xref: /freebsd/sys/dev/xen/gntdev/gntdev.c (revision 22cf89c938886d14f5796fc49f9f020c23ea8eaf)
1 /*-
2  * Copyright (c) 2016 Akshay Jaggi <jaggi@FreeBSD.org>
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  *
26  * gntdev.c
27  *
28  * Interface to /dev/xen/gntdev.
29  *
30  */
31 
32 #include <sys/cdefs.h>
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/uio.h>
36 #include <sys/bus.h>
37 #include <sys/malloc.h>
38 #include <sys/kernel.h>
39 #include <sys/lock.h>
40 #include <sys/mutex.h>
41 #include <sys/rwlock.h>
42 #include <sys/selinfo.h>
43 #include <sys/poll.h>
44 #include <sys/conf.h>
45 #include <sys/fcntl.h>
46 #include <sys/ioccom.h>
47 #include <sys/rman.h>
48 #include <sys/tree.h>
49 #include <sys/module.h>
50 #include <sys/proc.h>
51 #include <sys/bitset.h>
52 #include <sys/queue.h>
53 #include <sys/mman.h>
54 #include <sys/syslog.h>
55 #include <sys/taskqueue.h>
56 
57 #include <vm/vm.h>
58 #include <vm/vm_param.h>
59 #include <vm/vm_extern.h>
60 #include <vm/vm_kern.h>
61 #include <vm/vm_page.h>
62 #include <vm/vm_map.h>
63 #include <vm/vm_object.h>
64 #include <vm/vm_pager.h>
65 
66 #include <machine/md_var.h>
67 
68 #include <xen/xen-os.h>
69 #include <xen/hypervisor.h>
70 #include <xen/error.h>
71 #include <xen/xen_intr.h>
72 #include <xen/gnttab.h>
73 #include <xen/gntdev.h>
74 
75 MALLOC_DEFINE(M_GNTDEV, "gntdev", "Xen grant-table user-space device");
76 
77 #define MAX_OFFSET_COUNT ((0xffffffffffffffffull >> PAGE_SHIFT) + 1)
78 
79 static d_open_t gntdev_open;
80 static d_ioctl_t gntdev_ioctl;
81 static d_mmap_single_t gntdev_mmap_single;
82 
83 static struct cdevsw gntdev_devsw = {
84 	.d_version = D_VERSION,
85 	.d_open = gntdev_open,
86 	.d_ioctl = gntdev_ioctl,
87 	.d_mmap_single = gntdev_mmap_single,
88 	.d_name = "gntdev",
89 };
90 
91 static device_t gntdev_dev = NULL;
92 
93 struct gntdev_gref;
94 struct gntdev_gmap;
95 STAILQ_HEAD(gref_list_head, gntdev_gref);
96 STAILQ_HEAD(gmap_list_head, gntdev_gmap);
97 RB_HEAD(gref_tree_head, gntdev_gref);
98 RB_HEAD(gmap_tree_head, gntdev_gmap);
99 
100 struct file_offset_struct {
101 	RB_ENTRY(file_offset_struct)	next;
102 	uint64_t			file_offset;
103 	uint64_t			count;
104 };
105 
106 static int
107 offset_cmp(struct file_offset_struct *f1, struct file_offset_struct *f2)
108 {
109 	return (f1->file_offset - f2->file_offset);
110 }
111 
112 RB_HEAD(file_offset_head, file_offset_struct);
113 RB_GENERATE_STATIC(file_offset_head, file_offset_struct, next, offset_cmp);
114 
115 struct per_user_data {
116 	struct mtx		user_data_lock;
117 	struct gref_tree_head	gref_tree;
118 	struct gmap_tree_head	gmap_tree;
119 	struct file_offset_head	file_offset;
120 };
121 
122 /*
123  * Get offset into the file which will be used while mmapping the
124  * appropriate pages by the userspace program.
125  */
126 static int
127 get_file_offset(struct per_user_data *priv_user, uint32_t count,
128     uint64_t *file_offset)
129 {
130 	struct file_offset_struct *offset, *offset_tmp;
131 
132 	if (count == 0)
133 		return (EINVAL);
134 	mtx_lock(&priv_user->user_data_lock);
135 	RB_FOREACH_SAFE(offset, file_offset_head, &priv_user->file_offset,
136 	    offset_tmp) {
137 		if (offset->count >= count) {
138 			offset->count -= count;
139 			*file_offset = offset->file_offset + offset->count *
140 			    PAGE_SIZE;
141 			if (offset->count == 0) {
142 				RB_REMOVE(file_offset_head,
143 				    &priv_user->file_offset, offset);
144 				free(offset, M_GNTDEV);
145 			}
146 			mtx_unlock(&priv_user->user_data_lock);
147 			return (0);
148 		}
149 	}
150 	mtx_unlock(&priv_user->user_data_lock);
151 
152 	return (ENOSPC);
153 }
154 
155 static void
156 put_file_offset(struct per_user_data *priv_user, uint32_t count,
157     uint64_t file_offset)
158 {
159 	struct file_offset_struct *offset, *offset_nxt, *offset_prv;
160 
161 	offset = malloc(sizeof(*offset), M_GNTDEV, M_WAITOK | M_ZERO);
162 	offset->file_offset = file_offset;
163 	offset->count = count;
164 
165 	mtx_lock(&priv_user->user_data_lock);
166 	RB_INSERT(file_offset_head, &priv_user->file_offset, offset);
167 	offset_nxt = RB_NEXT(file_offset_head, &priv_user->file_offset, offset);
168 	offset_prv = RB_PREV(file_offset_head, &priv_user->file_offset, offset);
169 	if (offset_nxt != NULL &&
170 	    offset_nxt->file_offset == offset->file_offset + offset->count *
171 	    PAGE_SIZE) {
172 		offset->count += offset_nxt->count;
173 		RB_REMOVE(file_offset_head, &priv_user->file_offset,
174 		    offset_nxt);
175 		free(offset_nxt, M_GNTDEV);
176 	}
177 	if (offset_prv != NULL &&
178 	    offset->file_offset == offset_prv->file_offset + offset_prv->count *
179 	    PAGE_SIZE) {
180 		offset_prv->count += offset->count;
181 		RB_REMOVE(file_offset_head, &priv_user->file_offset, offset);
182 		free(offset, M_GNTDEV);
183 	}
184 	mtx_unlock(&priv_user->user_data_lock);
185 }
186 
187 static int	gntdev_gmap_pg_ctor(void *handle, vm_ooffset_t size,
188     vm_prot_t prot, vm_ooffset_t foff, struct ucred *cred, u_short *color);
