xref: /linux/drivers/net/xen-netback/netback.c (revision 860a9bed265146b10311bcadbbcef59c3af4454d)
1 /*
2  * Back-end of the driver for virtual network devices. This portion of the
3  * driver exports a 'unified' network-device interface that can be accessed
4  * by any operating system that implements a compatible front end. A
5  * reference front-end implementation can be found in:
6  *  drivers/net/xen-netfront.c
7  *
8  * Copyright (c) 2002-2005, K A Fraser
9  *
10  * This program is free software; you can redistribute it and/or
11  * modify it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation; or, when distributed
13  * separately from the Linux kernel or incorporated into other
14  * software packages, subject to the following license:
15  *
16  * Permission is hereby granted, free of charge, to any person obtaining a copy
17  * of this source file (the "Software"), to deal in the Software without
18  * restriction, including without limitation the rights to use, copy, modify,
19  * merge, publish, distribute, sublicense, and/or sell copies of the Software,
20  * and to permit persons to whom the Software is furnished to do so, subject to
21  * the following conditions:
22  *
23  * The above copyright notice and this permission notice shall be included in
24  * all copies or substantial portions of the Software.
25  *
26  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
27  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
28  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
29  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
30  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
31  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
32  * IN THE SOFTWARE.
33  */
34 
35 #include "common.h"
36 
37 #include <linux/kthread.h>
38 #include <linux/if_vlan.h>
39 #include <linux/udp.h>
40 #include <linux/highmem.h>
41 #include <linux/skbuff_ref.h>
42 
43 #include <net/tcp.h>
44 
45 #include <xen/xen.h>
46 #include <xen/events.h>
47 #include <xen/interface/memory.h>
48 #include <xen/page.h>
49 
50 #include <asm/xen/hypercall.h>
51 
52 /* Provide an option to disable split event channels at load time as
53  * event channels are limited resource. Split event channels are
54  * enabled by default.
55  */
56 bool separate_tx_rx_irq = true;
57 module_param(separate_tx_rx_irq, bool, 0644);
58 
59 /* The time that packets can stay on the guest Rx internal queue
60  * before they are dropped.
61  */
62 unsigned int rx_drain_timeout_msecs = 10000;
63 module_param(rx_drain_timeout_msecs, uint, 0444);
64 
65 /* The length of time before the frontend is considered unresponsive
66  * because it isn't providing Rx slots.
67  */
68 unsigned int rx_stall_timeout_msecs = 60000;
69 module_param(rx_stall_timeout_msecs, uint, 0444);
70 
71 #define MAX_QUEUES_DEFAULT 8
72 unsigned int xenvif_max_queues;
73 module_param_named(max_queues, xenvif_max_queues, uint, 0644);
74 MODULE_PARM_DESC(max_queues,
75 		 "Maximum number of queues per virtual interface");
76 
77 /*
78  * This is the maximum slots a skb can have. If a guest sends a skb
79  * which exceeds this limit it is considered malicious.
80  */
81 #define FATAL_SKB_SLOTS_DEFAULT 20
82 static unsigned int fatal_skb_slots = FATAL_SKB_SLOTS_DEFAULT;
83 module_param(fatal_skb_slots, uint, 0444);
84 
85 /* The amount to copy out of the first guest Tx slot into the skb's
86  * linear area.  If the first slot has more data, it will be mapped
87  * and put into the first frag.
88  *
89  * This is sized to avoid pulling headers from the frags for most
90  * TCP/IP packets.
91  */
92 #define XEN_NETBACK_TX_COPY_LEN 128
93 
94 /* This is the maximum number of flows in the hash cache. */
95 #define XENVIF_HASH_CACHE_SIZE_DEFAULT 64
96 unsigned int xenvif_hash_cache_size = XENVIF_HASH_CACHE_SIZE_DEFAULT;
97 module_param_named(hash_cache_size, xenvif_hash_cache_size, uint, 0644);
98 MODULE_PARM_DESC(hash_cache_size, "Number of flows in the hash cache");
99 
100 /* The module parameter tells that we have to put data
101  * for xen-netfront with the XDP_PACKET_HEADROOM offset
102  * needed for XDP processing
103  */
104 bool provides_xdp_headroom = true;
105 module_param(provides_xdp_headroom, bool, 0644);
106 
107 static void xenvif_idx_release(struct xenvif_queue *queue, u16 pending_idx,
108 			       s8 status);
109 
110 static void make_tx_response(struct xenvif_queue *queue,
111 			     const struct xen_netif_tx_request *txp,
112 			     unsigned int extra_count,
113 			     s8 status);
114 
115 static void xenvif_idx_unmap(struct xenvif_queue *queue, u16 pending_idx);
116 
117 static inline int tx_work_todo(struct xenvif_queue *queue);
118 
119 static inline unsigned long idx_to_pfn(struct xenvif_queue *queue,
120 				       u16 idx)
121 {
122 	return page_to_pfn(queue->mmap_pages[idx]);
123 }
124 
125 static inline unsigned long idx_to_kaddr(struct xenvif_queue *queue,
126 					 u16 idx)
127 {
128 	return (unsigned long)pfn_to_kaddr(idx_to_pfn(queue, idx));
129 }
130 
131 #define callback_param(vif, pending_idx) \
132 	(vif->pending_tx_info[pending_idx].callback_struct)
133 
134 /* Find the containing VIF's structure from a pointer in pending_tx_info array
135  */
136 static inline struct xenvif_queue *ubuf_to_queue(const struct ubuf_info_msgzc *ubuf)
137 {
138 	u16 pending_idx = ubuf->desc;
139 	struct pending_tx_info *temp =
140 		container_of(ubuf, struct pending_tx_info, callback_struct);
141 	return container_of(temp - pending_idx,
142 			    struct xenvif_queue,
143 			    pending_tx_info[0]);
144 }
145 
146 static u16 frag_get_pending_idx(skb_frag_t *frag)
147 {
148 	return (u16)skb_frag_off(frag);
149 }
150 
151 static void frag_set_pending_idx(skb_frag_t *frag, u16 pending_idx)
152 {
153 	skb_frag_off_set(frag, pending_idx);
154 }
155 
156 static inline pending_ring_idx_t pending_index(unsigned i)
157 {
158 	return i & (MAX_PENDING_REQS-1);
159 }
160 
161 void xenvif_kick_thread(struct xenvif_queue *queue)
162 {
163 	wake_up(&queue->wq);
164 }
165 
166 void xenvif_napi_schedule_or_enable_events(struct xenvif_queue *queue)
167 {
168 	int more_to_do;
169 
170 	RING_FINAL_CHECK_FOR_REQUESTS(&queue->tx, more_to_do);
171 
172 	if (more_to_do)
173 		napi_schedule(&queue->napi);
174 	else if (atomic_fetch_andnot(NETBK_TX_EOI | NETBK_COMMON_EOI,
175 				     &queue->eoi_pending) &
176 		 (NETBK_TX_EOI | NETBK_COMMON_EOI))
177 		xen_irq_lateeoi(queue->tx_irq, 0);
178 }
179 
180 static void tx_add_credit(struct xenvif_queue *queue)
181 {
182 	unsigned long max_burst, max_credit;
183 
184 	/*
185 	 * Allow a burst big enough to transmit a jumbo packet of up to 128kB.
186 	 * Otherwise the interface can seize up due to insufficient credit.
187 	 */
188 	max_burst = max(131072UL, queue->credit_bytes);
189 
190 	/* Take care that adding a new chunk of credit doesn't wrap to zero. */
191 	max_credit = queue->remaining_credit + queue->credit_bytes;
192 	if (max_credit < queue->remaining_credit)
193 		max_credit = ULONG_MAX; /* wrapped: clamp to ULONG_MAX */
194 
195 	queue->remaining_credit = min(max_credit, max_burst);
196 	queue->rate_limited = false;
197 }
198 
199 void xenvif_tx_credit_callback(struct timer_list *t)
200 {
201 	struct xenvif_queue *queue = from_timer(queue, t, credit_timeout);
202 	tx_add_credit(queue);
203 	xenvif_napi_schedule_or_enable_events(queue);
204 }
205 
206 static void xenvif_tx_err(struct xenvif_queue *queue,
207 			  struct xen_netif_tx_request *txp,
208 			  unsigned int extra_count, RING_IDX end)
209 {
210 	RING_IDX cons = queue->tx.req_cons;
211 
212 	do {
213 		make_tx_response(queue, txp, extra_count, XEN_NETIF_RSP_ERROR);
214 		if (cons == end)
215 			break;
216 		RING_COPY_REQUEST(&queue->tx, cons++, txp);
217 		extra_count = 0; /* only the first frag can have extras */
218 	} while (1);
219 	queue->tx.req_cons = cons;
220 }
221 
222 static void xenvif_fatal_tx_err(struct xenvif *vif)
223 {
224 	netdev_err(vif->dev, "fatal error; disabling device\n");
225 	vif->disabled = true;
226 	/* Disable the vif from queue 0's kthread */
227 	if (vif->num_queues)
228 		xenvif_kick_thread(&vif->queues[0]);
229 }
230 
231 static int xenvif_count_requests(struct xenvif_queue *queue,
232 				 struct xen_netif_tx_request *first,
233 				 unsigned int extra_count,
234 				 struct xen_netif_tx_request *txp,
235 				 int work_to_do)
236 {
237 	RING_IDX cons = queue->tx.req_cons;
238 	int slots = 0;
239 	int drop_err = 0;
240 	int more_data;
241 
242 	if (!(first->flags & XEN_NETTXF_more_data))
243 		return 0;
244 
245 	do {
246 		struct xen_netif_tx_request dropped_tx = { 0 };
247 
248 		if (slots >= work_to_do) {
249 			netdev_err(queue->vif->dev,
250 				   "Asked for %d slots but exceeds this limit\n",
251 				   work_to_do);
252 			xenvif_fatal_tx_err(queue->vif);
253 			return -ENODATA;
254 		}
255 
256 		/* This guest is really using too many slots and
257 		 * considered malicious.
