xref: /freebsd/sys/rpc/clnt_vc.c (revision a90b9d0159070121c221b966469c3e36d912bf82)
1 /*	$NetBSD: clnt_vc.c,v 1.4 2000/07/14 08:40:42 fvdl Exp $	*/
2 
3 /*-
4  * SPDX-License-Identifier: BSD-3-Clause
5  *
6  * Copyright (c) 2009, Sun Microsystems, Inc.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions are met:
11  * - Redistributions of source code must retain the above copyright notice,
12  *   this list of conditions and the following disclaimer.
13  * - Redistributions in binary form must reproduce the above copyright notice,
14  *   this list of conditions and the following disclaimer in the documentation
15  *   and/or other materials provided with the distribution.
16  * - Neither the name of Sun Microsystems, Inc. nor the names of its
17  *   contributors may be used to endorse or promote products derived
18  *   from this software without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
24  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30  * POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include <sys/cdefs.h>
34 /*
35  * clnt_tcp.c, Implements a TCP/IP based, client side RPC.
36  *
37  * Copyright (C) 1984, Sun Microsystems, Inc.
38  *
39  * TCP based RPC supports 'batched calls'.
40  * A sequence of calls may be batched-up in a send buffer.  The rpc call
41  * return immediately to the client even though the call was not necessarily
42  * sent.  The batching occurs if the results' xdr routine is NULL (0) AND
43  * the rpc timeout value is zero (see clnt.h, rpc).
44  *
45  * Clients should NOT casually batch calls that in fact return results; that is,
46  * the server side should be aware that a call is batched and not produce any
47  * return message.  Batched calls that produce many result messages can
48  * deadlock (netlock) the client and the server....
49  *
50  * Now go hang yourself.
51  */
52 
53 #include "opt_kern_tls.h"
54 
55 #include <sys/param.h>
56 #include <sys/systm.h>
57 #include <sys/kernel.h>
58 #include <sys/kthread.h>
59 #include <sys/ktls.h>
60 #include <sys/lock.h>
61 #include <sys/malloc.h>
62 #include <sys/mbuf.h>
63 #include <sys/mutex.h>
64 #include <sys/pcpu.h>
65 #include <sys/proc.h>
66 #include <sys/protosw.h>
67 #include <sys/socket.h>
68 #include <sys/socketvar.h>
69 #include <sys/sx.h>
70 #include <sys/syslog.h>
71 #include <sys/time.h>
72 #include <sys/uio.h>
73 
74 #include <net/vnet.h>
75 
76 #include <netinet/tcp.h>
77 
78 #include <rpc/rpc.h>
79 #include <rpc/rpc_com.h>
80 #include <rpc/krpc.h>
81 #include <rpc/rpcsec_tls.h>
82 
83 struct cmessage {
84         struct cmsghdr cmsg;
85         struct cmsgcred cmcred;
86 };
87 
88 static enum clnt_stat clnt_vc_call(CLIENT *, struct rpc_callextra *,
89     rpcproc_t, struct mbuf *, struct mbuf **, struct timeval);
90 static void clnt_vc_geterr(CLIENT *, struct rpc_err *);
91 static bool_t clnt_vc_freeres(CLIENT *, xdrproc_t, void *);
92 static void clnt_vc_abort(CLIENT *);
93 static bool_t clnt_vc_control(CLIENT *, u_int, void *);
94 static void clnt_vc_close(CLIENT *);
95 static void clnt_vc_destroy(CLIENT *);
96 static bool_t time_not_ok(struct timeval *);
97 static int clnt_vc_soupcall(struct socket *so, void *arg, int waitflag);
98 static void clnt_vc_dotlsupcall(void *data);
99 
100 static const struct clnt_ops clnt_vc_ops = {
101 	.cl_call =	clnt_vc_call,
102 	.cl_abort =	clnt_vc_abort,
103 	.cl_geterr =	clnt_vc_geterr,
104 	.cl_freeres =	clnt_vc_freeres,
105 	.cl_close =	clnt_vc_close,
106 	.cl_destroy =	clnt_vc_destroy,
107 	.cl_control =	clnt_vc_control
108 };
109 
110 static void clnt_vc_upcallsdone(struct ct_data *);
111 
112 /*
113  * Create a client handle for a connection.
114  * Default options are set, which the user can change using clnt_control()'s.
115  * The rpc/vc package does buffering similar to stdio, so the client
116  * must pick send and receive buffer sizes, 0 => use the default.
117  * NB: fd is copied into a private area.
118  * NB: The rpch->cl_auth is set null authentication. Caller may wish to
119  * set this something more useful.
120  *
121  * fd should be an open socket
122  */
123 CLIENT *
124 clnt_vc_create(
125 	struct socket *so,		/* open file descriptor */
126 	struct sockaddr *raddr,		/* servers address */
127 	const rpcprog_t prog,		/* program number */
128 	const rpcvers_t vers,		/* version number */
129 	size_t sendsz,			/* buffer recv size */
130 	size_t recvsz,			/* buffer send size */
131 	int intrflag)			/* interruptible */
132 {
133 	CLIENT *cl;			/* client handle */
134 	struct ct_data *ct = NULL;	/* client handle */
135 	struct timeval now;
136 	struct rpc_msg call_msg;
137 	static uint32_t disrupt;
138 	struct __rpc_sockinfo si;
139 	XDR xdrs;
140 	int error, interrupted, one = 1, sleep_flag;
141 	struct sockopt sopt;
142 
143 	if (disrupt == 0)
144 		disrupt = (uint32_t)(long)raddr;
145 
146 	cl = (CLIENT *)mem_alloc(sizeof (*cl));
147 	ct = (struct ct_data *)mem_alloc(sizeof (*ct));
148 
149 	mtx_init(&ct->ct_lock, "ct->ct_lock", NULL, MTX_DEF);
150 	ct->ct_threads = 0;
151 	ct->ct_closing = FALSE;
152 	ct->ct_closed = FALSE;
153 	ct->ct_upcallrefs = 0;
154 	ct->ct_rcvstate = RPCRCVSTATE_NORMAL;
