xref: /titanic_51/usr/src/uts/common/inet/tcp/tcp_tpi.c (revision ee97b7343f7aa60136a15b8f0258b30fb0d252c0)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /* This files contains all TCP TLI/TPI related functions */
28 
29 #include <sys/types.h>
30 #include <sys/stream.h>
31 #include <sys/strsun.h>
32 #include <sys/strsubr.h>
33 #include <sys/stropts.h>
34 #include <sys/strlog.h>
35 #define	_SUN_TPI_VERSION 2
36 #include <sys/tihdr.h>
37 #include <sys/suntpi.h>
38 #include <sys/xti_inet.h>
39 #include <sys/squeue_impl.h>
40 #include <sys/squeue.h>
41 
42 #include <inet/common.h>
43 #include <inet/ip.h>
44 #include <inet/tcp.h>
45 #include <inet/tcp_impl.h>
46 #include <inet/proto_set.h>
47 
48 static void	tcp_accept_swap(tcp_t *, tcp_t *, tcp_t *);
49 static int	tcp_conprim_opt_process(tcp_t *, mblk_t *, int *, int *, int *);
50 static void	tcp_ulp_newconn(conn_t *, conn_t *, mblk_t *);
51 
52 void
53 tcp_use_pure_tpi(tcp_t *tcp)
54 {
55 	conn_t		*connp = tcp->tcp_connp;
56 
57 #ifdef	_ILP32
58 	tcp->tcp_acceptor_id = (t_uscalar_t)connp->conn_rq;
59 #else
60 	tcp->tcp_acceptor_id = connp->conn_dev;
61 #endif
62 	/*
63 	 * Insert this socket into the acceptor hash.
64 	 * We might need it for T_CONN_RES message
65 	 */
66 	tcp_acceptor_hash_insert(tcp->tcp_acceptor_id, tcp);
67 
68 	tcp->tcp_issocket = B_FALSE;
69 	TCP_STAT(tcp->tcp_tcps, tcp_sock_fallback);
70 }
71 
72 /* Shorthand to generate and send TPI error acks to our client */
73 void
74 tcp_err_ack(tcp_t *tcp, mblk_t *mp, int t_error, int sys_error)
75 {
76 	if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
77 		putnext(tcp->tcp_connp->conn_rq, mp);
78 }
79 
80 /* Shorthand to generate and send TPI error acks to our client */
81 void
82 tcp_err_ack_prim(tcp_t *tcp, mblk_t *mp, int primitive,
83     int t_error, int sys_error)
84 {
85 	struct T_error_ack	*teackp;
86 
87 	if ((mp = tpi_ack_alloc(mp, sizeof (struct T_error_ack),
88 	    M_PCPROTO, T_ERROR_ACK)) != NULL) {
89 		teackp = (struct T_error_ack *)mp->b_rptr;
90 		teackp->ERROR_prim = primitive;
91 		teackp->TLI_error = t_error;
92 		teackp->UNIX_error = sys_error;
93 		putnext(tcp->tcp_connp->conn_rq, mp);
94 	}
95 }
96 
97 /*
98  * TCP routine to get the values of options.
99  */
100 int
101 tcp_tpi_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
102 {
103 	return (tcp_opt_get(Q_TO_CONN(q), level, name, ptr));
104 }
105 
106 /* ARGSUSED */
107 int
108 tcp_tpi_opt_set(queue_t *q, uint_t optset_context, int level, int name,
109     uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
110     void *thisdg_attrs, cred_t *cr)
111 {
112 	conn_t	*connp =  Q_TO_CONN(q);
113 
114 	return (tcp_opt_set(connp, optset_context, level, name, inlen, invalp,
115 	    outlenp, outvalp, thisdg_attrs, cr));
116 }
117 
118 static int
119 tcp_conprim_opt_process(tcp_t *tcp, mblk_t *mp, int *do_disconnectp,
120     int *t_errorp, int *sys_errorp)
121 {
122 	int error;
123 	int is_absreq_failure;
124 	t_scalar_t *opt_lenp;
125 	t_scalar_t opt_offset;
126 	int prim_type;
127 	struct T_conn_req *tcreqp;
128 	struct T_conn_res *tcresp;
129 	cred_t *cr;
130 
131 	/*
132 	 * All Solaris components should pass a db_credp
133 	 * for this TPI message, hence we ASSERT.
134 	 * But in case there is some other M_PROTO that looks
135 	 * like a TPI message sent by some other kernel
136 	 * component, we check and return an error.
137 	 */
138 	cr = msg_getcred(mp, NULL);
139 	ASSERT(cr != NULL);
140 	if (cr == NULL)
141 		return (-1);
142 
143 	prim_type = ((union T_primitives *)mp->b_rptr)->type;
144 	ASSERT(prim_type == T_CONN_REQ || prim_type == O_T_CONN_RES ||
145 	    prim_type == T_CONN_RES);
146 
147 	switch (prim_type) {
148 	case T_CONN_REQ:
149 		tcreqp = (struct T_conn_req *)mp->b_rptr;
150 		opt_offset = tcreqp->OPT_offset;
151 		opt_lenp = (t_scalar_t *)&tcreqp->OPT_length;
152 		break;
153 	case O_T_CONN_RES:
154 	case T_CONN_RES:
155 		tcresp = (struct T_conn_res *)mp->b_rptr;
156 		opt_offset = tcresp->OPT_offset;
157 		opt_lenp = (t_scalar_t *)&tcresp->OPT_length;
158 		break;
159 	}
160 
161 	*t_errorp = 0;
162 	*sys_errorp = 0;
163 	*do_disconnectp = 0;
164 
165 	error = tpi_optcom_buf(tcp->tcp_connp->conn_wq, mp, opt_lenp,
166 	    opt_offset, cr, &tcp_opt_obj,
167 	    NULL, &is_absreq_failure);
168 
169 	switch (error) {
170 	case  0:		/* no error */
171 		ASSERT(is_absreq_failure == 0);
172 		return (0);
173 	case ENOPROTOOPT:
174 		*t_errorp = TBADOPT;
175 		break;
176 	case EACCES:
177 		*t_errorp = TACCES;
178 		break;
179 	default:
180 		*t_errorp = TSYSERR; *sys_errorp = error;
181 		break;
182 	}
183 	if (is_absreq_failure != 0) {
184 		/*
185 		 * The connection request should get the local ack
186 		 * T_OK_ACK and then a T_DISCON_IND.
187 		 */
188 		*do_disconnectp = 1;
189 	}
190 	return (-1);
191 }
192 
193 void
194 tcp_tpi_bind(tcp_t *tcp, mblk_t *mp)
195 {
196 	int	error;
197 	conn_t	*connp = tcp->tcp_connp;
198 	struct sockaddr	*sa;
199 	mblk_t  *mp1;
200 	struct T_bind_req *tbr;
201 	int	backlog;
202 	socklen_t	len;
203 	sin_t	*sin;
204 	sin6_t	*sin6;
205 	cred_t		*cr;
206 
207 	/*
208 	 * All Solaris components should pass a db_credp
209 	 * for this TPI message, hence we ASSERT.
210 	 * But in case there is some other M_PROTO that looks
211 	 * like a TPI message sent by some other kernel
212 	 * component, we check and return an error.
213 	 */
214 	cr = msg_getcred(mp, NULL);
215 	ASSERT(cr != NULL);
216 	if (cr == NULL) {
217 		tcp_err_ack(tcp, mp, TSYSERR, EINVAL);
218 		return;
219 	}
220 
221 	ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <= (uintptr_t)INT_MAX);
222 	if ((mp->b_wptr - mp->b_rptr) < sizeof (*tbr)) {
223 		if (connp->conn_debug) {
224 			(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
225 			    "tcp_tpi_bind: bad req, len %u",
226 			    (uint_t)(mp->b_wptr - mp->b_rptr));
227 		}
228 		tcp_err_ack(tcp, mp, TPROTO, 0);
229 		return;
230 	}
231 	/* Make sure the largest address fits */
232 	mp1 = reallocb(mp, sizeof (struct T_bind_ack) + sizeof (sin6_t), 1);
233 	if (mp1 == NULL) {
234 		tcp_err_ack(tcp, mp, TSYSERR, ENOMEM);
235 		return;
236 	}
237 	mp = mp1;
238 	tbr = (struct T_bind_req *)mp->b_rptr;
239 
240 	backlog = tbr->CONIND_number;
241 	len = tbr->ADDR_length;
242 
243 	switch (len) {
244 	case 0:		/* request for a generic port */
245 		tbr->ADDR_offset = sizeof (struct T_bind_req);
246 		if (connp->conn_family == AF_INET) {
247 			tbr->ADDR_length = sizeof (sin_t);
248 			sin = (sin_t *)&tbr[1];
249 			*sin = sin_null;
250 			sin->sin_family = AF_INET;
251 			sa = (struct sockaddr *)sin;
252 			len = sizeof (sin_t);
253 			mp->b_wptr = (uchar_t *)&sin[1];
254 		} else {
255 			ASSERT(connp->conn_family == AF_INET6);
256 			tbr->ADDR_length = sizeof (sin6_t);
257 			sin6 = (sin6_t *)&tbr[1];
258 			*sin6 = sin6_null;
259 			sin6->sin6_family = AF_INET6;
260 			sa = (struct sockaddr *)sin6;
261 			len = sizeof (sin6_t);
262 			mp->b_wptr = (uchar_t *)&sin6[1];
263 		}
264 		break;
265 
266 	case sizeof (sin_t):    /* Complete IPv4 address */
267 		sa = (struct sockaddr *)mi_offset_param(mp, tbr->ADDR_offset,
268 		    sizeof (sin_t));
269 		break;
270 
271 	case sizeof (sin6_t): /* Complete IPv6 address */
272 		sa = (struct sockaddr *)mi_offset_param(mp,
273 		    tbr->ADDR_offset, sizeof (sin6_t));
274 		break;
275 
276 	default:
277 		if (connp->conn_debug) {
278 			(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
279 			    "tcp_tpi_bind: bad address length, %d",
280 			    tbr->ADDR_length);
281 		}
282 		tcp_err_ack(tcp, mp, TBADADDR, 0);
283 		return;
284 	}
285 
286 	if (backlog > 0) {
287 		error = tcp_do_listen(connp, sa, len, backlog, DB_CRED(mp),
288 		    tbr->PRIM_type != O_T_BIND_REQ);
289 	} else {
290 		error = tcp_do_bind(connp, sa, len, DB_CRED(mp),
291 		    tbr->PRIM_type != O_T_BIND_REQ);
292 	}
293 done:
294 	if (error > 0) {
295 		tcp_err_ack(tcp, mp, TSYSERR, error);
296 	} else if (error < 0) {
297 		tcp_err_ack(tcp, mp, -error, 0);
298 	} else {
299 		/*
300 		 * Update port information as sockfs/tpi needs it for checking
301 		 */
302 		if (connp->conn_family == AF_INET) {
303 			sin = (sin_t *)sa;
304 			sin->sin_port = connp->conn_lport;
305 		} else {
306 			sin6 = (sin6_t *)sa;
307 			sin6->sin6_port = connp->conn_lport;
308 		}
309 		mp->b_datap->db_type = M_PCPROTO;
310 		tbr->PRIM_type = T_BIND_ACK;
311 		putnext(connp->conn_rq, mp);
312 	}
313 }
314 
315 /* tcp_unbind is called by tcp_wput_proto to handle T_UNBIND_REQ messages. */
316 void
317 tcp_tpi_unbind(tcp_t *tcp, mblk_t *mp)
318 {
319 	conn_t *connp = tcp->tcp_connp;
320 	int error;
321 
322 	error = tcp_do_unbind(connp);
323 	if (error > 0) {
324 		tcp_err_ack(tcp, mp, TSYSERR, error);
325 	} else if (error < 0) {
326 		tcp_err_ack(tcp, mp, -error, 0);
327 	} else {
328 		/* Send M_FLUSH according to TPI */
329 		(void) putnextctl1(connp->conn_rq, M_FLUSH, FLUSHRW);
330 
331 		mp = mi_tpi_ok_ack_alloc(mp);
332 		if (mp != NULL)
333 			putnext(connp->conn_rq, mp);
334 	}
335 }
336 
337 int
338 tcp_tpi_close(queue_t *q, int flags)
339 {
340 	conn_t		*connp;
341 
342 	ASSERT(WR(q)->q_next == NULL);
343 
344 	if (flags & SO_FALLBACK) {
345 		/*
346 		 * stream is being closed while in fallback
347 		 * simply free the resources that were allocated
348 		 */
349 		inet_minor_free(WR(q)->q_ptr, (dev_t)(RD(q)->q_ptr));
350 		qprocsoff(q);
351 		goto done;
352 	}
353 
354 	connp = Q_TO_CONN(q);
355 	/*
356 	 * We are being closed as /dev/tcp or /dev/tcp6.
