xref: /illumos-gate/usr/src/uts/common/io/ppp/sppp/sppp.c (revision 8119dad84d6416f13557b0ba8e2aaf9064cbcfd3)
1 /*
2  * sppp.c - Solaris STREAMS PPP multiplexing pseudo-driver
3  *
4  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
5  * Use is subject to license terms.
6  * Copyright (c) 2016 by Delphix. All rights reserved.
7  * Copyright 2019, Joyent, Inc.
8  *
9  * Permission to use, copy, modify, and distribute this software and its
10  * documentation is hereby granted, provided that the above copyright
11  * notice appears in all copies.
12  *
13  * SUN MAKES NO REPRESENTATION OR WARRANTIES ABOUT THE SUITABILITY OF
14  * THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
15  * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
16  * PARTICULAR PURPOSE, OR NON-INFRINGEMENT.  SUN SHALL NOT BE LIABLE FOR
17  * ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR
18  * DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES
19  *
20  * Copyright (c) 1994 The Australian National University.
21  * All rights reserved.
22  *
23  * Permission to use, copy, modify, and distribute this software and its
24  * documentation is hereby granted, provided that the above copyright
25  * notice appears in all copies.  This software is provided without any
26  * warranty, express or implied. The Australian National University
27  * makes no representations about the suitability of this software for
28  * any purpose.
29  *
30  * IN NO EVENT SHALL THE AUSTRALIAN NATIONAL UNIVERSITY BE LIABLE TO ANY
31  * PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
32  * ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF
33  * THE AUSTRALIAN NATIONAL UNIVERSITY HAS BEEN ADVISED OF THE POSSIBILITY
34  * OF SUCH DAMAGE.
35  *
36  * THE AUSTRALIAN NATIONAL UNIVERSITY SPECIFICALLY DISCLAIMS ANY WARRANTIES,
37  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
38  * AND FITNESS FOR A PARTICULAR PURPOSE.  THE SOFTWARE PROVIDED HEREUNDER IS
39  * ON AN "AS IS" BASIS, AND THE AUSTRALIAN NATIONAL UNIVERSITY HAS NO
40  * OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS,
41  * OR MODIFICATIONS.
42  *
43  * This driver is derived from the original SVR4 STREAMS PPP driver
44  * originally written by Paul Mackerras <paul.mackerras@cs.anu.edu.au>.
45  *
46  * Adi Masputra <adi.masputra@sun.com> rewrote and restructured the code
47  * for improved performance and scalability.
48  */
49 
50 #define	RCSID	"$Id: sppp.c,v 1.0 2000/05/08 01:10:12 masputra Exp $"
51 
52 #include <sys/types.h>
53 #include <sys/debug.h>
54 #include <sys/param.h>
55 #include <sys/stat.h>
56 #include <sys/stream.h>
57 #include <sys/stropts.h>
58 #include <sys/sysmacros.h>
59 #include <sys/errno.h>
60 #include <sys/time.h>
61 #include <sys/cmn_err.h>
62 #include <sys/kmem.h>
63 #include <sys/conf.h>
64 #include <sys/dlpi.h>
65 #include <sys/ddi.h>
66 #include <sys/kstat.h>
67 #include <sys/strsun.h>
68 #include <sys/ethernet.h>
69 #include <sys/policy.h>
70 #include <sys/zone.h>
71 #include <net/ppp_defs.h>
72 #include <net/pppio.h>
73 #include "sppp.h"
74 #include "s_common.h"
75 
76 /*
77  * This is used to tag official Solaris sources.  Please do not define
78  * "INTERNAL_BUILD" when building this software outside of Sun Microsystems.
79  */
80 #ifdef INTERNAL_BUILD
81 /* MODINFO is limited to 32 characters. */
82 const char sppp_module_description[] = "PPP 4.0 mux";
83 #else /* INTERNAL_BUILD */
84 const char sppp_module_description[] = "ANU PPP mux";
85 
86 /* LINTED */
87 static const char buildtime[] = "Built " __DATE__ " at " __TIME__
88 #ifdef DEBUG
89 " DEBUG"
90 #endif
91 "\n";
92 #endif /* INTERNAL_BUILD */
93 
94 static void	sppp_inner_ioctl(queue_t *, mblk_t *);
95 static void	sppp_outer_ioctl(queue_t *, mblk_t *);
96 static queue_t	*sppp_send(queue_t *, mblk_t **, spppstr_t *);
97 static queue_t	*sppp_recv(queue_t *, mblk_t **, spppstr_t *);
98 static void	sppp_recv_nondata(queue_t *, mblk_t *, spppstr_t *);
99 static queue_t	*sppp_outpkt(queue_t *, mblk_t **, int, spppstr_t *);
100 static spppstr_t *sppp_inpkt(queue_t *, mblk_t *, spppstr_t *);
101 static int	sppp_kstat_update(kstat_t *, int);
102 static void	sppp_release_pkts(sppa_t *, uint16_t);
103 
104 /*
105  * sps_list contains the list of active per-stream instance state structures
106  * ordered on the minor device number (see sppp.h for details). All streams
107  * opened to this driver are threaded together in this list.
108  */
109 static spppstr_t *sps_list = NULL;
110 /*
111  * ppa_list contains the list of active per-attachment instance state
112  * structures ordered on the ppa id number (see sppp.h for details). All of
113  * the ppa structures created once per PPPIO_NEWPPA ioctl are threaded together
114  * in this list. There is exactly one ppa structure for a given PPP interface,
115  * and multiple sps streams (upper streams) may share a ppa by performing
116  * an attachment explicitly (PPPIO_ATTACH) or implicitly (DL_ATTACH_REQ).
117  */
118 static sppa_t *ppa_list = NULL;
119 
120 static const char *kstats_names[] = { SPPP_KSTATS_NAMES };
121 static const char *kstats64_names[] = { SPPP_KSTATS64_NAMES };
122 
123 /*
124  * map proto (which is an IANA defined ppp network protocol) to
125  * a bit position indicated by NP_* in ppa_npflag
126  */
127 static uint32_t
128 sppp_ppp2np(uint16_t proto)
129 {
130 	switch (proto) {
131 	case PPP_IP:
132 		return (NP_IP);
133 	case PPP_IPV6:
134 		return (NP_IPV6);
135 	default:
136 		return (0);
137 	}
138 }
139 
140 /*
141  * sppp_open()
142  *
143  * MT-Perimeters:
144  *    exclusive inner, exclusive outer.
145  *
146  * Description:
147  *    Common open procedure for module.
148  */
149 /* ARGSUSED */
150 int
151 sppp_open(queue_t *q, dev_t *devp, int oflag, int sflag, cred_t *credp)
152 {
153 	spppstr_t	*sps;
154 	spppstr_t	**nextmn;
155 	minor_t		mn;
156 
157 	ASSERT(q != NULL && devp != NULL);
158 	ASSERT(sflag != MODOPEN);
159 
160 	if (q->q_ptr != NULL) {
161 		return (0);		/* already open */
162 	}
163 	if (sflag != CLONEOPEN) {
164 		return (OPENFAIL);
165 	}
166 	/*
167 	 * The sps list is sorted using the minor number as the key. The
168 	 * following code walks the list to find the lowest valued minor
169 	 * number available to be used.
170 	 */
171 	mn = 0;
172 	for (nextmn = &sps_list; (sps = *nextmn) != NULL;
173 	    nextmn = &sps->sps_nextmn) {
174 		if (sps->sps_mn_id != mn) {
175 			break;
176 		}
177 		++mn;
178 	}
179 	sps = (spppstr_t *)kmem_zalloc(sizeof (spppstr_t), KM_SLEEP);
180 	ASSERT(sps != NULL);		/* KM_SLEEP must never return NULL */
181 	sps->sps_nextmn = *nextmn;	/* insert stream in global list */
182 	*nextmn = sps;
183 	sps->sps_mn_id = mn;		/* save minor id for this stream */
184 	sps->sps_rq = q;		/* save read queue pointer */
185 	sps->sps_sap = -1;		/* no sap bound to stream */
186 	sps->sps_dlstate = DL_UNATTACHED; /* dlpi state is unattached */
187 	sps->sps_npmode = NPMODE_DROP;	/* drop all packets initially */
188 	sps->sps_zoneid = crgetzoneid(credp);
189 	q->q_ptr = WR(q)->q_ptr = (caddr_t)sps;
190 	/*
191 	 * We explicitly disable the automatic queue scheduling for the
192 	 * write-side to obtain complete control over queuing during transmit.
193 	 * Packets will be queued at the upper write queue and the service
194 	 * routine will not be called until it gets scheduled by having the
195 	 * lower write service routine call the qenable(WR(uq)) for all streams
196 	 * attached to the same ppa instance.
197 	 */
198 	noenable(WR(q));
199 	*devp = makedevice(getmajor(*devp), mn);
200 	qprocson(q);
201 	return (0);
202 }
203 
204 /*
205  * Free storage used by a PPA.  This is not called until the last PPA
206  * user closes their connection or reattaches to a different PPA.
207  */
208 static void
209 sppp_free_ppa(sppa_t *ppa)
210 {
211 	sppa_t **nextppa;
212 
213 	ASSERT(ppa->ppa_refcnt == 1);
214 	if (ppa->ppa_kstats != NULL) {
215 		kstat_delete(ppa->ppa_kstats);
216 		ppa->ppa_kstats = NULL;
217 	}
218 	mutex_destroy(&ppa->ppa_sta_lock);
219 	mutex_destroy(&ppa->ppa_npmutex);
220 	rw_destroy(&ppa->ppa_sib_lock);
221 	nextppa = &ppa_list;
222 	while (*nextppa != NULL) {
223 		if (*nextppa == ppa) {
224 			*nextppa = ppa->ppa_nextppa;
225 			break;
226 		}
227 		nextppa = &(*nextppa)->ppa_nextppa;
228 	}
229 	kmem_free(ppa, sizeof (*ppa));
230 }
231 
232 /*
233  * Create a new PPA.  Caller must be exclusive on outer perimeter.
234  */
235 sppa_t *
236 sppp_create_ppa(uint32_t ppa_id, zoneid_t zoneid)
237 {
238 	sppa_t *ppa;
239 	sppa_t *curppa;
240 	sppa_t **availppa;
241 	char unit[32];		/* Unit name */
242 	const char **cpp;
243 	kstat_t *ksp;
244 	kstat_named_t *knt;
245 
246 	/*
247 	 * NOTE: unit *must* be named for the driver
248 	 * name plus the ppa number so that netstat
249 	 * can find the statistics.
250 	 */
251 	(void) sprintf(unit, "%s" "%d", PPP_DRV_NAME, ppa_id);
252 	/*
253 	 * Make sure we can allocate a buffer to
254 	 * contain the ppa to be sent upstream, as
255 	 * well as the actual ppa structure and its
256 	 * associated kstat structure.
257 	 */
258 	ppa = (sppa_t *)kmem_zalloc(sizeof (sppa_t),
259 	    KM_NOSLEEP);
260 	ksp = kstat_create(PPP_DRV_NAME, ppa_id, unit, "net", KSTAT_TYPE_NAMED,
261 	    sizeof (sppp_kstats_t) / sizeof (kstat_named_t), 0);
262 
263 	if (ppa == NULL || ksp == NULL) {
264 		if (ppa != NULL) {
265 			kmem_free(ppa, sizeof (sppa_t));
266 		}
267 		if (ksp != NULL) {
268 			kstat_delete(ksp);
269 		}
270 		return (NULL);
271 	}
272 	ppa->ppa_kstats = ksp;		/* chain kstat structure */
273 	ppa->ppa_ppa_id = ppa_id;	/* record ppa id */
274 	ppa->ppa_zoneid = zoneid;	/* zone that owns this PPA */
275 	ppa->ppa_mtu = PPP_MAXMTU;	/* 65535-(PPP_HDRLEN+PPP_FCSLEN) */
276 	ppa->ppa_mru = PPP_MAXMRU;	/* 65000 */
277 
278 	mutex_init(&ppa->ppa_sta_lock, NULL, MUTEX_DRIVER, NULL);
279 	mutex_init(&ppa->ppa_npmutex, NULL, MUTEX_DRIVER, NULL);
280 	rw_init(&ppa->ppa_sib_lock, NULL, RW_DRIVER, NULL);
281 
282 	/*
283 	 * Prepare and install kstat counters.  Note that for netstat
284 	 * -i to work, there needs to be "ipackets", "opackets",
285 	 * "ierrors", and "oerrors" kstat named variables.
