1 /*
2  * Back-end of the driver for virtual network devices. This portion of the
3  * driver exports a 'unified' network-device interface that can be accessed
4  * by any operating system that implements a compatible front end. A
5  * reference front-end implementation can be found in:
6  *  drivers/net/xen-netfront.c
7  *
8  * Copyright (c) 2002-2005, K A Fraser
9  *
10  * This program is free software; you can redistribute it and/or
11  * modify it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation; or, when distributed
13  * separately from the Linux kernel or incorporated into other
14  * software packages, subject to the following license:
15  *
16  * Permission is hereby granted, free of charge, to any person obtaining a copy
17  * of this source file (the "Software"), to deal in the Software without
18  * restriction, including without limitation the rights to use, copy, modify,
19  * merge, publish, distribute, sublicense, and/or sell copies of the Software,
20  * and to permit persons to whom the Software is furnished to do so, subject to
21  * the following conditions:
22  *
23  * The above copyright notice and this permission notice shall be included in
24  * all copies or substantial portions of the Software.
25  *
26  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
27  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
28  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
29  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
30  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
31  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
32  * IN THE SOFTWARE.
33  */
34 
35 #include "common.h"
36 
37 #include <linux/kthread.h>
38 #include <linux/if_vlan.h>
39 #include <linux/udp.h>
40 #include <linux/highmem.h>
41 
42 #include <net/tcp.h>
43 
44 #include <xen/xen.h>
45 #include <xen/events.h>
46 #include <xen/interface/memory.h>
47 #include <xen/page.h>
48 
49 #include <asm/xen/hypercall.h>
50 
51 /* Provide an option to disable split event channels at load time as
52  * event channels are limited resource. Split event channels are
53  * enabled by default.
54  */
55 bool separate_tx_rx_irq = true;
56 module_param(separate_tx_rx_irq, bool, 0644);
57 
58 /* The time that packets can stay on the guest Rx internal queue
59  * before they are dropped.
60  */
61 unsigned int rx_drain_timeout_msecs = 10000;
62 module_param(rx_drain_timeout_msecs, uint, 0444);
63 
64 /* The length of time before the frontend is considered unresponsive
65  * because it isn't providing Rx slots.
66  */
67 unsigned int rx_stall_timeout_msecs = 60000;
68 module_param(rx_stall_timeout_msecs, uint, 0444);
69 
70 #define MAX_QUEUES_DEFAULT 8
71 unsigned int xenvif_max_queues;
72 module_param_named(max_queues, xenvif_max_queues, uint, 0644);
73 MODULE_PARM_DESC(max_queues,
74 		 "Maximum number of queues per virtual interface");
75 
76 /*
77  * This is the maximum slots a skb can have. If a guest sends a skb
78  * which exceeds this limit it is considered malicious.
79  */
80 #define FATAL_SKB_SLOTS_DEFAULT 20
81 static unsigned int fatal_skb_slots = FATAL_SKB_SLOTS_DEFAULT;
82 module_param(fatal_skb_slots, uint, 0444);
83 
84 /* The amount to copy out of the first guest Tx slot into the skb's
85  * linear area.  If the first slot has more data, it will be mapped
86  * and put into the first frag.
87  *
88  * This is sized to avoid pulling headers from the frags for most
89  * TCP/IP packets.
90  */
91 #define XEN_NETBACK_TX_COPY_LEN 128
92 
93 /* This is the maximum number of flows in the hash cache. */
94 #define XENVIF_HASH_CACHE_SIZE_DEFAULT 64
95 unsigned int xenvif_hash_cache_size = XENVIF_HASH_CACHE_SIZE_DEFAULT;
96 module_param_named(hash_cache_size, xenvif_hash_cache_size, uint, 0644);
97 MODULE_PARM_DESC(hash_cache_size, "Number of flows in the hash cache");
98 
99 static void xenvif_idx_release(struct xenvif_queue *queue, u16 pending_idx,
100 			       u8 status);
101 
102 static void make_tx_response(struct xenvif_queue *queue,
103 			     struct xen_netif_tx_request *txp,
104 			     unsigned int extra_count,
105 			     s8       st);
106 static void push_tx_responses(struct xenvif_queue *queue);
107 
108 static inline int tx_work_todo(struct xenvif_queue *queue);
109 
110 static inline unsigned long idx_to_pfn(struct xenvif_queue *queue,
111 				       u16 idx)
112 {
113 	return page_to_pfn(queue->mmap_pages[idx]);
114 }
115 
116 static inline unsigned long idx_to_kaddr(struct xenvif_queue *queue,
117 					 u16 idx)
118 {
119 	return (unsigned long)pfn_to_kaddr(idx_to_pfn(queue, idx));
120 }
121 
122 #define callback_param(vif, pending_idx) \
123 	(vif->pending_tx_info[pending_idx].callback_struct)
124 
125 /* Find the containing VIF's structure from a pointer in pending_tx_info array
126  */
127 static inline struct xenvif_queue *ubuf_to_queue(const struct ubuf_info *ubuf)
128 {
129 	u16 pending_idx = ubuf->desc;
130 	struct pending_tx_info *temp =
131 		container_of(ubuf, struct pending_tx_info, callback_struct);
132 	return container_of(temp - pending_idx,
133 			    struct xenvif_queue,
134 			    pending_tx_info[0]);
135 }
136 
137 static u16 frag_get_pending_idx(skb_frag_t *frag)
138 {
139 	return (u16)skb_frag_off(frag);
140 }
141 
142 static void frag_set_pending_idx(skb_frag_t *frag, u16 pending_idx)
143 {
144 	skb_frag_off_set(frag, pending_idx);
145 }
146 
147 static inline pending_ring_idx_t pending_index(unsigned i)
148 {
149 	return i & (MAX_PENDING_REQS-1);
150 }
151 
152 void xenvif_kick_thread(struct xenvif_queue *queue)
153 {
154 	wake_up(&queue->wq);
155 }
156 
157 void xenvif_napi_schedule_or_enable_events(struct xenvif_queue *queue)
158 {
159 	int more_to_do;
160 
161 	RING_FINAL_CHECK_FOR_REQUESTS(&queue->tx, more_to_do);
162 
163 	if (more_to_do)
164 		napi_schedule(&queue->napi);
165 }
166 
167 static void tx_add_credit(struct xenvif_queue *queue)
168 {
169 	unsigned long max_burst, max_credit;
170 
171 	/*
172 	 * Allow a burst big enough to transmit a jumbo packet of up to 128kB.
173 	 * Otherwise the interface can seize up due to insufficient credit.
174 	 */
175 	max_burst = max(131072UL, queue->credit_bytes);
176 
177 	/* Take care that adding a new chunk of credit doesn't wrap to zero. */
178 	max_credit = queue->remaining_credit + queue->credit_bytes;
179 	if (max_credit < queue->remaining_credit)
180 		max_credit = ULONG_MAX; /* wrapped: clamp to ULONG_MAX */
181 
182 	queue->remaining_credit = min(max_credit, max_burst);
183 	queue->rate_limited = false;
184 }
185 
186 void xenvif_tx_credit_callback(struct timer_list *t)
187 {
188 	struct xenvif_queue *queue = from_timer(queue, t, credit_timeout);
189 	tx_add_credit(queue);
190 	xenvif_napi_schedule_or_enable_events(queue);
191 }
192 
193 static void xenvif_tx_err(struct xenvif_queue *queue,
194 			  struct xen_netif_tx_request *txp,
195 			  unsigned int extra_count, RING_IDX end)
196 {
197 	RING_IDX cons = queue->tx.req_cons;
198 	unsigned long flags;
199 
200 	do {
201 		spin_lock_irqsave(&queue->response_lock, flags);
202 		make_tx_response(queue, txp, extra_count, XEN_NETIF_RSP_ERROR);
203 		push_tx_responses(queue);
204 		spin_unlock_irqrestore(&queue->response_lock, flags);
205 		if (cons == end)
206 			break;
207 		RING_COPY_REQUEST(&queue->tx, cons++, txp);
208 		extra_count = 0; /* only the first frag can have extras */
209 	} while (1);
210 	queue->tx.req_cons = cons;
211 }
212 
213 static void xenvif_fatal_tx_err(struct xenvif *vif)
214 {
215 	netdev_err(vif->dev, "fatal error; disabling device\n");
216 	vif->disabled = true;
217 	/* Disable the vif from queue 0's kthread */
218 	if (vif->num_queues)
219 		xenvif_kick_thread(&vif->queues[0]);
220 }
221 
222 static int xenvif_count_requests(struct xenvif_queue *queue,
223 				 struct xen_netif_tx_request *first,
224 				 unsigned int extra_count,
225 				 struct xen_netif_tx_request *txp,
226 				 int work_to_do)
227 {
228 	RING_IDX cons = queue->tx.req_cons;
229 	int slots = 0;
230 	int drop_err = 0;
231 	int more_data;
232 
233 	if (!(first->flags & XEN_NETTXF_more_data))
234 		return 0;
235 
236 	do {
237 		struct xen_netif_tx_request dropped_tx = { 0 };
238 
239 		if (slots >= work_to_do) {
240 			netdev_err(queue->vif->dev,
241 				   "Asked for %d slots but exceeds this limit\n",
242 				   work_to_do);
243 			xenvif_fatal_tx_err(queue->vif);
244 			return -ENODATA;
245 		}
246 
247 		/* This guest is really using too many slots and
248 		 * considered malicious.
