fs/smbsrv/smb_session.c

da6c28aaSamw/*
da6c28aaSamw * CDDL HEADER START
da6c28aaSamw *
da6c28aaSamw * The contents of this file are subject to the terms of the
da6c28aaSamw * Common Development and Distribution License (the "License").
da6c28aaSamw * You may not use this file except in compliance with the License.
da6c28aaSamw *
da6c28aaSamw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
da6c28aaSamw * or http://www.opensolaris.org/os/licensing.
da6c28aaSamw * See the License for the specific language governing permissions
da6c28aaSamw * and limitations under the License.
da6c28aaSamw *
da6c28aaSamw * When distributing Covered Code, include this CDDL HEADER in each
da6c28aaSamw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
da6c28aaSamw * If applicable, add the following below this CDDL HEADER, with the
da6c28aaSamw * fields enclosed by brackets "[]" replaced with your own identifying
da6c28aaSamw * information: Portions Copyright [yyyy] [name of copyright owner]
da6c28aaSamw *
da6c28aaSamw * CDDL HEADER END
da6c28aaSamw */
da6c28aaSamw/*
5cdbe942Sjb * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
da6c28aaSamw * Use is subject to license terms.
da6c28aaSamw */
da6c28aaSamw
da6c28aaSamw#pragma ident	"%Z%%M%	%I%	%E% SMI"
da6c28aaSamw
da6c28aaSamw#include <sys/atomic.h>
da6c28aaSamw#include <sys/strsubr.h>
da6c28aaSamw#include <sys/synch.h>
da6c28aaSamw#include <sys/types.h>
da6c28aaSamw#include <sys/socketvar.h>
da6c28aaSamw#include <sys/sdt.h>
da6c28aaSamw#include <smbsrv/netbios.h>
da6c28aaSamw#include <smbsrv/smb_incl.h>
da6c28aaSamw#include <smbsrv/smb_i18n.h>
da6c28aaSamw
*faa1795aSjbstatic volatile uint64_t smb_kids;
da6c28aaSamw
*faa1795aSjbuint32_t smb_keep_alive = SSN_KEEP_ALIVE_TIMEOUT;
da6c28aaSamw
da6c28aaSamwstatic int smb_session_message(smb_session_t *);
da6c28aaSamwstatic int smb_session_xprt_puthdr(smb_session_t *, smb_xprt_t *,
da6c28aaSamw    uint8_t *, size_t);
da6c28aaSamw
*faa1795aSjbstatic void smb_request_init_command_mbuf(smb_request_t *sr);
da6c28aaSamw
da6c28aaSamw
da6c28aaSamwvoid
*faa1795aSjbsmb_session_timers(smb_session_list_t *se)
da6c28aaSamw{
*faa1795aSjb	smb_session_t	*session;
da6c28aaSamw
*faa1795aSjb	rw_enter(&se->se_lock, RW_READER);
*faa1795aSjb	session = list_head(&se->se_act.lst);
*faa1795aSjb	while (session) {
da6c28aaSamw		/*
da6c28aaSamw		 * Walk through the table and decrement each keep_alive
da6c28aaSamw		 * timer that has not timed out yet. (keepalive > 0)
da6c28aaSamw		 */
*faa1795aSjb		ASSERT(session->s_magic == SMB_SESSION_MAGIC);
*faa1795aSjb		if (session->keep_alive &&
*faa1795aSjb		    (session->keep_alive != (uint32_t)-1))
*faa1795aSjb			session->keep_alive--;
*faa1795aSjb		session = list_next(&se->se_act.lst, session);
*faa1795aSjb	}
*faa1795aSjb	rw_exit(&se->se_lock);
*faa1795aSjb}
da6c28aaSamw
*faa1795aSjbvoid
*faa1795aSjbsmb_session_correct_keep_alive_values(
*faa1795aSjb    smb_session_list_t	*se,
*faa1795aSjb    uint32_t		new_keep_alive)
*faa1795aSjb{
*faa1795aSjb	smb_session_t		*sn;
*faa1795aSjb
*faa1795aSjb	if (new_keep_alive == smb_keep_alive)
*faa1795aSjb		return;
*faa1795aSjb	/*
*faa1795aSjb	 * keep alive == 0 means do not drop connection if it's idle
*faa1795aSjb	 */
*faa1795aSjb	smb_keep_alive = (new_keep_alive) ? new_keep_alive : -1;
*faa1795aSjb
*faa1795aSjb	/*
*faa1795aSjb	 * Walk through the table and set each session to the new keep_alive
*faa1795aSjb	 * value if they have not already timed out.  Block clock interrupts.
*faa1795aSjb	 */
*faa1795aSjb	rw_enter(&se->se_lock, RW_READER);
*faa1795aSjb	sn = list_head(&se->se_rdy.lst);
*faa1795aSjb	while (sn) {
*faa1795aSjb		ASSERT(sn->s_magic == SMB_SESSION_MAGIC);
*faa1795aSjb		sn->keep_alive = new_keep_alive;
*faa1795aSjb		sn = list_next(&se->se_rdy.lst, sn);
da6c28aaSamw	}
*faa1795aSjb	sn = list_head(&se->se_act.lst);
*faa1795aSjb	while (sn) {
*faa1795aSjb		ASSERT(sn->s_magic == SMB_SESSION_MAGIC);
*faa1795aSjb		if (sn->keep_alive)
*faa1795aSjb			sn->keep_alive = new_keep_alive;
*faa1795aSjb		sn = list_next(&se->se_act.lst, sn);
*faa1795aSjb	}
*faa1795aSjb	rw_exit(&se->se_lock);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * smb_reconnection_check
da6c28aaSamw *
da6c28aaSamw * This function is called when a client indicates its current connection
da6c28aaSamw * should be the only one it has with the server, as indicated by VC=0 in
da6c28aaSamw * a SessionSetupX request. We go through the session list and destroy any
da6c28aaSamw * stale connections for that client.
da6c28aaSamw *
da6c28aaSamw * Clients don't associate IP addresses and servers. So a client may make
da6c28aaSamw * independent connections (i.e. with VC=0) to a server with multiple
da6c28aaSamw * IP addresses. So, when checking for a reconnection, we need to include
da6c28aaSamw * the local IP address, to which the client is connecting, when checking
da6c28aaSamw * for stale sessions.
da6c28aaSamw *
da6c28aaSamw * Also check the server's NetBIOS name to support simultaneous access by
da6c28aaSamw * multiple clients behind a NAT server.  This will only work for SMB over
da6c28aaSamw * NetBIOS on TCP port 139, it will not work SMB over TCP port 445 because
da6c28aaSamw * there is no NetBIOS name.  See also Knowledge Base article Q301673.
da6c28aaSamw */
da6c28aaSamwvoid
*faa1795aSjbsmb_session_reconnection_check(smb_session_list_t *se, smb_session_t *session)
da6c28aaSamw{
*faa1795aSjb	smb_session_t	*sn;
da6c28aaSamw
*faa1795aSjb	rw_enter(&se->se_lock, RW_READER);
*faa1795aSjb	sn = list_head(&se->se_act.lst);
*faa1795aSjb	while (sn) {
da6c28aaSamw		ASSERT(sn->s_magic == SMB_SESSION_MAGIC);
da6c28aaSamw		if ((sn != session) &&
da6c28aaSamw		    (sn->ipaddr == session->ipaddr) &&
da6c28aaSamw		    (sn->local_ipaddr == session->local_ipaddr) &&
da6c28aaSamw		    (strcasecmp(sn->workstation, session->workstation) == 0) &&
da6c28aaSamw		    (sn->opentime <= session->opentime) &&
da6c28aaSamw		    (sn->s_kid < session->s_kid)) {
*faa1795aSjb			tsignal(sn->s_thread, SIGINT);
da6c28aaSamw		}
*faa1795aSjb		sn = list_next(&se->se_act.lst, sn);
da6c28aaSamw	}
*faa1795aSjb	rw_exit(&se->se_lock);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * Send a session message - supports SMB-over-NBT and SMB-over-TCP.