286 	 */
287 	knt = (kstat_named_t *)ksp->ks_data;
288 	for (cpp = kstats_names; cpp < kstats_names + Dim(kstats_names);
289 	    cpp++) {
290 		kstat_named_init(knt, *cpp, KSTAT_DATA_UINT32);
291 		knt++;
292 	}
293 	for (cpp = kstats64_names; cpp < kstats64_names + Dim(kstats64_names);
294 	    cpp++) {
295 		kstat_named_init(knt, *cpp, KSTAT_DATA_UINT64);
296 		knt++;
297 	}
298 	ksp->ks_update = sppp_kstat_update;
299 	ksp->ks_private = (void *)ppa;
300 	kstat_install(ksp);
301 
302 	/* link to the next ppa and insert into global list */
303 	availppa = &ppa_list;
304 	while ((curppa = *availppa) != NULL) {
305 		if (ppa_id < curppa->ppa_ppa_id)
306 			break;
307 		availppa = &curppa->ppa_nextppa;
308 	}
309 	ppa->ppa_nextppa = *availppa;
310 	*availppa = ppa;
311 	return (ppa);
312 }
313 
314 /*
315  * sppp_close()
316  *
317  * MT-Perimeters:
318  *    exclusive inner, exclusive outer.
319  *
320  * Description:
321  *    Common close procedure for module.
322  */
323 /* ARGSUSED */
324 int
325 sppp_close(queue_t *q, int flags __unused, cred_t *credp __unused)
326 {
327 	spppstr_t	*sps;
328 	spppstr_t	**nextmn;
329 	spppstr_t	*sib;
330 	sppa_t		*ppa;
331 	mblk_t		*mp;
332 
333 	ASSERT(q != NULL && q->q_ptr != NULL);
334 	sps = (spppstr_t *)q->q_ptr;
335 	qprocsoff(q);
336 
337 	ppa = sps->sps_ppa;
338 	if (ppa == NULL) {
339 		ASSERT(!IS_SPS_CONTROL(sps));
340 		goto close_unattached;
341 	}
342 	if (IS_SPS_CONTROL(sps)) {
343 		uint32_t	cnt = 0;
344 
345 		ASSERT(ppa != NULL);
346 		ASSERT(ppa->ppa_ctl == sps);
347 		ppa->ppa_ctl = NULL;
348 		/*
349 		 * STREAMS framework always issues I_UNLINK prior to close,
350 		 * since we only allow I_LINK under the control stream.
351 		 * A given ppa structure has at most one lower stream pointed
352 		 * by the ppa_lower_wq field, because we only allow a single
353 		 * linkage (I_LINK) to be done on the control stream.
354 		 */
355 		ASSERT(ppa->ppa_lower_wq == NULL);
356 		/*
357 		 * Walk through all of sibling streams attached to this ppa,
358 		 * and remove all references to this ppa. We have exclusive
359 		 * access for the entire driver here, so there's no need
360 		 * to hold ppa_sib_lock.
361 		 */
362 		cnt++;
363 		sib = ppa->ppa_streams;
364 		while (sib != NULL) {
365 			ASSERT(ppa == sib->sps_ppa);
366 			sib->sps_npmode = NPMODE_DROP;
367 			sib->sps_flags &= ~(SPS_PIOATTACH | SPS_CACHED);
368 			/*
369 			 * There should be a preallocated hangup
370 			 * message here.  Fetch it and send it up to
371 			 * the stream head.  This will cause IP to
372 			 * mark the interface as "down."
373 			 */
374 			if ((mp = sib->sps_hangup) != NULL) {
375 				sib->sps_hangup = NULL;
376 				/*
377 				 * M_HANGUP works with IP, but snoop
378 				 * is lame and requires M_ERROR.  Send
379 				 * up a clean error code instead.
380 				 *
381 				 * XXX if snoop is fixed, fix this, too.
382 				 */
383 				MTYPE(mp) = M_ERROR;
384 				*mp->b_wptr++ = ENXIO;
385 				putnext(sib->sps_rq, mp);
386 			}
387 			qenable(WR(sib->sps_rq));
388 			cnt++;
389 			sib = sib->sps_nextsib;
390 		}
391 		ASSERT(ppa->ppa_refcnt == cnt);
392 	} else {
393 		ASSERT(ppa->ppa_streams != NULL);
394 		ASSERT(ppa->ppa_ctl != sps);
395 		mp = NULL;
396 		if (sps->sps_sap == PPP_IP) {
397 			ppa->ppa_ip_cache = NULL;
398 			mp = create_lsmsg(PPP_LINKSTAT_IPV4_UNBOUND);
399 		} else if (sps->sps_sap == PPP_IPV6) {
400 			ppa->ppa_ip6_cache = NULL;
401 			mp = create_lsmsg(PPP_LINKSTAT_IPV6_UNBOUND);
402 		}
403 		/* Tell the daemon the bad news. */
404 		if (mp != NULL && ppa->ppa_ctl != NULL &&
405 		    (sps->sps_npmode == NPMODE_PASS ||
406 		    sps->sps_npmode == NPMODE_QUEUE)) {
407 			putnext(ppa->ppa_ctl->sps_rq, mp);
408 		} else {
409 			freemsg(mp);
410 		}
411 		/*
412 		 * Walk through all of sibling streams attached to the
413 		 * same ppa, and remove this stream from the sibling
414 		 * streams list. We have exclusive access for the
415 		 * entire driver here, so there's no need to hold
416 		 * ppa_sib_lock.
417 		 */
418 		sib = ppa->ppa_streams;
419 		if (sib == sps) {
420 			ppa->ppa_streams = sps->sps_nextsib;
421 		} else {
422 			while (sib->sps_nextsib != NULL) {
423 				if (sib->sps_nextsib == sps) {
424 					sib->sps_nextsib = sps->sps_nextsib;
425 					break;
426 				}
427 				sib = sib->sps_nextsib;
428 			}
429 		}
430 		sps->sps_nextsib = NULL;
431 		freemsg(sps->sps_hangup);
432 		sps->sps_hangup = NULL;
433 		/*
434 		 * Check if this is a promiscous stream. If the SPS_PROMISC bit
435 		 * is still set, it means that the stream is closed without
436 		 * ever having issued DL_DETACH_REQ or DL_PROMISCOFF_REQ.
437 		 * In this case, we simply decrement the promiscous counter,
438 		 * and it's safe to do it without holding ppa_sib_lock since
439 		 * we're exclusive (inner and outer) at this point.
440 		 */
441 		if (IS_SPS_PROMISC(sps)) {
442 			ASSERT(ppa->ppa_promicnt > 0);
443 			ppa->ppa_promicnt--;
444 		}
445 	}
446 	/* If we're the only one left, then delete now. */
447 	if (ppa->ppa_refcnt <= 1)
448 		sppp_free_ppa(ppa);
449 	else
450 		ppa->ppa_refcnt--;
451 close_unattached:
452 	q->q_ptr = WR(q)->q_ptr = NULL;
453 	for (nextmn = &sps_list; *nextmn != NULL;
454 	    nextmn = &(*nextmn)->sps_nextmn) {
455 		if (*nextmn == sps) {
456 			*nextmn = sps->sps_nextmn;
457 			break;
458 		}
459 	}
460 	kmem_free(sps, sizeof (spppstr_t));
461 	return (0);
462 }
463 
464 static void
465 sppp_ioctl(struct queue *q, mblk_t *mp)
466 {
467 	spppstr_t	*sps;
468 	spppstr_t	*nextsib;
469 	sppa_t		*ppa;
470 	struct iocblk	*iop;
471 	mblk_t		*nmp;
472 	enum NPmode	npmode;
473 	struct ppp_idle	*pip;
474 	struct ppp_stats64 *psp;
475 	struct ppp_comp_stats *pcsp;
476 	hrtime_t	hrtime;
477 	int		sap;
478 	int		count = 0;
479 	int		error = EINVAL;
480 
481 	sps = (spppstr_t *)q->q_ptr;
482 	ppa = sps->sps_ppa;
483 
484 	iop = (struct iocblk *)mp->b_rptr;
485 	switch (iop->ioc_cmd) {
486 	case PPPIO_NPMODE:
487 		if (!IS_SPS_CONTROL(sps)) {
488 			break;		/* return EINVAL */
489 		} else if (iop->ioc_count != 2 * sizeof (uint32_t) ||
490 		    (mp->b_cont == NULL)) {
491 			error = EPROTO;
492 			break;
493 		}
494 		ASSERT(ppa != NULL);
495 		ASSERT(mp->b_cont->b_rptr != NULL);
496 		ASSERT(sps->sps_npmode == NPMODE_PASS);
497 		sap = ((uint32_t *)mp->b_cont->b_rptr)[0];
498 		npmode = (enum NPmode)((uint32_t *)mp->b_cont->b_rptr)[1];
499 		/*
500 		 * Walk the sibling streams which belong to the same
501 		 * ppa, and try to find a stream with matching sap
502 		 * number.
503 		 */
504 		rw_enter(&ppa->ppa_sib_lock, RW_WRITER);
505 		for (nextsib = ppa->ppa_streams; nextsib != NULL;
506 		    nextsib = nextsib->sps_nextsib) {
507 			if (nextsib->sps_sap == sap) {
508 				break;	/* found it */
509 			}
510 		}
511 		if (nextsib == NULL) {
512 			rw_exit(&ppa->ppa_sib_lock);
513 			break;		/* return EINVAL */
514 		} else {
515 			nextsib->sps_npmode = npmode;
516 			if ((nextsib->sps_npmode != NPMODE_QUEUE) &&
517 			    (WR(nextsib->sps_rq)->q_first != NULL)) {
518 				qenable(WR(nextsib->sps_rq));
519 			}
520 		}
521 		rw_exit(&ppa->ppa_sib_lock);
522 		error = 0;	/* return success */
523 		break;
524 	case PPPIO_GIDLE:
525 		if (ppa == NULL) {
526 			ASSERT(!IS_SPS_CONTROL(sps));
527 			error = ENOLINK;
528 			break;
529 		} else if (!IS_PPA_TIMESTAMP(ppa)) {
530 			break;		/* return EINVAL */
531 		}
532 		if ((nmp = allocb(sizeof (struct ppp_idle),
533 		    BPRI_MED)) == NULL) {
534 			mutex_enter(&ppa->ppa_sta_lock);
535 			ppa->ppa_allocbfail++;
536 			mutex_exit(&ppa->ppa_sta_lock);
537 			error = ENOSR;
538 			break;
539 		}
540 		if (mp->b_cont != NULL) {
541 			freemsg(mp->b_cont);
542 		}
543 		mp->b_cont = nmp;
544 		pip = (struct ppp_idle *)nmp->b_wptr;
545 		nmp->b_wptr += sizeof (struct ppp_idle);
546 		/*
547 		 * Get current timestamp and subtract the tx and rx
548 		 * timestamps to get the actual idle time to be
549 		 * returned.
550 		 */
551 		hrtime = gethrtime();
552 		pip->xmit_idle = (hrtime - ppa->ppa_lasttx) / 1000000000ul;
553 		pip->recv_idle = (hrtime - ppa->ppa_lastrx) / 1000000000ul;
554 		count = msgsize(nmp);
555 		error = 0;
556 		break;		/* return success (error is 0) */
557 	case PPPIO_GTYPE:
558 		nmp = allocb(sizeof (uint32_t), BPRI_MED);
559 		if (nmp == NULL) {
560 			error = ENOSR;
561 			break;
562 		}
563 		if (mp->b_cont != NULL) {
564 			freemsg(mp->b_cont);
565 		}
566 		mp->b_cont = nmp;
567 		/*
568 		 * Let the requestor know that we are the PPP
569 		 * multiplexer (PPPTYP_MUX).
570 		 */
571 		*(uint32_t *)nmp->b_wptr = PPPTYP_MUX;
572 		nmp->b_wptr += sizeof (uint32_t);
573 		count = msgsize(nmp);
574 		error = 0;		/* return success */
575 		break;
576 	case PPPIO_GETSTAT64:
577 		if (ppa == NULL) {
578 			break;		/* return EINVAL */
579 		} else if ((ppa->ppa_lower_wq != NULL) &&
580 		    !IS_PPA_LASTMOD(ppa)) {
581 			mutex_enter(&ppa->ppa_sta_lock);
582 			/*
583 			 * We match sps_ioc_id on the M_IOC{ACK,NAK},
584 			 * so if the response hasn't come back yet,
585 			 * new ioctls must be queued instead.
586 			 */
587 			if (IS_SPS_IOCQ(sps)) {
588 				mutex_exit(&ppa->ppa_sta_lock);
589 				if (!putq(q, mp)) {
590 					error = EAGAIN;
591 					break;
592 				}
593 				return;
594 			} else {
595 				ppa->ppa_ioctlsfwd++;
596 				/*
597 				 * Record the ioctl CMD & ID - this will be
598 				 * used to check the ACK or NAK responses
599 				 * coming from below.
