1 /*
   2  * Copyright (c) 2000-2001 Boris Popov
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  * 2. Redistributions in binary form must reproduce the above copyright
  11  *    notice, this list of conditions and the following disclaimer in the
  12  *    documentation and/or other materials provided with the distribution.
  13  * 3. All advertising materials mentioning features or use of this software
  14  *    must display the following acknowledgement:
  15  *    This product includes software developed by Boris Popov.
  16  * 4. Neither the name of the author nor the names of any co-contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  *
  32  * $Id: smbfs_vnops.c,v 1.128.36.1 2005/05/27 02:35:28 lindak Exp $
  33  */
  34 
  35 /*
  36  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
  37  */
  38 
  39 #include <sys/systm.h>
  40 #include <sys/cred.h>
  41 #include <sys/vnode.h>
  42 #include <sys/vfs.h>
  43 #include <sys/filio.h>
  44 #include <sys/uio.h>
  45 #include <sys/dirent.h>
  46 #include <sys/errno.h>
  47 #include <sys/sunddi.h>
  48 #include <sys/sysmacros.h>
  49 #include <sys/kmem.h>
  50 #include <sys/cmn_err.h>
  51 #include <sys/vfs_opreg.h>
  52 #include <sys/policy.h>
  53 
  54 #include <netsmb/smb_osdep.h>
  55 #include <netsmb/smb.h>
  56 #include <netsmb/smb_conn.h>
  57 #include <netsmb/smb_subr.h>
  58 
  59 #include <smbfs/smbfs.h>
  60 #include <smbfs/smbfs_node.h>
  61 #include <smbfs/smbfs_subr.h>
  62 
  63 #include <sys/fs/smbfs_ioctl.h>
  64 #include <fs/fs_subr.h>
  65 
  66 /*
  67  * We assign directory offsets like the NFS client, where the
  68  * offset increments by _one_ after each directory entry.
  69  * Further, the entries "." and ".." are always at offsets
  70  * zero and one (respectively) and the "real" entries from
  71  * the server appear at offsets starting with two.  This
  72  * macro is used to initialize the n_dirofs field after
  73  * setting n_dirseq with a _findopen call.
  74  */
  75 #define FIRST_DIROFS    2
  76 
  77 /*
  78  * These characters are illegal in NTFS file names.
  79  * ref: http://support.microsoft.com/kb/147438
  80  *
  81  * Careful!  The check in the XATTR case skips the
  82  * first character to allow colon in XATTR names.
  83  */
  84 static const char illegal_chars[] = {
  85         ':',    /* colon - keep this first! */
  86         '\\',   /* back slash */
  87         '/',    /* slash */
  88         '*',    /* asterisk */
  89         '?',    /* question mark */
  90         '"',    /* double quote */
  91         '<', /* less than sign */
  92         '>', /* greater than sign */
  93         '|',    /* vertical bar */
  94         0
  95 };
  96 
  97 /*
  98  * Turning this on causes nodes to be created in the cache
  99  * during directory listings, normally avoiding a second
 100  * OtW attribute fetch just after a readdir.
 101  */
 102 int smbfs_fastlookup = 1;
 103 
 104 /* local static function defines */
 105 
 106 static int      smbfslookup_cache(vnode_t *, char *, int, vnode_t **,
 107                         cred_t *);
 108 static int      smbfslookup(vnode_t *dvp, char *nm, vnode_t **vpp, cred_t *cr,
 109                         int cache_ok, caller_context_t *);
 110 static int      smbfsrename(vnode_t *odvp, char *onm, vnode_t *ndvp, char *nnm,
 111                         cred_t *cr, caller_context_t *);
 112 static int      smbfssetattr(vnode_t *, struct vattr *, int, cred_t *);
 113 static int      smbfs_accessx(void *, int, cred_t *);
 114 static int      smbfs_readvdir(vnode_t *vp, uio_t *uio, cred_t *cr, int *eofp,
 115                         caller_context_t *);
 116 static void     smbfs_rele_fid(smbnode_t *, struct smb_cred *);
 117 
 118 /*
 119  * These are the vnode ops routines which implement the vnode interface to
 120  * the networked file system.  These routines just take their parameters,
 121  * make them look networkish by putting the right info into interface structs,
 122  * and then calling the appropriate remote routine(s) to do the work.
 123  *
 124  * Note on directory name lookup cacheing:  If we detect a stale fhandle,
 125  * we purge the directory cache relative to that vnode.  This way, the
 126  * user won't get burned by the cache repeatedly.  See <smbfs/smbnode.h> for
 127  * more details on smbnode locking.
 128  */
 129 
 130 static int      smbfs_open(vnode_t **, int, cred_t *, caller_context_t *);
 131 static int      smbfs_close(vnode_t *, int, int, offset_t, cred_t *,
 132                         caller_context_t *);
 133 static int      smbfs_read(vnode_t *, struct uio *, int, cred_t *,
 134                         caller_context_t *);
 135 static int      smbfs_write(vnode_t *, struct uio *, int, cred_t *,
 136                         caller_context_t *);
 137 static int      smbfs_ioctl(vnode_t *, int, intptr_t, int, cred_t *, int *,
 138                         caller_context_t *);
 139 static int      smbfs_getattr(vnode_t *, struct vattr *, int, cred_t *,
 140                         caller_context_t *);
 141 static int      smbfs_setattr(vnode_t *, struct vattr *, int, cred_t *,
 142                         caller_context_t *);
 143 static int      smbfs_access(vnode_t *, int, int, cred_t *, caller_context_t *);
 144 static int      smbfs_fsync(vnode_t *, int, cred_t *, caller_context_t *);
 145 static void     smbfs_inactive(vnode_t *, cred_t *, caller_context_t *);
 146 static int      smbfs_lookup(vnode_t *, char *, vnode_t **, struct pathname *,
 147                         int, vnode_t *, cred_t *, caller_context_t *,
 148                         int *, pathname_t *);
 149 static int      smbfs_create(vnode_t *, char *, struct vattr *, enum vcexcl,
 150                         int, vnode_t **, cred_t *, int, caller_context_t *,
 151                         vsecattr_t *);
 152 static int      smbfs_remove(vnode_t *, char *, cred_t *, caller_context_t *,
 153                         int);
 154 static int      smbfs_rename(vnode_t *, char *, vnode_t *, char *, cred_t *,
 155                         caller_context_t *, int);
 156 static int      smbfs_mkdir(vnode_t *, char *, struct vattr *, vnode_t **,
 157                         cred_t *, caller_context_t *, int, vsecattr_t *);
 158 static int      smbfs_rmdir(vnode_t *, char *, vnode_t *, cred_t *,
 159                         caller_context_t *, int);
 160 static int      smbfs_readdir(vnode_t *, struct uio *, cred_t *, int *,
 161                         caller_context_t *, int);
 162 static int      smbfs_rwlock(vnode_t *, int, caller_context_t *);
 163 static void     smbfs_rwunlock(vnode_t *, int, caller_context_t *);
 164 static int      smbfs_seek(vnode_t *, offset_t, offset_t *, caller_context_t *);
 165 static int      smbfs_frlock(vnode_t *, int, struct flock64 *, int, offset_t,
 166                         struct flk_callback *, cred_t *, caller_context_t *);
 167 static int      smbfs_space(vnode_t *, int, struct flock64 *, int, offset_t,
 168                         cred_t *, caller_context_t *);
 169 static int      smbfs_pathconf(vnode_t *, int, ulong_t *, cred_t *,
 170                         caller_context_t *);
 171 static int      smbfs_setsecattr(vnode_t *, vsecattr_t *, int, cred_t *,
 172                         caller_context_t *);
 173 static int      smbfs_getsecattr(vnode_t *, vsecattr_t *, int, cred_t *,
 174                         caller_context_t *);
 175 static int      smbfs_shrlock(vnode_t *, int, struct shrlock *, int, cred_t *,
 176                         caller_context_t *);
 177 
 178 /* Dummy function to use until correct function is ported in */
 179 int noop_vnodeop() {
 180         return (0);
 181 }
 182 
 183 struct vnodeops *smbfs_vnodeops = NULL;
 184 
 185 /*
 186  * Most unimplemented ops will return ENOSYS because of fs_nosys().
 187  * The only ops where that won't work are ACCESS (due to open(2)
 188  * failures) and ... (anything else left?)
 189  */
 190 const fs_operation_def_t smbfs_vnodeops_template[] = {
 191         { VOPNAME_OPEN,         { .vop_open = smbfs_open } },
 192         { VOPNAME_CLOSE,        { .vop_close = smbfs_close } },
 193         { VOPNAME_READ,         { .vop_read = smbfs_read } },
 194         { VOPNAME_WRITE,        { .vop_write = smbfs_write } },
 195         { VOPNAME_IOCTL,        { .vop_ioctl = smbfs_ioctl } },
 196         { VOPNAME_GETATTR,      { .vop_getattr = smbfs_getattr } },
 197         { VOPNAME_SETATTR,      { .vop_setattr = smbfs_setattr } },
 198         { VOPNAME_ACCESS,       { .vop_access = smbfs_access } },
 199         { VOPNAME_LOOKUP,       { .vop_lookup = smbfs_lookup } },
 200         { VOPNAME_CREATE,       { .vop_create = smbfs_create } },
 201         { VOPNAME_REMOVE,       { .vop_remove = smbfs_remove } },
 202         { VOPNAME_LINK,         { .error = fs_nosys } }, /* smbfs_link, */
 203         { VOPNAME_RENAME,       { .vop_rename = smbfs_rename } },
 204         { VOPNAME_MKDIR,        { .vop_mkdir = smbfs_mkdir } },
 205         { VOPNAME_RMDIR,        { .vop_rmdir = smbfs_rmdir } },
 206         { VOPNAME_READDIR,      { .vop_readdir = smbfs_readdir } },
 207         { VOPNAME_SYMLINK,      { .error = fs_nosys } }, /* smbfs_symlink, */
 208         { VOPNAME_READLINK,     { .error = fs_nosys } }, /* smbfs_readlink, */
 209         { VOPNAME_FSYNC,        { .vop_fsync = smbfs_fsync } },
 210         { VOPNAME_INACTIVE,     { .vop_inactive = smbfs_inactive } },
 211         { VOPNAME_FID,          { .error = fs_nosys } }, /* smbfs_fid, */
 212         { VOPNAME_RWLOCK,       { .vop_rwlock = smbfs_rwlock } },
 213         { VOPNAME_RWUNLOCK,     { .vop_rwunlock = smbfs_rwunlock } },
 214         { VOPNAME_SEEK,         { .vop_seek = smbfs_seek } },
 215         { VOPNAME_FRLOCK,       { .vop_frlock = smbfs_frlock } },
 216         { VOPNAME_SPACE,        { .vop_space = smbfs_space } },
 217         { VOPNAME_REALVP,       { .error = fs_nosys } }, /* smbfs_realvp, */
 218         { VOPNAME_GETPAGE,      { .error = fs_nosys } }, /* smbfs_getpage, */
 219         { VOPNAME_PUTPAGE,      { .error = fs_nosys } }, /* smbfs_putpage, */
 220         { VOPNAME_MAP,          { .error = fs_nosys } }, /* smbfs_map, */
 221         { VOPNAME_ADDMAP,       { .error = fs_nosys } }, /* smbfs_addmap, */
 222         { VOPNAME_DELMAP,       { .error = fs_nosys } }, /* smbfs_delmap, */
 223         { VOPNAME_DUMP,         { .error = fs_nosys } }, /* smbfs_dump, */
 224         { VOPNAME_PATHCONF,     { .vop_pathconf = smbfs_pathconf } },
 225         { VOPNAME_PAGEIO,       { .error = fs_nosys } }, /* smbfs_pageio, */
 226         { VOPNAME_SETSECATTR,   { .vop_setsecattr = smbfs_setsecattr } },
 227         { VOPNAME_GETSECATTR,   { .vop_getsecattr = smbfs_getsecattr } },
 228         { VOPNAME_SHRLOCK,      { .vop_shrlock = smbfs_shrlock } },
 229         { NULL, NULL }
 230 };
 231 
 232 /*
 233  * XXX
 234  * When new and relevant functionality is enabled, we should be
 235  * calling vfs_set_feature() to inform callers that pieces of
 236  * functionality are available, per PSARC 2007/227.
 237  */
 238 /* ARGSUSED */
 239 static int
 240 smbfs_open(vnode_t **vpp, int flag, cred_t *cr, caller_context_t *ct)
 241 {
 242         smbnode_t       *np;
 243         vnode_t         *vp;
 244         smbfattr_t      fa;
 245         u_int32_t       rights, rightsrcvd;
 246         u_int16_t       fid, oldfid;
 247         int             oldgenid;
 248         struct smb_cred scred;
 249         smbmntinfo_t    *smi;
 250         smb_share_t     *ssp;
 251         cred_t          *oldcr;
 252         int             tmperror;
 253         int             error = 0;
 254 
 255         vp = *vpp;
 256         np = VTOSMB(vp);
 257         smi = VTOSMI(vp);
 258         ssp = smi->smi_share;
 259 
 260         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
 261                 return (EIO);
 262 
 263         if (smi->smi_flags & SMI_DEAD || vp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
 264                 return (EIO);
 265 
 266         if (vp->v_type != VREG && vp->v_type != VDIR) { /* XXX VLNK? */
 267                 SMBVDEBUG("open eacces vtype=%d\n", vp->v_type);
 268                 return (EACCES);
 269         }
 270 
 271         /*
 272          * Get exclusive access to n_fid and related stuff.
 273          * No returns after this until out.
 274          */
 275         if (smbfs_rw_enter_sig(&np->r_lkserlock, RW_WRITER, SMBINTR(vp)))
 276                 return (EINTR);
 277         smb_credinit(&scred, cr);
 278 
 279         /*
 280          * Keep track of the vnode type at first open.
 281          * It may change later, and we need close to do
 282          * cleanup for the type we opened.  Also deny
 283          * open of new types until old type is closed.
 284          * XXX: Per-open instance nodes whould help.
