xref: /titanic_52/usr/src/uts/common/fs/smbsrv/smb_opipe.c (revision e2c88f0c2610f16de7b639746b40dea5f3e2256e)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
23  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*
27  * This module provides the interface to NDR RPC.
28  */
29 
30 #include <sys/stat.h>
31 #include <sys/door.h>
32 #include <sys/door_data.h>
33 #include <sys/uio.h>
34 #include <sys/ksynch.h>
35 #include <smbsrv/smb_kproto.h>
36 #include <smbsrv/smb_xdr.h>
37 
38 #define	SMB_OPIPE_ISOPEN(OPIPE)	\
39 	(((OPIPE)->p_hdr.dh_magic == SMB_OPIPE_HDR_MAGIC) && \
40 	((OPIPE)->p_hdr.dh_fid))
41 
42 extern volatile uint32_t smb_fids;
43 
44 static int smb_opipe_do_open(smb_request_t *, smb_opipe_t *);
45 static char *smb_opipe_lookup(const char *);
46 static int smb_opipe_sethdr(smb_opipe_t *, uint32_t, uint32_t);
47 static int smb_opipe_exec(smb_opipe_t *);
48 static void smb_opipe_enter(smb_opipe_t *);
49 static void smb_opipe_exit(smb_opipe_t *);
50 
51 static door_handle_t smb_opipe_door_hd = NULL;
52 static int smb_opipe_door_id = -1;
53 static uint64_t smb_opipe_door_ncall = 0;
54 static kmutex_t smb_opipe_door_mutex;
55 static kcondvar_t smb_opipe_door_cv;
56 
57 static int smb_opipe_door_call(smb_opipe_t *);
58 static int smb_opipe_door_upcall(smb_opipe_t *);
59 
60 smb_opipe_t *
61 smb_opipe_alloc(smb_server_t *sv)
62 {
63 	smb_opipe_t	*opipe;
64 
65 	opipe = kmem_cache_alloc(sv->si_cache_opipe, KM_SLEEP);
66 
67 	bzero(opipe, sizeof (smb_opipe_t));
68 	mutex_init(&opipe->p_mutex, NULL, MUTEX_DEFAULT, NULL);
69 	cv_init(&opipe->p_cv, NULL, CV_DEFAULT, NULL);
70 	opipe->p_magic = SMB_OPIPE_MAGIC;
71 	opipe->p_server = sv;
72 
73 	smb_llist_enter(&sv->sv_opipe_list, RW_WRITER);
74 	smb_llist_insert_tail(&sv->sv_opipe_list, opipe);
75 	smb_llist_exit(&sv->sv_opipe_list);
76 
77 	return (opipe);
78 }
79 
80 void
81 smb_opipe_dealloc(smb_opipe_t *opipe)
82 {
83 	smb_server_t *sv;
84 
85 	SMB_OPIPE_VALID(opipe);
86 	sv = opipe->p_server;
87 	SMB_SERVER_VALID(sv);
88 
89 	smb_llist_enter(&sv->sv_opipe_list, RW_WRITER);
90 	smb_llist_remove(&sv->sv_opipe_list, opipe);
91 	smb_llist_exit(&sv->sv_opipe_list);
92 
93 	opipe->p_magic = (uint32_t)~SMB_OPIPE_MAGIC;
94 	smb_event_destroy(opipe->p_event);
95 	cv_destroy(&opipe->p_cv);
96 	mutex_destroy(&opipe->p_mutex);
97 
98 	kmem_cache_free(sv->si_cache_opipe, opipe);
99 }
100 
101 /*
102  * smb_opipe_open
103  *
104  * Open a well-known RPC named pipe. This routine should be called if
105  * a file open is requested on a share of type STYPE_IPC.
106  * If we recognize the pipe, we setup a new ofile.
107  *
108  * Returns 0 on success, Otherwise an NT status is returned to indicate
109  * an error.
110  */
111 int
112 smb_opipe_open(smb_request_t *sr)
113 {
114 	smb_arg_open_t	*op = &sr->sr_open;
115 	smb_ofile_t *of;
116 	smb_opipe_t *opipe;
117 	smb_doorhdr_t hdr;
118 	smb_error_t err;
119 	char *pipe_name;
120 
121 	if ((pipe_name = smb_opipe_lookup(op->fqi.fq_path.pn_path)) == NULL)
122 		return (NT_STATUS_OBJECT_NAME_NOT_FOUND);
123 
124 	/*
125 	 * If printing is disabled, pretend spoolss does not exist.
