutex_exit(&ppa->ppa_sta_lock);
643 				if (!putq(q, mp)) {
644 					error = EAGAIN;
645 					break;
646 				}
647 				return;
648 			} else {
649 				ppa->ppa_ioctlsfwd++;
650 				/*
651 				 * Record the ioctl CMD & ID - this will be
652 				 * used to check the ACK or NAK responses
653 				 * coming from below.
654 				 */
655 				sps->sps_ioc_id = iop->ioc_id;
656 				sps->sps_flags |= SPS_IOCQ;
657 				mutex_exit(&ppa->ppa_sta_lock);
658 			}
659 			putnext(ppa->ppa_lower_wq, mp);
660 			return;	/* don't ack or nak the request */
661 		}
662 		nmp = allocb(sizeof (struct ppp_comp_stats), BPRI_MED);
663 		if (nmp == NULL) {
664 			mutex_enter(&ppa->ppa_sta_lock);
665 			ppa->ppa_allocbfail++;
666 			mutex_exit(&ppa->ppa_sta_lock);
667 			error = ENOSR;
668 			break;
669 		}
670 		if (mp->b_cont != NULL) {
671 			freemsg(mp->b_cont);
672 		}
673 		mp->b_cont = nmp;
674 		pcsp = (struct ppp_comp_stats *)nmp->b_wptr;
675 		nmp->b_wptr += sizeof (struct ppp_comp_stats);
676 		bzero((caddr_t)pcsp, sizeof (struct ppp_comp_stats));
677 		count = msgsize(nmp);
678 		error = 0;		/* return success */
679 		break;
680 	}
681 
682 	if (error == 0) {
683 		/* Success; tell the user. */
684 		miocack(q, mp, count, 0);
685 	} else {
686 		/* Failure; send error back upstream. */
687 		miocnak(q, mp, 0, error);
688 	}
689 }
690 
691 /*
692  * sppp_uwput()
693  *
694  * MT-Perimeters:
695  *    shared inner, shared outer.
696  *
697  * Description:
698  *    Upper write-side put procedure. Messages from above arrive here.
699  */
700 int
701 sppp_uwput(queue_t *q, mblk_t *mp)
702 {
703 	queue_t		*nextq;
704 	spppstr_t	*sps;
705 	sppa_t		*ppa;
706 	struct iocblk	*iop;
707 	int		error;
708 
709 	ASSERT(q != NULL && q->q_ptr != NULL);
710 	ASSERT(mp != NULL && mp->b_rptr != NULL);
711 	sps = (spppstr_t *)q->q_ptr;
712 	ppa = sps->sps_ppa;
713 
714 	switch (MTYPE(mp)) {
715 	case M_PCPROTO:
716 	case M_PROTO:
717 		if (IS_SPS_CONTROL(sps)) {
718 			ASSERT(ppa != NULL);
719 			/*
720 			 * Intentionally change this to a high priority
721 			 * message so it doesn't get queued up. M_PROTO is
722 			 * specifically used for signalling between pppd and its
723 			 * kernel-level component(s), such as ppptun, so we
724 			 * make sure that it doesn't get queued up behind
725 			 * data messages.
726 			 */
727 			MTYPE(mp) = M_PCPROTO;
728 			if ((ppa->ppa_lower_wq != NULL) &&
729 			    canputnext(ppa->ppa_lower_wq)) {
730 				mutex_enter(&ppa->ppa_sta_lock);
731 				ppa->ppa_mctlsfwd++;
732 				mutex_exit(&ppa->ppa_sta_lock);
733 				putnext(ppa->ppa_lower_wq, mp);
734 			} else {
735 				mutex_enter(&ppa->ppa_sta_lock);
736 				ppa->ppa_mctlsfwderr++;
737 				mutex_exit(&ppa->ppa_sta_lock);
738 				freemsg(mp);
739 			}
740 		} else {
741 			(void) sppp_mproto(q, mp, sps);
742 			return (0);
743 		}
744 		break;
745 	case M_DATA:
746 		if ((nextq = sppp_send(q, &mp, sps)) != NULL)
747 			putnext(nextq, mp);
748 		break;
749 	case M_IOCTL:
750 		error = EINVAL;
751 		iop = (struct iocblk *)mp->b_rptr;
752 		switch (iop->ioc_cmd) {
753 		case DLIOCRAW:
754 		case DL_IOC_HDR_INFO:
755 		case PPPIO_ATTACH:
756 		case PPPIO_DEBUG:
757 		case PPPIO_DETACH:
758 		case PPPIO_LASTMOD:
759 		case PPPIO_MRU:
760 		case PPPIO_MTU:
761 		case PPPIO_USETIMESTAMP:
762 		case PPPIO_BLOCKNP:
763 		case PPPIO_UNBLOCKNP:
764 			qwriter(q, mp, sppp_inner_ioctl, PERIM_INNER);
765 			return (0);
766 		case I_LINK:
767 		case I_UNLINK:
768 		case PPPIO_NEWPPA:
769 			qwriter(q, mp, sppp_outer_ioctl, PERIM_OUTER);
770 			return (0);
771 		case PPPIO_NPMODE:
772 		case PPPIO_GIDLE:
773 		case PPPIO_GTYPE:
774 		case PPPIO_GETSTAT64:
775 		case PPPIO_GETCSTAT:
776 			/*
777 			 * These require additional auto variables to
778 			 * handle, so (for optimization reasons)
779 			 * they're moved off to a separate function.
780 			 */
781 			sppp_ioctl(q, mp);
782 			return (0);
783 		case PPPIO_GETSTAT:
784 			break;			/* 32 bit interface gone */
785 		default:
786 			if (iop->ioc_cr == NULL ||
787 			    secpolicy_ppp_config(iop->ioc_cr) != 0) {
788 				error = EPERM;
789 				break;
790 			} else if ((ppa == NULL) ||
791 			    (ppa->ppa_lower_wq == NULL)) {
792 				break;		/* return EINVAL */
793 			}
794 			mutex_enter(&ppa->ppa_sta_lock);
795 			/*
796 			 * See comments in PPPIO_GETSTAT64 case
797 			 * in sppp_ioctl().
798 			 */
799 			if (IS_SPS_IOCQ(sps)) {
800 				mutex_exit(&ppa->ppa_sta_lock);
801 				if (!putq(q, mp)) {
802 					error = EAGAIN;
803 					break;
804 				}
805 				return (0);
806 			} else {
807 				ppa->ppa_ioctlsfwd++;
808 				/*
809 				 * Record the ioctl CMD & ID -
810 				 * this will be used to check the
811 				 * ACK or NAK responses coming from below.
812 				 */
813 				sps->sps_ioc_id = iop->ioc_id;
814 				sps->sps_flags |= SPS_IOCQ;
815 				mutex_exit(&ppa->ppa_sta_lock);
816 			}
817 			putnext(ppa->ppa_lower_wq, mp);
818 			return (0);	/* don't ack or nak the request */
819 		}
820 		/* Failure; send error back upstream. */
821 		miocnak(q, mp, 0, error);
822 		break;
823 	case M_FLUSH:
824 		if (*mp->b_rptr & FLUSHW) {
825 			flushq(q, FLUSHDATA);
826 		}
827 		if (*mp->b_rptr & FLUSHR) {
828 			*mp->b_rptr &= ~FLUSHW;
829 			qreply(q, mp);
830 		} else {
831 			freemsg(mp);
832 		}
833 		break;
834 	default:
835 		freemsg(mp);
836 		break;
837 	}
838 	return (0);
839 }
840 
841 /*
842  * sppp_uwsrv()
843  *
844  * MT-Perimeters:
845  *    exclusive inner, shared outer.
846  *
847  * Description:
848  *    Upper write-side service procedure. Note that this procedure does
849  *    not get called when a message is placed on our write-side queue, since
850  *    automatic queue scheduling has been turned off by noenable() when
851  *    the queue was opened. We do this on purpose, as we explicitly control
852  *    the write-side queue. Therefore, this procedure gets called when
853  *    the lower write service procedure qenable() the upper write stream queue.
854  */
855 int
856 sppp_uwsrv(queue_t *q)
857 {
858 	spppstr_t	*sps;
859 	sppa_t		*ppa;
860 	mblk_t		*mp;
861 	queue_t		*nextq;
862 	struct iocblk	*iop;
863 
864 	ASSERT(q != NULL && q->q_ptr != NULL);
865 	sps = (spppstr_t *)q->q_ptr;
866 
867 	while ((mp = getq(q)) != NULL) {
868 		if (MTYPE(mp) == M_IOCTL) {
869 			ppa = sps->sps_ppa;
870 			if ((ppa == NULL) || (ppa->ppa_lower_wq == NULL)) {
871 				miocnak(q, mp, 0, EINVAL);
872 				continue;
873 			}
874 
875 			iop = (struct iocblk *)mp->b_rptr;
876 			mutex_enter(&ppa->ppa_sta_lock);
877 			/*
878 			 * See comments in PPPIO_GETSTAT64 case
879 			 * in sppp_ioctl().