357 	 */
358 	tcp_close_common(connp, flags);
359 
360 	qprocsoff(q);
361 	inet_minor_free(connp->conn_minor_arena, connp->conn_dev);
362 
363 	/*
364 	 * Drop IP's reference on the conn. This is the last reference
365 	 * on the connp if the state was less than established. If the
366 	 * connection has gone into timewait state, then we will have
367 	 * one ref for the TCP and one more ref (total of two) for the
368 	 * classifier connected hash list (a timewait connections stays
369 	 * in connected hash till closed).
370 	 *
371 	 * We can't assert the references because there might be other
372 	 * transient reference places because of some walkers or queued
373 	 * packets in squeue for the timewait state.
374 	 */
375 	CONN_DEC_REF(connp);
376 done:
377 	q->q_ptr = WR(q)->q_ptr = NULL;
378 	return (0);
379 }
380 
381 int
382 tcp_tpi_close_accept(queue_t *q)
383 {
384 	vmem_t	*minor_arena;
385 	dev_t	conn_dev;
386 	extern struct qinit tcp_acceptor_winit;
387 
388 	ASSERT(WR(q)->q_qinfo == &tcp_acceptor_winit);
389 
390 	/*
391 	 * We had opened an acceptor STREAM for sockfs which is
392 	 * now being closed due to some error.
393 	 */
394 	qprocsoff(q);
395 
396 	minor_arena = (vmem_t *)WR(q)->q_ptr;
397 	conn_dev = (dev_t)RD(q)->q_ptr;
398 	ASSERT(minor_arena != NULL);
399 	ASSERT(conn_dev != 0);
400 	inet_minor_free(minor_arena, conn_dev);
401 	q->q_ptr = WR(q)->q_ptr = NULL;
402 	return (0);
403 }
404 
405 /*
406  * Put a connection confirmation message upstream built from the
407  * address/flowid information with the conn and iph. Report our success or
408  * failure.
409  */
410 boolean_t
411 tcp_conn_con(tcp_t *tcp, uchar_t *iphdr, mblk_t *idmp,
412     mblk_t **defermp, ip_recv_attr_t *ira)
413 {
414 	sin_t	sin;
415 	sin6_t	sin6;
416 	mblk_t	*mp;
417 	char	*optp = NULL;
418 	int	optlen = 0;
419 	conn_t	*connp = tcp->tcp_connp;
420 
421 	if (defermp != NULL)
422 		*defermp = NULL;
423 
424 	if (tcp->tcp_conn.tcp_opts_conn_req != NULL) {
425 		/*
426 		 * Return in T_CONN_CON results of option negotiation through
427 		 * the T_CONN_REQ. Note: If there is an real end-to-end option
428 		 * negotiation, then what is received from remote end needs
429 		 * to be taken into account but there is no such thing (yet?)
430 		 * in our TCP/IP.
431 		 * Note: We do not use mi_offset_param() here as
432 		 * tcp_opts_conn_req contents do not directly come from
433 		 * an application and are either generated in kernel or
434 		 * from user input that was already verified.
435 		 */
436 		mp = tcp->tcp_conn.tcp_opts_conn_req;
437 		optp = (char *)(mp->b_rptr +
438 		    ((struct T_conn_req *)mp->b_rptr)->OPT_offset);
439 		optlen = (int)
440 		    ((struct T_conn_req *)mp->b_rptr)->OPT_length;
441 	}
442 
443 	if (IPH_HDR_VERSION(iphdr) == IPV4_VERSION) {
444 
445 		/* packet is IPv4 */
446 		if (connp->conn_family == AF_INET) {
447 			sin = sin_null;
448 			sin.sin_addr.s_addr = connp->conn_faddr_v4;
449 			sin.sin_port = connp->conn_fport;
450 			sin.sin_family = AF_INET;
451 			mp = mi_tpi_conn_con(NULL, (char *)&sin,
452 			    (int)sizeof (sin_t), optp, optlen);
453 		} else {
454 			sin6 = sin6_null;
455 			sin6.sin6_addr = connp->conn_faddr_v6;
456 			sin6.sin6_port = connp->conn_fport;
457 			sin6.sin6_family = AF_INET6;
458 			mp = mi_tpi_conn_con(NULL, (char *)&sin6,
459 			    (int)sizeof (sin6_t), optp, optlen);
460 
461 		}
462 	} else {
463 		ip6_t	*ip6h = (ip6_t *)iphdr;
464 
465 		ASSERT(IPH_HDR_VERSION(iphdr) == IPV6_VERSION);
466 		ASSERT(connp->conn_family == AF_INET6);
467 		sin6 = sin6_null;
468 		sin6.sin6_addr = connp->conn_faddr_v6;
469 		sin6.sin6_port = connp->conn_fport;
470 		sin6.sin6_family = AF_INET6;
471 		sin6.sin6_flowinfo = ip6h->ip6_vcf & ~IPV6_VERS_AND_FLOW_MASK;
472 		mp = mi_tpi_conn_con(NULL, (char *)&sin6,
473 		    (int)sizeof (sin6_t), optp, optlen);
474 	}
475 
476 	if (!mp)
477 		return (B_FALSE);
478 
479 	mblk_copycred(mp, idmp);
480 
481 	if (defermp == NULL) {
482 		conn_t *connp = tcp->tcp_connp;
483 		if (IPCL_IS_NONSTR(connp)) {
484 			(*connp->conn_upcalls->su_connected)
485 			    (connp->conn_upper_handle, tcp->tcp_connid,
486 			    ira->ira_cred, ira->ira_cpid);
487 			freemsg(mp);
488 		} else {
489 			if (ira->ira_cred != NULL) {
490 				/* So that getpeerucred works for TPI sockfs */
491 				mblk_setcred(mp, ira->ira_cred, ira->ira_cpid);
492 			}
493 			putnext(connp->conn_rq, mp);
494 		}
495 	} else {
496 		*defermp = mp;
497 	}
498 
499 	if (tcp->tcp_conn.tcp_opts_conn_req != NULL)
500 		tcp_close_mpp(&tcp->tcp_conn.tcp_opts_conn_req);
501 	return (B_TRUE);
502 }
503 
504 /*
505  * Successful connect request processing begins when our client passes
506  * a T_CONN_REQ message into tcp_wput(), which performs function calls into
507  * IP and the passes a T_OK_ACK (or T_ERROR_ACK upstream).
508  *
509  * After various error checks are completed, tcp_tpi_connect() lays
510  * the target address and port into the composite header template.
511  * Then we ask IP for information, including a source address if we didn't
512  * already have one. Finally we prepare to send the SYN packet, and then
513  * send up the T_OK_ACK reply message.
514  */
515 void
516 tcp_tpi_connect(tcp_t *tcp, mblk_t *mp)
517 {
518 	sin_t		*sin;
519 	struct T_conn_req	*tcr;
520 	struct sockaddr	*sa;
521 	socklen_t	len;
522 	int		error;
523 	cred_t		*cr;
524 	pid_t		cpid;
525 	conn_t		*connp = tcp->tcp_connp;
526 	queue_t		*q = connp->conn_wq;
527 
528 	/*
529 	 * All Solaris components should pass a db_credp
530 	 * for this TPI message, hence we ASSERT.
531 	 * But in case there is some other M_PROTO that looks
532 	 * like a TPI message sent by some other kernel
533 	 * component, we check and return an error.
534 	 */
535 	cr = msg_getcred(mp, &cpid);
536 	ASSERT(cr != NULL);
537 	if (cr == NULL) {
538 		tcp_err_ack(tcp, mp, TSYSERR, EINVAL);
539 		return;
540 	}
541 
542 	tcr = (struct T_conn_req *)mp->b_rptr;
543 
544 	ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <= (uintptr_t)INT_MAX);
545 	if ((mp->b_wptr - mp->b_rptr) < sizeof (*tcr)) {
546 		tcp_err_ack(tcp, mp, TPROTO, 0);
547 		return;
548 	}
549 
550 	/*
551 	 * Pre-allocate the T_ordrel_ind mblk so that at close time, we
552 	 * will always have that to send up.  Otherwise, we need to do
553 	 * special handling in case the allocation fails at that time.
554 	 * If the end point is TPI, the tcp_t can be reused and the
555 	 * tcp_ordrel_mp may be allocated already.
