drivers/infiniband/core/uverbs_cmd.c

   1 /*
   2  * Copyright (c) 2005 Topspin Communications.  All rights reserved.
   3  * Copyright (c) 2005, 2006, 2007 Cisco Systems.  All rights reserved.
   4  * Copyright (c) 2005 PathScale, Inc.  All rights reserved.
   5  * Copyright (c) 2006 Mellanox Technologies.  All rights reserved.
   6  *
   7  * This software is available to you under a choice of one of two
   8  * licenses.  You may choose to be licensed under the terms of the GNU
   9  * General Public License (GPL) Version 2, available from the file
  10  * COPYING in the main directory of this source tree, or the
  11  * OpenIB.org BSD license below:
  12  *
  13  *     Redistribution and use in source and binary forms, with or
  14  *     without modification, are permitted provided that the following
  15  *     conditions are met:
  16  *
  17  *      - Redistributions of source code must retain the above
  18  *        copyright notice, this list of conditions and the following
  19  *        disclaimer.
  20  *
  21  *      - Redistributions in binary form must reproduce the above
  22  *        copyright notice, this list of conditions and the following
  23  *        disclaimer in the documentation and/or other materials
  24  *        provided with the distribution.
  25  *
  26  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  27  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  28  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  29  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
  30  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
  31  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  32  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  33  * SOFTWARE.
  34  */
  35
  36 #include <linux/file.h>
  37 #include <linux/fs.h>
  38 #include <linux/slab.h>
  39 #include <linux/sched.h>
  40
  41 #include <asm/uaccess.h>
  42
  43 #include "uverbs.h"
  44 #include "core_priv.h"
  45
  46 struct uverbs_lock_class {
  47         struct lock_class_key   key;
  48         char                    name[16];
  49 };
  50
  51 static struct uverbs_lock_class pd_lock_class   = { .name = "PD-uobj" };
  52 static struct uverbs_lock_class mr_lock_class   = { .name = "MR-uobj" };
  53 static struct uverbs_lock_class mw_lock_class   = { .name = "MW-uobj" };
  54 static struct uverbs_lock_class cq_lock_class   = { .name = "CQ-uobj" };
  55 static struct uverbs_lock_class qp_lock_class   = { .name = "QP-uobj" };
  56 static struct uverbs_lock_class ah_lock_class   = { .name = "AH-uobj" };
  57 static struct uverbs_lock_class srq_lock_class  = { .name = "SRQ-uobj" };
  58 static struct uverbs_lock_class xrcd_lock_class = { .name = "XRCD-uobj" };
  59 static struct uverbs_lock_class rule_lock_class = { .name = "RULE-uobj" };
  60
  61 /*
  62  * The ib_uobject locking scheme is as follows:
  63  *
  64  * - ib_uverbs_idr_lock protects the uverbs idrs themselves, so it
  65  *   needs to be held during all idr operations.  When an object is
  66  *   looked up, a reference must be taken on the object's kref before
  67  *   dropping this lock.
  68  *
  69  * - Each object also has an rwsem.  This rwsem must be held for
  70  *   reading while an operation that uses the object is performed.
  71  *   For example, while registering an MR, the associated PD's
  72  *   uobject.mutex must be held for reading.  The rwsem must be held
  73  *   for writing while initializing or destroying an object.
  74  *
  75  * - In addition, each object has a "live" flag.  If this flag is not
  76  *   set, then lookups of the object will fail even if it is found in
  77  *   the idr.  This handles a reader that blocks and does not acquire
  78  *   the rwsem until after the object is destroyed.  The destroy
  79  *   operation will set the live flag to 0 and then drop the rwsem;
  80  *   this will allow the reader to acquire the rwsem, see that the
  81  *   live flag is 0, and then drop the rwsem and its reference to
  82  *   object.  The underlying storage will not be freed until the last
  83  *   reference to the object is dropped.
  84  */
  85
  86 static void init_uobj(struct ib_uobject *uobj, u64 user_handle,
  87                       struct ib_ucontext *context, struct uverbs_lock_class *c)
  88 {
  89         uobj->user_handle = user_handle;
  90         uobj->context     = context;
  91         kref_init(&uobj->ref);
  92         init_rwsem(&uobj->mutex);
  93         lockdep_set_class_and_name(&uobj->mutex, &c->key, c->name);
  94         uobj->live        = 0;
  95 }
  96
  97 static void release_uobj(struct kref *kref)
  98 {
  99         kfree(container_of(kref, struct ib_uobject, ref));
 100 }
 101
 102 static void put_uobj(struct ib_uobject *uobj)
 103 {
 104         kref_put(&uobj->ref, release_uobj);
 105 }
 106
 107 static void put_uobj_read(struct ib_uobject *uobj)
 108 {
 109         up_read(&uobj->mutex);
 110         put_uobj(uobj);
 111 }
 112
 113 static void put_uobj_write(struct ib_uobject *uobj)
 114 {
 115         up_write(&uobj->mutex);
 116         put_uobj(uobj);
 117 }
 118
 119 static int idr_add_uobj(struct idr *idr, struct ib_uobject *uobj)
 120 {
 121         int ret;
 122
 123         idr_preload(GFP_KERNEL);
 124         spin_lock(&ib_uverbs_idr_lock);
 125
 126         ret = idr_alloc(idr, uobj, 0, 0, GFP_NOWAIT);
 127         if (ret >= 0)
 128                 uobj->id = ret;
 129
 130         spin_unlock(&ib_uverbs_idr_lock);
 131         idr_preload_end();
 132
 133         return ret < 0 ? ret : 0;
 134 }
 135
 136 void idr_remove_uobj(struct idr *idr, struct ib_uobject *uobj)
 137 {
 138         spin_lock(&ib_uverbs_idr_lock);
 139         idr_remove(idr, uobj->id);
 140         spin_unlock(&ib_uverbs_idr_lock);
 141 }
 142
 143 static struct ib_uobject *__idr_get_uobj(struct idr *idr, int id,
 144                                          struct ib_ucontext *context)
 145 {
 146         struct ib_uobject *uobj;
 147
 148         spin_lock(&ib_uverbs_idr_lock);
 149         uobj = idr_find(idr, id);
 150         if (uobj) {
 151                 if (uobj->context == context)
 152                         kref_get(&uobj->ref);
 153                 else
 154                         uobj = NULL;
 155         }
 156         spin_unlock(&ib_uverbs_idr_lock);
 157
 158         return uobj;
 159 }
 160
 161 static struct ib_uobject *idr_read_uobj(struct idr *idr, int id,
 162                                         struct ib_ucontext *context, int nested)
 163 {
 164         struct ib_uobject *uobj;
 165
 166         uobj = __idr_get_uobj(idr, id, context);
 167         if (!uobj)
 168                 return NULL;
 169
 170         if (nested)
 171                 down_read_nested(&uobj->mutex, SINGLE_DEPTH_NESTING);
 172         else
 173                 down_read(&uobj->mutex);
 174         if (!uobj->live) {
 175                 put_uobj_read(uobj);
 176                 return NULL;
 177         }
 178
 179         return uobj;
 180 }
 181
 182 static struct ib_uobject *idr_write_uobj(struct idr *idr, int id,
 183                                          struct ib_ucontext *context)
 184 {
 185         struct ib_uobject *uobj;
 186
 187         uobj = __idr_get_uobj(idr, id, context);
 188         if (!uobj)
 189                 return NULL;
 190
 191         down_write(&uobj->mutex);
 192         if (!uobj->live) {
 193                 put_uobj_write(uobj);
 194                 return NULL;
 195         }
 196
 197         return uobj;
 198 }
 199
 200 static void *idr_read_obj(struct idr *idr, int id, struct ib_ucontext *context,
 201                           int nested)
 202 {
 203         struct ib_uobject *uobj;
 204
 205         uobj = idr_read_uobj(idr, id, context, nested);
 206         return uobj ? uobj->object : NULL;
 207 }
 208
 209 static struct ib_pd *idr_read_pd(int pd_handle, struct ib_ucontext *context)
 210 {
 211         return idr_read_obj(&ib_uverbs_pd_idr, pd_handle, context, 0);
 212 }
 213
 214 static void put_pd_read(struct ib_pd *pd)
 215 {
 216         put_uobj_read(pd->uobject);
 217 }
 218
 219 static struct ib_cq *idr_read_cq(int cq_handle, struct ib_ucontext *context, int nested)
 220 {
 221         return idr_read_obj(&ib_uverbs_cq_idr, cq_handle, context, nested);
 222 }
 223
 224 static void put_cq_read(struct ib_cq *cq)
 225 {
 226         put_uobj_read(cq->uobject);
 227 }
 228
 229 static struct ib_ah *idr_read_ah(int ah_handle, struct ib_ucontext *context)
 230 {
 231         return idr_read_obj(&ib_uverbs_ah_idr, ah_handle, context, 0);
 232 }
 233
 234 static void put_ah_read(struct ib_ah *ah)
 235 {
 236         put_uobj_read(ah->uobject);
 237 }
 238
 239 static struct ib_qp *idr_read_qp(int qp_handle, struct ib_ucontext *context)
 240 {
 241         return idr_read_obj(&ib_uverbs_qp_idr, qp_handle, context, 0);
 242 }
 243
 244 static struct ib_qp *idr_write_qp(int qp_handle, struct ib_ucontext *context)
 245 {
 246         struct ib_uobject *uobj;
 247
 248         uobj = idr_write_uobj(&ib_uverbs_qp_idr, qp_handle, context);
 249         return uobj ? uobj->object : NULL;
 250 }
 251
 252 static void put_qp_read(struct ib_qp *qp)
 253 {
 254         put_uobj_read(qp->uobject);
 255 }
 256
 257 static void put_qp_write(struct ib_qp *qp)
 258 {
 259         put_uobj_write(qp->uobject);
 260 }
 261
 262 static struct ib_srq *idr_read_srq(int srq_handle, struct ib_ucontext *context)
 263 {
 264         return idr_read_obj(&ib_uverbs_srq_idr, srq_handle, context, 0);
 265 }
 266
 267 static void put_srq_read(struct ib_srq *srq)
 268 {
 269         put_uobj_read(srq->uobject);
 270 }
 271
 272 static struct ib_xrcd *idr_read_xrcd(int xrcd_handle, struct ib_ucontext *context,
 273                                      struct ib_uobject **uobj)
 274 {
 275         *uobj = idr_read_uobj(&ib_uverbs_xrcd_idr, xrcd_handle, context, 0);
 276         return *uobj ? (*uobj)->object : NULL;
 277 }
 278
 279 static void put_xrcd_read(struct ib_uobject *uobj)
 280 {
 281         put_uobj_read(uobj);
 282 }
 283
 284 ssize_t ib_uverbs_get_context(struct ib_uverbs_file *file,
 285                               const char __user *buf,
 286                               int in_len, int out_len)
 287 {
 288         struct ib_uverbs_get_context      cmd;
 289         struct ib_uverbs_get_context_resp resp;
 290         struct ib_udata                   udata;
 291         struct ib_device                 *ibdev = file->device->ib_dev;
 292 #ifdef CONFIG_INFINIBAND_ON_DEMAND_PAGING
 293         struct ib_device_attr             dev_attr;
 294 #endif
 295         struct ib_ucontext               *ucontext;
 296         struct file                      *filp;
 297         int ret;
 298
 299         if (out_len < sizeof resp)
 300                 return -ENOSPC;
 301
 302         if (copy_from_user(&cmd, buf, sizeof cmd))
 303                 return -EFAULT;
 304
 305         mutex_lock(&file->mutex);
 306
 307         if (file->ucontext) {
 308                 ret = -EINVAL;
 309                 goto err;
 310         }
 311
 312         INIT_UDATA(&udata, buf + sizeof cmd,
 313                    (unsigned long) cmd.response + sizeof resp,
 314                    in_len - sizeof cmd, out_len - sizeof resp);
 315
 316         ucontext = ibdev->alloc_ucontext(ibdev, &udata);
 317         if (IS_ERR(ucontext)) {
 318                 ret = PTR_ERR(ucontext);
 319                 goto err;
 320         }
 321
 322         ucontext->device = ibdev;
 323         INIT_LIST_HEAD(&ucontext->pd_list);
 324         INIT_LIST_HEAD(&ucontext->mr_list);
 325         INIT_LIST_HEAD(&ucontext->mw_list);
 326         INIT_LIST_HEAD(&ucontext->cq_list);
 327         INIT_LIST_HEAD(&ucontext->qp_list);
 328         INIT_LIST_HEAD(&ucontext->srq_list);
 329         INIT_LIST_HEAD(&ucontext->ah_list);
 330         INIT_LIST_HEAD(&ucontext->xrcd_list);
 331         INIT_LIST_HEAD(&ucontext->rule_list);
 332         rcu_read_lock();
 333         ucontext->tgid = get_task_pid(current->group_leader, PIDTYPE_PID);
 334         rcu_read_unlock();
 335         ucontext->closing = 0;
 336
 337 #ifdef CONFIG_INFINIBAND_ON_DEMAND_PAGING
 338         ucontext->umem_tree = RB_ROOT;
 339         init_rwsem(&ucontext->umem_rwsem);
 340         ucontext->odp_mrs_count = 0;
 341         INIT_LIST_HEAD(&ucontext->no_private_counters);
 342
 343         ret = ib_query_device(ibdev, &dev_attr);
 344         if (ret)
 345                 goto err_free;
 346         if (!(dev_attr.device_cap_flags & IB_DEVICE_ON_DEMAND_PAGING))
 347                 ucontext->invalidate_range = NULL;
 348
 349 #endif
 350
 351         resp.num_comp_vectors = file->device->num_comp_vectors;
 352
 353         ret = get_unused_fd_flags(O_CLOEXEC);
 354         if (ret < 0)
 355                 goto err_free;
 356         resp.async_fd = ret;
 357
 358         filp = ib_uverbs_alloc_event_file(file, 1);
 359         if (IS_ERR(filp)) {
 360                 ret = PTR_ERR(filp);
 361                 goto err_fd;
 362         }
 363
 364         if (copy_to_user((void __user *) (unsigned long) cmd.response,
 365                          &resp, sizeof resp)) {
 366                 ret = -EFAULT;
 367                 goto err_file;
 368         }
 369
 370         file->async_file = filp->private_data;
 371
 372         INIT_IB_EVENT_HANDLER(&file->event_handler, file->device->ib_dev,
 373                               ib_uverbs_event_handler);
 374         ret = ib_register_event_handler(&file->event_handler);
 375         if (ret)
 376                 goto err_file;
 377
 378         kref_get(&file->async_file->ref);
 379         kref_get(&file->ref);
 380         file->ucontext = ucontext;
 381
 382         fd_install(resp.async_fd, filp);
 383
 384         mutex_unlock(&file->mutex);
 385
 386         return in_len;
 387
 388 err_file:
 389         fput(filp);
 390
 391 err_fd:
 392         put_unused_fd(resp.async_fd);
 393
 394 err_free:
 395         put_pid(ucontext->tgid);
 396         ibdev->dealloc_ucontext(ucontext);
 397
 398 err:
 399         mutex_unlock(&file->mutex);
 400         return ret;
 401 }
 402
 403 static void copy_query_dev_fields(struct ib_uverbs_file *file,
 404                                   struct ib_uverbs_query_device_resp *resp,
 405                                   struct ib_device_attr *attr)
 406 {
 407         resp->fw_ver            = attr->fw_ver;
 408         resp->node_guid         = file->device->ib_dev->node_guid;
 409         resp->sys_image_guid    = attr->sys_image_guid;
 410         resp->max_mr_size       = attr->max_mr_size;
 411         resp->page_size_cap     = attr->page_size_cap;
 412         resp->vendor_id         = attr->vendor_id;
 413         resp->vendor_part_id    = attr->vendor_part_id;
 414         resp->hw_ver            = attr->hw_ver;
 415         resp->max_qp            = attr->max_qp;
 416         resp->max_qp_wr         = attr->max_qp_wr;
 417         resp->device_cap_flags  = attr->device_cap_flags;
 418         resp->max_sge           = attr->max_sge;
 419         resp->max_sge_rd        = attr->max_sge_rd;
 420         resp->max_cq            = attr->max_cq;
 421         resp->max_cqe           = attr->max_cqe;
 422         resp->max_mr            = attr->max_mr;
 423         resp->max_pd            = attr->max_pd;
 424         resp->max_qp_rd_atom    = attr->max_qp_rd_atom;
 425         resp->max_ee_rd_atom    = attr->max_ee_rd_atom;
 426         resp->max_res_rd_atom   = attr->max_res_rd_atom;
 427         resp->max_qp_init_rd_atom       = attr->max_qp_init_rd_atom;
 428         resp->max_ee_init_rd_atom       = attr->max_ee_init_rd_atom;
 429         resp->atomic_cap                = attr->atomic_cap;
 430         resp->max_ee                    = attr->max_ee;
 431         resp->max_rdd                   = attr->max_rdd;
 432         resp->max_mw                    = attr->max_mw;
 433         resp->max_raw_ipv6_qp           = attr->max_raw_ipv6_qp;
 434         resp->max_raw_ethy_qp           = attr->max_raw_ethy_qp;
