1 /*
   2  * sppp.c - Solaris STREAMS PPP multiplexing pseudo-driver
   3  *
   4  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
   5  * Use is subject to license terms.
   6  * Copyright (c) 2016 by Delphix. All rights reserved.
   7  * Copyright 2019, Joyent, Inc.
   8  *
   9  * Permission to use, copy, modify, and distribute this software and its
  10  * documentation is hereby granted, provided that the above copyright
  11  * notice appears in all copies.
  12  *
  13  * SUN MAKES NO REPRESENTATION OR WARRANTIES ABOUT THE SUITABILITY OF
  14  * THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
  15  * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
  16  * PARTICULAR PURPOSE, OR NON-INFRINGEMENT.  SUN SHALL NOT BE LIABLE FOR
  17  * ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR
  18  * DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES
  19  *
  20  * Copyright (c) 1994 The Australian National University.
  21  * All rights reserved.
  22  *
  23  * Permission to use, copy, modify, and distribute this software and its
  24  * documentation is hereby granted, provided that the above copyright
  25  * notice appears in all copies.  This software is provided without any
  26  * warranty, express or implied. The Australian National University
  27  * makes no representations about the suitability of this software for
  28  * any purpose.
  29  *
  30  * IN NO EVENT SHALL THE AUSTRALIAN NATIONAL UNIVERSITY BE LIABLE TO ANY
  31  * PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
  32  * ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF
  33  * THE AUSTRALIAN NATIONAL UNIVERSITY HAS BEEN ADVISED OF THE POSSIBILITY
  34  * OF SUCH DAMAGE.
  35  *
  36  * THE AUSTRALIAN NATIONAL UNIVERSITY SPECIFICALLY DISCLAIMS ANY WARRANTIES,
  37  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
  38  * AND FITNESS FOR A PARTICULAR PURPOSE.  THE SOFTWARE PROVIDED HEREUNDER IS
  39  * ON AN "AS IS" BASIS, AND THE AUSTRALIAN NATIONAL UNIVERSITY HAS NO
  40  * OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS,
  41  * OR MODIFICATIONS.
  42  *
  43  * This driver is derived from the original SVR4 STREAMS PPP driver
  44  * originally written by Paul Mackerras <paul.mackerras@cs.anu.edu.au>.
  45  *
  46  * Adi Masputra <adi.masputra@sun.com> rewrote and restructured the code
  47  * for improved performance and scalability.
  48  */
  49 
  50 #define RCSID   "$Id: sppp.c,v 1.0 2000/05/08 01:10:12 masputra Exp $"
  51 
  52 #include <sys/types.h>
  53 #include <sys/debug.h>
  54 #include <sys/param.h>
  55 #include <sys/stat.h>
  56 #include <sys/stream.h>
  57 #include <sys/stropts.h>
  58 #include <sys/sysmacros.h>
  59 #include <sys/errno.h>
  60 #include <sys/time.h>
  61 #include <sys/cmn_err.h>
  62 #include <sys/kmem.h>
  63 #include <sys/conf.h>
  64 #include <sys/dlpi.h>
  65 #include <sys/ddi.h>
  66 #include <sys/kstat.h>
  67 #include <sys/strsun.h>
  68 #include <sys/ethernet.h>
  69 #include <sys/policy.h>
  70 #include <sys/zone.h>
  71 #include <net/ppp_defs.h>
  72 #include <net/pppio.h>
  73 #include "sppp.h"
  74 #include "s_common.h"
  75 
  76 /*
  77  * This is used to tag official Solaris sources.  Please do not define
  78  * "INTERNAL_BUILD" when building this software outside of Sun Microsystems.
  79  */
  80 #ifdef INTERNAL_BUILD
  81 /* MODINFO is limited to 32 characters. */
  82 const char sppp_module_description[] = "PPP 4.0 mux";
  83 #else /* INTERNAL_BUILD */
  84 const char sppp_module_description[] = "ANU PPP mux";
  85 
  86 /* LINTED */
  87 static const char buildtime[] = "Built " __DATE__ " at " __TIME__
  88 #ifdef DEBUG
  89 " DEBUG"
  90 #endif
  91 "\n";
  92 #endif /* INTERNAL_BUILD */
  93 
  94 static void     sppp_inner_ioctl(queue_t *, mblk_t *);
  95 static void     sppp_outer_ioctl(queue_t *, mblk_t *);
  96 static queue_t  *sppp_send(queue_t *, mblk_t **, spppstr_t *);
  97 static queue_t  *sppp_recv(queue_t *, mblk_t **, spppstr_t *);
  98 static void     sppp_recv_nondata(queue_t *, mblk_t *, spppstr_t *);
  99 static queue_t  *sppp_outpkt(queue_t *, mblk_t **, int, spppstr_t *);
 100 static spppstr_t *sppp_inpkt(queue_t *, mblk_t *, spppstr_t *);
 101 static int      sppp_kstat_update(kstat_t *, int);
 102 static void     sppp_release_pkts(sppa_t *, uint16_t);
 103 
 104 /*
 105  * sps_list contains the list of active per-stream instance state structures
 106  * ordered on the minor device number (see sppp.h for details). All streams
 107  * opened to this driver are threaded together in this list.
 108  */
 109 static spppstr_t *sps_list = NULL;
 110 /*
 111  * ppa_list contains the list of active per-attachment instance state
 112  * structures ordered on the ppa id number (see sppp.h for details). All of
 113  * the ppa structures created once per PPPIO_NEWPPA ioctl are threaded together
 114  * in this list. There is exactly one ppa structure for a given PPP interface,
 115  * and multiple sps streams (upper streams) may share a ppa by performing
 116  * an attachment explicitly (PPPIO_ATTACH) or implicitly (DL_ATTACH_REQ).
 117  */
 118 static sppa_t *ppa_list = NULL;
 119 
 120 static const char *kstats_names[] = { SPPP_KSTATS_NAMES };
 121 static const char *kstats64_names[] = { SPPP_KSTATS64_NAMES };
 122 
 123 /*
 124  * map proto (which is an IANA defined ppp network protocol) to
 125  * a bit position indicated by NP_* in ppa_npflag
 126  */
 127 static uint32_t
 128 sppp_ppp2np(uint16_t proto)
 129 {
 130         switch (proto) {
 131         case PPP_IP:
 132                 return (NP_IP);
 133         case PPP_IPV6:
 134                 return (NP_IPV6);
 135         default:
 136                 return (0);
 137         }
 138 }
 139 
 140 /*
 141  * sppp_open()
 142  *
 143  * MT-Perimeters:
 144  *    exclusive inner, exclusive outer.
 145  *
 146  * Description:
 147  *    Common open procedure for module.
 148  */
 149 /* ARGSUSED */
 150 int
 151 sppp_open(queue_t *q, dev_t *devp, int oflag, int sflag, cred_t *credp)
 152 {
 153         spppstr_t       *sps;
 154         spppstr_t       **nextmn;
 155         minor_t         mn;
 156 
 157         ASSERT(q != NULL && devp != NULL);
 158         ASSERT(sflag != MODOPEN);
 159 
 160         if (q->q_ptr != NULL) {
 161                 return (0);             /* already open */
 162         }
 163         if (sflag != CLONEOPEN) {
 164                 return (OPENFAIL);
 165         }
 166         /*
 167          * The sps list is sorted using the minor number as the key. The
 168          * following code walks the list to find the lowest valued minor
 169          * number available to be used.
 170          */
 171         mn = 0;
 172         for (nextmn = &sps_list; (sps = *nextmn) != NULL;
 173             nextmn = &sps->sps_nextmn) {
 174                 if (sps->sps_mn_id != mn) {
 175                         break;
 176                 }
 177                 ++mn;
 178         }
 179         sps = (spppstr_t *)kmem_zalloc(sizeof (spppstr_t), KM_SLEEP);
 180         ASSERT(sps != NULL);            /* KM_SLEEP must never return NULL */
 181         sps->sps_nextmn = *nextmn;   /* insert stream in global list */
 182         *nextmn = sps;
 183         sps->sps_mn_id = mn;         /* save minor id for this stream */
 184         sps->sps_rq = q;             /* save read queue pointer */
 185         sps->sps_sap = -1;           /* no sap bound to stream */
 186         sps->sps_dlstate = DL_UNATTACHED; /* dlpi state is unattached */
 187         sps->sps_npmode = NPMODE_DROP;       /* drop all packets initially */
 188         sps->sps_zoneid = crgetzoneid(credp);
 189         q->q_ptr = WR(q)->q_ptr = (caddr_t)sps;
 190         /*
 191          * We explicitly disable the automatic queue scheduling for the
 192          * write-side to obtain complete control over queuing during transmit.
 193          * Packets will be queued at the upper write queue and the service
 194          * routine will not be called until it gets scheduled by having the
 195          * lower write service routine call the qenable(WR(uq)) for all streams
 196          * attached to the same ppa instance.
 197          */
 198         noenable(WR(q));
 199         *devp = makedevice(getmajor(*devp), mn);
 200         qprocson(q);
 201         return (0);
 202 }
 203 
 204 /*
 205  * Free storage used by a PPA.  This is not called until the last PPA
 206  * user closes their connection or reattaches to a different PPA.
 207  */
 208 static void
 209 sppp_free_ppa(sppa_t *ppa)
 210 {
 211         sppa_t **nextppa;
 212 
 213         ASSERT(ppa->ppa_refcnt == 1);
 214         if (ppa->ppa_kstats != NULL) {
 215                 kstat_delete(ppa->ppa_kstats);
 216                 ppa->ppa_kstats = NULL;
 217         }
 218         mutex_destroy(&ppa->ppa_sta_lock);
 219         mutex_destroy(&ppa->ppa_npmutex);
 220         rw_destroy(&ppa->ppa_sib_lock);
 221         nextppa = &ppa_list;
 222         while (*nextppa != NULL) {
 223                 if (*nextppa == ppa) {
 224                         *nextppa = ppa->ppa_nextppa;
 225                         break;
 226                 }
 227                 nextppa = &(*nextppa)->ppa_nextppa;
 228         }
 229         kmem_free(ppa, sizeof (*ppa));
 230 }
 231 
 232 /*
 233  * Create a new PPA.  Caller must be exclusive on outer perimeter.
 234  */
 235 sppa_t *
 236 sppp_create_ppa(uint32_t ppa_id, zoneid_t zoneid)
 237 {
 238         sppa_t *ppa;
 239         sppa_t *curppa;
 240         sppa_t **availppa;
 241         char unit[32];          /* Unit name */
 242         const char **cpp;
 243         kstat_t *ksp;
 244         kstat_named_t *knt;
 245 
 246         /*
 247          * NOTE: unit *must* be named for the driver
 248          * name plus the ppa number so that netstat
 249          * can find the statistics.
 250          */
 251         (void) sprintf(unit, "%s" "%d", PPP_DRV_NAME, ppa_id);
 252         /*
 253          * Make sure we can allocate a buffer to
 254          * contain the ppa to be sent upstream, as
 255          * well as the actual ppa structure and its
 256          * associated kstat structure.
 257          */
 258         ppa = (sppa_t *)kmem_zalloc(sizeof (sppa_t),
 259             KM_NOSLEEP);
 260         ksp = kstat_create(PPP_DRV_NAME, ppa_id, unit, "net", KSTAT_TYPE_NAMED,
 261             sizeof (sppp_kstats_t) / sizeof (kstat_named_t), 0);
 262 
 263         if (ppa == NULL || ksp == NULL) {
 264                 if (ppa != NULL) {
 265                         kmem_free(ppa, sizeof (sppa_t));
 266                 }
 267                 if (ksp != NULL) {
 268                         kstat_delete(ksp);
 269                 }
 270                 return (NULL);
 271         }
 272         ppa->ppa_kstats = ksp;               /* chain kstat structure */
 273         ppa->ppa_ppa_id = ppa_id;    /* record ppa id */
 274         ppa->ppa_zoneid = zoneid;    /* zone that owns this PPA */
 275         ppa->ppa_mtu = PPP_MAXMTU;   /* 65535-(PPP_HDRLEN+PPP_FCSLEN) */
 276         ppa->ppa_mru = PPP_MAXMRU;   /* 65000 */
 277 
 278         mutex_init(&ppa->ppa_sta_lock, NULL, MUTEX_DRIVER, NULL);
 279         mutex_init(&ppa->ppa_npmutex, NULL, MUTEX_DRIVER, NULL);
 280         rw_init(&ppa->ppa_sib_lock, NULL, RW_DRIVER, NULL);
 281 
 282         /*
 283          * Prepare and install kstat counters.  Note that for netstat
 284          * -i to work, there needs to be "ipackets", "opackets",
 285          * "ierrors", and "oerrors" kstat named variables.