249 		 */
250 		if (unlikely(slots >= fatal_skb_slots)) {
251 			netdev_err(queue->vif->dev,
252 				   "Malicious frontend using %d slots, threshold %u\n",
253 				   slots, fatal_skb_slots);
254 			xenvif_fatal_tx_err(queue->vif);
255 			return -E2BIG;
256 		}
257 
258 		/* Xen network protocol had implicit dependency on
259 		 * MAX_SKB_FRAGS. XEN_NETBK_LEGACY_SLOTS_MAX is set to
260 		 * the historical MAX_SKB_FRAGS value 18 to honor the
261 		 * same behavior as before. Any packet using more than
262 		 * 18 slots but less than fatal_skb_slots slots is
263 		 * dropped
264 		 */
265 		if (!drop_err && slots >= XEN_NETBK_LEGACY_SLOTS_MAX) {
266 			if (net_ratelimit())
267 				netdev_dbg(queue->vif->dev,
268 					   "Too many slots (%d) exceeding limit (%d), dropping packet\n",
269 					   slots, XEN_NETBK_LEGACY_SLOTS_MAX);
270 			drop_err = -E2BIG;
271 		}
272 
273 		if (drop_err)
274 			txp = &dropped_tx;
275 
276 		RING_COPY_REQUEST(&queue->tx, cons + slots, txp);
277 
278 		/* If the guest submitted a frame >= 64 KiB then
279 		 * first->size overflowed and following slots will
280 		 * appear to be larger than the frame.
281 		 *
282 		 * This cannot be fatal error as there are buggy
283 		 * frontends that do this.
284 		 *
285 		 * Consume all slots and drop the packet.
286 		 */
287 		if (!drop_err && txp->size > first->size) {
288 			if (net_ratelimit())
289 				netdev_dbg(queue->vif->dev,
290 					   "Invalid tx request, slot size %u > remaining size %u\n",
291 					   txp->size, first->size);
292 			drop_err = -EIO;
293 		}
294 
295 		first->size -= txp->size;
296 		slots++;
297 
298 		if (unlikely((txp->offset + txp->size) > XEN_PAGE_SIZE)) {
299 			netdev_err(queue->vif->dev, "Cross page boundary, txp->offset: %u, size: %u\n",
300 				 txp->offset, txp->size);
301 			xenvif_fatal_tx_err(queue->vif);
302 			return -EINVAL;
303 		}
304 
305 		more_data = txp->flags & XEN_NETTXF_more_data;
306 
307 		if (!drop_err)
308 			txp++;
309 
310 	} while (more_data);
311 
312 	if (drop_err) {
313 		xenvif_tx_err(queue, first, extra_count, cons + slots);
314 		return drop_err;
315 	}
316 
317 	return slots;
318 }
319 
320 
321 struct xenvif_tx_cb {
322 	u16 pending_idx;
323 };
324 
325 #define XENVIF_TX_CB(skb) ((struct xenvif_tx_cb *)(skb)->cb)
326 
327 static inline void xenvif_tx_create_map_op(struct xenvif_queue *queue,
328 					   u16 pending_idx,
329 					   struct xen_netif_tx_request *txp,
330 					   unsigned int extra_count,
331 					   struct gnttab_map_grant_ref *mop)
332 {
333 	queue->pages_to_map[mop-queue->tx_map_ops] = queue->mmap_pages[pending_idx];
334 	gnttab_set_map_op(mop, idx_to_kaddr(queue, pending_idx),
335 			  GNTMAP_host_map | GNTMAP_readonly,
336 			  txp->gref, queue->vif->domid);
337 
338 	memcpy(&queue->pending_tx_info[pending_idx].req, txp,
339 	       sizeof(*txp));
340 	queue->pending_tx_info[pending_idx].extra_count = extra_count;
341 }
342 
343 static inline struct sk_buff *xenvif_alloc_skb(unsigned int size)
344 {
345 	struct sk_buff *skb =
346 		alloc_skb(size + NET_SKB_PAD + NET_IP_ALIGN,
347 			  GFP_ATOMIC | __GFP_NOWARN);
348 	if (unlikely(skb == NULL))
349 		return NULL;
350 
351 	/* Packets passed to netif_rx() must have some headroom. */
352 	skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
353 
354 	/* Initialize it here to avoid later surprises */
355 	skb_shinfo(skb)->destructor_arg = NULL;
356 
357 	return skb;
358 }
359 
360 static struct gnttab_map_grant_ref *xenvif_get_requests(struct xenvif_queue *queue,
361 							struct sk_buff *skb,
362 							struct xen_netif_tx_request *txp,
363 							struct gnttab_map_grant_ref *gop,
364 							unsigned int frag_overflow,
365 							struct sk_buff *nskb)
366 {
367 	struct skb_shared_info *shinfo = skb_shinfo(skb);
368 	skb_frag_t *frags = shinfo->frags;
369 	u16 pending_idx = XENVIF_TX_CB(skb)->pending_idx;
370 	int start;
371 	pending_ring_idx_t index;
372 	unsigned int nr_slots;
373 
374 	nr_slots = shinfo->nr_frags;
375 
376 	/* Skip first skb fragment if it is on same page as header fragment. */
377 	start = (frag_get_pending_idx(&shinfo->frags[0]) == pending_idx);
378 
379 	for (shinfo->nr_frags = start; shinfo->nr_frags < nr_slots;
380 	     shinfo->nr_frags++, txp++, gop++) {
381 		index = pending_index(queue->pending_cons++);
382 		pending_idx = queue->pending_ring[index];
383 		xenvif_tx_create_map_op(queue, pending_idx, txp, 0, gop);
384 		frag_set_pending_idx(&frags[shinfo->nr_frags], pending_idx);
385 	}
386 
387 	if (frag_overflow) {
388 
389 		shinfo = skb_shinfo(nskb);
390 		frags = shinfo->frags;
391 
392 		for (shinfo->nr_frags = 0; shinfo->nr_frags < frag_overflow;
393 		     shinfo->nr_frags++, txp++, gop++) {
394 			index = pending_index(queue->pending_cons++);
395 			pending_idx = queue->pending_ring[index];
396 			xenvif_tx_create_map_op(queue, pending_idx, txp, 0,
397 						gop);
398 			frag_set_pending_idx(&frags[shinfo->nr_frags],
399 					     pending_idx);
400 		}
401 
402 		skb_shinfo(skb)->frag_list = nskb;
403 	}
404 
405 	return gop;
406 }
407 
408 static inline void xenvif_grant_handle_set(struct xenvif_queue *queue,
409 					   u16 pending_idx,
410 					   grant_handle_t handle)
411 {
412 	if (unlikely(queue->grant_tx_handle[pending_idx] !=
413 		     NETBACK_INVALID_HANDLE)) {
414 		netdev_err(queue->vif->dev,
415 			   "Trying to overwrite active handle! pending_idx: 0x%x\n",
416 			   pending_idx);
417 		BUG();
418 	}
419 	queue->grant_tx_handle[pending_idx] = handle;
420 }
421 
422 static inline void xenvif_grant_handle_reset(struct xenvif_queue *queue,
423 					     u16 pending_idx)
424 {
425 	if (unlikely(queue->grant_tx_handle[pending_idx] ==
426 		     NETBACK_INVALID_HANDLE)) {
427 		netdev_err(queue->vif->dev,
428 			   "Trying to unmap invalid handle! pending_idx: 0x%x\n",
429 			   pending_idx);
430 		BUG();
431 	}
432 	queue->grant_tx_handle[pending_idx] = NETBACK_INVALID_HANDLE;
433 }
434 
435 static int xenvif_tx_check_gop(struct xenvif_queue *queue,
436 			       struct sk_buff *skb,
437 			       struct gnttab_map_grant_ref **gopp_map,
438 			       struct gnttab_copy **gopp_copy)
439 {
440 	struct gnttab_map_grant_ref *gop_map = *gopp_map;
441 	u16 pending_idx = XENVIF_TX_CB(skb)->pending_idx;
442 	/* This always points to the shinfo of the skb being checked, which
443 	 * could be either the first or the one on the frag_list
444 	 */
445 	struct skb_shared_info *shinfo = skb_shinfo(skb);
446 	/* If this is non-NULL, we are currently checking the frag_list skb, and
447 	 * this points to the shinfo of the first one
448 	 */
449 	struct skb_shared_info *first_shinfo = NULL;
450 	int nr_frags = shinfo->nr_frags;
451 	const bool sharedslot = nr_frags &&
452 				frag_get_pending_idx(&shinfo->frags[0]) == pending_idx;
