xref: /freebsd/sys/dev/xen/netfront/netfront.c (revision 313376588638950ba1e93c403dd8c97bc52fd3a2)
1 /*-
2  * Copyright (c) 2004-2006 Kip Macy
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include "opt_inet.h"
31 #include "opt_inet6.h"
32 
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/sockio.h>
36 #include <sys/mbuf.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/kernel.h>
40 #include <sys/socket.h>
41 #include <sys/sysctl.h>
42 #include <sys/queue.h>
43 #include <sys/lock.h>
44 #include <sys/sx.h>
45 
46 #include <net/if.h>
47 #include <net/if_var.h>
48 #include <net/if_arp.h>
49 #include <net/ethernet.h>
50 #include <net/if_dl.h>
51 #include <net/if_media.h>
52 
53 #include <net/bpf.h>
54 
55 #include <net/if_types.h>
56 
57 #include <netinet/in_systm.h>
58 #include <netinet/in.h>
59 #include <netinet/ip.h>
60 #include <netinet/if_ether.h>
61 #if __FreeBSD_version >= 700000
62 #include <netinet/tcp.h>
63 #include <netinet/tcp_lro.h>
64 #endif
65 
66 #include <vm/vm.h>
67 #include <vm/pmap.h>
68 
69 #include <machine/clock.h>      /* for DELAY */
70 #include <machine/bus.h>
71 #include <machine/resource.h>
72 #include <machine/frame.h>
73 #include <machine/vmparam.h>
74 
75 #include <sys/bus.h>
76 #include <sys/rman.h>
77 
78 #include <machine/intr_machdep.h>
79 
80 #include <xen/xen-os.h>
81 #include <xen/hypervisor.h>
82 #include <xen/xen_intr.h>
83 #include <xen/gnttab.h>
84 #include <xen/interface/memory.h>
85 #include <xen/interface/io/netif.h>
86 #include <xen/xenbus/xenbusvar.h>
87 
88 #include <machine/xen/xenvar.h>
89 
90 #include <dev/xen/netfront/mbufq.h>
91 
92 #include "xenbus_if.h"
93 
94 /* Features supported by all backends.  TSO and LRO can be negotiated */
95 #define XN_CSUM_FEATURES	(CSUM_TCP | CSUM_UDP)
96 
97 #define NET_TX_RING_SIZE __RING_SIZE((netif_tx_sring_t *)0, PAGE_SIZE)
98 #define NET_RX_RING_SIZE __RING_SIZE((netif_rx_sring_t *)0, PAGE_SIZE)
99 
100 #if __FreeBSD_version >= 700000
101 /*
102  * Should the driver do LRO on the RX end
103  *  this can be toggled on the fly, but the
104  *  interface must be reset (down/up) for it
105  *  to take effect.
106  */
107 static int xn_enable_lro = 1;
108 TUNABLE_INT("hw.xn.enable_lro", &xn_enable_lro);
109 #else
110 
111 #define IFCAP_TSO4	0
112 #define CSUM_TSO	0
113 
114 #endif
115 
116 #ifdef CONFIG_XEN
117 static int MODPARM_rx_copy = 0;
118 module_param_named(rx_copy, MODPARM_rx_copy, bool, 0);
119 MODULE_PARM_DESC(rx_copy, "Copy packets from network card (rather than flip)");
120 static int MODPARM_rx_flip = 0;
121 module_param_named(rx_flip, MODPARM_rx_flip, bool, 0);
122 MODULE_PARM_DESC(rx_flip, "Flip packets from network card (rather than copy)");
123 #else
124 static const int MODPARM_rx_copy = 1;
125 static const int MODPARM_rx_flip = 0;
126 #endif
127 
128 /**
129  * \brief The maximum allowed data fragments in a single transmit
130  *        request.
131  *
132  * This limit is imposed by the backend driver.  We assume here that
133  * we are dealing with a Linux driver domain and have set our limit
134  * to mirror the Linux MAX_SKB_FRAGS constant.
135  */
136 #define	MAX_TX_REQ_FRAGS (65536 / PAGE_SIZE + 2)
137 
138 #define RX_COPY_THRESHOLD 256
139 
140 #define net_ratelimit() 0
141 
142 struct netfront_info;
143 struct netfront_rx_info;
144 
145 static void xn_txeof(struct netfront_info *);
146 static void xn_rxeof(struct netfront_info *);
147 static void network_alloc_rx_buffers(struct netfront_info *);
148 
149 static void xn_tick_locked(struct netfront_info *);
150 static void xn_tick(void *);
151 
152 static void xn_intr(void *);
153 static inline int xn_count_frags(struct mbuf *m);
154 static int  xn_assemble_tx_request(struct netfront_info *sc,
155 				   struct mbuf *m_head);
156 static void xn_start_locked(struct ifnet *);
157 static void xn_start(struct ifnet *);
158 static int  xn_ioctl(struct ifnet *, u_long, caddr_t);
159 static void xn_ifinit_locked(struct netfront_info *);
160 static void xn_ifinit(void *);
161 static void xn_stop(struct netfront_info *);
162 static void xn_query_features(struct netfront_info *np);
163 static int  xn_configure_features(struct netfront_info *np);
164 #ifdef notyet
165 static void xn_watchdog(struct ifnet *);
166 #endif
167 
168 #ifdef notyet
169 static void netfront_closing(device_t dev);
170 #endif
171 static void netif_free(struct netfront_info *info);
172 static int netfront_detach(device_t dev);
173 
174 static int talk_to_backend(device_t dev, struct netfront_info *info);
175 static int create_netdev(device_t dev);
176 static void netif_disconnect_backend(struct netfront_info *info);
177 static int setup_device(device_t dev, struct netfront_info *info);
178 static void free_ring(int *ref, void *ring_ptr_ref);
179 
180 static int  xn_ifmedia_upd(struct ifnet *ifp);
181 static void xn_ifmedia_sts(struct ifnet *ifp, struct ifmediareq *ifmr);
182 
183 /* Xenolinux helper functions */
184 int network_connect(struct netfront_info *);
185 
186 static void xn_free_rx_ring(struct netfront_info *);
187 
188 static void xn_free_tx_ring(struct netfront_info *);
189 
190 static int xennet_get_responses(struct netfront_info *np,
191 	struct netfront_rx_info *rinfo, RING_IDX rp, RING_IDX *cons,
192 	struct mbuf **list, int *pages_flipped_p);
193 
194 #define virt_to_mfn(x) (vtomach(x) >> PAGE_SHIFT)
195 
196 #define INVALID_P2M_ENTRY (~0UL)
197 
198 /*
199  * Mbuf pointers. We need these to keep track of the virtual addresses
200  * of our mbuf chains since we can only convert from virtual to physical,
201  * not the other way around.  The size must track the free index arrays.
202  */
203 struct xn_chain_data {
204 	struct mbuf    *xn_tx_chain[NET_TX_RING_SIZE+1];
205 	int		xn_tx_chain_cnt;
206 	struct mbuf    *xn_rx_chain[NET_RX_RING_SIZE+1];
207 };
208 
209 struct net_device_stats
210 {
211 	u_long	rx_packets;		/* total packets received	*/
212 	u_long	tx_packets;		/* total packets transmitted	*/
213 	u_long	rx_bytes;		/* total bytes received 	*/
214 	u_long	tx_bytes;		/* total bytes transmitted	*/
215 	u_long	rx_errors;		/* bad packets received		*/
216 	u_long	tx_errors;		/* packet transmit problems	*/
217 	u_long	rx_dropped;		/* no space in linux buffers	*/
218 	u_long	tx_dropped;		/* no space available in linux	*/
219 	u_long	multicast;		/* multicast packets received	*/
220 	u_long	collisions;
221 
222 	/* detailed rx_errors: */
223 	u_long	rx_length_errors;
224 	u_long	rx_over_errors;		/* receiver ring buff overflow	*/
225 	u_long	rx_crc_errors;		/* recved pkt with crc error	*/
226 	u_long	rx_frame_errors;	/* recv'd frame alignment error */
227 	u_long	rx_fifo_errors;		/* recv'r fifo overrun		*/
228 	u_long	rx_missed_errors;	/* receiver missed packet	*/
229 
230 	/* detailed tx_errors */
231 	u_long	tx_aborted_errors;
232 	u_long	tx_carrier_errors;
233 	u_long	tx_fifo_errors;
234 	u_long	tx_heartbeat_errors;
235 	u_long	tx_window_errors;
236 
237 	/* for cslip etc */
238 	u_long	rx_compressed;
239 	u_long	tx_compressed;
240 };
241 
242 struct netfront_info {
243 	struct ifnet *xn_ifp;
244 #if __FreeBSD_version >= 700000
245 	struct lro_ctrl xn_lro;
246 #endif
247 
248 	struct net_device_stats stats;
249 	u_int tx_full;
250 
251 	netif_tx_front_ring_t tx;
252 	netif_rx_front_ring_t rx;
253 
254 	struct mtx   tx_lock;
255 	struct mtx   rx_lock;
256 	struct mtx   sc_lock;
257 
258 	xen_intr_handle_t xen_intr_handle;
259 	u_int copying_receiver;
260 	u_int carrier;
261 	u_int maxfrags;
262 
263 	/* Receive-ring batched refills. */
264 #define RX_MIN_TARGET 32
265 #define RX_MAX_TARGET NET_RX_RING_SIZE
266 	int rx_min_target;
267 	int rx_max_target;
268 	int rx_target;
269 
270 	grant_ref_t gref_tx_head;
271 	grant_ref_t grant_tx_ref[NET_TX_RING_SIZE + 1];
272 	grant_ref_t gref_rx_head;
273 	grant_ref_t grant_rx_ref[NET_TX_RING_SIZE + 1];
274 
275 	device_t		xbdev;
276 	int			tx_ring_ref;
277 	int			rx_ring_ref;
278 	uint8_t			mac[ETHER_ADDR_LEN];
279 	struct xn_chain_data	xn_cdata;	/* mbufs */
280 	struct mbuf_head	xn_rx_batch;	/* head of the batch queue */
281 
282 	int			xn_if_flags;
283 	struct callout	        xn_stat_ch;
284 
285 	u_long			rx_pfn_array[NET_RX_RING_SIZE];
286 	multicall_entry_t	rx_mcl[NET_RX_RING_SIZE+1];
287 	mmu_update_t		rx_mmu[NET_RX_RING_SIZE];
288 	struct ifmedia		sc_media;
289 };
290 
291 #define rx_mbufs xn_cdata.xn_rx_chain
292 #define tx_mbufs xn_cdata.xn_tx_chain
293 
294 #define XN_LOCK_INIT(_sc, _name) \
295         mtx_init(&(_sc)->tx_lock, #_name"_tx", "network transmit lock", MTX_DEF); \
296         mtx_init(&(_sc)->rx_lock, #_name"_rx", "network receive lock", MTX_DEF);  \
297         mtx_init(&(_sc)->sc_lock, #_name"_sc", "netfront softc lock", MTX_DEF)
298 
299 #define XN_RX_LOCK(_sc)           mtx_lock(&(_sc)->rx_lock)
300 #define XN_RX_UNLOCK(_sc)         mtx_unlock(&(_sc)->rx_lock)
301 
302 #define XN_TX_LOCK(_sc)           mtx_lock(&(_sc)->tx_lock)
303 #define XN_TX_UNLOCK(_sc)         mtx_unlock(&(_sc)->tx_lock)
304 
305 #define XN_LOCK(_sc)           mtx_lock(&(_sc)->sc_lock);
306 #define XN_UNLOCK(_sc)         mtx_unlock(&(_sc)->sc_lock);
307 
308 #define XN_LOCK_ASSERT(_sc)    mtx_assert(&(_sc)->sc_lock, MA_OWNED);
309 #define XN_RX_LOCK_ASSERT(_sc)    mtx_assert(&(_sc)->rx_lock, MA_OWNED);
310 #define XN_TX_LOCK_ASSERT(_sc)    mtx_assert(&(_sc)->tx_lock, MA_OWNED);
311 #define XN_LOCK_DESTROY(_sc)   mtx_destroy(&(_sc)->rx_lock); \
312                                mtx_destroy(&(_sc)->tx_lock); \
313                                mtx_destroy(&(_sc)->sc_lock);
314 
315 struct netfront_rx_info {
