xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb_common_open.c (revision e912cc3d5decbbfbb3005d9f678e9fc3ccbcf91f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
25  */
26 
27 /*
28  * This module provides the common open functionality to the various
29  * open and create SMB interface functions.
30  */
31 
32 #include <sys/types.h>
33 #include <sys/cmn_err.h>
34 #include <sys/fcntl.h>
35 #include <sys/nbmlock.h>
36 #include <smbsrv/string.h>
37 #include <smbsrv/smb2_kproto.h>
38 #include <smbsrv/smb_fsops.h>
39 #include <smbsrv/smbinfo.h>
40 
41 int smb_session_ofile_max = 32768;
42 
43 extern uint32_t smb_is_executable(char *);
44 static void smb_delete_new_object(smb_request_t *);
45 static int smb_set_open_attributes(smb_request_t *, smb_ofile_t *);
46 
47 /*
48  * smb_access_generic_to_file
49  *
50  * Search MSDN for IoCreateFile to see following mapping.
51  *
52  * GENERIC_READ		STANDARD_RIGHTS_READ, FILE_READ_DATA,
53  *			FILE_READ_ATTRIBUTES and FILE_READ_EA
54  *
55  * GENERIC_WRITE	STANDARD_RIGHTS_WRITE, FILE_WRITE_DATA,
56  *               FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, and FILE_APPEND_DATA
57  *
58  * GENERIC_EXECUTE	STANDARD_RIGHTS_EXECUTE, SYNCHRONIZE, and FILE_EXECUTE.
59  */
60 static uint32_t
61 smb_access_generic_to_file(uint32_t desired_access)
62 {
63 	uint32_t access = 0;
64 
65 	if (desired_access & GENERIC_ALL)
66 		return (FILE_ALL_ACCESS & ~SYNCHRONIZE);
67 
68 	if (desired_access & GENERIC_EXECUTE) {
69 		desired_access &= ~GENERIC_EXECUTE;
70 		access |= (STANDARD_RIGHTS_EXECUTE |
71 		    SYNCHRONIZE | FILE_EXECUTE);
72 	}
73 
74 	if (desired_access & GENERIC_WRITE) {
75 		desired_access &= ~GENERIC_WRITE;
76 		access |= (FILE_GENERIC_WRITE & ~SYNCHRONIZE);
77 	}
78 
79 	if (desired_access & GENERIC_READ) {
80 		desired_access &= ~GENERIC_READ;
81 		access |= FILE_GENERIC_READ;
82 	}
83 
84 	return (access | desired_access);
85 }
86 
87 /*
88  * smb_omode_to_amask
89  *
90  * This function converts open modes used by Open and Open AndX
91  * commands to desired access bits used by NT Create AndX command.
92  */
93 uint32_t
94 smb_omode_to_amask(uint32_t desired_access)
95 {
96 	switch (desired_access & SMB_DA_ACCESS_MASK) {
97 	case SMB_DA_ACCESS_READ:
98 		return (FILE_GENERIC_READ);
99 
100 	case SMB_DA_ACCESS_WRITE:
101 		return (FILE_GENERIC_WRITE);
102 
103 	case SMB_DA_ACCESS_READ_WRITE:
104 		return (FILE_GENERIC_READ | FILE_GENERIC_WRITE);
105 
106 	case SMB_DA_ACCESS_EXECUTE:
107 		return (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE);
108 
109 	default:
110 		return (FILE_GENERIC_ALL);
111 	}
112 }
113 
114 /*
115  * smb_denymode_to_sharemode
116  *
117  * This function converts deny modes used by Open and Open AndX
118  * commands to share access bits used by NT Create AndX command.
119  */
120 uint32_t
121 smb_denymode_to_sharemode(uint32_t desired_access, char *fname)
122 {
123 	switch (desired_access & SMB_DA_SHARE_MASK) {
124 	case SMB_DA_SHARE_COMPATIBILITY:
125 		if (smb_is_executable(fname))
126 			return (FILE_SHARE_READ | FILE_SHARE_WRITE);
127 
128 		return (FILE_SHARE_ALL);
129 
130 	case SMB_DA_SHARE_EXCLUSIVE:
131 		return (FILE_SHARE_NONE);
132 
133 	case SMB_DA_SHARE_DENY_WRITE:
134 		return (FILE_SHARE_READ);
135 
136 	case SMB_DA_SHARE_DENY_READ:
137 		return (FILE_SHARE_WRITE);
138 
139 	case SMB_DA_SHARE_DENY_NONE:
140 	default:
141 		return (FILE_SHARE_READ | FILE_SHARE_WRITE);
142 	}
143 }
144 
145 /*
146  * smb_ofun_to_crdisposition
147  *
148  * This function converts open function values used by Open and Open AndX
149  * commands to create disposition values used by NT Create AndX command.
150  */
151 uint32_t
152 smb_ofun_to_crdisposition(uint16_t  ofun)
153 {
154 	static int ofun_cr_map[3][2] =
155 	{
156 		{ -1,			FILE_CREATE },
157 		{ FILE_OPEN,		FILE_OPEN_IF },
158 		{ FILE_OVERWRITE,	FILE_OVERWRITE_IF }
159 	};
160 
161 	int row = ofun & SMB_OFUN_OPEN_MASK;
162 	int col = (ofun & SMB_OFUN_CREATE_MASK) >> 4;
163 
164 	if (row == 3)
165 		return (FILE_MAXIMUM_DISPOSITION + 1);
166 
167 	return (ofun_cr_map[row][col]);
168 }
169 
170 /*
171  * smb_common_open
172  *
173  * Notes on write-through behaviour. It looks like pre-LM0.12 versions
174  * of the protocol specify the write-through mode when a file is opened,
175  * (SmbOpen, SmbOpenAndX) so the write calls (SmbWrite, SmbWriteAndClose,
176  * SmbWriteAndUnlock) don't need to contain a write-through flag.
