/*

 * Copyright (c) 2000-2020 Apple Inc. All rights reserved.

 *

 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@

 *

 * This file contains Original Code and/or Modifications of Original Code

 * as defined in and that are subject to the Apple Public Source License

 * Version 2.0 (the 'License'). You may not use this file except in

 * compliance with the License. The rights granted to you under the License

 * may not be used to create, or enable the creation or redistribution of,

 * unlawful or unlicensed copies of an Apple operating system, or to

 * circumvent, violate, or enable the circumvention or violation of, any

 * terms of an Apple operating system software license agreement.

 *

 * Please obtain a copy of the License at

 * http://www.opensource.apple.com/apsl/ and read it before using this file.

 *

 * The Original Code and all software distributed under the License are

 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER

 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,

 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,

 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.

 * Please see the License for the specific language governing rights and

 * limitations under the License.

 *

 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@

 */

/*

 * Copyright (c) 1990, 1991, 1993

 *  The Regents of the University of California.  All rights reserved.

 *

 * This code is derived from the Stanford/CMU enet packet filter,

 * (net/enet.c) distributed as part of 4.3BSD, and code contributed

 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence

 * Berkeley Laboratory.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 * 3. All advertising materials mentioning features or use of this software

 *    must display the following acknowledgement:

 *  This product includes software developed by the University of

 *  California, Berkeley and its contributors.

 * 4. Neither the name of the University nor the names of its contributors

 *    may be used to endorse or promote products derived from this software

 *    without specific prior written permission.

 *

 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND

 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE

 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

 * SUCH DAMAGE.

 *

 *  @(#)bpf.c 8.2 (Berkeley) 3/28/94

 *

 * $FreeBSD: src/sys/net/bpf.c,v 1.59.2.5 2001/01/05 04:49:09 jdp Exp $

 */

/*

 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce

 * support for mandatory and extensible security protections.  This notice

 * is included in support of clause 2.2 (b) of the Apple Public License,

 * Version 2.0.

 */

#include "bpf.h"

#ifndef __GNUC__

#define inline

#else

#define inline __inline

#endif

#include <sys/param.h>

#include <sys/systm.h>

#include <sys/conf.h>

#include <sys/malloc.h>

#include <sys/mbuf.h>

#include <sys/time.h>

#include <sys/proc.h>

#include <sys/signalvar.h>

#include <sys/filio.h>

#include <sys/sockio.h>

#include <sys/ttycom.h>

#include <sys/filedesc.h>

#include <sys/uio_internal.h>

#include <sys/file_internal.h>

#include <sys/event.h>

#include <sys/poll.h>

#include <sys/socket.h>

#include <sys/socketvar.h>

#include <sys/vnode.h>

#include <net/if.h>

#include <net/bpf.h>

#include <net/bpfdesc.h>

#include <netinet/in.h>

#include <netinet/ip.h>

#include <netinet/ip6.h>

#include <netinet/in_pcb.h>

#include <netinet/in_var.h>

#include <netinet/ip_var.h>

#include <netinet/tcp.h>

#include <netinet/tcp_var.h>

#include <netinet/udp.h>

#include <netinet/udp_var.h>

#include <netinet/if_ether.h>

#include <netinet/isakmp.h>

#include <netinet6/esp.h>

#include <sys/kernel.h>

#include <sys/sysctl.h>

#include <net/firewire.h>

#include <miscfs/devfs/devfs.h>

#include <net/dlil.h>

#include <net/pktap.h>

#include <kern/locks.h>

#include <kern/thread_call.h>

#include <libkern/section_keywords.h>

#include <os/log.h>

extern int tvtohz(struct timeval *);

#define BPF_BUFSIZE 4096

#define UIOMOVE(cp, len, code, uio) uiomove(cp, len, uio)

#define PRINET  26                      /* interruptible */

#define ISAKMP_HDR_SIZE (sizeof(struct isakmp) + sizeof(struct isakmp_gen))

#define ESP_HDR_SIZE sizeof(struct newesp)

typedef void (*pktcopyfunc_t)(const void *, void *, size_t);

/*

 * The default read buffer size is patchable.