258 		 */
259 		if (unlikely(slots >= fatal_skb_slots)) {
260 			netdev_err(queue->vif->dev,
261 				   "Malicious frontend using %d slots, threshold %u\n",
262 				   slots, fatal_skb_slots);
263 			xenvif_fatal_tx_err(queue->vif);
264 			return -E2BIG;
265 		}
266 
267 		/* Xen network protocol had implicit dependency on
268 		 * MAX_SKB_FRAGS. XEN_NETBK_LEGACY_SLOTS_MAX is set to
269 		 * the historical MAX_SKB_FRAGS value 18 to honor the
270 		 * same behavior as before. Any packet using more than
271 		 * 18 slots but less than fatal_skb_slots slots is
272 		 * dropped
273 		 */
274 		if (!drop_err && slots >= XEN_NETBK_LEGACY_SLOTS_MAX) {
275 			if (net_ratelimit())
276 				netdev_dbg(queue->vif->dev,
277 					   "Too many slots (%d) exceeding limit (%d), dropping packet\n",
278 					   slots, XEN_NETBK_LEGACY_SLOTS_MAX);
279 			drop_err = -E2BIG;
280 		}
281 
282 		if (drop_err)
283 			txp = &dropped_tx;
284 
285 		RING_COPY_REQUEST(&queue->tx, cons + slots, txp);
286 
287 		/* If the guest submitted a frame >= 64 KiB then
288 		 * first->size overflowed and following slots will
289 		 * appear to be larger than the frame.
290 		 *
291 		 * This cannot be fatal error as there are buggy
292 		 * frontends that do this.
293 		 *
294 		 * Consume all slots and drop the packet.
295 		 */
296 		if (!drop_err && txp->size > first->size) {
297 			if (net_ratelimit())
298 				netdev_dbg(queue->vif->dev,
299 					   "Invalid tx request, slot size %u > remaining size %u\n",
300 					   txp->size, first->size);
301 			drop_err = -EIO;
302 		}
303 
304 		first->size -= txp->size;
305 		slots++;
306 
307 		if (unlikely((txp->offset + txp->size) > XEN_PAGE_SIZE)) {
308 			netdev_err(queue->vif->dev, "Cross page boundary, txp->offset: %u, size: %u\n",
309 				 txp->offset, txp->size);
310 			xenvif_fatal_tx_err(queue->vif);
311 			return -EINVAL;
312 		}
313 
314 		more_data = txp->flags & XEN_NETTXF_more_data;
315 
316 		if (!drop_err)
317 			txp++;
318 
319 	} while (more_data);
320 
321 	if (drop_err) {
322 		xenvif_tx_err(queue, first, extra_count, cons + slots);
323 		return drop_err;
324 	}
325 
326 	return slots;
327 }
328 
329 
330 struct xenvif_tx_cb {
331 	u16 copy_pending_idx[XEN_NETBK_LEGACY_SLOTS_MAX + 1];
332 	u8 copy_count;
333 	u32 split_mask;
334 };
335 
336 #define XENVIF_TX_CB(skb) ((struct xenvif_tx_cb *)(skb)->cb)
337 #define copy_pending_idx(skb, i) (XENVIF_TX_CB(skb)->copy_pending_idx[i])
338 #define copy_count(skb) (XENVIF_TX_CB(skb)->copy_count)
339 
340 static inline void xenvif_tx_create_map_op(struct xenvif_queue *queue,
341 					   u16 pending_idx,
342 					   struct xen_netif_tx_request *txp,
343 					   unsigned int extra_count,
344 					   struct gnttab_map_grant_ref *mop)
345 {
346 	queue->pages_to_map[mop-queue->tx_map_ops] = queue->mmap_pages[pending_idx];
347 	gnttab_set_map_op(mop, idx_to_kaddr(queue, pending_idx),
348 			  GNTMAP_host_map | GNTMAP_readonly,
349 			  txp->gref, queue->vif->domid);
350 
351 	memcpy(&queue->pending_tx_info[pending_idx].req, txp,
352 	       sizeof(*txp));
353 	queue->pending_tx_info[pending_idx].extra_count = extra_count;
354 }
355 
356 static inline struct sk_buff *xenvif_alloc_skb(unsigned int size)
357 {
358 	struct sk_buff *skb =
359 		alloc_skb(size + NET_SKB_PAD + NET_IP_ALIGN,
360 			  GFP_ATOMIC | __GFP_NOWARN);
361 
362 	BUILD_BUG_ON(sizeof(*XENVIF_TX_CB(skb)) > sizeof(skb->cb));
363 	if (unlikely(skb == NULL))
364 		return NULL;
365 
366 	/* Packets passed to netif_rx() must have some headroom. */
367 	skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
368 
369 	/* Initialize it here to avoid later surprises */
370 	skb_shinfo(skb)->destructor_arg = NULL;
371 
372 	return skb;
373 }
374 
375 static void xenvif_get_requests(struct xenvif_queue *queue,
376 				struct sk_buff *skb,
377 				struct xen_netif_tx_request *first,
378 				struct xen_netif_tx_request *txfrags,
379 			        unsigned *copy_ops,
380 			        unsigned *map_ops,
381 				unsigned int frag_overflow,
382 				struct sk_buff *nskb,
383 				unsigned int extra_count,
384 				unsigned int data_len)
385 {
386 	struct skb_shared_info *shinfo = skb_shinfo(skb);
387 	skb_frag_t *frags = shinfo->frags;
388 	u16 pending_idx;
389 	pending_ring_idx_t index;
390 	unsigned int nr_slots;
391 	struct gnttab_copy *cop = queue->tx_copy_ops + *copy_ops;
392 	struct gnttab_map_grant_ref *gop = queue->tx_map_ops + *map_ops;
393 	struct xen_netif_tx_request *txp = first;
394 
395 	nr_slots = shinfo->nr_frags + frag_overflow + 1;
396 
397 	copy_count(skb) = 0;
398 	XENVIF_TX_CB(skb)->split_mask = 0;
399 
400 	/* Create copy ops for exactly data_len bytes into the skb head. */
401 	__skb_put(skb, data_len);
402 	while (data_len > 0) {
403 		int amount = data_len > txp->size ? txp->size : data_len;
404 		bool split = false;
405 
406 		cop->source.u.ref = txp->gref;
407 		cop->source.domid = queue->vif->domid;
408 		cop->source.offset = txp->offset;
409 
410 		cop->dest.domid = DOMID_SELF;
411 		cop->dest.offset = (offset_in_page(skb->data +
412 						   skb_headlen(skb) -
413 						   data_len)) & ~XEN_PAGE_MASK;
414 		cop->dest.u.gmfn = virt_to_gfn(skb->data + skb_headlen(skb)
415 				               - data_len);
416 
417 		/* Don't cross local page boundary! */
418 		if (cop->dest.offset + amount > XEN_PAGE_SIZE) {
419 			amount = XEN_PAGE_SIZE - cop->dest.offset;
420 			XENVIF_TX_CB(skb)->split_mask |= 1U << copy_count(skb);
421 			split = true;
422 		}
423 
424 		cop->len = amount;
425 		cop->flags = GNTCOPY_source_gref;
426 
427 		index = pending_index(queue->pending_cons);
428 		pending_idx = queue->pending_ring[index];
429 		callback_param(queue, pending_idx).ctx = NULL;
430 		copy_pending_idx(skb, copy_count(skb)) = pending_idx;
431 		if (!split)
432 			copy_count(skb)++;
433 
434 		cop++;
435 		data_len -= amount;
436 
437 		if (amount == txp->size) {
438 			/* The copy op covered the full tx_request */
439 
440 			memcpy(&queue->pending_tx_info[pending_idx].req,
441 			       txp, sizeof(*txp));
442 			queue->pending_tx_info[pending_idx].extra_count =
443 				(txp == first) ? extra_count : 0;
444 
445 			if (txp == first)
446 				txp = txfrags;
447 			else
448 				txp++;
449 			queue->pending_cons++;
450 			nr_slots--;
451 		} else {
452 			/* The copy op partially covered the tx_request.
