xref: /illumos-gate/usr/src/uts/common/io/ib/mgt/ibcm/ibcm_sm.c (revision f248c5e0e656eab0493d376bf8e01c17c0125cc2)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <sys/ib/mgt/ibcm/ibcm_impl.h>
#include <sys/callb.h>

/*
 * ibcm_sm.c
 *	These routines implement the CM state machine (both ACTIVE and PASSIVE)
 *
 * Points to Note :
 *
 * o  CM uses one ibcm_hca_info_t entry per HCA  to store all the
 *    connection state data belonging to that HCA in the AVL trees, etc.,
 *
 * o  There is one state structure per RC, referenced from three AVL trees
 *    ie. the HCA active AVL tree, and the HCA passive AVL tree and HCA
 *    passive comid tree
 *
 * o  SIDR state structures are stored in a linked list
 *
 * o  The term statep generally refers to RC, until explicitly mentioned
 *    in the notes below
 *
 * o  Any thread that may access statep increments the ref_cnt. This ensures
 *    that statep is not deleted when it is still being accessed and modified
 *    by other threads
 *
 * o  Any thread that may want to search the AVL tree(s) holds the hca state
 *    table reader lock. If it shall insert/delete a new state structure, then
 *    the lock held is writer lock.
 *
 * o  Incrementing and Decrementing the ref_cnt can happen only after acquiring
 *    statep mutex
 *
 * o  Deleting a statep can happen only by acquiring the hca state writer lock
 *    and statep mutex and if ref_cnt is zero.
 *
 * o  Statep mutexes are used to decrease the hca state table lock holding
 *    times. thus increasing more number of threads that can access hca
 *    global data structures
 *
 * o  Statep mutexes cannot be hold for long time. They are primarily used to
 *    check the state of statep, change it and exit the lock. Other threads
 *    checking this statep find statep's new state, and may exit without
 *    further processing (as the statep->state has changed).
 *
 * o  Statep mutex must be held while setting and unsetting the timer id
 *    values and during untimeout
 *
 * Re-stating, the overall purpose of these various locks are:
 *   - Minimize the time state table locks are held
 *   - Writer locks are held only while inserting/deleting into trees,
 *	so multiple readers can traverse data structures in parallel
 *   - Minimize the time statep mutex held, so other threads entering the same
 *	statep mutex are not held for long
 *
 * The CM state machine logic ensures that the statep is valid and exists
 * when timeout callback (ibcm_timeout_cb) is called. This is ensured by
 * cancelling timeouts on state changes, where appropriate
 *
 *
 * The timeout processing is handled in the context in which the
 * timeout callback is invoked.
 *
 * The CM STATE MACHINE logic flow:
 *
 * On an incoming MAD:-
 *
 * IBMF -> ibcm_process_incoming_mad
 *	Verify and branch to one of the below connection state routines.
 *	The callback arg from ibmf has the pointer to ibcm_hca_info_t
 *
 * 1. INCOMING REQ MAD
 *
 *	Acquire hca state table WRITER lock
 *	Do lookup in passive AVL tree by remote qpn and remote hca guid
 *
 *	If (new lookup)
 *
 *	  create new statep, initialize key fields
 *	  obtain new local com id, insert into hca state AVL tree
 *	  release hca state table WRITER lock
 *
 *	  Initialize remaining fields
 *	  If invalid service id,
 *		send a REJ reply,
 *		decr ref_cnt holding state mutex
 *	  If existing peer conn, check guids, and break the tie
 *	  Call the cep state transition function
 *	  Send an RTU/REJ reply
 *	  Check and handle for any incoming REJ's during REQ RCVD state
 *
 *    else if (existing lookup)
 *
 *	  increment refcnt holding state mutex
 *	  release hca state table WRITER lock
 *
 *	  re-acquire the statep mutex
 *	  if (statep->state is REP SENT/REJ SENT/ MRA SENT)
 *		resend the mad
 *	  else if established
 *		handle the stale detection
 *	  else
 *		drop the mad (no processing required)
 *	  decr statep->ref_cnt, release state mutex
 *
 *
 * 2. INCOMING REP MAD
 *
 *    Acquire hca state READER lock
 *    Do lookup in hca state tree by local com id
 *    Release hca state table READER lock
 *
 *    if lookup does not exist
 *	 return
 *
 *    if look up exists
 *	 incr statep->ref_cnt holding state mutex
 *
 *    acquire the statep lock
 *    if (state == ESTABLISHED or REJ SENt or MRA REP SENT)
 *	  resend the MAD
 *	  release state mutex, cancel req sent timer
 *	  decrement ref_cnt holding the statep lock
 *	  return
 *
 *    if (state == REQ_SENT or REP_WAIT)
 *	  first, change state to REP_RCVD
 *	  release statep lock
 *	  cancel timers
 *	  lookup in the passive tree by remote qpn and remote hca guid
 *	  if entry already exists
 *		 handle the stale detection
 *	  else
 *		add to the passive tree
 *
 *	  Initialize fields of statep
 *	  Call the qp state transition function
 *	  Post RTU/REJ reply
 *	  Acquire the state mutex
 *	  decrement the ref cnt
 *	  release the statep lock
 *
 * 3. INCOMING MRA
 *
 *	Acquire hca state table READER lock
 *	Do lookup in active hca state tree by local com id
 *	Release hca state table READER lock
 *
 *	If lookup does not exist
 *		return
 *
 *	if look up exists
 *		 incr statep->ref_cnt holding state mutex
 *
 *	acquire state mutex
 *	if (state is REQ_SENT or REP_SENT)
 *	  change state to REP WAIT or MRA REP RCVD
 *	  release state mutex
 *	  cancel the current timer
 *
 *	  reacquire state mutex
 *	  if (state is REP_WAIT or MRA_REP_RCVD)
 *		set new timer, using service timeout for the first timeout
 *    decr ref cnt, release state mutex
 *
 * 4. INCOMING RTU
 *
 *	Acquire hca state table READER lock
 *	Do lookup in active hca state tree by local com id
 *	Release hca state table READER lock
 *
 *	If lookup does not exist
 *		return
 *
 *	 if look up exists
 *		 incr statep->ref_cnt holding state mutex
 *
 *	acquire statep mutex
 *	if (state == REP_SENT or MRA REP RCVD))
 *	  change state to ESTABLISHED
 *	  release statep mutex
 *	  cancel timer
 *
 *	  Change QP state
 *
 *	  acquire the statep mutex
 *	decrement the ref count
 *	release statep mutex
 *
 * 5. INCOMING REJ
 *
 *	Acquire hca state table READER lock
 *	Do lookup in active hca state tree by local com id
 *	Release hca state table READER lock
 *
 *	If lookup does not exist
 *		return
 *
 *	if look up exists
 *		 incr statep->ref_cnt holding state mutex
 *
 *	if (state == REQ RCVD or REP RCVD MRA_SENT or MRA_REP_SNET)
 *	  set statep->delete = true
 *	  decrement the ref_cnt
 *	  release statep mutex;
 *
 *    else if (state == REQ_SENT or REP SENT or MRA REP Rcvd)
 *	 state = IBCM_STATE_DELETE
 *	 Cancel running timers
 *	 decrement the ref_cnt
 *	 release state mutex
 *	 Call the client QP handler
 *	 delete the state data
 *
 * 6. INCOMING DREQ
 *
 *	Acquire hca state table READER lock
 *	Do lookup in active hca state tree by local com id
 *	Release hca state table READER lock
 *
 *	If lookup does not exist
 *		return
 *
 *	if look up exists
 *		 incr statep->ref_cnt holding state mutex
 *
 *	acquire state mutex
 *	if (state is ESTABLISHED/DREQ SENT/TIMEWAIT)
 *	  if state is ESTABLISHED/DREQ SENT,
 *		change state to DREQ RECVD
 *		start timers
 *
 *    send DREP reply
 *    decr ref_cnt
 *    release state mutex
 *
 * 7.  Incoming DREP
 *
 *	Acquire hca state table READER lock
 *	Do lookup in active hca state tree by local com id
 *	Release hca state table READER lock
 *
 *	If lookup does not exist
 *		return
 *
 *	if look up exists
 *		 incr statep->ref_cnt holding state mutex
 *
 *	acquire state mutex
 *	if state is DREQ_SENT
 *	  change state to DREP_RCVD
 *	  cancel timer
 *	  change state to TIMEWAIT
 *	  set timewait timer
 *    decr ref_cnt
 *    release state mutex
 *
 * 8. Timeout handler
 *
 *  (for states REQ SENT/REP SENT/REJ SENT/DREQ SENT/DREP SENT/TIMEWAIT)
 *
 *	 acquire the statep mutex
 *
 *	 if (set state != stored_state)
 *	    The thread that changed the state is responsible for any cleanup
 *	    decrement ref cnt
 *	    release statep mutex
 *	    return
 *	 else if (statep's state == REJ SENT)
 *		change state to DELETE
 *		decrement ref cnt
 *		release statep mutex
 *		delete statep
 *		return
 *	 else if (state == TIME WAIT)
 *		do the time wait state processing
 *		decrement ref cnt
 *		change state to DELETE
 *		release statep mutex
 *		delete statep, and also QP
 *	 else if (remaining retry cnt > 0)
 *		resend the mad
 *		decrement ref cnt
 *		release statep mutex
 *	 else if (state == rep sent or req sent or mra rep rcvd or rep wait)
 *		(retry counter expired)
 *		change state to REJ SENT (No one shall delete in REJ SENT)
 *		decrement the ref_cnt
 *		release the statep mutex
 *		Post REJ MAD
 *		cv_signal anyone blocking
 *		Invoke client handler
 *	 else if state == DREQ_SENT
 *		change state to TIME WAIT
 *		decrement the ref cnt
 *		set a timer for time wait time
 *		release the statep mutex
 *
 *
 * SIDR processing
 *
 * 9. INCOMING SIDR_REQ MAD
 *
 *    Figure out LID/GID
 *    Do lookup in SIDR LIST based on LID, GID, grh_exists and req_id
 *    increment ud_statep->ud_ref_cnt
 *
 *    If (new lookup)
 *
 *	  validate service id, and the create new statep,
 *	  initialize key fields
 *	  do a lookup based on service id
 *	  if service_id_lookup returns exists
 *		set sidr_status to QPN_VALID
 *	  else
 *		set sidr_status to SID_INVALID
 *	  post SIDR_REP mad
 *	  decr ud_statep->ud_ref_cnt, release ud_state_mutex
 *
 *    else if (existing lookup)
 *
 *	  if (ud_statep->ud_state is SIDR_REP_SENT)
 *		resend the mad
 *
 *	  decr ud_statep->ud_ref_cnt, release ud_state_mutex
 *
 *
 * 10. INCOMING SIDR_REP MAD
 *
 *    Figure out LID/GID
 *    Do lookup in SIDR LIST based on LID, GID, grh_exists and req_id
 *    increment ud_statep->ud_ref_cnt
 *
 *    if look up doesn't exists
 *	  return
 *
 *    if (state == SIDR_REQ_SENT)
 *	  first, change state to SIDR_REP_RCVD
 *	  release statep lock
 *	  cancel timers
 *	  cv_signal anyone blocking
 *	  release the statep lock
 *	  extract return args
 *	  destroy the statep
 *
 * 11. Timeout handler
 *
 *  (for states SIDR_REQ_SENT/SIDR_REP_SENT)
 *
 *	 acquire the statep mutex
 *
 *	 if (statep's state == SIDR_REP_SENT SENT)
 *		change state to DELETE
 *		decrement ref cnt
 *		release statep mutex
 *		delete statep
 *		return
 *	 else if (remaining retry cnt > 0 and state is SIDR_REQ_SENT)
 *		resend the mad
 *		decrement ref cnt
 *		release statep mutex
 *	 else if (state == SIDR_REQ_SENT)
 *		(retry counter expired)
 *		change state to DELETE
 *		decrement the ref_cnt
 *		the statep mutex
 *		cv_signal anyone blocking
 *		Invoke client handler
 *		delete statep
 */

/* Function prototypes */
static void		ibcm_set_primary_adds_vect(ibcm_state_data_t *,
			    ibt_adds_vect_t *, ibcm_req_msg_t *);
static void		ibcm_set_alt_adds_vect(ibcm_state_data_t *,
			    ibt_adds_vect_t *, ibcm_req_msg_t *);
static ibt_status_t	ibcm_set_primary_cep_path(ibcm_state_data_t *,
			    ibt_cep_path_t *, ibcm_req_msg_t *);
static ibt_status_t	ibcm_set_alt_cep_path(ibcm_state_data_t *,
			    ibt_cep_path_t *, ibcm_req_msg_t *);
static ibt_status_t	ibcm_invoke_qp_modify(ibcm_state_data_t *,
			    ibcm_req_msg_t *, ibcm_rep_msg_t *);
static ibt_status_t	ibcm_invoke_rtu_qp_modify(ibcm_state_data_t *,
			    ib_time_t, ibcm_rep_msg_t *);
static ibcm_status_t	ibcm_sidr_req_ud_handler(ibcm_ud_state_data_t *,
			    ibcm_sidr_req_msg_t *, ibcm_mad_addr_t *,
			    ibt_sidr_status_t *);
static void		ibcm_sidr_rep_ud_handler(ibcm_ud_state_data_t *,
			    ibcm_sidr_rep_msg_t *);
static void		ibcm_handler_conn_fail(ibcm_state_data_t *,
			    uint8_t cf_code, uint8_t cf_msg,
			    ibt_cm_reason_t rej_reason, uint8_t *,
			    ibt_priv_data_len_t);
static void		ibcm_build_n_post_rej_mad(uint8_t *input_madp,
			    ib_com_id_t, ibcm_mad_addr_t *, int, uint16_t);
static void		ibcm_post_drep_mad(ibcm_state_data_t *);

static ibcm_status_t	ibcm_verify_req_gids_and_svcid(
			    ibcm_state_data_t *statep,
			    ibcm_req_msg_t *cm_req_msgp);

static void		ibcm_timeout_client_cb(ibcm_state_data_t *statep);
static void		ibcm_ud_timeout_client_cb(
			    ibcm_ud_state_data_t *ud_statep);

static void		ibcm_process_dreq_timeout(ibcm_state_data_t *statep);

static void		ibcm_fill_adds_from_lap(ibt_adds_vect_t *adds,
			    ibcm_lap_msg_t *lap_msg, ibcm_mode_t mode);

static void		ibcm_post_stored_apr_mad(ibcm_state_data_t *statep,
			    uint8_t *input_madp);

static ibcm_status_t	ibcm_set_qp_from_apr(ibcm_state_data_t *statep,
			    ibcm_lap_msg_t *lap_msg);

static boolean_t	ibcm_compare_prim_alt_paths(ibt_adds_vect_t *prim,
			    ibt_adds_vect_t *alt);

static void		ibcm_process_get_classport_info(ibcm_hca_info_t *hcap,
			    uint8_t *input_madp, ibcm_mad_addr_t *cm_mad_addr);

static void		ibcm_decode_classport_info(ibcm_hca_info_t *hcap,
			    uint8_t *input_madp, ibcm_mad_addr_t *cm_mad_addr);

static void		ibcm_post_rej_ver_mismatch(uint8_t *input_madp,
			    ibcm_mad_addr_t *cm_mad_addr);

static void		ibcm_init_clp_to_mad(ibcm_classportinfo_msg_t *clp,
			    ibt_redirect_info_t *rinfo);

static void		ibcm_init_clp_from_mad(ibcm_classportinfo_msg_t *clp,
			    ibt_redirect_info_t *rinfo);

static void		ibcm_copy_addl_rej(ibcm_state_data_t *statep,
			    ibcm_rej_msg_t *rej_msgp,
			    ibt_cm_conn_failed_t *failed);

static void		ibcm_return_open_data(ibcm_state_data_t *statep,
			    ibcm_rep_msg_t *rep_msgp,
			    ibt_cm_reason_t reject_reason);

/* limit the number of taskq threads to handle received MADs. */
int ibcm_recv_tasks = 0;
int ibcm_max_recv_tasks = 24;
int ibcm_recv_timeouts = 0;

/*
 * Tunable MAX MRA Service Timeout value in MicroSECONDS.
 *	0 - Tunable parameter not used.
 *
 *	Ex:   60000000 - Max MRA Service Delay is 60 Seconds.
 */
clock_t ibcm_mra_service_timeout_max = 0;

#ifdef	DEBUG

static void			print_modify_qp(char *prefix,
				    ibt_qp_hdl_t ibt_qp,
				    ibt_cep_modify_flags_t flags,
				    ibt_qp_info_t *qp_attr);
#endif

/*	Warlock annotations */

_NOTE(READ_ONLY_DATA(ibt_arej_info_u))

/*
 * ibcm_process_incoming_mad:
 *	The CM callback that is invoked by IBMF, when a valid CM MAD arrives
 *	on any of the registered ibmf handles by CM.
 *
 *	It is assumed that the incoming MAD (except for incoming REQ) belongs
 *	to a connection on the HCA, on which the MAD is received.
 *	The IBMF callback arg specifies ibcm_hca_info_t
 *
 * NOTE: IBMF always invokes ibcm_recv_cb() in a taskq. CM does some memory
 * allocations and invoke ibcm_sm_funcs_tbl[i]() in the same taskq.
 *
 * INPUTS:
 *	ibmf_handle	- IBMF Handle
 *	args		- from IBMF. Is a ptr to ibcm_hca_info_t
 *	status		- Callback status. Is mostly IBMF_SUCCESS
 *	madbuf		- IBMF allocated MAD buffer (CM should free it)
 *	madaddr		- IBMF MAD's address
 *	grhvalid	- If GRH is valid or not
 *
 * RETURN VALUES: NONE
 */
void
ibcm_process_incoming_mad(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	uint8_t			method;		/* Method type in MAD hdr */
	ib_mad_hdr_t		*in_mad_hdr;	/* Incoming MAD's header */
	ibcm_hca_info_t		*hcap;		/* pointer to HCA entry */
	ibcm_port_info_t	*portp;
	ibcm_mad_addr_t		*cm_mad_addr;	/* MAD address information */
	ibcm_event_type_t	attr_id;	/* Attribute ID in MAD hdr */
	ibcm_mad_addr_t		loc_mad_addr;	/* MAD address information */
	ibcm_qp_list_t		*cm_qp_entry;
	int			ibmf_status;


	/* Noticed that IBMF always calls with IBMF_SUCCESS, but still check */
	if (msgp->im_msg_status != IBMF_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: "
		    "bad status %x", msgp->im_msg_status);
		/* IBMF allocates Input MAD, so free it here */
		if ((ibmf_status = ibmf_free_msg(ibmf_handle, &msgp)) !=
		    IBMF_SUCCESS)
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: "
			    "ibmf_free_msg failed %d", ibmf_status);
		return;
	}

	/* Get the HCA entry pointer */
	cm_qp_entry = (ibcm_qp_list_t *)args;

	IBTF_DPRINTF_L5(cmlog, "ibcm_process_incoming_mad: ibmf_hdl %p "
	    "msg %p args %p", ibmf_handle, msgp, args);

#ifdef	DEBUG
	if (ibcm_test_mode > 1)
		ibcm_query_qp(ibmf_handle, cm_qp_entry->qp_cm);
#endif

	portp = cm_qp_entry->qp_port;
	hcap = portp->port_hcap;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_incoming_mad: CM MAD on "
	    "port %d", portp->port_num);

	/* Increment hca ref cnt, if HCA is in attached state, else fail */
	if (ibcm_inc_hca_acc_cnt(hcap) != IBCM_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: "
		    "hca not in attach state");
		/* IBMF allocates Input MAD, and ibcm free's it */
		if ((ibmf_status = ibmf_free_msg(ibmf_handle, &msgp)) !=
		    IBMF_SUCCESS)
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: "
			    "ibmf_free_msg failed %d", ibmf_status);
		return;
	}

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*cm_mad_addr))

	/* allocate memory for internal MAD address buffer */
	cm_mad_addr = &loc_mad_addr;
	bzero(cm_mad_addr, sizeof (ibcm_mad_addr_t));

	cm_mad_addr->port_num = portp->port_num;

	/* initialize cm_mad_addr field(s) */
	in_mad_hdr = msgp->im_msgbufs_recv.im_bufs_mad_hdr;

	if (in_mad_hdr->MgmtClass != MAD_MGMT_CLASS_COMM_MGT) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: "
		    "bad mgmt class %x", in_mad_hdr->MgmtClass);
		if ((ibmf_status = ibmf_free_msg(ibmf_handle, &msgp)) !=
		    IBMF_SUCCESS)
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: "
			    "ibmf_free_msg failed %d", ibmf_status);
		ibcm_dec_hca_acc_cnt(hcap);
		return;
	}

	cm_mad_addr->rcvd_addr = msgp->im_local_addr;
	if (msgp->im_msg_flags & IBMF_MSG_FLAGS_GLOBAL_ADDRESS) {
		cm_mad_addr->grh_hdr = msgp->im_global_addr;
		cm_mad_addr->grh_exists = B_TRUE;
		IBTF_DPRINTF_L3(cmlog, "ibcm_process_incoming_mad: "
		    "CM recv GID GUID %llX sender GID GUID %llX",
		    msgp->im_global_addr.ig_recver_gid.gid_guid,
		    msgp->im_global_addr.ig_sender_gid.gid_guid);
	}

	/* Save IBMF handle and ibmf qp related information */
	cm_mad_addr->ibmf_hdl = ibmf_handle;
	cm_mad_addr->cm_qp_entry = cm_qp_entry;

	/* IBMF does not initialize ia_p_key for non-QP1's */
	if (cm_qp_entry->qp_cm != IBMF_QP_HANDLE_DEFAULT)
		cm_mad_addr->rcvd_addr.ia_p_key = cm_qp_entry->qp_pkey;

	if (cm_mad_addr->rcvd_addr.ia_p_key & 0x8000)
		IBTF_DPRINTF_L5(cmlog, "ibcm_process_incoming_mad: PKEY %x",
		    cm_mad_addr->rcvd_addr.ia_p_key);
	else
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: CM MAD "
		    "arrived from limited PKEY %x",
		    cm_mad_addr->rcvd_addr.ia_p_key);

	/* Retrieve the method and Attr-Id from generic mad header */
	method = in_mad_hdr->R_Method;
	attr_id = b2h16(in_mad_hdr->AttributeID);

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_incoming_mad: "
	    "Method %x Attribute %x", method, attr_id);

	if (in_mad_hdr->ClassVersion != IBCM_MAD_CLASS_VERSION) {

		IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: "
		    "unsupported ibcm class version %x",
		    in_mad_hdr->ClassVersion);

		if (attr_id == (IBCM_INCOMING_REQ + IBCM_ATTR_BASE_ID))
			ibcm_post_rej_ver_mismatch(
			    (uint8_t *)IBCM_IN_HDRP(msgp), cm_mad_addr);

		if ((ibmf_status = ibmf_free_msg(ibmf_handle, &msgp)) !=
		    IBMF_SUCCESS)
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: "
			    "ibmf_free_msg failed %d", ibmf_status);
		ibcm_dec_hca_acc_cnt(hcap);
		return;
	}

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_incoming_mad: "
	    "Transaction Id 0x%llX", b2h64(in_mad_hdr->TransactionID));

#ifdef	DEBUG
	ibcm_decode_tranid(b2h64(in_mad_hdr->TransactionID), NULL);
#endif

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*cm_mad_addr))

	/*
	 * The following are valid combination of Method type
	 * and attribute id in the received MAD :-
	 *	o ClassPortInfo with Get method
	 *	o CM messages with Send method
	 */
	if ((attr_id == MAD_ATTR_ID_CLASSPORTINFO) &&
	    ((method == MAD_METHOD_GET) ||
	    (method == MAD_METHOD_GET_RESPONSE))) {
		if (method == MAD_METHOD_GET)
			ibcm_process_get_classport_info(hcap,
			    (uint8_t *)IBCM_IN_HDRP(msgp), cm_mad_addr);
		else if (method == MAD_METHOD_GET_RESPONSE)
			ibcm_decode_classport_info(hcap,
			    (uint8_t *)IBCM_IN_HDRP(msgp), cm_mad_addr);
	} else if ((attr_id >= IBCM_ATTR_BASE_ID) &&
	    (attr_id < (IBCM_ATTR_BASE_ID + IBCM_MAX_EVENTS)) &&
	    (method == MAD_METHOD_SEND)) {

		attr_id -= IBCM_ATTR_BASE_ID;	/* figure out CM message id */

		ASSERT(msgp->im_msgbufs_recv.im_bufs_mad_hdr != NULL);

		/* Call the CM process connection state function */
		ibcm_sm_funcs_tbl[attr_id](hcap,
		    (uint8_t *)IBCM_IN_HDRP(msgp), cm_mad_addr);
	} else {
		/*
		 * Any other combination of method and attribute are invalid,
		 * hence drop the MAD
		 */
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: "
		    "unknown Method %x or Attribute %x", method, attr_id);
	}

	/* decrement the hcap access reference count */
	ibcm_dec_hca_acc_cnt(hcap);

	/* ASSERT(NO_LOCKS_HELD); */

	/* free up ibmf msgp  */
	if ((ibmf_status = ibmf_free_msg(ibmf_handle, &msgp)) != IBMF_SUCCESS)
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_incoming_mad: "
		    "ibmf_free_msg failed %d", ibmf_status);
}

/*
 * Structure to carry the arguments from ibcm_recv_cb() to
 * ibcm_recv_incoming_mad() via taskq_dispatch
 */
typedef struct ibcm_taskq_args_s {
	ibmf_handle_t	tq_ibmf_handle;
	ibmf_msg_t	*tq_ibmf_msgp;
	void		*tq_args;
} ibcm_taskq_args_t;

#define	IBCM_RECV_MAX	128
ibcm_taskq_args_t ibcm_recv_array[IBCM_RECV_MAX + 1];
int ibcm_get, ibcm_put;
int ibcm_recv_total;
int ibcm_recv_queued;

_NOTE(READ_ONLY_DATA(ibcm_taskq_args_t))

static int
ibcm_recv_dequeue(ibmf_handle_t *ibmf_handlep, ibmf_msg_t **msgpp, void **argsp)
{
	ibcm_taskq_args_t *tq;

	if (ibcm_put == ibcm_get)
		return (0);

	if (++ibcm_get >= IBCM_RECV_MAX)
		ibcm_get = 0;
	tq = ibcm_recv_array + ibcm_get;
	*ibmf_handlep = tq->tq_ibmf_handle;
	*msgpp = tq->tq_ibmf_msgp;
	*argsp = tq->tq_args;
	return (1);
}

static int
ibcm_recv_enqueue(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp, void *args)
{
	int next;
	ibcm_taskq_args_t *tq;

	ASSERT(MUTEX_HELD(&ibcm_recv_mutex));
	next = ibcm_put + 1;
	if (next >= IBCM_RECV_MAX)
		next = 0;
	if (next != ibcm_get) {
		ibcm_recv_queued++;
		ibcm_put = next;
		tq = ibcm_recv_array + next;
		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*tq))
		tq->tq_ibmf_handle = ibmf_handle;
		tq->tq_ibmf_msgp = msgp;
		tq->tq_args = args;
		_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*tq))
		return (1);
	} else {
		return (0);
	}
}

void
ibcm_drop_msg(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp)
{
	int ibmf_status;

	IBTF_DPRINTF_L2(cmlog, "ibcm_drop_msg: discarding MAD");

	if ((ibmf_status = ibmf_free_msg(ibmf_handle, &msgp)) != IBMF_SUCCESS)
		IBTF_DPRINTF_L2(cmlog, "ibcm_drop_msg: "
		    "ibmf_free_msg failed %d", ibmf_status);
}

/*
 * Processing done in taskq thread.
 *
 * Calls ibcm_process_incoming_mad with all function arguments extracted
 * from args.  Afterwards, check for queued requests.
 */
static void
ibcm_recv_task(void *args)
{
	ibcm_taskq_args_t *taskq_args;
	ibmf_handle_t ibmf_handle;
	ibmf_msg_t *msgp;

	taskq_args = (ibcm_taskq_args_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_recv_task: Processing incoming MAD"
	    " via taskq");

	ibcm_process_incoming_mad(taskq_args->tq_ibmf_handle,
	    taskq_args->tq_ibmf_msgp, taskq_args->tq_args);

	kmem_free(taskq_args, sizeof (ibcm_taskq_args_t));

	/* process queued entries before giving up this thread */
	mutex_enter(&ibcm_recv_mutex);
	while (ibcm_recv_dequeue(&ibmf_handle, &msgp, &args)) {
		mutex_exit(&ibcm_recv_mutex);
		ibcm_process_incoming_mad(ibmf_handle, msgp, args);
		mutex_enter(&ibcm_recv_mutex);
	}
	--ibcm_recv_tasks;
	mutex_exit(&ibcm_recv_mutex);
}

static void
ibcm_recv_timeout_cb(void *args)
{
	ibcm_taskq_args_t *tq = (ibcm_taskq_args_t *)args;
	int rv = 1;

	mutex_enter(&ibcm_recv_mutex);
	ibcm_recv_timeouts--;
	if (ibcm_recv_tasks == 0) {
		ibcm_recv_tasks++;
		mutex_exit(&ibcm_recv_mutex);
		if (taskq_dispatch(ibcm_taskq, ibcm_recv_task, tq,
		    TQ_NOQUEUE | TQ_NOSLEEP) == TASKQID_INVALID) {
			mutex_enter(&ibcm_recv_mutex);
			if (--ibcm_recv_tasks == 0) {
				(void) timeout(ibcm_recv_timeout_cb, tq, 1);
				ibcm_recv_timeouts++;
			} else {
				rv = ibcm_recv_enqueue(tq->tq_ibmf_handle,
				    tq->tq_ibmf_msgp, tq->tq_args);
				kmem_free(tq, sizeof (*tq));
			}
			mutex_exit(&ibcm_recv_mutex);
		}
	} else {
		/*
		 * one or more taskq threads are running now
		 * so just try to enqueue this one.
		 */
		rv = ibcm_recv_enqueue(tq->tq_ibmf_handle,
		    tq->tq_ibmf_msgp, tq->tq_args);
		kmem_free(tq, sizeof (*tq));
		mutex_exit(&ibcm_recv_mutex);
	}
	if (rv == 0)
		ibcm_drop_msg(tq->tq_ibmf_handle, tq->tq_ibmf_msgp);
}

/*
 * Dispatch to taskq if we're not using many, else just queue it
 * and have the taskq thread pick it up.  Return 0 if we're dropping it.
 */
static int
ibcm_recv_add_one(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp, void *args)
{
	int rv;
	ibcm_taskq_args_t *tq;

	mutex_enter(&ibcm_recv_mutex);
	ibcm_recv_total++;
	if (ibcm_recv_tasks >= ibcm_max_recv_tasks) { /* just queue this one */
		rv = ibcm_recv_enqueue(ibmf_handle, msgp, args);
		mutex_exit(&ibcm_recv_mutex);
		return (rv);
	} else {
		ibcm_recv_tasks++; /* dispatch this one to a taskq thread */
		mutex_exit(&ibcm_recv_mutex);
		tq = kmem_alloc(sizeof (*tq), KM_NOSLEEP);
		if (tq == NULL) {
			mutex_enter(&ibcm_recv_mutex);
			if (--ibcm_recv_tasks > 0)
				rv = ibcm_recv_enqueue(ibmf_handle, msgp, args);
			else	/* don't enqueue if no threads are running */
				rv = 0;
			mutex_exit(&ibcm_recv_mutex);
			return (rv);
		}
		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*tq))
		tq->tq_ibmf_handle = ibmf_handle;
		tq->tq_ibmf_msgp = msgp;
		tq->tq_args = args;
		_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*tq))
		if (taskq_dispatch(ibcm_taskq, ibcm_recv_task, tq,
		    TQ_NOQUEUE | TQ_NOSLEEP) == TASKQID_INVALID) {
			/* dispatch failed */
			mutex_enter(&ibcm_recv_mutex);
			if (--ibcm_recv_tasks == 0) {
				/* try the dispatch again, after a tick */
				(void) timeout(ibcm_recv_timeout_cb, tq, 1);
				ibcm_recv_timeouts++;
				rv = 1;	/* indicate success */
			} else {
				rv = ibcm_recv_enqueue(ibmf_handle, msgp, args);
				kmem_free(tq, sizeof (*tq));
			}
			mutex_exit(&ibcm_recv_mutex);
			return (rv);
		} else {
			return (1);
		}
	}
}

/*
 * ibcm_recv_cb:
 *	The CM callback that is invoked by IBMF, when a valid CM MAD arrives
 *	on any of the registered ibmf handles by CM.
 *
 * INPUTS:
 *	ibmf_handle	- IBMF Handle
 *	msgp		- IBMF msg containing the MAD (allocated by IBMF)
 *	args		- Ptr to ibcm_hca_info_t
 *
 * RETURN VALUES: NONE
 */
void
ibcm_recv_cb(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp, void *args)
{
	if (ibcm_recv_add_one(ibmf_handle, msgp, args) == 0)
		ibcm_drop_msg(ibmf_handle, msgp);
}

/*
 * ibcm_process_req_msg:
 *	PASSIVE SIDE CM
 *	Called from ibcm_process_incoming_mad on reception of a REQ message
 *
 * Description:
 *	If it a new REQ (not duplicate)
 *		creates a new state structure in passive connection mode
 *		populate state structure fields
 *		inserts state structure in hca active and passive trees
 *		validates service id
 *		validates primary and alternate lid/gid in REQ,
 *		calls QP state transition function
 *		generates REP/REJ response
 *		stores the response MAD in state structure for future re-sends
 *		initializes timers as required
 *	If a duplicate REQ, action depends upon current state in the state
 *	structure
 *
 * INPUTS:
 *	hcap		- HCA entry ptr
 *	input_madp	- CM MAD that is input to this function
 *	cm_mad_addr	- Address information for the MAD
 *
 * RETURN VALUE:
 *	NONE
 */
void
ibcm_process_req_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ibt_priv_data_len_t	arej_info_len = 0;
	ib_qpn_t		remote_qpn;
	ib_guid_t		remote_hca_guid;
	ib_com_id_t		remote_comid;
	ib_com_id_t		local_comid;
	ibcm_status_t		state_lookup_status;
	ibcm_status_t		comid_lookup_status;
	ibcm_status_t		response;
	ibcm_req_msg_t		*req_msgp =
	    (ibcm_req_msg_t *)&input_madp[IBCM_MAD_HDR_SIZE];
	ibt_cm_reason_t		reject_reason = IBT_CM_SUCCESS;
	ibcm_state_data_t	*statep;
	ibcm_state_data_t	*stale_statep = NULL;
	ibcm_status_t		svc_gid_check;
	uint32_t		psn24_timeout5_retry3;
	ibt_tran_srv_t		trans;

	IBTF_DPRINTF_L5(cmlog, "ibcm_process_req_msg(%p, %p, %p)",
	    hcap, input_madp, cm_mad_addr);

	/*
	 * Lookup for an existing state structure or create a new state struct
	 * If there is no entry, the lookup function also allocates a new
	 * state structure and inserts in the table, initializes remote qpn
	 * and hca guid from REQ
	 */
	remote_hca_guid = b2h64(req_msgp->req_local_ca_guid);
	remote_qpn = b2h32(req_msgp->req_local_qpn_plus) >> 8;
	remote_comid = b2h32(req_msgp->req_local_comm_id);

	IBCM_DUMP_RAW_MSG((uchar_t *)input_madp);

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_req_msg: remote_comid = %x"
	    " remote_qpn = %x", remote_comid, remote_qpn);

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_req_msg: remote_hcaguid = %llX",
	    remote_hca_guid);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*statep))

new_req:
	/* allocate the local_comid before proceeding */
	if (ibcm_alloc_comid(hcap, &local_comid) != IBCM_SUCCESS) {
		ibcm_build_n_post_rej_mad(input_madp,
		    b2h32(req_msgp->req_local_comm_id), cm_mad_addr,
		    IBT_CM_FAILURE_REQ, IBT_CM_NO_RESC);
		return;
	}

	/* allocate ibcm_state_data_t before grabbing the WRITER lock */
	statep = kmem_zalloc(sizeof (*statep), KM_SLEEP);

	rw_enter(&hcap->hca_state_rwlock, RW_WRITER);

	/* NOTE that only a writer lock is held here */

	state_lookup_status = ibcm_lookup_msg(IBCM_INCOMING_REQ,
	    local_comid, remote_qpn, remote_hca_guid, hcap, &statep);

	if (state_lookup_status == IBCM_LOOKUP_NEW) {
		/* seeing the REQ request for the first time */

		mutex_enter(&statep->state_mutex);
		/* Release the state table lock */
		rw_exit(&hcap->hca_state_rwlock);

		IBTF_DPRINTF_L4(cmlog, "ibcm_process_req_msg: New statep 0x%p"
		    " created", statep);

		psn24_timeout5_retry3 = b2h32(req_msgp->req_starting_psn_plus);

		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*statep))

		/* if ibmf msg allocation fails, delete the statep */
		if (ibcm_alloc_out_msg(cm_mad_addr->ibmf_hdl,
		    &statep->stored_msg, MAD_METHOD_SEND) != IBT_SUCCESS) {

			IBCM_REF_CNT_DECR(statep);
			statep->state = IBCM_STATE_DELETE;
			mutex_exit(&statep->state_mutex);
			/* HCA res cnt decremented via ibcm_delete_state_data */
			ibcm_inc_hca_res_cnt(hcap);
			ibcm_delete_state_data(statep);
			return;
		}

		/* Allocate dreq_msg buf to be used during teardown. */
		if (ibcm_alloc_out_msg(cm_mad_addr->ibmf_hdl,
		    &statep->dreq_msg, MAD_METHOD_SEND) != IBT_SUCCESS) {

			IBCM_REF_CNT_DECR(statep);
			statep->state = IBCM_STATE_DELETE;
			mutex_exit(&statep->state_mutex);
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_req_msg: "
			    "statep 0x%p: Failed to allocate dreq_msg", statep);

			/* HCA res cnt decremented via ibcm_delete_state_data */
			ibcm_inc_hca_res_cnt(hcap);
			ibcm_delete_state_data(statep);
			return;
		}

		/* initialize some "statep" fields */
		statep->mode		= IBCM_PASSIVE_MODE;
		statep->hcap		= hcap;
		statep->remote_comid	= remote_comid;
		statep->svcid		= b2h64(req_msgp->req_svc_id);
		statep->local_qp_rnr_cnt =
		    req_msgp->req_mtu_plus & 0x7;

		/*
		 * get the remote_ack_delay, etc.
		 */
		statep->remote_ack_delay =
		    ibt_ib2usec(req_msgp->req_primary_localtime_plus >> 3);
		statep->cep_retry_cnt = psn24_timeout5_retry3 & 0x7;

		/*
		 * get the req_max_cm_retries
		 */
		statep->max_cm_retries = req_msgp->req_max_cm_retries_plus >> 4;
		statep->remaining_retry_cnt = statep->max_cm_retries;

		/* Approximate pkt life time for now */
		statep->pkt_life_time = statep->remote_ack_delay/2;

		/* Passive side timer is set to LocalCMRespTime in REQ */
		statep->timer_value =
		    ibt_ib2usec(psn24_timeout5_retry3 >> 3 & 0x1f);

		statep->starting_psn = psn24_timeout5_retry3 >> 8;

		IBTF_DPRINTF_L4(cmlog, "ibcm_process_req_msg: statep 0x%p "
		    "active cep timeout(usec) = %u",
		    statep, statep->remote_ack_delay);
		IBTF_DPRINTF_L4(cmlog, "ibcm_process_req_msg: "
		    "passive timer(usec) = %u", statep->timer_value);
		IBTF_DPRINTF_L4(cmlog, "ibcm_process_req_msg: "
		    "approx pkt lt(usec)= %u ", statep->pkt_life_time);
		IBTF_DPRINTF_L4(cmlog, "ibcm_process_req_msg: "
		    "max cm retries %u", statep->max_cm_retries);

		/* The reply ie., REP/REJ transaction id copied from REQ */
		IBCM_OUT_HDRP(statep->stored_msg)->TransactionID =
		    ((ib_mad_hdr_t *)(input_madp))->TransactionID;

		/*
		 * Initialize the stale clock. Any other REQ
		 * messages on this statep are considered as duplicate
		 * if they arrive within stale clock
		 * ibcm_adj_btime is used to offset for retry REQ's
		 * arriving  just after expected retry clock
		 */
		statep->stale_clock = gethrtime() +
		    (hrtime_t)(ibcm_adj_btime  * 1000000000) +
		    (hrtime_t)statep->remote_ack_delay *
		    (statep->max_cm_retries * (1000 / 2));

		mutex_exit(&statep->state_mutex);

		ibcm_insert_trace(statep, IBCM_TRACE_INCOMING_REQ);

		/* Increment the hca's resource count */
		ibcm_inc_hca_res_cnt(hcap);

		ibcm_build_reply_mad_addr(cm_mad_addr,
		    &statep->stored_reply_addr);

		if (statep->stored_reply_addr.cm_qp_entry == NULL) {

			IBTF_DPRINTF_L2(cmlog, "ibcm_process_req_msg: "
			    "statep 0x%p cm_qp_entry alloc failed", statep);

			/*
			 * Not much choice. CM MADs cannot go on QP1, not even
			 * REJ. Hence delete state data and go away silently.
			 * The remote will timeout after repeated attempts
			 */
			mutex_enter(&statep->state_mutex);
			IBCM_REF_CNT_DECR(statep);
			statep->state = IBCM_STATE_DELETE;
			mutex_exit(&statep->state_mutex);

			ibcm_delete_state_data(statep);
			return;
		}

		stale_statep = statep;
		rw_enter(&hcap->hca_state_rwlock, RW_WRITER);
		comid_lookup_status = ibcm_lookup_msg(IBCM_INCOMING_REQ_STALE,
		    remote_comid, 0, remote_hca_guid, hcap, &stale_statep);
		rw_exit(&hcap->hca_state_rwlock);

		if (comid_lookup_status == IBCM_LOOKUP_EXISTS) {

			IBTF_DPRINTF_L2(cmlog, "ibcm_process_req_msg: "
			    "dup comid %x stale_statep 0x%p statep 0x%p",
			    remote_comid, stale_statep, statep);

			ibcm_insert_trace(stale_statep,
			    IBCM_TRACE_STALE_DETECT);

			/* Send a REJ with duplicate com id */
			ibcm_post_rej_mad(statep, IBT_CM_DUP_COM_ID,
			    IBT_CM_FAILURE_REQ, NULL, 0);

