xref: /titanic_51/usr/src/uts/common/io/ppp/sppptun/sppptun.c (revision 29493bd8e037cbaea9095b34172305abb589cb6b)
1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 #include <sys/types.h>
9 #include <sys/debug.h>
10 #include <sys/param.h>
11 #include <sys/stat.h>
12 #include <sys/systm.h>
13 #include <sys/socket.h>
14 #include <sys/stream.h>
15 #include <sys/stropts.h>
16 #include <sys/errno.h>
17 #include <sys/time.h>
18 #include <sys/cmn_err.h>
19 #include <sys/sdt.h>
20 #include <sys/conf.h>
21 #include <sys/dlpi.h>
22 #include <sys/ddi.h>
23 #include <sys/kstat.h>
24 #include <sys/strsun.h>
25 #include <sys/bitmap.h>
26 #include <sys/sysmacros.h>
27 #include <sys/note.h>
28 #include <sys/policy.h>
29 #include <net/ppp_defs.h>
30 #include <net/pppio.h>
31 #include <net/sppptun.h>
32 #include <net/pppoe.h>
33 #include <netinet/in.h>
34 
35 #include "s_common.h"
36 #include "sppptun_mod.h"
37 #include "sppptun_impl.h"
38 
39 #define	NTUN_INITIAL 16			/* Initial number of sppptun slots */
40 #define	NTUN_PERCENT 5			/* Percent of memory to use */
41 
42 /*
43  * This is used to tag official Solaris sources.  Please do not define
44  * "INTERNAL_BUILD" when building this software outside of Sun
45  * Microsystems.
46  */
47 #ifdef INTERNAL_BUILD
48 /* MODINFO is limited to 32 characters. */
49 const char sppptun_driver_description[] = "PPP 4.0 tunnel driver";
50 const char sppptun_module_description[] = "PPP 4.0 tunnel module";
51 #else
52 const char sppptun_driver_description[] = "ANU PPP tundrv $Revision: $";
53 const char sppptun_module_description[] = "ANU PPP tunmod $Revision: $";
54 
55 /* LINTED */
56 static const char buildtime[] = "Built " __DATE__ " at " __TIME__
57 #ifdef DEBUG
58 " DEBUG"
59 #endif
60 "\n";
61 #endif
62 
63 /*
64  * Tunable values; these are similar to the values used in ptms_conf.c.
65  * Override these settings via /etc/system.
66  */
67 uint_t	sppptun_cnt = 0;		/* Minimum number of tunnels */
68 size_t	sppptun_max_pty = 0;		/* Maximum number of tunnels */
69 uint_t	sppptun_init_cnt = NTUN_INITIAL; /* Initial number of tunnel slots */
70 uint_t	sppptun_pctofmem = NTUN_PERCENT; /* Percent of memory to use */
71 
72 typedef struct ether_dest_s {
73 	ether_addr_t addr;
74 	ushort_t type;
75 } ether_dest_t;
76 
77 /* Allows unaligned access. */
78 #define	GETLONG(x)	(((x)[0]<<24)|((x)[1]<<16)|((x)[2]<<8)|(x)[3])
79 
80 static const char *tll_kstats_list[] = { TLL_KSTATS_NAMES };
81 static const char *tcl_kstats_list[] = { TCL_KSTATS_NAMES };
82 
83 #define	KREF(p, m, vn)	p->m.vn.value.ui64
84 #define	KINCR(p, m, vn)	++KREF(p, m, vn)
85 #define	KDECR(p, m, vn)	--KREF(p, m, vn)
86 
87 #define	KLINCR(vn)	KINCR(tll, tll_kstats, vn)
88 #define	KLDECR(vn)	KDECR(tll, tll_kstats, vn)
89 
90 #define	KCINCR(vn)	KINCR(tcl, tcl_kstats, vn)
91 #define	KCDECR(vn)	KDECR(tcl, tcl_kstats, vn)
92 
93 static int	sppptun_open(queue_t *, dev_t *, int, int, cred_t *);
94 static int	sppptun_close(queue_t *);
95 static void	sppptun_urput(queue_t *, mblk_t *);
96 static void	sppptun_uwput(queue_t *, mblk_t *);
97 static int	sppptun_ursrv(queue_t *);
98 static int	sppptun_uwsrv(queue_t *);
99 static void	sppptun_lrput(queue_t *, mblk_t *);
100 static void	sppptun_lwput(queue_t *, mblk_t *);
101 
102 /*
103  * This is the hash table of clients.  Clients are the programs that
104  * open /dev/sppptun as a device.  There may be a large number of
105  * these; one per tunneled PPP session.
106  *
107  * Note: slots are offset from minor node value by 1 because
108  * vmem_alloc returns 0 for failure.
109  *
110  * The tcl_slots array entries are modified only when exclusive on
111  * both inner and outer perimeters.  This ensures that threads on
112  * shared perimeters always view this as unchanging memory with no
113  * need to lock around accesses.  (Specifically, the tcl_slots array
114  * is modified by entry to sppptun_open, sppptun_close, and _fini.)
115  */
116 static tuncl_t **tcl_slots = NULL;	/* Slots for tuncl_t */
117 static size_t tcl_nslots = 0;		/* Size of slot array */
118 static size_t tcl_minormax = 0;		/* Maximum number of tunnels */
119 static size_t tcl_inuse = 0;		/* # of tunnels currently allocated */
120 static krwlock_t tcl_rwlock;
121 static struct kmem_cache *tcl_cache = NULL;	/* tunnel cache */
122 static vmem_t *tcl_minor_arena = NULL; /* Arena for device minors */
123 
124 /*
125  * This is the simple list of lower layers.  For PPPoE, there is one
126  * of these per Ethernet interface.  Lower layers are established by
127  * "plumbing" -- using I_PLINK to connect the tunnel multiplexor to
128  * the physical interface.
129  */
130 static struct qelem tunll_list;
131 static int tunll_index;
132 
133 /* Test value; if all zeroes, then address hasn't been set yet. */
134 static const ether_addr_t zero_mac_addr = { 0, 0, 0, 0, 0, 0 };
135 
136 #define	MIN_SET_FASTPATH_UNITDATAREQ_SIZE	\
137 	(sizeof (dl_unitdata_req_t) + 4)
138 
139 #define	TUN_MI_ID	2104	/* officially allocated module ID */
140 #define	TUN_MI_MINPSZ	(0)
141 #define	TUN_MI_MAXPSZ	(PPP_MAXMTU)
142 #define	TUN_MI_HIWAT	(PPP_MTU * 8)
143 #define	TUN_MI_LOWAT	(128)
144 
145 static struct module_info sppptun_modinfo = {
146 	TUN_MI_ID,		/* mi_idnum */
147 	PPP_TUN_NAME,		/* mi_idname */
148 	TUN_MI_MINPSZ,		/* mi_minpsz */
149 	TUN_MI_MAXPSZ,		/* mi_maxpsz */
150 	TUN_MI_HIWAT,		/* mi_hiwat */
151 	TUN_MI_LOWAT		/* mi_lowat */
152 };
153 
154 static struct qinit sppptun_urinit = {
155 	(int (*)())sppptun_urput, /* qi_putp */
156 	sppptun_ursrv,		/* qi_srvp */
157 	sppptun_open,		/* qi_qopen */
158 	sppptun_close,		/* qi_qclose */
159 	NULL,			/* qi_qadmin */
160 	&sppptun_modinfo,	/* qi_minfo */
161 	NULL			/* qi_mstat */
162 };
163 
164 static struct qinit sppptun_uwinit = {
165 	(int (*)())sppptun_uwput, /* qi_putp */
166 	sppptun_uwsrv,		/* qi_srvp */
167 	NULL,			/* qi_qopen */
168 	NULL,			/* qi_qclose */
169 	NULL,			/* qi_qadmin */
170 	&sppptun_modinfo,	/* qi_minfo */
171 	NULL			/* qi_mstat */
172 };
173 
174 static struct qinit sppptun_lrinit = {
175 	(int (*)())sppptun_lrput, /* qi_putp */
176 	NULL,			/* qi_srvp */
177 	NULL,			/* qi_qopen */
178 	NULL,			/* qi_qclose */
179 	NULL,			/* qi_qadmin */
180 	&sppptun_modinfo,	/* qi_minfo */
181 	NULL			/* qi_mstat */
182 };
183 
184 static struct qinit sppptun_lwinit = {
185 	(int (*)())sppptun_lwput, /* qi_putp */
186 	NULL,			/* qi_srvp */
187 	NULL,			/* qi_qopen */
188 	NULL,			/* qi_qclose */
189 	NULL,			/* qi_qadmin */
190 	&sppptun_modinfo,	/* qi_minfo */
191 	NULL			/* qi_mstat */
192 };
193 
194 /*
195  * This is referenced in sppptun_mod.c.
196  */
197 struct streamtab sppptun_tab = {
198 	&sppptun_urinit,	/* st_rdinit */
199 	&sppptun_uwinit,	/* st_wrinit */
200 	&sppptun_lrinit,	/* st_muxrinit */
201 	&sppptun_lwinit		/* st_muxwrinit */
202 };
203 
204 /*
205  * Allocate another slot table twice as large as the original one
206  * (limited to global maximum).  Migrate all tunnels to the new slot
207  * table and free the original one.  Assumes we're exclusive on both
208  * inner and outer perimeters, and thus there are no other users of
209  * the tcl_slots array.
210  */
211 static minor_t
212 tcl_grow(void)
213 {
214 	minor_t old_size = tcl_nslots;
215 	minor_t new_size = 2 * old_size;
216 	tuncl_t **tcl_old = tcl_slots;
217 	tuncl_t **tcl_new;
218 	void  *vaddr;			/* vmem_add return value */
219 
220 	ASSERT(RW_LOCK_HELD(&tcl_rwlock));
221 
222 	/* Allocate new ptms array */
223 	tcl_new = kmem_zalloc(new_size * sizeof (tuncl_t *), KM_NOSLEEP);
224 	if (tcl_new == NULL)
225 		return ((minor_t)0);
226 
227 	/* Increase clone index space */
228 	vaddr = vmem_add(tcl_minor_arena, (void*)((uintptr_t)old_size + 1),
229 	    new_size - old_size, VM_NOSLEEP);
230 
231 	if (vaddr == NULL) {
232 		kmem_free(tcl_new, new_size * sizeof (tuncl_t *));
233 		return ((minor_t)0);
234 	}
235 
236 	/* Migrate tuncl_t entries to a new location */
237 	tcl_nslots = new_size;
238 	bcopy(tcl_old, tcl_new, old_size * sizeof (tuncl_t *));
239 	tcl_slots = tcl_new;
240 	kmem_free(tcl_old, old_size * sizeof (tuncl_t *));
241 
242 	/* Allocate minor number and return it */
243 	return ((minor_t)(uintptr_t)vmem_alloc(tcl_minor_arena, 1, VM_NOSLEEP));
244 }
245 
246 /*
247  * Allocate new minor number and tunnel client entry.  Returns the new
248  * entry or NULL if no memory or maximum number of entries reached.
249  * Assumes we're exclusive on both inner and outer perimeters, and
250  * thus there are no other users of the tcl_slots array.
251  */
252 static tuncl_t *
253 tuncl_alloc(int wantminor)
254 {
255 	minor_t dminor;
256 	tuncl_t *tcl = NULL;
257 
258 	rw_enter(&tcl_rwlock, RW_WRITER);
259 
260 	ASSERT(tcl_slots != NULL);
261 
262 	/*
263 	 * Always try to allocate new pty when sppptun_cnt minimum
264 	 * limit is not achieved. If it is achieved, the maximum is
265 	 * determined by either user-specified value (if it is
266 	 * non-zero) or our memory estimations - whatever is less.
267 	 */
268 	if (tcl_inuse >= sppptun_cnt) {
269 		/*
270 		 * When system achieved required minimum of tunnels,
271 		 * check for the denial of service limits.
272 		 *
273 		 * Get user-imposed maximum, if configured, or
274 		 * calculated memory constraint.