316 	struct netif_rx_response rx;
317 	struct netif_extra_info extras[XEN_NETIF_EXTRA_TYPE_MAX - 1];
318 };
319 
320 #define netfront_carrier_on(netif)	((netif)->carrier = 1)
321 #define netfront_carrier_off(netif)	((netif)->carrier = 0)
322 #define netfront_carrier_ok(netif)	((netif)->carrier)
323 
324 /* Access macros for acquiring freeing slots in xn_free_{tx,rx}_idxs[]. */
325 
326 static inline void
327 add_id_to_freelist(struct mbuf **list, uintptr_t id)
328 {
329 	KASSERT(id != 0,
330 		("%s: the head item (0) must always be free.", __func__));
331 	list[id] = list[0];
332 	list[0]  = (struct mbuf *)id;
333 }
334 
335 static inline unsigned short
336 get_id_from_freelist(struct mbuf **list)
337 {
338 	uintptr_t id;
339 
340 	id = (uintptr_t)list[0];
341 	KASSERT(id != 0,
342 		("%s: the head item (0) must always remain free.", __func__));
343 	list[0] = list[id];
344 	return (id);
345 }
346 
347 static inline int
348 xennet_rxidx(RING_IDX idx)
349 {
350 	return idx & (NET_RX_RING_SIZE - 1);
351 }
352 
353 static inline struct mbuf *
354 xennet_get_rx_mbuf(struct netfront_info *np, RING_IDX ri)
355 {
356 	int i = xennet_rxidx(ri);
357 	struct mbuf *m;
358 
359 	m = np->rx_mbufs[i];
360 	np->rx_mbufs[i] = NULL;
361 	return (m);
362 }
363 
364 static inline grant_ref_t
365 xennet_get_rx_ref(struct netfront_info *np, RING_IDX ri)
366 {
367 	int i = xennet_rxidx(ri);
368 	grant_ref_t ref = np->grant_rx_ref[i];
369 	KASSERT(ref != GRANT_REF_INVALID, ("Invalid grant reference!\n"));
370 	np->grant_rx_ref[i] = GRANT_REF_INVALID;
371 	return ref;
372 }
373 
374 #define IPRINTK(fmt, args...) \
375     printf("[XEN] " fmt, ##args)
376 #ifdef INVARIANTS
377 #define WPRINTK(fmt, args...) \
378     printf("[XEN] " fmt, ##args)
379 #else
380 #define WPRINTK(fmt, args...)
381 #endif
382 #ifdef DEBUG
383 #define DPRINTK(fmt, args...) \
384     printf("[XEN] %s: " fmt, __func__, ##args)
385 #else
386 #define DPRINTK(fmt, args...)
387 #endif
388 
389 /**
390  * Read the 'mac' node at the given device's node in the store, and parse that
391  * as colon-separated octets, placing result the given mac array.  mac must be
392  * a preallocated array of length ETH_ALEN (as declared in linux/if_ether.h).
393  * Return 0 on success, or errno on error.
394  */
395 static int
396 xen_net_read_mac(device_t dev, uint8_t mac[])
397 {
398 	int error, i;
399 	char *s, *e, *macstr;
400 	const char *path;
401 
402 	path = xenbus_get_node(dev);
403 	error = xs_read(XST_NIL, path, "mac", NULL, (void **) &macstr);
404 	if (error == ENOENT) {
405 		/*
406 		 * Deal with missing mac XenStore nodes on devices with
407 		 * HVM emulation (the 'ioemu' configuration attribute)
408 		 * enabled.
409 		 *
410 		 * The HVM emulator may execute in a stub device model
411 		 * domain which lacks the permission, only given to Dom0,
412 		 * to update the guest's XenStore tree.  For this reason,
413 		 * the HVM emulator doesn't even attempt to write the
414 		 * front-side mac node, even when operating in Dom0.
415 		 * However, there should always be a mac listed in the
416 		 * backend tree.  Fallback to this version if our query
417 		 * of the front side XenStore location doesn't find
418 		 * anything.
419 		 */
420 		path = xenbus_get_otherend_path(dev);
421 		error = xs_read(XST_NIL, path, "mac", NULL, (void **) &macstr);
422 	}
423 	if (error != 0) {
424 		xenbus_dev_fatal(dev, error, "parsing %s/mac", path);
425 		return (error);
426 	}
427 
428 	s = macstr;
429 	for (i = 0; i < ETHER_ADDR_LEN; i++) {
430 		mac[i] = strtoul(s, &e, 16);
431 		if (s == e || (e[0] != ':' && e[0] != 0)) {
432 			free(macstr, M_XENBUS);
433 			return (ENOENT);
434 		}
435 		s = &e[1];
436 	}
437 	free(macstr, M_XENBUS);
438 	return (0);
439 }
440 
441 /**
442  * Entry point to this code when a new device is created.  Allocate the basic
443  * structures and the ring buffers for communication with the backend, and
444  * inform the backend of the appropriate details for those.  Switch to
445  * Connected state.
446  */
447 static int
448 netfront_probe(device_t dev)
449 {
450 
451 	if (!strcmp(xenbus_get_type(dev), "vif")) {
452 		device_set_desc(dev, "Virtual Network Interface");
453 		return (0);
454 	}
455 
456 	return (ENXIO);
457 }
458 
459 static int
460 netfront_attach(device_t dev)
461 {
462 	int err;
463 
464 	err = create_netdev(dev);
465 	if (err) {
466 		xenbus_dev_fatal(dev, err, "creating netdev");
467 		return (err);
468 	}
469 
470 #if __FreeBSD_version >= 700000
471 	SYSCTL_ADD_INT(device_get_sysctl_ctx(dev),
472 	    SYSCTL_CHILDREN(device_get_sysctl_tree(dev)),
473 	    OID_AUTO, "enable_lro", CTLFLAG_RW,
474 	    &xn_enable_lro, 0, "Large Receive Offload");
475 #endif
476 
477 	return (0);
478 }
479 
480 static int
481 netfront_suspend(device_t dev)
482 {
483 	struct netfront_info *info = device_get_softc(dev);
484 
485 	XN_RX_LOCK(info);
486 	XN_TX_LOCK(info);
487 	netfront_carrier_off(info);
488 	XN_TX_UNLOCK(info);
489 	XN_RX_UNLOCK(info);
490 	return (0);
491 }
492 
493 /**
494  * We are reconnecting to the backend, due to a suspend/resume, or a backend
495  * driver restart.  We tear down our netif structure and recreate it, but
496  * leave the device-layer structures intact so that this is transparent to the
497  * rest of the kernel.
498  */
499 static int
500 netfront_resume(device_t dev)
501 {
502 	struct netfront_info *info = device_get_softc(dev);
503 
504 	netif_disconnect_backend(info);
505 	return (0);
506 }
507 
508 /* Common code used when first setting up, and when resuming. */
509 static int
510 talk_to_backend(device_t dev, struct netfront_info *info)
511 {
512 	const char *message;
513 	struct xs_transaction xst;
514 	const char *node = xenbus_get_node(dev);
515 	int err;
516 
517 	err = xen_net_read_mac(dev, info->mac);
518 	if (err) {
519 		xenbus_dev_fatal(dev, err, "parsing %s/mac", node);
520 		goto out;
521 	}
522 
523 	/* Create shared ring, alloc event channel. */
524 	err = setup_device(dev, info);
525 	if (err)
526 		goto out;
527 
528  again:
529 	err = xs_transaction_start(&xst);
530 	if (err) {
531 		xenbus_dev_fatal(dev, err, "starting transaction");
532 		goto destroy_ring;
533 	}
534 	err = xs_printf(xst, node, "tx-ring-ref","%u",
535 			info->tx_ring_ref);
536 	if (err) {
537 		message = "writing tx ring-ref";
538 		goto abort_transaction;
539 	}
540 	err = xs_printf(xst, node, "rx-ring-ref","%u",
541 			info->rx_ring_ref);
542 	if (err) {
543 		message = "writing rx ring-ref";
544 		goto abort_transaction;
545 	}
546 	err = xs_printf(xst, node,
547 			"event-channel", "%u",
548 			xen_intr_port(info->xen_intr_handle));
549 	if (err) {
550 		message = "writing event-channel";
551 		goto abort_transaction;
552 	}
553 	err = xs_printf(xst, node, "request-rx-copy", "%u",
554 			info->copying_receiver);
555 	if (err) {
556 		message = "writing request-rx-copy";
557 		goto abort_transaction;
558 	}
559 	err = xs_printf(xst, node, "feature-rx-notify", "%d", 1);
560 	if (err) {
561 		message = "writing feature-rx-notify";
562 		goto abort_transaction;
563 	}
564 	err = xs_printf(xst, node, "feature-sg", "%d", 1);
565 	if (err) {
566 		message = "writing feature-sg";
567 		goto abort_transaction;
568 	}
569 #if __FreeBSD_version >= 700000
570 	err = xs_printf(xst, node, "feature-gso-tcpv4", "%d", 1);
571 	if (err) {
572 		message = "writing feature-gso-tcpv4";
573 		goto abort_transaction;
574 	}
575 #endif
576 
577 	err = xs_transaction_end(xst, 0);
578 	if (err) {
579 		if (err == EAGAIN)
580 			goto again;
581 		xenbus_dev_fatal(dev, err, "completing transaction");
582 		goto destroy_ring;
583 	}
584 
585 	return 0;
586 
587  abort_transaction:
588 	xs_transaction_end(xst, 1);
589 	xenbus_dev_fatal(dev, err, "%s", message);
590  destroy_ring:
591 	netif_free(info);
592  out:
593 	return err;
594 }
595 
596 static int
597 setup_device(device_t dev, struct netfront_info *info)
598 {
599 	netif_tx_sring_t *txs;
600 	netif_rx_sring_t *rxs;
601 	int error;
602 	struct ifnet *ifp;
603 
604 	ifp = info->xn_ifp;
605 
606 	info->tx_ring_ref = GRANT_REF_INVALID;
607 	info->rx_ring_ref = GRANT_REF_INVALID;
608 	info->rx.sring = NULL;
609 	info->tx.sring = NULL;
610 
611 	txs = (netif_tx_sring_t *)malloc(PAGE_SIZE, M_DEVBUF, M_NOWAIT|M_ZERO);
612 	if (!txs) {
613 		error = ENOMEM;
614 		xenbus_dev_fatal(dev, error, "allocating tx ring page");
615 		goto fail;
616 	}
617 	SHARED_RING_INIT(txs);
618 	FRONT_RING_INIT(&info->tx, txs, PAGE_SIZE);
619 	error = xenbus_grant_ring(dev, virt_to_mfn(txs), &info->tx_ring_ref);
620 	if (error)
621 		goto fail;
622 
623 	rxs = (netif_rx_sring_t *)malloc(PAGE_SIZE, M_DEVBUF, M_NOWAIT|M_ZERO);
624 	if (!rxs) {
625 		error = ENOMEM;
626 		xenbus_dev_fatal(dev, error, "allocating rx ring page");
627 		goto fail;
628 	}
629 	SHARED_RING_INIT(rxs);
630 	FRONT_RING_INIT(&info->rx, rxs, PAGE_SIZE);
631 
632 	error = xenbus_grant_ring(dev, virt_to_mfn(rxs), &info->rx_ring_ref);
633 	if (error)
634 		goto fail;
635 
636 	error = xen_intr_alloc_and_bind_local_port(dev,
637 	    xenbus_get_otherend_id(dev), /*filter*/NULL, xn_intr, info,
638 	    INTR_TYPE_NET | INTR_MPSAFE | INTR_ENTROPY, &info->xen_intr_handle);
639 
640 	if (error) {
641 		xenbus_dev_fatal(dev, error,
642 				 "xen_intr_alloc_and_bind_local_port failed");
643 		goto fail;
644 	}
645 
646 	return (0);
647 
648  fail:
649 	netif_free(info);
650 	return (error);
651 }
652 
653 #ifdef INET
654 /**
655  * If this interface has an ipv4 address, send an arp for it. This
656  * helps to get the network going again after migrating hosts.
