xref: /openbmc/qemu/hw/i386/kvm/xen_xenstore.c (revision 7200fb21)
1 /*
2  * QEMU Xen emulation: Shared/overlay pages support
3  *
4  * Copyright © 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
5  *
6  * Authors: David Woodhouse <dwmw2@infradead.org>
7  *
8  * This work is licensed under the terms of the GNU GPL, version 2 or later.
9  * See the COPYING file in the top-level directory.
10  */
11 
12 #include "qemu/osdep.h"
13 
14 #include "qemu/host-utils.h"
15 #include "qemu/module.h"
16 #include "qemu/main-loop.h"
17 #include "qemu/cutils.h"
18 #include "qemu/error-report.h"
19 #include "qapi/error.h"
20 #include "qom/object.h"
21 #include "migration/vmstate.h"
22 
23 #include "hw/sysbus.h"
24 #include "hw/xen/xen.h"
25 #include "hw/xen/xen_backend_ops.h"
26 #include "xen_overlay.h"
27 #include "xen_evtchn.h"
28 #include "xen_primary_console.h"
29 #include "xen_xenstore.h"
30 
31 #include "sysemu/kvm.h"
32 #include "sysemu/kvm_xen.h"
33 
34 #include "trace.h"
35 
36 #include "xenstore_impl.h"
37 
38 #include "hw/xen/interface/io/xs_wire.h"
39 #include "hw/xen/interface/event_channel.h"
40 #include "hw/xen/interface/grant_table.h"
41 
42 #define TYPE_XEN_XENSTORE "xen-xenstore"
43 OBJECT_DECLARE_SIMPLE_TYPE(XenXenstoreState, XEN_XENSTORE)
44 
45 #define ENTRIES_PER_FRAME_V1 (XEN_PAGE_SIZE / sizeof(grant_entry_v1_t))
46 #define ENTRIES_PER_FRAME_V2 (XEN_PAGE_SIZE / sizeof(grant_entry_v2_t))
47 
48 #define XENSTORE_HEADER_SIZE ((unsigned int)sizeof(struct xsd_sockmsg))
49 
50 struct XenXenstoreState {
51     /*< private >*/
52     SysBusDevice busdev;
53     /*< public >*/
54 
55     XenstoreImplState *impl;
56     GList *watch_events; /* for the guest */
57 
58     MemoryRegion xenstore_page;
59     struct xenstore_domain_interface *xs;
60     uint8_t req_data[XENSTORE_HEADER_SIZE + XENSTORE_PAYLOAD_MAX];
61     uint8_t rsp_data[XENSTORE_HEADER_SIZE + XENSTORE_PAYLOAD_MAX];
62     uint32_t req_offset;
63     uint32_t rsp_offset;
64     bool rsp_pending;
65     bool fatal_error;
66 
67     evtchn_port_t guest_port;
68     evtchn_port_t be_port;
69     struct xenevtchn_handle *eh;
70 
71     uint8_t *impl_state;
72     uint32_t impl_state_size;
73 
74     struct xengntdev_handle *gt;
75     void *granted_xs;
76 };
77 
78 struct XenXenstoreState *xen_xenstore_singleton;
79 
80 static void xen_xenstore_event(void *opaque);
81 static void fire_watch_cb(void *opaque, const char *path, const char *token);
82 
83 static struct xenstore_backend_ops emu_xenstore_backend_ops;
84 
85 static void G_GNUC_PRINTF (4, 5) relpath_printf(XenXenstoreState *s,
86                                                 GList *perms,
87                                                 const char *relpath,
88                                                 const char *fmt, ...)
89 {
90     gchar *abspath;
91     gchar *value;
92     va_list args;
93     GByteArray *data;
94     int err;
95 
96     abspath = g_strdup_printf("/local/domain/%u/%s", xen_domid, relpath);
97     va_start(args, fmt);
98     value = g_strdup_vprintf(fmt, args);
99     va_end(args);
100 
101     data = g_byte_array_new_take((void *)value, strlen(value));
102 
103     err = xs_impl_write(s->impl, DOMID_QEMU, XBT_NULL, abspath, data);
104     assert(!err);
105 
106     g_byte_array_unref(data);
107 
108     err = xs_impl_set_perms(s->impl, DOMID_QEMU, XBT_NULL, abspath, perms);
109     assert(!err);
110 
111     g_free(abspath);
112 }
113 
114 static void xen_xenstore_realize(DeviceState *dev, Error **errp)
115 {
116     XenXenstoreState *s = XEN_XENSTORE(dev);
117     GList *perms;
118 
119     if (xen_mode != XEN_EMULATE) {
120         error_setg(errp, "Xen xenstore support is for Xen emulation");
121         return;
122     }
123     memory_region_init_ram(&s->xenstore_page, OBJECT(dev), "xen:xenstore_page",
124                            XEN_PAGE_SIZE, &error_abort);
125     memory_region_set_enabled(&s->xenstore_page, true);
126     s->xs = memory_region_get_ram_ptr(&s->xenstore_page);
127     memset(s->xs, 0, XEN_PAGE_SIZE);
128 
129     /* We can't map it this early as KVM isn't ready */
130     xen_xenstore_singleton = s;
131 
132     s->eh = xen_be_evtchn_open();
133     if (!s->eh) {
134         error_setg(errp, "Xenstore evtchn port init failed");
135         return;
136     }
137     aio_set_fd_handler(qemu_get_aio_context(), xen_be_evtchn_fd(s->eh),
138                        xen_xenstore_event, NULL, NULL, NULL, s);
139 
140     s->impl = xs_impl_create(xen_domid);
141 
142     /* Populate the default nodes */
143 
144     /* Nodes owned by 'dom0' but readable by the guest */
145     perms = g_list_append(NULL, xs_perm_as_string(XS_PERM_NONE, DOMID_QEMU));
146     perms = g_list_append(perms, xs_perm_as_string(XS_PERM_READ, xen_domid));
147 
148     relpath_printf(s, perms, "", "%s", "");
149 
150     relpath_printf(s, perms, "domid", "%u", xen_domid);
151 
152     relpath_printf(s, perms, "control/platform-feature-xs_reset_watches", "%u", 1);
153     relpath_printf(s, perms, "control/platform-feature-multiprocessor-suspend", "%u", 1);
154 
155     relpath_printf(s, perms, "platform/acpi", "%u", 1);
156     relpath_printf(s, perms, "platform/acpi_s3", "%u", 1);
157     relpath_printf(s, perms, "platform/acpi_s4", "%u", 1);
158     relpath_printf(s, perms, "platform/acpi_laptop_slate", "%u", 0);
159 
160     g_list_free_full(perms, g_free);
161 
162     /* Nodes owned by the guest */
163     perms = g_list_append(NULL, xs_perm_as_string(XS_PERM_NONE, xen_domid));
164 
165     relpath_printf(s, perms, "attr", "%s", "");
166 
167     relpath_printf(s, perms, "control/shutdown", "%s", "");
168     relpath_printf(s, perms, "control/feature-poweroff", "%u", 1);
169     relpath_printf(s, perms, "control/feature-reboot", "%u", 1);
170     relpath_printf(s, perms, "control/feature-suspend", "%u", 1);
171     relpath_printf(s, perms, "control/feature-s3", "%u", 1);
172     relpath_printf(s, perms, "control/feature-s4", "%u", 1);
173 
174     relpath_printf(s, perms, "data", "%s", "");
175     relpath_printf(s, perms, "device", "%s", "");
176     relpath_printf(s, perms, "drivers", "%s", "");
177     relpath_printf(s, perms, "error", "%s", "");
178     relpath_printf(s, perms, "feature", "%s", "");
179 
180     g_list_free_full(perms, g_free);
181 
182     xen_xenstore_ops = &emu_xenstore_backend_ops;
183 }
184 
185 static bool xen_xenstore_is_needed(void *opaque)
186 {
187     return xen_mode == XEN_EMULATE;
188 }
189 
190 static int xen_xenstore_pre_save(void *opaque)
191 {
192     XenXenstoreState *s = opaque;
193     GByteArray *save;
194 
195     if (s->eh) {
196         s->guest_port = xen_be_evtchn_get_guest_port(s->eh);
197     }
198 
199     g_free(s->impl_state);
200     save = xs_impl_serialize(s->impl);
201     s->impl_state = save->data;
202     s->impl_state_size = save->len;
203     g_byte_array_free(save, false);
204 
205     return 0;
206 }
207 
208 static int xen_xenstore_post_load(void *opaque, int ver)
209 {
210     XenXenstoreState *s = opaque;
211     GByteArray *save;
212     int ret;
213 
214     /*
215      * As qemu/dom0, rebind to the guest's port. The Windows drivers may
216      * unbind the XenStore evtchn and rebind to it, having obtained the
217      * "remote" port through EVTCHNOP_status. In the case that migration
218      * occurs while it's unbound, the "remote" port needs to be the same
219      * as before so that the guest can find it, but should remain unbound.
