1 /*
2  * This file and its contents are supplied under the terms of the
3  * Common Development and Distribution License ("CDDL"), version 1.0.
4  * You may only use this file in accordance with the terms of version
5  * 1.0 of the CDDL.
6  *
7  * A full copy of the text of the CDDL should have accompanied this
8  * source.  A copy of the CDDL is also available via the Internet at
9  * http://www.illumos.org/license/CDDL.
10  */
11 
12 /*
13  * Copyright 2019 Nexenta Systems, Inc.  All rights reserved.
14  * Copyright 2020 RackTop Systems, Inc.
15  */
16 
17 
18 #include <smbsrv/smb2_kproto.h>
19 #include <smbsrv/smb_kstat.h>
20 #include <smbsrv/smb2.h>
21 
22 #define	SMB2_ASYNCID(sr) (sr->smb2_messageid ^ (1ULL << 62))
23 
24 smb_sdrc_t smb2_invalid_cmd(smb_request_t *);
25 static void smb2_tq_work(void *);
26 static void smb2sr_run_postwork(smb_request_t *);
27 static int smb3_decrypt_msg(smb_request_t *);
28 
29 static const smb_disp_entry_t
30 smb2_disp_table[SMB2__NCMDS] = {
31 
32 	/* text-name, pre, func, post, cmd-code, dialect, flags */
33 
34 	{  "smb2_negotiate", NULL,
35 	    smb2_negotiate, NULL, 0, 0,
36 	    SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID },
37 
38 	{  "smb2_session_setup", NULL,
39 	    smb2_session_setup, NULL, 0, 0,
40 	    SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID },
41 
42 	{  "smb2_logoff", NULL,
43 	    smb2_logoff, NULL, 0, 0,
44 	    SDDF_SUPPRESS_TID },
45 
46 	{  "smb2_tree_connect", NULL,
47 	    smb2_tree_connect, NULL, 0, 0,
48 	    SDDF_SUPPRESS_TID },
49 
50 	{  "smb2_tree_disconn", NULL,
51 	    smb2_tree_disconn, NULL, 0, 0 },
52 
53 	{  "smb2_create", NULL,
54 	    smb2_create, NULL, 0, 0 },
55 
56 	{  "smb2_close", NULL,
57 	    smb2_close, NULL, 0, 0 },
58 
59 	{  "smb2_flush", NULL,
60 	    smb2_flush, NULL, 0, 0 },
61 
62 	{  "smb2_read", NULL,
63 	    smb2_read, NULL, 0, 0 },
64 
65 	{  "smb2_write", NULL,
66 	    smb2_write, NULL, 0, 0 },
67 
68 	{  "smb2_lock", NULL,
69 	    smb2_lock, NULL, 0, 0 },
70 
71 	{  "smb2_ioctl", NULL,
72 	    smb2_ioctl, NULL, 0, 0 },
73 
74 	{  "smb2_cancel", NULL,
75 	    smb2_cancel, NULL, 0, 0,
76 	    SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
77 
78 	{  "smb2_echo", NULL,
79 	    smb2_echo, NULL, 0, 0,
80 	    SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
81 
82 	{  "smb2_query_dir", NULL,
83 	    smb2_query_dir, NULL, 0, 0 },
84 
85 	{  "smb2_change_notify", NULL,
86 	    smb2_change_notify, NULL, 0, 0 },
87 
88 	{  "smb2_query_info", NULL,
89 	    smb2_query_info, NULL, 0, 0 },
90 
91 	{  "smb2_set_info", NULL,
92 	    smb2_set_info, NULL, 0, 0 },
93 
94 	{  "smb2_oplock_break_ack", NULL,
95 	    smb2_oplock_break_ack, NULL, 0, 0 },
96 
97 	{  "smb2_invalid_cmd", NULL,
98 	    smb2_invalid_cmd, NULL, 0, 0,
99 	    SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
100 };
101 
102 smb_sdrc_t
smb2_invalid_cmd(smb_request_t * sr)103 smb2_invalid_cmd(smb_request_t *sr)
104 {
105 #ifdef	DEBUG
106 	cmn_err(CE_NOTE, "clnt %s bad SMB2 cmd code",
107 	    sr->session->ip_addr_str);
108 #endif
109 	sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
110 	return (SDRC_DROP_VC);
111 }
112 
113 /*
114  * This is the SMB2 handler for new smb requests, called from
115  * smb_session_reader after SMB negotiate is done.  For most SMB2
116  * requests, we just enqueue them for the smb_session_worker to
117  * execute via the task queue, so they can block for resources
118  * without stopping the reader thread.  A few protocol messages
119  * are special cases and are handled directly here in the reader
120  * thread so they don't wait for taskq scheduling.
121  *
122  * This function must either enqueue the new request for
123  * execution via the task queue, or execute it directly
124  * and then free it.  If this returns non-zero, the caller
125  * will drop the session.
126  */
127 int
smb2sr_newrq(smb_request_t * sr)128 smb2sr_newrq(smb_request_t *sr)
129 {
130 	struct mbuf_chain *mbc = &sr->command;
131 	uint32_t magic;
132 	int rc, skip;
133 
134 	if (smb_mbc_peek(mbc, 0, "l", &magic) != 0)
135 		goto drop;
136 
137 	/* 0xFD S M B */
138 	if (magic == SMB3_ENCRYPTED_MAGIC) {
139 		if (smb3_decrypt_msg(sr) != 0)
140 			goto drop;
141 		/*
142 		 * Should now be looking at an un-encrypted
143 		 * SMB2 message header.
144 		 */
145 		if (smb_mbc_peek(mbc, 0, "l", &magic) != 0)
146 			goto drop;
147 	}
148 
149 	if (magic != SMB2_PROTOCOL_MAGIC)
150 		goto drop;
151 
152 	/*
153 	 * Walk the SMB2 commands in this compound message and
154 	 * keep track of the range of message IDs it uses.
155 	 */
156 	for (;;) {
157 		if (smb2_decode_header(sr) != 0)
158 			goto drop;
159 
160 		/*
161 		 * Cancel requests are special:  They refer to
162 		 * an earlier message ID (or an async. ID),
163 		 * never a new ID, and are never compounded.
164 		 * This is intentionally not "goto drop"
165 		 * because rc may be zero (success).
166 		 */
167 		if (sr->smb2_cmd_code == SMB2_CANCEL) {
168 			rc = smb2_newrq_cancel(sr);
169 			smb_request_free(sr);
170 			return (rc);
171 		}
172 
173 		/*
174 		 * Keep track of the total credits in this compound
175 		 * and the first (real) message ID (not: 0, -1)
176 		 * While we're looking, verify that all (real) IDs
177 		 * are (first <= ID < (first + msg_credits))
178 		 */
179 		if (sr->smb2_credit_charge == 0)
180 			sr->smb2_credit_charge = 1;
181 		sr->smb2_total_credits += sr->smb2_credit_charge;
182 
183 		if (sr->smb2_messageid != 0 &&
184 		    sr->smb2_messageid != UINT64_MAX) {
185 
186 			if (sr->smb2_first_msgid == 0)
187 				sr->smb2_first_msgid = sr->smb2_messageid;
188 
189 			if (sr->smb2_messageid < sr->smb2_first_msgid ||
190 			    sr->smb2_messageid >= (sr->smb2_first_msgid +
191 			    sr->smb2_total_credits)) {
192 				long long id = (long long) sr->smb2_messageid;
193 				cmn_err(CE_WARN, "clnt %s msg ID 0x%llx "
194 				    "out of sequence in compound",
195 				    sr->session->ip_addr_str, id);
196 			}
197 		}
198 
199 		/* Normal loop exit on next == zero */
200 		if (sr->smb2_next_command == 0)
201 			break;
202 
203 		/* Abundance of caution... */
204 		if (sr->smb2_next_command < SMB2_HDR_SIZE)
205 			goto drop;
206 
207 		/* Advance to the next header. */
208 		skip = sr->smb2_next_command - SMB2_HDR_SIZE;
209 		if (MBC_ROOM_FOR(mbc, skip) == 0)
210 			goto drop;
211 		mbc->chain_offset += skip;
212 	}
213 	/* Rewind back to the top. */
214 	mbc->chain_offset = 0;
215 
216 	/*
217 	 * Submit the request to the task queue, which calls
218 	 * smb2_tq_work when the workload permits.
219 	 */
220 	sr->sr_time_submitted = gethrtime();
221 	sr->sr_state = SMB_REQ_STATE_SUBMITTED;
222 	smb_srqueue_waitq_enter(sr->session->s_srqueue);
223 	(void) taskq_dispatch(sr->sr_server->sv_worker_pool,
224 	    smb2_tq_work, sr, TQ_SLEEP);
225 	return (0);
226 
227 drop:
228 	smb_request_free(sr);
229 	return (-1);
230 }
231 
232 static void
smb2_tq_work(void * arg)233 smb2_tq_work(void *arg)
234 {
235 	smb_request_t	*sr;
236 	smb_srqueue_t	*srq;
237 
238 	sr = (smb_request_t *)arg;
239 	SMB_REQ_VALID(sr);
240 
241 	srq = sr->session->s_srqueue;
242 	smb_srqueue_waitq_to_runq(srq);
243 	sr->sr_worker = curthread;
244 	sr->sr_time_active = gethrtime();
245 
246 	/*
247 	 * Always dispatch to the work function, because cancelled
248 	 * requests need an error reply (NT_STATUS_CANCELLED).
