xref: /titanic_52/usr/src/uts/common/io/ppp/sppptun/sppptun.c (revision 67ce1dada345581246cd990d73516418f321a793)
1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #include <sys/types.h>
7 #include <sys/debug.h>
8 #include <sys/param.h>
9 #include <sys/stat.h>
10 #include <sys/systm.h>
11 #include <sys/socket.h>
12 #include <sys/stream.h>
13 #include <sys/stropts.h>
14 #include <sys/errno.h>
15 #include <sys/time.h>
16 #include <sys/cmn_err.h>
17 #include <sys/sdt.h>
18 #include <sys/conf.h>
19 #include <sys/dlpi.h>
20 #include <sys/ddi.h>
21 #include <sys/kstat.h>
22 #include <sys/strsun.h>
23 #include <sys/bitmap.h>
24 #include <sys/sysmacros.h>
25 #include <sys/note.h>
26 #include <sys/policy.h>
27 #include <net/ppp_defs.h>
28 #include <net/pppio.h>
29 #include <net/sppptun.h>
30 #include <net/pppoe.h>
31 #include <netinet/in.h>
32 
33 #include "s_common.h"
34 #include "sppptun_mod.h"
35 #include "sppptun_impl.h"
36 
37 #define	NTUN_INITIAL 16			/* Initial number of sppptun slots */
38 #define	NTUN_PERCENT 5			/* Percent of memory to use */
39 
40 /*
41  * This is used to tag official Solaris sources.  Please do not define
42  * "INTERNAL_BUILD" when building this software outside of Sun
43  * Microsystems.
44  */
45 #ifdef INTERNAL_BUILD
46 /* MODINFO is limited to 32 characters. */
47 const char sppptun_driver_description[] = "PPP 4.0 tunnel driver";
48 const char sppptun_module_description[] = "PPP 4.0 tunnel module";
49 #else
50 const char sppptun_driver_description[] = "ANU PPP tundrv";
51 const char sppptun_module_description[] = "ANU PPP tunmod";
52 
53 /* LINTED */
54 static const char buildtime[] = "Built " __DATE__ " at " __TIME__
55 #ifdef DEBUG
56 " DEBUG"
57 #endif
58 "\n";
59 #endif
60 
61 /*
62  * Tunable values; these are similar to the values used in ptms_conf.c.
63  * Override these settings via /etc/system.
64  */
65 uint_t	sppptun_cnt = 0;		/* Minimum number of tunnels */
66 size_t	sppptun_max_pty = 0;		/* Maximum number of tunnels */
67 uint_t	sppptun_init_cnt = NTUN_INITIAL; /* Initial number of tunnel slots */
68 uint_t	sppptun_pctofmem = NTUN_PERCENT; /* Percent of memory to use */
69 
70 typedef struct ether_dest_s {
71 	ether_addr_t addr;
72 	ushort_t type;
73 } ether_dest_t;
74 
75 /* Allows unaligned access. */
76 #define	GETLONG(x)	(((x)[0]<<24)|((x)[1]<<16)|((x)[2]<<8)|(x)[3])
77 
78 static const char *tll_kstats_list[] = { TLL_KSTATS_NAMES };
79 static const char *tcl_kstats_list[] = { TCL_KSTATS_NAMES };
80 
81 #define	KREF(p, m, vn)	p->m.vn.value.ui64
82 #define	KINCR(p, m, vn)	++KREF(p, m, vn)
83 #define	KDECR(p, m, vn)	--KREF(p, m, vn)
84 
85 #define	KLINCR(vn)	KINCR(tll, tll_kstats, vn)
86 #define	KLDECR(vn)	KDECR(tll, tll_kstats, vn)
87 
88 #define	KCINCR(vn)	KINCR(tcl, tcl_kstats, vn)
89 #define	KCDECR(vn)	KDECR(tcl, tcl_kstats, vn)
90 
91 static int	sppptun_open(queue_t *, dev_t *, int, int, cred_t *);
92 static int	sppptun_close(queue_t *);
93 static void	sppptun_urput(queue_t *, mblk_t *);
94 static void	sppptun_uwput(queue_t *, mblk_t *);
95 static int	sppptun_ursrv(queue_t *);
96 static int	sppptun_uwsrv(queue_t *);
97 static void	sppptun_lrput(queue_t *, mblk_t *);
98 static void	sppptun_lwput(queue_t *, mblk_t *);
99 
100 /*
101  * This is the hash table of clients.  Clients are the programs that
102  * open /dev/sppptun as a device.  There may be a large number of
103  * these; one per tunneled PPP session.
104  *
105  * Note: slots are offset from minor node value by 1 because
106  * vmem_alloc returns 0 for failure.
107  *
108  * The tcl_slots array entries are modified only when exclusive on
109  * both inner and outer perimeters.  This ensures that threads on
110  * shared perimeters always view this as unchanging memory with no
111  * need to lock around accesses.  (Specifically, the tcl_slots array
112  * is modified by entry to sppptun_open, sppptun_close, and _fini.)
113  */
114 static tuncl_t **tcl_slots = NULL;	/* Slots for tuncl_t */
115 static size_t tcl_nslots = 0;		/* Size of slot array */
116 static size_t tcl_minormax = 0;		/* Maximum number of tunnels */
117 static size_t tcl_inuse = 0;		/* # of tunnels currently allocated */
118 static krwlock_t tcl_rwlock;
119 static struct kmem_cache *tcl_cache = NULL;	/* tunnel cache */
120 static vmem_t *tcl_minor_arena = NULL; /* Arena for device minors */
121 
122 /*
123  * This is the simple list of lower layers.  For PPPoE, there is one
124  * of these per Ethernet interface.  Lower layers are established by
125  * "plumbing" -- using I_PLINK to connect the tunnel multiplexor to
126  * the physical interface.
127  */
128 static struct qelem tunll_list;
129 static int tunll_index;
130 
131 /* Test value; if all zeroes, then address hasn't been set yet. */
132 static const ether_addr_t zero_mac_addr = { 0, 0, 0, 0, 0, 0 };
133 
134 #define	MIN_SET_FASTPATH_UNITDATAREQ_SIZE	\
135 	(sizeof (dl_unitdata_req_t) + 4)
136 
137 #define	TUN_MI_ID	2104	/* officially allocated module ID */
138 #define	TUN_MI_MINPSZ	(0)
139 #define	TUN_MI_MAXPSZ	(PPP_MAXMTU)
140 #define	TUN_MI_HIWAT	(PPP_MTU * 8)
141 #define	TUN_MI_LOWAT	(128)
142 
143 static struct module_info sppptun_modinfo = {
144 	TUN_MI_ID,		/* mi_idnum */
145 	PPP_TUN_NAME,		/* mi_idname */
146 	TUN_MI_MINPSZ,		/* mi_minpsz */
147 	TUN_MI_MAXPSZ,		/* mi_maxpsz */
148 	TUN_MI_HIWAT,		/* mi_hiwat */
149 	TUN_MI_LOWAT		/* mi_lowat */
150 };
151 
152 static struct qinit sppptun_urinit = {
153 	(int (*)())sppptun_urput, /* qi_putp */
154 	sppptun_ursrv,		/* qi_srvp */
155 	sppptun_open,		/* qi_qopen */
156 	sppptun_close,		/* qi_qclose */
157 	NULL,			/* qi_qadmin */
158 	&sppptun_modinfo,	/* qi_minfo */
159 	NULL			/* qi_mstat */
160 };
161 
162 static struct qinit sppptun_uwinit = {
163 	(int (*)())sppptun_uwput, /* qi_putp */
164 	sppptun_uwsrv,		/* qi_srvp */
165 	NULL,			/* qi_qopen */
166 	NULL,			/* qi_qclose */
167 	NULL,			/* qi_qadmin */
168 	&sppptun_modinfo,	/* qi_minfo */
169 	NULL			/* qi_mstat */
170 };
171 
172 static struct qinit sppptun_lrinit = {
173 	(int (*)())sppptun_lrput, /* qi_putp */
174 	NULL,			/* qi_srvp */
175 	NULL,			/* qi_qopen */
176 	NULL,			/* qi_qclose */
177 	NULL,			/* qi_qadmin */
178 	&sppptun_modinfo,	/* qi_minfo */
179 	NULL			/* qi_mstat */
180 };
181 
182 static struct qinit sppptun_lwinit = {
183 	(int (*)())sppptun_lwput, /* qi_putp */
184 	NULL,			/* qi_srvp */
185 	NULL,			/* qi_qopen */
186 	NULL,			/* qi_qclose */
187 	NULL,			/* qi_qadmin */
188 	&sppptun_modinfo,	/* qi_minfo */
189 	NULL			/* qi_mstat */
190 };
191 
192 /*
193  * This is referenced in sppptun_mod.c.
194  */
195 struct streamtab sppptun_tab = {
196 	&sppptun_urinit,	/* st_rdinit */
197 	&sppptun_uwinit,	/* st_wrinit */
198 	&sppptun_lrinit,	/* st_muxrinit */
199 	&sppptun_lwinit		/* st_muxwrinit */
200 };
201 
202 /*
203  * Allocate another slot table twice as large as the original one
204  * (limited to global maximum).  Migrate all tunnels to the new slot
205  * table and free the original one.  Assumes we're exclusive on both
206  * inner and outer perimeters, and thus there are no other users of
207  * the tcl_slots array.
208  */
209 static minor_t
210 tcl_grow(void)
211 {
212 	minor_t old_size = tcl_nslots;
213 	minor_t new_size = 2 * old_size;
214 	tuncl_t **tcl_old = tcl_slots;
215 	tuncl_t **tcl_new;
216 	void  *vaddr;			/* vmem_add return value */
217 
218 	ASSERT(RW_LOCK_HELD(&tcl_rwlock));
219 
220 	/* Allocate new ptms array */
221 	tcl_new = kmem_zalloc(new_size * sizeof (tuncl_t *), KM_NOSLEEP);
222 	if (tcl_new == NULL)
223 		return ((minor_t)0);
224 
225 	/* Increase clone index space */
226 	vaddr = vmem_add(tcl_minor_arena, (void*)((uintptr_t)old_size + 1),
227 	    new_size - old_size, VM_NOSLEEP);
228 
229 	if (vaddr == NULL) {
230 		kmem_free(tcl_new, new_size * sizeof (tuncl_t *));
231 		return ((minor_t)0);
232 	}
233 
234 	/* Migrate tuncl_t entries to a new location */
235 	tcl_nslots = new_size;
236 	bcopy(tcl_old, tcl_new, old_size * sizeof (tuncl_t *));
237 	tcl_slots = tcl_new;
238 	kmem_free(tcl_old, old_size * sizeof (tuncl_t *));
239 
240 	/* Allocate minor number and return it */
241 	return ((minor_t)(uintptr_t)vmem_alloc(tcl_minor_arena, 1, VM_NOSLEEP));
242 }
243 
244 /*
245  * Allocate new minor number and tunnel client entry.  Returns the new
246  * entry or NULL if no memory or maximum number of entries reached.
247  * Assumes we're exclusive on both inner and outer perimeters, and
248  * thus there are no other users of the tcl_slots array.
249  */
250 static tuncl_t *
251 tuncl_alloc(int wantminor)
252 {
253 	minor_t dminor;
254 	tuncl_t *tcl = NULL;
255 
256 	rw_enter(&tcl_rwlock, RW_WRITER);
257 
258 	ASSERT(tcl_slots != NULL);
259 
260 	/*
261 	 * Always try to allocate new pty when sppptun_cnt minimum
262 	 * limit is not achieved. If it is achieved, the maximum is
263 	 * determined by either user-specified value (if it is
264 	 * non-zero) or our memory estimations - whatever is less.
265 	 */
266 	if (tcl_inuse >= sppptun_cnt) {
267 		/*
268 		 * When system achieved required minimum of tunnels,
269 		 * check for the denial of service limits.
270 		 *
271 		 * Get user-imposed maximum, if configured, or
272 		 * calculated memory constraint.