 435         resp->max_mcast_grp             = attr->max_mcast_grp;
 436         resp->max_mcast_qp_attach       = attr->max_mcast_qp_attach;
 437         resp->max_total_mcast_qp_attach = attr->max_total_mcast_qp_attach;
 438         resp->max_ah                    = attr->max_ah;
 439         resp->max_fmr                   = attr->max_fmr;
 440         resp->max_map_per_fmr           = attr->max_map_per_fmr;
 441         resp->max_srq                   = attr->max_srq;
 442         resp->max_srq_wr                = attr->max_srq_wr;
 443         resp->max_srq_sge               = attr->max_srq_sge;
 444         resp->max_pkeys                 = attr->max_pkeys;
 445         resp->local_ca_ack_delay        = attr->local_ca_ack_delay;
 446         resp->phys_port_cnt             = file->device->ib_dev->phys_port_cnt;
 447 }
 448
 449 ssize_t ib_uverbs_query_device(struct ib_uverbs_file *file,
 450                                const char __user *buf,
 451                                int in_len, int out_len)
 452 {
 453         struct ib_uverbs_query_device      cmd;
 454         struct ib_uverbs_query_device_resp resp;
 455         struct ib_device_attr              attr;
 456         int                                ret;
 457
 458         if (out_len < sizeof resp)
 459                 return -ENOSPC;
 460
 461         if (copy_from_user(&cmd, buf, sizeof cmd))
 462                 return -EFAULT;
 463
 464         ret = ib_query_device(file->device->ib_dev, &attr);
 465         if (ret)
 466                 return ret;
 467
 468         memset(&resp, 0, sizeof resp);
 469         copy_query_dev_fields(file, &resp, &attr);
 470
 471         if (copy_to_user((void __user *) (unsigned long) cmd.response,
 472                          &resp, sizeof resp))
 473                 return -EFAULT;
 474
 475         return in_len;
 476 }
 477
 478 ssize_t ib_uverbs_query_port(struct ib_uverbs_file *file,
 479                              const char __user *buf,
 480                              int in_len, int out_len)
 481 {
 482         struct ib_uverbs_query_port      cmd;
 483         struct ib_uverbs_query_port_resp resp;
 484         struct ib_port_attr              attr;
 485         int                              ret;
 486
 487         if (out_len < sizeof resp)
 488                 return -ENOSPC;
 489
 490         if (copy_from_user(&cmd, buf, sizeof cmd))
 491                 return -EFAULT;
 492
 493         ret = ib_query_port(file->device->ib_dev, cmd.port_num, &attr);
 494         if (ret)
 495                 return ret;
 496
 497         memset(&resp, 0, sizeof resp);
 498
 499         resp.state           = attr.state;
 500         resp.max_mtu         = attr.max_mtu;
 501         resp.active_mtu      = attr.active_mtu;
 502         resp.gid_tbl_len     = attr.gid_tbl_len;
 503         resp.port_cap_flags  = attr.port_cap_flags;
 504         resp.max_msg_sz      = attr.max_msg_sz;
 505         resp.bad_pkey_cntr   = attr.bad_pkey_cntr;
 506         resp.qkey_viol_cntr  = attr.qkey_viol_cntr;
 507         resp.pkey_tbl_len    = attr.pkey_tbl_len;
 508         resp.lid             = attr.lid;
 509         resp.sm_lid          = attr.sm_lid;
 510         resp.lmc             = attr.lmc;
 511         resp.max_vl_num      = attr.max_vl_num;
 512         resp.sm_sl           = attr.sm_sl;
 513         resp.subnet_timeout  = attr.subnet_timeout;
 514         resp.init_type_reply = attr.init_type_reply;
 515         resp.active_width    = attr.active_width;
 516         resp.active_speed    = attr.active_speed;
 517         resp.phys_state      = attr.phys_state;
 518         resp.link_layer      = rdma_port_get_link_layer(file->device->ib_dev,
 519                                                         cmd.port_num);
 520
 521         if (copy_to_user((void __user *) (unsigned long) cmd.response,
 522                          &resp, sizeof resp))
 523                 return -EFAULT;
 524
 525         return in_len;
 526 }
 527
 528 ssize_t ib_uverbs_alloc_pd(struct ib_uverbs_file *file,
 529                            const char __user *buf,
 530                            int in_len, int out_len)
 531 {
 532         struct ib_uverbs_alloc_pd      cmd;
 533         struct ib_uverbs_alloc_pd_resp resp;
 534         struct ib_udata                udata;
 535         struct ib_uobject             *uobj;
 536         struct ib_pd                  *pd;
 537         int                            ret;
 538
 539         if (out_len < sizeof resp)
 540                 return -ENOSPC;
 541
 542         if (copy_from_user(&cmd, buf, sizeof cmd))
 543                 return -EFAULT;
 544
 545         INIT_UDATA(&udata, buf + sizeof cmd,
 546                    (unsigned long) cmd.response + sizeof resp,
 547                    in_len - sizeof cmd, out_len - sizeof resp);
 548
 549         uobj = kmalloc(sizeof *uobj, GFP_KERNEL);
 550         if (!uobj)
 551                 return -ENOMEM;
 552
 553         init_uobj(uobj, 0, file->ucontext, &pd_lock_class);
 554         down_write(&uobj->mutex);
 555
 556         pd = file->device->ib_dev->alloc_pd(file->device->ib_dev,
 557                                             file->ucontext, &udata);
 558         if (IS_ERR(pd)) {
 559                 ret = PTR_ERR(pd);
 560                 goto err;
 561         }
 562
 563         pd->device  = file->device->ib_dev;
 564         pd->uobject = uobj;
 565         pd->local_mr = NULL;
 566         atomic_set(&pd->usecnt, 0);
 567
 568         uobj->object = pd;
 569         ret = idr_add_uobj(&ib_uverbs_pd_idr, uobj);
 570         if (ret)
 571                 goto err_idr;
 572
 573         memset(&resp, 0, sizeof resp);
 574         resp.pd_handle = uobj->id;
 575
 576         if (copy_to_user((void __user *) (unsigned long) cmd.response,
 577                          &resp, sizeof resp)) {
 578                 ret = -EFAULT;
 579                 goto err_copy;
 580         }
 581
 582         mutex_lock(&file->mutex);
 583         list_add_tail(&uobj->list, &file->ucontext->pd_list);
 584         mutex_unlock(&file->mutex);
 585
 586         uobj->live = 1;
 587
 588         up_write(&uobj->mutex);
 589
 590         return in_len;
 591
 592 err_copy:
 593         idr_remove_uobj(&ib_uverbs_pd_idr, uobj);
 594
 595 err_idr:
 596         ib_dealloc_pd(pd);
 597
 598 err:
 599         put_uobj_write(uobj);
 600         return ret;
 601 }
 602
 603 ssize_t ib_uverbs_dealloc_pd(struct ib_uverbs_file *file,
 604                              const char __user *buf,
 605                              int in_len, int out_len)
 606 {
 607         struct ib_uverbs_dealloc_pd cmd;
 608         struct ib_uobject          *uobj;
 609         int                         ret;
 610
 611         if (copy_from_user(&cmd, buf, sizeof cmd))
 612                 return -EFAULT;
 613
 614         uobj = idr_write_uobj(&ib_uverbs_pd_idr, cmd.pd_handle, file->ucontext);
 615         if (!uobj)
 616                 return -EINVAL;
 617
 618         ret = ib_dealloc_pd(uobj->object);
 619         if (!ret)
 620                 uobj->live = 0;
 621
 622         put_uobj_write(uobj);
 623
 624         if (ret)
 625                 return ret;
 626
 627         idr_remove_uobj(&ib_uverbs_pd_idr, uobj);
 628
 629         mutex_lock(&file->mutex);
 630         list_del(&uobj->list);
 631         mutex_unlock(&file->mutex);
 632
 633         put_uobj(uobj);
 634
 635         return in_len;
 636 }
 637
 638 struct xrcd_table_entry {
 639         struct rb_node  node;
 640         struct ib_xrcd *xrcd;
 641         struct inode   *inode;
 642 };
 643
 644 static int xrcd_table_insert(struct ib_uverbs_device *dev,
 645                             struct inode *inode,
 646                             struct ib_xrcd *xrcd)
 647 {
 648         struct xrcd_table_entry *entry, *scan;
 649         struct rb_node **p = &dev->xrcd_tree.rb_node;
 650         struct rb_node *parent = NULL;
 651
 652         entry = kmalloc(sizeof *entry, GFP_KERNEL);
 653         if (!entry)
 654                 return -ENOMEM;
 655
 656         entry->xrcd  = xrcd;
 657         entry->inode = inode;
 658
 659         while (*p) {
 660                 parent = *p;
 661                 scan = rb_entry(parent, struct xrcd_table_entry, node);
 662
 663                 if (inode < scan->inode) {
 664                         p = &(*p)->rb_left;
 665                 } else if (inode > scan->inode) {
 666                         p = &(*p)->rb_right;
 667                 } else {
 668                         kfree(entry);
 669                         return -EEXIST;
 670                 }
 671         }
 672
 673         rb_link_node(&entry->node, parent, p);
 674         rb_insert_color(&entry->node, &dev->xrcd_tree);
 675         igrab(inode);
 676         return 0;
 677 }
 678
 679 static struct xrcd_table_entry *xrcd_table_search(struct ib_uverbs_device *dev,
 680                                                   struct inode *inode)
 681 {
 682         struct xrcd_table_entry *entry;
 683         struct rb_node *p = dev->xrcd_tree.rb_node;
 684
 685         while (p) {
 686                 entry = rb_entry(p, struct xrcd_table_entry, node);
 687
 688                 if (inode < entry->inode)
 689                         p = p->rb_left;
 690                 else if (inode > entry->inode)
 691                         p = p->rb_right;
 692                 else
 693                         return entry;
 694         }
 695
 696         return NULL;
 697 }
 698
 699 static struct ib_xrcd *find_xrcd(struct ib_uverbs_device *dev, struct inode *inode)
 700 {
 701         struct xrcd_table_entry *entry;
 702
 703         entry = xrcd_table_search(dev, inode);
 704         if (!entry)
 705                 return NULL;
 706
 707         return entry->xrcd;
 708 }
 709
 710 static void xrcd_table_delete(struct ib_uverbs_device *dev,
 711                               struct inode *inode)
 712 {
 713         struct xrcd_table_entry *entry;
 714
 715         entry = xrcd_table_search(dev, inode);
 716         if (entry) {
 717                 iput(inode);
 718                 rb_erase(&entry->node, &dev->xrcd_tree);
 719                 kfree(entry);
 720         }
 721 }
 722
 723 ssize_t ib_uverbs_open_xrcd(struct ib_uverbs_file *file,
 724                             const char __user *buf, int in_len,
 725                             int out_len)
 726 {
 727         struct ib_uverbs_open_xrcd      cmd;
 728         struct ib_uverbs_open_xrcd_resp resp;
 729         struct ib_udata                 udata;
 730         struct ib_uxrcd_object         *obj;
 731         struct ib_xrcd                 *xrcd = NULL;
 732         struct fd                       f = {NULL, 0};
 733         struct inode                   *inode = NULL;
 734         int                             ret = 0;
 735         int                             new_xrcd = 0;
 736
 737         if (out_len < sizeof resp)
 738                 return -ENOSPC;
 739
 740         if (copy_from_user(&cmd, buf, sizeof cmd))
 741                 return -EFAULT;
 742
 743         INIT_UDATA(&udata, buf + sizeof cmd,
 744                    (unsigned long) cmd.response + sizeof resp,
 745                    in_len - sizeof cmd, out_len - sizeof  resp);
 746
 747         mutex_lock(&file->device->xrcd_tree_mutex);
 748
 749         if (cmd.fd != -1) {
 750                 /* search for file descriptor */
 751                 f = fdget(cmd.fd);
 752                 if (!f.file) {
 753                         ret = -EBADF;
 754                         goto err_tree_mutex_unlock;
 755                 }
 756
 757                 inode = file_inode(f.file);
 758                 xrcd = find_xrcd(file->device, inode);
 759                 if (!xrcd && !(cmd.oflags & O_CREAT)) {
 760                         /* no file descriptor. Need CREATE flag */
 761                         ret = -EAGAIN;
 762                         goto err_tree_mutex_unlock;
 763                 }
 764
 765                 if (xrcd && cmd.oflags & O_EXCL) {
 766                         ret = -EINVAL;
 767                         goto err_tree_mutex_unlock;
 768                 }
 769         }
 770
 771         obj = kmalloc(sizeof *obj, GFP_KERNEL);
 772         if (!obj) {
 773                 ret = -ENOMEM;
 774                 goto err_tree_mutex_unlock;
 775         }
 776
 777         init_uobj(&obj->uobject, 0, file->ucontext, &xrcd_lock_class);
 778
 779         down_write(&obj->uobject.mutex);
 780
 781         if (!xrcd) {
 782                 xrcd = file->device->ib_dev->alloc_xrcd(file->device->ib_dev,
 783                                                         file->ucontext, &udata);
 784                 if (IS_ERR(xrcd)) {
 785                         ret = PTR_ERR(xrcd);
 786                         goto err;
 787                 }
 788
 789                 xrcd->inode   = inode;
 790                 xrcd->device  = file->device->ib_dev;
 791                 atomic_set(&xrcd->usecnt, 0);
 792                 mutex_init(&xrcd->tgt_qp_mutex);
 793                 INIT_LIST_HEAD(&xrcd->tgt_qp_list);
 794                 new_xrcd = 1;
 795         }
 796
 797         atomic_set(&obj->refcnt, 0);
 798         obj->uobject.object = xrcd;
 799         ret = idr_add_uobj(&ib_uverbs_xrcd_idr, &obj->uobject);
 800         if (ret)
 801                 goto err_idr;
 802
 803         memset(&resp, 0, sizeof resp);
 804         resp.xrcd_handle = obj->uobject.id;
 805
 806         if (inode) {
 807                 if (new_xrcd) {
 808                         /* create new inode/xrcd table entry */
 809                         ret = xrcd_table_insert(file->device, inode, xrcd);
 810                         if (ret)
 811                                 goto err_insert_xrcd;
 812                 }
 813                 atomic_inc(&xrcd->usecnt);
 814         }
 815
 816         if (copy_to_user((void __user *) (unsigned long) cmd.response,
 817                          &resp, sizeof resp)) {
 818                 ret = -EFAULT;
 819                 goto err_copy;
 820         }
 821
 822         if (f.file)
 823                 fdput(f);
 824
 825         mutex_lock(&file->mutex);
 826         list_add_tail(&obj->uobject.list, &file->ucontext->xrcd_list);
 827         mutex_unlock(&file->mutex);
 828
 829         obj->uobject.live = 1;
 830         up_write(&obj->uobject.mutex);
 831
 832         mutex_unlock(&file->device->xrcd_tree_mutex);
 833         return in_len;
 834
 835 err_copy:
 836         if (inode) {
 837                 if (new_xrcd)
 838                         xrcd_table_delete(file->device, inode);
 839                 atomic_dec(&xrcd->usecnt);
 840         }
 841
 842 err_insert_xrcd:
 843         idr_remove_uobj(&ib_uverbs_xrcd_idr, &obj->uobject);
 844
 845 err_idr:
 846         ib_dealloc_xrcd(xrcd);
 847
 848 err:
 849         put_uobj_write(&obj->uobject);
 850
 851 err_tree_mutex_unlock:
 852         if (f.file)
 853                 fdput(f);
 854
 855         mutex_unlock(&file->device->xrcd_tree_mutex);
 856
 857         return ret;
 858 }
 859
 860 ssize_t ib_uverbs_close_xrcd(struct ib_uverbs_file *file,
 861                              const char __user *buf, int in_len,
 862                              int out_len)
 863 {
 864         struct ib_uverbs_close_xrcd cmd;
 865         struct ib_uobject           *uobj;
 866         struct ib_xrcd              *xrcd = NULL;
 867         struct inode                *inode = NULL;
 868         struct ib_uxrcd_object      *obj;
 869         int                         live;
 870         int                         ret = 0;
 871
 872         if (copy_from_user(&cmd, buf, sizeof cmd))
 873                 return -EFAULT;
 874
 875         mutex_lock(&file->device->xrcd_tree_mutex);
 876         uobj = idr_write_uobj(&ib_uverbs_xrcd_idr, cmd.xrcd_handle, file->ucontext);
 877         if (!uobj) {
 878                 ret = -EINVAL;
 879                 goto out;
 880         }
 881