220      */
221     if (s->guest_port) {
222         int be_port = xen_be_evtchn_bind_interdomain(s->eh, xen_domid,
223                                                      s->guest_port);
224         if (be_port < 0) {
225             return be_port;
226         }
227         s->be_port = be_port;
228     }
229 
230     save = g_byte_array_new_take(s->impl_state, s->impl_state_size);
231     s->impl_state = NULL;
232     s->impl_state_size = 0;
233 
234     ret = xs_impl_deserialize(s->impl, save, xen_domid, fire_watch_cb, s);
235     return ret;
236 }
237 
238 static const VMStateDescription xen_xenstore_vmstate = {
239     .name = "xen_xenstore",
240     .unmigratable = 1, /* The PV back ends don't migrate yet */
241     .version_id = 1,
242     .minimum_version_id = 1,
243     .needed = xen_xenstore_is_needed,
244     .pre_save = xen_xenstore_pre_save,
245     .post_load = xen_xenstore_post_load,
246     .fields = (VMStateField[]) {
247         VMSTATE_UINT8_ARRAY(req_data, XenXenstoreState,
248                             sizeof_field(XenXenstoreState, req_data)),
249         VMSTATE_UINT8_ARRAY(rsp_data, XenXenstoreState,
250                             sizeof_field(XenXenstoreState, rsp_data)),
251         VMSTATE_UINT32(req_offset, XenXenstoreState),
252         VMSTATE_UINT32(rsp_offset, XenXenstoreState),
253         VMSTATE_BOOL(rsp_pending, XenXenstoreState),
254         VMSTATE_UINT32(guest_port, XenXenstoreState),
255         VMSTATE_BOOL(fatal_error, XenXenstoreState),
256         VMSTATE_UINT32(impl_state_size, XenXenstoreState),
257         VMSTATE_VARRAY_UINT32_ALLOC(impl_state, XenXenstoreState,
258                                     impl_state_size, 0,
259                                     vmstate_info_uint8, uint8_t),
260         VMSTATE_END_OF_LIST()
261     }
262 };
263 
264 static void xen_xenstore_class_init(ObjectClass *klass, void *data)
265 {
266     DeviceClass *dc = DEVICE_CLASS(klass);
267 
268     dc->realize = xen_xenstore_realize;
269     dc->vmsd = &xen_xenstore_vmstate;
270 }
271 
272 static const TypeInfo xen_xenstore_info = {
273     .name          = TYPE_XEN_XENSTORE,
274     .parent        = TYPE_SYS_BUS_DEVICE,
275     .instance_size = sizeof(XenXenstoreState),
276     .class_init    = xen_xenstore_class_init,
277 };
278 
279 void xen_xenstore_create(void)
280 {
281     DeviceState *dev = sysbus_create_simple(TYPE_XEN_XENSTORE, -1, NULL);
282 
283     xen_xenstore_singleton = XEN_XENSTORE(dev);
284 
285     /*
286      * Defer the init (xen_xenstore_reset()) until KVM is set up and the
287      * overlay page can be mapped.
288      */
289 }
290 
291 static void xen_xenstore_register_types(void)
292 {
293     type_register_static(&xen_xenstore_info);
294 }
295 
296 type_init(xen_xenstore_register_types)
297 
298 uint16_t xen_xenstore_get_port(void)
299 {
300     XenXenstoreState *s = xen_xenstore_singleton;
301     if (!s) {
302         return 0;
303     }
304     return s->guest_port;
305 }
306 
307 static bool req_pending(XenXenstoreState *s)
308 {
309     struct xsd_sockmsg *req = (struct xsd_sockmsg *)s->req_data;
310 
311     return s->req_offset == XENSTORE_HEADER_SIZE + req->len;
312 }
313 
314 static void reset_req(XenXenstoreState *s)
315 {
316     memset(s->req_data, 0, sizeof(s->req_data));
317     s->req_offset = 0;
318 }
319 
320 static void reset_rsp(XenXenstoreState *s)
321 {
322     s->rsp_pending = false;
323 
324     memset(s->rsp_data, 0, sizeof(s->rsp_data));
325     s->rsp_offset = 0;
326 }
327 
328 static void xs_error(XenXenstoreState *s, unsigned int id,
329                      xs_transaction_t tx_id, int errnum)
330 {
331     struct xsd_sockmsg *rsp = (struct xsd_sockmsg *)s->rsp_data;
332     const char *errstr = NULL;
333 
334     for (unsigned int i = 0; i < ARRAY_SIZE(xsd_errors); i++) {
335         const struct xsd_errors *xsd_error = &xsd_errors[i];
336 
337         if (xsd_error->errnum == errnum) {
338             errstr = xsd_error->errstring;
339             break;
340         }
341     }
342     assert(errstr);
343 
344     trace_xenstore_error(id, tx_id, errstr);
345 
346     rsp->type = XS_ERROR;
347     rsp->req_id = id;
348     rsp->tx_id = tx_id;
349     rsp->len = (uint32_t)strlen(errstr) + 1;
350 
351     memcpy(&rsp[1], errstr, rsp->len);
352 }
353 
354 static void xs_ok(XenXenstoreState *s, unsigned int type, unsigned int req_id,
355                   xs_transaction_t tx_id)
356 {
357     struct xsd_sockmsg *rsp = (struct xsd_sockmsg *)s->rsp_data;
358     const char *okstr = "OK";
359 
360     rsp->type = type;
361     rsp->req_id = req_id;
362     rsp->tx_id = tx_id;
363     rsp->len = (uint32_t)strlen(okstr) + 1;
364 
365     memcpy(&rsp[1], okstr, rsp->len);
366 }
367 
368 /*
369  * The correct request and response formats are documented in xen.git:
370  * docs/misc/xenstore.txt. A summary is given below for convenience.
371  * The '|' symbol represents a NUL character.
372  *
373  * ---------- Database read, write and permissions operations ----------
374  *
375  * READ                    <path>|                 <value|>
376  * WRITE                   <path>|<value|>
377  *         Store and read the octet string <value> at <path>.
378  *         WRITE creates any missing parent paths, with empty values.
379  *
380  * MKDIR                   <path>|
381  *         Ensures that the <path> exists, by necessary by creating
382  *         it and any missing parents with empty values.  If <path>
383  *         or any parent already exists, its value is left unchanged.
384  *
385  * RM                      <path>|
386  *         Ensures that the <path> does not exist, by deleting
387  *         it and all of its children.  It is not an error if <path> does
388  *         not exist, but it _is_ an error if <path>'s immediate parent
389  *         does not exist either.
390  *
391  * DIRECTORY               <path>|                 <child-leaf-name>|*
392  *         Gives a list of the immediate children of <path>, as only the
393  *         leafnames.  The resulting children are each named
394  *         <path>/<child-leaf-name>.