da6c28aaSamw *
da6c28aaSamw * The mbuf chain is copied into a contiguous buffer so that the whole
da6c28aaSamw * message is submitted to smb_sosend as a single request.  This should
da6c28aaSamw * help Ethereal/Wireshark delineate the packets correctly even though
da6c28aaSamw * TCP_NODELAY has been set on the socket.
da6c28aaSamw *
da6c28aaSamw * If an mbuf chain is provided, it will be freed and set to NULL here.
da6c28aaSamw */
da6c28aaSamwint
da6c28aaSamwsmb_session_send(smb_session_t *session, uint8_t type, struct mbuf_chain *mbc)
da6c28aaSamw{
5cdbe942Sjb	struct mbuf	*m = NULL;
5cdbe942Sjb	smb_txbuf_t	*txb;
5cdbe942Sjb	int		len = 0;
5cdbe942Sjb	smb_xprt_t	hdr;
5cdbe942Sjb	int		rc;
5cdbe942Sjb	uint8_t		*data;
da6c28aaSamw
da6c28aaSamw	switch (session->s_state) {
da6c28aaSamw	case SMB_SESSION_STATE_DISCONNECTED:
da6c28aaSamw	case SMB_SESSION_STATE_TERMINATED:
da6c28aaSamw		if ((mbc != NULL) && (mbc->chain != NULL)) {
da6c28aaSamw			m_freem(mbc->chain);
da6c28aaSamw			mbc->chain = NULL;
da6c28aaSamw			mbc->flags = 0;
da6c28aaSamw		}
da6c28aaSamw		return (ENOTCONN);
da6c28aaSamw	default:
da6c28aaSamw		break;
da6c28aaSamw	}
da6c28aaSamw
5cdbe942Sjb	txb = smb_net_txb_alloc();
da6c28aaSamw
da6c28aaSamw	if ((mbc != NULL) && (mbc->chain != NULL)) {
5cdbe942Sjb		len = NETBIOS_HDR_SZ;	/* Account for the NBT header. */
da6c28aaSamw		m = mbc->chain;
5cdbe942Sjb		data = &txb->tb_data[len];
da6c28aaSamw
da6c28aaSamw		while (m) {
5cdbe942Sjb			if ((len + m->m_len) > sizeof (txb->tb_data)) {
5cdbe942Sjb				smb_net_txb_free(txb);
da6c28aaSamw				m_freem(mbc->chain);
da6c28aaSamw				mbc->chain = NULL;
da6c28aaSamw				mbc->flags = 0;
da6c28aaSamw				return (EMSGSIZE);
da6c28aaSamw			}
5cdbe942Sjb			bcopy(m->m_data, data, m->m_len);
5cdbe942Sjb			data += m->m_len;
5cdbe942Sjb			len += m->m_len;
da6c28aaSamw			m = m->m_next;
da6c28aaSamw		}
da6c28aaSamw
da6c28aaSamw		m_freem(mbc->chain);
da6c28aaSamw		mbc->chain = NULL;
da6c28aaSamw		mbc->flags = 0;
5cdbe942Sjb		len -= NETBIOS_HDR_SZ;
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	hdr.xh_type = type;
5cdbe942Sjb	hdr.xh_length = len;
da6c28aaSamw
5cdbe942Sjb	rc = smb_session_xprt_puthdr(session, &hdr, txb->tb_data,
5cdbe942Sjb	    NETBIOS_HDR_SZ);
da6c28aaSamw	if (rc == 0) {
5cdbe942Sjb		txb->tb_len = len + NETBIOS_HDR_SZ;
5cdbe942Sjb		rc = smb_net_txb_send(session->sock, &session->s_txlst, txb);
5cdbe942Sjb	} else {
5cdbe942Sjb		smb_net_txb_free(txb);
da6c28aaSamw	}
da6c28aaSamw	return (rc);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * Read, process and respond to a NetBIOS session request.
da6c28aaSamw *
da6c28aaSamw * A NetBIOS session must be established for SMB-over-NetBIOS.  Validate
da6c28aaSamw * the calling and called name format and save the client NetBIOS name,
da6c28aaSamw * which is used when a NetBIOS session is established to check for and
da6c28aaSamw * cleanup leftover state from a previous session.
da6c28aaSamw *
da6c28aaSamw * Session requests are not valid for SMB-over-TCP, which is unfortunate
da6c28aaSamw * because without the client name leftover state cannot be cleaned up
da6c28aaSamw * if the client is behind a NAT server.
da6c28aaSamw */
da6c28aaSamwstatic int
da6c28aaSamwsmb_session_request(struct smb_session *session)
da6c28aaSamw{
da6c28aaSamw	int			rc;
da6c28aaSamw	char			*calling_name;
da6c28aaSamw	char			*called_name;
da6c28aaSamw	char 			client_name[NETBIOS_NAME_SZ];
da6c28aaSamw	struct mbuf_chain 	mbc;
da6c28aaSamw	char 			*names = NULL;
da6c28aaSamw	mts_wchar_t		*wbuf = NULL;
da6c28aaSamw	smb_xprt_t		hdr;
da6c28aaSamw	char *p;
da6c28aaSamw	unsigned int cpid = oem_get_smb_cpid();
da6c28aaSamw	int rc1, rc2;
da6c28aaSamw
da6c28aaSamw	session->keep_alive = smb_keep_alive;
da6c28aaSamw
*faa1795aSjb	if ((rc = smb_session_xprt_gethdr(session, &hdr)) != 0)
*faa1795aSjb		return (rc);
da6c28aaSamw
da6c28aaSamw	DTRACE_PROBE2(receive__session__req__xprthdr, struct session *, session,
da6c28aaSamw	    smb_xprt_t *, &hdr);
da6c28aaSamw
da6c28aaSamw	if ((hdr.xh_type != SESSION_REQUEST) ||
da6c28aaSamw	    (hdr.xh_length != NETBIOS_SESSION_REQUEST_DATA_LENGTH)) {
da6c28aaSamw		DTRACE_PROBE1(receive__session__req__failed,
da6c28aaSamw		    struct session *, session);
da6c28aaSamw		return (EINVAL);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	names = kmem_alloc(hdr.xh_length, KM_SLEEP);
da6c28aaSamw
da6c28aaSamw	if ((rc = smb_sorecv(session->sock, names, hdr.xh_length)) != 0) {
da6c28aaSamw		kmem_free(names, hdr.xh_length);
da6c28aaSamw		DTRACE_PROBE1(receive__session__req__failed,
da6c28aaSamw		    struct session *, session);
da6c28aaSamw		return (rc);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	DTRACE_PROBE3(receive__session__req__data, struct session *, session,
da6c28aaSamw	    char *, names, uint32_t, hdr.xh_length);
da6c28aaSamw
da6c28aaSamw	called_name = &names[0];
da6c28aaSamw	calling_name = &names[NETBIOS_ENCODED_NAME_SZ + 2];
da6c28aaSamw
da6c28aaSamw	rc1 = netbios_name_isvalid(called_name, 0);
da6c28aaSamw	rc2 = netbios_name_isvalid(calling_name, client_name);
da6c28aaSamw
da6c28aaSamw	if (rc1 == 0 || rc2 == 0) {
da6c28aaSamw
da6c28aaSamw		DTRACE_PROBE3(receive__invalid__session__req,
da6c28aaSamw		    struct session *, session, char *, names,
da6c28aaSamw		    uint32_t, hdr.xh_length);
da6c28aaSamw
da6c28aaSamw		kmem_free(names, hdr.xh_length);
da6c28aaSamw		MBC_INIT(&mbc, MAX_DATAGRAM_LENGTH);
da6c28aaSamw		(void) smb_encode_mbc(&mbc, "b",
da6c28aaSamw		    DATAGRAM_INVALID_SOURCE_NAME_FORMAT);
da6c28aaSamw		(void) smb_session_send(session, NEGATIVE_SESSION_RESPONSE,
da6c28aaSamw		    &mbc);
da6c28aaSamw		return (EINVAL);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	DTRACE_PROBE3(receive__session__req__calling__decoded,
da6c28aaSamw	    struct session *, session,
da6c28aaSamw	    char *, calling_name, char *, client_name);
da6c28aaSamw
da6c28aaSamw	/*
da6c28aaSamw	 * The client NetBIOS name is in oem codepage format.