453 			 * The remainder will be mapped or copied in the next
454 			 * iteration.
455 			 */
456 			txp->offset += amount;
457 			txp->size -= amount;
458 		}
459 	}
460 
461 	for (shinfo->nr_frags = 0; nr_slots > 0 && shinfo->nr_frags < MAX_SKB_FRAGS;
462 	     nr_slots--) {
463 		if (unlikely(!txp->size)) {
464 			make_tx_response(queue, txp, 0, XEN_NETIF_RSP_OKAY);
465 			++txp;
466 			continue;
467 		}
468 
469 		index = pending_index(queue->pending_cons++);
470 		pending_idx = queue->pending_ring[index];
471 		xenvif_tx_create_map_op(queue, pending_idx, txp,
472 				        txp == first ? extra_count : 0, gop);
473 		frag_set_pending_idx(&frags[shinfo->nr_frags], pending_idx);
474 		++shinfo->nr_frags;
475 		++gop;
476 
477 		if (txp == first)
478 			txp = txfrags;
479 		else
480 			txp++;
481 	}
482 
483 	if (nr_slots > 0) {
484 
485 		shinfo = skb_shinfo(nskb);
486 		frags = shinfo->frags;
487 
488 		for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; ++txp) {
489 			if (unlikely(!txp->size)) {
490 				make_tx_response(queue, txp, 0,
491 						 XEN_NETIF_RSP_OKAY);
492 				continue;
493 			}
494 
495 			index = pending_index(queue->pending_cons++);
496 			pending_idx = queue->pending_ring[index];
497 			xenvif_tx_create_map_op(queue, pending_idx, txp, 0,
498 						gop);
499 			frag_set_pending_idx(&frags[shinfo->nr_frags],
500 					     pending_idx);
501 			++shinfo->nr_frags;
502 			++gop;
503 		}
504 
505 		if (shinfo->nr_frags) {
506 			skb_shinfo(skb)->frag_list = nskb;
507 			nskb = NULL;
508 		}
509 	}
510 
511 	if (nskb) {
512 		/* A frag_list skb was allocated but it is no longer needed
513 		 * because enough slots were converted to copy ops above or some
514 		 * were empty.
515 		 */
516 		kfree_skb(nskb);
517 	}
518 
519 	(*copy_ops) = cop - queue->tx_copy_ops;
520 	(*map_ops) = gop - queue->tx_map_ops;
521 }
522 
523 static inline void xenvif_grant_handle_set(struct xenvif_queue *queue,
524 					   u16 pending_idx,
525 					   grant_handle_t handle)
526 {
527 	if (unlikely(queue->grant_tx_handle[pending_idx] !=
528 		     NETBACK_INVALID_HANDLE)) {
529 		netdev_err(queue->vif->dev,
530 			   "Trying to overwrite active handle! pending_idx: 0x%x\n",
531 			   pending_idx);
532 		BUG();
533 	}
534 	queue->grant_tx_handle[pending_idx] = handle;
535 }
536 
537 static inline void xenvif_grant_handle_reset(struct xenvif_queue *queue,
538 					     u16 pending_idx)
539 {
540 	if (unlikely(queue->grant_tx_handle[pending_idx] ==
541 		     NETBACK_INVALID_HANDLE)) {
542 		netdev_err(queue->vif->dev,
543 			   "Trying to unmap invalid handle! pending_idx: 0x%x\n",
544 			   pending_idx);
545 		BUG();
546 	}
547 	queue->grant_tx_handle[pending_idx] = NETBACK_INVALID_HANDLE;
548 }
549 
550 static int xenvif_tx_check_gop(struct xenvif_queue *queue,
551 			       struct sk_buff *skb,
552 			       struct gnttab_map_grant_ref **gopp_map,
553 			       struct gnttab_copy **gopp_copy)
554 {
555 	struct gnttab_map_grant_ref *gop_map = *gopp_map;
556 	u16 pending_idx;
557 	/* This always points to the shinfo of the skb being checked, which
558 	 * could be either the first or the one on the frag_list
559 	 */
560 	struct skb_shared_info *shinfo = skb_shinfo(skb);
561 	/* If this is non-NULL, we are currently checking the frag_list skb, and
562 	 * this points to the shinfo of the first one
563 	 */
564 	struct skb_shared_info *first_shinfo = NULL;
565 	int nr_frags = shinfo->nr_frags;
566 	const bool sharedslot = nr_frags &&
567 				frag_get_pending_idx(&shinfo->frags[0]) ==
568 				    copy_pending_idx(skb, copy_count(skb) - 1);
569 	int i, err = 0;
570 
571 	for (i = 0; i < copy_count(skb); i++) {
572 		int newerr;
573 
574 		/* Check status of header. */
575 		pending_idx = copy_pending_idx(skb, i);
576 
577 		newerr = (*gopp_copy)->status;
578 
579 		/* Split copies need to be handled together. */
580 		if (XENVIF_TX_CB(skb)->split_mask & (1U << i)) {
581 			(*gopp_copy)++;
582 			if (!newerr)
583 				newerr = (*gopp_copy)->status;
584 		}
585 		if (likely(!newerr)) {
586 			/* The first frag might still have this slot mapped */
587 			if (i < copy_count(skb) - 1 || !sharedslot)
588 				xenvif_idx_release(queue, pending_idx,
589 						   XEN_NETIF_RSP_OKAY);
590 		} else {
591 			err = newerr;
592 			if (net_ratelimit())
593 				netdev_dbg(queue->vif->dev,
594 					   "Grant copy of header failed! status: %d pending_idx: %u ref: %u\n",
595 					   (*gopp_copy)->status,
596 					   pending_idx,
597 					   (*gopp_copy)->source.u.ref);
598 			/* The first frag might still have this slot mapped */
599 			if (i < copy_count(skb) - 1 || !sharedslot)
600 				xenvif_idx_release(queue, pending_idx,
601 						   XEN_NETIF_RSP_ERROR);
602 		}
603 		(*gopp_copy)++;
604 	}
605 
606 check_frags:
607 	for (i = 0; i < nr_frags; i++, gop_map++) {
608 		int j, newerr;
609 
610 		pending_idx = frag_get_pending_idx(&shinfo->frags[i]);
611 
612 		/* Check error status: if okay then remember grant handle. */
613 		newerr = gop_map->status;
614 
615 		if (likely(!newerr)) {
616 			xenvif_grant_handle_set(queue,
617 						pending_idx,
618 						gop_map->handle);
619 			/* Had a previous error? Invalidate this fragment. */
620 			if (unlikely(err)) {
621 				xenvif_idx_unmap(queue, pending_idx);
622 				/* If the mapping of the first frag was OK, but
623 				 * the header's copy failed, and they are
624 				 * sharing a slot, send an error
625 				 */
626 				if (i == 0 && !first_shinfo && sharedslot)
627 					xenvif_idx_release(queue, pending_idx,
628 							   XEN_NETIF_RSP_ERROR);
629 				else
630 					xenvif_idx_release(queue, pending_idx,
631 							   XEN_NETIF_RSP_OKAY);
632 			}
633 			continue;
634 		}
635 
636 		/* Error on this fragment: respond to client with an error. */
637 		if (net_ratelimit())
638 			netdev_dbg(queue->vif->dev,
639 				   "Grant map of %d. frag failed! status: %d pending_idx: %u ref: %u\n",
640 				   i,
641 				   gop_map->status,
642 				   pending_idx,
643 				   gop_map->ref);
644 
645 		xenvif_idx_release(queue, pending_idx, XEN_NETIF_RSP_ERROR);
646 
647 		/* Not the first error? Preceding frags already invalidated. */
648 		if (err)
649 			continue;
650 
651 		/* Invalidate preceding fragments of this skb. */
652 		for (j = 0; j < i; j++) {
653 			pending_idx = frag_get_pending_idx(&shinfo->frags[j]);
654 			xenvif_idx_unmap(queue, pending_idx);
655 			xenvif_idx_release(queue, pending_idx,
656 					   XEN_NETIF_RSP_OKAY);
657 		}
658 
659 		/* And if we found the error while checking the frag_list, unmap
660 		 * the first skb's frags
661 		 */
662 		if (first_shinfo) {
663 			for (j = 0; j < first_shinfo->nr_frags; j++) {
664 				pending_idx = frag_get_pending_idx(&first_shinfo->frags[j]);
665 				xenvif_idx_unmap(queue, pending_idx);
666 				xenvif_idx_release(queue, pending_idx,
667 						   XEN_NETIF_RSP_OKAY);