			/*
			 * Don't free the ibmf msg, if stale_statep is not in
			 * ESTABLISHED state, because probability is very less.
			 * ibmf msg shall be deleted along with statep
			 */

			/*
			 * if stale_statep is in established state, process
			 * stale connection handling on stale_statep
			 */
			mutex_enter(&stale_statep->state_mutex);
			if (stale_statep->state == IBCM_STATE_ESTABLISHED) {

				stale_statep->state =
				    IBCM_STATE_TRANSIENT_DREQ_SENT;
				stale_statep->stale = B_TRUE;

				/* Cancel pending ibt_set_alt_path */
				ibcm_sync_lapr_idle(stale_statep);
				/* The above call releases the state mutex */

				if (stale_statep->dreq_msg == NULL)
					(void) ibcm_alloc_out_msg(stale_statep->
					    stored_reply_addr.ibmf_hdl,
					    &stale_statep->dreq_msg,
					    MAD_METHOD_SEND);

				/*
				 * Spec says, post DREQ MAD on the stale
				 * channel. This moves channel into timewait
				 */
				if (stale_statep->dreq_msg != NULL) {
					ibcm_post_dreq_mad(stale_statep);
					mutex_enter(&stale_statep->state_mutex);
				} else {
					mutex_enter(&stale_statep->state_mutex);
					/* Set it back to original state. */
					stale_statep->state =
					    IBCM_STATE_ESTABLISHED;
					cv_broadcast(
					    &stale_statep->block_mad_cv);
				}
			}

			IBCM_REF_CNT_DECR(stale_statep);
			mutex_exit(&stale_statep->state_mutex);

			mutex_enter(&statep->state_mutex);
			IBCM_REF_CNT_DECR(statep);
			mutex_exit(&statep->state_mutex);
			return;
		}

		/* If unknown service type, just post a REJ */
		trans = ((uint8_t *)&req_msgp->req_remote_eecn_plus)[3] >> 1 &
		    0x3;
		if ((trans != IBT_RC_SRV) && (trans != IBT_UC_SRV) &&
		    (trans != IBT_RD_SRV)) {

			IBTF_DPRINTF_L2(cmlog, "ibcm_process_req_msg: "
			    "statep 0x%p invalid transport type %x", statep,
			    trans);

			/* Send a REJ with invalid transport type */
			ibcm_post_rej_mad(statep, IBT_CM_INVALID_SRV_TYPE,
			    IBT_CM_FAILURE_REQ, NULL, 0);

			mutex_enter(&statep->state_mutex);
			IBCM_REF_CNT_DECR(statep);
			mutex_exit(&statep->state_mutex);
			return;
		}

		/* Validate the gids, lids and service id */
		svc_gid_check = ibcm_verify_req_gids_and_svcid(statep,
		    req_msgp);

		if (svc_gid_check == IBCM_FAILURE) {

			IBTF_DPRINTF_L3(cmlog, "ibcm_process_req_msg: Either "
			    "gid or sid invalid for statep 0x%p", statep);
			mutex_enter(&statep->state_mutex);
			IBCM_REF_CNT_DECR(statep);
			mutex_exit(&statep->state_mutex);

			/* REJ posted from ibcm_verify_req_gids_and_svcid */
			return;
		}

		/* Call the QP state transition processing function */
		response = ibcm_cep_state_req(statep, req_msgp,
		    &reject_reason, &arej_info_len);

		/* If defer, return holding the statep ref cnt */
		if (response == IBCM_DEFER) {
			IBTF_DPRINTF_L4(cmlog, "ibcm_process_req_msg: "
			    "statep %0xp client returned DEFER response",
			    statep);
			return;
		}

		/* statep ref cnt decremented in the func below */
		ibcm_handle_cep_req_response(statep, response,
		    reject_reason, arej_info_len);

		_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*statep))

		return;

	} else {
		rw_exit(&hcap->hca_state_rwlock);
		ibcm_free_comid(hcap, local_comid);
	}

	if (state_lookup_status == IBCM_LOOKUP_EXISTS) {
		hrtime_t	cur_time;

		mutex_enter(&statep->state_mutex);

		/*
		 * There is an existing state structure entry
		 * with the same active comid
		 * Resending REP MAD is necessary only for REP/REJ/MRA Sent
		 * states
		 * Any other state implies the active has already received
		 * the REP/REJ response, and this REQ is an old MAD popping
		 * out of the fabric, hence no resend is required
		 */
		cur_time = gethrtime();

		if ((remote_comid == statep->remote_comid) &&
		    (IBCM_OUT_HDRP(statep->stored_msg)->TransactionID ==
		    ((ib_mad_hdr_t *)(input_madp))->TransactionID) &&
		    (cur_time <= statep->stale_clock)) {

			ibcm_insert_trace(statep, IBCM_TRACE_INCOMING_REQ);

			if (statep->state == IBCM_STATE_REP_SENT)
				ibcm_resend_rep_mad(statep);
			else if (statep->state == IBCM_STATE_REJ_SENT)
				ibcm_resend_rej_mad(statep);
			else if (statep->state == IBCM_STATE_MRA_SENT)
				ibcm_resend_mra_mad(statep);

			/* decrementing ref cnt and returning from below */

		} else if ((statep->state == IBCM_STATE_REJ_SENT) &&
		    remote_comid != statep->remote_comid) {
			timeout_id_t		timer_val;

			IBTF_DPRINTF_L2(cmlog, "ibcm_process_req_msg: "
			    "statep 0x%p being retired, REMOTE_QPN %x",
			    statep, remote_qpn);
			/*
			 * OK, this is reuse of the QPN on the active side
			 * that was not connected last time.  This REQ is
			 * considered NEW.  We delete the statep here,
			 * then start over from the top.
			 */
			statep->state = IBCM_STATE_DELETE;
			timer_val = statep->timerid;
			statep->timerid = 0;
			mutex_exit(&statep->state_mutex);
			if (timer_val)
				(void) untimeout(timer_val);
			IBCM_REF_CNT_DECR(statep);
			ibcm_delete_state_data(statep);
			goto new_req;

		/*
		 * The statep is stale in the following cases :-
		 *  1) if incoming REQ's comid's doesn't match with what is
		 *	stored in statep
		 *  2) incoming REQ's local comid matches with statep's
		 *	remote comid, but the REQ is for a new connection.
		 *	This is verified that by comparing the current time
		 *	with stale clock in statep
		 */
		} else {
			/* This is a stale connection on passive side */

			ibcm_insert_trace(statep, IBCM_TRACE_STALE_DETECT);

			IBTF_DPRINTF_L2(cmlog, "ibcm_process_req_msg: "
			    "stale detected statep %p state %x",
			    statep, statep->state);

			IBTF_DPRINTF_L4(cmlog, "ibcm_process_req_msg: "
			    "cur_time 0x%llX stale_clock 0x%llX", cur_time,
			    statep->stale_clock);

			if (statep->state == IBCM_STATE_ESTABLISHED) {

				statep->state = IBCM_STATE_TRANSIENT_DREQ_SENT;
				statep->stale = B_TRUE;

				/* Cancel pending ibt_set_alt_path */
				ibcm_sync_lapr_idle(statep);
				/* The above call releases the state mutex */

				if (statep->dreq_msg == NULL)
					(void) ibcm_alloc_out_msg(
					    statep->stored_reply_addr.ibmf_hdl,
					    &statep->dreq_msg, MAD_METHOD_SEND);

				/*
				 * Spec says, post DREQ MAD on the stale
				 * channel. This moves channel into timewait
				 */
				if (statep->dreq_msg != NULL)
					ibcm_post_dreq_mad(statep);
				else {
					mutex_enter(&statep->state_mutex);
					statep->state = IBCM_STATE_ESTABLISHED;
					cv_broadcast(&statep->block_mad_cv);
					mutex_exit(&statep->state_mutex);
				}
			} else {
				/*
				 * If not in established state, the CM
				 * protocol would timeout and delete the
				 * statep that is stale, eventually
				 */
				mutex_exit(&statep->state_mutex);
			}

			/* Post a REJ MAD to the incoming REQ's sender */
			ibcm_build_n_post_rej_mad(input_madp,
			    b2h32(req_msgp->req_local_comm_id),
			    cm_mad_addr, IBT_CM_FAILURE_REQ, IBT_CM_CONN_STALE);

			mutex_enter(&statep->state_mutex);
		}
		IBCM_REF_CNT_DECR(statep); /* decrement the ref count */
		mutex_exit(&statep->state_mutex);
	}
}

/*
 * ibcm_handle_cep_req_response:
 *	Processes the response from ibcm_cep_state_req. Called holding a
 *	statep ref cnt. The statep ref cnt is decremented before returning.
 */
void
ibcm_handle_cep_req_response(ibcm_state_data_t *statep, ibcm_status_t response,
    ibt_cm_reason_t reject_reason, uint8_t arej_info_len)
{
	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*statep))

	if (response == IBCM_SEND_REP)
		ibcm_post_rep_mad(statep);
	else {
		ASSERT(response == IBCM_SEND_REJ);
		IBTF_DPRINTF_L4(cmlog, "ibcm_handle_cep_req_response: statep %p"
		    " posting REJ reject_reason = %d", statep, reject_reason);

		ibcm_post_rej_mad(statep,
		    reject_reason, IBT_CM_FAILURE_REQ,
		    NULL, arej_info_len);
	}

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*statep))

	mutex_enter(&statep->state_mutex);
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}


/*
 * ibcm_process_rep_msg:
 *	ACTIVE SIDE CM
 *	Called from ibcm_process_incoming_mad on reception of a REP message
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- CM MAD that is input to this function
 *	cm_mad_addr	- Address information for the MAD
 *
 * RETURN VALUE:	NONE
 */
void
ibcm_process_rep_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ibt_priv_data_len_t	arej_info_len = 0;
	ib_com_id_t		local_comid;
	timeout_id_t		timer_val;
	ibcm_status_t		lookup_status;	/* state lookup status */
	ibcm_status_t		stale_lookup_status;
	ibcm_status_t		stale_comid_lookup_status;
	ibcm_status_t		response;
	ibcm_rep_msg_t		*rep_msgp;	/* Response REP mesg */
	ibt_cm_reason_t		reject_reason;
	ibcm_state_data_t	*statep = NULL;
	ibcm_state_data_t	*stale_qpn = NULL;
	ibcm_state_data_t	*stale_comid = NULL;
	ib_guid_t		remote_ca_guid;

	IBTF_DPRINTF_L3(cmlog, "ibcm_process_rep_msg:");

	/* Lookup for an existing state structure */
	rep_msgp = (ibcm_rep_msg_t *)(&input_madp[IBCM_MAD_HDR_SIZE]);

	IBCM_DUMP_RAW_MSG((uchar_t *)input_madp);

	IBTF_DPRINTF_L5(cmlog, "ibcm_process_rep_msg: active comid: %x",
	    rep_msgp->rep_remote_comm_id);

	local_comid = b2h32(rep_msgp->rep_remote_comm_id);

	/* lookup message holding a reader lock */
	rw_enter(&hcap->hca_state_rwlock, RW_READER);
	lookup_status = ibcm_lookup_msg(IBCM_INCOMING_REP, local_comid, 0, 0,
	    hcap, &statep);
	rw_exit(&hcap->hca_state_rwlock);

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_rep_msg: lkup status %x, "
	    "statep 0x%p active comid %x", lookup_status, statep, local_comid);

	if (lookup_status == IBCM_LOOKUP_FAIL) {
		ibcm_build_n_post_rej_mad(input_madp,
		    b2h32(rep_msgp->rep_local_comm_id), cm_mad_addr,
		    IBT_CM_FAILURE_REP, IBT_CM_INVALID_CID);

		return;
	}

	/* if transaction id is not as expected, drop the REP mad */
	if (IBCM_OUT_HDRP(statep->stored_msg)->TransactionID !=
	    ((ib_mad_hdr_t *)(input_madp))->TransactionID) {

		IBTF_DPRINTF_L3(cmlog, "ibcm_process_rep_msg: statep 0x%p, "
		    "An REP MAD with tid expected 0x%llX tid found 0x%llX ",
		    statep,
		    b2h64(IBCM_OUT_HDRP(statep->stored_msg)->TransactionID),
		    b2h64(((ib_mad_hdr_t *)(input_madp))->TransactionID));

		mutex_enter(&statep->state_mutex);
		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
		return;
	}

	ibcm_insert_trace(statep, IBCM_TRACE_INCOMING_REP);

	/* grab mutex first */
	mutex_enter(&statep->state_mutex);

	/*
	 * There is a state structure entry with active comid
	 * First, handle the re-send cases
	 * The resend routines below release the state mutex
	 */
	if (statep->state == IBCM_STATE_ESTABLISHED ||
	    statep->state == IBCM_STATE_DREQ_SENT)
		ibcm_resend_rtu_mad(statep);
	else if (statep->state == IBCM_STATE_REJ_SENT)
		ibcm_resend_rej_mad(statep);
	else if (statep->state == IBCM_STATE_MRA_REP_SENT)
		ibcm_resend_mra_mad(statep);
	else if ((statep->state == IBCM_STATE_REQ_SENT) ||
	    (statep->state == IBCM_STATE_REP_WAIT)) {

		/* change state */
		statep->state = IBCM_STATE_REP_RCVD;
		statep->clnt_proceed = IBCM_BLOCK;
		statep->local_qp_rnr_cnt =
		    rep_msgp->rep_rnr_retry_cnt_plus >> 5;

		/* cancel the REQ timer */
		if (statep->timerid != 0) {
			timer_val = statep->timerid;
			statep->timerid = 0;
			mutex_exit(&statep->state_mutex);
			(void) untimeout(timer_val);
		} else {
			mutex_exit(&statep->state_mutex);
		}

		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*statep))

		/* Initialize the remote destination QPN for further MADs */
		statep->stored_reply_addr.rcvd_addr.ia_remote_qno =
		    cm_mad_addr->rcvd_addr.ia_remote_qno;
		statep->remote_qpn = b2h32(rep_msgp->rep_local_qpn_plus) >> 8;
		statep->remote_comid = b2h32(rep_msgp->rep_local_comm_id);
		bcopy(rep_msgp->rep_local_ca_guid, &remote_ca_guid,
		    sizeof (ib_guid_t));
		statep->remote_hca_guid = b2h64(remote_ca_guid);

		IBTF_DPRINTF_L4(cmlog, "ibcm_process_rep_msg: statep 0x%p "
		    "passive cid = %x passive qpn = %x", statep,
		    statep->remote_comid, statep->remote_qpn);

		IBTF_DPRINTF_L4(cmlog, "ibcm_process_rep_msg: statep 0x%p "
		    "passive hcaguid = %llX", statep, statep->remote_hca_guid);

		stale_qpn = statep;
		stale_comid = statep;

		/* Handle stale connection detection on active side */
		rw_enter(&hcap->hca_state_rwlock, RW_WRITER);

		stale_lookup_status = ibcm_lookup_msg(IBCM_INCOMING_REP_STALE,
		    0, statep->remote_qpn, statep->remote_hca_guid, hcap,
		    &stale_qpn);

		stale_comid_lookup_status = ibcm_lookup_msg(
		    IBCM_INCOMING_REQ_STALE, statep->remote_comid, 0,
		    statep->remote_hca_guid, hcap, &stale_comid);

		rw_exit(&hcap->hca_state_rwlock);

		/*
		 * Check for other side reusing QPN that was attempted
		 * to be used, but somehow we sent a REJ.
		 */
		mutex_enter(&stale_qpn->state_mutex);
		if ((stale_lookup_status == IBCM_LOOKUP_EXISTS) &&
		    (stale_comid_lookup_status != IBCM_LOOKUP_EXISTS) &&
		    (stale_qpn->state == IBCM_STATE_REJ_SENT)) {

			timeout_id_t		timer_val;

			IBTF_DPRINTF_L3(cmlog, "ibcm_process_rep_msg: "
			    "statep 0x%p being retired, REMOTE_QPN %x",
			    stale_qpn, statep->remote_qpn);
			/*
			 * OK, this is reuse of the QPN on the active side
			 * that was not connected last time.  This REQ is
			 * considered NEW.  We delete the statep here,
			 * then start over from the top.
			 */
			stale_qpn->state = IBCM_STATE_DELETE;
			timer_val = stale_qpn->timerid;
			stale_qpn->timerid = 0;
			mutex_exit(&stale_qpn->state_mutex);
			if (timer_val)
				(void) untimeout(timer_val);
			IBCM_REF_CNT_DECR(stale_qpn);
			ibcm_delete_state_data(stale_qpn);
			stale_qpn = statep;
			rw_enter(&hcap->hca_state_rwlock, RW_WRITER);
			stale_lookup_status = ibcm_lookup_msg(
			    IBCM_INCOMING_REP_STALE, 0, statep->remote_qpn,
			    statep->remote_hca_guid, hcap, &stale_qpn);
			rw_exit(&hcap->hca_state_rwlock);
			/* OK to continue now */
		} else
			mutex_exit(&stale_qpn->state_mutex);

		/*
		 * lookup exists implies that there is already an entry with
		 * the remote qpn/comid and remote hca guid
		 */
		if ((stale_lookup_status == IBCM_LOOKUP_EXISTS) ||
		    (stale_comid_lookup_status == IBCM_LOOKUP_EXISTS)) {

			IBTF_DPRINTF_L2(cmlog, "ibcm_process_rep_msg: "
			    "statep 0x%p stale detected "
			    "qpn_lkup %d comid_lkup %d", statep,
			    stale_lookup_status, stale_comid_lookup_status);

			/* Disassociate statep and QP */
			IBCM_SET_CHAN_PRIVATE(statep->channel, NULL);

			if (stale_lookup_status == IBCM_LOOKUP_EXISTS)
				reject_reason = IBT_CM_CONN_STALE;
			else
				reject_reason = IBT_CM_DUP_COM_ID;

			ibcm_handler_conn_fail(statep,
			    IBT_CM_FAILURE_REJ_SENT, IBT_CM_FAILURE_REP,
			    reject_reason,
			    IBCM_REJ_PRIV(statep->stored_msg),
			    IBT_REJ_PRIV_DATA_SZ);

			/* Send a REJ with stale reason for statep */
			ibcm_post_rej_mad(statep, reject_reason,
			    IBT_CM_FAILURE_REP, NULL, 0);

			/* Now let's handle the logic for stale connections */
			/* If in established state, stale_statep is stale */
			if (stale_lookup_status == IBCM_LOOKUP_EXISTS) {

				IBTF_DPRINTF_L2(cmlog, "ibcm_process_rep_msg: "
				    "state_qpn 0x%p stale QPN detected "
				    "state %X", stale_qpn, stale_qpn->state);

				ibcm_insert_trace(stale_qpn,
				    IBCM_TRACE_STALE_DETECT);

				mutex_enter(&stale_qpn->state_mutex);
				if (stale_qpn->state ==
				    IBCM_STATE_ESTABLISHED) {
					/* change state to DREQ sent */
					stale_qpn->state =
					    IBCM_STATE_TRANSIENT_DREQ_SENT;
					stale_qpn->stale = B_TRUE;

					/* wait for/cancel pending LAP/APR */
					ibcm_sync_lapr_idle(stale_qpn);
					/* above call releases state mutex */

					if (stale_qpn->dreq_msg == NULL)
						(void) ibcm_alloc_out_msg(
						    stale_qpn->
						    stored_reply_addr.ibmf_hdl,
						    &stale_qpn->dreq_msg,
						    MAD_METHOD_SEND);

					if (stale_qpn->dreq_msg != NULL) {
						ibcm_post_dreq_mad(stale_qpn);
						mutex_enter(
						    &stale_qpn->state_mutex);
					} else {
						mutex_enter(
						    &stale_qpn->state_mutex);
						stale_qpn->state =
						    IBCM_STATE_ESTABLISHED;
						cv_broadcast(
						    &stale_qpn->block_mad_cv);
					}
				}
				IBCM_REF_CNT_DECR(stale_qpn);
				mutex_exit(&stale_qpn->state_mutex);
			}

			if (stale_comid_lookup_status == IBCM_LOOKUP_EXISTS) {

				IBTF_DPRINTF_L2(cmlog, "ibcm_process_rep_msg: "
				    "state_comid 0x%p stale COMID detected "
				    "state %X", stale_comid,
				    stale_comid->state);

				mutex_enter(&stale_comid->state_mutex);
				if (!((stale_lookup_status ==
				    IBCM_LOOKUP_EXISTS) &&
				    (stale_qpn == stale_comid)) &&
				    (stale_comid->state ==
				    IBCM_STATE_ESTABLISHED)) {

					ibcm_insert_trace(stale_comid,
					    IBCM_TRACE_STALE_DETECT);

					/* change state to DREQ sent */
					stale_comid->state =
					    IBCM_STATE_TRANSIENT_DREQ_SENT;
					stale_comid->stale = B_TRUE;

					/* wait for/cancel pending LAP/APR */
					ibcm_sync_lapr_idle(stale_comid);

					/* above call releases state mutex */

					if (stale_comid->dreq_msg == NULL)
						(void) ibcm_alloc_out_msg(
						    stale_comid->
						    stored_reply_addr.ibmf_hdl,
						    &stale_comid->dreq_msg,
						    MAD_METHOD_SEND);

					if (stale_comid->dreq_msg != NULL) {
						ibcm_post_dreq_mad(stale_comid);
						mutex_enter(
						    &stale_comid->state_mutex);
					} else {
						mutex_enter(
						    &stale_comid->state_mutex);
						stale_comid->state =
						    IBCM_STATE_ESTABLISHED;
						cv_broadcast(
						    &stale_comid->block_mad_cv);
					}
				}
				IBCM_REF_CNT_DECR(stale_comid);
				mutex_exit(&stale_comid->state_mutex);
			}
			ibcm_return_open_data(statep, rep_msgp, reject_reason);
			return;
		}

		/*
		 * No need to handle out of memory conditions as we called
		 * ibcm_lookup_msg() with IBT_CHAN_BLOCKING flags.
		 */
		ASSERT(stale_lookup_status == IBCM_LOOKUP_NEW);

		/* Initialize the remote ack delay */
		statep->remote_ack_delay =
		    ibt_ib2usec(rep_msgp->rep_target_delay_plus >> 3);

		IBTF_DPRINTF_L4(cmlog, "ibcm_process_rep_msg: statep 0x%p"
		    " passive hca_ack_delay= %x ", statep,
		    statep->remote_ack_delay);

		response = ibcm_cep_state_rep(statep, rep_msgp,
		    &reject_reason, &arej_info_len);

		if (response == IBCM_DEFER) {
			IBTF_DPRINTF_L4(cmlog, "ibcm_process_rep_msg: "
			    "statep 0x%p client returned DEFER response",
			    statep);
			return;
		}
		ibcm_handle_cep_rep_response(statep, response,
		    reject_reason, arej_info_len, rep_msgp);

		_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*statep))

		return;

	} else if (statep->state == IBCM_STATE_DELETE) {

		mutex_exit(&statep->state_mutex);
		ibcm_build_n_post_rej_mad(input_madp,
		    b2h32(rep_msgp->rep_local_comm_id), cm_mad_addr,
		    IBT_CM_FAILURE_REP, IBT_CM_INVALID_CID);
		mutex_enter(&statep->state_mutex);
	} else {

#ifdef DEBUG
		if (ibcm_test_mode > 0)
			if (statep->state == IBCM_STATE_REP_RCVD)
				IBTF_DPRINTF_L2(cmlog, "ibcm_process_rep_msg: "
				    "REP re-send from passive for statep 0x%p"
				    " in state %d", statep, statep->state);
			else
				IBTF_DPRINTF_L2(cmlog, "ibcm_process_rep_msg: "
				    "Unexpected REP for statep 0x%p in "
				    "state %d", statep, statep->state);
#endif
	}
	/* decrement ref count and return for LOOKUP_EXISTS */
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);

}

/*
 * ibcm_handle_cep_req_response:
 *	Processes the response from ibcm_cep_state_rep. Called holding a
 *	statep ref cnt. The statep ref cnt is decremented before returning.
 */
void
ibcm_handle_cep_rep_response(ibcm_state_data_t *statep, ibcm_status_t response,
    ibt_cm_reason_t reject_reason, uint8_t arej_info_len,
    ibcm_rep_msg_t *rep_msgp)
{
	/* wait until the send completion callback is invoked for REQ post */
	mutex_enter(&statep->state_mutex);
	while (statep->send_mad_flags & IBCM_REQ_POST_BUSY)
		cv_wait(&statep->block_mad_cv, &statep->state_mutex);
	mutex_exit(&statep->state_mutex);

	if (response == IBCM_SEND_RTU) {
		/* if connection aborted, return */
		if (ibcm_post_rtu_mad(statep) != IBCM_SUCCESS) {
			mutex_enter(&statep->state_mutex);
			IBCM_REF_CNT_DECR(statep);
			mutex_exit(&statep->state_mutex);
			return;
		}

		/*
		 * Call client handler with cm event  IBT_CM_EVENT_CONN_EST to
		 * indicate RTU posted
		 */
		ibcm_cep_send_rtu(statep);
	} else {
		IBTF_DPRINTF_L4(cmlog, "ibcm_handle_cep_rep_response: statep %p"
		    " posting REJ reject_reason = %d", statep, reject_reason);

		ASSERT(response == IBCM_SEND_REJ);
		ibcm_post_rej_mad(statep, reject_reason, IBT_CM_FAILURE_REP,
		    NULL, arej_info_len);
	}

	ibcm_return_open_data(statep, rep_msgp, reject_reason);
}

/*
 * ibcm_return_open_data:
 *	Initializes the ibt_open_rc_channel return data. The statep ref cnt is
 *	decremented before returning.
 */
static void
ibcm_return_open_data(ibcm_state_data_t *statep, ibcm_rep_msg_t *rep_msgp,
    ibt_cm_reason_t reject_reason)
{
	/* signal waiting CV - blocking in ibt_open_channel() */
	if (statep->open_return_data != NULL) {
		if (statep->open_return_data->rc_priv_data_len > 0)
			bcopy(rep_msgp->rep_private_data,
			    statep->open_return_data->rc_priv_data,
			    statep->open_return_data->rc_priv_data_len);
		statep->open_return_data->rc_rdma_ra_in =
		    rep_msgp->rep_initiator_depth;
		statep->open_return_data->rc_rdma_ra_out =
		    rep_msgp->rep_resp_resources;
		statep->open_return_data->rc_failover_status =
		    rep_msgp->rep_target_delay_plus >> 1 & 3;
		statep->open_return_data->rc_status = reject_reason;

		mutex_enter(&statep->state_mutex);
		statep->open_done = B_TRUE;
		cv_broadcast(&statep->block_client_cv);
	} else mutex_enter(&statep->state_mutex);

	/* decrement ref count and return for LOOKUP_EXISTS */
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}


/*
 * ibcm_process_mra_msg:
 *	Called from ibcm_process_incoming_mad on reception of a MRA message
 *
 *	Cancels existing timer, and sets a new timer based on timeout
 *	value from MRA message. The remaining retry count of statep is
 *	not changed, and timer value for the remaining retry timers is
 *	also not changed
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- CM MAD that is input to this function
 *	cm_mad_addr	- Address information for the MAD
 *
 * RETURN VALUE:	NONE
 */
void
ibcm_process_mra_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ibcm_status_t		state_lookup_status;
	ibcm_mra_msg_t		*mra_msgp =
	    (ibcm_mra_msg_t *)(&input_madp[IBCM_MAD_HDR_SIZE]);
	ibcm_state_data_t	*statep = NULL;
	uint8_t			mra_msg;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_mra_msg:");

	/* Lookup for an existing state structure (as a READER) */
	rw_enter(&hcap->hca_state_rwlock, RW_READER);
	state_lookup_status = ibcm_lookup_msg(IBCM_INCOMING_MRA,
	    b2h32(mra_msgp->mra_remote_comm_id), 0, 0, hcap, &statep);
	rw_exit(&hcap->hca_state_rwlock);

	/* if state doesn't exist just return */
	if (state_lookup_status != IBCM_LOOKUP_EXISTS) {
		ibcm_build_n_post_rej_mad(input_madp,
		    b2h32(mra_msgp->mra_local_comm_id), cm_mad_addr,
		    IBT_CM_FAILURE_UNKNOWN, IBT_CM_INVALID_CID);
		return;
	}

	if (IBCM_OUT_HDRP(statep->stored_msg)->TransactionID !=
	    ((ib_mad_hdr_t *)(input_madp))->TransactionID) {
		mutex_enter(&statep->state_mutex);
		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
		IBTF_DPRINTF_L3(cmlog, "ibcm_process_mra_msg: statep 0x%p "
		    "MRA MAD with tid expected 0x%llX tid found 0x%llX "
		    "com id 0x%x arrived", statep,
		    b2h64(IBCM_OUT_HDRP(statep->stored_msg)->TransactionID),
		    b2h64(((ib_mad_hdr_t *)(input_madp))->TransactionID),
		    b2h32(mra_msgp->mra_local_comm_id));
		return;
	}

	ibcm_insert_trace(statep, IBCM_TRACE_INCOMING_MRA);

	mutex_enter(&statep->state_mutex);

	/*
	 * Only allow for REQ/REP "mra_msg_typ" ONLY
	 * (to validate MRA message received)?
	 */
	mra_msg = mra_msgp->mra_message_type_plus >> 6;
	if ((mra_msg != IBT_CM_MRA_TYPE_REQ) &&
	    (mra_msg != IBT_CM_MRA_TYPE_REP) &&
	    (mra_msg != IBT_CM_MRA_TYPE_LAP)) {

		IBTF_DPRINTF_L2(cmlog, "ibcm_process_mra_msg: statep 0x%p "
		    "Unexpected MRA MSG Type %x", statep, mra_msg);
		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
		return;
	}

	if ((statep->state == IBCM_STATE_REQ_SENT) ||
	    (statep->state == IBCM_STATE_REP_SENT) ||
	    ((statep->state == IBCM_STATE_ESTABLISHED) &&
	    (statep->ap_state == IBCM_AP_STATE_LAP_SENT))) {
		timeout_id_t	timer_val = statep->timerid;
		clock_t		service_timeout;

		if (statep->state == IBCM_STATE_REQ_SENT) {
			mra_msg = IBT_CM_MRA_TYPE_REQ;
			statep->state = IBCM_STATE_REP_WAIT;
		} else if (statep->state == IBCM_STATE_REP_SENT) {
			mra_msg = IBT_CM_MRA_TYPE_REP;
			statep->state = IBCM_STATE_MRA_REP_RCVD;
		} else { /* statep->state == IBCM_STATE_LAP_SENT */
			mra_msg = IBT_CM_MRA_TYPE_LAP;
			statep->ap_state = IBCM_AP_STATE_MRA_LAP_RCVD;
		}

		/* cancel the timer */
		statep->timerid = 0;
		mutex_exit(&statep->state_mutex);

		(void) untimeout(timer_val);

		service_timeout =
		    ibt_ib2usec(mra_msgp->mra_service_timeout_plus >> 3);

		/*
		 * If tunable MAX MRA Service Timeout parameter is set, then
		 * verify whether the requested timer value exceeds the MAX
		 * value and reset the timer value to the MAX value.
		 */
		if (ibcm_mra_service_timeout_max &&
		    ibcm_mra_service_timeout_max < service_timeout) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_mra_msg: "
			    "Unexpected MRA Service Timeout value (%ld), Max "
			    "allowed is (%ld)", service_timeout,
			    ibcm_mra_service_timeout_max);
			service_timeout = ibcm_mra_service_timeout_max;
		}

		/*
		 * Invoke client handler to pass the MRA private data
		 */
		if (statep->cm_handler != NULL) {
			ibt_cm_event_t	event;

			bzero(&event, sizeof (event));

			event.cm_type = IBT_CM_EVENT_MRA_RCV;
			event.cm_channel = statep->channel;
			event.cm_session_id = NULL;
			event.cm_priv_data = mra_msgp->mra_private_data;
			event.cm_priv_data_len = IBT_MRA_PRIV_DATA_SZ;

			event.cm_event.mra.mra_msg_type = mra_msg;

			event.cm_event.mra.mra_service_time = service_timeout;

			/* Client cannot return private data */
			(void) statep->cm_handler(statep->state_cm_private,
			    &event, NULL, NULL, 0);
		}

		/*
		 * Must re-check state, as an RTU could have come
		 * after the above mutex_exit and mutex_enter below
		 */
		mutex_enter(&statep->state_mutex);
		if ((statep->state == IBCM_STATE_REP_WAIT) ||
		    (statep->state == IBCM_STATE_MRA_REP_RCVD) ||
		    (statep->ap_state == IBCM_AP_STATE_MRA_LAP_RCVD)) {

			statep->remaining_retry_cnt = statep->max_cm_retries;

			/*
			 * The timeout interval is changed only for the first
			 * retry.  The later retries use the timeout from
			 * statep->timer_value
			 */
			statep->timer_stored_state = statep->state;
			statep->timer_value = statep->pkt_life_time +
			    service_timeout;
			statep->timerid = IBCM_TIMEOUT(statep,
			    statep->timer_value);
		}

	} else if (statep->state == IBCM_STATE_DELETE) {

		mutex_exit(&statep->state_mutex);
		ibcm_build_n_post_rej_mad(input_madp,
		    b2h32(mra_msgp->mra_local_comm_id), cm_mad_addr,
		    IBT_CM_FAILURE_UNKNOWN, IBT_CM_INVALID_CID);
		mutex_enter(&statep->state_mutex);
	} else {

#ifdef DEBUG
		if (ibcm_test_mode > 0)
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_mra_msg: "
			    "Unexpected mra for statep 0x%p in state %d",
			    statep, statep->state);
#endif
	}

	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}


/*
 * ibcm_process_rtu_msg:
 *	Called from ibcm_process_incoming_mad on reception of a RTU message
 *
 *	Changes connection state to established if in REP SENT state
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- CM MAD that is input to this function
 *	cm_mad_addr	- Address information for the MAD
 *
 * RETURN VALUE:	NONE
 */
void
ibcm_process_rtu_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	timeout_id_t		timer_val;
	ibcm_status_t		status;
	ibcm_rtu_msg_t		*rtu_msg =
	    (ibcm_rtu_msg_t *)(&input_madp[IBCM_MAD_HDR_SIZE]);
	ibcm_state_data_t	*statep = NULL;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_rtu_msg:");

	/* Lookup for an existing state structure - using a reader lock */
	rw_enter(&hcap->hca_state_rwlock, RW_READER);
	status = ibcm_lookup_msg(IBCM_INCOMING_RTU,
	    b2h32(rtu_msg->rtu_remote_comm_id), 0, 0, hcap, &statep);
	rw_exit(&hcap->hca_state_rwlock);

	/* if state doesn't exist just return */
	if (status != IBCM_LOOKUP_EXISTS) {
		ibcm_build_n_post_rej_mad(input_madp,
		    b2h32(rtu_msg->rtu_local_comm_id), cm_mad_addr,
		    IBT_CM_FAILURE_UNKNOWN, IBT_CM_INVALID_CID);
		return;
	}

	if (IBCM_OUT_HDRP(statep->stored_msg)->TransactionID !=
	    ((ib_mad_hdr_t *)(input_madp))->TransactionID) {
		mutex_enter(&statep->state_mutex);
		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
		IBTF_DPRINTF_L3(cmlog, "ibcm_process_rtu_msg: statep 0x%p "
		    "An RTU MAD with tid expected 0x%llX tid found 0x%llX "
		    "com id 0x%x arrived", statep,
		    b2h64(IBCM_OUT_HDRP(statep->stored_msg)->TransactionID),
		    b2h64(((ib_mad_hdr_t *)(input_madp))->TransactionID),
		    b2h32(rtu_msg->rtu_remote_comm_id));
		return;
	}

	ibcm_insert_trace(statep, IBCM_TRACE_INCOMING_RTU);

	mutex_enter(&statep->state_mutex);

	if ((statep->state == IBCM_STATE_REP_SENT) ||
	    (statep->state == IBCM_STATE_MRA_REP_RCVD)) {

		/* transient until ibt_modify_qp succeeds to RTS */
		statep->state = IBCM_STATE_TRANSIENT_ESTABLISHED;

		timer_val = statep->timerid;
		statep->timerid = 0;
		mutex_exit(&statep->state_mutex);

		(void) untimeout(timer_val);

		ibcm_cep_state_rtu(statep, rtu_msg);

		mutex_enter(&statep->state_mutex);

	} else if (statep->state == IBCM_STATE_REJ_SENT) {
		ibcm_resend_rej_mad(statep);
	} else if (statep->state == IBCM_STATE_DELETE) {

		mutex_exit(&statep->state_mutex);
		ibcm_build_n_post_rej_mad(input_madp,
		    b2h32(rtu_msg->rtu_local_comm_id), cm_mad_addr,
		    IBT_CM_FAILURE_UNKNOWN, IBT_CM_INVALID_CID);
		mutex_enter(&statep->state_mutex);
	} else {

#ifdef DEBUG
		if ((ibcm_test_mode > 0) &&
		    (statep->state != IBCM_STATE_ESTABLISHED))
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_rtu_msg: "
			    "Unexpected rtu for statep 0x%p in state %d",
			    statep, statep->state);
#endif
	}

	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}


/*
 * ibcm_process_rej_msg:
 *	Called from ibcm_process_incoming_mad on reception of a REJ message.
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- CM MAD that is input to this function
 *	cm_mad_addr	- Address information for the MAD
 *
 * RETURN VALUE:	NONE
 */
/* ARGSUSED */
void
ibcm_process_rej_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ibcm_status_t		state_lookup_status;
	ibcm_rej_msg_t		*rej_msg =
	    (ibcm_rej_msg_t *)(&input_madp[IBCM_MAD_HDR_SIZE]);
	ibcm_state_data_t	*statep = NULL;
	ib_guid_t		remote_hca_guid;
	ibcm_conn_state_t	rej_state;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_rej_msg:");

	/* Lookup for an existing state structure */
	rw_enter(&hcap->hca_state_rwlock, RW_READER);	/* grab READER lock */

	if ((b2h32(rej_msg->rej_remote_comm_id) == 0) &&
	    ((rej_msg->rej_reject_info_len_plus >> 1) >= sizeof (ib_guid_t)) &&
	    (b2h16(rej_msg->rej_rejection_reason) == IBT_CM_TIMEOUT)) {
		bcopy(rej_msg->rej_addl_rej_info, &remote_hca_guid,
		    sizeof (ib_guid_t));
		remote_hca_guid = b2h64(remote_hca_guid);

		IBTF_DPRINTF_L4(cmlog, "ibcm_process_rej_msg: "
		    "hca guid in REJ's ARI =  %llX", remote_hca_guid);

		state_lookup_status = ibcm_lookup_msg(IBCM_INCOMING_REJ_RCOMID,
		    b2h32(rej_msg->rej_local_comm_id), 0, remote_hca_guid,
		    hcap, &statep);
	} else
		state_lookup_status = ibcm_lookup_msg(IBCM_INCOMING_REJ,
		    b2h32(rej_msg->rej_remote_comm_id), 0, 0, hcap, &statep);

	rw_exit(&hcap->hca_state_rwlock);


	/* if state doesn't exist just return */
	if (state_lookup_status != IBCM_LOOKUP_EXISTS) {

		IBTF_DPRINTF_L2(cmlog, "ibcm_process_rej_msg: no statep with "
		    "local com id %x remote com id %x reason %d",
		    b2h32(rej_msg->rej_remote_comm_id),
		    b2h32(rej_msg->rej_local_comm_id),
		    b2h16(rej_msg->rej_rejection_reason));

		/* Do NOT respond with invalid comid REJ */
		return;
	}

	IBTF_DPRINTF_L2(cmlog, "ibcm_process_rej_msg: statep 0x%p INCOMING_REJ",
	    statep);
	ibcm_insert_trace(statep, IBCM_TRACE_INCOMING_REJ);
	if (ibcm_enable_trace & 2)
		ibcm_dump_conn_trace(statep);

	mutex_enter(&statep->state_mutex);

	rej_state = statep->state;

	if ((statep->state == IBCM_STATE_REP_SENT) ||
	    (statep->state == IBCM_STATE_REQ_SENT) ||
	    (statep->state == IBCM_STATE_REP_WAIT) ||
	    (statep->state == IBCM_STATE_MRA_REP_RCVD)) {
		timeout_id_t	timer_val = statep->timerid;

		statep->state = IBCM_STATE_DELETE;

		/* cancel the REQ/REP timer */
		if (timer_val != 0) {
			statep->timerid = 0;
			mutex_exit(&statep->state_mutex);

			(void) untimeout(timer_val);
		} else {
			mutex_exit(&statep->state_mutex);
		}

		/*
		 * Call the QP state transition processing function
		 * NOTE: Input MAD is the REJ received, there is no output MAD
		 */
		ibcm_cep_state_rej(statep, rej_msg, rej_state);

		/* signal waiting CV - blocking in ibt_open_channel() */
		if (statep->open_return_data != NULL) {
			statep->open_return_data->rc_status =
			    b2h16(rej_msg->rej_rejection_reason);

			if (statep->open_return_data->rc_priv_data_len > 0)
				bcopy(rej_msg->rej_private_data,
				    statep->open_return_data->rc_priv_data,
				    min(
				    statep->open_return_data->rc_priv_data_len,
				    IBT_REJ_PRIV_DATA_SZ));
			mutex_enter(&statep->state_mutex);
			statep->open_done = B_TRUE;
			cv_broadcast(&statep->block_client_cv);
		} else {
			mutex_enter(&statep->state_mutex);
		}

		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);

		/* Now delete the statep */
		ibcm_delete_state_data(statep);

	} else if ((statep->state == IBCM_STATE_ESTABLISHED) &&
	    (statep->mode == IBCM_ACTIVE_MODE)) {

		IBTF_DPRINTF_L4(cmlog, "ibcm_process_rej_msg: statep 0x%p "
		    "REJ in established state", statep);

		statep->state = IBCM_STATE_TIMEWAIT;

		/* wait for/cancel pending LAP/APR, release state mutex */
		ibcm_sync_lapr_idle(statep);

		/* wait until client is informed CONN EST event */
		mutex_enter(&statep->state_mutex);
		while (statep->cep_in_rts == IBCM_BLOCK)
			cv_wait(&statep->block_mad_cv, &statep->state_mutex);
		mutex_exit(&statep->state_mutex);

		/*
		 * Call the QP state transition processing function
		 * NOTE: Input MAD is the REJ received, there is no output MAD
		 */
		ibcm_cep_state_rej_est(statep);

