xref: /titanic_41/usr/src/uts/common/io/logindmux.c (revision 9a5d73e03cd3312ddb571a748c40a63c58bd66e5)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 
27 /*
28  * Description: logindmux.c
29  *
30  * The logindmux driver is used with login modules (like telmod/rlmod).
31  * This is a 1x1 cloning mux and two of these muxes are used. The lower link
32  * of one of the muxes receives input from net and the lower link of the
33  * other mux receives input from pseudo terminal subsystem.
34  *
35  * The logdmux_qexch_lock mutex manages the race between LOGDMX_IOC_QEXCHANGE,
36  * logdmuxunlink() and logdmuxclose(), so that the instance selected as a peer
37  * in LOGDMX_IOC_QEXCHANGE cannot be unlinked or closed until the qexchange
38  * is complete; see the inline comments in the code for details.
39  *
40  * The logdmux_peerq_lock mutex manages the race between logdmuxlwsrv() and
41  * logdmuxlrput() (when null'ing tmxp->peerq during LOGDMUX_UNLINK_REQ
42  * processing).
43  *
44  * The logdmux_minor_lock mutex serializes the growth of logdmux_minor_arena
45  * (the arena is grown gradually rather than allocated all at once so that
46  * minor numbers are recycled sooner; for simplicity it is never shrunk).
47  *
48  * The unlink operation is implemented using protocol messages that flow
49  * between the two logindmux peer instances. The instance processing the
50  * I_UNLINK ioctl will send a LOGDMUX_UNLINK_REQ protocol message to its
51  * peer to indicate that it wishes to unlink; the peer will process this
52  * message in its lrput, null its tmxp->peerq and then send a
53  * LOGDMUX_UNLINK_RESP protocol message in reply to indicate that the
54  * unlink can proceed; having received the reply in its lrput, the
55  * instance processing the I_UNLINK can then continue. To ensure that only
56  * one of the peer instances will be actively processing an I_UNLINK at
57  * any one time, a single structure (an unlinkinfo_t containing a mutex,
58  * state variable and pointer to an M_CTL mblk) is allocated during
59  * the processing of the LOGDMX_IOC_QEXCHANGE ioctl. The two instances, if
60  * trying to unlink simultaneously, will race to get control of this
61  * structure which contains the resources necessary to process the
62  * I_UNLINK. The instance that wins this race will be able to continue
63  * with the unlink whilst the other instance will be obliged to wait.
64  */
65 
66 #include <sys/types.h>
67 #include <sys/param.h>
68 #include <sys/errno.h>
69 #include <sys/debug.h>
70 #include <sys/stropts.h>
71 #include <sys/stream.h>
72 #include <sys/logindmux.h>
73 #include <sys/logindmux_impl.h>
74 #include <sys/stat.h>
75 #include <sys/kmem.h>
76 #include <sys/vmem.h>
77 #include <sys/strsun.h>
78 #include <sys/sysmacros.h>
79 #include <sys/mkdev.h>
80 #include <sys/ddi.h>
81 #include <sys/sunddi.h>
82 #include <sys/modctl.h>
83 #include <sys/termios.h>
84 #include <sys/cmn_err.h>
85 
86 static int logdmuxopen(queue_t *, dev_t *, int, int, cred_t *);
87 static int logdmuxclose(queue_t *, int, cred_t *);
88 static int logdmuxursrv(queue_t *);
89 static int logdmuxuwput(queue_t *, mblk_t *);
90 static int logdmuxlrput(queue_t *, mblk_t *);
91 static int logdmuxlrsrv(queue_t *);
92 static int logdmuxlwsrv(queue_t *);
93 static int logdmuxuwsrv(queue_t *);
94 static int logdmux_alloc_unlinkinfo(struct tmx *, struct tmx *);
95 
96 static void logdmuxlink(queue_t *, mblk_t *);
97 static void logdmuxunlink(queue_t *, mblk_t *);
98 static void logdmux_finish_unlink(queue_t *, mblk_t *);
99 static void logdmux_unlink_timer(void *arg);
100 static void recover(queue_t *, mblk_t *, size_t);
101 static void flushq_dataonly(queue_t *);
102 
103 static kmutex_t logdmux_qexch_lock;
104 static kmutex_t logdmux_peerq_lock;
105 static kmutex_t logdmux_minor_lock;
106 static minor_t	logdmux_maxminor = 256;	/* grown as necessary */
107 static vmem_t	*logdmux_minor_arena;
108 static void	*logdmux_statep;
109 
110 static struct module_info logdmuxm_info = {
111 	LOGDMX_ID,
112 	"logindmux",