600 				 */
601 				sps->sps_ioc_id = iop->ioc_id;
602 				sps->sps_flags |= SPS_IOCQ;
603 				mutex_exit(&ppa->ppa_sta_lock);
604 			}
605 			putnext(ppa->ppa_lower_wq, mp);
606 			return;	/* don't ack or nak the request */
607 		}
608 		nmp = allocb(sizeof (*psp), BPRI_MED);
609 		if (nmp == NULL) {
610 			mutex_enter(&ppa->ppa_sta_lock);
611 			ppa->ppa_allocbfail++;
612 			mutex_exit(&ppa->ppa_sta_lock);
613 			error = ENOSR;
614 			break;
615 		}
616 		if (mp->b_cont != NULL) {
617 			freemsg(mp->b_cont);
618 		}
619 		mp->b_cont = nmp;
620 		psp = (struct ppp_stats64 *)nmp->b_wptr;
621 		/*
622 		 * Copy the contents of ppp_stats64 structure for this
623 		 * ppa and return them to the caller.
624 		 */
625 		mutex_enter(&ppa->ppa_sta_lock);
626 		bcopy(&ppa->ppa_stats, psp, sizeof (*psp));
627 		mutex_exit(&ppa->ppa_sta_lock);
628 		nmp->b_wptr += sizeof (*psp);
629 		count = sizeof (*psp);
630 		error = 0;		/* return success */
631 		break;
632 	case PPPIO_GETCSTAT:
633 		if (ppa == NULL) {
634 			break;		/* return EINVAL */
635 		} else if ((ppa->ppa_lower_wq != NULL) &&
636 		    !IS_PPA_LASTMOD(ppa)) {
637 			mutex_enter(&ppa->ppa_sta_lock);
638 			/*
639 			 * See comments in PPPIO_GETSTAT64 case
640 			 * in sppp_ioctl().
641 			 */
642 			if (IS_SPS_IOCQ(sps)) {
643 				mutex_exit(&ppa->ppa_sta_lock);
644 				if (!putq(q, mp)) {
645 					error = EAGAIN;
646 					break;
647 				}
648 				return;
649 			} else {
650 				ppa->ppa_ioctlsfwd++;
651 				/*
652 				 * Record the ioctl CMD & ID - this will be
653 				 * used to check the ACK or NAK responses
654 				 * coming from below.
655 				 */
656 				sps->sps_ioc_id = iop->ioc_id;
657 				sps->sps_flags |= SPS_IOCQ;
658 				mutex_exit(&ppa->ppa_sta_lock);
659 			}
660 			putnext(ppa->ppa_lower_wq, mp);
661 			return;	/* don't ack or nak the request */
662 		}
663 		nmp = allocb(sizeof (struct ppp_comp_stats), BPRI_MED);
664 		if (nmp == NULL) {
665 			mutex_enter(&ppa->ppa_sta_lock);
666 			ppa->ppa_allocbfail++;
667 			mutex_exit(&ppa->ppa_sta_lock);
668 			error = ENOSR;
669 			break;
670 		}
671 		if (mp->b_cont != NULL) {
672 			freemsg(mp->b_cont);
673 		}
674 		mp->b_cont = nmp;
675 		pcsp = (struct ppp_comp_stats *)nmp->b_wptr;
676 		nmp->b_wptr += sizeof (struct ppp_comp_stats);
677 		bzero((caddr_t)pcsp, sizeof (struct ppp_comp_stats));
678 		count = msgsize(nmp);
679 		error = 0;		/* return success */
680 		break;
681 	}
682 
683 	if (error == 0) {
684 		/* Success; tell the user. */
685 		miocack(q, mp, count, 0);
686 	} else {
687 		/* Failure; send error back upstream. */
688 		miocnak(q, mp, 0, error);
689 	}
690 }
691 
692 /*
693  * sppp_uwput()
694  *
695  * MT-Perimeters:
696  *    shared inner, shared outer.
697  *
698  * Description:
699  *    Upper write-side put procedure. Messages from above arrive here.
700  */
701 int
702 sppp_uwput(queue_t *q, mblk_t *mp)
703 {
704 	queue_t		*nextq;
705 	spppstr_t	*sps;
706 	sppa_t		*ppa;
707 	struct iocblk	*iop;
708 	int		error;
709 
710 	ASSERT(q != NULL && q->q_ptr != NULL);
711 	ASSERT(mp != NULL && mp->b_rptr != NULL);
712 	sps = (spppstr_t *)q->q_ptr;
713 	ppa = sps->sps_ppa;
714 
715 	switch (MTYPE(mp)) {
716 	case M_PCPROTO:
717 	case M_PROTO:
718 		if (IS_SPS_CONTROL(sps)) {
719 			ASSERT(ppa != NULL);
720 			/*
721 			 * Intentionally change this to a high priority
722 			 * message so it doesn't get queued up. M_PROTO is
723 			 * specifically used for signalling between pppd and its
724 			 * kernel-level component(s), such as ppptun, so we
725 			 * make sure that it doesn't get queued up behind
726 			 * data messages.
727 			 */
728 			MTYPE(mp) = M_PCPROTO;
729 			if ((ppa->ppa_lower_wq != NULL) &&
730 			    canputnext(ppa->ppa_lower_wq)) {
731 				mutex_enter(&ppa->ppa_sta_lock);
732 				ppa->ppa_mctlsfwd++;
733 				mutex_exit(&ppa->ppa_sta_lock);
734 				putnext(ppa->ppa_lower_wq, mp);
735 			} else {
736 				mutex_enter(&ppa->ppa_sta_lock);
737 				ppa->ppa_mctlsfwderr++;
738 				mutex_exit(&ppa->ppa_sta_lock);
739 				freemsg(mp);
740 			}
741 		} else {
742 			(void) sppp_mproto(q, mp, sps);
743 			return (0);
744 		}
745 		break;
746 	case M_DATA:
747 		if ((nextq = sppp_send(q, &mp, sps)) != NULL)
748 			putnext(nextq, mp);
749 		break;
750 	case M_IOCTL:
751 		error = EINVAL;
752 		iop = (struct iocblk *)mp->b_rptr;
753 		switch (iop->ioc_cmd) {
754 		case DLIOCRAW:
755 		case DL_IOC_HDR_INFO:
756 		case PPPIO_ATTACH:
757 		case PPPIO_DEBUG:
758 		case PPPIO_DETACH:
759 		case PPPIO_LASTMOD:
760 		case PPPIO_MRU:
761 		case PPPIO_MTU:
762 		case PPPIO_USETIMESTAMP:
763 		case PPPIO_BLOCKNP:
764 		case PPPIO_UNBLOCKNP:
765 			qwriter(q, mp, sppp_inner_ioctl, PERIM_INNER);
766 			return (0);
767 		case I_LINK:
768 		case I_UNLINK:
769 		case PPPIO_NEWPPA:
770 			qwriter(q, mp, sppp_outer_ioctl, PERIM_OUTER);
771 			return (0);
772 		case PPPIO_NPMODE:
773 		case PPPIO_GIDLE:
774 		case PPPIO_GTYPE:
775 		case PPPIO_GETSTAT64:
776 		case PPPIO_GETCSTAT:
777 			/*
778 			 * These require additional auto variables to
779 			 * handle, so (for optimization reasons)
780 			 * they're moved off to a separate function.
781 			 */
782 			sppp_ioctl(q, mp);
783 			return (0);
784 		case PPPIO_GETSTAT:
785 			break;			/* 32 bit interface gone */
786 		default:
787 			if (iop->ioc_cr == NULL ||
788 			    secpolicy_ppp_config(iop->ioc_cr) != 0) {
789 				error = EPERM;
790 				break;
791 			} else if ((ppa == NULL) ||
792 			    (ppa->ppa_lower_wq == NULL)) {
793 				break;		/* return EINVAL */
794 			}
795 			mutex_enter(&ppa->ppa_sta_lock);
796 			/*
797 			 * See comments in PPPIO_GETSTAT64 case
798 			 * in sppp_ioctl().
799 			 */
800 			if (IS_SPS_IOCQ(sps)) {
801 				mutex_exit(&ppa->ppa_sta_lock);
802 				if (!putq(q, mp)) {
803 					error = EAGAIN;
804 					break;
805 				}
806 				return (0);
807 			} else {
808 				ppa->ppa_ioctlsfwd++;
809 				/*
810 				 * Record the ioctl CMD & ID -
811 				 * this will be used to check the
812 				 * ACK or NAK responses coming from below.
813 				 */
814 				sps->sps_ioc_id = iop->ioc_id;
815 				sps->sps_flags |= SPS_IOCQ;
816 				mutex_exit(&ppa->ppa_sta_lock);
817 			}
818 			putnext(ppa->ppa_lower_wq, mp);
819 			return (0);	/* don't ack or nak the request */
820 		}
821 		/* Failure; send error back upstream. */
822 		miocnak(q, mp, 0, error);
823 		break;
824 	case M_FLUSH:
825 		if (*mp->b_rptr & FLUSHW) {
826 			flushq(q, FLUSHDATA);
827 		}
828 		if (*mp->b_rptr & FLUSHR) {
829 			*mp->b_rptr &= ~FLUSHW;
830 			qreply(q, mp);
831 		} else {
832 			freemsg(mp);
833 		}
834 		break;
835 	default:
836 		freemsg(mp);
837 		break;
838 	}
839 	return (0);
840 }
841 
842 /*
843  * sppp_uwsrv()
844  *
845  * MT-Perimeters:
846  *    exclusive inner, shared outer.
847  *
848  * Description:
849  *    Upper write-side service procedure. Note that this procedure does
850  *    not get called when a message is placed on our write-side queue, since
851  *    automatic queue scheduling has been turned off by noenable() when
852  *    the queue was opened. We do this on purpose, as we explicitly control
853  *    the write-side queue. Therefore, this procedure gets called when
854  *    the lower write service procedure qenable() the upper write stream queue.
855  */
856 int
857 sppp_uwsrv(queue_t *q)
858 {
859 	spppstr_t	*sps;
860 	sppa_t		*ppa;
861 	mblk_t		*mp;
862 	queue_t		*nextq;
863 	struct iocblk	*iop;
864 
865 	ASSERT(q != NULL && q->q_ptr != NULL);
866 	sps = (spppstr_t *)q->q_ptr;
867 
868 	while ((mp = getq(q)) != NULL) {
869 		if (MTYPE(mp) == M_IOCTL) {
870 			ppa = sps->sps_ppa;
871 			if ((ppa == NULL) || (ppa->ppa_lower_wq == NULL)) {
872 				miocnak(q, mp, 0, EINVAL);
873 				continue;
874 			}
875 
876 			iop = (struct iocblk *)mp->b_rptr;
877 			mutex_enter(&ppa->ppa_sta_lock);
878 			/*
879 			 * See comments in PPPIO_GETSTAT64 case
880 			 * in sppp_ioctl().
881 			 */
882 			if (IS_SPS_IOCQ(sps)) {
883 				mutex_exit(&ppa->ppa_sta_lock);
884 				if (putbq(q, mp) == 0)
885 					miocnak(q, mp, 0, EAGAIN);
886 				break;
887 			} else {
888 				ppa->ppa_ioctlsfwd++;
889 				sps->sps_ioc_id = iop->ioc_id;
890 				sps->sps_flags |= SPS_IOCQ;
891 				mutex_exit(&ppa->ppa_sta_lock);
892 				putnext(ppa->ppa_lower_wq, mp);
893 			}
894 		} else if ((nextq =
895 		    sppp_outpkt(q, &mp, msgdsize(mp), sps)) == NULL) {
896 			if (mp != NULL) {
897 				if (putbq(q, mp) == 0)
898 					freemsg(mp);
899 				break;
900 			}
901 		} else {
902 			putnext(nextq, mp);
903 		}
904 	}
905 	return (0);
906 }
907 
908 void
909 sppp_remove_ppa(spppstr_t *sps)
910 {
911 	spppstr_t *nextsib;
912 	sppa_t *ppa = sps->sps_ppa;
913 
914 	rw_enter(&ppa->ppa_sib_lock, RW_WRITER);
915 	if (ppa->ppa_refcnt <= 1) {
916 		rw_exit(&ppa->ppa_sib_lock);
917 		sppp_free_ppa(ppa);
918 	} else {
919 		nextsib = ppa->ppa_streams;
920 		if (nextsib == sps) {
921 			ppa->ppa_streams = sps->sps_nextsib;
922 		} else {
923 			while (nextsib->sps_nextsib != NULL) {
924 				if (nextsib->sps_nextsib == sps) {
925 					nextsib->sps_nextsib =
926 					    sps->sps_nextsib;
927 					break;
928 				}
929 				nextsib = nextsib->sps_nextsib;
930 			}
931 		}
932 		ppa->ppa_refcnt--;
933 		/*
934 		 * And if this stream was marked as promiscuous
935 		 * (SPS_PROMISC), then we need to update the
936 		 * promiscuous streams count. This should only happen
937 		 * when DL_DETACH_REQ is issued prior to marking the
938 		 * stream as non-promiscuous, through
939 		 * DL_PROMISCOFF_REQ request.
