/*
 * Copyright (c) 2000-2001 Boris Popov
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    This product includes software developed by Boris Popov.
 * 4. Neither the name of the author nor the names of any co-contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: smb_iod.c,v 1.32 2005/02/12 00:17:09 lindak Exp $
 */

/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Portions Copyright (C) 2001 - 2013 Apple Inc. All rights reserved.
 * Copyright 2019 Nexenta Systems, Inc.  All rights reserved.
 */

#ifdef DEBUG
/* See sys/queue.h */
#define	QUEUEDEBUG 1
#endif

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/atomic.h>
#include <sys/proc.h>
#include <sys/thread.h>
#include <sys/file.h>
#include <sys/kmem.h>
#include <sys/unistd.h>
#include <sys/mount.h>
#include <sys/vnode.h>
#include <sys/types.h>
#include <sys/ddi.h>
#include <sys/sunddi.h>
#include <sys/stream.h>
#include <sys/strsun.h>
#include <sys/time.h>
#include <sys/class.h>
#include <sys/disp.h>
#include <sys/cmn_err.h>
#include <sys/zone.h>
#include <sys/sdt.h>

#include <netsmb/smb_osdep.h>

#include <netsmb/smb.h>
#include <netsmb/smb2.h>
#include <netsmb/smb_conn.h>
#include <netsmb/smb_rq.h>
#include <netsmb/smb2_rq.h>
#include <netsmb/smb_subr.h>
#include <netsmb/smb_tran.h>
#include <netsmb/smb_trantcp.h>

/*
 * SMB messages are up to 64K.  Let's leave room for two.
 * If we negotiate up to SMB2, increase these. XXX todo
 */
static int smb_tcpsndbuf = 0x20000;
static int smb_tcprcvbuf = 0x20000;
static int smb_connect_timeout = 10; /* seconds */

static int smb1_iod_process(smb_vc_t *, mblk_t *);
static int smb2_iod_process(smb_vc_t *, mblk_t *);
static int smb_iod_send_echo(smb_vc_t *, cred_t *cr);
static int smb_iod_logoff(struct smb_vc *vcp, cred_t *cr);

/*
 * This is set/cleared when smbfs loads/unloads
 * No locks should be necessary, because smbfs
 * can't unload until all the mounts are gone.
 */
static smb_fscb_t *fscb;

void
smb_fscb_set(smb_fscb_t *cb)
{
	fscb = cb;
}
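
/*
 * Illustrative sketch (not code in this module): smbfs is expected
 * to register its callback vector around module load/unload, along
 * these lines (the smbfs-side handler names are hypothetical):
 *
 *	static smb_fscb_t smbfs_fscb = {
 *		... .fscb_disconn and .fscb_connect set to the
 *		... (hypothetical) smbfs disconnect/connect handlers
 *	};
 *	smb_fscb_set(&smbfs_fscb);	at _init()
 *	smb_fscb_set(NULL);		before _fini()
 */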

static void
smb_iod_share_disconnected(smb_share_t *ssp)
{

	smb_share_invalidate(ssp);

	/*
	 * This is the only fscb hook smbfs currently uses.
	 * Replaces smbfs_dead() from Darwin.
	 */
	if (fscb && fscb->fscb_disconn) {
		fscb->fscb_disconn(ssp);
	}
}

/*
 * State changes are important and infrequent.
 * Make them easily observable via dtrace.
 */
void
smb_iod_newstate(struct smb_vc *vcp, int state)
{
	vcp->vc_state = state;
}
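
/*
 * Example (sketch): with DTrace available, the transitions can be
 * watched via the fbt provider, e.g.:
 *
 *	dtrace -n 'fbt::smb_iod_newstate:entry
 *	    { printf("vcp=%p state=%d", (void *)arg0, (int)arg1); }'
 */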

/* Lock Held version of the next function. */
static inline void
smb_iod_rqprocessed_LH(
	struct smb_rq *rqp,
	int error,
	int flags)
{
	rqp->sr_flags |= flags;
	rqp->sr_lerror = error;
	rqp->sr_rpgen++;
	rqp->sr_state = SMBRQ_NOTIFIED;
	cv_broadcast(&rqp->sr_cond);
}

static void
smb_iod_rqprocessed(
	struct smb_rq *rqp,
	int error,
	int flags)
{

	SMBRQ_LOCK(rqp);
	smb_iod_rqprocessed_LH(rqp, error, flags);
	SMBRQ_UNLOCK(rqp);
}

static void
smb_iod_invrq(struct smb_vc *vcp)
{
	struct smb_rq *rqp;

	/*
	 * Invalidate all outstanding requests for this connection
	 * Also wakeup iod_muxwant waiters.
	 */
	rw_enter(&vcp->iod_rqlock, RW_READER);
	TAILQ_FOREACH(rqp, &vcp->iod_rqlist, sr_link) {
		smb_iod_rqprocessed(rqp, ENOTCONN, SMBR_RESTART);
	}
	rw_exit(&vcp->iod_rqlock);
	cv_broadcast(&vcp->iod_muxwait);
}

/*
 * Called by smb_vc_rele/smb_vc_kill on last ref, and by
 * the driver close function if the IOD closes its minor.
 * In those cases, the caller should be the IOD thread.
 *
 * Forcibly kill the connection.
 */
void
smb_iod_disconnect(struct smb_vc *vcp)
{

	/*
	 * Inform everyone of the state change.
	 */
	SMB_VC_LOCK(vcp);
	if (vcp->vc_state != SMBIOD_ST_DEAD) {
		smb_iod_newstate(vcp, SMBIOD_ST_DEAD);
		cv_broadcast(&vcp->vc_statechg);
	}
	SMB_VC_UNLOCK(vcp);

	SMB_TRAN_DISCONNECT(vcp);
}

/*
 * Send one request.
 *
 * SMB1 only
 *
 * Called by _addrq (for internal requests)
 * and _sendall (via _addrq, _multirq, _waitrq)
 * Errors are reported via the smb_rq, using:
 *   smb_iod_rqprocessed(rqp, ...)
 */
static void
smb1_iod_sendrq(struct smb_rq *rqp)
{
	struct smb_vc *vcp = rqp->sr_vc;
	mblk_t *m;
	int error;

	ASSERT(vcp);
	ASSERT(RW_WRITE_HELD(&vcp->iod_rqlock));
	ASSERT((vcp->vc_flags & SMBV_SMB2) == 0);

	/*
	 * Internal requests are allowed in any state;
	 * otherwise should be active.
	 */
	if ((rqp->sr_flags & SMBR_INTERNAL) == 0 &&
	    vcp->vc_state != SMBIOD_ST_VCACTIVE) {
		SMBIODEBUG("bad vc_state=%d\n", vcp->vc_state);
		smb_iod_rqprocessed(rqp, ENOTCONN, SMBR_RESTART);
		return;
	}

	/*
	 * Overwrite the SMB header with the assigned MID and
	 * (if we're signing) sign it.
	 */
	smb_rq_fillhdr(rqp);
	if (rqp->sr_rqflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) {
		smb_rq_sign(rqp);
	}

	/*
	 * The transport send consumes the message and we'd
	 * prefer to keep a copy, so dupmsg() before sending.
	 */
	m = dupmsg(rqp->sr_rq.mb_top);
	if (m == NULL) {
		error = ENOBUFS;
		goto fatal;
	}

#ifdef DTRACE_PROBE2
	DTRACE_PROBE2(iod_sendrq,
	    (smb_rq_t *), rqp, (mblk_t *), m);
#endif

	error = SMB_TRAN_SEND(vcp, m);
	m = 0; /* consumed by SEND */

	rqp->sr_lerror = error;
	if (error == 0) {
		SMBRQ_LOCK(rqp);
		rqp->sr_flags |= SMBR_SENT;
		rqp->sr_state = SMBRQ_SENT;
		SMBRQ_UNLOCK(rqp);
		return;
	}
	/*
	 * Transport send returned an error.
	 * Was it a fatal one?
	 */
	if (SMB_TRAN_FATAL(vcp, error)) {
		/*
		 * No further attempts should be made
		 */
	fatal:
		SMBSDEBUG("TRAN_SEND returned fatal error %d\n", error);
		smb_iod_rqprocessed(rqp, error, SMBR_RESTART);
		return;
	}
}
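
/*
 * Example (sketch): the iod_sendrq SDT probe above (also fired by
 * the SMB2 variant below) can be consumed from DTrace, e.g.:
 *
 *	dtrace -n 'sdt:::iod_sendrq { trace(arg0); trace(arg1); }'
 */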

/*
 * Send one request.
 *
 * SMB2 only
 *
 * Called by _addrq (for internal requests)
 * and _sendall (via _addrq, _multirq, _waitrq)
 * Errors are reported via the smb_rq, using:
 *   smb_iod_rqprocessed(rqp, ...)
 */
static void
smb2_iod_sendrq(struct smb_rq *rqp)
{
	struct smb_rq *c_rqp;	/* compound */
	struct smb_vc *vcp = rqp->sr_vc;
	mblk_t *top_m;
	mblk_t *cur_m;
	int error;

	ASSERT(vcp);
	ASSERT(RW_WRITE_HELD(&vcp->iod_rqlock));
	ASSERT((vcp->vc_flags & SMBV_SMB2) != 0);

	/*
	 * Internal requests are allowed in any state;
	 * otherwise should be active.
	 */
	if ((rqp->sr_flags & SMBR_INTERNAL) == 0 &&
	    vcp->vc_state != SMBIOD_ST_VCACTIVE) {
		SMBIODEBUG("bad vc_state=%d\n", vcp->vc_state);
		smb_iod_rqprocessed(rqp, ENOTCONN, SMBR_RESTART);
		return;
	}

	/*
	 * Overwrite the SMB header with the assigned MID and
	 * (if we're signing) sign it.  If there are compounded
	 * requests after the top one, do those too.
	 */
	smb2_rq_fillhdr(rqp);
	if (rqp->sr2_rqflags & SMB2_FLAGS_SIGNED) {
		smb2_rq_sign(rqp);
	}
	c_rqp = rqp->sr2_compound_next;
	while (c_rqp != NULL) {
		smb2_rq_fillhdr(c_rqp);
		if (c_rqp->sr2_rqflags & SMB2_FLAGS_SIGNED) {
			smb2_rq_sign(c_rqp);
		}
		c_rqp = c_rqp->sr2_compound_next;
	}

	/*
	 * The transport send consumes the message and we'd
	 * prefer to keep a copy, so dupmsg() before sending.
	 * We also need this to build the compound message
	 * that we'll actually send.  The message offset at
	 * the start of each compounded message should be
	 * eight-byte aligned.  The caller preparing the
	 * compounded request has to take care of that
	 * before we get here and sign messages etc.
	 */
	top_m = dupmsg(rqp->sr_rq.mb_top);
	if (top_m == NULL) {
		error = ENOBUFS;
		goto fatal;
	}
	c_rqp = rqp->sr2_compound_next;
	while (c_rqp != NULL) {
		size_t len = msgdsize(top_m);
		ASSERT((len & 7) == 0);
		cur_m = dupmsg(c_rqp->sr_rq.mb_top);
		if (cur_m == NULL) {
			freemsg(top_m);
			error = ENOBUFS;
			goto fatal;
		}
		linkb(top_m, cur_m);
		/* Advance, or this loop never terminates. */
		c_rqp = c_rqp->sr2_compound_next;
	}

	DTRACE_PROBE2(iod_sendrq,
	    (smb_rq_t *), rqp, (mblk_t *), top_m);

	error = SMB_TRAN_SEND(vcp, top_m);
	top_m = 0; /* consumed by SEND */

	rqp->sr_lerror = error;
	if (error == 0) {
		SMBRQ_LOCK(rqp);
		rqp->sr_flags |= SMBR_SENT;
		rqp->sr_state = SMBRQ_SENT;
		SMBRQ_UNLOCK(rqp);
		return;
	}
	/*
	 * Transport send returned an error.
	 * Was it a fatal one?
	 */
	if (SMB_TRAN_FATAL(vcp, error)) {
		/*
		 * No further attempts should be made
		 */
	fatal:
		SMBSDEBUG("TRAN_SEND returned fatal error %d\n", error);
		smb_iod_rqprocessed(rqp, error, SMBR_RESTART);
		return;
	}
}

/*
 * Receive one NetBIOS (or NBT over TCP) message.  If none have arrived,
 * wait up to SMB_NBTIMO (15 sec.) for one to arrive, and then if still
 * none have arrived, return ETIME.
 */
static int
smb_iod_recvmsg(struct smb_vc *vcp, mblk_t **mpp)
{
	mblk_t *m;
	int error;

top:
	m = NULL;
	error = SMB_TRAN_RECV(vcp, &m);
	if (error == EAGAIN)
		goto top;
	if (error)
		return (error);
	ASSERT(m != NULL);

	m = m_pullup(m, 4);
	if (m == NULL) {
		return (ENOSR);
	}

	*mpp = m;
	return (0);
}

/*
 * How long should we keep around an unused VC (connection)?
 * There's usually a good chance connections will be reused,
 * so the default is to keep such connections for 5 min.
 */
#ifdef	DEBUG
int smb_iod_idle_keep_time = 60;	/* seconds */
#else
int smb_iod_idle_keep_time = 300;	/* seconds */
#endif
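
/*
 * Example (sketch): as a global variable this can be tuned without
 * rebuilding, e.g. from /etc/system (assuming this file is built
 * into the "nsmb" module):
 *
 *	set nsmb:smb_iod_idle_keep_time = 600
 */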

/*
 * Process incoming packets
 *
 * This is the "reader" loop, run by the IOD thread.  Normally we're in
 * state SMBIOD_ST_VCACTIVE here, but during reconnect we're called in
 * other states with poll==TRUE.
 *
 * A non-zero error return here causes the IOD work loop to terminate.
 */
int
smb_iod_recvall(struct smb_vc *vcp, boolean_t poll)
{
	mblk_t *m;
	int error = 0;
	int etime_idle = 0;	/* How many 15 sec. "ticks" idle. */
	int etime_count = 0;	/* ... and when we have requests. */

	for (;;) {
		/*
		 * Check whether someone "killed" this VC,
		 * or is asking the IOD to terminate.
		 */
		if (vcp->iod_flags & SMBIOD_SHUTDOWN) {
			SMBIODEBUG("SHUTDOWN set\n");
			/* This IOD thread will terminate. */
			SMB_VC_LOCK(vcp);
			smb_iod_newstate(vcp, SMBIOD_ST_DEAD);
			cv_broadcast(&vcp->vc_statechg);
			SMB_VC_UNLOCK(vcp);
			error = EINTR;
			break;
		}

		m = NULL;
		error = smb_iod_recvmsg(vcp, &m);

		/*
		 * Internal requests (reconnecting) call this in a loop
		 * (with poll==TRUE) until the request completes.
		 */
		if (error == ETIME && poll)
			break;

		if (error == ETIME &&
		    vcp->iod_rqlist.tqh_first != NULL) {

			/*
			 * Nothing received and requests waiting.
			 * Increment etime_count.  If we were idle,
			 * skip the 1st tick, because we started
			 * waiting before there were any requests.
			 */
			if (etime_idle != 0) {
				etime_idle = 0;
			} else if (etime_count < INT16_MAX) {
				etime_count++;
			}

			/*
			 * ETIME and requests in the queue.
			 * The first time this happens (at 15 sec.),
			 * log an error (just once).
			 */
			if (etime_count > 0 &&
			    vcp->iod_noresp == B_FALSE) {
				vcp->iod_noresp = B_TRUE;
				zprintf(vcp->vc_zoneid,
				    "SMB server %s not responding\n",
				    vcp->vc_srvname);
			}
			/*
			 * At 30 sec. try sending an echo, which
			 * should cause some response.
			 */
			if (etime_count == 2) {
				SMBIODEBUG("send echo\n");
				(void) smb_iod_send_echo(vcp, CRED());
			}
			/*
			 * At 45 sec. give up on the connection
			 * and try to reconnect.
			 */
			if (etime_count == 3) {
				SMB_VC_LOCK(vcp);
				smb_iod_newstate(vcp, SMBIOD_ST_RECONNECT);
				SMB_VC_UNLOCK(vcp);
				SMB_TRAN_DISCONNECT(vcp);
				break;
			}
			continue;
		} /* ETIME and requests in the queue */

		if (error == ETIME) {
			/*
			 * Nothing received and no active requests.
			 *
			 * If we've received nothing from the server for
			 * smb_iod_idle_keep_time seconds, and the IOD
			 * thread holds the last reference to this VC,
			 * move to state IDLE and drop the TCP session.
			 * The IDLE handler will destroy the VC unless
			 * vc_state goes to RECONNECT before then.
			 */
			etime_count = 0;
			if (etime_idle < INT16_MAX)
				etime_idle++;
			if ((etime_idle * SMB_NBTIMO) <
			    smb_iod_idle_keep_time)
				continue;
			SMB_VC_LOCK(vcp);
			if (vcp->vc_co.co_usecount == 1) {
				smb_iod_newstate(vcp, SMBIOD_ST_IDLE);
				SMB_VC_UNLOCK(vcp);
				SMBIODEBUG("logoff & disconnect\n");
				(void) smb_iod_logoff(vcp, CRED());
				SMB_TRAN_DISCONNECT(vcp);
				error = 0;
				break;
			}
			SMB_VC_UNLOCK(vcp);
			continue;
		} /* error == ETIME */

		if (error) {
			/*
			 * The recv above returned an error indicating
			 * that our TCP session is no longer usable.
			 * Disconnect the session and get ready to
			 * reconnect.  If we have pending requests,
			 * move to state reconnect immediately;
			 * otherwise move to state IDLE until a
			 * request is issued on this VC.
			 */
			SMB_VC_LOCK(vcp);
			if (vcp->iod_rqlist.tqh_first != NULL)
				smb_iod_newstate(vcp, SMBIOD_ST_RECONNECT);
			else
				smb_iod_newstate(vcp, SMBIOD_ST_IDLE);
			cv_broadcast(&vcp->vc_statechg);
			SMB_VC_UNLOCK(vcp);
			SMB_TRAN_DISCONNECT(vcp);
			break;
		}

		/*
		 * Received something.  Yea!
		 */
		etime_count = 0;
		etime_idle = 0;

		/*
		 * If we just completed a reconnect after logging
		 * "SMB server %s not responding" then log OK now.
		 */
		if (vcp->iod_noresp) {
			vcp->iod_noresp = B_FALSE;
			zprintf(vcp->vc_zoneid, "SMB server %s OK\n",
			    vcp->vc_srvname);
		}

		if ((vcp->vc_flags & SMBV_SMB2) != 0) {
			error = smb2_iod_process(vcp, m);
		} else {
			error = smb1_iod_process(vcp, m);
		}

		/*
		 * Reconnect calls this in a loop with poll==TRUE.
		 * We've received a response, so break now.
		 */
		if (poll) {
			error = 0;
			break;
		}
	}

	return (error);
}
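
/*
 * To summarize the escalation above: each "tick" is one SMB_NBTIMO
 * (15 sec.) receive timeout taken while requests are pending, so
 * with the constants used above:
 *
 *	tick 1 (15 sec.)  log "SMB server ... not responding"
 *	tick 2 (30 sec.)  send an SMB echo request
 *	tick 3 (45 sec.)  disconnect and go to state RECONNECT
 */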

/*
 * Have what should be an SMB1 reply.  Check and parse the header,
 * then use the message ID to find the request this belongs to and
 * post it on that request.
 *
 * Returns an error if the reader should give up.
 * To be safe, error if we read garbage.
 */
static int
smb1_iod_process(smb_vc_t *vcp, mblk_t *m)
{
	struct mdchain md;
	struct smb_rq *rqp;
	uint8_t cmd, sig[4];
	uint16_t mid;
	int err, skip;

	m = m_pullup(m, SMB_HDRLEN);
	if (m == NULL)
		return (ENOMEM);

	/*
	 * Note: Intentionally do NOT md_done(&md)
	 * because that would free the message and
	 * we just want to peek here.
	 */
	md_initm(&md, m);

	/*
	 * Check the SMB header version and get the MID.
	 *
	 * The header version should be SMB1 except when we're
	 * doing SMB1-to-SMB2 negotiation, in which case we may
	 * see an SMB2 header with message ID=0 (only allowed in
	 * vc_state == SMBIOD_ST_CONNECTED -- negotiating).
	 */
	err = md_get_mem(&md, sig, 4, MB_MSYSTEM);
	if (err)
		return (err);
	if (sig[1] != 'S' || sig[2] != 'M' || sig[3] != 'B') {
		goto bad_hdr;
	}
	switch (sig[0]) {
	case SMB_HDR_V1:	/* SMB1 */
		md_get_uint8(&md, &cmd);
		/* Skip to and get the MID. At offset 5 now. */
		skip = SMB_HDR_OFF_MID - 5;
		md_get_mem(&md, NULL, skip, MB_MSYSTEM);
		err = md_get_uint16le(&md, &mid);
		if (err)
			return (err);
		break;
	case SMB_HDR_V2:	/* SMB2+ */
		if (vcp->vc_state == SMBIOD_ST_CONNECTED) {
			/*
			 * No need to look, can only be
			 * MID=0, cmd=negotiate
			 */
			cmd = SMB_COM_NEGOTIATE;
			mid = 0;
			break;
		}
		/* FALLTHROUGH */
	bad_hdr:
	default:
		SMBIODEBUG("Bad SMB hdr\n");
		m_freem(m);
		return (EPROTO);
	}

	/*
	 * Find the request and post the reply
	 */
	rw_enter(&vcp->iod_rqlock, RW_READER);
	TAILQ_FOREACH(rqp, &vcp->iod_rqlist, sr_link) {

		if (rqp->sr_mid != mid)
			continue;

		DTRACE_PROBE2(iod_post_reply,
		    (smb_rq_t *), rqp, (mblk_t *), m);
		m_dumpm(m);

		SMBRQ_LOCK(rqp);
		if (rqp->sr_rp.md_top == NULL) {
			md_initm(&rqp->sr_rp, m);
		} else {
			if (rqp->sr_flags & SMBR_MULTIPACKET) {
				md_append_record(&rqp->sr_rp, m);
			} else {
				SMBRQ_UNLOCK(rqp);
				rqp = NULL;
				break;
			}
		}
		smb_iod_rqprocessed_LH(rqp, 0, 0);
		SMBRQ_UNLOCK(rqp);
		break;
	}
	rw_exit(&vcp->iod_rqlock);

	if (rqp == NULL) {
		if (cmd != SMB_COM_ECHO) {
			SMBSDEBUG("drop resp: MID 0x%04x\n", (uint_t)mid);
		}
		m_freem(m);
		/*
		 * Keep going.  It's possible this reply came
		 * after the request timed out and went away.
		 */
	}
	return (0);
}
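
/*
 * For reference, the SMB1 header layout the parser above relies on
 * (byte offsets from the start of the SMB message, per MS-CIFS;
 * noted here as an aid, not authoritative):
 *
 *	0	0xFF 'S' 'M' 'B'	signature (4 bytes)
 *	4	command			(1 byte)
 *	5-29	status, flags, flags2, PID high, security
 *		signature, reserved, TID, PID low, UID
 *	30	MID			(2 bytes, little-endian)
 *
 * which is why the code above skips SMB_HDR_OFF_MID - 5 bytes
 * after reading the 4-byte signature and 1-byte command.
 */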

/*
 * Have what should be an SMB2 reply.  Check and parse the header,
 * then use the message ID to find the request this belongs to and
 * post it on that request.
 *
 * We also want to apply any credit grant in this reply now,
 * rather than waiting for the owner to wake up.
 */
static int
smb2_iod_process(smb_vc_t *vcp, mblk_t *m)
{
	struct mdchain md;
	struct smb_rq *rqp;
	uint8_t sig[4];
	mblk_t *next_m = NULL;
	uint64_t message_id, async_id;
	uint32_t flags, next_cmd_off, status;
	uint16_t command, credits_granted;
	int err;

top:
	m = m_pullup(m, SMB2_HDRLEN);
	if (m == NULL)
		return (ENOMEM);

	/*
	 * Note: Intentionally do NOT md_done(&md)
	 * because that would free the message and
	 * we just want to peek here.
	 */
	md_initm(&md, m);

	/*
	 * Check the SMB header.  Must be SMB2
	 * (and later, could be SMB3 encrypted)
	 */
	err = md_get_mem(&md, sig, 4, MB_MSYSTEM);
	if (err)
		return (err);
	if (sig[1] != 'S' || sig[2] != 'M' || sig[3] != 'B') {
		goto bad_hdr;
	}
	switch (sig[0]) {
	case SMB_HDR_V2:
		break;
	case SMB_HDR_V3E:
		/*
		 * Todo: If encryption enabled, decrypt the message
		 * and restart processing on the cleartext.
		 */
		/* FALLTHROUGH */
	bad_hdr:
	default:
		SMBIODEBUG("Bad SMB2 hdr\n");
		m_freem(m);
		return (EPROTO);
	}

	/*
	 * Parse the rest of the SMB2 header,
	 * skipping what we don't need.
	 */
	md_get_uint32le(&md, NULL);	/* length, credit_charge */
	md_get_uint32le(&md, &status);
	md_get_uint16le(&md, &command);
	md_get_uint16le(&md, &credits_granted);
	md_get_uint32le(&md, &flags);
	md_get_uint32le(&md, &next_cmd_off);
	md_get_uint64le(&md, &message_id);
	if (flags & SMB2_FLAGS_ASYNC_COMMAND) {
		md_get_uint64le(&md, &async_id);
	} else {
		/* PID, TID (not needed) */
		async_id = 0;
	}

	/*
	 * If this is a compound reply, split it.
	 * Next must be 8-byte aligned.
	 */
	if (next_cmd_off != 0) {
		if ((next_cmd_off & 7) != 0)
			SMBIODEBUG("Misaligned next cmd\n");
		else
			next_m = m_split(m, next_cmd_off, 1);
	}

	/*
	 * SMB2 Negotiate may return zero credits_granted,
	 * in which case we should assume it granted one.
	 */
	if (command == SMB2_NEGOTIATE && credits_granted == 0)
		credits_granted = 1;

	/*
	 * Apply the credit grant
	 */
	rw_enter(&vcp->iod_rqlock, RW_WRITER);
	vcp->vc2_limit_message_id += credits_granted;

	/*
	 * Find the request and post the reply
	 */
	rw_downgrade(&vcp->iod_rqlock);
	TAILQ_FOREACH(rqp, &vcp->iod_rqlist, sr_link) {

		if (rqp->sr2_messageid != message_id)
			continue;

		DTRACE_PROBE2(iod_post_reply,
		    (smb_rq_t *), rqp, (mblk_t *), m);
		m_dumpm(m);

		/*
		 * If this is an interim response, just save the
		 * async ID but don't wake up the request.
		 * Don't need SMBRQ_LOCK for this.
		 */
		if (status == NT_STATUS_PENDING && async_id != 0) {
			rqp->sr2_rspasyncid = async_id;
			m_freem(m);
			break;
		}

		SMBRQ_LOCK(rqp);
		if (rqp->sr_rp.md_top == NULL) {
			md_initm(&rqp->sr_rp, m);
		} else {
			SMBRQ_UNLOCK(rqp);
			rqp = NULL;
			break;
		}
		smb_iod_rqprocessed_LH(rqp, 0, 0);
		SMBRQ_UNLOCK(rqp);
		break;
	}
	rw_exit(&vcp->iod_rqlock);

	if (rqp == NULL) {
		if (command != SMB2_ECHO) {
			SMBSDEBUG("drop resp: MID %lld\n",
			    (long long)message_id);
		}
		m_freem(m);
		/*
		 * Keep going.  It's possible this reply came
		 * after the request timed out and went away.
		 */
	}

	/*
	 * If we split a compound reply, continue with the
	 * next part of the compound.  Clear next_m so the
	 * loop terminates after the final part.
	 */
	if (next_m != NULL) {
		m = next_m;
		next_m = NULL;
		goto top;
	}

	return (0);
}
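
/*
 * For reference, the SMB2 header fields in the order parsed above
 * (per MS-SMB2 section 2.2.1; noted as an aid, not authoritative):
 *
 *	ProtocolId (4), StructureSize (2), CreditCharge (2),
 *	Status (4), Command (2), CreditRequest/CreditResponse (2),
 *	Flags (4), NextCommand (4), MessageId (8), then either
 *	AsyncId (8) or Reserved+TreeId (4+4), SessionId (8),
 *	Signature (16).
 */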

/*
 * The IOD receiver thread has requests pending and
 * has not received anything in a while.  Try to
 * send an SMB echo request.  It's tricky to do a
 * send from the IOD thread because we can't block.
 *
 * Using tmo=SMBNOREPLYWAIT in the request
 * so smb_rq_reply will skip smb_iod_waitrq.
 * The smb_smb_echo call uses SMBR_INTERNAL
 * to avoid calling smb_iod_sendall().
 */
static int
smb_iod_send_echo(smb_vc_t *vcp, cred_t *cr)
{
	smb_cred_t scred;
	int err, tmo = SMBNOREPLYWAIT;

	ASSERT(vcp->iod_thr == curthread);

	smb_credinit(&scred, cr);
	if ((vcp->vc_flags & SMBV_SMB2) != 0) {
		err = smb2_smb_echo(vcp, &scred, tmo);
	} else {
		err = smb_smb_echo(vcp, &scred, tmo);
	}
	smb_credrele(&scred);
	return (err);
}

/*
 * Helper for smb1_iod_addrq, smb2_iod_addrq
 * Returns zero if interrupted, else 1.
 */
static int
smb_iod_muxwait(smb_vc_t *vcp, boolean_t sig_ok)
{
	int rc;

	SMB_VC_LOCK(vcp);
	vcp->iod_muxwant++;
	if (sig_ok) {
		rc = cv_wait_sig(&vcp->iod_muxwait, &vcp->vc_lock);
	} else {
		cv_wait(&vcp->iod_muxwait, &vcp->vc_lock);
		rc = 1;
	}
	vcp->iod_muxwant--;
	SMB_VC_UNLOCK(vcp);

	return (rc);
}

/*
 * Place request in the queue, and send it.
 * Called with no locks held.
 *
 * Called for SMB1 only
 *
 * The logic for how we limit active requests differs between
 * SMB1 and SMB2.  With SMB1 it's a simple counter, iod_muxcnt.
 */
int
smb1_iod_addrq(struct smb_rq *rqp)
{
	struct smb_vc *vcp = rqp->sr_vc;
	uint16_t need;
	boolean_t sig_ok =
	    (rqp->sr_flags & SMBR_NOINTR_SEND) == 0;

	ASSERT(rqp->sr_cred);
	ASSERT((vcp->vc_flags & SMBV_SMB2) == 0);

	rqp->sr_owner = curthread;

	rw_enter(&vcp->iod_rqlock, RW_WRITER);

recheck:
	/*
	 * Internal requests can be added in any state,
	 * but normal requests only in state active.
	 */
	if ((rqp->sr_flags & SMBR_INTERNAL) == 0 &&
	    vcp->vc_state != SMBIOD_ST_VCACTIVE) {
		SMBIODEBUG("bad vc_state=%d\n", vcp->vc_state);
		rw_exit(&vcp->iod_rqlock);
		return (ENOTCONN);
	}

	/*
	 * If we're at the limit of active requests, block until
	 * enough requests complete so we can make ours active.
	 * Wakeup in smb_iod_removerq().
	 *
	 * Normal callers leave one slot free, so internal
	 * callers can have the last slot if needed.
	 */
	need = 1;
	if ((rqp->sr_flags & SMBR_INTERNAL) == 0)
		need++;
	if ((vcp->iod_muxcnt + need) > vcp->vc_maxmux) {
		rw_exit(&vcp->iod_rqlock);
		if (rqp->sr_flags & SMBR_INTERNAL)
			return (EBUSY);
		if (smb_iod_muxwait(vcp, sig_ok) == 0)
			return (EINTR);
		rw_enter(&vcp->iod_rqlock, RW_WRITER);
		goto recheck;
	}

	/*
	 * Add this request to the active list and send it.
	 */
	rqp->sr_mid = vcp->vc_next_mid++;
	/* If signing, set the signing sequence numbers. */
	if (vcp->vc_mackey != NULL && (rqp->sr_rqflags2 &
	    SMB_FLAGS2_SECURITY_SIGNATURE) != 0) {
		rqp->sr_seqno = vcp->vc_next_seq++;
		rqp->sr_rseqno = vcp->vc_next_seq++;
	}
	vcp->iod_muxcnt++;
	TAILQ_INSERT_TAIL(&vcp->iod_rqlist, rqp, sr_link);
	smb1_iod_sendrq(rqp);

	rw_exit(&vcp->iod_rqlock);
	return (0);
}
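
/*
 * Worked example of the limit logic above: with vc_maxmux = 50,
 * a normal request computes need = 2, so it blocks in
 * smb_iod_muxwait once iod_muxcnt reaches 49; an internal
 * request (need = 1) can still take the 50th and last slot.
 */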

/*
 * Place request in the queue, and send it.
 * Called with no locks held.
 *
 * Called for SMB2 only.
 *
 * With SMB2 we have a range of valid message IDs, and we may
 * only send requests when we can assign a message ID within
 * the valid range.  We may need to wait here for some active
 * request to finish (and update vc2_limit_message_id) before
 * we can get message IDs for our new request(s).  Another
 * difference is that the request sequence we're waiting to
 * add here may require multiple message IDs, due to either
 * compounding or multi-credit requests.  Therefore we need
 * to wait for the availability of however many message IDs
 * are required by our request sequence.
 */
int
smb2_iod_addrq(struct smb_rq *rqp)
{
	struct smb_vc *vcp = rqp->sr_vc;
	struct smb_rq *c_rqp;	/* compound req */
	uint16_t charge;
	boolean_t sig_ok =
	    (rqp->sr_flags & SMBR_NOINTR_SEND) == 0;

	ASSERT(rqp->sr_cred != NULL);
	ASSERT((vcp->vc_flags & SMBV_SMB2) != 0);

	/*
	 * Figure out the credit charges
	 * No multi-credit messages yet.
	 */
	rqp->sr2_totalcreditcharge = rqp->sr2_creditcharge;
	c_rqp = rqp->sr2_compound_next;
	while (c_rqp != NULL) {
		rqp->sr2_totalcreditcharge += c_rqp->sr2_creditcharge;
		c_rqp = c_rqp->sr2_compound_next;
	}

	/*
	 * Internal requests must not be compounded
	 * and should use exactly one credit.
	 */
	if (rqp->sr_flags & SMBR_INTERNAL) {
		if (rqp->sr2_compound_next != NULL) {
			ASSERT(0);
			return (EINVAL);
		}
	}

	rqp->sr_owner = curthread;

	rw_enter(&vcp->iod_rqlock, RW_WRITER);

recheck:
	/*
	 * Internal requests can be added in any state,
	 * but normal requests only in state active.
	 */
	if ((rqp->sr_flags & SMBR_INTERNAL) == 0 &&
	    vcp->vc_state != SMBIOD_ST_VCACTIVE) {
		SMBIODEBUG("bad vc_state=%d\n", vcp->vc_state);
		rw_exit(&vcp->iod_rqlock);
		return (ENOTCONN);
	}

	/*
	 * If we're at the limit of active requests, block until
	 * enough requests complete so we can make ours active.
	 * Wakeup in smb_iod_removerq().
	 *
	 * Normal callers leave one slot free, so internal
	 * callers can have the last slot if needed.
	 */
	charge = rqp->sr2_totalcreditcharge;
	if ((rqp->sr_flags & SMBR_INTERNAL) == 0)
		charge++;
	if ((vcp->vc2_next_message_id + charge) >
	    vcp->vc2_limit_message_id) {
		rw_exit(&vcp->iod_rqlock);
		if (rqp->sr_flags & SMBR_INTERNAL)
			return (EBUSY);
		if (smb_iod_muxwait(vcp, sig_ok) == 0)
			return (EINTR);
		rw_enter(&vcp->iod_rqlock, RW_WRITER);
		goto recheck;
	}

	/*
	 * Add this request to the active list and send it.
	 * For SMB2 we may have a sequence of compounded
	 * requests, in which case we must add them all.
	 * They're sent as a compound in smb2_iod_sendrq.
	 */

	rqp->sr2_messageid = vcp->vc2_next_message_id;
	vcp->vc2_next_message_id += rqp->sr2_creditcharge;
	TAILQ_INSERT_TAIL(&vcp->iod_rqlist, rqp, sr_link);

	c_rqp = rqp->sr2_compound_next;
	while (c_rqp != NULL) {
		c_rqp->sr2_messageid = vcp->vc2_next_message_id;
		vcp->vc2_next_message_id += c_rqp->sr2_creditcharge;
		TAILQ_INSERT_TAIL(&vcp->iod_rqlist, c_rqp, sr_link);
		c_rqp = c_rqp->sr2_compound_next;
	}
	smb2_iod_sendrq(rqp);

	rw_exit(&vcp->iod_rqlock);
	return (0);
}
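
/*
 * Worked example of the window check above: with
 * vc2_next_message_id = 100 and vc2_limit_message_id = 110,
 * a normal request sequence whose total credit charge is 9
 * computes charge = 10, and 100 + 10 <= 110 just fits; a
 * total charge of 10 would block in smb_iod_muxwait until
 * reply credits move vc2_limit_message_id up.
 */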

/*
 * Mark an SMBR_MULTIPACKET request as
 * needing another send.  Similar to the
 * "normal" part of smb1_iod_addrq.
 * Only used by SMB1
 */
int
smb1_iod_multirq(struct smb_rq *rqp)
{
	struct smb_vc *vcp = rqp->sr_vc;

	ASSERT(rqp->sr_flags & SMBR_MULTIPACKET);

	if (vcp->vc_flags & SMBV_SMB2) {
		ASSERT(!"SMB2?");
		return (EINVAL);
	}

	if (rqp->sr_flags & SMBR_INTERNAL)
		return (EINVAL);

	if (vcp->vc_state != SMBIOD_ST_VCACTIVE) {
		SMBIODEBUG("bad vc_state=%d\n", vcp->vc_state);
		return (ENOTCONN);
	}

	rw_enter(&vcp->iod_rqlock, RW_WRITER);

	/* Already on iod_rqlist, just reset state. */
	rqp->sr_state = SMBRQ_NOTSENT;
	smb1_iod_sendrq(rqp);

	rw_exit(&vcp->iod_rqlock);

	return (0);
}

/*
 * Remove a request from the active list, and
 * wake up requests waiting to go active.
 *
 * Shared by SMB1 + SMB2
 *
 * The logic for how we limit active requests differs between
 * SMB1 and SMB2.  With SMB1 it's a simple counter, iod_muxcnt.
 * With SMB2 we have a range of valid message IDs, and when we
 * retire the oldest request we need to keep track of what is
 * now the oldest message ID.  In both cases, after we take a
 * request out of the list here, we should be able to wake up
 * a request waiting to get in the active list.
 */
void
smb_iod_removerq(struct smb_rq *rqp)
{
	struct smb_rq *rqp2;
	struct smb_vc *vcp = rqp->sr_vc;
	boolean_t was_head = B_FALSE;

	rw_enter(&vcp->iod_rqlock, RW_WRITER);

#ifdef QUEUEDEBUG
	/*
	 * Make sure we have not already removed it.
	 * See sys/queue.h QUEUEDEBUG_TAILQ_POSTREMOVE
	 * XXX: Don't like the constant 1 here...
	 */
	ASSERT(rqp->sr_link.tqe_next != (void *)1L);
#endif

	if (TAILQ_FIRST(&vcp->iod_rqlist) == rqp)
		was_head = B_TRUE;
	TAILQ_REMOVE(&vcp->iod_rqlist, rqp, sr_link);
	if (vcp->vc_flags & SMBV_SMB2) {
		rqp2 = TAILQ_FIRST(&vcp->iod_rqlist);
		if (was_head && rqp2 != NULL) {
			/* Do we still need this? */
			vcp->vc2_oldest_message_id =
			    rqp2->sr2_messageid;
		}
	} else {
		ASSERT(vcp->iod_muxcnt > 0);
		vcp->iod_muxcnt--;
	}

	rw_exit(&vcp->iod_rqlock);

	/*
	 * If there are requests waiting for "mux" slots,
	 * wake one.
	 */
	SMB_VC_LOCK(vcp);
	if (vcp->iod_muxwant != 0)
		cv_signal(&vcp->iod_muxwait);
	SMB_VC_UNLOCK(vcp);
}

/*
 * Wait for a request to complete.
 */
int
smb_iod_waitrq(struct smb_rq *rqp)
{
	struct smb_vc *vcp = rqp->sr_vc;
	clock_t tr, tmo1, tmo2;
	int error;

	if (rqp->sr_flags & SMBR_INTERNAL) {
		/* XXX - Do we ever take this path now? */
		return (smb_iod_waitrq_int(rqp));
	}

	/*
	 * Make sure this is NOT the IOD thread,
	 * or the wait below will stop the reader.
	 */
	ASSERT(curthread != vcp->iod_thr);

	SMBRQ_LOCK(rqp);

	/*
	 * The request has been sent.  Now wait for the response,
	 * with the timeout specified for this request.
	 * Compute all the deadlines now, so we effectively
	 * start the timer(s) after the request is sent.
	 */
	if (smb_timo_notice && (smb_timo_notice < rqp->sr_timo))
		tmo1 = SEC_TO_TICK(smb_timo_notice);
	else
		tmo1 = 0;
	tmo2 = ddi_get_lbolt() + SEC_TO_TICK(rqp->sr_timo);

	/*
	 * As above, we don't want to allow interrupt for some
	 * requests like open, because we could miss a successful
	 * response and therefore "leak" a FID.  Such requests
	 * are marked SMBR_NOINTR_RECV to prevent that.
	 *
	 * If "slow server" warnings are enabled, wait first
	 * for the "notice" timeout, and warn if expired.
	 */
	if (tmo1 && rqp->sr_rpgen == rqp->sr_rplast) {
		if (rqp->sr_flags & SMBR_NOINTR_RECV)
			tr = cv_reltimedwait(&rqp->sr_cond,
			    &rqp->sr_lock, tmo1, TR_CLOCK_TICK);
		else
			tr = cv_reltimedwait_sig(&rqp->sr_cond,
			    &rqp->sr_lock, tmo1, TR_CLOCK_TICK);
		if (tr == 0) {
			error = EINTR;
			goto out;
		}
		if (tr < 0) {
			DTRACE_PROBE1(smb_iod_waitrq1,
			    (smb_rq_t *), rqp);
		}
	}

	/*
	 * Keep waiting until tmo2 is expired.
	 */
	while (rqp->sr_rpgen == rqp->sr_rplast) {
		if (rqp->sr_flags & SMBR_NOINTR_RECV)
			tr = cv_timedwait(&rqp->sr_cond,
			    &rqp->sr_lock, tmo2);
		else
			tr = cv_timedwait_sig(&rqp->sr_cond,
			    &rqp->sr_lock, tmo2);
		if (tr == 0) {
			error = EINTR;
			goto out;
		}
		if (tr < 0) {
			DTRACE_PROBE1(smb_iod_waitrq2,
			    (smb_rq_t *), rqp);
			error = ETIME;
			goto out;
		}
		/* got wakeup */
	}
	error = rqp->sr_lerror;
	rqp->sr_rplast++;

out:
	SMBRQ_UNLOCK(rqp);

	/*
	 * MULTIPACKET requests must stay in the list.
	 * They may need additional responses.
	 */
	if ((rqp->sr_flags & SMBR_MULTIPACKET) == 0)
		smb_iod_removerq(rqp);

	return (error);
}
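
/*
 * Example (sketch): the smb_iod_waitrq1/smb_iod_waitrq2 probes
 * above make slow-server waits observable with DTrace, e.g.:
 *
 *	dtrace -n 'sdt:::smb_iod_waitrq1, sdt:::smb_iod_waitrq2
 *	    { trace(arg0); }'
 */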

/*
 * Internal variant of smb_iod_waitrq(), for use in
 * requests run by the IOD (reader) thread itself.
 * Block only long enough to receive one reply.
 */
int
smb_iod_waitrq_int(struct smb_rq *rqp)
{
	struct smb_vc *vcp = rqp->sr_vc;
	int timeleft = rqp->sr_timo;
	int error;

	ASSERT((rqp->sr_flags & SMBR_MULTIPACKET) == 0);
again:
	error = smb_iod_recvall(vcp, B_TRUE);
	if (error == ETIME) {
		/* We waited SMB_NBTIMO sec. */
		timeleft -= SMB_NBTIMO;
		if (timeleft > 0)
			goto again;
	}

	smb_iod_removerq(rqp);
	if (rqp->sr_state != SMBRQ_NOTIFIED)
		error = ETIME;

	return (error);
}

/*
 * Shutdown all outstanding I/O requests on the specified share with
 * ENXIO; used when unmounting a share.  (There shouldn't be any for a
 * non-forced unmount; if this is a forced unmount, we have to shutdown
 * the requests as part of the unmount process.)
 */
void
smb_iod_shutdown_share(struct smb_share *ssp)
{
	struct smb_vc *vcp = SSTOVC(ssp);
	struct smb_rq *rqp;

	/*
	 * Loop through the list of requests and shutdown the ones
	 * that are for the specified share.
	 */
	rw_enter(&vcp->iod_rqlock, RW_READER);
	TAILQ_FOREACH(rqp, &vcp->iod_rqlist, sr_link) {
		if (rqp->sr_state != SMBRQ_NOTIFIED && rqp->sr_share == ssp)
			smb_iod_rqprocessed(rqp, EIO, 0);
	}
	rw_exit(&vcp->iod_rqlock);
}

/*
 * Ioctl functions called by the user-level I/O Daemon (IOD)
 * to bring up and service a connection to some SMB server.
 */

/*
 * Handle ioctl SMBIOC_IOD_CONNECT
 */
int
nsmb_iod_connect(struct smb_vc *vcp, cred_t *cr)
{
	int err, val;

	ASSERT(vcp->iod_thr == curthread);

	if (vcp->vc_state != SMBIOD_ST_RECONNECT) {
		cmn_err(CE_NOTE, "iod_connect: bad state %d", vcp->vc_state);
		return (EINVAL);
	}

	/*
	 * Putting a TLI endpoint back in the right state for a new
	 * connection is a bit tricky.  In theory, this could be:
	 *	SMB_TRAN_DISCONNECT(vcp);
	 *	SMB_TRAN_UNBIND(vcp);
	 * but that method often results in TOUTSTATE errors.
	 * It's easier to just close it and open a new endpoint.
	 */
	SMB_VC_LOCK(vcp);
	if (vcp->vc_tdata)
		SMB_TRAN_DONE(vcp);
	err = SMB_TRAN_CREATE(vcp, cr);
	SMB_VC_UNLOCK(vcp);
	if (err != 0)
		return (err);

	/*
	 * Set various options on this endpoint.
	 * Keep going in spite of errors.
	 */
	val = smb_tcpsndbuf;
	err = SMB_TRAN_SETPARAM(vcp, SMBTP_SNDBUF, &val);
	if (err != 0) {
		cmn_err(CE_NOTE, "iod_connect: setopt SNDBUF, err=%d", err);
	}
	val = smb_tcprcvbuf;
	err = SMB_TRAN_SETPARAM(vcp, SMBTP_RCVBUF, &val);
	if (err != 0) {
		cmn_err(CE_NOTE, "iod_connect: setopt RCVBUF, err=%d", err);
	}
	val = 1;
	err = SMB_TRAN_SETPARAM(vcp, SMBTP_KEEPALIVE, &val);
	if (err != 0) {
		cmn_err(CE_NOTE, "iod_connect: setopt KEEPALIVE, err=%d", err);
	}
	val = 1;
	err = SMB_TRAN_SETPARAM(vcp, SMBTP_TCP_NODELAY, &val);
	if (err != 0) {
		cmn_err(CE_NOTE, "iod_connect: setopt TCP_NODELAY err=%d", err);
	}
	val = smb_connect_timeout * 1000;
	err = SMB_TRAN_SETPARAM(vcp, SMBTP_TCP_CON_TMO, &val);
	if (err != 0) {
		cmn_err(CE_NOTE, "iod_connect: setopt TCP con tmo err=%d", err);
	}

	/*
	 * Bind and connect
	 */
	err = SMB_TRAN_BIND(vcp, NULL);
	if (err != 0) {
		cmn_err(CE_NOTE, "iod_connect: t_kbind: err=%d", err);
		/* Continue on and try connect. */
	}
	err = SMB_TRAN_CONNECT(vcp, &vcp->vc_srvaddr.sa);
	/*
	 * No cmn_err here, as connect failures are normal, i.e.
	 * when a server has multiple addresses and only some are
	 * routed for us. (libsmbfs tries them all)
	 */
	if (err == 0) {
		SMB_VC_LOCK(vcp);
		smb_iod_newstate(vcp, SMBIOD_ST_CONNECTED);
		SMB_VC_UNLOCK(vcp);
	} /* else stay in state reconnect */

	return (err);
}

/*
 * Handle ioctl SMBIOC_IOD_NEGOTIATE
 * Do the whole SMB1/SMB2 negotiate
 *
 * This is where we send our first request to the server.
 * If this is the first time we're talking to this server,
 * (meaning not a reconnect) then we don't know whether
 * the server supports SMB2, so we need to use the weird
 * SMB1-to-SMB2 negotiation. That's where we send an SMB1
 * negotiate including dialect "SMB 2.???" and if the
 * server supports SMB2 we get an SMB2 reply -- Yes, an
 * SMB2 reply to an SMB1 request.  A strange protocol...
 *
 * If on the other hand we already know the server supports
 * SMB2 (because this is a reconnect) or if the client side
 * has disabled SMB1 entirely, we'll skip the SMB1 part.
 */
int
nsmb_iod_negotiate(struct smb_vc *vcp, cred_t *cr)
{
	struct smb_sopt *sv = &vcp->vc_sopt;
	smb_cred_t scred;
	int err = 0;

	ASSERT(vcp->iod_thr == curthread);

	smb_credinit(&scred, cr);

	if (vcp->vc_state != SMBIOD_ST_CONNECTED) {
		cmn_err(CE_NOTE, "iod_negotiate: bad state %d", vcp->vc_state);
		err = EINVAL;
		goto out;
	}

	if (vcp->vc_maxver == 0 || vcp->vc_minver > vcp->vc_maxver) {
		err = EINVAL;
		goto out;
	}

	/*
	 * (Re)init negotiated values
	 */
	bzero(sv, sizeof (*sv));
	vcp->vc2_next_message_id = 0;
	vcp->vc2_limit_message_id = 1;
	vcp->vc2_session_id = 0;
	vcp->vc_next_seq = 0;

	/*
	 * If this was reconnect, get rid of the old MAC key
	 * and session key.
	 */
	SMB_VC_LOCK(vcp);
	if (vcp->vc_mackey != NULL) {
		kmem_free(vcp->vc_mackey, vcp->vc_mackeylen);
		vcp->vc_mackey = NULL;
		vcp->vc_mackeylen = 0;
	}
	if (vcp->vc_ssnkey != NULL) {
		kmem_free(vcp->vc_ssnkey, vcp->vc_ssnkeylen);
		vcp->vc_ssnkey = NULL;
		vcp->vc_ssnkeylen = 0;
	}
	SMB_VC_UNLOCK(vcp);

	/*
	 * If this is not an SMB2 reconnect (SMBV_SMB2 not set),
	 * and if SMB1 is enabled, do SMB1 negotiate.  Then
	 * if either SMB1-to-SMB2 negotiate tells us we should
	 * switch to SMB2, or the local configuration has
	 * disabled SMB1, set the SMBV_SMB2 flag.
	 *
	 * Note that vc_maxver is handled in smb_smb_negotiate
	 * so we never get sv_proto == SMB_DIALECT_SMB2_FF when
	 * the local configuration disables SMB2, and therefore
	 * we won't set the SMBV_SMB2 flag.
	 */
	if ((vcp->vc_flags & SMBV_SMB2) == 0) {
		if (vcp->vc_minver < SMB2_DIALECT_BASE) {
			/*
			 * SMB1 is enabled
			 */
			err = smb_smb_negotiate(vcp, &scred);
			if (err != 0)
				goto out;
		}
		/*
		 * If SMB1-to-SMB2 negotiate told us we should
		 * switch to SMB2, or if the local configuration
		 * disables SMB1, set the SMB2 flag.
		 */
		if (sv->sv_proto == SMB_DIALECT_SMB2_FF ||
		    vcp->vc_minver >= SMB2_DIALECT_BASE) {
			/*
			 * Switch this VC to SMB2.
			 */
			SMB_VC_LOCK(vcp);
			vcp->vc_flags |= SMBV_SMB2;
			SMB_VC_UNLOCK(vcp);
		}
	}

	/*
	 * If this is an SMB2 reconnect (SMBV_SMB2 was set before this
	 * function was called), or SMB1-to-SMB2 negotiate indicated
	 * we should switch to SMB2, or we have SMB1 disabled (both
	 * cases set SMBV_SMB2 above), then do SMB2 negotiate.
	 */
	if ((vcp->vc_flags & SMBV_SMB2) != 0) {
		err = smb2_smb_negotiate(vcp, &scred);
	}

out:
	if (err == 0) {
		SMB_VC_LOCK(vcp);
		smb_iod_newstate(vcp, SMBIOD_ST_NEGOTIATED);
		SMB_VC_UNLOCK(vcp);
	}
	/*
	 * (else) leave state as it was.
	 * User-level will either close this handle (if connecting
	 * for the first time) or call rcfail and then try again.
	 */

	smb_credrele(&scred);

	return (err);
}

/*
 * Handle ioctl SMBIOC_IOD_SSNSETUP
 * Do either SMB1 or SMB2 session setup (one call/reply)
 */
int
nsmb_iod_ssnsetup(struct smb_vc *vcp, cred_t *cr)
{
	smb_cred_t scred;
	int err;

	ASSERT(vcp->iod_thr == curthread);

	switch (vcp->vc_state) {
	case SMBIOD_ST_NEGOTIATED:
	case SMBIOD_ST_AUTHCONT:
		break;
	default:
		return (EINVAL);
	}

	smb_credinit(&scred, cr);
	if (vcp->vc_flags & SMBV_SMB2)
		err = smb2_smb_ssnsetup(vcp, &scred);
	else
		err = smb_smb_ssnsetup(vcp, &scred);
	smb_credrele(&scred);

	SMB_VC_LOCK(vcp);
	switch (err) {
	case 0:
		smb_iod_newstate(vcp, SMBIOD_ST_AUTHOK);
		break;
	case EINPROGRESS:	/* MORE_PROCESSING_REQUIRED */
		smb_iod_newstate(vcp, SMBIOD_ST_AUTHCONT);
		break;
	default:
		smb_iod_newstate(vcp, SMBIOD_ST_AUTHFAIL);
		break;
	}
	SMB_VC_UNLOCK(vcp);

	return (err);
}

static int
smb_iod_logoff(struct smb_vc *vcp, cred_t *cr)
{
	smb_cred_t scred;
	int err;

	ASSERT(vcp->iod_thr == curthread);

	smb_credinit(&scred, cr);
	if (vcp->vc_flags & SMBV_SMB2)
		err = smb2_smb_logoff(vcp, &scred);
	else
		err = smb_smb_logoff(vcp, &scred);
	smb_credrele(&scred);

	return (err);
}

/*
 * Handle ioctl SMBIOC_IOD_WORK
 *
 * The smbiod agent calls this after authentication to become
 * the reader for this session, so long as that's possible.
 * This should only return non-zero if we want that agent to
 * give up on this VC permanently.
 */
/* ARGSUSED */
int
smb_iod_vc_work(struct smb_vc *vcp, int flags, cred_t *cr)
{
	smbioc_ssn_work_t *wk = &vcp->vc_work;
	int err = 0;

	/*
	 * This is called by the one-and-only
	 * IOD thread for this VC.
	 */
	ASSERT(vcp->iod_thr == curthread);

	/*
	 * Should be in state...
	 */
	if (vcp->vc_state != SMBIOD_ST_AUTHOK) {
		cmn_err(CE_NOTE, "iod_vc_work: bad state %d", vcp->vc_state);
		return (EINVAL);
	}

	/*
	 * Update the session key and initialize SMB signing.
	 *
	 * This implementation does not use multiple SMB sessions per
	 * TCP connection (where only the first session key is used)
	 * so we always have a new session key here.  Sanity check the
	 * length from user space.  Normally 16 or 32.
	 */
	if (wk->wk_u_ssnkey_len > 1024) {
		cmn_err(CE_NOTE, "iod_vc_work: ssn key too long");
		return (EINVAL);
	}

	ASSERT(vcp->vc_ssnkey == NULL);
	SMB_VC_LOCK(vcp);
	if (wk->wk_u_ssnkey_len != 0 &&
	    wk->wk_u_ssnkey_buf.lp_ptr != NULL) {
		vcp->vc_ssnkeylen = wk->wk_u_ssnkey_len;
		vcp->vc_ssnkey = kmem_alloc(vcp->vc_ssnkeylen, KM_SLEEP);
		if (ddi_copyin(wk->wk_u_ssnkey_buf.lp_ptr,
		    vcp->vc_ssnkey, vcp->vc_ssnkeylen, flags) != 0) {
			err = EFAULT;
		}
	}
	SMB_VC_UNLOCK(vcp);
	if (err)
		return (err);

	/*
	 * If we have a session key, derive the MAC key for SMB signing.
	 * If this was a NULL session, we might have no session key.
	 */
	ASSERT(vcp->vc_mackey == NULL);
	if (vcp->vc_ssnkey != NULL) {
		if (vcp->vc_flags & SMBV_SMB2)
			err = smb2_sign_init(vcp);
		else
			err = smb_sign_init(vcp);
		if (err != 0)
			return (err);
	}

	/*
	 * Tell any enqueued requests they can start.
	 */
	SMB_VC_LOCK(vcp);
	vcp->vc_genid++;	/* possibly new connection */
	smb_iod_newstate(vcp, SMBIOD_ST_VCACTIVE);
	cv_broadcast(&vcp->vc_statechg);
	SMB_VC_UNLOCK(vcp);

	/*
	 * The above cv_broadcast should be sufficient to
	 * get requests going again.
	 *
	 * If we have a callback function, run it.
	 * Was: smb_iod_notify_connected()
	 */
	if (fscb && fscb->fscb_connect)
		smb_vc_walkshares(vcp, fscb->fscb_connect);

	/*
	 * Run the "reader" loop.  An error return here is normal
	 * (i.e. when we need to reconnect) so ignore errors.
	 * Note: This call updates the vc_state.
	 */
	(void) smb_iod_recvall(vcp, B_FALSE);

	/*
	 * The reader loop returned, so we must have a
	 * new state.  (disconnected or reconnecting)
	 *
	 * Notify shares of the disconnect.
	 * Was: smb_iod_notify_disconnect()
	 */
	smb_vc_walkshares(vcp, smb_iod_share_disconnected);

	/*
	 * The reader loop function returns only when
	 * there's been an error on the connection, or
	 * this VC has no more references.  It also
	 * updates the state before it returns.
	 *
	 * Tell any requests to give up or restart.
	 */
	smb_iod_invrq(vcp);

	return (err);
}

/*
 * Handle ioctl SMBIOC_IOD_IDLE
 *
 * Wait around for someone to ask to use this VC again after the
 * TCP session has closed.  When one of the connected trees adds a
 * request, smb_iod_reconnect will set vc_state to RECONNECT and
 * wake this cv_wait.  When a VC ref. goes away in smb_vc_rele,
 * that also signals this wait so we can re-check whether we
 * now hold the last ref. on this VC (and can destroy it).
 */
int
smb_iod_vc_idle(struct smb_vc *vcp)
{
	int err = 0;
	boolean_t destroy = B_FALSE;

	/*
	 * This is called by the one-and-only
	 * IOD thread for this VC.
	 */
	ASSERT(vcp->iod_thr == curthread);

	/*
	 * Should be in state...
	 */
	if (vcp->vc_state != SMBIOD_ST_IDLE &&
	    vcp->vc_state != SMBIOD_ST_RECONNECT) {
		cmn_err(CE_NOTE, "iod_vc_idle: bad state %d", vcp->vc_state);
		return (EINVAL);
	}

	SMB_VC_LOCK(vcp);

	while (vcp->vc_state == SMBIOD_ST_IDLE &&
	    vcp->vc_co.co_usecount > 1) {
		if (cv_wait_sig(&vcp->iod_idle, &vcp->vc_lock) == 0) {
			err = EINTR;
			break;
		}
	}
	if (vcp->vc_state == SMBIOD_ST_IDLE &&
	    vcp->vc_co.co_usecount == 1) {
		/*
		 * We were woken because we now have the last ref.
		 * Arrange for this VC to be destroyed now.
		 * Set the "GONE" flag while holding the lock,
		 * to prevent a race with new references.
		 * The destroy happens after unlock.
		 */
		vcp->vc_flags |= SMBV_GONE;
		destroy = B_TRUE;
	}

	SMB_VC_UNLOCK(vcp);

	if (destroy) {
		/* This sets vc_state = DEAD */
		smb_iod_disconnect(vcp);
	}

	return (err);
}

/*
 * Handle ioctl SMBIOC_IOD_RCFAIL
 *
 * After a failed reconnect attempt, smbiod will
 * call this to make current requests error out.
 */
int
smb_iod_vc_rcfail(struct smb_vc *vcp)
{
	clock_t tr;
	int err = 0;

	/*
	 * This is called by the one-and-only
	 * IOD thread for this VC.
	 */
	ASSERT(vcp->iod_thr == curthread);
	SMB_VC_LOCK(vcp);

	smb_iod_newstate(vcp, SMBIOD_ST_RCFAILED);
	cv_broadcast(&vcp->vc_statechg);

	/*
	 * Short wait here for two reasons:
	 * (1) Give requests a chance to error out.
	 * (2) Prevent immediate retry.
	 */
	tr = cv_reltimedwait_sig(&vcp->iod_idle, &vcp->vc_lock,
	    SEC_TO_TICK(5), TR_CLOCK_TICK);
	if (tr == 0)
		err = EINTR;

	/*
	 * Normally we'll switch to state IDLE here.  However,
	 * if something called smb_iod_reconnect() while we were
	 * waiting above, we'll be in state RECONNECT already.
	 * In that case, keep state RECONNECT, so we essentially
	 * skip the transition through state IDLE that would
	 * normally happen next.
	 */
	if (vcp->vc_state != SMBIOD_ST_RECONNECT) {
		smb_iod_newstate(vcp, SMBIOD_ST_IDLE);
		cv_broadcast(&vcp->vc_statechg);
	}

	SMB_VC_UNLOCK(vcp);

	return (err);
}

/*
 * Ask the IOD to reconnect (if not already underway)
 * then wait for the reconnect to finish.
 */
int
smb_iod_reconnect(struct smb_vc *vcp)
{
	int err = 0, rv;

	SMB_VC_LOCK(vcp);
again:
	switch (vcp->vc_state) {

	case SMBIOD_ST_IDLE:
		/* Tell the IOD thread it's no longer IDLE. */
		smb_iod_newstate(vcp, SMBIOD_ST_RECONNECT);
		cv_signal(&vcp->iod_idle);
		/* FALLTHROUGH */

	case SMBIOD_ST_RECONNECT:
	case SMBIOD_ST_CONNECTED:
	case SMBIOD_ST_NEGOTIATED:
	case SMBIOD_ST_AUTHCONT:
	case SMBIOD_ST_AUTHOK:
		/* Wait for the VC state to become ACTIVE. */
		rv = cv_wait_sig(&vcp->vc_statechg, &vcp->vc_lock);
		if (rv == 0) {
			err = EINTR;
			break;
		}
		goto again;

	case SMBIOD_ST_VCACTIVE:
		err = 0; /* success! */
		break;

	case SMBIOD_ST_AUTHFAIL:
	case SMBIOD_ST_RCFAILED:
	case SMBIOD_ST_DEAD:
	default:
		err = ENOTCONN;
		break;
	}

	SMB_VC_UNLOCK(vcp);
	return (err);
}
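/*
 * For reference, a sketch of the VC state progression driven by
 * the handlers above (normal path; errors divert to AUTHFAIL,
 * RCFAILED, or DEAD):
 *
 *	IDLE -> RECONNECT -> CONNECTED -> NEGOTIATED
 *	    -> [AUTHCONT ...] -> AUTHOK -> VCACTIVE
 *	    -> (IDLE | RECONNECT) -> ...
 */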