453 	int i, err;
454 
455 	/* Check status of header. */
456 	err = (*gopp_copy)->status;
457 	if (unlikely(err)) {
458 		if (net_ratelimit())
459 			netdev_dbg(queue->vif->dev,
460 				   "Grant copy of header failed! status: %d pending_idx: %u ref: %u\n",
461 				   (*gopp_copy)->status,
462 				   pending_idx,
463 				   (*gopp_copy)->source.u.ref);
464 		/* The first frag might still have this slot mapped */
465 		if (!sharedslot)
466 			xenvif_idx_release(queue, pending_idx,
467 					   XEN_NETIF_RSP_ERROR);
468 	}
469 	(*gopp_copy)++;
470 
471 check_frags:
472 	for (i = 0; i < nr_frags; i++, gop_map++) {
473 		int j, newerr;
474 
475 		pending_idx = frag_get_pending_idx(&shinfo->frags[i]);
476 
477 		/* Check error status: if okay then remember grant handle. */
478 		newerr = gop_map->status;
479 
480 		if (likely(!newerr)) {
481 			xenvif_grant_handle_set(queue,
482 						pending_idx,
483 						gop_map->handle);
484 			/* Had a previous error? Invalidate this fragment. */
485 			if (unlikely(err)) {
486 				xenvif_idx_unmap(queue, pending_idx);
487 				/* If the mapping of the first frag was OK, but
488 				 * the header's copy failed, and they are
489 				 * sharing a slot, send an error
490 				 */
491 				if (i == 0 && sharedslot)
492 					xenvif_idx_release(queue, pending_idx,
493 							   XEN_NETIF_RSP_ERROR);
494 				else
495 					xenvif_idx_release(queue, pending_idx,
496 							   XEN_NETIF_RSP_OKAY);
497 			}
498 			continue;
499 		}
500 
501 		/* Error on this fragment: respond to client with an error. */
502 		if (net_ratelimit())
503 			netdev_dbg(queue->vif->dev,
504 				   "Grant map of %d. frag failed! status: %d pending_idx: %u ref: %u\n",
505 				   i,
506 				   gop_map->status,
507 				   pending_idx,
508 				   gop_map->ref);
509 
510 		xenvif_idx_release(queue, pending_idx, XEN_NETIF_RSP_ERROR);
511 
512 		/* Not the first error? Preceding frags already invalidated. */
513 		if (err)
514 			continue;
515 
516 		/* First error: if the header haven't shared a slot with the
517 		 * first frag, release it as well.
518 		 */
519 		if (!sharedslot)
520 			xenvif_idx_release(queue,
521 					   XENVIF_TX_CB(skb)->pending_idx,
522 					   XEN_NETIF_RSP_OKAY);
523 
524 		/* Invalidate preceding fragments of this skb. */
525 		for (j = 0; j < i; j++) {
526 			pending_idx = frag_get_pending_idx(&shinfo->frags[j]);
527 			xenvif_idx_unmap(queue, pending_idx);
528 			xenvif_idx_release(queue, pending_idx,
529 					   XEN_NETIF_RSP_OKAY);
530 		}
531 
532 		/* And if we found the error while checking the frag_list, unmap
533 		 * the first skb's frags
534 		 */
535 		if (first_shinfo) {
536 			for (j = 0; j < first_shinfo->nr_frags; j++) {
537 				pending_idx = frag_get_pending_idx(&first_shinfo->frags[j]);
538 				xenvif_idx_unmap(queue, pending_idx);
539 				xenvif_idx_release(queue, pending_idx,
540 						   XEN_NETIF_RSP_OKAY);
541 			}
542 		}
543 
544 		/* Remember the error: invalidate all subsequent fragments. */
545 		err = newerr;
546 	}
547 
548 	if (skb_has_frag_list(skb) && !first_shinfo) {
549 		first_shinfo = skb_shinfo(skb);
550 		shinfo = skb_shinfo(skb_shinfo(skb)->frag_list);
551 		nr_frags = shinfo->nr_frags;
552 
553 		goto check_frags;
554 	}
555 
556 	*gopp_map = gop_map;
557 	return err;
558 }
559 
560 static void xenvif_fill_frags(struct xenvif_queue *queue, struct sk_buff *skb)
561 {
562 	struct skb_shared_info *shinfo = skb_shinfo(skb);
563 	int nr_frags = shinfo->nr_frags;
564 	int i;
565 	u16 prev_pending_idx = INVALID_PENDING_IDX;
566 
567 	for (i = 0; i < nr_frags; i++) {
568 		skb_frag_t *frag = shinfo->frags + i;
569 		struct xen_netif_tx_request *txp;
570 		struct page *page;
571 		u16 pending_idx;
572 
573 		pending_idx = frag_get_pending_idx(frag);
574 
575 		/* If this is not the first frag, chain it to the previous*/
576 		if (prev_pending_idx == INVALID_PENDING_IDX)
577 			skb_shinfo(skb)->destructor_arg =
578 				&callback_param(queue, pending_idx);
579 		else
580 			callback_param(queue, prev_pending_idx).ctx =
581 				&callback_param(queue, pending_idx);
582 
583 		callback_param(queue, pending_idx).ctx = NULL;
584 		prev_pending_idx = pending_idx;
585 
586 		txp = &queue->pending_tx_info[pending_idx].req;
587 		page = virt_to_page(idx_to_kaddr(queue, pending_idx));
588 		__skb_fill_page_desc(skb, i, page, txp->offset, txp->size);
589 		skb->len += txp->size;
590 		skb->data_len += txp->size;
591 		skb->truesize += txp->size;
592 
593 		/* Take an extra reference to offset network stack's put_page */
594 		get_page(queue->mmap_pages[pending_idx]);
595 	}
596 }
597 
598 static int xenvif_get_extras(struct xenvif_queue *queue,
599 			     struct xen_netif_extra_info *extras,
600 			     unsigned int *extra_count,
601 			     int work_to_do)
602 {
603 	struct xen_netif_extra_info extra;
604 	RING_IDX cons = queue->tx.req_cons;
605 
606 	do {
607 		if (unlikely(work_to_do-- <= 0)) {
608 			netdev_err(queue->vif->dev, "Missing extra info\n");
609 			xenvif_fatal_tx_err(queue->vif);
610 			return -EBADR;
611 		}
612 
613 		RING_COPY_REQUEST(&queue->tx, cons, &extra);
614 
615 		queue->tx.req_cons = ++cons;
616 		(*extra_count)++;
617 
618 		if (unlikely(!extra.type ||
619 			     extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
620 			netdev_err(queue->vif->dev,
621 				   "Invalid extra type: %d\n", extra.type);
622 			xenvif_fatal_tx_err(queue->vif);
623 			return -EINVAL;
624 		}
625 
626 		memcpy(&extras[extra.type - 1], &extra, sizeof(extra));
627 	} while (extra.flags & XEN_NETIF_EXTRA_FLAG_MORE);
628 
629 	return work_to_do;
630 }
631 
632 static int xenvif_set_skb_gso(struct xenvif *vif,
633 			      struct sk_buff *skb,
634 			      struct xen_netif_extra_info *gso)
635 {
636 	if (!gso->u.gso.size) {
637 		netdev_err(vif->dev, "GSO size must not be zero.\n");
638 		xenvif_fatal_tx_err(vif);
639 		return -EINVAL;
640 	}
641 
642 	switch (gso->u.gso.type) {
643 	case XEN_NETIF_GSO_TYPE_TCPV4:
644 		skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4;
645 		break;
646 	case XEN_NETIF_GSO_TYPE_TCPV6:
647 		skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
648 		break;
649 	default:
650 		netdev_err(vif->dev, "Bad GSO type %d.\n", gso->u.gso.type);
651 		xenvif_fatal_tx_err(vif);
652 		return -EINVAL;
653 	}
654 
655 	skb_shinfo(skb)->gso_size = gso->u.gso.size;
656 	/* gso_segs will be calculated later */
657 
658 	return 0;
659 }
660 
661 static int checksum_setup(struct xenvif_queue *queue, struct sk_buff *skb)
662 {
663 	bool recalculate_partial_csum = false;
664 
665 	/* A GSO SKB must be CHECKSUM_PARTIAL. However some buggy
666 	 * peers can fail to set NETRXF_csum_blank when sending a GSO
667 	 * frame. In this case force the SKB to CHECKSUM_PARTIAL and
668 	 * recalculate the partial checksum.
