drivers/infiniband/core/uverbs_cmd.c

   1 /*
   2  * Copyright (c) 2005 Topspin Communications.  All rights reserved.
   3  * Copyright (c) 2005, 2006, 2007 Cisco Systems.  All rights reserved.
   4  * Copyright (c) 2005 PathScale, Inc.  All rights reserved.
   5  * Copyright (c) 2006 Mellanox Technologies.  All rights reserved.
   6  *
   7  * This software is available to you under a choice of one of two
   8  * licenses.  You may choose to be licensed under the terms of the GNU
   9  * General Public License (GPL) Version 2, available from the file
  10  * COPYING in the main directory of this source tree, or the
  11  * OpenIB.org BSD license below:
  12  *
  13  *     Redistribution and use in source and binary forms, with or
  14  *     without modification, are permitted provided that the following
  15  *     conditions are met:
  16  *
  17  *      - Redistributions of source code must retain the above
  18  *        copyright notice, this list of conditions and the following
  19  *        disclaimer.
  20  *
  21  *      - Redistributions in binary form must reproduce the above
  22  *        copyright notice, this list of conditions and the following
  23  *        disclaimer in the documentation and/or other materials
  24  *        provided with the distribution.
  25  *
  26  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  27  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  28  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  29  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
  30  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
  31  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  32  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  33  * SOFTWARE.
  34  */
  35
  36 #include <linux/file.h>
  37 #include <linux/fs.h>
  38 #include <linux/slab.h>
  39 #include <linux/sched.h>
  40
  41 #include <asm/uaccess.h>
  42
  43 #include "uverbs.h"
  44 #include "core_priv.h"
  45
  46 struct uverbs_lock_class {
  47         struct lock_class_key   key;
  48         char                    name[16];
  49 };
  50
  51 static struct uverbs_lock_class pd_lock_class   = { .name = "PD-uobj" };
  52 static struct uverbs_lock_class mr_lock_class   = { .name = "MR-uobj" };
  53 static struct uverbs_lock_class mw_lock_class   = { .name = "MW-uobj" };
  54 static struct uverbs_lock_class cq_lock_class   = { .name = "CQ-uobj" };
  55 static struct uverbs_lock_class qp_lock_class   = { .name = "QP-uobj" };
  56 static struct uverbs_lock_class ah_lock_class   = { .name = "AH-uobj" };
  57 static struct uverbs_lock_class srq_lock_class  = { .name = "SRQ-uobj" };
  58 static struct uverbs_lock_class xrcd_lock_class = { .name = "XRCD-uobj" };
  59 static struct uverbs_lock_class rule_lock_class = { .name = "RULE-uobj" };
  60
  61 /*
  62  * The ib_uobject locking scheme is as follows:
  63  *
  64  * - ib_uverbs_idr_lock protects the uverbs idrs themselves, so it
  65  *   needs to be held during all idr operations.  When an object is
  66  *   looked up, a reference must be taken on the object's kref before
  67  *   dropping this lock.
  68  *
  69  * - Each object also has an rwsem.  This rwsem must be held for
  70  *   reading while an operation that uses the object is performed.
  71  *   For example, while registering an MR, the associated PD's
  72  *   uobject.mutex must be held for reading.  The rwsem must be held
  73  *   for writing while initializing or destroying an object.
  74  *
  75  * - In addition, each object has a "live" flag.  If this flag is not
  76  *   set, then lookups of the object will fail even if it is found in
  77  *   the idr.  This handles a reader that blocks and does not acquire
  78  *   the rwsem until after the object is destroyed.  The destroy
  79  *   operation will set the live flag to 0 and then drop the rwsem;
  80  *   this will allow the reader to acquire the rwsem, see that the
  81  *   live flag is 0, and then drop the rwsem and its reference to
  82  *   object.  The underlying storage will not be freed until the last
  83  *   reference to the object is dropped.
  84  */
  85
  86 static void init_uobj(struct ib_uobject *uobj, u64 user_handle,
  87                       struct ib_ucontext *context, struct uverbs_lock_class *c)
  88 {
  89         uobj->user_handle = user_handle;
  90         uobj->context     = context;
  91         kref_init(&uobj->ref);
  92         init_rwsem(&uobj->mutex);
  93         lockdep_set_class_and_name(&uobj->mutex, &c->key, c->name);
  94         uobj->live        = 0;
  95 }
  96
  97 static void release_uobj(struct kref *kref)
  98 {
  99         kfree(container_of(kref, struct ib_uobject, ref));
 100 }
 101
 102 static void put_uobj(struct ib_uobject *uobj)
 103 {
 104         kref_put(&uobj->ref, release_uobj);
 105 }
 106
 107 static void put_uobj_read(struct ib_uobject *uobj)
 108 {
 109         up_read(&uobj->mutex);
 110         put_uobj(uobj);
 111 }
 112
 113 static void put_uobj_write(struct ib_uobject *uobj)
 114 {
 115         up_write(&uobj->mutex);
 116         put_uobj(uobj);
 117 }
 118
 119 static int idr_add_uobj(struct idr *idr, struct ib_uobject *uobj)
 120 {
 121         int ret;
 122
 123         idr_preload(GFP_KERNEL);
 124         spin_lock(&ib_uverbs_idr_lock);
 125
 126         ret = idr_alloc(idr, uobj, 0, 0, GFP_NOWAIT);
 127         if (ret >= 0)
 128                 uobj->id = ret;
 129
 130         spin_unlock(&ib_uverbs_idr_lock);
 131         idr_preload_end();
 132
 133         return ret < 0 ? ret : 0;
 134 }
 135
 136 void idr_remove_uobj(struct idr *idr, struct ib_uobject *uobj)
 137 {
 138         spin_lock(&ib_uverbs_idr_lock);
 139         idr_remove(idr, uobj->id);
 140         spin_unlock(&ib_uverbs_idr_lock);
 141 }
 142
 143 static struct ib_uobject *__idr_get_uobj(struct idr *idr, int id,
 144                                          struct ib_ucontext *context)
 145 {
 146         struct ib_uobject *uobj;
 147
 148         spin_lock(&ib_uverbs_idr_lock);
 149         uobj = idr_find(idr, id);
 150         if (uobj) {
 151                 if (uobj->context == context)
 152                         kref_get(&uobj->ref);
 153                 else
 154                         uobj = NULL;
 155         }
 156         spin_unlock(&ib_uverbs_idr_lock);
 157
 158         return uobj;
 159 }
 160
 161 static struct ib_uobject *idr_read_uobj(struct idr *idr, int id,
 162                                         struct ib_ucontext *context, int nested)
 163 {
 164         struct ib_uobject *uobj;
 165
 166         uobj = __idr_get_uobj(idr, id, context);
 167         if (!uobj)
 168                 return NULL;
 169
 170         if (nested)
 171                 down_read_nested(&uobj->mutex, SINGLE_DEPTH_NESTING);
 172         else
 173                 down_read(&uobj->mutex);
 174         if (!uobj->live) {
 175                 put_uobj_read(uobj);
 176                 return NULL;
 177         }
 178
 179         return uobj;
 180 }
 181
 182 static struct ib_uobject *idr_write_uobj(struct idr *idr, int id,
 183                                          struct ib_ucontext *context)
 184 {
 185         struct ib_uobject *uobj;
 186
 187         uobj = __idr_get_uobj(idr, id, context);
 188         if (!uobj)
 189                 return NULL;
 190
 191         down_write(&uobj->mutex);
 192         if (!uobj->live) {
 193                 put_uobj_write(uobj);
 194                 return NULL;
 195         }
 196
 197         return uobj;
 198 }
 199
 200 static void *idr_read_obj(struct idr *idr, int id, struct ib_ucontext *context,
 201                           int nested)
 202 {
 203         struct ib_uobject *uobj;
 204
 205         uobj = idr_read_uobj(idr, id, context, nested);
 206         return uobj ? uobj->object : NULL;
 207 }
 208
 209 static struct ib_pd *idr_read_pd(int pd_handle, struct ib_ucontext *context)
 210 {
 211         return idr_read_obj(&ib_uverbs_pd_idr, pd_handle, context, 0);
 212 }
 213
 214 static void put_pd_read(struct ib_pd *pd)
 215 {
 216         put_uobj_read(pd->uobject);
 217 }
 218
 219 static struct ib_cq *idr_read_cq(int cq_handle, struct ib_ucontext *context, int nested)
 220 {
 221         return idr_read_obj(&ib_uverbs_cq_idr, cq_handle, context, nested);
 222 }
 223
 224 static void put_cq_read(struct ib_cq *cq)
 225 {
 226         put_uobj_read(cq->uobject);
 227 }
 228
 229 static struct ib_ah *idr_read_ah(int ah_handle, struct ib_ucontext *context)
 230 {
 231         return idr_read_obj(&ib_uverbs_ah_idr, ah_handle, context, 0);
 232 }
 233
 234 static void put_ah_read(struct ib_ah *ah)
 235 {
 236         put_uobj_read(ah->uobject);
 237 }
 238
 239 static struct ib_qp *idr_read_qp(int qp_handle, struct ib_ucontext *context)
 240 {
 241         return idr_read_obj(&ib_uverbs_qp_idr, qp_handle, context, 0);
 242 }
 243
 244 static struct ib_qp *idr_write_qp(int qp_handle, struct ib_ucontext *context)
 245 {
 246         struct ib_uobject *uobj;
 247
 248         uobj = idr_write_uobj(&ib_uverbs_qp_idr, qp_handle, context);
 249         return uobj ? uobj->object : NULL;
 250 }
 251
 252 static void put_qp_read(struct ib_qp *qp)
 253 {
 254         put_uobj_read(qp->uobject);
 255 }
 256
 257 static void put_qp_write(struct ib_qp *qp)
 258 {
 259         put_uobj_write(qp->uobject);
 260 }
 261
 262 static struct ib_srq *idr_read_srq(int srq_handle, struct ib_ucontext *context)
 263 {
 264         return idr_read_obj(&ib_uverbs_srq_idr, srq_handle, context, 0);
 265 }
 266
 267 static void put_srq_read(struct ib_srq *srq)
 268 {
 269         put_uobj_read(srq->uobject);
 270 }
 271
 272 static struct ib_xrcd *idr_read_xrcd(int xrcd_handle, struct ib_ucontext *context,
 273                                      struct ib_uobject **uobj)
 274 {
 275         *uobj = idr_read_uobj(&ib_uverbs_xrcd_idr, xrcd_handle, context, 0);
 276         return *uobj ? (*uobj)->object : NULL;
 277 }
 278
 279 static void put_xrcd_read(struct ib_uobject *uobj)
 280 {
 281         put_uobj_read(uobj);
 282 }
 283
 284 ssize_t ib_uverbs_get_context(struct ib_uverbs_file *file,
 285                               const char __user *buf,
 286                               int in_len, int out_len)
 287 {
 288         struct ib_uverbs_get_context      cmd;
 289         struct ib_uverbs_get_context_resp resp;
 290         struct ib_udata                   udata;
 291         struct ib_device                 *ibdev = file->device->ib_dev;
 292 #ifdef CONFIG_INFINIBAND_ON_DEMAND_PAGING
 293         struct ib_device_attr             dev_attr;
 294 #endif
 295         struct ib_ucontext               *ucontext;
 296         struct file                      *filp;
 297         int ret;
 298
 299         if (out_len < sizeof resp)
 300                 return -ENOSPC;
 301
 302         if (copy_from_user(&cmd, buf, sizeof cmd))
 303                 return -EFAULT;
 304
 305         mutex_lock(&file->mutex);
 306
 307         if (file->ucontext) {
 308                 ret = -EINVAL;
 309                 goto err;
 310         }
 311
 312         INIT_UDATA(&udata, buf + sizeof cmd,
 313                    (unsigned long) cmd.response + sizeof resp,
 314                    in_len - sizeof cmd, out_len - sizeof resp);
 315
 316         ucontext = ibdev->alloc_ucontext(ibdev, &udata);
 317         if (IS_ERR(ucontext)) {
 318                 ret = PTR_ERR(ucontext);
 319                 goto err;
 320         }
 321
 322         ucontext->device = ibdev;
 323         INIT_LIST_HEAD(&ucontext->pd_list);
 324         INIT_LIST_HEAD(&ucontext->mr_list);
 325         INIT_LIST_HEAD(&ucontext->mw_list);
 326         INIT_LIST_HEAD(&ucontext->cq_list);
 327         INIT_LIST_HEAD(&ucontext->qp_list);
 328         INIT_LIST_HEAD(&ucontext->srq_list);
 329         INIT_LIST_HEAD(&ucontext->ah_list);
 330         INIT_LIST_HEAD(&ucontext->xrcd_list);
 331         INIT_LIST_HEAD(&ucontext->rule_list);
 332         rcu_read_lock();
 333         ucontext->tgid = get_task_pid(current->group_leader, PIDTYPE_PID);
 334         rcu_read_unlock();
 335         ucontext->closing = 0;
 336
 337 #ifdef CONFIG_INFINIBAND_ON_DEMAND_PAGING
 338         ucontext->umem_tree = RB_ROOT;
 339         init_rwsem(&ucontext->umem_rwsem);
 340         ucontext->odp_mrs_count = 0;
 341         INIT_LIST_HEAD(&ucontext->no_private_counters);
 342
 343         ret = ib_query_device(ibdev, &dev_attr);
 344         if (ret)
 345                 goto err_free;
 346         if (!(dev_attr.device_cap_flags & IB_DEVICE_ON_DEMAND_PAGING))
 347                 ucontext->invalidate_range = NULL;
 348
 349 #endif
 350
 351         resp.num_comp_vectors = file->device->num_comp_vectors;
 352
 353         ret = get_unused_fd_flags(O_CLOEXEC);
 354         if (ret < 0)
 355                 goto err_free;
 356         resp.async_fd = ret;
 357
 358         filp = ib_uverbs_alloc_event_file(file, 1);
 359         if (IS_ERR(filp)) {
 360                 ret = PTR_ERR(filp);
 361                 goto err_fd;
 362         }
 363
 364         if (copy_to_user((void __user *) (unsigned long) cmd.response,
 365                          &resp, sizeof resp)) {
 366                 ret = -EFAULT;
 367                 goto err_file;
 368         }
 369
 370         file->async_file = filp->private_data;
 371
 372         INIT_IB_EVENT_HANDLER(&file->event_handler, file->device->ib_dev,
 373                               ib_uverbs_event_handler);
 374         ret = ib_register_event_handler(&file->event_handler);
 375         if (ret)
 376                 goto err_file;
 377
 378         kref_get(&file->async_file->ref);
 379         kref_get(&file->ref);
 380         file->ucontext = ucontext;
 381
 382         fd_install(resp.async_fd, filp);
 383
 384         mutex_unlock(&file->mutex);
 385
 386         return in_len;
 387
 388 err_file:
 389         fput(filp);
 390
 391 err_fd:
 392         put_unused_fd(resp.async_fd);
 393
 394 err_free:
 395         put_pid(ucontext->tgid);
 396         ibdev->dealloc_ucontext(ucontext);
 397
 398 err:
 399         mutex_unlock(&file->mutex);
 400         return ret;
 401 }
 402
 403 static void copy_query_dev_fields(struct ib_uverbs_file *file,
 404                                   struct ib_uverbs_query_device_resp *resp,
 405                                   struct ib_device_attr *attr)
 406 {
 407         resp->fw_ver            = attr->fw_ver;
 408         resp->node_guid         = file->device->ib_dev->node_guid;
 409         resp->sys_image_guid    = attr->sys_image_guid;
 410         resp->max_mr_size       = attr->max_mr_size;
 411         resp->page_size_cap     = attr->page_size_cap;
 412         resp->vendor_id         = attr->vendor_id;
 413         resp->vendor_part_id    = attr->vendor_part_id;
 414         resp->hw_ver            = attr->hw_ver;
 415         resp->max_qp            = attr->max_qp;
 416         resp->max_qp_wr         = attr->max_qp_wr;
 417         resp->device_cap_flags  = attr->device_cap_flags;
 418         resp->max_sge           = attr->max_sge;
 419         resp->max_sge_rd        = attr->max_sge_rd;
 420         resp->max_cq            = attr->max_cq;
 421         resp->max_cqe           = attr->max_cqe;
 422         resp->max_mr            = attr->max_mr;
 423         resp->max_pd            = attr->max_pd;
 424         resp->max_qp_rd_atom    = attr->max_qp_rd_atom;
 425         resp->max_ee_rd_atom    = attr->max_ee_rd_atom;
 426         resp->max_res_rd_atom   = attr->max_res_rd_atom;
 427         resp->max_qp_init_rd_atom       = attr->max_qp_init_rd_atom;
 428         resp->max_ee_init_rd_atom       = attr->max_ee_init_rd_atom;
 429         resp->atomic_cap                = attr->atomic_cap;
 430         resp->max_ee                    = attr->max_ee;
 431         resp->max_rdd                   = attr->max_rdd;
 432         resp->max_mw                    = attr->max_mw;
 433         resp->max_raw_ipv6_qp           = attr->max_raw_ipv6_qp;
 434         resp->max_raw_ethy_qp           = attr->max_raw_ethy_qp;
 435         resp->max_mcast_grp             = attr->max_mcast_grp;