113 	0,
114 	256,
115 	512,
116 	256
117 };
118 
119 static struct qinit logdmuxurinit = {
120 	NULL,
121 	logdmuxursrv,
122 	logdmuxopen,
123 	logdmuxclose,
124 	NULL,
125 	&logdmuxm_info
126 };
127 
128 static struct qinit logdmuxuwinit = {
129 	logdmuxuwput,
130 	logdmuxuwsrv,
131 	NULL,
132 	NULL,
133 	NULL,
134 	&logdmuxm_info
135 };
136 
137 static struct qinit logdmuxlrinit = {
138 	logdmuxlrput,
139 	logdmuxlrsrv,
140 	NULL,
141 	NULL,
142 	NULL,
143 	&logdmuxm_info
144 };
145 
146 static struct qinit logdmuxlwinit = {
147 	NULL,
148 	logdmuxlwsrv,
149 	NULL,
150 	NULL,
151 	NULL,
152 	&logdmuxm_info
153 };
154 
155 struct streamtab logdmuxinfo = {
156 	&logdmuxurinit,
157 	&logdmuxuwinit,
158 	&logdmuxlrinit,
159 	&logdmuxlwinit
160 };
161 
162 static int logdmux_info(dev_info_t *, ddi_info_cmd_t, void *, void **);
163 static int logdmux_attach(dev_info_t *, ddi_attach_cmd_t);
164 static int logdmux_detach(dev_info_t *, ddi_detach_cmd_t);
165 static dev_info_t *logdmux_dip;
166 
167 DDI_DEFINE_STREAM_OPS(logdmux_ops, nulldev, nulldev, logdmux_attach,
168     logdmux_detach, nulldev, logdmux_info, D_MP | D_MTPERQ, &logdmuxinfo,
169     ddi_quiesce_not_needed);
170 
171 static struct modldrv modldrv = {
172 	&mod_driverops,
173 	"logindmux driver",
174 	&logdmux_ops
175 };
176 
177 static struct modlinkage modlinkage = {
178 	MODREV_1, &modldrv, NULL
179 };
180 
181 int
182 _init(void)
183 {
184 	int	ret;
185 
186 	mutex_init(&logdmux_peerq_lock, NULL, MUTEX_DRIVER, NULL);
187 	mutex_init(&logdmux_qexch_lock, NULL, MUTEX_DRIVER, NULL);
188 
189 	if ((ret = mod_install(&modlinkage)) != 0) {
190 		mutex_destroy(&logdmux_peerq_lock);
191 		mutex_destroy(&logdmux_qexch_lock);
192 		return (ret);
193 	}
194 
195 	logdmux_minor_arena = vmem_create("logdmux_minor", (void *)1,
196 	    logdmux_maxminor, 1, NULL, NULL, NULL, 0,
197 	    VM_SLEEP | VMC_IDENTIFIER);
198 	(void) ddi_soft_state_init(&logdmux_statep, sizeof (struct tmx), 1);
199 
200 	return (0);
201 }
202 
203 int
204 _fini(void)
205 {
206 	int	ret;
207 
208 	if ((ret = mod_remove(&modlinkage)) == 0) {
209 		mutex_destroy(&logdmux_peerq_lock);
210 		mutex_destroy(&logdmux_qexch_lock);
211 		ddi_soft_state_fini(&logdmux_statep);
212 		vmem_destroy(logdmux_minor_arena);
213 		logdmux_minor_arena = NULL;
214 	}
215 
216 	return (ret);
217 }
218 
219 int
220 _info(struct modinfo *modinfop)
221 {
222 	return (mod_info(&modlinkage, modinfop));
223 }
224 
225 static int
226 logdmux_attach(dev_info_t *devi, ddi_attach_cmd_t cmd)
227 {
228 	if (cmd != DDI_ATTACH)
229 		return (DDI_FAILURE);
230 
231 	if (ddi_create_minor_node(devi, "logindmux", S_IFCHR, 0, DDI_PSEUDO,
232 	    CLONE_DEV) == DDI_FAILURE)
233 		return (DDI_FAILURE);
234 
235 	logdmux_dip = devi;
236 	return (DDI_SUCCESS);
237 }
238 
239 static int
240 logdmux_detach(dev_info_t *devi, ddi_detach_cmd_t cmd)
241 {
242 	if (cmd != DDI_DETACH)
243 		return (DDI_FAILURE);
244 
245 	ddi_remove_minor_node(devi, NULL);
246 	return (DDI_SUCCESS);
247 }
248 
249 /* ARGSUSED */
250 static int
251 logdmux_info(dev_info_t *dip, ddi_info_cmd_t infocmd, void *arg, void **result)
252 {
253 	int error;
254 
255 	switch (infocmd) {
256 	case DDI_INFO_DEVT2DEVINFO:
257 		if (logdmux_dip == NULL) {
258 			error = DDI_FAILURE;
259 		} else {
260 			*result = logdmux_dip;
261 			error = DDI_SUCCESS;
262 		}
263 		break;
264 	case DDI_INFO_DEVT2INSTANCE:
265 		*result = (void *)0;
266 		error = DDI_SUCCESS;
267 		break;
268 	default:
269 		error = DDI_FAILURE;
270 	}
271 	return (error);
272 }
273 
274 /*
275  * Logindmux open routine
276  */
277 /*ARGSUSED*/
278 static int
279 logdmuxopen(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *crp)
280 {
281 	struct	tmx *tmxp;
282 	minor_t	minor, omaxminor;
283 
284 	if (sflag != CLONEOPEN)
285 		return (EINVAL);
286 
287 	mutex_enter(&logdmux_minor_lock);
288 	if (vmem_size(logdmux_minor_arena, VMEM_FREE) == 0) {
289 		/*
290 		 * The arena has been exhausted; grow by powers of two
291 		 * up to MAXMIN; bail if we've run out of minors.