da6c28aaSamw	 * We need to convert it to unicode and store it in
da6c28aaSamw	 * multi-byte format.  We also need to strip off any
da6c28aaSamw	 * spaces added as part of the NetBIOS name encoding.
da6c28aaSamw	 */
da6c28aaSamw	wbuf = kmem_alloc((SMB_PI_MAX_HOST * sizeof (mts_wchar_t)), KM_SLEEP);
da6c28aaSamw	(void) oemstounicodes(wbuf, client_name, SMB_PI_MAX_HOST, cpid);
da6c28aaSamw	(void) mts_wcstombs(session->workstation, wbuf, SMB_PI_MAX_HOST);
da6c28aaSamw	kmem_free(wbuf, (SMB_PI_MAX_HOST * sizeof (mts_wchar_t)));
da6c28aaSamw
da6c28aaSamw	if ((p = strchr(session->workstation, ' ')) != 0)
da6c28aaSamw		*p = '\0';
da6c28aaSamw
da6c28aaSamw	kmem_free(names, hdr.xh_length);
da6c28aaSamw	return (smb_session_send(session, POSITIVE_SESSION_RESPONSE, NULL));
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * Read 4-byte header from the session socket and build an in-memory
da6c28aaSamw * session transport header.  See smb_xprt_t definition for header
da6c28aaSamw * format information.
da6c28aaSamw *
da6c28aaSamw * Direct hosted NetBIOS-less SMB (SMB-over-TCP) uses port 445.  The
da6c28aaSamw * first byte of the four-byte header must be 0 and the next three
da6c28aaSamw * bytes contain the length of the remaining data.
da6c28aaSamw */
da6c28aaSamwint
da6c28aaSamwsmb_session_xprt_gethdr(smb_session_t *session, smb_xprt_t *ret_hdr)
da6c28aaSamw{
*faa1795aSjb	int		rc;
*faa1795aSjb	unsigned char	buf[NETBIOS_HDR_SZ];
da6c28aaSamw
*faa1795aSjb	if ((rc = smb_sorecv(session->sock, buf, NETBIOS_HDR_SZ)) != 0)
*faa1795aSjb		return (rc);
da6c28aaSamw
da6c28aaSamw	switch (session->s_local_port) {
da6c28aaSamw	case SSN_SRVC_TCP_PORT:
da6c28aaSamw		ret_hdr->xh_type = buf[0];
da6c28aaSamw		ret_hdr->xh_length = (((uint32_t)buf[1] & 1) << 16) |
da6c28aaSamw		    ((uint32_t)buf[2] << 8) |
da6c28aaSamw		    ((uint32_t)buf[3]);
da6c28aaSamw		break;
da6c28aaSamw
da6c28aaSamw	case SMB_SRVC_TCP_PORT:
da6c28aaSamw		ret_hdr->xh_type = buf[0];
da6c28aaSamw
da6c28aaSamw		if (ret_hdr->xh_type != 0) {
da6c28aaSamw			cmn_err(CE_WARN, "0x%08x: invalid type (%u)",
da6c28aaSamw			    session->ipaddr, ret_hdr->xh_type);
*faa1795aSjb			return (EPROTO);
da6c28aaSamw		}
da6c28aaSamw
da6c28aaSamw		ret_hdr->xh_length = ((uint32_t)buf[1] << 16) |
da6c28aaSamw		    ((uint32_t)buf[2] << 8) |
da6c28aaSamw		    ((uint32_t)buf[3]);
da6c28aaSamw		break;
da6c28aaSamw
da6c28aaSamw	default:
da6c28aaSamw		cmn_err(CE_WARN, "0x%08x: invalid port %u",
da6c28aaSamw		    session->ipaddr, session->s_local_port);
*faa1795aSjb		return (EPROTO);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	return (0);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * Encode a transport session packet header into a 4-byte buffer.
da6c28aaSamw * See smb_xprt_t definition for header format information.
da6c28aaSamw */
da6c28aaSamwstatic int
da6c28aaSamwsmb_session_xprt_puthdr(smb_session_t *session, smb_xprt_t *hdr,
da6c28aaSamw    uint8_t *buf, size_t buflen)
da6c28aaSamw{
da6c28aaSamw	if (session == NULL || hdr == NULL ||
da6c28aaSamw	    buf == NULL || buflen < NETBIOS_HDR_SZ) {
da6c28aaSamw		return (-1);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	switch (session->s_local_port) {
da6c28aaSamw	case SSN_SRVC_TCP_PORT:
da6c28aaSamw		buf[0] = hdr->xh_type;
da6c28aaSamw		buf[1] = ((hdr->xh_length >> 16) & 1);
da6c28aaSamw		buf[2] = (hdr->xh_length >> 8) & 0xff;
da6c28aaSamw		buf[3] = hdr->xh_length & 0xff;
da6c28aaSamw		break;
da6c28aaSamw
da6c28aaSamw	case SMB_SRVC_TCP_PORT:
da6c28aaSamw		buf[0] = hdr->xh_type;
da6c28aaSamw		buf[1] = (hdr->xh_length >> 16) & 0xff;
da6c28aaSamw		buf[2] = (hdr->xh_length >> 8) & 0xff;
da6c28aaSamw		buf[3] = hdr->xh_length & 0xff;
da6c28aaSamw		break;
da6c28aaSamw
da6c28aaSamw	default:
da6c28aaSamw		cmn_err(CE_WARN, "0x%08x: invalid port (%u)",
da6c28aaSamw		    session->ipaddr, session->s_local_port);
da6c28aaSamw		return (-1);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	return (0);
da6c28aaSamw}
da6c28aaSamw
*faa1795aSjbstatic void
da6c28aaSamwsmb_request_init_command_mbuf(smb_request_t *sr)
da6c28aaSamw{
da6c28aaSamw	MGET(sr->command.chain, 0, MT_DATA);
da6c28aaSamw
da6c28aaSamw	/*
da6c28aaSamw	 * Setup mbuf, mimic MCLGET but use the complete packet buffer.
da6c28aaSamw	 */
da6c28aaSamw	sr->command.chain->m_ext.ext_buf = sr->sr_request_buf;
da6c28aaSamw	sr->command.chain->m_data = sr->command.chain->m_ext.ext_buf;
da6c28aaSamw	sr->command.chain->m_len = sr->sr_req_length;
da6c28aaSamw	sr->command.chain->m_flags |= M_EXT;
da6c28aaSamw	sr->command.chain->m_ext.ext_size = sr->sr_req_length;
da6c28aaSamw	sr->command.chain->m_ext.ext_ref = &mclrefnoop;
da6c28aaSamw
da6c28aaSamw	/*
da6c28aaSamw	 * Initialize the rest of the mbuf_chain fields
da6c28aaSamw	 */
da6c28aaSamw	sr->command.flags = 0;
da6c28aaSamw	sr->command.shadow_of = 0;
da6c28aaSamw	sr->command.max_bytes = sr->sr_req_length;
da6c28aaSamw	sr->command.chain_offset = 0;
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * smb_request_cancel
da6c28aaSamw *
da6c28aaSamw * Handle a cancel for a request properly depending on the current request
da6c28aaSamw * state.