 436         resp->max_mcast_qp_attach       = attr->max_mcast_qp_attach;
 437         resp->max_total_mcast_qp_attach = attr->max_total_mcast_qp_attach;
 438         resp->max_ah                    = attr->max_ah;
 439         resp->max_fmr                   = attr->max_fmr;
 440         resp->max_map_per_fmr           = attr->max_map_per_fmr;
 441         resp->max_srq                   = attr->max_srq;
 442         resp->max_srq_wr                = attr->max_srq_wr;
 443         resp->max_srq_sge               = attr->max_srq_sge;
 444         resp->max_pkeys                 = attr->max_pkeys;
 445         resp->local_ca_ack_delay        = attr->local_ca_ack_delay;
 446         resp->phys_port_cnt             = file->device->ib_dev->phys_port_cnt;
 447 }
 448
 449 ssize_t ib_uverbs_query_device(struct ib_uverbs_file *file,
 450                                const char __user *buf,
 451                                int in_len, int out_len)
 452 {
 453         struct ib_uverbs_query_device      cmd;
 454         struct ib_uverbs_query_device_resp resp;
 455         struct ib_device_attr              attr;
 456         int                                ret;
 457
 458         if (out_len < sizeof resp)
 459                 return -ENOSPC;
 460
 461         if (copy_from_user(&cmd, buf, sizeof cmd))
 462                 return -EFAULT;
 463
 464         ret = ib_query_device(file->device->ib_dev, &attr);
 465         if (ret)
 466                 return ret;
 467
 468         memset(&resp, 0, sizeof resp);
 469         copy_query_dev_fields(file, &resp, &attr);
 470
 471         if (copy_to_user((void __user *) (unsigned long) cmd.response,
 472                          &resp, sizeof resp))
 473                 return -EFAULT;
 474
 475         return in_len;
 476 }
 477
 478 ssize_t ib_uverbs_query_port(struct ib_uverbs_file *file,
 479                              const char __user *buf,
 480                              int in_len, int out_len)
 481 {
 482         struct ib_uverbs_query_port      cmd;
 483         struct ib_uverbs_query_port_resp resp;
 484         struct ib_port_attr              attr;
 485         int                              ret;
 486
 487         if (out_len < sizeof resp)
 488                 return -ENOSPC;
 489
 490         if (copy_from_user(&cmd, buf, sizeof cmd))
 491                 return -EFAULT;
 492
 493         ret = ib_query_port(file->device->ib_dev, cmd.port_num, &attr);
 494         if (ret)
 495                 return ret;
 496
 497         memset(&resp, 0, sizeof resp);
 498
 499         resp.state           = attr.state;
 500         resp.max_mtu         = attr.max_mtu;
 501         resp.active_mtu      = attr.active_mtu;
 502         resp.gid_tbl_len     = attr.gid_tbl_len;
 503         resp.port_cap_flags  = attr.port_cap_flags;
 504         resp.max_msg_sz      = attr.max_msg_sz;
 505         resp.bad_pkey_cntr   = attr.bad_pkey_cntr;
 506         resp.qkey_viol_cntr  = attr.qkey_viol_cntr;
 507         resp.pkey_tbl_len    = attr.pkey_tbl_len;
 508         resp.lid             = attr.lid;
 509         resp.sm_lid          = attr.sm_lid;
 510         resp.lmc             = attr.lmc;
 511         resp.max_vl_num      = attr.max_vl_num;
 512         resp.sm_sl           = attr.sm_sl;
 513         resp.subnet_timeout  = attr.subnet_timeout;
 514         resp.init_type_reply = attr.init_type_reply;
 515         resp.active_width    = attr.active_width;
 516         resp.active_speed    = attr.active_speed;
 517         resp.phys_state      = attr.phys_state;
 518         resp.link_layer      = rdma_port_get_link_layer(file->device->ib_dev,
 519                                                         cmd.port_num);
 520
 521         if (copy_to_user((void __user *) (unsigned long) cmd.response,
 522                          &resp, sizeof resp))
 523                 return -EFAULT;
 524
 525         return in_len;
 526 }
 527
 528 ssize_t ib_uverbs_alloc_pd(struct ib_uverbs_file *file,
 529                            const char __user *buf,
 530                            int in_len, int out_len)
 531 {
 532         struct ib_uverbs_alloc_pd      cmd;
 533         struct ib_uverbs_alloc_pd_resp resp;
 534         struct ib_udata                udata;
 535         struct ib_uobject             *uobj;
 536         struct ib_pd                  *pd;
 537         int                            ret;
 538
 539         if (out_len < sizeof resp)
 540                 return -ENOSPC;
 541
 542         if (copy_from_user(&cmd, buf, sizeof cmd))
 543                 return -EFAULT;
 544
 545         INIT_UDATA(&udata, buf + sizeof cmd,
 546                    (unsigned long) cmd.response + sizeof resp,
 547                    in_len - sizeof cmd, out_len - sizeof resp);
 548
 549         uobj = kmalloc(sizeof *uobj, GFP_KERNEL);
 550         if (!uobj)
 551                 return -ENOMEM;
 552
 553         init_uobj(uobj, 0, file->ucontext, &pd_lock_class);
 554         down_write(&uobj->mutex);
 555
 556         pd = file->device->ib_dev->alloc_pd(file->device->ib_dev,
 557                                             file->ucontext, &udata);
 558         if (IS_ERR(pd)) {
 559                 ret = PTR_ERR(pd);
 560                 goto err;
 561         }
 562
 563         pd->device  = file->device->ib_dev;
 564         pd->uobject = uobj;
 565         pd->local_mr = NULL;
 566         atomic_set(&pd->usecnt, 0);
 567
 568         uobj->object = pd;
 569         ret = idr_add_uobj(&ib_uverbs_pd_idr, uobj);
 570         if (ret)
 571                 goto err_idr;
 572
 573         memset(&resp, 0, sizeof resp);
 574         resp.pd_handle = uobj->id;
 575
 576         if (copy_to_user((void __user *) (unsigned long) cmd.response,
 577                          &resp, sizeof resp)) {
 578                 ret = -EFAULT;
 579                 goto err_copy;
 580         }
 581
 582         mutex_lock(&file->mutex);
 583         list_add_tail(&uobj->list, &file->ucontext->pd_list);
 584         mutex_unlock(&file->mutex);
 585
 586         uobj->live = 1;
 587
 588         up_write(&uobj->mutex);
 589
 590         return in_len;
 591
 592 err_copy:
 593         idr_remove_uobj(&ib_uverbs_pd_idr, uobj);
 594
 595 err_idr:
 596         ib_dealloc_pd(pd);
 597
 598 err:
 599         put_uobj_write(uobj);
 600         return ret;
 601 }
 602
 603 ssize_t ib_uverbs_dealloc_pd(struct ib_uverbs_file *file,
 604                              const char __user *buf,
 605                              int in_len, int out_len)
 606 {
 607         struct ib_uverbs_dealloc_pd cmd;
 608         struct ib_uobject          *uobj;
 609         struct ib_pd               *pd;
 610         int                         ret;
 611
 612         if (copy_from_user(&cmd, buf, sizeof cmd))
 613                 return -EFAULT;
 614
 615         uobj = idr_write_uobj(&ib_uverbs_pd_idr, cmd.pd_handle, file->ucontext);
 616         if (!uobj)
 617                 return -EINVAL;
 618         pd = uobj->object;
 619
 620         if (atomic_read(&pd->usecnt)) {
 621                 ret = -EBUSY;
 622                 goto err_put;
 623         }
 624
 625         ret = pd->device->dealloc_pd(uobj->object);
 626         WARN_ONCE(ret, "Infiniband HW driver failed dealloc_pd");
 627         if (ret)
 628                 goto err_put;
 629
 630         uobj->live = 0;
 631         put_uobj_write(uobj);
 632
 633         idr_remove_uobj(&ib_uverbs_pd_idr, uobj);
 634
 635         mutex_lock(&file->mutex);
 636         list_del(&uobj->list);
 637         mutex_unlock(&file->mutex);
 638
 639         put_uobj(uobj);
 640
 641         return in_len;
 642
 643 err_put:
 644         put_uobj_write(uobj);
 645         return ret;
 646 }
 647
 648 struct xrcd_table_entry {
 649         struct rb_node  node;
 650         struct ib_xrcd *xrcd;
 651         struct inode   *inode;
 652 };
 653
 654 static int xrcd_table_insert(struct ib_uverbs_device *dev,
 655                             struct inode *inode,
 656                             struct ib_xrcd *xrcd)
 657 {
 658         struct xrcd_table_entry *entry, *scan;
 659         struct rb_node **p = &dev->xrcd_tree.rb_node;
 660         struct rb_node *parent = NULL;
 661
 662         entry = kmalloc(sizeof *entry, GFP_KERNEL);
 663         if (!entry)
 664                 return -ENOMEM;
 665
 666         entry->xrcd  = xrcd;
 667         entry->inode = inode;
 668
 669         while (*p) {
 670                 parent = *p;
 671                 scan = rb_entry(parent, struct xrcd_table_entry, node);
 672
 673                 if (inode < scan->inode) {
 674                         p = &(*p)->rb_left;
 675                 } else if (inode > scan->inode) {
 676                         p = &(*p)->rb_right;
 677                 } else {
 678                         kfree(entry);
 679                         return -EEXIST;
 680                 }
 681         }
 682
 683         rb_link_node(&entry->node, parent, p);
 684         rb_insert_color(&entry->node, &dev->xrcd_tree);
 685         igrab(inode);
 686         return 0;
 687 }
 688
 689 static struct xrcd_table_entry *xrcd_table_search(struct ib_uverbs_device *dev,
 690                                                   struct inode *inode)
 691 {
 692         struct xrcd_table_entry *entry;
 693         struct rb_node *p = dev->xrcd_tree.rb_node;
 694
 695         while (p) {
 696                 entry = rb_entry(p, struct xrcd_table_entry, node);
 697
 698                 if (inode < entry->inode)
 699                         p = p->rb_left;
 700                 else if (inode > entry->inode)
 701                         p = p->rb_right;
 702                 else
 703                         return entry;
 704         }
 705
 706         return NULL;
 707 }
 708
 709 static struct ib_xrcd *find_xrcd(struct ib_uverbs_device *dev, struct inode *inode)
 710 {
 711         struct xrcd_table_entry *entry;
 712
 713         entry = xrcd_table_search(dev, inode);
 714         if (!entry)
 715                 return NULL;
 716
 717         return entry->xrcd;
 718 }
 719
 720 static void xrcd_table_delete(struct ib_uverbs_device *dev,
 721                               struct inode *inode)
 722 {
 723         struct xrcd_table_entry *entry;
 724
 725         entry = xrcd_table_search(dev, inode);
 726         if (entry) {
 727                 iput(inode);
 728                 rb_erase(&entry->node, &dev->xrcd_tree);
 729                 kfree(entry);
 730         }
 731 }
 732
 733 ssize_t ib_uverbs_open_xrcd(struct ib_uverbs_file *file,
 734                             const char __user *buf, int in_len,
 735                             int out_len)
 736 {
 737         struct ib_uverbs_open_xrcd      cmd;
 738         struct ib_uverbs_open_xrcd_resp resp;
 739         struct ib_udata                 udata;
 740         struct ib_uxrcd_object         *obj;
 741         struct ib_xrcd                 *xrcd = NULL;
 742         struct fd                       f = {NULL, 0};
 743         struct inode                   *inode = NULL;
 744         int                             ret = 0;
 745         int                             new_xrcd = 0;
 746
 747         if (out_len < sizeof resp)
 748                 return -ENOSPC;
 749
 750         if (copy_from_user(&cmd, buf, sizeof cmd))
 751                 return -EFAULT;
 752
 753         INIT_UDATA(&udata, buf + sizeof cmd,
 754                    (unsigned long) cmd.response + sizeof resp,
 755                    in_len - sizeof cmd, out_len - sizeof  resp);
 756
 757         mutex_lock(&file->device->xrcd_tree_mutex);
 758
 759         if (cmd.fd != -1) {
 760                 /* search for file descriptor */
 761                 f = fdget(cmd.fd);
 762                 if (!f.file) {
 763                         ret = -EBADF;
 764                         goto err_tree_mutex_unlock;
 765                 }
 766
 767                 inode = file_inode(f.file);
 768                 xrcd = find_xrcd(file->device, inode);
 769                 if (!xrcd && !(cmd.oflags & O_CREAT)) {
 770                         /* no file descriptor. Need CREATE flag */
 771                         ret = -EAGAIN;
 772                         goto err_tree_mutex_unlock;
 773                 }
 774
 775                 if (xrcd && cmd.oflags & O_EXCL) {
 776                         ret = -EINVAL;
 777                         goto err_tree_mutex_unlock;
 778                 }
 779         }
 780
 781         obj = kmalloc(sizeof *obj, GFP_KERNEL);
 782         if (!obj) {
 783                 ret = -ENOMEM;
 784                 goto err_tree_mutex_unlock;
 785         }
 786
 787         init_uobj(&obj->uobject, 0, file->ucontext, &xrcd_lock_class);
 788
 789         down_write(&obj->uobject.mutex);
 790
 791         if (!xrcd) {
 792                 xrcd = file->device->ib_dev->alloc_xrcd(file->device->ib_dev,
 793                                                         file->ucontext, &udata);
 794                 if (IS_ERR(xrcd)) {
 795                         ret = PTR_ERR(xrcd);
 796                         goto err;
 797                 }
 798
 799                 xrcd->inode   = inode;
 800                 xrcd->device  = file->device->ib_dev;
 801                 atomic_set(&xrcd->usecnt, 0);
 802                 mutex_init(&xrcd->tgt_qp_mutex);
 803                 INIT_LIST_HEAD(&xrcd->tgt_qp_list);
 804                 new_xrcd = 1;
 805         }
 806
 807         atomic_set(&obj->refcnt, 0);
 808         obj->uobject.object = xrcd;
 809         ret = idr_add_uobj(&ib_uverbs_xrcd_idr, &obj->uobject);
 810         if (ret)
 811                 goto err_idr;
 812
 813         memset(&resp, 0, sizeof resp);
 814         resp.xrcd_handle = obj->uobject.id;
 815
 816         if (inode) {
 817                 if (new_xrcd) {
 818                         /* create new inode/xrcd table entry */
 819                         ret = xrcd_table_insert(file->device, inode, xrcd);
 820                         if (ret)
 821                                 goto err_insert_xrcd;
 822                 }
 823                 atomic_inc(&xrcd->usecnt);
 824         }
 825
 826         if (copy_to_user((void __user *) (unsigned long) cmd.response,
 827                          &resp, sizeof resp)) {
 828                 ret = -EFAULT;
 829                 goto err_copy;
 830         }
 831
 832         if (f.file)
 833                 fdput(f);
 834
 835         mutex_lock(&file->mutex);
 836         list_add_tail(&obj->uobject.list, &file->ucontext->xrcd_list);
 837         mutex_unlock(&file->mutex);
 838
 839         obj->uobject.live = 1;
 840         up_write(&obj->uobject.mutex);
 841
 842         mutex_unlock(&file->device->xrcd_tree_mutex);
 843         return in_len;
 844
 845 err_copy:
 846         if (inode) {
 847                 if (new_xrcd)
 848                         xrcd_table_delete(file->device, inode);
 849                 atomic_dec(&xrcd->usecnt);
 850         }
 851
 852 err_insert_xrcd:
 853         idr_remove_uobj(&ib_uverbs_xrcd_idr, &obj->uobject);
 854
 855 err_idr:
 856         ib_dealloc_xrcd(xrcd);
 857
 858 err:
 859         put_uobj_write(&obj->uobject);
 860
 861 err_tree_mutex_unlock:
 862         if (f.file)
 863                 fdput(f);
 864
 865         mutex_unlock(&file->device->xrcd_tree_mutex);
 866
 867         return ret;
 868 }
 869
 870 ssize_t ib_uverbs_close_xrcd(struct ib_uverbs_file *file,
 871                              const char __user *buf, int in_len,
 872                              int out_len)
 873 {
 874         struct ib_uverbs_close_xrcd cmd;
 875         struct ib_uobject           *uobj;
 876         struct ib_xrcd              *xrcd = NULL;
 877         struct inode                *inode = NULL;
 878         struct ib_uxrcd_object      *obj;
 879         int                         live;
 880         int                         ret = 0;
 881
 882         if (copy_from_user(&cmd, buf, sizeof cmd))
 883                 return -EFAULT;
 884