249 	 */
250 	mutex_enter(&sr->sr_mutex);
251 	if (sr->sr_state == SMB_REQ_STATE_SUBMITTED)
252 		sr->sr_state = SMB_REQ_STATE_ACTIVE;
253 	mutex_exit(&sr->sr_mutex);
254 
255 	smb2sr_work(sr);
256 
257 	smb_srqueue_runq_exit(srq);
258 }
259 
260 static int
smb3_decrypt_msg(smb_request_t * sr)261 smb3_decrypt_msg(smb_request_t *sr)
262 {
263 	int save_offset;
264 
265 	if (sr->session->dialect < SMB_VERS_3_0) {
266 		cmn_err(CE_WARN, "encrypted message in SMB 2.x");
267 		return (-1);
268 	}
269 
270 	sr->encrypted = B_TRUE;
271 	save_offset = sr->command.chain_offset;
272 	if (smb3_decode_tform_header(sr) != 0) {
273 		cmn_err(CE_WARN, "bad transform header");
274 		return (-1);
275 	}
276 	sr->command.chain_offset = save_offset;
277 
278 	sr->tform_ssn = smb_session_lookup_ssnid(sr->session,
279 	    sr->smb3_tform_ssnid);
280 	if (sr->tform_ssn == NULL) {
281 		cmn_err(CE_WARN, "transform header: session not found");
282 		return (-1);
283 	}
284 
285 	if (smb3_decrypt_sr(sr) != 0) {
286 		cmn_err(CE_WARN, "smb3 decryption failed");
287 		return (-1);
288 	}
289 
290 	return (0);
291 }
292 
293 /*
294  * SMB2 credits determine how many simultaneous commands the
295  * client may issue, and bounds the range of message IDs those
296  * commands may use.  With multi-credit support, commands may
297  * use ranges of message IDs, where the credits used by each
298  * command are proportional to their data transfer size.
299  *
300  * Every command may request an increase or decrease of
301  * the currently granted credits, based on the difference
302  * between the credit request and the credit charge.
303  * [MS-SMB2] 3.3.1.2 Algorithm for the Granting of Credits
304  *
305  * Most commands have credit_request=1, credit_charge=1,
306  * which keeps the credit grant unchanged.
307  *
308  * All we're really doing here (for now) is reducing the
309  * credit_response if the client requests a credit increase
310  * that would take their credit over the maximum, and
311  * limiting the decrease so they don't run out of credits.
312  *
313  * Later, this could do something dynamic based on load.
314  *
315  * One other non-obvious bit about credits: We keep the
316  * session s_max_credits low until the 1st authentication,
317  * at which point we'll set the normal maximum_credits.
318  * Some clients ask for more credits with session setup,
319  * and we need to handle that requested increase _after_
320  * the command-specific handler returns so it won't be
321  * restricted to the lower (pre-auth) limit.
322  */
323 static inline void
smb2_credit_decrease(smb_request_t * sr)324 smb2_credit_decrease(smb_request_t *sr)
325 {
326 	smb_session_t *session = sr->session;
327 	uint16_t cur, d;
328 
329 	ASSERT3U(sr->smb2_credit_request, <, sr->smb2_credit_charge);
330 
331 	mutex_enter(&session->s_credits_mutex);
332 	cur = session->s_cur_credits;
333 	ASSERT(cur > 0);
334 
335 	/* Handle credit decrease. */
336 	d = sr->smb2_credit_charge - sr->smb2_credit_request;
337 
338 	/*
339 	 * Prevent underflow of current credits, and
340 	 * enforce a minimum of one credit, per:
341 	 * [MS-SMB2] 3.3.1.2
342 	 */
343 	if (d >= cur) {
344 		/*
345 		 * Tried to give up more credits than we should.
346 		 * Reduce the decrement.
347 		 */
348 		d = cur - 1;
349 		cur = 1;
350 		DTRACE_PROBE1(smb2__credit__neg, smb_request_t *, sr);
351 	} else {
352 		cur -= d;
353 	}
354 
355 	ASSERT3U(d, <=, sr->smb2_credit_charge);
356 	sr->smb2_credit_response = sr->smb2_credit_charge - d;
357 
358 	DTRACE_PROBE3(smb2__credit__decrease,
359 	    smb_request_t *, sr, int, (int)cur,
360 	    int, (int)session->s_cur_credits);
361 
362 	session->s_cur_credits = cur;
363 	mutex_exit(&session->s_credits_mutex);
364 }
365 
366 /*
367  * Second half of SMB2 credit handling (increases)
368  */
369 static inline void
smb2_credit_increase(smb_request_t * sr)370 smb2_credit_increase(smb_request_t *sr)
371 {
372 	smb_session_t *session = sr->session;
373 	uint16_t cur, d;
374 
375 	ASSERT3U(sr->smb2_credit_request, >, sr->smb2_credit_charge);
376 
377 	mutex_enter(&session->s_credits_mutex);
378 	cur = session->s_cur_credits;
379 
380 	/* Handle credit increase. */
381 	d = sr->smb2_credit_request - sr->smb2_credit_charge;
382 
383 	/*
384 	 * If new credits would be above max,
385 	 * reduce the credit grant.
386 	 */
387 	if (d > (session->s_max_credits - cur)) {
388 		d = session->s_max_credits - cur;
389 		cur = session->s_max_credits;
390 		DTRACE_PROBE1(smb2__credit__max, smb_request_t *, sr);
391 	} else {
392 		cur += d;
393 	}
394 	sr->smb2_credit_response = sr->smb2_credit_charge + d;
395 
396 	DTRACE_PROBE3(smb2__credit__increase,
397 	    smb_request_t *, sr, int, (int)cur,
398 	    int, (int)session->s_cur_credits);
399 
400 	session->s_cur_credits = cur;
401 	mutex_exit(&session->s_credits_mutex);
402 }
403 
404 /*
405  * Record some statistics:  latency, rx bytes, tx bytes
406  * per:  server, session & kshare.
407  */
408 static inline void
smb2_record_stats(smb_request_t * sr,smb_disp_stats_t * sds,boolean_t tx_only)409 smb2_record_stats(smb_request_t *sr, smb_disp_stats_t *sds, boolean_t tx_only)
410 {
411 	hrtime_t	dt;
412 	int64_t		rxb;
413 	int64_t		txb;
414 
415 	dt = gethrtime() - sr->sr_time_start;
416 	rxb = (int64_t)(sr->command.chain_offset - sr->smb2_cmd_hdr);
417 	txb = (int64_t)(sr->reply.chain_offset - sr->smb2_reply_hdr);
418 
419 	if (!tx_only) {
420 		smb_server_inc_req(sr->sr_server);
421 		smb_latency_add_sample(&sds->sdt_lat, dt);
422 		atomic_add_64(&sds->sdt_rxb, rxb);
423 	}
424 	atomic_add_64(&sds->sdt_txb, txb);
425 }
426 
427 /*
428  * smb2sr_work
429  *
430  * This function processes each SMB command in the current request
431  * (which may be a compound request) building a reply containing
432  * SMB reply messages, one-to-one with the SMB commands.  Some SMB
433  * commands (change notify, blocking locks) may require both an
434  * "interim response" and a later "async response" at completion.
435  * In such cases, we'll encode the interim response in the reply
436  * compound we're building, and put the (now async) command on a
437  * list of commands that need further processing.  After we've
438  * finished processing the commands in this compound and building
439  * the compound reply, we'll send the compound reply, and finally
440  * process the list of async commands.
441  *
442  * As we work our way through the compound request and reply,
443  * we need to keep track of the bounds of the current request
444  * and reply.  For the request, this uses an MBC_SHADOW_CHAIN
445  * that begins at smb2_cmd_hdr.  The reply is appended to the
446  * sr->reply chain starting at smb2_reply_hdr.
447  *
448  * This function must always free the smb request, or arrange
449  * for it to be completed and free'd later (if SDRC_SR_KEPT).
450  */
451 void
smb2sr_work(struct smb_request * sr)452 smb2sr_work(struct smb_request *sr)
453 {
454 	const smb_disp_entry_t	*sdd;
455 	smb_disp_stats_t	*sds;
456 	smb_session_t		*session;
457 	uint32_t		msg_len;
458 	uint16_t		cmd_idx;
459 	int			rc = 0;
460 	boolean_t		disconnect = B_FALSE;
461 	boolean_t		related;
462 
463 	session = sr->session;
464 
465 	ASSERT(sr->smb2_async == B_FALSE);
466 	ASSERT(sr->tid_tree == 0);
467 	ASSERT(sr->uid_user == 0);
468 	ASSERT(sr->fid_ofile == 0);
469 	sr->smb_fid = (uint16_t)-1;
470 	sr->smb2_status = 0;
471 
472 	/* temporary until we identify a user */
473 	sr->user_cr = zone_kcred();
474 
475 cmd_start:
476 	/*
477 	 * Note that we don't check sr_state here and abort the
478 	 * compound if cancelled (etc.) because some SMB2 command
479 	 * handlers need to do work even when cancelled.