669 	 */
670 	if (skb->ip_summed != CHECKSUM_PARTIAL && skb_is_gso(skb)) {
671 		queue->stats.rx_gso_checksum_fixup++;
672 		skb->ip_summed = CHECKSUM_PARTIAL;
673 		recalculate_partial_csum = true;
674 	}
675 
676 	/* A non-CHECKSUM_PARTIAL SKB does not require setup. */
677 	if (skb->ip_summed != CHECKSUM_PARTIAL)
678 		return 0;
679 
680 	return skb_checksum_setup(skb, recalculate_partial_csum);
681 }
682 
683 static bool tx_credit_exceeded(struct xenvif_queue *queue, unsigned size)
684 {
685 	u64 now = get_jiffies_64();
686 	u64 next_credit = queue->credit_window_start +
687 		msecs_to_jiffies(queue->credit_usec / 1000);
688 
689 	/* Timer could already be pending in rare cases. */
690 	if (timer_pending(&queue->credit_timeout)) {
691 		queue->rate_limited = true;
692 		return true;
693 	}
694 
695 	/* Passed the point where we can replenish credit? */
696 	if (time_after_eq64(now, next_credit)) {
697 		queue->credit_window_start = now;
698 		tx_add_credit(queue);
699 	}
700 
701 	/* Still too big to send right now? Set a callback. */
702 	if (size > queue->remaining_credit) {
703 		mod_timer(&queue->credit_timeout,
704 			  next_credit);
705 		queue->credit_window_start = next_credit;
706 		queue->rate_limited = true;
707 
708 		return true;
709 	}
710 
711 	return false;
712 }
713 
714 /* No locking is required in xenvif_mcast_add/del() as they are
715  * only ever invoked from NAPI poll. An RCU list is used because
716  * xenvif_mcast_match() is called asynchronously, during start_xmit.
717  */
718 
719 static int xenvif_mcast_add(struct xenvif *vif, const u8 *addr)
720 {
721 	struct xenvif_mcast_addr *mcast;
722 
723 	if (vif->fe_mcast_count == XEN_NETBK_MCAST_MAX) {
724 		if (net_ratelimit())
725 			netdev_err(vif->dev,
726 				   "Too many multicast addresses\n");
727 		return -ENOSPC;
728 	}
729 
730 	mcast = kzalloc(sizeof(*mcast), GFP_ATOMIC);
731 	if (!mcast)
732 		return -ENOMEM;
733 
734 	ether_addr_copy(mcast->addr, addr);
735 	list_add_tail_rcu(&mcast->entry, &vif->fe_mcast_addr);
736 	vif->fe_mcast_count++;
737 
738 	return 0;
739 }
740 
741 static void xenvif_mcast_del(struct xenvif *vif, const u8 *addr)
742 {
743 	struct xenvif_mcast_addr *mcast;
744 
745 	list_for_each_entry_rcu(mcast, &vif->fe_mcast_addr, entry) {
746 		if (ether_addr_equal(addr, mcast->addr)) {
747 			--vif->fe_mcast_count;
748 			list_del_rcu(&mcast->entry);
749 			kfree_rcu(mcast, rcu);
750 			break;
751 		}
752 	}
753 }
754 
755 bool xenvif_mcast_match(struct xenvif *vif, const u8 *addr)
756 {
757 	struct xenvif_mcast_addr *mcast;
758 
759 	rcu_read_lock();
760 	list_for_each_entry_rcu(mcast, &vif->fe_mcast_addr, entry) {
761 		if (ether_addr_equal(addr, mcast->addr)) {
762 			rcu_read_unlock();
763 			return true;
764 		}
765 	}
766 	rcu_read_unlock();
767 
768 	return false;
769 }
770 
771 void xenvif_mcast_addr_list_free(struct xenvif *vif)
772 {
773 	/* No need for locking or RCU here. NAPI poll and TX queue
774 	 * are stopped.
775 	 */
776 	while (!list_empty(&vif->fe_mcast_addr)) {
777 		struct xenvif_mcast_addr *mcast;
778 
779 		mcast = list_first_entry(&vif->fe_mcast_addr,
780 					 struct xenvif_mcast_addr,
781 					 entry);
782 		--vif->fe_mcast_count;
783 		list_del(&mcast->entry);
784 		kfree(mcast);
785 	}
786 }
787 
788 static void xenvif_tx_build_gops(struct xenvif_queue *queue,
789 				     int budget,
790 				     unsigned *copy_ops,
791 				     unsigned *map_ops)
792 {
793 	struct gnttab_map_grant_ref *gop = queue->tx_map_ops;
794 	struct sk_buff *skb, *nskb;
795 	int ret;
796 	unsigned int frag_overflow;
797 
798 	while (skb_queue_len(&queue->tx_queue) < budget) {
799 		struct xen_netif_tx_request txreq;
800 		struct xen_netif_tx_request txfrags[XEN_NETBK_LEGACY_SLOTS_MAX];
801 		struct xen_netif_extra_info extras[XEN_NETIF_EXTRA_TYPE_MAX-1];
802 		unsigned int extra_count;
803 		u16 pending_idx;
804 		RING_IDX idx;
805 		int work_to_do;
806 		unsigned int data_len;
807 		pending_ring_idx_t index;
808 
809 		if (queue->tx.sring->req_prod - queue->tx.req_cons >
810 		    XEN_NETIF_TX_RING_SIZE) {
811 			netdev_err(queue->vif->dev,
812 				   "Impossible number of requests. "
813 				   "req_prod %d, req_cons %d, size %ld\n",
814 				   queue->tx.sring->req_prod, queue->tx.req_cons,
815 				   XEN_NETIF_TX_RING_SIZE);
816 			xenvif_fatal_tx_err(queue->vif);
817 			break;
818 		}
819 
820 		work_to_do = RING_HAS_UNCONSUMED_REQUESTS(&queue->tx);
821 		if (!work_to_do)
822 			break;
823 
824 		idx = queue->tx.req_cons;
825 		rmb(); /* Ensure that we see the request before we copy it. */
826 		RING_COPY_REQUEST(&queue->tx, idx, &txreq);
827 
828 		/* Credit-based scheduling. */
829 		if (txreq.size > queue->remaining_credit &&
830 		    tx_credit_exceeded(queue, txreq.size))
831 			break;
832 
833 		queue->remaining_credit -= txreq.size;
834 
835 		work_to_do--;
836 		queue->tx.req_cons = ++idx;
837 
838 		memset(extras, 0, sizeof(extras));
839 		extra_count = 0;
840 		if (txreq.flags & XEN_NETTXF_extra_info) {
841 			work_to_do = xenvif_get_extras(queue, extras,
842 						       &extra_count,
843 						       work_to_do);
844 			idx = queue->tx.req_cons;
845 			if (unlikely(work_to_do < 0))
846 				break;
847 		}
848 
849 		if (extras[XEN_NETIF_EXTRA_TYPE_MCAST_ADD - 1].type) {
850 			struct xen_netif_extra_info *extra;
851 
852 			extra = &extras[XEN_NETIF_EXTRA_TYPE_MCAST_ADD - 1];
853 			ret = xenvif_mcast_add(queue->vif, extra->u.mcast.addr);
854 
855 			make_tx_response(queue, &txreq, extra_count,
856 					 (ret == 0) ?