		/*
		 * Start the timewait state timer, as connection is in
		 * established state
		 */

		/*
		 * For passive side CM set it to remote_ack_delay
		 * For active side CM add the pkt_life_time * 2
		 */
		mutex_enter(&statep->state_mutex);
		statep->timer_value = statep->remote_ack_delay;
		/* statep->mode == IBCM_ACTIVE_MODE) */
		statep->timer_value += (2 * statep->pkt_life_time);

		statep->remaining_retry_cnt = 0;
		statep->timer_stored_state = statep->state;

		statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);

		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);

	} else if (((statep->state == IBCM_STATE_REQ_RCVD) ||
	    (statep->state == IBCM_STATE_REP_RCVD) ||
	    (statep->state == IBCM_STATE_MRA_SENT) ||
	    (statep->state == IBCM_STATE_MRA_REP_SENT)) &&
	    (b2h16(rej_msg->rej_rejection_reason) == IBT_CM_TIMEOUT)) {

		if (statep->abort_flag == IBCM_ABORT_INIT)
			statep->abort_flag = IBCM_ABORT_REJ;

		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
	} else {

#ifdef DEBUG
		if ((ibcm_test_mode > 0) &&
		    (statep->state != IBCM_STATE_DELETE))
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_rej_msg: "
			    "Unexpected rej for statep 0x%p in state %d",
			    statep, statep->state);
#endif
		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
	}
}


/*
 * ibcm_process_dreq_msg:
 *	Processes incoming DREQ message on active/passive side
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- CM MAD that is input to this function
 *	cm_mad_addr	- Address information for the MAD
 *
 * RETURN VALUE:	NONE
 */
/*ARGSUSED*/
void
ibcm_process_dreq_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	void			*priv_data = NULL;
	ibcm_status_t		state_lookup_status;
	ib_qpn_t		local_qpn;
	ibcm_dreq_msg_t		*dreq_msgp =
	    (ibcm_dreq_msg_t *)(&input_madp[IBCM_MAD_HDR_SIZE]);
	ibcm_state_data_t	*statep = NULL;
	uint8_t			close_event_type;
	ibt_cm_status_t		cb_status;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_dreq_msg:");

	/* Lookup for an existing state structure */
	rw_enter(&hcap->hca_state_rwlock, RW_READER);

	state_lookup_status = ibcm_lookup_msg(IBCM_INCOMING_DREQ,
	    b2h32(dreq_msgp->dreq_remote_comm_id), 0, 0, hcap, &statep);
	rw_exit(&hcap->hca_state_rwlock);

	local_qpn = b2h32(dreq_msgp->dreq_remote_qpn_eecn_plus) >> 8;

	if (state_lookup_status != IBCM_LOOKUP_EXISTS) {
		IBTF_DPRINTF_L3(cmlog, "ibcm_process_dreq_msg: no statep with"
		    "com id %x", b2h32(dreq_msgp->dreq_remote_comm_id));
		/* implies a bogus message */
		return;
	}

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_dreq_msg: statep 0x%p "
	    "lookup status %x dreq qpn = %x", statep, state_lookup_status,
	    local_qpn);

	/*
	 * Local QPN check is necessary. There could be a DREQ from
	 * a remote stale connection processing with the same com id, but
	 * not intended for this statep
	 */
	mutex_enter(&statep->state_mutex);
	if ((statep->local_qpn != local_qpn) ||
	    (statep->remote_comid != b2h32(dreq_msgp->dreq_local_comm_id))) {

		IBTF_DPRINTF_L3(cmlog, "ibcm_process_dreq_msg:"
		    "statep->local_qpn = %x qpn in dreq = %x"
		    "statep->remote_comid = %x local comid in dreq = %x",
		    statep->local_qpn, local_qpn, statep->remote_comid,
		    b2h32(dreq_msgp->dreq_local_comm_id));

		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
		return;
	}
	/*
	 * If another thread is processing a copy of this same DREQ,
	 * bail out here.
	 */
	if (statep->state == IBCM_STATE_TRANSIENT_DREQ_SENT ||
	    statep->drep_in_progress) {
		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
		return;
	}
	switch (statep->state) {
	case IBCM_STATE_ESTABLISHED:
	case IBCM_STATE_DREQ_SENT:
	case IBCM_STATE_TIMEWAIT:
		break;
	default:
		/* All other states ignore DREQ */
		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
		return;
	}
	statep->drep_in_progress = 1;

	/*
	 * If drep msg wasn't really required, it shall be deleted finally
	 * when statep goes away
	 */
	if (statep->drep_msg == NULL) {
		mutex_exit(&statep->state_mutex);
		if (ibcm_alloc_out_msg(statep->stored_reply_addr.ibmf_hdl,
		    &statep->drep_msg, MAD_METHOD_SEND) != IBT_SUCCESS) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_dreq_msg: "
			    "statep 0x%p ibcm_alloc_out_msg failed", statep);
			mutex_enter(&statep->state_mutex);
			statep->drep_in_progress = 0;
			IBCM_REF_CNT_DECR(statep);
			mutex_exit(&statep->state_mutex);
			return;
		}
		mutex_enter(&statep->state_mutex);
	}

	if (statep->state == IBCM_STATE_TRANSIENT_DREQ_SENT) {
		IBCM_REF_CNT_DECR(statep);
		statep->drep_in_progress = 0;
		mutex_exit(&statep->state_mutex);
		return;
	}

	/*
	 * Need to generate drep, as time wait can be reached either by an
	 * outgoing dreq or an incoming dreq
	 */
	if ((statep->state == IBCM_STATE_ESTABLISHED) ||
	    (statep->state == IBCM_STATE_DREQ_SENT)) {
		timeout_id_t	timer_val = statep->timerid;

		if (statep->state == IBCM_STATE_DREQ_SENT) {
			statep->state = IBCM_STATE_DREQ_RCVD;
			statep->timerid = 0;
			ibcm_close_done(statep, 0);
			mutex_exit(&statep->state_mutex);

			close_event_type = IBT_CM_CLOSED_DUP;
			if (timer_val != 0) {
				/* Cancel the timer set for DREP reception */
				(void) untimeout(timer_val);
			}
		} else {	/* In ESTABLISHED State */
			boolean_t	is_ofuv = statep->is_this_ofuv_chan;

			statep->state = IBCM_STATE_DREQ_RCVD;
			statep->clnt_proceed = IBCM_BLOCK;

			/* Cancel or wait for LAP/APR to complete */
			ibcm_sync_lapr_idle(statep);
			/* The above function releases the state mutex */

			/* wait until client knows CONN EST event */
			mutex_enter(&statep->state_mutex);
			while (statep->cep_in_rts == IBCM_BLOCK)
				cv_wait(&statep->block_mad_cv,
				    &statep->state_mutex);
			mutex_exit(&statep->state_mutex);

			close_event_type = IBT_CM_CLOSED_DREQ_RCVD;
			/* Move CEP to error state */
			if (is_ofuv == B_FALSE) /* Skip for OFUV channel */
				(void) ibcm_cep_to_error_state(statep);
		}
		mutex_enter(&statep->state_mutex);
		statep->drep_in_progress = 0;

		IBCM_OUT_HDRP(statep->drep_msg)->TransactionID =
		    ((ib_mad_hdr_t *)(input_madp))->TransactionID;

		priv_data = &(((ibcm_drep_msg_t *)
		    IBCM_OUT_MSGP(statep->drep_msg))->drep_private_data[0]);

		if (statep->close_ret_status)
			*statep->close_ret_status = close_event_type;

		if (statep->close_nocb_state != IBCM_FAIL) {
			ibtl_cm_chan_is_closing(statep->channel);
			statep->close_nocb_state = IBCM_BLOCK;
		}
		mutex_exit(&statep->state_mutex);

		/*
		 * if close_nocb_state is IBCM_FAIL, then cm_handler is NULL
		 * if close_nocb_state is IBCM_BLOCK, client cannot go away
		 */
		if (statep->cm_handler != NULL) {
			ibt_cm_event_t		event;
			ibt_cm_return_args_t	ret_args;

			bzero(&event, sizeof (event));
			bzero(&ret_args, sizeof (ret_args));

			event.cm_type = IBT_CM_EVENT_CONN_CLOSED;
			event.cm_channel = statep->channel;
			event.cm_session_id = statep;
			event.cm_priv_data = dreq_msgp->dreq_private_data;
			event.cm_priv_data_len = IBT_DREQ_PRIV_DATA_SZ;
			event.cm_event.closed = close_event_type;

			ibcm_insert_trace(statep,
			    IBCM_TRACE_CALLED_CONN_CLOSE_EVENT);

			cb_status = statep->cm_handler(statep->state_cm_private,
			    &event, &ret_args, priv_data,
			    IBT_DREP_PRIV_DATA_SZ);

			ibcm_insert_trace(statep,
			    IBCM_TRACE_RET_CONN_CLOSE_EVENT);

			if (cb_status == IBT_CM_DEFER) {
				mutex_enter(&statep->state_mutex);
				statep->clnt_proceed =
				    IBCM_UNBLOCK;
				cv_broadcast(&statep->block_client_cv);
				mutex_exit(&statep->state_mutex);

				IBTF_DPRINTF_L4(cmlog, "ibcm_process_dreq_msg:"
				    " statep 0x%p client returned DEFER "
				    "response", statep);
				return;
			}
		}

		/* fail/resume any blocked cm api call */
		mutex_enter(&statep->state_mutex);

		/* Signal for cm proceed api */
		statep->clnt_proceed = IBCM_FAIL;

		/* Signal for close with no callbacks */
		statep->close_nocb_state = IBCM_FAIL;

		/* Signal any waiting close channel thread */
		statep->close_done = B_TRUE;

		cv_broadcast(&statep->block_client_cv);
		mutex_exit(&statep->state_mutex);

		ibcm_handle_cep_dreq_response(statep, NULL, 0);

	} else if (statep->state == IBCM_STATE_TIMEWAIT) {
		statep->drep_in_progress = 0;
		if (statep->send_mad_flags & IBCM_DREP_POST_BUSY) {
			IBCM_REF_CNT_DECR(statep);
			mutex_exit(&statep->state_mutex);
			return;
		}
		statep->send_mad_flags |= IBCM_DREP_POST_BUSY;

		/* Release statep mutex before posting the MAD */
		mutex_exit(&statep->state_mutex);

		IBCM_OUT_HDRP(statep->drep_msg)->TransactionID =
		    ((ib_mad_hdr_t *)(input_madp))->TransactionID;

		ibcm_post_drep_mad(statep);
		/* ref cnt decremented in ibcm_post_drep_complete */
	} else {
#ifdef DEBUG
		if ((ibcm_test_mode > 0) &&
		    (statep->state != IBCM_STATE_DELETE))
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_dreq_msg: "
			    "Unexpected dreq for statep 0x%p in state %d",
			    statep, statep->state);
#endif
		IBCM_REF_CNT_DECR(statep);
		statep->drep_in_progress = 0;
		mutex_exit(&statep->state_mutex);
	}
}

/*
 * ibcm_handle_cep_dreq_response:
 *	Processes the response from client handler for an incoming DREQ.
 *	The statep ref cnt is decremented before returning.
 */
void
ibcm_handle_cep_dreq_response(ibcm_state_data_t *statep, void *priv_data,
    ibt_priv_data_len_t priv_data_len)
{
	if ((priv_data != NULL) && (priv_data_len > 0))
		bcopy(priv_data,
		    &(((ibcm_drep_msg_t *)
		    IBCM_OUT_MSGP(statep->drep_msg))->drep_private_data[0]),
		    min(priv_data_len, IBT_DREP_PRIV_DATA_SZ));

	ibcm_post_drep_mad(statep);
}


/*
 * ibcm_post_dreq_mad:
 *	Posts a DREQ MAD
 * Post DREQ now for TIMEWAIT state and DREQ_RCVD
 *
 * INPUTS:
 *	statep		- state pointer
 *
 * RETURN VALUE:
 *	NONE
 */
void
ibcm_post_dreq_mad(void *vstatep)
{
	ibcm_state_data_t	*statep = vstatep;
	ibcm_dreq_msg_t		*dreq_msgp;

	ASSERT(statep->dreq_msg != NULL);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*dreq_msgp))

	/* Fill in the DREQ message */
	dreq_msgp = (ibcm_dreq_msg_t *)IBCM_OUT_MSGP(statep->dreq_msg);
	dreq_msgp->dreq_local_comm_id = h2b32(statep->local_comid);
	dreq_msgp->dreq_remote_comm_id = h2b32(statep->remote_comid);
	dreq_msgp->dreq_remote_qpn_eecn_plus = h2b32(statep->remote_qpn << 8);

	IBCM_OUT_HDRP(statep->dreq_msg)->AttributeID =
	    h2b16(IBCM_INCOMING_DREQ + IBCM_ATTR_BASE_ID);

	/* wait until client knows CONN EST event */
	mutex_enter(&statep->state_mutex);
	while (statep->cep_in_rts == IBCM_BLOCK)
		cv_wait(&statep->block_mad_cv, &statep->state_mutex);
	mutex_exit(&statep->state_mutex);

	/* Transition QP/EEC state to ERROR state */
	(void) ibcm_cep_to_error_state(statep);

	IBCM_OUT_HDRP(statep->dreq_msg)->TransactionID =
	    h2b64(ibcm_generate_tranid(IBCM_INCOMING_DREQ, statep->local_comid,
	    0));

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*dreq_msgp))

	/* post the first DREQ via timeout callback */
	mutex_enter(&statep->state_mutex);

	statep->state = IBCM_STATE_DREQ_SENT;
	cv_broadcast(&statep->block_mad_cv);

	statep->timer_stored_state = statep->state;
	/* client cannot specify more than 16 retries */
	statep->timer_value = statep->remote_ack_delay;
	if (statep->mode == IBCM_ACTIVE_MODE) {
		statep->timer_value += (2 * statep->pkt_life_time);
	}
	statep->remaining_retry_cnt = statep->max_cm_retries + 1;
	statep->timerid = IBCM_TIMEOUT(statep, 0);
	mutex_exit(&statep->state_mutex);
}

/*
 * ibcm_post_drep_mad:
 *	Posts a DREP MAD
 * Post DREP now for TIMEWAIT state and DREQ_RCVD
 *
 * INPUTS:
 *	statep		- state pointer
 *
 * RETURN VALUE:
 *	NONE
 */
static void
ibcm_post_drep_mad(ibcm_state_data_t *statep)
{
	ibcm_drep_msg_t	*drep_msgp;

	drep_msgp = (ibcm_drep_msg_t *)IBCM_OUT_MSGP(statep->drep_msg);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*drep_msgp))

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_drep_mad:");

	/* Fill up DREP fields */
	drep_msgp->drep_local_comm_id = h2b32(statep->local_comid);
	drep_msgp->drep_remote_comm_id = h2b32(statep->remote_comid);
	IBCM_OUT_HDRP(statep->drep_msg)->AttributeID =
	    h2b16(IBCM_INCOMING_DREP + IBCM_ATTR_BASE_ID);

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*drep_msgp))

	ibcm_insert_trace(statep, IBCM_TRACE_OUTGOING_DREP);

	/* Post the DREP MAD now.  */
	ibcm_post_rc_mad(statep, statep->drep_msg, ibcm_post_drep_complete,
	    statep);
}

/*
 * ibcm_process_drep_msg:
 *	Processes incoming DREP message on active/passive side
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- CM MAD that is input to this function
 *	cm_mad_addr	- Address information for the MAD
 *
 * RETURN VALUE: NONE
 */
/* ARGSUSED */
void
ibcm_process_drep_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ibcm_status_t		state_lookup_status;
	ibcm_drep_msg_t		*drep_msgp =
	    (ibcm_drep_msg_t *)(&input_madp[IBCM_MAD_HDR_SIZE]);
	ibcm_state_data_t	*statep = NULL;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_drep_msg:");

	/* Lookup for an existing state structure */
	rw_enter(&hcap->hca_state_rwlock, RW_READER);

	state_lookup_status = ibcm_lookup_msg(IBCM_INCOMING_DREP,
	    b2h32(drep_msgp->drep_remote_comm_id), 0, 0, hcap, &statep);
	rw_exit(&hcap->hca_state_rwlock);

	if (state_lookup_status != IBCM_LOOKUP_EXISTS) {
		IBTF_DPRINTF_L3(cmlog, "ibcm_process_drep_msg: no statep with"
		    "com id %x", b2h32(drep_msgp->drep_remote_comm_id));
		return;
	}

	/* if transaction id is not as expected, drop the DREP mad */
	if (IBCM_OUT_HDRP(statep->dreq_msg)->TransactionID !=
	    ((ib_mad_hdr_t *)(input_madp))->TransactionID) {
		mutex_enter(&statep->state_mutex);
		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
		IBTF_DPRINTF_L3(cmlog, "ibcm_process_drep_msg: statep 0x%p "
		    "DREP with tid expected 0x%llX tid found 0x%llX", statep,
		    b2h64(IBCM_OUT_HDRP(statep->dreq_msg)->TransactionID),
		    b2h64(((ib_mad_hdr_t *)(input_madp))->TransactionID));
		return;
	}

	ibcm_insert_trace(statep, IBCM_TRACE_INCOMING_DREP);

	mutex_enter(&statep->state_mutex);

	if (statep->state == IBCM_STATE_DREQ_SENT) {
		timeout_id_t	timer_val = statep->timerid;

		statep->state = IBCM_STATE_DREP_RCVD;

		statep->timerid = 0;
		mutex_exit(&statep->state_mutex);
		(void) untimeout(timer_val);

		if (statep->stale == B_TRUE)
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_drep_msg: "
			    "statep 0x%p Unexpected DREP received for a stale "
			    "DREQ sent", statep);

		mutex_enter(&statep->state_mutex);
		/* allow free qp, if close channel with NOCALLBACKS didn't */
		if (statep->close_nocb_state != IBCM_FAIL) {
			ibtl_cm_chan_is_closing(statep->channel);
			statep->close_nocb_state = IBCM_BLOCK;
		}
		mutex_exit(&statep->state_mutex);

		/* if close_nocb_state is IBCM_FAIL, then cm_handler is NULL */
		if (statep->cm_handler != NULL) {
			ibt_cm_event_t		event;
			ibt_cm_return_args_t	ret_args;

			bzero(&event, sizeof (event));
			bzero(&ret_args, sizeof (ret_args));

			event.cm_type = IBT_CM_EVENT_CONN_CLOSED;
			event.cm_channel = statep->channel;
			event.cm_session_id = NULL;

			if (statep->stale == B_TRUE) {
				event.cm_event.closed = IBT_CM_CLOSED_STALE;
				event.cm_priv_data = NULL;
				event.cm_priv_data_len = 0;
			} else {
				event.cm_event.closed = IBT_CM_CLOSED_DREP_RCVD;
				event.cm_priv_data =
				    drep_msgp->drep_private_data;
				event.cm_priv_data_len = IBT_DREP_PRIV_DATA_SZ;
			}

			ibcm_insert_trace(statep,
			    IBCM_TRACE_CALLED_CONN_CLOSE_EVENT);

			(void) statep->cm_handler(statep->state_cm_private,
			    &event, &ret_args, NULL, 0);

			ibcm_insert_trace(statep,
			    IBCM_TRACE_RET_CONN_CLOSE_EVENT);
		}

		/* copy the private to close channel, if specified */
		if ((statep->close_ret_priv_data != NULL) &&
		    (statep->close_ret_priv_data_len != NULL) &&
		    (*statep->close_ret_priv_data_len > 0)) {
			bcopy(drep_msgp->drep_private_data,
			    statep->close_ret_priv_data,
			    min(*statep->close_ret_priv_data_len,
			    IBT_DREP_PRIV_DATA_SZ));
		}

		mutex_enter(&statep->state_mutex);
		if (statep->close_ret_status)
			*statep->close_ret_status = IBT_CM_CLOSED_DREP_RCVD;
		/* signal waiting CV - blocking in ibt_close_channel() */
		statep->close_done = B_TRUE;

		/* signal any blocked close channels with no callbacks */
		statep->close_nocb_state = IBCM_FAIL;

		cv_broadcast(&statep->block_client_cv);

		/* Set the timer wait state timer */
		statep->state = statep->timer_stored_state =
		    IBCM_STATE_TIMEWAIT;
		ibcm_close_done(statep, 0);

		statep->remaining_retry_cnt = 0;
		/*
		 * For passive side CM set it to remote_ack_delay
		 * For active side CM add the pkt_life_time * 2
		 */
		statep->timer_value = statep->remote_ack_delay;
		if (statep->mode == IBCM_ACTIVE_MODE) {
			statep->timer_value += (2 * statep->pkt_life_time);
		}

		/* start TIMEWAIT processing */
		statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);
	}

	/* There is no processing required for other states */
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*
 * Following are the routines used to resend various CM MADs as a response to
 * incoming MADs
 */
void
ibcm_resend_rtu_mad(ibcm_state_data_t *statep)
{
	ASSERT(MUTEX_HELD(&statep->state_mutex));

	IBTF_DPRINTF_L3(cmlog, "ibcm_resend_rtu_mad statep %p ", statep);

	/* don't care, if timer is running or not. Timer may be from LAP */

	if (!(statep->send_mad_flags & IBCM_RTU_POST_BUSY)) {
		statep->send_mad_flags |= IBCM_RTU_POST_BUSY;
		IBCM_REF_CNT_INCR(statep);	/* for non-blocking RTU post */
		mutex_exit(&statep->state_mutex);

		ibcm_insert_trace(statep, IBCM_TRACE_OUTGOING_RTU);

		ibcm_post_rc_mad(statep, statep->stored_msg,
		    ibcm_post_rtu_complete, statep);
		mutex_enter(&statep->state_mutex);
	}
	/* ref cnt is decremented in ibcm_post_rtu_complete */
}

void
ibcm_resend_rej_mad(ibcm_state_data_t *statep)
{
	timeout_id_t		timer_val = statep->timerid;

	ASSERT(MUTEX_HELD(&statep->state_mutex));

	IBTF_DPRINTF_L3(cmlog, "ibcm_resend_rej_mad statep %p ", statep);

	/* It's a too fast of a REQ or REP */
	if (timer_val == 0)
		return;

	statep->timerid = 0;
	if (!(statep->send_mad_flags & IBCM_REJ_POST_BUSY)) {
		statep->send_mad_flags |= IBCM_REJ_POST_BUSY;
		IBCM_REF_CNT_INCR(statep);	/* for nonblocking REJ post */
		mutex_exit(&statep->state_mutex);
		(void) untimeout(timer_val);

		ibcm_insert_trace(statep, IBCM_TRACE_OUTGOING_REJ);
		if (ibcm_enable_trace & 2)
			ibcm_dump_conn_trace(statep);
		else
			IBTF_DPRINTF_L2(cmlog, "ibcm_resend_rej_mad statep %p "
			    "OUTGOING_REJ", statep);

		ibcm_post_rc_mad(statep, statep->stored_msg,
		    ibcm_post_rej_complete, statep);
		mutex_enter(&statep->state_mutex);
	}
	/* return, holding the state mutex */
}

void
ibcm_resend_rep_mad(ibcm_state_data_t *statep)
{
	timeout_id_t		timer_val = statep->timerid;

	ASSERT(MUTEX_HELD(&statep->state_mutex));

	IBTF_DPRINTF_L3(cmlog, "ibcm_resend_rep_mad statep %p ", statep);

	/* REP timer that is set by ibcm_post_rep_mad */
	if (timer_val != 0) {
		/* Re-start REP timeout */
		statep->remaining_retry_cnt = statep->max_cm_retries;
		if (!(statep->send_mad_flags & IBCM_REP_POST_BUSY)) {
			statep->send_mad_flags |= IBCM_REP_POST_BUSY;
			/* for nonblocking REP post */
			IBCM_REF_CNT_INCR(statep);
			mutex_exit(&statep->state_mutex);

			ibcm_insert_trace(statep, IBCM_TRACE_OUT_REP_RETRY);

			ibcm_post_rc_mad(statep, statep->stored_msg,
			    ibcm_resend_post_rep_complete, statep);
			mutex_enter(&statep->state_mutex);
		}
	}

	/*
	 * else, timer is not yet set by ibcm_post_rep_mad. This is too fast
	 * of a REQ being re-transmitted.
	 */
}

void
ibcm_resend_mra_mad(ibcm_state_data_t *statep)
{
	ASSERT(MUTEX_HELD(&statep->state_mutex));

	IBTF_DPRINTF_L3(cmlog, "ibcm_resend_mra_mad statep %p ", statep);

	if (statep->send_mad_flags & IBCM_MRA_POST_BUSY)
		return;

	statep->send_mad_flags |= IBCM_MRA_POST_BUSY;

	statep->mra_time = gethrtime();
	IBCM_REF_CNT_INCR(statep);	/* for non-blocking MRA post */
	/* Exit the statep mutex, before sending the MAD */
	mutex_exit(&statep->state_mutex);

	ibcm_insert_trace(statep, IBCM_TRACE_OUTGOING_MRA);

	/* Always resend the response MAD to the original reply destination */
	ibcm_post_rc_mad(statep, statep->mra_msg, ibcm_post_mra_complete,
	    statep);

	mutex_enter(&statep->state_mutex);

	/* return, holding the state mutex */
}


/*
 * ibcm_post_rej_mad:
 *	Posts a REJ MAD and starts timer
 *
 * INPUTS:
 *	statep		- state pointer
 *	which_msg	- which message is being MRAed
 *	reject_reason	- Rejection reason See Section 12.6.7.2 rev1.0a IB Spec
 *	addl_rej_info	- Additional rej Information
 *	arej_info_len	- Additional rej Info length
 *
 * RETURN VALUE:
 *	NONE
 * Notes
 *  There is no need to hold the statep->mutex and call ibcm_post_rej_mad
 *  REJ can be posted either in IBCM_STATE_REQ_RCVD or IBCM_STATE_REP_RCVD
 *  In these states, there is no timer active, and an incoming REJ shall
 *  not modify the state or cancel timers
 *  An incoming REJ doesn't affect statep in state = IBCM_STATE_REJ_SENT/BUSY
 */
void
ibcm_post_rej_mad(ibcm_state_data_t *statep, ibt_cm_reason_t reject_reason,
    int which_msg, void *addl_rej_info, ibt_priv_data_len_t arej_info_len)
{
	ibcm_rej_msg_t	*rej_msg =
	    (ibcm_rej_msg_t *)IBCM_OUT_MSGP(statep->stored_msg);

	/* Message printed if connection gets REJed */
	IBTF_DPRINTF_L3(cmlog, "ibcm_post_rej_mad: "
	    "statep = %p, reject_reason = %d", statep, reject_reason);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*rej_msg))

	/* Initialize rej_msg fields */
	rej_msg->rej_local_comm_id = h2b32(statep->local_comid);
	rej_msg->rej_remote_comm_id = h2b32(statep->remote_comid);
	rej_msg->rej_msg_type_plus = (which_msg & 0x3) << 6;
	rej_msg->rej_reject_info_len_plus = arej_info_len << 1;
	rej_msg->rej_rejection_reason = h2b16((uint16_t)reject_reason);

	if ((arej_info_len != 0) && (addl_rej_info != NULL))
		bcopy(addl_rej_info, rej_msg->rej_addl_rej_info, arej_info_len);

	IBCM_OUT_HDRP(statep->stored_msg)->AttributeID =
	    h2b16(IBCM_INCOMING_REJ + IBCM_ATTR_BASE_ID);

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*rej_msg))

	mutex_enter(&statep->state_mutex);

	/* signal any waiting close channels with blocking or no callbacks  */
	statep->close_done = B_TRUE;
	statep->close_nocb_state = IBCM_FAIL;

	cv_signal(&statep->block_client_cv);

	statep->timer_stored_state = statep->state = IBCM_STATE_REJ_SENT;
	statep->send_mad_flags |= IBCM_REJ_POST_BUSY;

	IBCM_REF_CNT_INCR(statep); /* for non-blocking post */
	mutex_exit(&statep->state_mutex);

	ibcm_insert_trace(statep, IBCM_TRACE_OUTGOING_REJ);
	if (ibcm_enable_trace & 2)
		ibcm_dump_conn_trace(statep);
	else
		IBTF_DPRINTF_L2(cmlog, "ibcm_post_rej_mad statep %p "
		    "OUTGOING_REJ", statep);

	ibcm_post_rc_mad(statep, statep->stored_msg, ibcm_post_rej_complete,
	    statep);
}


/*
 * ibcm_build_n_post_rej_mad:
 *	Builds and posts a REJ MAD for "reject_reason"
 *	Doesn't set a timer, and doesn't need statep
 *
 * INPUTS:
 *	input_madp	- Incoming MAD
 *	remote_comid	- Local comid in the message being rejected
 *	cm_mad_addr	- Address information for the MAD to be posted
 *	which_msg	- REJ message type ie., REJ for REQ/REP
 *
 * RETURN VALUE:
 *	NONE
 */
static void
ibcm_build_n_post_rej_mad(uint8_t *input_madp, ib_com_id_t remote_comid,
    ibcm_mad_addr_t *cm_mad_addr, int which_msg, uint16_t reject_reason)
{
	ibcm_rej_msg_t	*rej_msg;
	ibmf_msg_t	*cm_rej_msg;
	ibcm_mad_addr_t	rej_reply_addr;

	IBTF_DPRINTF_L3(cmlog, "ibcm_build_n_post_rej_mad: "
	    "remote_comid: %x reject_reason %d", remote_comid, reject_reason);

	if (ibcm_alloc_out_msg(cm_mad_addr->ibmf_hdl, &cm_rej_msg,
	    MAD_METHOD_SEND) != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_build_n_post_rej_mad: "
		    "ibcm_alloc_out_msg failed");
		return;
	}

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*rej_msg))

	IBCM_OUT_HDRP(cm_rej_msg)->TransactionID =
	    ((ib_mad_hdr_t *)(input_madp))->TransactionID;

	/* Initialize rej_msg fields */
	rej_msg = (ibcm_rej_msg_t *)IBCM_OUT_MSGP(cm_rej_msg);
	rej_msg->rej_local_comm_id = 0;
	rej_msg->rej_remote_comm_id = h2b32(remote_comid);
	rej_msg->rej_msg_type_plus = (which_msg & 0x3) << 6;
	rej_msg->rej_reject_info_len_plus = 0;
	rej_msg->rej_rejection_reason = h2b16(reject_reason);

	IBCM_OUT_HDRP(cm_rej_msg)->AttributeID =
	    h2b16(IBCM_INCOMING_REJ + IBCM_ATTR_BASE_ID);

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*rej_msg))

	ibcm_build_reply_mad_addr(cm_mad_addr, &rej_reply_addr);

	if (rej_reply_addr.cm_qp_entry != NULL) {
		(void) ibcm_post_mad(cm_rej_msg, &rej_reply_addr, NULL, NULL);
		ibcm_release_qp(rej_reply_addr.cm_qp_entry);
	}

	(void) ibcm_free_out_msg(cm_mad_addr->ibmf_hdl, &cm_rej_msg);
}

/* posts a REJ for an incoming REQ with unsupported class version */

static void
ibcm_post_rej_ver_mismatch(uint8_t *input_madp, ibcm_mad_addr_t *cm_mad_addr)
{
	ibcm_req_msg_t	*req_msgp =
	    (ibcm_req_msg_t *)&input_madp[IBCM_MAD_HDR_SIZE];
	ibcm_rej_msg_t	*rej_msg;
	ibmf_msg_t	*cm_rej_msg;
	ibcm_mad_addr_t	rej_reply_addr;

	IBTF_DPRINTF_L3(cmlog, "ibcm_post_rej_ver_mismatch: remote comid %x",
	    b2h32(req_msgp->req_local_comm_id));

	if (ibcm_alloc_out_msg(cm_mad_addr->ibmf_hdl, &cm_rej_msg,
	    MAD_METHOD_SEND) != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_post_rej_ver_mismatch: "
		    "ibcm_alloc_out_msg failed");
		return;
	}

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*rej_msg))

	IBCM_OUT_HDRP(cm_rej_msg)->TransactionID =
	    ((ib_mad_hdr_t *)(input_madp))->TransactionID;

	/* Initialize rej_msg fields */
	rej_msg = (ibcm_rej_msg_t *)IBCM_OUT_MSGP(cm_rej_msg);
	rej_msg->rej_local_comm_id = 0;
	rej_msg->rej_remote_comm_id = req_msgp->req_local_comm_id;
	rej_msg->rej_msg_type_plus = IBT_CM_FAILURE_REQ << 6;
	rej_msg->rej_rejection_reason = h2b16(IBT_CM_CLASS_NO_SUPPORT);
	rej_msg->rej_reject_info_len_plus = 1 << 1;
	rej_msg->rej_addl_rej_info[0] = IBCM_MAD_CLASS_VERSION;

	IBCM_OUT_HDRP(cm_rej_msg)->AttributeID =
	    h2b16(IBCM_INCOMING_REJ + IBCM_ATTR_BASE_ID);
	IBCM_OUT_HDRP(cm_rej_msg)->Status = h2b16(MAD_STATUS_BAD_VERSION);

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*rej_msg))

	ibcm_build_reply_mad_addr(cm_mad_addr, &rej_reply_addr);
	if (rej_reply_addr.cm_qp_entry != NULL) {
		(void) ibcm_post_mad(cm_rej_msg, &rej_reply_addr, NULL, NULL);
		ibcm_release_qp(rej_reply_addr.cm_qp_entry);
	}
	(void) ibcm_free_out_msg(cm_mad_addr->ibmf_hdl, &cm_rej_msg);
}


/*
 * ibcm_post_rep_mad:
 *	Posts a REP MAD and starts timer
 *
 * INPUTS:
 *	statep		- state pointer
 *
 * RETURN VALUE:
 *	NONE
 */
void
ibcm_post_rep_mad(ibcm_state_data_t *statep)
{
	ibcm_rep_msg_t	*rep_msgp =
	    (ibcm_rep_msg_t *)IBCM_OUT_MSGP(statep->stored_msg);
	ibmf_msg_t	*mra_msg = NULL;
	boolean_t	ret = B_FALSE;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_rep_mad: statep 0x%p", statep);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*rep_msgp))

	/*
	 * All other REP fields, other that the 2 below, are filled in
	 * the ibcm_cep_state_req() function.
	 */
	rep_msgp->rep_local_comm_id = h2b32(statep->local_comid);
	rep_msgp->rep_remote_comm_id = h2b32(statep->remote_comid);
	IBCM_OUT_HDRP(statep->stored_msg)->AttributeID =
	    h2b16(IBCM_INCOMING_REP + IBCM_ATTR_BASE_ID);

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*rep_msgp))

	/*
	 * Changing state and attempt to delete the mra msg must be done
	 * together holding the state_mutex
	 */
	mutex_enter(&statep->state_mutex);

	/* Now, attempt to delete the mra_msg, if there is one allocated */
	if (statep->mra_msg != NULL) {
		if (!(statep->send_mad_flags & IBCM_MRA_POST_BUSY)) {
			mra_msg = statep->mra_msg;
			statep->mra_msg = NULL;
		} else statep->delete_mra_msg = B_TRUE;
	}

	if (statep->abort_flag == IBCM_ABORT_CLIENT) {
		statep->state = IBCM_STATE_ABORTED;
		mutex_exit(&statep->state_mutex);
		ibcm_process_abort(statep);

		/* Now post a REJ MAD, rej reason consumer abort */
		ibcm_post_rej_mad(statep, IBT_CM_CONSUMER, IBT_CM_FAILURE_REQ,
		    NULL, 0);
		ret = B_TRUE;
	} else if (statep->abort_flag & IBCM_ABORT_REJ) {

		statep->state = IBCM_STATE_DELETE;
		mutex_exit(&statep->state_mutex);

		ibcm_process_abort(statep);
		ibcm_delete_state_data(statep);
		ret = B_TRUE;
	} else {

		statep->state = statep->timer_stored_state =
		    IBCM_STATE_REP_SENT;
		statep->remaining_retry_cnt = statep->max_cm_retries;
		statep->send_mad_flags |= IBCM_REP_POST_BUSY;
		IBCM_REF_CNT_INCR(statep);	/* for nonblocking REP Post */
		mutex_exit(&statep->state_mutex);
	}

	if (mra_msg != NULL)
		(void) ibcm_free_out_msg(statep->stored_reply_addr.ibmf_hdl,
		    &mra_msg);
	if (ret == B_TRUE)
		return;

	ibcm_insert_trace(statep, IBCM_TRACE_OUTGOING_REP);

	ibcm_post_rc_mad(statep, statep->stored_msg, ibcm_post_rep_complete,
	    statep);
}


/*
 * ibcm_post_rtu_mad:
 *	From active side post RTU MAD
 *
 * INPUTS:
 *	statep		- state pointer
 *
 * RETURN VALUE: NONE
 *
 * NOTE: No timer set after posting RTU
 */
ibcm_status_t
ibcm_post_rtu_mad(ibcm_state_data_t *statep)
{
	ibcm_rtu_msg_t	*rtu_msg;
	ibmf_msg_t	*mra_msg = NULL;
	boolean_t	ret = B_FALSE;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_rtu_mad: statep 0x%p", statep);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*rtu_msg))

	rtu_msg = (ibcm_rtu_msg_t *)IBCM_OUT_MSGP(statep->stored_msg);

	rtu_msg->rtu_local_comm_id = h2b32(statep->local_comid);
	rtu_msg->rtu_remote_comm_id = h2b32(statep->remote_comid);
	IBCM_OUT_HDRP(statep->stored_msg)->AttributeID =
	    h2b16(IBCM_INCOMING_RTU + IBCM_ATTR_BASE_ID);

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*rtu_msg))

	mutex_enter(&statep->state_mutex);

	/* Now, attempt to delete the mra_msg, if there is one allocated */
	if (statep->mra_msg != NULL) {
		if (!(statep->send_mad_flags & IBCM_MRA_POST_BUSY)) {
			mra_msg = statep->mra_msg;
			statep->mra_msg = NULL;
		} else statep->delete_mra_msg = B_TRUE;
	}

	if (statep->abort_flag == IBCM_ABORT_CLIENT) {
		statep->state = IBCM_STATE_ABORTED;
		mutex_exit(&statep->state_mutex);

		ibcm_process_abort(statep);

		/* Now post a REJ MAD */
		ibcm_post_rej_mad(statep, IBT_CM_CONSUMER, IBT_CM_FAILURE_REP,
		    NULL, 0);
		ret = B_TRUE;
	} else if (statep->abort_flag & IBCM_ABORT_REJ) {
		statep->state = IBCM_STATE_DELETE;
		mutex_exit(&statep->state_mutex);

		ibcm_process_abort(statep);
		ibcm_delete_state_data(statep);
		ret = B_TRUE;
	} else {
		statep->state = IBCM_STATE_ESTABLISHED;
		ibtl_cm_chan_is_open(statep->channel);
		statep->send_mad_flags |= IBCM_RTU_POST_BUSY;
		IBCM_REF_CNT_INCR(statep);	/* for nonblocking RTU post */
		mutex_exit(&statep->state_mutex);
	}

	if (mra_msg != NULL)
		(void) ibcm_free_out_msg(statep->stored_reply_addr.ibmf_hdl,
		    &mra_msg);

	if (ret == B_TRUE)	/* Abort case, no RTU posted */
		return (IBCM_FAILURE);

	ibcm_insert_trace(statep, IBCM_TRACE_OUTGOING_RTU);

	ibcm_post_rc_mad(statep, statep->stored_msg, ibcm_post_rtu_complete,
	    statep);
	return (IBCM_SUCCESS);
}


/*
 * ibcm_process_abort:
 *	Processes abort, if client requested abort connection attempt
 *
 * INPUTS:
 *	statep	- pointer to ibcm_state_data_t is passed
 *
 * RETURN VALUES: None
 */
void
ibcm_process_abort(ibcm_state_data_t *statep)
{
	IBTF_DPRINTF_L3(cmlog, "ibcm_process_abort: statep 0x%p", statep);

	/* move CEP to error state, before calling client handler */
	(void) ibcm_cep_to_error_state(statep);

	/* Now disassociate the link between statep and qp */
	IBCM_SET_CHAN_PRIVATE(statep->channel, NULL);

	/* invoke cm handler, for non-blocking open/close rc channel calls */
	if (statep->cm_handler) { /* cannot be NULL, but still .. */
		ibt_cm_event_t		event;
		ibt_cm_return_args_t	ret_args;

		bzero(&event, sizeof (event));
		bzero(&ret_args, sizeof (ret_args));

		if (statep->abort_flag & IBCM_ABORT_REJ)
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_RCV,
			    IBT_CM_FAILURE_UNKNOWN, IBT_CM_TIMEOUT, NULL, 0);
		else {
			ibcm_path_cache_purge();

			event.cm_type = IBT_CM_EVENT_CONN_CLOSED;
			event.cm_channel = statep->channel;
			event.cm_event.closed = IBT_CM_CLOSED_ABORT;

			ibcm_insert_trace(statep,
			    IBCM_TRACE_CALLED_CONN_CLOSE_EVENT);

			if (statep->channel)
				ibtl_cm_chan_open_is_aborted(statep->channel);

			(void) statep->cm_handler(statep->state_cm_private,
			    &event, &ret_args, NULL, 0);

			ibcm_insert_trace(statep,
			    IBCM_TRACE_RET_CONN_CLOSE_EVENT);

			mutex_enter(&statep->state_mutex);
			ibcm_open_done(statep);
			mutex_exit(&statep->state_mutex);
		}
	}

	/*
	 * Unblock an ibt_open_rc_channel called in a blocking mode, though
	 * it is an unlikely scenario
	 */
	mutex_enter(&statep->state_mutex);

	statep->cm_retries++; /* cause connection trace to be printed */
	statep->open_done = B_TRUE;
	statep->close_done = B_TRUE;
	statep->close_nocb_state = IBCM_FAIL; /* sanity sake */

	if (statep->open_return_data != NULL) {
		/* REJ came first, and then client aborted connection */
		if (statep->abort_flag & IBCM_ABORT_REJ)
			statep->open_return_data->rc_status = IBT_CM_TIMEOUT;
		else statep->open_return_data->rc_status = IBT_CM_ABORT;
	}

	cv_broadcast(&statep->block_client_cv);
	mutex_exit(&statep->state_mutex);
	if (ibcm_enable_trace != 0)
		ibcm_dump_conn_trace(statep);
}