155 
156 	if ((so->so_state & SS_ISCONNECTED) == 0) {
157 		error = soconnect(so, raddr, curthread);
158 		SOCK_LOCK(so);
159 		interrupted = 0;
160 		sleep_flag = PSOCK;
161 		if (intrflag != 0)
162 			sleep_flag |= PCATCH;
163 		while ((so->so_state & SS_ISCONNECTING)
164 		    && so->so_error == 0) {
165 			error = msleep(&so->so_timeo, SOCK_MTX(so),
166 			    sleep_flag, "connec", 0);
167 			if (error) {
168 				if (error == EINTR || error == ERESTART)
169 					interrupted = 1;
170 				break;
171 			}
172 		}
173 		if (error == 0) {
174 			error = so->so_error;
175 			so->so_error = 0;
176 		}
177 		SOCK_UNLOCK(so);
178 		if (error) {
179 			if (!interrupted)
180 				so->so_state &= ~SS_ISCONNECTING;
181 			rpc_createerr.cf_stat = RPC_SYSTEMERROR;
182 			rpc_createerr.cf_error.re_errno = error;
183 			goto err;
184 		}
185 	}
186 
187 	if (!__rpc_socket2sockinfo(so, &si)) {
188 		goto err;
189 	}
190 
191 	if (so->so_proto->pr_flags & PR_CONNREQUIRED) {
192 		bzero(&sopt, sizeof(sopt));
193 		sopt.sopt_dir = SOPT_SET;
194 		sopt.sopt_level = SOL_SOCKET;
195 		sopt.sopt_name = SO_KEEPALIVE;
196 		sopt.sopt_val = &one;
197 		sopt.sopt_valsize = sizeof(one);
198 		sosetopt(so, &sopt);
199 	}
200 
201 	if (so->so_proto->pr_protocol == IPPROTO_TCP) {
202 		bzero(&sopt, sizeof(sopt));
203 		sopt.sopt_dir = SOPT_SET;
204 		sopt.sopt_level = IPPROTO_TCP;
205 		sopt.sopt_name = TCP_NODELAY;
206 		sopt.sopt_val = &one;
207 		sopt.sopt_valsize = sizeof(one);
208 		sosetopt(so, &sopt);
209 	}
210 
211 	ct->ct_closeit = FALSE;
212 
213 	/*
214 	 * Set up private data struct
215 	 */
216 	ct->ct_socket = so;
217 	ct->ct_wait.tv_sec = -1;
218 	ct->ct_wait.tv_usec = -1;
219 	memcpy(&ct->ct_addr, raddr, raddr->sa_len);
220 
221 	/*
222 	 * Initialize call message
223 	 */
224 	getmicrotime(&now);
225 	ct->ct_xid = ((uint32_t)++disrupt) ^ __RPC_GETXID(&now);
226 	call_msg.rm_xid = ct->ct_xid;
227 	call_msg.rm_direction = CALL;
228 	call_msg.rm_call.cb_rpcvers = RPC_MSG_VERSION;
229 	call_msg.rm_call.cb_prog = (uint32_t)prog;
230 	call_msg.rm_call.cb_vers = (uint32_t)vers;
231 
232 	/*
233 	 * pre-serialize the static part of the call msg and stash it away
234 	 */
235 	xdrmem_create(&xdrs, ct->ct_mcallc, MCALL_MSG_SIZE,
236 	    XDR_ENCODE);
237 	if (! xdr_callhdr(&xdrs, &call_msg)) {
238 		if (ct->ct_closeit) {
239 			soclose(ct->ct_socket);
240 		}
241 		goto err;
242 	}
243 	ct->ct_mpos = XDR_GETPOS(&xdrs);
244 	XDR_DESTROY(&xdrs);
245 	ct->ct_waitchan = "rpcrecv";
246 	ct->ct_waitflag = 0;
247 
248 	/*
249 	 * Create a client handle which uses xdrrec for serialization
250 	 * and authnone for authentication.
251 	 */
252 	sendsz = __rpc_get_t_size(si.si_af, si.si_proto, (int)sendsz);
253 	recvsz = __rpc_get_t_size(si.si_af, si.si_proto, (int)recvsz);
254 	error = soreserve(ct->ct_socket, sendsz, recvsz);
255 	if (error != 0) {
256 		if (ct->ct_closeit) {
257 			soclose(ct->ct_socket);
258 		}
259 		goto err;
260 	}
261 	cl->cl_refs = 1;
262 	cl->cl_ops = &clnt_vc_ops;
263 	cl->cl_private = ct;
264 	cl->cl_auth = authnone_create();
265 
266 	SOCK_RECVBUF_LOCK(ct->ct_socket);
267 	soupcall_set(ct->ct_socket, SO_RCV, clnt_vc_soupcall, ct);
268 	SOCK_RECVBUF_UNLOCK(ct->ct_socket);
269 
270 	ct->ct_raw = NULL;
271 	ct->ct_record = NULL;
272 	ct->ct_record_resid = 0;
273 	ct->ct_sslrefno = 0;
274 	TAILQ_INIT(&ct->ct_pending);
275 	return (cl);
276 
277 err:
278 	mtx_destroy(&ct->ct_lock);
279 	mem_free(ct, sizeof (struct ct_data));
280 	mem_free(cl, sizeof (CLIENT));
281 
282 	return ((CLIENT *)NULL);
283 }
284 
285 static enum clnt_stat
286 clnt_vc_call(
287 	CLIENT		*cl,		/* client handle */
288 	struct rpc_callextra *ext,	/* call metadata */
289 	rpcproc_t	proc,		/* procedure number */
290 	struct mbuf	*args,		/* pointer to args */
291 	struct mbuf	**resultsp,	/* pointer to results */
292 	struct timeval	utimeout)
293 {
294 	struct ct_data *ct = (struct ct_data *) cl->cl_private;
295 	AUTH *auth;
296 	struct rpc_err *errp;
297 	enum clnt_stat stat;
298 	XDR xdrs;
299 	struct rpc_msg reply_msg;
300 	bool_t ok;
301 	int nrefreshes = 2;		/* number of times to refresh cred */
302 	struct timeval timeout;
303 	uint32_t xid;
304 	struct mbuf *mreq = NULL, *results;
305 	struct ct_request *cr;
306 	int error, maxextsiz, trycnt;
307 #ifdef KERN_TLS
308 	u_int maxlen;
309 #endif
310 
311 	cr = malloc(sizeof(struct ct_request), M_RPC, M_WAITOK);
312 
313 	mtx_lock(&ct->ct_lock);
314 
315 	if (ct->ct_closing || ct->ct_closed) {
316 		mtx_unlock(&ct->ct_lock);
317 		free(cr, M_RPC);
318 		return (RPC_CANTSEND);
319 	}
320 	ct->ct_threads++;
321 
322 	if (ext) {
323 		auth = ext->rc_auth;
324 		errp = &ext->rc_err;
325 	} else {
326 		auth = cl->cl_auth;
327 		errp = &ct->ct_error;
328 	}
329 
330 	cr->cr_mrep = NULL;
331 	cr->cr_error = 0;
332 
333 	if (ct->ct_wait.tv_usec == -1) {
334 		timeout = utimeout;	/* use supplied timeout */
335 	} else {
336 		timeout = ct->ct_wait;	/* use default timeout */
337 	}
338 
339 	/*
340 	 * After 15sec of looping, allow it to return RPC_CANTSEND, which will
341 	 * cause the clnt_reconnect layer to create a new TCP connection.