189 static void	gntdev_gmap_pg_dtor(void *handle);
190 static int	gntdev_gmap_pg_fault(vm_object_t object, vm_ooffset_t offset,
191     int prot, vm_page_t *mres);
192 
193 static struct cdev_pager_ops gntdev_gmap_pg_ops = {
194 	.cdev_pg_fault = gntdev_gmap_pg_fault,
195 	.cdev_pg_ctor =	gntdev_gmap_pg_ctor,
196 	.cdev_pg_dtor =	gntdev_gmap_pg_dtor,
197 };
198 
199 struct cleanup_data_struct {
200 	struct mtx to_kill_grefs_mtx;
201 	struct mtx to_kill_gmaps_mtx;
202 	struct gref_list_head to_kill_grefs;
203 	struct gmap_list_head to_kill_gmaps;
204 };
205 
206 static struct cleanup_data_struct cleanup_data = {
207 	.to_kill_grefs = STAILQ_HEAD_INITIALIZER(cleanup_data.to_kill_grefs),
208 	.to_kill_gmaps = STAILQ_HEAD_INITIALIZER(cleanup_data.to_kill_gmaps),
209 };
210 MTX_SYSINIT(to_kill_grefs_mtx, &cleanup_data.to_kill_grefs_mtx,
211     "gntdev to_kill_grefs mutex", MTX_DEF);
212 MTX_SYSINIT(to_kill_gmaps_mtx, &cleanup_data.to_kill_gmaps_mtx,
213     "gntdev to_kill_gmaps mutex", MTX_DEF);
214 
215 static void	cleanup_function(void *arg, __unused int pending);
216 static struct task cleanup_task = TASK_INITIALIZER(0, cleanup_function,
217     &cleanup_data);
218 
219 struct notify_data {
220 	uint64_t		index;
221 	uint32_t		action;
222 	uint32_t		event_channel_port;
223 	xen_intr_handle_t	notify_evtchn_handle;
224 };
225 
226 static void	notify(struct notify_data *notify, vm_page_t page);
227 
228 /*-------------------- Grant Allocation Methods  -----------------------------*/
229 
230 struct gntdev_gref {
231 	union gref_next_union {
232 		STAILQ_ENTRY(gntdev_gref) 		list;
233 		RB_ENTRY(gntdev_gref)	 		tree;
234 	}			gref_next;
235 	uint64_t		file_index;
236 	grant_ref_t		gref_id;
237 	vm_page_t		page;
238 	struct notify_data	*notify;
239 };
240 
241 static int
242 gref_cmp(struct gntdev_gref *g1, struct gntdev_gref *g2)
243 {
244 	return (g1->file_index - g2->file_index);
245 }
246 
247 RB_GENERATE_STATIC(gref_tree_head, gntdev_gref, gref_next.tree, gref_cmp);
248 
249 /*
250  * Traverse over the device-list of to-be-deleted grants allocated, and
251  * if all accesses, both local mmaps and foreign maps, to them have ended,
252  * destroy them.
253  */
254 static void
255 gref_list_dtor(struct cleanup_data_struct *cleanup_data)
256 {
257 	struct gref_list_head tmp_grefs;
258 	struct gntdev_gref *gref, *gref_tmp, *gref_previous;
259 
260 	STAILQ_INIT(&tmp_grefs);
261 	mtx_lock(&cleanup_data->to_kill_grefs_mtx);
262 	STAILQ_SWAP(&cleanup_data->to_kill_grefs, &tmp_grefs, gntdev_gref);
263 	mtx_unlock(&cleanup_data->to_kill_grefs_mtx);
264 
265 	gref_previous = NULL;
266 	STAILQ_FOREACH_SAFE(gref, &tmp_grefs, gref_next.list, gref_tmp) {
267 		if (gref->page && gref->page->object == NULL) {
268 			if (gref->notify) {
269 				notify(gref->notify, gref->page);
270 			}
271 			if (gref->gref_id != GRANT_REF_INVALID) {
272 				if (gnttab_query_foreign_access(gref->gref_id))
273 					continue;
274 				if (gnttab_end_foreign_access_ref(gref->gref_id)
275 				    == 0)
276 					continue;
277 				gnttab_free_grant_reference(gref->gref_id);
278 			}
279 			vm_page_unwire_noq(gref->page);
280 			vm_page_free(gref->page);
281 			gref->page = NULL;
282 		}
283 		if (gref->page == NULL) {
284 			if (gref_previous == NULL)
285 				STAILQ_REMOVE_HEAD(&tmp_grefs, gref_next.list);
286 			else
287 				STAILQ_REMOVE_AFTER(&tmp_grefs, gref_previous,
288 				    gref_next.list);
289 			if (gref->notify)
290 				free(gref->notify, M_GNTDEV);
291 			free(gref, M_GNTDEV);
292 		}
293 		else
294 			gref_previous = gref;
295 	}
296 
297 	if (!STAILQ_EMPTY(&tmp_grefs)) {
298 		mtx_lock(&cleanup_data->to_kill_grefs_mtx);
299 		STAILQ_CONCAT(&cleanup_data->to_kill_grefs, &tmp_grefs);
300 		mtx_unlock(&cleanup_data->to_kill_grefs_mtx);
301 	}
302 }
303 
304 /*
305  * Find count number of contiguous allocated grants for a given userspace
306  * program by file-offset (index).
307  */
308 static struct gntdev_gref*
309 gntdev_find_grefs(struct per_user_data *priv_user,
310 	uint64_t index, uint32_t count)
311 {
312 	struct gntdev_gref find_gref, *gref, *gref_start = NULL;
313 
314 	find_gref.file_index = index;
315 
316 	mtx_lock(&priv_user->user_data_lock);
317 	gref_start = RB_FIND(gref_tree_head, &priv_user->gref_tree, &find_gref);
318 	for (gref = gref_start; gref != NULL && count > 0; gref =
319 	    RB_NEXT(gref_tree_head, &priv_user->gref_tree, gref)) {
320 		if (index != gref->file_index)
321 			break;
322 		index += PAGE_SIZE;
323 		count--;
324 	}
325 	mtx_unlock(&priv_user->user_data_lock);
326 
327 	if (count)
328 		return (NULL);
329 	return (gref_start);
330 }
331 
332 /*
333  * IOCTL_GNTDEV_ALLOC_GREF
334  * Allocate required number of wired pages for the request, grant foreign
335  * access to the physical frames for these pages, and add details about
336  * this allocation to the per user private data, so that these pages can
337  * be mmapped by the userspace program.