292 		 */
293 		if (logdmux_maxminor == MAXMIN) {
294 			mutex_exit(&logdmux_minor_lock);
295 			return (ENOMEM);
296 		}
297 
298 		omaxminor = logdmux_maxminor;
299 		logdmux_maxminor = MIN(logdmux_maxminor << 1, MAXMIN);
300 
301 		(void) vmem_add(logdmux_minor_arena,
302 		    (void *)(uintptr_t)(omaxminor + 1),
303 		    logdmux_maxminor - omaxminor, VM_SLEEP);
304 	}
305 	minor = (minor_t)(uintptr_t)
306 	    vmem_alloc(logdmux_minor_arena, 1, VM_SLEEP);
307 	mutex_exit(&logdmux_minor_lock);
308 
309 	if (ddi_soft_state_zalloc(logdmux_statep, minor) == DDI_FAILURE) {
310 		vmem_free(logdmux_minor_arena, (void *)(uintptr_t)minor, 1);
311 		return (ENOMEM);
312 	}
313 
314 	tmxp = ddi_get_soft_state(logdmux_statep, minor);
315 	tmxp->rdq = q;
316 	tmxp->muxq = NULL;
317 	tmxp->peerq = NULL;
318 	tmxp->unlinkinfop = NULL;
319 	tmxp->dev0 = minor;
320 
321 	*devp = makedevice(getmajor(*devp), tmxp->dev0);
322 	q->q_ptr = tmxp;
323 	WR(q)->q_ptr = tmxp;
324 
325 	qprocson(q);
326 	return (0);
327 }
328 
329 /*
330  * Logindmux close routine gets called when telnet connection is closed
331  */
332 /*ARGSUSED*/
333 static int
334 logdmuxclose(queue_t *q, int flag, cred_t *crp)
335 {
336 	struct tmx	*tmxp = q->q_ptr;
337 	minor_t		minor = tmxp->dev0;
338 
339 	ASSERT(tmxp->muxq == NULL);
340 	ASSERT(tmxp->peerq == NULL);
341 
342 	qprocsoff(q);
343 	if (tmxp->wbufcid != 0) {
344 		qunbufcall(q, tmxp->wbufcid);
345 		tmxp->wbufcid = 0;
346 	}
347 	if (tmxp->rbufcid != 0) {
348 		qunbufcall(q, tmxp->rbufcid);
349 		tmxp->rbufcid = 0;
350 	}
351 	if (tmxp->rtimoutid != 0) {
352 		(void) quntimeout(q, tmxp->rtimoutid);
353 		tmxp->rtimoutid = 0;
354 	}
355 	if (tmxp->wtimoutid != 0) {
356 		(void) quntimeout(q, tmxp->wtimoutid);
357 		tmxp->wtimoutid = 0;
358 	}
359 	if (tmxp->utimoutid != 0) {
360 		(void) quntimeout(q, tmxp->utimoutid);
361 		tmxp->utimoutid = 0;
362 	}
363 
364 	/*
365 	 * Hold logdmux_qexch_lock to prevent another thread that might be
366 	 * in LOGDMX_IOC_QEXCHANGE from looking up our state while we're
367 	 * disposing of it.
368 	 */
369 	mutex_enter(&logdmux_qexch_lock);
370 	ddi_soft_state_free(logdmux_statep, minor);
371 	vmem_free(logdmux_minor_arena, (void *)(uintptr_t)minor, 1);
372 	mutex_exit(&logdmux_qexch_lock);
373 
374 	q->q_ptr = NULL;
375 	WR(q)->q_ptr = NULL;
376 
377 	return (0);
378 }
379 
380 /*
381  * Upper read service routine
382  */
383 static int
384 logdmuxursrv(queue_t *q)
385 {
386 	struct tmx *tmxp = q->q_ptr;
387 
388 	if (tmxp->muxq != NULL)
389 		qenable(RD(tmxp->muxq));
390 	return (0);
391 }
392 
393 /*
394  * This routine gets called when telnet daemon sends data or ioctl messages
395  * to upper mux queue.
396  */
397 static int
398 logdmuxuwput(queue_t *q, mblk_t *mp)
399 {
400 	queue_t		*qp;
401 	mblk_t		*newmp;
402 	struct iocblk	*ioc;
403 	minor_t		minor;
404 	STRUCT_HANDLE(protocol_arg, protoh);
405 	struct tmx	*tmxp, *tmxpeerp;
406 	int		error;
407 
408 	tmxp = q->q_ptr;
409 
410 	switch (mp->b_datap->db_type) {
411 
412 	case M_IOCTL:
413 		ASSERT(MBLKL(mp) == sizeof (struct iocblk));
414 
415 		ioc = (struct iocblk *)mp->b_rptr;
416 		switch (ioc->ioc_cmd) {
417 		/*
418 		 * This is a special ioctl which exchanges q info
419 		 * of the two peers, connected to netf and ptmx.
420 		 */
421 		case LOGDMX_IOC_QEXCHANGE:
422 			error = miocpullup(mp,
423 			    SIZEOF_STRUCT(protocol_arg, ioc->ioc_flag));
424 			if (error != 0) {
425 				miocnak(q, mp, 0, error);
426 				break;
427 			}
428 			STRUCT_SET_HANDLE(protoh, ioc->ioc_flag,
429 			    (struct protocol_arg *)mp->b_cont->b_rptr);
430 #ifdef _SYSCALL32_IMPL
431 			if ((ioc->ioc_flag & DATAMODEL_MASK) ==
432 			    DATAMODEL_ILP32) {
433 				minor = getminor(expldev(
434 				    STRUCT_FGET(protoh, dev)));
435 			} else
436 #endif
437 			{
438 				minor = getminor(STRUCT_FGET(protoh, dev));
439 			}
440 
441 			/*
442 			 * The second argument to ddi_get_soft_state() is
443 			 * interpreted as an `int', so prohibit negative
444 			 * values.
445 			 */
446 			if ((int)minor < 0) {
447 				miocnak(q, mp, 0, EINVAL);
448 				break;
449 			}
450 
451 			/*
452 			 * We must hold logdmux_qexch_lock while looking up
453 			 * the proposed peer to prevent another thread from
454 			 * simultaneously I_UNLINKing or closing it.
455 			 */
456 			mutex_enter(&logdmux_qexch_lock);
457 
458 			/*
459 			 * For LOGDMX_IOC_QEXCHANGE to succeed, our peer must
460 			 * exist (and not be us), and both we and our peer
461 			 * must be I_LINKed (i.e., muxq must not be NULL) and
462 			 * not already have a peer.
463 			 */
464 			tmxpeerp = ddi_get_soft_state(logdmux_statep, minor);
465 			if (tmxpeerp == NULL || tmxpeerp == tmxp ||
466 			    tmxpeerp->muxq == NULL || tmxpeerp->peerq != NULL ||
467 			    tmxp->muxq == NULL || tmxp->peerq != NULL) {
468 				mutex_exit(&logdmux_qexch_lock);
469 				miocnak(q, mp, 0, EINVAL);
470 				break;
471 			}
472 
473 			/*
474 			 * If `flag' is set then exchange queues and assume
475 			 * tmxp refers to the ptmx stream.
