xref: /illumos-gate/usr/src/uts/common/fs/smbclnt/netsmb/smb_usr.c (revision d8a7fe16f62711cdc5c4267da8b34ff24a6b668c)
1 /*
2  * Copyright (c) 2000-2001 Boris Popov
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *    This product includes software developed by Boris Popov.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  *
32  * $Id: smb_usr.c,v 1.15 2004/12/13 00:25:18 lindak Exp $
33  */
34 
35 /*
36  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
37  * Use is subject to license terms.
38  */
39 
40 #include <sys/param.h>
41 #include <sys/kmem.h>
42 #include <sys/systm.h>
43 #include <sys/policy.h>
44 #include <sys/conf.h>
45 #include <sys/proc.h>
46 #include <sys/fcntl.h>
47 #include <sys/file.h>
48 #include <sys/socket.h>
49 #include <sys/sunddi.h>
50 #include <sys/cmn_err.h>
51 
52 #include <netsmb/smb_osdep.h>
53 
54 #include <netsmb/smb.h>
55 #include <netsmb/smb_conn.h>
56 #include <netsmb/smb_rq.h>
57 #include <netsmb/smb_subr.h>
58 #include <netsmb/smb_dev.h>
59 
60 static int smb_cpdatain(struct mbchain *mbp, int len, char *data, int seg);
61 
62 /*
63  * Ioctl function for SMBIOC_FLAGS2
64  */
65 int
66 smb_usr_get_flags2(smb_dev_t *sdp, intptr_t arg, int flags)
67 {
68 	struct smb_vc *vcp = NULL;
69 
70 	/* This ioctl requires a session. */
71 	if ((vcp = sdp->sd_vc) == NULL)
72 		return (ENOTCONN);
73 
74 	/*
75 	 * Return the flags2 value.
76 	 */
77 	if (ddi_copyout(&vcp->vc_hflags2, (void *)arg,
78 	    sizeof (u_int16_t), flags))
79 		return (EFAULT);
80 
81 	return (0);
82 }
83 
84 /*
85  * Ioctl function for SMBIOC_GETSSNKEY
86  * Size copied out is SMBIOC_HASH_SZ.
87  *
88  * The RPC library needs this for encrypting things
89  * like "set password" requests.  This is called
90  * with an active RPC binding, so the connection
91  * will already be active (but this checks).
92  */
93 int
94 smb_usr_get_ssnkey(smb_dev_t *sdp, intptr_t arg, int flags)
95 {
96 	struct smb_vc *vcp = NULL;
97 
98 	/* This ioctl requires an active session. */
99 	if ((vcp = sdp->sd_vc) == NULL)
100 		return (ENOTCONN);
101 	if (vcp->vc_state != SMBIOD_ST_VCACTIVE)
102 		return (ENOTCONN);
103 
104 	/*
105 	 * Return the session key.
106 	 */
107 	if (ddi_copyout(vcp->vc_ssn_key, (void *)arg,
108 	    SMBIOC_HASH_SZ, flags))
109 		return (EFAULT);
110 
111 	return (0);
112 }
113 
114 /*
115  * Ioctl function for SMBIOC_REQUEST
116  */
117 int
118 smb_usr_simplerq(smb_dev_t *sdp, intptr_t arg, int flags, cred_t *cr)
119 {
120 	struct smb_cred scred;
121 	struct smb_share *ssp;
122 	smbioc_rq_t *ioc = NULL;
123 	struct smb_rq *rqp = NULL;
124 	struct mbchain *mbp;
125 	struct mdchain *mdp;
126 	uint32_t rsz;
127 	int err, mbseg;
128 
129 	/* This ioctl requires a share. */
130 	if ((ssp = sdp->sd_share) == NULL)
131 		return (ENOTCONN);
132 
133 	smb_credinit(&scred, cr);
134 	ioc = kmem_alloc(sizeof (*ioc), KM_SLEEP);
135 	if (ddi_copyin((void *) arg, ioc, sizeof (*ioc), flags)) {
136 		err = EFAULT;
137 		goto out;
138 	}
139 
140 	/* See ddi_copyin, ddi_copyout */
141 	mbseg = (flags & FKIOCTL) ? MB_MSYSTEM : MB_MUSER;
142 
143 	/*
144 	 * Lots of SMB commands could be safe, but
145 	 * these are the only ones used by libsmbfs.