273 		 */
274 		size_t user_max = (sppptun_max_pty == 0 ? tcl_minormax :
275 		    min(sppptun_max_pty, tcl_minormax));
276 
277 		/* Do not try to allocate more than allowed */
278 		if (tcl_inuse >= user_max) {
279 			rw_exit(&tcl_rwlock);
280 			return (NULL);
281 		}
282 	}
283 	tcl_inuse++;
284 
285 	/*
286 	 * Allocate new minor number. If this fails, all slots are
287 	 * busy and we need to grow the hash.
288 	 */
289 	if (wantminor <= 0) {
290 		dminor = (minor_t)(uintptr_t)vmem_alloc(tcl_minor_arena, 1,
291 		    VM_NOSLEEP);
292 		if (dminor == 0) {
293 			/* Grow the cache and retry allocation */
294 			dminor = tcl_grow();
295 		}
296 	} else {
297 		dminor = (minor_t)(uintptr_t)vmem_xalloc(tcl_minor_arena, 1,
298 		    0, 0, 0, (void *)(uintptr_t)wantminor,
299 		    (void *)((uintptr_t)wantminor+1), VM_NOSLEEP);
300 		if (dminor != 0 && dminor != wantminor) {
301 			vmem_free(tcl_minor_arena, (void *)(uintptr_t)dminor,
302 			    1);
303 			dminor = 0;
304 		}
305 	}
306 
307 	if (dminor == 0) {
308 		/* Not enough memory now */
309 		tcl_inuse--;
310 		rw_exit(&tcl_rwlock);
311 		return (NULL);
312 	}
313 
314 	tcl = kmem_cache_alloc(tcl_cache, KM_NOSLEEP);
315 	if (tcl == NULL) {
316 		/* Not enough memory - this entry can't be used now. */
317 		vmem_free(tcl_minor_arena, (void *)(uintptr_t)dminor, 1);
318 		tcl_inuse--;
319 	} else {
320 		bzero(tcl, sizeof (*tcl));
321 		tcl->tcl_lsessid = dminor;
322 		ASSERT(tcl_slots[dminor - 1] == NULL);
323 		tcl_slots[dminor - 1] = tcl;
324 	}
325 
326 	rw_exit(&tcl_rwlock);
327 	return (tcl);
328 }
329 
330 /*
331  * This routine frees an upper level (client) stream by removing it
332  * from the minor number pool and freeing the state structure storage.
333  * Assumes we're exclusive on both inner and outer perimeters, and
334  * thus there are no other concurrent users of the tcl_slots array or
335  * of any entry in that array.
336  */
337 static void
338 tuncl_free(tuncl_t *tcl)
339 {
340 	rw_enter(&tcl_rwlock, RW_WRITER);
341 	ASSERT(tcl->tcl_lsessid <= tcl_nslots);
342 	ASSERT(tcl_slots[tcl->tcl_lsessid - 1] == tcl);
343 	ASSERT(tcl_inuse > 0);
344 	tcl_inuse--;
345 	tcl_slots[tcl->tcl_lsessid - 1] = NULL;
346 
347 	if (tcl->tcl_ksp != NULL) {
348 		kstat_delete(tcl->tcl_ksp);
349 		tcl->tcl_ksp = NULL;
350 	}
351 
352 	/* Return minor number to the pool of minors */
353 	vmem_free(tcl_minor_arena, (void *)(uintptr_t)tcl->tcl_lsessid, 1);
354 
355 	/* Return tuncl_t to the cache */
356 	kmem_cache_free(tcl_cache, tcl);
357 	rw_exit(&tcl_rwlock);
358 }
359 
360 /*
361  * Get tuncl_t structure by minor number.  Returns NULL when minor is
362  * out of range.  Note that lookup of tcl pointers (and use of those
363  * pointers) is safe because modification is done only when exclusive
364  * on both inner and outer perimeters.
365  */
366 static tuncl_t *
367 tcl_by_minor(minor_t dminor)
368 {
369 	tuncl_t *tcl = NULL;
370 
371 	if ((dminor >= 1) && (dminor <= tcl_nslots) && tcl_slots != NULL) {
372 		tcl = tcl_slots[dminor - 1];
373 	}
374 
375 	return (tcl);
376 }
377 
378 /*
379  * Set up kstats for upper or lower stream.
380  */
381 static kstat_t *
382 kstat_setup(kstat_named_t *knt, const char **names, int nstat,
383     const char *modname, int unitnum)
384 {
385 	kstat_t *ksp;
386 	char unitname[KSTAT_STRLEN];
387 	int i;
388 
389 	for (i = 0; i < nstat; i++) {
390 		kstat_set_string(knt[i].name, names[i]);
391 		knt[i].data_type = KSTAT_DATA_UINT64;
392 	}
393 	(void) sprintf(unitname, "%s" "%d", modname, unitnum);
394 	ksp = kstat_create(modname, unitnum, unitname, "net",
395 	    KSTAT_TYPE_NAMED, nstat, KSTAT_FLAG_VIRTUAL);
396 	if (ksp != NULL) {
397 		ksp->ks_data = (void *)knt;
398 		kstat_install(ksp);
399 	}
400 	return (ksp);
401 }
402 
403 /*
404  * sppptun_open()
405  *
406  * MT-Perimeters:
407  *    exclusive inner, exclusive outer.
408  *
409  * Description:
410  *    Common open procedure for module and driver.
411  */
412 static int
413 sppptun_open(queue_t *q, dev_t *devp, int oflag, int sflag, cred_t *credp)
414 {
415 	_NOTE(ARGUNUSED(oflag))
416 
417 	/* Allow a re-open */
418 	if (q->q_ptr != NULL)
419 		return (0);
420 
421 	/* In the off chance that we're on our way out, just return error */
422 	if (tcl_slots == NULL)
423 		return (EINVAL);
424 
425 	if (sflag & MODOPEN) {
426 		tunll_t *tll;
427 		char *cp;
428 
429 		/* ordinary users have no need to push this module */
430 		if (secpolicy_net_config(credp, B_FALSE) != 0)
431 			return (EPERM);
432 
433 		tll = kmem_zalloc(sizeof (tunll_t), KM_SLEEP);
434 
435 		tll->tll_index = tunll_index++;
436 
437 		tll->tll_wq = WR(q);
438 
439 		/* Insert at end of list */
440 		insque(&tll->tll_next, tunll_list.q_back);
441 		q->q_ptr = WR(q)->q_ptr = tll;
442 
443 		tll->tll_style = PTS_PPPOE;
444 		tll->tll_alen = sizeof (tll->tll_lcladdr.pta_pppoe);
445 
446 		tll->tll_ksp = kstat_setup((kstat_named_t *)&tll->tll_kstats,
447 		    tll_kstats_list, Dim(tll_kstats_list), "tll",
448 		    tll->tll_index);
449 
450 		/*
451 		 * Find the name of the driver somewhere beneath us.
452 		 * Note that we have no driver under us until after
453 		 * qprocson().
454 		 */
455 		qprocson(q);
456 		for (q = WR(q); q->q_next != NULL; q = q->q_next)
457 			;
458 		cp = NULL;
459 		if (q->q_qinfo != NULL && q->q_qinfo->qi_minfo != NULL)
460 			cp = q->q_qinfo->qi_minfo->mi_idname;
461 		if (cp != NULL && *cp == '\0')
462 			cp = NULL;
463 
464 		/* Set initial name; user should overwrite. */
465 		if (cp == NULL)
466 			(void) snprintf(tll->tll_name, sizeof (tll->tll_name),
467 			    PPP_TUN_NAME "%d", tll->tll_index);
468 		else
469 			(void) snprintf(tll->tll_name, sizeof (tll->tll_name),
470 			    "%s:tun%d", cp, tll->tll_index);
471 	} else {
472 		tuncl_t	*tcl;
473 
474 		ASSERT(devp != NULL);
475 		if (sflag & CLONEOPEN) {
476 			tcl = tuncl_alloc(-1);
477 		} else {
478 			minor_t mn;
479 
480 			/*
481 			 * Support of non-clone open (ie, mknod with
482 			 * defined minor number) is supported for
483 			 * testing purposes so that 'arbitrary' minor
484 			 * numbers can be used.
485 			 */
486 			mn = getminor(*devp);
487 			if (mn == 0 || (tcl = tcl_by_minor(mn)) != NULL) {
488 				return (EPERM);
489 			}
490 			tcl = tuncl_alloc(mn);
491 		}
492 		if (tcl == NULL)
493 			return (ENOSR);
494 		tcl->tcl_rq = q;		/* save read queue pointer */
495 		tcl->tcl_flags |= TCLF_ISCLIENT;	/* sanity check */
496 
497 		q->q_ptr = WR(q)->q_ptr = (caddr_t)tcl;
498 		*devp = makedevice(getmajor(*devp), tcl->tcl_lsessid);
499 
500 		tcl->tcl_ksp = kstat_setup((kstat_named_t *)&tcl->tcl_kstats,
501 		    tcl_kstats_list, Dim(tcl_kstats_list), "tcl",
502 		    tcl->tcl_lsessid);
503 
504 		qprocson(q);
505 	}
506 	return (0);
507 }
508 
509 /*
510  * Create an appropriate control message for this client event.
511  */
512 static mblk_t *
513 make_control(tuncl_t *tclabout, tunll_t *tllabout, int action, tuncl_t *tclto)
514 {
515 	struct ppptun_control *ptc;
516 	mblk_t *mp = allocb(sizeof (*ptc), BPRI_HI);
517 
518 	if (mp != NULL) {
519 		MTYPE(mp) = M_PROTO;
520 		ptc = (struct ppptun_control *)mp->b_wptr;
521 		mp->b_wptr += sizeof (*ptc);
522 		if (tclabout != NULL) {
523 			ptc->ptc_rsessid = tclabout->tcl_rsessid;
524 			ptc->ptc_address = tclabout->tcl_address;
525 		} else {
526 			bzero(ptc, sizeof (*ptc));
527 		}
528 		ptc->ptc_discrim = tclto->tcl_ctlval;
529 		ptc->ptc_action = action;
530 		(void) strncpy(ptc->ptc_name, tllabout->tll_name,
531 		    sizeof (ptc->ptc_name));
532 	}
533 	return (mp);
534 }
535 
536 /*
537  * Send an appropriate control message up this client session.
538  */
539 static void
540 send_control(tuncl_t *tclabout, tunll_t *tllabout, int action, tuncl_t *tcl)
541 {
542 	mblk_t *mp;
543 
544 	if (tcl->tcl_rq != NULL) {
545 		mp = make_control(tclabout, tllabout, action, tcl);
546 		if (mp != NULL) {
547 			KCINCR(cks_octrl_spec);
548 			putnext(tcl->tcl_rq, mp);
549 		}
550 	}
551 }
552 
553 /*
554  * If a lower stream is being unplumbed, then the upper streams
555  * connected to this lower stream must be disconnected.  This routine
556  * accomplishes this by sending M_HANGUP to data streams and M_PROTO
557  * messages to control streams.  This is called by vmem_walk, and
558  * handles a span of minor node numbers.
559  *
560  * No need to update lks_clients here; the lower stream is on its way
561  * out.
562  */
563 static void
564 tclvm_remove_tll(void *arg, void *firstv, size_t numv)
565 {
566 	tunll_t *tll = (tunll_t *)arg;
567 	int minorn = (int)(uintptr_t)firstv;
568 	int minormax = minorn + numv;
569 	tuncl_t *tcl;
570 	mblk_t *mp;
571 
572 	while (minorn < minormax) {
573 		tcl = tcl_slots[minorn - 1];
574 		ASSERT(tcl != NULL);
575 		if (tcl->tcl_data_tll == tll && tcl->tcl_rq != NULL) {
576 			tcl->tcl_data_tll = NULL;
577 			mp = allocb(0, BPRI_HI);
578 			if (mp != NULL) {
579 				MTYPE(mp) = M_HANGUP;
580 				putnext(tcl->tcl_rq, mp);
581 				if (tcl->tcl_ctrl_tll == tll)
582 					tcl->tcl_ctrl_tll = NULL;
583 			}
584 		}
585 		if (tcl->tcl_ctrl_tll == tll) {
586 			send_control(tcl, tll, PTCA_UNPLUMB, tcl);
587 			tcl->tcl_ctrl_tll = NULL;
588 		}
589 		minorn++;
590 	}
591 }
592 
593 /*
594  * sppptun_close()
595  *
596  * MT-Perimeters:
597  *    exclusive inner, exclusive outer.