880 			 */
881 			if (IS_SPS_IOCQ(sps)) {
882 				mutex_exit(&ppa->ppa_sta_lock);
883 				if (putbq(q, mp) == 0)
884 					miocnak(q, mp, 0, EAGAIN);
885 				break;
886 			} else {
887 				ppa->ppa_ioctlsfwd++;
888 				sps->sps_ioc_id = iop->ioc_id;
889 				sps->sps_flags |= SPS_IOCQ;
890 				mutex_exit(&ppa->ppa_sta_lock);
891 				putnext(ppa->ppa_lower_wq, mp);
892 			}
893 		} else if ((nextq =
894 		    sppp_outpkt(q, &mp, msgdsize(mp), sps)) == NULL) {
895 			if (mp != NULL) {
896 				if (putbq(q, mp) == 0)
897 					freemsg(mp);
898 				break;
899 			}
900 		} else {
901 			putnext(nextq, mp);
902 		}
903 	}
904 	return (0);
905 }
906 
907 void
908 sppp_remove_ppa(spppstr_t *sps)
909 {
910 	spppstr_t *nextsib;
911 	sppa_t *ppa = sps->sps_ppa;
912 
913 	rw_enter(&ppa->ppa_sib_lock, RW_WRITER);
914 	if (ppa->ppa_refcnt <= 1) {
915 		rw_exit(&ppa->ppa_sib_lock);
916 		sppp_free_ppa(ppa);
917 	} else {
918 		nextsib = ppa->ppa_streams;
919 		if (nextsib == sps) {
920 			ppa->ppa_streams = sps->sps_nextsib;
921 		} else {
922 			while (nextsib->sps_nextsib != NULL) {
923 				if (nextsib->sps_nextsib == sps) {
924 					nextsib->sps_nextsib =
925 					    sps->sps_nextsib;
926 					break;
927 				}
928 				nextsib = nextsib->sps_nextsib;
929 			}
930 		}
931 		ppa->ppa_refcnt--;
932 		/*
933 		 * And if this stream was marked as promiscuous
934 		 * (SPS_PROMISC), then we need to update the
935 		 * promiscuous streams count. This should only happen
936 		 * when DL_DETACH_REQ is issued prior to marking the
937 		 * stream as non-promiscuous, through
938 		 * DL_PROMISCOFF_REQ request.
939 		 */
940 		if (IS_SPS_PROMISC(sps)) {
941 			ASSERT(ppa->ppa_promicnt > 0);
942 			ppa->ppa_promicnt--;
943 		}
944 		rw_exit(&ppa->ppa_sib_lock);
945 	}
946 	sps->sps_nextsib = NULL;
947 	sps->sps_ppa = NULL;
948 	freemsg(sps->sps_hangup);
949 	sps->sps_hangup = NULL;
950 }
951 
952 sppa_t *
953 sppp_find_ppa(uint32_t ppa_id)
954 {
955 	sppa_t *ppa;
956 
957 	for (ppa = ppa_list; ppa != NULL; ppa = ppa->ppa_nextppa) {
958 		if (ppa->ppa_ppa_id == ppa_id) {
959 			break;	/* found the ppa */
960 		}
961 	}
962 	return (ppa);
963 }
964 
965 /*
966  * sppp_inner_ioctl()
967  *
968  * MT-Perimeters:
969  *    exclusive inner, shared outer
970  *
971  * Description:
972  *    Called by sppp_uwput as a result of receiving ioctls which require
973  *    an exclusive access at the inner perimeter.
974  */
975 static void
976 sppp_inner_ioctl(queue_t *q, mblk_t *mp)
977 {
978 	spppstr_t	*sps;
979 	sppa_t		*ppa;
980 	struct iocblk	*iop;
981 	mblk_t		*nmp;
982 	int		error = EINVAL;
983 	int		count = 0;
984 	int		dbgcmd;
985 	int		mru, mtu;
986 	uint32_t	ppa_id;
987 	hrtime_t	hrtime;
988 	uint16_t	proto;
989 
990 	ASSERT(q != NULL && q->q_ptr != NULL);
991 	ASSERT(mp != NULL && mp->b_rptr != NULL);
992 
993 	sps = (spppstr_t *)q->q_ptr;
994 	ppa = sps->sps_ppa;
995 	iop = (struct iocblk *)mp->b_rptr;
996 	switch (iop->ioc_cmd) {
997 	case DLIOCRAW:
998 		if (IS_SPS_CONTROL(sps)) {
999 			break;		/* return EINVAL */
1000 		}
1001 		sps->sps_flags |= SPS_RAWDATA;
1002 		error = 0;		/* return success */
1003 		break;
1004 	case DL_IOC_HDR_INFO:
1005 		if (IS_SPS_CONTROL(sps)) {
1006 			break;		/* return EINVAL */
1007 		} else if ((mp->b_cont == NULL) ||
1008 		    *((t_uscalar_t *)mp->b_cont->b_rptr) != DL_UNITDATA_REQ ||
1009 		    (MBLKL(mp->b_cont) < (sizeof (dl_unitdata_req_t) +
1010 		    SPPP_ADDRL))) {
1011 			error = EPROTO;
1012 			break;
1013 		} else if (ppa == NULL) {
1014 			error = ENOLINK;
1015 			break;
1016 		}
1017 		if ((nmp = allocb(PPP_HDRLEN, BPRI_MED)) == NULL) {
1018 			mutex_enter(&ppa->ppa_sta_lock);
1019 			ppa->ppa_allocbfail++;
1020 			mutex_exit(&ppa->ppa_sta_lock);
1021 			error = ENOMEM;
1022 			break;
1023 		}
1024 		*(uchar_t *)nmp->b_wptr++ = PPP_ALLSTATIONS;
1025 		*(uchar_t *)nmp->b_wptr++ = PPP_UI;
1026 		*(uchar_t *)nmp->b_wptr++ = sps->sps_sap >> 8;
1027 		*(uchar_t *)nmp->b_wptr++ = sps->sps_sap & 0xff;
1028 		ASSERT(MBLKL(nmp) == PPP_HDRLEN);
1029 
1030 		linkb(mp, nmp);
1031 		sps->sps_flags |= SPS_FASTPATH;
1032 		error = 0;		/* return success */
1033 		count = msgsize(nmp);
1034 		break;
1035 	case PPPIO_ATTACH:
1036 		if (IS_SPS_CONTROL(sps) || IS_SPS_PIOATTACH(sps) ||
1037 		    (sps->sps_dlstate != DL_UNATTACHED) ||
1038 		    (iop->ioc_count != sizeof (uint32_t))) {
1039 			break;		/* return EINVAL */
1040 		} else if (mp->b_cont == NULL) {
1041 			error = EPROTO;
1042 			break;
1043 		}
1044 		ASSERT(mp->b_cont->b_rptr != NULL);
1045 		/* If there's something here, it's detached. */
1046 		if (ppa != NULL) {
1047 			sppp_remove_ppa(sps);
1048 		}
1049 		ppa_id = *(uint32_t *)mp->b_cont->b_rptr;
1050 		ppa = sppp_find_ppa(ppa_id);
1051 		/*
1052 		 * If we can't find it, then it's either because the requestor
1053 		 * has supplied a wrong ppa_id to be attached to, or because
1054 		 * the control stream for the specified ppa_id has been closed
1055 		 * before we get here.
1056 		 */
1057 		if (ppa == NULL) {
1058 			error = ENOENT;
1059 			break;
1060 		}
1061 		if (iop->ioc_cr == NULL ||
1062 		    ppa->ppa_zoneid != crgetzoneid(iop->ioc_cr)) {
1063 			error = EPERM;
1064 			break;
1065 		}
1066 		/*
1067 		 * Preallocate the hangup message so that we're always
1068 		 * able to send this upstream in the event of a
1069 		 * catastrophic failure.
1070 		 */
1071 		if ((sps->sps_hangup = allocb(1, BPRI_MED)) == NULL) {
1072 			error = ENOSR;
1073 			break;
1074 		}
1075 		/*
1076 		 * There are two ways to attach a stream to a ppa: one is
1077 		 * through DLPI (DL_ATTACH_REQ) and the other is through
1078 		 * PPPIO_ATTACH. This is why we need to distinguish whether or
1079 		 * not a stream was allocated via PPPIO_ATTACH, so that we can
1080 		 * properly detach it when we receive PPPIO_DETACH ioctl
1081 		 * request.
1082 		 */
1083 		sps->sps_flags |= SPS_PIOATTACH;
1084 		sps->sps_ppa = ppa;
1085 		/*
1086 		 * Add this stream to the head of the list of sibling streams
1087 		 * which belong to the same ppa as specified.
1088 		 */
1089 		rw_enter(&ppa->ppa_sib_lock, RW_WRITER);
1090 		ppa->ppa_refcnt++;
1091 		sps->sps_nextsib = ppa->ppa_streams;
1092 		ppa->ppa_streams = sps;
1093 		rw_exit(&ppa->ppa_sib_lock);
1094 		error = 0;		/* return success */
1095 		break;
1096 	case PPPIO_BLOCKNP:
1097 	case PPPIO_UNBLOCKNP:
1098 		if (iop->ioc_cr == NULL ||
1099 		    secpolicy_ppp_config(iop->ioc_cr) != 0) {
1100 			error = EPERM;
1101 			break;
1102 		}
1103 		error = miocpullup(mp, sizeof (uint16_t));
1104 		if (error != 0)
1105 			break;
1106 		ASSERT(mp->b_cont->b_rptr != NULL);
1107 		proto = *(uint16_t *)mp->b_cont->b_rptr;
1108 		if (iop->ioc_cmd == PPPIO_BLOCKNP) {
1109 			uint32_t npflagpos = sppp_ppp2np(proto);
1110 			/*
1111 			 * Mark proto as blocked in ppa_npflag until the
1112 			 * corresponding queues for proto have been plumbed.