146 	 */
147 	switch (ioc->ioc_cmd) {
148 		/* These are OK */
149 	case SMB_COM_CLOSE:
150 	case SMB_COM_FLUSH:
151 	case SMB_COM_NT_CREATE_ANDX:
152 	case SMB_COM_OPEN_PRINT_FILE:
153 	case SMB_COM_CLOSE_PRINT_FILE:
154 		break;
155 
156 	default:
157 		err = EPERM;
158 		goto out;
159 	}
160 
161 	err = smb_rq_alloc(SSTOCP(ssp), ioc->ioc_cmd, &scred, &rqp);
162 	if (err)
163 		goto out;
164 
165 	mbp = &rqp->sr_rq;
166 	err = mb_put_mem(mbp, ioc->ioc_tbuf, ioc->ioc_tbufsz, mbseg);
167 
168 	err = smb_rq_simple(rqp);
169 	if (err == 0) {
170 		/*
171 		 * This may have been an open, so save the
172 		 * generation ID of the share, which we
173 		 * check before trying read or write.
174 		 */
175 		sdp->sd_vcgenid = ssp->ss_vcgenid;
176 
177 		/*
178 		 * Have reply data. to copyout.
179 		 * SMB header already parsed.
180 		 */
181 		mdp = &rqp->sr_rp;
182 		rsz = msgdsize(mdp->md_top) - SMB_HDRLEN;
183 		if (ioc->ioc_rbufsz < rsz) {
184 			err = EOVERFLOW;
185 			goto out;
186 		}
187 		ioc->ioc_rbufsz = rsz;
188 		err = md_get_mem(mdp, ioc->ioc_rbuf, rsz, mbseg);
189 		if (err)
190 			goto out;
191 
192 	}
193 
194 	ioc->ioc_errclass = rqp->sr_errclass;
195 	ioc->ioc_serror = rqp->sr_serror;
196 	ioc->ioc_error = rqp->sr_error;
197 	(void) ddi_copyout(ioc, (void *)arg, sizeof (*ioc), flags);
198 
199 out:
200 	if (rqp != NULL)
201 		smb_rq_done(rqp); /* free rqp */
202 	if (ioc != NULL)
203 		kmem_free(ioc, sizeof (*ioc));
204 	smb_credrele(&scred);
205 
206 	return (err);
207 
208 }
209 
210 /*
211  * Ioctl function for SMBIOC_T2RQ
212  */
213 int
214 smb_usr_t2request(smb_dev_t *sdp, intptr_t arg, int flags, cred_t *cr)
215 {
216 	struct smb_cred scred;
217 	struct smb_share *ssp;
218 	smbioc_t2rq_t *ioc = NULL;
219 	struct smb_t2rq *t2p = NULL;
220 	struct mdchain *mdp;
221 	int err, len, mbseg;
222 
223 	/* This ioctl requires a share. */
224 	if ((ssp = sdp->sd_share) == NULL)
225 		return (ENOTCONN);
226 
227 	smb_credinit(&scred, cr);
228 	ioc = kmem_alloc(sizeof (*ioc), KM_SLEEP);
229 	if (ddi_copyin((void *) arg, ioc, sizeof (*ioc), flags)) {
230 		err = EFAULT;
231 		goto out;
232 	}
233 
234 	/* See ddi_copyin, ddi_copyout */
235 	mbseg = (flags & FKIOCTL) ? MB_MSYSTEM : MB_MUSER;
236 
237 	if (ioc->ioc_setupcnt > SMBIOC_T2RQ_MAXSETUP) {
238 		err = EINVAL;
239 		goto out;
240 	}
241 
242 	t2p = kmem_alloc(sizeof (*t2p), KM_SLEEP);
243 	err = smb_t2_init(t2p, SSTOCP(ssp),
244 	    ioc->ioc_setup, ioc->ioc_setupcnt, &scred);
245 	if (err)
246 		goto out;
247 	len = t2p->t2_setupcount = ioc->ioc_setupcnt;
248 	if (len > 1)
249 		t2p->t2_setupdata = ioc->ioc_setup;
250 
251 	/* This ioc member is a fixed-size array. */
