1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22/*
23 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
25 */
26
27/*
28 * This module provides the common open functionality to the various
29 * open and create SMB interface functions.
30 */
31
32#include <sys/types.h>
33#include <sys/cmn_err.h>
34#include <sys/fcntl.h>
35#include <sys/nbmlock.h>
36#include <smbsrv/string.h>
37#include <smbsrv/smb2_kproto.h>
38#include <smbsrv/smb_fsops.h>
39#include <smbsrv/smbinfo.h>
40
41int smb_session_ofile_max = 32768;
42
43extern uint32_t smb_is_executable(char *);
44static void smb_delete_new_object(smb_request_t *);
45static int smb_set_open_attributes(smb_request_t *, smb_ofile_t *);
46
47/*
48 * smb_access_generic_to_file
49 *
50 * Search MSDN for IoCreateFile to see following mapping.
51 *
52 * GENERIC_READ		STANDARD_RIGHTS_READ, FILE_READ_DATA,
53 *			FILE_READ_ATTRIBUTES and FILE_READ_EA
54 *
55 * GENERIC_WRITE	STANDARD_RIGHTS_WRITE, FILE_WRITE_DATA,
56 *               FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, and FILE_APPEND_DATA
57 *
58 * GENERIC_EXECUTE	STANDARD_RIGHTS_EXECUTE, SYNCHRONIZE, and FILE_EXECUTE.
59 */
60static uint32_t
61smb_access_generic_to_file(uint32_t desired_access)
62{
63	uint32_t access = 0;
64
65	if (desired_access & GENERIC_ALL)
66		return (FILE_ALL_ACCESS & ~SYNCHRONIZE);
67
68	if (desired_access & GENERIC_EXECUTE) {
69		desired_access &= ~GENERIC_EXECUTE;
70		access |= (STANDARD_RIGHTS_EXECUTE |
71		    SYNCHRONIZE | FILE_EXECUTE);
72	}
73
74	if (desired_access & GENERIC_WRITE) {
75		desired_access &= ~GENERIC_WRITE;
76		access |= (FILE_GENERIC_WRITE & ~SYNCHRONIZE);
77	}
78
79	if (desired_access & GENERIC_READ) {
80		desired_access &= ~GENERIC_READ;
81		access |= FILE_GENERIC_READ;
82	}
83
84	return (access | desired_access);
85}
86
87/*
88 * smb_omode_to_amask
89 *
90 * This function converts open modes used by Open and Open AndX
91 * commands to desired access bits used by NT Create AndX command.
92 */
93uint32_t
94smb_omode_to_amask(uint32_t desired_access)
95{
96	switch (desired_access & SMB_DA_ACCESS_MASK) {
97	case SMB_DA_ACCESS_READ:
98		return (FILE_GENERIC_READ);
99
100	case SMB_DA_ACCESS_WRITE:
101		return (FILE_GENERIC_WRITE);
102
103	case SMB_DA_ACCESS_READ_WRITE:
104		return (FILE_GENERIC_READ | FILE_GENERIC_WRITE);
105
106	case SMB_DA_ACCESS_EXECUTE:
107		return (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE);
108
109	default:
110		return (FILE_GENERIC_ALL);
111	}
112}
113
114/*
115 * smb_denymode_to_sharemode
116 *
117 * This function converts deny modes used by Open and Open AndX
118 * commands to share access bits used by NT Create AndX command.
119 */
120uint32_t
121smb_denymode_to_sharemode(uint32_t desired_access, char *fname)
122{
123	switch (desired_access & SMB_DA_SHARE_MASK) {
124	case SMB_DA_SHARE_COMPATIBILITY:
125		if (smb_is_executable(fname))
126			return (FILE_SHARE_READ | FILE_SHARE_WRITE);
127
128		return (FILE_SHARE_ALL);
129
130	case SMB_DA_SHARE_EXCLUSIVE:
131		return (FILE_SHARE_NONE);
132
133	case SMB_DA_SHARE_DENY_WRITE:
134		return (FILE_SHARE_READ);
135
136	case SMB_DA_SHARE_DENY_READ:
137		return (FILE_SHARE_WRITE);
138
139	case SMB_DA_SHARE_DENY_NONE:
140	default:
141		return (FILE_SHARE_READ | FILE_SHARE_WRITE);
142	}
143}
144
145/*
146 * smb_ofun_to_crdisposition
147 *
148 * This function converts open function values used by Open and Open AndX
149 * commands to create disposition values used by NT Create AndX command.
150 */
151uint32_t
152smb_ofun_to_crdisposition(uint16_t  ofun)
153{
154	static int ofun_cr_map[3][2] =
155	{
156		{ -1,			FILE_CREATE },
157		{ FILE_OPEN,		FILE_OPEN_IF },
158		{ FILE_OVERWRITE,	FILE_OVERWRITE_IF }
159	};
160
161	int row = ofun & SMB_OFUN_OPEN_MASK;
162	int col = (ofun & SMB_OFUN_CREATE_MASK) >> 4;
163
164	if (row == 3)
165		return (FILE_MAXIMUM_DISPOSITION + 1);
166
167	return (ofun_cr_map[row][col]);
168}
169
170/*
171 * smb_common_open
172 *
173 * Notes on write-through behaviour. It looks like pre-LM0.12 versions
174 * of the protocol specify the write-through mode when a file is opened,
175 * (SmbOpen, SmbOpenAndX) so the write calls (SmbWrite, SmbWriteAndClose,
176 * SmbWriteAndUnlock) don't need to contain a write-through flag.