1113 			 */
1114 			if (npflagpos != 0) {
1115 				mutex_enter(&ppa->ppa_npmutex);
1116 				ppa->ppa_npflag |= (1 << npflagpos);
1117 				mutex_exit(&ppa->ppa_npmutex);
1118 			} else {
1119 				error = EINVAL;
1120 			}
1121 		} else {
1122 			/*
1123 			 * reset ppa_npflag and release proto
1124 			 * packets that were being held in control queue.
1125 			 */
1126 			sppp_release_pkts(ppa, proto);
1127 		}
1128 		break;
1129 	case PPPIO_DEBUG:
1130 		if (iop->ioc_cr == NULL ||
1131 		    secpolicy_ppp_config(iop->ioc_cr) != 0) {
1132 			error = EPERM;
1133 			break;
1134 		} else if (iop->ioc_count != sizeof (uint32_t)) {
1135 			break;		/* return EINVAL */
1136 		} else if (mp->b_cont == NULL) {
1137 			error = EPROTO;
1138 			break;
1139 		}
1140 		ASSERT(mp->b_cont->b_rptr != NULL);
1141 		dbgcmd = *(uint32_t *)mp->b_cont->b_rptr;
1142 		/*
1143 		 * We accept PPPDBG_LOG + PPPDBG_DRIVER value as an indication
1144 		 * that SPS_KDEBUG needs to be enabled for this upper stream.
1145 		 */
1146 		if (dbgcmd == PPPDBG_LOG + PPPDBG_DRIVER) {
1147 			sps->sps_flags |= SPS_KDEBUG;
1148 			error = 0;	/* return success */
1149 			break;
1150 		}
1151 		/*
1152 		 * Otherwise, for any other values, we send them down only if
1153 		 * there is an attachment and if the attachment has something
1154 		 * linked underneath it.
1155 		 */
1156 		if ((ppa == NULL) || (ppa->ppa_lower_wq == NULL)) {
1157 			error = ENOLINK;
1158 			break;
1159 		}
1160 		mutex_enter(&ppa->ppa_sta_lock);
1161 		/*
1162 		 * See comments in PPPIO_GETSTAT64 case
1163 		 * in sppp_ioctl().
1164 		 */
1165 		if (IS_SPS_IOCQ(sps)) {
1166 			mutex_exit(&ppa->ppa_sta_lock);
1167 			if (!putq(q, mp)) {
1168 				error = EAGAIN;
1169 				break;
1170 			}
1171 			return;
1172 		} else {
1173 			ppa->ppa_ioctlsfwd++;
1174 			/*
1175 			 * Record the ioctl CMD & ID -
1176 			 * this will be used to check the
1177 			 * ACK or NAK responses coming from below.
1178 			 */
1179 			sps->sps_ioc_id = iop->ioc_id;
1180 			sps->sps_flags |= SPS_IOCQ;
1181 			mutex_exit(&ppa->ppa_sta_lock);
1182 		}
1183 		putnext(ppa->ppa_lower_wq, mp);
1184 		return;			/* don't ack or nak the request */
1185 	case PPPIO_DETACH:
1186 		if (!IS_SPS_PIOATTACH(sps)) {
1187 			break;		/* return EINVAL */
1188 		}
1189 		/*
1190 		 * The SPS_PIOATTACH flag set on the stream tells us that
1191 		 * the ppa field is still valid. In the event that the control
1192 		 * stream be closed prior to this stream's detachment, the
1193 		 * SPS_PIOATTACH flag would have been cleared from this stream
1194 		 * during close; in that case we won't get here.
1195 		 */
1196 		ASSERT(ppa != NULL);
1197 		ASSERT(ppa->ppa_ctl != sps);
1198 		ASSERT(sps->sps_dlstate == DL_UNATTACHED);
1199 
1200 		/*
1201 		 * We don't actually detach anything until the stream is
1202 		 * closed or reattached.
1203 		 */
1204 
1205 		sps->sps_flags &= ~SPS_PIOATTACH;
1206 		error = 0;		/* return success */
1207 		break;
1208 	case PPPIO_LASTMOD:
1209 		if (!IS_SPS_CONTROL(sps)) {
1210 			break;		/* return EINVAL */
1211 		}
1212 		ASSERT(ppa != NULL);
1213 		ppa->ppa_flags |= PPA_LASTMOD;
1214 		error = 0;		/* return success */
1215 		break;
1216 	case PPPIO_MRU:
1217 		if (!IS_SPS_CONTROL(sps) ||
1218 		    (iop->ioc_count != sizeof (uint32_t))) {
1219 			break;		/* return EINVAL */
1220 		} else if (mp->b_cont == NULL) {
1221 			error = EPROTO;
1222 			break;
1223 		}
1224 		ASSERT(ppa != NULL);
1225 		ASSERT(mp->b_cont->b_rptr != NULL);
1226 		mru = *(uint32_t *)mp->b_cont->b_rptr;
1227 		if ((mru <= 0) || (mru > PPP_MAXMRU)) {
1228 			error = EPROTO;
1229 			break;
1230 		}
1231 		if (mru < PPP_MRU) {
1232 			mru = PPP_MRU;
1233 		}
1234 		ppa->ppa_mru = (uint16_t)mru;
1235 		/*
1236 		 * If there's something beneath this driver for the ppa, then
1237 		 * inform it (or them) of the MRU size. Only do this is we
1238 		 * are not the last PPP module on the stream.
1239 		 */
1240 		if (!IS_PPA_LASTMOD(ppa) && (ppa->ppa_lower_wq != NULL)) {
1241 			(void) putctl4(ppa->ppa_lower_wq, M_CTL, PPPCTL_MRU,
1242 			    mru);
1243 		}
1244 		error = 0;		/* return success */
1245 		break;
1246 	case PPPIO_MTU:
1247 		if (!IS_SPS_CONTROL(sps) ||
1248 		    (iop->ioc_count != sizeof (uint32_t))) {
1249 			break;		/* return EINVAL */
1250 		} else if (mp->b_cont == NULL) {
1251 			error = EPROTO;
1252 			break;
1253 		}
1254 		ASSERT(ppa != NULL);
1255 		ASSERT(mp->b_cont->b_rptr != NULL);
1256 		mtu = *(uint32_t *)mp->b_cont->b_rptr;
1257 		if ((mtu <= 0) || (mtu > PPP_MAXMTU)) {
1258 			error = EPROTO;
1259 			break;
1260 		}
1261 		ppa->ppa_mtu = (uint16_t)mtu;
1262 		/*
1263 		 * If there's something beneath this driver for the ppa, then
1264 		 * inform it (or them) of the MTU size. Only do this if we
1265 		 * are not the last PPP module on the stream.
1266 		 */
1267 		if (!IS_PPA_LASTMOD(ppa) && (ppa->ppa_lower_wq != NULL)) {
1268 			(void) putctl4(ppa->ppa_lower_wq, M_CTL, PPPCTL_MTU,
1269 			    mtu);
1270 		}
1271 		error = 0;		/* return success */
1272 		break;
1273 	case PPPIO_USETIMESTAMP:
1274 		if (!IS_SPS_CONTROL(sps)) {
1275 			break;		/* return EINVAL */
1276 		}
1277 		if (!IS_PPA_TIMESTAMP(ppa)) {
1278 			hrtime = gethrtime();
1279 			ppa->ppa_lasttx = ppa->ppa_lastrx = hrtime;
1280 			ppa->ppa_flags |= PPA_TIMESTAMP;
1281 		}
1282 		error = 0;
1283 		break;
1284 	}
1285 
1286 	if (error == 0) {
1287 		/* Success; tell the user */
1288 		miocack(q, mp, count, 0);
1289 	} else {
1290 		/* Failure; send error back upstream */
1291 		miocnak(q, mp, 0, error);
1292 	}
1293 }
1294 
1295 /*
1296  * sppp_outer_ioctl()
1297  *
1298  * MT-Perimeters:
1299  *    exclusive inner, exclusive outer
1300  *
1301  * Description:
1302  *    Called by sppp_uwput as a result of receiving ioctls which require
1303  *    an exclusive access at the outer perimeter.
1304  */
1305 static void
1306 sppp_outer_ioctl(queue_t *q, mblk_t *mp)
1307 {
1308 	spppstr_t	*sps = q->q_ptr;
1309 	spppstr_t	*nextsib;
1310 	queue_t		*lwq;
1311 	sppa_t		*ppa;
1312 	struct iocblk	*iop;
1313 	int		error = EINVAL;
1314 	int		count = 0;
1315 	uint32_t	ppa_id;
1316 	mblk_t		*nmp;
1317 	zoneid_t	zoneid;
1318 
1319 	sps = (spppstr_t *)q->q_ptr;
1320 	ppa = sps->sps_ppa;
1321 	iop = (struct iocblk *)mp->b_rptr;
1322 	switch (iop->ioc_cmd) {
1323 	case I_LINK:
1324 		if (!IS_SPS_CONTROL(sps)) {
1325 			break;		/* return EINVAL */
1326 		} else if (ppa->ppa_lower_wq != NULL) {
1327 			error = EEXIST;
1328 			break;
1329 		}
1330 		ASSERT(ppa->ppa_ctl != NULL);
1331 		ASSERT(sps->sps_npmode == NPMODE_PASS);
1332 		ASSERT(mp->b_cont != NULL && mp->b_cont->b_rptr != NULL);
1333 
1334 		lwq = ((struct linkblk *)mp->b_cont->b_rptr)->l_qbot;
1335 		ASSERT(lwq != NULL);
1336 
1337 		ppa->ppa_lower_wq = lwq;
1338 		lwq->q_ptr = RD(lwq)->q_ptr = (caddr_t)ppa;
1339 		/*
1340 		 * Unblock upper network streams which now feed this lower
1341 		 * stream. We don't need to hold ppa_sib_lock here, since we
1342 		 * are writer at the outer perimeter.
