xref: /titanic_51/usr/src/uts/common/xen/io/xnf.c (revision 72b4c2cd5756cbce91ec4b298168685490456787)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  *
31  * Copyright (c) 2004 Christian Limpach.
32  * All rights reserved.
33  *
34  * Redistribution and use in source and binary forms, with or without
35  * modification, are permitted provided that the following conditions
36  * are met:
37  * 1. Redistributions of source code must retain the above copyright
38  *    notice, this list of conditions and the following disclaimer.
39  * 2. Redistributions in binary form must reproduce the above copyright
40  *    notice, this list of conditions and the following disclaimer in the
41  *    documentation and/or other materials provided with the distribution.
42  * 3. This section intentionally left blank.
43  * 4. The name of the author may not be used to endorse or promote products
44  *    derived from this software without specific prior written permission.
45  *
46  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
47  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
48  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
49  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
50  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
51  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
52  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
53  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
54  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
55  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
56  */
57 /*
58  * Section 3 of the above license was updated in response to bug 6379571.
59  */
60 
61 /*
62  * xnf.c - Nemo-based network driver for domU
63  */
64 
65 #include <sys/types.h>
66 #include <sys/errno.h>
67 #include <sys/param.h>
68 #include <sys/sysmacros.h>
69 #include <sys/systm.h>
70 #include <sys/stream.h>
71 #include <sys/strsubr.h>
72 #include <sys/conf.h>
73 #include <sys/ddi.h>
74 #include <sys/devops.h>
75 #include <sys/sunddi.h>
76 #include <sys/sunndi.h>
77 #include <sys/dlpi.h>
78 #include <sys/ethernet.h>
79 #include <sys/strsun.h>
80 #include <sys/pattr.h>
81 #include <inet/ip.h>
82 #include <sys/modctl.h>
83 #include <sys/mac.h>
84 #include <sys/mac_ether.h>
85 #include <sys/bootinfo.h>
86 #include <sys/mach_mmu.h>
87 #ifdef	XPV_HVM_DRIVER
88 #include <sys/xpv_support.h>
89 #include <sys/hypervisor.h>
90 #else
91 #include <sys/hypervisor.h>
92 #include <sys/evtchn_impl.h>
93 #include <sys/balloon_impl.h>
94 #endif
95 #include <xen/public/io/netif.h>
96 #include <sys/gnttab.h>
97 #include <xen/sys/xendev.h>
98 #include <sys/sdt.h>
99 
100 #include <io/xnf.h>
101 
102 
103 /*
104  *  Declarations and Module Linkage
105  */
106 
107 #define	IDENT	"Virtual Ethernet driver"
108 
109 #if defined(DEBUG) || defined(__lint)
110 #define	XNF_DEBUG
111 int	xnfdebug = 0;
112 #endif
113 
114 /*
115  * On a 32 bit PAE system physical and machine addresses are larger
116  * than 32 bits.  ddi_btop() on such systems take an unsigned long
117  * argument, and so addresses above 4G are truncated before ddi_btop()
118  * gets to see them.  To avoid this, code the shift operation here.
119  */
120 #define	xnf_btop(addr)	((addr) >> PAGESHIFT)
121 
122 boolean_t	xnf_cksum_offload = B_TRUE;
123 
124 /* Default value for hypervisor-based copy operations */
125 boolean_t	xnf_rx_hvcopy = B_TRUE;
126 
127 /*
128  * Should pages used for transmit be readonly for the peer?
129  */
130 boolean_t	xnf_tx_pages_readonly = B_FALSE;
131 /*
132  * Packets under this size are bcopied instead of using desballoc.
133  * Choose a value > XNF_FRAMESIZE (1514) to force the receive path to
134  * always copy.
135  */
136 unsigned int	xnf_rx_bcopy_thresh = 64;
137 
138 unsigned int	xnf_max_tx_frags = 1;
139 
140 /* Required system entry points */
141 static int	xnf_attach(dev_info_t *, ddi_attach_cmd_t);
142 static int	xnf_detach(dev_info_t *, ddi_detach_cmd_t);
143 
144 /* Required driver entry points for Nemo */
145 static int	xnf_start(void *);
146 static void	xnf_stop(void *);
147 static int	xnf_set_mac_addr(void *, const uint8_t *);
148 static int	xnf_set_multicast(void *, boolean_t, const uint8_t *);
149 static int	xnf_set_promiscuous(void *, boolean_t);
150 static mblk_t	*xnf_send(void *, mblk_t *);
151 static uint_t	xnf_intr(caddr_t);
152 static int	xnf_stat(void *, uint_t, uint64_t *);
153 static void	xnf_blank(void *, time_t, uint_t);
154 static void	xnf_resources(void *);
155 static void	xnf_ioctl(void *, queue_t *, mblk_t *);
156 static boolean_t xnf_getcapab(void *, mac_capab_t, void *);
157 
158 /* Driver private functions */
159 static int xnf_alloc_dma_resources(xnf_t *);
160 static void xnf_release_dma_resources(xnf_t *);
161 static mblk_t *xnf_process_recv(xnf_t *);
162 static void xnf_rcv_complete(struct xnf_buffer_desc *);
163 static void xnf_release_mblks(xnf_t *);
164 static struct xnf_buffer_desc *xnf_alloc_tx_buffer(xnf_t *);
165 static struct xnf_buffer_desc *xnf_alloc_buffer(xnf_t *);
166 static struct xnf_buffer_desc *xnf_get_tx_buffer(xnf_t *);
167 static struct xnf_buffer_desc *xnf_get_buffer(xnf_t *);
168 static void xnf_free_buffer(struct xnf_buffer_desc *);
169 static void xnf_free_tx_buffer(struct xnf_buffer_desc *);
170 void xnf_send_driver_status(int, int);
171 static void rx_buffer_hang(xnf_t *, struct xnf_buffer_desc *);
172 static int xnf_clean_tx_ring(xnf_t  *);
173 static void oe_state_change(dev_info_t *, ddi_eventcookie_t,
174     void *, void *);
175 static mblk_t *xnf_process_hvcopy_recv(xnf_t *xnfp);
176 static boolean_t xnf_hvcopy_peer_status(dev_info_t *devinfo);
177 static boolean_t xnf_kstat_init(xnf_t *xnfp);
178 
179 /*
180  * XXPV dme: remove MC_IOCTL?
181  */
182 static mac_callbacks_t xnf_callbacks = {
183 	MC_RESOURCES | MC_IOCTL | MC_GETCAPAB,
184 	xnf_stat,
185 	xnf_start,
186 	xnf_stop,
187 	xnf_set_promiscuous,
188 	xnf_set_multicast,
189 	xnf_set_mac_addr,
190 	xnf_send,
191 	xnf_resources,
192 	xnf_ioctl,
193 	xnf_getcapab
194 };
195 
196 #define	GRANT_INVALID_REF	0
197 const int xnf_rx_bufs_lowat = 4 * NET_RX_RING_SIZE;
198 const int xnf_rx_bufs_hiwat = 8 * NET_RX_RING_SIZE; /* default max */
199 
200 /* DMA attributes for network ring buffer */
201 static ddi_dma_attr_t ringbuf_dma_attr = {
202 	DMA_ATTR_V0,		/* version of this structure */
203 	0,			/* lowest usable address */
204 	0xffffffffffffffffULL,	/* highest usable address */
205 	0x7fffffff,		/* maximum DMAable byte count */
206 	MMU_PAGESIZE,		/* alignment in bytes */
207 	0x7ff,			/* bitmap of burst sizes */
208 	1,			/* minimum transfer */
209 	0xffffffffU,		/* maximum transfer */
210 	0xffffffffffffffffULL,	/* maximum segment length */
211 	1,			/* maximum number of segments */
212 	1,			/* granularity */
213 	0,			/* flags (reserved) */
214 };
215 
216 /* DMA attributes for transmit data */
217 static ddi_dma_attr_t tx_buffer_dma_attr = {
218 	DMA_ATTR_V0,		/* version of this structure */
219 	0,			/* lowest usable address */
220 	0xffffffffffffffffULL,	/* highest usable address */
221 	0x7fffffff,		/* maximum DMAable byte count */
222 	MMU_PAGESIZE,		/* alignment in bytes */
223 	0x7ff,			/* bitmap of burst sizes */
224 	1,			/* minimum transfer */
225 	0xffffffffU,		/* maximum transfer */
226 	0xffffffffffffffffULL,	/* maximum segment length */
227 	1,			/* maximum number of segments */
228 	1,			/* granularity */
229 	0,			/* flags (reserved) */
230 };
231 
232 /* DMA attributes for a receive buffer */
233 static ddi_dma_attr_t rx_buffer_dma_attr = {
234 	DMA_ATTR_V0,		/* version of this structure */
235 	0,			/* lowest usable address */
236 	0xffffffffffffffffULL,	/* highest usable address */
237 	0x7fffffff,		/* maximum DMAable byte count */
238 	MMU_PAGESIZE,		/* alignment in bytes */
239 	0x7ff,			/* bitmap of burst sizes */
240 	1,			/* minimum transfer */
241 	0xffffffffU,		/* maximum transfer */
242 	0xffffffffffffffffULL,	/* maximum segment length */
243 	1,			/* maximum number of segments */
244 	1,			/* granularity */
245 	0,			/* flags (reserved) */
246 };
247 
248 /* DMA access attributes for registers and descriptors */
249 static ddi_device_acc_attr_t accattr = {
250 	DDI_DEVICE_ATTR_V0,
251 	DDI_STRUCTURE_LE_ACC,	/* This is a little-endian device */
252 	DDI_STRICTORDER_ACC
253 };
254 
255 /* DMA access attributes for data: NOT to be byte swapped. */
256 static ddi_device_acc_attr_t data_accattr = {
257 	DDI_DEVICE_ATTR_V0,
258 	DDI_NEVERSWAP_ACC,
259 	DDI_STRICTORDER_ACC
260 };
261 
262 unsigned char xnf_broadcastaddr[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
263 int xnf_diagnose = 0; /* Patchable global for diagnostic purposes */
264 
265 DDI_DEFINE_STREAM_OPS(xnf_dev_ops, nulldev, nulldev, xnf_attach, xnf_detach,
266     nodev, NULL, D_MP, NULL);
267 
268 static struct modldrv xnf_modldrv = {
269 	&mod_driverops,		/* Type of module.  This one is a driver */
270 	IDENT " %I%",		/* short description */
271 	&xnf_dev_ops		/* driver specific ops */
272 };
273 
274 static struct modlinkage modlinkage = {
275 	MODREV_1, &xnf_modldrv, NULL
276 };
277 
278 int
279 _init(void)
280 {
281 	int r;
282 
283 	mac_init_ops(&xnf_dev_ops, "xnf");
284 	r = mod_install(&modlinkage);
285 	if (r != DDI_SUCCESS)
286 		mac_fini_ops(&xnf_dev_ops);
287 
288 	return (r);
289 }
290 
291 int
292 _fini(void)
293 {
294 	return (EBUSY); /* XXPV dme: should be removable */
295 }
296 
297 int
298 _info(struct modinfo *modinfop)
299 {
300 	return (mod_info(&modlinkage, modinfop));
301 }
302 
303 static int
304 xnf_setup_rings(xnf_t *xnfp)
305 {
306 	int			ix, err;
307 	RING_IDX		i;
308 	struct xnf_buffer_desc	*bdesc, *rbp;
309 	struct xenbus_device	*xsd;
310 	domid_t			oeid;
311 
312 	oeid = xvdi_get_oeid(xnfp->xnf_devinfo);
313 	xsd = xvdi_get_xsd(xnfp->xnf_devinfo);
314 
315 	if (xnfp->xnf_tx_ring_ref != GRANT_INVALID_REF)
316 		gnttab_end_foreign_access(xnfp->xnf_tx_ring_ref, 0, 0);
317 
318 	err = gnttab_grant_foreign_access(oeid,
319 	    xnf_btop(pa_to_ma(xnfp->xnf_tx_ring_phys_addr)), 0);
320 	if (err <= 0) {
321 		err = -err;
322 		xenbus_dev_error(xsd, err, "granting access to tx ring page");
323 		goto out;
324 	}
325 	xnfp->xnf_tx_ring_ref = (grant_ref_t)err;
326 
327 	if (xnfp->xnf_rx_ring_ref != GRANT_INVALID_REF)
328 		gnttab_end_foreign_access(xnfp->xnf_rx_ring_ref, 0, 0);
329 
330 	err = gnttab_grant_foreign_access(oeid,
331 	    xnf_btop(pa_to_ma(xnfp->xnf_rx_ring_phys_addr)), 0);
332 	if (err <= 0) {
333 		err = -err;
334 		xenbus_dev_error(xsd, err, "granting access to rx ring page");
335 		goto out;
336 	}
337 	xnfp->xnf_rx_ring_ref = (grant_ref_t)err;
338 
339 
340 	mutex_enter(&xnfp->xnf_intrlock);
341 
342 	/*
343 	 * Cleanup the TX ring.  We just clean up any valid tx_pktinfo structs
344 	 * and reset the ring.  Note that this can lose packets after a resume,
345 	 * but we expect to stagger on.