480 	 *
481 	 * We treat some status codes as if "sticky", meaning
482 	 * once they're set after some command handler returns,
483 	 * all remaining commands get this status without even
484 	 * calling the command-specific handler.
485 	 */
486 	if (sr->smb2_status != NT_STATUS_CANCELLED &&
487 	    sr->smb2_status != NT_STATUS_INSUFFICIENT_RESOURCES)
488 		sr->smb2_status = 0;
489 
490 	/*
491 	 * Decode the request header
492 	 *
493 	 * Most problems with decoding will result in the error
494 	 * STATUS_INVALID_PARAMETER.  If the decoding problem
495 	 * prevents continuing, we'll close the connection.
496 	 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
497 	 */
498 	sr->smb2_cmd_hdr = sr->command.chain_offset;
499 	if ((rc = smb2_decode_header(sr)) != 0) {
500 		cmn_err(CE_WARN, "clnt %s bad SMB2 header",
501 		    session->ip_addr_str);
502 		disconnect = B_TRUE;
503 		goto cleanup;
504 	}
505 
506 	/*
507 	 * The SMB2_FLAGS_SERVER_TO_REDIR should only appear
508 	 * in messages from the server back to the client.
509 	 */
510 	if ((sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR) != 0) {
511 		cmn_err(CE_WARN, "clnt %s bad SMB2 flags",
512 		    session->ip_addr_str);
513 		disconnect = B_TRUE;
514 		goto cleanup;
515 	}
516 	related = (sr->smb2_hdr_flags & SMB2_FLAGS_RELATED_OPERATIONS);
517 	sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR;
518 	if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
519 		/* Probably an async cancel. */
520 		DTRACE_PROBE1(smb2__dispatch__async, smb_request_t *, sr);
521 	} else if (sr->smb2_async) {
522 		/* Previous command in compound went async. */
523 		sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND;
524 		sr->smb2_async_id = SMB2_ASYNCID(sr);
525 	}
526 
527 	/*
528 	 * In case we bail out with an error before we get to the
529 	 * section that computes the credit grant, initialize the
530 	 * response header fields so that credits won't change.
531 	 * Note: SMB 2.02 clients may send credit charge zero.
532 	 */
533 	if (sr->smb2_credit_charge == 0)
534 		sr->smb2_credit_charge = 1;
535 	sr->smb2_credit_response = sr->smb2_credit_charge;
536 
537 	/*
538 	 * Write a tentative reply header.
539 	 *
540 	 * We could just leave this blank, but if we're using the
541 	 * mdb module feature that extracts packets, it's useful
542 	 * to have the header mostly correct here.
543 	 *
544 	 * If we have already exhausted the output space, then the
545 	 * client is trying something funny.  Log it and kill 'em.
546 	 */
547 	sr->smb2_next_reply = 0;
548 	ASSERT((sr->reply.chain_offset & 7) == 0);
549 	sr->smb2_reply_hdr = sr->reply.chain_offset;
550 	if ((rc = smb2_encode_header(sr, B_FALSE)) != 0) {
551 		cmn_err(CE_WARN, "clnt %s excessive reply",
552 		    session->ip_addr_str);
553 		disconnect = B_TRUE;
554 		goto cleanup;
555 	}
556 
557 	/*
558 	 * Figure out the length of data following the SMB2 header.
559 	 * It ends at either the next SMB2 header if there is one
560 	 * (smb2_next_command != 0) or at the end of the message.
561 	 */
562 	if (sr->smb2_next_command != 0) {
563 		/* [MS-SMB2] says this is 8-byte aligned */
564 		msg_len = sr->smb2_next_command;
565 		if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) ||
566 		    ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) {
567 			cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd",
568 			    session->ip_addr_str);
569 			disconnect = B_TRUE;
570 			goto cleanup;
571 		}
572 	} else {
573 		msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr;
574 	}
575 
576 	/*
577 	 * Setup a shadow chain for this SMB2 command, starting
578 	 * with the header and ending at either the next command
579 	 * or the end of the message.  The signing check below
580 	 * needs the entire SMB2 command.  After that's done, we
581 	 * advance chain_offset to the end of the header where
582 	 * the command specific handlers continue decoding.
583 	 */
584 	(void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command,
585 	    sr->smb2_cmd_hdr, msg_len);
586 
587 	/*
588 	 * We will consume the data for this request from smb_data.
589 	 * That effectively consumes msg_len bytes from sr->command
590 	 * but doesn't update its chain_offset, so we need to update
591 	 * that here to make later received bytes accounting work.
592 	 */
593 	sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len;
594 	ASSERT(sr->command.chain_offset <= sr->command.max_bytes);
595 
596 	/*
597 	 * Validate the commmand code, get dispatch table entries.
598 	 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
599 	 *
600 	 * The last slot in the dispatch table is used to handle
601 	 * invalid commands.  Same for statistics.
602 	 */
603 	if (sr->smb2_cmd_code < SMB2_INVALID_CMD)
604 		cmd_idx = sr->smb2_cmd_code;
605 	else
606 		cmd_idx = SMB2_INVALID_CMD;
607 	sdd = &smb2_disp_table[cmd_idx];
608 	sds = &session->s_server->sv_disp_stats2[cmd_idx];
609 
610 	/*
611 	 * If this command is NOT "related" to the previous,
612 	 * clear out the UID, TID, FID state that might be
613 	 * left over from the previous command.
614 	 *
615 	 * If the command IS related, any new IDs are ignored,
616 	 * and we simply continue with the previous user, tree,
617 	 * and open file.
618 	 */
619 	if (!related) {
620 		/*
621 		 * Drop user, tree, file; carefully ordered to
622 		 * avoid dangling references: file, tree, user
623 		 */
624 		if (sr->fid_ofile != NULL) {
625 			smb_ofile_release(sr->fid_ofile);
626 			sr->fid_ofile = NULL;
627 		}
628 		if (sr->tid_tree != NULL) {
629 			smb_tree_release(sr->tid_tree);
630 			sr->tid_tree = NULL;
631 		}
632 		if (sr->uid_user != NULL) {
633 			smb_user_release(sr->uid_user);
634 			sr->uid_user = NULL;
635 			sr->user_cr = zone_kcred();
636 		}
637 	}
638 
639 	/*
640 	 * Make sure we have a user and tree as needed
641 	 * according to the flags for the this command.
642 	 * Note that we may have inherited these.
643 	 */
644 	if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0) {
645 		/*
646 		 * This command requires a user session.
647 		 */
648 		if (related) {
649 			/*
650 			 * Previous command should have given us a user.
651 			 * [MS-SMB2] 3.3.5.2 Handling Related Requests
652 			 */
653 			if (sr->uid_user == NULL) {
654 				smb2sr_put_error(sr,
655 				    NT_STATUS_INVALID_PARAMETER);
656 				goto cmd_done;
657 			}
658 			sr->smb2_ssnid = sr->uid_user->u_ssnid;
659 		} else {
660 			/*
661 			 * Lookup the UID
662 			 * [MS-SMB2] 3.3.5.2 Verifying the Session
663 			 */
664 			ASSERT(sr->uid_user == NULL);
665 			/*
666 			 * [MS-SMB2] 3.3.5.2.7 Handling Compounded Requests
667 			 *
668 			 * If this is an encrypted compound request,
669 			 * ensure that the ssnid in the request
670 			 * is the same as the tform ssnid if this
671 			 * message is not related.
672 			 *
673 			 * The reasons this is done seem to apply equally
674 			 * to uncompounded requests, so we apply it to all.
675 			 */
676 
677 			if (sr->encrypted &&
678 			    sr->smb2_ssnid != sr->smb3_tform_ssnid) {
679 				disconnect = B_TRUE;
680 				goto cleanup; /* just do this for now */
681 			}
682 
683 			sr->uid_user = smb_session_lookup_ssnid(session,
684 			    sr->smb2_ssnid);
685 			if (sr->uid_user == NULL) {
686 				smb2sr_put_error(sr,
687 				    NT_STATUS_USER_SESSION_DELETED);
688 				goto cmd_done;
689 			}
690 
691 			/*
692 			 * [MS-SMB2] 3.3.5.2.9 Verifying the Session
693 			 *
694 			 * If we're talking 3.x,
695 			 * RejectUnencryptedAccess is TRUE,
696 			 * Session.EncryptData is TRUE,
697 			 * and the message wasn't encrypted,
698 			 * return ACCESS_DENIED.
699 			 *
700 			 * Note that Session.EncryptData can only be TRUE when
701 			 * we're talking 3.x.
702 			 */
703 
704 			if (sr->uid_user->u_encrypt ==
705 			    SMB_CONFIG_REQUIRED &&
706 			    !sr->encrypted) {
707 				smb2sr_put_error(sr,
708 				    NT_STATUS_ACCESS_DENIED);
709 				goto cmd_done;
710 			}
711 
712 			sr->user_cr = smb_user_getcred(sr->uid_user);
713 		}
714 		ASSERT(sr->uid_user != NULL);
715 
716 		/*
717 		 * Encrypt if:
718 		 * - The cmd is not SESSION_SETUP or NEGOTIATE; AND
719 		 * - Session.EncryptData is TRUE
720 		 *
721 		 * Those commands suppress UID, so they can't be the cmd here.