668 			}
669 		}
670 
671 		/* Remember the error: invalidate all subsequent fragments. */
672 		err = newerr;
673 	}
674 
675 	if (skb_has_frag_list(skb) && !first_shinfo) {
676 		first_shinfo = shinfo;
677 		shinfo = skb_shinfo(shinfo->frag_list);
678 		nr_frags = shinfo->nr_frags;
679 
680 		goto check_frags;
681 	}
682 
683 	*gopp_map = gop_map;
684 	return err;
685 }
686 
687 static void xenvif_fill_frags(struct xenvif_queue *queue, struct sk_buff *skb)
688 {
689 	struct skb_shared_info *shinfo = skb_shinfo(skb);
690 	int nr_frags = shinfo->nr_frags;
691 	int i;
692 	u16 prev_pending_idx = INVALID_PENDING_IDX;
693 
694 	for (i = 0; i < nr_frags; i++) {
695 		skb_frag_t *frag = shinfo->frags + i;
696 		struct xen_netif_tx_request *txp;
697 		struct page *page;
698 		u16 pending_idx;
699 
700 		pending_idx = frag_get_pending_idx(frag);
701 
702 		/* If this is not the first frag, chain it to the previous*/
703 		if (prev_pending_idx == INVALID_PENDING_IDX)
704 			skb_shinfo(skb)->destructor_arg =
705 				&callback_param(queue, pending_idx);
706 		else
707 			callback_param(queue, prev_pending_idx).ctx =
708 				&callback_param(queue, pending_idx);
709 
710 		callback_param(queue, pending_idx).ctx = NULL;
711 		prev_pending_idx = pending_idx;
712 
713 		txp = &queue->pending_tx_info[pending_idx].req;
714 		page = virt_to_page((void *)idx_to_kaddr(queue, pending_idx));
715 		__skb_fill_page_desc(skb, i, page, txp->offset, txp->size);
716 		skb->len += txp->size;
717 		skb->data_len += txp->size;
718 		skb->truesize += txp->size;
719 
720 		/* Take an extra reference to offset network stack's put_page */
721 		get_page(queue->mmap_pages[pending_idx]);
722 	}
723 }
724 
725 static int xenvif_get_extras(struct xenvif_queue *queue,
726 			     struct xen_netif_extra_info *extras,
727 			     unsigned int *extra_count,
728 			     int work_to_do)
729 {
730 	struct xen_netif_extra_info extra;
731 	RING_IDX cons = queue->tx.req_cons;
732 
733 	do {
734 		if (unlikely(work_to_do-- <= 0)) {
735 			netdev_err(queue->vif->dev, "Missing extra info\n");
736 			xenvif_fatal_tx_err(queue->vif);
737 			return -EBADR;
738 		}
739 
740 		RING_COPY_REQUEST(&queue->tx, cons, &extra);
741 
742 		queue->tx.req_cons = ++cons;
743 		(*extra_count)++;
744 
745 		if (unlikely(!extra.type ||
746 			     extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
747 			netdev_err(queue->vif->dev,
748 				   "Invalid extra type: %d\n", extra.type);
749 			xenvif_fatal_tx_err(queue->vif);
750 			return -EINVAL;
751 		}
752 
753 		memcpy(&extras[extra.type - 1], &extra, sizeof(extra));
754 	} while (extra.flags & XEN_NETIF_EXTRA_FLAG_MORE);
755 
756 	return work_to_do;
757 }
758 
759 static int xenvif_set_skb_gso(struct xenvif *vif,
760 			      struct sk_buff *skb,
761 			      struct xen_netif_extra_info *gso)
762 {
763 	if (!gso->u.gso.size) {
764 		netdev_err(vif->dev, "GSO size must not be zero.\n");
765 		xenvif_fatal_tx_err(vif);
766 		return -EINVAL;
767 	}
768 
769 	switch (gso->u.gso.type) {
770 	case XEN_NETIF_GSO_TYPE_TCPV4:
771 		skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4;
772 		break;
773 	case XEN_NETIF_GSO_TYPE_TCPV6:
774 		skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
775 		break;
776 	default:
777 		netdev_err(vif->dev, "Bad GSO type %d.\n", gso->u.gso.type);
778 		xenvif_fatal_tx_err(vif);
779 		return -EINVAL;
780 	}
781 
782 	skb_shinfo(skb)->gso_size = gso->u.gso.size;
783 	/* gso_segs will be calculated later */
784 
785 	return 0;
786 }
787 
788 static int checksum_setup(struct xenvif_queue *queue, struct sk_buff *skb)
789 {
790 	bool recalculate_partial_csum = false;
791 
792 	/* A GSO SKB must be CHECKSUM_PARTIAL. However some buggy
793 	 * peers can fail to set NETRXF_csum_blank when sending a GSO
794 	 * frame. In this case force the SKB to CHECKSUM_PARTIAL and
795 	 * recalculate the partial checksum.
796 	 */
797 	if (skb->ip_summed != CHECKSUM_PARTIAL && skb_is_gso(skb)) {
798 		queue->stats.rx_gso_checksum_fixup++;
799 		skb->ip_summed = CHECKSUM_PARTIAL;
800 		recalculate_partial_csum = true;
801 	}
802 
803 	/* A non-CHECKSUM_PARTIAL SKB does not require setup. */
804 	if (skb->ip_summed != CHECKSUM_PARTIAL)
805 		return 0;
806 
807 	return skb_checksum_setup(skb, recalculate_partial_csum);
808 }
809 
810 static bool tx_credit_exceeded(struct xenvif_queue *queue, unsigned size)
811 {
812 	u64 now = get_jiffies_64();
813 	u64 next_credit = queue->credit_window_start +
814 		msecs_to_jiffies(queue->credit_usec / 1000);
815 
816 	/* Timer could already be pending in rare cases. */
817 	if (timer_pending(&queue->credit_timeout)) {
818 		queue->rate_limited = true;
819 		return true;
820 	}
821 
822 	/* Passed the point where we can replenish credit? */
823 	if (time_after_eq64(now, next_credit)) {
824 		queue->credit_window_start = now;
825 		tx_add_credit(queue);
826 	}
827 
828 	/* Still too big to send right now? Set a callback. */
829 	if (size > queue->remaining_credit) {
830 		mod_timer(&queue->credit_timeout,
831 			  next_credit);
832 		queue->credit_window_start = next_credit;
833 		queue->rate_limited = true;
834 
835 		return true;
836 	}
837 
838 	return false;
839 }
840 
841 /* No locking is required in xenvif_mcast_add/del() as they are
842  * only ever invoked from NAPI poll. An RCU list is used because
843  * xenvif_mcast_match() is called asynchronously, during start_xmit.
844  */
845 
846 static int xenvif_mcast_add(struct xenvif *vif, const u8 *addr)
847 {
848 	struct xenvif_mcast_addr *mcast;
849 
850 	if (vif->fe_mcast_count == XEN_NETBK_MCAST_MAX) {
851 		if (net_ratelimit())
852 			netdev_err(vif->dev,
853 				   "Too many multicast addresses\n");
854 		return -ENOSPC;
855 	}
856 
857 	mcast = kzalloc(sizeof(*mcast), GFP_ATOMIC);
858 	if (!mcast)
859 		return -ENOMEM;
860 
861 	ether_addr_copy(mcast->addr, addr);
862 	list_add_tail_rcu(&mcast->entry, &vif->fe_mcast_addr);
863 	vif->fe_mcast_count++;
864 
865 	return 0;
866 }
867 
868 static void xenvif_mcast_del(struct xenvif *vif, const u8 *addr)
869 {
870 	struct xenvif_mcast_addr *mcast;
871 
872 	list_for_each_entry_rcu(mcast, &vif->fe_mcast_addr, entry) {
873 		if (ether_addr_equal(addr, mcast->addr)) {
874 			--vif->fe_mcast_count;
875 			list_del_rcu(&mcast->entry);
876 			kfree_rcu(mcast, rcu);
877 			break;
878 		}
879 	}
880 }
881 
882 bool xenvif_mcast_match(struct xenvif *vif, const u8 *addr)
883 {
884 	struct xenvif_mcast_addr *mcast;
885 
886 	rcu_read_lock();
887 	list_for_each_entry_rcu(mcast, &vif->fe_mcast_addr, entry) {
888 		if (ether_addr_equal(addr, mcast->addr)) {
889 			rcu_read_unlock();
890 			return true;
891 		}
892 	}
893 	rcu_read_unlock();
894 
895 	return false;
896 }
897 
898 void xenvif_mcast_addr_list_free(struct xenvif *vif)
899 {
900 	/* No need for locking or RCU here. NAPI poll and TX queue
901 	 * are stopped.