346 	 */
347 	mutex_enter(&xnfp->xnf_txlock);
348 
349 	for (i = 0; i < xnfp->xnf_n_tx; i++) {
350 		struct tx_pktinfo *txp = &xnfp->xnf_tx_pkt_info[i];
351 
352 		txp->id = i + 1;
353 
354 		if (txp->grant_ref == GRANT_INVALID_REF) {
355 			ASSERT(txp->mp == NULL);
356 			ASSERT(txp->bdesc == NULL);
357 			continue;
358 		}
359 
360 		if (gnttab_query_foreign_access(txp->grant_ref) != 0)
361 			panic("tx grant still in use by backend domain");
362 
363 		freemsg(txp->mp);
364 		txp->mp = NULL;
365 
366 		(void) ddi_dma_unbind_handle(txp->dma_handle);
367 
368 		if (txp->bdesc != NULL) {
369 			xnf_free_tx_buffer(txp->bdesc);
370 			txp->bdesc = NULL;
371 		}
372 
373 		(void) gnttab_end_foreign_access_ref(txp->grant_ref,
374 		    xnfp->xnf_tx_pages_readonly);
375 		gnttab_release_grant_reference(&xnfp->xnf_gref_tx_head,
376 		    txp->grant_ref);
377 		txp->grant_ref = GRANT_INVALID_REF;
378 	}
379 
380 	xnfp->xnf_tx_pkt_id_list = 0;
381 	xnfp->xnf_tx_ring.rsp_cons = 0;
382 	xnfp->xnf_tx_ring.req_prod_pvt = 0;
383 	xnfp->xnf_tx_ring.sring->req_prod = 0;
384 	xnfp->xnf_tx_ring.sring->rsp_prod = 0;
385 	xnfp->xnf_tx_ring.sring->rsp_event = 1;
386 
387 	mutex_exit(&xnfp->xnf_txlock);
388 
389 	/*
390 	 * Rebuild the RX ring.  We have to rebuild the RX ring because some of
391 	 * our pages are currently flipped out/granted so we can't just free
392 	 * the RX buffers.  Reclaim any unprocessed recv buffers, they won't be
393 	 * useable anyway since the mfn's they refer to are no longer valid.
394 	 * Grant the backend domain access to each hung rx buffer.
395 	 */
396 	i = xnfp->xnf_rx_ring.rsp_cons;
397 	while (i++ != xnfp->xnf_rx_ring.sring->req_prod) {
398 		volatile netif_rx_request_t	*rxrp;
399 
400 		rxrp = RING_GET_REQUEST(&xnfp->xnf_rx_ring, i);
401 		ix = rxrp - RING_GET_REQUEST(&xnfp->xnf_rx_ring, 0);
402 		rbp = xnfp->xnf_rxpkt_bufptr[ix];
403 		if (rbp != NULL) {
404 			grant_ref_t	ref = rbp->grant_ref;
405 
406 			ASSERT(ref != GRANT_INVALID_REF);
407 			if (xnfp->xnf_rx_hvcopy) {
408 				pfn_t pfn = xnf_btop(rbp->buf_phys);
409 				mfn_t mfn = pfn_to_mfn(pfn);
410 
411 				gnttab_grant_foreign_access_ref(ref, oeid,
412 				    mfn, 0);
413 			} else {
414 				gnttab_grant_foreign_transfer_ref(ref,
415 				    oeid, 0);
416 			}
417 			rxrp->id = ix;
418 			rxrp->gref = ref;
419 		}
420 	}
421 
422 	/*
423 	 * Reset the ring pointers to initial state.
424 	 * Hang buffers for any empty ring slots.
425 	 */
426 	xnfp->xnf_rx_ring.rsp_cons = 0;
427 	xnfp->xnf_rx_ring.req_prod_pvt = 0;
428 	xnfp->xnf_rx_ring.sring->req_prod = 0;
429 	xnfp->xnf_rx_ring.sring->rsp_prod = 0;
430 	xnfp->xnf_rx_ring.sring->rsp_event = 1;
431 	for (i = 0; i < NET_RX_RING_SIZE; i++) {
432 		xnfp->xnf_rx_ring.req_prod_pvt = i;
433 		if (xnfp->xnf_rxpkt_bufptr[i] != NULL)
434 			continue;
435 		if ((bdesc = xnf_get_buffer(xnfp)) == NULL)
436 			break;
437 		rx_buffer_hang(xnfp, bdesc);
438 	}
439 	xnfp->xnf_rx_ring.req_prod_pvt = i;
440 	/* LINTED: constant in conditional context */
441 	RING_PUSH_REQUESTS(&xnfp->xnf_rx_ring);
442 
443 	mutex_exit(&xnfp->xnf_intrlock);
444 
445 	return (0);
446 
447 out:
448 	if (xnfp->xnf_tx_ring_ref != GRANT_INVALID_REF)
449 		gnttab_end_foreign_access(xnfp->xnf_tx_ring_ref, 0, 0);
450 	xnfp->xnf_tx_ring_ref = GRANT_INVALID_REF;
451 
452 	if (xnfp->xnf_rx_ring_ref != GRANT_INVALID_REF)
453 		gnttab_end_foreign_access(xnfp->xnf_rx_ring_ref, 0, 0);
454 	xnfp->xnf_rx_ring_ref = GRANT_INVALID_REF;
455 
456 	return (err);
457 }
458 
459 
460 /* Called when the upper layers free a message we passed upstream */
461 static void
462 xnf_copy_rcv_complete(struct xnf_buffer_desc *bdesc)
463 {
464 	(void) ddi_dma_unbind_handle(bdesc->dma_handle);
465 	ddi_dma_mem_free(&bdesc->acc_handle);
466 	ddi_dma_free_handle(&bdesc->dma_handle);
467 	kmem_free(bdesc, sizeof (*bdesc));
468 }
469 
470 
471 /*
472  * Connect driver to back end, called to set up communication with
473  * back end driver both initially and on resume after restore/migrate.
474  */
475 void
476 xnf_be_connect(xnf_t *xnfp)
477 {
478 	char		mac[ETHERADDRL * 3];
479 	const char	*message;
480 	xenbus_transaction_t xbt;
481 	struct		xenbus_device *xsd;
482 	char		*xsname;
483 	int		err, be_no_cksum_offload;
484 
485 	ASSERT(!xnfp->xnf_connected);
486 
487 	xsd = xvdi_get_xsd(xnfp->xnf_devinfo);
488 	xsname = xvdi_get_xsname(xnfp->xnf_devinfo);
489 
490 	err = xenbus_scanf(XBT_NULL, xvdi_get_oename(xnfp->xnf_devinfo), "mac",
491 	    "%s", (char *)&mac[0]);
492 	if (err != 0) {
493 		/*
494 		 * bad: we're supposed to be set up with a proper mac
495 		 * addr. at this point
496 		 */
497 		cmn_err(CE_WARN, "%s%d: no mac address",
498 		    ddi_driver_name(xnfp->xnf_devinfo),
499 		    ddi_get_instance(xnfp->xnf_devinfo));
500 			return;
501 	}
502 
503 	if (ether_aton(mac, xnfp->xnf_mac_addr) != ETHERADDRL) {
504 		err = ENOENT;
505 		xenbus_dev_error(xsd, ENOENT, "parsing %s/mac", xsname);
506 		return;
507 	}
508 
509 	err = xnf_setup_rings(xnfp);
510 	if (err != 0) {
511 		cmn_err(CE_WARN, "failed to set up tx/rx rings");
512 		xenbus_dev_error(xsd, err, "setting up ring");
513 		return;
514 	}
515 
516 	err = xenbus_scanf(XBT_NULL, xvdi_get_oename(xnfp->xnf_devinfo),
517 	    "feature-no-csum-offload", "%d", &be_no_cksum_offload);
518 	/*
519 	 * If we fail to read the store we assume that the key is
520 	 * absent, implying an older domain at the far end.  Older
521 	 * domains always support checksum offload.
522 	 */
523 	if (err != 0)
524 		be_no_cksum_offload = 0;
525 	/*
526 	 * If the far end cannot do checksum offload or we do not wish
527 	 * to do it, disable it.
528 	 */
529 	if ((be_no_cksum_offload == 1) || !xnfp->xnf_cksum_offload)
530 		xnfp->xnf_cksum_offload = B_FALSE;
531 
532 again:
533 	err = xenbus_transaction_start(&xbt);
534 	if (err != 0) {
535 		xenbus_dev_error(xsd, EIO, "starting transaction");
536 		return;
537 	}
538 
539 	err = xenbus_printf(xbt, xsname, "tx-ring-ref", "%u",
540 	    xnfp->xnf_tx_ring_ref);
541 	if (err != 0) {
542 		message = "writing tx ring-ref";
543 		goto abort_transaction;
544 	}
545 
546 	err = xenbus_printf(xbt, xsname, "rx-ring-ref", "%u",
547 	    xnfp->xnf_rx_ring_ref);
548 	if (err != 0) {
549 		message = "writing rx ring-ref";
550 		goto abort_transaction;
551 	}
552 
553 	err = xenbus_printf(xbt, xsname, "event-channel", "%u",
554 	    xnfp->xnf_evtchn);
555 	if (err != 0) {
556 		message = "writing event-channel";
557 		goto abort_transaction;
558 	}
559 
560 	err = xenbus_printf(xbt, xsname, "feature-rx-notify", "%d", 1);
561 	if (err != 0) {
562 		message = "writing feature-rx-notify";
563 		goto abort_transaction;
564 	}
565 
566 	if (!xnfp->xnf_tx_pages_readonly) {
567 		err = xenbus_printf(xbt, xsname, "feature-tx-writable",
568 		    "%d", 1);
569 		if (err != 0) {
570 			message = "writing feature-tx-writable";
571 			goto abort_transaction;
572 		}
573 	}
574 
575 	err = xenbus_printf(xbt, xsname, "feature-no-csum-offload", "%d",
576 	    xnfp->xnf_cksum_offload ? 0 : 1);
577 	if (err != 0) {
578 		message = "writing feature-no-csum-offload";
579 		goto abort_transaction;
580 	}
581 	err = xenbus_printf(xbt, xsname, "request-rx-copy", "%d",
582 	    xnfp->xnf_rx_hvcopy ? 1 : 0);
583 	if (err != 0) {
584 		message = "writing request-rx-copy";
585 		goto abort_transaction;
586 	}
587 
588 	err = xenbus_printf(xbt, xsname, "state", "%d", XenbusStateConnected);
589 	if (err != 0) {
590 		message = "writing frontend XenbusStateConnected";
591 		goto abort_transaction;
592 	}
593 
594 	err = xenbus_transaction_end(xbt, 0);
595 	if (err != 0) {
596 		if (err == EAGAIN)
597 			goto again;
598 		xenbus_dev_error(xsd, err, "completing transaction");
599 	}
600 
601 	return;
602 
603 abort_transaction:
604 	(void) xenbus_transaction_end(xbt, 1);
605 	xenbus_dev_error(xsd, err, "%s", message);
606 }
607 
608 /*
609  *  attach(9E) -- Attach a device to the system
610  *
611  *  Called once for each board successfully probed.
612  */
613 static int
614 xnf_attach(dev_info_t *devinfo, ddi_attach_cmd_t cmd)
615 {
616 	mac_register_t *macp;
617 	xnf_t *xnfp;
618 	int err;
619 
620 #ifdef XNF_DEBUG
621 	if (xnfdebug & XNF_DEBUG_DDI)
622 		printf("xnf%d: attach(0x%p)\n", ddi_get_instance(devinfo),
623 		    (void *)devinfo);
624 #endif
625 
626 	switch (cmd) {
627 	case DDI_RESUME:
628 		xnfp = ddi_get_driver_private(devinfo);
629 
630 		(void) xvdi_resume(devinfo);
631 		(void) xvdi_alloc_evtchn(devinfo);
632 		xnfp->xnf_evtchn = xvdi_get_evtchn(devinfo);
633 #ifdef XPV_HVM_DRIVER
634 		ec_bind_evtchn_to_handler(xnfp->xnf_evtchn, IPL_VIF, xnf_intr,
635 		    xnfp);
636 #else
637 		(void) ddi_add_intr(devinfo, 0, NULL, NULL, xnf_intr,
638 		    (caddr_t)xnfp);
639 #endif
640 		xnf_be_connect(xnfp);
641 		/*
642 		 * Our MAC address may have changed if we're resuming:
643 		 * - on a different host
644 		 * - on the same one and got a different MAC address
645 		 *   because we didn't specify one of our own.
646 		 * so it's useful to claim that it changed in order that
647 		 * IP send out a gratuitous ARP.