395  *
396  * DIRECTORY_PART          <path>|<offset>         <gencnt>|<child-leaf-name>|*
397  *         Same as DIRECTORY, but to be used for children lists longer than
398  *         XENSTORE_PAYLOAD_MAX. Input are <path> and the byte offset into
399  *         the list of children to return. Return values are the generation
400  *         count <gencnt> of the node (to be used to ensure the node hasn't
401  *         changed between two reads: <gencnt> being the same for multiple
402  *         reads guarantees the node hasn't changed) and the list of children
403  *         starting at the specified <offset> of the complete list.
404  *
405  * GET_PERMS               <path>|                 <perm-as-string>|+
406  * SET_PERMS               <path>|<perm-as-string>|+?
407  *         <perm-as-string> is one of the following
408  *                 w<domid>        write only
409  *                 r<domid>        read only
410  *                 b<domid>        both read and write
411  *                 n<domid>        no access
412  *         See https://wiki.xen.org/wiki/XenBus section
413  *         `Permissions' for details of the permissions system.
414  *         It is possible to set permissions for the special watch paths
415  *         "@introduceDomain" and "@releaseDomain" to enable receiving those
416  *         watches in unprivileged domains.
417  *
418  * ---------- Watches ----------
419  *
420  * WATCH                   <wpath>|<token>|?
421  *         Adds a watch.
422  *
423  *         When a <path> is modified (including path creation, removal,
424  *         contents change or permissions change) this generates an event
425  *         on the changed <path>.  Changes made in transactions cause an
426  *         event only if and when committed.  Each occurring event is
427  *         matched against all the watches currently set up, and each
428  *         matching watch results in a WATCH_EVENT message (see below).
429  *
430  *         The event's path matches the watch's <wpath> if it is an child
431  *         of <wpath>.
432  *
433  *         <wpath> can be a <path> to watch or @<wspecial>.  In the
434  *         latter case <wspecial> may have any syntax but it matches
435  *         (according to the rules above) only the following special
436  *         events which are invented by xenstored:
437  *             @introduceDomain    occurs on INTRODUCE
438  *             @releaseDomain      occurs on any domain crash or
439  *                                 shutdown, and also on RELEASE
440  *                                 and domain destruction
441  *         <wspecial> events are sent to privileged callers or explicitly
442  *         via SET_PERMS enabled domains only.
443  *
444  *         When a watch is first set up it is triggered once straight
445  *         away, with <path> equal to <wpath>.  Watches may be triggered
446  *         spuriously.  The tx_id in a WATCH request is ignored.
447  *
448  *         Watches are supposed to be restricted by the permissions
449  *         system but in practice the implementation is imperfect.
450  *         Applications should not rely on being sent a notification for
451  *         paths that they cannot read; however, an application may rely
452  *         on being sent a watch when a path which it _is_ able to read
453  *         is deleted even if that leaves only a nonexistent unreadable
454  *         parent.  A notification may omitted if a node's permissions
455  *         are changed so as to make it unreadable, in which case future
456  *         notifications may be suppressed (and if the node is later made
457  *         readable, some notifications may have been lost).
458  *
459  * WATCH_EVENT                                     <epath>|<token>|
460  *         Unsolicited `reply' generated for matching modification events
461  *         as described above.  req_id and tx_id are both 0.
462  *
463  *         <epath> is the event's path, ie the actual path that was
464  *         modified; however if the event was the recursive removal of an
465  *         parent of <wpath>, <epath> is just
466  *         <wpath> (rather than the actual path which was removed).  So
467  *         <epath> is a child of <wpath>, regardless.
468  *
469  *         Iff <wpath> for the watch was specified as a relative pathname,
470  *         the <epath> path will also be relative (with the same base,
471  *         obviously).
472  *
473  * UNWATCH                 <wpath>|<token>|?
474  *
475  * RESET_WATCHES           |
476  *         Reset all watches and transactions of the caller.
477  *
478  * ---------- Transactions ----------
479  *
480  * TRANSACTION_START       |                       <transid>|
481  *         <transid> is an opaque uint32_t allocated by xenstored
482  *         represented as unsigned decimal.  After this, transaction may
483  *         be referenced by using <transid> (as 32-bit binary) in the
484  *         tx_id request header field.  When transaction is started whole
485  *         db is copied; reads and writes happen on the copy.
486  *         It is not legal to send non-0 tx_id in TRANSACTION_START.
487  *
488  * TRANSACTION_END         T|
489  * TRANSACTION_END         F|
490  *         tx_id must refer to existing transaction.  After this
491  *         request the tx_id is no longer valid and may be reused by
492  *         xenstore.  If F, the transaction is discarded.  If T,
493  *         it is committed: if there were any other intervening writes
494  *         then our END gets get EAGAIN.
495  *
496  *         The plan is that in the future only intervening `conflicting'
497  *         writes cause EAGAIN, meaning only writes or other commits
498  *         which changed paths which were read or written in the
499  *         transaction at hand.
500  *
501  */
502 
503 static void xs_read(XenXenstoreState *s, unsigned int req_id,
504                     xs_transaction_t tx_id, uint8_t *req_data, unsigned int len)
505 {
506     const char *path = (const char *)req_data;
507     struct xsd_sockmsg *rsp = (struct xsd_sockmsg *)s->rsp_data;
508     uint8_t *rsp_data = (uint8_t *)&rsp[1];
509     g_autoptr(GByteArray) data = g_byte_array_new();
510     int err;
511 
512     if (len == 0 || req_data[len - 1] != '\0') {
513         xs_error(s, req_id, tx_id, EINVAL);
514         return;
515     }
516 
517     trace_xenstore_read(tx_id, path);
518     err = xs_impl_read(s->impl, xen_domid, tx_id, path, data);
519     if (err) {
520         xs_error(s, req_id, tx_id, err);
521         return;
522     }
523 
524     rsp->type = XS_READ;
525     rsp->req_id = req_id;
526     rsp->tx_id = tx_id;
527     rsp->len = 0;
528 
529     len = data->len;
530     if (len > XENSTORE_PAYLOAD_MAX) {
531         xs_error(s, req_id, tx_id, E2BIG);
532         return;
533     }
534 
535     memcpy(&rsp_data[rsp->len], data->data, len);
536     rsp->len += len;
537 }
538 
539 static void xs_write(XenXenstoreState *s, unsigned int req_id,
540                      xs_transaction_t tx_id, uint8_t *req_data,
541                      unsigned int len)
542 {
543     g_autoptr(GByteArray) data = g_byte_array_new();
544     const char *path;
545     int err;
546 
547     if (len == 0) {
548         xs_error(s, req_id, tx_id, EINVAL);
549         return;
550     }
551 
552     path = (const char *)req_data;
553 
554     while (len--) {
555         if (*req_data++ == '\0') {
556             break;
557         }
558         if (len == 0) {
559             xs_error(s, req_id, tx_id, EINVAL);
560             return;
561         }
562     }
563 
564     g_byte_array_append(data, req_data, len);
565 
566     trace_xenstore_write(tx_id, path);
567     err = xs_impl_write(s->impl, xen_domid, tx_id, path, data);
568     if (err) {
569         xs_error(s, req_id, tx_id, err);
570         return;
571     }
572 
573     xs_ok(s, XS_WRITE, req_id, tx_id);
574 }
575 
576 static void xs_mkdir(XenXenstoreState *s, unsigned int req_id,
577                      xs_transaction_t tx_id, uint8_t *req_data,
578                      unsigned int len)
579 {
580     g_autoptr(GByteArray) data = g_byte_array_new();
581     const char *path;
582     int err;
583 
584     if (len == 0 || req_data[len - 1] != '\0') {
585         xs_error(s, req_id, tx_id, EINVAL);
586         return;
587     }
588 
589     path = (const char *)req_data;
590 
591     trace_xenstore_mkdir(tx_id, path);
592     err = xs_impl_read(s->impl, xen_domid, tx_id, path, data);
593     if (err == ENOENT) {
594         err = xs_impl_write(s->impl, xen_domid, tx_id, path, data);
595     }
596 
597     if (!err) {
598         xs_error(s, req_id, tx_id, err);
