xref: /freebsd/sys/dev/xen/netfront/netfront.c (revision 952364486a4b9d135e4b28f7f88a8703a74eae6f)
1 /*-
2  * Copyright (c) 2004-2006 Kip Macy
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include "opt_inet.h"
31 #include "opt_inet6.h"
32 
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/sockio.h>
36 #include <sys/limits.h>
37 #include <sys/mbuf.h>
38 #include <sys/malloc.h>
39 #include <sys/module.h>
40 #include <sys/kernel.h>
41 #include <sys/socket.h>
42 #include <sys/sysctl.h>
43 #include <sys/queue.h>
44 #include <sys/lock.h>
45 #include <sys/sx.h>
46 
47 #include <net/if.h>
48 #include <net/if_var.h>
49 #include <net/if_arp.h>
50 #include <net/ethernet.h>
51 #include <net/if_dl.h>
52 #include <net/if_media.h>
53 
54 #include <net/bpf.h>
55 
56 #include <net/if_types.h>
57 
58 #include <netinet/in_systm.h>
59 #include <netinet/in.h>
60 #include <netinet/ip.h>
61 #include <netinet/if_ether.h>
62 #if __FreeBSD_version >= 700000
63 #include <netinet/tcp.h>
64 #include <netinet/tcp_lro.h>
65 #endif
66 
67 #include <vm/vm.h>
68 #include <vm/pmap.h>
69 
70 #include <machine/clock.h>      /* for DELAY */
71 #include <machine/bus.h>
72 #include <machine/resource.h>
73 #include <machine/frame.h>
74 #include <machine/vmparam.h>
75 
76 #include <sys/bus.h>
77 #include <sys/rman.h>
78 
79 #include <machine/intr_machdep.h>
80 
81 #include <xen/xen-os.h>
82 #include <xen/hypervisor.h>
83 #include <xen/xen_intr.h>
84 #include <xen/gnttab.h>
85 #include <xen/interface/memory.h>
86 #include <xen/interface/io/netif.h>
87 #include <xen/xenbus/xenbusvar.h>
88 
89 #include <machine/xen/xenvar.h>
90 
91 #include "xenbus_if.h"
92 
93 /* Features supported by all backends.  TSO and LRO can be negotiated */
94 #define XN_CSUM_FEATURES	(CSUM_TCP | CSUM_UDP)
95 
96 #define NET_TX_RING_SIZE __RING_SIZE((netif_tx_sring_t *)0, PAGE_SIZE)
97 #define NET_RX_RING_SIZE __RING_SIZE((netif_rx_sring_t *)0, PAGE_SIZE)
98 
99 #if __FreeBSD_version >= 700000
100 /*
101  * Should the driver do LRO on the RX end
102  *  this can be toggled on the fly, but the
103  *  interface must be reset (down/up) for it
104  *  to take effect.
105  */
106 static int xn_enable_lro = 1;
107 TUNABLE_INT("hw.xn.enable_lro", &xn_enable_lro);
108 #else
109 
110 #define IFCAP_TSO4	0
111 #define CSUM_TSO	0
112 
113 #endif
114 
115 #ifdef CONFIG_XEN
116 static int MODPARM_rx_copy = 0;
117 module_param_named(rx_copy, MODPARM_rx_copy, bool, 0);
118 MODULE_PARM_DESC(rx_copy, "Copy packets from network card (rather than flip)");
119 static int MODPARM_rx_flip = 0;
120 module_param_named(rx_flip, MODPARM_rx_flip, bool, 0);
121 MODULE_PARM_DESC(rx_flip, "Flip packets from network card (rather than copy)");
122 #else
123 static const int MODPARM_rx_copy = 1;
124 static const int MODPARM_rx_flip = 0;
125 #endif
126 
127 /**
128  * \brief The maximum allowed data fragments in a single transmit
129  *        request.
130  *
131  * This limit is imposed by the backend driver.  We assume here that
132  * we are dealing with a Linux driver domain and have set our limit
133  * to mirror the Linux MAX_SKB_FRAGS constant.
134  */
135 #define	MAX_TX_REQ_FRAGS (65536 / PAGE_SIZE + 2)
136 
137 #define RX_COPY_THRESHOLD 256
138 
139 #define net_ratelimit() 0
140 
141 struct netfront_info;
142 struct netfront_rx_info;
143 
144 static void xn_txeof(struct netfront_info *);
145 static void xn_rxeof(struct netfront_info *);
146 static void network_alloc_rx_buffers(struct netfront_info *);
147 
148 static void xn_tick_locked(struct netfront_info *);
149 static void xn_tick(void *);
150 
151 static void xn_intr(void *);
152 static inline int xn_count_frags(struct mbuf *m);
153 static int  xn_assemble_tx_request(struct netfront_info *sc,
154 				   struct mbuf *m_head);
155 static void xn_start_locked(struct ifnet *);
156 static void xn_start(struct ifnet *);
157 static int  xn_ioctl(struct ifnet *, u_long, caddr_t);
158 static void xn_ifinit_locked(struct netfront_info *);
159 static void xn_ifinit(void *);
160 static void xn_stop(struct netfront_info *);
161 static void xn_query_features(struct netfront_info *np);
162 static int  xn_configure_features(struct netfront_info *np);
163 #ifdef notyet
164 static void xn_watchdog(struct ifnet *);
165 #endif
166 
167 #ifdef notyet
168 static void netfront_closing(device_t dev);
169 #endif
170 static void netif_free(struct netfront_info *info);
171 static int netfront_detach(device_t dev);
172 
173 static int talk_to_backend(device_t dev, struct netfront_info *info);
174 static int create_netdev(device_t dev);
175 static void netif_disconnect_backend(struct netfront_info *info);
176 static int setup_device(device_t dev, struct netfront_info *info);
177 static void free_ring(int *ref, void *ring_ptr_ref);
178 
179 static int  xn_ifmedia_upd(struct ifnet *ifp);
180 static void xn_ifmedia_sts(struct ifnet *ifp, struct ifmediareq *ifmr);
181 
182 /* Xenolinux helper functions */
183 int network_connect(struct netfront_info *);
184 
185 static void xn_free_rx_ring(struct netfront_info *);
186 
187 static void xn_free_tx_ring(struct netfront_info *);
188 
189 static int xennet_get_responses(struct netfront_info *np,
190 	struct netfront_rx_info *rinfo, RING_IDX rp, RING_IDX *cons,
191 	struct mbuf **list, int *pages_flipped_p);
192 
193 #define virt_to_mfn(x) (vtomach(x) >> PAGE_SHIFT)
194 
195 #define INVALID_P2M_ENTRY (~0UL)
196 
197 /*
198  * Mbuf pointers. We need these to keep track of the virtual addresses
199  * of our mbuf chains since we can only convert from virtual to physical,
200  * not the other way around.  The size must track the free index arrays.
201  */
202 struct xn_chain_data {
203 	struct mbuf    *xn_tx_chain[NET_TX_RING_SIZE+1];
204 	int		xn_tx_chain_cnt;
205 	struct mbuf    *xn_rx_chain[NET_RX_RING_SIZE+1];
206 };
207 
208 struct net_device_stats
209 {
210 	u_long	rx_packets;		/* total packets received	*/
211 	u_long	tx_packets;		/* total packets transmitted	*/
212 	u_long	rx_bytes;		/* total bytes received 	*/
213 	u_long	tx_bytes;		/* total bytes transmitted	*/
214 	u_long	rx_errors;		/* bad packets received		*/
215 	u_long	tx_errors;		/* packet transmit problems	*/
216 	u_long	rx_dropped;		/* no space in linux buffers	*/
217 	u_long	tx_dropped;		/* no space available in linux	*/
218 	u_long	multicast;		/* multicast packets received	*/
219 	u_long	collisions;
220 
221 	/* detailed rx_errors: */
222 	u_long	rx_length_errors;
223 	u_long	rx_over_errors;		/* receiver ring buff overflow	*/
224 	u_long	rx_crc_errors;		/* recved pkt with crc error	*/
225 	u_long	rx_frame_errors;	/* recv'd frame alignment error */
226 	u_long	rx_fifo_errors;		/* recv'r fifo overrun		*/
227 	u_long	rx_missed_errors;	/* receiver missed packet	*/
228 
229 	/* detailed tx_errors */
230 	u_long	tx_aborted_errors;
231 	u_long	tx_carrier_errors;
232 	u_long	tx_fifo_errors;
233 	u_long	tx_heartbeat_errors;
234 	u_long	tx_window_errors;
235 
236 	/* for cslip etc */
237 	u_long	rx_compressed;
238 	u_long	tx_compressed;
239 };
240 
241 struct netfront_info {
242 	struct ifnet *xn_ifp;
243 #if __FreeBSD_version >= 700000
244 	struct lro_ctrl xn_lro;
245 #endif
246 
247 	struct net_device_stats stats;
248 	u_int tx_full;
249 
250 	netif_tx_front_ring_t tx;
251 	netif_rx_front_ring_t rx;
252 
253 	struct mtx   tx_lock;
254 	struct mtx   rx_lock;
255 	struct mtx   sc_lock;
256 
257 	xen_intr_handle_t xen_intr_handle;
258 	u_int copying_receiver;
259 	u_int carrier;
260 	u_int maxfrags;
261 
262 	/* Receive-ring batched refills. */
263 #define RX_MIN_TARGET 32
264 #define RX_MAX_TARGET NET_RX_RING_SIZE
265 	int rx_min_target;
266 	int rx_max_target;
267 	int rx_target;
268 
269 	grant_ref_t gref_tx_head;
270 	grant_ref_t grant_tx_ref[NET_TX_RING_SIZE + 1];
271 	grant_ref_t gref_rx_head;
272 	grant_ref_t grant_rx_ref[NET_TX_RING_SIZE + 1];
273 
274 	device_t		xbdev;
275 	int			tx_ring_ref;
276 	int			rx_ring_ref;
277 	uint8_t			mac[ETHER_ADDR_LEN];
278 	struct xn_chain_data	xn_cdata;	/* mbufs */
279 	struct mbufq		xn_rx_batch;	/* batch queue */
280 
281 	int			xn_if_flags;
282 	struct callout	        xn_stat_ch;
283 
284 	u_long			rx_pfn_array[NET_RX_RING_SIZE];
285 	multicall_entry_t	rx_mcl[NET_RX_RING_SIZE+1];
286 	mmu_update_t		rx_mmu[NET_RX_RING_SIZE];
287 	struct ifmedia		sc_media;
288 };
289 
290 #define rx_mbufs xn_cdata.xn_rx_chain
291 #define tx_mbufs xn_cdata.xn_tx_chain
292 
293 #define XN_LOCK_INIT(_sc, _name) \
294         mtx_init(&(_sc)->tx_lock, #_name"_tx", "network transmit lock", MTX_DEF); \
295         mtx_init(&(_sc)->rx_lock, #_name"_rx", "network receive lock", MTX_DEF);  \
296         mtx_init(&(_sc)->sc_lock, #_name"_sc", "netfront softc lock", MTX_DEF)
297 
298 #define XN_RX_LOCK(_sc)           mtx_lock(&(_sc)->rx_lock)
299 #define XN_RX_UNLOCK(_sc)         mtx_unlock(&(_sc)->rx_lock)
300 
301 #define XN_TX_LOCK(_sc)           mtx_lock(&(_sc)->tx_lock)
302 #define XN_TX_UNLOCK(_sc)         mtx_unlock(&(_sc)->tx_lock)
303 
304 #define XN_LOCK(_sc)           mtx_lock(&(_sc)->sc_lock);
305 #define XN_UNLOCK(_sc)         mtx_unlock(&(_sc)->sc_lock);
306 
307 #define XN_LOCK_ASSERT(_sc)    mtx_assert(&(_sc)->sc_lock, MA_OWNED);
308 #define XN_RX_LOCK_ASSERT(_sc)    mtx_assert(&(_sc)->rx_lock, MA_OWNED);
309 #define XN_TX_LOCK_ASSERT(_sc)    mtx_assert(&(_sc)->tx_lock, MA_OWNED);
310 #define XN_LOCK_DESTROY(_sc)   mtx_destroy(&(_sc)->rx_lock); \
311                                mtx_destroy(&(_sc)->tx_lock); \
312                                mtx_destroy(&(_sc)->sc_lock);
313 
314 struct netfront_rx_info {
