xref: /titanic_51/usr/src/uts/common/io/scsi/adapters/iscsi/iscsi_io.c (revision d72ea40e44b64f5cdf1bbf852c8887bbe45b3dbe)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2000 by Cisco Systems, Inc.  All rights reserved.
23  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
25  *
26  * iSCSI Pseudo HBA Driver
27  */
28 
29 #include <sys/socket.h>		/* networking stuff */
30 #include <sys/t_kuser.h>	/* networking stuff */
31 #include <sys/tihdr.h>		/* networking stuff */
32 #include <sys/strsubr.h>	/* networking stuff */
33 #include <netinet/tcp.h>	/* TCP_NODELAY */
34 #include <sys/socketvar.h>	/* _ALLOC_SLEEP */
35 #include <sys/strsun.h>		/* DB_TYPE() */
36 #include <sys/scsi/generic/sense.h>
37 
38 #include "iscsi.h"		/* iscsi driver */
39 #include <sys/iscsi_protocol.h>	/* iscsi protocol */
40 
41 #define	ISCSI_INI_TASK_TTT	0xffffffff
42 #define	ISCSI_CONN_TIEMOUT_DETECT	20
43 
44 boolean_t iscsi_io_logging = B_FALSE;
45 
46 #define	ISCSI_CHECK_SCSI_READ(ICHK_CMD, ICHK_HDR, ICHK_LEN, ICHK_TYPE)	\
47 	if (idm_pattern_checking)  {					\
48 		struct scsi_pkt *pkt = (ICHK_CMD)->cmd_un.scsi.pkt;	\
49 		if (((ICHK_HDR)->response == 0) && 			\
50 		    ((ICHK_HDR)->cmd_status == 0) &&			\
51 		    ((pkt->pkt_cdbp[0] == SCMD_READ_G1) ||		\
52 		    (pkt->pkt_cdbp[0] == SCMD_READ_G4) || 		\
53 		    (pkt->pkt_cdbp[0] == SCMD_READ) || 			\
54 		    (pkt->pkt_cdbp[0] == SCMD_READ_G5))) {		\
55 			idm_buf_t *idb = (ICHK_CMD)->cmd_un.scsi.ibp_ibuf; \
56 			IDM_BUFPAT_CHECK(idb, ICHK_LEN, ICHK_TYPE); \
57 		}						\
58 	}
59 
60 /* Size of structure scsi_arq_status without sense data. */
61 #define	ISCSI_ARQ_STATUS_NOSENSE_LEN	(sizeof (struct scsi_arq_status) - \
62     sizeof (struct scsi_extended_sense))
63 
64 /* generic io helpers */
65 static uint32_t n2h24(uchar_t *ptr);
66 static int iscsi_sna_lt(uint32_t n1, uint32_t n2);
67 void iscsi_update_flow_control(iscsi_sess_t *isp,
68     uint32_t max, uint32_t exp);
69 static iscsi_status_t iscsi_rx_process_scsi_itt_to_icmdp(iscsi_sess_t *isp,
70     idm_conn_t *ic, iscsi_scsi_rsp_hdr_t *ihp, iscsi_cmd_t **icmdp);
71 static iscsi_status_t iscsi_rx_process_itt_to_icmdp(iscsi_sess_t *isp,
72     iscsi_hdr_t *ihp, iscsi_cmd_t **icmdp);
73 static void iscsi_process_rsp_status(iscsi_sess_t *isp, iscsi_conn_t *icp,
74     idm_status_t status);
75 static void iscsi_drop_conn_cleanup(iscsi_conn_t *icp);
76 static boolean_t iscsi_nop_timeout_checks(iscsi_cmd_t *icmdp);
77 /* callbacks from idm */
78 static idm_pdu_cb_t iscsi_tx_done;
79 
80 /* receivers */
81 static idm_status_t iscsi_rx_process_nop(idm_conn_t *ic, idm_pdu_t *pdu);
82 static idm_status_t iscsi_rx_process_data_rsp(idm_conn_t *ic,
83     idm_pdu_t *pdu);
84 static idm_status_t iscsi_rx_process_cmd_rsp(idm_conn_t *ic, idm_pdu_t *pdu);
85 static idm_status_t iscsi_rx_process_reject_rsp(idm_conn_t *ic,
86     idm_pdu_t *pdu);
87 
88 static idm_status_t iscsi_rx_process_rejected_tsk_mgt(idm_conn_t *ic,
89     iscsi_hdr_t *old_ihp);
90 static idm_status_t iscsi_rx_process_task_mgt_rsp(idm_conn_t *ic,
91     idm_pdu_t *pdu);
92 static idm_status_t iscsi_rx_process_logout_rsp(idm_conn_t *ic,
93     idm_pdu_t *pdu);
94 static idm_status_t iscsi_rx_process_async_rsp(idm_conn_t *ic,
95     idm_pdu_t *pdu);
96 static idm_status_t iscsi_rx_process_text_rsp(idm_conn_t *ic,
97     idm_pdu_t *pdu);
98 
99 /* senders */
100 static iscsi_status_t iscsi_tx_scsi(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
101 static iscsi_status_t iscsi_tx_nop(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
102 static iscsi_status_t iscsi_tx_abort(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
103 static iscsi_status_t iscsi_tx_reset(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
104 static iscsi_status_t iscsi_tx_logout(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
105 static iscsi_status_t iscsi_tx_text(iscsi_sess_t *isp, iscsi_cmd_t *icmdp);
106 
107 
108 /* helpers */
109 static void iscsi_logout_start(void *arg);
110 static void iscsi_handle_passthru_callback(struct scsi_pkt *pkt);
111 static void iscsi_handle_nop(iscsi_conn_t *icp, uint32_t itt, uint32_t ttt);
112 
113 static void iscsi_timeout_checks(iscsi_sess_t *isp);
114 static void iscsi_nop_checks(iscsi_sess_t *isp);
115 static boolean_t iscsi_decode_sense(uint8_t *sense_data, iscsi_cmd_t *icmdp);
116 static void iscsi_flush_cmd_after_reset(uint32_t cmd_sn, uint16_t lun_num,
117     iscsi_conn_t *icp);
118 
119 /*
120  * This file contains the main guts of the iSCSI protocol layer.
121  * It's broken into 5 sections; Basic helper functions, RX IO path,
122  * TX IO path, Completion (IC) IO path, and watchdog (WD) routines.
123  *
124  * The IO flow model is similiar to the below diagram.  The
125  * iscsi session, connection and command state machines are used
126  * to drive IO through this flow diagram.  Reference those files
127  * to get a detailed description of their respective state models
128  * prior to their xxx_state_machine_function().
129  *
130  * tran_start() -> CMD_E1     TX_THREAD                   RX_THREAD
131  *                   |            T                           T
132  *                   V            T                           T
133  *                PENDING_Q  --CMD_E2--> ACTIVE_Q -      --CMD_E3--+
134  *                                T                \ C        T    |
135  *                                T                 \M        T    |
136  *                                                   D        T    |
137  *                                       WD_THREAD TT|TT      T    |
138  *                                                  /E        T    |
139  *                                                 / 6        T    |
140  *                                     ABORTING_Q<-      --CMD_E3--+
141  *                                                            T    |
142  *                                T                           T    |
143  *                                T                                |
144  *               callback()  <--CMD_E#-- COMPLETION_Q <------------+
145  *                                T
146  *                                T
147  *                            IC_THREAD
148  *
149  * External and internal command are ran thru this same state
150  * machine.  All commands enter the state machine by receiving an
151  * ISCSI_CMD_EVENT_E1.  This event places the command into the
152  * PENDING_Q.  Next when resources are available the TX_THREAD
153  * issues a E2 event on the command.  This sends the command
154  * to the TCP stack and places the command on the ACTIVE_Q.  While
155  * on the PENDIING_Q and ACTIVE_Q, the command is monitored via the
156  * WD_THREAD to ensure the pkt_time has not elapsed.  If elapsed the
157  * command is issued an E6(timeout) event which moves either (if pending)
158  * completed the command or (if active) moves the command to the
159  * aborting queue and issues a SCSI TASK MANAGEMENT ABORT command
160  * to cancel the IO request.  If the original command is completed
161  * or the TASK MANAGEMENT command completes the command is moved
162  * to the COMPLETION_Q via a E3 event.  The IC_THREAD then processes
163  * the COMPLETION_Q and issues the scsi_pkt callback.  This
164  * callback can not be processed directly from the RX_THREAD
165  * because the callback might call back into the iscsi driver
166  * causing a deadlock condition.
167  *
168  * For more details on the complete CMD state machine reference
169  * the state machine diagram in iscsi_cmd.c.  The connection state
170  * machine is driven via IO events in this file.  Then session
171  * events are driven by the connection events.  For complete
172  * details on these state machines reference iscsi_sess.c and
173  * iscsi_conn.c
174  */
175 
176 
177 /*
178  * +--------------------------------------------------------------------+
179  * | io helper routines							|
180  * +--------------------------------------------------------------------+
181  */
182 
183 /*
184  * n2h24 - native to host 24 bit integer translation.
185  */
186 static uint32_t
187 n2h24(uchar_t *ptr)
188 {
189 	uint32_t idx;
190 	bcopy(ptr, &idx, 3);
191 	return (ntohl(idx) >> 8);
192 }
193 
194 /*
195  * iscsi_sna_lt - Serial Number Arithmetic, 32 bits, less than, RFC1982
196  */
197 static int
198 iscsi_sna_lt(uint32_t n1, uint32_t n2)
199 {
200 	return ((n1 != n2) &&
201 	    (((n1 < n2) && ((n2 - n1) < ISCSI_SNA32_CHECK)) ||
202 	    ((n1 > n2) && ((n1 - n2) > ISCSI_SNA32_CHECK))));
203 }
204 
205 /*
206  * iscsi_sna_lte - Serial Number Arithmetic, 32 bits, less than or equal,
207  * RFC1982
208  */
209 int
210 iscsi_sna_lte(uint32_t n1, uint32_t n2)
211 {
212 	return ((n1 == n2) ||
213 	    (((n1 < n2) && ((n2 - n1) < ISCSI_SNA32_CHECK)) ||
214 	    ((n1 > n2) && ((n1 - n2) > ISCSI_SNA32_CHECK))));
215 }
216 
217 /*
218  * iscsi_update_flow_control - Update expcmdsn and maxcmdsn iSCSI
219  * flow control information for a session
220  */
221 void
222 iscsi_update_flow_control(iscsi_sess_t *isp, uint32_t max, uint32_t exp)
223 {
224 	ASSERT(isp != NULL);
225 	ASSERT(mutex_owned(&isp->sess_cmdsn_mutex));
226 
227 	if (!iscsi_sna_lt(max, (exp - 1))) {
228 
229 		if (!iscsi_sna_lte(exp, isp->sess_expcmdsn)) {
230 			isp->sess_expcmdsn = exp;
231 		}
232 
233 		if (!iscsi_sna_lte(max, isp->sess_maxcmdsn)) {
234 			isp->sess_maxcmdsn = max;
235 			if (iscsi_sna_lte(isp->sess_cmdsn,
236 			    isp->sess_maxcmdsn)) {
237 				/*
238 				 * the window is open again - schedule
239 				 * to send any held tasks soon
240 				 */
241 				iscsi_sess_redrive_io(isp);
242 			}
243 		}
244 	}
245 }
246 
247 
248 /*
249  * +--------------------------------------------------------------------+
250  * | io receive and processing routines					|
251  * +--------------------------------------------------------------------+
252  */
253 
254 /*
255  * iscsi_rx_scsi_rsp - called from idm
256  * For each opcode type fan out the processing.
257  */
258 void
259 iscsi_rx_scsi_rsp(idm_conn_t *ic, idm_pdu_t *pdu)
260 {
261 	iscsi_conn_t	*icp;
262 	iscsi_sess_t	*isp;
263 	iscsi_hdr_t	*ihp;
264 	idm_status_t	status;
265 
266 	ASSERT(ic != NULL);
267 	ASSERT(pdu != NULL);
268 	icp		= ic->ic_handle;
269 	ASSERT(icp != NULL);
270 	ihp		= (iscsi_hdr_t *)pdu->isp_hdr;
271 	ASSERT(ihp != NULL);
272 	isp		= icp->conn_sess;
273 	ASSERT(isp != NULL);
274 
275 	/* reset the session timer when we receive the response */
276 	isp->sess_rx_lbolt = icp->conn_rx_lbolt = ddi_get_lbolt();
277 
278 	/* fan out the hdr processing */
279 	switch (ihp->opcode & ISCSI_OPCODE_MASK) {
280 	case ISCSI_OP_SCSI_DATA_RSP:
281 		status = iscsi_rx_process_data_rsp(ic, pdu);
282 		break;
283 	case ISCSI_OP_SCSI_RSP:
284 		status = iscsi_rx_process_cmd_rsp(ic, pdu);
285 		idm_pdu_complete(pdu, status);
286 		break;
287 	default:
288 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
289 		    "received pdu with unsupported opcode 0x%02x",
290 		    icp->conn_oid, ihp->opcode);
291 		status = IDM_STATUS_PROTOCOL_ERROR;
292 	}
293 	iscsi_process_rsp_status(isp, icp, status);
294 }
295 
296 void
297 iscsi_task_cleanup(int opcode, iscsi_cmd_t *icmdp)
298 {
299 	struct buf 	*bp;
300 	idm_buf_t	*ibp, *obp;
301 	idm_task_t	*itp;
302 
303 	itp = icmdp->cmd_itp;
304 	ASSERT(itp != NULL);
305 	ASSERT((opcode == ISCSI_OP_SCSI_DATA_RSP) ||
306 	    (opcode == ISCSI_OP_SCSI_RSP));
307 
308 	bp = icmdp->cmd_un.scsi.bp;
309 	ibp = icmdp->cmd_un.scsi.ibp_ibuf;
310 	obp = icmdp->cmd_un.scsi.ibp_obuf;
311 	ISCSI_IO_LOG(CE_NOTE, "DEBUG: task_cleanup: itp: %p opcode: %d "
312 	    "icmdp: %p bp: %p ibp: %p", (void *)itp, opcode,
313 	    (void *)icmdp, (void *)bp, (void *)ibp);
314 	if (bp && bp->b_bcount) {
315 		if (ibp != NULL && bp->b_flags & B_READ) {
316 			idm_buf_unbind_in(itp, ibp);
317 			idm_buf_free(ibp);
318 			icmdp->cmd_un.scsi.ibp_ibuf = NULL;
319 		} else if (obp != NULL && !(bp->b_flags & B_READ)) {
320 			idm_buf_unbind_out(itp, obp);
321 			idm_buf_free(obp);
322 			icmdp->cmd_un.scsi.ibp_obuf = NULL;
323 		}
324 	}
325 
326 	idm_task_done(itp);
327 }
328 
329 idm_status_t
330 iscsi_rx_chk(iscsi_conn_t *icp, iscsi_sess_t *isp,
331     iscsi_scsi_rsp_hdr_t *irhp, iscsi_cmd_t **icmdp)
332 {
333 	iscsi_status_t rval;
334 
335 	mutex_enter(&isp->sess_cmdsn_mutex);
336 
337 	if (icp->conn_expstatsn == ntohl(irhp->statsn)) {
338 		icp->conn_expstatsn++;
339 	} else {
340 		cmn_err(CE_WARN, "iscsi connection(%u/%x) protocol error - "
341 		    "received status out of order itt:0x%x statsn:0x%x "
342 		    "expstatsn:0x%x", icp->conn_oid, irhp->opcode,
343 		    irhp->itt, ntohl(irhp->statsn), icp->conn_expstatsn);
344 		mutex_exit(&isp->sess_cmdsn_mutex);
345 		return (IDM_STATUS_PROTOCOL_ERROR);
346 	}
347 
348 	/* get icmdp so we can cleanup on error */
349 	if ((irhp->opcode == ISCSI_OP_SCSI_DATA_RSP) ||
350 	    (irhp->opcode == ISCSI_OP_SCSI_RSP)) {
351 		rval = iscsi_rx_process_scsi_itt_to_icmdp(isp, icp->conn_ic,
352 		    irhp, icmdp);
353 	} else {
354 		rval = iscsi_rx_process_itt_to_icmdp(isp,
355 		    (iscsi_hdr_t *)irhp, icmdp);
356 	}
357 
358 	if (!ISCSI_SUCCESS(rval)) {
359 		mutex_exit(&isp->sess_cmdsn_mutex);
360 		return (IDM_STATUS_PROTOCOL_ERROR);
361 	}
362 
363 	/* update expcmdsn and maxcmdsn */
364 	iscsi_update_flow_control(isp, ntohl(irhp->maxcmdsn),
365 	    ntohl(irhp->expcmdsn));
366 	mutex_exit(&isp->sess_cmdsn_mutex);
367 	return (IDM_STATUS_SUCCESS);
368 }
369 
370 static void
371 iscsi_cmd_rsp_chk(iscsi_cmd_t *icmdp, iscsi_scsi_rsp_hdr_t *issrhp)
372 {
373 	struct scsi_pkt *pkt;
374 	size_t data_transferred;
375 
376 	pkt = icmdp->cmd_un.scsi.pkt;
377 	pkt->pkt_resid = 0;
378 	data_transferred = icmdp->cmd_un.scsi.data_transferred;
379 	/* Check the residual count */
380 	if ((icmdp->cmd_un.scsi.bp) &&
381 	    (data_transferred != icmdp->cmd_un.scsi.bp->b_bcount)) {
382 		/*
383 		 * We didn't xfer the expected amount of data -
384 		 * the residual_count in the header is only
385 		 * valid if the underflow flag is set.
386 		 */
387 		if (issrhp->flags & ISCSI_FLAG_CMD_UNDERFLOW) {
388 			pkt->pkt_resid = ntohl(issrhp->residual_count);
389 		} else {
390 			if (icmdp->cmd_un.scsi.bp->b_bcount >
391 			    data_transferred) {
392 				/*
393 				 * Some data fell on the floor
394 				 * somehow - probably a CRC error
395 				 */
396 				pkt->pkt_resid =
397 				    icmdp->cmd_un.scsi.bp->b_bcount -
398 				    data_transferred;
399 			}
400 		}
401 		ISCSI_IO_LOG(CE_NOTE,
402 		    "DEBUG: iscsi_rx_cmd_rsp_chk: itt: %u"
403 		    "data_trans != b_count data_transferred: %lu "
404 		    "b_count: %lu cmd_status: %d flags: %d resid: %lu",
405 		    issrhp->itt, data_transferred,
406 		    icmdp->cmd_un.scsi.bp->b_bcount,
407 		    issrhp->cmd_status & STATUS_MASK,
408 		    issrhp->flags, pkt->pkt_resid);
409 	}
410 	/* set flags that tell SCSA that the command is complete */
411 	if (icmdp->cmd_crc_error_seen == B_FALSE) {
412 		/* Set successful completion */
413 		pkt->pkt_reason = CMD_CMPLT;
414 		if (icmdp->cmd_un.scsi.bp) {
415 			pkt->pkt_state |= (STATE_XFERRED_DATA |
416 			    STATE_GOT_STATUS);
417 		} else {
418 			pkt->pkt_state |= STATE_GOT_STATUS;
419 		}
420 	} else {
421 		/*
422 		 * Some of the data was found to have an incorrect
423 		 * error at the protocol error.
424 		 */
425 		pkt->pkt_reason = CMD_PER_FAIL;
426 		pkt->pkt_statistics |= STAT_PERR;
427 		if (icmdp->cmd_un.scsi.bp) {
428 			pkt->pkt_resid =
429 			    icmdp->cmd_un.scsi.bp->b_bcount;
430 		} else {
431 			pkt->pkt_resid = 0;
432 		}
433 	}
434 }
435 
436 static boolean_t
437 iscsi_cmd_rsp_cmd_status(iscsi_cmd_t *icmdp, iscsi_scsi_rsp_hdr_t *issrhp,
438     uint8_t *data)
439 {
440 	int32_t			dlength;
441 	struct scsi_arq_status	*arqstat;
442 	size_t			senselen;
443 	int32_t			statuslen;
444 	int32_t			sensebuf_len;
445 	struct scsi_pkt		*pkt;
446 	boolean_t		affect = B_FALSE;
447 	int32_t			senselen_to_copy;
448 
449 	pkt = icmdp->cmd_un.scsi.pkt;
450 	dlength = n2h24(issrhp->dlength);
451 
452 	/*
453 	 * Process iSCSI Cmd Response Status
454 	 * RFC 3720 Sectionn 10.4.2.
455 	 */
456 	switch (issrhp->cmd_status & STATUS_MASK) {
457 	case STATUS_GOOD:
458 		/* pass SCSI status up stack */
459 		if (pkt->pkt_scbp) {
460 			pkt->pkt_scbp[0] = issrhp->cmd_status;
461 		}
462 		break;
463 	case STATUS_CHECK:
464 		/*
465 		 * Verify we received a sense buffer and
466 		 * that there is the correct amount of
467 		 * request sense space to copy it to.
468 		 */
469 		if ((dlength > 1) &&
470 		    (pkt->pkt_scbp != NULL) &&
471 		    (icmdp->cmd_un.scsi.statuslen >=
472 		    sizeof (struct scsi_arq_status))) {
473 			/*
474 			 * If a bad command status is received we
475 			 * need to reset the pkt_resid to zero.