 885         mutex_lock(&file->device->xrcd_tree_mutex);
 886         uobj = idr_write_uobj(&ib_uverbs_xrcd_idr, cmd.xrcd_handle, file->ucontext);
 887         if (!uobj) {
 888                 ret = -EINVAL;
 889                 goto out;
 890         }
 891
 892         xrcd  = uobj->object;
 893         inode = xrcd->inode;
 894         obj   = container_of(uobj, struct ib_uxrcd_object, uobject);
 895         if (atomic_read(&obj->refcnt)) {
 896                 put_uobj_write(uobj);
 897                 ret = -EBUSY;
 898                 goto out;
 899         }
 900
 901         if (!inode || atomic_dec_and_test(&xrcd->usecnt)) {
 902                 ret = ib_dealloc_xrcd(uobj->object);
 903                 if (!ret)
 904                         uobj->live = 0;
 905         }
 906
 907         live = uobj->live;
 908         if (inode && ret)
 909                 atomic_inc(&xrcd->usecnt);
 910
 911         put_uobj_write(uobj);
 912
 913         if (ret)
 914                 goto out;
 915
 916         if (inode && !live)
 917                 xrcd_table_delete(file->device, inode);
 918
 919         idr_remove_uobj(&ib_uverbs_xrcd_idr, uobj);
 920         mutex_lock(&file->mutex);
 921         list_del(&uobj->list);
 922         mutex_unlock(&file->mutex);
 923
 924         put_uobj(uobj);
 925         ret = in_len;
 926
 927 out:
 928         mutex_unlock(&file->device->xrcd_tree_mutex);
 929         return ret;
 930 }
 931
 932 void ib_uverbs_dealloc_xrcd(struct ib_uverbs_device *dev,
 933                             struct ib_xrcd *xrcd)
 934 {
 935         struct inode *inode;
 936
 937         inode = xrcd->inode;
 938         if (inode && !atomic_dec_and_test(&xrcd->usecnt))
 939                 return;
 940
 941         ib_dealloc_xrcd(xrcd);
 942
 943         if (inode)
 944                 xrcd_table_delete(dev, inode);
 945 }
 946
 947 ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
 948                          const char __user *buf, int in_len,
 949                          int out_len)
 950 {
 951         struct ib_uverbs_reg_mr      cmd;
 952         struct ib_uverbs_reg_mr_resp resp;
 953         struct ib_udata              udata;
 954         struct ib_uobject           *uobj;
 955         struct ib_pd                *pd;
 956         struct ib_mr                *mr;
 957         int                          ret;
 958
 959         if (out_len < sizeof resp)
 960                 return -ENOSPC;
 961
 962         if (copy_from_user(&cmd, buf, sizeof cmd))
 963                 return -EFAULT;
 964
 965         INIT_UDATA(&udata, buf + sizeof cmd,
 966                    (unsigned long) cmd.response + sizeof resp,
 967                    in_len - sizeof cmd, out_len - sizeof resp);
 968
 969         if ((cmd.start & ~PAGE_MASK) != (cmd.hca_va & ~PAGE_MASK))
 970                 return -EINVAL;
 971
 972         ret = ib_check_mr_access(cmd.access_flags);
 973         if (ret)
 974                 return ret;
 975
 976         uobj = kmalloc(sizeof *uobj, GFP_KERNEL);
 977         if (!uobj)
 978                 return -ENOMEM;
 979
 980         init_uobj(uobj, 0, file->ucontext, &mr_lock_class);
 981         down_write(&uobj->mutex);
 982
 983         pd = idr_read_pd(cmd.pd_handle, file->ucontext);
 984         if (!pd) {
 985                 ret = -EINVAL;
 986                 goto err_free;
 987         }
 988
 989         if (cmd.access_flags & IB_ACCESS_ON_DEMAND) {
 990                 struct ib_device_attr attr;
 991
 992                 ret = ib_query_device(pd->device, &attr);
 993                 if (ret || !(attr.device_cap_flags &
 994                                 IB_DEVICE_ON_DEMAND_PAGING)) {
 995                         pr_debug("ODP support not available\n");
 996                         ret = -EINVAL;
 997                         goto err_put;
 998                 }
 999         }
1000
1001         mr = pd->device->reg_user_mr(pd, cmd.start, cmd.length, cmd.hca_va,
1002                                      cmd.access_flags, &udata);
1003         if (IS_ERR(mr)) {
1004                 ret = PTR_ERR(mr);
1005                 goto err_put;
1006         }
1007
1008         mr->device  = pd->device;
1009         mr->pd      = pd;
1010         mr->uobject = uobj;
1011         atomic_inc(&pd->usecnt);
1012         atomic_set(&mr->usecnt, 0);
1013
1014         uobj->object = mr;
1015         ret = idr_add_uobj(&ib_uverbs_mr_idr, uobj);
1016         if (ret)
1017                 goto err_unreg;
1018
1019         memset(&resp, 0, sizeof resp);
1020         resp.lkey      = mr->lkey;
1021         resp.rkey      = mr->rkey;
1022         resp.mr_handle = uobj->id;
1023
1024         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1025                          &resp, sizeof resp)) {
1026                 ret = -EFAULT;
1027                 goto err_copy;
1028         }
1029
1030         put_pd_read(pd);
1031
1032         mutex_lock(&file->mutex);
1033         list_add_tail(&uobj->list, &file->ucontext->mr_list);
1034         mutex_unlock(&file->mutex);
1035
1036         uobj->live = 1;
1037
1038         up_write(&uobj->mutex);
1039
1040         return in_len;
1041
1042 err_copy:
1043         idr_remove_uobj(&ib_uverbs_mr_idr, uobj);
1044
1045 err_unreg:
1046         ib_dereg_mr(mr);
1047
1048 err_put:
1049         put_pd_read(pd);
1050
1051 err_free:
1052         put_uobj_write(uobj);
1053         return ret;
1054 }
1055
1056 ssize_t ib_uverbs_rereg_mr(struct ib_uverbs_file *file,
1057                            const char __user *buf, int in_len,
1058                            int out_len)
1059 {
1060         struct ib_uverbs_rereg_mr      cmd;
1061         struct ib_uverbs_rereg_mr_resp resp;
1062         struct ib_udata              udata;
1063         struct ib_pd                *pd = NULL;
1064         struct ib_mr                *mr;
1065         struct ib_pd                *old_pd;
1066         int                          ret;
1067         struct ib_uobject           *uobj;
1068
1069         if (out_len < sizeof(resp))
1070                 return -ENOSPC;
1071
1072         if (copy_from_user(&cmd, buf, sizeof(cmd)))
1073                 return -EFAULT;
1074
1075         INIT_UDATA(&udata, buf + sizeof(cmd),
1076                    (unsigned long) cmd.response + sizeof(resp),
1077                    in_len - sizeof(cmd), out_len - sizeof(resp));
1078
1079         if (cmd.flags & ~IB_MR_REREG_SUPPORTED || !cmd.flags)
1080                 return -EINVAL;
1081
1082         if ((cmd.flags & IB_MR_REREG_TRANS) &&
1083             (!cmd.start || !cmd.hca_va || 0 >= cmd.length ||
1084              (cmd.start & ~PAGE_MASK) != (cmd.hca_va & ~PAGE_MASK)))
1085                         return -EINVAL;
1086
1087         uobj = idr_write_uobj(&ib_uverbs_mr_idr, cmd.mr_handle,
1088                               file->ucontext);
1089
1090         if (!uobj)
1091                 return -EINVAL;
1092
1093         mr = uobj->object;
1094
1095         if (cmd.flags & IB_MR_REREG_ACCESS) {
1096                 ret = ib_check_mr_access(cmd.access_flags);
1097                 if (ret)
1098                         goto put_uobjs;
1099         }
1100
1101         if (cmd.flags & IB_MR_REREG_PD) {
1102                 pd = idr_read_pd(cmd.pd_handle, file->ucontext);
1103                 if (!pd) {
1104                         ret = -EINVAL;
1105                         goto put_uobjs;
1106                 }
1107         }
1108
1109         if (atomic_read(&mr->usecnt)) {
1110                 ret = -EBUSY;
1111                 goto put_uobj_pd;
1112         }
1113
1114         old_pd = mr->pd;
1115         ret = mr->device->rereg_user_mr(mr, cmd.flags, cmd.start,
1116                                         cmd.length, cmd.hca_va,
1117                                         cmd.access_flags, pd, &udata);
1118         if (!ret) {
1119                 if (cmd.flags & IB_MR_REREG_PD) {
1120                         atomic_inc(&pd->usecnt);
1121                         mr->pd = pd;
1122                         atomic_dec(&old_pd->usecnt);
1123                 }
1124         } else {
1125                 goto put_uobj_pd;
1126         }
1127
1128         memset(&resp, 0, sizeof(resp));
1129         resp.lkey      = mr->lkey;
1130         resp.rkey      = mr->rkey;
1131
1132         if (copy_to_user((void __user *)(unsigned long)cmd.response,
1133                          &resp, sizeof(resp)))
1134                 ret = -EFAULT;
1135         else
1136                 ret = in_len;
1137
1138 put_uobj_pd:
1139         if (cmd.flags & IB_MR_REREG_PD)
1140                 put_pd_read(pd);
1141
1142 put_uobjs:
1143
1144         put_uobj_write(mr->uobject);
1145
1146         return ret;
1147 }
1148
1149 ssize_t ib_uverbs_dereg_mr(struct ib_uverbs_file *file,
1150                            const char __user *buf, int in_len,
1151                            int out_len)
1152 {
1153         struct ib_uverbs_dereg_mr cmd;
1154         struct ib_mr             *mr;
1155         struct ib_uobject        *uobj;
1156         int                       ret = -EINVAL;
1157
1158         if (copy_from_user(&cmd, buf, sizeof cmd))
1159                 return -EFAULT;
1160
1161         uobj = idr_write_uobj(&ib_uverbs_mr_idr, cmd.mr_handle, file->ucontext);
1162         if (!uobj)
1163                 return -EINVAL;
1164
1165         mr = uobj->object;
1166
1167         ret = ib_dereg_mr(mr);
1168         if (!ret)
1169                 uobj->live = 0;
1170
1171         put_uobj_write(uobj);
1172
1173         if (ret)
1174                 return ret;
1175
1176         idr_remove_uobj(&ib_uverbs_mr_idr, uobj);
1177
1178         mutex_lock(&file->mutex);
1179         list_del(&uobj->list);
1180         mutex_unlock(&file->mutex);
1181
1182         put_uobj(uobj);
1183
1184         return in_len;
1185 }
1186
1187 ssize_t ib_uverbs_alloc_mw(struct ib_uverbs_file *file,
1188                          const char __user *buf, int in_len,
1189                          int out_len)
1190 {
1191         struct ib_uverbs_alloc_mw      cmd;
1192         struct ib_uverbs_alloc_mw_resp resp;
1193         struct ib_uobject             *uobj;
1194         struct ib_pd                  *pd;
1195         struct ib_mw                  *mw;
1196         int                            ret;
1197
1198         if (out_len < sizeof(resp))
1199                 return -ENOSPC;
1200
1201         if (copy_from_user(&cmd, buf, sizeof(cmd)))
1202                 return -EFAULT;
1203
1204         uobj = kmalloc(sizeof(*uobj), GFP_KERNEL);
1205         if (!uobj)
1206                 return -ENOMEM;
1207
1208         init_uobj(uobj, 0, file->ucontext, &mw_lock_class);
1209         down_write(&uobj->mutex);
1210
1211         pd = idr_read_pd(cmd.pd_handle, file->ucontext);
1212         if (!pd) {
1213                 ret = -EINVAL;
1214                 goto err_free;
1215         }
1216
1217         mw = pd->device->alloc_mw(pd, cmd.mw_type);
1218         if (IS_ERR(mw)) {
1219                 ret = PTR_ERR(mw);
1220                 goto err_put;
1221         }
1222
1223         mw->device  = pd->device;
1224         mw->pd      = pd;
1225         mw->uobject = uobj;
1226         atomic_inc(&pd->usecnt);
1227
1228         uobj->object = mw;
1229         ret = idr_add_uobj(&ib_uverbs_mw_idr, uobj);
1230         if (ret)
1231                 goto err_unalloc;
1232
1233         memset(&resp, 0, sizeof(resp));
1234         resp.rkey      = mw->rkey;
1235         resp.mw_handle = uobj->id;
1236
1237         if (copy_to_user((void __user *)(unsigned long)cmd.response,
1238                          &resp, sizeof(resp))) {
1239                 ret = -EFAULT;
1240                 goto err_copy;
1241         }
1242
1243         put_pd_read(pd);
1244
1245         mutex_lock(&file->mutex);
1246         list_add_tail(&uobj->list, &file->ucontext->mw_list);
1247         mutex_unlock(&file->mutex);
1248
1249         uobj->live = 1;
1250
1251         up_write(&uobj->mutex);
1252
1253         return in_len;
1254
1255 err_copy:
1256         idr_remove_uobj(&ib_uverbs_mw_idr, uobj);
1257
1258 err_unalloc:
1259         ib_dealloc_mw(mw);
1260
1261 err_put:
1262         put_pd_read(pd);
1263
1264 err_free:
1265         put_uobj_write(uobj);
1266         return ret;
1267 }
1268
1269 ssize_t ib_uverbs_dealloc_mw(struct ib_uverbs_file *file,
1270                            const char __user *buf, int in_len,
1271                            int out_len)
1272 {
1273         struct ib_uverbs_dealloc_mw cmd;
1274         struct ib_mw               *mw;
1275         struct ib_uobject          *uobj;
1276         int                         ret = -EINVAL;
1277
1278         if (copy_from_user(&cmd, buf, sizeof(cmd)))
1279                 return -EFAULT;
1280
1281         uobj = idr_write_uobj(&ib_uverbs_mw_idr, cmd.mw_handle, file->ucontext);
1282         if (!uobj)
1283                 return -EINVAL;
1284
1285         mw = uobj->object;
1286
1287         ret = ib_dealloc_mw(mw);
1288         if (!ret)
1289                 uobj->live = 0;
1290
1291         put_uobj_write(uobj);
1292
1293         if (ret)
1294                 return ret;
1295
1296         idr_remove_uobj(&ib_uverbs_mw_idr, uobj);
1297
1298         mutex_lock(&file->mutex);
1299         list_del(&uobj->list);
1300         mutex_unlock(&file->mutex);
1301
1302         put_uobj(uobj);
1303
1304         return in_len;
1305 }
1306
1307 ssize_t ib_uverbs_create_comp_channel(struct ib_uverbs_file *file,
1308                                       const char __user *buf, int in_len,
1309                                       int out_len)
1310 {
1311         struct ib_uverbs_create_comp_channel       cmd;
1312         struct ib_uverbs_create_comp_channel_resp  resp;
1313         struct file                               *filp;
1314         int ret;
1315
1316         if (out_len < sizeof resp)
1317                 return -ENOSPC;
1318
1319         if (copy_from_user(&cmd, buf, sizeof cmd))
1320                 return -EFAULT;
1321
1322         ret = get_unused_fd_flags(O_CLOEXEC);
1323         if (ret < 0)
1324                 return ret;
1325         resp.fd = ret;
1326
1327         filp = ib_uverbs_alloc_event_file(file, 0);
1328         if (IS_ERR(filp)) {
1329                 put_unused_fd(resp.fd);
1330                 return PTR_ERR(filp);
1331         }
1332
1333         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1334                          &resp, sizeof resp)) {
1335                 put_unused_fd(resp.fd);
1336                 fput(filp);
1337                 return -EFAULT;
1338         }
1339
1340         fd_install(resp.fd, filp);
1341         return in_len;
1342 }
1343
1344 static struct ib_ucq_object *create_cq(struct ib_uverbs_file *file,
1345                                        struct ib_udata *ucore,
1346                                        struct ib_udata *uhw,
1347                                        struct ib_uverbs_ex_create_cq *cmd,
1348                                        size_t cmd_sz,
1349                                        int (*cb)(struct ib_uverbs_file *file,
1350                                                  struct ib_ucq_object *obj,
1351                                                  struct ib_uverbs_ex_create_cq_resp *resp,
1352                                                  struct ib_udata *udata,
1353                                                  void *context),
1354                                        void *context)
1355 {
1356         struct ib_ucq_object           *obj;
1357         struct ib_uverbs_event_file    *ev_file = NULL;
1358         struct ib_cq                   *cq;
1359         int                             ret;
1360         struct ib_uverbs_ex_create_cq_resp resp;
1361         struct ib_cq_init_attr attr = {};
1362
1363         if (cmd->comp_vector >= file->device->num_comp_vectors)
1364                 return ERR_PTR(-EINVAL);
1365
1366         obj = kmalloc(sizeof *obj, GFP_KERNEL);
1367         if (!obj)
1368                 return ERR_PTR(-ENOMEM);
1369
