1 /*
2  * Copyright (c) 2006 - 2009 Mellanox Technology Inc.  All rights reserved.
3  * Copyright (C) 2008 - 2011 Bart Van Assche <bvanassche@acm.org>.
4  *
5  * This software is available to you under a choice of one of two
6  * licenses.  You may choose to be licensed under the terms of the GNU
7  * General Public License (GPL) Version 2, available from the file
8  * COPYING in the main directory of this source tree, or the
9  * OpenIB.org BSD license below:
10  *
11  *     Redistribution and use in source and binary forms, with or
12  *     without modification, are permitted provided that the following
13  *     conditions are met:
14  *
15  *      - Redistributions of source code must retain the above
16  *        copyright notice, this list of conditions and the following
17  *        disclaimer.
18  *
19  *      - Redistributions in binary form must reproduce the above
20  *        copyright notice, this list of conditions and the following
21  *        disclaimer in the documentation and/or other materials
22  *        provided with the distribution.
23  *
24  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
25  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
26  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
27  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
28  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
29  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
30  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
31  * SOFTWARE.
32  *
33  */
34 
35 #include <linux/module.h>
36 #include <linux/init.h>
37 #include <linux/slab.h>
38 #include <linux/err.h>
39 #include <linux/ctype.h>
40 #include <linux/kthread.h>
41 #include <linux/string.h>
42 #include <linux/delay.h>
43 #include <linux/atomic.h>
44 #include <linux/inet.h>
45 #include <rdma/ib_cache.h>
46 #include <scsi/scsi_proto.h>
47 #include <scsi/scsi_tcq.h>
48 #include <target/target_core_base.h>
49 #include <target/target_core_fabric.h>
50 #include "ib_srpt.h"
51 
52 /* Name of this kernel module. */
53 #define DRV_NAME		"ib_srpt"
54 
55 #define SRPT_ID_STRING	"Linux SRP target"
56 
57 #undef pr_fmt
58 #define pr_fmt(fmt) DRV_NAME " " fmt
59 
60 MODULE_AUTHOR("Vu Pham and Bart Van Assche");
61 MODULE_DESCRIPTION("SCSI RDMA Protocol target driver");
62 MODULE_LICENSE("Dual BSD/GPL");
63 
64 /*
65  * Global Variables
66  */
67 
68 static u64 srpt_service_guid;
69 static DEFINE_SPINLOCK(srpt_dev_lock);	/* Protects srpt_dev_list. */
70 static LIST_HEAD(srpt_dev_list);	/* List of srpt_device structures. */
71 
72 static unsigned srp_max_req_size = DEFAULT_MAX_REQ_SIZE;
73 module_param(srp_max_req_size, int, 0444);
74 MODULE_PARM_DESC(srp_max_req_size,
75 		 "Maximum size of SRP request messages in bytes.");
76 
77 static int srpt_srq_size = DEFAULT_SRPT_SRQ_SIZE;
78 module_param(srpt_srq_size, int, 0444);
79 MODULE_PARM_DESC(srpt_srq_size,
80 		 "Shared receive queue (SRQ) size.");
81 
82 static int srpt_set_u64_x(const char *buffer, const struct kernel_param *kp)
83 {
84 	return kstrtou64(buffer, 16, (u64 *)kp->arg);
85 }
86 static int srpt_get_u64_x(char *buffer, const struct kernel_param *kp)
87 {
88 	return sprintf(buffer, "0x%016llx\n", *(u64 *)kp->arg);
89 }
90 module_param_call(srpt_service_guid, srpt_set_u64_x, srpt_get_u64_x,
91 		  &srpt_service_guid, 0444);
92 MODULE_PARM_DESC(srpt_service_guid,
93 		 "Using this value for ioc_guid, id_ext, and cm_listen_id instead of using the node_guid of the first HCA.");
94 
95 static struct ib_client srpt_client;
96 /* Protects both rdma_cm_port and rdma_cm_id. */
97 static DEFINE_MUTEX(rdma_cm_mutex);
98 /* Port number RDMA/CM will bind to. */
99 static u16 rdma_cm_port;
100 static struct rdma_cm_id *rdma_cm_id;
101 static void srpt_release_cmd(struct se_cmd *se_cmd);
102 static void srpt_free_ch(struct kref *kref);
103 static int srpt_queue_status(struct se_cmd *cmd);
104 static void srpt_recv_done(struct ib_cq *cq, struct ib_wc *wc);
105 static void srpt_send_done(struct ib_cq *cq, struct ib_wc *wc);
106 static void srpt_process_wait_list(struct srpt_rdma_ch *ch);
107 
108 /*
109  * The only allowed channel state changes are those that change the channel
110  * state into a state with a higher numerical value. Hence the new > prev test.
111  */
112 static bool srpt_set_ch_state(struct srpt_rdma_ch *ch, enum rdma_ch_state new)
113 {
114 	unsigned long flags;
115 	enum rdma_ch_state prev;
116 	bool changed = false;
117 
118 	spin_lock_irqsave(&ch->spinlock, flags);
119 	prev = ch->state;
120 	if (new > prev) {
121 		ch->state = new;
122 		changed = true;
123 	}
124 	spin_unlock_irqrestore(&ch->spinlock, flags);
125 
126 	return changed;
127 }
128 
129 /**
130  * srpt_event_handler - asynchronous IB event callback function
131  * @handler: IB event handler registered by ib_register_event_handler().
132  * @event: Description of the event that occurred.
133  *
134  * Callback function called by the InfiniBand core when an asynchronous IB
135  * event occurs. This callback may occur in interrupt context. See also
136  * section 11.5.2, Set Asynchronous Event Handler in the InfiniBand
137  * Architecture Specification.
138  */
139 static void srpt_event_handler(struct ib_event_handler *handler,
140 			       struct ib_event *event)
141 {
142 	struct srpt_device *sdev =
143 		container_of(handler, struct srpt_device, event_handler);
144 	struct srpt_port *sport;
145 	u8 port_num;
146 
147 	pr_debug("ASYNC event= %d on device= %s\n", event->event,
148 		 dev_name(&sdev->device->dev));
149 
150 	switch (event->event) {
151 	case IB_EVENT_PORT_ERR:
152 		port_num = event->element.port_num - 1;
153 		if (port_num < sdev->device->phys_port_cnt) {
154 			sport = &sdev->port[port_num];
155 			sport->lid = 0;
156 			sport->sm_lid = 0;
157 		} else {
158 			WARN(true, "event %d: port_num %d out of range 1..%d\n",
159 			     event->event, port_num + 1,
160 			     sdev->device->phys_port_cnt);
161 		}
162 		break;
163 	case IB_EVENT_PORT_ACTIVE:
164 	case IB_EVENT_LID_CHANGE:
165 	case IB_EVENT_PKEY_CHANGE:
166 	case IB_EVENT_SM_CHANGE:
167 	case IB_EVENT_CLIENT_REREGISTER:
168 	case IB_EVENT_GID_CHANGE:
169 		/* Refresh port data asynchronously. */
170 		port_num = event->element.port_num - 1;
171 		if (port_num < sdev->device->phys_port_cnt) {
172 			sport = &sdev->port[port_num];
173 			if (!sport->lid && !sport->sm_lid)
174 				schedule_work(&sport->work);
175 		} else {
176 			WARN(true, "event %d: port_num %d out of range 1..%d\n",
177 			     event->event, port_num + 1,
178 			     sdev->device->phys_port_cnt);
179 		}
180 		break;
181 	default:
182 		pr_err("received unrecognized IB event %d\n", event->event);
183 		break;
184 	}
185 }
186 
187 /**
188  * srpt_srq_event - SRQ event callback function
189  * @event: Description of the event that occurred.
190  * @ctx: Context pointer specified at SRQ creation time.
191  */
192 static void srpt_srq_event(struct ib_event *event, void *ctx)
193 {
194 	pr_debug("SRQ event %d\n", event->event);
195 }
196 
197 static const char *get_ch_state_name(enum rdma_ch_state s)
198 {
199 	switch (s) {
200 	case CH_CONNECTING:
201 		return "connecting";
202 	case CH_LIVE:
203 		return "live";
204 	case CH_DISCONNECTING:
205 		return "disconnecting";
206 	case CH_DRAINING:
207 		return "draining";
208 	case CH_DISCONNECTED:
209 		return "disconnected";
210 	}
211 	return "???";
212 }
213 
214 /**
215  * srpt_qp_event - QP event callback function
216  * @event: Description of the event that occurred.
217  * @ptr: SRPT RDMA channel.
218  */
219 static void srpt_qp_event(struct ib_event *event, void *ptr)
220 {
221 	struct srpt_rdma_ch *ch = ptr;
222 
223 	pr_debug("QP event %d on ch=%p sess_name=%s-%d state=%s\n",
224 		 event->event, ch, ch->sess_name, ch->qp->qp_num,
225 		 get_ch_state_name(ch->state));
226 
227 	switch (event->event) {
228 	case IB_EVENT_COMM_EST:
229 		if (ch->using_rdma_cm)
230 			rdma_notify(ch->rdma_cm.cm_id, event->event);
231 		else
232 			ib_cm_notify(ch->ib_cm.cm_id, event->event);
233 		break;
234 	case IB_EVENT_QP_LAST_WQE_REACHED:
235 		pr_debug("%s-%d, state %s: received Last WQE event.\n",
236 			 ch->sess_name, ch->qp->qp_num,
237 			 get_ch_state_name(ch->state));
238 		break;
239 	default:
240 		pr_err("received unrecognized IB QP event %d\n", event->event);
241 		break;
242 	}
243 }
244 
245 /**
246  * srpt_set_ioc - initialize a IOUnitInfo structure
247  * @c_list: controller list.
248  * @slot: one-based slot number.
249  * @value: four-bit value.
250  *
251  * Copies the lowest four bits of value in element slot of the array of four
252  * bit elements called c_list (controller list). The index slot is one-based.
253  */
254 static void srpt_set_ioc(u8 *c_list, u32 slot, u8 value)
255 {
256 	u16 id;
257 	u8 tmp;
258 
259 	id = (slot - 1) / 2;
260 	if (slot & 0x1) {
261 		tmp = c_list[id] & 0xf;
262 		c_list[id] = (value << 4) | tmp;
263 	} else {
264 		tmp = c_list[id] & 0xf0;
265 		c_list[id] = (value & 0xf) | tmp;
266 	}
267 }
268 
269 /**
270  * srpt_get_class_port_info - copy ClassPortInfo to a management datagram
271  * @mad: Datagram that will be sent as response to DM_ATTR_CLASS_PORT_INFO.
272  *
273  * See also section 16.3.3.1 ClassPortInfo in the InfiniBand Architecture
274  * Specification.
275  */
276 static void srpt_get_class_port_info(struct ib_dm_mad *mad)
277 {
278 	struct ib_class_port_info *cif;
279 
280 	cif = (struct ib_class_port_info *)mad->data;
281 	memset(cif, 0, sizeof(*cif));
282 	cif->base_version = 1;
283 	cif->class_version = 1;
284 
285 	ib_set_cpi_resp_time(cif, 20);
286 	mad->mad_hdr.status = 0;
287 }
288 
289 /**
290  * srpt_get_iou - write IOUnitInfo to a management datagram
291  * @mad: Datagram that will be sent as response to DM_ATTR_IOU_INFO.
292  *
293  * See also section 16.3.3.3 IOUnitInfo in the InfiniBand Architecture
294  * Specification. See also section B.7, table B.6 in the SRP r16a document.
295  */
296 static void srpt_get_iou(struct ib_dm_mad *mad)
297 {
298 	struct ib_dm_iou_info *ioui;
299 	u8 slot;
300 	int i;
301 
302 	ioui = (struct ib_dm_iou_info *)mad->data;
303 	ioui->change_id = cpu_to_be16(1);
304 	ioui->max_controllers = 16;
305 
306 	/* set present for slot 1 and empty for the rest */
307 	srpt_set_ioc(ioui->controller_list, 1, 1);
308 	for (i = 1, slot = 2; i < 16; i++, slot++)
309 		srpt_set_ioc(ioui->controller_list, slot, 0);
310 
311 	mad->mad_hdr.status = 0;
312 }
313 
314 /**
315  * srpt_get_ioc - write IOControllerprofile to a management datagram
316  * @sport: HCA port through which the MAD has been received.
317  * @slot: Slot number specified in DM_ATTR_IOC_PROFILE query.
318  * @mad: Datagram that will be sent as response to DM_ATTR_IOC_PROFILE.
319  *
320  * See also section 16.3.3.4 IOControllerProfile in the InfiniBand
321  * Architecture Specification. See also section B.7, table B.7 in the SRP
322  * r16a document.
323  */
324 static void srpt_get_ioc(struct srpt_port *sport, u32 slot,
325 			 struct ib_dm_mad *mad)
326 {
327 	struct srpt_device *sdev = sport->sdev;
328 	struct ib_dm_ioc_profile *iocp;
329 	int send_queue_depth;
330 
331 	iocp = (struct ib_dm_ioc_profile *)mad->data;
332 
333 	if (!slot || slot > 16) {
334 		mad->mad_hdr.status
335 			= cpu_to_be16(DM_MAD_STATUS_INVALID_FIELD);
336 		return;
337 	}
338 
339 	if (slot > 2) {
340 		mad->mad_hdr.status
341 			= cpu_to_be16(DM_MAD_STATUS_NO_IOC);
342 		return;
343 	}
344 
345 	if (sdev->use_srq)
346 		send_queue_depth = sdev->srq_size;
347 	else
348 		send_queue_depth = min(MAX_SRPT_RQ_SIZE,
349 				       sdev->device->attrs.max_qp_wr);
350 
351 	memset(iocp, 0, sizeof(*iocp));
352 	strcpy(iocp->id_string, SRPT_ID_STRING);
353 	iocp->guid = cpu_to_be64(srpt_service_guid);
354 	iocp->vendor_id = cpu_to_be32(sdev->device->attrs.vendor_id);
355 	iocp->device_id = cpu_to_be32(sdev->device->attrs.vendor_part_id);
356 	iocp->device_version = cpu_to_be16(sdev->device->attrs.hw_ver);
357 	iocp->subsys_vendor_id = cpu_to_be32(sdev->device->attrs.vendor_id);
358 	iocp->subsys_device_id = 0x0;
359 	iocp->io_class = cpu_to_be16(SRP_REV16A_IB_IO_CLASS);
360 	iocp->io_subclass = cpu_to_be16(SRP_IO_SUBCLASS);
361 	iocp->protocol = cpu_to_be16(SRP_PROTOCOL);
362 	iocp->protocol_version = cpu_to_be16(SRP_PROTOCOL_VERSION);
363 	iocp->send_queue_depth = cpu_to_be16(send_queue_depth);
364 	iocp->rdma_read_depth = 4;
365 	iocp->send_size = cpu_to_be32(srp_max_req_size);
366 	iocp->rdma_size = cpu_to_be32(min(sport->port_attrib.srp_max_rdma_size,
367 					  1U << 24));
368 	iocp->num_svc_entries = 1;
369 	iocp->op_cap_mask = SRP_SEND_TO_IOC | SRP_SEND_FROM_IOC |
370 		SRP_RDMA_READ_FROM_IOC | SRP_RDMA_WRITE_FROM_IOC;
371 
372 	mad->mad_hdr.status = 0;
373 }
374 
375 /**
376  * srpt_get_svc_entries - write ServiceEntries to a management datagram
377  * @ioc_guid: I/O controller GUID to use in reply.
378  * @slot: I/O controller number.
379  * @hi: End of the range of service entries to be specified in the reply.
380  * @lo: Start of the range of service entries to be specified in the reply..
381  * @mad: Datagram that will be sent as response to DM_ATTR_SVC_ENTRIES.
382  *
383  * See also section 16.3.3.5 ServiceEntries in the InfiniBand Architecture
384  * Specification. See also section B.7, table B.8 in the SRP r16a document.
385  */
386 static void srpt_get_svc_entries(u64 ioc_guid,
387 				 u16 slot, u8 hi, u8 lo, struct ib_dm_mad *mad)
388 {
389 	struct ib_dm_svc_entries *svc_entries;
390 
391 	WARN_ON(!ioc_guid);
392 
393 	if (!slot || slot > 16) {
394 		mad->mad_hdr.status
395 			= cpu_to_be16(DM_MAD_STATUS_INVALID_FIELD);
396 		return;
397 	}
398 
399 	if (slot > 2 || lo > hi || hi > 1) {
400 		mad->mad_hdr.status
401 			= cpu_to_be16(DM_MAD_STATUS_NO_IOC);
402 		return;
403 	}
404 
405 	svc_entries = (struct ib_dm_svc_entries *)mad->data;
406 	memset(svc_entries, 0, sizeof(*svc_entries));
407 	svc_entries->service_entries[0].id = cpu_to_be64(ioc_guid);
408 	snprintf(svc_entries->service_entries[0].name,
409 		 sizeof(svc_entries->service_entries[0].name),
410 		 "%s%016llx",
411 		 SRP_SERVICE_NAME_PREFIX,
412 		 ioc_guid);
413 
414 	mad->mad_hdr.status = 0;
415 }
416 
417 /**
418  * srpt_mgmt_method_get - process a received management datagram
419  * @sp:      HCA port through which the MAD has been received.
420  * @rq_mad:  received MAD.
421  * @rsp_mad: response MAD.
422  */
423 static void srpt_mgmt_method_get(struct srpt_port *sp, struct ib_mad *rq_mad,
424 				 struct ib_dm_mad *rsp_mad)
425 {
426 	u16 attr_id;
427 	u32 slot;
428 	u8 hi, lo;
429 
430 	attr_id = be16_to_cpu(rq_mad->mad_hdr.attr_id);
431 	switch (attr_id) {
432 	case DM_ATTR_CLASS_PORT_INFO:
433 		srpt_get_class_port_info(rsp_mad);
434 		break;
435 	case DM_ATTR_IOU_INFO:
436 		srpt_get_iou(rsp_mad);
437 		break;
438 	case DM_ATTR_IOC_PROFILE:
439 		slot = be32_to_cpu(rq_mad->mad_hdr.attr_mod);
440 		srpt_get_ioc(sp, slot, rsp_mad);
441 		break;
442 	case DM_ATTR_SVC_ENTRIES:
443 		slot = be32_to_cpu(rq_mad->mad_hdr.attr_mod);
444 		hi = (u8) ((slot >> 8) & 0xff);
445 		lo = (u8) (slot & 0xff);
446 		slot = (u16) ((slot >> 16) & 0xffff);
447 		srpt_get_svc_entries(srpt_service_guid,
448 				     slot, hi, lo, rsp_mad);
449 		break;
450 	default:
451 		rsp_mad->mad_hdr.status =
452 		    cpu_to_be16(DM_MAD_STATUS_UNSUP_METHOD_ATTR);
453 		break;
454 	}
455 }
456 
457 /**
458  * srpt_mad_send_handler - MAD send completion callback
459  * @mad_agent: Return value of ib_register_mad_agent().
460  * @mad_wc: Work completion reporting that the MAD has been sent.
461  */
462 static void srpt_mad_send_handler(struct ib_mad_agent *mad_agent,
463 				  struct ib_mad_send_wc *mad_wc)
464 {
465 	rdma_destroy_ah(mad_wc->send_buf->ah, RDMA_DESTROY_AH_SLEEPABLE);
466 	ib_free_send_mad(mad_wc->send_buf);
467 }
468 
469 /**
470  * srpt_mad_recv_handler - MAD reception callback function
471  * @mad_agent: Return value of ib_register_mad_agent().
472  * @send_buf: Not used.
473  * @mad_wc: Work completion reporting that a MAD has been received.