177  *
178  * With LM0.12, the open calls (SmbCreateAndX, SmbNtTransactCreate)
179  * don't indicate which write-through mode to use. Instead the write
180  * calls (SmbWriteAndX, SmbWriteRaw) specify the mode on a per call
181  * basis.
182  *
183  * We don't care which open call was used to get us here, we just need
184  * to ensure that the write-through mode flag is copied from the open
185  * parameters to the node. We test the omode write-through flag in all
186  * write functions.
187  *
188  * This function returns NT status codes.
189  *
190  * The following rules apply when processing a file open request:
191  *
192  * - Oplocks must be broken prior to share checking as the break may
193  *   cause other clients to close the file, which would affect sharing
194  *   checks.
195  *
196  * - Share checks must take place prior to access checks for correct
197  * Windows semantics and to prevent unnecessary NFS delegation recalls.
198  *
199  * - Oplocks must be acquired after open to ensure the correct
200  * synchronization with NFS delegation and FEM installation.
201  *
202  * DOS readonly bit rules
203  *
204  * 1. The creator of a readonly file can write to/modify the size of the file
205  * using the original create fid, even though the file will appear as readonly
206  * to all other fids and via a CIFS getattr call.
207  *
208  * 2. A setinfo operation (using either an open fid or a path) to set/unset
209  * readonly will be successful regardless of whether a creator of a readonly
210  * file has an open fid.
211  *
212  * 3. The DOS readonly bit affects only data and some metadata.
213  * The following metadata can be changed regardless of the readonly bit:
214  *	- security descriptors
215  *	- DOS attributes
216  *	- timestamps
217  *
218  * In the current implementation, the file size cannot be changed (except for
219  * the exceptions in #1 and #2, above).
220  *
221  *
222  * DOS attribute rules
223  *
224  * These rules are specific to creating / opening files and directories.
225  * How the attribute value (specifically ZERO or FILE_ATTRIBUTE_NORMAL)
226  * should be interpreted may differ in other requests.
227  *
228  * - An attribute value equal to ZERO or FILE_ATTRIBUTE_NORMAL means that the
229  *   file's attributes should be cleared.
230  * - If FILE_ATTRIBUTE_NORMAL is specified with any other attributes,
231  *   FILE_ATTRIBUTE_NORMAL is ignored.
232  *
233  * 1. Creating a new file
234  * - The request attributes + FILE_ATTRIBUTE_ARCHIVE are applied to the file.
235  *
236  * 2. Creating a new directory
237  * - The request attributes + FILE_ATTRIBUTE_DIRECTORY are applied to the file.
238  * - FILE_ATTRIBUTE_ARCHIVE does not get set.
239  *
240  * 3. Overwriting an existing file
241  * - the request attributes are used as search attributes. If the existing
242  *   file does not meet the search criteria access is denied.
243  * - otherwise, applies attributes + FILE_ATTRIBUTE_ARCHIVE.
244  *
245  * 4. Opening an existing file or directory
246  *    The request attributes are ignored.
247  */
248 uint32_t
249 smb_common_open(smb_request_t *sr)
250 {
251 	smb_server_t	*sv = sr->sr_server;
252 	smb_tree_t	*tree = sr->tid_tree;
253 	smb_node_t	*fnode = NULL;
254 	smb_node_t	*dnode = NULL;
255 	smb_node_t	*cur_node = NULL;
256 	smb_arg_open_t	*op = &sr->sr_open;
257 	smb_pathname_t	*pn = &op->fqi.fq_path;
258 	smb_ofile_t	*of = NULL;
259 	smb_attr_t	new_attr;
260 	hrtime_t	shrlock_t0;
261 	int		max_requested = 0;
262 	uint32_t	max_allowed;
263 	uint32_t	status = NT_STATUS_SUCCESS;
264 	int		is_dir;
265 	int		rc;
266 	boolean_t	is_stream = B_FALSE;
267 	int		lookup_flags = SMB_FOLLOW_LINKS;
268 	uint32_t	uniq_fid = 0;
269 	uint16_t	tree_fid = 0;
270 	boolean_t	created = B_FALSE;
271 	boolean_t	last_comp_found = B_FALSE;
272 	boolean_t	opening_incr = B_FALSE;
273 	boolean_t	dnode_held = B_FALSE;
274 	boolean_t	dnode_wlock = B_FALSE;
275 	boolean_t	fnode_held = B_FALSE;
276 	boolean_t	fnode_wlock = B_FALSE;
277 	boolean_t	fnode_shrlk = B_FALSE;
278 	boolean_t	did_open = B_FALSE;
279 	boolean_t	did_break_handle = B_FALSE;
280 	boolean_t	did_cleanup_orphans = B_FALSE;
281 
282 	/* Get out now if we've been cancelled. */
283 	mutex_enter(&sr->sr_mutex);
284 	if (sr->sr_state != SMB_REQ_STATE_ACTIVE) {
285 		mutex_exit(&sr->sr_mutex);
286 		return (NT_STATUS_CANCELLED);
287 	}
288 	mutex_exit(&sr->sr_mutex);
289 
290 	is_dir = (op->create_options & FILE_DIRECTORY_FILE) ? 1 : 0;
291 
292 	/*
293 	 * If the object being created or opened is a directory
294 	 * the Disposition parameter must be one of FILE_CREATE,
295 	 * FILE_OPEN, or FILE_OPEN_IF
296 	 */
297 	if (is_dir) {
298 		if ((op->create_disposition != FILE_CREATE) &&
299 		    (op->create_disposition != FILE_OPEN_IF) &&
300 		    (op->create_disposition != FILE_OPEN)) {
301 			return (NT_STATUS_INVALID_PARAMETER);
302 		}
303 	}
304 
305 	if (op->desired_access & MAXIMUM_ALLOWED) {
306 		max_requested = 1;
307 		op->desired_access &= ~MAXIMUM_ALLOWED;
308 	}
309 	op->desired_access = smb_access_generic_to_file(op->desired_access);
310 
311 	if (sr->session->s_file_cnt >= smb_session_ofile_max) {
312 		ASSERT(sr->uid_user);
313 		cmn_err(CE_NOTE, "smbsrv[%s\\%s]: TOO_MANY_OPENED_FILES",
314 		    sr->uid_user->u_domain, sr->uid_user->u_name);
315 		return (NT_STATUS_TOO_MANY_OPENED_FILES);
316 	}
317 
318 	if (smb_idpool_alloc(&tree->t_fid_pool, &tree_fid))
319 		return (NT_STATUS_TOO_MANY_OPENED_FILES);
320 
321 	/* This must be NULL at this point */
322 	sr->fid_ofile = NULL;
323 
324 	op->devstate = 0;
325 
326 	switch (sr->tid_tree->t_res_type & STYPE_MASK) {
327 	case STYPE_DISKTREE:
328 	case STYPE_PRINTQ:
329 		break;
330 
331 	case STYPE_IPC:
332 		/*
333 		 * Security descriptors for pipes are not implemented,
334 		 * so just setup a reasonable access mask.