857 					 XEN_NETIF_RSP_OKAY :
858 					 XEN_NETIF_RSP_ERROR);
859 			push_tx_responses(queue);
860 			continue;
861 		}
862 
863 		if (extras[XEN_NETIF_EXTRA_TYPE_MCAST_DEL - 1].type) {
864 			struct xen_netif_extra_info *extra;
865 
866 			extra = &extras[XEN_NETIF_EXTRA_TYPE_MCAST_DEL - 1];
867 			xenvif_mcast_del(queue->vif, extra->u.mcast.addr);
868 
869 			make_tx_response(queue, &txreq, extra_count,
870 					 XEN_NETIF_RSP_OKAY);
871 			push_tx_responses(queue);
872 			continue;
873 		}
874 
875 		ret = xenvif_count_requests(queue, &txreq, extra_count,
876 					    txfrags, work_to_do);
877 		if (unlikely(ret < 0))
878 			break;
879 
880 		idx += ret;
881 
882 		if (unlikely(txreq.size < ETH_HLEN)) {
883 			netdev_dbg(queue->vif->dev,
884 				   "Bad packet size: %d\n", txreq.size);
885 			xenvif_tx_err(queue, &txreq, extra_count, idx);
886 			break;
887 		}
888 
889 		/* No crossing a page as the payload mustn't fragment. */
890 		if (unlikely((txreq.offset + txreq.size) > XEN_PAGE_SIZE)) {
891 			netdev_err(queue->vif->dev,
892 				   "txreq.offset: %u, size: %u, end: %lu\n",
893 				   txreq.offset, txreq.size,
894 				   (unsigned long)(txreq.offset&~XEN_PAGE_MASK) + txreq.size);
895 			xenvif_fatal_tx_err(queue->vif);
896 			break;
897 		}
898 
899 		index = pending_index(queue->pending_cons);
900 		pending_idx = queue->pending_ring[index];
901 
902 		data_len = (txreq.size > XEN_NETBACK_TX_COPY_LEN &&
903 			    ret < XEN_NETBK_LEGACY_SLOTS_MAX) ?
904 			XEN_NETBACK_TX_COPY_LEN : txreq.size;
905 
906 		skb = xenvif_alloc_skb(data_len);
907 		if (unlikely(skb == NULL)) {
908 			netdev_dbg(queue->vif->dev,
909 				   "Can't allocate a skb in start_xmit.\n");
910 			xenvif_tx_err(queue, &txreq, extra_count, idx);
911 			break;
912 		}
913 
914 		skb_shinfo(skb)->nr_frags = ret;
915 		if (data_len < txreq.size)
916 			skb_shinfo(skb)->nr_frags++;
917 		/* At this point shinfo->nr_frags is in fact the number of
918 		 * slots, which can be as large as XEN_NETBK_LEGACY_SLOTS_MAX.
919 		 */
920 		frag_overflow = 0;
921 		nskb = NULL;
922 		if (skb_shinfo(skb)->nr_frags > MAX_SKB_FRAGS) {
923 			frag_overflow = skb_shinfo(skb)->nr_frags - MAX_SKB_FRAGS;
924 			BUG_ON(frag_overflow > MAX_SKB_FRAGS);
925 			skb_shinfo(skb)->nr_frags = MAX_SKB_FRAGS;
926 			nskb = xenvif_alloc_skb(0);
927 			if (unlikely(nskb == NULL)) {
928 				skb_shinfo(skb)->nr_frags = 0;
929 				kfree_skb(skb);
930 				xenvif_tx_err(queue, &txreq, extra_count, idx);
931 				if (net_ratelimit())
932 					netdev_err(queue->vif->dev,
933 						   "Can't allocate the frag_list skb.\n");
934 				break;
935 			}
936 		}
937 
938 		if (extras[XEN_NETIF_EXTRA_TYPE_GSO - 1].type) {
939 			struct xen_netif_extra_info *gso;
940 			gso = &extras[XEN_NETIF_EXTRA_TYPE_GSO - 1];
941 
942 			if (xenvif_set_skb_gso(queue->vif, skb, gso)) {
943 				/* Failure in xenvif_set_skb_gso is fatal. */
944 				skb_shinfo(skb)->nr_frags = 0;
945 				kfree_skb(skb);
946 				kfree_skb(nskb);
947 				break;
948 			}
949 		}
950 
951 		if (extras[XEN_NETIF_EXTRA_TYPE_HASH - 1].type) {
952 			struct xen_netif_extra_info *extra;
953 			enum pkt_hash_types type = PKT_HASH_TYPE_NONE;
954 
955 			extra = &extras[XEN_NETIF_EXTRA_TYPE_HASH - 1];
956 
957 			switch (extra->u.hash.type) {
958 			case _XEN_NETIF_CTRL_HASH_TYPE_IPV4:
959 			case _XEN_NETIF_CTRL_HASH_TYPE_IPV6:
960 				type = PKT_HASH_TYPE_L3;
961 				break;
962 
963 			case _XEN_NETIF_CTRL_HASH_TYPE_IPV4_TCP:
964 			case _XEN_NETIF_CTRL_HASH_TYPE_IPV6_TCP:
965 				type = PKT_HASH_TYPE_L4;
966 				break;
967 
968 			default:
969 				break;
970 			}
971 
972 			if (type != PKT_HASH_TYPE_NONE)
973 				skb_set_hash(skb,
974 					     *(u32 *)extra->u.hash.value,
975 					     type);
976 		}
977 
978 		XENVIF_TX_CB(skb)->pending_idx = pending_idx;
979 
980 		__skb_put(skb, data_len);
981 		queue->tx_copy_ops[*copy_ops].source.u.ref = txreq.gref;
982 		queue->tx_copy_ops[*copy_ops].source.domid = queue->vif->domid;
983 		queue->tx_copy_ops[*copy_ops].source.offset = txreq.offset;
984 
985 		queue->tx_copy_ops[*copy_ops].dest.u.gmfn =
986 			virt_to_gfn(skb->data);
987 		queue->tx_copy_ops[*copy_ops].dest.domid = DOMID_SELF;
988 		queue->tx_copy_ops[*copy_ops].dest.offset =
989 			offset_in_page(skb->data) & ~XEN_PAGE_MASK;
990 
991 		queue->tx_copy_ops[*copy_ops].len = data_len;
992 		queue->tx_copy_ops[*copy_ops].flags = GNTCOPY_source_gref;
993 
994 		(*copy_ops)++;
995 
996 		if (data_len < txreq.size) {
997 			frag_set_pending_idx(&skb_shinfo(skb)->frags[0],
998 					     pending_idx);
999 			xenvif_tx_create_map_op(queue, pending_idx, &txreq,
1000 						extra_count, gop);
1001 			gop++;
1002 		} else {
1003 			frag_set_pending_idx(&skb_shinfo(skb)->frags[0],
1004 					     INVALID_PENDING_IDX);
1005 			memcpy(&queue->pending_tx_info[pending_idx].req,
1006 			       &txreq, sizeof(txreq));
1007 			queue->pending_tx_info[pending_idx].extra_count =
1008 				extra_count;
1009 		}
1010 
1011 		queue->pending_cons++;
1012 
1013 		gop = xenvif_get_requests(queue, skb, txfrags, gop,
1014 				          frag_overflow, nskb);
1015 
1016 		__skb_queue_tail(&queue->tx_queue, skb);
1017 
1018 		queue->tx.req_cons = idx;
1019 
1020 		if (((gop-queue->tx_map_ops) >= ARRAY_SIZE(queue->tx_map_ops)) ||
1021 		    (*copy_ops >= ARRAY_SIZE(queue->tx_copy_ops)))
1022 			break;
1023 	}
1024 
1025 	(*map_ops) = gop - queue->tx_map_ops;
1026 	return;
1027 }
1028 
1029 /* Consolidate skb with a frag_list into a brand new one with local pages on
1030  * frags. Returns 0 or -ENOMEM if can't allocate new pages.