474  */
475 static void srpt_mad_recv_handler(struct ib_mad_agent *mad_agent,
476 				  struct ib_mad_send_buf *send_buf,
477 				  struct ib_mad_recv_wc *mad_wc)
478 {
479 	struct srpt_port *sport = (struct srpt_port *)mad_agent->context;
480 	struct ib_ah *ah;
481 	struct ib_mad_send_buf *rsp;
482 	struct ib_dm_mad *dm_mad;
483 
484 	if (!mad_wc || !mad_wc->recv_buf.mad)
485 		return;
486 
487 	ah = ib_create_ah_from_wc(mad_agent->qp->pd, mad_wc->wc,
488 				  mad_wc->recv_buf.grh, mad_agent->port_num);
489 	if (IS_ERR(ah))
490 		goto err;
491 
492 	BUILD_BUG_ON(offsetof(struct ib_dm_mad, data) != IB_MGMT_DEVICE_HDR);
493 
494 	rsp = ib_create_send_mad(mad_agent, mad_wc->wc->src_qp,
495 				 mad_wc->wc->pkey_index, 0,
496 				 IB_MGMT_DEVICE_HDR, IB_MGMT_DEVICE_DATA,
497 				 GFP_KERNEL,
498 				 IB_MGMT_BASE_VERSION);
499 	if (IS_ERR(rsp))
500 		goto err_rsp;
501 
502 	rsp->ah = ah;
503 
504 	dm_mad = rsp->mad;
505 	memcpy(dm_mad, mad_wc->recv_buf.mad, sizeof(*dm_mad));
506 	dm_mad->mad_hdr.method = IB_MGMT_METHOD_GET_RESP;
507 	dm_mad->mad_hdr.status = 0;
508 
509 	switch (mad_wc->recv_buf.mad->mad_hdr.method) {
510 	case IB_MGMT_METHOD_GET:
511 		srpt_mgmt_method_get(sport, mad_wc->recv_buf.mad, dm_mad);
512 		break;
513 	case IB_MGMT_METHOD_SET:
514 		dm_mad->mad_hdr.status =
515 		    cpu_to_be16(DM_MAD_STATUS_UNSUP_METHOD_ATTR);
516 		break;
517 	default:
518 		dm_mad->mad_hdr.status =
519 		    cpu_to_be16(DM_MAD_STATUS_UNSUP_METHOD);
520 		break;
521 	}
522 
523 	if (!ib_post_send_mad(rsp, NULL)) {
524 		ib_free_recv_mad(mad_wc);
525 		/* will destroy_ah & free_send_mad in send completion */
526 		return;
527 	}
528 
529 	ib_free_send_mad(rsp);
530 
531 err_rsp:
532 	rdma_destroy_ah(ah, RDMA_DESTROY_AH_SLEEPABLE);
533 err:
534 	ib_free_recv_mad(mad_wc);
535 }
536 
537 static int srpt_format_guid(char *buf, unsigned int size, const __be64 *guid)
538 {
539 	const __be16 *g = (const __be16 *)guid;
540 
541 	return snprintf(buf, size, "%04x:%04x:%04x:%04x",
542 			be16_to_cpu(g[0]), be16_to_cpu(g[1]),
543 			be16_to_cpu(g[2]), be16_to_cpu(g[3]));
544 }
545 
546 /**
547  * srpt_refresh_port - configure a HCA port
548  * @sport: SRPT HCA port.
549  *
550  * Enable InfiniBand management datagram processing, update the cached sm_lid,
551  * lid and gid values, and register a callback function for processing MADs
552  * on the specified port.
553  *
554  * Note: It is safe to call this function more than once for the same port.
555  */
556 static int srpt_refresh_port(struct srpt_port *sport)
557 {
558 	struct ib_mad_agent *mad_agent;
559 	struct ib_mad_reg_req reg_req;
560 	struct ib_port_modify port_modify;
561 	struct ib_port_attr port_attr;
562 	int ret;
563 
564 	ret = ib_query_port(sport->sdev->device, sport->port, &port_attr);
565 	if (ret)
566 		return ret;
567 
568 	sport->sm_lid = port_attr.sm_lid;
569 	sport->lid = port_attr.lid;
570 
571 	ret = rdma_query_gid(sport->sdev->device, sport->port, 0, &sport->gid);
572 	if (ret)
573 		return ret;
574 
575 	srpt_format_guid(sport->guid_name, ARRAY_SIZE(sport->guid_name),
576 			 &sport->gid.global.interface_id);
577 	snprintf(sport->gid_name, ARRAY_SIZE(sport->gid_name),
578 		 "0x%016llx%016llx",
579 		 be64_to_cpu(sport->gid.global.subnet_prefix),
580 		 be64_to_cpu(sport->gid.global.interface_id));
581 
582 	if (rdma_protocol_iwarp(sport->sdev->device, sport->port))
583 		return 0;
584 
585 	memset(&port_modify, 0, sizeof(port_modify));
586 	port_modify.set_port_cap_mask = IB_PORT_DEVICE_MGMT_SUP;
587 	port_modify.clr_port_cap_mask = 0;
588 
589 	ret = ib_modify_port(sport->sdev->device, sport->port, 0, &port_modify);
590 	if (ret) {
591 		pr_warn("%s-%d: enabling device management failed (%d). Note: this is expected if SR-IOV is enabled.\n",
592 			dev_name(&sport->sdev->device->dev), sport->port, ret);
593 		return 0;
594 	}
595 
596 	if (!sport->mad_agent) {
597 		memset(&reg_req, 0, sizeof(reg_req));
598 		reg_req.mgmt_class = IB_MGMT_CLASS_DEVICE_MGMT;
599 		reg_req.mgmt_class_version = IB_MGMT_BASE_VERSION;
600 		set_bit(IB_MGMT_METHOD_GET, reg_req.method_mask);
601 		set_bit(IB_MGMT_METHOD_SET, reg_req.method_mask);
602 
603 		mad_agent = ib_register_mad_agent(sport->sdev->device,
604 						  sport->port,
605 						  IB_QPT_GSI,
606 						  &reg_req, 0,
607 						  srpt_mad_send_handler,
608 						  srpt_mad_recv_handler,
609 						  sport, 0);
610 		if (IS_ERR(mad_agent)) {
611 			pr_err("%s-%d: MAD agent registration failed (%ld). Note: this is expected if SR-IOV is enabled.\n",
612 			       dev_name(&sport->sdev->device->dev), sport->port,
613 			       PTR_ERR(mad_agent));
614 			sport->mad_agent = NULL;
615 			memset(&port_modify, 0, sizeof(port_modify));
616 			port_modify.clr_port_cap_mask = IB_PORT_DEVICE_MGMT_SUP;
617 			ib_modify_port(sport->sdev->device, sport->port, 0,
618 				       &port_modify);
619 			return 0;
620 		}
621 
622 		sport->mad_agent = mad_agent;
623 	}
624 
625 	return 0;
626 }
627 
628 /**
629  * srpt_unregister_mad_agent - unregister MAD callback functions
630  * @sdev: SRPT HCA pointer.
631  * @port_cnt: number of ports with registered MAD
632  *
633  * Note: It is safe to call this function more than once for the same device.
634  */
635 static void srpt_unregister_mad_agent(struct srpt_device *sdev, int port_cnt)
636 {
637 	struct ib_port_modify port_modify = {
638 		.clr_port_cap_mask = IB_PORT_DEVICE_MGMT_SUP,
639 	};
640 	struct srpt_port *sport;
641 	int i;
642 
643 	for (i = 1; i <= port_cnt; i++) {
644 		sport = &sdev->port[i - 1];
645 		WARN_ON(sport->port != i);
646 		if (sport->mad_agent) {
647 			ib_modify_port(sdev->device, i, 0, &port_modify);
648 			ib_unregister_mad_agent(sport->mad_agent);
649 			sport->mad_agent = NULL;
650 		}
651 	}
652 }
653 
654 /**
655  * srpt_alloc_ioctx - allocate a SRPT I/O context structure
656  * @sdev: SRPT HCA pointer.
657  * @ioctx_size: I/O context size.
658  * @buf_cache: I/O buffer cache.
659  * @dir: DMA data direction.
660  */
661 static struct srpt_ioctx *srpt_alloc_ioctx(struct srpt_device *sdev,
662 					   int ioctx_size,
663 					   struct kmem_cache *buf_cache,
664 					   enum dma_data_direction dir)
665 {
666 	struct srpt_ioctx *ioctx;
667 
668 	ioctx = kzalloc(ioctx_size, GFP_KERNEL);
669 	if (!ioctx)
670 		goto err;
671 
672 	ioctx->buf = kmem_cache_alloc(buf_cache, GFP_KERNEL);
673 	if (!ioctx->buf)
674 		goto err_free_ioctx;
675 
676 	ioctx->dma = ib_dma_map_single(sdev->device, ioctx->buf,
677 				       kmem_cache_size(buf_cache), dir);
678 	if (ib_dma_mapping_error(sdev->device, ioctx->dma))
679 		goto err_free_buf;
680 
681 	return ioctx;
682 
683 err_free_buf:
684 	kmem_cache_free(buf_cache, ioctx->buf);
685 err_free_ioctx:
686 	kfree(ioctx);
687 err:
688 	return NULL;
689 }
690 
691 /**
692  * srpt_free_ioctx - free a SRPT I/O context structure
693  * @sdev: SRPT HCA pointer.
694  * @ioctx: I/O context pointer.
695  * @buf_cache: I/O buffer cache.
696  * @dir: DMA data direction.
697  */
698 static void srpt_free_ioctx(struct srpt_device *sdev, struct srpt_ioctx *ioctx,
699 			    struct kmem_cache *buf_cache,
700 			    enum dma_data_direction dir)
701 {
702 	if (!ioctx)
703 		return;
704 
705 	ib_dma_unmap_single(sdev->device, ioctx->dma,
706 			    kmem_cache_size(buf_cache), dir);
707 	kmem_cache_free(buf_cache, ioctx->buf);
708 	kfree(ioctx);
709 }
710 
711 /**
712  * srpt_alloc_ioctx_ring - allocate a ring of SRPT I/O context structures
713  * @sdev:       Device to allocate the I/O context ring for.
714  * @ring_size:  Number of elements in the I/O context ring.
715  * @ioctx_size: I/O context size.
716  * @buf_cache:  I/O buffer cache.
717  * @alignment_offset: Offset in each ring buffer at which the SRP information
718  *		unit starts.
719  * @dir:        DMA data direction.
720  */
721 static struct srpt_ioctx **srpt_alloc_ioctx_ring(struct srpt_device *sdev,
722 				int ring_size, int ioctx_size,
723 				struct kmem_cache *buf_cache,
724 				int alignment_offset,
725 				enum dma_data_direction dir)
726 {
727 	struct srpt_ioctx **ring;
728 	int i;
729 
730 	WARN_ON(ioctx_size != sizeof(struct srpt_recv_ioctx) &&
731 		ioctx_size != sizeof(struct srpt_send_ioctx));
732 
733 	ring = kvmalloc_array(ring_size, sizeof(ring[0]), GFP_KERNEL);
734 	if (!ring)
735 		goto out;
736 	for (i = 0; i < ring_size; ++i) {
737 		ring[i] = srpt_alloc_ioctx(sdev, ioctx_size, buf_cache, dir);
738 		if (!ring[i])
739 			goto err;
740 		ring[i]->index = i;
741 		ring[i]->offset = alignment_offset;
742 	}
743 	goto out;
744 
745 err:
746 	while (--i >= 0)
747 		srpt_free_ioctx(sdev, ring[i], buf_cache, dir);
748 	kvfree(ring);
749 	ring = NULL;
750 out:
751 	return ring;
752 }
753 
754 /**
755  * srpt_free_ioctx_ring - free the ring of SRPT I/O context structures
756  * @ioctx_ring: I/O context ring to be freed.
757  * @sdev: SRPT HCA pointer.
758  * @ring_size: Number of ring elements.
759  * @buf_cache: I/O buffer cache.
760  * @dir: DMA data direction.
761  */
762 static void srpt_free_ioctx_ring(struct srpt_ioctx **ioctx_ring,
763 				 struct srpt_device *sdev, int ring_size,
764 				 struct kmem_cache *buf_cache,
765 				 enum dma_data_direction dir)
766 {
767 	int i;
768 
769 	if (!ioctx_ring)
770 		return;
771 
772 	for (i = 0; i < ring_size; ++i)
773 		srpt_free_ioctx(sdev, ioctx_ring[i], buf_cache, dir);
774 	kvfree(ioctx_ring);
775 }
776 
777 /**
778  * srpt_set_cmd_state - set the state of a SCSI command
779  * @ioctx: Send I/O context.
780  * @new: New I/O context state.
781  *
782  * Does not modify the state of aborted commands. Returns the previous command
783  * state.
784  */
785 static enum srpt_command_state srpt_set_cmd_state(struct srpt_send_ioctx *ioctx,
786 						  enum srpt_command_state new)
787 {
788 	enum srpt_command_state previous;
789 
790 	previous = ioctx->state;
791 	if (previous != SRPT_STATE_DONE)
792 		ioctx->state = new;
793 
794 	return previous;
795 }
796 
797 /**
798  * srpt_test_and_set_cmd_state - test and set the state of a command
799  * @ioctx: Send I/O context.
800  * @old: Current I/O context state.
801  * @new: New I/O context state.
802  *
803  * Returns true if and only if the previous command state was equal to 'old'.
804  */
805 static bool srpt_test_and_set_cmd_state(struct srpt_send_ioctx *ioctx,
806 					enum srpt_command_state old,
807 					enum srpt_command_state new)
808 {
809 	enum srpt_command_state previous;
810 
811 	WARN_ON(!ioctx);
812 	WARN_ON(old == SRPT_STATE_DONE);
813 	WARN_ON(new == SRPT_STATE_NEW);
814 
815 	previous = ioctx->state;
816 	if (previous == old)
817 		ioctx->state = new;
818 
819 	return previous == old;
820 }
821 
822 /**
823  * srpt_post_recv - post an IB receive request
824  * @sdev: SRPT HCA pointer.
825  * @ch: SRPT RDMA channel.
826  * @ioctx: Receive I/O context pointer.
827  */
828 static int srpt_post_recv(struct srpt_device *sdev, struct srpt_rdma_ch *ch,
829 			  struct srpt_recv_ioctx *ioctx)
830 {
831 	struct ib_sge list;
832 	struct ib_recv_wr wr;
833 
834 	BUG_ON(!sdev);
835 	list.addr = ioctx->ioctx.dma + ioctx->ioctx.offset;
836 	list.length = srp_max_req_size;
837 	list.lkey = sdev->lkey;
838 
839 	ioctx->ioctx.cqe.done = srpt_recv_done;
840 	wr.wr_cqe = &ioctx->ioctx.cqe;
841 	wr.next = NULL;
842 	wr.sg_list = &list;
843 	wr.num_sge = 1;
844 
845 	if (sdev->use_srq)
846 		return ib_post_srq_recv(sdev->srq, &wr, NULL);
847 	else
848 		return ib_post_recv(ch->qp, &wr, NULL);
849 }
850 
851 /**
852  * srpt_zerolength_write - perform a zero-length RDMA write
853  * @ch: SRPT RDMA channel.
854  *
855  * A quote from the InfiniBand specification: C9-88: For an HCA responder
856  * using Reliable Connection service, for each zero-length RDMA READ or WRITE
857  * request, the R_Key shall not be validated, even if the request includes
858  * Immediate data.
859  */
860 static int srpt_zerolength_write(struct srpt_rdma_ch *ch)
861 {
862 	struct ib_rdma_wr wr = {
863 		.wr = {
864 			.next		= NULL,
865 			{ .wr_cqe	= &ch->zw_cqe, },
866 			.opcode		= IB_WR_RDMA_WRITE,
867 			.send_flags	= IB_SEND_SIGNALED,
868 		}
869 	};
870 
871 	pr_debug("%s-%d: queued zerolength write\n", ch->sess_name,
872 		 ch->qp->qp_num);
873 
874 	return ib_post_send(ch->qp, &wr.wr, NULL);
875 }
876 
877 static void srpt_zerolength_write_done(struct ib_cq *cq, struct ib_wc *wc)
878 {
879 	struct srpt_rdma_ch *ch = wc->qp->qp_context;
880 
881 	pr_debug("%s-%d wc->status %d\n", ch->sess_name, ch->qp->qp_num,
882 		 wc->status);
883 
884 	if (wc->status == IB_WC_SUCCESS) {
885 		srpt_process_wait_list(ch);
886 	} else {
887 		if (srpt_set_ch_state(ch, CH_DISCONNECTED))
888 			schedule_work(&ch->release_work);
889 		else
890 			pr_debug("%s-%d: already disconnected.\n",
891 				 ch->sess_name, ch->qp->qp_num);
892 	}
893 }
894 
895 static int srpt_alloc_rw_ctxs(struct srpt_send_ioctx *ioctx,
896 		struct srp_direct_buf *db, int nbufs, struct scatterlist **sg,
897 		unsigned *sg_cnt)
898 {
899 	enum dma_data_direction dir = target_reverse_dma_direction(&ioctx->cmd);
900 	struct srpt_rdma_ch *ch = ioctx->ch;
901 	struct scatterlist *prev = NULL;
902 	unsigned prev_nents;
903 	int ret, i;
904 
905 	if (nbufs == 1) {
906 		ioctx->rw_ctxs = &ioctx->s_rw_ctx;
907 	} else {
908 		ioctx->rw_ctxs = kmalloc_array(nbufs, sizeof(*ioctx->rw_ctxs),
909 			GFP_KERNEL);
910 		if (!ioctx->rw_ctxs)
911 			return -ENOMEM;
912 	}
913 
914 	for (i = ioctx->n_rw_ctx; i < nbufs; i++, db++) {
915 		struct srpt_rw_ctx *ctx = &ioctx->rw_ctxs[i];
916 		u64 remote_addr = be64_to_cpu(db->va);
917 		u32 size = be32_to_cpu(db->len);
918 		u32 rkey = be32_to_cpu(db->key);
919 
920 		ret = target_alloc_sgl(&ctx->sg, &ctx->nents, size, false,
921 				i < nbufs - 1);
922 		if (ret)
923 			goto unwind;
924 
925 		ret = rdma_rw_ctx_init(&ctx->rw, ch->qp, ch->sport->port,
926 				ctx->sg, ctx->nents, 0, remote_addr, rkey, dir);
927 		if (ret < 0) {
928 			target_free_sgl(ctx->sg, ctx->nents);
929 			goto unwind;
930 		}
931 
932 		ioctx->n_rdma += ret;
933 		ioctx->n_rw_ctx++;
934 
935 		if (prev) {
936 			sg_unmark_end(&prev[prev_nents - 1]);
937 			sg_chain(prev, prev_nents + 1, ctx->sg);
938 		} else {
939 			*sg = ctx->sg;
940 		}
941 
942 		prev = ctx->sg;
943 		prev_nents = ctx->nents;
944 
945 		*sg_cnt += ctx->nents;
946 	}
947 
948 	return 0;
949 
950 unwind:
951 	while (--i >= 0) {
952 		struct srpt_rw_ctx *ctx = &ioctx->rw_ctxs[i];
953 
954 		rdma_rw_ctx_destroy(&ctx->rw, ch->qp, ch->sport->port,
955 				ctx->sg, ctx->nents, dir);
956 		target_free_sgl(ctx->sg, ctx->nents);
957 	}
958 	if (ioctx->rw_ctxs != &ioctx->s_rw_ctx)
959 		kfree(ioctx->rw_ctxs);
960 	return ret;
961 }
962 
963 static void srpt_free_rw_ctxs(struct srpt_rdma_ch *ch,
964 				    struct srpt_send_ioctx *ioctx)
965 {
966 	enum dma_data_direction dir = target_reverse_dma_direction(&ioctx->cmd);
967 	int i;
968 
969 	for (i = 0; i < ioctx->n_rw_ctx; i++) {
970 		struct srpt_rw_ctx *ctx = &ioctx->rw_ctxs[i];
971 
972 		rdma_rw_ctx_destroy(&ctx->rw, ch->qp, ch->sport->port,
973 				ctx->sg, ctx->nents, dir);
974 		target_free_sgl(ctx->sg, ctx->nents);
975 	}
976 
977 	if (ioctx->rw_ctxs != &ioctx->s_rw_ctx)
978 		kfree(ioctx->rw_ctxs);
979 }
980 
981 static inline void *srpt_get_desc_buf(struct srp_cmd *srp_cmd)
982 {
983 	/*
984 	 * The pointer computations below will only be compiled correctly
985 	 * if srp_cmd::add_data is declared as s8*, u8*, s8[] or u8[], so check
986 	 * whether srp_cmd::add_data has been declared as a byte pointer.
987 	 */
988 	BUILD_BUG_ON(!__same_type(srp_cmd->add_data[0], (s8)0) &&
989 		     !__same_type(srp_cmd->add_data[0], (u8)0));
990 
991 	/*
992 	 * According to the SRP spec, the lower two bits of the 'ADDITIONAL
993 	 * CDB LENGTH' field are reserved and the size in bytes of this field
994 	 * is four times the value specified in bits 3..7. Hence the "& ~3".
995 	 */
996 	return srp_cmd->add_data + (srp_cmd->add_cdb_len & ~3);
997 }
998 
999 /**
1000  * srpt_get_desc_tbl - parse the data descriptors of a SRP_CMD request
1001  * @recv_ioctx: I/O context associated with the received command @srp_cmd.
1002  * @ioctx: I/O context that will be used for responding to the initiator.
1003  * @srp_cmd: Pointer to the SRP_CMD request data.
1004  * @dir: Pointer to the variable to which the transfer direction will be
1005  *   written.
1006  * @sg: [out] scatterlist for the parsed SRP_CMD.
1007  * @sg_cnt: [out] length of @sg.
1008  * @data_len: Pointer to the variable to which the total data length of all
1009  *   descriptors in the SRP_CMD request will be written.
1010  * @imm_data_offset: [in] Offset in SRP_CMD requests at which immediate data
1011  *   starts.
1012  *
1013  * This function initializes ioctx->nrbuf and ioctx->r_bufs.
1014  *
1015  * Returns -EINVAL when the SRP_CMD request contains inconsistent descriptors;
1016  * -ENOMEM when memory allocation fails and zero upon success.
1017  */
1018 static int srpt_get_desc_tbl(struct srpt_recv_ioctx *recv_ioctx,
1019 		struct srpt_send_ioctx *ioctx,
1020 		struct srp_cmd *srp_cmd, enum dma_data_direction *dir,
1021 		struct scatterlist **sg, unsigned int *sg_cnt, u64 *data_len,
1022 		u16 imm_data_offset)
1023 {
1024 	BUG_ON(!dir);
1025 	BUG_ON(!data_len);
1026 
1027 	/*
1028 	 * The lower four bits of the buffer format field contain the DATA-IN
1029 	 * buffer descriptor format, and the highest four bits contain the
1030 	 * DATA-OUT buffer descriptor format.