722 		 */
723 		if (sr->uid_user->u_encrypt != SMB_CONFIG_DISABLED &&
724 		    sr->tform_ssn == NULL) {
725 			smb_user_hold_internal(sr->uid_user);
726 			sr->tform_ssn = sr->uid_user;
727 			sr->smb3_tform_ssnid = sr->smb2_ssnid;
728 		}
729 	}
730 
731 	if ((sdd->sdt_flags & SDDF_SUPPRESS_TID) == 0) {
732 		/*
733 		 * This command requires a tree connection.
734 		 */
735 		if (related) {
736 			/*
737 			 * Previous command should have given us a tree.
738 			 * [MS-SMB2] 3.3.5.2 Handling Related Requests
739 			 */
740 			if (sr->tid_tree == NULL) {
741 				smb2sr_put_error(sr,
742 				    NT_STATUS_INVALID_PARAMETER);
743 				goto cmd_done;
744 			}
745 			sr->smb_tid = sr->tid_tree->t_tid;
746 		} else {
747 			/*
748 			 * Lookup the TID
749 			 * [MS-SMB2] 3.3.5.2 Verifying the Tree Connect
750 			 */
751 			ASSERT(sr->tid_tree == NULL);
752 			sr->tid_tree = smb_session_lookup_tree(session,
753 			    sr->smb_tid);
754 			if (sr->tid_tree == NULL) {
755 				smb2sr_put_error(sr,
756 				    NT_STATUS_NETWORK_NAME_DELETED);
757 				goto cmd_done;
758 			}
759 
760 			/*
761 			 * [MS-SMB2] 3.3.5.2.11 Verifying the Tree Connect
762 			 *
763 			 * If we support 3.x, RejectUnencryptedAccess is TRUE,
764 			 * if Tcon.EncryptData is TRUE or
765 			 * global EncryptData is TRUE and
766 			 * the message wasn't encrypted, or
767 			 * if Tcon.EncryptData is TRUE or
768 			 * global EncryptData is TRUE or
769 			 * the request was encrypted and
770 			 * the connection doesn't support encryption,
771 			 * return ACCESS_DENIED.
772 			 *
773 			 * If RejectUnencryptedAccess is TRUE, we force
774 			 * max_protocol to at least 3.0. Additionally,
775 			 * if the tree requires encryption, we don't care
776 			 * what we support, we still enforce encryption.
777 			 */
778 			if (sr->tid_tree->t_encrypt == SMB_CONFIG_REQUIRED &&
779 			    (!sr->encrypted ||
780 			    (session->srv_cap & SMB2_CAP_ENCRYPTION) == 0)) {
781 				smb2sr_put_error(sr,
782 				    NT_STATUS_ACCESS_DENIED);
783 				goto cmd_done;
784 			}
785 		}
786 		ASSERT(sr->tid_tree != NULL);
787 
788 		/*
789 		 * Encrypt if:
790 		 * - The cmd is not TREE_CONNECT; AND
791 		 * - Tree.EncryptData is TRUE
792 		 *
793 		 * TREE_CONNECT suppresses TID, so that can't be the cmd here.
794 		 * NOTE: assumes we can't have a tree without a user
795 		 */
796 		if (sr->tid_tree->t_encrypt != SMB_CONFIG_DISABLED &&
797 		    sr->tform_ssn == NULL) {
798 			smb_user_hold_internal(sr->uid_user);
799 			sr->tform_ssn = sr->uid_user;
800 			sr->smb3_tform_ssnid = sr->smb2_ssnid;
801 		}
802 	}
803 
804 	/*
805 	 * SMB2 signature verification, two parts:
806 	 * (a) Require SMB2_FLAGS_SIGNED (for most request types)
807 	 * (b) If SMB2_FLAGS_SIGNED is set, check the signature.
808 	 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
809 	 */
810 
811 	/*
812 	 * No user session means no signature check.  That's OK,
813 	 * i.e. for commands marked SDDF_SUPPRESS_UID above.
814 	 * Note, this also means we won't sign the reply.
815 	 */
816 	if (sr->uid_user == NULL)
817 		sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
818 
819 	/*
820 	 * The SDDF_SUPPRESS_UID dispatch is set for requests that
821 	 * don't need a UID (user).  These also don't require a
822 	 * signature check here.
823 	 *
824 	 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
825 	 *
826 	 * If the packet was successfully decrypted, the message
827 	 * signature has already been verified, so we can skip this.
828 	 */
829 	if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 &&
830 	    !sr->encrypted && sr->uid_user != NULL &&
831 	    (sr->uid_user->u_sign_flags & SMB_SIGNING_ENABLED) != 0) {
832 		/*
833 		 * If the request is signed, check the signature.
834 		 * Otherwise, if signing is required, deny access.
835 		 */
836 		if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) {
837 			rc = smb2_sign_check_request(sr);
838 			if (rc != 0) {
839 				DTRACE_PROBE1(smb2__sign__check,
840 				    smb_request_t *, sr);
841 				smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
842 				goto cmd_done;
843 			}
844 		} else if (
845 		    (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) {
846 			smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
847 			goto cmd_done;
848 		}
849 	}
850 
851 	/*
852 	 * Now that the signing check is done with smb_data,
853 	 * advance past the SMB2 header we decoded earlier.
854 	 * This leaves sr->smb_data correctly positioned
855 	 * for command-specific decoding in the dispatch
856 	 * function called next.
857 	 */
858 	sr->smb_data.chain_offset = sr->smb2_cmd_hdr + SMB2_HDR_SIZE;
859 
860 	/*
861 	 * Credit adjustments (decrease)
862 	 *
863 	 * If we've gone async, credit adjustments were done
864 	 * when we sent the interim reply.
865 	 */
866 	if (!sr->smb2_async) {
867 		if (sr->smb2_credit_request < sr->smb2_credit_charge) {
868 			smb2_credit_decrease(sr);
869 		}
870 	}
871 
872 	/*
873 	 * The real work: call the SMB2 command handler
874 	 * (except for "sticky" smb2_status - see above)
875 	 */
876 	sr->sr_time_start = gethrtime();
877 	rc = SDRC_SUCCESS;
878 	if (sr->smb2_status == 0) {
879 		/* NB: not using pre_op */
880 		rc = (*sdd->sdt_function)(sr);
881 		/* NB: not using post_op */
882 	} else {
883 		smb2sr_put_error(sr, sr->smb2_status);
884 	}
885 
886 	/*
887 	 * When the sdt_function returns SDRC_SR_KEPT, it means
888 	 * this SR may have been passed to another thread so we
889 	 * MUST NOT touch it anymore.
890 	 */
891 	if (rc == SDRC_SR_KEPT)
892 		return;
893 
894 	MBC_FLUSH(&sr->raw_data);
895 
896 	/*
897 	 * Credit adjustments (increase)
898 	 */
899 	if (!sr->smb2_async) {
900 		if (sr->smb2_credit_request > sr->smb2_credit_charge) {
901 			smb2_credit_increase(sr);
902 		}
903 	}
904 
905 cmd_done:
906 	switch (rc) {
907 	case SDRC_SUCCESS:
908 		break;
909 	default:
910 		/*
911 		 * SMB2 does not use the other dispatch return codes.
912 		 * If we see something else, log an event so we'll
913 		 * know something is returning bogus status codes.
914 		 * If you see these in the log, use dtrace to find
915 		 * the code returning something else.
916 		 */
917 #ifdef	DEBUG
918 		cmn_err(CE_NOTE, "handler for %u returned 0x%x",
919 		    sr->smb2_cmd_code, rc);
920 #endif
921 		smb2sr_put_error(sr, NT_STATUS_INTERNAL_ERROR);
922 		break;
923 	case SDRC_ERROR:
924 		/*
925 		 * Many command handlers return SDRC_ERROR for any
926 		 * problems decoding the request, and don't bother
927 		 * setting smb2_status.  For those cases, the best
928 		 * status return would be "invalid parameter".
929 		 */
930 		if (sr->smb2_status == 0)
931 			sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
932 		smb2sr_put_error(sr, sr->smb2_status);
933 		break;
934 	case SDRC_DROP_VC:
935 		disconnect = B_TRUE;
936 		goto cleanup;
937 
938 	case SDRC_NO_REPLY:
939 		/* will free sr */
940 		goto cleanup;
941 	}
942 
943 	/*
944 	 * Pad the reply to align(8) if there will be another.
945 	 * (We don't compound async replies.)
946 	 */
947 	if (!sr->smb2_async && sr->smb2_next_command != 0)
948 		(void) smb_mbc_put_align(&sr->reply, 8);
949 
950 	/*
951 	 * Record some statistics.  Uses:
952 	 *   rxb = command.chain_offset - smb2_cmd_hdr;
953 	 *   txb = reply.chain_offset - smb2_reply_hdr;
954 	 * which at this point represent the current cmd/reply.
955 	 *
956 	 * Note: If async, this does txb only, and
957 	 * skips the smb_latency_add_sample() calls.
958 	 */
959 	smb2_record_stats(sr, sds, sr->smb2_async);
960 
961 	/*
962 	 * If there's a next command, figure out where it starts,
963 	 * and fill in the next header offset for the reply.
964 	 * Note: We sanity checked smb2_next_command above.
