1 /*
2  * Copyright (c) 2006 - 2009 Mellanox Technology Inc.  All rights reserved.
3  * Copyright (C) 2008 - 2011 Bart Van Assche <bvanassche@acm.org>.
4  *
5  * This software is available to you under a choice of one of two
6  * licenses.  You may choose to be licensed under the terms of the GNU
7  * General Public License (GPL) Version 2, available from the file
8  * COPYING in the main directory of this source tree, or the
9  * OpenIB.org BSD license below:
10  *
11  *     Redistribution and use in source and binary forms, with or
12  *     without modification, are permitted provided that the following
13  *     conditions are met:
14  *
15  *      - Redistributions of source code must retain the above
16  *        copyright notice, this list of conditions and the following
17  *        disclaimer.
18  *
19  *      - Redistributions in binary form must reproduce the above
20  *        copyright notice, this list of conditions and the following
21  *        disclaimer in the documentation and/or other materials
22  *        provided with the distribution.
23  *
24  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
25  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
26  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
27  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
28  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
29  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
30  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
31  * SOFTWARE.
32  *
33  */
34 
35 #include <linux/module.h>
36 #include <linux/init.h>
37 #include <linux/slab.h>
38 #include <linux/err.h>
39 #include <linux/ctype.h>
40 #include <linux/kthread.h>
41 #include <linux/string.h>
42 #include <linux/delay.h>
43 #include <linux/atomic.h>
44 #include <scsi/scsi_proto.h>
45 #include <scsi/scsi_tcq.h>
46 #include <target/configfs_macros.h>
47 #include <target/target_core_base.h>
48 #include <target/target_core_fabric_configfs.h>
49 #include <target/target_core_fabric.h>
50 #include "ib_srpt.h"
51 
52 /* Name of this kernel module. */
53 #define DRV_NAME		"ib_srpt"
54 #define DRV_VERSION		"2.0.0"
55 #define DRV_RELDATE		"2011-02-14"
56 
57 #define SRPT_ID_STRING	"Linux SRP target"
58 
59 #undef pr_fmt
60 #define pr_fmt(fmt) DRV_NAME " " fmt
61 
62 MODULE_AUTHOR("Vu Pham and Bart Van Assche");
63 MODULE_DESCRIPTION("InfiniBand SCSI RDMA Protocol target "
64 		   "v" DRV_VERSION " (" DRV_RELDATE ")");
65 MODULE_LICENSE("Dual BSD/GPL");
66 
67 /*
68  * Global Variables
69  */
70 
71 static u64 srpt_service_guid;
72 static DEFINE_SPINLOCK(srpt_dev_lock);	/* Protects srpt_dev_list. */
73 static LIST_HEAD(srpt_dev_list);	/* List of srpt_device structures. */
74 
75 static unsigned srp_max_req_size = DEFAULT_MAX_REQ_SIZE;
76 module_param(srp_max_req_size, int, 0444);
77 MODULE_PARM_DESC(srp_max_req_size,
78 		 "Maximum size of SRP request messages in bytes.");
79 
80 static int srpt_srq_size = DEFAULT_SRPT_SRQ_SIZE;
81 module_param(srpt_srq_size, int, 0444);
82 MODULE_PARM_DESC(srpt_srq_size,
83 		 "Shared receive queue (SRQ) size.");
84 
85 static int srpt_get_u64_x(char *buffer, struct kernel_param *kp)
86 {
87 	return sprintf(buffer, "0x%016llx", *(u64 *)kp->arg);
88 }
89 module_param_call(srpt_service_guid, NULL, srpt_get_u64_x, &srpt_service_guid,
90 		  0444);
91 MODULE_PARM_DESC(srpt_service_guid,
92 		 "Using this value for ioc_guid, id_ext, and cm_listen_id"
93 		 " instead of using the node_guid of the first HCA.");
94 
95 static struct ib_client srpt_client;
96 static void srpt_release_channel(struct srpt_rdma_ch *ch);
97 static int srpt_queue_status(struct se_cmd *cmd);
98 
99 /**
100  * opposite_dma_dir() - Swap DMA_TO_DEVICE and DMA_FROM_DEVICE.
101  */
102 static inline
103 enum dma_data_direction opposite_dma_dir(enum dma_data_direction dir)
104 {
105 	switch (dir) {
106 	case DMA_TO_DEVICE:	return DMA_FROM_DEVICE;
107 	case DMA_FROM_DEVICE:	return DMA_TO_DEVICE;
108 	default:		return dir;
109 	}
110 }
111 
112 /**
113  * srpt_sdev_name() - Return the name associated with the HCA.
114  *
115  * Examples are ib0, ib1, ...
116  */
117 static inline const char *srpt_sdev_name(struct srpt_device *sdev)
118 {
119 	return sdev->device->name;
120 }
121 
122 static enum rdma_ch_state srpt_get_ch_state(struct srpt_rdma_ch *ch)
123 {
124 	unsigned long flags;
125 	enum rdma_ch_state state;
126 
127 	spin_lock_irqsave(&ch->spinlock, flags);
128 	state = ch->state;
129 	spin_unlock_irqrestore(&ch->spinlock, flags);
130 	return state;
131 }
132 
133 static enum rdma_ch_state
134 srpt_set_ch_state(struct srpt_rdma_ch *ch, enum rdma_ch_state new_state)
135 {
136 	unsigned long flags;
137 	enum rdma_ch_state prev;
138 
139 	spin_lock_irqsave(&ch->spinlock, flags);
140 	prev = ch->state;
141 	ch->state = new_state;
142 	spin_unlock_irqrestore(&ch->spinlock, flags);
143 	return prev;
144 }
145 
146 /**
147  * srpt_test_and_set_ch_state() - Test and set the channel state.
148  *
149  * Returns true if and only if the channel state has been set to the new state.
150  */
151 static bool
152 srpt_test_and_set_ch_state(struct srpt_rdma_ch *ch, enum rdma_ch_state old,
153 			   enum rdma_ch_state new)
154 {
155 	unsigned long flags;
156 	enum rdma_ch_state prev;
157 
158 	spin_lock_irqsave(&ch->spinlock, flags);
159 	prev = ch->state;
160 	if (prev == old)
161 		ch->state = new;
162 	spin_unlock_irqrestore(&ch->spinlock, flags);
163 	return prev == old;
164 }
165 
166 /**
167  * srpt_event_handler() - Asynchronous IB event callback function.
168  *
169  * Callback function called by the InfiniBand core when an asynchronous IB
170  * event occurs. This callback may occur in interrupt context. See also
171  * section 11.5.2, Set Asynchronous Event Handler in the InfiniBand
172  * Architecture Specification.
173  */
174 static void srpt_event_handler(struct ib_event_handler *handler,
175 			       struct ib_event *event)
176 {
177 	struct srpt_device *sdev;
178 	struct srpt_port *sport;
179 
180 	sdev = ib_get_client_data(event->device, &srpt_client);
181 	if (!sdev || sdev->device != event->device)
182 		return;
183 
184 	pr_debug("ASYNC event= %d on device= %s\n", event->event,
185 		 srpt_sdev_name(sdev));
186 
187 	switch (event->event) {
188 	case IB_EVENT_PORT_ERR:
189 		if (event->element.port_num <= sdev->device->phys_port_cnt) {
190 			sport = &sdev->port[event->element.port_num - 1];
191 			sport->lid = 0;
192 			sport->sm_lid = 0;
193 		}
194 		break;
195 	case IB_EVENT_PORT_ACTIVE:
196 	case IB_EVENT_LID_CHANGE:
197 	case IB_EVENT_PKEY_CHANGE:
198 	case IB_EVENT_SM_CHANGE:
199 	case IB_EVENT_CLIENT_REREGISTER:
200 	case IB_EVENT_GID_CHANGE:
201 		/* Refresh port data asynchronously. */
202 		if (event->element.port_num <= sdev->device->phys_port_cnt) {
203 			sport = &sdev->port[event->element.port_num - 1];
204 			if (!sport->lid && !sport->sm_lid)
205 				schedule_work(&sport->work);
206 		}
207 		break;
208 	default:
209 		pr_err("received unrecognized IB event %d\n",
210 		       event->event);
211 		break;
212 	}
213 }
214 
215 /**
216  * srpt_srq_event() - SRQ event callback function.
217  */
218 static void srpt_srq_event(struct ib_event *event, void *ctx)
219 {
220 	pr_info("SRQ event %d\n", event->event);
221 }
222 
223 /**
224  * srpt_qp_event() - QP event callback function.
225  */
226 static void srpt_qp_event(struct ib_event *event, struct srpt_rdma_ch *ch)
227 {
228 	pr_debug("QP event %d on cm_id=%p sess_name=%s state=%d\n",
229 		 event->event, ch->cm_id, ch->sess_name, srpt_get_ch_state(ch));
230 
231 	switch (event->event) {
232 	case IB_EVENT_COMM_EST:
233 		ib_cm_notify(ch->cm_id, event->event);
234 		break;
235 	case IB_EVENT_QP_LAST_WQE_REACHED:
236 		if (srpt_test_and_set_ch_state(ch, CH_DRAINING,
237 					       CH_RELEASING))
238 			srpt_release_channel(ch);
239 		else
240 			pr_debug("%s: state %d - ignored LAST_WQE.\n",
241 				 ch->sess_name, srpt_get_ch_state(ch));
242 		break;
243 	default:
244 		pr_err("received unrecognized IB QP event %d\n", event->event);
245 		break;
246 	}
247 }
248 
249 /**
250  * srpt_set_ioc() - Helper function for initializing an IOUnitInfo structure.
251  *
252  * @slot: one-based slot number.
253  * @value: four-bit value.
254  *
255  * Copies the lowest four bits of value in element slot of the array of four
256  * bit elements called c_list (controller list). The index slot is one-based.
257  */
258 static void srpt_set_ioc(u8 *c_list, u32 slot, u8 value)
259 {
260 	u16 id;
261 	u8 tmp;
262 
263 	id = (slot - 1) / 2;
264 	if (slot & 0x1) {
265 		tmp = c_list[id] & 0xf;
266 		c_list[id] = (value << 4) | tmp;
267 	} else {
268 		tmp = c_list[id] & 0xf0;
269 		c_list[id] = (value & 0xf) | tmp;
270 	}
271 }
272 
273 /**
274  * srpt_get_class_port_info() - Copy ClassPortInfo to a management datagram.
275  *
276  * See also section 16.3.3.1 ClassPortInfo in the InfiniBand Architecture
277  * Specification.
278  */
279 static void srpt_get_class_port_info(struct ib_dm_mad *mad)
280 {
281 	struct ib_class_port_info *cif;
282 
283 	cif = (struct ib_class_port_info *)mad->data;
284 	memset(cif, 0, sizeof *cif);
285 	cif->base_version = 1;
286 	cif->class_version = 1;
287 	cif->resp_time_value = 20;
288 
289 	mad->mad_hdr.status = 0;
290 }
291 
292 /**
293  * srpt_get_iou() - Write IOUnitInfo to a management datagram.
294  *
295  * See also section 16.3.3.3 IOUnitInfo in the InfiniBand Architecture
296  * Specification. See also section B.7, table B.6 in the SRP r16a document.
297  */
298 static void srpt_get_iou(struct ib_dm_mad *mad)
299 {
300 	struct ib_dm_iou_info *ioui;
301 	u8 slot;
302 	int i;
303 
304 	ioui = (struct ib_dm_iou_info *)mad->data;
305 	ioui->change_id = cpu_to_be16(1);
306 	ioui->max_controllers = 16;
307 
308 	/* set present for slot 1 and empty for the rest */
309 	srpt_set_ioc(ioui->controller_list, 1, 1);
310 	for (i = 1, slot = 2; i < 16; i++, slot++)
311 		srpt_set_ioc(ioui->controller_list, slot, 0);
312 
313 	mad->mad_hdr.status = 0;
314 }
315 
316 /**
317  * srpt_get_ioc() - Write IOControllerprofile to a management datagram.
318  *
319  * See also section 16.3.3.4 IOControllerProfile in the InfiniBand
320  * Architecture Specification. See also section B.7, table B.7 in the SRP
321  * r16a document.
322  */
323 static void srpt_get_ioc(struct srpt_port *sport, u32 slot,
324 			 struct ib_dm_mad *mad)
325 {
326 	struct srpt_device *sdev = sport->sdev;
327 	struct ib_dm_ioc_profile *iocp;
328 
329 	iocp = (struct ib_dm_ioc_profile *)mad->data;
330 
331 	if (!slot || slot > 16) {
332 		mad->mad_hdr.status
333 			= cpu_to_be16(DM_MAD_STATUS_INVALID_FIELD);
334 		return;
335 	}
336 
337 	if (slot > 2) {
338 		mad->mad_hdr.status
339 			= cpu_to_be16(DM_MAD_STATUS_NO_IOC);
340 		return;
341 	}
342 
343 	memset(iocp, 0, sizeof *iocp);
344 	strcpy(iocp->id_string, SRPT_ID_STRING);
345 	iocp->guid = cpu_to_be64(srpt_service_guid);
346 	iocp->vendor_id = cpu_to_be32(sdev->dev_attr.vendor_id);
347 	iocp->device_id = cpu_to_be32(sdev->dev_attr.vendor_part_id);
348 	iocp->device_version = cpu_to_be16(sdev->dev_attr.hw_ver);
349 	iocp->subsys_vendor_id = cpu_to_be32(sdev->dev_attr.vendor_id);
350 	iocp->subsys_device_id = 0x0;
351 	iocp->io_class = cpu_to_be16(SRP_REV16A_IB_IO_CLASS);
352 	iocp->io_subclass = cpu_to_be16(SRP_IO_SUBCLASS);
353 	iocp->protocol = cpu_to_be16(SRP_PROTOCOL);
354 	iocp->protocol_version = cpu_to_be16(SRP_PROTOCOL_VERSION);
355 	iocp->send_queue_depth = cpu_to_be16(sdev->srq_size);
356 	iocp->rdma_read_depth = 4;
357 	iocp->send_size = cpu_to_be32(srp_max_req_size);
358 	iocp->rdma_size = cpu_to_be32(min(sport->port_attrib.srp_max_rdma_size,
359 					  1U << 24));
360 	iocp->num_svc_entries = 1;
361 	iocp->op_cap_mask = SRP_SEND_TO_IOC | SRP_SEND_FROM_IOC |
362 		SRP_RDMA_READ_FROM_IOC | SRP_RDMA_WRITE_FROM_IOC;
363 
364 	mad->mad_hdr.status = 0;
365 }
366 
367 /**
368  * srpt_get_svc_entries() - Write ServiceEntries to a management datagram.
369  *
370  * See also section 16.3.3.5 ServiceEntries in the InfiniBand Architecture
371  * Specification. See also section B.7, table B.8 in the SRP r16a document.
372  */
373 static void srpt_get_svc_entries(u64 ioc_guid,
374 				 u16 slot, u8 hi, u8 lo, struct ib_dm_mad *mad)
375 {
376 	struct ib_dm_svc_entries *svc_entries;
377 
378 	WARN_ON(!ioc_guid);
379 
380 	if (!slot || slot > 16) {
381 		mad->mad_hdr.status
382 			= cpu_to_be16(DM_MAD_STATUS_INVALID_FIELD);
383 		return;
384 	}
385 
386 	if (slot > 2 || lo > hi || hi > 1) {
387 		mad->mad_hdr.status
388 			= cpu_to_be16(DM_MAD_STATUS_NO_IOC);
389 		return;
390 	}
391 
392 	svc_entries = (struct ib_dm_svc_entries *)mad->data;
393 	memset(svc_entries, 0, sizeof *svc_entries);
394 	svc_entries->service_entries[0].id = cpu_to_be64(ioc_guid);
395 	snprintf(svc_entries->service_entries[0].name,
396 		 sizeof(svc_entries->service_entries[0].name),
397 		 "%s%016llx",
398 		 SRP_SERVICE_NAME_PREFIX,
399 		 ioc_guid);
400 
401 	mad->mad_hdr.status = 0;
402 }
403 
404 /**
405  * srpt_mgmt_method_get() - Process a received management datagram.
406  * @sp:      source port through which the MAD has been received.
407  * @rq_mad:  received MAD.
408  * @rsp_mad: response MAD.
409  */
410 static void srpt_mgmt_method_get(struct srpt_port *sp, struct ib_mad *rq_mad,
411 				 struct ib_dm_mad *rsp_mad)
412 {
413 	u16 attr_id;
414 	u32 slot;
415 	u8 hi, lo;
416 
417 	attr_id = be16_to_cpu(rq_mad->mad_hdr.attr_id);
418 	switch (attr_id) {
419 	case DM_ATTR_CLASS_PORT_INFO:
420 		srpt_get_class_port_info(rsp_mad);
421 		break;
422 	case DM_ATTR_IOU_INFO:
423 		srpt_get_iou(rsp_mad);
424 		break;
425 	case DM_ATTR_IOC_PROFILE:
426 		slot = be32_to_cpu(rq_mad->mad_hdr.attr_mod);
427 		srpt_get_ioc(sp, slot, rsp_mad);
428 		break;
429 	case DM_ATTR_SVC_ENTRIES:
430 		slot = be32_to_cpu(rq_mad->mad_hdr.attr_mod);
431 		hi = (u8) ((slot >> 8) & 0xff);
432 		lo = (u8) (slot & 0xff);
433 		slot = (u16) ((slot >> 16) & 0xffff);
434 		srpt_get_svc_entries(srpt_service_guid,
435 				     slot, hi, lo, rsp_mad);
436 		break;
437 	default:
438 		rsp_mad->mad_hdr.status =
439 		    cpu_to_be16(DM_MAD_STATUS_UNSUP_METHOD_ATTR);
440 		break;
441 	}
442 }
443 
444 /**
445  * srpt_mad_send_handler() - Post MAD-send callback function.
446  */
447 static void srpt_mad_send_handler(struct ib_mad_agent *mad_agent,
448 				  struct ib_mad_send_wc *mad_wc)
449 {
450 	ib_destroy_ah(mad_wc->send_buf->ah);
451 	ib_free_send_mad(mad_wc->send_buf);
452 }
453 
454 /**
455  * srpt_mad_recv_handler() - MAD reception callback function.
456  */
457 static void srpt_mad_recv_handler(struct ib_mad_agent *mad_agent,
458 				  struct ib_mad_recv_wc *mad_wc)
459 {
460 	struct srpt_port *sport = (struct srpt_port *)mad_agent->context;
461 	struct ib_ah *ah;
462 	struct ib_mad_send_buf *rsp;
463 	struct ib_dm_mad *dm_mad;
464 
465 	if (!mad_wc || !mad_wc->recv_buf.mad)
466 		return;
467 
468 	ah = ib_create_ah_from_wc(mad_agent->qp->pd, mad_wc->wc,
469 				  mad_wc->recv_buf.grh, mad_agent->port_num);
470 	if (IS_ERR(ah))
471 		goto err;
472 
473 	BUILD_BUG_ON(offsetof(struct ib_dm_mad, data) != IB_MGMT_DEVICE_HDR);
474 
475 	rsp = ib_create_send_mad(mad_agent, mad_wc->wc->src_qp,
476 				 mad_wc->wc->pkey_index, 0,
477 				 IB_MGMT_DEVICE_HDR, IB_MGMT_DEVICE_DATA,
478 				 GFP_KERNEL,
479 				 IB_MGMT_BASE_VERSION);
480 	if (IS_ERR(rsp))
481 		goto err_rsp;
482 
483 	rsp->ah = ah;
484 
485 	dm_mad = rsp->mad;
486 	memcpy(dm_mad, mad_wc->recv_buf.mad, sizeof *dm_mad);
487 	dm_mad->mad_hdr.method = IB_MGMT_METHOD_GET_RESP;
488 	dm_mad->mad_hdr.status = 0;
489 
490 	switch (mad_wc->recv_buf.mad->mad_hdr.method) {
491 	case IB_MGMT_METHOD_GET:
492 		srpt_mgmt_method_get(sport, mad_wc->recv_buf.mad, dm_mad);
493 		break;
494 	case IB_MGMT_METHOD_SET:
495 		dm_mad->mad_hdr.status =
496 		    cpu_to_be16(DM_MAD_STATUS_UNSUP_METHOD_ATTR);
497 		break;
498 	default:
499 		dm_mad->mad_hdr.status =
500 		    cpu_to_be16(DM_MAD_STATUS_UNSUP_METHOD);
501 		break;
502 	}
503 
504 	if (!ib_post_send_mad(rsp, NULL)) {
505 		ib_free_recv_mad(mad_wc);
506 		/* will destroy_ah & free_send_mad in send completion */
507 		return;
508 	}
509 
510 	ib_free_send_mad(rsp);
511 
512 err_rsp:
513 	ib_destroy_ah(ah);
514 err:
515 	ib_free_recv_mad(mad_wc);
516 }
517 
518 /**
519  * srpt_refresh_port() - Configure a HCA port.