338  */
339 static int
340 gntdev_alloc_gref(struct ioctl_gntdev_alloc_gref *arg)
341 {
342 	uint32_t i;
343 	int error, readonly;
344 	uint64_t file_offset;
345 	struct gntdev_gref *grefs;
346 	struct per_user_data *priv_user;
347 
348 	readonly = !(arg->flags & GNTDEV_ALLOC_FLAG_WRITABLE);
349 
350 	error = devfs_get_cdevpriv((void**) &priv_user);
351 	if (error != 0)
352 		return (EINVAL);
353 
354 	/* Cleanup grefs and free pages. */
355 	taskqueue_enqueue(taskqueue_thread, &cleanup_task);
356 
357 	/* Get file offset for this request. */
358 	error = get_file_offset(priv_user, arg->count, &file_offset);
359 	if (error != 0)
360 		return (error);
361 
362 	/* Allocate grefs. */
363 	grefs = malloc(sizeof(*grefs) * arg->count, M_GNTDEV, M_WAITOK);
364 
365 	for (i = 0; i < arg->count; i++) {
366 		grefs[i].file_index = file_offset + i * PAGE_SIZE;
367 		grefs[i].gref_id = GRANT_REF_INVALID;
368 		grefs[i].notify = NULL;
369 		grefs[i].page = vm_page_alloc_noobj(VM_ALLOC_WIRED |
370 		    VM_ALLOC_ZERO);
371 		if (grefs[i].page == NULL) {
372 			log(LOG_ERR, "Page allocation failed.");
373 			error = ENOMEM;
374 			break;
375 		}
376 		grefs[i].page->valid = VM_PAGE_BITS_ALL;
377 
378 		error = gnttab_grant_foreign_access(arg->domid,
379 			(VM_PAGE_TO_PHYS(grefs[i].page) >> PAGE_SHIFT),
380 			readonly, &grefs[i].gref_id);
381 		if (error != 0) {
382 			log(LOG_ERR, "Grant Table Hypercall failed.");
383 			break;
384 		}
385 	}
386 
387 	if (error != 0) {
388 		/*
389 		 * If target domain maps the gref (by guessing the gref-id),
390 		 * then we can't clean it up yet and we have to leave the
391 		 * page in place so as to not leak our memory to that domain.
392 		 * Add it to a global list to be cleaned up later.
393 		 */
394 		mtx_lock(&cleanup_data.to_kill_grefs_mtx);
395 		for (i = 0; i < arg->count; i++)
396 			STAILQ_INSERT_TAIL(&cleanup_data.to_kill_grefs,
397 			    &grefs[i], gref_next.list);
398 		mtx_unlock(&cleanup_data.to_kill_grefs_mtx);
399 
400 		taskqueue_enqueue(taskqueue_thread, &cleanup_task);
401 
402 		return (error);
403 	}
404 
405 	/* Copy the output values. */
406 	arg->index = file_offset;
407 	for (i = 0; i < arg->count; i++)
408 		suword32(&arg->gref_ids[i], grefs[i].gref_id);
409 
410 	/* Modify the per user private data. */
411 	mtx_lock(&priv_user->user_data_lock);
412 	for (i = 0; i < arg->count; i++)
413 		RB_INSERT(gref_tree_head, &priv_user->gref_tree, &grefs[i]);
414 	mtx_unlock(&priv_user->user_data_lock);
415 
416 	return (error);
417 }
418 
419 /*
420  * IOCTL_GNTDEV_DEALLOC_GREF
421  * Remove grant allocation information from the per user private data, so
422  * that it can't be mmapped anymore by the userspace program, and add it
423  * to the to-be-deleted grants global device-list.
424  */
425 static int
426 gntdev_dealloc_gref(struct ioctl_gntdev_dealloc_gref *arg)
427 {
428 	int error;
429 	uint32_t count;
430 	struct gntdev_gref *gref, *gref_tmp;
431 	struct per_user_data *priv_user;
432 
433 	error = devfs_get_cdevpriv((void**) &priv_user);
434 	if (error != 0)
435 		return (EINVAL);
436 
437 	gref = gntdev_find_grefs(priv_user, arg->index, arg->count);
438 	if (gref == NULL) {
439 		log(LOG_ERR, "Can't find requested grant-refs.");
440 		return (EINVAL);
441 	}
442 
443 	/* Remove the grefs from user private data. */
444 	count = arg->count;
445 	mtx_lock(&priv_user->user_data_lock);
446 	mtx_lock(&cleanup_data.to_kill_grefs_mtx);
447 	for (; gref != NULL && count > 0; gref = gref_tmp) {
448 		gref_tmp = RB_NEXT(gref_tree_head, &priv_user->gref_tree, gref);
449 		RB_REMOVE(gref_tree_head, &priv_user->gref_tree, gref);
450 		STAILQ_INSERT_TAIL(&cleanup_data.to_kill_grefs, gref,
451 		    gref_next.list);
452 		count--;
453 	}
454 	mtx_unlock(&cleanup_data.to_kill_grefs_mtx);
455 	mtx_unlock(&priv_user->user_data_lock);
456 
457 	taskqueue_enqueue(taskqueue_thread, &cleanup_task);
458 	put_file_offset(priv_user, arg->count, arg->index);
459 
460 	return (0);
461 }
462 
463 /*-------------------- Grant Mapping Methods  --------------------------------*/
464 
465 struct gntdev_gmap_map {
466 	vm_object_t	mem;
467 	struct resource	*pseudo_phys_res;
468 	int 		pseudo_phys_res_id;
469 	vm_paddr_t	phys_base_addr;
470 };
471 
472 struct gntdev_gmap {
473 	union gmap_next_union {
474 		STAILQ_ENTRY(gntdev_gmap)		list;
475 		RB_ENTRY(gntdev_gmap)			tree;
476 	}				gmap_next;
477 	uint64_t			file_index;
478 	uint32_t			count;
479 	struct gnttab_map_grant_ref	*grant_map_ops;
480 	struct gntdev_gmap_map		*map;
481 	struct notify_data		*notify;
482 };
483 
484 static int
485 gmap_cmp(struct gntdev_gmap *g1, struct gntdev_gmap *g2)
486 {
487 	return (g1->file_index - g2->file_index);
488 }
489 
490 RB_GENERATE_STATIC(gmap_tree_head, gntdev_gmap, gmap_next.tree, gmap_cmp);
491 
492 /*
493  * Traverse over the device-list of to-be-deleted grant mappings, and if
494  * the region is no longer mmapped by anyone, free the memory used to
495  * store information about the mapping.