 286          */
 287         knt = (kstat_named_t *)ksp->ks_data;
 288         for (cpp = kstats_names; cpp < kstats_names + Dim(kstats_names);
 289             cpp++) {
 290                 kstat_named_init(knt, *cpp, KSTAT_DATA_UINT32);
 291                 knt++;
 292         }
 293         for (cpp = kstats64_names; cpp < kstats64_names + Dim(kstats64_names);
 294             cpp++) {
 295                 kstat_named_init(knt, *cpp, KSTAT_DATA_UINT64);
 296                 knt++;
 297         }
 298         ksp->ks_update = sppp_kstat_update;
 299         ksp->ks_private = (void *)ppa;
 300         kstat_install(ksp);
 301 
 302         /* link to the next ppa and insert into global list */
 303         availppa = &ppa_list;
 304         while ((curppa = *availppa) != NULL) {
 305                 if (ppa_id < curppa->ppa_ppa_id)
 306                         break;
 307                 availppa = &curppa->ppa_nextppa;
 308         }
 309         ppa->ppa_nextppa = *availppa;
 310         *availppa = ppa;
 311         return (ppa);
 312 }
 313 
 314 /*
 315  * sppp_close()
 316  *
 317  * MT-Perimeters:
 318  *    exclusive inner, exclusive outer.
 319  *
 320  * Description:
 321  *    Common close procedure for module.
 322  */
 323 /* ARGSUSED */
 324 int
 325 sppp_close(queue_t *q, int flags __unused, cred_t *credp __unused)
 326 {
 327         spppstr_t       *sps;
 328         spppstr_t       **nextmn;
 329         spppstr_t       *sib;
 330         sppa_t          *ppa;
 331         mblk_t          *mp;
 332 
 333         ASSERT(q != NULL && q->q_ptr != NULL);
 334         sps = (spppstr_t *)q->q_ptr;
 335         qprocsoff(q);
 336 
 337         ppa = sps->sps_ppa;
 338         if (ppa == NULL) {
 339                 ASSERT(!IS_SPS_CONTROL(sps));
 340                 goto close_unattached;
 341         }
 342         if (IS_SPS_CONTROL(sps)) {
 343                 uint32_t        cnt = 0;
 344 
 345                 ASSERT(ppa != NULL);
 346                 ASSERT(ppa->ppa_ctl == sps);
 347                 ppa->ppa_ctl = NULL;
 348                 /*
 349                  * STREAMS framework always issues I_UNLINK prior to close,
 350                  * since we only allow I_LINK under the control stream.
 351                  * A given ppa structure has at most one lower stream pointed
 352                  * by the ppa_lower_wq field, because we only allow a single
 353                  * linkage (I_LINK) to be done on the control stream.
 354                  */
 355                 ASSERT(ppa->ppa_lower_wq == NULL);
 356                 /*
 357                  * Walk through all of sibling streams attached to this ppa,
 358                  * and remove all references to this ppa. We have exclusive
 359                  * access for the entire driver here, so there's no need
 360                  * to hold ppa_sib_lock.
 361                  */
 362                 cnt++;
 363                 sib = ppa->ppa_streams;
 364                 while (sib != NULL) {
 365                         ASSERT(ppa == sib->sps_ppa);
 366                         sib->sps_npmode = NPMODE_DROP;
 367                         sib->sps_flags &= ~(SPS_PIOATTACH | SPS_CACHED);
 368                         /*
 369                          * There should be a preallocated hangup
 370                          * message here.  Fetch it and send it up to
 371                          * the stream head.  This will cause IP to
 372                          * mark the interface as "down."
 373                          */
 374                         if ((mp = sib->sps_hangup) != NULL) {
 375                                 sib->sps_hangup = NULL;
 376                                 /*
 377                                  * M_HANGUP works with IP, but snoop
 378                                  * is lame and requires M_ERROR.  Send
 379                                  * up a clean error code instead.
 380                                  *
 381                                  * XXX if snoop is fixed, fix this, too.
 382                                  */
 383                                 MTYPE(mp) = M_ERROR;
 384                                 *mp->b_wptr++ = ENXIO;
 385                                 putnext(sib->sps_rq, mp);
 386                         }
 387                         qenable(WR(sib->sps_rq));
 388                         cnt++;
 389                         sib = sib->sps_nextsib;
 390                 }
 391                 ASSERT(ppa->ppa_refcnt == cnt);
 392         } else {
 393                 ASSERT(ppa->ppa_streams != NULL);
 394                 ASSERT(ppa->ppa_ctl != sps);
 395                 mp = NULL;
 396                 if (sps->sps_sap == PPP_IP) {
 397                         ppa->ppa_ip_cache = NULL;
 398                         mp = create_lsmsg(PPP_LINKSTAT_IPV4_UNBOUND);
 399                 } else if (sps->sps_sap == PPP_IPV6) {
 400                         ppa->ppa_ip6_cache = NULL;
 401                         mp = create_lsmsg(PPP_LINKSTAT_IPV6_UNBOUND);
 402                 }
 403                 /* Tell the daemon the bad news. */
 404                 if (mp != NULL && ppa->ppa_ctl != NULL &&
 405                     (sps->sps_npmode == NPMODE_PASS ||
 406                     sps->sps_npmode == NPMODE_QUEUE)) {
 407                         putnext(ppa->ppa_ctl->sps_rq, mp);
 408                 } else {
 409                         freemsg(mp);
 410                 }
 411                 /*
 412                  * Walk through all of sibling streams attached to the
 413                  * same ppa, and remove this stream from the sibling
 414                  * streams list. We have exclusive access for the
 415                  * entire driver here, so there's no need to hold
 416                  * ppa_sib_lock.
 417                  */
 418                 sib = ppa->ppa_streams;
 419                 if (sib == sps) {
 420                         ppa->ppa_streams = sps->sps_nextsib;
 421                 } else {
 422                         while (sib->sps_nextsib != NULL) {
 423                                 if (sib->sps_nextsib == sps) {
 424                                         sib->sps_nextsib = sps->sps_nextsib;
 425                                         break;
 426                                 }
 427                                 sib = sib->sps_nextsib;
 428                         }
 429                 }
 430                 sps->sps_nextsib = NULL;
 431                 freemsg(sps->sps_hangup);
 432                 sps->sps_hangup = NULL;
 433                 /*
 434                  * Check if this is a promiscous stream. If the SPS_PROMISC bit
 435                  * is still set, it means that the stream is closed without
 436                  * ever having issued DL_DETACH_REQ or DL_PROMISCOFF_REQ.
 437                  * In this case, we simply decrement the promiscous counter,
 438                  * and it's safe to do it without holding ppa_sib_lock since
 439                  * we're exclusive (inner and outer) at this point.
 440                  */
 441                 if (IS_SPS_PROMISC(sps)) {
 442                         ASSERT(ppa->ppa_promicnt > 0);
 443                         ppa->ppa_promicnt--;
 444                 }
 445         }
 446         /* If we're the only one left, then delete now. */
 447         if (ppa->ppa_refcnt <= 1)
 448                 sppp_free_ppa(ppa);
 449         else
 450                 ppa->ppa_refcnt--;
 451 close_unattached:
 452         q->q_ptr = WR(q)->q_ptr = NULL;
 453         for (nextmn = &sps_list; *nextmn != NULL;
 454             nextmn = &(*nextmn)->sps_nextmn) {
 455                 if (*nextmn == sps) {
 456                         *nextmn = sps->sps_nextmn;
 457                         break;
 458                 }
 459         }
 460         kmem_free(sps, sizeof (spppstr_t));
 461         return (0);
 462 }
 463 
 464 static void
 465 sppp_ioctl(struct queue *q, mblk_t *mp)
 466 {
 467         spppstr_t       *sps;
 468         spppstr_t       *nextsib;
 469         sppa_t          *ppa;
 470         struct iocblk   *iop;
 471         mblk_t          *nmp;
 472         enum NPmode     npmode;
 473         struct ppp_idle *pip;
 474         struct ppp_stats64 *psp;
 475         struct ppp_comp_stats *pcsp;
 476         hrtime_t        hrtime;
 477         int             sap;
 478         int             count = 0;
 479         int             error = EINVAL;
 480 
 481         sps = (spppstr_t *)q->q_ptr;
 482         ppa = sps->sps_ppa;
 483 
 484         iop = (struct iocblk *)mp->b_rptr;
 485         switch (iop->ioc_cmd) {
 486         case PPPIO_NPMODE:
 487                 if (!IS_SPS_CONTROL(sps)) {
 488                         break;          /* return EINVAL */
 489                 } else if (iop->ioc_count != 2 * sizeof (uint32_t) ||
 490                     (mp->b_cont == NULL)) {
 491                         error = EPROTO;
 492                         break;
 493                 }
 494                 ASSERT(ppa != NULL);
 495                 ASSERT(mp->b_cont->b_rptr != NULL);
 496                 ASSERT(sps->sps_npmode == NPMODE_PASS);
 497                 sap = ((uint32_t *)mp->b_cont->b_rptr)[0];
 498                 npmode = (enum NPmode)((uint32_t *)mp->b_cont->b_rptr)[1];
 499                 /*
 500                  * Walk the sibling streams which belong to the same
 501                  * ppa, and try to find a stream with matching sap
 502                  * number.
 503                  */
 504                 rw_enter(&ppa->ppa_sib_lock, RW_WRITER);
 505                 for (nextsib = ppa->ppa_streams; nextsib != NULL;
 506                     nextsib = nextsib->sps_nextsib) {
 507                         if (nextsib->sps_sap == sap) {
 508                                 break;  /* found it */
 509                         }
 510                 }
 511                 if (nextsib == NULL) {
 512                         rw_exit(&ppa->ppa_sib_lock);
 513                         break;          /* return EINVAL */
 514                 } else {
 515                         nextsib->sps_npmode = npmode;
 516                         if ((nextsib->sps_npmode != NPMODE_QUEUE) &&
 517                             (WR(nextsib->sps_rq)->q_first != NULL)) {
 518                                 qenable(WR(nextsib->sps_rq));
 519                         }
 520                 }
 521                 rw_exit(&ppa->ppa_sib_lock);
 522                 error = 0;      /* return success */
 523                 break;
 524         case PPPIO_GIDLE:
 525                 if (ppa == NULL) {
 526                         ASSERT(!IS_SPS_CONTROL(sps));
 527                         error = ENOLINK;
 528                         break;
 529                 } else if (!IS_PPA_TIMESTAMP(ppa)) {
 530                         break;          /* return EINVAL */
 531                 }
 532                 if ((nmp = allocb(sizeof (struct ppp_idle),
 533                     BPRI_MED)) == NULL) {
 534                         mutex_enter(&ppa->ppa_sta_lock);
 535                         ppa->ppa_allocbfail++;
 536                         mutex_exit(&ppa->ppa_sta_lock);
 537                         error = ENOSR;
 538                         break;
 539                 }
 540                 if (mp->b_cont != NULL) {
 541                         freemsg(mp->b_cont);
 542                 }
 543                 mp->b_cont = nmp;
 544                 pip = (struct ppp_idle *)nmp->b_wptr;
 545                 nmp->b_wptr += sizeof (struct ppp_idle);
 546                 /*
 547                  * Get current timestamp and subtract the tx and rx
 548                  * timestamps to get the actual idle time to be
 549                  * returned.
 550                  */
 551                 hrtime = gethrtime();
 552                 pip->xmit_idle = (hrtime - ppa->ppa_lasttx) / 1000000000ul;
 553                 pip->recv_idle = (hrtime - ppa->ppa_lastrx) / 1000000000ul;
 554                 count = msgsize(nmp);
 555                 error = 0;
 556                 break;          /* return success (error is 0) */
 557         case PPPIO_GTYPE:
 558                 nmp = allocb(sizeof (uint32_t), BPRI_MED);
 559                 if (nmp == NULL) {
 560                         error = ENOSR;
 561                         break;
 562                 }
 563                 if (mp->b_cont != NULL) {
 564                         freemsg(mp->b_cont);
 565                 }
 566                 mp->b_cont = nmp;
 567                 /*
 568                  * Let the requestor know that we are the PPP
 569                  * multiplexer (PPPTYP_MUX).
 570                  */
 571                 *(uint32_t *)nmp->b_wptr = PPPTYP_MUX;
 572                 nmp->b_wptr += sizeof (uint32_t);
 573                 count = msgsize(nmp);
 574                 error = 0;              /* return success */
 575                 break;
 576         case PPPIO_GETSTAT64:
 577                 if (ppa == NULL) {
 578                         break;          /* return EINVAL */
 579                 } else if ((ppa->ppa_lower_wq != NULL) &&
 580                     !IS_PPA_LASTMOD(ppa)) {
 581                         mutex_enter(&ppa->ppa_sta_lock);
 582                         /*
 583                          * We match sps_ioc_id on the M_IOC{ACK,NAK},
 584                          * so if the response hasn't come back yet,
 585                          * new ioctls must be queued instead.