da6c28aaSamw */
da6c28aaSamwvoid
da6c28aaSamwsmb_request_cancel(smb_request_t *sr)
da6c28aaSamw{
da6c28aaSamw	mutex_enter(&sr->sr_mutex);
da6c28aaSamw	switch (sr->sr_state) {
da6c28aaSamw
da6c28aaSamw	case SMB_REQ_STATE_SUBMITTED:
da6c28aaSamw	case SMB_REQ_STATE_ACTIVE:
da6c28aaSamw	case SMB_REQ_STATE_CLEANED_UP:
da6c28aaSamw		sr->sr_state = SMB_REQ_STATE_CANCELED;
da6c28aaSamw		break;
da6c28aaSamw
da6c28aaSamw	case SMB_REQ_STATE_WAITING_LOCK:
da6c28aaSamw		/*
da6c28aaSamw		 * This request is waiting on a lock.  Wakeup everything
da6c28aaSamw		 * waiting on the lock so that the relevant thread regains
da6c28aaSamw		 * control and notices that is has been canceled.  The
da6c28aaSamw		 * other lock request threads waiting on this lock will go
da6c28aaSamw		 * back to sleep when they discover they are still blocked.
da6c28aaSamw		 */
da6c28aaSamw		sr->sr_state = SMB_REQ_STATE_CANCELED;
da6c28aaSamw
da6c28aaSamw		ASSERT(sr->sr_awaiting != NULL);
da6c28aaSamw		mutex_enter(&sr->sr_awaiting->l_mutex);
da6c28aaSamw		cv_broadcast(&sr->sr_awaiting->l_cv);
da6c28aaSamw		mutex_exit(&sr->sr_awaiting->l_mutex);
da6c28aaSamw
da6c28aaSamw		break;
da6c28aaSamw
da6c28aaSamw	case SMB_REQ_STATE_WAITING_EVENT:
da6c28aaSamw	case SMB_REQ_STATE_EVENT_OCCURRED:
da6c28aaSamw		/*
da6c28aaSamw		 * Cancellations for these states are handled by the
da6c28aaSamw		 * notify-change code
da6c28aaSamw		 */
da6c28aaSamw		break;
da6c28aaSamw
da6c28aaSamw	case SMB_REQ_STATE_COMPLETED:
da6c28aaSamw	case SMB_REQ_STATE_CANCELED:
da6c28aaSamw		/*
da6c28aaSamw		 * No action required for these states since the request
da6c28aaSamw		 * is completing.
da6c28aaSamw		 */
da6c28aaSamw		break;
da6c28aaSamw	/*
da6c28aaSamw	 * Cases included:
da6c28aaSamw	 *	SMB_REQ_STATE_FREE:
da6c28aaSamw	 *	SMB_REQ_STATE_INITIALIZING:
da6c28aaSamw	 */
da6c28aaSamw	default:
da6c28aaSamw		ASSERT(0);
da6c28aaSamw		break;
da6c28aaSamw	}
da6c28aaSamw	mutex_exit(&sr->sr_mutex);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * This is the entry point for processing SMB messages over NetBIOS or
da6c28aaSamw * SMB-over-TCP.
da6c28aaSamw *
da6c28aaSamw * NetBIOS connections require a session request to establish a session
da6c28aaSamw * on which to send session messages.
da6c28aaSamw *
da6c28aaSamw * Session requests are not valid on SMB-over-TCP.  We don't need to do
da6c28aaSamw * anything here as session requests will be treated as an error when
da6c28aaSamw * handling session messages.
da6c28aaSamw */
*faa1795aSjbint
*faa1795aSjbsmb_session_daemon(smb_session_list_t *se)
da6c28aaSamw{
*faa1795aSjb	int		rc = 0;
*faa1795aSjb	smb_session_t	*session;
da6c28aaSamw
*faa1795aSjb	session = smb_session_list_activate_head(se);
*faa1795aSjb	if (session == NULL)
*faa1795aSjb		return (EINVAL);
da6c28aaSamw
*faa1795aSjb	if (session->s_local_port == SSN_SRVC_TCP_PORT) {
da6c28aaSamw		rc = smb_session_request(session);
*faa1795aSjb		if (rc) {
*faa1795aSjb			smb_rwx_rwenter(&session->s_lock, RW_WRITER);
*faa1795aSjb			session->s_state = SMB_SESSION_STATE_DISCONNECTED;
*faa1795aSjb			smb_rwx_rwexit(&session->s_lock);
*faa1795aSjb			smb_session_list_terminate(se, session);
*faa1795aSjb			return (rc);
*faa1795aSjb		}
*faa1795aSjb	}
da6c28aaSamw
da6c28aaSamw	smb_rwx_rwenter(&session->s_lock, RW_WRITER);
*faa1795aSjb	session->s_state = SMB_SESSION_STATE_ESTABLISHED;
*faa1795aSjb	smb_rwx_rwexit(&session->s_lock);
da6c28aaSamw
*faa1795aSjb	rc = smb_session_message(session);
da6c28aaSamw
*faa1795aSjb	smb_rwx_rwenter(&session->s_lock, RW_WRITER);
da6c28aaSamw	session->s_state = SMB_SESSION_STATE_DISCONNECTED;
da6c28aaSamw	smb_rwx_rwexit(&session->s_lock);
da6c28aaSamw
*faa1795aSjb	smb_soshutdown(session->sock);
*faa1795aSjb
da6c28aaSamw	DTRACE_PROBE2(session__drop, struct session *, session, int, rc);
da6c28aaSamw
da6c28aaSamw	smb_session_cancel(session);
da6c28aaSamw
da6c28aaSamw	/*
da6c28aaSamw	 * At this point everything related to the session should have been
da6c28aaSamw	 * cleaned up and we expect that nothing will attempt to use the
da6c28aaSamw	 * socket.
da6c28aaSamw	 */
*faa1795aSjb	smb_session_list_terminate(se, session);
da6c28aaSamw
*faa1795aSjb	return (rc);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * Read and process SMB requests.
da6c28aaSamw *
da6c28aaSamw * Returns:
da6c28aaSamw *	0	Success
da6c28aaSamw *	1	Unable to read transport header
da6c28aaSamw *	2	Invalid transport header type
da6c28aaSamw *	3	Invalid SMB length (too small)
da6c28aaSamw *	4	Unable to read SMB header
da6c28aaSamw *	5	Invalid SMB header (bad magic number)
da6c28aaSamw *	6	Unable to read SMB data
da6c28aaSamw *	2x	Write raw failed
da6c28aaSamw */
da6c28aaSamwstatic int
da6c28aaSamwsmb_session_message(smb_session_t *session)
da6c28aaSamw{
*faa1795aSjb	smb_request_t	*sr = NULL;
*faa1795aSjb	smb_xprt_t	hdr;
*faa1795aSjb	uint8_t		*req_buf;
*faa1795aSjb	uint32_t	resid;
*faa1795aSjb	int		rc;
da6c28aaSamw
*faa1795aSjb	for (;;) {
*faa1795aSjb
*faa1795aSjb		rc = smb_session_xprt_gethdr(session, &hdr);
*faa1795aSjb		if (rc)
*faa1795aSjb			return (rc);
*faa1795aSjb
*faa1795aSjb		DTRACE_PROBE2(session__receive__xprthdr, session_t *, session,
*faa1795aSjb		    smb_xprt_t *, &hdr);
*faa1795aSjb
*faa1795aSjb		if (hdr.xh_type != SESSION_MESSAGE) {
*faa1795aSjb			/*
*faa1795aSjb			 * Anything other than SESSION_MESSAGE or
*faa1795aSjb			 * SESSION_KEEP_ALIVE is an error.  A SESSION_REQUEST
*faa1795aSjb			 * may indicate a new session request but we need to
*faa1795aSjb			 * close this session and we can treat it as an error
*faa1795aSjb			 * here.