177 *
178 * With LM0.12, the open calls (SmbCreateAndX, SmbNtTransactCreate)
179 * don't indicate which write-through mode to use. Instead the write
180 * calls (SmbWriteAndX, SmbWriteRaw) specify the mode on a per call
181 * basis.
182 *
183 * We don't care which open call was used to get us here, we just need
184 * to ensure that the write-through mode flag is copied from the open
185 * parameters to the node. We test the omode write-through flag in all
186 * write functions.
187 *
188 * This function returns NT status codes.
189 *
190 * The following rules apply when processing a file open request:
191 *
192 * - Oplocks must be broken prior to share checking as the break may
193 *   cause other clients to close the file, which would affect sharing
194 *   checks.
195 *
196 * - Share checks must take place prior to access checks for correct
197 * Windows semantics and to prevent unnecessary NFS delegation recalls.
198 *
199 * - Oplocks must be acquired after open to ensure the correct
200 * synchronization with NFS delegation and FEM installation.
201 *
202 * DOS readonly bit rules
203 *
204 * 1. The creator of a readonly file can write to/modify the size of the file
205 * using the original create fid, even though the file will appear as readonly
206 * to all other fids and via a CIFS getattr call.
207 *
208 * 2. A setinfo operation (using either an open fid or a path) to set/unset
209 * readonly will be successful regardless of whether a creator of a readonly
210 * file has an open fid.
211 *
212 * 3. The DOS readonly bit affects only data and some metadata.
213 * The following metadata can be changed regardless of the readonly bit:
214 *	- security descriptors
215 *	- DOS attributes
216 *	- timestamps
217 *
218 * In the current implementation, the file size cannot be changed (except for
219 * the exceptions in #1 and #2, above).
220 *
221 *
222 * DOS attribute rules
223 *
224 * These rules are specific to creating / opening files and directories.
225 * How the attribute value (specifically ZERO or FILE_ATTRIBUTE_NORMAL)
226 * should be interpreted may differ in other requests.
227 *
228 * - An attribute value equal to ZERO or FILE_ATTRIBUTE_NORMAL means that the
229 *   file's attributes should be cleared.
230 * - If FILE_ATTRIBUTE_NORMAL is specified with any other attributes,
231 *   FILE_ATTRIBUTE_NORMAL is ignored.
232 *
233 * 1. Creating a new file
234 * - The request attributes + FILE_ATTRIBUTE_ARCHIVE are applied to the file.
235 *
236 * 2. Creating a new directory
237 * - The request attributes + FILE_ATTRIBUTE_DIRECTORY are applied to the file.
238 * - FILE_ATTRIBUTE_ARCHIVE does not get set.
239 *
240 * 3. Overwriting an existing file
241 * - the request attributes are used as search attributes. If the existing
242 *   file does not meet the search criteria access is denied.
243 * - otherwise, applies attributes + FILE_ATTRIBUTE_ARCHIVE.
244 *
245 * 4. Opening an existing file or directory
246 *    The request attributes are ignored.
247 */
248uint32_t
249smb_common_open(smb_request_t *sr)
250{
251	smb_server_t	*sv = sr->sr_server;
252	smb_tree_t	*tree = sr->tid_tree;
253	smb_node_t	*fnode = NULL;
254	smb_node_t	*dnode = NULL;
255	smb_node_t	*cur_node = NULL;
256	smb_arg_open_t	*op = &sr->sr_open;
257	smb_pathname_t	*pn = &op->fqi.fq_path;
258	smb_ofile_t	*of = NULL;
259	smb_attr_t	new_attr;
260	hrtime_t	shrlock_t0;
261	int		max_requested = 0;
262	uint32_t	max_allowed;
263	uint32_t	status = NT_STATUS_SUCCESS;
264	int		is_dir;
265	int		rc;
266	boolean_t	is_stream = B_FALSE;
267	int		lookup_flags = SMB_FOLLOW_LINKS;
268	uint32_t	uniq_fid = 0;
269	uint16_t	tree_fid = 0;
270	boolean_t	created = B_FALSE;
271	boolean_t	last_comp_found = B_FALSE;
272	boolean_t	opening_incr = B_FALSE;
273	boolean_t	dnode_held = B_FALSE;
274	boolean_t	dnode_wlock = B_FALSE;
275	boolean_t	fnode_held = B_FALSE;
276	boolean_t	fnode_wlock = B_FALSE;
277	boolean_t	fnode_shrlk = B_FALSE;
278	boolean_t	did_open = B_FALSE;
279	boolean_t	did_break_handle = B_FALSE;
280	boolean_t	did_cleanup_orphans = B_FALSE;
281
282	/* Get out now if we've been cancelled. */
283	mutex_enter(&sr->sr_mutex);
284	if (sr->sr_state != SMB_REQ_STATE_ACTIVE) {
285		mutex_exit(&sr->sr_mutex);
286		return (NT_STATUS_CANCELLED);
287	}
288	mutex_exit(&sr->sr_mutex);
289
290	is_dir = (op->create_options & FILE_DIRECTORY_FILE) ? 1 : 0;
291
292	/*
293	 * If the object being created or opened is a directory
294	 * the Disposition parameter must be one of FILE_CREATE,
295	 * FILE_OPEN, or FILE_OPEN_IF
296	 */
297	if (is_dir) {
298		if ((op->create_disposition != FILE_CREATE) &&
299		    (op->create_disposition != FILE_OPEN_IF) &&
300		    (op->create_disposition != FILE_OPEN)) {
301			return (NT_STATUS_INVALID_PARAMETER);
302		}
303	}
304
305	if (op->desired_access & MAXIMUM_ALLOWED) {
306		max_requested = 1;
307		op->desired_access &= ~MAXIMUM_ALLOWED;
308	}
309	op->desired_access = smb_access_generic_to_file(op->desired_access);
310
311	if (sr->session->s_file_cnt >= smb_session_ofile_max) {
312		ASSERT(sr->uid_user);
313		cmn_err(CE_NOTE, "smbsrv[%s\\%s]: TOO_MANY_OPENED_FILES",
314		    sr->uid_user->u_domain, sr->uid_user->u_name);
315		return (NT_STATUS_TOO_MANY_OPENED_FILES);
316	}
317
318	if (smb_idpool_alloc(&tree->t_fid_pool, &tree_fid))
319		return (NT_STATUS_TOO_MANY_OPENED_FILES);
320
321	/* This must be NULL at this point */
322	sr->fid_ofile = NULL;
323
324	op->devstate = 0;
325
326	switch (sr->tid_tree->t_res_type & STYPE_MASK) {
327	case STYPE_DISKTREE:
328	case STYPE_PRINTQ:
329		break;
330
331	case STYPE_IPC:
332		/*
333		 * Security descriptors for pipes are not implemented,
334		 * so just setup a reasonable access mask.