476 			 * The target driver compares its value
477 			 * before checking other error flags.
478 			 * (ex. check conditions)
479 			 */
480 			pkt->pkt_resid = 0;
481 
482 			/* get sense length from first 2 bytes */
483 			senselen = ((data[0] << 8) | data[1]) &
484 			    (size_t)0xFFFF;
485 			ISCSI_IO_LOG(CE_NOTE,
486 			    "DEBUG: iscsi_rx_cmd_rsp_cmd_status status_check: "
487 			    "dlen: %d scbp: %p statuslen: %d arq: %d senselen:"
488 			    " %lu", dlength, (void *)pkt->pkt_scbp,
489 			    icmdp->cmd_un.scsi.statuslen,
490 			    (int)sizeof (struct scsi_arq_status),
491 			    senselen);
492 
493 			/* Sanity-check on the sense length */
494 			if ((senselen + 2) > dlength) {
495 				senselen = dlength - 2;
496 			}
497 
498 			/*
499 			 * If there was a Data Digest error then
500 			 * the sense data cannot be trusted.
501 			 */
502 			if (icmdp->cmd_crc_error_seen) {
503 				senselen = 0;
504 			}
505 
506 			/* automatic request sense */
507 			arqstat =
508 			    (struct scsi_arq_status *)pkt->pkt_scbp;
509 
510 			/* pass SCSI status up stack */
511 			*((uchar_t *)&arqstat->sts_status) =
512 			    issrhp->cmd_status;
513 
514 			/*
515 			 * Set the status for the automatic
516 			 * request sense command
517 			 */
518 			arqstat->sts_rqpkt_state = (STATE_GOT_BUS |
519 			    STATE_GOT_TARGET | STATE_SENT_CMD |
520 			    STATE_XFERRED_DATA | STATE_GOT_STATUS |
521 			    STATE_ARQ_DONE);
522 
523 			*((uchar_t *)&arqstat->sts_rqpkt_status) =
524 			    STATUS_GOOD;
525 
526 			arqstat->sts_rqpkt_reason = CMD_CMPLT;
527 			statuslen = icmdp->cmd_un.scsi.statuslen;
528 
529 			if (senselen == 0) {
530 				/* auto request sense failed */
531 				arqstat->sts_rqpkt_status.sts_chk = 1;
532 				arqstat->sts_rqpkt_resid = statuslen;
533 			} else if (senselen < statuslen) {
534 				/* auto request sense short */
535 				arqstat->sts_rqpkt_resid = statuslen - senselen;
536 			} else {
537 				/* auto request sense complete */
538 				arqstat->sts_rqpkt_resid = 0;
539 			}
540 			arqstat->sts_rqpkt_statistics = 0;
541 			pkt->pkt_state |= STATE_ARQ_DONE;
542 
543 			if (icmdp->cmd_misc_flags & ISCSI_CMD_MISCFLAG_XARQ) {
544 				pkt->pkt_state |= STATE_XARQ_DONE;
545 			}
546 
547 			/*
548 			 * Calculate size of space reserved for sense data in
549 			 * pkt->pkt_scbp.
550 			 */
551 			sensebuf_len = statuslen - ISCSI_ARQ_STATUS_NOSENSE_LEN;
552 
553 			/* copy auto request sense */
554 			senselen_to_copy = min(senselen, sensebuf_len);
555 			if (senselen_to_copy > 0) {
556 				bcopy(&data[2], (uchar_t *)&arqstat->
557 				    sts_sensedata, senselen_to_copy);
558 
559 				affect = iscsi_decode_sense(
560 				    (uint8_t *)&arqstat->sts_sensedata, icmdp);
561 			}
562 			arqstat->sts_rqpkt_resid = sensebuf_len -
563 			    senselen_to_copy;
564 			ISCSI_IO_LOG(CE_NOTE, "DEBUG: iscsi_cmd_rsp_cmd_status:"
565 			    " sts_rqpkt_resid: %d pkt_scblen: %d senselen: %lu"
566 			    " sensebuf_len: %d senselen_to_copy: %d affect: %d",
567 			    arqstat->sts_rqpkt_resid, pkt->pkt_scblen, senselen,
568 			    sensebuf_len, senselen_to_copy, affect);
569 			break;
570 		}
571 		/* FALLTHRU */
572 	case STATUS_BUSY:
573 	case STATUS_RESERVATION_CONFLICT:
574 	case STATUS_QFULL:
575 	case STATUS_ACA_ACTIVE:
576 	default:
577 		/*
578 		 * If a bad command status is received we need to
579 		 * reset the pkt_resid to zero.  The target driver
580 		 * compares its value before checking other error
581 		 * flags. (ex. check conditions)
582 		 */
583 		ISCSI_IO_LOG(CE_NOTE,
584 		    "DEBUG: iscsi_rx_cmd_rsp_cmd_status: status: "
585 		    "%d cmd_status: %d dlen: %u scbp: %p statuslen: %d "
586 		    "arg_len: %d", issrhp->cmd_status & STATUS_MASK,
587 		    issrhp->cmd_status, dlength, (void *)pkt->pkt_scbp,
588 		    icmdp->cmd_un.scsi.statuslen,
589 		    (int)sizeof (struct scsi_arq_status));
590 		pkt->pkt_resid = 0;
591 		/* pass SCSI status up stack */
592 		if (pkt->pkt_scbp) {
593 			pkt->pkt_scbp[0] = issrhp->cmd_status;
594 		}
595 	}
596 
597 	return (affect);
598 }
599 
600 /*
601  * iscsi_rx_process_login_pdup - Process login response PDU.  This function
602  * copies the data into the connection context so that the login code can
603  * interpret it.
604  */
605 
606 idm_status_t
607 iscsi_rx_process_login_pdu(idm_conn_t *ic, idm_pdu_t *pdu)
608 {
609 	iscsi_conn_t 		*icp;
610 
611 	icp = ic->ic_handle;
612 
613 	/*
614 	 * Copy header and data into connection structure so iscsi_login()
615 	 * can process it.
616 	 */
617 	mutex_enter(&icp->conn_login_mutex);
618 	/*
619 	 * If conn_login_state != LOGIN_TX then we are not ready to handle
620 	 * this login response and we should just  drop it.
621 	 */
622 	if (icp->conn_login_state == LOGIN_TX) {
623 		icp->conn_login_datalen = pdu->isp_datalen;
624 		bcopy(pdu->isp_hdr, &icp->conn_login_resp_hdr,
625 		    sizeof (iscsi_hdr_t));
626 		/*
627 		 * Login code is sloppy with it's NULL handling so make sure
628 		 * we don't leave any stale data in there.
629 		 */
630 		bzero(icp->conn_login_data, icp->conn_login_max_data_length);
631 		bcopy(pdu->isp_data, icp->conn_login_data,
632 		    MIN(pdu->isp_datalen, icp->conn_login_max_data_length));
633 		iscsi_login_update_state_locked(icp, LOGIN_RX);
634 	}
635 	mutex_exit(&icp->conn_login_mutex);
636 
637 	return (IDM_STATUS_SUCCESS);
638 }
639 
640 /*
641  * iscsi_rx_process_cmd_rsp - Process received scsi command response.  This
642  * will contain sense data if the command was not successful.  This data needs
643  * to be copied into the scsi_pkt.  Otherwise we just complete the IO.
644  */
645 static idm_status_t
646 iscsi_rx_process_cmd_rsp(idm_conn_t *ic, idm_pdu_t *pdu)
647 {
648 	iscsi_conn_t		*icp	= ic->ic_handle;
649 	iscsi_sess_t		*isp	= icp->conn_sess;
650 	iscsi_scsi_rsp_hdr_t	*issrhp	= (iscsi_scsi_rsp_hdr_t *)pdu->isp_hdr;
651 	uint8_t			*data	= pdu->isp_data;
652 	iscsi_cmd_t		*icmdp	= NULL;
653 	struct scsi_pkt		*pkt	= NULL;
654 	idm_status_t		rval;
655 	struct buf		*bp;
656 	boolean_t		flush	= B_FALSE;
657 	uint32_t		cmd_sn	= 0;
658 	uint16_t		lun_num = 0;
659 
660 	/* make sure we get status in order */
661 	mutex_enter(&icp->conn_queue_active.mutex);
662 
663 	if ((rval = iscsi_rx_chk(icp, isp, issrhp,
664 	    &icmdp)) != IDM_STATUS_SUCCESS) {
665 		if (icmdp != NULL) {
666 			iscsi_task_cleanup(issrhp->opcode, icmdp);
667 		}
668 		mutex_exit(&icp->conn_queue_active.mutex);
669 		return (rval);
670 	}
671 
672 	/*
673 	 * If we are in "idm aborting" state then we shouldn't continue
674 	 * to process this command.  By definition this command is no longer
675 	 * on the active queue so we shouldn't try to remove it either.
676 	 */
677 	mutex_enter(&icmdp->cmd_mutex);
678 	if (icmdp->cmd_state == ISCSI_CMD_STATE_IDM_ABORTING) {
679 		mutex_exit(&icmdp->cmd_mutex);
680 		mutex_exit(&icp->conn_queue_active.mutex);
681 		return (IDM_STATUS_SUCCESS);
682 	}
683 	mutex_exit(&icmdp->cmd_mutex);
684 
685 	/* Get the IDM buffer and bytes transferred */
686 	bp = icmdp->cmd_un.scsi.bp;
687 	if (ic->ic_conn_flags & IDM_CONN_USE_SCOREBOARD) {
688 		/* Transport tracks bytes transferred so use those counts */
689 		if (bp && (bp->b_flags & B_READ)) {
690 			icmdp->cmd_un.scsi.data_transferred +=
691 			    icmdp->cmd_itp->idt_rx_bytes;
692 		} else {
693 			icmdp->cmd_un.scsi.data_transferred +=
694 			    icmdp->cmd_itp->idt_tx_bytes;
695 		}
696 	} else {
697 		/*
698 		 * Some transports cannot track the bytes transferred on
699 		 * the initiator side (like iSER) so we have to use the
700 		 * status info.  If the response field indicates that
701 		 * the command actually completed then we will assume
702 		 * the data_transferred value represents the entire buffer
703 		 * unless the resid field says otherwise.  This is a bit
704 		 * unintuitive but it's really impossible to know what
705 		 * has been transferred without detailed consideration
706 		 * of the SCSI status and sense key and that is outside
707 		 * the scope of the transport.  Instead the target/class driver
708 		 * can consider these values along with the resid and figure
709 		 * it out.  The data_transferred concept is just belt and
710 		 * suspenders anyway -- RFC 3720 actually explicitly rejects
711 		 * scoreboarding ("Initiators SHOULD NOT keep track of the
712 		 * data transferred to or from the target (scoreboarding)")
713 		 * perhaps for this very reason.
714 		 */
715 		if (issrhp->response != 0) {
716 			icmdp->cmd_un.scsi.data_transferred = 0;
717 		} else {
718 			icmdp->cmd_un.scsi.data_transferred =
719 			    (bp == NULL) ? 0 : bp->b_bcount;
720 			if (issrhp->flags & ISCSI_FLAG_CMD_UNDERFLOW) {
721 				icmdp->cmd_un.scsi.data_transferred -=
722 				    ntohl(issrhp->residual_count);
723 			}
724 		}
725 	}
726 
727 	ISCSI_CHECK_SCSI_READ(icmdp, issrhp,
728 	    icmdp->cmd_un.scsi.data_transferred,
729 	    BP_CHECK_THOROUGH);
730 
731 	ISCSI_IO_LOG(CE_NOTE, "DEBUG: rx_process_cmd_rsp: ic: %p pdu: %p itt:"
732 	    " %x expcmdsn: %x sess_cmd: %x sess_expcmdsn: %x data_transfered:"
733 	    " %lu ibp: %p obp: %p", (void *)ic, (void *)pdu, issrhp->itt,
734 	    issrhp->expcmdsn, isp->sess_cmdsn, isp->sess_expcmdsn,
735 	    icmdp->cmd_un.scsi.data_transferred,
736 	    (void *)icmdp->cmd_un.scsi.ibp_ibuf,
737 	    (void *)icmdp->cmd_un.scsi.ibp_obuf);
738 
739 	iscsi_task_cleanup(issrhp->opcode, icmdp);
740 
741 	if (issrhp->response) {
742 		/* The target failed the command. */
743 		ISCSI_IO_LOG(CE_NOTE, "DEBUG: rx_process_cmd_rsp: ic: %p pdu:"
744 		    " %p response: %d bcount: %lu", (void *)ic, (void *)pdu,
745 		    issrhp->response, icmdp->cmd_un.scsi.bp->b_bcount);
746 		pkt = icmdp->cmd_un.scsi.pkt;
747 		pkt->pkt_reason = CMD_TRAN_ERR;
748 		if (icmdp->cmd_un.scsi.bp) {
749 			pkt->pkt_resid = icmdp->cmd_un.scsi.bp->b_bcount;
750 		} else {
751 			pkt->pkt_resid = 0;
752 		}
753 	} else {
754 		/* success */
755 		iscsi_cmd_rsp_chk(icmdp, issrhp);
756 		flush = iscsi_cmd_rsp_cmd_status(icmdp, issrhp, data);
757 
758 		ASSERT(icmdp->cmd_lun == NULL || icmdp->cmd_lun->lun_num ==
759 		    (icmdp->cmd_un.scsi.lun & ISCSI_LUN_MASK));
760 
761 		if (flush == B_TRUE) {
762 			cmd_sn = icmdp->cmd_sn;
763 			lun_num = icmdp->cmd_un.scsi.lun & ISCSI_LUN_MASK;
764 		}
765 	}
766 
767 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E3, isp);
768 	if (flush == B_TRUE) {
769 		iscsi_flush_cmd_after_reset(cmd_sn, lun_num, icp);
770 	}
771 	mutex_exit(&icp->conn_queue_active.mutex);
772 	return (IDM_STATUS_SUCCESS);
773 }
774 
775 static void
776 iscsi_data_rsp_pkt(iscsi_cmd_t *icmdp, iscsi_data_rsp_hdr_t *idrhp)
777 {
778 	struct buf		*bp	= NULL;
779 	size_t			data_transferred;
780 	struct scsi_pkt		*pkt;
781 
782 	bp = icmdp->cmd_un.scsi.bp;
783 	pkt = icmdp->cmd_un.scsi.pkt;
784 	data_transferred = icmdp->cmd_un.scsi.data_transferred;
785 	/*
786 	 * The command* must be completed now, since we won't get a command
787 	 * response PDU. The cmd_status and residual_count are
788 	 * not meaningful unless status_present is set.
789 	 */
790 	pkt->pkt_resid = 0;
791 	/* Check the residual count */
792 	if (bp && (data_transferred != bp->b_bcount)) {
793 		/*
794 		 * We didn't xfer the expected amount of data -
795 		 * the residual_count in the header is only valid
796 		 * if the underflow flag is set.
797 		 */
798 		if (idrhp->flags & ISCSI_FLAG_DATA_UNDERFLOW) {
799 			pkt->pkt_resid = ntohl(idrhp->residual_count);
800 			ISCSI_IO_LOG(CE_NOTE, "DEBUG: iscsi_data_rsp_pkt: "
801 			    "underflow: itt: %d "
802 			    "transferred: %lu count: %lu", idrhp->itt,
803 			    data_transferred, bp->b_bcount);
804 		} else {
805 			if (bp->b_bcount > data_transferred) {
806 				/* Some data fell on the floor somehw */
807 				ISCSI_IO_LOG(CE_NOTE, "DEBUG: "
808 				    "iscsi_data_rsp_pkt: data fell: itt: %d "
809 				    "transferred: %lu count: %lu", idrhp->itt,
810 				    data_transferred, bp->b_bcount);
811 				pkt->pkt_resid =
812 				    bp->b_bcount - data_transferred;
813 			}
814 		}
815 	}
816 
817 	pkt->pkt_reason = CMD_CMPLT;
818 	pkt->pkt_state |= (STATE_XFERRED_DATA | STATE_GOT_STATUS);
819 
820 	if (((idrhp->cmd_status & STATUS_MASK) != STATUS_GOOD) &&
821 	    (icmdp->cmd_un.scsi.statuslen >=
822 	    sizeof (struct scsi_arq_status)) && pkt->pkt_scbp) {
823 
824 		/*
825 		 * Not supposed to get exception status here!
826 		 * We have no request sense data so just do the
827 		 * best we can
828 		 */
829 		struct scsi_arq_status *arqstat =
830 		    (struct scsi_arq_status *)pkt->pkt_scbp;
831 
832 
833 		bzero(arqstat, sizeof (struct scsi_arq_status));
834 
835 		*((uchar_t *)&arqstat->sts_status) =
836 		    idrhp->cmd_status;
837 
838 		/* sense residual is set to whole size of sense buffer */
839 		arqstat->sts_rqpkt_resid = icmdp->cmd_un.scsi.statuslen -
840 		    ISCSI_ARQ_STATUS_NOSENSE_LEN;
841 		ISCSI_IO_LOG(CE_NOTE, "DEBUG: iscsi_data_rsp_pkt: "
842 		    "exception status: itt: %d resid: %d",
843 		    idrhp->itt, arqstat->sts_rqpkt_resid);
844 
845 	} else if (pkt->pkt_scbp) {
846 		/* just pass along the status we got */
847 		pkt->pkt_scbp[0] = idrhp->cmd_status;
848 	}
849 }
850 
851 /*
852  * iscsi_rx_process_data_rsp -
853  * This currently processes the final data sequence denoted by the data response
854  * PDU Status bit being set.  We will not receive the SCSI response.
855  * This bit denotes that the PDU is the successful completion of the
856  * command.
857  */
858 static idm_status_t
859 iscsi_rx_process_data_rsp(idm_conn_t *ic, idm_pdu_t *pdu)
860 {
861 	iscsi_sess_t		*isp	= NULL;
862 	iscsi_data_rsp_hdr_t	*idrhp	= (iscsi_data_rsp_hdr_t *)pdu->isp_hdr;
863 	iscsi_cmd_t		*icmdp	= NULL;
864 	struct buf		*bp	= NULL;
865 	iscsi_conn_t		*icp	= ic->ic_handle;
866 	idm_buf_t		*ibp;
867 	idm_status_t		rval;
868 
869 
870 	/* should only call this when the data rsp contains final rsp */
871 	ASSERT(idrhp->flags & ISCSI_FLAG_DATA_STATUS);
872 	isp = icp->conn_sess;
873 
874 	mutex_enter(&icp->conn_queue_active.mutex);
875 	if ((rval = iscsi_rx_chk(icp, isp, (iscsi_scsi_rsp_hdr_t *)idrhp,
876 	    &icmdp)) != IDM_STATUS_SUCCESS) {
877 		if (icmdp != NULL) {
878 			iscsi_task_cleanup(idrhp->opcode, icmdp);
879 		}
880 		mutex_exit(&icp->conn_queue_active.mutex);
881 		return (rval);
882 	}
883 
884 	/*
885 	 * If we are in "idm aborting" state then we shouldn't continue
886 	 * to process this command.  By definition this command is no longer
887 	 * on the active queue so we shouldn't try to remove it either.
888 	 */
889 	mutex_enter(&icmdp->cmd_mutex);
890 	if (icmdp->cmd_state == ISCSI_CMD_STATE_IDM_ABORTING) {
891 		mutex_exit(&icmdp->cmd_mutex);
892 		mutex_exit(&icp->conn_queue_active.mutex);
893 		return (IDM_STATUS_SUCCESS);
894 	}
895 	mutex_exit(&icmdp->cmd_mutex);
896 
897 	/*
898 	 * Holding the pending/active queue locks across the
899 	 * iscsi_rx_data call later in this function may cause
900 	 * deadlock during fault injections.  Instead remove
901 	 * the cmd from the active queue and release the locks.
902 	 * Then before returning or completing the command
903 	 * return the cmd to the active queue and reacquire
904 	 * the locks.
905 	 */
906 	iscsi_dequeue_active_cmd(icp, icmdp);
907 
908 	mutex_exit(&icp->conn_queue_active.mutex);
909 
910 	/* shorthand some values */
911 	bp = icmdp->cmd_un.scsi.bp;
912 
913 	/*
914 	 * some poorly behaved targets have been observed
915 	 * sending data-in pdu's during a write operation
916 	 */
917 	if (bp != NULL) {
918 		if (!(bp->b_flags & B_READ)) {
919 			cmn_err(CE_WARN,
920 			    "iscsi connection(%u) protocol error - "
921 			    "received data response during write operation "
922 			    "itt:0x%x",
923 			    icp->conn_oid, idrhp->itt);
924 			mutex_enter(&icp->conn_queue_active.mutex);
925 			iscsi_enqueue_active_cmd(icp, icmdp);
926 			mutex_exit(&icp->conn_queue_active.mutex);
927 			return (IDM_STATUS_PROTOCOL_ERROR);
928 		}
929 	}
930 
931 	ibp = icmdp->cmd_un.scsi.ibp_ibuf;
932 	if (ibp == NULL) {
933 		/*
934 		 * After the check of bp above we *should* have a corresponding
935 		 * idm_buf_t (ibp).  It's possible that the original call
936 		 * to idm_buf_alloc failed due to a pending connection state
937 		 * transition in which case this value can be NULL.  It's
938 		 * highly unlikely that the connection would be shutting down
939 		 * *and* we manage to process a data response and get to this
940 		 * point in the code but just in case we should check for it.
