1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2000 by Cisco Systems, Inc.  All rights reserved.
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  *
26  * iSCSI Pseudo HBA Driver
27  */
28 
29 #include <sys/socket.h>		/* networking stuff */
30 #include <sys/t_kuser.h>	/* networking stuff */
31 #include <sys/tihdr.h>		/* networking stuff */
32 #include <sys/strsubr.h>	/* networking stuff */
33 #include <netinet/tcp.h>	/* TCP_NODELAY */
34 #include <sys/socketvar.h>	/* _ALLOC_SLEEP */
35 #include <sys/strsun.h>		/* DB_TYPE() */
36 
37 #include "iscsi.h"		/* iscsi driver */
38 #include <sys/scsi/adapters/iscsi_protocol.h>	/* iscsi protocol */
39 
40 /* generic io helpers */
41 static uint32_t n2h24(uchar_t *ptr);
42 static int iscsi_sna_lt(uint32_t n1, uint32_t n2);
43 static void iscsi_update_flow_control(iscsi_sess_t *isp,
44     uint32_t max, uint32_t exp);
45 
46 /* receivers */
47 static iscsi_status_t iscsi_rx_process_hdr(iscsi_conn_t *icp,
48     iscsi_hdr_t *ihp, char *data, int data_size);
49 static iscsi_status_t iscsi_rx_process_nop(iscsi_conn_t *icp,
50     iscsi_hdr_t *ihp, char *data);
51 static iscsi_status_t iscsi_rx_process_data_rsp(iscsi_conn_t *icp,
52     iscsi_hdr_t *ihp);
53 static iscsi_status_t iscsi_rx_process_cmd_rsp(iscsi_conn_t *icp,
54     iscsi_hdr_t *ihp, char *data);
55 static iscsi_status_t iscsi_rx_process_rtt_rsp(iscsi_conn_t *icp,
56     iscsi_hdr_t *ihp, char *data);
57 static iscsi_status_t iscsi_rx_process_reject_rsp(iscsi_conn_t *icp,
58     iscsi_hdr_t *ihp, char *data);
59 static iscsi_status_t iscsi_rx_process_rejected_tsk_mgt(iscsi_conn_t *icp,
60     iscsi_hdr_t *old_ihp);
61 static iscsi_status_t iscsi_rx_process_itt_to_icmdp(iscsi_sess_t *isp,
62     iscsi_hdr_t *ihp, iscsi_cmd_t **icmdp);
63 static iscsi_status_t iscsi_rx_process_task_mgt_rsp(iscsi_conn_t *icp,
64     iscsi_hdr_t *ihp, void *data);
65 static iscsi_status_t iscsi_rx_process_logout_rsp(iscsi_conn_t *icp,
66     iscsi_hdr_t *ihp, char *data);
67 static iscsi_status_t iscsi_rx_process_async_rsp(iscsi_conn_t *icp,
68     iscsi_hdr_t *ihp, char *data);
69 static iscsi_status_t iscsi_rx_process_text_rsp(iscsi_conn_t *icp,
70     iscsi_hdr_t *ihp, char *data);
71 
72 
73 /* senders */
74 static iscsi_status_t iscsi_tx_scsi(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
75 static iscsi_status_t iscsi_tx_r2t(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
76 static iscsi_status_t iscsi_tx_data(iscsi_sess_t *isp, iscsi_conn_t *icp,
77     iscsi_cmd_t *icmdp, uint32_t ttt, size_t datalen, size_t offset);
78 static iscsi_status_t iscsi_tx_nop(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
79 static iscsi_status_t iscsi_tx_abort(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
80 static iscsi_status_t iscsi_tx_reset(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
81 static iscsi_status_t iscsi_tx_logout(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
82 static iscsi_status_t iscsi_tx_text(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
83 
84 
85 /* helpers */
86 static void iscsi_handle_r2t(iscsi_conn_t *icp, iscsi_cmd_t *icmdp,
87     uint32_t offset, uint32_t length, uint32_t ttt);
88 static void iscsi_handle_passthru_callback(struct scsi_pkt *pkt);
89 static void iscsi_handle_nop(iscsi_conn_t *icp, uint32_t itt, uint32_t ttt);
90 
91 static void iscsi_timeout_checks(iscsi_sess_t *isp);
92 static void iscsi_nop_checks(iscsi_sess_t *isp);
93 
94 
95 #define	ISCSI_CONN_TO_NET_DIGEST(icp)					    \
96 	((icp->conn_params.header_digest ? ISCSI_NET_HEADER_DIGEST : 0) |   \
97 	(icp->conn_params.data_digest ? ISCSI_NET_DATA_DIGEST : 0))
98 
99 /*
100  * This file contains the main guts of the iSCSI protocol layer.
101  * It's broken into 5 sections; Basic helper functions, RX IO path,
102  * TX IO path, Completion (IC) IO path, and watchdog (WD) routines.
103  *
104  * The IO flow model is similiar to the below diagram.  The
105  * iscsi session, connection and command state machines are used
106  * to drive IO through this flow diagram.  Reference those files
107  * to get a detailed description of their respective state models
108  * prior to their xxx_state_machine_function().
109  *
110  * tran_start() -> CMD_E1     TX_THREAD                   RX_THREAD
111  *                   |            T                           T
112  *                   V            T                           T
113  *                PENDING_Q  --CMD_E2--> ACTIVE_Q -      --CMD_E3--+
114  *                                T                \ C        T    |
115  *                                T                 \M        T    |
116  *                                                   D        T    |
117  *                                       WD_THREAD TT|TT      T    |
118  *                                                  /E        T    |
119  *                                                 / 6        T    |
120  *                                     ABORTING_Q<-      --CMD_E3--+
121  *                                                            T    |
122  *                                T                           T    |
123  *                                T                                |
124  *               callback()  <--CMD_E#-- COMPLETION_Q <------------+
125  *                                T
126  *                                T
127  *                            IC_THREAD
128  *
129  * External and internal command are ran thru this same state
130  * machine.  All commands enter the state machine by receiving an
131  * ISCSI_CMD_EVENT_E1.  This event places the command into the
132  * PENDING_Q.  Next when resources are available the TX_THREAD
133  * issues a E2 event on the command.  This sends the command
134  * to the TCP stack and places the command on the ACTIVE_Q.  While
135  * on the PENDIING_Q and ACTIVE_Q, the command is monitored via the
136  * WD_THREAD to ensure the pkt_time has not elapsed.  If elapsed the
137  * command is issued an E6(timeout) event which moves either (if pending)
138  * completed the command or (if active) moves the command to the
139  * aborting queue and issues a SCSI TASK MANAGEMENT ABORT command
140  * to cancel the IO request.  If the original command is completed
141  * or the TASK MANAGEMENT command completes the command is moved
142  * to the COMPLETION_Q via a E3 event.  The IC_THREAD then processes
143  * the COMPLETION_Q and issues the scsi_pkt callback.  This
144  * callback can not be processed directly from the RX_THREAD
145  * because the callback might call back into the iscsi driver
146  * causing a deadlock condition.
147  *
148  * For more details on the complete CMD state machine reference
149  * the state machine diagram in iscsi_cmd.c.  The connection state
150  * machine is driven via IO events in this file.  Then session
151  * events are driven by the connection events.  For complete
152  * details on these state machines reference iscsi_sess.c and
153  * iscsi_conn.c
154  */
155 
156 
157 /*
158  * +--------------------------------------------------------------------+
159  * | io helper routines							|
160  * +--------------------------------------------------------------------+
161  */
162 
163 /*
164  * n2h24 - native to host 24 bit integer translation.
165  */
166 static uint32_t
167 n2h24(uchar_t *ptr)
168 {
169 	uint32_t idx;
170 	bcopy(ptr, &idx, 3);
171 	return (ntohl(idx) >> 8);
172 }
173 
174 /*
175  * iscsi_sna_lt - Serial Number Arithmetic, 32 bits, less than, RFC1982
176  */
177 static int
178 iscsi_sna_lt(uint32_t n1, uint32_t n2)
179 {
180 	return ((n1 != n2) &&
181 	    (((n1 < n2) && ((n2 - n1) < ISCSI_SNA32_CHECK)) ||
182 	    ((n1 > n2) && ((n1 - n2) > ISCSI_SNA32_CHECK))));
183 }
184 
185 /*
186  * iscsi_sna_lte - Serial Number Arithmetic, 32 bits, less than or equal,
187  * RFC1982
188  */
189 int
190 iscsi_sna_lte(uint32_t n1, uint32_t n2)
191 {
192 	return ((n1 == n2) ||
193 	    (((n1 < n2) && ((n2 - n1) < ISCSI_SNA32_CHECK)) ||
194 	    ((n1 > n2) && ((n1 - n2) > ISCSI_SNA32_CHECK))));
195 }
196 
197 /*
198  * iscsi_update_flow_control - Update expcmdsn and maxcmdsn iSCSI
199  * flow control information for a session
200  */
201 static void
202 iscsi_update_flow_control(iscsi_sess_t *isp, uint32_t max, uint32_t exp)
203 {
204 	ASSERT(isp != NULL);
205 	ASSERT(mutex_owned(&isp->sess_cmdsn_mutex));
206 
207 	if (!iscsi_sna_lt(max, (exp - 1))) {
208 
209 		if (!iscsi_sna_lte(exp, isp->sess_expcmdsn)) {
210 			isp->sess_expcmdsn = exp;
211 		}
212 
213 		if (!iscsi_sna_lte(max, isp->sess_maxcmdsn)) {
214 			isp->sess_maxcmdsn = max;
215 			if (iscsi_sna_lte(isp->sess_cmdsn,
216 			    isp->sess_maxcmdsn)) {
217 				/*
218 				 * the window is open again - schedule
219 				 * to send any held tasks soon
220 				 */
221 				iscsi_sess_redrive_io(isp);
222 			}
223 		}
224 	}
225 }
226 
227 
228 /*
229  * +--------------------------------------------------------------------+
230  * | io receive and processing routines					|
231  * +--------------------------------------------------------------------+
232  */
233 
234 /*
235  * iscsi_rx_thread - The connection creates a thread of this
236  * function during login.  After which point this thread is
237  * used to receive and process all iSCSI PDUs on this connection.
238  * The PDUs received on this connection are used to drive the
239  * commands through their state machine.  This thread will
240  * continue processing while the connection is on a LOGGED_IN
241  * or IN_LOGOUT state.  Once the connection moves out of this
242  * state the thread will die.
243  */
244 void
245 iscsi_rx_thread(iscsi_thread_t *thread, void *arg)
246 {
247 	iscsi_status_t		rval		= ISCSI_STATUS_SUCCESS;
248 	iscsi_conn_t		*icp		= (iscsi_conn_t *)arg;
249 	iscsi_sess_t		*isp		= NULL;
250 	char			*hdr		= NULL;
251 	int			hdr_size	= 0;
252 	char			*data		= NULL;
253 	int			data_size	= 0;
254 	iscsi_hdr_t		*ihp;
255 
256 	ASSERT(icp != NULL);
257 	isp = icp->conn_sess;
258 	ASSERT(isp != NULL);
259 
260 	/* pre-alloc recv header buffer for common actions */
261 	hdr_size = sizeof (iscsi_hdr_t) + 255; /* 255 = one byte hlength */
262 	hdr = (char *)kmem_zalloc(hdr_size, KM_SLEEP);
263 	ihp = (iscsi_hdr_t *)hdr;
264 	ASSERT(ihp != NULL);
265 
266 	/* pre-alloc max_recv_size buffer for common actions */
267 	data_size = icp->conn_params.max_recv_data_seg_len;
268 	data = (char *)kmem_zalloc(data_size, KM_SLEEP);
269 	ASSERT(data != NULL);
270 
271 	do {
272 		/* Wait for the next iSCSI header */
273 		rval = iscsi_net->recvhdr(icp->conn_socket,
274 		    ihp, hdr_size, 0, (icp->conn_params.header_digest ?
275 		    ISCSI_NET_HEADER_DIGEST : 0));
276 		if (ISCSI_SUCCESS(rval)) {
277 			isp->sess_rx_lbolt =
278 			    icp->conn_rx_lbolt =
279 			    ddi_get_lbolt();
280 
281 			/* Perform specific hdr handling */
282 			rval = iscsi_rx_process_hdr(icp, ihp,
283 			    data, data_size);
284 		}
285 
286 		/*
287 		 * handle failures
288 		 */
289 		switch (rval) {
290 		case ISCSI_STATUS_SUCCESS:
291 			/*
292 			 * If we successfully completed a receive
293 			 * and we are in an IN_FLUSH state then
294 			 * check the active queue count to see
295 			 * if its empty.  If its empty then force
296 			 * a disconnect event on the connection.
297 			 * This will move the session from IN_FLUSH
298 			 * to FLUSHED and complete the login
299 			 * parameter update.
300 			 */
301 			if ((isp->sess_state == ISCSI_SESS_STATE_IN_FLUSH) &&
302 			    (icp->conn_queue_active.count == 0)) {
303 				mutex_enter(&icp->conn_state_mutex);
304 				(void) iscsi_conn_state_machine(icp,
305 				    ISCSI_CONN_EVENT_T14);
306 				mutex_exit(&icp->conn_state_mutex);
307 			}
308 			break;
309 		case ISCSI_STATUS_TCP_RX_ERROR:
310 			/* connection had an error */
311 			mutex_enter(&icp->conn_state_mutex);
312 			(void) iscsi_conn_state_machine(icp,
313 			    ISCSI_CONN_EVENT_T15);
314 			mutex_exit(&icp->conn_state_mutex);
315 			break;
316 		case ISCSI_STATUS_HEADER_DIGEST_ERROR:
317 			/*
318 			 * If we encounter a digest error we have to restart
319 			 * all the connections on this session. per iSCSI
320 			 * Level 0 Recovery.
321 			 */
322 			KSTAT_INC_CONN_ERR_HEADER_DIGEST(icp);
323 			mutex_enter(&icp->conn_state_mutex);
324 			(void) iscsi_conn_state_machine(icp,
325 			    ISCSI_CONN_EVENT_T14);
326 			mutex_exit(&icp->conn_state_mutex);
327 			break;
328 		case ISCSI_STATUS_DATA_DIGEST_ERROR:
329 			/*
330 			 * We can continue with a data digest error.  The
331 			 * icmdp was flaged as having a crc problem.  It
332 			 * will be aborted when all data is received.  This
333 			 * saves us from restarting the session when we
334 			 * might be able to keep it going.  If the data
335 			 * digest issue was really bad we will hit a
336 			 * status protocol error on the next pdu, which
337 			 * will force a connection retstart.
338 			 */
339 			KSTAT_INC_CONN_ERR_DATA_DIGEST(icp);
340 			break;
341 		case ISCSI_STATUS_PROTOCOL_ERROR:
342 			/*
343 			 * A protocol problem was encountered.  Reset
344 			 * session to try and repair issue.
345 			 */
346 			KSTAT_INC_CONN_ERR_PROTOCOL(icp);
347 			mutex_enter(&icp->conn_state_mutex);
348 			(void) iscsi_conn_state_machine(icp,
349 			    ISCSI_CONN_EVENT_T14);
350 			mutex_exit(&icp->conn_state_mutex);
351 			break;
352 		case ISCSI_STATUS_INTERNAL_ERROR:
353 			/*
354 			 * These should have all been handled before now.
355 			 */
356 			break;
357 		default:
358 			cmn_err(CE_WARN, "iscsi connection(%u) encountered "
359 			    "unknown error(%d) on a receive", icp->conn_oid,
360 			    rval);
361 			ASSERT(B_FALSE);
362 		}
363 
364 	} while ((ISCSI_CONN_STATE_FULL_FEATURE(icp->conn_state)) &&
365 	    (iscsi_thread_wait(thread, 0) != 0));
366 
367 	kmem_free(hdr, hdr_size);
368 	kmem_free(data, data_size);
369 }
370 
371 
372 /*
373  * iscsi_rx_process_hdr - This function collects data for all PDUs
374  * that do not have data that will be mapped to a specific scsi_pkt.
375  * Then for each hdr type fan out the processing.
376  */
377 static iscsi_status_t
378 iscsi_rx_process_hdr(iscsi_conn_t *icp, iscsi_hdr_t *ihp,
379     char *data, int data_size)
380 {
381 	iscsi_status_t	rval	= ISCSI_STATUS_SUCCESS;
382 	iscsi_sess_t	*isp	= NULL;
383 
384 	ASSERT(icp != NULL);
385 	ASSERT(ihp != NULL);
386 	ASSERT(data != NULL);
387 	isp = icp->conn_sess;
388 	ASSERT(isp != NULL);
389 
390 	/* If this is not a SCSI_DATA_RSP we can go ahead and get the data */
391 	if ((ihp->opcode & ISCSI_OPCODE_MASK) != ISCSI_OP_SCSI_DATA_RSP) {
392 		rval = iscsi_net->recvdata(icp->conn_socket, ihp,
393 		    data, data_size, 0, (icp->conn_params.data_digest) ?