/*
 * ibcm_timeout_cb:
 *	Called when the timer expires
 *
 * INPUTS:
 *	arg	- ibcm_state_data_t is passed
 *
 * RETURN VALUES: NONE
 */
void
ibcm_timeout_cb(void *arg)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)arg;

	mutex_enter(&statep->state_mutex);

	/*
	 * The blocking operations are handled in a separate thread.
	 * All other non-blocking operations, including ibmf non-blocking
	 * posts are done from timeout context
	 */

	if ((statep->timer_stored_state != statep->state) ||
	    ((statep->timer_stored_state == IBCM_STATE_ESTABLISHED) &&
	    (statep->ap_state != statep->timer_stored_ap_state))) {
		mutex_exit(&statep->state_mutex);
		return;
	}

	IBTF_DPRINTF_L3(cmlog, "ibcm_timeout_cb: statep 0x%p state %x "
	    "ap_state %x", statep, statep->state, statep->ap_state);

	/* Processing depends upon current state */

	if (statep->state == IBCM_STATE_REJ_SENT) {
		statep->state = IBCM_STATE_DELETE;
		mutex_exit(&statep->state_mutex);

		/* Deallocate the CM state structure */
		ibcm_delete_state_data(statep);
		return;

	} else if (statep->state == IBCM_STATE_TIMEWAIT) {
		statep->state = IBCM_STATE_DELETE;

		/* TIME_WAIT timer expired, so cleanup */
		mutex_exit(&statep->state_mutex);

		if (statep->channel)
			ibtl_cm_chan_is_closed(statep->channel);

		if (statep->recycle_arg) {
			struct ibcm_taskq_recycle_arg_s *recycle_arg;

			recycle_arg = statep->recycle_arg;

			_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(
			    statep->recycle_arg))
			statep->recycle_arg = NULL;
			_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(statep->recycle_arg))

			/* if possible, do not slow down calling recycle func */
			if (taskq_dispatch(ibcm_taskq, ibcm_process_rc_recycle,
			    recycle_arg, TQ_NOQUEUE | TQ_NOSLEEP) ==
			    TASKQID_INVALID) {

				_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(
				    statep->recycle_arg))
				statep->recycle_arg = recycle_arg;
				_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(
				    statep->recycle_arg))
				ibcm_add_tlist(statep);
				return;
			}
		}

		ibcm_delete_state_data(statep);
		return;
	} else if (statep->remaining_retry_cnt > 0) {
		ibcm_conn_state_t	stored_state;
		ibcm_ap_state_t		stored_ap_state;

		statep->remaining_retry_cnt--;
		IBTF_DPRINTF_L3(cmlog, "ibcm_timeout_cb: statep 0x%p "
		    "attr-id= 0x%x, retries remaining = 0x%x", statep,
		    b2h16(IBCM_OUT_HDRP(statep->stored_msg)->AttributeID),
		    statep->remaining_retry_cnt);

		/*
		 * REP could be resent, either because of timeout or an
		 * incoming REQ. Any other MAD below can be resent, because
		 * of timeout only, hence send_mad_flag manipulation not
		 * required for those cases.
		 * If REP is already being retransmitted, then just set the
		 * timer and return. Else post REP in non-blocking mode
		 */
		if (statep->timer_stored_state == IBCM_STATE_REP_SENT) {
			if (statep->send_mad_flags & IBCM_REP_POST_BUSY) {
				statep->timerid = IBCM_TIMEOUT(statep,
				    statep->timer_value);
				mutex_exit(&statep->state_mutex);
				ibcm_insert_trace(statep,
				    IBCM_TRACE_TIMEOUT_REP);
				return;
			}

			/*
			 * Set REP  busy flag, so any incoming REQ's will not
			 * initiate new REP transmissions
			 */
			statep->send_mad_flags |= IBCM_REP_POST_BUSY;

		/* Since REQ/RTU/REJ on active side use same MAD, synchronize */
		} else if (statep->timer_stored_state == IBCM_STATE_REQ_SENT) {
			ASSERT((statep->send_mad_flags & IBCM_REQ_POST_BUSY)
			    == 0);
			statep->send_mad_flags |= IBCM_REQ_POST_BUSY;
		}

		IBCM_REF_CNT_INCR(statep);	/* for non-blocking post */
		stored_state = statep->timer_stored_state;
		stored_ap_state = statep->timer_stored_ap_state;
		mutex_exit(&statep->state_mutex);

		/* Post REQ MAD in non-blocking mode */
		if (stored_state == IBCM_STATE_REQ_SENT) {
			ibcm_insert_trace(statep, IBCM_TRACE_OUT_REQ_RETRY);
			ibcm_post_rc_mad(statep, statep->stored_msg,
			    ibcm_post_req_complete, statep);
		/* Post REQ MAD in non-blocking mode */
		} else if (stored_state == IBCM_STATE_REP_WAIT) {
			ibcm_insert_trace(statep, IBCM_TRACE_OUT_REQ_RETRY);
			ibcm_post_rc_mad(statep, statep->stored_msg,
			    ibcm_post_rep_wait_complete, statep);
		/* Post REP MAD in non-blocking mode */
		} else if (stored_state == IBCM_STATE_REP_SENT) {
			ibcm_insert_trace(statep, IBCM_TRACE_OUT_REP_RETRY);
			ibcm_post_rc_mad(statep, statep->stored_msg,
			    ibcm_post_rep_complete, statep);
		/* Post REP MAD in non-blocking mode */
		} else if (stored_state == IBCM_STATE_MRA_REP_RCVD) {
			ibcm_insert_trace(statep, IBCM_TRACE_OUT_REP_RETRY);
			mutex_enter(&statep->state_mutex);
			statep->mra_time = gethrtime();
			mutex_exit(&statep->state_mutex);
			ibcm_post_rc_mad(statep, statep->stored_msg,
			    ibcm_post_mra_rep_complete, statep);
		/* Post DREQ MAD in non-blocking mode */
		} else if (stored_state == IBCM_STATE_DREQ_SENT) {
			mutex_enter(&statep->state_mutex);
			if (statep->remaining_retry_cnt ==
			    statep->max_cm_retries)
				ibcm_insert_trace(statep,
				    IBCM_TRACE_OUTGOING_DREQ);
			else {
				ibcm_insert_trace(statep,
				    IBCM_TRACE_OUT_DREQ_RETRY);
				statep->cm_retries++;
				ibcm_close_done(statep, 0);
			}
			mutex_exit(&statep->state_mutex);
			ibcm_post_rc_mad(statep, statep->dreq_msg,
			    ibcm_post_dreq_complete, statep);
		/* post LAP MAD in non-blocking mode */
		} else if (stored_ap_state == IBCM_AP_STATE_LAP_SENT) {
			ibcm_insert_trace(statep, IBCM_TRACE_OUT_LAP_RETRY);
			ibcm_post_rc_mad(statep, statep->lapr_msg,
			    ibcm_post_lap_complete, statep);
		/* post LAP MAD in non-blocking mode */
		} else if (stored_ap_state == IBCM_AP_STATE_MRA_LAP_RCVD) {
			ibcm_insert_trace(statep, IBCM_TRACE_OUT_LAP_RETRY);
			mutex_enter(&statep->state_mutex);
			statep->mra_time = gethrtime();
			mutex_exit(&statep->state_mutex);
			ibcm_post_rc_mad(statep, statep->lapr_msg,
			    ibcm_post_mra_lap_complete, statep);
		}
		return;

	} else if ((statep->state == IBCM_STATE_REQ_SENT) ||
	    (statep->state == IBCM_STATE_REP_SENT) ||
	    (statep->state == IBCM_STATE_MRA_REP_RCVD) ||
	    (statep->state == IBCM_STATE_REP_WAIT)) {

		/*
		 * MAX retries reached, send a REJ to the remote,
		 * and close the connection
		 */
		statep->timedout_state = statep->state;
		statep->state = IBCM_STATE_TIMED_OUT;

		IBTF_DPRINTF_L3(cmlog, "ibcm_timeout_cb: "
		    "max retries done for statep 0x%p", statep);
		statep->cm_retries++; /* cause conn trace to print */
		mutex_exit(&statep->state_mutex);

		if ((statep->timedout_state == IBCM_STATE_REP_SENT) ||
		    (statep->timedout_state == IBCM_STATE_MRA_REP_RCVD))
			(void) ibcm_cep_to_error_state(statep);

		/* Disassociate statep from QP */
		IBCM_SET_CHAN_PRIVATE(statep->channel, NULL);

		/*
		 * statep is in REJ SENT state, the only way to get deleted is
		 * the timeout callback that is set after posting REJ
		 * The thread processing is required where cm handler is
		 * specified
		 */

		if (statep->cm_handler != NULL) {
			/* Attach the statep to timeout list */
			ibcm_add_tlist(statep);
		} else {
			ib_guid_t local_hca_guid;

			mutex_enter(&statep->state_mutex);

			/*
			 * statep->open_return_data is set for blocking
			 * No handler specified, hence signal blocked
			 * ibt_open_rc_channel from here
			 */
			if (statep->open_return_data != NULL) {
				statep->open_return_data->rc_status =
				    IBT_CM_TIMEOUT;
				statep->open_done = B_TRUE;
				cv_broadcast(&statep->block_client_cv);
			}

			mutex_exit(&statep->state_mutex);

			local_hca_guid = h2b64(statep->local_hca_guid);
			ibcm_post_rej_mad(statep, IBT_CM_TIMEOUT,
			    (statep->timedout_state == IBCM_STATE_REP_SENT ||
			    statep->timedout_state == IBCM_STATE_MRA_REP_RCVD) ?
			    IBT_CM_FAILURE_REP: IBT_CM_FAILURE_REQ,
			    &local_hca_guid, sizeof (ib_guid_t));
		}

	} else if ((statep->ap_state == IBCM_AP_STATE_LAP_SENT) ||
	    (statep->ap_state == IBCM_AP_STATE_MRA_LAP_RCVD)) {

		IBTF_DPRINTF_L4(cmlog, "ibcm_timeout_cb: statep 0x%p "
		    "LAP timed out",  statep);
		statep->timedout_state = statep->state;
		/*
		 * This state setting ensures that the processing of DREQ is
		 * sequentialized, once this ap_state is set. If statep is
		 * attached to timeout list, it cannot be re-attached as long
		 * as in this state
		 */
		statep->ap_state = IBCM_AP_STATE_TIMED_OUT;
		ibcm_open_done(statep);

		if (statep->cm_handler != NULL) {
			/* Attach statep to timeout list - thread handling */
			ibcm_add_tlist(statep);
		} else if (statep->ap_return_data != NULL) {
			/*
			 * statep->ap_return_data is initialized for blocking in
			 * ibt_set_alt_path(), signal the waiting CV
			 */
			statep->ap_return_data->ap_status = IBT_CM_AP_TIMEOUT;
			statep->ap_done = B_TRUE;
			cv_broadcast(&statep->block_client_cv);

			statep->ap_state = IBCM_AP_STATE_IDLE;
			/* Wake up threads waiting for LAP/APR to complete */
			cv_broadcast(&statep->block_mad_cv);
		}
		mutex_exit(&statep->state_mutex);

	} else if (statep->state == IBCM_STATE_DREQ_SENT) {

		statep->timedout_state = statep->state;
		statep->state = IBCM_STATE_TIMED_OUT;

		/*
		 * The logic below is necessary, for a race situation between
		 * ibt_close_rc_channel with no callbacks option and CM's
		 * internal stale connection handling on the same connection
		 */
		if (statep->close_nocb_state != IBCM_FAIL) {
			ASSERT(statep->close_nocb_state == IBCM_UNBLOCK);
			ibtl_cm_chan_is_closing(statep->channel);
			statep->close_nocb_state = IBCM_BLOCK;
		}

		mutex_exit(&statep->state_mutex);

		/*
		 * If cm handler is specified, then invoke handler for
		 * the DREQ timeout
		 */
		if (statep->cm_handler != NULL) {
			ibcm_add_tlist(statep);
			return;
		}

		ibcm_process_dreq_timeout(statep);
	} else {

#ifdef DEBUG
		if (ibcm_test_mode > 0)
			IBTF_DPRINTF_L2(cmlog, "ibcm_timeout_cb: "
			    "Unexpected unhandled timeout  for statep 0x%p "
			    "state %d", statep, statep->state);
#endif
		mutex_exit(&statep->state_mutex);
	}
}

/*
 * Following are set of ibmf send callback routines that are used when posting
 * various CM MADs in non-blocking post mode
 */

/*ARGSUSED*/
void
ibcm_post_req_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp, void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_req_complete statep %p ", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->post_time, "REQ");
	ibcm_insert_trace(statep, IBCM_TRACE_REQ_POST_COMPLETE);

	statep->send_mad_flags &= ~IBCM_REQ_POST_BUSY;

	/* signal any waiting threads for REQ MAD to become available */
	cv_signal(&statep->block_mad_cv);

	if (statep->state == IBCM_STATE_REQ_SENT)
		statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);

	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_post_rep_wait_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_rep_wait_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->post_time, "REQ_RETRY");
	ibcm_insert_trace(statep, IBCM_TRACE_REQ_POST_COMPLETE);
	if (statep->state == IBCM_STATE_REP_WAIT)
		statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_post_rep_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp, void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_rep_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->post_time, "REP");
	ibcm_insert_trace(statep, IBCM_TRACE_REP_POST_COMPLETE);
	statep->send_mad_flags &= ~IBCM_REP_POST_BUSY;
	if (statep->state == IBCM_STATE_REP_SENT)
		statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_resend_post_rep_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_resend_post_rep_complete(%p)", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->post_time, "REP_RETRY");
	ibcm_insert_trace(statep, IBCM_TRACE_REP_POST_COMPLETE);
	statep->send_mad_flags &= ~IBCM_REP_POST_BUSY;

	/* No new timeout is set for resending a REP MAD for an incoming REQ */
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_post_mra_rep_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_mra_rep_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->mra_time, "MRA_REP");
	ibcm_insert_trace(statep, IBCM_TRACE_REP_POST_COMPLETE);
	if (statep->state == IBCM_STATE_MRA_REP_RCVD)
		statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}


/*ARGSUSED*/
void
ibcm_post_mra_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_mra_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->mra_time, "MRA");
	ibcm_insert_trace(statep, IBCM_TRACE_MRA_POST_COMPLETE);

	if (statep->delete_mra_msg == B_TRUE) {
		ibmf_msg_t	*mra_msg;

		mra_msg = statep->mra_msg;
		statep->mra_msg = NULL;
		mutex_exit(&statep->state_mutex);
		(void) ibcm_free_out_msg(statep->stored_reply_addr.ibmf_hdl,
		    &mra_msg);
		mutex_enter(&statep->state_mutex);
	}
	statep->send_mad_flags &= ~IBCM_MRA_POST_BUSY;
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_post_dreq_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp, void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_dreq_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->post_time, "DREQ");
	ibcm_insert_trace(statep, IBCM_TRACE_DREQ_POST_COMPLETE);
	if (statep->state == IBCM_STATE_DREQ_SENT)
		statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);
	ibcm_close_done(statep, 1);
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_post_lap_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp, void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_lap_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->post_time, "LAP");
	ibcm_insert_trace(statep, IBCM_TRACE_LAP_POST_COMPLETE);
	if (statep->ap_state == IBCM_AP_STATE_LAP_SENT)
		statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_post_mra_lap_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_mra_lap_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->mra_time, "MRA_LAP");
	ibcm_insert_trace(statep, IBCM_TRACE_LAP_POST_COMPLETE);
	if (statep->ap_state == IBCM_AP_STATE_MRA_LAP_RCVD)
		statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);
	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_post_rej_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_rej_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->post_time, "REJ");
	ibcm_insert_trace(statep, IBCM_TRACE_REJ_POST_COMPLETE);
	statep->send_mad_flags &= ~IBCM_REJ_POST_BUSY;
	if (statep->state == IBCM_STATE_REJ_SENT) {
		statep->remaining_retry_cnt = 0;

		/* wait until all possible retransmits of REQ/REP happened */
		statep->timerid = IBCM_TIMEOUT(statep,
		    statep->timer_value * statep->max_cm_retries);
	}

	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_post_rtu_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_rtu_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->post_time, "RTU");
	ibcm_insert_trace(statep, IBCM_TRACE_RTU_POST_COMPLETE);
	statep->send_mad_flags &= ~IBCM_RTU_POST_BUSY;
	IBCM_REF_CNT_DECR(statep);
	ibcm_open_done(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_post_apr_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_apr_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->post_time, "APR");
	ibcm_insert_trace(statep, IBCM_TRACE_APR_POST_COMPLETE);
	/* As long as one APR mad in transit, no retransmits are allowed */
	statep->ap_state = IBCM_AP_STATE_IDLE;

	/* unblock any DREQ threads and close channels */
	cv_broadcast(&statep->block_mad_cv);
	IBCM_REF_CNT_DECR(statep); /* decrement the ref count */
	mutex_exit(&statep->state_mutex);

}

/*ARGSUSED*/
void
ibcm_post_stored_apr_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibmf_msg_t	*ibmf_apr_msg = (ibmf_msg_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_stored_apr_complete args %p", args);

	ibcm_flow_dec(0, "APR_RESEND");
	(void) ibcm_free_out_msg(ibmf_handle, &ibmf_apr_msg);
}

/*ARGSUSED*/
void
ibcm_post_drep_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_state_data_t	*statep = (ibcm_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_drep_complete statep %p", statep);

	mutex_enter(&statep->state_mutex);
	ibcm_flow_dec(statep->post_time, "DREP");
	ibcm_insert_trace(statep, IBCM_TRACE_DREP_POST_COMPLETE);
	statep->send_mad_flags &= ~IBCM_REJ_POST_BUSY;

	if (statep->state == IBCM_STATE_DREQ_RCVD) {

		ibcm_close_done(statep, 1);
		statep->state = IBCM_STATE_TIMEWAIT;

		/*
		 * For passive side CM set it to remote_ack_delay
		 * For active side CM add the pkt_life_time * 2
		 */
		statep->timer_value = statep->remote_ack_delay;
		if (statep->mode == IBCM_ACTIVE_MODE)
			statep->timer_value += (2 * statep->pkt_life_time);
		statep->remaining_retry_cnt = 0;
		statep->timer_stored_state = statep->state;
		statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);
	}

	IBCM_REF_CNT_DECR(statep);
	mutex_exit(&statep->state_mutex);
}

/*ARGSUSED*/
void
ibcm_post_sidr_rep_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_ud_state_data_t	*ud_statep = (ibcm_ud_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_sidr_rep_complete ud_statep %p",
	    ud_statep);

	ibcm_flow_dec(0, "SIDR_REP");
	mutex_enter(&ud_statep->ud_state_mutex);
	ud_statep->ud_send_mad_flags &= ~IBCM_SREP_POST_BUSY;
	ud_statep->ud_remaining_retry_cnt = 0;
	if (ud_statep->ud_state == IBCM_STATE_SIDR_REP_SENT)
		ud_statep->ud_timerid = IBCM_UD_TIMEOUT(ud_statep,
		    ud_statep->ud_timer_value);
	IBCM_UD_REF_CNT_DECR(ud_statep);
	mutex_exit(&ud_statep->ud_state_mutex);

}

/*ARGSUSED*/
void
ibcm_post_sidr_req_complete(ibmf_handle_t ibmf_handle, ibmf_msg_t *msgp,
    void *args)
{
	ibcm_ud_state_data_t	*ud_statep = (ibcm_ud_state_data_t *)args;

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_sidr_req_complete ud_statep %p",
	    ud_statep);

	ibcm_flow_dec(0, "SIDR_REQ");
	mutex_enter(&ud_statep->ud_state_mutex);
	if (ud_statep->ud_state == IBCM_STATE_SIDR_REQ_SENT)
		ud_statep->ud_timerid = IBCM_UD_TIMEOUT(ud_statep,
		    ud_statep->ud_timer_value);
	IBCM_UD_REF_CNT_DECR(ud_statep);
	mutex_exit(&ud_statep->ud_state_mutex);

}

/*
 * ibcm_process_dreq_timeout:
 *	Called when the timer expires on DREP
 *
 * INPUTS:
 *	arg	- ibcm_state_data_t is passed
 *
 * RETURN VALUES: NONE
 */
void
ibcm_process_dreq_timeout(ibcm_state_data_t *statep)
{
	mutex_enter(&statep->state_mutex);

	/* Max retries reached, move to the time wait state */
	statep->state = statep->timer_stored_state =
	    IBCM_STATE_TIMEWAIT;
	ibcm_close_done(statep, 0);

	/* Set the TIME_WAIT state timer value */
	statep->timer_value = statep->remote_ack_delay;
	if (statep->mode == IBCM_ACTIVE_MODE) {
		statep->timer_value += (2 * statep->pkt_life_time);
	}

	statep->timerid = IBCM_TIMEOUT(statep, statep->timer_value);

	if (statep->close_ret_status)
		if (statep->stale == B_TRUE)
			*statep->close_ret_status = IBT_CM_CLOSED_STALE;
		else *statep->close_ret_status = IBT_CM_CLOSED_DREQ_TIMEOUT;

	/* signal waiting CVs - blocking in ibt_close_channel() */
	statep->close_done = B_TRUE;
	if (statep->close_ret_priv_data_len != NULL)
		*statep->close_ret_priv_data_len = 0;

	/* unblock any close channel with no callbacks option */
	statep->close_nocb_state = IBCM_FAIL;

	cv_broadcast(&statep->block_client_cv);
	mutex_exit(&statep->state_mutex);
}

/*
 * ibcm_add_tlist:
 *	Adds the given RC statep to timeout list
 *
 * INPUTS:
 *	arg	- ibcm_state_data_t is passed
 *
 * RETURN VALUES: NONE
 */
void
ibcm_add_tlist(ibcm_state_data_t *statep)
{
	mutex_enter(&ibcm_timeout_list_lock);

	statep->timeout_next = NULL;
	if (ibcm_timeout_list_hdr == NULL) {
		ibcm_timeout_list_hdr = statep;
	} else {
		ibcm_timeout_list_tail->timeout_next = statep;
	}

	ibcm_timeout_list_tail = statep;

	cv_signal(&ibcm_timeout_list_cv);

	mutex_exit(&ibcm_timeout_list_lock);
	IBTF_DPRINTF_L3(cmlog, "ibcm_add_tlist: "
	    "attached state = %p to timeout list", statep);
}

void
ibcm_run_tlist_thread(void)
{
	mutex_enter(&ibcm_timeout_list_lock);
	cv_signal(&ibcm_timeout_list_cv);
	mutex_exit(&ibcm_timeout_list_lock);
}

/*
 * ibcm_add_ud_tlist:
 *	Adds the given UD statep to timeout list
 *
 * INPUTS:
 *	arg	- ibcm_ud_state_data_t is passed
 *
 * RETURN VALUES: NONE
 */
void
ibcm_add_ud_tlist(ibcm_ud_state_data_t *ud_statep)
{
	mutex_enter(&ibcm_timeout_list_lock);

	ud_statep->ud_timeout_next = NULL;
	if (ibcm_ud_timeout_list_hdr == NULL) {
		ibcm_ud_timeout_list_hdr = ud_statep;
	} else {
		ibcm_ud_timeout_list_tail->ud_timeout_next = ud_statep;
	}

	ibcm_ud_timeout_list_tail = ud_statep;

	cv_signal(&ibcm_timeout_list_cv);

	mutex_exit(&ibcm_timeout_list_lock);
	IBTF_DPRINTF_L3(cmlog, "ibcm_add_ud_tlist: "
	    "attached state = %p to ud timeout list", ud_statep);
}

/*
 * ibcm_process_tlist:
 *	Thread that processes all the RC and UD statep's from
 *	the appropriate lists
 *
 * INPUTS:
 *	NONE
 *
 * RETURN VALUES: NONE
 */
void
ibcm_process_tlist()
{
	ibcm_state_data_t	*statep;
	ibcm_ud_state_data_t	*ud_statep;
	callb_cpr_t		cprinfo;

	IBTF_DPRINTF_L5(cmlog, "ibcm_process_tlist: thread started");

	mutex_enter(&ibcm_timeout_list_lock);

	CALLB_CPR_INIT(&cprinfo, &ibcm_timeout_list_lock, callb_generic_cpr,
	    "ibcm_process_tlist");

	for (;;) {
		if (ibcm_timeout_list_flags & IBCM_TIMEOUT_THREAD_EXIT) {
			/* The thread needs to exit */
			cv_signal(&ibcm_timeout_thread_done_cv);
			break;
		}
		mutex_exit(&ibcm_timeout_list_lock);
		ibcm_check_for_opens();
		ibcm_check_for_async_close();
		mutex_enter(&ibcm_timeout_list_lock);

		/* First, handle pending RC statep's, followed by UD's */
		if (ibcm_timeout_list_hdr != NULL) {
			statep = ibcm_timeout_list_hdr;
			ibcm_timeout_list_hdr = statep->timeout_next;

			if (ibcm_timeout_list_hdr == NULL)
				ibcm_timeout_list_tail = NULL;

			statep->timeout_next = NULL;

			mutex_exit(&ibcm_timeout_list_lock);
			IBTF_DPRINTF_L3(cmlog, "ibcm_process_tlist: "
			    "scheduling state = %p", statep);
			ibcm_timeout_client_cb(statep);
			mutex_enter(&ibcm_timeout_list_lock);
		} else if (ibcm_ud_timeout_list_hdr != NULL) {
			ud_statep = ibcm_ud_timeout_list_hdr;
			ibcm_ud_timeout_list_hdr = ud_statep->ud_timeout_next;

			if (ibcm_ud_timeout_list_hdr == NULL)
				ibcm_ud_timeout_list_tail = NULL;

			ud_statep->ud_timeout_next = NULL;

			mutex_exit(&ibcm_timeout_list_lock);
			IBTF_DPRINTF_L3(cmlog, "ibcm_process_tlist: "
			    "ud scheduling state = %p", ud_statep);
			ibcm_ud_timeout_client_cb(ud_statep);
			mutex_enter(&ibcm_timeout_list_lock);
		} else {
			CALLB_CPR_SAFE_BEGIN(&cprinfo);
			cv_wait(&ibcm_timeout_list_cv, &ibcm_timeout_list_lock);
			CALLB_CPR_SAFE_END(&cprinfo, &ibcm_timeout_list_lock);
		}
	}

#ifndef	__lock_lint
	CALLB_CPR_EXIT(&cprinfo);	/* mutex_exit */
#endif
}


/*
 * ibcm_timeout_client_cb:
 *	Called from timeout thread processing
 *	Primary purpose is to call client handler
 *
 * INPUTS:
 *	arg	- ibcm_state_data_t is passed
 *
 * RETURN VALUES: NONE
 */
void
ibcm_timeout_client_cb(ibcm_state_data_t *statep)
{
	mutex_enter(&statep->state_mutex);

	if ((statep->state == IBCM_STATE_DELETE) &&
	    (statep->recycle_arg != NULL)) {
		struct ibcm_taskq_recycle_arg_s *recycle_arg;

		recycle_arg = statep->recycle_arg;
		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(statep->recycle_arg))
		statep->recycle_arg = NULL;
		_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(statep->recycle_arg))
		mutex_exit(&statep->state_mutex);
		(void) ibcm_process_rc_recycle(recycle_arg);
		ibcm_delete_state_data(statep);
		return;
	}

	if ((statep->state == IBCM_STATE_DELETE) &&
	    (statep->delete_state_data == B_TRUE)) {
		mutex_exit(&statep->state_mutex);
		ibcm_dealloc_state_data(statep);
		return;
	}

	/* Else, it must be in TIMEOUT state, do the necessary processing */
	if (statep->state == IBCM_STATE_TIMED_OUT) {
		void		*data;
		uint8_t		cf_msg;
		ib_guid_t	local_hca_guid;

		mutex_exit(&statep->state_mutex);

		if (statep->timedout_state == IBCM_STATE_DREQ_SENT) {
			ibt_cm_event_t		event;
			ibt_cm_return_args_t	ret_args;

			bzero(&event, sizeof (event));
			bzero(&ret_args, sizeof (ret_args));

			event.cm_type = IBT_CM_EVENT_CONN_CLOSED;
			event.cm_channel = statep->channel;
			event.cm_session_id = NULL;
			event.cm_priv_data = NULL;
			event.cm_priv_data_len = 0;

			if (statep->stale == B_TRUE)
				event.cm_event.closed = IBT_CM_CLOSED_STALE;
			else event.cm_event.closed = IBT_CM_CLOSED_DREQ_TIMEOUT;

			/*
			 * cm handler cannot be non-NULL, as that check is
			 * already made in ibcm_timeout_cb
			 */
			ibcm_insert_trace(statep,
			    IBCM_TRACE_CALLED_CONN_CLOSE_EVENT);

			(void) statep->cm_handler(statep->state_cm_private,
			    &event, &ret_args, NULL, 0);

			ibcm_insert_trace(statep,
			    IBCM_TRACE_RET_CONN_CLOSE_EVENT);

			ibcm_process_dreq_timeout(statep);
			return;
		}

		data = ((ibcm_rej_msg_t *)
		    IBCM_OUT_MSGP(statep->stored_msg))->rej_private_data;

		if ((statep->timedout_state == IBCM_STATE_REQ_SENT) ||
		    (statep->timedout_state == IBCM_STATE_REP_WAIT)) {
			cf_msg = IBT_CM_FAILURE_REQ;
		} else {
			ASSERT(
			    (statep->timedout_state == IBCM_STATE_REP_SENT) ||
			    (statep->timedout_state ==
			    IBCM_STATE_MRA_REP_RCVD));
			cf_msg = IBT_CM_FAILURE_REP;
		}

		/*
		 * Invoke the CM handler w/ event IBT_CM_EVENT_TIMEOUT
		 * This callback happens for only active non blocking or
		 * passive client
		 */
		ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_TIMEOUT,
		    cf_msg, IBT_CM_TIMEOUT, data, IBT_REJ_PRIV_DATA_SZ);

		/* signal the blocked ibt_open_rc_channel */
		mutex_enter(&statep->state_mutex);

		/*
		 * statep->open_return_data is set for blocking
		 * signal the blocked ibt_open_rc_channel
		 */
		if (statep->open_return_data != NULL) {
			statep->open_return_data->rc_status = IBT_CM_TIMEOUT;
			statep->open_done = B_TRUE;
			cv_broadcast(&statep->block_client_cv);
		}

		mutex_exit(&statep->state_mutex);

		local_hca_guid = h2b64(statep->local_hca_guid);
		ibcm_post_rej_mad(statep, IBT_CM_TIMEOUT,
		    IBT_CM_FAILURE_UNKNOWN, &local_hca_guid,
		    sizeof (ib_guid_t));
	} else if (statep->ap_state == IBCM_AP_STATE_TIMED_OUT) {

		mutex_exit(&statep->state_mutex);

		ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_TIMEOUT,
		    IBT_CM_FAILURE_LAP, IBT_CM_TIMEOUT, NULL, 0);

		/* Now wake up threads waiting for LAP/APR to complete */
		mutex_enter(&statep->state_mutex);
		/*
		 * statep->ap_return_data is initialized for blocking in
		 * ibt_set_alt_path(), signal the waiting CV
		 */
		if (statep->ap_return_data != NULL) {
			statep->ap_return_data->ap_status = IBT_CM_AP_TIMEOUT;
			statep->ap_done = B_TRUE;
			cv_broadcast(&statep->block_client_cv);
		}
		statep->ap_state = IBCM_AP_STATE_IDLE;
		cv_broadcast(&statep->block_mad_cv);
		mutex_exit(&statep->state_mutex);
	} else {
		IBTF_DPRINTF_L2(cmlog, "ibcm_timeout_client_cb "
		    "Unexpected else path statep %p state %d ap_state %d",
		    statep, statep->state, statep->ap_state);
		mutex_exit(&statep->state_mutex);

	}
}

/*
 * ibcm_ud_timeout_client_cb:
 *	Called from UD timeout thread processing
 *	Primary purpose is to call client handler
 *
 * INPUTS:
 *	arg	- ibcm_ud_state_data_t is passed
 *
 * RETURN VALUES: NONE
 */
void
ibcm_ud_timeout_client_cb(ibcm_ud_state_data_t *ud_statep)
{
	ibt_cm_ud_event_t	ud_event;

	mutex_enter(&ud_statep->ud_state_mutex);

	if ((ud_statep->ud_state == IBCM_STATE_DELETE) &&
	    (ud_statep->ud_delete_state_data == B_TRUE)) {

		mutex_exit(&ud_statep->ud_state_mutex);
		ibcm_dealloc_ud_state_data(ud_statep);
		return;
	} else
		mutex_exit(&ud_statep->ud_state_mutex);

	/* Fill in ibt_cm_ud_event_t */
	ud_event.cm_type = IBT_CM_UD_EVENT_SIDR_REP;
	ud_event.cm_session_id = NULL;
	ud_event.cm_event.sidr_rep.srep_status = IBT_CM_SREP_TIMEOUT;

	(void) ud_statep->ud_cm_handler(ud_statep->ud_state_cm_private,
	    &ud_event, NULL, NULL, 0);

	/* Delete UD state data now, finally done with it */
	ibcm_delete_ud_state_data(ud_statep);
}


/*
 * ibcm_process_sidr_req_msg:
 *	This call processes an incoming SIDR REQ
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- Incoming CM SIDR REQ MAD
 *	cm_mad_addr	- Address information for the MAD to be posted
 *
 * RETURN VALUE:
 *	NONE
 */
void
ibcm_process_sidr_req_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ib_gid_t		gid;
	ib_lid_t		lid;
	uint32_t		req_id;
	ibcm_status_t		state_lookup_status;
	ibcm_status_t		cm_status;
	ibt_sidr_status_t	sidr_status;
	ibcm_svc_info_t		*svc_infop;
	ibcm_svc_bind_t		*svc_bindp;
	ibcm_svc_bind_t		*tmp_bindp;
	ibcm_sidr_req_msg_t	*sidr_reqp = (ibcm_sidr_req_msg_t *)
	    (&input_madp[IBCM_MAD_HDR_SIZE]);
	ibcm_ud_state_data_t	*ud_statep = NULL;
	ibcm_sidr_srch_t	srch_sidr;
	ib_pkey_t		pkey;
	uint8_t			port_num;
	ib_guid_t		hca_guid;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_sidr_req_msg:");

	hca_guid = hcap->hca_guid;
	port_num = cm_mad_addr->port_num;

	/* Figure out LID, GID, RequestId for svc_id lookup */
	lid = cm_mad_addr->rcvd_addr.ia_remote_lid;
	req_id = b2h32(sidr_reqp->sidr_req_request_id);
	pkey = b2h16(sidr_reqp->sidr_req_pkey);
	if (cm_mad_addr->grh_exists == B_TRUE)
		gid = cm_mad_addr->grh_hdr.ig_sender_gid;
	else
		gid.gid_prefix = gid.gid_guid = 0;

	/*
	 * Lookup for an existing state structure
	 * - if lookup fails it creates a new ud_state struct
	 * No need to hold a lock across the call to ibcm_find_sidr_entry() as
	 * the list lock is held in that function to find the matching entry.
	 */

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(srch_sidr))

	srch_sidr.srch_lid = lid;
	srch_sidr.srch_gid = gid;
	srch_sidr.srch_grh_exists = cm_mad_addr->grh_exists;
	srch_sidr.srch_req_id = req_id;
	srch_sidr.srch_mode = IBCM_PASSIVE_MODE;

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(srch_sidr))

	rw_enter(&hcap->hca_sidr_list_lock, RW_WRITER);
	state_lookup_status = ibcm_find_sidr_entry(&srch_sidr, hcap, &ud_statep,
	    IBCM_FLAG_LOOKUP_AND_ADD);
	rw_exit(&hcap->hca_sidr_list_lock);

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_sidr_req_msg: ud_statep 0x%p "
	    "lookup status %x", ud_statep, state_lookup_status);

	if (state_lookup_status == IBCM_LOOKUP_NEW) {

		/* Increment hca's resource count */
		ibcm_inc_hca_res_cnt(hcap);

		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*ud_statep))

		/*
		 * Allocate CM MAD for a response
		 * This MAD is deallocated on state structure delete
		 * and re-used for all outgoing MADs for this connection.
		 * If MAD allocation fails, delete the ud statep
		 */
		if (ibcm_alloc_out_msg(cm_mad_addr->ibmf_hdl,
		    &ud_statep->ud_stored_msg, MAD_METHOD_SEND) !=
		    IBT_SUCCESS) {
			mutex_enter(&ud_statep->ud_state_mutex);
			IBCM_UD_REF_CNT_DECR(ud_statep);
			mutex_exit(&ud_statep->ud_state_mutex);
			ibcm_delete_ud_state_data(ud_statep);
			return;
		}

		/* Lookup for service */
		ud_statep->ud_svc_id = b2h64(sidr_reqp->sidr_req_service_id);
		ud_statep->ud_state  = IBCM_STATE_SIDR_REQ_RCVD;
		ud_statep->ud_clnt_proceed = IBCM_BLOCK;

		mutex_enter(&ibcm_svc_info_lock);

		svc_infop = ibcm_find_svc_entry(ud_statep->ud_svc_id);

		IBTF_DPRINTF_L4(cmlog, "ibcm_process_sidr_req_msg: "
		    " ud_statep 0x%p svc_info %p", ud_statep, svc_infop);

		/*
		 * No need to hold the ud state mutex, as no other thread
		 * modifies ud statep in IBCM_STATE_SIDR_REQ_RCVD state
		 */

		if (svc_infop != NULL) {
			/* find the "bind" entry that enables this port */

			svc_bindp = NULL;
			tmp_bindp = svc_infop->svc_bind_list;
			while (tmp_bindp) {
				if (tmp_bindp->sbind_hcaguid == hca_guid &&
				    tmp_bindp->sbind_port == port_num) {
					if (gid.gid_guid ==
					    tmp_bindp->sbind_gid.gid_guid &&
					    gid.gid_prefix ==
					    tmp_bindp->sbind_gid.gid_prefix) {
						/* a really good match */
						svc_bindp = tmp_bindp;
						if (pkey ==
						    tmp_bindp->sbind_pkey)
							/* absolute best */
							break;
					} else if (svc_bindp == NULL) {
						/* port match => a good match */
						svc_bindp = tmp_bindp;
					}
				}
				tmp_bindp = tmp_bindp->sbind_link;
			}
			if (svc_bindp == NULL) {
				svc_infop = NULL;
			}
		}

		IBCM_OUT_HDRP(ud_statep->ud_stored_msg)->TransactionID =
		    ((ib_mad_hdr_t *)(input_madp))->TransactionID;

		ibcm_build_reply_mad_addr(cm_mad_addr,
		    &ud_statep->ud_stored_reply_addr);

		if (ud_statep->ud_stored_reply_addr.cm_qp_entry == NULL) {

			mutex_exit(&ibcm_svc_info_lock);

			/* Not much choice. CM MADs cannot go on QP1 */
			mutex_enter(&ud_statep->ud_state_mutex);
			IBCM_UD_REF_CNT_DECR(ud_statep);
			ud_statep->ud_state = IBCM_STATE_DELETE;
			mutex_exit(&ud_statep->ud_state_mutex);

			ibcm_delete_ud_state_data(ud_statep);
			return;
		}

		if (svc_infop == NULL || svc_infop->svc_ud_handler == NULL) {
			/*
			 * Don't have a record of Service ID in CM's
			 * internal list registered at this gid/lid.
			 * So, send out Service ID not supported SIDR REP msg
			 */
			sidr_status = IBT_CM_SREP_SID_INVALID;
		} else {
			ud_statep->ud_cm_handler = svc_infop->svc_ud_handler;
			ud_statep->ud_state_cm_private =
			    svc_bindp->sbind_cm_private;
			IBCM_SVC_INCR(svc_infop);
			mutex_exit(&ibcm_svc_info_lock);

			/* Call Client's UD handler */
			cm_status = ibcm_sidr_req_ud_handler(ud_statep,
			    sidr_reqp, cm_mad_addr, &sidr_status);

			mutex_enter(&ibcm_svc_info_lock);
			IBCM_SVC_DECR(svc_infop);
		}

		mutex_exit(&ibcm_svc_info_lock);

		if (cm_status == IBCM_DEFER) {
			IBTF_DPRINTF_L4(cmlog, "ibcm_process_sidr_req_msg: "
			    "ud_statep 0x%p client returned DEFER response",
			    ud_statep);
			return;
		}

		ibcm_post_sidr_rep_mad(ud_statep, sidr_status);

		_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*ud_statep))

		mutex_enter(&ud_statep->ud_state_mutex);
		IBCM_UD_REF_CNT_DECR(ud_statep);
		mutex_exit(&ud_statep->ud_state_mutex);
	} else {
		ASSERT(state_lookup_status == IBCM_LOOKUP_EXISTS);

		mutex_enter(&ud_statep->ud_state_mutex);

		if (ud_statep->ud_state == IBCM_STATE_SIDR_REP_SENT)
			ibcm_resend_srep_mad(ud_statep);

		IBCM_UD_REF_CNT_DECR(ud_statep);
		mutex_exit(&ud_statep->ud_state_mutex);
	}
}


/*
 * ibcm_process_sidr_rep_msg:
 *	This call processes an incoming SIDR REP
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- incoming CM SIDR REP MAD
 *	cm_mad_addr	- Address information for the MAD to be posted
 *
 * RETURN VALUE:
 *	NONE
 */
void
ibcm_process_sidr_rep_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ib_lid_t		lid;
	ib_gid_t		gid;
	ibcm_status_t		status;
	ib_svc_id_t		tmp_svc_id;
	ibcm_sidr_rep_msg_t	*sidr_repp = (ibcm_sidr_rep_msg_t *)
	    (&input_madp[IBCM_MAD_HDR_SIZE]);
	ibcm_ud_state_data_t	*ud_statep = NULL;
	ibcm_sidr_srch_t	srch_sidr;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_sidr_rep_msg:");

	lid = cm_mad_addr->rcvd_addr.ia_local_lid;
	if (cm_mad_addr->grh_exists == B_TRUE)
		gid = cm_mad_addr->grh_hdr.ig_recver_gid;
	else
		gid.gid_prefix = gid.gid_guid = 0;

	IBTF_DPRINTF_L3(cmlog, "ibcm_process_sidr_rep_msg: QPN rcvd = %x",
	    h2b32(sidr_repp->sidr_rep_qpn_plus) >> 8);