1031 	 */
1032 	if (srp_cmd->buf_fmt & 0xf)
1033 		/* DATA-IN: transfer data from target to initiator (read). */
1034 		*dir = DMA_FROM_DEVICE;
1035 	else if (srp_cmd->buf_fmt >> 4)
1036 		/* DATA-OUT: transfer data from initiator to target (write). */
1037 		*dir = DMA_TO_DEVICE;
1038 	else
1039 		*dir = DMA_NONE;
1040 
1041 	/* initialize data_direction early as srpt_alloc_rw_ctxs needs it */
1042 	ioctx->cmd.data_direction = *dir;
1043 
1044 	if (((srp_cmd->buf_fmt & 0xf) == SRP_DATA_DESC_DIRECT) ||
1045 	    ((srp_cmd->buf_fmt >> 4) == SRP_DATA_DESC_DIRECT)) {
1046 		struct srp_direct_buf *db = srpt_get_desc_buf(srp_cmd);
1047 
1048 		*data_len = be32_to_cpu(db->len);
1049 		return srpt_alloc_rw_ctxs(ioctx, db, 1, sg, sg_cnt);
1050 	} else if (((srp_cmd->buf_fmt & 0xf) == SRP_DATA_DESC_INDIRECT) ||
1051 		   ((srp_cmd->buf_fmt >> 4) == SRP_DATA_DESC_INDIRECT)) {
1052 		struct srp_indirect_buf *idb = srpt_get_desc_buf(srp_cmd);
1053 		int nbufs = be32_to_cpu(idb->table_desc.len) /
1054 				sizeof(struct srp_direct_buf);
1055 
1056 		if (nbufs >
1057 		    (srp_cmd->data_out_desc_cnt + srp_cmd->data_in_desc_cnt)) {
1058 			pr_err("received unsupported SRP_CMD request type (%u out + %u in != %u / %zu)\n",
1059 			       srp_cmd->data_out_desc_cnt,
1060 			       srp_cmd->data_in_desc_cnt,
1061 			       be32_to_cpu(idb->table_desc.len),
1062 			       sizeof(struct srp_direct_buf));
1063 			return -EINVAL;
1064 		}
1065 
1066 		*data_len = be32_to_cpu(idb->len);
1067 		return srpt_alloc_rw_ctxs(ioctx, idb->desc_list, nbufs,
1068 				sg, sg_cnt);
1069 	} else if ((srp_cmd->buf_fmt >> 4) == SRP_DATA_DESC_IMM) {
1070 		struct srp_imm_buf *imm_buf = srpt_get_desc_buf(srp_cmd);
1071 		void *data = (void *)srp_cmd + imm_data_offset;
1072 		uint32_t len = be32_to_cpu(imm_buf->len);
1073 		uint32_t req_size = imm_data_offset + len;
1074 
1075 		if (req_size > srp_max_req_size) {
1076 			pr_err("Immediate data (length %d + %d) exceeds request size %d\n",
1077 			       imm_data_offset, len, srp_max_req_size);
1078 			return -EINVAL;
1079 		}
1080 		if (recv_ioctx->byte_len < req_size) {
1081 			pr_err("Received too few data - %d < %d\n",
1082 			       recv_ioctx->byte_len, req_size);
1083 			return -EIO;
1084 		}
1085 		/*
1086 		 * The immediate data buffer descriptor must occur before the
1087 		 * immediate data itself.
1088 		 */
1089 		if ((void *)(imm_buf + 1) > (void *)data) {
1090 			pr_err("Received invalid write request\n");
1091 			return -EINVAL;
1092 		}
1093 		*data_len = len;
1094 		ioctx->recv_ioctx = recv_ioctx;
1095 		if ((uintptr_t)data & 511) {
1096 			pr_warn_once("Internal error - the receive buffers are not aligned properly.\n");
1097 			return -EINVAL;
1098 		}
1099 		sg_init_one(&ioctx->imm_sg, data, len);
1100 		*sg = &ioctx->imm_sg;
1101 		*sg_cnt = 1;
1102 		return 0;
1103 	} else {
1104 		*data_len = 0;
1105 		return 0;
1106 	}
1107 }
1108 
1109 /**
1110  * srpt_init_ch_qp - initialize queue pair attributes
1111  * @ch: SRPT RDMA channel.
1112  * @qp: Queue pair pointer.
1113  *
1114  * Initialized the attributes of queue pair 'qp' by allowing local write,
1115  * remote read and remote write. Also transitions 'qp' to state IB_QPS_INIT.
1116  */
1117 static int srpt_init_ch_qp(struct srpt_rdma_ch *ch, struct ib_qp *qp)
1118 {
1119 	struct ib_qp_attr *attr;
1120 	int ret;
1121 
1122 	WARN_ON_ONCE(ch->using_rdma_cm);
1123 
1124 	attr = kzalloc(sizeof(*attr), GFP_KERNEL);
1125 	if (!attr)
1126 		return -ENOMEM;
1127 
1128 	attr->qp_state = IB_QPS_INIT;
1129 	attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE;
1130 	attr->port_num = ch->sport->port;
1131 
1132 	ret = ib_find_cached_pkey(ch->sport->sdev->device, ch->sport->port,
1133 				  ch->pkey, &attr->pkey_index);
1134 	if (ret < 0)
1135 		pr_err("Translating pkey %#x failed (%d) - using index 0\n",
1136 		       ch->pkey, ret);
1137 
1138 	ret = ib_modify_qp(qp, attr,
1139 			   IB_QP_STATE | IB_QP_ACCESS_FLAGS | IB_QP_PORT |
1140 			   IB_QP_PKEY_INDEX);
1141 
1142 	kfree(attr);
1143 	return ret;
1144 }
1145 
1146 /**
1147  * srpt_ch_qp_rtr - change the state of a channel to 'ready to receive' (RTR)
1148  * @ch: channel of the queue pair.
1149  * @qp: queue pair to change the state of.
1150  *
1151  * Returns zero upon success and a negative value upon failure.
1152  *
1153  * Note: currently a struct ib_qp_attr takes 136 bytes on a 64-bit system.
1154  * If this structure ever becomes larger, it might be necessary to allocate
1155  * it dynamically instead of on the stack.
1156  */
1157 static int srpt_ch_qp_rtr(struct srpt_rdma_ch *ch, struct ib_qp *qp)
1158 {
1159 	struct ib_qp_attr qp_attr;
1160 	int attr_mask;
1161 	int ret;
1162 
1163 	WARN_ON_ONCE(ch->using_rdma_cm);
1164 
1165 	qp_attr.qp_state = IB_QPS_RTR;
1166 	ret = ib_cm_init_qp_attr(ch->ib_cm.cm_id, &qp_attr, &attr_mask);
1167 	if (ret)
1168 		goto out;
1169 
1170 	qp_attr.max_dest_rd_atomic = 4;
1171 
1172 	ret = ib_modify_qp(qp, &qp_attr, attr_mask);
1173 
1174 out:
1175 	return ret;
1176 }
1177 
1178 /**
1179  * srpt_ch_qp_rts - change the state of a channel to 'ready to send' (RTS)
1180  * @ch: channel of the queue pair.
1181  * @qp: queue pair to change the state of.
1182  *
1183  * Returns zero upon success and a negative value upon failure.
1184  *
1185  * Note: currently a struct ib_qp_attr takes 136 bytes on a 64-bit system.
1186  * If this structure ever becomes larger, it might be necessary to allocate
1187  * it dynamically instead of on the stack.
1188  */
1189 static int srpt_ch_qp_rts(struct srpt_rdma_ch *ch, struct ib_qp *qp)
1190 {
1191 	struct ib_qp_attr qp_attr;
1192 	int attr_mask;
1193 	int ret;
1194 
1195 	qp_attr.qp_state = IB_QPS_RTS;
1196 	ret = ib_cm_init_qp_attr(ch->ib_cm.cm_id, &qp_attr, &attr_mask);
1197 	if (ret)
1198 		goto out;
1199 
1200 	qp_attr.max_rd_atomic = 4;
1201 
1202 	ret = ib_modify_qp(qp, &qp_attr, attr_mask);
1203 
1204 out:
1205 	return ret;
1206 }
1207 
1208 /**
1209  * srpt_ch_qp_err - set the channel queue pair state to 'error'
1210  * @ch: SRPT RDMA channel.
1211  */
1212 static int srpt_ch_qp_err(struct srpt_rdma_ch *ch)
1213 {
1214 	struct ib_qp_attr qp_attr;
1215 
1216 	qp_attr.qp_state = IB_QPS_ERR;
1217 	return ib_modify_qp(ch->qp, &qp_attr, IB_QP_STATE);
1218 }
1219 
1220 /**
1221  * srpt_get_send_ioctx - obtain an I/O context for sending to the initiator
1222  * @ch: SRPT RDMA channel.
1223  */
1224 static struct srpt_send_ioctx *srpt_get_send_ioctx(struct srpt_rdma_ch *ch)
1225 {
1226 	struct srpt_send_ioctx *ioctx;
1227 	int tag, cpu;
1228 
1229 	BUG_ON(!ch);
1230 
1231 	tag = sbitmap_queue_get(&ch->sess->sess_tag_pool, &cpu);
1232 	if (tag < 0)
1233 		return NULL;
1234 
1235 	ioctx = ch->ioctx_ring[tag];
1236 	BUG_ON(ioctx->ch != ch);
1237 	ioctx->state = SRPT_STATE_NEW;
1238 	WARN_ON_ONCE(ioctx->recv_ioctx);
1239 	ioctx->n_rdma = 0;
1240 	ioctx->n_rw_ctx = 0;
1241 	ioctx->queue_status_only = false;
1242 	/*
1243 	 * transport_init_se_cmd() does not initialize all fields, so do it
1244 	 * here.
1245 	 */
1246 	memset(&ioctx->cmd, 0, sizeof(ioctx->cmd));
1247 	memset(&ioctx->sense_data, 0, sizeof(ioctx->sense_data));
1248 	ioctx->cmd.map_tag = tag;
1249 	ioctx->cmd.map_cpu = cpu;
1250 
1251 	return ioctx;
1252 }
1253 
1254 /**
1255  * srpt_abort_cmd - abort a SCSI command
1256  * @ioctx:   I/O context associated with the SCSI command.
1257  */
1258 static int srpt_abort_cmd(struct srpt_send_ioctx *ioctx)
1259 {
1260 	enum srpt_command_state state;
1261 
1262 	BUG_ON(!ioctx);
1263 
1264 	/*
1265 	 * If the command is in a state where the target core is waiting for
1266 	 * the ib_srpt driver, change the state to the next state.
1267 	 */
1268 
1269 	state = ioctx->state;
1270 	switch (state) {
1271 	case SRPT_STATE_NEED_DATA:
1272 		ioctx->state = SRPT_STATE_DATA_IN;
1273 		break;
1274 	case SRPT_STATE_CMD_RSP_SENT:
1275 	case SRPT_STATE_MGMT_RSP_SENT:
1276 		ioctx->state = SRPT_STATE_DONE;
1277 		break;
1278 	default:
1279 		WARN_ONCE(true, "%s: unexpected I/O context state %d\n",
1280 			  __func__, state);
1281 		break;
1282 	}
1283 
1284 	pr_debug("Aborting cmd with state %d -> %d and tag %lld\n", state,
1285 		 ioctx->state, ioctx->cmd.tag);
1286 
1287 	switch (state) {
1288 	case SRPT_STATE_NEW:
1289 	case SRPT_STATE_DATA_IN:
1290 	case SRPT_STATE_MGMT:
1291 	case SRPT_STATE_DONE:
1292 		/*
1293 		 * Do nothing - defer abort processing until
1294 		 * srpt_queue_response() is invoked.
1295 		 */
1296 		break;
1297 	case SRPT_STATE_NEED_DATA:
1298 		pr_debug("tag %#llx: RDMA read error\n", ioctx->cmd.tag);
1299 		transport_generic_request_failure(&ioctx->cmd,
1300 					TCM_CHECK_CONDITION_ABORT_CMD);
1301 		break;
1302 	case SRPT_STATE_CMD_RSP_SENT:
1303 		/*
1304 		 * SRP_RSP sending failed or the SRP_RSP send completion has
1305 		 * not been received in time.
1306 		 */
1307 		transport_generic_free_cmd(&ioctx->cmd, 0);
1308 		break;
1309 	case SRPT_STATE_MGMT_RSP_SENT:
1310 		transport_generic_free_cmd(&ioctx->cmd, 0);
1311 		break;
1312 	default:
1313 		WARN(1, "Unexpected command state (%d)", state);
1314 		break;
1315 	}
1316 
1317 	return state;
1318 }
1319 
1320 /**
1321  * srpt_rdma_read_done - RDMA read completion callback
1322  * @cq: Completion queue.
1323  * @wc: Work completion.
1324  *
1325  * XXX: what is now target_execute_cmd used to be asynchronous, and unmapping
1326  * the data that has been transferred via IB RDMA had to be postponed until the
1327  * check_stop_free() callback.  None of this is necessary anymore and needs to
1328  * be cleaned up.
1329  */
1330 static void srpt_rdma_read_done(struct ib_cq *cq, struct ib_wc *wc)
1331 {
1332 	struct srpt_rdma_ch *ch = wc->qp->qp_context;
1333 	struct srpt_send_ioctx *ioctx =
1334 		container_of(wc->wr_cqe, struct srpt_send_ioctx, rdma_cqe);
1335 
1336 	WARN_ON(ioctx->n_rdma <= 0);
1337 	atomic_add(ioctx->n_rdma, &ch->sq_wr_avail);
1338 	ioctx->n_rdma = 0;
1339 
1340 	if (unlikely(wc->status != IB_WC_SUCCESS)) {
1341 		pr_info("RDMA_READ for ioctx 0x%p failed with status %d\n",
1342 			ioctx, wc->status);
1343 		srpt_abort_cmd(ioctx);
1344 		return;
1345 	}
1346 
1347 	if (srpt_test_and_set_cmd_state(ioctx, SRPT_STATE_NEED_DATA,
1348 					SRPT_STATE_DATA_IN))
1349 		target_execute_cmd(&ioctx->cmd);
1350 	else
1351 		pr_err("%s[%d]: wrong state = %d\n", __func__,
1352 		       __LINE__, ioctx->state);
1353 }
1354 
1355 /**
1356  * srpt_build_cmd_rsp - build a SRP_RSP response
1357  * @ch: RDMA channel through which the request has been received.
1358  * @ioctx: I/O context associated with the SRP_CMD request. The response will
1359  *   be built in the buffer ioctx->buf points at and hence this function will
1360  *   overwrite the request data.
1361  * @tag: tag of the request for which this response is being generated.
1362  * @status: value for the STATUS field of the SRP_RSP information unit.
1363  *
1364  * Returns the size in bytes of the SRP_RSP response.
1365  *
1366  * An SRP_RSP response contains a SCSI status or service response. See also
1367  * section 6.9 in the SRP r16a document for the format of an SRP_RSP
1368  * response. See also SPC-2 for more information about sense data.
1369  */
1370 static int srpt_build_cmd_rsp(struct srpt_rdma_ch *ch,
1371 			      struct srpt_send_ioctx *ioctx, u64 tag,
1372 			      int status)
1373 {
1374 	struct se_cmd *cmd = &ioctx->cmd;
1375 	struct srp_rsp *srp_rsp;
1376 	const u8 *sense_data;
1377 	int sense_data_len, max_sense_len;
1378 	u32 resid = cmd->residual_count;
1379 
1380 	/*
1381 	 * The lowest bit of all SAM-3 status codes is zero (see also
1382 	 * paragraph 5.3 in SAM-3).
1383 	 */
1384 	WARN_ON(status & 1);
1385 
1386 	srp_rsp = ioctx->ioctx.buf;
1387 	BUG_ON(!srp_rsp);
1388 
1389 	sense_data = ioctx->sense_data;
1390 	sense_data_len = ioctx->cmd.scsi_sense_length;
1391 	WARN_ON(sense_data_len > sizeof(ioctx->sense_data));
1392 
1393 	memset(srp_rsp, 0, sizeof(*srp_rsp));
1394 	srp_rsp->opcode = SRP_RSP;
1395 	srp_rsp->req_lim_delta =
1396 		cpu_to_be32(1 + atomic_xchg(&ch->req_lim_delta, 0));
1397 	srp_rsp->tag = tag;
1398 	srp_rsp->status = status;
1399 
1400 	if (cmd->se_cmd_flags & SCF_UNDERFLOW_BIT) {
1401 		if (cmd->data_direction == DMA_TO_DEVICE) {
1402 			/* residual data from an underflow write */
1403 			srp_rsp->flags = SRP_RSP_FLAG_DOUNDER;
1404 			srp_rsp->data_out_res_cnt = cpu_to_be32(resid);
1405 		} else if (cmd->data_direction == DMA_FROM_DEVICE) {
1406 			/* residual data from an underflow read */
1407 			srp_rsp->flags = SRP_RSP_FLAG_DIUNDER;
1408 			srp_rsp->data_in_res_cnt = cpu_to_be32(resid);
1409 		}
1410 	} else if (cmd->se_cmd_flags & SCF_OVERFLOW_BIT) {
1411 		if (cmd->data_direction == DMA_TO_DEVICE) {
1412 			/* residual data from an overflow write */
1413 			srp_rsp->flags = SRP_RSP_FLAG_DOOVER;
1414 			srp_rsp->data_out_res_cnt = cpu_to_be32(resid);
1415 		} else if (cmd->data_direction == DMA_FROM_DEVICE) {
1416 			/* residual data from an overflow read */
1417 			srp_rsp->flags = SRP_RSP_FLAG_DIOVER;
1418 			srp_rsp->data_in_res_cnt = cpu_to_be32(resid);
1419 		}
1420 	}
1421 
1422 	if (sense_data_len) {
1423 		BUILD_BUG_ON(MIN_MAX_RSP_SIZE <= sizeof(*srp_rsp));
1424 		max_sense_len = ch->max_ti_iu_len - sizeof(*srp_rsp);
1425 		if (sense_data_len > max_sense_len) {
1426 			pr_warn("truncated sense data from %d to %d bytes\n",
1427 				sense_data_len, max_sense_len);
1428 			sense_data_len = max_sense_len;
1429 		}
1430 
1431 		srp_rsp->flags |= SRP_RSP_FLAG_SNSVALID;
1432 		srp_rsp->sense_data_len = cpu_to_be32(sense_data_len);
1433 		memcpy(srp_rsp->data, sense_data, sense_data_len);
1434 	}
1435 
1436 	return sizeof(*srp_rsp) + sense_data_len;
1437 }
1438 
1439 /**
1440  * srpt_build_tskmgmt_rsp - build a task management response
1441  * @ch:       RDMA channel through which the request has been received.
1442  * @ioctx:    I/O context in which the SRP_RSP response will be built.
1443  * @rsp_code: RSP_CODE that will be stored in the response.
1444  * @tag:      Tag of the request for which this response is being generated.
1445  *
1446  * Returns the size in bytes of the SRP_RSP response.
1447  *
1448  * An SRP_RSP response contains a SCSI status or service response. See also
1449  * section 6.9 in the SRP r16a document for the format of an SRP_RSP
1450  * response.
1451  */
1452 static int srpt_build_tskmgmt_rsp(struct srpt_rdma_ch *ch,
1453 				  struct srpt_send_ioctx *ioctx,
1454 				  u8 rsp_code, u64 tag)
1455 {
1456 	struct srp_rsp *srp_rsp;
1457 	int resp_data_len;
1458 	int resp_len;
1459 
1460 	resp_data_len = 4;
1461 	resp_len = sizeof(*srp_rsp) + resp_data_len;
1462 
1463 	srp_rsp = ioctx->ioctx.buf;
1464 	BUG_ON(!srp_rsp);
1465 	memset(srp_rsp, 0, sizeof(*srp_rsp));
1466 
1467 	srp_rsp->opcode = SRP_RSP;
1468 	srp_rsp->req_lim_delta =
1469 		cpu_to_be32(1 + atomic_xchg(&ch->req_lim_delta, 0));
1470 	srp_rsp->tag = tag;
1471 
1472 	srp_rsp->flags |= SRP_RSP_FLAG_RSPVALID;
1473 	srp_rsp->resp_data_len = cpu_to_be32(resp_data_len);
1474 	srp_rsp->data[3] = rsp_code;
1475 
1476 	return resp_len;
1477 }
1478 
1479 static int srpt_check_stop_free(struct se_cmd *cmd)
1480 {
1481 	struct srpt_send_ioctx *ioctx = container_of(cmd,
1482 				struct srpt_send_ioctx, cmd);
1483 
1484 	return target_put_sess_cmd(&ioctx->cmd);
1485 }
1486 
1487 /**
1488  * srpt_handle_cmd - process a SRP_CMD information unit
1489  * @ch: SRPT RDMA channel.
1490  * @recv_ioctx: Receive I/O context.
