1/*-
2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * a) Redistributions of source code must retain the above copyright notice,
10 *    this list of conditions and the following disclaimer.
11 *
12 * b) Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in
14 *    the documentation and/or other materials provided with the distribution.
15 *
16 * c) Neither the name of Cisco Systems, Inc. nor the names of its
17 *    contributors may be used to endorse or promote products derived
18 *    from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30 * THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33#ifdef __FreeBSD__
34#include <sys/cdefs.h>
35__FBSDID("$FreeBSD: head/sys/netinet/sctputil.c 271221 2014-09-07 09:06:26Z tuexen $");
36#endif
37
38#include <netinet/sctp_os.h>
39#include <netinet/sctp_pcb.h>
40#include <netinet/sctputil.h>
41#include <netinet/sctp_var.h>
42#include <netinet/sctp_sysctl.h>
43#ifdef INET6
44#if defined(__Userspace__) || defined(__FreeBSD__)
45#include <netinet6/sctp6_var.h>
46#endif
47#endif
48#include <netinet/sctp_header.h>
49#include <netinet/sctp_output.h>
50#include <netinet/sctp_uio.h>
51#include <netinet/sctp_timer.h>
52#include <netinet/sctp_indata.h>/* for sctp_deliver_data() */
53#include <netinet/sctp_auth.h>
54#include <netinet/sctp_asconf.h>
55#include <netinet/sctp_bsd_addr.h>
56#if defined(__Userspace__)
57#include <netinet/sctp_constants.h>
58#endif
59#if defined(__FreeBSD__)
60#include <netinet/udp.h>
61#include <netinet/udp_var.h>
62#include <sys/proc.h>
63#endif
64
65#if defined(__APPLE__)
66#define APPLE_FILE_NO 8
67#endif
68
69#if defined(__Windows__)
70#if !defined(SCTP_LOCAL_TRACE_BUF)
71#include "eventrace_netinet.h"
72#include "sctputil.tmh" /* this is the file that will be auto generated */
73#endif
74#else
75#ifndef KTR_SCTP
76#define KTR_SCTP KTR_SUBSYS
77#endif
78#endif
79
80extern struct sctp_cc_functions sctp_cc_functions[];
81extern struct sctp_ss_functions sctp_ss_functions[];
82
83void
84sctp_sblog(struct sockbuf *sb, struct sctp_tcb *stcb, int from, int incr)
85{
86#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
87	struct sctp_cwnd_log sctp_clog;
88
89	sctp_clog.x.sb.stcb = stcb;
90	sctp_clog.x.sb.so_sbcc = sb->sb_cc;
91	if (stcb)
92		sctp_clog.x.sb.stcb_sbcc = stcb->asoc.sb_cc;
93	else
94		sctp_clog.x.sb.stcb_sbcc = 0;
95	sctp_clog.x.sb.incr = incr;
96	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
97	     SCTP_LOG_EVENT_SB,
98	     from,
99	     sctp_clog.x.misc.log1,
100	     sctp_clog.x.misc.log2,
101	     sctp_clog.x.misc.log3,
102	     sctp_clog.x.misc.log4);
103#endif
104}
105
106void
107sctp_log_closing(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int16_t loc)
108{
109#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
110	struct sctp_cwnd_log sctp_clog;
111
112	sctp_clog.x.close.inp = (void *)inp;
113	sctp_clog.x.close.sctp_flags = inp->sctp_flags;
114	if (stcb) {
115		sctp_clog.x.close.stcb = (void *)stcb;
116		sctp_clog.x.close.state = (uint16_t)stcb->asoc.state;
117	} else {
118		sctp_clog.x.close.stcb = 0;
119		sctp_clog.x.close.state = 0;
120	}
121	sctp_clog.x.close.loc = loc;
122	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
123	     SCTP_LOG_EVENT_CLOSE,
124	     0,
125	     sctp_clog.x.misc.log1,
126	     sctp_clog.x.misc.log2,
127	     sctp_clog.x.misc.log3,
128	     sctp_clog.x.misc.log4);
129#endif
130}
131
132void
133rto_logging(struct sctp_nets *net, int from)
134{
135#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
136	struct sctp_cwnd_log sctp_clog;
137
138	memset(&sctp_clog, 0, sizeof(sctp_clog));
139	sctp_clog.x.rto.net = (void *) net;
140	sctp_clog.x.rto.rtt = net->rtt / 1000;
141	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
142	     SCTP_LOG_EVENT_RTT,
143	     from,
144	     sctp_clog.x.misc.log1,
145	     sctp_clog.x.misc.log2,
146	     sctp_clog.x.misc.log3,
147	     sctp_clog.x.misc.log4);
148#endif
149}
150
151void
152sctp_log_strm_del_alt(struct sctp_tcb *stcb, uint32_t tsn, uint16_t sseq, uint16_t stream, int from)
153{
154#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
155	struct sctp_cwnd_log sctp_clog;
156
157	sctp_clog.x.strlog.stcb = stcb;
158	sctp_clog.x.strlog.n_tsn = tsn;
159	sctp_clog.x.strlog.n_sseq = sseq;
160	sctp_clog.x.strlog.e_tsn = 0;
161	sctp_clog.x.strlog.e_sseq = 0;
162	sctp_clog.x.strlog.strm = stream;
163	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
164	     SCTP_LOG_EVENT_STRM,
165	     from,
166	     sctp_clog.x.misc.log1,
167	     sctp_clog.x.misc.log2,
168	     sctp_clog.x.misc.log3,
169	     sctp_clog.x.misc.log4);
170#endif
171}
172
173void
174sctp_log_nagle_event(struct sctp_tcb *stcb, int action)
175{
176#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
177	struct sctp_cwnd_log sctp_clog;
178
179	sctp_clog.x.nagle.stcb = (void *)stcb;
180	sctp_clog.x.nagle.total_flight = stcb->asoc.total_flight;
181	sctp_clog.x.nagle.total_in_queue = stcb->asoc.total_output_queue_size;
182	sctp_clog.x.nagle.count_in_queue = stcb->asoc.chunks_on_out_queue;
183	sctp_clog.x.nagle.count_in_flight = stcb->asoc.total_flight_count;
184	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
185	     SCTP_LOG_EVENT_NAGLE,
186	     action,
187	     sctp_clog.x.misc.log1,
188	     sctp_clog.x.misc.log2,
189	     sctp_clog.x.misc.log3,
190	     sctp_clog.x.misc.log4);
191#endif
192}
193
194void
195sctp_log_sack(uint32_t old_cumack, uint32_t cumack, uint32_t tsn, uint16_t gaps, uint16_t dups, int from)
196{
197#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
198	struct sctp_cwnd_log sctp_clog;
199
200	sctp_clog.x.sack.cumack = cumack;
201	sctp_clog.x.sack.oldcumack = old_cumack;
202	sctp_clog.x.sack.tsn = tsn;
203	sctp_clog.x.sack.numGaps = gaps;
204	sctp_clog.x.sack.numDups = dups;
205	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
206	     SCTP_LOG_EVENT_SACK,
207	     from,
208	     sctp_clog.x.misc.log1,
209	     sctp_clog.x.misc.log2,
210	     sctp_clog.x.misc.log3,
211	     sctp_clog.x.misc.log4);
212#endif
213}
214
215void
216sctp_log_map(uint32_t map, uint32_t cum, uint32_t high, int from)
217{
218#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
219	struct sctp_cwnd_log sctp_clog;
220
221	memset(&sctp_clog, 0, sizeof(sctp_clog));
222	sctp_clog.x.map.base = map;
223	sctp_clog.x.map.cum = cum;
224	sctp_clog.x.map.high = high;
225	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
226	     SCTP_LOG_EVENT_MAP,
227	     from,
228	     sctp_clog.x.misc.log1,
229	     sctp_clog.x.misc.log2,
230	     sctp_clog.x.misc.log3,
231	     sctp_clog.x.misc.log4);
232#endif
233}
234
235void
236sctp_log_fr(uint32_t biggest_tsn, uint32_t biggest_new_tsn, uint32_t tsn, int from)
237{
238#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
239	struct sctp_cwnd_log sctp_clog;
240
241	memset(&sctp_clog, 0, sizeof(sctp_clog));
242	sctp_clog.x.fr.largest_tsn = biggest_tsn;
243	sctp_clog.x.fr.largest_new_tsn = biggest_new_tsn;
244	sctp_clog.x.fr.tsn = tsn;
245	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
246	     SCTP_LOG_EVENT_FR,
247	     from,
248	     sctp_clog.x.misc.log1,
249	     sctp_clog.x.misc.log2,
250	     sctp_clog.x.misc.log3,
251	     sctp_clog.x.misc.log4);
252#endif
253}
254
255void
256sctp_log_mb(struct mbuf *m, int from)
257{
258#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
259	struct sctp_cwnd_log sctp_clog;
260
261	sctp_clog.x.mb.mp = m;
262	sctp_clog.x.mb.mbuf_flags = (uint8_t)(SCTP_BUF_GET_FLAGS(m));
263	sctp_clog.x.mb.size = (uint16_t)(SCTP_BUF_LEN(m));
264	sctp_clog.x.mb.data = SCTP_BUF_AT(m, 0);
265	if (SCTP_BUF_IS_EXTENDED(m)) {
266		sctp_clog.x.mb.ext = SCTP_BUF_EXTEND_BASE(m);
267#if defined(__APPLE__)
268		/* APPLE does not use a ref_cnt, but a forward/backward ref queue */
269#else
270		sctp_clog.x.mb.refcnt = (uint8_t)(SCTP_BUF_EXTEND_REFCNT(m));
271#endif
272	} else {
273		sctp_clog.x.mb.ext = 0;
274		sctp_clog.x.mb.refcnt = 0;
275	}
276	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
277	     SCTP_LOG_EVENT_MBUF,
278	     from,
279	     sctp_clog.x.misc.log1,
280	     sctp_clog.x.misc.log2,
281	     sctp_clog.x.misc.log3,
282	     sctp_clog.x.misc.log4);
283#endif
284}
285
286void
287sctp_log_strm_del(struct sctp_queued_to_read *control, struct sctp_queued_to_read *poschk, int from)
288{
289#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
290	struct sctp_cwnd_log sctp_clog;
291
292	if (control == NULL) {
293		SCTP_PRINTF("Gak log of NULL?\n");
294		return;
295	}
296	sctp_clog.x.strlog.stcb = control->stcb;
297	sctp_clog.x.strlog.n_tsn = control->sinfo_tsn;
298	sctp_clog.x.strlog.n_sseq = control->sinfo_ssn;
299	sctp_clog.x.strlog.strm = control->sinfo_stream;
300	if (poschk != NULL) {
301		sctp_clog.x.strlog.e_tsn = poschk->sinfo_tsn;
302		sctp_clog.x.strlog.e_sseq = poschk->sinfo_ssn;
303	} else {
304		sctp_clog.x.strlog.e_tsn = 0;
305		sctp_clog.x.strlog.e_sseq = 0;
306	}
307	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
308	     SCTP_LOG_EVENT_STRM,
309	     from,
310	     sctp_clog.x.misc.log1,
311	     sctp_clog.x.misc.log2,
312	     sctp_clog.x.misc.log3,
313	     sctp_clog.x.misc.log4);
314#endif
315}
316
317void
318sctp_log_cwnd(struct sctp_tcb *stcb, struct sctp_nets *net, int augment, uint8_t from)
319{
320#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
321	struct sctp_cwnd_log sctp_clog;
322
323	sctp_clog.x.cwnd.net = net;
324	if (stcb->asoc.send_queue_cnt > 255)
325		sctp_clog.x.cwnd.cnt_in_send = 255;
326	else
327		sctp_clog.x.cwnd.cnt_in_send = stcb->asoc.send_queue_cnt;
328	if (stcb->asoc.stream_queue_cnt > 255)
329		sctp_clog.x.cwnd.cnt_in_str = 255;
330	else
331		sctp_clog.x.cwnd.cnt_in_str = stcb->asoc.stream_queue_cnt;
332
333	if (net) {
334		sctp_clog.x.cwnd.cwnd_new_value = net->cwnd;
335		sctp_clog.x.cwnd.inflight = net->flight_size;
336		sctp_clog.x.cwnd.pseudo_cumack = net->pseudo_cumack;
337		sctp_clog.x.cwnd.meets_pseudo_cumack = net->new_pseudo_cumack;
338		sctp_clog.x.cwnd.need_new_pseudo_cumack = net->find_pseudo_cumack;
339	}
340	if (SCTP_CWNDLOG_PRESEND == from) {
341		sctp_clog.x.cwnd.meets_pseudo_cumack = stcb->asoc.peers_rwnd;
342	}
343	sctp_clog.x.cwnd.cwnd_augment = augment;
344	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
345	     SCTP_LOG_EVENT_CWND,
346	     from,
347	     sctp_clog.x.misc.log1,
348	     sctp_clog.x.misc.log2,
349	     sctp_clog.x.misc.log3,
350	     sctp_clog.x.misc.log4);
351#endif
352}
353
354#ifndef __APPLE__
355void
356sctp_log_lock(struct sctp_inpcb *inp, struct sctp_tcb *stcb, uint8_t from)
357{
358#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
359	struct sctp_cwnd_log sctp_clog;
360
361	memset(&sctp_clog, 0, sizeof(sctp_clog));
362	if (inp) {
363		sctp_clog.x.lock.sock = (void *) inp->sctp_socket;
364
365	} else {
366		sctp_clog.x.lock.sock = (void *) NULL;
367	}
368	sctp_clog.x.lock.inp = (void *) inp;
369#if (defined(__FreeBSD__) && __FreeBSD_version >= 503000) || (defined(__APPLE__))
370	if (stcb) {
371		sctp_clog.x.lock.tcb_lock = mtx_owned(&stcb->tcb_mtx);
372	} else {
373		sctp_clog.x.lock.tcb_lock = SCTP_LOCK_UNKNOWN;
374	}
375	if (inp) {
376		sctp_clog.x.lock.inp_lock = mtx_owned(&inp->inp_mtx);
377		sctp_clog.x.lock.create_lock = mtx_owned(&inp->inp_create_mtx);
378	} else {
379		sctp_clog.x.lock.inp_lock = SCTP_LOCK_UNKNOWN;
380		sctp_clog.x.lock.create_lock = SCTP_LOCK_UNKNOWN;
381	}
382#if (defined(__FreeBSD__) && __FreeBSD_version <= 602000)
383	sctp_clog.x.lock.info_lock = mtx_owned(&SCTP_BASE_INFO(ipi_ep_mtx));
384#else
385	sctp_clog.x.lock.info_lock = rw_wowned(&SCTP_BASE_INFO(ipi_ep_mtx));
386#endif
387	if (inp && (inp->sctp_socket)) {
388		sctp_clog.x.lock.sock_lock = mtx_owned(&(inp->sctp_socket->so_rcv.sb_mtx));
389		sctp_clog.x.lock.sockrcvbuf_lock = mtx_owned(&(inp->sctp_socket->so_rcv.sb_mtx));
390		sctp_clog.x.lock.socksndbuf_lock = mtx_owned(&(inp->sctp_socket->so_snd.sb_mtx));
391	} else {
392		sctp_clog.x.lock.sock_lock = SCTP_LOCK_UNKNOWN;
393		sctp_clog.x.lock.sockrcvbuf_lock = SCTP_LOCK_UNKNOWN;
394		sctp_clog.x.lock.socksndbuf_lock = SCTP_LOCK_UNKNOWN;
395	}
396#endif
397	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
398	     SCTP_LOG_LOCK_EVENT,
399	     from,
400	     sctp_clog.x.misc.log1,
401	     sctp_clog.x.misc.log2,
402	     sctp_clog.x.misc.log3,
403	     sctp_clog.x.misc.log4);
404#endif
405}
406#endif
407
408void
409sctp_log_maxburst(struct sctp_tcb *stcb, struct sctp_nets *net, int error, int burst, uint8_t from)
410{
411#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
412	struct sctp_cwnd_log sctp_clog;
413
414	memset(&sctp_clog, 0, sizeof(sctp_clog));
415	sctp_clog.x.cwnd.net = net;
416	sctp_clog.x.cwnd.cwnd_new_value = error;
417	sctp_clog.x.cwnd.inflight = net->flight_size;
418	sctp_clog.x.cwnd.cwnd_augment = burst;
419	if (stcb->asoc.send_queue_cnt > 255)
420		sctp_clog.x.cwnd.cnt_in_send = 255;
421	else
422		sctp_clog.x.cwnd.cnt_in_send = stcb->asoc.send_queue_cnt;
423	if (stcb->asoc.stream_queue_cnt > 255)
424		sctp_clog.x.cwnd.cnt_in_str = 255;
425	else
426		sctp_clog.x.cwnd.cnt_in_str = stcb->asoc.stream_queue_cnt;
427	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
428	     SCTP_LOG_EVENT_MAXBURST,
429	     from,
430	     sctp_clog.x.misc.log1,
431	     sctp_clog.x.misc.log2,
432	     sctp_clog.x.misc.log3,
433	     sctp_clog.x.misc.log4);
434#endif
435}
436
437void
438sctp_log_rwnd(uint8_t from, uint32_t peers_rwnd, uint32_t snd_size, uint32_t overhead)
439{
440#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
441	struct sctp_cwnd_log sctp_clog;
442
443	sctp_clog.x.rwnd.rwnd = peers_rwnd;
444	sctp_clog.x.rwnd.send_size = snd_size;
445	sctp_clog.x.rwnd.overhead = overhead;
446	sctp_clog.x.rwnd.new_rwnd = 0;
447	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
448	     SCTP_LOG_EVENT_RWND,
449	     from,
450	     sctp_clog.x.misc.log1,
451	     sctp_clog.x.misc.log2,
452	     sctp_clog.x.misc.log3,
453	     sctp_clog.x.misc.log4);
454#endif
455}
456
457void
458sctp_log_rwnd_set(uint8_t from, uint32_t peers_rwnd, uint32_t flight_size, uint32_t overhead, uint32_t a_rwndval)
459{
460#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
461	struct sctp_cwnd_log sctp_clog;
462
463	sctp_clog.x.rwnd.rwnd = peers_rwnd;
464	sctp_clog.x.rwnd.send_size = flight_size;
465	sctp_clog.x.rwnd.overhead = overhead;
466	sctp_clog.x.rwnd.new_rwnd = a_rwndval;
467	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
468	     SCTP_LOG_EVENT_RWND,
469	     from,
470	     sctp_clog.x.misc.log1,
471	     sctp_clog.x.misc.log2,
472	     sctp_clog.x.misc.log3,
473	     sctp_clog.x.misc.log4);
474#endif
475}
476
477void
478sctp_log_mbcnt(uint8_t from, uint32_t total_oq, uint32_t book, uint32_t total_mbcnt_q, uint32_t mbcnt)
479{
480#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
481	struct sctp_cwnd_log sctp_clog;
482
483	sctp_clog.x.mbcnt.total_queue_size = total_oq;
484	sctp_clog.x.mbcnt.size_change = book;
485	sctp_clog.x.mbcnt.total_queue_mb_size = total_mbcnt_q;
486	sctp_clog.x.mbcnt.mbcnt_change = mbcnt;
487	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
488	     SCTP_LOG_EVENT_MBCNT,
489	     from,
490	     sctp_clog.x.misc.log1,
491	     sctp_clog.x.misc.log2,
492	     sctp_clog.x.misc.log3,
493	     sctp_clog.x.misc.log4);
494#endif
495}
496
497void
498sctp_misc_ints(uint8_t from, uint32_t a, uint32_t b, uint32_t c, uint32_t d)
499{
500#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
501	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
502	     SCTP_LOG_MISC_EVENT,
503	     from,
504	     a, b, c, d);
505#endif
506}
507
508void
509sctp_wakeup_log(struct sctp_tcb *stcb, uint32_t wake_cnt, int from)
510{
511#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
512	struct sctp_cwnd_log sctp_clog;
513
514	sctp_clog.x.wake.stcb = (void *)stcb;
515	sctp_clog.x.wake.wake_cnt = wake_cnt;
516	sctp_clog.x.wake.flight = stcb->asoc.total_flight_count;
517	sctp_clog.x.wake.send_q = stcb->asoc.send_queue_cnt;
518	sctp_clog.x.wake.sent_q = stcb->asoc.sent_queue_cnt;
519
520	if (stcb->asoc.stream_queue_cnt < 0xff)
521		sctp_clog.x.wake.stream_qcnt = (uint8_t) stcb->asoc.stream_queue_cnt;
522	else
523		sctp_clog.x.wake.stream_qcnt = 0xff;
524
525	if (stcb->asoc.chunks_on_out_queue < 0xff)
526		sctp_clog.x.wake.chunks_on_oque = (uint8_t) stcb->asoc.chunks_on_out_queue;
527	else
528		sctp_clog.x.wake.chunks_on_oque = 0xff;
529
530	sctp_clog.x.wake.sctpflags = 0;
531	/* set in the defered mode stuff */
532	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_DONT_WAKE)
533		sctp_clog.x.wake.sctpflags |= 1;
534	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_WAKEOUTPUT)
535		sctp_clog.x.wake.sctpflags |= 2;
536	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_WAKEINPUT)
537		sctp_clog.x.wake.sctpflags |= 4;
538	/* what about the sb */
539	if (stcb->sctp_socket) {
540		struct socket *so = stcb->sctp_socket;
541
542		sctp_clog.x.wake.sbflags = (uint8_t)((so->so_snd.sb_flags & 0x00ff));
543	} else {
544		sctp_clog.x.wake.sbflags = 0xff;
545	}
546	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
547	     SCTP_LOG_EVENT_WAKE,
548	     from,
549	     sctp_clog.x.misc.log1,
550	     sctp_clog.x.misc.log2,
551	     sctp_clog.x.misc.log3,
552	     sctp_clog.x.misc.log4);
553#endif
554}
555
556void
557sctp_log_block(uint8_t from, struct sctp_association *asoc, int sendlen)
558{
559#if defined(__FreeBSD__) || defined(SCTP_LOCAL_TRACE_BUF)
560	struct sctp_cwnd_log sctp_clog;
561
562	sctp_clog.x.blk.onsb = asoc->total_output_queue_size;
563	sctp_clog.x.blk.send_sent_qcnt = (uint16_t) (asoc->send_queue_cnt + asoc->sent_queue_cnt);
564	sctp_clog.x.blk.peer_rwnd = asoc->peers_rwnd;
565	sctp_clog.x.blk.stream_qcnt = (uint16_t) asoc->stream_queue_cnt;
566	sctp_clog.x.blk.chunks_on_oque = (uint16_t) asoc->chunks_on_out_queue;
567	sctp_clog.x.blk.flight_size = (uint16_t) (asoc->total_flight/1024);
568	sctp_clog.x.blk.sndlen = sendlen;
569	SCTP_CTR6(KTR_SCTP, "SCTP:%d[%d]:%x-%x-%x-%x",
570	     SCTP_LOG_EVENT_BLOCK,
571	     from,
572	     sctp_clog.x.misc.log1,
573	     sctp_clog.x.misc.log2,
574	     sctp_clog.x.misc.log3,
575	     sctp_clog.x.misc.log4);
576#endif
577}
578
579int
580sctp_fill_stat_log(void *optval SCTP_UNUSED, size_t *optsize SCTP_UNUSED)
581{
582	/* May need to fix this if ktrdump does not work */
583	return (0);
584}
585
586#ifdef SCTP_AUDITING_ENABLED
587uint8_t sctp_audit_data[SCTP_AUDIT_SIZE][2];
588static int sctp_audit_indx = 0;
589
590static
591void
592sctp_print_audit_report(void)
593{
594	int i;
595	int cnt;
596
597	cnt = 0;
598	for (i = sctp_audit_indx; i < SCTP_AUDIT_SIZE; i++) {
599		if ((sctp_audit_data[i][0] == 0xe0) &&
600		    (sctp_audit_data[i][1] == 0x01)) {
601			cnt = 0;
602			SCTP_PRINTF("\n");
603		} else if (sctp_audit_data[i][0] == 0xf0) {
604			cnt = 0;
605			SCTP_PRINTF("\n");
606		} else if ((sctp_audit_data[i][0] == 0xc0) &&
607		    (sctp_audit_data[i][1] == 0x01)) {
608			SCTP_PRINTF("\n");
609			cnt = 0;
610		}
611		SCTP_PRINTF("%2.2x%2.2x ", (uint32_t) sctp_audit_data[i][0],
612			    (uint32_t) sctp_audit_data[i][1]);
613		cnt++;
614		if ((cnt % 14) == 0)
615			SCTP_PRINTF("\n");
616	}
617	for (i = 0; i < sctp_audit_indx; i++) {
618		if ((sctp_audit_data[i][0] == 0xe0) &&
619		    (sctp_audit_data[i][1] == 0x01)) {
620			cnt = 0;
621			SCTP_PRINTF("\n");
622		} else if (sctp_audit_data[i][0] == 0xf0) {
623			cnt = 0;
624			SCTP_PRINTF("\n");
625		} else if ((sctp_audit_data[i][0] == 0xc0) &&
626		    (sctp_audit_data[i][1] == 0x01)) {
627			SCTP_PRINTF("\n");
628			cnt = 0;
629		}
630		SCTP_PRINTF("%2.2x%2.2x ", (uint32_t) sctp_audit_data[i][0],
631			    (uint32_t) sctp_audit_data[i][1]);
632		cnt++;
633		if ((cnt % 14) == 0)
634			SCTP_PRINTF("\n");
635	}
636	SCTP_PRINTF("\n");
637}
638
639void
640sctp_auditing(int from, struct sctp_inpcb *inp, struct sctp_tcb *stcb,
641    struct sctp_nets *net)
642{
643	int resend_cnt, tot_out, rep, tot_book_cnt;
644	struct sctp_nets *lnet;
645	struct sctp_tmit_chunk *chk;
646
647	sctp_audit_data[sctp_audit_indx][0] = 0xAA;
648	sctp_audit_data[sctp_audit_indx][1] = 0x000000ff & from;
649	sctp_audit_indx++;
650	if (sctp_audit_indx >= SCTP_AUDIT_SIZE) {
651		sctp_audit_indx = 0;
652	}
653	if (inp == NULL) {
654		sctp_audit_data[sctp_audit_indx][0] = 0xAF;
655		sctp_audit_data[sctp_audit_indx][1] = 0x01;
656		sctp_audit_indx++;
657		if (sctp_audit_indx >= SCTP_AUDIT_SIZE) {
658			sctp_audit_indx = 0;
659		}
660		return;
661	}
662	if (stcb == NULL) {
663		sctp_audit_data[sctp_audit_indx][0] = 0xAF;
664		sctp_audit_data[sctp_audit_indx][1] = 0x02;
665		sctp_audit_indx++;
666		if (sctp_audit_indx >= SCTP_AUDIT_SIZE) {
667			sctp_audit_indx = 0;
668		}
669		return;
670	}
671	sctp_audit_data[sctp_audit_indx][0] = 0xA1;
672	sctp_audit_data[sctp_audit_indx][1] =
673	    (0x000000ff & stcb->asoc.sent_queue_retran_cnt);
674	sctp_audit_indx++;
675	if (sctp_audit_indx >= SCTP_AUDIT_SIZE) {
676		sctp_audit_indx = 0;
677	}
678	rep = 0;
679	tot_book_cnt = 0;
680	resend_cnt = tot_out = 0;
681	TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
682		if (chk->sent == SCTP_DATAGRAM_RESEND) {
683			resend_cnt++;
684		} else if (chk->sent < SCTP_DATAGRAM_RESEND) {
685			tot_out += chk->book_size;
686			tot_book_cnt++;
687		}
688	}
689	if (resend_cnt != stcb->asoc.sent_queue_retran_cnt) {
690		sctp_audit_data[sctp_audit_indx][0] = 0xAF;
691		sctp_audit_data[sctp_audit_indx][1] = 0xA1;
692		sctp_audit_indx++;
693		if (sctp_audit_indx >= SCTP_AUDIT_SIZE) {
694			sctp_audit_indx = 0;
695		}
696		SCTP_PRINTF("resend_cnt:%d asoc-tot:%d\n",
697			    resend_cnt, stcb->asoc.sent_queue_retran_cnt);
698		rep = 1;
699		stcb->asoc.sent_queue_retran_cnt = resend_cnt;
700		sctp_audit_data[sctp_audit_indx][0] = 0xA2;
701		sctp_audit_data[sctp_audit_indx][1] =
702		    (0x000000ff & stcb->asoc.sent_queue_retran_cnt);
703		sctp_audit_indx++;
704		if (sctp_audit_indx >= SCTP_AUDIT_SIZE) {
705			sctp_audit_indx = 0;
706		}
707	}
708	if (tot_out != stcb->asoc.total_flight) {
709		sctp_audit_data[sctp_audit_indx][0] = 0xAF;
710		sctp_audit_data[sctp_audit_indx][1] = 0xA2;
711		sctp_audit_indx++;
712		if (sctp_audit_indx >= SCTP_AUDIT_SIZE) {
713			sctp_audit_indx = 0;
714		}
715		rep = 1;
716		SCTP_PRINTF("tot_flt:%d asoc_tot:%d\n", tot_out,
717			    (int)stcb->asoc.total_flight);
718		stcb->asoc.total_flight = tot_out;
719	}
720	if (tot_book_cnt != stcb->asoc.total_flight_count) {
721		sctp_audit_data[sctp_audit_indx][0] = 0xAF;
722		sctp_audit_data[sctp_audit_indx][1] = 0xA5;
723		sctp_audit_indx++;
724		if (sctp_audit_indx >= SCTP_AUDIT_SIZE) {
725			sctp_audit_indx = 0;
726		}
727		rep = 1;
728		SCTP_PRINTF("tot_flt_book:%d\n", tot_book_cnt);
729
730		stcb->asoc.total_flight_count = tot_book_cnt;
731	}
732	tot_out = 0;
733	TAILQ_FOREACH(lnet, &stcb->asoc.nets, sctp_next) {
734		tot_out += lnet->flight_size;
735	}
736	if (tot_out != stcb->asoc.total_flight) {
737		sctp_audit_data[sctp_audit_indx][0] = 0xAF;
738		sctp_audit_data[sctp_audit_indx][1] = 0xA3;
739		sctp_audit_indx++;
740		if (sctp_audit_indx >= SCTP_AUDIT_SIZE) {
741			sctp_audit_indx = 0;
742		}
743		rep = 1;
744		SCTP_PRINTF("real flight:%d net total was %d\n",
745			    stcb->asoc.total_flight, tot_out);
746		/* now corrective action */
747		TAILQ_FOREACH(lnet, &stcb->asoc.nets, sctp_next) {
748
749			tot_out = 0;
750			TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
751				if ((chk->whoTo == lnet) &&
752				    (chk->sent < SCTP_DATAGRAM_RESEND)) {
753					tot_out += chk->book_size;
754				}
755			}
756			if (lnet->flight_size != tot_out) {
757				SCTP_PRINTF("net:%p flight was %d corrected to %d\n",
758					    (void *)lnet, lnet->flight_size,
759					    tot_out);
760				lnet->flight_size = tot_out;
761			}
762		}
763	}
764	if (rep) {
765		sctp_print_audit_report();
766	}
767}
768
769void
770sctp_audit_log(uint8_t ev, uint8_t fd)
771{
772
773	sctp_audit_data[sctp_audit_indx][0] = ev;
774	sctp_audit_data[sctp_audit_indx][1] = fd;
775	sctp_audit_indx++;
776	if (sctp_audit_indx >= SCTP_AUDIT_SIZE) {
777		sctp_audit_indx = 0;
778	}
779}
780
781#endif
782
783/*
784 * sctp_stop_timers_for_shutdown() should be called
785 * when entering the SHUTDOWN_SENT or SHUTDOWN_ACK_SENT
786 * state to make sure that all timers are stopped.