599         return;
600     }
601 
602     xs_ok(s, XS_MKDIR, req_id, tx_id);
603 }
604 
605 static void xs_append_strings(XenXenstoreState *s, struct xsd_sockmsg *rsp,
606                               GList *strings, unsigned int start, bool truncate)
607 {
608     uint8_t *rsp_data = (uint8_t *)&rsp[1];
609     GList *l;
610 
611     for (l = strings; l; l = l->next) {
612         size_t len = strlen(l->data) + 1; /* Including the NUL termination */
613         char *str = l->data;
614 
615         if (rsp->len + len > XENSTORE_PAYLOAD_MAX) {
616             if (truncate) {
617                 len = XENSTORE_PAYLOAD_MAX - rsp->len;
618                 if (!len) {
619                     return;
620                 }
621             } else {
622                 xs_error(s, rsp->req_id, rsp->tx_id, E2BIG);
623                 return;
624             }
625         }
626 
627         if (start) {
628             if (start >= len) {
629                 start -= len;
630                 continue;
631             }
632 
633             str += start;
634             len -= start;
635             start = 0;
636         }
637 
638         memcpy(&rsp_data[rsp->len], str, len);
639         rsp->len += len;
640     }
641     /* XS_DIRECTORY_PART wants an extra NUL to indicate the end */
642     if (truncate && rsp->len < XENSTORE_PAYLOAD_MAX) {
643         rsp_data[rsp->len++] = '\0';
644     }
645 }
646 
647 static void xs_directory(XenXenstoreState *s, unsigned int req_id,
648                          xs_transaction_t tx_id, uint8_t *req_data,
649                          unsigned int len)
650 {
651     struct xsd_sockmsg *rsp = (struct xsd_sockmsg *)s->rsp_data;
652     GList *items = NULL;
653     const char *path;
654     int err;
655 
656     if (len == 0 || req_data[len - 1] != '\0') {
657         xs_error(s, req_id, tx_id, EINVAL);
658         return;
659     }
660 
661     path = (const char *)req_data;
662 
663     trace_xenstore_directory(tx_id, path);
664     err = xs_impl_directory(s->impl, xen_domid, tx_id, path, NULL, &items);
665     if (err != 0) {
666         xs_error(s, req_id, tx_id, err);
667         return;
668     }
669 
670     rsp->type = XS_DIRECTORY;
671     rsp->req_id = req_id;
672     rsp->tx_id = tx_id;
673     rsp->len = 0;
674 
675     xs_append_strings(s, rsp, items, 0, false);
676 
677     g_list_free_full(items, g_free);
678 }
679 
680 static void xs_directory_part(XenXenstoreState *s, unsigned int req_id,
681                               xs_transaction_t tx_id, uint8_t *req_data,
682                               unsigned int len)
683 {
684     const char *offset_str, *path = (const char *)req_data;
685     struct xsd_sockmsg *rsp = (struct xsd_sockmsg *)s->rsp_data;
686     char *rsp_data = (char *)&rsp[1];
687     uint64_t gencnt = 0;
688     unsigned int offset;
689     GList *items = NULL;
690     int err;
691 
692     if (len == 0) {
693         xs_error(s, req_id, tx_id, EINVAL);
694         return;
695     }
696 
697     while (len--) {
698         if (*req_data++ == '\0') {
699             break;
700         }
701         if (len == 0) {
702             xs_error(s, req_id, tx_id, EINVAL);
703             return;
704         }
705     }
706 
707     offset_str = (const char *)req_data;
708     while (len--) {
709         if (*req_data++ == '\0') {
710             break;
711         }
712         if (len == 0) {
713             xs_error(s, req_id, tx_id, EINVAL);
714             return;
715         }
716     }
717 
718     if (len) {
719         xs_error(s, req_id, tx_id, EINVAL);
720         return;
721     }
722 
723     if (qemu_strtoui(offset_str, NULL, 10, &offset) < 0) {
724         xs_error(s, req_id, tx_id, EINVAL);
725         return;
726     }
727 
728     trace_xenstore_directory_part(tx_id, path, offset);
729     err = xs_impl_directory(s->impl, xen_domid, tx_id, path, &gencnt, &items);
730     if (err != 0) {
731         xs_error(s, req_id, tx_id, err);
732         return;
733     }
734 
735     rsp->type = XS_DIRECTORY_PART;
736     rsp->req_id = req_id;
737     rsp->tx_id = tx_id;
738     rsp->len = snprintf(rsp_data, XENSTORE_PAYLOAD_MAX, "%" PRIu64, gencnt) + 1;
739 
740     xs_append_strings(s, rsp, items, offset, true);
741 
742     g_list_free_full(items, g_free);
743 }
744 
745 static void xs_transaction_start(XenXenstoreState *s, unsigned int req_id,
746                                  xs_transaction_t tx_id, uint8_t *req_data,
747                                  unsigned int len)
748 {
749     struct xsd_sockmsg *rsp = (struct xsd_sockmsg *)s->rsp_data;
750     char *rsp_data = (char *)&rsp[1];
751     int err;
752 
753     if (len != 1 || req_data[0] != '\0') {
754         xs_error(s, req_id, tx_id, EINVAL);
755         return;
756     }
757 
758     rsp->type = XS_TRANSACTION_START;
759     rsp->req_id = req_id;
760     rsp->tx_id = tx_id;
761     rsp->len = 0;
762 
763     err = xs_impl_transaction_start(s->impl, xen_domid, &tx_id);
764     if (err) {
765         xs_error(s, req_id, tx_id, err);
766         return;
767     }
768 
769     trace_xenstore_transaction_start(tx_id);
770 
771     rsp->len = snprintf(rsp_data, XENSTORE_PAYLOAD_MAX, "%u", tx_id);
772     assert(rsp->len < XENSTORE_PAYLOAD_MAX);
773     rsp->len++;
774 }
775 
776 static void xs_transaction_end(XenXenstoreState *s, unsigned int req_id,
777                                xs_transaction_t tx_id, uint8_t *req_data,
778                                unsigned int len)
779 {
780     bool commit;
781     int err;
782 
783     if (len != 2 || req_data[1] != '\0') {
784         xs_error(s, req_id, tx_id, EINVAL);
785         return;
786     }
787 
788     switch (req_data[0]) {
789     case 'T':
790         commit = true;
791         break;
792     case 'F':
793         commit = false;
794         break;
795     default:
796         xs_error(s, req_id, tx_id, EINVAL);
797         return;
798     }
799 
800     trace_xenstore_transaction_end(tx_id, commit);
801     err = xs_impl_transaction_end(s->impl, xen_domid, tx_id, commit);
802     if (err) {
803         xs_error(s, req_id, tx_id, err);
804         return;
805     }
806 
807     xs_ok(s, XS_TRANSACTION_END, req_id, tx_id);
808 }
809 
810 static void xs_rm(XenXenstoreState *s, unsigned int req_id,
811                   xs_transaction_t tx_id, uint8_t *req_data, unsigned int len)
812 {
813     const char *path = (const char *)req_data;
814     int err;
815 
816     if (len == 0 || req_data[len - 1] != '\0') {
817         xs_error(s, req_id, tx_id, EINVAL);
818         return;
819     }
820 
821     trace_xenstore_rm(tx_id, path);
822     err = xs_impl_rm(s->impl, xen_domid, tx_id, path);
823     if (err) {
824         xs_error(s, req_id, tx_id, err);
825         return;
826     }
827 
828     xs_ok(s, XS_RM, req_id, tx_id);
829 }
830 
831 static void xs_get_perms(XenXenstoreState *s, unsigned int req_id,
832                          xs_transaction_t tx_id, uint8_t *req_data,
833                          unsigned int len)
834 {
835     const char *path = (const char *)req_data;
836     struct xsd_sockmsg *rsp = (struct xsd_sockmsg *)s->rsp_data;
837     GList *perms = NULL;
838     int err;
839 
840     if (len == 0 || req_data[len - 1] != '\0') {
841         xs_error(s, req_id, tx_id, EINVAL);
842         return;
843     }
844 
845     trace_xenstore_get_perms(tx_id, path);
846     err = xs_impl_get_perms(s->impl, xen_domid, tx_id, path, &perms);
847     if (err) {
848         xs_error(s, req_id, tx_id, err);
849         return;
850     }
851 
852     rsp->type = XS_GET_PERMS;
853     rsp->req_id = req_id;
854     rsp->tx_id = tx_id;
855     rsp->len = 0;
856 
857     xs_append_strings(s, rsp, perms, 0, false);
858 
859     g_list_free_full(perms, g_free);
860 }
861 
862 static void xs_set_perms(XenXenstoreState *s, unsigned int req_id,
863                          xs_transaction_t tx_id, uint8_t *req_data,
864                          unsigned int len)
865 {
866     const char *path = (const char *)req_data;
867     uint8_t *perm;
868     GList *perms = NULL;
869     int err;
870 
871     if (len == 0) {
872         xs_error(s, req_id, tx_id, EINVAL);
873         return;
874     }
875 
876     while (len--) {
877         if (*req_data++ == '\0') {
878             break;
879         }
880         if (len == 0) {
881             xs_error(s, req_id, tx_id, EINVAL);
882             return;
883         }
884     }
885 
886     perm = req_data;
887     while (len--) {
888         if (*req_data++ == '\0') {
889             perms = g_list_append(perms, perm);
890             perm = req_data;
891         }
892     }
893 
894     /*
895      * Note that there may be trailing garbage at the end of the buffer.