*faa1795aSjb			 */
*faa1795aSjb			if (hdr.xh_type == SESSION_KEEP_ALIVE) {
*faa1795aSjb				session->keep_alive = smb_keep_alive;
da6c28aaSamw				continue;
da6c28aaSamw			}
*faa1795aSjb			return (EPROTO);
da6c28aaSamw		}
da6c28aaSamw
*faa1795aSjb		if (hdr.xh_length < SMB_HEADER_LEN)
*faa1795aSjb			return (EPROTO);
da6c28aaSamw
*faa1795aSjb		session->keep_alive = smb_keep_alive;
da6c28aaSamw
da6c28aaSamw		/*
*faa1795aSjb		 * Allocate a request context, read the SMB header and validate
*faa1795aSjb		 * it. The sr includes a buffer large enough to hold the SMB
*faa1795aSjb		 * request payload.  If the header looks valid, read any
*faa1795aSjb		 * remaining data.
da6c28aaSamw		 */
*faa1795aSjb		sr = smb_request_alloc(session, hdr.xh_length);
da6c28aaSamw
*faa1795aSjb		req_buf = (uint8_t *)sr->sr_request_buf;
*faa1795aSjb		resid = hdr.xh_length;
da6c28aaSamw
*faa1795aSjb		rc = smb_sorecv(session->sock, req_buf, SMB_HEADER_LEN);
*faa1795aSjb		if (rc) {
*faa1795aSjb			smb_request_free(sr);
*faa1795aSjb			return (rc);
*faa1795aSjb		}
da6c28aaSamw
*faa1795aSjb		if (SMB_PROTOCOL_MAGIC_INVALID(sr)) {
*faa1795aSjb			smb_request_free(sr);
*faa1795aSjb			return (EPROTO);
*faa1795aSjb		}
da6c28aaSamw
*faa1795aSjb		if (resid > SMB_HEADER_LEN) {
*faa1795aSjb			req_buf += SMB_HEADER_LEN;
*faa1795aSjb			resid -= SMB_HEADER_LEN;
da6c28aaSamw
*faa1795aSjb			rc = smb_sorecv(session->sock, req_buf, resid);
*faa1795aSjb			if (rc) {
*faa1795aSjb				smb_request_free(sr);
*faa1795aSjb				return (rc);
da6c28aaSamw			}
da6c28aaSamw		}
da6c28aaSamw
*faa1795aSjb		/*
*faa1795aSjb		 * Initialize command MBC to represent the received data.
*faa1795aSjb		 */
*faa1795aSjb		smb_request_init_command_mbuf(sr);
da6c28aaSamw
*faa1795aSjb		DTRACE_PROBE1(session__receive__smb, smb_request_t *, sr);
da6c28aaSamw
da6c28aaSamw		/*
*faa1795aSjb		 * If this is a raw write, hand off the request.  The handler
*faa1795aSjb		 * will retrieve the remaining raw data and process the request.
da6c28aaSamw		 */
*faa1795aSjb		if (SMB_IS_WRITERAW(sr)) {
*faa1795aSjb			rc = smb_handle_write_raw(session, sr);
*faa1795aSjb			/* XXX smb_request_free(sr); ??? */
*faa1795aSjb			return (rc);
*faa1795aSjb		}
da6c28aaSamw
*faa1795aSjb		sr->sr_state = SMB_REQ_STATE_SUBMITTED;
*faa1795aSjb		(void) taskq_dispatch(session->s_server->sv_thread_pool,
*faa1795aSjb		    smb_session_worker, sr, TQ_SLEEP);
da6c28aaSamw	}
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * smb_session_reject
da6c28aaSamw *
da6c28aaSamw * Build and send a NEGATIVE_SESSION_RESPONSE on the specified socket.
da6c28aaSamw * The reason is written to the log.
da6c28aaSamw */
da6c28aaSamw/*ARGSUSED*/
da6c28aaSamwvoid
da6c28aaSamwsmb_session_reject(smb_session_t *session, char *reason)
da6c28aaSamw{
5cdbe942Sjb	smb_txbuf_t	*txb;
da6c28aaSamw
da6c28aaSamw	smb_rwx_rwenter(&session->s_lock, RW_READER);
da6c28aaSamw	if (session->sock != NULL) {
5cdbe942Sjb		txb = smb_net_txb_alloc();
5cdbe942Sjb		txb->tb_data[0] = NEGATIVE_SESSION_RESPONSE;
5cdbe942Sjb		txb->tb_data[1] = 0;
5cdbe942Sjb		txb->tb_data[2] = 0;
5cdbe942Sjb		txb->tb_data[3] = 1;
5cdbe942Sjb		txb->tb_data[4] = SESSION_INSUFFICIENT_RESOURCES;
5cdbe942Sjb		txb->tb_len = 5;
5cdbe942Sjb		(void) smb_net_txb_send(session->sock, &session->s_txlst, txb);
da6c28aaSamw	}
da6c28aaSamw	smb_rwx_rwexit(&session->s_lock);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * Port will be SSN_SRVC_TCP_PORT or SMB_SRVC_TCP_PORT.
da6c28aaSamw */
da6c28aaSamwsmb_session_t *
*faa1795aSjbsmb_session_create(struct sonode *new_so, uint16_t port, smb_server_t *sv)
da6c28aaSamw{
da6c28aaSamw	uint32_t		ipaddr;
da6c28aaSamw	uint32_t		local_ipaddr;
da6c28aaSamw	struct sockaddr_in	sin;
da6c28aaSamw	smb_session_t		*session;
da6c28aaSamw
*faa1795aSjb	session = kmem_cache_alloc(sv->si_cache_session, KM_SLEEP);
da6c28aaSamw	bzero(session, sizeof (smb_session_t));
da6c28aaSamw
da6c28aaSamw	if (smb_idpool_constructor(&session->s_uid_pool)) {
*faa1795aSjb		kmem_cache_free(sv->si_cache_session, session);
da6c28aaSamw		return (NULL);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	session->s_kid = SMB_NEW_KID();
*faa1795aSjb	session->s_state = SMB_SESSION_STATE_INITIALIZED;
da6c28aaSamw	session->native_os = NATIVE_OS_UNKNOWN;
da6c28aaSamw	session->opentime = lbolt64;
da6c28aaSamw	session->keep_alive = smb_keep_alive;
da6c28aaSamw	session->activity_timestamp = lbolt64;
da6c28aaSamw
da6c28aaSamw	smb_slist_constructor(&session->s_req_list, sizeof (smb_request_t),
da6c28aaSamw	    offsetof(smb_request_t, sr_session_lnd));
da6c28aaSamw
da6c28aaSamw	smb_llist_constructor(&session->s_user_list, sizeof (smb_user_t),
da6c28aaSamw	    offsetof(smb_user_t, u_lnd));
da6c28aaSamw
da6c28aaSamw	smb_llist_constructor(&session->s_xa_list, sizeof (smb_xa_t),
da6c28aaSamw	    offsetof(smb_xa_t, xa_lnd));
da6c28aaSamw
5cdbe942Sjb	smb_net_txl_constructor(&session->s_txlst);
5cdbe942Sjb
da6c28aaSamw	smb_rwx_init(&session->s_lock);
da6c28aaSamw
*faa1795aSjb	if (new_so) {
*faa1795aSjb		bcopy(new_so->so_faddr_sa, &sin, new_so->so_faddr_len);
*faa1795aSjb		ipaddr = sin.sin_addr.s_addr;
*faa1795aSjb		bcopy(new_so->so_laddr_sa, &sin, new_so->so_faddr_len);
*faa1795aSjb		local_ipaddr = sin.sin_addr.s_addr;
*faa1795aSjb		session->s_local_port = port;
*faa1795aSjb		session->ipaddr = ipaddr;
*faa1795aSjb		session->local_ipaddr = local_ipaddr;
*faa1795aSjb		session->sock = new_so;
*faa1795aSjb	}
da6c28aaSamw
*faa1795aSjb	session->s_server = sv;
*faa1795aSjb	smb_server_get_cfg(sv, &session->s_cfg);
*faa1795aSjb	session->s_cache_request = sv->si_cache_request;
*faa1795aSjb	session->s_cache = sv->si_cache_session;
da6c28aaSamw	session->s_magic = SMB_SESSION_MAGIC;
da6c28aaSamw	return (session);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamwvoid
da6c28aaSamwsmb_session_delete(smb_session_t *session)
da6c28aaSamw{
da6c28aaSamw	ASSERT(session->s_magic == SMB_SESSION_MAGIC);
da6c28aaSamw
da6c28aaSamw	session->s_magic = (uint32_t)~SMB_SESSION_MAGIC;
da6c28aaSamw
da6c28aaSamw	smb_rwx_destroy(&session->s_lock);
5cdbe942Sjb	smb_net_txl_destructor(&session->s_txlst);
da6c28aaSamw	smb_slist_destructor(&session->s_req_list);
da6c28aaSamw	smb_llist_destructor(&session->s_user_list);
da6c28aaSamw	smb_llist_destructor(&session->s_xa_list);
da6c28aaSamw
da6c28aaSamw	ASSERT(session->s_tree_cnt == 0);
da6c28aaSamw	ASSERT(session->s_file_cnt == 0);
da6c28aaSamw	ASSERT(session->s_dir_cnt == 0);
da6c28aaSamw
da6c28aaSamw	smb_idpool_destructor(&session->s_uid_pool);
*faa1795aSjb	kmem_cache_free(session->s_cache, session);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamwvoid
da6c28aaSamwsmb_session_cancel(smb_session_t *session)
da6c28aaSamw{
da6c28aaSamw	smb_xa_t	*xa, *nextxa;
da6c28aaSamw
da6c28aaSamw	/* All the request currently being treated must be canceled. */
da6c28aaSamw	smb_session_cancel_requests(session);
da6c28aaSamw
da6c28aaSamw	/*
da6c28aaSamw	 * We wait for the completion of all the requests associated with
da6c28aaSamw	 * this session.
