xref: /illumos-gate/usr/src/uts/common/io/ptm.c (revision e5803b76927480e8f9b67b22201c484ccf4c2bcf)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
25 /*	  All Rights Reserved  	*/
26 
27 
28 
29 /*
30  * Pseudo Terminal Master Driver.
31  *
32  * The pseudo-tty subsystem simulates a terminal connection, where the master
33  * side represents the terminal and the slave represents the user process's
34  * special device end point. The master device is set up as a cloned device
35  * where its major device number is the major for the clone device and its minor
36  * device number is the major for the ptm driver. There are no nodes in the file
37  * system for master devices. The master pseudo driver is opened using the
38  * open(2) system call with /dev/ptmx as the device parameter.  The clone open
39  * finds the next available minor device for the ptm major device.
40  *
41  * A master device is available only if it and its corresponding slave device
42  * are not already open. When the master device is opened, the corresponding
43  * slave device is automatically locked out. Only one open is allowed on a
44  * master device.  Multiple opens are allowed on the slave device.  After both
45  * the master and slave have been opened, the user has two file descriptors
46  * which are the end points of a full duplex connection composed of two streams
47  * which are automatically connected at the master and slave drivers. The user
48  * may then push modules onto either side of the stream pair.
49  *
50  * The master and slave drivers pass all messages to their adjacent queues.
51  * Only the M_FLUSH needs some processing.  Because the read queue of one side
52  * is connected to the write queue of the other, the FLUSHR flag is changed to
53  * the FLUSHW flag and vice versa. When the master device is closed an M_HANGUP
54  * message is sent to the slave device which will render the device
55  * unusable. The process on the slave side gets the EIO when attempting to write
56  * on that stream but it will be able to read any data remaining on the stream
57  * head read queue.  When all the data has been read, read() returns 0
58  * indicating that the stream can no longer be used.  On the last close of the
59  * slave device, a 0-length message is sent to the master device. When the
60  * application on the master side issues a read() or getmsg() and 0 is returned,
61  * the user of the master device decides whether to issue a close() that
62  * dismantles the pseudo-terminal subsystem. If the master device is not closed,
63  * the pseudo-tty subsystem will be available to another user to open the slave
64  * device.
65  *
66  * If O_NONBLOCK or O_NDELAY is set, read on the master side returns -1 with
67  * errno set to EAGAIN if no data is available, and write returns -1 with errno
68  * set to EAGAIN if there is internal flow control.
69  *
70  * IOCTLS:
71  *
72  *  ISPTM: determines whether the file descriptor is that of an open master
73  *	   device. Return code of zero indicates that the file descriptor
74  *	   represents master device.
75  *
76  *  UNLKPT: unlocks the master and slave devices.  It returns 0 on success. On
77  *	    failure, the errno is set to EINVAL indicating that the master
78  *	    device is not open.
79  *
80  *  ZONEPT: sets the zone membership of the associated pts device.
81  *
82  *  GRPPT:  sets the group owner of the associated pts device.
83  *
84  * Synchronization:
85  *
86  *   All global data synchronization between ptm/pts is done via global
87  *   ptms_lock mutex which is initialized at system boot time from
88  *   ptms_initspace (called from space.c).
89  *
90  *   Individual fields of pt_ttys structure (except ptm_rdq, pts_rdq and
91  *   pt_nullmsg) are protected by pt_ttys.pt_lock mutex.
92  *
93  *   PT_ENTER_READ/PT_ENTER_WRITE are reference counter based read-write locks
94  *   which allow reader locks to be reacquired by the same thread (usual
95  *   reader/writer locks can't be used for that purpose since it is illegal for
96  *   a thread to acquire a lock it already holds, even as a reader). The sole
97  *   purpose of these macros is to guarantee that the peer queue will not
98  *   disappear (due to closing peer) while it is used. It is safe to use
99  *   PT_ENTER_READ/PT_EXIT_READ brackets across calls like putq/putnext (since
100  *   they are not real locks but reference counts).
101  *
102  *   PT_ENTER_WRITE/PT_EXIT_WRITE brackets are used ONLY in master/slave
103  *   open/close paths to modify ptm_rdq and pts_rdq fields. These fields should
104  *   be set to appropriate queues *after* qprocson() is called during open (to
105  *   prevent peer from accessing the queue with incomplete plumbing) and set to
106  *   NULL before qprocsoff() is called during close.
107  *
108  *   The pt_nullmsg field is only used in open/close routines and it is also
109  *   protected by PT_ENTER_WRITE/PT_EXIT_WRITE brackets to avoid extra mutex
110  *   holds.
111  *
112  * Lock Ordering:
113  *
114  *   If both ptms_lock and per-pty lock should be held, ptms_lock should always
115  *   be entered first, followed by per-pty lock.
116  *
117  * See ptms.h, pts.c and ptms_conf.c for more information.
118  */
119 
120 #include <sys/types.h>
121 #include <sys/param.h>
122 #include <sys/file.h>
123 #include <sys/sysmacros.h>
124 #include <sys/stream.h>
125 #include <sys/stropts.h>
126 #include <sys/proc.h>
127 #include <sys/errno.h>
128 #include <sys/debug.h>
129 #include <sys/cmn_err.h>
130 #include <sys/ptms.h>
131 #include <sys/stat.h>
132 #include <sys/strsun.h>
133 #include <sys/systm.h>
134 #include <sys/modctl.h>
135 #include <sys/conf.h>
136 #include <sys/ddi.h>
137 #include <sys/sunddi.h>
138 #include <sys/zone.h>
139 
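#ifdef DEBUG
/* Runtime switch for DBG() tracing; nothing is logged while this is zero. */
int ptm_debug = 0;
/*
 * DBG((fmt)): log a CE_NOTE trace line when ptm_debug is non-zero.
 *
 * The argument is handed to cmn_err() as its format string, so it must always
 * be a string literal and never text taken from a message or an ioctl.
 * The do/while (0) wrapper makes the expansion a single statement, so a DBG()
 * used as the body of an unbraced "if" cannot capture the "else" that follows.
 */
#define	DBG(a)	do { if (ptm_debug) cmn_err(CE_NOTE, a); } while (0)
#else
/* Non-DEBUG builds: still a complete statement, but it does nothing. */
#define	DBG(a)	do { } while (0)
#endif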
146 
/*
 * STREAMS entry points of the master driver.  They are defined further down
 * and referenced from the qinit tables that follow.
 */
static int ptmopen(queue_t *rqp, dev_t *devp, int oflag, int sflag,
    cred_t *credp);
static int ptmclose(queue_t *rqp, int flag, cred_t *credp);
static void ptmwput(queue_t *qp, mblk_t *mp);
static void ptmrsrv(queue_t *qp);
static void ptmwsrv(queue_t *qp);
152 
/*
 * Master Stream Pseudo Terminal Module: stream data structure definitions
 */

/* Module identity and the packet-size / water-mark defaults for its queues. */
static struct module_info ptm_info = {
	.mi_idnum = 0xdead,
	.mi_idname = "ptm",
	.mi_minpsz = 0,
	.mi_maxpsz = 512,
	.mi_hiwat = 512,
	.mi_lowat = 128
};

/*
 * Read side: no put procedure, only a service procedure.  The open and close
 * routines of the driver are registered here.
 */
static struct qinit ptmrint = {
	.qi_putp = NULL,
	.qi_srvp = (int (*)()) ptmrsrv,
	.qi_qopen = ptmopen,
	.qi_qclose = ptmclose,
	.qi_qadmin = NULL,
	.qi_minfo = &ptm_info,
	.qi_mstat = NULL
};

/* Write side: put and service procedures, no open/close of its own. */
static struct qinit ptmwint = {
	.qi_putp = (int (*)()) ptmwput,
	.qi_srvp = (int (*)()) ptmwsrv,
	.qi_qopen = NULL,
	.qi_qclose = NULL,
	.qi_qadmin = NULL,
	.qi_minfo = &ptm_info,
	.qi_mstat = NULL
};

/* Ties the two qinit tables together; the multiplexor slots are unused. */
static struct streamtab ptminfo = {
	.st_rdinit = &ptmrint,
	.st_wrinit = &ptmwint,
	.st_muxrinit = NULL,
	.st_muxwinit = NULL
};
192 
/* Autoconfiguration entry points, defined below. */
static int ptm_attach(dev_info_t *devi, ddi_attach_cmd_t cmd);
static int ptm_detach(dev_info_t *devi, ddi_detach_cmd_t cmd);
static int ptm_devinfo(dev_info_t *dip, ddi_info_cmd_t infocmd, void *arg,
    void **result);

/*
 * Private devinfo pointer.  ptm_attach() stores it and ptm_devinfo() hands it
 * back for DDI_INFO_DEVT2DEVINFO requests.
 */
static dev_info_t	*ptm_dip;

/*
 * this will define (struct cb_ops cb_ptm_ops) and (struct dev_ops ptm_ops)
 *
 * Arguments in order: ops name, identify, probe, attach, detach, reset,
 * getinfo, cb_ops flag, streamtab, quiesce.
 */
DDI_DEFINE_STREAM_OPS(ptm_ops, nulldev, nulldev, ptm_attach, ptm_detach,
    nodev, ptm_devinfo, D_MP, &ptminfo, ddi_quiesce_not_supported);
204 
/*
 * Module linkage information for the kernel.
 */

/* Describes this module as a pseudo driver whose dev_ops are ptm_ops. */
static struct modldrv modldrv = {
	.drv_modops = &mod_driverops,
	.drv_linkinfo = "Master streams driver 'ptm'",
	.drv_dev_ops = &ptm_ops
};

/* NULL-terminated linkage list handed to mod_install/mod_remove/mod_info. */
static struct modlinkage modlinkage = {
	.ml_rev = MODREV_1,
	.ml_linkage = { &modldrv, NULL }
};
220 
/*
 * Loadable-module entry point: install the module and, only if that succeeds,
 * run ptms_init().  Returns whatever mod_install() returned.
 */
int
_init(void)
{
	int err = mod_install(&modlinkage);

	if (err != 0)
		return (err);

	ptms_init();
	return (0);
}
230 
/*
 * Loadable-module exit point: ask the framework to remove the module and pass
 * its verdict back unchanged.  Nothing set up by ptms_init() is undone here.
 */
int
_fini(void)
{
	int err;

	err = mod_remove(&modlinkage);
	return (err);
}
236 
/*
 * Report module information: a thin wrapper that forwards to mod_info() with
 * this module's linkage and returns its result.
 */
int
_info(struct modinfo *modinfop)
{
	int rv;

	rv = mod_info(&modlinkage, modinfop);
	return (rv);
}
242 
/*
 * Attach entry point.  Only DDI_ATTACH is handled.
 *
 * Two character minor nodes are created, both with minor number 0:
 * "ptmajor" (no clone flag) and "ptmx" (CLONE_DEV).  If either creation
 * fails, every minor node of the instance is removed and the attach fails.
 * On success the devinfo pointer is remembered in ptm_dip.
 */
static int
ptm_attach(dev_info_t *devi, ddi_attach_cmd_t cmd)
{
	if (cmd != DDI_ATTACH)
		return (DDI_FAILURE);

	/* "ptmx" is only attempted once "ptmajor" has been created. */
	if (ddi_create_minor_node(devi, "ptmajor", S_IFCHR,
	    0, DDI_PSEUDO, NULL) == DDI_FAILURE ||
	    ddi_create_minor_node(devi, "ptmx", S_IFCHR,
	    0, DDI_PSEUDO, CLONE_DEV) == DDI_FAILURE) {
		ddi_remove_minor_node(devi, NULL);
		return (DDI_FAILURE);
	}

	ptm_dip = devi;
	return (DDI_SUCCESS);
}
263 
/*
 * Detach entry point.  Only DDI_DETACH is handled; all minor nodes of the
 * instance are removed.
 *
 * NOTE(review): ptm_dip is left pointing at devi after a successful detach,
 * so ptm_devinfo() keeps answering DDI_INFO_DEVT2DEVINFO with it.  Confirm
 * whether it should be cleared here.
 */
static int
ptm_detach(dev_info_t *devi, ddi_detach_cmd_t cmd)
{
	if (cmd == DDI_DETACH) {
		ddi_remove_minor_node(devi, NULL);
		return (DDI_SUCCESS);
	}

	return (DDI_FAILURE);
}
273 
/*
 * getinfo entry point.
 *
 * DDI_INFO_DEVT2DEVINFO returns the devinfo pointer saved by ptm_attach(),
 * or fails if none has been saved.  DDI_INFO_DEVT2INSTANCE always reports
 * instance 0.  Any other request fails.  dip and arg are not used.
 */
/*ARGSUSED*/
static int
ptm_devinfo(dev_info_t *dip, ddi_info_cmd_t infocmd, void *arg,
    void **result)
{
	int rv = DDI_FAILURE;

	if (infocmd == DDI_INFO_DEVT2DEVINFO) {
		if (ptm_dip != NULL) {
			*result = (void *)ptm_dip;
			rv = DDI_SUCCESS;
		}
	} else if (infocmd == DDI_INFO_DEVT2INSTANCE) {
		*result = (void *)0;
		rv = DDI_SUCCESS;
	}

	return (rv);
}
299 
300 
/*
 * Open the master side of a pseudo-terminal.
 *
 * A queue that already carries private data is a re-open and succeeds with
 * no further work.  Module opens are refused, and so is a non-clone open
 * that names a non-zero minor (a hand-made device node for one specific
 * master); both return ENXIO.  ptms_attach_slave() must succeed before the
 * open proceeds.
 *
 * A pt_ttys entry is then taken from pt_ttys_alloc(), stored as the private
 * data of both queues, and published to the slave through ptm_rdq once
 * qprocson() has run.  The stream head receives an M_SETOPTS message with
 * the read-queue water marks and, unless FNOCTTY was passed, SO_ISTTY.
 * On success *devp is rewritten to the caller's major paired with the
 * allocated minor.
 *
 * pt_state is presumably set to (PTMOPEN | PTLOCK) inside pt_ttys_alloc();
 * that is not visible in this function.
 *
 * Returns 0, ENXIO, or ENOMEM when either allocation fails.
 */
/* ARGSUSED */
static int
ptmopen(
	queue_t *rqp,		/* pointer to the read side queue */
	dev_t   *devp,		/* pointer to stream tail's dev */
	int	oflag,		/* the user open(2) supplied flags */
	int	sflag,		/* open state flag */
	cred_t  *credp)		/* credentials */
{
	struct pt_ttys	*pty;
	mblk_t		*optmsg;	/* M_SETOPTS message for stream head */
	struct stroptions *opts;
	minor_t		minor = getminor(*devp);

	/* Re-open of an already initialised queue: nothing to do. */
	if (rqp->q_ptr != NULL)
		return (0);

	/* This is a driver, it cannot be pushed as a module. */
	if (sflag & MODOPEN)
		return (ENXIO);

	/*
	 * A direct open of a specific master through an artificially
	 * created /dev entry with its own minor is not supported.
	 */
	if (!(sflag & CLONEOPEN) && minor != 0)
		return (ENXIO);

	/*
	 * The slave must be attached before the master open returns, so
	 * that a later open of the slave can succeed.
	 */
	if (ptms_attach_slave() != 0)
		return (ENXIO);

	/*
	 * Allocate the options message first: if it fails no pty has been
	 * taken yet, and if the pty allocation fails only the message has
	 * to be released.
	 */
	optmsg = allocb(sizeof (struct stroptions), BPRI_MED);
	if (optmsg == NULL) {
		DDBG("ptmopen(): mop allocation failed\n", 0);
		return (ENOMEM);
	}

	pty = pt_ttys_alloc();
	if (pty == NULL) {
		DDBG("ptmopen(): pty allocation failed\n", 0);
		freemsg(optmsg);
		return (ENOMEM);
	}

	minor = pty->pt_minor;

	DDBGP("ptmopen(): allocated ptmp %p\n", (uintptr_t)pty);
	DDBG("ptmopen(): allocated minor %d\n", minor);

	rqp->q_ptr = pty;
	WR(rqp)->q_ptr = pty;

	qprocson(rqp);

	/*
	 * Publish the read queue only now that the queue procedures are
	 * on; from here the slave may send messages to the master.
	 */
	PT_ENTER_WRITE(pty);
	pty->ptm_rdq = rqp;
	PT_EXIT_WRITE(pty);

	/*
	 * Set the hi/lo water marks on the stream head read queue and,
	 * unless the caller asked for FNOCTTY, mark the stream as a tty.
	 */
	optmsg->b_datap->db_type = M_SETOPTS;
	optmsg->b_wptr += sizeof (struct stroptions);
	opts = (struct stroptions *)optmsg->b_rptr;
	opts->so_flags = SO_HIWAT | SO_LOWAT;
	if (!(oflag & FNOCTTY))
		opts->so_flags |= SO_ISTTY;
	opts->so_hiwat = 512;
	opts->so_lowat = 256;
	putnext(rqp, optmsg);

	/*
	 * devp came in holding the major; hand back the major paired with
	 * the minor that was just allocated.
	 */
	*devp = makedevice(getmajor(*devp), minor);

	return (0);
}
395 
396 
/*
 * Close the master side.
 *
 * If the slave is open and linked into a stream, an M_HANGUP is sent up its
 * read side to tell it the pair is being torn down.  The master's read queue
 * pointer is then withdrawn from the shared pt_ttys entry, any pending
 * pt_nullmsg is freed, and the slave's write queue is enabled so it can
 * drain.  After qprocsoff() the private data of both queues is cleared and
 * ptms_close() is called with (PTMOPEN | PTLOCK).  Always returns 0.
 */
/*ARGSUSED1*/
static int
ptmclose(queue_t *rqp, int flag, cred_t *credp)
{
	struct pt_ttys	*pty;
	queue_t		*slave_rq;

	ASSERT(rqp->q_ptr);
	pty = (struct pt_ttys *)rqp->q_ptr;

	/* The read bracket keeps the slave queue from vanishing under us. */
	PT_ENTER_READ(pty);
	slave_rq = pty->pts_rdq;
	if (slave_rq != NULL && slave_rq->q_next != NULL) {
		DBG(("send hangup message to slave\n"));
		(void) putnextctl(slave_rq, M_HANGUP);
	}
	PT_EXIT_READ(pty);

	/*
	 * ptm_rdq must be cleared before qprocsoff() so that the pts write
	 * procedure cannot try to use it after the queue is turned off.
	 */
	PT_ENTER_WRITE(pty);
	pty->ptm_rdq = NULL;
	freemsg(pty->pt_nullmsg);
	pty->pt_nullmsg = NULL;
	/*
	 * Enable the slave's write queue so it can flush its messages now
	 * that the master's read queue is going away.
	 */
	if (pty->pts_rdq != NULL)
		qenable(WR(pty->pts_rdq));
	PT_EXIT_WRITE(pty);

	qprocsoff(rqp);

	/* Finish the close: drop the private data from both queues. */
	rqp->q_ptr = NULL;
	WR(rqp)->q_ptr = NULL;

	ptms_close(pty, PTMOPEN | PTLOCK);

	return (0);
}
449 
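/*
 * Write-side put procedure of the master.
 *
 * M_FLUSH is handled in place: the master's own write queue is flushed and
 * the FLUSHR/FLUSHW sense is swapped before the message is passed to the
 * slave, because one side's write queue feeds the other side's read queue.
 *
 * M_IOCTL: UNLKPT, ISPTM, ZONEPT and OWNERPT are answered here (the header
 * comment of this file lists GRPPT; the code below handles OWNERPT).  Every
 * other ioctl is queued for the service procedure, or NAKed with EINVAL when
 * the pair is still locked or the slave is not open.
 *
 * M_READ is dropped.  All other messages are queued for the service
 * procedure; if the pair is locked or the slave is not open the message is
 * turned into an M_ERROR and sent back up the master's read side instead.
 *
 * The whole routine runs inside a PT_ENTER_READ/PT_EXIT_READ bracket; every
 * exit path must leave the bracket.
 */
static void
ptmwput(queue_t *qp, mblk_t *mp)
{
	struct pt_ttys	*ptmp;
	struct iocblk	*iocp;

	DBG(("entering ptmwput\n"));
	ASSERT(qp->q_ptr);

	ptmp = (struct pt_ttys *)qp->q_ptr;
	PT_ENTER_READ(ptmp);

	switch (mp->b_datap->db_type) {
	/*
	 * if write queue request, flush master's write
	 * queue and send FLUSHR up slave side. If read
	 * queue request, convert to FLUSHW and putnext().
	 */
	case M_FLUSH:
		{
			unsigned char flush_flg = 0;

			DBG(("ptm got flush request\n"));
			if (*mp->b_rptr & FLUSHW) {
				DBG(("got FLUSHW, flush ptm write Q\n"));
				if (*mp->b_rptr & FLUSHBAND)
					/*
					 * if it is a FLUSHBAND, do flushband.
					 *
					 * NOTE(review): the band is read from
					 * the second byte without checking
					 * that b_wptr covers it; presumably
					 * the sender guarantees two bytes
					 * when FLUSHBAND is set -- confirm.
					 */
					flushband(qp, *(mp->b_rptr + 1),
					    FLUSHDATA);
				else
					flushq(qp, FLUSHDATA);
				flush_flg = (*mp->b_rptr & ~FLUSHW) | FLUSHR;
			}
			if (*mp->b_rptr & FLUSHR) {
				DBG(("got FLUSHR, set FLUSHW\n"));
				flush_flg |= (*mp->b_rptr & ~FLUSHR) | FLUSHW;
			}
			/* Forward only to an open, unlocked slave. */
			if (flush_flg != 0 && ptmp->pts_rdq &&
			    !(ptmp->pt_state & PTLOCK)) {
				DBG(("putnext to pts\n"));
				*mp->b_rptr = flush_flg;
				putnext(ptmp->pts_rdq, mp);
			} else
				freemsg(mp);
			break;
		}

	case M_IOCTL:
		iocp = (struct iocblk *)mp->b_rptr;
		switch (iocp->ioc_cmd) {
		default:
			/* Not ours: needs an open, unlocked slave. */
			if ((ptmp->pt_state & PTLOCK) ||
			    (ptmp->pts_rdq == NULL)) {
				DBG(("got M_IOCTL but no slave\n"));
				miocnak(qp, mp, 0, EINVAL);
				PT_EXIT_READ(ptmp);
				return;
			}
			(void) putq(qp, mp);
			break;
		case UNLKPT:
			/* Clear the lock bit, then ack exactly like ISPTM. */
			mutex_enter(&ptmp->pt_lock);
			ptmp->pt_state &= ~PTLOCK;
			mutex_exit(&ptmp->pt_lock);
			/*FALLTHROUGH*/
		case ISPTM:
			DBG(("ack the UNLKPT/ISPTM\n"));
			miocack(qp, mp, 0, 0);
			break;
		case ZONEPT:
		{
			zoneid_t z;
			int error;

			/* Changing zone membership is a privileged request. */
			if ((error = drv_priv(iocp->ioc_cr)) != 0) {
				miocnak(qp, mp, 0, error);
				break;
			}
			/* Make sure a whole zoneid_t is present and contiguous. */
			if ((error = miocpullup(mp, sizeof (zoneid_t))) != 0) {
				miocnak(qp, mp, 0, error);
				break;
			}
			z = *((zoneid_t *)mp->b_cont->b_rptr);
			/*
			 * Only the numeric range is checked; whether a zone
			 * with this ID exists is not verified here.
			 */
			if (z < MIN_ZONEID || z > MAX_ZONEID) {
				miocnak(qp, mp, 0, EINVAL);
				break;
			}

			mutex_enter(&ptmp->pt_lock);
			ptmp->pt_zoneid = z;
			mutex_exit(&ptmp->pt_lock);
			miocack(qp, mp, 0, 0);
			break;
		}
		case OWNERPT:
		{
			pt_own_t *ptop;
			int error;
			zone_t *zone;

			/*
			 * NOTE(review): unlike ZONEPT there is no drv_priv()
			 * check, so any holder of the master can record any
			 * uid/gid that is valid in the pty's zone as owner.
			 * Presumably intended for unprivileged callers that
			 * grant access to their own pty -- confirm.
			 */
			if ((error = miocpullup(mp, sizeof (pt_own_t))) != 0) {
				miocnak(qp, mp, 0, error);
				break;
			}

			/*
			 * zone_find_by_id() returns NULL when no usable zone
			 * has this ID (ZONEPT validates the range only, and
			 * a zone can go away while the pty stays open).
			 * Fail the request rather than hand a NULL zone to
			 * the validity macros and zone_rele().
			 */
			zone = zone_find_by_id(ptmp->pt_zoneid);
			if (zone == NULL) {
				miocnak(qp, mp, 0, EINVAL);
				break;
			}
			ptop = (pt_own_t *)mp->b_cont->b_rptr;

			if (!VALID_UID(ptop->pto_ruid, zone) ||
			    !VALID_GID(ptop->pto_rgid, zone)) {
				zone_rele(zone);
				miocnak(qp, mp, 0, EINVAL);
				break;
			}
			zone_rele(zone);
			mutex_enter(&ptmp->pt_lock);
			ptmp->pt_ruid = ptop->pto_ruid;
			ptmp->pt_rgid = ptop->pto_rgid;
			mutex_exit(&ptmp->pt_lock);
			miocack(qp, mp, 0, 0);
			break;
		}
		}
		break;

	case M_READ:
		/* Caused by ldterm - can not pass to slave */
		freemsg(mp);
		break;

	/*
	 * send other messages to slave
	 */
	default:
		if ((ptmp->pt_state  & PTLOCK) || (ptmp->pts_rdq == NULL)) {
			DBG(("got msg. but no slave\n"));
			/*
			 * Reuse the message as a two-byte M_ERROR: no read
			 * error, EINVAL as the write error.  If mexchange()
			 * fails there is nothing left to send.
			 */
			mp = mexchange(NULL, mp, 2, M_ERROR, -1);
			if (mp != NULL) {
				mp->b_rptr[0] = NOERROR;
				mp->b_rptr[1] = EINVAL;
				qreply(qp, mp);
			}
			PT_EXIT_READ(ptmp);
			return;
		}
		DBG(("put msg on master's write queue\n"));
		(void) putq(qp, mp);
		break;
	}
	DBG(("return from ptmwput()\n"));
	PT_EXIT_READ(ptmp);
}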
607 
608 
/*
 * Read-side service procedure of the master.
 *
 * It moves no data itself: it only enables the slave's write queue, which
 * prompts the slave to send whatever it has queued there to the read side
 * of this master.  Nothing happens if the slave is not open.
 */
static void
ptmrsrv(queue_t *qp)
{
	struct pt_ttys	*pty;
	queue_t		*slave_rq;

	DBG(("entering ptmrsrv\n"));
	ASSERT(qp->q_ptr);

	pty = (struct pt_ttys *)qp->q_ptr;

	/* The read bracket keeps the slave queue alive while it is used. */
	PT_ENTER_READ(pty);
	slave_rq = pty->pts_rdq;
	if (slave_rq != NULL)
		qenable(WR(slave_rq));
	PT_EXIT_READ(pty);

	DBG(("leaving ptmrsrv\n"));
}
630 
631 
/*
 * Write-side service procedure of the master.
 *
 * Drains this queue towards the slave's read side with putnext().  A message
 * whose type is not above QPCTL is put back and draining stops when the
 * slave cannot accept its band; other messages are sent regardless.
 *
 * If the pair is still locked or the slave is not open, the queue is emptied
 * instead: M_IOCTL messages are NAKed with EINVAL so the waiting caller is
 * woken, everything else is freed, and an M_ERROR is sent back up the
 * master's read side.
 */
static void
ptmwsrv(queue_t *qp)
{
	struct pt_ttys	*pty;
	mblk_t 		*mp;

	DBG(("entering ptmwsrv\n"));
	ASSERT(qp->q_ptr);

	pty = (struct pt_ttys *)qp->q_ptr;

	mp = getq(qp);
	if (mp == NULL) {
		/* If there are no messages there's nothing to do. */
		DBG(("leaving ptmwsrv (no messages)\n"));
		return;
	}

	PT_ENTER_READ(pty);
	if ((pty->pt_state & PTLOCK) || pty->pts_rdq == NULL) {
		mblk_t *errmsg;

		DBG(("in master write srv proc but no slave\n"));
		/*
		 * No slave to deliver to.  NAK every M_IOCTL so the process
		 * waiting for its ACK/NAK wakes up, and free the rest.
		 */
		for (; mp != NULL; mp = getq(qp)) {
			if (mp->b_datap->db_type == M_IOCTL)
				miocnak(qp, mp, 0, EINVAL);
			else
				freemsg(mp);
		}
		flushq(qp, FLUSHALL);

		/* Two-byte M_ERROR: no read error, EINVAL on write. */
		errmsg = mexchange(NULL, NULL, 2, M_ERROR, -1);
		if (errmsg != NULL) {
			errmsg->b_rptr[0] = NOERROR;
			errmsg->b_rptr[1] = EINVAL;
			qreply(qp, errmsg);
		}
		PT_EXIT_READ(pty);
		return;
	}

	/* Deliver queued messages for as long as the slave accepts them. */
	for (; mp != NULL; mp = getq(qp)) {
		/*
		 * Flow-controlled message and the slave's read side is full
		 * for this band: put it back and stop.
		 */
		if (mp->b_datap->db_type <= QPCTL &&
		    !bcanputnext(pty->pts_rdq, mp->b_band)) {
			DBG(("put msg. back on queue\n"));
			(void) putbq(qp, mp);
			break;
		}

		/* Otherwise send the message up the slave's stream. */
		DBG(("send message to slave\n"));
		putnext(pty->pts_rdq, mp);
	}
	DBG(("leaving ptmwsrv\n"));
	PT_EXIT_READ(pty);
}
705