787 */
788void
789sctp_stop_timers_for_shutdown(struct sctp_tcb *stcb)
790{
791	struct sctp_association *asoc;
792	struct sctp_nets *net;
793
794	asoc = &stcb->asoc;
795
796	(void)SCTP_OS_TIMER_STOP(&asoc->dack_timer.timer);
797	(void)SCTP_OS_TIMER_STOP(&asoc->strreset_timer.timer);
798	(void)SCTP_OS_TIMER_STOP(&asoc->asconf_timer.timer);
799	(void)SCTP_OS_TIMER_STOP(&asoc->autoclose_timer.timer);
800	(void)SCTP_OS_TIMER_STOP(&asoc->delayed_event_timer.timer);
801	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
802		(void)SCTP_OS_TIMER_STOP(&net->pmtu_timer.timer);
803		(void)SCTP_OS_TIMER_STOP(&net->hb_timer.timer);
804	}
805}
806
807/*
808 * a list of sizes based on typical mtu's, used only if next hop size not
809 * returned.
810 */
811static uint32_t sctp_mtu_sizes[] = {
812	68,
813	296,
814	508,
815	512,
816	544,
817	576,
818	1006,
819	1492,
820	1500,
821	1536,
822	2002,
823	2048,
824	4352,
825	4464,
826	8166,
827	17914,
828	32000,
829	65535
830};
831
832/*
833 * Return the largest MTU smaller than val. If there is no
834 * entry, just return val.
835 */
836uint32_t
837sctp_get_prev_mtu(uint32_t val)
838{
839	uint32_t i;
840
841	if (val <= sctp_mtu_sizes[0]) {
842		return (val);
843	}
844	for (i = 1; i < (sizeof(sctp_mtu_sizes) / sizeof(uint32_t)); i++) {
845		if (val <= sctp_mtu_sizes[i]) {
846			break;
847		}
848	}
849	return (sctp_mtu_sizes[i - 1]);
850}
851
852/*
853 * Return the smallest MTU larger than val. If there is no
854 * entry, just return val.
855 */
856uint32_t
857sctp_get_next_mtu(uint32_t val)
858{
859	/* select another MTU that is just bigger than this one */
860	uint32_t i;
861
862	for (i = 0; i < (sizeof(sctp_mtu_sizes) / sizeof(uint32_t)); i++) {
863		if (val < sctp_mtu_sizes[i]) {
864			return (sctp_mtu_sizes[i]);
865		}
866	}
867	return (val);
868}
869
870void
871sctp_fill_random_store(struct sctp_pcb *m)
872{
873	/*
874	 * Here we use the MD5/SHA-1 to hash with our good randomNumbers and
875	 * our counter. The result becomes our good random numbers and we
876	 * then setup to give these out. Note that we do no locking to
877	 * protect this. This is ok, since if competing folks call this we
878	 * will get more gobbled gook in the random store which is what we
879	 * want. There is a danger that two guys will use the same random
880	 * numbers, but thats ok too since that is random as well :->
881	 */
882	m->store_at = 0;
883	(void)sctp_hmac(SCTP_HMAC, (uint8_t *)m->random_numbers,
884	    sizeof(m->random_numbers), (uint8_t *)&m->random_counter,
885	    sizeof(m->random_counter), (uint8_t *)m->random_store);
886	m->random_counter++;
887}
888
889uint32_t
890sctp_select_initial_TSN(struct sctp_pcb *inp)
891{
892	/*
893	 * A true implementation should use random selection process to get
894	 * the initial stream sequence number, using RFC1750 as a good
895	 * guideline
896	 */
897	uint32_t x, *xp;
898	uint8_t *p;
899	int store_at, new_store;
900
901	if (inp->initial_sequence_debug != 0) {
902		uint32_t ret;
903
904		ret = inp->initial_sequence_debug;
905		inp->initial_sequence_debug++;
906		return (ret);
907	}
908 retry:
909	store_at = inp->store_at;
910	new_store = store_at + sizeof(uint32_t);
911	if (new_store >= (SCTP_SIGNATURE_SIZE-3)) {
912		new_store = 0;
913	}
914	if (!atomic_cmpset_int(&inp->store_at, store_at, new_store)) {
915		goto retry;
916	}
917	if (new_store == 0) {
918		/* Refill the random store */
919		sctp_fill_random_store(inp);
920	}
921	p = &inp->random_store[store_at];
922	xp = (uint32_t *)p;
923	x = *xp;
924	return (x);
925}
926
927uint32_t
928sctp_select_a_tag(struct sctp_inpcb *inp, uint16_t lport, uint16_t rport, int check)
929{
930	uint32_t x;
931	struct timeval now;
932
933	if (check) {
934		(void)SCTP_GETTIME_TIMEVAL(&now);
935	}
936	for (;;) {
937		x = sctp_select_initial_TSN(&inp->sctp_ep);
938		if (x == 0) {
939			/* we never use 0 */
940			continue;
941		}
942		if (!check || sctp_is_vtag_good(x, lport, rport, &now)) {
943			break;
944		}
945	}
946	return (x);
947}
948
949int
950sctp_init_asoc(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
951               uint32_t override_tag, uint32_t vrf_id)
952{
953	struct sctp_association *asoc;
954	/*
955	 * Anything set to zero is taken care of by the allocation routine's
956	 * bzero
957	 */
958
959	/*
960	 * Up front select what scoping to apply on addresses I tell my peer
961	 * Not sure what to do with these right now, we will need to come up
962	 * with a way to set them. We may need to pass them through from the
963	 * caller in the sctp_aloc_assoc() function.
964	 */
965	int i;
966#if defined(SCTP_DETAILED_STR_STATS)
967	int j;
968#endif
969
970	asoc = &stcb->asoc;
971	/* init all variables to a known value. */
972	SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_INUSE);
973	asoc->max_burst = inp->sctp_ep.max_burst;
974	asoc->fr_max_burst = inp->sctp_ep.fr_max_burst;
975	asoc->heart_beat_delay = TICKS_TO_MSEC(inp->sctp_ep.sctp_timeoutticks[SCTP_TIMER_HEARTBEAT]);
976	asoc->cookie_life = inp->sctp_ep.def_cookie_life;
977	asoc->sctp_cmt_on_off = inp->sctp_cmt_on_off;
978	asoc->ecn_supported = inp->ecn_supported;
979	asoc->prsctp_supported = inp->prsctp_supported;
980	asoc->auth_supported = inp->auth_supported;
981	asoc->asconf_supported = inp->asconf_supported;
982	asoc->reconfig_supported = inp->reconfig_supported;
983	asoc->nrsack_supported = inp->nrsack_supported;
984	asoc->pktdrop_supported = inp->pktdrop_supported;
985	asoc->sctp_cmt_pf = (uint8_t)0;
986	asoc->sctp_frag_point = inp->sctp_frag_point;
987	asoc->sctp_features = inp->sctp_features;
988	asoc->default_dscp = inp->sctp_ep.default_dscp;
989#ifdef INET6
990	if (inp->sctp_ep.default_flowlabel) {
991		asoc->default_flowlabel = inp->sctp_ep.default_flowlabel;
992	} else {
993		if (inp->ip_inp.inp.inp_flags & IN6P_AUTOFLOWLABEL) {
994			asoc->default_flowlabel = sctp_select_initial_TSN(&inp->sctp_ep);
995			asoc->default_flowlabel &= 0x000fffff;
996			asoc->default_flowlabel |= 0x80000000;
997		} else {
998			asoc->default_flowlabel = 0;
999		}
1000	}
1001#endif
1002	asoc->sb_send_resv = 0;
1003	if (override_tag) {
1004		asoc->my_vtag = override_tag;
1005	} else {
1006		asoc->my_vtag = sctp_select_a_tag(inp, stcb->sctp_ep->sctp_lport, stcb->rport,  1);
1007	}
1008	/* Get the nonce tags */
1009	asoc->my_vtag_nonce = sctp_select_a_tag(inp, stcb->sctp_ep->sctp_lport, stcb->rport, 0);
1010	asoc->peer_vtag_nonce = sctp_select_a_tag(inp, stcb->sctp_ep->sctp_lport, stcb->rport, 0);
1011	asoc->vrf_id = vrf_id;
1012
1013#ifdef SCTP_ASOCLOG_OF_TSNS
1014	asoc->tsn_in_at = 0;
1015	asoc->tsn_out_at = 0;
1016	asoc->tsn_in_wrapped = 0;
1017	asoc->tsn_out_wrapped = 0;
1018	asoc->cumack_log_at = 0;
1019	asoc->cumack_log_atsnt = 0;
1020#endif
1021#ifdef SCTP_FS_SPEC_LOG
1022	asoc->fs_index = 0;
1023#endif
1024	asoc->refcnt = 0;
1025	asoc->assoc_up_sent = 0;
1026	asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number = asoc->sending_seq =
1027	    sctp_select_initial_TSN(&inp->sctp_ep);
1028	asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
1029	/* we are optimisitic here */
1030	asoc->peer_supports_nat = 0;
1031	asoc->sent_queue_retran_cnt = 0;
1032
1033	/* for CMT */
1034        asoc->last_net_cmt_send_started = NULL;
1035
1036	/* This will need to be adjusted */
1037	asoc->last_acked_seq = asoc->init_seq_number - 1;
1038	asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1039	asoc->asconf_seq_in = asoc->last_acked_seq;
1040
1041	/* here we are different, we hold the next one we expect */
1042	asoc->str_reset_seq_in = asoc->last_acked_seq + 1;
1043
1044	asoc->initial_init_rto_max = inp->sctp_ep.initial_init_rto_max;
1045	asoc->initial_rto = inp->sctp_ep.initial_rto;
1046
1047	asoc->max_init_times = inp->sctp_ep.max_init_times;
1048	asoc->max_send_times = inp->sctp_ep.max_send_times;
1049	asoc->def_net_failure = inp->sctp_ep.def_net_failure;
1050	asoc->def_net_pf_threshold = inp->sctp_ep.def_net_pf_threshold;
1051	asoc->free_chunk_cnt = 0;
1052
1053	asoc->iam_blocking = 0;
1054	asoc->context = inp->sctp_context;
1055	asoc->local_strreset_support = inp->local_strreset_support;
1056	asoc->def_send = inp->def_send;
1057	asoc->delayed_ack = TICKS_TO_MSEC(inp->sctp_ep.sctp_timeoutticks[SCTP_TIMER_RECV]);
1058	asoc->sack_freq = inp->sctp_ep.sctp_sack_freq;
1059	asoc->pr_sctp_cnt = 0;
1060	asoc->total_output_queue_size = 0;
1061
1062	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
1063		asoc->scope.ipv6_addr_legal = 1;
1064		if (SCTP_IPV6_V6ONLY(inp) == 0) {
1065			asoc->scope.ipv4_addr_legal = 1;
1066		} else {
1067			asoc->scope.ipv4_addr_legal = 0;
1068		}
1069#if defined(__Userspace__)
1070			asoc->scope.conn_addr_legal = 0;
1071#endif
1072	} else {
1073		asoc->scope.ipv6_addr_legal = 0;
1074#if defined(__Userspace__)
1075		if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_CONN) {
1076			asoc->scope.conn_addr_legal = 1;
1077			asoc->scope.ipv4_addr_legal = 0;
1078		} else {
1079			asoc->scope.conn_addr_legal = 0;
1080			asoc->scope.ipv4_addr_legal = 1;
1081		}
1082#else
1083		asoc->scope.ipv4_addr_legal = 1;
1084#endif
1085	}
1086
1087	asoc->my_rwnd = max(SCTP_SB_LIMIT_RCV(inp->sctp_socket), SCTP_MINIMAL_RWND);
1088	asoc->peers_rwnd = SCTP_SB_LIMIT_RCV(inp->sctp_socket);
1089
1090	asoc->smallest_mtu = inp->sctp_frag_point;
1091	asoc->minrto = inp->sctp_ep.sctp_minrto;
1092	asoc->maxrto = inp->sctp_ep.sctp_maxrto;
1093
1094	asoc->locked_on_sending = NULL;
1095	asoc->stream_locked_on = 0;
1096	asoc->ecn_echo_cnt_onq = 0;
1097	asoc->stream_locked = 0;
1098
1099	asoc->send_sack = 1;
1100
1101	LIST_INIT(&asoc->sctp_restricted_addrs);
1102
1103	TAILQ_INIT(&asoc->nets);
1104	TAILQ_INIT(&asoc->pending_reply_queue);
1105	TAILQ_INIT(&asoc->asconf_ack_sent);
1106	/* Setup to fill the hb random cache at first HB */
1107	asoc->hb_random_idx = 4;
1108
1109	asoc->sctp_autoclose_ticks = inp->sctp_ep.auto_close_time;
1110
1111	stcb->asoc.congestion_control_module = inp->sctp_ep.sctp_default_cc_module;
1112	stcb->asoc.cc_functions = sctp_cc_functions[inp->sctp_ep.sctp_default_cc_module];
1113
1114	stcb->asoc.stream_scheduling_module = inp->sctp_ep.sctp_default_ss_module;
1115	stcb->asoc.ss_functions = sctp_ss_functions[inp->sctp_ep.sctp_default_ss_module];
1116
1117	/*
1118	 * Now the stream parameters, here we allocate space for all streams
1119	 * that we request by default.
1120	 */
1121	asoc->strm_realoutsize = asoc->streamoutcnt = asoc->pre_open_streams =
1122	    inp->sctp_ep.pre_open_stream_count;
1123	SCTP_MALLOC(asoc->strmout, struct sctp_stream_out *,
1124		    asoc->streamoutcnt * sizeof(struct sctp_stream_out),
1125		    SCTP_M_STRMO);
1126	if (asoc->strmout == NULL) {
1127		/* big trouble no memory */
1128		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTPUTIL, ENOMEM);
1129		return (ENOMEM);
1130	}
1131	for (i = 0; i < asoc->streamoutcnt; i++) {
1132		/*
1133		 * inbound side must be set to 0xffff, also NOTE when we get
1134		 * the INIT-ACK back (for INIT sender) we MUST reduce the
1135		 * count (streamoutcnt) but first check if we sent to any of
1136		 * the upper streams that were dropped (if some were). Those
1137		 * that were dropped must be notified to the upper layer as
1138		 * failed to send.
1139		 */
1140		asoc->strmout[i].next_sequence_send = 0x0;
1141		TAILQ_INIT(&asoc->strmout[i].outqueue);
1142		asoc->strmout[i].chunks_on_queues = 0;
1143#if defined(SCTP_DETAILED_STR_STATS)
1144		for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
1145			asoc->strmout[i].abandoned_sent[j] = 0;
1146			asoc->strmout[i].abandoned_unsent[j] = 0;
1147		}
1148#else
1149		asoc->strmout[i].abandoned_sent[0] = 0;
1150		asoc->strmout[i].abandoned_unsent[0] = 0;
1151#endif
1152		asoc->strmout[i].stream_no = i;
1153		asoc->strmout[i].last_msg_incomplete = 0;
1154		asoc->ss_functions.sctp_ss_init_stream(&asoc->strmout[i], NULL);
1155	}
1156	asoc->ss_functions.sctp_ss_init(stcb, asoc, 0);
1157
1158	/* Now the mapping array */
1159	asoc->mapping_array_size = SCTP_INITIAL_MAPPING_ARRAY;
1160	SCTP_MALLOC(asoc->mapping_array, uint8_t *, asoc->mapping_array_size,
1161		    SCTP_M_MAP);
1162	if (asoc->mapping_array == NULL) {
1163		SCTP_FREE(asoc->strmout, SCTP_M_STRMO);
1164		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTPUTIL, ENOMEM);
1165		return (ENOMEM);
1166	}
1167	memset(asoc->mapping_array, 0, asoc->mapping_array_size);
1168	SCTP_MALLOC(asoc->nr_mapping_array, uint8_t *, asoc->mapping_array_size,
1169	    SCTP_M_MAP);
1170	if (asoc->nr_mapping_array == NULL) {
1171		SCTP_FREE(asoc->strmout, SCTP_M_STRMO);
1172		SCTP_FREE(asoc->mapping_array, SCTP_M_MAP);
1173		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTPUTIL, ENOMEM);
1174		return (ENOMEM);
1175	}
1176	memset(asoc->nr_mapping_array, 0, asoc->mapping_array_size);
1177
1178	/* Now the init of the other outqueues */
1179	TAILQ_INIT(&asoc->free_chunks);
1180	TAILQ_INIT(&asoc->control_send_queue);
1181	TAILQ_INIT(&asoc->asconf_send_queue);
1182	TAILQ_INIT(&asoc->send_queue);
1183	TAILQ_INIT(&asoc->sent_queue);
1184	TAILQ_INIT(&asoc->reasmqueue);
1185	TAILQ_INIT(&asoc->resetHead);
1186	asoc->max_inbound_streams = inp->sctp_ep.max_open_streams_intome;
1187	TAILQ_INIT(&asoc->asconf_queue);
1188	/* authentication fields */
1189	asoc->authinfo.random = NULL;
1190	asoc->authinfo.active_keyid = 0;
1191	asoc->authinfo.assoc_key = NULL;
1192	asoc->authinfo.assoc_keyid = 0;
1193	asoc->authinfo.recv_key = NULL;
1194	asoc->authinfo.recv_keyid = 0;
1195	LIST_INIT(&asoc->shared_keys);
1196	asoc->marked_retrans = 0;
1197	asoc->port = inp->sctp_ep.port;
1198	asoc->timoinit = 0;
1199	asoc->timodata = 0;
1200	asoc->timosack = 0;
1201	asoc->timoshutdown = 0;
1202	asoc->timoheartbeat = 0;
1203	asoc->timocookie = 0;
1204	asoc->timoshutdownack = 0;
1205	(void)SCTP_GETTIME_TIMEVAL(&asoc->start_time);
1206	asoc->discontinuity_time = asoc->start_time;
1207	for (i = 0; i < SCTP_PR_SCTP_MAX + 1; i++) {
1208		asoc->abandoned_unsent[i] = 0;
1209		asoc->abandoned_sent[i] = 0;
1210	}
1211	/* sa_ignore MEMLEAK {memory is put in the assoc mapping array and freed later when
1212	 * the association is freed.