275 		 */
276 		size_t user_max = (sppptun_max_pty == 0 ? tcl_minormax :
277 		    min(sppptun_max_pty, tcl_minormax));
278 
279 		/* Do not try to allocate more than allowed */
280 		if (tcl_inuse >= user_max) {
281 			rw_exit(&tcl_rwlock);
282 			return (NULL);
283 		}
284 	}
285 	tcl_inuse++;
286 
287 	/*
288 	 * Allocate new minor number. If this fails, all slots are
289 	 * busy and we need to grow the hash.
290 	 */
291 	if (wantminor <= 0) {
292 		dminor = (minor_t)(uintptr_t)vmem_alloc(tcl_minor_arena, 1,
293 		    VM_NOSLEEP);
294 		if (dminor == 0) {
295 			/* Grow the cache and retry allocation */
296 			dminor = tcl_grow();
297 		}
298 	} else {
299 		dminor = (minor_t)(uintptr_t)vmem_xalloc(tcl_minor_arena, 1,
300 		    0, 0, 0, (void *)(uintptr_t)wantminor,
301 		    (void *)((uintptr_t)wantminor+1), VM_NOSLEEP);
302 		if (dminor != 0 && dminor != wantminor) {
303 			vmem_free(tcl_minor_arena, (void *)(uintptr_t)dminor,
304 			    1);
305 			dminor = 0;
306 		}
307 	}
308 
309 	if (dminor == 0) {
310 		/* Not enough memory now */
311 		tcl_inuse--;
312 		rw_exit(&tcl_rwlock);
313 		return (NULL);
314 	}
315 
316 	tcl = kmem_cache_alloc(tcl_cache, KM_NOSLEEP);
317 	if (tcl == NULL) {
318 		/* Not enough memory - this entry can't be used now. */
319 		vmem_free(tcl_minor_arena, (void *)(uintptr_t)dminor, 1);
320 		tcl_inuse--;
321 	} else {
322 		bzero(tcl, sizeof (*tcl));
323 		tcl->tcl_lsessid = dminor;
324 		ASSERT(tcl_slots[dminor - 1] == NULL);
325 		tcl_slots[dminor - 1] = tcl;
326 	}
327 
328 	rw_exit(&tcl_rwlock);
329 	return (tcl);
330 }
331 
332 /*
333  * This routine frees an upper level (client) stream by removing it
334  * from the minor number pool and freeing the state structure storage.
335  * Assumes we're exclusive on both inner and outer perimeters, and
336  * thus there are no other concurrent users of the tcl_slots array or
337  * of any entry in that array.
338  */
339 static void
340 tuncl_free(tuncl_t *tcl)
341 {
342 	rw_enter(&tcl_rwlock, RW_WRITER);
343 	ASSERT(tcl->tcl_lsessid <= tcl_nslots);
344 	ASSERT(tcl_slots[tcl->tcl_lsessid - 1] == tcl);
345 	ASSERT(tcl_inuse > 0);
346 	tcl_inuse--;
347 	tcl_slots[tcl->tcl_lsessid - 1] = NULL;
348 
349 	if (tcl->tcl_ksp != NULL) {
350 		kstat_delete(tcl->tcl_ksp);
351 		tcl->tcl_ksp = NULL;
352 	}
353 
354 	/* Return minor number to the pool of minors */
355 	vmem_free(tcl_minor_arena, (void *)(uintptr_t)tcl->tcl_lsessid, 1);
356 
357 	/* Return tuncl_t to the cache */
358 	kmem_cache_free(tcl_cache, tcl);
359 	rw_exit(&tcl_rwlock);
360 }
361 
362 /*
363  * Get tuncl_t structure by minor number.  Returns NULL when minor is
364  * out of range.  Note that lookup of tcl pointers (and use of those
365  * pointers) is safe because modification is done only when exclusive
366  * on both inner and outer perimeters.
367  */
368 static tuncl_t *
369 tcl_by_minor(minor_t dminor)
370 {
371 	tuncl_t *tcl = NULL;
372 
373 	if ((dminor >= 1) && (dminor <= tcl_nslots) && tcl_slots != NULL) {
374 		tcl = tcl_slots[dminor - 1];
375 	}
376 
377 	return (tcl);
378 }
379 
380 /*
381  * Set up kstats for upper or lower stream.
382  */
383 static kstat_t *
384 kstat_setup(kstat_named_t *knt, const char **names, int nstat,
385     const char *modname, int unitnum)
386 {
387 	kstat_t *ksp;
388 	char unitname[KSTAT_STRLEN];
389 	int i;
390 
391 	for (i = 0; i < nstat; i++) {
392 		kstat_set_string(knt[i].name, names[i]);
393 		knt[i].data_type = KSTAT_DATA_UINT64;
394 	}
395 	(void) sprintf(unitname, "%s" "%d", modname, unitnum);
396 	ksp = kstat_create(modname, unitnum, unitname, "net",
397 	    KSTAT_TYPE_NAMED, nstat, KSTAT_FLAG_VIRTUAL);
398 	if (ksp != NULL) {
399 		ksp->ks_data = (void *)knt;
400 		kstat_install(ksp);
401 	}
402 	return (ksp);
403 }
404 
405 /*
406  * sppptun_open()
407  *
408  * MT-Perimeters:
409  *    exclusive inner, exclusive outer.
410  *
411  * Description:
412  *    Common open procedure for module and driver.
413  */
414 static int
415 sppptun_open(queue_t *q, dev_t *devp, int oflag, int sflag, cred_t *credp)
416 {
417 	_NOTE(ARGUNUSED(oflag))
418 
419 	/* Allow a re-open */
420 	if (q->q_ptr != NULL)
421 		return (0);
422 
423 	/* In the off chance that we're on our way out, just return error */
424 	if (tcl_slots == NULL)
425 		return (EINVAL);
426 
427 	if (sflag & MODOPEN) {
428 		tunll_t *tll;
429 		char *cp;
430 
431 		/* ordinary users have no need to push this module */
432 		if (secpolicy_net_config(credp, B_FALSE) != 0)
433 			return (EPERM);
434 
435 		tll = kmem_zalloc(sizeof (tunll_t), KM_SLEEP);
436 
437 		tll->tll_index = tunll_index++;
438 
439 		tll->tll_wq = WR(q);
440 
441 		/* Insert at end of list */
442 		insque(&tll->tll_next, tunll_list.q_back);
443 		q->q_ptr = WR(q)->q_ptr = tll;
444 
445 		tll->tll_style = PTS_PPPOE;
446 		tll->tll_alen = sizeof (tll->tll_lcladdr.pta_pppoe);
447 
448 		tll->tll_ksp = kstat_setup((kstat_named_t *)&tll->tll_kstats,
449 		    tll_kstats_list, Dim(tll_kstats_list), "tll",
450 		    tll->tll_index);
451 
452 		/*
453 		 * Find the name of the driver somewhere beneath us.
454 		 * Note that we have no driver under us until after
455 		 * qprocson().
456 		 */
457 		qprocson(q);
458 		for (q = WR(q); q->q_next != NULL; q = q->q_next)
459 			;
460 		cp = NULL;
461 		if (q->q_qinfo != NULL && q->q_qinfo->qi_minfo != NULL)
462 			cp = q->q_qinfo->qi_minfo->mi_idname;
463 		if (cp != NULL && *cp == '\0')
464 			cp = NULL;
465 
466 		/* Set initial name; user should overwrite. */
467 		if (cp == NULL)
468 			(void) snprintf(tll->tll_name, sizeof (tll->tll_name),
469 			    PPP_TUN_NAME "%d", tll->tll_index);
470 		else
471 			(void) snprintf(tll->tll_name, sizeof (tll->tll_name),
472 			    "%s:tun%d", cp, tll->tll_index);
473 	} else {
474 		tuncl_t	*tcl;
475 
476 		ASSERT(devp != NULL);
477 		if (sflag & CLONEOPEN) {
478 			tcl = tuncl_alloc(-1);
479 		} else {
480 			minor_t mn;
481 
482 			/*
483 			 * Support of non-clone open (ie, mknod with
484 			 * defined minor number) is supported for
485 			 * testing purposes so that 'arbitrary' minor
486 			 * numbers can be used.
487 			 */
488 			mn = getminor(*devp);
489 			if (mn == 0 || (tcl = tcl_by_minor(mn)) != NULL) {
490 				return (EPERM);
491 			}
492 			tcl = tuncl_alloc(mn);
493 		}
494 		if (tcl == NULL)
495 			return (ENOSR);
496 		tcl->tcl_rq = q;		/* save read queue pointer */
497 		tcl->tcl_flags |= TCLF_ISCLIENT;	/* sanity check */
498 
499 		q->q_ptr = WR(q)->q_ptr = (caddr_t)tcl;
500 		*devp = makedevice(getmajor(*devp), tcl->tcl_lsessid);
501 
502 		tcl->tcl_ksp = kstat_setup((kstat_named_t *)&tcl->tcl_kstats,
503 		    tcl_kstats_list, Dim(tcl_kstats_list), "tcl",
504 		    tcl->tcl_lsessid);
505 
506 		qprocson(q);
507 	}
508 	return (0);
509 }
510 
511 /*
512  * Create an appropriate control message for this client event.
513  */
514 static mblk_t *
515 make_control(tuncl_t *tclabout, tunll_t *tllabout, int action, tuncl_t *tclto)
516 {
517 	struct ppptun_control *ptc;
518 	mblk_t *mp = allocb(sizeof (*ptc), BPRI_HI);
519 
520 	if (mp != NULL) {
521 		MTYPE(mp) = M_PROTO;
522 		ptc = (struct ppptun_control *)mp->b_wptr;
523 		mp->b_wptr += sizeof (*ptc);
524 		if (tclabout != NULL) {
525 			ptc->ptc_rsessid = tclabout->tcl_rsessid;
526 			ptc->ptc_address = tclabout->tcl_address;
527 		} else {
528 			bzero(ptc, sizeof (*ptc));
529 		}
530 		ptc->ptc_discrim = tclto->tcl_ctlval;
531 		ptc->ptc_action = action;
532 		(void) strncpy(ptc->ptc_name, tllabout->tll_name,
533 		    sizeof (ptc->ptc_name));
534 	}
535 	return (mp);
536 }
537 
538 /*
539  * Send an appropriate control message up this client session.
540  */
541 static void
542 send_control(tuncl_t *tclabout, tunll_t *tllabout, int action, tuncl_t *tcl)
543 {
544 	mblk_t *mp;
545 
546 	if (tcl->tcl_rq != NULL) {
547 		mp = make_control(tclabout, tllabout, action, tcl);
548 		if (mp != NULL) {
549 			KCINCR(cks_octrl_spec);
550 			putnext(tcl->tcl_rq, mp);
551 		}
552 	}
553 }
554 
555 /*
556  * If a lower stream is being unplumbed, then the upper streams
557  * connected to this lower stream must be disconnected.  This routine
558  * accomplishes this by sending M_HANGUP to data streams and M_PROTO
559  * messages to control streams.  This is called by vmem_walk, and
560  * handles a span of minor node numbers.
561  *
562  * No need to update lks_clients here; the lower stream is on its way
563  * out.
564  */
565 static void
566 tclvm_remove_tll(void *arg, void *firstv, size_t numv)
567 {
568 	tunll_t *tll = (tunll_t *)arg;
569 	int minorn = (int)(uintptr_t)firstv;
570 	int minormax = minorn + numv;
571 	tuncl_t *tcl;
572 	mblk_t *mp;
573 
574 	while (minorn < minormax) {
575 		tcl = tcl_slots[minorn - 1];
576 		ASSERT(tcl != NULL);
577 		if (tcl->tcl_data_tll == tll && tcl->tcl_rq != NULL) {
578 			tcl->tcl_data_tll = NULL;
579 			mp = allocb(0, BPRI_HI);
580 			if (mp != NULL) {
581 				MTYPE(mp) = M_HANGUP;
582 				putnext(tcl->tcl_rq, mp);
583 				if (tcl->tcl_ctrl_tll == tll)
584 					tcl->tcl_ctrl_tll = NULL;
585 			}
586 		}
587 		if (tcl->tcl_ctrl_tll == tll) {
588 			send_control(tcl, tll, PTCA_UNPLUMB, tcl);
589 			tcl->tcl_ctrl_tll = NULL;
590 		}
591 		minorn++;
592 	}
593 }
594 
595 /*
596  * sppptun_close()
597  *
598  * MT-Perimeters:
599  *    exclusive inner, exclusive outer.