496  */
497 static void
498 gmap_list_dtor(struct cleanup_data_struct *cleanup_data)
499 {
500 	struct gmap_list_head tmp_gmaps;
501 	struct gntdev_gmap *gmap, *gmap_tmp, *gmap_previous;
502 
503 	STAILQ_INIT(&tmp_gmaps);
504 	mtx_lock(&cleanup_data->to_kill_gmaps_mtx);
505 	STAILQ_SWAP(&cleanup_data->to_kill_gmaps, &tmp_gmaps, gntdev_gmap);
506 	mtx_unlock(&cleanup_data->to_kill_gmaps_mtx);
507 
508 	gmap_previous = NULL;
509 	STAILQ_FOREACH_SAFE(gmap, &tmp_gmaps, gmap_next.list, gmap_tmp) {
510 		if (gmap->map == NULL) {
511 			if (gmap_previous == NULL)
512 				STAILQ_REMOVE_HEAD(&tmp_gmaps, gmap_next.list);
513 			else
514 				STAILQ_REMOVE_AFTER(&tmp_gmaps, gmap_previous,
515 				    gmap_next.list);
516 
517 			if (gmap->notify)
518 				free(gmap->notify, M_GNTDEV);
519 			free(gmap->grant_map_ops, M_GNTDEV);
520 			free(gmap, M_GNTDEV);
521 		}
522 		else
523 			gmap_previous = gmap;
524 	}
525 
526 	if (!STAILQ_EMPTY(&tmp_gmaps)) {
527 		mtx_lock(&cleanup_data->to_kill_gmaps_mtx);
528 		STAILQ_CONCAT(&cleanup_data->to_kill_gmaps, &tmp_gmaps);
529 		mtx_unlock(&cleanup_data->to_kill_gmaps_mtx);
530 	}
531 }
532 
533 /*
534  * Find mapped grants for a given userspace program, by file-offset (index)
535  * and count, as supplied during the map-ioctl.
536  */
537 static struct gntdev_gmap*
538 gntdev_find_gmap(struct per_user_data *priv_user,
539 	uint64_t index, uint32_t count)
540 {
541 	struct gntdev_gmap find_gmap, *gmap;
542 
543 	find_gmap.file_index = index;
544 
545 	mtx_lock(&priv_user->user_data_lock);
546 	gmap = RB_FIND(gmap_tree_head, &priv_user->gmap_tree, &find_gmap);
547 	mtx_unlock(&priv_user->user_data_lock);
548 
549 	if (gmap != NULL && gmap->count == count)
550 		return (gmap);
551 	return (NULL);
552 }
553 
554 /*
555  * Remove the pages from the mgtdevice pager, call the unmap hypercall,
556  * free the xenmem resource. This function is called during the
557  * destruction of the mgtdevice pager, which happens when all mmaps to
558  * it have been removed, and the unmap-ioctl has been performed.
559  */
560 static int
561 notify_unmap_cleanup(struct gntdev_gmap *gmap)
562 {
563 	uint32_t i;
564 	int error, count;
565 	vm_page_t m;
566 	struct gnttab_unmap_grant_ref *unmap_ops;
567 
568 	unmap_ops = malloc(sizeof(struct gnttab_unmap_grant_ref) * gmap->count,
569 			M_GNTDEV, M_WAITOK);
570 
571 	/* Enumerate freeable maps. */
572 	count = 0;
573 	for (i = 0; i < gmap->count; i++) {
574 		if (gmap->grant_map_ops[i].handle != -1) {
575 			unmap_ops[count].handle = gmap->grant_map_ops[i].handle;
576 			unmap_ops[count].host_addr =
577 				gmap->grant_map_ops[i].host_addr;
578 			unmap_ops[count].dev_bus_addr = 0;
579 			count++;
580 		}
581 	}
582 
583 	/* Perform notification. */
584 	if (count > 0 && gmap->notify) {
585 		vm_page_t page;
586 		uint64_t page_offset;
587 
588 		page_offset = gmap->notify->index - gmap->file_index;
589 		page = PHYS_TO_VM_PAGE(gmap->map->phys_base_addr + page_offset);
590 		notify(gmap->notify, page);
591 	}
592 
593 	/* Free the pages. */
594 	VM_OBJECT_WLOCK(gmap->map->mem);
595 retry:
596 	for (i = 0; i < gmap->count; i++) {
597 		m = vm_page_lookup(gmap->map->mem, i);
598 		if (m == NULL)
599 			continue;
600 		if (vm_page_busy_acquire(m, VM_ALLOC_WAITFAIL) == 0)
601 			goto retry;
602 		cdev_pager_free_page(gmap->map->mem, m);
603 	}
604 	VM_OBJECT_WUNLOCK(gmap->map->mem);
605 
606 	/* Perform unmap hypercall. */
607 	error = HYPERVISOR_grant_table_op(GNTTABOP_unmap_grant_ref,
608 	    unmap_ops, count);
609 
610 	for (i = 0; i < gmap->count; i++) {
611 		gmap->grant_map_ops[i].handle = -1;
612 		gmap->grant_map_ops[i].host_addr = 0;
613 	}
614 
615 	if (gmap->map) {
616 		error = xenmem_free(gntdev_dev, gmap->map->pseudo_phys_res_id,
617 		    gmap->map->pseudo_phys_res);
618 		KASSERT(error == 0,
619 		    ("Unable to release memory resource: %d", error));
620 
621 		free(gmap->map, M_GNTDEV);
622 		gmap->map = NULL;
623 	}
624 
625 	free(unmap_ops, M_GNTDEV);
626 
627 	return (error);
628 }
629 
630 /*
631  * IOCTL_GNTDEV_MAP_GRANT_REF
632  * Populate structures for mapping the grant reference in the per user
633  * private data. Actual resource allocation and map hypercall is performed
634  * during the mmap.