394 		    ISCSI_NET_DATA_DIGEST : 0);
395 		if (!ISCSI_SUCCESS(rval)) {
396 			return (rval);
397 		}
398 		isp->sess_rx_lbolt = icp->conn_rx_lbolt = ddi_get_lbolt();
399 	}
400 
401 	/* fan out the hdr processing */
402 	switch (ihp->opcode & ISCSI_OPCODE_MASK) {
403 	case ISCSI_OP_SCSI_DATA_RSP:
404 		rval = iscsi_rx_process_data_rsp(icp, ihp);
405 		break;
406 	case ISCSI_OP_SCSI_RSP:
407 		rval = iscsi_rx_process_cmd_rsp(icp, ihp, data);
408 		break;
409 	case ISCSI_OP_RTT_RSP:
410 		rval = iscsi_rx_process_rtt_rsp(icp, ihp, data);
411 		break;
412 	case ISCSI_OP_NOOP_IN:
413 		rval = iscsi_rx_process_nop(icp, ihp, data);
414 		break;
415 	case ISCSI_OP_REJECT_MSG:
416 		rval = iscsi_rx_process_reject_rsp(icp, ihp, data);
417 		break;
418 	case ISCSI_OP_SCSI_TASK_MGT_RSP:
419 		rval = iscsi_rx_process_task_mgt_rsp(icp, ihp, data);
420 		break;
421 	case ISCSI_OP_LOGOUT_RSP:
422 		rval = iscsi_rx_process_logout_rsp(icp, ihp, data);
423 		break;
424 	case ISCSI_OP_ASYNC_EVENT:
425 		rval = iscsi_rx_process_async_rsp(icp, ihp, data);
426 		break;
427 	case ISCSI_OP_TEXT_RSP:
428 		rval = iscsi_rx_process_text_rsp(icp, ihp, data);
429 		break;
430 	default:
431 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
432 		    "received an unsupported opcode 0x%02x",
433 		    icp->conn_oid, ihp->opcode);
434 		rval = ISCSI_STATUS_PROTOCOL_ERROR;
435 	}
436 
437 	return (rval);
438 }
439 
440 
441 /*
442  * iscsi_rx_process_data_rsp - Processed received data header.  Once
443  * header is processed we read data off the connection directly into
444  * the scsi_pkt to avoid duplicate bcopy of a large amount of data.
445  * If this is the final data sequence denoted by the data response
446  * PDU Status bit being set.  We will not receive the SCSI response.
447  * This bit denotes that the PDU is the successful completion of the
448  * command.  In this case complete the command.  If This bit isn't
449  * set we wait for more data or a scsi command response.
450  */
451 static iscsi_status_t
452 iscsi_rx_process_data_rsp(iscsi_conn_t *icp, iscsi_hdr_t *ihp)
453 {
454 	iscsi_status_t		rval		= ISCSI_STATUS_SUCCESS;
455 	iscsi_sess_t		*isp		= NULL;
456 	iscsi_data_rsp_hdr_t	*idrhp		= (iscsi_data_rsp_hdr_t *)ihp;
457 	iscsi_cmd_t		*icmdp		= NULL;
458 	struct scsi_pkt		*pkt		= NULL;
459 	struct buf		*bp		= NULL;
460 	uint32_t		offset		= 0;
461 	uint32_t		dlength		= 0;
462 	char			*bcp		= NULL;
463 
464 	ASSERT(icp != NULL);
465 	ASSERT(ihp != NULL);
466 	isp = icp->conn_sess;
467 	ASSERT(isp != NULL);
468 
469 	if (idrhp->flags & ISCSI_FLAG_DATA_STATUS) {
470 		/* make sure we got status in order */
471 		if (icp->conn_expstatsn == ntohl(idrhp->statsn)) {
472 			icp->conn_expstatsn++;
473 		} else {
474 			cmn_err(CE_WARN, "iscsi connection(%u) protocol error "
475 			    "- received status out of order itt:0x%x "
476 			    "statsn:0x%x expstatsn:0x%x", icp->conn_oid,
477 			    idrhp->itt, ntohl(idrhp->statsn),
478 			    icp->conn_expstatsn);
479 			return (ISCSI_STATUS_PROTOCOL_ERROR);
480 		}
481 	}
482 
483 	/* match itt in the session's command table */
484 	mutex_enter(&icp->conn_queue_active.mutex);
485 	mutex_enter(&isp->sess_cmdsn_mutex);
486 	if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(isp, ihp, &icmdp))) {
487 		mutex_exit(&isp->sess_cmdsn_mutex);
488 		mutex_exit(&icp->conn_queue_active.mutex);
489 		return (ISCSI_STATUS_PROTOCOL_ERROR);
490 	}
491 	/*
492 	 * Holding the pending/active queue locks across the
493 	 * iscsi_rx_data call later in this function may cause
494 	 * deadlock during fault injections.  Instead remove
495 	 * the cmd from the active queue and release the locks.
496 	 * Then before returning or completing the command
497 	 * return the cmd to the active queue and reacquire
498 	 * the locks.
499 	 */
500 	iscsi_dequeue_active_cmd(icp, icmdp);
501 
502 	/* update expcmdsn and maxcmdsn */
503 	iscsi_update_flow_control(isp, ntohl(idrhp->maxcmdsn),
504 	    ntohl(idrhp->expcmdsn));
505 	mutex_exit(&isp->sess_cmdsn_mutex);
506 	mutex_exit(&icp->conn_queue_active.mutex);
507 
508 	/* shorthand some values */
509 	pkt = icmdp->cmd_un.scsi.pkt;
510 	bp = icmdp->cmd_un.scsi.bp;
511 	offset = ntohl(idrhp->offset);
512 	dlength = n2h24(idrhp->dlength);
513 
514 	/*
515 	 * some poorly behaved targets have been observed
516 	 * sending data-in pdu's during a write operation
517 	 */
518 	if (bp != NULL) {
519 		if (!(bp->b_flags & B_READ)) {
520 			cmn_err(CE_WARN,
521 			    "iscsi connection(%u) protocol error - "
522 			    "received data response during write operation "
523 			    "itt:0x%x",
524 			    icp->conn_oid, idrhp->itt);
525 			mutex_enter(&icp->conn_queue_active.mutex);
526 			iscsi_enqueue_active_cmd(icp, icmdp);
527 			mutex_exit(&icp->conn_queue_active.mutex);
528 			return (ISCSI_STATUS_PROTOCOL_ERROR);
529 		}
530 
531 		/*
532 		 * We can't tolerate the target sending too much
533 		 * data for our buffer
534 		 */
535 		if ((dlength >
536 		    (bp->b_bcount - icmdp->cmd_un.scsi.data_transferred)) ||
537 		    (dlength > (bp->b_bcount - offset))) {
538 			cmn_err(CE_WARN,
539 			    "iscsi connection(%u) protocol error - "
540 			    "received too much data itt:0x%x",
541 			    icp->conn_oid, idrhp->itt);
542 			mutex_enter(&icp->conn_queue_active.mutex);
543 			iscsi_enqueue_active_cmd(icp, icmdp);
544 			mutex_exit(&icp->conn_queue_active.mutex);
545 			return (ISCSI_STATUS_PROTOCOL_ERROR);
546 		}
547 
548 		bcp = ((char *)bp->b_un.b_addr) + offset;
549 
550 		/*
551 		 * Get the rest of the data and copy it directly into
552 		 * the scsi_pkt.
553 		 */
554 		rval = iscsi_net->recvdata(icp->conn_socket, ihp,
555 		    bcp, dlength, 0, (icp->conn_params.data_digest ?
556 		    ISCSI_NET_DATA_DIGEST : 0));
557 		if (ISCSI_SUCCESS(rval)) {
558 			KSTAT_ADD_CONN_RX_BYTES(icp, dlength);
559 		} else {
560 			/* If digest error flag icmdp with a crc error */
561 			if (rval == ISCSI_STATUS_DATA_DIGEST_ERROR) {
562 				icmdp->cmd_crc_error_seen = B_TRUE;
563 			}
564 			mutex_enter(&icp->conn_queue_active.mutex);
565 			iscsi_enqueue_active_cmd(icp, icmdp);
566 			mutex_exit(&icp->conn_queue_active.mutex);
567 			return (rval);
568 		}
569 		isp->sess_rx_lbolt = icp->conn_rx_lbolt = ddi_get_lbolt();
570 
571 		/* update icmdp statistics */
572 		icmdp->cmd_un.scsi.data_transferred += dlength;
573 	}
574 
575 	/*
576 	 * We got status. This should only happen if we have
577 	 * received all the data with no errors.  The command
578 	 * must be completed now, since we won't get a command
579 	 * response PDU. The cmd_status and residual_count are
580 	 * not meaningful unless status_present is set.
581 	 */
582 	if (idrhp->flags & ISCSI_FLAG_DATA_STATUS) {
583 		pkt->pkt_resid = 0;
584 		/* Check the residual count */
585 		if (bp &&
586 		    (icmdp->cmd_un.scsi.data_transferred !=
587 		    bp->b_bcount)) {
588 			/*
589 			 * We didn't xfer the expected amount of data -
590 			 * the residual_count in the header is only valid
591 			 * if the underflow flag is set.
592 			 */
593 			if (idrhp->flags & ISCSI_FLAG_DATA_UNDERFLOW) {
594 				pkt->pkt_resid = ntohl(idrhp->residual_count);
595 			} else {
596 				if (bp->b_bcount >
597 				    icmdp->cmd_un.scsi.data_transferred) {
598 					/* Some data fell on the floor somehw */
599 					pkt->pkt_resid =
600 					    bp->b_bcount -
601 					    icmdp->cmd_un.scsi.data_transferred;
602 				}
603 			}
604 		}
605 
606 		pkt->pkt_reason = CMD_CMPLT;
607 		pkt->pkt_state |= (STATE_XFERRED_DATA | STATE_GOT_STATUS);
608 
609 		if (((idrhp->cmd_status & STATUS_MASK) != STATUS_GOOD) &&
610 		    (icmdp->cmd_un.scsi.statuslen >=
611 		    sizeof (struct scsi_arq_status)) && pkt->pkt_scbp) {
612 
613 			/*
614 			 * Not supposed to get exception status here!
615 			 * We have no request sense data so just do the
616 			 * best we can
617 			 */
618 			struct scsi_arq_status *arqstat =
619 			    (struct scsi_arq_status *)pkt->pkt_scbp;
620 
621 
622 			bzero(arqstat, sizeof (struct scsi_arq_status));
623 
624 			*((uchar_t *)&arqstat->sts_status) =
625 			    idrhp->cmd_status;
626 
627 			arqstat->sts_rqpkt_resid =
628 			    sizeof (struct scsi_extended_sense);
629 
630 		} else if (pkt->pkt_scbp) {
631 			/* just pass along the status we got */
632 			pkt->pkt_scbp[0] = idrhp->cmd_status;
633 		}
634 
635 		mutex_enter(&icp->conn_queue_active.mutex);
636 		iscsi_enqueue_active_cmd(icp, icmdp);
637 		iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E3, isp);
638 		mutex_exit(&icp->conn_queue_active.mutex);
639 	} else {
640 		mutex_enter(&icp->conn_queue_active.mutex);
641 		iscsi_enqueue_active_cmd(icp, icmdp);
642 		mutex_exit(&icp->conn_queue_active.mutex);
643 	}
644 
645 	return (ISCSI_STATUS_SUCCESS);
646 }
647 
648 
649 /*
650  * iscsi_rx_process_cmd_rsp - Process received scsi command response.  This
651  * will contain sense data if the command was not successful.  This data needs
652  * to be copied into the scsi_pkt.  Otherwise we just complete the IO.
653  */
654 static iscsi_status_t
655 iscsi_rx_process_cmd_rsp(iscsi_conn_t *icp, iscsi_hdr_t *ihp, char *data)
656 {
657 	iscsi_sess_t		*isp		= icp->conn_sess;
658 	iscsi_scsi_rsp_hdr_t	*issrhp		= (iscsi_scsi_rsp_hdr_t *)ihp;
659 	iscsi_cmd_t		*icmdp		= NULL;
660 	struct scsi_pkt		*pkt		= NULL;
661 	uint32_t		dlength		= 0;
662 	struct scsi_arq_status	*arqstat	= NULL;
663 	size_t			senselen	= 0;
664 	int			statuslen	= 0;
665 
666 	/* make sure we get status in order */
667 	if (icp->conn_expstatsn == ntohl(issrhp->statsn)) {
668 		icp->conn_expstatsn++;
669 	} else {
670 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
671 		    "received status out of order itt:0x%x statsn:0x%x "
672 		    "expstatsn:0x%x", icp->conn_oid, issrhp->itt,
673 		    ntohl(issrhp->statsn), icp->conn_expstatsn);
674 		return (ISCSI_STATUS_PROTOCOL_ERROR);
675 	}
676 
677 	mutex_enter(&icp->conn_queue_active.mutex);
678 	mutex_enter(&isp->sess_cmdsn_mutex);
679 	if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(isp, ihp, &icmdp))) {
680 		mutex_exit(&isp->sess_cmdsn_mutex);
681 		mutex_exit(&icp->conn_queue_active.mutex);
682 		return (ISCSI_STATUS_PROTOCOL_ERROR);
683 	}
684 
685 	/* update expcmdsn and maxcmdsn */
686 	iscsi_update_flow_control(isp, ntohl(issrhp->maxcmdsn),
687 	    ntohl(issrhp->expcmdsn));
688 	mutex_exit(&isp->sess_cmdsn_mutex);
689 
690 	pkt = icmdp->cmd_un.scsi.pkt;
691 
692 	if (issrhp->response) {
693 		/* The target failed the command. */
694 		pkt->pkt_reason = CMD_TRAN_ERR;
695 		if (icmdp->cmd_un.scsi.bp) {
696 			pkt->pkt_resid = icmdp->cmd_un.scsi.bp->b_bcount;
697 		} else {
698 			pkt->pkt_resid = 0;
699 		}
700 	} else {
701 		/* success */
702 		pkt->pkt_resid = 0;
703 		/* Check the residual count */
704 		if ((icmdp->cmd_un.scsi.bp) &&
705 		    (icmdp->cmd_un.scsi.data_transferred !=
706 		    icmdp->cmd_un.scsi.bp->b_bcount)) {
707 			/*
708 			 * We didn't xfer the expected amount of data -
709 			 * the residual_count in the header is only
710 			 * valid if the underflow flag is set.
711 			 */
712 			if (issrhp->flags & ISCSI_FLAG_CMD_UNDERFLOW) {
713 				pkt->pkt_resid = ntohl(issrhp->residual_count);
714 			} else {
715 				if (icmdp->cmd_un.scsi.bp->b_bcount >
716 				    icmdp->cmd_un.scsi.data_transferred) {
717 					/*
718 					 * Some data fell on the floor
719 					 * somehow - probably a CRC error
720 					 */
721 					pkt->pkt_resid =
722 					    icmdp->cmd_un.scsi.bp->b_bcount -
723 					    icmdp->cmd_un.scsi.data_transferred;
724 				}
725 			}
726 		}
727 
728 		/* set flags that tell SCSA that the command is complete */
729 		if (icmdp->cmd_crc_error_seen == B_FALSE) {
730 			/* Set successful completion */
731 			pkt->pkt_reason = CMD_CMPLT;
732 			if (icmdp->cmd_un.scsi.bp) {
733 				pkt->pkt_state |= (STATE_XFERRED_DATA |
734 				    STATE_GOT_STATUS);
735 			} else {
736 				pkt->pkt_state |= STATE_GOT_STATUS;
737 			}
738 		} else {
739 			/*
740 			 * Some of the data was found to have an incorrect
741 			 * error at the protocol error.
742 			 */
743 			pkt->pkt_reason = CMD_PER_FAIL;
744 			pkt->pkt_statistics |= STAT_PERR;
745 			if (icmdp->cmd_un.scsi.bp) {
746 				pkt->pkt_resid =
747 				    icmdp->cmd_un.scsi.bp->b_bcount;
748 			} else {
749 				pkt->pkt_resid = 0;
750 			}
751 		}
752 
753 		dlength = n2h24(issrhp->dlength);
754 
755 		/*
756 		 * Process iSCSI Cmd Response Status
757 		 * RFC 3720 Sectionn 10.4.2.
758 		 */
759 		switch (issrhp->cmd_status & STATUS_MASK) {
760 		case STATUS_GOOD:
761 			/* pass SCSI status up stack */
762 			if (pkt->pkt_scbp) {
763 				pkt->pkt_scbp[0] = issrhp->cmd_status;
764 			}
765 			break;
766 		case STATUS_CHECK:
767 			/*
768 			 * Verify we received a sense buffer and
769 			 * that there is the correct amount of
770 			 * request sense space to copy it to.
771 			 */
772 			if ((dlength > 1) &&
773 			    (pkt->pkt_scbp != NULL) &&
774 			    (icmdp->cmd_un.scsi.statuslen >=
775 			    sizeof (struct scsi_arq_status))) {
776 				/*
777 				 * If a bad command status is received we
778 				 * need to reset the pkt_resid to zero.
779 				 * The target driver compares its value
780 				 * before checking other error flags.
781 				 * (ex. check conditions)
782 				 */
783 				pkt->pkt_resid = 0;
784 
785 				/* get sense length from first 2 bytes */
786 				senselen = ((data[0] << 8) | data[1]) &
787 				    (size_t)0xFFFF;
788 
789 				/* Sanity-check on the sense length */
790 				if ((senselen + 2) > dlength) {
791 					senselen = dlength - 2;
792 				}
793 
794 				/*
795 				 * If there was a Data Digest error then
796 				 * the sense data cannot be trusted.