1491  * @send_ioctx: Send I/O context.
1492  */
1493 static void srpt_handle_cmd(struct srpt_rdma_ch *ch,
1494 			    struct srpt_recv_ioctx *recv_ioctx,
1495 			    struct srpt_send_ioctx *send_ioctx)
1496 {
1497 	struct se_cmd *cmd;
1498 	struct srp_cmd *srp_cmd;
1499 	struct scatterlist *sg = NULL;
1500 	unsigned sg_cnt = 0;
1501 	u64 data_len;
1502 	enum dma_data_direction dir;
1503 	int rc;
1504 
1505 	BUG_ON(!send_ioctx);
1506 
1507 	srp_cmd = recv_ioctx->ioctx.buf + recv_ioctx->ioctx.offset;
1508 	cmd = &send_ioctx->cmd;
1509 	cmd->tag = srp_cmd->tag;
1510 
1511 	switch (srp_cmd->task_attr) {
1512 	case SRP_CMD_SIMPLE_Q:
1513 		cmd->sam_task_attr = TCM_SIMPLE_TAG;
1514 		break;
1515 	case SRP_CMD_ORDERED_Q:
1516 	default:
1517 		cmd->sam_task_attr = TCM_ORDERED_TAG;
1518 		break;
1519 	case SRP_CMD_HEAD_OF_Q:
1520 		cmd->sam_task_attr = TCM_HEAD_TAG;
1521 		break;
1522 	case SRP_CMD_ACA:
1523 		cmd->sam_task_attr = TCM_ACA_TAG;
1524 		break;
1525 	}
1526 
1527 	rc = srpt_get_desc_tbl(recv_ioctx, send_ioctx, srp_cmd, &dir,
1528 			       &sg, &sg_cnt, &data_len, ch->imm_data_offset);
1529 	if (rc) {
1530 		if (rc != -EAGAIN) {
1531 			pr_err("0x%llx: parsing SRP descriptor table failed.\n",
1532 			       srp_cmd->tag);
1533 		}
1534 		goto busy;
1535 	}
1536 
1537 	rc = target_init_cmd(cmd, ch->sess, &send_ioctx->sense_data[0],
1538 			     scsilun_to_int(&srp_cmd->lun), data_len,
1539 			     TCM_SIMPLE_TAG, dir, TARGET_SCF_ACK_KREF);
1540 	if (rc != 0) {
1541 		pr_debug("target_submit_cmd() returned %d for tag %#llx\n", rc,
1542 			 srp_cmd->tag);
1543 		goto busy;
1544 	}
1545 
1546 	if (target_submit_prep(cmd, srp_cmd->cdb, sg, sg_cnt, NULL, 0, NULL, 0,
1547 			       GFP_KERNEL))
1548 		return;
1549 
1550 	target_submit(cmd);
1551 	return;
1552 
1553 busy:
1554 	target_send_busy(cmd);
1555 }
1556 
1557 static int srp_tmr_to_tcm(int fn)
1558 {
1559 	switch (fn) {
1560 	case SRP_TSK_ABORT_TASK:
1561 		return TMR_ABORT_TASK;
1562 	case SRP_TSK_ABORT_TASK_SET:
1563 		return TMR_ABORT_TASK_SET;
1564 	case SRP_TSK_CLEAR_TASK_SET:
1565 		return TMR_CLEAR_TASK_SET;
1566 	case SRP_TSK_LUN_RESET:
1567 		return TMR_LUN_RESET;
1568 	case SRP_TSK_CLEAR_ACA:
1569 		return TMR_CLEAR_ACA;
1570 	default:
1571 		return -1;
1572 	}
1573 }
1574 
1575 /**
1576  * srpt_handle_tsk_mgmt - process a SRP_TSK_MGMT information unit
1577  * @ch: SRPT RDMA channel.
1578  * @recv_ioctx: Receive I/O context.
1579  * @send_ioctx: Send I/O context.
1580  *
1581  * Returns 0 if and only if the request will be processed by the target core.
1582  *
1583  * For more information about SRP_TSK_MGMT information units, see also section
1584  * 6.7 in the SRP r16a document.
1585  */
1586 static void srpt_handle_tsk_mgmt(struct srpt_rdma_ch *ch,
1587 				 struct srpt_recv_ioctx *recv_ioctx,
1588 				 struct srpt_send_ioctx *send_ioctx)
1589 {
1590 	struct srp_tsk_mgmt *srp_tsk;
1591 	struct se_cmd *cmd;
1592 	struct se_session *sess = ch->sess;
1593 	int tcm_tmr;
1594 	int rc;
1595 
1596 	BUG_ON(!send_ioctx);
1597 
1598 	srp_tsk = recv_ioctx->ioctx.buf + recv_ioctx->ioctx.offset;
1599 	cmd = &send_ioctx->cmd;
1600 
1601 	pr_debug("recv tsk_mgmt fn %d for task_tag %lld and cmd tag %lld ch %p sess %p\n",
1602 		 srp_tsk->tsk_mgmt_func, srp_tsk->task_tag, srp_tsk->tag, ch,
1603 		 ch->sess);
1604 
1605 	srpt_set_cmd_state(send_ioctx, SRPT_STATE_MGMT);
1606 	send_ioctx->cmd.tag = srp_tsk->tag;
1607 	tcm_tmr = srp_tmr_to_tcm(srp_tsk->tsk_mgmt_func);
1608 	rc = target_submit_tmr(&send_ioctx->cmd, sess, NULL,
1609 			       scsilun_to_int(&srp_tsk->lun), srp_tsk, tcm_tmr,
1610 			       GFP_KERNEL, srp_tsk->task_tag,
1611 			       TARGET_SCF_ACK_KREF);
1612 	if (rc != 0) {
1613 		send_ioctx->cmd.se_tmr_req->response = TMR_FUNCTION_REJECTED;
1614 		cmd->se_tfo->queue_tm_rsp(cmd);
1615 	}
1616 	return;
1617 }
1618 
1619 /**
1620  * srpt_handle_new_iu - process a newly received information unit
1621  * @ch:    RDMA channel through which the information unit has been received.
1622  * @recv_ioctx: Receive I/O context associated with the information unit.
1623  */
1624 static bool
1625 srpt_handle_new_iu(struct srpt_rdma_ch *ch, struct srpt_recv_ioctx *recv_ioctx)
1626 {
1627 	struct srpt_send_ioctx *send_ioctx = NULL;
1628 	struct srp_cmd *srp_cmd;
1629 	bool res = false;
1630 	u8 opcode;
1631 
1632 	BUG_ON(!ch);
1633 	BUG_ON(!recv_ioctx);
1634 
1635 	if (unlikely(ch->state == CH_CONNECTING))
1636 		goto push;
1637 
1638 	ib_dma_sync_single_for_cpu(ch->sport->sdev->device,
1639 				   recv_ioctx->ioctx.dma,
1640 				   recv_ioctx->ioctx.offset + srp_max_req_size,
1641 				   DMA_FROM_DEVICE);
1642 
1643 	srp_cmd = recv_ioctx->ioctx.buf + recv_ioctx->ioctx.offset;
1644 	opcode = srp_cmd->opcode;
1645 	if (opcode == SRP_CMD || opcode == SRP_TSK_MGMT) {
1646 		send_ioctx = srpt_get_send_ioctx(ch);
1647 		if (unlikely(!send_ioctx))
1648 			goto push;
1649 	}
1650 
1651 	if (!list_empty(&recv_ioctx->wait_list)) {
1652 		WARN_ON_ONCE(!ch->processing_wait_list);
1653 		list_del_init(&recv_ioctx->wait_list);
1654 	}
1655 
1656 	switch (opcode) {
1657 	case SRP_CMD:
1658 		srpt_handle_cmd(ch, recv_ioctx, send_ioctx);
1659 		break;
1660 	case SRP_TSK_MGMT:
1661 		srpt_handle_tsk_mgmt(ch, recv_ioctx, send_ioctx);
1662 		break;
1663 	case SRP_I_LOGOUT:
1664 		pr_err("Not yet implemented: SRP_I_LOGOUT\n");
1665 		break;
1666 	case SRP_CRED_RSP:
1667 		pr_debug("received SRP_CRED_RSP\n");
1668 		break;
1669 	case SRP_AER_RSP:
1670 		pr_debug("received SRP_AER_RSP\n");
1671 		break;
1672 	case SRP_RSP:
1673 		pr_err("Received SRP_RSP\n");
1674 		break;
1675 	default:
1676 		pr_err("received IU with unknown opcode 0x%x\n", opcode);
1677 		break;
1678 	}
1679 
1680 	if (!send_ioctx || !send_ioctx->recv_ioctx)
1681 		srpt_post_recv(ch->sport->sdev, ch, recv_ioctx);
1682 	res = true;
1683 
1684 out:
1685 	return res;
1686 
1687 push:
1688 	if (list_empty(&recv_ioctx->wait_list)) {
1689 		WARN_ON_ONCE(ch->processing_wait_list);
1690 		list_add_tail(&recv_ioctx->wait_list, &ch->cmd_wait_list);
1691 	}
1692 	goto out;
1693 }
1694 
1695 static void srpt_recv_done(struct ib_cq *cq, struct ib_wc *wc)
1696 {
1697 	struct srpt_rdma_ch *ch = wc->qp->qp_context;
1698 	struct srpt_recv_ioctx *ioctx =
1699 		container_of(wc->wr_cqe, struct srpt_recv_ioctx, ioctx.cqe);
1700 
1701 	if (wc->status == IB_WC_SUCCESS) {
1702 		int req_lim;
1703 
1704 		req_lim = atomic_dec_return(&ch->req_lim);
1705 		if (unlikely(req_lim < 0))
1706 			pr_err("req_lim = %d < 0\n", req_lim);
1707 		ioctx->byte_len = wc->byte_len;
1708 		srpt_handle_new_iu(ch, ioctx);
1709 	} else {
1710 		pr_info_ratelimited("receiving failed for ioctx %p with status %d\n",
1711 				    ioctx, wc->status);
1712 	}
1713 }
1714 
1715 /*
1716  * This function must be called from the context in which RDMA completions are
1717  * processed because it accesses the wait list without protection against
1718  * access from other threads.
1719  */
1720 static void srpt_process_wait_list(struct srpt_rdma_ch *ch)
1721 {
1722 	struct srpt_recv_ioctx *recv_ioctx, *tmp;
1723 
1724 	WARN_ON_ONCE(ch->state == CH_CONNECTING);
1725 
1726 	if (list_empty(&ch->cmd_wait_list))
1727 		return;
1728 
1729 	WARN_ON_ONCE(ch->processing_wait_list);
1730 	ch->processing_wait_list = true;
1731 	list_for_each_entry_safe(recv_ioctx, tmp, &ch->cmd_wait_list,
1732 				 wait_list) {
1733 		if (!srpt_handle_new_iu(ch, recv_ioctx))
1734 			break;
1735 	}
1736 	ch->processing_wait_list = false;
1737 }
1738 
1739 /**
1740  * srpt_send_done - send completion callback
1741  * @cq: Completion queue.
1742  * @wc: Work completion.
1743  *
1744  * Note: Although this has not yet been observed during tests, at least in
1745  * theory it is possible that the srpt_get_send_ioctx() call invoked by
1746  * srpt_handle_new_iu() fails. This is possible because the req_lim_delta
1747  * value in each response is set to one, and it is possible that this response
1748  * makes the initiator send a new request before the send completion for that
1749  * response has been processed. This could e.g. happen if the call to
1750  * srpt_put_send_iotcx() is delayed because of a higher priority interrupt or
1751  * if IB retransmission causes generation of the send completion to be
1752  * delayed. Incoming information units for which srpt_get_send_ioctx() fails
1753  * are queued on cmd_wait_list. The code below processes these delayed
1754  * requests one at a time.
1755  */
1756 static void srpt_send_done(struct ib_cq *cq, struct ib_wc *wc)
1757 {
1758 	struct srpt_rdma_ch *ch = wc->qp->qp_context;
1759 	struct srpt_send_ioctx *ioctx =
1760 		container_of(wc->wr_cqe, struct srpt_send_ioctx, ioctx.cqe);
1761 	enum srpt_command_state state;
1762 
1763 	state = srpt_set_cmd_state(ioctx, SRPT_STATE_DONE);
1764 
1765 	WARN_ON(state != SRPT_STATE_CMD_RSP_SENT &&
1766 		state != SRPT_STATE_MGMT_RSP_SENT);
1767 
1768 	atomic_add(1 + ioctx->n_rdma, &ch->sq_wr_avail);
1769 
1770 	if (wc->status != IB_WC_SUCCESS)
1771 		pr_info("sending response for ioctx 0x%p failed with status %d\n",
1772 			ioctx, wc->status);
1773 
1774 	if (state != SRPT_STATE_DONE) {
1775 		transport_generic_free_cmd(&ioctx->cmd, 0);
1776 	} else {
1777 		pr_err("IB completion has been received too late for wr_id = %u.\n",
1778 		       ioctx->ioctx.index);
1779 	}
1780 
1781 	srpt_process_wait_list(ch);
1782 }
1783 
1784 /**
1785  * srpt_create_ch_ib - create receive and send completion queues
1786  * @ch: SRPT RDMA channel.
1787  */
1788 static int srpt_create_ch_ib(struct srpt_rdma_ch *ch)
1789 {
1790 	struct ib_qp_init_attr *qp_init;
1791 	struct srpt_port *sport = ch->sport;
1792 	struct srpt_device *sdev = sport->sdev;
1793 	const struct ib_device_attr *attrs = &sdev->device->attrs;
1794 	int sq_size = sport->port_attrib.srp_sq_size;
1795 	int i, ret;
1796 
1797 	WARN_ON(ch->rq_size < 1);
1798 
1799 	ret = -ENOMEM;
1800 	qp_init = kzalloc(sizeof(*qp_init), GFP_KERNEL);
1801 	if (!qp_init)
1802 		goto out;
1803 
1804 retry:
1805 	ch->cq = ib_cq_pool_get(sdev->device, ch->rq_size + sq_size, -1,
1806 				 IB_POLL_WORKQUEUE);
1807 	if (IS_ERR(ch->cq)) {
1808 		ret = PTR_ERR(ch->cq);
1809 		pr_err("failed to create CQ cqe= %d ret= %d\n",
1810 		       ch->rq_size + sq_size, ret);
1811 		goto out;
1812 	}
1813 	ch->cq_size = ch->rq_size + sq_size;
1814 
1815 	qp_init->qp_context = (void *)ch;
1816 	qp_init->event_handler = srpt_qp_event;
1817 	qp_init->send_cq = ch->cq;
1818 	qp_init->recv_cq = ch->cq;
1819 	qp_init->sq_sig_type = IB_SIGNAL_REQ_WR;
1820 	qp_init->qp_type = IB_QPT_RC;
1821 	/*
1822 	 * We divide up our send queue size into half SEND WRs to send the
1823 	 * completions, and half R/W contexts to actually do the RDMA
1824 	 * READ/WRITE transfers.  Note that we need to allocate CQ slots for
1825 	 * both both, as RDMA contexts will also post completions for the
1826 	 * RDMA READ case.
1827 	 */
1828 	qp_init->cap.max_send_wr = min(sq_size / 2, attrs->max_qp_wr);
1829 	qp_init->cap.max_rdma_ctxs = sq_size / 2;
1830 	qp_init->cap.max_send_sge = attrs->max_send_sge;
1831 	qp_init->cap.max_recv_sge = 1;
1832 	qp_init->port_num = ch->sport->port;
1833 	if (sdev->use_srq)
1834 		qp_init->srq = sdev->srq;
1835 	else
1836 		qp_init->cap.max_recv_wr = ch->rq_size;
1837 
1838 	if (ch->using_rdma_cm) {
1839 		ret = rdma_create_qp(ch->rdma_cm.cm_id, sdev->pd, qp_init);
1840 		ch->qp = ch->rdma_cm.cm_id->qp;
1841 	} else {
1842 		ch->qp = ib_create_qp(sdev->pd, qp_init);
1843 		if (!IS_ERR(ch->qp)) {
1844 			ret = srpt_init_ch_qp(ch, ch->qp);
1845 			if (ret)
1846 				ib_destroy_qp(ch->qp);
1847 		} else {
1848 			ret = PTR_ERR(ch->qp);
1849 		}
1850 	}
1851 	if (ret) {
1852 		bool retry = sq_size > MIN_SRPT_SQ_SIZE;
1853 
1854 		if (retry) {
1855 			pr_debug("failed to create queue pair with sq_size = %d (%d) - retrying\n",
1856 				 sq_size, ret);
1857 			ib_cq_pool_put(ch->cq, ch->cq_size);
1858 			sq_size = max(sq_size / 2, MIN_SRPT_SQ_SIZE);
1859 			goto retry;
1860 		} else {
1861 			pr_err("failed to create queue pair with sq_size = %d (%d)\n",
1862 			       sq_size, ret);
1863 			goto err_destroy_cq;
1864 		}
1865 	}
1866 
1867 	atomic_set(&ch->sq_wr_avail, qp_init->cap.max_send_wr);
1868 
1869 	pr_debug("%s: max_cqe= %d max_sge= %d sq_size = %d ch= %p\n",
1870 		 __func__, ch->cq->cqe, qp_init->cap.max_send_sge,
1871 		 qp_init->cap.max_send_wr, ch);
1872 
1873 	if (!sdev->use_srq)
1874 		for (i = 0; i < ch->rq_size; i++)
1875 			srpt_post_recv(sdev, ch, ch->ioctx_recv_ring[i]);
1876 
1877 out:
1878 	kfree(qp_init);
1879 	return ret;
1880 
1881 err_destroy_cq:
1882 	ch->qp = NULL;
1883 	ib_cq_pool_put(ch->cq, ch->cq_size);
1884 	goto out;
1885 }
1886 
1887 static void srpt_destroy_ch_ib(struct srpt_rdma_ch *ch)
1888 {
1889 	ib_destroy_qp(ch->qp);
1890 	ib_cq_pool_put(ch->cq, ch->cq_size);
1891 }
1892 
1893 /**
1894  * srpt_close_ch - close a RDMA channel
1895  * @ch: SRPT RDMA channel.
1896  *
1897  * Make sure all resources associated with the channel will be deallocated at
1898  * an appropriate time.
1899  *
1900  * Returns true if and only if the channel state has been modified into
1901  * CH_DRAINING.
1902  */
1903 static bool srpt_close_ch(struct srpt_rdma_ch *ch)
1904 {
1905 	int ret;
1906 
1907 	if (!srpt_set_ch_state(ch, CH_DRAINING)) {
1908 		pr_debug("%s: already closed\n", ch->sess_name);
1909 		return false;
1910 	}
1911 
1912 	kref_get(&ch->kref);
1913 
1914 	ret = srpt_ch_qp_err(ch);
1915 	if (ret < 0)
1916 		pr_err("%s-%d: changing queue pair into error state failed: %d\n",
1917 		       ch->sess_name, ch->qp->qp_num, ret);
1918 
1919 	ret = srpt_zerolength_write(ch);
1920 	if (ret < 0) {
1921 		pr_err("%s-%d: queuing zero-length write failed: %d\n",
1922 		       ch->sess_name, ch->qp->qp_num, ret);
1923 		if (srpt_set_ch_state(ch, CH_DISCONNECTED))
1924 			schedule_work(&ch->release_work);
1925 		else
1926 			WARN_ON_ONCE(true);
1927 	}
1928 
1929 	kref_put(&ch->kref, srpt_free_ch);
1930 
1931 	return true;
1932 }
1933 
1934 /*
1935  * Change the channel state into CH_DISCONNECTING. If a channel has not yet
1936  * reached the connected state, close it. If a channel is in the connected
1937  * state, send a DREQ. If a DREQ has been received, send a DREP. Note: it is
1938  * the responsibility of the caller to ensure that this function is not
1939  * invoked concurrently with the code that accepts a connection. This means
1940  * that this function must either be invoked from inside a CM callback
1941  * function or that it must be invoked with the srpt_port.mutex held.