941 		 * This isn't really a protocol error -- we are almost certainly
942 		 * closing the connection anyway so just return a generic error.
943 		 */
944 		mutex_enter(&icp->conn_queue_active.mutex);
945 		iscsi_enqueue_active_cmd(icp, icmdp);
946 		mutex_exit(&icp->conn_queue_active.mutex);
947 		return (IDM_STATUS_FAIL);
948 	}
949 
950 	if (ic->ic_conn_flags & IDM_CONN_USE_SCOREBOARD) {
951 		icmdp->cmd_un.scsi.data_transferred =
952 		    icmdp->cmd_itp->idt_rx_bytes;
953 	} else {
954 		icmdp->cmd_un.scsi.data_transferred = bp->b_bcount;
955 		if (idrhp->flags & ISCSI_FLAG_CMD_UNDERFLOW) {
956 			icmdp->cmd_un.scsi.data_transferred -=
957 			    ntohl(idrhp->residual_count);
958 		}
959 	}
960 
961 	ISCSI_IO_LOG(CE_NOTE, "DEBUG: rx_process_data_rsp: icp: %p pdu: %p "
962 	    "itt: %d ibp: %p icmdp: %p xfer_len: %lu transferred: %lu dlen: %u",
963 	    (void *)icp, (void *)pdu, idrhp->itt, (void *)bp, (void *)icmdp,
964 	    (ibp == NULL) ? 0 : ibp->idb_xfer_len,
965 	    icmdp->cmd_un.scsi.data_transferred,
966 	    n2h24(idrhp->dlength));
967 
968 	iscsi_task_cleanup(idrhp->opcode, icmdp);
969 
970 	iscsi_data_rsp_pkt(icmdp, idrhp);
971 
972 	mutex_enter(&icp->conn_queue_active.mutex);
973 	iscsi_enqueue_active_cmd(icp, icmdp);
974 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E3, isp);
975 	mutex_exit(&icp->conn_queue_active.mutex);
976 
977 	return (IDM_STATUS_SUCCESS);
978 }
979 
980 /*
981  * iscsi_rx_process_nop - Process a received nop.  If nop is in response
982  * to a ping we sent update stats.  If initiated by the target we need
983  * to response back to the target with a nop.  Schedule the response.
984  */
985 /* ARGSUSED */
986 static idm_status_t
987 iscsi_rx_process_nop(idm_conn_t *ic, idm_pdu_t *pdu)
988 {
989 	iscsi_sess_t		*isp	= NULL;
990 	iscsi_nop_in_hdr_t	*inihp	= (iscsi_nop_in_hdr_t *)pdu->isp_hdr;
991 	iscsi_cmd_t		*icmdp	= NULL;
992 	iscsi_conn_t		*icp	= ic->ic_handle;
993 
994 	if (icp->conn_expstatsn != ntohl(inihp->statsn)) {
995 		cmn_err(CE_WARN, "iscsi connection(%u/%x) protocol error - "
996 		    "received status out of order itt:0x%x statsn:0x%x "
997 		    "expstatsn:0x%x", icp->conn_oid, inihp->opcode, inihp->itt,
998 		    ntohl(inihp->statsn), icp->conn_expstatsn);
999 		return (IDM_STATUS_PROTOCOL_ERROR);
1000 	}
1001 	isp = icp->conn_sess;
1002 	ASSERT(isp != NULL);
1003 	mutex_enter(&isp->sess_queue_pending.mutex);
1004 	mutex_enter(&icp->conn_queue_active.mutex);
1005 	mutex_enter(&isp->sess_cmdsn_mutex);
1006 	if (inihp->itt != ISCSI_RSVD_TASK_TAG) {
1007 		if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(
1008 		    isp, (iscsi_hdr_t *)inihp, &icmdp))) {
1009 			cmn_err(CE_WARN, "iscsi connection(%u) protocol error "
1010 			    "- can not find cmd for itt:0x%x",
1011 			    icp->conn_oid, inihp->itt);
1012 			mutex_exit(&isp->sess_cmdsn_mutex);
1013 			mutex_exit(&icp->conn_queue_active.mutex);
1014 			mutex_exit(&isp->sess_queue_pending.mutex);
1015 			return (IDM_STATUS_PROTOCOL_ERROR);
1016 		}
1017 	}
1018 
1019 	/* update expcmdsn and maxcmdsn */
1020 	iscsi_update_flow_control(isp, ntohl(inihp->maxcmdsn),
1021 	    ntohl(inihp->expcmdsn));
1022 	mutex_exit(&isp->sess_cmdsn_mutex);
1023 
1024 	if ((inihp->itt != ISCSI_RSVD_TASK_TAG) &&
1025 	    (inihp->ttt == ISCSI_RSVD_TASK_TAG)) {
1026 		/* This is the only type of nop that incs. the expstatsn */
1027 		icp->conn_expstatsn++;
1028 
1029 		/*
1030 		 * This is a targets response to our nop
1031 		 */
1032 		iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E3, isp);
1033 	} else if (inihp->ttt != ISCSI_RSVD_TASK_TAG) {
1034 		/*
1035 		 * Target requested a nop.  Send one.
1036 		 */
1037 		iscsi_handle_nop(icp, ISCSI_RSVD_TASK_TAG, inihp->ttt);
1038 	} else {
1039 		/*
1040 		 * This is a target-initiated ping that doesn't expect
1041 		 * a response; nothing to do except update our flow control
1042 		 * (which we do in all cases above).
1043 		 */
1044 		/* EMPTY */
1045 	}
1046 	mutex_exit(&icp->conn_queue_active.mutex);
1047 	mutex_exit(&isp->sess_queue_pending.mutex);
1048 
1049 	return (IDM_STATUS_SUCCESS);
1050 }
1051 
1052 
1053 /*
1054  * iscsi_rx_process_reject_rsp - The server rejected a PDU
1055  */
1056 static idm_status_t
1057 iscsi_rx_process_reject_rsp(idm_conn_t *ic, idm_pdu_t *pdu)
1058 {
1059 	iscsi_reject_rsp_hdr_t	*irrhp = (iscsi_reject_rsp_hdr_t *)pdu->isp_hdr;
1060 	iscsi_sess_t		*isp		= NULL;
1061 	uint32_t		dlength		= 0;
1062 	iscsi_hdr_t		*old_ihp	= NULL;
1063 	iscsi_conn_t		*icp		= ic->ic_handle;
1064 	uint8_t			*data 		= pdu->isp_data;
1065 	idm_status_t		status		= IDM_STATUS_SUCCESS;
1066 	int			i		= 0;
1067 
1068 	ASSERT(data != NULL);
1069 	isp = icp->conn_sess;
1070 	ASSERT(isp != NULL);
1071 
1072 	/*
1073 	 * In RFC3720 section 10.17, this 4 bytes should be all 0xff.
1074 	 */
1075 	for (i = 0; i < 4; i++) {
1076 		if (irrhp->must_be_ff[i] != 0xff) {
1077 			return (IDM_STATUS_PROTOCOL_ERROR);
1078 		}
1079 	}
1080 	mutex_enter(&isp->sess_cmdsn_mutex);
1081 
1082 	if (icp->conn_expstatsn == ntohl(irrhp->statsn)) {
1083 		icp->conn_expstatsn++;
1084 	} else {
1085 		cmn_err(CE_WARN, "iscsi connection(%u/%x) protocol error - "
1086 		    "received status out of order statsn:0x%x "
1087 		    "expstatsn:0x%x", icp->conn_oid, irrhp->opcode,
1088 		    ntohl(irrhp->statsn), icp->conn_expstatsn);
1089 		mutex_exit(&isp->sess_cmdsn_mutex);
1090 		return (IDM_STATUS_PROTOCOL_ERROR);
1091 	}
1092 	/* update expcmdsn and maxcmdsn */
1093 	iscsi_update_flow_control(isp, ntohl(irrhp->maxcmdsn),
1094 	    ntohl(irrhp->expcmdsn));
1095 
1096 	mutex_exit(&isp->sess_cmdsn_mutex);
1097 
1098 	/* If we don't have the rejected header we can't do anything */
1099 	dlength = n2h24(irrhp->dlength);
1100 	if (dlength < sizeof (iscsi_hdr_t)) {
1101 		return (IDM_STATUS_PROTOCOL_ERROR);
1102 	}
1103 
1104 	/* map old ihp */
1105 	old_ihp = (iscsi_hdr_t *)data;
1106 
1107 	switch (irrhp->reason) {
1108 	/*
1109 	 * ISCSI_REJECT_IMM_CMD_REJECT - Immediate Command Reject
1110 	 * too many immediate commands (original cmd can be resent)
1111 	 */
1112 	case ISCSI_REJECT_IMM_CMD_REJECT:
1113 		/*
1114 		 * We have exceeded the server's capacity for outstanding
1115 		 * immediate commands.   This must be a task management
1116 		 * command so try to find it in the abortingqueue and
1117 		 * complete it.
1118 		 */
1119 		if (!(old_ihp->opcode & ISCSI_OP_IMMEDIATE)) {
1120 			/* Rejecting IMM but old old_hdr wasn't IMM */
1121 			return (IDM_STATUS_PROTOCOL_ERROR);
1122 		}
1123 
1124 		/*
1125 		 * We only send NOP and TASK_MGT as IMM.  All other
1126 		 * cases should be considered as a protocol error.
1127 		 */
1128 		switch (old_ihp->opcode & ISCSI_OPCODE_MASK) {
1129 		case ISCSI_OP_NOOP_OUT:
1130 			/*
1131 			 * A ping was rejected - treat this like
1132 			 * ping response.  The down side is we
1133 			 * didn't get an updated MaxCmdSn.
1134 			 */
1135 			break;
1136 		case ISCSI_OP_SCSI_TASK_MGT_MSG:
1137 			status =
1138 			    iscsi_rx_process_rejected_tsk_mgt(ic, old_ihp);
1139 			break;
1140 		default:
1141 			cmn_err(CE_WARN, "iscsi connection(%u) protocol error "
1142 			    "- received a reject for a command(0x%02x) not "
1143 			    "sent as an immediate", icp->conn_oid,
1144 			    old_ihp->opcode);
1145 			status = IDM_STATUS_PROTOCOL_ERROR;
1146 			break;
1147 		}
1148 		break;
1149 
1150 	/*
1151 	 * For the rest of the reject cases just use the general
1152 	 * hammer of dis/reconnecting.  This will resolve all
1153 	 * noted issues although could be more graceful.
1154 	 */
1155 	case ISCSI_REJECT_DATA_DIGEST_ERROR:
1156 	case ISCSI_REJECT_CMD_BEFORE_LOGIN:
1157 	case ISCSI_REJECT_SNACK_REJECT:
1158 	case ISCSI_REJECT_PROTOCOL_ERROR:
1159 	case ISCSI_REJECT_CMD_NOT_SUPPORTED:
1160 	case ISCSI_REJECT_TASK_IN_PROGRESS:
1161 	case ISCSI_REJECT_INVALID_DATA_ACK:
1162 	case ISCSI_REJECT_INVALID_PDU_FIELD:
1163 	case ISCSI_REJECT_LONG_OPERATION_REJECT:
1164 	case ISCSI_REJECT_NEGOTIATION_RESET:
1165 	default:
1166 		cmn_err(CE_WARN, "iscsi connection(%u/%x) closing connection - "
1167 		    "target requested reason:0x%x",
1168 		    icp->conn_oid, irrhp->opcode, irrhp->reason);
1169 		status = IDM_STATUS_PROTOCOL_ERROR;
1170 		break;
1171 	}
1172 
1173 	return (status);
1174 }
1175 
1176 
1177 /*
1178  * iscsi_rx_process_rejected_tsk_mgt -
1179  */
1180 /* ARGSUSED */
1181 static idm_status_t
1182 iscsi_rx_process_rejected_tsk_mgt(idm_conn_t *ic, iscsi_hdr_t *old_ihp)
1183 {
1184 	iscsi_sess_t		*isp	= NULL;
1185 	iscsi_cmd_t		*icmdp	= NULL;
1186 	iscsi_conn_t		*icp 	= ic->ic_handle;
1187 
1188 	isp = icp->conn_sess;
1189 	ASSERT(old_ihp != NULL);
1190 	ASSERT(isp != NULL);
1191 
1192 	mutex_enter(&icp->conn_queue_active.mutex);
1193 	mutex_enter(&isp->sess_cmdsn_mutex);
1194 	if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(
1195 	    isp, old_ihp, &icmdp))) {
1196 		mutex_exit(&isp->sess_cmdsn_mutex);
1197 		mutex_exit(&icp->conn_queue_active.mutex);
1198 		return (IDM_STATUS_PROTOCOL_ERROR);
1199 	}
1200 	mutex_exit(&isp->sess_cmdsn_mutex);
1201 
1202 	switch (icmdp->cmd_type) {
1203 	case ISCSI_CMD_TYPE_ABORT:
1204 	case ISCSI_CMD_TYPE_RESET:
1205 		iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E4,
1206 		    icp->conn_sess);
1207 		break;
1208 	/* We don't send any other task mgr types */
1209 	default:
1210 		ASSERT(B_FALSE);
1211 		break;
1212 	}
1213 	mutex_exit(&icp->conn_queue_active.mutex);
1214 
1215 	return (IDM_STATUS_SUCCESS);
1216 }
1217 
1218 
1219 /*
1220  * iscsi_rx_process_task_mgt_rsp -
1221  */
1222 /* ARGSUSED */
1223 static idm_status_t
1224 iscsi_rx_process_task_mgt_rsp(idm_conn_t *ic, idm_pdu_t *pdu)
1225 {
1226 	iscsi_sess_t			*isp		= NULL;
1227 	iscsi_scsi_task_mgt_rsp_hdr_t	*istmrhp	= NULL;
1228 	iscsi_cmd_t			*icmdp		= NULL;
1229 	iscsi_conn_t			*icp		= ic->ic_handle;
1230 	idm_status_t			status = IDM_STATUS_SUCCESS;
1231 
1232 	isp = icp->conn_sess;
1233 	istmrhp = (iscsi_scsi_task_mgt_rsp_hdr_t *)pdu->isp_hdr;
1234 
1235 	mutex_enter(&icp->conn_queue_active.mutex);
1236 	if ((status = iscsi_rx_chk(icp, isp, (iscsi_scsi_rsp_hdr_t *)istmrhp,
1237 	    &icmdp)) != IDM_STATUS_SUCCESS) {
1238 		mutex_exit(&icp->conn_queue_active.mutex);
1239 		return (status);
1240 	}
1241 
1242 	switch (icmdp->cmd_type) {
1243 	case ISCSI_CMD_TYPE_ABORT:
1244 	case ISCSI_CMD_TYPE_RESET:
1245 		switch (istmrhp->response) {
1246 		case SCSI_TCP_TM_RESP_COMPLETE:
1247 			/* success */
1248 			iscsi_cmd_state_machine(icmdp,
1249 			    ISCSI_CMD_EVENT_E3, isp);
1250 			break;
1251 		case SCSI_TCP_TM_RESP_NO_TASK:
1252 			/*
1253 			 * If the array no longer knows about
1254 			 * an ABORT RTT and we no longer have
1255 			 * a parent SCSI command it was just
1256 			 * completed, free this ABORT resource.
1257 			 * Otherwise FALLTHRU this will flag a
1258 			 * protocol problem.
1259 			 */
1260 			if ((icmdp->cmd_type == ISCSI_CMD_TYPE_ABORT) &&
1261 			    (icmdp->cmd_un.abort.icmdp == NULL)) {
1262 				iscsi_cmd_state_machine(icmdp,
1263 				    ISCSI_CMD_EVENT_E4, isp);
1264 				break;
1265 			}
1266 			/* FALLTHRU */
1267 		case SCSI_TCP_TM_RESP_REJECTED:
1268 			/*
1269 			 * If the target rejects our reset task,
1270 			 * we should record the response and complete
1271 			 * this command with the result.
1272 			 */
1273 			if (icmdp->cmd_type == ISCSI_CMD_TYPE_RESET) {
1274 				icmdp->cmd_un.reset.response =
1275 				    istmrhp->response;
1276 				iscsi_cmd_state_machine(icmdp,
1277 				    ISCSI_CMD_EVENT_E3, isp);
1278 				break;
1279 			}
1280 			/* FALLTHRU */
1281 		case SCSI_TCP_TM_RESP_NO_LUN:
1282 		case SCSI_TCP_TM_RESP_TASK_ALLEGIANT:
1283 		case SCSI_TCP_TM_RESP_NO_FAILOVER:
1284 		case SCSI_TCP_TM_RESP_IN_PRGRESS:
1285 		default:
1286 			/*
1287 			 * Something is out of sync.  Flush
1288 			 * active queues and resync the
1289 			 * the connection to try and recover
1290 			 * to a known state.
1291 			 */
1292 			status = IDM_STATUS_PROTOCOL_ERROR;
1293 		}
1294 		break;
1295 
1296 	default:
1297 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
1298 		    "received a task mgt response for a non-task mgt "
1299 		    "cmd itt:0x%x type:%d", icp->conn_oid, istmrhp->itt,
1300 		    icmdp->cmd_type);
1301 		status = IDM_STATUS_PROTOCOL_ERROR;
1302 		break;
1303 	}
1304 
1305 	mutex_exit(&icp->conn_queue_active.mutex);
1306 	return (status);
1307 }
1308 
1309 
1310 /*
1311  * iscsi_rx_process_logout_rsp -
1312  *
1313  */
1314 /* ARGSUSED */
1315 idm_status_t
1316 iscsi_rx_process_logout_rsp(idm_conn_t *ic, idm_pdu_t *pdu)
1317 {
1318 	iscsi_conn_t		*icp	= ic->ic_handle;
1319 	iscsi_logout_rsp_hdr_t	*ilrhp	=
1320 	    (iscsi_logout_rsp_hdr_t *)pdu->isp_hdr;
1321 	iscsi_cmd_t		*icmdp	= NULL;
1322 	iscsi_sess_t		*isp;
1323 	idm_status_t		status = IDM_STATUS_SUCCESS;
1324 
1325 	isp = icp->conn_sess;
1326 
1327 	if (icp->conn_expstatsn != ntohl(ilrhp->statsn)) {
1328 		cmn_err(CE_WARN, "iscsi connection(%u/%x) protocol error - "
1329 		    "received status out of order itt:0x%x statsn:0x%x "
1330 		    "expstatsn:0x%x", icp->conn_oid, ilrhp->opcode, ilrhp->itt,
1331 		    ntohl(ilrhp->statsn), icp->conn_expstatsn);
1332 		return (IDM_STATUS_PROTOCOL_ERROR);
1333 	}
1334 
1335 	mutex_enter(&icp->conn_queue_active.mutex);
1336 	mutex_enter(&isp->sess_cmdsn_mutex);
1337 	if (ilrhp->itt != ISCSI_RSVD_TASK_TAG) {
1338 		if (!ISCSI_SUCCESS(iscsi_rx_process_itt_to_icmdp(
1339 		    isp, (iscsi_hdr_t *)ilrhp, &icmdp))) {
1340 			mutex_exit(&isp->sess_cmdsn_mutex);
1341 			mutex_exit(&icp->conn_queue_active.mutex);
1342 			return (IDM_STATUS_PROTOCOL_ERROR);
1343 		}
1344 	}
1345 
1346 	/* update expcmdsn and maxcmdsn */
1347 	iscsi_update_flow_control(isp, ntohl(ilrhp->maxcmdsn),
1348 	    ntohl(ilrhp->expcmdsn));
1349 	mutex_exit(&isp->sess_cmdsn_mutex);
1350 
1351 	ISCSI_IO_LOG(CE_NOTE,
1352 	    "DEBUG: iscsi_rx_process_logout_rsp: response: %d",
1353 	    ilrhp->response);
1354 	switch (ilrhp->response) {
1355 	case ISCSI_LOGOUT_CID_NOT_FOUND:
1356 		/*
1357 		 * If the target doesn't know about our connection
1358 		 * then we can consider our self disconnected.
1359 		 */
1360 		/* FALLTHRU */
1361 	case ISCSI_LOGOUT_RECOVERY_UNSUPPORTED:
1362 		/*
1363 		 * We don't support ErrorRecovery levels above 0
1364 		 * currently so consider this success.
1365 		 */
1366 		/* FALLTHRU */
1367 	case ISCSI_LOGOUT_CLEANUP_FAILED:
1368 		/*
1369 		 * per spec. "cleanup failed for various reasons."
1370 		 * Although those various reasons are undefined.
1371 		 * Not sure what to do here.  So fake success,
1372 		 * which will disconnect the connection.