600  *
601  * Description:
602  *    Common close procedure for module and driver.
603  */
604 static int
605 sppptun_close(queue_t *q)
606 {
607 	int err;
608 	void *qptr;
609 	tunll_t *tll;
610 	tuncl_t *tcl;
611 
612 	qptr = q->q_ptr;
613 
614 	err = 0;
615 	tll = qptr;
616 	if (!(tll->tll_flags & TLLF_NOTLOWER)) {
617 		/* q_next is set on modules */
618 		ASSERT(WR(q)->q_next != NULL);
619 
620 		/* unlink any clients using this lower layer. */
621 		vmem_walk(tcl_minor_arena, VMEM_ALLOC, tclvm_remove_tll, tll);
622 
623 		/* tell daemon that this has been removed. */
624 		if ((tcl = tll->tll_defcl) != NULL)
625 			send_control(NULL, tll, PTCA_UNPLUMB, tcl);
626 
627 		tll->tll_flags |= TLLF_CLOSING;
628 		while (!(tll->tll_flags & TLLF_CLOSE_DONE)) {
629 			qenable(tll->tll_wq);
630 			qwait(tll->tll_wq);
631 		}
632 		tll->tll_error = 0;
633 		while (!(tll->tll_flags & TLLF_SHUTDOWN_DONE)) {
634 			if (!qwait_sig(tll->tll_wq))
635 				break;
636 		}
637 
638 		qprocsoff(q);
639 		q->q_ptr = WR(q)->q_ptr = NULL;
640 		tll->tll_wq = NULL;
641 		remque(&tll->tll_next);
642 		err = tll->tll_error;
643 		if (tll->tll_ksp != NULL)
644 			kstat_delete(tll->tll_ksp);
645 		kmem_free(tll, sizeof (*tll));
646 	} else {
647 		tcl = qptr;
648 
649 		/* devices are end of line; no q_next. */
650 		ASSERT(WR(q)->q_next == NULL);
651 
652 		qprocsoff(q);
653 		DTRACE_PROBE1(sppptun__client__close, tuncl_t *, tcl);
654 		tcl->tcl_rq = NULL;
655 		q->q_ptr = WR(q)->q_ptr = NULL;
656 
657 		tll = TO_TLL(tunll_list.q_forw);
658 		while (tll != TO_TLL(&tunll_list)) {
659 			if (tll->tll_defcl == tcl)
660 				tll->tll_defcl = NULL;
661 			if (tll->tll_lastcl == tcl)
662 				tll->tll_lastcl = NULL;
663 			tll = TO_TLL(tll->tll_next);
664 		}
665 		/*
666 		 * If this was a normal session, then tell the daemon.
667 		 */
668 		if (!(tcl->tcl_flags & TCLF_DAEMON) &&
669 		    (tll = tcl->tcl_ctrl_tll) != NULL &&
670 		    tll->tll_defcl != NULL) {
671 			send_control(tcl, tll, PTCA_DISCONNECT,
672 			    tll->tll_defcl);
673 		}
674 
675 		/* Update statistics for references being dropped. */
676 		if ((tll = tcl->tcl_data_tll) != NULL) {
677 			KLDECR(lks_clients);
678 		}
679 		if ((tll = tcl->tcl_ctrl_tll) != NULL) {
680 			KLDECR(lks_clients);
681 		}
682 
683 		tuncl_free(tcl);
684 	}
685 
686 	return (err);
687 }
688 
689 /*
690  * Allocate and initialize a DLPI or TPI template of the specified
691  * length.
692  */
693 static mblk_t *
694 pi_alloc(size_t len, int prim)
695 {
696 	mblk_t	*mp;
697 
698 	mp = allocb(len, BPRI_MED);
699 	if (mp != NULL) {
700 		MTYPE(mp) = M_PROTO;
701 		mp->b_wptr = mp->b_rptr + len;
702 		bzero(mp->b_rptr, len);
703 		*(int *)mp->b_rptr = prim;
704 	}
705 	return (mp);
706 }
707 
708 #define	dlpi_alloc(l, p)	pi_alloc((l), (p))
709 
710 /*
711  * Prepend some room to an mblk.  Try to reuse the existing buffer, if
712  * at all possible, rather than allocating a new one.  (Fast-path
713  * output should be able to use this.)
714  *
715  * (XXX why isn't this a library function ...?)
716  */
717 static mblk_t *
718 prependb(mblk_t *mp, size_t len, size_t align)
719 {
720 	mblk_t *newmp;
721 
722 
723 	if (align == 0)
724 		align = 8;
725 	if (DB_REF(mp) > 1 || mp->b_datap->db_base+len > mp->b_rptr ||
726 	    ((uint_t)((uintptr_t)mp->b_rptr - len) % align) != 0) {
727 		if ((newmp = allocb(len, BPRI_LO)) == NULL) {
728 			freemsg(mp);
729 			return (NULL);
730 		}
731 		newmp->b_wptr = newmp->b_rptr + len;
732 		newmp->b_cont = mp;
733 		return (newmp);
734 	}
735 	mp->b_rptr -= len;
736 	return (mp);
737 }
738 
739 /*
740  * sppptun_outpkt()
741  *
742  * MT-Perimeters:
743  *	shared inner, shared outer (if called from sppptun_uwput),
744  *	exclusive inner, shared outer (if called from sppptun_uwsrv).
745  *
746  * Description:
747  *    Called from sppptun_uwput or sppptun_uwsrv when processing a
748  *    M_DATA, M_PROTO, or M_PCPROTO message.  For all cases, it tries
749  *    to prepare the data to be sent to the module below this driver
750  *    if there is a lower stream linked underneath.  If no lower
751  *    stream exists, then the data will be discarded and an ENXIO
752  *    error returned.
753  *
754  * Returns:
755  *	pointer to queue if caller should do putnext, otherwise
756  *	*mpp != NULL if message should be enqueued, otherwise
757  *	*mpp == NULL if message is gone.
758  */
759 static queue_t *
760 sppptun_outpkt(queue_t *q, mblk_t **mpp)
761 {
762 	mblk_t *mp;
763 	tuncl_t *tcl;
764 	tunll_t *tll;
765 	mblk_t *encmb;
766 	mblk_t *datamb;
767 	dl_unitdata_req_t *dur;
768 	queue_t *lowerq;
769 	poep_t *poep;
770 	int len;
771 	ether_dest_t *edestp;
772 	enum { luNone, luCopy, luSend } loopup;
773 	boolean_t isdata;
774 	struct ppptun_control *ptc;
775 
776 	mp = *mpp;
777 	tcl = q->q_ptr;
778 
779 	*mpp = NULL;
780 	if (!(tcl->tcl_flags & TCLF_ISCLIENT)) {
781 		merror(q, mp, EINVAL);
782 		return (NULL);
783 	}
784 
785 	isdata = (MTYPE(mp) == M_DATA);
786 	if (isdata) {
787 		tll = tcl->tcl_data_tll;
788 		ptc = NULL;
789 	} else {
790 		/*
791 		 * If data are unaligned or otherwise unsuitable, then
792 		 * discard.
793 		 */
794 		if (MBLKL(mp) != sizeof (*ptc) || DB_REF(mp) > 1 ||
795 		    !IS_P2ALIGNED(mp->b_rptr, sizeof (ptc))) {
796 			KCINCR(cks_octrl_drop);
797 			DTRACE_PROBE2(sppptun__bad__control, tuncl_t *, tcl,
798 			    mblk_t *, mp);
799 			merror(q, mp, EINVAL);
800 			return (NULL);
801 		}
802 		ptc = (struct ppptun_control *)mp->b_rptr;
803 
804 		/* Set stream discriminator value if not yet set. */
805 		if (tcl->tcl_ctlval == 0)
806 			tcl->tcl_ctlval = ptc->ptc_discrim;
807 
808 		/* If this is a test message, then reply to caller. */
809 		if (ptc->ptc_action == PTCA_TEST) {
810 			DTRACE_PROBE2(sppptun__test, tuncl_t *, tcl,
811 			    struct ppptun_control *, ptc);
812 			if (mp->b_cont != NULL) {
813 				freemsg(mp->b_cont);
814 				mp->b_cont = NULL;
815 			}
816 			ptc->ptc_discrim = tcl->tcl_ctlval;
817 			putnext(RD(q), mp);
818 			return (NULL);
819 		}
820 
821 		/* If this one isn't for us, then discard it */
822 		if (tcl->tcl_ctlval != ptc->ptc_discrim) {
823 			DTRACE_PROBE2(sppptun__bad__discrim, tuncl_t *, tcl,
824 			    struct ppptun_control *, ptc);
825 			freemsg(mp);
826 			return (NULL);
827 		}
828 
829 		/* Don't allow empty control packets. */
830 		if (mp->b_cont == NULL) {
831 			KCINCR(cks_octrl_drop);
832 			merror(q, mp, EINVAL);
833 			return (NULL);
834 		}
835 		tll = tcl->tcl_ctrl_tll;
836 	}
837 
838 	if (tll == NULL || (lowerq = tll->tll_wq) == NULL) {
839 		DTRACE_PROBE3(sppptun__cannot__send, tuncl_t *, tcl,
840 		    tunll_t *, tll, mblk_t *, mp);
841 		merror(q, mp, ENXIO);
842 		if (isdata) {
843 			tcl->tcl_stats.ppp_oerrors++;
844 		} else {
845 			KCINCR(cks_octrl_drop);
846 		}
847 		return (NULL);
848 	}
849 
850 	/*
851 	 * If so, then try to send it down.  The lower queue is only
852 	 * ever detached while holding an exclusive lock on the whole
853 	 * driver, so we can be confident that the lower queue is
854 	 * still there.
855 	 */
856 	if (!bcanputnext(lowerq, mp->b_band)) {
857 		DTRACE_PROBE3(sppptun__flow__control, tuncl_t *, tcl,
858 		    tunll_t *, tll, mblk_t *, mp);
859 		*mpp = mp;
860 		return (NULL);
861 	}
862 
863 	/*
864 	 * Note: DLPI and TPI expect that the first buffer contains
865 	 * the control (unitdata-req) header, destination address, and
866 	 * nothing else.  Any protocol headers must go in the next
867 	 * buffer.
868 	 */
869 	loopup = luNone;
870 	encmb = NULL;
871 	if (isdata) {
872 		if (tll->tll_alen != 0 &&
873 		    bcmp(&tcl->tcl_address, &tll->tll_lcladdr,
874 		    tll->tll_alen) == 0)
875 			loopup = luSend;
876 		switch (tll->tll_style) {
877 		case PTS_PPPOE:
878 			/* Strip address and control fields if present. */
879 			if (mp->b_rptr[0] == 0xFF) {
880 				if (MBLKL(mp) < 3) {
881 					encmb = msgpullup(mp, 3);
882 					freemsg(mp);
883 					if ((mp = encmb) == NULL)
884 						break;
885 				}
886 				mp->b_rptr += 2;
887 			}
888 			/* Broadcasting data is probably not a good idea. */
889 			if (tcl->tcl_address.pta_pppoe.ptma_mac[0] & 1)
890 				break;
891 			encmb = dlpi_alloc(sizeof (*dur) + sizeof (*edestp),
892 			    DL_UNITDATA_REQ);
893 			if (encmb == NULL)
894 				break;
895 
896 			dur = (dl_unitdata_req_t *)encmb->b_rptr;
897 			dur->dl_dest_addr_length = sizeof (*edestp);
898 			dur->dl_dest_addr_offset = sizeof (*dur);
899 			edestp = (ether_dest_t *)(dur + 1);
900 			ether_copy(tcl->tcl_address.pta_pppoe.ptma_mac,
901 			    edestp->addr);
902 			/* DLPI SAPs are in host byte order! */
903 			edestp->type = ETHERTYPE_PPPOES;
904 
905 			/* Make sure the protocol field isn't compressed. */
906 			len = (*mp->b_rptr & 1);
907 			mp = prependb(mp, sizeof (*poep) + len, POE_HDR_ALIGN);
908 			if (mp == NULL)
909 				break;
910 			poep = (poep_t *)mp->b_rptr;
911 			poep->poep_version_type = POE_VERSION;
912 			poep->poep_code = POECODE_DATA;
913 			poep->poep_session_id = htons(tcl->tcl_rsessid);
914 			poep->poep_length = htons(msgsize(mp) -
915 			    sizeof (*poep));
916 			if (len > 0)
917 				*(char *)(poep + 1) = '\0';
918 			break;
919 
920 		default:
921 			ASSERT(0);
922 		}
923 	} else {
924 		/*
925 		 * Control side encapsulation.
