xref: /linux/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c (revision 9ad8d22f2f3fad7a366c9772362795ef6d6a2d51)
1 // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
2 /*
3  * Copyright (c) 2016-2018 Oracle. All rights reserved.
4  * Copyright (c) 2014 Open Grid Computing, Inc. All rights reserved.
5  * Copyright (c) 2005-2006 Network Appliance, Inc. All rights reserved.
6  *
7  * This software is available to you under a choice of one of two
8  * licenses.  You may choose to be licensed under the terms of the GNU
9  * General Public License (GPL) Version 2, available from the file
10  * COPYING in the main directory of this source tree, or the BSD-type
11  * license below:
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  *
17  *      Redistributions of source code must retain the above copyright
18  *      notice, this list of conditions and the following disclaimer.
19  *
20  *      Redistributions in binary form must reproduce the above
21  *      copyright notice, this list of conditions and the following
22  *      disclaimer in the documentation and/or other materials provided
23  *      with the distribution.
24  *
25  *      Neither the name of the Network Appliance, Inc. nor the names of
26  *      its contributors may be used to endorse or promote products
27  *      derived from this software without specific prior written
28  *      permission.
29  *
30  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
33  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
34  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
35  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
36  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
37  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
38  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
39  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
40  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
41  *
42  * Author: Tom Tucker <tom@opengridcomputing.com>
43  */
44 
45 /* Operation
46  *
47  * The main entry point is svc_rdma_recvfrom. This is called from
48  * svc_recv when the transport indicates there is incoming data to
49  * be read. "Data Ready" is signaled when an RDMA Receive completes,
50  * or when a set of RDMA Reads complete.
51  *
52  * An svc_rqst is passed in. This structure contains an array of
53  * free pages (rq_pages) that will contain the incoming RPC message.
54  *
55  * Short messages are moved directly into svc_rqst::rq_arg, and
56  * the RPC Call is ready to be processed by the Upper Layer.
57  * svc_rdma_recvfrom returns the length of the RPC Call message,
58  * completing the reception of the RPC Call.
59  *
60  * However, when an incoming message has Read chunks,
61  * svc_rdma_recvfrom must post RDMA Reads to pull the RPC Call's
62  * data payload from the client. svc_rdma_recvfrom sets up the
63  * RDMA Reads using pages in svc_rqst::rq_pages, which are
64  * transferred to an svc_rdma_recv_ctxt for the duration of the
65  * I/O. svc_rdma_recvfrom then returns zero, since the RPC message
66  * is still not yet ready.
67  *
68  * When the Read chunk payloads have become available on the
69  * server, "Data Ready" is raised again, and svc_recv calls
70  * svc_rdma_recvfrom again. This second call may use a different
71  * svc_rqst than the first one, thus any information that needs
72  * to be preserved across these two calls is kept in an
73  * svc_rdma_recv_ctxt.
74  *
75  * The second call to svc_rdma_recvfrom performs final assembly
76  * of the RPC Call message, using the RDMA Read sink pages kept in
77  * the svc_rdma_recv_ctxt. The xdr_buf is copied from the
78  * svc_rdma_recv_ctxt to the second svc_rqst. The second call returns
79  * the length of the completed RPC Call message.
80  *
81  * Page Management
82  *
83  * Pages under I/O must be transferred from the first svc_rqst to an
84  * svc_rdma_recv_ctxt before the first svc_rdma_recvfrom call returns.
85  *
86  * The first svc_rqst supplies pages for RDMA Reads. These are moved
87  * from rqstp::rq_pages into ctxt::pages. The consumed elements of
88  * the rq_pages array are set to NULL and refilled with the first
89  * svc_rdma_recvfrom call returns.
90  *
91  * During the second svc_rdma_recvfrom call, RDMA Read sink pages
92  * are transferred from the svc_rdma_recv_ctxt to the second svc_rqst.