342 	 */
343 	trycnt = 15 * hz;
344 call_again:
345 	mtx_assert(&ct->ct_lock, MA_OWNED);
346 	if (ct->ct_closing || ct->ct_closed) {
347 		ct->ct_threads--;
348 		wakeup(ct);
349 		mtx_unlock(&ct->ct_lock);
350 		free(cr, M_RPC);
351 		return (RPC_CANTSEND);
352 	}
353 
354 	ct->ct_xid++;
355 	xid = ct->ct_xid;
356 
357 	mtx_unlock(&ct->ct_lock);
358 
359 	/*
360 	 * Leave space to pre-pend the record mark.
361 	 */
362 	mreq = m_gethdr(M_WAITOK, MT_DATA);
363 	mreq->m_data += sizeof(uint32_t);
364 	KASSERT(ct->ct_mpos + sizeof(uint32_t) <= MHLEN,
365 	    ("RPC header too big"));
366 	bcopy(ct->ct_mcallc, mreq->m_data, ct->ct_mpos);
367 	mreq->m_len = ct->ct_mpos;
368 
369 	/*
370 	 * The XID is the first thing in the request.
371 	 */
372 	*mtod(mreq, uint32_t *) = htonl(xid);
373 
374 	xdrmbuf_create(&xdrs, mreq, XDR_ENCODE);
375 
376 	errp->re_status = stat = RPC_SUCCESS;
377 
378 	if ((! XDR_PUTINT32(&xdrs, &proc)) ||
379 	    (! AUTH_MARSHALL(auth, xid, &xdrs,
380 		m_copym(args, 0, M_COPYALL, M_WAITOK)))) {
381 		errp->re_status = stat = RPC_CANTENCODEARGS;
382 		mtx_lock(&ct->ct_lock);
383 		goto out;
384 	}
385 	mreq->m_pkthdr.len = m_length(mreq, NULL);
386 
387 	/*
388 	 * Prepend a record marker containing the packet length.
389 	 */
390 	M_PREPEND(mreq, sizeof(uint32_t), M_WAITOK);
391 	*mtod(mreq, uint32_t *) =
392 		htonl(0x80000000 | (mreq->m_pkthdr.len - sizeof(uint32_t)));
393 
394 	cr->cr_xid = xid;
395 	mtx_lock(&ct->ct_lock);
396 	/*
397 	 * Check to see if the other end has already started to close down
398 	 * the connection. The upcall will have set ct_error.re_status
399 	 * to RPC_CANTRECV if this is the case.
400 	 * If the other end starts to close down the connection after this
401 	 * point, it will be detected later when cr_error is checked,
402 	 * since the request is in the ct_pending queue.
403 	 */
404 	if (ct->ct_error.re_status == RPC_CANTRECV) {
405 		if (errp != &ct->ct_error) {
406 			errp->re_errno = ct->ct_error.re_errno;
407 			errp->re_status = RPC_CANTRECV;
408 		}
409 		stat = RPC_CANTRECV;
410 		goto out;
411 	}
412 
413 	/* For TLS, wait for an upcall to be done, as required. */
414 	while ((ct->ct_rcvstate & (RPCRCVSTATE_NORMAL |
415 	    RPCRCVSTATE_NONAPPDATA)) == 0)
416 		msleep(&ct->ct_rcvstate, &ct->ct_lock, 0, "rpcrcvst", hz);
417 
418 	TAILQ_INSERT_TAIL(&ct->ct_pending, cr, cr_link);
419 	mtx_unlock(&ct->ct_lock);
420 
421 	if (ct->ct_sslrefno != 0) {
422 		/*
423 		 * Copy the mbuf chain to a chain of ext_pgs mbuf(s)
424 		 * as required by KERN_TLS.
425 		 */
426 		maxextsiz = TLS_MAX_MSG_SIZE_V10_2;
427 #ifdef KERN_TLS
428 		if (rpctls_getinfo(&maxlen, false, false))
429 			maxextsiz = min(maxextsiz, maxlen);
430 #endif
431 		mreq = _rpc_copym_into_ext_pgs(mreq, maxextsiz);
432 	}
433 	/*
434 	 * sosend consumes mreq.
435 	 */
436 	error = sosend(ct->ct_socket, NULL, NULL, mreq, NULL, 0, curthread);
437 	mreq = NULL;
438 	if (error == EMSGSIZE || (error == ERESTART &&
439 	    (ct->ct_waitflag & PCATCH) == 0 && trycnt-- > 0)) {
440 		SOCK_SENDBUF_LOCK(ct->ct_socket);
441 		sbwait(ct->ct_socket, SO_SND);
442 		SOCK_SENDBUF_UNLOCK(ct->ct_socket);
443 		AUTH_VALIDATE(auth, xid, NULL, NULL);
444 		mtx_lock(&ct->ct_lock);
445 		TAILQ_REMOVE(&ct->ct_pending, cr, cr_link);
446 		/* Sleep for 1 clock tick before trying the sosend() again. */
447 		mtx_unlock(&ct->ct_lock);
448 		pause("rpclpsnd", 1);
449 		mtx_lock(&ct->ct_lock);
450 		goto call_again;
451 	}
452 
453 	reply_msg.acpted_rply.ar_verf.oa_flavor = AUTH_NULL;
454 	reply_msg.acpted_rply.ar_verf.oa_base = cr->cr_verf;
455 	reply_msg.acpted_rply.ar_verf.oa_length = 0;
456 	reply_msg.acpted_rply.ar_results.where = NULL;
457 	reply_msg.acpted_rply.ar_results.proc = (xdrproc_t)xdr_void;
458 
459 	mtx_lock(&ct->ct_lock);
460 	if (error) {
461 		TAILQ_REMOVE(&ct->ct_pending, cr, cr_link);
462 		errp->re_errno = error;
463 		errp->re_status = stat = RPC_CANTSEND;
464 		goto out;
465 	}
466 
467 	/*
468 	 * Check to see if we got an upcall while waiting for the
469 	 * lock. In both these cases, the request has been removed
470 	 * from ct->ct_pending.