598  *
599  * Description:
600  *    Common close procedure for module and driver.
601  */
602 static int
603 sppptun_close(queue_t *q)
604 {
605 	int err;
606 	void *qptr;
607 	tunll_t *tll;
608 	tuncl_t *tcl;
609 
610 	qptr = q->q_ptr;
611 
612 	err = 0;
613 	tll = qptr;
614 	if (!(tll->tll_flags & TLLF_NOTLOWER)) {
615 		/* q_next is set on modules */
616 		ASSERT(WR(q)->q_next != NULL);
617 
618 		/* unlink any clients using this lower layer. */
619 		vmem_walk(tcl_minor_arena, VMEM_ALLOC, tclvm_remove_tll, tll);
620 
621 		/* tell daemon that this has been removed. */
622 		if ((tcl = tll->tll_defcl) != NULL)
623 			send_control(NULL, tll, PTCA_UNPLUMB, tcl);
624 
625 		tll->tll_flags |= TLLF_CLOSING;
626 		while (!(tll->tll_flags & TLLF_CLOSE_DONE)) {
627 			qenable(tll->tll_wq);
628 			qwait(tll->tll_wq);
629 		}
630 		tll->tll_error = 0;
631 		while (!(tll->tll_flags & TLLF_SHUTDOWN_DONE)) {
632 			if (!qwait_sig(tll->tll_wq))
633 				break;
634 		}
635 
636 		qprocsoff(q);
637 		q->q_ptr = WR(q)->q_ptr = NULL;
638 		tll->tll_wq = NULL;
639 		remque(&tll->tll_next);
640 		err = tll->tll_error;
641 		if (tll->tll_ksp != NULL)
642 			kstat_delete(tll->tll_ksp);
643 		kmem_free(tll, sizeof (*tll));
644 	} else {
645 		tcl = qptr;
646 
647 		/* devices are end of line; no q_next. */
648 		ASSERT(WR(q)->q_next == NULL);
649 
650 		qprocsoff(q);
651 		DTRACE_PROBE1(sppptun__client__close, tuncl_t *, tcl);
652 		tcl->tcl_rq = NULL;
653 		q->q_ptr = WR(q)->q_ptr = NULL;
654 
655 		tll = TO_TLL(tunll_list.q_forw);
656 		while (tll != TO_TLL(&tunll_list)) {
657 			if (tll->tll_defcl == tcl)
658 				tll->tll_defcl = NULL;
659 			if (tll->tll_lastcl == tcl)
660 				tll->tll_lastcl = NULL;
661 			tll = TO_TLL(tll->tll_next);
662 		}
663 		/*
664 		 * If this was a normal session, then tell the daemon.
665 		 */
666 		if (!(tcl->tcl_flags & TCLF_DAEMON) &&
667 		    (tll = tcl->tcl_ctrl_tll) != NULL &&
668 		    tll->tll_defcl != NULL) {
669 			send_control(tcl, tll, PTCA_DISCONNECT,
670 			    tll->tll_defcl);
671 		}
672 
673 		/* Update statistics for references being dropped. */
674 		if ((tll = tcl->tcl_data_tll) != NULL) {
675 			KLDECR(lks_clients);
676 		}
677 		if ((tll = tcl->tcl_ctrl_tll) != NULL) {
678 			KLDECR(lks_clients);
679 		}
680 
681 		tuncl_free(tcl);
682 	}
683 
684 	return (err);
685 }
686 
687 /*
688  * Allocate and initialize a DLPI or TPI template of the specified
689  * length.
690  */
691 static mblk_t *
692 pi_alloc(size_t len, int prim)
693 {
694 	mblk_t	*mp;
695 
696 	mp = allocb(len, BPRI_MED);
697 	if (mp != NULL) {
698 		MTYPE(mp) = M_PROTO;
699 		mp->b_wptr = mp->b_rptr + len;
700 		bzero(mp->b_rptr, len);
701 		*(int *)mp->b_rptr = prim;
702 	}
703 	return (mp);
704 }
705 
706 #define	dlpi_alloc(l, p)	pi_alloc((l), (p))
707 
708 /*
709  * Prepend some room to an mblk.  Try to reuse the existing buffer, if
710  * at all possible, rather than allocating a new one.  (Fast-path
711  * output should be able to use this.)
712  *
713  * (XXX why isn't this a library function ...?)
714  */
715 static mblk_t *
716 prependb(mblk_t *mp, size_t len, size_t align)
717 {
718 	mblk_t *newmp;
719 
720 
721 	if (align == 0)
722 		align = 8;
723 	if (DB_REF(mp) > 1 || mp->b_datap->db_base+len > mp->b_rptr ||
724 	    ((uint_t)((uintptr_t)mp->b_rptr - len) % align) != 0) {
725 		if ((newmp = allocb(len, BPRI_LO)) == NULL) {
726 			freemsg(mp);
727 			return (NULL);
728 		}
729 		newmp->b_wptr = newmp->b_rptr + len;
730 		newmp->b_cont = mp;
731 		return (newmp);
732 	}
733 	mp->b_rptr -= len;
734 	return (mp);
735 }
736 
737 /*
738  * sppptun_outpkt()
739  *
740  * MT-Perimeters:
741  *	shared inner, shared outer (if called from sppptun_uwput),
742  *	exclusive inner, shared outer (if called from sppptun_uwsrv).
743  *
744  * Description:
745  *    Called from sppptun_uwput or sppptun_uwsrv when processing a
746  *    M_DATA, M_PROTO, or M_PCPROTO message.  For all cases, it tries
747  *    to prepare the data to be sent to the module below this driver
748  *    if there is a lower stream linked underneath.  If no lower
749  *    stream exists, then the data will be discarded and an ENXIO
750  *    error returned.
751  *
752  * Returns:
753  *	pointer to queue if caller should do putnext, otherwise
754  *	*mpp != NULL if message should be enqueued, otherwise
755  *	*mpp == NULL if message is gone.
756  */
757 static queue_t *
758 sppptun_outpkt(queue_t *q, mblk_t **mpp)
759 {
760 	mblk_t *mp;
761 	tuncl_t *tcl;
762 	tunll_t *tll;
763 	mblk_t *encmb;
764 	mblk_t *datamb;
765 	dl_unitdata_req_t *dur;
766 	queue_t *lowerq;
767 	poep_t *poep;
768 	int len;
769 	ether_dest_t *edestp;
770 	enum { luNone, luCopy, luSend } loopup;
771 	boolean_t isdata;
772 	struct ppptun_control *ptc;
773 
774 	mp = *mpp;
775 	tcl = q->q_ptr;
776 
777 	*mpp = NULL;
778 	if (!(tcl->tcl_flags & TCLF_ISCLIENT)) {
779 		merror(q, mp, EINVAL);
780 		return (NULL);
781 	}
782 
783 	isdata = (MTYPE(mp) == M_DATA);
784 	if (isdata) {
785 		tll = tcl->tcl_data_tll;
786 		ptc = NULL;
787 	} else {
788 		/*
789 		 * If data are unaligned or otherwise unsuitable, then
790 		 * discard.
791 		 */
792 		if (MBLKL(mp) != sizeof (*ptc) || DB_REF(mp) > 1 ||
793 		    !IS_P2ALIGNED(mp->b_rptr, sizeof (ptc))) {
794 			KCINCR(cks_octrl_drop);
795 			DTRACE_PROBE2(sppptun__bad__control, tuncl_t *, tcl,
796 			    mblk_t *, mp);
797 			merror(q, mp, EINVAL);
798 			return (NULL);
799 		}
800 		ptc = (struct ppptun_control *)mp->b_rptr;
801 
802 		/* Set stream discriminator value if not yet set. */
803 		if (tcl->tcl_ctlval == 0)
804 			tcl->tcl_ctlval = ptc->ptc_discrim;
805 
806 		/* If this is a test message, then reply to caller. */
807 		if (ptc->ptc_action == PTCA_TEST) {
808 			DTRACE_PROBE2(sppptun__test, tuncl_t *, tcl,
809 			    struct ppptun_control *, ptc);
810 			if (mp->b_cont != NULL) {
811 				freemsg(mp->b_cont);
812 				mp->b_cont = NULL;
813 			}
814 			ptc->ptc_discrim = tcl->tcl_ctlval;
815 			putnext(RD(q), mp);
816 			return (NULL);
817 		}
818 
819 		/* If this one isn't for us, then discard it */
820 		if (tcl->tcl_ctlval != ptc->ptc_discrim) {
821 			DTRACE_PROBE2(sppptun__bad__discrim, tuncl_t *, tcl,
822 			    struct ppptun_control *, ptc);
823 			freemsg(mp);
824 			return (NULL);
825 		}
826 
827 		/* Don't allow empty control packets. */
828 		if (mp->b_cont == NULL) {
829 			KCINCR(cks_octrl_drop);
830 			merror(q, mp, EINVAL);
831 			return (NULL);
832 		}
833 		tll = tcl->tcl_ctrl_tll;
834 	}
835 
836 	if (tll == NULL || (lowerq = tll->tll_wq) == NULL) {
837 		DTRACE_PROBE3(sppptun__cannot__send, tuncl_t *, tcl,
838 		    tunll_t *, tll, mblk_t *, mp);
839 		merror(q, mp, ENXIO);
840 		if (isdata) {
841 			tcl->tcl_stats.ppp_oerrors++;
842 		} else {
843 			KCINCR(cks_octrl_drop);
844 		}
845 		return (NULL);
846 	}
847 
848 	/*
849 	 * If so, then try to send it down.  The lower queue is only
850 	 * ever detached while holding an exclusive lock on the whole
851 	 * driver, so we can be confident that the lower queue is
852 	 * still there.
853 	 */
854 	if (!bcanputnext(lowerq, mp->b_band)) {
855 		DTRACE_PROBE3(sppptun__flow__control, tuncl_t *, tcl,
856 		    tunll_t *, tll, mblk_t *, mp);
857 		*mpp = mp;
858 		return (NULL);
859 	}
860 
861 	/*
862 	 * Note: DLPI and TPI expect that the first buffer contains
863 	 * the control (unitdata-req) header, destination address, and
864 	 * nothing else.  Any protocol headers must go in the next
865 	 * buffer.
866 	 */
867 	loopup = luNone;
868 	encmb = NULL;
869 	if (isdata) {
870 		if (tll->tll_alen != 0 &&
871 		    bcmp(&tcl->tcl_address, &tll->tll_lcladdr,
872 		    tll->tll_alen) == 0)
873 			loopup = luSend;
874 		switch (tll->tll_style) {
875 		case PTS_PPPOE:
876 			/* Strip address and control fields if present. */
877 			if (mp->b_rptr[0] == 0xFF) {
878 				if (MBLKL(mp) < 3) {
879 					encmb = msgpullup(mp, 3);
880 					freemsg(mp);
881 					if ((mp = encmb) == NULL)
882 						break;
883 				}
884 				mp->b_rptr += 2;
885 			}
886 			/* Broadcasting data is probably not a good idea. */
887 			if (tcl->tcl_address.pta_pppoe.ptma_mac[0] & 1)
888 				break;
889 			encmb = dlpi_alloc(sizeof (*dur) + sizeof (*edestp),
890 			    DL_UNITDATA_REQ);
891 			if (encmb == NULL)
892 				break;
893 
894 			dur = (dl_unitdata_req_t *)encmb->b_rptr;
895 			dur->dl_dest_addr_length = sizeof (*edestp);
896 			dur->dl_dest_addr_offset = sizeof (*dur);
897 			edestp = (ether_dest_t *)(dur + 1);
898 			ether_copy(tcl->tcl_address.pta_pppoe.ptma_mac,
899 			    edestp->addr);
900 			/* DLPI SAPs are in host byte order! */
901 			edestp->type = ETHERTYPE_PPPOES;
902 
903 			/* Make sure the protocol field isn't compressed. */
904 			len = (*mp->b_rptr & 1);
905 			mp = prependb(mp, sizeof (*poep) + len, POE_HDR_ALIGN);
906 			if (mp == NULL)
907 				break;
908 			poep = (poep_t *)mp->b_rptr;
909 			poep->poep_version_type = POE_VERSION;
910 			poep->poep_code = POECODE_DATA;
911 			poep->poep_session_id = htons(tcl->tcl_rsessid);
912 			poep->poep_length = htons(msgsize(mp) -
913 			    sizeof (*poep));
914 			if (len > 0)
915 				*(char *)(poep + 1) = '\0';
916 			break;
917 
918 		default:
919 			ASSERT(0);
920 		}
921 	} else {
922 		/*
923 		 * Control side encapsulation.