93  */
94 
95 #include <linux/slab.h>
96 #include <linux/spinlock.h>
97 #include <linux/unaligned.h>
98 #include <rdma/ib_verbs.h>
99 #include <rdma/rdma_cm.h>
100 
101 #include <linux/sunrpc/xdr.h>
102 #include <linux/sunrpc/debug.h>
103 #include <linux/sunrpc/rpc_rdma.h>
104 #include <linux/sunrpc/svc_rdma.h>
105 
106 #include "xprt_rdma.h"
107 #include <trace/events/rpcrdma.h>
108 
109 static void svc_rdma_wc_receive(struct ib_cq *cq, struct ib_wc *wc);
110 
111 static inline struct svc_rdma_recv_ctxt *
112 svc_rdma_next_recv_ctxt(struct list_head *list)
113 {
114 	return list_first_entry_or_null(list, struct svc_rdma_recv_ctxt,
115 					rc_list);
116 }
117 
118 static struct svc_rdma_recv_ctxt *
119 svc_rdma_recv_ctxt_alloc(struct svcxprt_rdma *rdma)
120 {
121 	int node = ibdev_to_node(rdma->sc_cm_id->device);
122 	struct svc_rdma_recv_ctxt *ctxt;
123 	dma_addr_t addr;
124 	void *buffer;
125 
126 	ctxt = kzalloc_node(sizeof(*ctxt), GFP_KERNEL, node);
127 	if (!ctxt)
128 		goto fail0;
129 	buffer = kmalloc_node(rdma->sc_max_req_size, GFP_KERNEL, node);
130 	if (!buffer)
131 		goto fail1;
132 	addr = ib_dma_map_single(rdma->sc_pd->device, buffer,
133 				 rdma->sc_max_req_size, DMA_FROM_DEVICE);
134 	if (ib_dma_mapping_error(rdma->sc_pd->device, addr))
135 		goto fail2;
136 
137 	svc_rdma_recv_cid_init(rdma, &ctxt->rc_cid);
138 	pcl_init(&ctxt->rc_call_pcl);
139 	pcl_init(&ctxt->rc_read_pcl);
140 	pcl_init(&ctxt->rc_write_pcl);
141 	pcl_init(&ctxt->rc_reply_pcl);
142 
143 	ctxt->rc_recv_wr.next = NULL;
144 	ctxt->rc_recv_wr.wr_cqe = &ctxt->rc_cqe;
145 	ctxt->rc_recv_wr.sg_list = &ctxt->rc_recv_sge;
146 	ctxt->rc_recv_wr.num_sge = 1;
147 	ctxt->rc_cqe.done = svc_rdma_wc_receive;
148 	ctxt->rc_recv_sge.addr = addr;
149 	ctxt->rc_recv_sge.length = rdma->sc_max_req_size;
150 	ctxt->rc_recv_sge.lkey = rdma->sc_pd->local_dma_lkey;
151 	ctxt->rc_recv_buf = buffer;
152 	svc_rdma_cc_init(rdma, &ctxt->rc_cc);
153 	return ctxt;
154 
155 fail2:
156 	kfree(buffer);
157 fail1:
158 	kfree(ctxt);
159 fail0:
160 	return NULL;
161 }
162 
163 static void svc_rdma_recv_ctxt_destroy(struct svcxprt_rdma *rdma,
164 				       struct svc_rdma_recv_ctxt *ctxt)
165 {
166 	ib_dma_unmap_single(rdma->sc_pd->device, ctxt->rc_recv_sge.addr,
167 			    ctxt->rc_recv_sge.length, DMA_FROM_DEVICE);
168 	kfree(ctxt->rc_recv_buf);
169 	kfree(ctxt);
170 }
171 
172 /**
173  * svc_rdma_recv_ctxts_destroy - Release all recv_ctxt's for an xprt
174  * @rdma: svcxprt_rdma being torn down
175  *
176  */
177 void svc_rdma_recv_ctxts_destroy(struct svcxprt_rdma *rdma)
178 {
179 	struct svc_rdma_recv_ctxt *ctxt;
180 	struct llist_node *node;
181 
182 	while ((node = llist_del_first(&rdma->sc_recv_ctxts))) {
183 		ctxt = llist_entry(node, struct svc_rdma_recv_ctxt, rc_node);
184 		svc_rdma_recv_ctxt_destroy(rdma, ctxt);
185 	}
186 }
187 
188 /**
189  * svc_rdma_recv_ctxt_get - Allocate a recv_ctxt
190  * @rdma: controlling svcxprt_rdma
191  *
192  * Returns a recv_ctxt or (rarely) NULL if none are available.
193  */
194 struct svc_rdma_recv_ctxt *svc_rdma_recv_ctxt_get(struct svcxprt_rdma *rdma)
195 {
196 	struct svc_rdma_recv_ctxt *ctxt;
197 	struct llist_node *node;
198 
199 	node = llist_del_first(&rdma->sc_recv_ctxts);
200 	if (!node)
201 		return NULL;
202 
203 	ctxt = llist_entry(node, struct svc_rdma_recv_ctxt, rc_node);
204 	ctxt->rc_page_count = 0;
205 	return ctxt;
206 }
207 
208 /**
209  * svc_rdma_recv_ctxt_put - Return recv_ctxt to free list
210  * @rdma: controlling svcxprt_rdma
211  * @ctxt: object to return to the free list
212  *
213  */
214 void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma,
215 			    struct svc_rdma_recv_ctxt *ctxt)
216 {
217 	svc_rdma_cc_release(rdma, &ctxt->rc_cc, DMA_FROM_DEVICE);
218 
219 	/* @rc_page_count is normally zero here, but error flows
220 	 * can leave pages in @rc_pages.
221 	 */
222 	release_pages(ctxt->rc_pages, ctxt->rc_page_count);
223 
224 	pcl_free(&ctxt->rc_call_pcl);
225 	pcl_free(&ctxt->rc_read_pcl);
226 	pcl_free(&ctxt->rc_write_pcl);
227 	pcl_free(&ctxt->rc_reply_pcl);
228 
229 	llist_add(&ctxt->rc_node, &rdma->sc_recv_ctxts);
230 }
231 
232 /**
233  * svc_rdma_release_ctxt - Release transport-specific per-rqst resources
234  * @xprt: the transport which owned the context
235  * @vctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt
236  *
237  * Ensure that the recv_ctxt is released whether or not a Reply
238  * was sent. For example, the client could close the connection,
239  * or svc_process could drop an RPC, before the Reply is sent.