1213	 */
1214	return (0);
1215}
1216
1217void
1218sctp_print_mapping_array(struct sctp_association *asoc)
1219{
1220	unsigned int i, limit;
1221
1222	SCTP_PRINTF("Mapping array size: %d, baseTSN: %8.8x, cumAck: %8.8x, highestTSN: (%8.8x, %8.8x).\n",
1223	            asoc->mapping_array_size,
1224	            asoc->mapping_array_base_tsn,
1225	            asoc->cumulative_tsn,
1226	            asoc->highest_tsn_inside_map,
1227	            asoc->highest_tsn_inside_nr_map);
1228	for (limit = asoc->mapping_array_size; limit > 1; limit--) {
1229		if (asoc->mapping_array[limit - 1] != 0) {
1230			break;
1231		}
1232	}
1233	SCTP_PRINTF("Renegable mapping array (last %d entries are zero):\n", asoc->mapping_array_size - limit);
1234	for (i = 0; i < limit; i++) {
1235		SCTP_PRINTF("%2.2x%c", asoc->mapping_array[i], ((i + 1) % 16) ? ' ' : '\n');
1236	}
1237	if (limit % 16)
1238		SCTP_PRINTF("\n");
1239	for (limit = asoc->mapping_array_size; limit > 1; limit--) {
1240		if (asoc->nr_mapping_array[limit - 1]) {
1241			break;
1242		}
1243	}
1244	SCTP_PRINTF("Non renegable mapping array (last %d entries are zero):\n", asoc->mapping_array_size - limit);
1245	for (i = 0; i < limit; i++) {
1246		SCTP_PRINTF("%2.2x%c", asoc->nr_mapping_array[i], ((i + 1) % 16) ? ' ': '\n');
1247	}
1248	if (limit % 16)
1249		SCTP_PRINTF("\n");
1250}
1251
1252int
1253sctp_expand_mapping_array(struct sctp_association *asoc, uint32_t needed)
1254{
1255	/* mapping array needs to grow */
1256	uint8_t *new_array1, *new_array2;
1257	uint32_t new_size;
1258
1259	new_size = asoc->mapping_array_size + ((needed+7)/8 + SCTP_MAPPING_ARRAY_INCR);
1260	SCTP_MALLOC(new_array1, uint8_t *, new_size, SCTP_M_MAP);
1261	SCTP_MALLOC(new_array2, uint8_t *, new_size, SCTP_M_MAP);
1262	if ((new_array1 == NULL) || (new_array2 == NULL)) {
1263		/* can't get more, forget it */
1264		SCTP_PRINTF("No memory for expansion of SCTP mapping array %d\n", new_size);
1265		if (new_array1) {
1266			SCTP_FREE(new_array1, SCTP_M_MAP);
1267		}
1268		if (new_array2) {
1269			SCTP_FREE(new_array2, SCTP_M_MAP);
1270		}
1271		return (-1);
1272	}
1273	memset(new_array1, 0, new_size);
1274	memset(new_array2, 0, new_size);
1275	memcpy(new_array1, asoc->mapping_array, asoc->mapping_array_size);
1276	memcpy(new_array2, asoc->nr_mapping_array, asoc->mapping_array_size);
1277	SCTP_FREE(asoc->mapping_array, SCTP_M_MAP);
1278	SCTP_FREE(asoc->nr_mapping_array, SCTP_M_MAP);
1279	asoc->mapping_array = new_array1;
1280	asoc->nr_mapping_array = new_array2;
1281	asoc->mapping_array_size = new_size;
1282	return (0);
1283}
1284
1285
1286static void
1287sctp_iterator_work(struct sctp_iterator *it)
1288{
1289	int iteration_count = 0;
1290	int inp_skip = 0;
1291	int first_in = 1;
1292	struct sctp_inpcb *tinp;
1293
1294	SCTP_INP_INFO_RLOCK();
1295	SCTP_ITERATOR_LOCK();
1296	if (it->inp) {
1297		SCTP_INP_RLOCK(it->inp);
1298		SCTP_INP_DECR_REF(it->inp);
1299	}
1300	if (it->inp == NULL) {
1301		/* iterator is complete */
1302done_with_iterator:
1303		SCTP_ITERATOR_UNLOCK();
1304		SCTP_INP_INFO_RUNLOCK();
1305		if (it->function_atend != NULL) {
1306			(*it->function_atend) (it->pointer, it->val);
1307		}
1308		SCTP_FREE(it, SCTP_M_ITER);
1309		return;
1310	}
1311select_a_new_ep:
1312	if (first_in) {
1313		first_in = 0;
1314	} else {
1315		SCTP_INP_RLOCK(it->inp);
1316	}
1317	while (((it->pcb_flags) &&
1318		((it->inp->sctp_flags & it->pcb_flags) != it->pcb_flags)) ||
1319	       ((it->pcb_features) &&
1320		((it->inp->sctp_features & it->pcb_features) != it->pcb_features))) {
1321		/* endpoint flags or features don't match, so keep looking */
1322		if (it->iterator_flags & SCTP_ITERATOR_DO_SINGLE_INP) {
1323			SCTP_INP_RUNLOCK(it->inp);
1324			goto done_with_iterator;
1325		}
1326		tinp = it->inp;
1327		it->inp = LIST_NEXT(it->inp, sctp_list);
1328		SCTP_INP_RUNLOCK(tinp);
1329		if (it->inp == NULL) {
1330			goto done_with_iterator;
1331		}
1332		SCTP_INP_RLOCK(it->inp);
1333	}
1334	/* now go through each assoc which is in the desired state */
1335	if (it->done_current_ep == 0) {
1336		if (it->function_inp != NULL)
1337			inp_skip = (*it->function_inp)(it->inp, it->pointer, it->val);
1338		it->done_current_ep = 1;
1339	}
1340	if (it->stcb == NULL) {
1341		/* run the per instance function */
1342		it->stcb = LIST_FIRST(&it->inp->sctp_asoc_list);
1343	}
1344	if ((inp_skip) || it->stcb == NULL) {
1345		if (it->function_inp_end != NULL) {
1346			inp_skip = (*it->function_inp_end)(it->inp,
1347							   it->pointer,
1348							   it->val);
1349		}
1350		SCTP_INP_RUNLOCK(it->inp);
1351		goto no_stcb;
1352	}
1353	while (it->stcb) {
1354		SCTP_TCB_LOCK(it->stcb);
1355		if (it->asoc_state && ((it->stcb->asoc.state & it->asoc_state) != it->asoc_state)) {
1356			/* not in the right state... keep looking */
1357			SCTP_TCB_UNLOCK(it->stcb);
1358			goto next_assoc;
1359		}
1360		/* see if we have limited out the iterator loop */
1361		iteration_count++;
1362		if (iteration_count > SCTP_ITERATOR_MAX_AT_ONCE) {
1363			/* Pause to let others grab the lock */
1364			atomic_add_int(&it->stcb->asoc.refcnt, 1);
1365			SCTP_TCB_UNLOCK(it->stcb);
1366			SCTP_INP_INCR_REF(it->inp);
1367			SCTP_INP_RUNLOCK(it->inp);
1368			SCTP_ITERATOR_UNLOCK();
1369			SCTP_INP_INFO_RUNLOCK();
1370			SCTP_INP_INFO_RLOCK();
1371			SCTP_ITERATOR_LOCK();
1372			if (sctp_it_ctl.iterator_flags) {
1373				/* We won't be staying here */
1374				SCTP_INP_DECR_REF(it->inp);
1375				atomic_add_int(&it->stcb->asoc.refcnt, -1);
1376#if !defined(__FreeBSD__)
1377				if (sctp_it_ctl.iterator_flags &
1378				   SCTP_ITERATOR_MUST_EXIT) {
1379					goto done_with_iterator;
1380				}
1381#endif
1382				if (sctp_it_ctl.iterator_flags &
1383				   SCTP_ITERATOR_STOP_CUR_IT) {
1384					sctp_it_ctl.iterator_flags &= ~SCTP_ITERATOR_STOP_CUR_IT;
1385					goto done_with_iterator;
1386				}
1387				if (sctp_it_ctl.iterator_flags &
1388				   SCTP_ITERATOR_STOP_CUR_INP) {
1389					sctp_it_ctl.iterator_flags &= ~SCTP_ITERATOR_STOP_CUR_INP;
1390					goto no_stcb;
1391				}
1392				/* If we reach here huh? */
1393				SCTP_PRINTF("Unknown it ctl flag %x\n",
1394					    sctp_it_ctl.iterator_flags);
1395				sctp_it_ctl.iterator_flags = 0;
1396			}
1397			SCTP_INP_RLOCK(it->inp);
1398			SCTP_INP_DECR_REF(it->inp);
1399			SCTP_TCB_LOCK(it->stcb);
1400			atomic_add_int(&it->stcb->asoc.refcnt, -1);
1401			iteration_count = 0;
1402		}
1403
1404		/* run function on this one */
1405		(*it->function_assoc)(it->inp, it->stcb, it->pointer, it->val);
1406
1407		/*
1408		 * we lie here, it really needs to have its own type but
1409		 * first I must verify that this won't effect things :-0
1410		 */
1411		if (it->no_chunk_output == 0)
1412			sctp_chunk_output(it->inp, it->stcb, SCTP_OUTPUT_FROM_T3, SCTP_SO_NOT_LOCKED);
1413
1414		SCTP_TCB_UNLOCK(it->stcb);
1415	next_assoc:
1416		it->stcb = LIST_NEXT(it->stcb, sctp_tcblist);
1417		if (it->stcb == NULL) {
1418			/* Run last function */
1419			if (it->function_inp_end != NULL) {
1420				inp_skip = (*it->function_inp_end)(it->inp,
1421								   it->pointer,
1422								   it->val);
1423			}
1424		}
1425	}
1426	SCTP_INP_RUNLOCK(it->inp);
1427 no_stcb:
1428	/* done with all assocs on this endpoint, move on to next endpoint */
1429	it->done_current_ep = 0;
1430	if (it->iterator_flags & SCTP_ITERATOR_DO_SINGLE_INP) {
1431		it->inp = NULL;
1432	} else {
1433		it->inp = LIST_NEXT(it->inp, sctp_list);
1434	}
1435	if (it->inp == NULL) {
1436		goto done_with_iterator;
1437	}
1438	goto select_a_new_ep;
1439}
1440
1441void
1442sctp_iterator_worker(void)
1443{
1444	struct sctp_iterator *it, *nit;
1445
1446	/* This function is called with the WQ lock in place */
1447
1448	sctp_it_ctl.iterator_running = 1;
1449	TAILQ_FOREACH_SAFE(it, &sctp_it_ctl.iteratorhead, sctp_nxt_itr, nit) {
1450		sctp_it_ctl.cur_it = it;
1451		/* now lets work on this one */
1452		TAILQ_REMOVE(&sctp_it_ctl.iteratorhead, it, sctp_nxt_itr);
1453		SCTP_IPI_ITERATOR_WQ_UNLOCK();
1454#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1455		CURVNET_SET(it->vn);
1456#endif
1457		sctp_iterator_work(it);
1458		sctp_it_ctl.cur_it = NULL;
1459#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1460		CURVNET_RESTORE();
1461#endif
1462		SCTP_IPI_ITERATOR_WQ_LOCK();
1463#if !defined(__FreeBSD__)
1464		if (sctp_it_ctl.iterator_flags & SCTP_ITERATOR_MUST_EXIT) {
1465			break;
1466		}
1467#endif
1468	        /*sa_ignore FREED_MEMORY*/
1469	}
1470	sctp_it_ctl.iterator_running = 0;
1471	return;
1472}
1473
1474
1475static void
1476sctp_handle_addr_wq(void)
1477{
1478	/* deal with the ADDR wq from the rtsock calls */
1479	struct sctp_laddr *wi, *nwi;
1480	struct sctp_asconf_iterator *asc;
1481
1482	SCTP_MALLOC(asc, struct sctp_asconf_iterator *,
1483		    sizeof(struct sctp_asconf_iterator), SCTP_M_ASC_IT);
1484	if (asc == NULL) {
1485		/* Try later, no memory */
1486		sctp_timer_start(SCTP_TIMER_TYPE_ADDR_WQ,
1487				 (struct sctp_inpcb *)NULL,
1488				 (struct sctp_tcb *)NULL,
1489				 (struct sctp_nets *)NULL);
1490		return;
1491	}
1492	LIST_INIT(&asc->list_of_work);
1493	asc->cnt = 0;
1494
1495	SCTP_WQ_ADDR_LOCK();
1496	LIST_FOREACH_SAFE(wi, &SCTP_BASE_INFO(addr_wq), sctp_nxt_addr, nwi) {
1497		LIST_REMOVE(wi, sctp_nxt_addr);
1498		LIST_INSERT_HEAD(&asc->list_of_work, wi, sctp_nxt_addr);
1499		asc->cnt++;
1500	}
1501	SCTP_WQ_ADDR_UNLOCK();
1502
1503	if (asc->cnt == 0) {
1504		SCTP_FREE(asc, SCTP_M_ASC_IT);
1505	} else {
1506		(void)sctp_initiate_iterator(sctp_asconf_iterator_ep,
1507					     sctp_asconf_iterator_stcb,
1508					     NULL, /* No ep end for boundall */
1509					     SCTP_PCB_FLAGS_BOUNDALL,
1510					     SCTP_PCB_ANY_FEATURES,
1511					     SCTP_ASOC_ANY_STATE,
1512					     (void *)asc, 0,
1513					     sctp_asconf_iterator_end, NULL, 0);
1514	}
1515}
1516
1517void
1518sctp_timeout_handler(void *t)
1519{
1520	struct sctp_inpcb *inp;
1521	struct sctp_tcb *stcb;
1522	struct sctp_nets *net;
1523	struct sctp_timer *tmr;
1524#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1525	struct socket *so;
1526#endif
1527	int did_output, type;
1528
1529	tmr = (struct sctp_timer *)t;
1530	inp = (struct sctp_inpcb *)tmr->ep;
1531	stcb = (struct sctp_tcb *)tmr->tcb;
1532	net = (struct sctp_nets *)tmr->net;
1533#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1534	CURVNET_SET((struct vnet *)tmr->vnet);
1535#endif
1536	did_output = 1;
1537
1538#ifdef SCTP_AUDITING_ENABLED
1539	sctp_audit_log(0xF0, (uint8_t) tmr->type);
1540	sctp_auditing(3, inp, stcb, net);
1541#endif
1542
1543	/* sanity checks... */
1544	if (tmr->self != (void *)tmr) {
1545		/*
1546		 * SCTP_PRINTF("Stale SCTP timer fired (%p), ignoring...\n",
1547		 *             (void *)tmr);
1548		 */
1549#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1550		CURVNET_RESTORE();
1551#endif
1552		return;
1553	}
1554	tmr->stopped_from = 0xa001;
1555	if (!SCTP_IS_TIMER_TYPE_VALID(tmr->type)) {
1556		/*
1557		 * SCTP_PRINTF("SCTP timer fired with invalid type: 0x%x\n",
1558		 * tmr->type);
1559		 */
1560#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1561		CURVNET_RESTORE();
1562#endif
1563		return;
1564	}
1565	tmr->stopped_from = 0xa002;
1566	if ((tmr->type != SCTP_TIMER_TYPE_ADDR_WQ) && (inp == NULL)) {
1567#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1568		CURVNET_RESTORE();
1569#endif
1570		return;
1571	}
1572	/* if this is an iterator timeout, get the struct and clear inp */
1573	tmr->stopped_from = 0xa003;
1574	type = tmr->type;
1575	if (inp) {
1576		SCTP_INP_INCR_REF(inp);
1577		if ((inp->sctp_socket == NULL) &&
1578		    ((tmr->type != SCTP_TIMER_TYPE_INPKILL) &&
1579		     (tmr->type != SCTP_TIMER_TYPE_INIT) &&
1580		     (tmr->type != SCTP_TIMER_TYPE_SEND) &&
1581		     (tmr->type != SCTP_TIMER_TYPE_RECV) &&
1582		     (tmr->type != SCTP_TIMER_TYPE_HEARTBEAT) &&
1583		     (tmr->type != SCTP_TIMER_TYPE_SHUTDOWN) &&
1584		     (tmr->type != SCTP_TIMER_TYPE_SHUTDOWNACK) &&
1585		     (tmr->type != SCTP_TIMER_TYPE_SHUTDOWNGUARD) &&
1586		     (tmr->type != SCTP_TIMER_TYPE_ASOCKILL))
1587			) {
1588			SCTP_INP_DECR_REF(inp);
1589#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1590			CURVNET_RESTORE();
1591#endif
1592			return;
1593		}
1594	}
1595	tmr->stopped_from = 0xa004;
1596	if (stcb) {
1597		atomic_add_int(&stcb->asoc.refcnt, 1);
1598		if (stcb->asoc.state == 0) {
1599			atomic_add_int(&stcb->asoc.refcnt, -1);
1600			if (inp) {
1601				SCTP_INP_DECR_REF(inp);
1602			}
1603#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1604			CURVNET_RESTORE();
1605#endif
1606			return;
1607		}
1608	}
1609	tmr->stopped_from = 0xa005;
1610	SCTPDBG(SCTP_DEBUG_TIMER1, "Timer type %d goes off\n", tmr->type);
1611	if (!SCTP_OS_TIMER_ACTIVE(&tmr->timer)) {
1612		if (inp) {
1613			SCTP_INP_DECR_REF(inp);
1614		}
1615		if (stcb) {
1616			atomic_add_int(&stcb->asoc.refcnt, -1);
1617		}
1618#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1619		CURVNET_RESTORE();
1620#endif
1621		return;
1622	}
1623	tmr->stopped_from = 0xa006;
1624
1625	if (stcb) {
1626		SCTP_TCB_LOCK(stcb);
1627		atomic_add_int(&stcb->asoc.refcnt, -1);
1628		if ((tmr->type != SCTP_TIMER_TYPE_ASOCKILL) &&
1629		    ((stcb->asoc.state == 0) ||
1630		     (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED))) {
1631			SCTP_TCB_UNLOCK(stcb);
1632			if (inp) {
1633				SCTP_INP_DECR_REF(inp);
1634			}
1635#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1636			CURVNET_RESTORE();
1637#endif
1638			return;
1639		}
1640	}
1641	/* record in stopped what t-o occured */
1642	tmr->stopped_from = tmr->type;
1643
1644	/* mark as being serviced now */
1645	if (SCTP_OS_TIMER_PENDING(&tmr->timer)) {
1646		/*
1647		 * Callout has been rescheduled.
1648		 */
1649		goto get_out;
1650	}
1651	if (!SCTP_OS_TIMER_ACTIVE(&tmr->timer)) {
1652		/*
1653		 * Not active, so no action.
1654		 */
1655		goto get_out;
1656	}
1657	SCTP_OS_TIMER_DEACTIVATE(&tmr->timer);
1658
1659	/* call the handler for the appropriate timer type */
1660	switch (tmr->type) {
1661	case SCTP_TIMER_TYPE_ZERO_COPY:
1662		if (inp == NULL) {
1663			break;
1664		}
1665		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_ZERO_COPY_ACTIVE)) {
1666			SCTP_ZERO_COPY_EVENT(inp, inp->sctp_socket);
1667		}
1668		break;
1669	case SCTP_TIMER_TYPE_ZCOPY_SENDQ:
1670		if (inp == NULL) {
1671			break;
1672		}
1673		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_ZERO_COPY_ACTIVE)) {
1674		    SCTP_ZERO_COPY_SENDQ_EVENT(inp, inp->sctp_socket);
1675		}
1676                break;
1677	case SCTP_TIMER_TYPE_ADDR_WQ:
1678		sctp_handle_addr_wq();
1679		break;
1680	case SCTP_TIMER_TYPE_SEND:
1681		if ((stcb == NULL) || (inp == NULL)) {
1682			break;
1683		}
1684		SCTP_STAT_INCR(sctps_timodata);
1685		stcb->asoc.timodata++;
1686		stcb->asoc.num_send_timers_up--;
1687		if (stcb->asoc.num_send_timers_up < 0) {
1688			stcb->asoc.num_send_timers_up = 0;
1689		}
1690		SCTP_TCB_LOCK_ASSERT(stcb);
1691		if (sctp_t3rxt_timer(inp, stcb, net)) {
1692			/* no need to unlock on tcb its gone */
1693
1694			goto out_decr;
1695		}
1696		SCTP_TCB_LOCK_ASSERT(stcb);
1697#ifdef SCTP_AUDITING_ENABLED
1698		sctp_auditing(4, inp, stcb, net);
1699#endif
1700		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_T3, SCTP_SO_NOT_LOCKED);
1701		if ((stcb->asoc.num_send_timers_up == 0) &&
1702		    (stcb->asoc.sent_queue_cnt > 0)) {
1703			struct sctp_tmit_chunk *chk;
1704
1705			/*
1706			 * safeguard. If there on some on the sent queue
1707			 * somewhere but no timers running something is
1708			 * wrong... so we start a timer on the first chunk
1709			 * on the send queue on whatever net it is sent to.
1710			 */
1711			chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
1712			sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb,
1713			    chk->whoTo);
1714		}
1715		break;
1716	case SCTP_TIMER_TYPE_INIT:
1717		if ((stcb == NULL) || (inp == NULL)) {
1718			break;
1719		}
1720		SCTP_STAT_INCR(sctps_timoinit);
1721		stcb->asoc.timoinit++;
1722		if (sctp_t1init_timer(inp, stcb, net)) {
1723			/* no need to unlock on tcb its gone */
1724			goto out_decr;
1725		}
1726		/* We do output but not here */
1727		did_output = 0;
1728		break;
1729	case SCTP_TIMER_TYPE_RECV:
1730		if ((stcb == NULL) || (inp == NULL)) {
1731			break;
1732		}
1733		SCTP_STAT_INCR(sctps_timosack);
1734		stcb->asoc.timosack++;
1735		sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
1736#ifdef SCTP_AUDITING_ENABLED
1737		sctp_auditing(4, inp, stcb, net);
1738#endif
1739		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_SACK_TMR, SCTP_SO_NOT_LOCKED);
1740		break;
1741	case SCTP_TIMER_TYPE_SHUTDOWN:
1742		if ((stcb == NULL) || (inp == NULL)) {
1743			break;
1744		}
1745		if (sctp_shutdown_timer(inp, stcb, net)) {
1746			/* no need to unlock on tcb its gone */
1747			goto out_decr;
1748		}
1749		SCTP_STAT_INCR(sctps_timoshutdown);
1750		stcb->asoc.timoshutdown++;
1751#ifdef SCTP_AUDITING_ENABLED
1752		sctp_auditing(4, inp, stcb, net);
1753#endif
1754		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_SHUT_TMR, SCTP_SO_NOT_LOCKED);
1755		break;
1756	case SCTP_TIMER_TYPE_HEARTBEAT:
1757		if ((stcb == NULL) || (inp == NULL) || (net == NULL)) {
1758			break;
1759		}
1760		SCTP_STAT_INCR(sctps_timoheartbeat);
1761		stcb->asoc.timoheartbeat++;
1762		if (sctp_heartbeat_timer(inp, stcb, net)) {
1763			/* no need to unlock on tcb its gone */
1764			goto out_decr;
1765		}
1766#ifdef SCTP_AUDITING_ENABLED
1767		sctp_auditing(4, inp, stcb, net);
1768#endif
1769		if (!(net->dest_state & SCTP_ADDR_NOHB)) {
1770			sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1771			sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_HB_TMR, SCTP_SO_NOT_LOCKED);
1772		}
1773		break;
1774	case SCTP_TIMER_TYPE_COOKIE:
1775		if ((stcb == NULL) || (inp == NULL)) {
1776			break;
1777		}
1778
1779		if (sctp_cookie_timer(inp, stcb, net)) {
1780			/* no need to unlock on tcb its gone */
1781			goto out_decr;
1782		}
1783		SCTP_STAT_INCR(sctps_timocookie);
1784		stcb->asoc.timocookie++;
1785#ifdef SCTP_AUDITING_ENABLED
1786		sctp_auditing(4, inp, stcb, net);
1787#endif
1788		/*
1789		 * We consider T3 and Cookie timer pretty much the same with
1790		 * respect to where from in chunk_output.
1791		 */
1792		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_T3, SCTP_SO_NOT_LOCKED);
1793		break;
1794	case SCTP_TIMER_TYPE_NEWCOOKIE:
1795		{
1796			struct timeval tv;
1797			int i, secret;
1798			if (inp == NULL) {
1799				break;
1800			}
1801			SCTP_STAT_INCR(sctps_timosecret);
1802			(void)SCTP_GETTIME_TIMEVAL(&tv);
1803			SCTP_INP_WLOCK(inp);
1804			inp->sctp_ep.time_of_secret_change = tv.tv_sec;
1805			inp->sctp_ep.last_secret_number =
1806			    inp->sctp_ep.current_secret_number;
1807			inp->sctp_ep.current_secret_number++;
1808			if (inp->sctp_ep.current_secret_number >=
1809			    SCTP_HOW_MANY_SECRETS) {
1810				inp->sctp_ep.current_secret_number = 0;
1811			}
1812			secret = (int)inp->sctp_ep.current_secret_number;
1813			for (i = 0; i < SCTP_NUMBER_OF_SECRETS; i++) {
1814				inp->sctp_ep.secret_key[secret][i] =
1815				    sctp_select_initial_TSN(&inp->sctp_ep);
1816			}
1817			SCTP_INP_WUNLOCK(inp);
1818			sctp_timer_start(SCTP_TIMER_TYPE_NEWCOOKIE, inp, stcb, net);
1819		}
1820		did_output = 0;
1821		break;
1822	case SCTP_TIMER_TYPE_PATHMTURAISE:
1823		if ((stcb == NULL) || (inp == NULL)) {
1824			break;
1825		}
1826		SCTP_STAT_INCR(sctps_timopathmtu);
1827		sctp_pathmtu_timer(inp, stcb, net);
1828		did_output = 0;
1829		break;
1830	case SCTP_TIMER_TYPE_SHUTDOWNACK:
1831		if ((stcb == NULL) || (inp == NULL)) {
1832			break;
1833		}
1834		if (sctp_shutdownack_timer(inp, stcb, net)) {
1835			/* no need to unlock on tcb its gone */
1836			goto out_decr;
1837		}
1838		SCTP_STAT_INCR(sctps_timoshutdownack);
1839		stcb->asoc.timoshutdownack++;
1840#ifdef SCTP_AUDITING_ENABLED
1841		sctp_auditing(4, inp, stcb, net);
1842#endif
1843		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_SHUT_ACK_TMR, SCTP_SO_NOT_LOCKED);
1844		break;
1845	case SCTP_TIMER_TYPE_SHUTDOWNGUARD:
1846		if ((stcb == NULL) || (inp == NULL)) {
1847			break;
1848		}
1849		SCTP_STAT_INCR(sctps_timoshutdownguard);
1850		sctp_abort_an_association(inp, stcb, NULL, SCTP_SO_NOT_LOCKED);
1851		/* no need to unlock on tcb its gone */
1852		goto out_decr;
1853
1854	case SCTP_TIMER_TYPE_STRRESET:
1855		if ((stcb == NULL) || (inp == NULL)) {
1856			break;
1857		}
1858		if (sctp_strreset_timer(inp, stcb, net)) {
1859			/* no need to unlock on tcb its gone */
1860			goto out_decr;
1861		}
1862		SCTP_STAT_INCR(sctps_timostrmrst);
1863		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_STRRST_TMR, SCTP_SO_NOT_LOCKED);
1864		break;
1865	case SCTP_TIMER_TYPE_ASCONF:
1866		if ((stcb == NULL) || (inp == NULL)) {
1867			break;
1868		}
1869		if (sctp_asconf_timer(inp, stcb, net)) {
1870			/* no need to unlock on tcb its gone */
1871			goto out_decr;
1872		}
1873		SCTP_STAT_INCR(sctps_timoasconf);
1874#ifdef SCTP_AUDITING_ENABLED
1875		sctp_auditing(4, inp, stcb, net);
1876#endif
1877		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_ASCONF_TMR, SCTP_SO_NOT_LOCKED);
1878		break;
1879	case SCTP_TIMER_TYPE_PRIM_DELETED:
1880		if ((stcb == NULL) || (inp == NULL)) {
1881			break;
1882		}
1883		sctp_delete_prim_timer(inp, stcb, net);
1884		SCTP_STAT_INCR(sctps_timodelprim);
1885		break;
1886
1887	case SCTP_TIMER_TYPE_AUTOCLOSE:
1888		if ((stcb == NULL) || (inp == NULL)) {
1889			break;
1890		}
1891		SCTP_STAT_INCR(sctps_timoautoclose);
1892		sctp_autoclose_timer(inp, stcb, net);
1893		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_AUTOCLOSE_TMR, SCTP_SO_NOT_LOCKED);
1894		did_output = 0;
1895		break;
1896	case SCTP_TIMER_TYPE_ASOCKILL:
1897		if ((stcb == NULL) || (inp == NULL)) {
1898			break;
1899		}
1900		SCTP_STAT_INCR(sctps_timoassockill);
1901		/* Can we free it yet? */
1902		SCTP_INP_DECR_REF(inp);
1903		sctp_timer_stop(SCTP_TIMER_TYPE_ASOCKILL, inp, stcb, NULL, SCTP_FROM_SCTPUTIL+SCTP_LOC_1);
1904#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1905		so = SCTP_INP_SO(inp);
1906		atomic_add_int(&stcb->asoc.refcnt, 1);
1907		SCTP_TCB_UNLOCK(stcb);
1908		SCTP_SOCKET_LOCK(so, 1);
1909		SCTP_TCB_LOCK(stcb);
1910		atomic_subtract_int(&stcb->asoc.refcnt, 1);
1911#endif
1912		(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTPUTIL+SCTP_LOC_2);
1913#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1914		SCTP_SOCKET_UNLOCK(so, 1);
1915#endif
1916		/*
1917		 * free asoc, always unlocks (or destroy's) so prevent
1918		 * duplicate unlock or unlock of a free mtx :-0
1919		 */
1920		stcb = NULL;
1921		goto out_no_decr;
1922	case SCTP_TIMER_TYPE_INPKILL:
1923		SCTP_STAT_INCR(sctps_timoinpkill);
1924		if (inp == NULL) {
1925			break;
1926		}
1927		/*
1928		 * special case, take away our increment since WE are the
1929		 * killer
1930		 */
1931		SCTP_INP_DECR_REF(inp);
1932		sctp_timer_stop(SCTP_TIMER_TYPE_INPKILL, inp, NULL, NULL, SCTP_FROM_SCTPUTIL+SCTP_LOC_3);
1933#if defined(__APPLE__)
1934		SCTP_SOCKET_LOCK(SCTP_INP_SO(inp), 1);
1935#endif
1936		sctp_inpcb_free(inp, SCTP_FREE_SHOULD_USE_ABORT,
1937				SCTP_CALLED_FROM_INPKILL_TIMER);
1938#if defined(__APPLE__)
1939		SCTP_SOCKET_UNLOCK(SCTP_INP_SO(inp), 1);
1940#endif
1941		inp = NULL;
1942		goto out_no_decr;
1943	default:
1944		SCTPDBG(SCTP_DEBUG_TIMER1, "sctp_timeout_handler:unknown timer %d\n",
1945			tmr->type);
1946		break;
1947	}
1948#ifdef SCTP_AUDITING_ENABLED
1949	sctp_audit_log(0xF1, (uint8_t) tmr->type);
1950	if (inp)
1951		sctp_auditing(5, inp, stcb, net);
1952#endif
1953	if ((did_output) && stcb) {
1954		/*
1955		 * Now we need to clean up the control chunk chain if an
1956		 * ECNE is on it. It must be marked as UNSENT again so next
1957		 * call will continue to send it until such time that we get
1958		 * a CWR, to remove it. It is, however, less likely that we
1959		 * will find a ecn echo on the chain though.
1960		 */
1961		sctp_fix_ecn_echo(&stcb->asoc);
1962	}
1963get_out:
1964	if (stcb) {
1965		SCTP_TCB_UNLOCK(stcb);
1966	}
1967
1968out_decr:
1969	if (inp) {
1970		SCTP_INP_DECR_REF(inp);
1971	}
1972
1973out_no_decr:
1974	SCTPDBG(SCTP_DEBUG_TIMER1, "Timer now complete (type %d)\n",
1975			  type);
1976#if defined(__FreeBSD__) && __FreeBSD_version >= 801000
1977	CURVNET_RESTORE();
1978#endif
1979}
1980
1981void
1982sctp_timer_start(int t_type, struct sctp_inpcb *inp, struct sctp_tcb *stcb,
1983    struct sctp_nets *net)
1984{
1985	uint32_t to_ticks;
1986	struct sctp_timer *tmr;
1987
1988	if ((t_type != SCTP_TIMER_TYPE_ADDR_WQ) && (inp == NULL))
1989		return;
1990
1991	tmr = NULL;
1992	if (stcb) {
1993		SCTP_TCB_LOCK_ASSERT(stcb);
1994	}
1995	switch (t_type) {
1996	case SCTP_TIMER_TYPE_ZERO_COPY:
1997		tmr = &inp->sctp_ep.zero_copy_timer;
1998		to_ticks = SCTP_ZERO_COPY_TICK_DELAY;
1999		break;
2000	case SCTP_TIMER_TYPE_ZCOPY_SENDQ:
2001		tmr = &inp->sctp_ep.zero_copy_sendq_timer;
2002		to_ticks = SCTP_ZERO_COPY_SENDQ_TICK_DELAY;
2003		break;
2004	case SCTP_TIMER_TYPE_ADDR_WQ:
2005		/* Only 1 tick away :-) */
2006		tmr = &SCTP_BASE_INFO(addr_wq_timer);
2007		to_ticks = SCTP_ADDRESS_TICK_DELAY;
2008		break;
2009	case SCTP_TIMER_TYPE_SEND:
2010		/* Here we use the RTO timer */
2011		{
2012			int rto_val;
2013
2014			if ((stcb == NULL) || (net == NULL)) {
2015				return;
2016			}
2017			tmr = &net->rxt_timer;
2018			if (net->RTO == 0) {
2019				rto_val = stcb->asoc.initial_rto;
2020			} else {
2021				rto_val = net->RTO;
2022			}
2023			to_ticks = MSEC_TO_TICKS(rto_val);
2024		}
2025		break;
2026	case SCTP_TIMER_TYPE_INIT:
2027		/*
2028		 * Here we use the INIT timer default usually about 1
2029		 * minute.
2030		 */
2031		if ((stcb == NULL) || (net == NULL)) {
2032			return;
2033		}
2034		tmr = &net->rxt_timer;
2035		if (net->RTO == 0) {
2036			to_ticks = MSEC_TO_TICKS(stcb->asoc.initial_rto);
2037		} else {
2038			to_ticks = MSEC_TO_TICKS(net->RTO);
2039		}
2040		break;
2041	case SCTP_TIMER_TYPE_RECV:
2042		/*
2043		 * Here we use the Delayed-Ack timer value from the inp
2044		 * ususually about 200ms.
2045		 */
2046		if (stcb == NULL) {
2047			return;
2048		}
2049		tmr = &stcb->asoc.dack_timer;
2050		to_ticks = MSEC_TO_TICKS(stcb->asoc.delayed_ack);
2051		break;
2052	case SCTP_TIMER_TYPE_SHUTDOWN:
2053		/* Here we use the RTO of the destination. */
2054		if ((stcb == NULL) || (net == NULL)) {
2055			return;
2056		}
2057		if (net->RTO == 0) {
2058			to_ticks = MSEC_TO_TICKS(stcb->asoc.initial_rto);
2059		} else {
2060			to_ticks = MSEC_TO_TICKS(net->RTO);
2061		}
2062		tmr = &net->rxt_timer;
2063		break;
2064	case SCTP_TIMER_TYPE_HEARTBEAT:
2065		/*
2066		 * the net is used here so that we can add in the RTO. Even
2067		 * though we use a different timer. We also add the HB timer
2068		 * PLUS a random jitter.