1370         init_uobj(&obj->uobject, cmd->user_handle, file->ucontext, &cq_lock_class);
1371         down_write(&obj->uobject.mutex);
1372
1373         if (cmd->comp_channel >= 0) {
1374                 ev_file = ib_uverbs_lookup_comp_file(cmd->comp_channel);
1375                 if (!ev_file) {
1376                         ret = -EINVAL;
1377                         goto err;
1378                 }
1379         }
1380
1381         obj->uverbs_file           = file;
1382         obj->comp_events_reported  = 0;
1383         obj->async_events_reported = 0;
1384         INIT_LIST_HEAD(&obj->comp_list);
1385         INIT_LIST_HEAD(&obj->async_list);
1386
1387         attr.cqe = cmd->cqe;
1388         attr.comp_vector = cmd->comp_vector;
1389
1390         if (cmd_sz > offsetof(typeof(*cmd), flags) + sizeof(cmd->flags))
1391                 attr.flags = cmd->flags;
1392
1393         cq = file->device->ib_dev->create_cq(file->device->ib_dev, &attr,
1394                                              file->ucontext, uhw);
1395         if (IS_ERR(cq)) {
1396                 ret = PTR_ERR(cq);
1397                 goto err_file;
1398         }
1399
1400         cq->device        = file->device->ib_dev;
1401         cq->uobject       = &obj->uobject;
1402         cq->comp_handler  = ib_uverbs_comp_handler;
1403         cq->event_handler = ib_uverbs_cq_event_handler;
1404         cq->cq_context    = ev_file;
1405         atomic_set(&cq->usecnt, 0);
1406
1407         obj->uobject.object = cq;
1408         ret = idr_add_uobj(&ib_uverbs_cq_idr, &obj->uobject);
1409         if (ret)
1410                 goto err_free;
1411
1412         memset(&resp, 0, sizeof resp);
1413         resp.base.cq_handle = obj->uobject.id;
1414         resp.base.cqe       = cq->cqe;
1415
1416         resp.response_length = offsetof(typeof(resp), response_length) +
1417                 sizeof(resp.response_length);
1418
1419         ret = cb(file, obj, &resp, ucore, context);
1420         if (ret)
1421                 goto err_cb;
1422
1423         mutex_lock(&file->mutex);
1424         list_add_tail(&obj->uobject.list, &file->ucontext->cq_list);
1425         mutex_unlock(&file->mutex);
1426
1427         obj->uobject.live = 1;
1428
1429         up_write(&obj->uobject.mutex);
1430
1431         return obj;
1432
1433 err_cb:
1434         idr_remove_uobj(&ib_uverbs_cq_idr, &obj->uobject);
1435
1436 err_free:
1437         ib_destroy_cq(cq);
1438
1439 err_file:
1440         if (ev_file)
1441                 ib_uverbs_release_ucq(file, ev_file, obj);
1442
1443 err:
1444         put_uobj_write(&obj->uobject);
1445
1446         return ERR_PTR(ret);
1447 }
1448
1449 static int ib_uverbs_create_cq_cb(struct ib_uverbs_file *file,
1450                                   struct ib_ucq_object *obj,
1451                                   struct ib_uverbs_ex_create_cq_resp *resp,
1452                                   struct ib_udata *ucore, void *context)
1453 {
1454         if (ib_copy_to_udata(ucore, &resp->base, sizeof(resp->base)))
1455                 return -EFAULT;
1456
1457         return 0;
1458 }
1459
1460 ssize_t ib_uverbs_create_cq(struct ib_uverbs_file *file,
1461                             const char __user *buf, int in_len,
1462                             int out_len)
1463 {
1464         struct ib_uverbs_create_cq      cmd;
1465         struct ib_uverbs_ex_create_cq   cmd_ex;
1466         struct ib_uverbs_create_cq_resp resp;
1467         struct ib_udata                 ucore;
1468         struct ib_udata                 uhw;
1469         struct ib_ucq_object           *obj;
1470
1471         if (out_len < sizeof(resp))
1472                 return -ENOSPC;
1473
1474         if (copy_from_user(&cmd, buf, sizeof(cmd)))
1475                 return -EFAULT;
1476
1477         INIT_UDATA(&ucore, buf, cmd.response, sizeof(cmd), sizeof(resp));
1478
1479         INIT_UDATA(&uhw, buf + sizeof(cmd),
1480                    (unsigned long)cmd.response + sizeof(resp),
1481                    in_len - sizeof(cmd), out_len - sizeof(resp));
1482
1483         memset(&cmd_ex, 0, sizeof(cmd_ex));
1484         cmd_ex.user_handle = cmd.user_handle;
1485         cmd_ex.cqe = cmd.cqe;
1486         cmd_ex.comp_vector = cmd.comp_vector;
1487         cmd_ex.comp_channel = cmd.comp_channel;
1488
1489         obj = create_cq(file, &ucore, &uhw, &cmd_ex,
1490                         offsetof(typeof(cmd_ex), comp_channel) +
1491                         sizeof(cmd.comp_channel), ib_uverbs_create_cq_cb,
1492                         NULL);
1493
1494         if (IS_ERR(obj))
1495                 return PTR_ERR(obj);
1496
1497         return in_len;
1498 }
1499
1500 static int ib_uverbs_ex_create_cq_cb(struct ib_uverbs_file *file,
1501                                      struct ib_ucq_object *obj,
1502                                      struct ib_uverbs_ex_create_cq_resp *resp,
1503                                      struct ib_udata *ucore, void *context)
1504 {
1505         if (ib_copy_to_udata(ucore, resp, resp->response_length))
1506                 return -EFAULT;
1507
1508         return 0;
1509 }
1510
1511 int ib_uverbs_ex_create_cq(struct ib_uverbs_file *file,
1512                            struct ib_udata *ucore,
1513                            struct ib_udata *uhw)
1514 {
1515         struct ib_uverbs_ex_create_cq_resp resp;
1516         struct ib_uverbs_ex_create_cq  cmd;
1517         struct ib_ucq_object           *obj;
1518         int err;
1519
1520         if (ucore->inlen < sizeof(cmd))
1521                 return -EINVAL;
1522
1523         err = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
1524         if (err)
1525                 return err;
1526
1527         if (cmd.comp_mask)
1528                 return -EINVAL;
1529
1530         if (cmd.reserved)
1531                 return -EINVAL;
1532
1533         if (ucore->outlen < (offsetof(typeof(resp), response_length) +
1534                              sizeof(resp.response_length)))
1535                 return -ENOSPC;
1536
1537         obj = create_cq(file, ucore, uhw, &cmd,
1538                         min(ucore->inlen, sizeof(cmd)),
1539                         ib_uverbs_ex_create_cq_cb, NULL);
1540
1541         if (IS_ERR(obj))
1542                 return PTR_ERR(obj);
1543
1544         return 0;
1545 }
1546
1547 ssize_t ib_uverbs_resize_cq(struct ib_uverbs_file *file,
1548                             const char __user *buf, int in_len,
1549                             int out_len)
1550 {
1551         struct ib_uverbs_resize_cq      cmd;
1552         struct ib_uverbs_resize_cq_resp resp;
1553         struct ib_udata                 udata;
1554         struct ib_cq                    *cq;
1555         int                             ret = -EINVAL;
1556
1557         if (copy_from_user(&cmd, buf, sizeof cmd))
1558                 return -EFAULT;
1559
1560         INIT_UDATA(&udata, buf + sizeof cmd,
1561                    (unsigned long) cmd.response + sizeof resp,
1562                    in_len - sizeof cmd, out_len - sizeof resp);
1563
1564         cq = idr_read_cq(cmd.cq_handle, file->ucontext, 0);
1565         if (!cq)
1566                 return -EINVAL;
1567
1568         ret = cq->device->resize_cq(cq, cmd.cqe, &udata);
1569         if (ret)
1570                 goto out;
1571
1572         resp.cqe = cq->cqe;
1573
1574         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1575                          &resp, sizeof resp.cqe))
1576                 ret = -EFAULT;
1577
1578 out:
1579         put_cq_read(cq);
1580
1581         return ret ? ret : in_len;
1582 }
1583
1584 static int copy_wc_to_user(void __user *dest, struct ib_wc *wc)
1585 {
1586         struct ib_uverbs_wc tmp;
1587
1588         tmp.wr_id               = wc->wr_id;
1589         tmp.status              = wc->status;
1590         tmp.opcode              = wc->opcode;
1591         tmp.vendor_err          = wc->vendor_err;
1592         tmp.byte_len            = wc->byte_len;
1593         tmp.ex.imm_data         = (__u32 __force) wc->ex.imm_data;
1594         tmp.qp_num              = wc->qp->qp_num;
1595         tmp.src_qp              = wc->src_qp;
1596         tmp.wc_flags            = wc->wc_flags;
1597         tmp.pkey_index          = wc->pkey_index;
1598         tmp.slid                = wc->slid;
1599         tmp.sl                  = wc->sl;
1600         tmp.dlid_path_bits      = wc->dlid_path_bits;
1601         tmp.port_num            = wc->port_num;
1602         tmp.reserved            = 0;
1603
1604         if (copy_to_user(dest, &tmp, sizeof tmp))
1605                 return -EFAULT;
1606
1607         return 0;
1608 }
1609
1610 ssize_t ib_uverbs_poll_cq(struct ib_uverbs_file *file,
1611                           const char __user *buf, int in_len,
1612                           int out_len)
1613 {
1614         struct ib_uverbs_poll_cq       cmd;
1615         struct ib_uverbs_poll_cq_resp  resp;
1616         u8 __user                     *header_ptr;
1617         u8 __user                     *data_ptr;
1618         struct ib_cq                  *cq;
1619         struct ib_wc                   wc;
1620         int                            ret;
1621
1622         if (copy_from_user(&cmd, buf, sizeof cmd))
1623                 return -EFAULT;
1624
1625         cq = idr_read_cq(cmd.cq_handle, file->ucontext, 0);
1626         if (!cq)
1627                 return -EINVAL;
1628
1629         /* we copy a struct ib_uverbs_poll_cq_resp to user space */
1630         header_ptr = (void __user *)(unsigned long) cmd.response;
1631         data_ptr = header_ptr + sizeof resp;
1632
1633         memset(&resp, 0, sizeof resp);
1634         while (resp.count < cmd.ne) {
1635                 ret = ib_poll_cq(cq, 1, &wc);
1636                 if (ret < 0)
1637                         goto out_put;
1638                 if (!ret)
1639                         break;
1640
1641                 ret = copy_wc_to_user(data_ptr, &wc);
1642                 if (ret)
1643                         goto out_put;
1644
1645                 data_ptr += sizeof(struct ib_uverbs_wc);
1646                 ++resp.count;
1647         }
1648
1649         if (copy_to_user(header_ptr, &resp, sizeof resp)) {
1650                 ret = -EFAULT;
1651                 goto out_put;
1652         }
1653
1654         ret = in_len;
1655
1656 out_put:
1657         put_cq_read(cq);
1658         return ret;
1659 }
1660
1661 ssize_t ib_uverbs_req_notify_cq(struct ib_uverbs_file *file,
1662                                 const char __user *buf, int in_len,
1663                                 int out_len)
1664 {
1665         struct ib_uverbs_req_notify_cq cmd;
1666         struct ib_cq                  *cq;
1667
1668         if (copy_from_user(&cmd, buf, sizeof cmd))
1669                 return -EFAULT;
1670
1671         cq = idr_read_cq(cmd.cq_handle, file->ucontext, 0);
1672         if (!cq)
1673                 return -EINVAL;
1674
1675         ib_req_notify_cq(cq, cmd.solicited_only ?
1676                          IB_CQ_SOLICITED : IB_CQ_NEXT_COMP);
1677
1678         put_cq_read(cq);
1679
1680         return in_len;
1681 }
1682
1683 ssize_t ib_uverbs_destroy_cq(struct ib_uverbs_file *file,
1684                              const char __user *buf, int in_len,
1685                              int out_len)
1686 {
1687         struct ib_uverbs_destroy_cq      cmd;
1688         struct ib_uverbs_destroy_cq_resp resp;
1689         struct ib_uobject               *uobj;
1690         struct ib_cq                    *cq;
1691         struct ib_ucq_object            *obj;
1692         struct ib_uverbs_event_file     *ev_file;
1693         int                              ret = -EINVAL;
1694
1695         if (copy_from_user(&cmd, buf, sizeof cmd))
1696                 return -EFAULT;
1697
1698         uobj = idr_write_uobj(&ib_uverbs_cq_idr, cmd.cq_handle, file->ucontext);
1699         if (!uobj)
1700                 return -EINVAL;
1701         cq      = uobj->object;
1702         ev_file = cq->cq_context;
1703         obj     = container_of(cq->uobject, struct ib_ucq_object, uobject);
1704
1705         ret = ib_destroy_cq(cq);
1706         if (!ret)
1707                 uobj->live = 0;
1708
1709         put_uobj_write(uobj);
1710
1711         if (ret)
1712                 return ret;
1713
1714         idr_remove_uobj(&ib_uverbs_cq_idr, uobj);
1715
1716         mutex_lock(&file->mutex);
1717         list_del(&uobj->list);
1718         mutex_unlock(&file->mutex);
1719
1720         ib_uverbs_release_ucq(file, ev_file, obj);
1721
1722         memset(&resp, 0, sizeof resp);
1723         resp.comp_events_reported  = obj->comp_events_reported;
1724         resp.async_events_reported = obj->async_events_reported;
1725
1726         put_uobj(uobj);
1727
1728         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1729                          &resp, sizeof resp))
1730                 return -EFAULT;
1731
1732         return in_len;
1733 }
1734
1735 ssize_t ib_uverbs_create_qp(struct ib_uverbs_file *file,
1736                             const char __user *buf, int in_len,
1737                             int out_len)
1738 {
1739         struct ib_uverbs_create_qp      cmd;
1740         struct ib_uverbs_create_qp_resp resp;
1741         struct ib_udata                 udata;
1742         struct ib_uqp_object           *obj;
1743         struct ib_device               *device;
1744         struct ib_pd                   *pd = NULL;
1745         struct ib_xrcd                 *xrcd = NULL;
1746         struct ib_uobject              *uninitialized_var(xrcd_uobj);
1747         struct ib_cq                   *scq = NULL, *rcq = NULL;
1748         struct ib_srq                  *srq = NULL;
1749         struct ib_qp                   *qp;
1750         struct ib_qp_init_attr          attr;
1751         int ret;
1752
1753         if (out_len < sizeof resp)
1754                 return -ENOSPC;
1755
1756         if (copy_from_user(&cmd, buf, sizeof cmd))
1757                 return -EFAULT;
1758
1759         if (cmd.qp_type == IB_QPT_RAW_PACKET && !capable(CAP_NET_RAW))
1760                 return -EPERM;
1761
1762         INIT_UDATA(&udata, buf + sizeof cmd,
1763                    (unsigned long) cmd.response + sizeof resp,
1764                    in_len - sizeof cmd, out_len - sizeof resp);
1765
1766         obj = kzalloc(sizeof *obj, GFP_KERNEL);
1767         if (!obj)
1768                 return -ENOMEM;
1769
1770         init_uobj(&obj->uevent.uobject, cmd.user_handle, file->ucontext, &qp_lock_class);
1771         down_write(&obj->uevent.uobject.mutex);
1772
1773         if (cmd.qp_type == IB_QPT_XRC_TGT) {
1774                 xrcd = idr_read_xrcd(cmd.pd_handle, file->ucontext, &xrcd_uobj);
1775                 if (!xrcd) {
1776                         ret = -EINVAL;
1777                         goto err_put;
1778                 }
1779                 device = xrcd->device;
1780         } else {
1781                 if (cmd.qp_type == IB_QPT_XRC_INI) {
1782                         cmd.max_recv_wr = cmd.max_recv_sge = 0;
1783                 } else {
1784                         if (cmd.is_srq) {
1785                                 srq = idr_read_srq(cmd.srq_handle, file->ucontext);
1786                                 if (!srq || srq->srq_type != IB_SRQT_BASIC) {
1787                                         ret = -EINVAL;
1788                                         goto err_put;
1789                                 }
1790                         }
1791
1792                         if (cmd.recv_cq_handle != cmd.send_cq_handle) {
1793                                 rcq = idr_read_cq(cmd.recv_cq_handle, file->ucontext, 0);
1794                                 if (!rcq) {
1795                                         ret = -EINVAL;
1796                                         goto err_put;
1797                                 }
1798                         }
1799                 }
1800
1801                 scq = idr_read_cq(cmd.send_cq_handle, file->ucontext, !!rcq);
1802                 rcq = rcq ?: scq;
1803                 pd  = idr_read_pd(cmd.pd_handle, file->ucontext);