252 	if (ioc->ioc_name[0]) {
253 		/* Get the name length - carefully! */
254 		ioc->ioc_name[SMBIOC_T2RQ_MAXNAME-1] = '\0';
255 		t2p->t_name_len = strlen(ioc->ioc_name);
256 		t2p->t_name = ioc->ioc_name;
257 	}
258 	t2p->t2_maxscount = 0;
259 	t2p->t2_maxpcount = ioc->ioc_rparamcnt;
260 	t2p->t2_maxdcount = ioc->ioc_rdatacnt;
261 
262 	/* Transmit parameters */
263 	err = smb_cpdatain(&t2p->t2_tparam,
264 	    ioc->ioc_tparamcnt, ioc->ioc_tparam, mbseg);
265 	if (err)
266 		goto out;
267 
268 	/* Transmit data */
269 	err = smb_cpdatain(&t2p->t2_tdata,
270 	    ioc->ioc_tdatacnt, ioc->ioc_tdata, mbseg);
271 	if (err)
272 		goto out;
273 
274 	err = smb_t2_request(t2p);
275 
276 	/* Copyout returned parameters. */
277 	mdp = &t2p->t2_rparam;
278 	if (err == 0 && mdp->md_top != NULL) {
279 		/* User's buffer large enough? */
280 		len = m_fixhdr(mdp->md_top);
281 		if (len > ioc->ioc_rparamcnt) {
282 			err = EMSGSIZE;
283 			goto out;
284 		}
285 		ioc->ioc_rparamcnt = (ushort_t)len;
286 		err = md_get_mem(mdp, ioc->ioc_rparam, len, mbseg);
287 		if (err)
288 			goto out;
289 	} else
290 		ioc->ioc_rparamcnt = 0;
291 
292 	/* Copyout returned data. */
293 	mdp = &t2p->t2_rdata;
294 	if (err == 0 && mdp->md_top != NULL) {
295 		/* User's buffer large enough? */
296 		len = m_fixhdr(mdp->md_top);
297 		if (len > ioc->ioc_rdatacnt) {
298 			err = EMSGSIZE;
299 			goto out;
300 		}
301 		ioc->ioc_rdatacnt = (ushort_t)len;
302 		err = md_get_mem(mdp, ioc->ioc_rdata, len, mbseg);
303 		if (err)
304 			goto out;
305 	} else
306 		ioc->ioc_rdatacnt = 0;
307 
308 	ioc->ioc_errclass = t2p->t2_sr_errclass;
309 	ioc->ioc_serror = t2p->t2_sr_serror;
310 	ioc->ioc_error = t2p->t2_sr_error;
311 	ioc->ioc_rpflags2 = t2p->t2_sr_rpflags2;
312 
313 	(void) ddi_copyout(ioc, (void *)arg, sizeof (*ioc), flags);
314 
315 
316 out:
317 	if (t2p != NULL) {
318 		/* Note: t2p->t_name no longer allocated */
319 		smb_t2_done(t2p);
320 		kmem_free(t2p, sizeof (*t2p));
321 	}
322 	if (ioc != NULL)
323 		kmem_free(ioc, sizeof (*ioc));
324 	smb_credrele(&scred);
325 
326 	return (err);
327 }
328 
329 /* helper for _t2request */
330 static int
331 smb_cpdatain(struct mbchain *mbp, int len, char *data, int mbseg)
332 {
333 	int error;
334 
335 	if (len == 0)
336 		return (0);
337 	error = mb_init(mbp);
338 	if (error)
339 		return (error);
340 	return (mb_put_mem(mbp, data, len, mbseg));
341 }
342 
343 /*
344  * Helper for nsmb_ioctl cases
345  * SMBIOC_READ, SMBIOC_WRITE
346  */
347 int
348 smb_usr_rw(smb_dev_t *sdp, int cmd, intptr_t arg, int flags, cred_t *cr)
349 {
350 	struct smb_cred scred;
351 	struct smb_share *ssp;