1343 		 */
1344 		if (WR(sps->sps_rq)->q_first != NULL)
1345 			qenable(WR(sps->sps_rq));
1346 		for (nextsib = ppa->ppa_streams; nextsib != NULL;
1347 		    nextsib = nextsib->sps_nextsib) {
1348 			nextsib->sps_npmode = NPMODE_PASS;
1349 			if (WR(nextsib->sps_rq)->q_first != NULL) {
1350 				qenable(WR(nextsib->sps_rq));
1351 			}
1352 		}
1353 
1354 		/*
1355 		 * Also unblock (run once) our lower read-side queue.  This is
1356 		 * where packets received while doing the I_LINK may be
1357 		 * languishing; see sppp_lrsrv.
1358 		 */
1359 		qenable(RD(lwq));
1360 
1361 		/*
1362 		 * Send useful information down to the modules which are now
1363 		 * linked below this driver (for this particular ppa). Only
1364 		 * do this if we are not the last PPP module on the stream.
1365 		 */
1366 		if (!IS_PPA_LASTMOD(ppa)) {
1367 			(void) putctl8(lwq, M_CTL, PPPCTL_UNIT,
1368 			    ppa->ppa_ppa_id);
1369 			(void) putctl4(lwq, M_CTL, PPPCTL_MRU, ppa->ppa_mru);
1370 			(void) putctl4(lwq, M_CTL, PPPCTL_MTU, ppa->ppa_mtu);
1371 		}
1372 
1373 		if (IS_SPS_KDEBUG(sps)) {
1374 			SPDEBUG(PPP_DRV_NAME
1375 			    "/%d: I_LINK lwq=0x%p sps=0x%p flags=0x%b ppa=0x%p "
1376 			    "flags=0x%b\n", sps->sps_mn_id,
1377 			    (void *)ppa->ppa_lower_wq, (void *)sps,
1378 			    sps->sps_flags, SPS_FLAGS_STR,
1379 			    (void *)ppa, ppa->ppa_flags,
1380 			    PPA_FLAGS_STR);
1381 		}
1382 		error = 0;		/* return success */
1383 		break;
1384 	case I_UNLINK:
1385 		ASSERT(IS_SPS_CONTROL(sps));
1386 		ASSERT(ppa != NULL);
1387 		lwq = ppa->ppa_lower_wq;
1388 		ASSERT(mp->b_cont != NULL && mp->b_cont->b_rptr != NULL);
1389 		ASSERT(lwq == ((struct linkblk *)mp->b_cont->b_rptr)->l_qbot);
1390 
1391 		if (IS_SPS_KDEBUG(sps)) {
1392 			SPDEBUG(PPP_DRV_NAME
1393 			    "/%d: I_UNLINK lwq=0x%p sps=0x%p flags=0x%b "
1394 			    "ppa=0x%p flags=0x%b\n", sps->sps_mn_id,
1395 			    (void *)lwq, (void *)sps, sps->sps_flags,
1396 			    SPS_FLAGS_STR, (void *)ppa, ppa->ppa_flags,
1397 			    PPA_FLAGS_STR);
1398 		}
1399 		/*
1400 		 * While accessing the outer perimeter exclusively, we
1401 		 * disassociate our ppa's lower_wq from the lower stream linked
1402 		 * beneath us, and we also disassociate our control stream from
1403 		 * the q_ptr of the lower stream.
1404 		 */
1405 		lwq->q_ptr = RD(lwq)->q_ptr = NULL;
1406 		ppa->ppa_lower_wq = NULL;
1407 		/*
1408 		 * Unblock streams which now feed back up the control stream,
1409 		 * and acknowledge the request. We don't need to hold
1410 		 * ppa_sib_lock here, since we are writer at the outer
1411 		 * perimeter.
1412 		 */
1413 		if (WR(sps->sps_rq)->q_first != NULL)
1414 			qenable(WR(sps->sps_rq));
1415 		for (nextsib = ppa->ppa_streams; nextsib != NULL;
1416 		    nextsib = nextsib->sps_nextsib) {
1417 			if (WR(nextsib->sps_rq)->q_first != NULL) {
1418 				qenable(WR(nextsib->sps_rq));
1419 			}
1420 		}
1421 		error = 0;		/* return success */
1422 		break;
1423 	case PPPIO_NEWPPA:
1424 		/*
1425 		 * Do sanity check to ensure that we don't accept PPPIO_NEWPPA
1426 		 * on a stream which DLPI is used (since certain DLPI messages
1427 		 * will cause state transition reflected in sps_dlstate,
1428 		 * changing it from its default DL_UNATTACHED value). In other
1429 		 * words, we won't allow a network/snoop stream to become
1430 		 * a control stream.
1431 		 */
1432 		if (iop->ioc_cr == NULL ||
1433 		    secpolicy_ppp_config(iop->ioc_cr) != 0) {
1434 			error = EPERM;
1435 			break;
1436 		} else if (IS_SPS_CONTROL(sps) || IS_SPS_PIOATTACH(sps) ||
1437 		    (ppa != NULL) || (sps->sps_dlstate != DL_UNATTACHED)) {
1438 			break;		/* return EINVAL */
1439 		}
1440 		/* Get requested unit number (if any) */
1441 		if (iop->ioc_count == sizeof (uint32_t) && mp->b_cont != NULL)
1442 			ppa_id = *(uint32_t *)mp->b_cont->b_rptr;
1443 		else
1444 			ppa_id = 0;
1445 		/* Get mblk to use for response message */
1446 		nmp = allocb(sizeof (uint32_t), BPRI_MED);
1447 		if (nmp == NULL) {
1448 			error = ENOSR;
1449 			break;
1450 		}
1451 		if (mp->b_cont != NULL) {
1452 			freemsg(mp->b_cont);
1453 		}
1454 		mp->b_cont = nmp;		/* chain our response mblk */
1455 		/*
1456 		 * Walk the global ppa list and determine the lowest
1457 		 * available ppa_id number to be used.
1458 		 */
1459 		if (ppa_id == (uint32_t)-1)
1460 			ppa_id = 0;
1461 		zoneid = crgetzoneid(iop->ioc_cr);
1462 		for (ppa = ppa_list; ppa != NULL; ppa = ppa->ppa_nextppa) {
1463 			if (ppa_id == (uint32_t)-2) {
1464 				if (ppa->ppa_ctl == NULL &&
1465 				    ppa->ppa_zoneid == zoneid)
1466 					break;
1467 			} else {
1468 				if (ppa_id < ppa->ppa_ppa_id)
1469 					break;
1470 				if (ppa_id == ppa->ppa_ppa_id)
1471 					++ppa_id;
1472 			}
1473 		}
1474 		if (ppa_id == (uint32_t)-2) {
1475 			if (ppa == NULL) {
1476 				error = ENXIO;
1477 				break;
1478 			}
1479 			/* Clear timestamp and lastmod flags */
1480 			ppa->ppa_flags = 0;
1481 		} else {
1482 			ppa = sppp_create_ppa(ppa_id, zoneid);
1483 			if (ppa == NULL) {
1484 				error = ENOMEM;
1485 				break;
1486 			}
1487 		}
1488 
1489 		sps->sps_ppa = ppa;		/* chain the ppa structure */
1490 		sps->sps_npmode = NPMODE_PASS;	/* network packets may travel */
1491 		sps->sps_flags |= SPS_CONTROL;	/* this is the control stream */
1492 
1493 		ppa->ppa_refcnt++;		/* new PPA reference */
1494 		ppa->ppa_ctl = sps;		/* back ptr to upper stream */
1495 		/*
1496 		 * Return the newly created ppa_id to the requestor and
1497 		 * acnowledge the request.
1498 		 */
1499 		*(uint32_t *)nmp->b_wptr = ppa->ppa_ppa_id;
1500 		nmp->b_wptr += sizeof (uint32_t);
1501 
1502 		if (IS_SPS_KDEBUG(sps)) {
1503 			SPDEBUG(PPP_DRV_NAME
1504 			    "/%d: PPPIO_NEWPPA ppa_id=%d sps=0x%p flags=0x%b "
1505 			    "ppa=0x%p flags=0x%b\n", sps->sps_mn_id, ppa_id,
1506 			    (void *)sps, sps->sps_flags, SPS_FLAGS_STR,
1507 			    (void *)ppa, ppa->ppa_flags,
1508 			    PPA_FLAGS_STR);
1509 		}
1510 		count = msgsize(nmp);
1511 		error = 0;
1512 		break;
1513 	}
1514 
1515 	if (error == 0) {
1516 		/* Success; tell the user. */
1517 		miocack(q, mp, count, 0);
1518 	} else {
1519 		/* Failure; send error back upstream. */
1520 		miocnak(q, mp, 0, error);
1521 	}
1522 }
1523 
1524 /*
1525  * sppp_send()
1526  *
1527  * MT-Perimeters:
1528  *    shared inner, shared outer.
1529  *
1530  * Description:
1531  *    Called by sppp_uwput to handle M_DATA message type.  Returns
1532  *    queue_t for putnext, or NULL to mean that the packet was
1533  *    handled internally.