335 		 */
336 		op->desired_access = (READ_CONTROL | SYNCHRONIZE |
337 		    FILE_READ_DATA | FILE_READ_ATTRIBUTES |
338 		    FILE_WRITE_DATA | FILE_APPEND_DATA);
339 
340 		/*
341 		 * Limit the number of open pipe instances.
342 		 */
343 		if ((rc = smb_threshold_enter(&sv->sv_opipe_ct)) != 0) {
344 			status = RPC_NT_SERVER_TOO_BUSY;
345 			goto errout;
346 		}
347 
348 		/*
349 		 * Most of IPC open is handled in smb_opipe_open()
350 		 */
351 		op->create_options = 0;
352 		of = smb_ofile_alloc(sr, op, NULL, SMB_FTYPE_MESG_PIPE,
353 		    tree_fid);
354 		tree_fid = 0; // given to the ofile
355 		status = smb_opipe_open(sr, of);
356 		smb_threshold_exit(&sv->sv_opipe_ct);
357 		if (status != NT_STATUS_SUCCESS)
358 			goto errout;
359 		return (NT_STATUS_SUCCESS);
360 
361 	default:
362 		status = NT_STATUS_BAD_DEVICE_TYPE;
363 		goto errout;
364 	}
365 
366 	smb_pathname_init(sr, pn, pn->pn_path);
367 	if (!smb_pathname_validate(sr, pn)) {
368 		status = sr->smb_error.status;
369 		goto errout;
370 	}
371 
372 	if (strlen(pn->pn_path) >= SMB_MAXPATHLEN) {
373 		status = NT_STATUS_OBJECT_PATH_INVALID;
374 		goto errout;
375 	}
376 
377 	if (is_dir) {
378 		if (!smb_validate_dirname(sr, pn)) {
379 			status = sr->smb_error.status;
380 			goto errout;
381 		}
382 	} else {
383 		if (!smb_validate_object_name(sr, pn)) {
384 			status = sr->smb_error.status;
385 			goto errout;
386 		}
387 	}
388 
389 	cur_node = op->fqi.fq_dnode ?
390 	    op->fqi.fq_dnode : sr->tid_tree->t_snode;
391 
392 	rc = smb_pathname_reduce(sr, sr->user_cr, pn->pn_path,
393 	    sr->tid_tree->t_snode, cur_node, &op->fqi.fq_dnode,
394 	    op->fqi.fq_last_comp);
395 	if (rc != 0) {
396 		status = smb_errno2status(rc);
397 		goto errout;
398 	}
399 	dnode = op->fqi.fq_dnode;
400 	dnode_held = B_TRUE;
401 
402 	/*
403 	 * Lock the parent dir node in case another create
404 	 * request to the same parent directory comes in.
405 	 * Drop this once either lookup succeeds, or we've
406 	 * created the object in this directory.
407 	 */
408 	smb_node_wrlock(dnode);
409 	dnode_wlock = B_TRUE;
410 
411 	/*
412 	 * If the access mask has only DELETE set (ignore
413 	 * FILE_READ_ATTRIBUTES), then assume that this
414 	 * is a request to delete the link (if a link)
415 	 * and do not follow links.  Otherwise, follow
416 	 * the link to the target.
417 	 */
418 	if ((op->desired_access & ~FILE_READ_ATTRIBUTES) == DELETE)
419 		lookup_flags &= ~SMB_FOLLOW_LINKS;
420 
421 	rc = smb_fsop_lookup_name(sr, zone_kcred(), lookup_flags,
422 	    sr->tid_tree->t_snode, op->fqi.fq_dnode, op->fqi.fq_last_comp,
423 	    &op->fqi.fq_fnode);
424 
425 	if (rc == 0) {
426 		last_comp_found = B_TRUE;
427 		fnode_held = B_TRUE;
428 
429 		/*
430 		 * Need the DOS attributes below, where we
431 		 * check the search attributes (sattr).
432 		 * Also UID, for owner check below.
433 		 */
434 		op->fqi.fq_fattr.sa_mask = SMB_AT_DOSATTR | SMB_AT_UID;
435 		rc = smb_node_getattr(sr, op->fqi.fq_fnode, zone_kcred(),
436 		    NULL, &op->fqi.fq_fattr);
437 		if (rc != 0) {
438 			status = NT_STATUS_INTERNAL_ERROR;
439 			goto errout;
440 		}
441 	} else if (rc == ENOENT) {
442 		last_comp_found = B_FALSE;
443 		op->fqi.fq_fnode = NULL;
444 		rc = 0;
445 	} else {
446 		status = smb_errno2status(rc);
447 		goto errout;
448 	}
449 
450 	if (last_comp_found) {
451 
452 		smb_node_unlock(dnode);
453 		dnode_wlock = B_FALSE;
454 
455 		fnode = op->fqi.fq_fnode;
456 		dnode = op->fqi.fq_dnode;
457 
458 		if (!smb_node_is_file(fnode) &&
459 		    !smb_node_is_dir(fnode) &&
460 		    !smb_node_is_symlink(fnode)) {
461 			status = NT_STATUS_ACCESS_DENIED;
462 			goto errout;
463 		}
464 
465 		/*
466 		 * Reject this request if either:
467 		 * - the target IS a directory and the client requires that
468 		 *   it must NOT be (required by Lotus Notes)
469 		 * - the target is NOT a directory and client requires that
470 		 *   it MUST be.