471 	 */
472 	if (cr->cr_error) {
473 		TAILQ_REMOVE(&ct->ct_pending, cr, cr_link);
474 		errp->re_errno = cr->cr_error;
475 		errp->re_status = stat = RPC_CANTRECV;
476 		goto out;
477 	}
478 	if (cr->cr_mrep) {
479 		TAILQ_REMOVE(&ct->ct_pending, cr, cr_link);
480 		goto got_reply;
481 	}
482 
483 	/*
484 	 * Hack to provide rpc-based message passing
485 	 */
486 	if (timeout.tv_sec == 0 && timeout.tv_usec == 0) {
487 		TAILQ_REMOVE(&ct->ct_pending, cr, cr_link);
488 		errp->re_status = stat = RPC_TIMEDOUT;
489 		goto out;
490 	}
491 
492 	error = msleep(cr, &ct->ct_lock, ct->ct_waitflag, ct->ct_waitchan,
493 	    tvtohz(&timeout));
494 
495 	TAILQ_REMOVE(&ct->ct_pending, cr, cr_link);
496 
497 	if (error) {
498 		/*
499 		 * The sleep returned an error so our request is still
500 		 * on the list. Turn the error code into an
501 		 * appropriate client status.
502 		 */
503 		errp->re_errno = error;
504 		switch (error) {
505 		case EINTR:
506 			stat = RPC_INTR;
507 			break;
508 		case EWOULDBLOCK:
509 			stat = RPC_TIMEDOUT;
510 			break;
511 		default:
512 			stat = RPC_CANTRECV;
513 		}
514 		errp->re_status = stat;
515 		goto out;
516 	} else {
517 		/*
518 		 * We were woken up by the upcall.  If the
519 		 * upcall had a receive error, report that,
520 		 * otherwise we have a reply.
521 		 */
522 		if (cr->cr_error) {
523 			errp->re_errno = cr->cr_error;
524 			errp->re_status = stat = RPC_CANTRECV;
525 			goto out;
526 		}
527 	}
528 
529 got_reply:
530 	/*
531 	 * Now decode and validate the response. We need to drop the
532 	 * lock since xdr_replymsg may end up sleeping in malloc.
533 	 */
534 	mtx_unlock(&ct->ct_lock);
535 
536 	if (ext && ext->rc_feedback)
537 		ext->rc_feedback(FEEDBACK_OK, proc, ext->rc_feedback_arg);
538 
539 	xdrmbuf_create(&xdrs, cr->cr_mrep, XDR_DECODE);
540 	ok = xdr_replymsg(&xdrs, &reply_msg);
541 	cr->cr_mrep = NULL;
542 
543 	if (ok) {
544 		if ((reply_msg.rm_reply.rp_stat == MSG_ACCEPTED) &&
545 		    (reply_msg.acpted_rply.ar_stat == SUCCESS))
546 			errp->re_status = stat = RPC_SUCCESS;
547 		else
548 			stat = _seterr_reply(&reply_msg, errp);
549 
550 		if (stat == RPC_SUCCESS) {
551 			results = xdrmbuf_getall(&xdrs);
552 			if (!AUTH_VALIDATE(auth, xid,
553 				&reply_msg.acpted_rply.ar_verf,
554 				&results)) {
555 				errp->re_status = stat = RPC_AUTHERROR;
556 				errp->re_why = AUTH_INVALIDRESP;
557 			} else {
558 				KASSERT(results,
559 				    ("auth validated but no result"));
560 				*resultsp = results;
561 			}
562 		}		/* end successful completion */
563 		/*
564 		 * If unsuccessful AND error is an authentication error
565 		 * then refresh credentials and try again, else break
566 		 */
567 		else if (stat == RPC_AUTHERROR)
568 			/* maybe our credentials need to be refreshed ... */
569 			if (nrefreshes > 0 &&
570 			    AUTH_REFRESH(auth, &reply_msg)) {
571 				nrefreshes--;
572 				XDR_DESTROY(&xdrs);
573 				mtx_lock(&ct->ct_lock);
574 				goto call_again;
575 			}
576 		/* end of unsuccessful completion */
577 	}	/* end of valid reply message */
578 	else {
579 		errp->re_status = stat = RPC_CANTDECODERES;
580 	}
581 	XDR_DESTROY(&xdrs);
582 	mtx_lock(&ct->ct_lock);
583 out:
584 	mtx_assert(&ct->ct_lock, MA_OWNED);
585 
586 	KASSERT(stat != RPC_SUCCESS || *resultsp,
587 	    ("RPC_SUCCESS without reply"));
588 
589 	if (mreq)
590 		m_freem(mreq);
591 	if (cr->cr_mrep)
592 		m_freem(cr->cr_mrep);
593 
594 	ct->ct_threads--;
595 	if (ct->ct_closing)
596 		wakeup(ct);
597 
598 	mtx_unlock(&ct->ct_lock);
599 
600 	if (auth && stat != RPC_SUCCESS)
601 		AUTH_VALIDATE(auth, xid, NULL, NULL);
602 
603 	free(cr, M_RPC);
604 
605 	return (stat);
606 }
607 
608 static void
609 clnt_vc_geterr(CLIENT *cl, struct rpc_err *errp)
610 {
611 	struct ct_data *ct = (struct ct_data *) cl->cl_private;
612 
613 	*errp = ct->ct_error;
614 }
615 
616 static bool_t
617 clnt_vc_freeres(CLIENT *cl, xdrproc_t xdr_res, void *res_ptr)
618 {
619 	XDR xdrs;
620 	bool_t dummy;
621 
622 	xdrs.x_op = XDR_FREE;
623 	dummy = (*xdr_res)(&xdrs, res_ptr);
624 
625 	return (dummy);
626 }
627 
628 /*ARGSUSED*/
629 static void
630 clnt_vc_abort(CLIENT *cl)
631 {
632 }
633 
634 static bool_t
635 clnt_vc_control(CLIENT *cl, u_int request, void *info)
636 {
637 	struct ct_data *ct = (struct ct_data *)cl->cl_private;
638 	void *infop = info;
639 	SVCXPRT *xprt;
640 	uint64_t *p;
641 	int error;
642 	static u_int thrdnum = 0;
643 
644 	mtx_lock(&ct->ct_lock);
645 
646 	switch (request) {
647 	case CLSET_FD_CLOSE:
648 		ct->ct_closeit = TRUE;
649 		mtx_unlock(&ct->ct_lock);
650 		return (TRUE);
651 	case CLSET_FD_NCLOSE:
652 		ct->ct_closeit = FALSE;
653 		mtx_unlock(&ct->ct_lock);
654 		return (TRUE);
655 	default:
656 		break;
657 	}
658 
659 	/* for other requests which use info */
660 	if (info == NULL) {
661 		mtx_unlock(&ct->ct_lock);
662 		return (FALSE);
663 	}
664 	switch (request) {
665 	case CLSET_TIMEOUT:
666 		if (time_not_ok((struct timeval *)info)) {
667 			mtx_unlock(&ct->ct_lock);
668 			return (FALSE);
669 		}
670 		ct->ct_wait = *(struct timeval *)infop;
671 		break;
672 	case CLGET_TIMEOUT:
673 		*(struct timeval *)infop = ct->ct_wait;
674 		break;
675 	case CLGET_SERVER_ADDR:
676 		(void) memcpy(info, &ct->ct_addr, (size_t)ct->ct_addr.ss_len);
677 		break;
678 	case CLGET_SVC_ADDR:
679 		/*
680 		 * Slightly different semantics to userland - we use
681 		 * sockaddr instead of netbuf.