315 	struct netif_rx_response rx;
316 	struct netif_extra_info extras[XEN_NETIF_EXTRA_TYPE_MAX - 1];
317 };
318 
319 #define netfront_carrier_on(netif)	((netif)->carrier = 1)
320 #define netfront_carrier_off(netif)	((netif)->carrier = 0)
321 #define netfront_carrier_ok(netif)	((netif)->carrier)
322 
323 /* Access macros for acquiring freeing slots in xn_free_{tx,rx}_idxs[]. */
324 
325 static inline void
326 add_id_to_freelist(struct mbuf **list, uintptr_t id)
327 {
328 	KASSERT(id != 0,
329 		("%s: the head item (0) must always be free.", __func__));
330 	list[id] = list[0];
331 	list[0]  = (struct mbuf *)id;
332 }
333 
334 static inline unsigned short
335 get_id_from_freelist(struct mbuf **list)
336 {
337 	uintptr_t id;
338 
339 	id = (uintptr_t)list[0];
340 	KASSERT(id != 0,
341 		("%s: the head item (0) must always remain free.", __func__));
342 	list[0] = list[id];
343 	return (id);
344 }
345 
346 static inline int
347 xennet_rxidx(RING_IDX idx)
348 {
349 	return idx & (NET_RX_RING_SIZE - 1);
350 }
351 
352 static inline struct mbuf *
353 xennet_get_rx_mbuf(struct netfront_info *np, RING_IDX ri)
354 {
355 	int i = xennet_rxidx(ri);
356 	struct mbuf *m;
357 
358 	m = np->rx_mbufs[i];
359 	np->rx_mbufs[i] = NULL;
360 	return (m);
361 }
362 
363 static inline grant_ref_t
364 xennet_get_rx_ref(struct netfront_info *np, RING_IDX ri)
365 {
366 	int i = xennet_rxidx(ri);
367 	grant_ref_t ref = np->grant_rx_ref[i];
368 	KASSERT(ref != GRANT_REF_INVALID, ("Invalid grant reference!\n"));
369 	np->grant_rx_ref[i] = GRANT_REF_INVALID;
370 	return ref;
371 }
372 
373 #define IPRINTK(fmt, args...) \
374     printf("[XEN] " fmt, ##args)
375 #ifdef INVARIANTS
376 #define WPRINTK(fmt, args...) \
377     printf("[XEN] " fmt, ##args)
378 #else
379 #define WPRINTK(fmt, args...)
380 #endif
381 #ifdef DEBUG
382 #define DPRINTK(fmt, args...) \
383     printf("[XEN] %s: " fmt, __func__, ##args)
384 #else
385 #define DPRINTK(fmt, args...)
386 #endif
387 
388 /**
389  * Read the 'mac' node at the given device's node in the store, and parse that
390  * as colon-separated octets, placing result the given mac array.  mac must be
391  * a preallocated array of length ETH_ALEN (as declared in linux/if_ether.h).
392  * Return 0 on success, or errno on error.
393  */
394 static int
395 xen_net_read_mac(device_t dev, uint8_t mac[])
396 {
397 	int error, i;
398 	char *s, *e, *macstr;
399 	const char *path;
400 
401 	path = xenbus_get_node(dev);
402 	error = xs_read(XST_NIL, path, "mac", NULL, (void **) &macstr);
403 	if (error == ENOENT) {
404 		/*
405 		 * Deal with missing mac XenStore nodes on devices with
406 		 * HVM emulation (the 'ioemu' configuration attribute)
407 		 * enabled.
408 		 *
409 		 * The HVM emulator may execute in a stub device model
410 		 * domain which lacks the permission, only given to Dom0,
411 		 * to update the guest's XenStore tree.  For this reason,
412 		 * the HVM emulator doesn't even attempt to write the
413 		 * front-side mac node, even when operating in Dom0.
414 		 * However, there should always be a mac listed in the
415 		 * backend tree.  Fallback to this version if our query
416 		 * of the front side XenStore location doesn't find
417 		 * anything.
418 		 */
419 		path = xenbus_get_otherend_path(dev);
420 		error = xs_read(XST_NIL, path, "mac", NULL, (void **) &macstr);
421 	}
422 	if (error != 0) {
423 		xenbus_dev_fatal(dev, error, "parsing %s/mac", path);
424 		return (error);
425 	}
426 
427 	s = macstr;
428 	for (i = 0; i < ETHER_ADDR_LEN; i++) {
429 		mac[i] = strtoul(s, &e, 16);
430 		if (s == e || (e[0] != ':' && e[0] != 0)) {
431 			free(macstr, M_XENBUS);
432 			return (ENOENT);
433 		}
434 		s = &e[1];
435 	}
436 	free(macstr, M_XENBUS);
437 	return (0);
438 }
439 
440 /**
441  * Entry point to this code when a new device is created.  Allocate the basic
442  * structures and the ring buffers for communication with the backend, and
443  * inform the backend of the appropriate details for those.  Switch to
444  * Connected state.
445  */
446 static int
447 netfront_probe(device_t dev)
448 {
449 
450 	if (!strcmp(xenbus_get_type(dev), "vif")) {
451 		device_set_desc(dev, "Virtual Network Interface");
452 		return (0);
453 	}
454 
455 	return (ENXIO);
456 }
457 
458 static int
459 netfront_attach(device_t dev)
460 {
461 	int err;
462 
463 	err = create_netdev(dev);
464 	if (err) {
465 		xenbus_dev_fatal(dev, err, "creating netdev");
466 		return (err);
467 	}
468 
469 #if __FreeBSD_version >= 700000
470 	SYSCTL_ADD_INT(device_get_sysctl_ctx(dev),
471 	    SYSCTL_CHILDREN(device_get_sysctl_tree(dev)),
472 	    OID_AUTO, "enable_lro", CTLFLAG_RW,
473 	    &xn_enable_lro, 0, "Large Receive Offload");
474 #endif
475 
476 	return (0);
477 }
478 
479 static int
480 netfront_suspend(device_t dev)
481 {
482 	struct netfront_info *info = device_get_softc(dev);
483 
484 	XN_RX_LOCK(info);
485 	XN_TX_LOCK(info);
486 	netfront_carrier_off(info);
487 	XN_TX_UNLOCK(info);
488 	XN_RX_UNLOCK(info);
489 	return (0);
490 }
491 
492 /**
493  * We are reconnecting to the backend, due to a suspend/resume, or a backend
494  * driver restart.  We tear down our netif structure and recreate it, but
495  * leave the device-layer structures intact so that this is transparent to the
496  * rest of the kernel.
497  */
498 static int
499 netfront_resume(device_t dev)
500 {
501 	struct netfront_info *info = device_get_softc(dev);
502 
503 	netif_disconnect_backend(info);
504 	return (0);
505 }
506 
507 /* Common code used when first setting up, and when resuming. */
508 static int
509 talk_to_backend(device_t dev, struct netfront_info *info)
510 {
511 	const char *message;
512 	struct xs_transaction xst;
513 	const char *node = xenbus_get_node(dev);
514 	int err;
515 
516 	err = xen_net_read_mac(dev, info->mac);
517 	if (err) {
518 		xenbus_dev_fatal(dev, err, "parsing %s/mac", node);
519 		goto out;
520 	}
521 
522 	/* Create shared ring, alloc event channel. */
523 	err = setup_device(dev, info);
524 	if (err)
525 		goto out;
526 
527  again:
528 	err = xs_transaction_start(&xst);
529 	if (err) {
530 		xenbus_dev_fatal(dev, err, "starting transaction");
531 		goto destroy_ring;
532 	}
533 	err = xs_printf(xst, node, "tx-ring-ref","%u",
534 			info->tx_ring_ref);
535 	if (err) {
536 		message = "writing tx ring-ref";
537 		goto abort_transaction;
538 	}
539 	err = xs_printf(xst, node, "rx-ring-ref","%u",
540 			info->rx_ring_ref);
541 	if (err) {
542 		message = "writing rx ring-ref";
543 		goto abort_transaction;
544 	}
545 	err = xs_printf(xst, node,
546 			"event-channel", "%u",
547 			xen_intr_port(info->xen_intr_handle));
548 	if (err) {
549 		message = "writing event-channel";
550 		goto abort_transaction;
551 	}
552 	err = xs_printf(xst, node, "request-rx-copy", "%u",
553 			info->copying_receiver);
554 	if (err) {
555 		message = "writing request-rx-copy";
556 		goto abort_transaction;
557 	}
558 	err = xs_printf(xst, node, "feature-rx-notify", "%d", 1);
559 	if (err) {
560 		message = "writing feature-rx-notify";
561 		goto abort_transaction;
562 	}
563 	err = xs_printf(xst, node, "feature-sg", "%d", 1);
564 	if (err) {
565 		message = "writing feature-sg";
566 		goto abort_transaction;
567 	}
568 #if __FreeBSD_version >= 700000
569 	err = xs_printf(xst, node, "feature-gso-tcpv4", "%d", 1);
570 	if (err) {
571 		message = "writing feature-gso-tcpv4";
572 		goto abort_transaction;
573 	}
574 #endif
575 
576 	err = xs_transaction_end(xst, 0);
577 	if (err) {
578 		if (err == EAGAIN)
579 			goto again;
580 		xenbus_dev_fatal(dev, err, "completing transaction");
581 		goto destroy_ring;
582 	}
583 
584 	return 0;
585 
586  abort_transaction:
587 	xs_transaction_end(xst, 1);
588 	xenbus_dev_fatal(dev, err, "%s", message);
589  destroy_ring:
590 	netif_free(info);
591  out:
592 	return err;
593 }
594 
595 static int
596 setup_device(device_t dev, struct netfront_info *info)
597 {
598 	netif_tx_sring_t *txs;
599 	netif_rx_sring_t *rxs;
600 	int error;
601 	struct ifnet *ifp;
602 
603 	ifp = info->xn_ifp;
604 
605 	info->tx_ring_ref = GRANT_REF_INVALID;
606 	info->rx_ring_ref = GRANT_REF_INVALID;
607 	info->rx.sring = NULL;
608 	info->tx.sring = NULL;
609 
610 	txs = (netif_tx_sring_t *)malloc(PAGE_SIZE, M_DEVBUF, M_NOWAIT|M_ZERO);
611 	if (!txs) {
612 		error = ENOMEM;
613 		xenbus_dev_fatal(dev, error, "allocating tx ring page");
614 		goto fail;
615 	}
616 	SHARED_RING_INIT(txs);
617 	FRONT_RING_INIT(&info->tx, txs, PAGE_SIZE);
618 	error = xenbus_grant_ring(dev, virt_to_mfn(txs), &info->tx_ring_ref);
619 	if (error)
620 		goto fail;
621 
622 	rxs = (netif_rx_sring_t *)malloc(PAGE_SIZE, M_DEVBUF, M_NOWAIT|M_ZERO);
623 	if (!rxs) {
624 		error = ENOMEM;
625 		xenbus_dev_fatal(dev, error, "allocating rx ring page");
626 		goto fail;
627 	}
628 	SHARED_RING_INIT(rxs);
629 	FRONT_RING_INIT(&info->rx, rxs, PAGE_SIZE);
630 
631 	error = xenbus_grant_ring(dev, virt_to_mfn(rxs), &info->rx_ring_ref);
632 	if (error)
633 		goto fail;
634 
635 	error = xen_intr_alloc_and_bind_local_port(dev,
636 	    xenbus_get_otherend_id(dev), /*filter*/NULL, xn_intr, info,
637 	    INTR_TYPE_NET | INTR_MPSAFE | INTR_ENTROPY, &info->xen_intr_handle);
638 
639 	if (error) {
640 		xenbus_dev_fatal(dev, error,
641 				 "xen_intr_alloc_and_bind_local_port failed");
642 		goto fail;
643 	}
644 
645 	return (0);
646 
647  fail:
648 	netif_free(info);
649 	return (error);
650 }
651 
652 #ifdef INET
653 /**
654  * If this interface has an ipv4 address, send an arp for it. This
655  * helps to get the network going again after migrating hosts.