1804                 if (!pd || !scq) {
1805                         ret = -EINVAL;
1806                         goto err_put;
1807                 }
1808
1809                 device = pd->device;
1810         }
1811
1812         attr.event_handler = ib_uverbs_qp_event_handler;
1813         attr.qp_context    = file;
1814         attr.send_cq       = scq;
1815         attr.recv_cq       = rcq;
1816         attr.srq           = srq;
1817         attr.xrcd          = xrcd;
1818         attr.sq_sig_type   = cmd.sq_sig_all ? IB_SIGNAL_ALL_WR : IB_SIGNAL_REQ_WR;
1819         attr.qp_type       = cmd.qp_type;
1820         attr.create_flags  = 0;
1821
1822         attr.cap.max_send_wr     = cmd.max_send_wr;
1823         attr.cap.max_recv_wr     = cmd.max_recv_wr;
1824         attr.cap.max_send_sge    = cmd.max_send_sge;
1825         attr.cap.max_recv_sge    = cmd.max_recv_sge;
1826         attr.cap.max_inline_data = cmd.max_inline_data;
1827
1828         obj->uevent.events_reported     = 0;
1829         INIT_LIST_HEAD(&obj->uevent.event_list);
1830         INIT_LIST_HEAD(&obj->mcast_list);
1831
1832         if (cmd.qp_type == IB_QPT_XRC_TGT)
1833                 qp = ib_create_qp(pd, &attr);
1834         else
1835                 qp = device->create_qp(pd, &attr, &udata);
1836
1837         if (IS_ERR(qp)) {
1838                 ret = PTR_ERR(qp);
1839                 goto err_put;
1840         }
1841
1842         if (cmd.qp_type != IB_QPT_XRC_TGT) {
1843                 qp->real_qp       = qp;
1844                 qp->device        = device;
1845                 qp->pd            = pd;
1846                 qp->send_cq       = attr.send_cq;
1847                 qp->recv_cq       = attr.recv_cq;
1848                 qp->srq           = attr.srq;
1849                 qp->event_handler = attr.event_handler;
1850                 qp->qp_context    = attr.qp_context;
1851                 qp->qp_type       = attr.qp_type;
1852                 atomic_set(&qp->usecnt, 0);
1853                 atomic_inc(&pd->usecnt);
1854                 atomic_inc(&attr.send_cq->usecnt);
1855                 if (attr.recv_cq)
1856                         atomic_inc(&attr.recv_cq->usecnt);
1857                 if (attr.srq)
1858                         atomic_inc(&attr.srq->usecnt);
1859         }
1860         qp->uobject = &obj->uevent.uobject;
1861
1862         obj->uevent.uobject.object = qp;
1863         ret = idr_add_uobj(&ib_uverbs_qp_idr, &obj->uevent.uobject);
1864         if (ret)
1865                 goto err_destroy;
1866
1867         memset(&resp, 0, sizeof resp);
1868         resp.qpn             = qp->qp_num;
1869         resp.qp_handle       = obj->uevent.uobject.id;
1870         resp.max_recv_sge    = attr.cap.max_recv_sge;
1871         resp.max_send_sge    = attr.cap.max_send_sge;
1872         resp.max_recv_wr     = attr.cap.max_recv_wr;
1873         resp.max_send_wr     = attr.cap.max_send_wr;
1874         resp.max_inline_data = attr.cap.max_inline_data;
1875
1876         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1877                          &resp, sizeof resp)) {
1878                 ret = -EFAULT;
1879                 goto err_copy;
1880         }
1881
1882         if (xrcd) {
1883                 obj->uxrcd = container_of(xrcd_uobj, struct ib_uxrcd_object,
1884                                           uobject);
1885                 atomic_inc(&obj->uxrcd->refcnt);
1886                 put_xrcd_read(xrcd_uobj);
1887         }
1888
1889         if (pd)
1890                 put_pd_read(pd);
1891         if (scq)
1892                 put_cq_read(scq);
1893         if (rcq && rcq != scq)
1894                 put_cq_read(rcq);
1895         if (srq)
1896                 put_srq_read(srq);
1897
1898         mutex_lock(&file->mutex);
1899         list_add_tail(&obj->uevent.uobject.list, &file->ucontext->qp_list);
1900         mutex_unlock(&file->mutex);
1901
1902         obj->uevent.uobject.live = 1;
1903
1904         up_write(&obj->uevent.uobject.mutex);
1905
1906         return in_len;
1907
1908 err_copy:
1909         idr_remove_uobj(&ib_uverbs_qp_idr, &obj->uevent.uobject);
1910
1911 err_destroy:
1912         ib_destroy_qp(qp);
1913
1914 err_put:
1915         if (xrcd)
1916                 put_xrcd_read(xrcd_uobj);
1917         if (pd)
1918                 put_pd_read(pd);
1919         if (scq)
1920                 put_cq_read(scq);
1921         if (rcq && rcq != scq)
1922                 put_cq_read(rcq);
1923         if (srq)
1924                 put_srq_read(srq);
1925
1926         put_uobj_write(&obj->uevent.uobject);
1927         return ret;
1928 }
1929
1930 ssize_t ib_uverbs_open_qp(struct ib_uverbs_file *file,
1931                           const char __user *buf, int in_len, int out_len)
1932 {
1933         struct ib_uverbs_open_qp        cmd;
1934         struct ib_uverbs_create_qp_resp resp;
1935         struct ib_udata                 udata;
1936         struct ib_uqp_object           *obj;
1937         struct ib_xrcd                 *xrcd;
1938         struct ib_uobject              *uninitialized_var(xrcd_uobj);
1939         struct ib_qp                   *qp;
1940         struct ib_qp_open_attr          attr;
1941         int ret;
1942
1943         if (out_len < sizeof resp)
1944                 return -ENOSPC;
1945
1946         if (copy_from_user(&cmd, buf, sizeof cmd))
1947                 return -EFAULT;
1948
1949         INIT_UDATA(&udata, buf + sizeof cmd,
1950                    (unsigned long) cmd.response + sizeof resp,
1951                    in_len - sizeof cmd, out_len - sizeof resp);
1952
1953         obj = kmalloc(sizeof *obj, GFP_KERNEL);
1954         if (!obj)
1955                 return -ENOMEM;
1956
1957         init_uobj(&obj->uevent.uobject, cmd.user_handle, file->ucontext, &qp_lock_class);
1958         down_write(&obj->uevent.uobject.mutex);
1959
1960         xrcd = idr_read_xrcd(cmd.pd_handle, file->ucontext, &xrcd_uobj);
1961         if (!xrcd) {
1962                 ret = -EINVAL;
1963                 goto err_put;
1964         }
1965
1966         attr.event_handler = ib_uverbs_qp_event_handler;
1967         attr.qp_context    = file;
1968         attr.qp_num        = cmd.qpn;
1969         attr.qp_type       = cmd.qp_type;
1970
1971         obj->uevent.events_reported = 0;
1972         INIT_LIST_HEAD(&obj->uevent.event_list);
1973         INIT_LIST_HEAD(&obj->mcast_list);
1974
1975         qp = ib_open_qp(xrcd, &attr);
1976         if (IS_ERR(qp)) {
1977                 ret = PTR_ERR(qp);
1978                 goto err_put;
1979         }
1980
1981         qp->uobject = &obj->uevent.uobject;
1982
1983         obj->uevent.uobject.object = qp;
1984         ret = idr_add_uobj(&ib_uverbs_qp_idr, &obj->uevent.uobject);
1985         if (ret)
1986                 goto err_destroy;
1987
1988         memset(&resp, 0, sizeof resp);
1989         resp.qpn       = qp->qp_num;
1990         resp.qp_handle = obj->uevent.uobject.id;
1991
1992         if (copy_to_user((void __user *) (unsigned long) cmd.response,
1993                          &resp, sizeof resp)) {
1994                 ret = -EFAULT;
1995                 goto err_remove;
1996         }
1997
1998         obj->uxrcd = container_of(xrcd_uobj, struct ib_uxrcd_object, uobject);
1999         atomic_inc(&obj->uxrcd->refcnt);
2000         put_xrcd_read(xrcd_uobj);
2001
2002         mutex_lock(&file->mutex);
2003         list_add_tail(&obj->uevent.uobject.list, &file->ucontext->qp_list);
2004         mutex_unlock(&file->mutex);
2005
2006         obj->uevent.uobject.live = 1;
2007
2008         up_write(&obj->uevent.uobject.mutex);
2009
2010         return in_len;
2011
2012 err_remove:
2013         idr_remove_uobj(&ib_uverbs_qp_idr, &obj->uevent.uobject);
2014
2015 err_destroy:
2016         ib_destroy_qp(qp);
2017
2018 err_put:
2019         put_xrcd_read(xrcd_uobj);
2020         put_uobj_write(&obj->uevent.uobject);
2021         return ret;
2022 }
2023
2024 ssize_t ib_uverbs_query_qp(struct ib_uverbs_file *file,
2025                            const char __user *buf, int in_len,
2026                            int out_len)
2027 {
2028         struct ib_uverbs_query_qp      cmd;
2029         struct ib_uverbs_query_qp_resp resp;
2030         struct ib_qp                   *qp;
2031         struct ib_qp_attr              *attr;
2032         struct ib_qp_init_attr         *init_attr;
2033         int                            ret;
2034
2035         if (copy_from_user(&cmd, buf, sizeof cmd))
2036                 return -EFAULT;
2037
2038         attr      = kmalloc(sizeof *attr, GFP_KERNEL);
2039         init_attr = kmalloc(sizeof *init_attr, GFP_KERNEL);
2040         if (!attr || !init_attr) {
2041                 ret = -ENOMEM;
2042                 goto out;
2043         }
2044
2045         qp = idr_read_qp(cmd.qp_handle, file->ucontext);
2046         if (!qp) {
2047                 ret = -EINVAL;
2048                 goto out;
2049         }
2050
2051         ret = ib_query_qp(qp, attr, cmd.attr_mask, init_attr);
2052
2053         put_qp_read(qp);
2054
2055         if (ret)
2056                 goto out;
2057
2058         memset(&resp, 0, sizeof resp);
2059
2060         resp.qp_state               = attr->qp_state;
2061         resp.cur_qp_state           = attr->cur_qp_state;
2062         resp.path_mtu               = attr->path_mtu;
2063         resp.path_mig_state         = attr->path_mig_state;
2064         resp.qkey                   = attr->qkey;
2065         resp.rq_psn                 = attr->rq_psn;
2066         resp.sq_psn                 = attr->sq_psn;
2067         resp.dest_qp_num            = attr->dest_qp_num;
2068         resp.qp_access_flags        = attr->qp_access_flags;
2069         resp.pkey_index             = attr->pkey_index;
2070         resp.alt_pkey_index         = attr->alt_pkey_index;
2071         resp.sq_draining            = attr->sq_draining;
2072         resp.max_rd_atomic          = attr->max_rd_atomic;
2073         resp.max_dest_rd_atomic     = attr->max_dest_rd_atomic;
2074         resp.min_rnr_timer          = attr->min_rnr_timer;
2075         resp.port_num               = attr->port_num;
2076         resp.timeout                = attr->timeout;
2077         resp.retry_cnt              = attr->retry_cnt;
2078         resp.rnr_retry              = attr->rnr_retry;
2079         resp.alt_port_num           = attr->alt_port_num;
2080         resp.alt_timeout            = attr->alt_timeout;
2081
2082         memcpy(resp.dest.dgid, attr->ah_attr.grh.dgid.raw, 16);
2083         resp.dest.flow_label        = attr->ah_attr.grh.flow_label;
2084         resp.dest.sgid_index        = attr->ah_attr.grh.sgid_index;
2085         resp.dest.hop_limit         = attr->ah_attr.grh.hop_limit;
2086         resp.dest.traffic_class     = attr->ah_attr.grh.traffic_class;
2087         resp.dest.dlid              = attr->ah_attr.dlid;
2088         resp.dest.sl                = attr->ah_attr.sl;
2089         resp.dest.src_path_bits     = attr->ah_attr.src_path_bits;
2090         resp.dest.static_rate       = attr->ah_attr.static_rate;
2091         resp.dest.is_global         = !!(attr->ah_attr.ah_flags & IB_AH_GRH);
2092         resp.dest.port_num          = attr->ah_attr.port_num;
2093
2094         memcpy(resp.alt_dest.dgid, attr->alt_ah_attr.grh.dgid.raw, 16);
2095         resp.alt_dest.flow_label    = attr->alt_ah_attr.grh.flow_label;
2096         resp.alt_dest.sgid_index    = attr->alt_ah_attr.grh.sgid_index;
2097         resp.alt_dest.hop_limit     = attr->alt_ah_attr.grh.hop_limit;
2098         resp.alt_dest.traffic_class = attr->alt_ah_attr.grh.traffic_class;
2099         resp.alt_dest.dlid          = attr->alt_ah_attr.dlid;
2100         resp.alt_dest.sl            = attr->alt_ah_attr.sl;
2101         resp.alt_dest.src_path_bits = attr->alt_ah_attr.src_path_bits;
2102         resp.alt_dest.static_rate   = attr->alt_ah_attr.static_rate;
2103         resp.alt_dest.is_global     = !!(attr->alt_ah_attr.ah_flags & IB_AH_GRH);
2104         resp.alt_dest.port_num      = attr->alt_ah_attr.port_num;
2105
2106         resp.max_send_wr            = init_attr->cap.max_send_wr;
2107         resp.max_recv_wr            = init_attr->cap.max_recv_wr;
2108         resp.max_send_sge           = init_attr->cap.max_send_sge;
2109         resp.max_recv_sge           = init_attr->cap.max_recv_sge;
2110         resp.max_inline_data        = init_attr->cap.max_inline_data;
2111         resp.sq_sig_all             = init_attr->sq_sig_type == IB_SIGNAL_ALL_WR;
2112
2113         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2114                          &resp, sizeof resp))
2115                 ret = -EFAULT;
2116
2117 out:
2118         kfree(attr);
2119         kfree(init_attr);
2120
2121         return ret ? ret : in_len;
2122 }
2123
2124 /* Remove ignored fields set in the attribute mask */
2125 static int modify_qp_mask(enum ib_qp_type qp_type, int mask)
2126 {
2127         switch (qp_type) {
2128         case IB_QPT_XRC_INI:
2129                 return mask & ~(IB_QP_MAX_DEST_RD_ATOMIC | IB_QP_MIN_RNR_TIMER);
2130         case IB_QPT_XRC_TGT:
2131                 return mask & ~(IB_QP_MAX_QP_RD_ATOMIC | IB_QP_RETRY_CNT |
2132                                 IB_QP_RNR_RETRY);
2133         default:
2134                 return mask;
2135         }
2136 }
2137
2138 ssize_t ib_uverbs_modify_qp(struct ib_uverbs_file *file,
2139                             const char __user *buf, int in_len,
2140                             int out_len)
2141 {
2142         struct ib_uverbs_modify_qp cmd;
2143         struct ib_udata            udata;
2144         struct ib_qp              *qp;
2145         struct ib_qp_attr         *attr;
2146         int                        ret;
2147
2148         if (copy_from_user(&cmd, buf, sizeof cmd))
2149                 return -EFAULT;
2150
2151         INIT_UDATA(&udata, buf + sizeof cmd, NULL, in_len - sizeof cmd,
2152                    out_len);
2153
2154         attr = kmalloc(sizeof *attr, GFP_KERNEL);
2155         if (!attr)
2156                 return -ENOMEM;
2157
2158         qp = idr_read_qp(cmd.qp_handle, file->ucontext);
2159         if (!qp) {
2160                 ret = -EINVAL;
2161                 goto out;
2162         }
2163
2164         attr->qp_state            = cmd.qp_state;
2165         attr->cur_qp_state        = cmd.cur_qp_state;
2166         attr->path_mtu            = cmd.path_mtu;
2167         attr->path_mig_state      = cmd.path_mig_state;
2168         attr->qkey                = cmd.qkey;
2169         attr->rq_psn              = cmd.rq_psn;
2170         attr->sq_psn              = cmd.sq_psn;
2171         attr->dest_qp_num         = cmd.dest_qp_num;
2172         attr->qp_access_flags     = cmd.qp_access_flags;
2173         attr->pkey_index          = cmd.pkey_index;
2174         attr->alt_pkey_index      = cmd.alt_pkey_index;
2175         attr->en_sqd_async_notify = cmd.en_sqd_async_notify;
2176         attr->max_rd_atomic       = cmd.max_rd_atomic;
2177         attr->max_dest_rd_atomic  = cmd.max_dest_rd_atomic;
2178         attr->min_rnr_timer       = cmd.min_rnr_timer;
2179         attr->port_num            = cmd.port_num;
2180         attr->timeout             = cmd.timeout;
2181         attr->retry_cnt           = cmd.retry_cnt;
2182         attr->rnr_retry           = cmd.rnr_retry;
2183         attr->alt_port_num        = cmd.alt_port_num;
2184         attr->alt_timeout         = cmd.alt_timeout;
2185
2186         memcpy(attr->ah_attr.grh.dgid.raw, cmd.dest.dgid, 16);
2187         attr->ah_attr.grh.flow_label        = cmd.dest.flow_label;
2188         attr->ah_attr.grh.sgid_index        = cmd.dest.sgid_index;
2189         attr->ah_attr.grh.hop_limit         = cmd.dest.hop_limit;
2190         attr->ah_attr.grh.traffic_class     = cmd.dest.traffic_class;
2191         attr->ah_attr.dlid                  = cmd.dest.dlid;
2192         attr->ah_attr.sl                    = cmd.dest.sl;
2193         attr->ah_attr.src_path_bits         = cmd.dest.src_path_bits;
2194         attr->ah_attr.static_rate           = cmd.dest.static_rate;