902 	 */
903 	while (!list_empty(&vif->fe_mcast_addr)) {
904 		struct xenvif_mcast_addr *mcast;
905 
906 		mcast = list_first_entry(&vif->fe_mcast_addr,
907 					 struct xenvif_mcast_addr,
908 					 entry);
909 		--vif->fe_mcast_count;
910 		list_del(&mcast->entry);
911 		kfree(mcast);
912 	}
913 }
914 
915 static void xenvif_tx_build_gops(struct xenvif_queue *queue,
916 				     int budget,
917 				     unsigned *copy_ops,
918 				     unsigned *map_ops)
919 {
920 	struct sk_buff *skb, *nskb;
921 	int ret;
922 	unsigned int frag_overflow;
923 
924 	while (skb_queue_len(&queue->tx_queue) < budget) {
925 		struct xen_netif_tx_request txreq;
926 		struct xen_netif_tx_request txfrags[XEN_NETBK_LEGACY_SLOTS_MAX];
927 		struct xen_netif_extra_info extras[XEN_NETIF_EXTRA_TYPE_MAX-1];
928 		unsigned int extra_count;
929 		RING_IDX idx;
930 		int work_to_do;
931 		unsigned int data_len;
932 
933 		if (queue->tx.sring->req_prod - queue->tx.req_cons >
934 		    XEN_NETIF_TX_RING_SIZE) {
935 			netdev_err(queue->vif->dev,
936 				   "Impossible number of requests. "
937 				   "req_prod %d, req_cons %d, size %ld\n",
938 				   queue->tx.sring->req_prod, queue->tx.req_cons,
939 				   XEN_NETIF_TX_RING_SIZE);
940 			xenvif_fatal_tx_err(queue->vif);
941 			break;
942 		}
943 
944 		work_to_do = XEN_RING_NR_UNCONSUMED_REQUESTS(&queue->tx);
945 		if (!work_to_do)
946 			break;
947 
948 		idx = queue->tx.req_cons;
949 		rmb(); /* Ensure that we see the request before we copy it. */
950 		RING_COPY_REQUEST(&queue->tx, idx, &txreq);
951 
952 		/* Credit-based scheduling. */
953 		if (txreq.size > queue->remaining_credit &&
954 		    tx_credit_exceeded(queue, txreq.size))
955 			break;
956 
957 		queue->remaining_credit -= txreq.size;
958 
959 		work_to_do--;
960 		queue->tx.req_cons = ++idx;
961 
962 		memset(extras, 0, sizeof(extras));
963 		extra_count = 0;
964 		if (txreq.flags & XEN_NETTXF_extra_info) {
965 			work_to_do = xenvif_get_extras(queue, extras,
966 						       &extra_count,
967 						       work_to_do);
968 			idx = queue->tx.req_cons;
969 			if (unlikely(work_to_do < 0))
970 				break;
971 		}
972 
973 		if (extras[XEN_NETIF_EXTRA_TYPE_MCAST_ADD - 1].type) {
974 			struct xen_netif_extra_info *extra;
975 
976 			extra = &extras[XEN_NETIF_EXTRA_TYPE_MCAST_ADD - 1];
977 			ret = xenvif_mcast_add(queue->vif, extra->u.mcast.addr);
978 
979 			make_tx_response(queue, &txreq, extra_count,
980 					 (ret == 0) ?
981 					 XEN_NETIF_RSP_OKAY :
982 					 XEN_NETIF_RSP_ERROR);
983 			continue;
984 		}
985 
986 		if (extras[XEN_NETIF_EXTRA_TYPE_MCAST_DEL - 1].type) {
987 			struct xen_netif_extra_info *extra;
988 
989 			extra = &extras[XEN_NETIF_EXTRA_TYPE_MCAST_DEL - 1];
990 			xenvif_mcast_del(queue->vif, extra->u.mcast.addr);
991 
992 			make_tx_response(queue, &txreq, extra_count,
993 					 XEN_NETIF_RSP_OKAY);
994 			continue;
995 		}
996 
997 		data_len = (txreq.size > XEN_NETBACK_TX_COPY_LEN) ?
998 			XEN_NETBACK_TX_COPY_LEN : txreq.size;
999 
1000 		ret = xenvif_count_requests(queue, &txreq, extra_count,
1001 					    txfrags, work_to_do);
1002 
1003 		if (unlikely(ret < 0))
1004 			break;
1005 
1006 		idx += ret;
1007 
1008 		if (unlikely(txreq.size < ETH_HLEN)) {
1009 			netdev_dbg(queue->vif->dev,
1010 				   "Bad packet size: %d\n", txreq.size);
1011 			xenvif_tx_err(queue, &txreq, extra_count, idx);
1012 			break;
1013 		}
1014 
1015 		/* No crossing a page as the payload mustn't fragment. */
1016 		if (unlikely((txreq.offset + txreq.size) > XEN_PAGE_SIZE)) {
1017 			netdev_err(queue->vif->dev, "Cross page boundary, txreq.offset: %u, size: %u\n",
1018 				   txreq.offset, txreq.size);
1019 			xenvif_fatal_tx_err(queue->vif);
1020 			break;
1021 		}
1022 
1023 		if (ret >= XEN_NETBK_LEGACY_SLOTS_MAX - 1 && data_len < txreq.size)
1024 			data_len = txreq.size;
1025 
1026 		skb = xenvif_alloc_skb(data_len);
1027 		if (unlikely(skb == NULL)) {
1028 			netdev_dbg(queue->vif->dev,
1029 				   "Can't allocate a skb in start_xmit.\n");
1030 			xenvif_tx_err(queue, &txreq, extra_count, idx);
1031 			break;
1032 		}
1033 
1034 		skb_shinfo(skb)->nr_frags = ret;
1035 		/* At this point shinfo->nr_frags is in fact the number of
1036 		 * slots, which can be as large as XEN_NETBK_LEGACY_SLOTS_MAX.
1037 		 */
1038 		frag_overflow = 0;
1039 		nskb = NULL;
1040 		if (skb_shinfo(skb)->nr_frags > MAX_SKB_FRAGS) {
1041 			frag_overflow = skb_shinfo(skb)->nr_frags - MAX_SKB_FRAGS;
1042 			BUG_ON(frag_overflow > MAX_SKB_FRAGS);
1043 			skb_shinfo(skb)->nr_frags = MAX_SKB_FRAGS;
1044 			nskb = xenvif_alloc_skb(0);
1045 			if (unlikely(nskb == NULL)) {
1046 				skb_shinfo(skb)->nr_frags = 0;
1047 				kfree_skb(skb);
1048 				xenvif_tx_err(queue, &txreq, extra_count, idx);
1049 				if (net_ratelimit())
1050 					netdev_err(queue->vif->dev,
1051 						   "Can't allocate the frag_list skb.\n");
1052 				break;
1053 			}
1054 		}
1055 
1056 		if (extras[XEN_NETIF_EXTRA_TYPE_GSO - 1].type) {
1057 			struct xen_netif_extra_info *gso;
1058 			gso = &extras[XEN_NETIF_EXTRA_TYPE_GSO - 1];
1059 
1060 			if (xenvif_set_skb_gso(queue->vif, skb, gso)) {
1061 				/* Failure in xenvif_set_skb_gso is fatal. */
1062 				skb_shinfo(skb)->nr_frags = 0;
1063 				kfree_skb(skb);
1064 				kfree_skb(nskb);
1065 				break;
1066 			}
1067 		}
1068 
1069 		if (extras[XEN_NETIF_EXTRA_TYPE_HASH - 1].type) {
1070 			struct xen_netif_extra_info *extra;
1071 			enum pkt_hash_types type = PKT_HASH_TYPE_NONE;
1072 
1073 			extra = &extras[XEN_NETIF_EXTRA_TYPE_HASH - 1];
1074 
1075 			switch (extra->u.hash.type) {
1076 			case _XEN_NETIF_CTRL_HASH_TYPE_IPV4:
1077 			case _XEN_NETIF_CTRL_HASH_TYPE_IPV6:
1078 				type = PKT_HASH_TYPE_L3;
1079 				break;
1080 
1081 			case _XEN_NETIF_CTRL_HASH_TYPE_IPV4_TCP:
1082 			case _XEN_NETIF_CTRL_HASH_TYPE_IPV6_TCP:
1083 				type = PKT_HASH_TYPE_L4;
1084 				break;
1085 
1086 			default:
1087 				break;
1088 			}
1089 
1090 			if (type != PKT_HASH_TYPE_NONE)
1091 				skb_set_hash(skb,
1092 					     *(u32 *)extra->u.hash.value,
1093 					     type);
1094 		}
1095 
1096 		xenvif_get_requests(queue, skb, &txreq, txfrags, copy_ops,
1097 				    map_ops, frag_overflow, nskb, extra_count,
1098 				    data_len);
1099 
1100 		__skb_queue_tail(&queue->tx_queue, skb);
1101 
1102 		queue->tx.req_cons = idx;
1103 	}
1104 
1105 	return;
1106 }
1107 
1108 /* Consolidate skb with a frag_list into a brand new one with local pages on
1109  * frags. Returns 0 or -ENOMEM if can't allocate new pages.