476 			 */
477 			if (STRUCT_FGET(protoh, flag)) {
478 				/*
479 				 * Allocate and populate the structure we
480 				 * need when processing an I_UNLINK ioctl.
481 				 * Give both logindmux instances a pointer
482 				 * to it from their tmx structure.
483 				 */
484 				if ((error = logdmux_alloc_unlinkinfo(
485 				    tmxp, tmxpeerp)) != 0) {
486 					mutex_exit(&logdmux_qexch_lock);
487 					miocnak(q, mp, 0, error);
488 					break;
489 				}
490 				tmxp->peerq = tmxpeerp->muxq;
491 				tmxpeerp->peerq = tmxp->muxq;
492 				tmxp->isptm = B_TRUE;
493 			}
494 			mutex_exit(&logdmux_qexch_lock);
495 			miocack(q, mp, 0, 0);
496 			break;
497 
498 		case I_LINK:
499 			ASSERT(MBLKL(mp->b_cont) == sizeof (struct linkblk));
500 			logdmuxlink(q, mp);
501 			break;
502 
503 		case I_UNLINK:
504 			ASSERT(MBLKL(mp->b_cont) == sizeof (struct linkblk));
505 			logdmuxunlink(q, mp);
506 			break;
507 
508 		default:
509 			if (tmxp->muxq == NULL) {
510 				miocnak(q, mp, 0, EINVAL);
511 				return (0);
512 			}
513 			putnext(tmxp->muxq, mp);
514 			break;
515 		}
516 
517 		break;
518 
519 	case M_DATA:
520 		if (!tmxp->isptm) {
521 			if ((newmp = allocb(sizeof (char), BPRI_MED)) == NULL) {
522 				recover(q, mp, sizeof (char));
523 				return (0);
524 			}
525 			newmp->b_datap->db_type = M_CTL;
526 			*newmp->b_wptr++ = M_CTL_MAGIC_NUMBER;
527 			newmp->b_cont = mp;
528 			mp = newmp;
529 		}
530 		/* FALLTHRU */
531 
532 	case M_PROTO:
533 	case M_PCPROTO:
534 		qp = tmxp->muxq;
535 		if (qp == NULL) {
536 			merror(q, mp, EINVAL);
537 			return (0);
538 		}
539 
540 		if (queclass(mp) < QPCTL) {
541 			if (q->q_first != NULL || !canputnext(qp)) {
542 				(void) putq(q, mp);
543 				return (0);
544 			}
545 		}
546 		putnext(qp, mp);
547 		break;
548 
549 	case M_FLUSH:
550 		if (*mp->b_rptr & FLUSHW)
551 			flushq(q, FLUSHALL);
552 
553 		if (tmxp->muxq != NULL) {
554 			putnext(tmxp->muxq, mp);
555 			return (0);
556 		}
557 
558 		*mp->b_rptr &= ~FLUSHW;
559 		if (*mp->b_rptr & FLUSHR)
560 			qreply(q, mp);
561 		else
562 			freemsg(mp);
563 		break;
564 
565 	default:
566 		cmn_err(CE_NOTE, "logdmuxuwput: received unexpected message"
567 		    " of type 0x%x", mp->b_datap->db_type);
568 		freemsg(mp);
569 	}
570 	return (0);
571 }
572 
573 /*
574  * Upper write service routine
575  */
576 static int
577 logdmuxuwsrv(queue_t *q)
578 {
579 	mblk_t		*mp, *newmp;
580 	queue_t		*qp;
581 	struct tmx	*tmxp = q->q_ptr;
582 
583 	while ((mp = getq(q)) != NULL) {
584 		switch (mp->b_datap->db_type) {
585 		case M_DATA:
586 			if (!tmxp->isptm) {
587 				if ((newmp = allocb(sizeof (char), BPRI_MED)) ==
588 				    NULL) {
589 					recover(q, mp, sizeof (char));
590 					return (0);
591 				}
592 				newmp->b_datap->db_type = M_CTL;
593 				*newmp->b_wptr++ = M_CTL_MAGIC_NUMBER;
594 				newmp->b_cont = mp;
595 				mp = newmp;
596 			}
597 			/* FALLTHRU */
598 
599 		case M_CTL:
600 		case M_PROTO:
601 			if (tmxp->muxq == NULL) {
602 				merror(q, mp, EIO);
603 				break;
604 			}
605 			qp = tmxp->muxq;
606 			if (!canputnext(qp)) {
607 				(void) putbq(q, mp);
608 				return (0);
609 			}
610 			putnext(qp, mp);
611 			break;
612 
613 
614 		default:
615 			cmn_err(CE_NOTE, "logdmuxuwsrv: received unexpected"
616 			    " message of type 0x%x", mp->b_datap->db_type);
617 			freemsg(mp);
618 		}
619 	}
620 	return (0);
621 }
622 
623 /*
624  * Logindmux lower put routine detects from which of the two lower queues
625  * the data needs to be read from and writes it out to its peer queue.
626  * For protocol, it detects M_CTL and sends its data to the daemon. Also,
627  * for ioctl and other types of messages, it lets the daemon handle it.
628  */
629 static int
630 logdmuxlrput(queue_t *q, mblk_t *mp)
631 {
632 	mblk_t		*savemp;
633 	queue_t 	*qp;
634 	struct iocblk	*ioc;
635 	struct tmx	*tmxp = q->q_ptr;
636 	uchar_t		flush;
637 	uint_t		*messagep;
638 	unlinkinfo_t	*unlinkinfop = tmxp->unlinkinfop;
639 
640 	if (tmxp->muxq == NULL || tmxp->peerq == NULL) {
641 		freemsg(mp);
642 		return (0);
643 	}
644 
645 	/*
646 	 * If there's already a message on our queue and the incoming
647 	 * message is not of a high-priority, enqueue the message --
648 	 * but not if it's a logindmux protocol message.