926 		 */
927 		if (bcmp(&ptc->ptc_address, &tll->tll_lcladdr, tll->tll_alen)
928 		    == 0)
929 			loopup = luSend;
930 		datamb = mp->b_cont;
931 		switch (tll->tll_style) {
932 		case PTS_PPPOE:
933 			/*
934 			 * Don't allow a loopback session to establish
935 			 * itself.  PPPoE is broken; it uses only one
936 			 * session ID for both data directions, so the
937 			 * loopback data path can simply never work.
938 			 */
939 			if (loopup == luSend &&
940 			    ((poep_t *)datamb->b_rptr)->poep_code ==
941 			    POECODE_PADR)
942 				break;
943 			encmb = dlpi_alloc(sizeof (*dur) + sizeof (*edestp),
944 			    DL_UNITDATA_REQ);
945 			if (encmb == NULL)
946 				break;
947 			dur = (dl_unitdata_req_t *)encmb->b_rptr;
948 			dur->dl_dest_addr_length = sizeof (*edestp);
949 			dur->dl_dest_addr_offset = sizeof (*dur);
950 
951 			edestp = (ether_dest_t *)(dur + 1);
952 			/* DLPI SAPs are in host byte order! */
953 			edestp->type = ETHERTYPE_PPPOED;
954 
955 			/*
956 			 * If destination isn't set yet, then we have to
957 			 * allow anything at all.  Otherwise, force use
958 			 * of configured peer address.
959 			 */
960 			if (bcmp(tcl->tcl_address.pta_pppoe.ptma_mac,
961 			    zero_mac_addr, sizeof (zero_mac_addr)) == 0 ||
962 			    (tcl->tcl_flags & TCLF_DAEMON)) {
963 				ether_copy(ptc->ptc_address.pta_pppoe.ptma_mac,
964 				    edestp->addr);
965 			} else {
966 				ether_copy(tcl->tcl_address.pta_pppoe.ptma_mac,
967 				    edestp->addr);
968 			}
969 			/* Reflect multicast/broadcast back up. */
970 			if (edestp->addr[0] & 1)
971 				loopup = luCopy;
972 			break;
973 
974 		case PTS_PPTP:
975 			/*
976 			 * PPTP's control side is actually done over
977 			 * separate TCP connections.
978 			 */
979 		default:
980 			ASSERT(0);
981 		}
982 		freeb(mp);
983 		mp = datamb;
984 	}
985 	if (mp == NULL || encmb == NULL) {
986 		DTRACE_PROBE1(sppptun__output__failure, tuncl_t *, tcl);
987 		freemsg(mp);
988 		freemsg(encmb);
989 		if (isdata) {
990 			tcl->tcl_stats.ppp_oerrors++;
991 		} else {
992 			KCINCR(cks_octrl_drop);
993 			KLINCR(lks_octrl_drop);
994 		}
995 		lowerq = NULL;
996 	} else {
997 		if (isdata) {
998 			tcl->tcl_stats.ppp_obytes += msgsize(mp);
999 			tcl->tcl_stats.ppp_opackets++;
1000 		} else {
1001 			KCINCR(cks_octrls);
1002 			KLINCR(lks_octrls);
1003 		}
1004 		if (encmb != mp)
1005 			encmb->b_cont = mp;
1006 		switch (loopup) {
1007 		case luNone:
1008 			*mpp = encmb;
1009 			break;
1010 		case luCopy:
1011 			mp = copymsg(encmb);
1012 			if (mp != NULL)
1013 				sppptun_urput(RD(lowerq), mp);
1014 			*mpp = encmb;
1015 			break;
1016 		case luSend:
1017 			sppptun_urput(RD(lowerq), encmb);
1018 			lowerq = NULL;
1019 			break;
1020 		}
1021 	}
1022 	return (lowerq);
1023 }
1024 
1025 /*
1026  * Enqueue a message to be sent when the lower stream is closed.  This
1027  * is done so that we're guaranteed that we always have the necessary
1028  * resources to properly detach ourselves from the system.  (If we
1029  * waited until the close was done to allocate these messages, then
1030  * the message allocation could fail, and we'd be unable to properly
1031  * detach.)
1032  */
1033 static void
1034 save_for_close(tunll_t *tll, mblk_t *mp)
1035 {
1036 	mblk_t *onc;
1037 
1038 	if ((onc = tll->tll_onclose) == NULL)
1039 		tll->tll_onclose = mp;
1040 	else {
1041 		while (onc->b_next != NULL)
1042 			onc = onc->b_next;
1043 		onc->b_next = mp;
1044 	}
1045 }
1046 
1047 /*
1048  * Given the lower stream name, locate the state structure.  Note that
1049  * lookup of tcl pointers (and use of those pointers) is safe because
1050  * modification is done only when exclusive on both inner and outer
1051  * perimeters.
1052  */
1053 static tunll_t *
1054 tll_lookup_on_name(char *dname)
1055 {
1056 	tunll_t *tll;
1057 
1058 	tll = TO_TLL(tunll_list.q_forw);
1059 	for (; tll != TO_TLL(&tunll_list); tll = TO_TLL(tll->tll_next))
1060 		if (strcmp(dname, tll->tll_name) == 0)
1061 			return (tll);
1062 	return (NULL);
1063 }
1064 
1065 /*
1066  * sppptun_inner_ioctl()
1067  *
1068  * MT-Perimeters:
1069  *    exclusive inner, shared outer.
1070  *
1071  * Description:
1072  *    Called by qwriter from sppptun_ioctl as the result of receiving
1073  *    a handled ioctl.
1074  */
1075 static void
1076 sppptun_inner_ioctl(queue_t *q, mblk_t *mp)
1077 {
1078 	struct iocblk *iop;
1079 	int rc = 0;
1080 	int len = 0;
1081 	int i;
1082 	tuncl_t *tcl;
1083 	tunll_t *tll;
1084 	union ppptun_name *ptn;
1085 	struct ppptun_info *pti;
1086 	struct ppptun_peer *ptp;
1087 	mblk_t *mptmp;
1088 	ppptun_atype *pap;
1089 	struct ppp_stats64 *psp;
1090 
1091 	iop = (struct iocblk *)mp->b_rptr;
1092 	tcl = NULL;
1093 	tll = q->q_ptr;
1094 	if (tll->tll_flags & TLLF_NOTLOWER) {
1095 		tcl = (tuncl_t *)tll;
1096 		tll = NULL;
1097 	}
1098 
1099 	DTRACE_PROBE3(sppptun__ioctl, tuncl_t *, tcl, tunll_t *, tll,
1100 	    struct iocblk *, iop);
1101 
1102 	switch (iop->ioc_cmd) {
1103 	case PPPIO_DEBUG:
1104 		/*
1105 		 * Debug requests are now ignored; use dtrace or wireshark
1106 		 * instead.
1107 		 */
1108 		break;
1109 
1110 	case PPPIO_GETSTAT:
1111 		rc = EINVAL;
1112 		break;
1113 
1114 	case PPPIO_GETSTAT64:
1115 		/* Client (device) side only */
1116 		if (tcl == NULL) {
1117 			rc = EINVAL;
1118 			break;
1119 		}
1120 		mptmp = allocb(sizeof (*psp), BPRI_HI);
1121 		if (mptmp == NULL) {
1122 			rc = ENOSR;
1123 			break;
1124 		}
1125 		freemsg(mp->b_cont);
1126 		mp->b_cont = mptmp;
1127 
1128 		psp = (struct ppp_stats64 *)mptmp->b_wptr;
1129 		bzero((caddr_t)psp, sizeof (*psp));
1130 		psp->p = tcl->tcl_stats;
1131 
1132 		len = sizeof (*psp);
1133 		break;
1134 
1135 	case PPPTUN_SNAME:
1136 		/* This is done on the *module* (lower level) side. */
1137 		if (tll == NULL || mp->b_cont == NULL ||
1138 		    iop->ioc_count != sizeof (*ptn) ||
1139 		    *mp->b_cont->b_rptr == '\0') {
1140 			rc = EINVAL;
1141 			break;
1142 		}
1143 
1144 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1145 		ptn->ptn_name[sizeof (ptn->ptn_name) - 1] = '\0';
1146 
1147 		if ((tll = tll_lookup_on_name(ptn->ptn_name)) != NULL) {
1148 			rc = EEXIST;
1149 			break;
1150 		}
1151 		tll = (tunll_t *)q->q_ptr;
1152 		(void) strcpy(tll->tll_name, ptn->ptn_name);
1153 		break;
1154 
1155 	case PPPTUN_GNAME:
1156 		/* This is done on the *module* (lower level) side. */
1157 		if (tll == NULL) {
1158 			rc = EINVAL;
1159 			break;
1160 		}
1161 		if (mp->b_cont != NULL)
1162 			freemsg(mp->b_cont);
1163 		if ((mp->b_cont = allocb(sizeof (*ptn), BPRI_HI)) == NULL) {
1164 			rc = ENOSR;
1165 			break;
1166 		}
1167 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1168 		bcopy(tll->tll_name, ptn->ptn_name, sizeof (ptn->ptn_name));
1169 		len = sizeof (*ptn);
1170 		break;
1171 
1172 	case PPPTUN_SINFO:
1173 	case PPPTUN_GINFO:
1174 		/* Either side */
1175 		if (mp->b_cont == NULL || iop->ioc_count != sizeof (*pti)) {
1176 			rc = EINVAL;
1177 			break;
1178 		}
1179 		pti = (struct ppptun_info *)mp->b_cont->b_rptr;
1180 		if (pti->pti_name[0] != '\0')
1181 			tll = tll_lookup_on_name(pti->pti_name);
1182 		if (tll == NULL) {
1183 			/* Driver (client) side must have name */
1184 			if (tcl != NULL && pti->pti_name[0] == '\0')
1185 				rc = EINVAL;
1186 			else
1187 				rc = ESRCH;
1188 			break;
1189 		}
1190 		if (iop->ioc_cmd == PPPTUN_GINFO) {
1191 			pti->pti_muxid = tll->tll_muxid;
1192 			pti->pti_style = tll->tll_style;
1193 			len = sizeof (*pti);
1194 			break;
1195 		}
1196 		tll->tll_muxid = pti->pti_muxid;
1197 		tll->tll_style = pti->pti_style;
1198 		switch (tll->tll_style) {
1199 		case PTS_PPPOE:		/* DLPI type */
1200 			tll->tll_alen = sizeof (tll->tll_lcladdr.pta_pppoe);
1201 			mptmp = dlpi_alloc(sizeof (dl_unbind_req_t),
1202 			    DL_UNBIND_REQ);
1203 			if (mptmp == NULL) {
1204 				rc = ENOSR;
1205 				break;
1206 			}
1207 			save_for_close(tll, mptmp);
1208 			mptmp = dlpi_alloc(sizeof (dl_detach_req_t),
1209 			    DL_DETACH_REQ);
1210 			if (mptmp == NULL) {
1211 				rc = ENOSR;
1212 				break;
1213 			}
1214 			save_for_close(tll, mptmp);
1215 			break;
1216 		default:
1217 			tll->tll_style = PTS_NONE;
1218 			tll->tll_alen = 0;
1219 			rc = EINVAL;
1220 			break;
1221 		}
1222 		break;
1223 
1224 	case PPPTUN_GNNAME:
1225 		/* This can be done on either side. */
1226 		if (mp->b_cont == NULL || iop->ioc_count < sizeof (uint32_t)) {
1227 			rc = EINVAL;
1228 			break;
1229 		}
1230 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1231 		i = ptn->ptn_index;
1232 		tll = TO_TLL(tunll_list.q_forw);
1233 		while (--i >= 0 && tll != TO_TLL(&tunll_list))
1234 			tll = TO_TLL(tll->tll_next);
1235 		if (tll != TO_TLL(&tunll_list)) {
1236 			bcopy(tll->tll_name, ptn->ptn_name,
1237 			    sizeof (ptn->ptn_name));
1238 		} else {
1239 			bzero(ptn, sizeof (*ptn));
1240 		}
1241 		len = sizeof (*ptn);
1242 		break;
1243 
1244 	case PPPTUN_LCLADDR:
1245 		/* This is done on the *module* (lower level) side. */
1246 		if (tll == NULL || mp->b_cont == NULL) {
1247 			rc = EINVAL;
1248 			break;
1249 		}
1250 
1251 		pap = &tll->tll_lcladdr;
1252 		len = tll->tll_alen;
1253 		if (len == 0 || len > iop->ioc_count) {
1254 			rc = EINVAL;
1255 			break;
1256 		}
1257 		bcopy(mp->b_cont->b_rptr, pap, len);
1258 		len = 0;
1259 		break;
1260 
1261 	case PPPTUN_SPEER:
1262 		/* Client (device) side only; before SDATA */
1263 		if (tcl == NULL || mp->b_cont == NULL ||
1264 		    iop->ioc_count != sizeof (*ptp)) {
1265 			rc = EINVAL;
1266 			break;
1267 		}
1268 		if (tcl->tcl_data_tll != NULL) {
1269 			rc = EINVAL;
1270 			break;
1271 		}
1272 		ptp = (struct ppptun_peer *)mp->b_cont->b_rptr;
1273 		DTRACE_PROBE2(sppptun__speer, tuncl_t *, tcl,
1274 		    struct ppptun_peer *, ptp);
1275 		/* Once set, the style cannot change. */
1276 		if (tcl->tcl_style != PTS_NONE &&
1277 		    tcl->tcl_style != ptp->ptp_style) {
1278 			rc = EINVAL;
1279 			break;
1280 		}
1281 		if (ptp->ptp_flags & PTPF_DAEMON) {
1282 			/* User requests registration for tunnel 0 */
1283 			if ((tcl->tcl_flags & TCLF_SPEER_DONE) ||
1284 			    ptp->ptp_ltunid != 0 || ptp->ptp_rtunid != 0 ||
1285 			    ptp->ptp_lsessid != 0 || ptp->ptp_rsessid != 0) {
1286 				rc = EINVAL;
1287 				break;
1288 			}
1289 			tcl->tcl_flags |= TCLF_DAEMON;
1290 		} else {
1291 			/* Normal client connection */
1292 			if (tcl->tcl_flags & TCLF_DAEMON) {
1293 				rc = EINVAL;
1294 				break;
1295 			}
1296 			if (ptp->ptp_lsessid != 0 &&
1297 			    ptp->ptp_lsessid != tcl->tcl_lsessid) {
1298 				rc = EINVAL;
1299 				break;
1300 			}
1301 			/*
1302 			 * If we're reassigning the peer data, then
1303 			 * the previous assignment must have been for
1304 			 * a client control connection.  Check that.