656  */
657 static void
658 netfront_send_fake_arp(device_t dev, struct netfront_info *info)
659 {
660 	struct ifnet *ifp;
661 	struct ifaddr *ifa;
662 
663 	ifp = info->xn_ifp;
664 	TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
665 		if (ifa->ifa_addr->sa_family == AF_INET) {
666 			arp_ifinit(ifp, ifa);
667 		}
668 	}
669 }
670 #endif
671 
672 /**
673  * Callback received when the backend's state changes.
674  */
675 static void
676 netfront_backend_changed(device_t dev, XenbusState newstate)
677 {
678 	struct netfront_info *sc = device_get_softc(dev);
679 
680 	DPRINTK("newstate=%d\n", newstate);
681 
682 	switch (newstate) {
683 	case XenbusStateInitialising:
684 	case XenbusStateInitialised:
685 	case XenbusStateConnected:
686 	case XenbusStateUnknown:
687 	case XenbusStateClosed:
688 	case XenbusStateReconfigured:
689 	case XenbusStateReconfiguring:
690 		break;
691 	case XenbusStateInitWait:
692 		if (xenbus_get_state(dev) != XenbusStateInitialising)
693 			break;
694 		if (network_connect(sc) != 0)
695 			break;
696 		xenbus_set_state(dev, XenbusStateConnected);
697 #ifdef INET
698 		netfront_send_fake_arp(dev, sc);
699 #endif
700 		break;
701 	case XenbusStateClosing:
702 		xenbus_set_state(dev, XenbusStateClosed);
703 		break;
704 	}
705 }
706 
707 static void
708 xn_free_rx_ring(struct netfront_info *sc)
709 {
710 #if 0
711 	int i;
712 
713 	for (i = 0; i < NET_RX_RING_SIZE; i++) {
714 		if (sc->xn_cdata.rx_mbufs[i] != NULL) {
715 			m_freem(sc->rx_mbufs[i]);
716 			sc->rx_mbufs[i] = NULL;
717 		}
718 	}
719 
720 	sc->rx.rsp_cons = 0;
721 	sc->xn_rx_if->req_prod = 0;
722 	sc->xn_rx_if->event = sc->rx.rsp_cons ;
723 #endif
724 }
725 
726 static void
727 xn_free_tx_ring(struct netfront_info *sc)
728 {
729 #if 0
730 	int i;
731 
732 	for (i = 0; i < NET_TX_RING_SIZE; i++) {
733 		if (sc->tx_mbufs[i] != NULL) {
734 			m_freem(sc->tx_mbufs[i]);
735 			sc->xn_cdata.xn_tx_chain[i] = NULL;
736 		}
737 	}
738 
739 	return;
740 #endif
741 }
742 
743 /**
744  * \brief Verify that there is sufficient space in the Tx ring
745  *        buffer for a maximally sized request to be enqueued.
746  *
747  * A transmit request requires a transmit descriptor for each packet
748  * fragment, plus up to 2 entries for "options" (e.g. TSO).
749  */
750 static inline int
751 xn_tx_slot_available(struct netfront_info *np)
752 {
753 	return (RING_FREE_REQUESTS(&np->tx) > (MAX_TX_REQ_FRAGS + 2));
754 }
755 
756 static void
757 netif_release_tx_bufs(struct netfront_info *np)
758 {
759 	int i;
760 
761 	for (i = 1; i <= NET_TX_RING_SIZE; i++) {
762 		struct mbuf *m;
763 
764 		m = np->tx_mbufs[i];
765 
766 		/*
767 		 * We assume that no kernel addresses are
768 		 * less than NET_TX_RING_SIZE.  Any entry
769 		 * in the table that is below this number
770 		 * must be an index from free-list tracking.
771 		 */
772 		if (((uintptr_t)m) <= NET_TX_RING_SIZE)
773 			continue;
774 		gnttab_end_foreign_access_ref(np->grant_tx_ref[i]);
775 		gnttab_release_grant_reference(&np->gref_tx_head,
776 		    np->grant_tx_ref[i]);
777 		np->grant_tx_ref[i] = GRANT_REF_INVALID;
778 		add_id_to_freelist(np->tx_mbufs, i);
779 		np->xn_cdata.xn_tx_chain_cnt--;
780 		if (np->xn_cdata.xn_tx_chain_cnt < 0) {
781 			panic("%s: tx_chain_cnt must be >= 0", __func__);
782 		}
783 		m_free(m);
784 	}
785 }
786 
787 static void
788 network_alloc_rx_buffers(struct netfront_info *sc)
789 {
790 	int otherend_id = xenbus_get_otherend_id(sc->xbdev);
791 	unsigned short id;
792 	struct mbuf *m_new;
793 	int i, batch_target, notify;
794 	RING_IDX req_prod;
795 	struct xen_memory_reservation reservation;
796 	grant_ref_t ref;
797 	int nr_flips;
798 	netif_rx_request_t *req;
799 	vm_offset_t vaddr;
800 	u_long pfn;
801 
802 	req_prod = sc->rx.req_prod_pvt;
803 
804 	if (__predict_false(sc->carrier == 0))
805 		return;
806 
807 	/*
808 	 * Allocate mbufs greedily, even though we batch updates to the
809 	 * receive ring. This creates a less bursty demand on the memory
810 	 * allocator, and so should reduce the chance of failed allocation
811 	 * requests both for ourself and for other kernel subsystems.
812 	 *
813 	 * Here we attempt to maintain rx_target buffers in flight, counting
814 	 * buffers that we have yet to process in the receive ring.
815 	 */
816 	batch_target = sc->rx_target - (req_prod - sc->rx.rsp_cons);
817 	for (i = mbufq_len(&sc->xn_rx_batch); i < batch_target; i++) {
818 		m_new = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUMPAGESIZE);
819 		if (m_new == NULL) {
820 			if (i != 0)
821 				goto refill;
822 			/*
823 			 * XXX set timer
824 			 */
825 			break;
826 		}
827 		m_new->m_len = m_new->m_pkthdr.len = MJUMPAGESIZE;
828 
829 		/* queue the mbufs allocated */
830 		(void )mbufq_enqueue(&sc->xn_rx_batch, m_new);
831 	}
832 
833 	/*
834 	 * If we've allocated at least half of our target number of entries,
835 	 * submit them to the backend - we have enough to make the overhead
836 	 * of submission worthwhile.  Otherwise wait for more mbufs and
837 	 * request entries to become available.
838 	 */
839 	if (i < (sc->rx_target/2)) {
840 		if (req_prod >sc->rx.sring->req_prod)
841 			goto push;
842 		return;
843 	}
844 
845 	/*
846 	 * Double floating fill target if we risked having the backend
847 	 * run out of empty buffers for receive traffic.  We define "running
848 	 * low" as having less than a fourth of our target buffers free
849 	 * at the time we refilled the queue.
850 	 */
851 	if ((req_prod - sc->rx.sring->rsp_prod) < (sc->rx_target / 4)) {
852 		sc->rx_target *= 2;
853 		if (sc->rx_target > sc->rx_max_target)
854 			sc->rx_target = sc->rx_max_target;
855 	}
856 
857 refill:
858 	for (nr_flips = i = 0; ; i++) {
859 		if ((m_new = mbufq_dequeue(&sc->xn_rx_batch)) == NULL)
860 			break;
861 
862 		m_new->m_ext.ext_arg1 = (vm_paddr_t *)(uintptr_t)(
863 				vtophys(m_new->m_ext.ext_buf) >> PAGE_SHIFT);
864 
865 		id = xennet_rxidx(req_prod + i);
866 
867 		KASSERT(sc->rx_mbufs[id] == NULL, ("non-NULL xm_rx_chain"));
868 		sc->rx_mbufs[id] = m_new;
869 
870 		ref = gnttab_claim_grant_reference(&sc->gref_rx_head);
871 		KASSERT(ref != GNTTAB_LIST_END,
872 			("reserved grant references exhuasted"));
873 		sc->grant_rx_ref[id] = ref;
874 
875 		vaddr = mtod(m_new, vm_offset_t);
876 		pfn = vtophys(vaddr) >> PAGE_SHIFT;
877 		req = RING_GET_REQUEST(&sc->rx, req_prod + i);
878 
879 		if (sc->copying_receiver == 0) {
880 			gnttab_grant_foreign_transfer_ref(ref,
881 			    otherend_id, pfn);
882 			sc->rx_pfn_array[nr_flips] = PFNTOMFN(pfn);
883 			if (!xen_feature(XENFEAT_auto_translated_physmap)) {
884 				/* Remove this page before passing
885 				 * back to Xen.