2195         attr->ah_attr.ah_flags              = cmd.dest.is_global ? IB_AH_GRH : 0;
2196         attr->ah_attr.port_num              = cmd.dest.port_num;
2197
2198         memcpy(attr->alt_ah_attr.grh.dgid.raw, cmd.alt_dest.dgid, 16);
2199         attr->alt_ah_attr.grh.flow_label    = cmd.alt_dest.flow_label;
2200         attr->alt_ah_attr.grh.sgid_index    = cmd.alt_dest.sgid_index;
2201         attr->alt_ah_attr.grh.hop_limit     = cmd.alt_dest.hop_limit;
2202         attr->alt_ah_attr.grh.traffic_class = cmd.alt_dest.traffic_class;
2203         attr->alt_ah_attr.dlid              = cmd.alt_dest.dlid;
2204         attr->alt_ah_attr.sl                = cmd.alt_dest.sl;
2205         attr->alt_ah_attr.src_path_bits     = cmd.alt_dest.src_path_bits;
2206         attr->alt_ah_attr.static_rate       = cmd.alt_dest.static_rate;
2207         attr->alt_ah_attr.ah_flags          = cmd.alt_dest.is_global ? IB_AH_GRH : 0;
2208         attr->alt_ah_attr.port_num          = cmd.alt_dest.port_num;
2209
2210         if (qp->real_qp == qp) {
2211                 ret = ib_resolve_eth_l2_attrs(qp, attr, &cmd.attr_mask);
2212                 if (ret)
2213                         goto release_qp;
2214                 ret = qp->device->modify_qp(qp, attr,
2215                         modify_qp_mask(qp->qp_type, cmd.attr_mask), &udata);
2216         } else {
2217                 ret = ib_modify_qp(qp, attr, modify_qp_mask(qp->qp_type, cmd.attr_mask));
2218         }
2219
2220         if (ret)
2221                 goto release_qp;
2222
2223         ret = in_len;
2224
2225 release_qp:
2226         put_qp_read(qp);
2227
2228 out:
2229         kfree(attr);
2230
2231         return ret;
2232 }
2233
2234 ssize_t ib_uverbs_destroy_qp(struct ib_uverbs_file *file,
2235                              const char __user *buf, int in_len,
2236                              int out_len)
2237 {
2238         struct ib_uverbs_destroy_qp      cmd;
2239         struct ib_uverbs_destroy_qp_resp resp;
2240         struct ib_uobject               *uobj;
2241         struct ib_qp                    *qp;
2242         struct ib_uqp_object            *obj;
2243         int                              ret = -EINVAL;
2244
2245         if (copy_from_user(&cmd, buf, sizeof cmd))
2246                 return -EFAULT;
2247
2248         memset(&resp, 0, sizeof resp);
2249
2250         uobj = idr_write_uobj(&ib_uverbs_qp_idr, cmd.qp_handle, file->ucontext);
2251         if (!uobj)
2252                 return -EINVAL;
2253         qp  = uobj->object;
2254         obj = container_of(uobj, struct ib_uqp_object, uevent.uobject);
2255
2256         if (!list_empty(&obj->mcast_list)) {
2257                 put_uobj_write(uobj);
2258                 return -EBUSY;
2259         }
2260
2261         ret = ib_destroy_qp(qp);
2262         if (!ret)
2263                 uobj->live = 0;
2264
2265         put_uobj_write(uobj);
2266
2267         if (ret)
2268                 return ret;
2269
2270         if (obj->uxrcd)
2271                 atomic_dec(&obj->uxrcd->refcnt);
2272
2273         idr_remove_uobj(&ib_uverbs_qp_idr, uobj);
2274
2275         mutex_lock(&file->mutex);
2276         list_del(&uobj->list);
2277         mutex_unlock(&file->mutex);
2278
2279         ib_uverbs_release_uevent(file, &obj->uevent);
2280
2281         resp.events_reported = obj->uevent.events_reported;
2282
2283         put_uobj(uobj);
2284
2285         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2286                          &resp, sizeof resp))
2287                 return -EFAULT;
2288
2289         return in_len;
2290 }
2291
2292 ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file,
2293                             const char __user *buf, int in_len,
2294                             int out_len)
2295 {
2296         struct ib_uverbs_post_send      cmd;
2297         struct ib_uverbs_post_send_resp resp;
2298         struct ib_uverbs_send_wr       *user_wr;
2299         struct ib_send_wr              *wr = NULL, *last, *next, *bad_wr;
2300         struct ib_qp                   *qp;
2301         int                             i, sg_ind;
2302         int                             is_ud;
2303         ssize_t                         ret = -EINVAL;
2304
2305         if (copy_from_user(&cmd, buf, sizeof cmd))
2306                 return -EFAULT;
2307
2308         if (in_len < sizeof cmd + cmd.wqe_size * cmd.wr_count +
2309             cmd.sge_count * sizeof (struct ib_uverbs_sge))
2310                 return -EINVAL;
2311
2312         if (cmd.wqe_size < sizeof (struct ib_uverbs_send_wr))
2313                 return -EINVAL;
2314
2315         user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
2316         if (!user_wr)
2317                 return -ENOMEM;
2318
2319         qp = idr_read_qp(cmd.qp_handle, file->ucontext);
2320         if (!qp)
2321                 goto out;
2322
2323         is_ud = qp->qp_type == IB_QPT_UD;
2324         sg_ind = 0;
2325         last = NULL;
2326         for (i = 0; i < cmd.wr_count; ++i) {
2327                 if (copy_from_user(user_wr,
2328                                    buf + sizeof cmd + i * cmd.wqe_size,
2329                                    cmd.wqe_size)) {
2330                         ret = -EFAULT;
2331                         goto out_put;
2332                 }
2333
2334                 if (user_wr->num_sge + sg_ind > cmd.sge_count) {
2335                         ret = -EINVAL;
2336                         goto out_put;
2337                 }
2338
2339                 next = kmalloc(ALIGN(sizeof *next, sizeof (struct ib_sge)) +
2340                                user_wr->num_sge * sizeof (struct ib_sge),
2341                                GFP_KERNEL);
2342                 if (!next) {
2343                         ret = -ENOMEM;
2344                         goto out_put;
2345                 }
2346
2347                 if (!last)
2348                         wr = next;
2349                 else
2350                         last->next = next;
2351                 last = next;
2352
2353                 next->next       = NULL;
2354                 next->wr_id      = user_wr->wr_id;
2355                 next->num_sge    = user_wr->num_sge;
2356                 next->opcode     = user_wr->opcode;
2357                 next->send_flags = user_wr->send_flags;
2358
2359                 if (is_ud) {
2360                         next->wr.ud.ah = idr_read_ah(user_wr->wr.ud.ah,
2361                                                      file->ucontext);
2362                         if (!next->wr.ud.ah) {
2363                                 ret = -EINVAL;
2364                                 goto out_put;
2365                         }
2366                         next->wr.ud.remote_qpn  = user_wr->wr.ud.remote_qpn;
2367                         next->wr.ud.remote_qkey = user_wr->wr.ud.remote_qkey;
2368                         if (next->opcode == IB_WR_SEND_WITH_IMM)
2369                                 next->ex.imm_data =
2370                                         (__be32 __force) user_wr->ex.imm_data;
2371                 } else {
2372                         switch (next->opcode) {
2373                         case IB_WR_RDMA_WRITE_WITH_IMM:
2374                                 next->ex.imm_data =
2375                                         (__be32 __force) user_wr->ex.imm_data;
2376                         case IB_WR_RDMA_WRITE:
2377                         case IB_WR_RDMA_READ:
2378                                 next->wr.rdma.remote_addr =
2379                                         user_wr->wr.rdma.remote_addr;
2380                                 next->wr.rdma.rkey        =
2381                                         user_wr->wr.rdma.rkey;
2382                                 break;
2383                         case IB_WR_SEND_WITH_IMM:
2384                                 next->ex.imm_data =
2385                                         (__be32 __force) user_wr->ex.imm_data;
2386                                 break;
2387                         case IB_WR_SEND_WITH_INV:
2388                                 next->ex.invalidate_rkey =
2389                                         user_wr->ex.invalidate_rkey;
2390                                 break;
2391                         case IB_WR_ATOMIC_CMP_AND_SWP:
2392                         case IB_WR_ATOMIC_FETCH_AND_ADD:
2393                                 next->wr.atomic.remote_addr =
2394                                         user_wr->wr.atomic.remote_addr;
2395                                 next->wr.atomic.compare_add =
2396                                         user_wr->wr.atomic.compare_add;
2397                                 next->wr.atomic.swap = user_wr->wr.atomic.swap;
2398                                 next->wr.atomic.rkey = user_wr->wr.atomic.rkey;
2399                                 break;
2400                         default:
2401                                 break;
2402                         }
2403                 }
2404
2405                 if (next->num_sge) {
2406                         next->sg_list = (void *) next +
2407                                 ALIGN(sizeof *next, sizeof (struct ib_sge));
2408                         if (copy_from_user(next->sg_list,
2409                                            buf + sizeof cmd +
2410                                            cmd.wr_count * cmd.wqe_size +
2411                                            sg_ind * sizeof (struct ib_sge),
2412                                            next->num_sge * sizeof (struct ib_sge))) {
2413                                 ret = -EFAULT;
2414                                 goto out_put;
2415                         }
2416                         sg_ind += next->num_sge;
2417                 } else
2418                         next->sg_list = NULL;
2419         }
2420
2421         resp.bad_wr = 0;
2422         ret = qp->device->post_send(qp->real_qp, wr, &bad_wr);
2423         if (ret)
2424                 for (next = wr; next; next = next->next) {
2425                         ++resp.bad_wr;
2426                         if (next == bad_wr)
2427                                 break;
2428                 }
2429
2430         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2431                          &resp, sizeof resp))
2432                 ret = -EFAULT;
2433
2434 out_put:
2435         put_qp_read(qp);
2436
2437         while (wr) {
2438                 if (is_ud && wr->wr.ud.ah)
2439                         put_ah_read(wr->wr.ud.ah);
2440                 next = wr->next;
2441                 kfree(wr);
2442                 wr = next;
2443         }
2444
2445 out:
2446         kfree(user_wr);
2447
2448         return ret ? ret : in_len;
2449 }
2450
2451 static struct ib_recv_wr *ib_uverbs_unmarshall_recv(const char __user *buf,
2452                                                     int in_len,
2453                                                     u32 wr_count,
2454                                                     u32 sge_count,
2455                                                     u32 wqe_size)
2456 {
2457         struct ib_uverbs_recv_wr *user_wr;
2458         struct ib_recv_wr        *wr = NULL, *last, *next;
2459         int                       sg_ind;
2460         int                       i;
2461         int                       ret;
2462
2463         if (in_len < wqe_size * wr_count +
2464             sge_count * sizeof (struct ib_uverbs_sge))
2465                 return ERR_PTR(-EINVAL);
2466
2467         if (wqe_size < sizeof (struct ib_uverbs_recv_wr))
2468                 return ERR_PTR(-EINVAL);
2469
2470         user_wr = kmalloc(wqe_size, GFP_KERNEL);
2471         if (!user_wr)
2472                 return ERR_PTR(-ENOMEM);
2473
2474         sg_ind = 0;
2475         last = NULL;
2476         for (i = 0; i < wr_count; ++i) {
2477                 if (copy_from_user(user_wr, buf + i * wqe_size,
2478                                    wqe_size)) {
2479                         ret = -EFAULT;
2480                         goto err;
2481                 }
2482
2483                 if (user_wr->num_sge + sg_ind > sge_count) {
2484                         ret = -EINVAL;
2485                         goto err;
2486                 }
2487
2488                 next = kmalloc(ALIGN(sizeof *next, sizeof (struct ib_sge)) +
2489                                user_wr->num_sge * sizeof (struct ib_sge),
2490                                GFP_KERNEL);
2491                 if (!next) {
2492                         ret = -ENOMEM;
2493                         goto err;
2494                 }
2495
2496                 if (!last)
2497                         wr = next;
2498                 else
2499                         last->next = next;
2500                 last = next;
2501
2502                 next->next       = NULL;
2503                 next->wr_id      = user_wr->wr_id;
2504                 next->num_sge    = user_wr->num_sge;
2505
2506                 if (next->num_sge) {
2507                         next->sg_list = (void *) next +
2508                                 ALIGN(sizeof *next, sizeof (struct ib_sge));
2509                         if (copy_from_user(next->sg_list,
2510                                            buf + wr_count * wqe_size +
2511                                            sg_ind * sizeof (struct ib_sge),
2512                                            next->num_sge * sizeof (struct ib_sge))) {
2513                                 ret = -EFAULT;
2514                                 goto err;
2515                         }
2516                         sg_ind += next->num_sge;
2517                 } else
2518                         next->sg_list = NULL;
2519         }
2520
2521         kfree(user_wr);
2522         return wr;
2523
2524 err:
2525         kfree(user_wr);
2526
2527         while (wr) {
2528                 next = wr->next;
2529                 kfree(wr);
2530                 wr = next;
2531         }
2532
2533         return ERR_PTR(ret);
2534 }
2535
2536 ssize_t ib_uverbs_post_recv(struct ib_uverbs_file *file,
2537                             const char __user *buf, int in_len,
2538                             int out_len)
2539 {
2540         struct ib_uverbs_post_recv      cmd;
2541         struct ib_uverbs_post_recv_resp resp;
2542         struct ib_recv_wr              *wr, *next, *bad_wr;
2543         struct ib_qp                   *qp;
2544         ssize_t                         ret = -EINVAL;
2545
2546         if (copy_from_user(&cmd, buf, sizeof cmd))
2547                 return -EFAULT;
2548
2549         wr = ib_uverbs_unmarshall_recv(buf + sizeof cmd,
2550                                        in_len - sizeof cmd, cmd.wr_count,
2551                                        cmd.sge_count, cmd.wqe_size);
2552         if (IS_ERR(wr))
2553                 return PTR_ERR(wr);
2554
2555         qp = idr_read_qp(cmd.qp_handle, file->ucontext);
2556         if (!qp)
2557                 goto out;
2558
2559         resp.bad_wr = 0;
2560         ret = qp->device->post_recv(qp->real_qp, wr, &bad_wr);
2561
2562         put_qp_read(qp);
2563
2564         if (ret)
2565                 for (next = wr; next; next = next->next) {
2566                         ++resp.bad_wr;
2567                         if (next == bad_wr)
2568                                 break;
2569                 }
2570
2571         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2572                          &resp, sizeof resp))
2573                 ret = -EFAULT;
2574
2575 out:
2576         while (wr) {
2577                 next = wr->next;
2578                 kfree(wr);
2579                 wr = next;
2580         }
2581
2582         return ret ? ret : in_len;
2583 }
2584
2585 ssize_t ib_uverbs_post_srq_recv(struct ib_uverbs_file *file,
2586                                 const char __user *buf, int in_len,
2587                                 int out_len)
2588 {
2589         struct ib_uverbs_post_srq_recv      cmd;
2590         struct ib_uverbs_post_srq_recv_resp resp;