635  */
636 static int
637 gntdev_map_grant_ref(struct ioctl_gntdev_map_grant_ref *arg)
638 {
639 	uint32_t i;
640 	int error;
641 	struct gntdev_gmap *gmap;
642 	struct per_user_data *priv_user;
643 
644 	error = devfs_get_cdevpriv((void**) &priv_user);
645 	if (error != 0)
646 		return (EINVAL);
647 
648 	gmap = malloc(sizeof(*gmap), M_GNTDEV, M_WAITOK | M_ZERO);
649 	gmap->count = arg->count;
650 	gmap->grant_map_ops =
651 	    malloc(sizeof(struct gnttab_map_grant_ref) * arg->count,
652 	        M_GNTDEV, M_WAITOK | M_ZERO);
653 
654 	for (i = 0; i < arg->count; i++) {
655 		struct ioctl_gntdev_grant_ref ref;
656 
657 		error = copyin(&arg->refs[i], &ref, sizeof(ref));
658 		if (error != 0) {
659 			free(gmap->grant_map_ops, M_GNTDEV);
660 			free(gmap, M_GNTDEV);
661 			return (error);
662 		}
663 		gmap->grant_map_ops[i].dom = ref.domid;
664 		gmap->grant_map_ops[i].ref = ref.ref;
665 		gmap->grant_map_ops[i].handle = -1;
666 		gmap->grant_map_ops[i].flags = GNTMAP_host_map;
667 	}
668 
669 	error = get_file_offset(priv_user, arg->count, &gmap->file_index);
670 	if (error != 0) {
671 		free(gmap->grant_map_ops, M_GNTDEV);
672 		free(gmap, M_GNTDEV);
673 		return (error);
674 	}
675 
676 	mtx_lock(&priv_user->user_data_lock);
677 	RB_INSERT(gmap_tree_head, &priv_user->gmap_tree, gmap);
678 	mtx_unlock(&priv_user->user_data_lock);
679 
680 	arg->index = gmap->file_index;
681 
682 	return (error);
683 }
684 
685 /*
686  * IOCTL_GNTDEV_UNMAP_GRANT_REF
687  * Remove the map information from the per user private data and add it
688  * to the global device-list of mappings to be deleted. A reference to
689  * the mgtdevice pager is also decreased, the reason for which is
690  * explained in mmap_gmap().
691  */
692 static int
693 gntdev_unmap_grant_ref(struct ioctl_gntdev_unmap_grant_ref *arg)
694 {
695 	int error;
696 	struct gntdev_gmap *gmap;
697 	struct per_user_data *priv_user;
698 
699 	error = devfs_get_cdevpriv((void**) &priv_user);
700 	if (error != 0)
701 		return (EINVAL);
702 
703 	gmap = gntdev_find_gmap(priv_user, arg->index, arg->count);
704 	if (gmap == NULL) {
705 		log(LOG_ERR, "Can't find requested grant-map.");
706 		return (EINVAL);
707 	}
708 
709 	mtx_lock(&priv_user->user_data_lock);
710 	mtx_lock(&cleanup_data.to_kill_gmaps_mtx);
711 	RB_REMOVE(gmap_tree_head, &priv_user->gmap_tree, gmap);
712 	STAILQ_INSERT_TAIL(&cleanup_data.to_kill_gmaps, gmap, gmap_next.list);
713 	mtx_unlock(&cleanup_data.to_kill_gmaps_mtx);
714 	mtx_unlock(&priv_user->user_data_lock);
715 
716 	if (gmap->map)
717 		vm_object_deallocate(gmap->map->mem);
718 
719 	taskqueue_enqueue(taskqueue_thread, &cleanup_task);
720 	put_file_offset(priv_user, arg->count, arg->index);
721 
722 	return (0);
723 }
724 
725 /*
726  * IOCTL_GNTDEV_GET_OFFSET_FOR_VADDR
727  * Get file-offset and count for a given mapping, from the virtual address
728  * where the mapping is mmapped.
729  * Please note, this only works for grants mapped by this domain, and not
730  * grants allocated. Count doesn't make much sense in reference to grants
731  * allocated. Also, because this function is present in the linux gntdev
732  * device, but not in the linux gntalloc one, most userspace code only use
733  * it for mapped grants.
734  */
735 static int
736 gntdev_get_offset_for_vaddr(struct ioctl_gntdev_get_offset_for_vaddr *arg,
737 	struct thread *td)
738 {
739 	int error;
740 	vm_map_t map;
741 	vm_map_entry_t entry;
742 	vm_object_t mem;
743 	vm_pindex_t pindex;
744 	vm_prot_t prot;
745 	boolean_t wired;
746 	struct gntdev_gmap *gmap;
747 	int rc;
748 
749 	map = &td->td_proc->p_vmspace->vm_map;
750 	error = vm_map_lookup(&map, arg->vaddr, VM_PROT_NONE, &entry,
751 		    &mem, &pindex, &prot, &wired);
752 	if (error != KERN_SUCCESS)
753 		return (EINVAL);
754 
755 	if ((mem->type != OBJT_MGTDEVICE) ||
756 	    (mem->un_pager.devp.ops != &gntdev_gmap_pg_ops)) {
757 		rc = EINVAL;
758 		goto out;
759 	}
760 
761 	gmap = mem->handle;
762 	if (gmap == NULL ||
763 	    (entry->end - entry->start) != (gmap->count * PAGE_SIZE)) {
764 		rc = EINVAL;
765 		goto out;
766 	}
767 
768 	arg->count = gmap->count;
769 	arg->offset = gmap->file_index;
770 	rc = 0;
771 
772 out:
773 	vm_map_lookup_done(map, entry);
774 	return (rc);
775 }
776 
777 /*-------------------- Grant Mapping Pager  ----------------------------------*/
778 
779 static int
780 gntdev_gmap_pg_ctor(void *handle, vm_ooffset_t size, vm_prot_t prot,
781     vm_ooffset_t foff, struct ucred *cred, u_short *color)
782 {
783 
784 	return (0);
785 }
786 
787 static void
788 gntdev_gmap_pg_dtor(void *handle)
789 {
790 
791 	notify_unmap_cleanup((struct gntdev_gmap *)handle);
792 }
793 
794 static int
795 gntdev_gmap_pg_fault(vm_object_t object, vm_ooffset_t offset, int prot,
796     vm_page_t *mres)
797 {
798 	struct gntdev_gmap *gmap = object->handle;
799 	vm_pindex_t pidx, ridx;
800 	vm_page_t page;
801 	vm_ooffset_t relative_offset;
802 
803 	if (gmap->map == NULL)
804 		return (VM_PAGER_FAIL);
805 
806 	relative_offset = offset - gmap->file_index;
807 
808 	pidx = OFF_TO_IDX(offset);
809 	ridx = OFF_TO_IDX(relative_offset);
810 	if (ridx >= gmap->count ||
811 	    gmap->grant_map_ops[ridx].status != GNTST_okay)
812 		return (VM_PAGER_FAIL);
813 
814 	page = PHYS_TO_VM_PAGE(gmap->map->phys_base_addr + relative_offset);
815 	if (page == NULL)
816 		return (VM_PAGER_FAIL);
817 
818 	KASSERT((page->flags & PG_FICTITIOUS) != 0,
819 	    ("not fictitious %p", page));
820 	KASSERT(vm_page_wired(page), ("page %p is not wired", page));
821 	KASSERT(!vm_page_busied(page), ("page %p is busy", page));
822 
823 	vm_page_busy_acquire(page, 0);
824 	vm_page_valid(page);
825 	if (*mres != NULL)
826 		vm_page_replace(page, object, pidx, *mres);
827 	else
828 		vm_page_insert(page, object, pidx);
829 	*mres = page;
830 	return (VM_PAGER_OK);
831 }
832 
833 /*------------------ Grant Table Methods  ------------------------------------*/
834 
835 static void
836 notify(struct notify_data *notify, vm_page_t page)
837 {
838 	if (notify->action & UNMAP_NOTIFY_CLEAR_BYTE) {
839 		uint8_t *mem;
840 		uint64_t offset;
841 
842 		offset = notify->index & PAGE_MASK;
843 		mem = (uint8_t *)pmap_quick_enter_page(page);
844 		mem[offset] = 0;
845 		pmap_quick_remove_page((vm_offset_t)mem);
846 	}
847 	if (notify->action & UNMAP_NOTIFY_SEND_EVENT) {
848 		xen_intr_signal(notify->notify_evtchn_handle);
849 		xen_intr_unbind(&notify->notify_evtchn_handle);
850 	}
851 	notify->action = 0;
852 }
853 
854 /*
855  * Helper to copy new arguments from the notify ioctl into
856  * the existing notify data.