896      * This is explicitly permitted by the '?' at the end of the definition:
897      *
898      *    SET_PERMS         <path>|<perm-as-string>|+?
899      */
900 
901     trace_xenstore_set_perms(tx_id, path);
902     err = xs_impl_set_perms(s->impl, xen_domid, tx_id, path, perms);
903     g_list_free(perms);
904     if (err) {
905         xs_error(s, req_id, tx_id, err);
906         return;
907     }
908 
909     xs_ok(s, XS_SET_PERMS, req_id, tx_id);
910 }
911 
912 static void xs_watch(XenXenstoreState *s, unsigned int req_id,
913                      xs_transaction_t tx_id, uint8_t *req_data,
914                      unsigned int len)
915 {
916     const char *token, *path = (const char *)req_data;
917     int err;
918 
919     if (len == 0) {
920         xs_error(s, req_id, tx_id, EINVAL);
921         return;
922     }
923 
924     while (len--) {
925         if (*req_data++ == '\0') {
926             break;
927         }
928         if (len == 0) {
929             xs_error(s, req_id, tx_id, EINVAL);
930             return;
931         }
932     }
933 
934     token = (const char *)req_data;
935     while (len--) {
936         if (*req_data++ == '\0') {
937             break;
938         }
939         if (len == 0) {
940             xs_error(s, req_id, tx_id, EINVAL);
941             return;
942         }
943     }
944 
945     /*
946      * Note that there may be trailing garbage at the end of the buffer.
947      * This is explicitly permitted by the '?' at the end of the definition:
948      *
949      *    WATCH             <wpath>|<token>|?
950      */
951 
952     trace_xenstore_watch(path, token);
953     err = xs_impl_watch(s->impl, xen_domid, path, token, fire_watch_cb, s);
954     if (err) {
955         xs_error(s, req_id, tx_id, err);
956         return;
957     }
958 
959     xs_ok(s, XS_WATCH, req_id, tx_id);
960 }
961 
962 static void xs_unwatch(XenXenstoreState *s, unsigned int req_id,
963                        xs_transaction_t tx_id, uint8_t *req_data,
964                        unsigned int len)
965 {
966     const char *token, *path = (const char *)req_data;
967     int err;
968 
969     if (len == 0) {
970         xs_error(s, req_id, tx_id, EINVAL);
971         return;
972     }
973 
974     while (len--) {
975         if (*req_data++ == '\0') {
976             break;
977         }
978         if (len == 0) {
979             xs_error(s, req_id, tx_id, EINVAL);
980             return;
981         }
982     }
983 
984     token = (const char *)req_data;
985     while (len--) {
986         if (*req_data++ == '\0') {
987             break;
988         }
989         if (len == 0) {
990             xs_error(s, req_id, tx_id, EINVAL);
991             return;
992         }
993     }
994 
995     trace_xenstore_unwatch(path, token);
996     err = xs_impl_unwatch(s->impl, xen_domid, path, token, fire_watch_cb, s);
997     if (err) {
998         xs_error(s, req_id, tx_id, err);
999         return;
1000     }
1001 
1002     xs_ok(s, XS_UNWATCH, req_id, tx_id);
1003 }
1004 
1005 static void xs_reset_watches(XenXenstoreState *s, unsigned int req_id,
1006                              xs_transaction_t tx_id, uint8_t *req_data,
1007                              unsigned int len)
1008 {
1009     if (len == 0 || req_data[len - 1] != '\0') {
1010         xs_error(s, req_id, tx_id, EINVAL);
1011         return;
1012     }
1013 
1014     trace_xenstore_reset_watches();
1015     xs_impl_reset_watches(s->impl, xen_domid);
1016 
1017     xs_ok(s, XS_RESET_WATCHES, req_id, tx_id);
1018 }
1019 
1020 static void xs_priv(XenXenstoreState *s, unsigned int req_id,
1021                     xs_transaction_t tx_id, uint8_t *data,
1022                     unsigned int len)
1023 {
1024     xs_error(s, req_id, tx_id, EACCES);
1025 }
1026 
1027 static void xs_unimpl(XenXenstoreState *s, unsigned int req_id,
1028                       xs_transaction_t tx_id, uint8_t *data,
1029                       unsigned int len)
1030 {
1031     xs_error(s, req_id, tx_id, ENOSYS);
1032 }
1033 
1034 typedef void (*xs_impl)(XenXenstoreState *s, unsigned int req_id,
1035                         xs_transaction_t tx_id, uint8_t *data,
1036                         unsigned int len);
1037 
1038 struct xsd_req {
1039     const char *name;
1040     xs_impl fn;
1041 };
1042 #define XSD_REQ(_type, _fn)                           \
1043     [_type] = { .name = #_type, .fn = _fn }
1044 
1045 struct xsd_req xsd_reqs[] = {
1046     XSD_REQ(XS_READ, xs_read),
1047     XSD_REQ(XS_WRITE, xs_write),
1048     XSD_REQ(XS_MKDIR, xs_mkdir),
1049     XSD_REQ(XS_DIRECTORY, xs_directory),
1050     XSD_REQ(XS_DIRECTORY_PART, xs_directory_part),
1051     XSD_REQ(XS_TRANSACTION_START, xs_transaction_start),
1052     XSD_REQ(XS_TRANSACTION_END, xs_transaction_end),
1053     XSD_REQ(XS_RM, xs_rm),
1054     XSD_REQ(XS_GET_PERMS, xs_get_perms),
1055     XSD_REQ(XS_SET_PERMS, xs_set_perms),
1056     XSD_REQ(XS_WATCH, xs_watch),
1057     XSD_REQ(XS_UNWATCH, xs_unwatch),
1058     XSD_REQ(XS_CONTROL, xs_priv),
1059     XSD_REQ(XS_INTRODUCE, xs_priv),
1060     XSD_REQ(XS_RELEASE, xs_priv),
1061     XSD_REQ(XS_IS_DOMAIN_INTRODUCED, xs_priv),
1062     XSD_REQ(XS_RESUME, xs_priv),
1063     XSD_REQ(XS_SET_TARGET, xs_priv),
1064     XSD_REQ(XS_RESET_WATCHES, xs_reset_watches),
1065 };
1066 
1067 static void process_req(XenXenstoreState *s)
1068 {
1069     struct xsd_sockmsg *req = (struct xsd_sockmsg *)s->req_data;
1070     xs_impl handler = NULL;
1071 
1072     assert(req_pending(s));
1073     assert(!s->rsp_pending);
1074 
1075     if (req->type < ARRAY_SIZE(xsd_reqs)) {
1076         handler = xsd_reqs[req->type].fn;
1077     }
1078     if (!handler) {
1079         handler = &xs_unimpl;
1080     }
1081 
1082     handler(s, req->req_id, req->tx_id, (uint8_t *)&req[1], req->len);
1083 
1084     s->rsp_pending = true;
1085     reset_req(s);
1086 }
1087 
1088 static unsigned int copy_from_ring(XenXenstoreState *s, uint8_t *ptr,
1089                                    unsigned int len)
1090 {
1091     if (!len) {
1092         return 0;
1093     }
1094 
1095     XENSTORE_RING_IDX prod = qatomic_read(&s->xs->req_prod);
1096     XENSTORE_RING_IDX cons = qatomic_read(&s->xs->req_cons);
1097     unsigned int copied = 0;
1098 
1099     /* Ensure the ring contents don't cross the req_prod access. */
1100     smp_rmb();
1101 
1102     while (len) {
1103         unsigned int avail = prod - cons;
1104         unsigned int offset = MASK_XENSTORE_IDX(cons);
1105         unsigned int copylen = avail;
1106 
1107         if (avail > XENSTORE_RING_SIZE) {
1108             error_report("XenStore ring handling error");
1109             s->fatal_error = true;
1110             break;
1111         } else if (avail == 0) {
1112             break;
1113         }
1114 
1115         if (copylen > len) {
1116             copylen = len;
1117         }
1118         if (copylen > XENSTORE_RING_SIZE - offset) {
1119             copylen = XENSTORE_RING_SIZE - offset;
1120         }
1121 
1122         memcpy(ptr, &s->xs->req[offset], copylen);
1123         copied += copylen;
1124 
1125         ptr += copylen;
1126         len -= copylen;
1127 
1128         cons += copylen;
1129     }
1130 
1131     /*
1132      * Not sure this ever mattered except on Alpha, but this barrier
1133      * is to ensure that the update to req_cons is globally visible
1134      * only after we have consumed all the data from the ring, and we
1135      * don't end up seeing data written to the ring *after* the other
1136      * end sees the update and writes more to the ring. Xen's own
1137      * xenstored has the same barrier here (although with no comment
1138      * at all, obviously, because it's Xen code).