2069		 */
2070		if ((inp == NULL) || (stcb == NULL) || (net == NULL)) {
2071			return;
2072		} else {
2073			uint32_t rndval;
2074			uint32_t jitter;
2075
2076			if ((net->dest_state & SCTP_ADDR_NOHB) &&
2077			    !(net->dest_state & SCTP_ADDR_UNCONFIRMED)) {
2078				return;
2079			}
2080			if (net->RTO == 0) {
2081				to_ticks = stcb->asoc.initial_rto;
2082			} else {
2083				to_ticks = net->RTO;
2084			}
2085			rndval = sctp_select_initial_TSN(&inp->sctp_ep);
2086			jitter = rndval % to_ticks;
2087			if (jitter >= (to_ticks >> 1)) {
2088				to_ticks = to_ticks + (jitter - (to_ticks >> 1));
2089			} else {
2090				to_ticks = to_ticks - jitter;
2091			}
2092			if (!(net->dest_state & SCTP_ADDR_UNCONFIRMED) &&
2093			    !(net->dest_state & SCTP_ADDR_PF)) {
2094				to_ticks += net->heart_beat_delay;
2095			}
2096			/*
2097			 * Now we must convert the to_ticks that are now in
2098			 * ms to ticks.
2099			 */
2100			to_ticks = MSEC_TO_TICKS(to_ticks);
2101			tmr = &net->hb_timer;
2102		}
2103		break;
2104	case SCTP_TIMER_TYPE_COOKIE:
2105		/*
2106		 * Here we can use the RTO timer from the network since one
2107		 * RTT was compelete. If a retran happened then we will be
2108		 * using the RTO initial value.
2109		 */
2110		if ((stcb == NULL) || (net == NULL)) {
2111			return;
2112		}
2113		if (net->RTO == 0) {
2114			to_ticks = MSEC_TO_TICKS(stcb->asoc.initial_rto);
2115		} else {
2116			to_ticks = MSEC_TO_TICKS(net->RTO);
2117		}
2118		tmr = &net->rxt_timer;
2119		break;
2120	case SCTP_TIMER_TYPE_NEWCOOKIE:
2121		/*
2122		 * nothing needed but the endpoint here ususually about 60
2123		 * minutes.
2124		 */
2125		if (inp == NULL) {
2126			return;
2127		}
2128		tmr = &inp->sctp_ep.signature_change;
2129		to_ticks = inp->sctp_ep.sctp_timeoutticks[SCTP_TIMER_SIGNATURE];
2130		break;
2131	case SCTP_TIMER_TYPE_ASOCKILL:
2132		if (stcb == NULL) {
2133			return;
2134		}
2135		tmr = &stcb->asoc.strreset_timer;
2136		to_ticks = MSEC_TO_TICKS(SCTP_ASOC_KILL_TIMEOUT);
2137		break;
2138	case SCTP_TIMER_TYPE_INPKILL:
2139		/*
2140		 * The inp is setup to die. We re-use the signature_chage
2141		 * timer since that has stopped and we are in the GONE
2142		 * state.
2143		 */
2144		if (inp == NULL) {
2145			return;
2146		}
2147		tmr = &inp->sctp_ep.signature_change;
2148		to_ticks = MSEC_TO_TICKS(SCTP_INP_KILL_TIMEOUT);
2149		break;
2150	case SCTP_TIMER_TYPE_PATHMTURAISE:
2151		/*
2152		 * Here we use the value found in the EP for PMTU ususually
2153		 * about 10 minutes.
2154		 */
2155		if ((stcb == NULL) || (inp == NULL)) {
2156			return;
2157		}
2158		if (net == NULL) {
2159			return;
2160		}
2161		if (net->dest_state & SCTP_ADDR_NO_PMTUD) {
2162			return;
2163		}
2164		to_ticks = inp->sctp_ep.sctp_timeoutticks[SCTP_TIMER_PMTU];
2165		tmr = &net->pmtu_timer;
2166		break;
2167	case SCTP_TIMER_TYPE_SHUTDOWNACK:
2168		/* Here we use the RTO of the destination */
2169		if ((stcb == NULL) || (net == NULL)) {
2170			return;
2171		}
2172		if (net->RTO == 0) {
2173			to_ticks = MSEC_TO_TICKS(stcb->asoc.initial_rto);
2174		} else {
2175			to_ticks = MSEC_TO_TICKS(net->RTO);
2176		}
2177		tmr = &net->rxt_timer;
2178		break;
2179	case SCTP_TIMER_TYPE_SHUTDOWNGUARD:
2180		/*
2181		 * Here we use the endpoints shutdown guard timer usually
2182		 * about 3 minutes.
2183		 */
2184		if ((inp == NULL) || (stcb == NULL)) {
2185			return;
2186		}
2187		to_ticks = inp->sctp_ep.sctp_timeoutticks[SCTP_TIMER_MAXSHUTDOWN];
2188		tmr = &stcb->asoc.shut_guard_timer;
2189		break;
2190	case SCTP_TIMER_TYPE_STRRESET:
2191		/*
2192		 * Here the timer comes from the stcb but its value is from
2193		 * the net's RTO.
2194		 */
2195		if ((stcb == NULL) || (net == NULL)) {
2196			return;
2197		}
2198		if (net->RTO == 0) {
2199			to_ticks = MSEC_TO_TICKS(stcb->asoc.initial_rto);
2200		} else {
2201			to_ticks = MSEC_TO_TICKS(net->RTO);
2202		}
2203		tmr = &stcb->asoc.strreset_timer;
2204		break;
2205	case SCTP_TIMER_TYPE_ASCONF:
2206		/*
2207		 * Here the timer comes from the stcb but its value is from
2208		 * the net's RTO.
2209		 */
2210		if ((stcb == NULL) || (net == NULL)) {
2211			return;
2212		}
2213		if (net->RTO == 0) {
2214			to_ticks = MSEC_TO_TICKS(stcb->asoc.initial_rto);
2215		} else {
2216			to_ticks = MSEC_TO_TICKS(net->RTO);
2217		}
2218		tmr = &stcb->asoc.asconf_timer;
2219		break;
2220	case SCTP_TIMER_TYPE_PRIM_DELETED:
2221		if ((stcb == NULL) || (net != NULL)) {
2222			return;
2223		}
2224		to_ticks = MSEC_TO_TICKS(stcb->asoc.initial_rto);
2225		tmr = &stcb->asoc.delete_prim_timer;
2226		break;
2227	case SCTP_TIMER_TYPE_AUTOCLOSE:
2228		if (stcb == NULL) {
2229			return;
2230		}
2231		if (stcb->asoc.sctp_autoclose_ticks == 0) {
2232			/*
2233			 * Really an error since stcb is NOT set to
2234			 * autoclose
2235			 */
2236			return;
2237		}
2238		to_ticks = stcb->asoc.sctp_autoclose_ticks;
2239		tmr = &stcb->asoc.autoclose_timer;
2240		break;
2241	default:
2242		SCTPDBG(SCTP_DEBUG_TIMER1, "%s: Unknown timer type %d\n",
2243			__FUNCTION__, t_type);
2244		return;
2245		break;
2246	}
2247	if ((to_ticks <= 0) || (tmr == NULL)) {
2248		SCTPDBG(SCTP_DEBUG_TIMER1, "%s: %d:software error to_ticks:%d tmr:%p not set ??\n",
2249			__FUNCTION__, t_type, to_ticks, (void *)tmr);
2250		return;
2251	}
2252	if (SCTP_OS_TIMER_PENDING(&tmr->timer)) {
2253		/*
2254		 * we do NOT allow you to have it already running. if it is
2255		 * we leave the current one up unchanged
2256		 */
2257		return;
2258	}
2259	/* At this point we can proceed */
2260	if (t_type == SCTP_TIMER_TYPE_SEND) {
2261		stcb->asoc.num_send_timers_up++;
2262	}
2263	tmr->stopped_from = 0;
2264	tmr->type = t_type;
2265	tmr->ep = (void *)inp;
2266	tmr->tcb = (void *)stcb;
2267	tmr->net = (void *)net;
2268	tmr->self = (void *)tmr;
2269#if defined(__FreeBSD__) && __FreeBSD_version >= 800000
2270	tmr->vnet = (void *)curvnet;
2271#endif
2272#ifndef __Panda__
2273	tmr->ticks = sctp_get_tick_count();
2274#endif
2275	(void)SCTP_OS_TIMER_START(&tmr->timer, to_ticks, sctp_timeout_handler, tmr);
2276	return;
2277}
2278
2279void
2280sctp_timer_stop(int t_type, struct sctp_inpcb *inp, struct sctp_tcb *stcb,
2281    struct sctp_nets *net, uint32_t from)
2282{
2283	struct sctp_timer *tmr;
2284
2285	if ((t_type != SCTP_TIMER_TYPE_ADDR_WQ) &&
2286	    (inp == NULL))
2287		return;
2288
2289	tmr = NULL;
2290	if (stcb) {
2291		SCTP_TCB_LOCK_ASSERT(stcb);
2292	}
2293	switch (t_type) {
2294	case SCTP_TIMER_TYPE_ZERO_COPY:
2295		tmr = &inp->sctp_ep.zero_copy_timer;
2296		break;
2297	case SCTP_TIMER_TYPE_ZCOPY_SENDQ:
2298		tmr = &inp->sctp_ep.zero_copy_sendq_timer;
2299		break;
2300	case SCTP_TIMER_TYPE_ADDR_WQ:
2301		tmr = &SCTP_BASE_INFO(addr_wq_timer);
2302		break;
2303	case SCTP_TIMER_TYPE_SEND:
2304		if ((stcb == NULL) || (net == NULL)) {
2305			return;
2306		}
2307		tmr = &net->rxt_timer;
2308		break;
2309	case SCTP_TIMER_TYPE_INIT:
2310		if ((stcb == NULL) || (net == NULL)) {
2311			return;
2312		}
2313		tmr = &net->rxt_timer;
2314		break;
2315	case SCTP_TIMER_TYPE_RECV:
2316		if (stcb == NULL) {
2317			return;
2318		}
2319		tmr = &stcb->asoc.dack_timer;
2320		break;
2321	case SCTP_TIMER_TYPE_SHUTDOWN:
2322		if ((stcb == NULL) || (net == NULL)) {
2323			return;
2324		}
2325		tmr = &net->rxt_timer;
2326		break;
2327	case SCTP_TIMER_TYPE_HEARTBEAT:
2328		if ((stcb == NULL) || (net == NULL)) {
2329			return;
2330		}
2331		tmr = &net->hb_timer;
2332		break;
2333	case SCTP_TIMER_TYPE_COOKIE:
2334		if ((stcb == NULL) || (net == NULL)) {
2335			return;
2336		}
2337		tmr = &net->rxt_timer;
2338		break;
2339	case SCTP_TIMER_TYPE_NEWCOOKIE:
2340		/* nothing needed but the endpoint here */
2341		tmr = &inp->sctp_ep.signature_change;
2342		/*
2343		 * We re-use the newcookie timer for the INP kill timer. We
2344		 * must assure that we do not kill it by accident.
2345		 */
2346		break;
2347	case SCTP_TIMER_TYPE_ASOCKILL:
2348		/*
2349		 * Stop the asoc kill timer.
2350		 */
2351		if (stcb == NULL) {
2352			return;
2353		}
2354		tmr = &stcb->asoc.strreset_timer;
2355		break;
2356
2357	case SCTP_TIMER_TYPE_INPKILL:
2358		/*
2359		 * The inp is setup to die. We re-use the signature_chage
2360		 * timer since that has stopped and we are in the GONE
2361		 * state.
2362		 */
2363		tmr = &inp->sctp_ep.signature_change;
2364		break;
2365	case SCTP_TIMER_TYPE_PATHMTURAISE:
2366		if ((stcb == NULL) || (net == NULL)) {
2367			return;
2368		}
2369		tmr = &net->pmtu_timer;
2370		break;
2371	case SCTP_TIMER_TYPE_SHUTDOWNACK:
2372		if ((stcb == NULL) || (net == NULL)) {
2373			return;
2374		}
2375		tmr = &net->rxt_timer;
2376		break;
2377	case SCTP_TIMER_TYPE_SHUTDOWNGUARD:
2378		if (stcb == NULL) {
2379			return;
2380		}
2381		tmr = &stcb->asoc.shut_guard_timer;
2382		break;
2383	case SCTP_TIMER_TYPE_STRRESET:
2384		if (stcb == NULL) {
2385			return;
2386		}
2387		tmr = &stcb->asoc.strreset_timer;
2388		break;
2389	case SCTP_TIMER_TYPE_ASCONF:
2390		if (stcb == NULL) {
2391			return;
2392		}
2393		tmr = &stcb->asoc.asconf_timer;
2394		break;
2395	case SCTP_TIMER_TYPE_PRIM_DELETED:
2396		if (stcb == NULL) {
2397			return;
2398		}
2399		tmr = &stcb->asoc.delete_prim_timer;
2400		break;
2401	case SCTP_TIMER_TYPE_AUTOCLOSE:
2402		if (stcb == NULL) {
2403			return;
2404		}
2405		tmr = &stcb->asoc.autoclose_timer;
2406		break;
2407	default:
2408		SCTPDBG(SCTP_DEBUG_TIMER1, "%s: Unknown timer type %d\n",
2409			__FUNCTION__, t_type);
2410		break;
2411	}
2412	if (tmr == NULL) {
2413		return;
2414	}
2415	if ((tmr->type != t_type) && tmr->type) {
2416		/*
2417		 * Ok we have a timer that is under joint use. Cookie timer
2418		 * per chance with the SEND timer. We therefore are NOT
2419		 * running the timer that the caller wants stopped.  So just
2420		 * return.
2421		 */
2422		return;
2423	}
2424	if ((t_type == SCTP_TIMER_TYPE_SEND) && (stcb != NULL)) {
2425		stcb->asoc.num_send_timers_up--;
2426		if (stcb->asoc.num_send_timers_up < 0) {
2427			stcb->asoc.num_send_timers_up = 0;
2428		}
2429	}
2430	tmr->self = NULL;
2431	tmr->stopped_from = from;
2432	(void)SCTP_OS_TIMER_STOP(&tmr->timer);
2433	return;
2434}
2435
2436uint32_t
2437sctp_calculate_len(struct mbuf *m)
2438{
2439	uint32_t tlen = 0;
2440	struct mbuf *at;
2441
2442	at = m;
2443	while (at) {
2444		tlen += SCTP_BUF_LEN(at);
2445		at = SCTP_BUF_NEXT(at);
2446	}
2447	return (tlen);
2448}
2449
2450void
2451sctp_mtu_size_reset(struct sctp_inpcb *inp,
2452    struct sctp_association *asoc, uint32_t mtu)
2453{
2454	/*
2455	 * Reset the P-MTU size on this association, this involves changing
2456	 * the asoc MTU, going through ANY chunk+overhead larger than mtu to
2457	 * allow the DF flag to be cleared.
2458	 */
2459	struct sctp_tmit_chunk *chk;
2460	unsigned int eff_mtu, ovh;
2461
2462	asoc->smallest_mtu = mtu;
2463	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
2464		ovh = SCTP_MIN_OVERHEAD;
2465	} else {
2466		ovh = SCTP_MIN_V4_OVERHEAD;
2467	}
2468	eff_mtu = mtu - ovh;
2469	TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
2470		if (chk->send_size > eff_mtu) {
2471			chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;
2472		}
2473	}
2474	TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
2475		if (chk->send_size > eff_mtu) {
2476			chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;
2477		}
2478	}
2479}
2480
2481
2482/*
2483 * given an association and starting time of the current RTT period return
2484 * RTO in number of msecs net should point to the current network
2485 */
2486
2487uint32_t
2488sctp_calculate_rto(struct sctp_tcb *stcb,
2489		   struct sctp_association *asoc,
2490		   struct sctp_nets *net,
2491		   struct timeval *told,
2492		   int safe, int rtt_from_sack)
2493{
2494	/*-
2495	 * given an association and the starting time of the current RTT
2496	 * period (in value1/value2) return RTO in number of msecs.
2497	 */
2498	int32_t rtt; /* RTT in ms */
2499	uint32_t new_rto;
2500	int first_measure = 0;
2501	struct timeval now, then, *old;
2502
2503	/* Copy it out for sparc64 */
2504	if (safe == sctp_align_unsafe_makecopy) {
2505		old = &then;
2506		memcpy(&then, told, sizeof(struct timeval));
2507	} else if (safe == sctp_align_safe_nocopy) {
2508		old = told;
2509	} else {
2510		/* error */
2511		SCTP_PRINTF("Huh, bad rto calc call\n");
2512		return (0);
2513	}
2514	/************************/
2515	/* 1. calculate new RTT */
2516	/************************/
2517	/* get the current time */
2518	if (stcb->asoc.use_precise_time) {
2519		(void)SCTP_GETPTIME_TIMEVAL(&now);
2520	} else {
2521		(void)SCTP_GETTIME_TIMEVAL(&now);
2522	}
2523	timevalsub(&now, old);
2524	/* store the current RTT in us */
2525	net->rtt = (uint64_t)1000000 * (uint64_t)now.tv_sec +
2526	           (uint64_t)now.tv_usec;
2527	/* computer rtt in ms */
2528	rtt = net->rtt / 1000;
2529	if ((asoc->cc_functions.sctp_rtt_calculated) && (rtt_from_sack == SCTP_RTT_FROM_DATA)) {
2530		/* Tell the CC module that a new update has just occurred from a sack */
2531		(*asoc->cc_functions.sctp_rtt_calculated)(stcb, net, &now);
2532	}
2533	/* Do we need to determine the lan? We do this only
2534	 * on sacks i.e. RTT being determined from data not
2535	 * non-data (HB/INIT->INITACK).
2536	 */
2537	if ((rtt_from_sack == SCTP_RTT_FROM_DATA) &&
2538	    (net->lan_type == SCTP_LAN_UNKNOWN)) {
2539		if (net->rtt > SCTP_LOCAL_LAN_RTT) {
2540			net->lan_type = SCTP_LAN_INTERNET;
2541		} else {
2542			net->lan_type = SCTP_LAN_LOCAL;
2543		}
2544	}
2545
2546	/***************************/
2547	/* 2. update RTTVAR & SRTT */
2548	/***************************/
2549	/*-
2550	 * Compute the scaled average lastsa and the
2551	 * scaled variance lastsv as described in van Jacobson
2552	 * Paper "Congestion Avoidance and Control", Annex A.
2553	 *
2554	 * (net->lastsa >> SCTP_RTT_SHIFT) is the srtt
2555	 * (net->lastsa >> SCTP_RTT_VAR_SHIFT) is the rttvar
2556	 */
2557	if (net->RTO_measured) {
2558		rtt -= (net->lastsa >> SCTP_RTT_SHIFT);
2559		net->lastsa += rtt;
2560		if (rtt < 0) {
2561			rtt = -rtt;
2562		}
2563		rtt -= (net->lastsv >> SCTP_RTT_VAR_SHIFT);
2564		net->lastsv += rtt;
2565		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_RTTVAR_LOGGING_ENABLE) {
2566			rto_logging(net, SCTP_LOG_RTTVAR);
2567		}
2568	} else {
2569		/* First RTO measurment */
2570		net->RTO_measured = 1;
2571		first_measure = 1;
2572		net->lastsa = rtt << SCTP_RTT_SHIFT;
2573		net->lastsv = (rtt / 2) << SCTP_RTT_VAR_SHIFT;
2574		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_RTTVAR_LOGGING_ENABLE) {
2575			rto_logging(net, SCTP_LOG_INITIAL_RTT);
2576		}
2577	}
2578	if (net->lastsv == 0) {
2579		net->lastsv = SCTP_CLOCK_GRANULARITY;
2580	}
2581	new_rto = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv;
2582	if ((new_rto > SCTP_SAT_NETWORK_MIN) &&
2583	    (stcb->asoc.sat_network_lockout == 0)) {
2584		stcb->asoc.sat_network = 1;
2585	} else if ((!first_measure) && stcb->asoc.sat_network) {
2586		stcb->asoc.sat_network = 0;
2587		stcb->asoc.sat_network_lockout = 1;
2588	}
2589	/* bound it, per C6/C7 in Section 5.3.1 */
2590	if (new_rto < stcb->asoc.minrto) {
2591		new_rto = stcb->asoc.minrto;
2592	}
2593	if (new_rto > stcb->asoc.maxrto) {
2594		new_rto = stcb->asoc.maxrto;
2595	}
2596	/* we are now returning the RTO */
2597	return (new_rto);
2598}
2599
2600/*
2601 * return a pointer to a contiguous piece of data from the given mbuf chain
2602 * starting at 'off' for 'len' bytes.  If the desired piece spans more than
2603 * one mbuf, a copy is made at 'ptr'. caller must ensure that the buffer size
2604 * is >= 'len' returns NULL if there there isn't 'len' bytes in the chain.
2605 */
2606caddr_t
2607sctp_m_getptr(struct mbuf *m, int off, int len, uint8_t * in_ptr)
2608{
2609	uint32_t count;
2610	uint8_t *ptr;
2611
2612	ptr = in_ptr;
2613	if ((off < 0) || (len <= 0))
2614		return (NULL);
2615
2616	/* find the desired start location */
2617	while ((m != NULL) && (off > 0)) {
2618		if (off < SCTP_BUF_LEN(m))
2619			break;
2620		off -= SCTP_BUF_LEN(m);
2621		m = SCTP_BUF_NEXT(m);
2622	}
2623	if (m == NULL)
2624		return (NULL);
2625
2626	/* is the current mbuf large enough (eg. contiguous)? */
2627	if ((SCTP_BUF_LEN(m) - off) >= len) {
2628		return (mtod(m, caddr_t) + off);
2629	} else {
2630		/* else, it spans more than one mbuf, so save a temp copy... */
2631		while ((m != NULL) && (len > 0)) {
2632			count = min(SCTP_BUF_LEN(m) - off, len);
2633			bcopy(mtod(m, caddr_t) + off, ptr, count);
2634			len -= count;
2635			ptr += count;
2636			off = 0;
2637			m = SCTP_BUF_NEXT(m);
2638		}
2639		if ((m == NULL) && (len > 0))
2640			return (NULL);
2641		else
2642			return ((caddr_t)in_ptr);
2643	}
2644}
2645
2646
2647
2648struct sctp_paramhdr *
2649sctp_get_next_param(struct mbuf *m,
2650    int offset,
2651    struct sctp_paramhdr *pull,
2652    int pull_limit)
2653{
2654	/* This just provides a typed signature to Peter's Pull routine */
2655	return ((struct sctp_paramhdr *)sctp_m_getptr(m, offset, pull_limit,
2656	    (uint8_t *) pull));
2657}
2658
2659
2660struct mbuf *
2661sctp_add_pad_tombuf(struct mbuf *m, int padlen)
2662{
2663	struct mbuf *m_last;
2664	caddr_t dp;
2665
2666	if (padlen > 3) {
2667		return (NULL);
2668	}
2669	if (padlen <= M_TRAILINGSPACE(m)) {
2670		/*
2671		 * The easy way. We hope the majority of the time we hit
2672		 * here :)
2673		 */
2674		m_last = m;
2675	} else {
2676		/* Hard way we must grow the mbuf chain */
2677		m_last = sctp_get_mbuf_for_msg(padlen, 0, M_NOWAIT, 1, MT_DATA);
2678		if (m_last == NULL) {
2679			return (NULL);
2680		}
2681		SCTP_BUF_LEN(m_last) = 0;
2682		SCTP_BUF_NEXT(m_last) = NULL;
2683		SCTP_BUF_NEXT(m) = m_last;
2684	}
2685	dp = mtod(m_last, caddr_t) + SCTP_BUF_LEN(m_last);
2686	SCTP_BUF_LEN(m_last) += padlen;
2687	memset(dp, 0, padlen);
2688	return (m_last);
2689}
2690
2691struct mbuf *
2692sctp_pad_lastmbuf(struct mbuf *m, int padval, struct mbuf *last_mbuf)
2693{
2694	/* find the last mbuf in chain and pad it */
2695	struct mbuf *m_at;
2696
2697	if (last_mbuf != NULL) {
2698		return (sctp_add_pad_tombuf(last_mbuf, padval));
2699	} else {
2700		for (m_at = m; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
2701			if (SCTP_BUF_NEXT(m_at) == NULL) {
2702				return (sctp_add_pad_tombuf(m_at, padval));
2703			}
2704		}
2705	}
2706	return (NULL);
2707}
2708
2709static void
2710sctp_notify_assoc_change(uint16_t state, struct sctp_tcb *stcb,
2711    uint16_t error, struct sctp_abort_chunk *abort, uint8_t from_peer, int so_locked
2712#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
2713    SCTP_UNUSED
2714#endif
2715    )
2716{
2717	struct mbuf *m_notify;
2718	struct sctp_assoc_change *sac;
2719	struct sctp_queued_to_read *control;
2720	size_t notif_len, abort_len;
2721	unsigned int i;
2722#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2723	struct socket *so;
2724#endif
2725
2726	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVASSOCEVNT)) {
2727		notif_len = sizeof(struct sctp_assoc_change);
2728		if (abort != NULL) {
2729			abort_len = ntohs(abort->ch.chunk_length);
2730		} else {
2731			abort_len = 0;
2732		}
2733		if ((state == SCTP_COMM_UP) || (state == SCTP_RESTART)) {
2734			notif_len += SCTP_ASSOC_SUPPORTS_MAX;
2735		} else if ((state == SCTP_COMM_LOST) || (state == SCTP_CANT_STR_ASSOC)) {
2736			notif_len += abort_len;
2737		}
2738		m_notify = sctp_get_mbuf_for_msg(notif_len, 0, M_NOWAIT, 1, MT_DATA);
2739		if (m_notify == NULL) {
2740			/* Retry with smaller value. */
2741			notif_len = sizeof(struct sctp_assoc_change);
2742			m_notify = sctp_get_mbuf_for_msg(notif_len, 0, M_NOWAIT, 1, MT_DATA);
2743			if (m_notify == NULL) {
2744				goto set_error;
2745			}
2746		}
2747		SCTP_BUF_NEXT(m_notify) = NULL;
2748		sac = mtod(m_notify, struct sctp_assoc_change *);
2749		memset(sac, 0, notif_len);
2750		sac->sac_type = SCTP_ASSOC_CHANGE;
2751		sac->sac_flags = 0;
2752		sac->sac_length = sizeof(struct sctp_assoc_change);
2753		sac->sac_state = state;
2754		sac->sac_error = error;
2755		/* XXX verify these stream counts */
2756		sac->sac_outbound_streams = stcb->asoc.streamoutcnt;
2757		sac->sac_inbound_streams = stcb->asoc.streamincnt;
2758		sac->sac_assoc_id = sctp_get_associd(stcb);
2759		if (notif_len > sizeof(struct sctp_assoc_change)) {
2760			if ((state == SCTP_COMM_UP) || (state == SCTP_RESTART)) {
2761				i = 0;
2762				if (stcb->asoc.prsctp_supported == 1) {
2763					sac->sac_info[i++] = SCTP_ASSOC_SUPPORTS_PR;
2764				}
2765				if (stcb->asoc.auth_supported == 1) {
2766					sac->sac_info[i++] = SCTP_ASSOC_SUPPORTS_AUTH;
2767				}
2768				if (stcb->asoc.asconf_supported == 1) {
2769					sac->sac_info[i++] = SCTP_ASSOC_SUPPORTS_ASCONF;
2770				}
2771				sac->sac_info[i++] = SCTP_ASSOC_SUPPORTS_MULTIBUF;
2772				if (stcb->asoc.reconfig_supported == 1) {
2773					sac->sac_info[i++] = SCTP_ASSOC_SUPPORTS_RE_CONFIG;
2774				}
2775				sac->sac_length += i;
2776			} else if ((state == SCTP_COMM_LOST) || (state == SCTP_CANT_STR_ASSOC)) {
2777				memcpy(sac->sac_info, abort, abort_len);
2778				sac->sac_length += abort_len;
2779			}
2780		}
2781		SCTP_BUF_LEN(m_notify) = sac->sac_length;
2782		control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
2783		                                 0, 0, stcb->asoc.context, 0, 0, 0,
2784		                                 m_notify);
2785		if (control != NULL) {
2786			control->length = SCTP_BUF_LEN(m_notify);
2787			/* not that we need this */
2788			control->tail_mbuf = m_notify;
2789			control->spec_flags = M_NOTIFICATION;
2790			sctp_add_to_readq(stcb->sctp_ep, stcb,
2791			                  control,
2792			                  &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_NOT_HELD,
2793			                  so_locked);
2794		} else {
2795			sctp_m_freem(m_notify);
2796		}
2797	}
2798	/*
2799	 * For 1-to-1 style sockets, we send up and error when an ABORT
2800	 * comes in.