648 		 */
649 		mac_unicst_update(xnfp->xnf_mh, xnfp->xnf_mac_addr);
650 		return (DDI_SUCCESS);
651 
652 	case DDI_ATTACH:
653 		break;
654 
655 	default:
656 		return (DDI_FAILURE);
657 	}
658 
659 	/*
660 	 *  Allocate gld_mac_info_t and xnf_instance structures
661 	 */
662 	macp = mac_alloc(MAC_VERSION);
663 	if (macp == NULL)
664 		return (DDI_FAILURE);
665 	xnfp = kmem_zalloc(sizeof (*xnfp), KM_SLEEP);
666 
667 	macp->m_dip = devinfo;
668 	macp->m_driver = xnfp;
669 	xnfp->xnf_devinfo = devinfo;
670 
671 	macp->m_type_ident = MAC_PLUGIN_IDENT_ETHER;
672 	macp->m_src_addr = xnfp->xnf_mac_addr;
673 	macp->m_callbacks = &xnf_callbacks;
674 	macp->m_min_sdu = 0;
675 	macp->m_max_sdu = XNF_MAXPKT;
676 
677 	xnfp->xnf_running = B_FALSE;
678 	xnfp->xnf_connected = B_FALSE;
679 	xnfp->xnf_cksum_offload = xnf_cksum_offload;
680 	xnfp->xnf_tx_pages_readonly = xnf_tx_pages_readonly;
681 
682 	xnfp->xnf_rx_hvcopy = xnf_hvcopy_peer_status(devinfo) && xnf_rx_hvcopy;
683 #ifdef XPV_HVM_DRIVER
684 	/*
685 	 * Report our version to dom0.
686 	 */
687 	if (xenbus_printf(XBT_NULL, "hvmpv/xnf", "version", "%d",
688 	    HVMPV_XNF_VERS))
689 		cmn_err(CE_WARN, "xnf: couldn't write version\n");
690 
691 	if (!xnfp->xnf_rx_hvcopy) {
692 		cmn_err(CE_WARN, "The xnf driver requires a dom0 that "
693 		    "supports 'feature-rx-copy'");
694 		goto failure;
695 	}
696 #endif
697 
698 	/*
699 	 * Get the iblock cookie with which to initialize the mutexes.
700 	 */
701 	if (ddi_get_iblock_cookie(devinfo, 0, &xnfp->xnf_icookie)
702 	    != DDI_SUCCESS)
703 		goto failure;
704 	/*
705 	 * Driver locking strategy: the txlock protects all paths
706 	 * through the driver, except the interrupt thread.
707 	 * If the interrupt thread needs to do something which could
708 	 * affect the operation of any other part of the driver,
709 	 * it needs to acquire the txlock mutex.
710 	 */
711 	mutex_init(&xnfp->xnf_tx_buf_mutex,
712 	    NULL, MUTEX_DRIVER, xnfp->xnf_icookie);
713 	mutex_init(&xnfp->xnf_rx_buf_mutex,
714 	    NULL, MUTEX_DRIVER, xnfp->xnf_icookie);
715 	mutex_init(&xnfp->xnf_txlock,
716 	    NULL, MUTEX_DRIVER, xnfp->xnf_icookie);
717 	mutex_init(&xnfp->xnf_intrlock,
718 	    NULL, MUTEX_DRIVER, xnfp->xnf_icookie);
719 	cv_init(&xnfp->xnf_cv, NULL, CV_DEFAULT, NULL);
720 
721 	if (gnttab_alloc_grant_references(NET_TX_RING_SIZE,
722 	    &xnfp->xnf_gref_tx_head) < 0) {
723 		cmn_err(CE_WARN, "xnf%d: can't alloc tx grant refs",
724 		    ddi_get_instance(xnfp->xnf_devinfo));
725 		goto failure_1;
726 	}
727 	if (gnttab_alloc_grant_references(NET_RX_RING_SIZE,
728 	    &xnfp->xnf_gref_rx_head) < 0) {
729 		cmn_err(CE_WARN, "xnf%d: can't alloc rx grant refs",
730 		    ddi_get_instance(xnfp->xnf_devinfo));
731 		goto failure_1;
732 	}
733 	if (xnf_alloc_dma_resources(xnfp) == DDI_FAILURE) {
734 		cmn_err(CE_WARN, "xnf%d: failed to allocate and initialize "
735 		    "driver data structures",
736 		    ddi_get_instance(xnfp->xnf_devinfo));
737 		goto failure_1;
738 	}
739 
740 	xnfp->xnf_rx_ring.sring->rsp_event =
741 	    xnfp->xnf_tx_ring.sring->rsp_event = 1;
742 
743 	xnfp->xnf_tx_ring_ref = GRANT_INVALID_REF;
744 	xnfp->xnf_rx_ring_ref = GRANT_INVALID_REF;
745 
746 	/* set driver private pointer now */
747 	ddi_set_driver_private(devinfo, xnfp);
748 
749 	if (xvdi_add_event_handler(devinfo, XS_OE_STATE, oe_state_change)
750 	    != DDI_SUCCESS)
751 		goto failure_1;
752 
753 	if (!xnf_kstat_init(xnfp))
754 		goto failure_2;
755 
756 	/*
757 	 * Allocate an event channel, add the interrupt handler and
758 	 * bind it to the event channel.
759 	 */
760 	(void) xvdi_alloc_evtchn(devinfo);
761 	xnfp->xnf_evtchn = xvdi_get_evtchn(devinfo);
762 #ifdef XPV_HVM_DRIVER
763 	ec_bind_evtchn_to_handler(xnfp->xnf_evtchn, IPL_VIF, xnf_intr, xnfp);
764 #else
765 	(void) ddi_add_intr(devinfo, 0, NULL, NULL, xnf_intr, (caddr_t)xnfp);
766 #endif
767 
768 	/*
769 	 * connect to the backend
770 	 */
771 	xnf_be_connect(xnfp);
772 
773 	err = mac_register(macp, &xnfp->xnf_mh);
774 	mac_free(macp);
775 	macp = NULL;
776 	if (err != 0)
777 		goto failure_3;
778 
779 	return (DDI_SUCCESS);
780 
781 failure_3:
782 	kstat_delete(xnfp->xnf_kstat_aux);
783 
784 failure_2:
785 	xvdi_remove_event_handler(devinfo, XS_OE_STATE);
786 #ifdef XPV_HVM_DRIVER
787 	ec_unbind_evtchn(xnfp->xnf_evtchn);
788 	xvdi_free_evtchn(devinfo);
789 #else
790 	ddi_remove_intr(devinfo, 0, xnfp->xnf_icookie);
791 #endif
792 	xnfp->xnf_evtchn = INVALID_EVTCHN;
793 
794 failure_1:
795 	xnf_release_dma_resources(xnfp);
796 	cv_destroy(&xnfp->xnf_cv);
797 	mutex_destroy(&xnfp->xnf_rx_buf_mutex);
798 	mutex_destroy(&xnfp->xnf_txlock);
799 	mutex_destroy(&xnfp->xnf_intrlock);
800 
801 failure:
802 	kmem_free(xnfp, sizeof (*xnfp));
803 	if (macp != NULL)
804 		mac_free(macp);
805 
806 	return (DDI_FAILURE);
807 }
808 
809 /*  detach(9E) -- Detach a device from the system */
810 static int
811 xnf_detach(dev_info_t *devinfo, ddi_detach_cmd_t cmd)
812 {
813 	xnf_t *xnfp;		/* Our private device info */
814 	int i;
815 
816 #ifdef XNF_DEBUG
817 	if (xnfdebug & XNF_DEBUG_DDI)
818 		printf("xnf_detach(0x%p)\n", (void *)devinfo);
819 #endif
820 
821 	xnfp = ddi_get_driver_private(devinfo);
822 
823 	switch (cmd) {
824 	case DDI_SUSPEND:
825 #ifdef XPV_HVM_DRIVER
826 		ec_unbind_evtchn(xnfp->xnf_evtchn);
827 		xvdi_free_evtchn(devinfo);
828 #else
829 		ddi_remove_intr(devinfo, 0, xnfp->xnf_icookie);
830 #endif
831 
832 		xvdi_suspend(devinfo);
833 
834 		mutex_enter(&xnfp->xnf_intrlock);
835 		mutex_enter(&xnfp->xnf_txlock);
836 
837 		xnfp->xnf_evtchn = INVALID_EVTCHN;
838 		xnfp->xnf_connected = B_FALSE;
839 		mutex_exit(&xnfp->xnf_txlock);
840 		mutex_exit(&xnfp->xnf_intrlock);
841 		return (DDI_SUCCESS);
842 
843 	case DDI_DETACH:
844 		break;
845 
846 	default:
847 		return (DDI_FAILURE);
848 	}
849 
850 	if (xnfp->xnf_connected)
851 		return (DDI_FAILURE);
852 
853 	/* Wait for receive buffers to be returned; give up after 5 seconds */
854 	i = 50;
855 
856 	mutex_enter(&xnfp->xnf_rx_buf_mutex);
857 	while (xnfp->xnf_rx_bufs_outstanding > 0) {
858 		mutex_exit(&xnfp->xnf_rx_buf_mutex);
859 		delay(drv_usectohz(100000));
860 		if (--i == 0) {
861 			cmn_err(CE_WARN,
862 			    "xnf%d: never reclaimed all the "
863 			    "receive buffers.  Still have %d "
864 			    "buffers outstanding.",
865 			    ddi_get_instance(xnfp->xnf_devinfo),
866 			    xnfp->xnf_rx_bufs_outstanding);
867 			return (DDI_FAILURE);
868 		}
869 		mutex_enter(&xnfp->xnf_rx_buf_mutex);
870 	}
871 	mutex_exit(&xnfp->xnf_rx_buf_mutex);
872 
873 	kstat_delete(xnfp->xnf_kstat_aux);
874 
875 	if (mac_unregister(xnfp->xnf_mh) != 0)
876 		return (DDI_FAILURE);
877 
878 	/* Stop the receiver */
879 	xnf_stop(xnfp);
880 
881 	xvdi_remove_event_handler(devinfo, XS_OE_STATE);
882 
883 	/* Remove the interrupt */
884 #ifdef XPV_HVM_DRIVER
885 	ec_unbind_evtchn(xnfp->xnf_evtchn);
886 	xvdi_free_evtchn(devinfo);
887 #else
888 	ddi_remove_intr(devinfo, 0, xnfp->xnf_icookie);
889 #endif
890 
891 	/* Release any pending xmit mblks */
892 	xnf_release_mblks(xnfp);
893 
894 	/* Release all DMA resources */
895 	xnf_release_dma_resources(xnfp);
896 
897 	cv_destroy(&xnfp->xnf_cv);
898 	mutex_destroy(&xnfp->xnf_rx_buf_mutex);
899 	mutex_destroy(&xnfp->xnf_txlock);
900 	mutex_destroy(&xnfp->xnf_intrlock);
901 
902 	kmem_free(xnfp, sizeof (*xnfp));
903 
904 	return (DDI_SUCCESS);
905 }
906 
907 /*
908  *  xnf_set_mac_addr() -- set the physical network address on the board.
909  */
910 /*ARGSUSED*/
911 static int
912 xnf_set_mac_addr(void *arg, const uint8_t *macaddr)
913 {
914 	xnf_t *xnfp = arg;
915 
916 #ifdef XNF_DEBUG
917 	if (xnfdebug & XNF_DEBUG_TRACE)
918 		printf("xnf%d: set_mac_addr(0x%p): "
919 		    "%02x:%02x:%02x:%02x:%02x:%02x\n",
920 		    ddi_get_instance(xnfp->xnf_devinfo),
921 		    (void *)xnfp, macaddr[0], macaddr[1], macaddr[2],
922 		    macaddr[3], macaddr[4], macaddr[5]);
923 #endif
924 	/*
925 	 * We can't set our macaddr.
926 	 *
927 	 * XXPV dme: Why not?
928 	 */
929 	return (ENOTSUP);
930 }
931 
932 /*
933  *  xnf_set_multicast() -- set (enable) or disable a multicast address.
934  *
935  *  Program the hardware to enable/disable the multicast address
936  *  in "mcast".  Enable if "add" is true, disable if false.
937  */
938 /*ARGSUSED*/
939 static int
940 xnf_set_multicast(void *arg, boolean_t add, const uint8_t *mca)
941 {
942 	xnf_t *xnfp = arg;
943 
944 #ifdef XNF_DEBUG
945 	if (xnfdebug & XNF_DEBUG_TRACE)
946 		printf("xnf%d set_multicast(0x%p): "
947 		    "%02x:%02x:%02x:%02x:%02x:%02x\n",
948 		    ddi_get_instance(xnfp->xnf_devinfo),
949 		    (void *)xnfp, mca[0], mca[1], mca[2],
950 		    mca[3], mca[4], mca[5]);
951 #endif
952 
953 	/*
954 	 * XXPV dme: Ideally we'd relay the address to the backend for
955 	 * enabling.  The protocol doesn't support that (interesting
956 	 * extension), so we simply succeed and hope that the relevant
957 	 * packets are going to arrive.
958 	 *
959 	 * If protocol support is added for enable/disable then we'll
960 	 * need to keep a list of those in use and re-add on resume.
961 	 */
962 	return (0);
963 }
964 
965 /*
966  * xnf_set_promiscuous() -- set or reset promiscuous mode on the board
967  *
968  *  Program the hardware to enable/disable promiscuous mode.
969  */
970 /*ARGSUSED*/
971 static int
972 xnf_set_promiscuous(void *arg, boolean_t on)
973 {
974 	xnf_t *xnfp = arg;
975 
976 #ifdef XNF_DEBUG
977 	if (xnfdebug & XNF_DEBUG_TRACE)
978 		printf("xnf%d set_promiscuous(0x%p, %x)\n",
979 		    ddi_get_instance(xnfp->xnf_devinfo),
980 		    (void *)xnfp, on);
981 #endif
982 	/*
983 	 * We can't really do this, but we pretend that we can in
984 	 * order that snoop will work.