965 	 */
966 	if (sr->smb2_next_command != 0) {
967 		sr->command.chain_offset =
968 		    sr->smb2_cmd_hdr + sr->smb2_next_command;
969 		sr->smb2_next_reply =
970 		    sr->reply.chain_offset - sr->smb2_reply_hdr;
971 	} else {
972 		ASSERT(sr->smb2_next_reply == 0);
973 	}
974 
975 	/*
976 	 * Overwrite the (now final) SMB2 header for this response.
977 	 */
978 	(void) smb2_encode_header(sr, B_TRUE);
979 
980 	/*
981 	 * Cannot move this into smb2_session_setup() - encoded header required.
982 	 */
983 	if (session->dialect >= SMB_VERS_3_11 &&
984 	    sr->smb2_cmd_code == SMB2_SESSION_SETUP &&
985 	    sr->smb2_status == NT_STATUS_MORE_PROCESSING_REQUIRED) {
986 		if (smb31_preauth_sha512_calc(sr, &sr->reply,
987 		    sr->uid_user->u_preauth_hashval,
988 		    sr->uid_user->u_preauth_hashval) != 0)
989 			cmn_err(CE_WARN, "(3) Preauth hash calculation "
990 			    "failed");
991 	}
992 
993 	/* Don't sign if we're going to encrypt */
994 	if (sr->tform_ssn == NULL &&
995 	    (sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0)
996 		smb2_sign_reply(sr);
997 
998 	/*
999 	 * Non-async runs the whole compound before send.
1000 	 * When we've gone async, send each individually.
1001 	 */
1002 	if (!sr->smb2_async && sr->smb2_next_command != 0)
1003 		goto cmd_start;
1004 
1005 	/*
1006 	 * If we have a durable handle, and this operation updated
1007 	 * the nvlist, write it out (before smb2_send_reply).
1008 	 */
1009 	if (sr->dh_nvl_dirty) {
1010 		sr->dh_nvl_dirty = B_FALSE;
1011 		smb2_dh_update_nvfile(sr);
1012 	}
1013 
1014 	smb2_send_reply(sr);
1015 	if (sr->smb2_async && sr->smb2_next_command != 0) {
1016 		MBC_FLUSH(&sr->reply);	/* New reply buffer. */
1017 		ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes);
1018 		goto cmd_start;
1019 	}
1020 
1021 cleanup:
1022 	if (disconnect)
1023 		smb_session_disconnect(session);
1024 
1025 	/*
1026 	 * Do "postwork" for oplock (and maybe other things)
1027 	 */
1028 	if (sr->sr_postwork != NULL)
1029 		smb2sr_run_postwork(sr);
1030 
1031 	mutex_enter(&sr->sr_mutex);
1032 	sr->sr_state = SMB_REQ_STATE_COMPLETED;
1033 	mutex_exit(&sr->sr_mutex);
1034 
1035 	smb_request_free(sr);
1036 }
1037 
1038 /*
1039  * Build interim responses for the current and all following
1040  * requests in this compound, then send the compound response,
1041  * leaving the SR state so that smb2sr_work() can continue its
1042  * processing of this compound in "async mode".
1043  *
1044  * If we agree to "go async", this should return STATUS_SUCCESS.
1045  * Otherwise return STATUS_INSUFFICIENT_RESOURCES for this and
1046  * all requests following this request.  (See the comments re.
1047  * "sticky" smb2_status values in smb2sr_work).
1048  *
1049  * Note: the Async ID we assign here is arbitrary, and need only
1050  * be unique among pending async responses on this connection, so
1051  * this just uses a modified messageID, which is already unique.
1052  *
1053  * Credits:  All credit changes should happen via the interim
1054  * responses, so we have to manage credits here.  After this
1055  * returns to smb2sr_work, the final replies for all these
1056  * commands will have smb2_credit_response = smb2_credit_charge
1057  * (meaning no further changes to the clients' credits).
1058  */
1059 uint32_t
smb2sr_go_async(smb_request_t * sr)1060 smb2sr_go_async(smb_request_t *sr)
1061 {
1062 	smb_session_t *session;
1063 	smb_disp_stats_t *sds;
1064 	uint16_t cmd_idx;
1065 	int32_t saved_com_offset;
1066 	uint32_t saved_cmd_hdr;
1067 	uint16_t saved_cred_resp;
1068 	uint32_t saved_hdr_flags;
1069 	uint32_t saved_reply_hdr;
1070 	uint32_t msg_len;
1071 	boolean_t disconnect = B_FALSE;
1072 
1073 	if (sr->smb2_async) {
1074 		/* already went async in some previous cmd. */
1075 		return (NT_STATUS_SUCCESS);
1076 	}
1077 	sr->smb2_async = B_TRUE;
1078 
1079 	/* The "server" session always runs async. */
1080 	session = sr->session;
1081 	if (session->sock == NULL)
1082 		return (NT_STATUS_SUCCESS);
1083 
1084 	sds = NULL;
1085 	saved_com_offset = sr->command.chain_offset;
1086 	saved_cmd_hdr = sr->smb2_cmd_hdr;
1087 	saved_cred_resp = sr->smb2_credit_response;
1088 	saved_hdr_flags = sr->smb2_hdr_flags;
1089 	saved_reply_hdr = sr->smb2_reply_hdr;
1090 
1091 	/*
1092 	 * The command-specific handler should not yet have put any
1093 	 * data in the reply except for the (place holder) header.
1094 	 */
1095 	if (sr->reply.chain_offset != sr->smb2_reply_hdr + SMB2_HDR_SIZE) {
1096 		ASSERT3U(sr->reply.chain_offset, ==,
1097 		    sr->smb2_reply_hdr + SMB2_HDR_SIZE);
1098 		return (NT_STATUS_INTERNAL_ERROR);
1099 	}
1100 
1101 	/*
1102 	 * Rewind to the start of the current header in both the
1103 	 * command and reply bufers, so the loop below can just
1104 	 * decode/encode just in every pass.  This means the
1105 	 * current command header is decoded again, but that
1106 	 * avoids having to special-case the first loop pass.
1107 	 */
1108 	sr->command.chain_offset = sr->smb2_cmd_hdr;
1109 	sr->reply.chain_offset = sr->smb2_reply_hdr;
1110 
1111 	/*
1112 	 * This command processing loop is a simplified version of
1113 	 * smb2sr_work() that just puts an "interim response" for
1114 	 * every command in the compound (NT_STATUS_PENDING).
1115 	 */
1116 cmd_start:
1117 	sr->smb2_status = NT_STATUS_PENDING;
1118 
1119 	/*
1120 	 * Decode the request header
1121 	 */
1122 	sr->smb2_cmd_hdr = sr->command.chain_offset;
1123 	if ((smb2_decode_header(sr)) != 0) {
1124 		cmn_err(CE_WARN, "clnt %s bad SMB2 header",
1125 		    session->ip_addr_str);
1126 		disconnect = B_TRUE;
1127 		goto cleanup;
1128 	}
1129 	sr->smb2_hdr_flags |= (SMB2_FLAGS_SERVER_TO_REDIR |
1130 	    SMB2_FLAGS_ASYNC_COMMAND);
1131 	sr->smb2_async_id = SMB2_ASYNCID(sr);
1132 
1133 	/*
1134 	 * In case we bail out...
1135 	 */
1136 	if (sr->smb2_credit_charge == 0)
1137 		sr->smb2_credit_charge = 1;
1138 	sr->smb2_credit_response = sr->smb2_credit_charge;
1139 
1140 	/*
1141 	 * Write a tentative reply header.
1142 	 */
1143 	sr->smb2_next_reply = 0;
1144 	ASSERT((sr->reply.chain_offset & 7) == 0);
1145 	sr->smb2_reply_hdr = sr->reply.chain_offset;
1146 	if ((smb2_encode_header(sr, B_FALSE)) != 0) {
1147 		cmn_err(CE_WARN, "clnt %s excessive reply",
1148 		    session->ip_addr_str);
1149 		disconnect = B_TRUE;
1150 		goto cleanup;
1151 	}
1152 
1153 	/*
1154 	 * Figure out the length of data...
1155 	 */
1156 	if (sr->smb2_next_command != 0) {
1157 		/* [MS-SMB2] says this is 8-byte aligned */
1158 		msg_len = sr->smb2_next_command;
1159 		if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) ||
1160 		    ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) {
1161 			cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd",
1162 			    session->ip_addr_str);
1163 			disconnect = B_TRUE;
1164 			goto cleanup;
1165 		}
1166 	} else {
1167 		msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr;
1168 	}
1169 
1170 	/*
1171 	 * We just skip any data, so no shadow chain etc.
1172 	 */
1173 	sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len;
1174 	ASSERT(sr->command.chain_offset <= sr->command.max_bytes);
1175 
1176 	/*
1177 	 * Validate the commmand code...