 586                          */
 587                         if (IS_SPS_IOCQ(sps)) {
 588                                 mutex_exit(&ppa->ppa_sta_lock);
 589                                 if (!putq(q, mp)) {
 590                                         error = EAGAIN;
 591                                         break;
 592                                 }
 593                                 return;
 594                         } else {
 595                                 ppa->ppa_ioctlsfwd++;
 596                                 /*
 597                                  * Record the ioctl CMD & ID - this will be
 598                                  * used to check the ACK or NAK responses
 599                                  * coming from below.
 600                                  */
 601                                 sps->sps_ioc_id = iop->ioc_id;
 602                                 sps->sps_flags |= SPS_IOCQ;
 603                                 mutex_exit(&ppa->ppa_sta_lock);
 604                         }
 605                         putnext(ppa->ppa_lower_wq, mp);
 606                         return; /* don't ack or nak the request */
 607                 }
 608                 nmp = allocb(sizeof (*psp), BPRI_MED);
 609                 if (nmp == NULL) {
 610                         mutex_enter(&ppa->ppa_sta_lock);
 611                         ppa->ppa_allocbfail++;
 612                         mutex_exit(&ppa->ppa_sta_lock);
 613                         error = ENOSR;
 614                         break;
 615                 }
 616                 if (mp->b_cont != NULL) {
 617                         freemsg(mp->b_cont);
 618                 }
 619                 mp->b_cont = nmp;
 620                 psp = (struct ppp_stats64 *)nmp->b_wptr;
 621                 /*
 622                  * Copy the contents of ppp_stats64 structure for this
 623                  * ppa and return them to the caller.
 624                  */
 625                 mutex_enter(&ppa->ppa_sta_lock);
 626                 bcopy(&ppa->ppa_stats, psp, sizeof (*psp));
 627                 mutex_exit(&ppa->ppa_sta_lock);
 628                 nmp->b_wptr += sizeof (*psp);
 629                 count = sizeof (*psp);
 630                 error = 0;              /* return success */
 631                 break;
 632         case PPPIO_GETCSTAT:
 633                 if (ppa == NULL) {
 634                         break;          /* return EINVAL */
 635                 } else if ((ppa->ppa_lower_wq != NULL) &&
 636                     !IS_PPA_LASTMOD(ppa)) {
 637                         mutex_enter(&ppa->ppa_sta_lock);
 638                         /*
 639                          * See comments in PPPIO_GETSTAT64 case
 640                          * in sppp_ioctl().
 641                          */
 642                         if (IS_SPS_IOCQ(sps)) {
 643                                 mutex_exit(&ppa->ppa_sta_lock);
 644                                 if (!putq(q, mp)) {
 645                                         error = EAGAIN;
 646                                         break;
 647                                 }
 648                                 return;
 649                         } else {
 650                                 ppa->ppa_ioctlsfwd++;
 651                                 /*
 652                                  * Record the ioctl CMD & ID - this will be
 653                                  * used to check the ACK or NAK responses
 654                                  * coming from below.
 655                                  */
 656                                 sps->sps_ioc_id = iop->ioc_id;
 657                                 sps->sps_flags |= SPS_IOCQ;
 658                                 mutex_exit(&ppa->ppa_sta_lock);
 659                         }
 660                         putnext(ppa->ppa_lower_wq, mp);
 661                         return; /* don't ack or nak the request */
 662                 }
 663                 nmp = allocb(sizeof (struct ppp_comp_stats), BPRI_MED);
 664                 if (nmp == NULL) {
 665                         mutex_enter(&ppa->ppa_sta_lock);
 666                         ppa->ppa_allocbfail++;
 667                         mutex_exit(&ppa->ppa_sta_lock);
 668                         error = ENOSR;
 669                         break;
 670                 }
 671                 if (mp->b_cont != NULL) {
 672                         freemsg(mp->b_cont);
 673                 }
 674                 mp->b_cont = nmp;
 675                 pcsp = (struct ppp_comp_stats *)nmp->b_wptr;
 676                 nmp->b_wptr += sizeof (struct ppp_comp_stats);
 677                 bzero((caddr_t)pcsp, sizeof (struct ppp_comp_stats));
 678                 count = msgsize(nmp);
 679                 error = 0;              /* return success */
 680                 break;
 681         }
 682 
 683         if (error == 0) {
 684                 /* Success; tell the user. */
 685                 miocack(q, mp, count, 0);
 686         } else {
 687                 /* Failure; send error back upstream. */
 688                 miocnak(q, mp, 0, error);
 689         }
 690 }
 691 
 692 /*
 693  * sppp_uwput()
 694  *
 695  * MT-Perimeters:
 696  *    shared inner, shared outer.
 697  *
 698  * Description:
 699  *    Upper write-side put procedure. Messages from above arrive here.
 700  */
 701 int
 702 sppp_uwput(queue_t *q, mblk_t *mp)
 703 {
 704         queue_t         *nextq;
 705         spppstr_t       *sps;
 706         sppa_t          *ppa;
 707         struct iocblk   *iop;
 708         int             error;
 709 
 710         ASSERT(q != NULL && q->q_ptr != NULL);
 711         ASSERT(mp != NULL && mp->b_rptr != NULL);
 712         sps = (spppstr_t *)q->q_ptr;
 713         ppa = sps->sps_ppa;
 714 
 715         switch (MTYPE(mp)) {
 716         case M_PCPROTO:
 717         case M_PROTO:
 718                 if (IS_SPS_CONTROL(sps)) {
 719                         ASSERT(ppa != NULL);
 720                         /*
 721                          * Intentionally change this to a high priority
 722                          * message so it doesn't get queued up. M_PROTO is
 723                          * specifically used for signalling between pppd and its
 724                          * kernel-level component(s), such as ppptun, so we
 725                          * make sure that it doesn't get queued up behind
 726                          * data messages.
 727                          */
 728                         MTYPE(mp) = M_PCPROTO;
 729                         if ((ppa->ppa_lower_wq != NULL) &&
 730                             canputnext(ppa->ppa_lower_wq)) {
 731                                 mutex_enter(&ppa->ppa_sta_lock);
 732                                 ppa->ppa_mctlsfwd++;
 733                                 mutex_exit(&ppa->ppa_sta_lock);
 734                                 putnext(ppa->ppa_lower_wq, mp);
 735                         } else {
 736                                 mutex_enter(&ppa->ppa_sta_lock);
 737                                 ppa->ppa_mctlsfwderr++;
 738                                 mutex_exit(&ppa->ppa_sta_lock);
 739                                 freemsg(mp);
 740                         }
 741                 } else {
 742                         (void) sppp_mproto(q, mp, sps);
 743                         return (0);
 744                 }
 745                 break;
 746         case M_DATA:
 747                 if ((nextq = sppp_send(q, &mp, sps)) != NULL)
 748                         putnext(nextq, mp);
 749                 break;
 750         case M_IOCTL:
 751                 error = EINVAL;
 752                 iop = (struct iocblk *)mp->b_rptr;
 753                 switch (iop->ioc_cmd) {
 754                 case DLIOCRAW:
 755                 case DL_IOC_HDR_INFO:
 756                 case PPPIO_ATTACH:
 757                 case PPPIO_DEBUG:
 758                 case PPPIO_DETACH:
 759                 case PPPIO_LASTMOD:
 760                 case PPPIO_MRU:
 761                 case PPPIO_MTU:
 762                 case PPPIO_USETIMESTAMP:
 763                 case PPPIO_BLOCKNP:
 764                 case PPPIO_UNBLOCKNP:
 765                         qwriter(q, mp, sppp_inner_ioctl, PERIM_INNER);
 766                         return (0);
 767                 case I_LINK:
 768                 case I_UNLINK:
 769                 case PPPIO_NEWPPA:
 770                         qwriter(q, mp, sppp_outer_ioctl, PERIM_OUTER);
 771                         return (0);
 772                 case PPPIO_NPMODE:
 773                 case PPPIO_GIDLE:
 774                 case PPPIO_GTYPE:
 775                 case PPPIO_GETSTAT64:
 776                 case PPPIO_GETCSTAT:
 777                         /*
 778                          * These require additional auto variables to
 779                          * handle, so (for optimization reasons)
 780                          * they're moved off to a separate function.
 781                          */
 782                         sppp_ioctl(q, mp);
 783                         return (0);
 784                 case PPPIO_GETSTAT:
 785                         break;                  /* 32 bit interface gone */
 786                 default:
 787                         if (iop->ioc_cr == NULL ||
 788                             secpolicy_ppp_config(iop->ioc_cr) != 0) {
 789                                 error = EPERM;
 790                                 break;
 791                         } else if ((ppa == NULL) ||
 792                             (ppa->ppa_lower_wq == NULL)) {
 793                                 break;          /* return EINVAL */
 794                         }
 795                         mutex_enter(&ppa->ppa_sta_lock);
 796                         /*
 797                          * See comments in PPPIO_GETSTAT64 case
 798                          * in sppp_ioctl().
 799                          */
 800                         if (IS_SPS_IOCQ(sps)) {
 801                                 mutex_exit(&ppa->ppa_sta_lock);
 802                                 if (!putq(q, mp)) {
 803                                         error = EAGAIN;
 804                                         break;
 805                                 }
 806                                 return (0);
 807                         } else {
 808                                 ppa->ppa_ioctlsfwd++;
 809                                 /*
 810                                  * Record the ioctl CMD & ID -
 811                                  * this will be used to check the
 812                                  * ACK or NAK responses coming from below.
 813                                  */
 814                                 sps->sps_ioc_id = iop->ioc_id;
 815                                 sps->sps_flags |= SPS_IOCQ;
 816                                 mutex_exit(&ppa->ppa_sta_lock);
 817                         }
 818                         putnext(ppa->ppa_lower_wq, mp);
 819                         return (0);     /* don't ack or nak the request */
 820                 }
 821                 /* Failure; send error back upstream. */
 822                 miocnak(q, mp, 0, error);
 823                 break;
 824         case M_FLUSH:
 825                 if (*mp->b_rptr & FLUSHW) {
 826                         flushq(q, FLUSHDATA);
 827                 }
 828                 if (*mp->b_rptr & FLUSHR) {
 829                         *mp->b_rptr &= ~FLUSHW;
 830                         qreply(q, mp);
 831                 } else {
 832                         freemsg(mp);
 833                 }
 834                 break;
 835         default:
 836                 freemsg(mp);
 837                 break;
 838         }
 839         return (0);
 840 }
 841 
 842 /*
 843  * sppp_uwsrv()
 844  *
 845  * MT-Perimeters:
 846  *    exclusive inner, shared outer.
 847  *
 848  * Description:
 849  *    Upper write-side service procedure. Note that this procedure does
 850  *    not get called when a message is placed on our write-side queue, since
 851  *    automatic queue scheduling has been turned off by noenable() when
 852  *    the queue was opened. We do this on purpose, as we explicitly control
 853  *    the write-side queue. Therefore, this procedure gets called when
 854  *    the lower write service procedure qenable() the upper write stream queue.
 855  */
 856 int
 857 sppp_uwsrv(queue_t *q)
 858 {
 859         spppstr_t       *sps;
 860         sppa_t          *ppa;
 861         mblk_t          *mp;
 862         queue_t         *nextq;
 863         struct iocblk   *iop;
 864 
 865         ASSERT(q != NULL && q->q_ptr != NULL);
 866         sps = (spppstr_t *)q->q_ptr;
 867 
 868         while ((mp = getq(q)) != NULL) {
 869                 if (MTYPE(mp) == M_IOCTL) {
 870                         ppa = sps->sps_ppa;
 871                         if ((ppa == NULL) || (ppa->ppa_lower_wq == NULL)) {
 872                                 miocnak(q, mp, 0, EINVAL);
 873                                 continue;
 874                         }
 875 
 876                         iop = (struct iocblk *)mp->b_rptr;
 877                         mutex_enter(&ppa->ppa_sta_lock);
 878                         /*
 879                          * See comments in PPPIO_GETSTAT64 case
 880                          * in sppp_ioctl().