797 				 */
798 				if (icmdp->cmd_crc_error_seen) {
799 					senselen = 0;
800 				}
801 
802 				/* automatic request sense */
803 				arqstat =
804 				    (struct scsi_arq_status *)pkt->pkt_scbp;
805 
806 				/* pass SCSI status up stack */
807 				*((uchar_t *)&arqstat->sts_status) =
808 				    issrhp->cmd_status;
809 
810 				/*
811 				 * Set the status for the automatic
812 				 * request sense command
813 				 */
814 				arqstat->sts_rqpkt_state = (STATE_GOT_BUS |
815 				    STATE_GOT_TARGET | STATE_SENT_CMD |
816 				    STATE_XFERRED_DATA | STATE_GOT_STATUS |
817 				    STATE_ARQ_DONE);
818 
819 				*((uchar_t *)&arqstat->sts_rqpkt_status) =
820 				    STATUS_GOOD;
821 
822 				arqstat->sts_rqpkt_reason = CMD_CMPLT;
823 
824 				statuslen = icmdp->cmd_un.scsi.statuslen;
825 
826 				if (senselen == 0) {
827 					/* auto request sense failed */
828 					arqstat->sts_rqpkt_status.sts_chk = 1;
829 					arqstat->sts_rqpkt_resid =
830 					    statuslen;
831 				} else if (senselen <
832 				    statuslen) {
833 					/* auto request sense short */
834 					arqstat->sts_rqpkt_resid =
835 					    statuslen
836 					    - senselen;
837 				} else {
838 					/* auto request sense complete */
839 					arqstat->sts_rqpkt_resid = 0;
840 				}
841 				arqstat->sts_rqpkt_statistics = 0;
842 				pkt->pkt_state |= STATE_ARQ_DONE;
843 
844 				if (icmdp->cmd_misc_flags &
845 				    ISCSI_CMD_MISCFLAG_XARQ) {
846 					pkt->pkt_state |= STATE_XARQ_DONE;
847 				}
848 
849 				/* copy auto request sense */
850 				dlength = min(senselen,
851 				    statuslen);
852 				if (dlength) {
853 					bcopy(&data[2], (uchar_t *)&arqstat->
854 					    sts_sensedata, dlength);
855 				}
856 				break;
857 			}
858 			/* FALLTHRU */
859 		case STATUS_BUSY:
860 		case STATUS_RESERVATION_CONFLICT:
861 		case STATUS_QFULL:
862 		case STATUS_ACA_ACTIVE:
863 		default:
864 			/*
865 			 * If a bad command status is received we need to
866 			 * reset the pkt_resid to zero.  The target driver
867 			 * compares its value before checking other error
868 			 * flags. (ex. check conditions)
869 			 */
870 			pkt->pkt_resid = 0;
871 			/* pass SCSI status up stack */
872 			if (pkt->pkt_scbp) {
873 				pkt->pkt_scbp[0] = issrhp->cmd_status;
874 			}
875 		}
876 	}
877 
878 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E3, isp);
879 	mutex_exit(&icp->conn_queue_active.mutex);
880 
881 	return (ISCSI_STATUS_SUCCESS);
882 }
883 
884 /*
885  * iscsi_rx_process_rtt_rsp - Process received RTT.  This means the target is
886  * requesting data.
887  */
888 /* ARGSUSED */
889 static iscsi_status_t
890 iscsi_rx_process_rtt_rsp(iscsi_conn_t *icp, iscsi_hdr_t *ihp, char *data)
891 {
892 	iscsi_sess_t		*isp = (iscsi_sess_t *)icp->conn_sess;
893 	iscsi_rtt_hdr_t		*irhp		= (iscsi_rtt_hdr_t *)ihp;
894 	iscsi_cmd_t		*icmdp		= NULL;
895 	struct buf		*bp		= NULL;
896 	uint32_t		data_length;
897 	iscsi_status_t		status = ISCSI_STATUS_PROTOCOL_ERROR;
898 
899 
900 	mutex_enter(&isp->sess_queue_pending.mutex);
901 	mutex_enter(&icp->conn_queue_active.mutex);
902 	mutex_enter(&isp->sess_cmdsn_mutex);
903 	if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(isp, ihp, &icmdp))) {
904 		mutex_exit(&isp->sess_cmdsn_mutex);
905 		mutex_exit(&icp->conn_queue_active.mutex);
906 		mutex_exit(&isp->sess_queue_pending.mutex);
907 		return (status);
908 	}
909 
910 	/* update expcmdsn and maxcmdsn */
911 	iscsi_update_flow_control(isp, ntohl(irhp->maxcmdsn),
912 	    ntohl(irhp->expcmdsn));
913 	mutex_enter(&icmdp->cmd_mutex);
914 	mutex_exit(&isp->sess_cmdsn_mutex);
915 
916 	bp = icmdp->cmd_un.scsi.bp;
917 	data_length = ntohl(irhp->data_length);
918 
919 	/*
920 	 * Perform boundary-checks per RFC 3720 (section 10.8.4).
921 	 * The Desired Data Transfer Length must satisfy this relation:
922 	 *
923 	 *	0 < Desired Data Transfer Length <= MaxBurstLength
924 	 */
925 	if ((bp == NULL) || (data_length == 0)) {
926 		cmn_err(CE_WARN, "iscsi connection(%u) received r2t but pkt "
927 		    "has no data itt:0x%x - protocol error", icp->conn_oid,
928 		    irhp->itt);
929 	} else if (data_length > icp->conn_params.max_burst_length) {
930 		cmn_err(CE_WARN, "iscsi connection(%u) received r2t but pkt "
931 		    "is larger than MaxBurstLength itt:0x%x len:0x%x - "
932 		    "protocol error",
933 		    icp->conn_oid, irhp->itt, data_length);
934 	} else {
935 		iscsi_handle_r2t(icp, icmdp, ntohl(irhp->data_offset),
936 		    data_length, irhp->ttt);
937 		status = ISCSI_STATUS_SUCCESS;
938 	}
939 
940 	mutex_exit(&icmdp->cmd_mutex);
941 	mutex_exit(&icp->conn_queue_active.mutex);
942 	mutex_exit(&isp->sess_queue_pending.mutex);
943 
944 	return (status);
945 }
946 
947 
948 /*
949  * iscsi_rx_process_nop - Process a received nop.  If nop is in response
950  * to a ping we sent update stats.  If initiated by the target we need
951  * to response back to the target with a nop.  Schedule the response.
952  */
953 /* ARGSUSED */
954 static iscsi_status_t
955 iscsi_rx_process_nop(iscsi_conn_t *icp, iscsi_hdr_t *ihp, char *data)
956 {
957 	iscsi_status_t		rval	= ISCSI_STATUS_SUCCESS;
958 	iscsi_sess_t		*isp	= NULL;
959 	iscsi_nop_in_hdr_t	*inihp	= (iscsi_nop_in_hdr_t *)ihp;
960 	iscsi_cmd_t		*icmdp	= NULL;
961 
962 	ASSERT(icp != NULL);
963 	ASSERT(ihp != NULL);
964 	/* ASSERT(data != NULL) data is allowed to be NULL */
965 	isp = icp->conn_sess;
966 	ASSERT(isp != NULL);
967 
968 	if (icp->conn_expstatsn != ntohl(inihp->statsn)) {
969 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
970 		    "received status out of order itt:0x%x statsn:0x%x "
971 		    "expstatsn:0x%x", icp->conn_oid, inihp->itt,
972 		    ntohl(inihp->statsn), icp->conn_expstatsn);
973 		return (ISCSI_STATUS_PROTOCOL_ERROR);
974 	}
975 
976 	mutex_enter(&isp->sess_queue_pending.mutex);
977 	mutex_enter(&icp->conn_queue_active.mutex);
978 	mutex_enter(&isp->sess_cmdsn_mutex);
979 	if (inihp->itt != ISCSI_RSVD_TASK_TAG) {
980 		if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(
981 		    isp, ihp, &icmdp))) {
982 			mutex_exit(&isp->sess_cmdsn_mutex);
983 			mutex_exit(&icp->conn_queue_active.mutex);
984 			mutex_exit(&isp->sess_queue_pending.mutex);
985 			return (ISCSI_STATUS_PROTOCOL_ERROR);
986 		}
987 	}
988 
989 	/* update expcmdsn and maxcmdsn */
990 	iscsi_update_flow_control(isp, ntohl(inihp->maxcmdsn),
991 	    ntohl(inihp->expcmdsn));
992 	mutex_exit(&isp->sess_cmdsn_mutex);
993 
994 	if ((inihp->itt != ISCSI_RSVD_TASK_TAG) &&
995 	    (inihp->ttt == ISCSI_RSVD_TASK_TAG)) {
996 		/* This is the only type of nop that incs. the expstatsn */
997 		icp->conn_expstatsn++;
998 
999 		/*
1000 		 * This is a targets response to our nop
1001 		 */
1002 		iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E3, isp);
1003 	} else if (inihp->ttt != ISCSI_RSVD_TASK_TAG) {
1004 		/*
1005 		 * Target requested a nop.  Send one.
1006 		 */
1007 		iscsi_handle_nop(icp, ISCSI_RSVD_TASK_TAG, inihp->ttt);
1008 	} else {
1009 		/*
1010 		 * This is a target-initiated ping that doesn't expect
1011 		 * a response; nothing to do except update our flow control
1012 		 * (which we do in all cases above).
1013 		 */
1014 		/* EMPTY */
1015 	}
1016 	mutex_exit(&icp->conn_queue_active.mutex);
1017 	mutex_exit(&isp->sess_queue_pending.mutex);
1018 
1019 	return (rval);
1020 }
1021 
1022 
1023 /*
1024  * iscsi_rx_process_reject_rsp - The server rejected a PDU
1025  */
1026 static iscsi_status_t
1027 iscsi_rx_process_reject_rsp(iscsi_conn_t *icp,
1028     iscsi_hdr_t *ihp, char *data)
1029 {
1030 	iscsi_reject_rsp_hdr_t		*irrhp = (iscsi_reject_rsp_hdr_t *)ihp;
1031 	iscsi_sess_t			*isp		= NULL;
1032 	uint32_t			dlength		= 0;
1033 	iscsi_hdr_t			*old_ihp	= NULL;
1034 
1035 	ASSERT(icp != NULL);
1036 	isp = icp->conn_sess;
1037 	ASSERT(ihp != NULL);
1038 	ASSERT(data != NULL);
1039 
1040 	/* make sure we only Ack Status numbers that we've actually received. */
1041 	if (icp->conn_expstatsn == ntohl(irrhp->statsn)) {
1042 		icp->conn_expstatsn++;
1043 	} else {
1044 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
1045 		    "received status out of order itt:0x%x statsn:0x%x "
1046 		    "expstatsn:0x%x", icp->conn_oid, ihp->itt,
1047 		    ntohl(irrhp->statsn), icp->conn_expstatsn);
1048 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1049 	}
1050 
1051 	/* update expcmdsn and maxcmdsn */
1052 	mutex_enter(&isp->sess_cmdsn_mutex);
1053 	iscsi_update_flow_control(isp, ntohl(irrhp->maxcmdsn),
1054 	    ntohl(irrhp->expcmdsn));
1055 	mutex_exit(&isp->sess_cmdsn_mutex);
1056 
1057 	/* If we don't have the rejected header we can't do anything */
1058 	dlength = n2h24(irrhp->dlength);
1059 	if (dlength < sizeof (iscsi_hdr_t)) {
1060 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1061 	}
1062 
1063 	/* map old ihp */
1064 	old_ihp = (iscsi_hdr_t *)data;
1065 
1066 	switch (irrhp->reason) {
1067 	/*
1068 	 * ISCSI_REJECT_IMM_CMD_REJECT - Immediate Command Reject
1069 	 * too many immediate commands (original cmd can be resent)
1070 	 */
1071 	case ISCSI_REJECT_IMM_CMD_REJECT:
1072 		/*
1073 		 * We have exceeded the server's capacity for outstanding
1074 		 * immediate commands.   This must be a task management
1075 		 * command so try to find it in the abortingqueue and
1076 		 * complete it.
1077 		 */
1078 		if (!(old_ihp->opcode & ISCSI_OP_IMMEDIATE)) {
1079 			/* Rejecting IMM but old old_hdr wasn't IMM */
1080 			return (ISCSI_STATUS_PROTOCOL_ERROR);
1081 		}
1082 
1083 		/*
1084 		 * We only send NOP and TASK_MGT as IMM.  All other
1085 		 * cases should be considered as a protocol error.
1086 		 */
1087 		switch (old_ihp->opcode & ISCSI_OPCODE_MASK) {
1088 		case ISCSI_OP_NOOP_OUT:
1089 			/*
1090 			 * A ping was rejected - treat this like
1091 			 * ping response.  The down side is we
1092 			 * didn't get an updated MaxCmdSn.
1093 			 */
1094 			break;
1095 		case ISCSI_OP_SCSI_TASK_MGT_MSG:
1096 			(void) iscsi_rx_process_rejected_tsk_mgt(icp,
1097 			    old_ihp);
1098 			break;
1099 		default:
1100 			cmn_err(CE_WARN, "iscsi connection(%u) protocol error "
1101 			    "- received a reject for a command(0x%02x) not "
1102 			    "sent as an immediate", icp->conn_oid,
1103 			    old_ihp->opcode);
1104 			return (ISCSI_STATUS_PROTOCOL_ERROR);
1105 		}
1106 		break;
1107 
1108 	/*
1109 	 * For the rest of the reject cases just use the general
1110 	 * hammer of dis/reconnecting.  This will resolve all
1111 	 * noted issues although could be more graceful.
1112 	 */
1113 	case ISCSI_REJECT_DATA_DIGEST_ERROR:
1114 	case ISCSI_REJECT_CMD_BEFORE_LOGIN:
1115 	case ISCSI_REJECT_SNACK_REJECT:
1116 	case ISCSI_REJECT_PROTOCOL_ERROR:
1117 	case ISCSI_REJECT_CMD_NOT_SUPPORTED:
1118 	case ISCSI_REJECT_TASK_IN_PROGRESS:
1119 	case ISCSI_REJECT_INVALID_DATA_ACK:
1120 	case ISCSI_REJECT_INVALID_PDU_FIELD:
1121 	case ISCSI_REJECT_LONG_OPERATION_REJECT:
1122 	case ISCSI_REJECT_NEGOTIATION_RESET:
1123 	default:
1124 		cmn_err(CE_WARN, "iscsi connection(%u) closing connection - "
1125 		    "target requested itt:0x%x reason:0x%x",
1126 		    icp->conn_oid, ihp->itt, irrhp->reason);
1127 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1128 	}
1129 
1130 	return (ISCSI_STATUS_SUCCESS);
1131 }
1132 
1133 
1134 /*
1135  * iscsi_rx_process_rejected_tsk_mgt -
1136  */
1137 static iscsi_status_t
1138 iscsi_rx_process_rejected_tsk_mgt(iscsi_conn_t *icp,
1139     iscsi_hdr_t *old_ihp)
1140 {
1141 	iscsi_sess_t			*isp	= NULL;
1142 	iscsi_cmd_t			*icmdp	= NULL;
1143 
1144 	ASSERT(icp != NULL);
1145 	isp = icp->conn_sess;
1146 	ASSERT(old_ihp != NULL);
1147 	ASSERT(icp->conn_sess != NULL);
1148 
1149 	mutex_enter(&icp->conn_queue_active.mutex);
1150 	mutex_enter(&isp->sess_cmdsn_mutex);
1151 	if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(
1152 	    isp, old_ihp, &icmdp))) {
1153 		mutex_exit(&isp->sess_cmdsn_mutex);
1154 		mutex_exit(&icp->conn_queue_active.mutex);
1155 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1156 	}
1157 	mutex_exit(&isp->sess_cmdsn_mutex);
1158 
1159 	switch (icmdp->cmd_type) {
1160 	case ISCSI_CMD_TYPE_ABORT:
1161 	case ISCSI_CMD_TYPE_RESET:
1162 		iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E4,
1163 		    icp->conn_sess);
1164 		break;
1165 	/* We don't send any other task mgr types */
1166 	default:
1167 		ASSERT(B_FALSE);
1168 		break;
1169 	}
1170 	mutex_exit(&icp->conn_queue_active.mutex);
1171 
1172 	return (ISCSI_STATUS_SUCCESS);
1173 }
1174 
1175 
1176 /*
1177  * iscsi_rx_process_task_mgt_rsp -
1178  */
1179 /* ARGSUSED */
1180 static iscsi_status_t
1181 iscsi_rx_process_task_mgt_rsp(iscsi_conn_t *icp,
1182     iscsi_hdr_t *ihp, void *data)
1183 {
1184 	iscsi_sess_t			*isp		= NULL;
1185 	iscsi_scsi_task_mgt_rsp_hdr_t	*istmrhp	= NULL;
1186 	iscsi_cmd_t			*icmdp		= NULL;
1187 
1188 	ASSERT(ihp != NULL);
1189 	ASSERT(icp != NULL);
1190 	isp = icp->conn_sess;
1191 	ASSERT(isp != NULL);
1192 	istmrhp = (iscsi_scsi_task_mgt_rsp_hdr_t *)ihp;
1193 
1194 	if (icp->conn_expstatsn == ntohl(istmrhp->statsn)) {
1195 		icp->conn_expstatsn++;
1196 	} else {
1197 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
1198 		    "received status out of order itt:0x%x statsn:0x%x "
1199 		    "expstatsn:0x%x", icp->conn_oid, istmrhp->itt,
1200 		    ntohl(istmrhp->statsn), icp->conn_expstatsn);
1201 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1202 	}
1203 
1204 	/* make sure we only Ack Status numbers that we've actually received. */
1205 	mutex_enter(&icp->conn_queue_active.mutex);
1206 	mutex_enter(&isp->sess_cmdsn_mutex);
1207 	if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(isp, ihp, &icmdp))) {
1208 		mutex_exit(&isp->sess_cmdsn_mutex);
1209 		mutex_exit(&icp->conn_queue_active.mutex);
1210 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1211 	}
1212 
1213 	/* update expcmdsn and maxcmdn */
1214 	iscsi_update_flow_control(isp, ntohl(istmrhp->maxcmdsn),
1215 	    ntohl(istmrhp->expcmdsn));
1216 	mutex_exit(&isp->sess_cmdsn_mutex);
1217 
1218 	switch (icmdp->cmd_type) {
1219 	case ISCSI_CMD_TYPE_ABORT:
1220 	case ISCSI_CMD_TYPE_RESET:
1221 		switch (istmrhp->response) {
1222 		case SCSI_TCP_TM_RESP_COMPLETE:
1223 			/* success */
1224 			iscsi_cmd_state_machine(icmdp,
1225 			    ISCSI_CMD_EVENT_E3, isp);
1226 			break;
1227 		case SCSI_TCP_TM_RESP_NO_TASK:
1228 			/*
1229 			 * If the array no longer knows about
1230 			 * an ABORT RTT and we no longer have
1231 			 * a parent SCSI command it was just
1232 			 * completed, free this ABORT resource.
1233 			 * Otherwise FALLTHRU this will flag a
1234 			 * protocol problem.
1235 			 */
1236 			if ((icmdp->cmd_type == ISCSI_CMD_TYPE_ABORT) &&
1237 			    (icmdp->cmd_un.abort.icmdp == NULL)) {
1238 				iscsi_cmd_state_machine(icmdp,
1239 				    ISCSI_CMD_EVENT_E4, isp);
1240 				break;
1241 			}
1242 			/* FALLTHRU */
1243 		case SCSI_TCP_TM_RESP_NO_LUN:
1244 		case SCSI_TCP_TM_RESP_TASK_ALLEGIANT:
1245 		case SCSI_TCP_TM_RESP_NO_FAILOVER:
1246 		case SCSI_TCP_TM_RESP_IN_PRGRESS:
1247 		case SCSI_TCP_TM_RESP_REJECTED:
1248 		default:
1249 			/*
1250 			 * Something is out of sync.  Flush
1251 			 * active queues and resync the
1252 			 * the connection to try and recover
1253 			 * to a known state.