471 		 */
472 		if (smb_node_is_dir(fnode)) {
473 			if (op->create_options & FILE_NON_DIRECTORY_FILE) {
474 				status = NT_STATUS_FILE_IS_A_DIRECTORY;
475 				goto errout;
476 			}
477 		} else {
478 			if ((op->create_options & FILE_DIRECTORY_FILE) ||
479 			    (op->nt_flags & NT_CREATE_FLAG_OPEN_TARGET_DIR)) {
480 				status = NT_STATUS_NOT_A_DIRECTORY;
481 				goto errout;
482 			}
483 		}
484 
485 		/*
486 		 * No more open should be accepted when "Delete on close"
487 		 * flag is set.
488 		 */
489 		if (fnode->flags & NODE_FLAGS_DELETE_ON_CLOSE) {
490 			status = NT_STATUS_DELETE_PENDING;
491 			goto errout;
492 		}
493 
494 		/*
495 		 * Specified file already exists so the operation should fail.
496 		 */
497 		if (op->create_disposition == FILE_CREATE) {
498 			status = NT_STATUS_OBJECT_NAME_COLLISION;
499 			goto errout;
500 		}
501 
502 		/*
503 		 * Windows seems to check read-only access before file
504 		 * sharing check.
505 		 *
506 		 * Check to see if the file is currently readonly (regardless
507 		 * of whether this open will make it readonly).
508 		 * Readonly is ignored on directories.
509 		 */
510 		if (SMB_PATHFILE_IS_READONLY(sr, fnode) &&
511 		    !smb_node_is_dir(fnode)) {
512 			if (op->desired_access &
513 			    (FILE_WRITE_DATA | FILE_APPEND_DATA)) {
514 				status = NT_STATUS_ACCESS_DENIED;
515 				goto errout;
516 			}
517 			if (op->create_options & FILE_DELETE_ON_CLOSE) {
518 				status = NT_STATUS_CANNOT_DELETE;
519 				goto errout;
520 			}
521 		}
522 
523 		if ((op->create_disposition == FILE_SUPERSEDE) ||
524 		    (op->create_disposition == FILE_OVERWRITE_IF) ||
525 		    (op->create_disposition == FILE_OVERWRITE)) {
526 
527 			if (!smb_sattr_check(op->fqi.fq_fattr.sa_dosattr,
528 			    op->dattr)) {
529 				status = NT_STATUS_ACCESS_DENIED;
530 				goto errout;
531 			}
532 
533 			if (smb_node_is_dir(fnode)) {
534 				status = NT_STATUS_ACCESS_DENIED;
535 				goto errout;
536 			}
537 		}
538 
539 		/* MS-FSA 2.1.5.1.2 */
540 		if (op->create_disposition == FILE_SUPERSEDE)
541 			op->desired_access |= DELETE;
542 		if ((op->create_disposition == FILE_OVERWRITE_IF) ||
543 		    (op->create_disposition == FILE_OVERWRITE))
544 			op->desired_access |= FILE_WRITE_DATA;
545 
546 		/* Dataset roots can't be deleted, so don't set DOC */
547 		if ((op->create_options & FILE_DELETE_ON_CLOSE) != 0 &&
548 		    (fnode->flags & NODE_FLAGS_VFSROOT) != 0) {
549 			status = NT_STATUS_CANNOT_DELETE;
550 			goto errout;
551 		}
552 
553 		status = smb_fsop_access(sr, sr->user_cr, fnode,
554 		    op->desired_access);
555 		if (status != NT_STATUS_SUCCESS)
556 			goto errout;
557 
558 		if (max_requested) {
559 			smb_fsop_eaccess(sr, sr->user_cr, fnode, &max_allowed);
560 			op->desired_access |= max_allowed;
561 		}
562 
563 		/*
564 		 * File owner should always get read control + read attr.
565 		 */
566 		if (crgetuid(sr->user_cr) == op->fqi.fq_fattr.sa_vattr.va_uid)
567 			op->desired_access |=
568 			    (READ_CONTROL | FILE_READ_ATTRIBUTES);
569 
570 		/*
571 		 * According to MS "dochelp" mail in Mar 2015, any handle
572 		 * on which read or write access is granted implicitly
573 		 * gets "read attributes", even if it was not requested.
574 		 */
575 		if ((op->desired_access & FILE_DATA_ALL) != 0)
576 			op->desired_access |= FILE_READ_ATTRIBUTES;
577 
578 		/*
579 		 * Oplock break is done prior to sharing checks as the break
580 		 * may cause other clients to close the file which would
581 		 * affect the sharing checks, and may delete the file due to
582 		 * DELETE_ON_CLOSE. This may block, so set the file opening
583 		 * count before oplock stuff.
584 		 *
585 		 * Need the "proposed" ofile (and its TargetOplockKey) for
586 		 * correct oplock break semantics.
587 		 */
588 		of = smb_ofile_alloc(sr, op, fnode, SMB_FTYPE_DISK,
589 		    tree_fid);
590 		tree_fid = 0; // given to the ofile
591 		uniq_fid = of->f_uniqid;
592 
593 		smb_node_inc_opening_count(fnode);
594 		opening_incr = B_TRUE;
595 
596 		/*
597 		 * XXX Supposed to do share access checks next.