985 	 */
986 	return (0);
987 }
988 
989 /*
990  * Clean buffers that we have responses for from the transmit ring.
991  */
992 static int
993 xnf_clean_tx_ring(xnf_t *xnfp)
994 {
995 	RING_IDX		next_resp, i;
996 	struct tx_pktinfo	*reap;
997 	int			id;
998 	grant_ref_t		ref;
999 
1000 	ASSERT(MUTEX_HELD(&xnfp->xnf_txlock));
1001 
1002 	while (RING_HAS_UNCONSUMED_RESPONSES(&xnfp->xnf_tx_ring)) {
1003 		/*
1004 		 * index of next transmission ack
1005 		 */
1006 		next_resp = xnfp->xnf_tx_ring.sring->rsp_prod;
1007 		membar_consumer();
1008 		/*
1009 		 * Clean tx packets from ring that we have responses for
1010 		 */
1011 		for (i = xnfp->xnf_tx_ring.rsp_cons; i != next_resp; i++) {
1012 			id = RING_GET_RESPONSE(&xnfp->xnf_tx_ring, i)->id;
1013 			reap = &xnfp->xnf_tx_pkt_info[id];
1014 			ref = reap->grant_ref;
1015 			/*
1016 			 * Return id to free list
1017 			 */
1018 			reap->id = xnfp->xnf_tx_pkt_id_list;
1019 			xnfp->xnf_tx_pkt_id_list = id;
1020 			if (gnttab_query_foreign_access(ref) != 0)
1021 				panic("tx grant still in use "
1022 				    "by backend domain");
1023 			(void) ddi_dma_unbind_handle(reap->dma_handle);
1024 			(void) gnttab_end_foreign_access_ref(ref,
1025 			    xnfp->xnf_tx_pages_readonly);
1026 			gnttab_release_grant_reference(&xnfp->xnf_gref_tx_head,
1027 			    ref);
1028 			freemsg(reap->mp);
1029 			reap->mp = NULL;
1030 			reap->grant_ref = GRANT_INVALID_REF;
1031 			if (reap->bdesc != NULL)
1032 				xnf_free_tx_buffer(reap->bdesc);
1033 			reap->bdesc = NULL;
1034 		}
1035 		xnfp->xnf_tx_ring.rsp_cons = next_resp;
1036 		membar_enter();
1037 	}
1038 
1039 	return (RING_FREE_REQUESTS(&xnfp->xnf_tx_ring));
1040 }
1041 
1042 /*
1043  * If we need to pull up data from either a packet that crosses a page
1044  * boundary or consisting of multiple mblks, do it here.  We allocate
1045  * a page aligned buffer and copy the data into it.  The header for the
1046  * allocated buffer is returned. (which is also allocated here)
1047  */
1048 static struct xnf_buffer_desc *
1049 xnf_pullupmsg(xnf_t *xnfp, mblk_t *mp)
1050 {
1051 	struct xnf_buffer_desc	*bdesc;
1052 	mblk_t			*mptr;
1053 	caddr_t			bp;
1054 	int			len;
1055 
1056 	/*
1057 	 * get a xmit buffer from the xmit buffer pool
1058 	 */
1059 	mutex_enter(&xnfp->xnf_rx_buf_mutex);
1060 	bdesc = xnf_get_tx_buffer(xnfp);
1061 	mutex_exit(&xnfp->xnf_rx_buf_mutex);
1062 	if (bdesc == NULL)
1063 		return (bdesc);
1064 	/*
1065 	 * Copy the data into the buffer
1066 	 */
1067 	xnfp->xnf_stat_tx_pullup++;
1068 	bp = bdesc->buf;
1069 	for (mptr = mp; mptr != NULL; mptr = mptr->b_cont) {
1070 		len = mptr->b_wptr - mptr->b_rptr;
1071 		bcopy(mptr->b_rptr, bp, len);
1072 		bp += len;
1073 	}
1074 	return (bdesc);
1075 }
1076 
1077 /*
1078  *  xnf_send_one() -- send a packet
1079  *
1080  *  Called when a packet is ready to be transmitted. A pointer to an
1081  *  M_DATA message that contains the packet is passed to this routine.
1082  *  At least the complete LLC header is contained in the message's
1083  *  first message block, and the remainder of the packet is contained
1084  *  within additional M_DATA message blocks linked to the first
1085  *  message block.
1086  *
1087  */
1088 static boolean_t
1089 xnf_send_one(xnf_t *xnfp, mblk_t *mp)
1090 {
1091 	struct xnf_buffer_desc	*xmitbuf;
1092 	struct tx_pktinfo	*txp_info;
1093 	mblk_t			*mptr;
1094 	ddi_dma_cookie_t	dma_cookie;
1095 	RING_IDX		slot;
1096 	int			length = 0, i, pktlen = 0, rc, tx_id;
1097 	int			tx_ring_freespace, page_oops;
1098 	uint_t			ncookies;
1099 	volatile netif_tx_request_t	*txrp;
1100 	caddr_t			bufaddr;
1101 	grant_ref_t		ref;
1102 	unsigned long		mfn;
1103 	uint32_t		pflags;
1104 	domid_t			oeid;
1105 
1106 #ifdef XNF_DEBUG
1107 	if (xnfdebug & XNF_DEBUG_SEND)
1108 		printf("xnf%d send(0x%p, 0x%p)\n",
1109 		    ddi_get_instance(xnfp->xnf_devinfo),
1110 		    (void *)xnfp, (void *)mp);
1111 #endif
1112 
1113 	ASSERT(mp != NULL);
1114 	ASSERT(mp->b_next == NULL);
1115 	ASSERT(MUTEX_HELD(&xnfp->xnf_txlock));
1116 
1117 	tx_ring_freespace = xnf_clean_tx_ring(xnfp);
1118 	ASSERT(tx_ring_freespace >= 0);
1119 
1120 	oeid = xvdi_get_oeid(xnfp->xnf_devinfo);
1121 	xnfp->xnf_stat_tx_attempt++;
1122 	/*
1123 	 * If there are no xmit ring slots available, return.
1124 	 */
1125 	if (tx_ring_freespace == 0) {
1126 		xnfp->xnf_stat_tx_defer++;
1127 		return (B_FALSE);	/* Send should be retried */
1128 	}
1129 
1130 	slot = xnfp->xnf_tx_ring.req_prod_pvt;
1131 	/* Count the number of mblks in message and compute packet size */
1132 	for (i = 0, mptr = mp; mptr != NULL; mptr = mptr->b_cont, i++)
1133 		pktlen += (mptr->b_wptr - mptr->b_rptr);
1134 
1135 	/* Make sure packet isn't too large */
1136 	if (pktlen > XNF_FRAMESIZE) {
1137 		cmn_err(CE_WARN, "xnf%d: oversized packet (%d bytes) dropped",
1138 		    ddi_get_instance(xnfp->xnf_devinfo), pktlen);
1139 		freemsg(mp);
1140 		return (B_TRUE);
1141 	}
1142 
1143 	/*
1144 	 * Test if we cross a page boundary with our buffer
1145 	 */
1146 	page_oops = (i == 1) &&
1147 	    (xnf_btop((size_t)mp->b_rptr) !=
1148 	    xnf_btop((size_t)(mp->b_rptr + pktlen)));
1149 	/*
1150 	 * XXPV - unfortunately, the Xen virtual net device currently
1151 	 * doesn't support multiple packet frags, so this will always
1152 	 * end up doing the pullup if we got more than one packet.
1153 	 */
1154 	if (i > xnf_max_tx_frags || page_oops) {
1155 		if (page_oops)
1156 			xnfp->xnf_stat_tx_pagebndry++;
1157 		if ((xmitbuf = xnf_pullupmsg(xnfp, mp)) == NULL) {
1158 			/* could not allocate resources? */
1159 #ifdef XNF_DEBUG
1160 			cmn_err(CE_WARN, "xnf%d: pullupmsg failed",
1161 			    ddi_get_instance(xnfp->xnf_devinfo));
1162 #endif
1163 			xnfp->xnf_stat_tx_defer++;
1164 			return (B_FALSE);	/* Retry send */
1165 		}
1166 		bufaddr = xmitbuf->buf;
1167 	} else {
1168 		xmitbuf = NULL;
1169 		bufaddr = (caddr_t)mp->b_rptr;
1170 	}
1171 
1172 	/* set up data descriptor */
1173 	length = pktlen;
1174 
1175 	/*
1176 	 * Get packet id from free list
1177 	 */
1178 	tx_id = xnfp->xnf_tx_pkt_id_list;
1179 	ASSERT(tx_id < NET_TX_RING_SIZE);
1180 	txp_info = &xnfp->xnf_tx_pkt_info[tx_id];
1181 	xnfp->xnf_tx_pkt_id_list = txp_info->id;
1182 	txp_info->id = tx_id;
1183 
1184 	/* Prepare for DMA mapping of tx buffer(s) */
1185 	rc = ddi_dma_addr_bind_handle(txp_info->dma_handle,
1186 	    NULL, bufaddr, length, DDI_DMA_WRITE | DDI_DMA_STREAMING,
1187 	    DDI_DMA_DONTWAIT, 0, &dma_cookie, &ncookies);
1188 	if (rc != DDI_DMA_MAPPED) {
1189 		ASSERT(rc != DDI_DMA_INUSE);
1190 		ASSERT(rc != DDI_DMA_PARTIAL_MAP);
1191 		/*
1192 		 *  Return id to free list
1193 		 */
1194 		txp_info->id = xnfp->xnf_tx_pkt_id_list;
1195 		xnfp->xnf_tx_pkt_id_list = tx_id;
1196 		if (rc == DDI_DMA_NORESOURCES) {
1197 			xnfp->xnf_stat_tx_defer++;
1198 			return (B_FALSE); /* Retry later */
1199 		}
1200 #ifdef XNF_DEBUG
1201 		cmn_err(CE_WARN, "xnf%d: bind_handle failed (%x)",
1202 		    ddi_get_instance(xnfp->xnf_devinfo), rc);
1203 #endif
1204 		return (B_FALSE);
1205 	}
1206 
1207 	ASSERT(ncookies == 1);
1208 	ref = gnttab_claim_grant_reference(&xnfp->xnf_gref_tx_head);
1209 	ASSERT((signed short)ref >= 0);
1210 	mfn = xnf_btop(pa_to_ma((paddr_t)dma_cookie.dmac_laddress));
1211 	gnttab_grant_foreign_access_ref(ref, oeid, mfn,
1212 	    xnfp->xnf_tx_pages_readonly);
1213 	txp_info->grant_ref = ref;
1214 	txrp = RING_GET_REQUEST(&xnfp->xnf_tx_ring, slot);
1215 	txrp->gref = ref;
1216 	txrp->size = dma_cookie.dmac_size;
1217 	txrp->offset = (uintptr_t)bufaddr & PAGEOFFSET;
1218 	txrp->id = tx_id;
1219 	txrp->flags = 0;
1220 	hcksum_retrieve(mp, NULL, NULL, NULL, NULL, NULL, NULL, &pflags);
1221 	if (pflags != 0) {
1222 		ASSERT(xnfp->xnf_cksum_offload);
1223 		/*
1224 		 * If the local protocol stack requests checksum
1225 		 * offload we set the 'checksum blank' flag,
1226 		 * indicating to the peer that we need the checksum
1227 		 * calculated for us.
1228 		 *
1229 		 * We _don't_ set the validated flag, because we haven't
1230 		 * validated that the data and the checksum match.
1231 		 */
1232 		txrp->flags |= NETTXF_csum_blank;
1233 		xnfp->xnf_stat_tx_cksum_deferred++;
1234 	}
1235 	membar_producer();
1236 	xnfp->xnf_tx_ring.req_prod_pvt = slot + 1;
1237 
1238 	txp_info->mp = mp;
1239 	txp_info->bdesc = xmitbuf;
1240 
1241 	xnfp->xnf_stat_opackets++;
1242 	xnfp->xnf_stat_obytes += pktlen;
1243 
1244 	return (B_TRUE);	/* successful transmit attempt */
1245 }
1246 
1247 mblk_t *
1248 xnf_send(void *arg, mblk_t *mp)
1249 {
1250 	xnf_t *xnfp = arg;
1251 	mblk_t *next;
1252 	boolean_t sent_something = B_FALSE;
1253 
1254 	mutex_enter(&xnfp->xnf_txlock);
1255 
1256 	/*
1257 	 * Transmission attempts should be impossible without having
1258 	 * previously called xnf_start().