1373 		 */
1374 		/* FALLTHRU */
1375 	case ISCSI_LOGOUT_SUCCESS:
1376 		iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E3, isp);
1377 		mutex_exit(&icp->conn_queue_active.mutex);
1378 		iscsi_drop_conn_cleanup(icp);
1379 		break;
1380 	default:
1381 		mutex_exit(&icp->conn_queue_active.mutex);
1382 		status = IDM_STATUS_PROTOCOL_ERROR;
1383 		break;
1384 
1385 	}
1386 	return (status);
1387 }
1388 
1389 /*
1390  * iscsi_rx_process_async_rsp
1391  *
1392  */
1393 /* ARGSUSED */
1394 static idm_status_t
1395 iscsi_rx_process_async_rsp(idm_conn_t *ic, idm_pdu_t *pdu)
1396 {
1397 	iscsi_conn_t		*icp	= ic->ic_handle;
1398 	iscsi_sess_t		*isp	= icp->conn_sess;
1399 	idm_status_t		rval	= IDM_STATUS_SUCCESS;
1400 	iscsi_task_t		*itp;
1401 	iscsi_async_evt_hdr_t	*iaehp	=
1402 	    (iscsi_async_evt_hdr_t *)pdu->isp_hdr;
1403 
1404 	ASSERT(icp != NULL);
1405 	ASSERT(pdu != NULL);
1406 	ASSERT(isp != NULL);
1407 
1408 	mutex_enter(&isp->sess_cmdsn_mutex);
1409 	if (icp->conn_expstatsn == ntohl(iaehp->statsn)) {
1410 		icp->conn_expstatsn++;
1411 	} else {
1412 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
1413 		    "received status out of order statsn:0x%x "
1414 		    "expstatsn:0x%x", icp->conn_oid,
1415 		    ntohl(iaehp->statsn), icp->conn_expstatsn);
1416 		mutex_exit(&isp->sess_cmdsn_mutex);
1417 		return (IDM_STATUS_PROTOCOL_ERROR);
1418 	}
1419 	mutex_exit(&isp->sess_cmdsn_mutex);
1420 
1421 	switch (iaehp->async_event) {
1422 	case ISCSI_ASYNC_EVENT_SCSI_EVENT:
1423 		/*
1424 		 * SCSI asynchronous event is reported in
1425 		 * the sense data.  Sense data that accompanies
1426 		 * the report in the data segment identifies the
1427 		 * condition.  If the target supports SCSI
1428 		 * asynchronous events reporting (see [SAM2])
1429 		 * as indicated in the stardard INQUIRY data
1430 		 * (see [SPC3]), its use may be enabled by
1431 		 * parameters in the SCSI control mode page
1432 		 * (see [SPC3]).
1433 		 *
1434 		 * T-10 has removed SCSI asunchronous events
1435 		 * from the standard.  Although we have seen
1436 		 * a couple targets still spending these requests.
1437 		 * Those targets were specifically sending them
1438 		 * for notification of a LUN/Volume change
1439 		 * (ex. LUN addition/removal). Fire the enumeration
1440 		 * to handle the change.
1441 		 */
1442 		if (isp->sess_type == ISCSI_SESS_TYPE_NORMAL) {
1443 			rw_enter(&isp->sess_state_rwlock, RW_READER);
1444 			if (isp->sess_state == ISCSI_SESS_STATE_LOGGED_IN) {
1445 				(void) iscsi_sess_enum_request(isp, B_FALSE,
1446 				    isp->sess_state_event_count);
1447 			}
1448 			rw_exit(&isp->sess_state_rwlock);
1449 		}
1450 		break;
1451 
1452 	case ISCSI_ASYNC_EVENT_REQUEST_LOGOUT:
1453 		/*
1454 		 * We've been asked to logout by the target --
1455 		 * we need to treat this differently from a normal logout
1456 		 * due to a discovery failure.  Normal logouts result in
1457 		 * an N3 event to the session state machine and an offline
1458 		 * of the lun.  In this case we want to put the connection
1459 		 * into "failed" state and generate N5 to the session state
1460 		 * machine since the initiator logged out at the target's
1461 		 * request.  To track this we set a flag indicating we
1462 		 * received this async logout request from the tharget
1463 		 */
1464 		mutex_enter(&icp->conn_state_mutex);
1465 		icp->conn_async_logout = B_TRUE;
1466 		mutex_exit(&icp->conn_state_mutex);
1467 
1468 		/* Hold is released in iscsi_handle_logout. */
1469 		idm_conn_hold(ic);
1470 
1471 		/* Target has requested this connection to logout. */
1472 		itp = kmem_zalloc(sizeof (iscsi_task_t), KM_SLEEP);
1473 		itp->t_arg = icp;
1474 		itp->t_blocking = B_FALSE;
1475 		if (ddi_taskq_dispatch(isp->sess_login_taskq,
1476 		    (void(*)())iscsi_logout_start, itp, DDI_SLEEP) !=
1477 		    DDI_SUCCESS) {
1478 			idm_conn_rele(ic);
1479 			/* Disconnect if we couldn't dispatch the task */
1480 			idm_ini_conn_disconnect(ic);
1481 		}
1482 		break;
1483 
1484 	case ISCSI_ASYNC_EVENT_DROPPING_CONNECTION:
1485 		/*
1486 		 * Target is going to drop our connection.
1487 		 *	param1 - CID which will be dropped.
1488 		 *	param2 - Min time to reconnect.
1489 		 *	param3 - Max time to reconnect.
1490 		 *
1491 		 * For now just let fail as another disconnect.
1492 		 *
1493 		 * MC/S Once we support > 1 connections then
1494 		 * we need to check the CID and drop that
1495 		 * specific connection.
1496 		 */
1497 		iscsi_conn_set_login_min_max(icp, iaehp->param2,
1498 		    iaehp->param3);
1499 		idm_ini_conn_disconnect(ic);
1500 		break;
1501 
1502 	case ISCSI_ASYNC_EVENT_DROPPING_ALL_CONNECTIONS:
1503 		/*
1504 		 * Target is going to drop ALL connections.
1505 		 *	param2 - Min time to reconnect.
1506 		 *	param3 - Max time to reconnect.
1507 		 *
1508 		 * For now just let fail as anyother disconnect.
1509 		 *
1510 		 * MC/S Once we support more than > 1 connections
1511 		 * then we need to drop all connections on the
1512 		 * session.
1513 		 */
1514 		iscsi_conn_set_login_min_max(icp, iaehp->param2,
1515 		    iaehp->param3);
1516 		idm_ini_conn_disconnect(ic);
1517 		break;
1518 
1519 	case ISCSI_ASYNC_EVENT_PARAM_NEGOTIATION:
1520 		/*
1521 		 * Target requests parameter negotiation
1522 		 * on this connection.
1523 		 *
1524 		 * The initiator must honor this request.  For
1525 		 * now we will request a logout.  We can't
1526 		 * just ignore this or it might force corruption?
1527 		 */
1528 
1529 		/* Hold is released in iscsi_handle_logout */
1530 		idm_conn_hold(ic);
1531 		itp = kmem_zalloc(sizeof (iscsi_task_t), KM_SLEEP);
1532 		itp->t_arg = icp;
1533 		itp->t_blocking = B_FALSE;
1534 		if (ddi_taskq_dispatch(isp->sess_login_taskq,
1535 		    (void(*)())iscsi_logout_start, itp, DDI_SLEEP) !=
1536 		    DDI_SUCCESS) {
1537 			/* Disconnect if we couldn't dispatch the task */
1538 			idm_conn_rele(ic);
1539 			idm_ini_conn_disconnect(ic);
1540 		}
1541 		break;
1542 
1543 	case ISCSI_ASYNC_EVENT_VENDOR_SPECIFIC:
1544 		/*
1545 		 * We currently don't handle any vendor
1546 		 * specific async events.  So just ignore
1547 		 * the request.
1548 		 */
1549 		idm_ini_conn_disconnect(ic);
1550 		break;
1551 	default:
1552 		rval = IDM_STATUS_PROTOCOL_ERROR;
1553 	}
1554 
1555 	return (rval);
1556 }
1557 
1558 /*
1559  * iscsi_rx_process_text_rsp - processes iSCSI text response.  It sets
1560  * the cmd_result field of the command data structure with the actual
1561  * status value instead of returning the status value.  The return value
1562  * is SUCCESS in order to let iscsi_handle_text control the operation of
1563  * a text request.
1564  * Text requests are a handled a little different than other types of
1565  * iSCSI commands because the initiator sends additional empty text requests
1566  * in order to obtain the remaining responses required to complete the
1567  * request.  iscsi_handle_text controls the operation of text request, while
1568  * iscsi_rx_process_text_rsp just process the current response.
1569  */
1570 static idm_status_t
1571 iscsi_rx_process_text_rsp(idm_conn_t *ic, idm_pdu_t *pdu)
1572 {
1573 	iscsi_sess_t		*isp	= NULL;
1574 	iscsi_text_rsp_hdr_t	*ithp	=
1575 	    (iscsi_text_rsp_hdr_t *)pdu->isp_hdr;
1576 	iscsi_conn_t		*icp	= ic->ic_handle;
1577 	iscsi_cmd_t		*icmdp	= NULL;
1578 	boolean_t		final	= B_FALSE;
1579 	uint32_t		data_len;
1580 	uint8_t			*data = pdu->isp_data;
1581 	idm_status_t		rval;
1582 
1583 	isp = icp->conn_sess;
1584 
1585 	mutex_enter(&icp->conn_queue_active.mutex);
1586 	if ((rval = iscsi_rx_chk(icp, isp, (iscsi_scsi_rsp_hdr_t *)ithp,
1587 	    &icmdp)) != IDM_STATUS_SUCCESS) {
1588 		mutex_exit(&icp->conn_queue_active.mutex);
1589 		return (rval);
1590 	}
1591 
1592 	/* update local final response flag */
1593 	if (ithp->flags & ISCSI_FLAG_FINAL) {
1594 		final = B_TRUE;
1595 	}
1596 
1597 	/*
1598 	 * validate received TTT value.  RFC3720 specifies the following:
1599 	 * - F bit set to 1 MUST have a reserved TTT value 0xffffffff
1600 	 * - F bit set to 0 MUST have a non-reserved TTT value !0xffffffff
1601 	 * In addition, the received TTT value must not change between
1602 	 * responses of a long text response
1603 	 */
1604 	if (((final == B_TRUE) && (ithp->ttt != ISCSI_RSVD_TASK_TAG)) ||
1605 	    ((final == B_FALSE) && (ithp->ttt == ISCSI_RSVD_TASK_TAG))) {
1606 		icmdp->cmd_result = ISCSI_STATUS_PROTOCOL_ERROR;
1607 		icmdp->cmd_un.text.stage = ISCSI_CMD_TEXT_FINAL_RSP;
1608 		mutex_exit(&icp->conn_queue_active.mutex);
1609 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error - "
1610 		    "received text response with invalid flags:0x%x or "
1611 		    "ttt:0x%x", icp->conn_oid, ithp->flags, ithp->itt);
1612 		return (IDM_STATUS_PROTOCOL_ERROR);
1613 	}
1614 
1615 	if ((icmdp->cmd_un.text.stage == ISCSI_CMD_TEXT_INITIAL_REQ) &&
1616 	    (ithp->ttt == ISCSI_RSVD_TASK_TAG) &&
1617 	    (final == B_FALSE)) {
1618 		/* TTT should have matched reserved value */
1619 		icmdp->cmd_result = ISCSI_STATUS_PROTOCOL_ERROR;
1620 		icmdp->cmd_un.text.stage = ISCSI_CMD_TEXT_FINAL_RSP;
1621 		mutex_exit(&icp->conn_queue_active.mutex);
1622 		cmn_err(CE_WARN, "iscsi connection(%u) protocol "
1623 		    "error - received text response with invalid "
1624 		    "ttt:0x%x", icp->conn_oid, ithp->ttt);
1625 		return (IDM_STATUS_PROTOCOL_ERROR);
1626 	}
1627 
1628 	/*
1629 	 * If this is first response, save away TTT value for later use
1630 	 * in a long text request/response sequence
1631 	 */
1632 	if (icmdp->cmd_un.text.stage == ISCSI_CMD_TEXT_INITIAL_REQ) {
1633 		icmdp->cmd_un.text.ttt = ithp->ttt;
1634 	}
1635 
1636 	data_len = ntoh24(ithp->dlength);
1637 
1638 	/* check whether enough buffer available to copy data */
1639 	if ((icmdp->cmd_un.text.total_rx_len + data_len) >
1640 	    icmdp->cmd_un.text.buf_len) {
1641 		icmdp->cmd_un.text.total_rx_len += data_len;
1642 		icmdp->cmd_result = ISCSI_STATUS_DATA_OVERFLOW;
1643 		/*
1644 		 * DATA_OVERFLOW will result in a SUCCESS return so that
1645 		 * iscsi_handle_text can continue to obtain the remaining
1646 		 * text response if needed.
1647 		 */
1648 	} else {
1649 		char *buf_data = (icmdp->cmd_un.text.buf +
1650 		    icmdp->cmd_un.text.offset);
1651 
1652 		bcopy(data, buf_data, data_len);
1653 		icmdp->cmd_un.text.offset += data_len;
1654 		icmdp->cmd_un.text.total_rx_len += data_len;
1655 		icmdp->cmd_result = ISCSI_STATUS_SUCCESS;
1656 		bcopy(ithp->rsvd4, icmdp->cmd_un.text.lun,
1657 		    sizeof (icmdp->cmd_un.text.lun));
1658 	}
1659 
1660 	/* update stage  */
1661 	if (final == B_TRUE) {
1662 		icmdp->cmd_un.text.stage = ISCSI_CMD_TEXT_FINAL_RSP;
1663 	} else {
1664 		icmdp->cmd_un.text.stage = ISCSI_CMD_TEXT_CONTINUATION;
1665 	}
1666 
1667 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E3, isp);
1668 	mutex_exit(&icp->conn_queue_active.mutex);
1669 	return (IDM_STATUS_SUCCESS);
1670 }
1671 
1672 /*
1673  * iscsi_rx_process_scsi_itt_to_icmdp - Lookup itt using IDM to find matching
1674  * icmdp.  Verify itt in hdr and icmdp are the same.
1675  */
1676 static iscsi_status_t
1677 iscsi_rx_process_scsi_itt_to_icmdp(iscsi_sess_t *isp, idm_conn_t *ic,
1678     iscsi_scsi_rsp_hdr_t *ihp, iscsi_cmd_t **icmdp)
1679 {
1680 	idm_task_t *itp;
1681 
1682 	ASSERT(isp != NULL);
1683 	ASSERT(ihp != NULL);
1684 	ASSERT(icmdp != NULL);
1685 	ASSERT(mutex_owned(&isp->sess_cmdsn_mutex));
1686 	itp = idm_task_find_and_complete(ic, ihp->itt, ISCSI_INI_TASK_TTT);
1687 	if (itp == NULL) {
1688 		cmn_err(CE_WARN, "iscsi session(%u) protocol error - "
1689 		    "received unknown itt:0x%x - protocol error",
1690 		    isp->sess_oid, ihp->itt);
1691 		return (ISCSI_STATUS_INTERNAL_ERROR);
1692 	}
1693 	*icmdp = itp->idt_private;
1694 
1695 	idm_task_rele(itp);
1696 
1697 	return (ISCSI_STATUS_SUCCESS);
1698 
1699 }
1700 
1701 /*
1702  * iscsi_rx_process_itt_to_icmdp - Lookup itt in the session's
1703  * cmd table to find matching icmdp.  Verify itt in hdr and
1704  * icmdp are the same.
1705  */
1706 static iscsi_status_t
1707 iscsi_rx_process_itt_to_icmdp(iscsi_sess_t *isp, iscsi_hdr_t *ihp,
1708     iscsi_cmd_t **icmdp)
1709 {
1710 	int cmd_table_idx = 0;
1711 
1712 	ASSERT(isp != NULL);
1713 	ASSERT(ihp != NULL);
1714 	ASSERT(icmdp != NULL);
1715 	ASSERT(mutex_owned(&isp->sess_cmdsn_mutex));
1716 
1717 	/* try to find an associated iscsi_pkt */
1718 	cmd_table_idx = (ihp->itt - IDM_TASKIDS_MAX) % ISCSI_CMD_TABLE_SIZE;
1719 	if (isp->sess_cmd_table[cmd_table_idx] == NULL) {
1720 		cmn_err(CE_WARN, "iscsi session(%u) protocol error - "
1721 		    "received unknown itt:0x%x - protocol error",
1722 		    isp->sess_oid, ihp->itt);
1723 		return (ISCSI_STATUS_INTERNAL_ERROR);
1724 	}
1725 
1726 	/* verify itt */
1727 	if (isp->sess_cmd_table[cmd_table_idx]->cmd_itt != ihp->itt) {
1728 		cmn_err(CE_WARN, "iscsi session(%u) received itt:0x%x "
1729 		    " which is out of sync with itt:0x%x", isp->sess_oid,
1730 		    ihp->itt, isp->sess_cmd_table[cmd_table_idx]->cmd_itt);
1731 		return (ISCSI_STATUS_INTERNAL_ERROR);
1732 	}
1733 
1734 	/* ensure that icmdp is still in Active state */
1735 	if (isp->sess_cmd_table[cmd_table_idx]->cmd_state !=
1736 	    ISCSI_CMD_STATE_ACTIVE) {
1737 		cmn_err(CE_WARN, "iscsi session(%u) received itt:0x%x "
1738 		    "but icmdp (%p) is not in active state",
1739 		    isp->sess_oid, ihp->itt,
1740 		    (void *)isp->sess_cmd_table[cmd_table_idx]);
1741 		return (ISCSI_STATUS_INTERNAL_ERROR);
1742 	}
1743 
1744 	/* make sure this is a SCSI cmd */
1745 	*icmdp = isp->sess_cmd_table[cmd_table_idx];
1746 
1747 	return (ISCSI_STATUS_SUCCESS);
1748 }
1749 
1750 /*
1751  * +--------------------------------------------------------------------+
1752  * | End of protocol receive routines					|
1753  * +--------------------------------------------------------------------+
1754  */
1755 
1756 /*
1757  * +--------------------------------------------------------------------+
1758  * | Beginning of protocol send routines				|
1759  * +--------------------------------------------------------------------+
1760  */
1761 
1762 
1763 /*
1764  * iscsi_tx_thread - This thread is the driving point for all
1765  * iSCSI PDUs after login.  No PDUs should call idm_pdu_tx()
1766  * directly they should be funneled through iscsi_tx_thread.
1767  */
1768 void
1769 iscsi_tx_thread(iscsi_thread_t *thread, void *arg)
1770 {
1771 	iscsi_conn_t	*icp	= (iscsi_conn_t *)arg;
1772 	iscsi_sess_t	*isp	= NULL;
1773 	iscsi_cmd_t	*icmdp	= NULL;
1774 	clock_t		tout;
1775 	int		ret	= 1;
1776 
1777 	ASSERT(icp != NULL);
1778 	isp = icp->conn_sess;
1779 	ASSERT(isp != NULL);
1780 	ASSERT(thread != NULL);
1781 	ASSERT(thread->signature == SIG_ISCSI_THREAD);
1782 
1783 	tout = SEC_TO_TICK(1);
1784 	/*
1785 	 * Transfer icmdps until shutdown by owning session.
1786 	 */
1787 	while (ret != 0) {
1788 
1789 		isp->sess_window_open = B_TRUE;
1790 		/*
1791 		 * While the window is open, there are commands available
1792 		 * to send and the session state allows those commands to
1793 		 * be sent try to transfer them.
1794 		 */
1795 		mutex_enter(&isp->sess_queue_pending.mutex);
1796 		while ((isp->sess_window_open == B_TRUE) &&
1797 		    ((icmdp = isp->sess_queue_pending.head) != NULL)) {
1798 			if (((icmdp->cmd_type != ISCSI_CMD_TYPE_SCSI) &&
1799 			    (ISCSI_CONN_STATE_FULL_FEATURE(icp->conn_state))) ||
1800 			    (icp->conn_state == ISCSI_CONN_STATE_LOGGED_IN)) {
1801 
1802 				/* update command with this connection info */
1803 				icmdp->cmd_conn = icp;
1804 				/* attempt to send this command */
1805 				iscsi_cmd_state_machine(icmdp,
1806 				    ISCSI_CMD_EVENT_E2, isp);
1807 
1808 				ASSERT(!mutex_owned(
1809 				    &isp->sess_queue_pending.mutex));
1810 				mutex_enter(&isp->sess_queue_pending.mutex);
1811 			} else {
1812 				while (icmdp != NULL) {
1813 					if ((icmdp->cmd_type !=
1814 					    ISCSI_CMD_TYPE_SCSI) &&
1815 					    (ISCSI_CONN_STATE_FULL_FEATURE
1816 					    (icp->conn_state) != B_TRUE)) {
1817 						icmdp->cmd_misc_flags |=
1818 						    ISCSI_CMD_MISCFLAG_STUCK;
1819 					} else if (icp->conn_state !=
1820 					    ISCSI_CONN_STATE_LOGGED_IN) {
1821 						icmdp->cmd_misc_flags |=
1822 						    ISCSI_CMD_MISCFLAG_STUCK;
1823 					}
1824 					icmdp = icmdp->cmd_next;
1825 				}
1826 				break;
1827 			}
1828 		}
1829 		mutex_exit(&isp->sess_queue_pending.mutex);
1830 
1831 		/*
1832 		 * Go to sleep until there is something new
1833 		 * to process (awoken via cv_boardcast).
1834 		 * Or the timer goes off.