556 	 */
557 	if (tcp->tcp_ordrel_mp == NULL) {
558 		if ((tcp->tcp_ordrel_mp = mi_tpi_ordrel_ind()) == NULL) {
559 			tcp_err_ack(tcp, mp, TSYSERR, ENOMEM);
560 			return;
561 		}
562 	}
563 
564 	/*
565 	 * Determine packet type based on type of address passed in
566 	 * the request should contain an IPv4 or IPv6 address.
567 	 * Make sure that address family matches the type of
568 	 * family of the address passed down.
569 	 */
570 	switch (tcr->DEST_length) {
571 	default:
572 		tcp_err_ack(tcp, mp, TBADADDR, 0);
573 		return;
574 
575 	case (sizeof (sin_t) - sizeof (sin->sin_zero)): {
576 		/*
577 		 * XXX: The check for valid DEST_length was not there
578 		 * in earlier releases and some buggy
579 		 * TLI apps (e.g Sybase) got away with not feeding
580 		 * in sin_zero part of address.
581 		 * We allow that bug to keep those buggy apps humming.
582 		 * Test suites require the check on DEST_length.
583 		 * We construct a new mblk with valid DEST_length
584 		 * free the original so the rest of the code does
585 		 * not have to keep track of this special shorter
586 		 * length address case.
587 		 */
588 		mblk_t *nmp;
589 		struct T_conn_req *ntcr;
590 		sin_t *nsin;
591 
592 		nmp = allocb(sizeof (struct T_conn_req) + sizeof (sin_t) +
593 		    tcr->OPT_length, BPRI_HI);
594 		if (nmp == NULL) {
595 			tcp_err_ack(tcp, mp, TSYSERR, ENOMEM);
596 			return;
597 		}
598 		ntcr = (struct T_conn_req *)nmp->b_rptr;
599 		bzero(ntcr, sizeof (struct T_conn_req)); /* zero fill */
600 		ntcr->PRIM_type = T_CONN_REQ;
601 		ntcr->DEST_length = sizeof (sin_t);
602 		ntcr->DEST_offset = sizeof (struct T_conn_req);
603 
604 		nsin = (sin_t *)((uchar_t *)ntcr + ntcr->DEST_offset);
605 		*nsin = sin_null;
606 		/* Get pointer to shorter address to copy from original mp */
607 		sin = (sin_t *)mi_offset_param(mp, tcr->DEST_offset,
608 		    tcr->DEST_length); /* extract DEST_length worth of sin_t */
609 		if (sin == NULL || !OK_32PTR((char *)sin)) {
610 			freemsg(nmp);
611 			tcp_err_ack(tcp, mp, TSYSERR, EINVAL);
612 			return;
613 		}
614 		nsin->sin_family = sin->sin_family;
615 		nsin->sin_port = sin->sin_port;
616 		nsin->sin_addr = sin->sin_addr;
617 		/* Note:nsin->sin_zero zero-fill with sin_null assign above */
618 		nmp->b_wptr = (uchar_t *)&nsin[1];
619 		if (tcr->OPT_length != 0) {
620 			ntcr->OPT_length = tcr->OPT_length;
621 			ntcr->OPT_offset = nmp->b_wptr - nmp->b_rptr;
622 			bcopy((uchar_t *)tcr + tcr->OPT_offset,
623 			    (uchar_t *)ntcr + ntcr->OPT_offset,
624 			    tcr->OPT_length);
625 			nmp->b_wptr += tcr->OPT_length;
626 		}
627 		freemsg(mp);	/* original mp freed */
628 		mp = nmp;	/* re-initialize original variables */
629 		tcr = ntcr;
630 	}
631 	/* FALLTHRU */
632 
633 	case sizeof (sin_t):
634 		sa = (struct sockaddr *)mi_offset_param(mp, tcr->DEST_offset,
635 		    sizeof (sin_t));
636 		len = sizeof (sin_t);
637 		break;
638 
639 	case sizeof (sin6_t):
640 		sa = (struct sockaddr *)mi_offset_param(mp, tcr->DEST_offset,
641 		    sizeof (sin6_t));
642 		len = sizeof (sin6_t);
643 		break;
644 	}
645 
646 	error = proto_verify_ip_addr(connp->conn_family, sa, len);
647 	if (error != 0) {
648 		tcp_err_ack(tcp, mp, TSYSERR, error);
649 		return;
650 	}
651 
652 	/*
653 	 * TODO: If someone in TCPS_TIME_WAIT has this dst/port we
654 	 * should key on their sequence number and cut them loose.
655 	 */
656 
657 	/*
658 	 * If options passed in, feed it for verification and handling
659 	 */
660 	if (tcr->OPT_length != 0) {
661 		mblk_t	*ok_mp;
662 		mblk_t	*discon_mp;
663 		mblk_t  *conn_opts_mp;
664 		int t_error, sys_error, do_disconnect;
665 
666 		conn_opts_mp = NULL;
667 
668 		if (tcp_conprim_opt_process(tcp, mp,
669 		    &do_disconnect, &t_error, &sys_error) < 0) {
670 			if (do_disconnect) {
671 				ASSERT(t_error == 0 && sys_error == 0);
672 				discon_mp = mi_tpi_discon_ind(NULL,
673 				    ECONNREFUSED, 0);
674 				if (!discon_mp) {
675 					tcp_err_ack_prim(tcp, mp, T_CONN_REQ,
676 					    TSYSERR, ENOMEM);
677 					return;
678 				}
679 				ok_mp = mi_tpi_ok_ack_alloc(mp);
680 				if (!ok_mp) {
681 					tcp_err_ack_prim(tcp, NULL, T_CONN_REQ,
682 					    TSYSERR, ENOMEM);
683 					return;
684 				}
685 				qreply(q, ok_mp);
686 				qreply(q, discon_mp); /* no flush! */
687 			} else {
688 				ASSERT(t_error != 0);
689 				tcp_err_ack_prim(tcp, mp, T_CONN_REQ, t_error,
690 				    sys_error);
691 			}
692 			return;
693 		}
694 		/*
695 		 * Success in setting options, the mp option buffer represented
696 		 * by OPT_length/offset has been potentially modified and
697 		 * contains results of option processing. We copy it in
698 		 * another mp to save it for potentially influencing returning
699 		 * it in T_CONN_CONN.
700 		 */
701 		if (tcr->OPT_length != 0) { /* there are resulting options */
702 			conn_opts_mp = copyb(mp);
703 			if (!conn_opts_mp) {
704 				tcp_err_ack_prim(tcp, mp, T_CONN_REQ,
705 				    TSYSERR, ENOMEM);
706 				return;
707 			}
708 			ASSERT(tcp->tcp_conn.tcp_opts_conn_req == NULL);
709 			tcp->tcp_conn.tcp_opts_conn_req = conn_opts_mp;
710 			/*
711 			 * Note:
712 			 * These resulting option negotiation can include any
713 			 * end-to-end negotiation options but there no such
714 			 * thing (yet?) in our TCP/IP.
715 			 */
716 		}
717 	}
718 
719 	/* call the non-TPI version */
720 	error = tcp_do_connect(tcp->tcp_connp, sa, len, cr, cpid);
721 	if (error < 0) {
722 		mp = mi_tpi_err_ack_alloc(mp, -error, 0);
723 	} else if (error > 0) {
724 		mp = mi_tpi_err_ack_alloc(mp, TSYSERR, error);
725 	} else {
726 		mp = mi_tpi_ok_ack_alloc(mp);
727 	}
728 
729 	/*
730 	 * Note: Code below is the "failure" case
731 	 */
732 	/* return error ack and blow away saved option results if any */
733 connect_failed:
734 	if (mp != NULL)
735 		putnext(connp->conn_rq, mp);
736 	else {
737 		tcp_err_ack_prim(tcp, NULL, T_CONN_REQ,
738 		    TSYSERR, ENOMEM);
739 	}
740 }
741 
742 /* Return the TPI/TLI equivalent of our current tcp_state */
743 static int
744 tcp_tpistate(tcp_t *tcp)
745 {
746 	switch (tcp->tcp_state) {
747 	case TCPS_IDLE:
748 		return (TS_UNBND);
749 	case TCPS_LISTEN:
750 		/*
751 		 * Return whether there are outstanding T_CONN_IND waiting
752 		 * for the matching T_CONN_RES. Therefore don't count q0.
753 		 */
754 		if (tcp->tcp_conn_req_cnt_q > 0)
755 			return (TS_WRES_CIND);
756 		else
757 			return (TS_IDLE);
758 	case TCPS_BOUND:
759 		return (TS_IDLE);
760 	case TCPS_SYN_SENT:
761 		return (TS_WCON_CREQ);
762 	case TCPS_SYN_RCVD:
763 		/*
764 		 * Note: assumption: this has to the active open SYN_RCVD.
765 		 * The passive instance is detached in SYN_RCVD stage of
766 		 * incoming connection processing so we cannot get request
767 		 * for T_info_ack on it.
768 		 */
769 		return (TS_WACK_CRES);
770 	case TCPS_ESTABLISHED:
771 		return (TS_DATA_XFER);
772 	case TCPS_CLOSE_WAIT:
773 		return (TS_WREQ_ORDREL);
774 	case TCPS_FIN_WAIT_1:
775 		return (TS_WIND_ORDREL);
776 	case TCPS_FIN_WAIT_2:
777 		return (TS_WIND_ORDREL);
778 
779 	case TCPS_CLOSING:
780 	case TCPS_LAST_ACK:
781 	case TCPS_TIME_WAIT:
782 	case TCPS_CLOSED:
783 		/*
784 		 * Following TS_WACK_DREQ7 is a rendition of "not
785 		 * yet TS_IDLE" TPI state. There is no best match to any
786 		 * TPI state for TCPS_{CLOSING, LAST_ACK, TIME_WAIT} but we
787 		 * choose a value chosen that will map to TLI/XTI level
788 		 * state of TSTATECHNG (state is process of changing) which
789 		 * captures what this dummy state represents.