682 		 */
683 		memcpy(info, &ct->ct_addr, ct->ct_addr.ss_len);
684 		break;
685 	case CLSET_SVC_ADDR:		/* set to new address */
686 		mtx_unlock(&ct->ct_lock);
687 		return (FALSE);
688 	case CLGET_XID:
689 		*(uint32_t *)info = ct->ct_xid;
690 		break;
691 	case CLSET_XID:
692 		/* This will set the xid of the NEXT call */
693 		/* decrement by 1 as clnt_vc_call() increments once */
694 		ct->ct_xid = *(uint32_t *)info - 1;
695 		break;
696 	case CLGET_VERS:
697 		/*
698 		 * This RELIES on the information that, in the call body,
699 		 * the version number field is the fifth field from the
700 		 * beginning of the RPC header. MUST be changed if the
701 		 * call_struct is changed
702 		 */
703 		*(uint32_t *)info =
704 		    ntohl(*(uint32_t *)(void *)(ct->ct_mcallc +
705 		    4 * BYTES_PER_XDR_UNIT));
706 		break;
707 
708 	case CLSET_VERS:
709 		*(uint32_t *)(void *)(ct->ct_mcallc +
710 		    4 * BYTES_PER_XDR_UNIT) =
711 		    htonl(*(uint32_t *)info);
712 		break;
713 
714 	case CLGET_PROG:
715 		/*
716 		 * This RELIES on the information that, in the call body,
717 		 * the program number field is the fourth field from the
718 		 * beginning of the RPC header. MUST be changed if the
719 		 * call_struct is changed
720 		 */
721 		*(uint32_t *)info =
722 		    ntohl(*(uint32_t *)(void *)(ct->ct_mcallc +
723 		    3 * BYTES_PER_XDR_UNIT));
724 		break;
725 
726 	case CLSET_PROG:
727 		*(uint32_t *)(void *)(ct->ct_mcallc +
728 		    3 * BYTES_PER_XDR_UNIT) =
729 		    htonl(*(uint32_t *)info);
730 		break;
731 
732 	case CLSET_WAITCHAN:
733 		ct->ct_waitchan = (const char *)info;
734 		break;
735 
736 	case CLGET_WAITCHAN:
737 		*(const char **) info = ct->ct_waitchan;
738 		break;
739 
740 	case CLSET_INTERRUPTIBLE:
741 		if (*(int *) info)
742 			ct->ct_waitflag = PCATCH;
743 		else
744 			ct->ct_waitflag = 0;
745 		break;
746 
747 	case CLGET_INTERRUPTIBLE:
748 		if (ct->ct_waitflag)
749 			*(int *) info = TRUE;
750 		else
751 			*(int *) info = FALSE;
752 		break;
753 
754 	case CLSET_BACKCHANNEL:
755 		xprt = (SVCXPRT *)info;
756 		if (ct->ct_backchannelxprt == NULL) {
757 			SVC_ACQUIRE(xprt);
758 			xprt->xp_p2 = ct;
759 			if (ct->ct_sslrefno != 0)
760 				xprt->xp_tls = RPCTLS_FLAGS_HANDSHAKE;
761 			ct->ct_backchannelxprt = xprt;
762 		}
763 		break;
764 
765 	case CLSET_TLS:
766 		p = (uint64_t *)info;
767 		ct->ct_sslsec = *p++;
768 		ct->ct_sslusec = *p++;
769 		ct->ct_sslrefno = *p;
770 		if (ct->ct_sslrefno != RPCTLS_REFNO_HANDSHAKE) {
771 			/* cl ref cnt is released by clnt_vc_dotlsupcall(). */
772 			CLNT_ACQUIRE(cl);
773 			mtx_unlock(&ct->ct_lock);
774 			/* Start the kthread that handles upcalls. */
775 			error = kthread_add(clnt_vc_dotlsupcall, cl,
776 			    NULL, NULL, 0, 0, "krpctls%u", thrdnum++);
777 			if (error != 0)
778 				panic("Can't add KRPC thread error %d", error);
779 		} else
780 			mtx_unlock(&ct->ct_lock);
781 		return (TRUE);
782 
783 	case CLSET_BLOCKRCV:
784 		if (*(int *) info) {
785 			ct->ct_rcvstate &= ~RPCRCVSTATE_NORMAL;
786 			ct->ct_rcvstate |= RPCRCVSTATE_TLSHANDSHAKE;
787 		} else {
788 			ct->ct_rcvstate &= ~RPCRCVSTATE_TLSHANDSHAKE;
789 			ct->ct_rcvstate |= RPCRCVSTATE_NORMAL;
790 		}
791 		break;
792 
793 	default:
794 		mtx_unlock(&ct->ct_lock);
795 		return (FALSE);
796 	}
797 
798 	mtx_unlock(&ct->ct_lock);
799 	return (TRUE);
800 }
801 
802 static void
803 clnt_vc_close(CLIENT *cl)
804 {
805 	struct ct_data *ct = (struct ct_data *) cl->cl_private;
806 	struct ct_request *cr;
807 
808 	mtx_lock(&ct->ct_lock);
809 
810 	if (ct->ct_closed) {
811 		mtx_unlock(&ct->ct_lock);
812 		return;
813 	}
814 
815 	if (ct->ct_closing) {
816 		while (ct->ct_closing)
817 			msleep(ct, &ct->ct_lock, 0, "rpcclose", 0);
818 		KASSERT(ct->ct_closed, ("client should be closed"));
819 		mtx_unlock(&ct->ct_lock);
820 		return;
821 	}
822 
823 	if (ct->ct_socket) {
824 		ct->ct_closing = TRUE;
825 		mtx_unlock(&ct->ct_lock);
826 
827 		SOCK_RECVBUF_LOCK(ct->ct_socket);
828 		if (ct->ct_socket->so_rcv.sb_upcall != NULL) {
829 			soupcall_clear(ct->ct_socket, SO_RCV);
830 			clnt_vc_upcallsdone(ct);
831 		}
832 		SOCK_RECVBUF_UNLOCK(ct->ct_socket);
833 
834 		/*
835 		 * Abort any pending requests and wait until everyone
836 		 * has finished with clnt_vc_call.