1534  */
1535 static queue_t *
1536 sppp_send(queue_t *q, mblk_t **mpp, spppstr_t *sps)
1537 {
1538 	mblk_t	*mp;
1539 	sppa_t	*ppa;
1540 	int	is_promisc;
1541 	int	msize;
1542 	int	error = 0;
1543 	queue_t	*nextq;
1544 
1545 	ASSERT(mpp != NULL);
1546 	mp = *mpp;
1547 	ASSERT(q != NULL && q->q_ptr != NULL);
1548 	ASSERT(mp != NULL && mp->b_rptr != NULL);
1549 	ASSERT(sps != NULL);
1550 	ASSERT(q->q_ptr == sps);
1551 	/*
1552 	 * We only let M_DATA through if the sender is either the control
1553 	 * stream (for PPP control packets) or one of the network streams
1554 	 * (for IP packets) in IP fastpath mode. If this stream is not attached
1555 	 * to any ppas, then discard data coming down through this stream.
1556 	 */
1557 	ppa = sps->sps_ppa;
1558 	if (ppa == NULL) {
1559 		ASSERT(!IS_SPS_CONTROL(sps));
1560 		error = ENOLINK;
1561 	} else if (!IS_SPS_CONTROL(sps) && !IS_SPS_FASTPATH(sps)) {
1562 		error = EPROTO;
1563 	}
1564 	if (error != 0) {
1565 		merror(q, mp, error);
1566 		return (NULL);
1567 	}
1568 	msize = msgdsize(mp);
1569 	if (msize > (ppa->ppa_mtu + PPP_HDRLEN)) {
1570 		/* Log, and send it anyway */
1571 		mutex_enter(&ppa->ppa_sta_lock);
1572 		ppa->ppa_otoolongs++;
1573 		mutex_exit(&ppa->ppa_sta_lock);
1574 	} else if (msize < PPP_HDRLEN) {
1575 		/*
1576 		 * Log, and send it anyway. We log it because we get things
1577 		 * in M_DATA form here, which tells us that the sender is
1578 		 * either IP in fastpath transmission mode, or pppd. In both
1579 		 * cases, they are currently expected to send the 4-bytes
1580 		 * PPP header in front of any possible payloads.
1581 		 */
1582 		mutex_enter(&ppa->ppa_sta_lock);
1583 		ppa->ppa_orunts++;
1584 		mutex_exit(&ppa->ppa_sta_lock);
1585 	}
1586 
1587 	if (IS_SPS_KDEBUG(sps)) {
1588 		SPDEBUG(PPP_DRV_NAME
1589 		    "/%d: M_DATA send (%d bytes) sps=0x%p flags=0x%b "
1590 		    "ppa=0x%p flags=0x%b\n", sps->sps_mn_id, msize,
1591 		    (void *)sps, sps->sps_flags, SPS_FLAGS_STR,
1592 		    (void *)ppa, ppa->ppa_flags, PPA_FLAGS_STR);
1593 	}
1594 	/*
1595 	 * Should there be any promiscuous stream(s), send the data up
1596 	 * for each promiscuous stream that we recognize. Make sure that
1597 	 * for fastpath, we skip the PPP header in the M_DATA mblk. We skip
1598 	 * the control stream as we obviously never allow the control stream
1599 	 * to become promiscous and bind to PPP_ALLSAP.
1600 	 */
1601 	rw_enter(&ppa->ppa_sib_lock, RW_READER);
1602 	is_promisc = sps->sps_ppa->ppa_promicnt;
1603 	if (is_promisc) {
1604 		ASSERT(ppa->ppa_streams != NULL);
1605 		sppp_dlprsendup(ppa->ppa_streams, mp, sps->sps_sap, B_TRUE);
1606 	}
1607 	rw_exit(&ppa->ppa_sib_lock);
1608 	/*
1609 	 * Only time-stamp the packet with hrtime if the upper stream
1610 	 * is configured to do so.  PPP control (negotiation) messages
1611 	 * are never considered link activity; only data is activity.
1612 	 */
1613 	if (!IS_SPS_CONTROL(sps) && IS_PPA_TIMESTAMP(ppa)) {
1614 		ppa->ppa_lasttx = gethrtime();
1615 	}
1616 	/*
1617 	 * If there's already a message in the write-side service queue,
1618 	 * then queue this message there as well, otherwise, try to send
1619 	 * it down to the module immediately below us.
1620 	 */
1621 	if (q->q_first != NULL ||
1622 	    (nextq = sppp_outpkt(q, mpp, msize, sps)) == NULL) {
1623 		mp = *mpp;
1624 		if (mp != NULL && putq(q, mp) == 0) {
1625 			mutex_enter(&ppa->ppa_sta_lock);
1626 			ppa->ppa_oqdropped++;
1627 			mutex_exit(&ppa->ppa_sta_lock);
1628 			freemsg(mp);
1629 		}
1630 		return (NULL);
1631 	}
1632 	return (nextq);
1633 }
1634 
1635 /*
1636  * sppp_outpkt()
1637  *
1638  * MT-Perimeters:
1639  *    shared inner, shared outer (if called from sppp_wput, sppp_dlunitdatareq).
1640  *    exclusive inner, shared outer (if called from sppp_wsrv).
1641  *
1642  * Description:
1643  *    Called from 1) sppp_uwput when processing a M_DATA fastpath message,
1644  *    or 2) sppp_uwsrv when processing the upper write-side service queue.
1645  *    For both cases, it prepares to send the data to the module below
1646  *    this driver if there is a lower stream linked underneath. If none, then
1647  *    the data will be sent upstream via the control channel to pppd.
1648  *
1649  * Returns:
1650  *	Non-NULL queue_t if message should be sent now, otherwise
1651  *	if *mpp == NULL, then message was freed, otherwise put *mpp
1652  *	(back) on the queue.  (Does not do putq/putbq, since it's
1653  *	called both from srv and put procedures.)
1654  */
1655 static queue_t *
1656 sppp_outpkt(queue_t *q, mblk_t **mpp, int msize, spppstr_t *sps)
1657 {
1658 	mblk_t		*mp;
1659 	sppa_t		*ppa;
1660 	enum NPmode	npmode;
1661 	mblk_t		*mpnew;
1662 
1663 	ASSERT(mpp != NULL);
1664 	mp = *mpp;
1665 	ASSERT(q != NULL && q->q_ptr != NULL);
1666 	ASSERT(mp != NULL && mp->b_rptr != NULL);
1667 	ASSERT(sps != NULL);
1668 
1669 	ppa = sps->sps_ppa;
1670 	npmode = sps->sps_npmode;
1671 
1672 	if (npmode == NPMODE_QUEUE) {
1673 		ASSERT(!IS_SPS_CONTROL(sps));
1674 		return (NULL);	/* queue it for later */
1675 	} else if (ppa == NULL || ppa->ppa_ctl == NULL ||
1676 	    npmode == NPMODE_DROP || npmode == NPMODE_ERROR) {
1677 		/*
1678 		 * This can not be the control stream, as it must always have
1679 		 * a valid ppa, and its npmode must always be NPMODE_PASS.
1680 		 */
1681 		ASSERT(!IS_SPS_CONTROL(sps));
1682 		if (npmode == NPMODE_DROP) {
1683 			freemsg(mp);
1684 		} else {
1685 			/*
1686 			 * If we no longer have the control stream, or if the
1687 			 * mode is set to NPMODE_ERROR, then we need to tell IP
1688 			 * that the interface need to be marked as down. In
1689 			 * other words, we tell IP to be quiescent.
1690 			 */
1691 			merror(q, mp, EPROTO);
1692 		}
1693 		*mpp = NULL;
1694 		return (NULL);	/* don't queue it */
1695 	}
1696 	/*
1697 	 * Do we have a driver stream linked underneath ? If not, we need to
1698 	 * notify pppd that the link needs to be brought up and configure
1699 	 * this upper stream to drop subsequent outgoing packets. This is
1700 	 * for demand-dialing, in which case pppd has done the IP plumbing
1701 	 * but hasn't linked the driver stream underneath us. Therefore, when
1702 	 * a packet is sent down the IP interface, a notification message
1703 	 * will be sent up the control stream to pppd in order for it to
1704 	 * establish the physical link. The driver stream is then expected
1705 	 * to be linked underneath after physical link establishment is done.
1706 	 */
1707 	if (ppa->ppa_lower_wq == NULL) {
1708 		ASSERT(ppa->ppa_ctl != NULL);
1709 		ASSERT(ppa->ppa_ctl->sps_rq != NULL);
1710 
1711 		*mpp = NULL;
1712 		mpnew = create_lsmsg(PPP_LINKSTAT_NEEDUP);
1713 		if (mpnew == NULL) {
1714 			freemsg(mp);
1715 			mutex_enter(&ppa->ppa_sta_lock);
1716 			ppa->ppa_allocbfail++;
1717 			mutex_exit(&ppa->ppa_sta_lock);
1718 			return (NULL);	/* don't queue it */
1719 		}
1720 		/* Include the data in the message for logging. */
1721 		mpnew->b_cont = mp;
1722 		mutex_enter(&ppa->ppa_sta_lock);
1723 		ppa->ppa_lsneedup++;
1724 		mutex_exit(&ppa->ppa_sta_lock);
1725 		/*
1726 		 * We need to set the mode to NPMODE_DROP, but should only
1727 		 * do so when this stream is not the control stream.
1728 		 */
1729 		if (!IS_SPS_CONTROL(sps)) {
1730 			sps->sps_npmode = NPMODE_DROP;
1731 		}
1732 		putnext(ppa->ppa_ctl->sps_rq, mpnew);
1733 		return (NULL);	/* don't queue it */
1734 	}
1735 	/*
1736 	 * If so, then try to send it down. The lower queue is only ever
1737 	 * detached while holding an exclusive lock on the whole driver,
1738 	 * so we can be confident that the lower queue is still there.