1254 			 */
1255 			mutex_exit(&icp->conn_queue_active.mutex);
1256 			return (ISCSI_STATUS_PROTOCOL_ERROR);
1257 		}
1258 		break;
1259 
1260 	default:
1261 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
1262 		    "received a task mgt response for a non-task mgt "
1263 		    "cmd itt:0x%x type:%d", icp->conn_oid, istmrhp->itt,
1264 		    icmdp->cmd_type);
1265 		mutex_exit(&icp->conn_queue_active.mutex);
1266 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1267 	}
1268 
1269 	mutex_exit(&icp->conn_queue_active.mutex);
1270 	return (ISCSI_STATUS_SUCCESS);
1271 }
1272 
1273 
1274 /*
1275  * iscsi_rx_process_logout -
1276  *
1277  */
1278 /* ARGSUSED */
1279 static iscsi_status_t
1280 iscsi_rx_process_logout_rsp(iscsi_conn_t *icp, iscsi_hdr_t *ihp, char *data)
1281 {
1282 	iscsi_status_t		rval	= ISCSI_STATUS_SUCCESS;
1283 	iscsi_sess_t		*isp	= icp->conn_sess;
1284 	iscsi_logout_rsp_hdr_t	*ilrhp	= (iscsi_logout_rsp_hdr_t *)ihp;
1285 	iscsi_cmd_t		*icmdp	= NULL;
1286 
1287 	ASSERT(icp != NULL);
1288 	ASSERT(ihp != NULL);
1289 	isp = icp->conn_sess;
1290 	ASSERT(isp != NULL);
1291 
1292 	if (icp->conn_expstatsn != ntohl(ilrhp->statsn)) {
1293 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
1294 		    "received status out of order itt:0x%x statsn:0x%x "
1295 		    "expstatsn:0x%x", icp->conn_oid, ilrhp->itt,
1296 		    ntohl(ilrhp->statsn), icp->conn_expstatsn);
1297 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1298 	}
1299 
1300 	mutex_enter(&icp->conn_queue_active.mutex);
1301 	mutex_enter(&isp->sess_cmdsn_mutex);
1302 	if (ilrhp->itt != ISCSI_RSVD_TASK_TAG) {
1303 		if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(
1304 		    isp, ihp, &icmdp))) {
1305 			mutex_exit(&isp->sess_cmdsn_mutex);
1306 			mutex_exit(&icp->conn_queue_active.mutex);
1307 			return (ISCSI_STATUS_PROTOCOL_ERROR);
1308 		}
1309 	}
1310 
1311 	/* update expcmdsn and maxcmdsn */
1312 	iscsi_update_flow_control(isp, ntohl(ilrhp->maxcmdsn),
1313 	    ntohl(ilrhp->expcmdsn));
1314 	mutex_exit(&isp->sess_cmdsn_mutex);
1315 
1316 	switch (ilrhp->response) {
1317 	case ISCSI_LOGOUT_CID_NOT_FOUND:
1318 		/*
1319 		 * If the target doesn't know about our connection
1320 		 * then we can consider our self disconnected.
1321 		 */
1322 		/* FALLTHRU */
1323 	case ISCSI_LOGOUT_RECOVERY_UNSUPPORTED:
1324 		/*
1325 		 * We don't support ErrorRecovery levels above 0
1326 		 * currently so consider this success.
1327 		 */
1328 		/* FALLTHRU */
1329 	case ISCSI_LOGOUT_CLEANUP_FAILED:
1330 		/*
1331 		 * per spec. "cleanup failed for various reasons."
1332 		 * Although those various reasons are undefined.
1333 		 * Not sure what to do here.  So fake success,
1334 		 * which will disconnect the connection.
1335 		 */
1336 		/* FALLTHRU */
1337 	case ISCSI_LOGOUT_SUCCESS:
1338 		iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E3, isp);
1339 		mutex_exit(&icp->conn_queue_active.mutex);
1340 		/* logout completed successfully notify the conn */
1341 		mutex_enter(&icp->conn_state_mutex);
1342 		(void) iscsi_conn_state_machine(icp, ISCSI_CONN_EVENT_T17);
1343 		mutex_exit(&icp->conn_state_mutex);
1344 		break;
1345 	default:
1346 		mutex_exit(&icp->conn_queue_active.mutex);
1347 		rval = ISCSI_STATUS_PROTOCOL_ERROR;
1348 	}
1349 
1350 	return (rval);
1351 }
1352 
1353 
1354 /*
1355  * iscsi_rx_process_logout -
1356  *
1357  */
1358 /* ARGSUSED */
1359 static iscsi_status_t
1360 iscsi_rx_process_async_rsp(iscsi_conn_t *icp, iscsi_hdr_t *ihp, char *data)
1361 {
1362 	iscsi_status_t		rval	= ISCSI_STATUS_SUCCESS;
1363 	iscsi_async_evt_hdr_t	*iaehp	= (iscsi_async_evt_hdr_t *)ihp;
1364 
1365 	ASSERT(icp != NULL);
1366 	ASSERT(ihp != NULL);
1367 	ASSERT(icp->conn_sess != NULL);
1368 
1369 	if (icp->conn_expstatsn != ntohl(iaehp->statsn)) {
1370 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
1371 		    "received status out of order itt:0x%x statsn:0x%x "
1372 		    "expstatsn:0x%x", icp->conn_oid, ihp->itt,
1373 		    ntohl(iaehp->statsn), icp->conn_expstatsn);
1374 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1375 	}
1376 
1377 	switch (iaehp->async_event) {
1378 	case ISCSI_ASYNC_EVENT_SCSI_EVENT:
1379 		/*
1380 		 * SCSI asynchronous event is reported in
1381 		 * the sense data.  Sense data that accompanies
1382 		 * the report in the data segment identifies the
1383 		 * condition.  If the target supports SCSI
1384 		 * asynchronous events reporting (see [SAM2])
1385 		 * as indicated in the stardard INQUIRY data
1386 		 * (see [SPC3]), its use may be enabled by
1387 		 * parameters in the SCSI control mode page
1388 		 * (see [SPC3]).
1389 		 *
1390 		 * T-10 has removed SCSI asunchronous events
1391 		 * from the standard.  Although we have seen
1392 		 * a couple targets still spending these requests.
1393 		 * Those targets were specifically sending them
1394 		 * for notification of a LUN/Volume change
1395 		 * (ex. LUN addition/removal).  Take a general
1396 		 * action to these events of dis/reconnecting.
1397 		 * Once reconnected we perform a reenumeration.
1398 		 */
1399 		mutex_enter(&icp->conn_state_mutex);
1400 		(void) iscsi_conn_state_machine(icp, ISCSI_CONN_EVENT_T14);
1401 		mutex_exit(&icp->conn_state_mutex);
1402 		break;
1403 
1404 	case ISCSI_ASYNC_EVENT_REQUEST_LOGOUT:
1405 		/* Target has requested this connection to logout. */
1406 		mutex_enter(&icp->conn_state_mutex);
1407 		(void) iscsi_conn_state_machine(icp, ISCSI_CONN_EVENT_T14);
1408 		mutex_exit(&icp->conn_state_mutex);
1409 		break;
1410 
1411 	case ISCSI_ASYNC_EVENT_DROPPING_CONNECTION:
1412 		/*
1413 		 * Target is going to drop our connection.
1414 		 *	param1 - CID which will be dropped.
1415 		 *	param2 - Min time to reconnect.
1416 		 *	param3 - Max time to reconnect.
1417 		 *
1418 		 * For now just let fail as another disconnect.
1419 		 *
1420 		 * MC/S Once we support > 1 connections then
1421 		 * we need to check the CID and drop that
1422 		 * specific connection.
1423 		 */
1424 		iscsi_conn_set_login_min_max(icp, iaehp->param2, iaehp->param3);
1425 		mutex_enter(&icp->conn_state_mutex);
1426 		(void) iscsi_conn_state_machine(icp, ISCSI_CONN_EVENT_T14);
1427 		mutex_exit(&icp->conn_state_mutex);
1428 		break;
1429 
1430 	case ISCSI_ASYNC_EVENT_DROPPING_ALL_CONNECTIONS:
1431 		/*
1432 		 * Target is going to drop ALL connections.
1433 		 *	param2 - Min time to reconnect.
1434 		 *	param3 - Max time to reconnect.
1435 		 *
1436 		 * For now just let fail as anyother disconnect.
1437 		 *
1438 		 * MC/S Once we support more than > 1 connections
1439 		 * then we need to drop all connections on the
1440 		 * session.
1441 		 */
1442 		iscsi_conn_set_login_min_max(icp, iaehp->param2, iaehp->param3);
1443 		mutex_enter(&icp->conn_state_mutex);
1444 		(void) iscsi_conn_state_machine(icp, ISCSI_CONN_EVENT_T14);
1445 		mutex_exit(&icp->conn_state_mutex);
1446 		break;
1447 
1448 	case ISCSI_ASYNC_EVENT_PARAM_NEGOTIATION:
1449 		/*
1450 		 * Target requests parameter negotiation
1451 		 * on this connection.
1452 		 *
1453 		 * The initiator must honor this request.  For
1454 		 * now we will request a logout.  We can't
1455 		 * just ignore this or it might force corruption?
1456 		 */
1457 		mutex_enter(&icp->conn_state_mutex);
1458 		(void) iscsi_conn_state_machine(icp, ISCSI_CONN_EVENT_T14);
1459 		mutex_exit(&icp->conn_state_mutex);
1460 		break;
1461 
1462 	case ISCSI_ASYNC_EVENT_VENDOR_SPECIFIC:
1463 		/*
1464 		 * We currently don't handle any vendor
1465 		 * specific async events.  So just ignore
1466 		 * the request.
1467 		 */
1468 		mutex_enter(&icp->conn_state_mutex);
1469 		(void) iscsi_conn_state_machine(icp, ISCSI_CONN_EVENT_T14);
1470 		mutex_exit(&icp->conn_state_mutex);
1471 		break;
1472 	default:
1473 		rval = ISCSI_STATUS_PROTOCOL_ERROR;
1474 	}
1475 
1476 	return (rval);
1477 }
1478 
1479 /*
1480  * iscsi_rx_process_text_rsp - processes iSCSI text response.  It sets
1481  * the cmd_result field of the command data structure with the actual
1482  * status value instead of returning the status value.  The return value
1483  * is SUCCESS in order to let iscsi_handle_text control the operation of
1484  * a text request.
1485  * Test requests are a handled a little different than other types of
1486  * iSCSI commands because the initiator sends additional empty text requests
1487  * in order to obtain the remaining responses required to complete the
1488  * request.  iscsi_handle_text controls the operation of text request, while
1489  * iscsi_rx_process_text_rsp just process the current response.
1490  */
1491 static iscsi_status_t
1492 iscsi_rx_process_text_rsp(iscsi_conn_t *icp, iscsi_hdr_t *ihp, char *data)
1493 {
1494 	iscsi_sess_t		*isp	= NULL;
1495 	iscsi_text_rsp_hdr_t	*ithp	= (iscsi_text_rsp_hdr_t *)ihp;
1496 	iscsi_cmd_t		*icmdp	= NULL;
1497 	boolean_t		final	= B_FALSE;
1498 	uint32_t		data_len;
1499 
1500 	ASSERT(icp != NULL);
1501 	ASSERT(ihp != NULL);
1502 	ASSERT(data != NULL);
1503 
1504 	isp = icp->conn_sess;
1505 	ASSERT(isp != NULL);
1506 
1507 	if (icp->conn_expstatsn == ntohl(ithp->statsn)) {
1508 		icp->conn_expstatsn++;
1509 	} else {
1510 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
1511 		    "received status out of order itt:0x%x statsn:0x%x "
1512 		    "expstatsn:0x%x", icp->conn_oid, ithp->itt,
1513 		    ntohl(ithp->statsn), icp->conn_expstatsn);
1514 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1515 	}
1516 
1517 	mutex_enter(&icp->conn_queue_active.mutex);
1518 	mutex_enter(&isp->sess_cmdsn_mutex);
1519 	if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(isp, ihp, &icmdp))) {
1520 		mutex_exit(&isp->sess_cmdsn_mutex);
1521 		mutex_exit(&icp->conn_queue_active.mutex);
1522 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1523 	}
1524 
1525 	/* update expcmdsn and maxcmdsn */
1526 	iscsi_update_flow_control(isp, ntohl(ithp->maxcmdsn),
1527 	    ntohl(ithp->expcmdsn));
1528 	mutex_exit(&isp->sess_cmdsn_mutex);
1529 
1530 	/* update local final response flag */
1531 	if (ithp->flags & ISCSI_FLAG_FINAL) {
1532 		final = B_TRUE;
1533 	}
1534 
1535 	/*
1536 	 * validate received TTT value.  RFC3720 specifies the following:
1537 	 * - F bit set to 1 MUST have a reserved TTT value 0xffffffff
1538 	 * - F bit set to 0 MUST have a non-reserved TTT value !0xffffffff
1539 	 * In addition, the received TTT value must not change between
1540 	 * responses of a long text response
1541 	 */
1542 	if (((final == B_TRUE) && (ithp->ttt != ISCSI_RSVD_TASK_TAG)) ||
1543 	    ((final == B_FALSE) && (ithp->ttt == ISCSI_RSVD_TASK_TAG))) {
1544 		icmdp->cmd_result = ISCSI_STATUS_PROTOCOL_ERROR;
1545 		icmdp->cmd_un.text.stage = ISCSI_CMD_TEXT_FINAL_RSP;
1546 		mutex_exit(&icp->conn_queue_active.mutex);
1547 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
1548 		    "received text response with invalid flags:0x%x or "
1549 		    "ttt:0x%x", icp->conn_oid, ithp->flags, ithp->itt);
1550 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1551 	}
1552 
1553 	if ((icmdp->cmd_un.text.stage == ISCSI_CMD_TEXT_INITIAL_REQ) &&
1554 	    (ithp->ttt == ISCSI_RSVD_TASK_TAG) &&
1555 	    (final == B_FALSE)) {
1556 		/* TTT should have matched reserved value */
1557 		icmdp->cmd_result = ISCSI_STATUS_PROTOCOL_ERROR;
1558 		icmdp->cmd_un.text.stage = ISCSI_CMD_TEXT_FINAL_RSP;
1559 		mutex_exit(&icp->conn_queue_active.mutex);
1560 		cmn_err(CE_WARN, "iscsi connection(%u) protocol "
1561 		    "error - received text response with invalid "
1562 		    "ttt:0x%x", icp->conn_oid, ithp->ttt);
1563 		return (ISCSI_STATUS_PROTOCOL_ERROR);
1564 	}
1565 
1566 	/*
1567 	 * If this is first response, save away TTT value for later use
1568 	 * in a long text request/response sequence
1569 	 */
1570 	if (icmdp->cmd_un.text.stage == ISCSI_CMD_TEXT_INITIAL_REQ) {
1571 		icmdp->cmd_un.text.ttt = ithp->ttt;
1572 	}
1573 
1574 	data_len = ntoh24(ithp->dlength);
1575 
1576 	/* check whether enough buffer available to copy data */
1577 	if ((icmdp->cmd_un.text.total_rx_len + data_len) >
1578 	    icmdp->cmd_un.text.buf_len) {
1579 		icmdp->cmd_un.text.total_rx_len += data_len;
1580 		icmdp->cmd_result = ISCSI_STATUS_DATA_OVERFLOW;
1581 		/*
1582 		 * DATA_OVERFLOW will result in a SUCCESS return so that
1583 		 * iscsi_handle_text can continue to obtain the remaining
1584 		 * text response if needed.
1585 		 */
1586 	} else {
1587 		char *buf_data = (icmdp->cmd_un.text.buf +
1588 		    icmdp->cmd_un.text.offset);
1589 
1590 		bcopy(data, buf_data, data_len);
1591 		icmdp->cmd_un.text.offset += data_len;
1592 		icmdp->cmd_un.text.total_rx_len += data_len;
1593 		icmdp->cmd_result = ISCSI_STATUS_SUCCESS;
1594 		bcopy(ithp->rsvd4, icmdp->cmd_un.text.lun,
1595 		    sizeof (icmdp->cmd_un.text.lun));
1596 	}
1597 
1598 	/* update stage  */
1599 	if (final == B_TRUE) {
1600 		icmdp->cmd_un.text.stage = ISCSI_CMD_TEXT_FINAL_RSP;
1601 	} else {
1602 		icmdp->cmd_un.text.stage = ISCSI_CMD_TEXT_CONTINUATION;
1603 	}
1604 
1605 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E3, isp);
1606 	mutex_exit(&icp->conn_queue_active.mutex);
1607 	return (ISCSI_STATUS_SUCCESS);
1608 }
1609 
1610 /*
1611  * iscsi_rx_process_itt_to_icmdp - Lookup itt in the session's
1612  * cmd table to find matching icmdp.  Verify itt in hdr and
1613  * icmdp are the same.