da6c28aaSamw	 */
da6c28aaSamw	smb_slist_wait_for_empty(&session->s_req_list);
da6c28aaSamw
da6c28aaSamw	/*
da6c28aaSamw	 * At this point the reference count of the users, trees, files,
da6c28aaSamw	 * directories should be zero. It should be possible to destroy them
da6c28aaSamw	 * without any problem.
da6c28aaSamw	 */
da6c28aaSamw	xa = smb_llist_head(&session->s_xa_list);
da6c28aaSamw	while (xa) {
da6c28aaSamw		nextxa = smb_llist_next(&session->s_xa_list, xa);
da6c28aaSamw		smb_xa_close(xa);
da6c28aaSamw		xa = nextxa;
da6c28aaSamw	}
da6c28aaSamw	smb_user_logoff_all(session);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamwvoid
da6c28aaSamwsmb_session_cancel_requests(
da6c28aaSamw    smb_session_t	*session)
da6c28aaSamw{
da6c28aaSamw	smb_request_t	*sr;
da6c28aaSamw	smb_request_t	*tmp;
da6c28aaSamw
da6c28aaSamw	/* All the SMB requests on the notification queue are canceled. */
da6c28aaSamw	smb_process_session_notify_change_queue(session);
da6c28aaSamw
da6c28aaSamw	smb_slist_enter(&session->s_req_list);
da6c28aaSamw	sr = smb_slist_head(&session->s_req_list);
da6c28aaSamw	while (sr) {
da6c28aaSamw		ASSERT(sr->sr_magic == SMB_REQ_MAGIC);
da6c28aaSamw		tmp = smb_slist_next(&session->s_req_list, sr);
da6c28aaSamw
da6c28aaSamw		smb_request_cancel(sr);
da6c28aaSamw
da6c28aaSamw		sr = tmp;
da6c28aaSamw	}
da6c28aaSamw	smb_slist_exit(&session->s_req_list);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamwvoid
da6c28aaSamwsmb_session_worker(
da6c28aaSamw    void	*arg)
da6c28aaSamw{
da6c28aaSamw	smb_request_t	*sr;
da6c28aaSamw
da6c28aaSamw	sr = (smb_request_t *)arg;
da6c28aaSamw
da6c28aaSamw	ASSERT(sr->sr_magic == SMB_REQ_MAGIC);
da6c28aaSamw
*faa1795aSjb
da6c28aaSamw	mutex_enter(&sr->sr_mutex);
da6c28aaSamw	switch (sr->sr_state) {
da6c28aaSamw	case SMB_REQ_STATE_SUBMITTED:
da6c28aaSamw		mutex_exit(&sr->sr_mutex);
7b59d02dSjb		smb_dispatch_request(sr);
da6c28aaSamw		mutex_enter(&sr->sr_mutex);
da6c28aaSamw		if (!sr->sr_keep) {
da6c28aaSamw			sr->sr_state = SMB_REQ_STATE_COMPLETED;
da6c28aaSamw			mutex_exit(&sr->sr_mutex);
da6c28aaSamw			smb_request_free(sr);
da6c28aaSamw			break;
da6c28aaSamw		}
da6c28aaSamw		mutex_exit(&sr->sr_mutex);
da6c28aaSamw		break;
da6c28aaSamw
da6c28aaSamw	default:
da6c28aaSamw		ASSERT(sr->sr_state == SMB_REQ_STATE_CANCELED);
da6c28aaSamw		sr->sr_state = SMB_REQ_STATE_COMPLETED;
da6c28aaSamw		mutex_exit(&sr->sr_mutex);
da6c28aaSamw		smb_request_free(sr);
da6c28aaSamw		break;
da6c28aaSamw	}
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * smb_session_disconnect_share
da6c28aaSamw *
da6c28aaSamw * Disconnects the specified share. This function should be called after the
da6c28aaSamw * share passed in has been made unavailable by the "share manager".
da6c28aaSamw */
da6c28aaSamwvoid
*faa1795aSjbsmb_session_disconnect_share(smb_session_list_t *se, char *sharename)
da6c28aaSamw{
da6c28aaSamw	smb_session_t	*session;
da6c28aaSamw
*faa1795aSjb	rw_enter(&se->se_lock, RW_READER);
*faa1795aSjb	session = list_head(&se->se_act.lst);
*faa1795aSjb	while (session) {
da6c28aaSamw		ASSERT(session->s_magic == SMB_SESSION_MAGIC);
da6c28aaSamw		smb_rwx_rwenter(&session->s_lock, RW_READER);
da6c28aaSamw		switch (session->s_state) {
da6c28aaSamw		case SMB_SESSION_STATE_NEGOTIATED:
da6c28aaSamw		case SMB_SESSION_STATE_OPLOCK_BREAKING:
da6c28aaSamw		case SMB_SESSION_STATE_WRITE_RAW_ACTIVE: {
da6c28aaSamw			smb_user_t	*user;
da6c28aaSamw			smb_user_t	*next;
da6c28aaSamw
da6c28aaSamw			user = smb_user_lookup_by_state(session, NULL);
da6c28aaSamw			while (user) {
da6c28aaSamw				smb_user_disconnect_share(user, sharename);
da6c28aaSamw				next = smb_user_lookup_by_state(session, user);
da6c28aaSamw				smb_user_release(user);
da6c28aaSamw				user = next;
da6c28aaSamw			}
da6c28aaSamw			break;
da6c28aaSamw
da6c28aaSamw		}
da6c28aaSamw		default:
da6c28aaSamw			break;
da6c28aaSamw		}
da6c28aaSamw		smb_rwx_rwexit(&session->s_lock);
*faa1795aSjb		session = list_next(&se->se_act.lst, session);
da6c28aaSamw	}
*faa1795aSjb	rw_exit(&se->se_lock);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * smb_session_disconnect_volume
da6c28aaSamw *
da6c28aaSamw * This function is called when a volume is deleted. We need to ensure
da6c28aaSamw * all trees with a reference to the volume are destroyed before we
da6c28aaSamw * discard the fs_online. Before destroying each tree, we notify any
da6c28aaSamw * in-progress requests and give them a chance to complete.