 */

static unsigned int bpf_bufsize = BPF_BUFSIZE;

SYSCTL_INT(_debug, OID_AUTO, bpf_bufsize, CTLFLAG_RW | CTLFLAG_LOCKED,

    &bpf_bufsize, 0, "");

static int sysctl_bpf_maxbufsize SYSCTL_HANDLER_ARGS;

extern const int copysize_limit_panic;

#define BPF_MAXSIZE_CAP (copysize_limit_panic >> 1)

__private_extern__ unsigned int bpf_maxbufsize = BPF_MAXBUFSIZE;

SYSCTL_PROC(_debug, OID_AUTO, bpf_maxbufsize, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED,

    &bpf_maxbufsize, 0,

    sysctl_bpf_maxbufsize, "I", "Default BPF max buffer size");

static unsigned int bpf_maxdevices = 256;

SYSCTL_UINT(_debug, OID_AUTO, bpf_maxdevices, CTLFLAG_RW | CTLFLAG_LOCKED,

    &bpf_maxdevices, 0, "");

/*

 * bpf_wantpktap controls the defaul visibility of DLT_PKTAP

 * For OS X is off by default so process need to use the ioctl BPF_WANT_PKTAP

 * explicitly to be able to use DLT_PKTAP.

 */

#if !XNU_TARGET_OS_OSX

static unsigned int bpf_wantpktap = 1;

#else /* XNU_TARGET_OS_OSX */

static unsigned int bpf_wantpktap = 0;

#endif /* XNU_TARGET_OS_OSX */

SYSCTL_UINT(_debug, OID_AUTO, bpf_wantpktap, CTLFLAG_RW | CTLFLAG_LOCKED,

    &bpf_wantpktap, 0, "");

static int bpf_debug = 0;

SYSCTL_INT(_debug, OID_AUTO, bpf_debug, CTLFLAG_RW | CTLFLAG_LOCKED,

    &bpf_debug, 0, "");

/*

 *  bpf_iflist is the list of interfaces; each corresponds to an ifnet

 *  bpf_dtab holds pointer to the descriptors, indexed by minor device #

 */

static struct bpf_if    *bpf_iflist;

#ifdef __APPLE__

/*

 * BSD now stores the bpf_d in the dev_t which is a struct

 * on their system. Our dev_t is an int, so we still store

 * the bpf_d in a separate table indexed by minor device #.

 *

 * The value stored in bpf_dtab[n] represent three states:

 *  NULL: device not opened

 *  BPF_DEV_RESERVED: device opening or closing

 *  other: device <n> opened with pointer to storage

 */

#define BPF_DEV_RESERVED ((struct bpf_d *)(uintptr_t)1)

static struct bpf_d     **bpf_dtab = NULL;

static unsigned int bpf_dtab_size = 0;

static unsigned int     nbpfilter = 0;

decl_lck_mtx_data(static, bpf_mlock_data);

static lck_mtx_t                *bpf_mlock = &bpf_mlock_data;

static lck_grp_t                *bpf_mlock_grp;

static lck_grp_attr_t   *bpf_mlock_grp_attr;

static lck_attr_t               *bpf_mlock_attr;