1031  */
1032 static int xenvif_handle_frag_list(struct xenvif_queue *queue, struct sk_buff *skb)
1033 {
1034 	unsigned int offset = skb_headlen(skb);
1035 	skb_frag_t frags[MAX_SKB_FRAGS];
1036 	int i, f;
1037 	struct ubuf_info *uarg;
1038 	struct sk_buff *nskb = skb_shinfo(skb)->frag_list;
1039 
1040 	queue->stats.tx_zerocopy_sent += 2;
1041 	queue->stats.tx_frag_overflow++;
1042 
1043 	xenvif_fill_frags(queue, nskb);
1044 	/* Subtract frags size, we will correct it later */
1045 	skb->truesize -= skb->data_len;
1046 	skb->len += nskb->len;
1047 	skb->data_len += nskb->len;
1048 
1049 	/* create a brand new frags array and coalesce there */
1050 	for (i = 0; offset < skb->len; i++) {
1051 		struct page *page;
1052 		unsigned int len;
1053 
1054 		BUG_ON(i >= MAX_SKB_FRAGS);
1055 		page = alloc_page(GFP_ATOMIC);
1056 		if (!page) {
1057 			int j;
1058 			skb->truesize += skb->data_len;
1059 			for (j = 0; j < i; j++)
1060 				put_page(skb_frag_page(&frags[j]));
1061 			return -ENOMEM;
1062 		}
1063 
1064 		if (offset + PAGE_SIZE < skb->len)
1065 			len = PAGE_SIZE;
1066 		else
1067 			len = skb->len - offset;
1068 		if (skb_copy_bits(skb, offset, page_address(page), len))
1069 			BUG();
1070 
1071 		offset += len;
1072 		__skb_frag_set_page(&frags[i], page);
1073 		skb_frag_off_set(&frags[i], 0);
1074 		skb_frag_size_set(&frags[i], len);
1075 	}
1076 
1077 	/* Release all the original (foreign) frags. */
1078 	for (f = 0; f < skb_shinfo(skb)->nr_frags; f++)
1079 		skb_frag_unref(skb, f);
1080 	uarg = skb_shinfo(skb)->destructor_arg;
1081 	/* increase inflight counter to offset decrement in callback */
1082 	atomic_inc(&queue->inflight_packets);
1083 	uarg->callback(uarg, true);
1084 	skb_shinfo(skb)->destructor_arg = NULL;
1085 
1086 	/* Fill the skb with the new (local) frags. */
1087 	memcpy(skb_shinfo(skb)->frags, frags, i * sizeof(skb_frag_t));
1088 	skb_shinfo(skb)->nr_frags = i;
1089 	skb->truesize += i * PAGE_SIZE;
1090 
1091 	return 0;
1092 }
1093 
1094 static int xenvif_tx_submit(struct xenvif_queue *queue)
1095 {
1096 	struct gnttab_map_grant_ref *gop_map = queue->tx_map_ops;
1097 	struct gnttab_copy *gop_copy = queue->tx_copy_ops;
1098 	struct sk_buff *skb;
1099 	int work_done = 0;
1100 
1101 	while ((skb = __skb_dequeue(&queue->tx_queue)) != NULL) {
1102 		struct xen_netif_tx_request *txp;
1103 		u16 pending_idx;
1104 		unsigned data_len;
1105 
1106 		pending_idx = XENVIF_TX_CB(skb)->pending_idx;
1107 		txp = &queue->pending_tx_info[pending_idx].req;
1108 
1109 		/* Check the remap error code. */
1110 		if (unlikely(xenvif_tx_check_gop(queue, skb, &gop_map, &gop_copy))) {
1111 			/* If there was an error, xenvif_tx_check_gop is
1112 			 * expected to release all the frags which were mapped,
1113 			 * so kfree_skb shouldn't do it again
1114 			 */
1115 			skb_shinfo(skb)->nr_frags = 0;
1116 			if (skb_has_frag_list(skb)) {
1117 				struct sk_buff *nskb =
1118 						skb_shinfo(skb)->frag_list;
1119 				skb_shinfo(nskb)->nr_frags = 0;
1120 			}
1121 			kfree_skb(skb);
1122 			continue;
1123 		}
1124 
1125 		data_len = skb->len;
1126 		callback_param(queue, pending_idx).ctx = NULL;
1127 		if (data_len < txp->size) {
1128 			/* Append the packet payload as a fragment. */
1129 			txp->offset += data_len;
1130 			txp->size -= data_len;
1131 		} else {
1132 			/* Schedule a response immediately. */
1133 			xenvif_idx_release(queue, pending_idx,
1134 					   XEN_NETIF_RSP_OKAY);
1135 		}
1136 
1137 		if (txp->flags & XEN_NETTXF_csum_blank)
1138 			skb->ip_summed = CHECKSUM_PARTIAL;
1139 		else if (txp->flags & XEN_NETTXF_data_validated)
1140 			skb->ip_summed = CHECKSUM_UNNECESSARY;
1141 
1142 		xenvif_fill_frags(queue, skb);
1143 
1144 		if (unlikely(skb_has_frag_list(skb))) {
1145 			struct sk_buff *nskb = skb_shinfo(skb)->frag_list;
1146 			xenvif_skb_zerocopy_prepare(queue, nskb);
1147 			if (xenvif_handle_frag_list(queue, skb)) {
1148 				if (net_ratelimit())
1149 					netdev_err(queue->vif->dev,
1150 						   "Not enough memory to consolidate frag_list!\n");
1151 				xenvif_skb_zerocopy_prepare(queue, skb);
1152 				kfree_skb(skb);
1153 				continue;
1154 			}
1155 			/* Copied all the bits from the frag list -- free it. */
1156 			skb_frag_list_init(skb);
1157 			kfree_skb(nskb);
1158 		}
1159 
1160 		skb->dev      = queue->vif->dev;
1161 		skb->protocol = eth_type_trans(skb, skb->dev);
1162 		skb_reset_network_header(skb);
1163 
1164 		if (checksum_setup(queue, skb)) {
1165 			netdev_dbg(queue->vif->dev,
1166 				   "Can't setup checksum in net_tx_action\n");
1167 			/* We have to set this flag to trigger the callback */
1168 			if (skb_shinfo(skb)->destructor_arg)
1169 				xenvif_skb_zerocopy_prepare(queue, skb);
1170 			kfree_skb(skb);
1171 			continue;
1172 		}
1173 
1174 		skb_probe_transport_header(skb);
1175 
1176 		/* If the packet is GSO then we will have just set up the
1177 		 * transport header offset in checksum_setup so it's now
1178 		 * straightforward to calculate gso_segs.
1179 		 */
1180 		if (skb_is_gso(skb)) {
1181 			int mss, hdrlen;
1182 
1183 			/* GSO implies having the L4 header. */
1184 			WARN_ON_ONCE(!skb_transport_header_was_set(skb));
1185 			if (unlikely(!skb_transport_header_was_set(skb))) {
1186 				kfree_skb(skb);
1187 				continue;
1188 			}
1189 
1190 			mss = skb_shinfo(skb)->gso_size;
1191 			hdrlen = skb_transport_header(skb) -
1192 				skb_mac_header(skb) +
1193 				tcp_hdrlen(skb);
1194 
1195 			skb_shinfo(skb)->gso_segs =
1196 				DIV_ROUND_UP(skb->len - hdrlen, mss);
1197 		}
1198 
1199 		queue->stats.rx_bytes += skb->len;
1200 		queue->stats.rx_packets++;
1201 
1202 		work_done++;
1203 
1204 		/* Set this flag right before netif_receive_skb, otherwise
1205 		 * someone might think this packet already left netback, and
1206 		 * do a skb_copy_ubufs while we are still in control of the
1207 		 * skb. E.g. the __pskb_pull_tail earlier can do such thing.
1208 		 */
1209 		if (skb_shinfo(skb)->destructor_arg) {
1210 			xenvif_skb_zerocopy_prepare(queue, skb);
1211 			queue->stats.tx_zerocopy_sent++;
1212 		}
1213 
1214 		netif_receive_skb(skb);
1215 	}
1216 
1217 	return work_done;
1218 }
1219 
1220 void xenvif_zerocopy_callback(struct ubuf_info *ubuf, bool zerocopy_success)
1221 {
1222 	unsigned long flags;
1223 	pending_ring_idx_t index;
1224 	struct xenvif_queue *queue = ubuf_to_queue(ubuf);
1225 
1226 	/* This is the only place where we grab this lock, to protect callbacks
1227 	 * from each other.
1228 	 */
1229 	spin_lock_irqsave(&queue->callback_lock, flags);
1230 	do {
1231 		u16 pending_idx = ubuf->desc;
1232 		ubuf = (struct ubuf_info *) ubuf->ctx;
1233 		BUG_ON(queue->dealloc_prod - queue->dealloc_cons >=
1234 			MAX_PENDING_REQS);
1235 		index = pending_index(queue->dealloc_prod);
1236 		queue->dealloc_ring[index] = pending_idx;
1237 		/* Sync with xenvif_tx_dealloc_action:
1238 		 * insert idx then incr producer.
1239 		 */
1240 		smp_wmb();
1241 		queue->dealloc_prod++;
1242 	} while (ubuf);
1243 	spin_unlock_irqrestore(&queue->callback_lock, flags);
1244 
1245 	if (likely(zerocopy_success))
1246 		queue->stats.tx_zerocopy_success++;
1247 	else
1248 		queue->stats.tx_zerocopy_fail++;
1249 	xenvif_skb_zerocopy_complete(queue);
1250 }
1251 
1252 static inline void xenvif_tx_dealloc_action(struct xenvif_queue *queue)
1253 {
1254 	struct gnttab_unmap_grant_ref *gop;
1255 	pending_ring_idx_t dc, dp;
1256 	u16 pending_idx, pending_idx_release[MAX_PENDING_REQS];
1257 	unsigned int i = 0;
1258 
1259 	dc = queue->dealloc_cons;
1260 	gop = queue->tx_unmap_ops;
1261 
1262 	/* Free up any grants we have finished using */
1263 	do {
1264 		dp = queue->dealloc_prod;
1265 
1266 		/* Ensure we see all indices enqueued by all
1267 		 * xenvif_zerocopy_callback().