886 				 */
887 				set_phys_to_machine(pfn, INVALID_P2M_ENTRY);
888 				MULTI_update_va_mapping(&sc->rx_mcl[i],
889 				    vaddr, 0, 0);
890 			}
891 			nr_flips++;
892 		} else {
893 			gnttab_grant_foreign_access_ref(ref,
894 			    otherend_id,
895 			    PFNTOMFN(pfn), 0);
896 		}
897 		req->id = id;
898 		req->gref = ref;
899 
900 		sc->rx_pfn_array[i] =
901 		    vtomach(mtod(m_new,vm_offset_t)) >> PAGE_SHIFT;
902 	}
903 
904 	KASSERT(i, ("no mbufs processed")); /* should have returned earlier */
905 	KASSERT(mbufq_len(&sc->xn_rx_batch) == 0, ("not all mbufs processed"));
906 	/*
907 	 * We may have allocated buffers which have entries outstanding
908 	 * in the page * update queue -- make sure we flush those first!
909 	 */
910 	PT_UPDATES_FLUSH();
911 	if (nr_flips != 0) {
912 #ifdef notyet
913 		/* Tell the ballon driver what is going on. */
914 		balloon_update_driver_allowance(i);
915 #endif
916 		set_xen_guest_handle(reservation.extent_start, sc->rx_pfn_array);
917 		reservation.nr_extents   = i;
918 		reservation.extent_order = 0;
919 		reservation.address_bits = 0;
920 		reservation.domid        = DOMID_SELF;
921 
922 		if (!xen_feature(XENFEAT_auto_translated_physmap)) {
923 			/* After all PTEs have been zapped, flush the TLB. */
924 			sc->rx_mcl[i-1].args[MULTI_UVMFLAGS_INDEX] =
925 			    UVMF_TLB_FLUSH|UVMF_ALL;
926 
927 			/* Give away a batch of pages. */
928 			sc->rx_mcl[i].op = __HYPERVISOR_memory_op;
929 			sc->rx_mcl[i].args[0] = XENMEM_decrease_reservation;
930 			sc->rx_mcl[i].args[1] =  (u_long)&reservation;
931 			/* Zap PTEs and give away pages in one big multicall. */
932 			(void)HYPERVISOR_multicall(sc->rx_mcl, i+1);
933 
934 			if (__predict_false(sc->rx_mcl[i].result != i ||
935 			    HYPERVISOR_memory_op(XENMEM_decrease_reservation,
936 			    &reservation) != i))
937 				panic("%s: unable to reduce memory "
938 				    "reservation\n", __func__);
939 		}
940 	} else {
941 		wmb();
942 	}
943 
944 	/* Above is a suitable barrier to ensure backend will see requests. */
945 	sc->rx.req_prod_pvt = req_prod + i;
946 push:
947 	RING_PUSH_REQUESTS_AND_CHECK_NOTIFY(&sc->rx, notify);
948 	if (notify)
949 		xen_intr_signal(sc->xen_intr_handle);
950 }
951 
952 static void
953 xn_rxeof(struct netfront_info *np)
954 {
955 	struct ifnet *ifp;
956 #if __FreeBSD_version >= 700000 && (defined(INET) || defined(INET6))
957 	struct lro_ctrl *lro = &np->xn_lro;
958 	struct lro_entry *queued;
959 #endif
960 	struct netfront_rx_info rinfo;
961 	struct netif_rx_response *rx = &rinfo.rx;
962 	struct netif_extra_info *extras = rinfo.extras;
963 	RING_IDX i, rp;
964 	multicall_entry_t *mcl;
965 	struct mbuf *m;
966 	struct mbufq rxq, errq;
967 	int err, pages_flipped = 0, work_to_do;
968 
969 	do {
970 		XN_RX_LOCK_ASSERT(np);
971 		if (!netfront_carrier_ok(np))
972 			return;
973 
974 		/* XXX: there should be some sane limit. */
975 		mbufq_init(&errq, INT_MAX);
976 		mbufq_init(&rxq, INT_MAX);
977 
978 		ifp = np->xn_ifp;
979 
980 		rp = np->rx.sring->rsp_prod;
981 		rmb();	/* Ensure we see queued responses up to 'rp'. */
982 
983 		i = np->rx.rsp_cons;
984 		while ((i != rp)) {
985 			memcpy(rx, RING_GET_RESPONSE(&np->rx, i), sizeof(*rx));
986 			memset(extras, 0, sizeof(rinfo.extras));
987 
988 			m = NULL;
989 			err = xennet_get_responses(np, &rinfo, rp, &i, &m,
990 			    &pages_flipped);
991 
992 			if (__predict_false(err)) {
993 				if (m)
994 					(void )mbufq_enqueue(&errq, m);
995 				np->stats.rx_errors++;
996 				continue;
997 			}
998 
999 			m->m_pkthdr.rcvif = ifp;
1000 			if ( rx->flags & NETRXF_data_validated ) {
1001 				/* Tell the stack the checksums are okay */
1002 				/*
1003 				 * XXX this isn't necessarily the case - need to add
1004 				 * check
1005 				 */
1006 
1007 				m->m_pkthdr.csum_flags |=
1008 					(CSUM_IP_CHECKED | CSUM_IP_VALID | CSUM_DATA_VALID
1009 					    | CSUM_PSEUDO_HDR);
1010 				m->m_pkthdr.csum_data = 0xffff;
1011 			}
1012 
1013 			np->stats.rx_packets++;
1014 			np->stats.rx_bytes += m->m_pkthdr.len;
1015 
1016 			(void )mbufq_enqueue(&rxq, m);
1017 			np->rx.rsp_cons = i;
1018 		}
1019 
1020 		if (pages_flipped) {
1021 			/* Some pages are no longer absent... */
1022 #ifdef notyet
1023 			balloon_update_driver_allowance(-pages_flipped);
1024 #endif
1025 			/* Do all the remapping work, and M->P updates, in one big
1026 			 * hypercall.
1027 			 */
1028 			if (!!xen_feature(XENFEAT_auto_translated_physmap)) {
1029 				mcl = np->rx_mcl + pages_flipped;
1030 				mcl->op = __HYPERVISOR_mmu_update;
1031 				mcl->args[0] = (u_long)np->rx_mmu;
1032 				mcl->args[1] = pages_flipped;
1033 				mcl->args[2] = 0;
1034 				mcl->args[3] = DOMID_SELF;
1035 				(void)HYPERVISOR_multicall(np->rx_mcl,
1036 				    pages_flipped + 1);
1037 			}
1038 		}
1039 
1040 		mbufq_drain(&errq);
1041 
1042 		/*
1043 		 * Process all the mbufs after the remapping is complete.
1044 		 * Break the mbuf chain first though.
1045 		 */
1046 		while ((m = mbufq_dequeue(&rxq)) != NULL) {
1047 			if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
1048 
1049 			/*
1050 			 * Do we really need to drop the rx lock?
1051 			 */
1052 			XN_RX_UNLOCK(np);
1053 #if __FreeBSD_version >= 700000 && (defined(INET) || defined(INET6))
1054 			/* Use LRO if possible */
1055 			if ((ifp->if_capenable & IFCAP_LRO) == 0 ||
1056 			    lro->lro_cnt == 0 || tcp_lro_rx(lro, m, 0)) {
1057 				/*
1058 				 * If LRO fails, pass up to the stack
1059 				 * directly.
1060 				 */
1061 				(*ifp->if_input)(ifp, m);
1062 			}
1063 #else
1064 			(*ifp->if_input)(ifp, m);
1065 #endif
1066 			XN_RX_LOCK(np);
1067 		}
1068 
1069 		np->rx.rsp_cons = i;
1070 
1071 #if __FreeBSD_version >= 700000 && (defined(INET) || defined(INET6))
1072 		/*
1073 		 * Flush any outstanding LRO work
1074 		 */
1075 		while (!SLIST_EMPTY(&lro->lro_active)) {
1076 			queued = SLIST_FIRST(&lro->lro_active);
1077 			SLIST_REMOVE_HEAD(&lro->lro_active, next);
1078 			tcp_lro_flush(lro, queued);
1079 		}
1080 #endif
1081 
1082 #if 0
1083 		/* If we get a callback with very few responses, reduce fill target. */
1084 		/* NB. Note exponential increase, linear decrease. */
1085 		if (((np->rx.req_prod_pvt - np->rx.sring->rsp_prod) >
1086 			((3*np->rx_target) / 4)) && (--np->rx_target < np->rx_min_target))
1087 			np->rx_target = np->rx_min_target;
1088 #endif
1089 
1090 		network_alloc_rx_buffers(np);
1091 
1092 		RING_FINAL_CHECK_FOR_RESPONSES(&np->rx, work_to_do);
1093 	} while (work_to_do);
1094 }
1095 
1096 static void
1097 xn_txeof(struct netfront_info *np)
1098 {
1099 	RING_IDX i, prod;
1100 	unsigned short id;
1101 	struct ifnet *ifp;
1102 	netif_tx_response_t *txr;
1103 	struct mbuf *m;
1104 
1105 	XN_TX_LOCK_ASSERT(np);
1106 
1107 	if (!netfront_carrier_ok(np))
1108 		return;
1109 
1110 	ifp = np->xn_ifp;
1111 
1112 	do {
1113 		prod = np->tx.sring->rsp_prod;
1114 		rmb(); /* Ensure we see responses up to 'rp'. */
1115 
1116 		for (i = np->tx.rsp_cons; i != prod; i++) {
1117 			txr = RING_GET_RESPONSE(&np->tx, i);
1118 			if (txr->status == NETIF_RSP_NULL)
1119 				continue;
1120 
1121 			if (txr->status != NETIF_RSP_OKAY) {
1122 				printf("%s: WARNING: response is %d!\n",
1123 				       __func__, txr->status);
1124 			}
1125 			id = txr->id;
1126 			m = np->tx_mbufs[id];
1127 			KASSERT(m != NULL, ("mbuf not found in xn_tx_chain"));
1128 			KASSERT((uintptr_t)m > NET_TX_RING_SIZE,
1129 				("mbuf already on the free list, but we're "
1130 				"trying to free it again!"));
1131 			M_ASSERTVALID(m);
1132 
1133 			/*
1134 			 * Increment packet count if this is the last
1135 			 * mbuf of the chain.