240  */
241 void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *vctxt)
242 {
243 	struct svc_rdma_recv_ctxt *ctxt = vctxt;
244 	struct svcxprt_rdma *rdma =
245 		container_of(xprt, struct svcxprt_rdma, sc_xprt);
246 
247 	if (ctxt)
248 		svc_rdma_recv_ctxt_put(rdma, ctxt);
249 }
250 
251 static bool svc_rdma_refresh_recvs(struct svcxprt_rdma *rdma,
252 				   unsigned int wanted)
253 {
254 	const struct ib_recv_wr *bad_wr = NULL;
255 	struct svc_rdma_recv_ctxt *ctxt;
256 	struct ib_recv_wr *recv_chain;
257 	int ret;
258 
259 	if (test_bit(XPT_CLOSE, &rdma->sc_xprt.xpt_flags))
260 		return false;
261 
262 	recv_chain = NULL;
263 	while (wanted--) {
264 		ctxt = svc_rdma_recv_ctxt_get(rdma);
265 		if (!ctxt)
266 			break;
267 
268 		trace_svcrdma_post_recv(&ctxt->rc_cid);
269 		ctxt->rc_recv_wr.next = recv_chain;
270 		recv_chain = &ctxt->rc_recv_wr;
271 		rdma->sc_pending_recvs++;
272 	}
273 	if (!recv_chain)
274 		return true;
275 
276 	ret = ib_post_recv(rdma->sc_qp, recv_chain, &bad_wr);
277 	if (ret)
278 		goto err_free;
279 	return true;
280 
281 err_free:
282 	trace_svcrdma_rq_post_err(rdma, ret);
283 	while (bad_wr) {
284 		ctxt = container_of(bad_wr, struct svc_rdma_recv_ctxt,
285 				    rc_recv_wr);
286 		bad_wr = bad_wr->next;
287 		svc_rdma_recv_ctxt_put(rdma, ctxt);
288 	}
289 	/* Since we're destroying the xprt, no need to reset
290 	 * sc_pending_recvs. */
291 	return false;
292 }
293 
294 /**
295  * svc_rdma_post_recvs - Post initial set of Recv WRs
296  * @rdma: fresh svcxprt_rdma
297  *
298  * Return values:
299  *   %true: Receive Queue initialization successful
300  *   %false: memory allocation or DMA error
301  */
302 bool svc_rdma_post_recvs(struct svcxprt_rdma *rdma)
303 {
304 	unsigned int total;
305 
306 	/* For each credit, allocate enough recv_ctxts for one
307 	 * posted Receive and one RPC in process.
308 	 */
309 	total = (rdma->sc_max_requests * 2) + rdma->sc_recv_batch;
310 	while (total--) {
311 		struct svc_rdma_recv_ctxt *ctxt;
312 
313 		ctxt = svc_rdma_recv_ctxt_alloc(rdma);
314 		if (!ctxt)
315 			return false;
316 		llist_add(&ctxt->rc_node, &rdma->sc_recv_ctxts);
317 	}
318 
319 	return svc_rdma_refresh_recvs(rdma, rdma->sc_max_requests);
320 }
321 
322 /**
323  * svc_rdma_wc_receive - Invoked by RDMA provider for each polled Receive WC
324  * @cq: Completion Queue context
325  * @wc: Work Completion object
326  *
327  */
328 static void svc_rdma_wc_receive(struct ib_cq *cq, struct ib_wc *wc)
329 {
330 	struct svcxprt_rdma *rdma = cq->cq_context;
331 	struct ib_cqe *cqe = wc->wr_cqe;
332 	struct svc_rdma_recv_ctxt *ctxt;
333 
334 	rdma->sc_pending_recvs--;
335 
336 	/* WARNING: Only wc->wr_cqe and wc->status are reliable */
337 	ctxt = container_of(cqe, struct svc_rdma_recv_ctxt, rc_cqe);
338 
339 	if (wc->status != IB_WC_SUCCESS)
340 		goto flushed;
341 	trace_svcrdma_wc_recv(wc, &ctxt->rc_cid);
342 
343 	/* If receive posting fails, the connection is about to be
344 	 * lost anyway. The server will not be able to send a reply
345 	 * for this RPC, and the client will retransmit this RPC
346 	 * anyway when it reconnects.
347 	 *
348 	 * Therefore we drop the Receive, even if status was SUCCESS
349 	 * to reduce the likelihood of replayed requests once the
350 	 * client reconnects.