837 		 */
838 		mtx_lock(&ct->ct_lock);
839 		TAILQ_FOREACH(cr, &ct->ct_pending, cr_link) {
840 			cr->cr_xid = 0;
841 			cr->cr_error = ESHUTDOWN;
842 			wakeup(cr);
843 		}
844 
845 		while (ct->ct_threads)
846 			msleep(ct, &ct->ct_lock, 0, "rpcclose", 0);
847 	}
848 
849 	ct->ct_closing = FALSE;
850 	ct->ct_closed = TRUE;
851 	wakeup(&ct->ct_sslrefno);
852 	mtx_unlock(&ct->ct_lock);
853 	wakeup(ct);
854 }
855 
856 static void
857 clnt_vc_destroy(CLIENT *cl)
858 {
859 	struct ct_data *ct = (struct ct_data *) cl->cl_private;
860 	struct socket *so = NULL;
861 	SVCXPRT *xprt;
862 	uint32_t reterr;
863 
864 	clnt_vc_close(cl);
865 
866 	mtx_lock(&ct->ct_lock);
867 	xprt = ct->ct_backchannelxprt;
868 	ct->ct_backchannelxprt = NULL;
869 	if (xprt != NULL) {
870 		mtx_unlock(&ct->ct_lock);	/* To avoid a LOR. */
871 		sx_xlock(&xprt->xp_lock);
872 		mtx_lock(&ct->ct_lock);
873 		xprt->xp_p2 = NULL;
874 		sx_xunlock(&xprt->xp_lock);
875 		SVC_RELEASE(xprt);
876 	}
877 
878 	if (ct->ct_socket) {
879 		if (ct->ct_closeit) {
880 			so = ct->ct_socket;
881 		}
882 	}
883 
884 	/* Wait for the upcall kthread to terminate. */
885 	while ((ct->ct_rcvstate & RPCRCVSTATE_UPCALLTHREAD) != 0)
886 		msleep(&ct->ct_sslrefno, &ct->ct_lock, 0,
887 		    "clntvccl", hz);
888 	mtx_unlock(&ct->ct_lock);
889 
890 	mtx_destroy(&ct->ct_lock);
891 	if (so) {
892 		if (ct->ct_sslrefno != 0) {
893 			/*
894 			 * If the TLS handshake is in progress, the upcall
895 			 * will fail, but the socket should be closed by the
896 			 * daemon, since the connect upcall has just failed.
897 			 */
898 			if (ct->ct_sslrefno != RPCTLS_REFNO_HANDSHAKE) {
899 				/*
900 				 * If the upcall fails, the socket has
901 				 * probably been closed via the rpctlscd
902 				 * daemon having crashed or been
903 				 * restarted, so ignore return stat.
904 				 */
905 				rpctls_cl_disconnect(ct->ct_sslsec,
906 				    ct->ct_sslusec, ct->ct_sslrefno,
907 				    &reterr);
908 			}
909 			/* Must sorele() to get rid of reference. */
910 			CURVNET_SET(so->so_vnet);
911 			sorele(so);
912 			CURVNET_RESTORE();
913 		} else {
914 			soshutdown(so, SHUT_WR);
915 			soclose(so);
916 		}
917 	}
918 	m_freem(ct->ct_record);
919 	m_freem(ct->ct_raw);
920 	mem_free(ct, sizeof(struct ct_data));
921 	if (cl->cl_netid && cl->cl_netid[0])
922 		mem_free(cl->cl_netid, strlen(cl->cl_netid) +1);
923 	if (cl->cl_tp && cl->cl_tp[0])
924 		mem_free(cl->cl_tp, strlen(cl->cl_tp) +1);
925 	mem_free(cl, sizeof(CLIENT));
926 }
927 
928 /*
929  * Make sure that the time is not garbage.   -1 value is disallowed.
930  * Note this is different from time_not_ok in clnt_dg.c
931  */
932 static bool_t
933 time_not_ok(struct timeval *t)
934 {
935 	return (t->tv_sec <= -1 || t->tv_sec > 100000000 ||
936 		t->tv_usec <= -1 || t->tv_usec > 1000000);
937 }
938 
939 int
940 clnt_vc_soupcall(struct socket *so, void *arg, int waitflag)
941 {
942 	struct ct_data *ct = (struct ct_data *) arg;
943 	struct uio uio;
944 	struct mbuf *m, *m2;
945 	struct ct_request *cr;
946 	int error, rcvflag, foundreq;
947 	uint32_t xid_plus_direction[2], header;
948 	SVCXPRT *xprt;
949 	struct cf_conn *cd;
950 	u_int rawlen;
951 	struct cmsghdr *cmsg;
952 	struct tls_get_record tgr;
953 
954 	/*
955 	 * RPC-over-TLS needs to block reception during
956 	 * upcalls since the upcall will be doing I/O on
957 	 * the socket via openssl library calls.
958 	 */
959 	mtx_lock(&ct->ct_lock);
960 	if ((ct->ct_rcvstate & (RPCRCVSTATE_NORMAL |
961 	    RPCRCVSTATE_NONAPPDATA)) == 0) {
962 		/* Mark that a socket upcall needs to be done. */
963 		if ((ct->ct_rcvstate & (RPCRCVSTATE_UPCALLNEEDED |
964 		    RPCRCVSTATE_UPCALLINPROG)) != 0)
965 			ct->ct_rcvstate |= RPCRCVSTATE_SOUPCALLNEEDED;
966 		mtx_unlock(&ct->ct_lock);
967 		return (SU_OK);
968 	}
969 	mtx_unlock(&ct->ct_lock);
970 
971 	/*
972 	 * If another thread is already here, it must be in
973 	 * soreceive(), so just return to avoid races with it.
974 	 * ct_upcallrefs is protected by the socket receive buffer lock
975 	 * which is held in this function, except when
976 	 * soreceive() is called.
977 	 */
978 	if (ct->ct_upcallrefs > 0)
979 		return (SU_OK);
980 	ct->ct_upcallrefs++;
981 
982 	/*
983 	 * Read as much as possible off the socket and link it
984 	 * onto ct_raw.
985 	 */
986 	for (;;) {
987 		uio.uio_resid = 1000000000;
988 		uio.uio_td = curthread;
989 		m2 = m = NULL;
990 		rcvflag = MSG_DONTWAIT | MSG_SOCALLBCK;
991 		if (ct->ct_sslrefno != 0 && (ct->ct_rcvstate &
992 		    RPCRCVSTATE_NORMAL) != 0)
993 			rcvflag |= MSG_TLSAPPDATA;
994 		SOCK_RECVBUF_UNLOCK(so);
995 		error = soreceive(so, NULL, &uio, &m, &m2, &rcvflag);
996 		SOCK_RECVBUF_LOCK(so);
997 
998 		if (error == EWOULDBLOCK) {
999 			/*
1000 			 * We must re-test for readability after
1001 			 * taking the lock to protect us in the case
1002 			 * where a new packet arrives on the socket
1003 			 * after our call to soreceive fails with
1004 			 * EWOULDBLOCK.