 881                          */
 882                         if (IS_SPS_IOCQ(sps)) {
 883                                 mutex_exit(&ppa->ppa_sta_lock);
 884                                 if (putbq(q, mp) == 0)
 885                                         miocnak(q, mp, 0, EAGAIN);
 886                                 break;
 887                         } else {
 888                                 ppa->ppa_ioctlsfwd++;
 889                                 sps->sps_ioc_id = iop->ioc_id;
 890                                 sps->sps_flags |= SPS_IOCQ;
 891                                 mutex_exit(&ppa->ppa_sta_lock);
 892                                 putnext(ppa->ppa_lower_wq, mp);
 893                         }
 894                 } else if ((nextq =
 895                     sppp_outpkt(q, &mp, msgdsize(mp), sps)) == NULL) {
 896                         if (mp != NULL) {
 897                                 if (putbq(q, mp) == 0)
 898                                         freemsg(mp);
 899                                 break;
 900                         }
 901                 } else {
 902                         putnext(nextq, mp);
 903                 }
 904         }
 905         return (0);
 906 }
 907 
 908 void
 909 sppp_remove_ppa(spppstr_t *sps)
 910 {
 911         spppstr_t *nextsib;
 912         sppa_t *ppa = sps->sps_ppa;
 913 
 914         rw_enter(&ppa->ppa_sib_lock, RW_WRITER);
 915         if (ppa->ppa_refcnt <= 1) {
 916                 rw_exit(&ppa->ppa_sib_lock);
 917                 sppp_free_ppa(ppa);
 918         } else {
 919                 nextsib = ppa->ppa_streams;
 920                 if (nextsib == sps) {
 921                         ppa->ppa_streams = sps->sps_nextsib;
 922                 } else {
 923                         while (nextsib->sps_nextsib != NULL) {
 924                                 if (nextsib->sps_nextsib == sps) {
 925                                         nextsib->sps_nextsib =
 926                                             sps->sps_nextsib;
 927                                         break;
 928                                 }
 929                                 nextsib = nextsib->sps_nextsib;
 930                         }
 931                 }
 932                 ppa->ppa_refcnt--;
 933                 /*
 934                  * And if this stream was marked as promiscuous
 935                  * (SPS_PROMISC), then we need to update the
 936                  * promiscuous streams count. This should only happen
 937                  * when DL_DETACH_REQ is issued prior to marking the
 938                  * stream as non-promiscuous, through
 939                  * DL_PROMISCOFF_REQ request.
 940                  */
 941                 if (IS_SPS_PROMISC(sps)) {
 942                         ASSERT(ppa->ppa_promicnt > 0);
 943                         ppa->ppa_promicnt--;
 944                 }
 945                 rw_exit(&ppa->ppa_sib_lock);
 946         }
 947         sps->sps_nextsib = NULL;
 948         sps->sps_ppa = NULL;
 949         freemsg(sps->sps_hangup);
 950         sps->sps_hangup = NULL;
 951 }
 952 
 953 sppa_t *
 954 sppp_find_ppa(uint32_t ppa_id)
 955 {
 956         sppa_t *ppa;
 957 
 958         for (ppa = ppa_list; ppa != NULL; ppa = ppa->ppa_nextppa) {
 959                 if (ppa->ppa_ppa_id == ppa_id) {
 960                         break;  /* found the ppa */
 961                 }
 962         }
 963         return (ppa);
 964 }
 965 
 966 /*
 967  * sppp_inner_ioctl()
 968  *
 969  * MT-Perimeters:
 970  *    exclusive inner, shared outer
 971  *
 972  * Description:
 973  *    Called by sppp_uwput as a result of receiving ioctls which require
 974  *    an exclusive access at the inner perimeter.
 975  */
 976 static void
 977 sppp_inner_ioctl(queue_t *q, mblk_t *mp)
 978 {
 979         spppstr_t       *sps;
 980         sppa_t          *ppa;
 981         struct iocblk   *iop;
 982         mblk_t          *nmp;
 983         int             error = EINVAL;
 984         int             count = 0;
 985         int             dbgcmd;
 986         int             mru, mtu;
 987         uint32_t        ppa_id;
 988         hrtime_t        hrtime;
 989         uint16_t        proto;
 990 
 991         ASSERT(q != NULL && q->q_ptr != NULL);
 992         ASSERT(mp != NULL && mp->b_rptr != NULL);
 993 
 994         sps = (spppstr_t *)q->q_ptr;
 995         ppa = sps->sps_ppa;
 996         iop = (struct iocblk *)mp->b_rptr;
 997         switch (iop->ioc_cmd) {
 998         case DLIOCRAW:
 999                 if (IS_SPS_CONTROL(sps)) {
1000                         break;          /* return EINVAL */
1001                 }
1002                 sps->sps_flags |= SPS_RAWDATA;
1003                 error = 0;              /* return success */
1004                 break;
1005         case DL_IOC_HDR_INFO:
1006                 if (IS_SPS_CONTROL(sps)) {
1007                         break;          /* return EINVAL */
1008                 } else if ((mp->b_cont == NULL) ||
1009                     *((t_uscalar_t *)mp->b_cont->b_rptr) != DL_UNITDATA_REQ ||
1010                     (MBLKL(mp->b_cont) < (sizeof (dl_unitdata_req_t) +
1011                     SPPP_ADDRL))) {
1012                         error = EPROTO;
1013                         break;
1014                 } else if (ppa == NULL) {
1015                         error = ENOLINK;
1016                         break;
1017                 }
1018                 if ((nmp = allocb(PPP_HDRLEN, BPRI_MED)) == NULL) {
1019                         mutex_enter(&ppa->ppa_sta_lock);
1020                         ppa->ppa_allocbfail++;
1021                         mutex_exit(&ppa->ppa_sta_lock);
1022                         error = ENOMEM;
1023                         break;
1024                 }
1025                 *(uchar_t *)nmp->b_wptr++ = PPP_ALLSTATIONS;
1026                 *(uchar_t *)nmp->b_wptr++ = PPP_UI;
1027                 *(uchar_t *)nmp->b_wptr++ = sps->sps_sap >> 8;
1028                 *(uchar_t *)nmp->b_wptr++ = sps->sps_sap & 0xff;
1029                 ASSERT(MBLKL(nmp) == PPP_HDRLEN);
1030 
1031                 linkb(mp, nmp);
1032                 sps->sps_flags |= SPS_FASTPATH;
1033                 error = 0;              /* return success */
1034                 count = msgsize(nmp);
1035                 break;
1036         case PPPIO_ATTACH:
1037                 if (IS_SPS_CONTROL(sps) || IS_SPS_PIOATTACH(sps) ||
1038                     (sps->sps_dlstate != DL_UNATTACHED) ||
1039                     (iop->ioc_count != sizeof (uint32_t))) {
1040                         break;          /* return EINVAL */
1041                 } else if (mp->b_cont == NULL) {
1042                         error = EPROTO;
1043                         break;
1044                 }
1045                 ASSERT(mp->b_cont->b_rptr != NULL);
1046                 /* If there's something here, it's detached. */
1047                 if (ppa != NULL) {
1048                         sppp_remove_ppa(sps);
1049                 }
1050                 ppa_id = *(uint32_t *)mp->b_cont->b_rptr;
1051                 ppa = sppp_find_ppa(ppa_id);
1052                 /*
1053                  * If we can't find it, then it's either because the requestor
1054                  * has supplied a wrong ppa_id to be attached to, or because
1055                  * the control stream for the specified ppa_id has been closed
1056                  * before we get here.
1057                  */
1058                 if (ppa == NULL) {
1059                         error = ENOENT;
1060                         break;
1061                 }
1062                 if (iop->ioc_cr == NULL ||
1063                     ppa->ppa_zoneid != crgetzoneid(iop->ioc_cr)) {
1064                         error = EPERM;
1065                         break;
1066                 }
1067                 /*
1068                  * Preallocate the hangup message so that we're always
1069                  * able to send this upstream in the event of a
1070                  * catastrophic failure.
1071                  */
1072                 if ((sps->sps_hangup = allocb(1, BPRI_MED)) == NULL) {
1073                         error = ENOSR;
1074                         break;
1075                 }
1076                 /*
1077                  * There are two ways to attach a stream to a ppa: one is
1078                  * through DLPI (DL_ATTACH_REQ) and the other is through
1079                  * PPPIO_ATTACH. This is why we need to distinguish whether or
1080                  * not a stream was allocated via PPPIO_ATTACH, so that we can
1081                  * properly detach it when we receive PPPIO_DETACH ioctl
1082                  * request.
1083                  */
1084                 sps->sps_flags |= SPS_PIOATTACH;
1085                 sps->sps_ppa = ppa;
1086                 /*
1087                  * Add this stream to the head of the list of sibling streams
1088                  * which belong to the same ppa as specified.
1089                  */
1090                 rw_enter(&ppa->ppa_sib_lock, RW_WRITER);
1091                 ppa->ppa_refcnt++;
1092                 sps->sps_nextsib = ppa->ppa_streams;
1093                 ppa->ppa_streams = sps;
1094                 rw_exit(&ppa->ppa_sib_lock);
1095                 error = 0;              /* return success */
1096                 break;
1097         case PPPIO_BLOCKNP:
1098         case PPPIO_UNBLOCKNP:
1099                 if (iop->ioc_cr == NULL ||
1100                     secpolicy_ppp_config(iop->ioc_cr) != 0) {
1101                         error = EPERM;
1102                         break;
1103                 }
1104                 error = miocpullup(mp, sizeof (uint16_t));
1105                 if (error != 0)
1106                         break;
1107                 ASSERT(mp->b_cont->b_rptr != NULL);
1108                 proto = *(uint16_t *)mp->b_cont->b_rptr;
1109                 if (iop->ioc_cmd == PPPIO_BLOCKNP) {
1110                         uint32_t npflagpos = sppp_ppp2np(proto);
1111                         /*
1112                          * Mark proto as blocked in ppa_npflag until the
1113                          * corresponding queues for proto have been plumbed.
1114                          */
1115                         if (npflagpos != 0) {
1116                                 mutex_enter(&ppa->ppa_npmutex);
1117                                 ppa->ppa_npflag |= (1 << npflagpos);
1118                                 mutex_exit(&ppa->ppa_npmutex);
1119                         } else {
1120                                 error = EINVAL;
1121                         }
1122                 } else {
1123                         /*
1124                          * reset ppa_npflag and release proto
1125                          * packets that were being held in control queue.
1126                          */
1127                         sppp_release_pkts(ppa, proto);
1128                 }
1129                 break;
1130         case PPPIO_DEBUG:
1131                 if (iop->ioc_cr == NULL ||
1132                     secpolicy_ppp_config(iop->ioc_cr) != 0) {
1133                         error = EPERM;
1134                         break;
1135                 } else if (iop->ioc_count != sizeof (uint32_t)) {
1136                         break;          /* return EINVAL */
1137                 } else if (mp->b_cont == NULL) {
1138                         error = EPROTO;
1139                         break;
1140                 }
1141                 ASSERT(mp->b_cont->b_rptr != NULL);
1142                 dbgcmd = *(uint32_t *)mp->b_cont->b_rptr;
1143                 /*
1144                  * We accept PPPDBG_LOG + PPPDBG_DRIVER value as an indication
1145                  * that SPS_KDEBUG needs to be enabled for this upper stream.
1146                  */
1147                 if (dbgcmd == PPPDBG_LOG + PPPDBG_DRIVER) {
1148                         sps->sps_flags |= SPS_KDEBUG;
1149                         error = 0;      /* return success */
1150                         break;
1151                 }
1152                 /*
1153                  * Otherwise, for any other values, we send them down only if
1154                  * there is an attachment and if the attachment has something
1155                  * linked underneath it.
1156                  */
1157                 if ((ppa == NULL) || (ppa->ppa_lower_wq == NULL)) {
1158                         error = ENOLINK;
1159                         break;
1160                 }
1161                 mutex_enter(&ppa->ppa_sta_lock);
1162                 /*
1163                  * See comments in PPPIO_GETSTAT64 case
1164                  * in sppp_ioctl().
1165                  */
1166                 if (IS_SPS_IOCQ(sps)) {
1167                         mutex_exit(&ppa->ppa_sta_lock);
1168                         if (!putq(q, mp)) {
1169                                 error = EAGAIN;
1170                                 break;
1171                         }
1172                         return;
1173                 } else {
1174                         ppa->ppa_ioctlsfwd++;
1175                         /*
1176                          * Record the ioctl CMD & ID -
1177                          * this will be used to check the
1178                          * ACK or NAK responses coming from below.
1179                          */
1180                         sps->sps_ioc_id = iop->ioc_id;
1181                         sps->sps_flags |= SPS_IOCQ;
1182                         mutex_exit(&ppa->ppa_sta_lock);
1183                 }
1184                 putnext(ppa->ppa_lower_wq, mp);
1185                 return;                 /* don't ack or nak the request */
1186         case PPPIO_DETACH:
1187                 if (!IS_SPS_PIOATTACH(sps)) {
1188                         break;          /* return EINVAL */
1189                 }
1190                 /*
1191                  * The SPS_PIOATTACH flag set on the stream tells us that
1192                  * the ppa field is still valid. In the event that the control
1193                  * stream be closed prior to this stream's detachment, the
1194                  * SPS_PIOATTACH flag would have been cleared from this stream
1195                  * during close; in that case we won't get here.
1196                  */
1197                 ASSERT(ppa != NULL);
1198                 ASSERT(ppa->ppa_ctl != sps);
1199                 ASSERT(sps->sps_dlstate == DL_UNATTACHED);
1200 
1201                 /*
1202                  * We don't actually detach anything until the stream is
1203                  * closed or reattached.