126 	 */
127 	if (sr->sr_server->sv_cfg.skc_print_enable == 0 &&
128 	    strcmp(pipe_name, "SPOOLSS") == 0)
129 		return (NT_STATUS_OBJECT_NAME_NOT_FOUND);
130 
131 	op->create_options = 0;
132 
133 	of = smb_ofile_open(sr, NULL, sr->smb_pid, op, SMB_FTYPE_MESG_PIPE,
134 	    SMB_UNIQ_FID(), &err);
135 
136 	if (of == NULL)
137 		return (err.status);
138 
139 	if (!smb_tree_is_connected(sr->tid_tree)) {
140 		smb_ofile_close(of, 0);
141 		smb_ofile_release(of);
142 		return (NT_STATUS_OBJECT_NAME_NOT_FOUND);
143 	}
144 
145 	op->dsize = 0x01000;
146 	op->dattr = FILE_ATTRIBUTE_NORMAL;
147 	op->ftype = SMB_FTYPE_MESG_PIPE;
148 	op->action_taken = SMB_OACT_LOCK | SMB_OACT_OPENED; /* 0x8001 */
149 	op->devstate = SMB_PIPE_READMODE_MESSAGE
150 	    | SMB_PIPE_TYPE_MESSAGE
151 	    | SMB_PIPE_UNLIMITED_INSTANCES; /* 0x05ff */
152 	op->fileid = of->f_fid;
153 
154 	sr->smb_fid = of->f_fid;
155 	sr->fid_ofile = of;
156 
157 	opipe = of->f_pipe;
158 	smb_opipe_enter(opipe);
159 
160 	opipe->p_server = of->f_server;
161 	opipe->p_name = pipe_name;
162 	opipe->p_doorbuf = kmem_zalloc(SMB_OPIPE_DOOR_BUFSIZE, KM_SLEEP);
163 
164 	/*
165 	 * p_data points to the offset within p_doorbuf at which
166 	 * data will be written or read.
167 	 */
168 	opipe->p_data = opipe->p_doorbuf + xdr_sizeof(smb_doorhdr_xdr, &hdr);
169 
170 	if (smb_opipe_do_open(sr, opipe) != 0) {
171 		/*
172 		 * On error, reset the header to clear the fid,
173 		 * which avoids confusion when smb_opipe_close() is
174 		 * called by smb_ofile_close().
175 		 */
176 		bzero(&opipe->p_hdr, sizeof (smb_doorhdr_t));
177 		kmem_free(opipe->p_doorbuf, SMB_OPIPE_DOOR_BUFSIZE);
178 		smb_opipe_exit(opipe);
179 		smb_ofile_close(of, 0);
180 		return (NT_STATUS_NO_MEMORY);
181 	}
182 	smb_opipe_exit(opipe);
183 	return (NT_STATUS_SUCCESS);
184 }
185 
186 /*
187  * smb_opipe_lookup
188  *
189  * Lookup a path to see if it's a well-known RPC named pipe that we support.
190  * The full pipe path will be in the form \\PIPE\\SERVICE.  The first part
191  * can be assumed, so all we need here are the service names.
192  *
193  * Returns a pointer to the pipe name (without any leading \'s) on success.
194  * Otherwise returns a null pointer.
195  */
196 static char *
197 smb_opipe_lookup(const char *path)
198 {
199 	static char *named_pipes[] = {
200 		"lsass",
201 		"LSARPC",
202 		"NETLOGON",
203 		"SAMR",
204 		"SPOOLSS",
205 		"SRVSVC",
206 		"SVCCTL",
207 		"WINREG",
208 		"WKSSVC",
209 		"EVENTLOG",
210 		"NETDFS"
211 	};
212 
213 	const char *name;
214 	int i;
215 
216 	if (path == NULL)
217 		return (NULL);
218 
219 	name = path;
220 	name += strspn(name, "\\");
221 	if (smb_strcasecmp(name, "PIPE", 4) == 0) {
222 		path += 4;
223 		name += strspn(name, "\\");
224 	}
225 
226 	for (i = 0; i < sizeof (named_pipes) / sizeof (named_pipes[0]); ++i) {
227 		if (smb_strcasecmp(name, named_pipes[i], 0) == 0)
228 			return (named_pipes[i]);
229 	}
230 
231 	return (NULL);
232 }
233 
234 /*
235  * Initialize the opipe header and context, and make the door call.