924 		 */
925 		if (bcmp(&ptc->ptc_address, &tll->tll_lcladdr, tll->tll_alen)
926 		    == 0)
927 			loopup = luSend;
928 		datamb = mp->b_cont;
929 		switch (tll->tll_style) {
930 		case PTS_PPPOE:
931 			/*
932 			 * Don't allow a loopback session to establish
933 			 * itself.  PPPoE is broken; it uses only one
934 			 * session ID for both data directions, so the
935 			 * loopback data path can simply never work.
936 			 */
937 			if (loopup == luSend &&
938 			    ((poep_t *)datamb->b_rptr)->poep_code ==
939 			    POECODE_PADR)
940 				break;
941 			encmb = dlpi_alloc(sizeof (*dur) + sizeof (*edestp),
942 			    DL_UNITDATA_REQ);
943 			if (encmb == NULL)
944 				break;
945 			dur = (dl_unitdata_req_t *)encmb->b_rptr;
946 			dur->dl_dest_addr_length = sizeof (*edestp);
947 			dur->dl_dest_addr_offset = sizeof (*dur);
948 
949 			edestp = (ether_dest_t *)(dur + 1);
950 			/* DLPI SAPs are in host byte order! */
951 			edestp->type = ETHERTYPE_PPPOED;
952 
953 			/*
954 			 * If destination isn't set yet, then we have to
955 			 * allow anything at all.  Otherwise, force use
956 			 * of configured peer address.
957 			 */
958 			if (bcmp(tcl->tcl_address.pta_pppoe.ptma_mac,
959 			    zero_mac_addr, sizeof (zero_mac_addr)) == 0 ||
960 			    (tcl->tcl_flags & TCLF_DAEMON)) {
961 				ether_copy(ptc->ptc_address.pta_pppoe.ptma_mac,
962 				    edestp->addr);
963 			} else {
964 				ether_copy(tcl->tcl_address.pta_pppoe.ptma_mac,
965 				    edestp->addr);
966 			}
967 			/* Reflect multicast/broadcast back up. */
968 			if (edestp->addr[0] & 1)
969 				loopup = luCopy;
970 			break;
971 
972 		case PTS_PPTP:
973 			/*
974 			 * PPTP's control side is actually done over
975 			 * separate TCP connections.
976 			 */
977 		default:
978 			ASSERT(0);
979 		}
980 		freeb(mp);
981 		mp = datamb;
982 	}
983 	if (mp == NULL || encmb == NULL) {
984 		DTRACE_PROBE1(sppptun__output__failure, tuncl_t *, tcl);
985 		freemsg(mp);
986 		freemsg(encmb);
987 		if (isdata) {
988 			tcl->tcl_stats.ppp_oerrors++;
989 		} else {
990 			KCINCR(cks_octrl_drop);
991 			KLINCR(lks_octrl_drop);
992 		}
993 		lowerq = NULL;
994 	} else {
995 		if (isdata) {
996 			tcl->tcl_stats.ppp_obytes += msgsize(mp);
997 			tcl->tcl_stats.ppp_opackets++;
998 		} else {
999 			KCINCR(cks_octrls);
1000 			KLINCR(lks_octrls);
1001 		}
1002 		if (encmb != mp)
1003 			encmb->b_cont = mp;
1004 		switch (loopup) {
1005 		case luNone:
1006 			*mpp = encmb;
1007 			break;
1008 		case luCopy:
1009 			mp = copymsg(encmb);
1010 			if (mp != NULL)
1011 				sppptun_urput(RD(lowerq), mp);
1012 			*mpp = encmb;
1013 			break;
1014 		case luSend:
1015 			sppptun_urput(RD(lowerq), encmb);
1016 			lowerq = NULL;
1017 			break;
1018 		}
1019 	}
1020 	return (lowerq);
1021 }
1022 
1023 /*
1024  * Enqueue a message to be sent when the lower stream is closed.  This
1025  * is done so that we're guaranteed that we always have the necessary
1026  * resources to properly detach ourselves from the system.  (If we
1027  * waited until the close was done to allocate these messages, then
1028  * the message allocation could fail, and we'd be unable to properly
1029  * detach.)
1030  */
1031 static void
1032 save_for_close(tunll_t *tll, mblk_t *mp)
1033 {
1034 	mblk_t *onc;
1035 
1036 	if ((onc = tll->tll_onclose) == NULL)
1037 		tll->tll_onclose = mp;
1038 	else {
1039 		while (onc->b_next != NULL)
1040 			onc = onc->b_next;
1041 		onc->b_next = mp;
1042 	}
1043 }
1044 
1045 /*
1046  * Given the lower stream name, locate the state structure.  Note that
1047  * lookup of tcl pointers (and use of those pointers) is safe because
1048  * modification is done only when exclusive on both inner and outer
1049  * perimeters.
1050  */
1051 static tunll_t *
1052 tll_lookup_on_name(char *dname)
1053 {
1054 	tunll_t *tll;
1055 
1056 	tll = TO_TLL(tunll_list.q_forw);
1057 	for (; tll != TO_TLL(&tunll_list); tll = TO_TLL(tll->tll_next))
1058 		if (strcmp(dname, tll->tll_name) == 0)
1059 			return (tll);
1060 	return (NULL);
1061 }
1062 
1063 /*
1064  * sppptun_inner_ioctl()
1065  *
1066  * MT-Perimeters:
1067  *    exclusive inner, shared outer.
1068  *
1069  * Description:
1070  *    Called by qwriter from sppptun_ioctl as the result of receiving
1071  *    a handled ioctl.
1072  */
1073 static void
1074 sppptun_inner_ioctl(queue_t *q, mblk_t *mp)
1075 {
1076 	struct iocblk *iop;
1077 	int rc = 0;
1078 	int len = 0;
1079 	int i;
1080 	tuncl_t *tcl;
1081 	tunll_t *tll;
1082 	union ppptun_name *ptn;
1083 	struct ppptun_info *pti;
1084 	struct ppptun_peer *ptp;
1085 	mblk_t *mptmp;
1086 	ppptun_atype *pap;
1087 	struct ppp_stats64 *psp;
1088 
1089 	iop = (struct iocblk *)mp->b_rptr;
1090 	tcl = NULL;
1091 	tll = q->q_ptr;
1092 	if (tll->tll_flags & TLLF_NOTLOWER) {
1093 		tcl = (tuncl_t *)tll;
1094 		tll = NULL;
1095 	}
1096 
1097 	DTRACE_PROBE3(sppptun__ioctl, tuncl_t *, tcl, tunll_t *, tll,
1098 	    struct iocblk *, iop);
1099 
1100 	switch (iop->ioc_cmd) {
1101 	case PPPIO_DEBUG:
1102 		/*
1103 		 * Debug requests are now ignored; use dtrace or wireshark
1104 		 * instead.
1105 		 */
1106 		break;
1107 
1108 	case PPPIO_GETSTAT:
1109 		rc = EINVAL;
1110 		break;
1111 
1112 	case PPPIO_GETSTAT64:
1113 		/* Client (device) side only */
1114 		if (tcl == NULL) {
1115 			rc = EINVAL;
1116 			break;
1117 		}
1118 		mptmp = allocb(sizeof (*psp), BPRI_HI);
1119 		if (mptmp == NULL) {
1120 			rc = ENOSR;
1121 			break;
1122 		}
1123 		freemsg(mp->b_cont);
1124 		mp->b_cont = mptmp;
1125 
1126 		psp = (struct ppp_stats64 *)mptmp->b_wptr;
1127 		bzero((caddr_t)psp, sizeof (*psp));
1128 		psp->p = tcl->tcl_stats;
1129 
1130 		len = sizeof (*psp);
1131 		break;
1132 
1133 	case PPPTUN_SNAME:
1134 		/* This is done on the *module* (lower level) side. */
1135 		if (tll == NULL || mp->b_cont == NULL ||
1136 		    iop->ioc_count != sizeof (*ptn) ||
1137 		    *mp->b_cont->b_rptr == '\0') {
1138 			rc = EINVAL;
1139 			break;
1140 		}
1141 
1142 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1143 		ptn->ptn_name[sizeof (ptn->ptn_name) - 1] = '\0';
1144 
1145 		if ((tll = tll_lookup_on_name(ptn->ptn_name)) != NULL) {
1146 			rc = EEXIST;
1147 			break;
1148 		}
1149 		tll = (tunll_t *)q->q_ptr;
1150 		(void) strcpy(tll->tll_name, ptn->ptn_name);
1151 		break;
1152 
1153 	case PPPTUN_GNAME:
1154 		/* This is done on the *module* (lower level) side. */
1155 		if (tll == NULL) {
1156 			rc = EINVAL;
1157 			break;
1158 		}
1159 		if (mp->b_cont != NULL)
1160 			freemsg(mp->b_cont);
1161 		if ((mp->b_cont = allocb(sizeof (*ptn), BPRI_HI)) == NULL) {
1162 			rc = ENOSR;
1163 			break;
1164 		}
1165 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1166 		bcopy(tll->tll_name, ptn->ptn_name, sizeof (ptn->ptn_name));
1167 		len = sizeof (*ptn);
1168 		break;
1169 
1170 	case PPPTUN_SINFO:
1171 	case PPPTUN_GINFO:
1172 		/* Either side */
1173 		if (mp->b_cont == NULL || iop->ioc_count != sizeof (*pti)) {
1174 			rc = EINVAL;
1175 			break;
1176 		}
1177 		pti = (struct ppptun_info *)mp->b_cont->b_rptr;
1178 		if (pti->pti_name[0] != '\0')
1179 			tll = tll_lookup_on_name(pti->pti_name);
1180 		if (tll == NULL) {
1181 			/* Driver (client) side must have name */
1182 			if (tcl != NULL && pti->pti_name[0] == '\0')
1183 				rc = EINVAL;
1184 			else
1185 				rc = ESRCH;
1186 			break;
1187 		}
1188 		if (iop->ioc_cmd == PPPTUN_GINFO) {
1189 			pti->pti_muxid = tll->tll_muxid;
1190 			pti->pti_style = tll->tll_style;
1191 			len = sizeof (*pti);
1192 			break;
1193 		}
1194 		tll->tll_muxid = pti->pti_muxid;
1195 		tll->tll_style = pti->pti_style;
1196 		switch (tll->tll_style) {
1197 		case PTS_PPPOE:		/* DLPI type */
1198 			tll->tll_alen = sizeof (tll->tll_lcladdr.pta_pppoe);
1199 			mptmp = dlpi_alloc(sizeof (dl_unbind_req_t),
1200 			    DL_UNBIND_REQ);
1201 			if (mptmp == NULL) {
1202 				rc = ENOSR;
1203 				break;
1204 			}
1205 			save_for_close(tll, mptmp);
1206 			mptmp = dlpi_alloc(sizeof (dl_detach_req_t),
1207 			    DL_DETACH_REQ);
1208 			if (mptmp == NULL) {
1209 				rc = ENOSR;
1210 				break;
1211 			}
1212 			save_for_close(tll, mptmp);
1213 			break;
1214 		default:
1215 			tll->tll_style = PTS_NONE;
1216 			tll->tll_alen = 0;
1217 			rc = EINVAL;
1218 			break;
1219 		}
1220 		break;
1221 
1222 	case PPPTUN_GNNAME:
1223 		/* This can be done on either side. */
1224 		if (mp->b_cont == NULL || iop->ioc_count < sizeof (uint32_t)) {
1225 			rc = EINVAL;
1226 			break;
1227 		}
1228 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1229 		i = ptn->ptn_index;
1230 		tll = TO_TLL(tunll_list.q_forw);
1231 		while (--i >= 0 && tll != TO_TLL(&tunll_list))
1232 			tll = TO_TLL(tll->tll_next);
1233 		if (tll != TO_TLL(&tunll_list)) {
1234 			bcopy(tll->tll_name, ptn->ptn_name,
1235 			    sizeof (ptn->ptn_name));
1236 		} else {
1237 			bzero(ptn, sizeof (*ptn));
1238 		}
1239 		len = sizeof (*ptn);
1240 		break;
1241 
1242 	case PPPTUN_LCLADDR:
1243 		/* This is done on the *module* (lower level) side. */
1244 		if (tll == NULL || mp->b_cont == NULL) {
1245 			rc = EINVAL;
1246 			break;
1247 		}
1248 
1249 		pap = &tll->tll_lcladdr;
1250 		len = tll->tll_alen;
1251 		if (len == 0 || len > iop->ioc_count) {
1252 			rc = EINVAL;
1253 			break;
1254 		}
1255 		bcopy(mp->b_cont->b_rptr, pap, len);
1256 		len = 0;
1257 		break;
1258 
1259 	case PPPTUN_SPEER:
1260 		/* Client (device) side only; before SDATA */
1261 		if (tcl == NULL || mp->b_cont == NULL ||
1262 		    iop->ioc_count != sizeof (*ptp)) {
1263 			rc = EINVAL;
1264 			break;
1265 		}
1266 		if (tcl->tcl_data_tll != NULL) {
1267 			rc = EINVAL;
1268 			break;
1269 		}
1270 		ptp = (struct ppptun_peer *)mp->b_cont->b_rptr;
1271 		DTRACE_PROBE2(sppptun__speer, tuncl_t *, tcl,
1272 		    struct ppptun_peer *, ptp);
1273 		/* Once set, the style cannot change. */
1274 		if (tcl->tcl_style != PTS_NONE &&
1275 		    tcl->tcl_style != ptp->ptp_style) {
1276 			rc = EINVAL;
1277 			break;
1278 		}
1279 		if (ptp->ptp_flags & PTPF_DAEMON) {
1280 			/* User requests registration for tunnel 0 */
1281 			if ((tcl->tcl_flags & TCLF_SPEER_DONE) ||
1282 			    ptp->ptp_ltunid != 0 || ptp->ptp_rtunid != 0 ||
1283 			    ptp->ptp_lsessid != 0 || ptp->ptp_rsessid != 0) {
1284 				rc = EINVAL;
1285 				break;
1286 			}
1287 			tcl->tcl_flags |= TCLF_DAEMON;
1288 		} else {
1289 			/* Normal client connection */
1290 			if (tcl->tcl_flags & TCLF_DAEMON) {
1291 				rc = EINVAL;
1292 				break;
1293 			}
1294 			if (ptp->ptp_lsessid != 0 &&
1295 			    ptp->ptp_lsessid != tcl->tcl_lsessid) {
1296 				rc = EINVAL;
1297 				break;
1298 			}
1299 			/*
1300 			 * If we're reassigning the peer data, then
1301 			 * the previous assignment must have been for
1302 			 * a client control connection.  Check that.