2801	 */
2802set_error:
2803	if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2804	     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
2805	    ((state == SCTP_COMM_LOST) || (state == SCTP_CANT_STR_ASSOC))) {
2806		SOCK_LOCK(stcb->sctp_socket);
2807		if (from_peer) {
2808			if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) {
2809				SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTPUTIL, ECONNREFUSED);
2810				stcb->sctp_socket->so_error = ECONNREFUSED;
2811			} else {
2812				SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTPUTIL, ECONNRESET);
2813				stcb->sctp_socket->so_error = ECONNRESET;
2814			}
2815		} else {
2816			if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) ||
2817			    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
2818				SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTPUTIL, ETIMEDOUT);
2819				stcb->sctp_socket->so_error = ETIMEDOUT;
2820			} else {
2821				SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTPUTIL, ECONNABORTED);
2822				stcb->sctp_socket->so_error = ECONNABORTED;
2823			}
2824		}
2825	}
2826	/* Wake ANY sleepers */
2827#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2828	so = SCTP_INP_SO(stcb->sctp_ep);
2829	if (!so_locked) {
2830		atomic_add_int(&stcb->asoc.refcnt, 1);
2831		SCTP_TCB_UNLOCK(stcb);
2832		SCTP_SOCKET_LOCK(so, 1);
2833		SCTP_TCB_LOCK(stcb);
2834		atomic_subtract_int(&stcb->asoc.refcnt, 1);
2835		if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
2836			SCTP_SOCKET_UNLOCK(so, 1);
2837			return;
2838		}
2839	}
2840#endif
2841	if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2842	     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
2843	    ((state == SCTP_COMM_LOST) || (state == SCTP_CANT_STR_ASSOC))) {
2844#if defined(__APPLE__)
2845		socantrcvmore(stcb->sctp_socket);
2846#else
2847		socantrcvmore_locked(stcb->sctp_socket);
2848#endif
2849	}
2850	sorwakeup(stcb->sctp_socket);
2851	sowwakeup(stcb->sctp_socket);
2852#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2853	if (!so_locked) {
2854		SCTP_SOCKET_UNLOCK(so, 1);
2855	}
2856#endif
2857}
2858
2859static void
2860sctp_notify_peer_addr_change(struct sctp_tcb *stcb, uint32_t state,
2861    struct sockaddr *sa, uint32_t error)
2862{
2863	struct mbuf *m_notify;
2864	struct sctp_paddr_change *spc;
2865	struct sctp_queued_to_read *control;
2866
2867	if ((stcb == NULL) ||
2868	    sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVPADDREVNT)) {
2869		/* event not enabled */
2870		return;
2871	}
2872	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_paddr_change), 0, M_NOWAIT, 1, MT_DATA);
2873	if (m_notify == NULL)
2874		return;
2875	SCTP_BUF_LEN(m_notify) = 0;
2876	spc = mtod(m_notify, struct sctp_paddr_change *);
2877	memset(spc, 0, sizeof(struct sctp_paddr_change));
2878	spc->spc_type = SCTP_PEER_ADDR_CHANGE;
2879	spc->spc_flags = 0;
2880	spc->spc_length = sizeof(struct sctp_paddr_change);
2881	switch (sa->sa_family) {
2882#ifdef INET
2883	case AF_INET:
2884		memcpy(&spc->spc_aaddr, sa, sizeof(struct sockaddr_in));
2885		break;
2886#endif
2887#ifdef INET6
2888	case AF_INET6:
2889	{
2890#ifdef SCTP_EMBEDDED_V6_SCOPE
2891		struct sockaddr_in6 *sin6;
2892#endif /* SCTP_EMBEDDED_V6_SCOPE */
2893		memcpy(&spc->spc_aaddr, sa, sizeof(struct sockaddr_in6));
2894
2895#ifdef SCTP_EMBEDDED_V6_SCOPE
2896		sin6 = (struct sockaddr_in6 *)&spc->spc_aaddr;
2897		if (IN6_IS_SCOPE_LINKLOCAL(&sin6->sin6_addr)) {
2898			if (sin6->sin6_scope_id == 0) {
2899				/* recover scope_id for user */
2900#ifdef SCTP_KAME
2901				(void)sa6_recoverscope(sin6);
2902#else
2903				(void)in6_recoverscope(sin6, &sin6->sin6_addr,
2904						       NULL);
2905#endif
2906			} else {
2907				/* clear embedded scope_id for user */
2908				in6_clearscope(&sin6->sin6_addr);
2909			}
2910		}
2911#endif /* SCTP_EMBEDDED_V6_SCOPE */
2912		break;
2913	}
2914#endif
2915#if defined(__Userspace__)
2916	case AF_CONN:
2917		memcpy(&spc->spc_aaddr, sa, sizeof(struct sockaddr_conn));
2918		break;
2919#endif
2920	default:
2921		/* TSNH */
2922		break;
2923	}
2924	spc->spc_state = state;
2925	spc->spc_error = error;
2926	spc->spc_assoc_id = sctp_get_associd(stcb);
2927
2928	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_paddr_change);
2929	SCTP_BUF_NEXT(m_notify) = NULL;
2930
2931	/* append to socket */
2932	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
2933	                                 0, 0, stcb->asoc.context, 0, 0, 0,
2934	                                 m_notify);
2935	if (control == NULL) {
2936		/* no memory */
2937		sctp_m_freem(m_notify);
2938		return;
2939	}
2940	control->length = SCTP_BUF_LEN(m_notify);
2941	control->spec_flags = M_NOTIFICATION;
2942	/* not that we need this */
2943	control->tail_mbuf = m_notify;
2944	sctp_add_to_readq(stcb->sctp_ep, stcb,
2945	                  control,
2946	                  &stcb->sctp_socket->so_rcv, 1,
2947	                  SCTP_READ_LOCK_NOT_HELD,
2948	                  SCTP_SO_NOT_LOCKED);
2949}
2950
2951
2952static void
2953sctp_notify_send_failed(struct sctp_tcb *stcb, uint8_t sent, uint32_t error,
2954    struct sctp_tmit_chunk *chk, int so_locked
2955#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
2956    SCTP_UNUSED
2957#endif
2958    )
2959{
2960	struct mbuf *m_notify;
2961	struct sctp_send_failed *ssf;
2962	struct sctp_send_failed_event *ssfe;
2963	struct sctp_queued_to_read *control;
2964	int length;
2965
2966	if ((stcb == NULL) ||
2967	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVSENDFAILEVNT) &&
2968	     sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT))) {
2969		/* event not enabled */
2970		return;
2971	}
2972
2973	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
2974		length = sizeof(struct sctp_send_failed_event);
2975	} else {
2976		length = sizeof(struct sctp_send_failed);
2977	}
2978	m_notify = sctp_get_mbuf_for_msg(length, 0, M_NOWAIT, 1, MT_DATA);
2979	if (m_notify == NULL)
2980		/* no space left */
2981		return;
2982	SCTP_BUF_LEN(m_notify) = 0;
2983	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
2984		ssfe = mtod(m_notify, struct sctp_send_failed_event *);
2985		memset(ssfe, 0, length);
2986		ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
2987		if (sent) {
2988			ssfe->ssfe_flags = SCTP_DATA_SENT;
2989		} else {
2990			ssfe->ssfe_flags = SCTP_DATA_UNSENT;
2991		}
2992		length += chk->send_size;
2993		length -= sizeof(struct sctp_data_chunk);
2994		ssfe->ssfe_length = length;
2995		ssfe->ssfe_error = error;
2996		/* not exactly what the user sent in, but should be close :) */
2997		ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
2998		ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
2999		ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
3000		ssfe->ssfe_info.snd_context = chk->rec.data.context;
3001		ssfe->ssfe_info.snd_assoc_id = sctp_get_associd(stcb);
3002		ssfe->ssfe_assoc_id = sctp_get_associd(stcb);
3003		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
3004	} else {
3005		ssf = mtod(m_notify, struct sctp_send_failed *);
3006		memset(ssf, 0, length);
3007		ssf->ssf_type = SCTP_SEND_FAILED;
3008		if (sent) {
3009			ssf->ssf_flags = SCTP_DATA_SENT;
3010		} else {
3011			ssf->ssf_flags = SCTP_DATA_UNSENT;
3012		}
3013		length += chk->send_size;
3014		length -= sizeof(struct sctp_data_chunk);
3015		ssf->ssf_length = length;
3016		ssf->ssf_error = error;
3017		/* not exactly what the user sent in, but should be close :) */
3018		bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
3019		ssf->ssf_info.sinfo_stream = chk->rec.data.stream_number;
3020		ssf->ssf_info.sinfo_ssn = chk->rec.data.stream_seq;
3021		ssf->ssf_info.sinfo_flags = chk->rec.data.rcv_flags;
3022		ssf->ssf_info.sinfo_ppid = chk->rec.data.payloadtype;
3023		ssf->ssf_info.sinfo_context = chk->rec.data.context;
3024		ssf->ssf_info.sinfo_assoc_id = sctp_get_associd(stcb);
3025		ssf->ssf_assoc_id = sctp_get_associd(stcb);
3026		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed);
3027	}
3028	if (chk->data) {
3029		/*
3030		 * trim off the sctp chunk header(it should
3031		 * be there)
3032		 */
3033		if (chk->send_size >= sizeof(struct sctp_data_chunk)) {
3034			m_adj(chk->data, sizeof(struct sctp_data_chunk));
3035			sctp_mbuf_crush(chk->data);
3036			chk->send_size -= sizeof(struct sctp_data_chunk);
3037		}
3038	}
3039	SCTP_BUF_NEXT(m_notify) = chk->data;
3040	/* Steal off the mbuf */
3041	chk->data = NULL;
3042	/*
3043	 * For this case, we check the actual socket buffer, since the assoc
3044	 * is going away we don't want to overfill the socket buffer for a
3045	 * non-reader
3046	 */
3047	if (sctp_sbspace_failedmsgs(&stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
3048		sctp_m_freem(m_notify);
3049		return;
3050	}
3051	/* append to socket */
3052	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
3053	                                 0, 0, stcb->asoc.context, 0, 0, 0,
3054	                                 m_notify);
3055	if (control == NULL) {
3056		/* no memory */
3057		sctp_m_freem(m_notify);
3058		return;
3059	}
3060	control->spec_flags = M_NOTIFICATION;
3061	sctp_add_to_readq(stcb->sctp_ep, stcb,
3062	                  control,
3063	                  &stcb->sctp_socket->so_rcv, 1,
3064	                  SCTP_READ_LOCK_NOT_HELD,
3065	                  so_locked);
3066}
3067
3068
3069static void
3070sctp_notify_send_failed2(struct sctp_tcb *stcb, uint32_t error,
3071			 struct sctp_stream_queue_pending *sp, int so_locked
3072#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
3073                         SCTP_UNUSED
3074#endif
3075                         )
3076{
3077	struct mbuf *m_notify;
3078	struct sctp_send_failed *ssf;
3079	struct sctp_send_failed_event *ssfe;
3080	struct sctp_queued_to_read *control;
3081	int length;
3082
3083	if ((stcb == NULL) ||
3084	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVSENDFAILEVNT) &&
3085	     sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT))) {
3086		/* event not enabled */
3087		return;
3088	}
3089	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
3090		length = sizeof(struct sctp_send_failed_event);
3091	} else {
3092		length = sizeof(struct sctp_send_failed);
3093	}
3094	m_notify = sctp_get_mbuf_for_msg(length, 0, M_NOWAIT, 1, MT_DATA);
3095	if (m_notify == NULL) {
3096		/* no space left */
3097		return;
3098	}
3099	SCTP_BUF_LEN(m_notify) = 0;
3100	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
3101		ssfe = mtod(m_notify, struct sctp_send_failed_event *);
3102		memset(ssfe, 0, length);
3103		ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
3104		ssfe->ssfe_flags = SCTP_DATA_UNSENT;
3105		length += sp->length;
3106		ssfe->ssfe_length = length;
3107		ssfe->ssfe_error = error;
3108		/* not exactly what the user sent in, but should be close :) */
3109		ssfe->ssfe_info.snd_sid = sp->stream;
3110		if (sp->some_taken) {
3111			ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
3112		} else {
3113			ssfe->ssfe_info.snd_flags = SCTP_DATA_NOT_FRAG;
3114		}
3115		ssfe->ssfe_info.snd_ppid = sp->ppid;
3116		ssfe->ssfe_info.snd_context = sp->context;
3117		ssfe->ssfe_info.snd_assoc_id = sctp_get_associd(stcb);
3118		ssfe->ssfe_assoc_id = sctp_get_associd(stcb);
3119		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
3120	} else {
3121		ssf = mtod(m_notify, struct sctp_send_failed *);
3122		memset(ssf, 0, length);
3123		ssf->ssf_type = SCTP_SEND_FAILED;
3124		ssf->ssf_flags = SCTP_DATA_UNSENT;
3125		length += sp->length;
3126		ssf->ssf_length = length;
3127		ssf->ssf_error = error;
3128		/* not exactly what the user sent in, but should be close :) */
3129		ssf->ssf_info.sinfo_stream = sp->stream;
3130		ssf->ssf_info.sinfo_ssn = 0;
3131		if (sp->some_taken) {
3132			ssf->ssf_info.sinfo_flags = SCTP_DATA_LAST_FRAG;
3133		} else {
3134			ssf->ssf_info.sinfo_flags = SCTP_DATA_NOT_FRAG;
3135		}
3136		ssf->ssf_info.sinfo_ppid = sp->ppid;
3137		ssf->ssf_info.sinfo_context = sp->context;
3138		ssf->ssf_info.sinfo_assoc_id = sctp_get_associd(stcb);
3139		ssf->ssf_assoc_id = sctp_get_associd(stcb);
3140		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed);
3141	}
3142	SCTP_BUF_NEXT(m_notify) = sp->data;
3143
3144	/* Steal off the mbuf */
3145	sp->data = NULL;
3146	/*
3147	 * For this case, we check the actual socket buffer, since the assoc
3148	 * is going away we don't want to overfill the socket buffer for a
3149	 * non-reader
3150	 */
3151	if (sctp_sbspace_failedmsgs(&stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
3152		sctp_m_freem(m_notify);
3153		return;
3154	}
3155	/* append to socket */
3156	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
3157	                                 0, 0, stcb->asoc.context, 0, 0, 0,
3158	                                 m_notify);
3159	if (control == NULL) {
3160		/* no memory */
3161		sctp_m_freem(m_notify);
3162		return;
3163	}
3164	control->spec_flags = M_NOTIFICATION;
3165	sctp_add_to_readq(stcb->sctp_ep, stcb,
3166	    control,
3167	    &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_NOT_HELD, so_locked);
3168}
3169
3170
3171
3172static void
3173sctp_notify_adaptation_layer(struct sctp_tcb *stcb)
3174{
3175	struct mbuf *m_notify;
3176	struct sctp_adaptation_event *sai;
3177	struct sctp_queued_to_read *control;
3178
3179	if ((stcb == NULL) ||
3180	    sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ADAPTATIONEVNT)) {
3181		/* event not enabled */
3182		return;
3183	}
3184
3185	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_adaption_event), 0, M_NOWAIT, 1, MT_DATA);
3186	if (m_notify == NULL)
3187		/* no space left */
3188		return;
3189	SCTP_BUF_LEN(m_notify) = 0;
3190	sai = mtod(m_notify, struct sctp_adaptation_event *);
3191	memset(sai, 0, sizeof(struct sctp_adaptation_event));
3192	sai->sai_type = SCTP_ADAPTATION_INDICATION;
3193	sai->sai_flags = 0;
3194	sai->sai_length = sizeof(struct sctp_adaptation_event);
3195	sai->sai_adaptation_ind = stcb->asoc.peers_adaptation;
3196	sai->sai_assoc_id = sctp_get_associd(stcb);
3197
3198	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_adaptation_event);
3199	SCTP_BUF_NEXT(m_notify) = NULL;
3200
3201	/* append to socket */
3202	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
3203	                                 0, 0, stcb->asoc.context, 0, 0, 0,
3204	                                 m_notify);
3205	if (control == NULL) {
3206		/* no memory */
3207		sctp_m_freem(m_notify);
3208		return;
3209	}
3210	control->length = SCTP_BUF_LEN(m_notify);
3211	control->spec_flags = M_NOTIFICATION;
3212	/* not that we need this */
3213	control->tail_mbuf = m_notify;
3214	sctp_add_to_readq(stcb->sctp_ep, stcb,
3215	    control,
3216	    &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
3217}
3218
3219/* This always must be called with the read-queue LOCKED in the INP */
3220static void
3221sctp_notify_partial_delivery_indication(struct sctp_tcb *stcb, uint32_t error,
3222					uint32_t val, int so_locked
3223#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
3224                             SCTP_UNUSED
3225#endif
3226                                        )
3227{
3228	struct mbuf *m_notify;
3229	struct sctp_pdapi_event *pdapi;
3230	struct sctp_queued_to_read *control;
3231	struct sockbuf *sb;
3232
3233	if ((stcb == NULL) ||
3234	    sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_PDAPIEVNT)) {
3235		/* event not enabled */
3236		return;
3237	}
3238	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_CANT_READ) {
3239		return;
3240	}
3241
3242	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_pdapi_event), 0, M_NOWAIT, 1, MT_DATA);
3243	if (m_notify == NULL)
3244		/* no space left */
3245		return;
3246	SCTP_BUF_LEN(m_notify) = 0;
3247	pdapi = mtod(m_notify, struct sctp_pdapi_event *);
3248	memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
3249	pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
3250	pdapi->pdapi_flags = 0;
3251	pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
3252	pdapi->pdapi_indication = error;
3253	pdapi->pdapi_stream = (val >> 16);
3254	pdapi->pdapi_seq = (val & 0x0000ffff);
3255	pdapi->pdapi_assoc_id = sctp_get_associd(stcb);
3256
3257	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_pdapi_event);
3258	SCTP_BUF_NEXT(m_notify) = NULL;
3259	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
3260					 0, 0, stcb->asoc.context, 0, 0, 0,
3261					 m_notify);
3262	if (control == NULL) {
3263		/* no memory */
3264		sctp_m_freem(m_notify);
3265		return;
3266	}
3267	control->spec_flags = M_NOTIFICATION;
3268	control->length = SCTP_BUF_LEN(m_notify);
3269	/* not that we need this */
3270	control->tail_mbuf = m_notify;
3271	control->held_length = 0;
3272	control->length = 0;
3273	sb = &stcb->sctp_socket->so_rcv;
3274	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
3275		sctp_sblog(sb, control->do_not_ref_stcb?NULL:stcb, SCTP_LOG_SBALLOC, SCTP_BUF_LEN(m_notify));
3276	}
3277	sctp_sballoc(stcb, sb, m_notify);
3278	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
3279		sctp_sblog(sb, control->do_not_ref_stcb?NULL:stcb, SCTP_LOG_SBRESULT, 0);
3280	}
3281	atomic_add_int(&control->length, SCTP_BUF_LEN(m_notify));
3282	control->end_added = 1;
3283	if (stcb->asoc.control_pdapi)
3284		TAILQ_INSERT_AFTER(&stcb->sctp_ep->read_queue, stcb->asoc.control_pdapi,  control, next);
3285	else {
3286		/* we really should not see this case */
3287		TAILQ_INSERT_TAIL(&stcb->sctp_ep->read_queue, control, next);
3288	}
3289	if (stcb->sctp_ep && stcb->sctp_socket) {
3290		/* This should always be the case */
3291#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3292		struct socket *so;
3293
3294		so = SCTP_INP_SO(stcb->sctp_ep);
3295		if (!so_locked) {
3296			atomic_add_int(&stcb->asoc.refcnt, 1);
3297			SCTP_TCB_UNLOCK(stcb);
3298			SCTP_SOCKET_LOCK(so, 1);
3299			SCTP_TCB_LOCK(stcb);
3300			atomic_subtract_int(&stcb->asoc.refcnt, 1);
3301			if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3302				SCTP_SOCKET_UNLOCK(so, 1);
3303				return;
3304			}
3305		}
3306#endif
3307		sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
3308#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3309		if (!so_locked) {
3310			SCTP_SOCKET_UNLOCK(so, 1);
3311		}
3312#endif
3313	}
3314}
3315
3316static void
3317sctp_notify_shutdown_event(struct sctp_tcb *stcb)
3318{
3319	struct mbuf *m_notify;
3320	struct sctp_shutdown_event *sse;
3321	struct sctp_queued_to_read *control;
3322
3323	/*
3324	 * For TCP model AND UDP connected sockets we will send an error up
3325	 * when an SHUTDOWN completes
3326	 */
3327	if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
3328	    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
3329		/* mark socket closed for read/write and wakeup! */
3330#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3331		struct socket *so;
3332
3333		so = SCTP_INP_SO(stcb->sctp_ep);
3334		atomic_add_int(&stcb->asoc.refcnt, 1);
3335		SCTP_TCB_UNLOCK(stcb);
3336		SCTP_SOCKET_LOCK(so, 1);
3337		SCTP_TCB_LOCK(stcb);
3338		atomic_subtract_int(&stcb->asoc.refcnt, 1);
3339		if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
3340			SCTP_SOCKET_UNLOCK(so, 1);
3341			return;
3342		}
3343#endif
3344		socantsendmore(stcb->sctp_socket);
3345#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3346		SCTP_SOCKET_UNLOCK(so, 1);
3347#endif
3348	}
3349	if (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVSHUTDOWNEVNT)) {
3350		/* event not enabled */
3351		return;
3352	}
3353
3354	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_event), 0, M_NOWAIT, 1, MT_DATA);
3355	if (m_notify == NULL)
3356		/* no space left */
3357		return;
3358	sse = mtod(m_notify, struct sctp_shutdown_event *);
3359	memset(sse, 0, sizeof(struct sctp_shutdown_event));
3360	sse->sse_type = SCTP_SHUTDOWN_EVENT;
3361	sse->sse_flags = 0;
3362	sse->sse_length = sizeof(struct sctp_shutdown_event);
3363	sse->sse_assoc_id = sctp_get_associd(stcb);
3364
3365	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_shutdown_event);
3366	SCTP_BUF_NEXT(m_notify) = NULL;
3367
3368	/* append to socket */
3369	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
3370	                                 0, 0, stcb->asoc.context, 0, 0, 0,
3371	                                 m_notify);
3372	if (control == NULL) {
3373		/* no memory */
3374		sctp_m_freem(m_notify);
3375		return;
3376	}
3377	control->spec_flags = M_NOTIFICATION;
3378	control->length = SCTP_BUF_LEN(m_notify);
3379	/* not that we need this */
3380	control->tail_mbuf = m_notify;
3381	sctp_add_to_readq(stcb->sctp_ep, stcb,
3382	    control,
3383	    &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
3384}
3385
3386static void
3387sctp_notify_sender_dry_event(struct sctp_tcb *stcb,
3388                             int so_locked
3389#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
3390                             SCTP_UNUSED
3391#endif
3392                             )
3393{
3394	struct mbuf *m_notify;
3395	struct sctp_sender_dry_event *event;
3396	struct sctp_queued_to_read *control;
3397
3398	if ((stcb == NULL) ||
3399	    sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_DRYEVNT)) {
3400		/* event not enabled */
3401		return;
3402	}
3403
3404	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_sender_dry_event), 0, M_NOWAIT, 1, MT_DATA);
3405	if (m_notify == NULL) {
3406		/* no space left */
3407		return;
3408	}
3409	SCTP_BUF_LEN(m_notify) = 0;
3410	event = mtod(m_notify, struct sctp_sender_dry_event *);
3411	memset(event, 0, sizeof(struct sctp_sender_dry_event));
3412	event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
3413	event->sender_dry_flags = 0;
3414	event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
3415	event->sender_dry_assoc_id = sctp_get_associd(stcb);
3416
3417	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_sender_dry_event);
3418	SCTP_BUF_NEXT(m_notify) = NULL;
3419
3420	/* append to socket */
3421	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
3422	                                 0, 0, stcb->asoc.context, 0, 0, 0,
3423	                                 m_notify);
3424	if (control == NULL) {
3425		/* no memory */
3426		sctp_m_freem(m_notify);
3427		return;
3428	}
3429	control->length = SCTP_BUF_LEN(m_notify);
3430	control->spec_flags = M_NOTIFICATION;
3431	/* not that we need this */
3432	control->tail_mbuf = m_notify;
3433	sctp_add_to_readq(stcb->sctp_ep, stcb, control,
3434	                  &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_NOT_HELD, so_locked);
3435}
3436
3437
3438void
3439sctp_notify_stream_reset_add(struct sctp_tcb *stcb, uint16_t numberin, uint16_t numberout, int flag)
3440{
3441	struct mbuf *m_notify;
3442	struct sctp_queued_to_read *control;
3443	struct sctp_stream_change_event *stradd;
3444
3445	if ((stcb == NULL) ||
3446	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
3447		/* event not enabled */
3448		return;
3449	}
3450	if ((stcb->asoc.peer_req_out) && flag) {
3451		/* Peer made the request, don't tell the local user */
3452		stcb->asoc.peer_req_out = 0;
3453		return;
3454	}
3455	stcb->asoc.peer_req_out = 0;
3456	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_NOWAIT, 1, MT_DATA);
3457	if (m_notify == NULL)
3458		/* no space left */
3459		return;
3460	SCTP_BUF_LEN(m_notify) = 0;
3461	stradd = mtod(m_notify, struct sctp_stream_change_event *);
3462	memset(stradd, 0, sizeof(struct sctp_stream_change_event));
3463	stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
3464	stradd->strchange_flags = flag;
3465	stradd->strchange_length = sizeof(struct sctp_stream_change_event);
3466	stradd->strchange_assoc_id = sctp_get_associd(stcb);
3467	stradd->strchange_instrms = numberin;
3468	stradd->strchange_outstrms = numberout;
3469	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
3470	SCTP_BUF_NEXT(m_notify) = NULL;
3471	if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
3472		/* no space */
3473		sctp_m_freem(m_notify);
3474		return;
3475	}
3476	/* append to socket */
3477	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
3478	                                 0, 0, stcb->asoc.context, 0, 0, 0,
3479	                                 m_notify);
3480	if (control == NULL) {
3481		/* no memory */
3482		sctp_m_freem(m_notify);
3483		return;
3484	}
3485	control->spec_flags = M_NOTIFICATION;
3486	control->length = SCTP_BUF_LEN(m_notify);
3487	/* not that we need this */
3488	control->tail_mbuf = m_notify;
3489	sctp_add_to_readq(stcb->sctp_ep, stcb,
3490	    control,
3491	    &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
3492}
3493
3494void
3495sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb, uint32_t sending_tsn, uint32_t recv_tsn, int flag)
3496{
3497	struct mbuf *m_notify;
3498	struct sctp_queued_to_read *control;
3499	struct sctp_assoc_reset_event *strasoc;
3500
3501	if ((stcb == NULL) ||
3502	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
3503		/* event not enabled */
3504		return;
3505	}
3506	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_NOWAIT, 1, MT_DATA);
3507	if (m_notify == NULL)
3508		/* no space left */
3509		return;
3510	SCTP_BUF_LEN(m_notify) = 0;
3511	strasoc = mtod(m_notify, struct sctp_assoc_reset_event  *);
3512	memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
3513	strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
3514	strasoc->assocreset_flags = flag;
3515	strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
3516	strasoc->assocreset_assoc_id= sctp_get_associd(stcb);
3517	strasoc->assocreset_local_tsn = sending_tsn;
3518	strasoc->assocreset_remote_tsn = recv_tsn;
3519	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
3520	SCTP_BUF_NEXT(m_notify) = NULL;
3521	if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
3522		/* no space */
3523		sctp_m_freem(m_notify);
3524		return;
3525	}
3526	/* append to socket */
3527	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
3528	                                 0, 0, stcb->asoc.context, 0, 0, 0,
3529	                                 m_notify);
3530	if (control == NULL) {
3531		/* no memory */
3532		sctp_m_freem(m_notify);
3533		return;
3534	}
3535	control->spec_flags = M_NOTIFICATION;
3536	control->length = SCTP_BUF_LEN(m_notify);
3537	/* not that we need this */
3538	control->tail_mbuf = m_notify;
3539	sctp_add_to_readq(stcb->sctp_ep, stcb,
3540	    control,