1835 		 */
1836 		ret = iscsi_thread_wait(thread, tout);
1837 	}
1838 
1839 }
1840 
1841 
1842 /*
1843  * iscsi_tx_cmd - transfers icmdp across wire as iscsi pdu
1844  *
1845  * Just prior to sending the command to the networking layer the
1846  * pending queue lock will be dropped.  At this point only local
1847  * resources will be used, not the icmdp.  Holding the queue lock
1848  * across the networking call can lead to a hang.  (This is due
1849  * to the the target driver and networking layers competing use
1850  * of the timeout() resources and the queue lock being held for
1851  * both sides.)  Upon the completion of this command the lock
1852  * will have been re-acquired.
1853  */
1854 iscsi_status_t
1855 iscsi_tx_cmd(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
1856 {
1857 	iscsi_status_t	rval = ISCSI_STATUS_INTERNAL_ERROR;
1858 
1859 	ASSERT(isp != NULL);
1860 	ASSERT(icmdp != NULL);
1861 
1862 	/* transfer specific command type */
1863 	switch (icmdp->cmd_type) {
1864 	case ISCSI_CMD_TYPE_SCSI:
1865 		rval = iscsi_tx_scsi(isp, icmdp);
1866 		break;
1867 	case ISCSI_CMD_TYPE_NOP:
1868 		rval = iscsi_tx_nop(isp, icmdp);
1869 		break;
1870 	case ISCSI_CMD_TYPE_ABORT:
1871 		rval = iscsi_tx_abort(isp, icmdp);
1872 		break;
1873 	case ISCSI_CMD_TYPE_RESET:
1874 		rval = iscsi_tx_reset(isp, icmdp);
1875 		break;
1876 	case ISCSI_CMD_TYPE_LOGOUT:
1877 		rval = iscsi_tx_logout(isp, icmdp);
1878 		break;
1879 	case ISCSI_CMD_TYPE_TEXT:
1880 		rval = iscsi_tx_text(isp, icmdp);
1881 		break;
1882 	default:
1883 		cmn_err(CE_WARN, "iscsi_tx_cmd: invalid cmdtype: %d",
1884 		    icmdp->cmd_type);
1885 		ASSERT(FALSE);
1886 	}
1887 
1888 	ASSERT(!mutex_owned(&isp->sess_queue_pending.mutex));
1889 	return (rval);
1890 }
1891 
1892 /*
1893  * a variable length cdb can be up to 16K, but we obviously don't want
1894  * to put that on the stack; go with 200 bytes; if we get something
1895  * bigger than that we will kmem_alloc a buffer
1896  */
1897 #define	DEF_CDB_LEN	200
1898 
1899 /*
1900  * given the size of the cdb, return how many bytes the header takes,
1901  * which is the sizeof addl_hdr_t + the CDB size, minus the 16 bytes
1902  * stored in the basic header, minus sizeof (ahs_extscb)
1903  */
1904 #define	ADDLHDRSZ(x)		(sizeof (iscsi_addl_hdr_t) + (x) - \
1905 					16 - 4)
1906 
1907 static void
1908 iscsi_tx_init_hdr(iscsi_sess_t *isp, iscsi_conn_t *icp,
1909     iscsi_text_hdr_t *ihp, int opcode, iscsi_cmd_t *icmdp)
1910 {
1911 	ihp->opcode		= opcode;
1912 	ihp->itt		= icmdp->cmd_itt;
1913 	mutex_enter(&isp->sess_cmdsn_mutex);
1914 	icmdp->cmd_sn		= isp->sess_cmdsn;
1915 	ihp->cmdsn		= htonl(isp->sess_cmdsn);
1916 	isp->sess_cmdsn++;
1917 	mutex_exit(&isp->sess_cmdsn_mutex);
1918 	ihp->expstatsn		= htonl(icp->conn_expstatsn);
1919 	icp->conn_laststatsn = icp->conn_expstatsn;
1920 }
1921 
1922 
1923 static void
1924 iscsi_tx_scsi_data(iscsi_cmd_t *icmdp, iscsi_scsi_cmd_hdr_t *ihp,
1925     iscsi_conn_t *icp, idm_pdu_t *pdu)
1926 {
1927 	struct buf		*bp		= NULL;
1928 	size_t			buflen		= 0;
1929 	uint32_t		first_burst_length = 0;
1930 	struct scsi_pkt		*pkt;
1931 
1932 	pkt = icmdp->cmd_un.scsi.pkt;
1933 	bp = icmdp->cmd_un.scsi.bp;
1934 	if ((bp != NULL) && bp->b_bcount) {
1935 		buflen = bp->b_bcount;
1936 		first_burst_length =
1937 		    icp->conn_params.first_burst_length;
1938 
1939 		if (bp->b_flags & B_READ) {
1940 			ihp->flags = ISCSI_FLAG_FINAL;
1941 			/*
1942 			 * fix problem where OS sends bp (B_READ &
1943 			 * b_bcount!=0) for a TUR or START_STOP.
1944 			 * (comment came from cisco code.)
1945 			 */
1946 			if ((pkt->pkt_cdbp[0] != SCMD_TEST_UNIT_READY) &&
1947 			    (pkt->pkt_cdbp[0] != SCMD_START_STOP)) {
1948 				ihp->flags |= ISCSI_FLAG_CMD_READ;
1949 				ihp->data_length = htonl(buflen);
1950 			}
1951 		} else {
1952 			ihp->flags = ISCSI_FLAG_CMD_WRITE;
1953 			/*
1954 			 * FinalBit on the the iSCSI PDU denotes this
1955 			 * is the last PDU in the sequence.
1956 			 *
1957 			 * initial_r2t = true means R2T is required
1958 			 * for additional PDU, so there will be no more
1959 			 * unsolicited PDUs following
1960 			 */
1961 			if (icp->conn_params.initial_r2t) {
1962 				ihp->flags |= ISCSI_FLAG_FINAL;
1963 			}
1964 
1965 			/* Check if we should send ImmediateData */
1966 			if (icp->conn_params.immediate_data) {
1967 				pdu->isp_data =
1968 				    (uint8_t *)icmdp->
1969 				    cmd_un.scsi.bp->b_un.b_addr;
1970 
1971 				pdu->isp_datalen = MIN(MIN(buflen,
1972 				    first_burst_length),
1973 				    icmdp->cmd_conn->conn_params.
1974 				    max_xmit_data_seg_len);
1975 
1976 				/*
1977 				 * if everything fits immediate, or
1978 				 * we can send all burst data immediate
1979 				 * (not unsol), set F
1980 				 */
1981 				/*
1982 				 * XXX This doesn't look right -- it's not
1983 				 * clear how we can handle transmitting
1984 				 * any unsolicited data.  It looks like
1985 				 * we only support immediate data.  So what
1986 				 * happens if we don't set ISCSI_FLAG_FINAL?
1987 				 *
1988 				 * Unless there's magic code somewhere that
1989 				 * is sending the remaining PDU's we should
1990 				 * simply set ISCSI_FLAG_FINAL and forget
1991 				 * about sending unsolicited data.  The big
1992 				 * win is the immediate data anyway for small
1993 				 * PDU's.
1994 				 */
1995 				if ((pdu->isp_datalen == buflen) ||
1996 				    (pdu->isp_datalen == first_burst_length)) {
1997 					ihp->flags |= ISCSI_FLAG_FINAL;
1998 				}
1999 
2000 				hton24(ihp->dlength, pdu->isp_datalen);
2001 			}
2002 			/* total data transfer length */
2003 			ihp->data_length = htonl(buflen);
2004 		}
2005 	} else {
2006 		ihp->flags = ISCSI_FLAG_FINAL;
2007 	}
2008 	icmdp->cmd_un.scsi.data_transferred += pdu->isp_datalen;
2009 	/* XXX How is this different from the code above? */
2010 	/* will idm send the next data command up to burst length? */
2011 	/* send the burstlen if we haven't sent immediate data */
2012 	/* CRM: should idm send difference min(buflen, first_burst) and  imm? */
2013 	/*    (MIN(first_burst_length, buflen) - imdata > 0) */
2014 	/* CRM_LATER: change this to generate unsolicited pdu */
2015 	if ((buflen > 0) &&
2016 	    ((bp->b_flags & B_READ) == 0) &&
2017 	    (icp->conn_params.initial_r2t == 0) &&
2018 	    pdu->isp_datalen == 0) {
2019 
2020 		pdu->isp_datalen = MIN(first_burst_length, buflen);
2021 		if ((pdu->isp_datalen == buflen) ||
2022 		    (pdu->isp_datalen == first_burst_length)) {
2023 			ihp->flags |= ISCSI_FLAG_FINAL;
2024 		}
2025 		pdu->isp_data = (uint8_t *)icmdp->cmd_un.scsi.bp->b_un.b_addr;
2026 		hton24(ihp->dlength, pdu->isp_datalen);
2027 	}
2028 }
2029 
2030 static void
2031 iscsi_tx_scsi_init_pkt(iscsi_cmd_t *icmdp, iscsi_scsi_cmd_hdr_t *ihp)
2032 {
2033 	struct scsi_pkt *pkt;
2034 
2035 	pkt = icmdp->cmd_un.scsi.pkt;
2036 	pkt->pkt_state = (STATE_GOT_BUS | STATE_GOT_TARGET);
2037 	pkt->pkt_reason = CMD_INCOMPLETE;
2038 
2039 	/* tagged queuing */
2040 	if (pkt->pkt_flags & FLAG_HTAG) {
2041 		ihp->flags |= ISCSI_ATTR_HEAD_OF_QUEUE;
2042 	} else if (pkt->pkt_flags & FLAG_OTAG) {
2043 		ihp->flags |= ISCSI_ATTR_ORDERED;
2044 	} else if (pkt->pkt_flags & FLAG_STAG) {
2045 		ihp->flags |= ISCSI_ATTR_SIMPLE;
2046 	} else {
2047 		/* ihp->flags |= ISCSI_ATTR_UNTAGGED; */
2048 		/* EMPTY */
2049 	}
2050 
2051 	/* iscsi states lun is based on spc.2 */
2052 	ISCSI_LUN_BYTE_COPY(ihp->lun, icmdp->cmd_un.scsi.lun);
2053 
2054 	if (icmdp->cmd_un.scsi.cmdlen <= 16) {
2055 		/* copy the SCSI Command Block into the PDU */
2056 		bcopy(pkt->pkt_cdbp, ihp->scb,
2057 		    icmdp->cmd_un.scsi.cmdlen);
2058 	} else {
2059 		iscsi_addl_hdr_t *iahp;
2060 
2061 		iahp = (iscsi_addl_hdr_t *)ihp;
2062 
2063 		ihp->hlength = (ADDLHDRSZ(icmdp->cmd_un.scsi.cmdlen) -
2064 		    sizeof (iscsi_scsi_cmd_hdr_t) + 3) / 4;
2065 		iahp->ahs_hlen_hi = 0;
2066 		iahp->ahs_hlen_lo = (icmdp->cmd_un.scsi.cmdlen - 15);
2067 		iahp->ahs_key = 0x01;
2068 		iahp->ahs_resv = 0;
2069 		bcopy(pkt->pkt_cdbp, ihp->scb, 16);
2070 		bcopy(((char *)pkt->pkt_cdbp) + 16, &iahp->ahs_extscb[0],
2071 		    icmdp->cmd_un.scsi.cmdlen);
2072 	}
2073 
2074 	/*
2075 	 * Update all values before transfering.
2076 	 * We should never touch the icmdp after
2077 	 * transfering if there is no more data
2078 	 * to send.  The only case the idm_pdu_tx()
2079 	 * will fail is a on a connection disconnect
2080 	 * in that case the command will be flushed.
2081 	 */
2082 	pkt->pkt_state |= STATE_SENT_CMD;
2083 }
2084 
2085 static void
2086 iscsi_tx_scsi_init_task(iscsi_cmd_t *icmdp, iscsi_conn_t *icp,
2087     iscsi_scsi_cmd_hdr_t *ihp)
2088 {
2089 	idm_task_t		*itp;
2090 	struct buf		*bp		= NULL;
2091 	uint32_t		data_length;
2092 
2093 	bp = icmdp->cmd_un.scsi.bp;
2094 
2095 	itp = icmdp->cmd_itp;
2096 	ASSERT(itp != NULL);
2097 	data_length = ntohl(ihp->data_length);
2098 	ISCSI_IO_LOG(CE_NOTE,
2099 	    "DEBUG: iscsi_tx_init_task: task_start: %p idt_tt: %x cmdsn: %x "
2100 	    "sess_cmdsn: %x cmd: %p "
2101 	    "cmdtype: %d datalen: %u",
2102 	    (void *)itp, itp->idt_tt, ihp->cmdsn, icp->conn_sess->sess_cmdsn,
2103 	    (void *)icmdp, icmdp->cmd_type, data_length);
2104 	if (data_length > 0) {
2105 		if (bp->b_flags & B_READ) {
2106 			icmdp->cmd_un.scsi.ibp_ibuf =
2107 			    idm_buf_alloc(icp->conn_ic,
2108 			    bp->b_un.b_addr, bp->b_bcount);
2109 			if (icmdp->cmd_un.scsi.ibp_ibuf)
2110 				idm_buf_bind_in(itp,
2111 				    icmdp->cmd_un.scsi.ibp_ibuf);
2112 		} else {
2113 			icmdp->cmd_un.scsi.ibp_obuf =
2114 			    idm_buf_alloc(icp->conn_ic,
2115 			    bp->b_un.b_addr, bp->b_bcount);
2116 			if (icmdp->cmd_un.scsi.ibp_obuf)
2117 				idm_buf_bind_out(itp,
2118 				    icmdp->cmd_un.scsi.ibp_obuf);
2119 		}
2120 		ISCSI_IO_LOG(CE_NOTE,
2121 		    "DEBUG: pdu_tx: task_start(%s): %p ic: %p idt_tt: %x "
2122 		    "cmdsn: %x sess_cmdsn: %x sess_expcmdsn: %x obuf: %p "
2123 		    "cmdp: %p cmdtype: %d "
2124 		    "buflen: %lu " "bpaddr: %p datalen: %u ",
2125 		    bp->b_flags & B_READ ? "B_READ" : "B_WRITE",
2126 		    (void *)itp, (void *)icp->conn_ic,
2127 		    itp->idt_tt, ihp->cmdsn,
2128 		    icp->conn_sess->sess_cmdsn,
2129 		    icp->conn_sess->sess_expcmdsn,
2130 		    (void *)icmdp->cmd_un.scsi.ibp_ibuf,
2131 		    (void *)icmdp, icmdp->cmd_type, bp->b_bcount,
2132 		    (void *)bp->b_un.b_addr,
2133 		    data_length);
2134 	}
2135 
2136 	/*
2137 	 * Task is now active
2138 	 */
2139 	idm_task_start(itp, ISCSI_INI_TASK_TTT);
2140 }
2141 
2142 /*
2143  * iscsi_tx_scsi -
2144  *
2145  */
2146 static iscsi_status_t
2147 iscsi_tx_scsi(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2148 {
2149 	iscsi_status_t		rval		= ISCSI_STATUS_SUCCESS;
2150 	iscsi_conn_t		*icp		= NULL;
2151 	struct scsi_pkt		*pkt		= NULL;
2152 	iscsi_scsi_cmd_hdr_t	*ihp		= NULL;
2153 	int			cdblen		= 0;
2154 	idm_pdu_t		*pdu;
2155 	int			len;
2156 
2157 	ASSERT(isp != NULL);
2158 	ASSERT(icmdp != NULL);
2159 
2160 	pdu = kmem_zalloc(sizeof (idm_pdu_t), KM_SLEEP);
2161 
2162 	pkt = icmdp->cmd_un.scsi.pkt;
2163 	ASSERT(pkt != NULL);
2164 	icp = icmdp->cmd_conn;
2165 	ASSERT(icp != NULL);
2166 
2167 	/* Reset counts in case we are on a retry */
2168 	icmdp->cmd_un.scsi.data_transferred = 0;
2169 
2170 	if (icmdp->cmd_un.scsi.cmdlen > DEF_CDB_LEN) {
2171 		cdblen = icmdp->cmd_un.scsi.cmdlen;
2172 		ihp = kmem_zalloc(ADDLHDRSZ(cdblen), KM_SLEEP);
2173 		len = ADDLHDRSZ(cdblen);
2174 	} else {
2175 		/*
2176 		 * only bzero the basic header; the additional header
2177 		 * will be set up correctly later, if needed
2178 		 */
2179 		ihp = kmem_zalloc(sizeof (iscsi_scsi_cmd_hdr_t), KM_SLEEP);
2180 		len = sizeof (iscsi_scsi_cmd_hdr_t);
2181 	}
2182 
2183 	iscsi_tx_init_hdr(isp, icp, (iscsi_text_hdr_t *)ihp,
2184 	    ISCSI_OP_SCSI_CMD, icmdp);
2185 
2186 	idm_pdu_init(pdu, icp->conn_ic, (void *)icmdp, &iscsi_tx_done);
2187 	idm_pdu_init_hdr(pdu, (uint8_t *)ihp, len);
2188 	pdu->isp_data = NULL;
2189 	pdu->isp_datalen = 0;
2190 
2191 	/*
2192 	 * Sestion 12.11 of the iSCSI specification has a good table
2193 	 * describing when uncolicited data and/or immediate data
2194 	 * should be sent.