1739 	 */
1740 	if (bcanputnext(ppa->ppa_lower_wq, mp->b_band)) {
1741 		mutex_enter(&ppa->ppa_sta_lock);
1742 		ppa->ppa_stats.p.ppp_opackets++;
1743 		if (IS_SPS_CONTROL(sps)) {
1744 			ppa->ppa_opkt_ctl++;
1745 		}
1746 		ppa->ppa_stats.p.ppp_obytes += msize;
1747 		mutex_exit(&ppa->ppa_sta_lock);
1748 		return (ppa->ppa_lower_wq);	/* don't queue it */
1749 	}
1750 	return (NULL);	/* queue it for later */
1751 }
1752 
1753 /*
1754  * sppp_lwsrv()
1755  *
1756  * MT-Perimeters:
1757  *    exclusive inner, shared outer.
1758  *
1759  * Description:
1760  *    Lower write-side service procedure. No messages are ever placed on
1761  *    the write queue here, this just back-enables all upper write side
1762  *    service procedures.
1763  */
1764 int
1765 sppp_lwsrv(queue_t *q)
1766 {
1767 	sppa_t		*ppa;
1768 	spppstr_t	*nextsib;
1769 
1770 	ASSERT(q != NULL && q->q_ptr != NULL);
1771 	ppa = (sppa_t *)q->q_ptr;
1772 	ASSERT(ppa != NULL);
1773 
1774 	rw_enter(&ppa->ppa_sib_lock, RW_READER);
1775 	if ((nextsib = ppa->ppa_ctl) != NULL &&
1776 	    WR(nextsib->sps_rq)->q_first != NULL)
1777 		qenable(WR(nextsib->sps_rq));
1778 	for (nextsib = ppa->ppa_streams; nextsib != NULL;
1779 	    nextsib = nextsib->sps_nextsib) {
1780 		if (WR(nextsib->sps_rq)->q_first != NULL) {
1781 			qenable(WR(nextsib->sps_rq));
1782 		}
1783 	}
1784 	rw_exit(&ppa->ppa_sib_lock);
1785 	return (0);
1786 }
1787 
1788 /*
1789  * sppp_lrput()
1790  *
1791  * MT-Perimeters:
1792  *    shared inner, shared outer.
1793  *
1794  * Description:
1795  *    Lower read-side put procedure. Messages from below get here.
1796  *    Data messages are handled separately to limit stack usage
1797  *    going into IP.
1798  *
1799  *    Note that during I_UNLINK processing, it's possible for a downstream
1800  *    message to enable upstream data (due to pass_wput() removing the
1801  *    SQ_BLOCKED flag), and thus we must protect against a NULL sppa pointer.
1802  *    In this case, the only thing above us is passthru, and we might as well
1803  *    discard.
1804  */
1805 int
1806 sppp_lrput(queue_t *q, mblk_t *mp)
1807 {
1808 	sppa_t		*ppa;
1809 	spppstr_t	*sps;
1810 
1811 	if ((ppa = q->q_ptr) == NULL) {
1812 		freemsg(mp);
1813 		return (0);
1814 	}
1815 
1816 	sps = ppa->ppa_ctl;
1817 
1818 	if (MTYPE(mp) != M_DATA) {
1819 		sppp_recv_nondata(q, mp, sps);
1820 	} else if (sps == NULL) {
1821 		freemsg(mp);
1822 	} else if ((q = sppp_recv(q, &mp, sps)) != NULL) {
1823 		putnext(q, mp);
1824 	}
1825 	return (0);
1826 }
1827 
1828 /*
1829  * sppp_lrsrv()
1830  *
1831  * MT-Perimeters:
1832  *    exclusive inner, shared outer.
1833  *
1834  * Description:
1835  *    Lower read-side service procedure.  This is run once after the I_LINK
1836  *    occurs in order to clean up any packets that came in while we were
1837  *    transferring in the lower stream.  Otherwise, it's not used.
1838  */
1839 int
1840 sppp_lrsrv(queue_t *q)
1841 {
1842 	mblk_t *mp;
1843 
1844 	while ((mp = getq(q)) != NULL)
1845 		sppp_lrput(q, mp);
1846 	return (0);
1847 }
1848 
1849 /*
1850  * sppp_recv_nondata()
1851  *
1852  * MT-Perimeters:
1853  *    shared inner, shared outer.
1854  *
1855  * Description:
1856  *    All received non-data messages come through here.
1857  */
1858 static void
1859 sppp_recv_nondata(queue_t *q, mblk_t *mp, spppstr_t *ctlsps)
1860 {
1861 	sppa_t		*ppa;
1862 	spppstr_t	*destsps;
1863 	struct iocblk	*iop;
1864 
1865 	ppa = (sppa_t *)q->q_ptr;
1866 	ctlsps = ppa->ppa_ctl;
1867 
1868 	switch (MTYPE(mp)) {
1869 	case M_CTL:
1870 		mutex_enter(&ppa->ppa_sta_lock);
1871 		if (*mp->b_rptr == PPPCTL_IERROR) {
1872 			ppa->ppa_stats.p.ppp_ierrors++;
1873 			ppa->ppa_ierr_low++;
1874 			ppa->ppa_mctlsknown++;
1875 		} else if (*mp->b_rptr == PPPCTL_OERROR) {
1876 			ppa->ppa_stats.p.ppp_oerrors++;
1877 			ppa->ppa_oerr_low++;
1878 			ppa->ppa_mctlsknown++;
1879 		} else {
1880 			ppa->ppa_mctlsunknown++;
1881 		}
1882 		mutex_exit(&ppa->ppa_sta_lock);
1883 		freemsg(mp);
1884 		break;
1885 	case M_IOCTL:
1886 		miocnak(q, mp, 0, EINVAL);
1887 		break;
1888 	case M_IOCACK:
1889 	case M_IOCNAK:
1890 		iop = (struct iocblk *)mp->b_rptr;
1891 		ASSERT(iop != NULL);
1892 		/*
1893 		 * Attempt to match up the response with the stream that the
1894 		 * request came from. If ioc_id doesn't match the one that we
1895 		 * recorded, then discard this message.
1896 		 */
1897 		rw_enter(&ppa->ppa_sib_lock, RW_READER);
1898 		if ((destsps = ctlsps) == NULL ||
1899 		    destsps->sps_ioc_id != iop->ioc_id) {
1900 			destsps = ppa->ppa_streams;
1901 			while (destsps != NULL) {
1902 				if (destsps->sps_ioc_id == iop->ioc_id) {
1903 					break;	/* found the upper stream */
1904 				}
1905 				destsps = destsps->sps_nextsib;
1906 			}
1907 		}
1908 		rw_exit(&ppa->ppa_sib_lock);
1909 		if (destsps == NULL) {
1910 			mutex_enter(&ppa->ppa_sta_lock);
1911 			ppa->ppa_ioctlsfwderr++;
1912 			mutex_exit(&ppa->ppa_sta_lock);
1913 			freemsg(mp);
1914 			break;
1915 		}
1916 		mutex_enter(&ppa->ppa_sta_lock);
1917 		ppa->ppa_ioctlsfwdok++;
1918 
1919 		/*
1920 		 * Clear SPS_IOCQ and enable the lower write side queue,
1921 		 * this would allow the upper stream service routine
1922 		 * to start processing the queue for pending messages.
1923 		 * sppp_lwsrv -> sppp_uwsrv.
1924 		 */
1925 		destsps->sps_flags &= ~SPS_IOCQ;
1926 		mutex_exit(&ppa->ppa_sta_lock);
1927 		qenable(WR(destsps->sps_rq));
1928 
1929 		putnext(destsps->sps_rq, mp);
1930 		break;
1931 	case M_HANGUP:
1932 		/*
1933 		 * Free the original mblk_t. We don't really want to send
1934 		 * a M_HANGUP message upstream, so we need to translate this
1935 		 * message into something else.
1936 		 */
1937 		freemsg(mp);
1938 		if (ctlsps == NULL)
1939 			break;
1940 		mp = create_lsmsg(PPP_LINKSTAT_HANGUP);
1941 		if (mp == NULL) {
1942 			mutex_enter(&ppa->ppa_sta_lock);
1943 			ppa->ppa_allocbfail++;
1944 			mutex_exit(&ppa->ppa_sta_lock);
1945 			break;
1946 		}
1947 		mutex_enter(&ppa->ppa_sta_lock);
1948 		ppa->ppa_lsdown++;
1949 		mutex_exit(&ppa->ppa_sta_lock);
1950 		putnext(ctlsps->sps_rq, mp);
1951 		break;
1952 	case M_FLUSH:
1953 		if (*mp->b_rptr & FLUSHR) {
1954 			flushq(q, FLUSHDATA);
1955 		}
1956 		if (*mp->b_rptr & FLUSHW) {
1957 			*mp->b_rptr &= ~FLUSHR;
1958 			qreply(q, mp);
1959 		} else {
1960 			freemsg(mp);
1961 		}
1962 		break;
1963 	default:
1964 		if (ctlsps != NULL &&
1965 		    (queclass(mp) == QPCTL) || canputnext(ctlsps->sps_rq)) {
1966 			putnext(ctlsps->sps_rq, mp);
1967 		} else {
1968 			mutex_enter(&ppa->ppa_sta_lock);
1969 			ppa->ppa_iqdropped++;
1970 			mutex_exit(&ppa->ppa_sta_lock);
1971 			freemsg(mp);
1972 		}
1973 		break;
1974 	}
1975 }
1976 
1977 /*
1978  * sppp_recv()
1979  *
1980  * MT-Perimeters:
1981  *    shared inner, shared outer.