520  *
521  * Enable InfiniBand management datagram processing, update the cached sm_lid,
522  * lid and gid values, and register a callback function for processing MADs
523  * on the specified port.
524  *
525  * Note: It is safe to call this function more than once for the same port.
526  */
527 static int srpt_refresh_port(struct srpt_port *sport)
528 {
529 	struct ib_mad_reg_req reg_req;
530 	struct ib_port_modify port_modify;
531 	struct ib_port_attr port_attr;
532 	int ret;
533 
534 	memset(&port_modify, 0, sizeof port_modify);
535 	port_modify.set_port_cap_mask = IB_PORT_DEVICE_MGMT_SUP;
536 	port_modify.clr_port_cap_mask = 0;
537 
538 	ret = ib_modify_port(sport->sdev->device, sport->port, 0, &port_modify);
539 	if (ret)
540 		goto err_mod_port;
541 
542 	ret = ib_query_port(sport->sdev->device, sport->port, &port_attr);
543 	if (ret)
544 		goto err_query_port;
545 
546 	sport->sm_lid = port_attr.sm_lid;
547 	sport->lid = port_attr.lid;
548 
549 	ret = ib_query_gid(sport->sdev->device, sport->port, 0, &sport->gid);
550 	if (ret)
551 		goto err_query_port;
552 
553 	if (!sport->mad_agent) {
554 		memset(&reg_req, 0, sizeof reg_req);
555 		reg_req.mgmt_class = IB_MGMT_CLASS_DEVICE_MGMT;
556 		reg_req.mgmt_class_version = IB_MGMT_BASE_VERSION;
557 		set_bit(IB_MGMT_METHOD_GET, reg_req.method_mask);
558 		set_bit(IB_MGMT_METHOD_SET, reg_req.method_mask);
559 
560 		sport->mad_agent = ib_register_mad_agent(sport->sdev->device,
561 							 sport->port,
562 							 IB_QPT_GSI,
563 							 &reg_req, 0,
564 							 srpt_mad_send_handler,
565 							 srpt_mad_recv_handler,
566 							 sport, 0);
567 		if (IS_ERR(sport->mad_agent)) {
568 			ret = PTR_ERR(sport->mad_agent);
569 			sport->mad_agent = NULL;
570 			goto err_query_port;
571 		}
572 	}
573 
574 	return 0;
575 
576 err_query_port:
577 
578 	port_modify.set_port_cap_mask = 0;
579 	port_modify.clr_port_cap_mask = IB_PORT_DEVICE_MGMT_SUP;
580 	ib_modify_port(sport->sdev->device, sport->port, 0, &port_modify);
581 
582 err_mod_port:
583 
584 	return ret;
585 }
586 
587 /**
588  * srpt_unregister_mad_agent() - Unregister MAD callback functions.
589  *
590  * Note: It is safe to call this function more than once for the same device.
591  */
592 static void srpt_unregister_mad_agent(struct srpt_device *sdev)
593 {
594 	struct ib_port_modify port_modify = {
595 		.clr_port_cap_mask = IB_PORT_DEVICE_MGMT_SUP,
596 	};
597 	struct srpt_port *sport;
598 	int i;
599 
600 	for (i = 1; i <= sdev->device->phys_port_cnt; i++) {
601 		sport = &sdev->port[i - 1];
602 		WARN_ON(sport->port != i);
603 		if (ib_modify_port(sdev->device, i, 0, &port_modify) < 0)
604 			pr_err("disabling MAD processing failed.\n");
605 		if (sport->mad_agent) {
606 			ib_unregister_mad_agent(sport->mad_agent);
607 			sport->mad_agent = NULL;
608 		}
609 	}
610 }
611 
612 /**
613  * srpt_alloc_ioctx() - Allocate an SRPT I/O context structure.
614  */
615 static struct srpt_ioctx *srpt_alloc_ioctx(struct srpt_device *sdev,
616 					   int ioctx_size, int dma_size,
617 					   enum dma_data_direction dir)
618 {
619 	struct srpt_ioctx *ioctx;
620 
621 	ioctx = kmalloc(ioctx_size, GFP_KERNEL);
622 	if (!ioctx)
623 		goto err;
624 
625 	ioctx->buf = kmalloc(dma_size, GFP_KERNEL);
626 	if (!ioctx->buf)
627 		goto err_free_ioctx;
628 
629 	ioctx->dma = ib_dma_map_single(sdev->device, ioctx->buf, dma_size, dir);
630 	if (ib_dma_mapping_error(sdev->device, ioctx->dma))
631 		goto err_free_buf;
632 
633 	return ioctx;
634 
635 err_free_buf:
636 	kfree(ioctx->buf);
637 err_free_ioctx:
638 	kfree(ioctx);
639 err:
640 	return NULL;
641 }
642 
643 /**
644  * srpt_free_ioctx() - Free an SRPT I/O context structure.
645  */
646 static void srpt_free_ioctx(struct srpt_device *sdev, struct srpt_ioctx *ioctx,
647 			    int dma_size, enum dma_data_direction dir)
648 {
649 	if (!ioctx)
650 		return;
651 
652 	ib_dma_unmap_single(sdev->device, ioctx->dma, dma_size, dir);
653 	kfree(ioctx->buf);
654 	kfree(ioctx);
655 }
656 
657 /**
658  * srpt_alloc_ioctx_ring() - Allocate a ring of SRPT I/O context structures.
659  * @sdev:       Device to allocate the I/O context ring for.
660  * @ring_size:  Number of elements in the I/O context ring.
661  * @ioctx_size: I/O context size.
662  * @dma_size:   DMA buffer size.
663  * @dir:        DMA data direction.
664  */
665 static struct srpt_ioctx **srpt_alloc_ioctx_ring(struct srpt_device *sdev,
666 				int ring_size, int ioctx_size,
667 				int dma_size, enum dma_data_direction dir)
668 {
669 	struct srpt_ioctx **ring;
670 	int i;
671 
672 	WARN_ON(ioctx_size != sizeof(struct srpt_recv_ioctx)
673 		&& ioctx_size != sizeof(struct srpt_send_ioctx));
674 
675 	ring = kmalloc(ring_size * sizeof(ring[0]), GFP_KERNEL);
676 	if (!ring)
677 		goto out;
678 	for (i = 0; i < ring_size; ++i) {
679 		ring[i] = srpt_alloc_ioctx(sdev, ioctx_size, dma_size, dir);
680 		if (!ring[i])
681 			goto err;
682 		ring[i]->index = i;
683 	}
684 	goto out;
685 
686 err:
687 	while (--i >= 0)
688 		srpt_free_ioctx(sdev, ring[i], dma_size, dir);
689 	kfree(ring);
690 	ring = NULL;
691 out:
692 	return ring;
693 }
694 
695 /**
696  * srpt_free_ioctx_ring() - Free the ring of SRPT I/O context structures.
697  */
698 static void srpt_free_ioctx_ring(struct srpt_ioctx **ioctx_ring,
699 				 struct srpt_device *sdev, int ring_size,
700 				 int dma_size, enum dma_data_direction dir)
701 {
702 	int i;
703 
704 	for (i = 0; i < ring_size; ++i)
705 		srpt_free_ioctx(sdev, ioctx_ring[i], dma_size, dir);
706 	kfree(ioctx_ring);
707 }
708 
709 /**
710  * srpt_get_cmd_state() - Get the state of a SCSI command.
711  */
712 static enum srpt_command_state srpt_get_cmd_state(struct srpt_send_ioctx *ioctx)
713 {
714 	enum srpt_command_state state;
715 	unsigned long flags;
716 
717 	BUG_ON(!ioctx);
718 
719 	spin_lock_irqsave(&ioctx->spinlock, flags);
720 	state = ioctx->state;
721 	spin_unlock_irqrestore(&ioctx->spinlock, flags);
722 	return state;
723 }
724 
725 /**
726  * srpt_set_cmd_state() - Set the state of a SCSI command.
727  *
728  * Does not modify the state of aborted commands. Returns the previous command
729  * state.
730  */
731 static enum srpt_command_state srpt_set_cmd_state(struct srpt_send_ioctx *ioctx,
732 						  enum srpt_command_state new)
733 {
734 	enum srpt_command_state previous;
735 	unsigned long flags;
736 
737 	BUG_ON(!ioctx);
738 
739 	spin_lock_irqsave(&ioctx->spinlock, flags);
740 	previous = ioctx->state;
741 	if (previous != SRPT_STATE_DONE)
742 		ioctx->state = new;
743 	spin_unlock_irqrestore(&ioctx->spinlock, flags);
744 
745 	return previous;
746 }
747 
748 /**
749  * srpt_test_and_set_cmd_state() - Test and set the state of a command.
750  *
751  * Returns true if and only if the previous command state was equal to 'old'.
752  */
753 static bool srpt_test_and_set_cmd_state(struct srpt_send_ioctx *ioctx,
754 					enum srpt_command_state old,
755 					enum srpt_command_state new)
756 {
757 	enum srpt_command_state previous;
758 	unsigned long flags;
759 
760 	WARN_ON(!ioctx);
761 	WARN_ON(old == SRPT_STATE_DONE);
762 	WARN_ON(new == SRPT_STATE_NEW);
763 
764 	spin_lock_irqsave(&ioctx->spinlock, flags);
765 	previous = ioctx->state;
766 	if (previous == old)
767 		ioctx->state = new;
768 	spin_unlock_irqrestore(&ioctx->spinlock, flags);
769 	return previous == old;
770 }
771 
772 /**
773  * srpt_post_recv() - Post an IB receive request.
774  */
775 static int srpt_post_recv(struct srpt_device *sdev,
776 			  struct srpt_recv_ioctx *ioctx)
777 {
778 	struct ib_sge list;
779 	struct ib_recv_wr wr, *bad_wr;
780 
781 	BUG_ON(!sdev);
782 	wr.wr_id = encode_wr_id(SRPT_RECV, ioctx->ioctx.index);
783 
784 	list.addr = ioctx->ioctx.dma;
785 	list.length = srp_max_req_size;
786 	list.lkey = sdev->pd->local_dma_lkey;
787 
788 	wr.next = NULL;
789 	wr.sg_list = &list;
790 	wr.num_sge = 1;
791 
792 	return ib_post_srq_recv(sdev->srq, &wr, &bad_wr);
793 }
794 
795 /**
796  * srpt_post_send() - Post an IB send request.
797  *
798  * Returns zero upon success and a non-zero value upon failure.
799  */
800 static int srpt_post_send(struct srpt_rdma_ch *ch,
801 			  struct srpt_send_ioctx *ioctx, int len)
802 {
803 	struct ib_sge list;
804 	struct ib_send_wr wr, *bad_wr;
805 	struct srpt_device *sdev = ch->sport->sdev;
806 	int ret;
807 
808 	atomic_inc(&ch->req_lim);
809 
810 	ret = -ENOMEM;
811 	if (unlikely(atomic_dec_return(&ch->sq_wr_avail) < 0)) {
812 		pr_warn("IB send queue full (needed 1)\n");
813 		goto out;
814 	}
815 
816 	ib_dma_sync_single_for_device(sdev->device, ioctx->ioctx.dma, len,
817 				      DMA_TO_DEVICE);
818 
819 	list.addr = ioctx->ioctx.dma;
820 	list.length = len;
821 	list.lkey = sdev->pd->local_dma_lkey;
822 
823 	wr.next = NULL;
824 	wr.wr_id = encode_wr_id(SRPT_SEND, ioctx->ioctx.index);
825 	wr.sg_list = &list;
826 	wr.num_sge = 1;
827 	wr.opcode = IB_WR_SEND;
828 	wr.send_flags = IB_SEND_SIGNALED;
829 
830 	ret = ib_post_send(ch->qp, &wr, &bad_wr);
831 
832 out:
833 	if (ret < 0) {
834 		atomic_inc(&ch->sq_wr_avail);
835 		atomic_dec(&ch->req_lim);
836 	}
837 	return ret;
838 }
839 
840 /**
841  * srpt_get_desc_tbl() - Parse the data descriptors of an SRP_CMD request.
842  * @ioctx: Pointer to the I/O context associated with the request.
843  * @srp_cmd: Pointer to the SRP_CMD request data.
844  * @dir: Pointer to the variable to which the transfer direction will be
845  *   written.
846  * @data_len: Pointer to the variable to which the total data length of all
847  *   descriptors in the SRP_CMD request will be written.
848  *
849  * This function initializes ioctx->nrbuf and ioctx->r_bufs.
850  *
851  * Returns -EINVAL when the SRP_CMD request contains inconsistent descriptors;
852  * -ENOMEM when memory allocation fails and zero upon success.
853  */
854 static int srpt_get_desc_tbl(struct srpt_send_ioctx *ioctx,
855 			     struct srp_cmd *srp_cmd,
856 			     enum dma_data_direction *dir, u64 *data_len)
857 {
858 	struct srp_indirect_buf *idb;
859 	struct srp_direct_buf *db;
860 	unsigned add_cdb_offset;
861 	int ret;
862 
863 	/*
864 	 * The pointer computations below will only be compiled correctly
865 	 * if srp_cmd::add_data is declared as s8*, u8*, s8[] or u8[], so check
866 	 * whether srp_cmd::add_data has been declared as a byte pointer.
867 	 */
868 	BUILD_BUG_ON(!__same_type(srp_cmd->add_data[0], (s8)0)
869 		     && !__same_type(srp_cmd->add_data[0], (u8)0));
870 
871 	BUG_ON(!dir);
872 	BUG_ON(!data_len);
873 
874 	ret = 0;
875 	*data_len = 0;
876 
877 	/*
878 	 * The lower four bits of the buffer format field contain the DATA-IN
879 	 * buffer descriptor format, and the highest four bits contain the
880 	 * DATA-OUT buffer descriptor format.
881 	 */
882 	*dir = DMA_NONE;
883 	if (srp_cmd->buf_fmt & 0xf)
884 		/* DATA-IN: transfer data from target to initiator (read). */
885 		*dir = DMA_FROM_DEVICE;
886 	else if (srp_cmd->buf_fmt >> 4)
887 		/* DATA-OUT: transfer data from initiator to target (write). */
888 		*dir = DMA_TO_DEVICE;
889 
890 	/*
891 	 * According to the SRP spec, the lower two bits of the 'ADDITIONAL
892 	 * CDB LENGTH' field are reserved and the size in bytes of this field
893 	 * is four times the value specified in bits 3..7. Hence the "& ~3".
894 	 */
895 	add_cdb_offset = srp_cmd->add_cdb_len & ~3;
896 	if (((srp_cmd->buf_fmt & 0xf) == SRP_DATA_DESC_DIRECT) ||
897 	    ((srp_cmd->buf_fmt >> 4) == SRP_DATA_DESC_DIRECT)) {
898 		ioctx->n_rbuf = 1;
899 		ioctx->rbufs = &ioctx->single_rbuf;
900 
901 		db = (struct srp_direct_buf *)(srp_cmd->add_data
902 					       + add_cdb_offset);
903 		memcpy(ioctx->rbufs, db, sizeof *db);
904 		*data_len = be32_to_cpu(db->len);
905 	} else if (((srp_cmd->buf_fmt & 0xf) == SRP_DATA_DESC_INDIRECT) ||
906 		   ((srp_cmd->buf_fmt >> 4) == SRP_DATA_DESC_INDIRECT)) {
907 		idb = (struct srp_indirect_buf *)(srp_cmd->add_data
908 						  + add_cdb_offset);
909 
910 		ioctx->n_rbuf = be32_to_cpu(idb->table_desc.len) / sizeof *db;
911 
912 		if (ioctx->n_rbuf >
913 		    (srp_cmd->data_out_desc_cnt + srp_cmd->data_in_desc_cnt)) {
914 			pr_err("received unsupported SRP_CMD request"
915 			       " type (%u out + %u in != %u / %zu)\n",
916 			       srp_cmd->data_out_desc_cnt,
917 			       srp_cmd->data_in_desc_cnt,
918 			       be32_to_cpu(idb->table_desc.len),
919 			       sizeof(*db));
920 			ioctx->n_rbuf = 0;
921 			ret = -EINVAL;
922 			goto out;
923 		}
924 
925 		if (ioctx->n_rbuf == 1)
926 			ioctx->rbufs = &ioctx->single_rbuf;
927 		else {
928 			ioctx->rbufs =
929 				kmalloc(ioctx->n_rbuf * sizeof *db, GFP_ATOMIC);
930 			if (!ioctx->rbufs) {
931 				ioctx->n_rbuf = 0;
932 				ret = -ENOMEM;
933 				goto out;
934 			}
935 		}
936 
937 		db = idb->desc_list;
938 		memcpy(ioctx->rbufs, db, ioctx->n_rbuf * sizeof *db);
939 		*data_len = be32_to_cpu(idb->len);
940 	}
941 out:
942 	return ret;
943 }
944 
945 /**
946  * srpt_init_ch_qp() - Initialize queue pair attributes.
947  *
948  * Initialized the attributes of queue pair 'qp' by allowing local write,
949  * remote read and remote write. Also transitions 'qp' to state IB_QPS_INIT.
950  */
951 static int srpt_init_ch_qp(struct srpt_rdma_ch *ch, struct ib_qp *qp)
952 {
953 	struct ib_qp_attr *attr;
954 	int ret;
955 
956 	attr = kzalloc(sizeof *attr, GFP_KERNEL);
957 	if (!attr)
958 		return -ENOMEM;
959 
960 	attr->qp_state = IB_QPS_INIT;
961 	attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_READ |
962 	    IB_ACCESS_REMOTE_WRITE;
963 	attr->port_num = ch->sport->port;
964 	attr->pkey_index = 0;
965 
966 	ret = ib_modify_qp(qp, attr,
967 			   IB_QP_STATE | IB_QP_ACCESS_FLAGS | IB_QP_PORT |
968 			   IB_QP_PKEY_INDEX);
969 
970 	kfree(attr);
971 	return ret;
972 }
973 
974 /**
975  * srpt_ch_qp_rtr() - Change the state of a channel to 'ready to receive' (RTR).
976  * @ch: channel of the queue pair.
977  * @qp: queue pair to change the state of.
978  *
979  * Returns zero upon success and a negative value upon failure.
980  *
981  * Note: currently a struct ib_qp_attr takes 136 bytes on a 64-bit system.
982  * If this structure ever becomes larger, it might be necessary to allocate
983  * it dynamically instead of on the stack.
984  */
985 static int srpt_ch_qp_rtr(struct srpt_rdma_ch *ch, struct ib_qp *qp)
986 {
987 	struct ib_qp_attr qp_attr;
988 	int attr_mask;
989 	int ret;
990 
991 	qp_attr.qp_state = IB_QPS_RTR;
992 	ret = ib_cm_init_qp_attr(ch->cm_id, &qp_attr, &attr_mask);
993 	if (ret)
994 		goto out;
995 
996 	qp_attr.max_dest_rd_atomic = 4;
997 
998 	ret = ib_modify_qp(qp, &qp_attr, attr_mask);
999 
1000 out:
1001 	return ret;
1002 }
1003 
1004 /**
1005  * srpt_ch_qp_rts() - Change the state of a channel to 'ready to send' (RTS).
1006  * @ch: channel of the queue pair.
1007  * @qp: queue pair to change the state of.
1008  *
1009  * Returns zero upon success and a negative value upon failure.
1010  *
1011  * Note: currently a struct ib_qp_attr takes 136 bytes on a 64-bit system.
1012  * If this structure ever becomes larger, it might be necessary to allocate
1013  * it dynamically instead of on the stack.