352 	smbioc_rw_t *ioc = NULL;
353 	struct iovec aiov[1];
354 	struct uio  auio;
355 	u_int16_t fh;
356 	int err;
357 	uio_rw_t rw;
358 
359 	/* This ioctl requires a share. */
360 	if ((ssp = sdp->sd_share) == NULL)
361 		return (ENOTCONN);
362 
363 	/* After reconnect, force close+reopen */
364 	if (sdp->sd_vcgenid != ssp->ss_vcgenid)
365 		return (ESTALE);
366 
367 	smb_credinit(&scred, cr);
368 	ioc = kmem_alloc(sizeof (*ioc), KM_SLEEP);
369 	if (ddi_copyin((void *) arg, ioc, sizeof (*ioc), flags)) {
370 		err = EFAULT;
371 		goto out;
372 	}
373 
374 	switch (cmd) {
375 	case SMBIOC_READ:
376 		rw = UIO_READ;
377 		break;
378 	case SMBIOC_WRITE:
379 		rw = UIO_WRITE;
380 		break;
381 	default:
382 		err = ENODEV;
383 		goto out;
384 	}
385 
386 	fh = ioc->ioc_fh;
387 
388 	aiov[0].iov_base = ioc->ioc_base;
389 	aiov[0].iov_len = (size_t)ioc->ioc_cnt;
390 
391 	auio.uio_iov = aiov;
392 	auio.uio_iovcnt = 1;
393 	auio.uio_loffset = ioc->ioc_offset;
394 	auio.uio_segflg = (flags & FKIOCTL) ?
395 	    UIO_SYSSPACE : UIO_USERSPACE;
396 	auio.uio_fmode = 0;
397 	auio.uio_resid = (size_t)ioc->ioc_cnt;
398 
399 	err = smb_rwuio(ssp, fh, rw, &auio, &scred, 0);
400 
401 	/*
402 	 * On return ioc_cnt holds the
403 	 * number of bytes transferred.
404 	 */
405 	ioc->ioc_cnt -= auio.uio_resid;
406 
407 	(void) ddi_copyout(ioc, (void *)arg, sizeof (*ioc), flags);
408 
409 out:
410 	if (ioc != NULL)
411 		kmem_free(ioc, sizeof (*ioc));
412 	smb_credrele(&scred);
413 
414 	return (err);
415 }
416 
417 /*
418  * Ioctl functions: SMBIOC_SSN_FIND, SMBIOC_SSN_CREATE
419  * Find or create a session (a.k.a. "VC" in here)
420  */
421 int
422 smb_usr_get_ssn(smb_dev_t *sdp, int cmd, intptr_t arg, int flags, cred_t *cr)
423 {
424 	struct smb_cred scred;
425 	smbioc_ossn_t *ossn = NULL;
426 	struct smb_vc *vcp = NULL;
427 	int error = 0;
428 	uid_t realuid;
429 
430 	/* Should be no VC */
431 	if (sdp->sd_vc != NULL)
432 		return (EISCONN);
433 
434 	smb_credinit(&scred, cr);
435 	ossn = kmem_alloc(sizeof (*ossn), KM_SLEEP);
436 	if (ddi_copyin((void *)arg, ossn, sizeof (*ossn), flags)) {
437 		error = EFAULT;
438 		goto out;
439 	}
440 
441 	/*
442 	 * Only superuser can specify a UID or GID.
443 	 */
444 	realuid = crgetruid(cr);
445 	if (ossn->ssn_owner == SMBM_ANY_OWNER)
446 		ossn->ssn_owner = realuid;
447 	else {
448 		/*
449 		 * Do we have the privilege to create with the
450 		 * specified uid?  (does uid == cr->cr_uid, etc.)
451 		 */
452 		if (secpolicy_vnode_owner(cr, ossn->ssn_owner)) {
453 			error = EPERM;
454 			goto out;
455 		}
456 		/* ossn->ssn_owner is OK */
457 	}
458 
459 	/*
460 	 * Make sure the strings are null terminated.