1305 			 */
1306 			if ((tcl->tcl_flags & TCLF_SPEER_DONE) &&
1307 			    ((tcl->tcl_ltunid != 0 &&
1308 			    tcl->tcl_ltunid != ptp->ptp_ltunid) ||
1309 			    (tcl->tcl_rtunid != 0 &&
1310 			    tcl->tcl_rtunid != ptp->ptp_rtunid) ||
1311 			    (tcl->tcl_rsessid != 0 &&
1312 			    tcl->tcl_rsessid != ptp->ptp_rsessid))) {
1313 				rc = EINVAL;
1314 				break;
1315 			}
1316 			if ((tcl->tcl_ltunid = ptp->ptp_ltunid) == 0 &&
1317 			    tcl->tcl_style == PTS_L2FTP)
1318 				tcl->tcl_ltunid = ptp->ptp_lsessid;
1319 			tcl->tcl_rtunid = ptp->ptp_rtunid;
1320 			tcl->tcl_rsessid = ptp->ptp_rsessid;
1321 		}
1322 		tcl->tcl_flags |= TCLF_SPEER_DONE;
1323 		tcl->tcl_style = ptp->ptp_style;
1324 		tcl->tcl_address = ptp->ptp_address;
1325 		goto fill_in_peer;
1326 
1327 	case PPPTUN_GPEER:
1328 		/* Client (device) side only */
1329 		if (tcl == NULL) {
1330 			rc = EINVAL;
1331 			break;
1332 		}
1333 		if (mp->b_cont != NULL)
1334 			freemsg(mp->b_cont);
1335 		mp->b_cont = allocb(sizeof (*ptp), BPRI_HI);
1336 		if (mp->b_cont == NULL) {
1337 			rc = ENOSR;
1338 			break;
1339 		}
1340 		ptp = (struct ppptun_peer *)mp->b_cont->b_rptr;
1341 	fill_in_peer:
1342 		ptp->ptp_style = tcl->tcl_style;
1343 		ptp->ptp_flags = (tcl->tcl_flags & TCLF_DAEMON) ? PTPF_DAEMON :
1344 		    0;
1345 		ptp->ptp_ltunid = tcl->tcl_ltunid;
1346 		ptp->ptp_rtunid = tcl->tcl_rtunid;
1347 		ptp->ptp_lsessid = tcl->tcl_lsessid;
1348 		ptp->ptp_rsessid = tcl->tcl_rsessid;
1349 		ptp->ptp_address = tcl->tcl_address;
1350 		len = sizeof (*ptp);
1351 		break;
1352 
1353 	case PPPTUN_SDATA:
1354 	case PPPTUN_SCTL:
1355 		/* Client (device) side only; must do SPEER first */
1356 		if (tcl == NULL || mp->b_cont == NULL ||
1357 		    iop->ioc_count != sizeof (*ptn) ||
1358 		    *mp->b_cont->b_rptr == '\0') {
1359 			rc = EINVAL;
1360 			break;
1361 		}
1362 		if (!(tcl->tcl_flags & TCLF_SPEER_DONE)) {
1363 			rc = EINVAL;
1364 			break;
1365 		}
1366 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1367 		ptn->ptn_name[sizeof (ptn->ptn_name) - 1] = '\0';
1368 		tll = tll_lookup_on_name(ptn->ptn_name);
1369 		if (tll == NULL) {
1370 			rc = ESRCH;
1371 			break;
1372 		}
1373 		if (tll->tll_style != tcl->tcl_style) {
1374 			rc = ENXIO;
1375 			break;
1376 		}
1377 		if (iop->ioc_cmd == PPPTUN_SDATA) {
1378 			if (tcl->tcl_data_tll != NULL) {
1379 				rc = EEXIST;
1380 				break;
1381 			}
1382 			/* server daemons cannot use regular data */
1383 			if (tcl->tcl_flags & TCLF_DAEMON) {
1384 				rc = EINVAL;
1385 				break;
1386 			}
1387 			tcl->tcl_data_tll = tll;
1388 		} else if (tcl->tcl_flags & TCLF_DAEMON) {
1389 			if (tll->tll_defcl != NULL && tll->tll_defcl != tcl) {
1390 				rc = EEXIST;
1391 				break;
1392 			}
1393 			tll->tll_defcl = tcl;
1394 			if (tcl->tcl_ctrl_tll != NULL) {
1395 				KDECR(tcl->tcl_ctrl_tll, tll_kstats,
1396 				    lks_clients);
1397 			}
1398 			tcl->tcl_ctrl_tll = tll;
1399 		} else {
1400 			if (tcl->tcl_ctrl_tll != NULL) {
1401 				rc = EEXIST;
1402 				break;
1403 			}
1404 			tcl->tcl_ctrl_tll = tll;
1405 		}
1406 		KLINCR(lks_clients);
1407 		break;
1408 
1409 	case PPPTUN_GDATA:
1410 	case PPPTUN_GCTL:
1411 		/* Client (device) side only */
1412 		if (tcl == NULL) {
1413 			rc = EINVAL;
1414 			break;
1415 		}
1416 		if (mp->b_cont != NULL)
1417 			freemsg(mp->b_cont);
1418 		mp->b_cont = allocb(sizeof (*ptn), BPRI_HI);
1419 		if (mp->b_cont == NULL) {
1420 			rc = ENOSR;
1421 			break;
1422 		}
1423 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1424 		if (iop->ioc_cmd == PPPTUN_GDATA)
1425 			tll = tcl->tcl_data_tll;
1426 		else
1427 			tll = tcl->tcl_ctrl_tll;
1428 		if (tll == NULL)
1429 			bzero(ptn, sizeof (*ptn));
1430 		else
1431 			bcopy(tll->tll_name, ptn->ptn_name,
1432 			    sizeof (ptn->ptn_name));
1433 		len = sizeof (*ptn);
1434 		break;
1435 
1436 	case PPPTUN_DCTL:
1437 		/* Client (device) side daemon mode only */
1438 		if (tcl == NULL || mp->b_cont == NULL ||
1439 		    iop->ioc_count != sizeof (*ptn) ||
1440 		    !(tcl->tcl_flags & TCLF_DAEMON)) {
1441 			rc = EINVAL;
1442 			break;
1443 		}
1444 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1445 		ptn->ptn_name[sizeof (ptn->ptn_name) - 1] = '\0';
1446 		tll = tll_lookup_on_name(ptn->ptn_name);
1447 		if (tll == NULL || tll->tll_defcl != tcl) {
1448 			rc = ESRCH;
1449 			break;
1450 		}
1451 		tll->tll_defcl = NULL;
1452 		break;
1453 
1454 	default:
1455 		/* Caller should already have checked command value */
1456 		ASSERT(0);
1457 	}
1458 	if (rc != 0) {
1459 		miocnak(q, mp, 0, rc);
1460 	} else {
1461 		if (len > 0)
1462 			mp->b_cont->b_wptr = mp->b_cont->b_rptr + len;
1463 		miocack(q, mp, len, 0);
1464 	}
1465 }
1466 
1467 /*
1468  * sppptun_ioctl()
1469  *
1470  * MT-Perimeters:
1471  *    shared inner, shared outer.
1472  *
1473  * Description:
1474  *    Called by sppptun_uwput as the result of receiving a M_IOCTL command.
