projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xen-netback: BUG_ON in xenvif_rx_action() not catching overflow
[linux-2.6-block.git] / drivers / net / xen-netback / netback.c
CommitLineData
f942dc25
IC		 1/*
2 * Back-end of the driver for virtual network devices. This portion of the
3 * driver exports a 'unified' network-device interface that can be accessed
4 * by any operating system that implements a compatible front end. A
5 * reference front-end implementation can be found in:
6 * drivers/net/xen-netfront.c
7 *
8 * Copyright (c) 2002-2005, K A Fraser
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation; or, when distributed
13 * separately from the Linux kernel or incorporated into other
14 * software packages, subject to the following license:
15 *
16 * Permission is hereby granted, free of charge, to any person obtaining a copy
17 * of this source file (the "Software"), to deal in the Software without
18 * restriction, including without limitation the rights to use, copy, modify,
19 * merge, publish, distribute, sublicense, and/or sell copies of the Software,
20 * and to permit persons to whom the Software is furnished to do so, subject to
21 * the following conditions:
22 *
23 * The above copyright notice and this permission notice shall be included in
24 * all copies or substantial portions of the Software.
25 *
26 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
27 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
28 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
29 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
30 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
31 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
32 * IN THE SOFTWARE.
33 */
34
35#include "common.h"
36
37#include <linux/kthread.h>
38#include <linux/if_vlan.h>
39#include <linux/udp.h>
40
41#include <net/tcp.h>
42
ca981633 43#include <xen/xen.h>
f942dc25
IC		 44#include <xen/events.h>
45#include <xen/interface/memory.h>
46
47#include <asm/xen/hypercall.h>
48#include <asm/xen/page.h>
49
e1f00a69
WL		 50/* Provide an option to disable split event channels at load time as
51 * event channels are limited resource. Split event channels are
52 * enabled by default.
53 */
54bool separate_tx_rx_irq = 1;
55module_param(separate_tx_rx_irq, bool, 0644);
56
2810e5b9
WL		 57/*
58 * This is the maximum slots a skb can have. If a guest sends a skb
59 * which exceeds this limit it is considered malicious.
60 */
37641494
WL		 61#define FATAL_SKB_SLOTS_DEFAULT 20
62static unsigned int fatal_skb_slots = FATAL_SKB_SLOTS_DEFAULT;
63module_param(fatal_skb_slots, uint, 0444);
64
65/*
66 * To avoid confusion, we define XEN_NETBK_LEGACY_SLOTS_MAX indicating
67 * the maximum slots a valid packet can use. Now this value is defined
68 * to be XEN_NETIF_NR_SLOTS_MIN, which is supposed to be supported by
69 * all backend.
70 */
71#define XEN_NETBK_LEGACY_SLOTS_MAX XEN_NETIF_NR_SLOTS_MIN
2810e5b9 72
2810e5b9
WL		 73/*
74 * If head != INVALID_PENDING_RING_IDX, it means this tx request is head of
75 * one or more merged tx requests, otherwise it is the continuation of
76 * previous tx request.
77 */
b3f980bd 78static inline int pending_tx_is_head(struct xenvif *vif, RING_IDX idx)
f942dc25 79{
b3f980bd 80 return vif->pending_tx_info[idx].head != INVALID_PENDING_RING_IDX;
f942dc25
IC		 81}
82
7376419a
WL		 83static void xenvif_idx_release(struct xenvif *vif, u16 pending_idx,
84 u8 status);
85
f942dc25
IC		 86static void make_tx_response(struct xenvif *vif,
87 struct xen_netif_tx_request *txp,
88 s8 st);
b3f980bd
WL		 89
90static inline int tx_work_todo(struct xenvif *vif);
91static inline int rx_work_todo(struct xenvif *vif);
92
f942dc25
IC		 93static struct xen_netif_rx_response *make_rx_response(struct xenvif *vif,
94 u16 id,
95 s8 st,
96 u16 offset,
97 u16 size,
98 u16 flags);
99
b3f980bd 100static inline unsigned long idx_to_pfn(struct xenvif *vif,
ea066ad1 101 u16 idx)
f942dc25 102{
b3f980bd 103 return page_to_pfn(vif->mmap_pages[idx]);
f942dc25
IC		 104}
105
b3f980bd 106static inline unsigned long idx_to_kaddr(struct xenvif *vif,
ea066ad1 107 u16 idx)
f942dc25 108{
b3f980bd 109 return (unsigned long)pfn_to_kaddr(idx_to_pfn(vif, idx));
f942dc25
IC		 110}
111
2eba61d5
PD		 112/* This is a miniumum size for the linear area to avoid lots of
113 * calls to __pskb_pull_tail() as we set up checksum offsets. The
114 * value 128 was chosen as it covers all IPv4 and most likely
115 * IPv6 headers.