1110  */
1111 static int xenvif_handle_frag_list(struct xenvif_queue *queue, struct sk_buff *skb)
1112 {
1113 	unsigned int offset = skb_headlen(skb);
1114 	skb_frag_t frags[MAX_SKB_FRAGS];
1115 	int i, f;
1116 	struct ubuf_info *uarg;
1117 	struct sk_buff *nskb = skb_shinfo(skb)->frag_list;
1118 
1119 	queue->stats.tx_zerocopy_sent += 2;
1120 	queue->stats.tx_frag_overflow++;
1121 
1122 	xenvif_fill_frags(queue, nskb);
1123 	/* Subtract frags size, we will correct it later */
1124 	skb->truesize -= skb->data_len;
1125 	skb->len += nskb->len;
1126 	skb->data_len += nskb->len;
1127 
1128 	/* create a brand new frags array and coalesce there */
1129 	for (i = 0; offset < skb->len; i++) {
1130 		struct page *page;
1131 		unsigned int len;
1132 
1133 		BUG_ON(i >= MAX_SKB_FRAGS);
1134 		page = alloc_page(GFP_ATOMIC);
1135 		if (!page) {
1136 			int j;
1137 			skb->truesize += skb->data_len;
1138 			for (j = 0; j < i; j++)
1139 				put_page(skb_frag_page(&frags[j]));
1140 			return -ENOMEM;
1141 		}
1142 
1143 		if (offset + PAGE_SIZE < skb->len)
1144 			len = PAGE_SIZE;
1145 		else
1146 			len = skb->len - offset;
1147 		if (skb_copy_bits(skb, offset, page_address(page), len))
1148 			BUG();
1149 
1150 		offset += len;
1151 		skb_frag_fill_page_desc(&frags[i], page, 0, len);
1152 	}
1153 
1154 	/* Release all the original (foreign) frags. */
1155 	for (f = 0; f < skb_shinfo(skb)->nr_frags; f++)
1156 		skb_frag_unref(skb, f);
1157 	uarg = skb_shinfo(skb)->destructor_arg;
1158 	/* increase inflight counter to offset decrement in callback */
1159 	atomic_inc(&queue->inflight_packets);
1160 	uarg->callback(NULL, uarg, true);
1161 	skb_shinfo(skb)->destructor_arg = NULL;
1162 
1163 	/* Fill the skb with the new (local) frags. */
1164 	memcpy(skb_shinfo(skb)->frags, frags, i * sizeof(skb_frag_t));
1165 	skb_shinfo(skb)->nr_frags = i;
1166 	skb->truesize += i * PAGE_SIZE;
1167 
1168 	return 0;
1169 }
1170 
1171 static int xenvif_tx_submit(struct xenvif_queue *queue)
1172 {
1173 	struct gnttab_map_grant_ref *gop_map = queue->tx_map_ops;
1174 	struct gnttab_copy *gop_copy = queue->tx_copy_ops;
1175 	struct sk_buff *skb;
1176 	int work_done = 0;
1177 
1178 	while ((skb = __skb_dequeue(&queue->tx_queue)) != NULL) {
1179 		struct xen_netif_tx_request *txp;
1180 		u16 pending_idx;
1181 
1182 		pending_idx = copy_pending_idx(skb, 0);
1183 		txp = &queue->pending_tx_info[pending_idx].req;
1184 
1185 		/* Check the remap error code. */
1186 		if (unlikely(xenvif_tx_check_gop(queue, skb, &gop_map, &gop_copy))) {
1187 			/* If there was an error, xenvif_tx_check_gop is
1188 			 * expected to release all the frags which were mapped,
1189 			 * so kfree_skb shouldn't do it again
1190 			 */
1191 			skb_shinfo(skb)->nr_frags = 0;
1192 			if (skb_has_frag_list(skb)) {
1193 				struct sk_buff *nskb =
1194 						skb_shinfo(skb)->frag_list;
1195 				skb_shinfo(nskb)->nr_frags = 0;
1196 			}
1197 			kfree_skb(skb);
1198 			continue;
1199 		}
1200 
1201 		if (txp->flags & XEN_NETTXF_csum_blank)
1202 			skb->ip_summed = CHECKSUM_PARTIAL;
1203 		else if (txp->flags & XEN_NETTXF_data_validated)
1204 			skb->ip_summed = CHECKSUM_UNNECESSARY;
1205 
1206 		xenvif_fill_frags(queue, skb);
1207 
1208 		if (unlikely(skb_has_frag_list(skb))) {
1209 			struct sk_buff *nskb = skb_shinfo(skb)->frag_list;
1210 			xenvif_skb_zerocopy_prepare(queue, nskb);
1211 			if (xenvif_handle_frag_list(queue, skb)) {
1212 				if (net_ratelimit())
1213 					netdev_err(queue->vif->dev,
1214 						   "Not enough memory to consolidate frag_list!\n");
1215 				xenvif_skb_zerocopy_prepare(queue, skb);
1216 				kfree_skb(skb);
1217 				continue;
1218 			}
1219 			/* Copied all the bits from the frag list -- free it. */
1220 			skb_frag_list_init(skb);
1221 			kfree_skb(nskb);
1222 		}
1223 
1224 		skb->dev      = queue->vif->dev;
1225 		skb->protocol = eth_type_trans(skb, skb->dev);
1226 		skb_reset_network_header(skb);
1227 
1228 		if (checksum_setup(queue, skb)) {
1229 			netdev_dbg(queue->vif->dev,
1230 				   "Can't setup checksum in net_tx_action\n");
1231 			/* We have to set this flag to trigger the callback */
1232 			if (skb_shinfo(skb)->destructor_arg)
1233 				xenvif_skb_zerocopy_prepare(queue, skb);
1234 			kfree_skb(skb);
1235 			continue;
1236 		}
1237 
1238 		skb_probe_transport_header(skb);
1239 
1240 		/* If the packet is GSO then we will have just set up the
1241 		 * transport header offset in checksum_setup so it's now
1242 		 * straightforward to calculate gso_segs.
1243 		 */
1244 		if (skb_is_gso(skb)) {
1245 			int mss, hdrlen;
1246 
1247 			/* GSO implies having the L4 header. */
1248 			WARN_ON_ONCE(!skb_transport_header_was_set(skb));
1249 			if (unlikely(!skb_transport_header_was_set(skb))) {
1250 				kfree_skb(skb);
1251 				continue;
1252 			}
1253 
1254 			mss = skb_shinfo(skb)->gso_size;
1255 			hdrlen = skb_tcp_all_headers(skb);
1256 
1257 			skb_shinfo(skb)->gso_segs =
1258 				DIV_ROUND_UP(skb->len - hdrlen, mss);
1259 		}
1260 
1261 		queue->stats.rx_bytes += skb->len;
1262 		queue->stats.rx_packets++;
1263 
1264 		work_done++;
1265 
1266 		/* Set this flag right before netif_receive_skb, otherwise
1267 		 * someone might think this packet already left netback, and
1268 		 * do a skb_copy_ubufs while we are still in control of the
1269 		 * skb. E.g. the __pskb_pull_tail earlier can do such thing.
1270 		 */
1271 		if (skb_shinfo(skb)->destructor_arg) {
1272 			xenvif_skb_zerocopy_prepare(queue, skb);
1273 			queue->stats.tx_zerocopy_sent++;
1274 		}
1275 
1276 		netif_receive_skb(skb);
1277 	}
1278 
1279 	return work_done;
1280 }
1281 
1282 void xenvif_zerocopy_callback(struct sk_buff *skb, struct ubuf_info *ubuf_base,
1283 			      bool zerocopy_success)
1284 {
1285 	unsigned long flags;
1286 	pending_ring_idx_t index;
1287 	struct ubuf_info_msgzc *ubuf = uarg_to_msgzc(ubuf_base);
1288 	struct xenvif_queue *queue = ubuf_to_queue(ubuf);
1289 
1290 	/* This is the only place where we grab this lock, to protect callbacks
1291 	 * from each other.
1292 	 */
1293 	spin_lock_irqsave(&queue->callback_lock, flags);
1294 	do {
1295 		u16 pending_idx = ubuf->desc;
1296 		ubuf = (struct ubuf_info_msgzc *) ubuf->ctx;
1297 		BUG_ON(queue->dealloc_prod - queue->dealloc_cons >=
1298 			MAX_PENDING_REQS);
1299 		index = pending_index(queue->dealloc_prod);
1300 		queue->dealloc_ring[index] = pending_idx;
1301 		/* Sync with xenvif_tx_dealloc_action:
1302 		 * insert idx then incr producer.
1303 		 */
1304 		smp_wmb();
1305 		queue->dealloc_prod++;
1306 	} while (ubuf);
1307 	spin_unlock_irqrestore(&queue->callback_lock, flags);
1308 
1309 	if (likely(zerocopy_success))
1310 		queue->stats.tx_zerocopy_success++;
1311 	else
1312 		queue->stats.tx_zerocopy_fail++;
1313 	xenvif_skb_zerocopy_complete(queue);
1314 }
1315 
1316 static inline void xenvif_tx_dealloc_action(struct xenvif_queue *queue)
1317 {
1318 	struct gnttab_unmap_grant_ref *gop;
1319 	pending_ring_idx_t dc, dp;
1320 	u16 pending_idx, pending_idx_release[MAX_PENDING_REQS];
1321 	unsigned int i = 0;
1322 
1323 	dc = queue->dealloc_cons;
1324 	gop = queue->tx_unmap_ops;
1325 
1326 	/* Free up any grants we have finished using */
1327 	do {
1328 		dp = queue->dealloc_prod;
1329 
1330 		/* Ensure we see all indices enqueued by all
1331 		 * xenvif_zerocopy_callback().