	/*
	 * Lookup for an existing state structure.
	 * No need to hold a lock as ibcm_find_sidr_entry() holds the
	 * list lock to find the matching entry.
	 */
	IBTF_DPRINTF_L4(cmlog, "ibcm_process_sidr_rep: lid=%x, (%llX, %llX), "
	    "grh = %x, id = %x", lid, gid.gid_prefix, gid.gid_guid,
	    cm_mad_addr->grh_exists, sidr_repp->sidr_rep_request_id);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(srch_sidr))

	srch_sidr.srch_lid = lid;
	srch_sidr.srch_gid = gid;
	srch_sidr.srch_grh_exists = cm_mad_addr->grh_exists;
	srch_sidr.srch_req_id = b2h32(sidr_repp->sidr_rep_request_id);
	srch_sidr.srch_mode = IBCM_ACTIVE_MODE;

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(srch_sidr))

	rw_enter(&hcap->hca_sidr_list_lock, RW_READER);
	status = ibcm_find_sidr_entry(&srch_sidr, hcap, &ud_statep,
	    IBCM_FLAG_LOOKUP);
	rw_exit(&hcap->hca_sidr_list_lock);

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_sidr_rep_msg: ud_statep 0x%p "
	    "find sidr entry status = %x", ud_statep, status);

	if (status != IBCM_LOOKUP_EXISTS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_sidr_rep_msg: "
		    "No matching ud_statep for SIDR REP");
		return;
	}

	if (IBCM_OUT_HDRP(ud_statep->ud_stored_msg)->TransactionID !=
	    ((ib_mad_hdr_t *)(input_madp))->TransactionID) {
		mutex_enter(&ud_statep->ud_state_mutex);
		IBCM_UD_REF_CNT_DECR(ud_statep);
		mutex_exit(&ud_statep->ud_state_mutex);
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_sidr_rep_msg: "
		    "ud_statep 0x%p. A SIDR REP MAD with tid expected 0x%llX "
		    "tid found 0x%llX req_id %x arrived", ud_statep,
		    b2h64(
		    IBCM_OUT_HDRP(ud_statep->ud_stored_msg)->TransactionID),
		    b2h64(((ib_mad_hdr_t *)(input_madp))->TransactionID),
		    b2h32(sidr_repp->sidr_rep_request_id));
		return;
	}

	mutex_enter(&ud_statep->ud_state_mutex);

	/*
	 * We need to check service ID received against the one sent?
	 * If they don't match just return.
	 */
	bcopy(sidr_repp->sidr_rep_service_id, &tmp_svc_id, sizeof (tmp_svc_id));
	bcopy(&tmp_svc_id, sidr_repp->sidr_rep_service_id, sizeof (tmp_svc_id));
	if (ud_statep->ud_svc_id != b2h64(tmp_svc_id)) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_sidr_rep_msg: "
		    "ud_statep -0x%p svcids do not match %llx %llx",
		    ud_statep, ud_statep->ud_svc_id, b2h64(tmp_svc_id));

		IBCM_UD_REF_CNT_DECR(ud_statep);
		mutex_exit(&ud_statep->ud_state_mutex);
		return;
	}

	if (ud_statep->ud_state == IBCM_STATE_SIDR_REQ_SENT) {
		timeout_id_t	timer_val = ud_statep->ud_timerid;

		ud_statep->ud_state = IBCM_STATE_SIDR_REP_RCVD;
		ud_statep->ud_timerid = 0;
		mutex_exit(&ud_statep->ud_state_mutex);

		/* Cancel timer set after sending SIDR REQ */
		(void) untimeout(timer_val);

		/*
		 * Call Client's UD handler
		 */
		ibcm_sidr_rep_ud_handler(ud_statep, sidr_repp);

		mutex_enter(&ud_statep->ud_state_mutex);

		ud_statep->ud_state = IBCM_STATE_DELETE;

		/*
		 * ud_statep->ud_return_data is initialized for blocking in
		 * ibt_ud_get_dqpn(). Initialize its fields and
		 * signal the blocking call in ibt_ud_get_dqpn().
		 */
		if (ud_statep->ud_return_data != NULL) {
			/* get rep_qpn and rep_status */
			ibt_priv_data_len_t len;

			/* Copy the SIDR private data */
			len = min(ud_statep->ud_return_data->ud_priv_data_len,
			    IBT_SIDR_REP_PRIV_DATA_SZ);

			if ((ud_statep->ud_return_data->ud_priv_data != NULL) &&
			    (len > 0)) {
				bcopy(sidr_repp->sidr_rep_private_data,
				    ud_statep->ud_return_data->ud_priv_data,
				    len);
			}

			/* get status first */
			ud_statep->ud_return_data->ud_status =
			    sidr_repp->sidr_rep_rep_status;

			if (ud_statep->ud_return_data->ud_status ==
			    IBT_CM_SREP_QPN_VALID) {
				ud_statep->ud_return_data->ud_dqpn =
				    h2b32(sidr_repp->sidr_rep_qpn_plus) >> 8;
				ud_statep->ud_return_data->ud_qkey =
				    b2h32(sidr_repp->sidr_rep_qkey);
			}

			ud_statep->ud_blocking_done = B_TRUE;
			cv_broadcast(&ud_statep->ud_block_client_cv);
		}

		IBCM_UD_REF_CNT_DECR(ud_statep);
		mutex_exit(&ud_statep->ud_state_mutex);

		/* Delete UD state data now, finally done with it */
		ibcm_delete_ud_state_data(ud_statep);
	} else {
		IBTF_DPRINTF_L3(cmlog, "ibcm_process_sidr_rep_msg: "
		    "ud state is = 0x%x", ud_statep->ud_state);
		IBCM_UD_REF_CNT_DECR(ud_statep);
		mutex_exit(&ud_statep->ud_state_mutex);
	}
}


/*
 * ibcm_post_sidr_rep_mad:
 *	This call posts a SIDR REP MAD
 *
 * INPUTS:
 *	ud_statep	- pointer to ibcm_ud_state_data_t
 *	status		- Status information
 *
 * RETURN VALUE: NONE
 */
void
ibcm_post_sidr_rep_mad(ibcm_ud_state_data_t *ud_statep,
    ibt_sidr_status_t status)
{
	ib_svc_id_t		tmp_svc_id;
	ibcm_sidr_rep_msg_t	*sidr_repp =
	    (ibcm_sidr_rep_msg_t *)IBCM_OUT_MSGP(ud_statep->ud_stored_msg);
	clock_t			timer_value;

	IBTF_DPRINTF_L5(cmlog, "ibcm_post_sidr_rep_mad:");

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*sidr_repp))

	IBCM_OUT_HDRP(ud_statep->ud_stored_msg)->AttributeID =
	    h2b16(IBCM_INCOMING_SIDR_REP + IBCM_ATTR_BASE_ID);

	/*
	 * Initialize SIDR REP message. (Other fields were
	 * already filled up in ibcm_sidr_req_ud_handler()
	 */
	sidr_repp->sidr_rep_request_id = h2b32(ud_statep->ud_req_id);
	tmp_svc_id = h2b64(ud_statep->ud_svc_id);
	bcopy(&tmp_svc_id, sidr_repp->sidr_rep_service_id, sizeof (tmp_svc_id));

	sidr_repp->sidr_rep_rep_status = (uint8_t)status;

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*sidr_repp))

	/* post the SIDR REP MAD */
	ibcm_post_ud_mad(ud_statep, ud_statep->ud_stored_msg, NULL, NULL);

	timer_value = ibt_ib2usec(ibcm_max_sidr_rep_store_time);
	/*
	 * Hold the statep lock, as a SIDR REQ may come in after setting state
	 * but before timeout. This can result in a dangling timeout ie.,
	 * the incoming SIDR REQ would be unable to cancel this timeout
	 */
	mutex_enter(&ud_statep->ud_state_mutex);

	ud_statep->ud_remaining_retry_cnt = 1;
	ud_statep->ud_timer_value = timer_value;

	ud_statep->ud_timer_stored_state = ud_statep->ud_state =
	    IBCM_STATE_SIDR_REP_SENT;
	ud_statep->ud_timerid = IBCM_UD_TIMEOUT(ud_statep,
	    ud_statep->ud_timer_value);

	mutex_exit(&ud_statep->ud_state_mutex);
}


/*
 * ibcm_sidr_timeout_cb:
 *	Called when the timer expires on SIDR request
 *
 * INPUTS:
 *	arg	-	ibcm_ud_state_data_t with all the info
 *
 * RETURN VALUE: NONE
 */
void
ibcm_sidr_timeout_cb(void *arg)
{
	ibcm_ud_state_data_t	*ud_statep = (ibcm_ud_state_data_t *)arg;

	mutex_enter(&ud_statep->ud_state_mutex);
	ud_statep->ud_timerid = 0;

	IBTF_DPRINTF_L3(cmlog, "ibcm_sidr_timeout_cb: ud_statep 0x%p "
	    "state = 0x%x", ud_statep, ud_statep->ud_state);

	/* Processing depends upon current state */
	if (ud_statep->ud_state == IBCM_STATE_SIDR_REP_SENT) {
		ud_statep->ud_state = IBCM_STATE_DELETE;

		mutex_exit(&ud_statep->ud_state_mutex);

		/* Deallocate the CM state structure */
		ibcm_delete_ud_state_data(ud_statep);

	} else if ((ud_statep->ud_remaining_retry_cnt > 0) &&
	    (ud_statep->ud_state == IBCM_STATE_SIDR_REQ_SENT)) {

		ud_statep->ud_remaining_retry_cnt--;
		IBCM_UD_REF_CNT_INCR(ud_statep); /* for non-blocking post */
		IBTF_DPRINTF_L4(cmlog, "ibcm_sidr_timeout_cb: "
		    "ud_statep = %p, retries remaining = 0x%x",
		    ud_statep, ud_statep->ud_remaining_retry_cnt);
		mutex_exit(&ud_statep->ud_state_mutex);

		/* Post mad in non blocking mode */
		ibcm_post_ud_mad(ud_statep, ud_statep->ud_stored_msg,
		    ibcm_post_sidr_req_complete, ud_statep);

	} else if (ud_statep->ud_state == IBCM_STATE_SIDR_REQ_SENT) {

		/* This is on SIDR REQ Sender side processing */

		/* set state to IBCM_STATE_DELETE */
		ud_statep->ud_state = IBCM_STATE_DELETE;

		/*
		 * retry counter expired, clean up
		 *
		 * Invoke the client/server handler with a "status" of
		 * IBT_CM_SREP_TIMEOUT.
		 */

		if (ud_statep->ud_return_data != NULL) {
			ud_statep->ud_return_data->ud_status =
			    IBT_CM_SREP_TIMEOUT;
			ud_statep->ud_blocking_done = B_TRUE;
			cv_broadcast(&ud_statep->ud_block_client_cv);
		}

		mutex_exit(&ud_statep->ud_state_mutex);

		/* Invoke the client handler in a separate thread */
		if (ud_statep->ud_cm_handler != NULL) {
			/* UD state data is delete in timeout thread */
			ibcm_add_ud_tlist(ud_statep);
			return;
		}

		/* Delete UD state data now, finally done with it */
		ibcm_delete_ud_state_data(ud_statep);
	} else {

#ifdef DEBUG
		if (ibcm_test_mode > 0)
			IBTF_DPRINTF_L2(cmlog, "ibcm_sidr_timeout_cb: "
			    "Nop timeout  for ud_statep 0x%p in ud_state %d",
			    ud_statep, ud_statep->ud_state);
#endif
		mutex_exit(&ud_statep->ud_state_mutex);
	}
}


/*
 * ibcm_resend_srep_mad:
 *	Called on a duplicate incoming SIDR REQ on server side
 *	Posts the stored MAD from ud state structure using ud_stored_reply_addr
 *	Cancels any running timer, and then re-starts the timer
 *	This routine must be called with state structure table lock held
 *
 * INPUTS:
 *	ud_statep	-	ibcm_ud_state_data_t
 *
 * RETURN VALUE: NONE
 */
void
ibcm_resend_srep_mad(ibcm_ud_state_data_t *ud_statep)
{
	timeout_id_t		timer_val;

	ASSERT(MUTEX_HELD(&ud_statep->ud_state_mutex));

	IBTF_DPRINTF_L3(cmlog, "ibcm_resend_srep_mad: ud_statep 0x%p",
	    ud_statep);

	if (ud_statep->ud_send_mad_flags & IBCM_SREP_POST_BUSY)
		return;

	ud_statep->ud_send_mad_flags |= IBCM_SREP_POST_BUSY;

	/* for nonblocking SIDR REP Post */
	IBCM_UD_REF_CNT_INCR(ud_statep);

	/* Cancel currently running timer */
	timer_val = ud_statep->ud_timerid;

	if (ud_statep->ud_timerid != 0) {
		ud_statep->ud_timerid = 0;
		mutex_exit(&ud_statep->ud_state_mutex);
		(void) untimeout(timer_val);
	} else {
		mutex_exit(&ud_statep->ud_state_mutex);
	}

	/* Always resend the response MAD to the original reply destination */
	ibcm_post_ud_mad(ud_statep, ud_statep->ud_stored_msg,
	    ibcm_post_sidr_rep_complete, ud_statep);

	mutex_enter(&ud_statep->ud_state_mutex);
}


/*
 * ibcm_build_reply_mad_addr:
 *	Forms the reply MAD address based on "incoming mad addr" that is
 *	supplied as an arg.
 *
 *	Swaps the source and destination gids in ib_grh_t
 *
 * INPUTS:
 * inp_mad_addr:	Address information in the incoming MAD
 * out_mad_addr:	Derived address for the reply MAD
 *			The reply MAD address is derived based
 *			address information of incoming CM MAD
 * RETURN VALUE: NONE
 */
void
ibcm_build_reply_mad_addr(ibcm_mad_addr_t *inp_mad_addr,
    ibcm_mad_addr_t *out_mad_addr)
{
	IBTF_DPRINTF_L5(cmlog, "ibcm_build_reply_mad_addr:");

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*out_mad_addr))

	bcopy(inp_mad_addr, out_mad_addr, sizeof (ibcm_mad_addr_t));

	/* Swap the GIDs in the GRH */
	if (inp_mad_addr->grh_exists == B_TRUE) {
		ib_gid_t sgid = inp_mad_addr->grh_hdr.ig_sender_gid;

		/* swap the SGID and DGID */
		out_mad_addr->grh_hdr.ig_sender_gid =
		    inp_mad_addr->grh_hdr.ig_recver_gid;
		out_mad_addr->grh_hdr.ig_recver_gid = sgid;
	}

	/*
	 * CM posts response MAD on a new/existing internal QP on the same port
	 * and pkey
	 */
	out_mad_addr->cm_qp_entry =
	    ibcm_find_qp(inp_mad_addr->cm_qp_entry->qp_port->port_hcap,
	    inp_mad_addr->port_num, inp_mad_addr->rcvd_addr.ia_p_key);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*out_mad_addr))
}


/*
 * ibcm_post_rc_mad
 *	Posts a CM MAD associated with a RC statep
 *
 * INPUTS:
 * statep	: RC statep associated with the post
 * msgp		: CM MAD to be posted
 * post_cb	: non-NULL callback address implies non-blocking post
 * args		: Args to ibmf send callback
 *
 * RETURN VALUE: based on ibmf_send_mad
 */
void
ibcm_post_rc_mad(ibcm_state_data_t *statep, ibmf_msg_t *msgp,
    ibmf_msg_cb_t post_cb, void *args)
{
	ibt_status_t	status;

	mutex_enter(&statep->state_mutex);
	statep->post_time = gethrtime();
	mutex_exit(&statep->state_mutex);
	status = ibcm_post_mad(msgp, &statep->stored_reply_addr, post_cb,
	    args);
	if ((status != IBT_SUCCESS) && (post_cb != NULL))
		/* Call ibmf callback directly */
		(*post_cb)(NULL, msgp, args);
}


/*
 * ibcm_post_ud_mad
 *	Posts a CM MAD associated with a UD statep
 *
 * INPUTS:
 * ud_statep	: UD statep associated with the post
 * msgp		: CM MAD to be posted
 * post_cb	: non-NULL callback address implies non-blocking post
 * args		: Args to ibmf send callback
 *
 * RETURN VALUE: based on ibmf_send_mad
 */
void
ibcm_post_ud_mad(ibcm_ud_state_data_t *ud_statep, ibmf_msg_t *msgp,
    ibmf_msg_cb_t ud_post_cb, void *args)
{
	ibt_status_t	status;
	status = ibcm_post_mad(msgp, &ud_statep->ud_stored_reply_addr,
	    ud_post_cb, args);
	if ((status != IBT_SUCCESS) && (ud_post_cb != NULL))
		/* Call ibmf callback directly */
		(*ud_post_cb)(NULL, msgp, args);
}

/*
 * ibcm_post_mad:
 *	Posts CM MAD using IBMF in blocking mode
 *
 * INPUTS:
 * msgp		: CM MAD to be posted
 * cm_mad_addr	: Address information for the MAD to be posted
 * post_cb	: non-NULL callback address implies non-blocking post
 * args		: Args to ibmf send callback
 *
 * RETURN VALUE: based on ibmf_send_mad
 */
ibt_status_t
ibcm_post_mad(ibmf_msg_t *msgp, ibcm_mad_addr_t *cm_mad_addr,
    ibmf_msg_cb_t post_cb, void *args)
{
	int	post_status;

	IBTF_DPRINTF_L5(cmlog, "ibcm_post_mad: "
	    "ibmf_msg_t = %p, cm_madd_adr = %p", msgp, cm_mad_addr);

	IBTF_DPRINTF_L4(cmlog, "ibcm_post_mad: dlid = %x, d_qno= %x",
	    cm_mad_addr->rcvd_addr.ia_remote_lid,
	    cm_mad_addr->rcvd_addr.ia_remote_qno);
	IBTF_DPRINTF_L4(cmlog, "ibcm_post_mad: p_key = %x, q_key = %x, "
	    "sl = %x, grh_exists = %x",
	    cm_mad_addr->rcvd_addr.ia_p_key, cm_mad_addr->rcvd_addr.ia_q_key,
	    cm_mad_addr->rcvd_addr.ia_service_level, cm_mad_addr->grh_exists);

	/* Copy local addressing info */
	msgp->im_local_addr = cm_mad_addr->rcvd_addr;

	/* Copy global/GRH addressing info */
	if (cm_mad_addr->grh_exists == B_TRUE)
		msgp->im_global_addr = cm_mad_addr->grh_hdr;

	if (post_cb)
		ibcm_flow_inc();
	post_status = ibmf_msg_transport(
	    cm_mad_addr->ibmf_hdl, cm_mad_addr->cm_qp_entry->qp_cm, msgp,
	    NULL, post_cb, args, 0);
	if (post_status != IBMF_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_post_mad: ibmf_msg_transport "
		    "failed: status %d, cb = %p", post_status, post_cb);
		/* Analyze the reason for failure */
		return (ibcm_ibmf_analyze_error(post_status));
	}

	return (IBT_SUCCESS);
}


/*
 * ibcm_process_get_classport_info:
 *	Get classportinfo
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- Input MAD pointer
 *	cm_mad_addr	- Address information for the MAD to be posted
 *
 * RETURN VALUE: NONE
 */
static void
ibcm_process_get_classport_info(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ibmf_msg_t		*msgp;

	IBTF_DPRINTF_L5(cmlog, "ibcm_process_get_classport_info: (%p, %p, %p)",
	    hcap, input_madp, cm_mad_addr);

	if (ibcm_alloc_out_msg(cm_mad_addr->ibmf_hdl, &msgp,
	    MAD_METHOD_GET_RESPONSE) != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_get_classport_info: "
		    "ibcm_alloc_out_msg failed");
		return;
	}

	/* copy the transaction id from input get mad */
	IBCM_OUT_HDRP(msgp)->TransactionID =
	    ((ib_mad_hdr_t *)(input_madp))->TransactionID;
	IBCM_OUT_HDRP(msgp)->AttributeID = h2b16(MAD_ATTR_ID_CLASSPORTINFO);

	bcopy(&ibcm_clpinfo, IBCM_OUT_MSGP(msgp), sizeof (ibcm_clpinfo));

	(void) ibcm_post_mad(msgp, cm_mad_addr, NULL, NULL);
	(void) ibcm_free_out_msg(cm_mad_addr->ibmf_hdl, &msgp);

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_get_classport_info: done");
}

/*
 * ibcm_decode_classport_info:
 *	Decode classportinfo
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	cm_mad_addr	- Address information for the MAD to be posted
 *	input_madp	- Input MAD pointer
 *
 * RETURN VALUE: NONE
 */
static void
ibcm_decode_classport_info(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ibcm_classportinfo_msg_t *portinfop = (ibcm_classportinfo_msg_t *)
	    (&input_madp[IBCM_MAD_HDR_SIZE]);
	IBTF_DPRINTF_L5(cmlog, "ibcm_decode_classport_info: (%p, %p, %p)",
	    hcap, input_madp, cm_mad_addr);

	/* Print various fields of received classportinfo in debuf buf */

	IBTF_DPRINTF_L4(cmlog, "ibcm_decode_classport_info: "
	    "Base version %d Class version %d", portinfop->BaseVersion,
	    portinfop->ClassVersion);
	IBTF_DPRINTF_L4(cmlog, "ibcm_decode_classport_info: "
	    "Cap Mask %d Resp Time %d", portinfop->CapabilityMask,
	    portinfop->RespTimeValue_plus);
}


/*
 * ibcm_handler_conn_fail:
 *	Helper function used to call client handler for Conn fail event
 *
 * INPUTS:
 *	statep:			The connection state pointer
 *	rej_type:		Message being rejected
 *	rej_reason:		Reason why CM is sending the REJ message
 *	client_data:		Private data returned by the client for REJ
 *	client_data_len:	Length of above client's private data.
 *
 * RETURN VALUE:	Client Handler's return status
 */
static void
ibcm_handler_conn_fail(ibcm_state_data_t *statep, uint8_t cf_code,
    uint8_t cf_msg, ibt_cm_reason_t cf_reason, uint8_t *client_data,
    ibt_priv_data_len_t client_data_len)
{
	ibt_cm_event_t	event;

	ibcm_path_cache_purge();

	if (statep->channel)
		ibtl_cm_chan_open_is_aborted(statep->channel);

	/* Invoke CM handler w/ event passed as arg */
	if (statep->cm_handler != NULL) {
		bzero(&event, sizeof (ibt_cm_event_t));

		event.cm_type = IBT_CM_EVENT_FAILURE;
		event.cm_channel = statep->channel;
		event.cm_session_id = NULL;
		event.cm_priv_data = NULL;
		event.cm_priv_data_len = 0;

		event.cm_event.failed.cf_code = cf_code;
		event.cm_event.failed.cf_msg =  cf_msg;
		event.cm_event.failed.cf_reason =  cf_reason;

		ibcm_insert_trace(statep, IBCM_TRACE_CALLED_CONN_FAIL_EVENT);

		(void) statep->cm_handler(statep->state_cm_private, &event,
		    NULL, client_data, client_data_len);

		ibcm_insert_trace(statep, IBCM_TRACE_RET_CONN_FAIL_EVENT);
	}
	if (ibcm_enable_trace != 0)
		ibcm_dump_conn_trace(statep);
	mutex_enter(&statep->state_mutex);
	ibcm_open_done(statep);
	mutex_exit(&statep->state_mutex);
}

/*
 * QP State transition functions here
 *
 * The brief description of these functions :
 *	Validate QP related attributes in the messages
 *	Call client/server callback handlers
 *	Change QP state
 *	Set QP attributes (modify QP)
 *	Fill up the response MADs
 */

/*
 * ibcm_set_primary_adds_vect:
 *	Helper function used to fill up ibt_adds_vect_t PRIMARY PATH
 *	(called from ibcm_cep_state_*() functions)
 *
 * INPUTS:
 * statep	: The connection state pointer
 * adds_vectp	: The ibt_adds_vect_t ptr that is being filled up
 * msgp		: CM REQ message that is the source of information
 *
 * RETURN VALUE:	NONE
 */
static void
ibcm_set_primary_adds_vect(ibcm_state_data_t *statep,
    ibt_adds_vect_t *adds_vectp, ibcm_req_msg_t *msgp)
{
	uint32_t flow_label20_res6_rate6;

	flow_label20_res6_rate6 = b2h32(msgp->req_primary_flow_label_plus);

	/* first setup the srvl, srate, dlid and dgid */
	adds_vectp->av_srvl = msgp->req_primary_sl_plus >> 4;
	adds_vectp->av_src_path = statep->prim_src_path_bits;

	if (statep->mode == IBCM_PASSIVE_MODE) {
		adds_vectp->av_dlid = b2h16(msgp->req_primary_l_port_lid);
		adds_vectp->av_dgid.gid_prefix =
		    b2h64(msgp->req_primary_l_port_gid.gid_prefix);
		adds_vectp->av_dgid.gid_guid =
		    b2h64(msgp->req_primary_l_port_gid.gid_guid);
		adds_vectp->av_sgid.gid_prefix =
		    b2h64(msgp->req_primary_r_port_gid.gid_prefix);
		adds_vectp->av_sgid.gid_guid =
		    b2h64(msgp->req_primary_r_port_gid.gid_guid);
		adds_vectp->av_srate = flow_label20_res6_rate6 & 0x3f;
	} else {
		adds_vectp->av_dlid = b2h16(msgp->req_primary_r_port_lid);
		adds_vectp->av_dgid.gid_prefix =
		    b2h64(msgp->req_primary_r_port_gid.gid_prefix);
		adds_vectp->av_dgid.gid_guid =
		    b2h64(msgp->req_primary_r_port_gid.gid_guid);
		adds_vectp->av_sgid.gid_prefix =
		    b2h64(msgp->req_primary_l_port_gid.gid_prefix);
		adds_vectp->av_sgid.gid_guid =
		    b2h64(msgp->req_primary_l_port_gid.gid_guid);
		adds_vectp->av_srate = statep->local_srate;
	}

	/* next copy off the GRH info if it exists  */
	if ((msgp->req_primary_sl_plus & 0x8) == 0) {
		adds_vectp->av_send_grh = B_TRUE;
		adds_vectp->av_flow = flow_label20_res6_rate6 >> 12;
		adds_vectp->av_tclass = msgp->req_primary_traffic_class;
		adds_vectp->av_hop = msgp->req_primary_hop_limit;
	} else {
		adds_vectp->av_send_grh = B_FALSE;
	}
}


/*
 * ibcm_set_alt_adds_vect:
 *	Helper function used to fill up ibt_adds_vect_t ALTERNATE PATH
 *	(called from ibcm_cep_state_*() functions)
 *
 * INPUTS:
 * statep	: The connection state pointer
 * adds_vectp	: The ibt_adds_vect_t ptr that is being filled up
 * msgp		: CM REQ message that is the source of information
 *
 * RETURN VALUE:	NONE
 */
static void
ibcm_set_alt_adds_vect(ibcm_state_data_t *statep,
    ibt_adds_vect_t *adds_vectp, ibcm_req_msg_t *msgp)
{
	ib_gid_t dgid;
	ib_gid_t sgid;
	uint32_t flow_label20_res6_rate6;

	flow_label20_res6_rate6 = b2h32(msgp->req_alt_flow_label_plus);

	/* first setup the srvl, srate, dlid and dgid */
	adds_vectp->av_srvl = msgp->req_alt_sl_plus >> 4;
	adds_vectp->av_src_path = statep->alt_src_path_bits;

	if (statep->mode == IBCM_PASSIVE_MODE) {
		adds_vectp->av_dlid = b2h16(msgp->req_alt_l_port_lid);
		bcopy(&msgp->req_alt_l_port_gid[0], &dgid, sizeof (ib_gid_t));
		bcopy(&msgp->req_alt_r_port_gid[0], &sgid, sizeof (ib_gid_t));
		adds_vectp->av_srate = flow_label20_res6_rate6 & 0x3f;
	} else {
		adds_vectp->av_dlid = b2h16(msgp->req_alt_r_port_lid);
		bcopy(&msgp->req_alt_r_port_gid[0], &dgid, sizeof (ib_gid_t));
		bcopy(&msgp->req_alt_l_port_gid[0], &sgid, sizeof (ib_gid_t));
		adds_vectp->av_srate = statep->local_alt_srate;
	}
	adds_vectp->av_dgid.gid_prefix = b2h64(dgid.gid_prefix);
	adds_vectp->av_dgid.gid_guid = b2h64(dgid.gid_guid);
	adds_vectp->av_sgid.gid_prefix = b2h64(sgid.gid_prefix);
	adds_vectp->av_sgid.gid_guid = b2h64(sgid.gid_guid);

	/* next copy off the GRH info if it exists  */
	if ((msgp->req_alt_sl_plus & 0x8) == 0) {
		adds_vectp->av_send_grh = B_TRUE;
		adds_vectp->av_flow = flow_label20_res6_rate6 >> 12;
		adds_vectp->av_tclass = msgp->req_alt_traffic_class;
		adds_vectp->av_hop = msgp->req_alt_hop_limit;
	} else {
		adds_vectp->av_send_grh = B_FALSE;	/* no GRH */
	}
}


/*
 * ibcm_set_primary_cep_path:
 *	Helper function used to fill up ibt_cep_path_t PRIMARY PATH
 *	(called from ibcm_cep_state_*() functions)
 *
 * INPUTS:
 * statep	: The connection state pointer
 * adds_vectp	: The ibt_cep_path_t ptr that is being filled up
 * msgp		: CM REQ message that is the source of information
 *
 * RETURN VALUE:	NONE
 */
static ibt_status_t
ibcm_set_primary_cep_path(ibcm_state_data_t *statep, ibt_cep_path_t *pathp,
    ibcm_req_msg_t *msgp)
{
	ibt_status_t		status;

	/* validate the PKEY in REQ for prim port */
	status = ibt_pkey2index_byguid(statep->local_hca_guid,
	    statep->prim_port, b2h16(msgp->req_part_key), &pathp->cep_pkey_ix);

	if (status != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_set_primary_cep_path: "
		    "statep 0x%p pkey %x prim_port %d ", statep,
		    b2h16(msgp->req_part_key), statep->prim_port);
		IBTF_DPRINTF_L2(cmlog, "ibcm_set_primary_cep_path: "
		    "statep 0x%p Invalid PKEY on prim_port, status %d ",
		    statep, status);
		return (status);
	}
	statep->pkey = b2h16(msgp->req_part_key);
	ibcm_set_primary_adds_vect(statep, &pathp->cep_adds_vect, msgp);
	return (IBT_SUCCESS);
}


/*
 * ibcm_set_alt_cep_path:
 *	Helper function used to fill up ibt_cep_path_t ALTERNATE PATH
 *	(called from ibcm_cep_state_*() functions)
 *
 * INPUTS:
 * statep	: The connection state pointer
 * adds_vectp	: The ibt_cep_path_t ptr that is being filled up
 * msgp		: CM REQ message that is the source of information
 *
 * RETURN VALUE:	NONE
 */
static ibt_status_t
ibcm_set_alt_cep_path(ibcm_state_data_t *statep, ibt_cep_path_t *pathp,
    ibcm_req_msg_t *msgp)
{
	ibt_status_t		status;

	if (b2h16(msgp->req_alt_l_port_lid) == 0) {
		/* no alternate path specified */
		return (IBT_SUCCESS);
	}

	/* validate the PKEY in REQ for alt port */
	status = ibt_pkey2index_byguid(statep->local_hca_guid,
	    statep->alt_port, b2h16(msgp->req_part_key), &pathp->cep_pkey_ix);

	if (status != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_set_alt_cep_path: "
		    "statep 0x%p pkey %x alt_port %d ", statep,
		    b2h16(msgp->req_part_key), statep->alt_port);
		IBTF_DPRINTF_L2(cmlog, "ibcm_set_alt_cep_path: "
		    "statep 0x%p Invalid PKEY on alt_port, status %d ",
		    statep, status);
		return (status);
	}
	pathp->cep_hca_port_num = statep->alt_port;
	ibcm_set_alt_adds_vect(statep, &pathp->cep_adds_vect, msgp);
	return (IBT_SUCCESS);

}

/*
 * ibcm_compare_prim_alt_paths:
 *	Helper function used to find if primary and alternate paths are
 *	identical
 *	(called from ibcm_cep_state_req)
 *
 * INPUTS:
 * req:			Pointer to ibt_cm_req_rcv_t, filled before invoking
 *			the function
 *
 * RETURN VALUE:	NONE
 */

static boolean_t
ibcm_compare_prim_alt_paths(ibt_adds_vect_t *prim, ibt_adds_vect_t *alt)
{

	if ((alt->av_dlid == prim->av_dlid) &&
	    (alt->av_dgid.gid_prefix == prim->av_dgid.gid_prefix) &&
	    (alt->av_dgid.gid_guid == prim->av_dgid.gid_guid) &&
	    (alt->av_sgid.gid_prefix == prim->av_sgid.gid_prefix) &&
	    (alt->av_sgid.gid_guid == prim->av_sgid.gid_guid) &&
	    (alt->av_src_path == prim->av_src_path)) {

		return (B_TRUE);
	}
	return (B_FALSE);
}


/*
 * ibcm_invoke_qp_modify:
 *	Helper function used to call ibt_modify_qp()
 *	called from ibcm_cep_state_req()/ibcm_cep_state_rep()
 *	It sets up qp_info/eec_info
 *
 *	Sets state to RTR as well.
 *
 *
 * INPUTS:
 *	statep:		The connection state pointer
 *	req_msgp:	The CM REQ message
 *
 * RETURN VALUE:
 *	IBT_SUCCESS	-	call succeeded
 */
static ibt_status_t
ibcm_invoke_qp_modify(ibcm_state_data_t *statep, ibcm_req_msg_t *req_msgp,
    ibcm_rep_msg_t *rep_msgp)
{
	ibt_status_t		status;
	ibt_qp_info_t		qp_info;
	ibt_cep_modify_flags_t	cep_flags;
	ibt_tran_srv_t		trans;

	cep_flags = IBT_CEP_SET_INIT_RTR | IBT_CEP_SET_PKEY_IX;
	trans = ((uint8_t *)&req_msgp->req_remote_eecn_plus)[3] >> 1 & 0x3;

	ASSERT(statep->channel != NULL);

	/*
	 * If alternate path is present in REQ message then
	 * OR in IBT_CEP_SET_ALT_PATH, if APM supported on hca
	 */
	if (b2h16(req_msgp->req_alt_l_port_lid) != 0) {

		if (statep->hcap->hca_caps & IBT_HCA_AUTO_PATH_MIG)
			cep_flags |= IBT_CEP_SET_ALT_PATH;
			/* default value of rep_failover is ACCEPT */
		else {
			rep_msgp->rep_target_delay_plus |=
			    IBT_CM_FAILOVER_REJ_NOTSUPP << 1;
			IBTF_DPRINTF_L3(cmlog, "ibcm_invoke_qp_modify"
			    " Alt Path specified in REQ, but not supported");
		}
	}

	/* If transport type is RD OR in IBC_CEP_SET_QKEY */
	if (trans == IBT_RD_SRV) {
		cep_flags |= IBT_CEP_SET_QKEY;
	}

	/* Start filling up ibt_qp_info_t.  */
	bzero(&qp_info, sizeof (qp_info));
	qp_info.qp_trans = trans;
	qp_info.qp_state = IBT_STATE_RTR;
	qp_info.qp_flags = IBT_CEP_NO_FLAGS;

	switch (trans) {
	case IBT_RC_SRV:

		if (statep->mode == IBCM_ACTIVE_MODE) {
			/* Setting PSN on RQ */

			IBCM_QPINFO_RC(qp_info).rc_rq_psn =
			    b2h32(req_msgp->req_starting_psn_plus) >> 8;

			IBCM_QPINFO_RC(qp_info).rc_dst_qpn =
			    b2h32(rep_msgp->rep_local_qpn_plus) >> 8;

			/* RDMA resources taken from negotiated REP values */
			IBCM_QPINFO_RC(qp_info).rc_rdma_ra_in =
			    rep_msgp->rep_initiator_depth;

		} else { /* Passive side CM */
			/* Setting PSN on SQ and RQ */
			IBCM_QPINFO_RC(qp_info).rc_sq_psn =
			    IBCM_QPINFO_RC(qp_info).rc_rq_psn =
			    b2h32(rep_msgp->rep_starting_psn_plus) >> 8;

			IBCM_QPINFO_RC(qp_info).rc_dst_qpn =
			    b2h32(req_msgp->req_local_qpn_plus) >> 8;

			/* RDMA resources taken from negotiated REP values */
			IBCM_QPINFO_RC(qp_info).rc_rdma_ra_in =
			    rep_msgp->rep_resp_resources;
		}

		/* XXX, Oh!, ibtl doesn't have interface for setting this */
		IBCM_QPINFO_RC(qp_info).rc_min_rnr_nak =
		    ibcm_default_rnr_nak_time;
		IBCM_QPINFO_RC(qp_info).rc_path_mtu =
		    req_msgp->req_mtu_plus >> 4;
		IBCM_QPINFO_RC(qp_info).rc_retry_cnt =
		    ((uint8_t *)&req_msgp->req_starting_psn_plus)[3] & 0x7;
		IBCM_QPINFO_RC(qp_info).rc_rnr_retry_cnt =
		    req_msgp->req_mtu_plus & 0x7;

		if ((status = ibcm_set_primary_cep_path(statep,
		    &IBCM_QPINFO_RC(qp_info).rc_path, req_msgp)) !=
		    IBT_SUCCESS)
			return (status);

		if ((status = ibcm_set_alt_cep_path(statep,
		    &IBCM_QPINFO_RC(qp_info).rc_alt_path, req_msgp)) !=
		    IBT_SUCCESS)
			return (status);

		break;
	case IBT_RD_SRV:
		if (statep->mode == IBCM_ACTIVE_MODE) { /* look at REP msg */
			IBCM_QPINFO(qp_info).rd.rd_qkey =
			    b2h32(rep_msgp->rep_local_qkey);
		} else {
			IBCM_QPINFO(qp_info).rd.rd_qkey =
			    b2h32(req_msgp->req_local_qkey);
		}

		break;

	case IBT_UC_SRV:
		if (statep->mode == IBCM_ACTIVE_MODE) { /* look at REP msg */
			IBCM_QPINFO_UC(qp_info).uc_sq_psn =
			    b2h32(req_msgp->req_starting_psn_plus) >> 8;
			IBCM_QPINFO_UC(qp_info).uc_dst_qpn =
			    b2h32(rep_msgp->rep_local_qpn_plus) >> 8;
		} else {
			IBCM_QPINFO_UC(qp_info).uc_rq_psn =
			    IBCM_QPINFO_UC(qp_info).uc_sq_psn =
			    b2h32(rep_msgp->rep_starting_psn_plus) >> 8;
			IBCM_QPINFO_UC(qp_info).uc_dst_qpn =
			    b2h32(req_msgp->req_local_qpn_plus) >> 8;
		}
		IBCM_QPINFO_UC(qp_info).uc_path_mtu =
		    req_msgp->req_mtu_plus >> 4;

		if ((status = ibcm_set_primary_cep_path(statep,
		    &IBCM_QPINFO_UC(qp_info).uc_path, req_msgp)) !=
		    IBT_SUCCESS)
			return (status);

		if ((status = ibcm_set_alt_cep_path(statep,
		    &IBCM_QPINFO_UC(qp_info).uc_alt_path, req_msgp)) !=
		    IBT_SUCCESS)
			return (status);

		break;
	default:
		IBTF_DPRINTF_L2(cmlog, "ibcm_invoke_qp_modify: "
		    "unknown svc_type = %x", trans);
		break;
	}

	/* Call modify_qp */
	status = ibt_modify_qp(statep->channel, cep_flags, &qp_info, NULL);
	IBTF_DPRINTF_L4(cmlog, "ibcm_invoke_qp_modify: statep 0x%p"
	    " ibt_modify_qp() Init to RTR returned = %d", statep, status);

	if (status == IBT_SUCCESS)
		ibcm_insert_trace(statep, IBCM_TRACE_INIT_RTR);
	else
		ibcm_insert_trace(statep, IBCM_TRACE_INIT_RTR_FAIL);

#ifdef	DEBUG

	print_modify_qp("Init to RTR", statep->channel, cep_flags, &qp_info);

	if (statep->channel != NULL) {
		ibt_qp_query_attr_t	qp_attrs;

		(void) ibt_query_qp(statep->channel, &qp_attrs);
		IBTF_DPRINTF_L4(cmlog, "ibcm_invoke_qp_modify: "
		    "qp_info.qp_state = %x", qp_attrs.qp_info.qp_state);
	}
#endif

	return (status);
}


/*
 * ibcm_verify_req_gids_and_svcid
 *	Validation of LIDs, GIDs and SVC ID
 *
 * INPUTS:
 *	statep		- state pointer
 *	cm_req_msgp	- REQ message pointer
 *
 * RETURN VALUE: IBCM_SUCCESS/IBCM_FAILURE
 *
 */
ibcm_status_t
ibcm_verify_req_gids_and_svcid(ibcm_state_data_t *statep,
    ibcm_req_msg_t *cm_req_msgp)
{
	ib_gid_t		gid;
	ib_gid_t		agid;
	ib_lid_t		lid;
	ibt_status_t		status;
	ibtl_cm_hca_port_t	port;
	ibt_cm_reason_t		reject_reason = IBT_CM_SUCCESS;
	ibcm_svc_info_t		*svc_infop;
	ibcm_svc_bind_t		*svc_bindp;
	ibcm_svc_bind_t		*tmp_bindp;
	ib_pkey_t		pkey;
	uint8_t			port_num;
	ib_guid_t		hca_guid;
	ibcm_ip_pvtdata_t	*ip_data;

	/* Verify LID and GID of primary port */

	gid.gid_prefix = b2h64(cm_req_msgp->req_primary_r_port_gid.gid_prefix);
	gid.gid_guid = b2h64(cm_req_msgp->req_primary_r_port_gid.gid_guid);

	IBTF_DPRINTF_L4(cmlog, "ibcm_verify_req_gids: statep 0x%p"
	    " PRIM _r_gid (%llx, %llx)", statep, gid.gid_prefix,
	    gid.gid_guid);

	IBTF_DPRINTF_L4(cmlog, "ibcm_verify_req_gids: statep 0x%p "
	    "PRIM passive lid %x", statep,
	    b2h16(cm_req_msgp->req_primary_r_port_lid));

	/* Verify GID validity, if specified */
	if ((status = ibtl_cm_get_hca_port(gid, 0, &port)) == IBT_SUCCESS) {

		IBTF_DPRINTF_L4(cmlog, "ibcm_verify_req_gids: statep 0x%p "
		    "prim_port_num %d", statep, port.hp_port);