2195 	 */
2196 
2197 	iscsi_tx_scsi_data(icmdp, ihp, icp, pdu);
2198 
2199 	iscsi_tx_scsi_init_pkt(icmdp, ihp);
2200 
2201 	/* Calls idm_task_start */
2202 	iscsi_tx_scsi_init_task(icmdp, icp, ihp);
2203 
2204 	mutex_exit(&isp->sess_queue_pending.mutex);
2205 
2206 	idm_pdu_tx(pdu);
2207 
2208 	icmdp->cmd_misc_flags |= ISCSI_CMD_MISCFLAG_SENT;
2209 
2210 	return (rval);
2211 }
2212 
2213 
2214 /* ARGSUSED */
2215 static void
2216 iscsi_tx_done(idm_pdu_t *pdu, idm_status_t status)
2217 {
2218 	kmem_free((iscsi_hdr_t *)pdu->isp_hdr, pdu->isp_hdrlen);
2219 	kmem_free(pdu, sizeof (idm_pdu_t));
2220 }
2221 
2222 
2223 static void
2224 iscsi_tx_pdu(iscsi_conn_t *icp, int opcode, void *hdr, int hdrlen,
2225     iscsi_cmd_t *icmdp)
2226 {
2227 	idm_pdu_t	*tx_pdu;
2228 	iscsi_hdr_t	*ihp = (iscsi_hdr_t *)hdr;
2229 
2230 	tx_pdu = kmem_zalloc(sizeof (idm_pdu_t), KM_SLEEP);
2231 	ASSERT(tx_pdu != NULL);
2232 
2233 	idm_pdu_init(tx_pdu, icp->conn_ic, icmdp, &iscsi_tx_done);
2234 	idm_pdu_init_hdr(tx_pdu, hdr, hdrlen);
2235 	if (opcode == ISCSI_OP_TEXT_CMD) {
2236 		idm_pdu_init_data(tx_pdu,
2237 		    (uint8_t *)icmdp->cmd_un.text.buf,
2238 		    ntoh24(ihp->dlength));
2239 	}
2240 
2241 	mutex_exit(&icp->conn_sess->sess_queue_pending.mutex);
2242 	idm_pdu_tx(tx_pdu);
2243 	icmdp->cmd_misc_flags |= ISCSI_CMD_MISCFLAG_SENT;
2244 }
2245 
2246 
2247 /*
2248  * iscsi_tx_nop -
2249  *
2250  */
2251 static iscsi_status_t
2252 iscsi_tx_nop(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2253 {
2254 	iscsi_status_t		rval	= ISCSI_STATUS_SUCCESS;
2255 	iscsi_conn_t		*icp	= NULL;
2256 	iscsi_nop_out_hdr_t	*inohp;
2257 
2258 	ASSERT(isp != NULL);
2259 	ASSERT(icmdp != NULL);
2260 	icp = icmdp->cmd_conn;
2261 	ASSERT(icp != NULL);
2262 
2263 	inohp = kmem_zalloc(sizeof (iscsi_nop_out_hdr_t), KM_SLEEP);
2264 	ASSERT(inohp != NULL);
2265 
2266 	inohp->opcode	= ISCSI_OP_NOOP_OUT | ISCSI_OP_IMMEDIATE;
2267 	inohp->flags	= ISCSI_FLAG_FINAL;
2268 	inohp->itt	= icmdp->cmd_itt;
2269 	inohp->ttt	= icmdp->cmd_ttt;
2270 	mutex_enter(&isp->sess_cmdsn_mutex);
2271 	icmdp->cmd_sn	= isp->sess_cmdsn;
2272 	inohp->cmdsn	= htonl(isp->sess_cmdsn);
2273 	mutex_exit(&isp->sess_cmdsn_mutex);
2274 	inohp->expstatsn	= htonl(icp->conn_expstatsn);
2275 	icp->conn_laststatsn = icp->conn_expstatsn;
2276 	iscsi_tx_pdu(icp, ISCSI_OP_NOOP_OUT, inohp,
2277 	    sizeof (iscsi_nop_out_hdr_t), icmdp);
2278 	return (rval);
2279 }
2280 
2281 
2282 /*
2283  * iscsi_tx_abort -
2284  *
2285  */
2286 static iscsi_status_t
2287 iscsi_tx_abort(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2288 {
2289 	iscsi_status_t			rval	= ISCSI_STATUS_SUCCESS;
2290 	iscsi_conn_t			*icp	= NULL;
2291 	iscsi_scsi_task_mgt_hdr_t	*istmh;
2292 
2293 	ASSERT(isp != NULL);
2294 	ASSERT(icmdp != NULL);
2295 	icp = icmdp->cmd_conn;
2296 	ASSERT(icp != NULL);
2297 
2298 	istmh = kmem_zalloc(sizeof (iscsi_scsi_task_mgt_hdr_t), KM_SLEEP);
2299 	ASSERT(istmh != NULL);
2300 	mutex_enter(&isp->sess_cmdsn_mutex);
2301 	icmdp->cmd_sn	= isp->sess_cmdsn;
2302 	istmh->cmdsn	= htonl(isp->sess_cmdsn);
2303 	mutex_exit(&isp->sess_cmdsn_mutex);
2304 	istmh->expstatsn = htonl(icp->conn_expstatsn);
2305 	icp->conn_laststatsn = icp->conn_expstatsn;
2306 	istmh->itt	= icmdp->cmd_itt;
2307 	istmh->opcode	= ISCSI_OP_SCSI_TASK_MGT_MSG | ISCSI_OP_IMMEDIATE;
2308 	istmh->function	= ISCSI_FLAG_FINAL | ISCSI_TM_FUNC_ABORT_TASK;
2309 	ISCSI_LUN_BYTE_COPY(istmh->lun,
2310 	    icmdp->cmd_un.abort.icmdp->cmd_un.scsi.lun);
2311 	istmh->rtt	= icmdp->cmd_un.abort.icmdp->cmd_itt;
2312 	iscsi_tx_pdu(icp, ISCSI_OP_SCSI_TASK_MGT_MSG, istmh,
2313 	    sizeof (iscsi_scsi_task_mgt_hdr_t), icmdp);
2314 
2315 	return (rval);
2316 }
2317 
2318 
2319 /*
2320  * iscsi_tx_reset -
2321  *
2322  */
2323 static iscsi_status_t
2324 iscsi_tx_reset(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2325 {
2326 	iscsi_status_t			rval	= ISCSI_STATUS_SUCCESS;
2327 	iscsi_conn_t			*icp	= NULL;
2328 	iscsi_scsi_task_mgt_hdr_t	*istmh;
2329 
2330 	ASSERT(isp != NULL);
2331 	ASSERT(icmdp != NULL);
2332 	icp = icmdp->cmd_conn;
2333 	ASSERT(icp != NULL);
2334 
2335 	istmh = kmem_zalloc(sizeof (iscsi_scsi_task_mgt_hdr_t), KM_SLEEP);
2336 	ASSERT(istmh != NULL);
2337 	istmh->opcode	= ISCSI_OP_SCSI_TASK_MGT_MSG | ISCSI_OP_IMMEDIATE;
2338 	mutex_enter(&isp->sess_cmdsn_mutex);
2339 	icmdp->cmd_sn	= isp->sess_cmdsn;
2340 	istmh->cmdsn	= htonl(isp->sess_cmdsn);
2341 	mutex_exit(&isp->sess_cmdsn_mutex);
2342 	istmh->expstatsn	= htonl(icp->conn_expstatsn);
2343 	istmh->itt	= icmdp->cmd_itt;
2344 
2345 	switch (icmdp->cmd_un.reset.level) {
2346 	case RESET_LUN:
2347 		istmh->function	= ISCSI_FLAG_FINAL |
2348 		    ISCSI_TM_FUNC_LOGICAL_UNIT_RESET;
2349 		ISCSI_LUN_BYTE_COPY(istmh->lun, icmdp->cmd_lun->lun_num);
2350 		break;
2351 	case RESET_TARGET:
2352 	case RESET_BUS:
2353 		istmh->function	= ISCSI_FLAG_FINAL |
2354 		    ISCSI_TM_FUNC_TARGET_WARM_RESET;
2355 		break;
2356 	default:
2357 		/* unsupported / unknown level */
2358 		ASSERT(FALSE);
2359 		break;
2360 	}
2361 
2362 	iscsi_tx_pdu(icp, ISCSI_OP_SCSI_TASK_MGT_MSG, istmh,
2363 	    sizeof (iscsi_scsi_task_mgt_hdr_t), icmdp);
2364 
2365 	return (rval);
2366 }
2367 
2368 
2369 /*
2370  * iscsi_tx_logout -
2371  *
2372  */
2373 static iscsi_status_t
2374 iscsi_tx_logout(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2375 {
2376 	iscsi_status_t		rval	= ISCSI_STATUS_SUCCESS;
2377 	iscsi_conn_t		*icp	= NULL;
2378 	iscsi_logout_hdr_t	*ilh;
2379 
2380 	ASSERT(isp != NULL);
2381 	ASSERT(icmdp != NULL);
2382 	icp = icmdp->cmd_conn;
2383 	ASSERT(icp != NULL);
2384 
2385 	ilh = kmem_zalloc(sizeof (iscsi_logout_hdr_t), KM_SLEEP);
2386 	ilh->opcode	= ISCSI_OP_LOGOUT_CMD | ISCSI_OP_IMMEDIATE;
2387 	ilh->flags	= ISCSI_FLAG_FINAL | ISCSI_LOGOUT_REASON_CLOSE_SESSION;
2388 	ilh->itt		= icmdp->cmd_itt;
2389 	ilh->cid		= icp->conn_cid;
2390 	mutex_enter(&isp->sess_cmdsn_mutex);
2391 	icmdp->cmd_sn	= isp->sess_cmdsn;
2392 	ilh->cmdsn	= htonl(isp->sess_cmdsn);
2393 	mutex_exit(&isp->sess_cmdsn_mutex);
2394 	ilh->expstatsn	= htonl(icp->conn_expstatsn);
2395 	iscsi_tx_pdu(icp, ISCSI_OP_LOGOUT_CMD, ilh,
2396 	    sizeof (iscsi_logout_hdr_t), icmdp);
2397 
2398 	return (rval);
2399 }
2400 
2401 /*
2402  * iscsi_tx_text - setup iSCSI text request header and send PDU with
2403  * data given in the buffer attached to the command.  For a single
2404  * text request, the target may need to send its response in multiple
2405  * text response.  In this case, empty text requests are sent after
2406  * each received response to notify the target the initiator is ready
2407  * for more response.  For the initial request, the data_len field in
2408  * the text specific portion of a command is set to the amount of data
2409  * the initiator wants to send as part of the request. If additional
2410  * empty text requests are required for long responses, the data_len
2411  * field is set to 0 by the iscsi_handle_text function.
2412  */
2413 static iscsi_status_t
2414 iscsi_tx_text(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
2415 {
2416 	iscsi_status_t		rval	= ISCSI_STATUS_SUCCESS;
2417 	iscsi_conn_t		*icp	= NULL;
2418 	iscsi_text_hdr_t	*ith;
2419 
2420 	ASSERT(icmdp != NULL);
2421 	icp = icmdp->cmd_conn;
2422 	ASSERT(icp != NULL);
2423 
2424 	ith = kmem_zalloc(sizeof (iscsi_text_hdr_t), KM_SLEEP);
2425 	ASSERT(ith != NULL);
2426 	ith->flags	= ISCSI_FLAG_FINAL;
2427 	hton24(ith->dlength, icmdp->cmd_un.text.data_len);
2428 	ith->ttt		= icmdp->cmd_un.text.ttt;
2429 	iscsi_tx_init_hdr(isp, icp, (iscsi_text_hdr_t *)ith,
2430 	    ISCSI_OP_TEXT_CMD, icmdp);
2431 	bcopy(icmdp->cmd_un.text.lun, ith->rsvd4, sizeof (ith->rsvd4));
2432 
2433 	iscsi_tx_pdu(icp, ISCSI_OP_TEXT_CMD, ith, sizeof (iscsi_text_hdr_t),
2434 	    icmdp);
2435 
2436 	return (rval);
2437 }
2438 
2439 /*
2440  * +--------------------------------------------------------------------+
2441  * | End of protocol send routines					|
2442  * +--------------------------------------------------------------------+
2443  */
2444 
2445 /*
2446  * iscsi_handle_abort -
2447  *
2448  */
2449 void
2450 iscsi_handle_abort(void *arg)
2451 {
2452 	iscsi_sess_t	*isp		= NULL;
2453 	iscsi_cmd_t	*icmdp		= (iscsi_cmd_t *)arg;
2454 	iscsi_cmd_t	*new_icmdp;
2455 	iscsi_conn_t	*icp;
2456 
2457 	ASSERT(icmdp != NULL);
2458 	icp = icmdp->cmd_conn;
2459 	ASSERT(icp != NULL);
2460 	isp = icp->conn_sess;
2461 	ASSERT(isp != NULL);
2462 
2463 	/* there should only be one abort */
2464 	ASSERT(icmdp->cmd_un.scsi.abort_icmdp == NULL);
2465 
2466 	new_icmdp = iscsi_cmd_alloc(icp, KM_SLEEP);
2467 	new_icmdp->cmd_type		    = ISCSI_CMD_TYPE_ABORT;
2468 	new_icmdp->cmd_lun		    = icmdp->cmd_lun;
2469 	new_icmdp->cmd_un.abort.icmdp	    = icmdp;
2470 	new_icmdp->cmd_conn		    = icmdp->cmd_conn;
2471 	icmdp->cmd_un.scsi.abort_icmdp	    = new_icmdp;
2472 
2473 	/* pending queue mutex is already held by timeout_checks */
2474 	iscsi_cmd_state_machine(new_icmdp, ISCSI_CMD_EVENT_E1, isp);
2475 }
2476 
2477 /*
2478  * Callback from IDM indicating that the task has been suspended or aborted.
2479  */
2480 void
2481 iscsi_task_aborted(idm_task_t *idt, idm_status_t status)
2482 {
2483 	iscsi_cmd_t *icmdp = idt->idt_private;
2484 	iscsi_conn_t *icp = icmdp->cmd_conn;
2485 	iscsi_sess_t *isp = icp->conn_sess;
2486 
2487 	ASSERT(icmdp->cmd_conn != NULL);
2488 
2489 	switch (status) {
2490 	case IDM_STATUS_SUSPENDED:
2491 		/*
2492 		 * If the task is suspended, it may be aborted later,
2493 		 * so we can ignore this notification.
2494 		 */
2495 		break;
2496 
2497 	case IDM_STATUS_ABORTED:
2498 		mutex_enter(&icp->conn_queue_active.mutex);
2499 		iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E9, isp);
2500 		mutex_exit(&icp->conn_queue_active.mutex);
2501 		break;
2502 
2503 	default:
2504 		/*
2505 		 * Unexpected status.
2506 		 */
2507 		ASSERT(0);
2508 	}
2509 
2510 }
2511 
2512 /*
2513  * iscsi_handle_nop -
2514  *
2515  */
2516 static void
2517 iscsi_handle_nop(iscsi_conn_t *icp, uint32_t itt, uint32_t ttt)
2518 {
2519 	iscsi_sess_t	*isp	= NULL;
2520 	iscsi_cmd_t	*icmdp	= NULL;
2521 
2522 	ASSERT(icp != NULL);
2523 	isp = icp->conn_sess;
2524 	ASSERT(isp != NULL);
2525 
2526 	icmdp = iscsi_cmd_alloc(icp, KM_NOSLEEP);
2527 	if (icmdp == NULL) {
2528 		return;
2529 	}
2530 
2531 	icmdp->cmd_type		= ISCSI_CMD_TYPE_NOP;
2532 	icmdp->cmd_itt		= itt;
2533 	icmdp->cmd_ttt		= ttt;
2534 	icmdp->cmd_lun		= NULL;
2535 	icp->conn_nop_lbolt	= ddi_get_lbolt();
2536 
2537 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E1, isp);
2538 }
2539 
2540 /*
2541  * iscsi_handle_reset - send reset request to the target
2542  *
2543  */
2544 iscsi_status_t
2545 iscsi_handle_reset(iscsi_sess_t *isp, int level, iscsi_lun_t *ilp)
2546 {
2547 	iscsi_status_t	rval	= ISCSI_STATUS_SUCCESS;
2548 	iscsi_conn_t	*icp;
2549 	iscsi_cmd_t	icmd;
2550 
2551 	ASSERT(isp != NULL);
2552 
2553 	if (level == RESET_LUN) {
2554 		rw_enter(&isp->sess_lun_list_rwlock, RW_WRITER);
2555 		ASSERT(ilp != NULL);
2556 		if (ilp->lun_state & ISCSI_LUN_STATE_BUSY) {
2557 			rw_exit(&isp->sess_lun_list_rwlock);
2558 			return (ISCSI_STATUS_SUCCESS);
2559 		}
2560 		ilp->lun_state |= ISCSI_LUN_STATE_BUSY;
2561 		rw_exit(&isp->sess_lun_list_rwlock);
2562 	} else {
2563 		mutex_enter(&isp->sess_reset_mutex);
2564 		if (isp->sess_reset_in_progress == B_TRUE) {
2565 			/*
2566 			 * If the reset is in progress, it is unnecessary
2567 			 * to send reset to the target redunantly.
2568 			 */
2569 			mutex_exit(&isp->sess_reset_mutex);
2570 			return (ISCSI_STATUS_SUCCESS);
2571 		}
2572 		isp->sess_reset_in_progress = B_TRUE;
2573 		mutex_exit(&isp->sess_reset_mutex);
2574 	}
2575 
2576 	bzero(&icmd, sizeof (iscsi_cmd_t));
2577 	icmd.cmd_sig		= ISCSI_SIG_CMD;
2578 	icmd.cmd_state		= ISCSI_CMD_STATE_FREE;
2579 	icmd.cmd_type		= ISCSI_CMD_TYPE_RESET;
2580 	icmd.cmd_lun		= ilp;
2581 	icmd.cmd_un.reset.level	= level;
2582 	icmd.cmd_result		= ISCSI_STATUS_SUCCESS;
2583 	icmd.cmd_completed	= B_FALSE;
2584 	icmd.cmd_un.reset.response = SCSI_TCP_TM_RESP_COMPLETE;
2585 
2586 	mutex_init(&icmd.cmd_mutex, NULL, MUTEX_DRIVER, NULL);
2587 	cv_init(&icmd.cmd_completion, NULL, CV_DRIVER, NULL);
2588 	/*
2589 	 * If we received an IO and we are not in the
2590 	 * LOGGED_IN state we are in the process of
2591 	 * failing.  Just respond that we are BUSY.
2592 	 */
2593 	rw_enter(&isp->sess_state_rwlock, RW_READER);
2594 	if (!ISCSI_SESS_STATE_FULL_FEATURE(isp->sess_state)) {
2595 		/* We aren't connected to the target fake success */
2596 		rw_exit(&isp->sess_state_rwlock);
2597 
2598 		if (level == RESET_LUN) {
2599 			rw_enter(&isp->sess_lun_list_rwlock, RW_WRITER);
2600 			ilp->lun_state &= ~ISCSI_LUN_STATE_BUSY;
2601 			rw_exit(&isp->sess_lun_list_rwlock);
2602 		} else {
2603 			mutex_enter(&isp->sess_reset_mutex);
2604 			isp->sess_reset_in_progress = B_FALSE;
2605 			mutex_exit(&isp->sess_reset_mutex);
2606 		}
2607 
2608 		return (ISCSI_STATUS_SUCCESS);
2609 	}
2610 
2611 	mutex_enter(&isp->sess_queue_pending.mutex);
2612 	iscsi_cmd_state_machine(&icmd, ISCSI_CMD_EVENT_E1, isp);
2613 	mutex_exit(&isp->sess_queue_pending.mutex);
2614 	rw_exit(&isp->sess_state_rwlock);
2615 
2616 	/* stall until completed */
2617 	mutex_enter(&icmd.cmd_mutex);
2618 	while (icmd.cmd_completed == B_FALSE) {
2619 		cv_wait(&icmd.cmd_completion, &icmd.cmd_mutex);
2620 	}
2621 	mutex_exit(&icmd.cmd_mutex);
2622 
2623 	/* copy rval */
2624 	rval = icmd.cmd_result;
2625 
2626 	if (rval == ISCSI_STATUS_SUCCESS) {
2627 		/*
2628 		 * Reset was successful.  We need to flush
2629 		 * all active IOs.
2630 		 */
2631 		rw_enter(&isp->sess_conn_list_rwlock, RW_READER);
2632 		icp = isp->sess_conn_list;
2633 		while (icp != NULL) {
2634 			iscsi_cmd_t *t_icmdp = NULL;
2635 			iscsi_cmd_t *next_icmdp = NULL;
2636 
2637 			mutex_enter(&icp->conn_queue_active.mutex);
2638 			t_icmdp = icp->conn_queue_active.head;
2639 			while (t_icmdp != NULL) {
2640 				next_icmdp = t_icmdp->cmd_next;
2641 				mutex_enter(&t_icmdp->cmd_mutex);
2642 				if (!(t_icmdp->cmd_misc_flags &
2643 				    ISCSI_CMD_MISCFLAG_SENT)) {
2644 					/*
2645 					 * Although this command is in the
2646 					 * active queue, it has not been sent.
2647 					 * Skip it.
2648 					 */
2649 					mutex_exit(&t_icmdp->cmd_mutex);
2650 					t_icmdp = next_icmdp;
2651 					continue;
2652 				}
2653 				if (level == RESET_LUN) {
2654 					if (icmd.cmd_lun == NULL ||
2655 					    t_icmdp->cmd_lun == NULL ||
2656 					    (icmd.cmd_lun->lun_num !=
2657 					    t_icmdp->cmd_lun->lun_num)) {
2658 						mutex_exit(&t_icmdp->cmd_mutex);
2659 						t_icmdp = next_icmdp;
2660 						continue;
2661 					}
2662 				}
2663 
2664 				if (icmd.cmd_sn == t_icmdp->cmd_sn) {
2665 					/*
2666 					 * This command may be replied with
2667 					 * UA sense key later. So currently
2668 					 * it is not a suitable time to flush
2669 					 * it. Mark its flag with FLUSH. There
2670 					 * is no harm to keep it for a while.
2671 					 */
2672 					t_icmdp->cmd_misc_flags |=
2673 					    ISCSI_CMD_MISCFLAG_FLUSH;
2674 					if (t_icmdp->cmd_type ==
2675 					    ISCSI_CMD_TYPE_SCSI) {
2676 						t_icmdp->cmd_un.scsi.pkt_stat |=
2677 						    STAT_BUS_RESET;
2678 					}
2679 					mutex_exit(&t_icmdp->cmd_mutex);
2680 				} else if ((icmd.cmd_sn > t_icmdp->cmd_sn) ||
2681 				    ((t_icmdp->cmd_sn - icmd.cmd_sn) >
2682 				    ISCSI_CMD_SN_WRAP)) {
2683 					/*
2684 					 * This reset request must act on all
2685 					 * the commnds from the same session
2686 					 * having a CmdSN lower than the task
2687 					 * mangement CmdSN. So flush these
2688 					 * commands here.
2689 					 */
2690 					if (t_icmdp->cmd_type ==
2691 					    ISCSI_CMD_TYPE_SCSI) {
2692 						t_icmdp->cmd_un.scsi.pkt_stat |=
2693 						    STAT_BUS_RESET;
2694 					}
2695 					mutex_exit(&t_icmdp->cmd_mutex);
2696 					iscsi_cmd_state_machine(t_icmdp,
2697 					    ISCSI_CMD_EVENT_E7, isp);
2698 				} else {
2699 					mutex_exit(&t_icmdp->cmd_mutex);
2700 				}
2701 
2702 				t_icmdp = next_icmdp;
2703 			}
2704 
2705 			mutex_exit(&icp->conn_queue_active.mutex);
2706 			icp = icp->conn_next;
2707 		}
2708 		rw_exit(&isp->sess_conn_list_rwlock);
2709 	}
2710 
2711 	/* clean up */
2712 	cv_destroy(&icmd.cmd_completion);
2713 	mutex_destroy(&icmd.cmd_mutex);
2714 
2715 	if (level == RESET_LUN) {
2716 		rw_enter(&isp->sess_lun_list_rwlock, RW_WRITER);
2717 		ilp->lun_state &= ~ISCSI_LUN_STATE_BUSY;
2718 		rw_exit(&isp->sess_lun_list_rwlock);
2719 	} else {
2720 		mutex_enter(&isp->sess_reset_mutex);
2721 		isp->sess_reset_in_progress = B_FALSE;
2722 		mutex_exit(&isp->sess_reset_mutex);
2723 	}
2724 
2725 	return (rval);
2726 }
2727 
2728 /*
2729  * iscsi_logout_start - task handler for deferred logout
2730  * Acquire a hold before call, released in iscsi_handle_logout
2731  */
2732 static void
2733 iscsi_logout_start(void *arg)
2734 {
2735 	iscsi_task_t		*itp = (iscsi_task_t *)arg;
2736 	iscsi_conn_t		*icp;
2737 
2738 	icp = (iscsi_conn_t *)itp->t_arg;
2739 
2740 	mutex_enter(&icp->conn_state_mutex);
2741 	(void) iscsi_handle_logout(icp);
2742 	mutex_exit(&icp->conn_state_mutex);
2743 }
2744 
2745 /*
2746  * iscsi_handle_logout - This function will issue a logout for
2747  * the session from a specific connection.
2748  * Acquire idm_conn_hold before call.  Released internally.