1303 			 */
1304 			if ((tcl->tcl_flags & TCLF_SPEER_DONE) &&
1305 			    ((tcl->tcl_ltunid != 0 &&
1306 			    tcl->tcl_ltunid != ptp->ptp_ltunid) ||
1307 			    (tcl->tcl_rtunid != 0 &&
1308 			    tcl->tcl_rtunid != ptp->ptp_rtunid) ||
1309 			    (tcl->tcl_rsessid != 0 &&
1310 			    tcl->tcl_rsessid != ptp->ptp_rsessid))) {
1311 				rc = EINVAL;
1312 				break;
1313 			}
1314 			if ((tcl->tcl_ltunid = ptp->ptp_ltunid) == 0 &&
1315 			    tcl->tcl_style == PTS_L2FTP)
1316 				tcl->tcl_ltunid = ptp->ptp_lsessid;
1317 			tcl->tcl_rtunid = ptp->ptp_rtunid;
1318 			tcl->tcl_rsessid = ptp->ptp_rsessid;
1319 		}
1320 		tcl->tcl_flags |= TCLF_SPEER_DONE;
1321 		tcl->tcl_style = ptp->ptp_style;
1322 		tcl->tcl_address = ptp->ptp_address;
1323 		goto fill_in_peer;
1324 
1325 	case PPPTUN_GPEER:
1326 		/* Client (device) side only */
1327 		if (tcl == NULL) {
1328 			rc = EINVAL;
1329 			break;
1330 		}
1331 		if (mp->b_cont != NULL)
1332 			freemsg(mp->b_cont);
1333 		mp->b_cont = allocb(sizeof (*ptp), BPRI_HI);
1334 		if (mp->b_cont == NULL) {
1335 			rc = ENOSR;
1336 			break;
1337 		}
1338 		ptp = (struct ppptun_peer *)mp->b_cont->b_rptr;
1339 	fill_in_peer:
1340 		ptp->ptp_style = tcl->tcl_style;
1341 		ptp->ptp_flags = (tcl->tcl_flags & TCLF_DAEMON) ? PTPF_DAEMON :
1342 		    0;
1343 		ptp->ptp_ltunid = tcl->tcl_ltunid;
1344 		ptp->ptp_rtunid = tcl->tcl_rtunid;
1345 		ptp->ptp_lsessid = tcl->tcl_lsessid;
1346 		ptp->ptp_rsessid = tcl->tcl_rsessid;
1347 		ptp->ptp_address = tcl->tcl_address;
1348 		len = sizeof (*ptp);
1349 		break;
1350 
1351 	case PPPTUN_SDATA:
1352 	case PPPTUN_SCTL:
1353 		/* Client (device) side only; must do SPEER first */
1354 		if (tcl == NULL || mp->b_cont == NULL ||
1355 		    iop->ioc_count != sizeof (*ptn) ||
1356 		    *mp->b_cont->b_rptr == '\0') {
1357 			rc = EINVAL;
1358 			break;
1359 		}
1360 		if (!(tcl->tcl_flags & TCLF_SPEER_DONE)) {
1361 			rc = EINVAL;
1362 			break;
1363 		}
1364 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1365 		ptn->ptn_name[sizeof (ptn->ptn_name) - 1] = '\0';
1366 		tll = tll_lookup_on_name(ptn->ptn_name);
1367 		if (tll == NULL) {
1368 			rc = ESRCH;
1369 			break;
1370 		}
1371 		if (tll->tll_style != tcl->tcl_style) {
1372 			rc = ENXIO;
1373 			break;
1374 		}
1375 		if (iop->ioc_cmd == PPPTUN_SDATA) {
1376 			if (tcl->tcl_data_tll != NULL) {
1377 				rc = EEXIST;
1378 				break;
1379 			}
1380 			/* server daemons cannot use regular data */
1381 			if (tcl->tcl_flags & TCLF_DAEMON) {
1382 				rc = EINVAL;
1383 				break;
1384 			}
1385 			tcl->tcl_data_tll = tll;
1386 		} else if (tcl->tcl_flags & TCLF_DAEMON) {
1387 			if (tll->tll_defcl != NULL && tll->tll_defcl != tcl) {
1388 				rc = EEXIST;
1389 				break;
1390 			}
1391 			tll->tll_defcl = tcl;
1392 			if (tcl->tcl_ctrl_tll != NULL) {
1393 				KDECR(tcl->tcl_ctrl_tll, tll_kstats,
1394 				    lks_clients);
1395 			}
1396 			tcl->tcl_ctrl_tll = tll;
1397 		} else {
1398 			if (tcl->tcl_ctrl_tll != NULL) {
1399 				rc = EEXIST;
1400 				break;
1401 			}
1402 			tcl->tcl_ctrl_tll = tll;
1403 		}
1404 		KLINCR(lks_clients);
1405 		break;
1406 
1407 	case PPPTUN_GDATA:
1408 	case PPPTUN_GCTL:
1409 		/* Client (device) side only */
1410 		if (tcl == NULL) {
1411 			rc = EINVAL;
1412 			break;
1413 		}
1414 		if (mp->b_cont != NULL)
1415 			freemsg(mp->b_cont);
1416 		mp->b_cont = allocb(sizeof (*ptn), BPRI_HI);
1417 		if (mp->b_cont == NULL) {
1418 			rc = ENOSR;
1419 			break;
1420 		}
1421 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1422 		if (iop->ioc_cmd == PPPTUN_GDATA)
1423 			tll = tcl->tcl_data_tll;
1424 		else
1425 			tll = tcl->tcl_ctrl_tll;
1426 		if (tll == NULL)
1427 			bzero(ptn, sizeof (*ptn));
1428 		else
1429 			bcopy(tll->tll_name, ptn->ptn_name,
1430 			    sizeof (ptn->ptn_name));
1431 		len = sizeof (*ptn);
1432 		break;
1433 
1434 	case PPPTUN_DCTL:
1435 		/* Client (device) side daemon mode only */
1436 		if (tcl == NULL || mp->b_cont == NULL ||
1437 		    iop->ioc_count != sizeof (*ptn) ||
1438 		    !(tcl->tcl_flags & TCLF_DAEMON)) {
1439 			rc = EINVAL;
1440 			break;
1441 		}
1442 		ptn = (union ppptun_name *)mp->b_cont->b_rptr;
1443 		ptn->ptn_name[sizeof (ptn->ptn_name) - 1] = '\0';
1444 		tll = tll_lookup_on_name(ptn->ptn_name);
1445 		if (tll == NULL || tll->tll_defcl != tcl) {
1446 			rc = ESRCH;
1447 			break;
1448 		}
1449 		tll->tll_defcl = NULL;
1450 		break;
1451 
1452 	default:
1453 		/* Caller should already have checked command value */
1454 		ASSERT(0);
1455 	}
1456 	if (rc != 0) {
1457 		miocnak(q, mp, 0, rc);
1458 	} else {
1459 		if (len > 0)
1460 			mp->b_cont->b_wptr = mp->b_cont->b_rptr + len;
1461 		miocack(q, mp, len, 0);
1462 	}
1463 }
1464 
1465 /*
1466  * sppptun_ioctl()
1467  *
1468  * MT-Perimeters:
1469  *    shared inner, shared outer.
1470  *
1471  * Description:
1472  *    Called by sppptun_uwput as the result of receiving a M_IOCTL command.