		IBTF_DPRINTF_L4(cmlog, "ibcm_verify_req_gids: statep 0x%p "
		    "passive hca_guid 0x%llX", statep, port.hp_hca_guid);

		port_num = port.hp_port;
		hca_guid = port.hp_hca_guid;
	}

	if (status != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_verify_req_gids: statep 0x%p "
		    "ibtl_cm_get_hca_port() primary port failed = %d", statep,
		    status);
		reject_reason = IBT_CM_PRIM_GID;
		/* we will search for an acceptable GID to this port */
		port_num = statep->stored_reply_addr.port_num;
		hca_guid = statep->hcap->hca_guid;

	} else if (port.hp_base_lid !=
	    (b2h16(cm_req_msgp->req_primary_r_port_lid) &
	    (~((1 << port.hp_lmc) - 1)))) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_verify_req_gids: statep 0x%p "
		    "primary port lid invalid (%x, %x, %x)", statep,
		    port.hp_base_lid,
		    b2h16(cm_req_msgp->req_primary_r_port_lid), port.hp_lmc);
		reject_reason = IBT_CM_PRIM_LID;
	} else {

		statep->local_hca_guid = port.hp_hca_guid;
		statep->prim_port = port.hp_port;
		statep->prim_src_path_bits =
		    b2h16(cm_req_msgp->req_primary_r_port_lid) -
		    port.hp_base_lid;

		IBTF_DPRINTF_L4(cmlog, "ibcm_verify_req_gids: "
		    "statep 0x%p prim_port_path_bits %d ",
		    statep, statep->prim_src_path_bits);

		/* Verify LID and GID  of alternate port. Post REJ if invalid */

		/* Need a bcopy, as alt port gid is unaligned in req message */
		bcopy(&cm_req_msgp->req_alt_r_port_gid[0], &agid,
		    sizeof (ib_gid_t));
		agid.gid_prefix = b2h64(agid.gid_prefix);
		agid.gid_guid = b2h64(agid.gid_guid);

		IBTF_DPRINTF_L4(cmlog, "ibcm_verify_req_gids: statep 0x%p"
		    " Alt port_gid is (%llX:%llX)", statep, agid.gid_prefix,
		    agid.gid_guid);

		if ((agid.gid_prefix != 0) || (agid.gid_guid != 0)) {

			/* Verify GID validity, if specified */
			if ((status = ibtl_cm_get_hca_port(agid,
			    statep->local_hca_guid, &port)) != IBT_SUCCESS) {
				IBTF_DPRINTF_L2(cmlog,
				    "ibcm_verify_req_gids: ibtl_cm_get_hca_port"
				    " statep 0x%p alternate port failed = %d",
				    statep, status);
				reject_reason = IBT_CM_ALT_GID;

			} else if (port.hp_base_lid !=
			    (b2h16(cm_req_msgp->req_alt_r_port_lid) &
			    (~((1 << port.hp_lmc) - 1)))) {

				IBTF_DPRINTF_L2(cmlog,
				    "ibcm_verify_req_gids: statep 0x%p "
				    "alternate port lid invalid (%x, %x, %x)",
				    statep, port.hp_base_lid,
				    cm_req_msgp->req_alt_r_port_lid,
				    port.hp_lmc);
				reject_reason = IBT_CM_ALT_LID;
			} else { /* Alt LID and GID are valid */
				statep->alt_port = port.hp_port;
				statep->alt_src_path_bits =
				    b2h16(cm_req_msgp->req_alt_r_port_lid) -
				    port.hp_base_lid;

				IBTF_DPRINTF_L4(cmlog, "ibcm_verify_req_gids: "
				    "statep 0x%p alt_port_num %d "
				    "alt_rc_hca_guid 0x%llX", statep,
				    port.hp_port, port.hp_hca_guid);

				IBTF_DPRINTF_L4(cmlog, "ibcm_verify_req_gids: "
				    "statep 0x%p alt_port_path_bits %d ",
				    statep, statep->alt_src_path_bits);
			}
		}
	}

	mutex_enter(&ibcm_svc_info_lock);
	svc_infop = ibcm_find_svc_entry(statep->svcid);

	/*
	 * Note: When we return SUCCESS, the reader lock won't get dropped
	 * until after the cm_handler is called from ibcm_cep_state_req().
	 */

	IBTF_DPRINTF_L4(cmlog, "ibcm_verify_req_gids: "
	    "ibcm_find_svc_entry found svc_infop %p", svc_infop);

	/*
	 * Send REJ with reject reason "invalid service id" for the
	 * the following cases :-
	 * Service id is valid, but not available at gid/lid of REQ
	 * Service id is invalid
	 */

	if (svc_infop == NULL || svc_infop->svc_bind_list == NULL) {
		mutex_exit(&ibcm_svc_info_lock);

		IBTF_DPRINTF_L2(cmlog, "ibcm_verify_req_gids_and_svcid: "
		    "statep 0x%p svc_id %llX svc_infop NULL", statep,
		    statep->svcid);

		/* Send a REJ with invalid SID reason */
		ibcm_post_rej_mad(statep,
		    IBT_CM_INVALID_SID, IBT_CM_FAILURE_REQ, NULL, 0);
		return (IBCM_FAILURE);
	}

	if (svc_infop->svc_rc_handler == NULL) {
		mutex_exit(&ibcm_svc_info_lock);

		/* Send a REJ with invalid SID reason */
		ibcm_post_rej_mad(statep,
		    IBT_CM_INVALID_SRV_TYPE, IBT_CM_FAILURE_REQ, NULL, 0);
		return (IBCM_FAILURE);
	}

	/*
	 * Check if ServiceID is in RDMA IP CM SID range, if yes, we parse
	 * the REQ's Private Data and verify for it's goodness.
	 */
	if (((statep->svcid & IB_SID_IPADDR_PREFIX_MASK) == 0) &&
	    (statep->svcid & IB_SID_IPADDR_PREFIX)) {
		ibt_ari_ip_t	ari_ip;
		boolean_t	rdma_rej_mad = B_FALSE;

		ip_data = (ibcm_ip_pvtdata_t *)cm_req_msgp->req_private_data;

		bzero(&ari_ip, sizeof (ibt_ari_ip_t));

		/* RDMA IP CM Layer Rejects this */
		if (ip_data->ip_MajV != IBT_CM_IP_MAJ_VER) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_verify_req_gids_and_svcid:"
			    "IP MajorVer mis-match %d", ip_data->ip_MajV);
			ari_ip.ip_reason = IBT_ARI_IP_MAJOR_VERSION;
			ari_ip.ip_suggested_version = IBT_CM_IP_MAJ_VER;
			ari_ip.ip_suggested = B_TRUE;
			rdma_rej_mad = B_TRUE;
		} else if (ip_data->ip_MinV != IBT_CM_IP_MIN_VER) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_verify_req_gids_and_svcid:"
			    "IP MinorVer mis-match %d", ip_data->ip_MinV);
			ari_ip.ip_reason = IBT_ARI_IP_MINOR_VERSION;
			ari_ip.ip_suggested_version = IBT_CM_IP_MIN_VER;
			ari_ip.ip_suggested = B_TRUE;
			rdma_rej_mad = B_TRUE;
		} else if ((ip_data->ip_ipv != IBT_CM_IP_IPV_V4) &&
		    (ip_data->ip_ipv != IBT_CM_IP_IPV_V6)) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_verify_req_gids_and_svcid:"
			    " Invalid IPV specified %d", ip_data->ip_ipv);
			ari_ip.ip_reason = IBT_ARI_IP_IPV;
			ari_ip.ip_suggested_version = IBT_CM_IP_IPV_V4;
			ari_ip.ip_suggested = B_TRUE;
			rdma_rej_mad = B_TRUE;
		} else {
			/*
			 * Validate whether ip_addr specified are non-NULL.
			 *
			 * NOTE:
			 * RDMA ULP which is servicing this SID, should validate
			 * the correctness of srcip/dstip and accordingly post
			 * REJ related to ibt_ari_ip_reason_t of
			 * IBT_ARI_IP_SRC_ADDR, IBT_ARI_IP_DST_ADDR and
			 * IBT_ARI_IP_UNKNOWN_ADDR.
			 */
			if (ip_data->ip_ipv == IBT_CM_IP_IPV_V4) {
				if (ip_data->ip_srcv4 == 0) {
					IBTF_DPRINTF_L2(cmlog,
					    "ibcm_verify_req_gids_and_svcid: "
					    "Invalid NULL V4 SrcIp specified");
					rdma_rej_mad = B_TRUE;
					ari_ip.ip_reason = IBT_ARI_IP_SRC_ADDR;
					ari_ip.ip_suggested = B_TRUE;
					ari_ip.ip_suggested_version =
					    IBT_CM_IP_IPV_V4;
				} else if (ip_data->ip_dstv4 == 0) {
					IBTF_DPRINTF_L2(cmlog,
					    "ibcm_verify_req_gids_and_svcid: "
					    "Invalid NULL V4 DstIp specified");
					rdma_rej_mad = B_TRUE;
					ari_ip.ip_reason = IBT_ARI_IP_DST_ADDR;
					ari_ip.ip_suggested = B_TRUE;
					ari_ip.ip_suggested_version =
					    IBT_CM_IP_IPV_V4;
				}
			} else if (ip_data->ip_ipv == IBT_CM_IP_IPV_V6) {
				if (IN6_IS_ADDR_UNSPECIFIED(
				    &ip_data->ip_srcv6)) {
					IBTF_DPRINTF_L2(cmlog,
					    "ibcm_verify_req_gids_and_svcid: "
					    "Invalid NULL V6 SrcIp specified");
					rdma_rej_mad = B_TRUE;
					ari_ip.ip_reason = IBT_ARI_IP_SRC_ADDR;
					ari_ip.ip_suggested = B_TRUE;
					ari_ip.ip_suggested_version =
					    IBT_CM_IP_IPV_V6;
				} else if (IN6_IS_ADDR_UNSPECIFIED(
				    &ip_data->ip_dstv6)) {
					IBTF_DPRINTF_L2(cmlog,
					    "ibcm_verify_req_gids_and_svcid: "
					    "Invalid NULL V6 DstIp specified");
					rdma_rej_mad = B_TRUE;
					ari_ip.ip_reason = IBT_ARI_IP_DST_ADDR;
					ari_ip.ip_suggested = B_TRUE;
					ari_ip.ip_suggested_version =
					    IBT_CM_IP_IPV_V6;
				}
			}
			/* TBD: IBT_ARI_IP_UNKNOWN_ADDR */
		}
		if (rdma_rej_mad == B_TRUE) {
			ibt_ari_con_t	cons_rej;

			mutex_exit(&ibcm_svc_info_lock);

			cons_rej.rej_ari_len = 1 + sizeof (ibt_ari_ip_t);
			cons_rej.rej_ari[0] = 0; /* Rejected by CM Layer */
			bcopy(&ari_ip, &cons_rej.rej_ari[1],
			    sizeof (ibt_ari_ip_t));
			/* Send a REJ with CONSUMER REJ */
			ibcm_post_rej_mad(statep, IBT_CM_CONSUMER,
			    IBT_CM_FAILURE_REQ, &cons_rej,
			    sizeof (ibt_ari_con_t));
			return (IBCM_FAILURE);
		}
	}

	/* find the best "bind" entry that enables this port */

	pkey = b2h16(cm_req_msgp->req_part_key);
	svc_bindp = NULL;
	tmp_bindp = svc_infop->svc_bind_list;
	while (tmp_bindp) {
		if (tmp_bindp->sbind_hcaguid == hca_guid &&
		    tmp_bindp->sbind_port == port_num) {
			if (gid.gid_guid ==
			    tmp_bindp->sbind_gid.gid_guid &&
			    gid.gid_prefix ==
			    tmp_bindp->sbind_gid.gid_prefix) {
				/* gid match => really good match */
				svc_bindp = tmp_bindp;
				if (pkey == tmp_bindp->sbind_pkey)
					/* absolute best match */
					break;
			} else if (svc_bindp == NULL) {
				/* port match => a good match */
				svc_bindp = tmp_bindp;
			}
		}
		tmp_bindp = tmp_bindp->sbind_link;
	}
	if (svc_bindp == NULL) { /* port not enabled for this SID */
		mutex_exit(&ibcm_svc_info_lock);
		IBTF_DPRINTF_L2(cmlog,
		    "ibcm_verify_req_gids_and_svcid: statep 0x%p "
		    "no binding found", statep);
		ibcm_post_rej_mad(statep,
		    IBT_CM_INVALID_SID, IBT_CM_FAILURE_REQ, NULL, 0);
		return (IBCM_FAILURE);
	}
	/* copy the GID in case we need it in REJ below */
	gid.gid_prefix = b2h64(svc_bindp->sbind_gid.gid_prefix);
	gid.gid_guid = b2h64(svc_bindp->sbind_gid.gid_guid);

	statep->state_cm_private = svc_bindp->sbind_cm_private;
	statep->state_svc_infop = svc_infop;
	statep->cm_handler = svc_infop->svc_rc_handler;
	if (reject_reason == IBT_CM_SUCCESS)
		IBCM_SVC_INCR(svc_infop);
	mutex_exit(&ibcm_svc_info_lock);

	/*
	 * If the service id is valid, but gid in REQ is invalid,
	 * then send a REJ with invalid gid
	 * For Invalid primary gid, the ARI field is filled with
	 * with gid from svcinfo
	 * For invalid prim/alt gid reject, CM uses one of the gids
	 * registered in ARI.
	 * For invalid prim/alt lid reject, CM uses the base lid in ARI
	 */
	if (reject_reason != IBT_CM_SUCCESS) {

		switch (reject_reason) {

		case IBT_CM_PRIM_GID :
		case IBT_CM_ALT_GID :
			ibcm_post_rej_mad(statep,
			    reject_reason, IBT_CM_FAILURE_REQ,
			    &gid, sizeof (ib_gid_t));
			break;

		case IBT_CM_PRIM_LID :
		case IBT_CM_ALT_LID :

			lid = h2b16(port.hp_base_lid);
			ibcm_post_rej_mad(statep,
			    reject_reason, IBT_CM_FAILURE_REQ,
			    &lid, sizeof (ib_lid_t));
			break;
		}

		return (IBCM_FAILURE);
	}

	/* Service, primary/alt gid and lid are all valid */

	return (IBCM_SUCCESS);
}

/*
 * ibcm_cep_state_req:
 *	QP state transition function called for an incoming REQ on passive side
 *	LIDs and GIDs should be maintained and validated by the client handler
 *
 * INPUTS:
 *	statep		- state pointer
 *	cm_req_msgp	- REQ message pointer
 *	reject_reason	- Rejection reason See Section 12.6.7.2 rev1.0a IB Spec
 *	arej_info_len	- Additional Rejection reason info length
 *
 * RETURN VALUE: IBCM_SEND_REP/IBCM_SEND_REJ
 */
ibcm_status_t
ibcm_cep_state_req(ibcm_state_data_t *statep, ibcm_req_msg_t *cm_req_msgp,
    ibt_cm_reason_t *reject_reason, uint8_t *arej_len)
{
	void			*priv_data = NULL;
	ibt_cm_event_t		event;
	ibt_cm_status_t		cb_status;
	ibcm_status_t		status;
	ibt_cm_return_args_t	ret_args;
	ibcm_clnt_reply_info_t	clnt_info;

	IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_req: statep 0x%p", statep);
	IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_req: SID 0x%lX",
	    b2h64(cm_req_msgp->req_svc_id));
	/* client handler should be valid */
	ASSERT(statep->cm_handler != NULL);

	bzero(&event, sizeof (event));

	/* Fill in ibt_cm_event_t */
	event.cm_type = IBT_CM_EVENT_REQ_RCV;
	event.cm_session_id = statep;
	IBCM_EVT_REQ(event).req_service_id = b2h64(cm_req_msgp->req_svc_id);
	IBCM_EVT_REQ(event).req_transport =
	    ((uint8_t *)&cm_req_msgp->req_remote_eecn_plus)[3] >> 1 & 0x3;
	IBCM_EVT_REQ(event).req_timeout = ibt_ib2usec(
	    (((uint8_t *)&cm_req_msgp->req_remote_eecn_plus)[3] >> 3) & 0x1F);
	IBCM_EVT_REQ(event).req_retry_cnt =
	    ((uint8_t *)&cm_req_msgp->req_starting_psn_plus)[3] & 0x7;
	IBCM_EVT_REQ(event).req_rnr_retry_cnt = cm_req_msgp->req_mtu_plus & 0x7;
	IBCM_EVT_REQ(event).req_pkey = b2h16(cm_req_msgp->req_part_key);
	IBCM_EVT_REQ(event).req_rdma_ra_in =
	    ((uint8_t *)&cm_req_msgp->req_local_qpn_plus)[3];
	IBCM_EVT_REQ(event).req_rdma_ra_out =
	    ((uint8_t *)&cm_req_msgp->req_local_eec_no_plus)[3];

	/* Check for HCA limits for RDMA Resources */
	if (IBCM_EVT_REQ(event).req_rdma_ra_in >
	    statep->hcap->hca_max_rdma_in_qp) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_cep_state_req: statep 0x%p, REQ "
		    "req_rdma_ra_in %d is greater than HCA Limit %d, resetting"
		    "it to HCA limit", statep,
		    IBCM_EVT_REQ(event).req_rdma_ra_in,
		    statep->hcap->hca_max_rdma_in_qp);
		IBCM_EVT_REQ(event).req_rdma_ra_in =
		    statep->hcap->hca_max_rdma_in_qp;
	}

	if (IBCM_EVT_REQ(event).req_rdma_ra_out >
	    statep->hcap->hca_max_rdma_out_qp) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_cep_state_req: statep 0x%p, REQ "
		    "req_rdma_ra_out %d is greater than HCA Limit %d, resetting"
		    "it to HCA limit", statep,
		    IBCM_EVT_REQ(event).req_rdma_ra_out,
		    statep->hcap->hca_max_rdma_out_qp);
		IBCM_EVT_REQ(event).req_rdma_ra_out =
		    statep->hcap->hca_max_rdma_out_qp;
	}

	/* Account for CM and other software delays */
	if (IBCM_EVT_REQ(event).req_timeout > ibcm_sw_delay) {
		IBCM_EVT_REQ(event).req_timeout -= ibcm_sw_delay;
		IBTF_DPRINTF_L5(cmlog, "ibcm_cep_state_req: statep 0x%p"
		    "Avail resp time %d (usec)", statep,
		    IBCM_EVT_REQ(event).req_timeout);
	} else {
		IBTF_DPRINTF_L2(cmlog, "ibcm_cep_state_req: statep 0x%p "
		    "REQ rem_resp_time < local sw delay 0x%x", statep,
		    IBCM_EVT_REQ(event).req_timeout);

		IBCM_EVT_REQ(event).req_timeout = 0;
	}

	IBCM_EVT_REQ(event).req_prim_hca_port = statep->prim_port;
	IBCM_EVT_REQ(event).req_alt_hca_port = statep->alt_port;
	IBCM_EVT_REQ(event).req_hca_guid = statep->local_hca_guid;
	IBCM_EVT_REQ(event).req_remote_qpn = statep->remote_qpn;

	if (((uint8_t *)&cm_req_msgp->req_remote_eecn_plus)[3] &
	    IBT_CM_FLOW_CONTROL)
		IBCM_EVT_REQ(event).req_flags |= IBT_CM_FLOW_CONTROL;

	if ((cm_req_msgp->req_max_cm_retries_plus >> 3) & 0x1)
		IBCM_EVT_REQ(event).req_flags |= IBT_CM_SRQ_EXISTS;

	/* Initialize req.req_prim_addr */
	ibcm_set_primary_adds_vect(statep, &IBCM_EVT_REQ(event).req_prim_addr,
	    cm_req_msgp);

	/* Initialize req.req_alternate_path if they exist */
	if (b2h16(cm_req_msgp->req_alt_l_port_lid) != 0) {
		ibcm_set_alt_adds_vect(statep,
		    &IBCM_EVT_REQ(event).req_alt_addr, cm_req_msgp);

		/* Verify, alt path is not same as primary */
		if (ibcm_compare_prim_alt_paths(
		    &event.cm_event.req.req_prim_addr,
		    &event.cm_event.req.req_alt_addr) == B_TRUE) {
			/* XXX New REJ code needed */
			*reject_reason = IBT_CM_NO_RESC;
			IBTF_DPRINTF_L2(cmlog, "ibcm_cep_state_req: statep 0x%p"
			    " Alt and prim paths are same", statep);
			mutex_enter(&ibcm_svc_info_lock);
			IBCM_SVC_DECR(statep->state_svc_infop);
			mutex_exit(&ibcm_svc_info_lock);
			return (IBCM_SEND_REJ);
		}
	}

#ifdef	NO_EEC_SUPPORT_YET
	IBCM_EVT_REQ(event).req_rdc_exists = cm_req_msgp->req_mtu_plus >> 3 & 1;
	IBCM_EVT_REQ(event).req_remote_eecn =
	    b2h32(cm_req_msgp->req_remote_eecn_plus) >> 8;
	IBCM_EVT_REQ(event).req_local_eecn =
	    b2h32(cm_req_msgp->req_local_eec_no_plus) >> 8;
	IBCM_EVT_REQ(event).req_remote_qkey =
	    b2h32(cm_req_msgp->req_local_qkey);
#endif

	/* cm_req_msgp->req_private_data to event.cm_event.cm_priv_data */
	event.cm_priv_data = cm_req_msgp->req_private_data;

	event.cm_priv_data_len = IBT_REQ_PRIV_DATA_SZ;

	/*
	 * Allocate priv_data of size IBT_MAX_PRIV_DATA_SZ
	 */
	priv_data = kmem_zalloc(IBT_MAX_PRIV_DATA_SZ, KM_SLEEP);

	bzero(&ret_args, sizeof (ret_args));

	/* Fill in the default values from REQ, that client can modify */
	ret_args.cm_ret.rep.cm_rdma_ra_in = IBCM_EVT_REQ(event).req_rdma_ra_out;
	ret_args.cm_ret.rep.cm_rdma_ra_out = IBCM_EVT_REQ(event).req_rdma_ra_in;
	ret_args.cm_ret.rep.cm_rnr_retry_cnt = cm_req_msgp->req_mtu_plus & 0x7;

	ibcm_insert_trace(statep, IBCM_TRACE_CALLED_REQ_RCVD_EVENT);

	/* Invoke the client handler */
	statep->req_msgp = cm_req_msgp;
	cb_status = statep->cm_handler(statep->state_cm_private, &event,
	    &ret_args, priv_data, IBT_REP_PRIV_DATA_SZ);
	statep->req_msgp = NULL;

	ibcm_insert_trace(statep, IBCM_TRACE_RET_REQ_RCVD_EVENT);

	mutex_enter(&ibcm_svc_info_lock);
	IBCM_SVC_DECR(statep->state_svc_infop);
	mutex_exit(&ibcm_svc_info_lock);

	IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_req: Client handler returned %d"
	    " statep 0x%p", cb_status, statep);

	if (cb_status == IBT_CM_DEFER) {

		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(statep->defer_cm_msg))

		if (statep->defer_cm_msg == NULL)
			statep->defer_cm_msg =
			    kmem_zalloc(IBCM_MSG_SIZE, KM_SLEEP);
		bcopy(cm_req_msgp, statep->defer_cm_msg, IBCM_MSG_SIZE);

		_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(statep->defer_cm_msg))

		/*
		 * unblock any blocked cm proceed api calls. Do not access
		 * statep after cv_signal
		 */
		mutex_enter(&statep->state_mutex);
		statep->clnt_proceed = IBCM_UNBLOCK;
		cv_broadcast(&statep->block_client_cv);
		mutex_exit(&statep->state_mutex);

		kmem_free(priv_data, IBT_MAX_PRIV_DATA_SZ);
		return (IBCM_DEFER);
	}

	/* fail any blocked cm proceed api call - client bug */
	mutex_enter(&statep->state_mutex);
	statep->clnt_proceed = IBCM_FAIL;
	cv_broadcast(&statep->block_client_cv);
	mutex_exit(&statep->state_mutex);

	clnt_info.reply_event = (ibt_cm_proceed_reply_t *)&ret_args.cm_ret;
	clnt_info.priv_data = priv_data;
	clnt_info.priv_data_len = ret_args.cm_ret_len;

	status =
	    ibcm_process_cep_req_cm_hdlr(statep, cb_status,
	    &clnt_info, reject_reason, arej_len, cm_req_msgp);
	kmem_free(priv_data, IBT_MAX_PRIV_DATA_SZ);
	return (status);
}

/*
 * ibcm_process_cep_req_cm_hdlr:
 *	Processes the response from client handler for an incoming REQ.
 */
ibcm_status_t
ibcm_process_cep_req_cm_hdlr(ibcm_state_data_t *statep,
    ibt_cm_status_t cb_status, ibcm_clnt_reply_info_t *clnt_info,
    ibt_cm_reason_t *reject_reason, uint8_t *arej_len,
    ibcm_req_msg_t *cm_req_msg)
{
	ibt_status_t		status;
	ibt_qp_query_attr_t	qp_attrs;
	ibcm_state_data_t	*old_statep;
	ibt_channel_hdl_t	channel;
	ib_guid_t		local_ca_guid;
	ibcm_rej_msg_t		*rej_msgp;
#ifdef	NO_EEC_SUPPORT_YET
	ibt_eec_query_attr_t	eec_attrs;
#endif

	if (cb_status == IBT_CM_DEFAULT)
		cb_status = IBT_CM_REJECT;

	/* verify status */
	if (cb_status == IBT_CM_ACCEPT) {
		*reject_reason = IBT_CM_SUCCESS;
	} else if (cb_status == IBT_CM_REJECT) {
		*reject_reason = IBT_CM_CONSUMER;
	} else if (cb_status == IBT_CM_REDIRECT_PORT) {
		*reject_reason = IBT_CM_PORT_REDIRECT;
	} else if (cb_status == IBT_CM_REDIRECT) {
		*reject_reason = IBT_CM_REDIRECT_CM;
	} else if (cb_status == IBT_CM_NO_CHANNEL) {
		*reject_reason = IBT_CM_NO_CHAN;
	} else if (cb_status == IBT_CM_NO_RESOURCE) {
		*reject_reason = IBT_CM_NO_RESC;
	} else {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_req_cm_hdlr: statep %p"
		    " Client handler unexpected return %x", statep, cb_status);
		*reject_reason = IBT_CM_CONSUMER;
	}

	/* client handler gave CM ok */
	if (cb_status == IBT_CM_ACCEPT) {
		ibcm_rep_msg_t	*rep_msgp = (ibcm_rep_msg_t *)
		    IBCM_OUT_MSGP(statep->stored_msg);


		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*statep))
		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*rep_msgp))

		/*
		 * Check first if ret_args make sense. If not, bailout
		 * here rather than going along and panicing later.
		 */
		channel = clnt_info->reply_event->rep.cm_channel;
		if (IBCM_INVALID_CHANNEL(channel)) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_req_cm_hdlr: "
			    "statep 0x%p server's QP handle is NULL", statep);
			*reject_reason = IBT_CM_NO_CHAN;
		}

		IBCM_GET_CHAN_PRIVATE(channel, old_statep);

		if ((*reject_reason == IBT_CM_SUCCESS) &&
		    (old_statep != NULL)) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_req_cm_hdlr: "
			    "statep 0x%p Channel being re-used on passive side",
			    statep);
			*reject_reason = IBT_CM_NO_CHAN;
		}
		if (old_statep != NULL)
			IBCM_RELEASE_CHAN_PRIVATE(channel);

		if (*reject_reason != IBT_CM_SUCCESS) {
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REQ, *reject_reason, NULL, 0);
			return (IBCM_SEND_REJ);
		}

		statep->channel = channel;
		status = ibt_query_qp(channel, &qp_attrs);

		if (status != IBT_SUCCESS) {
			IBTF_DPRINTF_L3(cmlog, "ibcm_process_cep_req_cm_hdlr: "
			    "statep %p ibt_query_qp failed %d", statep, status);
			*reject_reason = IBT_CM_NO_RESC;
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REQ, IBT_CM_CI_FAILURE, NULL, 0);
			return (IBCM_SEND_REJ);
		}

		if (qp_attrs.qp_info.qp_trans != IBT_RC_SRV) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_req_cm_hdlr: "
			    "statep %p qp is not RC channel on server", statep);
			*reject_reason = IBT_CM_INVALID_SRV_TYPE;
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REQ, IBT_CM_CHAN_INVALID_STATE,
			    NULL, 0);
			return (IBCM_SEND_REJ);
		}

		if (qp_attrs.qp_info.qp_state != IBT_STATE_INIT &&
		    statep->is_this_ofuv_chan == B_FALSE) {
			IBTF_DPRINTF_L3(cmlog, "ibcm_process_cep_req_cm_hdlr: "
			    "qp state != INIT on server");
			*reject_reason = IBT_CM_CHAN_INVALID_STATE;
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REQ, IBT_CM_CHAN_INVALID_STATE,
			    NULL, 0);
			return (IBCM_SEND_REJ);
		} else if (statep->is_this_ofuv_chan &&
		    qp_attrs.qp_info.qp_state != IBT_STATE_RTR &&
		    qp_attrs.qp_info.qp_state != IBT_STATE_INIT) {
			IBTF_DPRINTF_L3(cmlog, "ibcm_process_cep_req_cm_hdlr: "
			    "qp state != INIT or RTR on server");
			*reject_reason = IBT_CM_CHAN_INVALID_STATE;
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REQ, IBT_CM_CHAN_INVALID_STATE,
			    NULL, 0);
			return (IBCM_SEND_REJ);
		}

		if (statep->is_this_ofuv_chan &&
		    qp_attrs.qp_info.qp_state == IBT_STATE_RTR &&
		    qp_attrs.qp_info.qp_transport.rc.rc_path.cep_hca_port_num !=
		    statep->prim_port) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_req_cm_hdlr: "
			    "QP port invalid");
			*reject_reason = IBT_CM_CHAN_INVALID_STATE;
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REQ, IBT_CM_CHAN_INVALID_STATE,
			    NULL, 0);
			return (IBCM_SEND_REJ);
		} else if (statep->is_this_ofuv_chan &&
		    qp_attrs.qp_info.qp_state == IBT_STATE_RTR) {
			goto skip_init_trans;
		}

		/* Init to Init, if required */
		if (qp_attrs.qp_info.qp_transport.rc.rc_path.cep_hca_port_num !=
		    statep->prim_port) {

			ibt_qp_info_t		qp_info;
			ibt_cep_modify_flags_t	cep_flags;

			IBTF_DPRINTF_L5(cmlog, "ibcm_process_cep_req_cm_hdlr: "
			    "chan 0x%p chan port %d", channel,
			    qp_attrs.qp_info.qp_transport.rc.rc_path.\
			    cep_hca_port_num);

			IBTF_DPRINTF_L5(cmlog, "ibcm_process_cep_req_cm_hdlr: "
			    "chan 0x%p d path port %d", channel,
			    statep->prim_port);

			bzero(&qp_info, sizeof (qp_info));
			qp_info.qp_trans = IBT_RC_SRV;
			qp_info.qp_state = IBT_STATE_INIT;
			qp_info.qp_transport.rc.rc_path.cep_hca_port_num =
			    statep->prim_port;

			cep_flags = IBT_CEP_SET_STATE | IBT_CEP_SET_PORT;

			status = ibt_modify_qp(statep->channel, cep_flags,
			    &qp_info, NULL);

			if (status != IBT_SUCCESS) {
				IBTF_DPRINTF_L2(cmlog,
				    "ibcm_process_cep_req_cm_hdlr: "
				    "chan 0x%p ibt_modify_qp() = %d", channel,
				    status);
				*reject_reason = IBT_CM_NO_RESC;

				ibcm_insert_trace(statep,
				    IBCM_TRACE_INIT_INIT_FAIL);

				ibcm_handler_conn_fail(statep,
				    IBT_CM_FAILURE_REJ_SENT, IBT_CM_FAILURE_REQ,
				    IBT_CM_CI_FAILURE, NULL, 0);
				return (IBCM_SEND_REJ);
			} else {
				ibcm_insert_trace(statep,
				    IBCM_TRACE_INIT_INIT);

				IBTF_DPRINTF_L5(cmlog,
				    "ibcm_process_cep_req_cm_hdlr: "
				    "chan 0x%p ibt_modify_qp() = %d", channel,
				    status);
			}
		}
skip_init_trans:
		/* Do sanity tests even if we are skipping RTR */

		/* fill in the REP msg based on ret_args from client */
		if (clnt_info->reply_event->rep.cm_rdma_ra_out >
		    ((uint8_t *)&cm_req_msg->req_local_qpn_plus)[3]) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_req_cm_hdlr "
			    "statep 0x%p ERROR: InitiatorDepth(%d) is Greater "
			    "than ResponderResource(%d)", statep,
			    clnt_info->reply_event->rep.cm_rdma_ra_out,
			    ((uint8_t *)&cm_req_msg->req_local_qpn_plus)[3]);
			*reject_reason = IBT_CM_NOT_SUPPORTED;
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REQ, IBT_CM_NOT_SUPPORTED, NULL, 0);
			return (IBCM_SEND_REJ);
		}

		/* Check for HCA limits for RDMA Resources */
		if (clnt_info->reply_event->rep.cm_rdma_ra_in >
		    statep->hcap->hca_max_rdma_in_qp) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_req_cm_hdlr: "
			    "statep %p, ERROR: client specified rdma_ra_in %d "
			    "is greater than HCA Limit %d, rejecting MAD",
			    statep, clnt_info->reply_event->rep.cm_rdma_ra_in,
			    statep->hcap->hca_max_rdma_in_qp);
			*reject_reason = IBT_CM_NOT_SUPPORTED;
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REQ, IBT_CM_NOT_SUPPORTED, NULL, 0);
			return (IBCM_SEND_REJ);
		}

		if (clnt_info->reply_event->rep.cm_rdma_ra_out >
		    statep->hcap->hca_max_rdma_out_qp) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_process_req_cm_hdlr: "
			    "statep %p, ERROR: client specified rdma_ra_out %d "
			    "is greater than HCA Limit %d, rejecting MAD",
			    statep, clnt_info->reply_event->rep.cm_rdma_ra_out,
			    statep->hcap->hca_max_rdma_out_qp);
			*reject_reason = IBT_CM_NOT_SUPPORTED;
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REQ, IBT_CM_NOT_SUPPORTED, NULL, 0);
			return (IBCM_SEND_REJ);
		}

		rep_msgp->rep_resp_resources =
		    clnt_info->reply_event->rep.cm_rdma_ra_in;
		rep_msgp->rep_initiator_depth =
		    clnt_info->reply_event->rep.cm_rdma_ra_out;

		/* IBT_CM_FLOW_CONTROL is always set by default. */
		rep_msgp->rep_target_delay_plus |= IBT_CM_FLOW_CONTROL;

		rep_msgp->rep_rnr_retry_cnt_plus =
		    (clnt_info->reply_event->rep.cm_rnr_retry_cnt & 0x7) << 5;

		/*
		 * Check out whether SRQ is associated with this channel.
		 * If yes, then set the appropriate bit.
		 */
		if (qp_attrs.qp_srq != NULL) {
			rep_msgp->rep_rnr_retry_cnt_plus |= (1 << 4);
		}

		local_ca_guid = h2b64(statep->local_hca_guid);
		bcopy(&local_ca_guid, rep_msgp->rep_local_ca_guid,
		    sizeof (ib_guid_t));

		if (statep->is_this_ofuv_chan &&
		    qp_attrs.qp_info.qp_state == IBT_STATE_RTR)
			goto skip_rtr_trans;

		/* Transition QP from Init to RTR state */
		if (ibcm_invoke_qp_modify(statep, cm_req_msg, rep_msgp) !=
		    IBT_SUCCESS) {

			IBTF_DPRINTF_L2(cmlog, "ibcm_process_req_cm_hdlr "
			    "statep 0x%p ibcm_invoke_qp_modify failed because "
			    "of invalid data", statep);
			*reject_reason = IBT_CM_NO_RESC;
			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REQ, IBT_CM_CI_FAILURE, NULL, 0);
			return (IBCM_SEND_REJ);
		}
skip_rtr_trans:

		/*
		 * Link statep and channel, once CM determines it is
		 * post REP definitely.
		 */
		IBCM_SET_CHAN_PRIVATE(statep->channel, statep);

		/*
		 * Fill up the REP fields from ret_args
		 * failover status,  from ret_args
		 *
		 * Fill up local QPN and EECN from ret_args->channel
		 */

		/* fill in REP msg bytes Qkey, Starting PSN, 12-15, and 16-19 */
		IBTF_DPRINTF_L4(cmlog, "ibcm_process_cep_req_cm_hdlr: "
		    "qp_info.qp_state = %x", qp_attrs.qp_info.qp_state);

		rep_msgp->rep_local_qpn_plus = h2b32(qp_attrs.qp_qpn << 8);

		statep->local_qpn = qp_attrs.qp_qpn;

		switch (qp_attrs.qp_info.qp_trans) {
		case IBT_RD_SRV:
			rep_msgp->rep_local_qkey = h2b32(
			    qp_attrs.qp_info.qp_transport.rd.rd_qkey);
			break;
		case IBT_RC_SRV:
			rep_msgp->rep_starting_psn_plus =
			    h2b32(IBCM_QP_RC(qp_attrs).rc_rq_psn << 8);
			break;
		case IBT_UC_SRV:
			rep_msgp->rep_starting_psn_plus =
			    h2b32(IBCM_QP_UC(qp_attrs).uc_sq_psn << 8);
			break;
		}

#ifdef	NO_EEC_SUPPORT_YET
		if (ret_args.cm_channel.ch_eec != NULL) {
			status = ibt_query_eec(ret_args.cm_channel.ch_eec,
			    &eec_attrs);
			if (status == IBT_SUCCESS) {
				rep_msgp->rep_local_eecn_plus =
				    h2b32(((uint32_t)eec_attrs.eec_eecn << 8));
			}
		}
#endif

		/* figure out Target ACK delay */
		rep_msgp->rep_target_delay_plus |= (status == IBT_SUCCESS) ?
		    statep->hcap->hca_ack_delay << 3 : 0;

		IBTF_DPRINTF_L4(cmlog, "ibcm_process_cep_req_cm_hdlr:statep %p "
		    "REP priv len %x", statep, clnt_info->priv_data_len);
		/* Copy PrivateData from priv_data */
		if (clnt_info->priv_data_len != 0) {
			bcopy(clnt_info->priv_data, rep_msgp->rep_private_data,
			    min(IBT_REP_PRIV_DATA_SZ,
			    clnt_info->priv_data_len));
		}

		_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*statep))
		_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*rep_msgp))

		return (IBCM_SEND_REP);
	}

	/* REJ message */
	rej_msgp = (ibcm_rej_msg_t *)IBCM_OUT_MSGP(statep->stored_msg);

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_cep_req_cm_hdlr: statep %p REJ "
	    "priv len %x", statep, clnt_info->priv_data_len);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*rej_msgp))

	/* if priv_data_len != 0 use priv_data to copy back to rej_priv_data */
	if (clnt_info->priv_data_len != 0) {
		bcopy(clnt_info->priv_data, rej_msgp->rej_private_data,
		    min(IBT_REJ_PRIV_DATA_SZ, clnt_info->priv_data_len));
	}

	if (cb_status == IBT_CM_REDIRECT_PORT) {
		ib_gid_t tgid;

		tgid.gid_guid =
		    h2b64(clnt_info->reply_event->rej.ari_gid.gid_guid);
		tgid.gid_prefix =
		    h2b64(clnt_info->reply_event->rej.ari_gid.gid_prefix);

		*arej_len = sizeof (ib_gid_t);
		bcopy(&tgid, &rej_msgp->rej_addl_rej_info, sizeof (ib_gid_t));

		IBTF_DPRINTF_L3(cmlog, "ibcm_process_cep_req_cm_hdlr: ari_gid= "
		    "%llX:%llX", tgid.gid_prefix, tgid.gid_guid);

	} else if (cb_status == IBT_CM_REDIRECT) {
		ibcm_classportinfo_msg_t	tclp;

		ibcm_init_clp_to_mad(&tclp,
		    &clnt_info->reply_event->rej.ari_redirect);
		bcopy(&tclp, rej_msgp->rej_addl_rej_info, sizeof (tclp));

		*arej_len = sizeof (ibcm_classportinfo_msg_t);

	} else if (cb_status == IBT_CM_REJECT) {

		/* Fill up the REJ fields, from ret_args */
		*arej_len = min(
		    clnt_info->reply_event->rej.ari_consumer.rej_ari_len,
		    IBT_CM_ADDL_REJ_LEN);
		bcopy(clnt_info->reply_event->rej.ari_consumer.rej_ari,
		    &rej_msgp->rej_addl_rej_info, *arej_len);

		/*
		 * RDMA IP REQ was passed up to the ULP, the ULP decided to do
		 * a "normal" consumer REJ, by the returning IBT_CM_REJECT in
		 * the cm handler.
		 * CM has to do some extra stuff too, it has to
		 * a) return REJ code 28 (consumer) and b) put 0x1 in the first
		 * byte of the ARI data, to indicate that this is a RDMA aware
		 * ULP that is doing a consumer reject.  The ULP should have
		 * put its consumer specific data into ibt_arej_info_t(9s) at
		 * byte 1 of the rej_ari[] array.
		 */
		if (((statep->svcid & IB_SID_IPADDR_PREFIX_MASK) == 0) &&
		    (statep->svcid & IB_SID_IPADDR_PREFIX)) {
			rej_msgp->rej_addl_rej_info[0] = 1;
		}
	}

	rej_msgp->rej_msg_type_plus = IBT_CM_FAILURE_REQ << 6;

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*rej_msgp))

	return (IBCM_SEND_REJ);
}

/*
 * ibcm_cep_state_rep:
 *	QP state transition function called for an incoming REP on active side
 *
 * INPUTS:
 *	statep		- state pointer
 *	cm_rep_msg	- REP message pointer
 *	reject_reason	- Rejection reason See Section 12.6.7.2 rev1.0a IB Spec
 *
 * RETURN VALUE:
 */
ibcm_status_t
ibcm_cep_state_rep(ibcm_state_data_t *statep, ibcm_rep_msg_t *cm_rep_msgp,
    ibt_cm_reason_t *reject_reason, uint8_t *arej_len)
{
	void			*priv_data = NULL;
	ibcm_status_t		rval = IBCM_SEND_RTU;
	ibt_cm_event_t		event;
	ibt_cm_status_t		cb_status = IBT_CM_ACCEPT;
	ibt_cm_return_args_t	ret_args;
	ibcm_clnt_reply_info_t	clnt_info;
	uint8_t			req_init_depth;