 882         xrcd  = uobj->object;
 883         inode = xrcd->inode;
 884         obj   = container_of(uobj, struct ib_uxrcd_object, uobject);
 885         if (atomic_read(&obj->refcnt)) {
 886                 put_uobj_write(uobj);
 887                 ret = -EBUSY;
 888                 goto out;
 889         }
 890
 891         if (!inode || atomic_dec_and_test(&xrcd->usecnt)) {
 892                 ret = ib_dealloc_xrcd(uobj->object);
 893                 if (!ret)
 894                         uobj->live = 0;
 895         }
 896
 897         live = uobj->live;
 898         if (inode && ret)
 899                 atomic_inc(&xrcd->usecnt);
 900
 901         put_uobj_write(uobj);
 902
 903         if (ret)
 904                 goto out;
 905
 906         if (inode && !live)
 907                 xrcd_table_delete(file->device, inode);
 908
 909         idr_remove_uobj(&ib_uverbs_xrcd_idr, uobj);
 910         mutex_lock(&file->mutex);
 911         list_del(&uobj->list);
 912         mutex_unlock(&file->mutex);
 913
 914         put_uobj(uobj);
 915         ret = in_len;
 916
 917 out:
 918         mutex_unlock(&file->device->xrcd_tree_mutex);
 919         return ret;
 920 }
 921
 922 void ib_uverbs_dealloc_xrcd(struct ib_uverbs_device *dev,
 923                             struct ib_xrcd *xrcd)
 924 {
 925         struct inode *inode;
 926
 927         inode = xrcd->inode;
 928         if (inode && !atomic_dec_and_test(&xrcd->usecnt))
 929                 return;
 930
 931         ib_dealloc_xrcd(xrcd);
 932
 933         if (inode)
 934                 xrcd_table_delete(dev, inode);
 935 }
 936
 937 ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
 938                          const char __user *buf, int in_len,
 939                          int out_len)
 940 {
 941         struct ib_uverbs_reg_mr      cmd;
 942         struct ib_uverbs_reg_mr_resp resp;
 943         struct ib_udata              udata;
 944         struct ib_uobject           *uobj;
 945         struct ib_pd                *pd;
 946         struct ib_mr                *mr;
 947         int                          ret;
 948
 949         if (out_len < sizeof resp)
 950                 return -ENOSPC;
 951
 952         if (copy_from_user(&cmd, buf, sizeof cmd))
 953                 return -EFAULT;
 954
 955         INIT_UDATA(&udata, buf + sizeof cmd,
 956                    (unsigned long) cmd.response + sizeof resp,
 957                    in_len - sizeof cmd, out_len - sizeof resp);
 958
 959         if ((cmd.start & ~PAGE_MASK) != (cmd.hca_va & ~PAGE_MASK))
 960                 return -EINVAL;
 961
 962         ret = ib_check_mr_access(cmd.access_flags);
 963         if (ret)
 964                 return ret;
 965
 966         uobj = kmalloc(sizeof *uobj, GFP_KERNEL);
 967         if (!uobj)
 968                 return -ENOMEM;
 969
 970         init_uobj(uobj, 0, file->ucontext, &mr_lock_class);
 971         down_write(&uobj->mutex);
 972
 973         pd = idr_read_pd(cmd.pd_handle, file->ucontext);
 974         if (!pd) {
 975                 ret = -EINVAL;
 976                 goto err_free;
 977         }
 978
 979         if (cmd.access_flags & IB_ACCESS_ON_DEMAND) {
 980                 struct ib_device_attr attr;
 981
 982                 ret = ib_query_device(pd->device, &attr);
 983                 if (ret || !(attr.device_cap_flags &
 984                                 IB_DEVICE_ON_DEMAND_PAGING)) {
 985                         pr_debug("ODP support not available\n");
 986                         ret = -EINVAL;
 987                         goto err_put;
 988                 }
 989         }
 990
 991         mr = pd->device->reg_user_mr(pd, cmd.start, cmd.length, cmd.hca_va,
 992                                      cmd.access_flags, &udata);
 993         if (IS_ERR(mr)) {
 994                 ret = PTR_ERR(mr);
 995                 goto err_put;
 996         }
 997
 998         mr->device  = pd->device;
 999         mr->pd      = pd;
1000         mr->uobject = uobj;
1001         atomic_inc(&pd->usecnt);
1002         atomic_set(&mr->usecnt, 0);
1003
1004         uobj->object = mr;
1005         ret = idr_add_uobj(&ib_uverbs_mr_idr, uobj);
1006         if (ret)
1007                 goto err_unreg;
1008
1009         memset(&resp, 0, sizeof resp);
1010         resp.lkey      = mr->lkey;
1011         resp.rkey      = mr->rkey;
1012         resp.mr_handle = uobj->id;
1013
1014         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1015                          &resp, sizeof resp)) {
1016                 ret = -EFAULT;
1017                 goto err_copy;
1018         }
1019
1020         put_pd_read(pd);
1021
1022         mutex_lock(&file->mutex);
1023         list_add_tail(&uobj->list, &file->ucontext->mr_list);
1024         mutex_unlock(&file->mutex);
1025
1026         uobj->live = 1;
1027
1028         up_write(&uobj->mutex);
1029
1030         return in_len;
1031
1032 err_copy:
1033         idr_remove_uobj(&ib_uverbs_mr_idr, uobj);
1034
1035 err_unreg:
1036         ib_dereg_mr(mr);
1037
1038 err_put:
1039         put_pd_read(pd);
1040
1041 err_free:
1042         put_uobj_write(uobj);
1043         return ret;
1044 }
1045
1046 ssize_t ib_uverbs_rereg_mr(struct ib_uverbs_file *file,
1047                            const char __user *buf, int in_len,
1048                            int out_len)
1049 {
1050         struct ib_uverbs_rereg_mr      cmd;
1051         struct ib_uverbs_rereg_mr_resp resp;
1052         struct ib_udata              udata;
1053         struct ib_pd                *pd = NULL;
1054         struct ib_mr                *mr;
1055         struct ib_pd                *old_pd;
1056         int                          ret;
1057         struct ib_uobject           *uobj;
1058
1059         if (out_len < sizeof(resp))
1060                 return -ENOSPC;
1061
1062         if (copy_from_user(&cmd, buf, sizeof(cmd)))
1063                 return -EFAULT;
1064
1065         INIT_UDATA(&udata, buf + sizeof(cmd),
1066                    (unsigned long) cmd.response + sizeof(resp),
1067                    in_len - sizeof(cmd), out_len - sizeof(resp));
1068
1069         if (cmd.flags & ~IB_MR_REREG_SUPPORTED || !cmd.flags)
1070                 return -EINVAL;
1071
1072         if ((cmd.flags & IB_MR_REREG_TRANS) &&
1073             (!cmd.start || !cmd.hca_va || 0 >= cmd.length ||
1074              (cmd.start & ~PAGE_MASK) != (cmd.hca_va & ~PAGE_MASK)))
1075                         return -EINVAL;
1076
1077         uobj = idr_write_uobj(&ib_uverbs_mr_idr, cmd.mr_handle,
1078                               file->ucontext);
1079
1080         if (!uobj)
1081                 return -EINVAL;
1082
1083         mr = uobj->object;
1084
1085         if (cmd.flags & IB_MR_REREG_ACCESS) {
1086                 ret = ib_check_mr_access(cmd.access_flags);
1087                 if (ret)
1088                         goto put_uobjs;
1089         }
1090
1091         if (cmd.flags & IB_MR_REREG_PD) {
1092                 pd = idr_read_pd(cmd.pd_handle, file->ucontext);
1093                 if (!pd) {
1094                         ret = -EINVAL;
1095                         goto put_uobjs;
1096                 }
1097         }
1098
1099         if (atomic_read(&mr->usecnt)) {
1100                 ret = -EBUSY;
1101                 goto put_uobj_pd;
1102         }
1103
1104         old_pd = mr->pd;
1105         ret = mr->device->rereg_user_mr(mr, cmd.flags, cmd.start,
1106                                         cmd.length, cmd.hca_va,
1107                                         cmd.access_flags, pd, &udata);
1108         if (!ret) {
1109                 if (cmd.flags & IB_MR_REREG_PD) {
1110                         atomic_inc(&pd->usecnt);
1111                         mr->pd = pd;
1112                         atomic_dec(&old_pd->usecnt);
1113                 }
1114         } else {
1115                 goto put_uobj_pd;
1116         }
1117
1118         memset(&resp, 0, sizeof(resp));
1119         resp.lkey      = mr->lkey;
1120         resp.rkey      = mr->rkey;
1121
1122         if (copy_to_user((void __user *)(unsigned long)cmd.response,
1123                          &resp, sizeof(resp)))
1124                 ret = -EFAULT;
1125         else
1126                 ret = in_len;
1127
1128 put_uobj_pd:
1129         if (cmd.flags & IB_MR_REREG_PD)
1130                 put_pd_read(pd);
1131
1132 put_uobjs:
1133
1134         put_uobj_write(mr->uobject);
1135
1136         return ret;
1137 }
1138
1139 ssize_t ib_uverbs_dereg_mr(struct ib_uverbs_file *file,
1140                            const char __user *buf, int in_len,
1141                            int out_len)
1142 {
1143         struct ib_uverbs_dereg_mr cmd;
1144         struct ib_mr             *mr;
1145         struct ib_uobject        *uobj;
1146         int                       ret = -EINVAL;
1147
1148         if (copy_from_user(&cmd, buf, sizeof cmd))
1149                 return -EFAULT;
1150
1151         uobj = idr_write_uobj(&ib_uverbs_mr_idr, cmd.mr_handle, file->ucontext);
1152         if (!uobj)
1153                 return -EINVAL;
1154
1155         mr = uobj->object;
1156
1157         ret = ib_dereg_mr(mr);
1158         if (!ret)
1159                 uobj->live = 0;
1160
1161         put_uobj_write(uobj);
1162
1163         if (ret)
1164                 return ret;
1165
1166         idr_remove_uobj(&ib_uverbs_mr_idr, uobj);
1167
1168         mutex_lock(&file->mutex);
1169         list_del(&uobj->list);
1170         mutex_unlock(&file->mutex);
1171
1172         put_uobj(uobj);
1173
1174         return in_len;
1175 }
1176
1177 ssize_t ib_uverbs_alloc_mw(struct ib_uverbs_file *file,
1178                          const char __user *buf, int in_len,
1179                          int out_len)
1180 {
1181         struct ib_uverbs_alloc_mw      cmd;
1182         struct ib_uverbs_alloc_mw_resp resp;
1183         struct ib_uobject             *uobj;
1184         struct ib_pd                  *pd;
1185         struct ib_mw                  *mw;
1186         int                            ret;
1187
1188         if (out_len < sizeof(resp))
1189                 return -ENOSPC;
1190
1191         if (copy_from_user(&cmd, buf, sizeof(cmd)))
1192                 return -EFAULT;
1193
1194         uobj = kmalloc(sizeof(*uobj), GFP_KERNEL);
1195         if (!uobj)
1196                 return -ENOMEM;
1197
1198         init_uobj(uobj, 0, file->ucontext, &mw_lock_class);
1199         down_write(&uobj->mutex);
1200
1201         pd = idr_read_pd(cmd.pd_handle, file->ucontext);
1202         if (!pd) {
1203                 ret = -EINVAL;
1204                 goto err_free;
1205         }
1206
1207         mw = pd->device->alloc_mw(pd, cmd.mw_type);
1208         if (IS_ERR(mw)) {
1209                 ret = PTR_ERR(mw);
1210                 goto err_put;
1211         }
1212
1213         mw->device  = pd->device;
1214         mw->pd      = pd;
1215         mw->uobject = uobj;
1216         atomic_inc(&pd->usecnt);
1217
1218         uobj->object = mw;
1219         ret = idr_add_uobj(&ib_uverbs_mw_idr, uobj);
1220         if (ret)
1221                 goto err_unalloc;
1222
1223         memset(&resp, 0, sizeof(resp));
1224         resp.rkey      = mw->rkey;
1225         resp.mw_handle = uobj->id;
1226
1227         if (copy_to_user((void __user *)(unsigned long)cmd.response,
1228                          &resp, sizeof(resp))) {
1229                 ret = -EFAULT;
1230                 goto err_copy;
1231         }
1232
1233         put_pd_read(pd);
1234
1235         mutex_lock(&file->mutex);
1236         list_add_tail(&uobj->list, &file->ucontext->mw_list);
1237         mutex_unlock(&file->mutex);
1238
1239         uobj->live = 1;
1240
1241         up_write(&uobj->mutex);
1242
1243         return in_len;
1244
1245 err_copy:
1246         idr_remove_uobj(&ib_uverbs_mw_idr, uobj);
1247
1248 err_unalloc:
1249         ib_dealloc_mw(mw);
1250
1251 err_put:
1252         put_pd_read(pd);
1253
1254 err_free:
1255         put_uobj_write(uobj);
1256         return ret;
1257 }
1258
1259 ssize_t ib_uverbs_dealloc_mw(struct ib_uverbs_file *file,
1260                            const char __user *buf, int in_len,
1261                            int out_len)
1262 {
1263         struct ib_uverbs_dealloc_mw cmd;
1264         struct ib_mw               *mw;
1265         struct ib_uobject          *uobj;
1266         int                         ret = -EINVAL;
1267
1268         if (copy_from_user(&cmd, buf, sizeof(cmd)))
1269                 return -EFAULT;
1270
1271         uobj = idr_write_uobj(&ib_uverbs_mw_idr, cmd.mw_handle, file->ucontext);
1272         if (!uobj)
1273                 return -EINVAL;
1274
1275         mw = uobj->object;
1276
1277         ret = ib_dealloc_mw(mw);
1278         if (!ret)
1279                 uobj->live = 0;
1280
1281         put_uobj_write(uobj);
1282
1283         if (ret)
1284                 return ret;
1285
1286         idr_remove_uobj(&ib_uverbs_mw_idr, uobj);
1287
1288         mutex_lock(&file->mutex);
1289         list_del(&uobj->list);
1290         mutex_unlock(&file->mutex);
1291
1292         put_uobj(uobj);
1293
1294         return in_len;
1295 }
1296
1297 ssize_t ib_uverbs_create_comp_channel(struct ib_uverbs_file *file,
1298                                       const char __user *buf, int in_len,
1299                                       int out_len)
1300 {
1301         struct ib_uverbs_create_comp_channel       cmd;
1302         struct ib_uverbs_create_comp_channel_resp  resp;
1303         struct file                               *filp;
1304         int ret;
1305
1306         if (out_len < sizeof resp)
1307                 return -ENOSPC;
1308
1309         if (copy_from_user(&cmd, buf, sizeof cmd))
1310                 return -EFAULT;
1311
1312         ret = get_unused_fd_flags(O_CLOEXEC);
1313         if (ret < 0)
1314                 return ret;
1315         resp.fd = ret;
1316
1317         filp = ib_uverbs_alloc_event_file(file, 0);
1318         if (IS_ERR(filp)) {
1319                 put_unused_fd(resp.fd);
1320                 return PTR_ERR(filp);
1321         }
1322
1323         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1324                          &resp, sizeof resp)) {
1325                 put_unused_fd(resp.fd);
1326                 fput(filp);
1327                 return -EFAULT;
1328         }
1329
1330         fd_install(resp.fd, filp);
1331         return in_len;
1332 }
1333
1334 static struct ib_ucq_object *create_cq(struct ib_uverbs_file *file,
1335                                        struct ib_udata *ucore,
1336                                        struct ib_udata *uhw,
1337                                        struct ib_uverbs_ex_create_cq *cmd,
1338                                        size_t cmd_sz,
1339                                        int (*cb)(struct ib_uverbs_file *file,
1340                                                  struct ib_ucq_object *obj,
1341                                                  struct ib_uverbs_ex_create_cq_resp *resp,
1342                                                  struct ib_udata *udata,
1343                                                  void *context),
1344                                        void *context)
1345 {
1346         struct ib_ucq_object           *obj;
1347         struct ib_uverbs_event_file    *ev_file = NULL;
1348         struct ib_cq                   *cq;
1349         int                             ret;
1350         struct ib_uverbs_ex_create_cq_resp resp;
1351         struct ib_cq_init_attr attr = {};
1352
1353         if (cmd->comp_vector >= file->device->num_comp_vectors)
1354                 return ERR_PTR(-EINVAL);
1355
1356         obj = kmalloc(sizeof *obj, GFP_KERNEL);
1357         if (!obj)
1358                 return ERR_PTR(-ENOMEM);
1359
1360         init_uobj(&obj->uobject, cmd->user_handle, file->ucontext, &cq_lock_class);
1361         down_write(&obj->uobject.mutex);
1362
1363         if (cmd->comp_channel >= 0) {
1364                 ev_file = ib_uverbs_lookup_comp_file(cmd->comp_channel);