1332 		 */
1333 		smp_rmb();
1334 
1335 		while (dc != dp) {
1336 			BUG_ON(gop - queue->tx_unmap_ops >= MAX_PENDING_REQS);
1337 			pending_idx =
1338 				queue->dealloc_ring[pending_index(dc++)];
1339 
1340 			pending_idx_release[gop - queue->tx_unmap_ops] =
1341 				pending_idx;
1342 			queue->pages_to_unmap[gop - queue->tx_unmap_ops] =
1343 				queue->mmap_pages[pending_idx];
1344 			gnttab_set_unmap_op(gop,
1345 					    idx_to_kaddr(queue, pending_idx),
1346 					    GNTMAP_host_map,
1347 					    queue->grant_tx_handle[pending_idx]);
1348 			xenvif_grant_handle_reset(queue, pending_idx);
1349 			++gop;
1350 		}
1351 
1352 	} while (dp != queue->dealloc_prod);
1353 
1354 	queue->dealloc_cons = dc;
1355 
1356 	if (gop - queue->tx_unmap_ops > 0) {
1357 		int ret;
1358 		ret = gnttab_unmap_refs(queue->tx_unmap_ops,
1359 					NULL,
1360 					queue->pages_to_unmap,
1361 					gop - queue->tx_unmap_ops);
1362 		if (ret) {
1363 			netdev_err(queue->vif->dev, "Unmap fail: nr_ops %tu ret %d\n",
1364 				   gop - queue->tx_unmap_ops, ret);
1365 			for (i = 0; i < gop - queue->tx_unmap_ops; ++i) {
1366 				if (gop[i].status != GNTST_okay)
1367 					netdev_err(queue->vif->dev,
1368 						   " host_addr: 0x%llx handle: 0x%x status: %d\n",
1369 						   gop[i].host_addr,
1370 						   gop[i].handle,
1371 						   gop[i].status);
1372 			}
1373 			BUG();
1374 		}
1375 	}
1376 
1377 	for (i = 0; i < gop - queue->tx_unmap_ops; ++i)
1378 		xenvif_idx_release(queue, pending_idx_release[i],
1379 				   XEN_NETIF_RSP_OKAY);
1380 }
1381 
1382 
1383 /* Called after netfront has transmitted */
1384 int xenvif_tx_action(struct xenvif_queue *queue, int budget)
1385 {
1386 	unsigned nr_mops = 0, nr_cops = 0;
1387 	int work_done, ret;
1388 
1389 	if (unlikely(!tx_work_todo(queue)))
1390 		return 0;
1391 
1392 	xenvif_tx_build_gops(queue, budget, &nr_cops, &nr_mops);
1393 
1394 	if (nr_cops == 0)
1395 		return 0;
1396 
1397 	gnttab_batch_copy(queue->tx_copy_ops, nr_cops);
1398 	if (nr_mops != 0) {
1399 		ret = gnttab_map_refs(queue->tx_map_ops,
1400 				      NULL,
1401 				      queue->pages_to_map,
1402 				      nr_mops);
1403 		if (ret) {
1404 			unsigned int i;
1405 
1406 			netdev_err(queue->vif->dev, "Map fail: nr %u ret %d\n",
1407 				   nr_mops, ret);
1408 			for (i = 0; i < nr_mops; ++i)
1409 				WARN_ON_ONCE(queue->tx_map_ops[i].status ==
1410 				             GNTST_okay);
1411 		}
1412 	}
1413 
1414 	work_done = xenvif_tx_submit(queue);
1415 
1416 	return work_done;
1417 }
1418 
1419 static void _make_tx_response(struct xenvif_queue *queue,
1420 			     const struct xen_netif_tx_request *txp,
1421 			     unsigned int extra_count,
1422 			     s8 status)
1423 {
1424 	RING_IDX i = queue->tx.rsp_prod_pvt;
1425 	struct xen_netif_tx_response *resp;
1426 
1427 	resp = RING_GET_RESPONSE(&queue->tx, i);
1428 	resp->id     = txp->id;
1429 	resp->status = status;
1430 
1431 	while (extra_count-- != 0)
1432 		RING_GET_RESPONSE(&queue->tx, ++i)->status = XEN_NETIF_RSP_NULL;
1433 
1434 	queue->tx.rsp_prod_pvt = ++i;
1435 }
1436 
1437 static void push_tx_responses(struct xenvif_queue *queue)
1438 {
1439 	int notify;
1440 
1441 	RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&queue->tx, notify);
1442 	if (notify)
1443 		notify_remote_via_irq(queue->tx_irq);
1444 }
1445 
1446 static void xenvif_idx_release(struct xenvif_queue *queue, u16 pending_idx,
1447 			       s8 status)
1448 {
1449 	struct pending_tx_info *pending_tx_info;
1450 	pending_ring_idx_t index;
1451 	unsigned long flags;
1452 
1453 	pending_tx_info = &queue->pending_tx_info[pending_idx];
1454 
1455 	spin_lock_irqsave(&queue->response_lock, flags);
1456 
1457 	_make_tx_response(queue, &pending_tx_info->req,
1458 			  pending_tx_info->extra_count, status);
1459 
1460 	/* Release the pending index before pusing the Tx response so
1461 	 * its available before a new Tx request is pushed by the
1462 	 * frontend.
1463 	 */
1464 	index = pending_index(queue->pending_prod++);
1465 	queue->pending_ring[index] = pending_idx;
1466 
1467 	push_tx_responses(queue);
1468 
1469 	spin_unlock_irqrestore(&queue->response_lock, flags);
1470 }
1471 
1472 static void make_tx_response(struct xenvif_queue *queue,
1473 			     const struct xen_netif_tx_request *txp,
1474 			     unsigned int extra_count,
1475 			     s8 status)
1476 {
1477 	unsigned long flags;
1478 
1479 	spin_lock_irqsave(&queue->response_lock, flags);
1480 
1481 	_make_tx_response(queue, txp, extra_count, status);
1482 	push_tx_responses(queue);
1483 
1484 	spin_unlock_irqrestore(&queue->response_lock, flags);
1485 }
1486 
1487 static void xenvif_idx_unmap(struct xenvif_queue *queue, u16 pending_idx)
1488 {
1489 	int ret;
1490 	struct gnttab_unmap_grant_ref tx_unmap_op;
1491 
1492 	gnttab_set_unmap_op(&tx_unmap_op,
1493 			    idx_to_kaddr(queue, pending_idx),
1494 			    GNTMAP_host_map,
1495 			    queue->grant_tx_handle[pending_idx]);
1496 	xenvif_grant_handle_reset(queue, pending_idx);
1497 
1498 	ret = gnttab_unmap_refs(&tx_unmap_op, NULL,
1499 				&queue->mmap_pages[pending_idx], 1);
1500 	if (ret) {
1501 		netdev_err(queue->vif->dev,
1502 			   "Unmap fail: ret: %d pending_idx: %d host_addr: %llx handle: 0x%x status: %d\n",
1503 			   ret,
1504 			   pending_idx,
1505 			   tx_unmap_op.host_addr,
1506 			   tx_unmap_op.handle,
1507 			   tx_unmap_op.status);
1508 		BUG();
1509 	}
1510 }
1511 
1512 static inline int tx_work_todo(struct xenvif_queue *queue)
1513 {
1514 	if (likely(RING_HAS_UNCONSUMED_REQUESTS(&queue->tx)))
1515 		return 1;
1516 
1517 	return 0;
1518 }
1519 
1520 static inline bool tx_dealloc_work_todo(struct xenvif_queue *queue)
1521 {
1522 	return queue->dealloc_cons != queue->dealloc_prod;
1523 }
1524 
1525 void xenvif_unmap_frontend_data_rings(struct xenvif_queue *queue)
1526 {
1527 	if (queue->tx.sring)
1528 		xenbus_unmap_ring_vfree(xenvif_to_xenbus_device(queue->vif),
1529 					queue->tx.sring);
1530 	if (queue->rx.sring)
1531 		xenbus_unmap_ring_vfree(xenvif_to_xenbus_device(queue->vif),
1532 					queue->rx.sring);
1533 }
1534 
1535 int xenvif_map_frontend_data_rings(struct xenvif_queue *queue,
1536 				   grant_ref_t tx_ring_ref,
1537 				   grant_ref_t rx_ring_ref)
1538 {
1539 	void *addr;
1540 	struct xen_netif_tx_sring *txs;
1541 	struct xen_netif_rx_sring *rxs;
1542 	RING_IDX rsp_prod, req_prod;
1543 	int err;
1544 
1545 	err = xenbus_map_ring_valloc(xenvif_to_xenbus_device(queue->vif),
1546 				     &tx_ring_ref, 1, &addr);
1547 	if (err)
1548 		goto err;
1549 
1550 	txs = (struct xen_netif_tx_sring *)addr;
1551 	rsp_prod = READ_ONCE(txs->rsp_prod);
1552 	req_prod = READ_ONCE(txs->req_prod);
1553 
1554 	BACK_RING_ATTACH(&queue->tx, txs, rsp_prod, XEN_PAGE_SIZE);
1555 
1556 	err = -EIO;
1557 	if (req_prod - rsp_prod > RING_SIZE(&queue->tx))
1558 		goto err;
1559 
1560 	err = xenbus_map_ring_valloc(xenvif_to_xenbus_device(queue->vif),
1561 				     &rx_ring_ref, 1, &addr);
1562 	if (err)
1563 		goto err;
1564 
1565 	rxs = (struct xen_netif_rx_sring *)addr;
1566 	rsp_prod = READ_ONCE(rxs->rsp_prod);
1567 	req_prod = READ_ONCE(rxs->req_prod);
1568 
1569 	BACK_RING_ATTACH(&queue->rx, rxs, rsp_prod, XEN_PAGE_SIZE);
1570 
1571 	err = -EIO;
1572 	if (req_prod - rsp_prod > RING_SIZE(&queue->rx))
1573 		goto err;
1574 
1575 	return 0;
1576 
1577 err:
1578 	xenvif_unmap_frontend_data_rings(queue);
1579 	return err;
1580 }
1581 
1582 static bool xenvif_dealloc_kthread_should_stop(struct xenvif_queue *queue)
1583 {
1584 	/* Dealloc thread must remain running until all inflight
1585 	 * packets complete.