1178 	 */
1179 	if (sr->smb2_cmd_code < SMB2_INVALID_CMD)
1180 		cmd_idx = sr->smb2_cmd_code;
1181 	else
1182 		cmd_idx = SMB2_INVALID_CMD;
1183 	sds = &session->s_server->sv_disp_stats2[cmd_idx];
1184 
1185 	/*
1186 	 * Don't change (user, tree, file) because we want them
1187 	 * exactly as they were when we entered.  That also means
1188 	 * we may not have the right user in sr->uid_user for
1189 	 * signature checks, so leave that until smb2sr_work
1190 	 * runs these commands "for real".  Therefore, here
1191 	 * we behave as if: (sr->uid_user == NULL)
1192 	 */
1193 	sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
1194 
1195 	/*
1196 	 * Credit adjustments (decrease)
1197 	 *
1198 	 * NOTE: interim responses are not signed.
1199 	 * Any attacker can modify the credit grant
1200 	 * in the response. Because of this property,
1201 	 * it is no worse to assume the credit charge and grant
1202 	 * are sane without verifying the signature,
1203 	 * and that saves us a whole lot of work.
1204 	 * If the credits WERE modified, we'll find out
1205 	 * when we verify the signature later,
1206 	 * which nullifies any changes caused here.
1207 	 *
1208 	 * Skip this on the first command, because the
1209 	 * credit decrease was done by the caller.
1210 	 */
1211 	if (sr->smb2_cmd_hdr != saved_cmd_hdr) {
1212 		if (sr->smb2_credit_request < sr->smb2_credit_charge) {
1213 			smb2_credit_decrease(sr);
1214 		}
1215 	}
1216 
1217 	/*
1218 	 * The real work: ... (would be here)
1219 	 */
1220 	smb2sr_put_error(sr, sr->smb2_status);
1221 
1222 	/*
1223 	 * Credit adjustments (increase)
1224 	 */
1225 	if (sr->smb2_credit_request > sr->smb2_credit_charge) {
1226 		smb2_credit_increase(sr);
1227 	}
1228 
1229 	/* cmd_done: label */
1230 
1231 	/*
1232 	 * Pad the reply to align(8) if there will be another.
1233 	 * This (interim) reply uses compounding.
1234 	 */
1235 	if (sr->smb2_next_command != 0)
1236 		(void) smb_mbc_put_align(&sr->reply, 8);
1237 
1238 	/*
1239 	 * Record some statistics.  Uses:
1240 	 *   rxb = command.chain_offset - smb2_cmd_hdr;
1241 	 *   txb = reply.chain_offset - smb2_reply_hdr;
1242 	 * which at this point represent the current cmd/reply.
1243 	 *
1244 	 * Note: We're doing smb_latency_add_sample() for all
1245 	 * remaining commands NOW, which means we won't include
1246 	 * the async part of their work in latency statistics.
1247 	 * That's intentional, as the async part of a command
1248 	 * would otherwise skew our latency statistics.
1249 	 */
1250 	smb2_record_stats(sr, sds, B_FALSE);
1251 
1252 	/*
1253 	 * If there's a next command, figure out where it starts,
1254 	 * and fill in the next header offset for the reply.
1255 	 * Note: We sanity checked smb2_next_command above.
1256 	 */
1257 	if (sr->smb2_next_command != 0) {
1258 		sr->command.chain_offset =
1259 		    sr->smb2_cmd_hdr + sr->smb2_next_command;
1260 		sr->smb2_next_reply =
1261 		    sr->reply.chain_offset - sr->smb2_reply_hdr;
1262 	} else {
1263 		ASSERT(sr->smb2_next_reply == 0);
1264 	}
1265 
1266 	/*
1267 	 * Overwrite the (now final) SMB2 header for this response.
1268 	 */
1269 	(void) smb2_encode_header(sr, B_TRUE);
1270 
1271 	/*
1272 	 * Process whole compound before sending.
1273 	 */
1274 	if (sr->smb2_next_command != 0)
1275 		goto cmd_start;
1276 	smb2_send_reply(sr);
1277 
1278 	ASSERT(!disconnect);
1279 
1280 cleanup:
1281 	/*
1282 	 * Restore caller's command processing state.
1283 	 */
1284 	sr->smb2_cmd_hdr = saved_cmd_hdr;
1285 	sr->command.chain_offset = saved_cmd_hdr;
1286 	(void) smb2_decode_header(sr);
1287 	sr->command.chain_offset = saved_com_offset;
1288 
1289 	sr->smb2_credit_response = saved_cred_resp;
1290 	sr->smb2_hdr_flags = saved_hdr_flags;
1291 	sr->smb2_status = NT_STATUS_SUCCESS;
1292 
1293 	/*
1294 	 * In here, the "disconnect" flag just means we had an
1295 	 * error decoding or encoding something.  Rather than
1296 	 * actually disconnect here, let's assume whatever
1297 	 * problem we encountered will be seen by the caller
1298 	 * as they continue processing the compound, and just
1299 	 * restore everything and return an error.
1300 	 */
1301 	if (disconnect) {
1302 		sr->smb2_async = B_FALSE;
1303 		sr->smb2_reply_hdr = saved_reply_hdr;
1304 		sr->reply.chain_offset = sr->smb2_reply_hdr;
1305 		(void) smb2_encode_header(sr, B_FALSE);
1306 		return (NT_STATUS_INVALID_PARAMETER);
1307 	}
1308 
1309 	/*
1310 	 * The compound reply buffer we sent is now gone.
1311 	 * Setup a new reply buffer for the caller.
1312 	 */
1313 	sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND;
1314 	sr->smb2_async_id = SMB2_ASYNCID(sr);
1315 	sr->smb2_next_reply = 0;
1316 	MBC_FLUSH(&sr->reply);
1317 	ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes);
1318 	ASSERT(sr->reply.chain_offset == 0);
1319 	sr->smb2_reply_hdr = 0;
1320 	(void) smb2_encode_header(sr, B_FALSE);
1321 
1322 	return (NT_STATUS_SUCCESS);
1323 }
1324 
1325 int
smb3_decode_tform_header(smb_request_t * sr)1326 smb3_decode_tform_header(smb_request_t *sr)
1327 {
1328 	uint16_t flags;
1329 	int rc;
1330 	uint32_t protocolid;
1331 
1332 	rc = smb_mbc_decodef(
1333 	    &sr->command, "l16c16cl..wq",
1334 	    &protocolid,	/*  l  */
1335 	    sr->smb2_sig,	/* 16c */
1336 	    sr->nonce,	/* 16c */
1337 	    &sr->msgsize,	/* l */
1338 	    /* reserved	  .. */
1339 	    &flags,		/* w */
1340 	    &sr->smb3_tform_ssnid); /* q */
1341 	if (rc)
1342 		return (rc);
1343 
1344 	ASSERT3U(protocolid, ==, SMB3_ENCRYPTED_MAGIC);
1345 
1346 	if (flags != 1) {
1347 #ifdef DEBUG
1348 		cmn_err(CE_NOTE, "flags field not 1: %x", flags);
1349 #endif
1350 		return (-1);
1351 	}
1352 
1353 	/*
1354 	 * MsgSize is the amount of data the client tell us to decrypt.
1355 	 * Make sure this value is not too big and not too small.