940 		 */
941 		if (IS_SPS_PROMISC(sps)) {
942 			ASSERT(ppa->ppa_promicnt > 0);
943 			ppa->ppa_promicnt--;
944 		}
945 		rw_exit(&ppa->ppa_sib_lock);
946 	}
947 	sps->sps_nextsib = NULL;
948 	sps->sps_ppa = NULL;
949 	freemsg(sps->sps_hangup);
950 	sps->sps_hangup = NULL;
951 }
952 
953 sppa_t *
954 sppp_find_ppa(uint32_t ppa_id)
955 {
956 	sppa_t *ppa;
957 
958 	for (ppa = ppa_list; ppa != NULL; ppa = ppa->ppa_nextppa) {
959 		if (ppa->ppa_ppa_id == ppa_id) {
960 			break;	/* found the ppa */
961 		}
962 	}
963 	return (ppa);
964 }
965 
966 /*
967  * sppp_inner_ioctl()
968  *
969  * MT-Perimeters:
970  *    exclusive inner, shared outer
971  *
972  * Description:
973  *    Called by sppp_uwput as a result of receiving ioctls which require
974  *    an exclusive access at the inner perimeter.
975  */
976 static void
977 sppp_inner_ioctl(queue_t *q, mblk_t *mp)
978 {
979 	spppstr_t	*sps;
980 	sppa_t		*ppa;
981 	struct iocblk	*iop;
982 	mblk_t		*nmp;
983 	int		error = EINVAL;
984 	int		count = 0;
985 	int		dbgcmd;
986 	int		mru, mtu;
987 	uint32_t	ppa_id;
988 	hrtime_t	hrtime;
989 	uint16_t	proto;
990 
991 	ASSERT(q != NULL && q->q_ptr != NULL);
992 	ASSERT(mp != NULL && mp->b_rptr != NULL);
993 
994 	sps = (spppstr_t *)q->q_ptr;
995 	ppa = sps->sps_ppa;
996 	iop = (struct iocblk *)mp->b_rptr;
997 	switch (iop->ioc_cmd) {
998 	case DLIOCRAW:
999 		if (IS_SPS_CONTROL(sps)) {
1000 			break;		/* return EINVAL */
1001 		}
1002 		sps->sps_flags |= SPS_RAWDATA;
1003 		error = 0;		/* return success */
1004 		break;
1005 	case DL_IOC_HDR_INFO:
1006 		if (IS_SPS_CONTROL(sps)) {
1007 			break;		/* return EINVAL */
1008 		} else if ((mp->b_cont == NULL) ||
1009 		    *((t_uscalar_t *)mp->b_cont->b_rptr) != DL_UNITDATA_REQ ||
1010 		    (MBLKL(mp->b_cont) < (sizeof (dl_unitdata_req_t) +
1011 		    SPPP_ADDRL))) {
1012 			error = EPROTO;
1013 			break;
1014 		} else if (ppa == NULL) {
1015 			error = ENOLINK;
1016 			break;
1017 		}
1018 		if ((nmp = allocb(PPP_HDRLEN, BPRI_MED)) == NULL) {
1019 			mutex_enter(&ppa->ppa_sta_lock);
1020 			ppa->ppa_allocbfail++;
1021 			mutex_exit(&ppa->ppa_sta_lock);
1022 			error = ENOMEM;
1023 			break;
1024 		}
1025 		*(uchar_t *)nmp->b_wptr++ = PPP_ALLSTATIONS;
1026 		*(uchar_t *)nmp->b_wptr++ = PPP_UI;
1027 		*(uchar_t *)nmp->b_wptr++ = sps->sps_sap >> 8;
1028 		*(uchar_t *)nmp->b_wptr++ = sps->sps_sap & 0xff;
1029 		ASSERT(MBLKL(nmp) == PPP_HDRLEN);
1030 
1031 		linkb(mp, nmp);
1032 		sps->sps_flags |= SPS_FASTPATH;
1033 		error = 0;		/* return success */
1034 		count = msgsize(nmp);
1035 		break;
1036 	case PPPIO_ATTACH:
1037 		if (IS_SPS_CONTROL(sps) || IS_SPS_PIOATTACH(sps) ||
1038 		    (sps->sps_dlstate != DL_UNATTACHED) ||
1039 		    (iop->ioc_count != sizeof (uint32_t))) {
1040 			break;		/* return EINVAL */
1041 		} else if (mp->b_cont == NULL) {
1042 			error = EPROTO;
1043 			break;
1044 		}
1045 		ASSERT(mp->b_cont->b_rptr != NULL);
1046 		/* If there's something here, it's detached. */
1047 		if (ppa != NULL) {
1048 			sppp_remove_ppa(sps);
1049 		}
1050 		ppa_id = *(uint32_t *)mp->b_cont->b_rptr;
1051 		ppa = sppp_find_ppa(ppa_id);
1052 		/*
1053 		 * If we can't find it, then it's either because the requestor
1054 		 * has supplied a wrong ppa_id to be attached to, or because
1055 		 * the control stream for the specified ppa_id has been closed
1056 		 * before we get here.
1057 		 */
1058 		if (ppa == NULL) {
1059 			error = ENOENT;
1060 			break;
1061 		}
1062 		if (iop->ioc_cr == NULL ||
1063 		    ppa->ppa_zoneid != crgetzoneid(iop->ioc_cr)) {
1064 			error = EPERM;
1065 			break;
1066 		}
1067 		/*
1068 		 * Preallocate the hangup message so that we're always
1069 		 * able to send this upstream in the event of a
1070 		 * catastrophic failure.
1071 		 */
1072 		if ((sps->sps_hangup = allocb(1, BPRI_MED)) == NULL) {
1073 			error = ENOSR;
1074 			break;
1075 		}
1076 		/*
1077 		 * There are two ways to attach a stream to a ppa: one is
1078 		 * through DLPI (DL_ATTACH_REQ) and the other is through
1079 		 * PPPIO_ATTACH. This is why we need to distinguish whether or
1080 		 * not a stream was allocated via PPPIO_ATTACH, so that we can
1081 		 * properly detach it when we receive PPPIO_DETACH ioctl
1082 		 * request.
1083 		 */
1084 		sps->sps_flags |= SPS_PIOATTACH;
1085 		sps->sps_ppa = ppa;
1086 		/*
1087 		 * Add this stream to the head of the list of sibling streams
1088 		 * which belong to the same ppa as specified.
1089 		 */
1090 		rw_enter(&ppa->ppa_sib_lock, RW_WRITER);
1091 		ppa->ppa_refcnt++;
1092 		sps->sps_nextsib = ppa->ppa_streams;
1093 		ppa->ppa_streams = sps;
1094 		rw_exit(&ppa->ppa_sib_lock);
1095 		error = 0;		/* return success */
1096 		break;
1097 	case PPPIO_BLOCKNP:
1098 	case PPPIO_UNBLOCKNP:
1099 		if (iop->ioc_cr == NULL ||
1100 		    secpolicy_ppp_config(iop->ioc_cr) != 0) {
1101 			error = EPERM;
1102 			break;
1103 		}
1104 		error = miocpullup(mp, sizeof (uint16_t));
1105 		if (error != 0)
1106 			break;
1107 		ASSERT(mp->b_cont->b_rptr != NULL);
1108 		proto = *(uint16_t *)mp->b_cont->b_rptr;
1109 		if (iop->ioc_cmd == PPPIO_BLOCKNP) {
1110 			uint32_t npflagpos = sppp_ppp2np(proto);
1111 			/*
1112 			 * Mark proto as blocked in ppa_npflag until the
1113 			 * corresponding queues for proto have been plumbed.
1114 			 */
1115 			if (npflagpos != 0) {
1116 				mutex_enter(&ppa->ppa_npmutex);
1117 				ppa->ppa_npflag |= (1 << npflagpos);
1118 				mutex_exit(&ppa->ppa_npmutex);
1119 			} else {
1120 				error = EINVAL;
1121 			}
1122 		} else {
1123 			/*
1124 			 * reset ppa_npflag and release proto
1125 			 * packets that were being held in control queue.
1126 			 */
1127 			sppp_release_pkts(ppa, proto);
1128 		}
1129 		break;
1130 	case PPPIO_DEBUG:
1131 		if (iop->ioc_cr == NULL ||
1132 		    secpolicy_ppp_config(iop->ioc_cr) != 0) {
1133 			error = EPERM;
1134 			break;
1135 		} else if (iop->ioc_count != sizeof (uint32_t)) {
1136 			break;		/* return EINVAL */
1137 		} else if (mp->b_cont == NULL) {
1138 			error = EPROTO;
1139 			break;
1140 		}
1141 		ASSERT(mp->b_cont->b_rptr != NULL);
1142 		dbgcmd = *(uint32_t *)mp->b_cont->b_rptr;
1143 		/*
1144 		 * We accept PPPDBG_LOG + PPPDBG_DRIVER value as an indication
1145 		 * that SPS_KDEBUG needs to be enabled for this upper stream.
1146 		 */
1147 		if (dbgcmd == PPPDBG_LOG + PPPDBG_DRIVER) {
1148 			sps->sps_flags |= SPS_KDEBUG;
1149 			error = 0;	/* return success */
1150 			break;
1151 		}
1152 		/*
1153 		 * Otherwise, for any other values, we send them down only if
1154 		 * there is an attachment and if the attachment has something
1155 		 * linked underneath it.
1156 		 */
1157 		if ((ppa == NULL) || (ppa->ppa_lower_wq == NULL)) {
1158 			error = ENOLINK;
1159 			break;
1160 		}
1161 		mutex_enter(&ppa->ppa_sta_lock);
1162 		/*
1163 		 * See comments in PPPIO_GETSTAT64 case
1164 		 * in sppp_ioctl().
1165 		 */
1166 		if (IS_SPS_IOCQ(sps)) {
1167 			mutex_exit(&ppa->ppa_sta_lock);
1168 			if (!putq(q, mp)) {
1169 				error = EAGAIN;
1170 				break;
1171 			}
1172 			return;
1173 		} else {
1174 			ppa->ppa_ioctlsfwd++;
1175 			/*
1176 			 * Record the ioctl CMD & ID -
1177 			 * this will be used to check the
1178 			 * ACK or NAK responses coming from below.
1179 			 */
1180 			sps->sps_ioc_id = iop->ioc_id;
1181 			sps->sps_flags |= SPS_IOCQ;
1182 			mutex_exit(&ppa->ppa_sta_lock);
1183 		}
1184 		putnext(ppa->ppa_lower_wq, mp);
1185 		return;			/* don't ack or nak the request */
1186 	case PPPIO_DETACH:
1187 		if (!IS_SPS_PIOATTACH(sps)) {
1188 			break;		/* return EINVAL */
1189 		}
1190 		/*
1191 		 * The SPS_PIOATTACH flag set on the stream tells us that
1192 		 * the ppa field is still valid. In the event that the control
1193 		 * stream be closed prior to this stream's detachment, the
1194 		 * SPS_PIOATTACH flag would have been cleared from this stream
1195 		 * during close; in that case we won't get here.
1196 		 */
1197 		ASSERT(ppa != NULL);
1198 		ASSERT(ppa->ppa_ctl != sps);
1199 		ASSERT(sps->sps_dlstate == DL_UNATTACHED);
1200 
1201 		/*
1202 		 * We don't actually detach anything until the stream is
1203 		 * closed or reattached.
1204 		 */
1205 
1206 		sps->sps_flags &= ~SPS_PIOATTACH;
1207 		error = 0;		/* return success */
1208 		break;
1209 	case PPPIO_LASTMOD:
1210 		if (!IS_SPS_CONTROL(sps)) {
1211 			break;		/* return EINVAL */
1212 		}
1213 		ASSERT(ppa != NULL);
1214 		ppa->ppa_flags |= PPA_LASTMOD;
1215 		error = 0;		/* return success */
1216 		break;
1217 	case PPPIO_MRU:
1218 		if (!IS_SPS_CONTROL(sps) ||
1219 		    (iop->ioc_count != sizeof (uint32_t))) {
1220 			break;		/* return EINVAL */
1221 		} else if (mp->b_cont == NULL) {
1222 			error = EPROTO;
1223 			break;
1224 		}
1225 		ASSERT(ppa != NULL);
1226 		ASSERT(mp->b_cont->b_rptr != NULL);
1227 		mru = *(uint32_t *)mp->b_cont->b_rptr;
1228 		if ((mru <= 0) || (mru > PPP_MAXMRU)) {
1229 			error = EPROTO;
1230 			break;
1231 		}
1232 		if (mru < PPP_MRU) {
1233 			mru = PPP_MRU;
1234 		}
1235 		ppa->ppa_mru = (uint16_t)mru;
1236 		/*
1237 		 * If there's something beneath this driver for the ppa, then
1238 		 * inform it (or them) of the MRU size. Only do this is we
1239 		 * are not the last PPP module on the stream.