1365                 if (!ev_file) {
1366                         ret = -EINVAL;
1367                         goto err;
1368                 }
1369         }
1370
1371         obj->uverbs_file           = file;
1372         obj->comp_events_reported  = 0;
1373         obj->async_events_reported = 0;
1374         INIT_LIST_HEAD(&obj->comp_list);
1375         INIT_LIST_HEAD(&obj->async_list);
1376
1377         attr.cqe = cmd->cqe;
1378         attr.comp_vector = cmd->comp_vector;
1379
1380         if (cmd_sz > offsetof(typeof(*cmd), flags) + sizeof(cmd->flags))
1381                 attr.flags = cmd->flags;
1382
1383         cq = file->device->ib_dev->create_cq(file->device->ib_dev, &attr,
1384                                              file->ucontext, uhw);
1385         if (IS_ERR(cq)) {
1386                 ret = PTR_ERR(cq);
1387                 goto err_file;
1388         }
1389
1390         cq->device        = file->device->ib_dev;
1391         cq->uobject       = &obj->uobject;
1392         cq->comp_handler  = ib_uverbs_comp_handler;
1393         cq->event_handler = ib_uverbs_cq_event_handler;
1394         cq->cq_context    = ev_file;
1395         atomic_set(&cq->usecnt, 0);
1396
1397         obj->uobject.object = cq;
1398         ret = idr_add_uobj(&ib_uverbs_cq_idr, &obj->uobject);
1399         if (ret)
1400                 goto err_free;
1401
1402         memset(&resp, 0, sizeof resp);
1403         resp.base.cq_handle = obj->uobject.id;
1404         resp.base.cqe       = cq->cqe;
1405
1406         resp.response_length = offsetof(typeof(resp), response_length) +
1407                 sizeof(resp.response_length);
1408
1409         ret = cb(file, obj, &resp, ucore, context);
1410         if (ret)
1411                 goto err_cb;
1412
1413         mutex_lock(&file->mutex);
1414         list_add_tail(&obj->uobject.list, &file->ucontext->cq_list);
1415         mutex_unlock(&file->mutex);
1416
1417         obj->uobject.live = 1;
1418
1419         up_write(&obj->uobject.mutex);
1420
1421         return obj;
1422
1423 err_cb:
1424         idr_remove_uobj(&ib_uverbs_cq_idr, &obj->uobject);
1425
1426 err_free:
1427         ib_destroy_cq(cq);
1428
1429 err_file:
1430         if (ev_file)
1431                 ib_uverbs_release_ucq(file, ev_file, obj);
1432
1433 err:
1434         put_uobj_write(&obj->uobject);
1435
1436         return ERR_PTR(ret);
1437 }
1438
1439 static int ib_uverbs_create_cq_cb(struct ib_uverbs_file *file,
1440                                   struct ib_ucq_object *obj,
1441                                   struct ib_uverbs_ex_create_cq_resp *resp,
1442                                   struct ib_udata *ucore, void *context)
1443 {
1444         if (ib_copy_to_udata(ucore, &resp->base, sizeof(resp->base)))
1445                 return -EFAULT;
1446
1447         return 0;
1448 }
1449
1450 ssize_t ib_uverbs_create_cq(struct ib_uverbs_file *file,
1451                             const char __user *buf, int in_len,
1452                             int out_len)
1453 {
1454         struct ib_uverbs_create_cq      cmd;
1455         struct ib_uverbs_ex_create_cq   cmd_ex;
1456         struct ib_uverbs_create_cq_resp resp;
1457         struct ib_udata                 ucore;
1458         struct ib_udata                 uhw;
1459         struct ib_ucq_object           *obj;
1460
1461         if (out_len < sizeof(resp))
1462                 return -ENOSPC;
1463
1464         if (copy_from_user(&cmd, buf, sizeof(cmd)))
1465                 return -EFAULT;
1466
1467         INIT_UDATA(&ucore, buf, cmd.response, sizeof(cmd), sizeof(resp));
1468
1469         INIT_UDATA(&uhw, buf + sizeof(cmd),
1470                    (unsigned long)cmd.response + sizeof(resp),
1471                    in_len - sizeof(cmd), out_len - sizeof(resp));
1472
1473         memset(&cmd_ex, 0, sizeof(cmd_ex));
1474         cmd_ex.user_handle = cmd.user_handle;
1475         cmd_ex.cqe = cmd.cqe;
1476         cmd_ex.comp_vector = cmd.comp_vector;
1477         cmd_ex.comp_channel = cmd.comp_channel;
1478
1479         obj = create_cq(file, &ucore, &uhw, &cmd_ex,
1480                         offsetof(typeof(cmd_ex), comp_channel) +
1481                         sizeof(cmd.comp_channel), ib_uverbs_create_cq_cb,
1482                         NULL);
1483
1484         if (IS_ERR(obj))
1485                 return PTR_ERR(obj);
1486
1487         return in_len;
1488 }
1489
1490 static int ib_uverbs_ex_create_cq_cb(struct ib_uverbs_file *file,
1491                                      struct ib_ucq_object *obj,
1492                                      struct ib_uverbs_ex_create_cq_resp *resp,
1493                                      struct ib_udata *ucore, void *context)
1494 {
1495         if (ib_copy_to_udata(ucore, resp, resp->response_length))
1496                 return -EFAULT;
1497
1498         return 0;
1499 }
1500
1501 int ib_uverbs_ex_create_cq(struct ib_uverbs_file *file,
1502                            struct ib_udata *ucore,
1503                            struct ib_udata *uhw)
1504 {
1505         struct ib_uverbs_ex_create_cq_resp resp;
1506         struct ib_uverbs_ex_create_cq  cmd;
1507         struct ib_ucq_object           *obj;
1508         int err;
1509
1510         if (ucore->inlen < sizeof(cmd))
1511                 return -EINVAL;
1512
1513         err = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
1514         if (err)
1515                 return err;
1516
1517         if (cmd.comp_mask)
1518                 return -EINVAL;
1519
1520         if (cmd.reserved)
1521                 return -EINVAL;
1522
1523         if (ucore->outlen < (offsetof(typeof(resp), response_length) +
1524                              sizeof(resp.response_length)))
1525                 return -ENOSPC;
1526
1527         obj = create_cq(file, ucore, uhw, &cmd,
1528                         min(ucore->inlen, sizeof(cmd)),
1529                         ib_uverbs_ex_create_cq_cb, NULL);
1530
1531         if (IS_ERR(obj))
1532                 return PTR_ERR(obj);
1533
1534         return 0;
1535 }
1536
1537 ssize_t ib_uverbs_resize_cq(struct ib_uverbs_file *file,
1538                             const char __user *buf, int in_len,
1539                             int out_len)
1540 {
1541         struct ib_uverbs_resize_cq      cmd;
1542         struct ib_uverbs_resize_cq_resp resp;
1543         struct ib_udata                 udata;
1544         struct ib_cq                    *cq;
1545         int                             ret = -EINVAL;
1546
1547         if (copy_from_user(&cmd, buf, sizeof cmd))
1548                 return -EFAULT;
1549
1550         INIT_UDATA(&udata, buf + sizeof cmd,
1551                    (unsigned long) cmd.response + sizeof resp,
1552                    in_len - sizeof cmd, out_len - sizeof resp);
1553
1554         cq = idr_read_cq(cmd.cq_handle, file->ucontext, 0);
1555         if (!cq)
1556                 return -EINVAL;
1557
1558         ret = cq->device->resize_cq(cq, cmd.cqe, &udata);
1559         if (ret)
1560                 goto out;
1561
1562         resp.cqe = cq->cqe;
1563
1564         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1565                          &resp, sizeof resp.cqe))
1566                 ret = -EFAULT;
1567
1568 out:
1569         put_cq_read(cq);
1570
1571         return ret ? ret : in_len;
1572 }
1573
1574 static int copy_wc_to_user(void __user *dest, struct ib_wc *wc)
1575 {
1576         struct ib_uverbs_wc tmp;
1577
1578         tmp.wr_id               = wc->wr_id;
1579         tmp.status              = wc->status;
1580         tmp.opcode              = wc->opcode;
1581         tmp.vendor_err          = wc->vendor_err;
1582         tmp.byte_len            = wc->byte_len;
1583         tmp.ex.imm_data         = (__u32 __force) wc->ex.imm_data;
1584         tmp.qp_num              = wc->qp->qp_num;
1585         tmp.src_qp              = wc->src_qp;
1586         tmp.wc_flags            = wc->wc_flags;
1587         tmp.pkey_index          = wc->pkey_index;
1588         tmp.slid                = wc->slid;
1589         tmp.sl                  = wc->sl;
1590         tmp.dlid_path_bits      = wc->dlid_path_bits;
1591         tmp.port_num            = wc->port_num;
1592         tmp.reserved            = 0;
1593
1594         if (copy_to_user(dest, &tmp, sizeof tmp))
1595                 return -EFAULT;
1596
1597         return 0;
1598 }
1599
1600 ssize_t ib_uverbs_poll_cq(struct ib_uverbs_file *file,
1601                           const char __user *buf, int in_len,
1602                           int out_len)
1603 {
1604         struct ib_uverbs_poll_cq       cmd;
1605         struct ib_uverbs_poll_cq_resp  resp;
1606         u8 __user                     *header_ptr;
1607         u8 __user                     *data_ptr;
1608         struct ib_cq                  *cq;
1609         struct ib_wc                   wc;
1610         int                            ret;
1611
1612         if (copy_from_user(&cmd, buf, sizeof cmd))
1613                 return -EFAULT;
1614
1615         cq = idr_read_cq(cmd.cq_handle, file->ucontext, 0);
1616         if (!cq)
1617                 return -EINVAL;
1618
1619         /* we copy a struct ib_uverbs_poll_cq_resp to user space */
1620         header_ptr = (void __user *)(unsigned long) cmd.response;
1621         data_ptr = header_ptr + sizeof resp;
1622
1623         memset(&resp, 0, sizeof resp);
1624         while (resp.count < cmd.ne) {
1625                 ret = ib_poll_cq(cq, 1, &wc);
1626                 if (ret < 0)
1627                         goto out_put;
1628                 if (!ret)
1629                         break;
1630
1631                 ret = copy_wc_to_user(data_ptr, &wc);
1632                 if (ret)
1633                         goto out_put;
1634
1635                 data_ptr += sizeof(struct ib_uverbs_wc);
1636                 ++resp.count;
1637         }
1638
1639         if (copy_to_user(header_ptr, &resp, sizeof resp)) {
1640                 ret = -EFAULT;
1641                 goto out_put;
1642         }
1643
1644         ret = in_len;
1645
1646 out_put:
1647         put_cq_read(cq);
1648         return ret;
1649 }
1650
1651 ssize_t ib_uverbs_req_notify_cq(struct ib_uverbs_file *file,
1652                                 const char __user *buf, int in_len,
1653                                 int out_len)
1654 {
1655         struct ib_uverbs_req_notify_cq cmd;
1656         struct ib_cq                  *cq;
1657
1658         if (copy_from_user(&cmd, buf, sizeof cmd))
1659                 return -EFAULT;
1660
1661         cq = idr_read_cq(cmd.cq_handle, file->ucontext, 0);
1662         if (!cq)
1663                 return -EINVAL;
1664
1665         ib_req_notify_cq(cq, cmd.solicited_only ?
1666                          IB_CQ_SOLICITED : IB_CQ_NEXT_COMP);
1667
1668         put_cq_read(cq);
1669
1670         return in_len;
1671 }
1672
1673 ssize_t ib_uverbs_destroy_cq(struct ib_uverbs_file *file,
1674                              const char __user *buf, int in_len,
1675                              int out_len)
1676 {
1677         struct ib_uverbs_destroy_cq      cmd;
1678         struct ib_uverbs_destroy_cq_resp resp;
1679         struct ib_uobject               *uobj;
1680         struct ib_cq                    *cq;
1681         struct ib_ucq_object            *obj;
1682         struct ib_uverbs_event_file     *ev_file;
1683         int                              ret = -EINVAL;
1684
1685         if (copy_from_user(&cmd, buf, sizeof cmd))
1686                 return -EFAULT;
1687
1688         uobj = idr_write_uobj(&ib_uverbs_cq_idr, cmd.cq_handle, file->ucontext);
1689         if (!uobj)
1690                 return -EINVAL;
1691         cq      = uobj->object;
1692         ev_file = cq->cq_context;
1693         obj     = container_of(cq->uobject, struct ib_ucq_object, uobject);
1694
1695         ret = ib_destroy_cq(cq);
1696         if (!ret)
1697                 uobj->live = 0;
1698
1699         put_uobj_write(uobj);
1700
1701         if (ret)
1702                 return ret;
1703
1704         idr_remove_uobj(&ib_uverbs_cq_idr, uobj);
1705
1706         mutex_lock(&file->mutex);
1707         list_del(&uobj->list);
1708         mutex_unlock(&file->mutex);
1709
1710         ib_uverbs_release_ucq(file, ev_file, obj);
1711
1712         memset(&resp, 0, sizeof resp);
1713         resp.comp_events_reported  = obj->comp_events_reported;
1714         resp.async_events_reported = obj->async_events_reported;
1715
1716         put_uobj(uobj);
1717
1718         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1719                          &resp, sizeof resp))
1720                 return -EFAULT;
1721
1722         return in_len;
1723 }
1724
1725 ssize_t ib_uverbs_create_qp(struct ib_uverbs_file *file,
1726                             const char __user *buf, int in_len,
1727                             int out_len)
1728 {
1729         struct ib_uverbs_create_qp      cmd;
1730         struct ib_uverbs_create_qp_resp resp;
1731         struct ib_udata                 udata;
1732         struct ib_uqp_object           *obj;
1733         struct ib_device               *device;
1734         struct ib_pd                   *pd = NULL;
1735         struct ib_xrcd                 *xrcd = NULL;
1736         struct ib_uobject              *uninitialized_var(xrcd_uobj);
1737         struct ib_cq                   *scq = NULL, *rcq = NULL;
1738         struct ib_srq                  *srq = NULL;
1739         struct ib_qp                   *qp;
1740         struct ib_qp_init_attr          attr;
1741         int ret;
1742
1743         if (out_len < sizeof resp)
1744                 return -ENOSPC;
1745
1746         if (copy_from_user(&cmd, buf, sizeof cmd))
1747                 return -EFAULT;
1748
1749         if (cmd.qp_type == IB_QPT_RAW_PACKET && !capable(CAP_NET_RAW))
1750                 return -EPERM;
1751
1752         INIT_UDATA(&udata, buf + sizeof cmd,
1753                    (unsigned long) cmd.response + sizeof resp,
1754                    in_len - sizeof cmd, out_len - sizeof resp);
1755
1756         obj = kzalloc(sizeof *obj, GFP_KERNEL);
1757         if (!obj)
1758                 return -ENOMEM;
1759
1760         init_uobj(&obj->uevent.uobject, cmd.user_handle, file->ucontext, &qp_lock_class);
1761         down_write(&obj->uevent.uobject.mutex);
1762
1763         if (cmd.qp_type == IB_QPT_XRC_TGT) {
1764                 xrcd = idr_read_xrcd(cmd.pd_handle, file->ucontext, &xrcd_uobj);
1765                 if (!xrcd) {
1766                         ret = -EINVAL;
1767                         goto err_put;
1768                 }
1769                 device = xrcd->device;
1770         } else {
1771                 if (cmd.qp_type == IB_QPT_XRC_INI) {
1772                         cmd.max_recv_wr = cmd.max_recv_sge = 0;
1773                 } else {
1774                         if (cmd.is_srq) {
1775                                 srq = idr_read_srq(cmd.srq_handle, file->ucontext);
1776                                 if (!srq || srq->srq_type != IB_SRQT_BASIC) {
1777                                         ret = -EINVAL;
1778                                         goto err_put;
1779                                 }
1780                         }
1781
1782                         if (cmd.recv_cq_handle != cmd.send_cq_handle) {
1783                                 rcq = idr_read_cq(cmd.recv_cq_handle, file->ucontext, 0);
1784                                 if (!rcq) {
1785                                         ret = -EINVAL;
1786                                         goto err_put;
1787                                 }
1788                         }
1789                 }
1790
1791                 scq = idr_read_cq(cmd.send_cq_handle, file->ucontext, !!rcq);
1792                 rcq = rcq ?: scq;
1793                 pd  = idr_read_pd(cmd.pd_handle, file->ucontext);
1794                 if (!pd || !scq) {
1795                         ret = -EINVAL;
1796                         goto err_put;
1797                 }