790 		 */
791 		return (TS_WACK_DREQ7);
792 	default:
793 		cmn_err(CE_WARN, "tcp_tpistate: strange state (%d) %s",
794 		    tcp->tcp_state, tcp_display(tcp, NULL,
795 		    DISP_PORT_ONLY));
796 		return (TS_UNBND);
797 	}
798 }
799 
800 static void
801 tcp_copy_info(struct T_info_ack *tia, tcp_t *tcp)
802 {
803 	tcp_stack_t	*tcps = tcp->tcp_tcps;
804 	conn_t		*connp = tcp->tcp_connp;
805 	extern struct T_info_ack tcp_g_t_info_ack;
806 	extern struct T_info_ack tcp_g_t_info_ack_v6;
807 
808 	if (connp->conn_family == AF_INET6)
809 		*tia = tcp_g_t_info_ack_v6;
810 	else
811 		*tia = tcp_g_t_info_ack;
812 	tia->CURRENT_state = tcp_tpistate(tcp);
813 	tia->OPT_size = tcp_max_optsize;
814 	if (tcp->tcp_mss == 0) {
815 		/* Not yet set - tcp_open does not set mss */
816 		if (connp->conn_ipversion == IPV4_VERSION)
817 			tia->TIDU_size = tcps->tcps_mss_def_ipv4;
818 		else
819 			tia->TIDU_size = tcps->tcps_mss_def_ipv6;
820 	} else {
821 		tia->TIDU_size = tcp->tcp_mss;
822 	}
823 	/* TODO: Default ETSDU is 1.  Is that correct for tcp? */
824 }
825 
826 static void
827 tcp_do_capability_ack(tcp_t *tcp, struct T_capability_ack *tcap,
828     t_uscalar_t cap_bits1)
829 {
830 	tcap->CAP_bits1 = 0;
831 
832 	if (cap_bits1 & TC1_INFO) {
833 		tcp_copy_info(&tcap->INFO_ack, tcp);
834 		tcap->CAP_bits1 |= TC1_INFO;
835 	}
836 
837 	if (cap_bits1 & TC1_ACCEPTOR_ID) {
838 		tcap->ACCEPTOR_id = tcp->tcp_acceptor_id;
839 		tcap->CAP_bits1 |= TC1_ACCEPTOR_ID;
840 	}
841 
842 }
843 
844 /*
845  * This routine responds to T_CAPABILITY_REQ messages.  It is called by
846  * tcp_wput.  Much of the T_CAPABILITY_ACK information is copied from
847  * tcp_g_t_info_ack.  The current state of the stream is copied from
848  * tcp_state.
849  */
850 void
851 tcp_capability_req(tcp_t *tcp, mblk_t *mp)
852 {
853 	t_uscalar_t		cap_bits1;
854 	struct T_capability_ack	*tcap;
855 
856 	if (MBLKL(mp) < sizeof (struct T_capability_req)) {
857 		freemsg(mp);
858 		return;
859 	}
860 
861 	cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
862 
863 	mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
864 	    mp->b_datap->db_type, T_CAPABILITY_ACK);
865 	if (mp == NULL)
866 		return;
867 
868 	tcap = (struct T_capability_ack *)mp->b_rptr;
869 	tcp_do_capability_ack(tcp, tcap, cap_bits1);
870 
871 	putnext(tcp->tcp_connp->conn_rq, mp);
872 }
873 
874 /*
875  * This routine responds to T_INFO_REQ messages.  It is called by tcp_wput.
876  * Most of the T_INFO_ACK information is copied from tcp_g_t_info_ack.
877  * The current state of the stream is copied from tcp_state.
878  */
879 void
880 tcp_info_req(tcp_t *tcp, mblk_t *mp)
881 {
882 	mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
883 	    T_INFO_ACK);
884 	if (!mp) {
885 		tcp_err_ack(tcp, mp, TSYSERR, ENOMEM);
886 		return;
887 	}
888 	tcp_copy_info((struct T_info_ack *)mp->b_rptr, tcp);
889 	putnext(tcp->tcp_connp->conn_rq, mp);
890 }
891 
892 /* Respond to the TPI addr request */
893 void
894 tcp_addr_req(tcp_t *tcp, mblk_t *mp)
895 {
896 	struct sockaddr *sa;
897 	mblk_t	*ackmp;
898 	struct T_addr_ack *taa;
899 	conn_t	*connp = tcp->tcp_connp;
900 	uint_t	addrlen;
901 
902 	/* Make it large enough for worst case */
903 	ackmp = reallocb(mp, sizeof (struct T_addr_ack) +
904 	    2 * sizeof (sin6_t), 1);
905 	if (ackmp == NULL) {
906 		tcp_err_ack(tcp, mp, TSYSERR, ENOMEM);
907 		return;
908 	}
909 
910 	taa = (struct T_addr_ack *)ackmp->b_rptr;
911 
912 	bzero(taa, sizeof (struct T_addr_ack));
913 	ackmp->b_wptr = (uchar_t *)&taa[1];
914 
915 	taa->PRIM_type = T_ADDR_ACK;
916 	ackmp->b_datap->db_type = M_PCPROTO;
917 
918 	if (connp->conn_family == AF_INET)
919 		addrlen = sizeof (sin_t);
920 	else
921 		addrlen = sizeof (sin6_t);
922 
923 	/*
924 	 * Note: Following code assumes 32 bit alignment of basic
925 	 * data structures like sin_t and struct T_addr_ack.
926 	 */
927 	if (tcp->tcp_state >= TCPS_BOUND) {
928 		/*
929 		 * Fill in local address first
930 		 */
931 		taa->LOCADDR_offset = sizeof (*taa);
932 		taa->LOCADDR_length = addrlen;
933 		sa = (struct sockaddr *)&taa[1];
934 		(void) conn_getsockname(connp, sa, &addrlen);
935 		ackmp->b_wptr += addrlen;
936 	}
937 	if (tcp->tcp_state >= TCPS_SYN_RCVD) {
938 		/*
939 		 * Fill in Remote address
940 		 */
941 		taa->REMADDR_length = addrlen;
942 		/* assumed 32-bit alignment */
943 		taa->REMADDR_offset = taa->LOCADDR_offset + taa->LOCADDR_length;
944 		sa = (struct sockaddr *)(ackmp->b_rptr + taa->REMADDR_offset);
945 		(void) conn_getpeername(connp, sa, &addrlen);
946 		ackmp->b_wptr += addrlen;
947 	}
948 	ASSERT(ackmp->b_wptr <= ackmp->b_datap->db_lim);
949 	putnext(tcp->tcp_connp->conn_rq, ackmp);
950 }
951 
952 /*
953  * tcp_fallback
954  *
955  * A direct socket is falling back to using STREAMS. The queue
956  * that is being passed down was created using tcp_open() with
957  * the SO_FALLBACK flag set. As a result, the queue is not
958  * associated with a conn, and the q_ptrs instead contain the
959  * dev and minor area that should be used.
960  *
961  * The 'issocket' flag indicates whether the FireEngine
962  * optimizations should be used. The common case would be that
963  * optimizations are enabled, and they might be subsequently
964  * disabled using the _SIOCSOCKFALLBACK ioctl.
965  */
966 
967 /*
968  * An active connection is falling back to TPI. Gather all the information
969  * required by the STREAM head and TPI sonode and send it up.
970  */
971 void
972 tcp_fallback_noneager(tcp_t *tcp, mblk_t *stropt_mp, queue_t *q,
973     boolean_t issocket, so_proto_quiesced_cb_t quiesced_cb)
974 {
975 	conn_t			*connp = tcp->tcp_connp;
976 	struct stroptions	*stropt;
977 	struct T_capability_ack tca;
978 	struct sockaddr_in6	laddr, faddr;
979 	socklen_t 		laddrlen, faddrlen;
980 	short			opts;
981 	int			error;
982 	mblk_t			*mp;
983 
984 	connp->conn_dev = (dev_t)RD(q)->q_ptr;
985 	connp->conn_minor_arena = WR(q)->q_ptr;
986 
987 	RD(q)->q_ptr = WR(q)->q_ptr = connp;
988 
989 	connp->conn_rq = RD(q);
990 	connp->conn_wq = WR(q);
991 
992 	WR(q)->q_qinfo = &tcp_sock_winit;
993 
994 	if (!issocket)
995 		tcp_use_pure_tpi(tcp);
996 
997 	/*
998 	 * free the helper stream
999 	 */
1000 	ip_free_helper_stream(connp);
1001 
1002 	/*
1003 	 * Notify the STREAM head about options
1004 	 */
1005 	DB_TYPE(stropt_mp) = M_SETOPTS;
1006 	stropt = (struct stroptions *)stropt_mp->b_rptr;
1007 	stropt_mp->b_wptr += sizeof (struct stroptions);
1008 	stropt->so_flags = SO_HIWAT | SO_WROFF | SO_MAXBLK;
1009 
1010 	stropt->so_wroff = connp->conn_ht_iphc_len + (tcp->tcp_loopback ? 0 :
1011 	    tcp->tcp_tcps->tcps_wroff_xtra);
1012 	if (tcp->tcp_snd_sack_ok)
1013 		stropt->so_wroff += TCPOPT_MAX_SACK_LEN;
1014 	stropt->so_hiwat = connp->conn_rcvbuf;
1015 	stropt->so_maxblk = tcp_maxpsz_set(tcp, B_FALSE);
1016 
1017 	putnext(RD(q), stropt_mp);
1018 
1019 	/*
1020 	 * Collect the information needed to sync with the sonode
1021 	 */
1022 	tcp_do_capability_ack(tcp, &tca, TC1_INFO|TC1_ACCEPTOR_ID);
1023 
1024 	laddrlen = faddrlen = sizeof (sin6_t);
1025 	(void) tcp_getsockname((sock_lower_handle_t)connp,
1026 	    (struct sockaddr *)&laddr, &laddrlen, CRED());
1027 	error = tcp_getpeername((sock_lower_handle_t)connp,
1028 	    (struct sockaddr *)&faddr, &faddrlen, CRED());
1029 	if (error != 0)
1030 		faddrlen = 0;
1031 
1032 	opts = 0;
1033 	if (connp->conn_oobinline)
1034 		opts |= SO_OOBINLINE;
1035 	if (connp->conn_ixa->ixa_flags & IXAF_DONTROUTE)
1036 		opts |= SO_DONTROUTE;
1037 
1038 	/*
1039 	 * Notify the socket that the protocol is now quiescent,
1040 	 * and it's therefore safe move data from the socket
1041 	 * to the stream head.
1042 	 */
1043 	(*quiesced_cb)(connp->conn_upper_handle, q, &tca,
1044 	    (struct sockaddr *)&laddr, laddrlen,
1045 	    (struct sockaddr *)&faddr, faddrlen, opts);
1046 
1047 	while ((mp = tcp->tcp_rcv_list) != NULL) {
1048 		tcp->tcp_rcv_list = mp->b_next;
1049 		mp->b_next = NULL;
1050 		/* We never do fallback for kernel RPC */
1051 		putnext(q, mp);
1052 	}
1053 	tcp->tcp_rcv_last_head = NULL;
1054 	tcp->tcp_rcv_last_tail = NULL;
1055 	tcp->tcp_rcv_cnt = 0;
1056 }
1057 
1058 /*
1059  * An eager is falling back to TPI. All we have to do is send
1060  * up a T_CONN_IND.