335		 */
336		op->desired_access = (READ_CONTROL | SYNCHRONIZE |
337		    FILE_READ_DATA | FILE_READ_ATTRIBUTES |
338		    FILE_WRITE_DATA | FILE_APPEND_DATA);
339
340		/*
341		 * Limit the number of open pipe instances.
342		 */
343		if ((rc = smb_threshold_enter(&sv->sv_opipe_ct)) != 0) {
344			status = RPC_NT_SERVER_TOO_BUSY;
345			goto errout;
346		}
347
348		/*
349		 * Most of IPC open is handled in smb_opipe_open()
350		 */
351		op->create_options = 0;
352		of = smb_ofile_alloc(sr, op, NULL, SMB_FTYPE_MESG_PIPE,
353		    tree_fid);
354		tree_fid = 0; // given to the ofile
355		status = smb_opipe_open(sr, of);
356		smb_threshold_exit(&sv->sv_opipe_ct);
357		if (status != NT_STATUS_SUCCESS)
358			goto errout;
359		return (NT_STATUS_SUCCESS);
360
361	default:
362		status = NT_STATUS_BAD_DEVICE_TYPE;
363		goto errout;
364	}
365
366	smb_pathname_init(sr, pn, pn->pn_path);
367	if (!smb_pathname_validate(sr, pn)) {
368		status = sr->smb_error.status;
369		goto errout;
370	}
371
372	if (strlen(pn->pn_path) >= SMB_MAXPATHLEN) {
373		status = NT_STATUS_OBJECT_PATH_INVALID;
374		goto errout;
375	}
376
377	if (is_dir) {
378		if (!smb_validate_dirname(sr, pn)) {
379			status = sr->smb_error.status;
380			goto errout;
381		}
382	} else {
383		if (!smb_validate_object_name(sr, pn)) {
384			status = sr->smb_error.status;
385			goto errout;
386		}
387	}
388
389	cur_node = op->fqi.fq_dnode ?
390	    op->fqi.fq_dnode : sr->tid_tree->t_snode;
391
392	rc = smb_pathname_reduce(sr, sr->user_cr, pn->pn_path,
393	    sr->tid_tree->t_snode, cur_node, &op->fqi.fq_dnode,
394	    op->fqi.fq_last_comp);
395	if (rc != 0) {
396		status = smb_errno2status(rc);
397		goto errout;
398	}
399	dnode = op->fqi.fq_dnode;
400	dnode_held = B_TRUE;
401
402	/*
403	 * Lock the parent dir node in case another create
404	 * request to the same parent directory comes in.
405	 * Drop this once either lookup succeeds, or we've
406	 * created the object in this directory.
407	 */
408	smb_node_wrlock(dnode);
409	dnode_wlock = B_TRUE;
410
411	/*
412	 * If the access mask has only DELETE set (ignore
413	 * FILE_READ_ATTRIBUTES), then assume that this
414	 * is a request to delete the link (if a link)
415	 * and do not follow links.  Otherwise, follow
416	 * the link to the target.
417	 */
418	if ((op->desired_access & ~FILE_READ_ATTRIBUTES) == DELETE)
419		lookup_flags &= ~SMB_FOLLOW_LINKS;
420
421	rc = smb_fsop_lookup_name(sr, zone_kcred(), lookup_flags,
422	    sr->tid_tree->t_snode, op->fqi.fq_dnode, op->fqi.fq_last_comp,
423	    &op->fqi.fq_fnode);
424
425	if (rc == 0) {
426		last_comp_found = B_TRUE;
427		fnode_held = B_TRUE;
428
429		/*
430		 * Need the DOS attributes below, where we
431		 * check the search attributes (sattr).
432		 * Also UID, for owner check below.
433		 */
434		op->fqi.fq_fattr.sa_mask = SMB_AT_DOSATTR | SMB_AT_UID;
435		rc = smb_node_getattr(sr, op->fqi.fq_fnode, zone_kcred(),
436		    NULL, &op->fqi.fq_fattr);
437		if (rc != 0) {
438			status = NT_STATUS_INTERNAL_ERROR;
439			goto errout;
440		}
441	} else if (rc == ENOENT) {
442		last_comp_found = B_FALSE;
443		op->fqi.fq_fnode = NULL;
444		rc = 0;
445	} else {
446		status = smb_errno2status(rc);
447		goto errout;
448	}
449
450	if (last_comp_found) {
451
452		smb_node_unlock(dnode);
453		dnode_wlock = B_FALSE;
454
455		fnode = op->fqi.fq_fnode;
456		dnode = op->fqi.fq_dnode;
457
458		if (!smb_node_is_file(fnode) &&
459		    !smb_node_is_dir(fnode) &&
460		    !smb_node_is_symlink(fnode)) {
461			status = NT_STATUS_ACCESS_DENIED;
462			goto errout;
463		}
464
465		/*
466		 * Reject this request if either:
467		 * - the target IS a directory and the client requires that
468		 *   it must NOT be (required by Lotus Notes)
469		 * - the target is NOT a directory and client requires that
470		 *   it MUST be.