1473  */
1474 static void
1475 sppptun_ioctl(queue_t *q, mblk_t *mp)
1476 {
1477 	struct iocblk *iop;
1478 	int rc = 0;
1479 	int len = 0;
1480 	uint32_t val = 0;
1481 	tunll_t *tll;
1482 
1483 	iop = (struct iocblk *)mp->b_rptr;
1484 
1485 	switch (iop->ioc_cmd) {
1486 	case PPPIO_DEBUG:
1487 	case PPPIO_GETSTAT:
1488 	case PPPIO_GETSTAT64:
1489 	case PPPTUN_SNAME:
1490 	case PPPTUN_GNAME:
1491 	case PPPTUN_SINFO:
1492 	case PPPTUN_GINFO:
1493 	case PPPTUN_GNNAME:
1494 	case PPPTUN_LCLADDR:
1495 	case PPPTUN_SPEER:
1496 	case PPPTUN_GPEER:
1497 	case PPPTUN_SDATA:
1498 	case PPPTUN_GDATA:
1499 	case PPPTUN_SCTL:
1500 	case PPPTUN_GCTL:
1501 	case PPPTUN_DCTL:
1502 		qwriter(q, mp, sppptun_inner_ioctl, PERIM_INNER);
1503 		return;
1504 
1505 	case PPPIO_GCLEAN:	/* always clean */
1506 		val = RCV_B7_1 | RCV_B7_0 | RCV_ODDP | RCV_EVNP;
1507 		len = sizeof (uint32_t);
1508 		break;
1509 
1510 	case PPPIO_GTYPE:	/* we look like an async driver. */
1511 		val = PPPTYP_AHDLC;
1512 		len = sizeof (uint32_t);
1513 		break;
1514 
1515 	case PPPIO_CFLAGS:	/* never compress headers */
1516 		val = 0;
1517 		len = sizeof (uint32_t);
1518 		break;
1519 
1520 		/* quietly ack PPP things we don't need to do. */
1521 	case PPPIO_XFCS:
1522 	case PPPIO_RFCS:
1523 	case PPPIO_XACCM:
1524 	case PPPIO_RACCM:
1525 	case PPPIO_LASTMOD:
1526 	case PPPIO_MUX:
1527 	case I_PLINK:
1528 	case I_PUNLINK:
1529 	case I_LINK:
1530 	case I_UNLINK:
1531 		break;
1532 
1533 	default:
1534 		tll = (tunll_t *)q->q_ptr;
1535 		if (!(tll->tll_flags & TLLF_NOTLOWER)) {
1536 			/* module side; pass this through. */
1537 			putnext(q, mp);
1538 			return;
1539 		}
1540 		rc = EINVAL;
1541 		break;
1542 	}
1543 	if (rc == 0 && len == sizeof (uint32_t)) {
1544 		if (mp->b_cont != NULL)
1545 			freemsg(mp->b_cont);
1546 		mp->b_cont = allocb(sizeof (uint32_t), BPRI_HI);
1547 		if (mp->b_cont == NULL) {
1548 			rc = ENOSR;
1549 		} else {
1550 			*(uint32_t *)mp->b_cont->b_wptr = val;
1551 			mp->b_cont->b_wptr += sizeof (uint32_t);
1552 		}
1553 	}
1554 	if (rc == 0) {
1555 		miocack(q, mp, len, 0);
1556 	} else {
1557 		miocnak(q, mp, 0, rc);
1558 	}
1559 }
1560 
1561 /*
1562  * sppptun_inner_mctl()
1563  *
1564  * MT-Perimeters:
1565  *    exclusive inner, shared outer.
1566  *
1567  * Description:
1568  *    Called by qwriter (via sppptun_uwput) as the result of receiving
1569  *    an M_CTL.  Called only on the client (driver) side.
1570  */
1571 static void
1572 sppptun_inner_mctl(queue_t *q, mblk_t *mp)
1573 {
1574 	int msglen;
1575 	tuncl_t *tcl;
1576 
1577 	tcl = q->q_ptr;
1578 
1579 	if (!(tcl->tcl_flags & TCLF_ISCLIENT)) {
1580 		freemsg(mp);
1581 		return;
1582 	}
1583 
1584 	msglen = MBLKL(mp);
1585 	switch (*mp->b_rptr) {
1586 	case PPPCTL_UNIT:
1587 		if (msglen == 2)
1588 			tcl->tcl_unit = mp->b_rptr[1];
1589 		else if (msglen == 8)
1590 			tcl->tcl_unit = ((uint32_t *)mp->b_rptr)[1];
1591 		break;
1592 	}
1593 	freemsg(mp);
1594 }
1595 
1596 /*
1597  * sppptun_uwput()
1598  *
1599  * MT-Perimeters:
1600  *    shared inner, shared outer.
1601  *
1602  * Description:
1603  *	Regular output data and controls pass through here.
1604  */
1605 static void
1606 sppptun_uwput(queue_t *q, mblk_t *mp)
1607 {
1608 	queue_t *nextq;
1609 	tuncl_t *tcl;
1610 
1611 	ASSERT(q->q_ptr != NULL);
1612 
1613 	switch (MTYPE(mp)) {
1614 	case M_DATA:
1615 	case M_PROTO:
1616 	case M_PCPROTO:
1617 		if (q->q_first == NULL &&
1618 		    (nextq = sppptun_outpkt(q, &mp)) != NULL) {
1619 			putnext(nextq, mp);
1620 		} else if (mp != NULL && !putq(q, mp)) {
1621 			freemsg(mp);
1622 		}
1623 		break;
1624 	case M_IOCTL:
1625 		sppptun_ioctl(q, mp);
1626 		break;
1627 	case M_CTL:
1628 		qwriter(q, mp, sppptun_inner_mctl, PERIM_INNER);
1629 		break;
1630 	default:
1631 		tcl = (tuncl_t *)q->q_ptr;
1632 		/*
1633 		 * If we're the driver, then discard unknown junk.
1634 		 * Otherwise, if we're the module, then forward along.
1635 		 */
1636 		if (tcl->tcl_flags & TCLF_ISCLIENT)
1637 			freemsg(mp);
1638 		else
1639 			putnext(q, mp);
1640 		break;
1641 	}
1642 }
1643 
1644 /*
1645  * Send a DLPI/TPI control message to the driver but make sure there
1646  * is only one outstanding message.  Uses tll_msg_pending to tell when
1647  * it must queue.  sppptun_urput calls message_done() when an ACK or a
1648  * NAK is received to process the next queued message.
1649  */
1650 static void
1651 message_send(tunll_t *tll, mblk_t *mp)
1652 {
1653 	mblk_t **mpp;
1654 
1655 	if (tll->tll_msg_pending) {
1656 		/* Must queue message. Tail insertion */
1657 		mpp = &tll->tll_msg_deferred;
1658 		while (*mpp != NULL)
1659 			mpp = &((*mpp)->b_next);
1660 		*mpp = mp;
1661 		return;
1662 	}
1663 	tll->tll_msg_pending = 1;
1664 	putnext(tll->tll_wq, mp);
1665 }
1666 
1667 /*
1668  * Called when an DLPI/TPI control message has been acked or nacked to
1669  * send down the next queued message (if any).
1670  */
1671 static void
1672 message_done(tunll_t *tll)
1673 {
1674 	mblk_t *mp;
1675 
1676 	ASSERT(tll->tll_msg_pending);
1677 	tll->tll_msg_pending = 0;
1678 	mp = tll->tll_msg_deferred;
1679 	if (mp != NULL) {
1680 		tll->tll_msg_deferred = mp->b_next;
1681 		mp->b_next = NULL;
1682 		tll->tll_msg_pending = 1;
1683 		putnext(tll->tll_wq, mp);
1684 	}
1685 }
1686 
1687 /*
1688  * Send down queued "close" messages to lower stream.  These were
1689  * enqueued right after the stream was originally allocated, when the
1690  * tll_style was set by PPPTUN_SINFO.
1691  */
1692 static int
1693 tll_close_req(tunll_t *tll)
1694 {
1695 	mblk_t *mb, *mbnext;
1696 
1697 	if ((mb = tll->tll_onclose) == NULL)
1698 		tll->tll_flags |= TLLF_SHUTDOWN_DONE;
1699 	else {
1700 		tll->tll_onclose = NULL;
1701 		while (mb != NULL) {
1702 			mbnext = mb->b_next;
1703 			mb->b_next = NULL;
1704 			message_send(tll, mb);
1705 			mb = mbnext;
1706 		}
1707 	}
1708 	return (0);
1709 }
1710 
1711 /*
1712  * This function is called when a backenable occurs on the write side of a
1713  * lower stream.  It walks over the client streams, looking for ones that use
1714  * the given tunll_t lower stream.  Each client is then backenabled.
1715  */
1716 static void
1717 tclvm_backenable(void *arg, void *firstv, size_t numv)
1718 {
1719 	tunll_t *tll = arg;
1720 	int minorn = (int)(uintptr_t)firstv;
1721 	int minormax = minorn + numv;
1722 	tuncl_t *tcl;
1723 	queue_t *q;
1724 
1725 	while (minorn < minormax) {
1726 		tcl = tcl_slots[minorn - 1];
1727 		if ((tcl->tcl_data_tll == tll ||
1728 		    tcl->tcl_ctrl_tll == tll) &&
1729 		    (q = tcl->tcl_rq) != NULL) {
1730 			qenable(OTHERQ(q));
1731 		}
1732 		minorn++;
1733 	}
1734 }
1735 
1736 /*
1737  * sppptun_uwsrv()
1738  *
1739  * MT-Perimeters:
1740  *    exclusive inner, shared outer.
1741  *
1742  * Description:
1743  *    Upper write-side service procedure.  In addition to the usual
1744  *    STREAMS queue service handling, this routine also handles the
1745  *    transmission of the unbind/detach messages to the lower stream
1746  *    driver when a lower stream is being closed.  (See the use of
1747  *    qenable/qwait in sppptun_close().)
1748  */
1749 static int
1750 sppptun_uwsrv(queue_t *q)
1751 {
1752 	tuncl_t	*tcl;
1753 	mblk_t *mp;
1754 	queue_t *nextq;
1755 
1756 	tcl = q->q_ptr;
1757 	if (!(tcl->tcl_flags & TCLF_ISCLIENT)) {
1758 		tunll_t *tll = (tunll_t *)tcl;
1759 
1760 		if ((tll->tll_flags & (TLLF_CLOSING|TLLF_CLOSE_DONE)) ==
1761 		    TLLF_CLOSING) {
1762 			tll->tll_error = tll_close_req(tll);
1763 			tll->tll_flags |= TLLF_CLOSE_DONE;
1764 		} else {
1765 			/*
1766 			 * We've been enabled here because of a backenable on
1767 			 * output flow control.  Backenable clients using this
1768 			 * lower layer.
1769 			 */
1770 			vmem_walk(tcl_minor_arena, VMEM_ALLOC, tclvm_backenable,
1771 			    tll);
1772 		}
1773 		return (0);
1774 	}
1775 
1776 	while ((mp = getq(q)) != NULL) {
1777 		if ((nextq = sppptun_outpkt(q, &mp)) != NULL) {
1778 			putnext(nextq, mp);
1779 		} else if (mp != NULL) {
1780 			(void) putbq(q, mp);
1781 			break;
1782 		}
1783 	}
1784 	return (0);
1785 }
1786 
1787 /*
1788  * sppptun_lwput()
1789  *
1790  * MT-Perimeters:
1791  *    shared inner, shared outer.
1792  *
1793  * Description:
1794  *    Lower write-side put procedure.  Nothing should be sending
1795  *    packets down this stream.
1796  */
1797 static void
1798 sppptun_lwput(queue_t *q, mblk_t *mp)
1799 {
1800 	switch (MTYPE(mp)) {
1801 	case M_PROTO:
1802 		putnext(q, mp);
1803 		break;
1804 	default:
1805 		freemsg(mp);
1806 		break;
1807 	}
1808 }
1809 
1810 /*
1811  * sppptun_lrput()
1812  *
1813  * MT-Perimeters:
1814  *    shared inner, shared outer.
1815  *
1816  * Description:
1817  *    Lower read-side put procedure.  Nothing should arrive here.
1818  */
1819 static void
1820 sppptun_lrput(queue_t *q, mblk_t *mp)
1821 {
1822 	tuncl_t *tcl;
1823 
1824 	switch (MTYPE(mp)) {
1825 	case M_IOCTL:
1826 		miocnak(q, mp, 0, EINVAL);
1827 		return;
1828 	case M_FLUSH:
1829 		if (*mp->b_rptr & FLUSHR) {
1830 			flushq(q, FLUSHDATA);
1831 		}
1832 		if (*mp->b_rptr & FLUSHW) {
1833 			*mp->b_rptr &= ~FLUSHR;
1834 			qreply(q, mp);
1835 		} else {
1836 			freemsg(mp);
1837 		}
1838 		return;
1839 	}
1840 	/*
1841 	 * Try to forward the message to the put procedure for the upper
1842 	 * control stream for this lower stream. If there are already messages
1843 	 * queued here, queue this one up to preserve message ordering.
1844 	 */
1845 	if ((tcl = (tuncl_t *)q->q_ptr) == NULL || tcl->tcl_rq == NULL) {
1846 		freemsg(mp);
1847 		return;
1848 	}
1849 	if (queclass(mp) == QPCTL ||
1850 	    (q->q_first == NULL && canput(tcl->tcl_rq))) {
1851 		put(tcl->tcl_rq, mp);
1852 	} else {
1853 		if (!putq(q, mp))
1854 			freemsg(mp);
1855 	}
1856 }
1857 
1858 /*
1859  * MT-Perimeters:
1860  *    shared inner, shared outer.