1240 		 */
1241 		if (!IS_PPA_LASTMOD(ppa) && (ppa->ppa_lower_wq != NULL)) {
1242 			(void) putctl4(ppa->ppa_lower_wq, M_CTL, PPPCTL_MRU,
1243 			    mru);
1244 		}
1245 		error = 0;		/* return success */
1246 		break;
1247 	case PPPIO_MTU:
1248 		if (!IS_SPS_CONTROL(sps) ||
1249 		    (iop->ioc_count != sizeof (uint32_t))) {
1250 			break;		/* return EINVAL */
1251 		} else if (mp->b_cont == NULL) {
1252 			error = EPROTO;
1253 			break;
1254 		}
1255 		ASSERT(ppa != NULL);
1256 		ASSERT(mp->b_cont->b_rptr != NULL);
1257 		mtu = *(uint32_t *)mp->b_cont->b_rptr;
1258 		if ((mtu <= 0) || (mtu > PPP_MAXMTU)) {
1259 			error = EPROTO;
1260 			break;
1261 		}
1262 		ppa->ppa_mtu = (uint16_t)mtu;
1263 		/*
1264 		 * If there's something beneath this driver for the ppa, then
1265 		 * inform it (or them) of the MTU size. Only do this if we
1266 		 * are not the last PPP module on the stream.
1267 		 */
1268 		if (!IS_PPA_LASTMOD(ppa) && (ppa->ppa_lower_wq != NULL)) {
1269 			(void) putctl4(ppa->ppa_lower_wq, M_CTL, PPPCTL_MTU,
1270 			    mtu);
1271 		}
1272 		error = 0;		/* return success */
1273 		break;
1274 	case PPPIO_USETIMESTAMP:
1275 		if (!IS_SPS_CONTROL(sps)) {
1276 			break;		/* return EINVAL */
1277 		}
1278 		if (!IS_PPA_TIMESTAMP(ppa)) {
1279 			hrtime = gethrtime();
1280 			ppa->ppa_lasttx = ppa->ppa_lastrx = hrtime;
1281 			ppa->ppa_flags |= PPA_TIMESTAMP;
1282 		}
1283 		error = 0;
1284 		break;
1285 	}
1286 
1287 	if (error == 0) {
1288 		/* Success; tell the user */
1289 		miocack(q, mp, count, 0);
1290 	} else {
1291 		/* Failure; send error back upstream */
1292 		miocnak(q, mp, 0, error);
1293 	}
1294 }
1295 
1296 /*
1297  * sppp_outer_ioctl()
1298  *
1299  * MT-Perimeters:
1300  *    exclusive inner, exclusive outer
1301  *
1302  * Description:
1303  *    Called by sppp_uwput as a result of receiving ioctls which require
1304  *    an exclusive access at the outer perimeter.
1305  */
1306 static void
1307 sppp_outer_ioctl(queue_t *q, mblk_t *mp)
1308 {
1309 	spppstr_t	*sps = q->q_ptr;
1310 	spppstr_t	*nextsib;
1311 	queue_t		*lwq;
1312 	sppa_t		*ppa;
1313 	struct iocblk	*iop;
1314 	int		error = EINVAL;
1315 	int		count = 0;
1316 	uint32_t	ppa_id;
1317 	mblk_t		*nmp;
1318 	zoneid_t	zoneid;
1319 
1320 	sps = (spppstr_t *)q->q_ptr;
1321 	ppa = sps->sps_ppa;
1322 	iop = (struct iocblk *)mp->b_rptr;
1323 	switch (iop->ioc_cmd) {
1324 	case I_LINK:
1325 		if (!IS_SPS_CONTROL(sps)) {
1326 			break;		/* return EINVAL */
1327 		} else if (ppa->ppa_lower_wq != NULL) {
1328 			error = EEXIST;
1329 			break;
1330 		}
1331 		ASSERT(ppa->ppa_ctl != NULL);
1332 		ASSERT(sps->sps_npmode == NPMODE_PASS);
1333 		ASSERT(mp->b_cont != NULL && mp->b_cont->b_rptr != NULL);
1334 
1335 		lwq = ((struct linkblk *)mp->b_cont->b_rptr)->l_qbot;
1336 		ASSERT(lwq != NULL);
1337 
1338 		ppa->ppa_lower_wq = lwq;
1339 		lwq->q_ptr = RD(lwq)->q_ptr = (caddr_t)ppa;
1340 		/*
1341 		 * Unblock upper network streams which now feed this lower
1342 		 * stream. We don't need to hold ppa_sib_lock here, since we
1343 		 * are writer at the outer perimeter.
1344 		 */
1345 		if (WR(sps->sps_rq)->q_first != NULL)
1346 			qenable(WR(sps->sps_rq));
1347 		for (nextsib = ppa->ppa_streams; nextsib != NULL;
1348 		    nextsib = nextsib->sps_nextsib) {
1349 			nextsib->sps_npmode = NPMODE_PASS;
1350 			if (WR(nextsib->sps_rq)->q_first != NULL) {
1351 				qenable(WR(nextsib->sps_rq));
1352 			}
1353 		}
1354 
1355 		/*
1356 		 * Also unblock (run once) our lower read-side queue.  This is
1357 		 * where packets received while doing the I_LINK may be
1358 		 * languishing; see sppp_lrsrv.
1359 		 */
1360 		qenable(RD(lwq));
1361 
1362 		/*
1363 		 * Send useful information down to the modules which are now
1364 		 * linked below this driver (for this particular ppa). Only
1365 		 * do this if we are not the last PPP module on the stream.
1366 		 */
1367 		if (!IS_PPA_LASTMOD(ppa)) {
1368 			(void) putctl8(lwq, M_CTL, PPPCTL_UNIT,
1369 			    ppa->ppa_ppa_id);
1370 			(void) putctl4(lwq, M_CTL, PPPCTL_MRU, ppa->ppa_mru);
1371 			(void) putctl4(lwq, M_CTL, PPPCTL_MTU, ppa->ppa_mtu);
1372 		}
1373 
1374 		if (IS_SPS_KDEBUG(sps)) {
1375 			SPDEBUG(PPP_DRV_NAME
1376 			    "/%d: I_LINK lwq=0x%p sps=0x%p flags=0x%b ppa=0x%p "
1377 			    "flags=0x%b\n", sps->sps_mn_id,
1378 			    (void *)ppa->ppa_lower_wq, (void *)sps,
1379 			    sps->sps_flags, SPS_FLAGS_STR,
1380 			    (void *)ppa, ppa->ppa_flags,
1381 			    PPA_FLAGS_STR);
1382 		}
1383 		error = 0;		/* return success */
1384 		break;
1385 	case I_UNLINK:
1386 		ASSERT(IS_SPS_CONTROL(sps));
1387 		ASSERT(ppa != NULL);
1388 		lwq = ppa->ppa_lower_wq;
1389 		ASSERT(mp->b_cont != NULL && mp->b_cont->b_rptr != NULL);
1390 		ASSERT(lwq == ((struct linkblk *)mp->b_cont->b_rptr)->l_qbot);
1391 
1392 		if (IS_SPS_KDEBUG(sps)) {
1393 			SPDEBUG(PPP_DRV_NAME
1394 			    "/%d: I_UNLINK lwq=0x%p sps=0x%p flags=0x%b "
1395 			    "ppa=0x%p flags=0x%b\n", sps->sps_mn_id,
1396 			    (void *)lwq, (void *)sps, sps->sps_flags,
1397 			    SPS_FLAGS_STR, (void *)ppa, ppa->ppa_flags,
1398 			    PPA_FLAGS_STR);
1399 		}
1400 		/*
1401 		 * While accessing the outer perimeter exclusively, we
1402 		 * disassociate our ppa's lower_wq from the lower stream linked
1403 		 * beneath us, and we also disassociate our control stream from
1404 		 * the q_ptr of the lower stream.
1405 		 */
1406 		lwq->q_ptr = RD(lwq)->q_ptr = NULL;
1407 		ppa->ppa_lower_wq = NULL;
1408 		/*
1409 		 * Unblock streams which now feed back up the control stream,
1410 		 * and acknowledge the request. We don't need to hold
1411 		 * ppa_sib_lock here, since we are writer at the outer
1412 		 * perimeter.
1413 		 */
1414 		if (WR(sps->sps_rq)->q_first != NULL)
1415 			qenable(WR(sps->sps_rq));
1416 		for (nextsib = ppa->ppa_streams; nextsib != NULL;
1417 		    nextsib = nextsib->sps_nextsib) {
1418 			if (WR(nextsib->sps_rq)->q_first != NULL) {
1419 				qenable(WR(nextsib->sps_rq));
1420 			}
1421 		}
1422 		error = 0;		/* return success */
1423 		break;
1424 	case PPPIO_NEWPPA:
1425 		/*
1426 		 * Do sanity check to ensure that we don't accept PPPIO_NEWPPA
1427 		 * on a stream which DLPI is used (since certain DLPI messages
1428 		 * will cause state transition reflected in sps_dlstate,
1429 		 * changing it from its default DL_UNATTACHED value). In other
1430 		 * words, we won't allow a network/snoop stream to become
1431 		 * a control stream.
1432 		 */
1433 		if (iop->ioc_cr == NULL ||
1434 		    secpolicy_ppp_config(iop->ioc_cr) != 0) {
1435 			error = EPERM;
1436 			break;
1437 		} else if (IS_SPS_CONTROL(sps) || IS_SPS_PIOATTACH(sps) ||
1438 		    (ppa != NULL) || (sps->sps_dlstate != DL_UNATTACHED)) {
1439 			break;		/* return EINVAL */
1440 		}
1441 		/* Get requested unit number (if any) */
1442 		if (iop->ioc_count == sizeof (uint32_t) && mp->b_cont != NULL)
1443 			ppa_id = *(uint32_t *)mp->b_cont->b_rptr;
1444 		else
1445 			ppa_id = 0;
1446 		/* Get mblk to use for response message */
1447 		nmp = allocb(sizeof (uint32_t), BPRI_MED);
1448 		if (nmp == NULL) {
1449 			error = ENOSR;
1450 			break;
1451 		}
1452 		if (mp->b_cont != NULL) {
1453 			freemsg(mp->b_cont);
1454 		}
1455 		mp->b_cont = nmp;		/* chain our response mblk */
1456 		/*
1457 		 * Walk the global ppa list and determine the lowest
1458 		 * available ppa_id number to be used.
1459 		 */
1460 		if (ppa_id == (uint32_t)-1)
1461 			ppa_id = 0;
1462 		zoneid = crgetzoneid(iop->ioc_cr);
1463 		for (ppa = ppa_list; ppa != NULL; ppa = ppa->ppa_nextppa) {
1464 			if (ppa_id == (uint32_t)-2) {
1465 				if (ppa->ppa_ctl == NULL &&
1466 				    ppa->ppa_zoneid == zoneid)
1467 					break;
1468 			} else {
1469 				if (ppa_id < ppa->ppa_ppa_id)
1470 					break;
1471 				if (ppa_id == ppa->ppa_ppa_id)
1472 					++ppa_id;
1473 			}
1474 		}
1475 		if (ppa_id == (uint32_t)-2) {
1476 			if (ppa == NULL) {
1477 				error = ENXIO;
1478 				break;
1479 			}
1480 			/* Clear timestamp and lastmod flags */
1481 			ppa->ppa_flags = 0;
1482 		} else {
1483 			ppa = sppp_create_ppa(ppa_id, zoneid);
1484 			if (ppa == NULL) {
1485 				error = ENOMEM;
1486 				break;
1487 			}
1488 		}
1489 
1490 		sps->sps_ppa = ppa;		/* chain the ppa structure */
1491 		sps->sps_npmode = NPMODE_PASS;	/* network packets may travel */
1492 		sps->sps_flags |= SPS_CONTROL;	/* this is the control stream */
1493 
1494 		ppa->ppa_refcnt++;		/* new PPA reference */
1495 		ppa->ppa_ctl = sps;		/* back ptr to upper stream */
1496 		/*
1497 		 * Return the newly created ppa_id to the requestor and
1498 		 * acnowledge the request.
1499 		 */
1500 		*(uint32_t *)nmp->b_wptr = ppa->ppa_ppa_id;
1501 		nmp->b_wptr += sizeof (uint32_t);
1502 
1503 		if (IS_SPS_KDEBUG(sps)) {
1504 			SPDEBUG(PPP_DRV_NAME
1505 			    "/%d: PPPIO_NEWPPA ppa_id=%d sps=0x%p flags=0x%b "
1506 			    "ppa=0x%p flags=0x%b\n", sps->sps_mn_id, ppa_id,
1507 			    (void *)sps, sps->sps_flags, SPS_FLAGS_STR,
1508 			    (void *)ppa, ppa->ppa_flags,
1509 			    PPA_FLAGS_STR);
1510 		}
1511 		count = msgsize(nmp);
1512 		error = 0;
1513 		break;
1514 	}
1515 
1516 	if (error == 0) {
1517 		/* Success; tell the user. */
1518 		miocack(q, mp, count, 0);
1519 	} else {
1520 		/* Failure; send error back upstream. */
1521 		miocnak(q, mp, 0, error);
1522 	}
1523 }
1524 
1525 /*
1526  * sppp_send()
1527  *
1528  * MT-Perimeters:
1529  *    shared inner, shared outer.