 285          */
 286         if (np->n_ovtype == VNON) {
 287                 ASSERT(np->n_dirrefs == 0);
 288                 ASSERT(np->n_fidrefs == 0);
 289         } else if (np->n_ovtype != vp->v_type) {
 290                 SMBVDEBUG("open n_ovtype=%d v_type=%d\n",
 291                     np->n_ovtype, vp->v_type);
 292                 error = EACCES;
 293                 goto out;
 294         }
 295 
 296         /*
 297          * Directory open.  See smbfs_readvdir()
 298          */
 299         if (vp->v_type == VDIR) {
 300                 if (np->n_dirseq == NULL) {
 301                         /* first open */
 302                         error = smbfs_smb_findopen(np, "*", 1,
 303                             SMB_FA_SYSTEM | SMB_FA_HIDDEN | SMB_FA_DIR,
 304                             &scred, &np->n_dirseq);
 305                         if (error != 0)
 306                                 goto out;
 307                 }
 308                 np->n_dirofs = FIRST_DIROFS;
 309                 np->n_dirrefs++;
 310                 goto have_fid;
 311         }
 312 
 313         /*
 314          * If caller specified O_TRUNC/FTRUNC, then be sure to set
 315          * FWRITE (to drive successful setattr(size=0) after open)
 316          */
 317         if (flag & FTRUNC)
 318                 flag |= FWRITE;
 319 
 320         /*
 321          * If we already have it open, and the FID is still valid,
 322          * check whether the rights are sufficient for FID reuse.
 323          */
 324         if (np->n_fidrefs > 0 &&
 325             np->n_vcgenid == ssp->ss_vcgenid) {
 326                 int upgrade = 0;
 327 
 328                 if ((flag & FWRITE) &&
 329                     !(np->n_rights & SA_RIGHT_FILE_WRITE_DATA))
 330                         upgrade = 1;
 331                 if ((flag & FREAD) &&
 332                     !(np->n_rights & SA_RIGHT_FILE_READ_DATA))
 333                         upgrade = 1;
 334                 if (!upgrade) {
 335                         /*
 336                          *  the existing open is good enough
 337                          */
 338                         np->n_fidrefs++;
 339                         goto have_fid;
 340                 }
 341         }
 342         rights = np->n_fidrefs ? np->n_rights : 0;
 343 
 344         /*
 345          * we always ask for READ_CONTROL so we can always get the
 346          * owner/group IDs to satisfy a stat.  Ditto attributes.
 347          */
 348         rights |= (STD_RIGHT_READ_CONTROL_ACCESS |
 349             SA_RIGHT_FILE_READ_ATTRIBUTES);
 350         if ((flag & FREAD))
 351                 rights |= SA_RIGHT_FILE_READ_DATA;
 352         if ((flag & FWRITE))
 353                 rights |= SA_RIGHT_FILE_WRITE_DATA |
 354                     SA_RIGHT_FILE_APPEND_DATA |
 355                     SA_RIGHT_FILE_WRITE_ATTRIBUTES;
 356 
 357         bzero(&fa, sizeof (fa));
 358         error = smbfs_smb_open(np,
 359             NULL, 0, 0, /* name nmlen xattr */
 360             rights, &scred,
 361             &fid, &rightsrcvd, &fa);
 362         if (error)
 363                 goto out;
 364         smbfs_attrcache_fa(vp, &fa);
 365 
 366         /*
 367          * We have a new FID and access rights.
 368          */
 369         oldfid = np->n_fid;
 370         oldgenid = np->n_vcgenid;
 371         np->n_fid = fid;
 372         np->n_vcgenid = ssp->ss_vcgenid;
 373         np->n_rights = rightsrcvd;
 374         np->n_fidrefs++;
 375         if (np->n_fidrefs > 1 &&
 376             oldgenid == ssp->ss_vcgenid) {
 377                 /*
 378                  * We already had it open (presumably because
 379                  * it was open with insufficient rights.)
 380                  * Close old wire-open.
 381                  */
 382                 tmperror = smbfs_smb_close(ssp,
 383                     oldfid, NULL, &scred);
 384                 if (tmperror)
 385                         SMBVDEBUG("error %d closing %s\n",
 386                             tmperror, np->n_rpath);
 387         }
 388 
 389         /*
 390          * This thread did the open.
 391          * Save our credentials too.
 392          */
 393         mutex_enter(&np->r_statelock);
 394         oldcr = np->r_cred;
 395         np->r_cred = cr;
 396         crhold(cr);
 397         if (oldcr)
 398                 crfree(oldcr);
 399         mutex_exit(&np->r_statelock);
 400 
 401 have_fid:
 402         /*
 403          * Keep track of the vnode type at first open.
 404          * (see comments above)
 405          */
 406         if (np->n_ovtype == VNON)
 407                 np->n_ovtype = vp->v_type;
 408 
 409 out:
 410         smb_credrele(&scred);
 411         smbfs_rw_exit(&np->r_lkserlock);
 412         return (error);
 413 }
 414 
 415 /*ARGSUSED*/
 416 static int
 417 smbfs_close(vnode_t *vp, int flag, int count, offset_t offset, cred_t *cr,
 418         caller_context_t *ct)
 419 {
 420         smbnode_t       *np;
 421         smbmntinfo_t    *smi;
 422         struct smb_cred scred;
 423 
 424         np = VTOSMB(vp);
 425         smi = VTOSMI(vp);
 426 
 427         /*
 428          * Don't "bail out" for VFS_UNMOUNTED here,
 429          * as we want to do cleanup, etc.
 430          */
 431 
 432         /*
 433          * zone_enter(2) prevents processes from changing zones with SMBFS files
 434          * open; if we happen to get here from the wrong zone we can't do
 435          * anything over the wire.
 436          */
 437         if (smi->smi_zone_ref.zref_zone != curproc->p_zone) {
 438                 /*
 439                  * We could attempt to clean up locks, except we're sure
 440                  * that the current process didn't acquire any locks on
 441                  * the file: any attempt to lock a file belong to another zone
 442                  * will fail, and one can't lock an SMBFS file and then change
 443                  * zones, as that fails too.
 444                  *
 445                  * Returning an error here is the sane thing to do.  A
 446                  * subsequent call to VN_RELE() which translates to a
 447                  * smbfs_inactive() will clean up state: if the zone of the
 448                  * vnode's origin is still alive and kicking, an async worker
 449                  * thread will handle the request (from the correct zone), and
 450                  * everything (minus the final smbfs_getattr_otw() call) should
 451                  * be OK. If the zone is going away smbfs_async_inactive() will
 452                  * throw away cached pages inline.
 453                  */
 454                 return (EIO);
 455         }
 456 
 457         /*
 458          * If we are using local locking for this filesystem, then
 459          * release all of the SYSV style record locks.  Otherwise,
 460          * we are doing network locking and we need to release all
 461          * of the network locks.  All of the locks held by this
 462          * process on this file are released no matter what the
 463          * incoming reference count is.
 464          */
 465         if (smi->smi_flags & SMI_LLOCK) {
 466                 pid_t pid = ddi_get_pid();
 467                 cleanlocks(vp, pid, 0);
 468                 cleanshares(vp, pid);
 469         }
 470 
 471         /*
 472          * This (passed in) count is the ref. count from the
 473          * user's file_t before the closef call (fio.c).
 474          * We only care when the reference goes away.
 475          */
 476         if (count > 1)
 477                 return (0);
 478 
 479         /*
 480          * Decrement the reference count for the FID
 481          * and possibly do the OtW close.
 482          *
 483          * Exclusive lock for modifying n_fid stuff.
 484          * Don't want this one ever interruptible.
 485          */
 486         (void) smbfs_rw_enter_sig(&np->r_lkserlock, RW_WRITER, 0);
 487         smb_credinit(&scred, cr);
 488 
 489         smbfs_rele_fid(np, &scred);
 490 
 491         smb_credrele(&scred);
 492         smbfs_rw_exit(&np->r_lkserlock);
 493 
 494         return (0);
 495 }
 496 
 497 /*
 498  * Helper for smbfs_close.  Decrement the reference count
 499  * for an SMB-level file or directory ID, and when the last
 500  * reference for the fid goes away, do the OtW close.
 501  * Also called in smbfs_inactive (defensive cleanup).
 502  */
 503 static void
 504 smbfs_rele_fid(smbnode_t *np, struct smb_cred *scred)
 505 {
 506         smb_share_t     *ssp;
 507         cred_t          *oldcr;
 508         struct smbfs_fctx *fctx;
 509         int             error;
 510         uint16_t ofid;
 511 
 512         ssp = np->n_mount->smi_share;
 513         error = 0;
 514 
 515         /* Make sure we serialize for n_dirseq use. */
 516         ASSERT(smbfs_rw_lock_held(&np->r_lkserlock, RW_WRITER));
 517 
 518         /*
 519          * Note that vp->v_type may change if a remote node
 520          * is deleted and recreated as a different type, and
 521          * our getattr may change v_type accordingly.
 522          * Now use n_ovtype to keep track of the v_type
 523          * we had during open (see comments above).
 524          */
 525         switch (np->n_ovtype) {
 526         case VDIR:
 527                 ASSERT(np->n_dirrefs > 0);
 528                 if (--np->n_dirrefs)
 529                         return;
 530                 if ((fctx = np->n_dirseq) != NULL) {
 531                         np->n_dirseq = NULL;
 532                         np->n_dirofs = 0;
 533                         error = smbfs_smb_findclose(fctx, scred);
 534                 }
 535                 break;
 536 
 537         case VREG:
 538                 ASSERT(np->n_fidrefs > 0);
 539                 if (--np->n_fidrefs)
 540                         return;
 541                 if ((ofid = np->n_fid) != SMB_FID_UNUSED) {
 542                         np->n_fid = SMB_FID_UNUSED;
 543                         /* After reconnect, n_fid is invalid */
 544                         if (np->n_vcgenid == ssp->ss_vcgenid) {
 545                                 error = smbfs_smb_close(
 546                                     ssp, ofid, NULL, scred);
 547                         }
 548                 }
 549                 break;
 550 
 551         default:
 552                 SMBVDEBUG("bad n_ovtype %d\n", np->n_ovtype);
 553                 break;
 554         }
 555         if (error) {
 556                 SMBVDEBUG("error %d closing %s\n",
 557                     error, np->n_rpath);
 558         }
 559 
 560         /* Allow next open to use any v_type. */
 561         np->n_ovtype = VNON;
 562 
 563         /*
 564          * Other "last close" stuff.
 565          */
 566         mutex_enter(&np->r_statelock);
 567         if (np->n_flag & NATTRCHANGED)
 568                 smbfs_attrcache_rm_locked(np);
 569         oldcr = np->r_cred;
 570         np->r_cred = NULL;
 571         mutex_exit(&np->r_statelock);
 572         if (oldcr != NULL)
 573                 crfree(oldcr);
 574 }
 575 
 576 /* ARGSUSED */
 577 static int
 578 smbfs_read(vnode_t *vp, struct uio *uiop, int ioflag, cred_t *cr,
 579         caller_context_t *ct)
 580 {
 581         struct smb_cred scred;
 582         struct vattr    va;
 583         smbnode_t       *np;
 584         smbmntinfo_t    *smi;
 585         smb_share_t     *ssp;
 586         offset_t        endoff;
 587         ssize_t         past_eof;
 588         int             error;
 589 
 590         np = VTOSMB(vp);
 591         smi = VTOSMI(vp);
 592         ssp = smi->smi_share;
 593 
 594         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
 595                 return (EIO);
 596 
 597         if (smi->smi_flags & SMI_DEAD || vp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
 598                 return (EIO);
 599 
 600         ASSERT(smbfs_rw_lock_held(&np->r_rwlock, RW_READER));
 601 
 602         if (vp->v_type != VREG)
 603                 return (EISDIR);
 604 
 605         if (uiop->uio_resid == 0)
 606                 return (0);
 607 
 608         /*
 609          * Like NFS3, just check for 63-bit overflow.
 610          * Our SMB layer takes care to return EFBIG
 611          * when it has to fallback to a 32-bit call.
 612          */
 613         endoff = uiop->uio_loffset + uiop->uio_resid;
 614         if (uiop->uio_loffset < 0 || endoff < 0)
 615                 return (EINVAL);
 616 
 617         /* get vnode attributes from server */
 618         va.va_mask = AT_SIZE | AT_MTIME;
 619         if (error = smbfsgetattr(vp, &va, cr))
 620                 return (error);
 621 
 622         /* Update mtime with mtime from server here? */
 623 
 624         /* if offset is beyond EOF, read nothing */
 625         if (uiop->uio_loffset >= va.va_size)
 626                 return (0);
 627 
 628         /*
 629          * Limit the read to the remaining file size.
 630          * Do this by temporarily reducing uio_resid
 631          * by the amount the lies beyoned the EOF.
 632          */
 633         if (endoff > va.va_size) {
 634                 past_eof = (ssize_t)(endoff - va.va_size);
 635                 uiop->uio_resid -= past_eof;
 636         } else
 637                 past_eof = 0;
 638 
 639         /* Shared lock for n_fid use in smb_rwuio */
 640         if (smbfs_rw_enter_sig(&np->r_lkserlock, RW_READER, SMBINTR(vp)))
 641                 return (EINTR);
 642         smb_credinit(&scred, cr);
 643 
 644         /* After reconnect, n_fid is invalid */
 645         if (np->n_vcgenid != ssp->ss_vcgenid)
 646                 error = ESTALE;
 647         else
 648                 error = smb_rwuio(ssp, np->n_fid, UIO_READ,
 649                     uiop, &scred, smb_timo_read);
 650 
 651         smb_credrele(&scred);
 652         smbfs_rw_exit(&np->r_lkserlock);
 653 
 654         /* undo adjustment of resid */
 655         uiop->uio_resid += past_eof;
 656 
 657         return (error);
 658 }
 659 
 660 
 661 /* ARGSUSED */
 662 static int
 663 smbfs_write(vnode_t *vp, struct uio *uiop, int ioflag, cred_t *cr,
 664         caller_context_t *ct)
 665 {
 666         struct smb_cred scred;
 667         struct vattr    va;
 668         smbnode_t       *np;
 669         smbmntinfo_t    *smi;
 670         smb_share_t     *ssp;
 671         offset_t        endoff, limit;
 672         ssize_t         past_limit;
 673         int             error, timo;
 674 
 675         np = VTOSMB(vp);
 676         smi = VTOSMI(vp);
 677         ssp = smi->smi_share;
 678 
 679         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
 680                 return (EIO);
 681 
 682         if (smi->smi_flags & SMI_DEAD || vp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
 683                 return (EIO);
 684 
 685         ASSERT(smbfs_rw_lock_held(&np->r_rwlock, RW_WRITER));
 686 
 687         if (vp->v_type != VREG)
 688                 return (EISDIR);
 689 
 690         if (uiop->uio_resid == 0)
 691                 return (0);
 692 
 693         /*
 694          * Handle ioflag bits: (FAPPEND|FSYNC|FDSYNC)
 695          */
 696         if (ioflag & (FAPPEND | FSYNC)) {
 697                 if (np->n_flag & NMODIFIED) {
 698                         smbfs_attrcache_remove(np);
 699                         /* XXX: smbfs_vinvalbuf? */
 700                 }
 701         }
 702         if (ioflag & FAPPEND) {
 703                 /*
 704                  * File size can be changed by another client
 705                  */
 706                 va.va_mask = AT_SIZE;
 707                 if (error = smbfsgetattr(vp, &va, cr))
 708                         return (error);
 709                 uiop->uio_loffset = va.va_size;
 710         }
 711 
 712         /*
 713          * Like NFS3, just check for 63-bit overflow.