1614  */
1615 static iscsi_status_t
1616 iscsi_rx_process_itt_to_icmdp(iscsi_sess_t *isp, iscsi_hdr_t *ihp,
1617     iscsi_cmd_t **icmdp)
1618 {
1619 	int cmd_table_idx = 0;
1620 
1621 	ASSERT(isp != NULL);
1622 	ASSERT(ihp != NULL);
1623 	ASSERT(icmdp != NULL);
1624 	ASSERT(mutex_owned(&isp->sess_cmdsn_mutex));
1625 
1626 	/* try to find an associated iscsi_pkt */
1627 	cmd_table_idx = ihp->itt % ISCSI_CMD_TABLE_SIZE;
1628 	if (isp->sess_cmd_table[cmd_table_idx] == NULL) {
1629 		cmn_err(CE_WARN, "iscsi session(%u) protocol error - "
1630 		    "received unknown itt:0x%x - protocol error",
1631 		    isp->sess_oid, ihp->itt);
1632 		return (ISCSI_STATUS_INTERNAL_ERROR);
1633 	}
1634 
1635 	/* verify itt */
1636 	if (isp->sess_cmd_table[cmd_table_idx]->cmd_itt != ihp->itt) {
1637 		cmn_err(CE_WARN, "iscsi session(%u) received itt:0x%x "
1638 		    " which is out of sync with itt:0x%x", isp->sess_oid,
1639 		    ihp->itt, isp->sess_cmd_table[cmd_table_idx]->cmd_itt);
1640 		return (ISCSI_STATUS_INTERNAL_ERROR);
1641 	}
1642 
1643 	/* ensure that icmdp is still in Active state */
1644 	if (isp->sess_cmd_table[cmd_table_idx]->cmd_state !=
1645 	    ISCSI_CMD_STATE_ACTIVE) {
1646 		cmn_err(CE_WARN, "iscsi session(%u) received itt:0x%x "
1647 		    "but icmdp (%p) is not in active state",
1648 		    isp->sess_oid, ihp->itt,
1649 		    (void *)isp->sess_cmd_table[cmd_table_idx]);
1650 		return (ISCSI_STATUS_INTERNAL_ERROR);
1651 	}
1652 
1653 	/* make sure this is a SCSI cmd */
1654 	*icmdp = isp->sess_cmd_table[cmd_table_idx];
1655 
1656 	return (ISCSI_STATUS_SUCCESS);
1657 }
1658 
1659 
1660 /*
1661  * +--------------------------------------------------------------------+
1662  * | End of protocol receive routines					|
1663  * +--------------------------------------------------------------------+
1664  */
1665 
1666 /*
1667  * +--------------------------------------------------------------------+
1668  * | Beginning of protocol send routines				|
1669  * +--------------------------------------------------------------------+
1670  */
1671 
1672 
1673 /*
1674  * iscsi_tx_thread - This thread is the driving point for all
1675  * iSCSI PDUs after login.  No PDUs should call sendpdu()
1676  * directly they should be funneled through iscsi_tx_thread.
1677  */
1678 void
1679 iscsi_tx_thread(iscsi_thread_t *thread, void *arg)
1680 {
1681 	iscsi_conn_t	*icp	= (iscsi_conn_t *)arg;
1682 	iscsi_sess_t	*isp	= NULL;
1683 	iscsi_cmd_t	*icmdp	= NULL;
1684 	clock_t		tout;
1685 	int		ret	= 1;
1686 
1687 	ASSERT(icp != NULL);
1688 	isp = icp->conn_sess;
1689 	ASSERT(isp != NULL);
1690 	ASSERT(thread != NULL);
1691 	ASSERT(thread->signature == SIG_ISCSI_THREAD);
1692 
1693 	tout = SEC_TO_TICK(1);
1694 	/*
1695 	 * Transfer icmdps until shutdown by owning session.
1696 	 */
1697 	while (ret != 0) {
1698 
1699 		isp->sess_window_open = B_TRUE;
1700 
1701 		/*
1702 		 * While the window is open, there are commands available
1703 		 * to send and the session state allows those commands to
1704 		 * be sent try to transfer them.
1705 		 */
1706 		mutex_enter(&isp->sess_queue_pending.mutex);
1707 		while ((isp->sess_window_open == B_TRUE) &&
1708 		    ((icmdp = isp->sess_queue_pending.head) != NULL) &&
1709 		    (((icmdp->cmd_type != ISCSI_CMD_TYPE_SCSI) &&
1710 		    (ISCSI_CONN_STATE_FULL_FEATURE(icp->conn_state))) ||
1711 		    (icp->conn_state == ISCSI_CONN_STATE_LOGGED_IN))) {
1712 
1713 			/* update command with this connection info */
1714 			icmdp->cmd_conn = icp;
1715 			/* attempt to send this command */
1716 			iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E2, isp);
1717 
1718 			ASSERT(!mutex_owned(&isp->sess_queue_pending.mutex));
1719 			mutex_enter(&isp->sess_queue_pending.mutex);
1720 		}
1721 		mutex_exit(&isp->sess_queue_pending.mutex);
1722 
1723 		/*
1724 		 * Go to sleep until there is something new
1725 		 * to process (awoken via cv_boardcast).
1726 		 * Or the timer goes off.
1727 		 */
1728 		ret = iscsi_thread_wait(thread, tout);
1729 	}
1730 
1731 }
1732 
1733 
1734 /*
1735  * iscsi_tx_cmd - transfers icmdp across wire as iscsi pdu
1736  *
1737  * Just prior to sending the command to the networking layer the
1738  * pending queue lock will be dropped.  At this point only local
1739  * resources will be used, not the icmdp.  Holding the queue lock
1740  * across the networking call can lead to a hang.  (This is due
1741  * to the the target driver and networking layers competing use
1742  * of the timeout() resources and the queue lock being held for
1743  * both sides.)  Upon the completion of this command the lock
1744  * will have been re-acquired.
1745  */
1746 iscsi_status_t
1747 iscsi_tx_cmd(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
1748 {
1749 	iscsi_status_t	rval = ISCSI_STATUS_INTERNAL_ERROR;
1750 
1751 	ASSERT(isp != NULL);
1752 	ASSERT(icmdp != NULL);
1753 
1754 	/* transfer specific command type */
1755 	switch (icmdp->cmd_type) {
1756 	case ISCSI_CMD_TYPE_SCSI:
1757 		rval = iscsi_tx_scsi(isp, icmdp);
1758 		break;
1759 	case ISCSI_CMD_TYPE_R2T:
1760 		rval = iscsi_tx_r2t(isp, icmdp);
1761 		break;
1762 	case ISCSI_CMD_TYPE_NOP:
1763 		rval = iscsi_tx_nop(isp, icmdp);
1764 		break;
1765 	case ISCSI_CMD_TYPE_ABORT:
1766 		rval = iscsi_tx_abort(isp, icmdp);
1767 		break;
1768 	case ISCSI_CMD_TYPE_RESET:
1769 		rval = iscsi_tx_reset(isp, icmdp);
1770 		break;
1771 	case ISCSI_CMD_TYPE_LOGOUT:
1772 		rval = iscsi_tx_logout(isp, icmdp);
1773 		break;
1774 	case ISCSI_CMD_TYPE_TEXT:
1775 		rval = iscsi_tx_text(isp, icmdp);
1776 		break;
1777 	default:
1778 		ASSERT(FALSE);
1779 	}
1780 
1781 	ASSERT(!mutex_owned(&isp->sess_queue_pending.mutex));
1782 	return (rval);
1783 }
1784 
1785 /*
1786  * a variable length cdb can be up to 16K, but we obviously don't want
1787  * to put that on the stack; go with 200 bytes; if we get something
1788  * bigger than that we will kmem_alloc a buffer
1789  */
1790 #define	DEF_CDB_LEN	200
1791 
1792 /*
1793  * given the size of the cdb, return how many bytes the header takes,
1794  * which is the sizeof addl_hdr_t + the CDB size, minus the 16 bytes
1795  * stored in the basic header, minus sizeof (ahs_extscb)
1796  */
1797 #define	ADDLHDRSZ(x)		(sizeof (iscsi_addl_hdr_t) + (x) - \
1798 					16 - 4)
1799 
1800 /*
1801  * iscsi_tx_scsi -
1802  *
1803  */
1804 static iscsi_status_t
1805 iscsi_tx_scsi(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
1806 {
1807 	iscsi_status_t		rval		= ISCSI_STATUS_SUCCESS;
1808 	iscsi_conn_t		*icp		= NULL;
1809 	struct scsi_pkt		*pkt		= NULL;
1810 	struct buf		*bp		= NULL;
1811 	union {
1812 		iscsi_scsi_cmd_hdr_t	isch;
1813 		iscsi_addl_hdr_t	iah;
1814 		uchar_t			arr[ADDLHDRSZ(DEF_CDB_LEN)];
1815 	} hdr_un;
1816 	iscsi_scsi_cmd_hdr_t	*ihp		=
1817 	    (iscsi_scsi_cmd_hdr_t *)&hdr_un.isch;
1818 	int			cdblen		= 0;
1819 	size_t			buflen		= 0;
1820 	uint32_t		imdata		= 0;
1821 	uint32_t		first_burst_length = 0;
1822 
1823 	ASSERT(isp != NULL);
1824 	ASSERT(icmdp != NULL);
1825 	pkt = icmdp->cmd_un.scsi.pkt;
1826 	ASSERT(pkt != NULL);
1827 	bp = icmdp->cmd_un.scsi.bp;
1828 	icp = icmdp->cmd_conn;
1829 	ASSERT(icp != NULL);
1830 
1831 	/* Reset counts in case we are on a retry */
1832 	icmdp->cmd_un.scsi.data_transferred = 0;
1833 
1834 	if (icmdp->cmd_un.scsi.cmdlen > DEF_CDB_LEN) {
1835 		cdblen = icmdp->cmd_un.scsi.cmdlen;
1836 		ihp = kmem_zalloc(ADDLHDRSZ(cdblen), KM_SLEEP);
1837 	} else {
1838 		/*
1839 		 * only bzero the basic header; the additional header
1840 		 * will be set up correctly later, if needed
1841 		 */
1842 		bzero(ihp, sizeof (iscsi_scsi_cmd_hdr_t));
1843 	}
1844 	ihp->opcode		= ISCSI_OP_SCSI_CMD;
1845 	ihp->itt		= icmdp->cmd_itt;
1846 	mutex_enter(&isp->sess_cmdsn_mutex);
1847 	ihp->cmdsn		= htonl(isp->sess_cmdsn);
1848 	isp->sess_cmdsn++;
1849 	mutex_exit(&isp->sess_cmdsn_mutex);
1850 	ihp->expstatsn		= htonl(icp->conn_expstatsn);
1851 	icp->conn_laststatsn = icp->conn_expstatsn;
1852 
1853 	pkt->pkt_state = (STATE_GOT_BUS | STATE_GOT_TARGET);
1854 	pkt->pkt_reason = CMD_INCOMPLETE;
1855 
1856 	/*
1857 	 * Sestion 12.11 of the iSCSI specification has a good table
1858 	 * describing when uncolicited data and/or immediate data
1859 	 * should be sent.
1860 	 */
1861 	bp = icmdp->cmd_un.scsi.bp;
1862 	if ((bp != NULL) && bp->b_bcount) {
1863 		buflen = bp->b_bcount;
1864 		first_burst_length = icp->conn_params.first_burst_length;
1865 
1866 		if (bp->b_flags & B_READ) {
1867 			ihp->flags = ISCSI_FLAG_FINAL;
1868 			/*
1869 			 * fix problem where OS sends bp (B_READ &
1870 			 * b_bcount!=0) for a TUR or START_STOP.
1871 			 * (comment came from cisco code.)
1872 			 */
1873 			if ((pkt->pkt_cdbp[0] != SCMD_TEST_UNIT_READY) &&
1874 			    (pkt->pkt_cdbp[0] != SCMD_START_STOP)) {
1875 				ihp->flags |= ISCSI_FLAG_CMD_READ;
1876 				ihp->data_length = htonl(buflen);
1877 			}
1878 		} else {
1879 			ihp->flags = ISCSI_FLAG_CMD_WRITE;
1880 			/*
1881 			 * FinalBit on the the iSCSI PDU denotes this
1882 			 * is the last PDU in the sequence.
1883 			 *
1884 			 * initial_r2t = true means R2T is required
1885 			 * for additional PDU, so there will be no more
1886 			 * unsolicited PDUs following
1887 			 */
1888 			if (icp->conn_params.initial_r2t) {
1889 				ihp->flags |= ISCSI_FLAG_FINAL;
1890 			}
1891 
1892 			/* Check if we should send ImmediateData */
1893 			if (icp->conn_params.immediate_data) {
1894 				imdata = MIN(MIN(buflen,
1895 				    first_burst_length),
1896 				    icmdp->cmd_conn->conn_params.
1897 				    max_xmit_data_seg_len);
1898 
1899 				/*
1900 				 * if everything fits immediate, or
1901 				 * we can send all burst data immediate
1902 				 * (not unsol), set F
1903 				 */
1904 				if ((imdata == buflen) ||
1905 				    (imdata == first_burst_length)) {
1906 					ihp->flags |= ISCSI_FLAG_FINAL;
1907 				}
1908 
1909 				hton24(ihp->dlength, imdata);
1910 			}
1911 
1912 			/* total data transfer length */
1913 			ihp->data_length = htonl(buflen);
1914 		}
1915 	} else {
1916 		ihp->flags = ISCSI_FLAG_FINAL;
1917 		buflen = 0;
1918 	}
1919 
1920 	/* tagged queuing */
1921 	if (pkt->pkt_flags & FLAG_HTAG) {
1922 		ihp->flags |= ISCSI_ATTR_HEAD_OF_QUEUE;
1923 	} else if (pkt->pkt_flags & FLAG_OTAG) {
1924 		ihp->flags |= ISCSI_ATTR_ORDERED;
1925 	} else if (pkt->pkt_flags & FLAG_STAG) {
1926 		ihp->flags |= ISCSI_ATTR_SIMPLE;
1927 	} else {
1928 		/* ihp->flags |= ISCSI_ATTR_UNTAGGED; */
1929 		/* EMPTY */
1930 	}
1931 
1932 	/* iscsi states lun is based on spc.2 */
1933 	ISCSI_LUN_BYTE_COPY(ihp->lun, icmdp->cmd_un.scsi.lun);
1934 
1935 	if (icmdp->cmd_un.scsi.cmdlen <= 16) {
1936 		/* copy the SCSI Command Block into the PDU */
1937 		bcopy(pkt->pkt_cdbp, ihp->scb,
1938 		    icmdp->cmd_un.scsi.cmdlen);
1939 	} else {
1940 		iscsi_addl_hdr_t *iahp;
1941 
1942 		iahp = (iscsi_addl_hdr_t *)ihp;
1943 
1944 		ihp->hlength = (ADDLHDRSZ(icmdp->cmd_un.scsi.cmdlen) -
1945 		    sizeof (iscsi_scsi_cmd_hdr_t) + 3) / 4;
1946 		iahp->ahs_hlen_hi = 0;
1947 		iahp->ahs_hlen_lo = (icmdp->cmd_un.scsi.cmdlen - 15);
1948 		iahp->ahs_key = 0x01;
1949 		iahp->ahs_resv = 0;
1950 		bcopy(pkt->pkt_cdbp, ihp->scb, 16);
1951 		bcopy(((char *)pkt->pkt_cdbp) + 16, &iahp->ahs_extscb[0],
1952 		    icmdp->cmd_un.scsi.cmdlen);
1953 	}
1954 
1955 	/*
1956 	 * Update all values before transfering.
1957 	 * We should never touch the icmdp after
1958 	 * transfering if there is no more data
1959 	 * to send.  The only case the sendpdu()
1960 	 * will fail is a on a connection disconnect
1961 	 * in that case the command will be flushed.
1962 	 */
1963 	pkt->pkt_state |= STATE_SENT_CMD;
1964 
1965 	icmdp->cmd_un.scsi.data_transferred += imdata;
1966 
1967 	/*
1968 	 * Check if there is additional data to transfer beyond what
1969 	 * will be sent as part of the initial command.  If InitialR2T
1970 	 * is disabled then we should fake up a R2T so all the data,
1971 	 * up to first burst length, is sent in an unsolicited
1972 	 * fashion.  We have already sent as much immediate data
1973 	 * as possible.
1974 	 */
1975 	if ((buflen > 0) &&
1976 	    ((bp->b_flags & B_READ) == 0) &&
1977 	    (icp->conn_params.initial_r2t == 0) &&
1978 	    (MIN(first_burst_length, buflen) - imdata > 0)) {
1979 
1980 		uint32_t xfer_len = MIN(first_burst_length, buflen) - imdata;
1981 		/* data will be chunked at tx */
1982 		iscsi_handle_r2t(icp, icmdp, imdata,
1983 		    xfer_len, ISCSI_RSVD_TASK_TAG);
1984 	}
1985 
1986 	/* release pending queue mutex across the network call */
1987 	mutex_exit(&isp->sess_queue_pending.mutex);
1988 
1989 	/* Transfer Cmd PDU */
1990 	if (imdata) {
1991 		rval = iscsi_net->sendpdu(icp->conn_socket,
1992 		    (iscsi_hdr_t *)ihp, icmdp->cmd_un.scsi.bp->b_un.b_addr,
1993 		    ISCSI_CONN_TO_NET_DIGEST(icp));
1994 		if (ISCSI_SUCCESS(rval)) {
1995 			KSTAT_ADD_CONN_TX_BYTES(icp, imdata);
1996 		}
1997 	} else {
1998 		rval = iscsi_net->sendpdu(icp->conn_socket,
1999 		    (iscsi_hdr_t *)ihp, NULL,
2000 		    ISCSI_CONN_TO_NET_DIGEST(icp));
2001 	}
2002 	if (cdblen) {
2003 		kmem_free(ihp, ADDLHDRSZ(cdblen));
2004 	}
2005 
2006 	return (rval);
2007 }
2008 
2009 
2010 /*
2011  * iscsi_tx_r2t -
2012  *
2013  */
2014 static iscsi_status_t
2015 iscsi_tx_r2t(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2016 {
2017 	iscsi_status_t	rval		= ISCSI_STATUS_SUCCESS;
2018 	iscsi_conn_t	*icp		= NULL;
2019 	iscsi_cmd_t	*orig_icmdp	= NULL;
2020 
2021 	ASSERT(isp != NULL);
2022 	ASSERT(icmdp != NULL);
2023 	icp = icmdp->cmd_conn;
2024 	ASSERT(icp);
2025 	orig_icmdp = icmdp->cmd_un.r2t.icmdp;
2026 	ASSERT(orig_icmdp);
2027 
2028 	/* validate the offset and length against the buffer size */
2029 	if ((icmdp->cmd_un.r2t.offset + icmdp->cmd_un.r2t.length) >
2030 	    orig_icmdp->cmd_un.scsi.bp->b_bcount) {
2031 		cmn_err(CE_WARN, "iscsi session(%u) ignoring invalid r2t "
2032 		    "for icmd itt:0x%x offset:0x%x length:0x%x bufsize:0x%lx",
2033 		    isp->sess_oid, icmdp->cmd_itt, icmdp->cmd_un.r2t.offset,
2034 		    icmdp->cmd_un.r2t.length, orig_icmdp->cmd_un.scsi.bp->
2035 		    b_bcount);
2036 		mutex_exit(&isp->sess_queue_pending.mutex);
2037 		return (ISCSI_STATUS_INTERNAL_ERROR);
2038 	}
2039 	ASSERT(orig_icmdp->cmd_un.scsi.r2t_icmdp);
2040 
2041 	rval = iscsi_tx_data(isp, icp, orig_icmdp, icmdp->cmd_ttt,
2042 	    icmdp->cmd_un.r2t.length, icmdp->cmd_un.r2t.offset);
2043 
2044 	mutex_enter(&orig_icmdp->cmd_mutex);
2045 	orig_icmdp->cmd_un.scsi.r2t_icmdp = NULL;
2046 	icmdp->cmd_un.r2t.icmdp = NULL;
2047 	/*
2048 	 * we're finished with this r2t; there could be another r2t
2049 	 * waiting on us to finish, so signal it.