1005 			 */
1006 			error = 0;
1007 			if (!soreadable(so))
1008 				break;
1009 			continue;
1010 		}
1011 		if (error == 0 && m == NULL) {
1012 			/*
1013 			 * We must have got EOF trying
1014 			 * to read from the stream.
1015 			 */
1016 			error = ECONNRESET;
1017 		}
1018 
1019 		/*
1020 		 * A return of ENXIO indicates that there is an
1021 		 * alert record at the head of the
1022 		 * socket's receive queue, for TLS connections.
1023 		 * This record needs to be handled in userland
1024 		 * via an SSL_read() call, so do an upcall to the daemon.
1025 		 */
1026 		if (ct->ct_sslrefno != 0 && error == ENXIO) {
1027 			/* Disable reception, marking an upcall needed. */
1028 			mtx_lock(&ct->ct_lock);
1029 			ct->ct_rcvstate |= RPCRCVSTATE_UPCALLNEEDED;
1030 			/*
1031 			 * If an upcall in needed, wake up the kthread
1032 			 * that runs clnt_vc_dotlsupcall().
1033 			 */
1034 			wakeup(&ct->ct_sslrefno);
1035 			mtx_unlock(&ct->ct_lock);
1036 			break;
1037 		}
1038 		if (error != 0)
1039 			break;
1040 
1041 		/* Process any record header(s). */
1042 		if (m2 != NULL) {
1043 			cmsg = mtod(m2, struct cmsghdr *);
1044 			if (cmsg->cmsg_type == TLS_GET_RECORD &&
1045 			    cmsg->cmsg_len == CMSG_LEN(sizeof(tgr))) {
1046 				memcpy(&tgr, CMSG_DATA(cmsg), sizeof(tgr));
1047 				/*
1048 				 * TLS_RLTYPE_ALERT records should be handled
1049 				 * since soreceive() would have returned
1050 				 * ENXIO.  Just throw any other
1051 				 * non-TLS_RLTYPE_APP records away.
1052 				 */
1053 				if (tgr.tls_type != TLS_RLTYPE_APP) {
1054 					m_freem(m);
1055 					m_free(m2);
1056 					mtx_lock(&ct->ct_lock);
1057 					ct->ct_rcvstate &=
1058 					    ~RPCRCVSTATE_NONAPPDATA;
1059 					ct->ct_rcvstate |= RPCRCVSTATE_NORMAL;
1060 					mtx_unlock(&ct->ct_lock);
1061 					continue;
1062 				}
1063 			}
1064 			m_free(m2);
1065 		}
1066 
1067 		if (ct->ct_raw != NULL)
1068 			m_last(ct->ct_raw)->m_next = m;
1069 		else
1070 			ct->ct_raw = m;
1071 	}
1072 	rawlen = m_length(ct->ct_raw, NULL);
1073 
1074 	/* Now, process as much of ct_raw as possible. */
1075 	for (;;) {
1076 		/*
1077 		 * If ct_record_resid is zero, we are waiting for a
1078 		 * record mark.
1079 		 */
1080 		if (ct->ct_record_resid == 0) {
1081 			if (rawlen < sizeof(uint32_t))
1082 				break;
1083 			m_copydata(ct->ct_raw, 0, sizeof(uint32_t),
1084 			    (char *)&header);
1085 			header = ntohl(header);
1086 			ct->ct_record_resid = header & 0x7fffffff;
1087 			ct->ct_record_eor = ((header & 0x80000000) != 0);
1088 			m_adj(ct->ct_raw, sizeof(uint32_t));
1089 			rawlen -= sizeof(uint32_t);
1090 		} else {
1091 			/*
1092 			 * Move as much of the record as possible to
1093 			 * ct_record.
1094 			 */
1095 			if (rawlen == 0)
1096 				break;
1097 			if (rawlen <= ct->ct_record_resid) {
1098 				if (ct->ct_record != NULL)
1099 					m_last(ct->ct_record)->m_next =
1100 					    ct->ct_raw;
1101 				else
1102 					ct->ct_record = ct->ct_raw;
1103 				ct->ct_raw = NULL;
1104 				ct->ct_record_resid -= rawlen;
1105 				rawlen = 0;
1106 			} else {
1107 				m = m_split(ct->ct_raw, ct->ct_record_resid,
1108 				    M_NOWAIT);
1109 				if (m == NULL)
1110 					break;
1111 				if (ct->ct_record != NULL)
1112 					m_last(ct->ct_record)->m_next =
1113 					    ct->ct_raw;
1114 				else
1115 					ct->ct_record = ct->ct_raw;
1116 				rawlen -= ct->ct_record_resid;
1117 				ct->ct_record_resid = 0;
1118 				ct->ct_raw = m;
1119 			}
1120 			if (ct->ct_record_resid > 0)
1121 				break;
1122 
1123 			/*
1124 			 * If we have the entire record, see if we can
1125 			 * match it to a request.
1126 			 */
1127 			if (ct->ct_record_eor) {
1128 				/*
1129 				 * The XID is in the first uint32_t of
1130 				 * the reply and the message direction
1131 				 * is the second one.
1132 				 */
1133 				if (ct->ct_record->m_len <
1134 				    sizeof(xid_plus_direction) &&
1135 				    m_length(ct->ct_record, NULL) <
1136 				    sizeof(xid_plus_direction)) {
1137 					/*
1138 					 * What to do now?
1139 					 * The data in the TCP stream is
1140 					 * corrupted such that there is no
1141 					 * valid RPC message to parse.
1142 					 * I think it best to close this
1143 					 * connection and allow
1144 					 * clnt_reconnect_call() to try
1145 					 * and establish a new one.
1146 					 */
1147 					printf("clnt_vc_soupcall: "
1148 					    "connection data corrupted\n");
1149 					error = ECONNRESET;
1150 					goto wakeup_all;
1151 				}
1152 				m_copydata(ct->ct_record, 0,
1153 				    sizeof(xid_plus_direction),
1154 				    (char *)xid_plus_direction);
1155 				xid_plus_direction[0] =
1156 				    ntohl(xid_plus_direction[0]);
1157 				xid_plus_direction[1] =
1158 				    ntohl(xid_plus_direction[1]);
1159 				/* Check message direction. */
1160 				if (xid_plus_direction[1] == CALL) {
1161 					/* This is a backchannel request. */
1162 					mtx_lock(&ct->ct_lock);
1163 					xprt = ct->ct_backchannelxprt;
1164 					if (xprt == NULL) {
1165 						mtx_unlock(&ct->ct_lock);
1166 						/* Just throw it away. */
1167 						m_freem(ct->ct_record);
1168 						ct->ct_record = NULL;
1169 					} else {
1170 						cd = (struct cf_conn *)
1171 						    xprt->xp_p1;
1172 						m2 = cd->mreq;
1173 						/*
1174 						 * The requests are chained
1175 						 * in the m_nextpkt list.