1136 			 */
1137 			if (!m->m_next)
1138 				if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
1139 			if (__predict_false(gnttab_query_foreign_access(
1140 			    np->grant_tx_ref[id]) != 0)) {
1141 				panic("%s: grant id %u still in use by the "
1142 				    "backend", __func__, id);
1143 			}
1144 			gnttab_end_foreign_access_ref(
1145 				np->grant_tx_ref[id]);
1146 			gnttab_release_grant_reference(
1147 				&np->gref_tx_head, np->grant_tx_ref[id]);
1148 			np->grant_tx_ref[id] = GRANT_REF_INVALID;
1149 
1150 			np->tx_mbufs[id] = NULL;
1151 			add_id_to_freelist(np->tx_mbufs, id);
1152 			np->xn_cdata.xn_tx_chain_cnt--;
1153 			m_free(m);
1154 			/* Only mark the queue active if we've freed up at least one slot to try */
1155 			ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
1156 		}
1157 		np->tx.rsp_cons = prod;
1158 
1159 		/*
1160 		 * Set a new event, then check for race with update of
1161 		 * tx_cons. Note that it is essential to schedule a
1162 		 * callback, no matter how few buffers are pending. Even if
1163 		 * there is space in the transmit ring, higher layers may
1164 		 * be blocked because too much data is outstanding: in such
1165 		 * cases notification from Xen is likely to be the only kick
1166 		 * that we'll get.
1167 		 */
1168 		np->tx.sring->rsp_event =
1169 		    prod + ((np->tx.sring->req_prod - prod) >> 1) + 1;
1170 
1171 		mb();
1172 	} while (prod != np->tx.sring->rsp_prod);
1173 
1174 	if (np->tx_full &&
1175 	    ((np->tx.sring->req_prod - prod) < NET_TX_RING_SIZE)) {
1176 		np->tx_full = 0;
1177 #if 0
1178 		if (np->user_state == UST_OPEN)
1179 			netif_wake_queue(dev);
1180 #endif
1181 	}
1182 }
1183 
1184 static void
1185 xn_intr(void *xsc)
1186 {
1187 	struct netfront_info *np = xsc;
1188 	struct ifnet *ifp = np->xn_ifp;
1189 
1190 #if 0
1191 	if (!(np->rx.rsp_cons != np->rx.sring->rsp_prod &&
1192 	    likely(netfront_carrier_ok(np)) &&
1193 	    ifp->if_drv_flags & IFF_DRV_RUNNING))
1194 		return;
1195 #endif
1196 	if (RING_HAS_UNCONSUMED_RESPONSES(&np->tx)) {
1197 		XN_TX_LOCK(np);
1198 		xn_txeof(np);
1199 		XN_TX_UNLOCK(np);
1200 	}
1201 
1202 	XN_RX_LOCK(np);
1203 	xn_rxeof(np);
1204 	XN_RX_UNLOCK(np);
1205 
1206 	if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
1207 	    !IFQ_DRV_IS_EMPTY(&ifp->if_snd))
1208 		xn_start(ifp);
1209 }
1210 
1211 static void
1212 xennet_move_rx_slot(struct netfront_info *np, struct mbuf *m,
1213 	grant_ref_t ref)
1214 {
1215 	int new = xennet_rxidx(np->rx.req_prod_pvt);
1216 
1217 	KASSERT(np->rx_mbufs[new] == NULL, ("rx_mbufs != NULL"));
1218 	np->rx_mbufs[new] = m;
1219 	np->grant_rx_ref[new] = ref;
1220 	RING_GET_REQUEST(&np->rx, np->rx.req_prod_pvt)->id = new;
1221 	RING_GET_REQUEST(&np->rx, np->rx.req_prod_pvt)->gref = ref;
1222 	np->rx.req_prod_pvt++;
1223 }
1224 
1225 static int
1226 xennet_get_extras(struct netfront_info *np,
1227     struct netif_extra_info *extras, RING_IDX rp, RING_IDX *cons)
1228 {
1229 	struct netif_extra_info *extra;
1230 
1231 	int err = 0;
1232 
1233 	do {
1234 		struct mbuf *m;
1235 		grant_ref_t ref;
1236 
1237 		if (__predict_false(*cons + 1 == rp)) {
1238 #if 0
1239 			if (net_ratelimit())
1240 				WPRINTK("Missing extra info\n");
1241 #endif
1242 			err = EINVAL;
1243 			break;
1244 		}
1245 
1246 		extra = (struct netif_extra_info *)
1247 		RING_GET_RESPONSE(&np->rx, ++(*cons));
1248 
1249 		if (__predict_false(!extra->type ||
1250 			extra->type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
1251 #if 0
1252 			if (net_ratelimit())
1253 				WPRINTK("Invalid extra type: %d\n",
1254 					extra->type);
1255 #endif
1256 			err = EINVAL;
1257 		} else {
1258 			memcpy(&extras[extra->type - 1], extra, sizeof(*extra));
1259 		}
1260 
1261 		m = xennet_get_rx_mbuf(np, *cons);
1262 		ref = xennet_get_rx_ref(np, *cons);
1263 		xennet_move_rx_slot(np, m, ref);
1264 	} while (extra->flags & XEN_NETIF_EXTRA_FLAG_MORE);
1265 
1266 	return err;
1267 }
1268 
1269 static int
1270 xennet_get_responses(struct netfront_info *np,
1271 	struct netfront_rx_info *rinfo, RING_IDX rp, RING_IDX *cons,
1272 	struct mbuf  **list,
1273 	int *pages_flipped_p)
1274 {
1275 	int pages_flipped = *pages_flipped_p;
1276 	struct mmu_update *mmu;
1277 	struct multicall_entry *mcl;
1278 	struct netif_rx_response *rx = &rinfo->rx;
1279 	struct netif_extra_info *extras = rinfo->extras;
1280 	struct mbuf *m, *m0, *m_prev;
1281 	grant_ref_t ref = xennet_get_rx_ref(np, *cons);
1282 	RING_IDX ref_cons = *cons;
1283 	int frags = 1;
1284 	int err = 0;
1285 	u_long ret;
1286 
1287 	m0 = m = m_prev = xennet_get_rx_mbuf(np, *cons);
1288 
1289 	if (rx->flags & NETRXF_extra_info) {
1290 		err = xennet_get_extras(np, extras, rp, cons);
1291 	}
1292 
1293 	if (m0 != NULL) {
1294 		m0->m_pkthdr.len = 0;
1295 		m0->m_next = NULL;
1296 	}
1297 
1298 	for (;;) {
1299 		u_long mfn;
1300 
1301 #if 0
1302 		DPRINTK("rx->status=%hd rx->offset=%hu frags=%u\n",
1303 			rx->status, rx->offset, frags);
1304 #endif
1305 		if (__predict_false(rx->status < 0 ||
1306 			rx->offset + rx->status > PAGE_SIZE)) {
1307 
1308 #if 0
1309 			if (net_ratelimit())
1310 				WPRINTK("rx->offset: %x, size: %u\n",
1311 					rx->offset, rx->status);
1312 #endif
1313 			xennet_move_rx_slot(np, m, ref);
1314 			if (m0 == m)
1315 				m0 = NULL;
1316 			m = NULL;
1317 			err = EINVAL;
1318 			goto next_skip_queue;
1319 		}
1320 
1321 		/*
1322 		 * This definitely indicates a bug, either in this driver or in
1323 		 * the backend driver. In future this should flag the bad
1324 		 * situation to the system controller to reboot the backed.
1325 		 */
1326 		if (ref == GRANT_REF_INVALID) {
1327 
1328 #if 0
1329 			if (net_ratelimit())
1330 				WPRINTK("Bad rx response id %d.\n", rx->id);
1331 #endif
1332 			printf("%s: Bad rx response id %d.\n", __func__,rx->id);
1333 			err = EINVAL;
1334 			goto next;
1335 		}
1336 
1337 		if (!np->copying_receiver) {
1338 			/* Memory pressure, insufficient buffer
1339 			 * headroom, ...
1340 			 */
1341 			if (!(mfn = gnttab_end_foreign_transfer_ref(ref))) {
1342 				WPRINTK("Unfulfilled rx req (id=%d, st=%d).\n",
1343 					rx->id, rx->status);
1344 				xennet_move_rx_slot(np, m, ref);
1345 				err = ENOMEM;
1346 				goto next;
1347 			}
1348 
1349 			if (!xen_feature( XENFEAT_auto_translated_physmap)) {
1350 				/* Remap the page. */
1351 				void *vaddr = mtod(m, void *);
1352 				uint32_t pfn;
1353 
1354 				mcl = np->rx_mcl + pages_flipped;
1355 				mmu = np->rx_mmu + pages_flipped;
1356 
1357 				MULTI_update_va_mapping(mcl, (u_long)vaddr,
1358 				    (((vm_paddr_t)mfn) << PAGE_SHIFT) | PG_RW |
1359 				    PG_V | PG_M | PG_A, 0);
1360 				pfn = (uintptr_t)m->m_ext.ext_arg1;
1361 				mmu->ptr = ((vm_paddr_t)mfn << PAGE_SHIFT) |
1362 				    MMU_MACHPHYS_UPDATE;
1363 				mmu->val = pfn;
1364 
1365 				set_phys_to_machine(pfn, mfn);
1366 			}
1367 			pages_flipped++;
1368 		} else {
1369 			ret = gnttab_end_foreign_access_ref(ref);
1370 			KASSERT(ret, ("ret != 0"));
1371 		}
1372 
1373 		gnttab_release_grant_reference(&np->gref_rx_head, ref);
1374 
1375 next:
1376 		if (m == NULL)
1377 			break;
1378 
1379 		m->m_len = rx->status;
1380 		m->m_data += rx->offset;
1381 		m0->m_pkthdr.len += rx->status;
1382 
1383 next_skip_queue:
1384 		if (!(rx->flags & NETRXF_more_data))
1385 			break;
1386 
1387 		if (*cons + frags == rp) {
1388 			if (net_ratelimit())
1389 				WPRINTK("Need more frags\n");
1390 			err = ENOENT;
1391 			printf("%s: cons %u frags %u rp %u, not enough frags\n",
1392 			       __func__, *cons, frags, rp);
1393 			break;
1394 		}
1395 		/*
1396 		 * Note that m can be NULL, if rx->status < 0 or if
1397 		 * rx->offset + rx->status > PAGE_SIZE above.
1398 		 */
1399 		m_prev = m;
1400 
1401 		rx = RING_GET_RESPONSE(&np->rx, *cons + frags);
1402 		m = xennet_get_rx_mbuf(np, *cons + frags);
1403 
1404 		/*
1405 		 * m_prev == NULL can happen if rx->status < 0 or if
1406 		 * rx->offset + * rx->status > PAGE_SIZE above.
1407 		 */
1408 		if (m_prev != NULL)
1409 			m_prev->m_next = m;
1410 
1411 		/*
1412 		 * m0 can be NULL if rx->status < 0 or if * rx->offset +
1413 		 * rx->status > PAGE_SIZE above.