2591         struct ib_recv_wr                  *wr, *next, *bad_wr;
2592         struct ib_srq                      *srq;
2593         ssize_t                             ret = -EINVAL;
2594
2595         if (copy_from_user(&cmd, buf, sizeof cmd))
2596                 return -EFAULT;
2597
2598         wr = ib_uverbs_unmarshall_recv(buf + sizeof cmd,
2599                                        in_len - sizeof cmd, cmd.wr_count,
2600                                        cmd.sge_count, cmd.wqe_size);
2601         if (IS_ERR(wr))
2602                 return PTR_ERR(wr);
2603
2604         srq = idr_read_srq(cmd.srq_handle, file->ucontext);
2605         if (!srq)
2606                 goto out;
2607
2608         resp.bad_wr = 0;
2609         ret = srq->device->post_srq_recv(srq, wr, &bad_wr);
2610
2611         put_srq_read(srq);
2612
2613         if (ret)
2614                 for (next = wr; next; next = next->next) {
2615                         ++resp.bad_wr;
2616                         if (next == bad_wr)
2617                                 break;
2618                 }
2619
2620         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2621                          &resp, sizeof resp))
2622                 ret = -EFAULT;
2623
2624 out:
2625         while (wr) {
2626                 next = wr->next;
2627                 kfree(wr);
2628                 wr = next;
2629         }
2630
2631         return ret ? ret : in_len;
2632 }
2633
2634 ssize_t ib_uverbs_create_ah(struct ib_uverbs_file *file,
2635                             const char __user *buf, int in_len,
2636                             int out_len)
2637 {
2638         struct ib_uverbs_create_ah       cmd;
2639         struct ib_uverbs_create_ah_resp  resp;
2640         struct ib_uobject               *uobj;
2641         struct ib_pd                    *pd;
2642         struct ib_ah                    *ah;
2643         struct ib_ah_attr               attr;
2644         int ret;
2645
2646         if (out_len < sizeof resp)
2647                 return -ENOSPC;
2648
2649         if (copy_from_user(&cmd, buf, sizeof cmd))
2650                 return -EFAULT;
2651
2652         uobj = kmalloc(sizeof *uobj, GFP_KERNEL);
2653         if (!uobj)
2654                 return -ENOMEM;
2655
2656         init_uobj(uobj, cmd.user_handle, file->ucontext, &ah_lock_class);
2657         down_write(&uobj->mutex);
2658
2659         pd = idr_read_pd(cmd.pd_handle, file->ucontext);
2660         if (!pd) {
2661                 ret = -EINVAL;
2662                 goto err;
2663         }
2664
2665         attr.dlid              = cmd.attr.dlid;
2666         attr.sl                = cmd.attr.sl;
2667         attr.src_path_bits     = cmd.attr.src_path_bits;
2668         attr.static_rate       = cmd.attr.static_rate;
2669         attr.ah_flags          = cmd.attr.is_global ? IB_AH_GRH : 0;
2670         attr.port_num          = cmd.attr.port_num;
2671         attr.grh.flow_label    = cmd.attr.grh.flow_label;
2672         attr.grh.sgid_index    = cmd.attr.grh.sgid_index;
2673         attr.grh.hop_limit     = cmd.attr.grh.hop_limit;
2674         attr.grh.traffic_class = cmd.attr.grh.traffic_class;
2675         attr.vlan_id           = 0;
2676         memset(&attr.dmac, 0, sizeof(attr.dmac));
2677         memcpy(attr.grh.dgid.raw, cmd.attr.grh.dgid, 16);
2678
2679         ah = ib_create_ah(pd, &attr);
2680         if (IS_ERR(ah)) {
2681                 ret = PTR_ERR(ah);
2682                 goto err_put;
2683         }
2684
2685         ah->uobject  = uobj;
2686         uobj->object = ah;
2687
2688         ret = idr_add_uobj(&ib_uverbs_ah_idr, uobj);
2689         if (ret)
2690                 goto err_destroy;
2691
2692         resp.ah_handle = uobj->id;
2693
2694         if (copy_to_user((void __user *) (unsigned long) cmd.response,
2695                          &resp, sizeof resp)) {
2696                 ret = -EFAULT;
2697                 goto err_copy;
2698         }
2699
2700         put_pd_read(pd);
2701
2702         mutex_lock(&file->mutex);
2703         list_add_tail(&uobj->list, &file->ucontext->ah_list);
2704         mutex_unlock(&file->mutex);
2705
2706         uobj->live = 1;
2707
2708         up_write(&uobj->mutex);
2709
2710         return in_len;
2711
2712 err_copy:
2713         idr_remove_uobj(&ib_uverbs_ah_idr, uobj);
2714
2715 err_destroy:
2716         ib_destroy_ah(ah);
2717
2718 err_put:
2719         put_pd_read(pd);
2720
2721 err:
2722         put_uobj_write(uobj);
2723         return ret;
2724 }
2725
2726 ssize_t ib_uverbs_destroy_ah(struct ib_uverbs_file *file,
2727                              const char __user *buf, int in_len, int out_len)
2728 {
2729         struct ib_uverbs_destroy_ah cmd;
2730         struct ib_ah               *ah;
2731         struct ib_uobject          *uobj;
2732         int                         ret;
2733
2734         if (copy_from_user(&cmd, buf, sizeof cmd))
2735                 return -EFAULT;
2736
2737         uobj = idr_write_uobj(&ib_uverbs_ah_idr, cmd.ah_handle, file->ucontext);
2738         if (!uobj)
2739                 return -EINVAL;
2740         ah = uobj->object;
2741
2742         ret = ib_destroy_ah(ah);
2743         if (!ret)
2744                 uobj->live = 0;
2745
2746         put_uobj_write(uobj);
2747
2748         if (ret)
2749                 return ret;
2750
2751         idr_remove_uobj(&ib_uverbs_ah_idr, uobj);
2752
2753         mutex_lock(&file->mutex);
2754         list_del(&uobj->list);
2755         mutex_unlock(&file->mutex);
2756
2757         put_uobj(uobj);
2758
2759         return in_len;
2760 }
2761
2762 ssize_t ib_uverbs_attach_mcast(struct ib_uverbs_file *file,
2763                                const char __user *buf, int in_len,
2764                                int out_len)
2765 {
2766         struct ib_uverbs_attach_mcast cmd;
2767         struct ib_qp                 *qp;
2768         struct ib_uqp_object         *obj;
2769         struct ib_uverbs_mcast_entry *mcast;
2770         int                           ret;
2771
2772         if (copy_from_user(&cmd, buf, sizeof cmd))
2773                 return -EFAULT;
2774
2775         qp = idr_write_qp(cmd.qp_handle, file->ucontext);
2776         if (!qp)
2777                 return -EINVAL;
2778
2779         obj = container_of(qp->uobject, struct ib_uqp_object, uevent.uobject);
2780
2781         list_for_each_entry(mcast, &obj->mcast_list, list)
2782                 if (cmd.mlid == mcast->lid &&
2783                     !memcmp(cmd.gid, mcast->gid.raw, sizeof mcast->gid.raw)) {
2784                         ret = 0;
2785                         goto out_put;
2786                 }
2787
2788         mcast = kmalloc(sizeof *mcast, GFP_KERNEL);
2789         if (!mcast) {
2790                 ret = -ENOMEM;
2791                 goto out_put;
2792         }
2793
2794         mcast->lid = cmd.mlid;
2795         memcpy(mcast->gid.raw, cmd.gid, sizeof mcast->gid.raw);
2796
2797         ret = ib_attach_mcast(qp, &mcast->gid, cmd.mlid);
2798         if (!ret)
2799                 list_add_tail(&mcast->list, &obj->mcast_list);
2800         else
2801                 kfree(mcast);
2802
2803 out_put:
2804         put_qp_write(qp);
2805
2806         return ret ? ret : in_len;
2807 }
2808
2809 ssize_t ib_uverbs_detach_mcast(struct ib_uverbs_file *file,
2810                                const char __user *buf, int in_len,
2811                                int out_len)
2812 {
2813         struct ib_uverbs_detach_mcast cmd;
2814         struct ib_uqp_object         *obj;
2815         struct ib_qp                 *qp;
2816         struct ib_uverbs_mcast_entry *mcast;
2817         int                           ret = -EINVAL;
2818
2819         if (copy_from_user(&cmd, buf, sizeof cmd))
2820                 return -EFAULT;
2821
2822         qp = idr_write_qp(cmd.qp_handle, file->ucontext);
2823         if (!qp)
2824                 return -EINVAL;
2825
2826         ret = ib_detach_mcast(qp, (union ib_gid *) cmd.gid, cmd.mlid);
2827         if (ret)
2828                 goto out_put;
2829
2830         obj = container_of(qp->uobject, struct ib_uqp_object, uevent.uobject);
2831
2832         list_for_each_entry(mcast, &obj->mcast_list, list)
2833                 if (cmd.mlid == mcast->lid &&
2834                     !memcmp(cmd.gid, mcast->gid.raw, sizeof mcast->gid.raw)) {
2835                         list_del(&mcast->list);
2836                         kfree(mcast);
2837                         break;
2838                 }
2839
2840 out_put:
2841         put_qp_write(qp);
2842
2843         return ret ? ret : in_len;
2844 }
2845
2846 static int kern_spec_to_ib_spec(struct ib_uverbs_flow_spec *kern_spec,
2847                                 union ib_flow_spec *ib_spec)
2848 {
2849         if (kern_spec->reserved)
2850                 return -EINVAL;
2851
2852         ib_spec->type = kern_spec->type;
2853
2854         switch (ib_spec->type) {
2855         case IB_FLOW_SPEC_ETH:
2856                 ib_spec->eth.size = sizeof(struct ib_flow_spec_eth);
2857                 if (ib_spec->eth.size != kern_spec->eth.size)
2858                         return -EINVAL;
2859                 memcpy(&ib_spec->eth.val, &kern_spec->eth.val,
2860                        sizeof(struct ib_flow_eth_filter));
2861                 memcpy(&ib_spec->eth.mask, &kern_spec->eth.mask,
2862                        sizeof(struct ib_flow_eth_filter));
2863                 break;
2864         case IB_FLOW_SPEC_IPV4:
2865                 ib_spec->ipv4.size = sizeof(struct ib_flow_spec_ipv4);
2866                 if (ib_spec->ipv4.size != kern_spec->ipv4.size)
2867                         return -EINVAL;
2868                 memcpy(&ib_spec->ipv4.val, &kern_spec->ipv4.val,
2869                        sizeof(struct ib_flow_ipv4_filter));
2870                 memcpy(&ib_spec->ipv4.mask, &kern_spec->ipv4.mask,
2871                        sizeof(struct ib_flow_ipv4_filter));
2872                 break;
2873         case IB_FLOW_SPEC_TCP:
2874         case IB_FLOW_SPEC_UDP:
2875                 ib_spec->tcp_udp.size = sizeof(struct ib_flow_spec_tcp_udp);
2876                 if (ib_spec->tcp_udp.size != kern_spec->tcp_udp.size)
2877                         return -EINVAL;
2878                 memcpy(&ib_spec->tcp_udp.val, &kern_spec->tcp_udp.val,
2879                        sizeof(struct ib_flow_tcp_udp_filter));
2880                 memcpy(&ib_spec->tcp_udp.mask, &kern_spec->tcp_udp.mask,
2881                        sizeof(struct ib_flow_tcp_udp_filter));
2882                 break;
2883         default:
2884                 return -EINVAL;
2885         }
2886         return 0;
2887 }
2888
2889 int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file,
2890                              struct ib_udata *ucore,
2891                              struct ib_udata *uhw)
2892 {
2893         struct ib_uverbs_create_flow      cmd;
2894         struct ib_uverbs_create_flow_resp resp;
2895         struct ib_uobject                 *uobj;
2896         struct ib_flow                    *flow_id;
2897         struct ib_uverbs_flow_attr        *kern_flow_attr;
2898         struct ib_flow_attr               *flow_attr;
2899         struct ib_qp                      *qp;
2900         int err = 0;
2901         void *kern_spec;
2902         void *ib_spec;
2903         int i;
2904
2905         if (ucore->inlen < sizeof(cmd))
2906                 return -EINVAL;
2907
2908         if (ucore->outlen < sizeof(resp))
2909                 return -ENOSPC;
2910
2911         err = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
2912         if (err)
2913                 return err;
2914
2915         ucore->inbuf += sizeof(cmd);
2916         ucore->inlen -= sizeof(cmd);
2917
2918         if (cmd.comp_mask)
2919                 return -EINVAL;
2920
2921         if ((cmd.flow_attr.type == IB_FLOW_ATTR_SNIFFER &&
2922              !capable(CAP_NET_ADMIN)) || !capable(CAP_NET_RAW))
2923                 return -EPERM;
2924
2925         if (cmd.flow_attr.num_of_specs > IB_FLOW_SPEC_SUPPORT_LAYERS)
2926                 return -EINVAL;
2927
2928         if (cmd.flow_attr.size > ucore->inlen ||
2929             cmd.flow_attr.size >
2930             (cmd.flow_attr.num_of_specs * sizeof(struct ib_uverbs_flow_spec)))
2931                 return -EINVAL;
2932
2933         if (cmd.flow_attr.reserved[0] ||
2934             cmd.flow_attr.reserved[1])
2935                 return -EINVAL;
2936
2937         if (cmd.flow_attr.num_of_specs) {
2938                 kern_flow_attr = kmalloc(sizeof(*kern_flow_attr) + cmd.flow_attr.size,
2939                                          GFP_KERNEL);
2940                 if (!kern_flow_attr)
2941                         return -ENOMEM;
2942
2943                 memcpy(kern_flow_attr, &cmd.flow_attr, sizeof(*kern_flow_attr));
2944                 err = ib_copy_from_udata(kern_flow_attr + 1, ucore,
2945                                          cmd.flow_attr.size);
2946                 if (err)
2947                         goto err_free_attr;
2948         } else {
2949                 kern_flow_attr = &cmd.flow_attr;
2950         }
2951
2952         uobj = kmalloc(sizeof(*uobj), GFP_KERNEL);
2953         if (!uobj) {
2954                 err = -ENOMEM;
2955                 goto err_free_attr;
2956         }
2957         init_uobj(uobj, 0, file->ucontext, &rule_lock_class);
2958         down_write(&uobj->mutex);
2959
2960         qp = idr_read_qp(cmd.qp_handle, file->ucontext);
2961         if (!qp) {
2962                 err = -EINVAL;
2963                 goto err_uobj;
2964         }
2965
2966         flow_attr = kmalloc(sizeof(*flow_attr) + cmd.flow_attr.size, GFP_KERNEL);
2967         if (!flow_attr) {
2968                 err = -ENOMEM;
2969                 goto err_put;
2970         }
2971
2972         flow_attr->type = kern_flow_attr->type;
2973         flow_attr->priority = kern_flow_attr->priority;
2974         flow_attr->num_of_specs = kern_flow_attr->num_of_specs;
2975         flow_attr->port = kern_flow_attr->port;
2976         flow_attr->flags = kern_flow_attr->flags;
2977         flow_attr->size = sizeof(*flow_attr);
2978
2979         kern_spec = kern_flow_attr + 1;
2980         ib_spec = flow_attr + 1;
2981         for (i = 0; i < flow_attr->num_of_specs &&
2982              cmd.flow_attr.size > offsetof(struct ib_uverbs_flow_spec, reserved) &&
2983              cmd.flow_attr.size >=
2984              ((struct ib_uverbs_flow_spec *)kern_spec)->size; i++) {
2985                 err = kern_spec_to_ib_spec(kern_spec, ib_spec);
2986                 if (err)
2987                         goto err_free;
2988                 flow_attr->size +=
2989                         ((union ib_flow_spec *) ib_spec)->size;
2990                 cmd.flow_attr.size -= ((struct ib_uverbs_flow_spec *)kern_spec)->size;
2991                 kern_spec += ((struct ib_uverbs_flow_spec *) kern_spec)->size;
2992                 ib_spec += ((union ib_flow_spec *) ib_spec)->size;
2993         }
2994         if (cmd.flow_attr.size || (i != flow_attr->num_of_specs)) {
2995                 pr_warn("create flow failed, flow %d: %d bytes left from uverb cmd\n",
2996                         i, cmd.flow_attr.size);
2997                 err = -EINVAL;
2998                 goto err_free;
2999         }
3000         flow_id = ib_create_flow(qp, flow_attr, IB_FLOW_DOMAIN_USER);
3001         if (IS_ERR(flow_id)) {
3002                 err = PTR_ERR(flow_id);
3003                 goto err_free;
3004         }
3005         flow_id->qp = qp;
3006         flow_id->uobject = uobj;
3007         uobj->object = flow_id;
3008
3009         err = idr_add_uobj(&ib_uverbs_rule_idr, uobj);
3010         if (err)
3011                 goto destroy_flow;
3012
3013         memset(&resp, 0, sizeof(resp));
3014         resp.flow_handle = uobj->id;
3015
3016         err = ib_copy_to_udata(ucore,
3017                                &resp, sizeof(resp));
3018         if (err)
3019                 goto err_copy;
3020
3021         put_qp_read(qp);
3022         mutex_lock(&file->mutex);