1586 	 */
1587 	return kthread_should_stop() &&
1588 		!atomic_read(&queue->inflight_packets);
1589 }
1590 
1591 int xenvif_dealloc_kthread(void *data)
1592 {
1593 	struct xenvif_queue *queue = data;
1594 
1595 	for (;;) {
1596 		wait_event_interruptible(queue->dealloc_wq,
1597 					 tx_dealloc_work_todo(queue) ||
1598 					 xenvif_dealloc_kthread_should_stop(queue));
1599 		if (xenvif_dealloc_kthread_should_stop(queue))
1600 			break;
1601 
1602 		xenvif_tx_dealloc_action(queue);
1603 		cond_resched();
1604 	}
1605 
1606 	/* Unmap anything remaining*/
1607 	if (tx_dealloc_work_todo(queue))
1608 		xenvif_tx_dealloc_action(queue);
1609 
1610 	return 0;
1611 }
1612 
1613 static void make_ctrl_response(struct xenvif *vif,
1614 			       const struct xen_netif_ctrl_request *req,
1615 			       u32 status, u32 data)
1616 {
1617 	RING_IDX idx = vif->ctrl.rsp_prod_pvt;
1618 	struct xen_netif_ctrl_response rsp = {
1619 		.id = req->id,
1620 		.type = req->type,
1621 		.status = status,
1622 		.data = data,
1623 	};
1624 
1625 	*RING_GET_RESPONSE(&vif->ctrl, idx) = rsp;
1626 	vif->ctrl.rsp_prod_pvt = ++idx;
1627 }
1628 
1629 static void push_ctrl_response(struct xenvif *vif)
1630 {
1631 	int notify;
1632 
1633 	RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&vif->ctrl, notify);
1634 	if (notify)
1635 		notify_remote_via_irq(vif->ctrl_irq);
1636 }
1637 
1638 static void process_ctrl_request(struct xenvif *vif,
1639 				 const struct xen_netif_ctrl_request *req)
1640 {
1641 	u32 status = XEN_NETIF_CTRL_STATUS_NOT_SUPPORTED;
1642 	u32 data = 0;
1643 
1644 	switch (req->type) {
1645 	case XEN_NETIF_CTRL_TYPE_SET_HASH_ALGORITHM:
1646 		status = xenvif_set_hash_alg(vif, req->data[0]);
1647 		break;
1648 
1649 	case XEN_NETIF_CTRL_TYPE_GET_HASH_FLAGS:
1650 		status = xenvif_get_hash_flags(vif, &data);
1651 		break;
1652 
1653 	case XEN_NETIF_CTRL_TYPE_SET_HASH_FLAGS:
1654 		status = xenvif_set_hash_flags(vif, req->data[0]);
1655 		break;
1656 
1657 	case XEN_NETIF_CTRL_TYPE_SET_HASH_KEY:
1658 		status = xenvif_set_hash_key(vif, req->data[0],
1659 					     req->data[1]);
1660 		break;
1661 
1662 	case XEN_NETIF_CTRL_TYPE_GET_HASH_MAPPING_SIZE:
1663 		status = XEN_NETIF_CTRL_STATUS_SUCCESS;
1664 		data = XEN_NETBK_MAX_HASH_MAPPING_SIZE;
1665 		break;
1666 
1667 	case XEN_NETIF_CTRL_TYPE_SET_HASH_MAPPING_SIZE:
1668 		status = xenvif_set_hash_mapping_size(vif,
1669 						      req->data[0]);
1670 		break;
1671 
1672 	case XEN_NETIF_CTRL_TYPE_SET_HASH_MAPPING:
1673 		status = xenvif_set_hash_mapping(vif, req->data[0],
1674 						 req->data[1],
1675 						 req->data[2]);
1676 		break;
1677 
1678 	default:
1679 		break;
1680 	}
1681 
1682 	make_ctrl_response(vif, req, status, data);
1683 	push_ctrl_response(vif);
1684 }
1685 
1686 static void xenvif_ctrl_action(struct xenvif *vif)
1687 {
1688 	for (;;) {
1689 		RING_IDX req_prod, req_cons;
1690 
1691 		req_prod = vif->ctrl.sring->req_prod;
1692 		req_cons = vif->ctrl.req_cons;
1693 
1694 		/* Make sure we can see requests before we process them. */
1695 		rmb();
1696 
1697 		if (req_cons == req_prod)
1698 			break;
1699 
1700 		while (req_cons != req_prod) {
1701 			struct xen_netif_ctrl_request req;
1702 
1703 			RING_COPY_REQUEST(&vif->ctrl, req_cons, &req);
1704 			req_cons++;
1705 
1706 			process_ctrl_request(vif, &req);
1707 		}
1708 
1709 		vif->ctrl.req_cons = req_cons;
1710 		vif->ctrl.sring->req_event = req_cons + 1;
1711 	}
1712 }
1713 
1714 static bool xenvif_ctrl_work_todo(struct xenvif *vif)
1715 {
1716 	if (likely(RING_HAS_UNCONSUMED_REQUESTS(&vif->ctrl)))
1717 		return true;
1718 
1719 	return false;
1720 }
1721 
1722 irqreturn_t xenvif_ctrl_irq_fn(int irq, void *data)
1723 {
1724 	struct xenvif *vif = data;
1725 	unsigned int eoi_flag = XEN_EOI_FLAG_SPURIOUS;
1726 
1727 	while (xenvif_ctrl_work_todo(vif)) {
1728 		xenvif_ctrl_action(vif);
1729 		eoi_flag = 0;
1730 	}
1731 
1732 	xen_irq_lateeoi(irq, eoi_flag);
1733 
1734 	return IRQ_HANDLED;
1735 }
1736 
1737 static int __init netback_init(void)
1738 {
1739 	int rc = 0;
1740 
1741 	if (!xen_domain())
1742 		return -ENODEV;
1743 
1744 	/* Allow as many queues as there are CPUs but max. 8 if user has not
1745 	 * specified a value.
1746 	 */
1747 	if (xenvif_max_queues == 0)
1748 		xenvif_max_queues = min_t(unsigned int, MAX_QUEUES_DEFAULT,
1749 					  num_online_cpus());
1750 
1751 	if (fatal_skb_slots < XEN_NETBK_LEGACY_SLOTS_MAX) {
1752 		pr_info("fatal_skb_slots too small (%d), bump it to XEN_NETBK_LEGACY_SLOTS_MAX (%d)\n",
1753 			fatal_skb_slots, XEN_NETBK_LEGACY_SLOTS_MAX);
1754 		fatal_skb_slots = XEN_NETBK_LEGACY_SLOTS_MAX;
1755 	}
1756 
1757 	rc = xenvif_xenbus_init();
1758 	if (rc)
1759 		goto failed_init;
1760 
1761 #ifdef CONFIG_DEBUG_FS
1762 	xen_netback_dbg_root = debugfs_create_dir("xen-netback", NULL);
1763 #endif /* CONFIG_DEBUG_FS */
1764 
1765 	return 0;
1766 
1767 failed_init:
1768 	return rc;
1769 }
1770 
1771 module_init(netback_init);
1772 
1773 static void __exit netback_fini(void)
1774 {
1775 #ifdef CONFIG_DEBUG_FS
1776 	debugfs_remove_recursive(xen_netback_dbg_root);
1777 #endif /* CONFIG_DEBUG_FS */
1778 	xenvif_xenbus_fini();
1779 }
1780 module_exit(netback_fini);
1781 
1782 MODULE_DESCRIPTION("Xen backend network device module");
1783 MODULE_LICENSE("Dual BSD/GPL");
1784 MODULE_ALIAS("xen-backend:vif");
1785