	IBTF_DPRINTF_L3(cmlog, "ibcm_cep_state_rep: statep 0x%p", statep);

	/* Check first if client handler is valid */
	if (statep->cm_handler != NULL) {
		/* initialize fields in ibt_cm_event_t */
		bzero(&event, sizeof (event));
		event.cm_type = IBT_CM_EVENT_REP_RCV;
		event.cm_channel = statep->channel;
		event.cm_session_id = statep;

		IBCM_EVT_REP(event).rep_rdma_ra_in =
		    cm_rep_msgp->rep_initiator_depth;
		req_init_depth =
		    ((uint8_t *)&(((ibcm_req_msg_t *)IBCM_OUT_MSGP(
		    statep->stored_msg))->req_local_eec_no_plus))[3];
		IBCM_EVT_REP(event).rep_rdma_ra_out =
		    min(cm_rep_msgp->rep_resp_resources, req_init_depth);

		IBTF_DPRINTF_L3(cmlog, "ibcm_cep_state_rep: statep 0x%p, "
		    "InitDepth %d, RespResr %d", statep,
		    cm_rep_msgp->rep_initiator_depth,
		    IBCM_EVT_REP(event).rep_rdma_ra_out);

		IBCM_EVT_REP(event).rep_service_time = ibt_ib2usec(
		    ((uint8_t *)&(((ibcm_req_msg_t *)IBCM_OUT_MSGP(
		    statep->stored_msg))->req_starting_psn_plus))[3] >> 3);

		IBCM_EVT_REP(event).rep_service_time -=
		    2 * statep->pkt_life_time - ibcm_sw_delay;

		IBCM_EVT_REP(event).rep_failover_status =
		    cm_rep_msgp->rep_target_delay_plus >> 1 & 3;

		if (cm_rep_msgp->rep_target_delay_plus & 0x1)
			IBCM_EVT_REP(event).rep_flags |= IBT_CM_FLOW_CONTROL;

		if ((cm_rep_msgp->rep_rnr_retry_cnt_plus >> 4) & 0x1)
			IBCM_EVT_REP(event).rep_flags |= IBT_CM_SRQ_EXISTS;

		IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_rep: statep 0x%p "
		    "rep_service_time %d", statep,
		    IBCM_EVT_REP(event).rep_service_time);

		event.cm_priv_data = &(cm_rep_msgp->rep_private_data[0]);
		event.cm_priv_data_len = IBT_REP_PRIV_DATA_SZ;

		/*
		 * Allocate priv_data of size IBT_MAX_PRIV_DATA_SZ
		 */
		priv_data = kmem_zalloc(IBT_MAX_PRIV_DATA_SZ, KM_SLEEP);
		bzero(&ret_args, sizeof (ret_args));


		ibcm_insert_trace(statep, IBCM_TRACE_CALLED_REP_RCVD_EVENT);

		/* invoke the CM handler */
		cb_status = statep->cm_handler(statep->state_cm_private, &event,
		    &ret_args, priv_data, IBT_RTU_PRIV_DATA_SZ);

		ibcm_insert_trace(statep, IBCM_TRACE_RET_REP_RCVD_EVENT);

		IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_rep: statep 0x%p "
		    "Client handler returned %x", statep, cb_status);

		if (cb_status == IBT_CM_DEFER) {
			if (statep->defer_cm_msg == NULL)
				statep->defer_cm_msg =
				    kmem_zalloc(IBCM_MSG_SIZE, KM_SLEEP);
			bcopy(cm_rep_msgp, statep->defer_cm_msg, IBCM_MSG_SIZE);

			/* unblock any blocked cm proceed api calls */
			mutex_enter(&statep->state_mutex);
			statep->clnt_proceed = IBCM_UNBLOCK;
			cv_broadcast(&statep->block_client_cv);
			mutex_exit(&statep->state_mutex);

			kmem_free(priv_data, IBT_MAX_PRIV_DATA_SZ);
			return (IBCM_DEFER);
		}
	}

	/* fail any blocked cm proceed api calls - client bug */
	mutex_enter(&statep->state_mutex);
	statep->clnt_proceed = IBCM_FAIL;
	cv_broadcast(&statep->block_client_cv);
	mutex_exit(&statep->state_mutex);

	clnt_info.reply_event = (ibt_cm_proceed_reply_t *)&ret_args.cm_ret;
	clnt_info.priv_data = priv_data;
	clnt_info.priv_data_len = ret_args.cm_ret_len;

	rval =
	    ibcm_process_cep_rep_cm_hdlr(statep, cb_status, &clnt_info,
	    reject_reason, arej_len, cm_rep_msgp);

	if (priv_data != NULL)
		kmem_free(priv_data, IBT_MAX_PRIV_DATA_SZ);
	return (rval);
}


/*
 * ibcm_process_cep_rep_cm_hdlr:
 *	Processes the response from client handler for an incoming REP.
 */
ibcm_status_t
ibcm_process_cep_rep_cm_hdlr(ibcm_state_data_t *statep,
    ibt_cm_status_t cb_status, ibcm_clnt_reply_info_t *clnt_info,
    ibt_cm_reason_t *reject_reason, uint8_t *arej_len,
    ibcm_rep_msg_t *cm_rep_msgp)
{
	ibcm_status_t		rval = IBCM_SEND_RTU;
	ibcm_rej_msg_t		*rej_msgp;

	if (cb_status == IBT_CM_DEFAULT)
		cb_status = IBT_CM_ACCEPT;

	if (cb_status == IBT_CM_REJECT) {
		*reject_reason = IBT_CM_CONSUMER;
	} else if (cb_status == IBT_CM_REDIRECT_PORT) {
		*reject_reason = IBT_CM_PORT_REDIRECT;
	} else if (cb_status == IBT_CM_REDIRECT) {
		*reject_reason = IBT_CM_REDIRECT_CM;
	} else if (cb_status == IBT_CM_NO_RESOURCE) {
		*reject_reason = IBT_CM_NO_RESC;
	} else if (cb_status != IBT_CM_ACCEPT) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_rep_cm_hdlr: statep "
		    "0x%p, Client handler returned unexpected value %d",
		    statep, cb_status);
		*reject_reason = IBT_CM_CONSUMER;
	} else
		*reject_reason = IBT_CM_SUCCESS;


	/* We come here if status is ACCEPT or CM handler is NULL */
	if (cb_status == IBT_CM_ACCEPT) {
		ib_time_t	time;

		time = ibt_usec2ib(statep->pkt_life_time * 2 +
		    ibt_ib2usec(cm_rep_msgp->rep_target_delay_plus >> 3));

		IBTF_DPRINTF_L5(cmlog, "ibcm_process_cep_rep_cm_hdlr: statep %p"
		    " active cep_timeout(usec) 0x%x ", statep, time);

		IBTF_DPRINTF_L4(cmlog, "ibcm_process_cep_rep_cm_hdlr: statep %p"
		    " passive hca_ack_delay(ib_time) = 0x%x, ", statep,
		    cm_rep_msgp->rep_target_delay_plus >> 3);

		IBTF_DPRINTF_L5(cmlog, "ibcm_process_cep_rep_cm_hdlr: statep %p"
		    " rnr_retry_cnt = 0x%x", statep,
		    cm_rep_msgp->rep_rnr_retry_cnt_plus >> 5);

		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*statep))
		statep->starting_psn =
		    b2h32(cm_rep_msgp->rep_starting_psn_plus) >> 8;

		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*statep))

		/* Call IBTL CM's qp modify function from Init to RTR */
		if (ibcm_invoke_qp_modify(statep,
		    (ibcm_req_msg_t *)IBCM_OUT_MSGP(statep->stored_msg),
		    cm_rep_msgp) != IBT_SUCCESS) {

			IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_rep_cm_hdlr: "
			    "statep %p, ibcm_invoke_qp_modify to RTR failed",
			    statep);
			*reject_reason = IBT_CM_NO_RESC;
		/*
		 * Call modify qp function from RTR to RTS
		 * RDMA initiator depth on active is same as negotiated
		 * passive REP's responder resources
		 */
		} else if (ibcm_invoke_rtu_qp_modify(statep, time, cm_rep_msgp)
		    != IBT_SUCCESS) {

			IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_rep_cm_hdlr: "
			    "statep %p ibcm_invoke_rtu_qp_modify to RTS failed",
			    statep);
			(void) ibcm_cep_to_error_state(statep);
			*reject_reason = IBT_CM_NO_RESC;
		}

		if (*reject_reason == IBT_CM_NO_RESC) {

			/* Disassociate statep and QP */
			IBCM_SET_CHAN_PRIVATE(statep->channel, NULL);

			ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
			    IBT_CM_FAILURE_REP, IBT_CM_CI_FAILURE, NULL, 0);
			return (IBCM_SEND_REJ);	/* send REJ */
		}

		if (clnt_info->priv_data_len != 0) {
			ibcm_rtu_msg_t *rtu_msgp;
			rtu_msgp = (ibcm_rtu_msg_t *)
			    IBCM_OUT_MSGP(statep->stored_msg);
			bcopy(clnt_info->priv_data, rtu_msgp->rtu_private_data,
			    min(IBT_RTU_PRIV_DATA_SZ,
			    clnt_info->priv_data_len));
		}

		*reject_reason = IBT_CM_SUCCESS;
		return (rval);
	}

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*rej_msgp))

	/* Fill up the REJ fields, from ret_args */
	rej_msgp = (ibcm_rej_msg_t *)IBCM_OUT_MSGP(statep->stored_msg);
	rej_msgp->rej_msg_type_plus = IBT_CM_FAILURE_REP << 6;

	/* if priv_len != 0 use priv_data to copy back to rej_priv_data */
	if (clnt_info->priv_data_len != 0)
		bcopy(clnt_info->priv_data, rej_msgp->rej_private_data,
		    min(IBT_REJ_PRIV_DATA_SZ, clnt_info->priv_data_len));

	if (clnt_info->reply_event != NULL)
		*arej_len =
		    min(clnt_info->reply_event->rej.ari_consumer.rej_ari_len,
		    IBT_CM_ADDL_REJ_LEN);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(clnt_info->reply_event->rej))

	if (*arej_len != 0)	/* asserts that clnt_info->reply_event != 0 */
		bcopy(clnt_info->reply_event->rej.ari_consumer.rej_ari,
		    &rej_msgp->rej_addl_rej_info, *arej_len);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(clnt_info->reply_event->rej))

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*rej_msgp))

	rval = IBCM_SEND_REJ;

	/* Disassociate statep and QP */
	IBCM_SET_CHAN_PRIVATE(statep->channel, NULL);

	/* callback client, to enable client to do resource cleanup */
	ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
	    IBT_CM_FAILURE_REP, *reject_reason, NULL, 0);

	return (rval);
}

/*
 * ibcm_invoke_rtu_qp_modify:
 *	Helper function to modify QP for RTU only called from
 *	ibcm_cep_state_rtu() and ibcm_cep_send_rtu()
 *
 * INPUTS:
 *	statep		- connection state pointer
 *
 * RETURN VALUE:
 */
static ibt_status_t
ibcm_invoke_rtu_qp_modify(ibcm_state_data_t *statep, ib_time_t timeout,
    ibcm_rep_msg_t *rep_msg)
{
	ibt_status_t		status;
	ibt_qp_info_t		qp_info;
	ibt_cep_modify_flags_t	cep_flags = IBT_CEP_SET_RTR_RTS;

	/* Start filling up ibt_qp_info_t.  */
	bzero(&qp_info, sizeof (qp_info));
	qp_info.qp_trans = ibtl_cm_get_chan_type(statep->channel);
	qp_info.qp_current_state = IBT_STATE_RTR;

	switch (qp_info.qp_trans) {
	case IBT_RC_SRV:
		IBCM_QPINFO_RC_PATH(qp_info).cep_timeout = timeout;
		IBCM_QPINFO_RC(qp_info).rc_retry_cnt = statep->cep_retry_cnt;
		IBCM_QPINFO_RC(qp_info).rc_rnr_retry_cnt =
		    statep->local_qp_rnr_cnt;
		IBCM_QPINFO_RC(qp_info).rc_sq_psn = statep->starting_psn;

		if (statep->mode == IBCM_ACTIVE_MODE) {
			IBCM_QPINFO_RC(qp_info).rc_rdma_ra_out =
			    rep_msg->rep_resp_resources;
		} else {
			IBCM_QPINFO_RC(qp_info).rc_rdma_ra_out =
			    rep_msg->rep_initiator_depth;
		}
		if (statep->alt_port &&
		    (((rep_msg->rep_target_delay_plus >> 1) & 0x3) ==
		    IBT_CM_FAILOVER_ACCEPT)) {
			/* failover was accepted */
			cep_flags |= IBT_CEP_SET_MIG;
			IBCM_QPINFO_RC(qp_info).rc_mig_state =
			    IBT_STATE_REARMED;
		}

		break;
	/* XXX RD? */
	case IBT_UC_SRV:
		IBCM_QPINFO_UC_PATH(qp_info).cep_timeout = timeout;
		break;
	default:
		IBTF_DPRINTF_L2(cmlog, "ibcm_invoke_rtu_qp_modify: "
		    "unknow svc_type = %x", qp_info.qp_trans);
		break;
	}

	/* Call modify_qp */
	status = ibt_modify_qp(statep->channel, cep_flags, &qp_info, NULL);
	IBTF_DPRINTF_L4(cmlog, "ibcm_invoke_rtu_qp_modify: statep 0x%p "
	    "modify qp status = %d", statep, status);

	if (status == IBT_SUCCESS)
		ibcm_insert_trace(statep, IBCM_TRACE_RTR_RTS);
	else
		ibcm_insert_trace(statep, IBCM_TRACE_RTR_RTS_FAIL);

#ifdef	DEBUG
	print_modify_qp("RTR to RTS", statep->channel, cep_flags, &qp_info);

	if (statep->channel != NULL) {
		ibt_qp_query_attr_t	qp_attrs;

		(void) ibt_query_qp(statep->channel, &qp_attrs);
		IBTF_DPRINTF_L4(cmlog, "ibcm_invoke_rtu_qp_modify: "
		    "qp_info.qp_state = %x", qp_attrs.qp_info.qp_state);
	}
#endif
	return (status);
}


/*
 * ibcm_cep_state_rtu:
 *	QP state transition function called for an incoming RTU
 *	on passive side.
 *
 * INPUTS:
 *	statep		- connection state pointer
 *	cm_rtu_msg	- RTU message pointer
 *
 */
void
ibcm_cep_state_rtu(ibcm_state_data_t *statep, ibcm_rtu_msg_t *cm_rtu_msgp)
{
	ibt_status_t	status;
	ibt_cm_event_t	event;
	ibcm_rep_msg_t	*rep_msgp = (ibcm_rep_msg_t *)
	    IBCM_OUT_MSGP(statep->stored_msg);

	IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_rtu: statep 0x%p", statep);

	ASSERT(statep->channel != NULL);

	/* RDMA initiator depth taken from negotiated REP values */
	status = ibcm_invoke_rtu_qp_modify(statep,
	    ibt_usec2ib(statep->remote_ack_delay), rep_msgp);

	if (status != IBT_SUCCESS) {

		(void) ibcm_cep_to_error_state(statep);
		/*
		 * Disassociate statep and QP, as there is a
		 * QP associated with this statep.
		 */
		IBCM_SET_CHAN_PRIVATE(statep->channel, NULL);

		ibcm_post_rej_mad(statep, IBT_CM_NO_RESC,
		    IBT_CM_FAILURE_UNKNOWN, NULL, 0);
		/*
		 * Invoke CM handler, so client/server can do
		 * resource cleanup. No private data can be returned here
		 */
		ibcm_handler_conn_fail(statep, IBT_CM_FAILURE_REJ_SENT,
		    IBT_CM_FAILURE_UNKNOWN, IBT_CM_NO_RESC, NULL, 0);

		/* unblock any pending DREQ threads */
		mutex_enter(&statep->state_mutex);
		statep->cep_in_rts = IBCM_FAIL;
		cv_broadcast(&statep->block_mad_cv);
		mutex_exit(&statep->state_mutex);
		return;
	}

	mutex_enter(&statep->state_mutex);
	statep->state = IBCM_STATE_ESTABLISHED;
	ibtl_cm_chan_is_open(statep->channel);
	mutex_exit(&statep->state_mutex);

	/* invoke the CM handler */
	ASSERT(statep->cm_handler != NULL);

	bzero(&event, sizeof (event));
	event.cm_channel = statep->channel;
	event.cm_session_id = NULL;

	event.cm_type = IBT_CM_EVENT_CONN_EST;
	if (cm_rtu_msgp != NULL) {
		event.cm_priv_data = &(cm_rtu_msgp->rtu_private_data[0]);
		event.cm_priv_data_len = IBT_RTU_PRIV_DATA_SZ;
	}

	ibcm_insert_trace(statep, IBCM_TRACE_CALLED_CONN_EST_EVENT);

	(void) statep->cm_handler(statep->state_cm_private, &event, NULL,
	    NULL, 0);

	ibcm_insert_trace(statep, IBCM_TRACE_RET_CONN_EST_EVENT);
	if (ibcm_enable_trace & 4)
		ibcm_dump_conn_trace(statep);
	else
		IBTF_DPRINTF_L2(cmlog, "ibcm_cep_state_rtu CONN_EST Channel %p",
		    statep->channel);

	/* unblock any pending DREQ threads */
	mutex_enter(&statep->state_mutex);
	statep->cep_in_rts = IBCM_UNBLOCK;
	cv_broadcast(&statep->block_mad_cv);
	mutex_exit(&statep->state_mutex);
}


/*
 * ibcm_cep_send_rtu:
 *	QP state transition function called for an outgoing RTU
 *	on active side.
 *
 * INPUTS:
 *	statep		- connection state pointer
 *
 * RETURN VALUE:
 */
void
ibcm_cep_send_rtu(ibcm_state_data_t *statep)
{
	/* invoke the CM handler */
	if (statep->cm_handler) {
		ibt_cm_event_t	event;

		bzero(&event, sizeof (event));
		event.cm_type  = IBT_CM_EVENT_CONN_EST;
		event.cm_channel = statep->channel;
		event.cm_session_id = NULL;
		event.cm_priv_data = NULL;
		event.cm_priv_data_len = 0;

		ibcm_insert_trace(statep, IBCM_TRACE_CALLED_CONN_EST_EVENT);

		(void) statep->cm_handler(statep->state_cm_private, &event,
		    NULL, NULL, 0);

		ibcm_insert_trace(statep, IBCM_TRACE_RET_CONN_EST_EVENT);

	} else {
		IBTF_DPRINTF_L2(cmlog, "ibcm_cep_send_rtu: cm_handler NULL");
	}
	if (ibcm_enable_trace & 4)
		ibcm_dump_conn_trace(statep);
	else
		IBTF_DPRINTF_L2(cmlog, "ibcm_cep_send_rtu CONN_EST Channel %p",
		    statep->channel);

	/* unblock any pending DREQ threads */
	mutex_enter(&statep->state_mutex);
	statep->cep_in_rts = IBCM_UNBLOCK;
	cv_broadcast(&statep->block_mad_cv);
	mutex_exit(&statep->state_mutex);
}


/*
 * ibcm_cep_to_error_state:
 *	CEP state transition function. Changes state to IBT_STATE_ERROR
 *
 * INPUTS:
 *	statep		- connection state pointer
 *
 * RETURN VALUE:
 *	IBT_SUCCESS	- if able to change state otherwise failure
 */
ibt_status_t
ibcm_cep_to_error_state(ibcm_state_data_t *statep)
{
	ibt_status_t		status = IBT_SUCCESS;

	if (statep->channel != NULL) {
		ibt_qp_info_t	qp_info;

		bzero(&qp_info, sizeof (qp_info));
		/* For now, set it to RC type */
		qp_info.qp_trans = IBT_RC_SRV;
		qp_info.qp_state = IBT_STATE_ERROR;

		/* Call modify_qp to move to ERROR state */
		status = ibt_modify_qp(statep->channel, IBT_CEP_SET_STATE,
		    &qp_info, NULL);

		IBTF_DPRINTF_L4(cmlog, "ibcm_cep_to_error_state: "
		    "statep %p ibt_modify_qp() = %d", statep, status);

		if (status == IBT_SUCCESS)
			ibcm_insert_trace(statep, IBCM_TRACE_ERROR);
		else
			ibcm_insert_trace(statep, IBCM_TRACE_ERROR_FAIL);

	}

#ifdef	NO_EEC_SUPPORT_YET
	if (statep->channel.ch_eec != NULL) {
		ibt_eec_info_t	eec_info;

		bzero(&eec_info, sizeof (ibt_eec_info_t));
		eec_info.eec_state = what;

		/* Call modify_eec */
		status = ibtl_cm_modify_eec(statep->channel.ch_eec, &eec_info,
		    IBT_CEP_SET_NOTHING);
		IBTF_DPRINTF_L4(cmlog, "ibcm_cep_to_error_state: "
		    "ibtl_cm_modify_eec() returned = %x", status);
	}
#endif

	return (status);
}


/*
 * ibcm_cep_state_rej:
 *	QP state transition function called for an incoming REJ
 *	on active/passive side
 *
 * INPUTS:
 *	statep		- connection state pointer
 *	rej_msgp	- REJ message pointer
 *	rej_state	- State where REJ processing began
 *
 * RETURN VALUE:
 */
void
ibcm_cep_state_rej(ibcm_state_data_t *statep, ibcm_rej_msg_t *rej_msgp,
    ibcm_conn_state_t rej_state)
{
	ibt_cm_event_t	event;
	ibt_status_t	status;

	IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_rej: statep 0x%p", statep);

	ibcm_path_cache_purge();

	if ((rej_state == IBCM_STATE_REP_SENT) ||
	    (rej_state == IBCM_STATE_MRA_REP_RCVD)) {
		status = ibcm_cep_to_error_state(statep);
		IBTF_DPRINTF_L5(cmlog, "ibcm_cep_state_rej: statep 0x%p "
		    "ibcm_cep_to_error_state returned %d", statep,
		    status);
	}

	if (statep->channel)
		ibtl_cm_chan_open_is_aborted(statep->channel);

	/* Disassociate state structure and CM */
	IBCM_SET_CHAN_PRIVATE(statep->channel, NULL);

	/* invoke the CM handler */
	bzero(&event, sizeof (event));
	if (statep->cm_handler) {
		event.cm_type = IBT_CM_EVENT_FAILURE;
		event.cm_channel = statep->channel;
		event.cm_session_id = NULL;

		/*
		 * copy rej_msgp->rej_private_data to
		 * event.cm_event.cm_priv_data
		 */
		event.cm_priv_data = &(rej_msgp->rej_private_data[0]);
		event.cm_priv_data_len = IBT_REJ_PRIV_DATA_SZ;

		event.cm_event.failed.cf_code = IBT_CM_FAILURE_REJ_RCV;
		event.cm_event.failed.cf_msg = rej_msgp->rej_msg_type_plus >> 6;
		event.cm_event.failed.cf_reason =
		    b2h16(rej_msgp->rej_rejection_reason);

		IBTF_DPRINTF_L3(cmlog, "ibcm_cep_state_rej: rej_reason = %d",
		    event.cm_event.failed.cf_reason);

		ibcm_copy_addl_rej(statep, rej_msgp, &event.cm_event.failed);

		(void) statep->cm_handler(statep->state_cm_private, &event,
		    NULL, NULL, 0);
	}

	if (statep->open_return_data != NULL)
		bcopy(&event.cm_event.failed.cf_additional,
		    &statep->open_return_data->rc_arej_info,
		    sizeof (ibt_arej_info_t));
	if (ibcm_enable_trace != 0)
		ibcm_dump_conn_trace(statep);
	mutex_enter(&statep->state_mutex);
	ibcm_open_done(statep);
	mutex_exit(&statep->state_mutex);
}

/* Used to initialize client args with addl rej information from REJ MAD */
static void
ibcm_copy_addl_rej(ibcm_state_data_t *statep, ibcm_rej_msg_t *rej_msgp,
    ibt_cm_conn_failed_t *failed)
{
	uint16_t	rej_reason = b2h16(rej_msgp->rej_rejection_reason);
	uint8_t		ari_len = rej_msgp->rej_reject_info_len_plus >> 1;
	ibcm_classportinfo_msg_t tclp;
	ibt_arej_info_t	*cf_addl = &failed->cf_additional;

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*cf_addl))
	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(failed->cf_arej_info_valid))

	failed->cf_arej_info_valid = B_FALSE;

	IBTF_DPRINTF_L3(cmlog, "ibcm_copy_addl_rej: rej_reason = %d "
	    "ari_len = %d", rej_reason, ari_len);

	if ((statep->mode == IBCM_PASSIVE_MODE) &&
	    (rej_reason != IBT_CM_CONSUMER))
		return;

	switch (rej_reason) {
	case IBT_CM_PRIM_GID:
	case IBT_CM_ALT_GID:
	case IBT_CM_PORT_REDIRECT:
		if (ari_len < sizeof (ib_gid_t))
			break;
		failed->cf_arej_info_valid = B_TRUE;
		bcopy(rej_msgp->rej_addl_rej_info, &cf_addl->ari_gid,
		    sizeof (ib_gid_t));
		cf_addl->ari_gid.gid_guid = b2h64(cf_addl->ari_gid.gid_guid);
		cf_addl->ari_gid.gid_prefix =
		    b2h64(cf_addl->ari_gid.gid_prefix);

		IBTF_DPRINTF_L4(cmlog, "ibcm_copy_addl_rej: ari_gid= %llX:%llX",
		    cf_addl->ari_gid.gid_prefix, cf_addl->ari_gid.gid_guid);

		break;
	case IBT_CM_PRIM_LID:
	case IBT_CM_ALT_LID:
		if (ari_len < sizeof (ib_lid_t))
			break;
		failed->cf_arej_info_valid = B_TRUE;
		bcopy(rej_msgp->rej_addl_rej_info, &cf_addl->ari_lid,
		    sizeof (ib_lid_t));
		cf_addl->ari_lid = b2h16(cf_addl->ari_lid);
		IBTF_DPRINTF_L4(cmlog, "ibcm_copy_addl_rej: ari_lid= 0x%lX",
		    cf_addl->ari_lid);

		break;
	case IBT_CM_INVALID_PRIM_SL:
	case IBT_CM_INVALID_ALT_SL:
		if (ari_len < 1)
			break;
		failed->cf_arej_info_valid = B_TRUE;
		/* take the first 4 bits */
		cf_addl->ari_sl = rej_msgp->rej_addl_rej_info[0] >> 4;
		break;
	case IBT_CM_INVALID_PRIM_TC:
	case IBT_CM_INVALID_ALT_TC:
		if (ari_len < 1)
			break;
		failed->cf_arej_info_valid = B_TRUE;
		/* take the first byte */
		cf_addl->ari_tclass = rej_msgp->rej_addl_rej_info[0];
		break;
	case IBT_CM_INVALID_PRIM_HOP:
	case IBT_CM_INVALID_ALT_HOP:
		if (ari_len < 1)
			break;
		failed->cf_arej_info_valid = B_TRUE;
		/* take the first byte */
		cf_addl->ari_hop = rej_msgp->rej_addl_rej_info[0];
		break;
	case IBT_CM_INVALID_PRIM_RATE:
	case IBT_CM_INVALID_ALT_RATE:
		if (ari_len < 1)
			break;
		failed->cf_arej_info_valid = B_TRUE;
		/* take the first 6 bits */
		cf_addl->ari_rate = rej_msgp->rej_addl_rej_info[0] >> 2;
		break;
	case IBT_CM_REDIRECT_CM:
		if (ari_len < sizeof (ibcm_classportinfo_msg_t))
			break;
		failed->cf_arej_info_valid = B_TRUE;
		bcopy(rej_msgp->rej_addl_rej_info, &tclp, sizeof (tclp));
		ibcm_init_clp_from_mad(&tclp, &cf_addl->ari_redirect);
		break;
	case IBT_CM_INVALID_MTU:
		if (ari_len < 1)
			break;
		failed->cf_arej_info_valid = B_TRUE;
		/* take the first 4 bits */
		cf_addl->ari_mtu = rej_msgp->rej_addl_rej_info[0] >> 4;
		break;
	case IBT_CM_CONSUMER:
		if (ari_len == 0)
			break;
		failed->cf_arej_info_valid = B_TRUE;
		if (ari_len > IBT_CM_ADDL_REJ_LEN)
			ari_len = IBT_CM_ADDL_REJ_LEN;
		bcopy(&rej_msgp->rej_addl_rej_info,
		    cf_addl->ari_consumer.rej_ari, ari_len);
		cf_addl->ari_consumer.rej_ari_len = ari_len;
		break;
	case IBT_CM_INVALID_PRIM_FLOW:
	case IBT_CM_INVALID_ALT_FLOW:
		if (ari_len < 3)	/* 3 bytes needed for 20 bits */
			break;
		failed->cf_arej_info_valid = B_TRUE;
		/* take the first 20 bits */
		cf_addl->ari_flow =
		    b2h32(*(uint32_t *)&rej_msgp->rej_addl_rej_info) >> 12;
		break;
	default:
		break;
	}

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(failed->cf_arej_info_valid))
	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*cf_addl))
}


/* Used to copy classportinfo to MAD from client initialized args */
static void
ibcm_init_clp_to_mad(ibcm_classportinfo_msg_t *clp, ibt_redirect_info_t *rinfo)
{

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*clp))

	bcopy(&ibcm_clpinfo, clp, sizeof (ibcm_clpinfo));

	clp->RedirectGID_hi = h2b64(rinfo->rdi_gid.gid_prefix);
	clp->RedirectGID_lo = h2b64(rinfo->rdi_gid.gid_guid);
	clp->RedirectTC_plus =
	    h2b32((rinfo->rdi_tclass << 24) | (rinfo->rdi_sl << 20) |
	    (rinfo->rdi_flow & 0xfffff));
	clp->RedirectLID = h2b16(rinfo->rdi_dlid);
	clp->RedirectQP_plus = h2b32(rinfo->rdi_qpn & 0xffffff);
	clp->RedirectQ_Key = h2b32(rinfo->rdi_qkey);
	clp->RedirectP_Key = h2b16(rinfo->rdi_pkey);

	IBTF_DPRINTF_L4(cmlog, "ibcm_init_clp_to_mad: RedirectGID= %llX:%llX,"
	    " RedirectLID= 0x%lX", clp->RedirectGID_hi, clp->RedirectGID_lo,
	    clp->RedirectLID);

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*clp))
}


/* Used to initialize classportinfo to be returned to clients, from MAD */
static void
ibcm_init_clp_from_mad(ibcm_classportinfo_msg_t *clp,
    ibt_redirect_info_t *rinfo)
{
	uint32_t temp32;

	rinfo->rdi_gid.gid_prefix = b2h64(clp->RedirectGID_hi);
	rinfo->rdi_gid.gid_guid = b2h64(clp->RedirectGID_lo);
	temp32 = b2h32(clp->RedirectTC_plus);
	rinfo->rdi_tclass = temp32 >> 24;
	rinfo->rdi_sl = (temp32 >> 20) & 0xf;
	rinfo->rdi_flow = temp32 & 0xffff;
	rinfo->rdi_dlid = b2h16(clp->RedirectLID);
	rinfo->rdi_qpn = b2h32(clp->RedirectQP_plus & 0xffffff);
	rinfo->rdi_qkey = b2h32(clp->RedirectQ_Key);
	rinfo->rdi_pkey = b2h16(clp->RedirectP_Key);

	IBTF_DPRINTF_L4(cmlog, "ibcm_init_clp_from_mad: RedirectGID= %llX:%llX,"
	    " RedirectLID= 0x%lX", rinfo->rdi_gid.gid_prefix,
	    rinfo->rdi_gid.gid_guid, rinfo->rdi_dlid);
}


/*
 * ibcm_cep_state_rej_est:
 *	QP state transition function called for an incoming REJ
 *	on active side in established state
 *
 * INPUTS:
 *	statep		- connection state pointer
 *
 * RETURN VALUE:
 */
void
ibcm_cep_state_rej_est(ibcm_state_data_t *statep)
{
	ibt_cm_event_t	event;
	ibt_status_t	status;

	IBTF_DPRINTF_L3(cmlog, "ibcm_cep_state_rej_est:");

	status = ibcm_cep_to_error_state(statep);
	IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_rej_est: statep 0x%p "
	    "ibcm_cep_to_error_state returned %d", statep, status);

	/* Disassociate state structure and CM */
	IBCM_SET_CHAN_PRIVATE(statep->channel, NULL);

	ibtl_cm_chan_is_closing(statep->channel);

	/* invoke the CM handler */
	if (statep->cm_handler) {
		bzero(&event, sizeof (event));
		event.cm_type = IBT_CM_EVENT_CONN_CLOSED;
		event.cm_channel = statep->channel;
		event.cm_session_id = NULL;

		event.cm_priv_data = NULL;
		event.cm_priv_data_len = 0;

		event.cm_event.closed = IBT_CM_CLOSED_REJ_RCVD;

		IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_rej_est: "
		    "rej_reason = %d", event.cm_event.failed.cf_reason);

		ibcm_insert_trace(statep, IBCM_TRACE_CALLED_CONN_CLOSE_EVENT);

		(void) statep->cm_handler(statep->state_cm_private, &event,
		    NULL, NULL, 0);

		ibcm_insert_trace(statep, IBCM_TRACE_RET_CONN_CLOSE_EVENT);

	}
}


/*
 * ibcm_sidr_req_ud_handler:
 *	Invoke Client's UD handler For SIDR_REQ msg
 *
 * INPUTS:
 *	ud_statep	- ud_state pointer
 *	sidr_reqp	- SIDR_REQ message pointer
 *
 * RETURN VALUE: IBCM_SEND_REP/IBCM_SEND_REJ
 */
static ibcm_status_t
ibcm_sidr_req_ud_handler(ibcm_ud_state_data_t *ud_statep,
    ibcm_sidr_req_msg_t *sidr_reqp, ibcm_mad_addr_t *cm_mad_addr,
    ibt_sidr_status_t *sidr_status)
{
	void			*priv_data = NULL;
	ibt_cm_ud_event_t	ud_event;
	ibcm_sidr_rep_msg_t	*sidr_repp;
	ibt_cm_ud_return_args_t	ud_ret_args;
	ibt_cm_status_t		cb_status;
	ibt_qp_query_attr_t	qp_attr;
	ibt_status_t		retval;
	ibcm_ud_clnt_reply_info_t	ud_clnt_info;

	/* Check first if UD client handler is valid */
	ASSERT(ud_statep->ud_cm_handler != NULL);

	/* Fill in ibt_cm_ud_event_t */
	ud_event.cm_type = IBT_CM_UD_EVENT_SIDR_REQ;
	ud_event.cm_session_id = ud_statep;
	ud_event.cm_event.sidr_req.sreq_service_id = ud_statep->ud_svc_id;
	ud_event.cm_event.sidr_req.sreq_hca_guid = ud_statep->ud_hcap->hca_guid;
	ud_event.cm_event.sidr_req.sreq_pkey = b2h16(sidr_reqp->sidr_req_pkey);
	ud_event.cm_event.sidr_req.sreq_hca_port = cm_mad_addr->port_num;

	ud_event.cm_priv_data =
	    &(sidr_reqp->sidr_req_private_data[0]);
	ud_event.cm_priv_data_len = IBT_SIDR_REQ_PRIV_DATA_SZ;

	sidr_repp =
	    (ibcm_sidr_rep_msg_t *)IBCM_OUT_MSGP(ud_statep->ud_stored_msg);

	priv_data = &(sidr_repp->sidr_rep_private_data[0]);

	bzero(&ud_ret_args, sizeof (ud_ret_args));

	/* Invoke the client handler */
	cb_status = ud_statep->ud_cm_handler(ud_statep->ud_state_cm_private,
	    &ud_event, &ud_ret_args, priv_data, IBT_SIDR_REP_PRIV_DATA_SZ);

	if (cb_status == IBT_CM_DEFER) {

		/* unblock any blocked cm ud proceed api calls */
		mutex_enter(&ud_statep->ud_state_mutex);
		ud_statep->ud_clnt_proceed = IBCM_UNBLOCK;
		cv_broadcast(&ud_statep->ud_block_client_cv);
		mutex_exit(&ud_statep->ud_state_mutex);

		return (IBCM_DEFER);
	}

	/* fail any blocked ud cm proceed api calls - client bug */
	mutex_enter(&ud_statep->ud_state_mutex);
	ud_statep->ud_clnt_proceed = IBCM_FAIL;
	cv_broadcast(&ud_statep->ud_block_client_cv);
	mutex_exit(&ud_statep->ud_state_mutex);

	/* do the query qp as soon as possible, after return from cm handler */
	if (cb_status == IBT_CM_ACCEPT) {
		retval = ibt_query_qp(ud_ret_args.ud_channel, &qp_attr);
		if (retval != IBT_SUCCESS) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_sidr_req_ud_handler: "
			    "Failed to retrieve QPN from the channel: %d",
			    retval);
			*sidr_status = IBT_CM_SREP_NO_CHAN;
			return (IBCM_SEND_SIDR_REP);
		} else if (qp_attr.qp_info.qp_trans != IBT_UD_SRV) {
			IBTF_DPRINTF_L2(cmlog, "ibcm_sidr_req_ud_handler: "
			    "Server/Passive returned non-UD %d transport type "
			    "QP", qp_attr.qp_info.qp_trans);
			*sidr_status = IBT_CM_SREP_NO_CHAN;
			return (IBCM_SEND_SIDR_REP);
		}

		ud_clnt_info.ud_qkey = qp_attr.qp_info.qp_transport.ud.ud_qkey;
		ud_clnt_info.ud_qpn = qp_attr.qp_qpn;
	}

	ud_clnt_info.priv_data = priv_data;
	ud_clnt_info.priv_data_len = ud_ret_args.ud_ret_len;

	ud_clnt_info.redirect_infop = &ud_ret_args.ud_redirect;

	ibcm_process_sidr_req_cm_hdlr(ud_statep, cb_status, &ud_clnt_info,
	    sidr_status, sidr_repp);

	return (IBCM_SEND_SIDR_REP);
}

/*ARGSUSED*/
void
ibcm_process_sidr_req_cm_hdlr(ibcm_ud_state_data_t *ud_statep,
    ibt_cm_status_t cb_status, ibcm_ud_clnt_reply_info_t *ud_clnt_info,
    ibt_sidr_status_t *sidr_status, ibcm_sidr_rep_msg_t *sidr_repp)
{
	void	*sidr_rep_privp;

	IBTF_DPRINTF_L5(cmlog, "ibcm_process_sidr_req_cm_hdlr(%p, %x, "
	    "%p, %p, %p)", ud_statep, cb_status, ud_clnt_info,
	    sidr_status, sidr_repp);

	if (cb_status == IBT_CM_DEFAULT)
		cb_status = IBT_CM_REJECT;

	if (cb_status == IBT_CM_ACCEPT)
		*sidr_status = IBT_CM_SREP_CHAN_VALID;
	else if ((cb_status == IBT_CM_REJECT) ||
	    (cb_status == IBT_CM_NO_RESOURCE))
		*sidr_status = IBT_CM_SREP_REJ;
	else if (cb_status == IBT_CM_NO_CHANNEL)
		*sidr_status = IBT_CM_SREP_NO_CHAN;
	else if (cb_status == IBT_CM_REDIRECT)
		*sidr_status = IBT_CM_SREP_REDIRECT;
	else *sidr_status = IBT_CM_SREP_REJ;

	/*
	 * For Accept and reject copy the private data, if ud_clnt_info
	 * priv_data does not point to SIDR Response private data. This
	 * copy is needed for ibt_cm_ud_proceed().
	 */
	sidr_rep_privp = (void *)(&(sidr_repp->sidr_rep_private_data[0]));
	if ((cb_status == IBT_CM_ACCEPT || cb_status == IBT_CM_REJECT) &&
	    (ud_clnt_info->priv_data != sidr_rep_privp) &&
	    ud_clnt_info->priv_data_len) {
		bcopy(ud_clnt_info->priv_data, sidr_rep_privp,
		    min(ud_clnt_info->priv_data_len,
		    IBT_SIDR_REP_PRIV_DATA_SZ));
	}

	if (*sidr_status != IBT_CM_SREP_CHAN_VALID) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_sidr_req_cm_hdlr: "
		    "ud_handler return a failure: %d", cb_status);
		if (*sidr_status == IBT_CM_SREP_REDIRECT) {
		/*
		 * typecasting to ibcm_classportinfo_msg_t is ok, as addl info
		 * begins at offset 24 in sidr rep
		 */
			ibcm_init_clp_to_mad(
			    (ibcm_classportinfo_msg_t *)
			    &sidr_repp->sidr_rep_class_port_info,
			    ud_clnt_info->redirect_infop);
		}
		return;
	}


	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*sidr_repp))

	sidr_repp->sidr_rep_qkey =
	    h2b32(ud_clnt_info->ud_qkey);
	sidr_repp->sidr_rep_qpn_plus = h2b32(ud_clnt_info->ud_qpn << 8);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*sidr_repp))
}

/*
 * ibcm_sidr_rep_ud_handler:
 *	Invoke Client's UD handler For SIDR_REP msg
 *
 * INPUTS:
 *	ud_statep	- ud_state pointer
 *	sidr_rep_msgp	- SIDR_REQ message pointer
 *
 */
static void
ibcm_sidr_rep_ud_handler(ibcm_ud_state_data_t *ud_statep,
    ibcm_sidr_rep_msg_t *sidr_rep_msgp)
{
	ibt_cm_ud_event_t	ud_event;

	IBTF_DPRINTF_L5(cmlog, "ibcm_sidr_rep_ud_handler: ud_statep 0x%p",
	    ud_statep);

	/* Check first if UD client handler is valid */
	if (ud_statep->ud_cm_handler == NULL) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_sidr_rep_ud_handler: "
		    "cm_handler NULL");
		return;
	}