471		 */
472		if (smb_node_is_dir(fnode)) {
473			if (op->create_options & FILE_NON_DIRECTORY_FILE) {
474				status = NT_STATUS_FILE_IS_A_DIRECTORY;
475				goto errout;
476			}
477		} else {
478			if ((op->create_options & FILE_DIRECTORY_FILE) ||
479			    (op->nt_flags & NT_CREATE_FLAG_OPEN_TARGET_DIR)) {
480				status = NT_STATUS_NOT_A_DIRECTORY;
481				goto errout;
482			}
483		}
484
485		/*
486		 * No more open should be accepted when "Delete on close"
487		 * flag is set.
488		 */
489		if (fnode->flags & NODE_FLAGS_DELETE_ON_CLOSE) {
490			status = NT_STATUS_DELETE_PENDING;
491			goto errout;
492		}
493
494		/*
495		 * Specified file already exists so the operation should fail.
496		 */
497		if (op->create_disposition == FILE_CREATE) {
498			status = NT_STATUS_OBJECT_NAME_COLLISION;
499			goto errout;
500		}
501
502		/*
503		 * Windows seems to check read-only access before file
504		 * sharing check.
505		 *
506		 * Check to see if the file is currently readonly (regardless
507		 * of whether this open will make it readonly).
508		 * Readonly is ignored on directories.
509		 */
510		if (SMB_PATHFILE_IS_READONLY(sr, fnode) &&
511		    !smb_node_is_dir(fnode)) {
512			if (op->desired_access &
513			    (FILE_WRITE_DATA | FILE_APPEND_DATA)) {
514				status = NT_STATUS_ACCESS_DENIED;
515				goto errout;
516			}
517			if (op->create_options & FILE_DELETE_ON_CLOSE) {
518				status = NT_STATUS_CANNOT_DELETE;
519				goto errout;
520			}
521		}
522
523		if ((op->create_disposition == FILE_SUPERSEDE) ||
524		    (op->create_disposition == FILE_OVERWRITE_IF) ||
525		    (op->create_disposition == FILE_OVERWRITE)) {
526
527			if (!smb_sattr_check(op->fqi.fq_fattr.sa_dosattr,
528			    op->dattr)) {
529				status = NT_STATUS_ACCESS_DENIED;
530				goto errout;
531			}
532
533			if (smb_node_is_dir(fnode)) {
534				status = NT_STATUS_ACCESS_DENIED;
535				goto errout;
536			}
537		}
538
539		/* MS-FSA 2.1.5.1.2 */
540		if (op->create_disposition == FILE_SUPERSEDE)
541			op->desired_access |= DELETE;
542		if ((op->create_disposition == FILE_OVERWRITE_IF) ||
543		    (op->create_disposition == FILE_OVERWRITE))
544			op->desired_access |= FILE_WRITE_DATA;
545
546		/* Dataset roots can't be deleted, so don't set DOC */
547		if ((op->create_options & FILE_DELETE_ON_CLOSE) != 0 &&
548		    (fnode->flags & NODE_FLAGS_VFSROOT) != 0) {
549			status = NT_STATUS_CANNOT_DELETE;
550			goto errout;
551		}
552
553		status = smb_fsop_access(sr, sr->user_cr, fnode,
554		    op->desired_access);
555		if (status != NT_STATUS_SUCCESS)
556			goto errout;
557
558		if (max_requested) {
559			smb_fsop_eaccess(sr, sr->user_cr, fnode, &max_allowed);
560			op->desired_access |= max_allowed;
561		}
562
563		/*
564		 * File owner should always get read control + read attr.
565		 */
566		if (crgetuid(sr->user_cr) == op->fqi.fq_fattr.sa_vattr.va_uid)
567			op->desired_access |=
568			    (READ_CONTROL | FILE_READ_ATTRIBUTES);
569
570		/*
571		 * According to MS "dochelp" mail in Mar 2015, any handle
572		 * on which read or write access is granted implicitly
573		 * gets "read attributes", even if it was not requested.
574		 */
575		if ((op->desired_access & FILE_DATA_ALL) != 0)
576			op->desired_access |= FILE_READ_ATTRIBUTES;
577
578		/*
579		 * Oplock break is done prior to sharing checks as the break
580		 * may cause other clients to close the file which would
581		 * affect the sharing checks, and may delete the file due to
582		 * DELETE_ON_CLOSE. This may block, so set the file opening
583		 * count before oplock stuff.
584		 *
585		 * Need the "proposed" ofile (and its TargetOplockKey) for
586		 * correct oplock break semantics.
587		 */
588		of = smb_ofile_alloc(sr, op, fnode, SMB_FTYPE_DISK,
589		    tree_fid);
590		tree_fid = 0; // given to the ofile
591		uniq_fid = of->f_uniqid;
592
593		smb_node_inc_opening_count(fnode);
594		opening_incr = B_TRUE;
595
596		/*
597		 * XXX Supposed to do share access checks next.