236  */
237 static int
238 smb_opipe_do_open(smb_request_t *sr, smb_opipe_t *opipe)
239 {
240 	smb_netuserinfo_t *userinfo = &opipe->p_user;
241 	smb_user_t *user = sr->uid_user;
242 	uint8_t *buf = opipe->p_doorbuf;
243 	uint32_t buflen = SMB_OPIPE_DOOR_BUFSIZE;
244 	uint32_t len;
245 
246 	if ((opipe->p_event = smb_event_create(SMB_EVENT_TIMEOUT)) == NULL)
247 		return (-1);
248 
249 	smb_user_netinfo_init(user, userinfo);
250 	len = xdr_sizeof(smb_netuserinfo_xdr, userinfo);
251 
252 	bzero(&opipe->p_hdr, sizeof (smb_doorhdr_t));
253 	opipe->p_hdr.dh_magic = SMB_OPIPE_HDR_MAGIC;
254 	opipe->p_hdr.dh_flags = SMB_DF_SYSSPACE;
255 	opipe->p_hdr.dh_fid = smb_event_txid(opipe->p_event);
256 
257 	if (smb_opipe_sethdr(opipe, SMB_OPIPE_OPEN, len) == -1)
258 		return (-1);
259 
260 	len = xdr_sizeof(smb_doorhdr_xdr, &opipe->p_hdr);
261 	buf += len;
262 	buflen -= len;
263 
264 	if (smb_netuserinfo_encode(userinfo, buf, buflen, NULL) == -1)
265 		return (-1);
266 
267 	return (smb_opipe_door_call(opipe));
268 }
269 
270 /*
271  * smb_opipe_close
272  *
273  * Called whenever an IPC file/pipe is closed.
274  */
275 void
276 smb_opipe_close(smb_ofile_t *of)
277 {
278 	smb_opipe_t *opipe;
279 
280 	ASSERT(of);
281 	ASSERT(of->f_ftype == SMB_FTYPE_MESG_PIPE);
282 
283 	opipe = of->f_pipe;
284 	SMB_OPIPE_VALID(opipe);
285 
286 	(void) smb_server_cancel_event(opipe->p_hdr.dh_fid);
287 	smb_opipe_enter(opipe);
288 
289 	if (SMB_OPIPE_ISOPEN(opipe)) {
290 		(void) smb_opipe_sethdr(opipe, SMB_OPIPE_CLOSE, 0);
291 		(void) smb_opipe_door_call(opipe);
292 		bzero(&opipe->p_hdr, sizeof (smb_doorhdr_t));
293 		kmem_free(opipe->p_doorbuf, SMB_OPIPE_DOOR_BUFSIZE);
294 	}
295 
296 	smb_user_netinfo_fini(&opipe->p_user);
297 	smb_opipe_exit(opipe);
298 }
299 
300 static int
301 smb_opipe_sethdr(smb_opipe_t *opipe, uint32_t cmd, uint32_t datalen)
302 {
303 	opipe->p_hdr.dh_op = cmd;
304 	opipe->p_hdr.dh_txid = opipe->p_hdr.dh_fid;
305 	opipe->p_hdr.dh_datalen = datalen;
306 	opipe->p_hdr.dh_resid = 0;
307 	opipe->p_hdr.dh_door_rc = EINVAL;
308 
309 	return (smb_doorhdr_encode(&opipe->p_hdr, opipe->p_doorbuf,
310 	    SMB_OPIPE_DOOR_BUFSIZE));
311 }
312 
313 /*
314  * smb_opipe_transact
315  *
316  * This is the entry point for RPC bind and request transactions.
317  * The fid is an arbitrary id used to associate RPC requests with a
318  * particular binding handle.
319  *
320  * If the data to be returned is larger than the client expects, we
321  * return as much as the client can handle and report a buffer overflow
322  * warning, which informs the client that we have more data to return.
323  * The residual data remains in the pipe until the client claims it or
324  * closes the pipe.