1798
1799                 device = pd->device;
1800         }
1801
1802         attr.event_handler = ib_uverbs_qp_event_handler;
1803         attr.qp_context    = file;
1804         attr.send_cq       = scq;
1805         attr.recv_cq       = rcq;
1806         attr.srq           = srq;
1807         attr.xrcd          = xrcd;
1808         attr.sq_sig_type   = cmd.sq_sig_all ? IB_SIGNAL_ALL_WR : IB_SIGNAL_REQ_WR;
1809         attr.qp_type       = cmd.qp_type;
1810         attr.create_flags  = 0;
1811
1812         attr.cap.max_send_wr     = cmd.max_send_wr;
1813         attr.cap.max_recv_wr     = cmd.max_recv_wr;
1814         attr.cap.max_send_sge    = cmd.max_send_sge;
1815         attr.cap.max_recv_sge    = cmd.max_recv_sge;
1816         attr.cap.max_inline_data = cmd.max_inline_data;
1817
1818         obj->uevent.events_reported     = 0;
1819         INIT_LIST_HEAD(&obj->uevent.event_list);
1820         INIT_LIST_HEAD(&obj->mcast_list);
1821
1822         if (cmd.qp_type == IB_QPT_XRC_TGT)
1823                 qp = ib_create_qp(pd, &attr);
1824         else
1825                 qp = device->create_qp(pd, &attr, &udata);
1826
1827         if (IS_ERR(qp)) {
1828                 ret = PTR_ERR(qp);
1829                 goto err_put;
1830         }
1831
1832         if (cmd.qp_type != IB_QPT_XRC_TGT) {
1833                 qp->real_qp       = qp;
1834                 qp->device        = device;
1835                 qp->pd            = pd;
1836                 qp->send_cq       = attr.send_cq;
1837                 qp->recv_cq       = attr.recv_cq;
1838                 qp->srq           = attr.srq;
1839                 qp->event_handler = attr.event_handler;
1840                 qp->qp_context    = attr.qp_context;
1841                 qp->qp_type       = attr.qp_type;
1842                 atomic_set(&qp->usecnt, 0);
1843                 atomic_inc(&pd->usecnt);
1844                 atomic_inc(&attr.send_cq->usecnt);
1845                 if (attr.recv_cq)
1846                         atomic_inc(&attr.recv_cq->usecnt);
1847                 if (attr.srq)
1848                         atomic_inc(&attr.srq->usecnt);
1849         }
1850         qp->uobject = &obj->uevent.uobject;
1851
1852         obj->uevent.uobject.object = qp;
1853         ret = idr_add_uobj(&ib_uverbs_qp_idr, &obj->uevent.uobject);
1854         if (ret)
1855                 goto err_destroy;
1856
1857         memset(&resp, 0, sizeof resp);
1858         resp.qpn             = qp->qp_num;
1859         resp.qp_handle       = obj->uevent.uobject.id;
1860         resp.max_recv_sge    = attr.cap.max_recv_sge;
1861         resp.max_send_sge    = attr.cap.max_send_sge;
1862         resp.max_recv_wr     = attr.cap.max_recv_wr;
1863         resp.max_send_wr     = attr.cap.max_send_wr;
1864         resp.max_inline_data = attr.cap.max_inline_data;
1865
1866         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1867                          &resp, sizeof resp)) {
1868                 ret = -EFAULT;
1869                 goto err_copy;
1870         }
1871
1872         if (xrcd) {
1873                 obj->uxrcd = container_of(xrcd_uobj, struct ib_uxrcd_object,
1874                                           uobject);
1875                 atomic_inc(&obj->uxrcd->refcnt);
1876                 put_xrcd_read(xrcd_uobj);
1877         }
1878
1879         if (pd)
1880                 put_pd_read(pd);
1881         if (scq)
1882                 put_cq_read(scq);
1883         if (rcq && rcq != scq)
1884                 put_cq_read(rcq);
1885         if (srq)
1886                 put_srq_read(srq);
1887
1888         mutex_lock(&file->mutex);
1889         list_add_tail(&obj->uevent.uobject.list, &file->ucontext->qp_list);
1890         mutex_unlock(&file->mutex);
1891
1892         obj->uevent.uobject.live = 1;
1893
1894         up_write(&obj->uevent.uobject.mutex);
1895
1896         return in_len;
1897
1898 err_copy:
1899         idr_remove_uobj(&ib_uverbs_qp_idr, &obj->uevent.uobject);
1900
1901 err_destroy:
1902         ib_destroy_qp(qp);
1903
1904 err_put:
1905         if (xrcd)
1906                 put_xrcd_read(xrcd_uobj);
1907         if (pd)
1908                 put_pd_read(pd);
1909         if (scq)
1910                 put_cq_read(scq);
1911         if (rcq && rcq != scq)
1912                 put_cq_read(rcq);
1913         if (srq)
1914                 put_srq_read(srq);
1915
1916         put_uobj_write(&obj->uevent.uobject);
1917         return ret;
1918 }
1919
1920 ssize_t ib_uverbs_open_qp(struct ib_uverbs_file *file,
1921                           const char __user *buf, int in_len, int out_len)
1922 {
1923         struct ib_uverbs_open_qp        cmd;
1924         struct ib_uverbs_create_qp_resp resp;
1925         struct ib_udata                 udata;
1926         struct ib_uqp_object           *obj;
1927         struct ib_xrcd                 *xrcd;
1928         struct ib_uobject              *uninitialized_var(xrcd_uobj);
1929         struct ib_qp                   *qp;
1930         struct ib_qp_open_attr          attr;
1931         int ret;
1932
1933         if (out_len < sizeof resp)
1934                 return -ENOSPC;
1935
1936         if (copy_from_user(&cmd, buf, sizeof cmd))
1937                 return -EFAULT;
1938
1939         INIT_UDATA(&udata, buf + sizeof cmd,
1940                    (unsigned long) cmd.response + sizeof resp,
1941                    in_len - sizeof cmd, out_len - sizeof resp);
1942
1943         obj = kmalloc(sizeof *obj, GFP_KERNEL);
1944         if (!obj)
1945                 return -ENOMEM;
1946
1947         init_uobj(&obj->uevent.uobject, cmd.user_handle, file->ucontext, &qp_lock_class);
1948         down_write(&obj->uevent.uobject.mutex);
1949
1950         xrcd = idr_read_xrcd(cmd.pd_handle, file->ucontext, &xrcd_uobj);
1951         if (!xrcd) {
1952                 ret = -EINVAL;
1953                 goto err_put;
1954         }
1955
1956         attr.event_handler = ib_uverbs_qp_event_handler;
1957         attr.qp_context    = file;
1958         attr.qp_num        = cmd.qpn;
1959         attr.qp_type       = cmd.qp_type;
1960
1961         obj->uevent.events_reported = 0;
1962         INIT_LIST_HEAD(&obj->uevent.event_list);
1963         INIT_LIST_HEAD(&obj->mcast_list);
1964
1965         qp = ib_open_qp(xrcd, &attr);
1966         if (IS_ERR(qp)) {
1967                 ret = PTR_ERR(qp);
1968                 goto err_put;
1969         }
1970
1971         qp->uobject = &obj->uevent.uobject;
1972
1973         obj->uevent.uobject.object = qp;
1974         ret = idr_add_uobj(&ib_uverbs_qp_idr, &obj->uevent.uobject);
1975         if (ret)
1976                 goto err_destroy;
1977
1978         memset(&resp, 0, sizeof resp);
1979         resp.qpn       = qp->qp_num;
1980         resp.qp_handle = obj->uevent.uobject.id;
1981
1982         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1983                          &resp, sizeof resp)) {
1984                 ret = -EFAULT;
1985                 goto err_remove;
1986         }
1987
1988         obj->uxrcd = container_of(xrcd_uobj, struct ib_uxrcd_object, uobject);
1989         atomic_inc(&obj->uxrcd->refcnt);
1990         put_xrcd_read(xrcd_uobj);
1991
1992         mutex_lock(&file->mutex);
1993         list_add_tail(&obj->uevent.uobject.list, &file->ucontext->qp_list);
1994         mutex_unlock(&file->mutex);
1995
1996         obj->uevent.uobject.live = 1;
1997
1998         up_write(&obj->uevent.uobject.mutex);
1999
2000         return in_len;
2001
2002 err_remove:
2003         idr_remove_uobj(&ib_uverbs_qp_idr, &obj->uevent.uobject);
2004
2005 err_destroy:
2006         ib_destroy_qp(qp);
2007
2008 err_put:
2009         put_xrcd_read(xrcd_uobj);
2010         put_uobj_write(&obj->uevent.uobject);
2011         return ret;
2012 }
2013
2014 ssize_t ib_uverbs_query_qp(struct ib_uverbs_file *file,
2015                            const char __user *buf, int in_len,
2016                            int out_len)
2017 {
2018         struct ib_uverbs_query_qp      cmd;
2019         struct ib_uverbs_query_qp_resp resp;
2020         struct ib_qp                   *qp;
2021         struct ib_qp_attr              *attr;
2022         struct ib_qp_init_attr         *init_attr;
2023         int                            ret;
2024
2025         if (copy_from_user(&cmd, buf, sizeof cmd))
2026                 return -EFAULT;
2027
2028         attr      = kmalloc(sizeof *attr, GFP_KERNEL);
2029         init_attr = kmalloc(sizeof *init_attr, GFP_KERNEL);
2030         if (!attr || !init_attr) {
2031                 ret = -ENOMEM;
2032                 goto out;
2033         }
2034
2035         qp = idr_read_qp(cmd.qp_handle, file->ucontext);
2036         if (!qp) {
2037                 ret = -EINVAL;
2038                 goto out;
2039         }
2040
2041         ret = ib_query_qp(qp, attr, cmd.attr_mask, init_attr);
2042
2043         put_qp_read(qp);
2044
2045         if (ret)
2046                 goto out;
2047
2048         memset(&resp, 0, sizeof resp);
2049
2050         resp.qp_state               = attr->qp_state;
2051         resp.cur_qp_state           = attr->cur_qp_state;
2052         resp.path_mtu               = attr->path_mtu;
2053         resp.path_mig_state         = attr->path_mig_state;
2054         resp.qkey                   = attr->qkey;
2055         resp.rq_psn                 = attr->rq_psn;
2056         resp.sq_psn                 = attr->sq_psn;
2057         resp.dest_qp_num            = attr->dest_qp_num;
2058         resp.qp_access_flags        = attr->qp_access_flags;
2059         resp.pkey_index             = attr->pkey_index;
2060         resp.alt_pkey_index         = attr->alt_pkey_index;
2061         resp.sq_draining            = attr->sq_draining;
2062         resp.max_rd_atomic          = attr->max_rd_atomic;
2063         resp.max_dest_rd_atomic     = attr->max_dest_rd_atomic;
2064         resp.min_rnr_timer          = attr->min_rnr_timer;
2065         resp.port_num               = attr->port_num;
2066         resp.timeout                = attr->timeout;
2067         resp.retry_cnt              = attr->retry_cnt;
2068         resp.rnr_retry              = attr->rnr_retry;
2069         resp.alt_port_num           = attr->alt_port_num;
2070         resp.alt_timeout            = attr->alt_timeout;
2071
2072         memcpy(resp.dest.dgid, attr->ah_attr.grh.dgid.raw, 16);
2073         resp.dest.flow_label        = attr->ah_attr.grh.flow_label;
2074         resp.dest.sgid_index        = attr->ah_attr.grh.sgid_index;
2075         resp.dest.hop_limit         = attr->ah_attr.grh.hop_limit;
2076         resp.dest.traffic_class     = attr->ah_attr.grh.traffic_class;
2077         resp.dest.dlid              = attr->ah_attr.dlid;
2078         resp.dest.sl                = attr->ah_attr.sl;
2079         resp.dest.src_path_bits     = attr->ah_attr.src_path_bits;
2080         resp.dest.static_rate       = attr->ah_attr.static_rate;
2081         resp.dest.is_global         = !!(attr->ah_attr.ah_flags & IB_AH_GRH);
2082         resp.dest.port_num          = attr->ah_attr.port_num;
2083
2084         memcpy(resp.alt_dest.dgid, attr->alt_ah_attr.grh.dgid.raw, 16);
2085         resp.alt_dest.flow_label    = attr->alt_ah_attr.grh.flow_label;
2086         resp.alt_dest.sgid_index    = attr->alt_ah_attr.grh.sgid_index;
2087         resp.alt_dest.hop_limit     = attr->alt_ah_attr.grh.hop_limit;
2088         resp.alt_dest.traffic_class = attr->alt_ah_attr.grh.traffic_class;
2089         resp.alt_dest.dlid          = attr->alt_ah_attr.dlid;
2090         resp.alt_dest.sl            = attr->alt_ah_attr.sl;
2091         resp.alt_dest.src_path_bits = attr->alt_ah_attr.src_path_bits;
2092         resp.alt_dest.static_rate   = attr->alt_ah_attr.static_rate;
2093         resp.alt_dest.is_global     = !!(attr->alt_ah_attr.ah_flags & IB_AH_GRH);
2094         resp.alt_dest.port_num      = attr->alt_ah_attr.port_num;
2095
2096         resp.max_send_wr            = init_attr->cap.max_send_wr;
2097         resp.max_recv_wr            = init_attr->cap.max_recv_wr;
2098         resp.max_send_sge           = init_attr->cap.max_send_sge;
2099         resp.max_recv_sge           = init_attr->cap.max_recv_sge;
2100         resp.max_inline_data        = init_attr->cap.max_inline_data;
2101         resp.sq_sig_all             = init_attr->sq_sig_type == IB_SIGNAL_ALL_WR;
2102
2103         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2104                          &resp, sizeof resp))
2105                 ret = -EFAULT;
2106
2107 out:
2108         kfree(attr);
2109         kfree(init_attr);
2110
2111         return ret ? ret : in_len;
2112 }
2113
2114 /* Remove ignored fields set in the attribute mask */
2115 static int modify_qp_mask(enum ib_qp_type qp_type, int mask)
2116 {
2117         switch (qp_type) {
2118         case IB_QPT_XRC_INI:
2119                 return mask & ~(IB_QP_MAX_DEST_RD_ATOMIC | IB_QP_MIN_RNR_TIMER);
2120         case IB_QPT_XRC_TGT:
2121                 return mask & ~(IB_QP_MAX_QP_RD_ATOMIC | IB_QP_RETRY_CNT |
2122                                 IB_QP_RNR_RETRY);
2123         default:
2124                 return mask;
2125         }
2126 }
2127
2128 ssize_t ib_uverbs_modify_qp(struct ib_uverbs_file *file,
2129                             const char __user *buf, int in_len,
2130                             int out_len)
2131 {
2132         struct ib_uverbs_modify_qp cmd;
2133         struct ib_udata            udata;
2134         struct ib_qp              *qp;
2135         struct ib_qp_attr         *attr;
2136         int                        ret;
2137
2138         if (copy_from_user(&cmd, buf, sizeof cmd))
2139                 return -EFAULT;
2140
2141         INIT_UDATA(&udata, buf + sizeof cmd, NULL, in_len - sizeof cmd,
2142                    out_len);
2143
2144         attr = kmalloc(sizeof *attr, GFP_KERNEL);
2145         if (!attr)
2146                 return -ENOMEM;
2147
2148         qp = idr_read_qp(cmd.qp_handle, file->ucontext);
2149         if (!qp) {
2150                 ret = -EINVAL;
2151                 goto out;
2152         }
2153
2154         attr->qp_state            = cmd.qp_state;
2155         attr->cur_qp_state        = cmd.cur_qp_state;
2156         attr->path_mtu            = cmd.path_mtu;
2157         attr->path_mig_state      = cmd.path_mig_state;
2158         attr->qkey                = cmd.qkey;
2159         attr->rq_psn              = cmd.rq_psn;
2160         attr->sq_psn              = cmd.sq_psn;
2161         attr->dest_qp_num         = cmd.dest_qp_num;
2162         attr->qp_access_flags     = cmd.qp_access_flags;
2163         attr->pkey_index          = cmd.pkey_index;
2164         attr->alt_pkey_index      = cmd.alt_pkey_index;
2165         attr->en_sqd_async_notify = cmd.en_sqd_async_notify;
2166         attr->max_rd_atomic       = cmd.max_rd_atomic;
2167         attr->max_dest_rd_atomic  = cmd.max_dest_rd_atomic;
2168         attr->min_rnr_timer       = cmd.min_rnr_timer;
2169         attr->port_num            = cmd.port_num;
2170         attr->timeout             = cmd.timeout;
2171         attr->retry_cnt           = cmd.retry_cnt;
2172         attr->rnr_retry           = cmd.rnr_retry;
2173         attr->alt_port_num        = cmd.alt_port_num;
2174         attr->alt_timeout         = cmd.alt_timeout;
2175
2176         memcpy(attr->ah_attr.grh.dgid.raw, cmd.dest.dgid, 16);
2177         attr->ah_attr.grh.flow_label        = cmd.dest.flow_label;
2178         attr->ah_attr.grh.sgid_index        = cmd.dest.sgid_index;
2179         attr->ah_attr.grh.hop_limit         = cmd.dest.hop_limit;
2180         attr->ah_attr.grh.traffic_class     = cmd.dest.traffic_class;
2181         attr->ah_attr.dlid                  = cmd.dest.dlid;
2182         attr->ah_attr.sl                    = cmd.dest.sl;
2183         attr->ah_attr.src_path_bits         = cmd.dest.src_path_bits;
2184         attr->ah_attr.static_rate           = cmd.dest.static_rate;
2185         attr->ah_attr.ah_flags              = cmd.dest.is_global ? IB_AH_GRH : 0;