1982  *
1983  * Description:
1984  *    Receive function called by sppp_lrput.  Finds appropriate
1985  *    receive stream and does accounting.
1986  */
1987 static queue_t *
1988 sppp_recv(queue_t *q, mblk_t **mpp, spppstr_t *ctlsps)
1989 {
1990 	mblk_t		*mp;
1991 	int		len;
1992 	sppa_t		*ppa;
1993 	spppstr_t	*destsps;
1994 	mblk_t		*zmp;
1995 	uint32_t	npflagpos;
1996 
1997 	ASSERT(mpp != NULL);
1998 	mp = *mpp;
1999 	ASSERT(q != NULL && q->q_ptr != NULL);
2000 	ASSERT(mp != NULL && mp->b_rptr != NULL);
2001 	ASSERT(ctlsps != NULL);
2002 	ASSERT(IS_SPS_CONTROL(ctlsps));
2003 	ppa = ctlsps->sps_ppa;
2004 	ASSERT(ppa != NULL && ppa->ppa_ctl != NULL);
2005 
2006 	len = msgdsize(mp);
2007 	mutex_enter(&ppa->ppa_sta_lock);
2008 	ppa->ppa_stats.p.ppp_ibytes += len;
2009 	mutex_exit(&ppa->ppa_sta_lock);
2010 	/*
2011 	 * If the entire data size of the mblk is less than the length of the
2012 	 * PPP header, then free it. We can't do much with such message anyway,
2013 	 * since we can't really determine what the PPP protocol type is.
2014 	 */
2015 	if (len < PPP_HDRLEN) {
2016 		/* Log, and free it */
2017 		mutex_enter(&ppa->ppa_sta_lock);
2018 		ppa->ppa_irunts++;
2019 		mutex_exit(&ppa->ppa_sta_lock);
2020 		freemsg(mp);
2021 		return (NULL);
2022 	} else if (len > (ppa->ppa_mru + PPP_HDRLEN)) {
2023 		/* Log, and accept it anyway */
2024 		mutex_enter(&ppa->ppa_sta_lock);
2025 		ppa->ppa_itoolongs++;
2026 		mutex_exit(&ppa->ppa_sta_lock);
2027 	}
2028 	/*
2029 	 * We need at least be able to read the PPP protocol from the header,
2030 	 * so if the first message block is too small, then we concatenate the
2031 	 * rest of the following blocks into one message.
2032 	 */
2033 	if (MBLKL(mp) < PPP_HDRLEN) {
2034 		zmp = msgpullup(mp, PPP_HDRLEN);
2035 		freemsg(mp);
2036 		mp = zmp;
2037 		if (mp == NULL) {
2038 			mutex_enter(&ppa->ppa_sta_lock);
2039 			ppa->ppa_allocbfail++;
2040 			mutex_exit(&ppa->ppa_sta_lock);
2041 			return (NULL);
2042 		}
2043 		*mpp = mp;
2044 	}
2045 	/*
2046 	 * Hold this packet in the control-queue until
2047 	 * the matching network-layer upper stream for the PPP protocol (sap)
2048 	 * has not been plumbed and configured
2049 	 */
2050 	npflagpos = sppp_ppp2np(PPP_PROTOCOL(mp->b_rptr));
2051 	mutex_enter(&ppa->ppa_npmutex);
2052 	if (npflagpos != 0 && (ppa->ppa_npflag & (1 << npflagpos))) {
2053 		/*
2054 		 * proto is currently blocked; Hold up to 4 packets
2055 		 * in the kernel.
2056 		 */
2057 		if (ppa->ppa_holdpkts[npflagpos] > 3 ||
2058 		    putq(ctlsps->sps_rq, mp) == 0)
2059 			freemsg(mp);
2060 		else
2061 			ppa->ppa_holdpkts[npflagpos]++;
2062 		mutex_exit(&ppa->ppa_npmutex);
2063 		return (NULL);
2064 	}
2065 	mutex_exit(&ppa->ppa_npmutex);
2066 	/*
2067 	 * Try to find a matching network-layer upper stream for the specified
2068 	 * PPP protocol (sap), and if none is found, send this frame up the
2069 	 * control stream.
2070 	 */
2071 	destsps = sppp_inpkt(q, mp, ctlsps);
2072 	if (destsps == NULL) {
2073 		mutex_enter(&ppa->ppa_sta_lock);
2074 		ppa->ppa_ipkt_ctl++;
2075 		mutex_exit(&ppa->ppa_sta_lock);
2076 		if (canputnext(ctlsps->sps_rq)) {
2077 			if (IS_SPS_KDEBUG(ctlsps)) {
2078 				SPDEBUG(PPP_DRV_NAME
2079 				    "/%d: M_DATA recv (%d bytes) sps=0x%p "
2080 				    "flags=0x%b ppa=0x%p flags=0x%b\n",
2081 				    ctlsps->sps_mn_id, len, (void *)ctlsps,
2082 				    ctlsps->sps_flags, SPS_FLAGS_STR,
2083 				    (void *)ppa, ppa->ppa_flags,
2084 				    PPA_FLAGS_STR);
2085 			}
2086 			return (ctlsps->sps_rq);
2087 		} else {
2088 			mutex_enter(&ppa->ppa_sta_lock);
2089 			ppa->ppa_iqdropped++;
2090 			mutex_exit(&ppa->ppa_sta_lock);
2091 			freemsg(mp);
2092 			return (NULL);
2093 		}
2094 	}
2095 	if (canputnext(destsps->sps_rq)) {
2096 		if (IS_SPS_KDEBUG(destsps)) {
2097 			SPDEBUG(PPP_DRV_NAME
2098 			    "/%d: M_DATA recv (%d bytes) sps=0x%p flags=0x%b "
2099 			    "ppa=0x%p flags=0x%b\n", destsps->sps_mn_id, len,
2100 			    (void *)destsps, destsps->sps_flags,
2101 			    SPS_FLAGS_STR, (void *)ppa, ppa->ppa_flags,
2102 			    PPA_FLAGS_STR);
2103 		}
2104 		/*
2105 		 * If fastpath is enabled on the network-layer stream, then
2106 		 * make sure we skip over the PPP header, otherwise, we wrap
2107 		 * the message in a DLPI message.
2108 		 */
2109 		if (IS_SPS_FASTPATH(destsps)) {
2110 			mp->b_rptr += PPP_HDRLEN;
2111 			return (destsps->sps_rq);
2112 		} else {
2113 			spppstr_t *uqs = (spppstr_t *)destsps->sps_rq->q_ptr;
2114 			ASSERT(uqs != NULL);
2115 			mp->b_rptr += PPP_HDRLEN;
2116 			mp = sppp_dladdud(uqs, mp, uqs->sps_sap, B_FALSE);
2117 			if (mp != NULL) {
2118 				*mpp = mp;
2119 				return (destsps->sps_rq);
2120 			} else {
2121 				mutex_enter(&ppa->ppa_sta_lock);
2122 				ppa->ppa_allocbfail++;
2123 				mutex_exit(&ppa->ppa_sta_lock);
2124 				/* mp already freed by sppp_dladdud */
2125 				return (NULL);
2126 			}
2127 		}
2128 	} else {
2129 		mutex_enter(&ppa->ppa_sta_lock);
2130 		ppa->ppa_iqdropped++;
2131 		mutex_exit(&ppa->ppa_sta_lock);
2132 		freemsg(mp);
2133 		return (NULL);
2134 	}
2135 }
2136 
2137 /*
2138  * sppp_inpkt()
2139  *
2140  * MT-Perimeters:
2141  *    shared inner, shared outer.
2142  *
2143  * Description:
2144  *    Find the destination upper stream for the received packet, called
2145  *    from sppp_recv.
2146  *
2147  * Returns:
2148  *    ptr to destination upper network stream, or NULL for control stream.
2149  */
2150 /* ARGSUSED */
2151 static spppstr_t *
2152 sppp_inpkt(queue_t *q, mblk_t *mp, spppstr_t *ctlsps)
2153 {
2154 	spppstr_t	*destsps = NULL;
2155 	sppa_t		*ppa;
2156 	uint16_t	proto;
2157 	int		is_promisc;
2158 
2159 	ASSERT(q != NULL && q->q_ptr != NULL);
2160 	ASSERT(mp != NULL && mp->b_rptr != NULL);
2161 	ASSERT(IS_SPS_CONTROL(ctlsps));
2162 	ppa = ctlsps->sps_ppa;
2163 	ASSERT(ppa != NULL);
2164 	/*
2165 	 * From RFC 1661 (Section 2):
2166 	 *
2167 	 * The Protocol field is one or two octets, and its value identifies
2168 	 * the datagram encapsulated in the Information field of the packet.
2169 	 * The field is transmitted and received most significant octet first.
2170 	 *
2171 	 * The structure of this field is consistent with the ISO 3309
2172 	 * extension mechanism for address fields.  All Protocols MUST be odd;
2173 	 * the least significant bit of the least significant octet MUST equal
2174 	 * "1".  Also, all Protocols MUST be assigned such that the least
2175 	 * significant bit of the most significant octet equals "0". Frames
2176 	 * received which don't comply with these rules MUST be treated as
2177 	 * having an unrecognized Protocol.
2178 	 *
2179 	 * Protocol field values in the "0***" to "3***" range identify the
2180 	 * network-layer protocol of specific packets, and values in the
2181 	 * "8***" to "b***" range identify packets belonging to the associated
2182 	 * Network Control Protocols (NCPs), if any.