1014  */
1015 static int srpt_ch_qp_rts(struct srpt_rdma_ch *ch, struct ib_qp *qp)
1016 {
1017 	struct ib_qp_attr qp_attr;
1018 	int attr_mask;
1019 	int ret;
1020 
1021 	qp_attr.qp_state = IB_QPS_RTS;
1022 	ret = ib_cm_init_qp_attr(ch->cm_id, &qp_attr, &attr_mask);
1023 	if (ret)
1024 		goto out;
1025 
1026 	qp_attr.max_rd_atomic = 4;
1027 
1028 	ret = ib_modify_qp(qp, &qp_attr, attr_mask);
1029 
1030 out:
1031 	return ret;
1032 }
1033 
1034 /**
1035  * srpt_ch_qp_err() - Set the channel queue pair state to 'error'.
1036  */
1037 static int srpt_ch_qp_err(struct srpt_rdma_ch *ch)
1038 {
1039 	struct ib_qp_attr qp_attr;
1040 
1041 	qp_attr.qp_state = IB_QPS_ERR;
1042 	return ib_modify_qp(ch->qp, &qp_attr, IB_QP_STATE);
1043 }
1044 
1045 /**
1046  * srpt_unmap_sg_to_ib_sge() - Unmap an IB SGE list.
1047  */
1048 static void srpt_unmap_sg_to_ib_sge(struct srpt_rdma_ch *ch,
1049 				    struct srpt_send_ioctx *ioctx)
1050 {
1051 	struct scatterlist *sg;
1052 	enum dma_data_direction dir;
1053 
1054 	BUG_ON(!ch);
1055 	BUG_ON(!ioctx);
1056 	BUG_ON(ioctx->n_rdma && !ioctx->rdma_ius);
1057 
1058 	while (ioctx->n_rdma)
1059 		kfree(ioctx->rdma_ius[--ioctx->n_rdma].sge);
1060 
1061 	kfree(ioctx->rdma_ius);
1062 	ioctx->rdma_ius = NULL;
1063 
1064 	if (ioctx->mapped_sg_count) {
1065 		sg = ioctx->sg;
1066 		WARN_ON(!sg);
1067 		dir = ioctx->cmd.data_direction;
1068 		BUG_ON(dir == DMA_NONE);
1069 		ib_dma_unmap_sg(ch->sport->sdev->device, sg, ioctx->sg_cnt,
1070 				opposite_dma_dir(dir));
1071 		ioctx->mapped_sg_count = 0;
1072 	}
1073 }
1074 
1075 /**
1076  * srpt_map_sg_to_ib_sge() - Map an SG list to an IB SGE list.
1077  */
1078 static int srpt_map_sg_to_ib_sge(struct srpt_rdma_ch *ch,
1079 				 struct srpt_send_ioctx *ioctx)
1080 {
1081 	struct ib_device *dev = ch->sport->sdev->device;
1082 	struct se_cmd *cmd;
1083 	struct scatterlist *sg, *sg_orig;
1084 	int sg_cnt;
1085 	enum dma_data_direction dir;
1086 	struct rdma_iu *riu;
1087 	struct srp_direct_buf *db;
1088 	dma_addr_t dma_addr;
1089 	struct ib_sge *sge;
1090 	u64 raddr;
1091 	u32 rsize;
1092 	u32 tsize;
1093 	u32 dma_len;
1094 	int count, nrdma;
1095 	int i, j, k;
1096 
1097 	BUG_ON(!ch);
1098 	BUG_ON(!ioctx);
1099 	cmd = &ioctx->cmd;
1100 	dir = cmd->data_direction;
1101 	BUG_ON(dir == DMA_NONE);
1102 
1103 	ioctx->sg = sg = sg_orig = cmd->t_data_sg;
1104 	ioctx->sg_cnt = sg_cnt = cmd->t_data_nents;
1105 
1106 	count = ib_dma_map_sg(ch->sport->sdev->device, sg, sg_cnt,
1107 			      opposite_dma_dir(dir));
1108 	if (unlikely(!count))
1109 		return -EAGAIN;
1110 
1111 	ioctx->mapped_sg_count = count;
1112 
1113 	if (ioctx->rdma_ius && ioctx->n_rdma_ius)
1114 		nrdma = ioctx->n_rdma_ius;
1115 	else {
1116 		nrdma = (count + SRPT_DEF_SG_PER_WQE - 1) / SRPT_DEF_SG_PER_WQE
1117 			+ ioctx->n_rbuf;
1118 
1119 		ioctx->rdma_ius = kzalloc(nrdma * sizeof *riu, GFP_KERNEL);
1120 		if (!ioctx->rdma_ius)
1121 			goto free_mem;
1122 
1123 		ioctx->n_rdma_ius = nrdma;
1124 	}
1125 
1126 	db = ioctx->rbufs;
1127 	tsize = cmd->data_length;
1128 	dma_len = ib_sg_dma_len(dev, &sg[0]);
1129 	riu = ioctx->rdma_ius;
1130 
1131 	/*
1132 	 * For each remote desc - calculate the #ib_sge.
1133 	 * If #ib_sge < SRPT_DEF_SG_PER_WQE per rdma operation then
1134 	 *      each remote desc rdma_iu is required a rdma wr;
1135 	 * else
1136 	 *      we need to allocate extra rdma_iu to carry extra #ib_sge in
1137 	 *      another rdma wr
1138 	 */
1139 	for (i = 0, j = 0;
1140 	     j < count && i < ioctx->n_rbuf && tsize > 0; ++i, ++riu, ++db) {
1141 		rsize = be32_to_cpu(db->len);
1142 		raddr = be64_to_cpu(db->va);
1143 		riu->raddr = raddr;
1144 		riu->rkey = be32_to_cpu(db->key);
1145 		riu->sge_cnt = 0;
1146 
1147 		/* calculate how many sge required for this remote_buf */
1148 		while (rsize > 0 && tsize > 0) {
1149 
1150 			if (rsize >= dma_len) {
1151 				tsize -= dma_len;
1152 				rsize -= dma_len;
1153 				raddr += dma_len;
1154 
1155 				if (tsize > 0) {
1156 					++j;
1157 					if (j < count) {
1158 						sg = sg_next(sg);
1159 						dma_len = ib_sg_dma_len(
1160 								dev, sg);
1161 					}
1162 				}
1163 			} else {
1164 				tsize -= rsize;
1165 				dma_len -= rsize;
1166 				rsize = 0;
1167 			}
1168 
1169 			++riu->sge_cnt;
1170 
1171 			if (rsize > 0 && riu->sge_cnt == SRPT_DEF_SG_PER_WQE) {
1172 				++ioctx->n_rdma;
1173 				riu->sge =
1174 				    kmalloc(riu->sge_cnt * sizeof *riu->sge,
1175 					    GFP_KERNEL);
1176 				if (!riu->sge)
1177 					goto free_mem;
1178 
1179 				++riu;
1180 				riu->sge_cnt = 0;
1181 				riu->raddr = raddr;
1182 				riu->rkey = be32_to_cpu(db->key);
1183 			}
1184 		}
1185 
1186 		++ioctx->n_rdma;
1187 		riu->sge = kmalloc(riu->sge_cnt * sizeof *riu->sge,
1188 				   GFP_KERNEL);
1189 		if (!riu->sge)
1190 			goto free_mem;
1191 	}
1192 
1193 	db = ioctx->rbufs;
1194 	tsize = cmd->data_length;
1195 	riu = ioctx->rdma_ius;
1196 	sg = sg_orig;
1197 	dma_len = ib_sg_dma_len(dev, &sg[0]);
1198 	dma_addr = ib_sg_dma_address(dev, &sg[0]);
1199 
1200 	/* this second loop is really mapped sg_addres to rdma_iu->ib_sge */
1201 	for (i = 0, j = 0;
1202 	     j < count && i < ioctx->n_rbuf && tsize > 0; ++i, ++riu, ++db) {
1203 		rsize = be32_to_cpu(db->len);
1204 		sge = riu->sge;
1205 		k = 0;
1206 
1207 		while (rsize > 0 && tsize > 0) {
1208 			sge->addr = dma_addr;
1209 			sge->lkey = ch->sport->sdev->pd->local_dma_lkey;
1210 
1211 			if (rsize >= dma_len) {
1212 				sge->length =
1213 					(tsize < dma_len) ? tsize : dma_len;
1214 				tsize -= dma_len;
1215 				rsize -= dma_len;
1216 
1217 				if (tsize > 0) {
1218 					++j;
1219 					if (j < count) {
1220 						sg = sg_next(sg);
1221 						dma_len = ib_sg_dma_len(
1222 								dev, sg);
1223 						dma_addr = ib_sg_dma_address(
1224 								dev, sg);
1225 					}
1226 				}
1227 			} else {
1228 				sge->length = (tsize < rsize) ? tsize : rsize;
1229 				tsize -= rsize;
1230 				dma_len -= rsize;
1231 				dma_addr += rsize;
1232 				rsize = 0;
1233 			}
1234 
1235 			++k;
1236 			if (k == riu->sge_cnt && rsize > 0 && tsize > 0) {
1237 				++riu;
1238 				sge = riu->sge;
1239 				k = 0;
1240 			} else if (rsize > 0 && tsize > 0)
1241 				++sge;
1242 		}
1243 	}
1244 
1245 	return 0;
1246 
1247 free_mem:
1248 	srpt_unmap_sg_to_ib_sge(ch, ioctx);
1249 
1250 	return -ENOMEM;
1251 }
1252 
1253 /**
1254  * srpt_get_send_ioctx() - Obtain an I/O context for sending to the initiator.
1255  */
1256 static struct srpt_send_ioctx *srpt_get_send_ioctx(struct srpt_rdma_ch *ch)
1257 {
1258 	struct srpt_send_ioctx *ioctx;
1259 	unsigned long flags;
1260 
1261 	BUG_ON(!ch);
1262 
1263 	ioctx = NULL;
1264 	spin_lock_irqsave(&ch->spinlock, flags);
1265 	if (!list_empty(&ch->free_list)) {
1266 		ioctx = list_first_entry(&ch->free_list,
1267 					 struct srpt_send_ioctx, free_list);
1268 		list_del(&ioctx->free_list);
1269 	}
1270 	spin_unlock_irqrestore(&ch->spinlock, flags);
1271 
1272 	if (!ioctx)
1273 		return ioctx;
1274 
1275 	BUG_ON(ioctx->ch != ch);
1276 	spin_lock_init(&ioctx->spinlock);
1277 	ioctx->state = SRPT_STATE_NEW;
1278 	ioctx->n_rbuf = 0;
1279 	ioctx->rbufs = NULL;
1280 	ioctx->n_rdma = 0;
1281 	ioctx->n_rdma_ius = 0;
1282 	ioctx->rdma_ius = NULL;
1283 	ioctx->mapped_sg_count = 0;
1284 	init_completion(&ioctx->tx_done);
1285 	ioctx->queue_status_only = false;
1286 	/*
1287 	 * transport_init_se_cmd() does not initialize all fields, so do it
1288 	 * here.
1289 	 */
1290 	memset(&ioctx->cmd, 0, sizeof(ioctx->cmd));
1291 	memset(&ioctx->sense_data, 0, sizeof(ioctx->sense_data));
1292 
1293 	return ioctx;
1294 }
1295 
1296 /**
1297  * srpt_abort_cmd() - Abort a SCSI command.
1298  * @ioctx:   I/O context associated with the SCSI command.
1299  * @context: Preferred execution context.
1300  */
1301 static int srpt_abort_cmd(struct srpt_send_ioctx *ioctx)
1302 {
1303 	enum srpt_command_state state;
1304 	unsigned long flags;
1305 
1306 	BUG_ON(!ioctx);
1307 
1308 	/*
1309 	 * If the command is in a state where the target core is waiting for
1310 	 * the ib_srpt driver, change the state to the next state. Changing
1311 	 * the state of the command from SRPT_STATE_NEED_DATA to
1312 	 * SRPT_STATE_DATA_IN ensures that srpt_xmit_response() will call this
1313 	 * function a second time.
1314 	 */
1315 
1316 	spin_lock_irqsave(&ioctx->spinlock, flags);
1317 	state = ioctx->state;
1318 	switch (state) {
1319 	case SRPT_STATE_NEED_DATA:
1320 		ioctx->state = SRPT_STATE_DATA_IN;
1321 		break;
1322 	case SRPT_STATE_DATA_IN:
1323 	case SRPT_STATE_CMD_RSP_SENT:
1324 	case SRPT_STATE_MGMT_RSP_SENT:
1325 		ioctx->state = SRPT_STATE_DONE;
1326 		break;
1327 	default:
1328 		break;
1329 	}
1330 	spin_unlock_irqrestore(&ioctx->spinlock, flags);
1331 
1332 	if (state == SRPT_STATE_DONE) {
1333 		struct srpt_rdma_ch *ch = ioctx->ch;
1334 
1335 		BUG_ON(ch->sess == NULL);
1336 
1337 		target_put_sess_cmd(&ioctx->cmd);
1338 		goto out;
1339 	}
1340 
1341 	pr_debug("Aborting cmd with state %d and tag %lld\n", state,
1342 		 ioctx->cmd.tag);
1343 
1344 	switch (state) {
1345 	case SRPT_STATE_NEW:
1346 	case SRPT_STATE_DATA_IN:
1347 	case SRPT_STATE_MGMT:
1348 		/*
1349 		 * Do nothing - defer abort processing until
1350 		 * srpt_queue_response() is invoked.
1351 		 */
1352 		WARN_ON(!transport_check_aborted_status(&ioctx->cmd, false));
1353 		break;
1354 	case SRPT_STATE_NEED_DATA:
1355 		/* DMA_TO_DEVICE (write) - RDMA read error. */
1356 
1357 		/* XXX(hch): this is a horrible layering violation.. */
1358 		spin_lock_irqsave(&ioctx->cmd.t_state_lock, flags);
1359 		ioctx->cmd.transport_state &= ~CMD_T_ACTIVE;
1360 		spin_unlock_irqrestore(&ioctx->cmd.t_state_lock, flags);
1361 		break;
1362 	case SRPT_STATE_CMD_RSP_SENT:
1363 		/*
1364 		 * SRP_RSP sending failed or the SRP_RSP send completion has
1365 		 * not been received in time.
1366 		 */
1367 		srpt_unmap_sg_to_ib_sge(ioctx->ch, ioctx);
1368 		target_put_sess_cmd(&ioctx->cmd);
1369 		break;
1370 	case SRPT_STATE_MGMT_RSP_SENT:
1371 		srpt_set_cmd_state(ioctx, SRPT_STATE_DONE);
1372 		target_put_sess_cmd(&ioctx->cmd);
1373 		break;
1374 	default:
1375 		WARN(1, "Unexpected command state (%d)", state);
1376 		break;
1377 	}
1378 
1379 out:
1380 	return state;
1381 }
1382 
1383 /**
1384  * srpt_handle_send_err_comp() - Process an IB_WC_SEND error completion.
1385  */
1386 static void srpt_handle_send_err_comp(struct srpt_rdma_ch *ch, u64 wr_id)
1387 {
1388 	struct srpt_send_ioctx *ioctx;
1389 	enum srpt_command_state state;
1390 	u32 index;
1391 
1392 	atomic_inc(&ch->sq_wr_avail);
1393 
1394 	index = idx_from_wr_id(wr_id);
1395 	ioctx = ch->ioctx_ring[index];
1396 	state = srpt_get_cmd_state(ioctx);
1397 
1398 	WARN_ON(state != SRPT_STATE_CMD_RSP_SENT
1399 		&& state != SRPT_STATE_MGMT_RSP_SENT
1400 		&& state != SRPT_STATE_NEED_DATA
1401 		&& state != SRPT_STATE_DONE);
1402 
1403 	/* If SRP_RSP sending failed, undo the ch->req_lim change. */
1404 	if (state == SRPT_STATE_CMD_RSP_SENT
1405 	    || state == SRPT_STATE_MGMT_RSP_SENT)
1406 		atomic_dec(&ch->req_lim);
1407 
1408 	srpt_abort_cmd(ioctx);
1409 }
1410 
1411 /**
1412  * srpt_handle_send_comp() - Process an IB send completion notification.
1413  */
1414 static void srpt_handle_send_comp(struct srpt_rdma_ch *ch,
1415 				  struct srpt_send_ioctx *ioctx)
1416 {
1417 	enum srpt_command_state state;
1418 
1419 	atomic_inc(&ch->sq_wr_avail);
1420 
1421 	state = srpt_set_cmd_state(ioctx, SRPT_STATE_DONE);
1422 
1423 	if (WARN_ON(state != SRPT_STATE_CMD_RSP_SENT
1424 		    && state != SRPT_STATE_MGMT_RSP_SENT
1425 		    && state != SRPT_STATE_DONE))
1426 		pr_debug("state = %d\n", state);
1427 
1428 	if (state != SRPT_STATE_DONE) {
1429 		srpt_unmap_sg_to_ib_sge(ch, ioctx);
1430 		transport_generic_free_cmd(&ioctx->cmd, 0);
1431 	} else {
1432 		pr_err("IB completion has been received too late for"
1433 		       " wr_id = %u.\n", ioctx->ioctx.index);
1434 	}
1435 }
1436 
1437 /**
1438  * srpt_handle_rdma_comp() - Process an IB RDMA completion notification.
1439  *
1440  * XXX: what is now target_execute_cmd used to be asynchronous, and unmapping
1441  * the data that has been transferred via IB RDMA had to be postponed until the
1442  * check_stop_free() callback.  None of this is necessary anymore and needs to
1443  * be cleaned up.
1444  */
1445 static void srpt_handle_rdma_comp(struct srpt_rdma_ch *ch,
1446 				  struct srpt_send_ioctx *ioctx,
1447 				  enum srpt_opcode opcode)
1448 {
1449 	WARN_ON(ioctx->n_rdma <= 0);
1450 	atomic_add(ioctx->n_rdma, &ch->sq_wr_avail);
1451 
1452 	if (opcode == SRPT_RDMA_READ_LAST) {
1453 		if (srpt_test_and_set_cmd_state(ioctx, SRPT_STATE_NEED_DATA,
1454 						SRPT_STATE_DATA_IN))
1455 			target_execute_cmd(&ioctx->cmd);
1456 		else
1457 			pr_err("%s[%d]: wrong state = %d\n", __func__,
1458 			       __LINE__, srpt_get_cmd_state(ioctx));
1459 	} else if (opcode == SRPT_RDMA_ABORT) {
1460 		ioctx->rdma_aborted = true;
1461 	} else {
1462 		WARN(true, "unexpected opcode %d\n", opcode);
1463 	}
1464 }
1465 
1466 /**
1467  * srpt_handle_rdma_err_comp() - Process an IB RDMA error completion.
1468  */
1469 static void srpt_handle_rdma_err_comp(struct srpt_rdma_ch *ch,
1470 				      struct srpt_send_ioctx *ioctx,
1471 				      enum srpt_opcode opcode)
1472 {
1473 	enum srpt_command_state state;
1474 
1475 	state = srpt_get_cmd_state(ioctx);
1476 	switch (opcode) {
1477 	case SRPT_RDMA_READ_LAST:
1478 		if (ioctx->n_rdma <= 0) {
1479 			pr_err("Received invalid RDMA read"
1480 			       " error completion with idx %d\n",
1481 			       ioctx->ioctx.index);
1482 			break;
1483 		}
1484 		atomic_add(ioctx->n_rdma, &ch->sq_wr_avail);
1485 		if (state == SRPT_STATE_NEED_DATA)
1486 			srpt_abort_cmd(ioctx);
1487 		else
1488 			pr_err("%s[%d]: wrong state = %d\n",
1489 			       __func__, __LINE__, state);
1490 		break;
1491 	case SRPT_RDMA_WRITE_LAST:
1492 		break;
1493 	default:
1494 		pr_err("%s[%d]: opcode = %u\n", __func__, __LINE__, opcode);
1495 		break;
1496 	}
1497 }
1498 
1499 /**
1500  * srpt_build_cmd_rsp() - Build an SRP_RSP response.
1501  * @ch: RDMA channel through which the request has been received.
1502  * @ioctx: I/O context associated with the SRP_CMD request. The response will
1503  *   be built in the buffer ioctx->buf points at and hence this function will
1504  *   overwrite the request data.