857  */
858 static int
859 copy_notify_helper(struct notify_data *destination,
860     struct ioctl_gntdev_unmap_notify *source)
861 {
862 	xen_intr_handle_t handlep = NULL;
863 
864 	/*
865 	 * "Get" before "Put"ting previous reference, as we might be
866 	 * holding the last reference to the event channel port.
867 	 */
868 	if (source->action & UNMAP_NOTIFY_SEND_EVENT)
869 		if (xen_intr_get_evtchn_from_port(source->event_channel_port,
870 		    &handlep) != 0)
871 			return (EINVAL);
872 
873 	if (destination->action & UNMAP_NOTIFY_SEND_EVENT)
874 		xen_intr_unbind(&destination->notify_evtchn_handle);
875 
876 	destination->action = source->action;
877 	destination->event_channel_port = source->event_channel_port;
878 	destination->index = source->index;
879 	destination->notify_evtchn_handle = handlep;
880 
881 	return (0);
882 }
883 
884 /*
885  * IOCTL_GNTDEV_SET_UNMAP_NOTIFY
886  * Set unmap notification inside the appropriate grant. It sends a
887  * notification when the grant is completely munmapped by this domain
888  * and ready for destruction.
889  */
890 static int
891 gntdev_set_unmap_notify(struct ioctl_gntdev_unmap_notify *arg)
892 {
893 	int error;
894 	uint64_t index;
895 	struct per_user_data *priv_user;
896 	struct gntdev_gref *gref = NULL;
897 	struct gntdev_gmap *gmap;
898 
899 	error = devfs_get_cdevpriv((void**) &priv_user);
900 	if (error != 0)
901 		return (EINVAL);
902 
903 	if (arg->action & ~(UNMAP_NOTIFY_CLEAR_BYTE|UNMAP_NOTIFY_SEND_EVENT))
904 		return (EINVAL);
905 
906 	index = arg->index & ~PAGE_MASK;
907 	gref = gntdev_find_grefs(priv_user, index, 1);
908 	if (gref) {
909 		if (gref->notify == NULL)
910 			gref->notify = malloc(sizeof(*arg), M_GNTDEV,
911 			    M_WAITOK | M_ZERO);
912 		return (copy_notify_helper(gref->notify, arg));
913 	}
914 
915 	error = EINVAL;
916 	mtx_lock(&priv_user->user_data_lock);
917 	RB_FOREACH(gmap, gmap_tree_head, &priv_user->gmap_tree) {
918 		if (arg->index >= gmap->file_index &&
919 		    arg->index < gmap->file_index + gmap->count * PAGE_SIZE) {
920 			if (gmap->notify == NULL)
921 				gmap->notify = malloc(sizeof(*arg), M_GNTDEV,
922 				    M_WAITOK | M_ZERO);
923 			error = copy_notify_helper(gmap->notify, arg);
924 			break;
925 		}
926 	}
927 	mtx_unlock(&priv_user->user_data_lock);
928 
929 	return (error);
930 }
931 
932 /*------------------ Gntdev Char Device Methods  -----------------------------*/
933 
934 static void
935 cleanup_function(void *arg, __unused int pending)
936 {
937 
938 	gref_list_dtor((struct cleanup_data_struct *) arg);
939 	gmap_list_dtor((struct cleanup_data_struct *) arg);
940 }
941 
942 static void
943 per_user_data_dtor(void *arg)
944 {
945 	struct gntdev_gref *gref, *gref_tmp;
946 	struct gntdev_gmap *gmap, *gmap_tmp;
947 	struct file_offset_struct *offset, *offset_tmp;
948 	struct per_user_data *priv_user;
949 
950 	priv_user = (struct per_user_data *) arg;
951 
952 	mtx_lock(&priv_user->user_data_lock);
953 
954 	mtx_lock(&cleanup_data.to_kill_grefs_mtx);
955 	RB_FOREACH_SAFE(gref, gref_tree_head, &priv_user->gref_tree, gref_tmp) {
956 		RB_REMOVE(gref_tree_head, &priv_user->gref_tree, gref);
957 		STAILQ_INSERT_TAIL(&cleanup_data.to_kill_grefs, gref,
958 		    gref_next.list);
959 	}
960 	mtx_unlock(&cleanup_data.to_kill_grefs_mtx);
961 
962 	mtx_lock(&cleanup_data.to_kill_gmaps_mtx);
963 	RB_FOREACH_SAFE(gmap, gmap_tree_head, &priv_user->gmap_tree, gmap_tmp) {
964 		RB_REMOVE(gmap_tree_head, &priv_user->gmap_tree, gmap);
965 		STAILQ_INSERT_TAIL(&cleanup_data.to_kill_gmaps, gmap,
966 		    gmap_next.list);
967 		if (gmap->map)
968 			vm_object_deallocate(gmap->map->mem);
969 	}
970 	mtx_unlock(&cleanup_data.to_kill_gmaps_mtx);
971 
972 	RB_FOREACH_SAFE(offset, file_offset_head, &priv_user->file_offset,
973 	    offset_tmp) {
974 		RB_REMOVE(file_offset_head, &priv_user->file_offset, offset);
975 		free(offset, M_GNTDEV);