1414 		 */
1415 		if (m0 == NULL)
1416 			m0 = m;
1417 		m->m_next = NULL;
1418 		ref = xennet_get_rx_ref(np, *cons + frags);
1419 		ref_cons = *cons + frags;
1420 		frags++;
1421 	}
1422 	*list = m0;
1423 	*cons += frags;
1424 	*pages_flipped_p = pages_flipped;
1425 
1426 	return (err);
1427 }
1428 
1429 static void
1430 xn_tick_locked(struct netfront_info *sc)
1431 {
1432 	XN_RX_LOCK_ASSERT(sc);
1433 	callout_reset(&sc->xn_stat_ch, hz, xn_tick, sc);
1434 
1435 	/* XXX placeholder for printing debug information */
1436 }
1437 
1438 static void
1439 xn_tick(void *xsc)
1440 {
1441 	struct netfront_info *sc;
1442 
1443 	sc = xsc;
1444 	XN_RX_LOCK(sc);
1445 	xn_tick_locked(sc);
1446 	XN_RX_UNLOCK(sc);
1447 }
1448 
1449 /**
1450  * \brief Count the number of fragments in an mbuf chain.
1451  *
1452  * Surprisingly, there isn't an M* macro for this.
1453  */
1454 static inline int
1455 xn_count_frags(struct mbuf *m)
1456 {
1457 	int nfrags;
1458 
1459 	for (nfrags = 0; m != NULL; m = m->m_next)
1460 		nfrags++;
1461 
1462 	return (nfrags);
1463 }
1464 
1465 /**
1466  * Given an mbuf chain, make sure we have enough room and then push
1467  * it onto the transmit ring.
1468  */
1469 static int
1470 xn_assemble_tx_request(struct netfront_info *sc, struct mbuf *m_head)
1471 {
1472 	struct ifnet *ifp;
1473 	struct mbuf *m;
1474 	u_int nfrags;
1475 	int otherend_id;
1476 
1477 	ifp = sc->xn_ifp;
1478 
1479 	/**
1480 	 * Defragment the mbuf if necessary.
1481 	 */
1482 	nfrags = xn_count_frags(m_head);
1483 
1484 	/*
1485 	 * Check to see whether this request is longer than netback
1486 	 * can handle, and try to defrag it.
1487 	 */
1488 	/**
1489 	 * It is a bit lame, but the netback driver in Linux can't
1490 	 * deal with nfrags > MAX_TX_REQ_FRAGS, which is a quirk of
1491 	 * the Linux network stack.
1492 	 */
1493 	if (nfrags > sc->maxfrags) {
1494 		m = m_defrag(m_head, M_NOWAIT);
1495 		if (!m) {
1496 			/*
1497 			 * Defrag failed, so free the mbuf and
1498 			 * therefore drop the packet.
1499 			 */
1500 			m_freem(m_head);
1501 			return (EMSGSIZE);
1502 		}
1503 		m_head = m;
1504 	}
1505 
1506 	/* Determine how many fragments now exist */
1507 	nfrags = xn_count_frags(m_head);
1508 
1509 	/*
1510 	 * Check to see whether the defragmented packet has too many
1511 	 * segments for the Linux netback driver.
1512 	 */
1513 	/**
1514 	 * The FreeBSD TCP stack, with TSO enabled, can produce a chain
1515 	 * of mbufs longer than Linux can handle.  Make sure we don't
1516 	 * pass a too-long chain over to the other side by dropping the
1517 	 * packet.  It doesn't look like there is currently a way to
1518 	 * tell the TCP stack to generate a shorter chain of packets.
1519 	 */
1520 	if (nfrags > MAX_TX_REQ_FRAGS) {
1521 #ifdef DEBUG
1522 		printf("%s: nfrags %d > MAX_TX_REQ_FRAGS %d, netback "
1523 		       "won't be able to handle it, dropping\n",
1524 		       __func__, nfrags, MAX_TX_REQ_FRAGS);
1525 #endif
1526 		m_freem(m_head);
1527 		return (EMSGSIZE);
1528 	}
1529 
1530 	/*
1531 	 * This check should be redundant.  We've already verified that we
1532 	 * have enough slots in the ring to handle a packet of maximum
1533 	 * size, and that our packet is less than the maximum size.  Keep
1534 	 * it in here as an assert for now just to make certain that
1535 	 * xn_tx_chain_cnt is accurate.
1536 	 */
1537 	KASSERT((sc->xn_cdata.xn_tx_chain_cnt + nfrags) <= NET_TX_RING_SIZE,
1538 		("%s: xn_tx_chain_cnt (%d) + nfrags (%d) > NET_TX_RING_SIZE "
1539 		 "(%d)!", __func__, (int) sc->xn_cdata.xn_tx_chain_cnt,
1540                     (int) nfrags, (int) NET_TX_RING_SIZE));
1541 
1542 	/*
1543 	 * Start packing the mbufs in this chain into
1544 	 * the fragment pointers. Stop when we run out
1545 	 * of fragments or hit the end of the mbuf chain.
1546 	 */
1547 	m = m_head;
1548 	otherend_id = xenbus_get_otherend_id(sc->xbdev);
1549 	for (m = m_head; m; m = m->m_next) {
1550 		netif_tx_request_t *tx;
1551 		uintptr_t id;
1552 		grant_ref_t ref;
1553 		u_long mfn; /* XXX Wrong type? */
1554 
1555 		tx = RING_GET_REQUEST(&sc->tx, sc->tx.req_prod_pvt);
1556 		id = get_id_from_freelist(sc->tx_mbufs);
1557 		if (id == 0)
1558 			panic("%s: was allocated the freelist head!\n",
1559 			    __func__);
1560 		sc->xn_cdata.xn_tx_chain_cnt++;
1561 		if (sc->xn_cdata.xn_tx_chain_cnt > NET_TX_RING_SIZE)
1562 			panic("%s: tx_chain_cnt must be <= NET_TX_RING_SIZE\n",
1563 			    __func__);
1564 		sc->tx_mbufs[id] = m;
1565 		tx->id = id;
1566 		ref = gnttab_claim_grant_reference(&sc->gref_tx_head);
1567 		KASSERT((short)ref >= 0, ("Negative ref"));
1568 		mfn = virt_to_mfn(mtod(m, vm_offset_t));
1569 		gnttab_grant_foreign_access_ref(ref, otherend_id,
1570 		    mfn, GNTMAP_readonly);
1571 		tx->gref = sc->grant_tx_ref[id] = ref;
1572 		tx->offset = mtod(m, vm_offset_t) & (PAGE_SIZE - 1);
1573 		tx->flags = 0;
1574 		if (m == m_head) {
1575 			/*
1576 			 * The first fragment has the entire packet
1577 			 * size, subsequent fragments have just the
1578 			 * fragment size. The backend works out the
1579 			 * true size of the first fragment by
1580 			 * subtracting the sizes of the other
1581 			 * fragments.
1582 			 */
1583 			tx->size = m->m_pkthdr.len;
1584 
1585 			/*
1586 			 * The first fragment contains the checksum flags
1587 			 * and is optionally followed by extra data for
1588 			 * TSO etc.
1589 			 */
1590 			/**
1591 			 * CSUM_TSO requires checksum offloading.
1592 			 * Some versions of FreeBSD fail to
1593 			 * set CSUM_TCP in the CSUM_TSO case,
1594 			 * so we have to test for CSUM_TSO
1595 			 * explicitly.
1596 			 */
1597 			if (m->m_pkthdr.csum_flags
1598 			    & (CSUM_DELAY_DATA | CSUM_TSO)) {
1599 				tx->flags |= (NETTXF_csum_blank
1600 				    | NETTXF_data_validated);
1601 			}
1602 #if __FreeBSD_version >= 700000
1603 			if (m->m_pkthdr.csum_flags & CSUM_TSO) {
1604 				struct netif_extra_info *gso =
1605 					(struct netif_extra_info *)
1606 					RING_GET_REQUEST(&sc->tx,
1607 							 ++sc->tx.req_prod_pvt);
1608 
1609 				tx->flags |= NETTXF_extra_info;
1610 
1611 				gso->u.gso.size = m->m_pkthdr.tso_segsz;
1612 				gso->u.gso.type =
1613 					XEN_NETIF_GSO_TYPE_TCPV4;
1614 				gso->u.gso.pad = 0;
1615 				gso->u.gso.features = 0;
1616 
1617 				gso->type = XEN_NETIF_EXTRA_TYPE_GSO;
1618 				gso->flags = 0;
1619 			}
1620 #endif
1621 		} else {
1622 			tx->size = m->m_len;
1623 		}
1624 		if (m->m_next)
1625 			tx->flags |= NETTXF_more_data;
1626 
1627 		sc->tx.req_prod_pvt++;
1628 	}
1629 	BPF_MTAP(ifp, m_head);
1630 
1631 	sc->stats.tx_bytes += m_head->m_pkthdr.len;
1632 	sc->stats.tx_packets++;
1633 
1634 	return (0);
1635 }
1636 
1637 static void
1638 xn_start_locked(struct ifnet *ifp)
1639 {
1640 	struct netfront_info *sc;
1641 	struct mbuf *m_head;
1642 	int notify;
1643 
1644 	sc = ifp->if_softc;
1645 
1646 	if (!netfront_carrier_ok(sc))
1647 		return;
1648 
1649 	/*
1650 	 * While we have enough transmit slots available for at least one
1651 	 * maximum-sized packet, pull mbufs off the queue and put them on
1652 	 * the transmit ring.