1505  * @tag: tag of the request for which this response is being generated.
1506  * @status: value for the STATUS field of the SRP_RSP information unit.
1507  *
1508  * Returns the size in bytes of the SRP_RSP response.
1509  *
1510  * An SRP_RSP response contains a SCSI status or service response. See also
1511  * section 6.9 in the SRP r16a document for the format of an SRP_RSP
1512  * response. See also SPC-2 for more information about sense data.
1513  */
1514 static int srpt_build_cmd_rsp(struct srpt_rdma_ch *ch,
1515 			      struct srpt_send_ioctx *ioctx, u64 tag,
1516 			      int status)
1517 {
1518 	struct srp_rsp *srp_rsp;
1519 	const u8 *sense_data;
1520 	int sense_data_len, max_sense_len;
1521 
1522 	/*
1523 	 * The lowest bit of all SAM-3 status codes is zero (see also
1524 	 * paragraph 5.3 in SAM-3).
1525 	 */
1526 	WARN_ON(status & 1);
1527 
1528 	srp_rsp = ioctx->ioctx.buf;
1529 	BUG_ON(!srp_rsp);
1530 
1531 	sense_data = ioctx->sense_data;
1532 	sense_data_len = ioctx->cmd.scsi_sense_length;
1533 	WARN_ON(sense_data_len > sizeof(ioctx->sense_data));
1534 
1535 	memset(srp_rsp, 0, sizeof *srp_rsp);
1536 	srp_rsp->opcode = SRP_RSP;
1537 	srp_rsp->req_lim_delta =
1538 		cpu_to_be32(1 + atomic_xchg(&ch->req_lim_delta, 0));
1539 	srp_rsp->tag = tag;
1540 	srp_rsp->status = status;
1541 
1542 	if (sense_data_len) {
1543 		BUILD_BUG_ON(MIN_MAX_RSP_SIZE <= sizeof(*srp_rsp));
1544 		max_sense_len = ch->max_ti_iu_len - sizeof(*srp_rsp);
1545 		if (sense_data_len > max_sense_len) {
1546 			pr_warn("truncated sense data from %d to %d"
1547 				" bytes\n", sense_data_len, max_sense_len);
1548 			sense_data_len = max_sense_len;
1549 		}
1550 
1551 		srp_rsp->flags |= SRP_RSP_FLAG_SNSVALID;
1552 		srp_rsp->sense_data_len = cpu_to_be32(sense_data_len);
1553 		memcpy(srp_rsp + 1, sense_data, sense_data_len);
1554 	}
1555 
1556 	return sizeof(*srp_rsp) + sense_data_len;
1557 }
1558 
1559 /**
1560  * srpt_build_tskmgmt_rsp() - Build a task management response.
1561  * @ch:       RDMA channel through which the request has been received.
1562  * @ioctx:    I/O context in which the SRP_RSP response will be built.
1563  * @rsp_code: RSP_CODE that will be stored in the response.
1564  * @tag:      Tag of the request for which this response is being generated.
1565  *
1566  * Returns the size in bytes of the SRP_RSP response.
1567  *
1568  * An SRP_RSP response contains a SCSI status or service response. See also
1569  * section 6.9 in the SRP r16a document for the format of an SRP_RSP
1570  * response.
1571  */
1572 static int srpt_build_tskmgmt_rsp(struct srpt_rdma_ch *ch,
1573 				  struct srpt_send_ioctx *ioctx,
1574 				  u8 rsp_code, u64 tag)
1575 {
1576 	struct srp_rsp *srp_rsp;
1577 	int resp_data_len;
1578 	int resp_len;
1579 
1580 	resp_data_len = 4;
1581 	resp_len = sizeof(*srp_rsp) + resp_data_len;
1582 
1583 	srp_rsp = ioctx->ioctx.buf;
1584 	BUG_ON(!srp_rsp);
1585 	memset(srp_rsp, 0, sizeof *srp_rsp);
1586 
1587 	srp_rsp->opcode = SRP_RSP;
1588 	srp_rsp->req_lim_delta =
1589 		cpu_to_be32(1 + atomic_xchg(&ch->req_lim_delta, 0));
1590 	srp_rsp->tag = tag;
1591 
1592 	srp_rsp->flags |= SRP_RSP_FLAG_RSPVALID;
1593 	srp_rsp->resp_data_len = cpu_to_be32(resp_data_len);
1594 	srp_rsp->data[3] = rsp_code;
1595 
1596 	return resp_len;
1597 }
1598 
1599 #define NO_SUCH_LUN ((uint64_t)-1LL)
1600 
1601 /*
1602  * SCSI LUN addressing method. See also SAM-2 and the section about
1603  * eight byte LUNs.
1604  */
1605 enum scsi_lun_addr_method {
1606 	SCSI_LUN_ADDR_METHOD_PERIPHERAL   = 0,
1607 	SCSI_LUN_ADDR_METHOD_FLAT         = 1,
1608 	SCSI_LUN_ADDR_METHOD_LUN          = 2,
1609 	SCSI_LUN_ADDR_METHOD_EXTENDED_LUN = 3,
1610 };
1611 
1612 /*
1613  * srpt_unpack_lun() - Convert from network LUN to linear LUN.
1614  *
1615  * Convert an 2-byte, 4-byte, 6-byte or 8-byte LUN structure in network byte
1616  * order (big endian) to a linear LUN. Supports three LUN addressing methods:
1617  * peripheral, flat and logical unit. See also SAM-2, section 4.9.4 (page 40).
1618  */
1619 static uint64_t srpt_unpack_lun(const uint8_t *lun, int len)
1620 {
1621 	uint64_t res = NO_SUCH_LUN;
1622 	int addressing_method;
1623 
1624 	if (unlikely(len < 2)) {
1625 		pr_err("Illegal LUN length %d, expected 2 bytes or more\n",
1626 		       len);
1627 		goto out;
1628 	}
1629 
1630 	switch (len) {
1631 	case 8:
1632 		if ((*((__be64 *)lun) &
1633 		     cpu_to_be64(0x0000FFFFFFFFFFFFLL)) != 0)
1634 			goto out_err;
1635 		break;
1636 	case 4:
1637 		if (*((__be16 *)&lun[2]) != 0)
1638 			goto out_err;
1639 		break;
1640 	case 6:
1641 		if (*((__be32 *)&lun[2]) != 0)
1642 			goto out_err;
1643 		break;
1644 	case 2:
1645 		break;
1646 	default:
1647 		goto out_err;
1648 	}
1649 
1650 	addressing_method = (*lun) >> 6; /* highest two bits of byte 0 */
1651 	switch (addressing_method) {
1652 	case SCSI_LUN_ADDR_METHOD_PERIPHERAL:
1653 	case SCSI_LUN_ADDR_METHOD_FLAT:
1654 	case SCSI_LUN_ADDR_METHOD_LUN:
1655 		res = *(lun + 1) | (((*lun) & 0x3f) << 8);
1656 		break;
1657 
1658 	case SCSI_LUN_ADDR_METHOD_EXTENDED_LUN:
1659 	default:
1660 		pr_err("Unimplemented LUN addressing method %u\n",
1661 		       addressing_method);
1662 		break;
1663 	}
1664 
1665 out:
1666 	return res;
1667 
1668 out_err:
1669 	pr_err("Support for multi-level LUNs has not yet been implemented\n");
1670 	goto out;
1671 }
1672 
1673 static int srpt_check_stop_free(struct se_cmd *cmd)
1674 {
1675 	struct srpt_send_ioctx *ioctx = container_of(cmd,
1676 				struct srpt_send_ioctx, cmd);
1677 
1678 	return target_put_sess_cmd(&ioctx->cmd);
1679 }
1680 
1681 /**
1682  * srpt_handle_cmd() - Process SRP_CMD.
1683  */
1684 static int srpt_handle_cmd(struct srpt_rdma_ch *ch,
1685 			   struct srpt_recv_ioctx *recv_ioctx,
1686 			   struct srpt_send_ioctx *send_ioctx)
1687 {
1688 	struct se_cmd *cmd;
1689 	struct srp_cmd *srp_cmd;
1690 	uint64_t unpacked_lun;
1691 	u64 data_len;
1692 	enum dma_data_direction dir;
1693 	sense_reason_t ret;
1694 	int rc;
1695 
1696 	BUG_ON(!send_ioctx);
1697 
1698 	srp_cmd = recv_ioctx->ioctx.buf;
1699 	cmd = &send_ioctx->cmd;
1700 	cmd->tag = srp_cmd->tag;
1701 
1702 	switch (srp_cmd->task_attr) {
1703 	case SRP_CMD_SIMPLE_Q:
1704 		cmd->sam_task_attr = TCM_SIMPLE_TAG;
1705 		break;
1706 	case SRP_CMD_ORDERED_Q:
1707 	default:
1708 		cmd->sam_task_attr = TCM_ORDERED_TAG;
1709 		break;
1710 	case SRP_CMD_HEAD_OF_Q:
1711 		cmd->sam_task_attr = TCM_HEAD_TAG;
1712 		break;
1713 	case SRP_CMD_ACA:
1714 		cmd->sam_task_attr = TCM_ACA_TAG;
1715 		break;
1716 	}
1717 
1718 	if (srpt_get_desc_tbl(send_ioctx, srp_cmd, &dir, &data_len)) {
1719 		pr_err("0x%llx: parsing SRP descriptor table failed.\n",
1720 		       srp_cmd->tag);
1721 		ret = TCM_INVALID_CDB_FIELD;
1722 		goto send_sense;
1723 	}
1724 
1725 	unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_cmd->lun,
1726 				       sizeof(srp_cmd->lun));
1727 	rc = target_submit_cmd(cmd, ch->sess, srp_cmd->cdb,
1728 			&send_ioctx->sense_data[0], unpacked_lun, data_len,
1729 			TCM_SIMPLE_TAG, dir, TARGET_SCF_ACK_KREF);
1730 	if (rc != 0) {
1731 		ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
1732 		goto send_sense;
1733 	}
1734 	return 0;
1735 
1736 send_sense:
1737 	transport_send_check_condition_and_sense(cmd, ret, 0);
1738 	return -1;
1739 }
1740 
1741 /**
1742  * srpt_rx_mgmt_fn_tag() - Process a task management function by tag.
1743  * @ch: RDMA channel of the task management request.
1744  * @fn: Task management function to perform.
1745  * @req_tag: Tag of the SRP task management request.
1746  * @mgmt_ioctx: I/O context of the task management request.
1747  *
1748  * Returns zero if the target core will process the task management
1749  * request asynchronously.
1750  *
1751  * Note: It is assumed that the initiator serializes tag-based task management
1752  * requests.
1753  */
1754 static int srpt_rx_mgmt_fn_tag(struct srpt_send_ioctx *ioctx, u64 tag)
1755 {
1756 	struct srpt_device *sdev;
1757 	struct srpt_rdma_ch *ch;
1758 	struct srpt_send_ioctx *target;
1759 	int ret, i;
1760 
1761 	ret = -EINVAL;
1762 	ch = ioctx->ch;
1763 	BUG_ON(!ch);
1764 	BUG_ON(!ch->sport);
1765 	sdev = ch->sport->sdev;
1766 	BUG_ON(!sdev);
1767 	spin_lock_irq(&sdev->spinlock);
1768 	for (i = 0; i < ch->rq_size; ++i) {
1769 		target = ch->ioctx_ring[i];
1770 		if (target->cmd.se_lun == ioctx->cmd.se_lun &&
1771 		    target->cmd.tag == tag &&
1772 		    srpt_get_cmd_state(target) != SRPT_STATE_DONE) {
1773 			ret = 0;
1774 			/* now let the target core abort &target->cmd; */
1775 			break;
1776 		}
1777 	}
1778 	spin_unlock_irq(&sdev->spinlock);
1779 	return ret;
1780 }
1781 
1782 static int srp_tmr_to_tcm(int fn)
1783 {
1784 	switch (fn) {
1785 	case SRP_TSK_ABORT_TASK:
1786 		return TMR_ABORT_TASK;
1787 	case SRP_TSK_ABORT_TASK_SET:
1788 		return TMR_ABORT_TASK_SET;
1789 	case SRP_TSK_CLEAR_TASK_SET:
1790 		return TMR_CLEAR_TASK_SET;
1791 	case SRP_TSK_LUN_RESET:
1792 		return TMR_LUN_RESET;
1793 	case SRP_TSK_CLEAR_ACA:
1794 		return TMR_CLEAR_ACA;
1795 	default:
1796 		return -1;
1797 	}
1798 }
1799 
1800 /**
1801  * srpt_handle_tsk_mgmt() - Process an SRP_TSK_MGMT information unit.
1802  *
1803  * Returns 0 if and only if the request will be processed by the target core.
1804  *
1805  * For more information about SRP_TSK_MGMT information units, see also section
1806  * 6.7 in the SRP r16a document.
1807  */
1808 static void srpt_handle_tsk_mgmt(struct srpt_rdma_ch *ch,
1809 				 struct srpt_recv_ioctx *recv_ioctx,
1810 				 struct srpt_send_ioctx *send_ioctx)
1811 {
1812 	struct srp_tsk_mgmt *srp_tsk;
1813 	struct se_cmd *cmd;
1814 	struct se_session *sess = ch->sess;
1815 	uint64_t unpacked_lun;
1816 	uint32_t tag = 0;
1817 	int tcm_tmr;
1818 	int rc;
1819 
1820 	BUG_ON(!send_ioctx);
1821 
1822 	srp_tsk = recv_ioctx->ioctx.buf;
1823 	cmd = &send_ioctx->cmd;
1824 
1825 	pr_debug("recv tsk_mgmt fn %d for task_tag %lld and cmd tag %lld"
1826 		 " cm_id %p sess %p\n", srp_tsk->tsk_mgmt_func,
1827 		 srp_tsk->task_tag, srp_tsk->tag, ch->cm_id, ch->sess);
1828 
1829 	srpt_set_cmd_state(send_ioctx, SRPT_STATE_MGMT);
1830 	send_ioctx->cmd.tag = srp_tsk->tag;
1831 	tcm_tmr = srp_tmr_to_tcm(srp_tsk->tsk_mgmt_func);
1832 	if (tcm_tmr < 0) {
1833 		send_ioctx->cmd.se_tmr_req->response =
1834 			TMR_TASK_MGMT_FUNCTION_NOT_SUPPORTED;
1835 		goto fail;
1836 	}
1837 	unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_tsk->lun,
1838 				       sizeof(srp_tsk->lun));
1839 
1840 	if (srp_tsk->tsk_mgmt_func == SRP_TSK_ABORT_TASK) {
1841 		rc = srpt_rx_mgmt_fn_tag(send_ioctx, srp_tsk->task_tag);
1842 		if (rc < 0) {
1843 			send_ioctx->cmd.se_tmr_req->response =
1844 					TMR_TASK_DOES_NOT_EXIST;
1845 			goto fail;
1846 		}
1847 		tag = srp_tsk->task_tag;
1848 	}
1849 	rc = target_submit_tmr(&send_ioctx->cmd, sess, NULL, unpacked_lun,
1850 				srp_tsk, tcm_tmr, GFP_KERNEL, tag,
1851 				TARGET_SCF_ACK_KREF);
1852 	if (rc != 0) {
1853 		send_ioctx->cmd.se_tmr_req->response = TMR_FUNCTION_REJECTED;
1854 		goto fail;
1855 	}
1856 	return;
1857 fail:
1858 	transport_send_check_condition_and_sense(cmd, 0, 0); // XXX:
1859 }
1860 
1861 /**
1862  * srpt_handle_new_iu() - Process a newly received information unit.
1863  * @ch:    RDMA channel through which the information unit has been received.
1864  * @ioctx: SRPT I/O context associated with the information unit.
1865  */
1866 static void srpt_handle_new_iu(struct srpt_rdma_ch *ch,
1867 			       struct srpt_recv_ioctx *recv_ioctx,
1868 			       struct srpt_send_ioctx *send_ioctx)
1869 {
1870 	struct srp_cmd *srp_cmd;
1871 	enum rdma_ch_state ch_state;
1872 
1873 	BUG_ON(!ch);
1874 	BUG_ON(!recv_ioctx);
1875 
1876 	ib_dma_sync_single_for_cpu(ch->sport->sdev->device,
1877 				   recv_ioctx->ioctx.dma, srp_max_req_size,
1878 				   DMA_FROM_DEVICE);
1879 
1880 	ch_state = srpt_get_ch_state(ch);
1881 	if (unlikely(ch_state == CH_CONNECTING)) {
1882 		list_add_tail(&recv_ioctx->wait_list, &ch->cmd_wait_list);
1883 		goto out;
1884 	}
1885 
1886 	if (unlikely(ch_state != CH_LIVE))
1887 		goto out;
1888 
1889 	srp_cmd = recv_ioctx->ioctx.buf;
1890 	if (srp_cmd->opcode == SRP_CMD || srp_cmd->opcode == SRP_TSK_MGMT) {
1891 		if (!send_ioctx)
1892 			send_ioctx = srpt_get_send_ioctx(ch);
1893 		if (unlikely(!send_ioctx)) {
1894 			list_add_tail(&recv_ioctx->wait_list,
1895 				      &ch->cmd_wait_list);
1896 			goto out;
1897 		}
1898 	}
1899 
1900 	switch (srp_cmd->opcode) {
1901 	case SRP_CMD:
1902 		srpt_handle_cmd(ch, recv_ioctx, send_ioctx);
1903 		break;
1904 	case SRP_TSK_MGMT:
1905 		srpt_handle_tsk_mgmt(ch, recv_ioctx, send_ioctx);
1906 		break;
1907 	case SRP_I_LOGOUT:
1908 		pr_err("Not yet implemented: SRP_I_LOGOUT\n");
1909 		break;
1910 	case SRP_CRED_RSP:
1911 		pr_debug("received SRP_CRED_RSP\n");
1912 		break;
1913 	case SRP_AER_RSP:
1914 		pr_debug("received SRP_AER_RSP\n");
1915 		break;
1916 	case SRP_RSP:
1917 		pr_err("Received SRP_RSP\n");
1918 		break;
1919 	default:
1920 		pr_err("received IU with unknown opcode 0x%x\n",
1921 		       srp_cmd->opcode);
1922 		break;
1923 	}
1924 
1925 	srpt_post_recv(ch->sport->sdev, recv_ioctx);
1926 out:
1927 	return;
1928 }
1929 
1930 static void srpt_process_rcv_completion(struct ib_cq *cq,
1931 					struct srpt_rdma_ch *ch,
1932 					struct ib_wc *wc)
1933 {
1934 	struct srpt_device *sdev = ch->sport->sdev;
1935 	struct srpt_recv_ioctx *ioctx;
1936 	u32 index;
1937 
1938 	index = idx_from_wr_id(wc->wr_id);
1939 	if (wc->status == IB_WC_SUCCESS) {
1940 		int req_lim;
1941 
1942 		req_lim = atomic_dec_return(&ch->req_lim);
1943 		if (unlikely(req_lim < 0))
1944 			pr_err("req_lim = %d < 0\n", req_lim);
1945 		ioctx = sdev->ioctx_ring[index];
1946 		srpt_handle_new_iu(ch, ioctx, NULL);
1947 	} else {
1948 		pr_info("receiving failed for idx %u with status %d\n",
1949 			index, wc->status);
1950 	}
1951 }
1952 
1953 /**
1954  * srpt_process_send_completion() - Process an IB send completion.
1955  *
1956  * Note: Although this has not yet been observed during tests, at least in
1957  * theory it is possible that the srpt_get_send_ioctx() call invoked by
1958  * srpt_handle_new_iu() fails. This is possible because the req_lim_delta
1959  * value in each response is set to one, and it is possible that this response
1960  * makes the initiator send a new request before the send completion for that
1961  * response has been processed. This could e.g. happen if the call to
1962  * srpt_put_send_iotcx() is delayed because of a higher priority interrupt or
1963  * if IB retransmission causes generation of the send completion to be
1964  * delayed. Incoming information units for which srpt_get_send_ioctx() fails
1965  * are queued on cmd_wait_list. The code below processes these delayed
1966  * requests one at a time.