657  */
658 static void
659 netfront_send_fake_arp(device_t dev, struct netfront_info *info)
660 {
661 	struct ifnet *ifp;
662 	struct ifaddr *ifa;
663 
664 	ifp = info->xn_ifp;
665 	TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
666 		if (ifa->ifa_addr->sa_family == AF_INET) {
667 			arp_ifinit(ifp, ifa);
668 		}
669 	}
670 }
671 #endif
672 
673 /**
674  * Callback received when the backend's state changes.
675  */
676 static void
677 netfront_backend_changed(device_t dev, XenbusState newstate)
678 {
679 	struct netfront_info *sc = device_get_softc(dev);
680 
681 	DPRINTK("newstate=%d\n", newstate);
682 
683 	switch (newstate) {
684 	case XenbusStateInitialising:
685 	case XenbusStateInitialised:
686 	case XenbusStateConnected:
687 	case XenbusStateUnknown:
688 	case XenbusStateClosed:
689 	case XenbusStateReconfigured:
690 	case XenbusStateReconfiguring:
691 		break;
692 	case XenbusStateInitWait:
693 		if (xenbus_get_state(dev) != XenbusStateInitialising)
694 			break;
695 		if (network_connect(sc) != 0)
696 			break;
697 		xenbus_set_state(dev, XenbusStateConnected);
698 #ifdef INET
699 		netfront_send_fake_arp(dev, sc);
700 #endif
701 		break;
702 	case XenbusStateClosing:
703 		xenbus_set_state(dev, XenbusStateClosed);
704 		break;
705 	}
706 }
707 
708 static void
709 xn_free_rx_ring(struct netfront_info *sc)
710 {
711 #if 0
712 	int i;
713 
714 	for (i = 0; i < NET_RX_RING_SIZE; i++) {
715 		if (sc->xn_cdata.rx_mbufs[i] != NULL) {
716 			m_freem(sc->rx_mbufs[i]);
717 			sc->rx_mbufs[i] = NULL;
718 		}
719 	}
720 
721 	sc->rx.rsp_cons = 0;
722 	sc->xn_rx_if->req_prod = 0;
723 	sc->xn_rx_if->event = sc->rx.rsp_cons ;
724 #endif
725 }
726 
727 static void
728 xn_free_tx_ring(struct netfront_info *sc)
729 {
730 #if 0
731 	int i;
732 
733 	for (i = 0; i < NET_TX_RING_SIZE; i++) {
734 		if (sc->tx_mbufs[i] != NULL) {
735 			m_freem(sc->tx_mbufs[i]);
736 			sc->xn_cdata.xn_tx_chain[i] = NULL;
737 		}
738 	}
739 
740 	return;
741 #endif
742 }
743 
744 /**
745  * \brief Verify that there is sufficient space in the Tx ring
746  *        buffer for a maximally sized request to be enqueued.
747  *
748  * A transmit request requires a transmit descriptor for each packet
749  * fragment, plus up to 2 entries for "options" (e.g. TSO).
750  */
751 static inline int
752 xn_tx_slot_available(struct netfront_info *np)
753 {
754 	return (RING_FREE_REQUESTS(&np->tx) > (MAX_TX_REQ_FRAGS + 2));
755 }
756 
757 static void
758 netif_release_tx_bufs(struct netfront_info *np)
759 {
760 	int i;
761 
762 	for (i = 1; i <= NET_TX_RING_SIZE; i++) {
763 		struct mbuf *m;
764 
765 		m = np->tx_mbufs[i];
766 
767 		/*
768 		 * We assume that no kernel addresses are
769 		 * less than NET_TX_RING_SIZE.  Any entry
770 		 * in the table that is below this number
771 		 * must be an index from free-list tracking.
772 		 */
773 		if (((uintptr_t)m) <= NET_TX_RING_SIZE)
774 			continue;
775 		gnttab_end_foreign_access_ref(np->grant_tx_ref[i]);
776 		gnttab_release_grant_reference(&np->gref_tx_head,
777 		    np->grant_tx_ref[i]);
778 		np->grant_tx_ref[i] = GRANT_REF_INVALID;
779 		add_id_to_freelist(np->tx_mbufs, i);
780 		np->xn_cdata.xn_tx_chain_cnt--;
781 		if (np->xn_cdata.xn_tx_chain_cnt < 0) {
782 			panic("%s: tx_chain_cnt must be >= 0", __func__);
783 		}
784 		m_free(m);
785 	}
786 }
787 
788 static void
789 network_alloc_rx_buffers(struct netfront_info *sc)
790 {
791 	int otherend_id = xenbus_get_otherend_id(sc->xbdev);
792 	unsigned short id;
793 	struct mbuf *m_new;
794 	int i, batch_target, notify;
795 	RING_IDX req_prod;
796 	struct xen_memory_reservation reservation;
797 	grant_ref_t ref;
798 	int nr_flips;
799 	netif_rx_request_t *req;
800 	vm_offset_t vaddr;
801 	u_long pfn;
802 
803 	req_prod = sc->rx.req_prod_pvt;
804 
805 	if (__predict_false(sc->carrier == 0))
806 		return;
807 
808 	/*
809 	 * Allocate mbufs greedily, even though we batch updates to the
810 	 * receive ring. This creates a less bursty demand on the memory
811 	 * allocator, and so should reduce the chance of failed allocation
812 	 * requests both for ourself and for other kernel subsystems.
813 	 *
814 	 * Here we attempt to maintain rx_target buffers in flight, counting
815 	 * buffers that we have yet to process in the receive ring.
816 	 */
817 	batch_target = sc->rx_target - (req_prod - sc->rx.rsp_cons);
818 	for (i = mbufq_len(&sc->xn_rx_batch); i < batch_target; i++) {
819 		MGETHDR(m_new, M_NOWAIT, MT_DATA);
820 		if (m_new == NULL) {
821 			printf("%s: MGETHDR failed\n", __func__);
822 			goto no_mbuf;
823 		}
824 
825 		m_cljget(m_new, M_NOWAIT, MJUMPAGESIZE);
826 		if ((m_new->m_flags & M_EXT) == 0) {
827 			printf("%s: m_cljget failed\n", __func__);
828 			m_freem(m_new);
829 
830 no_mbuf:
831 			if (i != 0)
832 				goto refill;
833 			/*
834 			 * XXX set timer
835 			 */
836 			break;
837 		}
838 		m_new->m_len = m_new->m_pkthdr.len = MJUMPAGESIZE;
839 
840 		/* queue the mbufs allocated */
841 		mbufq_tail(&sc->xn_rx_batch, m_new);
842 	}
843 
844 	/*
845 	 * If we've allocated at least half of our target number of entries,
846 	 * submit them to the backend - we have enough to make the overhead
847 	 * of submission worthwhile.  Otherwise wait for more mbufs and
848 	 * request entries to become available.
849 	 */
850 	if (i < (sc->rx_target/2)) {
851 		if (req_prod >sc->rx.sring->req_prod)
852 			goto push;
853 		return;
854 	}
855 
856 	/*
857 	 * Double floating fill target if we risked having the backend
858 	 * run out of empty buffers for receive traffic.  We define "running
859 	 * low" as having less than a fourth of our target buffers free
860 	 * at the time we refilled the queue.
861 	 */
862 	if ((req_prod - sc->rx.sring->rsp_prod) < (sc->rx_target / 4)) {
863 		sc->rx_target *= 2;
864 		if (sc->rx_target > sc->rx_max_target)
865 			sc->rx_target = sc->rx_max_target;
866 	}
867 
868 refill:
869 	for (nr_flips = i = 0; ; i++) {
870 		if ((m_new = mbufq_dequeue(&sc->xn_rx_batch)) == NULL)
871 			break;
872 
873 		m_new->m_ext.ext_arg1 = (vm_paddr_t *)(uintptr_t)(
874 				vtophys(m_new->m_ext.ext_buf) >> PAGE_SHIFT);
875 
876 		id = xennet_rxidx(req_prod + i);
877 
878 		KASSERT(sc->rx_mbufs[id] == NULL, ("non-NULL xm_rx_chain"));
879 		sc->rx_mbufs[id] = m_new;
880 
881 		ref = gnttab_claim_grant_reference(&sc->gref_rx_head);
882 		KASSERT(ref != GNTTAB_LIST_END,
883 			("reserved grant references exhuasted"));
884 		sc->grant_rx_ref[id] = ref;
885 
886 		vaddr = mtod(m_new, vm_offset_t);
887 		pfn = vtophys(vaddr) >> PAGE_SHIFT;
888 		req = RING_GET_REQUEST(&sc->rx, req_prod + i);
889 
890 		if (sc->copying_receiver == 0) {
891 			gnttab_grant_foreign_transfer_ref(ref,
892 			    otherend_id, pfn);
893 			sc->rx_pfn_array[nr_flips] = PFNTOMFN(pfn);
894 			if (!xen_feature(XENFEAT_auto_translated_physmap)) {
895 				/* Remove this page before passing
896 				 * back to Xen.