#endif /* __APPLE__ */

static int      bpf_allocbufs(struct bpf_d *);

static errno_t  bpf_attachd(struct bpf_d *d, struct bpf_if *bp);

static int      bpf_detachd(struct bpf_d *d, int);

static void     bpf_freed(struct bpf_d *);

static int      bpf_movein(struct uio *, int,

    struct mbuf **, struct sockaddr *, int *);

static int      bpf_setif(struct bpf_d *, ifnet_t ifp, bool, bool);

static void     bpf_timed_out(void *, void *);

static void     bpf_wakeup(struct bpf_d *);

static u_int    get_pkt_trunc_len(u_char *, u_int);

static void     catchpacket(struct bpf_d *, struct bpf_packet *, u_int, int);

static void     reset_d(struct bpf_d *);

static int      bpf_setf(struct bpf_d *, u_int, user_addr_t, u_long);

static int      bpf_getdltlist(struct bpf_d *, caddr_t, struct proc *);

static int      bpf_setdlt(struct bpf_d *, u_int);

static int      bpf_set_traffic_class(struct bpf_d *, int);

static void     bpf_set_packet_service_class(struct mbuf *, int);

static void     bpf_acquire_d(struct bpf_d *);

static void     bpf_release_d(struct bpf_d *);

static  int bpf_devsw_installed;

void bpf_init(void *unused);

static int bpf_tap_callback(struct ifnet *ifp, struct mbuf *m);

/*

 * Darwin differs from BSD here, the following are static

 * on BSD and not static on Darwin.

 */

d_open_t            bpfopen;

d_close_t           bpfclose;

d_read_t            bpfread;

d_write_t           bpfwrite;

ioctl_fcn_t         bpfioctl;

select_fcn_t        bpfselect;

/* Darwin's cdevsw struct differs slightly from BSDs */

#define CDEV_MAJOR 23

static const struct cdevsw bpf_cdevsw = {

  .d_open       = bpfopen,

  .d_close      = bpfclose,

  .d_read       = bpfread,

  .d_write      = bpfwrite,

  .d_ioctl      = bpfioctl,

  .d_stop       = eno_stop,

  .d_reset      = eno_reset,

  .d_ttys       = NULL,

  .d_select     = bpfselect,

  .d_mmap       = eno_mmap,

  .d_strategy   = eno_strat,

  .d_reserved_1 = eno_getc,

  .d_reserved_2 = eno_putc,

  .d_type       = 0

};

#define SOCKADDR_HDR_LEN           offsetof(struct sockaddr, sa_data)

static int

bpf_movein(struct uio *uio, int linktype, struct mbuf **mp,

    struct sockaddr *sockp, int *datlen)

{

  struct mbuf *m;

  int error;

  int len;

  uint8_t sa_family;

  int hlen;

  switch (linktype) {

#if SLIP

  case DLT_SLIP:

    sa_family = AF_INET;

    hlen = 0;

    break;

#endif /* SLIP */

  case DLT_EN10MB:

    sa_family = AF_UNSPEC;

    /* XXX Would MAXLINKHDR be better? */

    hlen = sizeof(struct ether_header);

    break;

#if FDDI

  case DLT_FDDI:

#if defined(__FreeBSD__) || defined(__bsdi__)

    sa_family = AF_IMPLINK;

    hlen = 0;

#else

    sa_family = AF_UNSPEC;

    /* XXX 4(FORMAC)+6(dst)+6(src)+3(LLC)+5(SNAP) */

    hlen = 24;

#endif

    break;

#endif /* FDDI */

  case DLT_RAW:

  case DLT_NULL:

    sa_family = AF_UNSPEC;

    hlen = 0;

    break;

#ifdef __FreeBSD__

  case DLT_ATM_RFC1483:

    /*

     * en atm driver requires 4-byte atm pseudo header.

     * though it isn't standard, vpi:vci needs to be

     * specified anyway.