649 	 */
650 	if ((q->q_first != NULL) && (queclass(mp) < QPCTL) &&
651 	    (!LOGDMUX_PROTO_MBLK(mp))) {
652 		(void) putq(q, mp);
653 		return (0);
654 	}
655 
656 	switch (mp->b_datap->db_type) {
657 
658 	case M_IOCTL:
659 		ioc = (struct iocblk *)mp->b_rptr;
660 		switch (ioc->ioc_cmd) {
661 
662 		case TIOCSWINSZ:
663 		case TCSETAF:
664 		case TCSETSF:
665 		case TCSETA:
666 		case TCSETAW:
667 		case TCSETS:
668 		case TCSETSW:
669 		case TCSBRK:
670 		case TIOCSTI:
671 			qp = tmxp->peerq;
672 			break;
673 
674 		default:
675 			cmn_err(CE_NOTE, "logdmuxlrput: received unexpected"
676 			    " request for ioctl 0x%x", ioc->ioc_cmd);
677 
678 			/* NAK unrecognized ioctl's. */
679 			miocnak(q, mp, 0, 0);
680 			return (0);
681 		}
682 		break;
683 
684 	case M_DATA:
685 	case M_HANGUP:
686 		qp = tmxp->peerq;
687 		break;
688 
689 	case M_CTL:
690 		/*
691 		 * The protocol messages that flow between the peers
692 		 * to implement the unlink functionality are M_CTLs
693 		 * which have the M_IOCTL/I_UNLINK mblk of the ioctl
694 		 * attached via b_cont.  LOGDMUX_PROTO_MBLK() uses
695 		 * this to determine whether a particular M_CTL is a
696 		 * peer protocol message.
697 		 */
698 		if (LOGDMUX_PROTO_MBLK(mp)) {
699 			messagep = (uint_t *)mp->b_rptr;
700 
701 			switch (*messagep) {
702 
703 			case LOGDMUX_UNLINK_REQ:
704 				/*
705 				 * We've received a message from our
706 				 * peer indicating that it wants to
707 				 * unlink.
708 				 */
709 				*messagep = LOGDMUX_UNLINK_RESP;
710 				qp = tmxp->peerq;
711 
712 				mutex_enter(&logdmux_peerq_lock);
713 				tmxp->peerq = NULL;
714 				mutex_exit(&logdmux_peerq_lock);
715 
716 				put(RD(qp), mp);
717 				return (0);
718 
719 			case LOGDMUX_UNLINK_RESP:
720 				/*
721 				 * We've received a positive response
722 				 * from our peer to an earlier
723 				 * LOGDMUX_UNLINK_REQ that we sent.
724 				 * We can now carry on with the unlink.
725 				 */
726 				qp = tmxp->rdq;
727 				mutex_enter(&unlinkinfop->state_lock);
728 				ASSERT(unlinkinfop->state ==
729 				    LOGDMUX_UNLINK_PENDING);
730 				unlinkinfop->state = LOGDMUX_UNLINKED;
731 				mutex_exit(&unlinkinfop->state_lock);
732 				logdmux_finish_unlink(WR(qp), mp->b_cont);
733 				return (0);
734 			}
735 		}
736 
737 		qp = tmxp->rdq;
738 		if (q->q_first != NULL || !canputnext(qp)) {
739 			(void) putq(q, mp);
740 			return (0);
741 		}
742 		if ((MBLKL(mp) == 1) && (*mp->b_rptr == M_CTL_MAGIC_NUMBER)) {
743 			savemp = mp->b_cont;
744 			freeb(mp);
745 			mp = savemp;
746 		}
747 		putnext(qp, mp);
748 		return (0);
749 
750 	case M_IOCACK:
751 	case M_IOCNAK:
752 	case M_PROTO:
753 	case M_PCPROTO:
754 	case M_PCSIG:
755 	case M_SETOPTS:
756 		qp = tmxp->rdq;
757 		break;
758 
759 	case M_ERROR:
760 		if (tmxp->isptm) {
761 			/*
762 			 * This error is from ptm.  We could tell TCP to
763 			 * shutdown the connection, but it's easier to just
764 			 * wait for the daemon to get SIGCHLD and close from
765 			 * above.
766 			 */
767 			freemsg(mp);
768 			return (0);
769 		}
770 		/*
771 		 * This is from TCP.  Don't really know why we'd
772 		 * get this, but we have a pretty good idea what
773 		 * to do:  Send M_HANGUP to the pty.
774 		 */
775 		mp->b_datap->db_type = M_HANGUP;
776 		mp->b_wptr = mp->b_rptr;
777 		qp = tmxp->peerq;
778 		break;
779 
780 	case M_FLUSH:
781 		if (*mp->b_rptr & FLUSHR)
782 			flushq_dataonly(q);
783 
784 		if (mp->b_flag & MSGMARK) {
785 			/*
786 			 * This M_FLUSH has been marked by the module
787 			 * below as intended for the upper queue,
788 			 * not the peer queue.
789 			 */
790 			qp = tmxp->rdq;
791 			mp->b_flag &= ~MSGMARK;
792 		} else {
793 			/*
794 			 * Wrap this M_FLUSH through the mux.
795 			 * The FLUSHR and FLUSHW bits must be
796 			 * reversed.