1530  *
1531  * Description:
1532  *    Called by sppp_uwput to handle M_DATA message type.  Returns
1533  *    queue_t for putnext, or NULL to mean that the packet was
1534  *    handled internally.
1535  */
1536 static queue_t *
1537 sppp_send(queue_t *q, mblk_t **mpp, spppstr_t *sps)
1538 {
1539 	mblk_t	*mp;
1540 	sppa_t	*ppa;
1541 	int	is_promisc;
1542 	int	msize;
1543 	int	error = 0;
1544 	queue_t	*nextq;
1545 
1546 	ASSERT(mpp != NULL);
1547 	mp = *mpp;
1548 	ASSERT(q != NULL && q->q_ptr != NULL);
1549 	ASSERT(mp != NULL && mp->b_rptr != NULL);
1550 	ASSERT(sps != NULL);
1551 	ASSERT(q->q_ptr == sps);
1552 	/*
1553 	 * We only let M_DATA through if the sender is either the control
1554 	 * stream (for PPP control packets) or one of the network streams
1555 	 * (for IP packets) in IP fastpath mode. If this stream is not attached
1556 	 * to any ppas, then discard data coming down through this stream.
1557 	 */
1558 	ppa = sps->sps_ppa;
1559 	if (ppa == NULL) {
1560 		ASSERT(!IS_SPS_CONTROL(sps));
1561 		error = ENOLINK;
1562 	} else if (!IS_SPS_CONTROL(sps) && !IS_SPS_FASTPATH(sps)) {
1563 		error = EPROTO;
1564 	}
1565 	if (error != 0) {
1566 		merror(q, mp, error);
1567 		return (NULL);
1568 	}
1569 	msize = msgdsize(mp);
1570 	if (msize > (ppa->ppa_mtu + PPP_HDRLEN)) {
1571 		/* Log, and send it anyway */
1572 		mutex_enter(&ppa->ppa_sta_lock);
1573 		ppa->ppa_otoolongs++;
1574 		mutex_exit(&ppa->ppa_sta_lock);
1575 	} else if (msize < PPP_HDRLEN) {
1576 		/*
1577 		 * Log, and send it anyway. We log it because we get things
1578 		 * in M_DATA form here, which tells us that the sender is
1579 		 * either IP in fastpath transmission mode, or pppd. In both
1580 		 * cases, they are currently expected to send the 4-bytes
1581 		 * PPP header in front of any possible payloads.
1582 		 */
1583 		mutex_enter(&ppa->ppa_sta_lock);
1584 		ppa->ppa_orunts++;
1585 		mutex_exit(&ppa->ppa_sta_lock);
1586 	}
1587 
1588 	if (IS_SPS_KDEBUG(sps)) {
1589 		SPDEBUG(PPP_DRV_NAME
1590 		    "/%d: M_DATA send (%d bytes) sps=0x%p flags=0x%b "
1591 		    "ppa=0x%p flags=0x%b\n", sps->sps_mn_id, msize,
1592 		    (void *)sps, sps->sps_flags, SPS_FLAGS_STR,
1593 		    (void *)ppa, ppa->ppa_flags, PPA_FLAGS_STR);
1594 	}
1595 	/*
1596 	 * Should there be any promiscuous stream(s), send the data up
1597 	 * for each promiscuous stream that we recognize. Make sure that
1598 	 * for fastpath, we skip the PPP header in the M_DATA mblk. We skip
1599 	 * the control stream as we obviously never allow the control stream
1600 	 * to become promiscous and bind to PPP_ALLSAP.
1601 	 */
1602 	rw_enter(&ppa->ppa_sib_lock, RW_READER);
1603 	is_promisc = sps->sps_ppa->ppa_promicnt;
1604 	if (is_promisc) {
1605 		ASSERT(ppa->ppa_streams != NULL);
1606 		sppp_dlprsendup(ppa->ppa_streams, mp, sps->sps_sap, B_TRUE);
1607 	}
1608 	rw_exit(&ppa->ppa_sib_lock);
1609 	/*
1610 	 * Only time-stamp the packet with hrtime if the upper stream
1611 	 * is configured to do so.  PPP control (negotiation) messages
1612 	 * are never considered link activity; only data is activity.
1613 	 */
1614 	if (!IS_SPS_CONTROL(sps) && IS_PPA_TIMESTAMP(ppa)) {
1615 		ppa->ppa_lasttx = gethrtime();
1616 	}
1617 	/*
1618 	 * If there's already a message in the write-side service queue,
1619 	 * then queue this message there as well, otherwise, try to send
1620 	 * it down to the module immediately below us.
1621 	 */
1622 	if (q->q_first != NULL ||
1623 	    (nextq = sppp_outpkt(q, mpp, msize, sps)) == NULL) {
1624 		mp = *mpp;
1625 		if (mp != NULL && putq(q, mp) == 0) {
1626 			mutex_enter(&ppa->ppa_sta_lock);
1627 			ppa->ppa_oqdropped++;
1628 			mutex_exit(&ppa->ppa_sta_lock);
1629 			freemsg(mp);
1630 		}
1631 		return (NULL);
1632 	}
1633 	return (nextq);
1634 }
1635 
1636 /*
1637  * sppp_outpkt()
1638  *
1639  * MT-Perimeters:
1640  *    shared inner, shared outer (if called from sppp_wput, sppp_dlunitdatareq).
1641  *    exclusive inner, shared outer (if called from sppp_wsrv).
1642  *
1643  * Description:
1644  *    Called from 1) sppp_uwput when processing a M_DATA fastpath message,
1645  *    or 2) sppp_uwsrv when processing the upper write-side service queue.
1646  *    For both cases, it prepares to send the data to the module below
1647  *    this driver if there is a lower stream linked underneath. If none, then
1648  *    the data will be sent upstream via the control channel to pppd.
1649  *
1650  * Returns:
1651  *	Non-NULL queue_t if message should be sent now, otherwise
1652  *	if *mpp == NULL, then message was freed, otherwise put *mpp
1653  *	(back) on the queue.  (Does not do putq/putbq, since it's
1654  *	called both from srv and put procedures.)
1655  */
1656 static queue_t *
1657 sppp_outpkt(queue_t *q, mblk_t **mpp, int msize, spppstr_t *sps)
1658 {
1659 	mblk_t		*mp;
1660 	sppa_t		*ppa;
1661 	enum NPmode	npmode;
1662 	mblk_t		*mpnew;
1663 
1664 	ASSERT(mpp != NULL);
1665 	mp = *mpp;
1666 	ASSERT(q != NULL && q->q_ptr != NULL);
1667 	ASSERT(mp != NULL && mp->b_rptr != NULL);
1668 	ASSERT(sps != NULL);
1669 
1670 	ppa = sps->sps_ppa;
1671 	npmode = sps->sps_npmode;
1672 
1673 	if (npmode == NPMODE_QUEUE) {
1674 		ASSERT(!IS_SPS_CONTROL(sps));
1675 		return (NULL);	/* queue it for later */
1676 	} else if (ppa == NULL || ppa->ppa_ctl == NULL ||
1677 	    npmode == NPMODE_DROP || npmode == NPMODE_ERROR) {
1678 		/*
1679 		 * This can not be the control stream, as it must always have
1680 		 * a valid ppa, and its npmode must always be NPMODE_PASS.
1681 		 */
1682 		ASSERT(!IS_SPS_CONTROL(sps));
1683 		if (npmode == NPMODE_DROP) {
1684 			freemsg(mp);
1685 		} else {
1686 			/*
1687 			 * If we no longer have the control stream, or if the
1688 			 * mode is set to NPMODE_ERROR, then we need to tell IP
1689 			 * that the interface need to be marked as down. In
1690 			 * other words, we tell IP to be quiescent.
1691 			 */
1692 			merror(q, mp, EPROTO);
1693 		}
1694 		*mpp = NULL;
1695 		return (NULL);	/* don't queue it */
1696 	}
1697 	/*
1698 	 * Do we have a driver stream linked underneath ? If not, we need to
1699 	 * notify pppd that the link needs to be brought up and configure
1700 	 * this upper stream to drop subsequent outgoing packets. This is
1701 	 * for demand-dialing, in which case pppd has done the IP plumbing
1702 	 * but hasn't linked the driver stream underneath us. Therefore, when
1703 	 * a packet is sent down the IP interface, a notification message
1704 	 * will be sent up the control stream to pppd in order for it to
1705 	 * establish the physical link. The driver stream is then expected
1706 	 * to be linked underneath after physical link establishment is done.
1707 	 */
1708 	if (ppa->ppa_lower_wq == NULL) {
1709 		ASSERT(ppa->ppa_ctl != NULL);
1710 		ASSERT(ppa->ppa_ctl->sps_rq != NULL);
1711 
1712 		*mpp = NULL;
1713 		mpnew = create_lsmsg(PPP_LINKSTAT_NEEDUP);
1714 		if (mpnew == NULL) {
1715 			freemsg(mp);
1716 			mutex_enter(&ppa->ppa_sta_lock);
1717 			ppa->ppa_allocbfail++;
1718 			mutex_exit(&ppa->ppa_sta_lock);
1719 			return (NULL);	/* don't queue it */
1720 		}
1721 		/* Include the data in the message for logging. */
1722 		mpnew->b_cont = mp;
1723 		mutex_enter(&ppa->ppa_sta_lock);
1724 		ppa->ppa_lsneedup++;
1725 		mutex_exit(&ppa->ppa_sta_lock);
1726 		/*
1727 		 * We need to set the mode to NPMODE_DROP, but should only
1728 		 * do so when this stream is not the control stream.
1729 		 */
1730 		if (!IS_SPS_CONTROL(sps)) {
1731 			sps->sps_npmode = NPMODE_DROP;
1732 		}
1733 		putnext(ppa->ppa_ctl->sps_rq, mpnew);
1734 		return (NULL);	/* don't queue it */
1735 	}
1736 	/*
1737 	 * If so, then try to send it down. The lower queue is only ever
1738 	 * detached while holding an exclusive lock on the whole driver,
1739 	 * so we can be confident that the lower queue is still there.
1740 	 */
1741 	if (bcanputnext(ppa->ppa_lower_wq, mp->b_band)) {
1742 		mutex_enter(&ppa->ppa_sta_lock);
1743 		ppa->ppa_stats.p.ppp_opackets++;
1744 		if (IS_SPS_CONTROL(sps)) {
1745 			ppa->ppa_opkt_ctl++;
1746 		}
1747 		ppa->ppa_stats.p.ppp_obytes += msize;
1748 		mutex_exit(&ppa->ppa_sta_lock);
1749 		return (ppa->ppa_lower_wq);	/* don't queue it */
1750 	}
1751 	return (NULL);	/* queue it for later */
1752 }
1753 
1754 /*
1755  * sppp_lwsrv()
1756  *
1757  * MT-Perimeters:
1758  *    exclusive inner, shared outer.
1759  *
1760  * Description:
1761  *    Lower write-side service procedure. No messages are ever placed on
1762  *    the write queue here, this just back-enables all upper write side
1763  *    service procedures.
1764  */
1765 int
1766 sppp_lwsrv(queue_t *q)
1767 {
1768 	sppa_t		*ppa;
1769 	spppstr_t	*nextsib;
1770 
1771 	ASSERT(q != NULL && q->q_ptr != NULL);
1772 	ppa = (sppa_t *)q->q_ptr;
1773 	ASSERT(ppa != NULL);
1774 
1775 	rw_enter(&ppa->ppa_sib_lock, RW_READER);
1776 	if ((nextsib = ppa->ppa_ctl) != NULL &&
1777 	    WR(nextsib->sps_rq)->q_first != NULL)
1778 		qenable(WR(nextsib->sps_rq));
1779 	for (nextsib = ppa->ppa_streams; nextsib != NULL;
1780 	    nextsib = nextsib->sps_nextsib) {
1781 		if (WR(nextsib->sps_rq)->q_first != NULL) {
1782 			qenable(WR(nextsib->sps_rq));
1783 		}
1784 	}
1785 	rw_exit(&ppa->ppa_sib_lock);
1786 	return (0);
1787 }
1788 
1789 /*
1790  * sppp_lrput()
1791  *
1792  * MT-Perimeters:
1793  *    shared inner, shared outer.
1794  *
1795  * Description:
1796  *    Lower read-side put procedure. Messages from below get here.
1797  *    Data messages are handled separately to limit stack usage
1798  *    going into IP.
1799  *
1800  *    Note that during I_UNLINK processing, it's possible for a downstream
1801  *    message to enable upstream data (due to pass_wput() removing the
1802  *    SQ_BLOCKED flag), and thus we must protect against a NULL sppa pointer.
1803  *    In this case, the only thing above us is passthru, and we might as well
1804  *    discard.