3023         list_add_tail(&uobj->list, &file->ucontext->rule_list);
3024         mutex_unlock(&file->mutex);
3025
3026         uobj->live = 1;
3027
3028         up_write(&uobj->mutex);
3029         kfree(flow_attr);
3030         if (cmd.flow_attr.num_of_specs)
3031                 kfree(kern_flow_attr);
3032         return 0;
3033 err_copy:
3034         idr_remove_uobj(&ib_uverbs_rule_idr, uobj);
3035 destroy_flow:
3036         ib_destroy_flow(flow_id);
3037 err_free:
3038         kfree(flow_attr);
3039 err_put:
3040         put_qp_read(qp);
3041 err_uobj:
3042         put_uobj_write(uobj);
3043 err_free_attr:
3044         if (cmd.flow_attr.num_of_specs)
3045                 kfree(kern_flow_attr);
3046         return err;
3047 }
3048
3049 int ib_uverbs_ex_destroy_flow(struct ib_uverbs_file *file,
3050                               struct ib_udata *ucore,
3051                               struct ib_udata *uhw)
3052 {
3053         struct ib_uverbs_destroy_flow   cmd;
3054         struct ib_flow                  *flow_id;
3055         struct ib_uobject               *uobj;
3056         int                             ret;
3057
3058         if (ucore->inlen < sizeof(cmd))
3059                 return -EINVAL;
3060
3061         ret = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
3062         if (ret)
3063                 return ret;
3064
3065         if (cmd.comp_mask)
3066                 return -EINVAL;
3067
3068         uobj = idr_write_uobj(&ib_uverbs_rule_idr, cmd.flow_handle,
3069                               file->ucontext);
3070         if (!uobj)
3071                 return -EINVAL;
3072         flow_id = uobj->object;
3073
3074         ret = ib_destroy_flow(flow_id);
3075         if (!ret)
3076                 uobj->live = 0;
3077
3078         put_uobj_write(uobj);
3079
3080         idr_remove_uobj(&ib_uverbs_rule_idr, uobj);
3081
3082         mutex_lock(&file->mutex);
3083         list_del(&uobj->list);
3084         mutex_unlock(&file->mutex);
3085
3086         put_uobj(uobj);
3087
3088         return ret;
3089 }
3090
3091 static int __uverbs_create_xsrq(struct ib_uverbs_file *file,
3092                                 struct ib_uverbs_create_xsrq *cmd,
3093                                 struct ib_udata *udata)
3094 {
3095         struct ib_uverbs_create_srq_resp resp;
3096         struct ib_usrq_object           *obj;
3097         struct ib_pd                    *pd;
3098         struct ib_srq                   *srq;
3099         struct ib_uobject               *uninitialized_var(xrcd_uobj);
3100         struct ib_srq_init_attr          attr;
3101         int ret;
3102
3103         obj = kmalloc(sizeof *obj, GFP_KERNEL);
3104         if (!obj)
3105                 return -ENOMEM;
3106
3107         init_uobj(&obj->uevent.uobject, cmd->user_handle, file->ucontext, &srq_lock_class);
3108         down_write(&obj->uevent.uobject.mutex);
3109
3110         if (cmd->srq_type == IB_SRQT_XRC) {
3111                 attr.ext.xrc.xrcd  = idr_read_xrcd(cmd->xrcd_handle, file->ucontext, &xrcd_uobj);
3112                 if (!attr.ext.xrc.xrcd) {
3113                         ret = -EINVAL;
3114                         goto err;
3115                 }
3116
3117                 obj->uxrcd = container_of(xrcd_uobj, struct ib_uxrcd_object, uobject);
3118                 atomic_inc(&obj->uxrcd->refcnt);
3119
3120                 attr.ext.xrc.cq  = idr_read_cq(cmd->cq_handle, file->ucontext, 0);
3121                 if (!attr.ext.xrc.cq) {
3122                         ret = -EINVAL;
3123                         goto err_put_xrcd;
3124                 }
3125         }
3126
3127         pd  = idr_read_pd(cmd->pd_handle, file->ucontext);
3128         if (!pd) {
3129                 ret = -EINVAL;
3130                 goto err_put_cq;
3131         }
3132
3133         attr.event_handler  = ib_uverbs_srq_event_handler;
3134         attr.srq_context    = file;
3135         attr.srq_type       = cmd->srq_type;
3136         attr.attr.max_wr    = cmd->max_wr;
3137         attr.attr.max_sge   = cmd->max_sge;
3138         attr.attr.srq_limit = cmd->srq_limit;
3139
3140         obj->uevent.events_reported = 0;
3141         INIT_LIST_HEAD(&obj->uevent.event_list);
3142
3143         srq = pd->device->create_srq(pd, &attr, udata);
3144         if (IS_ERR(srq)) {
3145                 ret = PTR_ERR(srq);
3146                 goto err_put;
3147         }
3148
3149         srq->device        = pd->device;
3150         srq->pd            = pd;
3151         srq->srq_type      = cmd->srq_type;
3152         srq->uobject       = &obj->uevent.uobject;
3153         srq->event_handler = attr.event_handler;
3154         srq->srq_context   = attr.srq_context;
3155
3156         if (cmd->srq_type == IB_SRQT_XRC) {
3157                 srq->ext.xrc.cq   = attr.ext.xrc.cq;
3158                 srq->ext.xrc.xrcd = attr.ext.xrc.xrcd;
3159                 atomic_inc(&attr.ext.xrc.cq->usecnt);
3160                 atomic_inc(&attr.ext.xrc.xrcd->usecnt);
3161         }
3162
3163         atomic_inc(&pd->usecnt);
3164         atomic_set(&srq->usecnt, 0);
3165
3166         obj->uevent.uobject.object = srq;
3167         ret = idr_add_uobj(&ib_uverbs_srq_idr, &obj->uevent.uobject);
3168         if (ret)
3169                 goto err_destroy;
3170
3171         memset(&resp, 0, sizeof resp);
3172         resp.srq_handle = obj->uevent.uobject.id;
3173         resp.max_wr     = attr.attr.max_wr;
3174         resp.max_sge    = attr.attr.max_sge;
3175         if (cmd->srq_type == IB_SRQT_XRC)
3176                 resp.srqn = srq->ext.xrc.srq_num;
3177
3178         if (copy_to_user((void __user *) (unsigned long) cmd->response,
3179                          &resp, sizeof resp)) {
3180                 ret = -EFAULT;
3181                 goto err_copy;
3182         }
3183
3184         if (cmd->srq_type == IB_SRQT_XRC) {
3185                 put_uobj_read(xrcd_uobj);
3186                 put_cq_read(attr.ext.xrc.cq);
3187         }
3188         put_pd_read(pd);
3189
3190         mutex_lock(&file->mutex);
3191         list_add_tail(&obj->uevent.uobject.list, &file->ucontext->srq_list);
3192         mutex_unlock(&file->mutex);
3193
3194         obj->uevent.uobject.live = 1;
3195
3196         up_write(&obj->uevent.uobject.mutex);
3197
3198         return 0;
3199
3200 err_copy:
3201         idr_remove_uobj(&ib_uverbs_srq_idr, &obj->uevent.uobject);
3202
3203 err_destroy:
3204         ib_destroy_srq(srq);
3205
3206 err_put:
3207         put_pd_read(pd);
3208
3209 err_put_cq:
3210         if (cmd->srq_type == IB_SRQT_XRC)
3211                 put_cq_read(attr.ext.xrc.cq);
3212
3213 err_put_xrcd:
3214         if (cmd->srq_type == IB_SRQT_XRC) {
3215                 atomic_dec(&obj->uxrcd->refcnt);
3216                 put_uobj_read(xrcd_uobj);
3217         }
3218
3219 err:
3220         put_uobj_write(&obj->uevent.uobject);
3221         return ret;
3222 }
3223
3224 ssize_t ib_uverbs_create_srq(struct ib_uverbs_file *file,
3225                              const char __user *buf, int in_len,
3226                              int out_len)
3227 {
3228         struct ib_uverbs_create_srq      cmd;
3229         struct ib_uverbs_create_xsrq     xcmd;
3230         struct ib_uverbs_create_srq_resp resp;
3231         struct ib_udata                  udata;
3232         int ret;
3233
3234         if (out_len < sizeof resp)
3235                 return -ENOSPC;
3236
3237         if (copy_from_user(&cmd, buf, sizeof cmd))
3238                 return -EFAULT;
3239
3240         xcmd.response    = cmd.response;
3241         xcmd.user_handle = cmd.user_handle;
3242         xcmd.srq_type    = IB_SRQT_BASIC;
3243         xcmd.pd_handle   = cmd.pd_handle;
3244         xcmd.max_wr      = cmd.max_wr;
3245         xcmd.max_sge     = cmd.max_sge;
3246         xcmd.srq_limit   = cmd.srq_limit;
3247
3248         INIT_UDATA(&udata, buf + sizeof cmd,
3249                    (unsigned long) cmd.response + sizeof resp,
3250                    in_len - sizeof cmd, out_len - sizeof resp);
3251
3252         ret = __uverbs_create_xsrq(file, &xcmd, &udata);
3253         if (ret)
3254                 return ret;
3255
3256         return in_len;
3257 }
3258
3259 ssize_t ib_uverbs_create_xsrq(struct ib_uverbs_file *file,
3260                               const char __user *buf, int in_len, int out_len)
3261 {
3262         struct ib_uverbs_create_xsrq     cmd;
3263         struct ib_uverbs_create_srq_resp resp;
3264         struct ib_udata                  udata;
3265         int ret;
3266
3267         if (out_len < sizeof resp)
3268                 return -ENOSPC;
3269
3270         if (copy_from_user(&cmd, buf, sizeof cmd))
3271                 return -EFAULT;
3272
3273         INIT_UDATA(&udata, buf + sizeof cmd,
3274                    (unsigned long) cmd.response + sizeof resp,
3275                    in_len - sizeof cmd, out_len - sizeof resp);
3276
3277         ret = __uverbs_create_xsrq(file, &cmd, &udata);
3278         if (ret)
3279                 return ret;
3280
3281         return in_len;
3282 }
3283
3284 ssize_t ib_uverbs_modify_srq(struct ib_uverbs_file *file,
3285                              const char __user *buf, int in_len,
3286                              int out_len)
3287 {
3288         struct ib_uverbs_modify_srq cmd;
3289         struct ib_udata             udata;
3290         struct ib_srq              *srq;
3291         struct ib_srq_attr          attr;
3292         int                         ret;
3293
3294         if (copy_from_user(&cmd, buf, sizeof cmd))
3295                 return -EFAULT;
3296
3297         INIT_UDATA(&udata, buf + sizeof cmd, NULL, in_len - sizeof cmd,
3298                    out_len);
3299
3300         srq = idr_read_srq(cmd.srq_handle, file->ucontext);
3301         if (!srq)
3302                 return -EINVAL;
3303
3304         attr.max_wr    = cmd.max_wr;
3305         attr.srq_limit = cmd.srq_limit;
3306
3307         ret = srq->device->modify_srq(srq, &attr, cmd.attr_mask, &udata);
3308
3309         put_srq_read(srq);
3310
3311         return ret ? ret : in_len;
3312 }
3313
3314 ssize_t ib_uverbs_query_srq(struct ib_uverbs_file *file,
3315                             const char __user *buf,
3316                             int in_len, int out_len)
3317 {
3318         struct ib_uverbs_query_srq      cmd;
3319         struct ib_uverbs_query_srq_resp resp;
3320         struct ib_srq_attr              attr;
3321         struct ib_srq                   *srq;
3322         int                             ret;
3323
3324         if (out_len < sizeof resp)
3325                 return -ENOSPC;
3326
3327         if (copy_from_user(&cmd, buf, sizeof cmd))
3328                 return -EFAULT;
3329
3330         srq = idr_read_srq(cmd.srq_handle, file->ucontext);
3331         if (!srq)
3332                 return -EINVAL;
3333
3334         ret = ib_query_srq(srq, &attr);
3335
3336         put_srq_read(srq);
3337
3338         if (ret)
3339                 return ret;
3340
3341         memset(&resp, 0, sizeof resp);
3342
3343         resp.max_wr    = attr.max_wr;
3344         resp.max_sge   = attr.max_sge;
3345         resp.srq_limit = attr.srq_limit;
3346
3347         if (copy_to_user((void __user *) (unsigned long) cmd.response,
3348                          &resp, sizeof resp))
3349                 return -EFAULT;
3350
3351         return in_len;
3352 }
3353
3354 ssize_t ib_uverbs_destroy_srq(struct ib_uverbs_file *file,
3355                               const char __user *buf, int in_len,
3356                               int out_len)
3357 {
3358         struct ib_uverbs_destroy_srq      cmd;
3359         struct ib_uverbs_destroy_srq_resp resp;
3360         struct ib_uobject                *uobj;
3361         struct ib_srq                    *srq;
3362         struct ib_uevent_object          *obj;
3363         int                               ret = -EINVAL;
3364         struct ib_usrq_object            *us;
3365         enum ib_srq_type                  srq_type;
3366
3367         if (copy_from_user(&cmd, buf, sizeof cmd))
3368                 return -EFAULT;
3369
3370         uobj = idr_write_uobj(&ib_uverbs_srq_idr, cmd.srq_handle, file->ucontext);
3371         if (!uobj)
3372                 return -EINVAL;
3373         srq = uobj->object;
3374         obj = container_of(uobj, struct ib_uevent_object, uobject);
3375         srq_type = srq->srq_type;
3376
3377         ret = ib_destroy_srq(srq);
3378         if (!ret)
3379                 uobj->live = 0;
3380
3381         put_uobj_write(uobj);
3382
3383         if (ret)
3384                 return ret;
3385
3386         if (srq_type == IB_SRQT_XRC) {
3387                 us = container_of(obj, struct ib_usrq_object, uevent);
3388                 atomic_dec(&us->uxrcd->refcnt);
3389         }
3390
3391         idr_remove_uobj(&ib_uverbs_srq_idr, uobj);
3392
3393         mutex_lock(&file->mutex);
3394         list_del(&uobj->list);
3395         mutex_unlock(&file->mutex);
3396
3397         ib_uverbs_release_uevent(file, obj);
3398
3399         memset(&resp, 0, sizeof resp);
3400         resp.events_reported = obj->events_reported;
3401
3402         put_uobj(uobj);
3403
3404         if (copy_to_user((void __user *) (unsigned long) cmd.response,
3405                          &resp, sizeof resp))
3406                 ret = -EFAULT;
3407
3408         return ret ? ret : in_len;
3409 }
3410
3411 int ib_uverbs_ex_query_device(struct ib_uverbs_file *file,
3412                               struct ib_udata *ucore,
3413                               struct ib_udata *uhw)
3414 {
3415         struct ib_uverbs_ex_query_device_resp resp;
3416         struct ib_uverbs_ex_query_device  cmd;
3417         struct ib_device_attr attr;
3418         struct ib_device *device;
3419         int err;
3420
3421         device = file->device->ib_dev;
3422         if (ucore->inlen < sizeof(cmd))
3423                 return -EINVAL;
3424
3425         err = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
3426         if (err)
3427                 return err;
3428
3429         if (cmd.comp_mask)
3430                 return -EINVAL;
3431
3432         if (cmd.reserved)
3433                 return -EINVAL;
3434
3435         resp.response_length = offsetof(typeof(resp), odp_caps);
3436
3437         if (ucore->outlen < resp.response_length)
3438                 return -ENOSPC;
3439
3440         memset(&attr, 0, sizeof(attr));
3441
3442         err = device->query_device(device, &attr, uhw);
3443         if (err)
3444                 return err;
3445
3446         copy_query_dev_fields(file, &resp.base, &attr);
3447         resp.comp_mask = 0;
3448
3449         if (ucore->outlen < resp.response_length + sizeof(resp.odp_caps))
3450                 goto end;
3451
3452 #ifdef CONFIG_INFINIBAND_ON_DEMAND_PAGING
3453         resp.odp_caps.general_caps = attr.odp_caps.general_caps;
3454         resp.odp_caps.per_transport_caps.rc_odp_caps =
3455                 attr.odp_caps.per_transport_caps.rc_odp_caps;
3456         resp.odp_caps.per_transport_caps.uc_odp_caps =
3457                 attr.odp_caps.per_transport_caps.uc_odp_caps;
3458         resp.odp_caps.per_transport_caps.ud_odp_caps =
3459                 attr.odp_caps.per_transport_caps.ud_odp_caps;
3460         resp.odp_caps.reserved = 0;
3461 #else
3462         memset(&resp.odp_caps, 0, sizeof(resp.odp_caps));
3463 #endif
3464         resp.response_length += sizeof(resp.odp_caps);
3465
3466         if (ucore->outlen < resp.response_length + sizeof(resp.timestamp_mask))
3467                 goto end;
3468
3469         resp.timestamp_mask = attr.timestamp_mask;
3470         resp.response_length += sizeof(resp.timestamp_mask);
3471
3472         if (ucore->outlen < resp.response_length + sizeof(resp.hca_core_clock))
3473                 goto end;
3474
3475         resp.hca_core_clock = attr.hca_core_clock;
3476         resp.response_length += sizeof(resp.hca_core_clock);
3477
3478 end:
3479         err = ib_copy_to_udata(ucore, &resp, resp.response_length);
3480         if (err)
3481                 return err;
3482
3483         return 0;
3484 }