598 		 * [MS-FSA] describes that as part of access check:
599 		 * 2.1.5.1.2.1 Alg... Check Access to an Existing File
600 		 *
601 		 * If CreateDisposition is FILE_OPEN or FILE_OPEN_IF:
602 		 *   If Open.Stream.Oplock is not empty and
603 		 *   Open.Stream.Oplock.State contains BATCH_OPLOCK,
604 		 *   the object store MUST check for an oplock
605 		 *   break according to the algorithm in section 2.1.4.12,
606 		 *   with input values as follows:
607 		 *	Open equal to this operation's Open
608 		 *	Oplock equal to Open.Stream.Oplock
609 		 *	Operation equal to "OPEN"
610 		 *	OpParams containing two members:
611 		 *	  DesiredAccess, CreateDisposition
612 		 *
613 		 * It's not clear how Windows would ask the FS layer if
614 		 * the file has a BATCH oplock.  We'll use a call to the
615 		 * common oplock code, which calls smb_oplock_break_OPEN
616 		 * only if the oplock state contains BATCH_OPLOCK.
617 		 * See: smb_oplock_break_BATCH()
618 		 *
619 		 * Also note: There's a nearly identical section in the
620 		 * spec. at the start of the "else" part of the above
621 		 * "if (disposition is overwrite, overwrite_if)" so this
622 		 * section (oplock break, the share mode check, and the
623 		 * next oplock_break_HANDLE) are all factored out to be
624 		 * in all cases above that if/else from the spec.
625 		 */
626 		status = smb_oplock_break_BATCH(fnode, of,
627 		    op->desired_access, op->create_disposition);
628 		if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) {
629 			if (sr->session->dialect >= SMB_VERS_2_BASE)
630 				(void) smb2sr_go_async(sr);
631 			(void) smb_oplock_wait_break(fnode, 0);
632 			status = 0;
633 		}
634 		if (status != NT_STATUS_SUCCESS)
635 			goto errout;
636 
637 		/*
638 		 * Check for sharing violations, and if any,
639 		 * do oplock break of handle caching.
640 		 *
641 		 * Need node_wrlock during shrlock checks,
642 		 * and not locked during oplock breaks etc.
643 		 */
644 		shrlock_t0 = gethrtime();
645 	shrlock_again:
646 		smb_node_wrlock(fnode);
647 		fnode_wlock = B_TRUE;
648 		status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid,
649 		    op->desired_access, op->share_access);
650 		smb_node_unlock(fnode);
651 		fnode_wlock = B_FALSE;
652 
653 		/*
654 		 * [MS-FSA] "OPEN_BREAK_H"
655 		 * If the (proposed) new open would violate sharing rules,
656 		 * indicate an oplock break with OPEN_BREAK_H (to break
657 		 * handle level caching rights) then try again.
658 		 */
659 		if (status == NT_STATUS_SHARING_VIOLATION &&
660 		    did_break_handle == B_FALSE) {
661 			did_break_handle = B_TRUE;
662 
663 			status = smb_oplock_break_HANDLE(fnode, of);
664 			if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) {
665 				if (sr->session->dialect >= SMB_VERS_2_BASE)
666 					(void) smb2sr_go_async(sr);
667 				(void) smb_oplock_wait_break(fnode, 0);
668 				status = 0;
669 			} else {
670 				/*
671 				 * Even when the oplock layer does NOT
672 				 * give us the special status indicating
673 				 * we should wait, it may have scheduled
674 				 * taskq jobs that may close handles.
675 				 * Give those a chance to run before we
676 				 * check again for sharing violations.
677 				 */
678 				delay(MSEC_TO_TICK(10));
679 			}
680 			if (status != NT_STATUS_SUCCESS)
681 				goto errout;
682 
683 			goto shrlock_again;
684 		}
685 
686 		/*
687 		 * If we still have orphaned durable handles on this file,
688 		 * let's assume the client has lost interest in those and
689 		 * close them so they don't cause sharing violations.
690 		 * See longer comment at smb2_dh_close_my_orphans().
691 		 */
692 		if (status == NT_STATUS_SHARING_VIOLATION &&
693 		    sr->session->dialect >= SMB_VERS_2_BASE &&
694 		    did_cleanup_orphans == B_FALSE) {
695 
696 			did_cleanup_orphans = B_TRUE;
697 			smb2_dh_close_my_orphans(sr, of);
698 
699 			goto shrlock_again;
700 		}
701 
702 		/*
703 		 * SMB1 expects a 1 sec. delay before returning a
704 		 * sharing violation error.  If breaking oplocks
705 		 * above took less than a sec, wait some more.
706 		 * See: smbtorture base.defer_open
707 		 */
708 		if (status == NT_STATUS_SHARING_VIOLATION &&
709 		    sr->session->dialect < SMB_VERS_2_BASE) {
710 			hrtime_t t1 = shrlock_t0 + NANOSEC;
711 			hrtime_t now = gethrtime();
712 			if (now < t1) {
713 				delay(NSEC_TO_TICK_ROUNDUP(t1 - now));
714 			}
715 		}
716 
717 		if (status != NT_STATUS_SUCCESS)
718 			goto errout;
719 		fnode_shrlk = B_TRUE;
720 
721 		/*
722 		 * The [MS-FSA] spec. describes this oplock break as
723 		 * part of the sharing access checks.  See:
724 		 * 2.1.5.1.2.2 Algorithm to Check Sharing Access...
725 		 * At the end of the share mode tests described there,
726 		 * if it has not returned "sharing violation", it
727 		 * specifies a call to the alg. in sec. 2.1.4.12,
728 		 * that boils down to: smb_oplock_break_OPEN()
729 		 */
730 		status = smb_oplock_break_OPEN(fnode, of,
731 		    op->desired_access,
732 		    op->create_disposition);
733 		if (status == NT_STATUS_OPLOCK_BREAK_IN_PROGRESS) {
734 			if (sr->session->dialect >= SMB_VERS_2_BASE)
735 				(void) smb2sr_go_async(sr);
736 			(void) smb_oplock_wait_break(fnode, 0);
737 			status = 0;
738 		}
739 		if (status != NT_STATUS_SUCCESS)
740 			goto errout;
741 
742 		if ((fnode->flags & NODE_FLAGS_DELETE_COMMITTED) != 0) {
743 			/*
744 			 * Breaking the oplock caused the file to be deleted,
745 			 * so let's bail and pretend the file wasn't found.