1653 	 */
1654 	while (xn_tx_slot_available(sc)) {
1655 		IF_DEQUEUE(&ifp->if_snd, m_head);
1656 		if (m_head == NULL)
1657 			break;
1658 
1659 		if (xn_assemble_tx_request(sc, m_head) != 0)
1660 			break;
1661 	}
1662 
1663 	RING_PUSH_REQUESTS_AND_CHECK_NOTIFY(&sc->tx, notify);
1664 	if (notify)
1665 		xen_intr_signal(sc->xen_intr_handle);
1666 
1667 	if (RING_FULL(&sc->tx)) {
1668 		sc->tx_full = 1;
1669 #if 0
1670 		netif_stop_queue(dev);
1671 #endif
1672 	}
1673 }
1674 
1675 static void
1676 xn_start(struct ifnet *ifp)
1677 {
1678 	struct netfront_info *sc;
1679 	sc = ifp->if_softc;
1680 	XN_TX_LOCK(sc);
1681 	xn_start_locked(ifp);
1682 	XN_TX_UNLOCK(sc);
1683 }
1684 
1685 /* equivalent of network_open() in Linux */
1686 static void
1687 xn_ifinit_locked(struct netfront_info *sc)
1688 {
1689 	struct ifnet *ifp;
1690 
1691 	XN_LOCK_ASSERT(sc);
1692 
1693 	ifp = sc->xn_ifp;
1694 
1695 	if (ifp->if_drv_flags & IFF_DRV_RUNNING)
1696 		return;
1697 
1698 	xn_stop(sc);
1699 
1700 	network_alloc_rx_buffers(sc);
1701 	sc->rx.sring->rsp_event = sc->rx.rsp_cons + 1;
1702 
1703 	ifp->if_drv_flags |= IFF_DRV_RUNNING;
1704 	ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
1705 	if_link_state_change(ifp, LINK_STATE_UP);
1706 
1707 	callout_reset(&sc->xn_stat_ch, hz, xn_tick, sc);
1708 }
1709 
1710 static void
1711 xn_ifinit(void *xsc)
1712 {
1713 	struct netfront_info *sc = xsc;
1714 
1715 	XN_LOCK(sc);
1716 	xn_ifinit_locked(sc);
1717 	XN_UNLOCK(sc);
1718 }
1719 
1720 static int
1721 xn_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
1722 {
1723 	struct netfront_info *sc = ifp->if_softc;
1724 	struct ifreq *ifr = (struct ifreq *) data;
1725 #ifdef INET
1726 	struct ifaddr *ifa = (struct ifaddr *)data;
1727 #endif
1728 
1729 	int mask, error = 0;
1730 	switch(cmd) {
1731 	case SIOCSIFADDR:
1732 #ifdef INET
1733 		XN_LOCK(sc);
1734 		if (ifa->ifa_addr->sa_family == AF_INET) {
1735 			ifp->if_flags |= IFF_UP;
1736 			if (!(ifp->if_drv_flags & IFF_DRV_RUNNING))
1737 				xn_ifinit_locked(sc);
1738 			arp_ifinit(ifp, ifa);
1739 			XN_UNLOCK(sc);
1740 		} else {
1741 			XN_UNLOCK(sc);
1742 #endif
1743 			error = ether_ioctl(ifp, cmd, data);
1744 #ifdef INET
1745 		}
1746 #endif
1747 		break;
1748 	case SIOCSIFMTU:
1749 		/* XXX can we alter the MTU on a VN ?*/
1750 #ifdef notyet
1751 		if (ifr->ifr_mtu > XN_JUMBO_MTU)
1752 			error = EINVAL;
1753 		else
1754 #endif
1755 		{
1756 			ifp->if_mtu = ifr->ifr_mtu;
1757 			ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1758 			xn_ifinit(sc);
1759 		}
1760 		break;
1761 	case SIOCSIFFLAGS:
1762 		XN_LOCK(sc);
1763 		if (ifp->if_flags & IFF_UP) {
1764 			/*
1765 			 * If only the state of the PROMISC flag changed,
1766 			 * then just use the 'set promisc mode' command
1767 			 * instead of reinitializing the entire NIC. Doing
1768 			 * a full re-init means reloading the firmware and
1769 			 * waiting for it to start up, which may take a
1770 			 * second or two.
1771 			 */
1772 #ifdef notyet
1773 			/* No promiscuous mode with Xen */
1774 			if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
1775 			    ifp->if_flags & IFF_PROMISC &&
1776 			    !(sc->xn_if_flags & IFF_PROMISC)) {
1777 				XN_SETBIT(sc, XN_RX_MODE,
1778 					  XN_RXMODE_RX_PROMISC);
1779 			} else if (ifp->if_drv_flags & IFF_DRV_RUNNING &&
1780 				   !(ifp->if_flags & IFF_PROMISC) &&
1781 				   sc->xn_if_flags & IFF_PROMISC) {
1782 				XN_CLRBIT(sc, XN_RX_MODE,
1783 					  XN_RXMODE_RX_PROMISC);
1784 			} else
1785 #endif
1786 				xn_ifinit_locked(sc);
1787 		} else {
1788 			if (ifp->if_drv_flags & IFF_DRV_RUNNING) {
1789 				xn_stop(sc);
1790 			}
1791 		}
1792 		sc->xn_if_flags = ifp->if_flags;
1793 		XN_UNLOCK(sc);
1794 		error = 0;
1795 		break;
1796 	case SIOCSIFCAP:
1797 		mask = ifr->ifr_reqcap ^ ifp->if_capenable;
1798 		if (mask & IFCAP_TXCSUM) {
1799 			if (IFCAP_TXCSUM & ifp->if_capenable) {
1800 				ifp->if_capenable &= ~(IFCAP_TXCSUM|IFCAP_TSO4);
1801 				ifp->if_hwassist &= ~(CSUM_TCP | CSUM_UDP
1802 				    | CSUM_IP | CSUM_TSO);
1803 			} else {
1804 				ifp->if_capenable |= IFCAP_TXCSUM;
1805 				ifp->if_hwassist |= (CSUM_TCP | CSUM_UDP
1806 				    | CSUM_IP);
1807 			}
1808 		}
1809 		if (mask & IFCAP_RXCSUM) {
1810 			ifp->if_capenable ^= IFCAP_RXCSUM;
1811 		}
1812 #if __FreeBSD_version >= 700000
1813 		if (mask & IFCAP_TSO4) {
1814 			if (IFCAP_TSO4 & ifp->if_capenable) {
1815 				ifp->if_capenable &= ~IFCAP_TSO4;
1816 				ifp->if_hwassist &= ~CSUM_TSO;
1817 			} else if (IFCAP_TXCSUM & ifp->if_capenable) {
1818 				ifp->if_capenable |= IFCAP_TSO4;
1819 				ifp->if_hwassist |= CSUM_TSO;
1820 			} else {
1821 				IPRINTK("Xen requires tx checksum offload"
1822 				    " be enabled to use TSO\n");
1823 				error = EINVAL;
1824 			}
1825 		}
1826 		if (mask & IFCAP_LRO) {
1827 			ifp->if_capenable ^= IFCAP_LRO;
1828 
1829 		}
1830 #endif
1831 		error = 0;
1832 		break;
1833 	case SIOCADDMULTI:
1834 	case SIOCDELMULTI:
1835 #ifdef notyet
1836 		if (ifp->if_drv_flags & IFF_DRV_RUNNING) {
1837 			XN_LOCK(sc);
1838 			xn_setmulti(sc);
1839 			XN_UNLOCK(sc);
1840 			error = 0;
1841 		}
1842 #endif
1843 		/* FALLTHROUGH */
1844 	case SIOCSIFMEDIA:
1845 	case SIOCGIFMEDIA:
1846 		error = ifmedia_ioctl(ifp, ifr, &sc->sc_media, cmd);
1847 		break;
1848 	default:
1849 		error = ether_ioctl(ifp, cmd, data);
1850 	}
1851 
1852 	return (error);
1853 }
1854 
1855 static void
1856 xn_stop(struct netfront_info *sc)
1857 {
1858 	struct ifnet *ifp;
1859 
1860 	XN_LOCK_ASSERT(sc);
1861 
1862 	ifp = sc->xn_ifp;
1863 
1864 	callout_stop(&sc->xn_stat_ch);
1865 
1866 	xn_free_rx_ring(sc);
1867 	xn_free_tx_ring(sc);
1868 
1869 	ifp->if_drv_flags &= ~(IFF_DRV_RUNNING | IFF_DRV_OACTIVE);
1870 	if_link_state_change(ifp, LINK_STATE_DOWN);
1871 }
1872 
1873 /* START of Xenolinux helper functions adapted to FreeBSD */
1874 int
1875 network_connect(struct netfront_info *np)
1876 {
1877 	int i, requeue_idx, error;
1878 	grant_ref_t ref;
1879 	netif_rx_request_t *req;
1880 	u_int feature_rx_copy, feature_rx_flip;
1881 
1882 	error = xs_scanf(XST_NIL, xenbus_get_otherend_path(np->xbdev),
1883 	    "feature-rx-copy", NULL, "%u", &feature_rx_copy);
1884 	if (error)
1885 		feature_rx_copy = 0;
1886 	error = xs_scanf(XST_NIL, xenbus_get_otherend_path(np->xbdev),
1887 	    "feature-rx-flip", NULL, "%u", &feature_rx_flip);
1888 	if (error)
1889 		feature_rx_flip = 1;
1890 
1891 	/*
1892 	 * Copy packets on receive path if:
1893 	 *  (a) This was requested by user, and the backend supports it; or
1894 	 *  (b) Flipping was requested, but this is unsupported by the backend.
1895 	 */
1896 	np->copying_receiver = ((MODPARM_rx_copy && feature_rx_copy) ||
1897 				(MODPARM_rx_flip && !feature_rx_flip));
1898 
1899 	/* Recovery procedure: */
1900 	error = talk_to_backend(np->xbdev, np);
1901 	if (error)
1902 		return (error);
1903 
1904 	/* Step 1: Reinitialise variables. */
1905 	xn_query_features(np);
1906 	xn_configure_features(np);
1907 	netif_release_tx_bufs(np);
1908 
1909 	/* Step 2: Rebuild the RX buffer freelist and the RX ring itself. */
1910 	for (requeue_idx = 0, i = 0; i < NET_RX_RING_SIZE; i++) {
1911 		struct mbuf *m;
1912 		u_long pfn;
1913 
1914 		if (np->rx_mbufs[i] == NULL)
1915 			continue;
1916 
1917 		m = np->rx_mbufs[requeue_idx] = xennet_get_rx_mbuf(np, i);
1918 		ref = np->grant_rx_ref[requeue_idx] = xennet_get_rx_ref(np, i);
1919 
1920 		req = RING_GET_REQUEST(&np->rx, requeue_idx);
1921 		pfn = vtophys(mtod(m, vm_offset_t)) >> PAGE_SHIFT;
1922 
1923 		if (!np->copying_receiver) {
1924 			gnttab_grant_foreign_transfer_ref(ref,
1925 			    xenbus_get_otherend_id(np->xbdev),
1926 			    pfn);
1927 		} else {
1928 			gnttab_grant_foreign_access_ref(ref,
1929 			    xenbus_get_otherend_id(np->xbdev),
1930 			    PFNTOMFN(pfn), 0);
1931 		}
1932 		req->gref = ref;
1933 		req->id   = requeue_idx;
1934 
1935 		requeue_idx++;
1936 	}
1937 
1938 	np->rx.req_prod_pvt = requeue_idx;
1939 
1940 	/* Step 3: All public and private state should now be sane.  Get
1941 	 * ready to start sending and receiving packets and give the driver
1942 	 * domain a kick because we've probably just requeued some
1943 	 * packets.