3541	    &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
3542}
3543
3544
3545
3546static void
3547sctp_notify_stream_reset(struct sctp_tcb *stcb,
3548    int number_entries, uint16_t * list, int flag)
3549{
3550	struct mbuf *m_notify;
3551	struct sctp_queued_to_read *control;
3552	struct sctp_stream_reset_event *strreset;
3553	int len;
3554
3555	if ((stcb == NULL) ||
3556	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_RESETEVNT))) {
3557		/* event not enabled */
3558		return;
3559	}
3560
3561	m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
3562	if (m_notify == NULL)
3563		/* no space left */
3564		return;
3565	SCTP_BUF_LEN(m_notify) = 0;
3566	len = sizeof(struct sctp_stream_reset_event) + (number_entries * sizeof(uint16_t));
3567	if (len > M_TRAILINGSPACE(m_notify)) {
3568		/* never enough room */
3569		sctp_m_freem(m_notify);
3570		return;
3571	}
3572	strreset = mtod(m_notify, struct sctp_stream_reset_event *);
3573	memset(strreset, 0, len);
3574	strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
3575	strreset->strreset_flags = flag;
3576	strreset->strreset_length = len;
3577	strreset->strreset_assoc_id = sctp_get_associd(stcb);
3578	if (number_entries) {
3579		int i;
3580
3581		for (i = 0; i < number_entries; i++) {
3582			strreset->strreset_stream_list[i] = ntohs(list[i]);
3583		}
3584	}
3585	SCTP_BUF_LEN(m_notify) = len;
3586	SCTP_BUF_NEXT(m_notify) = NULL;
3587	if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
3588		/* no space */
3589		sctp_m_freem(m_notify);
3590		return;
3591	}
3592	/* append to socket */
3593	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
3594	                                 0, 0, stcb->asoc.context, 0, 0, 0,
3595	                                 m_notify);
3596	if (control == NULL) {
3597		/* no memory */
3598		sctp_m_freem(m_notify);
3599		return;
3600	}
3601	control->spec_flags = M_NOTIFICATION;
3602	control->length = SCTP_BUF_LEN(m_notify);
3603	/* not that we need this */
3604	control->tail_mbuf = m_notify;
3605	sctp_add_to_readq(stcb->sctp_ep, stcb,
3606	                  control,
3607	                  &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
3608}
3609
3610
3611static void
3612sctp_notify_remote_error(struct sctp_tcb *stcb, uint16_t error, struct sctp_error_chunk *chunk)
3613{
3614	struct mbuf *m_notify;
3615	struct sctp_remote_error *sre;
3616	struct sctp_queued_to_read *control;
3617	size_t notif_len, chunk_len;
3618
3619	if ((stcb == NULL) ||
3620	    sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVPEERERR)) {
3621		return;
3622	}
3623	if (chunk != NULL) {
3624		chunk_len = ntohs(chunk->ch.chunk_length);
3625	} else {
3626		chunk_len = 0;
3627	}
3628	notif_len = sizeof(struct sctp_remote_error) + chunk_len;
3629	m_notify = sctp_get_mbuf_for_msg(notif_len, 0, M_NOWAIT, 1, MT_DATA);
3630	if (m_notify == NULL) {
3631		/* Retry with smaller value. */
3632		notif_len = sizeof(struct sctp_remote_error);
3633		m_notify = sctp_get_mbuf_for_msg(notif_len, 0, M_NOWAIT, 1, MT_DATA);
3634		if (m_notify == NULL) {
3635			return;
3636		}
3637	}
3638	SCTP_BUF_NEXT(m_notify) = NULL;
3639	sre = mtod(m_notify, struct sctp_remote_error *);
3640	memset(sre, 0, notif_len);
3641	sre->sre_type = SCTP_REMOTE_ERROR;
3642	sre->sre_flags = 0;
3643	sre->sre_length = sizeof(struct sctp_remote_error);
3644	sre->sre_error = error;
3645	sre->sre_assoc_id = sctp_get_associd(stcb);
3646	if (notif_len > sizeof(struct sctp_remote_error)) {
3647		memcpy(sre->sre_data, chunk, chunk_len);
3648		sre->sre_length += chunk_len;
3649	}
3650	SCTP_BUF_LEN(m_notify) = sre->sre_length;
3651	control = sctp_build_readq_entry(stcb, stcb->asoc.primary_destination,
3652	                                 0, 0, stcb->asoc.context, 0, 0, 0,
3653	                                 m_notify);
3654	if (control != NULL) {
3655		control->length = SCTP_BUF_LEN(m_notify);
3656		/* not that we need this */
3657		control->tail_mbuf = m_notify;
3658		control->spec_flags = M_NOTIFICATION;
3659		sctp_add_to_readq(stcb->sctp_ep, stcb,
3660		                  control,
3661		                  &stcb->sctp_socket->so_rcv, 1,
3662				  SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
3663	} else {
3664		sctp_m_freem(m_notify);
3665	}
3666}
3667
3668
3669void
3670sctp_ulp_notify(uint32_t notification, struct sctp_tcb *stcb,
3671    uint32_t error, void *data, int so_locked
3672#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
3673    SCTP_UNUSED
3674#endif
3675    )
3676{
3677	if ((stcb == NULL) ||
3678	    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
3679	    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
3680	    (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) {
3681		/* If the socket is gone we are out of here */
3682		return;
3683	}
3684#if (defined(__FreeBSD__) && __FreeBSD_version > 500000) || defined(__Windows__)
3685	if (stcb->sctp_socket->so_rcv.sb_state & SBS_CANTRCVMORE) {
3686#else
3687	if (stcb->sctp_socket->so_state & SS_CANTRCVMORE) {
3688#endif
3689		return;
3690	}
3691#if defined(__APPLE__)
3692	if (so_locked) {
3693		sctp_lock_assert(SCTP_INP_SO(stcb->sctp_ep));
3694	} else {
3695		sctp_unlock_assert(SCTP_INP_SO(stcb->sctp_ep));
3696	}
3697#endif
3698	if ((stcb->asoc.state & SCTP_STATE_COOKIE_WAIT) ||
3699	    (stcb->asoc.state &  SCTP_STATE_COOKIE_ECHOED)) {
3700		if ((notification == SCTP_NOTIFY_INTERFACE_DOWN) ||
3701		    (notification == SCTP_NOTIFY_INTERFACE_UP) ||
3702		    (notification == SCTP_NOTIFY_INTERFACE_CONFIRMED)) {
3703			/* Don't report these in front states */
3704			return;
3705		}
3706	}
3707	switch (notification) {
3708	case SCTP_NOTIFY_ASSOC_UP:
3709		if (stcb->asoc.assoc_up_sent == 0) {
3710			sctp_notify_assoc_change(SCTP_COMM_UP, stcb, error, NULL, 0, so_locked);
3711			stcb->asoc.assoc_up_sent = 1;
3712		}
3713		if (stcb->asoc.adaptation_needed && (stcb->asoc.adaptation_sent == 0)) {
3714			sctp_notify_adaptation_layer(stcb);
3715		}
3716		if (stcb->asoc.auth_supported == 0) {
3717			sctp_ulp_notify(SCTP_NOTIFY_NO_PEER_AUTH, stcb, 0,
3718			                NULL, so_locked);
3719		}
3720		break;
3721	case SCTP_NOTIFY_ASSOC_DOWN:
3722		sctp_notify_assoc_change(SCTP_SHUTDOWN_COMP, stcb, error, NULL, 0, so_locked);
3723#if defined(__Userspace__)
3724		if (stcb->sctp_ep->recv_callback) {
3725			if (stcb->sctp_socket) {
3726				union sctp_sockstore addr;
3727				struct sctp_rcvinfo rcv;
3728
3729				memset(&addr, 0, sizeof(union sctp_sockstore));
3730				memset(&rcv, 0, sizeof(struct sctp_rcvinfo));
3731				atomic_add_int(&stcb->asoc.refcnt, 1);
3732				SCTP_TCB_UNLOCK(stcb);
3733				stcb->sctp_ep->recv_callback(stcb->sctp_socket, addr, NULL, 0, rcv, 0, stcb->sctp_ep->ulp_info);
3734				SCTP_TCB_LOCK(stcb);
3735				atomic_subtract_int(&stcb->asoc.refcnt, 1);
3736			}
3737		}
3738#endif
3739		break;
3740	case SCTP_NOTIFY_INTERFACE_DOWN:
3741		{
3742			struct sctp_nets *net;
3743
3744			net = (struct sctp_nets *)data;
3745			sctp_notify_peer_addr_change(stcb, SCTP_ADDR_UNREACHABLE,
3746			    (struct sockaddr *)&net->ro._l_addr, error);
3747			break;
3748		}
3749	case SCTP_NOTIFY_INTERFACE_UP:
3750		{
3751			struct sctp_nets *net;
3752
3753			net = (struct sctp_nets *)data;
3754			sctp_notify_peer_addr_change(stcb, SCTP_ADDR_AVAILABLE,
3755			    (struct sockaddr *)&net->ro._l_addr, error);
3756			break;
3757		}
3758	case SCTP_NOTIFY_INTERFACE_CONFIRMED:
3759		{
3760			struct sctp_nets *net;
3761
3762			net = (struct sctp_nets *)data;
3763			sctp_notify_peer_addr_change(stcb, SCTP_ADDR_CONFIRMED,
3764			    (struct sockaddr *)&net->ro._l_addr, error);
3765			break;
3766		}
3767	case SCTP_NOTIFY_SPECIAL_SP_FAIL:
3768		sctp_notify_send_failed2(stcb, error,
3769		                         (struct sctp_stream_queue_pending *)data, so_locked);
3770		break;
3771	case SCTP_NOTIFY_SENT_DG_FAIL:
3772		sctp_notify_send_failed(stcb, 1, error,
3773		    (struct sctp_tmit_chunk *)data, so_locked);
3774		break;
3775	case SCTP_NOTIFY_UNSENT_DG_FAIL:
3776		sctp_notify_send_failed(stcb, 0, error,
3777		                        (struct sctp_tmit_chunk *)data, so_locked);
3778		break;
3779	case SCTP_NOTIFY_PARTIAL_DELVIERY_INDICATION:
3780		{
3781			uint32_t val;
3782			val = *((uint32_t *)data);
3783
3784			sctp_notify_partial_delivery_indication(stcb, error, val, so_locked);
3785		break;
3786		}
3787	case SCTP_NOTIFY_ASSOC_LOC_ABORTED:
3788		if (((stcb->asoc.state & SCTP_STATE_MASK) == SCTP_STATE_COOKIE_WAIT) ||
3789		    ((stcb->asoc.state & SCTP_STATE_MASK) == SCTP_STATE_COOKIE_ECHOED)) {
3790			sctp_notify_assoc_change(SCTP_CANT_STR_ASSOC, stcb, error, data, 0, so_locked);
3791		} else {
3792			sctp_notify_assoc_change(SCTP_COMM_LOST, stcb, error, data, 0, so_locked);
3793		}
3794		break;
3795	case SCTP_NOTIFY_ASSOC_REM_ABORTED:
3796		if (((stcb->asoc.state & SCTP_STATE_MASK) == SCTP_STATE_COOKIE_WAIT) ||
3797		    ((stcb->asoc.state & SCTP_STATE_MASK) == SCTP_STATE_COOKIE_ECHOED)) {
3798			sctp_notify_assoc_change(SCTP_CANT_STR_ASSOC, stcb, error, data, 1, so_locked);
3799		} else {
3800			sctp_notify_assoc_change(SCTP_COMM_LOST, stcb, error, data, 1, so_locked);
3801		}
3802		break;
3803	case SCTP_NOTIFY_ASSOC_RESTART:
3804		sctp_notify_assoc_change(SCTP_RESTART, stcb, error, NULL, 0, so_locked);
3805		if (stcb->asoc.auth_supported == 0) {
3806			sctp_ulp_notify(SCTP_NOTIFY_NO_PEER_AUTH, stcb, 0,
3807			                NULL, so_locked);
3808		}
3809		break;
3810	case SCTP_NOTIFY_STR_RESET_SEND:
3811		sctp_notify_stream_reset(stcb, error, ((uint16_t *) data), SCTP_STREAM_RESET_OUTGOING_SSN);
3812		break;
3813	case SCTP_NOTIFY_STR_RESET_RECV:
3814		sctp_notify_stream_reset(stcb, error, ((uint16_t *) data), SCTP_STREAM_RESET_INCOMING);
3815		break;
3816	case SCTP_NOTIFY_STR_RESET_FAILED_OUT:
3817		sctp_notify_stream_reset(stcb, error, ((uint16_t *) data),
3818		                         (SCTP_STREAM_RESET_OUTGOING_SSN|SCTP_STREAM_RESET_FAILED));
3819		break;
3820	case SCTP_NOTIFY_STR_RESET_DENIED_OUT:
3821		sctp_notify_stream_reset(stcb, error, ((uint16_t *) data),
3822		                         (SCTP_STREAM_RESET_OUTGOING_SSN|SCTP_STREAM_RESET_DENIED));
3823		break;
3824	case SCTP_NOTIFY_STR_RESET_FAILED_IN:
3825		sctp_notify_stream_reset(stcb, error, ((uint16_t *) data),
3826		                         (SCTP_STREAM_RESET_INCOMING|SCTP_STREAM_RESET_FAILED));
3827		break;
3828	case SCTP_NOTIFY_STR_RESET_DENIED_IN:
3829		sctp_notify_stream_reset(stcb, error, ((uint16_t *) data),
3830		                         (SCTP_STREAM_RESET_INCOMING|SCTP_STREAM_RESET_DENIED));
3831		break;
3832	case SCTP_NOTIFY_ASCONF_ADD_IP:
3833		sctp_notify_peer_addr_change(stcb, SCTP_ADDR_ADDED, data,
3834		    error);
3835		break;
3836	case SCTP_NOTIFY_ASCONF_DELETE_IP:
3837		sctp_notify_peer_addr_change(stcb, SCTP_ADDR_REMOVED, data,
3838		                             error);
3839		break;
3840	case SCTP_NOTIFY_ASCONF_SET_PRIMARY:
3841		sctp_notify_peer_addr_change(stcb, SCTP_ADDR_MADE_PRIM, data,
3842		                             error);
3843		break;
3844	case SCTP_NOTIFY_PEER_SHUTDOWN:
3845		sctp_notify_shutdown_event(stcb);
3846		break;
3847	case SCTP_NOTIFY_AUTH_NEW_KEY:
3848		sctp_notify_authentication(stcb, SCTP_AUTH_NEW_KEY, error,
3849		                           (uint16_t)(uintptr_t)data,
3850		                           so_locked);
3851		break;
3852	case SCTP_NOTIFY_AUTH_FREE_KEY:
3853		sctp_notify_authentication(stcb, SCTP_AUTH_FREE_KEY, error,
3854		                           (uint16_t)(uintptr_t)data,
3855		                           so_locked);
3856		break;
3857	case SCTP_NOTIFY_NO_PEER_AUTH:
3858		sctp_notify_authentication(stcb, SCTP_AUTH_NO_AUTH, error,
3859		                           (uint16_t)(uintptr_t)data,
3860		                           so_locked);
3861		break;
3862	case SCTP_NOTIFY_SENDER_DRY:
3863		sctp_notify_sender_dry_event(stcb, so_locked);
3864		break;
3865	case SCTP_NOTIFY_REMOTE_ERROR:
3866		sctp_notify_remote_error(stcb, error, data);
3867		break;
3868	default:
3869		SCTPDBG(SCTP_DEBUG_UTIL1, "%s: unknown notification %xh (%u)\n",
3870			__FUNCTION__, notification, notification);
3871		break;
3872	}			/* end switch */
3873}
3874
3875void
3876sctp_report_all_outbound(struct sctp_tcb *stcb, uint16_t error, int holds_lock, int so_locked
3877#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
3878    SCTP_UNUSED
3879#endif
3880    )
3881{
3882	struct sctp_association *asoc;
3883	struct sctp_stream_out *outs;
3884	struct sctp_tmit_chunk *chk, *nchk;
3885	struct sctp_stream_queue_pending *sp, *nsp;
3886	int i;
3887
3888	if (stcb == NULL) {
3889		return;
3890	}
3891	asoc = &stcb->asoc;
3892	if (asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) {
3893		/* already being freed */
3894		return;
3895	}
3896#if defined(__APPLE__)
3897	if (so_locked) {
3898		sctp_lock_assert(SCTP_INP_SO(stcb->sctp_ep));
3899	} else {
3900		sctp_unlock_assert(SCTP_INP_SO(stcb->sctp_ep));
3901	}
3902#endif
3903	if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
3904	    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
3905	    (asoc->state & SCTP_STATE_CLOSED_SOCKET)) {
3906		return;
3907	}
3908	/* now through all the gunk freeing chunks */
3909	if (holds_lock == 0) {
3910		SCTP_TCB_SEND_LOCK(stcb);
3911	}
3912	/* sent queue SHOULD be empty */
3913	TAILQ_FOREACH_SAFE(chk, &asoc->sent_queue, sctp_next, nchk) {
3914		TAILQ_REMOVE(&asoc->sent_queue, chk, sctp_next);
3915		asoc->sent_queue_cnt--;
3916		if (chk->sent != SCTP_DATAGRAM_NR_ACKED) {
3917			if (asoc->strmout[chk->rec.data.stream_number].chunks_on_queues > 0) {
3918				asoc->strmout[chk->rec.data.stream_number].chunks_on_queues--;
3919#ifdef INVARIANTS
3920			} else {
3921				panic("No chunks on the queues for sid %u.", chk->rec.data.stream_number);
3922#endif
3923			}
3924		}
3925		if (chk->data != NULL) {
3926			sctp_free_bufspace(stcb, asoc, chk, 1);
3927			sctp_ulp_notify(SCTP_NOTIFY_SENT_DG_FAIL, stcb,
3928			                error, chk, so_locked);
3929			if (chk->data) {
3930				sctp_m_freem(chk->data);
3931				chk->data = NULL;
3932			}
3933		}
3934		sctp_free_a_chunk(stcb, chk, so_locked);
3935		/*sa_ignore FREED_MEMORY*/
3936	}
3937	/* pending send queue SHOULD be empty */
3938	TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
3939		TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next);
3940		asoc->send_queue_cnt--;
3941		if (asoc->strmout[chk->rec.data.stream_number].chunks_on_queues > 0) {
3942			asoc->strmout[chk->rec.data.stream_number].chunks_on_queues--;
3943#ifdef INVARIANTS
3944		} else {
3945			panic("No chunks on the queues for sid %u.", chk->rec.data.stream_number);
3946#endif
3947		}
3948		if (chk->data != NULL) {
3949			sctp_free_bufspace(stcb, asoc, chk, 1);
3950			sctp_ulp_notify(SCTP_NOTIFY_UNSENT_DG_FAIL, stcb,
3951			                error, chk, so_locked);
3952			if (chk->data) {
3953				sctp_m_freem(chk->data);
3954				chk->data = NULL;
3955			}
3956		}
3957		sctp_free_a_chunk(stcb, chk, so_locked);
3958		/*sa_ignore FREED_MEMORY*/
3959	}
3960	for (i = 0; i < asoc->streamoutcnt; i++) {
3961		/* For each stream */
3962		outs = &asoc->strmout[i];
3963		/* clean up any sends there */
3964		asoc->locked_on_sending = NULL;
3965		TAILQ_FOREACH_SAFE(sp, &outs->outqueue, next, nsp) {
3966			asoc->stream_queue_cnt--;
3967			TAILQ_REMOVE(&outs->outqueue, sp, next);
3968			sctp_free_spbufspace(stcb, asoc, sp);
3969			if (sp->data) {
3970				sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, stcb,
3971						error, (void *)sp, so_locked);
3972				if (sp->data) {
3973					sctp_m_freem(sp->data);
3974					sp->data = NULL;
3975					sp->tail_mbuf = NULL;
3976					sp->length = 0;
3977				}
3978			}
3979			if (sp->net) {
3980				sctp_free_remote_addr(sp->net);
3981				sp->net = NULL;
3982			}
3983			/* Free the chunk */
3984			sctp_free_a_strmoq(stcb, sp, so_locked);
3985			/*sa_ignore FREED_MEMORY*/
3986		}
3987	}
3988
3989	if (holds_lock == 0) {
3990		SCTP_TCB_SEND_UNLOCK(stcb);
3991	}
3992}
3993
3994void
3995sctp_abort_notification(struct sctp_tcb *stcb, uint8_t from_peer, uint16_t error,
3996			struct sctp_abort_chunk *abort, int so_locked
3997#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
3998    SCTP_UNUSED
3999#endif
4000    )
4001{
4002	if (stcb == NULL) {
4003		return;
4004	}
4005#if defined(__APPLE__)
4006	if (so_locked) {
4007		sctp_lock_assert(SCTP_INP_SO(stcb->sctp_ep));
4008	} else {
4009		sctp_unlock_assert(SCTP_INP_SO(stcb->sctp_ep));
4010	}
4011#endif
4012	if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL) ||
4013	    ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
4014	     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_CONNECTED))) {
4015		stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_WAS_ABORTED;
4016	}
4017	if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
4018	    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
4019	    (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) {
4020		return;
4021	}
4022	/* Tell them we lost the asoc */
4023	sctp_report_all_outbound(stcb, error, 1, so_locked);
4024	if (from_peer) {
4025		sctp_ulp_notify(SCTP_NOTIFY_ASSOC_REM_ABORTED, stcb, error, abort, so_locked);
4026	} else {
4027		sctp_ulp_notify(SCTP_NOTIFY_ASSOC_LOC_ABORTED, stcb, error, abort, so_locked);
4028	}
4029}
4030
4031void
4032sctp_abort_association(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
4033                       struct mbuf *m, int iphlen,
4034                       struct sockaddr *src, struct sockaddr *dst,
4035                       struct sctphdr *sh, struct mbuf *op_err,
4036#if defined(__FreeBSD__)
4037                       uint8_t use_mflowid, uint32_t mflowid,
4038#endif
4039                       uint32_t vrf_id, uint16_t port)
4040{
4041	uint32_t vtag;
4042#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4043	struct socket *so;
4044#endif
4045
4046	vtag = 0;
4047	if (stcb != NULL) {
4048		/* We have a TCB to abort, send notification too */
4049		vtag = stcb->asoc.peer_vtag;
4050		sctp_abort_notification(stcb, 0, 0, NULL, SCTP_SO_NOT_LOCKED);
4051		/* get the assoc vrf id and table id */
4052		vrf_id = stcb->asoc.vrf_id;
4053		stcb->asoc.state |= SCTP_STATE_WAS_ABORTED;
4054	}
4055	sctp_send_abort(m, iphlen, src, dst, sh, vtag, op_err,
4056#if defined(__FreeBSD__)
4057	                use_mflowid, mflowid,
4058#endif
4059	                vrf_id, port);
4060	if (stcb != NULL) {
4061		/* Ok, now lets free it */
4062#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4063		so = SCTP_INP_SO(inp);
4064		atomic_add_int(&stcb->asoc.refcnt, 1);
4065		SCTP_TCB_UNLOCK(stcb);
4066		SCTP_SOCKET_LOCK(so, 1);
4067		SCTP_TCB_LOCK(stcb);
4068		atomic_subtract_int(&stcb->asoc.refcnt, 1);
4069#endif
4070		SCTP_STAT_INCR_COUNTER32(sctps_aborted);
4071		if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) ||
4072		    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
4073			SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4074		}
4075		(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTPUTIL+SCTP_LOC_4);
4076#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4077		SCTP_SOCKET_UNLOCK(so, 1);
4078#endif
4079	}
4080}
4081#ifdef SCTP_ASOCLOG_OF_TSNS
4082void
4083sctp_print_out_track_log(struct sctp_tcb *stcb)
4084{
4085#ifdef NOSIY_PRINTS
4086	int i;
4087	SCTP_PRINTF("Last ep reason:%x\n", stcb->sctp_ep->last_abort_code);
4088	SCTP_PRINTF("IN bound TSN log-aaa\n");
4089	if ((stcb->asoc.tsn_in_at == 0) && (stcb->asoc.tsn_in_wrapped == 0)) {
4090		SCTP_PRINTF("None rcvd\n");
4091		goto none_in;
4092	}
4093	if (stcb->asoc.tsn_in_wrapped) {
4094		for (i = stcb->asoc.tsn_in_at; i < SCTP_TSN_LOG_SIZE; i++) {
4095			SCTP_PRINTF("TSN:%x strm:%d seq:%d flags:%x sz:%d\n",
4096				    stcb->asoc.in_tsnlog[i].tsn,
4097				    stcb->asoc.in_tsnlog[i].strm,
4098				    stcb->asoc.in_tsnlog[i].seq,
4099				    stcb->asoc.in_tsnlog[i].flgs,
4100				    stcb->asoc.in_tsnlog[i].sz);
4101		}
4102	}
4103	if (stcb->asoc.tsn_in_at) {
4104		for (i = 0; i < stcb->asoc.tsn_in_at; i++) {
4105			SCTP_PRINTF("TSN:%x strm:%d seq:%d flags:%x sz:%d\n",
4106				    stcb->asoc.in_tsnlog[i].tsn,
4107				    stcb->asoc.in_tsnlog[i].strm,
4108				    stcb->asoc.in_tsnlog[i].seq,
4109				    stcb->asoc.in_tsnlog[i].flgs,
4110				    stcb->asoc.in_tsnlog[i].sz);
4111		}
4112	}
4113 none_in:
4114	SCTP_PRINTF("OUT bound TSN log-aaa\n");
4115	if ((stcb->asoc.tsn_out_at == 0) &&
4116	    (stcb->asoc.tsn_out_wrapped == 0)) {
4117		SCTP_PRINTF("None sent\n");
4118	}
4119	if (stcb->asoc.tsn_out_wrapped) {
4120		for (i = stcb->asoc.tsn_out_at; i < SCTP_TSN_LOG_SIZE; i++) {
4121			SCTP_PRINTF("TSN:%x strm:%d seq:%d flags:%x sz:%d\n",
4122				    stcb->asoc.out_tsnlog[i].tsn,
4123				    stcb->asoc.out_tsnlog[i].strm,
4124				    stcb->asoc.out_tsnlog[i].seq,
4125				    stcb->asoc.out_tsnlog[i].flgs,
4126				    stcb->asoc.out_tsnlog[i].sz);
4127		}
4128	}
4129	if (stcb->asoc.tsn_out_at) {
4130		for (i = 0; i < stcb->asoc.tsn_out_at; i++) {
4131			SCTP_PRINTF("TSN:%x strm:%d seq:%d flags:%x sz:%d\n",
4132				    stcb->asoc.out_tsnlog[i].tsn,
4133				    stcb->asoc.out_tsnlog[i].strm,
4134				    stcb->asoc.out_tsnlog[i].seq,
4135				    stcb->asoc.out_tsnlog[i].flgs,
4136				    stcb->asoc.out_tsnlog[i].sz);
4137		}
4138	}
4139#endif
4140}
4141#endif
4142
4143void
4144sctp_abort_an_association(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
4145                          struct mbuf *op_err,
4146                          int so_locked
4147#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
4148                          SCTP_UNUSED
4149#endif
4150)
4151{
4152#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4153	struct socket *so;
4154#endif
4155
4156#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4157	so = SCTP_INP_SO(inp);
4158#endif
4159#if defined(__APPLE__)
4160	if (so_locked) {
4161		sctp_lock_assert(SCTP_INP_SO(inp));
4162	} else {
4163		sctp_unlock_assert(SCTP_INP_SO(inp));
4164	}
4165#endif
4166	if (stcb == NULL) {
4167		/* Got to have a TCB */
4168		if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4169			if (LIST_EMPTY(&inp->sctp_asoc_list)) {
4170#if defined(__APPLE__)
4171				if (!so_locked) {
4172					SCTP_SOCKET_LOCK(so, 1);
4173				}
4174#endif
4175				sctp_inpcb_free(inp, SCTP_FREE_SHOULD_USE_ABORT,
4176						SCTP_CALLED_DIRECTLY_NOCMPSET);
4177#if defined(__APPLE__)
4178				if (!so_locked) {
4179					SCTP_SOCKET_UNLOCK(so, 1);
4180				}
4181#endif
4182			}
4183		}
4184		return;
4185	} else {
4186		stcb->asoc.state |= SCTP_STATE_WAS_ABORTED;
4187	}
4188	/* notify the ulp */
4189	if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) == 0) {
4190		sctp_abort_notification(stcb, 0, 0, NULL, so_locked);
4191	}
4192	/* notify the peer */
4193	sctp_send_abort_tcb(stcb, op_err, so_locked);
4194	SCTP_STAT_INCR_COUNTER32(sctps_aborted);
4195	if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) ||
4196	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
4197		SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4198	}
4199	/* now free the asoc */
4200#ifdef SCTP_ASOCLOG_OF_TSNS
4201	sctp_print_out_track_log(stcb);
4202#endif
4203#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4204	if (!so_locked) {
4205		atomic_add_int(&stcb->asoc.refcnt, 1);
4206		SCTP_TCB_UNLOCK(stcb);
4207		SCTP_SOCKET_LOCK(so, 1);
4208		SCTP_TCB_LOCK(stcb);
4209		atomic_subtract_int(&stcb->asoc.refcnt, 1);
4210	}
4211#endif
4212	(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTPUTIL+SCTP_LOC_5);
4213#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4214	if (!so_locked) {
4215		SCTP_SOCKET_UNLOCK(so, 1);
4216	}
4217#endif
4218}
4219
4220void
4221sctp_handle_ootb(struct mbuf *m, int iphlen, int offset,
4222                 struct sockaddr *src, struct sockaddr *dst,
4223                 struct sctphdr *sh, struct sctp_inpcb *inp,
4224                 struct mbuf *cause,
4225#if defined(__FreeBSD__)
4226                 uint8_t use_mflowid, uint32_t mflowid,
4227#endif
4228                 uint32_t vrf_id, uint16_t port)
4229{
4230	struct sctp_chunkhdr *ch, chunk_buf;
4231	unsigned int chk_length;
4232	int contains_init_chunk;
4233
4234	SCTP_STAT_INCR_COUNTER32(sctps_outoftheblue);
4235	/* Generate a TO address for future reference */
4236	if (inp && (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE)) {
4237		if (LIST_EMPTY(&inp->sctp_asoc_list)) {
4238#if defined(__APPLE__)
4239			SCTP_SOCKET_LOCK(SCTP_INP_SO(inp), 1);
4240#endif
4241			sctp_inpcb_free(inp, SCTP_FREE_SHOULD_USE_ABORT,
4242					SCTP_CALLED_DIRECTLY_NOCMPSET);
4243#if defined(__APPLE__)
4244			SCTP_SOCKET_UNLOCK(SCTP_INP_SO(inp), 1);
4245#endif
4246		}
4247	}
4248	contains_init_chunk = 0;
4249	ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
4250	    sizeof(*ch), (uint8_t *) & chunk_buf);
4251	while (ch != NULL) {
4252		chk_length = ntohs(ch->chunk_length);
4253		if (chk_length < sizeof(*ch)) {
4254			/* break to abort land */
4255			break;
4256		}
4257		switch (ch->chunk_type) {
4258		case SCTP_INIT:
4259			contains_init_chunk = 1;
4260			break;
4261		case SCTP_PACKET_DROPPED:
4262			/* we don't respond to pkt-dropped */
4263			return;
4264		case SCTP_ABORT_ASSOCIATION:
4265			/* we don't respond with an ABORT to an ABORT */
4266			return;
4267		case SCTP_SHUTDOWN_COMPLETE:
4268			/*
4269			 * we ignore it since we are not waiting for it and
4270			 * peer is gone
4271			 */
4272			return;
4273		case SCTP_SHUTDOWN_ACK:
4274			sctp_send_shutdown_complete2(src, dst, sh,
4275#if defined(__FreeBSD__)
4276			                             use_mflowid, mflowid,
4277#endif
4278			                             vrf_id, port);
4279			return;
4280		default:
4281			break;
4282		}
4283		offset += SCTP_SIZE32(chk_length);
4284		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
4285		    sizeof(*ch), (uint8_t *) & chunk_buf);
4286	}
4287	if ((SCTP_BASE_SYSCTL(sctp_blackhole) == 0) ||
4288	    ((SCTP_BASE_SYSCTL(sctp_blackhole) == 1) &&
4289	     (contains_init_chunk == 0))) {
4290		sctp_send_abort(m, iphlen, src, dst, sh, 0, cause,
4291#if defined(__FreeBSD__)
4292		                use_mflowid, mflowid,
4293#endif
4294		                vrf_id, port);
4295	}
4296}
4297
4298/*
4299 * check the inbound datagram to make sure there is not an abort inside it,
4300 * if there is return 1, else return 0.