1176 						 */
1177 						while (m2 != NULL &&
1178 						    m2->m_nextpkt != NULL)
1179 							/* Find end of list. */
1180 							m2 = m2->m_nextpkt;
1181 						if (m2 != NULL)
1182 							m2->m_nextpkt =
1183 							    ct->ct_record;
1184 						else
1185 							cd->mreq =
1186 							    ct->ct_record;
1187 						ct->ct_record->m_nextpkt =
1188 						    NULL;
1189 						ct->ct_record = NULL;
1190 						xprt_active(xprt);
1191 						mtx_unlock(&ct->ct_lock);
1192 					}
1193 				} else {
1194 					mtx_lock(&ct->ct_lock);
1195 					foundreq = 0;
1196 					TAILQ_FOREACH(cr, &ct->ct_pending,
1197 					    cr_link) {
1198 						if (cr->cr_xid ==
1199 						    xid_plus_direction[0]) {
1200 							/*
1201 							 * This one
1202 							 * matches. We leave
1203 							 * the reply mbuf in
1204 							 * cr->cr_mrep. Set
1205 							 * the XID to zero so
1206 							 * that we will ignore
1207 							 * any duplicated
1208 							 * replies.
1209 							 */
1210 							cr->cr_xid = 0;
1211 							cr->cr_mrep =
1212 							    ct->ct_record;
1213 							cr->cr_error = 0;
1214 							foundreq = 1;
1215 							wakeup(cr);
1216 							break;
1217 						}
1218 					}
1219 					mtx_unlock(&ct->ct_lock);
1220 
1221 					if (!foundreq)
1222 						m_freem(ct->ct_record);
1223 					ct->ct_record = NULL;
1224 				}
1225 			}
1226 		}
1227 	}
1228 
1229 	if (error != 0) {
1230 	wakeup_all:
1231 		/*
1232 		 * This socket is broken, so mark that it cannot
1233 		 * receive and fail all RPCs waiting for a reply
1234 		 * on it, so that they will be retried on a new
1235 		 * TCP connection created by clnt_reconnect_X().
1236 		 */
1237 		mtx_lock(&ct->ct_lock);
1238 		ct->ct_error.re_status = RPC_CANTRECV;
1239 		ct->ct_error.re_errno = error;
1240 		TAILQ_FOREACH(cr, &ct->ct_pending, cr_link) {
1241 			cr->cr_error = error;
1242 			wakeup(cr);
1243 		}
1244 		mtx_unlock(&ct->ct_lock);
1245 	}
1246 
1247 	ct->ct_upcallrefs--;
1248 	if (ct->ct_upcallrefs < 0)
1249 		panic("rpcvc upcall refcnt");
1250 	if (ct->ct_upcallrefs == 0)
1251 		wakeup(&ct->ct_upcallrefs);
1252 	return (SU_OK);
1253 }
1254 
1255 /*
1256  * Wait for all upcalls in progress to complete.
1257  */
1258 static void
1259 clnt_vc_upcallsdone(struct ct_data *ct)
1260 {
1261 
1262 	SOCK_RECVBUF_LOCK_ASSERT(ct->ct_socket);
1263 
1264 	while (ct->ct_upcallrefs > 0)
1265 		(void) msleep(&ct->ct_upcallrefs,
1266 		    SOCKBUF_MTX(&ct->ct_socket->so_rcv), 0, "rpcvcup", 0);
1267 }
1268 
1269 /*
1270  * Do a TLS upcall to the rpctlscd daemon, as required.
1271  * This function runs as a kthread.
1272  */
1273 static void
1274 clnt_vc_dotlsupcall(void *data)
1275 {
1276 	CLIENT *cl = (CLIENT *)data;
1277 	struct ct_data *ct = (struct ct_data *)cl->cl_private;
1278 	enum clnt_stat ret;
1279 	uint32_t reterr;
1280 
1281 	mtx_lock(&ct->ct_lock);
1282 	ct->ct_rcvstate |= RPCRCVSTATE_UPCALLTHREAD;
1283 	while (!ct->ct_closed) {
1284 		if ((ct->ct_rcvstate & RPCRCVSTATE_UPCALLNEEDED) != 0) {
1285 			ct->ct_rcvstate &= ~RPCRCVSTATE_UPCALLNEEDED;
1286 			ct->ct_rcvstate |= RPCRCVSTATE_UPCALLINPROG;
1287 			if (ct->ct_sslrefno != 0 && ct->ct_sslrefno !=
1288 			    RPCTLS_REFNO_HANDSHAKE) {
1289 				mtx_unlock(&ct->ct_lock);
1290 				ret = rpctls_cl_handlerecord(ct->ct_sslsec,
1291 				    ct->ct_sslusec, ct->ct_sslrefno, &reterr);
1292 				mtx_lock(&ct->ct_lock);
1293 			}
1294 			ct->ct_rcvstate &= ~RPCRCVSTATE_UPCALLINPROG;
1295 			if (ret == RPC_SUCCESS && reterr == RPCTLSERR_OK)
1296 				ct->ct_rcvstate |= RPCRCVSTATE_NORMAL;
1297 			else
1298 				ct->ct_rcvstate |= RPCRCVSTATE_NONAPPDATA;
1299 			wakeup(&ct->ct_rcvstate);
1300 		}
1301 		if ((ct->ct_rcvstate & RPCRCVSTATE_SOUPCALLNEEDED) != 0) {
1302 			ct->ct_rcvstate &= ~RPCRCVSTATE_SOUPCALLNEEDED;
1303 			mtx_unlock(&ct->ct_lock);
1304 			SOCK_RECVBUF_LOCK(ct->ct_socket);
1305 			clnt_vc_soupcall(ct->ct_socket, ct, M_NOWAIT);
1306 			SOCK_RECVBUF_UNLOCK(ct->ct_socket);
1307 			mtx_lock(&ct->ct_lock);
1308 		}
1309 		msleep(&ct->ct_sslrefno, &ct->ct_lock, 0, "clntvcdu", hz);
1310 	}
1311 	ct->ct_rcvstate &= ~RPCRCVSTATE_UPCALLTHREAD;
1312 	wakeup(&ct->ct_sslrefno);
1313 	mtx_unlock(&ct->ct_lock);
1314 	CLNT_RELEASE(cl);
1315 	kthread_exit();
1316 }
1317