1268 		 */
1269 		smp_rmb();
1270 
1271 		while (dc != dp) {
1272 			BUG_ON(gop - queue->tx_unmap_ops >= MAX_PENDING_REQS);
1273 			pending_idx =
1274 				queue->dealloc_ring[pending_index(dc++)];
1275 
1276 			pending_idx_release[gop - queue->tx_unmap_ops] =
1277 				pending_idx;
1278 			queue->pages_to_unmap[gop - queue->tx_unmap_ops] =
1279 				queue->mmap_pages[pending_idx];
1280 			gnttab_set_unmap_op(gop,
1281 					    idx_to_kaddr(queue, pending_idx),
1282 					    GNTMAP_host_map,
1283 					    queue->grant_tx_handle[pending_idx]);
1284 			xenvif_grant_handle_reset(queue, pending_idx);
1285 			++gop;
1286 		}
1287 
1288 	} while (dp != queue->dealloc_prod);
1289 
1290 	queue->dealloc_cons = dc;
1291 
1292 	if (gop - queue->tx_unmap_ops > 0) {
1293 		int ret;
1294 		ret = gnttab_unmap_refs(queue->tx_unmap_ops,
1295 					NULL,
1296 					queue->pages_to_unmap,
1297 					gop - queue->tx_unmap_ops);
1298 		if (ret) {
1299 			netdev_err(queue->vif->dev, "Unmap fail: nr_ops %tu ret %d\n",
1300 				   gop - queue->tx_unmap_ops, ret);
1301 			for (i = 0; i < gop - queue->tx_unmap_ops; ++i) {
1302 				if (gop[i].status != GNTST_okay)
1303 					netdev_err(queue->vif->dev,
1304 						   " host_addr: 0x%llx handle: 0x%x status: %d\n",
1305 						   gop[i].host_addr,
1306 						   gop[i].handle,
1307 						   gop[i].status);
1308 			}
1309 			BUG();
1310 		}
1311 	}
1312 
1313 	for (i = 0; i < gop - queue->tx_unmap_ops; ++i)
1314 		xenvif_idx_release(queue, pending_idx_release[i],
1315 				   XEN_NETIF_RSP_OKAY);
1316 }
1317 
1318 
1319 /* Called after netfront has transmitted */
1320 int xenvif_tx_action(struct xenvif_queue *queue, int budget)
1321 {
1322 	unsigned nr_mops, nr_cops = 0;
1323 	int work_done, ret;
1324 
1325 	if (unlikely(!tx_work_todo(queue)))
1326 		return 0;
1327 
1328 	xenvif_tx_build_gops(queue, budget, &nr_cops, &nr_mops);
1329 
1330 	if (nr_cops == 0)
1331 		return 0;
1332 
1333 	gnttab_batch_copy(queue->tx_copy_ops, nr_cops);
1334 	if (nr_mops != 0) {
1335 		ret = gnttab_map_refs(queue->tx_map_ops,
1336 				      NULL,
1337 				      queue->pages_to_map,
1338 				      nr_mops);
1339 		BUG_ON(ret);
1340 	}
1341 
1342 	work_done = xenvif_tx_submit(queue);
1343 
1344 	return work_done;
1345 }
1346 
1347 static void xenvif_idx_release(struct xenvif_queue *queue, u16 pending_idx,
1348 			       u8 status)
1349 {
1350 	struct pending_tx_info *pending_tx_info;
1351 	pending_ring_idx_t index;
1352 	unsigned long flags;
1353 
1354 	pending_tx_info = &queue->pending_tx_info[pending_idx];
1355 
1356 	spin_lock_irqsave(&queue->response_lock, flags);
1357 
1358 	make_tx_response(queue, &pending_tx_info->req,
1359 			 pending_tx_info->extra_count, status);
1360 
1361 	/* Release the pending index before pusing the Tx response so
1362 	 * its available before a new Tx request is pushed by the
1363 	 * frontend.
1364 	 */
1365 	index = pending_index(queue->pending_prod++);
1366 	queue->pending_ring[index] = pending_idx;
1367 
1368 	push_tx_responses(queue);
1369 
1370 	spin_unlock_irqrestore(&queue->response_lock, flags);
1371 }
1372 
1373 
1374 static void make_tx_response(struct xenvif_queue *queue,
1375 			     struct xen_netif_tx_request *txp,
1376 			     unsigned int extra_count,
1377 			     s8       st)
1378 {
1379 	RING_IDX i = queue->tx.rsp_prod_pvt;
1380 	struct xen_netif_tx_response *resp;
1381 
1382 	resp = RING_GET_RESPONSE(&queue->tx, i);
1383 	resp->id     = txp->id;
1384 	resp->status = st;
1385 
1386 	while (extra_count-- != 0)
1387 		RING_GET_RESPONSE(&queue->tx, ++i)->status = XEN_NETIF_RSP_NULL;
1388 
1389 	queue->tx.rsp_prod_pvt = ++i;
1390 }
1391 
1392 static void push_tx_responses(struct xenvif_queue *queue)
1393 {
1394 	int notify;
1395 
1396 	RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&queue->tx, notify);
1397 	if (notify)
1398 		notify_remote_via_irq(queue->tx_irq);
1399 }
1400 
1401 void xenvif_idx_unmap(struct xenvif_queue *queue, u16 pending_idx)
1402 {
1403 	int ret;
1404 	struct gnttab_unmap_grant_ref tx_unmap_op;
1405 
1406 	gnttab_set_unmap_op(&tx_unmap_op,
1407 			    idx_to_kaddr(queue, pending_idx),
1408 			    GNTMAP_host_map,
1409 			    queue->grant_tx_handle[pending_idx]);
1410 	xenvif_grant_handle_reset(queue, pending_idx);
1411 
1412 	ret = gnttab_unmap_refs(&tx_unmap_op, NULL,
1413 				&queue->mmap_pages[pending_idx], 1);
1414 	if (ret) {
1415 		netdev_err(queue->vif->dev,
1416 			   "Unmap fail: ret: %d pending_idx: %d host_addr: %llx handle: 0x%x status: %d\n",
1417 			   ret,
1418 			   pending_idx,
1419 			   tx_unmap_op.host_addr,
1420 			   tx_unmap_op.handle,
1421 			   tx_unmap_op.status);
1422 		BUG();
1423 	}
1424 }
1425 
1426 static inline int tx_work_todo(struct xenvif_queue *queue)
1427 {
1428 	if (likely(RING_HAS_UNCONSUMED_REQUESTS(&queue->tx)))
1429 		return 1;
1430 
1431 	return 0;
1432 }
1433 
1434 static inline bool tx_dealloc_work_todo(struct xenvif_queue *queue)
1435 {
1436 	return queue->dealloc_cons != queue->dealloc_prod;
1437 }
1438 
1439 void xenvif_unmap_frontend_data_rings(struct xenvif_queue *queue)
1440 {
1441 	if (queue->tx.sring)
1442 		xenbus_unmap_ring_vfree(xenvif_to_xenbus_device(queue->vif),
1443 					queue->tx.sring);
1444 	if (queue->rx.sring)
1445 		xenbus_unmap_ring_vfree(xenvif_to_xenbus_device(queue->vif),
1446 					queue->rx.sring);
1447 }
1448 
1449 int xenvif_map_frontend_data_rings(struct xenvif_queue *queue,
1450 				   grant_ref_t tx_ring_ref,
1451 				   grant_ref_t rx_ring_ref)
1452 {
1453 	void *addr;
1454 	struct xen_netif_tx_sring *txs;
1455 	struct xen_netif_rx_sring *rxs;
1456 	RING_IDX rsp_prod, req_prod;
1457 	int err = -ENOMEM;
1458 
1459 	err = xenbus_map_ring_valloc(xenvif_to_xenbus_device(queue->vif),
1460 				     &tx_ring_ref, 1, &addr);
1461 	if (err)
1462 		goto err;
1463 
1464 	txs = (struct xen_netif_tx_sring *)addr;
1465 	rsp_prod = READ_ONCE(txs->rsp_prod);
1466 	req_prod = READ_ONCE(txs->req_prod);
1467 
1468 	BACK_RING_ATTACH(&queue->tx, txs, rsp_prod, XEN_PAGE_SIZE);
1469 
1470 	err = -EIO;
1471 	if (req_prod - rsp_prod > RING_SIZE(&queue->tx))
1472 		goto err;
1473 
1474 	err = xenbus_map_ring_valloc(xenvif_to_xenbus_device(queue->vif),
1475 				     &rx_ring_ref, 1, &addr);
1476 	if (err)
1477 		goto err;
1478 
1479 	rxs = (struct xen_netif_rx_sring *)addr;
1480 	rsp_prod = READ_ONCE(rxs->rsp_prod);
1481 	req_prod = READ_ONCE(rxs->req_prod);
1482 
1483 	BACK_RING_ATTACH(&queue->rx, rxs, rsp_prod, XEN_PAGE_SIZE);
1484 
1485 	err = -EIO;
1486 	if (req_prod - rsp_prod > RING_SIZE(&queue->rx))
1487 		goto err;
1488 
1489 	return 0;
1490 
1491 err:
1492 	xenvif_unmap_frontend_data_rings(queue);
1493 	return err;
1494 }
1495 
1496 static bool xenvif_dealloc_kthread_should_stop(struct xenvif_queue *queue)
1497 {
1498 	/* Dealloc thread must remain running until all inflight
1499 	 * packets complete.