897 				 */
898 				set_phys_to_machine(pfn, INVALID_P2M_ENTRY);
899 				MULTI_update_va_mapping(&sc->rx_mcl[i],
900 				    vaddr, 0, 0);
901 			}
902 			nr_flips++;
903 		} else {
904 			gnttab_grant_foreign_access_ref(ref,
905 			    otherend_id,
906 			    PFNTOMFN(pfn), 0);
907 		}
908 		req->id = id;
909 		req->gref = ref;
910 
911 		sc->rx_pfn_array[i] =
912 		    vtomach(mtod(m_new,vm_offset_t)) >> PAGE_SHIFT;
913 	}
914 
915 	KASSERT(i, ("no mbufs processed")); /* should have returned earlier */
916 	KASSERT(mbufq_len(&sc->xn_rx_batch) == 0, ("not all mbufs processed"));
917 	/*
918 	 * We may have allocated buffers which have entries outstanding
919 	 * in the page * update queue -- make sure we flush those first!
920 	 */
921 	PT_UPDATES_FLUSH();
922 	if (nr_flips != 0) {
923 #ifdef notyet
924 		/* Tell the ballon driver what is going on. */
925 		balloon_update_driver_allowance(i);
926 #endif
927 		set_xen_guest_handle(reservation.extent_start, sc->rx_pfn_array);
928 		reservation.nr_extents   = i;
929 		reservation.extent_order = 0;
930 		reservation.address_bits = 0;
931 		reservation.domid        = DOMID_SELF;
932 
933 		if (!xen_feature(XENFEAT_auto_translated_physmap)) {
934 			/* After all PTEs have been zapped, flush the TLB. */
935 			sc->rx_mcl[i-1].args[MULTI_UVMFLAGS_INDEX] =
936 			    UVMF_TLB_FLUSH|UVMF_ALL;
937 
938 			/* Give away a batch of pages. */
939 			sc->rx_mcl[i].op = __HYPERVISOR_memory_op;
940 			sc->rx_mcl[i].args[0] = XENMEM_decrease_reservation;
941 			sc->rx_mcl[i].args[1] =  (u_long)&reservation;
942 			/* Zap PTEs and give away pages in one big multicall. */
943 			(void)HYPERVISOR_multicall(sc->rx_mcl, i+1);
944 
945 			if (__predict_false(sc->rx_mcl[i].result != i ||
946 			    HYPERVISOR_memory_op(XENMEM_decrease_reservation,
947 			    &reservation) != i))
948 				panic("%s: unable to reduce memory "
949 				    "reservation\n", __func__);
950 		}
951 	} else {
952 		wmb();
953 	}
954 
955 	/* Above is a suitable barrier to ensure backend will see requests. */
956 	sc->rx.req_prod_pvt = req_prod + i;
957 push:
958 	RING_PUSH_REQUESTS_AND_CHECK_NOTIFY(&sc->rx, notify);
959 	if (notify)
960 		xen_intr_signal(sc->xen_intr_handle);
961 }
962 
963 static void
964 xn_rxeof(struct netfront_info *np)
965 {
966 	struct ifnet *ifp;
967 #if __FreeBSD_version >= 700000 && (defined(INET) || defined(INET6))
968 	struct lro_ctrl *lro = &np->xn_lro;
969 	struct lro_entry *queued;
970 #endif
971 	struct netfront_rx_info rinfo;
972 	struct netif_rx_response *rx = &rinfo.rx;
973 	struct netif_extra_info *extras = rinfo.extras;
974 	RING_IDX i, rp;
975 	multicall_entry_t *mcl;
976 	struct mbuf *m;
977 	struct mbuf_head rxq, errq;
978 	int err, pages_flipped = 0, work_to_do;
979 
980 	do {
981 		XN_RX_LOCK_ASSERT(np);
982 		if (!netfront_carrier_ok(np))
983 			return;
984 
985 		mbufq_init(&errq);
986 		mbufq_init(&rxq);
987 
988 		ifp = np->xn_ifp;
989 
990 		rp = np->rx.sring->rsp_prod;
991 		rmb();	/* Ensure we see queued responses up to 'rp'. */
992 
993 		i = np->rx.rsp_cons;
994 		while ((i != rp)) {
995 			memcpy(rx, RING_GET_RESPONSE(&np->rx, i), sizeof(*rx));
996 			memset(extras, 0, sizeof(rinfo.extras));
997 
998 			m = NULL;
999 			err = xennet_get_responses(np, &rinfo, rp, &i, &m,
1000 			    &pages_flipped);
1001 
1002 			if (__predict_false(err)) {
1003 				if (m)
1004 					mbufq_tail(&errq, m);
1005 				np->stats.rx_errors++;
1006 				continue;
1007 			}
1008 
1009 			m->m_pkthdr.rcvif = ifp;
1010 			if ( rx->flags & NETRXF_data_validated ) {
1011 				/* Tell the stack the checksums are okay */
1012 				/*
1013 				 * XXX this isn't necessarily the case - need to add
1014 				 * check
1015 				 */
1016 
1017 				m->m_pkthdr.csum_flags |=
1018 					(CSUM_IP_CHECKED | CSUM_IP_VALID | CSUM_DATA_VALID
1019 					    | CSUM_PSEUDO_HDR);
1020 				m->m_pkthdr.csum_data = 0xffff;
1021 			}
1022 
1023 			np->stats.rx_packets++;
1024 			np->stats.rx_bytes += m->m_pkthdr.len;
1025 
1026 			mbufq_tail(&rxq, m);
1027 			np->rx.rsp_cons = i;
1028 		}
1029 
1030 		if (pages_flipped) {
1031 			/* Some pages are no longer absent... */
1032 #ifdef notyet
1033 			balloon_update_driver_allowance(-pages_flipped);
1034 #endif
1035 			/* Do all the remapping work, and M->P updates, in one big
1036 			 * hypercall.
1037 			 */
1038 			if (!!xen_feature(XENFEAT_auto_translated_physmap)) {
1039 				mcl = np->rx_mcl + pages_flipped;
1040 				mcl->op = __HYPERVISOR_mmu_update;
1041 				mcl->args[0] = (u_long)np->rx_mmu;
1042 				mcl->args[1] = pages_flipped;
1043 				mcl->args[2] = 0;
1044 				mcl->args[3] = DOMID_SELF;
1045 				(void)HYPERVISOR_multicall(np->rx_mcl,
1046 				    pages_flipped + 1);
1047 			}
1048 		}
1049 
1050 		while ((m = mbufq_dequeue(&errq)))
1051 			m_freem(m);
1052 
1053 		/*
1054 		 * Process all the mbufs after the remapping is complete.
1055 		 * Break the mbuf chain first though.
1056 		 */
1057 		while ((m = mbufq_dequeue(&rxq)) != NULL) {
1058 			if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
1059 
1060 			/*
1061 			 * Do we really need to drop the rx lock?
1062 			 */
1063 			XN_RX_UNLOCK(np);
1064 #if __FreeBSD_version >= 700000 && (defined(INET) || defined(INET6))
1065 			/* Use LRO if possible */
1066 			if ((ifp->if_capenable & IFCAP_LRO) == 0 ||
1067 			    lro->lro_cnt == 0 || tcp_lro_rx(lro, m, 0)) {
1068 				/*
1069 				 * If LRO fails, pass up to the stack
1070 				 * directly.
1071 				 */
1072 				(*ifp->if_input)(ifp, m);
1073 			}
1074 #else
1075 			(*ifp->if_input)(ifp, m);
1076 #endif
1077 			XN_RX_LOCK(np);
1078 		}
1079 
1080 		np->rx.rsp_cons = i;
1081 
1082 #if __FreeBSD_version >= 700000 && (defined(INET) || defined(INET6))
1083 		/*
1084 		 * Flush any outstanding LRO work
1085 		 */
1086 		while (!SLIST_EMPTY(&lro->lro_active)) {
1087 			queued = SLIST_FIRST(&lro->lro_active);
1088 			SLIST_REMOVE_HEAD(&lro->lro_active, next);
1089 			tcp_lro_flush(lro, queued);
1090 		}
1091 #endif
1092 
1093 #if 0
1094 		/* If we get a callback with very few responses, reduce fill target. */
1095 		/* NB. Note exponential increase, linear decrease. */
1096 		if (((np->rx.req_prod_pvt - np->rx.sring->rsp_prod) >
1097 			((3*np->rx_target) / 4)) && (--np->rx_target < np->rx_min_target))
1098 			np->rx_target = np->rx_min_target;
1099 #endif
1100 
1101 		network_alloc_rx_buffers(np);
1102 
1103 		RING_FINAL_CHECK_FOR_RESPONSES(&np->rx, work_to_do);
1104 	} while (work_to_do);
1105 }
1106 
1107 static void
1108 xn_txeof(struct netfront_info *np)
1109 {
1110 	RING_IDX i, prod;
1111 	unsigned short id;
1112 	struct ifnet *ifp;
1113 	netif_tx_response_t *txr;
1114 	struct mbuf *m;
1115 
1116 	XN_TX_LOCK_ASSERT(np);
1117 
1118 	if (!netfront_carrier_ok(np))
1119 		return;
1120 
1121 	ifp = np->xn_ifp;
1122 
1123 	do {
1124 		prod = np->tx.sring->rsp_prod;
1125 		rmb(); /* Ensure we see responses up to 'rp'. */
1126 
1127 		for (i = np->tx.rsp_cons; i != prod; i++) {
1128 			txr = RING_GET_RESPONSE(&np->tx, i);
1129 			if (txr->status == NETIF_RSP_NULL)
1130 				continue;
1131 
1132 			if (txr->status != NETIF_RSP_OKAY) {
1133 				printf("%s: WARNING: response is %d!\n",
1134 				       __func__, txr->status);
1135 			}
1136 			id = txr->id;
1137 			m = np->tx_mbufs[id];
1138 			KASSERT(m != NULL, ("mbuf not found in xn_tx_chain"));
1139 			KASSERT((uintptr_t)m > NET_TX_RING_SIZE,
1140 				("mbuf already on the free list, but we're "
1141 				"trying to free it again!"));
1142 			M_ASSERTVALID(m);
1143 
1144 			/*
1145 			 * Increment packet count if this is the last
1146 			 * mbuf of the chain.