1861  *
1862  *    Handle non-data DLPI messages.  Used with PPPoE, which runs over
1863  *    Ethernet only.
1864  */
1865 static void
1866 urput_dlpi(queue_t *q, mblk_t *mp)
1867 {
1868 	int err;
1869 	union DL_primitives *dlp = (union DL_primitives *)mp->b_rptr;
1870 	tunll_t *tll = q->q_ptr;
1871 	size_t mlen = MBLKL(mp);
1872 
1873 	switch (dlp->dl_primitive) {
1874 	case DL_UDERROR_IND:
1875 		break;
1876 
1877 	case DL_ERROR_ACK:
1878 		if (mlen < DL_ERROR_ACK_SIZE)
1879 			break;
1880 		err = dlp->error_ack.dl_unix_errno ?
1881 		    dlp->error_ack.dl_unix_errno : ENXIO;
1882 		switch (dlp->error_ack.dl_error_primitive) {
1883 		case DL_UNBIND_REQ:
1884 			message_done(tll);
1885 			break;
1886 		case DL_DETACH_REQ:
1887 			message_done(tll);
1888 			tll->tll_error = err;
1889 			tll->tll_flags |= TLLF_SHUTDOWN_DONE;
1890 			break;
1891 		case DL_PHYS_ADDR_REQ:
1892 			message_done(tll);
1893 			break;
1894 		case DL_INFO_REQ:
1895 		case DL_ATTACH_REQ:
1896 		case DL_BIND_REQ:
1897 			message_done(tll);
1898 			tll->tll_error = err;
1899 			break;
1900 		}
1901 		break;
1902 
1903 	case DL_INFO_ACK:
1904 		message_done(tll);
1905 		break;
1906 
1907 	case DL_BIND_ACK:
1908 		message_done(tll);
1909 		break;
1910 
1911 	case DL_PHYS_ADDR_ACK:
1912 		break;
1913 
1914 	case DL_OK_ACK:
1915 		if (mlen < DL_OK_ACK_SIZE)
1916 			break;
1917 		switch (dlp->ok_ack.dl_correct_primitive) {
1918 		case DL_UNBIND_REQ:
1919 			message_done(tll);
1920 			break;
1921 		case DL_DETACH_REQ:
1922 			tll->tll_flags |= TLLF_SHUTDOWN_DONE;
1923 			break;
1924 		case DL_ATTACH_REQ:
1925 			message_done(tll);
1926 			break;
1927 		}
1928 		break;
1929 	}
1930 	freemsg(mp);
1931 }
1932 
1933 /* Search structure used with PPPoE only; see tclvm_pppoe_search(). */
1934 struct poedat {
1935 	uint_t sessid;
1936 	tunll_t *tll;
1937 	const void *srcaddr;
1938 	int isdata;
1939 	tuncl_t *tcl;
1940 };
1941 
1942 /*
1943  * This function is called by vmem_walk from within sppptun_recv.  It
1944  * iterates over a span of allocated minor node numbers to search for
1945  * the appropriate lower stream, session ID, and peer MAC address.
1946  *
1947  * (This is necessary due to a design flaw in the PPPoE protocol
1948  * itself.  The protocol assigns session IDs from the server side
1949  * only.  Both server and client use the same number.  Thus, if there
1950  * are multiple clients on a single host, there can be session ID
1951  * conflicts between servers and there's no way to detangle them
1952  * except by looking at the remote MAC address.)
1953  *
1954  * (This could have been handled by linking together sessions that
1955  * differ only in the remote MAC address.  This isn't done because it
1956  * would involve extra per-session storage and it's very unlikely that
1957  * PPPoE would be used this way.)
1958  */
1959 static void
1960 tclvm_pppoe_search(void *arg, void *firstv, size_t numv)
1961 {
1962 	struct poedat *poedat = (struct poedat *)arg;
1963 	int minorn = (int)(uintptr_t)firstv;
1964 	int minormax = minorn + numv;
1965 	tuncl_t *tcl;
1966 
1967 	if (poedat->tcl != NULL)
1968 		return;
1969 	while (minorn < minormax) {
1970 		tcl = tcl_slots[minorn - 1];
1971 		ASSERT(tcl != NULL);
1972 		if (tcl->tcl_rsessid == poedat->sessid &&
1973 		    ((!poedat->isdata && tcl->tcl_ctrl_tll == poedat->tll) ||
1974 		    (poedat->isdata && tcl->tcl_data_tll == poedat->tll)) &&
1975 		    bcmp(tcl->tcl_address.pta_pppoe.ptma_mac,
1976 		    poedat->srcaddr,
1977 		    sizeof (tcl->tcl_address.pta_pppoe.ptma_mac)) == 0) {
1978 			poedat->tcl = tcl;
1979 			break;
1980 		}
1981 		minorn++;
1982 	}
1983 }
1984 
1985 /*
1986  * sppptun_recv()
1987  *
1988  * MT-Perimeters:
1989  *    shared inner, shared outer.
1990  *
1991  * Description:
1992  *    Receive function called by sppptun_urput, which is called when
1993  *    the lower read-side put or service procedure sends a message
1994  *    upstream to the a device user (PPP).  It attempts to find an
1995  *    appropriate queue on the module above us (depending on what the
1996  *    associated upper stream for the protocol would be), and if not
1997  *    possible, it will find an upper control stream for the protocol.
1998  *    Returns a pointer to the upper queue_t, or NULL if the message
1999  *    has been discarded.
2000  *
2001  * About demultiplexing:
2002  *
2003  *	All four protocols (L2F, PPTP, L2TP, and PPPoE) support a
2004  *	locally assigned ID for demultiplexing incoming traffic.  For
2005  *	L2F, this is called the Client ID, for PPTP the Call ID, for
2006  *	L2TP the Session ID, and for PPPoE the SESSION_ID.  This is a
2007  *	16 bit number for all four protocols, and is used to directly
2008  *	index into a list of upper streams.  With the upper stream in
2009  *	hand, we verify that this is the right stream and deliver the
2010  *	data.
2011  *
2012  *	L2TP has a Tunnel ID, which represents a bundle of PPP
2013  *	sessions between the peers.  Because we always assign unique
2014  *	session ID numbers, we merely check that the given ID matches
2015  *	the assigned ID for the upper stream.
2016  *
2017  *	L2F has a Multiplex ID, which is unique per connection.  It
2018  *	does not have L2TP's concept of multiple-connections-within-
2019  *	a-tunnel.  The same checking is done.
2020  *
2021  *	PPPoE is a horribly broken protocol.  Only one ID is assigned
2022  *	per connection.  The client must somehow demultiplex based on
2023  *	an ID number assigned by the server.  It's not necessarily
2024  *	unique.  The search is done based on {ID,peerEthernet} (using
2025  *	tcl_rsessid) for all packet types except PADI and PADS.
2026  *
2027  *	Neither PPPoE nor PPTP supports additional ID numbers.
2028  *
2029  *	Both L2F and L2TP come in over UDP.  They are distinguished by
2030  *	looking at the GRE version field -- 001 for L2F and 010 for
2031  *	L2TP.
2032  */
2033 static queue_t *
2034 sppptun_recv(queue_t *q, mblk_t **mpp, const void *srcaddr)
2035 {
2036 	mblk_t *mp;
2037 	tunll_t *tll;
2038 	tuncl_t *tcl;
2039 	int sessid;
2040 	int remlen;
2041 	int msglen;
2042 	int isdata;
2043 	int i;
2044 	const uchar_t *ucp;
2045 	const poep_t *poep;
2046 	mblk_t *mnew;
2047 	ppptun_atype *pap;
2048 
2049 	mp = *mpp;
2050 
2051 	tll = q->q_ptr;
2052 	ASSERT(!(tll->tll_flags & TLLF_NOTLOWER));
2053 
2054 	tcl = NULL;
2055 	switch (tll->tll_style) {
2056 	case PTS_PPPOE:
2057 		/* Note that poep_t alignment is uint16_t */
2058 		if ((!IS_P2ALIGNED(mp->b_rptr, sizeof (uint16_t)) ||
2059 		    MBLKL(mp) < sizeof (poep_t)) &&
2060 		    !pullupmsg(mp, sizeof (poep_t)))
2061 			break;
2062 		poep = (const poep_t *)mp->b_rptr;
2063 		if (poep->poep_version_type != POE_VERSION)
2064 			break;
2065 		/*
2066 		 * First, extract a session ID number.  All protocols have
2067 		 * this.
2068 		 */
2069 		isdata = (poep->poep_code == POECODE_DATA);
2070 		sessid = ntohs(poep->poep_session_id);
2071 		remlen = sizeof (*poep);
2072 		msglen = ntohs(poep->poep_length);
2073 		i = poep->poep_code;
2074 		if (i == POECODE_PADI || i == POECODE_PADR) {
2075 			/* These go to the server daemon only. */
2076 			tcl = tll->tll_defcl;
2077 		} else if (i == POECODE_PADO || i == POECODE_PADS) {
2078 			/*
2079 			 * These go to a client only, and are demuxed
2080 			 * by the Host-Uniq field (into which we stuff
2081 			 * our local ID number when generating
2082 			 * PADI/PADR).
2083 			 */
2084 			ucp = (const uchar_t *)(poep + 1);
2085 			i = msglen;
2086 			while (i > POET_HDRLEN) {
2087 				if (POET_GET_TYPE(ucp) == POETT_END) {
2088 					i = 0;
2089 					break;
2090 				}
2091 				if (POET_GET_TYPE(ucp) == POETT_UNIQ &&
2092 				    POET_GET_LENG(ucp) >= sizeof (uint32_t))
2093 					break;
2094 				i -= POET_GET_LENG(ucp) + POET_HDRLEN;
2095 				ucp = POET_NEXT(ucp);
2096 			}
2097 			if (i >= POET_HDRLEN + 4)
2098 				sessid = GETLONG(ucp + POET_HDRLEN);
2099 			tcl = tcl_by_minor((minor_t)sessid);
2100 		} else {
2101 			/*
2102 			 * Try minor number as session ID first, since
2103 			 * it's used that way on server side.  It's
2104 			 * not used that way on the client, though, so
2105 			 * this might not work.  If this isn't the
2106 			 * right one, then try the tll cache.  If
2107 			 * neither is right, then search all open
2108 			 * clients.  Did I mention that the PPPoE
2109 			 * protocol is badly designed?
2110 			 */
2111 			tcl = tcl_by_minor((minor_t)sessid);
2112 			if (tcl == NULL ||
2113 			    (!isdata && tcl->tcl_ctrl_tll != tll) ||
2114 			    (isdata && tcl->tcl_data_tll != tll) ||
2115 			    sessid != tcl->tcl_rsessid ||
2116 			    bcmp(srcaddr, tcl->tcl_address.pta_pppoe.ptma_mac,
2117 			    sizeof (tcl->tcl_address.pta_pppoe.ptma_mac)) != 0)
2118 				tcl = tll->tll_lastcl;
2119 			if (tcl == NULL ||
2120 			    (!isdata && tcl->tcl_ctrl_tll != tll) ||
2121 			    (isdata && tcl->tcl_data_tll != tll) ||
2122 			    sessid != tcl->tcl_rsessid ||
2123 			    bcmp(srcaddr, tcl->tcl_address.pta_pppoe.ptma_mac,
2124 			    sizeof (tcl->tcl_address.pta_pppoe.ptma_mac)) != 0)
2125 				tcl = NULL;
2126 			if (tcl == NULL && sessid != 0) {
2127 				struct poedat poedat;
2128 
2129 				/*
2130 				 * Slow mode.  Too bad.  If you don't like it,
2131 				 * you can always choose a better protocol.