1500 	 */
1501 	return kthread_should_stop() &&
1502 		!atomic_read(&queue->inflight_packets);
1503 }
1504 
1505 int xenvif_dealloc_kthread(void *data)
1506 {
1507 	struct xenvif_queue *queue = data;
1508 
1509 	for (;;) {
1510 		wait_event_interruptible(queue->dealloc_wq,
1511 					 tx_dealloc_work_todo(queue) ||
1512 					 xenvif_dealloc_kthread_should_stop(queue));
1513 		if (xenvif_dealloc_kthread_should_stop(queue))
1514 			break;
1515 
1516 		xenvif_tx_dealloc_action(queue);
1517 		cond_resched();
1518 	}
1519 
1520 	/* Unmap anything remaining*/
1521 	if (tx_dealloc_work_todo(queue))
1522 		xenvif_tx_dealloc_action(queue);
1523 
1524 	return 0;
1525 }
1526 
1527 static void make_ctrl_response(struct xenvif *vif,
1528 			       const struct xen_netif_ctrl_request *req,
1529 			       u32 status, u32 data)
1530 {
1531 	RING_IDX idx = vif->ctrl.rsp_prod_pvt;
1532 	struct xen_netif_ctrl_response rsp = {
1533 		.id = req->id,
1534 		.type = req->type,
1535 		.status = status,
1536 		.data = data,
1537 	};
1538 
1539 	*RING_GET_RESPONSE(&vif->ctrl, idx) = rsp;
1540 	vif->ctrl.rsp_prod_pvt = ++idx;
1541 }
1542 
1543 static void push_ctrl_response(struct xenvif *vif)
1544 {
1545 	int notify;
1546 
1547 	RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&vif->ctrl, notify);
1548 	if (notify)
1549 		notify_remote_via_irq(vif->ctrl_irq);
1550 }
1551 
1552 static void process_ctrl_request(struct xenvif *vif,
1553 				 const struct xen_netif_ctrl_request *req)
1554 {
1555 	u32 status = XEN_NETIF_CTRL_STATUS_NOT_SUPPORTED;
1556 	u32 data = 0;
1557 
1558 	switch (req->type) {
1559 	case XEN_NETIF_CTRL_TYPE_SET_HASH_ALGORITHM:
1560 		status = xenvif_set_hash_alg(vif, req->data[0]);
1561 		break;
1562 
1563 	case XEN_NETIF_CTRL_TYPE_GET_HASH_FLAGS:
1564 		status = xenvif_get_hash_flags(vif, &data);
1565 		break;
1566 
1567 	case XEN_NETIF_CTRL_TYPE_SET_HASH_FLAGS:
1568 		status = xenvif_set_hash_flags(vif, req->data[0]);
1569 		break;
1570 
1571 	case XEN_NETIF_CTRL_TYPE_SET_HASH_KEY:
1572 		status = xenvif_set_hash_key(vif, req->data[0],
1573 					     req->data[1]);
1574 		break;
1575 
1576 	case XEN_NETIF_CTRL_TYPE_GET_HASH_MAPPING_SIZE:
1577 		status = XEN_NETIF_CTRL_STATUS_SUCCESS;
1578 		data = XEN_NETBK_MAX_HASH_MAPPING_SIZE;
1579 		break;
1580 
1581 	case XEN_NETIF_CTRL_TYPE_SET_HASH_MAPPING_SIZE:
1582 		status = xenvif_set_hash_mapping_size(vif,
1583 						      req->data[0]);
1584 		break;
1585 
1586 	case XEN_NETIF_CTRL_TYPE_SET_HASH_MAPPING:
1587 		status = xenvif_set_hash_mapping(vif, req->data[0],
1588 						 req->data[1],
1589 						 req->data[2]);
1590 		break;
1591 
1592 	default:
1593 		break;
1594 	}
1595 
1596 	make_ctrl_response(vif, req, status, data);
1597 	push_ctrl_response(vif);
1598 }
1599 
1600 static void xenvif_ctrl_action(struct xenvif *vif)
1601 {
1602 	for (;;) {
1603 		RING_IDX req_prod, req_cons;
1604 
1605 		req_prod = vif->ctrl.sring->req_prod;
1606 		req_cons = vif->ctrl.req_cons;
1607 
1608 		/* Make sure we can see requests before we process them. */
1609 		rmb();
1610 
1611 		if (req_cons == req_prod)
1612 			break;
1613 
1614 		while (req_cons != req_prod) {
1615 			struct xen_netif_ctrl_request req;
1616 
1617 			RING_COPY_REQUEST(&vif->ctrl, req_cons, &req);
1618 			req_cons++;
1619 
1620 			process_ctrl_request(vif, &req);
1621 		}
1622 
1623 		vif->ctrl.req_cons = req_cons;
1624 		vif->ctrl.sring->req_event = req_cons + 1;
1625 	}
1626 }
1627 
1628 static bool xenvif_ctrl_work_todo(struct xenvif *vif)
1629 {
1630 	if (likely(RING_HAS_UNCONSUMED_REQUESTS(&vif->ctrl)))
1631 		return true;
1632 
1633 	return false;
1634 }
1635 
1636 irqreturn_t xenvif_ctrl_irq_fn(int irq, void *data)
1637 {
1638 	struct xenvif *vif = data;
1639 
1640 	while (xenvif_ctrl_work_todo(vif))
1641 		xenvif_ctrl_action(vif);
1642 
1643 	return IRQ_HANDLED;
1644 }
1645 
1646 static int __init netback_init(void)
1647 {
1648 	int rc = 0;
1649 
1650 	if (!xen_domain())
1651 		return -ENODEV;
1652 
1653 	/* Allow as many queues as there are CPUs but max. 8 if user has not
1654 	 * specified a value.
1655 	 */
1656 	if (xenvif_max_queues == 0)
1657 		xenvif_max_queues = min_t(unsigned int, MAX_QUEUES_DEFAULT,
1658 					  num_online_cpus());
1659 
1660 	if (fatal_skb_slots < XEN_NETBK_LEGACY_SLOTS_MAX) {
1661 		pr_info("fatal_skb_slots too small (%d), bump it to XEN_NETBK_LEGACY_SLOTS_MAX (%d)\n",
1662 			fatal_skb_slots, XEN_NETBK_LEGACY_SLOTS_MAX);
1663 		fatal_skb_slots = XEN_NETBK_LEGACY_SLOTS_MAX;
1664 	}
1665 
1666 	rc = xenvif_xenbus_init();
1667 	if (rc)
1668 		goto failed_init;
1669 
1670 #ifdef CONFIG_DEBUG_FS
1671 	xen_netback_dbg_root = debugfs_create_dir("xen-netback", NULL);
1672 #endif /* CONFIG_DEBUG_FS */
1673 
1674 	return 0;
1675 
1676 failed_init:
1677 	return rc;
1678 }
1679 
1680 module_init(netback_init);
1681 
1682 static void __exit netback_fini(void)
1683 {
1684 #ifdef CONFIG_DEBUG_FS
1685 	debugfs_remove_recursive(xen_netback_dbg_root);
1686 #endif /* CONFIG_DEBUG_FS */
1687 	xenvif_xenbus_fini();
1688 }
1689 module_exit(netback_fini);
1690 
1691 MODULE_LICENSE("Dual BSD/GPL");
1692 MODULE_ALIAS("xen-backend:vif");
1693