351 	 */
352 	if (rdma->sc_pending_recvs < rdma->sc_max_requests)
353 		if (!svc_rdma_refresh_recvs(rdma, rdma->sc_recv_batch))
354 			goto dropped;
355 
356 	/* All wc fields are now known to be valid */
357 	ctxt->rc_byte_len = wc->byte_len;
358 
359 	spin_lock(&rdma->sc_rq_dto_lock);
360 	list_add_tail(&ctxt->rc_list, &rdma->sc_rq_dto_q);
361 	/* Note the unlock pairs with the smp_rmb in svc_xprt_ready: */
362 	set_bit(XPT_DATA, &rdma->sc_xprt.xpt_flags);
363 	spin_unlock(&rdma->sc_rq_dto_lock);
364 	if (!test_bit(RDMAXPRT_CONN_PENDING, &rdma->sc_flags))
365 		svc_xprt_enqueue(&rdma->sc_xprt);
366 	return;
367 
368 flushed:
369 	if (wc->status == IB_WC_WR_FLUSH_ERR)
370 		trace_svcrdma_wc_recv_flush(wc, &ctxt->rc_cid);
371 	else
372 		trace_svcrdma_wc_recv_err(wc, &ctxt->rc_cid);
373 dropped:
374 	svc_rdma_recv_ctxt_put(rdma, ctxt);
375 	svc_xprt_deferred_close(&rdma->sc_xprt);
376 }
377 
378 /**
379  * svc_rdma_flush_recv_queues - Drain pending Receive work
380  * @rdma: svcxprt_rdma being shut down
381  *
382  */
383 void svc_rdma_flush_recv_queues(struct svcxprt_rdma *rdma)
384 {
385 	struct svc_rdma_recv_ctxt *ctxt;
386 
387 	while ((ctxt = svc_rdma_next_recv_ctxt(&rdma->sc_read_complete_q))) {
388 		list_del(&ctxt->rc_list);
389 		svc_rdma_recv_ctxt_put(rdma, ctxt);
390 	}
391 	while ((ctxt = svc_rdma_next_recv_ctxt(&rdma->sc_rq_dto_q))) {
392 		list_del(&ctxt->rc_list);
393 		svc_rdma_recv_ctxt_put(rdma, ctxt);
394 	}
395 }
396 
397 static void svc_rdma_build_arg_xdr(struct svc_rqst *rqstp,
398 				   struct svc_rdma_recv_ctxt *ctxt)
399 {
400 	struct xdr_buf *arg = &rqstp->rq_arg;
401 
402 	arg->head[0].iov_base = ctxt->rc_recv_buf;
403 	arg->head[0].iov_len = ctxt->rc_byte_len;
404 	arg->tail[0].iov_base = NULL;
405 	arg->tail[0].iov_len = 0;
406 	arg->page_len = 0;
407 	arg->page_base = 0;
408 	arg->buflen = ctxt->rc_byte_len;
409 	arg->len = ctxt->rc_byte_len;
410 }
411 
412 /**
413  * xdr_count_read_segments - Count number of Read segments in Read list
414  * @rctxt: Ingress receive context
415  * @p: Start of an un-decoded Read list
416  *
417  * Before allocating anything, ensure the ingress Read list is safe
418  * to use.
419  *
420  * The segment count is limited to how many segments can fit in the
421  * transport header without overflowing the buffer. That's about 40
422  * Read segments for a 1KB inline threshold.
423  *
424  * Return values:
425  *   %true: Read list is valid. @rctxt's xdr_stream is updated to point
426  *	    to the first byte past the Read list. rc_read_pcl and
427  *	    rc_call_pcl cl_count fields are set to the number of
428  *	    Read segments in the list.
429  *  %false: Read list is corrupt. @rctxt's xdr_stream is left in an
430  *	    unknown state.
431  */
432 static bool xdr_count_read_segments(struct svc_rdma_recv_ctxt *rctxt, __be32 *p)
433 {
434 	rctxt->rc_call_pcl.cl_count = 0;
435 	rctxt->rc_read_pcl.cl_count = 0;
436 	while (xdr_item_is_present(p)) {
437 		u32 position, handle, length;
438 		u64 offset;
439 
440 		p = xdr_inline_decode(&rctxt->rc_stream,
441 				      rpcrdma_readseg_maxsz * sizeof(*p));
442 		if (!p)
443 			return false;
444 
445 		xdr_decode_read_segment(p, &position, &handle,
446 					    &length, &offset);
447 		if (position) {
448 			if (position & 3)
449 				return false;
450 			++rctxt->rc_read_pcl.cl_count;
451 		} else {
452 			++rctxt->rc_call_pcl.cl_count;
453 		}
454 
455 		p = xdr_inline_decode(&rctxt->rc_stream, sizeof(*p));
456 		if (!p)
457 			return false;
458 	}
459 	return true;
460 }
461 
462 /* Sanity check the Read list.
463  *
464  * Sanity checks:
465  * - Read list does not overflow Receive buffer.
466  * - Chunk size limited by largest NFS data payload.
467  *
468  * Return values:
469  *   %true: Read list is valid. @rctxt's xdr_stream is updated
470  *	    to point to the first byte past the Read list.
471  *  %false: Read list is corrupt. @rctxt's xdr_stream is left
472  *	    in an unknown state.
473  */
474 static bool xdr_check_read_list(struct svc_rdma_recv_ctxt *rctxt)
475 {
476 	__be32 *p;
477 
478 	p = xdr_inline_decode(&rctxt->rc_stream, sizeof(*p));
479 	if (!p)
480 		return false;
481 	if (!xdr_count_read_segments(rctxt, p))
482 		return false;
483 	if (!pcl_alloc_call(rctxt, p))
484 		return false;
485 	return pcl_alloc_read(rctxt, p);
486 }
487 
488 static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt)
489 {
490 	u32 segcount;
491 	__be32 *p;
492 
493 	if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount))
494 		return false;
495 
496 	/* Before trusting the segcount value enough to use it in
497 	 * a computation, perform a simple range check. This is an
498 	 * arbitrary but sensible limit (ie, not architectural).
499 	 */
500 	if (unlikely(segcount > RPCSVC_MAXPAGES))
501 		return false;
502 
503 	p = xdr_inline_decode(&rctxt->rc_stream,
504 			      segcount * rpcrdma_segment_maxsz * sizeof(*p));
505 	return p != NULL;
506 }
507 
508 /**
509  * xdr_count_write_chunks - Count number of Write chunks in Write list
510  * @rctxt: Received header and decoding state
511  * @p: start of an un-decoded Write list
512  *
513  * Before allocating anything, ensure the ingress Write list is
514  * safe to use.