598		 * [MS-FSA] describes that as part of access check:
599		 * 2.1.5.1.2.1 Alg... Check Access to an Existing File
600		 *
601		 * If CreateDisposition is FILE_OPEN or FILE_OPEN_IF:
602		 *   If Open.Stream.Oplock is not empty and
603		 *   Open.Stream.Oplock.State contains BATCH_OPLOCK,
604		 *   the object store MUST check for an oplock
605		 *   break according to the algorithm in section 2.1.4.12,
606		 *   with input values as follows:
607		 *	Open equal to this operation's Open
608		 *	Oplock equal to Open.Stream.Oplock
609		 *	Operation equal to "OPEN"
610		 *	OpParams containing two members:
611		 *	  DesiredAccess, CreateDisposition
612		 *
613		 * It's not clear how Windows would ask the FS layer if
614		 * the file has a BATCH oplock.  We'll use a call to the
615		 * common oplock code, which calls smb_oplock_break_OPEN
616		 * only if the oplock state contains BATCH_OPLOCK.
617		 * See: smb_oplock_break_BATCH()
618		 *
619		 * Also note: There's a nearly identical section in the
620		 * spec. at the start of the "else" part of the above
621		 * "if (disposition is overwrite, overwrite_if)" so this
622		 * section (oplock break, the share mode check, and the
623		 * next oplock_break_HANDLE) are all factored out to be
624		 * in all cases above that if/else from the spec.
625		 */
626		status = smb_oplock_break_BATCH(fnode, of,
627		    op->desired_access, op->create_disposition);
628		if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) {
629			if (sr->session->dialect >= SMB_VERS_2_BASE)
630				(void) smb2sr_go_async(sr);
631			(void) smb_oplock_wait_break(fnode, 0);
632			status = 0;
633		}
634		if (status != NT_STATUS_SUCCESS)
635			goto errout;
636
637		/*
638		 * Check for sharing violations, and if any,
639		 * do oplock break of handle caching.
640		 *
641		 * Need node_wrlock during shrlock checks,
642		 * and not locked during oplock breaks etc.
643		 */
644		shrlock_t0 = gethrtime();
645	shrlock_again:
646		smb_node_wrlock(fnode);
647		fnode_wlock = B_TRUE;
648		status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid,
649		    op->desired_access, op->share_access);
650		smb_node_unlock(fnode);
651		fnode_wlock = B_FALSE;
652
653		/*
654		 * [MS-FSA] "OPEN_BREAK_H"
655		 * If the (proposed) new open would violate sharing rules,
656		 * indicate an oplock break with OPEN_BREAK_H (to break
657		 * handle level caching rights) then try again.
658		 */
659		if (status == NT_STATUS_SHARING_VIOLATION &&
660		    did_break_handle == B_FALSE) {
661			did_break_handle = B_TRUE;
662
663			status = smb_oplock_break_HANDLE(fnode, of);
664			if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) {
665				if (sr->session->dialect >= SMB_VERS_2_BASE)
666					(void) smb2sr_go_async(sr);
667				(void) smb_oplock_wait_break(fnode, 0);
668				status = 0;
669			} else {
670				/*
671				 * Even when the oplock layer does NOT
672				 * give us the special status indicating
673				 * we should wait, it may have scheduled
674				 * taskq jobs that may close handles.
675				 * Give those a chance to run before we
676				 * check again for sharing violations.
677				 */
678				delay(MSEC_TO_TICK(10));
679			}
680			if (status != NT_STATUS_SUCCESS)
681				goto errout;
682
683			goto shrlock_again;
684		}
685
686		/*
687		 * If we still have orphaned durable handles on this file,
688		 * let's assume the client has lost interest in those and
689		 * close them so they don't cause sharing violations.
690		 * See longer comment at smb2_dh_close_my_orphans().
691		 */
692		if (status == NT_STATUS_SHARING_VIOLATION &&
693		    sr->session->dialect >= SMB_VERS_2_BASE &&
694		    did_cleanup_orphans == B_FALSE) {
695
696			did_cleanup_orphans = B_TRUE;
697			smb2_dh_close_my_orphans(sr, of);
698
699			goto shrlock_again;
700		}
701
702		/*
703		 * SMB1 expects a 1 sec. delay before returning a
704		 * sharing violation error.  If breaking oplocks
705		 * above took less than a sec, wait some more.
706		 * See: smbtorture base.defer_open
707		 */
708		if (status == NT_STATUS_SHARING_VIOLATION &&
709		    sr->session->dialect < SMB_VERS_2_BASE) {
710			hrtime_t t1 = shrlock_t0 + NANOSEC;
711			hrtime_t now = gethrtime();
712			if (now < t1) {
713				delay(NSEC_TO_TICK_ROUNDUP(t1 - now));
714			}
715		}
716
717		if (status != NT_STATUS_SUCCESS)
718			goto errout;
719		fnode_shrlk = B_TRUE;
720
721		/*
722		 * The [MS-FSA] spec. describes this oplock break as
723		 * part of the sharing access checks.  See:
724		 * 2.1.5.1.2.2 Algorithm to Check Sharing Access...
725		 * At the end of the share mode tests described there,
726		 * if it has not returned "sharing violation", it
727		 * specifies a call to the alg. in sec. 2.1.4.12,
728		 * that boils down to: smb_oplock_break_OPEN()
729		 */
730		status = smb_oplock_break_OPEN(fnode, of,
731		    op->desired_access,
732		    op->create_disposition);
733		if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) {
734			if (sr->session->dialect >= SMB_VERS_2_BASE)
735				(void) smb2sr_go_async(sr);
736			(void) smb_oplock_wait_break(fnode, 0);
737			status = 0;
738		}
739		if (status != NT_STATUS_SUCCESS)
740			goto errout;
741
742		if ((fnode->flags & NODE_FLAGS_DELETE_COMMITTED) != 0) {
743			/*
744			 * Breaking the oplock caused the file to be deleted,
745			 * so let's bail and pretend the file wasn't found.