     */

    sa_family = AF_UNSPEC;

    hlen = 12;      /* XXX 4(ATM_PH) + 3(LLC) + 5(SNAP) */

    break;

#endif

  case DLT_PPP:

    sa_family = AF_UNSPEC;

    hlen = 4;       /* This should match PPP_HDRLEN */

    break;

  case DLT_APPLE_IP_OVER_IEEE1394:

    sa_family = AF_UNSPEC;

    hlen = sizeof(struct firewire_header);

    break;

  case DLT_IEEE802_11:            /* IEEE 802.11 wireless */

    sa_family = AF_IEEE80211;

    hlen = 0;

    break;

  case DLT_IEEE802_11_RADIO:

    sa_family = AF_IEEE80211;

    hlen = 0;

    break;

  default:

    return EIO;

  }

  // LP64todo - fix this!

  len = uio_resid(uio);

  *datlen = len - hlen;

  if ((unsigned)len > MCLBYTES) {

    return EIO;

  }

  if (sockp) {

    /*

     * Build a sockaddr based on the data link layer type.

     * We do this at this level because the ethernet header

     * is copied directly into the data field of the sockaddr.

     * In the case of SLIP, there is no header and the packet

     * is forwarded as is.

     * Also, we are careful to leave room at the front of the mbuf

     * for the link level header.

     */

    if ((hlen + SOCKADDR_HDR_LEN) > sockp->sa_len) {

      return EIO;

    }

    sockp->sa_family = sa_family;

  } else {

    /*

     * We're directly sending the packet data supplied by

     * the user; we don't need to make room for the link

     * header, and don't need the header length value any

     * more, so set it to 0.

     */

    hlen = 0;

  }

  MGETHDR(m, M_WAIT, MT_DATA);

  if (m == 0) {

    return ENOBUFS;

  }

  if ((unsigned)len > MHLEN) {

    MCLGET(m, M_WAIT);

    if ((m->m_flags & M_EXT) == 0) {

      error = ENOBUFS;

      goto bad;

    }

  }

  m->m_pkthdr.len = m->m_len = len;

  m->m_pkthdr.rcvif = NULL;

  *mp = m;

  /*

   * Make room for link header.

   */

  if (hlen != 0) {

    m->m_pkthdr.len -= hlen;

    m->m_len -= hlen;

    m->m_data += hlen; /* XXX */

    error = UIOMOVE((caddr_t)sockp->sa_data, hlen, UIO_WRITE, uio);

    if (error) {

      goto bad;

    }

  }

  error = UIOMOVE(mtod(m, caddr_t), len - hlen, UIO_WRITE, uio);

  if (error) {

    goto bad;

  }

  /* Check for multicast destination */

  switch (linktype) {

  case DLT_EN10MB: {

    struct ether_header *eh;

    eh = mtod(m, struct ether_header *);

    if (ETHER_IS_MULTICAST(eh->ether_dhost)) {

      if (_ether_cmp(etherbroadcastaddr,

          eh->ether_dhost) == 0) {

        m->m_flags |= M_BCAST;

      } else {

        m->m_flags |= M_MCAST;

      }

    }

    break;

  }

  }

  return 0;

bad:

  m_freem(m);

  return error;

}

#ifdef __APPLE__

/*

 * The dynamic addition of a new device node must block all processes that

 * are opening the last device so that no process will get an unexpected

 * ENOENT

 */

static void

bpf_make_dev_t(int maj)

{

  static int              bpf_growing = 0;

  unsigned int    cur_size = nbpfilter, i;

  if (nbpfilter >= bpf_maxdevices) {

    return;

  }

  while (bpf_growing) {

    /* Wait until new device has been created */

    (void) tsleep((caddr_t)&bpf_growing, PZERO, "bpf_growing", 0);

  }

  if (nbpfilter > cur_size) {

    /* other thread grew it already */

    return;

  }

  bpf_growing = 1;

  /* need to grow bpf_dtab first */

  if (nbpfilter == bpf_dtab_size) {

    int new_dtab_size;

    struct bpf_d **new_dtab = NULL;

    struct bpf_d **old_dtab = NULL;

    new_dtab_size = bpf_dtab_size + NBPFILTER;

    new_dtab = (struct bpf_d **)_MALLOC(

      sizeof(struct bpf_d *) * new_dtab_size, M_DEVBUF, M_WAIT);

    if (new_dtab == 0) {

      printf("bpf_make_dev_t: malloc bpf_dtab failed\n");

      goto done;