1061  */
1062 void
1063 tcp_fallback_eager(tcp_t *eager, boolean_t direct_sockfs)
1064 {
1065 	tcp_t *listener = eager->tcp_listener;
1066 	mblk_t *mp = eager->tcp_conn.tcp_eager_conn_ind;
1067 
1068 	ASSERT(listener != NULL);
1069 	ASSERT(mp != NULL);
1070 
1071 	eager->tcp_conn.tcp_eager_conn_ind = NULL;
1072 
1073 	/*
1074 	 * TLI/XTI applications will get confused by
1075 	 * sending eager as an option since it violates
1076 	 * the option semantics. So remove the eager as
1077 	 * option since TLI/XTI app doesn't need it anyway.
1078 	 */
1079 	if (!direct_sockfs) {
1080 		struct T_conn_ind *conn_ind;
1081 
1082 		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1083 		conn_ind->OPT_length = 0;
1084 		conn_ind->OPT_offset = 0;
1085 	}
1086 
1087 	/*
1088 	 * Sockfs guarantees that the listener will not be closed
1089 	 * during fallback. So we can safely use the listener's queue.
1090 	 */
1091 	putnext(listener->tcp_connp->conn_rq, mp);
1092 }
1093 
1094 /*
1095  * Swap information between the eager and acceptor for a TLI/XTI client.
1096  * The sockfs accept is done on the acceptor stream and control goes
1097  * through tcp_tli_accept() and tcp_accept()/tcp_accept_swap() is not
1098  * called. In either case, both the eager and listener are in their own
1099  * perimeter (squeue) and the code has to deal with potential race.
1100  *
1101  * See the block comment on top of tcp_accept() and tcp_tli_accept().
1102  */
1103 static void
1104 tcp_accept_swap(tcp_t *listener, tcp_t *acceptor, tcp_t *eager)
1105 {
1106 	conn_t	*econnp, *aconnp;
1107 
1108 	ASSERT(eager->tcp_connp->conn_rq == listener->tcp_connp->conn_rq);
1109 	ASSERT(eager->tcp_detached && !acceptor->tcp_detached);
1110 	ASSERT(!TCP_IS_SOCKET(acceptor));
1111 	ASSERT(!TCP_IS_SOCKET(eager));
1112 	ASSERT(!TCP_IS_SOCKET(listener));
1113 
1114 	/*
1115 	 * Trusted Extensions may need to use a security label that is
1116 	 * different from the acceptor's label on MLP and MAC-Exempt
1117 	 * sockets. If this is the case, the required security label
1118 	 * already exists in econnp->conn_ixa->ixa_tsl. Since we make the
1119 	 * acceptor stream refer to econnp we atomatically get that label.
1120 	 */
1121 
1122 	acceptor->tcp_detached = B_TRUE;
1123 	/*
1124 	 * To permit stream re-use by TLI/XTI, the eager needs a copy of
1125 	 * the acceptor id.
1126 	 */
1127 	eager->tcp_acceptor_id = acceptor->tcp_acceptor_id;
1128 
1129 	/* remove eager from listen list... */
1130 	mutex_enter(&listener->tcp_eager_lock);
1131 	tcp_eager_unlink(eager);
1132 	ASSERT(eager->tcp_eager_next_q == NULL &&
1133 	    eager->tcp_eager_last_q == NULL);
1134 	ASSERT(eager->tcp_eager_next_q0 == NULL &&
1135 	    eager->tcp_eager_prev_q0 == NULL);
1136 	mutex_exit(&listener->tcp_eager_lock);
1137 
1138 	econnp = eager->tcp_connp;
1139 	aconnp = acceptor->tcp_connp;
1140 	econnp->conn_rq = aconnp->conn_rq;
1141 	econnp->conn_wq = aconnp->conn_wq;
1142 	econnp->conn_rq->q_ptr = econnp;
1143 	econnp->conn_wq->q_ptr = econnp;
1144 
1145 	/*
1146 	 * In the TLI/XTI loopback case, we are inside the listener's squeue,
1147 	 * which might be a different squeue from our peer TCP instance.
1148 	 * For TCP Fusion, the peer expects that whenever tcp_detached is
1149 	 * clear, our TCP queues point to the acceptor's queues.  Thus, use
1150 	 * membar_producer() to ensure that the assignments of conn_rq/conn_wq
1151 	 * above reach global visibility prior to the clearing of tcp_detached.
1152 	 */
1153 	membar_producer();
1154 	eager->tcp_detached = B_FALSE;
1155 
1156 	ASSERT(eager->tcp_ack_tid == 0);
1157 
1158 	econnp->conn_dev = aconnp->conn_dev;
1159 	econnp->conn_minor_arena = aconnp->conn_minor_arena;
1160 
1161 	ASSERT(econnp->conn_minor_arena != NULL);
1162 	if (econnp->conn_cred != NULL)
1163 		crfree(econnp->conn_cred);
1164 	econnp->conn_cred = aconnp->conn_cred;
1165 	econnp->conn_ixa->ixa_cred = econnp->conn_cred;
1166 	aconnp->conn_cred = NULL;
1167 	econnp->conn_cpid = aconnp->conn_cpid;
1168 	ASSERT(econnp->conn_netstack == aconnp->conn_netstack);
1169 	ASSERT(eager->tcp_tcps == acceptor->tcp_tcps);
1170 
1171 	econnp->conn_zoneid = aconnp->conn_zoneid;
1172 	econnp->conn_allzones = aconnp->conn_allzones;
1173 	econnp->conn_ixa->ixa_zoneid = aconnp->conn_ixa->ixa_zoneid;
1174 
1175 	econnp->conn_mac_mode = aconnp->conn_mac_mode;
1176 	econnp->conn_zone_is_global = aconnp->conn_zone_is_global;
1177 	aconnp->conn_mac_mode = CONN_MAC_DEFAULT;
1178 
1179 	/* Do the IPC initialization */
1180 	CONN_INC_REF(econnp);
1181 
1182 	/* Done with old IPC. Drop its ref on its connp */
1183 	CONN_DEC_REF(aconnp);
1184 }
1185 
1186 /*
1187  * Reply to a clients T_CONN_RES TPI message. This function
1188  * is used only for TLI/XTI listener. Sockfs sends T_CONN_RES
1189  * on the acceptor STREAM and processed in tcp_accept_common().
1190  * Read the block comment on top of tcp_input_listener().
1191  */
1192 void
1193 tcp_tli_accept(tcp_t *listener, mblk_t *mp)
1194 {
1195 	tcp_t		*acceptor;
1196 	tcp_t		*eager;
1197 	tcp_t   	*tcp;
1198 	struct T_conn_res	*tcr;
1199 	t_uscalar_t	acceptor_id;
1200 	t_scalar_t	seqnum;
1201 	mblk_t		*discon_mp = NULL;
1202 	mblk_t		*ok_mp;
1203 	mblk_t		*mp1;
1204 	tcp_stack_t	*tcps = listener->tcp_tcps;
1205 	conn_t		*econnp;
1206 
1207 	if ((mp->b_wptr - mp->b_rptr) < sizeof (*tcr)) {
1208 		tcp_err_ack(listener, mp, TPROTO, 0);
1209 		return;
1210 	}
1211 	tcr = (struct T_conn_res *)mp->b_rptr;
1212 
1213 	/*
1214 	 * Under ILP32 the stream head points tcr->ACCEPTOR_id at the
1215 	 * read side queue of the streams device underneath us i.e. the
1216 	 * read side queue of 'ip'. Since we can't deference QUEUE_ptr we
1217 	 * look it up in the queue_hash.  Under LP64 it sends down the
1218 	 * minor_t of the accepting endpoint.
1219 	 *
1220 	 * Once the acceptor/eager are modified (in tcp_accept_swap) the
1221 	 * fanout hash lock is held.
1222 	 * This prevents any thread from entering the acceptor queue from
1223 	 * below (since it has not been hard bound yet i.e. any inbound
1224 	 * packets will arrive on the listener conn_t and
1225 	 * go through the classifier).
1226 	 * The CONN_INC_REF will prevent the acceptor from closing.
1227 	 *
1228 	 * XXX It is still possible for a tli application to send down data
1229 	 * on the accepting stream while another thread calls t_accept.
1230 	 * This should not be a problem for well-behaved applications since
1231 	 * the T_OK_ACK is sent after the queue swapping is completed.
1232 	 *
1233 	 * If the accepting fd is the same as the listening fd, avoid
1234 	 * queue hash lookup since that will return an eager listener in a
1235 	 * already established state.
1236 	 */
1237 	acceptor_id = tcr->ACCEPTOR_id;
1238 	mutex_enter(&listener->tcp_eager_lock);
1239 	if (listener->tcp_acceptor_id == acceptor_id) {
1240 		eager = listener->tcp_eager_next_q;
1241 		/* only count how many T_CONN_INDs so don't count q0 */
1242 		if ((listener->tcp_conn_req_cnt_q != 1) ||
1243 		    (eager->tcp_conn_req_seqnum != tcr->SEQ_number)) {
1244 			mutex_exit(&listener->tcp_eager_lock);
1245 			tcp_err_ack(listener, mp, TBADF, 0);
1246 			return;
1247 		}
1248 		if (listener->tcp_conn_req_cnt_q0 != 0) {
1249 			/* Throw away all the eagers on q0. */
1250 			tcp_eager_cleanup(listener, 1);
1251 		}
1252 		if (listener->tcp_syn_defense) {
1253 			listener->tcp_syn_defense = B_FALSE;
1254 			if (listener->tcp_ip_addr_cache != NULL) {
1255 				kmem_free(listener->tcp_ip_addr_cache,
1256 				    IP_ADDR_CACHE_SIZE * sizeof (ipaddr_t));
1257 				listener->tcp_ip_addr_cache = NULL;
1258 			}
1259 		}
1260 		/*
1261 		 * Transfer tcp_conn_req_max to the eager so that when
1262 		 * a disconnect occurs we can revert the endpoint to the
1263 		 * listen state.
1264 		 */
1265 		eager->tcp_conn_req_max = listener->tcp_conn_req_max;
1266 		ASSERT(listener->tcp_conn_req_cnt_q0 == 0);
1267 		/*
1268 		 * Get a reference on the acceptor just like the
1269 		 * tcp_acceptor_hash_lookup below.
1270 		 */
1271 		acceptor = listener;
1272 		CONN_INC_REF(acceptor->tcp_connp);
1273 	} else {
1274 		acceptor = tcp_acceptor_hash_lookup(acceptor_id, tcps);
1275 		if (acceptor == NULL) {
1276 			if (listener->tcp_connp->conn_debug) {
1277 				(void) strlog(TCP_MOD_ID, 0, 1,
1278 				    SL_ERROR|SL_TRACE,
1279 				    "tcp_accept: did not find acceptor 0x%x\n",
1280 				    acceptor_id);
1281 			}
1282 			mutex_exit(&listener->tcp_eager_lock);
1283 			tcp_err_ack(listener, mp, TPROVMISMATCH, 0);
1284 			return;
1285 		}
1286 		/*
1287 		 * Verify acceptor state. The acceptable states for an acceptor
1288 		 * include TCPS_IDLE and TCPS_BOUND.