515  *
516  * Return values:
517  *       %true: Write list is valid. @rctxt's xdr_stream is updated
518  *		to point to the first byte past the Write list, and
519  *		the number of Write chunks is in rc_write_pcl.cl_count.
520  *      %false: Write list is corrupt. @rctxt's xdr_stream is left
521  *		in an indeterminate state.
522  */
523 static bool xdr_count_write_chunks(struct svc_rdma_recv_ctxt *rctxt, __be32 *p)
524 {
525 	rctxt->rc_write_pcl.cl_count = 0;
526 	while (xdr_item_is_present(p)) {
527 		if (!xdr_check_write_chunk(rctxt))
528 			return false;
529 		++rctxt->rc_write_pcl.cl_count;
530 		p = xdr_inline_decode(&rctxt->rc_stream, sizeof(*p));
531 		if (!p)
532 			return false;
533 	}
534 	return true;
535 }
536 
537 /* Sanity check the Write list.
538  *
539  * Implementation limits:
540  * - This implementation currently supports only one Write chunk.
541  *
542  * Sanity checks:
543  * - Write list does not overflow Receive buffer.
544  * - Chunk size limited by largest NFS data payload.
545  *
546  * Return values:
547  *       %true: Write list is valid. @rctxt's xdr_stream is updated
548  *		to point to the first byte past the Write list.
549  *      %false: Write list is corrupt. @rctxt's xdr_stream is left
550  *		in an unknown state.
551  */
552 static bool xdr_check_write_list(struct svc_rdma_recv_ctxt *rctxt)
553 {
554 	__be32 *p;
555 
556 	p = xdr_inline_decode(&rctxt->rc_stream, sizeof(*p));
557 	if (!p)
558 		return false;
559 	if (!xdr_count_write_chunks(rctxt, p))
560 		return false;
561 	if (!pcl_alloc_write(rctxt, &rctxt->rc_write_pcl, p))
562 		return false;
563 
564 	rctxt->rc_cur_result_payload = pcl_first_chunk(&rctxt->rc_write_pcl);
565 	return true;
566 }
567 
568 /* Sanity check the Reply chunk.
569  *
570  * Sanity checks:
571  * - Reply chunk does not overflow Receive buffer.
572  * - Chunk size limited by largest NFS data payload.
573  *
574  * Return values:
575  *       %true: Reply chunk is valid. @rctxt's xdr_stream is updated
576  *		to point to the first byte past the Reply chunk.
577  *      %false: Reply chunk is corrupt. @rctxt's xdr_stream is left
578  *		in an unknown state.
579  */
580 static bool xdr_check_reply_chunk(struct svc_rdma_recv_ctxt *rctxt)
581 {
582 	__be32 *p;
583 
584 	p = xdr_inline_decode(&rctxt->rc_stream, sizeof(*p));
585 	if (!p)
586 		return false;
587 
588 	if (!xdr_item_is_present(p))
589 		return true;
590 	if (!xdr_check_write_chunk(rctxt))
591 		return false;
592 
593 	rctxt->rc_reply_pcl.cl_count = 1;
594 	return pcl_alloc_write(rctxt, &rctxt->rc_reply_pcl, p);
595 }
596 
597 /* RPC-over-RDMA Version One private extension: Remote Invalidation.
598  * Responder's choice: requester signals it can handle Send With
599  * Invalidate, and responder chooses one R_key to invalidate.
600  *
601  * If there is exactly one distinct R_key in the received transport
602  * header, set rc_inv_rkey to that R_key. Otherwise, set it to zero.
603  */
604 static void svc_rdma_get_inv_rkey(struct svcxprt_rdma *rdma,
605 				  struct svc_rdma_recv_ctxt *ctxt)
606 {
607 	struct svc_rdma_segment *segment;
608 	struct svc_rdma_chunk *chunk;
609 	u32 inv_rkey;
610 
611 	ctxt->rc_inv_rkey = 0;
612 
613 	if (!rdma->sc_snd_w_inv)
614 		return;
615 
616 	inv_rkey = 0;
617 	pcl_for_each_chunk(chunk, &ctxt->rc_call_pcl) {
618 		pcl_for_each_segment(segment, chunk) {
619 			if (inv_rkey == 0)
620 				inv_rkey = segment->rs_handle;
621 			else if (inv_rkey != segment->rs_handle)
622 				return;
623 		}
624 	}
625 	pcl_for_each_chunk(chunk, &ctxt->rc_read_pcl) {
626 		pcl_for_each_segment(segment, chunk) {
627 			if (inv_rkey == 0)
628 				inv_rkey = segment->rs_handle;
629 			else if (inv_rkey != segment->rs_handle)
630 				return;
631 		}
632 	}
633 	pcl_for_each_chunk(chunk, &ctxt->rc_write_pcl) {
634 		pcl_for_each_segment(segment, chunk) {
635 			if (inv_rkey == 0)
636 				inv_rkey = segment->rs_handle;
637 			else if (inv_rkey != segment->rs_handle)
638 				return;
639 		}
640 	}
641 	pcl_for_each_chunk(chunk, &ctxt->rc_reply_pcl) {
642 		pcl_for_each_segment(segment, chunk) {
643 			if (inv_rkey == 0)
644 				inv_rkey = segment->rs_handle;
645 			else if (inv_rkey != segment->rs_handle)
646 				return;
647 		}
648 	}
649 	ctxt->rc_inv_rkey = inv_rkey;
650 }
651 
652 /**
653  * svc_rdma_xdr_decode_req - Decode the transport header
654  * @rq_arg: xdr_buf containing ingress RPC/RDMA message
655  * @rctxt: state of decoding
656  *
657  * On entry, xdr->head[0].iov_base points to first byte of the
658  * RPC-over-RDMA transport header.