1139      */
1140     smp_mb();
1141 
1142     qatomic_set(&s->xs->req_cons, cons);
1143 
1144     return copied;
1145 }
1146 
1147 static unsigned int copy_to_ring(XenXenstoreState *s, uint8_t *ptr,
1148                                  unsigned int len)
1149 {
1150     if (!len) {
1151         return 0;
1152     }
1153 
1154     XENSTORE_RING_IDX cons = qatomic_read(&s->xs->rsp_cons);
1155     XENSTORE_RING_IDX prod = qatomic_read(&s->xs->rsp_prod);
1156     unsigned int copied = 0;
1157 
1158     /*
1159      * This matches the barrier in copy_to_ring() (or the guest's
1160      * equivalent) between writing the data to the ring and updating
1161      * rsp_prod. It protects against the pathological case (which
1162      * again I think never happened except on Alpha) where our
1163      * subsequent writes to the ring could *cross* the read of
1164      * rsp_cons and the guest could see the new data when it was
1165      * intending to read the old.
1166      */
1167     smp_mb();
1168 
1169     while (len) {
1170         unsigned int avail = cons + XENSTORE_RING_SIZE - prod;
1171         unsigned int offset = MASK_XENSTORE_IDX(prod);
1172         unsigned int copylen = len;
1173 
1174         if (avail > XENSTORE_RING_SIZE) {
1175             error_report("XenStore ring handling error");
1176             s->fatal_error = true;
1177             break;
1178         } else if (avail == 0) {
1179             break;
1180         }
1181 
1182         if (copylen > avail) {
1183             copylen = avail;
1184         }
1185         if (copylen > XENSTORE_RING_SIZE - offset) {
1186             copylen = XENSTORE_RING_SIZE - offset;
1187         }
1188 
1189 
1190         memcpy(&s->xs->rsp[offset], ptr, copylen);
1191         copied += copylen;
1192 
1193         ptr += copylen;
1194         len -= copylen;
1195 
1196         prod += copylen;
1197     }
1198 
1199     /* Ensure the ring contents are seen before rsp_prod update. */
1200     smp_wmb();
1201 
1202     qatomic_set(&s->xs->rsp_prod, prod);
1203 
1204     return copied;
1205 }
1206 
1207 static unsigned int get_req(XenXenstoreState *s)
1208 {
1209     unsigned int copied = 0;
1210 
1211     if (s->fatal_error) {
1212         return 0;
1213     }
1214 
1215     assert(!req_pending(s));
1216 
1217     if (s->req_offset < XENSTORE_HEADER_SIZE) {
1218         void *ptr = s->req_data + s->req_offset;
1219         unsigned int len = XENSTORE_HEADER_SIZE;
1220         unsigned int copylen = copy_from_ring(s, ptr, len);
1221 
1222         copied += copylen;
1223         s->req_offset += copylen;
1224     }
1225 
1226     if (s->req_offset >= XENSTORE_HEADER_SIZE) {
1227         struct xsd_sockmsg *req = (struct xsd_sockmsg *)s->req_data;
1228 
1229         if (req->len > (uint32_t)XENSTORE_PAYLOAD_MAX) {
1230             error_report("Illegal XenStore request");
1231             s->fatal_error = true;
1232             return 0;
1233         }
1234 
1235         void *ptr = s->req_data + s->req_offset;
1236         unsigned int len = XENSTORE_HEADER_SIZE + req->len - s->req_offset;
1237         unsigned int copylen = copy_from_ring(s, ptr, len);
1238 
1239         copied += copylen;
1240         s->req_offset += copylen;
1241     }
1242 
1243     return copied;
1244 }
1245 
1246 static unsigned int put_rsp(XenXenstoreState *s)
1247 {
1248     if (s->fatal_error) {
1249         return 0;
1250     }
1251 
1252     assert(s->rsp_pending);
1253 
1254     struct xsd_sockmsg *rsp = (struct xsd_sockmsg *)s->rsp_data;
1255     assert(s->rsp_offset < XENSTORE_HEADER_SIZE + rsp->len);
1256 
1257     void *ptr = s->rsp_data + s->rsp_offset;
1258     unsigned int len = XENSTORE_HEADER_SIZE + rsp->len - s->rsp_offset;
1259     unsigned int copylen = copy_to_ring(s, ptr, len);
1260 
1261     s->rsp_offset += copylen;
1262 
1263     /* Have we produced a complete response? */
1264     if (s->rsp_offset == XENSTORE_HEADER_SIZE + rsp->len) {
1265         reset_rsp(s);
1266     }
1267 
1268     return copylen;
1269 }
1270 
1271 static void deliver_watch(XenXenstoreState *s, const char *path,
1272                           const char *token)
1273 {
1274     struct xsd_sockmsg *rsp = (struct xsd_sockmsg *)s->rsp_data;
1275     uint8_t *rsp_data = (uint8_t *)&rsp[1];
1276     unsigned int len;
1277 
1278     assert(!s->rsp_pending);
1279 
1280     trace_xenstore_watch_event(path, token);
1281 
1282     rsp->type = XS_WATCH_EVENT;
1283     rsp->req_id = 0;
1284     rsp->tx_id = 0;
1285     rsp->len = 0;
1286 
1287     len = strlen(path);
1288 
1289     /* XENSTORE_ABS/REL_PATH_MAX should ensure there can be no overflow */
1290     assert(rsp->len + len < XENSTORE_PAYLOAD_MAX);
1291 
1292     memcpy(&rsp_data[rsp->len], path, len);
1293     rsp->len += len;
1294     rsp_data[rsp->len] = '\0';
1295     rsp->len++;
1296 
1297     len = strlen(token);
1298     /*
1299      * It is possible for the guest to have chosen a token that will
1300      * not fit (along with the patch) into a watch event. We have no
1301      * choice but to drop the event if this is the case.