1475  */
1476 static void
1477 sppptun_ioctl(queue_t *q, mblk_t *mp)
1478 {
1479 	struct iocblk *iop;
1480 	int rc = 0;
1481 	int len = 0;
1482 	uint32_t val = 0;
1483 	tunll_t *tll;
1484 
1485 	iop = (struct iocblk *)mp->b_rptr;
1486 
1487 	switch (iop->ioc_cmd) {
1488 	case PPPIO_DEBUG:
1489 	case PPPIO_GETSTAT:
1490 	case PPPIO_GETSTAT64:
1491 	case PPPTUN_SNAME:
1492 	case PPPTUN_GNAME:
1493 	case PPPTUN_SINFO:
1494 	case PPPTUN_GINFO:
1495 	case PPPTUN_GNNAME:
1496 	case PPPTUN_LCLADDR:
1497 	case PPPTUN_SPEER:
1498 	case PPPTUN_GPEER:
1499 	case PPPTUN_SDATA:
1500 	case PPPTUN_GDATA:
1501 	case PPPTUN_SCTL:
1502 	case PPPTUN_GCTL:
1503 	case PPPTUN_DCTL:
1504 		qwriter(q, mp, sppptun_inner_ioctl, PERIM_INNER);
1505 		return;
1506 
1507 	case PPPIO_GCLEAN:	/* always clean */
1508 		val = RCV_B7_1 | RCV_B7_0 | RCV_ODDP | RCV_EVNP;
1509 		len = sizeof (uint32_t);
1510 		break;
1511 
1512 	case PPPIO_GTYPE:	/* we look like an async driver. */
1513 		val = PPPTYP_AHDLC;
1514 		len = sizeof (uint32_t);
1515 		break;
1516 
1517 	case PPPIO_CFLAGS:	/* never compress headers */
1518 		val = 0;
1519 		len = sizeof (uint32_t);
1520 		break;
1521 
1522 		/* quietly ack PPP things we don't need to do. */
1523 	case PPPIO_XFCS:
1524 	case PPPIO_RFCS:
1525 	case PPPIO_XACCM:
1526 	case PPPIO_RACCM:
1527 	case PPPIO_LASTMOD:
1528 	case PPPIO_MUX:
1529 	case I_PLINK:
1530 	case I_PUNLINK:
1531 	case I_LINK:
1532 	case I_UNLINK:
1533 		break;
1534 
1535 	default:
1536 		tll = (tunll_t *)q->q_ptr;
1537 		if (!(tll->tll_flags & TLLF_NOTLOWER)) {
1538 			/* module side; pass this through. */
1539 			putnext(q, mp);
1540 			return;
1541 		}
1542 		rc = EINVAL;
1543 		break;
1544 	}
1545 	if (rc == 0 && len == sizeof (uint32_t)) {
1546 		if (mp->b_cont != NULL)
1547 			freemsg(mp->b_cont);
1548 		mp->b_cont = allocb(sizeof (uint32_t), BPRI_HI);
1549 		if (mp->b_cont == NULL) {
1550 			rc = ENOSR;
1551 		} else {
1552 			*(uint32_t *)mp->b_cont->b_wptr = val;
1553 			mp->b_cont->b_wptr += sizeof (uint32_t);
1554 		}
1555 	}
1556 	if (rc == 0) {
1557 		miocack(q, mp, len, 0);
1558 	} else {
1559 		miocnak(q, mp, 0, rc);
1560 	}
1561 }
1562 
1563 /*
1564  * sppptun_inner_mctl()
1565  *
1566  * MT-Perimeters:
1567  *    exclusive inner, shared outer.
1568  *
1569  * Description:
1570  *    Called by qwriter (via sppptun_uwput) as the result of receiving
1571  *    an M_CTL.  Called only on the client (driver) side.
1572  */
1573 static void
1574 sppptun_inner_mctl(queue_t *q, mblk_t *mp)
1575 {
1576 	int msglen;
1577 	tuncl_t *tcl;
1578 
1579 	tcl = q->q_ptr;
1580 
1581 	if (!(tcl->tcl_flags & TCLF_ISCLIENT)) {
1582 		freemsg(mp);
1583 		return;
1584 	}
1585 
1586 	msglen = MBLKL(mp);
1587 	switch (*mp->b_rptr) {
1588 	case PPPCTL_UNIT:
1589 		if (msglen == 2)
1590 			tcl->tcl_unit = mp->b_rptr[1];
1591 		else if (msglen == 8)
1592 			tcl->tcl_unit = ((uint32_t *)mp->b_rptr)[1];
1593 		break;
1594 	}
1595 	freemsg(mp);
1596 }
1597 
1598 /*
1599  * sppptun_uwput()
1600  *
1601  * MT-Perimeters:
1602  *    shared inner, shared outer.
1603  *
1604  * Description:
1605  *	Regular output data and controls pass through here.
1606  */
1607 static void
1608 sppptun_uwput(queue_t *q, mblk_t *mp)
1609 {
1610 	queue_t *nextq;
1611 	tuncl_t *tcl;
1612 
1613 	ASSERT(q->q_ptr != NULL);
1614 
1615 	switch (MTYPE(mp)) {
1616 	case M_DATA:
1617 	case M_PROTO:
1618 	case M_PCPROTO:
1619 		if (q->q_first == NULL &&
1620 		    (nextq = sppptun_outpkt(q, &mp)) != NULL) {
1621 			putnext(nextq, mp);
1622 		} else if (mp != NULL && !putq(q, mp)) {
1623 			freemsg(mp);
1624 		}
1625 		break;
1626 	case M_IOCTL:
1627 		sppptun_ioctl(q, mp);
1628 		break;
1629 	case M_CTL:
1630 		qwriter(q, mp, sppptun_inner_mctl, PERIM_INNER);
1631 		break;
1632 	default:
1633 		tcl = (tuncl_t *)q->q_ptr;
1634 		/*
1635 		 * If we're the driver, then discard unknown junk.
1636 		 * Otherwise, if we're the module, then forward along.
1637 		 */
1638 		if (tcl->tcl_flags & TCLF_ISCLIENT)
1639 			freemsg(mp);
1640 		else
1641 			putnext(q, mp);
1642 		break;
1643 	}
1644 }
1645 
1646 /*
1647  * Send a DLPI/TPI control message to the driver but make sure there
1648  * is only one outstanding message.  Uses tll_msg_pending to tell when
1649  * it must queue.  sppptun_urput calls message_done() when an ACK or a
1650  * NAK is received to process the next queued message.
1651  */
1652 static void
1653 message_send(tunll_t *tll, mblk_t *mp)
1654 {
1655 	mblk_t **mpp;
1656 
1657 	if (tll->tll_msg_pending) {
1658 		/* Must queue message. Tail insertion */
1659 		mpp = &tll->tll_msg_deferred;
1660 		while (*mpp != NULL)
1661 			mpp = &((*mpp)->b_next);
1662 		*mpp = mp;
1663 		return;
1664 	}
1665 	tll->tll_msg_pending = 1;
1666 	putnext(tll->tll_wq, mp);
1667 }
1668 
1669 /*
1670  * Called when an DLPI/TPI control message has been acked or nacked to
1671  * send down the next queued message (if any).
1672  */
1673 static void
1674 message_done(tunll_t *tll)
1675 {
1676 	mblk_t *mp;
1677 
1678 	ASSERT(tll->tll_msg_pending);
1679 	tll->tll_msg_pending = 0;
1680 	mp = tll->tll_msg_deferred;
1681 	if (mp != NULL) {
1682 		tll->tll_msg_deferred = mp->b_next;
1683 		mp->b_next = NULL;
1684 		tll->tll_msg_pending = 1;
1685 		putnext(tll->tll_wq, mp);
1686 	}
1687 }
1688 
1689 /*
1690  * Send down queued "close" messages to lower stream.  These were
1691  * enqueued right after the stream was originally allocated, when the
1692  * tll_style was set by PPPTUN_SINFO.
1693  */
1694 static int
1695 tll_close_req(tunll_t *tll)
1696 {
1697 	mblk_t *mb, *mbnext;
1698 
1699 	if ((mb = tll->tll_onclose) == NULL)
1700 		tll->tll_flags |= TLLF_SHUTDOWN_DONE;
1701 	else {
1702 		tll->tll_onclose = NULL;
1703 		while (mb != NULL) {
1704 			mbnext = mb->b_next;
1705 			mb->b_next = NULL;
1706 			message_send(tll, mb);
1707 			mb = mbnext;
1708 		}
1709 	}
1710 	return (0);
1711 }
1712 
1713 /*
1714  * This function is called when a backenable occurs on the write side of a
1715  * lower stream.  It walks over the client streams, looking for ones that use
1716  * the given tunll_t lower stream.  Each client is then backenabled.
1717  */
1718 static void
1719 tclvm_backenable(void *arg, void *firstv, size_t numv)
1720 {
1721 	tunll_t *tll = arg;
1722 	int minorn = (int)(uintptr_t)firstv;
1723 	int minormax = minorn + numv;
1724 	tuncl_t *tcl;
1725 	queue_t *q;
1726 
1727 	while (minorn < minormax) {
1728 		tcl = tcl_slots[minorn - 1];
1729 		if ((tcl->tcl_data_tll == tll ||
1730 		    tcl->tcl_ctrl_tll == tll) &&
1731 		    (q = tcl->tcl_rq) != NULL) {
1732 			qenable(OTHERQ(q));
1733 		}
1734 		minorn++;
1735 	}
1736 }
1737 
1738 /*
1739  * sppptun_uwsrv()
1740  *
1741  * MT-Perimeters:
1742  *    exclusive inner, shared outer.
1743  *
1744  * Description:
1745  *    Upper write-side service procedure.  In addition to the usual
1746  *    STREAMS queue service handling, this routine also handles the
1747  *    transmission of the unbind/detach messages to the lower stream
1748  *    driver when a lower stream is being closed.  (See the use of
1749  *    qenable/qwait in sppptun_close().)
1750  */
1751 static int
1752 sppptun_uwsrv(queue_t *q)
1753 {
1754 	tuncl_t	*tcl;
1755 	mblk_t *mp;
1756 	queue_t *nextq;
1757 
1758 	tcl = q->q_ptr;
1759 	if (!(tcl->tcl_flags & TCLF_ISCLIENT)) {
1760 		tunll_t *tll = (tunll_t *)tcl;
1761 
1762 		if ((tll->tll_flags & (TLLF_CLOSING|TLLF_CLOSE_DONE)) ==
1763 		    TLLF_CLOSING) {
1764 			tll->tll_error = tll_close_req(tll);
1765 			tll->tll_flags |= TLLF_CLOSE_DONE;
1766 		} else {
1767 			/*
1768 			 * We've been enabled here because of a backenable on
1769 			 * output flow control.  Backenable clients using this
1770 			 * lower layer.
1771 			 */
1772 			vmem_walk(tcl_minor_arena, VMEM_ALLOC, tclvm_backenable,
1773 			    tll);
1774 		}
1775 		return (0);
1776 	}
1777 
1778 	while ((mp = getq(q)) != NULL) {
1779 		if ((nextq = sppptun_outpkt(q, &mp)) != NULL) {
1780 			putnext(nextq, mp);
1781 		} else if (mp != NULL) {
1782 			(void) putbq(q, mp);
1783 			break;
1784 		}
1785 	}
1786 	return (0);
1787 }
1788 
1789 /*
1790  * sppptun_lwput()
1791  *
1792  * MT-Perimeters:
1793  *    shared inner, shared outer.
1794  *
1795  * Description:
1796  *    Lower write-side put procedure.  Nothing should be sending
1797  *    packets down this stream.
1798  */
1799 static void
1800 sppptun_lwput(queue_t *q, mblk_t *mp)
1801 {
1802 	switch (MTYPE(mp)) {
1803 	case M_PROTO:
1804 		putnext(q, mp);
1805 		break;
1806 	default:
1807 		freemsg(mp);
1808 		break;
1809 	}
1810 }
1811 
1812 /*
1813  * sppptun_lrput()
1814  *
1815  * MT-Perimeters:
1816  *    shared inner, shared outer.
1817  *
1818  * Description:
1819  *    Lower read-side put procedure.  Nothing should arrive here.
1820  */
1821 static void
1822 sppptun_lrput(queue_t *q, mblk_t *mp)
1823 {
1824 	tuncl_t *tcl;
1825 
1826 	switch (MTYPE(mp)) {
1827 	case M_IOCTL:
1828 		miocnak(q, mp, 0, EINVAL);
1829 		return;
1830 	case M_FLUSH:
1831 		if (*mp->b_rptr & FLUSHR) {
1832 			flushq(q, FLUSHDATA);
1833 		}
1834 		if (*mp->b_rptr & FLUSHW) {
1835 			*mp->b_rptr &= ~FLUSHR;
1836 			qreply(q, mp);
1837 		} else {
1838 			freemsg(mp);
1839 		}
1840 		return;
1841 	}
1842 	/*
1843 	 * Try to forward the message to the put procedure for the upper
1844 	 * control stream for this lower stream. If there are already messages
1845 	 * queued here, queue this one up to preserve message ordering.
1846 	 */
1847 	if ((tcl = (tuncl_t *)q->q_ptr) == NULL || tcl->tcl_rq == NULL) {
1848 		freemsg(mp);
1849 		return;
1850 	}
1851 	if (queclass(mp) == QPCTL ||
1852 	    (q->q_first == NULL && canput(tcl->tcl_rq))) {
1853 		put(tcl->tcl_rq, mp);
1854 	} else {
1855 		if (!putq(q, mp))
1856 			freemsg(mp);
1857 	}
1858 }
1859 
1860 /*
1861  * MT-Perimeters:
1862  *    shared inner, shared outer.