1204                  */
1205 
1206                 sps->sps_flags &= ~SPS_PIOATTACH;
1207                 error = 0;              /* return success */
1208                 break;
1209         case PPPIO_LASTMOD:
1210                 if (!IS_SPS_CONTROL(sps)) {
1211                         break;          /* return EINVAL */
1212                 }
1213                 ASSERT(ppa != NULL);
1214                 ppa->ppa_flags |= PPA_LASTMOD;
1215                 error = 0;              /* return success */
1216                 break;
1217         case PPPIO_MRU:
1218                 if (!IS_SPS_CONTROL(sps) ||
1219                     (iop->ioc_count != sizeof (uint32_t))) {
1220                         break;          /* return EINVAL */
1221                 } else if (mp->b_cont == NULL) {
1222                         error = EPROTO;
1223                         break;
1224                 }
1225                 ASSERT(ppa != NULL);
1226                 ASSERT(mp->b_cont->b_rptr != NULL);
1227                 mru = *(uint32_t *)mp->b_cont->b_rptr;
1228                 if ((mru <= 0) || (mru > PPP_MAXMRU)) {
1229                         error = EPROTO;
1230                         break;
1231                 }
1232                 if (mru < PPP_MRU) {
1233                         mru = PPP_MRU;
1234                 }
1235                 ppa->ppa_mru = (uint16_t)mru;
1236                 /*
1237                  * If there's something beneath this driver for the ppa, then
1238                  * inform it (or them) of the MRU size. Only do this is we
1239                  * are not the last PPP module on the stream.
1240                  */
1241                 if (!IS_PPA_LASTMOD(ppa) && (ppa->ppa_lower_wq != NULL)) {
1242                         (void) putctl4(ppa->ppa_lower_wq, M_CTL, PPPCTL_MRU,
1243                             mru);
1244                 }
1245                 error = 0;              /* return success */
1246                 break;
1247         case PPPIO_MTU:
1248                 if (!IS_SPS_CONTROL(sps) ||
1249                     (iop->ioc_count != sizeof (uint32_t))) {
1250                         break;          /* return EINVAL */
1251                 } else if (mp->b_cont == NULL) {
1252                         error = EPROTO;
1253                         break;
1254                 }
1255                 ASSERT(ppa != NULL);
1256                 ASSERT(mp->b_cont->b_rptr != NULL);
1257                 mtu = *(uint32_t *)mp->b_cont->b_rptr;
1258                 if ((mtu <= 0) || (mtu > PPP_MAXMTU)) {
1259                         error = EPROTO;
1260                         break;
1261                 }
1262                 ppa->ppa_mtu = (uint16_t)mtu;
1263                 /*
1264                  * If there's something beneath this driver for the ppa, then
1265                  * inform it (or them) of the MTU size. Only do this if we
1266                  * are not the last PPP module on the stream.
1267                  */
1268                 if (!IS_PPA_LASTMOD(ppa) && (ppa->ppa_lower_wq != NULL)) {
1269                         (void) putctl4(ppa->ppa_lower_wq, M_CTL, PPPCTL_MTU,
1270                             mtu);
1271                 }
1272                 error = 0;              /* return success */
1273                 break;
1274         case PPPIO_USETIMESTAMP:
1275                 if (!IS_SPS_CONTROL(sps)) {
1276                         break;          /* return EINVAL */
1277                 }
1278                 if (!IS_PPA_TIMESTAMP(ppa)) {
1279                         hrtime = gethrtime();
1280                         ppa->ppa_lasttx = ppa->ppa_lastrx = hrtime;
1281                         ppa->ppa_flags |= PPA_TIMESTAMP;
1282                 }
1283                 error = 0;
1284                 break;
1285         }
1286 
1287         if (error == 0) {
1288                 /* Success; tell the user */
1289                 miocack(q, mp, count, 0);
1290         } else {
1291                 /* Failure; send error back upstream */
1292                 miocnak(q, mp, 0, error);
1293         }
1294 }
1295 
1296 /*
1297  * sppp_outer_ioctl()
1298  *
1299  * MT-Perimeters:
1300  *    exclusive inner, exclusive outer
1301  *
1302  * Description:
1303  *    Called by sppp_uwput as a result of receiving ioctls which require
1304  *    an exclusive access at the outer perimeter.
1305  */
1306 static void
1307 sppp_outer_ioctl(queue_t *q, mblk_t *mp)
1308 {
1309         spppstr_t       *sps = q->q_ptr;
1310         spppstr_t       *nextsib;
1311         queue_t         *lwq;
1312         sppa_t          *ppa;
1313         struct iocblk   *iop;
1314         int             error = EINVAL;
1315         int             count = 0;
1316         uint32_t        ppa_id;
1317         mblk_t          *nmp;
1318         zoneid_t        zoneid;
1319 
1320         sps = (spppstr_t *)q->q_ptr;
1321         ppa = sps->sps_ppa;
1322         iop = (struct iocblk *)mp->b_rptr;
1323         switch (iop->ioc_cmd) {
1324         case I_LINK:
1325                 if (!IS_SPS_CONTROL(sps)) {
1326                         break;          /* return EINVAL */
1327                 } else if (ppa->ppa_lower_wq != NULL) {
1328                         error = EEXIST;
1329                         break;
1330                 }
1331                 ASSERT(ppa->ppa_ctl != NULL);
1332                 ASSERT(sps->sps_npmode == NPMODE_PASS);
1333                 ASSERT(mp->b_cont != NULL && mp->b_cont->b_rptr != NULL);
1334 
1335                 lwq = ((struct linkblk *)mp->b_cont->b_rptr)->l_qbot;
1336                 ASSERT(lwq != NULL);
1337 
1338                 ppa->ppa_lower_wq = lwq;
1339                 lwq->q_ptr = RD(lwq)->q_ptr = (caddr_t)ppa;
1340                 /*
1341                  * Unblock upper network streams which now feed this lower
1342                  * stream. We don't need to hold ppa_sib_lock here, since we
1343                  * are writer at the outer perimeter.
1344                  */
1345                 if (WR(sps->sps_rq)->q_first != NULL)
1346                         qenable(WR(sps->sps_rq));
1347                 for (nextsib = ppa->ppa_streams; nextsib != NULL;
1348                     nextsib = nextsib->sps_nextsib) {
1349                         nextsib->sps_npmode = NPMODE_PASS;
1350                         if (WR(nextsib->sps_rq)->q_first != NULL) {
1351                                 qenable(WR(nextsib->sps_rq));
1352                         }
1353                 }
1354 
1355                 /*
1356                  * Also unblock (run once) our lower read-side queue.  This is
1357                  * where packets received while doing the I_LINK may be
1358                  * languishing; see sppp_lrsrv.
1359                  */
1360                 qenable(RD(lwq));
1361 
1362                 /*
1363                  * Send useful information down to the modules which are now
1364                  * linked below this driver (for this particular ppa). Only
1365                  * do this if we are not the last PPP module on the stream.
1366                  */
1367                 if (!IS_PPA_LASTMOD(ppa)) {
1368                         (void) putctl8(lwq, M_CTL, PPPCTL_UNIT,
1369                             ppa->ppa_ppa_id);
1370                         (void) putctl4(lwq, M_CTL, PPPCTL_MRU, ppa->ppa_mru);
1371                         (void) putctl4(lwq, M_CTL, PPPCTL_MTU, ppa->ppa_mtu);
1372                 }
1373 
1374                 if (IS_SPS_KDEBUG(sps)) {
1375                         SPDEBUG(PPP_DRV_NAME
1376                             "/%d: I_LINK lwq=0x%p sps=0x%p flags=0x%b ppa=0x%p "
1377                             "flags=0x%b\n", sps->sps_mn_id,
1378                             (void *)ppa->ppa_lower_wq, (void *)sps,
1379                             sps->sps_flags, SPS_FLAGS_STR,
1380                             (void *)ppa, ppa->ppa_flags,
1381                             PPA_FLAGS_STR);
1382                 }
1383                 error = 0;              /* return success */
1384                 break;
1385         case I_UNLINK:
1386                 ASSERT(IS_SPS_CONTROL(sps));
1387                 ASSERT(ppa != NULL);
1388                 lwq = ppa->ppa_lower_wq;
1389                 ASSERT(mp->b_cont != NULL && mp->b_cont->b_rptr != NULL);
1390                 ASSERT(lwq == ((struct linkblk *)mp->b_cont->b_rptr)->l_qbot);
1391 
1392                 if (IS_SPS_KDEBUG(sps)) {
1393                         SPDEBUG(PPP_DRV_NAME
1394                             "/%d: I_UNLINK lwq=0x%p sps=0x%p flags=0x%b "
1395                             "ppa=0x%p flags=0x%b\n", sps->sps_mn_id,
1396                             (void *)lwq, (void *)sps, sps->sps_flags,
1397                             SPS_FLAGS_STR, (void *)ppa, ppa->ppa_flags,
1398                             PPA_FLAGS_STR);
1399                 }
1400                 /*
1401                  * While accessing the outer perimeter exclusively, we
1402                  * disassociate our ppa's lower_wq from the lower stream linked
1403                  * beneath us, and we also disassociate our control stream from
1404                  * the q_ptr of the lower stream.
1405                  */
1406                 lwq->q_ptr = RD(lwq)->q_ptr = NULL;
1407                 ppa->ppa_lower_wq = NULL;
1408                 /*
1409                  * Unblock streams which now feed back up the control stream,
1410                  * and acknowledge the request. We don't need to hold
1411                  * ppa_sib_lock here, since we are writer at the outer
1412                  * perimeter.
1413                  */
1414                 if (WR(sps->sps_rq)->q_first != NULL)
1415                         qenable(WR(sps->sps_rq));
1416                 for (nextsib = ppa->ppa_streams; nextsib != NULL;
1417                     nextsib = nextsib->sps_nextsib) {
1418                         if (WR(nextsib->sps_rq)->q_first != NULL) {
1419                                 qenable(WR(nextsib->sps_rq));
1420                         }
1421                 }
1422                 error = 0;              /* return success */
1423                 break;
1424         case PPPIO_NEWPPA:
1425                 /*
1426                  * Do sanity check to ensure that we don't accept PPPIO_NEWPPA
1427                  * on a stream which DLPI is used (since certain DLPI messages
1428                  * will cause state transition reflected in sps_dlstate,
1429                  * changing it from its default DL_UNATTACHED value). In other
1430                  * words, we won't allow a network/snoop stream to become
1431                  * a control stream.
1432                  */
1433                 if (iop->ioc_cr == NULL ||
1434                     secpolicy_ppp_config(iop->ioc_cr) != 0) {
1435                         error = EPERM;
1436                         break;
1437                 } else if (IS_SPS_CONTROL(sps) || IS_SPS_PIOATTACH(sps) ||
1438                     (ppa != NULL) || (sps->sps_dlstate != DL_UNATTACHED)) {
1439                         break;          /* return EINVAL */
1440                 }
1441                 /* Get requested unit number (if any) */
1442                 if (iop->ioc_count == sizeof (uint32_t) && mp->b_cont != NULL)
1443                         ppa_id = *(uint32_t *)mp->b_cont->b_rptr;
1444                 else
1445                         ppa_id = 0;
1446                 /* Get mblk to use for response message */
1447                 nmp = allocb(sizeof (uint32_t), BPRI_MED);
1448                 if (nmp == NULL) {
1449                         error = ENOSR;
1450                         break;
1451                 }
1452                 if (mp->b_cont != NULL) {
1453                         freemsg(mp->b_cont);
1454                 }
1455                 mp->b_cont = nmp;            /* chain our response mblk */
1456                 /*
1457                  * Walk the global ppa list and determine the lowest
1458                  * available ppa_id number to be used.
1459                  */
1460                 if (ppa_id == (uint32_t)-1)
1461                         ppa_id = 0;
1462                 zoneid = crgetzoneid(iop->ioc_cr);
1463                 for (ppa = ppa_list; ppa != NULL; ppa = ppa->ppa_nextppa) {
1464                         if (ppa_id == (uint32_t)-2) {
1465                                 if (ppa->ppa_ctl == NULL &&
1466                                     ppa->ppa_zoneid == zoneid)
1467                                         break;
1468                         } else {
1469                                 if (ppa_id < ppa->ppa_ppa_id)
1470                                         break;
1471                                 if (ppa_id == ppa->ppa_ppa_id)
1472                                         ++ppa_id;
1473                         }
1474                 }
1475                 if (ppa_id == (uint32_t)-2) {
1476                         if (ppa == NULL) {
1477                                 error = ENXIO;
1478                                 break;
1479                         }
1480                         /* Clear timestamp and lastmod flags */
1481                         ppa->ppa_flags = 0;
1482                 } else {
1483                         ppa = sppp_create_ppa(ppa_id, zoneid);
1484                         if (ppa == NULL) {
1485                                 error = ENOMEM;
1486                                 break;
1487                         }
1488                 }
1489 
1490                 sps->sps_ppa = ppa;          /* chain the ppa structure */
1491                 sps->sps_npmode = NPMODE_PASS;       /* network packets may travel */
1492                 sps->sps_flags |= SPS_CONTROL;       /* this is the control stream */
1493 
1494                 ppa->ppa_refcnt++;           /* new PPA reference */
1495                 ppa->ppa_ctl = sps;          /* back ptr to upper stream */
1496                 /*
1497                  * Return the newly created ppa_id to the requestor and
1498                  * acnowledge the request.