2749  */
2750 iscsi_status_t
2751 iscsi_handle_logout(iscsi_conn_t *icp)
2752 {
2753 	iscsi_sess_t	*isp;
2754 	idm_conn_t	*ic;
2755 	iscsi_cmd_t	*icmdp;
2756 	int		rval;
2757 
2758 	ASSERT(icp != NULL);
2759 	isp = icp->conn_sess;
2760 	ic = icp->conn_ic;
2761 	ASSERT(isp != NULL);
2762 	ASSERT(isp->sess_hba != NULL);
2763 	ASSERT(mutex_owned(&icp->conn_state_mutex));
2764 
2765 	/*
2766 	 * If the connection has already gone down (e.g. if the transport
2767 	 * failed between when this LOGOUT was generated and now) then we
2768 	 * can and must skip sending the LOGOUT.  Check the same condition
2769 	 * we use below to determine that connection has "settled".
2770 	 */
2771 	if ((icp->conn_state == ISCSI_CONN_STATE_FREE) ||
2772 	    (icp->conn_state == ISCSI_CONN_STATE_FAILED) ||
2773 	    (icp->conn_state == ISCSI_CONN_STATE_POLLING)) {
2774 		idm_conn_rele(ic);
2775 		return (0);
2776 	}
2777 
2778 	icmdp = iscsi_cmd_alloc(icp, KM_SLEEP);
2779 	ASSERT(icmdp != NULL);
2780 	icmdp->cmd_type		= ISCSI_CMD_TYPE_LOGOUT;
2781 	icmdp->cmd_result	= ISCSI_STATUS_SUCCESS;
2782 	icmdp->cmd_completed	= B_FALSE;
2783 
2784 	mutex_enter(&isp->sess_queue_pending.mutex);
2785 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E1, isp);
2786 	mutex_exit(&isp->sess_queue_pending.mutex);
2787 
2788 	/*
2789 	 * release connection state mutex to avoid a deadlock.  This
2790 	 * function is called from within the connection state
2791 	 * machine with the lock held.  When the logout response is
2792 	 * received another call to the connection state machine
2793 	 * occurs which causes the deadlock
2794 	 */
2795 	mutex_exit(&icp->conn_state_mutex);
2796 
2797 	/* stall until completed */
2798 	mutex_enter(&icmdp->cmd_mutex);
2799 	while (icmdp->cmd_completed == B_FALSE) {
2800 		cv_wait(&icmdp->cmd_completion, &icmdp->cmd_mutex);
2801 	}
2802 	mutex_exit(&icmdp->cmd_mutex);
2803 	mutex_enter(&icp->conn_state_mutex);
2804 
2805 	/* copy rval */
2806 	rval = icmdp->cmd_result;
2807 
2808 	/* clean up */
2809 	iscsi_cmd_free(icmdp);
2810 
2811 	if (rval != 0) {
2812 		/* If the logout failed then drop the connection */
2813 		idm_ini_conn_disconnect(icp->conn_ic);
2814 	}
2815 
2816 	/* stall until connection settles */
2817 	while ((icp->conn_state != ISCSI_CONN_STATE_FREE) &&
2818 	    (icp->conn_state != ISCSI_CONN_STATE_FAILED) &&
2819 	    (icp->conn_state != ISCSI_CONN_STATE_POLLING)) {
2820 		/* wait for transition */
2821 		cv_wait(&icp->conn_state_change, &icp->conn_state_mutex);
2822 	}
2823 
2824 	idm_conn_rele(ic);
2825 
2826 	/*
2827 	 * Return value reflects whether the logout command completed --
2828 	 * regardless of the return value the connection is closed and
2829 	 * ready for reconnection.
2830 	 */
2831 	return (rval);
2832 }
2833 
2834 
2835 /*
2836  * iscsi_handle_text - main control function for iSCSI text requests.  This
2837  * function handles allocating the command, sending initial text request, and
2838  * handling long response sequence.
2839  * If a data overflow condition occurs, iscsi_handle_text continues to
2840  * receive responses until the all data has been recieved.  This allows
2841  * the full data length to be returned to the caller.
2842  */
2843 iscsi_status_t
2844 iscsi_handle_text(iscsi_conn_t *icp, char *buf, uint32_t buf_len,
2845     uint32_t data_len, uint32_t *rx_data_len)
2846 {
2847 	iscsi_sess_t	*isp;
2848 	iscsi_cmd_t	*icmdp;
2849 	iscsi_status_t	rval	= ISCSI_STATUS_SUCCESS;
2850 
2851 	ASSERT(icp != NULL);
2852 	ASSERT(buf != NULL);
2853 	ASSERT(rx_data_len != NULL);
2854 
2855 	isp = icp->conn_sess;
2856 	ASSERT(isp != NULL);
2857 
2858 	/*
2859 	 * Ensure data for text request command is not greater
2860 	 * than the negotiated maximum receive data seqment length.
2861 	 *
2862 	 * Although iSCSI allows for long text requests (multiple
2863 	 * pdus), this function places a restriction on text
2864 	 * requests to ensure it is handled by a single PDU.
2865 	 */
2866 	if (data_len > icp->conn_params.max_xmit_data_seg_len) {
2867 		return (ISCSI_STATUS_CMD_FAILED);
2868 	}
2869 
2870 	icmdp = iscsi_cmd_alloc(icp, KM_SLEEP);
2871 	ASSERT(icmdp != NULL);
2872 
2873 	icmdp->cmd_type		= ISCSI_CMD_TYPE_TEXT;
2874 	icmdp->cmd_result	= ISCSI_STATUS_SUCCESS;
2875 	icmdp->cmd_misc_flags	&= ~ISCSI_CMD_MISCFLAG_FREE;
2876 	icmdp->cmd_completed	= B_FALSE;
2877 
2878 	icmdp->cmd_un.text.buf		= buf;
2879 	icmdp->cmd_un.text.buf_len	= buf_len;
2880 	icmdp->cmd_un.text.offset	= 0;
2881 	icmdp->cmd_un.text.data_len	= data_len;
2882 	icmdp->cmd_un.text.total_rx_len	= 0;
2883 	icmdp->cmd_un.text.ttt		= ISCSI_RSVD_TASK_TAG;
2884 	icmdp->cmd_un.text.stage	= ISCSI_CMD_TEXT_INITIAL_REQ;
2885 
2886 long_text_response:
2887 	rw_enter(&isp->sess_state_rwlock, RW_READER);
2888 	if (!ISCSI_SESS_STATE_FULL_FEATURE(isp->sess_state)) {
2889 		iscsi_cmd_free(icmdp);
2890 		rw_exit(&isp->sess_state_rwlock);
2891 		return (ISCSI_STATUS_NO_CONN_LOGGED_IN);
2892 	}
2893 
2894 	mutex_enter(&isp->sess_queue_pending.mutex);
2895 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E1, isp);
2896 	mutex_exit(&isp->sess_queue_pending.mutex);
2897 	rw_exit(&isp->sess_state_rwlock);
2898 
2899 	/* stall until completed */
2900 	mutex_enter(&icmdp->cmd_mutex);
2901 	while (icmdp->cmd_completed == B_FALSE) {
2902 		cv_wait(&icmdp->cmd_completion, &icmdp->cmd_mutex);
2903 	}
2904 	mutex_exit(&icmdp->cmd_mutex);
2905 
2906 	/*
2907 	 * check if error occured.  If data overflow occured, continue on
2908 	 * to ensure we get all data so that the full data length can be
2909 	 * returned to the user
2910 	 */
2911 	if ((icmdp->cmd_result != ISCSI_STATUS_SUCCESS) &&
2912 	    (icmdp->cmd_result != ISCSI_STATUS_DATA_OVERFLOW)) {
2913 		cmn_err(CE_NOTE, "iscsi: SendTarget discovery failed (%d)",
2914 		    icmdp->cmd_result);
2915 		rval = icmdp->cmd_result;
2916 		iscsi_cmd_free(icmdp);
2917 		return (rval);
2918 	}
2919 
2920 	/* check if this was a partial text PDU  */
2921 	if (icmdp->cmd_un.text.stage != ISCSI_CMD_TEXT_FINAL_RSP) {
2922 		/*
2923 		 * If a paritial text rexponse received, send an empty
2924 		 * text request.  This follows the behaviour specified
2925 		 * in RFC3720 regarding long text responses.
2926 		 */
2927 		icmdp->cmd_misc_flags		&= ~ISCSI_CMD_MISCFLAG_FREE;
2928 		icmdp->cmd_completed		= B_FALSE;
2929 		icmdp->cmd_un.text.data_len	= 0;
2930 		icmdp->cmd_un.text.stage	= ISCSI_CMD_TEXT_CONTINUATION;
2931 		goto long_text_response;
2932 	}
2933 
2934 	/*
2935 	 * set total received data length.  If data overflow this would be
2936 	 * amount of data that would have been received if buffer large
2937 	 * enough.
2938 	 */
2939 	*rx_data_len = icmdp->cmd_un.text.total_rx_len;
2940 
2941 	/* copy rval */
2942 	rval = icmdp->cmd_result;
2943 
2944 	/* clean up  */
2945 	iscsi_cmd_free(icmdp);
2946 
2947 	return (rval);
2948 }
2949 
2950 /*
2951  * iscsi_handle_passthru - This function is used to send a uscsi_cmd
2952  * to a specific target lun.  This routine is used for internal purposes
2953  * during enumeration and via the ISCSI_USCSICMD IOCTL.  We restrict
2954  * the CDBs that can be issued to a target/lun to INQUIRY, REPORT_LUNS,
2955  * and READ_CAPACITY for security purposes.
2956  *
2957  * The logic here is broken into three phases.
2958  * 1) Allocate and initialize a pkt/icmdp
2959  * 2) Send the pkt/icmdp
2960  * 3) cv_wait for completion
2961  */
2962 iscsi_status_t
2963 iscsi_handle_passthru(iscsi_sess_t *isp, uint16_t lun, struct uscsi_cmd *ucmdp)
2964 {
2965 	iscsi_status_t		rval;
2966 	iscsi_cmd_t		*icmdp;
2967 	struct scsi_pkt		*pkt;
2968 	struct buf		*bp;
2969 	struct scsi_arq_status  *arqstat;
2970 	int			statuslen;
2971 
2972 	ASSERT(isp != NULL);
2973 	ASSERT(ucmdp != NULL);
2974 
2975 	if (ucmdp->uscsi_rqlen > SENSE_LENGTH) {
2976 		/*
2977 		 * The caller provided sense buffer large enough for additional
2978 		 * sense bytes. We need to allocate pkt_scbp to fit them there
2979 		 * too.
2980 		 */
2981 		statuslen = ucmdp->uscsi_rqlen + ISCSI_ARQ_STATUS_NOSENSE_LEN;
2982 	} else {
2983 		/* The default size of pkt_scbp */
2984 		statuslen = sizeof (struct scsi_arq_status);
2985 	}
2986 
2987 	/*
2988 	 * Step 1. Setup structs - KM_SLEEP will always succeed
2989 	 */
2990 	bp = kmem_zalloc(sizeof (struct buf), KM_SLEEP);
2991 	ASSERT(bp != NULL);
2992 	pkt = kmem_zalloc(sizeof (struct scsi_pkt), KM_SLEEP);
2993 	ASSERT(pkt != NULL);
2994 	icmdp = iscsi_cmd_alloc(NULL, KM_SLEEP);
2995 	ASSERT(icmdp != NULL);
2996 
2997 	/* setup bp structure */
2998 	bp->b_flags		= B_READ;
2999 	bp->b_bcount		= ucmdp->uscsi_buflen;
3000 	bp->b_un.b_addr		= ucmdp->uscsi_bufaddr;
3001 
3002 	/* setup scsi_pkt structure */
3003 	pkt->pkt_ha_private	= icmdp;
3004 	pkt->pkt_scbp		= kmem_zalloc(statuslen, KM_SLEEP);
3005 	pkt->pkt_cdbp		= kmem_zalloc(ucmdp->uscsi_cdblen, KM_SLEEP);
3006 	/* callback routine for passthru, will wake cv_wait */
3007 	pkt->pkt_comp		= iscsi_handle_passthru_callback;
3008 	pkt->pkt_time		= ucmdp->uscsi_timeout;
3009 
3010 	/* setup iscsi_cmd structure */
3011 	icmdp->cmd_lun			= NULL;
3012 	icmdp->cmd_type			= ISCSI_CMD_TYPE_SCSI;
3013 	icmdp->cmd_un.scsi.lun		= lun;
3014 	icmdp->cmd_un.scsi.pkt		= pkt;
3015 	icmdp->cmd_un.scsi.bp		= bp;
3016 	bcopy(ucmdp->uscsi_cdb, pkt->pkt_cdbp, ucmdp->uscsi_cdblen);
3017 	icmdp->cmd_un.scsi.cmdlen	= ucmdp->uscsi_cdblen;
3018 	icmdp->cmd_un.scsi.statuslen	= statuslen;
3019 	icmdp->cmd_crc_error_seen	= B_FALSE;
3020 	icmdp->cmd_completed		= B_FALSE;
3021 	icmdp->cmd_result		= ISCSI_STATUS_SUCCESS;
3022 
3023 	/*
3024 	 * Step 2. Push IO onto pending queue.  If we aren't in
3025 	 * FULL_FEATURE we need to fail the IO.
3026 	 */
3027 	rw_enter(&isp->sess_state_rwlock, RW_READER);
3028 	if (!ISCSI_SESS_STATE_FULL_FEATURE(isp->sess_state)) {
3029 		rw_exit(&isp->sess_state_rwlock);
3030 
3031 		iscsi_cmd_free(icmdp);
3032 		kmem_free(pkt->pkt_cdbp, ucmdp->uscsi_cdblen);
3033 		kmem_free(pkt->pkt_scbp, statuslen);
3034 		kmem_free(pkt, sizeof (struct scsi_pkt));
3035 		kmem_free(bp, sizeof (struct buf));
3036 
3037 		return (ISCSI_STATUS_CMD_FAILED);
3038 	}
3039 
3040 	mutex_enter(&isp->sess_queue_pending.mutex);
3041 	iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E1, isp);
3042 	mutex_exit(&isp->sess_queue_pending.mutex);
3043 	rw_exit(&isp->sess_state_rwlock);
3044 
3045 	/*
3046 	 * Step 3. Wait on cv_wait for completion routine
3047 	 */
3048 	mutex_enter(&icmdp->cmd_mutex);
3049 	while (icmdp->cmd_completed == B_FALSE) {
3050 		cv_wait(&icmdp->cmd_completion, &icmdp->cmd_mutex);
3051 	}
3052 	mutex_exit(&icmdp->cmd_mutex);
3053 
3054 	/* copy rval */
3055 	rval = icmdp->cmd_result;
3056 
3057 	ucmdp->uscsi_resid = pkt->pkt_resid;
3058 
3059 	/* update scsi status */
3060 	arqstat = (struct scsi_arq_status *)pkt->pkt_scbp;
3061 	ucmdp->uscsi_status = ((char *)&arqstat->sts_status)[0];
3062 
3063 	/* copy request sense buffers if caller gave space */
3064 	if ((ucmdp->uscsi_rqlen > 0) &&
3065 	    (ucmdp->uscsi_rqbuf != NULL)) {
3066 		ASSERT(ucmdp->uscsi_rqlen >= arqstat->sts_rqpkt_resid);
3067 		ucmdp->uscsi_rqresid = arqstat->sts_rqpkt_resid;
3068 		bcopy(&arqstat->sts_sensedata, ucmdp->uscsi_rqbuf,
3069 		    ucmdp->uscsi_rqlen - arqstat->sts_rqpkt_resid);
3070 	}
3071 
3072 	if ((ucmdp->uscsi_status == STATUS_CHECK) &&
3073 	    ((icmdp->cmd_misc_flags & ISCSI_CMD_MISCFLAG_INTERNAL)) == B_TRUE) {
3074 		/*
3075 		 * Internal SCSI commands received status
3076 		 */
3077 		(void) iscsi_decode_sense(
3078 		    (uint8_t *)&arqstat->sts_sensedata, icmdp);
3079 	}
3080 
3081 	/* clean up */
3082 	iscsi_cmd_free(icmdp);
3083 	kmem_free(pkt->pkt_cdbp, ucmdp->uscsi_cdblen);
3084 	kmem_free(pkt->pkt_scbp, statuslen);
3085 	kmem_free(pkt, sizeof (struct scsi_pkt));
3086 	kmem_free(bp, sizeof (struct buf));
3087 
3088 	return (rval);
3089 }
3090 
3091 
3092 /*
3093  * iscsi_handle_passthru_callback -
3094  *
3095  */
3096 static void
3097 iscsi_handle_passthru_callback(struct scsi_pkt *pkt)
3098 {
3099 	iscsi_cmd_t		*icmdp  = NULL;
3100 
3101 	ASSERT(pkt != NULL);
3102 	icmdp = (iscsi_cmd_t *)pkt->pkt_ha_private;
3103 	ASSERT(icmdp != NULL);
3104 
3105 	mutex_enter(&icmdp->cmd_mutex);
3106 	icmdp->cmd_completed    = B_TRUE;
3107 	icmdp->cmd_result	= ISCSI_STATUS_SUCCESS;
3108 	cv_broadcast(&icmdp->cmd_completion);
3109 	mutex_exit(&icmdp->cmd_mutex);
3110 
3111 }
3112 
3113 /*
3114  * IDM callbacks
3115  */
3116 void
3117 iscsi_build_hdr(idm_task_t *idm_task, idm_pdu_t *pdu, uint8_t opcode)
3118 {
3119 	iscsi_cmd_t *icmdp = idm_task->idt_private;
3120 	iscsi_conn_t *icp = icmdp->cmd_conn;
3121 	iscsi_data_hdr_t *ihp = (iscsi_data_hdr_t *)pdu->isp_hdr;
3122 
3123 	mutex_enter(&icmdp->cmd_mutex);
3124 	if (opcode == ISCSI_OP_SCSI_DATA) {
3125 		uint32_t	data_sn;
3126 		uint32_t	lun;
3127 		icmdp = idm_task->idt_private;
3128 		icp = icmdp->cmd_conn;
3129 		ihp->opcode	= opcode;
3130 		ihp->itt	= icmdp->cmd_itt;
3131 		ihp->ttt	= idm_task->idt_r2t_ttt;
3132 		ihp->expstatsn	= htonl(icp->conn_expstatsn);
3133 		icp->conn_laststatsn = icp->conn_expstatsn;
3134 		data_sn = ntohl(ihp->datasn);
3135 		data_sn++;
3136 		lun = icmdp->cmd_un.scsi.lun;
3137 		ISCSI_LUN_BYTE_COPY(ihp->lun, lun);
3138 		/* CRM: upate_flow_control */
3139 		ISCSI_IO_LOG(CE_NOTE, "DEBUG: iscsi_build_hdr"
3140 		    "(ISCSI_OP_SCSI_DATA): task: %p icp: %p ic: %p itt: %x "
3141 		    "exp: %d data_sn: %d", (void *)idm_task, (void *)icp,
3142 		    (void *)icp->conn_ic, ihp->itt, icp->conn_expstatsn,
3143 		    data_sn);
3144 	} else {
3145 		cmn_err(CE_WARN, "iscsi_build_hdr: unprocessed build "
3146 		    "header opcode: %x", opcode);
3147 	}
3148 	mutex_exit(&icmdp->cmd_mutex);
3149 }
3150 
3151 static void
3152 iscsi_process_rsp_status(iscsi_sess_t *isp, iscsi_conn_t *icp,
3153     idm_status_t status)
3154 {
3155 	switch (status) {
3156 	case IDM_STATUS_SUCCESS:
3157 		if ((isp->sess_state == ISCSI_SESS_STATE_IN_FLUSH) &&
3158 		    (icp->conn_queue_active.count == 0)) {
3159 			iscsi_drop_conn_cleanup(icp);
3160 		}
3161 		break;
3162 	case IDM_STATUS_PROTOCOL_ERROR:
3163 		KSTAT_INC_CONN_ERR_PROTOCOL(icp);
3164 		iscsi_drop_conn_cleanup(icp);
3165 		break;
3166 	default:
3167 		break;
3168 	}
3169 }
3170 
3171 static void
3172 iscsi_drop_conn_cleanup(iscsi_conn_t *icp) {
3173 	mutex_enter(&icp->conn_state_mutex);
3174 	idm_ini_conn_disconnect(icp->conn_ic);
3175 	mutex_exit(&icp->conn_state_mutex);
3176 }
3177 
3178 void
3179 iscsi_rx_error_pdu(idm_conn_t *ic, idm_pdu_t *pdu, idm_status_t status)
3180 {
3181 	iscsi_conn_t *icp = (iscsi_conn_t *)ic->ic_handle;
3182 	iscsi_sess_t *isp;
3183 
3184 	ASSERT(icp != NULL);
3185 	isp = icp->conn_sess;
3186 	ASSERT(isp != NULL);
3187 	iscsi_process_rsp_status(isp, icp, status);
3188 	idm_pdu_complete(pdu, status);
3189 }
3190 
3191 void
3192 iscsi_rx_misc_pdu(idm_conn_t *ic, idm_pdu_t *pdu)
3193 {
3194 	iscsi_conn_t 		*icp;
3195 	iscsi_hdr_t		*ihp	= (iscsi_hdr_t *)pdu->isp_hdr;
3196 	iscsi_sess_t		*isp;
3197 	idm_status_t		status;
3198 
3199 	icp = ic->ic_handle;
3200 	isp = icp->conn_sess;
3201 	isp->sess_rx_lbolt = icp->conn_rx_lbolt = ddi_get_lbolt();
3202 	switch (ihp->opcode & ISCSI_OPCODE_MASK) {
3203 	case ISCSI_OP_LOGIN_RSP:
3204 		status = iscsi_rx_process_login_pdu(ic, pdu);
3205 		idm_pdu_complete(pdu, status);
3206 		break;
3207 	case ISCSI_OP_LOGOUT_RSP:
3208 		status = iscsi_rx_process_logout_rsp(ic, pdu);
3209 		idm_pdu_complete(pdu, status);
3210 		break;
3211 	case ISCSI_OP_REJECT_MSG:
3212 		status = iscsi_rx_process_reject_rsp(ic, pdu);
3213 		break;
3214 	case ISCSI_OP_SCSI_TASK_MGT_RSP:
3215 		status = iscsi_rx_process_task_mgt_rsp(ic, pdu);
3216 		idm_pdu_complete(pdu, status);
3217 		break;
3218 	case ISCSI_OP_NOOP_IN:
3219 		status = iscsi_rx_process_nop(ic, pdu);
3220 		idm_pdu_complete(pdu, status);
3221 		break;
3222 	case ISCSI_OP_ASYNC_EVENT:
3223 		status = iscsi_rx_process_async_rsp(ic, pdu);
3224 		break;
3225 	case ISCSI_OP_TEXT_RSP:
3226 		status = iscsi_rx_process_text_rsp(ic, pdu);
3227 		idm_pdu_complete(pdu, status);
3228 		break;
3229 	default:
3230 		cmn_err(CE_WARN, "iscsi connection(%u) protocol error "
3231 		    "- received misc unsupported opcode 0x%02x",
3232 		    icp->conn_oid, ihp->opcode);
3233 		status = IDM_STATUS_PROTOCOL_ERROR;
3234 		break;
3235 	}
3236 	iscsi_process_rsp_status(isp, icp, status);
3237 }
3238 
3239 /*
3240  * +--------------------------------------------------------------------+
3241  * | Beginning of completion routines					|
3242  * +--------------------------------------------------------------------+
3243  */
3244 
3245 /*
3246  * iscsi_ic_thread -
3247  */
3248 void
3249 iscsi_ic_thread(iscsi_thread_t *thread, void *arg)
3250 {
3251 	iscsi_sess_t	*isp = (iscsi_sess_t *)arg;
3252 	int		ret;
3253 	iscsi_queue_t	q;
3254 	iscsi_cmd_t	*icmdp;
3255 	iscsi_cmd_t	*next_icmdp;
3256 
3257 	ASSERT(isp != NULL);
3258 	ASSERT(thread != NULL);
3259 	ASSERT(thread->signature == SIG_ISCSI_THREAD);
3260 
3261 	for (;;) {
3262 
3263 		/*
3264 		 * We wait till iodone or somebody else wakes us up.