325  */
326 smb_sdrc_t
327 smb_opipe_transact(smb_request_t *sr, struct uio *uio)
328 {
329 	smb_xa_t *xa;
330 	smb_opipe_t *opipe;
331 	struct mbuf *mhead;
332 	int mdrcnt;
333 	int nbytes;
334 	int rc;
335 
336 	if ((rc = smb_opipe_write(sr, uio)) != 0) {
337 		if (rc == EBADF)
338 			smbsr_error(sr, NT_STATUS_INVALID_HANDLE,
339 			    ERRDOS, ERROR_INVALID_HANDLE);
340 		else
341 			smbsr_error(sr, NT_STATUS_INTERNAL_ERROR,
342 			    ERRDOS, ERROR_INTERNAL_ERROR);
343 		return (SDRC_ERROR);
344 	}
345 
346 	opipe = sr->fid_ofile->f_pipe;
347 
348 	if ((rc = smb_opipe_exec(opipe)) != 0) {
349 		smbsr_error(sr, NT_STATUS_INTERNAL_ERROR,
350 		    ERRDOS, ERROR_INTERNAL_ERROR);
351 		return (SDRC_ERROR);
352 	}
353 
354 	xa = sr->r_xa;
355 	mdrcnt = xa->smb_mdrcnt;
356 	smb_opipe_enter(opipe);
357 
358 	if (smb_opipe_sethdr(opipe, SMB_OPIPE_READ, mdrcnt) == -1) {
359 		smb_opipe_exit(opipe);
360 		smbsr_error(sr, NT_STATUS_INTERNAL_ERROR,
361 		    ERRDOS, ERROR_INTERNAL_ERROR);
362 		return (SDRC_ERROR);
363 	}
364 
365 	rc = smb_opipe_door_call(opipe);
366 	nbytes = opipe->p_hdr.dh_datalen;
367 
368 	if (rc != 0) {
369 		smb_opipe_exit(opipe);
370 		smbsr_error(sr, NT_STATUS_INTERNAL_ERROR,
371 		    ERRDOS, ERROR_INTERNAL_ERROR);
372 		return (SDRC_ERROR);
373 	}
374 
375 	if (nbytes) {
376 		mhead = smb_mbuf_get(opipe->p_data, nbytes);
377 		xa->rep_data_mb.max_bytes = nbytes;
378 		MBC_ATTACH_MBUF(&xa->rep_data_mb, mhead);
379 	}
380 
381 	if (opipe->p_hdr.dh_resid) {
382 		/*
383 		 * The pipe contains more data than mdrcnt, warn the
384 		 * client that there is more data in the pipe.
385 		 * Typically, the client will call SmbReadX, which
386 		 * will call smb_opipe_read, to get the data.
387 		 */
388 		smbsr_warn(sr, NT_STATUS_BUFFER_OVERFLOW,
389 		    ERRDOS, ERROR_MORE_DATA);
390 	}
391 
392 	smb_opipe_exit(opipe);
393 	return (SDRC_SUCCESS);
394 }
395 
396 /*
397  * smb_opipe_write
398  *
399  * Write RPC request data to the pipe.  The client should call smb_opipe_read
400  * to complete the exchange and obtain the RPC response.
401  *
402  * Returns 0 on success or an errno on failure.
403  */
404 int
405 smb_opipe_write(smb_request_t *sr, struct uio *uio)
406 {
407 	smb_opipe_t *opipe;
408 	uint32_t buflen;
409 	uint32_t len;
410 	int rc;
411 
412 	ASSERT(sr->fid_ofile);
413 	ASSERT(sr->fid_ofile->f_ftype == SMB_FTYPE_MESG_PIPE);
414 
415 	opipe = sr->fid_ofile->f_pipe;
416 	SMB_OPIPE_VALID(opipe);
417 	smb_opipe_enter(opipe);
418 
419 	if (!SMB_OPIPE_ISOPEN(opipe)) {
420 		smb_opipe_exit(opipe);
421 		return (EBADF);
422 	}
423 
424 	rc = smb_opipe_sethdr(opipe, SMB_OPIPE_WRITE, uio->uio_resid);
425 	len = xdr_sizeof(smb_doorhdr_xdr, &opipe->p_hdr);
426 	if (rc == -1 || len == 0) {
427 		smb_opipe_exit(opipe);
428 		return (ENOMEM);
429 	}
430 
431 	buflen = SMB_OPIPE_DOOR_BUFSIZE - len;
432 	(void) uiomove((caddr_t)opipe->p_data, buflen, UIO_WRITE, uio);
433 
434 	rc = smb_opipe_door_call(opipe);
435 
436 	smb_opipe_exit(opipe);
437 	return ((rc == 0) ? 0 : EIO);
438 }
439 
440 /*
441  * smb_opipe_read
442  *
443  * This interface may be called because smb_opipe_transact could not return
444  * all of the data in the original transaction or to form the second half
445  * of a transaction set up using smb_opipe_write.  Either way, we just need
446  * to read data from the pipe and return it.