1259 	 */
1260 	ASSERT(xnfp->xnf_running);
1261 
1262 	/*
1263 	 * Wait for getting connected to the backend
1264 	 */
1265 	while (!xnfp->xnf_connected) {
1266 		cv_wait(&xnfp->xnf_cv, &xnfp->xnf_txlock);
1267 	}
1268 
1269 	while (mp != NULL) {
1270 		next = mp->b_next;
1271 		mp->b_next = NULL;
1272 
1273 		if (!xnf_send_one(xnfp, mp)) {
1274 			mp->b_next = next;
1275 			break;
1276 		}
1277 
1278 		mp = next;
1279 		sent_something = B_TRUE;
1280 	}
1281 
1282 	if (sent_something) {
1283 		boolean_t notify;
1284 
1285 		/* LINTED: constant in conditional context */
1286 		RING_PUSH_REQUESTS_AND_CHECK_NOTIFY(&xnfp->xnf_tx_ring,
1287 		    notify);
1288 		if (notify)
1289 			ec_notify_via_evtchn(xnfp->xnf_evtchn);
1290 	}
1291 
1292 	mutex_exit(&xnfp->xnf_txlock);
1293 
1294 	return (mp);
1295 }
1296 
1297 /*
1298  *  xnf_intr() -- ring interrupt service routine
1299  */
1300 static uint_t
1301 xnf_intr(caddr_t arg)
1302 {
1303 	xnf_t *xnfp = (xnf_t *)arg;
1304 	int tx_ring_space;
1305 
1306 	mutex_enter(&xnfp->xnf_intrlock);
1307 
1308 	/*
1309 	 * If not connected to the peer or not started by the upper
1310 	 * layers we cannot usefully handle interrupts.
1311 	 */
1312 	if (!(xnfp->xnf_connected && xnfp->xnf_running)) {
1313 		mutex_exit(&xnfp->xnf_intrlock);
1314 		xnfp->xnf_stat_unclaimed_interrupts++;
1315 		return (DDI_INTR_UNCLAIMED);
1316 	}
1317 
1318 #ifdef XNF_DEBUG
1319 	if (xnfdebug & XNF_DEBUG_INT)
1320 		printf("xnf%d intr(0x%p)\n",
1321 		    ddi_get_instance(xnfp->xnf_devinfo), (void *)xnfp);
1322 #endif
1323 	if (RING_HAS_UNCONSUMED_RESPONSES(&xnfp->xnf_rx_ring)) {
1324 		mblk_t *mp;
1325 
1326 		if (xnfp->xnf_rx_hvcopy)
1327 			mp = xnf_process_hvcopy_recv(xnfp);
1328 		else
1329 			mp = xnf_process_recv(xnfp);
1330 
1331 		if (mp != NULL)
1332 			mac_rx(xnfp->xnf_mh, xnfp->xnf_rx_handle, mp);
1333 	}
1334 
1335 	/*
1336 	 * Clean tx ring and try to start any blocked xmit streams if
1337 	 * there is now some space.
1338 	 */
1339 	mutex_enter(&xnfp->xnf_txlock);
1340 	tx_ring_space = xnf_clean_tx_ring(xnfp);
1341 	mutex_exit(&xnfp->xnf_txlock);
1342 	if (tx_ring_space > XNF_TX_FREE_THRESH) {
1343 		mutex_exit(&xnfp->xnf_intrlock);
1344 		mac_tx_update(xnfp->xnf_mh);
1345 		mutex_enter(&xnfp->xnf_intrlock);
1346 	}
1347 
1348 	xnfp->xnf_stat_interrupts++;
1349 	mutex_exit(&xnfp->xnf_intrlock);
1350 	return (DDI_INTR_CLAIMED); /* indicate that the interrupt was for us */
1351 }
1352 
1353 /*
1354  *  xnf_start() -- start the board receiving and enable interrupts.
1355  */
1356 static int
1357 xnf_start(void *arg)
1358 {
1359 	xnf_t *xnfp = arg;
1360 
1361 #ifdef XNF_DEBUG
1362 	if (xnfdebug & XNF_DEBUG_TRACE)
1363 		printf("xnf%d start(0x%p)\n",
1364 		    ddi_get_instance(xnfp->xnf_devinfo), (void *)xnfp);
1365 #endif
1366 
1367 	mutex_enter(&xnfp->xnf_intrlock);
1368 	mutex_enter(&xnfp->xnf_txlock);
1369 
1370 	/* Accept packets from above. */
1371 	xnfp->xnf_running = B_TRUE;
1372 
1373 	mutex_exit(&xnfp->xnf_txlock);
1374 	mutex_exit(&xnfp->xnf_intrlock);
1375 
1376 	return (0);
1377 }
1378 
1379 /* xnf_stop() - disable hardware */
1380 static void
1381 xnf_stop(void *arg)
1382 {
1383 	xnf_t *xnfp = arg;
1384 
1385 #ifdef XNF_DEBUG
1386 	if (xnfdebug & XNF_DEBUG_TRACE)
1387 		printf("xnf%d stop(0x%p)\n",
1388 		    ddi_get_instance(xnfp->xnf_devinfo), (void *)xnfp);
1389 #endif
1390 
1391 	mutex_enter(&xnfp->xnf_intrlock);
1392 	mutex_enter(&xnfp->xnf_txlock);
1393 
1394 	xnfp->xnf_running = B_FALSE;
1395 
1396 	mutex_exit(&xnfp->xnf_txlock);
1397 	mutex_exit(&xnfp->xnf_intrlock);
1398 }
1399 
1400 /*
1401  * Driver private functions follow
1402  */
1403 
1404 /*
1405  * Hang buffer on rx ring
1406  */
1407 static void
1408 rx_buffer_hang(xnf_t *xnfp, struct xnf_buffer_desc *bdesc)
1409 {
1410 	volatile netif_rx_request_t	*reqp;
1411 	RING_IDX			hang_ix;
1412 	grant_ref_t			ref;
1413 	domid_t				oeid;
1414 
1415 	oeid = xvdi_get_oeid(xnfp->xnf_devinfo);
1416 
1417 	ASSERT(MUTEX_HELD(&xnfp->xnf_intrlock));
1418 	reqp = RING_GET_REQUEST(&xnfp->xnf_rx_ring,
1419 	    xnfp->xnf_rx_ring.req_prod_pvt);
1420 	hang_ix = (RING_IDX) (reqp - RING_GET_REQUEST(&xnfp->xnf_rx_ring, 0));
1421 	ASSERT(xnfp->xnf_rxpkt_bufptr[hang_ix] == NULL);
1422 	if (bdesc->grant_ref == GRANT_INVALID_REF) {
1423 		ref = gnttab_claim_grant_reference(&xnfp->xnf_gref_rx_head);
1424 		ASSERT((signed short)ref >= 0);
1425 		bdesc->grant_ref = ref;
1426 		if (xnfp->xnf_rx_hvcopy) {
1427 			pfn_t pfn = xnf_btop(bdesc->buf_phys);
1428 			mfn_t mfn = pfn_to_mfn(pfn);
1429 
1430 			gnttab_grant_foreign_access_ref(ref, oeid, mfn, 0);
1431 		} else {
1432 			gnttab_grant_foreign_transfer_ref(ref, oeid, 0);
1433 		}
1434 	}
1435 	reqp->id = hang_ix;
1436 	reqp->gref = bdesc->grant_ref;
1437 	bdesc->id = hang_ix;
1438 	xnfp->xnf_rxpkt_bufptr[hang_ix] = bdesc;
1439 	membar_producer();
1440 	xnfp->xnf_rx_ring.req_prod_pvt++;
1441 }
1442 
1443 static mblk_t *
1444 xnf_process_hvcopy_recv(xnf_t *xnfp)
1445 {
1446 	netif_rx_response_t *rxpkt;
1447 	mblk_t		*mp, *head, *tail;
1448 	struct		xnf_buffer_desc *bdesc;
1449 	boolean_t	hwcsum = B_FALSE, notify, work_to_do;
1450 	size_t 		len;
1451 
1452 	/*
1453 	 * in loop over unconsumed responses, we do:
1454 	 * 1. get a response
1455 	 * 2. take corresponding buffer off recv. ring
1456 	 * 3. indicate this by setting slot to NULL
1457 	 * 4. create a new message and
1458 	 * 5. copy data in, adjust ptr
1459 	 *
1460 	 * outside loop:
1461 	 * 7. make sure no more data has arrived; kick HV
1462 	 */
1463 
1464 	head = tail = NULL;
1465 
1466 loop:
1467 	while (RING_HAS_UNCONSUMED_RESPONSES(&xnfp->xnf_rx_ring)) {
1468 
1469 		/* 1. */
1470 		rxpkt = RING_GET_RESPONSE(&xnfp->xnf_rx_ring,
1471 		    xnfp->xnf_rx_ring.rsp_cons);
1472 
1473 		DTRACE_PROBE4(got_PKT, int, (int)rxpkt->id, int,
1474 		    (int)rxpkt->offset,
1475 		    int, (int)rxpkt->flags, int, (int)rxpkt->status);
1476 
1477 		/*
1478 		 * 2.
1479 		 * Take buffer off of receive ring
1480 		 */
1481 		hwcsum = B_FALSE;
1482 		bdesc = xnfp->xnf_rxpkt_bufptr[rxpkt->id];
1483 		/* 3 */
1484 		xnfp->xnf_rxpkt_bufptr[rxpkt->id] = NULL;
1485 		ASSERT(bdesc->id == rxpkt->id);
1486 		if (rxpkt->status <= 0) {
1487 			DTRACE_PROBE4(pkt_status_negative, int, rxpkt->status,
1488 			    char *, bdesc->buf, int, rxpkt->offset,
1489 			    char *, ((char *)bdesc->buf) + rxpkt->offset);
1490 			mp = NULL;
1491 			xnfp->xnf_stat_errrx++;
1492 			if (rxpkt->status == 0)
1493 				xnfp->xnf_stat_runt++;
1494 			if (rxpkt->status == NETIF_RSP_ERROR)
1495 				xnfp->xnf_stat_mac_rcv_error++;
1496 			if (rxpkt->status == NETIF_RSP_DROPPED)
1497 				xnfp->xnf_stat_norxbuf++;
1498 			/*
1499 			 * re-hang the buffer
1500 			 */
1501 			rx_buffer_hang(xnfp, bdesc);
1502 		} else {
1503 			grant_ref_t		ref =  bdesc->grant_ref;
1504 			struct xnf_buffer_desc	*new_bdesc;
1505 			unsigned long		off = rxpkt->offset;
1506 
1507 			DTRACE_PROBE4(pkt_status_ok, int, rxpkt->status,
1508 			    char *, bdesc->buf, int, rxpkt->offset,
1509 			    char *, ((char *)bdesc->buf) + rxpkt->offset);
1510 			len = rxpkt->status;
1511 			ASSERT(off + len <= PAGEOFFSET);
1512 			if (ref == GRANT_INVALID_REF) {
1513 				mp = NULL;
1514 				new_bdesc = bdesc;
1515 				cmn_err(CE_WARN, "Bad rx grant reference %d "
1516 				    "from dom %d", ref,
1517 				    xvdi_get_oeid(xnfp->xnf_devinfo));
1518 				goto luckless;
1519 			}
1520 			/*
1521 			 * Release ref which we'll be re-claiming in
1522 			 * rx_buffer_hang().
1523 			 */
1524 			bdesc->grant_ref = GRANT_INVALID_REF;
1525 			(void) gnttab_end_foreign_access_ref(ref, 0);
1526 			gnttab_release_grant_reference(&xnfp->xnf_gref_rx_head,
1527 			    ref);
1528 			if (rxpkt->flags & NETRXF_data_validated)
1529 				hwcsum = B_TRUE;
1530 
1531 			/*
1532 			 * XXPV for the initial implementation of HVcopy,
1533 			 * create a new msg and copy in the data
1534 			 */
1535 			/* 4. */
1536 			if ((mp = allocb(len, BPRI_MED)) == NULL) {
1537 				/*
1538 				 * Couldn't get buffer to copy to,
1539 				 * drop this data, and re-hang
1540 				 * the buffer on the ring.
1541 				 */
1542 				xnfp->xnf_stat_norxbuf++;
1543 				DTRACE_PROBE(alloc_nix);
1544 			} else {
1545 				/* 5. */
1546 				DTRACE_PROBE(alloc_ok);
1547 				bcopy(bdesc->buf + off, mp->b_wptr,
1548 				    len);
1549 				mp->b_wptr += len;
1550 			}
1551 			new_bdesc = bdesc;
1552 luckless:
1553 
1554 			/* Re-hang old or hang new buffer. */
1555 			rx_buffer_hang(xnfp, new_bdesc);
1556 		}
1557 		if (mp) {
1558 			if (hwcsum) {
1559 				/*
1560 				 * See comments in xnf_process_recv().
1561 				 */
1562 
1563 				(void) hcksum_assoc(mp, NULL,
1564 				    NULL, 0, 0, 0, 0,
1565 				    HCK_FULLCKSUM |
1566 				    HCK_FULLCKSUM_OK,
1567 				    0);
1568 				xnfp->xnf_stat_rx_cksum_no_need++;
1569 			}
1570 			if (head == NULL) {
1571 				head = tail = mp;
1572 			} else {
1573 				tail->b_next = mp;
1574 				tail = mp;
1575 			}
1576 
1577 			ASSERT(mp->b_next == NULL);
1578 
1579 			xnfp->xnf_stat_ipackets++;
1580 			xnfp->xnf_stat_rbytes += len;
1581 		}
1582 
1583 		xnfp->xnf_rx_ring.rsp_cons++;
1584 
1585 		xnfp->xnf_stat_hvcopy_packet_processed++;
1586 	}
1587 
1588 	/* 7. */
1589 	/*
1590 	 * Has more data come in since we started?