1967  */
1968 static void srpt_process_send_completion(struct ib_cq *cq,
1969 					 struct srpt_rdma_ch *ch,
1970 					 struct ib_wc *wc)
1971 {
1972 	struct srpt_send_ioctx *send_ioctx;
1973 	uint32_t index;
1974 	enum srpt_opcode opcode;
1975 
1976 	index = idx_from_wr_id(wc->wr_id);
1977 	opcode = opcode_from_wr_id(wc->wr_id);
1978 	send_ioctx = ch->ioctx_ring[index];
1979 	if (wc->status == IB_WC_SUCCESS) {
1980 		if (opcode == SRPT_SEND)
1981 			srpt_handle_send_comp(ch, send_ioctx);
1982 		else {
1983 			WARN_ON(opcode != SRPT_RDMA_ABORT &&
1984 				wc->opcode != IB_WC_RDMA_READ);
1985 			srpt_handle_rdma_comp(ch, send_ioctx, opcode);
1986 		}
1987 	} else {
1988 		if (opcode == SRPT_SEND) {
1989 			pr_info("sending response for idx %u failed"
1990 				" with status %d\n", index, wc->status);
1991 			srpt_handle_send_err_comp(ch, wc->wr_id);
1992 		} else if (opcode != SRPT_RDMA_MID) {
1993 			pr_info("RDMA t %d for idx %u failed with"
1994 				" status %d\n", opcode, index, wc->status);
1995 			srpt_handle_rdma_err_comp(ch, send_ioctx, opcode);
1996 		}
1997 	}
1998 
1999 	while (unlikely(opcode == SRPT_SEND
2000 			&& !list_empty(&ch->cmd_wait_list)
2001 			&& srpt_get_ch_state(ch) == CH_LIVE
2002 			&& (send_ioctx = srpt_get_send_ioctx(ch)) != NULL)) {
2003 		struct srpt_recv_ioctx *recv_ioctx;
2004 
2005 		recv_ioctx = list_first_entry(&ch->cmd_wait_list,
2006 					      struct srpt_recv_ioctx,
2007 					      wait_list);
2008 		list_del(&recv_ioctx->wait_list);
2009 		srpt_handle_new_iu(ch, recv_ioctx, send_ioctx);
2010 	}
2011 }
2012 
2013 static void srpt_process_completion(struct ib_cq *cq, struct srpt_rdma_ch *ch)
2014 {
2015 	struct ib_wc *const wc = ch->wc;
2016 	int i, n;
2017 
2018 	WARN_ON(cq != ch->cq);
2019 
2020 	ib_req_notify_cq(cq, IB_CQ_NEXT_COMP);
2021 	while ((n = ib_poll_cq(cq, ARRAY_SIZE(ch->wc), wc)) > 0) {
2022 		for (i = 0; i < n; i++) {
2023 			if (opcode_from_wr_id(wc[i].wr_id) == SRPT_RECV)
2024 				srpt_process_rcv_completion(cq, ch, &wc[i]);
2025 			else
2026 				srpt_process_send_completion(cq, ch, &wc[i]);
2027 		}
2028 	}
2029 }
2030 
2031 /**
2032  * srpt_completion() - IB completion queue callback function.
2033  *
2034  * Notes:
2035  * - It is guaranteed that a completion handler will never be invoked
2036  *   concurrently on two different CPUs for the same completion queue. See also
2037  *   Documentation/infiniband/core_locking.txt and the implementation of
2038  *   handle_edge_irq() in kernel/irq/chip.c.
2039  * - When threaded IRQs are enabled, completion handlers are invoked in thread
2040  *   context instead of interrupt context.
2041  */
2042 static void srpt_completion(struct ib_cq *cq, void *ctx)
2043 {
2044 	struct srpt_rdma_ch *ch = ctx;
2045 
2046 	wake_up_interruptible(&ch->wait_queue);
2047 }
2048 
2049 static int srpt_compl_thread(void *arg)
2050 {
2051 	struct srpt_rdma_ch *ch;
2052 
2053 	/* Hibernation / freezing of the SRPT kernel thread is not supported. */
2054 	current->flags |= PF_NOFREEZE;
2055 
2056 	ch = arg;
2057 	BUG_ON(!ch);
2058 	pr_info("Session %s: kernel thread %s (PID %d) started\n",
2059 		ch->sess_name, ch->thread->comm, current->pid);
2060 	while (!kthread_should_stop()) {
2061 		wait_event_interruptible(ch->wait_queue,
2062 			(srpt_process_completion(ch->cq, ch),
2063 			 kthread_should_stop()));
2064 	}
2065 	pr_info("Session %s: kernel thread %s (PID %d) stopped\n",
2066 		ch->sess_name, ch->thread->comm, current->pid);
2067 	return 0;
2068 }
2069 
2070 /**
2071  * srpt_create_ch_ib() - Create receive and send completion queues.
2072  */
2073 static int srpt_create_ch_ib(struct srpt_rdma_ch *ch)
2074 {
2075 	struct ib_qp_init_attr *qp_init;
2076 	struct srpt_port *sport = ch->sport;
2077 	struct srpt_device *sdev = sport->sdev;
2078 	u32 srp_sq_size = sport->port_attrib.srp_sq_size;
2079 	struct ib_cq_init_attr cq_attr = {};
2080 	int ret;
2081 
2082 	WARN_ON(ch->rq_size < 1);
2083 
2084 	ret = -ENOMEM;
2085 	qp_init = kzalloc(sizeof *qp_init, GFP_KERNEL);
2086 	if (!qp_init)
2087 		goto out;
2088 
2089 retry:
2090 	cq_attr.cqe = ch->rq_size + srp_sq_size;
2091 	ch->cq = ib_create_cq(sdev->device, srpt_completion, NULL, ch,
2092 			      &cq_attr);
2093 	if (IS_ERR(ch->cq)) {
2094 		ret = PTR_ERR(ch->cq);
2095 		pr_err("failed to create CQ cqe= %d ret= %d\n",
2096 		       ch->rq_size + srp_sq_size, ret);
2097 		goto out;
2098 	}
2099 
2100 	qp_init->qp_context = (void *)ch;
2101 	qp_init->event_handler
2102 		= (void(*)(struct ib_event *, void*))srpt_qp_event;
2103 	qp_init->send_cq = ch->cq;
2104 	qp_init->recv_cq = ch->cq;
2105 	qp_init->srq = sdev->srq;
2106 	qp_init->sq_sig_type = IB_SIGNAL_REQ_WR;
2107 	qp_init->qp_type = IB_QPT_RC;
2108 	qp_init->cap.max_send_wr = srp_sq_size;
2109 	qp_init->cap.max_send_sge = SRPT_DEF_SG_PER_WQE;
2110 
2111 	ch->qp = ib_create_qp(sdev->pd, qp_init);
2112 	if (IS_ERR(ch->qp)) {
2113 		ret = PTR_ERR(ch->qp);
2114 		if (ret == -ENOMEM) {
2115 			srp_sq_size /= 2;
2116 			if (srp_sq_size >= MIN_SRPT_SQ_SIZE) {
2117 				ib_destroy_cq(ch->cq);
2118 				goto retry;
2119 			}
2120 		}
2121 		pr_err("failed to create_qp ret= %d\n", ret);
2122 		goto err_destroy_cq;
2123 	}
2124 
2125 	atomic_set(&ch->sq_wr_avail, qp_init->cap.max_send_wr);
2126 
2127 	pr_debug("%s: max_cqe= %d max_sge= %d sq_size = %d cm_id= %p\n",
2128 		 __func__, ch->cq->cqe, qp_init->cap.max_send_sge,
2129 		 qp_init->cap.max_send_wr, ch->cm_id);
2130 
2131 	ret = srpt_init_ch_qp(ch, ch->qp);
2132 	if (ret)
2133 		goto err_destroy_qp;
2134 
2135 	init_waitqueue_head(&ch->wait_queue);
2136 
2137 	pr_debug("creating thread for session %s\n", ch->sess_name);
2138 
2139 	ch->thread = kthread_run(srpt_compl_thread, ch, "ib_srpt_compl");
2140 	if (IS_ERR(ch->thread)) {
2141 		pr_err("failed to create kernel thread %ld\n",
2142 		       PTR_ERR(ch->thread));
2143 		ch->thread = NULL;
2144 		goto err_destroy_qp;
2145 	}
2146 
2147 out:
2148 	kfree(qp_init);
2149 	return ret;
2150 
2151 err_destroy_qp:
2152 	ib_destroy_qp(ch->qp);
2153 err_destroy_cq:
2154 	ib_destroy_cq(ch->cq);
2155 	goto out;
2156 }
2157 
2158 static void srpt_destroy_ch_ib(struct srpt_rdma_ch *ch)
2159 {
2160 	if (ch->thread)
2161 		kthread_stop(ch->thread);
2162 
2163 	ib_destroy_qp(ch->qp);
2164 	ib_destroy_cq(ch->cq);
2165 }
2166 
2167 /**
2168  * __srpt_close_ch() - Close an RDMA channel by setting the QP error state.
2169  *
2170  * Reset the QP and make sure all resources associated with the channel will
2171  * be deallocated at an appropriate time.
2172  *
2173  * Note: The caller must hold ch->sport->sdev->spinlock.
2174  */
2175 static void __srpt_close_ch(struct srpt_rdma_ch *ch)
2176 {
2177 	enum rdma_ch_state prev_state;
2178 	unsigned long flags;
2179 
2180 	spin_lock_irqsave(&ch->spinlock, flags);
2181 	prev_state = ch->state;
2182 	switch (prev_state) {
2183 	case CH_CONNECTING:
2184 	case CH_LIVE:
2185 		ch->state = CH_DISCONNECTING;
2186 		break;
2187 	default:
2188 		break;
2189 	}
2190 	spin_unlock_irqrestore(&ch->spinlock, flags);
2191 
2192 	switch (prev_state) {
2193 	case CH_CONNECTING:
2194 		ib_send_cm_rej(ch->cm_id, IB_CM_REJ_NO_RESOURCES, NULL, 0,
2195 			       NULL, 0);
2196 		/* fall through */
2197 	case CH_LIVE:
2198 		if (ib_send_cm_dreq(ch->cm_id, NULL, 0) < 0)
2199 			pr_err("sending CM DREQ failed.\n");
2200 		break;
2201 	case CH_DISCONNECTING:
2202 		break;
2203 	case CH_DRAINING:
2204 	case CH_RELEASING:
2205 		break;
2206 	}
2207 }
2208 
2209 /**
2210  * srpt_close_ch() - Close an RDMA channel.
2211  */
2212 static void srpt_close_ch(struct srpt_rdma_ch *ch)
2213 {
2214 	struct srpt_device *sdev;
2215 
2216 	sdev = ch->sport->sdev;
2217 	spin_lock_irq(&sdev->spinlock);
2218 	__srpt_close_ch(ch);
2219 	spin_unlock_irq(&sdev->spinlock);
2220 }
2221 
2222 /**
2223  * srpt_shutdown_session() - Whether or not a session may be shut down.
2224  */
2225 static int srpt_shutdown_session(struct se_session *se_sess)
2226 {
2227 	struct srpt_rdma_ch *ch = se_sess->fabric_sess_ptr;
2228 	unsigned long flags;
2229 
2230 	spin_lock_irqsave(&ch->spinlock, flags);
2231 	if (ch->in_shutdown) {
2232 		spin_unlock_irqrestore(&ch->spinlock, flags);
2233 		return true;
2234 	}
2235 
2236 	ch->in_shutdown = true;
2237 	target_sess_cmd_list_set_waiting(se_sess);
2238 	spin_unlock_irqrestore(&ch->spinlock, flags);
2239 
2240 	return true;
2241 }
2242 
2243 /**
2244  * srpt_drain_channel() - Drain a channel by resetting the IB queue pair.
2245  * @cm_id: Pointer to the CM ID of the channel to be drained.
2246  *
2247  * Note: Must be called from inside srpt_cm_handler to avoid a race between
2248  * accessing sdev->spinlock and the call to kfree(sdev) in srpt_remove_one()
2249  * (the caller of srpt_cm_handler holds the cm_id spinlock; srpt_remove_one()
2250  * waits until all target sessions for the associated IB device have been
2251  * unregistered and target session registration involves a call to
2252  * ib_destroy_cm_id(), which locks the cm_id spinlock and hence waits until
2253  * this function has finished).
2254  */
2255 static void srpt_drain_channel(struct ib_cm_id *cm_id)
2256 {
2257 	struct srpt_device *sdev;
2258 	struct srpt_rdma_ch *ch;
2259 	int ret;
2260 	bool do_reset = false;
2261 
2262 	WARN_ON_ONCE(irqs_disabled());
2263 
2264 	sdev = cm_id->context;
2265 	BUG_ON(!sdev);
2266 	spin_lock_irq(&sdev->spinlock);
2267 	list_for_each_entry(ch, &sdev->rch_list, list) {
2268 		if (ch->cm_id == cm_id) {
2269 			do_reset = srpt_test_and_set_ch_state(ch,
2270 					CH_CONNECTING, CH_DRAINING) ||
2271 				   srpt_test_and_set_ch_state(ch,
2272 					CH_LIVE, CH_DRAINING) ||
2273 				   srpt_test_and_set_ch_state(ch,
2274 					CH_DISCONNECTING, CH_DRAINING);
2275 			break;
2276 		}
2277 	}
2278 	spin_unlock_irq(&sdev->spinlock);
2279 
2280 	if (do_reset) {
2281 		if (ch->sess)
2282 			srpt_shutdown_session(ch->sess);
2283 
2284 		ret = srpt_ch_qp_err(ch);
2285 		if (ret < 0)
2286 			pr_err("Setting queue pair in error state"
2287 			       " failed: %d\n", ret);
2288 	}
2289 }
2290 
2291 /**
2292  * srpt_find_channel() - Look up an RDMA channel.
2293  * @cm_id: Pointer to the CM ID of the channel to be looked up.
2294  *
2295  * Return NULL if no matching RDMA channel has been found.
2296  */
2297 static struct srpt_rdma_ch *srpt_find_channel(struct srpt_device *sdev,
2298 					      struct ib_cm_id *cm_id)
2299 {
2300 	struct srpt_rdma_ch *ch;
2301 	bool found;
2302 
2303 	WARN_ON_ONCE(irqs_disabled());
2304 	BUG_ON(!sdev);
2305 
2306 	found = false;
2307 	spin_lock_irq(&sdev->spinlock);
2308 	list_for_each_entry(ch, &sdev->rch_list, list) {
2309 		if (ch->cm_id == cm_id) {
2310 			found = true;
2311 			break;
2312 		}
2313 	}
2314 	spin_unlock_irq(&sdev->spinlock);
2315 
2316 	return found ? ch : NULL;
2317 }
2318 
2319 /**
2320  * srpt_release_channel() - Release channel resources.
2321  *
2322  * Schedules the actual release because:
2323  * - Calling the ib_destroy_cm_id() call from inside an IB CM callback would
2324  *   trigger a deadlock.
2325  * - It is not safe to call TCM transport_* functions from interrupt context.
2326  */
2327 static void srpt_release_channel(struct srpt_rdma_ch *ch)
2328 {
2329 	schedule_work(&ch->release_work);
2330 }
2331 
2332 static void srpt_release_channel_work(struct work_struct *w)
2333 {
2334 	struct srpt_rdma_ch *ch;
2335 	struct srpt_device *sdev;
2336 	struct se_session *se_sess;
2337 
2338 	ch = container_of(w, struct srpt_rdma_ch, release_work);
2339 	pr_debug("ch = %p; ch->sess = %p; release_done = %p\n", ch, ch->sess,
2340 		 ch->release_done);
2341 
2342 	sdev = ch->sport->sdev;
2343 	BUG_ON(!sdev);
2344 
2345 	se_sess = ch->sess;
2346 	BUG_ON(!se_sess);
2347 
2348 	target_wait_for_sess_cmds(se_sess);
2349 
2350 	transport_deregister_session_configfs(se_sess);
2351 	transport_deregister_session(se_sess);
2352 	ch->sess = NULL;
2353 
2354 	ib_destroy_cm_id(ch->cm_id);
2355 
2356 	srpt_destroy_ch_ib(ch);
2357 
2358 	srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
2359 			     ch->sport->sdev, ch->rq_size,
2360 			     ch->rsp_size, DMA_TO_DEVICE);
2361 
2362 	spin_lock_irq(&sdev->spinlock);
2363 	list_del(&ch->list);
2364 	spin_unlock_irq(&sdev->spinlock);
2365 
2366 	if (ch->release_done)
2367 		complete(ch->release_done);
2368 
2369 	wake_up(&sdev->ch_releaseQ);
2370 
2371 	kfree(ch);
2372 }
2373 
2374 static struct srpt_node_acl *__srpt_lookup_acl(struct srpt_port *sport,
2375 					       u8 i_port_id[16])
2376 {
2377 	struct srpt_node_acl *nacl;
2378 
2379 	list_for_each_entry(nacl, &sport->port_acl_list, list)
2380 		if (memcmp(nacl->i_port_id, i_port_id,
2381 			   sizeof(nacl->i_port_id)) == 0)
2382 			return nacl;
2383 
2384 	return NULL;
2385 }
2386 
2387 static struct srpt_node_acl *srpt_lookup_acl(struct srpt_port *sport,
2388 					     u8 i_port_id[16])
2389 {
2390 	struct srpt_node_acl *nacl;
2391 
2392 	spin_lock_irq(&sport->port_acl_lock);
2393 	nacl = __srpt_lookup_acl(sport, i_port_id);
2394 	spin_unlock_irq(&sport->port_acl_lock);
2395 
2396 	return nacl;
2397 }
2398 
2399 /**
2400  * srpt_cm_req_recv() - Process the event IB_CM_REQ_RECEIVED.
2401  *
2402  * Ownership of the cm_id is transferred to the target session if this
2403  * functions returns zero. Otherwise the caller remains the owner of cm_id.