1147 			 */
1148 			if (!m->m_next)
1149 				if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
1150 			if (__predict_false(gnttab_query_foreign_access(
1151 			    np->grant_tx_ref[id]) != 0)) {
1152 				panic("%s: grant id %u still in use by the "
1153 				    "backend", __func__, id);
1154 			}
1155 			gnttab_end_foreign_access_ref(
1156 				np->grant_tx_ref[id]);
1157 			gnttab_release_grant_reference(
1158 				&np->gref_tx_head, np->grant_tx_ref[id]);
1159 			np->grant_tx_ref[id] = GRANT_REF_INVALID;
1160 
1161 			np->tx_mbufs[id] = NULL;
1162 			add_id_to_freelist(np->tx_mbufs, id);
1163 			np->xn_cdata.xn_tx_chain_cnt--;
1164 			m_free(m);
1165 			/* Only mark the queue active if we've freed up at least one slot to try */
1166 			ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
1167 		}
1168 		np->tx.rsp_cons = prod;
1169 
1170 		/*
1171 		 * Set a new event, then check for race with update of
1172 		 * tx_cons. Note that it is essential to schedule a
1173 		 * callback, no matter how few buffers are pending. Even if
1174 		 * there is space in the transmit ring, higher layers may
1175 		 * be blocked because too much data is outstanding: in such
1176 		 * cases notification from Xen is likely to be the only kick
1177 		 * that we'll get.
1178 		 */
1179 		np->tx.sring->rsp_event =
1180 		    prod + ((np->tx.sring->req_prod - prod) >> 1) + 1;
1181 
1182 		mb();
1183 	} while (prod != np->tx.sring->rsp_prod);
1184 
1185 	if (np->tx_full &&
1186 	    ((np->tx.sring->req_prod - prod) < NET_TX_RING_SIZE)) {
1187 		np->tx_full = 0;
1188 #if 0
1189 		if (np->user_state == UST_OPEN)
1190 			netif_wake_queue(dev);
1191 #endif
1192 	}
1193 }
1194 
1195 static void
1196 xn_intr(void *xsc)
1197 {
1198 	struct netfront_info *np = xsc;
1199 	struct ifnet *ifp = np->xn_ifp;
1200 
1201 #if 0
1202 	if (!(np->rx.rsp_cons != np->rx.sring->rsp_prod &&
1203 	    likely(netfront_carrier_ok(np)) &&
1204 	    ifp->if_drv_flags & IFF_DRV_RUNNING))
1205 		return;
1206 #endif
1207 	if (RING_HAS_UNCONSUMED_RESPONSES(&np->tx)) {
1208 		XN_TX_LOCK(np);
1209 		xn_txeof(np);
1210 		XN_TX_UNLOCK(np);
1211 	}
1212 
1213 	XN_RX_LOCK(np);
1214 	xn_rxeof(np);
1215 	XN_RX_UNLOCK(np);
1216 
1217 	if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
1218 	    !IFQ_DRV_IS_EMPTY(&ifp->if_snd))
1219 		xn_start(ifp);
1220 }
1221 
1222 static void
1223 xennet_move_rx_slot(struct netfront_info *np, struct mbuf *m,
1224 	grant_ref_t ref)
1225 {
1226 	int new = xennet_rxidx(np->rx.req_prod_pvt);
1227 
1228 	KASSERT(np->rx_mbufs[new] == NULL, ("rx_mbufs != NULL"));
1229 	np->rx_mbufs[new] = m;
1230 	np->grant_rx_ref[new] = ref;
1231 	RING_GET_REQUEST(&np->rx, np->rx.req_prod_pvt)->id = new;
1232 	RING_GET_REQUEST(&np->rx, np->rx.req_prod_pvt)->gref = ref;
1233 	np->rx.req_prod_pvt++;
1234 }
1235 
1236 static int
1237 xennet_get_extras(struct netfront_info *np,
1238     struct netif_extra_info *extras, RING_IDX rp, RING_IDX *cons)
1239 {
1240 	struct netif_extra_info *extra;
1241 
1242 	int err = 0;
1243 
1244 	do {
1245 		struct mbuf *m;
1246 		grant_ref_t ref;
1247 
1248 		if (__predict_false(*cons + 1 == rp)) {
1249 #if 0
1250 			if (net_ratelimit())
1251 				WPRINTK("Missing extra info\n");
1252 #endif
1253 			err = EINVAL;
1254 			break;
1255 		}
1256 
1257 		extra = (struct netif_extra_info *)
1258 		RING_GET_RESPONSE(&np->rx, ++(*cons));
1259 
1260 		if (__predict_false(!extra->type ||
1261 			extra->type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
1262 #if 0
1263 			if (net_ratelimit())
1264 				WPRINTK("Invalid extra type: %d\n",
1265 					extra->type);
1266 #endif
1267 			err = EINVAL;
1268 		} else {
1269 			memcpy(&extras[extra->type - 1], extra, sizeof(*extra));
1270 		}
1271 
1272 		m = xennet_get_rx_mbuf(np, *cons);
1273 		ref = xennet_get_rx_ref(np, *cons);
1274 		xennet_move_rx_slot(np, m, ref);
1275 	} while (extra->flags & XEN_NETIF_EXTRA_FLAG_MORE);
1276 
1277 	return err;
1278 }
1279 
1280 static int
1281 xennet_get_responses(struct netfront_info *np,
1282 	struct netfront_rx_info *rinfo, RING_IDX rp, RING_IDX *cons,
1283 	struct mbuf  **list,
1284 	int *pages_flipped_p)
1285 {
1286 	int pages_flipped = *pages_flipped_p;
1287 	struct mmu_update *mmu;
1288 	struct multicall_entry *mcl;
1289 	struct netif_rx_response *rx = &rinfo->rx;
1290 	struct netif_extra_info *extras = rinfo->extras;
1291 	struct mbuf *m, *m0, *m_prev;
1292 	grant_ref_t ref = xennet_get_rx_ref(np, *cons);
1293 	RING_IDX ref_cons = *cons;
1294 	int frags = 1;
1295 	int err = 0;
1296 	u_long ret;
1297 
1298 	m0 = m = m_prev = xennet_get_rx_mbuf(np, *cons);
1299 
1300 	if (rx->flags & NETRXF_extra_info) {
1301 		err = xennet_get_extras(np, extras, rp, cons);
1302 	}
1303 
1304 	if (m0 != NULL) {
1305 		m0->m_pkthdr.len = 0;
1306 		m0->m_next = NULL;
1307 	}
1308 
1309 	for (;;) {
1310 		u_long mfn;
1311 
1312 #if 0
1313 		DPRINTK("rx->status=%hd rx->offset=%hu frags=%u\n",
1314 			rx->status, rx->offset, frags);
1315 #endif
1316 		if (__predict_false(rx->status < 0 ||
1317 			rx->offset + rx->status > PAGE_SIZE)) {
1318 
1319 #if 0
1320 			if (net_ratelimit())
1321 				WPRINTK("rx->offset: %x, size: %u\n",
1322 					rx->offset, rx->status);
1323 #endif
1324 			xennet_move_rx_slot(np, m, ref);
1325 			if (m0 == m)
1326 				m0 = NULL;
1327 			m = NULL;
1328 			err = EINVAL;
1329 			goto next_skip_queue;
1330 		}
1331 
1332 		/*
1333 		 * This definitely indicates a bug, either in this driver or in
1334 		 * the backend driver. In future this should flag the bad
1335 		 * situation to the system controller to reboot the backed.
1336 		 */
1337 		if (ref == GRANT_REF_INVALID) {
1338 
1339 #if 0
1340 			if (net_ratelimit())
1341 				WPRINTK("Bad rx response id %d.\n", rx->id);
1342 #endif
1343 			printf("%s: Bad rx response id %d.\n", __func__,rx->id);
1344 			err = EINVAL;
1345 			goto next;
1346 		}
1347 
1348 		if (!np->copying_receiver) {
1349 			/* Memory pressure, insufficient buffer
1350 			 * headroom, ...
1351 			 */
1352 			if (!(mfn = gnttab_end_foreign_transfer_ref(ref))) {
1353 				WPRINTK("Unfulfilled rx req (id=%d, st=%d).\n",
1354 					rx->id, rx->status);
1355 				xennet_move_rx_slot(np, m, ref);
1356 				err = ENOMEM;
1357 				goto next;
1358 			}
1359 
1360 			if (!xen_feature( XENFEAT_auto_translated_physmap)) {
1361 				/* Remap the page. */
1362 				void *vaddr = mtod(m, void *);
1363 				uint32_t pfn;
1364 
1365 				mcl = np->rx_mcl + pages_flipped;
1366 				mmu = np->rx_mmu + pages_flipped;
1367 
1368 				MULTI_update_va_mapping(mcl, (u_long)vaddr,
1369 				    (((vm_paddr_t)mfn) << PAGE_SHIFT) | PG_RW |
1370 				    PG_V | PG_M | PG_A, 0);
1371 				pfn = (uintptr_t)m->m_ext.ext_arg1;
1372 				mmu->ptr = ((vm_paddr_t)mfn << PAGE_SHIFT) |
1373 				    MMU_MACHPHYS_UPDATE;
1374 				mmu->val = pfn;
1375 
1376 				set_phys_to_machine(pfn, mfn);
1377 			}
1378 			pages_flipped++;
1379 		} else {
1380 			ret = gnttab_end_foreign_access_ref(ref);
1381 			KASSERT(ret, ("ret != 0"));
1382 		}
1383 
1384 		gnttab_release_grant_reference(&np->gref_rx_head, ref);
1385 
1386 next:
1387 		if (m == NULL)
1388 			break;
1389 
1390 		m->m_len = rx->status;
1391 		m->m_data += rx->offset;
1392 		m0->m_pkthdr.len += rx->status;
1393 
1394 next_skip_queue:
1395 		if (!(rx->flags & NETRXF_more_data))
1396 			break;
1397 
1398 		if (*cons + frags == rp) {
1399 			if (net_ratelimit())
1400 				WPRINTK("Need more frags\n");
1401 			err = ENOENT;
1402 			printf("%s: cons %u frags %u rp %u, not enough frags\n",
1403 			       __func__, *cons, frags, rp);
1404 			break;
1405 		}
1406 		/*
1407 		 * Note that m can be NULL, if rx->status < 0 or if
1408 		 * rx->offset + rx->status > PAGE_SIZE above.
1409 		 */
1410 		m_prev = m;
1411 
1412 		rx = RING_GET_RESPONSE(&np->rx, *cons + frags);
1413 		m = xennet_get_rx_mbuf(np, *cons + frags);
1414 
1415 		/*
1416 		 * m_prev == NULL can happen if rx->status < 0 or if
1417 		 * rx->offset + * rx->status > PAGE_SIZE above.
1418 		 */
1419 		if (m_prev != NULL)
1420 			m_prev->m_next = m;
1421 
1422 		/*
1423 		 * m0 can be NULL if rx->status < 0 or if * rx->offset +
1424 		 * rx->status > PAGE_SIZE above.