659  *
660  * On successful exit, head[0] points to first byte past the
661  * RPC-over-RDMA header. For RDMA_MSG, this is the RPC message.
662  *
663  * The length of the RPC-over-RDMA header is returned.
664  *
665  * Assumptions:
666  * - The transport header is entirely contained in the head iovec.
667  */
668 static int svc_rdma_xdr_decode_req(struct xdr_buf *rq_arg,
669 				   struct svc_rdma_recv_ctxt *rctxt)
670 {
671 	__be32 *p, *rdma_argp;
672 	unsigned int hdr_len;
673 
674 	rdma_argp = rq_arg->head[0].iov_base;
675 	xdr_init_decode(&rctxt->rc_stream, rq_arg, rdma_argp, NULL);
676 
677 	p = xdr_inline_decode(&rctxt->rc_stream,
678 			      rpcrdma_fixed_maxsz * sizeof(*p));
679 	if (unlikely(!p))
680 		goto out_short;
681 	p++;
682 	if (*p != rpcrdma_version)
683 		goto out_version;
684 	p += 2;
685 	rctxt->rc_msgtype = *p;
686 	switch (rctxt->rc_msgtype) {
687 	case rdma_msg:
688 		break;
689 	case rdma_nomsg:
690 		break;
691 	case rdma_done:
692 		goto out_drop;
693 	case rdma_error:
694 		goto out_drop;
695 	default:
696 		goto out_proc;
697 	}
698 
699 	if (!xdr_check_read_list(rctxt))
700 		goto out_inval;
701 	if (!xdr_check_write_list(rctxt))
702 		goto out_inval;
703 	if (!xdr_check_reply_chunk(rctxt))
704 		goto out_inval;
705 
706 	rq_arg->head[0].iov_base = rctxt->rc_stream.p;
707 	hdr_len = xdr_stream_pos(&rctxt->rc_stream);
708 	rq_arg->head[0].iov_len -= hdr_len;
709 	rq_arg->len -= hdr_len;
710 	trace_svcrdma_decode_rqst(rctxt, rdma_argp, hdr_len);
711 	return hdr_len;
712 
713 out_short:
714 	trace_svcrdma_decode_short_err(rctxt, rq_arg->len);
715 	return -EINVAL;
716 
717 out_version:
718 	trace_svcrdma_decode_badvers_err(rctxt, rdma_argp);
719 	return -EPROTONOSUPPORT;
720 
721 out_drop:
722 	trace_svcrdma_decode_drop_err(rctxt, rdma_argp);
723 	return 0;
724 
725 out_proc:
726 	trace_svcrdma_decode_badproc_err(rctxt, rdma_argp);
727 	return -EINVAL;
728 
729 out_inval:
730 	trace_svcrdma_decode_parse_err(rctxt, rdma_argp);
731 	return -EINVAL;
732 }
733 
734 static void svc_rdma_send_error(struct svcxprt_rdma *rdma,
735 				struct svc_rdma_recv_ctxt *rctxt,
736 				int status)
737 {
738 	struct svc_rdma_send_ctxt *sctxt;
739 
740 	sctxt = svc_rdma_send_ctxt_get(rdma);
741 	if (!sctxt)
742 		return;
743 	svc_rdma_send_error_msg(rdma, sctxt, rctxt, status);
744 }
745 
746 /* By convention, backchannel calls arrive via rdma_msg type
747  * messages, and never populate the chunk lists. This makes
748  * the RPC/RDMA header small and fixed in size, so it is
749  * straightforward to check the RPC header's direction field.
750  */
751 static bool svc_rdma_is_reverse_direction_reply(struct svc_xprt *xprt,
752 						struct svc_rdma_recv_ctxt *rctxt)
753 {
754 	__be32 *p = rctxt->rc_recv_buf;
755 
756 	if (!xprt->xpt_bc_xprt)
757 		return false;
758 
759 	if (rctxt->rc_msgtype != rdma_msg)
760 		return false;
761 
762 	if (!pcl_is_empty(&rctxt->rc_call_pcl))
763 		return false;
764 	if (!pcl_is_empty(&rctxt->rc_read_pcl))
765 		return false;
766 	if (!pcl_is_empty(&rctxt->rc_write_pcl))
767 		return false;
768 	if (!pcl_is_empty(&rctxt->rc_reply_pcl))
769 		return false;
770 
771 	/* RPC call direction */
772 	if (*(p + 8) == cpu_to_be32(RPC_CALL))
773 		return false;
774 
775 	return true;
776 }
777 
778 /* Finish constructing the RPC Call message in rqstp::rq_arg.
779  *
780  * The incoming RPC/RDMA message is an RDMA_MSG type message
781  * with a single Read chunk (only the upper layer data payload
782  * was conveyed via RDMA Read).