1942  */
1943 static int srpt_disconnect_ch(struct srpt_rdma_ch *ch)
1944 {
1945 	int ret;
1946 
1947 	if (!srpt_set_ch_state(ch, CH_DISCONNECTING))
1948 		return -ENOTCONN;
1949 
1950 	if (ch->using_rdma_cm) {
1951 		ret = rdma_disconnect(ch->rdma_cm.cm_id);
1952 	} else {
1953 		ret = ib_send_cm_dreq(ch->ib_cm.cm_id, NULL, 0);
1954 		if (ret < 0)
1955 			ret = ib_send_cm_drep(ch->ib_cm.cm_id, NULL, 0);
1956 	}
1957 
1958 	if (ret < 0 && srpt_close_ch(ch))
1959 		ret = 0;
1960 
1961 	return ret;
1962 }
1963 
1964 /* Send DREQ and wait for DREP. */
1965 static void srpt_disconnect_ch_sync(struct srpt_rdma_ch *ch)
1966 {
1967 	DECLARE_COMPLETION_ONSTACK(closed);
1968 	struct srpt_port *sport = ch->sport;
1969 
1970 	pr_debug("ch %s-%d state %d\n", ch->sess_name, ch->qp->qp_num,
1971 		 ch->state);
1972 
1973 	ch->closed = &closed;
1974 
1975 	mutex_lock(&sport->mutex);
1976 	srpt_disconnect_ch(ch);
1977 	mutex_unlock(&sport->mutex);
1978 
1979 	while (wait_for_completion_timeout(&closed, 5 * HZ) == 0)
1980 		pr_info("%s(%s-%d state %d): still waiting ...\n", __func__,
1981 			ch->sess_name, ch->qp->qp_num, ch->state);
1982 
1983 }
1984 
1985 static void __srpt_close_all_ch(struct srpt_port *sport)
1986 {
1987 	struct srpt_nexus *nexus;
1988 	struct srpt_rdma_ch *ch;
1989 
1990 	lockdep_assert_held(&sport->mutex);
1991 
1992 	list_for_each_entry(nexus, &sport->nexus_list, entry) {
1993 		list_for_each_entry(ch, &nexus->ch_list, list) {
1994 			if (srpt_disconnect_ch(ch) >= 0)
1995 				pr_info("Closing channel %s-%d because target %s_%d has been disabled\n",
1996 					ch->sess_name, ch->qp->qp_num,
1997 					dev_name(&sport->sdev->device->dev),
1998 					sport->port);
1999 			srpt_close_ch(ch);
2000 		}
2001 	}
2002 }
2003 
2004 /*
2005  * Look up (i_port_id, t_port_id) in sport->nexus_list. Create an entry if
2006  * it does not yet exist.
2007  */
2008 static struct srpt_nexus *srpt_get_nexus(struct srpt_port *sport,
2009 					 const u8 i_port_id[16],
2010 					 const u8 t_port_id[16])
2011 {
2012 	struct srpt_nexus *nexus = NULL, *tmp_nexus = NULL, *n;
2013 
2014 	for (;;) {
2015 		mutex_lock(&sport->mutex);
2016 		list_for_each_entry(n, &sport->nexus_list, entry) {
2017 			if (memcmp(n->i_port_id, i_port_id, 16) == 0 &&
2018 			    memcmp(n->t_port_id, t_port_id, 16) == 0) {
2019 				nexus = n;
2020 				break;
2021 			}
2022 		}
2023 		if (!nexus && tmp_nexus) {
2024 			list_add_tail_rcu(&tmp_nexus->entry,
2025 					  &sport->nexus_list);
2026 			swap(nexus, tmp_nexus);
2027 		}
2028 		mutex_unlock(&sport->mutex);
2029 
2030 		if (nexus)
2031 			break;
2032 		tmp_nexus = kzalloc(sizeof(*nexus), GFP_KERNEL);
2033 		if (!tmp_nexus) {
2034 			nexus = ERR_PTR(-ENOMEM);
2035 			break;
2036 		}
2037 		INIT_LIST_HEAD(&tmp_nexus->ch_list);
2038 		memcpy(tmp_nexus->i_port_id, i_port_id, 16);
2039 		memcpy(tmp_nexus->t_port_id, t_port_id, 16);
2040 	}
2041 
2042 	kfree(tmp_nexus);
2043 
2044 	return nexus;
2045 }
2046 
2047 static void srpt_set_enabled(struct srpt_port *sport, bool enabled)
2048 	__must_hold(&sport->mutex)
2049 {
2050 	lockdep_assert_held(&sport->mutex);
2051 
2052 	if (sport->enabled == enabled)
2053 		return;
2054 	sport->enabled = enabled;
2055 	if (!enabled)
2056 		__srpt_close_all_ch(sport);
2057 }
2058 
2059 static void srpt_drop_sport_ref(struct srpt_port *sport)
2060 {
2061 	if (atomic_dec_return(&sport->refcount) == 0 && sport->freed_channels)
2062 		complete(sport->freed_channels);
2063 }
2064 
2065 static void srpt_free_ch(struct kref *kref)
2066 {
2067 	struct srpt_rdma_ch *ch = container_of(kref, struct srpt_rdma_ch, kref);
2068 
2069 	srpt_drop_sport_ref(ch->sport);
2070 	kfree_rcu(ch, rcu);
2071 }
2072 
2073 /*
2074  * Shut down the SCSI target session, tell the connection manager to
2075  * disconnect the associated RDMA channel, transition the QP to the error
2076  * state and remove the channel from the channel list. This function is
2077  * typically called from inside srpt_zerolength_write_done(). Concurrent
2078  * srpt_zerolength_write() calls from inside srpt_close_ch() are possible
2079  * as long as the channel is on sport->nexus_list.
2080  */
2081 static void srpt_release_channel_work(struct work_struct *w)
2082 {
2083 	struct srpt_rdma_ch *ch;
2084 	struct srpt_device *sdev;
2085 	struct srpt_port *sport;
2086 	struct se_session *se_sess;
2087 
2088 	ch = container_of(w, struct srpt_rdma_ch, release_work);
2089 	pr_debug("%s-%d\n", ch->sess_name, ch->qp->qp_num);
2090 
2091 	sdev = ch->sport->sdev;
2092 	BUG_ON(!sdev);
2093 
2094 	se_sess = ch->sess;
2095 	BUG_ON(!se_sess);
2096 
2097 	target_stop_session(se_sess);
2098 	target_wait_for_sess_cmds(se_sess);
2099 
2100 	target_remove_session(se_sess);
2101 	ch->sess = NULL;
2102 
2103 	if (ch->using_rdma_cm)
2104 		rdma_destroy_id(ch->rdma_cm.cm_id);
2105 	else
2106 		ib_destroy_cm_id(ch->ib_cm.cm_id);
2107 
2108 	sport = ch->sport;
2109 	mutex_lock(&sport->mutex);
2110 	list_del_rcu(&ch->list);
2111 	mutex_unlock(&sport->mutex);
2112 
2113 	if (ch->closed)
2114 		complete(ch->closed);
2115 
2116 	srpt_destroy_ch_ib(ch);
2117 
2118 	srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
2119 			     ch->sport->sdev, ch->rq_size,
2120 			     ch->rsp_buf_cache, DMA_TO_DEVICE);
2121 
2122 	kmem_cache_destroy(ch->rsp_buf_cache);
2123 
2124 	srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_recv_ring,
2125 			     sdev, ch->rq_size,
2126 			     ch->req_buf_cache, DMA_FROM_DEVICE);
2127 
2128 	kmem_cache_destroy(ch->req_buf_cache);
2129 
2130 	kref_put(&ch->kref, srpt_free_ch);
2131 }
2132 
2133 /**
2134  * srpt_cm_req_recv - process the event IB_CM_REQ_RECEIVED
2135  * @sdev: HCA through which the login request was received.
2136  * @ib_cm_id: IB/CM connection identifier in case of IB/CM.
2137  * @rdma_cm_id: RDMA/CM connection identifier in case of RDMA/CM.
2138  * @port_num: Port through which the REQ message was received.
2139  * @pkey: P_Key of the incoming connection.
2140  * @req: SRP login request.
2141  * @src_addr: GID (IB/CM) or IP address (RDMA/CM) of the port that submitted
2142  * the login request.
2143  *
2144  * Ownership of the cm_id is transferred to the target session if this
2145  * function returns zero. Otherwise the caller remains the owner of cm_id.
2146  */
2147 static int srpt_cm_req_recv(struct srpt_device *const sdev,
2148 			    struct ib_cm_id *ib_cm_id,
2149 			    struct rdma_cm_id *rdma_cm_id,
2150 			    u8 port_num, __be16 pkey,
2151 			    const struct srp_login_req *req,
2152 			    const char *src_addr)
2153 {
2154 	struct srpt_port *sport = &sdev->port[port_num - 1];
2155 	struct srpt_nexus *nexus;
2156 	struct srp_login_rsp *rsp = NULL;
2157 	struct srp_login_rej *rej = NULL;
2158 	union {
2159 		struct rdma_conn_param rdma_cm;
2160 		struct ib_cm_rep_param ib_cm;
2161 	} *rep_param = NULL;
2162 	struct srpt_rdma_ch *ch = NULL;
2163 	char i_port_id[36];
2164 	u32 it_iu_len;
2165 	int i, tag_num, tag_size, ret;
2166 	struct srpt_tpg *stpg;
2167 
2168 	WARN_ON_ONCE(irqs_disabled());
2169 
2170 	it_iu_len = be32_to_cpu(req->req_it_iu_len);
2171 
2172 	pr_info("Received SRP_LOGIN_REQ with i_port_id %pI6, t_port_id %pI6 and it_iu_len %d on port %d (guid=%pI6); pkey %#04x\n",
2173 		req->initiator_port_id, req->target_port_id, it_iu_len,
2174 		port_num, &sport->gid, be16_to_cpu(pkey));
2175 
2176 	nexus = srpt_get_nexus(sport, req->initiator_port_id,
2177 			       req->target_port_id);
2178 	if (IS_ERR(nexus)) {
2179 		ret = PTR_ERR(nexus);
2180 		goto out;
2181 	}
2182 
2183 	ret = -ENOMEM;
2184 	rsp = kzalloc(sizeof(*rsp), GFP_KERNEL);
2185 	rej = kzalloc(sizeof(*rej), GFP_KERNEL);
2186 	rep_param = kzalloc(sizeof(*rep_param), GFP_KERNEL);
2187 	if (!rsp || !rej || !rep_param)
2188 		goto out;
2189 
2190 	ret = -EINVAL;
2191 	if (it_iu_len > srp_max_req_size || it_iu_len < 64) {
2192 		rej->reason = cpu_to_be32(
2193 				SRP_LOGIN_REJ_REQ_IT_IU_LENGTH_TOO_LARGE);
2194 		pr_err("rejected SRP_LOGIN_REQ because its length (%d bytes) is out of range (%d .. %d)\n",
2195 		       it_iu_len, 64, srp_max_req_size);
2196 		goto reject;
2197 	}
2198 
2199 	if (!sport->enabled) {
2200 		rej->reason = cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2201 		pr_info("rejected SRP_LOGIN_REQ because target port %s_%d has not yet been enabled\n",
2202 			dev_name(&sport->sdev->device->dev), port_num);
2203 		goto reject;
2204 	}
2205 
2206 	if (*(__be64 *)req->target_port_id != cpu_to_be64(srpt_service_guid)
2207 	    || *(__be64 *)(req->target_port_id + 8) !=
2208 	       cpu_to_be64(srpt_service_guid)) {
2209 		rej->reason = cpu_to_be32(
2210 				SRP_LOGIN_REJ_UNABLE_ASSOCIATE_CHANNEL);
2211 		pr_err("rejected SRP_LOGIN_REQ because it has an invalid target port identifier.\n");
2212 		goto reject;
2213 	}
2214 
2215 	ret = -ENOMEM;
2216 	ch = kzalloc(sizeof(*ch), GFP_KERNEL);
2217 	if (!ch) {
2218 		rej->reason = cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2219 		pr_err("rejected SRP_LOGIN_REQ because out of memory.\n");
2220 		goto reject;
2221 	}
2222 
2223 	kref_init(&ch->kref);
2224 	ch->pkey = be16_to_cpu(pkey);
2225 	ch->nexus = nexus;
2226 	ch->zw_cqe.done = srpt_zerolength_write_done;
2227 	INIT_WORK(&ch->release_work, srpt_release_channel_work);
2228 	ch->sport = sport;
2229 	if (rdma_cm_id) {
2230 		ch->using_rdma_cm = true;
2231 		ch->rdma_cm.cm_id = rdma_cm_id;
2232 		rdma_cm_id->context = ch;
2233 	} else {
2234 		ch->ib_cm.cm_id = ib_cm_id;
2235 		ib_cm_id->context = ch;
2236 	}
2237 	/*
2238 	 * ch->rq_size should be at least as large as the initiator queue
2239 	 * depth to avoid that the initiator driver has to report QUEUE_FULL
2240 	 * to the SCSI mid-layer.
2241 	 */
2242 	ch->rq_size = min(MAX_SRPT_RQ_SIZE, sdev->device->attrs.max_qp_wr);
2243 	spin_lock_init(&ch->spinlock);
2244 	ch->state = CH_CONNECTING;
2245 	INIT_LIST_HEAD(&ch->cmd_wait_list);
2246 	ch->max_rsp_size = ch->sport->port_attrib.srp_max_rsp_size;
2247 
2248 	ch->rsp_buf_cache = kmem_cache_create("srpt-rsp-buf", ch->max_rsp_size,
2249 					      512, 0, NULL);
2250 	if (!ch->rsp_buf_cache)
2251 		goto free_ch;
2252 
2253 	ch->ioctx_ring = (struct srpt_send_ioctx **)
2254 		srpt_alloc_ioctx_ring(ch->sport->sdev, ch->rq_size,
2255 				      sizeof(*ch->ioctx_ring[0]),
2256 				      ch->rsp_buf_cache, 0, DMA_TO_DEVICE);
2257 	if (!ch->ioctx_ring) {
2258 		pr_err("rejected SRP_LOGIN_REQ because creating a new QP SQ ring failed.\n");
2259 		rej->reason = cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2260 		goto free_rsp_cache;
2261 	}
2262 
2263 	for (i = 0; i < ch->rq_size; i++)
2264 		ch->ioctx_ring[i]->ch = ch;
2265 	if (!sdev->use_srq) {
2266 		u16 imm_data_offset = req->req_flags & SRP_IMMED_REQUESTED ?
2267 			be16_to_cpu(req->imm_data_offset) : 0;
2268 		u16 alignment_offset;
2269 		u32 req_sz;
2270 
2271 		if (req->req_flags & SRP_IMMED_REQUESTED)
2272 			pr_debug("imm_data_offset = %d\n",
2273 				 be16_to_cpu(req->imm_data_offset));
2274 		if (imm_data_offset >= sizeof(struct srp_cmd)) {
2275 			ch->imm_data_offset = imm_data_offset;
2276 			rsp->rsp_flags |= SRP_LOGIN_RSP_IMMED_SUPP;
2277 		} else {
2278 			ch->imm_data_offset = 0;
2279 		}
2280 		alignment_offset = round_up(imm_data_offset, 512) -
2281 			imm_data_offset;
2282 		req_sz = alignment_offset + imm_data_offset + srp_max_req_size;
2283 		ch->req_buf_cache = kmem_cache_create("srpt-req-buf", req_sz,
2284 						      512, 0, NULL);
2285 		if (!ch->req_buf_cache)
2286 			goto free_rsp_ring;
2287 
2288 		ch->ioctx_recv_ring = (struct srpt_recv_ioctx **)
2289 			srpt_alloc_ioctx_ring(ch->sport->sdev, ch->rq_size,
2290 					      sizeof(*ch->ioctx_recv_ring[0]),
2291 					      ch->req_buf_cache,
2292 					      alignment_offset,
2293 					      DMA_FROM_DEVICE);
2294 		if (!ch->ioctx_recv_ring) {
2295 			pr_err("rejected SRP_LOGIN_REQ because creating a new QP RQ ring failed.\n");
2296 			rej->reason =
2297 			    cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2298 			goto free_recv_cache;
2299 		}
2300 		for (i = 0; i < ch->rq_size; i++)
2301 			INIT_LIST_HEAD(&ch->ioctx_recv_ring[i]->wait_list);
2302 	}
2303 
2304 	ret = srpt_create_ch_ib(ch);
2305 	if (ret) {
2306 		rej->reason = cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2307 		pr_err("rejected SRP_LOGIN_REQ because creating a new RDMA channel failed.\n");
2308 		goto free_recv_ring;
2309 	}
2310 
2311 	strscpy(ch->sess_name, src_addr, sizeof(ch->sess_name));
2312 	snprintf(i_port_id, sizeof(i_port_id), "0x%016llx%016llx",
2313 			be64_to_cpu(*(__be64 *)nexus->i_port_id),
2314 			be64_to_cpu(*(__be64 *)(nexus->i_port_id + 8)));
2315 
2316 	pr_debug("registering src addr %s or i_port_id %s\n", ch->sess_name,
2317 		 i_port_id);
2318 
2319 	tag_num = ch->rq_size;
2320 	tag_size = 1; /* ib_srpt does not use se_sess->sess_cmd_map */
2321 
2322 	if (sport->guid_id) {
2323 		mutex_lock(&sport->guid_id->mutex);
2324 		list_for_each_entry(stpg, &sport->guid_id->tpg_list, entry) {
2325 			if (!IS_ERR_OR_NULL(ch->sess))
2326 				break;
2327 			ch->sess = target_setup_session(&stpg->tpg, tag_num,
2328 						tag_size, TARGET_PROT_NORMAL,
2329 						ch->sess_name, ch, NULL);
2330 		}
2331 		mutex_unlock(&sport->guid_id->mutex);
2332 	}
2333 
2334 	if (sport->gid_id) {
2335 		mutex_lock(&sport->gid_id->mutex);
2336 		list_for_each_entry(stpg, &sport->gid_id->tpg_list, entry) {
2337 			if (!IS_ERR_OR_NULL(ch->sess))
2338 				break;
2339 			ch->sess = target_setup_session(&stpg->tpg, tag_num,
2340 					tag_size, TARGET_PROT_NORMAL, i_port_id,
2341 					ch, NULL);
2342 			if (!IS_ERR_OR_NULL(ch->sess))
2343 				break;
2344 			/* Retry without leading "0x" */
2345 			ch->sess = target_setup_session(&stpg->tpg, tag_num,
2346 						tag_size, TARGET_PROT_NORMAL,
2347 						i_port_id + 2, ch, NULL);
2348 		}
2349 		mutex_unlock(&sport->gid_id->mutex);
2350 	}
2351 
2352 	if (IS_ERR_OR_NULL(ch->sess)) {
2353 		WARN_ON_ONCE(ch->sess == NULL);
2354 		ret = PTR_ERR(ch->sess);
2355 		ch->sess = NULL;
2356 		pr_info("Rejected login for initiator %s: ret = %d.\n",
2357 			ch->sess_name, ret);
2358 		rej->reason = cpu_to_be32(ret == -ENOMEM ?
2359 				SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES :
2360 				SRP_LOGIN_REJ_CHANNEL_LIMIT_REACHED);
2361 		goto destroy_ib;
2362 	}
2363 
2364 	/*
2365 	 * Once a session has been created destruction of srpt_rdma_ch objects
2366 	 * will decrement sport->refcount. Hence increment sport->refcount now.
2367 	 */
2368 	atomic_inc(&sport->refcount);
2369 
2370 	mutex_lock(&sport->mutex);
2371 
2372 	if ((req->req_flags & SRP_MTCH_ACTION) == SRP_MULTICHAN_SINGLE) {
2373 		struct srpt_rdma_ch *ch2;
2374 
2375 		list_for_each_entry(ch2, &nexus->ch_list, list) {
2376 			if (srpt_disconnect_ch(ch2) < 0)
2377 				continue;
2378 			pr_info("Relogin - closed existing channel %s\n",
2379 				ch2->sess_name);
2380 			rsp->rsp_flags |= SRP_LOGIN_RSP_MULTICHAN_TERMINATED;
2381 		}
2382 	} else {
2383 		rsp->rsp_flags |= SRP_LOGIN_RSP_MULTICHAN_MAINTAINED;
2384 	}
2385 
2386 	list_add_tail_rcu(&ch->list, &nexus->ch_list);
2387 
2388 	if (!sport->enabled) {
2389 		rej->reason = cpu_to_be32(
2390 				SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2391 		pr_info("rejected SRP_LOGIN_REQ because target %s_%d is not enabled\n",
2392 			dev_name(&sdev->device->dev), port_num);
2393 		mutex_unlock(&sport->mutex);
2394 		ret = -EINVAL;
2395 		goto reject;
2396 	}
2397 
2398 	mutex_unlock(&sport->mutex);
2399 
2400 	ret = ch->using_rdma_cm ? 0 : srpt_ch_qp_rtr(ch, ch->qp);
2401 	if (ret) {
2402 		rej->reason = cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2403 		pr_err("rejected SRP_LOGIN_REQ because enabling RTR failed (error code = %d)\n",
2404 		       ret);
2405 		goto reject;
2406 	}
2407 
2408 	pr_debug("Establish connection sess=%p name=%s ch=%p\n", ch->sess,
2409 		 ch->sess_name, ch);
2410 
2411 	/* create srp_login_response */
2412 	rsp->opcode = SRP_LOGIN_RSP;
2413 	rsp->tag = req->tag;
2414 	rsp->max_it_iu_len = cpu_to_be32(srp_max_req_size);
2415 	rsp->max_ti_iu_len = req->req_it_iu_len;
2416 	ch->max_ti_iu_len = it_iu_len;
2417 	rsp->buf_fmt = cpu_to_be16(SRP_BUF_FORMAT_DIRECT |
2418 				   SRP_BUF_FORMAT_INDIRECT);
2419 	rsp->req_lim_delta = cpu_to_be32(ch->rq_size);
2420 	atomic_set(&ch->req_lim, ch->rq_size);
2421 	atomic_set(&ch->req_lim_delta, 0);
2422 
2423 	/* create cm reply */
2424 	if (ch->using_rdma_cm) {
2425 		rep_param->rdma_cm.private_data = (void *)rsp;
2426 		rep_param->rdma_cm.private_data_len = sizeof(*rsp);
2427 		rep_param->rdma_cm.rnr_retry_count = 7;
2428 		rep_param->rdma_cm.flow_control = 1;
2429 		rep_param->rdma_cm.responder_resources = 4;
2430 		rep_param->rdma_cm.initiator_depth = 4;
2431 	} else {
2432 		rep_param->ib_cm.qp_num = ch->qp->qp_num;
2433 		rep_param->ib_cm.private_data = (void *)rsp;
2434 		rep_param->ib_cm.private_data_len = sizeof(*rsp);
2435 		rep_param->ib_cm.rnr_retry_count = 7;
2436 		rep_param->ib_cm.flow_control = 1;
2437 		rep_param->ib_cm.failover_accepted = 0;
2438 		rep_param->ib_cm.srq = 1;
2439 		rep_param->ib_cm.responder_resources = 4;
2440 		rep_param->ib_cm.initiator_depth = 4;
2441 	}
2442 
2443 	/*
2444 	 * Hold the sport mutex while accepting a connection to avoid that
2445 	 * srpt_disconnect_ch() is invoked concurrently with this code.