    }

    if (bpf_dtab) {

      bcopy(bpf_dtab, new_dtab,

          sizeof(struct bpf_d *) * bpf_dtab_size);

    }

    bzero(new_dtab + bpf_dtab_size,

        sizeof(struct bpf_d *) * NBPFILTER);

    old_dtab = bpf_dtab;

    bpf_dtab = new_dtab;

    bpf_dtab_size = new_dtab_size;

    if (old_dtab != NULL) {

      _FREE(old_dtab, M_DEVBUF);

    }

  }

  i = nbpfilter++;

  (void) devfs_make_node(makedev(maj, i),

      DEVFS_CHAR, UID_ROOT, GID_WHEEL, 0600,

      "bpf%d", i);

done:

  bpf_growing = 0;

  wakeup((caddr_t)&bpf_growing);

}

#endif

/*

 * Attach file to the bpf interface, i.e. make d listen on bp.

 */

static errno_t

bpf_attachd(struct bpf_d *d, struct bpf_if *bp)

{

  int first = bp->bif_dlist == NULL;

  int     error = 0;

  /*

   * Point d at bp, and add d to the interface's list of listeners.

   * Finally, point the driver's bpf cookie at the interface so

   * it will divert packets to bpf.

   */

  d->bd_bif = bp;

  d->bd_next = bp->bif_dlist;

  bp->bif_dlist = d;

  /*

   * Take a reference on the device even if an error is returned

   * because we keep the device in the interface's list of listeners

   */

  bpf_acquire_d(d);

  if (first) {

    /* Find the default bpf entry for this ifp */

    if (bp->bif_ifp->if_bpf == NULL) {

      struct bpf_if   *tmp, *primary = NULL;

      for (tmp = bpf_iflist; tmp; tmp = tmp->bif_next) {

        if (tmp->bif_ifp == bp->bif_ifp) {

          primary = tmp;

          break;

        }

      }

      bp->bif_ifp->if_bpf = primary;

    }

    /* Only call dlil_set_bpf_tap for primary dlt */

    if (bp->bif_ifp->if_bpf == bp) {

      dlil_set_bpf_tap(bp->bif_ifp, BPF_TAP_INPUT_OUTPUT,

          bpf_tap_callback);

    }

    if (bp->bif_tap != NULL) {

      error = bp->bif_tap(bp->bif_ifp, bp->bif_dlt,

          BPF_TAP_INPUT_OUTPUT);

    }

  }

  /*

   * Reset the detach flags in case we previously detached an interface

   */

  d->bd_flags &= ~(BPF_DETACHING | BPF_DETACHED);

  if (bp->bif_dlt == DLT_PKTAP) {

    d->bd_flags |= BPF_FINALIZE_PKTAP;

  } else {

    d->bd_flags &= ~BPF_FINALIZE_PKTAP;

  }

  return error;

}

/*

 * Detach a file from its interface.

 *

 * Return 1 if was closed by some thread, 0 otherwise

 */

static int

bpf_detachd(struct bpf_d *d, int closing)

{

  struct bpf_d **p;

  struct bpf_if *bp;

  struct ifnet  *ifp;

  int bpf_closed = d->bd_flags & BPF_CLOSING;

  /*

   * Some other thread already detached

   */

  if ((d->bd_flags & (BPF_DETACHED | BPF_DETACHING)) != 0) {

    goto done;

  }

  /*

   * This thread is doing the detach

   */

  d->bd_flags |= BPF_DETACHING;

  ifp = d->bd_bif->bif_ifp;

  bp = d->bd_bif;

  if (bpf_debug != 0) {

    printf("%s: %llx %s%s\n",

        __func__, (uint64_t)VM_KERNEL_ADDRPERM(d),

        if_name(ifp), closing ? " closing" : "");

  }

  /* Remove d from the interface's descriptor list. */

  p = &bp->bif_dlist;

  while (*p != d) {

    p = &(*p)->bd_next;

    if (*p == 0) {

      panic("bpf_detachd: descriptor not in list");

    }

  }

  *p = (*p)->bd_next;

  if (bp->bif_dlist == 0) {

    /*

     * Let the driver know that there are no more listeners.