447  *
448  * The response data is encoded into raw_data as required by the smb_read
449  * functions.  The uio_resid value indicates the number of bytes read.
450  */
451 int
452 smb_opipe_read(smb_request_t *sr, struct uio *uio)
453 {
454 	smb_opipe_t *opipe;
455 	struct mbuf *mhead;
456 	uint32_t nbytes;
457 	int rc;
458 
459 	ASSERT(sr->fid_ofile);
460 	ASSERT(sr->fid_ofile->f_ftype == SMB_FTYPE_MESG_PIPE);
461 
462 	opipe = sr->fid_ofile->f_pipe;
463 	SMB_OPIPE_VALID(opipe);
464 
465 	if ((rc = smb_opipe_exec(opipe)) != 0)
466 		return (EIO);
467 
468 	smb_opipe_enter(opipe);
469 
470 	if (!SMB_OPIPE_ISOPEN(opipe)) {
471 		smb_opipe_exit(opipe);
472 		return (EBADF);
473 	}
474 
475 	if (smb_opipe_sethdr(opipe, SMB_OPIPE_READ, uio->uio_resid) == -1) {
476 		smb_opipe_exit(opipe);
477 		return (ENOMEM);
478 	}
479 
480 	rc = smb_opipe_door_call(opipe);
481 	nbytes = opipe->p_hdr.dh_datalen;
482 
483 	if (rc != 0 || nbytes > uio->uio_resid) {
484 		smb_opipe_exit(opipe);
485 		return (EIO);
486 	}
487 
488 	if (nbytes) {
489 		mhead = smb_mbuf_get(opipe->p_data, nbytes);
490 		MBC_SETUP(&sr->raw_data, nbytes);
491 		MBC_ATTACH_MBUF(&sr->raw_data, mhead);
492 		uio->uio_resid -= nbytes;
493 	}
494 
495 	smb_opipe_exit(opipe);
496 	return (rc);
497 }
498 
499 static int
500 smb_opipe_exec(smb_opipe_t *opipe)
501 {
502 	uint32_t	len;
503 	int		rc;
504 
505 	smb_opipe_enter(opipe);
506 
507 	rc = smb_opipe_sethdr(opipe, SMB_OPIPE_EXEC, 0);
508 	len = xdr_sizeof(smb_doorhdr_xdr, &opipe->p_hdr);
509 	if (rc == -1 || len == 0) {
510 		smb_opipe_exit(opipe);
511 		return (ENOMEM);
512 	}
513 
514 	if ((rc = smb_opipe_door_call(opipe)) == 0)
515 		rc = smb_event_wait(opipe->p_event);
516 
517 	smb_opipe_exit(opipe);
518 	return (rc);
519 }
520 
521 /*
522  * Named pipe I/O is serialized per fid to ensure that each request
523  * has exclusive opipe access for the duration of the request.
524  */
525 static void
526 smb_opipe_enter(smb_opipe_t *opipe)
527 {
528 	mutex_enter(&opipe->p_mutex);
529 
530 	while (opipe->p_busy)
531 		cv_wait(&opipe->p_cv, &opipe->p_mutex);
532 
533 	opipe->p_busy = 1;
534 	mutex_exit(&opipe->p_mutex);
535 }
536 
537 /*
538  * Exit busy state.  If we have exec'd an RPC, we may have
539  * to wait for notification that processing has completed.
540  */
541 static void
542 smb_opipe_exit(smb_opipe_t *opipe)
543 {
544 	mutex_enter(&opipe->p_mutex);
545 	opipe->p_busy = 0;
546 	cv_signal(&opipe->p_cv);
547 	mutex_exit(&opipe->p_mutex);
548 }
549 
550 /*
551  * opipe door client (to user space door server).
552  */
553 void
554 smb_opipe_door_init(void)
555 {
556 	mutex_init(&smb_opipe_door_mutex, NULL, MUTEX_DEFAULT, NULL);
557 	cv_init(&smb_opipe_door_cv, NULL, CV_DEFAULT, NULL);
558 }
559 
560 void
561 smb_opipe_door_fini(void)
562 {
563 	smb_opipe_door_close();
564 	cv_destroy(&smb_opipe_door_cv);
565 	mutex_destroy(&smb_opipe_door_mutex);
566 }
567 
568 /*
569  * Open the (user space) door.  If the door is already open,
570  * close it first because the door-id has probably changed.