1499                  */
1500                 *(uint32_t *)nmp->b_wptr = ppa->ppa_ppa_id;
1501                 nmp->b_wptr += sizeof (uint32_t);
1502 
1503                 if (IS_SPS_KDEBUG(sps)) {
1504                         SPDEBUG(PPP_DRV_NAME
1505                             "/%d: PPPIO_NEWPPA ppa_id=%d sps=0x%p flags=0x%b "
1506                             "ppa=0x%p flags=0x%b\n", sps->sps_mn_id, ppa_id,
1507                             (void *)sps, sps->sps_flags, SPS_FLAGS_STR,
1508                             (void *)ppa, ppa->ppa_flags,
1509                             PPA_FLAGS_STR);
1510                 }
1511                 count = msgsize(nmp);
1512                 error = 0;
1513                 break;
1514         }
1515 
1516         if (error == 0) {
1517                 /* Success; tell the user. */
1518                 miocack(q, mp, count, 0);
1519         } else {
1520                 /* Failure; send error back upstream. */
1521                 miocnak(q, mp, 0, error);
1522         }
1523 }
1524 
1525 /*
1526  * sppp_send()
1527  *
1528  * MT-Perimeters:
1529  *    shared inner, shared outer.
1530  *
1531  * Description:
1532  *    Called by sppp_uwput to handle M_DATA message type.  Returns
1533  *    queue_t for putnext, or NULL to mean that the packet was
1534  *    handled internally.
1535  */
1536 static queue_t *
1537 sppp_send(queue_t *q, mblk_t **mpp, spppstr_t *sps)
1538 {
1539         mblk_t  *mp;
1540         sppa_t  *ppa;
1541         int     is_promisc;
1542         int     msize;
1543         int     error = 0;
1544         queue_t *nextq;
1545 
1546         ASSERT(mpp != NULL);
1547         mp = *mpp;
1548         ASSERT(q != NULL && q->q_ptr != NULL);
1549         ASSERT(mp != NULL && mp->b_rptr != NULL);
1550         ASSERT(sps != NULL);
1551         ASSERT(q->q_ptr == sps);
1552         /*
1553          * We only let M_DATA through if the sender is either the control
1554          * stream (for PPP control packets) or one of the network streams
1555          * (for IP packets) in IP fastpath mode. If this stream is not attached
1556          * to any ppas, then discard data coming down through this stream.
1557          */
1558         ppa = sps->sps_ppa;
1559         if (ppa == NULL) {
1560                 ASSERT(!IS_SPS_CONTROL(sps));
1561                 error = ENOLINK;
1562         } else if (!IS_SPS_CONTROL(sps) && !IS_SPS_FASTPATH(sps)) {
1563                 error = EPROTO;
1564         }
1565         if (error != 0) {
1566                 merror(q, mp, error);
1567                 return (NULL);
1568         }
1569         msize = msgdsize(mp);
1570         if (msize > (ppa->ppa_mtu + PPP_HDRLEN)) {
1571                 /* Log, and send it anyway */
1572                 mutex_enter(&ppa->ppa_sta_lock);
1573                 ppa->ppa_otoolongs++;
1574                 mutex_exit(&ppa->ppa_sta_lock);
1575         } else if (msize < PPP_HDRLEN) {
1576                 /*
1577                  * Log, and send it anyway. We log it because we get things
1578                  * in M_DATA form here, which tells us that the sender is
1579                  * either IP in fastpath transmission mode, or pppd. In both
1580                  * cases, they are currently expected to send the 4-bytes
1581                  * PPP header in front of any possible payloads.
1582                  */
1583                 mutex_enter(&ppa->ppa_sta_lock);
1584                 ppa->ppa_orunts++;
1585                 mutex_exit(&ppa->ppa_sta_lock);
1586         }
1587 
1588         if (IS_SPS_KDEBUG(sps)) {
1589                 SPDEBUG(PPP_DRV_NAME
1590                     "/%d: M_DATA send (%d bytes) sps=0x%p flags=0x%b "
1591                     "ppa=0x%p flags=0x%b\n", sps->sps_mn_id, msize,
1592                     (void *)sps, sps->sps_flags, SPS_FLAGS_STR,
1593                     (void *)ppa, ppa->ppa_flags, PPA_FLAGS_STR);
1594         }
1595         /*
1596          * Should there be any promiscuous stream(s), send the data up
1597          * for each promiscuous stream that we recognize. Make sure that
1598          * for fastpath, we skip the PPP header in the M_DATA mblk. We skip
1599          * the control stream as we obviously never allow the control stream
1600          * to become promiscous and bind to PPP_ALLSAP.
1601          */
1602         rw_enter(&ppa->ppa_sib_lock, RW_READER);
1603         is_promisc = sps->sps_ppa->ppa_promicnt;
1604         if (is_promisc) {
1605                 ASSERT(ppa->ppa_streams != NULL);
1606                 sppp_dlprsendup(ppa->ppa_streams, mp, sps->sps_sap, B_TRUE);
1607         }
1608         rw_exit(&ppa->ppa_sib_lock);
1609         /*
1610          * Only time-stamp the packet with hrtime if the upper stream
1611          * is configured to do so.  PPP control (negotiation) messages
1612          * are never considered link activity; only data is activity.
1613          */
1614         if (!IS_SPS_CONTROL(sps) && IS_PPA_TIMESTAMP(ppa)) {
1615                 ppa->ppa_lasttx = gethrtime();
1616         }
1617         /*
1618          * If there's already a message in the write-side service queue,
1619          * then queue this message there as well, otherwise, try to send
1620          * it down to the module immediately below us.
1621          */
1622         if (q->q_first != NULL ||
1623             (nextq = sppp_outpkt(q, mpp, msize, sps)) == NULL) {
1624                 mp = *mpp;
1625                 if (mp != NULL && putq(q, mp) == 0) {
1626                         mutex_enter(&ppa->ppa_sta_lock);
1627                         ppa->ppa_oqdropped++;
1628                         mutex_exit(&ppa->ppa_sta_lock);
1629                         freemsg(mp);
1630                 }
1631                 return (NULL);
1632         }
1633         return (nextq);
1634 }
1635 
1636 /*
1637  * sppp_outpkt()
1638  *
1639  * MT-Perimeters:
1640  *    shared inner, shared outer (if called from sppp_wput, sppp_dlunitdatareq).
1641  *    exclusive inner, shared outer (if called from sppp_wsrv).
1642  *
1643  * Description:
1644  *    Called from 1) sppp_uwput when processing a M_DATA fastpath message,
1645  *    or 2) sppp_uwsrv when processing the upper write-side service queue.
1646  *    For both cases, it prepares to send the data to the module below
1647  *    this driver if there is a lower stream linked underneath. If none, then
1648  *    the data will be sent upstream via the control channel to pppd.
1649  *
1650  * Returns:
1651  *      Non-NULL queue_t if message should be sent now, otherwise
1652  *      if *mpp == NULL, then message was freed, otherwise put *mpp
1653  *      (back) on the queue.  (Does not do putq/putbq, since it's
1654  *      called both from srv and put procedures.)
1655  */
1656 static queue_t *
1657 sppp_outpkt(queue_t *q, mblk_t **mpp, int msize, spppstr_t *sps)
1658 {
1659         mblk_t          *mp;
1660         sppa_t          *ppa;
1661         enum NPmode     npmode;
1662         mblk_t          *mpnew;
1663 
1664         ASSERT(mpp != NULL);
1665         mp = *mpp;
1666         ASSERT(q != NULL && q->q_ptr != NULL);
1667         ASSERT(mp != NULL && mp->b_rptr != NULL);
1668         ASSERT(sps != NULL);
1669 
1670         ppa = sps->sps_ppa;
1671         npmode = sps->sps_npmode;
1672 
1673         if (npmode == NPMODE_QUEUE) {
1674                 ASSERT(!IS_SPS_CONTROL(sps));
1675                 return (NULL);  /* queue it for later */
1676         } else if (ppa == NULL || ppa->ppa_ctl == NULL ||
1677             npmode == NPMODE_DROP || npmode == NPMODE_ERROR) {
1678                 /*
1679                  * This can not be the control stream, as it must always have
1680                  * a valid ppa, and its npmode must always be NPMODE_PASS.
1681                  */
1682                 ASSERT(!IS_SPS_CONTROL(sps));
1683                 if (npmode == NPMODE_DROP) {
1684                         freemsg(mp);
1685                 } else {
1686                         /*
1687                          * If we no longer have the control stream, or if the
1688                          * mode is set to NPMODE_ERROR, then we need to tell IP
1689                          * that the interface need to be marked as down. In
1690                          * other words, we tell IP to be quiescent.
1691                          */
1692                         merror(q, mp, EPROTO);
1693                 }
1694                 *mpp = NULL;
1695                 return (NULL);  /* don't queue it */
1696         }
1697         /*
1698          * Do we have a driver stream linked underneath ? If not, we need to
1699          * notify pppd that the link needs to be brought up and configure
1700          * this upper stream to drop subsequent outgoing packets. This is
1701          * for demand-dialing, in which case pppd has done the IP plumbing
1702          * but hasn't linked the driver stream underneath us. Therefore, when
1703          * a packet is sent down the IP interface, a notification message
1704          * will be sent up the control stream to pppd in order for it to
1705          * establish the physical link. The driver stream is then expected
1706          * to be linked underneath after physical link establishment is done.
1707          */
1708         if (ppa->ppa_lower_wq == NULL) {
1709                 ASSERT(ppa->ppa_ctl != NULL);
1710                 ASSERT(ppa->ppa_ctl->sps_rq != NULL);
1711 
1712                 *mpp = NULL;
1713                 mpnew = create_lsmsg(PPP_LINKSTAT_NEEDUP);
1714                 if (mpnew == NULL) {
1715                         freemsg(mp);
1716                         mutex_enter(&ppa->ppa_sta_lock);
1717                         ppa->ppa_allocbfail++;
1718                         mutex_exit(&ppa->ppa_sta_lock);
1719                         return (NULL);  /* don't queue it */
1720                 }
1721                 /* Include the data in the message for logging. */
1722                 mpnew->b_cont = mp;
1723                 mutex_enter(&ppa->ppa_sta_lock);
1724                 ppa->ppa_lsneedup++;
1725                 mutex_exit(&ppa->ppa_sta_lock);
1726                 /*
1727                  * We need to set the mode to NPMODE_DROP, but should only
1728                  * do so when this stream is not the control stream.
1729                  */
1730                 if (!IS_SPS_CONTROL(sps)) {
1731                         sps->sps_npmode = NPMODE_DROP;
1732                 }
1733                 putnext(ppa->ppa_ctl->sps_rq, mpnew);
1734                 return (NULL);  /* don't queue it */
1735         }
1736         /*
1737          * If so, then try to send it down. The lower queue is only ever
1738          * detached while holding an exclusive lock on the whole driver,
1739          * so we can be confident that the lower queue is still there.
1740          */
1741         if (bcanputnext(ppa->ppa_lower_wq, mp->b_band)) {
1742                 mutex_enter(&ppa->ppa_sta_lock);
1743                 ppa->ppa_stats.p.ppp_opackets++;
1744                 if (IS_SPS_CONTROL(sps)) {
1745                         ppa->ppa_opkt_ctl++;
1746                 }
1747                 ppa->ppa_stats.p.ppp_obytes += msize;
1748                 mutex_exit(&ppa->ppa_sta_lock);
1749                 return (ppa->ppa_lower_wq);  /* don't queue it */
1750         }
1751         return (NULL);  /* queue it for later */
1752 }
1753 
1754 /*
1755  * sppp_lwsrv()
1756  *
1757  * MT-Perimeters:
1758  *    exclusive inner, shared outer.
1759  *
1760  * Description:
1761  *    Lower write-side service procedure. No messages are ever placed on
1762  *    the write queue here, this just back-enables all upper write side
1763  *    service procedures.
1764  */
1765 int
1766 sppp_lwsrv(queue_t *q)
1767 {
1768         sppa_t          *ppa;
1769         spppstr_t       *nextsib;
1770 
1771         ASSERT(q != NULL && q->q_ptr != NULL);
1772         ppa = (sppa_t *)q->q_ptr;
1773         ASSERT(ppa != NULL);
1774 
1775         rw_enter(&ppa->ppa_sib_lock, RW_READER);
1776         if ((nextsib = ppa->ppa_ctl) != NULL &&
1777             WR(nextsib->sps_rq)->q_first != NULL)
1778                 qenable(WR(nextsib->sps_rq));
1779         for (nextsib = ppa->ppa_streams; nextsib != NULL;
1780             nextsib = nextsib->sps_nextsib) {
1781                 if (WR(nextsib->sps_rq)->q_first != NULL) {
1782                         qenable(WR(nextsib->sps_rq));
1783                 }
1784         }
1785         rw_exit(&ppa->ppa_sib_lock);
1786         return (0);
1787 }
1788 
1789 /*
1790  * sppp_lrput()
1791  *
1792  * MT-Perimeters:
1793  *    shared inner, shared outer.