     */

    /* Only call dlil_set_bpf_tap for primary dlt */

    if (bp->bif_ifp->if_bpf == bp) {

      dlil_set_bpf_tap(ifp, BPF_TAP_DISABLE, NULL);

    }

    if (bp->bif_tap) {

      bp->bif_tap(ifp, bp->bif_dlt, BPF_TAP_DISABLE);

    }

    for (bp = bpf_iflist; bp; bp = bp->bif_next) {

      if (bp->bif_ifp == ifp && bp->bif_dlist != 0) {

        break;

      }

    }

    if (bp == NULL) {

      ifp->if_bpf = NULL;

    }

  }

  d->bd_bif = NULL;

  /*

   * Check if this descriptor had requested promiscuous mode.

   * If so, turn it off.

   */

  if (d->bd_promisc) {

    d->bd_promisc = 0;

    lck_mtx_unlock(bpf_mlock);

    if (ifnet_set_promiscuous(ifp, 0)) {

      /*

       * Something is really wrong if we were able to put

       * the driver into promiscuous mode, but can't

       * take it out.

       * Most likely the network interface is gone.

       */

      printf("%s: ifnet_set_promiscuous failed\n", __func__);

    }

    lck_mtx_lock(bpf_mlock);

  }

  /*

   * Wake up other thread that are waiting for this thread to finish

   * detaching

   */

  d->bd_flags &= ~BPF_DETACHING;

  d->bd_flags |= BPF_DETACHED;

  /* Refresh the local variable as d could have been modified */

  bpf_closed = d->bd_flags & BPF_CLOSING;

  /*

   * Note that We've kept the reference because we may have dropped

   * the lock when turning off promiscuous mode

   */

  bpf_release_d(d);

done:

  /*

   * When closing makes sure no other thread refer to the bpf_d

   */

  if (bpf_debug != 0) {

    printf("%s: %llx done\n",

        __func__, (uint64_t)VM_KERNEL_ADDRPERM(d));

  }

  /*

   * Let the caller know the bpf_d is closed

   */

  if (bpf_closed) {

    return 1;

  } else {

    return 0;

  }

}

/*

 * Start asynchronous timer, if necessary.

 * Must be called with bpf_mlock held.

 */

static void

bpf_start_timer(struct bpf_d *d)

{

  uint64_t deadline;

  struct timeval tv;

  if (d->bd_rtout > 0 && d->bd_state == BPF_IDLE) {

    tv.tv_sec = d->bd_rtout / hz;

    tv.tv_usec = (d->bd_rtout % hz) * tick;

    clock_interval_to_deadline(

      (uint64_t)tv.tv_sec * USEC_PER_SEC + tv.tv_usec,

      NSEC_PER_USEC, &deadline);

    /*

     * The state is BPF_IDLE, so the timer hasn't

     * been started yet, and hasn't gone off yet;

     * there is no thread call scheduled, so this

     * won't change the schedule.

     *

     * XXX - what if, by the time it gets entered,

     * the deadline has already passed?

     */

    thread_call_enter_delayed(d->bd_thread_call, deadline);

    d->bd_state = BPF_WAITING;

  }

}

/*

 * Cancel asynchronous timer.

 * Must be called with bpf_mlock held.

 */

static boolean_t

bpf_stop_timer(struct bpf_d *d)

{

  /*

   * If the timer has already gone off, this does nothing.