746			 * Have to duplicate much of the logic found a the
747			 * "errout" label here.
748			 *
749			 * This code path is exercised by smbtorture
750			 * smb2.durable-open.delete_on_close1
751			 */
752			DTRACE_PROBE1(node_deleted, smb_node_t, fnode);
753			smb_ofile_free(of);
754			of = NULL;
755			last_comp_found = B_FALSE;
756
757			/*
758			 * Get all the holds and locks into the state
759			 * they would have if lookup had failed.
760			 */
761			fnode_shrlk = B_FALSE;
762			smb_fsop_unshrlock(sr->user_cr, fnode, uniq_fid);
763
764			opening_incr = B_FALSE;
765			smb_node_dec_opening_count(fnode);
766
767			fnode_held = B_FALSE;
768			smb_node_release(fnode);
769
770			dnode_wlock = B_TRUE;
771			smb_node_wrlock(dnode);
772
773			goto create;
774		}
775
776		/*
777		 * Go ahead with modifications as necessary.
778		 */
779		switch (op->create_disposition) {
780		case FILE_SUPERSEDE:
781		case FILE_OVERWRITE_IF:
782		case FILE_OVERWRITE:
783			op->dattr |= FILE_ATTRIBUTE_ARCHIVE;
784			/* Don't apply readonly until smb_set_open_attributes */
785			if (op->dattr & FILE_ATTRIBUTE_READONLY) {
786				op->dattr &= ~FILE_ATTRIBUTE_READONLY;
787				op->created_readonly = B_TRUE;
788			}
789
790			/*
791			 * Truncate the file data here.
792			 * We set alloc_size = op->dsize later,
793			 * after we have an ofile.  See:
794			 * smb_set_open_attributes
795			 */
796			bzero(&new_attr, sizeof (new_attr));
797			new_attr.sa_dosattr = op->dattr;
798			new_attr.sa_vattr.va_size = 0;
799			new_attr.sa_mask = SMB_AT_DOSATTR | SMB_AT_SIZE;
800			rc = smb_fsop_setattr(sr, sr->user_cr, fnode,
801			    &new_attr);
802			if (rc != 0) {
803				status = smb_errno2status(rc);
804				goto errout;
805			}
806
807			/*
808			 * If file is being replaced, remove existing streams
809			 */
810			if (SMB_IS_STREAM(fnode) == 0) {
811				status = smb_fsop_remove_streams(sr,
812				    sr->user_cr, fnode);
813				if (status != 0)
814					goto errout;
815			}
816
817			op->action_taken = SMB_OACT_TRUNCATED;
818			break;
819
820		default:
821			/*
822			 * FILE_OPEN or FILE_OPEN_IF.
823			 */
824			/*
825			 * Ignore any user-specified alloc_size for
826			 * existing files, to avoid truncation in
827			 * smb_set_open_attributes
828			 */
829			op->dsize = 0L;
830			op->action_taken = SMB_OACT_OPENED;
831			break;
832		}
833	} else {
834create:
835		/* Last component was not found. */
836		dnode = op->fqi.fq_dnode;
837
838		if (is_dir == 0)
839			is_stream = smb_is_stream_name(pn->pn_path);
840
841		if ((op->create_disposition == FILE_OPEN) ||
842		    (op->create_disposition == FILE_OVERWRITE)) {
843			status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
844			goto errout;
845		}
846
847		if (pn->pn_fname && smb_is_invalid_filename(pn->pn_fname)) {
848			status = NT_STATUS_OBJECT_NAME_INVALID;
849			goto errout;
850		}
851
852		/*
853		 * Don't create in directories marked "Delete on close".
854		 */
855		if (dnode->flags & NODE_FLAGS_DELETE_ON_CLOSE) {
856			status = NT_STATUS_DELETE_PENDING;
857			goto errout;
858		}
859
860		/*
861		 * Create always sets the DOS attributes, type, and mode
862		 * in the if/else below (different for file vs directory).
863		 * Don't set the readonly bit until smb_set_open_attributes
864		 * or that would prevent this open.  Note that op->dattr
865		 * needs to be what smb_set_open_attributes will use,
866		 * except for the readonly bit.
867		 */
868		bzero(&new_attr, sizeof (new_attr));
869		new_attr.sa_mask = SMB_AT_DOSATTR | SMB_AT_TYPE | SMB_AT_MODE;
870		if (op->dattr & FILE_ATTRIBUTE_READONLY) {
871			op->dattr &= ~FILE_ATTRIBUTE_READONLY;
872			op->created_readonly = B_TRUE;
873		}
874
875		/*
876		 * SMB create can specify the create time.
877		 */
878		if ((op->crtime.tv_sec != 0) &&
879		    (op->crtime.tv_sec != UINT_MAX)) {
880			new_attr.sa_mask |= SMB_AT_CRTIME;
881			new_attr.sa_crtime = op->crtime;
882		}
883
884		if (is_dir == 0) {
885			op->dattr |= FILE_ATTRIBUTE_ARCHIVE;
886			new_attr.sa_dosattr = op->dattr;
887			new_attr.sa_vattr.va_type = VREG;
888			if (is_stream)
889				new_attr.sa_vattr.va_mode = S_IRUSR | S_IWUSR;
890			else
891				new_attr.sa_vattr.va_mode =
892				    S_IRUSR | S_IRGRP | S_IROTH |
893				    S_IWUSR | S_IWGRP | S_IWOTH;
894
895			/*
896			 * We set alloc_size = op->dsize later,
897			 * (in smb_set_open_attributes) after we
898			 * have an ofile on which to save that.