1302      */
1303     if (rsp->len + len >= XENSTORE_PAYLOAD_MAX) {
1304         return;
1305     }
1306 
1307     memcpy(&rsp_data[rsp->len], token, len);
1308     rsp->len += len;
1309     rsp_data[rsp->len] = '\0';
1310     rsp->len++;
1311 
1312     s->rsp_pending = true;
1313 }
1314 
1315 struct watch_event {
1316     char *path;
1317     char *token;
1318 };
1319 
1320 static void free_watch_event(struct watch_event *ev)
1321 {
1322     if (ev) {
1323         g_free(ev->path);
1324         g_free(ev->token);
1325         g_free(ev);
1326     }
1327 }
1328 
1329 static void queue_watch(XenXenstoreState *s, const char *path,
1330                         const char *token)
1331 {
1332     struct watch_event *ev = g_new0(struct watch_event, 1);
1333 
1334     ev->path = g_strdup(path);
1335     ev->token = g_strdup(token);
1336 
1337     s->watch_events = g_list_append(s->watch_events, ev);
1338 }
1339 
1340 static void fire_watch_cb(void *opaque, const char *path, const char *token)
1341 {
1342     XenXenstoreState *s = opaque;
1343 
1344     assert(qemu_mutex_iothread_locked());
1345 
1346     /*
1347      * If there's a response pending, we obviously can't scribble over
1348      * it. But if there's a request pending, it has dibs on the buffer
1349      * too.
1350      *
1351      * In the common case of a watch firing due to backend activity
1352      * when the ring was otherwise idle, we should be able to copy the
1353      * strings directly into the rsp_data and thence the actual ring,
1354      * without needing to perform any allocations and queue them.
1355      */
1356     if (s->rsp_pending || req_pending(s)) {
1357         queue_watch(s, path, token);
1358     } else {
1359         deliver_watch(s, path, token);
1360         /*
1361          * Attempt to queue the message into the actual ring, and send
1362          * the event channel notification if any bytes are copied.
1363          */
1364         if (s->rsp_pending && put_rsp(s) > 0) {
1365             xen_be_evtchn_notify(s->eh, s->be_port);
1366         }
1367     }
1368 }
1369 
1370 static void process_watch_events(XenXenstoreState *s)
1371 {
1372     struct watch_event *ev = s->watch_events->data;
1373 
1374     deliver_watch(s, ev->path, ev->token);
1375 
1376     s->watch_events = g_list_remove(s->watch_events, ev);
1377     free_watch_event(ev);
1378 }
1379 
1380 static void xen_xenstore_event(void *opaque)
1381 {
1382     XenXenstoreState *s = opaque;
1383     evtchn_port_t port = xen_be_evtchn_pending(s->eh);
1384     unsigned int copied_to, copied_from;
1385     bool processed, notify = false;
1386 
1387     if (port != s->be_port) {
1388         return;
1389     }
1390 
1391     /* We know this is a no-op. */
1392     xen_be_evtchn_unmask(s->eh, port);
1393 
1394     do {
1395         copied_to = copied_from = 0;
1396         processed = false;
1397 
1398         if (!s->rsp_pending && s->watch_events) {
1399             process_watch_events(s);
1400         }
1401 
1402         if (s->rsp_pending) {
1403             copied_to = put_rsp(s);
1404         }
1405 
1406         if (!req_pending(s)) {
1407             copied_from = get_req(s);
1408         }
1409 
1410         if (req_pending(s) && !s->rsp_pending && !s->watch_events) {
1411             process_req(s);
1412             processed = true;
1413         }
1414 
1415         notify |= copied_to || copied_from;
1416     } while (copied_to || copied_from || processed);
1417 
1418     if (notify) {
1419         xen_be_evtchn_notify(s->eh, s->be_port);
1420     }
1421 }
1422 
1423 static void alloc_guest_port(XenXenstoreState *s)
1424 {
1425     struct evtchn_alloc_unbound alloc = {
1426         .dom = DOMID_SELF,
1427         .remote_dom = DOMID_QEMU,
1428     };
1429 
1430     if (!xen_evtchn_alloc_unbound_op(&alloc)) {
1431         s->guest_port = alloc.port;
1432     }
1433 }
1434 
1435 int xen_xenstore_reset(void)
1436 {
1437     XenXenstoreState *s = xen_xenstore_singleton;
1438     int console_port;
1439     GList *perms;
1440     int err;
1441 
1442     if (!s) {
1443         return -ENOTSUP;
1444     }
1445 
1446     s->req_offset = s->rsp_offset = 0;
1447     s->rsp_pending = false;
1448 
1449     if (!memory_region_is_mapped(&s->xenstore_page)) {
1450         uint64_t gpa = XEN_SPECIAL_PFN(XENSTORE) << TARGET_PAGE_BITS;
1451         xen_overlay_do_map_page(&s->xenstore_page, gpa);
1452     }
1453 
1454     alloc_guest_port(s);
1455 
1456     /*
1457      * As qemu/dom0, bind to the guest's port. For incoming migration, this
1458      * will be unbound as the guest's evtchn table is overwritten. We then
1459      * rebind to the correct guest port in xen_xenstore_post_load().
1460      */
1461     err = xen_be_evtchn_bind_interdomain(s->eh, xen_domid, s->guest_port);
1462     if (err < 0) {
1463         return err;
1464     }
1465     s->be_port = err;
1466 
1467     /* Create frontend store nodes */
1468     perms = g_list_append(NULL, xs_perm_as_string(XS_PERM_NONE, DOMID_QEMU));
1469     perms = g_list_append(perms, xs_perm_as_string(XS_PERM_READ, xen_domid));
1470 
1471     relpath_printf(s, perms, "store/port", "%u", s->guest_port);
1472     relpath_printf(s, perms, "store/ring-ref", "%lu",
1473                    XEN_SPECIAL_PFN(XENSTORE));
1474 
1475     console_port = xen_primary_console_get_port();
1476     if (console_port) {
1477         relpath_printf(s, perms, "console/ring-ref", "%lu",
1478                        XEN_SPECIAL_PFN(CONSOLE));
1479         relpath_printf(s, perms, "console/port", "%u", console_port);
1480         relpath_printf(s, perms, "console/state", "%u", XenbusStateInitialised);
1481     }
1482 
1483     g_list_free_full(perms, g_free);
1484 
1485     /*
1486      * We don't actually access the guest's page through the grant, because
1487      * this isn't real Xen, and we can just use the page we gave it in the
1488      * first place. Map the grant anyway, mostly for cosmetic purposes so
1489      * it *looks* like it's in use in the guest-visible grant table.