 714          */
 715         endoff = uiop->uio_loffset + uiop->uio_resid;
 716         if (uiop->uio_loffset < 0 || endoff < 0)
 717                 return (EINVAL);
 718 
 719         /*
 720          * Check to make sure that the process will not exceed
 721          * its limit on file size.  It is okay to write up to
 722          * the limit, but not beyond.  Thus, the write which
 723          * reaches the limit will be short and the next write
 724          * will return an error.
 725          *
 726          * So if we're starting at or beyond the limit, EFBIG.
 727          * Otherwise, temporarily reduce resid to the amount
 728          * the falls after the limit.
 729          */
 730         limit = uiop->uio_llimit;
 731         if (limit == RLIM64_INFINITY || limit > MAXOFFSET_T)
 732                 limit = MAXOFFSET_T;
 733         if (uiop->uio_loffset >= limit)
 734                 return (EFBIG);
 735         if (endoff > limit) {
 736                 past_limit = (ssize_t)(endoff - limit);
 737                 uiop->uio_resid -= past_limit;
 738         } else
 739                 past_limit = 0;
 740 
 741         /* Timeout: longer for append. */
 742         timo = smb_timo_write;
 743         if (endoff > np->r_size)
 744                 timo = smb_timo_append;
 745 
 746         /* Shared lock for n_fid use in smb_rwuio */
 747         if (smbfs_rw_enter_sig(&np->r_lkserlock, RW_READER, SMBINTR(vp)))
 748                 return (EINTR);
 749         smb_credinit(&scred, cr);
 750 
 751         /* After reconnect, n_fid is invalid */
 752         if (np->n_vcgenid != ssp->ss_vcgenid)
 753                 error = ESTALE;
 754         else
 755                 error = smb_rwuio(ssp, np->n_fid, UIO_WRITE,
 756                     uiop, &scred, timo);
 757 
 758         if (error == 0) {
 759                 mutex_enter(&np->r_statelock);
 760                 np->n_flag |= (NFLUSHWIRE | NATTRCHANGED);
 761                 if (uiop->uio_loffset > (offset_t)np->r_size)
 762                         np->r_size = (len_t)uiop->uio_loffset;
 763                 mutex_exit(&np->r_statelock);
 764                 if (ioflag & (FSYNC|FDSYNC)) {
 765                         /* Don't error the I/O if this fails. */
 766                         (void) smbfs_smb_flush(np, &scred);
 767                 }
 768         }
 769 
 770         smb_credrele(&scred);
 771         smbfs_rw_exit(&np->r_lkserlock);
 772 
 773         /* undo adjustment of resid */
 774         uiop->uio_resid += past_limit;
 775 
 776         return (error);
 777 }
 778 
 779 
 780 /* ARGSUSED */
 781 static int
 782 smbfs_ioctl(vnode_t *vp, int cmd, intptr_t arg, int flag,
 783         cred_t *cr, int *rvalp, caller_context_t *ct)
 784 {
 785         int             error;
 786         smbmntinfo_t    *smi;
 787 
 788         smi = VTOSMI(vp);
 789 
 790         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
 791                 return (EIO);
 792 
 793         if (smi->smi_flags & SMI_DEAD || vp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
 794                 return (EIO);
 795 
 796         switch (cmd) {
 797                 /* First three from ZFS. XXX - need these? */
 798 
 799         case _FIOFFS:
 800                 error = smbfs_fsync(vp, 0, cr, ct);
 801                 break;
 802 
 803                 /*
 804                  * The following two ioctls are used by bfu.
 805                  * Silently ignore to avoid bfu errors.
 806                  */
 807         case _FIOGDIO:
 808         case _FIOSDIO:
 809                 error = 0;
 810                 break;
 811 
 812 #ifdef NOT_YET  /* XXX - from the NFS code. */
 813         case _FIODIRECTIO:
 814                 error = smbfs_directio(vp, (int)arg, cr);
 815 #endif
 816 
 817                 /*
 818                  * Allow get/set with "raw" security descriptor (SD) data.
 819                  * Useful for testing, diagnosing idmap problems, etc.
 820                  */
 821         case SMBFSIO_GETSD:
 822                 error = smbfs_acl_iocget(vp, arg, flag, cr);
 823                 break;
 824 
 825         case SMBFSIO_SETSD:
 826                 error = smbfs_acl_iocset(vp, arg, flag, cr);
 827                 break;
 828 
 829         default:
 830                 error = ENOTTY;
 831                 break;
 832         }
 833 
 834         return (error);
 835 }
 836 
 837 
 838 /*
 839  * Return either cached or remote attributes. If get remote attr
 840  * use them to check and invalidate caches, then cache the new attributes.
 841  *
 842  * XXX
 843  * This op should eventually support PSARC 2007/315, Extensible Attribute
 844  * Interfaces, for richer metadata.
 845  */
 846 /* ARGSUSED */
 847 static int
 848 smbfs_getattr(vnode_t *vp, struct vattr *vap, int flags, cred_t *cr,
 849         caller_context_t *ct)
 850 {
 851         smbnode_t *np;
 852         smbmntinfo_t *smi;
 853 
 854         smi = VTOSMI(vp);
 855 
 856         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
 857                 return (EIO);
 858 
 859         if (smi->smi_flags & SMI_DEAD || vp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
 860                 return (EIO);
 861 
 862         /*
 863          * If it has been specified that the return value will
 864          * just be used as a hint, and we are only being asked
 865          * for size, fsid or rdevid, then return the client's
 866          * notion of these values without checking to make sure
 867          * that the attribute cache is up to date.
 868          * The whole point is to avoid an over the wire GETATTR
 869          * call.
 870          */
 871         np = VTOSMB(vp);
 872         if (flags & ATTR_HINT) {
 873                 if (vap->va_mask ==
 874                     (vap->va_mask & (AT_SIZE | AT_FSID | AT_RDEV))) {
 875                         mutex_enter(&np->r_statelock);
 876                         if (vap->va_mask | AT_SIZE)
 877                                 vap->va_size = np->r_size;
 878                         if (vap->va_mask | AT_FSID)
 879                                 vap->va_fsid = vp->v_vfsp->vfs_dev;
 880                         if (vap->va_mask | AT_RDEV)
 881                                 vap->va_rdev = vp->v_rdev;
 882                         mutex_exit(&np->r_statelock);
 883                         return (0);
 884                 }
 885         }
 886 
 887         return (smbfsgetattr(vp, vap, cr));
 888 }
 889 
 890 /* smbfsgetattr() in smbfs_client.c */
 891 
 892 /*
 893  * XXX
 894  * This op should eventually support PSARC 2007/315, Extensible Attribute
 895  * Interfaces, for richer metadata.
 896  */
 897 /*ARGSUSED4*/
 898 static int
 899 smbfs_setattr(vnode_t *vp, struct vattr *vap, int flags, cred_t *cr,
 900                 caller_context_t *ct)
 901 {
 902         vfs_t           *vfsp;
 903         smbmntinfo_t    *smi;
 904         int             error;
 905         uint_t          mask;
 906         struct vattr    oldva;
 907 
 908         vfsp = vp->v_vfsp;
 909         smi = VFTOSMI(vfsp);
 910 
 911         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
 912                 return (EIO);
 913 
 914         if (smi->smi_flags & SMI_DEAD || vfsp->vfs_flag & VFS_UNMOUNTED)
 915                 return (EIO);
 916 
 917         mask = vap->va_mask;
 918         if (mask & AT_NOSET)
 919                 return (EINVAL);
 920 
 921         if (vfsp->vfs_flag & VFS_RDONLY)
 922                 return (EROFS);
 923 
 924         /*
 925          * This is a _local_ access check so that only the owner of
 926          * this mount can set attributes.  With ACLs enabled, the
 927          * file owner can be different from the mount owner, and we
 928          * need to check the _mount_ owner here.  See _access_rwx
 929          */
 930         bzero(&oldva, sizeof (oldva));
 931         oldva.va_mask = AT_TYPE | AT_MODE;
 932         error = smbfsgetattr(vp, &oldva, cr);
 933         if (error)
 934                 return (error);
 935         oldva.va_mask |= AT_UID | AT_GID;
 936         oldva.va_uid = smi->smi_uid;
 937         oldva.va_gid = smi->smi_gid;
 938 
 939         error = secpolicy_vnode_setattr(cr, vp, vap, &oldva, flags,
 940             smbfs_accessx, vp);
 941         if (error)
 942                 return (error);
 943 
 944         if (mask & (AT_UID | AT_GID)) {
 945                 if (smi->smi_flags & SMI_ACL)
 946                         error = smbfs_acl_setids(vp, vap, cr);
 947                 else
 948                         error = ENOSYS;
 949                 if (error != 0) {
 950                         SMBVDEBUG("error %d seting UID/GID on %s",
 951                             error, VTOSMB(vp)->n_rpath);
 952                         /*
 953                          * It might be more correct to return the
 954                          * error here, but that causes complaints
 955                          * when root extracts a cpio archive, etc.
 956                          * So ignore this error, and go ahead with
 957                          * the rest of the setattr work.
 958                          */
 959                 }
 960         }
 961 
 962         return (smbfssetattr(vp, vap, flags, cr));
 963 }
 964 
 965 /*
 966  * Mostly from Darwin smbfs_setattr()
 967  * but then modified a lot.
 968  */
 969 /* ARGSUSED */
 970 static int
 971 smbfssetattr(vnode_t *vp, struct vattr *vap, int flags, cred_t *cr)
 972 {
 973         int             error = 0;
 974         smbnode_t       *np = VTOSMB(vp);
 975         uint_t          mask = vap->va_mask;
 976         struct timespec *mtime, *atime;
 977         struct smb_cred scred;
 978         int             cerror, modified = 0;
 979         unsigned short  fid;
 980         int have_fid = 0;
 981         uint32_t rights = 0;
 982 
 983         ASSERT(curproc->p_zone == VTOSMI(vp)->smi_zone_ref.zref_zone);
 984 
 985         /*
 986          * There are no settable attributes on the XATTR dir,
 987          * so just silently ignore these.  On XATTR files,
 988          * you can set the size but nothing else.
 989          */
 990         if (vp->v_flag & V_XATTRDIR)
 991                 return (0);
 992         if (np->n_flag & N_XATTR) {
 993                 if (mask & AT_TIMES)
 994                         SMBVDEBUG("ignore set time on xattr\n");
 995                 mask &= AT_SIZE;
 996         }
 997 
 998         /*
 999          * If our caller is trying to set multiple attributes, they
1000          * can make no assumption about what order they are done in.
1001          * Here we try to do them in order of decreasing likelihood
1002          * of failure, just to minimize the chance we'll wind up
1003          * with a partially complete request.
1004          */
1005 
1006         /* Shared lock for (possible) n_fid use. */
1007         if (smbfs_rw_enter_sig(&np->r_lkserlock, RW_READER, SMBINTR(vp)))
1008                 return (EINTR);
1009         smb_credinit(&scred, cr);
1010 
1011         /*
1012          * Will we need an open handle for this setattr?
1013          * If so, what rights will we need?
1014          */
1015         if (mask & (AT_ATIME | AT_MTIME)) {
1016                 rights |=
1017                     SA_RIGHT_FILE_WRITE_ATTRIBUTES;
1018         }
1019         if (mask & AT_SIZE) {
1020                 rights |=
1021                     SA_RIGHT_FILE_WRITE_DATA |
1022                     SA_RIGHT_FILE_APPEND_DATA;
1023         }
1024 
1025         /*
1026          * Only SIZE really requires a handle, but it's
1027          * simpler and more reliable to set via a handle.
1028          * Some servers like NT4 won't set times by path.
1029          * Also, we're usually setting everything anyway.
1030          */
1031         if (mask & (AT_SIZE | AT_ATIME | AT_MTIME)) {
1032                 error = smbfs_smb_tmpopen(np, rights, &scred, &fid);
1033                 if (error) {
1034                         SMBVDEBUG("error %d opening %s\n",
1035                             error, np->n_rpath);
1036                         goto out;
1037                 }
1038                 have_fid = 1;
1039         }
1040 
1041         /*
1042          * If the server supports the UNIX extensions, right here is where
1043          * we'd support changes to uid, gid, mode, and possibly va_flags.
1044          * For now we claim to have made any such changes.
1045          */
1046 
1047         if (mask & AT_SIZE) {
1048                 /*
1049                  * If the new file size is less than what the client sees as
1050                  * the file size, then just change the size and invalidate
1051                  * the pages.
1052                  * I am commenting this code at present because the function
1053                  * smbfs_putapage() is not yet implemented.
1054                  */
1055 
1056                 /*
1057                  * Set the file size to vap->va_size.
1058                  */
1059                 ASSERT(have_fid);
1060                 error = smbfs_smb_setfsize(np, fid, vap->va_size, &scred);
1061                 if (error) {
1062                         SMBVDEBUG("setsize error %d file %s\n",
1063                             error, np->n_rpath);
1064                 } else {
1065                         /*
1066                          * Darwin had code here to zero-extend.
1067                          * Tests indicate the server will zero-fill,
1068                          * so looks like we don't need to do this.
1069                          * Good thing, as this could take forever.
1070                          *
1071                          * XXX: Reportedly, writing one byte of zero
1072                          * at the end offset avoids problems here.
1073                          */
1074                         mutex_enter(&np->r_statelock);
1075                         np->r_size = vap->va_size;
1076                         mutex_exit(&np->r_statelock);
1077                         modified = 1;
1078                 }
1079         }
1080 
1081         /*
1082          * XXX: When Solaris has create_time, set that too.
1083          * Note: create_time is different from ctime.