2446 	 */
2447 	mutex_lock(&sport->mutex);
2448 	if (sport->enabled && ch->state == CH_CONNECTING) {
2449 		if (ch->using_rdma_cm)
2450 			ret = rdma_accept(rdma_cm_id, &rep_param->rdma_cm);
2451 		else
2452 			ret = ib_send_cm_rep(ib_cm_id, &rep_param->ib_cm);
2453 	} else {
2454 		ret = -EINVAL;
2455 	}
2456 	mutex_unlock(&sport->mutex);
2457 
2458 	switch (ret) {
2459 	case 0:
2460 		break;
2461 	case -EINVAL:
2462 		goto reject;
2463 	default:
2464 		rej->reason = cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2465 		pr_err("sending SRP_LOGIN_REQ response failed (error code = %d)\n",
2466 		       ret);
2467 		goto reject;
2468 	}
2469 
2470 	goto out;
2471 
2472 destroy_ib:
2473 	srpt_destroy_ch_ib(ch);
2474 
2475 free_recv_ring:
2476 	srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_recv_ring,
2477 			     ch->sport->sdev, ch->rq_size,
2478 			     ch->req_buf_cache, DMA_FROM_DEVICE);
2479 
2480 free_recv_cache:
2481 	kmem_cache_destroy(ch->req_buf_cache);
2482 
2483 free_rsp_ring:
2484 	srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
2485 			     ch->sport->sdev, ch->rq_size,
2486 			     ch->rsp_buf_cache, DMA_TO_DEVICE);
2487 
2488 free_rsp_cache:
2489 	kmem_cache_destroy(ch->rsp_buf_cache);
2490 
2491 free_ch:
2492 	if (rdma_cm_id)
2493 		rdma_cm_id->context = NULL;
2494 	else
2495 		ib_cm_id->context = NULL;
2496 	kfree(ch);
2497 	ch = NULL;
2498 
2499 	WARN_ON_ONCE(ret == 0);
2500 
2501 reject:
2502 	pr_info("Rejecting login with reason %#x\n", be32_to_cpu(rej->reason));
2503 	rej->opcode = SRP_LOGIN_REJ;
2504 	rej->tag = req->tag;
2505 	rej->buf_fmt = cpu_to_be16(SRP_BUF_FORMAT_DIRECT |
2506 				   SRP_BUF_FORMAT_INDIRECT);
2507 
2508 	if (rdma_cm_id)
2509 		rdma_reject(rdma_cm_id, rej, sizeof(*rej),
2510 			    IB_CM_REJ_CONSUMER_DEFINED);
2511 	else
2512 		ib_send_cm_rej(ib_cm_id, IB_CM_REJ_CONSUMER_DEFINED, NULL, 0,
2513 			       rej, sizeof(*rej));
2514 
2515 	if (ch && ch->sess) {
2516 		srpt_close_ch(ch);
2517 		/*
2518 		 * Tell the caller not to free cm_id since
2519 		 * srpt_release_channel_work() will do that.
2520 		 */
2521 		ret = 0;
2522 	}
2523 
2524 out:
2525 	kfree(rep_param);
2526 	kfree(rsp);
2527 	kfree(rej);
2528 
2529 	return ret;
2530 }
2531 
2532 static int srpt_ib_cm_req_recv(struct ib_cm_id *cm_id,
2533 			       const struct ib_cm_req_event_param *param,
2534 			       void *private_data)
2535 {
2536 	char sguid[40];
2537 
2538 	srpt_format_guid(sguid, sizeof(sguid),
2539 			 &param->primary_path->dgid.global.interface_id);
2540 
2541 	return srpt_cm_req_recv(cm_id->context, cm_id, NULL, param->port,
2542 				param->primary_path->pkey,
2543 				private_data, sguid);
2544 }
2545 
2546 static int srpt_rdma_cm_req_recv(struct rdma_cm_id *cm_id,
2547 				 struct rdma_cm_event *event)
2548 {
2549 	struct srpt_device *sdev;
2550 	struct srp_login_req req;
2551 	const struct srp_login_req_rdma *req_rdma;
2552 	struct sa_path_rec *path_rec = cm_id->route.path_rec;
2553 	char src_addr[40];
2554 
2555 	sdev = ib_get_client_data(cm_id->device, &srpt_client);
2556 	if (!sdev)
2557 		return -ECONNREFUSED;
2558 
2559 	if (event->param.conn.private_data_len < sizeof(*req_rdma))
2560 		return -EINVAL;
2561 
2562 	/* Transform srp_login_req_rdma into srp_login_req. */
2563 	req_rdma = event->param.conn.private_data;
2564 	memset(&req, 0, sizeof(req));
2565 	req.opcode		= req_rdma->opcode;
2566 	req.tag			= req_rdma->tag;
2567 	req.req_it_iu_len	= req_rdma->req_it_iu_len;
2568 	req.req_buf_fmt		= req_rdma->req_buf_fmt;
2569 	req.req_flags		= req_rdma->req_flags;
2570 	memcpy(req.initiator_port_id, req_rdma->initiator_port_id, 16);
2571 	memcpy(req.target_port_id, req_rdma->target_port_id, 16);
2572 	req.imm_data_offset	= req_rdma->imm_data_offset;
2573 
2574 	snprintf(src_addr, sizeof(src_addr), "%pIS",
2575 		 &cm_id->route.addr.src_addr);
2576 
2577 	return srpt_cm_req_recv(sdev, NULL, cm_id, cm_id->port_num,
2578 				path_rec ? path_rec->pkey : 0, &req, src_addr);
2579 }
2580 
2581 static void srpt_cm_rej_recv(struct srpt_rdma_ch *ch,
2582 			     enum ib_cm_rej_reason reason,
2583 			     const u8 *private_data,
2584 			     u8 private_data_len)
2585 {
2586 	char *priv = NULL;
2587 	int i;
2588 
2589 	if (private_data_len && (priv = kmalloc(private_data_len * 3 + 1,
2590 						GFP_KERNEL))) {
2591 		for (i = 0; i < private_data_len; i++)
2592 			sprintf(priv + 3 * i, " %02x", private_data[i]);
2593 	}
2594 	pr_info("Received CM REJ for ch %s-%d; reason %d%s%s.\n",
2595 		ch->sess_name, ch->qp->qp_num, reason, private_data_len ?
2596 		"; private data" : "", priv ? priv : " (?)");
2597 	kfree(priv);
2598 }
2599 
2600 /**
2601  * srpt_cm_rtu_recv - process an IB_CM_RTU_RECEIVED or USER_ESTABLISHED event
2602  * @ch: SRPT RDMA channel.
2603  *
2604  * An RTU (ready to use) message indicates that the connection has been
2605  * established and that the recipient may begin transmitting.
2606  */
2607 static void srpt_cm_rtu_recv(struct srpt_rdma_ch *ch)
2608 {
2609 	int ret;
2610 
2611 	ret = ch->using_rdma_cm ? 0 : srpt_ch_qp_rts(ch, ch->qp);
2612 	if (ret < 0) {
2613 		pr_err("%s-%d: QP transition to RTS failed\n", ch->sess_name,
2614 		       ch->qp->qp_num);
2615 		srpt_close_ch(ch);
2616 		return;
2617 	}
2618 
2619 	/*
2620 	 * Note: calling srpt_close_ch() if the transition to the LIVE state
2621 	 * fails is not necessary since that means that that function has
2622 	 * already been invoked from another thread.
2623 	 */
2624 	if (!srpt_set_ch_state(ch, CH_LIVE)) {
2625 		pr_err("%s-%d: channel transition to LIVE state failed\n",
2626 		       ch->sess_name, ch->qp->qp_num);
2627 		return;
2628 	}
2629 
2630 	/* Trigger wait list processing. */
2631 	ret = srpt_zerolength_write(ch);
2632 	WARN_ONCE(ret < 0, "%d\n", ret);
2633 }
2634 
2635 /**
2636  * srpt_cm_handler - IB connection manager callback function
2637  * @cm_id: IB/CM connection identifier.
2638  * @event: IB/CM event.
2639  *
2640  * A non-zero return value will cause the caller destroy the CM ID.
2641  *
2642  * Note: srpt_cm_handler() must only return a non-zero value when transferring
2643  * ownership of the cm_id to a channel by srpt_cm_req_recv() failed. Returning
2644  * a non-zero value in any other case will trigger a race with the
2645  * ib_destroy_cm_id() call in srpt_release_channel().
2646  */
2647 static int srpt_cm_handler(struct ib_cm_id *cm_id,
2648 			   const struct ib_cm_event *event)
2649 {
2650 	struct srpt_rdma_ch *ch = cm_id->context;
2651 	int ret;
2652 
2653 	ret = 0;
2654 	switch (event->event) {
2655 	case IB_CM_REQ_RECEIVED:
2656 		ret = srpt_ib_cm_req_recv(cm_id, &event->param.req_rcvd,
2657 					  event->private_data);
2658 		break;
2659 	case IB_CM_REJ_RECEIVED:
2660 		srpt_cm_rej_recv(ch, event->param.rej_rcvd.reason,
2661 				 event->private_data,
2662 				 IB_CM_REJ_PRIVATE_DATA_SIZE);
2663 		break;
2664 	case IB_CM_RTU_RECEIVED:
2665 	case IB_CM_USER_ESTABLISHED:
2666 		srpt_cm_rtu_recv(ch);
2667 		break;
2668 	case IB_CM_DREQ_RECEIVED:
2669 		srpt_disconnect_ch(ch);
2670 		break;
2671 	case IB_CM_DREP_RECEIVED:
2672 		pr_info("Received CM DREP message for ch %s-%d.\n",
2673 			ch->sess_name, ch->qp->qp_num);
2674 		srpt_close_ch(ch);
2675 		break;
2676 	case IB_CM_TIMEWAIT_EXIT:
2677 		pr_info("Received CM TimeWait exit for ch %s-%d.\n",
2678 			ch->sess_name, ch->qp->qp_num);
2679 		srpt_close_ch(ch);
2680 		break;
2681 	case IB_CM_REP_ERROR:
2682 		pr_info("Received CM REP error for ch %s-%d.\n", ch->sess_name,
2683 			ch->qp->qp_num);
2684 		break;
2685 	case IB_CM_DREQ_ERROR:
2686 		pr_info("Received CM DREQ ERROR event.\n");
2687 		break;
2688 	case IB_CM_MRA_RECEIVED:
2689 		pr_info("Received CM MRA event\n");
2690 		break;
2691 	default:
2692 		pr_err("received unrecognized CM event %d\n", event->event);
2693 		break;
2694 	}
2695 
2696 	return ret;
2697 }
2698 
2699 static int srpt_rdma_cm_handler(struct rdma_cm_id *cm_id,
2700 				struct rdma_cm_event *event)
2701 {
2702 	struct srpt_rdma_ch *ch = cm_id->context;
2703 	int ret = 0;
2704 
2705 	switch (event->event) {
2706 	case RDMA_CM_EVENT_CONNECT_REQUEST:
2707 		ret = srpt_rdma_cm_req_recv(cm_id, event);
2708 		break;
2709 	case RDMA_CM_EVENT_REJECTED:
2710 		srpt_cm_rej_recv(ch, event->status,
2711 				 event->param.conn.private_data,
2712 				 event->param.conn.private_data_len);
2713 		break;
2714 	case RDMA_CM_EVENT_ESTABLISHED:
2715 		srpt_cm_rtu_recv(ch);
2716 		break;
2717 	case RDMA_CM_EVENT_DISCONNECTED:
2718 		if (ch->state < CH_DISCONNECTING)
2719 			srpt_disconnect_ch(ch);
2720 		else
2721 			srpt_close_ch(ch);
2722 		break;
2723 	case RDMA_CM_EVENT_TIMEWAIT_EXIT:
2724 		srpt_close_ch(ch);
2725 		break;
2726 	case RDMA_CM_EVENT_UNREACHABLE:
2727 		pr_info("Received CM REP error for ch %s-%d.\n", ch->sess_name,
2728 			ch->qp->qp_num);
2729 		break;
2730 	case RDMA_CM_EVENT_DEVICE_REMOVAL:
2731 	case RDMA_CM_EVENT_ADDR_CHANGE:
2732 		break;
2733 	default:
2734 		pr_err("received unrecognized RDMA CM event %d\n",
2735 		       event->event);
2736 		break;
2737 	}
2738 
2739 	return ret;
2740 }
2741 
2742 /*
2743  * srpt_write_pending - Start data transfer from initiator to target (write).
2744  */
2745 static int srpt_write_pending(struct se_cmd *se_cmd)
2746 {
2747 	struct srpt_send_ioctx *ioctx =
2748 		container_of(se_cmd, struct srpt_send_ioctx, cmd);
2749 	struct srpt_rdma_ch *ch = ioctx->ch;
2750 	struct ib_send_wr *first_wr = NULL;
2751 	struct ib_cqe *cqe = &ioctx->rdma_cqe;
2752 	enum srpt_command_state new_state;
2753 	int ret, i;
2754 
2755 	if (ioctx->recv_ioctx) {
2756 		srpt_set_cmd_state(ioctx, SRPT_STATE_DATA_IN);
2757 		target_execute_cmd(&ioctx->cmd);
2758 		return 0;
2759 	}
2760 
2761 	new_state = srpt_set_cmd_state(ioctx, SRPT_STATE_NEED_DATA);
2762 	WARN_ON(new_state == SRPT_STATE_DONE);
2763 
2764 	if (atomic_sub_return(ioctx->n_rdma, &ch->sq_wr_avail) < 0) {
2765 		pr_warn("%s: IB send queue full (needed %d)\n",
2766 				__func__, ioctx->n_rdma);
2767 		ret = -ENOMEM;
2768 		goto out_undo;
2769 	}
2770 
2771 	cqe->done = srpt_rdma_read_done;
2772 	for (i = ioctx->n_rw_ctx - 1; i >= 0; i--) {
2773 		struct srpt_rw_ctx *ctx = &ioctx->rw_ctxs[i];
2774 
2775 		first_wr = rdma_rw_ctx_wrs(&ctx->rw, ch->qp, ch->sport->port,
2776 				cqe, first_wr);
2777 		cqe = NULL;
2778 	}
2779 
2780 	ret = ib_post_send(ch->qp, first_wr, NULL);
2781 	if (ret) {
2782 		pr_err("%s: ib_post_send() returned %d for %d (avail: %d)\n",
2783 			 __func__, ret, ioctx->n_rdma,
2784 			 atomic_read(&ch->sq_wr_avail));
2785 		goto out_undo;
2786 	}
2787 
2788 	return 0;
2789 out_undo:
2790 	atomic_add(ioctx->n_rdma, &ch->sq_wr_avail);
2791 	return ret;
2792 }
2793 
2794 static u8 tcm_to_srp_tsk_mgmt_status(const int tcm_mgmt_status)
2795 {
2796 	switch (tcm_mgmt_status) {
2797 	case TMR_FUNCTION_COMPLETE:
2798 		return SRP_TSK_MGMT_SUCCESS;
2799 	case TMR_FUNCTION_REJECTED:
2800 		return SRP_TSK_MGMT_FUNC_NOT_SUPP;
2801 	}
2802 	return SRP_TSK_MGMT_FAILED;
2803 }
2804 
2805 /**
2806  * srpt_queue_response - transmit the response to a SCSI command
2807  * @cmd: SCSI target command.
2808  *
2809  * Callback function called by the TCM core. Must not block since it can be
2810  * invoked on the context of the IB completion handler.
2811  */
2812 static void srpt_queue_response(struct se_cmd *cmd)
2813 {
2814 	struct srpt_send_ioctx *ioctx =
2815 		container_of(cmd, struct srpt_send_ioctx, cmd);
2816 	struct srpt_rdma_ch *ch = ioctx->ch;
2817 	struct srpt_device *sdev = ch->sport->sdev;
2818 	struct ib_send_wr send_wr, *first_wr = &send_wr;
2819 	struct ib_sge sge;
2820 	enum srpt_command_state state;
2821 	int resp_len, ret, i;
2822 	u8 srp_tm_status;
2823 
2824 	state = ioctx->state;
2825 	switch (state) {
2826 	case SRPT_STATE_NEW:
2827 	case SRPT_STATE_DATA_IN:
2828 		ioctx->state = SRPT_STATE_CMD_RSP_SENT;
2829 		break;
2830 	case SRPT_STATE_MGMT:
2831 		ioctx->state = SRPT_STATE_MGMT_RSP_SENT;
2832 		break;
2833 	default:
2834 		WARN(true, "ch %p; cmd %d: unexpected command state %d\n",
2835 			ch, ioctx->ioctx.index, ioctx->state);
2836 		break;
2837 	}
2838 
2839 	if (WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))
2840 		return;
2841 
2842 	/* For read commands, transfer the data to the initiator. */
2843 	if (ioctx->cmd.data_direction == DMA_FROM_DEVICE &&
2844 	    ioctx->cmd.data_length &&
2845 	    !ioctx->queue_status_only) {
2846 		for (i = ioctx->n_rw_ctx - 1; i >= 0; i--) {
2847 			struct srpt_rw_ctx *ctx = &ioctx->rw_ctxs[i];
2848 
2849 			first_wr = rdma_rw_ctx_wrs(&ctx->rw, ch->qp,
2850 					ch->sport->port, NULL, first_wr);
2851 		}
2852 	}
2853 
2854 	if (state != SRPT_STATE_MGMT)
2855 		resp_len = srpt_build_cmd_rsp(ch, ioctx, ioctx->cmd.tag,
2856 					      cmd->scsi_status);
2857 	else {
2858 		srp_tm_status
2859 			= tcm_to_srp_tsk_mgmt_status(cmd->se_tmr_req->response);
2860 		resp_len = srpt_build_tskmgmt_rsp(ch, ioctx, srp_tm_status,
2861 						 ioctx->cmd.tag);
2862 	}
2863 
2864 	atomic_inc(&ch->req_lim);
2865 
2866 	if (unlikely(atomic_sub_return(1 + ioctx->n_rdma,
2867 			&ch->sq_wr_avail) < 0)) {
2868 		pr_warn("%s: IB send queue full (needed %d)\n",
2869 				__func__, ioctx->n_rdma);
2870 		goto out;
2871 	}
2872 
2873 	ib_dma_sync_single_for_device(sdev->device, ioctx->ioctx.dma, resp_len,
2874 				      DMA_TO_DEVICE);
2875 
2876 	sge.addr = ioctx->ioctx.dma;
2877 	sge.length = resp_len;
2878 	sge.lkey = sdev->lkey;
2879 
2880 	ioctx->ioctx.cqe.done = srpt_send_done;
2881 	send_wr.next = NULL;
2882 	send_wr.wr_cqe = &ioctx->ioctx.cqe;
2883 	send_wr.sg_list = &sge;
2884 	send_wr.num_sge = 1;
2885 	send_wr.opcode = IB_WR_SEND;
2886 	send_wr.send_flags = IB_SEND_SIGNALED;
2887 
2888 	ret = ib_post_send(ch->qp, first_wr, NULL);
2889 	if (ret < 0) {
2890 		pr_err("%s: sending cmd response failed for tag %llu (%d)\n",
2891 			__func__, ioctx->cmd.tag, ret);
2892 		goto out;
2893 	}
2894 
2895 	return;
2896 
2897 out:
2898 	atomic_add(1 + ioctx->n_rdma, &ch->sq_wr_avail);
2899 	atomic_dec(&ch->req_lim);
2900 	srpt_set_cmd_state(ioctx, SRPT_STATE_DONE);
2901 	target_put_sess_cmd(&ioctx->cmd);
2902 }
2903 
2904 static int srpt_queue_data_in(struct se_cmd *cmd)
2905 {
2906 	srpt_queue_response(cmd);
2907 	return 0;
2908 }
2909 
2910 static void srpt_queue_tm_rsp(struct se_cmd *cmd)
2911 {
2912 	srpt_queue_response(cmd);
2913 }
2914 
2915 /*
2916  * This function is called for aborted commands if no response is sent to the
2917  * initiator. Make sure that the credits freed by aborting a command are
2918  * returned to the initiator the next time a response is sent by incrementing
2919  * ch->req_lim_delta.