2186         attr->ah_attr.port_num              = cmd.dest.port_num;
2187
2188         memcpy(attr->alt_ah_attr.grh.dgid.raw, cmd.alt_dest.dgid, 16);
2189         attr->alt_ah_attr.grh.flow_label    = cmd.alt_dest.flow_label;
2190         attr->alt_ah_attr.grh.sgid_index    = cmd.alt_dest.sgid_index;
2191         attr->alt_ah_attr.grh.hop_limit     = cmd.alt_dest.hop_limit;
2192         attr->alt_ah_attr.grh.traffic_class = cmd.alt_dest.traffic_class;
2193         attr->alt_ah_attr.dlid              = cmd.alt_dest.dlid;
2194         attr->alt_ah_attr.sl                = cmd.alt_dest.sl;
2195         attr->alt_ah_attr.src_path_bits     = cmd.alt_dest.src_path_bits;
2196         attr->alt_ah_attr.static_rate       = cmd.alt_dest.static_rate;
2197         attr->alt_ah_attr.ah_flags          = cmd.alt_dest.is_global ? IB_AH_GRH : 0;
2198         attr->alt_ah_attr.port_num          = cmd.alt_dest.port_num;
2199
2200         if (qp->real_qp == qp) {
2201                 ret = ib_resolve_eth_l2_attrs(qp, attr, &cmd.attr_mask);
2202                 if (ret)
2203                         goto release_qp;
2204                 ret = qp->device->modify_qp(qp, attr,
2205                         modify_qp_mask(qp->qp_type, cmd.attr_mask), &udata);
2206         } else {
2207                 ret = ib_modify_qp(qp, attr, modify_qp_mask(qp->qp_type, cmd.attr_mask));
2208         }
2209
2210         if (ret)
2211                 goto release_qp;
2212
2213         ret = in_len;
2214
2215 release_qp:
2216         put_qp_read(qp);
2217
2218 out:
2219         kfree(attr);
2220
2221         return ret;
2222 }
2223
2224 ssize_t ib_uverbs_destroy_qp(struct ib_uverbs_file *file,
2225                              const char __user *buf, int in_len,
2226                              int out_len)
2227 {
2228         struct ib_uverbs_destroy_qp      cmd;
2229         struct ib_uverbs_destroy_qp_resp resp;
2230         struct ib_uobject               *uobj;
2231         struct ib_qp                    *qp;
2232         struct ib_uqp_object            *obj;
2233         int                              ret = -EINVAL;
2234
2235         if (copy_from_user(&cmd, buf, sizeof cmd))
2236                 return -EFAULT;
2237
2238         memset(&resp, 0, sizeof resp);
2239
2240         uobj = idr_write_uobj(&ib_uverbs_qp_idr, cmd.qp_handle, file->ucontext);
2241         if (!uobj)
2242                 return -EINVAL;
2243         qp  = uobj->object;
2244         obj = container_of(uobj, struct ib_uqp_object, uevent.uobject);
2245
2246         if (!list_empty(&obj->mcast_list)) {
2247                 put_uobj_write(uobj);
2248                 return -EBUSY;
2249         }
2250
2251         ret = ib_destroy_qp(qp);
2252         if (!ret)
2253                 uobj->live = 0;
2254
2255         put_uobj_write(uobj);
2256
2257         if (ret)
2258                 return ret;
2259
2260         if (obj->uxrcd)
2261                 atomic_dec(&obj->uxrcd->refcnt);
2262
2263         idr_remove_uobj(&ib_uverbs_qp_idr, uobj);
2264
2265         mutex_lock(&file->mutex);
2266         list_del(&uobj->list);
2267         mutex_unlock(&file->mutex);
2268
2269         ib_uverbs_release_uevent(file, &obj->uevent);
2270
2271         resp.events_reported = obj->uevent.events_reported;
2272
2273         put_uobj(uobj);
2274
2275         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2276                          &resp, sizeof resp))
2277                 return -EFAULT;
2278
2279         return in_len;
2280 }
2281
2282 ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file,
2283                             const char __user *buf, int in_len,
2284                             int out_len)
2285 {
2286         struct ib_uverbs_post_send      cmd;
2287         struct ib_uverbs_post_send_resp resp;
2288         struct ib_uverbs_send_wr       *user_wr;
2289         struct ib_send_wr              *wr = NULL, *last, *next, *bad_wr;
2290         struct ib_qp                   *qp;
2291         int                             i, sg_ind;
2292         int                             is_ud;
2293         ssize_t                         ret = -EINVAL;
2294
2295         if (copy_from_user(&cmd, buf, sizeof cmd))
2296                 return -EFAULT;
2297
2298         if (in_len < sizeof cmd + cmd.wqe_size * cmd.wr_count +
2299             cmd.sge_count * sizeof (struct ib_uverbs_sge))
2300                 return -EINVAL;
2301
2302         if (cmd.wqe_size < sizeof (struct ib_uverbs_send_wr))
2303                 return -EINVAL;
2304
2305         user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
2306         if (!user_wr)
2307                 return -ENOMEM;
2308
2309         qp = idr_read_qp(cmd.qp_handle, file->ucontext);
2310         if (!qp)
2311                 goto out;
2312
2313         is_ud = qp->qp_type == IB_QPT_UD;
2314         sg_ind = 0;
2315         last = NULL;
2316         for (i = 0; i < cmd.wr_count; ++i) {
2317                 if (copy_from_user(user_wr,
2318                                    buf + sizeof cmd + i * cmd.wqe_size,
2319                                    cmd.wqe_size)) {
2320                         ret = -EFAULT;
2321                         goto out_put;
2322                 }
2323
2324                 if (user_wr->num_sge + sg_ind > cmd.sge_count) {
2325                         ret = -EINVAL;
2326                         goto out_put;
2327                 }
2328
2329                 next = kmalloc(ALIGN(sizeof *next, sizeof (struct ib_sge)) +
2330                                user_wr->num_sge * sizeof (struct ib_sge),
2331                                GFP_KERNEL);
2332                 if (!next) {
2333                         ret = -ENOMEM;
2334                         goto out_put;
2335                 }
2336
2337                 if (!last)
2338                         wr = next;
2339                 else
2340                         last->next = next;
2341                 last = next;
2342
2343                 next->next       = NULL;
2344                 next->wr_id      = user_wr->wr_id;
2345                 next->num_sge    = user_wr->num_sge;
2346                 next->opcode     = user_wr->opcode;
2347                 next->send_flags = user_wr->send_flags;
2348
2349                 if (is_ud) {
2350                         next->wr.ud.ah = idr_read_ah(user_wr->wr.ud.ah,
2351                                                      file->ucontext);
2352                         if (!next->wr.ud.ah) {
2353                                 ret = -EINVAL;
2354                                 goto out_put;
2355                         }
2356                         next->wr.ud.remote_qpn  = user_wr->wr.ud.remote_qpn;
2357                         next->wr.ud.remote_qkey = user_wr->wr.ud.remote_qkey;
2358                         if (next->opcode == IB_WR_SEND_WITH_IMM)
2359                                 next->ex.imm_data =
2360                                         (__be32 __force) user_wr->ex.imm_data;
2361                 } else {
2362                         switch (next->opcode) {
2363                         case IB_WR_RDMA_WRITE_WITH_IMM:
2364                                 next->ex.imm_data =
2365                                         (__be32 __force) user_wr->ex.imm_data;
2366                         case IB_WR_RDMA_WRITE:
2367                         case IB_WR_RDMA_READ:
2368                                 next->wr.rdma.remote_addr =
2369                                         user_wr->wr.rdma.remote_addr;
2370                                 next->wr.rdma.rkey        =
2371                                         user_wr->wr.rdma.rkey;
2372                                 break;
2373                         case IB_WR_SEND_WITH_IMM:
2374                                 next->ex.imm_data =
2375                                         (__be32 __force) user_wr->ex.imm_data;
2376                                 break;
2377                         case IB_WR_SEND_WITH_INV:
2378                                 next->ex.invalidate_rkey =
2379                                         user_wr->ex.invalidate_rkey;
2380                                 break;
2381                         case IB_WR_ATOMIC_CMP_AND_SWP:
2382                         case IB_WR_ATOMIC_FETCH_AND_ADD:
2383                                 next->wr.atomic.remote_addr =
2384                                         user_wr->wr.atomic.remote_addr;
2385                                 next->wr.atomic.compare_add =
2386                                         user_wr->wr.atomic.compare_add;
2387                                 next->wr.atomic.swap = user_wr->wr.atomic.swap;
2388                                 next->wr.atomic.rkey = user_wr->wr.atomic.rkey;
2389                                 break;
2390                         default:
2391                                 break;
2392                         }
2393                 }
2394
2395                 if (next->num_sge) {
2396                         next->sg_list = (void *) next +
2397                                 ALIGN(sizeof *next, sizeof (struct ib_sge));
2398                         if (copy_from_user(next->sg_list,
2399                                            buf + sizeof cmd +
2400                                            cmd.wr_count * cmd.wqe_size +
2401                                            sg_ind * sizeof (struct ib_sge),
2402                                            next->num_sge * sizeof (struct ib_sge))) {
2403                                 ret = -EFAULT;
2404                                 goto out_put;
2405                         }
2406                         sg_ind += next->num_sge;
2407                 } else
2408                         next->sg_list = NULL;
2409         }
2410
2411         resp.bad_wr = 0;
2412         ret = qp->device->post_send(qp->real_qp, wr, &bad_wr);
2413         if (ret)
2414                 for (next = wr; next; next = next->next) {
2415                         ++resp.bad_wr;
2416                         if (next == bad_wr)
2417                                 break;
2418                 }
2419
2420         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2421                          &resp, sizeof resp))
2422                 ret = -EFAULT;
2423
2424 out_put:
2425         put_qp_read(qp);
2426
2427         while (wr) {
2428                 if (is_ud && wr->wr.ud.ah)
2429                         put_ah_read(wr->wr.ud.ah);
2430                 next = wr->next;
2431                 kfree(wr);
2432                 wr = next;
2433         }
2434
2435 out:
2436         kfree(user_wr);
2437
2438         return ret ? ret : in_len;
2439 }
2440
2441 static struct ib_recv_wr *ib_uverbs_unmarshall_recv(const char __user *buf,
2442                                                     int in_len,
2443                                                     u32 wr_count,
2444                                                     u32 sge_count,
2445                                                     u32 wqe_size)
2446 {
2447         struct ib_uverbs_recv_wr *user_wr;
2448         struct ib_recv_wr        *wr = NULL, *last, *next;
2449         int                       sg_ind;
2450         int                       i;
2451         int                       ret;
2452
2453         if (in_len < wqe_size * wr_count +
2454             sge_count * sizeof (struct ib_uverbs_sge))
2455                 return ERR_PTR(-EINVAL);
2456
2457         if (wqe_size < sizeof (struct ib_uverbs_recv_wr))
2458                 return ERR_PTR(-EINVAL);
2459
2460         user_wr = kmalloc(wqe_size, GFP_KERNEL);
2461         if (!user_wr)
2462                 return ERR_PTR(-ENOMEM);
2463
2464         sg_ind = 0;
2465         last = NULL;
2466         for (i = 0; i < wr_count; ++i) {
2467                 if (copy_from_user(user_wr, buf + i * wqe_size,
2468                                    wqe_size)) {
2469                         ret = -EFAULT;
2470                         goto err;
2471                 }
2472
2473                 if (user_wr->num_sge + sg_ind > sge_count) {
2474                         ret = -EINVAL;
2475                         goto err;
2476                 }
2477
2478                 next = kmalloc(ALIGN(sizeof *next, sizeof (struct ib_sge)) +
2479                                user_wr->num_sge * sizeof (struct ib_sge),
2480                                GFP_KERNEL);
2481                 if (!next) {
2482                         ret = -ENOMEM;
2483                         goto err;
2484                 }
2485
2486                 if (!last)
2487                         wr = next;
2488                 else
2489                         last->next = next;
2490                 last = next;
2491
2492                 next->next       = NULL;
2493                 next->wr_id      = user_wr->wr_id;
2494                 next->num_sge    = user_wr->num_sge;
2495
2496                 if (next->num_sge) {
2497                         next->sg_list = (void *) next +
2498                                 ALIGN(sizeof *next, sizeof (struct ib_sge));
2499                         if (copy_from_user(next->sg_list,
2500                                            buf + wr_count * wqe_size +
2501                                            sg_ind * sizeof (struct ib_sge),
2502                                            next->num_sge * sizeof (struct ib_sge))) {
2503                                 ret = -EFAULT;
2504                                 goto err;
2505                         }
2506                         sg_ind += next->num_sge;
2507                 } else
2508                         next->sg_list = NULL;
2509         }
2510
2511         kfree(user_wr);
2512         return wr;
2513
2514 err:
2515         kfree(user_wr);
2516
2517         while (wr) {
2518                 next = wr->next;
2519                 kfree(wr);
2520                 wr = next;
2521         }
2522
2523         return ERR_PTR(ret);
2524 }
2525
2526 ssize_t ib_uverbs_post_recv(struct ib_uverbs_file *file,
2527                             const char __user *buf, int in_len,
2528                             int out_len)
2529 {
2530         struct ib_uverbs_post_recv      cmd;
2531         struct ib_uverbs_post_recv_resp resp;
2532         struct ib_recv_wr              *wr, *next, *bad_wr;
2533         struct ib_qp                   *qp;
2534         ssize_t                         ret = -EINVAL;
2535
2536         if (copy_from_user(&cmd, buf, sizeof cmd))
2537                 return -EFAULT;
2538
2539         wr = ib_uverbs_unmarshall_recv(buf + sizeof cmd,
2540                                        in_len - sizeof cmd, cmd.wr_count,
2541                                        cmd.sge_count, cmd.wqe_size);
2542         if (IS_ERR(wr))
2543                 return PTR_ERR(wr);
2544
2545         qp = idr_read_qp(cmd.qp_handle, file->ucontext);
2546         if (!qp)
2547                 goto out;
2548
2549         resp.bad_wr = 0;
2550         ret = qp->device->post_recv(qp->real_qp, wr, &bad_wr);
2551
2552         put_qp_read(qp);
2553
2554         if (ret)
2555                 for (next = wr; next; next = next->next) {
2556                         ++resp.bad_wr;
2557                         if (next == bad_wr)
2558                                 break;
2559                 }
2560
2561         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2562                          &resp, sizeof resp))
2563                 ret = -EFAULT;
2564
2565 out:
2566         while (wr) {
2567                 next = wr->next;
2568                 kfree(wr);
2569                 wr = next;
2570         }
2571
2572         return ret ? ret : in_len;
2573 }
2574
2575 ssize_t ib_uverbs_post_srq_recv(struct ib_uverbs_file *file,
2576                                 const char __user *buf, int in_len,
2577                                 int out_len)
2578 {
2579         struct ib_uverbs_post_srq_recv      cmd;
2580         struct ib_uverbs_post_srq_recv_resp resp;
2581         struct ib_recv_wr                  *wr, *next, *bad_wr;