976 	}
977 
978 	mtx_unlock(&priv_user->user_data_lock);
979 
980 	taskqueue_enqueue(taskqueue_thread, &cleanup_task);
981 
982 	mtx_destroy(&priv_user->user_data_lock);
983 	free(priv_user, M_GNTDEV);
984 }
985 
986 static int
987 gntdev_open(struct cdev *dev, int flag, int otyp, struct thread *td)
988 {
989 	int error;
990 	struct per_user_data *priv_user;
991 	struct file_offset_struct *offset;
992 
993 	priv_user = malloc(sizeof(*priv_user), M_GNTDEV, M_WAITOK | M_ZERO);
994 	RB_INIT(&priv_user->gref_tree);
995 	RB_INIT(&priv_user->gmap_tree);
996 	RB_INIT(&priv_user->file_offset);
997 	offset = malloc(sizeof(*offset), M_GNTDEV, M_WAITOK | M_ZERO);
998 	offset->file_offset = 0;
999 	offset->count = MAX_OFFSET_COUNT;
1000 	RB_INSERT(file_offset_head, &priv_user->file_offset, offset);
1001 	mtx_init(&priv_user->user_data_lock,
1002 	    "per user data mutex", NULL, MTX_DEF);
1003 
1004 	error = devfs_set_cdevpriv(priv_user, per_user_data_dtor);
1005 	if (error != 0)
1006 		per_user_data_dtor(priv_user);
1007 
1008 	return (error);
1009 }
1010 
1011 static int
1012 gntdev_ioctl(struct cdev *dev, u_long cmd, caddr_t data,
1013 	int fflag, struct thread *td)
1014 {
1015 	int error;
1016 
1017 	switch (cmd) {
1018 	case IOCTL_GNTDEV_SET_UNMAP_NOTIFY:
1019 		error = gntdev_set_unmap_notify(
1020 		    (struct ioctl_gntdev_unmap_notify*) data);
1021 		break;
1022 	case IOCTL_GNTDEV_ALLOC_GREF:
1023 		error = gntdev_alloc_gref(
1024 		    (struct ioctl_gntdev_alloc_gref*) data);
1025 		break;
1026 	case IOCTL_GNTDEV_DEALLOC_GREF:
1027 		error = gntdev_dealloc_gref(
1028 		    (struct ioctl_gntdev_dealloc_gref*) data);
1029 		break;
1030 	case IOCTL_GNTDEV_MAP_GRANT_REF:
1031 		error = gntdev_map_grant_ref(
1032 		    (struct ioctl_gntdev_map_grant_ref*) data);
1033 		break;
1034 	case IOCTL_GNTDEV_UNMAP_GRANT_REF:
1035 		error = gntdev_unmap_grant_ref(
1036 		    (struct ioctl_gntdev_unmap_grant_ref*) data);
1037 		break;
1038 	case IOCTL_GNTDEV_GET_OFFSET_FOR_VADDR:
1039 		error = gntdev_get_offset_for_vaddr(
1040 		    (struct ioctl_gntdev_get_offset_for_vaddr*) data, td);
1041 		break;
1042 	default:
1043 		error = ENOSYS;
1044 		break;
1045 	}
1046 
1047 	return (error);
1048 }
1049 
1050 /*
1051  * MMAP an allocated grant into user memory.
1052  * Please note, that the grants must not already be mmapped, otherwise
1053  * this function will fail.
1054  */
1055 static int
1056 mmap_gref(struct per_user_data *priv_user, struct gntdev_gref *gref_start,
1057     uint32_t count, vm_size_t size, struct vm_object **object)
1058 {
1059 	vm_object_t mem_obj;
1060 	struct gntdev_gref *gref;
1061 
1062 	mem_obj = vm_pager_allocate(OBJT_PHYS, NULL, size, VM_PROT_ALL, 0,
1063 	    curthread->td_ucred);
1064 	if (mem_obj == NULL)
1065 		return (ENOMEM);
1066 
1067 	mtx_lock(&priv_user->user_data_lock);
1068 	VM_OBJECT_WLOCK(mem_obj);
1069 	for (gref = gref_start; gref != NULL && count > 0; gref =
1070 	    RB_NEXT(gref_tree_head, &priv_user->gref_tree, gref)) {
1071 		if (gref->page->object)
1072 			break;
1073 
1074 		vm_page_insert(gref->page, mem_obj,
1075 		    OFF_TO_IDX(gref->file_index));
1076 
1077 		count--;
1078 	}
1079 	VM_OBJECT_WUNLOCK(mem_obj);
1080 	mtx_unlock(&priv_user->user_data_lock);
1081 
1082 	if (count) {
1083 		vm_object_deallocate(mem_obj);
1084 		return (EINVAL);
1085 	}
1086 
1087 	*object = mem_obj;
1088 
1089 	return (0);
1090 
1091 }
1092 
1093 /*
1094  * MMAP a mapped grant into user memory.
1095  */
1096 static int
1097 mmap_gmap(struct per_user_data *priv_user, struct gntdev_gmap *gmap_start,
1098     vm_ooffset_t *offset, vm_size_t size, struct vm_object **object, int nprot)
1099 {
1100 	uint32_t i;
1101 	int error;
1102 
1103 	/*
1104 	 * The grant map hypercall might already be done.
1105 	 * If that is the case, increase a reference to the
1106 	 * vm object and return the already allocated object.