1863  *
1864  *    Handle non-data DLPI messages.  Used with PPPoE, which runs over
1865  *    Ethernet only.
1866  */
1867 static void
1868 urput_dlpi(queue_t *q, mblk_t *mp)
1869 {
1870 	int err;
1871 	union DL_primitives *dlp = (union DL_primitives *)mp->b_rptr;
1872 	tunll_t *tll = q->q_ptr;
1873 	size_t mlen = MBLKL(mp);
1874 
1875 	switch (dlp->dl_primitive) {
1876 	case DL_UDERROR_IND:
1877 		break;
1878 
1879 	case DL_ERROR_ACK:
1880 		if (mlen < DL_ERROR_ACK_SIZE)
1881 			break;
1882 		err = dlp->error_ack.dl_unix_errno ?
1883 		    dlp->error_ack.dl_unix_errno : ENXIO;
1884 		switch (dlp->error_ack.dl_error_primitive) {
1885 		case DL_UNBIND_REQ:
1886 			message_done(tll);
1887 			break;
1888 		case DL_DETACH_REQ:
1889 			message_done(tll);
1890 			tll->tll_error = err;
1891 			tll->tll_flags |= TLLF_SHUTDOWN_DONE;
1892 			break;
1893 		case DL_PHYS_ADDR_REQ:
1894 			message_done(tll);
1895 			break;
1896 		case DL_INFO_REQ:
1897 		case DL_ATTACH_REQ:
1898 		case DL_BIND_REQ:
1899 			message_done(tll);
1900 			tll->tll_error = err;
1901 			break;
1902 		}
1903 		break;
1904 
1905 	case DL_INFO_ACK:
1906 		message_done(tll);
1907 		break;
1908 
1909 	case DL_BIND_ACK:
1910 		message_done(tll);
1911 		break;
1912 
1913 	case DL_PHYS_ADDR_ACK:
1914 		break;
1915 
1916 	case DL_OK_ACK:
1917 		if (mlen < DL_OK_ACK_SIZE)
1918 			break;
1919 		switch (dlp->ok_ack.dl_correct_primitive) {
1920 		case DL_UNBIND_REQ:
1921 			message_done(tll);
1922 			break;
1923 		case DL_DETACH_REQ:
1924 			tll->tll_flags |= TLLF_SHUTDOWN_DONE;
1925 			break;
1926 		case DL_ATTACH_REQ:
1927 			message_done(tll);
1928 			break;
1929 		}
1930 		break;
1931 	}
1932 	freemsg(mp);
1933 }
1934 
1935 /* Search structure used with PPPoE only; see tclvm_pppoe_search(). */
1936 struct poedat {
1937 	uint_t sessid;
1938 	tunll_t *tll;
1939 	const void *srcaddr;
1940 	int isdata;
1941 	tuncl_t *tcl;
1942 };
1943 
1944 /*
1945  * This function is called by vmem_walk from within sppptun_recv.  It
1946  * iterates over a span of allocated minor node numbers to search for
1947  * the appropriate lower stream, session ID, and peer MAC address.
1948  *
1949  * (This is necessary due to a design flaw in the PPPoE protocol
1950  * itself.  The protocol assigns session IDs from the server side
1951  * only.  Both server and client use the same number.  Thus, if there
1952  * are multiple clients on a single host, there can be session ID
1953  * conflicts between servers and there's no way to detangle them
1954  * except by looking at the remote MAC address.)
1955  *
1956  * (This could have been handled by linking together sessions that
1957  * differ only in the remote MAC address.  This isn't done because it
1958  * would involve extra per-session storage and it's very unlikely that
1959  * PPPoE would be used this way.)
1960  */
1961 static void
1962 tclvm_pppoe_search(void *arg, void *firstv, size_t numv)
1963 {
1964 	struct poedat *poedat = (struct poedat *)arg;
1965 	int minorn = (int)(uintptr_t)firstv;
1966 	int minormax = minorn + numv;
1967 	tuncl_t *tcl;
1968 
1969 	if (poedat->tcl != NULL)
1970 		return;
1971 	while (minorn < minormax) {
1972 		tcl = tcl_slots[minorn - 1];
1973 		ASSERT(tcl != NULL);
1974 		if (tcl->tcl_rsessid == poedat->sessid &&
1975 		    ((!poedat->isdata && tcl->tcl_ctrl_tll == poedat->tll) ||
1976 		    (poedat->isdata && tcl->tcl_data_tll == poedat->tll)) &&
1977 		    bcmp(tcl->tcl_address.pta_pppoe.ptma_mac,
1978 		    poedat->srcaddr,
1979 		    sizeof (tcl->tcl_address.pta_pppoe.ptma_mac)) == 0) {
1980 			poedat->tcl = tcl;
1981 			break;
1982 		}
1983 		minorn++;
1984 	}
1985 }
1986 
1987 /*
1988  * sppptun_recv()
1989  *
1990  * MT-Perimeters:
1991  *    shared inner, shared outer.
1992  *
1993  * Description:
1994  *    Receive function called by sppptun_urput, which is called when
1995  *    the lower read-side put or service procedure sends a message
1996  *    upstream to the a device user (PPP).  It attempts to find an
1997  *    appropriate queue on the module above us (depending on what the
1998  *    associated upper stream for the protocol would be), and if not
1999  *    possible, it will find an upper control stream for the protocol.
2000  *    Returns a pointer to the upper queue_t, or NULL if the message
2001  *    has been discarded.
2002  *
2003  * About demultiplexing:
2004  *
2005  *	All four protocols (L2F, PPTP, L2TP, and PPPoE) support a
2006  *	locally assigned ID for demultiplexing incoming traffic.  For
2007  *	L2F, this is called the Client ID, for PPTP the Call ID, for
2008  *	L2TP the Session ID, and for PPPoE the SESSION_ID.  This is a
2009  *	16 bit number for all four protocols, and is used to directly
2010  *	index into a list of upper streams.  With the upper stream in
2011  *	hand, we verify that this is the right stream and deliver the
2012  *	data.
2013  *
2014  *	L2TP has a Tunnel ID, which represents a bundle of PPP
2015  *	sessions between the peers.  Because we always assign unique
2016  *	session ID numbers, we merely check that the given ID matches
2017  *	the assigned ID for the upper stream.
2018  *
2019  *	L2F has a Multiplex ID, which is unique per connection.  It
2020  *	does not have L2TP's concept of multiple-connections-within-
2021  *	a-tunnel.  The same checking is done.
2022  *
2023  *	PPPoE is a horribly broken protocol.  Only one ID is assigned
2024  *	per connection.  The client must somehow demultiplex based on
2025  *	an ID number assigned by the server.  It's not necessarily
2026  *	unique.  The search is done based on {ID,peerEthernet} (using
2027  *	tcl_rsessid) for all packet types except PADI and PADS.
2028  *
2029  *	Neither PPPoE nor PPTP supports additional ID numbers.
2030  *
2031  *	Both L2F and L2TP come in over UDP.  They are distinguished by
2032  *	looking at the GRE version field -- 001 for L2F and 010 for
2033  *	L2TP.
2034  */
2035 static queue_t *
2036 sppptun_recv(queue_t *q, mblk_t **mpp, const void *srcaddr)
2037 {
2038 	mblk_t *mp;
2039 	tunll_t *tll;
2040 	tuncl_t *tcl;
2041 	int sessid;
2042 	int remlen;
2043 	int msglen;
2044 	int isdata;
2045 	int i;
2046 	const uchar_t *ucp;
2047 	const poep_t *poep;
2048 	mblk_t *mnew;
2049 	ppptun_atype *pap;
2050 
2051 	mp = *mpp;
2052 
2053 	tll = q->q_ptr;
2054 	ASSERT(!(tll->tll_flags & TLLF_NOTLOWER));
2055 
2056 	tcl = NULL;
2057 	switch (tll->tll_style) {
2058 	case PTS_PPPOE:
2059 		/* Note that poep_t alignment is uint16_t */
2060 		if ((!IS_P2ALIGNED(mp->b_rptr, sizeof (uint16_t)) ||
2061 		    MBLKL(mp) < sizeof (poep_t)) &&
2062 		    !pullupmsg(mp, sizeof (poep_t)))
2063 			break;
2064 		poep = (const poep_t *)mp->b_rptr;
2065 		if (poep->poep_version_type != POE_VERSION)
2066 			break;
2067 		/*
2068 		 * First, extract a session ID number.  All protocols have
2069 		 * this.
2070 		 */
2071 		isdata = (poep->poep_code == POECODE_DATA);
2072 		sessid = ntohs(poep->poep_session_id);
2073 		remlen = sizeof (*poep);
2074 		msglen = ntohs(poep->poep_length);
2075 		i = poep->poep_code;
2076 		if (i == POECODE_PADI || i == POECODE_PADR) {
2077 			/* These go to the server daemon only. */
2078 			tcl = tll->tll_defcl;
2079 		} else if (i == POECODE_PADO || i == POECODE_PADS) {
2080 			/*
2081 			 * These go to a client only, and are demuxed
2082 			 * by the Host-Uniq field (into which we stuff
2083 			 * our local ID number when generating
2084 			 * PADI/PADR).
2085 			 */
2086 			ucp = (const uchar_t *)(poep + 1);
2087 			i = msglen;
2088 			while (i > POET_HDRLEN) {
2089 				if (POET_GET_TYPE(ucp) == POETT_END) {
2090 					i = 0;
2091 					break;
2092 				}
2093 				if (POET_GET_TYPE(ucp) == POETT_UNIQ &&
2094 				    POET_GET_LENG(ucp) >= sizeof (uint32_t))
2095 					break;
2096 				i -= POET_GET_LENG(ucp) + POET_HDRLEN;
2097 				ucp = POET_NEXT(ucp);
2098 			}
2099 			if (i >= POET_HDRLEN + 4)
2100 				sessid = GETLONG(ucp + POET_HDRLEN);
2101 			tcl = tcl_by_minor((minor_t)sessid);
2102 		} else {
2103 			/*
2104 			 * Try minor number as session ID first, since
2105 			 * it's used that way on server side.  It's
2106 			 * not used that way on the client, though, so
2107 			 * this might not work.  If this isn't the
2108 			 * right one, then try the tll cache.  If
2109 			 * neither is right, then search all open
2110 			 * clients.  Did I mention that the PPPoE
2111 			 * protocol is badly designed?
2112 			 */
2113 			tcl = tcl_by_minor((minor_t)sessid);
2114 			if (tcl == NULL ||
2115 			    (!isdata && tcl->tcl_ctrl_tll != tll) ||
2116 			    (isdata && tcl->tcl_data_tll != tll) ||
2117 			    sessid != tcl->tcl_rsessid ||
2118 			    bcmp(srcaddr, tcl->tcl_address.pta_pppoe.ptma_mac,
2119 			    sizeof (tcl->tcl_address.pta_pppoe.ptma_mac)) != 0)
2120 				tcl = tll->tll_lastcl;
2121 			if (tcl == NULL ||
2122 			    (!isdata && tcl->tcl_ctrl_tll != tll) ||
2123 			    (isdata && tcl->tcl_data_tll != tll) ||
2124 			    sessid != tcl->tcl_rsessid ||
2125 			    bcmp(srcaddr, tcl->tcl_address.pta_pppoe.ptma_mac,
2126 			    sizeof (tcl->tcl_address.pta_pppoe.ptma_mac)) != 0)
2127 				tcl = NULL;
2128 			if (tcl == NULL && sessid != 0) {
2129 				struct poedat poedat;
2130 
2131 				/*
2132 				 * Slow mode.  Too bad.  If you don't like it,
2133 				 * you can always choose a better protocol.