899			 *
900			 * Legacy Open&X sets size to alloc_size
901			 * when creating a new file.
902			 */
903			if (sr->smb_com == SMB_COM_OPEN_ANDX) {
904				new_attr.sa_vattr.va_size = op->dsize;
905				new_attr.sa_mask |= SMB_AT_SIZE;
906			}
907
908			rc = smb_fsop_create(sr, sr->user_cr, dnode,
909			    op->fqi.fq_last_comp, &new_attr, &op->fqi.fq_fnode);
910		} else {
911			op->dattr |= FILE_ATTRIBUTE_DIRECTORY;
912			new_attr.sa_dosattr = op->dattr;
913			new_attr.sa_vattr.va_type = VDIR;
914			new_attr.sa_vattr.va_mode = 0777;
915
916			rc = smb_fsop_mkdir(sr, sr->user_cr, dnode,
917			    op->fqi.fq_last_comp, &new_attr, &op->fqi.fq_fnode);
918		}
919		if (rc != 0) {
920			status = smb_errno2status(rc);
921			goto errout;
922		}
923
924		/* Create done. */
925		smb_node_unlock(dnode);
926		dnode_wlock = B_FALSE;
927
928		created = B_TRUE;
929		op->action_taken = SMB_OACT_CREATED;
930
931		/* Note: hold from create */
932		fnode = op->fqi.fq_fnode;
933		fnode_held = B_TRUE;
934
935		if (max_requested) {
936			smb_fsop_eaccess(sr, sr->user_cr, fnode, &max_allowed);
937			op->desired_access |= max_allowed;
938		}
939		/*
940		 * We created this object (we own it) so grant
941		 * read_control + read_attributes on this handle,
942		 * even if that was not requested.  This avoids
943		 * unexpected access failures later.
944		 */
945		op->desired_access |= (READ_CONTROL | FILE_READ_ATTRIBUTES);
946
947		/* Allocate the ofile and fill in most of it. */
948		of = smb_ofile_alloc(sr, op, fnode, SMB_FTYPE_DISK,
949		    tree_fid);
950		tree_fid = 0; // given to the ofile
951		uniq_fid = of->f_uniqid;
952
953		smb_node_inc_opening_count(fnode);
954		opening_incr = B_TRUE;
955
956		/*
957		 * Share access checks...
958		 */
959		smb_node_wrlock(fnode);
960		fnode_wlock = B_TRUE;
961
962		status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid,
963		    op->desired_access, op->share_access);
964		if (status != 0)
965			goto errout;
966		fnode_shrlk = B_TRUE;
967
968		/*
969		 * MS-FSA 2.1.5.1.1
970		 * If the Oplock member of the DirectoryStream in
971		 * Link.ParentFile.StreamList (ParentOplock) is
972		 * not empty ... oplock break on the parent...
973		 * (dnode is the parent directory)
974		 *
975		 * This compares of->ParentOplockKey with each
976		 * oplock of->TargetOplockKey and breaks...
977		 * so it's OK that we're passing an OF that's
978		 * NOT a member of dnode->n_ofile_list
979		 *
980		 * The break never blocks, so ignore the return.
981		 */
982		(void) smb_oplock_break_PARENT(dnode, of);
983	}
984
985	/*
986	 * We might have blocked in smb_oplock_break_OPEN long enough
987	 * so a tree disconnect might have happened.  In that case,
988	 * we would be adding an ofile to a tree that's disconnecting,
989	 * which would interfere with tear-down.  If so, error out.
990	 */
991	if (!smb_tree_is_connected(sr->tid_tree)) {
992		status = NT_STATUS_INVALID_PARAMETER;
993		goto errout;
994	}
995
996	/*
997	 * Moved this up from smb_ofile_open()
998	 */
999	if ((rc = smb_fsop_open(fnode, of->f_mode, of->f_cr)) != 0) {
1000		status = smb_errno2status(rc);
1001		goto errout;
1002	}
1003
1004	/*
1005	 * Complete this open (add to ofile lists)
1006	 */
1007	smb_ofile_open(sr, op, of);
1008	did_open = B_TRUE;
1009
1010	/*
1011	 * This MUST be done after ofile creation, so that explicitly
1012	 * set timestamps can be remembered on the ofile, and setting
1013	 * the readonly flag won't affect access via this open.
1014	 */
1015	if ((rc = smb_set_open_attributes(sr, of)) != 0) {
1016		status = smb_errno2status(rc);
1017		goto errout;
1018	}
1019
1020	/*
1021	 * We've already done access checks above,
1022	 * and want this call to succeed even when
1023	 * !(desired_access & FILE_READ_ATTRIBUTES),
1024	 * so pass kcred here.
1025	 */
1026	op->fqi.fq_fattr.sa_mask = SMB_AT_ALL;
1027	(void) smb_node_getattr(sr, fnode, zone_kcred(), of,
1028	    &op->fqi.fq_fattr);
1029
1030	/*
1031	 * Propagate the write-through mode from the open params
1032	 * to the node: see the notes in the function header.
1033	 * XXX: write_through should be a flag on the ofile.