2404  */
2405 static int srpt_cm_req_recv(struct ib_cm_id *cm_id,
2406 			    struct ib_cm_req_event_param *param,
2407 			    void *private_data)
2408 {
2409 	struct srpt_device *sdev = cm_id->context;
2410 	struct srpt_port *sport = &sdev->port[param->port - 1];
2411 	struct srp_login_req *req;
2412 	struct srp_login_rsp *rsp;
2413 	struct srp_login_rej *rej;
2414 	struct ib_cm_rep_param *rep_param;
2415 	struct srpt_rdma_ch *ch, *tmp_ch;
2416 	struct srpt_node_acl *nacl;
2417 	u32 it_iu_len;
2418 	int i;
2419 	int ret = 0;
2420 
2421 	WARN_ON_ONCE(irqs_disabled());
2422 
2423 	if (WARN_ON(!sdev || !private_data))
2424 		return -EINVAL;
2425 
2426 	req = (struct srp_login_req *)private_data;
2427 
2428 	it_iu_len = be32_to_cpu(req->req_it_iu_len);
2429 
2430 	pr_info("Received SRP_LOGIN_REQ with i_port_id 0x%llx:0x%llx,"
2431 		" t_port_id 0x%llx:0x%llx and it_iu_len %d on port %d"
2432 		" (guid=0x%llx:0x%llx)\n",
2433 		be64_to_cpu(*(__be64 *)&req->initiator_port_id[0]),
2434 		be64_to_cpu(*(__be64 *)&req->initiator_port_id[8]),
2435 		be64_to_cpu(*(__be64 *)&req->target_port_id[0]),
2436 		be64_to_cpu(*(__be64 *)&req->target_port_id[8]),
2437 		it_iu_len,
2438 		param->port,
2439 		be64_to_cpu(*(__be64 *)&sdev->port[param->port - 1].gid.raw[0]),
2440 		be64_to_cpu(*(__be64 *)&sdev->port[param->port - 1].gid.raw[8]));
2441 
2442 	rsp = kzalloc(sizeof *rsp, GFP_KERNEL);
2443 	rej = kzalloc(sizeof *rej, GFP_KERNEL);
2444 	rep_param = kzalloc(sizeof *rep_param, GFP_KERNEL);
2445 
2446 	if (!rsp || !rej || !rep_param) {
2447 		ret = -ENOMEM;
2448 		goto out;
2449 	}
2450 
2451 	if (it_iu_len > srp_max_req_size || it_iu_len < 64) {
2452 		rej->reason = cpu_to_be32(
2453 			      SRP_LOGIN_REJ_REQ_IT_IU_LENGTH_TOO_LARGE);
2454 		ret = -EINVAL;
2455 		pr_err("rejected SRP_LOGIN_REQ because its"
2456 		       " length (%d bytes) is out of range (%d .. %d)\n",
2457 		       it_iu_len, 64, srp_max_req_size);
2458 		goto reject;
2459 	}
2460 
2461 	if (!sport->enabled) {
2462 		rej->reason = cpu_to_be32(
2463 			      SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2464 		ret = -EINVAL;
2465 		pr_err("rejected SRP_LOGIN_REQ because the target port"
2466 		       " has not yet been enabled\n");
2467 		goto reject;
2468 	}
2469 
2470 	if ((req->req_flags & SRP_MTCH_ACTION) == SRP_MULTICHAN_SINGLE) {
2471 		rsp->rsp_flags = SRP_LOGIN_RSP_MULTICHAN_NO_CHAN;
2472 
2473 		spin_lock_irq(&sdev->spinlock);
2474 
2475 		list_for_each_entry_safe(ch, tmp_ch, &sdev->rch_list, list) {
2476 			if (!memcmp(ch->i_port_id, req->initiator_port_id, 16)
2477 			    && !memcmp(ch->t_port_id, req->target_port_id, 16)
2478 			    && param->port == ch->sport->port
2479 			    && param->listen_id == ch->sport->sdev->cm_id
2480 			    && ch->cm_id) {
2481 				enum rdma_ch_state ch_state;
2482 
2483 				ch_state = srpt_get_ch_state(ch);
2484 				if (ch_state != CH_CONNECTING
2485 				    && ch_state != CH_LIVE)
2486 					continue;
2487 
2488 				/* found an existing channel */
2489 				pr_debug("Found existing channel %s"
2490 					 " cm_id= %p state= %d\n",
2491 					 ch->sess_name, ch->cm_id, ch_state);
2492 
2493 				__srpt_close_ch(ch);
2494 
2495 				rsp->rsp_flags =
2496 					SRP_LOGIN_RSP_MULTICHAN_TERMINATED;
2497 			}
2498 		}
2499 
2500 		spin_unlock_irq(&sdev->spinlock);
2501 
2502 	} else
2503 		rsp->rsp_flags = SRP_LOGIN_RSP_MULTICHAN_MAINTAINED;
2504 
2505 	if (*(__be64 *)req->target_port_id != cpu_to_be64(srpt_service_guid)
2506 	    || *(__be64 *)(req->target_port_id + 8) !=
2507 	       cpu_to_be64(srpt_service_guid)) {
2508 		rej->reason = cpu_to_be32(
2509 			      SRP_LOGIN_REJ_UNABLE_ASSOCIATE_CHANNEL);
2510 		ret = -ENOMEM;
2511 		pr_err("rejected SRP_LOGIN_REQ because it"
2512 		       " has an invalid target port identifier.\n");
2513 		goto reject;
2514 	}
2515 
2516 	ch = kzalloc(sizeof *ch, GFP_KERNEL);
2517 	if (!ch) {
2518 		rej->reason = cpu_to_be32(
2519 			      SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2520 		pr_err("rejected SRP_LOGIN_REQ because no memory.\n");
2521 		ret = -ENOMEM;
2522 		goto reject;
2523 	}
2524 
2525 	INIT_WORK(&ch->release_work, srpt_release_channel_work);
2526 	memcpy(ch->i_port_id, req->initiator_port_id, 16);
2527 	memcpy(ch->t_port_id, req->target_port_id, 16);
2528 	ch->sport = &sdev->port[param->port - 1];
2529 	ch->cm_id = cm_id;
2530 	/*
2531 	 * Avoid QUEUE_FULL conditions by limiting the number of buffers used
2532 	 * for the SRP protocol to the command queue size.
2533 	 */
2534 	ch->rq_size = SRPT_RQ_SIZE;
2535 	spin_lock_init(&ch->spinlock);
2536 	ch->state = CH_CONNECTING;
2537 	INIT_LIST_HEAD(&ch->cmd_wait_list);
2538 	ch->rsp_size = ch->sport->port_attrib.srp_max_rsp_size;
2539 
2540 	ch->ioctx_ring = (struct srpt_send_ioctx **)
2541 		srpt_alloc_ioctx_ring(ch->sport->sdev, ch->rq_size,
2542 				      sizeof(*ch->ioctx_ring[0]),
2543 				      ch->rsp_size, DMA_TO_DEVICE);
2544 	if (!ch->ioctx_ring)
2545 		goto free_ch;
2546 
2547 	INIT_LIST_HEAD(&ch->free_list);
2548 	for (i = 0; i < ch->rq_size; i++) {
2549 		ch->ioctx_ring[i]->ch = ch;
2550 		list_add_tail(&ch->ioctx_ring[i]->free_list, &ch->free_list);
2551 	}
2552 
2553 	ret = srpt_create_ch_ib(ch);
2554 	if (ret) {
2555 		rej->reason = cpu_to_be32(
2556 			      SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2557 		pr_err("rejected SRP_LOGIN_REQ because creating"
2558 		       " a new RDMA channel failed.\n");
2559 		goto free_ring;
2560 	}
2561 
2562 	ret = srpt_ch_qp_rtr(ch, ch->qp);
2563 	if (ret) {
2564 		rej->reason = cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2565 		pr_err("rejected SRP_LOGIN_REQ because enabling"
2566 		       " RTR failed (error code = %d)\n", ret);
2567 		goto destroy_ib;
2568 	}
2569 	/*
2570 	 * Use the initator port identifier as the session name.
2571 	 */
2572 	snprintf(ch->sess_name, sizeof(ch->sess_name), "0x%016llx%016llx",
2573 			be64_to_cpu(*(__be64 *)ch->i_port_id),
2574 			be64_to_cpu(*(__be64 *)(ch->i_port_id + 8)));
2575 
2576 	pr_debug("registering session %s\n", ch->sess_name);
2577 
2578 	nacl = srpt_lookup_acl(sport, ch->i_port_id);
2579 	if (!nacl) {
2580 		pr_info("Rejected login because no ACL has been"
2581 			" configured yet for initiator %s.\n", ch->sess_name);
2582 		rej->reason = cpu_to_be32(
2583 			      SRP_LOGIN_REJ_CHANNEL_LIMIT_REACHED);
2584 		goto destroy_ib;
2585 	}
2586 
2587 	ch->sess = transport_init_session(TARGET_PROT_NORMAL);
2588 	if (IS_ERR(ch->sess)) {
2589 		rej->reason = cpu_to_be32(
2590 			      SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
2591 		pr_debug("Failed to create session\n");
2592 		goto deregister_session;
2593 	}
2594 	ch->sess->se_node_acl = &nacl->nacl;
2595 	transport_register_session(&sport->port_tpg_1, &nacl->nacl, ch->sess, ch);
2596 
2597 	pr_debug("Establish connection sess=%p name=%s cm_id=%p\n", ch->sess,
2598 		 ch->sess_name, ch->cm_id);
2599 
2600 	/* create srp_login_response */
2601 	rsp->opcode = SRP_LOGIN_RSP;
2602 	rsp->tag = req->tag;
2603 	rsp->max_it_iu_len = req->req_it_iu_len;
2604 	rsp->max_ti_iu_len = req->req_it_iu_len;
2605 	ch->max_ti_iu_len = it_iu_len;
2606 	rsp->buf_fmt = cpu_to_be16(SRP_BUF_FORMAT_DIRECT
2607 				   | SRP_BUF_FORMAT_INDIRECT);
2608 	rsp->req_lim_delta = cpu_to_be32(ch->rq_size);
2609 	atomic_set(&ch->req_lim, ch->rq_size);
2610 	atomic_set(&ch->req_lim_delta, 0);
2611 
2612 	/* create cm reply */
2613 	rep_param->qp_num = ch->qp->qp_num;
2614 	rep_param->private_data = (void *)rsp;
2615 	rep_param->private_data_len = sizeof *rsp;
2616 	rep_param->rnr_retry_count = 7;
2617 	rep_param->flow_control = 1;
2618 	rep_param->failover_accepted = 0;
2619 	rep_param->srq = 1;
2620 	rep_param->responder_resources = 4;
2621 	rep_param->initiator_depth = 4;
2622 
2623 	ret = ib_send_cm_rep(cm_id, rep_param);
2624 	if (ret) {
2625 		pr_err("sending SRP_LOGIN_REQ response failed"
2626 		       " (error code = %d)\n", ret);
2627 		goto release_channel;
2628 	}
2629 
2630 	spin_lock_irq(&sdev->spinlock);
2631 	list_add_tail(&ch->list, &sdev->rch_list);
2632 	spin_unlock_irq(&sdev->spinlock);
2633 
2634 	goto out;
2635 
2636 release_channel:
2637 	srpt_set_ch_state(ch, CH_RELEASING);
2638 	transport_deregister_session_configfs(ch->sess);
2639 
2640 deregister_session:
2641 	transport_deregister_session(ch->sess);
2642 	ch->sess = NULL;
2643 
2644 destroy_ib:
2645 	srpt_destroy_ch_ib(ch);
2646 
2647 free_ring:
2648 	srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
2649 			     ch->sport->sdev, ch->rq_size,
2650 			     ch->rsp_size, DMA_TO_DEVICE);
2651 free_ch:
2652 	kfree(ch);
2653 
2654 reject:
2655 	rej->opcode = SRP_LOGIN_REJ;
2656 	rej->tag = req->tag;
2657 	rej->buf_fmt = cpu_to_be16(SRP_BUF_FORMAT_DIRECT
2658 				   | SRP_BUF_FORMAT_INDIRECT);
2659 
2660 	ib_send_cm_rej(cm_id, IB_CM_REJ_CONSUMER_DEFINED, NULL, 0,
2661 			     (void *)rej, sizeof *rej);
2662 
2663 out:
2664 	kfree(rep_param);
2665 	kfree(rsp);
2666 	kfree(rej);
2667 
2668 	return ret;
2669 }
2670 
2671 static void srpt_cm_rej_recv(struct ib_cm_id *cm_id)
2672 {
2673 	pr_info("Received IB REJ for cm_id %p.\n", cm_id);
2674 	srpt_drain_channel(cm_id);
2675 }
2676 
2677 /**
2678  * srpt_cm_rtu_recv() - Process an IB_CM_RTU_RECEIVED or USER_ESTABLISHED event.
2679  *
2680  * An IB_CM_RTU_RECEIVED message indicates that the connection is established
2681  * and that the recipient may begin transmitting (RTU = ready to use).
2682  */
2683 static void srpt_cm_rtu_recv(struct ib_cm_id *cm_id)
2684 {
2685 	struct srpt_rdma_ch *ch;
2686 	int ret;
2687 
2688 	ch = srpt_find_channel(cm_id->context, cm_id);
2689 	BUG_ON(!ch);
2690 
2691 	if (srpt_test_and_set_ch_state(ch, CH_CONNECTING, CH_LIVE)) {
2692 		struct srpt_recv_ioctx *ioctx, *ioctx_tmp;
2693 
2694 		ret = srpt_ch_qp_rts(ch, ch->qp);
2695 
2696 		list_for_each_entry_safe(ioctx, ioctx_tmp, &ch->cmd_wait_list,
2697 					 wait_list) {
2698 			list_del(&ioctx->wait_list);
2699 			srpt_handle_new_iu(ch, ioctx, NULL);
2700 		}
2701 		if (ret)
2702 			srpt_close_ch(ch);
2703 	}
2704 }
2705 
2706 static void srpt_cm_timewait_exit(struct ib_cm_id *cm_id)
2707 {
2708 	pr_info("Received IB TimeWait exit for cm_id %p.\n", cm_id);
2709 	srpt_drain_channel(cm_id);
2710 }
2711 
2712 static void srpt_cm_rep_error(struct ib_cm_id *cm_id)
2713 {
2714 	pr_info("Received IB REP error for cm_id %p.\n", cm_id);
2715 	srpt_drain_channel(cm_id);
2716 }
2717 
2718 /**
2719  * srpt_cm_dreq_recv() - Process reception of a DREQ message.
2720  */
2721 static void srpt_cm_dreq_recv(struct ib_cm_id *cm_id)
2722 {
2723 	struct srpt_rdma_ch *ch;
2724 	unsigned long flags;
2725 	bool send_drep = false;
2726 
2727 	ch = srpt_find_channel(cm_id->context, cm_id);
2728 	BUG_ON(!ch);
2729 
2730 	pr_debug("cm_id= %p ch->state= %d\n", cm_id, srpt_get_ch_state(ch));
2731 
2732 	spin_lock_irqsave(&ch->spinlock, flags);
2733 	switch (ch->state) {
2734 	case CH_CONNECTING:
2735 	case CH_LIVE:
2736 		send_drep = true;
2737 		ch->state = CH_DISCONNECTING;
2738 		break;
2739 	case CH_DISCONNECTING:
2740 	case CH_DRAINING:
2741 	case CH_RELEASING:
2742 		WARN(true, "unexpected channel state %d\n", ch->state);
2743 		break;
2744 	}
2745 	spin_unlock_irqrestore(&ch->spinlock, flags);
2746 
2747 	if (send_drep) {
2748 		if (ib_send_cm_drep(ch->cm_id, NULL, 0) < 0)
2749 			pr_err("Sending IB DREP failed.\n");
2750 		pr_info("Received DREQ and sent DREP for session %s.\n",
2751 			ch->sess_name);
2752 	}
2753 }
2754 
2755 /**
2756  * srpt_cm_drep_recv() - Process reception of a DREP message.
2757  */
2758 static void srpt_cm_drep_recv(struct ib_cm_id *cm_id)
2759 {
2760 	pr_info("Received InfiniBand DREP message for cm_id %p.\n", cm_id);
2761 	srpt_drain_channel(cm_id);
2762 }
2763 
2764 /**
2765  * srpt_cm_handler() - IB connection manager callback function.
2766  *
2767  * A non-zero return value will cause the caller destroy the CM ID.
2768  *
2769  * Note: srpt_cm_handler() must only return a non-zero value when transferring
2770  * ownership of the cm_id to a channel by srpt_cm_req_recv() failed. Returning
2771  * a non-zero value in any other case will trigger a race with the
2772  * ib_destroy_cm_id() call in srpt_release_channel().
2773  */
2774 static int srpt_cm_handler(struct ib_cm_id *cm_id, struct ib_cm_event *event)
2775 {
2776 	int ret;
2777 
2778 	ret = 0;
2779 	switch (event->event) {
2780 	case IB_CM_REQ_RECEIVED:
2781 		ret = srpt_cm_req_recv(cm_id, &event->param.req_rcvd,
2782 				       event->private_data);
2783 		break;
2784 	case IB_CM_REJ_RECEIVED:
2785 		srpt_cm_rej_recv(cm_id);
2786 		break;
2787 	case IB_CM_RTU_RECEIVED:
2788 	case IB_CM_USER_ESTABLISHED:
2789 		srpt_cm_rtu_recv(cm_id);
2790 		break;
2791 	case IB_CM_DREQ_RECEIVED:
2792 		srpt_cm_dreq_recv(cm_id);
2793 		break;
2794 	case IB_CM_DREP_RECEIVED:
2795 		srpt_cm_drep_recv(cm_id);
2796 		break;
2797 	case IB_CM_TIMEWAIT_EXIT:
2798 		srpt_cm_timewait_exit(cm_id);
2799 		break;
2800 	case IB_CM_REP_ERROR:
2801 		srpt_cm_rep_error(cm_id);
2802 		break;
2803 	case IB_CM_DREQ_ERROR:
2804 		pr_info("Received IB DREQ ERROR event.\n");
2805 		break;
2806 	case IB_CM_MRA_RECEIVED:
2807 		pr_info("Received IB MRA event\n");
2808 		break;
2809 	default:
2810 		pr_err("received unrecognized IB CM event %d\n", event->event);
2811 		break;
2812 	}
2813 
2814 	return ret;
2815 }
2816 
2817 /**
2818  * srpt_perform_rdmas() - Perform IB RDMA.
2819  *
2820  * Returns zero upon success or a negative number upon failure.
2821  */
2822 static int srpt_perform_rdmas(struct srpt_rdma_ch *ch,
2823 			      struct srpt_send_ioctx *ioctx)
2824 {
2825 	struct ib_send_wr wr;
2826 	struct ib_send_wr *bad_wr;
2827 	struct rdma_iu *riu;
2828 	int i;
2829 	int ret;
2830 	int sq_wr_avail;
2831 	enum dma_data_direction dir;
2832 	const int n_rdma = ioctx->n_rdma;
2833 
2834 	dir = ioctx->cmd.data_direction;
2835 	if (dir == DMA_TO_DEVICE) {
2836 		/* write */
2837 		ret = -ENOMEM;
2838 		sq_wr_avail = atomic_sub_return(n_rdma, &ch->sq_wr_avail);
2839 		if (sq_wr_avail < 0) {
2840 			pr_warn("IB send queue full (needed %d)\n",
2841 				n_rdma);
2842 			goto out;
2843 		}
2844 	}
2845 
2846 	ioctx->rdma_aborted = false;
2847 	ret = 0;
2848 	riu = ioctx->rdma_ius;
2849 	memset(&wr, 0, sizeof wr);
2850 
2851 	for (i = 0; i < n_rdma; ++i, ++riu) {
2852 		if (dir == DMA_FROM_DEVICE) {
2853 			wr.opcode = IB_WR_RDMA_WRITE;
2854 			wr.wr_id = encode_wr_id(i == n_rdma - 1 ?
2855 						SRPT_RDMA_WRITE_LAST :
2856 						SRPT_RDMA_MID,
2857 						ioctx->ioctx.index);
2858 		} else {
2859 			wr.opcode = IB_WR_RDMA_READ;
2860 			wr.wr_id = encode_wr_id(i == n_rdma - 1 ?
2861 						SRPT_RDMA_READ_LAST :
2862 						SRPT_RDMA_MID,
2863 						ioctx->ioctx.index);
2864 		}
2865 		wr.next = NULL;
2866 		wr.wr.rdma.remote_addr = riu->raddr;
2867 		wr.wr.rdma.rkey = riu->rkey;
2868 		wr.num_sge = riu->sge_cnt;
2869 		wr.sg_list = riu->sge;
2870 
2871 		/* only get completion event for the last rdma write */
2872 		if (i == (n_rdma - 1) && dir == DMA_TO_DEVICE)
2873 			wr.send_flags = IB_SEND_SIGNALED;
2874 
2875 		ret = ib_post_send(ch->qp, &wr, &bad_wr);
2876 		if (ret)
2877 			break;
2878 	}
2879 
2880 	if (ret)
2881 		pr_err("%s[%d]: ib_post_send() returned %d for %d/%d\n",
2882 				 __func__, __LINE__, ret, i, n_rdma);
2883 	if (ret && i > 0) {
2884 		wr.num_sge = 0;
2885 		wr.wr_id = encode_wr_id(SRPT_RDMA_ABORT, ioctx->ioctx.index);
2886 		wr.send_flags = IB_SEND_SIGNALED;
2887 		while (ch->state == CH_LIVE &&
2888 			ib_post_send(ch->qp, &wr, &bad_wr) != 0) {
2889 			pr_info("Trying to abort failed RDMA transfer [%d]\n",
2890 				ioctx->ioctx.index);
2891 			msleep(1000);
2892 		}
2893 		while (ch->state != CH_RELEASING && !ioctx->rdma_aborted) {
2894 			pr_info("Waiting until RDMA abort finished [%d]\n",
2895 				ioctx->ioctx.index);
2896 			msleep(1000);
2897 		}
2898 	}
2899 out:
2900 	if (unlikely(dir == DMA_TO_DEVICE && ret < 0))
2901 		atomic_add(n_rdma, &ch->sq_wr_avail);
2902 	return ret;
2903 }
2904 
2905 /**
2906  * srpt_xfer_data() - Start data transfer from initiator to target.