1490      */
1491     s->gt = qemu_xen_gnttab_open();
1492     uint32_t xs_gntref = GNTTAB_RESERVED_XENSTORE;
1493     s->granted_xs = qemu_xen_gnttab_map_refs(s->gt, 1, xen_domid, &xs_gntref,
1494                                              PROT_READ | PROT_WRITE);
1495 
1496     return 0;
1497 }
1498 
1499 struct qemu_xs_handle {
1500     XenstoreImplState *impl;
1501     GList *watches;
1502     QEMUBH *watch_bh;
1503 };
1504 
1505 struct qemu_xs_watch {
1506     struct qemu_xs_handle *h;
1507     char *path;
1508     xs_watch_fn fn;
1509     void *opaque;
1510     GList *events;
1511 };
1512 
1513 static char *xs_be_get_domain_path(struct qemu_xs_handle *h, unsigned int domid)
1514 {
1515     return g_strdup_printf("/local/domain/%u", domid);
1516 }
1517 
1518 static char **xs_be_directory(struct qemu_xs_handle *h, xs_transaction_t t,
1519                               const char *path, unsigned int *num)
1520 {
1521     GList *items = NULL, *l;
1522     unsigned int i = 0;
1523     char **items_ret;
1524     int err;
1525 
1526     err = xs_impl_directory(h->impl, DOMID_QEMU, t, path, NULL, &items);
1527     if (err) {
1528         errno = err;
1529         return NULL;
1530     }
1531 
1532     items_ret = g_new0(char *, g_list_length(items) + 1);
1533     *num = 0;
1534     for (l = items; l; l = l->next) {
1535         items_ret[i++] = l->data;
1536         (*num)++;
1537     }
1538     g_list_free(items);
1539     return items_ret;
1540 }
1541 
1542 static void *xs_be_read(struct qemu_xs_handle *h, xs_transaction_t t,
1543                         const char *path, unsigned int *len)
1544 {
1545     GByteArray *data = g_byte_array_new();
1546     bool free_segment = false;
1547     int err;
1548 
1549     err = xs_impl_read(h->impl, DOMID_QEMU, t, path, data);
1550     if (err) {
1551         free_segment = true;
1552         errno = err;
1553     } else {
1554         if (len) {
1555             *len = data->len;
1556         }
1557         /* The xen-bus-helper code expects to get NUL terminated string! */
1558         g_byte_array_append(data, (void *)"", 1);
1559     }
1560 
1561     return g_byte_array_free(data, free_segment);
1562 }
1563 
1564 static bool xs_be_write(struct qemu_xs_handle *h, xs_transaction_t t,
1565                         const char *path, const void *data, unsigned int len)
1566 {
1567     GByteArray *gdata = g_byte_array_new();
1568     int err;
1569 
1570     g_byte_array_append(gdata, data, len);
1571     err = xs_impl_write(h->impl, DOMID_QEMU, t, path, gdata);
1572     g_byte_array_unref(gdata);
1573     if (err) {
1574         errno = err;
1575         return false;
1576     }
1577     return true;
1578 }
1579 
1580 static bool xs_be_create(struct qemu_xs_handle *h, xs_transaction_t t,
1581                          unsigned int owner, unsigned int domid,
1582                          unsigned int perms, const char *path)
1583 {
1584     g_autoptr(GByteArray) data = g_byte_array_new();
1585     GList *perms_list = NULL;
1586     int err;
1587 
1588     /* mkdir does this */
1589     err = xs_impl_read(h->impl, DOMID_QEMU, t, path, data);
1590     if (err == ENOENT) {
1591         err = xs_impl_write(h->impl, DOMID_QEMU, t, path, data);
1592     }
1593     if (err) {
1594         errno = err;
1595         return false;
1596     }
1597 
1598     perms_list = g_list_append(perms_list,
1599                                xs_perm_as_string(XS_PERM_NONE, owner));
1600     perms_list = g_list_append(perms_list,
1601                                xs_perm_as_string(perms, domid));
1602 
1603     err = xs_impl_set_perms(h->impl, DOMID_QEMU, t, path, perms_list);
1604     g_list_free_full(perms_list, g_free);
1605     if (err) {
1606         errno = err;
1607         return false;
1608     }
1609     return true;
1610 }
1611 
1612 static bool xs_be_destroy(struct qemu_xs_handle *h, xs_transaction_t t,
1613                           const char *path)
1614 {
1615     int err = xs_impl_rm(h->impl, DOMID_QEMU, t, path);
1616     if (err) {
1617         errno = err;
1618         return false;
1619     }
1620     return true;
1621 }
1622 
1623 static void be_watch_bh(void *_h)
1624 {
1625     struct qemu_xs_handle *h = _h;
1626     GList *l;
1627 
1628     for (l = h->watches; l; l = l->next) {
1629         struct qemu_xs_watch *w = l->data;
1630 
1631         while (w->events) {
1632             struct watch_event *ev = w->events->data;
1633 
1634             w->fn(w->opaque, ev->path);
1635 
1636             w->events = g_list_remove(w->events, ev);
1637             free_watch_event(ev);
1638         }
1639     }
1640 }
1641 
1642 static void xs_be_watch_cb(void *opaque, const char *path, const char *token)
1643 {
1644     struct watch_event *ev = g_new0(struct watch_event, 1);
1645     struct qemu_xs_watch *w = opaque;
1646 
1647     /* We don't care about the token */
1648     ev->path = g_strdup(path);
1649     w->events = g_list_append(w->events, ev);
1650 
1651     qemu_bh_schedule(w->h->watch_bh);
1652 }
1653 
1654 static struct qemu_xs_watch *xs_be_watch(struct qemu_xs_handle *h,
1655                                          const char *path, xs_watch_fn fn,
1656                                          void *opaque)
1657 {
1658     struct qemu_xs_watch *w = g_new0(struct qemu_xs_watch, 1);
1659     int err;
1660 
1661     w->h = h;
1662     w->fn = fn;
1663     w->opaque = opaque;
1664 
1665     err = xs_impl_watch(h->impl, DOMID_QEMU, path, NULL, xs_be_watch_cb, w);
1666     if (err) {
1667         errno = err;
1668         g_free(w);
1669         return NULL;
1670     }
1671 
1672     w->path = g_strdup(path);
1673     h->watches = g_list_append(h->watches, w);
1674     return w;
1675 }
1676 
1677 static void xs_be_unwatch(struct qemu_xs_handle *h, struct qemu_xs_watch *w)
1678 {
1679     xs_impl_unwatch(h->impl, DOMID_QEMU, w->path, NULL, xs_be_watch_cb, w);
1680 
1681     h->watches = g_list_remove(h->watches, w);
1682     g_list_free_full(w->events, (GDestroyNotify)free_watch_event);
1683     g_free(w->path);
1684     g_free(w);
1685 }
1686 
1687 static xs_transaction_t xs_be_transaction_start(struct qemu_xs_handle *h)
1688 {
1689     unsigned int new_tx = XBT_NULL;
1690     int err = xs_impl_transaction_start(h->impl, DOMID_QEMU, &new_tx);
1691     if (err) {
1692         errno = err;
1693         return XBT_NULL;
1694     }
1695     return new_tx;
1696 }
1697 
1698 static bool xs_be_transaction_end(struct qemu_xs_handle *h, xs_transaction_t t,
1699                                   bool abort)
1700 {
1701     int err = xs_impl_transaction_end(h->impl, DOMID_QEMU, t, !abort);
1702     if (err) {
1703         errno = err;
1704         return false;
1705     }
1706     return true;
1707 }
1708 
1709 static struct qemu_xs_handle *xs_be_open(void)
1710 {
1711     XenXenstoreState *s = xen_xenstore_singleton;
1712     struct qemu_xs_handle *h;
1713 
1714     if (!s || !s->impl) {
1715         errno = -ENOSYS;
1716         return NULL;
1717     }
1718 
1719     h = g_new0(struct qemu_xs_handle, 1);
1720     h->impl = s->impl;
1721 
1722     h->watch_bh = aio_bh_new(qemu_get_aio_context(), be_watch_bh, h);
1723 
1724     return h;
1725 }
1726 
1727 static void xs_be_close(struct qemu_xs_handle *h)
1728 {
1729     while (h->watches) {
1730         struct qemu_xs_watch *w = h->watches->data;
1731         xs_be_unwatch(h, w);
1732     }
1733 
1734     qemu_bh_delete(h->watch_bh);
1735     g_free(h);
1736 }
1737 
1738 static struct xenstore_backend_ops emu_xenstore_backend_ops = {
1739     .open = xs_be_open,
1740     .close = xs_be_close,
1741     .get_domain_path = xs_be_get_domain_path,
1742     .directory = xs_be_directory,
1743     .read = xs_be_read,
1744     .write = xs_be_write,
1745     .create = xs_be_create,
1746     .destroy = xs_be_destroy,
1747     .watch = xs_be_watch,
1748     .unwatch = xs_be_unwatch,
1749     .transaction_start = xs_be_transaction_start,
1750     .transaction_end = xs_be_transaction_end,
1751 };
1752