1356 	 */
1357 	if (sr->msgsize < SMB2_HDR_SIZE ||
1358 	    sr->msgsize > sr->session->cmd_max_bytes ||
1359 	    sr->msgsize > sr->command.max_bytes - SMB3_TFORM_HDR_SIZE)
1360 		return (-1);
1361 
1362 	return (rc);
1363 }
1364 
1365 int
smb3_encode_tform_header(smb_request_t * sr,struct mbuf_chain * mbc)1366 smb3_encode_tform_header(smb_request_t *sr, struct mbuf_chain *mbc)
1367 {
1368 	int rc;
1369 
1370 	/* Signature and Nonce are added in smb3_encrypt_sr */
1371 	rc = smb_mbc_encodef(
1372 	    mbc, "l32.lwwq",
1373 	    SMB3_ENCRYPTED_MAGIC, /* l */
1374 	    /* signature(16), nonce(16) 32. */
1375 	    sr->msgsize,	/* l */
1376 	    0, /* reserved	   w */
1377 	    1, /* flags		   w */
1378 	    sr->smb3_tform_ssnid); /* q */
1379 
1380 	return (rc);
1381 }
1382 
1383 int
smb2_decode_header(smb_request_t * sr)1384 smb2_decode_header(smb_request_t *sr)
1385 {
1386 	uint32_t pid, tid;
1387 	uint16_t hdr_len;
1388 	int rc;
1389 
1390 	rc = smb_mbc_decodef(
1391 	    &sr->command, "Nwww..wwllqllq16c",
1392 	    &hdr_len,			/* w */
1393 	    &sr->smb2_credit_charge,	/* w */
1394 	    &sr->smb2_chan_seq,		/* w */
1395 	    /* reserved			  .. */
1396 	    &sr->smb2_cmd_code,		/* w */
1397 	    &sr->smb2_credit_request,	/* w */
1398 	    &sr->smb2_hdr_flags,	/* l */
1399 	    &sr->smb2_next_command,	/* l */
1400 	    &sr->smb2_messageid,	/* q */
1401 	    &pid,			/* l */
1402 	    &tid,			/* l */
1403 	    &sr->smb2_ssnid,		/* q */
1404 	    sr->smb2_sig);		/* 16c */
1405 	if (rc)
1406 		return (rc);
1407 
1408 	if (hdr_len != SMB2_HDR_SIZE)
1409 		return (-1);
1410 
1411 	if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
1412 		sr->smb2_async_id = pid |
1413 		    ((uint64_t)tid) << 32;
1414 		sr->smb_pid = 0;
1415 		sr->smb_tid = 0;
1416 	} else {
1417 		sr->smb2_async_id = 0;
1418 		sr->smb_pid = pid;
1419 		sr->smb_tid = (uint16_t)tid; /* XXX wide TIDs */
1420 	}
1421 
1422 	return (rc);
1423 }
1424 
1425 int
smb2_encode_header(smb_request_t * sr,boolean_t overwrite)1426 smb2_encode_header(smb_request_t *sr, boolean_t overwrite)
1427 {
1428 	uint64_t pid_tid_aid; /* pid+tid, or async id */
1429 	int rc;
1430 
1431 	if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
1432 		pid_tid_aid = sr->smb2_async_id;
1433 	} else {
1434 		pid_tid_aid = sr->smb_pid |
1435 		    ((uint64_t)sr->smb_tid) << 32;
1436 	}
1437 
1438 	if (overwrite) {
1439 		rc = smb_mbc_poke(&sr->reply,
1440 		    sr->smb2_reply_hdr,
1441 		    "Nwwlwwllqqq16c",
1442 		    SMB2_HDR_SIZE,		/* w */
1443 		    sr->smb2_credit_charge,	/* w */
1444 		    sr->smb2_status,		/* l */
1445 		    sr->smb2_cmd_code,		/* w */
1446 		    sr->smb2_credit_response,	/* w */
1447 		    sr->smb2_hdr_flags,		/* l */
1448 		    sr->smb2_next_reply,	/* l */
1449 		    sr->smb2_messageid,		/* q */
1450 		    pid_tid_aid,		/* q */
1451 		    sr->smb2_ssnid,		/* q */
1452 		    sr->smb2_sig);		/* 16c */
1453 	} else {
1454 		rc = smb_mbc_encodef(&sr->reply,
1455 		    "Nwwlwwllqqq16c",
1456 		    SMB2_HDR_SIZE,		/* w */
1457 		    sr->smb2_credit_charge,	/* w */
1458 		    sr->smb2_status,		/* l */
1459 		    sr->smb2_cmd_code,		/* w */
1460 		    sr->smb2_credit_response,	/* w */
1461 		    sr->smb2_hdr_flags,		/* l */
1462 		    sr->smb2_next_reply,	/* l */
1463 		    sr->smb2_messageid,		/* q */
1464 		    pid_tid_aid,		/* q */
1465 		    sr->smb2_ssnid,		/* q */
1466 		    sr->smb2_sig);		/* 16c */
1467 	}
1468 
1469 	return (rc);
1470 }
1471 
1472 void
smb2_send_reply(smb_request_t * sr)1473 smb2_send_reply(smb_request_t *sr)
1474 {
1475 	struct mbuf_chain enc_reply;
1476 	smb_session_t *session = sr->session;
1477 	void *tmpbuf;
1478 	size_t buflen;
1479 	struct mbuf_chain tmp;
1480 
1481 	/*
1482 	 * [MS-SMB2] 3.3.4.1.4 Encrypting the Message
1483 	 *
1484 	 * When the connection supports encryption and the dialect
1485 	 * is 3.x, encrypt if:
1486 	 * - The request was encrypted OR
1487 	 * - The cmd is not SESSION_SETUP or NEGOTIATE AND
1488 	 * -- Session.EncryptData is TRUE OR
1489 	 * -- The cmd is not TREE_CONNECT AND
1490 	 * --- Tree.EncryptData is TRUE
1491 	 *
1492 	 * This boils down to sr->tform_ssn != NULL, and the rest
1493 	 * is enforced when tform_ssn is set.
1494 	 */
1495 
1496 	if ((session->capabilities & SMB2_CAP_ENCRYPTION) == 0 ||
1497 	    sr->tform_ssn == NULL) {
1498 		(void) smb_session_send(sr->session, 0, &sr->reply);
1499 		return;
1500 	}
1501 
1502 	sr->msgsize = sr->reply.chain_offset;
1503 	(void) MBC_SHADOW_CHAIN(&tmp, &sr->reply,
1504 	    0, sr->msgsize);
1505 
1506 	buflen = SMB3_TFORM_HDR_SIZE + sr->msgsize;
1507 
1508 	/* taken from smb_request_init_command_mbuf */
1509 	tmpbuf = kmem_alloc(buflen, KM_SLEEP);
1510 	MBC_ATTACH_BUF(&enc_reply, tmpbuf, buflen);
1511 	enc_reply.flags = 0;
1512 	enc_reply.shadow_of = NULL;
1513 
1514 	if (smb3_encode_tform_header(sr, &enc_reply) != 0) {
1515 		cmn_err(CE_WARN, "couldn't encode transform header");
1516 		goto errout;
1517 	}
1518 	if (smb3_encrypt_sr(sr, &tmp, &enc_reply) != 0) {
1519 		cmn_err(CE_WARN, "smb3 encryption failed");
1520 		goto errout;
1521 	}
1522 
1523 	(void) smb_session_send(sr->session, 0, &enc_reply);
1524 	kmem_free(tmpbuf, buflen);
1525 	return;
1526 
1527 errout:
1528 	kmem_free(tmpbuf, buflen);
1529 	smb_session_disconnect(sr->session);
1530 }
1531 
1532 /*
1533  * This wrapper function exists to help catch calls to smbsr_status()
1534  * (which is SMB1-specific) in common code.  See smbsr_status().
1535  * If the log message below is seen, put a dtrace probe on this
1536  * function with a stack() action to see who is calling the SMB1
1537  * "put error" from common code, and fix it.
1538  */
1539 void
smbsr_status_smb2(smb_request_t * sr,DWORD status)1540 smbsr_status_smb2(smb_request_t *sr, DWORD status)
1541 {
1542 	const char *name;
1543 
1544 	if (sr->smb2_cmd_code < SMB2__NCMDS)
1545 		name = smb2_disp_table[sr->smb2_cmd_code].sdt_name;
1546 	else
1547 		name = "<unknown>";
1548 #ifdef	DEBUG
1549 	cmn_err(CE_NOTE, "smbsr_status called for %s", name);
1550 #endif
1551 
1552 	smb2sr_put_error_data(sr, status, NULL);
1553 }
1554 
1555 void
smb2sr_put_errno(struct smb_request * sr,int errnum)1556 smb2sr_put_errno(struct smb_request *sr, int errnum)
1557 {
1558 	uint32_t status = smb_errno2status(errnum);
1559 	smb2sr_put_error_data(sr, status, NULL);
1560 }
1561 
1562 void
smb2sr_put_error(smb_request_t * sr,uint32_t status)1563 smb2sr_put_error(smb_request_t *sr, uint32_t status)
1564 {
1565 	smb2sr_put_error_data(sr, status, NULL);
1566 }
1567 
1568 /*
1569  * Build an SMB2 error response.  [MS-SMB2] 2.2.2
1570  */
1571 void
smb2sr_put_error_data(smb_request_t * sr,uint32_t status,mbuf_chain_t * mbc)1572 smb2sr_put_error_data(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc)
1573 {
1574 	DWORD len;
1575 
1576 	/*
1577 	 * The common dispatch code writes this when it
1578 	 * updates the SMB2 header before sending.
1579 	 */
1580 	sr->smb2_status = status;
1581 
1582 	/* Rewind to the end of the SMB header. */
1583 	sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE;
1584 
1585 	/*
1586 	 * NB: Must provide at least one byte of error data,
1587 	 * per [MS-SMB2] 2.2.2
1588 	 */
1589 	if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) {
1590 		(void) smb_mbc_encodef(
1591 		    &sr->reply,
1592 		    "wwlC",
1593 		    9,	/* StructSize */	/* w */
1594 		    0,	/* reserved */		/* w */
1595 		    len,			/* l */
1596 		    mbc);			/* C */
1597 	} else {
1598 		(void) smb_mbc_encodef(
1599 		    &sr->reply,
1600 		    "wwl.",
1601 		    9,	/* StructSize */	/* w */
1602 		    0,	/* reserved */		/* w */
1603 		    0);				/* l. */
1604 	}
1605 }
1606 
1607 /*
1608  * Build an SMB2 error context response (dialect 3.1.1).
1609  */
1610 void
smb2sr_put_error_ctx(smb_request_t * sr,uint32_t status,uint32_t errid,mbuf_chain_t * mbc)1611 smb2sr_put_error_ctx(smb_request_t *sr, uint32_t status, uint32_t errid,
1612     mbuf_chain_t *mbc)
1613 {
1614 	DWORD len;
1615 
1616 	/*
1617 	 * The common dispatch code writes this when it
1618 	 * updates the SMB2 header before sending.
1619 	 */
1620 	sr->smb2_status = status;
1621 
1622 	/* Rewind to the end of the SMB header. */
1623 	sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE;
1624 
1625 	/*
1626 	 *  Error Context is 8-byte header plus encaps. data (ErrorContextData),
1627 	 *  which can be zero-length.