571  */
572 int
573 smb_opipe_door_open(int door_id)
574 {
575 	smb_opipe_door_close();
576 
577 	mutex_enter(&smb_opipe_door_mutex);
578 	smb_opipe_door_ncall = 0;
579 
580 	if (smb_opipe_door_hd == NULL) {
581 		smb_opipe_door_id = door_id;
582 		smb_opipe_door_hd = door_ki_lookup(door_id);
583 	}
584 
585 	mutex_exit(&smb_opipe_door_mutex);
586 	return ((smb_opipe_door_hd == NULL)  ? -1 : 0);
587 }
588 
589 /*
590  * Close the (user space) door.
591  */
592 void
593 smb_opipe_door_close(void)
594 {
595 	mutex_enter(&smb_opipe_door_mutex);
596 
597 	if (smb_opipe_door_hd != NULL) {
598 		while (smb_opipe_door_ncall > 0)
599 			cv_wait(&smb_opipe_door_cv, &smb_opipe_door_mutex);
600 
601 		door_ki_rele(smb_opipe_door_hd);
602 		smb_opipe_door_hd = NULL;
603 	}
604 
605 	mutex_exit(&smb_opipe_door_mutex);
606 }
607 
608 /*
609  * opipe door call interface.
610  * Door serialization and call reference accounting is handled here.
611  */
612 static int
613 smb_opipe_door_call(smb_opipe_t *opipe)
614 {
615 	int rc;
616 
617 	mutex_enter(&smb_opipe_door_mutex);
618 
619 	if (smb_opipe_door_hd == NULL) {
620 		mutex_exit(&smb_opipe_door_mutex);
621 
622 		if (smb_opipe_door_open(smb_opipe_door_id) != 0)
623 			return (-1);
624 
625 		mutex_enter(&smb_opipe_door_mutex);
626 	}
627 
628 	++smb_opipe_door_ncall;
629 	mutex_exit(&smb_opipe_door_mutex);
630 
631 	rc = smb_opipe_door_upcall(opipe);
632 
633 	mutex_enter(&smb_opipe_door_mutex);
634 	if ((--smb_opipe_door_ncall) == 0)
635 		cv_signal(&smb_opipe_door_cv);
636 	mutex_exit(&smb_opipe_door_mutex);
637 	return (rc);
638 }
639 
640 /*
641  * Door upcall wrapper - handles data marshalling.
642  * This function should only be called by smb_opipe_door_call.
643  */
644 static int
645 smb_opipe_door_upcall(smb_opipe_t *opipe)
646 {
647 	door_arg_t da;
648 	smb_doorhdr_t hdr;
649 	int i;
650 	int rc;
651 
652 	da.data_ptr = (char *)opipe->p_doorbuf;
653 	da.data_size = SMB_OPIPE_DOOR_BUFSIZE;
654 	da.desc_ptr = NULL;
655 	da.desc_num = 0;
656 	da.rbuf = (char *)opipe->p_doorbuf;
657 	da.rsize = SMB_OPIPE_DOOR_BUFSIZE;
658 
659 	for (i = 0; i < 3; ++i) {
660 		if (smb_server_is_stopping())
661 			return (-1);
662 
663 		if ((rc = door_ki_upcall_limited(smb_opipe_door_hd, &da,
664 		    NULL, SIZE_MAX, 0)) == 0)
665 			break;
666 
667 		if (rc != EAGAIN && rc != EINTR)
668 			return (-1);
669 	}
670 
671 	/* Check for door_return(NULL, 0, NULL, 0) */
672 	if (rc != 0 || da.data_size == 0 || da.rsize == 0)
673 		return (-1);
674 
675 	if (smb_doorhdr_decode(&hdr, (uint8_t *)da.data_ptr, da.rsize) == -1)
676 		return (-1);
677 
678 	if ((hdr.dh_magic != SMB_OPIPE_HDR_MAGIC) ||
679 	    (hdr.dh_fid != opipe->p_hdr.dh_fid) ||
680 	    (hdr.dh_op != opipe->p_hdr.dh_op) ||
681 	    (hdr.dh_door_rc != 0) ||
682 	    (hdr.dh_datalen > SMB_OPIPE_DOOR_BUFSIZE)) {
683 		return (-1);
684 	}
685 
686 	opipe->p_hdr.dh_datalen = hdr.dh_datalen;
687 	opipe->p_hdr.dh_resid = hdr.dh_resid;
688 	return (0);
689 }
690