1805  */
1806 int
1807 sppp_lrput(queue_t *q, mblk_t *mp)
1808 {
1809 	sppa_t		*ppa;
1810 	spppstr_t	*sps;
1811 
1812 	if ((ppa = q->q_ptr) == NULL) {
1813 		freemsg(mp);
1814 		return (0);
1815 	}
1816 
1817 	sps = ppa->ppa_ctl;
1818 
1819 	if (MTYPE(mp) != M_DATA) {
1820 		sppp_recv_nondata(q, mp, sps);
1821 	} else if (sps == NULL) {
1822 		freemsg(mp);
1823 	} else if ((q = sppp_recv(q, &mp, sps)) != NULL) {
1824 		putnext(q, mp);
1825 	}
1826 	return (0);
1827 }
1828 
1829 /*
1830  * sppp_lrsrv()
1831  *
1832  * MT-Perimeters:
1833  *    exclusive inner, shared outer.
1834  *
1835  * Description:
1836  *    Lower read-side service procedure.  This is run once after the I_LINK
1837  *    occurs in order to clean up any packets that came in while we were
1838  *    transferring in the lower stream.  Otherwise, it's not used.
1839  */
1840 int
1841 sppp_lrsrv(queue_t *q)
1842 {
1843 	mblk_t *mp;
1844 
1845 	while ((mp = getq(q)) != NULL)
1846 		(void) sppp_lrput(q, mp);
1847 	return (0);
1848 }
1849 
1850 /*
1851  * sppp_recv_nondata()
1852  *
1853  * MT-Perimeters:
1854  *    shared inner, shared outer.
1855  *
1856  * Description:
1857  *    All received non-data messages come through here.
1858  */
1859 static void
1860 sppp_recv_nondata(queue_t *q, mblk_t *mp, spppstr_t *ctlsps)
1861 {
1862 	sppa_t		*ppa;
1863 	spppstr_t	*destsps;
1864 	struct iocblk	*iop;
1865 
1866 	ppa = (sppa_t *)q->q_ptr;
1867 	ctlsps = ppa->ppa_ctl;
1868 
1869 	switch (MTYPE(mp)) {
1870 	case M_CTL:
1871 		mutex_enter(&ppa->ppa_sta_lock);
1872 		if (*mp->b_rptr == PPPCTL_IERROR) {
1873 			ppa->ppa_stats.p.ppp_ierrors++;
1874 			ppa->ppa_ierr_low++;
1875 			ppa->ppa_mctlsknown++;
1876 		} else if (*mp->b_rptr == PPPCTL_OERROR) {
1877 			ppa->ppa_stats.p.ppp_oerrors++;
1878 			ppa->ppa_oerr_low++;
1879 			ppa->ppa_mctlsknown++;
1880 		} else {
1881 			ppa->ppa_mctlsunknown++;
1882 		}
1883 		mutex_exit(&ppa->ppa_sta_lock);
1884 		freemsg(mp);
1885 		break;
1886 	case M_IOCTL:
1887 		miocnak(q, mp, 0, EINVAL);
1888 		break;
1889 	case M_IOCACK:
1890 	case M_IOCNAK:
1891 		iop = (struct iocblk *)mp->b_rptr;
1892 		ASSERT(iop != NULL);
1893 		/*
1894 		 * Attempt to match up the response with the stream that the
1895 		 * request came from. If ioc_id doesn't match the one that we
1896 		 * recorded, then discard this message.
1897 		 */
1898 		rw_enter(&ppa->ppa_sib_lock, RW_READER);
1899 		if ((destsps = ctlsps) == NULL ||
1900 		    destsps->sps_ioc_id != iop->ioc_id) {
1901 			destsps = ppa->ppa_streams;
1902 			while (destsps != NULL) {
1903 				if (destsps->sps_ioc_id == iop->ioc_id) {
1904 					break;	/* found the upper stream */
1905 				}
1906 				destsps = destsps->sps_nextsib;
1907 			}
1908 		}
1909 		rw_exit(&ppa->ppa_sib_lock);
1910 		if (destsps == NULL) {
1911 			mutex_enter(&ppa->ppa_sta_lock);
1912 			ppa->ppa_ioctlsfwderr++;
1913 			mutex_exit(&ppa->ppa_sta_lock);
1914 			freemsg(mp);
1915 			break;
1916 		}
1917 		mutex_enter(&ppa->ppa_sta_lock);
1918 		ppa->ppa_ioctlsfwdok++;
1919 
1920 		/*
1921 		 * Clear SPS_IOCQ and enable the lower write side queue,
1922 		 * this would allow the upper stream service routine
1923 		 * to start processing the queue for pending messages.
1924 		 * sppp_lwsrv -> sppp_uwsrv.
1925 		 */
1926 		destsps->sps_flags &= ~SPS_IOCQ;
1927 		mutex_exit(&ppa->ppa_sta_lock);
1928 		qenable(WR(destsps->sps_rq));
1929 
1930 		putnext(destsps->sps_rq, mp);
1931 		break;
1932 	case M_HANGUP:
1933 		/*
1934 		 * Free the original mblk_t. We don't really want to send
1935 		 * a M_HANGUP message upstream, so we need to translate this
1936 		 * message into something else.
1937 		 */
1938 		freemsg(mp);
1939 		if (ctlsps == NULL)
1940 			break;
1941 		mp = create_lsmsg(PPP_LINKSTAT_HANGUP);
1942 		if (mp == NULL) {
1943 			mutex_enter(&ppa->ppa_sta_lock);
1944 			ppa->ppa_allocbfail++;
1945 			mutex_exit(&ppa->ppa_sta_lock);
1946 			break;
1947 		}
1948 		mutex_enter(&ppa->ppa_sta_lock);
1949 		ppa->ppa_lsdown++;
1950 		mutex_exit(&ppa->ppa_sta_lock);
1951 		putnext(ctlsps->sps_rq, mp);
1952 		break;
1953 	case M_FLUSH:
1954 		if (*mp->b_rptr & FLUSHR) {
1955 			flushq(q, FLUSHDATA);
1956 		}
1957 		if (*mp->b_rptr & FLUSHW) {
1958 			*mp->b_rptr &= ~FLUSHR;
1959 			qreply(q, mp);
1960 		} else {
1961 			freemsg(mp);
1962 		}
1963 		break;
1964 	default:
1965 		if (ctlsps != NULL &&
1966 		    (queclass(mp) == QPCTL) || canputnext(ctlsps->sps_rq)) {
1967 			putnext(ctlsps->sps_rq, mp);
1968 		} else {
1969 			mutex_enter(&ppa->ppa_sta_lock);
1970 			ppa->ppa_iqdropped++;
1971 			mutex_exit(&ppa->ppa_sta_lock);
1972 			freemsg(mp);
1973 		}
1974 		break;
1975 	}
1976 }
1977 
1978 /*
1979  * sppp_recv()
1980  *
1981  * MT-Perimeters:
1982  *    shared inner, shared outer.
1983  *
1984  * Description:
1985  *    Receive function called by sppp_lrput.  Finds appropriate
1986  *    receive stream and does accounting.
1987  */
1988 static queue_t *
1989 sppp_recv(queue_t *q, mblk_t **mpp, spppstr_t *ctlsps)
1990 {
1991 	mblk_t		*mp;
1992 	int		len;
1993 	sppa_t		*ppa;
1994 	spppstr_t	*destsps;
1995 	mblk_t		*zmp;
1996 	uint32_t	npflagpos;
1997 
1998 	ASSERT(mpp != NULL);
1999 	mp = *mpp;
2000 	ASSERT(q != NULL && q->q_ptr != NULL);
2001 	ASSERT(mp != NULL && mp->b_rptr != NULL);
2002 	ASSERT(ctlsps != NULL);
2003 	ASSERT(IS_SPS_CONTROL(ctlsps));
2004 	ppa = ctlsps->sps_ppa;
2005 	ASSERT(ppa != NULL && ppa->ppa_ctl != NULL);
2006 
2007 	len = msgdsize(mp);
2008 	mutex_enter(&ppa->ppa_sta_lock);
2009 	ppa->ppa_stats.p.ppp_ibytes += len;
2010 	mutex_exit(&ppa->ppa_sta_lock);
2011 	/*
2012 	 * If the entire data size of the mblk is less than the length of the
2013 	 * PPP header, then free it. We can't do much with such message anyway,
2014 	 * since we can't really determine what the PPP protocol type is.
2015 	 */
2016 	if (len < PPP_HDRLEN) {
2017 		/* Log, and free it */
2018 		mutex_enter(&ppa->ppa_sta_lock);
2019 		ppa->ppa_irunts++;
2020 		mutex_exit(&ppa->ppa_sta_lock);
2021 		freemsg(mp);
2022 		return (NULL);
2023 	} else if (len > (ppa->ppa_mru + PPP_HDRLEN)) {
2024 		/* Log, and accept it anyway */
2025 		mutex_enter(&ppa->ppa_sta_lock);
2026 		ppa->ppa_itoolongs++;
2027 		mutex_exit(&ppa->ppa_sta_lock);
2028 	}
2029 	/*
2030 	 * We need at least be able to read the PPP protocol from the header,
2031 	 * so if the first message block is too small, then we concatenate the
2032 	 * rest of the following blocks into one message.
2033 	 */
2034 	if (MBLKL(mp) < PPP_HDRLEN) {
2035 		zmp = msgpullup(mp, PPP_HDRLEN);
2036 		freemsg(mp);
2037 		mp = zmp;
2038 		if (mp == NULL) {
2039 			mutex_enter(&ppa->ppa_sta_lock);
2040 			ppa->ppa_allocbfail++;
2041 			mutex_exit(&ppa->ppa_sta_lock);
2042 			return (NULL);
2043 		}
2044 		*mpp = mp;
2045 	}
2046 	/*
2047 	 * Hold this packet in the control-queue until
2048 	 * the matching network-layer upper stream for the PPP protocol (sap)
2049 	 * has not been plumbed and configured
2050 	 */
2051 	npflagpos = sppp_ppp2np(PPP_PROTOCOL(mp->b_rptr));
2052 	mutex_enter(&ppa->ppa_npmutex);
2053 	if (npflagpos != 0 && (ppa->ppa_npflag & (1 << npflagpos))) {
2054 		/*
2055 		 * proto is currently blocked; Hold up to 4 packets
2056 		 * in the kernel.
2057 		 */
2058 		if (ppa->ppa_holdpkts[npflagpos] > 3 ||
2059 		    putq(ctlsps->sps_rq, mp) == 0)
2060 			freemsg(mp);
2061 		else
2062 			ppa->ppa_holdpkts[npflagpos]++;
2063 		mutex_exit(&ppa->ppa_npmutex);
2064 		return (NULL);
2065 	}
2066 	mutex_exit(&ppa->ppa_npmutex);
2067 	/*
2068 	 * Try to find a matching network-layer upper stream for the specified
2069 	 * PPP protocol (sap), and if none is found, send this frame up the
2070 	 * control stream.
2071 	 */
2072 	destsps = sppp_inpkt(q, mp, ctlsps);
2073 	if (destsps == NULL) {
2074 		mutex_enter(&ppa->ppa_sta_lock);
2075 		ppa->ppa_ipkt_ctl++;
2076 		mutex_exit(&ppa->ppa_sta_lock);
2077 		if (canputnext(ctlsps->sps_rq)) {
2078 			if (IS_SPS_KDEBUG(ctlsps)) {
2079 				SPDEBUG(PPP_DRV_NAME
2080 				    "/%d: M_DATA recv (%d bytes) sps=0x%p "
2081 				    "flags=0x%b ppa=0x%p flags=0x%b\n",
2082 				    ctlsps->sps_mn_id, len, (void *)ctlsps,
2083 				    ctlsps->sps_flags, SPS_FLAGS_STR,
2084 				    (void *)ppa, ppa->ppa_flags,
2085 				    PPA_FLAGS_STR);
2086 			}
2087 			return (ctlsps->sps_rq);
2088 		} else {
2089 			mutex_enter(&ppa->ppa_sta_lock);
2090 			ppa->ppa_iqdropped++;
2091 			mutex_exit(&ppa->ppa_sta_lock);
2092 			freemsg(mp);
2093 			return (NULL);
2094 		}
2095 	}
2096 	if (canputnext(destsps->sps_rq)) {
2097 		if (IS_SPS_KDEBUG(destsps)) {
2098 			SPDEBUG(PPP_DRV_NAME
2099 			    "/%d: M_DATA recv (%d bytes) sps=0x%p flags=0x%b "
2100 			    "ppa=0x%p flags=0x%b\n", destsps->sps_mn_id, len,
2101 			    (void *)destsps, destsps->sps_flags,
2102 			    SPS_FLAGS_STR, (void *)ppa, ppa->ppa_flags,
2103 			    PPA_FLAGS_STR);
2104 		}
2105 		/*
2106 		 * If fastpath is enabled on the network-layer stream, then
2107 		 * make sure we skip over the PPP header, otherwise, we wrap
2108 		 * the message in a DLPI message.