1628 	 */
1629 	if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) {
1630 		(void) smb_mbc_encodef(
1631 		    &sr->reply,
1632 		    "wbblllC",
1633 		    9,		/* StructSize */	/* w */
1634 		    1,		/* ErrorContextCount */	/* b */
1635 		    0,		/* reserved */		/* b */
1636 		    8+len,	/* ByteCount */		/* l */
1637 		    len,	/* ErrorDataLength */	/* l */
1638 		    errid,	/* ErrorId */		/* l */
1639 		    mbc);				/* C */
1640 	} else {
1641 		(void) smb_mbc_encodef(
1642 		    &sr->reply,
1643 		    "wbblll",
1644 		    9,		/* StructSize */	/* w */
1645 		    1,		/* ErrorContextCount */	/* b */
1646 		    0,		/* reserved */		/* b */
1647 		    8,		/* ByteCount */		/* l */
1648 		    0,		/* ErrorDataLength */	/* l */
1649 		    errid);	/* ErrorId */		/* l */
1650 	}
1651 }
1652 
1653 /*
1654  * Build an SMB2 error context response with SMB2_ERROR_ID_DEFAULT ErrorId.
1655  *
1656  * This only handles the case we currently need, encapsulating a
1657  * single error data section inside an SMB2_ERROR_ID_DEFAULT
1658  * error context type (which is type zero, and that's what
1659  * the zero on the end of this function name refers to).
1660  */
1661 void
smb2sr_put_error_ctx0(smb_request_t * sr,uint32_t status,mbuf_chain_t * mbc)1662 smb2sr_put_error_ctx0(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc)
1663 {
1664 	return (smb2sr_put_error_ctx(sr, status, SMB2_ERROR_ID_DEFAULT, mbc));
1665 }
1666 
1667 /*
1668  * smb2sr_lookup_fid
1669  *
1670  * Setup sr->fid_ofile, either inherited from a related command,
1671  * or obtained via FID lookup.  Similar inheritance logic as in
1672  * smb2sr_work.
1673  */
1674 uint32_t
smb2sr_lookup_fid(smb_request_t * sr,smb2fid_t * fid)1675 smb2sr_lookup_fid(smb_request_t *sr, smb2fid_t *fid)
1676 {
1677 	boolean_t related = sr->smb2_hdr_flags &
1678 	    SMB2_FLAGS_RELATED_OPERATIONS;
1679 
1680 	if (related) {
1681 		if (sr->fid_ofile == NULL)
1682 			return (NT_STATUS_INVALID_PARAMETER);
1683 		sr->smb_fid = sr->fid_ofile->f_fid;
1684 		return (0);
1685 	}
1686 
1687 	/*
1688 	 * If we could be sure this is called only once per cmd,
1689 	 * we could simply ASSERT(sr->fid_ofile == NULL) here.
1690 	 * However, there are cases where it can be called again
1691 	 * handling the same command, so let's tolerate that.
1692 	 */
1693 	if (sr->fid_ofile == NULL) {
1694 		sr->smb_fid = (uint16_t)fid->temporal;
1695 		sr->fid_ofile = smb_ofile_lookup_by_fid(sr, sr->smb_fid);
1696 	}
1697 	if (sr->fid_ofile == NULL ||
1698 	    sr->fid_ofile->f_persistid != fid->persistent)
1699 		return (NT_STATUS_FILE_CLOSED);
1700 
1701 	return (0);
1702 }
1703 
1704 /*
1705  * smb2_dispatch_stats_init
1706  *
1707  * Initializes dispatch statistics for SMB2.
1708  * See also smb_dispatch_stats_init(), which fills in
1709  * the lower part of the statistics array, from zero
1710  * through SMB_COM_NUM;
1711  */
1712 void
smb2_dispatch_stats_init(smb_server_t * sv)1713 smb2_dispatch_stats_init(smb_server_t *sv)
1714 {
1715 	smb_disp_stats_t *sds = sv->sv_disp_stats2;
1716 	smb_kstat_req_t *ksr;
1717 	int		i;
1718 
1719 	ksr = ((smbsrv_kstats_t *)sv->sv_ksp->ks_data)->ks_reqs2;
1720 
1721 	for (i = 0; i < SMB2__NCMDS; i++, ksr++) {
1722 		smb_latency_init(&sds[i].sdt_lat);
1723 		(void) strlcpy(ksr->kr_name, smb2_disp_table[i].sdt_name,
1724 		    sizeof (ksr->kr_name));
1725 	}
1726 }
1727 
1728 /*
1729  * smb2_dispatch_stats_fini
1730  *
1731  * Frees and destroyes the resources used for statistics.
1732  */
1733 void
smb2_dispatch_stats_fini(smb_server_t * sv)1734 smb2_dispatch_stats_fini(smb_server_t *sv)
1735 {
1736 	smb_disp_stats_t *sds = sv->sv_disp_stats2;
1737 	int	i;
1738 
1739 	for (i = 0; i < SMB2__NCMDS; i++)
1740 		smb_latency_destroy(&sds[i].sdt_lat);
1741 }
1742 
1743 void
smb2_dispatch_stats_update(smb_server_t * sv,smb_kstat_req_t * ksr,int first,int nreq)1744 smb2_dispatch_stats_update(smb_server_t *sv,
1745     smb_kstat_req_t *ksr, int first, int nreq)
1746 {
1747 	smb_disp_stats_t *sds = sv->sv_disp_stats2;
1748 	int	i;
1749 	int	last;
1750 
1751 	last = first + nreq - 1;
1752 
1753 	if ((first < SMB2__NCMDS) && (last < SMB2__NCMDS))  {
1754 		for (i = first; i <= last; i++, ksr++) {
1755 			ksr->kr_rxb = sds[i].sdt_rxb;
1756 			ksr->kr_txb = sds[i].sdt_txb;
1757 			mutex_enter(&sds[i].sdt_lat.ly_mutex);
1758 			ksr->kr_nreq = sds[i].sdt_lat.ly_a_nreq;
1759 			ksr->kr_sum = sds[i].sdt_lat.ly_a_sum;
1760 			ksr->kr_a_mean = sds[i].sdt_lat.ly_a_mean;
1761 			ksr->kr_a_stddev =
1762 			    sds[i].sdt_lat.ly_a_stddev;
1763 			ksr->kr_d_mean = sds[i].sdt_lat.ly_d_mean;
1764 			ksr->kr_d_stddev =
1765 			    sds[i].sdt_lat.ly_d_stddev;
1766 			sds[i].sdt_lat.ly_d_mean = 0;
1767 			sds[i].sdt_lat.ly_d_nreq = 0;
1768 			sds[i].sdt_lat.ly_d_stddev = 0;
1769 			sds[i].sdt_lat.ly_d_sum = 0;
1770 			mutex_exit(&sds[i].sdt_lat.ly_mutex);
1771 		}
1772 	}
1773 }
1774 
1775 /*
1776  * Append new_sr to the postwork queue.  sr->smb2_cmd_code encodes
1777  * the action that should be run by this sr.
1778  *
1779  * This queue is rarely used (and normally empty) so we're OK
1780  * using a simple "walk to tail and insert" here.
1781  */
1782 void
smb2sr_append_postwork(smb_request_t * top_sr,smb_request_t * new_sr)1783 smb2sr_append_postwork(smb_request_t *top_sr, smb_request_t *new_sr)
1784 {
1785 	smb_request_t *last_sr;
1786 
1787 	ASSERT(top_sr->session->dialect >= SMB_VERS_2_BASE);
1788 
1789 	last_sr = top_sr;
1790 	while (last_sr->sr_postwork != NULL)
1791 		last_sr = last_sr->sr_postwork;
1792 
1793 	last_sr->sr_postwork = new_sr;
1794 }
1795 
1796 /*
1797  * Run any "post work" that was appended to the main SR while it
1798  * was running.  This is called after the request has been sent
1799  * for the main SR, and used in cases i.e. the oplock code, where
1800  * we need to send something to the client only _after_ the main
1801  * sr request has gone out.
1802  */
1803 static void
smb2sr_run_postwork(smb_request_t * top_sr)1804 smb2sr_run_postwork(smb_request_t *top_sr)
1805 {
1806 	smb_request_t *post_sr;	/* the one we're running */
1807 	smb_request_t *next_sr;
1808 
1809 	while ((post_sr = top_sr->sr_postwork) != NULL) {
1810 		next_sr = post_sr->sr_postwork;
1811 		top_sr->sr_postwork = next_sr;
1812 		post_sr->sr_postwork = NULL;
1813 
1814 		post_sr->sr_worker = top_sr->sr_worker;
1815 		post_sr->sr_state = SMB_REQ_STATE_ACTIVE;
1816 
1817 		switch (post_sr->smb2_cmd_code) {
1818 		case SMB2_OPLOCK_BREAK:
1819 			smb_oplock_send_brk(post_sr);
1820 			break;
1821 		default:
1822 			ASSERT(0);
1823 		}
1824 
1825 		/*
1826 		 * If we have a durable handle, and this operation
1827 		 * updated the nvlist, write it out.
1828 		 */
1829 		if (post_sr->dh_nvl_dirty) {
1830 			post_sr->dh_nvl_dirty = B_FALSE;
1831 			smb2_dh_update_nvfile(post_sr);
1832 		}
1833 
1834 		post_sr->sr_state = SMB_REQ_STATE_COMPLETED;
1835 		smb_request_free(post_sr);
1836 	}
1837 }
1838