797 			 */
798 			qp = tmxp->peerq;
799 			flush = *mp->b_rptr;
800 			*mp->b_rptr &= ~(FLUSHR | FLUSHW);
801 			if (flush & FLUSHW)
802 				*mp->b_rptr |= FLUSHR;
803 			if (flush & FLUSHR)
804 				*mp->b_rptr |= FLUSHW;
805 		}
806 		break;
807 
808 	case M_START:
809 	case M_STOP:
810 	case M_STARTI:
811 	case M_STOPI:
812 		freemsg(mp);
813 		return (0);
814 
815 	default:
816 		cmn_err(CE_NOTE, "logdmuxlrput: received unexpected "
817 		    "message of type 0x%x", mp->b_datap->db_type);
818 		freemsg(mp);
819 		return (0);
820 	}
821 	if (queclass(mp) < QPCTL) {
822 		if (q->q_first != NULL || !canputnext(qp)) {
823 			(void) putq(q, mp);
824 			return (0);
825 		}
826 	}
827 	putnext(qp, mp);
828 	return (0);
829 }
830 
831 /*
832  * Lower read service routine
833  */
834 static int
835 logdmuxlrsrv(queue_t *q)
836 {
837 	mblk_t		*mp, *savemp;
838 	queue_t 	*qp;
839 	struct iocblk	*ioc;
840 	struct tmx	*tmxp = q->q_ptr;
841 
842 	while ((mp = getq(q)) != NULL) {
843 		if (tmxp->muxq == NULL || tmxp->peerq == NULL) {
844 			freemsg(mp);
845 			continue;
846 		}
847 
848 		switch (mp->b_datap->db_type) {
849 
850 		case M_IOCTL:
851 			ioc = (struct iocblk *)mp->b_rptr;
852 
853 			switch (ioc->ioc_cmd) {
854 
855 			case TIOCSWINSZ:
856 			case TCSETAF:
857 			case TCSETSF:
858 			case TCSETA:
859 			case TCSETAW:
860 			case TCSETS:
861 			case TCSETSW:
862 			case TCSBRK:
863 			case TIOCSTI:
864 				qp = tmxp->peerq;
865 				break;
866 
867 			default:
868 				cmn_err(CE_NOTE, "logdmuxlrsrv: received "
869 				    "unexpected request for ioctl 0x%x",
870 				    ioc->ioc_cmd);
871 
872 				/* NAK unrecognized ioctl's. */
873 				miocnak(q, mp, 0, 0);
874 				continue;
875 			}
876 			break;
877 
878 		case M_DATA:
879 		case M_HANGUP:
880 			qp = tmxp->peerq;
881 			break;
882 
883 		case M_CTL:
884 			qp = tmxp->rdq;
885 			if (!canputnext(qp)) {
886 				(void) putbq(q, mp);
887 				return (0);
888 			}
889 			if (MBLKL(mp) == 1 &&
890 			    (*mp->b_rptr == M_CTL_MAGIC_NUMBER)) {
891 				savemp = mp->b_cont;
892 				freeb(mp);
893 				mp = savemp;
894 			}
895 			putnext(qp, mp);
896 			continue;
897 
898 		case M_PROTO:
899 		case M_SETOPTS:
900 			qp = tmxp->rdq;
901 			break;
902 
903 		default:
904 			cmn_err(CE_NOTE, "logdmuxlrsrv: received unexpected "
905 			    "message of type 0x%x", mp->b_datap->db_type);
906 			freemsg(mp);
907 			continue;
908 		}
909 		ASSERT(queclass(mp) < QPCTL);
910 		if (!canputnext(qp)) {
911 			(void) putbq(q, mp);
912 			return (0);
913 		}
914 		putnext(qp, mp);
915 	}
916 	return (0);
917 }
918 
919 /*
920  * Lower side write service procedure.  No messages are ever placed on
921  * the write queue here, this just back-enables all of the upper side
922  * write service procedures.
923  */
924 static int
925 logdmuxlwsrv(queue_t *q)
926 {
927 	struct tmx *tmxp = q->q_ptr;
928 
929 	/*
930 	 * Qenable upper write queue and find out which lower
931 	 * queue needs to be restarted with flow control.
932 	 * Qenable the peer queue so canputnext will
933 	 * succeed on next call to logdmuxlrput.
934 	 */
935 	qenable(WR(tmxp->rdq));
936 
937 	mutex_enter(&logdmux_peerq_lock);
938 	if (tmxp->peerq != NULL)
939 		qenable(RD(tmxp->peerq));
940 	mutex_exit(&logdmux_peerq_lock);
941 
942 	return (0);
943 }
944 
945 /*
946  * This routine does I_LINK operation.
947  */
948 static void
949 logdmuxlink(queue_t *q, mblk_t *mp)
950 {
951 	struct tmx	*tmxp = q->q_ptr;
952 	struct linkblk	*lp = (struct linkblk *)mp->b_cont->b_rptr;
953 
954 	/*
955 	 * Fail if we're already linked.
956 	 */
957 	if (tmxp->muxq != NULL) {
958 		miocnak(q, mp, 0, EINVAL);
959 		return;
960 	}
961 
962 	tmxp->muxq = lp->l_qbot;
963 	tmxp->muxq->q_ptr = tmxp;
964 	RD(tmxp->muxq)->q_ptr = tmxp;
965 
966 	miocack(q, mp, 0, 0);
967 }
968 
969 /*
970  * logdmuxunlink() is called from logdmuxuwput() and is the first of two
971  * functions which process an I_UNLINK ioctl. logdmuxunlink() will determine
972  * the state of logindmux peer linkage and, based on this, control when the
973  * second function, logdmux_finish_unlink(), is called.  It's
974  * logdmux_finish_unlink() that's sending the M_IOCACK upstream and
975  * resetting the link state.
976  */
977 static void
978 logdmuxunlink(queue_t *q, mblk_t *mp)
979 {
980 	struct tmx	*tmxp = q->q_ptr;
981 	unlinkinfo_t	*unlinkinfop;
982 
983 	/*
984 	 * If we don't have a peer, just unlink.  Note that this check needs
985 	 * to be done under logdmux_qexch_lock to prevent racing with
986 	 * LOGDMX_IOC_QEXCHANGE, and we *must* set muxq to NULL prior to
987 	 * releasing the lock so that LOGDMX_IOC_QEXCHANGE will not consider
988 	 * us as a possible peer anymore (if it already considers us to be a
989 	 * peer, then unlinkinfop will not be NULL) -- NULLing muxq precludes
990 	 * use of logdmux_finish_unlink() here.