	/* Fill in ibt_cm_ud_event_t */
	ud_event.cm_type = IBT_CM_UD_EVENT_SIDR_REP;
	ud_event.cm_session_id = NULL;
	ud_event.cm_event.sidr_rep.srep_status =
	    sidr_rep_msgp->sidr_rep_rep_status;
	ud_event.cm_event.sidr_rep.srep_remote_qpn =
	    b2h32(sidr_rep_msgp->sidr_rep_qpn_plus) >> 8;
	ud_event.cm_event.sidr_rep.srep_remote_qkey =
	    h2b32(sidr_rep_msgp->sidr_rep_qkey);

	if (ud_event.cm_event.sidr_rep.srep_status == IBT_CM_SREP_REDIRECT) {
		/*
		 * typecasting to ibcm_classportinfo_msg_t is ok, as addl info
		 * begins at offset 24 in sidr rep
		 */
		ibcm_init_clp_from_mad(
		    (ibcm_classportinfo_msg_t *)
		    sidr_rep_msgp->sidr_rep_class_port_info,
		    &ud_event.cm_event.sidr_rep.srep_redirect);

		if (ud_statep->ud_return_data != NULL)
			bcopy(&ud_event.cm_event.sidr_rep.srep_redirect,
			    &ud_statep->ud_return_data->ud_redirect,
			    sizeof (ibt_redirect_info_t));
	}

	ud_event.cm_priv_data = &(sidr_rep_msgp->sidr_rep_private_data[0]);
	ud_event.cm_priv_data_len = IBT_SIDR_REP_PRIV_DATA_SZ;

	/* Invoke the client handler - inform only, so ignore retval */
	(void) ud_statep->ud_cm_handler(ud_statep->ud_state_cm_private,
	    &ud_event, NULL, NULL, 0);


}

/*
 * ibcm_process_lap_msg:
 *	This call processes an incoming LAP message
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- incoming CM LAP MAD
 *	cm_mad_addr	- Address information for the MAD
 *
 * RETURN VALUE: NONE
 */
/* ARGSUSED */
void
ibcm_process_lap_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ibcm_status_t		state_lookup_status;
	ibcm_lap_msg_t		*lap_msg = (ibcm_lap_msg_t *)
	    (&input_madp[IBCM_MAD_HDR_SIZE]);
	ibcm_apr_msg_t		*apr_msg;
	ibcm_state_data_t	*statep = NULL;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_lap_msg:");

	rw_enter(&hcap->hca_state_rwlock, RW_READER);

	state_lookup_status = ibcm_lookup_msg(IBCM_INCOMING_LAP,
	    b2h32(lap_msg->lap_remote_comm_id), 0, 0, hcap, &statep);

	rw_exit(&hcap->hca_state_rwlock);

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_lap_msg: lookup status %x"
	    " com id %x", state_lookup_status,
	    b2h32(lap_msg->lap_remote_comm_id));

	if (state_lookup_status != IBCM_LOOKUP_EXISTS) {
		/* Post a REJ message ? - but spec doesn't state so */
		return;
	}

	/* There is an existing state structure entry with active comid */

	ibcm_insert_trace(statep, IBCM_TRACE_INCOMING_LAP);

	mutex_enter(&statep->state_mutex);

	if ((statep->state == IBCM_STATE_ESTABLISHED) &&
	    (statep->ap_state == IBCM_AP_STATE_IDLE) &&
	    (statep->mode == IBCM_PASSIVE_MODE)) {
		if ((statep->lapr_msg) &&
		    (IBCM_OUT_HDRP(statep->lapr_msg)->TransactionID ==
		    ((ib_mad_hdr_t *)(input_madp))->TransactionID))
			ibcm_post_stored_apr_mad(statep, input_madp);
		else {
			ibcm_status_t	clnt_response;

			statep->ap_state = IBCM_AP_STATE_LAP_RCVD;
			statep->clnt_proceed = IBCM_BLOCK;
			mutex_exit(&statep->state_mutex);

			if (statep->lapr_msg == NULL) {
				if (ibcm_alloc_out_msg(
				    statep->stored_reply_addr.ibmf_hdl,
				    &statep->lapr_msg, MAD_METHOD_SEND) !=
				    IBT_SUCCESS) {

					mutex_enter(&statep->state_mutex);
					statep->clnt_proceed = IBCM_FAIL;
					cv_broadcast(&statep->block_client_cv);
					IBCM_REF_CNT_DECR(statep);
					mutex_exit(&statep->state_mutex);
					return;
				}
			}
			apr_msg = (ibcm_apr_msg_t *)
			    IBCM_OUT_MSGP(statep->lapr_msg);
			IBCM_OUT_HDRP(statep->lapr_msg)->TransactionID =
			    ((ib_mad_hdr_t *)(input_madp))->TransactionID;
			clnt_response =
			    ibcm_cep_state_lap(statep, lap_msg, apr_msg);
			IBTF_DPRINTF_L4(cmlog, "ibcm_process_lap_msg:"
			    " statep 0x%p  apr status %d", statep,
			    apr_msg->apr_ap_status);

			if (clnt_response == IBCM_DEFER) {
				IBTF_DPRINTF_L4(cmlog, "ibcm_process_lap_msg: "
				    "client returned DEFER response");
				return;
			}

			/* fail any blocked cm proceed api calls - client bug */
			mutex_enter(&statep->state_mutex);
			statep->clnt_proceed = IBCM_FAIL;
			cv_broadcast(&statep->block_client_cv);
			mutex_exit(&statep->state_mutex);

			ibcm_post_apr_mad(statep);
			return;
		}
	}	/* drop the LAP MAD in any other state */

	IBCM_REF_CNT_DECR(statep); /* decrement the ref count */
	mutex_exit(&statep->state_mutex);
}

/*
 * ibcm_post_stored_apr_mad:
 *	Builds and posts an APR MAD from the stored APR MAD
 *
 * INPUTS:
 *	statep		- pointer to ibcm_state_data_t
 *	input_madp	- pointer to incoming lap mad
 *
 * RETURN VALUE:
 *	NONE
 *
 * This function is called holding the state mutex, and returns
 * holding the state mutex
 */
static void
ibcm_post_stored_apr_mad(ibcm_state_data_t *statep, uint8_t *input_madp)
{
	ibmf_msg_t	*ibmf_apr_msg;
	uint8_t		apr_msg[IBCM_MSG_SIZE];

	/* Need to make a copy, else an incoming new LAP may modify lapr_msg */
	bcopy(IBCM_OUT_MSGP(statep->lapr_msg), apr_msg, IBCM_MSG_SIZE);

	mutex_exit(&statep->state_mutex);

	if (ibcm_alloc_out_msg(statep->stored_reply_addr.ibmf_hdl,
	    &ibmf_apr_msg, MAD_METHOD_SEND) != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_post_stored_apr_mad: "
		    "ibcm_alloc_out_msg failed");
		mutex_enter(&statep->state_mutex);
		return;
	}

	bcopy(apr_msg, IBCM_OUT_MSGP(ibmf_apr_msg), IBCM_MSG_SIZE);

	IBCM_OUT_HDRP(ibmf_apr_msg)->AttributeID =
	    h2b16(IBCM_INCOMING_APR + IBCM_ATTR_BASE_ID);

	IBCM_OUT_HDRP(ibmf_apr_msg)->TransactionID =
	    ((ib_mad_hdr_t *)(input_madp))->TransactionID;

	ibcm_insert_trace(statep, IBCM_TRACE_OUTGOING_APR);

	ibcm_post_rc_mad(statep, ibmf_apr_msg, ibcm_post_stored_apr_complete,
	    ibmf_apr_msg);

	/* ibcm_free_out_msg done in ibcm_post_stored_apr_complete */

	mutex_enter(&statep->state_mutex);
}

/*
 * ibcm_cep_state_lap:
 *	This call processes an incoming LAP message for cep state
 *	transition and invoking cm handler
 *
 * INPUTS:
 *	statep		- pointer to ibcm_state_data_t
 *	lap_msg		- lap msg received
 *	apr_msg		- apr msg to be sent
 *
 * RETURN VALUE: NONE
 */
ibcm_status_t
ibcm_cep_state_lap(ibcm_state_data_t *statep, ibcm_lap_msg_t *lap_msg,
    ibcm_apr_msg_t *apr_msg)
{
	ibt_cm_event_t		event;
	ibt_cm_return_args_t	ret_args;
	ibt_cm_status_t		cb_status;
	ibcm_clnt_reply_info_t	clnt_info;


	IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_lap: statep 0x%p", statep);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*apr_msg))

	/* If APM is not supported, return error */
	if (!(statep->hcap->hca_caps & IBT_HCA_AUTO_PATH_MIG)) {
		apr_msg->apr_ap_status = IBT_CM_AP_NOT_SUPPORTED;
		return (IBCM_SEND_APR);
	}

	if (statep->local_qpn !=
	    b2h32(lap_msg->lap_remote_qpn_eecn_plus) >> 8) {
		apr_msg->apr_ap_status = IBT_CM_AP_REJECT;
		IBTF_DPRINTF_L4(cmlog, "ibcm_cep_state_lap: local_qpn %x does "
		    "not match remote's remote_qpn %x", statep->local_qpn,
		    b2h32(lap_msg->lap_remote_qpn_eecn_plus) >> 8);
		return (IBCM_SEND_APR);
	}

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*apr_msg))

	/* Fill up the event */
	bzero(&event, sizeof (event));
	event.cm_type = IBT_CM_EVENT_LAP_RCV;
	event.cm_channel = statep->channel;
	event.cm_session_id = statep;
	event.cm_priv_data = lap_msg->lap_private_data;
	event.cm_priv_data_len =  IBT_LAP_PRIV_DATA_SZ;
	event.cm_event.lap.lap_timeout = ibt_ib2usec(
	    ((uint8_t *)&lap_msg->lap_remote_qpn_eecn_plus)[3] >> 3);

	ibcm_fill_adds_from_lap(&event.cm_event.lap.lap_alternate_path,
	    lap_msg, IBCM_PASSIVE_MODE);

	cb_status = statep->cm_handler(statep->state_cm_private, &event,
	    &ret_args, apr_msg->apr_private_data, IBT_APR_PRIV_DATA_SZ);

	IBTF_DPRINTF_L3(cmlog, "ibcm_cep_state_lap: cb_status = %d", cb_status);
	if (cb_status == IBT_CM_DEFER) {

		_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(statep->defer_cm_msg))

		if (statep->defer_cm_msg == NULL)
			statep->defer_cm_msg =
			    kmem_zalloc(IBCM_MSG_SIZE, KM_SLEEP);
		bcopy(lap_msg, statep->defer_cm_msg, IBCM_MSG_SIZE);

		_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(statep->defer_cm_msg))

		/* unblock any blocked cm proceed api calls */
		mutex_enter(&statep->state_mutex);
		statep->clnt_proceed = IBCM_UNBLOCK;
		cv_broadcast(&statep->block_client_cv);
		mutex_exit(&statep->state_mutex);

		return (IBCM_DEFER);
	}

	clnt_info.reply_event = (ibt_cm_proceed_reply_t *)&ret_args.cm_ret;
	clnt_info.priv_data = NULL;
	clnt_info.priv_data_len = 0;

	ibcm_process_cep_lap_cm_hdlr(statep, cb_status, &clnt_info, lap_msg,
	    apr_msg);
	return (IBCM_SEND_APR);
}

/*
 * ibcm_fill_adds_from_lap:
 *	Fills the address vector (part of event structure passed to
 * client) from the LAP message
 *
 * INPUTS:
 *	adds		- Address vector to be filled-in
 *	lap_msg		- LAP message used to fill the address vector
 *
 * RETURN VALUE: NONE
 */
static void
ibcm_fill_adds_from_lap(ibt_adds_vect_t *adds, ibcm_lap_msg_t *lap_msg,
    ibcm_mode_t mode)
{
	adds->av_srvl = lap_msg->lap_alt_sl_plus >> 4;
	if (mode == IBCM_PASSIVE_MODE) {
		adds->av_dgid.gid_prefix =
		    b2h64(lap_msg->lap_alt_l_port_gid.gid_prefix);
		adds->av_dgid.gid_guid =
		    b2h64(lap_msg->lap_alt_l_port_gid.gid_guid);
		adds->av_sgid.gid_prefix =
		    b2h64(lap_msg->lap_alt_r_port_gid.gid_prefix);
		adds->av_sgid.gid_guid =
		    b2h64(lap_msg->lap_alt_r_port_gid.gid_guid);
		adds->av_dlid = b2h16(lap_msg->lap_alt_l_port_lid);
	} else {
		adds->av_sgid.gid_prefix =
		    b2h64(lap_msg->lap_alt_l_port_gid.gid_prefix);
		adds->av_sgid.gid_guid =
		    b2h64(lap_msg->lap_alt_l_port_gid.gid_guid);
		adds->av_dgid.gid_prefix =
		    b2h64(lap_msg->lap_alt_r_port_gid.gid_prefix);
		adds->av_dgid.gid_guid =
		    b2h64(lap_msg->lap_alt_r_port_gid.gid_guid);
		adds->av_dlid = b2h16(lap_msg->lap_alt_r_port_lid);
	}

	IBTF_DPRINTF_L4(cmlog, "ibcm_fill_adds_from_lap: SGID=(%llX:%llX)",
	    adds->av_sgid.gid_prefix, adds->av_sgid.gid_guid);

	IBTF_DPRINTF_L4(cmlog, "ibcm_fill_adds_from_lap: DGID=(%llX:%llX)",
	    adds->av_dgid.gid_prefix, adds->av_dgid.gid_guid);

	adds->av_srate = lap_msg->lap_alt_srate_plus & 0x3f;

	/* next copy off the GRH info if it exists  */
	if ((lap_msg->lap_alt_sl_plus & 0x8) == 0) {
		uint32_t flow_tclass = b2h32(lap_msg->lap_alt_flow_label_plus);

		adds->av_send_grh = B_TRUE;
		adds->av_flow = flow_tclass >> 12;
		adds->av_tclass = flow_tclass & 0xff;
		adds->av_hop = lap_msg->lap_alt_hop_limit;
	} else {
		adds->av_send_grh = B_FALSE;
	}
}

/*
 * ibcm_process_cep_lap_cm_hdlr:
 * Processes the cm handler response for an incoming LAP.
 */

void
ibcm_process_cep_lap_cm_hdlr(ibcm_state_data_t *statep,
    ibt_cm_status_t cb_status, ibcm_clnt_reply_info_t *clnt_info,
    ibcm_lap_msg_t *lap_msg, ibcm_apr_msg_t *apr_msg)
{
	ibtl_cm_hca_port_t	port;
	ibt_qp_query_attr_t	qp_attrs;
	ibt_cep_modify_flags_t	cep_flags;
	ibt_status_t		status;
	ibt_adds_vect_t		*adds;

	if (cb_status == IBT_CM_DEFAULT)
		cb_status = IBT_CM_REJECT;

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*apr_msg))

	/* verify status */
	apr_msg->apr_addl_info_len = 0;
	if (cb_status == IBT_CM_ACCEPT) {
		apr_msg->apr_ap_status = IBT_CM_AP_LOADED;
	} else if (cb_status == IBT_CM_REJECT) {
		apr_msg->apr_ap_status = IBT_CM_AP_REJECT;
	} else if (cb_status == IBT_CM_REDIRECT) {
		apr_msg->apr_ap_status = IBT_CM_AP_REDIRECT;
		/* copy redirect info to APR */
		apr_msg->apr_addl_info_len = sizeof (ibcm_classportinfo_msg_t);
		ibcm_init_clp_to_mad(
		    (ibcm_classportinfo_msg_t *)apr_msg->apr_addl_info,
		    &clnt_info->reply_event->apr);
	} else if (cb_status == IBT_CM_NO_RESOURCE) {
		apr_msg->apr_ap_status = IBT_CM_AP_REJECT;
	} else {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_lap_cm_hdlr: statep %p"
		    " Client handler unexpected return %x", statep, cb_status);
		cb_status = IBT_CM_REJECT;
		apr_msg->apr_ap_status = IBT_CM_AP_REJECT;
	}

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_cep_lap_cm_hdlr: statep 0x%p "
	    " client handler returned %d, apr status %d", statep, cb_status,
	    apr_msg->apr_ap_status);

	/* copy private data to outgoing apr, specified via priv_data */
	if ((clnt_info->priv_data != NULL) && (clnt_info->priv_data_len > 0))
		bcopy(clnt_info->priv_data, apr_msg->apr_private_data,
		    min(clnt_info->priv_data_len, IBT_APR_PRIV_DATA_SZ));

	if (cb_status != IBT_CM_ACCEPT)
		return;

	if (ibt_query_qp(statep->channel, &qp_attrs) != IBT_SUCCESS ||
	    (qp_attrs.qp_info.qp_state != IBT_STATE_RTS &&
	    qp_attrs.qp_info.qp_state != IBT_STATE_SQD)) {
		apr_msg->apr_ap_status = IBT_CM_AP_REJECT;
		return;
	}

	/* Fill up input args for ibt_modify_qp */
	cep_flags = IBT_CEP_SET_ALT_PATH | IBT_CEP_SET_STATE;

	/* do RTS=>RTS or SQD=>SQD.  The next line is needed for RTS=>RTS. */
	qp_attrs.qp_info.qp_current_state = qp_attrs.qp_info.qp_state;

	adds = &IBCM_QP_RC(qp_attrs).rc_alt_path.cep_adds_vect;
	ibcm_fill_adds_from_lap(adds, lap_msg, IBCM_PASSIVE_MODE);

	if ((status = ibtl_cm_get_hca_port(adds->av_sgid,
	    statep->local_hca_guid, &port)) != IBT_SUCCESS) {

		IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_lap_cm_hdlr:"
		    " ibtl_cm_get_hca_port failed status %d", status);
		apr_msg->apr_ap_status = IBT_CM_AP_REJECT;
		return;
	}

	IBCM_QP_RC(qp_attrs).rc_alt_path.cep_hca_port_num = port.hp_port;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_cep_lap_cm_hdlr: statep 0x%p "
	    "gid = (%llx, %llx), port_num = %d", statep,
	    IBCM_QP_RC(qp_attrs).rc_alt_path.cep_adds_vect.av_dgid.
	    gid_prefix,
	    IBCM_QP_RC(qp_attrs).rc_alt_path.cep_adds_vect.av_dgid.gid_guid,
	    port.hp_port);

	/* The pkey is same as the primary path */
	status = ibt_pkey2index_byguid(statep->local_hca_guid,
	    port.hp_port, statep->pkey,
	    &IBCM_QP_RC(qp_attrs).rc_alt_path.cep_pkey_ix);

	if (status != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_lap_cm_hdlr: statep %p"
		    " ibt_pkey2index_byguid failed %d", statep, status);
		apr_msg->apr_ap_status = IBT_CM_AP_REJECT;
		return;
	}

	IBCM_QP_RC(qp_attrs).rc_alt_path.cep_timeout =
	    lap_msg->lap_alt_local_acktime_plus >> 3;

	qp_attrs.qp_info.qp_trans = IBT_RC_SRV;
	if (IBCM_QP_RC(qp_attrs).rc_mig_state == IBT_STATE_MIGRATED) {
		IBTF_DPRINTF_L3(cmlog, "ibcm_process_cep_lap_cm_hdlr: statep %p"
		    ": rearming APM", statep);
		cep_flags |= IBT_CEP_SET_MIG;
		IBCM_QP_RC(qp_attrs).rc_mig_state = IBT_STATE_REARMED;
	}
	status = ibt_modify_qp(statep->channel, cep_flags, &qp_attrs.qp_info,
	    NULL);

	if (status != IBT_SUCCESS) {
		ibcm_insert_trace(statep, IBCM_TRACE_SET_ALT_FAIL);
	} else
		ibcm_insert_trace(statep, IBCM_TRACE_SET_ALT);

#ifdef	DEBUG
	(void) ibt_query_qp(statep->channel, &qp_attrs);
	print_modify_qp("PASSIVE LAP QUERY", statep->channel,
	    cep_flags, &qp_attrs.qp_info);
#endif

	if (status != IBT_SUCCESS) {
		apr_msg->apr_ap_status = IBT_CM_AP_REJECT;
		IBTF_DPRINTF_L2(cmlog, "ibcm_process_cep_lap_cm_hdlr:"
		    " ibt_modify_qp() returned = %d", status);
		return;
	}
	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*apr_msg))
}


/*
 * ibcm_post_apr_mad:
 *	Posts a APR MAD and starts timer
 *
 * INPUTS:
 *	statep		- state pointer
 *
 * RETURN VALUE: NONE
 */
void
ibcm_post_apr_mad(ibcm_state_data_t *statep)
{
	ibcm_apr_msg_t	*apr_msgp;

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*apr_msgp))

	apr_msgp = (ibcm_apr_msg_t *)IBCM_OUT_MSGP(statep->lapr_msg);

	apr_msgp->apr_local_comm_id = h2b32(statep->local_comid);
	apr_msgp->apr_remote_comm_id = h2b32(statep->remote_comid);
	IBCM_OUT_HDRP(statep->lapr_msg)->AttributeID =
	    h2b16(IBCM_INCOMING_APR + IBCM_ATTR_BASE_ID);

	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*apr_msgp))

	ibcm_insert_trace(statep, IBCM_TRACE_OUTGOING_APR);

	ibcm_post_rc_mad(statep, statep->lapr_msg, ibcm_post_apr_complete,
	    statep);
}

/*
 * ibcm_process_apr_msg:
 *	This call processes an incoming APR message
 *
 * INPUTS:
 *	hcap		- HCA entry pointer
 *	input_madp	- incoming CM SIDR REP MAD
 *	cm_mad_addr	- Address information for the MAD to be posted
 *
 * RETURN VALUE: NONE
 */
/*ARGSUSED*/
void
ibcm_process_apr_msg(ibcm_hca_info_t *hcap, uint8_t *input_madp,
    ibcm_mad_addr_t *cm_mad_addr)
{
	ibcm_status_t		state_lookup_status;
	ibcm_apr_msg_t		*apr_msg = (ibcm_apr_msg_t *)
	    (&input_madp[IBCM_MAD_HDR_SIZE]);
	ibcm_state_data_t	*statep = NULL;

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_apr_msg:");

	rw_enter(&hcap->hca_state_rwlock, RW_READER);
	state_lookup_status = ibcm_lookup_msg(IBCM_INCOMING_APR,
	    b2h32(apr_msg->apr_remote_comm_id), 0, 0, hcap, &statep);
	rw_exit(&hcap->hca_state_rwlock);

	if (state_lookup_status != IBCM_LOOKUP_EXISTS) {
		return;
	}

	/* if transaction id is not as expected, drop the APR mad */
	if (IBCM_OUT_HDRP(statep->lapr_msg)->TransactionID !=
	    ((ib_mad_hdr_t *)(input_madp))->TransactionID) {
		mutex_enter(&statep->state_mutex);
		IBCM_REF_CNT_DECR(statep);
		mutex_exit(&statep->state_mutex);
		IBTF_DPRINTF_L3(cmlog, "ibcm_process_apr_msg: statep 0x%p"
		    ": rcv'd APR MAD with comid 0x%x",
		    statep, b2h32(apr_msg->apr_remote_comm_id));
		IBTF_DPRINTF_L3(cmlog, "ibcm_process_apr_msg: "
		    "tid expected 0x%llX tid found 0x%llX",
		    b2h64(IBCM_OUT_HDRP(statep->lapr_msg)->TransactionID),
		    b2h64(((ib_mad_hdr_t *)(input_madp))->TransactionID));
		return;
	}

	IBTF_DPRINTF_L4(cmlog, "ibcm_process_apr_msg: statep 0x%p "
	    "lookup status %x", statep, state_lookup_status);

	mutex_enter(&statep->state_mutex);

	if (!((statep->state == IBCM_STATE_ESTABLISHED) &&
	    ((statep->ap_state == IBCM_AP_STATE_LAP_SENT) ||
	    (statep->ap_state == IBCM_AP_STATE_MRA_LAP_RCVD)))) {
		IBCM_REF_CNT_DECR(statep); /* decrement the ref count */
		mutex_exit(&statep->state_mutex);
		return;
	}

	statep->ap_state = IBCM_AP_STATE_APR_RCVD;

	/* cancel the LAP timer */
	if (statep->timerid != 0) {
		timeout_id_t timer_val;
		timer_val = statep->timerid;
		statep->timerid = 0;
		mutex_exit(&statep->state_mutex);
		(void) untimeout(timer_val);
	} else {
		mutex_exit(&statep->state_mutex);
	}

	ibcm_insert_trace(statep, IBCM_TRACE_INCOMING_APR);

	ibcm_cep_state_apr(statep,
	    (ibcm_lap_msg_t *)IBCM_OUT_MSGP(statep->lapr_msg), apr_msg);

	mutex_enter(&statep->state_mutex);
	statep->ap_state = IBCM_AP_STATE_IDLE;

	/* unblock any DREQ threads and close channels */
	cv_broadcast(&statep->block_mad_cv);

	statep->ap_done = B_TRUE;

	/* wake up blocking ibt_set_alt_path */
	cv_broadcast(&statep->block_client_cv);

	IBCM_REF_CNT_DECR(statep); /* decrement the ref count */
	mutex_exit(&statep->state_mutex);
}

static void
ibcm_set_apr_arej(int ap_status, ibcm_apr_msg_t *apr_msgp,
    ibt_arej_info_t *ari, boolean_t *ari_valid)
{
	uint8_t ari_len = apr_msgp->apr_addl_info_len;
	ibcm_classportinfo_msg_t tclp;

	*ari_valid = B_FALSE;

	IBTF_DPRINTF_L3(cmlog, "ibcm_set_apr_arej: apr_status = %d "
	    "ari_len = %d", ap_status, ari_len);

	_NOTE(NOW_INVISIBLE_TO_OTHER_THREADS(*ari))

	switch (ap_status) {
	case IBT_CM_AP_REDIRECT:
		if (ari_len < sizeof (ibcm_classportinfo_msg_t))
			break;
		*ari_valid = B_TRUE;
		bcopy(apr_msgp->apr_addl_info, &tclp, sizeof (tclp));
		ibcm_init_clp_from_mad(&tclp, &ari->ari_redirect);
		break;
	case IBT_CM_AP_RLID_REJECTED:
		if (ari_len < sizeof (ib_lid_t))
			break;
		*ari_valid = B_TRUE;
		bcopy(apr_msgp->apr_addl_info, &ari->ari_lid,
		    sizeof (ib_lid_t));
		ari->ari_lid = b2h16(ari->ari_lid);
		break;
	case IBT_CM_AP_RGID_REJECTED:
		if (ari_len < sizeof (ib_gid_t))
			break;
		*ari_valid = B_TRUE;
		bcopy(apr_msgp->apr_addl_info, &ari->ari_gid,
		    sizeof (ib_gid_t));
		ari->ari_gid.gid_guid = b2h64(ari->ari_gid.gid_guid);
		ari->ari_gid.gid_prefix = b2h64(ari->ari_gid.gid_prefix);

		IBTF_DPRINTF_L4(cmlog, "ibcm_set_apr_arej: ari_gid= %llX:%llX",
		    ari->ari_gid.gid_prefix, ari->ari_gid.gid_guid);
		break;
	case IBT_CM_AP_FLOW_REJECTED:
		if (ari_len < 3)	/* 3 bytes needed for 20 bits */
			break;
		*ari_valid = B_TRUE;
		/* take the first 20 bits */
		ari->ari_flow =
		    b2h32(*(uint32_t *)&apr_msgp->apr_addl_info) >> 12;
		break;
	case IBT_CM_AP_TCLASS_REJECTED:
		if (ari_len < 1)
			break;
		*ari_valid = B_TRUE;
		/* take the first byte */
		ari->ari_tclass = apr_msgp->apr_addl_info[0];
		break;
	case IBT_CM_AP_HOP_REJECTED:
		if (ari_len < 1)
			break;
		*ari_valid = B_TRUE;
		/* take the first byte */
		ari->ari_hop = apr_msgp->apr_addl_info[0];
		break;
	case IBT_CM_AP_RATE_REJECTED:
		if (ari_len < 1)
			break;
		*ari_valid = B_TRUE;
		/* take the first 6 bits */
		ari->ari_rate = apr_msgp->apr_addl_info[0] >> 2;
		break;
	case IBT_CM_AP_SL_REJECTED:
		if (ari_len < 1)
			break;
		*ari_valid = B_TRUE;
		/* take the first 4 bits */
		ari->ari_sl = apr_msgp->apr_addl_info[0] >> 4;
		break;
	default:
		break;
	}
	_NOTE(NOW_VISIBLE_TO_OTHER_THREADS(*ari))
}

/*
 * ibcm_cep_state_apr:
 *	This call processes an incoming APR message
 *
 * INPUTS:
 *	statep		- pointer to ibcm_state_data_t
 *	lap_msg		- lap msg sent earlier
 *	apr_msg		- apr msg received
 *
 * RETURN VALUE: NONE
 */
void
ibcm_cep_state_apr(ibcm_state_data_t *statep, ibcm_lap_msg_t *lap_msg,
    ibcm_apr_msg_t *apr_msg)
{
	ibt_cm_event_t		event;
	ibcm_status_t		status = IBCM_SUCCESS;
	uint8_t			ap_status = apr_msg->apr_ap_status;

	IBTF_DPRINTF_L3(cmlog, "ibcm_cep_state_apr: statep 0x%p, ap_status %d",
	    statep, ap_status);

	if (ap_status == IBT_CM_AP_LOADED)
		status = ibcm_set_qp_from_apr(statep, lap_msg);

	if (statep->ap_return_data != NULL) {	/* blocking call */

		/* copy the private data */
		if ((statep->ap_return_data->ap_priv_data != NULL) &&
		    (statep->ap_return_data->ap_priv_data_len > 0))
			bcopy(apr_msg->apr_private_data,
			    statep->ap_return_data->ap_priv_data,
			    statep->ap_return_data->ap_priv_data_len);

		/* initialize the ap status */
		if (status == IBCM_FAILURE) {
			statep->ap_return_data->ap_status = IBT_CM_AP_REJECT;
			statep->ap_return_data->ap_arej_info_valid = B_FALSE;
		} else {
			statep->ap_return_data->ap_status = ap_status;
			ibcm_set_apr_arej(ap_status, apr_msg,
			    &statep->ap_return_data->ap_arej_info,
			    &statep->ap_return_data->ap_arej_info_valid);
		}

		/* do a cv signal for a blocking ibt_set_alt_path */
		mutex_enter(&statep->state_mutex);
		statep->ap_done = B_TRUE;
		cv_broadcast(&statep->block_client_cv);
		mutex_exit(&statep->state_mutex);

	} else {	/* Non blocking call */
		/* Fill up the event */

		bzero(&event, sizeof (event));
		event.cm_type = IBT_CM_EVENT_APR_RCV;
		event.cm_channel = statep->channel;
		event.cm_session_id = NULL;
		event.cm_priv_data = apr_msg->apr_private_data;
		event.cm_priv_data_len =  IBT_APR_PRIV_DATA_SZ;
		if (status == IBCM_FAILURE) {
			event.cm_event.apr.apr_status = IBT_CM_AP_REJECT;
			event.cm_event.apr.apr_arej_info_valid = B_FALSE;
		} else {
			event.cm_event.apr.apr_status = ap_status;
			ibcm_set_apr_arej(ap_status, apr_msg,
			    &event.cm_event.apr.apr_arej_info,
			    &event.cm_event.apr.apr_arej_info_valid);
		}

		/* initialize the ap status */
		statep->cm_handler(statep->state_cm_private, &event,
		    NULL, apr_msg->apr_private_data, IBT_APR_PRIV_DATA_SZ);
	}
	mutex_enter(&statep->state_mutex);
	ibcm_open_done(statep);
	mutex_exit(&statep->state_mutex);
}

/*
 * ibcm_set_qp_from_apr:
 *	This call sets QP's alt path info based on APR message contents
 *
 * INPUTS:
 *	statep		- pointer to ibcm_state_data_t
 *	lap_msg		- lap msg sent earlier
 *
 * RETURN VALUE: ibcm_status_t
 */
static ibcm_status_t
ibcm_set_qp_from_apr(ibcm_state_data_t *statep, ibcm_lap_msg_t *lap_msg)
{
	ibtl_cm_hca_port_t	port;
	ibt_adds_vect_t		*adds;

	ibt_qp_query_attr_t	qp_attrs;
	ibt_cep_modify_flags_t	cep_flags;
	ibt_status_t		status;

	IBTF_DPRINTF_L3(cmlog, "ibcm_set_qp_from_apr: statep 0x%p", statep);

	status = ibt_query_qp(statep->channel, &qp_attrs);
	if (status != IBT_SUCCESS ||
	    (qp_attrs.qp_info.qp_state != IBT_STATE_RTS &&
	    qp_attrs.qp_info.qp_state != IBT_STATE_SQD)) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_set_qp_from_apr: ibt_query_qp "
		    "failed, status = %d, qp_state = %d", statep, status,
		    qp_attrs.qp_info.qp_state);
		return (IBCM_FAILURE);
	}

	/* Fill up input args for ibt_modify_qp */
	cep_flags = IBT_CEP_SET_ALT_PATH | IBT_CEP_SET_STATE;

	/* do RTS=>RTS or SQD=>SQD.  The next line is needed for RTS=>RTS. */
	qp_attrs.qp_info.qp_current_state = qp_attrs.qp_info.qp_state;

	/* Fill up input args for ibt_modify_qp */
	adds = &IBCM_QP_RC(qp_attrs).rc_alt_path.cep_adds_vect;

	ibcm_fill_adds_from_lap(adds, lap_msg, IBCM_ACTIVE_MODE);

	if ((status = ibtl_cm_get_hca_port(adds->av_sgid,
	    statep->local_hca_guid, &port)) != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_set_qp_from_apr: "
		    "ibtl_cm_get_hca_port failed status = %d", status);
		IBTF_DPRINTF_L5(cmlog, "ibcm_set_qp_from_apr:"
		    " ibtl_cm_get_hca_port sgid guid %llX",
		    adds->av_sgid.gid_guid);
		IBTF_DPRINTF_L5(cmlog, "ibcm_set_qp_from_apr:"
		    " ibtl_cm_get_hca_port sgid prefix %llX ",
		    adds->av_sgid.gid_prefix);
		return (IBCM_FAILURE);
	}

	IBCM_QP_RC(qp_attrs).rc_alt_path.cep_hca_port_num =
	    port.hp_port;

	IBTF_DPRINTF_L4(cmlog, "ibcm_set_qp_from_apr: "
	    "gid = %llx:%llx, port_num = %d",
	    IBCM_QP_RC(qp_attrs).rc_alt_path.cep_adds_vect.av_sgid.
	    gid_prefix,
	    IBCM_QP_RC(qp_attrs).rc_alt_path.cep_adds_vect.av_sgid.gid_guid,
	    port.hp_port);

	/* The pkey is same as the primary path */
	status = ibt_pkey2index_byguid(statep->local_hca_guid,
	    port.hp_port, statep->pkey,
	    &IBCM_QP_RC(qp_attrs).rc_alt_path.cep_pkey_ix);

	if (status != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_set_qp_from_apr: "
		    "ibt_pkey2index_byguid failed %d", status);
		return (IBCM_FAILURE);
	}
	qp_attrs.qp_info.qp_trans = IBT_RC_SRV;
	IBCM_QP_RC(qp_attrs).rc_alt_path.cep_timeout =
	    ibt_usec2ib(statep->remote_ack_delay +
	    2 * statep->rc_alt_pkt_lt);
	if (IBCM_QP_RC(qp_attrs).rc_mig_state == IBT_STATE_MIGRATED) {
		/* Need to rearm */
		IBTF_DPRINTF_L3(cmlog, "ibcm_set_qp_from_apr: statep 0x%p: "
		    "rearming APM", statep);
		cep_flags |= IBT_CEP_SET_MIG;
		IBCM_QP_RC(qp_attrs).rc_mig_state = IBT_STATE_REARMED;
	}

	status = ibt_modify_qp(statep->channel, cep_flags, &qp_attrs.qp_info,
	    NULL);

	if (status != IBT_SUCCESS)
		ibcm_insert_trace(statep, IBCM_TRACE_SET_ALT_FAIL);
	else
		ibcm_insert_trace(statep, IBCM_TRACE_SET_ALT);

#ifdef	DEBUG
	(void) ibt_query_qp(statep->channel, &qp_attrs);
	print_modify_qp("ACTIVE LAP QUERY", statep->channel,
	    cep_flags, &qp_attrs.qp_info);
#endif

	if (status != IBT_SUCCESS) {
		IBTF_DPRINTF_L2(cmlog, "ibcm_set_qp_from_apr:"
		    " ibt_modify_qp() failed, status = %d", status);
		return (IBCM_FAILURE);
	}

	return (IBCM_SUCCESS);
}

/*
 * ibcm_sync_lapr_idle:
 *
 *	This call either cancels a LAP/APR operation or waits
 *	until the operation is complete
 *
 * INPUTS:
 *	statep	Pointer to ibcm_state_data_t
 *
 * RETURN VALUE: NONE
 *
 * This function is called holding state mutex
 * This function returns, releasing the state mutex
 */
void
ibcm_sync_lapr_idle(ibcm_state_data_t *statep)
{
	timeout_id_t	timer_val = statep->timerid;
	ibt_cm_event_t	event;

	IBTF_DPRINTF_L3(cmlog, "ibcm_sync_lapr_idle:"
	    "statep %p state %d ap_state %d", statep, statep->state,
	    statep->ap_state);

	ASSERT(MUTEX_HELD(&statep->state_mutex));
	_NOTE(LOCK_RELEASED_AS_SIDE_EFFECT(&statep->state_mutex))

	/* Busy AP states on active/passive sides */
	if ((statep->ap_state == IBCM_AP_STATE_LAP_RCVD) ||
	    (statep->ap_state == IBCM_AP_STATE_APR_RCVD) ||
	    (statep->ap_state == IBCM_AP_STATE_MRA_LAP_SENT) ||
	    (statep->ap_state == IBCM_AP_STATE_TIMED_OUT)) {

		/* wait till ap_state becomes IBCM_AP_STATE_IDLE */
		while (statep->ap_state != IBCM_AP_STATE_IDLE)
			cv_wait(&statep->block_mad_cv, &statep->state_mutex);

		mutex_exit(&statep->state_mutex);

	} else if ((statep->ap_state == IBCM_AP_STATE_LAP_SENT) ||
	    (statep->ap_state == IBCM_AP_STATE_MRA_LAP_RCVD)) {

		/* fail the client's ibt_set_alt_path */

		/* blocking ibt_set_alt_path */
		if (statep->ap_return_data != NULL) {
			statep->ap_return_data->ap_status =
			    IBT_CM_AP_ABORT;
			statep->ap_state = IBCM_AP_STATE_IDLE;
			cv_broadcast(&statep->block_client_cv);
			IBTF_DPRINTF_L3(cmlog, "ibcm_sync_lapr_idle:"
			    "blocked wait");
		}

		statep->timerid = 0;
		/* Cancel the timeout */
		mutex_exit(&statep->state_mutex);
		if (timer_val != 0)
			(void) untimeout(timer_val);

		/* Non blocking ibt_set_alt_path */
		if (statep->ap_return_data == NULL) {

			/* Fill up the event */

			bzero(&event, sizeof (event));
			event.cm_type = IBT_CM_EVENT_APR_RCV;
			event.cm_channel = statep->channel;
			event.cm_session_id = NULL;
			event.cm_priv_data = NULL;
			event.cm_priv_data_len =  0;
			event.cm_event.apr.apr_status = IBT_CM_AP_ABORT;

			/* Call the cm handler */
			statep->cm_handler(statep->state_cm_private, &event,
			    NULL, NULL, 0);
			IBTF_DPRINTF_L3(cmlog, "ibcm_sync_lapr_idle:"
			    "non-blocked wait");
		}
	} else mutex_exit(&statep->state_mutex);

	ASSERT(!MUTEX_HELD(&statep->state_mutex));
}

#ifdef DEBUG

/*
 * Debug function used to print all the modify qp attributes.
 * Useful to manually verify the modify qp parameters are as
 * expected
 */
static void
print_modify_qp(char *prefix, ibt_qp_hdl_t ibt_qp,
    ibt_cep_modify_flags_t flags, ibt_qp_info_t *qp_attr)
{
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP %s %p", prefix, ibt_qp);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP flags 0x%x", flags);

	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP "
	    "rc_rdma_ra_in %d rc_rdma_ra_out %d",
	    qp_attr->qp_transport.rc.rc_rdma_ra_in,
	    qp_attr->qp_transport.rc.rc_rdma_ra_out);

	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP primary: "
	    "port %d path bits %d dlid %X",
	    qp_attr->qp_transport.rc.rc_path.cep_hca_port_num,
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_src_path,
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_dlid);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP primary: "
	    "pkey index %d cep_timeout %d",
	    qp_attr->qp_transport.rc.rc_path.cep_pkey_ix,
	    qp_attr->qp_transport.rc.rc_path.cep_timeout);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP primary: "
	    "srvl %d flow label %d tclass %d",
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_srvl,
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_flow,
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_tclass);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP primary: "
	    "hop %d srate %d sgid_ix %d send_grh %d",
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_hop,
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_srate,
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_sgid_ix,
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_send_grh);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP primary: "
	    "dgid prefix %llX dgid guid %llX",
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_dgid.gid_prefix,
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_dgid.gid_guid);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP primary: "
	    "sgid prefix %llX sgid guid %llX",
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_sgid.gid_prefix,
	    qp_attr->qp_transport.rc.rc_path.cep_adds_vect.av_sgid.gid_guid);

	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP alternate: "
	    "port %d path bits %d dlid %X",
	    qp_attr->qp_transport.rc.rc_alt_path.cep_hca_port_num,
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_src_path,
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_dlid);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP alternate: "
	    "pkey index %d cep_timeout %d",
	    qp_attr->qp_transport.rc.rc_alt_path.cep_pkey_ix,
	    qp_attr->qp_transport.rc.rc_alt_path.cep_timeout);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP alternate: "
	    "srvl %d flow label %d tclass %d",
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_srvl,
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_flow,
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_tclass);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP alternate: "
	    "hop %d srate %d sgid_ix %d send_grh %d",
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_hop,
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_srate,
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_sgid_ix,
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_send_grh);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP alternate: "
	    "dgid prefix %llX dgid guid %llX",
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_dgid.
	    gid_prefix,
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_dgid.
	    gid_guid);
	IBTF_DPRINTF_L4(cmlog, "PRINT_MODIFY_QP alternate: "
	    "sgid prefix %llX sgid guid %llX",
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_sgid.
	    gid_prefix,
	    qp_attr->qp_transport.rc.rc_alt_path.cep_adds_vect.av_sgid.
	    gid_guid);
}
#endif