2907  */
2908 static int srpt_xfer_data(struct srpt_rdma_ch *ch,
2909 			  struct srpt_send_ioctx *ioctx)
2910 {
2911 	int ret;
2912 
2913 	ret = srpt_map_sg_to_ib_sge(ch, ioctx);
2914 	if (ret) {
2915 		pr_err("%s[%d] ret=%d\n", __func__, __LINE__, ret);
2916 		goto out;
2917 	}
2918 
2919 	ret = srpt_perform_rdmas(ch, ioctx);
2920 	if (ret) {
2921 		if (ret == -EAGAIN || ret == -ENOMEM)
2922 			pr_info("%s[%d] queue full -- ret=%d\n",
2923 				__func__, __LINE__, ret);
2924 		else
2925 			pr_err("%s[%d] fatal error -- ret=%d\n",
2926 			       __func__, __LINE__, ret);
2927 		goto out_unmap;
2928 	}
2929 
2930 out:
2931 	return ret;
2932 out_unmap:
2933 	srpt_unmap_sg_to_ib_sge(ch, ioctx);
2934 	goto out;
2935 }
2936 
2937 static int srpt_write_pending_status(struct se_cmd *se_cmd)
2938 {
2939 	struct srpt_send_ioctx *ioctx;
2940 
2941 	ioctx = container_of(se_cmd, struct srpt_send_ioctx, cmd);
2942 	return srpt_get_cmd_state(ioctx) == SRPT_STATE_NEED_DATA;
2943 }
2944 
2945 /*
2946  * srpt_write_pending() - Start data transfer from initiator to target (write).
2947  */
2948 static int srpt_write_pending(struct se_cmd *se_cmd)
2949 {
2950 	struct srpt_rdma_ch *ch;
2951 	struct srpt_send_ioctx *ioctx;
2952 	enum srpt_command_state new_state;
2953 	enum rdma_ch_state ch_state;
2954 	int ret;
2955 
2956 	ioctx = container_of(se_cmd, struct srpt_send_ioctx, cmd);
2957 
2958 	new_state = srpt_set_cmd_state(ioctx, SRPT_STATE_NEED_DATA);
2959 	WARN_ON(new_state == SRPT_STATE_DONE);
2960 
2961 	ch = ioctx->ch;
2962 	BUG_ON(!ch);
2963 
2964 	ch_state = srpt_get_ch_state(ch);
2965 	switch (ch_state) {
2966 	case CH_CONNECTING:
2967 		WARN(true, "unexpected channel state %d\n", ch_state);
2968 		ret = -EINVAL;
2969 		goto out;
2970 	case CH_LIVE:
2971 		break;
2972 	case CH_DISCONNECTING:
2973 	case CH_DRAINING:
2974 	case CH_RELEASING:
2975 		pr_debug("cmd with tag %lld: channel disconnecting\n",
2976 			 ioctx->cmd.tag);
2977 		srpt_set_cmd_state(ioctx, SRPT_STATE_DATA_IN);
2978 		ret = -EINVAL;
2979 		goto out;
2980 	}
2981 	ret = srpt_xfer_data(ch, ioctx);
2982 
2983 out:
2984 	return ret;
2985 }
2986 
2987 static u8 tcm_to_srp_tsk_mgmt_status(const int tcm_mgmt_status)
2988 {
2989 	switch (tcm_mgmt_status) {
2990 	case TMR_FUNCTION_COMPLETE:
2991 		return SRP_TSK_MGMT_SUCCESS;
2992 	case TMR_FUNCTION_REJECTED:
2993 		return SRP_TSK_MGMT_FUNC_NOT_SUPP;
2994 	}
2995 	return SRP_TSK_MGMT_FAILED;
2996 }
2997 
2998 /**
2999  * srpt_queue_response() - Transmits the response to a SCSI command.
3000  *
3001  * Callback function called by the TCM core. Must not block since it can be
3002  * invoked on the context of the IB completion handler.
3003  */
3004 static void srpt_queue_response(struct se_cmd *cmd)
3005 {
3006 	struct srpt_rdma_ch *ch;
3007 	struct srpt_send_ioctx *ioctx;
3008 	enum srpt_command_state state;
3009 	unsigned long flags;
3010 	int ret;
3011 	enum dma_data_direction dir;
3012 	int resp_len;
3013 	u8 srp_tm_status;
3014 
3015 	ioctx = container_of(cmd, struct srpt_send_ioctx, cmd);
3016 	ch = ioctx->ch;
3017 	BUG_ON(!ch);
3018 
3019 	spin_lock_irqsave(&ioctx->spinlock, flags);
3020 	state = ioctx->state;
3021 	switch (state) {
3022 	case SRPT_STATE_NEW:
3023 	case SRPT_STATE_DATA_IN:
3024 		ioctx->state = SRPT_STATE_CMD_RSP_SENT;
3025 		break;
3026 	case SRPT_STATE_MGMT:
3027 		ioctx->state = SRPT_STATE_MGMT_RSP_SENT;
3028 		break;
3029 	default:
3030 		WARN(true, "ch %p; cmd %d: unexpected command state %d\n",
3031 			ch, ioctx->ioctx.index, ioctx->state);
3032 		break;
3033 	}
3034 	spin_unlock_irqrestore(&ioctx->spinlock, flags);
3035 
3036 	if (unlikely(transport_check_aborted_status(&ioctx->cmd, false)
3037 		     || WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) {
3038 		atomic_inc(&ch->req_lim_delta);
3039 		srpt_abort_cmd(ioctx);
3040 		return;
3041 	}
3042 
3043 	dir = ioctx->cmd.data_direction;
3044 
3045 	/* For read commands, transfer the data to the initiator. */
3046 	if (dir == DMA_FROM_DEVICE && ioctx->cmd.data_length &&
3047 	    !ioctx->queue_status_only) {
3048 		ret = srpt_xfer_data(ch, ioctx);
3049 		if (ret) {
3050 			pr_err("xfer_data failed for tag %llu\n",
3051 			       ioctx->cmd.tag);
3052 			return;
3053 		}
3054 	}
3055 
3056 	if (state != SRPT_STATE_MGMT)
3057 		resp_len = srpt_build_cmd_rsp(ch, ioctx, ioctx->cmd.tag,
3058 					      cmd->scsi_status);
3059 	else {
3060 		srp_tm_status
3061 			= tcm_to_srp_tsk_mgmt_status(cmd->se_tmr_req->response);
3062 		resp_len = srpt_build_tskmgmt_rsp(ch, ioctx, srp_tm_status,
3063 						 ioctx->cmd.tag);
3064 	}
3065 	ret = srpt_post_send(ch, ioctx, resp_len);
3066 	if (ret) {
3067 		pr_err("sending cmd response failed for tag %llu\n",
3068 		       ioctx->cmd.tag);
3069 		srpt_unmap_sg_to_ib_sge(ch, ioctx);
3070 		srpt_set_cmd_state(ioctx, SRPT_STATE_DONE);
3071 		target_put_sess_cmd(&ioctx->cmd);
3072 	}
3073 }
3074 
3075 static int srpt_queue_data_in(struct se_cmd *cmd)
3076 {
3077 	srpt_queue_response(cmd);
3078 	return 0;
3079 }
3080 
3081 static void srpt_queue_tm_rsp(struct se_cmd *cmd)
3082 {
3083 	srpt_queue_response(cmd);
3084 }
3085 
3086 static void srpt_aborted_task(struct se_cmd *cmd)
3087 {
3088 	struct srpt_send_ioctx *ioctx = container_of(cmd,
3089 				struct srpt_send_ioctx, cmd);
3090 
3091 	srpt_unmap_sg_to_ib_sge(ioctx->ch, ioctx);
3092 }
3093 
3094 static int srpt_queue_status(struct se_cmd *cmd)
3095 {
3096 	struct srpt_send_ioctx *ioctx;
3097 
3098 	ioctx = container_of(cmd, struct srpt_send_ioctx, cmd);
3099 	BUG_ON(ioctx->sense_data != cmd->sense_buffer);
3100 	if (cmd->se_cmd_flags &
3101 	    (SCF_TRANSPORT_TASK_SENSE | SCF_EMULATED_TASK_SENSE))
3102 		WARN_ON(cmd->scsi_status != SAM_STAT_CHECK_CONDITION);
3103 	ioctx->queue_status_only = true;
3104 	srpt_queue_response(cmd);
3105 	return 0;
3106 }
3107 
3108 static void srpt_refresh_port_work(struct work_struct *work)
3109 {
3110 	struct srpt_port *sport = container_of(work, struct srpt_port, work);
3111 
3112 	srpt_refresh_port(sport);
3113 }
3114 
3115 static int srpt_ch_list_empty(struct srpt_device *sdev)
3116 {
3117 	int res;
3118 
3119 	spin_lock_irq(&sdev->spinlock);
3120 	res = list_empty(&sdev->rch_list);
3121 	spin_unlock_irq(&sdev->spinlock);
3122 
3123 	return res;
3124 }
3125 
3126 /**
3127  * srpt_release_sdev() - Free the channel resources associated with a target.
3128  */
3129 static int srpt_release_sdev(struct srpt_device *sdev)
3130 {
3131 	struct srpt_rdma_ch *ch, *tmp_ch;
3132 	int res;
3133 
3134 	WARN_ON_ONCE(irqs_disabled());
3135 
3136 	BUG_ON(!sdev);
3137 
3138 	spin_lock_irq(&sdev->spinlock);
3139 	list_for_each_entry_safe(ch, tmp_ch, &sdev->rch_list, list)
3140 		__srpt_close_ch(ch);
3141 	spin_unlock_irq(&sdev->spinlock);
3142 
3143 	res = wait_event_interruptible(sdev->ch_releaseQ,
3144 				       srpt_ch_list_empty(sdev));
3145 	if (res)
3146 		pr_err("%s: interrupted.\n", __func__);
3147 
3148 	return 0;
3149 }
3150 
3151 static struct srpt_port *__srpt_lookup_port(const char *name)
3152 {
3153 	struct ib_device *dev;
3154 	struct srpt_device *sdev;
3155 	struct srpt_port *sport;
3156 	int i;
3157 
3158 	list_for_each_entry(sdev, &srpt_dev_list, list) {
3159 		dev = sdev->device;
3160 		if (!dev)
3161 			continue;
3162 
3163 		for (i = 0; i < dev->phys_port_cnt; i++) {
3164 			sport = &sdev->port[i];
3165 
3166 			if (!strcmp(sport->port_guid, name))
3167 				return sport;
3168 		}
3169 	}
3170 
3171 	return NULL;
3172 }
3173 
3174 static struct srpt_port *srpt_lookup_port(const char *name)
3175 {
3176 	struct srpt_port *sport;
3177 
3178 	spin_lock(&srpt_dev_lock);
3179 	sport = __srpt_lookup_port(name);
3180 	spin_unlock(&srpt_dev_lock);
3181 
3182 	return sport;
3183 }
3184 
3185 /**
3186  * srpt_add_one() - Infiniband device addition callback function.
3187  */
3188 static void srpt_add_one(struct ib_device *device)
3189 {
3190 	struct srpt_device *sdev;
3191 	struct srpt_port *sport;
3192 	struct ib_srq_init_attr srq_attr;
3193 	int i;
3194 
3195 	pr_debug("device = %p, device->dma_ops = %p\n", device,
3196 		 device->dma_ops);
3197 
3198 	sdev = kzalloc(sizeof *sdev, GFP_KERNEL);
3199 	if (!sdev)
3200 		goto err;
3201 
3202 	sdev->device = device;
3203 	INIT_LIST_HEAD(&sdev->rch_list);
3204 	init_waitqueue_head(&sdev->ch_releaseQ);
3205 	spin_lock_init(&sdev->spinlock);
3206 
3207 	if (ib_query_device(device, &sdev->dev_attr))
3208 		goto free_dev;
3209 
3210 	sdev->pd = ib_alloc_pd(device);
3211 	if (IS_ERR(sdev->pd))
3212 		goto free_dev;
3213 
3214 	sdev->srq_size = min(srpt_srq_size, sdev->dev_attr.max_srq_wr);
3215 
3216 	srq_attr.event_handler = srpt_srq_event;
3217 	srq_attr.srq_context = (void *)sdev;
3218 	srq_attr.attr.max_wr = sdev->srq_size;
3219 	srq_attr.attr.max_sge = 1;
3220 	srq_attr.attr.srq_limit = 0;
3221 	srq_attr.srq_type = IB_SRQT_BASIC;
3222 
3223 	sdev->srq = ib_create_srq(sdev->pd, &srq_attr);
3224 	if (IS_ERR(sdev->srq))
3225 		goto err_pd;
3226 
3227 	pr_debug("%s: create SRQ #wr= %d max_allow=%d dev= %s\n",
3228 		 __func__, sdev->srq_size, sdev->dev_attr.max_srq_wr,
3229 		 device->name);
3230 
3231 	if (!srpt_service_guid)
3232 		srpt_service_guid = be64_to_cpu(device->node_guid);
3233 
3234 	sdev->cm_id = ib_create_cm_id(device, srpt_cm_handler, sdev);
3235 	if (IS_ERR(sdev->cm_id))
3236 		goto err_srq;
3237 
3238 	/* print out target login information */
3239 	pr_debug("Target login info: id_ext=%016llx,ioc_guid=%016llx,"
3240 		 "pkey=ffff,service_id=%016llx\n", srpt_service_guid,
3241 		 srpt_service_guid, srpt_service_guid);
3242 
3243 	/*
3244 	 * We do not have a consistent service_id (ie. also id_ext of target_id)
3245 	 * to identify this target. We currently use the guid of the first HCA
3246 	 * in the system as service_id; therefore, the target_id will change
3247 	 * if this HCA is gone bad and replaced by different HCA
3248 	 */
3249 	if (ib_cm_listen(sdev->cm_id, cpu_to_be64(srpt_service_guid), 0))
3250 		goto err_cm;
3251 
3252 	INIT_IB_EVENT_HANDLER(&sdev->event_handler, sdev->device,
3253 			      srpt_event_handler);
3254 	if (ib_register_event_handler(&sdev->event_handler))
3255 		goto err_cm;
3256 
3257 	sdev->ioctx_ring = (struct srpt_recv_ioctx **)
3258 		srpt_alloc_ioctx_ring(sdev, sdev->srq_size,
3259 				      sizeof(*sdev->ioctx_ring[0]),
3260 				      srp_max_req_size, DMA_FROM_DEVICE);
3261 	if (!sdev->ioctx_ring)
3262 		goto err_event;
3263 
3264 	for (i = 0; i < sdev->srq_size; ++i)
3265 		srpt_post_recv(sdev, sdev->ioctx_ring[i]);
3266 
3267 	WARN_ON(sdev->device->phys_port_cnt > ARRAY_SIZE(sdev->port));
3268 
3269 	for (i = 1; i <= sdev->device->phys_port_cnt; i++) {
3270 		sport = &sdev->port[i - 1];
3271 		sport->sdev = sdev;
3272 		sport->port = i;
3273 		sport->port_attrib.srp_max_rdma_size = DEFAULT_MAX_RDMA_SIZE;
3274 		sport->port_attrib.srp_max_rsp_size = DEFAULT_MAX_RSP_SIZE;
3275 		sport->port_attrib.srp_sq_size = DEF_SRPT_SQ_SIZE;
3276 		INIT_WORK(&sport->work, srpt_refresh_port_work);
3277 		INIT_LIST_HEAD(&sport->port_acl_list);
3278 		spin_lock_init(&sport->port_acl_lock);
3279 
3280 		if (srpt_refresh_port(sport)) {
3281 			pr_err("MAD registration failed for %s-%d.\n",
3282 			       srpt_sdev_name(sdev), i);
3283 			goto err_ring;
3284 		}
3285 		snprintf(sport->port_guid, sizeof(sport->port_guid),
3286 			"0x%016llx%016llx",
3287 			be64_to_cpu(sport->gid.global.subnet_prefix),
3288 			be64_to_cpu(sport->gid.global.interface_id));
3289 	}
3290 
3291 	spin_lock(&srpt_dev_lock);
3292 	list_add_tail(&sdev->list, &srpt_dev_list);
3293 	spin_unlock(&srpt_dev_lock);
3294 
3295 out:
3296 	ib_set_client_data(device, &srpt_client, sdev);
3297 	pr_debug("added %s.\n", device->name);
3298 	return;
3299 
3300 err_ring:
3301 	srpt_free_ioctx_ring((struct srpt_ioctx **)sdev->ioctx_ring, sdev,
3302 			     sdev->srq_size, srp_max_req_size,
3303 			     DMA_FROM_DEVICE);
3304 err_event:
3305 	ib_unregister_event_handler(&sdev->event_handler);
3306 err_cm:
3307 	ib_destroy_cm_id(sdev->cm_id);
3308 err_srq:
3309 	ib_destroy_srq(sdev->srq);
3310 err_pd:
3311 	ib_dealloc_pd(sdev->pd);
3312 free_dev:
3313 	kfree(sdev);
3314 err:
3315 	sdev = NULL;
3316 	pr_info("%s(%s) failed.\n", __func__, device->name);
3317 	goto out;
3318 }
3319 
3320 /**
3321  * srpt_remove_one() - InfiniBand device removal callback function.
3322  */
3323 static void srpt_remove_one(struct ib_device *device, void *client_data)
3324 {
3325 	struct srpt_device *sdev = client_data;
3326 	int i;
3327 
3328 	if (!sdev) {
3329 		pr_info("%s(%s): nothing to do.\n", __func__, device->name);
3330 		return;
3331 	}
3332 
3333 	srpt_unregister_mad_agent(sdev);
3334 
3335 	ib_unregister_event_handler(&sdev->event_handler);
3336 
3337 	/* Cancel any work queued by the just unregistered IB event handler. */
3338 	for (i = 0; i < sdev->device->phys_port_cnt; i++)
3339 		cancel_work_sync(&sdev->port[i].work);
3340 
3341 	ib_destroy_cm_id(sdev->cm_id);
3342 
3343 	/*
3344 	 * Unregistering a target must happen after destroying sdev->cm_id
3345 	 * such that no new SRP_LOGIN_REQ information units can arrive while
3346 	 * destroying the target.
3347 	 */
3348 	spin_lock(&srpt_dev_lock);
3349 	list_del(&sdev->list);
3350 	spin_unlock(&srpt_dev_lock);
3351 	srpt_release_sdev(sdev);
3352 
3353 	ib_destroy_srq(sdev->srq);
3354 	ib_dealloc_pd(sdev->pd);
3355 
3356 	srpt_free_ioctx_ring((struct srpt_ioctx **)sdev->ioctx_ring, sdev,
3357 			     sdev->srq_size, srp_max_req_size, DMA_FROM_DEVICE);
3358 	sdev->ioctx_ring = NULL;
3359 	kfree(sdev);
3360 }
3361 
3362 static struct ib_client srpt_client = {
3363 	.name = DRV_NAME,
3364 	.add = srpt_add_one,
3365 	.remove = srpt_remove_one
3366 };
3367 
3368 static int srpt_check_true(struct se_portal_group *se_tpg)
3369 {
3370 	return 1;
3371 }
3372 
3373 static int srpt_check_false(struct se_portal_group *se_tpg)
3374 {
3375 	return 0;
3376 }
3377 
3378 static char *srpt_get_fabric_name(void)
3379 {
3380 	return "srpt";
3381 }
3382 
3383 static char *srpt_get_fabric_wwn(struct se_portal_group *tpg)
3384 {
3385 	struct srpt_port *sport = container_of(tpg, struct srpt_port, port_tpg_1);
3386 
3387 	return sport->port_guid;
3388 }
3389 
3390 static u16 srpt_get_tag(struct se_portal_group *tpg)
3391 {
3392 	return 1;
3393 }
3394 
3395 static u32 srpt_tpg_get_inst_index(struct se_portal_group *se_tpg)
3396 {
3397 	return 1;
3398 }
3399 
3400 static void srpt_release_cmd(struct se_cmd *se_cmd)
3401 {
3402 	struct srpt_send_ioctx *ioctx = container_of(se_cmd,
3403 				struct srpt_send_ioctx, cmd);
3404 	struct srpt_rdma_ch *ch = ioctx->ch;
3405 	unsigned long flags;
3406 
3407 	WARN_ON(ioctx->state != SRPT_STATE_DONE);
3408 	WARN_ON(ioctx->mapped_sg_count != 0);
3409 
3410 	if (ioctx->n_rbuf > 1) {
3411 		kfree(ioctx->rbufs);
3412 		ioctx->rbufs = NULL;
3413 		ioctx->n_rbuf = 0;
3414 	}
3415 
3416 	spin_lock_irqsave(&ch->spinlock, flags);
3417 	list_add(&ioctx->free_list, &ch->free_list);
3418 	spin_unlock_irqrestore(&ch->spinlock, flags);
3419 }
3420 
3421 /**
3422  * srpt_close_session() - Forcibly close a session.