2183 	 *
2184 	 * Protocol field values in the "4***" to "7***" range are used for
2185 	 * protocols with low volume traffic which have no associated NCP.
2186 	 * Protocol field values in the "c***" to "f***" range identify packets
2187 	 * as link-layer Control Protocols (such as LCP).
2188 	 */
2189 	proto = PPP_PROTOCOL(mp->b_rptr);
2190 	mutex_enter(&ppa->ppa_sta_lock);
2191 	ppa->ppa_stats.p.ppp_ipackets++;
2192 	mutex_exit(&ppa->ppa_sta_lock);
2193 	/*
2194 	 * We check if this is not a network-layer protocol, and if so,
2195 	 * then send this packet up the control stream.
2196 	 */
2197 	if (proto > 0x7fff) {
2198 		goto inpkt_done;	/* send it up the control stream */
2199 	}
2200 	/*
2201 	 * Try to grab the destination upper stream from the network-layer
2202 	 * stream cache for this ppa for PPP_IP (0x0021) or PPP_IPV6 (0x0057)
2203 	 * protocol types. Otherwise, if the type is not known to the cache,
2204 	 * or if its sap can't be matched with any of the upper streams, then
2205 	 * send this packet up the control stream so that it can be rejected.
2206 	 */
2207 	if (proto == PPP_IP) {
2208 		destsps = ppa->ppa_ip_cache;
2209 	} else if (proto == PPP_IPV6) {
2210 		destsps = ppa->ppa_ip6_cache;
2211 	}
2212 	/*
2213 	 * Toss this one away up the control stream if there's no matching sap;
2214 	 * this way the protocol can be rejected (destsps is NULL).
2215 	 */
2216 
2217 inpkt_done:
2218 	/*
2219 	 * Only time-stamp the packet with hrtime if the upper stream
2220 	 * is configured to do so.  PPP control (negotiation) messages
2221 	 * are never considered link activity; only data is activity.
2222 	 */
2223 	if (destsps != NULL && IS_PPA_TIMESTAMP(ppa)) {
2224 		ppa->ppa_lastrx = gethrtime();
2225 	}
2226 	/*
2227 	 * Should there be any promiscuous stream(s), send the data up for
2228 	 * each promiscuous stream that we recognize. We skip the control
2229 	 * stream as we obviously never allow the control stream to become
2230 	 * promiscous and bind to PPP_ALLSAP.
2231 	 */
2232 	rw_enter(&ppa->ppa_sib_lock, RW_READER);
2233 	is_promisc = ppa->ppa_promicnt;
2234 	if (is_promisc) {
2235 		ASSERT(ppa->ppa_streams != NULL);
2236 		sppp_dlprsendup(ppa->ppa_streams, mp, proto, B_TRUE);
2237 	}
2238 	rw_exit(&ppa->ppa_sib_lock);
2239 	return (destsps);
2240 }
2241 
2242 /*
2243  * sppp_kstat_update()
2244  *
2245  * Description:
2246  *    Update per-ppa kstat interface statistics.
2247  */
2248 static int
2249 sppp_kstat_update(kstat_t *ksp, int rw)
2250 {
2251 	register sppa_t		*ppa;
2252 	register sppp_kstats_t	*pppkp;
2253 	register struct pppstat64 *sp;
2254 
2255 	if (rw == KSTAT_WRITE) {
2256 		return (EACCES);
2257 	}
2258 
2259 	ppa = (sppa_t *)ksp->ks_private;
2260 	ASSERT(ppa != NULL);
2261 
2262 	pppkp = (sppp_kstats_t *)ksp->ks_data;
2263 	sp = &ppa->ppa_stats.p;
2264 
2265 	mutex_enter(&ppa->ppa_sta_lock);
2266 	pppkp->allocbfail.value.ui32	= ppa->ppa_allocbfail;
2267 	pppkp->mctlsfwd.value.ui32	= ppa->ppa_mctlsfwd;
2268 	pppkp->mctlsfwderr.value.ui32	= ppa->ppa_mctlsfwderr;
2269 	pppkp->rbytes.value.ui32	= sp->ppp_ibytes;
2270 	pppkp->rbytes64.value.ui64	= sp->ppp_ibytes;
2271 	pppkp->ierrors.value.ui32	= sp->ppp_ierrors;
2272 	pppkp->ierrors_lower.value.ui32	= ppa->ppa_ierr_low;
2273 	pppkp->ioctlsfwd.value.ui32	= ppa->ppa_ioctlsfwd;
2274 	pppkp->ioctlsfwdok.value.ui32	= ppa->ppa_ioctlsfwdok;
2275 	pppkp->ioctlsfwderr.value.ui32	= ppa->ppa_ioctlsfwderr;
2276 	pppkp->ipackets.value.ui32	= sp->ppp_ipackets;
2277 	pppkp->ipackets64.value.ui64	= sp->ppp_ipackets;
2278 	pppkp->ipackets_ctl.value.ui32	= ppa->ppa_ipkt_ctl;
2279 	pppkp->iqdropped.value.ui32	= ppa->ppa_iqdropped;
2280 	pppkp->irunts.value.ui32	= ppa->ppa_irunts;
2281 	pppkp->itoolongs.value.ui32	= ppa->ppa_itoolongs;
2282 	pppkp->lsneedup.value.ui32	= ppa->ppa_lsneedup;
2283 	pppkp->lsdown.value.ui32	= ppa->ppa_lsdown;
2284 	pppkp->mctlsknown.value.ui32	= ppa->ppa_mctlsknown;
2285 	pppkp->mctlsunknown.value.ui32	= ppa->ppa_mctlsunknown;
2286 	pppkp->obytes.value.ui32	= sp->ppp_obytes;
2287 	pppkp->obytes64.value.ui64	= sp->ppp_obytes;
2288 	pppkp->oerrors.value.ui32	= sp->ppp_oerrors;
2289 	pppkp->oerrors_lower.value.ui32	= ppa->ppa_oerr_low;
2290 	pppkp->opackets.value.ui32	= sp->ppp_opackets;
2291 	pppkp->opackets64.value.ui64	= sp->ppp_opackets;
2292 	pppkp->opackets_ctl.value.ui32	= ppa->ppa_opkt_ctl;
2293 	pppkp->oqdropped.value.ui32	= ppa->ppa_oqdropped;
2294 	pppkp->otoolongs.value.ui32	= ppa->ppa_otoolongs;
2295 	pppkp->orunts.value.ui32	= ppa->ppa_orunts;
2296 	mutex_exit(&ppa->ppa_sta_lock);
2297 
2298 	return (0);
2299 }
2300 
2301 /*
2302  * Turn off proto in ppa_npflag to indicate that
2303  * the corresponding network protocol has been plumbed.
2304  * Release proto packets that were being held in the control
2305  * queue in anticipation of this event.
2306  */
2307 static void
2308 sppp_release_pkts(sppa_t *ppa, uint16_t proto)
2309 {
2310 	uint32_t npflagpos = sppp_ppp2np(proto);
2311 	int count;
2312 	mblk_t *mp;
2313 	uint16_t mp_proto;
2314 	queue_t *q;
2315 	spppstr_t *destsps;
2316 
2317 	ASSERT(ppa != NULL);
2318 
2319 	if (npflagpos == 0 || (ppa->ppa_npflag & (1 << npflagpos)) == 0)
2320 		return;
2321 
2322 	mutex_enter(&ppa->ppa_npmutex);
2323 	ppa->ppa_npflag &= ~(1 << npflagpos);
2324 	count = ppa->ppa_holdpkts[npflagpos];
2325 	ppa->ppa_holdpkts[npflagpos] = 0;
2326 	mutex_exit(&ppa->ppa_npmutex);
2327 
2328 	q = ppa->ppa_ctl->sps_rq;
2329 
2330 	while (count > 0) {
2331 		mp = getq(q);
2332 		ASSERT(mp != NULL);
2333 
2334 		mp_proto = PPP_PROTOCOL(mp->b_rptr);
2335 		if (mp_proto !=  proto) {
2336 			(void) putq(q, mp);
2337 			continue;
2338 		}
2339 		count--;
2340 		destsps = NULL;
2341 		if (mp_proto == PPP_IP) {
2342 			destsps = ppa->ppa_ip_cache;
2343 		} else if (mp_proto == PPP_IPV6) {
2344 			destsps = ppa->ppa_ip6_cache;
2345 		}
2346 		ASSERT(destsps != NULL);
2347 
2348 		if (IS_SPS_FASTPATH(destsps)) {
2349 			mp->b_rptr += PPP_HDRLEN;
2350 		} else {
2351 			spppstr_t *uqs = (spppstr_t *)destsps->sps_rq->q_ptr;
2352 			ASSERT(uqs != NULL);
2353 			mp->b_rptr += PPP_HDRLEN;
2354 			mp = sppp_dladdud(uqs, mp, uqs->sps_sap, B_FALSE);
2355 			if (mp == NULL) {
2356 				mutex_enter(&ppa->ppa_sta_lock);
2357 				ppa->ppa_allocbfail++;
2358 				mutex_exit(&ppa->ppa_sta_lock);
2359 				/* mp already freed by sppp_dladdud */
2360 				continue;
2361 			}
2362 		}
2363 
2364 		if (canputnext(destsps->sps_rq)) {
2365 			putnext(destsps->sps_rq, mp);
2366 		} else {
2367 			mutex_enter(&ppa->ppa_sta_lock);
2368 			ppa->ppa_iqdropped++;
2369 			mutex_exit(&ppa->ppa_sta_lock);
2370 			freemsg(mp);
2371 			continue;
2372 		}
2373 	}
2374 }
2375