1107 	 */
1108 	if (gmap_start->map) {
1109 		vm_object_reference(gmap_start->map->mem);
1110 		*object = gmap_start->map->mem;
1111 		return (0);
1112 	}
1113 
1114 	gmap_start->map = malloc(sizeof(*(gmap_start->map)), M_GNTDEV,
1115 	    M_WAITOK | M_ZERO);
1116 
1117 	/* Allocate the xen pseudo physical memory resource. */
1118 	gmap_start->map->pseudo_phys_res_id = 0;
1119 	gmap_start->map->pseudo_phys_res = xenmem_alloc(gntdev_dev,
1120 	    &gmap_start->map->pseudo_phys_res_id, size);
1121 	if (gmap_start->map->pseudo_phys_res == NULL) {
1122 		free(gmap_start->map, M_GNTDEV);
1123 		gmap_start->map = NULL;
1124 		return (ENOMEM);
1125 	}
1126 	gmap_start->map->phys_base_addr =
1127 	    rman_get_start(gmap_start->map->pseudo_phys_res);
1128 
1129 	/* Allocate the mgtdevice pager. */
1130 	gmap_start->map->mem = cdev_pager_allocate(gmap_start, OBJT_MGTDEVICE,
1131 	    &gntdev_gmap_pg_ops, size, nprot, *offset, NULL);
1132 	if (gmap_start->map->mem == NULL) {
1133 		xenmem_free(gntdev_dev, gmap_start->map->pseudo_phys_res_id,
1134 		    gmap_start->map->pseudo_phys_res);
1135 		free(gmap_start->map, M_GNTDEV);
1136 		gmap_start->map = NULL;
1137 		return (ENOMEM);
1138 	}
1139 
1140 	for (i = 0; i < gmap_start->count; i++) {
1141 		gmap_start->grant_map_ops[i].host_addr =
1142 		    gmap_start->map->phys_base_addr + i * PAGE_SIZE;
1143 
1144 		if ((nprot & PROT_WRITE) == 0)
1145 			gmap_start->grant_map_ops[i].flags |= GNTMAP_readonly;
1146 	}
1147 	/* Make the MAP hypercall. */
1148 	error = HYPERVISOR_grant_table_op(GNTTABOP_map_grant_ref,
1149 	    gmap_start->grant_map_ops, gmap_start->count);
1150 	if (error != 0) {
1151 		/*
1152 		 * Deallocate pager.
1153 		 * Pager deallocation will automatically take care of
1154 		 * xenmem deallocation, etc.
1155 		 */
1156 		vm_object_deallocate(gmap_start->map->mem);
1157 
1158 		return (EINVAL);
1159 	}
1160 
1161 	/* Retry EAGAIN maps. */
1162 	for (i = 0; i < gmap_start->count; i++) {
1163 		int delay = 1;
1164 		while (delay < 256 &&
1165 		    gmap_start->grant_map_ops[i].status == GNTST_eagain) {
1166 			HYPERVISOR_grant_table_op( GNTTABOP_map_grant_ref,
1167 			    &gmap_start->grant_map_ops[i], 1);
1168 			pause(("gntmap"), delay * SBT_1MS);
1169 			delay++;
1170 		}
1171 		if (gmap_start->grant_map_ops[i].status == GNTST_eagain)
1172 			gmap_start->grant_map_ops[i].status = GNTST_bad_page;
1173 
1174 		if (gmap_start->grant_map_ops[i].status != GNTST_okay) {
1175 			/*
1176 			 * Deallocate pager.
1177 			 * Pager deallocation will automatically take care of
1178 			 * xenmem deallocation, notification, unmap hypercall,
1179 			 * etc.
1180 			 */
1181 			vm_object_deallocate(gmap_start->map->mem);
1182 
1183 			return (EINVAL);
1184 		}
1185 	}
1186 
1187 	/*
1188 	 * Add a reference to the vm object. We do not want
1189 	 * the vm object to be deleted when all the mmaps are
1190 	 * unmapped, because it may be re-mmapped. Instead,
1191 	 * we want the object to be deleted, when along with
1192 	 * munmaps, we have also processed the unmap-ioctl.
1193 	 */
1194 	vm_object_reference(gmap_start->map->mem);
1195 
1196 	*object = gmap_start->map->mem;
1197 
1198 	return (0);
1199 }
1200 
1201 static int
1202 gntdev_mmap_single(struct cdev *cdev, vm_ooffset_t *offset, vm_size_t size,
1203     struct vm_object **object, int nprot)
1204 {
1205 	int error;
1206 	uint32_t count;
1207 	struct gntdev_gref *gref_start;
1208 	struct gntdev_gmap *gmap_start;
1209 	struct per_user_data *priv_user;
1210 
1211 	error = devfs_get_cdevpriv((void**) &priv_user);
1212 	if (error != 0)
1213 		return (EINVAL);
1214 
1215 	count = OFF_TO_IDX(size);
1216 
1217 	gref_start = gntdev_find_grefs(priv_user, *offset, count);
1218 	if (gref_start) {
1219 		error = mmap_gref(priv_user, gref_start, count, size, object);
1220 		return (error);
1221 	}
1222 
1223 	gmap_start = gntdev_find_gmap(priv_user, *offset, count);
1224 	if (gmap_start) {
1225 		error = mmap_gmap(priv_user, gmap_start, offset, size, object,
1226 		    nprot);
1227 		return (error);
1228 	}
1229 
1230 	return (EINVAL);
1231 }
1232 
1233 /*------------------ Private Device Attachment Functions  --------------------*/
1234 static void
1235 gntdev_identify(driver_t *driver, device_t parent)
1236 {
1237 
1238 	KASSERT((xen_domain()),
1239 	    ("Trying to attach gntdev device on non Xen domain"));
1240 
1241 	if (BUS_ADD_CHILD(parent, 0, "gntdev", 0) == NULL)
1242 		panic("unable to attach gntdev user-space device");
1243 }
1244 
1245 static int
1246 gntdev_probe(device_t dev)
1247 {
1248 
1249 	gntdev_dev = dev;
1250 	device_set_desc(dev, "Xen grant-table user-space device");
1251 	return (BUS_PROBE_NOWILDCARD);
1252 }
1253 
1254 static int
1255 gntdev_attach(device_t dev)
1256 {
1257 
1258 	make_dev_credf(MAKEDEV_ETERNAL, &gntdev_devsw, 0, NULL, UID_ROOT,
1259 	    GID_WHEEL, 0600, "xen/gntdev");
1260 	return (0);
1261 }
1262 
1263 /*-------------------- Private Device Attachment Data  -----------------------*/
1264 static device_method_t gntdev_methods[] = {
1265 	DEVMETHOD(device_identify, gntdev_identify),
1266 	DEVMETHOD(device_probe, gntdev_probe),
1267 	DEVMETHOD(device_attach, gntdev_attach),
1268 	DEVMETHOD_END
1269 };
1270 
1271 static driver_t gntdev_driver = {
1272 	"gntdev",
1273 	gntdev_methods,
1274 	0,
1275 };
1276 
1277 DRIVER_MODULE(gntdev, xenpv, gntdev_driver, 0, 0);
1278 MODULE_DEPEND(gntdev, xenpv, 1, 1, 1);
1279