1289 		 */
1290 		switch (acceptor->tcp_state) {
1291 		case TCPS_IDLE:
1292 			/* FALLTHRU */
1293 		case TCPS_BOUND:
1294 			break;
1295 		default:
1296 			CONN_DEC_REF(acceptor->tcp_connp);
1297 			mutex_exit(&listener->tcp_eager_lock);
1298 			tcp_err_ack(listener, mp, TOUTSTATE, 0);
1299 			return;
1300 		}
1301 	}
1302 
1303 	/* The listener must be in TCPS_LISTEN */
1304 	if (listener->tcp_state != TCPS_LISTEN) {
1305 		CONN_DEC_REF(acceptor->tcp_connp);
1306 		mutex_exit(&listener->tcp_eager_lock);
1307 		tcp_err_ack(listener, mp, TOUTSTATE, 0);
1308 		return;
1309 	}
1310 
1311 	/*
1312 	 * Rendezvous with an eager connection request packet hanging off
1313 	 * 'tcp' that has the 'seqnum' tag.  We tagged the detached open
1314 	 * tcp structure when the connection packet arrived in
1315 	 * tcp_input_listener().
1316 	 */
1317 	seqnum = tcr->SEQ_number;
1318 	eager = listener;
1319 	do {
1320 		eager = eager->tcp_eager_next_q;
1321 		if (eager == NULL) {
1322 			CONN_DEC_REF(acceptor->tcp_connp);
1323 			mutex_exit(&listener->tcp_eager_lock);
1324 			tcp_err_ack(listener, mp, TBADSEQ, 0);
1325 			return;
1326 		}
1327 	} while (eager->tcp_conn_req_seqnum != seqnum);
1328 	mutex_exit(&listener->tcp_eager_lock);
1329 
1330 	/*
1331 	 * At this point, both acceptor and listener have 2 ref
1332 	 * that they begin with. Acceptor has one additional ref
1333 	 * we placed in lookup while listener has 3 additional
1334 	 * ref for being behind the squeue (tcp_accept() is
1335 	 * done on listener's squeue); being in classifier hash;
1336 	 * and eager's ref on listener.
1337 	 */
1338 	ASSERT(listener->tcp_connp->conn_ref >= 5);
1339 	ASSERT(acceptor->tcp_connp->conn_ref >= 3);
1340 
1341 	/*
1342 	 * The eager at this point is set in its own squeue and
1343 	 * could easily have been killed (tcp_accept_finish will
1344 	 * deal with that) because of a TH_RST so we can only
1345 	 * ASSERT for a single ref.
1346 	 */
1347 	ASSERT(eager->tcp_connp->conn_ref >= 1);
1348 
1349 	/*
1350 	 * Pre allocate the discon_ind mblk also. tcp_accept_finish will
1351 	 * use it if something failed.
1352 	 */
1353 	discon_mp = allocb(MAX(sizeof (struct T_discon_ind),
1354 	    sizeof (struct stroptions)), BPRI_HI);
1355 	if (discon_mp == NULL) {
1356 		CONN_DEC_REF(acceptor->tcp_connp);
1357 		CONN_DEC_REF(eager->tcp_connp);
1358 		tcp_err_ack(listener, mp, TSYSERR, ENOMEM);
1359 		return;
1360 	}
1361 
1362 	econnp = eager->tcp_connp;
1363 
1364 	/* Hold a copy of mp, in case reallocb fails */
1365 	if ((mp1 = copymsg(mp)) == NULL) {
1366 		CONN_DEC_REF(acceptor->tcp_connp);
1367 		CONN_DEC_REF(eager->tcp_connp);
1368 		freemsg(discon_mp);
1369 		tcp_err_ack(listener, mp, TSYSERR, ENOMEM);
1370 		return;
1371 	}
1372 
1373 	tcr = (struct T_conn_res *)mp1->b_rptr;
1374 
1375 	/*
1376 	 * This is an expanded version of mi_tpi_ok_ack_alloc()
1377 	 * which allocates a larger mblk and appends the new
1378 	 * local address to the ok_ack.  The address is copied by
1379 	 * soaccept() for getsockname().
1380 	 */
1381 	{
1382 		int extra;
1383 
1384 		extra = (econnp->conn_family == AF_INET) ?
1385 		    sizeof (sin_t) : sizeof (sin6_t);
1386 
1387 		/*
1388 		 * Try to re-use mp, if possible.  Otherwise, allocate
1389 		 * an mblk and return it as ok_mp.  In any case, mp
1390 		 * is no longer usable upon return.
1391 		 */
1392 		if ((ok_mp = mi_tpi_ok_ack_alloc_extra(mp, extra)) == NULL) {
1393 			CONN_DEC_REF(acceptor->tcp_connp);
1394 			CONN_DEC_REF(eager->tcp_connp);
1395 			freemsg(discon_mp);
1396 			/* Original mp has been freed by now, so use mp1 */
1397 			tcp_err_ack(listener, mp1, TSYSERR, ENOMEM);
1398 			return;
1399 		}
1400 
1401 		mp = NULL;	/* We should never use mp after this point */
1402 
1403 		switch (extra) {
1404 		case sizeof (sin_t): {
1405 			sin_t *sin = (sin_t *)ok_mp->b_wptr;
1406 
1407 			ok_mp->b_wptr += extra;
1408 			sin->sin_family = AF_INET;
1409 			sin->sin_port = econnp->conn_lport;
1410 			sin->sin_addr.s_addr = econnp->conn_laddr_v4;
1411 			break;
1412 		}
1413 		case sizeof (sin6_t): {
1414 			sin6_t *sin6 = (sin6_t *)ok_mp->b_wptr;
1415 
1416 			ok_mp->b_wptr += extra;
1417 			sin6->sin6_family = AF_INET6;
1418 			sin6->sin6_port = econnp->conn_lport;
1419 			sin6->sin6_addr = econnp->conn_laddr_v6;
1420 			sin6->sin6_flowinfo = econnp->conn_flowinfo;
1421 			if (IN6_IS_ADDR_LINKSCOPE(&econnp->conn_laddr_v6) &&
1422 			    (econnp->conn_ixa->ixa_flags & IXAF_SCOPEID_SET)) {
1423 				sin6->sin6_scope_id =
1424 				    econnp->conn_ixa->ixa_scopeid;
1425 			} else {
1426 				sin6->sin6_scope_id = 0;
1427 			}
1428 			sin6->__sin6_src_id = 0;
1429 			break;
1430 		}
1431 		default:
1432 			break;
1433 		}
1434 		ASSERT(ok_mp->b_wptr <= ok_mp->b_datap->db_lim);
1435 	}
1436 
1437 	/*
1438 	 * If there are no options we know that the T_CONN_RES will
1439 	 * succeed. However, we can't send the T_OK_ACK upstream until
1440 	 * the tcp_accept_swap is done since it would be dangerous to
1441 	 * let the application start using the new fd prior to the swap.
1442 	 */
1443 	tcp_accept_swap(listener, acceptor, eager);
1444 
1445 	/*
1446 	 * tcp_accept_swap unlinks eager from listener but does not drop
1447 	 * the eager's reference on the listener.
1448 	 */
1449 	ASSERT(eager->tcp_listener == NULL);
1450 	ASSERT(listener->tcp_connp->conn_ref >= 5);
1451 
1452 	/*
1453 	 * The eager is now associated with its own queue. Insert in
1454 	 * the hash so that the connection can be reused for a future
1455 	 * T_CONN_RES.
1456 	 */
1457 	tcp_acceptor_hash_insert(acceptor_id, eager);
1458 
1459 	/*
1460 	 * We now do the processing of options with T_CONN_RES.
1461 	 * We delay till now since we wanted to have queue to pass to
1462 	 * option processing routines that points back to the right
1463 	 * instance structure which does not happen until after
1464 	 * tcp_accept_swap().
1465 	 *
1466 	 * Note:
1467 	 * The sanity of the logic here assumes that whatever options
1468 	 * are appropriate to inherit from listner=>eager are done
1469 	 * before this point, and whatever were to be overridden (or not)
1470 	 * in transfer logic from eager=>acceptor in tcp_accept_swap().
1471 	 * [ Warning: acceptor endpoint can have T_OPTMGMT_REQ done to it
1472 	 *   before its ACCEPTOR_id comes down in T_CONN_RES ]
1473 	 * This may not be true at this point in time but can be fixed
1474 	 * independently. This option processing code starts with
1475 	 * the instantiated acceptor instance and the final queue at
1476 	 * this point.
1477 	 */
1478 
1479 	if (tcr->OPT_length != 0) {
1480 		/* Options to process */
1481 		int t_error = 0;
1482 		int sys_error = 0;
1483 		int do_disconnect = 0;
1484 
1485 		if (tcp_conprim_opt_process(eager, mp1,
1486 		    &do_disconnect, &t_error, &sys_error) < 0) {
1487 			eager->tcp_accept_error = 1;
1488 			if (do_disconnect) {
1489 				/*
1490 				 * An option failed which does not allow
1491 				 * connection to be accepted.
1492 				 *
1493 				 * We allow T_CONN_RES to succeed and
1494 				 * put a T_DISCON_IND on the eager queue.
1495 				 */
1496 				ASSERT(t_error == 0 && sys_error == 0);
1497 				eager->tcp_send_discon_ind = 1;
1498 			} else {
1499 				ASSERT(t_error != 0);
1500 				freemsg(ok_mp);
1501 				/*
1502 				 * Original mp was either freed or set
1503 				 * to ok_mp above, so use mp1 instead.
1504 				 */
1505 				tcp_err_ack(listener, mp1, t_error, sys_error);
1506 				goto finish;
1507 			}
1508 		}
1509 		/*
1510 		 * Most likely success in setting options (except if
1511 		 * eager->tcp_send_discon_ind set).
1512 		 * mp1 option buffer represented by OPT_length/offset
1513 		 * potentially modified and contains results of setting
1514 		 * options at this point
1515 		 */
1516 	}
1517 
1518 	/* We no longer need mp1, since all options processing has passed */
1519 	freemsg(mp1);
1520 
1521 	putnext(listener->tcp_connp->conn_rq, ok_mp);
1522 
1523 	mutex_enter(&listener->tcp_eager_lock);
1524 	if (listener->tcp_eager_prev_q0->tcp_conn_def_q0) {
1525 		tcp_t	*tail;
1526 		mblk_t	*conn_ind;
1527 
1528 		/*
1529 		 * This path should not be executed if listener and
1530 		 * acceptor streams are the same.