2582         struct ib_srq                      *srq;
2583         ssize_t                             ret = -EINVAL;
2584
2585         if (copy_from_user(&cmd, buf, sizeof cmd))
2586                 return -EFAULT;
2587
2588         wr = ib_uverbs_unmarshall_recv(buf + sizeof cmd,
2589                                        in_len - sizeof cmd, cmd.wr_count,
2590                                        cmd.sge_count, cmd.wqe_size);
2591         if (IS_ERR(wr))
2592                 return PTR_ERR(wr);
2593
2594         srq = idr_read_srq(cmd.srq_handle, file->ucontext);
2595         if (!srq)
2596                 goto out;
2597
2598         resp.bad_wr = 0;
2599         ret = srq->device->post_srq_recv(srq, wr, &bad_wr);
2600
2601         put_srq_read(srq);
2602
2603         if (ret)
2604                 for (next = wr; next; next = next->next) {
2605                         ++resp.bad_wr;
2606                         if (next == bad_wr)
2607                                 break;
2608                 }
2609
2610         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2611                          &resp, sizeof resp))
2612                 ret = -EFAULT;
2613
2614 out:
2615         while (wr) {
2616                 next = wr->next;
2617                 kfree(wr);
2618                 wr = next;
2619         }
2620
2621         return ret ? ret : in_len;
2622 }
2623
2624 ssize_t ib_uverbs_create_ah(struct ib_uverbs_file *file,
2625                             const char __user *buf, int in_len,
2626                             int out_len)
2627 {
2628         struct ib_uverbs_create_ah       cmd;
2629         struct ib_uverbs_create_ah_resp  resp;
2630         struct ib_uobject               *uobj;
2631         struct ib_pd                    *pd;
2632         struct ib_ah                    *ah;
2633         struct ib_ah_attr               attr;
2634         int ret;
2635
2636         if (out_len < sizeof resp)
2637                 return -ENOSPC;
2638
2639         if (copy_from_user(&cmd, buf, sizeof cmd))
2640                 return -EFAULT;
2641
2642         uobj = kmalloc(sizeof *uobj, GFP_KERNEL);
2643         if (!uobj)
2644                 return -ENOMEM;
2645
2646         init_uobj(uobj, cmd.user_handle, file->ucontext, &ah_lock_class);
2647         down_write(&uobj->mutex);
2648
2649         pd = idr_read_pd(cmd.pd_handle, file->ucontext);
2650         if (!pd) {
2651                 ret = -EINVAL;
2652                 goto err;
2653         }
2654
2655         attr.dlid              = cmd.attr.dlid;
2656         attr.sl                = cmd.attr.sl;
2657         attr.src_path_bits     = cmd.attr.src_path_bits;
2658         attr.static_rate       = cmd.attr.static_rate;
2659         attr.ah_flags          = cmd.attr.is_global ? IB_AH_GRH : 0;
2660         attr.port_num          = cmd.attr.port_num;
2661         attr.grh.flow_label    = cmd.attr.grh.flow_label;
2662         attr.grh.sgid_index    = cmd.attr.grh.sgid_index;
2663         attr.grh.hop_limit     = cmd.attr.grh.hop_limit;
2664         attr.grh.traffic_class = cmd.attr.grh.traffic_class;
2665         attr.vlan_id           = 0;
2666         memset(&attr.dmac, 0, sizeof(attr.dmac));
2667         memcpy(attr.grh.dgid.raw, cmd.attr.grh.dgid, 16);
2668
2669         ah = ib_create_ah(pd, &attr);
2670         if (IS_ERR(ah)) {
2671                 ret = PTR_ERR(ah);
2672                 goto err_put;
2673         }
2674
2675         ah->uobject  = uobj;
2676         uobj->object = ah;
2677
2678         ret = idr_add_uobj(&ib_uverbs_ah_idr, uobj);
2679         if (ret)
2680                 goto err_destroy;
2681
2682         resp.ah_handle = uobj->id;
2683
2684         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2685                          &resp, sizeof resp)) {
2686                 ret = -EFAULT;
2687                 goto err_copy;
2688         }
2689
2690         put_pd_read(pd);
2691
2692         mutex_lock(&file->mutex);
2693         list_add_tail(&uobj->list, &file->ucontext->ah_list);
2694         mutex_unlock(&file->mutex);
2695
2696         uobj->live = 1;
2697
2698         up_write(&uobj->mutex);
2699
2700         return in_len;
2701
2702 err_copy:
2703         idr_remove_uobj(&ib_uverbs_ah_idr, uobj);
2704
2705 err_destroy:
2706         ib_destroy_ah(ah);
2707
2708 err_put:
2709         put_pd_read(pd);
2710
2711 err:
2712         put_uobj_write(uobj);
2713         return ret;
2714 }
2715
2716 ssize_t ib_uverbs_destroy_ah(struct ib_uverbs_file *file,
2717                              const char __user *buf, int in_len, int out_len)
2718 {
2719         struct ib_uverbs_destroy_ah cmd;
2720         struct ib_ah               *ah;
2721         struct ib_uobject          *uobj;
2722         int                         ret;
2723
2724         if (copy_from_user(&cmd, buf, sizeof cmd))
2725                 return -EFAULT;
2726
2727         uobj = idr_write_uobj(&ib_uverbs_ah_idr, cmd.ah_handle, file->ucontext);
2728         if (!uobj)
2729                 return -EINVAL;
2730         ah = uobj->object;
2731
2732         ret = ib_destroy_ah(ah);
2733         if (!ret)
2734                 uobj->live = 0;
2735
2736         put_uobj_write(uobj);
2737
2738         if (ret)
2739                 return ret;
2740
2741         idr_remove_uobj(&ib_uverbs_ah_idr, uobj);
2742
2743         mutex_lock(&file->mutex);
2744         list_del(&uobj->list);
2745         mutex_unlock(&file->mutex);
2746
2747         put_uobj(uobj);
2748
2749         return in_len;
2750 }
2751
2752 ssize_t ib_uverbs_attach_mcast(struct ib_uverbs_file *file,
2753                                const char __user *buf, int in_len,
2754                                int out_len)
2755 {
2756         struct ib_uverbs_attach_mcast cmd;
2757         struct ib_qp                 *qp;
2758         struct ib_uqp_object         *obj;
2759         struct ib_uverbs_mcast_entry *mcast;
2760         int                           ret;
2761
2762         if (copy_from_user(&cmd, buf, sizeof cmd))
2763                 return -EFAULT;
2764
2765         qp = idr_write_qp(cmd.qp_handle, file->ucontext);
2766         if (!qp)
2767                 return -EINVAL;
2768
2769         obj = container_of(qp->uobject, struct ib_uqp_object, uevent.uobject);
2770
2771         list_for_each_entry(mcast, &obj->mcast_list, list)
2772                 if (cmd.mlid == mcast->lid &&
2773                     !memcmp(cmd.gid, mcast->gid.raw, sizeof mcast->gid.raw)) {
2774                         ret = 0;
2775                         goto out_put;
2776                 }
2777
2778         mcast = kmalloc(sizeof *mcast, GFP_KERNEL);
2779         if (!mcast) {
2780                 ret = -ENOMEM;
2781                 goto out_put;
2782         }
2783
2784         mcast->lid = cmd.mlid;
2785         memcpy(mcast->gid.raw, cmd.gid, sizeof mcast->gid.raw);
2786
2787         ret = ib_attach_mcast(qp, &mcast->gid, cmd.mlid);
2788         if (!ret)
2789                 list_add_tail(&mcast->list, &obj->mcast_list);
2790         else
2791                 kfree(mcast);
2792
2793 out_put:
2794         put_qp_write(qp);
2795
2796         return ret ? ret : in_len;
2797 }
2798
2799 ssize_t ib_uverbs_detach_mcast(struct ib_uverbs_file *file,
2800                                const char __user *buf, int in_len,
2801                                int out_len)
2802 {
2803         struct ib_uverbs_detach_mcast cmd;
2804         struct ib_uqp_object         *obj;
2805         struct ib_qp                 *qp;
2806         struct ib_uverbs_mcast_entry *mcast;
2807         int                           ret = -EINVAL;
2808
2809         if (copy_from_user(&cmd, buf, sizeof cmd))
2810                 return -EFAULT;
2811
2812         qp = idr_write_qp(cmd.qp_handle, file->ucontext);
2813         if (!qp)
2814                 return -EINVAL;
2815
2816         ret = ib_detach_mcast(qp, (union ib_gid *) cmd.gid, cmd.mlid);
2817         if (ret)
2818                 goto out_put;
2819
2820         obj = container_of(qp->uobject, struct ib_uqp_object, uevent.uobject);
2821
2822         list_for_each_entry(mcast, &obj->mcast_list, list)
2823                 if (cmd.mlid == mcast->lid &&
2824                     !memcmp(cmd.gid, mcast->gid.raw, sizeof mcast->gid.raw)) {
2825                         list_del(&mcast->list);
2826                         kfree(mcast);
2827                         break;
2828                 }
2829
2830 out_put:
2831         put_qp_write(qp);
2832
2833         return ret ? ret : in_len;
2834 }
2835
2836 static int kern_spec_to_ib_spec(struct ib_uverbs_flow_spec *kern_spec,
2837                                 union ib_flow_spec *ib_spec)
2838 {
2839         if (kern_spec->reserved)
2840                 return -EINVAL;
2841
2842         ib_spec->type = kern_spec->type;
2843
2844         switch (ib_spec->type) {
2845         case IB_FLOW_SPEC_ETH:
2846                 ib_spec->eth.size = sizeof(struct ib_flow_spec_eth);
2847                 if (ib_spec->eth.size != kern_spec->eth.size)
2848                         return -EINVAL;
2849                 memcpy(&ib_spec->eth.val, &kern_spec->eth.val,
2850                        sizeof(struct ib_flow_eth_filter));
2851                 memcpy(&ib_spec->eth.mask, &kern_spec->eth.mask,
2852                        sizeof(struct ib_flow_eth_filter));
2853                 break;
2854         case IB_FLOW_SPEC_IPV4:
2855                 ib_spec->ipv4.size = sizeof(struct ib_flow_spec_ipv4);
2856                 if (ib_spec->ipv4.size != kern_spec->ipv4.size)
2857                         return -EINVAL;
2858                 memcpy(&ib_spec->ipv4.val, &kern_spec->ipv4.val,
2859                        sizeof(struct ib_flow_ipv4_filter));
2860                 memcpy(&ib_spec->ipv4.mask, &kern_spec->ipv4.mask,
2861                        sizeof(struct ib_flow_ipv4_filter));
2862                 break;
2863         case IB_FLOW_SPEC_TCP:
2864         case IB_FLOW_SPEC_UDP:
2865                 ib_spec->tcp_udp.size = sizeof(struct ib_flow_spec_tcp_udp);
2866                 if (ib_spec->tcp_udp.size != kern_spec->tcp_udp.size)
2867                         return -EINVAL;
2868                 memcpy(&ib_spec->tcp_udp.val, &kern_spec->tcp_udp.val,
2869                        sizeof(struct ib_flow_tcp_udp_filter));
2870                 memcpy(&ib_spec->tcp_udp.mask, &kern_spec->tcp_udp.mask,
2871                        sizeof(struct ib_flow_tcp_udp_filter));
2872                 break;
2873         default:
2874                 return -EINVAL;
2875         }
2876         return 0;
2877 }
2878
2879 int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file,
2880                              struct ib_udata *ucore,
2881                              struct ib_udata *uhw)
2882 {
2883         struct ib_uverbs_create_flow      cmd;
2884         struct ib_uverbs_create_flow_resp resp;
2885         struct ib_uobject                 *uobj;
2886         struct ib_flow                    *flow_id;
2887         struct ib_uverbs_flow_attr        *kern_flow_attr;
2888         struct ib_flow_attr               *flow_attr;
2889         struct ib_qp                      *qp;
2890         int err = 0;
2891         void *kern_spec;
2892         void *ib_spec;
2893         int i;
2894
2895         if (ucore->inlen < sizeof(cmd))
2896                 return -EINVAL;
2897
2898         if (ucore->outlen < sizeof(resp))
2899                 return -ENOSPC;
2900
2901         err = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
2902         if (err)
2903                 return err;
2904
2905         ucore->inbuf += sizeof(cmd);
2906         ucore->inlen -= sizeof(cmd);
2907
2908         if (cmd.comp_mask)
2909                 return -EINVAL;
2910
2911         if ((cmd.flow_attr.type == IB_FLOW_ATTR_SNIFFER &&
2912              !capable(CAP_NET_ADMIN)) || !capable(CAP_NET_RAW))
2913                 return -EPERM;
2914
2915         if (cmd.flow_attr.num_of_specs > IB_FLOW_SPEC_SUPPORT_LAYERS)
2916                 return -EINVAL;
2917
2918         if (cmd.flow_attr.size > ucore->inlen ||
2919             cmd.flow_attr.size >
2920             (cmd.flow_attr.num_of_specs * sizeof(struct ib_uverbs_flow_spec)))
2921                 return -EINVAL;
2922
2923         if (cmd.flow_attr.reserved[0] ||
2924             cmd.flow_attr.reserved[1])
2925                 return -EINVAL;
2926
2927         if (cmd.flow_attr.num_of_specs) {
2928                 kern_flow_attr = kmalloc(sizeof(*kern_flow_attr) + cmd.flow_attr.size,
2929                                          GFP_KERNEL);
2930                 if (!kern_flow_attr)
2931                         return -ENOMEM;
2932
2933                 memcpy(kern_flow_attr, &cmd.flow_attr, sizeof(*kern_flow_attr));
2934                 err = ib_copy_from_udata(kern_flow_attr + 1, ucore,
2935                                          cmd.flow_attr.size);
2936                 if (err)
2937                         goto err_free_attr;
2938         } else {
2939                 kern_flow_attr = &cmd.flow_attr;
2940         }
2941
2942         uobj = kmalloc(sizeof(*uobj), GFP_KERNEL);
2943         if (!uobj) {
2944                 err = -ENOMEM;
2945                 goto err_free_attr;
2946         }
2947         init_uobj(uobj, 0, file->ucontext, &rule_lock_class);
2948         down_write(&uobj->mutex);
2949
2950         qp = idr_read_qp(cmd.qp_handle, file->ucontext);
2951         if (!qp) {
2952                 err = -EINVAL;
2953                 goto err_uobj;
2954         }
2955
2956         flow_attr = kmalloc(sizeof(*flow_attr) + cmd.flow_attr.size, GFP_KERNEL);
2957         if (!flow_attr) {
2958                 err = -ENOMEM;
2959                 goto err_put;
2960         }
2961
2962         flow_attr->type = kern_flow_attr->type;
2963         flow_attr->priority = kern_flow_attr->priority;
2964         flow_attr->num_of_specs = kern_flow_attr->num_of_specs;
2965         flow_attr->port = kern_flow_attr->port;
2966         flow_attr->flags = kern_flow_attr->flags;
2967         flow_attr->size = sizeof(*flow_attr);
2968
2969         kern_spec = kern_flow_attr + 1;
2970         ib_spec = flow_attr + 1;
2971         for (i = 0; i < flow_attr->num_of_specs &&
2972              cmd.flow_attr.size > offsetof(struct ib_uverbs_flow_spec, reserved) &&
2973              cmd.flow_attr.size >=
2974              ((struct ib_uverbs_flow_spec *)kern_spec)->size; i++) {
2975                 err = kern_spec_to_ib_spec(kern_spec, ib_spec);
2976                 if (err)
2977                         goto err_free;
2978                 flow_attr->size +=
2979                         ((union ib_flow_spec *) ib_spec)->size;
2980                 cmd.flow_attr.size -= ((struct ib_uverbs_flow_spec *)kern_spec)->size;
2981                 kern_spec += ((struct ib_uverbs_flow_spec *) kern_spec)->size;
2982                 ib_spec += ((union ib_flow_spec *) ib_spec)->size;
2983         }
2984         if (cmd.flow_attr.size || (i != flow_attr->num_of_specs)) {
2985                 pr_warn("create flow failed, flow %d: %d bytes left from uverb cmd\n",
2986                         i, cmd.flow_attr.size);
2987                 err = -EINVAL;
2988                 goto err_free;
2989         }
2990         flow_id = ib_create_flow(qp, flow_attr, IB_FLOW_DOMAIN_USER);
2991         if (IS_ERR(flow_id)) {
2992                 err = PTR_ERR(flow_id);
2993                 goto err_free;
2994         }
2995         flow_id->qp = qp;
2996         flow_id->uobject = uobj;
2997         uobj->object = flow_id;
2998
2999         err = idr_add_uobj(&ib_uverbs_rule_idr, uobj);
3000         if (err)
3001                 goto destroy_flow;
3002
3003         memset(&resp, 0, sizeof(resp));
3004         resp.flow_handle = uobj->id;
3005
3006         err = ib_copy_to_udata(ucore,
3007                                &resp, sizeof(resp));
3008         if (err)
3009                 goto err_copy;
3010
3011         put_qp_read(qp);
3012         mutex_lock(&file->mutex);
3013         list_add_tail(&uobj->list, &file->ucontext->rule_list);