2920  */
2921 static void srpt_aborted_task(struct se_cmd *cmd)
2922 {
2923 	struct srpt_send_ioctx *ioctx = container_of(cmd,
2924 				struct srpt_send_ioctx, cmd);
2925 	struct srpt_rdma_ch *ch = ioctx->ch;
2926 
2927 	atomic_inc(&ch->req_lim_delta);
2928 }
2929 
2930 static int srpt_queue_status(struct se_cmd *cmd)
2931 {
2932 	struct srpt_send_ioctx *ioctx;
2933 
2934 	ioctx = container_of(cmd, struct srpt_send_ioctx, cmd);
2935 	BUG_ON(ioctx->sense_data != cmd->sense_buffer);
2936 	if (cmd->se_cmd_flags &
2937 	    (SCF_TRANSPORT_TASK_SENSE | SCF_EMULATED_TASK_SENSE))
2938 		WARN_ON(cmd->scsi_status != SAM_STAT_CHECK_CONDITION);
2939 	ioctx->queue_status_only = true;
2940 	srpt_queue_response(cmd);
2941 	return 0;
2942 }
2943 
2944 static void srpt_refresh_port_work(struct work_struct *work)
2945 {
2946 	struct srpt_port *sport = container_of(work, struct srpt_port, work);
2947 
2948 	srpt_refresh_port(sport);
2949 }
2950 
2951 /**
2952  * srpt_release_sport - disable login and wait for associated channels
2953  * @sport: SRPT HCA port.
2954  */
2955 static int srpt_release_sport(struct srpt_port *sport)
2956 {
2957 	DECLARE_COMPLETION_ONSTACK(c);
2958 	struct srpt_nexus *nexus, *next_n;
2959 	struct srpt_rdma_ch *ch;
2960 
2961 	WARN_ON_ONCE(irqs_disabled());
2962 
2963 	sport->freed_channels = &c;
2964 
2965 	mutex_lock(&sport->mutex);
2966 	srpt_set_enabled(sport, false);
2967 	mutex_unlock(&sport->mutex);
2968 
2969 	while (atomic_read(&sport->refcount) > 0 &&
2970 	       wait_for_completion_timeout(&c, 5 * HZ) <= 0) {
2971 		pr_info("%s_%d: waiting for unregistration of %d sessions ...\n",
2972 			dev_name(&sport->sdev->device->dev), sport->port,
2973 			atomic_read(&sport->refcount));
2974 		rcu_read_lock();
2975 		list_for_each_entry(nexus, &sport->nexus_list, entry) {
2976 			list_for_each_entry(ch, &nexus->ch_list, list) {
2977 				pr_info("%s-%d: state %s\n",
2978 					ch->sess_name, ch->qp->qp_num,
2979 					get_ch_state_name(ch->state));
2980 			}
2981 		}
2982 		rcu_read_unlock();
2983 	}
2984 
2985 	mutex_lock(&sport->mutex);
2986 	list_for_each_entry_safe(nexus, next_n, &sport->nexus_list, entry) {
2987 		list_del(&nexus->entry);
2988 		kfree_rcu(nexus, rcu);
2989 	}
2990 	mutex_unlock(&sport->mutex);
2991 
2992 	return 0;
2993 }
2994 
2995 struct port_and_port_id {
2996 	struct srpt_port *sport;
2997 	struct srpt_port_id **port_id;
2998 };
2999 
3000 static struct port_and_port_id __srpt_lookup_port(const char *name)
3001 {
3002 	struct ib_device *dev;
3003 	struct srpt_device *sdev;
3004 	struct srpt_port *sport;
3005 	int i;
3006 
3007 	list_for_each_entry(sdev, &srpt_dev_list, list) {
3008 		dev = sdev->device;
3009 		if (!dev)
3010 			continue;
3011 
3012 		for (i = 0; i < dev->phys_port_cnt; i++) {
3013 			sport = &sdev->port[i];
3014 
3015 			if (strcmp(sport->guid_name, name) == 0) {
3016 				kref_get(&sdev->refcnt);
3017 				return (struct port_and_port_id){
3018 					sport, &sport->guid_id};
3019 			}
3020 			if (strcmp(sport->gid_name, name) == 0) {
3021 				kref_get(&sdev->refcnt);
3022 				return (struct port_and_port_id){
3023 					sport, &sport->gid_id};
3024 			}
3025 		}
3026 	}
3027 
3028 	return (struct port_and_port_id){};
3029 }
3030 
3031 /**
3032  * srpt_lookup_port() - Look up an RDMA port by name
3033  * @name: ASCII port name
3034  *
3035  * Increments the RDMA port reference count if an RDMA port pointer is returned.
3036  * The caller must drop that reference count by calling srpt_port_put_ref().
3037  */
3038 static struct port_and_port_id srpt_lookup_port(const char *name)
3039 {
3040 	struct port_and_port_id papi;
3041 
3042 	spin_lock(&srpt_dev_lock);
3043 	papi = __srpt_lookup_port(name);
3044 	spin_unlock(&srpt_dev_lock);
3045 
3046 	return papi;
3047 }
3048 
3049 static void srpt_free_srq(struct srpt_device *sdev)
3050 {
3051 	if (!sdev->srq)
3052 		return;
3053 
3054 	ib_destroy_srq(sdev->srq);
3055 	srpt_free_ioctx_ring((struct srpt_ioctx **)sdev->ioctx_ring, sdev,
3056 			     sdev->srq_size, sdev->req_buf_cache,
3057 			     DMA_FROM_DEVICE);
3058 	kmem_cache_destroy(sdev->req_buf_cache);
3059 	sdev->srq = NULL;
3060 }
3061 
3062 static int srpt_alloc_srq(struct srpt_device *sdev)
3063 {
3064 	struct ib_srq_init_attr srq_attr = {
3065 		.event_handler = srpt_srq_event,
3066 		.srq_context = (void *)sdev,
3067 		.attr.max_wr = sdev->srq_size,
3068 		.attr.max_sge = 1,
3069 		.srq_type = IB_SRQT_BASIC,
3070 	};
3071 	struct ib_device *device = sdev->device;
3072 	struct ib_srq *srq;
3073 	int i;
3074 
3075 	WARN_ON_ONCE(sdev->srq);
3076 	srq = ib_create_srq(sdev->pd, &srq_attr);
3077 	if (IS_ERR(srq)) {
3078 		pr_debug("ib_create_srq() failed: %ld\n", PTR_ERR(srq));
3079 		return PTR_ERR(srq);
3080 	}
3081 
3082 	pr_debug("create SRQ #wr= %d max_allow=%d dev= %s\n", sdev->srq_size,
3083 		 sdev->device->attrs.max_srq_wr, dev_name(&device->dev));
3084 
3085 	sdev->req_buf_cache = kmem_cache_create("srpt-srq-req-buf",
3086 						srp_max_req_size, 0, 0, NULL);
3087 	if (!sdev->req_buf_cache)
3088 		goto free_srq;
3089 
3090 	sdev->ioctx_ring = (struct srpt_recv_ioctx **)
3091 		srpt_alloc_ioctx_ring(sdev, sdev->srq_size,
3092 				      sizeof(*sdev->ioctx_ring[0]),
3093 				      sdev->req_buf_cache, 0, DMA_FROM_DEVICE);
3094 	if (!sdev->ioctx_ring)
3095 		goto free_cache;
3096 
3097 	sdev->use_srq = true;
3098 	sdev->srq = srq;
3099 
3100 	for (i = 0; i < sdev->srq_size; ++i) {
3101 		INIT_LIST_HEAD(&sdev->ioctx_ring[i]->wait_list);
3102 		srpt_post_recv(sdev, NULL, sdev->ioctx_ring[i]);
3103 	}
3104 
3105 	return 0;
3106 
3107 free_cache:
3108 	kmem_cache_destroy(sdev->req_buf_cache);
3109 
3110 free_srq:
3111 	ib_destroy_srq(srq);
3112 	return -ENOMEM;
3113 }
3114 
3115 static int srpt_use_srq(struct srpt_device *sdev, bool use_srq)
3116 {
3117 	struct ib_device *device = sdev->device;
3118 	int ret = 0;
3119 
3120 	if (!use_srq) {
3121 		srpt_free_srq(sdev);
3122 		sdev->use_srq = false;
3123 	} else if (use_srq && !sdev->srq) {
3124 		ret = srpt_alloc_srq(sdev);
3125 	}
3126 	pr_debug("%s(%s): use_srq = %d; ret = %d\n", __func__,
3127 		 dev_name(&device->dev), sdev->use_srq, ret);
3128 	return ret;
3129 }
3130 
3131 static void srpt_free_sdev(struct kref *refcnt)
3132 {
3133 	struct srpt_device *sdev = container_of(refcnt, typeof(*sdev), refcnt);
3134 
3135 	kfree(sdev);
3136 }
3137 
3138 static void srpt_sdev_put(struct srpt_device *sdev)
3139 {
3140 	kref_put(&sdev->refcnt, srpt_free_sdev);
3141 }
3142 
3143 /**
3144  * srpt_add_one - InfiniBand device addition callback function
3145  * @device: Describes a HCA.
3146  */
3147 static int srpt_add_one(struct ib_device *device)
3148 {
3149 	struct srpt_device *sdev;
3150 	struct srpt_port *sport;
3151 	int ret;
3152 	u32 i;
3153 
3154 	pr_debug("device = %p\n", device);
3155 
3156 	sdev = kzalloc(struct_size(sdev, port, device->phys_port_cnt),
3157 		       GFP_KERNEL);
3158 	if (!sdev)
3159 		return -ENOMEM;
3160 
3161 	kref_init(&sdev->refcnt);
3162 	sdev->device = device;
3163 	mutex_init(&sdev->sdev_mutex);
3164 
3165 	sdev->pd = ib_alloc_pd(device, 0);
3166 	if (IS_ERR(sdev->pd)) {
3167 		ret = PTR_ERR(sdev->pd);
3168 		goto free_dev;
3169 	}
3170 
3171 	sdev->lkey = sdev->pd->local_dma_lkey;
3172 
3173 	sdev->srq_size = min(srpt_srq_size, sdev->device->attrs.max_srq_wr);
3174 
3175 	srpt_use_srq(sdev, sdev->port[0].port_attrib.use_srq);
3176 
3177 	if (!srpt_service_guid)
3178 		srpt_service_guid = be64_to_cpu(device->node_guid);
3179 
3180 	if (rdma_port_get_link_layer(device, 1) == IB_LINK_LAYER_INFINIBAND)
3181 		sdev->cm_id = ib_create_cm_id(device, srpt_cm_handler, sdev);
3182 	if (IS_ERR(sdev->cm_id)) {
3183 		pr_info("ib_create_cm_id() failed: %ld\n",
3184 			PTR_ERR(sdev->cm_id));
3185 		ret = PTR_ERR(sdev->cm_id);
3186 		sdev->cm_id = NULL;
3187 		if (!rdma_cm_id)
3188 			goto err_ring;
3189 	}
3190 
3191 	/* print out target login information */
3192 	pr_debug("Target login info: id_ext=%016llx,ioc_guid=%016llx,pkey=ffff,service_id=%016llx\n",
3193 		 srpt_service_guid, srpt_service_guid, srpt_service_guid);
3194 
3195 	/*
3196 	 * We do not have a consistent service_id (ie. also id_ext of target_id)
3197 	 * to identify this target. We currently use the guid of the first HCA
3198 	 * in the system as service_id; therefore, the target_id will change
3199 	 * if this HCA is gone bad and replaced by different HCA
3200 	 */
3201 	ret = sdev->cm_id ?
3202 		ib_cm_listen(sdev->cm_id, cpu_to_be64(srpt_service_guid)) :
3203 		0;
3204 	if (ret < 0) {
3205 		pr_err("ib_cm_listen() failed: %d (cm_id state = %d)\n", ret,
3206 		       sdev->cm_id->state);
3207 		goto err_cm;
3208 	}
3209 
3210 	INIT_IB_EVENT_HANDLER(&sdev->event_handler, sdev->device,
3211 			      srpt_event_handler);
3212 	ib_register_event_handler(&sdev->event_handler);
3213 
3214 	for (i = 1; i <= sdev->device->phys_port_cnt; i++) {
3215 		sport = &sdev->port[i - 1];
3216 		INIT_LIST_HEAD(&sport->nexus_list);
3217 		mutex_init(&sport->mutex);
3218 		sport->sdev = sdev;
3219 		sport->port = i;
3220 		sport->port_attrib.srp_max_rdma_size = DEFAULT_MAX_RDMA_SIZE;
3221 		sport->port_attrib.srp_max_rsp_size = DEFAULT_MAX_RSP_SIZE;
3222 		sport->port_attrib.srp_sq_size = DEF_SRPT_SQ_SIZE;
3223 		sport->port_attrib.use_srq = false;
3224 		INIT_WORK(&sport->work, srpt_refresh_port_work);
3225 
3226 		ret = srpt_refresh_port(sport);
3227 		if (ret) {
3228 			pr_err("MAD registration failed for %s-%d.\n",
3229 			       dev_name(&sdev->device->dev), i);
3230 			i--;
3231 			goto err_port;
3232 		}
3233 	}
3234 
3235 	spin_lock(&srpt_dev_lock);
3236 	list_add_tail(&sdev->list, &srpt_dev_list);
3237 	spin_unlock(&srpt_dev_lock);
3238 
3239 	ib_set_client_data(device, &srpt_client, sdev);
3240 	pr_debug("added %s.\n", dev_name(&device->dev));
3241 	return 0;
3242 
3243 err_port:
3244 	srpt_unregister_mad_agent(sdev, i);
3245 	ib_unregister_event_handler(&sdev->event_handler);
3246 err_cm:
3247 	if (sdev->cm_id)
3248 		ib_destroy_cm_id(sdev->cm_id);
3249 err_ring:
3250 	srpt_free_srq(sdev);
3251 	ib_dealloc_pd(sdev->pd);
3252 free_dev:
3253 	srpt_sdev_put(sdev);
3254 	pr_info("%s(%s) failed.\n", __func__, dev_name(&device->dev));
3255 	return ret;
3256 }
3257 
3258 /**
3259  * srpt_remove_one - InfiniBand device removal callback function
3260  * @device: Describes a HCA.
3261  * @client_data: The value passed as the third argument to ib_set_client_data().
3262  */
3263 static void srpt_remove_one(struct ib_device *device, void *client_data)
3264 {
3265 	struct srpt_device *sdev = client_data;
3266 	int i;
3267 
3268 	srpt_unregister_mad_agent(sdev, sdev->device->phys_port_cnt);
3269 
3270 	ib_unregister_event_handler(&sdev->event_handler);
3271 
3272 	/* Cancel any work queued by the just unregistered IB event handler. */
3273 	for (i = 0; i < sdev->device->phys_port_cnt; i++)
3274 		cancel_work_sync(&sdev->port[i].work);
3275 
3276 	if (sdev->cm_id)
3277 		ib_destroy_cm_id(sdev->cm_id);
3278 
3279 	ib_set_client_data(device, &srpt_client, NULL);
3280 
3281 	/*
3282 	 * Unregistering a target must happen after destroying sdev->cm_id
3283 	 * such that no new SRP_LOGIN_REQ information units can arrive while
3284 	 * destroying the target.
3285 	 */
3286 	spin_lock(&srpt_dev_lock);
3287 	list_del(&sdev->list);
3288 	spin_unlock(&srpt_dev_lock);
3289 
3290 	for (i = 0; i < sdev->device->phys_port_cnt; i++)
3291 		srpt_release_sport(&sdev->port[i]);
3292 
3293 	srpt_free_srq(sdev);
3294 
3295 	ib_dealloc_pd(sdev->pd);
3296 
3297 	srpt_sdev_put(sdev);
3298 }
3299 
3300 static struct ib_client srpt_client = {
3301 	.name = DRV_NAME,
3302 	.add = srpt_add_one,
3303 	.remove = srpt_remove_one
3304 };
3305 
3306 static int srpt_check_true(struct se_portal_group *se_tpg)
3307 {
3308 	return 1;
3309 }
3310 
3311 static struct srpt_port *srpt_tpg_to_sport(struct se_portal_group *tpg)
3312 {
3313 	return tpg->se_tpg_wwn->priv;
3314 }
3315 
3316 static struct srpt_port_id *srpt_wwn_to_sport_id(struct se_wwn *wwn)
3317 {
3318 	struct srpt_port *sport = wwn->priv;
3319 
3320 	if (sport->guid_id && &sport->guid_id->wwn == wwn)
3321 		return sport->guid_id;
3322 	if (sport->gid_id && &sport->gid_id->wwn == wwn)
3323 		return sport->gid_id;
3324 	WARN_ON_ONCE(true);
3325 	return NULL;
3326 }
3327 
3328 static char *srpt_get_fabric_wwn(struct se_portal_group *tpg)
3329 {
3330 	struct srpt_tpg *stpg = container_of(tpg, typeof(*stpg), tpg);
3331 
3332 	return stpg->sport_id->name;
3333 }
3334 
3335 static u16 srpt_get_tag(struct se_portal_group *tpg)
3336 {
3337 	return 1;
3338 }
3339 
3340 static void srpt_release_cmd(struct se_cmd *se_cmd)
3341 {
3342 	struct srpt_send_ioctx *ioctx = container_of(se_cmd,
3343 				struct srpt_send_ioctx, cmd);
3344 	struct srpt_rdma_ch *ch = ioctx->ch;
3345 	struct srpt_recv_ioctx *recv_ioctx = ioctx->recv_ioctx;
3346 
3347 	WARN_ON_ONCE(ioctx->state != SRPT_STATE_DONE &&
3348 		     !(ioctx->cmd.transport_state & CMD_T_ABORTED));
3349 
3350 	if (recv_ioctx) {
3351 		WARN_ON_ONCE(!list_empty(&recv_ioctx->wait_list));
3352 		ioctx->recv_ioctx = NULL;
3353 		srpt_post_recv(ch->sport->sdev, ch, recv_ioctx);
3354 	}
3355 
3356 	if (ioctx->n_rw_ctx) {
3357 		srpt_free_rw_ctxs(ch, ioctx);
3358 		ioctx->n_rw_ctx = 0;
3359 	}
3360 
3361 	target_free_tag(se_cmd->se_sess, se_cmd);
3362 }
3363 
3364 /**
3365  * srpt_close_session - forcibly close a session
3366  * @se_sess: SCSI target session.
3367  *
3368  * Callback function invoked by the TCM core to clean up sessions associated
3369  * with a node ACL when the user invokes
3370  * rmdir /sys/kernel/config/target/$driver/$port/$tpg/acls/$i_port_id
3371  */
3372 static void srpt_close_session(struct se_session *se_sess)
3373 {
3374 	struct srpt_rdma_ch *ch = se_sess->fabric_sess_ptr;
3375 
3376 	srpt_disconnect_ch_sync(ch);
3377 }
3378 
3379 /* Note: only used from inside debug printk's by the TCM core. */
3380 static int srpt_get_tcm_cmd_state(struct se_cmd *se_cmd)
3381 {
3382 	struct srpt_send_ioctx *ioctx;
3383 
3384 	ioctx = container_of(se_cmd, struct srpt_send_ioctx, cmd);
3385 	return ioctx->state;
3386 }
3387 
3388 static int srpt_parse_guid(u64 *guid, const char *name)
3389 {
3390 	u16 w[4];
3391 	int ret = -EINVAL;
3392 
3393 	if (sscanf(name, "%hx:%hx:%hx:%hx", &w[0], &w[1], &w[2], &w[3]) != 4)
3394 		goto out;
3395 	*guid = get_unaligned_be64(w);
3396 	ret = 0;
3397 out:
3398 	return ret;
3399 }
3400 
3401 /**
3402  * srpt_parse_i_port_id - parse an initiator port ID
3403  * @name: ASCII representation of a 128-bit initiator port ID.
3404  * @i_port_id: Binary 128-bit port ID.