991 	 */
992 	mutex_enter(&logdmux_qexch_lock);
993 	unlinkinfop = tmxp->unlinkinfop;
994 	if (unlinkinfop == NULL) {
995 		ASSERT(tmxp->peerq == NULL);
996 		tmxp->muxq = NULL;
997 		mutex_exit(&logdmux_qexch_lock);
998 		miocack(q, mp, 0, 0);
999 		return;
1000 	}
1001 	mutex_exit(&logdmux_qexch_lock);
1002 
1003 	mutex_enter(&unlinkinfop->state_lock);
1004 
1005 	switch (unlinkinfop->state) {
1006 
1007 	case LOGDMUX_LINKED:
1008 		/*
1009 		 * We're the first instance to process an I_UNLINK --
1010 		 * ie, the peer instance is still there. We'll change
1011 		 * the state so that only one instance is executing an
1012 		 * I_UNLINK at any one time.
1013 		 */
1014 		unlinkinfop->state = LOGDMUX_UNLINK_PENDING;
1015 		mutex_exit(&unlinkinfop->state_lock);
1016 		/*
1017 		 * Attach the original M_IOCTL message to a
1018 		 * LOGDMUX_UNLINK_REQ message and send it to our peer to
1019 		 * tell it to unlink from us. When it has completed the
1020 		 * task, it will send us a LOGDMUX_UNLINK_RESP message
1021 		 * with the original M_IOCTL still attached, which will be
1022 		 * processed in our logdmuxlrput(). At that point, we will
1023 		 * call logdmux_finish_unlink() to complete the unlink
1024 		 * operation using the attached M_IOCTL.
1025 		 */
1026 		unlinkinfop->prot_mp->b_cont = mp;
1027 		/*
1028 		 * Put the M_CTL directly to the peer's lower RQ.
1029 		 */
1030 		put(RD(tmxp->peerq), unlinkinfop->prot_mp);
1031 		break;
1032 
1033 	case LOGDMUX_UNLINK_PENDING:
1034 		mutex_exit(&unlinkinfop->state_lock);
1035 		/*
1036 		 * Our peer is actively processing an I_UNLINK itself.
1037 		 * We have to wait for the peer to complete and we use
1038 		 * qtimeout as a way to poll for its completion.
1039 		 * We save a reference to our mblk so that we can send
1040 		 * it upstream once our peer is done.
1041 		 */
1042 		tmxp->unlink_mp = mp;
1043 		tmxp->utimoutid = qtimeout(q, logdmux_unlink_timer, q,
1044 		    drv_usectohz(LOGDMUX_POLL_WAIT));
1045 		break;
1046 
1047 	case LOGDMUX_UNLINKED:
1048 		/*
1049 		 * Our peer is no longer linked so we can proceed.
1050 		 */
1051 		mutex_exit(&unlinkinfop->state_lock);
1052 		mutex_destroy(&unlinkinfop->state_lock);
1053 		freeb(unlinkinfop->prot_mp);
1054 		kmem_free(unlinkinfop, sizeof (unlinkinfo_t));
1055 		logdmux_finish_unlink(q, mp);
1056 		break;
1057 
1058 	default:
1059 		mutex_exit(&unlinkinfop->state_lock);
1060 		cmn_err(CE_PANIC,
1061 		    "logdmuxunlink: peer linkage is in an unrecognized state");
1062 		break;
1063 	}
1064 }
1065 
1066 /*
1067  * Finish the unlink operation.  Note that no locks should be held since
1068  * this routine calls into other queues.
1069  */
1070 static void
1071 logdmux_finish_unlink(queue_t *q, mblk_t *unlink_mp)
1072 {
1073 	struct tmx *tmxp = q->q_ptr;
1074 	mblk_t *mp;
1075 
1076 	/*
1077 	 * Flush any write side data downstream.
1078 	 */
1079 	while ((mp = getq(WR(q))) != NULL)
1080 		putnext(tmxp->muxq, mp);
1081 
1082 	/*
1083 	 * Note that we do not NULL out q_ptr since another thread (e.g., a
1084 	 * STREAMS service thread) might call logdmuxlrput() between the time
1085 	 * we exit the logindmux perimeter and the time the STREAMS framework
1086 	 * resets q_ptr to stdata (since muxq is set to NULL, any messages
1087 	 * will just be discarded).
1088 	 */
1089 	tmxp->muxq = NULL;
1090 	tmxp->unlinkinfop = NULL;
1091 	tmxp->peerq = NULL;
1092 	miocack(q, unlink_mp, 0, 0);
1093 }
1094 
1095 /*
1096  * logdmux_unlink_timer() is executed by qtimeout(). This function will
1097  * check unlinkinfop->state to determine whether the peer has completed
1098  * its I_UNLINK. If it hasn't, we use qtimeout() to initiate another poll.
1099  */
1100 static void
1101 logdmux_unlink_timer(void *arg)
1102 {
1103 	queue_t		*q = arg;
1104 	struct	tmx	*tmxp = q->q_ptr;
1105 	unlinkinfo_t	*unlinkinfop = tmxp->unlinkinfop;
1106 
1107 	tmxp->utimoutid = 0;
1108 
1109 	mutex_enter(&unlinkinfop->state_lock);
1110 
1111 	if (unlinkinfop->state != LOGDMUX_UNLINKED) {
1112 		ASSERT(unlinkinfop->state == LOGDMUX_UNLINK_PENDING);
1113 		mutex_exit(&unlinkinfop->state_lock);
1114 		/*
1115 		 * We need to wait longer for our peer to complete.