2109 		 */
2110 		if (IS_SPS_FASTPATH(destsps)) {
2111 			mp->b_rptr += PPP_HDRLEN;
2112 			return (destsps->sps_rq);
2113 		} else {
2114 			spppstr_t *uqs = (spppstr_t *)destsps->sps_rq->q_ptr;
2115 			ASSERT(uqs != NULL);
2116 			mp->b_rptr += PPP_HDRLEN;
2117 			mp = sppp_dladdud(uqs, mp, uqs->sps_sap, B_FALSE);
2118 			if (mp != NULL) {
2119 				*mpp = mp;
2120 				return (destsps->sps_rq);
2121 			} else {
2122 				mutex_enter(&ppa->ppa_sta_lock);
2123 				ppa->ppa_allocbfail++;
2124 				mutex_exit(&ppa->ppa_sta_lock);
2125 				/* mp already freed by sppp_dladdud */
2126 				return (NULL);
2127 			}
2128 		}
2129 	} else {
2130 		mutex_enter(&ppa->ppa_sta_lock);
2131 		ppa->ppa_iqdropped++;
2132 		mutex_exit(&ppa->ppa_sta_lock);
2133 		freemsg(mp);
2134 		return (NULL);
2135 	}
2136 }
2137 
2138 /*
2139  * sppp_inpkt()
2140  *
2141  * MT-Perimeters:
2142  *    shared inner, shared outer.
2143  *
2144  * Description:
2145  *    Find the destination upper stream for the received packet, called
2146  *    from sppp_recv.
2147  *
2148  * Returns:
2149  *    ptr to destination upper network stream, or NULL for control stream.
2150  */
2151 /* ARGSUSED */
2152 static spppstr_t *
2153 sppp_inpkt(queue_t *q, mblk_t *mp, spppstr_t *ctlsps)
2154 {
2155 	spppstr_t	*destsps = NULL;
2156 	sppa_t		*ppa;
2157 	uint16_t	proto;
2158 	int		is_promisc;
2159 
2160 	ASSERT(q != NULL && q->q_ptr != NULL);
2161 	ASSERT(mp != NULL && mp->b_rptr != NULL);
2162 	ASSERT(IS_SPS_CONTROL(ctlsps));
2163 	ppa = ctlsps->sps_ppa;
2164 	ASSERT(ppa != NULL);
2165 	/*
2166 	 * From RFC 1661 (Section 2):
2167 	 *
2168 	 * The Protocol field is one or two octets, and its value identifies
2169 	 * the datagram encapsulated in the Information field of the packet.
2170 	 * The field is transmitted and received most significant octet first.
2171 	 *
2172 	 * The structure of this field is consistent with the ISO 3309
2173 	 * extension mechanism for address fields.  All Protocols MUST be odd;
2174 	 * the least significant bit of the least significant octet MUST equal
2175 	 * "1".  Also, all Protocols MUST be assigned such that the least
2176 	 * significant bit of the most significant octet equals "0". Frames
2177 	 * received which don't comply with these rules MUST be treated as
2178 	 * having an unrecognized Protocol.
2179 	 *
2180 	 * Protocol field values in the "0***" to "3***" range identify the
2181 	 * network-layer protocol of specific packets, and values in the
2182 	 * "8***" to "b***" range identify packets belonging to the associated
2183 	 * Network Control Protocols (NCPs), if any.
2184 	 *
2185 	 * Protocol field values in the "4***" to "7***" range are used for
2186 	 * protocols with low volume traffic which have no associated NCP.
2187 	 * Protocol field values in the "c***" to "f***" range identify packets
2188 	 * as link-layer Control Protocols (such as LCP).
2189 	 */
2190 	proto = PPP_PROTOCOL(mp->b_rptr);
2191 	mutex_enter(&ppa->ppa_sta_lock);
2192 	ppa->ppa_stats.p.ppp_ipackets++;
2193 	mutex_exit(&ppa->ppa_sta_lock);
2194 	/*
2195 	 * We check if this is not a network-layer protocol, and if so,
2196 	 * then send this packet up the control stream.
2197 	 */
2198 	if (proto > 0x7fff) {
2199 		goto inpkt_done;	/* send it up the control stream */
2200 	}
2201 	/*
2202 	 * Try to grab the destination upper stream from the network-layer
2203 	 * stream cache for this ppa for PPP_IP (0x0021) or PPP_IPV6 (0x0057)
2204 	 * protocol types. Otherwise, if the type is not known to the cache,
2205 	 * or if its sap can't be matched with any of the upper streams, then
2206 	 * send this packet up the control stream so that it can be rejected.
2207 	 */
2208 	if (proto == PPP_IP) {
2209 		destsps = ppa->ppa_ip_cache;
2210 	} else if (proto == PPP_IPV6) {
2211 		destsps = ppa->ppa_ip6_cache;
2212 	}
2213 	/*
2214 	 * Toss this one away up the control stream if there's no matching sap;
2215 	 * this way the protocol can be rejected (destsps is NULL).
2216 	 */
2217 
2218 inpkt_done:
2219 	/*
2220 	 * Only time-stamp the packet with hrtime if the upper stream
2221 	 * is configured to do so.  PPP control (negotiation) messages
2222 	 * are never considered link activity; only data is activity.
2223 	 */
2224 	if (destsps != NULL && IS_PPA_TIMESTAMP(ppa)) {
2225 		ppa->ppa_lastrx = gethrtime();
2226 	}
2227 	/*
2228 	 * Should there be any promiscuous stream(s), send the data up for
2229 	 * each promiscuous stream that we recognize. We skip the control
2230 	 * stream as we obviously never allow the control stream to become
2231 	 * promiscous and bind to PPP_ALLSAP.
2232 	 */
2233 	rw_enter(&ppa->ppa_sib_lock, RW_READER);
2234 	is_promisc = ppa->ppa_promicnt;
2235 	if (is_promisc) {
2236 		ASSERT(ppa->ppa_streams != NULL);
2237 		sppp_dlprsendup(ppa->ppa_streams, mp, proto, B_TRUE);
2238 	}
2239 	rw_exit(&ppa->ppa_sib_lock);
2240 	return (destsps);
2241 }
2242 
2243 /*
2244  * sppp_kstat_update()
2245  *
2246  * Description:
2247  *    Update per-ppa kstat interface statistics.
2248  */
2249 static int
2250 sppp_kstat_update(kstat_t *ksp, int rw)
2251 {
2252 	register sppa_t		*ppa;
2253 	register sppp_kstats_t	*pppkp;
2254 	register struct pppstat64 *sp;
2255 
2256 	if (rw == KSTAT_WRITE) {
2257 		return (EACCES);
2258 	}
2259 
2260 	ppa = (sppa_t *)ksp->ks_private;
2261 	ASSERT(ppa != NULL);
2262 
2263 	pppkp = (sppp_kstats_t *)ksp->ks_data;
2264 	sp = &ppa->ppa_stats.p;
2265 
2266 	mutex_enter(&ppa->ppa_sta_lock);
2267 	pppkp->allocbfail.value.ui32	= ppa->ppa_allocbfail;
2268 	pppkp->mctlsfwd.value.ui32	= ppa->ppa_mctlsfwd;
2269 	pppkp->mctlsfwderr.value.ui32	= ppa->ppa_mctlsfwderr;
2270 	pppkp->rbytes.value.ui32	= sp->ppp_ibytes;
2271 	pppkp->rbytes64.value.ui64	= sp->ppp_ibytes;
2272 	pppkp->ierrors.value.ui32	= sp->ppp_ierrors;
2273 	pppkp->ierrors_lower.value.ui32	= ppa->ppa_ierr_low;
2274 	pppkp->ioctlsfwd.value.ui32	= ppa->ppa_ioctlsfwd;
2275 	pppkp->ioctlsfwdok.value.ui32	= ppa->ppa_ioctlsfwdok;
2276 	pppkp->ioctlsfwderr.value.ui32	= ppa->ppa_ioctlsfwderr;
2277 	pppkp->ipackets.value.ui32	= sp->ppp_ipackets;
2278 	pppkp->ipackets64.value.ui64	= sp->ppp_ipackets;
2279 	pppkp->ipackets_ctl.value.ui32	= ppa->ppa_ipkt_ctl;
2280 	pppkp->iqdropped.value.ui32	= ppa->ppa_iqdropped;
2281 	pppkp->irunts.value.ui32	= ppa->ppa_irunts;
2282 	pppkp->itoolongs.value.ui32	= ppa->ppa_itoolongs;
2283 	pppkp->lsneedup.value.ui32	= ppa->ppa_lsneedup;
2284 	pppkp->lsdown.value.ui32	= ppa->ppa_lsdown;
2285 	pppkp->mctlsknown.value.ui32	= ppa->ppa_mctlsknown;
2286 	pppkp->mctlsunknown.value.ui32	= ppa->ppa_mctlsunknown;
2287 	pppkp->obytes.value.ui32	= sp->ppp_obytes;
2288 	pppkp->obytes64.value.ui64	= sp->ppp_obytes;
2289 	pppkp->oerrors.value.ui32	= sp->ppp_oerrors;
2290 	pppkp->oerrors_lower.value.ui32	= ppa->ppa_oerr_low;
2291 	pppkp->opackets.value.ui32	= sp->ppp_opackets;
2292 	pppkp->opackets64.value.ui64	= sp->ppp_opackets;
2293 	pppkp->opackets_ctl.value.ui32	= ppa->ppa_opkt_ctl;
2294 	pppkp->oqdropped.value.ui32	= ppa->ppa_oqdropped;
2295 	pppkp->otoolongs.value.ui32	= ppa->ppa_otoolongs;
2296 	pppkp->orunts.value.ui32	= ppa->ppa_orunts;
2297 	mutex_exit(&ppa->ppa_sta_lock);
2298 
2299 	return (0);
2300 }
2301 
2302 /*
2303  * Turn off proto in ppa_npflag to indicate that
2304  * the corresponding network protocol has been plumbed.
2305  * Release proto packets that were being held in the control
2306  * queue in anticipation of this event.
2307  */
2308 static void
2309 sppp_release_pkts(sppa_t *ppa, uint16_t proto)
2310 {
2311 	uint32_t npflagpos = sppp_ppp2np(proto);
2312 	int count;
2313 	mblk_t *mp;
2314 	uint16_t mp_proto;
2315 	queue_t *q;
2316 	spppstr_t *destsps;
2317 
2318 	ASSERT(ppa != NULL);
2319 
2320 	if (npflagpos == 0 || (ppa->ppa_npflag & (1 << npflagpos)) == 0)
2321 		return;
2322 
2323 	mutex_enter(&ppa->ppa_npmutex);
2324 	ppa->ppa_npflag &= ~(1 << npflagpos);
2325 	count = ppa->ppa_holdpkts[npflagpos];
2326 	ppa->ppa_holdpkts[npflagpos] = 0;
2327 	mutex_exit(&ppa->ppa_npmutex);
2328 
2329 	q = ppa->ppa_ctl->sps_rq;
2330 
2331 	while (count > 0) {
2332 		mp = getq(q);
2333 		ASSERT(mp != NULL);
2334 
2335 		mp_proto = PPP_PROTOCOL(mp->b_rptr);
2336 		if (mp_proto !=  proto) {
2337 			(void) putq(q, mp);
2338 			continue;
2339 		}
2340 		count--;
2341 		destsps = NULL;
2342 		if (mp_proto == PPP_IP) {
2343 			destsps = ppa->ppa_ip_cache;
2344 		} else if (mp_proto == PPP_IPV6) {
2345 			destsps = ppa->ppa_ip6_cache;
2346 		}
2347 		ASSERT(destsps != NULL);
2348 
2349 		if (IS_SPS_FASTPATH(destsps)) {
2350 			mp->b_rptr += PPP_HDRLEN;
2351 		} else {
2352 			spppstr_t *uqs = (spppstr_t *)destsps->sps_rq->q_ptr;
2353 			ASSERT(uqs != NULL);
2354 			mp->b_rptr += PPP_HDRLEN;
2355 			mp = sppp_dladdud(uqs, mp, uqs->sps_sap, B_FALSE);
2356 			if (mp == NULL) {
2357 				mutex_enter(&ppa->ppa_sta_lock);
2358 				ppa->ppa_allocbfail++;
2359 				mutex_exit(&ppa->ppa_sta_lock);
2360 				/* mp already freed by sppp_dladdud */
2361 				continue;
2362 			}
2363 		}
2364 
2365 		if (canputnext(destsps->sps_rq)) {
2366 			putnext(destsps->sps_rq, mp);
2367 		} else {
2368 			mutex_enter(&ppa->ppa_sta_lock);
2369 			ppa->ppa_iqdropped++;
2370 			mutex_exit(&ppa->ppa_sta_lock);
2371 			freemsg(mp);
2372 			continue;
2373 		}
2374 	}
2375 }
2376