1794  *
1795  * Description:
1796  *    Lower read-side put procedure. Messages from below get here.
1797  *    Data messages are handled separately to limit stack usage
1798  *    going into IP.
1799  *
1800  *    Note that during I_UNLINK processing, it's possible for a downstream
1801  *    message to enable upstream data (due to pass_wput() removing the
1802  *    SQ_BLOCKED flag), and thus we must protect against a NULL sppa pointer.
1803  *    In this case, the only thing above us is passthru, and we might as well
1804  *    discard.
1805  */
1806 int
1807 sppp_lrput(queue_t *q, mblk_t *mp)
1808 {
1809         sppa_t          *ppa;
1810         spppstr_t       *sps;
1811 
1812         if ((ppa = q->q_ptr) == NULL) {
1813                 freemsg(mp);
1814                 return (0);
1815         }
1816 
1817         sps = ppa->ppa_ctl;
1818 
1819         if (MTYPE(mp) != M_DATA) {
1820                 sppp_recv_nondata(q, mp, sps);
1821         } else if (sps == NULL) {
1822                 freemsg(mp);
1823         } else if ((q = sppp_recv(q, &mp, sps)) != NULL) {
1824                 putnext(q, mp);
1825         }
1826         return (0);
1827 }
1828 
1829 /*
1830  * sppp_lrsrv()
1831  *
1832  * MT-Perimeters:
1833  *    exclusive inner, shared outer.
1834  *
1835  * Description:
1836  *    Lower read-side service procedure.  This is run once after the I_LINK
1837  *    occurs in order to clean up any packets that came in while we were
1838  *    transferring in the lower stream.  Otherwise, it's not used.
1839  */
1840 int
1841 sppp_lrsrv(queue_t *q)
1842 {
1843         mblk_t *mp;
1844 
1845         while ((mp = getq(q)) != NULL)
1846                 (void) sppp_lrput(q, mp);
1847         return (0);
1848 }
1849 
1850 /*
1851  * sppp_recv_nondata()
1852  *
1853  * MT-Perimeters:
1854  *    shared inner, shared outer.
1855  *
1856  * Description:
1857  *    All received non-data messages come through here.
1858  */
1859 static void
1860 sppp_recv_nondata(queue_t *q, mblk_t *mp, spppstr_t *ctlsps)
1861 {
1862         sppa_t          *ppa;
1863         spppstr_t       *destsps;
1864         struct iocblk   *iop;
1865 
1866         ppa = (sppa_t *)q->q_ptr;
1867         ctlsps = ppa->ppa_ctl;
1868 
1869         switch (MTYPE(mp)) {
1870         case M_CTL:
1871                 mutex_enter(&ppa->ppa_sta_lock);
1872                 if (*mp->b_rptr == PPPCTL_IERROR) {
1873                         ppa->ppa_stats.p.ppp_ierrors++;
1874                         ppa->ppa_ierr_low++;
1875                         ppa->ppa_mctlsknown++;
1876                 } else if (*mp->b_rptr == PPPCTL_OERROR) {
1877                         ppa->ppa_stats.p.ppp_oerrors++;
1878                         ppa->ppa_oerr_low++;
1879                         ppa->ppa_mctlsknown++;
1880                 } else {
1881                         ppa->ppa_mctlsunknown++;
1882                 }
1883                 mutex_exit(&ppa->ppa_sta_lock);
1884                 freemsg(mp);
1885                 break;
1886         case M_IOCTL:
1887                 miocnak(q, mp, 0, EINVAL);
1888                 break;
1889         case M_IOCACK:
1890         case M_IOCNAK:
1891                 iop = (struct iocblk *)mp->b_rptr;
1892                 ASSERT(iop != NULL);
1893                 /*
1894                  * Attempt to match up the response with the stream that the
1895                  * request came from. If ioc_id doesn't match the one that we
1896                  * recorded, then discard this message.
1897                  */
1898                 rw_enter(&ppa->ppa_sib_lock, RW_READER);
1899                 if ((destsps = ctlsps) == NULL ||
1900                     destsps->sps_ioc_id != iop->ioc_id) {
1901                         destsps = ppa->ppa_streams;
1902                         while (destsps != NULL) {
1903                                 if (destsps->sps_ioc_id == iop->ioc_id) {
1904                                         break;  /* found the upper stream */
1905                                 }
1906                                 destsps = destsps->sps_nextsib;
1907                         }
1908                 }
1909                 rw_exit(&ppa->ppa_sib_lock);
1910                 if (destsps == NULL) {
1911                         mutex_enter(&ppa->ppa_sta_lock);
1912                         ppa->ppa_ioctlsfwderr++;
1913                         mutex_exit(&ppa->ppa_sta_lock);
1914                         freemsg(mp);
1915                         break;
1916                 }
1917                 mutex_enter(&ppa->ppa_sta_lock);
1918                 ppa->ppa_ioctlsfwdok++;
1919 
1920                 /*
1921                  * Clear SPS_IOCQ and enable the lower write side queue,
1922                  * this would allow the upper stream service routine
1923                  * to start processing the queue for pending messages.
1924                  * sppp_lwsrv -> sppp_uwsrv.
1925                  */
1926                 destsps->sps_flags &= ~SPS_IOCQ;
1927                 mutex_exit(&ppa->ppa_sta_lock);
1928                 qenable(WR(destsps->sps_rq));
1929 
1930                 putnext(destsps->sps_rq, mp);
1931                 break;
1932         case M_HANGUP:
1933                 /*
1934                  * Free the original mblk_t. We don't really want to send
1935                  * a M_HANGUP message upstream, so we need to translate this
1936                  * message into something else.
1937                  */
1938                 freemsg(mp);
1939                 if (ctlsps == NULL)
1940                         break;
1941                 mp = create_lsmsg(PPP_LINKSTAT_HANGUP);
1942                 if (mp == NULL) {
1943                         mutex_enter(&ppa->ppa_sta_lock);
1944                         ppa->ppa_allocbfail++;
1945                         mutex_exit(&ppa->ppa_sta_lock);
1946                         break;
1947                 }
1948                 mutex_enter(&ppa->ppa_sta_lock);
1949                 ppa->ppa_lsdown++;
1950                 mutex_exit(&ppa->ppa_sta_lock);
1951                 putnext(ctlsps->sps_rq, mp);
1952                 break;
1953         case M_FLUSH:
1954                 if (*mp->b_rptr & FLUSHR) {
1955                         flushq(q, FLUSHDATA);
1956                 }
1957                 if (*mp->b_rptr & FLUSHW) {
1958                         *mp->b_rptr &= ~FLUSHR;
1959                         qreply(q, mp);
1960                 } else {
1961                         freemsg(mp);
1962                 }
1963                 break;
1964         default:
1965                 if (ctlsps != NULL &&
1966                     (queclass(mp) == QPCTL) || canputnext(ctlsps->sps_rq)) {
1967                         putnext(ctlsps->sps_rq, mp);
1968                 } else {
1969                         mutex_enter(&ppa->ppa_sta_lock);
1970                         ppa->ppa_iqdropped++;
1971                         mutex_exit(&ppa->ppa_sta_lock);
1972                         freemsg(mp);
1973                 }
1974                 break;
1975         }
1976 }
1977 
1978 /*
1979  * sppp_recv()
1980  *
1981  * MT-Perimeters:
1982  *    shared inner, shared outer.
1983  *
1984  * Description:
1985  *    Receive function called by sppp_lrput.  Finds appropriate
1986  *    receive stream and does accounting.
1987  */
1988 static queue_t *
1989 sppp_recv(queue_t *q, mblk_t **mpp, spppstr_t *ctlsps)
1990 {
1991         mblk_t          *mp;
1992         int             len;
1993         sppa_t          *ppa;
1994         spppstr_t       *destsps;
1995         mblk_t          *zmp;
1996         uint32_t        npflagpos;
1997 
1998         ASSERT(mpp != NULL);
1999         mp = *mpp;
2000         ASSERT(q != NULL && q->q_ptr != NULL);
2001         ASSERT(mp != NULL && mp->b_rptr != NULL);
2002         ASSERT(ctlsps != NULL);
2003         ASSERT(IS_SPS_CONTROL(ctlsps));
2004         ppa = ctlsps->sps_ppa;
2005         ASSERT(ppa != NULL && ppa->ppa_ctl != NULL);
2006 
2007         len = msgdsize(mp);
2008         mutex_enter(&ppa->ppa_sta_lock);
2009         ppa->ppa_stats.p.ppp_ibytes += len;
2010         mutex_exit(&ppa->ppa_sta_lock);
2011         /*
2012          * If the entire data size of the mblk is less than the length of the
2013          * PPP header, then free it. We can't do much with such message anyway,
2014          * since we can't really determine what the PPP protocol type is.
2015          */
2016         if (len < PPP_HDRLEN) {
2017                 /* Log, and free it */
2018                 mutex_enter(&ppa->ppa_sta_lock);
2019                 ppa->ppa_irunts++;
2020                 mutex_exit(&ppa->ppa_sta_lock);
2021                 freemsg(mp);
2022                 return (NULL);
2023         } else if (len > (ppa->ppa_mru + PPP_HDRLEN)) {
2024                 /* Log, and accept it anyway */
2025                 mutex_enter(&ppa->ppa_sta_lock);
2026                 ppa->ppa_itoolongs++;
2027                 mutex_exit(&ppa->ppa_sta_lock);
2028         }
2029         /*
2030          * We need at least be able to read the PPP protocol from the header,
2031          * so if the first message block is too small, then we concatenate the
2032          * rest of the following blocks into one message.
2033          */
2034         if (MBLKL(mp) < PPP_HDRLEN) {
2035                 zmp = msgpullup(mp, PPP_HDRLEN);
2036                 freemsg(mp);
2037                 mp = zmp;
2038                 if (mp == NULL) {
2039                         mutex_enter(&ppa->ppa_sta_lock);
2040                         ppa->ppa_allocbfail++;
2041                         mutex_exit(&ppa->ppa_sta_lock);
2042                         return (NULL);
2043                 }
2044                 *mpp = mp;
2045         }
2046         /*
2047          * Hold this packet in the control-queue until
2048          * the matching network-layer upper stream for the PPP protocol (sap)
2049          * has not been plumbed and configured
2050          */
2051         npflagpos = sppp_ppp2np(PPP_PROTOCOL(mp->b_rptr));
2052         mutex_enter(&ppa->ppa_npmutex);
2053         if (npflagpos != 0 && (ppa->ppa_npflag & (1 << npflagpos))) {
2054                 /*
2055                  * proto is currently blocked; Hold up to 4 packets
2056                  * in the kernel.
2057                  */
2058                 if (ppa->ppa_holdpkts[npflagpos] > 3 ||
2059                     putq(ctlsps->sps_rq, mp) == 0)
2060                         freemsg(mp);
2061                 else
2062                         ppa->ppa_holdpkts[npflagpos]++;
2063                 mutex_exit(&ppa->ppa_npmutex);
2064                 return (NULL);
2065         }
2066         mutex_exit(&ppa->ppa_npmutex);
2067         /*
2068          * Try to find a matching network-layer upper stream for the specified
2069          * PPP protocol (sap), and if none is found, send this frame up the
2070          * control stream.
2071          */
2072         destsps = sppp_inpkt(q, mp, ctlsps);
2073         if (destsps == NULL) {
2074                 mutex_enter(&ppa->ppa_sta_lock);
2075                 ppa->ppa_ipkt_ctl++;
2076                 mutex_exit(&ppa->ppa_sta_lock);
2077                 if (canputnext(ctlsps->sps_rq)) {
2078                         if (IS_SPS_KDEBUG(ctlsps)) {
2079                                 SPDEBUG(PPP_DRV_NAME
2080                                     "/%d: M_DATA recv (%d bytes) sps=0x%p "
2081                                     "flags=0x%b ppa=0x%p flags=0x%b\n",
2082                                     ctlsps->sps_mn_id, len, (void *)ctlsps,
2083                                     ctlsps->sps_flags, SPS_FLAGS_STR,
2084                                     (void *)ppa, ppa->ppa_flags,
2085                                     PPA_FLAGS_STR);
2086                         }
2087                         return (ctlsps->sps_rq);
2088                 } else {
2089                         mutex_enter(&ppa->ppa_sta_lock);
2090                         ppa->ppa_iqdropped++;
2091                         mutex_exit(&ppa->ppa_sta_lock);
2092                         freemsg(mp);
2093                         return (NULL);
2094                 }
2095         }
2096         if (canputnext(destsps->sps_rq)) {
2097                 if (IS_SPS_KDEBUG(destsps)) {
2098                         SPDEBUG(PPP_DRV_NAME
2099                             "/%d: M_DATA recv (%d bytes) sps=0x%p flags=0x%b "
2100                             "ppa=0x%p flags=0x%b\n", destsps->sps_mn_id, len,
2101                             (void *)destsps, destsps->sps_flags,
2102                             SPS_FLAGS_STR, (void *)ppa, ppa->ppa_flags,
2103                             PPA_FLAGS_STR);
2104                 }
2105                 /*
2106                  * If fastpath is enabled on the network-layer stream, then
2107                  * make sure we skip over the PPP header, otherwise, we wrap
2108                  * the message in a DLPI message.