2134 				 */
2135 				poedat.sessid = sessid;
2136 				poedat.tll = tll;
2137 				poedat.srcaddr = srcaddr;
2138 				poedat.tcl = NULL;
2139 				poedat.isdata = isdata;
2140 				vmem_walk(tcl_minor_arena, VMEM_ALLOC,
2141 				    tclvm_pppoe_search, &poedat);
2142 				KLINCR(lks_walks);
2143 				if ((tcl = poedat.tcl) != NULL) {
2144 					tll->tll_lastcl = tcl;
2145 					KCINCR(cks_walks);
2146 				}
2147 			}
2148 		}
2149 		break;
2150 	}
2151 
2152 	if (tcl == NULL || tcl->tcl_rq == NULL) {
2153 		DTRACE_PROBE3(sppptun__recv__discard, int, sessid,
2154 		    tuncl_t *, tcl, mblk_t *, mp);
2155 		if (tcl == NULL) {
2156 			KLINCR(lks_in_nomatch);
2157 		}
2158 		if (isdata) {
2159 			KLINCR(lks_indata_drops);
2160 			if (tcl != NULL)
2161 				tcl->tcl_stats.ppp_ierrors++;
2162 		} else {
2163 			KLINCR(lks_inctrl_drops);
2164 			if (tcl != NULL) {
2165 				KCINCR(cks_inctrl_drops);
2166 			}
2167 		}
2168 		freemsg(mp);
2169 		return (NULL);
2170 	}
2171 
2172 	if (tcl->tcl_data_tll == tll && isdata) {
2173 		if (!adjmsg(mp, remlen) ||
2174 		    (i = msgsize(mp)) < msglen ||
2175 		    (i > msglen && !adjmsg(mp, msglen - i))) {
2176 			KLINCR(lks_indata_drops);
2177 			tcl->tcl_stats.ppp_ierrors++;
2178 			freemsg(mp);
2179 			return (NULL);
2180 		}
2181 		/* XXX -- address/control handling in pppd needs help. */
2182 		if (*mp->b_rptr != 0xFF) {
2183 			if ((mp = prependb(mp, 2, 1)) == NULL) {
2184 				KLINCR(lks_indata_drops);
2185 				tcl->tcl_stats.ppp_ierrors++;
2186 				return (NULL);
2187 			}
2188 			mp->b_rptr[0] = 0xFF;
2189 			mp->b_rptr[1] = 0x03;
2190 		}
2191 		MTYPE(mp) = M_DATA;
2192 		tcl->tcl_stats.ppp_ibytes += msgsize(mp);
2193 		tcl->tcl_stats.ppp_ipackets++;
2194 		KLINCR(lks_indata);
2195 	} else {
2196 		if (isdata || tcl->tcl_ctrl_tll != tll ||
2197 		    (mnew = make_control(tcl, tll, PTCA_CONTROL, tcl)) ==
2198 		    NULL) {
2199 			KLINCR(lks_inctrl_drops);
2200 			KCINCR(cks_inctrl_drops);
2201 			freemsg(mp);
2202 			return (NULL);
2203 		}
2204 		/* Fix up source address; peer might not be set yet. */
2205 		pap = &((struct ppptun_control *)mnew->b_rptr)->ptc_address;
2206 		bcopy(srcaddr, pap->pta_pppoe.ptma_mac,
2207 		    sizeof (pap->pta_pppoe.ptma_mac));
2208 		mnew->b_cont = mp;
2209 		mp = mnew;
2210 		KLINCR(lks_inctrls);
2211 		KCINCR(cks_inctrls);
2212 	}
2213 	*mpp = mp;
2214 	return (tcl->tcl_rq);
2215 }
2216 
2217 /*
2218  * sppptun_urput()
2219  *
2220  * MT-Perimeters:
2221  *    shared inner, shared outer.
2222  *
2223  * Description:
2224  *    Upper read-side put procedure.  Messages from the underlying
2225  *    lower stream driver arrive here.  See sppptun_recv for the
2226  *    demultiplexing logic.
2227  */
2228 static void
2229 sppptun_urput(queue_t *q, mblk_t *mp)
2230 {
2231 	union DL_primitives *dlprim;
2232 	mblk_t *mpnext;
2233 	tunll_t *tll;
2234 	queue_t *nextq;
2235 
2236 	tll = q->q_ptr;
2237 	ASSERT(!(tll->tll_flags & TLLF_NOTLOWER));
2238 
2239 	switch (MTYPE(mp)) {
2240 	case M_DATA:
2241 		/*
2242 		 * When we're bound over IP, data arrives here.  The
2243 		 * packet starts with the IP header itself.
2244 		 */
2245 		if ((nextq = sppptun_recv(q, &mp, NULL)) != NULL)
2246 			putnext(nextq, mp);
2247 		break;
2248 
2249 	case M_PROTO:
2250 	case M_PCPROTO:
2251 		/* Data arrives here for UDP or raw Ethernet, not IP. */
2252 		switch (tll->tll_style) {
2253 			/* PPTP control messages are over TCP only. */
2254 		case PTS_PPTP:
2255 		default:
2256 			ASSERT(0);	/* how'd that happen? */
2257 			break;
2258 
2259 		case PTS_PPPOE:		/* DLPI message */
2260 			if (MBLKL(mp) < sizeof (t_uscalar_t))
2261 				break;
2262 			dlprim = (union DL_primitives *)mp->b_rptr;
2263 			switch (dlprim->dl_primitive) {
2264 			case DL_UNITDATA_IND: {
2265 				size_t mlen = MBLKL(mp);
2266 
2267 				if (mlen < DL_UNITDATA_IND_SIZE)
2268 					break;
2269 				if (dlprim->unitdata_ind.dl_src_addr_offset <
2270 				    DL_UNITDATA_IND_SIZE ||
2271 				    dlprim->unitdata_ind.dl_src_addr_offset +
2272 				    dlprim->unitdata_ind.dl_src_addr_length >
2273 				    mlen)
2274 					break;
2275 			}
2276 				/* FALLTHROUGH */
2277 			case DL_UNITDATA_REQ:	/* For loopback support. */
2278 				if (dlprim->dl_primitive == DL_UNITDATA_REQ &&
2279 				    MBLKL(mp) < DL_UNITDATA_REQ_SIZE)
2280 					break;
2281 				if ((mpnext = mp->b_cont) == NULL)
2282 					break;
2283 				MTYPE(mpnext) = M_DATA;
2284 				nextq = sppptun_recv(q, &mpnext,
2285 				    dlprim->dl_primitive == DL_UNITDATA_IND ?
2286 				    mp->b_rptr +
2287 				    dlprim->unitdata_ind.dl_src_addr_offset :
2288 				    tll->tll_lcladdr.pta_pppoe.ptma_mac);
2289 				if (nextq != NULL)
2290 					putnext(nextq, mpnext);
2291 				freeb(mp);
2292 				return;
2293 
2294 			default:
2295 				urput_dlpi(q, mp);
2296 				return;
2297 			}
2298 			break;
2299 		}
2300 		freemsg(mp);
2301 		break;
2302 
2303 	default:
2304 		freemsg(mp);
2305 		break;
2306 	}
2307 }
2308 
2309 /*
2310  * sppptun_ursrv()
2311  *
2312  * MT-Perimeters:
2313  *    exclusive inner, shared outer.
2314  *
2315  * Description:
2316  *    Upper read-side service procedure.  This procedure services the
2317  *    client streams.  We get here because the client (PPP) asserts
2318  *    flow control down to us.
2319  */
2320 static int
2321 sppptun_ursrv(queue_t *q)
2322 {
2323 	mblk_t		*mp;
2324 
2325 	ASSERT(q->q_ptr != NULL);
2326 
2327 	while ((mp = getq(q)) != NULL) {
2328 		if (canputnext(q)) {
2329 			putnext(q, mp);
2330 		} else {
2331 			(void) putbq(q, mp);
2332 			break;
2333 		}
2334 	}
2335 	return (0);
2336 }
2337 
2338 /*
2339  * Dummy constructor/destructor functions for kmem_cache_create.
2340  * We're just using kmem as an allocator of integers, not real
2341  * storage.
2342  */
2343 
2344 /*ARGSUSED*/
2345 static int
2346 tcl_constructor(void *maddr, void *arg, int kmflags)
2347 {
2348 	return (0);
2349 }
2350 
2351 /*ARGSUSED*/
2352 static void
2353 tcl_destructor(void *maddr, void *arg)
2354 {
2355 }
2356 
2357 /*
2358  * Total size occupied by one tunnel client.  Each tunnel client
2359  * consumes one pointer for tcl_slots array, one tuncl_t structure and
2360  * two messages preallocated for close.
2361  */
2362 #define	TUNCL_SIZE (sizeof (tuncl_t) + sizeof (tuncl_t *) + \
2363 			2 * sizeof (dblk_t))
2364 
2365 /*
2366  * Clear all bits of x except the highest bit
2367  */
2368 #define	truncate(x) 	((x) <= 2 ? (x) : (1 << (highbit(x) - 1)))
2369 
2370 /*
2371  * This function initializes some well-known global variables inside
2372  * the module.
2373  *
2374  * Called by sppptun_mod.c:_init() before installing the module.
2375  */
2376 void
2377 sppptun_init(void)
2378 {
2379 	tunll_list.q_forw = tunll_list.q_back = &tunll_list;
2380 }
2381 
2382 /*
2383  * This function allocates the initial internal storage for the
2384  * sppptun driver.
2385  *
2386  * Called by sppptun_mod.c:_init() after installing module.
2387  */
2388 void
2389 sppptun_tcl_init(void)
2390 {
2391 	uint_t i, j;
2392 
2393 	rw_init(&tcl_rwlock, NULL, RW_DRIVER, NULL);
2394 	rw_enter(&tcl_rwlock, RW_WRITER);
2395 	tcl_nslots = sppptun_init_cnt;
2396 	tcl_slots = kmem_zalloc(tcl_nslots * sizeof (tuncl_t *), KM_SLEEP);
2397 
2398 	tcl_cache = kmem_cache_create("sppptun_map", sizeof (tuncl_t), 0,
2399 	    tcl_constructor, tcl_destructor, NULL, NULL, NULL, 0);
2400 
2401 	/* Allocate integer space for minor numbers */
2402 	tcl_minor_arena = vmem_create("sppptun_minor", (void *)1, tcl_nslots,
2403 	    1, NULL, NULL, NULL, 0, VM_SLEEP | VMC_IDENTIFIER);
2404 
2405 	/*
2406 	 * Calculate available number of tunnels - how many tunnels
2407 	 * can we allocate in sppptun_pctofmem % of available
2408 	 * memory.  The value is rounded up to the nearest power of 2.
2409 	 */
2410 	i = (sppptun_pctofmem * kmem_maxavail()) / (100 * TUNCL_SIZE);
2411 	j = truncate(i);	/* i with non-high bits stripped */
2412 	if (i != j)
2413 		j *= 2;
2414 	tcl_minormax = j;
2415 	rw_exit(&tcl_rwlock);
2416 }
2417 
2418 /*
2419  * This function checks that there are no plumbed streams or other users.
2420  *
2421  * Called by sppptun_mod.c:_fini().  Assumes that we're exclusive on
2422  * both perimeters.
2423  */
2424 int
2425 sppptun_tcl_fintest(void)
2426 {
2427 	if (tunll_list.q_forw != &tunll_list || tcl_inuse > 0)
2428 		return (EBUSY);
2429 	else
2430 		return (0);
2431 }
2432 
2433 /*
2434  * If no lower streams are plumbed, then this function deallocates all
2435  * internal storage in preparation for unload.
2436  *
2437  * Called by sppptun_mod.c:_fini().  Assumes that we're exclusive on
2438  * both perimeters.
2439  */
2440 void
2441 sppptun_tcl_fini(void)
2442 {
2443 	if (tcl_minor_arena != NULL) {
2444 		vmem_destroy(tcl_minor_arena);
2445 		tcl_minor_arena = NULL;
2446 	}
2447 	if (tcl_cache != NULL) {
2448 		kmem_cache_destroy(tcl_cache);
2449 		tcl_cache = NULL;
2450 	}
2451 	kmem_free(tcl_slots, tcl_nslots * sizeof (tuncl_t *));
2452 	tcl_slots = NULL;
2453 	rw_destroy(&tcl_rwlock);
2454 	ASSERT(tcl_slots == NULL);
2455 	ASSERT(tcl_cache == NULL);
2456 	ASSERT(tcl_minor_arena == NULL);
2457 }
2458