1531 		 */
1532 		ASSERT(listener != acceptor);
1533 
1534 		tcp = listener->tcp_eager_prev_q0;
1535 		/*
1536 		 * listener->tcp_eager_prev_q0 points to the TAIL of the
1537 		 * deferred T_conn_ind queue. We need to get to the head of
1538 		 * the queue in order to send up T_conn_ind the same order as
1539 		 * how the 3WHS is completed.
1540 		 */
1541 		while (tcp != listener) {
1542 			if (!tcp->tcp_eager_prev_q0->tcp_conn_def_q0)
1543 				break;
1544 			else
1545 				tcp = tcp->tcp_eager_prev_q0;
1546 		}
1547 		ASSERT(tcp != listener);
1548 		conn_ind = tcp->tcp_conn.tcp_eager_conn_ind;
1549 		ASSERT(conn_ind != NULL);
1550 		tcp->tcp_conn.tcp_eager_conn_ind = NULL;
1551 
1552 		/* Move from q0 to q */
1553 		ASSERT(listener->tcp_conn_req_cnt_q0 > 0);
1554 		listener->tcp_conn_req_cnt_q0--;
1555 		listener->tcp_conn_req_cnt_q++;
1556 		tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
1557 		    tcp->tcp_eager_prev_q0;
1558 		tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
1559 		    tcp->tcp_eager_next_q0;
1560 		tcp->tcp_eager_prev_q0 = NULL;
1561 		tcp->tcp_eager_next_q0 = NULL;
1562 		tcp->tcp_conn_def_q0 = B_FALSE;
1563 
1564 		/* Make sure the tcp isn't in the list of droppables */
1565 		ASSERT(tcp->tcp_eager_next_drop_q0 == NULL &&
1566 		    tcp->tcp_eager_prev_drop_q0 == NULL);
1567 
1568 		/*
1569 		 * Insert at end of the queue because sockfs sends
1570 		 * down T_CONN_RES in chronological order. Leaving
1571 		 * the older conn indications at front of the queue
1572 		 * helps reducing search time.
1573 		 */
1574 		tail = listener->tcp_eager_last_q;
1575 		if (tail != NULL)
1576 			tail->tcp_eager_next_q = tcp;
1577 		else
1578 			listener->tcp_eager_next_q = tcp;
1579 		listener->tcp_eager_last_q = tcp;
1580 		tcp->tcp_eager_next_q = NULL;
1581 		mutex_exit(&listener->tcp_eager_lock);
1582 		putnext(tcp->tcp_connp->conn_rq, conn_ind);
1583 	} else {
1584 		mutex_exit(&listener->tcp_eager_lock);
1585 	}
1586 
1587 	/*
1588 	 * Done with the acceptor - free it
1589 	 *
1590 	 * Note: from this point on, no access to listener should be made
1591 	 * as listener can be equal to acceptor.
1592 	 */
1593 finish:
1594 	ASSERT(acceptor->tcp_detached);
1595 	acceptor->tcp_connp->conn_rq = NULL;
1596 	ASSERT(!IPCL_IS_NONSTR(acceptor->tcp_connp));
1597 	acceptor->tcp_connp->conn_wq = NULL;
1598 	(void) tcp_clean_death(acceptor, 0);
1599 	CONN_DEC_REF(acceptor->tcp_connp);
1600 
1601 	/*
1602 	 * We pass discon_mp to tcp_accept_finish to get on the right squeue.
1603 	 *
1604 	 * It will update the setting for sockfs/stream head and also take
1605 	 * care of any data that arrived before accept() wad called.
1606 	 * In case we already received a FIN then tcp_accept_finish will send up
1607 	 * the ordrel. It will also send up a window update if the window
1608 	 * has opened up.
1609 	 */
1610 
1611 	/*
1612 	 * XXX: we currently have a problem if XTI application closes the
1613 	 * acceptor stream in between. This problem exists in on10-gate also
1614 	 * and is well know but nothing can be done short of major rewrite
1615 	 * to fix it. Now it is possible to take care of it by assigning TLI/XTI
1616 	 * eager same squeue as listener (we can distinguish non socket
1617 	 * listeners at the time of handling a SYN in tcp_input_listener)
1618 	 * and do most of the work that tcp_accept_finish does here itself
1619 	 * and then get behind the acceptor squeue to access the acceptor
1620 	 * queue.
1621 	 */
1622 	/*
1623 	 * We already have a ref on tcp so no need to do one before squeue_enter
1624 	 */
1625 	SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, discon_mp,
1626 	    tcp_accept_finish, eager->tcp_connp, NULL, SQ_FILL,
1627 	    SQTAG_TCP_ACCEPT_FINISH);
1628 }
1629 
1630 
1631 /*
1632  * This is the STREAMS entry point for T_CONN_RES coming down on
1633  * Acceptor STREAM when  sockfs listener does accept processing.
1634  * Read the block comment on top of tcp_input_listener().
1635  */
1636 void
1637 tcp_tpi_accept(queue_t *q, mblk_t *mp)
1638 {
1639 	queue_t *rq = RD(q);
1640 	struct T_conn_res *conn_res;
1641 	tcp_t *eager;
1642 	tcp_t *listener;
1643 	struct T_ok_ack *ok;
1644 	t_scalar_t PRIM_type;
1645 	conn_t *econnp;
1646 	cred_t *cr;
1647 
1648 	ASSERT(DB_TYPE(mp) == M_PROTO);
1649 
1650 	/*
1651 	 * All Solaris components should pass a db_credp
1652 	 * for this TPI message, hence we ASSERT.
1653 	 * But in case there is some other M_PROTO that looks
1654 	 * like a TPI message sent by some other kernel
1655 	 * component, we check and return an error.
1656 	 */
1657 	cr = msg_getcred(mp, NULL);
1658 	ASSERT(cr != NULL);
1659 	if (cr == NULL) {
1660 		mp = mi_tpi_err_ack_alloc(mp, TSYSERR, EINVAL);
1661 		if (mp != NULL)
1662 			putnext(rq, mp);
1663 		return;
1664 	}
1665 	conn_res = (struct T_conn_res *)mp->b_rptr;
1666 	ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <= (uintptr_t)INT_MAX);
1667 	if ((mp->b_wptr - mp->b_rptr) < sizeof (struct T_conn_res)) {
1668 		mp = mi_tpi_err_ack_alloc(mp, TPROTO, 0);
1669 		if (mp != NULL)
1670 			putnext(rq, mp);
1671 		return;
1672 	}
1673 	switch (conn_res->PRIM_type) {
1674 	case O_T_CONN_RES:
1675 	case T_CONN_RES:
1676 		/*
1677 		 * We pass up an err ack if allocb fails. This will
1678 		 * cause sockfs to issue a T_DISCON_REQ which will cause
1679 		 * tcp_eager_blowoff to be called. sockfs will then call
1680 		 * rq->q_qinfo->qi_qclose to cleanup the acceptor stream.
1681 		 * we need to do the allocb up here because we have to
1682 		 * make sure rq->q_qinfo->qi_qclose still points to the
1683 		 * correct function (tcp_tpi_close_accept) in case allocb
1684 		 * fails.
1685 		 */
1686 		bcopy(mp->b_rptr + conn_res->OPT_offset,
1687 		    &eager, conn_res->OPT_length);
1688 		PRIM_type = conn_res->PRIM_type;
1689 		mp->b_datap->db_type = M_PCPROTO;
1690 		mp->b_wptr = mp->b_rptr + sizeof (struct T_ok_ack);
1691 		ok = (struct T_ok_ack *)mp->b_rptr;
1692 		ok->PRIM_type = T_OK_ACK;
1693 		ok->CORRECT_prim = PRIM_type;
1694 		econnp = eager->tcp_connp;
1695 		econnp->conn_dev = (dev_t)RD(q)->q_ptr;
1696 		econnp->conn_minor_arena = (vmem_t *)(WR(q)->q_ptr);
1697 		econnp->conn_rq = rq;
1698 		econnp->conn_wq = q;
1699 		rq->q_ptr = econnp;
1700 		rq->q_qinfo = &tcp_rinitv4;	/* No open - same as rinitv6 */
1701 		q->q_ptr = econnp;
1702 		q->q_qinfo = &tcp_winit;
1703 		listener = eager->tcp_listener;
1704 
1705 		if (tcp_accept_common(listener->tcp_connp,
1706 		    econnp, cr) < 0) {
1707 			mp = mi_tpi_err_ack_alloc(mp, TPROTO, 0);
1708 			if (mp != NULL)
1709 				putnext(rq, mp);
1710 			return;
1711 		}
1712 
1713 		/*
1714 		 * Send the new local address also up to sockfs. There
1715 		 * should already be enough space in the mp that came
1716 		 * down from soaccept().
1717 		 */
1718 		if (econnp->conn_family == AF_INET) {
1719 			sin_t *sin;
1720 
1721 			ASSERT((mp->b_datap->db_lim - mp->b_datap->db_base) >=
1722 			    (sizeof (struct T_ok_ack) + sizeof (sin_t)));
1723 			sin = (sin_t *)mp->b_wptr;
1724 			mp->b_wptr += sizeof (sin_t);
1725 			sin->sin_family = AF_INET;
1726 			sin->sin_port = econnp->conn_lport;
1727 			sin->sin_addr.s_addr = econnp->conn_laddr_v4;
1728 		} else {
1729 			sin6_t *sin6;
1730 
1731 			ASSERT((mp->b_datap->db_lim - mp->b_datap->db_base) >=
1732 			    sizeof (struct T_ok_ack) + sizeof (sin6_t));
1733 			sin6 = (sin6_t *)mp->b_wptr;
1734 			mp->b_wptr += sizeof (sin6_t);
1735 			sin6->sin6_family = AF_INET6;
1736 			sin6->sin6_port = econnp->conn_lport;
1737 			sin6->sin6_addr = econnp->conn_laddr_v6;
1738 			if (econnp->conn_ipversion == IPV4_VERSION)
1739 				sin6->sin6_flowinfo = 0;
1740 			else
1741 				sin6->sin6_flowinfo = econnp->conn_flowinfo;
1742 			if (IN6_IS_ADDR_LINKSCOPE(&econnp->conn_laddr_v6) &&
1743 			    (econnp->conn_ixa->ixa_flags & IXAF_SCOPEID_SET)) {
1744 				sin6->sin6_scope_id =
1745 				    econnp->conn_ixa->ixa_scopeid;
1746 			} else {
1747 				sin6->sin6_scope_id = 0;
1748 			}
1749 			sin6->__sin6_src_id = 0;
1750 		}
1751 
1752 		putnext(rq, mp);
1753 		return;
1754 	default:
1755 		mp = mi_tpi_err_ack_alloc(mp, TNOTSUPPORT, 0);
1756 		if (mp != NULL)
1757 			putnext(rq, mp);
1758 		return;
1759 	}
1760 }
1761 
1762 /*
1763  * Send the newconn notification to ulp. The eager is blown off if the
1764  * notification fails.