1084          */
1085         mtime = ((mask & AT_MTIME) ? &vap->va_mtime : 0);
1086         atime = ((mask & AT_ATIME) ? &vap->va_atime : 0);
1087 
1088         if (mtime || atime) {
1089                 /*
1090                  * Always use the handle-based set attr call now.
1091                  * Not trying to set DOS attributes here so pass zero.
1092                  */
1093                 ASSERT(have_fid);
1094                 error = smbfs_smb_setfattr(np, fid,
1095                     0, mtime, atime, &scred);
1096                 if (error) {
1097                         SMBVDEBUG("set times error %d file %s\n",
1098                             error, np->n_rpath);
1099                 } else {
1100                         modified = 1;
1101                 }
1102         }
1103 
1104 out:
1105         if (modified) {
1106                 /*
1107                  * Invalidate attribute cache in case the server
1108                  * doesn't set exactly the attributes we asked.
1109                  */
1110                 smbfs_attrcache_remove(np);
1111         }
1112 
1113         if (have_fid) {
1114                 cerror = smbfs_smb_tmpclose(np, fid, &scred);
1115                 if (cerror)
1116                         SMBVDEBUG("error %d closing %s\n",
1117                             cerror, np->n_rpath);
1118         }
1119 
1120         smb_credrele(&scred);
1121         smbfs_rw_exit(&np->r_lkserlock);
1122 
1123         return (error);
1124 }
1125 
1126 /*
1127  * smbfs_access_rwx()
1128  * Common function for smbfs_access, etc.
1129  *
1130  * The security model implemented by the FS is unusual
1131  * due to the current "single user mounts" restriction:
1132  * All access under a given mount point uses the CIFS
1133  * credentials established by the owner of the mount.
1134  *
1135  * Most access checking is handled by the CIFS server,
1136  * but we need sufficient Unix access checks here to
1137  * prevent other local Unix users from having access
1138  * to objects under this mount that the uid/gid/mode
1139  * settings in the mount would not allow.
1140  *
1141  * With this model, there is a case where we need the
1142  * ability to do an access check before we have the
1143  * vnode for an object.  This function takes advantage
1144  * of the fact that the uid/gid/mode is per mount, and
1145  * avoids the need for a vnode.
1146  *
1147  * We still (sort of) need a vnode when we call
1148  * secpolicy_vnode_access, but that only uses
1149  * the vtype field, so we can use a pair of fake
1150  * vnodes that have only v_type filled in.
1151  *
1152  * XXX: Later, add a new secpolicy_vtype_access()
1153  * that takes the vtype instead of a vnode, and
1154  * get rid of the tmpl_vxxx fake vnodes below.
1155  */
1156 static int
1157 smbfs_access_rwx(vfs_t *vfsp, int vtype, int mode, cred_t *cr)
1158 {
1159         /* See the secpolicy call below. */
1160         static const vnode_t tmpl_vdir = { .v_type = VDIR };
1161         static const vnode_t tmpl_vreg = { .v_type = VREG };
1162         vattr_t         va;
1163         vnode_t         *tvp;
1164         struct smbmntinfo *smi = VFTOSMI(vfsp);
1165         int shift = 0;
1166 
1167         /*
1168          * Build our (fabricated) vnode attributes.
1169          * XXX: Could make these templates in the
1170          * per-mount struct and use them here.
1171          */
1172         bzero(&va, sizeof (va));
1173         va.va_mask = AT_TYPE | AT_MODE | AT_UID | AT_GID;
1174         va.va_type = vtype;
1175         va.va_mode = (vtype == VDIR) ?
1176             smi->smi_dmode : smi->smi_fmode;
1177         va.va_uid = smi->smi_uid;
1178         va.va_gid = smi->smi_gid;
1179 
1180         /*
1181          * Disallow write attempts on read-only file systems,
1182          * unless the file is a device or fifo node.  Note:
1183          * Inline vn_is_readonly and IS_DEVVP here because
1184          * we may not have a vnode ptr.  Original expr. was:
1185          * (mode & VWRITE) && vn_is_readonly(vp) && !IS_DEVVP(vp))
1186          */
1187         if ((mode & VWRITE) &&
1188             (vfsp->vfs_flag & VFS_RDONLY) &&
1189             !(vtype == VCHR || vtype == VBLK || vtype == VFIFO))
1190                 return (EROFS);
1191 
1192         /*
1193          * Disallow attempts to access mandatory lock files.
1194          * Similarly, expand MANDLOCK here.
1195          * XXX: not sure we need this.
1196          */
1197         if ((mode & (VWRITE | VREAD | VEXEC)) &&
1198             va.va_type == VREG && MANDMODE(va.va_mode))
1199                 return (EACCES);
1200 
1201         /*
1202          * Access check is based on only
1203          * one of owner, group, public.
1204          * If not owner, then check group.
1205          * If not a member of the group,
1206          * then check public access.
1207          */
1208         if (crgetuid(cr) != va.va_uid) {
1209                 shift += 3;
1210                 if (!groupmember(va.va_gid, cr))
1211                         shift += 3;
1212         }
1213 
1214         /*
1215          * We need a vnode for secpolicy_vnode_access,
1216          * but the only thing it looks at is v_type,
1217          * so pass one of the templates above.
1218          */
1219         tvp = (va.va_type == VDIR) ?
1220             (vnode_t *)&tmpl_vdir :
1221             (vnode_t *)&tmpl_vreg;
1222 
1223         return (secpolicy_vnode_access2(cr, tvp, va.va_uid,
1224             va.va_mode << shift, mode));
1225 }
1226 
1227 /*
1228  * See smbfs_setattr
1229  */
1230 static int
1231 smbfs_accessx(void *arg, int mode, cred_t *cr)
1232 {
1233         vnode_t *vp = arg;
1234         /*
1235          * Note: The caller has checked the current zone,
1236          * the SMI_DEAD and VFS_UNMOUNTED flags, etc.
1237          */
1238         return (smbfs_access_rwx(vp->v_vfsp, vp->v_type, mode, cr));
1239 }
1240 
1241 /*
1242  * XXX
1243  * This op should support PSARC 2007/403, Modified Access Checks for CIFS
1244  */
1245 /* ARGSUSED */
1246 static int
1247 smbfs_access(vnode_t *vp, int mode, int flags, cred_t *cr, caller_context_t *ct)
1248 {
1249         vfs_t           *vfsp;
1250         smbmntinfo_t    *smi;
1251 
1252         vfsp = vp->v_vfsp;
1253         smi = VFTOSMI(vfsp);
1254 
1255         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
1256                 return (EIO);
1257 
1258         if (smi->smi_flags & SMI_DEAD || vfsp->vfs_flag & VFS_UNMOUNTED)
1259                 return (EIO);
1260 
1261         return (smbfs_access_rwx(vfsp, vp->v_type, mode, cr));
1262 }
1263 
1264 
1265 /*
1266  * Flush local dirty pages to stable storage on the server.
1267  *
1268  * If FNODSYNC is specified, then there is nothing to do because
1269  * metadata changes are not cached on the client before being
1270  * sent to the server.
1271  */
1272 /* ARGSUSED */
1273 static int
1274 smbfs_fsync(vnode_t *vp, int syncflag, cred_t *cr, caller_context_t *ct)
1275 {
1276         int             error = 0;
1277         smbmntinfo_t    *smi;
1278         smbnode_t       *np;
1279         struct smb_cred scred;
1280 
1281         np = VTOSMB(vp);
1282         smi = VTOSMI(vp);
1283 
1284         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
1285                 return (EIO);
1286 
1287         if (smi->smi_flags & SMI_DEAD || vp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
1288                 return (EIO);
1289 
1290         if ((syncflag & FNODSYNC) || IS_SWAPVP(vp))
1291                 return (0);
1292 
1293         if ((syncflag & (FSYNC|FDSYNC)) == 0)
1294                 return (0);
1295 
1296         /* Shared lock for n_fid use in _flush */
1297         if (smbfs_rw_enter_sig(&np->r_lkserlock, RW_READER, SMBINTR(vp)))
1298                 return (EINTR);
1299         smb_credinit(&scred, cr);
1300 
1301         error = smbfs_smb_flush(np, &scred);
1302 
1303         smb_credrele(&scred);
1304         smbfs_rw_exit(&np->r_lkserlock);
1305 
1306         return (error);
1307 }
1308 
1309 /*
1310  * Last reference to vnode went away.
1311  */
1312 /* ARGSUSED */
1313 static void
1314 smbfs_inactive(vnode_t *vp, cred_t *cr, caller_context_t *ct)
1315 {
1316         smbnode_t       *np;
1317         struct smb_cred scred;
1318 
1319         /*
1320          * Don't "bail out" for VFS_UNMOUNTED here,
1321          * as we want to do cleanup, etc.
1322          * See also pcfs_inactive
1323          */
1324 
1325         np = VTOSMB(vp);
1326 
1327         /*
1328          * If this is coming from the wrong zone, we let someone in the right
1329          * zone take care of it asynchronously.  We can get here due to
1330          * VN_RELE() being called from pageout() or fsflush().  This call may
1331          * potentially turn into an expensive no-op if, for instance, v_count
1332          * gets incremented in the meantime, but it's still correct.
1333          */
1334 
1335         /*
1336          * Defend against the possibility that higher-level callers
1337          * might not correctly balance open and close calls.  If we
1338          * get here with open references remaining, it means there
1339          * was a missing VOP_CLOSE somewhere.  If that happens, do
1340          * the close here so we don't "leak" FIDs on the server.
1341          *
1342          * Exclusive lock for modifying n_fid stuff.
1343          * Don't want this one ever interruptible.
1344          */
1345         (void) smbfs_rw_enter_sig(&np->r_lkserlock, RW_WRITER, 0);
1346         smb_credinit(&scred, cr);
1347 
1348         switch (np->n_ovtype) {
1349         case VNON:
1350                 /* not open (OK) */
1351                 break;
1352 
1353         case VDIR:
1354                 if (np->n_dirrefs == 0)
1355                         break;
1356                 SMBVDEBUG("open dir: refs %d path %s\n",
1357                     np->n_dirrefs, np->n_rpath);
1358                 /* Force last close. */
1359                 np->n_dirrefs = 1;
1360                 smbfs_rele_fid(np, &scred);
1361                 break;
1362 
1363         case VREG:
1364                 if (np->n_fidrefs == 0)
1365                         break;
1366                 SMBVDEBUG("open file: refs %d id 0x%x path %s\n",
1367                     np->n_fidrefs, np->n_fid, np->n_rpath);
1368                 /* Force last close. */
1369                 np->n_fidrefs = 1;
1370                 smbfs_rele_fid(np, &scred);
1371                 break;
1372 
1373         default:
1374                 SMBVDEBUG("bad n_ovtype %d\n", np->n_ovtype);
1375                 np->n_ovtype = VNON;
1376                 break;
1377         }
1378 
1379         smb_credrele(&scred);
1380         smbfs_rw_exit(&np->r_lkserlock);
1381 
1382         smbfs_addfree(np);
1383 }
1384 
1385 /*
1386  * Remote file system operations having to do with directory manipulation.
1387  */
1388 /* ARGSUSED */
1389 static int
1390 smbfs_lookup(vnode_t *dvp, char *nm, vnode_t **vpp, struct pathname *pnp,
1391         int flags, vnode_t *rdir, cred_t *cr, caller_context_t *ct,
1392         int *direntflags, pathname_t *realpnp)
1393 {
1394         vfs_t           *vfs;
1395         smbmntinfo_t    *smi;
1396         smbnode_t       *dnp;
1397         int             error;
1398 
1399         vfs = dvp->v_vfsp;
1400         smi = VFTOSMI(vfs);
1401 
1402         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
1403                 return (EPERM);
1404 
1405         if (smi->smi_flags & SMI_DEAD || vfs->vfs_flag & VFS_UNMOUNTED)
1406                 return (EIO);
1407 
1408         dnp = VTOSMB(dvp);
1409 
1410         /*
1411          * Are we looking up extended attributes?  If so, "dvp" is
1412          * the file or directory for which we want attributes, and
1413          * we need a lookup of the (faked up) attribute directory
1414          * before we lookup the rest of the path.
1415          */
1416         if (flags & LOOKUP_XATTR) {
1417                 /*
1418                  * Require the xattr mount option.
1419                  */
1420                 if ((vfs->vfs_flag & VFS_XATTR) == 0)
1421                         return (EINVAL);
1422 
1423                 error = smbfs_get_xattrdir(dvp, vpp, cr, flags);
1424                 return (error);
1425         }
1426 
1427         if (smbfs_rw_enter_sig(&dnp->r_rwlock, RW_READER, SMBINTR(dvp)))
1428                 return (EINTR);
1429 
1430         error = smbfslookup(dvp, nm, vpp, cr, 1, ct);
1431 
1432         smbfs_rw_exit(&dnp->r_rwlock);
1433 
1434         return (error);
1435 }
1436 
1437 /* ARGSUSED */
1438 static int
1439 smbfslookup(vnode_t *dvp, char *nm, vnode_t **vpp, cred_t *cr,
1440         int cache_ok, caller_context_t *ct)
1441 {
1442         int             error;
1443         int             supplen; /* supported length */
1444         vnode_t         *vp;
1445         smbnode_t       *np;
1446         smbnode_t       *dnp;
1447         smbmntinfo_t    *smi;
1448         /* struct smb_vc        *vcp; */
1449         const char      *ill;
1450         const char      *name = (const char *)nm;
1451         int             nmlen = strlen(nm);
1452         int             rplen;
1453         struct smb_cred scred;
1454         struct smbfattr fa;
1455 
1456         smi = VTOSMI(dvp);
1457         dnp = VTOSMB(dvp);
1458 
1459         ASSERT(curproc->p_zone == smi->smi_zone_ref.zref_zone);
1460 
1461 #ifdef NOT_YET
1462         vcp = SSTOVC(smi->smi_share);
1463 
1464         /* XXX: Should compute this once and store it in smbmntinfo_t */
1465         supplen = (SMB_DIALECT(vcp) >= SMB_DIALECT_LANMAN2_0) ? 255 : 12;
1466 #else
1467         supplen = 255;
1468 #endif
1469 
1470         /*
1471          * RWlock must be held, either reader or writer.
1472          * XXX: Can we check without looking directly
1473          * inside the struct smbfs_rwlock_t?
1474          */
1475         ASSERT(dnp->r_rwlock.count != 0);
1476 
1477         /*
1478          * If lookup is for "", just return dvp.
1479          * No need to perform any access checks.