4301 */
4302int
4303sctp_is_there_an_abort_here(struct mbuf *m, int iphlen, uint32_t * vtagfill)
4304{
4305	struct sctp_chunkhdr *ch;
4306	struct sctp_init_chunk *init_chk, chunk_buf;
4307	int offset;
4308	unsigned int chk_length;
4309
4310	offset = iphlen + sizeof(struct sctphdr);
4311	ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset, sizeof(*ch),
4312	    (uint8_t *) & chunk_buf);
4313	while (ch != NULL) {
4314		chk_length = ntohs(ch->chunk_length);
4315		if (chk_length < sizeof(*ch)) {
4316			/* packet is probably corrupt */
4317			break;
4318		}
4319		/* we seem to be ok, is it an abort? */
4320		if (ch->chunk_type == SCTP_ABORT_ASSOCIATION) {
4321			/* yep, tell them */
4322			return (1);
4323		}
4324		if (ch->chunk_type == SCTP_INITIATION) {
4325			/* need to update the Vtag */
4326			init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m,
4327			    offset, sizeof(*init_chk), (uint8_t *) & chunk_buf);
4328			if (init_chk != NULL) {
4329				*vtagfill = ntohl(init_chk->init.initiate_tag);
4330			}
4331		}
4332		/* Nope, move to the next chunk */
4333		offset += SCTP_SIZE32(chk_length);
4334		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
4335		    sizeof(*ch), (uint8_t *) & chunk_buf);
4336	}
4337	return (0);
4338}
4339
4340/*
4341 * currently (2/02), ifa_addr embeds scope_id's and don't have sin6_scope_id
4342 * set (i.e. it's 0) so, create this function to compare link local scopes
4343 */
4344#ifdef INET6
4345uint32_t
4346sctp_is_same_scope(struct sockaddr_in6 *addr1, struct sockaddr_in6 *addr2)
4347{
4348#if defined(__Userspace__)
4349    /*__Userspace__ Returning 1 here always */
4350#endif
4351#if defined(SCTP_EMBEDDED_V6_SCOPE)
4352	struct sockaddr_in6 a, b;
4353
4354	/* save copies */
4355	a = *addr1;
4356	b = *addr2;
4357
4358	if (a.sin6_scope_id == 0)
4359#ifdef SCTP_KAME
4360		if (sa6_recoverscope(&a)) {
4361#else
4362		if (in6_recoverscope(&a, &a.sin6_addr, NULL)) {
4363#endif				/* SCTP_KAME */
4364			/* can't get scope, so can't match */
4365			return (0);
4366		}
4367	if (b.sin6_scope_id == 0)
4368#ifdef SCTP_KAME
4369		if (sa6_recoverscope(&b)) {
4370#else
4371		if (in6_recoverscope(&b, &b.sin6_addr, NULL)) {
4372#endif				/* SCTP_KAME */
4373			/* can't get scope, so can't match */
4374			return (0);
4375		}
4376	if (a.sin6_scope_id != b.sin6_scope_id)
4377		return (0);
4378#else
4379	if (addr1->sin6_scope_id != addr2->sin6_scope_id)
4380		return (0);
4381#endif /* SCTP_EMBEDDED_V6_SCOPE */
4382
4383	return (1);
4384}
4385
4386#if defined(SCTP_EMBEDDED_V6_SCOPE)
4387/*
4388 * returns a sockaddr_in6 with embedded scope recovered and removed
4389 */
4390struct sockaddr_in6 *
4391sctp_recover_scope(struct sockaddr_in6 *addr, struct sockaddr_in6 *store)
4392{
4393	/* check and strip embedded scope junk */
4394	if (addr->sin6_family == AF_INET6) {
4395		if (IN6_IS_SCOPE_LINKLOCAL(&addr->sin6_addr)) {
4396			if (addr->sin6_scope_id == 0) {
4397				*store = *addr;
4398#ifdef SCTP_KAME
4399				if (!sa6_recoverscope(store)) {
4400#else
4401				if (!in6_recoverscope(store, &store->sin6_addr,
4402				    NULL)) {
4403#endif /* SCTP_KAME */
4404					/* use the recovered scope */
4405					addr = store;
4406				}
4407			} else {
4408				/* else, return the original "to" addr */
4409				in6_clearscope(&addr->sin6_addr);
4410			}
4411		}
4412	}
4413	return (addr);
4414}
4415#endif /* SCTP_EMBEDDED_V6_SCOPE */
4416#endif
4417
4418/*
4419 * are the two addresses the same?  currently a "scopeless" check returns: 1
4420 * if same, 0 if not
4421 */
4422int
4423sctp_cmpaddr(struct sockaddr *sa1, struct sockaddr *sa2)
4424{
4425
4426	/* must be valid */
4427	if (sa1 == NULL || sa2 == NULL)
4428		return (0);
4429
4430	/* must be the same family */
4431	if (sa1->sa_family != sa2->sa_family)
4432		return (0);
4433
4434	switch (sa1->sa_family) {
4435#ifdef INET6
4436	case AF_INET6:
4437	{
4438		/* IPv6 addresses */
4439		struct sockaddr_in6 *sin6_1, *sin6_2;
4440
4441		sin6_1 = (struct sockaddr_in6 *)sa1;
4442		sin6_2 = (struct sockaddr_in6 *)sa2;
4443		return (SCTP6_ARE_ADDR_EQUAL(sin6_1,
4444		    sin6_2));
4445	}
4446#endif
4447#ifdef INET
4448	case AF_INET:
4449	{
4450		/* IPv4 addresses */
4451		struct sockaddr_in *sin_1, *sin_2;
4452
4453		sin_1 = (struct sockaddr_in *)sa1;
4454		sin_2 = (struct sockaddr_in *)sa2;
4455		return (sin_1->sin_addr.s_addr == sin_2->sin_addr.s_addr);
4456	}
4457#endif
4458#if defined(__Userspace__)
4459	case AF_CONN:
4460	{
4461		struct sockaddr_conn *sconn_1, *sconn_2;
4462
4463		sconn_1 = (struct sockaddr_conn *)sa1;
4464		sconn_2 = (struct sockaddr_conn *)sa2;
4465		return (sconn_1->sconn_addr == sconn_2->sconn_addr);
4466	}
4467#endif
4468	default:
4469		/* we don't do these... */
4470		return (0);
4471	}
4472}
4473
4474void
4475sctp_print_address(struct sockaddr *sa)
4476{
4477#ifdef INET6
4478#if defined(__FreeBSD__) && __FreeBSD_version >= 700000
4479	char ip6buf[INET6_ADDRSTRLEN];
4480#endif
4481#endif
4482
4483	switch (sa->sa_family) {
4484#ifdef INET6
4485	case AF_INET6:
4486	{
4487		struct sockaddr_in6 *sin6;
4488
4489		sin6 = (struct sockaddr_in6 *)sa;
4490#if defined(__Userspace__)
4491		SCTP_PRINTF("IPv6 address: %x:%x:%x:%x:%x:%x:%x:%x:port:%d scope:%u\n",
4492			    ntohs(sin6->sin6_addr.s6_addr16[0]),
4493			    ntohs(sin6->sin6_addr.s6_addr16[1]),
4494			    ntohs(sin6->sin6_addr.s6_addr16[2]),
4495			    ntohs(sin6->sin6_addr.s6_addr16[3]),
4496			    ntohs(sin6->sin6_addr.s6_addr16[4]),
4497			    ntohs(sin6->sin6_addr.s6_addr16[5]),
4498			    ntohs(sin6->sin6_addr.s6_addr16[6]),
4499			    ntohs(sin6->sin6_addr.s6_addr16[7]),
4500			    ntohs(sin6->sin6_port),
4501			    sin6->sin6_scope_id);
4502#else
4503#if defined(__FreeBSD__) && __FreeBSD_version >= 700000
4504		SCTP_PRINTF("IPv6 address: %s:port:%d scope:%u\n",
4505			    ip6_sprintf(ip6buf, &sin6->sin6_addr),
4506			    ntohs(sin6->sin6_port),
4507			    sin6->sin6_scope_id);
4508#else
4509		SCTP_PRINTF("IPv6 address: %s:port:%d scope:%u\n",
4510			    ip6_sprintf(&sin6->sin6_addr),
4511			    ntohs(sin6->sin6_port),
4512			    sin6->sin6_scope_id);
4513#endif
4514#endif
4515		break;
4516	}
4517#endif
4518#ifdef INET
4519	case AF_INET:
4520	{
4521		struct sockaddr_in *sin;
4522		unsigned char *p;
4523
4524		sin = (struct sockaddr_in *)sa;
4525		p = (unsigned char *)&sin->sin_addr;
4526		SCTP_PRINTF("IPv4 address: %u.%u.%u.%u:%d\n",
4527			    p[0], p[1], p[2], p[3], ntohs(sin->sin_port));
4528		break;
4529	}
4530#endif
4531#if defined(__Userspace__)
4532	case AF_CONN:
4533	{
4534		struct sockaddr_conn *sconn;
4535
4536		sconn = (struct sockaddr_conn *)sa;
4537		SCTP_PRINTF("AF_CONN address: %p\n", sconn->sconn_addr);
4538		break;
4539	}
4540#endif
4541	default:
4542		SCTP_PRINTF("?\n");
4543		break;
4544	}
4545}
4546
4547void
4548sctp_pull_off_control_to_new_inp(struct sctp_inpcb *old_inp,
4549    struct sctp_inpcb *new_inp,
4550    struct sctp_tcb *stcb,
4551    int waitflags)
4552{
4553	/*
4554	 * go through our old INP and pull off any control structures that
4555	 * belong to stcb and move then to the new inp.
4556	 */
4557	struct socket *old_so, *new_so;
4558	struct sctp_queued_to_read *control, *nctl;
4559	struct sctp_readhead tmp_queue;
4560	struct mbuf *m;
4561	int error = 0;
4562
4563	old_so = old_inp->sctp_socket;
4564	new_so = new_inp->sctp_socket;
4565	TAILQ_INIT(&tmp_queue);
4566#if defined(__FreeBSD__) && __FreeBSD_version < 700000
4567	SOCKBUF_LOCK(&(old_so->so_rcv));
4568#endif
4569#if defined(__FreeBSD__) || defined(__APPLE__)
4570	error = sblock(&old_so->so_rcv, waitflags);
4571#endif
4572#if defined(__FreeBSD__) && __FreeBSD_version < 700000
4573	SOCKBUF_UNLOCK(&(old_so->so_rcv));
4574#endif
4575	if (error) {
4576		/* Gak, can't get sblock, we have a problem.
4577		 * data will be left stranded.. and we
4578		 * don't dare look at it since the
4579		 * other thread may be reading something.
4580		 * Oh well, its a screwed up app that does
4581		 * a peeloff OR a accept while reading
4582		 * from the main socket... actually its
4583		 * only the peeloff() case, since I think
4584		 * read will fail on a listening socket..
4585		 */
4586		return;
4587	}
4588	/* lock the socket buffers */
4589	SCTP_INP_READ_LOCK(old_inp);
4590	TAILQ_FOREACH_SAFE(control, &old_inp->read_queue, next, nctl) {
4591		/* Pull off all for out target stcb */
4592		if (control->stcb == stcb) {
4593			/* remove it we want it */
4594			TAILQ_REMOVE(&old_inp->read_queue, control, next);
4595			TAILQ_INSERT_TAIL(&tmp_queue, control, next);
4596			m = control->data;
4597			while (m) {
4598				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
4599					sctp_sblog(&old_so->so_rcv, control->do_not_ref_stcb?NULL:stcb, SCTP_LOG_SBFREE,SCTP_BUF_LEN(m));
4600				}
4601				sctp_sbfree(control, stcb, &old_so->so_rcv, m);
4602				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
4603					sctp_sblog(&old_so->so_rcv, control->do_not_ref_stcb?NULL:stcb, SCTP_LOG_SBRESULT, 0);
4604				}
4605				m = SCTP_BUF_NEXT(m);
4606			}
4607		}
4608	}
4609	SCTP_INP_READ_UNLOCK(old_inp);
4610	/* Remove the sb-lock on the old socket */
4611#if defined(__FreeBSD__) && __FreeBSD_version < 700000
4612	SOCKBUF_LOCK(&(old_so->so_rcv));
4613#endif
4614#if defined(__APPLE__)
4615	sbunlock(&old_so->so_rcv, 1);
4616#endif
4617
4618#if defined(__FreeBSD__)
4619	sbunlock(&old_so->so_rcv);
4620#endif
4621#if defined(__FreeBSD__) && __FreeBSD_version < 700000
4622	SOCKBUF_UNLOCK(&(old_so->so_rcv));
4623#endif
4624	/* Now we move them over to the new socket buffer */
4625	SCTP_INP_READ_LOCK(new_inp);
4626	TAILQ_FOREACH_SAFE(control, &tmp_queue, next, nctl) {
4627		TAILQ_INSERT_TAIL(&new_inp->read_queue, control, next);
4628		m = control->data;
4629		while (m) {
4630			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
4631				sctp_sblog(&new_so->so_rcv, control->do_not_ref_stcb?NULL:stcb, SCTP_LOG_SBALLOC, SCTP_BUF_LEN(m));
4632			}
4633			sctp_sballoc(stcb, &new_so->so_rcv, m);
4634			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
4635				sctp_sblog(&new_so->so_rcv, control->do_not_ref_stcb?NULL:stcb, SCTP_LOG_SBRESULT, 0);
4636			}
4637			m = SCTP_BUF_NEXT(m);
4638		}
4639	}
4640	SCTP_INP_READ_UNLOCK(new_inp);
4641}
4642
4643void
4644sctp_add_to_readq(struct sctp_inpcb *inp,
4645    struct sctp_tcb *stcb,
4646    struct sctp_queued_to_read *control,
4647    struct sockbuf *sb,
4648    int end,
4649    int inp_read_lock_held,
4650    int so_locked
4651#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
4652    SCTP_UNUSED
4653#endif
4654    )
4655{
4656	/*
4657	 * Here we must place the control on the end of the socket read
4658	 * queue AND increment sb_cc so that select will work properly on
4659	 * read.
4660	 */
4661	struct mbuf *m, *prev = NULL;
4662
4663	if (inp == NULL) {
4664		/* Gak, TSNH!! */
4665#ifdef INVARIANTS
4666		panic("Gak, inp NULL on add_to_readq");
4667#endif
4668		return;
4669	}
4670#if defined(__APPLE__)
4671	if (so_locked) {
4672		sctp_lock_assert(SCTP_INP_SO(inp));
4673	} else {
4674		sctp_unlock_assert(SCTP_INP_SO(inp));
4675	}
4676#endif
4677	if (inp_read_lock_held == 0)
4678		SCTP_INP_READ_LOCK(inp);
4679	if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_CANT_READ) {
4680		sctp_free_remote_addr(control->whoFrom);
4681		if (control->data) {
4682			sctp_m_freem(control->data);
4683			control->data = NULL;
4684		}
4685		SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_readq), control);
4686		if (inp_read_lock_held == 0)
4687			SCTP_INP_READ_UNLOCK(inp);
4688		return;
4689	}
4690	if (!(control->spec_flags & M_NOTIFICATION)) {
4691		atomic_add_int(&inp->total_recvs, 1);
4692		if (!control->do_not_ref_stcb) {
4693			atomic_add_int(&stcb->total_recvs, 1);
4694		}
4695	}
4696	m = control->data;
4697	control->held_length = 0;
4698	control->length = 0;
4699	while (m) {
4700		if (SCTP_BUF_LEN(m) == 0) {
4701			/* Skip mbufs with NO length */
4702			if (prev == NULL) {
4703				/* First one */
4704				control->data = sctp_m_free(m);
4705				m = control->data;
4706			} else {
4707				SCTP_BUF_NEXT(prev) = sctp_m_free(m);
4708				m = SCTP_BUF_NEXT(prev);
4709			}
4710			if (m == NULL) {
4711				control->tail_mbuf = prev;
4712			}
4713			continue;
4714		}
4715		prev = m;
4716		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
4717			sctp_sblog(sb, control->do_not_ref_stcb?NULL:stcb, SCTP_LOG_SBALLOC, SCTP_BUF_LEN(m));
4718		}
4719		sctp_sballoc(stcb, sb, m);
4720		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
4721			sctp_sblog(sb, control->do_not_ref_stcb?NULL:stcb, SCTP_LOG_SBRESULT, 0);
4722		}
4723		atomic_add_int(&control->length, SCTP_BUF_LEN(m));
4724		m = SCTP_BUF_NEXT(m);
4725	}
4726	if (prev != NULL) {
4727		control->tail_mbuf = prev;
4728	} else {
4729		/* Everything got collapsed out?? */
4730		sctp_free_remote_addr(control->whoFrom);
4731		SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_readq), control);
4732		if (inp_read_lock_held == 0)
4733			SCTP_INP_READ_UNLOCK(inp);
4734		return;
4735	}
4736	if (end) {
4737		control->end_added = 1;
4738	}
4739#if defined(__Userspace__)
4740	if (inp->recv_callback) {
4741		if (inp_read_lock_held == 0)
4742			SCTP_INP_READ_UNLOCK(inp);
4743		if (control->end_added == 1) {
4744			struct socket *so;
4745			struct mbuf *m;
4746			char *buffer;
4747			struct sctp_rcvinfo rcv;
4748			union sctp_sockstore addr;
4749			int flags;
4750
4751			if ((buffer = malloc(control->length)) == NULL) {
4752				return;
4753			}
4754			so = stcb->sctp_socket;
4755			for (m = control->data; m; m = SCTP_BUF_NEXT(m)) {
4756				sctp_sbfree(control, control->stcb, &so->so_rcv, m);
4757			}
4758			atomic_add_int(&stcb->asoc.refcnt, 1);
4759			SCTP_TCB_UNLOCK(stcb);
4760			m_copydata(control->data, 0, control->length, buffer);
4761			memset(&rcv, 0, sizeof(struct sctp_rcvinfo));
4762			rcv.rcv_sid = control->sinfo_stream;
4763			rcv.rcv_ssn = control->sinfo_ssn;
4764			rcv.rcv_flags = control->sinfo_flags;
4765			rcv.rcv_ppid = control->sinfo_ppid;
4766			rcv.rcv_tsn = control->sinfo_tsn;
4767			rcv.rcv_cumtsn = control->sinfo_cumtsn;
4768			rcv.rcv_context = control->sinfo_context;
4769			rcv.rcv_assoc_id = control->sinfo_assoc_id;
4770			memset(&addr, 0, sizeof(union sctp_sockstore));
4771			switch (control->whoFrom->ro._l_addr.sa.sa_family) {
4772#ifdef INET
4773			case AF_INET:
4774				addr.sin = control->whoFrom->ro._l_addr.sin;
4775				break;
4776#endif
4777#ifdef INET6
4778			case AF_INET6:
4779				addr.sin6 = control->whoFrom->ro._l_addr.sin6;
4780				break;
4781#endif
4782			case AF_CONN:
4783				addr.sconn = control->whoFrom->ro._l_addr.sconn;
4784				break;
4785			default:
4786				addr.sa = control->whoFrom->ro._l_addr.sa;
4787				break;
4788			}
4789			flags = MSG_EOR;
4790			if (control->spec_flags & M_NOTIFICATION) {
4791				flags |= MSG_NOTIFICATION;
4792			}
4793			inp->recv_callback(so, addr, buffer, control->length, rcv, flags, inp->ulp_info);
4794			SCTP_TCB_LOCK(stcb);
4795			atomic_subtract_int(&stcb->asoc.refcnt, 1);
4796			sctp_free_remote_addr(control->whoFrom);
4797			control->whoFrom = NULL;
4798			sctp_m_freem(control->data);
4799			control->data = NULL;
4800			control->length = 0;
4801			sctp_free_a_readq(stcb, control);
4802		}
4803		return;
4804	}
4805#endif
4806	TAILQ_INSERT_TAIL(&inp->read_queue, control, next);
4807	if (inp_read_lock_held == 0)
4808		SCTP_INP_READ_UNLOCK(inp);
4809	if (inp && inp->sctp_socket) {
4810		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_ZERO_COPY_ACTIVE)) {
4811			SCTP_ZERO_COPY_EVENT(inp, inp->sctp_socket);
4812		} else {
4813#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4814			struct socket *so;
4815
4816			so = SCTP_INP_SO(inp);
4817			if (!so_locked) {
4818				if (stcb) {
4819					atomic_add_int(&stcb->asoc.refcnt, 1);
4820					SCTP_TCB_UNLOCK(stcb);
4821				}
4822				SCTP_SOCKET_LOCK(so, 1);
4823				if (stcb) {
4824					SCTP_TCB_LOCK(stcb);
4825					atomic_subtract_int(&stcb->asoc.refcnt, 1);
4826				}
4827				if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4828					SCTP_SOCKET_UNLOCK(so, 1);
4829					return;
4830				}
4831			}
4832#endif
4833			sctp_sorwakeup(inp, inp->sctp_socket);
4834#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4835			if (!so_locked) {
4836				SCTP_SOCKET_UNLOCK(so, 1);
4837			}
4838#endif
4839		}
4840	}
4841}
4842
4843
4844int
4845sctp_append_to_readq(struct sctp_inpcb *inp,
4846    struct sctp_tcb *stcb,
4847    struct sctp_queued_to_read *control,
4848    struct mbuf *m,
4849    int end,
4850    int ctls_cumack,
4851    struct sockbuf *sb)
4852{
4853	/*
4854	 * A partial delivery API event is underway. OR we are appending on
4855	 * the reassembly queue.
4856	 *
4857	 * If PDAPI this means we need to add m to the end of the data.
4858	 * Increase the length in the control AND increment the sb_cc.
4859	 * Otherwise sb is NULL and all we need to do is put it at the end
4860	 * of the mbuf chain.
4861	 */
4862	int len = 0;
4863	struct mbuf *mm, *tail = NULL, *prev = NULL;
4864
4865	if (inp) {
4866		SCTP_INP_READ_LOCK(inp);
4867	}
4868	if (control == NULL) {
4869	get_out:
4870		if (inp) {
4871			SCTP_INP_READ_UNLOCK(inp);
4872		}
4873		return (-1);
4874	}
4875	if (inp && (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_CANT_READ)) {
4876		SCTP_INP_READ_UNLOCK(inp);
4877		return (0);
4878	}
4879	if (control->end_added) {
4880		/* huh this one is complete? */
4881		goto get_out;
4882	}
4883	mm = m;
4884	if (mm == NULL) {
4885		goto get_out;
4886	}
4887
4888	while (mm) {
4889		if (SCTP_BUF_LEN(mm) == 0) {
4890			/* Skip mbufs with NO lenght */
4891			if (prev == NULL) {
4892				/* First one */
4893				m = sctp_m_free(mm);
4894				mm = m;
4895			} else {
4896				SCTP_BUF_NEXT(prev) = sctp_m_free(mm);
4897				mm = SCTP_BUF_NEXT(prev);
4898			}
4899			continue;
4900		}
4901		prev = mm;
4902		len += SCTP_BUF_LEN(mm);
4903		if (sb) {
4904			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
4905				sctp_sblog(sb, control->do_not_ref_stcb?NULL:stcb, SCTP_LOG_SBALLOC, SCTP_BUF_LEN(mm));
4906			}
4907			sctp_sballoc(stcb, sb, mm);
4908			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
4909				sctp_sblog(sb, control->do_not_ref_stcb?NULL:stcb, SCTP_LOG_SBRESULT, 0);
4910			}
4911		}
4912		mm = SCTP_BUF_NEXT(mm);
4913	}
4914	if (prev) {
4915		tail = prev;
4916	} else {
4917		/* Really there should always be a prev */
4918		if (m == NULL) {
4919			/* Huh nothing left? */
4920#ifdef INVARIANTS
4921			panic("Nothing left to add?");
4922#else
4923			goto get_out;
4924#endif
4925		}
4926		tail = m;
4927	}
4928	if (control->tail_mbuf) {
4929		/* append */
4930		SCTP_BUF_NEXT(control->tail_mbuf) = m;
4931		control->tail_mbuf = tail;
4932	} else {
4933		/* nothing there */
4934#ifdef INVARIANTS
4935		if (control->data != NULL) {
4936			panic("This should NOT happen");
4937		}
4938#endif
4939		control->data = m;
4940		control->tail_mbuf = tail;
4941	}
4942	atomic_add_int(&control->length, len);
4943	if (end) {
4944		/* message is complete */
4945		if (stcb && (control == stcb->asoc.control_pdapi)) {
4946			stcb->asoc.control_pdapi = NULL;
4947		}
4948		control->held_length = 0;
4949		control->end_added = 1;
4950	}
4951	if (stcb == NULL) {
4952		control->do_not_ref_stcb = 1;
4953	}
4954	/*
4955	 * When we are appending in partial delivery, the cum-ack is used
4956	 * for the actual pd-api highest tsn on this mbuf. The true cum-ack
4957	 * is populated in the outbound sinfo structure from the true cumack
4958	 * if the association exists...