783  */
784 static void svc_rdma_read_complete_one(struct svc_rqst *rqstp,
785 				       struct svc_rdma_recv_ctxt *ctxt)
786 {
787 	struct svc_rdma_chunk *chunk = pcl_first_chunk(&ctxt->rc_read_pcl);
788 	struct xdr_buf *buf = &rqstp->rq_arg;
789 	unsigned int length;
790 
791 	/* Split the Receive buffer between the head and tail
792 	 * buffers at Read chunk's position. XDR roundup of the
793 	 * chunk is not included in either the pagelist or in
794 	 * the tail.
795 	 */
796 	buf->tail[0].iov_base = buf->head[0].iov_base + chunk->ch_position;
797 	buf->tail[0].iov_len = buf->head[0].iov_len - chunk->ch_position;
798 	buf->head[0].iov_len = chunk->ch_position;
799 
800 	/* Read chunk may need XDR roundup (see RFC 8166, s. 3.4.5.2).
801 	 *
802 	 * If the client already rounded up the chunk length, the
803 	 * length does not change. Otherwise, the length of the page
804 	 * list is increased to include XDR round-up.
805 	 *
806 	 * Currently these chunks always start at page offset 0,
807 	 * thus the rounded-up length never crosses a page boundary.
808 	 */
809 	buf->pages = &rqstp->rq_pages[0];
810 	length = xdr_align_size(chunk->ch_length);
811 	buf->page_len = length;
812 	buf->len += length;
813 	buf->buflen += length;
814 }
815 
816 /* Finish constructing the RPC Call message in rqstp::rq_arg.
817  *
818  * The incoming RPC/RDMA message is an RDMA_MSG type message
819  * with payload in multiple Read chunks and no PZRC.
820  */
821 static void svc_rdma_read_complete_multiple(struct svc_rqst *rqstp,
822 					    struct svc_rdma_recv_ctxt *ctxt)
823 {
824 	struct xdr_buf *buf = &rqstp->rq_arg;
825 
826 	buf->len += ctxt->rc_readbytes;
827 	buf->buflen += ctxt->rc_readbytes;
828 
829 	buf->head[0].iov_base = page_address(rqstp->rq_pages[0]);
830 	buf->head[0].iov_len = min_t(size_t, PAGE_SIZE, ctxt->rc_readbytes);
831 	buf->pages = &rqstp->rq_pages[1];
832 	buf->page_len = ctxt->rc_readbytes - buf->head[0].iov_len;
833 }
834 
835 /* Finish constructing the RPC Call message in rqstp::rq_arg.
836  *
837  * The incoming RPC/RDMA message is an RDMA_NOMSG type message
838  * (the RPC message body was conveyed via RDMA Read).
839  */
840 static void svc_rdma_read_complete_pzrc(struct svc_rqst *rqstp,
841 					struct svc_rdma_recv_ctxt *ctxt)
842 {
843 	struct xdr_buf *buf = &rqstp->rq_arg;
844 
845 	buf->len += ctxt->rc_readbytes;
846 	buf->buflen += ctxt->rc_readbytes;
847 
848 	buf->head[0].iov_base = page_address(rqstp->rq_pages[0]);
849 	buf->head[0].iov_len = min_t(size_t, PAGE_SIZE, ctxt->rc_readbytes);
850 	buf->pages = &rqstp->rq_pages[1];
851 	buf->page_len = ctxt->rc_readbytes - buf->head[0].iov_len;
852 }
853 
854 static noinline void svc_rdma_read_complete(struct svc_rqst *rqstp,
855 					    struct svc_rdma_recv_ctxt *ctxt)
856 {
857 	unsigned int i;
858 
859 	/* Transfer the Read chunk pages into @rqstp.rq_pages, replacing
860 	 * the rq_pages that were already allocated for this rqstp.
861 	 */
862 	release_pages(rqstp->rq_respages, ctxt->rc_page_count);
863 	for (i = 0; i < ctxt->rc_page_count; i++)
864 		rqstp->rq_pages[i] = ctxt->rc_pages[i];
865 
866 	/* Update @rqstp's result send buffer to start after the
867 	 * last page in the RDMA Read payload.
868 	 */
869 	rqstp->rq_respages = &rqstp->rq_pages[ctxt->rc_page_count];
870 	rqstp->rq_next_page = rqstp->rq_respages + 1;
871 
872 	/* Prevent svc_rdma_recv_ctxt_put() from releasing the
873 	 * pages in ctxt::rc_pages a second time.
874 	 */
875 	ctxt->rc_page_count = 0;
876 
877 	/* Finish constructing the RPC Call message. The exact
878 	 * procedure for that depends on what kind of RPC/RDMA
879 	 * chunks were provided by the client.
880 	 */
881 	rqstp->rq_arg = ctxt->rc_saved_arg;
882 	if (pcl_is_empty(&ctxt->rc_call_pcl)) {
883 		if (ctxt->rc_read_pcl.cl_count == 1)
884 			svc_rdma_read_complete_one(rqstp, ctxt);
885 		else
886 			svc_rdma_read_complete_multiple(rqstp, ctxt);
887 	} else {
888 		svc_rdma_read_complete_pzrc(rqstp, ctxt);
889 	}
890 
891 	trace_svcrdma_read_finished(&ctxt->rc_cid);
892 }
893 
894 /**
895  * svc_rdma_recvfrom - Receive an RPC call
896  * @rqstp: request structure into which to receive an RPC Call
897  *
898  * Returns:
899  *	The positive number of bytes in the RPC Call message,
900  *	%0 if there were no Calls ready to return,
901  *	%-EINVAL if the Read chunk data is too large,
902  *	%-ENOMEM if rdma_rw context pool was exhausted,
903  *	%-ENOTCONN if posting failed (connection is lost),
904  *	%-EIO if rdma_rw initialization failed (DMA mapping, etc).