1480          */
1481         if (nmlen == 0) {
1482                 VN_HOLD(dvp);
1483                 *vpp = dvp;
1484                 return (0);
1485         }
1486 
1487         /*
1488          * Can't do lookups in non-directories.
1489          */
1490         if (dvp->v_type != VDIR)
1491                 return (ENOTDIR);
1492 
1493         /*
1494          * Need search permission in the directory.
1495          */
1496         error = smbfs_access(dvp, VEXEC, 0, cr, ct);
1497         if (error)
1498                 return (error);
1499 
1500         /*
1501          * If lookup is for ".", just return dvp.
1502          * Access check was done above.
1503          */
1504         if (nmlen == 1 && name[0] == '.') {
1505                 VN_HOLD(dvp);
1506                 *vpp = dvp;
1507                 return (0);
1508         }
1509 
1510         /*
1511          * Now some sanity checks on the name.
1512          * First check the length.
1513          */
1514         if (nmlen > supplen)
1515                 return (ENAMETOOLONG);
1516 
1517         /*
1518          * Avoid surprises with characters that are
1519          * illegal in Windows file names.
1520          * Todo: CATIA mappings  XXX
1521          */
1522         ill = illegal_chars;
1523         if (dnp->n_flag & N_XATTR)
1524                 ill++; /* allow colon */
1525         if (strpbrk(nm, ill))
1526                 return (EINVAL);
1527 
1528         /*
1529          * Special handling for lookup of ".."
1530          *
1531          * We keep full pathnames (as seen on the server)
1532          * so we can just trim off the last component to
1533          * get the full pathname of the parent.  Note:
1534          * We don't actually copy and modify, but just
1535          * compute the trimmed length and pass that with
1536          * the current dir path (not null terminated).
1537          *
1538          * We don't go over-the-wire to get attributes
1539          * for ".." because we know it's a directory,
1540          * and we can just leave the rest "stale"
1541          * until someone does a getattr.
1542          */
1543         if (nmlen == 2 && name[0] == '.' && name[1] == '.') {
1544                 if (dvp->v_flag & VROOT) {
1545                         /*
1546                          * Already at the root.  This can happen
1547                          * with directory listings at the root,
1548                          * which lookup "." and ".." to get the
1549                          * inode numbers.  Let ".." be the same
1550                          * as "." in the FS root.
1551                          */
1552                         VN_HOLD(dvp);
1553                         *vpp = dvp;
1554                         return (0);
1555                 }
1556 
1557                 /*
1558                  * Special case for XATTR directory
1559                  */
1560                 if (dvp->v_flag & V_XATTRDIR) {
1561                         error = smbfs_xa_parent(dvp, vpp);
1562                         return (error);
1563                 }
1564 
1565                 /*
1566                  * Find the parent path length.
1567                  */
1568                 rplen = dnp->n_rplen;
1569                 ASSERT(rplen > 0);
1570                 while (--rplen >= 0) {
1571                         if (dnp->n_rpath[rplen] == '\\')
1572                                 break;
1573                 }
1574                 if (rplen <= 0) {
1575                         /* Found our way to the root. */
1576                         vp = SMBTOV(smi->smi_root);
1577                         VN_HOLD(vp);
1578                         *vpp = vp;
1579                         return (0);
1580                 }
1581                 np = smbfs_node_findcreate(smi,
1582                     dnp->n_rpath, rplen, NULL, 0, 0,
1583                     &smbfs_fattr0); /* force create */
1584                 ASSERT(np != NULL);
1585                 vp = SMBTOV(np);
1586                 vp->v_type = VDIR;
1587 
1588                 /* Success! */
1589                 *vpp = vp;
1590                 return (0);
1591         }
1592 
1593         /*
1594          * Normal lookup of a name under this directory.
1595          * Note we handled "", ".", ".." above.
1596          */
1597         if (cache_ok) {
1598                 /*
1599                  * The caller indicated that it's OK to use a
1600                  * cached result for this lookup, so try to
1601                  * reclaim a node from the smbfs node cache.
1602                  */
1603                 error = smbfslookup_cache(dvp, nm, nmlen, &vp, cr);
1604                 if (error)
1605                         return (error);
1606                 if (vp != NULL) {
1607                         /* hold taken in lookup_cache */
1608                         *vpp = vp;
1609                         return (0);
1610                 }
1611         }
1612 
1613         /*
1614          * OK, go over-the-wire to get the attributes,
1615          * then create the node.
1616          */
1617         smb_credinit(&scred, cr);
1618         /* Note: this can allocate a new "name" */
1619         error = smbfs_smb_lookup(dnp, &name, &nmlen, &fa, &scred);
1620         smb_credrele(&scred);
1621         if (error == ENOTDIR) {
1622                 /*
1623                  * Lookup failed because this directory was
1624                  * removed or renamed by another client.
1625                  * Remove any cached attributes under it.
1626                  */
1627                 smbfs_attrcache_remove(dnp);
1628                 smbfs_attrcache_prune(dnp);
1629         }
1630         if (error)
1631                 goto out;
1632 
1633         error = smbfs_nget(dvp, name, nmlen, &fa, &vp);
1634         if (error)
1635                 goto out;
1636 
1637         /* Success! */
1638         *vpp = vp;
1639 
1640 out:
1641         /* smbfs_smb_lookup may have allocated name. */
1642         if (name != nm)
1643                 smbfs_name_free(name, nmlen);
1644 
1645         return (error);
1646 }
1647 
1648 /*
1649  * smbfslookup_cache
1650  *
1651  * Try to reclaim a node from the smbfs node cache.
1652  * Some statistics for DEBUG.
1653  *
1654  * This mechanism lets us avoid many of the five (or more)
1655  * OtW lookup calls per file seen with "ls -l" if we search
1656  * the smbfs node cache for recently inactive(ated) nodes.
1657  */
1658 #ifdef DEBUG
1659 int smbfs_lookup_cache_calls = 0;
1660 int smbfs_lookup_cache_error = 0;
1661 int smbfs_lookup_cache_miss = 0;
1662 int smbfs_lookup_cache_stale = 0;
1663 int smbfs_lookup_cache_hits = 0;
1664 #endif /* DEBUG */
1665 
1666 /* ARGSUSED */
1667 static int
1668 smbfslookup_cache(vnode_t *dvp, char *nm, int nmlen,
1669         vnode_t **vpp, cred_t *cr)
1670 {
1671         struct vattr va;
1672         smbnode_t *dnp;
1673         smbnode_t *np;
1674         vnode_t *vp;
1675         int error;
1676         char sep;
1677 
1678         dnp = VTOSMB(dvp);
1679         *vpp = NULL;
1680 
1681 #ifdef DEBUG
1682         smbfs_lookup_cache_calls++;
1683 #endif
1684 
1685         /*
1686          * First make sure we can get attributes for the
1687          * directory.  Cached attributes are OK here.
1688          * If we removed or renamed the directory, this
1689          * will return ENOENT.  If someone else removed
1690          * this directory or file, we'll find out when we
1691          * try to open or get attributes.
1692          */
1693         va.va_mask = AT_TYPE | AT_MODE;
1694         error = smbfsgetattr(dvp, &va, cr);
1695         if (error) {
1696 #ifdef DEBUG
1697                 smbfs_lookup_cache_error++;
1698 #endif
1699                 return (error);
1700         }
1701 
1702         /*
1703          * Passing NULL smbfattr here so we will
1704          * just look, not create.
1705          */
1706         sep = SMBFS_DNP_SEP(dnp);
1707         np = smbfs_node_findcreate(dnp->n_mount,
1708             dnp->n_rpath, dnp->n_rplen,
1709             nm, nmlen, sep, NULL);
1710         if (np == NULL) {
1711 #ifdef DEBUG
1712                 smbfs_lookup_cache_miss++;
1713 #endif
1714                 return (0);
1715         }
1716 
1717         /*
1718          * Found it.  Attributes still valid?
1719          */
1720         vp = SMBTOV(np);
1721         if (np->r_attrtime <= gethrtime()) {
1722                 /* stale */
1723 #ifdef DEBUG
1724                 smbfs_lookup_cache_stale++;
1725 #endif
1726                 VN_RELE(vp);
1727                 return (0);
1728         }
1729 
1730         /*
1731          * Success!
1732          * Caller gets hold from smbfs_node_findcreate
1733          */
1734 #ifdef DEBUG
1735         smbfs_lookup_cache_hits++;
1736 #endif
1737         *vpp = vp;
1738         return (0);
1739 }
1740 
1741 /*
1742  * XXX
1743  * vsecattr_t is new to build 77, and we need to eventually support
1744  * it in order to create an ACL when an object is created.
1745  *
1746  * This op should support the new FIGNORECASE flag for case-insensitive
1747  * lookups, per PSARC 2007/244.
1748  */
1749 /* ARGSUSED */
1750 static int
1751 smbfs_create(vnode_t *dvp, char *nm, struct vattr *va, enum vcexcl exclusive,
1752         int mode, vnode_t **vpp, cred_t *cr, int lfaware, caller_context_t *ct,
1753         vsecattr_t *vsecp)
1754 {
1755         int             error;
1756         int             cerror;
1757         vfs_t           *vfsp;
1758         vnode_t         *vp;
1759 #ifdef NOT_YET
1760         smbnode_t       *np;
1761 #endif
1762         smbnode_t       *dnp;
1763         smbmntinfo_t    *smi;
1764         struct vattr    vattr;
1765         struct smbfattr fattr;
1766         struct smb_cred scred;
1767         const char *name = (const char *)nm;
1768         int             nmlen = strlen(nm);
1769         uint32_t        disp;
1770         uint16_t        fid;
1771         int             xattr;
1772 
1773         vfsp = dvp->v_vfsp;
1774         smi = VFTOSMI(vfsp);
1775         dnp = VTOSMB(dvp);
1776         vp = NULL;
1777 
1778         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
1779                 return (EPERM);
1780 
1781         if (smi->smi_flags & SMI_DEAD || vfsp->vfs_flag & VFS_UNMOUNTED)
1782                 return (EIO);
1783 
1784         /*
1785          * Note: this may break mknod(2) calls to create a directory,
1786          * but that's obscure use.  Some other filesystems do this.
1787          * XXX: Later, redirect VDIR type here to _mkdir.
1788          */
1789         if (va->va_type != VREG)
1790                 return (EINVAL);
1791 
1792         /*
1793          * If the pathname is "", just use dvp, no checks.
1794          * Do this outside of the rwlock (like zfs).
1795          */
1796         if (nmlen == 0) {
1797                 VN_HOLD(dvp);
1798                 *vpp = dvp;
1799                 return (0);
1800         }
1801 
1802         /* Don't allow "." or ".." through here. */
1803         if ((nmlen == 1 && name[0] == '.') ||
1804             (nmlen == 2 && name[0] == '.' && name[1] == '.'))
1805                 return (EISDIR);
1806 
1807         /*
1808          * We make a copy of the attributes because the caller does not
1809          * expect us to change what va points to.
1810          */
1811         vattr = *va;
1812 
1813         if (smbfs_rw_enter_sig(&dnp->r_rwlock, RW_WRITER, SMBINTR(dvp)))
1814                 return (EINTR);
1815         smb_credinit(&scred, cr);
1816 
1817         /*
1818          * XXX: Do we need r_lkserlock too?
1819          * No use of any shared fid or fctx...
1820          */
1821 
1822         /*
1823          * NFS needs to go over the wire, just to be sure whether the
1824          * file exists or not.  Using a cached result is dangerous in
1825          * this case when making a decision regarding existence.
1826          *
1827          * The SMB protocol does NOT really need to go OTW here
1828          * thanks to the expressive NTCREATE disposition values.
1829          * Unfortunately, to do Unix access checks correctly,
1830          * we need to know if the object already exists.
1831          * When the object does not exist, we need VWRITE on
1832          * the directory.  Note: smbfslookup() checks VEXEC.
1833          */
1834         error = smbfslookup(dvp, nm, &vp, cr, 0, ct);
1835         if (error == 0) {
1836                 /*
1837                  * The file already exists.  Error?
1838                  * NB: have a hold from smbfslookup
1839                  */
1840                 if (exclusive == EXCL) {
1841                         error = EEXIST;
1842                         VN_RELE(vp);
1843                         goto out;
1844                 }
1845                 /*
1846                  * Verify requested access.
1847                  */
1848                 error = smbfs_access(vp, mode, 0, cr, ct);
1849                 if (error) {
1850                         VN_RELE(vp);
1851                         goto out;
1852                 }
1853 
1854                 /*
1855                  * Truncate (if requested).
1856                  */
1857                 if ((vattr.va_mask & AT_SIZE) && vattr.va_size == 0) {
1858                         vattr.va_mask = AT_SIZE;
1859                         error = smbfssetattr(vp, &vattr, 0, cr);
1860                         if (error) {
1861                                 VN_RELE(vp);
1862                                 goto out;
1863                         }
1864                 }
1865                 /* Success! */
1866 #ifdef NOT_YET
1867                 vnevent_create(vp, ct);
1868 #endif
1869                 *vpp = vp;
1870                 goto out;
1871         }
1872 
1873         /*
1874          * The file did not exist.  Need VWRITE in the directory.
1875          */
1876         error = smbfs_access(dvp, VWRITE, 0, cr, ct);
1877         if (error)
1878                 goto out;
1879 
1880         /*
1881          * Now things get tricky.  We also need to check the
1882          * requested open mode against the file we may create.
1883          * See comments at smbfs_access_rwx
1884          */
1885         error = smbfs_access_rwx(vfsp, VREG, mode, cr);
1886         if (error)
1887                 goto out;
1888 
1889         /*
1890          * Now the code derived from Darwin,
1891          * but with greater use of NT_CREATE
1892          * disposition options.  Much changed.
1893          *
1894          * Create (or open) a new child node.
1895          * Note we handled "." and ".." above.
1896          */
1897 
1898         if (exclusive == EXCL)
1899                 disp = NTCREATEX_DISP_CREATE;
1900         else {
1901                 /* Truncate regular files if requested. */
1902                 if ((va->va_type == VREG) &&
1903                     (va->va_mask & AT_SIZE) &&
1904                     (va->va_size == 0))
1905                         disp = NTCREATEX_DISP_OVERWRITE_IF;
1906                 else
1907                         disp = NTCREATEX_DISP_OPEN_IF;
1908         }
1909         xattr = (dnp->n_flag & N_XATTR) ? 1 : 0;
1910         error = smbfs_smb_create(dnp,
1911             name, nmlen, xattr,
1912             disp, &scred, &fid);
1913         if (error)
1914                 goto out;
1915 
1916         /*
1917          * XXX: Missing some code here to deal with
1918          * the case where we opened an existing file,
1919          * it's size is larger than 32-bits, and we're
1920          * setting the size from a process that's not
1921          * aware of large file offsets.  i.e.