461 	 */
462 	ossn->ssn_srvname[SMBIOC_MAX_NAME-1] = '\0';
463 	ossn->ssn_id.id_domain[ SMBIOC_MAX_NAME-1] = '\0';
464 	ossn->ssn_id.id_user[   SMBIOC_MAX_NAME-1] = '\0';
465 
466 	if (cmd == SMBIOC_SSN_CREATE)
467 		ossn->ssn_vopt |= SMBVOPT_CREATE;
468 	else /* FIND */
469 		ossn->ssn_vopt &= ~SMBVOPT_CREATE;
470 
471 	error = smb_vc_findcreate(ossn, &scred, &vcp);
472 	if (error)
473 		goto out;
474 	ASSERT(vcp != NULL);
475 
476 	/*
477 	 * We have a VC, held, but not locked.
478 	 * If we're creating, mark this instance as
479 	 * an open from IOD so close can do cleanup.
480 	 *
481 	 * XXX: Would be nice to have a back pointer
482 	 * from the VC to this (IOD) sdp instance.
483 	 */
484 	if (cmd == SMBIOC_SSN_CREATE) {
485 		if (vcp->iod_thr != NULL) {
486 			error = EEXIST;
487 			goto out;
488 		}
489 		sdp->sd_flags |= NSMBFL_IOD;
490 	} else {
491 		/*
492 		 * Wait for it to finish connecting
493 		 * (or reconnect) if necessary.
494 		 */
495 		if (vcp->vc_state != SMBIOD_ST_VCACTIVE) {
496 			error = smb_iod_reconnect(vcp);
497 			if (error != 0)
498 				goto out;
499 		}
500 	}
501 
502 	/*
503 	 * The VC has a hold from _findvc
504 	 * which we keep until _SSN_RELE
505 	 * or nsmb_close().
506 	 */
507 	sdp->sd_level = SMBL_VC;
508 	sdp->sd_vc = vcp;
509 	vcp = NULL;
510 	(void) ddi_copyout(ossn, (void *)arg, sizeof (*ossn), flags);
511 
512 out:
513 	if (vcp) {
514 		/* Error path: rele hold from _findcreate */
515 		smb_vc_rele(vcp);
516 	}
517 	if (ossn != NULL)
518 		kmem_free(ossn, sizeof (*ossn));
519 	smb_credrele(&scred);
520 
521 	return (error);
522 }
523 
524 /*
525  * Ioctl functions: SMBIOC_SSN_RELE, SMBIOC_SSN_KILL
526  * Release or kill the current session.
527  */
528 int
529 smb_usr_drop_ssn(smb_dev_t *sdp, int cmd)
530 {
531 	struct smb_vc *vcp = NULL;
532 
533 	/* Must have a VC. */
534 	if ((vcp = sdp->sd_vc) == NULL)
535 		return (ENOTCONN);
536 
537 	/* If we have a share ref, drop it too. */
538 	if (sdp->sd_share) {
539 		smb_share_rele(sdp->sd_share);
540 		sdp->sd_share = NULL;
541 		sdp->sd_level = SMBL_VC;
542 	}
543 
544 	if (cmd == SMBIOC_SSN_KILL)
545 		smb_vc_kill(vcp);
546 
547 	/* Drop the VC ref. */
548 	smb_vc_rele(vcp);
549 	sdp->sd_vc = NULL;
550 	sdp->sd_level = 0;
551 
552 	return (0);
553 }
554 
555 /*
556  * Find or create a tree (connected share)
557  */
558 int
559 smb_usr_get_tree(smb_dev_t *sdp, int cmd, intptr_t arg, int flags, cred_t *cr)
560 {
561 	struct smb_cred scred;
562 	smbioc_tcon_t *tcon = NULL;
563 	struct smb_vc *vcp = NULL;
564 	struct smb_share *ssp = NULL;
565 	int error = 0;
566 
567 	/* Must have a VC. */
568 	if ((vcp = sdp->sd_vc) == NULL)
569 		return (ENOTCONN);
570 	/* Should not have a share. */
571 	if (sdp->sd_share != NULL)
572 		return (EISCONN);
573 
574 	smb_credinit(&scred, cr);
575 	tcon = kmem_alloc(sizeof (*tcon), KM_SLEEP);
576 	if (ddi_copyin((void *)arg, tcon, sizeof (*tcon), flags)) {
577 		error = EFAULT;
578 		goto out;
579 	}
580 
581 	/*
582 	 * Make sure the strings are null terminated.