1425 		 */
1426 		if (m0 == NULL)
1427 			m0 = m;
1428 		m->m_next = NULL;
1429 		ref = xennet_get_rx_ref(np, *cons + frags);
1430 		ref_cons = *cons + frags;
1431 		frags++;
1432 	}
1433 	*list = m0;
1434 	*cons += frags;
1435 	*pages_flipped_p = pages_flipped;
1436 
1437 	return (err);
1438 }
1439 
1440 static void
1441 xn_tick_locked(struct netfront_info *sc)
1442 {
1443 	XN_RX_LOCK_ASSERT(sc);
1444 	callout_reset(&sc->xn_stat_ch, hz, xn_tick, sc);
1445 
1446 	/* XXX placeholder for printing debug information */
1447 }
1448 
1449 static void
1450 xn_tick(void *xsc)
1451 {
1452 	struct netfront_info *sc;
1453 
1454 	sc = xsc;
1455 	XN_RX_LOCK(sc);
1456 	xn_tick_locked(sc);
1457 	XN_RX_UNLOCK(sc);
1458 }
1459 
1460 /**
1461  * \brief Count the number of fragments in an mbuf chain.
1462  *
1463  * Surprisingly, there isn't an M* macro for this.
1464  */
1465 static inline int
1466 xn_count_frags(struct mbuf *m)
1467 {
1468 	int nfrags;
1469 
1470 	for (nfrags = 0; m != NULL; m = m->m_next)
1471 		nfrags++;
1472 
1473 	return (nfrags);
1474 }
1475 
1476 /**
1477  * Given an mbuf chain, make sure we have enough room and then push
1478  * it onto the transmit ring.
1479  */
1480 static int
1481 xn_assemble_tx_request(struct netfront_info *sc, struct mbuf *m_head)
1482 {
1483 	struct ifnet *ifp;
1484 	struct mbuf *m;
1485 	u_int nfrags;
1486 	netif_extra_info_t *extra;
1487 	int otherend_id;
1488 
1489 	ifp = sc->xn_ifp;
1490 
1491 	/**
1492 	 * Defragment the mbuf if necessary.
1493 	 */
1494 	nfrags = xn_count_frags(m_head);
1495 
1496 	/*
1497 	 * Check to see whether this request is longer than netback
1498 	 * can handle, and try to defrag it.
1499 	 */
1500 	/**
1501 	 * It is a bit lame, but the netback driver in Linux can't
1502 	 * deal with nfrags > MAX_TX_REQ_FRAGS, which is a quirk of
1503 	 * the Linux network stack.
1504 	 */
1505 	if (nfrags > sc->maxfrags) {
1506 		m = m_defrag(m_head, M_NOWAIT);
1507 		if (!m) {
1508 			/*
1509 			 * Defrag failed, so free the mbuf and
1510 			 * therefore drop the packet.
1511 			 */
1512 			m_freem(m_head);
1513 			return (EMSGSIZE);
1514 		}
1515 		m_head = m;
1516 	}
1517 
1518 	/* Determine how many fragments now exist */
1519 	nfrags = xn_count_frags(m_head);
1520 
1521 	/*
1522 	 * Check to see whether the defragmented packet has too many
1523 	 * segments for the Linux netback driver.
1524 	 */
1525 	/**
1526 	 * The FreeBSD TCP stack, with TSO enabled, can produce a chain
1527 	 * of mbufs longer than Linux can handle.  Make sure we don't
1528 	 * pass a too-long chain over to the other side by dropping the
1529 	 * packet.  It doesn't look like there is currently a way to
1530 	 * tell the TCP stack to generate a shorter chain of packets.
1531 	 */
1532 	if (nfrags > MAX_TX_REQ_FRAGS) {
1533 #ifdef DEBUG
1534 		printf("%s: nfrags %d > MAX_TX_REQ_FRAGS %d, netback "
1535 		       "won't be able to handle it, dropping\n",
1536 		       __func__, nfrags, MAX_TX_REQ_FRAGS);
1537 #endif
1538 		m_freem(m_head);
1539 		return (EMSGSIZE);
1540 	}
1541 
1542 	/*
1543 	 * This check should be redundant.  We've already verified that we
1544 	 * have enough slots in the ring to handle a packet of maximum
1545 	 * size, and that our packet is less than the maximum size.  Keep
1546 	 * it in here as an assert for now just to make certain that
1547 	 * xn_tx_chain_cnt is accurate.
1548 	 */
1549 	KASSERT((sc->xn_cdata.xn_tx_chain_cnt + nfrags) <= NET_TX_RING_SIZE,
1550 		("%s: xn_tx_chain_cnt (%d) + nfrags (%d) > NET_TX_RING_SIZE "
1551 		 "(%d)!", __func__, (int) sc->xn_cdata.xn_tx_chain_cnt,
1552                     (int) nfrags, (int) NET_TX_RING_SIZE));
1553 
1554 	/*
1555 	 * Start packing the mbufs in this chain into
1556 	 * the fragment pointers. Stop when we run out
1557 	 * of fragments or hit the end of the mbuf chain.
1558 	 */
1559 	m = m_head;
1560 	extra = NULL;
1561 	otherend_id = xenbus_get_otherend_id(sc->xbdev);
1562 	for (m = m_head; m; m = m->m_next) {
1563 		netif_tx_request_t *tx;
1564 		uintptr_t id;
1565 		grant_ref_t ref;
1566 		u_long mfn; /* XXX Wrong type? */
1567 
1568 		tx = RING_GET_REQUEST(&sc->tx, sc->tx.req_prod_pvt);
1569 		id = get_id_from_freelist(sc->tx_mbufs);
1570 		if (id == 0)
1571 			panic("%s: was allocated the freelist head!\n",
1572 			    __func__);
1573 		sc->xn_cdata.xn_tx_chain_cnt++;
1574 		if (sc->xn_cdata.xn_tx_chain_cnt > NET_TX_RING_SIZE)
1575 			panic("%s: tx_chain_cnt must be <= NET_TX_RING_SIZE\n",
1576 			    __func__);
1577 		sc->tx_mbufs[id] = m;
1578 		tx->id = id;
1579 		ref = gnttab_claim_grant_reference(&sc->gref_tx_head);
1580 		KASSERT((short)ref >= 0, ("Negative ref"));
1581 		mfn = virt_to_mfn(mtod(m, vm_offset_t));
1582 		gnttab_grant_foreign_access_ref(ref, otherend_id,
1583 		    mfn, GNTMAP_readonly);
1584 		tx->gref = sc->grant_tx_ref[id] = ref;
1585 		tx->offset = mtod(m, vm_offset_t) & (PAGE_SIZE - 1);
1586 		tx->flags = 0;
1587 		if (m == m_head) {
1588 			/*
1589 			 * The first fragment has the entire packet
1590 			 * size, subsequent fragments have just the
1591 			 * fragment size. The backend works out the
1592 			 * true size of the first fragment by
1593 			 * subtracting the sizes of the other
1594 			 * fragments.
1595 			 */
1596 			tx->size = m->m_pkthdr.len;
1597 
1598 			/*
1599 			 * The first fragment contains the checksum flags
1600 			 * and is optionally followed by extra data for
1601 			 * TSO etc.
1602 			 */
1603 			/**
1604 			 * CSUM_TSO requires checksum offloading.
1605 			 * Some versions of FreeBSD fail to
1606 			 * set CSUM_TCP in the CSUM_TSO case,
1607 			 * so we have to test for CSUM_TSO
1608 			 * explicitly.
1609 			 */
1610 			if (m->m_pkthdr.csum_flags
1611 			    & (CSUM_DELAY_DATA | CSUM_TSO)) {
1612 				tx->flags |= (NETTXF_csum_blank
1613 				    | NETTXF_data_validated);
1614 			}
1615 #if __FreeBSD_version >= 700000
1616 			if (m->m_pkthdr.csum_flags & CSUM_TSO) {
1617 				struct netif_extra_info *gso =
1618 					(struct netif_extra_info *)
1619 					RING_GET_REQUEST(&sc->tx,
1620 							 ++sc->tx.req_prod_pvt);
1621 
1622 				tx->flags |= NETTXF_extra_info;
1623 
1624 				gso->u.gso.size = m->m_pkthdr.tso_segsz;
1625 				gso->u.gso.type =
1626 					XEN_NETIF_GSO_TYPE_TCPV4;
1627 				gso->u.gso.pad = 0;
1628 				gso->u.gso.features = 0;
1629 
1630 				gso->type = XEN_NETIF_EXTRA_TYPE_GSO;
1631 				gso->flags = 0;
1632 			}
1633 #endif
1634 		} else {
1635 			tx->size = m->m_len;
1636 		}
1637 		if (m->m_next)
1638 			tx->flags |= NETTXF_more_data;
1639 
1640 		sc->tx.req_prod_pvt++;
1641 	}
1642 	BPF_MTAP(ifp, m_head);
1643 
1644 	sc->stats.tx_bytes += m_head->m_pkthdr.len;
1645 	sc->stats.tx_packets++;
1646 
1647 	return (0);
1648 }
1649 
1650 static void
1651 xn_start_locked(struct ifnet *ifp)
1652 {
1653 	struct netfront_info *sc;
1654 	struct mbuf *m_head;
1655 	int notify;
1656 
1657 	sc = ifp->if_softc;
1658 
1659 	if (!netfront_carrier_ok(sc))
1660 		return;
1661 
1662 	/*
1663 	 * While we have enough transmit slots available for at least one
1664 	 * maximum-sized packet, pull mbufs off the queue and put them on
1665 	 * the transmit ring.