2132 				 */
2133 				poedat.sessid = sessid;
2134 				poedat.tll = tll;
2135 				poedat.srcaddr = srcaddr;
2136 				poedat.tcl = NULL;
2137 				poedat.isdata = isdata;
2138 				vmem_walk(tcl_minor_arena, VMEM_ALLOC,
2139 				    tclvm_pppoe_search, &poedat);
2140 				KLINCR(lks_walks);
2141 				if ((tcl = poedat.tcl) != NULL) {
2142 					tll->tll_lastcl = tcl;
2143 					KCINCR(cks_walks);
2144 				}
2145 			}
2146 		}
2147 		break;
2148 	}
2149 
2150 	if (tcl == NULL || tcl->tcl_rq == NULL) {
2151 		DTRACE_PROBE3(sppptun__recv__discard, int, sessid,
2152 		    tuncl_t *, tcl, mblk_t *, mp);
2153 		if (tcl == NULL) {
2154 			KLINCR(lks_in_nomatch);
2155 		}
2156 		if (isdata) {
2157 			KLINCR(lks_indata_drops);
2158 			if (tcl != NULL)
2159 				tcl->tcl_stats.ppp_ierrors++;
2160 		} else {
2161 			KLINCR(lks_inctrl_drops);
2162 			if (tcl != NULL) {
2163 				KCINCR(cks_inctrl_drops);
2164 			}
2165 		}
2166 		freemsg(mp);
2167 		return (NULL);
2168 	}
2169 
2170 	if (tcl->tcl_data_tll == tll && isdata) {
2171 		if (!adjmsg(mp, remlen) ||
2172 		    (i = msgsize(mp)) < msglen ||
2173 		    (i > msglen && !adjmsg(mp, msglen - i))) {
2174 			KLINCR(lks_indata_drops);
2175 			tcl->tcl_stats.ppp_ierrors++;
2176 			freemsg(mp);
2177 			return (NULL);
2178 		}
2179 		/* XXX -- address/control handling in pppd needs help. */
2180 		if (*mp->b_rptr != 0xFF) {
2181 			if ((mp = prependb(mp, 2, 1)) == NULL) {
2182 				KLINCR(lks_indata_drops);
2183 				tcl->tcl_stats.ppp_ierrors++;
2184 				return (NULL);
2185 			}
2186 			mp->b_rptr[0] = 0xFF;
2187 			mp->b_rptr[1] = 0x03;
2188 		}
2189 		MTYPE(mp) = M_DATA;
2190 		tcl->tcl_stats.ppp_ibytes += msgsize(mp);
2191 		tcl->tcl_stats.ppp_ipackets++;
2192 		KLINCR(lks_indata);
2193 	} else {
2194 		if (isdata || tcl->tcl_ctrl_tll != tll ||
2195 		    (mnew = make_control(tcl, tll, PTCA_CONTROL, tcl)) ==
2196 		    NULL) {
2197 			KLINCR(lks_inctrl_drops);
2198 			KCINCR(cks_inctrl_drops);
2199 			freemsg(mp);
2200 			return (NULL);
2201 		}
2202 		/* Fix up source address; peer might not be set yet. */
2203 		pap = &((struct ppptun_control *)mnew->b_rptr)->ptc_address;
2204 		bcopy(srcaddr, pap->pta_pppoe.ptma_mac,
2205 		    sizeof (pap->pta_pppoe.ptma_mac));
2206 		mnew->b_cont = mp;
2207 		mp = mnew;
2208 		KLINCR(lks_inctrls);
2209 		KCINCR(cks_inctrls);
2210 	}
2211 	*mpp = mp;
2212 	return (tcl->tcl_rq);
2213 }
2214 
2215 /*
2216  * sppptun_urput()
2217  *
2218  * MT-Perimeters:
2219  *    shared inner, shared outer.
2220  *
2221  * Description:
2222  *    Upper read-side put procedure.  Messages from the underlying
2223  *    lower stream driver arrive here.  See sppptun_recv for the
2224  *    demultiplexing logic.
2225  */
2226 static void
2227 sppptun_urput(queue_t *q, mblk_t *mp)
2228 {
2229 	union DL_primitives *dlprim;
2230 	mblk_t *mpnext;
2231 	tunll_t *tll;
2232 	queue_t *nextq;
2233 
2234 	tll = q->q_ptr;
2235 	ASSERT(!(tll->tll_flags & TLLF_NOTLOWER));
2236 
2237 	switch (MTYPE(mp)) {
2238 	case M_DATA:
2239 		/*
2240 		 * When we're bound over IP, data arrives here.  The
2241 		 * packet starts with the IP header itself.
2242 		 */
2243 		if ((nextq = sppptun_recv(q, &mp, NULL)) != NULL)
2244 			putnext(nextq, mp);
2245 		break;
2246 
2247 	case M_PROTO:
2248 	case M_PCPROTO:
2249 		/* Data arrives here for UDP or raw Ethernet, not IP. */
2250 		switch (tll->tll_style) {
2251 			/* PPTP control messages are over TCP only. */
2252 		case PTS_PPTP:
2253 		default:
2254 			ASSERT(0);	/* how'd that happen? */
2255 			break;
2256 
2257 		case PTS_PPPOE:		/* DLPI message */
2258 			if (MBLKL(mp) < sizeof (t_uscalar_t))
2259 				break;
2260 			dlprim = (union DL_primitives *)mp->b_rptr;
2261 			switch (dlprim->dl_primitive) {
2262 			case DL_UNITDATA_IND: {
2263 				size_t mlen = MBLKL(mp);
2264 
2265 				if (mlen < DL_UNITDATA_IND_SIZE)
2266 					break;
2267 				if (dlprim->unitdata_ind.dl_src_addr_offset <
2268 				    DL_UNITDATA_IND_SIZE ||
2269 				    dlprim->unitdata_ind.dl_src_addr_offset +
2270 				    dlprim->unitdata_ind.dl_src_addr_length >
2271 				    mlen)
2272 					break;
2273 			}
2274 				/* FALLTHROUGH */
2275 			case DL_UNITDATA_REQ:	/* For loopback support. */
2276 				if (dlprim->dl_primitive == DL_UNITDATA_REQ &&
2277 				    MBLKL(mp) < DL_UNITDATA_REQ_SIZE)
2278 					break;
2279 				if ((mpnext = mp->b_cont) == NULL)
2280 					break;
2281 				MTYPE(mpnext) = M_DATA;
2282 				nextq = sppptun_recv(q, &mpnext,
2283 				    dlprim->dl_primitive == DL_UNITDATA_IND ?
2284 				    mp->b_rptr +
2285 				    dlprim->unitdata_ind.dl_src_addr_offset :
2286 				    tll->tll_lcladdr.pta_pppoe.ptma_mac);
2287 				if (nextq != NULL)
2288 					putnext(nextq, mpnext);
2289 				freeb(mp);
2290 				return;
2291 
2292 			default:
2293 				urput_dlpi(q, mp);
2294 				return;
2295 			}
2296 			break;
2297 		}
2298 		freemsg(mp);
2299 		break;
2300 
2301 	default:
2302 		freemsg(mp);
2303 		break;
2304 	}
2305 }
2306 
2307 /*
2308  * sppptun_ursrv()
2309  *
2310  * MT-Perimeters:
2311  *    exclusive inner, shared outer.
2312  *
2313  * Description:
2314  *    Upper read-side service procedure.  This procedure services the
2315  *    client streams.  We get here because the client (PPP) asserts
2316  *    flow control down to us.
2317  */
2318 static int
2319 sppptun_ursrv(queue_t *q)
2320 {
2321 	mblk_t		*mp;
2322 
2323 	ASSERT(q->q_ptr != NULL);
2324 
2325 	while ((mp = getq(q)) != NULL) {
2326 		if (canputnext(q)) {
2327 			putnext(q, mp);
2328 		} else {
2329 			(void) putbq(q, mp);
2330 			break;
2331 		}
2332 	}
2333 	return (0);
2334 }
2335 
2336 /*
2337  * Dummy constructor/destructor functions for kmem_cache_create.
2338  * We're just using kmem as an allocator of integers, not real
2339  * storage.
2340  */
2341 
2342 /*ARGSUSED*/
2343 static int
2344 tcl_constructor(void *maddr, void *arg, int kmflags)
2345 {
2346 	return (0);
2347 }
2348 
2349 /*ARGSUSED*/
2350 static void
2351 tcl_destructor(void *maddr, void *arg)
2352 {
2353 }
2354 
2355 /*
2356  * Total size occupied by one tunnel client.  Each tunnel client
2357  * consumes one pointer for tcl_slots array, one tuncl_t structure and
2358  * two messages preallocated for close.
2359  */
2360 #define	TUNCL_SIZE (sizeof (tuncl_t) + sizeof (tuncl_t *) + \
2361 			2 * sizeof (dblk_t))
2362 
2363 /*
2364  * Clear all bits of x except the highest bit
2365  */
2366 #define	truncate(x) 	((x) <= 2 ? (x) : (1 << (highbit(x) - 1)))
2367 
2368 /*
2369  * This function initializes some well-known global variables inside
2370  * the module.
2371  *
2372  * Called by sppptun_mod.c:_init() before installing the module.
2373  */
2374 void
2375 sppptun_init(void)
2376 {
2377 	tunll_list.q_forw = tunll_list.q_back = &tunll_list;
2378 }
2379 
2380 /*
2381  * This function allocates the initial internal storage for the
2382  * sppptun driver.
2383  *
2384  * Called by sppptun_mod.c:_init() after installing module.
2385  */
2386 void
2387 sppptun_tcl_init(void)
2388 {
2389 	uint_t i, j;
2390 
2391 	rw_init(&tcl_rwlock, NULL, RW_DRIVER, NULL);
2392 	rw_enter(&tcl_rwlock, RW_WRITER);
2393 	tcl_nslots = sppptun_init_cnt;
2394 	tcl_slots = kmem_zalloc(tcl_nslots * sizeof (tuncl_t *), KM_SLEEP);
2395 
2396 	tcl_cache = kmem_cache_create("sppptun_map", sizeof (tuncl_t), 0,
2397 	    tcl_constructor, tcl_destructor, NULL, NULL, NULL, 0);
2398 
2399 	/* Allocate integer space for minor numbers */
2400 	tcl_minor_arena = vmem_create("sppptun_minor", (void *)1, tcl_nslots,
2401 	    1, NULL, NULL, NULL, 0, VM_SLEEP | VMC_IDENTIFIER);
2402 
2403 	/*
2404 	 * Calculate available number of tunnels - how many tunnels
2405 	 * can we allocate in sppptun_pctofmem % of available
2406 	 * memory.  The value is rounded up to the nearest power of 2.
2407 	 */
2408 	i = (sppptun_pctofmem * kmem_maxavail()) / (100 * TUNCL_SIZE);
2409 	j = truncate(i);	/* i with non-high bits stripped */
2410 	if (i != j)
2411 		j *= 2;
2412 	tcl_minormax = j;
2413 	rw_exit(&tcl_rwlock);
2414 }
2415 
2416 /*
2417  * This function checks that there are no plumbed streams or other users.
2418  *
2419  * Called by sppptun_mod.c:_fini().  Assumes that we're exclusive on
2420  * both perimeters.
2421  */
2422 int
2423 sppptun_tcl_fintest(void)
2424 {
2425 	if (tunll_list.q_forw != &tunll_list || tcl_inuse > 0)
2426 		return (EBUSY);
2427 	else
2428 		return (0);
2429 }
2430 
2431 /*
2432  * If no lower streams are plumbed, then this function deallocates all
2433  * internal storage in preparation for unload.
2434  *
2435  * Called by sppptun_mod.c:_fini().  Assumes that we're exclusive on
2436  * both perimeters.
2437  */
2438 void
2439 sppptun_tcl_fini(void)
2440 {
2441 	if (tcl_minor_arena != NULL) {
2442 		vmem_destroy(tcl_minor_arena);
2443 		tcl_minor_arena = NULL;
2444 	}
2445 	if (tcl_cache != NULL) {
2446 		kmem_cache_destroy(tcl_cache);
2447 		tcl_cache = NULL;
2448 	}
2449 	kmem_free(tcl_slots, tcl_nslots * sizeof (tuncl_t *));
2450 	tcl_slots = NULL;
2451 	rw_destroy(&tcl_rwlock);
2452 	ASSERT(tcl_slots == NULL);
2453 	ASSERT(tcl_cache == NULL);
2454 	ASSERT(tcl_minor_arena == NULL);
2455 }
2456