905  *
906  * Called in a loop when XPT_DATA is set. XPT_DATA is cleared only
907  * when there are no remaining ctxt's to process.
908  *
909  * The next ctxt is removed from the "receive" lists.
910  *
911  * - If the ctxt completes a Receive, then construct the Call
912  *   message from the contents of the Receive buffer.
913  *
914  *   - If there are no Read chunks in this message, then finish
915  *     assembling the Call message and return the number of bytes
916  *     in the message.
917  *
918  *   - If there are Read chunks in this message, post Read WRs to
919  *     pull that payload. When the Read WRs complete, build the
920  *     full message and return the number of bytes in it.
921  */
922 int svc_rdma_recvfrom(struct svc_rqst *rqstp)
923 {
924 	struct svc_xprt *xprt = rqstp->rq_xprt;
925 	struct svcxprt_rdma *rdma_xprt =
926 		container_of(xprt, struct svcxprt_rdma, sc_xprt);
927 	struct svc_rdma_recv_ctxt *ctxt;
928 	int ret;
929 
930 	/* Prevent svc_xprt_release() from releasing pages in rq_pages
931 	 * when returning 0 or an error.
932 	 */
933 	rqstp->rq_respages = rqstp->rq_pages;
934 	rqstp->rq_next_page = rqstp->rq_respages;
935 
936 	rqstp->rq_xprt_ctxt = NULL;
937 
938 	spin_lock(&rdma_xprt->sc_rq_dto_lock);
939 	ctxt = svc_rdma_next_recv_ctxt(&rdma_xprt->sc_read_complete_q);
940 	if (ctxt) {
941 		list_del(&ctxt->rc_list);
942 		spin_unlock(&rdma_xprt->sc_rq_dto_lock);
943 		svc_xprt_received(xprt);
944 		svc_rdma_read_complete(rqstp, ctxt);
945 		goto complete;
946 	}
947 	ctxt = svc_rdma_next_recv_ctxt(&rdma_xprt->sc_rq_dto_q);
948 	if (ctxt)
949 		list_del(&ctxt->rc_list);
950 	else
951 		/* No new incoming requests, terminate the loop */
952 		clear_bit(XPT_DATA, &xprt->xpt_flags);
953 	spin_unlock(&rdma_xprt->sc_rq_dto_lock);
954 
955 	/* Unblock the transport for the next receive */
956 	svc_xprt_received(xprt);
957 	if (!ctxt)
958 		return 0;
959 
960 	percpu_counter_inc(&svcrdma_stat_recv);
961 	ib_dma_sync_single_for_cpu(rdma_xprt->sc_pd->device,
962 				   ctxt->rc_recv_sge.addr, ctxt->rc_byte_len,
963 				   DMA_FROM_DEVICE);
964 	svc_rdma_build_arg_xdr(rqstp, ctxt);
965 
966 	ret = svc_rdma_xdr_decode_req(&rqstp->rq_arg, ctxt);
967 	if (ret < 0)
968 		goto out_err;
969 	if (ret == 0)
970 		goto out_drop;
971 
972 	if (svc_rdma_is_reverse_direction_reply(xprt, ctxt))
973 		goto out_backchannel;
974 
975 	svc_rdma_get_inv_rkey(rdma_xprt, ctxt);
976 
977 	if (!pcl_is_empty(&ctxt->rc_read_pcl) ||
978 	    !pcl_is_empty(&ctxt->rc_call_pcl))
979 		goto out_readlist;
980 
981 complete:
982 	rqstp->rq_xprt_ctxt = ctxt;
983 	rqstp->rq_prot = IPPROTO_MAX;
984 	svc_xprt_copy_addrs(rqstp, xprt);
985 	set_bit(RQ_SECURE, &rqstp->rq_flags);
986 	return rqstp->rq_arg.len;
987 
988 out_err:
989 	svc_rdma_send_error(rdma_xprt, ctxt, ret);
990 	svc_rdma_recv_ctxt_put(rdma_xprt, ctxt);
991 	return 0;
992 
993 out_readlist:
994 	/* This @rqstp is about to be recycled. Save the work
995 	 * already done constructing the Call message in rq_arg
996 	 * so it can be restored when the RDMA Reads have
997 	 * completed.
998 	 */
999 	ctxt->rc_saved_arg = rqstp->rq_arg;
1000 
1001 	ret = svc_rdma_process_read_list(rdma_xprt, rqstp, ctxt);
1002 	if (ret < 0) {
1003 		if (ret == -EINVAL)
1004 			svc_rdma_send_error(rdma_xprt, ctxt, ret);
1005 		svc_rdma_recv_ctxt_put(rdma_xprt, ctxt);
1006 		svc_xprt_deferred_close(xprt);
1007 		return ret;
1008 	}
1009 	return 0;
1010 
1011 out_backchannel:
1012 	svc_rdma_handle_bc_reply(rqstp, ctxt);
1013 out_drop:
1014 	svc_rdma_recv_ctxt_put(rdma_xprt, ctxt);
1015 	return 0;
1016 }
1017