3014         mutex_unlock(&file->mutex);
3015
3016         uobj->live = 1;
3017
3018         up_write(&uobj->mutex);
3019         kfree(flow_attr);
3020         if (cmd.flow_attr.num_of_specs)
3021                 kfree(kern_flow_attr);
3022         return 0;
3023 err_copy:
3024         idr_remove_uobj(&ib_uverbs_rule_idr, uobj);
3025 destroy_flow:
3026         ib_destroy_flow(flow_id);
3027 err_free:
3028         kfree(flow_attr);
3029 err_put:
3030         put_qp_read(qp);
3031 err_uobj:
3032         put_uobj_write(uobj);
3033 err_free_attr:
3034         if (cmd.flow_attr.num_of_specs)
3035                 kfree(kern_flow_attr);
3036         return err;
3037 }
3038
3039 int ib_uverbs_ex_destroy_flow(struct ib_uverbs_file *file,
3040                               struct ib_udata *ucore,
3041                               struct ib_udata *uhw)
3042 {
3043         struct ib_uverbs_destroy_flow   cmd;
3044         struct ib_flow                  *flow_id;
3045         struct ib_uobject               *uobj;
3046         int                             ret;
3047
3048         if (ucore->inlen < sizeof(cmd))
3049                 return -EINVAL;
3050
3051         ret = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
3052         if (ret)
3053                 return ret;
3054
3055         if (cmd.comp_mask)
3056                 return -EINVAL;
3057
3058         uobj = idr_write_uobj(&ib_uverbs_rule_idr, cmd.flow_handle,
3059                               file->ucontext);
3060         if (!uobj)
3061                 return -EINVAL;
3062         flow_id = uobj->object;
3063
3064         ret = ib_destroy_flow(flow_id);
3065         if (!ret)
3066                 uobj->live = 0;
3067
3068         put_uobj_write(uobj);
3069
3070         idr_remove_uobj(&ib_uverbs_rule_idr, uobj);
3071
3072         mutex_lock(&file->mutex);
3073         list_del(&uobj->list);
3074         mutex_unlock(&file->mutex);
3075
3076         put_uobj(uobj);
3077
3078         return ret;
3079 }
3080
3081 static int __uverbs_create_xsrq(struct ib_uverbs_file *file,
3082                                 struct ib_uverbs_create_xsrq *cmd,
3083                                 struct ib_udata *udata)
3084 {
3085         struct ib_uverbs_create_srq_resp resp;
3086         struct ib_usrq_object           *obj;
3087         struct ib_pd                    *pd;
3088         struct ib_srq                   *srq;
3089         struct ib_uobject               *uninitialized_var(xrcd_uobj);
3090         struct ib_srq_init_attr          attr;
3091         int ret;
3092
3093         obj = kmalloc(sizeof *obj, GFP_KERNEL);
3094         if (!obj)
3095                 return -ENOMEM;
3096
3097         init_uobj(&obj->uevent.uobject, cmd->user_handle, file->ucontext, &srq_lock_class);
3098         down_write(&obj->uevent.uobject.mutex);
3099
3100         if (cmd->srq_type == IB_SRQT_XRC) {
3101                 attr.ext.xrc.xrcd  = idr_read_xrcd(cmd->xrcd_handle, file->ucontext, &xrcd_uobj);
3102                 if (!attr.ext.xrc.xrcd) {
3103                         ret = -EINVAL;
3104                         goto err;
3105                 }
3106
3107                 obj->uxrcd = container_of(xrcd_uobj, struct ib_uxrcd_object, uobject);
3108                 atomic_inc(&obj->uxrcd->refcnt);
3109
3110                 attr.ext.xrc.cq  = idr_read_cq(cmd->cq_handle, file->ucontext, 0);
3111                 if (!attr.ext.xrc.cq) {
3112                         ret = -EINVAL;
3113                         goto err_put_xrcd;
3114                 }
3115         }
3116
3117         pd  = idr_read_pd(cmd->pd_handle, file->ucontext);
3118         if (!pd) {
3119                 ret = -EINVAL;
3120                 goto err_put_cq;
3121         }
3122
3123         attr.event_handler  = ib_uverbs_srq_event_handler;
3124         attr.srq_context    = file;
3125         attr.srq_type       = cmd->srq_type;
3126         attr.attr.max_wr    = cmd->max_wr;
3127         attr.attr.max_sge   = cmd->max_sge;
3128         attr.attr.srq_limit = cmd->srq_limit;
3129
3130         obj->uevent.events_reported = 0;
3131         INIT_LIST_HEAD(&obj->uevent.event_list);
3132
3133         srq = pd->device->create_srq(pd, &attr, udata);
3134         if (IS_ERR(srq)) {
3135                 ret = PTR_ERR(srq);
3136                 goto err_put;
3137         }
3138
3139         srq->device        = pd->device;
3140         srq->pd            = pd;
3141         srq->srq_type      = cmd->srq_type;
3142         srq->uobject       = &obj->uevent.uobject;
3143         srq->event_handler = attr.event_handler;
3144         srq->srq_context   = attr.srq_context;
3145
3146         if (cmd->srq_type == IB_SRQT_XRC) {
3147                 srq->ext.xrc.cq   = attr.ext.xrc.cq;
3148                 srq->ext.xrc.xrcd = attr.ext.xrc.xrcd;
3149                 atomic_inc(&attr.ext.xrc.cq->usecnt);
3150                 atomic_inc(&attr.ext.xrc.xrcd->usecnt);
3151         }
3152
3153         atomic_inc(&pd->usecnt);
3154         atomic_set(&srq->usecnt, 0);
3155
3156         obj->uevent.uobject.object = srq;
3157         ret = idr_add_uobj(&ib_uverbs_srq_idr, &obj->uevent.uobject);
3158         if (ret)
3159                 goto err_destroy;
3160
3161         memset(&resp, 0, sizeof resp);
3162         resp.srq_handle = obj->uevent.uobject.id;
3163         resp.max_wr     = attr.attr.max_wr;
3164         resp.max_sge    = attr.attr.max_sge;
3165         if (cmd->srq_type == IB_SRQT_XRC)
3166                 resp.srqn = srq->ext.xrc.srq_num;
3167
3168         if (copy_to_user((void __user *) (unsigned long) cmd->response,
3169                          &resp, sizeof resp)) {
3170                 ret = -EFAULT;
3171                 goto err_copy;
3172         }
3173
3174         if (cmd->srq_type == IB_SRQT_XRC) {
3175                 put_uobj_read(xrcd_uobj);
3176                 put_cq_read(attr.ext.xrc.cq);
3177         }
3178         put_pd_read(pd);
3179
3180         mutex_lock(&file->mutex);
3181         list_add_tail(&obj->uevent.uobject.list, &file->ucontext->srq_list);
3182         mutex_unlock(&file->mutex);
3183
3184         obj->uevent.uobject.live = 1;
3185
3186         up_write(&obj->uevent.uobject.mutex);
3187
3188         return 0;
3189
3190 err_copy:
3191         idr_remove_uobj(&ib_uverbs_srq_idr, &obj->uevent.uobject);
3192
3193 err_destroy:
3194         ib_destroy_srq(srq);
3195
3196 err_put:
3197         put_pd_read(pd);
3198
3199 err_put_cq:
3200         if (cmd->srq_type == IB_SRQT_XRC)
3201                 put_cq_read(attr.ext.xrc.cq);
3202
3203 err_put_xrcd:
3204         if (cmd->srq_type == IB_SRQT_XRC) {
3205                 atomic_dec(&obj->uxrcd->refcnt);
3206                 put_uobj_read(xrcd_uobj);
3207         }
3208
3209 err:
3210         put_uobj_write(&obj->uevent.uobject);
3211         return ret;
3212 }
3213
3214 ssize_t ib_uverbs_create_srq(struct ib_uverbs_file *file,
3215                              const char __user *buf, int in_len,
3216                              int out_len)
3217 {
3218         struct ib_uverbs_create_srq      cmd;
3219         struct ib_uverbs_create_xsrq     xcmd;
3220         struct ib_uverbs_create_srq_resp resp;
3221         struct ib_udata                  udata;
3222         int ret;
3223
3224         if (out_len < sizeof resp)
3225                 return -ENOSPC;
3226
3227         if (copy_from_user(&cmd, buf, sizeof cmd))
3228                 return -EFAULT;
3229
3230         xcmd.response    = cmd.response;
3231         xcmd.user_handle = cmd.user_handle;
3232         xcmd.srq_type    = IB_SRQT_BASIC;
3233         xcmd.pd_handle   = cmd.pd_handle;
3234         xcmd.max_wr      = cmd.max_wr;
3235         xcmd.max_sge     = cmd.max_sge;
3236         xcmd.srq_limit   = cmd.srq_limit;
3237
3238         INIT_UDATA(&udata, buf + sizeof cmd,
3239                    (unsigned long) cmd.response + sizeof resp,
3240                    in_len - sizeof cmd, out_len - sizeof resp);
3241
3242         ret = __uverbs_create_xsrq(file, &xcmd, &udata);
3243         if (ret)
3244                 return ret;
3245
3246         return in_len;
3247 }
3248
3249 ssize_t ib_uverbs_create_xsrq(struct ib_uverbs_file *file,
3250                               const char __user *buf, int in_len, int out_len)
3251 {
3252         struct ib_uverbs_create_xsrq     cmd;
3253         struct ib_uverbs_create_srq_resp resp;
3254         struct ib_udata                  udata;
3255         int ret;
3256
3257         if (out_len < sizeof resp)
3258                 return -ENOSPC;
3259
3260         if (copy_from_user(&cmd, buf, sizeof cmd))
3261                 return -EFAULT;
3262
3263         INIT_UDATA(&udata, buf + sizeof cmd,
3264                    (unsigned long) cmd.response + sizeof resp,
3265                    in_len - sizeof cmd, out_len - sizeof resp);
3266
3267         ret = __uverbs_create_xsrq(file, &cmd, &udata);
3268         if (ret)
3269                 return ret;
3270
3271         return in_len;
3272 }
3273
3274 ssize_t ib_uverbs_modify_srq(struct ib_uverbs_file *file,
3275                              const char __user *buf, int in_len,
3276                              int out_len)
3277 {
3278         struct ib_uverbs_modify_srq cmd;
3279         struct ib_udata             udata;
3280         struct ib_srq              *srq;
3281         struct ib_srq_attr          attr;
3282         int                         ret;
3283
3284         if (copy_from_user(&cmd, buf, sizeof cmd))
3285                 return -EFAULT;
3286
3287         INIT_UDATA(&udata, buf + sizeof cmd, NULL, in_len - sizeof cmd,
3288                    out_len);
3289
3290         srq = idr_read_srq(cmd.srq_handle, file->ucontext);
3291         if (!srq)
3292                 return -EINVAL;
3293
3294         attr.max_wr    = cmd.max_wr;
3295         attr.srq_limit = cmd.srq_limit;
3296
3297         ret = srq->device->modify_srq(srq, &attr, cmd.attr_mask, &udata);
3298
3299         put_srq_read(srq);
3300
3301         return ret ? ret : in_len;
3302 }
3303
3304 ssize_t ib_uverbs_query_srq(struct ib_uverbs_file *file,
3305                             const char __user *buf,
3306                             int in_len, int out_len)
3307 {
3308         struct ib_uverbs_query_srq      cmd;
3309         struct ib_uverbs_query_srq_resp resp;
3310         struct ib_srq_attr              attr;
3311         struct ib_srq                   *srq;
3312         int                             ret;
3313
3314         if (out_len < sizeof resp)
3315                 return -ENOSPC;
3316
3317         if (copy_from_user(&cmd, buf, sizeof cmd))
3318                 return -EFAULT;
3319
3320         srq = idr_read_srq(cmd.srq_handle, file->ucontext);
3321         if (!srq)
3322                 return -EINVAL;
3323
3324         ret = ib_query_srq(srq, &attr);
3325
3326         put_srq_read(srq);
3327
3328         if (ret)
3329                 return ret;
3330
3331         memset(&resp, 0, sizeof resp);
3332
3333         resp.max_wr    = attr.max_wr;
3334         resp.max_sge   = attr.max_sge;
3335         resp.srq_limit = attr.srq_limit;
3336
3337         if (copy_to_user((void __user *) (unsigned long) cmd.response,
3338                          &resp, sizeof resp))
3339                 return -EFAULT;
3340
3341         return in_len;
3342 }
3343
3344 ssize_t ib_uverbs_destroy_srq(struct ib_uverbs_file *file,
3345                               const char __user *buf, int in_len,
3346                               int out_len)
3347 {
3348         struct ib_uverbs_destroy_srq      cmd;
3349         struct ib_uverbs_destroy_srq_resp resp;
3350         struct ib_uobject                *uobj;
3351         struct ib_srq                    *srq;
3352         struct ib_uevent_object          *obj;
3353         int                               ret = -EINVAL;
3354         struct ib_usrq_object            *us;
3355         enum ib_srq_type                  srq_type;
3356
3357         if (copy_from_user(&cmd, buf, sizeof cmd))
3358                 return -EFAULT;
3359
3360         uobj = idr_write_uobj(&ib_uverbs_srq_idr, cmd.srq_handle, file->ucontext);
3361         if (!uobj)
3362                 return -EINVAL;
3363         srq = uobj->object;
3364         obj = container_of(uobj, struct ib_uevent_object, uobject);
3365         srq_type = srq->srq_type;
3366
3367         ret = ib_destroy_srq(srq);
3368         if (!ret)
3369                 uobj->live = 0;
3370
3371         put_uobj_write(uobj);
3372
3373         if (ret)
3374                 return ret;
3375
3376         if (srq_type == IB_SRQT_XRC) {
3377                 us = container_of(obj, struct ib_usrq_object, uevent);
3378                 atomic_dec(&us->uxrcd->refcnt);
3379         }
3380
3381         idr_remove_uobj(&ib_uverbs_srq_idr, uobj);
3382
3383         mutex_lock(&file->mutex);
3384         list_del(&uobj->list);
3385         mutex_unlock(&file->mutex);
3386
3387         ib_uverbs_release_uevent(file, obj);
3388
3389         memset(&resp, 0, sizeof resp);
3390         resp.events_reported = obj->events_reported;
3391
3392         put_uobj(uobj);
3393
3394         if (copy_to_user((void __user *) (unsigned long) cmd.response,
3395                          &resp, sizeof resp))
3396                 ret = -EFAULT;
3397
3398         return ret ? ret : in_len;
3399 }
3400
3401 int ib_uverbs_ex_query_device(struct ib_uverbs_file *file,
3402                               struct ib_udata *ucore,
3403                               struct ib_udata *uhw)
3404 {
3405         struct ib_uverbs_ex_query_device_resp resp;
3406         struct ib_uverbs_ex_query_device  cmd;
3407         struct ib_device_attr attr;
3408         struct ib_device *device;
3409         int err;
3410
3411         device = file->device->ib_dev;
3412         if (ucore->inlen < sizeof(cmd))
3413                 return -EINVAL;
3414
3415         err = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
3416         if (err)
3417                 return err;
3418
3419         if (cmd.comp_mask)
3420                 return -EINVAL;
3421
3422         if (cmd.reserved)
3423                 return -EINVAL;
3424
3425         resp.response_length = offsetof(typeof(resp), odp_caps);
3426
3427         if (ucore->outlen < resp.response_length)
3428                 return -ENOSPC;
3429
3430         memset(&attr, 0, sizeof(attr));
3431
3432         err = device->query_device(device, &attr, uhw);
3433         if (err)
3434                 return err;
3435
3436         copy_query_dev_fields(file, &resp.base, &attr);
3437         resp.comp_mask = 0;
3438
3439         if (ucore->outlen < resp.response_length + sizeof(resp.odp_caps))
3440                 goto end;
3441
3442 #ifdef CONFIG_INFINIBAND_ON_DEMAND_PAGING
3443         resp.odp_caps.general_caps = attr.odp_caps.general_caps;
3444         resp.odp_caps.per_transport_caps.rc_odp_caps =
3445                 attr.odp_caps.per_transport_caps.rc_odp_caps;
3446         resp.odp_caps.per_transport_caps.uc_odp_caps =
3447                 attr.odp_caps.per_transport_caps.uc_odp_caps;
3448         resp.odp_caps.per_transport_caps.ud_odp_caps =
3449                 attr.odp_caps.per_transport_caps.ud_odp_caps;
3450         resp.odp_caps.reserved = 0;
3451 #else
3452         memset(&resp.odp_caps, 0, sizeof(resp.odp_caps));
3453 #endif
3454         resp.response_length += sizeof(resp.odp_caps);
3455
3456         if (ucore->outlen < resp.response_length + sizeof(resp.timestamp_mask))
3457                 goto end;
3458
3459         resp.timestamp_mask = attr.timestamp_mask;
3460         resp.response_length += sizeof(resp.timestamp_mask);
3461
3462         if (ucore->outlen < resp.response_length + sizeof(resp.hca_core_clock))
3463                 goto end;
3464
3465         resp.hca_core_clock = attr.hca_core_clock;
3466         resp.response_length += sizeof(resp.hca_core_clock);
3467
3468 end:
3469         err = ib_copy_to_udata(ucore, &resp, resp.response_length);
3470         if (err)
3471                 return err;
3472
3473         return 0;
3474 }