583 	 */
584 	tcon->tc_sh.sh_name[SMBIOC_MAX_NAME-1] = '\0';
585 	tcon->tc_sh.sh_pass[SMBIOC_MAX_NAME-1] = '\0';
586 	tcon->tc_sh.sh_type_req[SMBIOC_STYPE_LEN-1] = '\0';
587 	bzero(tcon->tc_sh.sh_type_ret, SMBIOC_STYPE_LEN);
588 
589 	if (cmd == SMBIOC_TREE_CONNECT)
590 		tcon->tc_opt |= SMBSOPT_CREATE;
591 	else /* FIND */
592 		tcon->tc_opt &= ~SMBSOPT_CREATE;
593 
594 	error = smb_share_findcreate(tcon, vcp, &ssp, &scred);
595 	if (error)
596 		goto out;
597 	ASSERT(ssp != NULL);
598 
599 	/*
600 	 * We have a share, held, but not locked.
601 	 * If we're creating, do tree connect now,
602 	 * otherwise let that wait for a request.
603 	 */
604 	if (cmd == SMBIOC_TREE_CONNECT) {
605 		error = smb_share_tcon(ssp, &scred);
606 		if (error)
607 			goto out;
608 	}
609 
610 	/*
611 	 * Give caller the real share type from
612 	 * the tree connect response, so they can
613 	 * see if they got the requested type.
614 	 */
615 	(void) memcpy(tcon->tc_sh.sh_type_ret,
616 	    ssp->ss_type_ret, SMBIOC_STYPE_LEN);
617 
618 	/*
619 	 * The share has a hold from _tcon
620 	 * which we keep until nsmb_close()
621 	 * or the SMBIOC_TDIS below.
622 	 */
623 	sdp->sd_level = SMBL_SHARE;
624 	sdp->sd_share = ssp;
625 	ssp = NULL;
626 	(void) ddi_copyout(tcon, (void *)arg, sizeof (*tcon), flags);
627 
628 out:
629 	if (ssp) {
630 		/* Error path: rele hold from _findcreate */
631 		smb_share_rele(ssp);
632 	}
633 	if (tcon) {
634 		/*
635 		 * This structure may contain a
636 		 * cleartext password, so zap it.
637 		 */
638 		bzero(tcon, sizeof (*tcon));
639 		kmem_free(tcon, sizeof (*tcon));
640 	}
641 	smb_credrele(&scred);
642 
643 	return (error);
644 }
645 
646 /*
647  * Ioctl functions: SMBIOC_TREE_RELE, SMBIOC_TREE_KILL
648  * Release or kill the current tree
649  */
650 int
651 smb_usr_drop_tree(smb_dev_t *sdp, int cmd)
652 {
653 	struct smb_share *ssp = NULL;
654 
655 	/* Must have a VC and a share. */
656 	if (sdp->sd_vc == NULL)
657 		return (ENOTCONN);
658 	if ((ssp = sdp->sd_share) == NULL)
659 		return (ENOTCONN);
660 
661 	if (cmd == SMBIOC_TREE_KILL)
662 		smb_share_kill(ssp);
663 
664 	/* Drop the share ref. */
665 	smb_share_rele(sdp->sd_share);
666 	sdp->sd_share = NULL;
667 	sdp->sd_level = SMBL_VC;
668 
669 	return (0);
670 }
671 
672 
673 /*
674  * Ioctl function: SMBIOC_IOD_WORK
675  *
676  * Become the reader (IOD) thread, until either the connection is
677  * reset by the server, or until the connection is idle longer than
678  * some max time. (max idle time not yet implemented)
679  */
680 int
681 smb_usr_iod_work(smb_dev_t *sdp, intptr_t arg, int flags, cred_t *cr)
682 {
683 	struct smb_vc *vcp = NULL;
684 	int err = 0;
685 
686 	/* Must have a valid session. */
687 	if ((vcp = sdp->sd_vc) == NULL)
688 		return (EINVAL);
689 	if (vcp->vc_flags & SMBV_GONE)
690 		return (EINVAL);
691 
692 	/*
693 	 * Is there already an IOD for this VC?
694 	 * (Should never happen.)