1666 	 */
1667 	while (xn_tx_slot_available(sc)) {
1668 		IF_DEQUEUE(&ifp->if_snd, m_head);
1669 		if (m_head == NULL)
1670 			break;
1671 
1672 		if (xn_assemble_tx_request(sc, m_head) != 0)
1673 			break;
1674 	}
1675 
1676 	RING_PUSH_REQUESTS_AND_CHECK_NOTIFY(&sc->tx, notify);
1677 	if (notify)
1678 		xen_intr_signal(sc->xen_intr_handle);
1679 
1680 	if (RING_FULL(&sc->tx)) {
1681 		sc->tx_full = 1;
1682 #if 0
1683 		netif_stop_queue(dev);
1684 #endif
1685 	}
1686 }
1687 
1688 static void
1689 xn_start(struct ifnet *ifp)
1690 {
1691 	struct netfront_info *sc;
1692 	sc = ifp->if_softc;
1693 	XN_TX_LOCK(sc);
1694 	xn_start_locked(ifp);
1695 	XN_TX_UNLOCK(sc);
1696 }
1697 
1698 /* equivalent of network_open() in Linux */
1699 static void
1700 xn_ifinit_locked(struct netfront_info *sc)
1701 {
1702 	struct ifnet *ifp;
1703 
1704 	XN_LOCK_ASSERT(sc);
1705 
1706 	ifp = sc->xn_ifp;
1707 
1708 	if (ifp->if_drv_flags & IFF_DRV_RUNNING)
1709 		return;
1710 
1711 	xn_stop(sc);
1712 
1713 	network_alloc_rx_buffers(sc);
1714 	sc->rx.sring->rsp_event = sc->rx.rsp_cons + 1;
1715 
1716 	ifp->if_drv_flags |= IFF_DRV_RUNNING;
1717 	ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
1718 	if_link_state_change(ifp, LINK_STATE_UP);
1719 
1720 	callout_reset(&sc->xn_stat_ch, hz, xn_tick, sc);
1721 }
1722 
1723 static void
1724 xn_ifinit(void *xsc)
1725 {
1726 	struct netfront_info *sc = xsc;
1727 
1728 	XN_LOCK(sc);
1729 	xn_ifinit_locked(sc);
1730 	XN_UNLOCK(sc);
1731 }
1732 
1733 static int
1734 xn_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
1735 {
1736 	struct netfront_info *sc = ifp->if_softc;
1737 	struct ifreq *ifr = (struct ifreq *) data;
1738 #ifdef INET
1739 	struct ifaddr *ifa = (struct ifaddr *)data;
1740 #endif
1741 
1742 	int mask, error = 0;
1743 	switch(cmd) {
1744 	case SIOCSIFADDR:
1745 	case SIOCGIFADDR:
1746 #ifdef INET
1747 		XN_LOCK(sc);
1748 		if (ifa->ifa_addr->sa_family == AF_INET) {
1749 			ifp->if_flags |= IFF_UP;
1750 			if (!(ifp->if_drv_flags & IFF_DRV_RUNNING))
1751 				xn_ifinit_locked(sc);
1752 			arp_ifinit(ifp, ifa);
1753 			XN_UNLOCK(sc);
1754 		} else {
1755 			XN_UNLOCK(sc);
1756 #endif
1757 			error = ether_ioctl(ifp, cmd, data);
1758 #ifdef INET
1759 		}
1760 #endif
1761 		break;
1762 	case SIOCSIFMTU:
1763 		/* XXX can we alter the MTU on a VN ?*/
1764 #ifdef notyet
1765 		if (ifr->ifr_mtu > XN_JUMBO_MTU)
1766 			error = EINVAL;
1767 		else
1768 #endif
1769 		{
1770 			ifp->if_mtu = ifr->ifr_mtu;
1771 			ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1772 			xn_ifinit(sc);
1773 		}
1774 		break;
1775 	case SIOCSIFFLAGS:
1776 		XN_LOCK(sc);
1777 		if (ifp->if_flags & IFF_UP) {
1778 			/*
1779 			 * If only the state of the PROMISC flag changed,
1780 			 * then just use the 'set promisc mode' command
1781 			 * instead of reinitializing the entire NIC. Doing
1782 			 * a full re-init means reloading the firmware and
1783 			 * waiting for it to start up, which may take a
1784 			 * second or two.
1785 			 */
1786 #ifdef notyet
1787 			/* No promiscuous mode with Xen */
1788 			if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
1789 			    ifp->if_flags & IFF_PROMISC &&
1790 			    !(sc->xn_if_flags & IFF_PROMISC)) {
1791 				XN_SETBIT(sc, XN_RX_MODE,
1792 					  XN_RXMODE_RX_PROMISC);
1793 			} else if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
1794 				   !(ifp->if_flags & IFF_PROMISC) &&
1795 				   sc->xn_if_flags & IFF_PROMISC) {
1796 				XN_CLRBIT(sc, XN_RX_MODE,
1797 					  XN_RXMODE_RX_PROMISC);
1798 			} else
1799 #endif
1800 				xn_ifinit_locked(sc);
1801 		} else {
1802 			if (ifp->if_drv_flags & IFF_DRV_RUNNING) {
1803 				xn_stop(sc);
1804 			}
1805 		}
1806 		sc->xn_if_flags = ifp->if_flags;
1807 		XN_UNLOCK(sc);
1808 		error = 0;
1809 		break;
1810 	case SIOCSIFCAP:
1811 		mask = ifr->ifr_reqcap ^ ifp->if_capenable;
1812 		if (mask & IFCAP_TXCSUM) {
1813 			if (IFCAP_TXCSUM & ifp->if_capenable) {
1814 				ifp->if_capenable &= ~(IFCAP_TXCSUM|IFCAP_TSO4);
1815 				ifp->if_hwassist &= ~(CSUM_TCP | CSUM_UDP
1816 				    | CSUM_IP | CSUM_TSO);
1817 			} else {
1818 				ifp->if_capenable |= IFCAP_TXCSUM;
1819 				ifp->if_hwassist |= (CSUM_TCP | CSUM_UDP
1820 				    | CSUM_IP);
1821 			}
1822 		}
1823 		if (mask & IFCAP_RXCSUM) {
1824 			ifp->if_capenable ^= IFCAP_RXCSUM;
1825 		}
1826 #if __FreeBSD_version >= 700000
1827 		if (mask & IFCAP_TSO4) {
1828 			if (IFCAP_TSO4 & ifp->if_capenable) {
1829 				ifp->if_capenable &= ~IFCAP_TSO4;
1830 				ifp->if_hwassist &= ~CSUM_TSO;
1831 			} else if (IFCAP_TXCSUM & ifp->if_capenable) {
1832 				ifp->if_capenable |= IFCAP_TSO4;
1833 				ifp->if_hwassist |= CSUM_TSO;
1834 			} else {
1835 				IPRINTK("Xen requires tx checksum offload"
1836 				    " be enabled to use TSO\n");
1837 				error = EINVAL;
1838 			}
1839 		}
1840 		if (mask & IFCAP_LRO) {
1841 			ifp->if_capenable ^= IFCAP_LRO;
1842 
1843 		}
1844 #endif
1845 		error = 0;
1846 		break;
1847 	case SIOCADDMULTI:
1848 	case SIOCDELMULTI:
1849 #ifdef notyet
1850 		if (ifp->if_drv_flags & IFF_DRV_RUNNING) {
1851 			XN_LOCK(sc);
1852 			xn_setmulti(sc);
1853 			XN_UNLOCK(sc);
1854 			error = 0;
1855 		}
1856 #endif
1857 		/* FALLTHROUGH */
1858 	case SIOCSIFMEDIA:
1859 	case SIOCGIFMEDIA:
1860 		error = ifmedia_ioctl(ifp, ifr, &sc->sc_media, cmd);
1861 		break;
1862 	default:
1863 		error = ether_ioctl(ifp, cmd, data);
1864 	}
1865 
1866 	return (error);
1867 }
1868 
1869 static void
1870 xn_stop(struct netfront_info *sc)
1871 {
1872 	struct ifnet *ifp;
1873 
1874 	XN_LOCK_ASSERT(sc);
1875 
1876 	ifp = sc->xn_ifp;
1877 
1878 	callout_stop(&sc->xn_stat_ch);
1879 
1880 	xn_free_rx_ring(sc);
1881 	xn_free_tx_ring(sc);
1882 
1883 	ifp->if_drv_flags &= ~(IFF_DRV_RUNNING | IFF_DRV_OACTIVE);
1884 	if_link_state_change(ifp, LINK_STATE_DOWN);
1885 }
1886 
1887 /* START of Xenolinux helper functions adapted to FreeBSD */
1888 int
1889 network_connect(struct netfront_info *np)
1890 {
1891 	int i, requeue_idx, error;
1892 	grant_ref_t ref;
1893 	netif_rx_request_t *req;
1894 	u_int feature_rx_copy, feature_rx_flip;
1895 
1896 	error = xs_scanf(XST_NIL, xenbus_get_otherend_path(np->xbdev),
1897 	    "feature-rx-copy", NULL, "%u", &feature_rx_copy);
1898 	if (error)
1899 		feature_rx_copy = 0;
1900 	error = xs_scanf(XST_NIL, xenbus_get_otherend_path(np->xbdev),
1901 	    "feature-rx-flip", NULL, "%u", &feature_rx_flip);
1902 	if (error)
1903 		feature_rx_flip = 1;
1904 
1905 	/*
1906 	 * Copy packets on receive path if:
1907 	 *  (a) This was requested by user, and the backend supports it; or
1908 	 *  (b) Flipping was requested, but this is unsupported by the backend.
1909 	 */
1910 	np->copying_receiver = ((MODPARM_rx_copy && feature_rx_copy) ||
1911 				(MODPARM_rx_flip && !feature_rx_flip));
1912 
1913 	/* Recovery procedure: */
1914 	error = talk_to_backend(np->xbdev, np);
1915 	if (error)
1916 		return (error);
1917 
1918 	/* Step 1: Reinitialise variables. */
1919 	xn_query_features(np);
1920 	xn_configure_features(np);
1921 	netif_release_tx_bufs(np);
1922 
1923 	/* Step 2: Rebuild the RX buffer freelist and the RX ring itself. */
1924 	for (requeue_idx = 0, i = 0; i < NET_RX_RING_SIZE; i++) {
1925 		struct mbuf *m;
1926 		u_long pfn;
1927 
1928 		if (np->rx_mbufs[i] == NULL)
1929 			continue;
1930 
1931 		m = np->rx_mbufs[requeue_idx] = xennet_get_rx_mbuf(np, i);
1932 		ref = np->grant_rx_ref[requeue_idx] = xennet_get_rx_ref(np, i);
1933 
1934 		req = RING_GET_REQUEST(&np->rx, requeue_idx);
1935 		pfn = vtophys(mtod(m, vm_offset_t)) >> PAGE_SHIFT;
1936 
1937 		if (!np->copying_receiver) {
1938 			gnttab_grant_foreign_transfer_ref(ref,
1939 			    xenbus_get_otherend_id(np->xbdev),
1940 			    pfn);
1941 		} else {
1942 			gnttab_grant_foreign_access_ref(ref,
1943 			    xenbus_get_otherend_id(np->xbdev),
1944 			    PFNTOMFN(pfn), 0);
1945 		}
1946 		req->gref = ref;
1947 		req->id   = requeue_idx;
1948 
1949 		requeue_idx++;
1950 	}
1951 
1952 	np->rx.req_prod_pvt = requeue_idx;
1953 
1954 	/* Step 3: All public and private state should now be sane.  Get
1955 	 * ready to start sending and receiving packets and give the driver
1956 	 * domain a kick because we've probably just requeued some
1957 	 * packets.