   * Our caller is expected to set d->bd_state to BPF_IDLE,

   * with the bpf_mlock, after we are called. bpf_timed_out()

   * also grabs bpf_mlock, so, if the timer has gone off and

   * bpf_timed_out() hasn't finished, it's waiting for the

   * lock; when this thread releases the lock, it will

   * find the state is BPF_IDLE, and just release the

   * lock and return.

   */

  return thread_call_cancel(d->bd_thread_call);

}

void

bpf_acquire_d(struct bpf_d *d)

{

  void *lr_saved =  __builtin_return_address(0);

  LCK_MTX_ASSERT(bpf_mlock, LCK_MTX_ASSERT_OWNED);

  d->bd_refcnt += 1;

  d->bd_ref_lr[d->bd_next_ref_lr] = lr_saved;

  d->bd_next_ref_lr = (d->bd_next_ref_lr + 1) % BPF_REF_HIST;

}

void

bpf_release_d(struct bpf_d *d)

{

  void *lr_saved =  __builtin_return_address(0);

  LCK_MTX_ASSERT(bpf_mlock, LCK_MTX_ASSERT_OWNED);

  if (d->bd_refcnt <= 0) {

    panic("%s: %p refcnt <= 0", __func__, d);

  }

  d->bd_refcnt -= 1;

  d->bd_unref_lr[d->bd_next_unref_lr] = lr_saved;

  d->bd_next_unref_lr = (d->bd_next_unref_lr + 1) % BPF_REF_HIST;

  if (d->bd_refcnt == 0) {

    /* Assert the device is detached */

    if ((d->bd_flags & BPF_DETACHED) == 0) {

      panic("%s: %p BPF_DETACHED not set", __func__, d);

    }

    _FREE(d, M_DEVBUF);

  }

}

/*

 * Open ethernet device.  Returns ENXIO for illegal minor device number,

 * EBUSY if file is open by another process.

 */

/* ARGSUSED */

int

bpfopen(dev_t dev, int flags, __unused int fmt,

    struct proc *p)

{

  struct bpf_d *d;

  lck_mtx_lock(bpf_mlock);

  if ((unsigned int) minor(dev) >= nbpfilter) {

    lck_mtx_unlock(bpf_mlock);

    return ENXIO;

  }

  /*

   * New device nodes are created on demand when opening the last one.

   * The programming model is for processes to loop on the minor starting

   * at 0 as long as EBUSY is returned. The loop stops when either the

   * open succeeds or an error other that EBUSY is returned. That means

   * that bpf_make_dev_t() must block all processes that are opening the

   * last  node. If not all processes are blocked, they could unexpectedly

   * get ENOENT and abort their opening loop.

   */

  if ((unsigned int) minor(dev) == (nbpfilter - 1)) {

    bpf_make_dev_t(major(dev));

  }

  /*

   * Each minor can be opened by only one process.  If the requested

   * minor is in use, return EBUSY.

   *

   * Important: bpfopen() and bpfclose() have to check and set the status

   * of a device in the same lockin context otherwise the device may be

   * leaked because the vnode use count will be unpextectly greater than 1

   * when close() is called.

   */

  if (bpf_dtab[minor(dev)] == NULL) {

    /* Reserve while opening */

    bpf_dtab[minor(dev)] = BPF_DEV_RESERVED;

  } else {

    lck_mtx_unlock(bpf_mlock);

    return EBUSY;

  }

  d = (struct bpf_d *)_MALLOC(sizeof(struct bpf_d), M_DEVBUF,

      M_WAIT | M_ZERO);

  if (d == NULL) {

    /* this really is a catastrophic failure */

    printf("bpfopen: malloc bpf_d failed\n");

    bpf_dtab[minor(dev)] = NULL;

    lck_mtx_unlock(bpf_mlock);

    return ENOMEM;