4959	 */
4960	control->sinfo_tsn = control->sinfo_cumtsn = ctls_cumack;
4961#if defined(__Userspace__)
4962	if (inp->recv_callback) {
4963		uint32_t pd_point, length;
4964
4965		length = control->length;
4966		if (stcb != NULL && stcb->sctp_socket != NULL) {
4967			pd_point = min(SCTP_SB_LIMIT_RCV(stcb->sctp_socket) >> SCTP_PARTIAL_DELIVERY_SHIFT,
4968			               stcb->sctp_ep->partial_delivery_point);
4969		} else {
4970			pd_point = inp->partial_delivery_point;
4971		}
4972		if ((control->end_added == 1) || (length >= pd_point)) {
4973			struct socket *so;
4974			char *buffer;
4975			struct sctp_rcvinfo rcv;
4976			union sctp_sockstore addr;
4977			int flags;
4978
4979			if ((buffer = malloc(control->length)) == NULL) {
4980				return (-1);
4981			}
4982			so = stcb->sctp_socket;
4983			for (m = control->data; m; m = SCTP_BUF_NEXT(m)) {
4984				sctp_sbfree(control, control->stcb, &so->so_rcv, m);
4985			}
4986			m_copydata(control->data, 0, control->length, buffer);
4987			memset(&rcv, 0, sizeof(struct sctp_rcvinfo));
4988			rcv.rcv_sid = control->sinfo_stream;
4989			rcv.rcv_ssn = control->sinfo_ssn;
4990			rcv.rcv_flags = control->sinfo_flags;
4991			rcv.rcv_ppid = control->sinfo_ppid;
4992			rcv.rcv_tsn = control->sinfo_tsn;
4993			rcv.rcv_cumtsn = control->sinfo_cumtsn;
4994			rcv.rcv_context = control->sinfo_context;
4995			rcv.rcv_assoc_id = control->sinfo_assoc_id;
4996			memset(&addr, 0, sizeof(union sctp_sockstore));
4997			switch (control->whoFrom->ro._l_addr.sa.sa_family) {
4998#ifdef INET
4999			case AF_INET:
5000				addr.sin = control->whoFrom->ro._l_addr.sin;
5001				break;
5002#endif
5003#ifdef INET6
5004			case AF_INET6:
5005				addr.sin6 = control->whoFrom->ro._l_addr.sin6;
5006				break;
5007#endif
5008			case AF_CONN:
5009				addr.sconn = control->whoFrom->ro._l_addr.sconn;
5010				break;
5011			default:
5012				addr.sa = control->whoFrom->ro._l_addr.sa;
5013				break;
5014			}
5015			flags = 0;
5016			if (control->end_added == 1) {
5017				flags |= MSG_EOR;
5018			}
5019			if (control->spec_flags & M_NOTIFICATION) {
5020				flags |= MSG_NOTIFICATION;
5021			}
5022			sctp_m_freem(control->data);
5023			control->data = NULL;
5024			control->tail_mbuf = NULL;
5025			control->length = 0;
5026			if (control->end_added) {
5027				sctp_free_remote_addr(control->whoFrom);
5028				control->whoFrom = NULL;
5029				sctp_free_a_readq(stcb, control);
5030			} else {
5031				control->some_taken = 1;
5032			}
5033			atomic_add_int(&stcb->asoc.refcnt, 1);
5034			SCTP_TCB_UNLOCK(stcb);
5035			inp->recv_callback(so, addr, buffer, length, rcv, flags, inp->ulp_info);
5036			SCTP_TCB_LOCK(stcb);
5037			atomic_subtract_int(&stcb->asoc.refcnt, 1);
5038		}
5039		if (inp)
5040			SCTP_INP_READ_UNLOCK(inp);
5041		return (0);
5042	}
5043#endif
5044	if (inp) {
5045		SCTP_INP_READ_UNLOCK(inp);
5046	}
5047	if (inp && inp->sctp_socket) {
5048		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_ZERO_COPY_ACTIVE)) {
5049			SCTP_ZERO_COPY_EVENT(inp, inp->sctp_socket);
5050		} else {
5051#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5052			struct socket *so;
5053
5054			so = SCTP_INP_SO(inp);
5055			if (stcb) {
5056				atomic_add_int(&stcb->asoc.refcnt, 1);
5057				SCTP_TCB_UNLOCK(stcb);
5058			}
5059			SCTP_SOCKET_LOCK(so, 1);
5060			if (stcb) {
5061				SCTP_TCB_LOCK(stcb);
5062				atomic_subtract_int(&stcb->asoc.refcnt, 1);
5063			}
5064			if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5065				SCTP_SOCKET_UNLOCK(so, 1);
5066				return (0);
5067			}
5068#endif
5069			sctp_sorwakeup(inp, inp->sctp_socket);
5070#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5071			SCTP_SOCKET_UNLOCK(so, 1);
5072#endif
5073		}
5074	}
5075	return (0);
5076}
5077
5078
5079
5080/*************HOLD THIS COMMENT FOR PATCH FILE OF
5081 *************ALTERNATE ROUTING CODE
5082 */
5083
5084/*************HOLD THIS COMMENT FOR END OF PATCH FILE OF
5085 *************ALTERNATE ROUTING CODE
5086 */
5087
5088struct mbuf *
5089sctp_generate_cause(uint16_t code, char *info)
5090{
5091	struct mbuf *m;
5092	struct sctp_gen_error_cause *cause;
5093	size_t info_len, len;
5094
5095	if ((code == 0) || (info == NULL)) {
5096		return (NULL);
5097	}
5098	info_len = strlen(info);
5099	len = sizeof(struct sctp_paramhdr) + info_len;
5100	m = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
5101	if (m != NULL) {
5102		SCTP_BUF_LEN(m) = len;
5103		cause = mtod(m, struct sctp_gen_error_cause *);
5104		cause->code = htons(code);
5105		cause->length = htons((uint16_t)len);
5106		memcpy(cause->info, info, info_len);
5107	}
5108	return (m);
5109}
5110
5111struct mbuf *
5112sctp_generate_no_user_data_cause(uint32_t tsn)
5113{
5114	struct mbuf *m;
5115	struct sctp_error_no_user_data *no_user_data_cause;
5116	size_t len;
5117
5118	len = sizeof(struct sctp_error_no_user_data);
5119	m = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
5120	if (m != NULL) {
5121		SCTP_BUF_LEN(m) = len;
5122		no_user_data_cause = mtod(m, struct sctp_error_no_user_data *);
5123		no_user_data_cause->cause.code = htons(SCTP_CAUSE_NO_USER_DATA);
5124		no_user_data_cause->cause.length = htons((uint16_t)len);
5125		no_user_data_cause->tsn = tsn; /* tsn is passed in as NBO */
5126	}
5127	return (m);
5128}
5129
5130#ifdef SCTP_MBCNT_LOGGING
5131void
5132sctp_free_bufspace(struct sctp_tcb *stcb, struct sctp_association *asoc,
5133    struct sctp_tmit_chunk *tp1, int chk_cnt)
5134{
5135	if (tp1->data == NULL) {
5136		return;
5137	}
5138	asoc->chunks_on_out_queue -= chk_cnt;
5139	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBCNT_LOGGING_ENABLE) {
5140		sctp_log_mbcnt(SCTP_LOG_MBCNT_DECREASE,
5141			       asoc->total_output_queue_size,
5142			       tp1->book_size,
5143			       0,
5144			       tp1->mbcnt);
5145	}
5146	if (asoc->total_output_queue_size >= tp1->book_size) {
5147		atomic_add_int(&asoc->total_output_queue_size, -tp1->book_size);
5148	} else {
5149		asoc->total_output_queue_size = 0;
5150	}
5151
5152	if (stcb->sctp_socket && (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) ||
5153				  ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE)))) {
5154		if (stcb->sctp_socket->so_snd.sb_cc >= tp1->book_size) {
5155			stcb->sctp_socket->so_snd.sb_cc -= tp1->book_size;
5156		} else {
5157			stcb->sctp_socket->so_snd.sb_cc = 0;
5158
5159		}
5160	}
5161}
5162
5163#endif
5164
5165int
5166sctp_release_pr_sctp_chunk(struct sctp_tcb *stcb, struct sctp_tmit_chunk *tp1,
5167			   uint8_t sent, int so_locked
5168#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
5169			   SCTP_UNUSED
5170#endif
5171	)
5172{
5173	struct sctp_stream_out *strq;
5174	struct sctp_tmit_chunk *chk = NULL, *tp2;
5175	struct sctp_stream_queue_pending *sp;
5176	uint16_t stream = 0, seq = 0;
5177	uint8_t foundeom = 0;
5178	int ret_sz = 0;
5179	int notdone;
5180	int do_wakeup_routine = 0;
5181
5182#if defined(__APPLE__)
5183	if (so_locked) {
5184		sctp_lock_assert(SCTP_INP_SO(stcb->sctp_ep));
5185	} else {
5186		sctp_unlock_assert(SCTP_INP_SO(stcb->sctp_ep));
5187	}
5188#endif
5189	stream = tp1->rec.data.stream_number;
5190	seq = tp1->rec.data.stream_seq;
5191	if (sent || !(tp1->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG)) {
5192		stcb->asoc.abandoned_sent[0]++;
5193		stcb->asoc.abandoned_sent[PR_SCTP_POLICY(tp1->flags)]++;
5194		stcb->asoc.strmout[stream].abandoned_sent[0]++;
5195#if defined(SCTP_DETAILED_STR_STATS)
5196		stcb->asoc.strmout[stream].abandoned_sent[PR_SCTP_POLICY(tp1->flags)]++;
5197#endif
5198	} else {
5199		stcb->asoc.abandoned_unsent[0]++;
5200		stcb->asoc.abandoned_unsent[PR_SCTP_POLICY(tp1->flags)]++;
5201		stcb->asoc.strmout[stream].abandoned_unsent[0]++;
5202#if defined(SCTP_DETAILED_STR_STATS)
5203		stcb->asoc.strmout[stream].abandoned_unsent[PR_SCTP_POLICY(tp1->flags)]++;
5204#endif
5205	}
5206	do {
5207		ret_sz += tp1->book_size;
5208		if (tp1->data != NULL) {
5209			if (tp1->sent < SCTP_DATAGRAM_RESEND) {
5210				sctp_flight_size_decrease(tp1);
5211				sctp_total_flight_decrease(stcb, tp1);
5212			}
5213			sctp_free_bufspace(stcb, &stcb->asoc, tp1, 1);
5214			stcb->asoc.peers_rwnd += tp1->send_size;
5215			stcb->asoc.peers_rwnd += SCTP_BASE_SYSCTL(sctp_peer_chunk_oh);
5216			if (sent) {
5217				sctp_ulp_notify(SCTP_NOTIFY_SENT_DG_FAIL, stcb, 0, tp1, so_locked);
5218			} else {
5219				sctp_ulp_notify(SCTP_NOTIFY_UNSENT_DG_FAIL, stcb, 0, tp1, so_locked);
5220			}
5221			if (tp1->data) {
5222				sctp_m_freem(tp1->data);
5223				tp1->data = NULL;
5224			}
5225			do_wakeup_routine = 1;
5226			if (PR_SCTP_BUF_ENABLED(tp1->flags)) {
5227				stcb->asoc.sent_queue_cnt_removeable--;
5228			}
5229		}
5230		tp1->sent = SCTP_FORWARD_TSN_SKIP;
5231		if ((tp1->rec.data.rcv_flags & SCTP_DATA_NOT_FRAG) ==
5232		    SCTP_DATA_NOT_FRAG) {
5233			/* not frag'ed we ae done   */
5234			notdone = 0;
5235			foundeom = 1;
5236		} else if (tp1->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
5237			/* end of frag, we are done */
5238			notdone = 0;
5239			foundeom = 1;
5240		} else {
5241			/*
5242			 * Its a begin or middle piece, we must mark all of
5243			 * it
5244			 */
5245			notdone = 1;
5246			tp1 = TAILQ_NEXT(tp1, sctp_next);
5247		}
5248	} while (tp1 && notdone);
5249	if (foundeom == 0) {
5250		/*
5251		 * The multi-part message was scattered across the send and
5252		 * sent queue.
5253		 */
5254		TAILQ_FOREACH_SAFE(tp1, &stcb->asoc.send_queue, sctp_next, tp2) {
5255			if ((tp1->rec.data.stream_number != stream) ||
5256			    (tp1->rec.data.stream_seq != seq)) {
5257				break;
5258			}
5259			/* save to chk in case we have some on stream out
5260			 * queue. If so and we have an un-transmitted one
5261			 * we don't have to fudge the TSN.
5262			 */
5263			chk = tp1;
5264			ret_sz += tp1->book_size;
5265			sctp_free_bufspace(stcb, &stcb->asoc, tp1, 1);
5266			if (sent) {
5267				sctp_ulp_notify(SCTP_NOTIFY_SENT_DG_FAIL, stcb, 0, tp1, so_locked);
5268			} else {
5269				sctp_ulp_notify(SCTP_NOTIFY_UNSENT_DG_FAIL, stcb, 0, tp1, so_locked);
5270			}
5271			if (tp1->data) {
5272				sctp_m_freem(tp1->data);
5273				tp1->data = NULL;
5274			}
5275			/* No flight involved here book the size to 0 */
5276			tp1->book_size = 0;
5277			if (tp1->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
5278				foundeom = 1;
5279			}
5280			do_wakeup_routine = 1;
5281			tp1->sent = SCTP_FORWARD_TSN_SKIP;
5282			TAILQ_REMOVE(&stcb->asoc.send_queue, tp1, sctp_next);
5283			/* on to the sent queue so we can wait for it to be passed by. */
5284			TAILQ_INSERT_TAIL(&stcb->asoc.sent_queue, tp1,
5285					  sctp_next);
5286			stcb->asoc.send_queue_cnt--;
5287			stcb->asoc.sent_queue_cnt++;
5288		}
5289	}
5290	if (foundeom == 0) {
5291		/*
5292		 * Still no eom found. That means there
5293		 * is stuff left on the stream out queue.. yuck.
5294		 */
5295		SCTP_TCB_SEND_LOCK(stcb);
5296		strq = &stcb->asoc.strmout[stream];
5297		sp = TAILQ_FIRST(&strq->outqueue);
5298		if (sp != NULL) {
5299			sp->discard_rest = 1;
5300			/*
5301			 * We may need to put a chunk on the
5302			 * queue that holds the TSN that
5303			 * would have been sent with the LAST
5304			 * bit.
5305			 */
5306			if (chk == NULL) {
5307				/* Yep, we have to */
5308				sctp_alloc_a_chunk(stcb, chk);
5309				if (chk == NULL) {
5310					/* we are hosed. All we can
5311					 * do is nothing.. which will
5312					 * cause an abort if the peer is
5313					 * paying attention.
5314					 */
5315					goto oh_well;
5316				}
5317				memset(chk, 0, sizeof(*chk));
5318				chk->rec.data.rcv_flags = SCTP_DATA_LAST_FRAG;
5319				chk->sent = SCTP_FORWARD_TSN_SKIP;
5320				chk->asoc = &stcb->asoc;
5321				chk->rec.data.stream_seq = strq->next_sequence_send;
5322				chk->rec.data.stream_number = sp->stream;
5323				chk->rec.data.payloadtype = sp->ppid;
5324				chk->rec.data.context = sp->context;
5325				chk->flags = sp->act_flags;
5326				if (sp->net)
5327					chk->whoTo = sp->net;
5328				else
5329					chk->whoTo = stcb->asoc.primary_destination;
5330				atomic_add_int(&chk->whoTo->ref_count, 1);
5331#if defined(__FreeBSD__) || defined(__Panda__)
5332				chk->rec.data.TSN_seq = atomic_fetchadd_int(&stcb->asoc.sending_seq, 1);
5333#else
5334				chk->rec.data.TSN_seq = stcb->asoc.sending_seq++;
5335#endif
5336				stcb->asoc.pr_sctp_cnt++;
5337				TAILQ_INSERT_TAIL(&stcb->asoc.sent_queue, chk, sctp_next);
5338				stcb->asoc.sent_queue_cnt++;
5339				stcb->asoc.pr_sctp_cnt++;
5340			} else {
5341				chk->rec.data.rcv_flags |= SCTP_DATA_LAST_FRAG;
5342			}
5343			strq->next_sequence_send++;
5344		oh_well:
5345			if (sp->data) {
5346				/* Pull any data to free up the SB and
5347				 * allow sender to "add more" while we
5348				 * will throw away :-)
5349				 */
5350				sctp_free_spbufspace(stcb, &stcb->asoc, sp);
5351				ret_sz += sp->length;
5352				do_wakeup_routine = 1;
5353				sp->some_taken = 1;
5354				sctp_m_freem(sp->data);
5355				sp->data = NULL;
5356				sp->tail_mbuf = NULL;
5357				sp->length = 0;
5358			}
5359		}
5360		SCTP_TCB_SEND_UNLOCK(stcb);
5361	}
5362	if (do_wakeup_routine) {
5363#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5364		struct socket *so;
5365
5366		so = SCTP_INP_SO(stcb->sctp_ep);
5367		if (!so_locked) {
5368			atomic_add_int(&stcb->asoc.refcnt, 1);
5369			SCTP_TCB_UNLOCK(stcb);
5370			SCTP_SOCKET_LOCK(so, 1);
5371			SCTP_TCB_LOCK(stcb);
5372			atomic_subtract_int(&stcb->asoc.refcnt, 1);
5373			if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
5374				/* assoc was freed while we were unlocked */
5375				SCTP_SOCKET_UNLOCK(so, 1);
5376				return (ret_sz);
5377			}
5378		}
5379#endif
5380		sctp_sowwakeup(stcb->sctp_ep, stcb->sctp_socket);
5381#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5382		if (!so_locked) {
5383			SCTP_SOCKET_UNLOCK(so, 1);
5384		}
5385#endif
5386	}
5387	return (ret_sz);
5388}
5389
5390/*
5391 * checks to see if the given address, sa, is one that is currently known by
5392 * the kernel note: can't distinguish the same address on multiple interfaces
5393 * and doesn't handle multiple addresses with different zone/scope id's note:
5394 * ifa_ifwithaddr() compares the entire sockaddr struct
5395 */
5396struct sctp_ifa *
5397sctp_find_ifa_in_ep(struct sctp_inpcb *inp, struct sockaddr *addr,
5398		    int holds_lock)
5399{
5400	struct sctp_laddr *laddr;
5401
5402	if (holds_lock == 0) {
5403		SCTP_INP_RLOCK(inp);
5404	}
5405
5406	LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
5407		if (laddr->ifa == NULL)
5408			continue;
5409		if (addr->sa_family != laddr->ifa->address.sa.sa_family)
5410			continue;
5411#ifdef INET
5412		if (addr->sa_family == AF_INET) {
5413			if (((struct sockaddr_in *)addr)->sin_addr.s_addr ==
5414			    laddr->ifa->address.sin.sin_addr.s_addr) {
5415				/* found him. */
5416				if (holds_lock == 0) {
5417					SCTP_INP_RUNLOCK(inp);
5418				}
5419				return (laddr->ifa);
5420				break;
5421			}
5422		}
5423#endif
5424#ifdef INET6
5425		if (addr->sa_family == AF_INET6) {
5426			if (SCTP6_ARE_ADDR_EQUAL((struct sockaddr_in6 *)addr,
5427						 &laddr->ifa->address.sin6)) {
5428				/* found him. */
5429				if (holds_lock == 0) {
5430					SCTP_INP_RUNLOCK(inp);
5431				}
5432				return (laddr->ifa);
5433				break;
5434			}
5435		}
5436#endif
5437#if defined(__Userspace__)
5438		if (addr->sa_family == AF_CONN) {
5439			if (((struct sockaddr_conn *)addr)->sconn_addr == laddr->ifa->address.sconn.sconn_addr) {
5440				/* found him. */
5441				if (holds_lock == 0) {
5442					SCTP_INP_RUNLOCK(inp);
5443				}
5444				return (laddr->ifa);
5445				break;
5446			}
5447		}
5448#endif
5449	}
5450	if (holds_lock == 0) {
5451		SCTP_INP_RUNLOCK(inp);
5452	}
5453	return (NULL);
5454}
5455
5456uint32_t
5457sctp_get_ifa_hash_val(struct sockaddr *addr)
5458{
5459	switch (addr->sa_family) {
5460#ifdef INET
5461	case AF_INET:
5462	{
5463		struct sockaddr_in *sin;
5464
5465		sin = (struct sockaddr_in *)addr;
5466		return (sin->sin_addr.s_addr ^ (sin->sin_addr.s_addr >> 16));
5467	}
5468#endif
5469#ifdef INET6
5470	case AF_INET6:
5471	{
5472		struct sockaddr_in6 *sin6;
5473		uint32_t hash_of_addr;
5474
5475		sin6 = (struct sockaddr_in6 *)addr;
5476#if !defined(__Windows__) && !defined(__Userspace_os_FreeBSD) && !defined(__Userspace_os_Darwin) && !defined(__Userspace_os_Windows)
5477		hash_of_addr = (sin6->sin6_addr.s6_addr32[0] +
5478				sin6->sin6_addr.s6_addr32[1] +
5479				sin6->sin6_addr.s6_addr32[2] +
5480				sin6->sin6_addr.s6_addr32[3]);
5481#else
5482		hash_of_addr = (((uint32_t *)&sin6->sin6_addr)[0] +
5483				((uint32_t *)&sin6->sin6_addr)[1] +
5484				((uint32_t *)&sin6->sin6_addr)[2] +
5485				((uint32_t *)&sin6->sin6_addr)[3]);
5486#endif
5487		hash_of_addr = (hash_of_addr ^ (hash_of_addr >> 16));
5488		return (hash_of_addr);
5489	}
5490#endif
5491#if defined(__Userspace__)
5492	case AF_CONN:
5493	{
5494		struct sockaddr_conn *sconn;
5495		uintptr_t temp;
5496
5497		sconn = (struct sockaddr_conn *)addr;
5498		temp = (uintptr_t)sconn->sconn_addr;
5499		return ((uint32_t)(temp ^ (temp >> 16)));
5500	}
5501#endif
5502	default:
5503		break;
5504	}
5505	return (0);
5506}
5507
5508struct sctp_ifa *
5509sctp_find_ifa_by_addr(struct sockaddr *addr, uint32_t vrf_id, int holds_lock)
5510{
5511	struct sctp_ifa *sctp_ifap;
5512	struct sctp_vrf *vrf;
5513	struct sctp_ifalist *hash_head;
5514	uint32_t hash_of_addr;
5515
5516	if (holds_lock == 0)
5517		SCTP_IPI_ADDR_RLOCK();
5518
5519	vrf = sctp_find_vrf(vrf_id);
5520	if (vrf == NULL) {
5521	stage_right:
5522		if (holds_lock == 0)
5523			SCTP_IPI_ADDR_RUNLOCK();
5524		return (NULL);
5525	}
5526
5527	hash_of_addr = sctp_get_ifa_hash_val(addr);
5528
5529	hash_head = &vrf->vrf_addr_hash[(hash_of_addr & vrf->vrf_addr_hashmark)];
5530	if (hash_head == NULL) {
5531		SCTP_PRINTF("hash_of_addr:%x mask:%x table:%x - ",
5532			    hash_of_addr, (uint32_t)vrf->vrf_addr_hashmark,
5533			    (uint32_t)(hash_of_addr & vrf->vrf_addr_hashmark));
5534		sctp_print_address(addr);
5535		SCTP_PRINTF("No such bucket for address\n");
5536		if (holds_lock == 0)
5537			SCTP_IPI_ADDR_RUNLOCK();
5538
5539		return (NULL);
5540	}
5541	LIST_FOREACH(sctp_ifap, hash_head, next_bucket) {
5542		if (sctp_ifap == NULL) {
5543#ifdef INVARIANTS
5544			panic("Huh LIST_FOREACH corrupt");
5545		        goto stage_right;
5546#else
5547			SCTP_PRINTF("LIST corrupt of sctp_ifap's?\n");
5548			goto stage_right;
5549#endif
5550		}
5551		if (addr->sa_family != sctp_ifap->address.sa.sa_family)
5552			continue;
5553#ifdef INET
5554		if (addr->sa_family == AF_INET) {
5555			if (((struct sockaddr_in *)addr)->sin_addr.s_addr ==
5556			    sctp_ifap->address.sin.sin_addr.s_addr) {
5557				/* found him. */
5558				if (holds_lock == 0)
5559					SCTP_IPI_ADDR_RUNLOCK();
5560				return (sctp_ifap);
5561				break;
5562			}
5563		}
5564#endif
5565#ifdef INET6
5566		if (addr->sa_family == AF_INET6) {
5567			if (SCTP6_ARE_ADDR_EQUAL((struct sockaddr_in6 *)addr,
5568						 &sctp_ifap->address.sin6)) {
5569				/* found him. */
5570				if (holds_lock == 0)
5571					SCTP_IPI_ADDR_RUNLOCK();
5572				return (sctp_ifap);
5573				break;
5574			}
5575		}
5576#endif
5577#if defined(__Userspace__)
5578		if (addr->sa_family == AF_CONN) {
5579			if (((struct sockaddr_conn *)addr)->sconn_addr == sctp_ifap->address.sconn.sconn_addr) {
5580				/* found him. */
5581				if (holds_lock == 0)
5582					SCTP_IPI_ADDR_RUNLOCK();
5583				return (sctp_ifap);
5584				break;
5585			}
5586		}
5587#endif
5588	}
5589	if (holds_lock == 0)
5590		SCTP_IPI_ADDR_RUNLOCK();
5591	return (NULL);
5592}
5593
5594static void
5595sctp_user_rcvd(struct sctp_tcb *stcb, uint32_t *freed_so_far, int hold_rlock,
5596	       uint32_t rwnd_req)
5597{
5598	/* User pulled some data, do we need a rwnd update? */
5599	int r_unlocked = 0;
5600	uint32_t dif, rwnd;
5601	struct socket *so = NULL;
5602
5603	if (stcb == NULL)
5604		return;
5605
5606	atomic_add_int(&stcb->asoc.refcnt, 1);
5607
5608	if (stcb->asoc.state & (SCTP_STATE_ABOUT_TO_BE_FREED |
5609				SCTP_STATE_SHUTDOWN_RECEIVED |
5610				SCTP_STATE_SHUTDOWN_ACK_SENT)) {
5611		/* Pre-check If we are freeing no update */
5612		goto no_lock;
5613	}
5614	SCTP_INP_INCR_REF(stcb->sctp_ep);
5615	if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
5616	    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
5617		goto out;
5618	}
5619	so = stcb->sctp_socket;
5620	if (so == NULL) {
5621		goto out;
5622	}
5623	atomic_add_int(&stcb->freed_by_sorcv_sincelast, *freed_so_far);
5624	/* Have you have freed enough to look */
5625	*freed_so_far = 0;
5626	/* Yep, its worth a look and the lock overhead */
5627
5628	/* Figure out what the rwnd would be */
5629	rwnd = sctp_calc_rwnd(stcb, &stcb->asoc);
5630	if (rwnd >= stcb->asoc.my_last_reported_rwnd) {
5631		dif = rwnd - stcb->asoc.my_last_reported_rwnd;
5632	} else {
5633		dif = 0;
5634	}
5635	if (dif >= rwnd_req) {
5636		if (hold_rlock) {
5637			SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
5638			r_unlocked = 1;
5639		}
5640		if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
5641			/*
5642			 * One last check before we allow the guy possibly
5643			 * to get in. There is a race, where the guy has not
5644			 * reached the gate. In that case
5645			 */
5646			goto out;
5647		}
5648		SCTP_TCB_LOCK(stcb);
5649		if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
5650			/* No reports here */
5651			SCTP_TCB_UNLOCK(stcb);
5652			goto out;
5653		}
5654		SCTP_STAT_INCR(sctps_wu_sacks_sent);
5655		sctp_send_sack(stcb, SCTP_SO_LOCKED);
5656
5657		sctp_chunk_output(