1591 	 */
1592 	/* LINTED: constant in conditional context */
1593 	RING_FINAL_CHECK_FOR_RESPONSES(&xnfp->xnf_rx_ring, work_to_do);
1594 	if (work_to_do)
1595 		goto loop;
1596 
1597 	/*
1598 	 * Indicate to the backend that we have re-filled the receive
1599 	 * ring.
1600 	 */
1601 	/* LINTED: constant in conditional context */
1602 	RING_PUSH_REQUESTS_AND_CHECK_NOTIFY(&xnfp->xnf_rx_ring, notify);
1603 	if (notify)
1604 		ec_notify_via_evtchn(xnfp->xnf_evtchn);
1605 
1606 	return (head);
1607 }
1608 
1609 /* Process all queued received packets */
1610 static mblk_t *
1611 xnf_process_recv(xnf_t *xnfp)
1612 {
1613 	volatile netif_rx_response_t *rxpkt;
1614 	mblk_t *mp, *head, *tail;
1615 	struct xnf_buffer_desc *bdesc;
1616 	extern mblk_t *desballoc(unsigned char *, size_t, uint_t, frtn_t *);
1617 	boolean_t hwcsum = B_FALSE, notify, work_to_do;
1618 	size_t len;
1619 	pfn_t pfn;
1620 	long cnt;
1621 
1622 	head = tail = NULL;
1623 loop:
1624 	while (RING_HAS_UNCONSUMED_RESPONSES(&xnfp->xnf_rx_ring)) {
1625 
1626 		rxpkt = RING_GET_RESPONSE(&xnfp->xnf_rx_ring,
1627 		    xnfp->xnf_rx_ring.rsp_cons);
1628 
1629 		/*
1630 		 * Take buffer off of receive ring
1631 		 */
1632 		hwcsum = B_FALSE;
1633 		bdesc = xnfp->xnf_rxpkt_bufptr[rxpkt->id];
1634 		xnfp->xnf_rxpkt_bufptr[rxpkt->id] = NULL;
1635 		ASSERT(bdesc->id == rxpkt->id);
1636 		if (rxpkt->status <= 0) {
1637 			mp = NULL;
1638 			xnfp->xnf_stat_errrx++;
1639 			if (rxpkt->status == 0)
1640 				xnfp->xnf_stat_runt++;
1641 			if (rxpkt->status == NETIF_RSP_ERROR)
1642 				xnfp->xnf_stat_mac_rcv_error++;
1643 			if (rxpkt->status == NETIF_RSP_DROPPED)
1644 				xnfp->xnf_stat_norxbuf++;
1645 			/*
1646 			 * re-hang the buffer
1647 			 */
1648 			rx_buffer_hang(xnfp, bdesc);
1649 		} else {
1650 			grant_ref_t ref =  bdesc->grant_ref;
1651 			struct xnf_buffer_desc *new_bdesc;
1652 			unsigned long off = rxpkt->offset;
1653 			unsigned long mfn;
1654 
1655 			len = rxpkt->status;
1656 			ASSERT(off + len <= PAGEOFFSET);
1657 			if (ref == GRANT_INVALID_REF) {
1658 				mp = NULL;
1659 				new_bdesc = bdesc;
1660 				cmn_err(CE_WARN, "Bad rx grant reference %d "
1661 				    "from dom %d", ref,
1662 				    xvdi_get_oeid(xnfp->xnf_devinfo));
1663 				goto luckless;
1664 			}
1665 			bdesc->grant_ref = GRANT_INVALID_REF;
1666 			mfn = gnttab_end_foreign_transfer_ref(ref);
1667 			ASSERT(mfn != MFN_INVALID);
1668 			ASSERT(hat_getpfnum(kas.a_hat, bdesc->buf) ==
1669 			    PFN_INVALID);
1670 
1671 			gnttab_release_grant_reference(&xnfp->xnf_gref_rx_head,
1672 			    ref);
1673 			reassign_pfn(xnf_btop(bdesc->buf_phys), mfn);
1674 			hat_devload(kas.a_hat, bdesc->buf, PAGESIZE,
1675 			    xnf_btop(bdesc->buf_phys),
1676 			    PROT_READ | PROT_WRITE, HAT_LOAD);
1677 			balloon_drv_added(1);
1678 
1679 			if (rxpkt->flags & NETRXF_data_validated)
1680 				hwcsum = B_TRUE;
1681 			if (len <= xnf_rx_bcopy_thresh) {
1682 				/*
1683 				 * For small buffers, just copy the data
1684 				 * and send the copy upstream.
1685 				 */
1686 				new_bdesc = NULL;
1687 			} else {
1688 				/*
1689 				 * We send a pointer to this data upstream;
1690 				 * we need a new buffer to replace this one.
1691 				 */
1692 				mutex_enter(&xnfp->xnf_rx_buf_mutex);
1693 				new_bdesc = xnf_get_buffer(xnfp);
1694 				if (new_bdesc != NULL) {
1695 					xnfp->xnf_rx_bufs_outstanding++;
1696 				} else {
1697 					xnfp->xnf_stat_rx_no_ringbuf++;
1698 				}
1699 				mutex_exit(&xnfp->xnf_rx_buf_mutex);
1700 			}
1701 
1702 			if (new_bdesc == NULL) {
1703 				/*
1704 				 * Don't have a new ring buffer; bcopy the data
1705 				 * from the buffer, and preserve the
1706 				 * original buffer
1707 				 */
1708 				if ((mp = allocb(len, BPRI_MED)) == NULL) {
1709 					/*
1710 					 * Could't get buffer to copy to,
1711 					 * drop this data, and re-hang
1712 					 * the buffer on the ring.
1713 					 */
1714 					xnfp->xnf_stat_norxbuf++;
1715 				} else {
1716 					bcopy(bdesc->buf + off, mp->b_wptr,
1717 					    len);
1718 				}
1719 				/*
1720 				 * Give the buffer page back to xen
1721 				 */
1722 				pfn = xnf_btop(bdesc->buf_phys);
1723 				cnt = balloon_free_pages(1, &mfn, bdesc->buf,
1724 				    &pfn);
1725 				if (cnt != 1) {
1726 					cmn_err(CE_WARN, "unable to give a "
1727 					    "page back to the hypervisor\n");
1728 				}
1729 				new_bdesc = bdesc;
1730 			} else {
1731 				if ((mp = desballoc((unsigned char *)bdesc->buf,
1732 				    off + len, 0, (frtn_t *)bdesc)) == NULL) {
1733 					/*
1734 					 * Couldn't get mblk to pass recv data
1735 					 * up with, free the old ring buffer
1736 					 */
1737 					xnfp->xnf_stat_norxbuf++;
1738 					xnf_rcv_complete(bdesc);
1739 					goto luckless;
1740 				}
1741 				(void) ddi_dma_sync(bdesc->dma_handle,
1742 				    0, 0, DDI_DMA_SYNC_FORCPU);
1743 
1744 				mp->b_wptr += off;
1745 				mp->b_rptr += off;
1746 			}
1747 luckless:
1748 			if (mp)
1749 				mp->b_wptr += len;
1750 			/* re-hang old or hang new buffer */
1751 			rx_buffer_hang(xnfp, new_bdesc);
1752 		}
1753 		if (mp) {
1754 			if (hwcsum) {
1755 				/*
1756 				 * If the peer says that the data has
1757 				 * been validated then we declare that
1758 				 * the full checksum has been
1759 				 * verified.
1760 				 *
1761 				 * We don't look at the "checksum
1762 				 * blank" flag, and hence could have a
1763 				 * packet here that we are asserting
1764 				 * is good with a blank checksum.
1765 				 *
1766 				 * The hardware checksum offload
1767 				 * specification says that we must
1768 				 * provide the actual checksum as well
1769 				 * as an assertion that it is valid,
1770 				 * but the protocol stack doesn't
1771 				 * actually use it and some other
1772 				 * drivers don't bother, so we don't.
1773 				 * If it was necessary we could grovel
1774 				 * in the packet to find it.
1775 				 */
1776 
1777 				(void) hcksum_assoc(mp, NULL,
1778 				    NULL, 0, 0, 0, 0,
1779 				    HCK_FULLCKSUM |
1780 				    HCK_FULLCKSUM_OK,
1781 				    0);
1782 				xnfp->xnf_stat_rx_cksum_no_need++;
1783 			}
1784 			if (head == NULL) {
1785 				head = tail = mp;
1786 			} else {
1787 				tail->b_next = mp;
1788 				tail = mp;
1789 			}
1790 
1791 			ASSERT(mp->b_next == NULL);
1792 
1793 			xnfp->xnf_stat_ipackets++;
1794 			xnfp->xnf_stat_rbytes += len;
1795 		}
1796 
1797 		xnfp->xnf_rx_ring.rsp_cons++;
1798 	}
1799 
1800 	/*
1801 	 * Has more data come in since we started?
1802 	 */
1803 	/* LINTED: constant in conditional context */
1804 	RING_FINAL_CHECK_FOR_RESPONSES(&xnfp->xnf_rx_ring, work_to_do);
1805 	if (work_to_do)
1806 		goto loop;
1807 
1808 	/*
1809 	 * Indicate to the backend that we have re-filled the receive
1810 	 * ring.
1811 	 */
1812 	/* LINTED: constant in conditional context */
1813 	RING_PUSH_REQUESTS_AND_CHECK_NOTIFY(&xnfp->xnf_rx_ring, notify);
1814 	if (notify)
1815 		ec_notify_via_evtchn(xnfp->xnf_evtchn);
1816 
1817 	return (head);
1818 }
1819 
1820 /* Called when the upper layers free a message we passed upstream */
1821 static void
1822 xnf_rcv_complete(struct xnf_buffer_desc *bdesc)
1823 {
1824 	xnf_t *xnfp = bdesc->xnfp;
1825 	pfn_t pfn;
1826 	long cnt;
1827 
1828 	/* One less outstanding receive buffer */
1829 	mutex_enter(&xnfp->xnf_rx_buf_mutex);
1830 	--xnfp->xnf_rx_bufs_outstanding;
1831 	/*
1832 	 * Return buffer to the free list, unless the free list is getting
1833 	 * too large.  XXPV - this threshold may need tuning.
1834 	 */
1835 	if (xnfp->xnf_rx_descs_free < xnf_rx_bufs_lowat) {
1836 		/*
1837 		 * Unmap the page, and hand the machine page back
1838 		 * to xen so it can be re-used as a backend net buffer.
1839 		 */
1840 		pfn = xnf_btop(bdesc->buf_phys);
1841 		cnt = balloon_free_pages(1, NULL, bdesc->buf, &pfn);
1842 		if (cnt != 1) {
1843 			cmn_err(CE_WARN, "unable to give a page back to the "
1844 			    "hypervisor\n");
1845 		}
1846 
1847 		bdesc->next = xnfp->xnf_free_list;
1848 		xnfp->xnf_free_list = bdesc;
1849 		xnfp->xnf_rx_descs_free++;
1850 		mutex_exit(&xnfp->xnf_rx_buf_mutex);
1851 	} else {
1852 		/*
1853 		 * We can return everything here since we have a free buffer
1854 		 * that we have not given the backing page for back to xen.
1855 		 */
1856 		--xnfp->xnf_rx_buffer_count;
1857 		mutex_exit(&xnfp->xnf_rx_buf_mutex);
1858 		(void) ddi_dma_unbind_handle(bdesc->dma_handle);
1859 		ddi_dma_mem_free(&bdesc->acc_handle);
1860 		ddi_dma_free_handle(&bdesc->dma_handle);
1861 		kmem_free(bdesc, sizeof (*bdesc));
1862 	}
1863 }
1864 
1865 /*
1866  *  xnf_alloc_dma_resources() -- initialize the drivers structures
1867  */
1868 static int
1869 xnf_alloc_dma_resources(xnf_t *xnfp)
1870 {
1871 	dev_info_t 		*devinfo = xnfp->xnf_devinfo;
1872 	int			i;
1873 	size_t			len;
1874 	ddi_dma_cookie_t	dma_cookie;
1875 	uint_t			ncookies;
1876 	struct xnf_buffer_desc	*bdesc;
1877 	int			rc;
1878 	caddr_t			rptr;
1879 
1880 	xnfp->xnf_n_rx = NET_RX_RING_SIZE;
1881 	xnfp->xnf_max_rx_bufs = xnf_rx_bufs_hiwat;
1882 
1883 	xnfp->xnf_n_tx = NET_TX_RING_SIZE;
1884 
1885 	/*
1886 	 * The code below allocates all the DMA data structures that
1887 	 * need to be released when the driver is detached.
1888 	 *
1889 	 * First allocate handles for mapping (virtual address) pointers to
1890 	 * transmit data buffers to physical addresses
1891 	 */
1892 	for (i = 0; i < xnfp->xnf_n_tx; i++) {
1893 		if ((rc = ddi_dma_alloc_handle(devinfo,
1894 		    &tx_buffer_dma_attr, DDI_DMA_SLEEP, 0,
1895 		    &xnfp->xnf_tx_pkt_info[i].dma_handle)) != DDI_SUCCESS)
1896 			return (DDI_FAILURE);
1897 	}
1898 
1899 	/*
1900 	 * Allocate page for the transmit descriptor ring.