1958 	 */
1959 	netfront_carrier_on(np);
1960 	xen_intr_signal(np->xen_intr_handle);
1961 	XN_TX_LOCK(np);
1962 	xn_txeof(np);
1963 	XN_TX_UNLOCK(np);
1964 	network_alloc_rx_buffers(np);
1965 
1966 	return (0);
1967 }
1968 
1969 static void
1970 xn_query_features(struct netfront_info *np)
1971 {
1972 	int val;
1973 
1974 	device_printf(np->xbdev, "backend features:");
1975 
1976 	if (xs_scanf(XST_NIL, xenbus_get_otherend_path(np->xbdev),
1977 		"feature-sg", NULL, "%d", &val) < 0)
1978 		val = 0;
1979 
1980 	np->maxfrags = 1;
1981 	if (val) {
1982 		np->maxfrags = MAX_TX_REQ_FRAGS;
1983 		printf(" feature-sg");
1984 	}
1985 
1986 	if (xs_scanf(XST_NIL, xenbus_get_otherend_path(np->xbdev),
1987 		"feature-gso-tcpv4", NULL, "%d", &val) < 0)
1988 		val = 0;
1989 
1990 	np->xn_ifp->if_capabilities &= ~(IFCAP_TSO4|IFCAP_LRO);
1991 	if (val) {
1992 		np->xn_ifp->if_capabilities |= IFCAP_TSO4|IFCAP_LRO;
1993 		printf(" feature-gso-tcp4");
1994 	}
1995 
1996 	printf("\n");
1997 }
1998 
1999 static int
2000 xn_configure_features(struct netfront_info *np)
2001 {
2002 	int err;
2003 
2004 	err = 0;
2005 #if __FreeBSD_version >= 700000 && (defined(INET) || defined(INET6))
2006 	if ((np->xn_ifp->if_capenable & IFCAP_LRO) != 0)
2007 		tcp_lro_free(&np->xn_lro);
2008 #endif
2009     	np->xn_ifp->if_capenable =
2010 	    np->xn_ifp->if_capabilities & ~(IFCAP_LRO|IFCAP_TSO4);
2011 	np->xn_ifp->if_hwassist &= ~CSUM_TSO;
2012 #if __FreeBSD_version >= 700000 && (defined(INET) || defined(INET6))
2013 	if (xn_enable_lro && (np->xn_ifp->if_capabilities & IFCAP_LRO) != 0) {
2014 		err = tcp_lro_init(&np->xn_lro);
2015 		if (err) {
2016 			device_printf(np->xbdev, "LRO initialization failed\n");
2017 		} else {
2018 			np->xn_lro.ifp = np->xn_ifp;
2019 			np->xn_ifp->if_capenable |= IFCAP_LRO;
2020 		}
2021 	}
2022 	if ((np->xn_ifp->if_capabilities & IFCAP_TSO4) != 0) {
2023 		np->xn_ifp->if_capenable |= IFCAP_TSO4;
2024 		np->xn_ifp->if_hwassist |= CSUM_TSO;
2025 	}
2026 #endif
2027 	return (err);
2028 }
2029 
2030 /**
2031  * Create a network device.
2032  * @param dev  Newbus device representing this virtual NIC.
2033  */
2034 int
2035 create_netdev(device_t dev)
2036 {
2037 	int i;
2038 	struct netfront_info *np;
2039 	int err;
2040 	struct ifnet *ifp;
2041 
2042 	np = device_get_softc(dev);
2043 
2044 	np->xbdev         = dev;
2045 
2046 	XN_LOCK_INIT(np, xennetif);
2047 
2048 	ifmedia_init(&np->sc_media, 0, xn_ifmedia_upd, xn_ifmedia_sts);
2049 	ifmedia_add(&np->sc_media, IFM_ETHER|IFM_MANUAL, 0, NULL);
2050 	ifmedia_set(&np->sc_media, IFM_ETHER|IFM_MANUAL);
2051 
2052 	np->rx_target     = RX_MIN_TARGET;
2053 	np->rx_min_target = RX_MIN_TARGET;
2054 	np->rx_max_target = RX_MAX_TARGET;
2055 
2056 	/* Initialise {tx,rx}_skbs to be a free chain containing every entry. */
2057 	for (i = 0; i <= NET_TX_RING_SIZE; i++) {
2058 		np->tx_mbufs[i] = (void *) ((u_long) i+1);
2059 		np->grant_tx_ref[i] = GRANT_REF_INVALID;
2060 	}
2061 	np->tx_mbufs[NET_TX_RING_SIZE] = (void *)0;
2062 
2063 	for (i = 0; i <= NET_RX_RING_SIZE; i++) {
2064 
2065 		np->rx_mbufs[i] = NULL;
2066 		np->grant_rx_ref[i] = GRANT_REF_INVALID;
2067 	}
2068 	/* A grant for every tx ring slot */
2069 	if (gnttab_alloc_grant_references(NET_TX_RING_SIZE,
2070 					  &np->gref_tx_head) != 0) {
2071 		IPRINTK("#### netfront can't alloc tx grant refs\n");
2072 		err = ENOMEM;
2073 		goto exit;
2074 	}
2075 	/* A grant for every rx ring slot */
2076 	if (gnttab_alloc_grant_references(RX_MAX_TARGET,
2077 					  &np->gref_rx_head) != 0) {
2078 		WPRINTK("#### netfront can't alloc rx grant refs\n");
2079 		gnttab_free_grant_references(np->gref_tx_head);
2080 		err = ENOMEM;
2081 		goto exit;
2082 	}
2083 
2084 	err = xen_net_read_mac(dev, np->mac);
2085 	if (err)
2086 		goto out;
2087 
2088 	/* Set up ifnet structure */
2089 	ifp = np->xn_ifp = if_alloc(IFT_ETHER);
2090     	ifp->if_softc = np;
2091     	if_initname(ifp, "xn",  device_get_unit(dev));
2092     	ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
2093     	ifp->if_ioctl = xn_ioctl;
2094     	ifp->if_output = ether_output;
2095     	ifp->if_start = xn_start;
2096 #ifdef notyet
2097     	ifp->if_watchdog = xn_watchdog;
2098 #endif
2099     	ifp->if_init = xn_ifinit;
2100     	ifp->if_snd.ifq_maxlen = NET_TX_RING_SIZE - 1;
2101 
2102     	ifp->if_hwassist = XN_CSUM_FEATURES;
2103     	ifp->if_capabilities = IFCAP_HWCSUM;
2104 	ifp->if_hw_tsomax = 65536 - (ETHER_HDR_LEN + ETHER_VLAN_ENCAP_LEN);
2105 	ifp->if_hw_tsomaxsegcount = MAX_TX_REQ_FRAGS;
2106 	ifp->if_hw_tsomaxsegsize = PAGE_SIZE;
2107 
2108     	ether_ifattach(ifp, np->mac);
2109     	callout_init(&np->xn_stat_ch, CALLOUT_MPSAFE);
2110 	netfront_carrier_off(np);
2111 
2112 	return (0);
2113 
2114 exit:
2115 	gnttab_free_grant_references(np->gref_tx_head);
2116 out:
2117 	return (err);
2118 }
2119 
2120 /**
2121  * Handle the change of state of the backend to Closing.  We must delete our
2122  * device-layer structures now, to ensure that writes are flushed through to
2123  * the backend.  Once is this done, we can switch to Closed in
2124  * acknowledgement.
2125  */
2126 #if 0
2127 static void
2128 netfront_closing(device_t dev)
2129 {
2130 #if 0
2131 	struct netfront_info *info = dev->dev_driver_data;
2132 
2133 	DPRINTK("netfront_closing: %s removed\n", dev->nodename);
2134 
2135 	close_netdev(info);
2136 #endif
2137 	xenbus_switch_state(dev, XenbusStateClosed);
2138 }
2139 #endif
2140 
2141 static int
2142 netfront_detach(device_t dev)
2143 {
2144 	struct netfront_info *info = device_get_softc(dev);
2145 
2146 	DPRINTK("%s\n", xenbus_get_node(dev));
2147 
2148 	netif_free(info);
2149 
2150 	return 0;
2151 }
2152 
2153 static void
2154 netif_free(struct netfront_info *info)
2155 {
2156 	XN_LOCK(info);
2157 	xn_stop(info);
2158 	XN_UNLOCK(info);
2159 	callout_drain(&info->xn_stat_ch);
2160 	netif_disconnect_backend(info);
2161 	if (info->xn_ifp != NULL) {
2162 		ether_ifdetach(info->xn_ifp);
2163 		if_free(info->xn_ifp);
2164 		info->xn_ifp = NULL;
2165 	}
2166 	ifmedia_removeall(&info->sc_media);
2167 }
2168 
2169 static void
2170 netif_disconnect_backend(struct netfront_info *info)
2171 {
2172 	XN_RX_LOCK(info);
2173 	XN_TX_LOCK(info);
2174 	netfront_carrier_off(info);
2175 	XN_TX_UNLOCK(info);
2176 	XN_RX_UNLOCK(info);
2177 
2178 	free_ring(&info->tx_ring_ref, &info->tx.sring);
2179 	free_ring(&info->rx_ring_ref, &info->rx.sring);
2180 
2181 	xen_intr_unbind(&info->xen_intr_handle);
2182 }
2183 
2184 static void
2185 free_ring(int *ref, void *ring_ptr_ref)
2186 {
2187 	void **ring_ptr_ptr = ring_ptr_ref;
2188 
2189 	if (*ref != GRANT_REF_INVALID) {
2190 		/* This API frees the associated storage. */
2191 		gnttab_end_foreign_access(*ref, *ring_ptr_ptr);
2192 		*ref = GRANT_REF_INVALID;
2193 	}
2194 	*ring_ptr_ptr = NULL;
2195 }
2196 
2197 static int
2198 xn_ifmedia_upd(struct ifnet *ifp)
2199 {
2200 	return (0);
2201 }
2202 
2203 static void
2204 xn_ifmedia_sts(struct ifnet *ifp, struct ifmediareq *ifmr)
2205 {
2206 	ifmr->ifm_status = IFM_AVALID|IFM_ACTIVE;
2207 	ifmr->ifm_active = IFM_ETHER|IFM_MANUAL;
2208 }
2209 
2210 /* ** Driver registration ** */
2211 static device_method_t netfront_methods[] = {
2212 	/* Device interface */
2213 	DEVMETHOD(device_probe,         netfront_probe),
2214 	DEVMETHOD(device_attach,        netfront_attach),
2215 	DEVMETHOD(device_detach,        netfront_detach),
2216 	DEVMETHOD(device_shutdown,      bus_generic_shutdown),
2217 	DEVMETHOD(device_suspend,       netfront_suspend),
2218 	DEVMETHOD(device_resume,        netfront_resume),
2219 
2220 	/* Xenbus interface */
2221 	DEVMETHOD(xenbus_otherend_changed, netfront_backend_changed),
2222 
2223 	DEVMETHOD_END
2224 };
2225 
2226 static driver_t netfront_driver = {
2227 	"xn",
2228 	netfront_methods,
2229 	sizeof(struct netfront_info),
2230 };
2231 devclass_t netfront_devclass;
2232 
2233 DRIVER_MODULE(xe, xenbusb_front, netfront_driver, netfront_devclass, NULL,
2234     NULL);
2235