2050 	 */
2051 	cv_broadcast(&orig_icmdp->cmd_completion);
2052 	mutex_exit(&orig_icmdp->cmd_mutex);
2053 	/*
2054 	 * the parent command may be waiting for us to finish; if so,
2055 	 * wake the _ic_ thread
2056 	 */
2057 	if ((orig_icmdp->cmd_state == ISCSI_CMD_STATE_COMPLETED) &&
2058 	    (ISCSI_SESS_STATE_FULL_FEATURE(isp->sess_state)) &&
2059 	    (orig_icmdp->cmd_un.scsi.r2t_more == B_FALSE))
2060 		iscsi_thread_send_wakeup(isp->sess_ic_thread);
2061 	ASSERT(!mutex_owned(&isp->sess_queue_pending.mutex));
2062 	return (rval);
2063 }
2064 
2065 
2066 /*
2067  * iscsi_tx_data -
2068  */
2069 static iscsi_status_t
2070 iscsi_tx_data(iscsi_sess_t *isp, iscsi_conn_t *icp, iscsi_cmd_t *icmdp,
2071     uint32_t ttt, size_t datalen, size_t offset)
2072 {
2073 	iscsi_status_t		rval		= ISCSI_STATUS_SUCCESS;
2074 	struct buf		*bp		= NULL;
2075 	size_t			remainder	= 0;
2076 	size_t			chunk		= 0;
2077 	char			*data		= NULL;
2078 	uint32_t		data_sn		= 0;
2079 	iscsi_data_hdr_t	idhp;
2080 	uint32_t		itt;
2081 	uint32_t		lun;
2082 
2083 	ASSERT(isp != NULL);
2084 	ASSERT(icp != NULL);
2085 	ASSERT(icmdp != NULL);
2086 	bp = icmdp->cmd_un.scsi.bp;
2087 
2088 	/* verify there is data to send */
2089 	if (bp == NULL) {
2090 		mutex_exit(&isp->sess_queue_pending.mutex);
2091 		return (ISCSI_STATUS_INTERNAL_ERROR);
2092 	}
2093 
2094 	itt = icmdp->cmd_itt;
2095 	lun = icmdp->cmd_un.scsi.lun;
2096 
2097 	/*
2098 	 * update the LUN with the amount of data we will
2099 	 * transfer.  If there is a failure it's because of
2100 	 * a network fault and the command will get flushed.
2101 	 */
2102 	icmdp->cmd_un.scsi.data_transferred += datalen;
2103 
2104 	/* release pending queue mutex across the network call */
2105 	mutex_exit(&isp->sess_queue_pending.mutex);
2106 
2107 	remainder = datalen;
2108 	while (remainder) {
2109 
2110 		/* Check so see if we need to chunk the data */
2111 		if ((icp->conn_params.max_xmit_data_seg_len > 0) &&
2112 		    (remainder > icp->conn_params.max_xmit_data_seg_len)) {
2113 			chunk = icp->conn_params.max_xmit_data_seg_len;
2114 		} else {
2115 			chunk = remainder;
2116 		}
2117 
2118 		/* setup iscsi data hdr */
2119 		bzero(&idhp, sizeof (iscsi_data_hdr_t));
2120 		idhp.opcode	= ISCSI_OP_SCSI_DATA;
2121 		idhp.itt	= itt;
2122 		idhp.ttt	= ttt;
2123 		ISCSI_LUN_BYTE_COPY(idhp.lun, lun);
2124 		idhp.expstatsn	= htonl(icp->conn_expstatsn);
2125 		icp->conn_laststatsn = icp->conn_expstatsn;
2126 		idhp.datasn	= htonl(data_sn);
2127 		data_sn++;
2128 		idhp.offset	= htonl(offset);
2129 		hton24(idhp.dlength, chunk);
2130 
2131 		if (chunk == remainder) {
2132 			idhp.flags = ISCSI_FLAG_FINAL; /* final chunk */
2133 		}
2134 
2135 		/* setup data */
2136 		data = bp->b_un.b_addr + offset;
2137 
2138 		/*
2139 		 * Keep track of how much data we have
2140 		 * transfer so far and how much is remaining.
2141 		 */
2142 		remainder -= chunk;
2143 		offset += chunk;
2144 
2145 		rval = iscsi_net->sendpdu(icp->conn_socket,
2146 		    (iscsi_hdr_t *)&idhp, data,
2147 		    ISCSI_CONN_TO_NET_DIGEST(icp));
2148 
2149 		if (ISCSI_SUCCESS(rval)) {
2150 			KSTAT_ADD_CONN_TX_BYTES(icp, chunk);
2151 		} else {
2152 			break;
2153 		}
2154 	}
2155 
2156 	return (rval);
2157 }
2158 
2159 
2160 /*
2161  * iscsi_tx_nop -
2162  *
2163  */
2164 static iscsi_status_t
2165 iscsi_tx_nop(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2166 {
2167 	iscsi_status_t		rval	= ISCSI_STATUS_SUCCESS;
2168 	iscsi_conn_t		*icp	= NULL;
2169 	iscsi_nop_out_hdr_t	inohp;
2170 
2171 	ASSERT(isp != NULL);
2172 	ASSERT(icmdp != NULL);
2173 	icp = icmdp->cmd_conn;
2174 	ASSERT(icp != NULL);
2175 
2176 	bzero(&inohp, sizeof (iscsi_nop_out_hdr_t));
2177 	inohp.opcode	= ISCSI_OP_NOOP_OUT | ISCSI_OP_IMMEDIATE;
2178 	inohp.flags	= ISCSI_FLAG_FINAL;
2179 	inohp.itt	= icmdp->cmd_itt;
2180 	inohp.ttt	= icmdp->cmd_ttt;
2181 	mutex_enter(&isp->sess_cmdsn_mutex);
2182 	inohp.cmdsn	= htonl(isp->sess_cmdsn);
2183 	mutex_exit(&isp->sess_cmdsn_mutex);
2184 	inohp.expstatsn	= htonl(icp->conn_expstatsn);
2185 	icp->conn_laststatsn = icp->conn_expstatsn;
2186 
2187 	/* release pending queue mutex across the network call */
2188 	mutex_exit(&isp->sess_queue_pending.mutex);
2189 
2190 	rval = iscsi_net->sendpdu(icp->conn_socket,
2191 	    (iscsi_hdr_t *)&inohp, NULL,
2192 	    ISCSI_CONN_TO_NET_DIGEST(icp));
2193 
2194 	return (rval);
2195 }
2196 
2197 
2198 /*
2199  * iscsi_tx_abort -
2200  *
2201  */
2202 static iscsi_status_t
2203 iscsi_tx_abort(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2204 {
2205 	iscsi_status_t			rval	= ISCSI_STATUS_SUCCESS;
2206 	iscsi_conn_t			*icp	= NULL;
2207 	iscsi_scsi_task_mgt_hdr_t	istmh;
2208 
2209 	ASSERT(isp != NULL);
2210 	ASSERT(icmdp != NULL);
2211 	icp = icmdp->cmd_conn;
2212 	ASSERT(icp != NULL);
2213 
2214 	bzero(&istmh, sizeof (iscsi_scsi_task_mgt_hdr_t));
2215 	mutex_enter(&isp->sess_cmdsn_mutex);
2216 	istmh.cmdsn	= htonl(isp->sess_cmdsn);
2217 	mutex_exit(&isp->sess_cmdsn_mutex);
2218 	istmh.expstatsn = htonl(icp->conn_expstatsn);
2219 	icp->conn_laststatsn = icp->conn_expstatsn;
2220 	istmh.itt	= icmdp->cmd_itt;
2221 	istmh.opcode	= ISCSI_OP_SCSI_TASK_MGT_MSG | ISCSI_OP_IMMEDIATE;
2222 	istmh.function	= ISCSI_FLAG_FINAL | ISCSI_TM_FUNC_ABORT_TASK;
2223 	ISCSI_LUN_BYTE_COPY(istmh.lun,
2224 	    icmdp->cmd_un.abort.icmdp->cmd_un.scsi.lun);
2225 	istmh.rtt	= icmdp->cmd_un.abort.icmdp->cmd_itt;
2226 
2227 	/* release pending queue mutex across the network call */
2228 	mutex_exit(&isp->sess_queue_pending.mutex);
2229 
2230 	rval = iscsi_net->sendpdu(icp->conn_socket,
2231 	    (iscsi_hdr_t *)&istmh, NULL,
2232 	    ISCSI_CONN_TO_NET_DIGEST(icp));
2233 
2234 	return (rval);
2235 }
2236 
2237 
2238 /*
2239  * iscsi_tx_reset -
2240  *
2241  */
2242 static iscsi_status_t
2243 iscsi_tx_reset(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2244 {
2245 	iscsi_status_t			rval	= ISCSI_STATUS_SUCCESS;
2246 	iscsi_conn_t			*icp	= NULL;
2247 	iscsi_scsi_task_mgt_hdr_t	istmh;
2248 
2249 	ASSERT(isp != NULL);
2250 	ASSERT(icmdp != NULL);
2251 	icp = icmdp->cmd_conn;
2252 	ASSERT(icp != NULL);
2253 
2254 	bzero(&istmh, sizeof (iscsi_scsi_task_mgt_hdr_t));
2255 	istmh.opcode	= ISCSI_OP_SCSI_TASK_MGT_MSG | ISCSI_OP_IMMEDIATE;
2256 	mutex_enter(&isp->sess_cmdsn_mutex);
2257 	istmh.cmdsn	= htonl(isp->sess_cmdsn);
2258 	mutex_exit(&isp->sess_cmdsn_mutex);
2259 	istmh.expstatsn	= htonl(icp->conn_expstatsn);
2260 	istmh.itt	= icmdp->cmd_itt;
2261 
2262 	switch (icmdp->cmd_un.reset.level) {
2263 	case RESET_LUN:
2264 		istmh.function	= ISCSI_FLAG_FINAL |
2265 		    ISCSI_TM_FUNC_LOGICAL_UNIT_RESET;
2266 		ISCSI_LUN_BYTE_COPY(istmh.lun, icmdp->cmd_lun->lun_num);
2267 		break;
2268 	case RESET_TARGET:
2269 	case RESET_BUS:
2270 		istmh.function	= ISCSI_FLAG_FINAL |
2271 		    ISCSI_TM_FUNC_TARGET_WARM_RESET;
2272 		break;
2273 	default:
2274 		/* unsupported / unknown level */
2275 		ASSERT(FALSE);
2276 		break;
2277 	}
2278 
2279 	/* release pending queue mutex across the network call */
2280 	mutex_exit(&isp->sess_queue_pending.mutex);
2281 
2282 	rval = iscsi_net->sendpdu(icp->conn_socket,
2283 	    (iscsi_hdr_t *)&istmh, NULL,
2284 	    ISCSI_CONN_TO_NET_DIGEST(icp));
2285 
2286 	return (rval);
2287 }
2288 
2289 
2290 /*
2291  * iscsi_tx_logout -
2292  *
2293  */
2294 static iscsi_status_t
2295 iscsi_tx_logout(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2296 {
2297 	iscsi_status_t		rval	= ISCSI_STATUS_SUCCESS;
2298 	iscsi_conn_t		*icp	= NULL;
2299 	iscsi_logout_hdr_t	ilh;
2300 
2301 	ASSERT(isp != NULL);
2302 	ASSERT(icmdp != NULL);
2303 	icp = icmdp->cmd_conn;
2304 	ASSERT(icp != NULL);
2305 
2306 	bzero(&ilh, sizeof (iscsi_logout_hdr_t));
2307 	ilh.opcode	= ISCSI_OP_LOGOUT_CMD | ISCSI_OP_IMMEDIATE;
2308 	ilh.flags	= ISCSI_FLAG_FINAL | ISCSI_LOGOUT_REASON_CLOSE_SESSION;
2309 	ilh.itt		= icmdp->cmd_itt;
2310 	ilh.cid		= icp->conn_cid;
2311 	mutex_enter(&isp->sess_cmdsn_mutex);
2312 	ilh.cmdsn	= htonl(isp->sess_cmdsn);
2313 	mutex_exit(&isp->sess_cmdsn_mutex);
2314 	ilh.expstatsn	= htonl(icp->conn_expstatsn);
2315 
2316 	/* release pending queue mutex across the network call */
2317 	mutex_exit(&isp->sess_queue_pending.mutex);
2318 
2319 	rval = iscsi_net->sendpdu(icp->conn_socket,
2320 	    (iscsi_hdr_t *)&ilh, NULL,
2321 	    ISCSI_CONN_TO_NET_DIGEST(icp));
2322 
2323 	return (rval);
2324 }
2325 
2326 /*
2327  * iscsi_tx_text - setup iSCSI text request header and send PDU with
2328  * data given in the buffer attached to the command.  For a single
2329  * text request, the target may need to send its response in multiple
2330  * text response.  In this case, empty text requests are sent after
2331  * each received response to notify the target the initiator is ready
2332  * for more response.  For the initial request, the data_len field in
2333  * the text specific portion of a command is set to the amount of data
2334  * the initiator wants to send as part of the request. If additional
2335  * empty text requests are required for long responses, the data_len
2336  * field is set to 0 by the iscsi_handle_text function.
2337  */
2338 static iscsi_status_t
2339 iscsi_tx_text(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2340 {
2341 	iscsi_status_t		rval	= ISCSI_STATUS_SUCCESS;
2342 	iscsi_conn_t		*icp	= NULL;
2343 	iscsi_text_hdr_t	ith;
2344 
2345 	ASSERT(isp != NULL);
2346 	ASSERT(icmdp != NULL);
2347 	icp = icmdp->cmd_conn;
2348 	ASSERT(icp != NULL);
2349 
2350 	bzero(&ith, sizeof (iscsi_text_hdr_t));
2351 	ith.opcode	= ISCSI_OP_TEXT_CMD;
2352 	ith.flags	= ISCSI_FLAG_FINAL;
2353 	hton24(ith.dlength, icmdp->cmd_un.text.data_len);
2354 	ith.itt		= icmdp->cmd_itt;
2355 	ith.ttt		= icmdp->cmd_un.text.ttt;
2356 	mutex_enter(&isp->sess_cmdsn_mutex);
2357 	ith.cmdsn	= htonl(isp->sess_cmdsn);
2358 	isp->sess_cmdsn++;
2359 	ith.expstatsn	= htonl(icp->conn_expstatsn);
2360 	mutex_exit(&isp->sess_cmdsn_mutex);
2361 	bcopy(icmdp->cmd_un.text.lun, ith.rsvd4, sizeof (ith.rsvd4));
2362 
2363 	/* release pending queue mutex across the network call */
2364 	mutex_exit(&isp->sess_queue_pending.mutex);
2365 
2366 	rval = iscsi_net->sendpdu(icp->conn_socket,
2367 	    (iscsi_hdr_t *)&ith, icmdp->cmd_un.text.buf,
2368 	    ISCSI_CONN_TO_NET_DIGEST(icp));
2369 
2370 	return (rval);
2371 }
2372 
2373 /*
2374  * +--------------------------------------------------------------------+
2375  * | End of protocol send routines					|
2376  * +--------------------------------------------------------------------+
2377  */
2378 
2379 /*
2380  * iscsi_handle_r2t - Create a R2T and put it into the pending queue.
2381  *
2382  * Since the rx thread can hold the pending mutex, the tx thread or wd
2383  * thread may not have chance to check the commands in the pending queue.
2384  * So if the previous R2T is still there, we will release the related
2385  * mutex and wait for its completion in case of deadlock.
2386  */
2387 static void
2388 iscsi_handle_r2t(iscsi_conn_t *icp, iscsi_cmd_t *icmdp,
2389     uint32_t offset, uint32_t length, uint32_t ttt)
2390 {
2391 	iscsi_sess_t	*isp		= NULL;
2392 	iscsi_cmd_t	*new_icmdp	= NULL;
2393 	int		owned		= 0;
2394 
2395 	ASSERT(icp != NULL);
2396 	isp = icp->conn_sess;
2397 	ASSERT(isp != NULL);
2398 
2399 	if (icmdp->cmd_un.scsi.r2t_icmdp != NULL) {
2400 		/*
2401 		 * Occasionally the tx thread doesn't have a chance to
2402 		 * send commands when we hold the pending mutex.
2403 		 * So we should mark this scsi command with more R2T
2404 		 * and release the mutex. Then wait for completion.
2405 		 */
2406 		icmdp->cmd_un.scsi.r2t_more = B_TRUE;
2407 
2408 		mutex_exit(&icmdp->cmd_mutex);
2409 		owned = mutex_owned(&icp->conn_queue_active.mutex);
2410 		if (owned != 0) {
2411 			mutex_exit(&icp->conn_queue_active.mutex);
2412 		}
2413 		mutex_exit(&isp->sess_queue_pending.mutex);
2414 
2415 		/*
2416 		 * the transmission from a previous r2t can be
2417 		 * slow to return; the array may have sent
2418 		 * another r2t at this point, so wait until
2419 		 * the first one finishes and signals us.