2109                  */
2110                 if (IS_SPS_FASTPATH(destsps)) {
2111                         mp->b_rptr += PPP_HDRLEN;
2112                         return (destsps->sps_rq);
2113                 } else {
2114                         spppstr_t *uqs = (spppstr_t *)destsps->sps_rq->q_ptr;
2115                         ASSERT(uqs != NULL);
2116                         mp->b_rptr += PPP_HDRLEN;
2117                         mp = sppp_dladdud(uqs, mp, uqs->sps_sap, B_FALSE);
2118                         if (mp != NULL) {
2119                                 *mpp = mp;
2120                                 return (destsps->sps_rq);
2121                         } else {
2122                                 mutex_enter(&ppa->ppa_sta_lock);
2123                                 ppa->ppa_allocbfail++;
2124                                 mutex_exit(&ppa->ppa_sta_lock);
2125                                 /* mp already freed by sppp_dladdud */
2126                                 return (NULL);
2127                         }
2128                 }
2129         } else {
2130                 mutex_enter(&ppa->ppa_sta_lock);
2131                 ppa->ppa_iqdropped++;
2132                 mutex_exit(&ppa->ppa_sta_lock);
2133                 freemsg(mp);
2134                 return (NULL);
2135         }
2136 }
2137 
2138 /*
2139  * sppp_inpkt()
2140  *
2141  * MT-Perimeters:
2142  *    shared inner, shared outer.
2143  *
2144  * Description:
2145  *    Find the destination upper stream for the received packet, called
2146  *    from sppp_recv.
2147  *
2148  * Returns:
2149  *    ptr to destination upper network stream, or NULL for control stream.
2150  */
2151 /* ARGSUSED */
2152 static spppstr_t *
2153 sppp_inpkt(queue_t *q, mblk_t *mp, spppstr_t *ctlsps)
2154 {
2155         spppstr_t       *destsps = NULL;
2156         sppa_t          *ppa;
2157         uint16_t        proto;
2158         int             is_promisc;
2159 
2160         ASSERT(q != NULL && q->q_ptr != NULL);
2161         ASSERT(mp != NULL && mp->b_rptr != NULL);
2162         ASSERT(IS_SPS_CONTROL(ctlsps));
2163         ppa = ctlsps->sps_ppa;
2164         ASSERT(ppa != NULL);
2165         /*
2166          * From RFC 1661 (Section 2):
2167          *
2168          * The Protocol field is one or two octets, and its value identifies
2169          * the datagram encapsulated in the Information field of the packet.
2170          * The field is transmitted and received most significant octet first.
2171          *
2172          * The structure of this field is consistent with the ISO 3309
2173          * extension mechanism for address fields.  All Protocols MUST be odd;
2174          * the least significant bit of the least significant octet MUST equal
2175          * "1".  Also, all Protocols MUST be assigned such that the least
2176          * significant bit of the most significant octet equals "0". Frames
2177          * received which don't comply with these rules MUST be treated as
2178          * having an unrecognized Protocol.
2179          *
2180          * Protocol field values in the "0***" to "3***" range identify the
2181          * network-layer protocol of specific packets, and values in the
2182          * "8***" to "b***" range identify packets belonging to the associated
2183          * Network Control Protocols (NCPs), if any.
2184          *
2185          * Protocol field values in the "4***" to "7***" range are used for
2186          * protocols with low volume traffic which have no associated NCP.
2187          * Protocol field values in the "c***" to "f***" range identify packets
2188          * as link-layer Control Protocols (such as LCP).
2189          */
2190         proto = PPP_PROTOCOL(mp->b_rptr);
2191         mutex_enter(&ppa->ppa_sta_lock);
2192         ppa->ppa_stats.p.ppp_ipackets++;
2193         mutex_exit(&ppa->ppa_sta_lock);
2194         /*
2195          * We check if this is not a network-layer protocol, and if so,
2196          * then send this packet up the control stream.
2197          */
2198         if (proto > 0x7fff) {
2199                 goto inpkt_done;        /* send it up the control stream */
2200         }
2201         /*
2202          * Try to grab the destination upper stream from the network-layer
2203          * stream cache for this ppa for PPP_IP (0x0021) or PPP_IPV6 (0x0057)
2204          * protocol types. Otherwise, if the type is not known to the cache,
2205          * or if its sap can't be matched with any of the upper streams, then
2206          * send this packet up the control stream so that it can be rejected.
2207          */
2208         if (proto == PPP_IP) {
2209                 destsps = ppa->ppa_ip_cache;
2210         } else if (proto == PPP_IPV6) {
2211                 destsps = ppa->ppa_ip6_cache;
2212         }
2213         /*
2214          * Toss this one away up the control stream if there's no matching sap;
2215          * this way the protocol can be rejected (destsps is NULL).
2216          */
2217 
2218 inpkt_done:
2219         /*
2220          * Only time-stamp the packet with hrtime if the upper stream
2221          * is configured to do so.  PPP control (negotiation) messages
2222          * are never considered link activity; only data is activity.
2223          */
2224         if (destsps != NULL && IS_PPA_TIMESTAMP(ppa)) {
2225                 ppa->ppa_lastrx = gethrtime();
2226         }
2227         /*
2228          * Should there be any promiscuous stream(s), send the data up for
2229          * each promiscuous stream that we recognize. We skip the control
2230          * stream as we obviously never allow the control stream to become
2231          * promiscous and bind to PPP_ALLSAP.
2232          */
2233         rw_enter(&ppa->ppa_sib_lock, RW_READER);
2234         is_promisc = ppa->ppa_promicnt;
2235         if (is_promisc) {
2236                 ASSERT(ppa->ppa_streams != NULL);
2237                 sppp_dlprsendup(ppa->ppa_streams, mp, proto, B_TRUE);
2238         }
2239         rw_exit(&ppa->ppa_sib_lock);
2240         return (destsps);
2241 }
2242 
2243 /*
2244  * sppp_kstat_update()
2245  *
2246  * Description:
2247  *    Update per-ppa kstat interface statistics.
2248  */
2249 static int
2250 sppp_kstat_update(kstat_t *ksp, int rw)
2251 {
2252         register sppa_t         *ppa;
2253         register sppp_kstats_t  *pppkp;
2254         register struct pppstat64 *sp;
2255 
2256         if (rw == KSTAT_WRITE) {
2257                 return (EACCES);
2258         }
2259 
2260         ppa = (sppa_t *)ksp->ks_private;
2261         ASSERT(ppa != NULL);
2262 
2263         pppkp = (sppp_kstats_t *)ksp->ks_data;
2264         sp = &ppa->ppa_stats.p;
2265 
2266         mutex_enter(&ppa->ppa_sta_lock);
2267         pppkp->allocbfail.value.ui32 = ppa->ppa_allocbfail;
2268         pppkp->mctlsfwd.value.ui32   = ppa->ppa_mctlsfwd;
2269         pppkp->mctlsfwderr.value.ui32        = ppa->ppa_mctlsfwderr;
2270         pppkp->rbytes.value.ui32     = sp->ppp_ibytes;
2271         pppkp->rbytes64.value.ui64   = sp->ppp_ibytes;
2272         pppkp->ierrors.value.ui32    = sp->ppp_ierrors;
2273         pppkp->ierrors_lower.value.ui32      = ppa->ppa_ierr_low;
2274         pppkp->ioctlsfwd.value.ui32  = ppa->ppa_ioctlsfwd;
2275         pppkp->ioctlsfwdok.value.ui32        = ppa->ppa_ioctlsfwdok;
2276         pppkp->ioctlsfwderr.value.ui32       = ppa->ppa_ioctlsfwderr;
2277         pppkp->ipackets.value.ui32   = sp->ppp_ipackets;
2278         pppkp->ipackets64.value.ui64 = sp->ppp_ipackets;
2279         pppkp->ipackets_ctl.value.ui32       = ppa->ppa_ipkt_ctl;
2280         pppkp->iqdropped.value.ui32  = ppa->ppa_iqdropped;
2281         pppkp->irunts.value.ui32     = ppa->ppa_irunts;
2282         pppkp->itoolongs.value.ui32  = ppa->ppa_itoolongs;
2283         pppkp->lsneedup.value.ui32   = ppa->ppa_lsneedup;
2284         pppkp->lsdown.value.ui32     = ppa->ppa_lsdown;
2285         pppkp->mctlsknown.value.ui32 = ppa->ppa_mctlsknown;
2286         pppkp->mctlsunknown.value.ui32       = ppa->ppa_mctlsunknown;
2287         pppkp->obytes.value.ui32     = sp->ppp_obytes;
2288         pppkp->obytes64.value.ui64   = sp->ppp_obytes;
2289         pppkp->oerrors.value.ui32    = sp->ppp_oerrors;
2290         pppkp->oerrors_lower.value.ui32      = ppa->ppa_oerr_low;
2291         pppkp->opackets.value.ui32   = sp->ppp_opackets;
2292         pppkp->opackets64.value.ui64 = sp->ppp_opackets;
2293         pppkp->opackets_ctl.value.ui32       = ppa->ppa_opkt_ctl;
2294         pppkp->oqdropped.value.ui32  = ppa->ppa_oqdropped;
2295         pppkp->otoolongs.value.ui32  = ppa->ppa_otoolongs;
2296         pppkp->orunts.value.ui32     = ppa->ppa_orunts;
2297         mutex_exit(&ppa->ppa_sta_lock);
2298 
2299         return (0);
2300 }
2301 
2302 /*
2303  * Turn off proto in ppa_npflag to indicate that
2304  * the corresponding network protocol has been plumbed.
2305  * Release proto packets that were being held in the control
2306  * queue in anticipation of this event.
2307  */
2308 static void
2309 sppp_release_pkts(sppa_t *ppa, uint16_t proto)
2310 {
2311         uint32_t npflagpos = sppp_ppp2np(proto);
2312         int count;
2313         mblk_t *mp;
2314         uint16_t mp_proto;
2315         queue_t *q;
2316         spppstr_t *destsps;
2317 
2318         ASSERT(ppa != NULL);
2319 
2320         if (npflagpos == 0 || (ppa->ppa_npflag & (1 << npflagpos)) == 0)
2321                 return;
2322 
2323         mutex_enter(&ppa->ppa_npmutex);
2324         ppa->ppa_npflag &= ~(1 << npflagpos);
2325         count = ppa->ppa_holdpkts[npflagpos];
2326         ppa->ppa_holdpkts[npflagpos] = 0;
2327         mutex_exit(&ppa->ppa_npmutex);
2328 
2329         q = ppa->ppa_ctl->sps_rq;
2330 
2331         while (count > 0) {
2332                 mp = getq(q);
2333                 ASSERT(mp != NULL);
2334 
2335                 mp_proto = PPP_PROTOCOL(mp->b_rptr);
2336                 if (mp_proto !=  proto) {
2337                         (void) putq(q, mp);
2338                         continue;
2339                 }
2340                 count--;
2341                 destsps = NULL;
2342                 if (mp_proto == PPP_IP) {
2343                         destsps = ppa->ppa_ip_cache;
2344                 } else if (mp_proto == PPP_IPV6) {
2345                         destsps = ppa->ppa_ip6_cache;
2346                 }
2347                 ASSERT(destsps != NULL);
2348 
2349                 if (IS_SPS_FASTPATH(destsps)) {
2350                         mp->b_rptr += PPP_HDRLEN;
2351                 } else {
2352                         spppstr_t *uqs = (spppstr_t *)destsps->sps_rq->q_ptr;
2353                         ASSERT(uqs != NULL);
2354                         mp->b_rptr += PPP_HDRLEN;
2355                         mp = sppp_dladdud(uqs, mp, uqs->sps_sap, B_FALSE);
2356                         if (mp == NULL) {
2357                                 mutex_enter(&ppa->ppa_sta_lock);
2358                                 ppa->ppa_allocbfail++;
2359                                 mutex_exit(&ppa->ppa_sta_lock);
2360                                 /* mp already freed by sppp_dladdud */
2361                                 continue;
2362                         }
2363                 }
2364 
2365                 if (canputnext(destsps->sps_rq)) {
2366                         putnext(destsps->sps_rq, mp);
2367                 } else {
2368                         mutex_enter(&ppa->ppa_sta_lock);
2369                         ppa->ppa_iqdropped++;
2370                         mutex_exit(&ppa->ppa_sta_lock);
2371                         freemsg(mp);
2372                         continue;
2373                 }
2374         }
2375 }