1922          * from the NFS3 code:
1923          */
1924 #if NOT_YET /* XXX */
1925         if ((vattr.va_mask & AT_SIZE) &&
1926             vp->v_type == VREG) {
1927                 np = VTOSMB(vp);
1928                 /*
1929                  * Check here for large file handled
1930                  * by LF-unaware process (as
1931                  * ufs_create() does)
1932                  */
1933                 if (!(lfaware & FOFFMAX)) {
1934                         mutex_enter(&np->r_statelock);
1935                         if (np->r_size > MAXOFF32_T)
1936                                 error = EOVERFLOW;
1937                         mutex_exit(&np->r_statelock);
1938                 }
1939                 if (!error) {
1940                         vattr.va_mask = AT_SIZE;
1941                         error = smbfssetattr(vp,
1942                             &vattr, 0, cr);
1943                 }
1944         }
1945 #endif /* XXX */
1946         /*
1947          * Should use the fid to get/set the size
1948          * while we have it opened here.  See above.
1949          */
1950 
1951         cerror = smbfs_smb_close(smi->smi_share, fid, NULL, &scred);
1952         if (cerror)
1953                 SMBVDEBUG("error %d closing %s\\%s\n",
1954                     cerror, dnp->n_rpath, name);
1955 
1956         /*
1957          * In the open case, the name may differ a little
1958          * from what we passed to create (case, etc.)
1959          * so call lookup to get the (opened) name.
1960          *
1961          * XXX: Could avoid this extra lookup if the
1962          * "createact" result from NT_CREATE says we
1963          * created the object.
1964          */
1965         error = smbfs_smb_lookup(dnp, &name, &nmlen, &fattr, &scred);
1966         if (error)
1967                 goto out;
1968 
1969         /* update attr and directory cache */
1970         smbfs_attr_touchdir(dnp);
1971 
1972         error = smbfs_nget(dvp, name, nmlen, &fattr, &vp);
1973         if (error)
1974                 goto out;
1975 
1976         /* XXX invalidate pages if we truncated? */
1977 
1978         /* Success! */
1979         *vpp = vp;
1980         error = 0;
1981 
1982 out:
1983         smb_credrele(&scred);
1984         smbfs_rw_exit(&dnp->r_rwlock);
1985         if (name != nm)
1986                 smbfs_name_free(name, nmlen);
1987         return (error);
1988 }
1989 
1990 /*
1991  * XXX
1992  * This op should support the new FIGNORECASE flag for case-insensitive
1993  * lookups, per PSARC 2007/244.
1994  */
1995 /* ARGSUSED */
1996 static int
1997 smbfs_remove(vnode_t *dvp, char *nm, cred_t *cr, caller_context_t *ct,
1998         int flags)
1999 {
2000         int             error;
2001         vnode_t         *vp;
2002         smbnode_t       *np;
2003         smbnode_t       *dnp;
2004         struct smb_cred scred;
2005         /* enum smbfsstat status; */
2006         smbmntinfo_t    *smi;
2007 
2008         smi = VTOSMI(dvp);
2009 
2010         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
2011                 return (EPERM);
2012 
2013         if (smi->smi_flags & SMI_DEAD || dvp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
2014                 return (EIO);
2015 
2016         dnp = VTOSMB(dvp);
2017         if (smbfs_rw_enter_sig(&dnp->r_rwlock, RW_WRITER, SMBINTR(dvp)))
2018                 return (EINTR);
2019         smb_credinit(&scred, cr);
2020 
2021         /*
2022          * Verify access to the dirctory.
2023          */
2024         error = smbfs_access(dvp, VWRITE|VEXEC, 0, cr, ct);
2025         if (error)
2026                 goto out;
2027 
2028         /*
2029          * NOTE:  the darwin code gets the "vp" passed in so it looks
2030          * like the "vp" has probably been "lookup"ed by the VFS layer.
2031          * It looks like we will need to lookup the vp to check the
2032          * caches and check if the object being deleted is a directory.
2033          */
2034         error = smbfslookup(dvp, nm, &vp, cr, 0, ct);
2035         if (error)
2036                 goto out;
2037 
2038         /* Never allow link/unlink directories on CIFS. */
2039         if (vp->v_type == VDIR) {
2040                 VN_RELE(vp);
2041                 error = EPERM;
2042                 goto out;
2043         }
2044 
2045         /*
2046          * Now we have the real reference count on the vnode
2047          * Do we have the file open?
2048          */
2049         np = VTOSMB(vp);
2050         mutex_enter(&np->r_statelock);
2051         if ((vp->v_count > 1) && (np->n_fidrefs > 0)) {
2052                 /*
2053                  * NFS does a rename on remove here.
2054                  * Probably not applicable for SMB.
2055                  * Like Darwin, just return EBUSY.
2056                  *
2057                  * XXX: Todo - Use Trans2rename, and
2058                  * if that fails, ask the server to
2059                  * set the delete-on-close flag.
2060                  */
2061                 mutex_exit(&np->r_statelock);
2062                 error = EBUSY;
2063         } else {
2064                 smbfs_attrcache_rm_locked(np);
2065                 mutex_exit(&np->r_statelock);
2066 
2067                 error = smbfs_smb_delete(np, &scred, NULL, 0, 0);
2068 
2069                 /*
2070                  * If the file should no longer exist, discard
2071                  * any cached attributes under this node.
2072                  */
2073                 switch (error) {
2074                 case 0:
2075                 case ENOENT:
2076                 case ENOTDIR:
2077                         smbfs_attrcache_prune(np);
2078                         break;
2079                 }
2080         }
2081 
2082         VN_RELE(vp);
2083 
2084 out:
2085         smb_credrele(&scred);
2086         smbfs_rw_exit(&dnp->r_rwlock);
2087 
2088         return (error);
2089 }
2090 
2091 
2092 /*
2093  * XXX
2094  * This op should support the new FIGNORECASE flag for case-insensitive
2095  * lookups, per PSARC 2007/244.
2096  */
2097 /* ARGSUSED */
2098 static int
2099 smbfs_rename(vnode_t *odvp, char *onm, vnode_t *ndvp, char *nnm, cred_t *cr,
2100         caller_context_t *ct, int flags)
2101 {
2102         /* vnode_t              *realvp; */
2103 
2104         if (curproc->p_zone != VTOSMI(odvp)->smi_zone_ref.zref_zone ||
2105             curproc->p_zone != VTOSMI(ndvp)->smi_zone_ref.zref_zone)
2106                 return (EPERM);
2107 
2108         if (VTOSMI(odvp)->smi_flags & SMI_DEAD ||
2109             VTOSMI(ndvp)->smi_flags & SMI_DEAD ||
2110             odvp->v_vfsp->vfs_flag & VFS_UNMOUNTED ||
2111             ndvp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
2112                 return (EIO);
2113 
2114         return (smbfsrename(odvp, onm, ndvp, nnm, cr, ct));
2115 }
2116 
2117 /*
2118  * smbfsrename does the real work of renaming in SMBFS
2119  */
2120 /* ARGSUSED */
2121 static int
2122 smbfsrename(vnode_t *odvp, char *onm, vnode_t *ndvp, char *nnm, cred_t *cr,
2123         caller_context_t *ct)
2124 {
2125         int             error;
2126         int             nvp_locked = 0;
2127         vnode_t         *nvp = NULL;
2128         vnode_t         *ovp = NULL;
2129         smbnode_t       *onp;
2130         smbnode_t       *nnp;
2131         smbnode_t       *odnp;
2132         smbnode_t       *ndnp;
2133         struct smb_cred scred;
2134         /* enum smbfsstat       status; */
2135 
2136         ASSERT(curproc->p_zone == VTOSMI(odvp)->smi_zone_ref.zref_zone);
2137 
2138         if (strcmp(onm, ".") == 0 || strcmp(onm, "..") == 0 ||
2139             strcmp(nnm, ".") == 0 || strcmp(nnm, "..") == 0)
2140                 return (EINVAL);
2141 
2142         /*
2143          * Check that everything is on the same filesystem.
2144          * vn_rename checks the fsid's, but in case we don't
2145          * fill those in correctly, check here too.
2146          */
2147         if (odvp->v_vfsp != ndvp->v_vfsp)
2148                 return (EXDEV);
2149 
2150         odnp = VTOSMB(odvp);
2151         ndnp = VTOSMB(ndvp);
2152 
2153         /*
2154          * Avoid deadlock here on old vs new directory nodes
2155          * by always taking the locks in order of address.
2156          * The order is arbitrary, but must be consistent.
2157          */
2158         if (odnp < ndnp) {
2159                 if (smbfs_rw_enter_sig(&odnp->r_rwlock, RW_WRITER,
2160                     SMBINTR(odvp)))
2161                         return (EINTR);
2162                 if (smbfs_rw_enter_sig(&ndnp->r_rwlock, RW_WRITER,
2163                     SMBINTR(ndvp))) {
2164                         smbfs_rw_exit(&odnp->r_rwlock);
2165                         return (EINTR);
2166                 }
2167         } else {
2168                 if (smbfs_rw_enter_sig(&ndnp->r_rwlock, RW_WRITER,
2169                     SMBINTR(ndvp)))
2170                         return (EINTR);
2171                 if (smbfs_rw_enter_sig(&odnp->r_rwlock, RW_WRITER,
2172                     SMBINTR(odvp))) {
2173                         smbfs_rw_exit(&ndnp->r_rwlock);
2174                         return (EINTR);
2175                 }
2176         }
2177         smb_credinit(&scred, cr);
2178         /*
2179          * No returns after this point (goto out)
2180          */
2181 
2182         /*
2183          * Need write access on source and target.
2184          * Server takes care of most checks.
2185          */
2186         error = smbfs_access(odvp, VWRITE|VEXEC, 0, cr, ct);
2187         if (error)
2188                 goto out;
2189         if (odvp != ndvp) {
2190                 error = smbfs_access(ndvp, VWRITE, 0, cr, ct);
2191                 if (error)
2192                         goto out;
2193         }
2194 
2195         /*
2196          * Lookup the source name.  Must already exist.
2197          */
2198         error = smbfslookup(odvp, onm, &ovp, cr, 0, ct);
2199         if (error)
2200                 goto out;
2201 
2202         /*
2203          * Lookup the target file.  If it exists, it needs to be
2204          * checked to see whether it is a mount point and whether
2205          * it is active (open).
2206          */
2207         error = smbfslookup(ndvp, nnm, &nvp, cr, 0, ct);
2208         if (!error) {
2209                 /*
2210                  * Target (nvp) already exists.  Check that it
2211                  * has the same type as the source.  The server
2212                  * will check this also, (and more reliably) but
2213                  * this lets us return the correct error codes.
2214                  */
2215                 if (ovp->v_type == VDIR) {
2216                         if (nvp->v_type != VDIR) {
2217                                 error = ENOTDIR;
2218                                 goto out;
2219                         }
2220                 } else {
2221                         if (nvp->v_type == VDIR) {
2222                                 error = EISDIR;
2223                                 goto out;
2224                         }
2225                 }
2226 
2227                 /*
2228                  * POSIX dictates that when the source and target
2229                  * entries refer to the same file object, rename
2230                  * must do nothing and exit without error.
2231                  */
2232                 if (ovp == nvp) {
2233                         error = 0;
2234                         goto out;
2235                 }
2236 
2237                 /*
2238                  * Also must ensure the target is not a mount point,
2239                  * and keep mount/umount away until we're done.
2240                  */
2241                 if (vn_vfsrlock(nvp)) {
2242                         error = EBUSY;
2243                         goto out;
2244                 }
2245                 nvp_locked = 1;
2246                 if (vn_mountedvfs(nvp) != NULL) {
2247                         error = EBUSY;
2248                         goto out;
2249                 }
2250 
2251                 /*
2252                  * CIFS gives a SHARING_VIOLATION error when
2253                  * trying to rename onto an exising object,
2254                  * so try to remove the target first.
2255                  * (Only for files, not directories.)
2256                  */
2257                 if (nvp->v_type == VDIR) {
2258                         error = EEXIST;
2259                         goto out;
2260                 }
2261 
2262                 /*
2263                  * Nodes that are "not active" here have v_count=2
2264                  * because vn_renameat (our caller) did a lookup on
2265                  * both the source and target before this call.
2266                  * Otherwise this similar to smbfs_remove.
2267                  */
2268                 nnp = VTOSMB(nvp);
2269                 mutex_enter(&nnp->r_statelock);
2270                 if ((nvp->v_count > 2) && (nnp->n_fidrefs > 0)) {
2271                         /*
2272                          * The target file exists, is not the same as
2273                          * the source file, and is active.  Other FS
2274                          * implementations unlink the target here.
2275                          * For SMB, we don't assume we can remove an
2276                          * open file.  Return an error instead.
2277                          */
2278                         mutex_exit(&nnp->r_statelock);
2279                         error = EBUSY;
2280                         goto out;
2281                 }
2282 
2283                 /*
2284                  * Target file is not active. Try to remove it.
2285                  */
2286                 smbfs_attrcache_rm_locked(nnp);
2287                 mutex_exit(&nnp->r_statelock);
2288 
2289                 error = smbfs_smb_delete(nnp, &scred, NULL, 0, 0);
2290 
2291                 /*
2292                  * Similar to smbfs_remove
2293                  */
2294                 switch (error) {
2295                 case 0:
2296                 case ENOENT:
2297                 case ENOTDIR:
2298                         smbfs_attrcache_prune(nnp);
2299                         break;
2300                 }
2301 
2302                 if (error)
2303                         goto out;
2304                 /*
2305                  * OK, removed the target file.  Continue as if
2306                  * lookup target had failed (nvp == NULL).
2307                  */
2308                 vn_vfsunlock(nvp);
2309                 nvp_locked = 0;
2310                 VN_RELE(nvp);
2311                 nvp = NULL;
2312         } /* nvp */
2313 
2314         onp = VTOSMB(ovp);
2315         smbfs_attrcache_remove(onp);
2316 
2317         error = smbfs_smb_rename(onp, ndnp, nnm, strlen(nnm), &scred);
2318 
2319         /*
2320          * If the old name should no longer exist,
2321          * discard any cached attributes under it.