2420 		 */
2421 		mutex_enter(&icmdp->cmd_mutex);
2422 		while (icmdp->cmd_un.scsi.r2t_icmdp != NULL) {
2423 			ASSERT(icmdp->cmd_state != ISCSI_CMD_STATE_COMPLETED);
2424 			cv_wait(&icmdp->cmd_completion, &icmdp->cmd_mutex);
2425 		}
2426 		mutex_exit(&icmdp->cmd_mutex);
2427 
2428 		mutex_enter(&isp->sess_queue_pending.mutex);
2429 		if (owned != 0) {
2430 			mutex_enter(&icp->conn_queue_active.mutex);
2431 		}
2432 		mutex_enter(&icmdp->cmd_mutex);
2433 	}
2434 
2435 	/*
2436 	 * try to create an R2T task to send it later.  If we can't,
2437 	 * we're screwed, and the command will eventually time out
2438 	 * and be retried by the SCSI layer.
2439 	 */
2440 	new_icmdp = iscsi_cmd_alloc(icp, KM_SLEEP);
2441 	new_icmdp->cmd_type		= ISCSI_CMD_TYPE_R2T;
2442 	new_icmdp->cmd_un.r2t.icmdp	= icmdp;
2443 	new_icmdp->cmd_un.r2t.offset	= offset;
2444 	new_icmdp->cmd_un.r2t.length	= length;
2445 	new_icmdp->cmd_ttt		= ttt;
2446 	new_icmdp->cmd_itt		= icmdp->cmd_itt;
2447 	new_icmdp->cmd_lun		= icmdp->cmd_lun;
2448 	icmdp->cmd_un.scsi.r2t_icmdp	= new_icmdp;
2449 	icmdp->cmd_un.scsi.r2t_more	= B_FALSE;
2450 
2451 	/*
2452 	 * pending queue mutex is already held by the
2453 	 * tx_thread or rtt_rsp function.
2454 	 */
2455 	iscsi_cmd_state_machine(new_icmdp, ISCSI_CMD_EVENT_E1, isp);
2456 }
2457 
2458 
2459 /*
2460  * iscsi_handle_abort -
2461  *
2462  */
2463 void
2464 iscsi_handle_abort(void *arg)
2465 {
2466 	iscsi_sess_t	*isp		= NULL;
2467 	iscsi_cmd_t	*icmdp		= (iscsi_cmd_t *)arg;
2468 	iscsi_cmd_t	*new_icmdp;
2469 	iscsi_conn_t	*icp;
2470 
2471 	ASSERT(icmdp != NULL);
2472 	icp = icmdp->cmd_conn;
2473 	ASSERT(icp != NULL);
2474 	isp = icp->conn_sess;
2475 	ASSERT(isp != NULL);
2476 
2477 	/* there should only be one abort */
2478 	ASSERT(icmdp->cmd_un.scsi.abort_icmdp == NULL);
2479 
2480 	new_icmdp = iscsi_cmd_alloc(icp, KM_SLEEP);
2481 	new_icmdp->cmd_type		= ISCSI_CMD_TYPE_ABORT;
2482 	new_icmdp->cmd_lun		= icmdp->cmd_lun;
2483 	new_icmdp->cmd_un.abort.icmdp	= icmdp;
2484 	new_icmdp->cmd_conn		= icmdp->cmd_conn;
2485 	icmdp->cmd_un.scsi.abort_icmdp	= new_icmdp;
2486 
2487 	/* pending queue mutex is already held by timeout_checks */
2488 	iscsi_cmd_state_machine(new_icmdp, ISCSI_CMD_EVENT_E1, isp);
2489 }
2490 
2491 
2492 /*
2493  * iscsi_handle_nop -
2494  *
2495  */
2496 static void
2497 iscsi_handle_nop(iscsi_conn_t *icp, uint32_t itt, uint32_t ttt)
2498 {
2499 	iscsi_sess_t	*isp	= NULL;
2500 	iscsi_cmd_t	*icmdp	= NULL;
2501 
2502 	ASSERT(icp != NULL);
2503 	isp = icp->conn_sess;
2504 	ASSERT(isp != NULL);
2505 
2506 	icmdp = iscsi_cmd_alloc(icp, KM_NOSLEEP);
2507 	if (icmdp == NULL) {
2508 		return;
2509 	}
2510 
2511 	icmdp->cmd_type		= ISCSI_CMD_TYPE_NOP;
2512 	icmdp->cmd_itt		= itt;
2513 	icmdp->cmd_ttt		= ttt;
2514 	icmdp->cmd_lun		= NULL;
2515 	icp->conn_nop_lbolt	= ddi_get_lbolt();
2516 
2517 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E1, isp);
2518 }
2519 
2520 /*
2521  * iscsi_handle_reset -
2522  *
2523  */
2524 iscsi_status_t
2525 iscsi_handle_reset(iscsi_sess_t *isp, int level, iscsi_lun_t *ilp)
2526 {
2527 	iscsi_status_t	rval	= ISCSI_STATUS_SUCCESS;
2528 	iscsi_conn_t	*icp;
2529 	iscsi_cmd_t	icmd;
2530 
2531 	ASSERT(isp != NULL);
2532 
2533 	bzero(&icmd, sizeof (iscsi_cmd_t));
2534 	icmd.cmd_sig		= ISCSI_SIG_CMD;
2535 	icmd.cmd_state		= ISCSI_CMD_STATE_FREE;
2536 	icmd.cmd_type		= ISCSI_CMD_TYPE_RESET;
2537 	icmd.cmd_lun		= ilp;
2538 	icmd.cmd_un.reset.level	= level;
2539 	icmd.cmd_result		= ISCSI_STATUS_SUCCESS;
2540 	icmd.cmd_completed	= B_FALSE;
2541 	mutex_init(&icmd.cmd_mutex, NULL, MUTEX_DRIVER, NULL);
2542 	cv_init(&icmd.cmd_completion, NULL, CV_DRIVER, NULL);
2543 	/*
2544 	 * If we received an IO and we are not in the
2545 	 * LOGGED_IN state we are in the process of
2546 	 * failing.  Just respond that we are BUSY.
2547 	 */
2548 	mutex_enter(&isp->sess_state_mutex);
2549 	if (!ISCSI_SESS_STATE_FULL_FEATURE(isp->sess_state)) {
2550 		/* We aren't connected to the target fake success */
2551 		mutex_exit(&isp->sess_state_mutex);
2552 		return (ISCSI_STATUS_SUCCESS);
2553 	}
2554 
2555 	mutex_enter(&isp->sess_queue_pending.mutex);
2556 	iscsi_cmd_state_machine(&icmd, ISCSI_CMD_EVENT_E1, isp);
2557 	mutex_exit(&isp->sess_queue_pending.mutex);
2558 	mutex_exit(&isp->sess_state_mutex);
2559 
2560 	/* stall until completed */
2561 	mutex_enter(&icmd.cmd_mutex);
2562 	while (icmd.cmd_completed == B_FALSE) {
2563 		cv_wait(&icmd.cmd_completion, &icmd.cmd_mutex);
2564 	}
2565 	mutex_exit(&icmd.cmd_mutex);
2566 
2567 	/* copy rval */
2568 	rval = icmd.cmd_result;
2569 
2570 	if (rval == ISCSI_STATUS_SUCCESS) {
2571 		/*
2572 		 * Reset was successful.  We need to flush
2573 		 * all active IOs.
2574 		 */
2575 		rw_enter(&isp->sess_conn_list_rwlock, RW_READER);
2576 		icp = isp->sess_conn_list;
2577 		while (icp != NULL) {
2578 			iscsi_cmd_t *t_icmdp = NULL;
2579 
2580 			mutex_enter(&icp->conn_queue_active.mutex);
2581 			t_icmdp = icp->conn_queue_active.head;
2582 			while (t_icmdp != NULL) {
2583 				iscsi_cmd_state_machine(t_icmdp,
2584 				    ISCSI_CMD_EVENT_E7, isp);
2585 				t_icmdp = icp->conn_queue_active.head;
2586 			}
2587 
2588 			mutex_exit(&icp->conn_queue_active.mutex);
2589 			icp = icp->conn_next;
2590 		}
2591 		rw_exit(&isp->sess_conn_list_rwlock);
2592 	}
2593 
2594 	/* clean up */
2595 	cv_destroy(&icmd.cmd_completion);
2596 	mutex_destroy(&icmd.cmd_mutex);
2597 
2598 	return (rval);
2599 }
2600 
2601 
2602 /*
2603  * iscsi_handle_logout - This function will issue a logout for
2604  * the session from a specific connection.
2605  */
2606 iscsi_status_t
2607 iscsi_handle_logout(iscsi_conn_t *icp)
2608 {
2609 	iscsi_sess_t	*isp;
2610 	iscsi_cmd_t	*icmdp;
2611 	int		rval;
2612 
2613 	ASSERT(icp != NULL);
2614 	isp = icp->conn_sess;
2615 	ASSERT(isp != NULL);
2616 	ASSERT(isp->sess_hba != NULL);
2617 
2618 	icmdp = iscsi_cmd_alloc(icp, KM_SLEEP);
2619 	ASSERT(icmdp != NULL);
2620 	icmdp->cmd_type		= ISCSI_CMD_TYPE_LOGOUT;
2621 	icmdp->cmd_result	= ISCSI_STATUS_SUCCESS;
2622 	icmdp->cmd_completed	= B_FALSE;
2623 
2624 	mutex_enter(&isp->sess_queue_pending.mutex);
2625 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E1, isp);
2626 	mutex_exit(&isp->sess_queue_pending.mutex);
2627 
2628 	/*
2629 	 * release connection state mutex to avoid a deadlock.  This
2630 	 * function is called from within the connection state
2631 	 * machine with the lock held.  When the logout response is
2632 	 * received another call to the connection state machine
2633 	 * occurs which causes the deadlock
2634 	 */
2635 	mutex_exit(&icp->conn_state_mutex);
2636 
2637 	/* stall until completed */
2638 	mutex_enter(&icmdp->cmd_mutex);
2639 	while (icmdp->cmd_completed == B_FALSE) {
2640 		cv_wait(&icmdp->cmd_completion, &icmdp->cmd_mutex);
2641 	}
2642 	mutex_exit(&icmdp->cmd_mutex);
2643 	mutex_enter(&icp->conn_state_mutex);
2644 
2645 	/* copy rval */
2646 	rval = icmdp->cmd_result;
2647 
2648 	/*
2649 	 * another way to do this would be to send t17 unconditionally,
2650 	 * but then the _rx_ thread would get bumped out with a receive
2651 	 * error, and send another t17.
2652 	 */
2653 	if (rval != ISCSI_STATUS_SUCCESS) {
2654 		(void) iscsi_conn_state_machine(icp, ISCSI_CONN_EVENT_T17);
2655 	}
2656 
2657 	/* clean up */
2658 	iscsi_cmd_free(icmdp);
2659 
2660 	return (rval);
2661 }
2662 
2663 /*
2664  * iscsi_handle_text - main control function for iSCSI text requests.  This
2665  * function handles allocating the command, sending initial text request, and
2666  * handling long response sequence.
2667  * If a data overflow condition occurs, iscsi_handle_text continues to
2668  * receive responses until the all data has been recieved.  This allows
2669  * the full data length to be returned to the caller.
2670  */
2671 iscsi_status_t
2672 iscsi_handle_text(iscsi_conn_t *icp, char *buf, uint32_t buf_len,
2673     uint32_t data_len, uint32_t *rx_data_len)
2674 {
2675 	iscsi_sess_t	*isp;
2676 	iscsi_cmd_t	*icmdp;
2677 	iscsi_status_t	rval	= ISCSI_STATUS_SUCCESS;
2678 
2679 	ASSERT(icp != NULL);
2680 	ASSERT(buf != NULL);
2681 	ASSERT(rx_data_len != NULL);
2682 
2683 	isp = icp->conn_sess;
2684 	ASSERT(isp != NULL);
2685 
2686 	/*
2687 	 * Ensure data for text request command is not greater
2688 	 * than the negotiated maximum receive data seqment length.
2689 	 *
2690 	 * Although iSCSI allows for long text requests (multiple
2691 	 * pdus), this function places a restriction on text
2692 	 * requests to ensure it is handled by a single PDU.
2693 	 */
2694 	if (data_len > icp->conn_params.max_xmit_data_seg_len) {
2695 		return (ISCSI_STATUS_CMD_FAILED);
2696 	}
2697 
2698 	icmdp = iscsi_cmd_alloc(icp, KM_SLEEP);
2699 	ASSERT(icmdp != NULL);
2700 
2701 	icmdp->cmd_type		= ISCSI_CMD_TYPE_TEXT;
2702 	icmdp->cmd_result	= ISCSI_STATUS_SUCCESS;
2703 	icmdp->cmd_misc_flags	&= ~ISCSI_CMD_MISCFLAG_FREE;
2704 	icmdp->cmd_completed	= B_FALSE;
2705 
2706 	icmdp->cmd_un.text.buf		= buf;
2707 	icmdp->cmd_un.text.buf_len	= buf_len;
2708 	icmdp->cmd_un.text.offset	= 0;
2709 	icmdp->cmd_un.text.data_len	= data_len;
2710 	icmdp->cmd_un.text.total_rx_len	= 0;
2711 	icmdp->cmd_un.text.ttt		= ISCSI_RSVD_TASK_TAG;
2712 	icmdp->cmd_un.text.stage	= ISCSI_CMD_TEXT_INITIAL_REQ;
2713 
2714 long_text_response:
2715 	mutex_enter(&isp->sess_state_mutex);
2716 	if (!ISCSI_SESS_STATE_FULL_FEATURE(isp->sess_state)) {
2717 		iscsi_cmd_free(icmdp);
2718 		mutex_exit(&isp->sess_state_mutex);
2719 		return (ISCSI_STATUS_NO_CONN_LOGGED_IN);
2720 	}
2721 
2722 	mutex_enter(&isp->sess_queue_pending.mutex);
2723 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E1, isp);
2724 	mutex_exit(&isp->sess_queue_pending.mutex);
2725 	mutex_exit(&isp->sess_state_mutex);
2726 
2727 	/* stall until completed */
2728 	mutex_enter(&icmdp->cmd_mutex);
2729 	while (icmdp->cmd_completed == B_FALSE) {
2730 		cv_wait(&icmdp->cmd_completion, &icmdp->cmd_mutex);
2731 	}
2732 	mutex_exit(&icmdp->cmd_mutex);
2733 
2734 	/*
2735 	 * check if error occured.  If data overflow occured, continue on
2736 	 * to ensure we get all data so that the full data length can be
2737 	 * returned to the user
2738 	 */
2739 	if ((icmdp->cmd_result != ISCSI_STATUS_SUCCESS) &&
2740 	    (icmdp->cmd_result != ISCSI_STATUS_DATA_OVERFLOW)) {
2741 		cmn_err(CE_NOTE, "iscsi: SendTarget discovery failed (%d)",
2742 		    icmdp->cmd_result);
2743 		rval = icmdp->cmd_result;
2744 		iscsi_cmd_free(icmdp);
2745 		return (rval);
2746 	}
2747 
2748 	/* check if this was a partial text PDU  */
2749 	if (icmdp->cmd_un.text.stage != ISCSI_CMD_TEXT_FINAL_RSP) {
2750 		/*
2751 		 * If a paritial text rexponse received, send an empty
2752 		 * text request.  This follows the behaviour specified
2753 		 * in RFC3720 regarding long text responses.
2754 		 */
2755 		icmdp->cmd_misc_flags		&= ~ISCSI_CMD_MISCFLAG_FREE;
2756 		icmdp->cmd_completed		= B_FALSE;
2757 		icmdp->cmd_un.text.data_len	= 0;
2758 		icmdp->cmd_un.text.stage	= ISCSI_CMD_TEXT_CONTINUATION;
2759 		goto long_text_response;
2760 	}
2761 
2762 	/*
2763 	 * set total received data length.  If data overflow this would be
2764 	 * amount of data that would have been received if buffer large
2765 	 * enough.
2766 	 */
2767 	*rx_data_len = icmdp->cmd_un.text.total_rx_len;
2768 
2769 	/* copy rval */
2770 	rval = icmdp->cmd_result;
2771 
2772 	/* clean up  */
2773 	iscsi_cmd_free(icmdp);
2774 
2775 	return (rval);
2776 }
2777 
2778 /*
2779  * iscsi_handle_passthru - This function is used to send a uscsi_cmd
2780  * to a specific target lun.  This routine is used for internal purposes
2781  * during enumeration and via the ISCSI_USCSICMD IOCTL.  We restrict
2782  * the CDBs that can be issued to a target/lun to INQUIRY, REPORT_LUNS,
2783  * and READ_CAPACITY for security purposes.
2784  *
2785  * The logic here is broken into three phases.
2786  * 1) Allocate and initialize a pkt/icmdp
2787  * 2) Send the pkt/icmdp
2788  * 3) cv_wait for completion
2789  */
2790 iscsi_status_t
2791 iscsi_handle_passthru(iscsi_sess_t *isp, uint16_t lun, struct uscsi_cmd *ucmdp)
2792 {
2793 	iscsi_status_t		rval		= ISCSI_STATUS_SUCCESS;
2794 	iscsi_cmd_t		*icmdp		= NULL;
2795 	struct scsi_pkt		*pkt		= NULL;
2796 	struct buf		*bp		= NULL;
2797 	struct scsi_arq_status  *arqstat	= NULL;
2798 	int			rqlen		= SENSE_LENGTH;
2799 
2800 	ASSERT(isp != NULL);
2801 	ASSERT(ucmdp != NULL);
2802 
2803 	/*
2804 	 * If the caller didn't provide a sense buffer we need
2805 	 * to allocation one to get the scsi status.