695 	 */
696 	SMB_VC_LOCK(vcp);
697 	if (vcp->iod_thr == NULL)
698 		vcp->iod_thr = curthread;
699 	else
700 		err = EEXIST;
701 	SMB_VC_UNLOCK(vcp);
702 	if (err)
703 		return (err);
704 
705 	/*
706 	 * Copy the "work" state, etc. into the VC
707 	 * The MAC key is copied separately.
708 	 */
709 	if (ddi_copyin((void *)arg, &vcp->vc_work,
710 	    sizeof (smbioc_ssn_work_t), flags)) {
711 		err = EFAULT;
712 		goto out;
713 	}
714 	if (vcp->vc_u_maclen) {
715 		vcp->vc_mackeylen = vcp->vc_u_maclen;
716 		vcp->vc_mackey = kmem_alloc(vcp->vc_mackeylen, KM_SLEEP);
717 		if (ddi_copyin(vcp->vc_u_mackey.lp_ptr, vcp->vc_mackey,
718 		    vcp->vc_mackeylen, flags)) {
719 			err = EFAULT;
720 			goto out;
721 		}
722 	}
723 
724 	err = smb_iod_vc_work(vcp, cr);
725 
726 	/* Caller wants state here. */
727 	vcp->vc_work.wk_out_state = vcp->vc_state;
728 
729 	(void) ddi_copyout(&vcp->vc_work, (void *)arg,
730 	    sizeof (smbioc_ssn_work_t), flags);
731 
732 out:
733 	if (vcp->vc_mackey) {
734 		kmem_free(vcp->vc_mackey, vcp->vc_mackeylen);
735 		vcp->vc_mackey = NULL;
736 		vcp->vc_mackeylen = 0;
737 	}
738 
739 	/*
740 	 * The IOD thread is leaving the driver.  Clear iod_thr,
741 	 * and wake up anybody waiting for us to quit.
742 	 */
743 	SMB_VC_LOCK(vcp);
744 	vcp->iod_thr = NULL;
745 	cv_broadcast(&vcp->vc_statechg);
746 	SMB_VC_UNLOCK(vcp);
747 
748 	return (err);
749 }
750 
751 /*
752  * Ioctl functions: SMBIOC_IOD_IDLE, SMBIOC_IOD_RCFAIL
753  *
754  * Wait for user-level requests to be enqueued on this session,
755  * and then return to the user-space helper, which will then
756  * initiate a reconnect, etc.
757  */
758 int
759 smb_usr_iod_ioctl(smb_dev_t *sdp, int cmd, intptr_t arg, int flags)
760 {
761 	struct smb_vc *vcp = NULL;
762 	int err = 0;
763 
764 	/* Must have a valid session. */
765 	if ((vcp = sdp->sd_vc) == NULL)
766 		return (EINVAL);
767 	if (vcp->vc_flags & SMBV_GONE)
768 		return (EINVAL);
769 
770 	/*
771 	 * Is there already an IOD for this VC?
772 	 * (Should never happen.)
773 	 */
774 	SMB_VC_LOCK(vcp);
775 	if (vcp->iod_thr == NULL)
776 		vcp->iod_thr = curthread;
777 	else
778 		err = EEXIST;
779 	SMB_VC_UNLOCK(vcp);
780 	if (err)
781 		return (err);
782 
783 	/* nothing to copyin */
784 
785 	switch (cmd) {
786 	case SMBIOC_IOD_IDLE:
787 		err = smb_iod_vc_idle(vcp);
788 		break;
789 
790 	case SMBIOC_IOD_RCFAIL:
791 		err = smb_iod_vc_rcfail(vcp);
792 		break;
793 
794 	default:
795 		err = ENOTTY;
796 		goto out;
797 	}
798 
799 	/* Both of these ioctls copy out the new state. */
800 	(void) ddi_copyout(&vcp->vc_state, (void *)arg,
801 	    sizeof (int), flags);
802 
803 out:
804 	/*
805 	 * The IOD thread is leaving the driver.  Clear iod_thr,
806 	 * and wake up anybody waiting for us to quit.
807 	 */
808 	SMB_VC_LOCK(vcp);
809 	vcp->iod_thr = NULL;
810 	cv_broadcast(&vcp->vc_statechg);
811 	SMB_VC_UNLOCK(vcp);
812 
813 	return (err);
814 }
815