3265 		 */
3266 		ret = iscsi_thread_wait(thread, -1);
3267 
3268 		/*
3269 		 * The value should never be negative since we never timeout.
3270 		 */
3271 		ASSERT(ret >= 0);
3272 
3273 		q.count = 0;
3274 		q.head  = NULL;
3275 		q.tail  = NULL;
3276 		mutex_enter(&isp->sess_queue_completion.mutex);
3277 		icmdp = isp->sess_queue_completion.head;
3278 		while (icmdp != NULL) {
3279 			next_icmdp = icmdp->cmd_next;
3280 			mutex_enter(&icmdp->cmd_mutex);
3281 			/*
3282 			 * check if the associated r2t/abort has finished
3283 			 * yet.  If not, don't complete the command.
3284 			 */
3285 			if ((icmdp->cmd_un.scsi.r2t_icmdp == NULL) &&
3286 			    (icmdp->cmd_un.scsi.abort_icmdp == NULL)) {
3287 				mutex_exit(&icmdp->cmd_mutex);
3288 				(void) iscsi_dequeue_cmd(&isp->
3289 				    sess_queue_completion.head,
3290 				    &isp->sess_queue_completion.tail,
3291 				    icmdp);
3292 				--isp->sess_queue_completion.count;
3293 				iscsi_enqueue_cmd_head(&q.head,
3294 				    &q.tail, icmdp);
3295 			} else {
3296 				mutex_exit(&icmdp->cmd_mutex);
3297 			}
3298 			icmdp = next_icmdp;
3299 		}
3300 		mutex_exit(&isp->sess_queue_completion.mutex);
3301 		icmdp = q.head;
3302 		while (icmdp != NULL) {
3303 			next_icmdp = icmdp->cmd_next;
3304 			iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E8, isp);
3305 			icmdp = next_icmdp;
3306 		}
3307 
3308 		if (ret > 0)
3309 			/* Somebody woke us up to work */
3310 			continue;
3311 		else
3312 			/*
3313 			 * Somebody woke us up to kill ourselves. We will
3314 			 * make sure, however that the completion queue is
3315 			 * empty before leaving.  After we've done that it
3316 			 * is the originator of the signal that has to make
3317 			 * sure no other SCSI command is posted.
3318 			 */
3319 			break;
3320 	}
3321 
3322 }
3323 
3324 /*
3325  * iscsi_iodone -
3326  *
3327  */
3328 void
3329 iscsi_iodone(iscsi_sess_t *isp, iscsi_cmd_t *icmdp)
3330 {
3331 	struct scsi_pkt		*pkt	= NULL;
3332 	struct buf		*bp	= icmdp->cmd_un.scsi.bp;
3333 
3334 	ASSERT(isp != NULL);
3335 	ASSERT(icmdp != NULL);
3336 	pkt = icmdp->cmd_un.scsi.pkt;
3337 	ASSERT(pkt != NULL);
3338 
3339 	ASSERT(icmdp->cmd_un.scsi.abort_icmdp == NULL);
3340 	ASSERT(icmdp->cmd_un.scsi.r2t_icmdp == NULL);
3341 	if (pkt->pkt_reason == CMD_CMPLT) {
3342 		if (bp) {
3343 			if (bp->b_flags & B_READ) {
3344 				KSTAT_SESS_RX_IO_DONE(isp, bp->b_bcount);
3345 			} else {
3346 				KSTAT_SESS_TX_IO_DONE(isp, bp->b_bcount);
3347 			}
3348 		}
3349 	}
3350 
3351 	if (pkt->pkt_flags & FLAG_NOINTR) {
3352 		cv_broadcast(&icmdp->cmd_completion);
3353 		mutex_exit(&icmdp->cmd_mutex);
3354 	} else {
3355 		/*
3356 		 * Release mutex.  As soon as callback is
3357 		 * issued the caller may destroy the command.
3358 		 */
3359 		mutex_exit(&icmdp->cmd_mutex);
3360 		/*
3361 		 * We can't just directly call the pk_comp routine.  In
3362 		 * many error cases the target driver will use the calling
3363 		 * thread to re-drive error handling (reset, retries...)
3364 		 * back into the hba driver (iscsi).  If the target redrives
3365 		 * a reset back into the iscsi driver off this thead we have
3366 		 * a chance of deadlocking. So instead use the io completion
3367 		 * thread.
3368 		 */
3369 		(*icmdp->cmd_un.scsi.pkt->pkt_comp)(icmdp->cmd_un.scsi.pkt);
3370 	}
3371 }
3372 
3373 /*
3374  * +--------------------------------------------------------------------+
3375  * | End of completion routines						|
3376  * +--------------------------------------------------------------------+
3377  */
3378 
3379 /*
3380  * +--------------------------------------------------------------------+
3381  * | Beginning of watchdog routines					|
3382  * +--------------------------------------------------------------------+
3383  */
3384 
3385 /*
3386  * iscsi_watchdog_thread -
3387  *
3388  */
3389 void
3390 iscsi_wd_thread(iscsi_thread_t *thread, void *arg)
3391 {
3392 	iscsi_sess_t	*isp = (iscsi_sess_t *)arg;
3393 	int		rc = 1;
3394 
3395 	ASSERT(isp != NULL);
3396 
3397 	while (rc != NULL) {
3398 
3399 		iscsi_timeout_checks(isp);
3400 		iscsi_nop_checks(isp);
3401 
3402 		rc = iscsi_thread_wait(thread, SEC_TO_TICK(1));
3403 	}
3404 }
3405 
3406 /*
3407  * iscsi_timeout_checks -
3408  *
3409  */
3410 static void
3411 iscsi_timeout_checks(iscsi_sess_t *isp)
3412 {
3413 	clock_t		now = ddi_get_lbolt();
3414 	iscsi_conn_t	*icp;
3415 	iscsi_cmd_t	*icmdp, *nicmdp;
3416 
3417 	ASSERT(isp != NULL);
3418 
3419 	/* PENDING */
3420 	rw_enter(&isp->sess_state_rwlock, RW_READER);
3421 	mutex_enter(&isp->sess_queue_pending.mutex);
3422 	for (icmdp = isp->sess_queue_pending.head;
3423 	    icmdp; icmdp = nicmdp) {
3424 		nicmdp = icmdp->cmd_next;
3425 
3426 		/* Skip entries with no timeout */
3427 		if (icmdp->cmd_lbolt_timeout == 0)
3428 			continue;
3429 
3430 		/*
3431 		 * Skip pending queue entries for cmd_type values that depend
3432 		 * on having an open cmdsn window for successfull transition
3433 		 * from pending to the active (i.e. ones that depend on
3434 		 * sess_cmdsn .vs. sess_maxcmdsn). For them, the timer starts
3435 		 * when they are successfully moved to the active queue by
3436 		 * iscsi_cmd_state_pending() code.
3437 		 */
3438 		/*
3439 		 * If the cmd is stuck, at least give it a chance
3440 		 * to timeout
3441 		 */
3442 		if (((icmdp->cmd_type == ISCSI_CMD_TYPE_SCSI) ||
3443 		    (icmdp->cmd_type == ISCSI_CMD_TYPE_TEXT)) &&
3444 		    !(icmdp->cmd_misc_flags & ISCSI_CMD_MISCFLAG_STUCK))
3445 			continue;
3446 
3447 		/* Skip if timeout still in the future */
3448 		if (now <= icmdp->cmd_lbolt_timeout)
3449 			continue;
3450 
3451 		/* timeout */
3452 		iscsi_cmd_state_machine(icmdp, ISCSI_CMD_EVENT_E6, isp);
3453 	}
3454 	mutex_exit(&isp->sess_queue_pending.mutex);
3455 	rw_exit(&isp->sess_state_rwlock);
3456 
3457 	rw_enter(&isp->sess_conn_list_rwlock, RW_READER);
3458 	icp = isp->sess_conn_list;
3459 	while (icp != NULL) {
3460 
3461 		icp->conn_timeout = B_FALSE;
3462 		/* ACTIVE */
3463 		mutex_enter(&icp->conn_state_mutex);
3464 		mutex_enter(&isp->sess_queue_pending.mutex);
3465 		mutex_enter(&icp->conn_queue_active.mutex);
3466 		for (icmdp = icp->conn_queue_active.head;
3467 		    icmdp; icmdp = nicmdp) {
3468 			nicmdp = icmdp->cmd_next;
3469 
3470 			if (iscsi_nop_timeout_checks(icmdp) == B_TRUE) {
3471 				icp->conn_timeout = B_TRUE;
3472 			}
3473 
3474 			/* Skip entries with no timeout */
3475 			if (icmdp->cmd_lbolt_timeout == 0)
3476 				continue;
3477 
3478 			/*
3479 			 * Skip if command is not active or not needed
3480 			 * to flush.
3481 			 */
3482 			if (icmdp->cmd_state != ISCSI_CMD_STATE_ACTIVE &&
3483 			    !(icmdp->cmd_misc_flags & ISCSI_CMD_MISCFLAG_FLUSH))
3484 				continue;
3485 
3486 			/* Skip if timeout still in the future */
3487 			if (now <= icmdp->cmd_lbolt_timeout)
3488 				continue;
3489 
3490 			if (icmdp->cmd_misc_flags & ISCSI_CMD_MISCFLAG_FLUSH) {
3491 				/*
3492 				 * This command is left during target reset,
3493 				 * we can flush it now.
3494 				 */
3495 				iscsi_cmd_state_machine(icmdp,
3496 				    ISCSI_CMD_EVENT_E7, isp);
3497 			} else if (icmdp->cmd_state == ISCSI_CMD_STATE_ACTIVE) {
3498 				/* timeout */
3499 				iscsi_cmd_state_machine(icmdp,
3500 				    ISCSI_CMD_EVENT_E6, isp);
3501 			}
3502 
3503 		}
3504 		mutex_exit(&icp->conn_queue_active.mutex);
3505 		mutex_exit(&isp->sess_queue_pending.mutex);
3506 		mutex_exit(&icp->conn_state_mutex);
3507 
3508 		icp = icp->conn_next;
3509 	}
3510 
3511 	icp = isp->sess_conn_list;
3512 	while (icp != NULL) {
3513 		if (icp->conn_timeout == B_TRUE) {
3514 			/* timeout on this connect detected */
3515 			idm_ini_conn_disconnect(icp->conn_ic);
3516 			icp->conn_timeout = B_FALSE;
3517 		}
3518 		icp = icp->conn_next;
3519 	}
3520 	rw_exit(&isp->sess_conn_list_rwlock);
3521 }
3522 
3523 /*
3524  * iscsi_nop_checks - sends a NOP on idle connections
3525  *
3526  * This function walks the connections on a session and
3527  * issues NOPs on those connections that are in FULL
3528  * FEATURE mode and have not received data for the
3529  * time period specified by iscsi_nop_delay (global).
3530  */
3531 static void
3532 iscsi_nop_checks(iscsi_sess_t *isp)
3533 {
3534 	iscsi_conn_t	*icp;
3535 
3536 	ASSERT(isp != NULL);
3537 
3538 	if (isp->sess_type == ISCSI_SESS_TYPE_DISCOVERY) {
3539 		return;
3540 	}
3541 
3542 	rw_enter(&isp->sess_conn_list_rwlock, RW_READER);
3543 	icp = isp->sess_conn_act;
3544 	if (icp != NULL) {
3545 
3546 		mutex_enter(&icp->conn_state_mutex);
3547 		if ((ISCSI_CONN_STATE_FULL_FEATURE(icp->conn_state)) &&
3548 		    (ddi_get_lbolt() > isp->sess_conn_act->conn_rx_lbolt +
3549 		    SEC_TO_TICK(iscsi_nop_delay)) && (ddi_get_lbolt() >
3550 		    isp->sess_conn_act->conn_nop_lbolt +
3551 		    SEC_TO_TICK(iscsi_nop_delay))) {
3552 
3553 			/*
3554 			 * We haven't received anything from the
3555 			 * target is a defined period of time,
3556 			 * send NOP to see if the target is alive.
3557 			 */
3558 			mutex_enter(&isp->sess_queue_pending.mutex);
3559 			iscsi_handle_nop(isp->sess_conn_act,
3560 			    0, ISCSI_RSVD_TASK_TAG);
3561 			mutex_exit(&isp->sess_queue_pending.mutex);
3562 		}
3563 		mutex_exit(&icp->conn_state_mutex);
3564 
3565 		icp = icp->conn_next;
3566 	}
3567 	rw_exit(&isp->sess_conn_list_rwlock);
3568 }
3569 
3570 static boolean_t
3571 iscsi_nop_timeout_checks(iscsi_cmd_t *icmdp)
3572 {
3573 	if (icmdp->cmd_type == ISCSI_CMD_TYPE_NOP) {
3574 		if ((ddi_get_lbolt() - icmdp->cmd_lbolt_active) >
3575 		    SEC_TO_TICK(ISCSI_CONN_TIEMOUT_DETECT)) {
3576 			return (B_TRUE);
3577 		} else {
3578 			return (B_FALSE);
3579 		}
3580 	}
3581 	return (B_FALSE);
3582 }
3583 /*
3584  * +--------------------------------------------------------------------+
3585  * | End of wd routines						|
3586  * +--------------------------------------------------------------------+
3587  */
3588 
3589 /*
3590  * iscsi_flush_cmd_after_reset - flush commands after reset
3591  *
3592  * Here we will flush all the commands for a specified LUN whose cmdsn is less
3593  * than the one received with the Unit Attention.
3594  */
3595 static void
3596 iscsi_flush_cmd_after_reset(uint32_t cmd_sn, uint16_t lun_num,
3597     iscsi_conn_t *icp)
3598 {
3599 	iscsi_cmd_t	*t_icmdp    = NULL;
3600 	iscsi_cmd_t	*next_icmdp = NULL;
3601 
3602 	ASSERT(icp != NULL);
3603 
3604 	t_icmdp = icp->conn_queue_active.head;
3605 	while (t_icmdp != NULL) {
3606 		next_icmdp = t_icmdp->cmd_next;
3607 		mutex_enter(&t_icmdp->cmd_mutex);
3608 		/*
3609 		 * We will flush the commands whose cmdsn is less than the one
3610 		 * got Unit Attention.
3611 		 * Here we will check for wrap by subtracting and compare to
3612 		 * 1/2 of a 32 bit number, if greater then we wrapped.
3613 		 */
3614 		if ((t_icmdp->cmd_misc_flags & ISCSI_CMD_MISCFLAG_SENT) &&
3615 		    ((cmd_sn > t_icmdp->cmd_sn) ||
3616 		    ((t_icmdp->cmd_sn - cmd_sn) >
3617 		    ISCSI_CMD_SN_WRAP))) {
3618 			/*
3619 			 * Internally generated SCSI commands do not have
3620 			 * t_icmdp->cmd_lun set, but the LUN can be retrieved
3621 			 * from t_icmdp->cmd_un.scsi.lun.
3622 			 */
3623 			if ((t_icmdp->cmd_lun != NULL &&
3624 			    t_icmdp->cmd_lun->lun_num == lun_num) ||
3625 			    (t_icmdp->cmd_type == ISCSI_CMD_TYPE_SCSI &&
3626 			    (t_icmdp->cmd_un.scsi.lun & ISCSI_LUN_MASK) ==
3627 			    lun_num)) {
3628 				t_icmdp->cmd_misc_flags |=
3629 				    ISCSI_CMD_MISCFLAG_FLUSH;
3630 				if (t_icmdp->cmd_type == ISCSI_CMD_TYPE_SCSI) {
3631 					t_icmdp->cmd_un.scsi.pkt_stat |=
3632 					    STAT_BUS_RESET;
3633 				}
3634 			}
3635 		}
3636 		mutex_exit(&t_icmdp->cmd_mutex);
3637 		t_icmdp = next_icmdp;
3638 	}
3639 }
3640 
3641 /*
3642  * iscsi_decode_sense - decode the sense data in the cmd response
3643  * and take proper actions
3644  */
3645 static boolean_t
3646 iscsi_decode_sense(uint8_t *sense_data, iscsi_cmd_t *icmdp)
3647 {
3648 	uint8_t		sense_key	= 0;
3649 	uint8_t		asc		= 0;
3650 	uint8_t		ascq		= 0;
3651 	boolean_t	flush_io	= B_FALSE;
3652 	boolean_t	reconfig_lun	= B_FALSE;
3653 	iscsi_sess_t	*isp		= NULL;
3654 
3655 	ASSERT(sense_data != NULL);
3656 
3657 	isp = icmdp->cmd_conn->conn_sess;
3658 
3659 	sense_key = scsi_sense_key(sense_data);
3660 	switch (sense_key) {
3661 		case KEY_UNIT_ATTENTION:
3662 			asc = scsi_sense_asc(sense_data);
3663 			switch (asc) {
3664 				case ISCSI_SCSI_RESET_SENSE_CODE:
3665 					/*
3666 					 * POWER ON, RESET, OR BUS_DEVICE RESET
3667 					 * OCCURRED
3668 					 */
3669 					flush_io = B_TRUE;
3670 					break;
3671 				case ISCSI_SCSI_LUNCHANGED_CODE:
3672 					ascq = scsi_sense_ascq(sense_data);
3673 					if (ascq == ISCSI_SCSI_LUNCHANGED_ASCQ)
3674 						reconfig_lun = B_TRUE;
3675 				default:
3676 					break;
3677 			}
3678 			break;
3679 		default:
3680 			/*
3681 			 * Currently we don't care
3682 			 * about other sense key.
3683 			 */
3684 			break;
3685 	}
3686 
3687 	if (reconfig_lun == B_TRUE) {
3688 		rw_enter(&isp->sess_state_rwlock, RW_READER);
3689 		if ((isp->sess_state == ISCSI_SESS_STATE_LOGGED_IN) &&
3690 		    (iscsi_sess_enum_request(isp, B_FALSE,
3691 		    isp->sess_state_event_count) !=
3692 		    ISCSI_SESS_ENUM_SUBMITTED)) {
3693 			cmn_err(CE_WARN, "Unable to commit re-enumeration for"
3694 			    " session(%u) %s", isp->sess_oid, isp->sess_name);
3695 		}
3696 		rw_exit(&isp->sess_state_rwlock);
3697 	}
3698 
3699 	return (flush_io);
3700 }
3701