1901 	 */
1902 	if (ddi_dma_alloc_handle(devinfo, &ringbuf_dma_attr,
1903 	    DDI_DMA_SLEEP, 0, &xnfp->xnf_tx_ring_dma_handle) != DDI_SUCCESS)
1904 		goto alloc_error;
1905 
1906 	if (ddi_dma_mem_alloc(xnfp->xnf_tx_ring_dma_handle,
1907 	    PAGESIZE, &accattr, DDI_DMA_CONSISTENT,
1908 	    DDI_DMA_SLEEP, 0, &rptr, &len,
1909 	    &xnfp->xnf_tx_ring_dma_acchandle) != DDI_SUCCESS) {
1910 		ddi_dma_free_handle(&xnfp->xnf_tx_ring_dma_handle);
1911 		xnfp->xnf_tx_ring_dma_handle = NULL;
1912 		goto alloc_error;
1913 	}
1914 
1915 	if ((rc = ddi_dma_addr_bind_handle(xnfp->xnf_tx_ring_dma_handle, NULL,
1916 	    rptr, PAGESIZE, DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1917 	    DDI_DMA_SLEEP, 0, &dma_cookie, &ncookies)) != DDI_DMA_MAPPED) {
1918 		ddi_dma_mem_free(&xnfp->xnf_tx_ring_dma_acchandle);
1919 		ddi_dma_free_handle(&xnfp->xnf_tx_ring_dma_handle);
1920 		xnfp->xnf_tx_ring_dma_handle = NULL;
1921 		xnfp->xnf_tx_ring_dma_acchandle = NULL;
1922 		if (rc == DDI_DMA_NORESOURCES)
1923 			goto alloc_error;
1924 		else
1925 			goto error;
1926 	}
1927 
1928 	ASSERT(ncookies == 1);
1929 	bzero(rptr, PAGESIZE);
1930 	/* LINTED: constant in conditional context */
1931 	SHARED_RING_INIT((netif_tx_sring_t *)rptr);
1932 	/* LINTED: constant in conditional context */
1933 	FRONT_RING_INIT(&xnfp->xnf_tx_ring, (netif_tx_sring_t *)rptr, PAGESIZE);
1934 	xnfp->xnf_tx_ring_phys_addr = dma_cookie.dmac_laddress;
1935 
1936 	/*
1937 	 * Allocate page for the receive descriptor ring.
1938 	 */
1939 	if (ddi_dma_alloc_handle(devinfo, &ringbuf_dma_attr,
1940 	    DDI_DMA_SLEEP, 0, &xnfp->xnf_rx_ring_dma_handle) != DDI_SUCCESS)
1941 		goto alloc_error;
1942 
1943 	if (ddi_dma_mem_alloc(xnfp->xnf_rx_ring_dma_handle,
1944 	    PAGESIZE, &accattr, DDI_DMA_CONSISTENT,
1945 	    DDI_DMA_SLEEP, 0, &rptr, &len,
1946 	    &xnfp->xnf_rx_ring_dma_acchandle) != DDI_SUCCESS) {
1947 		ddi_dma_free_handle(&xnfp->xnf_rx_ring_dma_handle);
1948 		xnfp->xnf_rx_ring_dma_handle = NULL;
1949 		goto alloc_error;
1950 	}
1951 
1952 	if ((rc = ddi_dma_addr_bind_handle(xnfp->xnf_rx_ring_dma_handle, NULL,
1953 	    rptr, PAGESIZE, DDI_DMA_RDWR | DDI_DMA_CONSISTENT,
1954 	    DDI_DMA_SLEEP, 0, &dma_cookie, &ncookies)) != DDI_DMA_MAPPED) {
1955 		ddi_dma_mem_free(&xnfp->xnf_rx_ring_dma_acchandle);
1956 		ddi_dma_free_handle(&xnfp->xnf_rx_ring_dma_handle);
1957 		xnfp->xnf_rx_ring_dma_handle = NULL;
1958 		xnfp->xnf_rx_ring_dma_acchandle = NULL;
1959 		if (rc == DDI_DMA_NORESOURCES)
1960 			goto alloc_error;
1961 		else
1962 			goto error;
1963 	}
1964 
1965 	ASSERT(ncookies == 1);
1966 	bzero(rptr, PAGESIZE);
1967 	/* LINTED: constant in conditional context */
1968 	SHARED_RING_INIT((netif_rx_sring_t *)rptr);
1969 	/* LINTED: constant in conditional context */
1970 	FRONT_RING_INIT(&xnfp->xnf_rx_ring, (netif_rx_sring_t *)rptr, PAGESIZE);
1971 	xnfp->xnf_rx_ring_phys_addr = dma_cookie.dmac_laddress;
1972 
1973 	/*
1974 	 * Preallocate receive buffers for each receive descriptor.
1975 	 */
1976 
1977 	/* Set up the "free list" of receive buffer descriptors */
1978 	for (i = 0; i < xnfp->xnf_n_rx; i++) {
1979 		if ((bdesc = xnf_alloc_buffer(xnfp)) == NULL)
1980 			goto alloc_error;
1981 		bdesc->next = xnfp->xnf_free_list;
1982 		xnfp->xnf_free_list = bdesc;
1983 	}
1984 
1985 	return (DDI_SUCCESS);
1986 
1987 alloc_error:
1988 	cmn_err(CE_WARN, "xnf%d: could not allocate enough DMA memory",
1989 	    ddi_get_instance(xnfp->xnf_devinfo));
1990 error:
1991 	xnf_release_dma_resources(xnfp);
1992 	return (DDI_FAILURE);
1993 }
1994 
1995 /*
1996  * Release all DMA resources in the opposite order from acquisition
1997  * Should not be called until all outstanding esballoc buffers
1998  * have been returned.
1999  */
2000 static void
2001 xnf_release_dma_resources(xnf_t *xnfp)
2002 {
2003 	int i;
2004 
2005 	/*
2006 	 * Free receive buffers which are currently associated with
2007 	 * descriptors
2008 	 */
2009 	for (i = 0; i < xnfp->xnf_n_rx; i++) {
2010 		struct xnf_buffer_desc *bp;
2011 
2012 		if ((bp = xnfp->xnf_rxpkt_bufptr[i]) == NULL)
2013 			continue;
2014 		xnf_free_buffer(bp);
2015 		xnfp->xnf_rxpkt_bufptr[i] = NULL;
2016 	}
2017 
2018 	/* Free the receive ring buffer */
2019 	if (xnfp->xnf_rx_ring_dma_acchandle != NULL) {
2020 		(void) ddi_dma_unbind_handle(xnfp->xnf_rx_ring_dma_handle);
2021 		ddi_dma_mem_free(&xnfp->xnf_rx_ring_dma_acchandle);
2022 		ddi_dma_free_handle(&xnfp->xnf_rx_ring_dma_handle);
2023 		xnfp->xnf_rx_ring_dma_acchandle = NULL;
2024 	}
2025 	/* Free the transmit ring buffer */
2026 	if (xnfp->xnf_tx_ring_dma_acchandle != NULL) {
2027 		(void) ddi_dma_unbind_handle(xnfp->xnf_tx_ring_dma_handle);
2028 		ddi_dma_mem_free(&xnfp->xnf_tx_ring_dma_acchandle);
2029 		ddi_dma_free_handle(&xnfp->xnf_tx_ring_dma_handle);
2030 		xnfp->xnf_tx_ring_dma_acchandle = NULL;
2031 	}
2032 }
2033 
2034 static void
2035 xnf_release_mblks(xnf_t *xnfp)
2036 {
2037 	int	i;
2038 
2039 	for (i = 0; i < xnfp->xnf_n_tx; i++) {
2040 		if (xnfp->xnf_tx_pkt_info[i].mp == NULL)
2041 			continue;
2042 		freemsg(xnfp->xnf_tx_pkt_info[i].mp);
2043 		xnfp->xnf_tx_pkt_info[i].mp = NULL;
2044 		(void) ddi_dma_unbind_handle(
2045 		    xnfp->xnf_tx_pkt_info[i].dma_handle);
2046 	}
2047 }
2048 
2049 /*
2050  * Remove a xmit buffer descriptor from the head of the free list and return
2051  * a pointer to it.  If no buffers on list, attempt to allocate a new one.
2052  * Called with the tx_buf_mutex held.
2053  */
2054 static struct xnf_buffer_desc *
2055 xnf_get_tx_buffer(xnf_t *xnfp)
2056 {
2057 	struct xnf_buffer_desc *bdesc;
2058 
2059 	bdesc = xnfp->xnf_tx_free_list;
2060 	if (bdesc != NULL) {
2061 		xnfp->xnf_tx_free_list = bdesc->next;
2062 	} else {
2063 		bdesc = xnf_alloc_tx_buffer(xnfp);
2064 	}
2065 	return (bdesc);
2066 }
2067 
2068 /*
2069  * Remove a buffer descriptor from the head of the free list and return
2070  * a pointer to it.  If no buffers on list, attempt to allocate a new one.
2071  * Called with the rx_buf_mutex held.
2072  */
2073 static struct xnf_buffer_desc *
2074 xnf_get_buffer(xnf_t *xnfp)
2075 {
2076 	struct xnf_buffer_desc *bdesc;
2077 
2078 	bdesc = xnfp->xnf_free_list;
2079 	if (bdesc != NULL) {
2080 		xnfp->xnf_free_list = bdesc->next;
2081 		xnfp->xnf_rx_descs_free--;
2082 	} else {
2083 		bdesc = xnf_alloc_buffer(xnfp);
2084 	}
2085 	return (bdesc);
2086 }
2087 
2088 /*
2089  * Free a xmit buffer back to the xmit free list
2090  */
2091 static void
2092 xnf_free_tx_buffer(struct xnf_buffer_desc *bp)
2093 {
2094 	xnf_t *xnfp = bp->xnfp;
2095 
2096 	mutex_enter(&xnfp->xnf_tx_buf_mutex);
2097 	bp->next = xnfp->xnf_tx_free_list;
2098 	xnfp->xnf_tx_free_list = bp;
2099 	mutex_exit(&xnfp->xnf_tx_buf_mutex);
2100 }
2101 
2102 /*
2103  * Put a buffer descriptor onto the head of the free list.
2104  * for page-flip:
2105  * We can't really free these buffers back to the kernel
2106  * since we have given away their backing page to be used
2107  * by the back end net driver.
2108  * for hvcopy:
2109  * release all the memory
2110  */
2111 static void
2112 xnf_free_buffer(struct xnf_buffer_desc *bdesc)
2113 {
2114 	xnf_t *xnfp = bdesc->xnfp;
2115 
2116 	mutex_enter(&xnfp->xnf_rx_buf_mutex);
2117 	if (xnfp->xnf_rx_hvcopy) {
2118 		if (ddi_dma_unbind_handle(bdesc->dma_handle) != DDI_SUCCESS)
2119 			goto out;
2120 		ddi_dma_mem_free(&bdesc->acc_handle);
2121 		ddi_dma_free_handle(&bdesc->dma_handle);
2122 		kmem_free(bdesc, sizeof (*bdesc));
2123 		xnfp->xnf_rx_buffer_count--;
2124 	} else {
2125 		bdesc->next = xnfp->xnf_free_list;
2126 		xnfp->xnf_free_list = bdesc;
2127 		xnfp->xnf_rx_descs_free++;
2128 	}
2129 out:
2130 	mutex_exit(&xnfp->xnf_rx_buf_mutex);
2131 }
2132 
2133 /*
2134  * Allocate a DMA-able xmit buffer, including a structure to
2135  * keep track of the buffer.  Called with tx_buf_mutex held.
2136  */
2137 static struct xnf_buffer_desc *
2138 xnf_alloc_tx_buffer(xnf_t *xnfp)
2139 {
2140 	struct xnf_buffer_desc *bdesc;
2141 	size_t len;
2142 
2143 	if ((bdesc = kmem_zalloc(sizeof (*bdesc), KM_NOSLEEP)) == NULL)
2144 		return (NULL);
2145 
2146 	/* allocate a DMA access handle for receive buffer */
2147 	if (ddi_dma_alloc_handle(xnfp->xnf_devinfo, &tx_buffer_dma_attr,
2148 	    0, 0, &bdesc->dma_handle) != DDI_SUCCESS)
2149 		goto failure;
2150 
2151 	/* Allocate DMA-able memory for transmit buffer */
2152 	if (ddi_dma_mem_alloc(bdesc->dma_handle,
2153 	    PAGESIZE, &data_accattr, DDI_DMA_STREAMING, 0, 0,
2154 	    &bdesc->buf, &len, &bdesc->acc_handle) != DDI_SUCCESS)
2155 		goto failure_1;
2156 
2157 	bdesc->xnfp = xnfp;
2158 	xnfp->xnf_tx_buffer_count++;
2159 
2160 	return (bdesc);
2161 
2162 failure_1:
2163 	ddi_dma_free_handle(&bdesc->dma_handle);
2164 
2165 failure:
2166 	kmem_free(bdesc, sizeof (*bdesc));
2167 	return (NULL);
2168 }
2169 
2170 /*
2171  * Allocate a DMA-able receive buffer, including a structure to
2172  * keep track of the buffer.  Called with rx_buf_mutex held.