746 			 * Have to duplicate much of the logic found a the
747 			 * "errout" label here.
748 			 *
749 			 * This code path is exercised by smbtorture
750 			 * smb2.durable-open.delete_on_close1
751 			 */
752 			DTRACE_PROBE1(node_deleted, smb_node_t, fnode);
753 			smb_ofile_free(of);
754 			of = NULL;
755 			last_comp_found = B_FALSE;
756 
757 			/*
758 			 * Get all the holds and locks into the state
759 			 * they would have if lookup had failed.
760 			 */
761 			fnode_shrlk = B_FALSE;
762 			smb_fsop_unshrlock(sr->user_cr, fnode, uniq_fid);
763 
764 			opening_incr = B_FALSE;
765 			smb_node_dec_opening_count(fnode);
766 
767 			fnode_held = B_FALSE;
768 			smb_node_release(fnode);
769 
770 			dnode_wlock = B_TRUE;
771 			smb_node_wrlock(dnode);
772 
773 			goto create;
774 		}
775 
776 		/*
777 		 * Go ahead with modifications as necessary.
778 		 */
779 		switch (op->create_disposition) {
780 		case FILE_SUPERSEDE:
781 		case FILE_OVERWRITE_IF:
782 		case FILE_OVERWRITE:
783 			op->dattr |= FILE_ATTRIBUTE_ARCHIVE;
784 			/* Don't apply readonly until smb_set_open_attributes */
785 			if (op->dattr & FILE_ATTRIBUTE_READONLY) {
786 				op->dattr &= ~FILE_ATTRIBUTE_READONLY;
787 				op->created_readonly = B_TRUE;
788 			}
789 
790 			/*
791 			 * Truncate the file data here.
792 			 * We set alloc_size = op->dsize later,
793 			 * after we have an ofile.  See:
794 			 * smb_set_open_attributes
795 			 */
796 			bzero(&new_attr, sizeof (new_attr));
797 			new_attr.sa_dosattr = op->dattr;
798 			new_attr.sa_vattr.va_size = 0;
799 			new_attr.sa_mask = SMB_AT_DOSATTR | SMB_AT_SIZE;
800 			rc = smb_fsop_setattr(sr, sr->user_cr, fnode,
801 			    &new_attr);
802 			if (rc != 0) {
803 				status = smb_errno2status(rc);
804 				goto errout;
805 			}
806 
807 			/*
808 			 * If file is being replaced, remove existing streams
809 			 */
810 			if (SMB_IS_STREAM(fnode) == 0) {
811 				status = smb_fsop_remove_streams(sr,
812 				    sr->user_cr, fnode);
813 				if (status != 0)
814 					goto errout;
815 			}
816 
817 			op->action_taken = SMB_OACT_TRUNCATED;
818 			break;
819 
820 		default:
821 			/*
822 			 * FILE_OPEN or FILE_OPEN_IF.
823 			 */
824 			/*
825 			 * Ignore any user-specified alloc_size for
826 			 * existing files, to avoid truncation in
827 			 * smb_set_open_attributes
828 			 */
829 			op->dsize = 0L;
830 			op->action_taken = SMB_OACT_OPENED;
831 			break;
832 		}
833 	} else {
834 create:
835 		/* Last component was not found. */
836 		dnode = op->fqi.fq_dnode;
837 
838 		if (is_dir == 0)
839 			is_stream = smb_is_stream_name(pn->pn_path);
840 
841 		if ((op->create_disposition == FILE_OPEN) ||
842 		    (op->create_disposition == FILE_OVERWRITE)) {
843 			status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
844 			goto errout;
845 		}
846 
847 		if (pn->pn_fname && smb_is_invalid_filename(pn->pn_fname)) {
848 			status = NT_STATUS_OBJECT_NAME_INVALID;
849 			goto errout;
850 		}
851 
852 		/*
853 		 * Don't create in directories marked "Delete on close".
854 		 */
855 		if (dnode->flags & NODE_FLAGS_DELETE_ON_CLOSE) {
856 			status = NT_STATUS_DELETE_PENDING;
857 			goto errout;
858 		}
859 
860 		/*
861 		 * Create always sets the DOS attributes, type, and mode
862 		 * in the if/else below (different for file vs directory).
863 		 * Don't set the readonly bit until smb_set_open_attributes
864 		 * or that would prevent this open.  Note that op->dattr
865 		 * needs to be what smb_set_open_attributes will use,
866 		 * except for the readonly bit.
867 		 */
868 		bzero(&new_attr, sizeof (new_attr));
869 		new_attr.sa_mask = SMB_AT_DOSATTR | SMB_AT_TYPE | SMB_AT_MODE;
870 		if (op->dattr & FILE_ATTRIBUTE_READONLY) {
871 			op->dattr &= ~FILE_ATTRIBUTE_READONLY;
872 			op->created_readonly = B_TRUE;
873 		}
874 
875 		/*
876 		 * SMB create can specify the create time.
877 		 */
878 		if ((op->crtime.tv_sec != 0) &&
879 		    (op->crtime.tv_sec != UINT_MAX)) {
880 			new_attr.sa_mask |= SMB_AT_CRTIME;
881 			new_attr.sa_crtime = op->crtime;
882 		}
883 
884 		if (is_dir == 0) {
885 			op->dattr |= FILE_ATTRIBUTE_ARCHIVE;
886 			new_attr.sa_dosattr = op->dattr;
887 			new_attr.sa_vattr.va_type = VREG;
888 			if (is_stream)
889 				new_attr.sa_vattr.va_mode = S_IRUSR | S_IWUSR;
890 			else
891 				new_attr.sa_vattr.va_mode =
892 				    S_IRUSR | S_IRGRP | S_IROTH |
893 				    S_IWUSR | S_IWGRP | S_IWOTH;
894 
895 			/*
896 			 * We set alloc_size = op->dsize later,
897 			 * (in smb_set_open_attributes) after we
898 			 * have an ofile on which to save that.