1116 		 */
1117 		tmxp->utimoutid = qtimeout(q, logdmux_unlink_timer, q,
1118 		    drv_usectohz(LOGDMUX_POLL_WAIT));
1119 	} else {
1120 		/*
1121 		 * Our peer is no longer linked so we can proceed with
1122 		 * the cleanup.
1123 		 */
1124 		mutex_exit(&unlinkinfop->state_lock);
1125 		mutex_destroy(&unlinkinfop->state_lock);
1126 		freeb(unlinkinfop->prot_mp);
1127 		kmem_free(unlinkinfop, sizeof (unlinkinfo_t));
1128 		logdmux_finish_unlink(q, tmxp->unlink_mp);
1129 	}
1130 }
1131 
1132 static void
1133 logdmux_timer(void *arg)
1134 {
1135 	queue_t		*q = arg;
1136 	struct tmx	*tmxp = q->q_ptr;
1137 
1138 	ASSERT(tmxp != NULL);
1139 
1140 	if (q->q_flag & QREADR) {
1141 		ASSERT(tmxp->rtimoutid != 0);
1142 		tmxp->rtimoutid = 0;
1143 	} else {
1144 		ASSERT(tmxp->wtimoutid != 0);
1145 		tmxp->wtimoutid = 0;
1146 	}
1147 	enableok(q);
1148 	qenable(q);
1149 }
1150 
1151 static void
1152 logdmux_buffer(void *arg)
1153 {
1154 	queue_t		*q = arg;
1155 	struct tmx	*tmxp = q->q_ptr;
1156 
1157 	ASSERT(tmxp != NULL);
1158 
1159 	if (q->q_flag & QREADR) {
1160 		ASSERT(tmxp->rbufcid != 0);
1161 		tmxp->rbufcid = 0;
1162 	} else {
1163 		ASSERT(tmxp->wbufcid != 0);
1164 		tmxp->wbufcid = 0;
1165 	}
1166 	enableok(q);
1167 	qenable(q);
1168 }
1169 
1170 static void
1171 recover(queue_t *q, mblk_t *mp, size_t size)
1172 {
1173 	timeout_id_t	tid;
1174 	bufcall_id_t	bid;
1175 	struct	tmx	*tmxp = q->q_ptr;
1176 
1177 	/*
1178 	 * Avoid re-enabling the queue.
1179 	 */
1180 	ASSERT(queclass(mp) < QPCTL);
1181 	ASSERT(WR(q)->q_next == NULL); /* Called from upper queue only */
1182 	noenable(q);
1183 	(void) putbq(q, mp);
1184 
1185 	/*
1186 	 * Make sure there is at most one outstanding request per queue.
1187 	 */
1188 	if (q->q_flag & QREADR) {
1189 		if (tmxp->rtimoutid != 0 || tmxp->rbufcid != 0)
1190 			return;
1191 	} else {
1192 		if (tmxp->wtimoutid != 0 || tmxp->wbufcid != 0)
1193 			return;
1194 	}
1195 	if (!(bid = qbufcall(RD(q), size, BPRI_MED, logdmux_buffer, q))) {
1196 		tid = qtimeout(RD(q), logdmux_timer, q, drv_usectohz(SIMWAIT));
1197 		if (q->q_flag & QREADR)
1198 			tmxp->rtimoutid = tid;
1199 		else
1200 			tmxp->wtimoutid = tid;
1201 	} else	{
1202 		if (q->q_flag & QREADR)
1203 			tmxp->rbufcid = bid;
1204 		else
1205 			tmxp->wbufcid = bid;
1206 	}
1207 }
1208 
1209 static void
1210 flushq_dataonly(queue_t *q)
1211 {
1212 	mblk_t *mp, *nmp;
1213 
1214 	/*
1215 	 * Since we are already in the perimeter, and we are not a put-shared
1216 	 * perimeter, we don't need to freeze the stream or anything to
1217 	 * be ensured of exclusivity.
1218 	 */
1219 	mp = q->q_first;
1220 	while (mp != NULL) {
1221 		if (mp->b_datap->db_type == M_DATA) {
1222 			nmp = mp->b_next;
1223 			rmvq(q, mp);
1224 			freemsg(mp);
1225 			mp = nmp;
1226 		} else {
1227 			mp = mp->b_next;
1228 		}
1229 	}
1230 }
1231 
1232 /*
1233  * logdmux_alloc_unlinkinfo() is called from logdmuxuwput() during the
1234  * processing of a LOGDMX_IOC_QEXCHANGE ioctl() to allocate the
1235  * unlinkinfo_t which is needed during the processing of an I_UNLINK.
1236  */
1237 static int
1238 logdmux_alloc_unlinkinfo(struct tmx *t0, struct tmx *t1)
1239 {
1240 	unlinkinfo_t	*p;
1241 	uint_t		*messagep;
1242 
1243 	if ((p = kmem_zalloc(sizeof (unlinkinfo_t), KM_NOSLEEP)) == NULL)
1244 		return (ENOSR);
1245 
1246 	if ((p->prot_mp = allocb(sizeof (uint_t), BPRI_MED)) == NULL) {
1247 		kmem_free(p, sizeof (unlinkinfo_t));
1248 		return (ENOSR);
1249 	}
1250 
1251 	DB_TYPE(p->prot_mp) = M_CTL;
1252 	messagep = (uint_t *)p->prot_mp->b_wptr;
1253 	*messagep = LOGDMUX_UNLINK_REQ;
1254 	p->prot_mp->b_wptr += sizeof (*messagep);
1255 	p->state = LOGDMUX_LINKED;
1256 	mutex_init(&p->state_lock, NULL, MUTEX_DRIVER, NULL);
1257 
1258 	t0->unlinkinfop = t1->unlinkinfop = p;
1259 
1260 	return (0);
1261 }
1262