2322          */
2323         if (error == 0)
2324                 smbfs_attrcache_prune(onp);
2325 
2326 out:
2327         if (nvp) {
2328                 if (nvp_locked)
2329                         vn_vfsunlock(nvp);
2330                 VN_RELE(nvp);
2331         }
2332         if (ovp)
2333                 VN_RELE(ovp);
2334 
2335         smb_credrele(&scred);
2336         smbfs_rw_exit(&odnp->r_rwlock);
2337         smbfs_rw_exit(&ndnp->r_rwlock);
2338 
2339         return (error);
2340 }
2341 
2342 /*
2343  * XXX
2344  * vsecattr_t is new to build 77, and we need to eventually support
2345  * it in order to create an ACL when an object is created.
2346  *
2347  * This op should support the new FIGNORECASE flag for case-insensitive
2348  * lookups, per PSARC 2007/244.
2349  */
2350 /* ARGSUSED */
2351 static int
2352 smbfs_mkdir(vnode_t *dvp, char *nm, struct vattr *va, vnode_t **vpp,
2353         cred_t *cr, caller_context_t *ct, int flags, vsecattr_t *vsecp)
2354 {
2355         vnode_t         *vp;
2356         struct smbnode  *dnp = VTOSMB(dvp);
2357         struct smbmntinfo *smi = VTOSMI(dvp);
2358         struct smb_cred scred;
2359         struct smbfattr fattr;
2360         const char              *name = (const char *) nm;
2361         int             nmlen = strlen(name);
2362         int             error, hiderr;
2363 
2364         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
2365                 return (EPERM);
2366 
2367         if (smi->smi_flags & SMI_DEAD || dvp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
2368                 return (EIO);
2369 
2370         if ((nmlen == 1 && name[0] == '.') ||
2371             (nmlen == 2 && name[0] == '.' && name[1] == '.'))
2372                 return (EEXIST);
2373 
2374         /* Only plain files are allowed in V_XATTRDIR. */
2375         if (dvp->v_flag & V_XATTRDIR)
2376                 return (EINVAL);
2377 
2378         if (smbfs_rw_enter_sig(&dnp->r_rwlock, RW_WRITER, SMBINTR(dvp)))
2379                 return (EINTR);
2380         smb_credinit(&scred, cr);
2381 
2382         /*
2383          * XXX: Do we need r_lkserlock too?
2384          * No use of any shared fid or fctx...
2385          */
2386 
2387         /*
2388          * Require write access in the containing directory.
2389          */
2390         error = smbfs_access(dvp, VWRITE, 0, cr, ct);
2391         if (error)
2392                 goto out;
2393 
2394         error = smbfs_smb_mkdir(dnp, name, nmlen, &scred);
2395         if (error)
2396                 goto out;
2397 
2398         error = smbfs_smb_lookup(dnp, &name, &nmlen, &fattr, &scred);
2399         if (error)
2400                 goto out;
2401 
2402         smbfs_attr_touchdir(dnp);
2403 
2404         error = smbfs_nget(dvp, name, nmlen, &fattr, &vp);
2405         if (error)
2406                 goto out;
2407 
2408         if (name[0] == '.')
2409                 if ((hiderr = smbfs_smb_hideit(VTOSMB(vp), NULL, 0, &scred)))
2410                         SMBVDEBUG("hide failure %d\n", hiderr);
2411 
2412         /* Success! */
2413         *vpp = vp;
2414         error = 0;
2415 out:
2416         smb_credrele(&scred);
2417         smbfs_rw_exit(&dnp->r_rwlock);
2418 
2419         if (name != nm)
2420                 smbfs_name_free(name, nmlen);
2421 
2422         return (error);
2423 }
2424 
2425 /*
2426  * XXX
2427  * This op should support the new FIGNORECASE flag for case-insensitive
2428  * lookups, per PSARC 2007/244.
2429  */
2430 /* ARGSUSED */
2431 static int
2432 smbfs_rmdir(vnode_t *dvp, char *nm, vnode_t *cdir, cred_t *cr,
2433         caller_context_t *ct, int flags)
2434 {
2435         vnode_t         *vp = NULL;
2436         int             vp_locked = 0;
2437         struct smbmntinfo *smi = VTOSMI(dvp);
2438         struct smbnode  *dnp = VTOSMB(dvp);
2439         struct smbnode  *np;
2440         struct smb_cred scred;
2441         int             error;
2442 
2443         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
2444                 return (EPERM);
2445 
2446         if (smi->smi_flags & SMI_DEAD || dvp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
2447                 return (EIO);
2448 
2449         if (smbfs_rw_enter_sig(&dnp->r_rwlock, RW_WRITER, SMBINTR(dvp)))
2450                 return (EINTR);
2451         smb_credinit(&scred, cr);
2452 
2453         /*
2454          * Require w/x access in the containing directory.
2455          * Server handles all other access checks.
2456          */
2457         error = smbfs_access(dvp, VEXEC|VWRITE, 0, cr, ct);
2458         if (error)
2459                 goto out;
2460 
2461         /*
2462          * First lookup the entry to be removed.
2463          */
2464         error = smbfslookup(dvp, nm, &vp, cr, 0, ct);
2465         if (error)
2466                 goto out;
2467         np = VTOSMB(vp);
2468 
2469         /*
2470          * Disallow rmdir of "." or current dir, or the FS root.
2471          * Also make sure it's a directory, not a mount point,
2472          * and lock to keep mount/umount away until we're done.
2473          */
2474         if ((vp == dvp) || (vp == cdir) || (vp->v_flag & VROOT)) {
2475                 error = EINVAL;
2476                 goto out;
2477         }
2478         if (vp->v_type != VDIR) {
2479                 error = ENOTDIR;
2480                 goto out;
2481         }
2482         if (vn_vfsrlock(vp)) {
2483                 error = EBUSY;
2484                 goto out;
2485         }
2486         vp_locked = 1;
2487         if (vn_mountedvfs(vp) != NULL) {
2488                 error = EBUSY;
2489                 goto out;
2490         }
2491 
2492         smbfs_attrcache_remove(np);
2493         error = smbfs_smb_rmdir(np, &scred);
2494 
2495         /*
2496          * Similar to smbfs_remove
2497          */
2498         switch (error) {
2499         case 0:
2500         case ENOENT:
2501         case ENOTDIR:
2502                 smbfs_attrcache_prune(np);
2503                 break;
2504         }
2505 
2506         if (error)
2507                 goto out;
2508 
2509         mutex_enter(&np->r_statelock);
2510         dnp->n_flag |= NMODIFIED;
2511         mutex_exit(&np->r_statelock);
2512         smbfs_attr_touchdir(dnp);
2513         smbfs_rmhash(np);
2514 
2515 out:
2516         if (vp) {
2517                 if (vp_locked)
2518                         vn_vfsunlock(vp);
2519                 VN_RELE(vp);
2520         }
2521         smb_credrele(&scred);
2522         smbfs_rw_exit(&dnp->r_rwlock);
2523 
2524         return (error);
2525 }
2526 
2527 
2528 /* ARGSUSED */
2529 static int
2530 smbfs_readdir(vnode_t *vp, struct uio *uiop, cred_t *cr, int *eofp,
2531         caller_context_t *ct, int flags)
2532 {
2533         struct smbnode  *np = VTOSMB(vp);
2534         int             error = 0;
2535         smbmntinfo_t    *smi;
2536 
2537         smi = VTOSMI(vp);
2538 
2539         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
2540                 return (EIO);
2541 
2542         if (smi->smi_flags & SMI_DEAD || vp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
2543                 return (EIO);
2544 
2545         /*
2546          * Require read access in the directory.
2547          */
2548         error = smbfs_access(vp, VREAD, 0, cr, ct);
2549         if (error)
2550                 return (error);
2551 
2552         ASSERT(smbfs_rw_lock_held(&np->r_rwlock, RW_READER));
2553 
2554         /*
2555          * XXX: Todo readdir cache here
2556          * Note: NFS code is just below this.
2557          *
2558          * I am serializing the entire readdir opreation
2559          * now since we have not yet implemented readdir
2560          * cache. This fix needs to be revisited once
2561          * we implement readdir cache.
2562          */
2563         if (smbfs_rw_enter_sig(&np->r_lkserlock, RW_WRITER, SMBINTR(vp)))
2564                 return (EINTR);
2565 
2566         error = smbfs_readvdir(vp, uiop, cr, eofp, ct);
2567 
2568         smbfs_rw_exit(&np->r_lkserlock);
2569 
2570         return (error);
2571 }
2572 
2573 /* ARGSUSED */
2574 static int
2575 smbfs_readvdir(vnode_t *vp, uio_t *uio, cred_t *cr, int *eofp,
2576         caller_context_t *ct)
2577 {
2578         /*
2579          * Note: "limit" tells the SMB-level FindFirst/FindNext
2580          * functions how many directory entries to request in
2581          * each OtW call.  It needs to be large enough so that
2582          * we don't make lots of tiny OtW requests, but there's
2583          * no point making it larger than the maximum number of
2584          * OtW entries that would fit in a maximum sized trans2
2585          * response (64k / 48).  Beyond that, it's just tuning.
2586          * WinNT used 512, Win2k used 1366.  We use 1000.
2587          */
2588         static const int limit = 1000;
2589         /* Largest possible dirent size. */
2590         static const size_t dbufsiz = DIRENT64_RECLEN(SMB_MAXFNAMELEN);
2591         struct smb_cred scred;
2592         vnode_t         *newvp;
2593         struct smbnode  *np = VTOSMB(vp);
2594         struct smbfs_fctx *ctx;
2595         struct dirent64 *dp;
2596         ssize_t         save_resid;
2597         offset_t        save_offset; /* 64 bits */
2598         int             offset; /* yes, 32 bits */
2599         int             nmlen, error;
2600         ushort_t        reclen;
2601 
2602         ASSERT(curproc->p_zone == VTOSMI(vp)->smi_zone_ref.zref_zone);
2603 
2604         /* Make sure we serialize for n_dirseq use. */
2605         ASSERT(smbfs_rw_lock_held(&np->r_lkserlock, RW_WRITER));
2606 
2607         /*
2608          * Make sure smbfs_open filled in n_dirseq
2609          */
2610         if (np->n_dirseq == NULL)
2611                 return (EBADF);
2612 
2613         /* Check for overflow of (32-bit) directory offset. */
2614         if (uio->uio_loffset < 0 || uio->uio_loffset > INT32_MAX ||
2615             (uio->uio_loffset + uio->uio_resid) > INT32_MAX)
2616                 return (EINVAL);
2617 
2618         /* Require space for at least one dirent. */
2619         if (uio->uio_resid < dbufsiz)
2620                 return (EINVAL);
2621 
2622         SMBVDEBUG("dirname='%s'\n", np->n_rpath);
2623         smb_credinit(&scred, cr);
2624         dp = kmem_alloc(dbufsiz, KM_SLEEP);
2625 
2626         save_resid = uio->uio_resid;
2627         save_offset = uio->uio_loffset;
2628         offset = uio->uio_offset;
2629         SMBVDEBUG("in: offset=%d, resid=%d\n",
2630             (int)uio->uio_offset, (int)uio->uio_resid);
2631         error = 0;
2632 
2633         /*
2634          * Generate the "." and ".." entries here so we can
2635          * (1) make sure they appear (but only once), and
2636          * (2) deal with getting their I numbers which the
2637          * findnext below does only for normal names.
2638          */
2639         while (offset < FIRST_DIROFS) {
2640                 /*
2641                  * Tricky bit filling in the first two:
2642                  * offset 0 is ".", offset 1 is ".."
2643                  * so strlen of these is offset+1.
2644                  */
2645                 reclen = DIRENT64_RECLEN(offset + 1);
2646                 if (uio->uio_resid < reclen)
2647                         goto out;
2648                 bzero(dp, reclen);
2649                 dp->d_reclen = reclen;
2650                 dp->d_name[0] = '.';
2651                 dp->d_name[1] = '.';
2652                 dp->d_name[offset + 1] = '\0';
2653                 /*
2654                  * Want the real I-numbers for the "." and ".."
2655                  * entries.  For these two names, we know that
2656                  * smbfslookup can get the nodes efficiently.
2657                  */
2658                 error = smbfslookup(vp, dp->d_name, &newvp, cr, 1, ct);
2659                 if (error) {
2660                         dp->d_ino = np->n_ino + offset; /* fiction */
2661                 } else {
2662                         dp->d_ino = VTOSMB(newvp)->n_ino;
2663                         VN_RELE(newvp);
2664                 }
2665                 /*
2666                  * Note: d_off is the offset that a user-level program
2667                  * should seek to for reading the NEXT directory entry.
2668                  * See libc: readdir, telldir, seekdir
2669                  */
2670                 dp->d_off = offset + 1;
2671                 error = uiomove(dp, reclen, UIO_READ, uio);
2672                 if (error)
2673                         goto out;
2674                 /*
2675                  * Note: uiomove updates uio->uio_offset,
2676                  * but we want it to be our "cookie" value,
2677                  * which just counts dirents ignoring size.
2678                  */
2679                 uio->uio_offset = ++offset;
2680         }
2681 
2682         /*
2683          * If there was a backward seek, we have to reopen.
2684          */
2685         if (offset < np->n_dirofs) {
2686                 SMBVDEBUG("Reopening search %d:%d\n",
2687                     offset, np->n_dirofs);
2688                 error = smbfs_smb_findopen(np, "*", 1,
2689                     SMB_FA_SYSTEM | SMB_FA_HIDDEN | SMB_FA_DIR,
2690                     &scred, &ctx);
2691                 if (error) {
2692                         SMBVDEBUG("can not open search, error = %d", error);
2693                         goto out;
2694                 }
2695                 /* free the old one */
2696                 (void) smbfs_smb_findclose(np->n_dirseq, &scred);
2697                 /* save the new one */
2698                 np->n_dirseq = ctx;
2699                 np->n_dirofs = FIRST_DIROFS;
2700         } else {
2701                 ctx = np->n_dirseq;
2702         }
2703 
2704         /*
2705          * Skip entries before the requested offset.
2706          */
2707         while (np->n_dirofs < offset) {
2708                 error = smbfs_smb_findnext(ctx, limit, &scred);
2709                 if (error != 0)
2710                         goto out;
2711                 np->n_dirofs++;
2712         }
2713 
2714         /*
2715          * While there's room in the caller's buffer:
2716          *      get a directory entry from SMB,
2717          *      convert to a dirent, copyout.