da6c28aaSamw *
da6c28aaSamw * NOTE:
da6c28aaSamw * We shouldn't be accepting any new connection on this volume while
da6c28aaSamw * we are in this function.
da6c28aaSamw */
da6c28aaSamwvoid
*faa1795aSjbsmb_session_disconnect_volume(smb_session_list_t *se, fs_desc_t *fsd)
da6c28aaSamw{
da6c28aaSamw	smb_session_t	*session;
da6c28aaSamw
*faa1795aSjb	rw_enter(&se->se_lock, RW_READER);
*faa1795aSjb	session = list_head(&se->se_act.lst);
*faa1795aSjb	while (session) {
da6c28aaSamw
da6c28aaSamw		ASSERT(session->s_magic == SMB_SESSION_MAGIC);
da6c28aaSamw		smb_rwx_rwenter(&session->s_lock, RW_READER);
da6c28aaSamw		switch (session->s_state) {
da6c28aaSamw		case SMB_SESSION_STATE_NEGOTIATED:
da6c28aaSamw		case SMB_SESSION_STATE_OPLOCK_BREAKING:
da6c28aaSamw		case SMB_SESSION_STATE_WRITE_RAW_ACTIVE: {
da6c28aaSamw			smb_user_t	*user;
da6c28aaSamw			smb_user_t	*next;
da6c28aaSamw
da6c28aaSamw			user = smb_user_lookup_by_state(session, NULL);
da6c28aaSamw			while (user) {
da6c28aaSamw				smb_user_disconnect_volume(user, fsd);
da6c28aaSamw				next = smb_user_lookup_by_state(session, user);
da6c28aaSamw				smb_user_release(user);
da6c28aaSamw				user = next;
da6c28aaSamw			}
da6c28aaSamw			break;
da6c28aaSamw
da6c28aaSamw		}
da6c28aaSamw		default:
da6c28aaSamw			break;
da6c28aaSamw		}
da6c28aaSamw		smb_rwx_rwexit(&session->s_lock);
*faa1795aSjb		session = list_next(&se->se_act.lst, session);
*faa1795aSjb	}
*faa1795aSjb	rw_exit(&se->se_lock);
*faa1795aSjb}
*faa1795aSjb
*faa1795aSjbvoid
*faa1795aSjbsmb_session_list_constructor(smb_session_list_t *se)
*faa1795aSjb{
*faa1795aSjb	bzero(se, sizeof (*se));
*faa1795aSjb	rw_init(&se->se_lock, NULL, RW_DEFAULT, NULL);
*faa1795aSjb	list_create(&se->se_rdy.lst, sizeof (smb_session_t),
*faa1795aSjb	    offsetof(smb_session_t, s_lnd));
*faa1795aSjb	list_create(&se->se_act.lst, sizeof (smb_session_t),
*faa1795aSjb	    offsetof(smb_session_t, s_lnd));
*faa1795aSjb}
*faa1795aSjb
*faa1795aSjbvoid
*faa1795aSjbsmb_session_list_destructor(smb_session_list_t *se)
*faa1795aSjb{
*faa1795aSjb	list_destroy(&se->se_rdy.lst);
*faa1795aSjb	list_destroy(&se->se_act.lst);
*faa1795aSjb	rw_destroy(&se->se_lock);
*faa1795aSjb}
*faa1795aSjb
*faa1795aSjbvoid
*faa1795aSjbsmb_session_list_append(smb_session_list_t *se, smb_session_t *session)
*faa1795aSjb{
*faa1795aSjb	ASSERT(session->s_magic == SMB_SESSION_MAGIC);
*faa1795aSjb	ASSERT(session->s_state == SMB_SESSION_STATE_INITIALIZED);
*faa1795aSjb
*faa1795aSjb	rw_enter(&se->se_lock, RW_WRITER);
*faa1795aSjb	list_insert_tail(&se->se_rdy.lst, session);
*faa1795aSjb	se->se_rdy.count++;
*faa1795aSjb	se->se_wrop++;
*faa1795aSjb	rw_exit(&se->se_lock);
*faa1795aSjb}
*faa1795aSjb
*faa1795aSjbvoid
*faa1795aSjbsmb_session_list_delete_tail(smb_session_list_t *se)
*faa1795aSjb{
*faa1795aSjb	smb_session_t	*session;
*faa1795aSjb
*faa1795aSjb	rw_enter(&se->se_lock, RW_WRITER);
*faa1795aSjb	session = list_tail(&se->se_rdy.lst);
*faa1795aSjb	if (session) {
*faa1795aSjb		ASSERT(session->s_magic == SMB_SESSION_MAGIC);
*faa1795aSjb		ASSERT(session->s_state == SMB_SESSION_STATE_INITIALIZED);
*faa1795aSjb		list_remove(&se->se_rdy.lst, session);
*faa1795aSjb		ASSERT(se->se_rdy.count);
*faa1795aSjb		se->se_rdy.count--;
*faa1795aSjb		rw_exit(&se->se_lock);
*faa1795aSjb		smb_session_delete(session);
*faa1795aSjb		return;
*faa1795aSjb	}
*faa1795aSjb	rw_exit(&se->se_lock);
*faa1795aSjb}
*faa1795aSjb
*faa1795aSjbsmb_session_t *
*faa1795aSjbsmb_session_list_activate_head(smb_session_list_t *se)
*faa1795aSjb{
*faa1795aSjb	smb_session_t	*session;
*faa1795aSjb
*faa1795aSjb	rw_enter(&se->se_lock, RW_WRITER);
*faa1795aSjb	session = list_head(&se->se_rdy.lst);
*faa1795aSjb	if (session) {
*faa1795aSjb		ASSERT(session->s_magic == SMB_SESSION_MAGIC);
*faa1795aSjb		smb_rwx_rwenter(&session->s_lock, RW_WRITER);
*faa1795aSjb		ASSERT(session->s_state == SMB_SESSION_STATE_INITIALIZED);
*faa1795aSjb		session->s_thread = curthread;
*faa1795aSjb		session->s_ktdid = session->s_thread->t_did;
*faa1795aSjb		smb_rwx_rwexit(&session->s_lock);
*faa1795aSjb		list_remove(&se->se_rdy.lst, session);
*faa1795aSjb		se->se_rdy.count--;
*faa1795aSjb		list_insert_tail(&se->se_act.lst, session);
*faa1795aSjb		se->se_act.count++;
*faa1795aSjb		se->se_wrop++;
*faa1795aSjb	}
*faa1795aSjb	rw_exit(&se->se_lock);
*faa1795aSjb	return (session);
*faa1795aSjb}
*faa1795aSjb
*faa1795aSjbvoid
*faa1795aSjbsmb_session_list_terminate(smb_session_list_t *se, smb_session_t *session)
*faa1795aSjb{
*faa1795aSjb	ASSERT(session->s_magic == SMB_SESSION_MAGIC);
*faa1795aSjb
*faa1795aSjb	rw_enter(&se->se_lock, RW_WRITER);
*faa1795aSjb
*faa1795aSjb	smb_rwx_rwenter(&session->s_lock, RW_WRITER);
*faa1795aSjb	ASSERT(session->s_state == SMB_SESSION_STATE_DISCONNECTED);
*faa1795aSjb	session->s_state = SMB_SESSION_STATE_TERMINATED;
*faa1795aSjb	smb_sodestroy(session->sock);
*faa1795aSjb	session->sock = NULL;
*faa1795aSjb	smb_rwx_rwexit(&session->s_lock);
*faa1795aSjb
*faa1795aSjb	list_remove(&se->se_act.lst, session);
*faa1795aSjb	se->se_act.count--;
*faa1795aSjb	se->se_wrop++;
*faa1795aSjb
*faa1795aSjb	ASSERT(session->s_thread == curthread);
*faa1795aSjb
*faa1795aSjb	rw_exit(&se->se_lock);
*faa1795aSjb
*faa1795aSjb	smb_session_delete(session);
*faa1795aSjb}
*faa1795aSjb
*faa1795aSjb/*
*faa1795aSjb * smb_session_list_signal
*faa1795aSjb *
*faa1795aSjb * This function signals all the session threads. The intent is to terminate
*faa1795aSjb * them. The sessions still in the SMB_SESSION_STATE_INITIALIZED are delete
*faa1795aSjb * immediately.