1034	 */
1035	if (sr->sr_cfg->skc_sync_enable ||
1036	    (op->create_options & FILE_WRITE_THROUGH))
1037		fnode->flags |= NODE_FLAGS_WRITE_THROUGH;
1038
1039	/*
1040	 * Set up the fileid and dosattr in open_param for response
1041	 */
1042	op->fileid = op->fqi.fq_fattr.sa_vattr.va_nodeid;
1043	op->dattr = op->fqi.fq_fattr.sa_dosattr;
1044
1045	/*
1046	 * Set up the file type in open_param for the response
1047	 */
1048	op->ftype = SMB_FTYPE_DISK;
1049	sr->smb_fid = of->f_fid;
1050	sr->fid_ofile = of;
1051
1052	if (smb_node_is_file(fnode)) {
1053		op->dsize = op->fqi.fq_fattr.sa_vattr.va_size;
1054	} else {
1055		/* directory or symlink */
1056		op->dsize = 0;
1057	}
1058
1059	/*
1060	 * Note: oplock_acquire happens in callers, because
1061	 * how that happens is protocol-specific.
1062	 */
1063
1064	if (fnode_wlock)
1065		smb_node_unlock(fnode);
1066	if (opening_incr)
1067		smb_node_dec_opening_count(fnode);
1068	if (fnode_held)
1069		smb_node_release(fnode);
1070	if (dnode_wlock)
1071		smb_node_unlock(dnode);
1072	if (dnode_held)
1073		smb_node_release(dnode);
1074
1075	return (NT_STATUS_SUCCESS);
1076
1077errout:
1078	if (did_open) {
1079		smb_ofile_close(of, 0);
1080		/* rele via sr->fid_ofile */
1081	} else if (of != NULL) {
1082		/* No other refs possible */
1083		smb_ofile_free(of);
1084	}
1085
1086	if (fnode_shrlk)
1087		smb_fsop_unshrlock(sr->user_cr, fnode, uniq_fid);
1088
1089	if (created) {
1090		/* Try to roll-back create. */
1091		smb_delete_new_object(sr);
1092	}
1093
1094	if (fnode_wlock)
1095		smb_node_unlock(fnode);
1096	if (opening_incr)
1097		smb_node_dec_opening_count(fnode);
1098	if (fnode_held)
1099		smb_node_release(fnode);
1100	if (dnode_wlock)
1101		smb_node_unlock(dnode);
1102	if (dnode_held)
1103		smb_node_release(dnode);
1104
1105	if (tree_fid != 0)
1106		smb_idpool_free(&tree->t_fid_pool, tree_fid);
1107
1108	return (status);
1109}
1110
1111/*
1112 * smb_set_open_attributes
1113 *
1114 * Last write time:
1115 * - If the last_write time specified in the open params is not 0 or -1,
1116 *   use it as file's mtime. This will be considered an explicitly set
1117 *   timestamps, not reset by subsequent writes.
1118 *
1119 * DOS attributes
1120 * - If we created_readonly, we now store the real DOS attributes
1121 *   (including the readonly bit) so subsequent opens will see it.
1122 *
1123 * Returns: errno
1124 */
1125static int
1126smb_set_open_attributes(smb_request_t *sr, smb_ofile_t *of)
1127{
1128	smb_attr_t	attr;
1129	smb_arg_open_t	*op = &sr->sr_open;
1130	smb_node_t	*node = of->f_node;
1131	int		rc = 0;
1132
1133	bzero(&attr, sizeof (smb_attr_t));
1134
1135	if (op->created_readonly) {
1136		attr.sa_dosattr = op->dattr | FILE_ATTRIBUTE_READONLY;
1137		attr.sa_mask |= SMB_AT_DOSATTR;
1138	}
1139
1140	if (op->dsize != 0) {
1141		attr.sa_allocsz = op->dsize;
1142		attr.sa_mask |= SMB_AT_ALLOCSZ;
1143	}
1144
1145	if ((op->mtime.tv_sec != 0) && (op->mtime.tv_sec != UINT_MAX)) {
1146		attr.sa_vattr.va_mtime = op->mtime;
1147		attr.sa_mask |= SMB_AT_MTIME;
1148	}
1149
1150	/*
1151	 * Used to have code here to set mtime, ctime, atime
1152	 * when the open op->create_disposition is any of:
1153	 * FILE_SUPERSEDE, FILE_OVERWRITE_IF, FILE_OVERWRITE.
1154	 * We know that in those cases we will have set the
1155	 * file size, in which case the file system will
1156	 * update those times, so we don't have to.
1157	 *
1158	 * However, keep track of the fact that we modified
1159	 * the file via this handle, so we can do the evil,
1160	 * gratuitious mtime update on close that Windows
1161	 * clients expect.
1162	 */
1163	if (op->action_taken == SMB_OACT_TRUNCATED)
1164		of->f_written = B_TRUE;
1165
1166	if (attr.sa_mask != 0)
1167		rc = smb_node_setattr(sr, node, of->f_cr, of, &attr);
1168
1169	return (rc);
1170}
1171
1172/*
1173 * This function is used to delete a newly created object (file or
1174 * directory) if an error occurs after creation of the object.
1175 */
1176static void
1177smb_delete_new_object(smb_request_t *sr)
1178{
1179	smb_arg_open_t	*op = &sr->sr_open;
1180	smb_fqi_t	*fqi = &(op->fqi);
1181	uint32_t	flags = 0;
1182
1183	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1184		flags |= SMB_IGNORE_CASE;
1185	if (SMB_TREE_SUPPORTS_CATIA(sr))
1186		flags |= SMB_CATIA;
1187
1188	if (op->create_options & FILE_DIRECTORY_FILE)
1189		(void) smb_fsop_rmdir(sr, sr->user_cr, fqi->fq_dnode,
1190		    fqi->fq_last_comp, flags);
1191	else
1192		(void) smb_fsop_remove(sr, sr->user_cr, fqi->fq_dnode,
1193		    fqi->fq_last_comp, flags);
1194}
1195