2806 	 */
2807 	if (ucmdp->uscsi_rqlen > SENSE_LENGTH) {
2808 		rqlen = ucmdp->uscsi_rqlen;
2809 	}
2810 
2811 	/*
2812 	 * Step 1. Setup structs - KM_SLEEP will always succeed
2813 	 */
2814 	bp = kmem_zalloc(sizeof (struct buf), KM_SLEEP);
2815 	ASSERT(bp != NULL);
2816 	pkt = kmem_zalloc(sizeof (struct scsi_pkt), KM_SLEEP);
2817 	ASSERT(pkt != NULL);
2818 	icmdp = iscsi_cmd_alloc(NULL, KM_SLEEP);
2819 	ASSERT(icmdp != NULL);
2820 
2821 	/* setup bp structure */
2822 	bp->b_flags		= B_READ;
2823 	bp->b_bcount		= ucmdp->uscsi_buflen;
2824 	bp->b_un.b_addr		= ucmdp->uscsi_bufaddr;
2825 
2826 	/* setup scsi_pkt structure */
2827 	pkt->pkt_ha_private	= icmdp;
2828 	pkt->pkt_scbp		= kmem_zalloc(rqlen, KM_SLEEP);
2829 	pkt->pkt_cdbp		= kmem_zalloc(ucmdp->uscsi_cdblen, KM_SLEEP);
2830 	/* callback routine for passthru, will wake cv_wait */
2831 	pkt->pkt_comp		= iscsi_handle_passthru_callback;
2832 	pkt->pkt_time		= ucmdp->uscsi_timeout;
2833 
2834 	/* setup iscsi_cmd structure */
2835 	icmdp->cmd_lun			= NULL;
2836 	icmdp->cmd_type			= ISCSI_CMD_TYPE_SCSI;
2837 	icmdp->cmd_un.scsi.lun		= lun;
2838 	icmdp->cmd_un.scsi.pkt		= pkt;
2839 	icmdp->cmd_un.scsi.bp		= bp;
2840 	bcopy(ucmdp->uscsi_cdb, pkt->pkt_cdbp, ucmdp->uscsi_cdblen);
2841 	icmdp->cmd_un.scsi.cmdlen	= ucmdp->uscsi_cdblen;
2842 	icmdp->cmd_un.scsi.statuslen	= rqlen;
2843 	icmdp->cmd_crc_error_seen	= B_FALSE;
2844 	icmdp->cmd_completed		= B_FALSE;
2845 	icmdp->cmd_result		= ISCSI_STATUS_SUCCESS;
2846 
2847 	/*
2848 	 * Step 2. Push IO onto pending queue.  If we aren't in
2849 	 * FULL_FEATURE we need to fail the IO.
2850 	 */
2851 	mutex_enter(&isp->sess_state_mutex);
2852 	if (!ISCSI_SESS_STATE_FULL_FEATURE(isp->sess_state)) {
2853 		mutex_exit(&isp->sess_state_mutex);
2854 
2855 		iscsi_cmd_free(icmdp);
2856 		kmem_free(pkt->pkt_cdbp, ucmdp->uscsi_cdblen);
2857 		kmem_free(pkt->pkt_scbp, rqlen);
2858 		kmem_free(pkt, sizeof (struct scsi_pkt));
2859 		kmem_free(bp, sizeof (struct buf));
2860 
2861 		return (ISCSI_STATUS_CMD_FAILED);
2862 	}
2863 
2864 	mutex_enter(&isp->sess_queue_pending.mutex);
2865 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E1, isp);
2866 	mutex_exit(&isp->sess_queue_pending.mutex);
2867 	mutex_exit(&isp->sess_state_mutex);
2868 
2869 	/*
2870 	 * Step 3. Wait on cv_wait for completion routine
2871 	 */
2872 	mutex_enter(&icmdp->cmd_mutex);
2873 	while (icmdp->cmd_completed == B_FALSE) {
2874 		cv_wait(&icmdp->cmd_completion, &icmdp->cmd_mutex);
2875 	}
2876 	mutex_exit(&icmdp->cmd_mutex);
2877 
2878 	/* copy rval */
2879 	rval = icmdp->cmd_result;
2880 
2881 	ucmdp->uscsi_resid = pkt->pkt_resid;
2882 
2883 	/* update scsi status */
2884 	arqstat = (struct scsi_arq_status *)pkt->pkt_scbp;
2885 	ucmdp->uscsi_status = ((char *)&arqstat->sts_status)[0];
2886 
2887 	/* copy request sense buffers if caller gave space */
2888 	if ((ucmdp->uscsi_rqlen > 0) &&
2889 	    (ucmdp->uscsi_rqbuf != NULL)) {
2890 		bcopy(arqstat, ucmdp->uscsi_rqbuf,
2891 		    MIN(sizeof (struct scsi_arq_status), rqlen));
2892 	}
2893 
2894 	/* clean up */
2895 	iscsi_cmd_free(icmdp);
2896 	kmem_free(pkt->pkt_cdbp, ucmdp->uscsi_cdblen);
2897 	kmem_free(pkt->pkt_scbp, rqlen);
2898 	kmem_free(pkt, sizeof (struct scsi_pkt));
2899 	kmem_free(bp, sizeof (struct buf));
2900 
2901 	return (rval);
2902 }
2903 
2904 
2905 /*
2906  * iscsi_handle_passthru_callback -
2907  *
2908  */
2909 static void
2910 iscsi_handle_passthru_callback(struct scsi_pkt *pkt)
2911 {
2912 	iscsi_cmd_t		*icmdp  = NULL;
2913 
2914 	ASSERT(pkt != NULL);
2915 	icmdp = (iscsi_cmd_t *)pkt->pkt_ha_private;
2916 	ASSERT(icmdp != NULL);
2917 
2918 	mutex_enter(&icmdp->cmd_mutex);
2919 	icmdp->cmd_completed    = B_TRUE;
2920 	icmdp->cmd_result	= ISCSI_STATUS_SUCCESS;
2921 	cv_broadcast(&icmdp->cmd_completion);
2922 	mutex_exit(&icmdp->cmd_mutex);
2923 
2924 }
2925 
2926 /*
2927  * +--------------------------------------------------------------------+
2928  * | Beginning of completion routines					|
2929  * +--------------------------------------------------------------------+
2930  */
2931 
2932 /*
2933  * iscsi_ic_thread -
2934  */
2935 void
2936 iscsi_ic_thread(iscsi_thread_t *thread, void *arg)
2937 {
2938 	iscsi_sess_t	*isp = (iscsi_sess_t *)arg;
2939 	int		ret;
2940 	iscsi_queue_t	q;
2941 	iscsi_cmd_t	*icmdp;
2942 	iscsi_cmd_t	*next_icmdp;
2943 
2944 	ASSERT(isp != NULL);
2945 	ASSERT(thread != NULL);
2946 	ASSERT(thread->signature == SIG_ISCSI_THREAD);
2947 
2948 	for (;;) {
2949 
2950 		/*
2951 		 * We wait till iodone or somebody else wakes us up.
2952 		 */
2953 		ret = iscsi_thread_wait(thread, -1);
2954 
2955 		/*
2956 		 * The value should never be negative since we never timeout.
2957 		 */
2958 		ASSERT(ret >= 0);
2959 
2960 		q.count = 0;
2961 		q.head  = NULL;
2962 		q.tail  = NULL;
2963 		mutex_enter(&isp->sess_queue_completion.mutex);
2964 		icmdp = isp->sess_queue_completion.head;
2965 		while (icmdp != NULL) {
2966 			next_icmdp = icmdp->cmd_next;
2967 			mutex_enter(&icmdp->cmd_mutex);
2968 			/*
2969 			 * check if the associated r2t/abort has finished
2970 			 * yet, and make sure this command has no R2T
2971 			 * to handle. If not, don't complete this command.
2972 			 */
2973 			if ((icmdp->cmd_un.scsi.r2t_icmdp == NULL) &&
2974 			    (icmdp->cmd_un.scsi.abort_icmdp == NULL) &&
2975 			    (icmdp->cmd_un.scsi.r2t_more == B_FALSE)) {
2976 				mutex_exit(&icmdp->cmd_mutex);
2977 				(void) iscsi_dequeue_cmd(&isp->
2978 				    sess_queue_completion.head,
2979 				    &isp->sess_queue_completion.tail,
2980 				    icmdp);
2981 				--isp->sess_queue_completion.count;
2982 				iscsi_enqueue_cmd_head(&q.head,
2983 				    &q.tail, icmdp);
2984 			} else
2985 				mutex_exit(&icmdp->cmd_mutex);
2986 			icmdp = next_icmdp;
2987 		}
2988 		mutex_exit(&isp->sess_queue_completion.mutex);
2989 		icmdp = q.head;
2990 		while (icmdp != NULL) {
2991 			next_icmdp = icmdp->cmd_next;
2992 			iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E8, isp);
2993 			icmdp = next_icmdp;
2994 		}
2995 
2996 		if (ret > 0)
2997 			/* Somebody woke us up to work */
2998 			continue;
2999 		else
3000 			/*
3001 			 * Somebody woke us up to kill ourselves. We will
3002 			 * make sure, however that the completion queue is
3003 			 * empty before leaving.  After we've done that it
3004 			 * is the originator of the signal that has to make
3005 			 * sure no other SCSI command is posted.
3006 			 */
3007 			break;
3008 	}
3009 
3010 }
3011 
3012 /*
3013  * iscsi_iodone -
3014  *
3015  */
3016 void
3017 iscsi_iodone(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
3018 {
3019 	struct scsi_pkt		*pkt	= NULL;
3020 	struct buf		*bp	= icmdp->cmd_un.scsi.bp;
3021 
3022 	ASSERT(isp != NULL);
3023 	ASSERT(icmdp != NULL);
3024 	pkt = icmdp->cmd_un.scsi.pkt;
3025 	ASSERT(pkt != NULL);
3026 
3027 	ASSERT(icmdp->cmd_un.scsi.abort_icmdp == NULL);
3028 	ASSERT(icmdp->cmd_un.scsi.r2t_icmdp == NULL);
3029 	if (pkt->pkt_reason == CMD_CMPLT) {
3030 		if (bp) {
3031 			if (bp->b_flags & B_READ) {
3032 				KSTAT_SESS_RX_IO_DONE(isp, bp->b_bcount);
3033 			} else {
3034 				KSTAT_SESS_TX_IO_DONE(isp, bp->b_bcount);
3035 			}
3036 		}
3037 	}
3038 
3039 	if (pkt->pkt_flags & FLAG_NOINTR) {
3040 		cv_broadcast(&icmdp->cmd_completion);
3041 		mutex_exit(&icmdp->cmd_mutex);
3042 	} else {
3043 		/*
3044 		 * Release mutex.  As soon as callback is
3045 		 * issued the caller may destroy the command.
3046 		 */
3047 		mutex_exit(&icmdp->cmd_mutex);
3048 		/*
3049 		 * We can't just directly call the pk_comp routine.  In
3050 		 * many error cases the target driver will use the calling
3051 		 * thread to re-drive error handling (reset, retries...)
3052 		 * back into the hba driver (iscsi).  If the target redrives
3053 		 * a reset back into the iscsi driver off this thead we have
3054 		 * a chance of deadlocking. So instead use the io completion
3055 		 * thread.
3056 		 */
3057 		(*icmdp->cmd_un.scsi.pkt->pkt_comp)(icmdp->cmd_un.scsi.pkt);
3058 	}
3059 }
3060 
3061 /*
3062  * +--------------------------------------------------------------------+
3063  * | End of completion routines						|
3064  * +--------------------------------------------------------------------+
3065  */
3066 
3067 /*
3068  * +--------------------------------------------------------------------+
3069  * | Beginning of watchdog routines					|
3070  * +--------------------------------------------------------------------+
3071  */
3072 
3073 /*
3074  * iscsi_watchdog_thread -
3075  *
3076  */
3077 void
3078 iscsi_wd_thread(iscsi_thread_t *thread, void *arg)
3079 {
3080 	iscsi_sess_t	*isp = (iscsi_sess_t *)arg;
3081 	int		rc = 1;
3082 
3083 	ASSERT(isp != NULL);
3084 
3085 	while (rc != NULL) {
3086 
3087 		iscsi_timeout_checks(isp);
3088 		iscsi_nop_checks(isp);
3089 
3090 		rc = iscsi_thread_wait(thread, SEC_TO_TICK(1));
3091 	}
3092 }
3093 
3094 /*
3095  * iscsi_timeout_checks -
3096  *
3097  */
3098 static void
3099 iscsi_timeout_checks(iscsi_sess_t *isp)
3100 {
3101 	clock_t		now = ddi_get_lbolt();
3102 	iscsi_cmd_t	*icmdp, *nicmdp;
3103 	iscsi_conn_t	*icp;
3104 
3105 	ASSERT(isp != NULL);
3106 
3107 	/* PENDING */
3108 	mutex_enter(&isp->sess_state_mutex);
3109 	mutex_enter(&isp->sess_queue_pending.mutex);
3110 	for (icmdp = isp->sess_queue_pending.head;
3111 	    icmdp; icmdp = nicmdp) {
3112 		nicmdp = icmdp->cmd_next;
3113 
3114 		/* Skip entries with no timeout */
3115 		if (icmdp->cmd_lbolt_timeout == 0)
3116 			continue;
3117 
3118 		/*
3119 		 * Skip pending queue entries for cmd_type values that depend
3120 		 * on having an open cmdsn window for successfull transition
3121 		 * from pending to the active (i.e. ones that depend on
3122 		 * sess_cmdsn .vs. sess_maxcmdsn). For them, the timer starts
3123 		 * when they are successfully moved to the active queue by
3124 		 * iscsi_cmd_state_pending() code.
3125 		 */
3126 		/*
3127 		 * If the cmd is stuck, at least give it a chance
3128 		 * to timeout
3129 		 */
3130 		if (((icmdp->cmd_type == ISCSI_CMD_TYPE_SCSI) ||
3131 		    (icmdp->cmd_type == ISCSI_CMD_TYPE_TEXT)) &&
3132 		    !(icmdp->cmd_misc_flags & ISCSI_CMD_MISCFLAG_STUCK))
3133 			continue;
3134 
3135 		/* Skip if timeout still in the future */
3136 		if (now <= icmdp->cmd_lbolt_timeout)
3137 			continue;
3138 
3139 		/* timeout */
3140 		iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E6, isp);
3141 	}
3142 	mutex_exit(&isp->sess_queue_pending.mutex);
3143 	mutex_exit(&isp->sess_state_mutex);
3144 
3145 	rw_enter(&isp->sess_conn_list_rwlock, RW_READER);
3146 	icp = isp->sess_conn_list;
3147 	while (icp != NULL) {
3148 
3149 		/* ACTIVE */
3150 		mutex_enter(&icp->conn_state_mutex);
3151 		mutex_enter(&isp->sess_queue_pending.mutex);
3152 		mutex_enter(&icp->conn_queue_active.mutex);
3153 		for (icmdp = icp->conn_queue_active.head;
3154 		    icmdp; icmdp = nicmdp) {
3155 			nicmdp = icmdp->cmd_next;
3156 
3157 			/* Skip entries with no timeout */
3158 			if (icmdp->cmd_lbolt_timeout == 0)
3159 				continue;
3160 
3161 			/* Skip if command is not active */
3162 			if (icmdp->cmd_state != ISCSI_CMD_STATE_ACTIVE)
3163 				continue;
3164 
3165 			/* Skip if timeout still in the future */
3166 			if (now <= icmdp->cmd_lbolt_timeout)
3167 				continue;
3168 
3169 			/* timeout */
3170 			iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E6, isp);
3171 		}
3172 		mutex_exit(&icp->conn_queue_active.mutex);
3173 		mutex_exit(&isp->sess_queue_pending.mutex);
3174 		mutex_exit(&icp->conn_state_mutex);
3175 
3176 		icp = icp->conn_next;
3177 	}
3178 	rw_exit(&isp->sess_conn_list_rwlock);
3179 }
3180 
3181 /*
3182  * iscsi_nop_checks - sends a NOP on idle connections
3183  *
3184  * This function walks the connections on a session and
3185  * issues NOPs on those connections that are in FULL
3186  * FEATURE mode and have not received data for the
3187  * time period specified by iscsi_nop_delay (global).
3188  */
3189 static void
3190 iscsi_nop_checks(iscsi_sess_t *isp)
3191 {
3192 	iscsi_conn_t	*icp;
3193 
3194 	ASSERT(isp != NULL);
3195 
3196 	if (isp->sess_type == ISCSI_SESS_TYPE_DISCOVERY) {
3197 		return;
3198 	}
3199 
3200 	rw_enter(&isp->sess_conn_list_rwlock, RW_READER);
3201 	icp = isp->sess_conn_act;
3202 	if (icp != NULL) {
3203 
3204 		mutex_enter(&icp->conn_state_mutex);
3205 		if ((ISCSI_CONN_STATE_FULL_FEATURE(icp->conn_state)) &&
3206 		    (ddi_get_lbolt() > isp->sess_conn_act->conn_rx_lbolt +
3207 		    SEC_TO_TICK(iscsi_nop_delay)) && (ddi_get_lbolt() >
3208 		    isp->sess_conn_act->conn_nop_lbolt +
3209 		    SEC_TO_TICK(iscsi_nop_delay))) {
3210 
3211 			/*
3212 			 * We haven't received anything from the
3213 			 * target is a defined period of time,
3214 			 * send NOP to see if the target is alive.
3215 			 */
3216 			mutex_enter(&isp->sess_queue_pending.mutex);
3217 			iscsi_handle_nop(isp->sess_conn_act,
3218 			    0, ISCSI_RSVD_TASK_TAG);
3219 			mutex_exit(&isp->sess_queue_pending.mutex);
3220 		}
3221 		mutex_exit(&icp->conn_state_mutex);
3222 
3223 		icp = icp->conn_next;
3224 	}
3225 	rw_exit(&isp->sess_conn_list_rwlock);
3226 }
3227 
3228 /*
3229  * +--------------------------------------------------------------------+
3230  * | End of wd routines						|
3231  * +--------------------------------------------------------------------+
3232  */
3233