1944 	 */
1945 	netfront_carrier_on(np);
1946 	xen_intr_signal(np->xen_intr_handle);
1947 	XN_TX_LOCK(np);
1948 	xn_txeof(np);
1949 	XN_TX_UNLOCK(np);
1950 	network_alloc_rx_buffers(np);
1951 
1952 	return (0);
1953 }
1954 
1955 static void
1956 xn_query_features(struct netfront_info *np)
1957 {
1958 	int val;
1959 
1960 	device_printf(np->xbdev, "backend features:");
1961 
1962 	if (xs_scanf(XST_NIL, xenbus_get_otherend_path(np->xbdev),
1963 		"feature-sg", NULL, "%d", &val) < 0)
1964 		val = 0;
1965 
1966 	np->maxfrags = 1;
1967 	if (val) {
1968 		np->maxfrags = MAX_TX_REQ_FRAGS;
1969 		printf(" feature-sg");
1970 	}
1971 
1972 	if (xs_scanf(XST_NIL, xenbus_get_otherend_path(np->xbdev),
1973 		"feature-gso-tcpv4", NULL, "%d", &val) < 0)
1974 		val = 0;
1975 
1976 	np->xn_ifp->if_capabilities &= ~(IFCAP_TSO4|IFCAP_LRO);
1977 	if (val) {
1978 		np->xn_ifp->if_capabilities |= IFCAP_TSO4|IFCAP_LRO;
1979 		printf(" feature-gso-tcp4");
1980 	}
1981 
1982 	printf("\n");
1983 }
1984 
1985 static int
1986 xn_configure_features(struct netfront_info *np)
1987 {
1988 	int err;
1989 
1990 	err = 0;
1991 #if __FreeBSD_version >= 700000 && (defined(INET) || defined(INET6))
1992 	if ((np->xn_ifp->if_capenable & IFCAP_LRO) != 0)
1993 		tcp_lro_free(&np->xn_lro);
1994 #endif
1995     	np->xn_ifp->if_capenable =
1996 	    np->xn_ifp->if_capabilities & ~(IFCAP_LRO|IFCAP_TSO4);
1997 	np->xn_ifp->if_hwassist &= ~CSUM_TSO;
1998 #if __FreeBSD_version >= 700000 && (defined(INET) || defined(INET6))
1999 	if (xn_enable_lro && (np->xn_ifp->if_capabilities & IFCAP_LRO) != 0) {
2000 		err = tcp_lro_init(&np->xn_lro);
2001 		if (err) {
2002 			device_printf(np->xbdev, "LRO initialization failed\n");
2003 		} else {
2004 			np->xn_lro.ifp = np->xn_ifp;
2005 			np->xn_ifp->if_capenable |= IFCAP_LRO;
2006 		}
2007 	}
2008 	if ((np->xn_ifp->if_capabilities & IFCAP_TSO4) != 0) {
2009 		np->xn_ifp->if_capenable |= IFCAP_TSO4;
2010 		np->xn_ifp->if_hwassist |= CSUM_TSO;
2011 	}
2012 #endif
2013 	return (err);
2014 }
2015 
2016 /**
2017  * Create a network device.
2018  * @param dev  Newbus device representing this virtual NIC.
2019  */
2020 int
2021 create_netdev(device_t dev)
2022 {
2023 	int i;
2024 	struct netfront_info *np;
2025 	int err;
2026 	struct ifnet *ifp;
2027 
2028 	np = device_get_softc(dev);
2029 
2030 	np->xbdev         = dev;
2031 
2032 	XN_LOCK_INIT(np, xennetif);
2033 
2034 	ifmedia_init(&np->sc_media, 0, xn_ifmedia_upd, xn_ifmedia_sts);
2035 	ifmedia_add(&np->sc_media, IFM_ETHER|IFM_MANUAL, 0, NULL);
2036 	ifmedia_set(&np->sc_media, IFM_ETHER|IFM_MANUAL);
2037 
2038 	np->rx_target     = RX_MIN_TARGET;
2039 	np->rx_min_target = RX_MIN_TARGET;
2040 	np->rx_max_target = RX_MAX_TARGET;
2041 
2042 	/* Initialise {tx,rx}_skbs to be a free chain containing every entry. */
2043 	for (i = 0; i <= NET_TX_RING_SIZE; i++) {
2044 		np->tx_mbufs[i] = (void *) ((u_long) i+1);
2045 		np->grant_tx_ref[i] = GRANT_REF_INVALID;
2046 	}
2047 	np->tx_mbufs[NET_TX_RING_SIZE] = (void *)0;
2048 
2049 	for (i = 0; i <= NET_RX_RING_SIZE; i++) {
2050 
2051 		np->rx_mbufs[i] = NULL;
2052 		np->grant_rx_ref[i] = GRANT_REF_INVALID;
2053 	}
2054 
2055 	mbufq_init(&np->xn_rx_batch, INT_MAX);
2056 
2057 	/* A grant for every tx ring slot */
2058 	if (gnttab_alloc_grant_references(NET_TX_RING_SIZE,
2059 					  &np->gref_tx_head) != 0) {
2060 		IPRINTK("#### netfront can't alloc tx grant refs\n");
2061 		err = ENOMEM;
2062 		goto exit;
2063 	}
2064 	/* A grant for every rx ring slot */
2065 	if (gnttab_alloc_grant_references(RX_MAX_TARGET,
2066 					  &np->gref_rx_head) != 0) {
2067 		WPRINTK("#### netfront can't alloc rx grant refs\n");
2068 		gnttab_free_grant_references(np->gref_tx_head);
2069 		err = ENOMEM;
2070 		goto exit;
2071 	}
2072 
2073 	err = xen_net_read_mac(dev, np->mac);
2074 	if (err)
2075 		goto out;
2076 
2077 	/* Set up ifnet structure */
2078 	ifp = np->xn_ifp = if_alloc(IFT_ETHER);
2079     	ifp->if_softc = np;
2080     	if_initname(ifp, "xn",  device_get_unit(dev));
2081     	ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
2082     	ifp->if_ioctl = xn_ioctl;
2083     	ifp->if_output = ether_output;
2084     	ifp->if_start = xn_start;
2085 #ifdef notyet
2086     	ifp->if_watchdog = xn_watchdog;
2087 #endif
2088     	ifp->if_init = xn_ifinit;
2089     	ifp->if_snd.ifq_maxlen = NET_TX_RING_SIZE - 1;
2090 
2091     	ifp->if_hwassist = XN_CSUM_FEATURES;
2092     	ifp->if_capabilities = IFCAP_HWCSUM;
2093 	ifp->if_hw_tsomax = 65536 - (ETHER_HDR_LEN + ETHER_VLAN_ENCAP_LEN);
2094 	ifp->if_hw_tsomaxsegcount = MAX_TX_REQ_FRAGS;
2095 	ifp->if_hw_tsomaxsegsize = PAGE_SIZE;
2096 
2097     	ether_ifattach(ifp, np->mac);
2098     	callout_init(&np->xn_stat_ch, CALLOUT_MPSAFE);
2099 	netfront_carrier_off(np);
2100 
2101 	return (0);
2102 
2103 exit:
2104 	gnttab_free_grant_references(np->gref_tx_head);
2105 out:
2106 	return (err);
2107 }
2108 
2109 /**
2110  * Handle the change of state of the backend to Closing.  We must delete our
2111  * device-layer structures now, to ensure that writes are flushed through to
2112  * the backend.  Once is this done, we can switch to Closed in
2113  * acknowledgement.
2114  */
2115 #if 0
2116 static void
2117 netfront_closing(device_t dev)
2118 {
2119 #if 0
2120 	struct netfront_info *info = dev->dev_driver_data;
2121 
2122 	DPRINTK("netfront_closing: %s removed\n", dev->nodename);
2123 
2124 	close_netdev(info);
2125 #endif
2126 	xenbus_switch_state(dev, XenbusStateClosed);
2127 }
2128 #endif
2129 
2130 static int
2131 netfront_detach(device_t dev)
2132 {
2133 	struct netfront_info *info = device_get_softc(dev);
2134 
2135 	DPRINTK("%s\n", xenbus_get_node(dev));
2136 
2137 	netif_free(info);
2138 
2139 	return 0;
2140 }
2141 
2142 static void
2143 netif_free(struct netfront_info *info)
2144 {
2145 	XN_LOCK(info);
2146 	xn_stop(info);
2147 	XN_UNLOCK(info);
2148 	callout_drain(&info->xn_stat_ch);
2149 	netif_disconnect_backend(info);
2150 	if (info->xn_ifp != NULL) {
2151 		ether_ifdetach(info->xn_ifp);
2152 		if_free(info->xn_ifp);
2153 		info->xn_ifp = NULL;
2154 	}
2155 	ifmedia_removeall(&info->sc_media);
2156 }
2157 
2158 static void
2159 netif_disconnect_backend(struct netfront_info *info)
2160 {
2161 	XN_RX_LOCK(info);
2162 	XN_TX_LOCK(info);
2163 	netfront_carrier_off(info);
2164 	XN_TX_UNLOCK(info);
2165 	XN_RX_UNLOCK(info);
2166 
2167 	free_ring(&info->tx_ring_ref, &info->tx.sring);
2168 	free_ring(&info->rx_ring_ref, &info->rx.sring);
2169 
2170 	xen_intr_unbind(&info->xen_intr_handle);
2171 }
2172 
2173 static void
2174 free_ring(int *ref, void *ring_ptr_ref)
2175 {
2176 	void **ring_ptr_ptr = ring_ptr_ref;
2177 
2178 	if (*ref != GRANT_REF_INVALID) {
2179 		/* This API frees the associated storage. */
2180 		gnttab_end_foreign_access(*ref, *ring_ptr_ptr);
2181 		*ref = GRANT_REF_INVALID;
2182 	}
2183 	*ring_ptr_ptr = NULL;
2184 }
2185 
2186 static int
2187 xn_ifmedia_upd(struct ifnet *ifp)
2188 {
2189 	return (0);
2190 }
2191 
2192 static void
2193 xn_ifmedia_sts(struct ifnet *ifp, struct ifmediareq *ifmr)
2194 {
2195 	ifmr->ifm_status = IFM_AVALID|IFM_ACTIVE;
2196 	ifmr->ifm_active = IFM_ETHER|IFM_MANUAL;
2197 }
2198 
2199 /* ** Driver registration ** */
2200 static device_method_t netfront_methods[] = {
2201 	/* Device interface */
2202 	DEVMETHOD(device_probe,         netfront_probe),
2203 	DEVMETHOD(device_attach,        netfront_attach),
2204 	DEVMETHOD(device_detach,        netfront_detach),
2205 	DEVMETHOD(device_shutdown,      bus_generic_shutdown),
2206 	DEVMETHOD(device_suspend,       netfront_suspend),
2207 	DEVMETHOD(device_resume,        netfront_resume),
2208 
2209 	/* Xenbus interface */
2210 	DEVMETHOD(xenbus_otherend_changed, netfront_backend_changed),
2211 
2212 	DEVMETHOD_END
2213 };
2214 
2215 static driver_t netfront_driver = {
2216 	"xn",
2217 	netfront_methods,
2218 	sizeof(struct netfront_info),
2219 };
2220 devclass_t netfront_devclass;
2221 
2222 DRIVER_MODULE(xe, xenbusb_front, netfront_driver, netfront_devclass, NULL,
2223     NULL);
2224