*faa1795aSjb *
*faa1795aSjb * This function must only be called by the threads listening and accepting
*faa1795aSjb * connections. They must pass in their respective session list.
*faa1795aSjb */
*faa1795aSjbvoid
*faa1795aSjbsmb_session_list_signal(smb_session_list_t *se)
*faa1795aSjb{
*faa1795aSjb	smb_session_t	*session;
*faa1795aSjb
*faa1795aSjb	rw_enter(&se->se_lock, RW_WRITER);
*faa1795aSjb	while (session = list_head(&se->se_rdy.lst)) {
*faa1795aSjb
*faa1795aSjb		ASSERT(session->s_magic == SMB_SESSION_MAGIC);
*faa1795aSjb
*faa1795aSjb		smb_rwx_rwenter(&session->s_lock, RW_WRITER);
*faa1795aSjb		ASSERT(session->s_state == SMB_SESSION_STATE_INITIALIZED);
*faa1795aSjb		session->s_state = SMB_SESSION_STATE_TERMINATED;
*faa1795aSjb		smb_sodestroy(session->sock);
*faa1795aSjb		session->sock = NULL;
*faa1795aSjb		smb_rwx_rwexit(&session->s_lock);
*faa1795aSjb
*faa1795aSjb		list_remove(&se->se_rdy.lst, session);
*faa1795aSjb		se->se_rdy.count--;
*faa1795aSjb		se->se_wrop++;
*faa1795aSjb
*faa1795aSjb		rw_exit(&se->se_lock);
*faa1795aSjb		smb_session_delete(session);
*faa1795aSjb		rw_enter(&se->se_lock, RW_WRITER);
da6c28aaSamw	}
*faa1795aSjb	rw_downgrade(&se->se_lock);
*faa1795aSjb
*faa1795aSjb	session = list_head(&se->se_act.lst);
*faa1795aSjb	while (session) {
*faa1795aSjb
*faa1795aSjb		ASSERT(session->s_magic == SMB_SESSION_MAGIC);
*faa1795aSjb		tsignal(session->s_thread, SIGINT);
*faa1795aSjb		session = list_next(&se->se_act.lst, session);
*faa1795aSjb	}
*faa1795aSjb	rw_exit(&se->se_lock);
*faa1795aSjb}
*faa1795aSjb
*faa1795aSjb/*
*faa1795aSjb * smb_request_alloc
*faa1795aSjb *
*faa1795aSjb * Allocate an smb_request_t structure from the kmem_cache.  Partially
*faa1795aSjb * initialize the found/new request.
*faa1795aSjb *
*faa1795aSjb * Returns pointer to a request
*faa1795aSjb */
*faa1795aSjbsmb_request_t *
*faa1795aSjbsmb_request_alloc(smb_session_t *session, int req_length)
*faa1795aSjb{
*faa1795aSjb	smb_request_t	*sr;
*faa1795aSjb
*faa1795aSjb	ASSERT(session->s_magic == SMB_SESSION_MAGIC);
*faa1795aSjb
*faa1795aSjb	sr = kmem_cache_alloc(session->s_cache_request, KM_SLEEP);
*faa1795aSjb
*faa1795aSjb	/*
*faa1795aSjb	 * Future:  Use constructor to pre-initialize some fields.  For now
*faa1795aSjb	 * there are so many fields that it is easiest just to zero the
*faa1795aSjb	 * whole thing and start over.
*faa1795aSjb	 */
*faa1795aSjb	bzero(sr, sizeof (smb_request_t));
*faa1795aSjb
*faa1795aSjb	mutex_init(&sr->sr_mutex, NULL, MUTEX_DEFAULT, NULL);
*faa1795aSjb	sr->session = session;
*faa1795aSjb	sr->sr_server = session->s_server;
*faa1795aSjb	sr->sr_gmtoff = session->s_server->si_gmtoff;
*faa1795aSjb	sr->sr_cache = session->s_server->si_cache_request;
*faa1795aSjb	sr->sr_cfg = &session->s_cfg;
*faa1795aSjb	sr->request_storage.forw = &sr->request_storage;
*faa1795aSjb	sr->request_storage.back = &sr->request_storage;
*faa1795aSjb	sr->command.max_bytes = req_length;
*faa1795aSjb	sr->reply.max_bytes = smb_maxbufsize;
*faa1795aSjb	sr->sr_req_length = req_length;
*faa1795aSjb	if (req_length)
*faa1795aSjb		sr->sr_request_buf = kmem_alloc(req_length, KM_SLEEP);
*faa1795aSjb	sr->sr_magic = SMB_REQ_MAGIC;
*faa1795aSjb	sr->sr_state = SMB_REQ_STATE_INITIALIZING;
*faa1795aSjb	smb_slist_insert_tail(&session->s_req_list, sr);
*faa1795aSjb	return (sr);
*faa1795aSjb}
*faa1795aSjb
*faa1795aSjb/*
*faa1795aSjb * smb_request_free
*faa1795aSjb *
*faa1795aSjb * release the memories which have been allocated for a smb request.
*faa1795aSjb */
*faa1795aSjbvoid
*faa1795aSjbsmb_request_free(smb_request_t *sr)
*faa1795aSjb{
*faa1795aSjb	ASSERT(sr->sr_magic == SMB_REQ_MAGIC);
*faa1795aSjb	ASSERT(sr->session);
*faa1795aSjb	ASSERT(sr->fid_ofile == NULL);
*faa1795aSjb	ASSERT(sr->sid_odir == NULL);
*faa1795aSjb	ASSERT(sr->r_xa == NULL);
*faa1795aSjb
*faa1795aSjb	if (sr->tid_tree)
*faa1795aSjb		smb_tree_release(sr->tid_tree);
*faa1795aSjb
*faa1795aSjb	if (sr->uid_user)
*faa1795aSjb		smb_user_release(sr->uid_user);
*faa1795aSjb
*faa1795aSjb	smb_slist_remove(&sr->session->s_req_list, sr);
*faa1795aSjb
*faa1795aSjb	sr->session = NULL;
*faa1795aSjb
*faa1795aSjb	/* Release any temp storage */
*faa1795aSjb	smbsr_free_malloc_list(&sr->request_storage);
*faa1795aSjb
*faa1795aSjb	if (sr->sr_request_buf)
*faa1795aSjb		kmem_free(sr->sr_request_buf, sr->sr_req_length);
*faa1795aSjb	if (sr->command.chain)
*faa1795aSjb		m_freem(sr->command.chain);
*faa1795aSjb	if (sr->reply.chain)
*faa1795aSjb		m_freem(sr->reply.chain);
*faa1795aSjb	if (sr->raw_data.chain)
*faa1795aSjb		m_freem(sr->raw_data.chain);
*faa1795aSjb
*faa1795aSjb	sr->sr_magic = 0;
*faa1795aSjb	mutex_destroy(&sr->sr_mutex);
*faa1795aSjb	kmem_cache_free(sr->sr_cache, sr);
da6c28aaSamw}