3405  */
3406 static int srpt_parse_i_port_id(u8 i_port_id[16], const char *name)
3407 {
3408 	const char *p;
3409 	unsigned len, count, leading_zero_bytes;
3410 	int ret;
3411 
3412 	p = name;
3413 	if (strncasecmp(p, "0x", 2) == 0)
3414 		p += 2;
3415 	ret = -EINVAL;
3416 	len = strlen(p);
3417 	if (len % 2)
3418 		goto out;
3419 	count = min(len / 2, 16U);
3420 	leading_zero_bytes = 16 - count;
3421 	memset(i_port_id, 0, leading_zero_bytes);
3422 	ret = hex2bin(i_port_id + leading_zero_bytes, p, count);
3423 
3424 out:
3425 	return ret;
3426 }
3427 
3428 /*
3429  * configfs callback function invoked for mkdir
3430  * /sys/kernel/config/target/$driver/$port/$tpg/acls/$i_port_id
3431  *
3432  * i_port_id must be an initiator port GUID, GID or IP address. See also the
3433  * target_alloc_session() calls in this driver. Examples of valid initiator
3434  * port IDs:
3435  * 0x0000000000000000505400fffe4a0b7b
3436  * 0000000000000000505400fffe4a0b7b
3437  * 5054:00ff:fe4a:0b7b
3438  * 192.168.122.76
3439  */
3440 static int srpt_init_nodeacl(struct se_node_acl *se_nacl, const char *name)
3441 {
3442 	struct sockaddr_storage sa;
3443 	u64 guid;
3444 	u8 i_port_id[16];
3445 	int ret;
3446 
3447 	ret = srpt_parse_guid(&guid, name);
3448 	if (ret < 0)
3449 		ret = srpt_parse_i_port_id(i_port_id, name);
3450 	if (ret < 0)
3451 		ret = inet_pton_with_scope(&init_net, AF_UNSPEC, name, NULL,
3452 					   &sa);
3453 	if (ret < 0)
3454 		pr_err("invalid initiator port ID %s\n", name);
3455 	return ret;
3456 }
3457 
3458 static ssize_t srpt_tpg_attrib_srp_max_rdma_size_show(struct config_item *item,
3459 		char *page)
3460 {
3461 	struct se_portal_group *se_tpg = attrib_to_tpg(item);
3462 	struct srpt_port *sport = srpt_tpg_to_sport(se_tpg);
3463 
3464 	return sysfs_emit(page, "%u\n", sport->port_attrib.srp_max_rdma_size);
3465 }
3466 
3467 static ssize_t srpt_tpg_attrib_srp_max_rdma_size_store(struct config_item *item,
3468 		const char *page, size_t count)
3469 {
3470 	struct se_portal_group *se_tpg = attrib_to_tpg(item);
3471 	struct srpt_port *sport = srpt_tpg_to_sport(se_tpg);
3472 	unsigned long val;
3473 	int ret;
3474 
3475 	ret = kstrtoul(page, 0, &val);
3476 	if (ret < 0) {
3477 		pr_err("kstrtoul() failed with ret: %d\n", ret);
3478 		return -EINVAL;
3479 	}
3480 	if (val > MAX_SRPT_RDMA_SIZE) {
3481 		pr_err("val: %lu exceeds MAX_SRPT_RDMA_SIZE: %d\n", val,
3482 			MAX_SRPT_RDMA_SIZE);
3483 		return -EINVAL;
3484 	}
3485 	if (val < DEFAULT_MAX_RDMA_SIZE) {
3486 		pr_err("val: %lu smaller than DEFAULT_MAX_RDMA_SIZE: %d\n",
3487 			val, DEFAULT_MAX_RDMA_SIZE);
3488 		return -EINVAL;
3489 	}
3490 	sport->port_attrib.srp_max_rdma_size = val;
3491 
3492 	return count;
3493 }
3494 
3495 static ssize_t srpt_tpg_attrib_srp_max_rsp_size_show(struct config_item *item,
3496 		char *page)
3497 {
3498 	struct se_portal_group *se_tpg = attrib_to_tpg(item);
3499 	struct srpt_port *sport = srpt_tpg_to_sport(se_tpg);
3500 
3501 	return sysfs_emit(page, "%u\n", sport->port_attrib.srp_max_rsp_size);
3502 }
3503 
3504 static ssize_t srpt_tpg_attrib_srp_max_rsp_size_store(struct config_item *item,
3505 		const char *page, size_t count)
3506 {
3507 	struct se_portal_group *se_tpg = attrib_to_tpg(item);
3508 	struct srpt_port *sport = srpt_tpg_to_sport(se_tpg);
3509 	unsigned long val;
3510 	int ret;
3511 
3512 	ret = kstrtoul(page, 0, &val);
3513 	if (ret < 0) {
3514 		pr_err("kstrtoul() failed with ret: %d\n", ret);
3515 		return -EINVAL;
3516 	}
3517 	if (val > MAX_SRPT_RSP_SIZE) {
3518 		pr_err("val: %lu exceeds MAX_SRPT_RSP_SIZE: %d\n", val,
3519 			MAX_SRPT_RSP_SIZE);
3520 		return -EINVAL;
3521 	}
3522 	if (val < MIN_MAX_RSP_SIZE) {
3523 		pr_err("val: %lu smaller than MIN_MAX_RSP_SIZE: %d\n", val,
3524 			MIN_MAX_RSP_SIZE);
3525 		return -EINVAL;
3526 	}
3527 	sport->port_attrib.srp_max_rsp_size = val;
3528 
3529 	return count;
3530 }
3531 
3532 static ssize_t srpt_tpg_attrib_srp_sq_size_show(struct config_item *item,
3533 		char *page)
3534 {
3535 	struct se_portal_group *se_tpg = attrib_to_tpg(item);
3536 	struct srpt_port *sport = srpt_tpg_to_sport(se_tpg);
3537 
3538 	return sysfs_emit(page, "%u\n", sport->port_attrib.srp_sq_size);
3539 }
3540 
3541 static ssize_t srpt_tpg_attrib_srp_sq_size_store(struct config_item *item,
3542 		const char *page, size_t count)
3543 {
3544 	struct se_portal_group *se_tpg = attrib_to_tpg(item);
3545 	struct srpt_port *sport = srpt_tpg_to_sport(se_tpg);
3546 	unsigned long val;
3547 	int ret;
3548 
3549 	ret = kstrtoul(page, 0, &val);
3550 	if (ret < 0) {
3551 		pr_err("kstrtoul() failed with ret: %d\n", ret);
3552 		return -EINVAL;
3553 	}
3554 	if (val > MAX_SRPT_SRQ_SIZE) {
3555 		pr_err("val: %lu exceeds MAX_SRPT_SRQ_SIZE: %d\n", val,
3556 			MAX_SRPT_SRQ_SIZE);
3557 		return -EINVAL;
3558 	}
3559 	if (val < MIN_SRPT_SRQ_SIZE) {
3560 		pr_err("val: %lu smaller than MIN_SRPT_SRQ_SIZE: %d\n", val,
3561 			MIN_SRPT_SRQ_SIZE);
3562 		return -EINVAL;
3563 	}
3564 	sport->port_attrib.srp_sq_size = val;
3565 
3566 	return count;
3567 }
3568 
3569 static ssize_t srpt_tpg_attrib_use_srq_show(struct config_item *item,
3570 					    char *page)
3571 {
3572 	struct se_portal_group *se_tpg = attrib_to_tpg(item);
3573 	struct srpt_port *sport = srpt_tpg_to_sport(se_tpg);
3574 
3575 	return sysfs_emit(page, "%d\n", sport->port_attrib.use_srq);
3576 }
3577 
3578 static ssize_t srpt_tpg_attrib_use_srq_store(struct config_item *item,
3579 					     const char *page, size_t count)
3580 {
3581 	struct se_portal_group *se_tpg = attrib_to_tpg(item);
3582 	struct srpt_port *sport = srpt_tpg_to_sport(se_tpg);
3583 	struct srpt_device *sdev = sport->sdev;
3584 	unsigned long val;
3585 	bool enabled;
3586 	int ret;
3587 
3588 	ret = kstrtoul(page, 0, &val);
3589 	if (ret < 0)
3590 		return ret;
3591 	if (val != !!val)
3592 		return -EINVAL;
3593 
3594 	ret = mutex_lock_interruptible(&sdev->sdev_mutex);
3595 	if (ret < 0)
3596 		return ret;
3597 	ret = mutex_lock_interruptible(&sport->mutex);
3598 	if (ret < 0)
3599 		goto unlock_sdev;
3600 	enabled = sport->enabled;
3601 	/* Log out all initiator systems before changing 'use_srq'. */
3602 	srpt_set_enabled(sport, false);
3603 	sport->port_attrib.use_srq = val;
3604 	srpt_use_srq(sdev, sport->port_attrib.use_srq);
3605 	srpt_set_enabled(sport, enabled);
3606 	ret = count;
3607 	mutex_unlock(&sport->mutex);
3608 unlock_sdev:
3609 	mutex_unlock(&sdev->sdev_mutex);
3610 
3611 	return ret;
3612 }
3613 
3614 CONFIGFS_ATTR(srpt_tpg_attrib_,  srp_max_rdma_size);
3615 CONFIGFS_ATTR(srpt_tpg_attrib_,  srp_max_rsp_size);
3616 CONFIGFS_ATTR(srpt_tpg_attrib_,  srp_sq_size);
3617 CONFIGFS_ATTR(srpt_tpg_attrib_,  use_srq);
3618 
3619 static struct configfs_attribute *srpt_tpg_attrib_attrs[] = {
3620 	&srpt_tpg_attrib_attr_srp_max_rdma_size,
3621 	&srpt_tpg_attrib_attr_srp_max_rsp_size,
3622 	&srpt_tpg_attrib_attr_srp_sq_size,
3623 	&srpt_tpg_attrib_attr_use_srq,
3624 	NULL,
3625 };
3626 
3627 static struct rdma_cm_id *srpt_create_rdma_id(struct sockaddr *listen_addr)
3628 {
3629 	struct rdma_cm_id *rdma_cm_id;
3630 	int ret;
3631 
3632 	rdma_cm_id = rdma_create_id(&init_net, srpt_rdma_cm_handler,
3633 				    NULL, RDMA_PS_TCP, IB_QPT_RC);
3634 	if (IS_ERR(rdma_cm_id)) {
3635 		pr_err("RDMA/CM ID creation failed: %ld\n",
3636 		       PTR_ERR(rdma_cm_id));
3637 		goto out;
3638 	}
3639 
3640 	ret = rdma_bind_addr(rdma_cm_id, listen_addr);
3641 	if (ret) {
3642 		char addr_str[64];
3643 
3644 		snprintf(addr_str, sizeof(addr_str), "%pISp", listen_addr);
3645 		pr_err("Binding RDMA/CM ID to address %s failed: %d\n",
3646 		       addr_str, ret);
3647 		rdma_destroy_id(rdma_cm_id);
3648 		rdma_cm_id = ERR_PTR(ret);
3649 		goto out;
3650 	}
3651 
3652 	ret = rdma_listen(rdma_cm_id, 128);
3653 	if (ret) {
3654 		pr_err("rdma_listen() failed: %d\n", ret);
3655 		rdma_destroy_id(rdma_cm_id);
3656 		rdma_cm_id = ERR_PTR(ret);
3657 	}
3658 
3659 out:
3660 	return rdma_cm_id;
3661 }
3662 
3663 static ssize_t srpt_rdma_cm_port_show(struct config_item *item, char *page)
3664 {
3665 	return sysfs_emit(page, "%d\n", rdma_cm_port);
3666 }
3667 
3668 static ssize_t srpt_rdma_cm_port_store(struct config_item *item,
3669 				       const char *page, size_t count)
3670 {
3671 	struct sockaddr_in  addr4 = { .sin_family  = AF_INET  };
3672 	struct sockaddr_in6 addr6 = { .sin6_family = AF_INET6 };
3673 	struct rdma_cm_id *new_id = NULL;
3674 	u16 val;
3675 	int ret;
3676 
3677 	ret = kstrtou16(page, 0, &val);
3678 	if (ret < 0)
3679 		return ret;
3680 	ret = count;
3681 	if (rdma_cm_port == val)
3682 		goto out;
3683 
3684 	if (val) {
3685 		addr6.sin6_port = cpu_to_be16(val);
3686 		new_id = srpt_create_rdma_id((struct sockaddr *)&addr6);
3687 		if (IS_ERR(new_id)) {
3688 			addr4.sin_port = cpu_to_be16(val);
3689 			new_id = srpt_create_rdma_id((struct sockaddr *)&addr4);
3690 			if (IS_ERR(new_id)) {
3691 				ret = PTR_ERR(new_id);
3692 				goto out;
3693 			}
3694 		}
3695 	}
3696 
3697 	mutex_lock(&rdma_cm_mutex);
3698 	rdma_cm_port = val;
3699 	swap(rdma_cm_id, new_id);
3700 	mutex_unlock(&rdma_cm_mutex);
3701 
3702 	if (new_id)
3703 		rdma_destroy_id(new_id);
3704 	ret = count;
3705 out:
3706 	return ret;
3707 }
3708 
3709 CONFIGFS_ATTR(srpt_, rdma_cm_port);
3710 
3711 static struct configfs_attribute *srpt_da_attrs[] = {
3712 	&srpt_attr_rdma_cm_port,
3713 	NULL,
3714 };
3715 
3716 static int srpt_enable_tpg(struct se_portal_group *se_tpg, bool enable)
3717 {
3718 	struct srpt_port *sport = srpt_tpg_to_sport(se_tpg);
3719 
3720 	mutex_lock(&sport->mutex);
3721 	srpt_set_enabled(sport, enable);
3722 	mutex_unlock(&sport->mutex);
3723 
3724 	return 0;
3725 }
3726 
3727 /**
3728  * srpt_make_tpg - configfs callback invoked for mkdir /sys/kernel/config/target/$driver/$port/$tpg
3729  * @wwn: Corresponds to $driver/$port.
3730  * @name: $tpg.
3731  */
3732 static struct se_portal_group *srpt_make_tpg(struct se_wwn *wwn,
3733 					     const char *name)
3734 {
3735 	struct srpt_port_id *sport_id = srpt_wwn_to_sport_id(wwn);
3736 	struct srpt_tpg *stpg;
3737 	int res = -ENOMEM;
3738 
3739 	stpg = kzalloc(sizeof(*stpg), GFP_KERNEL);
3740 	if (!stpg)
3741 		return ERR_PTR(res);
3742 	stpg->sport_id = sport_id;
3743 	res = core_tpg_register(wwn, &stpg->tpg, SCSI_PROTOCOL_SRP);
3744 	if (res) {
3745 		kfree(stpg);
3746 		return ERR_PTR(res);
3747 	}
3748 
3749 	mutex_lock(&sport_id->mutex);
3750 	list_add_tail(&stpg->entry, &sport_id->tpg_list);
3751 	mutex_unlock(&sport_id->mutex);
3752 
3753 	return &stpg->tpg;
3754 }
3755 
3756 /**
3757  * srpt_drop_tpg - configfs callback invoked for rmdir /sys/kernel/config/target/$driver/$port/$tpg
3758  * @tpg: Target portal group to deregister.
3759  */
3760 static void srpt_drop_tpg(struct se_portal_group *tpg)
3761 {
3762 	struct srpt_tpg *stpg = container_of(tpg, typeof(*stpg), tpg);
3763 	struct srpt_port_id *sport_id = stpg->sport_id;
3764 	struct srpt_port *sport = srpt_tpg_to_sport(tpg);
3765 
3766 	mutex_lock(&sport_id->mutex);
3767 	list_del(&stpg->entry);
3768 	mutex_unlock(&sport_id->mutex);
3769 
3770 	sport->enabled = false;
3771 	core_tpg_deregister(tpg);
3772 	kfree(stpg);
3773 }
3774 
3775 /**
3776  * srpt_make_tport - configfs callback invoked for mkdir /sys/kernel/config/target/$driver/$port
3777  * @tf: Not used.
3778  * @group: Not used.
3779  * @name: $port.
3780  */
3781 static struct se_wwn *srpt_make_tport(struct target_fabric_configfs *tf,
3782 				      struct config_group *group,
3783 				      const char *name)
3784 {
3785 	struct port_and_port_id papi = srpt_lookup_port(name);
3786 	struct srpt_port *sport = papi.sport;
3787 	struct srpt_port_id *port_id;
3788 
3789 	if (!papi.port_id)
3790 		return ERR_PTR(-EINVAL);
3791 	if (*papi.port_id) {
3792 		/* Attempt to create a directory that already exists. */
3793 		WARN_ON_ONCE(true);
3794 		return &(*papi.port_id)->wwn;
3795 	}
3796 	port_id = kzalloc(sizeof(*port_id), GFP_KERNEL);
3797 	if (!port_id) {
3798 		srpt_sdev_put(sport->sdev);
3799 		return ERR_PTR(-ENOMEM);
3800 	}
3801 	mutex_init(&port_id->mutex);
3802 	INIT_LIST_HEAD(&port_id->tpg_list);
3803 	port_id->wwn.priv = sport;
3804 	memcpy(port_id->name, port_id == sport->guid_id ? sport->guid_name :
3805 	       sport->gid_name, ARRAY_SIZE(port_id->name));
3806 
3807 	*papi.port_id = port_id;
3808 
3809 	return &port_id->wwn;
3810 }
3811 
3812 /**
3813  * srpt_drop_tport - configfs callback invoked for rmdir /sys/kernel/config/target/$driver/$port
3814  * @wwn: $port.
3815  */
3816 static void srpt_drop_tport(struct se_wwn *wwn)
3817 {
3818 	struct srpt_port_id *port_id = container_of(wwn, typeof(*port_id), wwn);
3819 	struct srpt_port *sport = wwn->priv;
3820 
3821 	if (sport->guid_id == port_id)
3822 		sport->guid_id = NULL;
3823 	else if (sport->gid_id == port_id)
3824 		sport->gid_id = NULL;
3825 	else
3826 		WARN_ON_ONCE(true);
3827 
3828 	srpt_sdev_put(sport->sdev);
3829 	kfree(port_id);
3830 }
3831 
3832 static ssize_t srpt_wwn_version_show(struct config_item *item, char *buf)
3833 {
3834 	return sysfs_emit(buf, "\n");
3835 }
3836 
3837 CONFIGFS_ATTR_RO(srpt_wwn_, version);
3838 
3839 static struct configfs_attribute *srpt_wwn_attrs[] = {
3840 	&srpt_wwn_attr_version,
3841 	NULL,
3842 };
3843 
3844 static const struct target_core_fabric_ops srpt_template = {
3845 	.module				= THIS_MODULE,
3846 	.fabric_name			= "srpt",
3847 	.tpg_get_wwn			= srpt_get_fabric_wwn,
3848 	.tpg_get_tag			= srpt_get_tag,
3849 	.tpg_check_demo_mode_cache	= srpt_check_true,
3850 	.tpg_check_demo_mode_write_protect = srpt_check_true,
3851 	.release_cmd			= srpt_release_cmd,
3852 	.check_stop_free		= srpt_check_stop_free,
3853 	.close_session			= srpt_close_session,
3854 	.sess_get_initiator_sid		= NULL,
3855 	.write_pending			= srpt_write_pending,
3856 	.get_cmd_state			= srpt_get_tcm_cmd_state,
3857 	.queue_data_in			= srpt_queue_data_in,
3858 	.queue_status			= srpt_queue_status,
3859 	.queue_tm_rsp			= srpt_queue_tm_rsp,
3860 	.aborted_task			= srpt_aborted_task,
3861 	/*
3862 	 * Setup function pointers for generic logic in
3863 	 * target_core_fabric_configfs.c
3864 	 */
3865 	.fabric_make_wwn		= srpt_make_tport,
3866 	.fabric_drop_wwn		= srpt_drop_tport,
3867 	.fabric_make_tpg		= srpt_make_tpg,
3868 	.fabric_enable_tpg		= srpt_enable_tpg,
3869 	.fabric_drop_tpg		= srpt_drop_tpg,
3870 	.fabric_init_nodeacl		= srpt_init_nodeacl,
3871 
3872 	.tfc_discovery_attrs		= srpt_da_attrs,
3873 	.tfc_wwn_attrs			= srpt_wwn_attrs,
3874 	.tfc_tpg_attrib_attrs		= srpt_tpg_attrib_attrs,
3875 };
3876 
3877 /**
3878  * srpt_init_module - kernel module initialization
3879  *
3880  * Note: Since ib_register_client() registers callback functions, and since at
3881  * least one of these callback functions (srpt_add_one()) calls target core
3882  * functions, this driver must be registered with the target core before
3883  * ib_register_client() is called.
3884  */
3885 static int __init srpt_init_module(void)
3886 {
3887 	int ret;
3888 
3889 	ret = -EINVAL;
3890 	if (srp_max_req_size < MIN_MAX_REQ_SIZE) {
3891 		pr_err("invalid value %d for kernel module parameter srp_max_req_size -- must be at least %d.\n",
3892 		       srp_max_req_size, MIN_MAX_REQ_SIZE);
3893 		goto out;
3894 	}
3895 
3896 	if (srpt_srq_size < MIN_SRPT_SRQ_SIZE
3897 	    || srpt_srq_size > MAX_SRPT_SRQ_SIZE) {
3898 		pr_err("invalid value %d for kernel module parameter srpt_srq_size -- must be in the range [%d..%d].\n",
3899 		       srpt_srq_size, MIN_SRPT_SRQ_SIZE, MAX_SRPT_SRQ_SIZE);
3900 		goto out;
3901 	}
3902 
3903 	ret = target_register_template(&srpt_template);
3904 	if (ret)
3905 		goto out;
3906 
3907 	ret = ib_register_client(&srpt_client);
3908 	if (ret) {
3909 		pr_err("couldn't register IB client\n");
3910 		goto out_unregister_target;
3911 	}
3912 
3913 	return 0;
3914 
3915 out_unregister_target:
3916 	target_unregister_template(&srpt_template);
3917 out:
3918 	return ret;
3919 }
3920 
3921 static void __exit srpt_cleanup_module(void)
3922 {
3923 	if (rdma_cm_id)
3924 		rdma_destroy_id(rdma_cm_id);
3925 	ib_unregister_client(&srpt_client);
3926 	target_unregister_template(&srpt_template);
3927 }
3928 
3929 module_init(srpt_init_module);
3930 module_exit(srpt_cleanup_module);
3931