2718          * We stop when there is no longer room for a
2719          * maximum sized dirent because we must decide
2720          * before we know anything about the next entry.
2721          */
2722         while (uio->uio_resid >= dbufsiz) {
2723                 error = smbfs_smb_findnext(ctx, limit, &scred);
2724                 if (error != 0)
2725                         goto out;
2726                 np->n_dirofs++;
2727 
2728                 /* Sanity check the name length. */
2729                 nmlen = ctx->f_nmlen;
2730                 if (nmlen > SMB_MAXFNAMELEN) {
2731                         nmlen = SMB_MAXFNAMELEN;
2732                         SMBVDEBUG("Truncating name: %s\n", ctx->f_name);
2733                 }
2734                 if (smbfs_fastlookup) {
2735                         /* See comment at smbfs_fastlookup above. */
2736                         if (smbfs_nget(vp, ctx->f_name, nmlen,
2737                             &ctx->f_attr, &newvp) == 0)
2738                                 VN_RELE(newvp);
2739                 }
2740 
2741                 reclen = DIRENT64_RECLEN(nmlen);
2742                 bzero(dp, reclen);
2743                 dp->d_reclen = reclen;
2744                 bcopy(ctx->f_name, dp->d_name, nmlen);
2745                 dp->d_name[nmlen] = '\0';
2746                 dp->d_ino = ctx->f_inum;
2747                 dp->d_off = offset + 1;      /* See d_off comment above */
2748                 error = uiomove(dp, reclen, UIO_READ, uio);
2749                 if (error)
2750                         goto out;
2751                 /* See comment re. uio_offset above. */
2752                 uio->uio_offset = ++offset;
2753         }
2754 
2755 out:
2756         /*
2757          * When we come to the end of a directory, the
2758          * SMB-level functions return ENOENT, but the
2759          * caller is not expecting an error return.
2760          *
2761          * Also note that we must delay the call to
2762          * smbfs_smb_findclose(np->n_dirseq, ...)
2763          * until smbfs_close so that all reads at the
2764          * end of the directory will return no data.
2765          */
2766         if (error == ENOENT) {
2767                 error = 0;
2768                 if (eofp)
2769                         *eofp = 1;
2770         }
2771         /*
2772          * If we encountered an error (i.e. "access denied")
2773          * from the FindFirst call, we will have copied out
2774          * the "." and ".." entries leaving offset == 2.
2775          * In that case, restore the original offset/resid
2776          * so the caller gets no data with the error.
2777          */
2778         if (error != 0 && offset == FIRST_DIROFS) {
2779                 uio->uio_loffset = save_offset;
2780                 uio->uio_resid = save_resid;
2781         }
2782         SMBVDEBUG("out: offset=%d, resid=%d\n",
2783             (int)uio->uio_offset, (int)uio->uio_resid);
2784 
2785         kmem_free(dp, dbufsiz);
2786         smb_credrele(&scred);
2787         return (error);
2788 }
2789 
2790 
2791 /*
2792  * The pair of functions VOP_RWLOCK, VOP_RWUNLOCK
2793  * are optional functions that are called by:
2794  *    getdents, before/after VOP_READDIR
2795  *    pread, before/after ... VOP_READ
2796  *    pwrite, before/after ... VOP_WRITE
2797  *    (other places)
2798  *
2799  * Careful here: None of the above check for any
2800  * error returns from VOP_RWLOCK / VOP_RWUNLOCK!
2801  * In fact, the return value from _rwlock is NOT
2802  * an error code, but V_WRITELOCK_TRUE / _FALSE.
2803  *
2804  * Therefore, it's up to _this_ code to make sure
2805  * the lock state remains balanced, which means
2806  * we can't "bail out" on interrupts, etc.
2807  */
2808 
2809 /* ARGSUSED2 */
2810 static int
2811 smbfs_rwlock(vnode_t *vp, int write_lock, caller_context_t *ctp)
2812 {
2813         smbnode_t       *np = VTOSMB(vp);
2814 
2815         if (!write_lock) {
2816                 (void) smbfs_rw_enter_sig(&np->r_rwlock, RW_READER, FALSE);
2817                 return (V_WRITELOCK_FALSE);
2818         }
2819 
2820 
2821         (void) smbfs_rw_enter_sig(&np->r_rwlock, RW_WRITER, FALSE);
2822         return (V_WRITELOCK_TRUE);
2823 }
2824 
2825 /* ARGSUSED */
2826 static void
2827 smbfs_rwunlock(vnode_t *vp, int write_lock, caller_context_t *ctp)
2828 {
2829         smbnode_t       *np = VTOSMB(vp);
2830 
2831         smbfs_rw_exit(&np->r_rwlock);
2832 }
2833 
2834 
2835 /* ARGSUSED */
2836 static int
2837 smbfs_seek(vnode_t *vp, offset_t ooff, offset_t *noffp, caller_context_t *ct)
2838 {
2839         smbmntinfo_t    *smi;
2840 
2841         smi = VTOSMI(vp);
2842 
2843         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
2844                 return (EPERM);
2845 
2846         if (smi->smi_flags & SMI_DEAD || vp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
2847                 return (EIO);
2848 
2849         /*
2850          * Because we stuff the readdir cookie into the offset field
2851          * someone may attempt to do an lseek with the cookie which
2852          * we want to succeed.
2853          */
2854         if (vp->v_type == VDIR)
2855                 return (0);
2856 
2857         /* Like NFS3, just check for 63-bit overflow. */
2858         if (*noffp < 0)
2859                 return (EINVAL);
2860 
2861         return (0);
2862 }
2863 
2864 
2865 /*
2866  * XXX
2867  * This op may need to support PSARC 2007/440, nbmand changes for CIFS Service.
2868  */
2869 static int
2870 smbfs_frlock(vnode_t *vp, int cmd, struct flock64 *bfp, int flag,
2871         offset_t offset, struct flk_callback *flk_cbp, cred_t *cr,
2872         caller_context_t *ct)
2873 {
2874         if (curproc->p_zone != VTOSMI(vp)->smi_zone_ref.zref_zone)
2875                 return (EIO);
2876 
2877         if (VTOSMI(vp)->smi_flags & SMI_LLOCK)
2878                 return (fs_frlock(vp, cmd, bfp, flag, offset, flk_cbp, cr, ct));
2879         else
2880                 return (ENOSYS);
2881 }
2882 
2883 /*
2884  * Free storage space associated with the specified vnode.  The portion
2885  * to be freed is specified by bfp->l_start and bfp->l_len (already
2886  * normalized to a "whence" of 0).
2887  *
2888  * Called by fcntl(fd, F_FREESP, lkp) for libc:ftruncate, etc.
2889  */
2890 /* ARGSUSED */
2891 static int
2892 smbfs_space(vnode_t *vp, int cmd, struct flock64 *bfp, int flag,
2893         offset_t offset, cred_t *cr, caller_context_t *ct)
2894 {
2895         int             error;
2896         smbmntinfo_t    *smi;
2897 
2898         smi = VTOSMI(vp);
2899 
2900         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
2901                 return (EIO);
2902 
2903         if (smi->smi_flags & SMI_DEAD || vp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
2904                 return (EIO);
2905 
2906         /* Caller (fcntl) has checked v_type */
2907         ASSERT(vp->v_type == VREG);
2908         if (cmd != F_FREESP)
2909                 return (EINVAL);
2910 
2911         /*
2912          * Like NFS3, no 32-bit offset checks here.
2913          * Our SMB layer takes care to return EFBIG
2914          * when it has to fallback to a 32-bit call.
2915          */
2916 
2917         error = convoff(vp, bfp, 0, offset);
2918         if (!error) {
2919                 ASSERT(bfp->l_start >= 0);
2920                 if (bfp->l_len == 0) {
2921                         struct vattr va;
2922 
2923                         /*
2924                          * ftruncate should not change the ctime and
2925                          * mtime if we truncate the file to its
2926                          * previous size.
2927                          */
2928                         va.va_mask = AT_SIZE;
2929                         error = smbfsgetattr(vp, &va, cr);
2930                         if (error || va.va_size == bfp->l_start)
2931                                 return (error);
2932                         va.va_mask = AT_SIZE;
2933                         va.va_size = bfp->l_start;
2934                         error = smbfssetattr(vp, &va, 0, cr);
2935                 } else
2936                         error = EINVAL;
2937         }
2938 
2939         return (error);
2940 }
2941 
2942 /* ARGSUSED */
2943 static int
2944 smbfs_pathconf(vnode_t *vp, int cmd, ulong_t *valp, cred_t *cr,
2945         caller_context_t *ct)
2946 {
2947         vfs_t *vfs;
2948         smbmntinfo_t *smi;
2949         struct smb_share *ssp;
2950 
2951         vfs = vp->v_vfsp;
2952         smi = VFTOSMI(vfs);
2953 
2954         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
2955                 return (EIO);
2956 
2957         if (smi->smi_flags & SMI_DEAD || vp->v_vfsp->vfs_flag & VFS_UNMOUNTED)
2958                 return (EIO);
2959 
2960         switch (cmd) {
2961         case _PC_FILESIZEBITS:
2962                 ssp = smi->smi_share;
2963                 if (SSTOVC(ssp)->vc_sopt.sv_caps & SMB_CAP_LARGE_FILES)
2964                         *valp = 64;
2965                 else
2966                         *valp = 32;
2967                 break;
2968 
2969         case _PC_LINK_MAX:
2970                 /* We only ever report one link to an object */
2971                 *valp = 1;
2972                 break;
2973 
2974         case _PC_ACL_ENABLED:
2975                 /*
2976                  * Always indicate that ACLs are enabled and
2977                  * that we support ACE_T format, otherwise
2978                  * libsec will ask for ACLENT_T format data
2979                  * which we don't support.
2980                  */
2981                 *valp = _ACL_ACE_ENABLED;
2982                 break;
2983 
2984         case _PC_SYMLINK_MAX:   /* No symlinks until we do Unix extensions */
2985                 *valp = 0;
2986                 break;
2987 
2988         case _PC_XATTR_EXISTS:
2989                 if (vfs->vfs_flag & VFS_XATTR) {
2990                         *valp = smbfs_xa_exists(vp, cr);
2991                         break;
2992                 }
2993                 return (EINVAL);
2994 
2995         case _PC_TIMESTAMP_RESOLUTION:
2996                 /*
2997                  * Windows times are tenths of microseconds
2998                  * (multiples of 100 nanoseconds).
2999                  */
3000                 *valp = 100L;
3001                 break;
3002 
3003         default:
3004                 return (fs_pathconf(vp, cmd, valp, cr, ct));
3005         }
3006         return (0);
3007 }
3008 
3009 /* ARGSUSED */
3010 static int
3011 smbfs_getsecattr(vnode_t *vp, vsecattr_t *vsa, int flag, cred_t *cr,
3012         caller_context_t *ct)
3013 {
3014         vfs_t *vfsp;
3015         smbmntinfo_t *smi;
3016         int     error;
3017         uint_t  mask;
3018 
3019         vfsp = vp->v_vfsp;
3020         smi = VFTOSMI(vfsp);
3021 
3022         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
3023                 return (EIO);
3024 
3025         if (smi->smi_flags & SMI_DEAD || vfsp->vfs_flag & VFS_UNMOUNTED)
3026                 return (EIO);
3027 
3028         /*
3029          * Our _pathconf indicates _ACL_ACE_ENABLED,
3030          * so we should only see VSA_ACE, etc here.
3031          * Note: vn_create asks for VSA_DFACLCNT,
3032          * and it expects ENOSYS and empty data.
3033          */
3034         mask = vsa->vsa_mask & (VSA_ACE | VSA_ACECNT |
3035             VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES);
3036         if (mask == 0)
3037                 return (ENOSYS);
3038 
3039         if (smi->smi_flags & SMI_ACL)
3040                 error = smbfs_acl_getvsa(vp, vsa, flag, cr);
3041         else
3042                 error = ENOSYS;
3043 
3044         if (error == ENOSYS)
3045                 error = fs_fab_acl(vp, vsa, flag, cr, ct);
3046 
3047         return (error);
3048 }
3049 
3050 /* ARGSUSED */
3051 static int
3052 smbfs_setsecattr(vnode_t *vp, vsecattr_t *vsa, int flag, cred_t *cr,
3053         caller_context_t *ct)
3054 {
3055         vfs_t *vfsp;
3056         smbmntinfo_t *smi;
3057         int     error;
3058         uint_t  mask;
3059 
3060         vfsp = vp->v_vfsp;
3061         smi = VFTOSMI(vfsp);
3062 
3063         if (curproc->p_zone != smi->smi_zone_ref.zref_zone)
3064                 return (EIO);
3065 
3066         if (smi->smi_flags & SMI_DEAD || vfsp->vfs_flag & VFS_UNMOUNTED)
3067                 return (EIO);
3068 
3069         /*
3070          * Our _pathconf indicates _ACL_ACE_ENABLED,
3071          * so we should only see VSA_ACE, etc here.
3072          */
3073         mask = vsa->vsa_mask & (VSA_ACE | VSA_ACECNT);
3074         if (mask == 0)
3075                 return (ENOSYS);
3076 
3077         if (vfsp->vfs_flag & VFS_RDONLY)
3078                 return (EROFS);
3079 
3080         /*
3081          * Allow only the mount owner to do this.
3082          * See comments at smbfs_access_rwx.
3083          */
3084         error = secpolicy_vnode_setdac(cr, smi->smi_uid);
3085         if (error != 0)
3086                 return (error);
3087 
3088         if (smi->smi_flags & SMI_ACL)
3089                 error = smbfs_acl_setvsa(vp, vsa, flag, cr);
3090         else
3091                 error = ENOSYS;
3092 
3093         return (error);
3094 }
3095 
3096 
3097 /*
3098  * XXX
3099  * This op should eventually support PSARC 2007/268.
3100  */
3101 static int
3102 smbfs_shrlock(vnode_t *vp, int cmd, struct shrlock *shr, int flag, cred_t *cr,
3103         caller_context_t *ct)
3104 {
3105         if (curproc->p_zone != VTOSMI(vp)->smi_zone_ref.zref_zone)
3106                 return (EIO);
3107 
3108         if (VTOSMI(vp)->smi_flags & SMI_LLOCK)
3109                 return (fs_shrlock(vp, cmd, shr, flag, cr, ct));
3110         else
3111                 return (ENOSYS);
3112 }