2173  */
2174 static struct xnf_buffer_desc *
2175 xnf_alloc_buffer(xnf_t *xnfp)
2176 {
2177 	struct			xnf_buffer_desc *bdesc;
2178 	size_t			len;
2179 	uint_t			ncookies;
2180 	ddi_dma_cookie_t	dma_cookie;
2181 	long			cnt;
2182 	pfn_t			pfn;
2183 
2184 	if (xnfp->xnf_rx_buffer_count >= xnfp->xnf_max_rx_bufs)
2185 		return (NULL);
2186 
2187 	if ((bdesc = kmem_zalloc(sizeof (*bdesc), KM_NOSLEEP)) == NULL)
2188 		return (NULL);
2189 
2190 	/* allocate a DMA access handle for receive buffer */
2191 	if (ddi_dma_alloc_handle(xnfp->xnf_devinfo, &rx_buffer_dma_attr,
2192 	    0, 0, &bdesc->dma_handle) != DDI_SUCCESS)
2193 		goto failure;
2194 
2195 	/* Allocate DMA-able memory for receive buffer */
2196 	if (ddi_dma_mem_alloc(bdesc->dma_handle,
2197 	    PAGESIZE, &data_accattr, DDI_DMA_STREAMING, 0, 0,
2198 	    &bdesc->buf, &len, &bdesc->acc_handle) != DDI_SUCCESS)
2199 		goto failure_1;
2200 
2201 	/* bind to virtual address of buffer to get physical address */
2202 	if (ddi_dma_addr_bind_handle(bdesc->dma_handle, NULL,
2203 	    bdesc->buf, PAGESIZE, DDI_DMA_READ | DDI_DMA_STREAMING,
2204 	    DDI_DMA_SLEEP, 0, &dma_cookie, &ncookies) != DDI_DMA_MAPPED)
2205 		goto failure_2;
2206 
2207 	bdesc->buf_phys = dma_cookie.dmac_laddress;
2208 	bdesc->xnfp = xnfp;
2209 	if (xnfp->xnf_rx_hvcopy) {
2210 		bdesc->free_rtn.free_func = xnf_copy_rcv_complete;
2211 	} else {
2212 		bdesc->free_rtn.free_func = xnf_rcv_complete;
2213 	}
2214 	bdesc->free_rtn.free_arg = (char *)bdesc;
2215 	bdesc->grant_ref = GRANT_INVALID_REF;
2216 	ASSERT(ncookies == 1);
2217 
2218 	xnfp->xnf_rx_buffer_count++;
2219 
2220 	if (!xnfp->xnf_rx_hvcopy) {
2221 		/*
2222 		 * Unmap the page, and hand the machine page back
2223 		 * to xen so it can be used as a backend net buffer.
2224 		 */
2225 		pfn = xnf_btop(bdesc->buf_phys);
2226 		cnt = balloon_free_pages(1, NULL, bdesc->buf, &pfn);
2227 		if (cnt != 1) {
2228 			cmn_err(CE_WARN, "unable to give a page back to the "
2229 			    "hypervisor\n");
2230 		}
2231 	}
2232 
2233 	return (bdesc);
2234 
2235 failure_2:
2236 	ddi_dma_mem_free(&bdesc->acc_handle);
2237 
2238 failure_1:
2239 	ddi_dma_free_handle(&bdesc->dma_handle);
2240 
2241 failure:
2242 	kmem_free(bdesc, sizeof (*bdesc));
2243 	return (NULL);
2244 }
2245 
2246 /*
2247  * Statistics.
2248  */
2249 static char *xnf_aux_statistics[] = {
2250 	"tx_cksum_deferred",
2251 	"rx_cksum_no_need",
2252 	"interrupts",
2253 	"unclaimed_interrupts",
2254 	"tx_pullup",
2255 	"tx_pagebndry",
2256 	"tx_attempt",
2257 	"rx_no_ringbuf",
2258 	"hvcopy_packet_processed",
2259 };
2260 
2261 static int
2262 xnf_kstat_aux_update(kstat_t *ksp, int flag)
2263 {
2264 	xnf_t *xnfp;
2265 	kstat_named_t *knp;
2266 
2267 	if (flag != KSTAT_READ)
2268 		return (EACCES);
2269 
2270 	xnfp = ksp->ks_private;
2271 	knp = ksp->ks_data;
2272 
2273 	/*
2274 	 * Assignment order must match that of the names in
2275 	 * xnf_aux_statistics.
2276 	 */
2277 	(knp++)->value.ui64 = xnfp->xnf_stat_tx_cksum_deferred;
2278 	(knp++)->value.ui64 = xnfp->xnf_stat_rx_cksum_no_need;
2279 
2280 	(knp++)->value.ui64 = xnfp->xnf_stat_interrupts;
2281 	(knp++)->value.ui64 = xnfp->xnf_stat_unclaimed_interrupts;
2282 	(knp++)->value.ui64 = xnfp->xnf_stat_tx_pullup;
2283 	(knp++)->value.ui64 = xnfp->xnf_stat_tx_pagebndry;
2284 	(knp++)->value.ui64 = xnfp->xnf_stat_tx_attempt;
2285 	(knp++)->value.ui64 = xnfp->xnf_stat_rx_no_ringbuf;
2286 
2287 	(knp++)->value.ui64 = xnfp->xnf_stat_hvcopy_packet_processed;
2288 
2289 	return (0);
2290 }
2291 
2292 static boolean_t
2293 xnf_kstat_init(xnf_t *xnfp)
2294 {
2295 	int nstat = sizeof (xnf_aux_statistics) /
2296 	    sizeof (xnf_aux_statistics[0]);
2297 	char **cp = xnf_aux_statistics;
2298 	kstat_named_t *knp;
2299 
2300 	/*
2301 	 * Create and initialise kstats.
2302 	 */
2303 	if ((xnfp->xnf_kstat_aux = kstat_create("xnf",
2304 	    ddi_get_instance(xnfp->xnf_devinfo),
2305 	    "aux_statistics", "net", KSTAT_TYPE_NAMED,
2306 	    nstat, 0)) == NULL)
2307 		return (B_FALSE);
2308 
2309 	xnfp->xnf_kstat_aux->ks_private = xnfp;
2310 	xnfp->xnf_kstat_aux->ks_update = xnf_kstat_aux_update;
2311 
2312 	knp = xnfp->xnf_kstat_aux->ks_data;
2313 	while (nstat > 0) {
2314 		kstat_named_init(knp, *cp, KSTAT_DATA_UINT64);
2315 
2316 		knp++;
2317 		cp++;
2318 		nstat--;
2319 	}
2320 
2321 	kstat_install(xnfp->xnf_kstat_aux);
2322 
2323 	return (B_TRUE);
2324 }
2325 
2326 static int
2327 xnf_stat(void *arg, uint_t stat, uint64_t *val)
2328 {
2329 	xnf_t *xnfp = arg;
2330 
2331 	mutex_enter(&xnfp->xnf_intrlock);
2332 	mutex_enter(&xnfp->xnf_txlock);
2333 
2334 #define	mac_stat(q, r)				\
2335 	case (MAC_STAT_##q):			\
2336 		*val = xnfp->xnf_stat_##r;	\
2337 		break
2338 
2339 #define	ether_stat(q, r)			\
2340 	case (ETHER_STAT_##q):			\
2341 		*val = xnfp->xnf_stat_##r;	\
2342 		break
2343 
2344 	switch (stat) {
2345 
2346 	mac_stat(IPACKETS, ipackets);
2347 	mac_stat(OPACKETS, opackets);
2348 	mac_stat(RBYTES, rbytes);
2349 	mac_stat(OBYTES, obytes);
2350 	mac_stat(NORCVBUF, norxbuf);
2351 	mac_stat(IERRORS, errrx);
2352 	mac_stat(NOXMTBUF, tx_defer);
2353 
2354 	ether_stat(MACRCV_ERRORS, mac_rcv_error);
2355 	ether_stat(TOOSHORT_ERRORS, runt);
2356 
2357 	default:
2358 		mutex_exit(&xnfp->xnf_txlock);
2359 		mutex_exit(&xnfp->xnf_intrlock);
2360 
2361 		return (ENOTSUP);
2362 	}
2363 
2364 #undef mac_stat
2365 #undef ether_stat
2366 
2367 	mutex_exit(&xnfp->xnf_txlock);
2368 	mutex_exit(&xnfp->xnf_intrlock);
2369 
2370 	return (0);
2371 }
2372 
2373 /*ARGSUSED*/
2374 static void
2375 xnf_blank(void *arg, time_t ticks, uint_t count)
2376 {
2377 	/*
2378 	 * XXPV dme: blanking is not currently implemented.
2379 	 *
2380 	 * It's not obvious how to use the 'ticks' argument here.
2381 	 *
2382 	 * 'Count' might be used as an indicator of how to set
2383 	 * rsp_event when posting receive buffers to the rx_ring.  It
2384 	 * would replace the code at the tail of xnf_process_recv()
2385 	 * that simply indicates that the next completed packet should
2386 	 * cause an interrupt.
2387 	 */
2388 }
2389 
2390 static void
2391 xnf_resources(void *arg)
2392 {
2393 	xnf_t *xnfp = arg;
2394 	mac_rx_fifo_t mrf;
2395 
2396 	mrf.mrf_type = MAC_RX_FIFO;
2397 	mrf.mrf_blank = xnf_blank;
2398 	mrf.mrf_arg = (void *)xnfp;
2399 	mrf.mrf_normal_blank_time = 128;	/* XXPV dme: see xnf_blank() */
2400 	mrf.mrf_normal_pkt_count = 8;		/* XXPV dme: see xnf_blank() */
2401 
2402 	xnfp->xnf_rx_handle = mac_resource_add(xnfp->xnf_mh,
2403 	    (mac_resource_t *)&mrf);
2404 }
2405 
2406 /*ARGSUSED*/
2407 static void
2408 xnf_ioctl(void *arg, queue_t *q, mblk_t *mp)
2409 {
2410 	miocnak(q, mp, 0, EINVAL);
2411 }
2412 
2413 static boolean_t
2414 xnf_getcapab(void *arg, mac_capab_t cap, void *cap_data)
2415 {
2416 	xnf_t *xnfp = arg;
2417 
2418 	switch (cap) {
2419 	case MAC_CAPAB_HCKSUM: {
2420 		uint32_t *capab = cap_data;
2421 
2422 		/*
2423 		 * We declare ourselves capable of HCKSUM_INET_PARTIAL
2424 		 * in order that the protocol stack insert the
2425 		 * pseudo-header checksum in packets that it passes
2426 		 * down to us.
2427 		 *
2428 		 * Whilst the flag used to communicate with dom0 is
2429 		 * called "NETTXF_csum_blank", the checksum in the
2430 		 * packet must contain the pseudo-header checksum and
2431 		 * not zero. (In fact, a Solaris dom0 is happy to deal
2432 		 * with a checksum of zero, but a Linux dom0 is not.)
2433 		 */
2434 		if (xnfp->xnf_cksum_offload)
2435 			*capab = HCKSUM_INET_PARTIAL;
2436 		else
2437 			*capab = 0;
2438 		break;
2439 	}
2440 
2441 	case MAC_CAPAB_POLL:
2442 		/* Just return B_TRUE. */
2443 		break;
2444 
2445 	default:
2446 		return (B_FALSE);
2447 	}
2448 
2449 	return (B_TRUE);
2450 }
2451 
2452 /*ARGSUSED*/
2453 static void
2454 oe_state_change(dev_info_t *dip, ddi_eventcookie_t id,
2455     void *arg, void *impl_data)
2456 {
2457 	xnf_t *xnfp = ddi_get_driver_private(dip);
2458 	XenbusState new_state = *(XenbusState *)impl_data;
2459 
2460 	ASSERT(xnfp != NULL);
2461 
2462 	switch (new_state) {
2463 	case XenbusStateConnected:
2464 		mutex_enter(&xnfp->xnf_intrlock);
2465 		mutex_enter(&xnfp->xnf_txlock);
2466 
2467 		xnfp->xnf_connected = B_TRUE;
2468 		cv_broadcast(&xnfp->xnf_cv);
2469 
2470 		mutex_exit(&xnfp->xnf_txlock);
2471 		mutex_exit(&xnfp->xnf_intrlock);
2472 
2473 		ec_notify_via_evtchn(xnfp->xnf_evtchn);
2474 		break;
2475 
2476 	default:
2477 		break;
2478 	}
2479 }
2480 
2481 /*
2482  * Check whether backend is capable of and willing to talk
2483  * to us via hypervisor copy, as opposed to page flip.
2484  */
2485 static boolean_t
2486 xnf_hvcopy_peer_status(dev_info_t *devinfo)
2487 {
2488 	int	be_rx_copy;
2489 	int	err;
2490 
2491 	err = xenbus_scanf(XBT_NULL, xvdi_get_oename(devinfo),
2492 	    "feature-rx-copy", "%d", &be_rx_copy);
2493 	/*
2494 	 * If we fail to read the store we assume that the key is
2495 	 * absent, implying an older domain at the far end.  Older
2496 	 * domains cannot do HV copy (we assume ..).
2497 	 */
2498 	if (err != 0)
2499 		be_rx_copy = 0;
2500 
2501 	return (be_rx_copy?B_TRUE:B_FALSE);
2502 }
2503