  }

  /* Mark "in use" and do most initialization. */

  bpf_acquire_d(d);

  d->bd_bufsize = bpf_bufsize;

  d->bd_sig = SIGIO;

  d->bd_seesent = 1;

  d->bd_oflags = flags;

  d->bd_state = BPF_IDLE;

  d->bd_traffic_class = SO_TC_BE;

  d->bd_flags |= BPF_DETACHED;

  if (bpf_wantpktap) {

    d->bd_flags |= BPF_WANT_PKTAP;

  } else {

    d->bd_flags &= ~BPF_WANT_PKTAP;

  }

  d->bd_thread_call = thread_call_allocate(bpf_timed_out, d);

  if (d->bd_thread_call == NULL) {

    printf("bpfopen: malloc thread call failed\n");

    bpf_dtab[minor(dev)] = NULL;

    bpf_release_d(d);

    lck_mtx_unlock(bpf_mlock);

    return ENOMEM;

  }

  d->bd_opened_by = p;

  uuid_generate(d->bd_uuid);

  bpf_dtab[minor(dev)] = d; /* Mark opened */

  lck_mtx_unlock(bpf_mlock);

  return 0;

}

/*

 * Close the descriptor by detaching it from its interface,

 * deallocating its buffers, and marking it free.

 */

/* ARGSUSED */

int

bpfclose(dev_t dev, __unused int flags, __unused int fmt,

    __unused struct proc *p)

{

  struct bpf_d *d;

  /* Take BPF lock to ensure no other thread is using the device */

  lck_mtx_lock(bpf_mlock);

  d = bpf_dtab[minor(dev)];

  if (d == NULL || d == BPF_DEV_RESERVED) {

    lck_mtx_unlock(bpf_mlock);

    return ENXIO;

  }

  /*

   * Other threads may call bpd_detachd() if we drop the bpf_mlock

   */

  d->bd_flags |= BPF_CLOSING;

  if (bpf_debug != 0) {

    printf("%s: %llx\n",

        __func__, (uint64_t)VM_KERNEL_ADDRPERM(d));

  }

  bpf_dtab[minor(dev)] = BPF_DEV_RESERVED; /* Reserve while closing */

  /*

   * Deal with any in-progress timeouts.

   */

  switch (d->bd_state) {

  case BPF_IDLE:

    /*

     * Not waiting for a timeout, and no timeout happened.

     */

    break;

  case BPF_WAITING:

    /*

     * Waiting for a timeout.

     * Cancel any timer that has yet to go off,

     * and mark the state as "closing".

     * Then drop the lock to allow any timers that

     * *have* gone off to run to completion, and wait

     * for them to finish.

     */

    if (!bpf_stop_timer(d)) {

      /*

       * There was no pending call, so the call must

       * have been in progress. Wait for the call to

       * complete; we have to drop the lock while

       * waiting. to let the in-progrss call complete

       */

      d->bd_state = BPF_DRAINING;

      while (d->bd_state == BPF_DRAINING) {

        msleep((caddr_t)d, bpf_mlock, PRINET,

            "bpfdraining", NULL);

      }

    }

    d->bd_state = BPF_IDLE;

    break;

  case BPF_TIMED_OUT:

    /*

     * Timer went off, and the timeout routine finished.

     */

    d->bd_state = BPF_IDLE;

    break;

  case BPF_DRAINING:

    /*

     * Another thread is blocked on a close waiting for

     * a timeout to finish.

     * This "shouldn't happen", as the first thread to enter

     * bpfclose() will set bpf_dtab[minor(dev)] to 1, and

     * all subsequent threads should see that and fail with

     * ENXIO.

     */

    panic("Two threads blocked in a BPF close");

    break;

  }

  if (d->bd_bif) {

    bpf_detachd(d, 1);

  }

  selthreadclear(&d->bd_sel);

  thread_call_free(d->bd_thread_call);

  while (d->bd_hbuf_read != 0) {

    msleep((caddr_t)d, bpf_mlock, PRINET, "bpf_reading", NULL);

  }

  bpf_freed(d);

  /* Mark free in same context as bpfopen comes to check */