3423  *
3424  * Callback function invoked by the TCM core to clean up sessions associated
3425  * with a node ACL when the user invokes
3426  * rmdir /sys/kernel/config/target/$driver/$port/$tpg/acls/$i_port_id
3427  */
3428 static void srpt_close_session(struct se_session *se_sess)
3429 {
3430 	DECLARE_COMPLETION_ONSTACK(release_done);
3431 	struct srpt_rdma_ch *ch;
3432 	struct srpt_device *sdev;
3433 	unsigned long res;
3434 
3435 	ch = se_sess->fabric_sess_ptr;
3436 	WARN_ON(ch->sess != se_sess);
3437 
3438 	pr_debug("ch %p state %d\n", ch, srpt_get_ch_state(ch));
3439 
3440 	sdev = ch->sport->sdev;
3441 	spin_lock_irq(&sdev->spinlock);
3442 	BUG_ON(ch->release_done);
3443 	ch->release_done = &release_done;
3444 	__srpt_close_ch(ch);
3445 	spin_unlock_irq(&sdev->spinlock);
3446 
3447 	res = wait_for_completion_timeout(&release_done, 60 * HZ);
3448 	WARN_ON(res == 0);
3449 }
3450 
3451 /**
3452  * srpt_sess_get_index() - Return the value of scsiAttIntrPortIndex (SCSI-MIB).
3453  *
3454  * A quote from RFC 4455 (SCSI-MIB) about this MIB object:
3455  * This object represents an arbitrary integer used to uniquely identify a
3456  * particular attached remote initiator port to a particular SCSI target port
3457  * within a particular SCSI target device within a particular SCSI instance.
3458  */
3459 static u32 srpt_sess_get_index(struct se_session *se_sess)
3460 {
3461 	return 0;
3462 }
3463 
3464 static void srpt_set_default_node_attrs(struct se_node_acl *nacl)
3465 {
3466 }
3467 
3468 /* Note: only used from inside debug printk's by the TCM core. */
3469 static int srpt_get_tcm_cmd_state(struct se_cmd *se_cmd)
3470 {
3471 	struct srpt_send_ioctx *ioctx;
3472 
3473 	ioctx = container_of(se_cmd, struct srpt_send_ioctx, cmd);
3474 	return srpt_get_cmd_state(ioctx);
3475 }
3476 
3477 /**
3478  * srpt_parse_i_port_id() - Parse an initiator port ID.
3479  * @name: ASCII representation of a 128-bit initiator port ID.
3480  * @i_port_id: Binary 128-bit port ID.
3481  */
3482 static int srpt_parse_i_port_id(u8 i_port_id[16], const char *name)
3483 {
3484 	const char *p;
3485 	unsigned len, count, leading_zero_bytes;
3486 	int ret, rc;
3487 
3488 	p = name;
3489 	if (strncasecmp(p, "0x", 2) == 0)
3490 		p += 2;
3491 	ret = -EINVAL;
3492 	len = strlen(p);
3493 	if (len % 2)
3494 		goto out;
3495 	count = min(len / 2, 16U);
3496 	leading_zero_bytes = 16 - count;
3497 	memset(i_port_id, 0, leading_zero_bytes);
3498 	rc = hex2bin(i_port_id + leading_zero_bytes, p, count);
3499 	if (rc < 0)
3500 		pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", rc);
3501 	ret = 0;
3502 out:
3503 	return ret;
3504 }
3505 
3506 /*
3507  * configfs callback function invoked for
3508  * mkdir /sys/kernel/config/target/$driver/$port/$tpg/acls/$i_port_id
3509  */
3510 static int srpt_init_nodeacl(struct se_node_acl *se_nacl, const char *name)
3511 {
3512 	struct srpt_port *sport =
3513 		container_of(se_nacl->se_tpg, struct srpt_port, port_tpg_1);
3514 	struct srpt_node_acl *nacl =
3515 		container_of(se_nacl, struct srpt_node_acl, nacl);
3516 	u8 i_port_id[16];
3517 
3518 	if (srpt_parse_i_port_id(i_port_id, name) < 0) {
3519 		pr_err("invalid initiator port ID %s\n", name);
3520 		return -EINVAL;
3521 	}
3522 
3523 	memcpy(&nacl->i_port_id[0], &i_port_id[0], 16);
3524 	nacl->sport = sport;
3525 
3526 	spin_lock_irq(&sport->port_acl_lock);
3527 	list_add_tail(&nacl->list, &sport->port_acl_list);
3528 	spin_unlock_irq(&sport->port_acl_lock);
3529 
3530 	return 0;
3531 }
3532 
3533 /*
3534  * configfs callback function invoked for
3535  * rmdir /sys/kernel/config/target/$driver/$port/$tpg/acls/$i_port_id
3536  */
3537 static void srpt_cleanup_nodeacl(struct se_node_acl *se_nacl)
3538 {
3539 	struct srpt_node_acl *nacl =
3540 		container_of(se_nacl, struct srpt_node_acl, nacl);
3541 	struct srpt_port *sport = nacl->sport;
3542 
3543 	spin_lock_irq(&sport->port_acl_lock);
3544 	list_del(&nacl->list);
3545 	spin_unlock_irq(&sport->port_acl_lock);
3546 }
3547 
3548 static ssize_t srpt_tpg_attrib_show_srp_max_rdma_size(
3549 	struct se_portal_group *se_tpg,
3550 	char *page)
3551 {
3552 	struct srpt_port *sport = container_of(se_tpg, struct srpt_port, port_tpg_1);
3553 
3554 	return sprintf(page, "%u\n", sport->port_attrib.srp_max_rdma_size);
3555 }
3556 
3557 static ssize_t srpt_tpg_attrib_store_srp_max_rdma_size(
3558 	struct se_portal_group *se_tpg,
3559 	const char *page,
3560 	size_t count)
3561 {
3562 	struct srpt_port *sport = container_of(se_tpg, struct srpt_port, port_tpg_1);
3563 	unsigned long val;
3564 	int ret;
3565 
3566 	ret = kstrtoul(page, 0, &val);
3567 	if (ret < 0) {
3568 		pr_err("kstrtoul() failed with ret: %d\n", ret);
3569 		return -EINVAL;
3570 	}
3571 	if (val > MAX_SRPT_RDMA_SIZE) {
3572 		pr_err("val: %lu exceeds MAX_SRPT_RDMA_SIZE: %d\n", val,
3573 			MAX_SRPT_RDMA_SIZE);
3574 		return -EINVAL;
3575 	}
3576 	if (val < DEFAULT_MAX_RDMA_SIZE) {
3577 		pr_err("val: %lu smaller than DEFAULT_MAX_RDMA_SIZE: %d\n",
3578 			val, DEFAULT_MAX_RDMA_SIZE);
3579 		return -EINVAL;
3580 	}
3581 	sport->port_attrib.srp_max_rdma_size = val;
3582 
3583 	return count;
3584 }
3585 
3586 TF_TPG_ATTRIB_ATTR(srpt, srp_max_rdma_size, S_IRUGO | S_IWUSR);
3587 
3588 static ssize_t srpt_tpg_attrib_show_srp_max_rsp_size(
3589 	struct se_portal_group *se_tpg,
3590 	char *page)
3591 {
3592 	struct srpt_port *sport = container_of(se_tpg, struct srpt_port, port_tpg_1);
3593 
3594 	return sprintf(page, "%u\n", sport->port_attrib.srp_max_rsp_size);
3595 }
3596 
3597 static ssize_t srpt_tpg_attrib_store_srp_max_rsp_size(
3598 	struct se_portal_group *se_tpg,
3599 	const char *page,
3600 	size_t count)
3601 {
3602 	struct srpt_port *sport = container_of(se_tpg, struct srpt_port, port_tpg_1);
3603 	unsigned long val;
3604 	int ret;
3605 
3606 	ret = kstrtoul(page, 0, &val);
3607 	if (ret < 0) {
3608 		pr_err("kstrtoul() failed with ret: %d\n", ret);
3609 		return -EINVAL;
3610 	}
3611 	if (val > MAX_SRPT_RSP_SIZE) {
3612 		pr_err("val: %lu exceeds MAX_SRPT_RSP_SIZE: %d\n", val,
3613 			MAX_SRPT_RSP_SIZE);
3614 		return -EINVAL;
3615 	}
3616 	if (val < MIN_MAX_RSP_SIZE) {
3617 		pr_err("val: %lu smaller than MIN_MAX_RSP_SIZE: %d\n", val,
3618 			MIN_MAX_RSP_SIZE);
3619 		return -EINVAL;
3620 	}
3621 	sport->port_attrib.srp_max_rsp_size = val;
3622 
3623 	return count;
3624 }
3625 
3626 TF_TPG_ATTRIB_ATTR(srpt, srp_max_rsp_size, S_IRUGO | S_IWUSR);
3627 
3628 static ssize_t srpt_tpg_attrib_show_srp_sq_size(
3629 	struct se_portal_group *se_tpg,
3630 	char *page)
3631 {
3632 	struct srpt_port *sport = container_of(se_tpg, struct srpt_port, port_tpg_1);
3633 
3634 	return sprintf(page, "%u\n", sport->port_attrib.srp_sq_size);
3635 }
3636 
3637 static ssize_t srpt_tpg_attrib_store_srp_sq_size(
3638 	struct se_portal_group *se_tpg,
3639 	const char *page,
3640 	size_t count)
3641 {
3642 	struct srpt_port *sport = container_of(se_tpg, struct srpt_port, port_tpg_1);
3643 	unsigned long val;
3644 	int ret;
3645 
3646 	ret = kstrtoul(page, 0, &val);
3647 	if (ret < 0) {
3648 		pr_err("kstrtoul() failed with ret: %d\n", ret);
3649 		return -EINVAL;
3650 	}
3651 	if (val > MAX_SRPT_SRQ_SIZE) {
3652 		pr_err("val: %lu exceeds MAX_SRPT_SRQ_SIZE: %d\n", val,
3653 			MAX_SRPT_SRQ_SIZE);
3654 		return -EINVAL;
3655 	}
3656 	if (val < MIN_SRPT_SRQ_SIZE) {
3657 		pr_err("val: %lu smaller than MIN_SRPT_SRQ_SIZE: %d\n", val,
3658 			MIN_SRPT_SRQ_SIZE);
3659 		return -EINVAL;
3660 	}
3661 	sport->port_attrib.srp_sq_size = val;
3662 
3663 	return count;
3664 }
3665 
3666 TF_TPG_ATTRIB_ATTR(srpt, srp_sq_size, S_IRUGO | S_IWUSR);
3667 
3668 static struct configfs_attribute *srpt_tpg_attrib_attrs[] = {
3669 	&srpt_tpg_attrib_srp_max_rdma_size.attr,
3670 	&srpt_tpg_attrib_srp_max_rsp_size.attr,
3671 	&srpt_tpg_attrib_srp_sq_size.attr,
3672 	NULL,
3673 };
3674 
3675 static ssize_t srpt_tpg_show_enable(
3676 	struct se_portal_group *se_tpg,
3677 	char *page)
3678 {
3679 	struct srpt_port *sport = container_of(se_tpg, struct srpt_port, port_tpg_1);
3680 
3681 	return snprintf(page, PAGE_SIZE, "%d\n", (sport->enabled) ? 1: 0);
3682 }
3683 
3684 static ssize_t srpt_tpg_store_enable(
3685 	struct se_portal_group *se_tpg,
3686 	const char *page,
3687 	size_t count)
3688 {
3689 	struct srpt_port *sport = container_of(se_tpg, struct srpt_port, port_tpg_1);
3690 	unsigned long tmp;
3691         int ret;
3692 
3693 	ret = kstrtoul(page, 0, &tmp);
3694 	if (ret < 0) {
3695 		pr_err("Unable to extract srpt_tpg_store_enable\n");
3696 		return -EINVAL;
3697 	}
3698 
3699 	if ((tmp != 0) && (tmp != 1)) {
3700 		pr_err("Illegal value for srpt_tpg_store_enable: %lu\n", tmp);
3701 		return -EINVAL;
3702 	}
3703 	if (tmp == 1)
3704 		sport->enabled = true;
3705 	else
3706 		sport->enabled = false;
3707 
3708 	return count;
3709 }
3710 
3711 TF_TPG_BASE_ATTR(srpt, enable, S_IRUGO | S_IWUSR);
3712 
3713 static struct configfs_attribute *srpt_tpg_attrs[] = {
3714 	&srpt_tpg_enable.attr,
3715 	NULL,
3716 };
3717 
3718 /**
3719  * configfs callback invoked for
3720  * mkdir /sys/kernel/config/target/$driver/$port/$tpg
3721  */
3722 static struct se_portal_group *srpt_make_tpg(struct se_wwn *wwn,
3723 					     struct config_group *group,
3724 					     const char *name)
3725 {
3726 	struct srpt_port *sport = container_of(wwn, struct srpt_port, port_wwn);
3727 	int res;
3728 
3729 	/* Initialize sport->port_wwn and sport->port_tpg_1 */
3730 	res = core_tpg_register(&sport->port_wwn, &sport->port_tpg_1, SCSI_PROTOCOL_SRP);
3731 	if (res)
3732 		return ERR_PTR(res);
3733 
3734 	return &sport->port_tpg_1;
3735 }
3736 
3737 /**
3738  * configfs callback invoked for
3739  * rmdir /sys/kernel/config/target/$driver/$port/$tpg
3740  */
3741 static void srpt_drop_tpg(struct se_portal_group *tpg)
3742 {
3743 	struct srpt_port *sport = container_of(tpg,
3744 				struct srpt_port, port_tpg_1);
3745 
3746 	sport->enabled = false;
3747 	core_tpg_deregister(&sport->port_tpg_1);
3748 }
3749 
3750 /**
3751  * configfs callback invoked for
3752  * mkdir /sys/kernel/config/target/$driver/$port
3753  */
3754 static struct se_wwn *srpt_make_tport(struct target_fabric_configfs *tf,
3755 				      struct config_group *group,
3756 				      const char *name)
3757 {
3758 	struct srpt_port *sport;
3759 	int ret;
3760 
3761 	sport = srpt_lookup_port(name);
3762 	pr_debug("make_tport(%s)\n", name);
3763 	ret = -EINVAL;
3764 	if (!sport)
3765 		goto err;
3766 
3767 	return &sport->port_wwn;
3768 
3769 err:
3770 	return ERR_PTR(ret);
3771 }
3772 
3773 /**
3774  * configfs callback invoked for
3775  * rmdir /sys/kernel/config/target/$driver/$port
3776  */
3777 static void srpt_drop_tport(struct se_wwn *wwn)
3778 {
3779 	struct srpt_port *sport = container_of(wwn, struct srpt_port, port_wwn);
3780 
3781 	pr_debug("drop_tport(%s\n", config_item_name(&sport->port_wwn.wwn_group.cg_item));
3782 }
3783 
3784 static ssize_t srpt_wwn_show_attr_version(struct target_fabric_configfs *tf,
3785 					      char *buf)
3786 {
3787 	return scnprintf(buf, PAGE_SIZE, "%s\n", DRV_VERSION);
3788 }
3789 
3790 TF_WWN_ATTR_RO(srpt, version);
3791 
3792 static struct configfs_attribute *srpt_wwn_attrs[] = {
3793 	&srpt_wwn_version.attr,
3794 	NULL,
3795 };
3796 
3797 static const struct target_core_fabric_ops srpt_template = {
3798 	.module				= THIS_MODULE,
3799 	.name				= "srpt",
3800 	.node_acl_size			= sizeof(struct srpt_node_acl),
3801 	.get_fabric_name		= srpt_get_fabric_name,
3802 	.tpg_get_wwn			= srpt_get_fabric_wwn,
3803 	.tpg_get_tag			= srpt_get_tag,
3804 	.tpg_check_demo_mode		= srpt_check_false,
3805 	.tpg_check_demo_mode_cache	= srpt_check_true,
3806 	.tpg_check_demo_mode_write_protect = srpt_check_true,
3807 	.tpg_check_prod_mode_write_protect = srpt_check_false,
3808 	.tpg_get_inst_index		= srpt_tpg_get_inst_index,
3809 	.release_cmd			= srpt_release_cmd,
3810 	.check_stop_free		= srpt_check_stop_free,
3811 	.shutdown_session		= srpt_shutdown_session,
3812 	.close_session			= srpt_close_session,
3813 	.sess_get_index			= srpt_sess_get_index,
3814 	.sess_get_initiator_sid		= NULL,
3815 	.write_pending			= srpt_write_pending,
3816 	.write_pending_status		= srpt_write_pending_status,
3817 	.set_default_node_attributes	= srpt_set_default_node_attrs,
3818 	.get_cmd_state			= srpt_get_tcm_cmd_state,
3819 	.queue_data_in			= srpt_queue_data_in,
3820 	.queue_status			= srpt_queue_status,
3821 	.queue_tm_rsp			= srpt_queue_tm_rsp,
3822 	.aborted_task			= srpt_aborted_task,
3823 	/*
3824 	 * Setup function pointers for generic logic in
3825 	 * target_core_fabric_configfs.c
3826 	 */
3827 	.fabric_make_wwn		= srpt_make_tport,
3828 	.fabric_drop_wwn		= srpt_drop_tport,
3829 	.fabric_make_tpg		= srpt_make_tpg,
3830 	.fabric_drop_tpg		= srpt_drop_tpg,
3831 	.fabric_init_nodeacl		= srpt_init_nodeacl,
3832 	.fabric_cleanup_nodeacl		= srpt_cleanup_nodeacl,
3833 
3834 	.tfc_wwn_attrs			= srpt_wwn_attrs,
3835 	.tfc_tpg_base_attrs		= srpt_tpg_attrs,
3836 	.tfc_tpg_attrib_attrs		= srpt_tpg_attrib_attrs,
3837 };
3838 
3839 /**
3840  * srpt_init_module() - Kernel module initialization.
3841  *
3842  * Note: Since ib_register_client() registers callback functions, and since at
3843  * least one of these callback functions (srpt_add_one()) calls target core
3844  * functions, this driver must be registered with the target core before
3845  * ib_register_client() is called.
3846  */
3847 static int __init srpt_init_module(void)
3848 {
3849 	int ret;
3850 
3851 	ret = -EINVAL;
3852 	if (srp_max_req_size < MIN_MAX_REQ_SIZE) {
3853 		pr_err("invalid value %d for kernel module parameter"
3854 		       " srp_max_req_size -- must be at least %d.\n",
3855 		       srp_max_req_size, MIN_MAX_REQ_SIZE);
3856 		goto out;
3857 	}
3858 
3859 	if (srpt_srq_size < MIN_SRPT_SRQ_SIZE
3860 	    || srpt_srq_size > MAX_SRPT_SRQ_SIZE) {
3861 		pr_err("invalid value %d for kernel module parameter"
3862 		       " srpt_srq_size -- must be in the range [%d..%d].\n",
3863 		       srpt_srq_size, MIN_SRPT_SRQ_SIZE, MAX_SRPT_SRQ_SIZE);
3864 		goto out;
3865 	}
3866 
3867 	ret = target_register_template(&srpt_template);
3868 	if (ret)
3869 		goto out;
3870 
3871 	ret = ib_register_client(&srpt_client);
3872 	if (ret) {
3873 		pr_err("couldn't register IB client\n");
3874 		goto out_unregister_target;
3875 	}
3876 
3877 	return 0;
3878 
3879 out_unregister_target:
3880 	target_unregister_template(&srpt_template);
3881 out:
3882 	return ret;
3883 }
3884 
3885 static void __exit srpt_cleanup_module(void)
3886 {
3887 	ib_unregister_client(&srpt_client);
3888 	target_unregister_template(&srpt_template);
3889 }
3890 
3891 module_init(srpt_init_module);
3892 module_exit(srpt_cleanup_module);
3893