899 			 *
900 			 * Legacy Open&X sets size to alloc_size
901 			 * when creating a new file.
902 			 */
903 			if (sr->smb_com == SMB_COM_OPEN_ANDX) {
904 				new_attr.sa_vattr.va_size = op->dsize;
905 				new_attr.sa_mask |= SMB_AT_SIZE;
906 			}
907 
908 			rc = smb_fsop_create(sr, sr->user_cr, dnode,
909 			    op->fqi.fq_last_comp, &new_attr, &op->fqi.fq_fnode);
910 		} else {
911 			op->dattr |= FILE_ATTRIBUTE_DIRECTORY;
912 			new_attr.sa_dosattr = op->dattr;
913 			new_attr.sa_vattr.va_type = VDIR;
914 			new_attr.sa_vattr.va_mode = 0777;
915 
916 			rc = smb_fsop_mkdir(sr, sr->user_cr, dnode,
917 			    op->fqi.fq_last_comp, &new_attr, &op->fqi.fq_fnode);
918 		}
919 		if (rc != 0) {
920 			status = smb_errno2status(rc);
921 			goto errout;
922 		}
923 
924 		/* Create done. */
925 		smb_node_unlock(dnode);
926 		dnode_wlock = B_FALSE;
927 
928 		created = B_TRUE;
929 		op->action_taken = SMB_OACT_CREATED;
930 
931 		/* Note: hold from create */
932 		fnode = op->fqi.fq_fnode;
933 		fnode_held = B_TRUE;
934 
935 		if (max_requested) {
936 			smb_fsop_eaccess(sr, sr->user_cr, fnode, &max_allowed);
937 			op->desired_access |= max_allowed;
938 		}
939 		/*
940 		 * We created this object (we own it) so grant
941 		 * read_control + read_attributes on this handle,
942 		 * even if that was not requested.  This avoids
943 		 * unexpected access failures later.
944 		 */
945 		op->desired_access |= (READ_CONTROL | FILE_READ_ATTRIBUTES);
946 
947 		/* Allocate the ofile and fill in most of it. */
948 		of = smb_ofile_alloc(sr, op, fnode, SMB_FTYPE_DISK,
949 		    tree_fid);
950 		tree_fid = 0; // given to the ofile
951 		uniq_fid = of->f_uniqid;
952 
953 		smb_node_inc_opening_count(fnode);
954 		opening_incr = B_TRUE;
955 
956 		/*
957 		 * Share access checks...
958 		 */
959 		smb_node_wrlock(fnode);
960 		fnode_wlock = B_TRUE;
961 
962 		status = smb_fsop_shrlock(sr->user_cr, fnode, uniq_fid,
963 		    op->desired_access, op->share_access);
964 		if (status != 0)
965 			goto errout;
966 		fnode_shrlk = B_TRUE;
967 
968 		/*
969 		 * MS-FSA 2.1.5.1.1
970 		 * If the Oplock member of the DirectoryStream in
971 		 * Link.ParentFile.StreamList (ParentOplock) is
972 		 * not empty ... oplock break on the parent...
973 		 * (dnode is the parent directory)
974 		 *
975 		 * This compares of->ParentOplockKey with each
976 		 * oplock of->TargetOplockKey and breaks...
977 		 * so it's OK that we're passing an OF that's
978 		 * NOT a member of dnode->n_ofile_list
979 		 *
980 		 * The break never blocks, so ignore the return.
981 		 */
982 		(void) smb_oplock_break_PARENT(dnode, of);
983 	}
984 
985 	/*
986 	 * We might have blocked in smb_oplock_break_OPEN long enough
987 	 * so a tree disconnect might have happened.  In that case,
988 	 * we would be adding an ofile to a tree that's disconnecting,
989 	 * which would interfere with tear-down.  If so, error out.
990 	 */
991 	if (!smb_tree_is_connected(sr->tid_tree)) {
992 		status = NT_STATUS_INVALID_PARAMETER;
993 		goto errout;
994 	}
995 
996 	/*
997 	 * Moved this up from smb_ofile_open()
998 	 */
999 	if ((rc = smb_fsop_open(fnode, of->f_mode, of->f_cr)) != 0) {
1000 		status = smb_errno2status(rc);
1001 		goto errout;
1002 	}
1003 
1004 	/*
1005 	 * Complete this open (add to ofile lists)
1006 	 */
1007 	smb_ofile_open(sr, op, of);
1008 	did_open = B_TRUE;
1009 
1010 	/*
1011 	 * This MUST be done after ofile creation, so that explicitly
1012 	 * set timestamps can be remembered on the ofile, and setting
1013 	 * the readonly flag won't affect access via this open.
1014 	 */
1015 	if ((rc = smb_set_open_attributes(sr, of)) != 0) {
1016 		status = smb_errno2status(rc);
1017 		goto errout;
1018 	}
1019 
1020 	/*
1021 	 * We've already done access checks above,
1022 	 * and want this call to succeed even when
1023 	 * !(desired_access & FILE_READ_ATTRIBUTES),
1024 	 * so pass kcred here.
1025 	 */
1026 	op->fqi.fq_fattr.sa_mask = SMB_AT_ALL;
1027 	(void) smb_node_getattr(sr, fnode, zone_kcred(), of,
1028 	    &op->fqi.fq_fattr);
1029 
1030 	/*
1031 	 * Propagate the write-through mode from the open params
1032 	 * to the node: see the notes in the function header.
1033 	 * XXX: write_through should be a flag on the ofile.