1765  */
1766 static void
1767 tcp_ulp_newconn(conn_t *lconnp, conn_t *econnp, mblk_t *mp)
1768 {
1769 	if (IPCL_IS_NONSTR(lconnp)) {
1770 		cred_t	*cr;
1771 		pid_t	cpid = NOPID;
1772 
1773 		ASSERT(econnp->conn_tcp->tcp_listener == lconnp->conn_tcp);
1774 		ASSERT(econnp->conn_tcp->tcp_saved_listener ==
1775 		    lconnp->conn_tcp);
1776 
1777 		cr = msg_getcred(mp, &cpid);
1778 
1779 		/* Keep the message around in case of a fallback to TPI */
1780 		econnp->conn_tcp->tcp_conn.tcp_eager_conn_ind = mp;
1781 		/*
1782 		 * Notify the ULP about the newconn. It is guaranteed that no
1783 		 * tcp_accept() call will be made for the eager if the
1784 		 * notification fails, so it's safe to blow it off in that
1785 		 * case.
1786 		 *
1787 		 * The upper handle will be assigned when tcp_accept() is
1788 		 * called.
1789 		 */
1790 		if ((*lconnp->conn_upcalls->su_newconn)
1791 		    (lconnp->conn_upper_handle,
1792 		    (sock_lower_handle_t)econnp,
1793 		    &sock_tcp_downcalls, cr, cpid,
1794 		    &econnp->conn_upcalls) == NULL) {
1795 			/* Failed to allocate a socket */
1796 			TCPS_BUMP_MIB(lconnp->conn_tcp->tcp_tcps,
1797 			    tcpEstabResets);
1798 			(void) tcp_eager_blowoff(lconnp->conn_tcp,
1799 			    econnp->conn_tcp->tcp_conn_req_seqnum);
1800 		}
1801 	} else {
1802 		putnext(lconnp->conn_rq, mp);
1803 	}
1804 }
1805 
1806 /*
1807  * The function called through squeue to get behind listener's perimeter to
1808  * send a deferred conn_ind.
1809  */
1810 /* ARGSUSED */
1811 void
1812 tcp_send_pending(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
1813 {
1814 	conn_t	*lconnp = (conn_t *)arg;
1815 	tcp_t *listener = lconnp->conn_tcp;
1816 	struct T_conn_ind *conn_ind;
1817 	tcp_t *tcp;
1818 
1819 	conn_ind = (struct T_conn_ind *)mp->b_rptr;
1820 	bcopy(mp->b_rptr + conn_ind->OPT_offset, &tcp,
1821 	    conn_ind->OPT_length);
1822 
1823 	if (listener->tcp_state != TCPS_LISTEN) {
1824 		/*
1825 		 * If listener has closed, it would have caused a
1826 		 * a cleanup/blowoff to happen for the eager, so
1827 		 * we don't need to do anything more.
1828 		 */
1829 		freemsg(mp);
1830 		return;
1831 	}
1832 
1833 	tcp_ulp_newconn(lconnp, tcp->tcp_connp, mp);
1834 }
1835 
1836 /*
1837  * Sends the T_CONN_IND to the listener. The caller calls this
1838  * functions via squeue to get inside the listener's perimeter
1839  * once the 3 way hand shake is done a T_CONN_IND needs to be
1840  * sent. As an optimization, the caller can call this directly
1841  * if listener's perimeter is same as eager's.
1842  */
1843 /* ARGSUSED */
1844 void
1845 tcp_send_conn_ind(void *arg, mblk_t *mp, void *arg2)
1846 {
1847 	conn_t			*lconnp = (conn_t *)arg;
1848 	tcp_t			*listener = lconnp->conn_tcp;
1849 	tcp_t			*tcp;
1850 	struct T_conn_ind	*conn_ind;
1851 	ipaddr_t 		*addr_cache;
1852 	boolean_t		need_send_conn_ind = B_FALSE;
1853 	tcp_stack_t		*tcps = listener->tcp_tcps;
1854 
1855 	/* retrieve the eager */
1856 	conn_ind = (struct T_conn_ind *)mp->b_rptr;
1857 	ASSERT(conn_ind->OPT_offset != 0 &&
1858 	    conn_ind->OPT_length == sizeof (intptr_t));
1859 	bcopy(mp->b_rptr + conn_ind->OPT_offset, &tcp,
1860 	    conn_ind->OPT_length);
1861 
1862 	/*
1863 	 * TLI/XTI applications will get confused by
1864 	 * sending eager as an option since it violates
1865 	 * the option semantics. So remove the eager as
1866 	 * option since TLI/XTI app doesn't need it anyway.
1867 	 */
1868 	if (!TCP_IS_SOCKET(listener)) {
1869 		conn_ind->OPT_length = 0;
1870 		conn_ind->OPT_offset = 0;
1871 	}
1872 	if (listener->tcp_state != TCPS_LISTEN) {
1873 		/*
1874 		 * If listener has closed, it would have caused a
1875 		 * a cleanup/blowoff to happen for the eager. We
1876 		 * just need to return.
1877 		 */
1878 		freemsg(mp);
1879 		return;
1880 	}
1881 
1882 
1883 	/*
1884 	 * if the conn_req_q is full defer passing up the
1885 	 * T_CONN_IND until space is availabe after t_accept()
1886 	 * processing
1887 	 */
1888 	mutex_enter(&listener->tcp_eager_lock);
1889 
1890 	/*
1891 	 * Take the eager out, if it is in the list of droppable eagers
1892 	 * as we are here because the 3W handshake is over.
1893 	 */
1894 	MAKE_UNDROPPABLE(tcp);
1895 
1896 	if (listener->tcp_conn_req_cnt_q < listener->tcp_conn_req_max) {
1897 		tcp_t *tail;
1898 
1899 		/*
1900 		 * The eager already has an extra ref put in tcp_input_data
1901 		 * so that it stays till accept comes back even though it
1902 		 * might get into TCPS_CLOSED as a result of a TH_RST etc.
1903 		 */
1904 		ASSERT(listener->tcp_conn_req_cnt_q0 > 0);
1905 		listener->tcp_conn_req_cnt_q0--;
1906 		listener->tcp_conn_req_cnt_q++;
1907 
1908 		/* Move from SYN_RCVD to ESTABLISHED list  */
1909 		tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
1910 		    tcp->tcp_eager_prev_q0;
1911 		tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
1912 		    tcp->tcp_eager_next_q0;
1913 		tcp->tcp_eager_prev_q0 = NULL;
1914 		tcp->tcp_eager_next_q0 = NULL;
1915 
1916 		/*
1917 		 * Insert at end of the queue because sockfs
1918 		 * sends down T_CONN_RES in chronological
1919 		 * order. Leaving the older conn indications
1920 		 * at front of the queue helps reducing search
1921 		 * time.
1922 		 */
1923 		tail = listener->tcp_eager_last_q;
1924 		if (tail != NULL)
1925 			tail->tcp_eager_next_q = tcp;
1926 		else
1927 			listener->tcp_eager_next_q = tcp;
1928 		listener->tcp_eager_last_q = tcp;
1929 		tcp->tcp_eager_next_q = NULL;
1930 		/*
1931 		 * Delay sending up the T_conn_ind until we are
1932 		 * done with the eager. Once we have have sent up
1933 		 * the T_conn_ind, the accept can potentially complete
1934 		 * any time and release the refhold we have on the eager.
1935 		 */
1936 		need_send_conn_ind = B_TRUE;
1937 	} else {
1938 		/*
1939 		 * Defer connection on q0 and set deferred
1940 		 * connection bit true
1941 		 */
1942 		tcp->tcp_conn_def_q0 = B_TRUE;
1943 
1944 		/* take tcp out of q0 ... */
1945 		tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
1946 		    tcp->tcp_eager_next_q0;
1947 		tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
1948 		    tcp->tcp_eager_prev_q0;
1949 
1950 		/* ... and place it at the end of q0 */
1951 		tcp->tcp_eager_prev_q0 = listener->tcp_eager_prev_q0;
1952 		tcp->tcp_eager_next_q0 = listener;
1953 		listener->tcp_eager_prev_q0->tcp_eager_next_q0 = tcp;
1954 		listener->tcp_eager_prev_q0 = tcp;
1955 		tcp->tcp_conn.tcp_eager_conn_ind = mp;
1956 	}
1957 
1958 	/* we have timed out before */
1959 	if (tcp->tcp_syn_rcvd_timeout != 0) {
1960 		tcp->tcp_syn_rcvd_timeout = 0;
1961 		listener->tcp_syn_rcvd_timeout--;
1962 		if (listener->tcp_syn_defense &&
1963 		    listener->tcp_syn_rcvd_timeout <=
1964 		    (tcps->tcps_conn_req_max_q0 >> 5) &&
1965 		    10*MINUTES < TICK_TO_MSEC(ddi_get_lbolt64() -
1966 		    listener->tcp_last_rcv_lbolt)) {
1967 			/*
1968 			 * Turn off the defense mode if we
1969 			 * believe the SYN attack is over.
1970 			 */
1971 			listener->tcp_syn_defense = B_FALSE;
1972 			if (listener->tcp_ip_addr_cache) {
1973 				kmem_free((void *)listener->tcp_ip_addr_cache,
1974 				    IP_ADDR_CACHE_SIZE * sizeof (ipaddr_t));
1975 				listener->tcp_ip_addr_cache = NULL;
1976 			}
1977 		}
1978 	}
1979 	addr_cache = (ipaddr_t *)(listener->tcp_ip_addr_cache);
1980 	if (addr_cache != NULL) {
1981 		/*
1982 		 * We have finished a 3-way handshake with this
1983 		 * remote host. This proves the IP addr is good.
1984 		 * Cache it!
1985 		 */
1986 		addr_cache[IP_ADDR_CACHE_HASH(tcp->tcp_connp->conn_faddr_v4)] =
1987 		    tcp->tcp_connp->conn_faddr_v4;
1988 	}
1989 	mutex_exit(&listener->tcp_eager_lock);
1990 	if (need_send_conn_ind)
1991 		tcp_ulp_newconn(lconnp, tcp->tcp_connp, mp);
1992 }
1993