1034 	 */
1035 	if (sr->sr_cfg->skc_sync_enable ||
1036 	    (op->create_options & FILE_WRITE_THROUGH))
1037 		fnode->flags |= NODE_FLAGS_WRITE_THROUGH;
1038 
1039 	/*
1040 	 * Set up the fileid and dosattr in open_param for response
1041 	 */
1042 	op->fileid = op->fqi.fq_fattr.sa_vattr.va_nodeid;
1043 	op->dattr = op->fqi.fq_fattr.sa_dosattr;
1044 
1045 	/*
1046 	 * Set up the file type in open_param for the response
1047 	 */
1048 	op->ftype = SMB_FTYPE_DISK;
1049 	sr->smb_fid = of->f_fid;
1050 	sr->fid_ofile = of;
1051 
1052 	if (smb_node_is_file(fnode)) {
1053 		op->dsize = op->fqi.fq_fattr.sa_vattr.va_size;
1054 	} else {
1055 		/* directory or symlink */
1056 		op->dsize = 0;
1057 	}
1058 
1059 	/*
1060 	 * Note: oplock_acquire happens in callers, because
1061 	 * how that happens is protocol-specific.
1062 	 */
1063 
1064 	if (fnode_wlock)
1065 		smb_node_unlock(fnode);
1066 	if (opening_incr)
1067 		smb_node_dec_opening_count(fnode);
1068 	if (fnode_held)
1069 		smb_node_release(fnode);
1070 	if (dnode_wlock)
1071 		smb_node_unlock(dnode);
1072 	if (dnode_held)
1073 		smb_node_release(dnode);
1074 
1075 	return (NT_STATUS_SUCCESS);
1076 
1077 errout:
1078 	if (did_open) {
1079 		smb_ofile_close(of, 0);
1080 		/* rele via sr->fid_ofile */
1081 	} else if (of != NULL) {
1082 		/* No other refs possible */
1083 		smb_ofile_free(of);
1084 	}
1085 
1086 	if (fnode_shrlk)
1087 		smb_fsop_unshrlock(sr->user_cr, fnode, uniq_fid);
1088 
1089 	if (created) {
1090 		/* Try to roll-back create. */
1091 		smb_delete_new_object(sr);
1092 	}
1093 
1094 	if (fnode_wlock)
1095 		smb_node_unlock(fnode);
1096 	if (opening_incr)
1097 		smb_node_dec_opening_count(fnode);
1098 	if (fnode_held)
1099 		smb_node_release(fnode);
1100 	if (dnode_wlock)
1101 		smb_node_unlock(dnode);
1102 	if (dnode_held)
1103 		smb_node_release(dnode);
1104 
1105 	if (tree_fid != 0)
1106 		smb_idpool_free(&tree->t_fid_pool, tree_fid);
1107 
1108 	return (status);
1109 }
1110 
1111 /*
1112  * smb_set_open_attributes
1113  *
1114  * Last write time:
1115  * - If the last_write time specified in the open params is not 0 or -1,
1116  *   use it as file's mtime. This will be considered an explicitly set
1117  *   timestamps, not reset by subsequent writes.
1118  *
1119  * DOS attributes
1120  * - If we created_readonly, we now store the real DOS attributes
1121  *   (including the readonly bit) so subsequent opens will see it.
1122  *
1123  * Returns: errno
1124  */
1125 static int
1126 smb_set_open_attributes(smb_request_t *sr, smb_ofile_t *of)
1127 {
1128 	smb_attr_t	attr;
1129 	smb_arg_open_t	*op = &sr->sr_open;
1130 	smb_node_t	*node = of->f_node;
1131 	int		rc = 0;
1132 
1133 	bzero(&attr, sizeof (smb_attr_t));
1134 
1135 	if (op->created_readonly) {
1136 		attr.sa_dosattr = op->dattr | FILE_ATTRIBUTE_READONLY;
1137 		attr.sa_mask |= SMB_AT_DOSATTR;
1138 	}
1139 
1140 	if (op->dsize != 0) {
1141 		attr.sa_allocsz = op->dsize;
1142 		attr.sa_mask |= SMB_AT_ALLOCSZ;
1143 	}
1144 
1145 	if ((op->mtime.tv_sec != 0) && (op->mtime.tv_sec != UINT_MAX)) {
1146 		attr.sa_vattr.va_mtime = op->mtime;
1147 		attr.sa_mask |= SMB_AT_MTIME;
1148 	}
1149 
1150 	/*
1151 	 * Used to have code here to set mtime, ctime, atime
1152 	 * when the open op->create_disposition is any of:
1153 	 * FILE_SUPERSEDE, FILE_OVERWRITE_IF, FILE_OVERWRITE.
1154 	 * We know that in those cases we will have set the
1155 	 * file size, in which case the file system will
1156 	 * update those times, so we don't have to.
1157 	 *
1158 	 * However, keep track of the fact that we modified
1159 	 * the file via this handle, so we can do the evil,
1160 	 * gratuitious mtime update on close that Windows
1161 	 * clients expect.
1162 	 */
1163 	if (op->action_taken == SMB_OACT_TRUNCATED)
1164 		of->f_written = B_TRUE;
1165 
1166 	if (attr.sa_mask != 0)
1167 		rc = smb_node_setattr(sr, node, of->f_cr, of, &attr);
1168 
1169 	return (rc);
1170 }
1171 
1172 /*
1173  * This function is used to delete a newly created object (file or
1174  * directory) if an error occurs after creation of the object.
1175  */
1176 static void
1177 smb_delete_new_object(smb_request_t *sr)
1178 {
1179 	smb_arg_open_t	*op = &sr->sr_open;
1180 	smb_fqi_t	*fqi = &(op->fqi);
1181 	uint32_t	flags = 0;
1182 
1183 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1184 		flags |= SMB_IGNORE_CASE;
1185 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1186 		flags |= SMB_CATIA;
1187 
1188 	if (op->create_options & FILE_DIRECTORY_FILE)
1189 		(void) smb_fsop_rmdir(sr, sr->user_cr, fqi->fq_dnode,
1190 		    fqi->fq_last_comp, flags);
1191 	else
1192 		(void) smb_fsop_remove(sr, sr->user_cr, fqi->fq_dnode,
1193 		    fqi->fq_last_comp, flags);
1194 }
1195