f942dc25 116 */
2eba61d5 117#define PKT_PROT_LEN 128
f942dc25 118
ea066ad1
IC		 119static u16 frag_get_pending_idx(skb_frag_t *frag)
120{
121 return (u16)frag->page_offset;
122}
123
124static void frag_set_pending_idx(skb_frag_t *frag, u16 pending_idx)
125{
126 frag->page_offset = pending_idx;
127}
128
f942dc25
IC		 129static inline pending_ring_idx_t pending_index(unsigned i)
130{
131 return i & (MAX_PENDING_REQS-1);
132}
133
b3f980bd 134static inline pending_ring_idx_t nr_pending_reqs(struct xenvif *vif)
f942dc25
IC		 135{
136 return MAX_PENDING_REQS -
b3f980bd 137 vif->pending_prod + vif->pending_cons;
f942dc25
IC		 138}
139
ca2f09f2 140bool xenvif_rx_ring_slots_available(struct xenvif *vif, int needed)
f942dc25 141{
ca2f09f2 142 RING_IDX prod, cons;
f942dc25 143
ca2f09f2
PD		 144 do {
145 prod = vif->rx.sring->req_prod;
146 cons = vif->rx.req_cons;
f942dc25 147
ca2f09f2
PD		 148 if (prod - cons >= needed)
149 return true;
f942dc25 150
ca2f09f2 151 vif->rx.sring->req_event = prod + 1;
f942dc25 152
ca2f09f2
PD		 153 /* Make sure event is visible before we check prod
154 * again.
155 */
156 mb();
157 } while (vif->rx.sring->req_prod != prod);
f942dc25 158
ca2f09f2 159 return false;
f942dc25
IC		 160}
161
162/*
163 * Returns true if we should start a new receive buffer instead of
164 * adding 'size' bytes to a buffer which currently contains 'offset'
165 * bytes.
166 */
167static bool start_new_rx_buffer(int offset, unsigned long size, int head)
168{
169 /* simple case: we have completely filled the current buffer. */
170 if (offset == MAX_BUFFER_OFFSET)
171 return true;
172
173 /*
174 * complex case: start a fresh buffer if the current frag
175 * would overflow the current buffer but only if:
176 * (i) this frag would fit completely in the next buffer
177 * and (ii) there is already some data in the current buffer
178 * and (iii) this is not the head buffer.
179 *
180 * Where:
181 * - (i) stops us splitting a frag into two copies
182 * unless the frag is too large for a single buffer.
183 * - (ii) stops us from leaving a buffer pointlessly empty.
184 * - (iii) stops us leaving the first buffer
185 * empty. Strictly speaking this is already covered
186 * by (ii) but is explicitly checked because
187 * netfront relies on the first buffer being
188 * non-empty and can crash otherwise.
189 *
190 * This means we will effectively linearise small
191 * frags but do not needlessly split large buffers
192 * into multiple copies tend to give large frags their
193 * own buffers as before.
194 */
0576eddf
PD		 195 BUG_ON(size > MAX_BUFFER_OFFSET);
196 if ((offset + size > MAX_BUFFER_OFFSET) && offset && !head)
f942dc25
IC		 197 return true;
198
199 return false;
200}
201
f942dc25
IC		 202struct netrx_pending_operations {
203 unsigned copy_prod, copy_cons;
204 unsigned meta_prod, meta_cons;
205 struct gnttab_copy *copy;
b3f980bd 206 struct xenvif_rx_meta *meta;
f942dc25
IC		 207 int copy_off;
208 grant_ref_t copy_gref;
209};
210
b3f980bd
WL		 211static struct xenvif_rx_meta *get_next_rx_buffer(struct xenvif *vif,
212 struct netrx_pending_operations *npo)
f942dc25 213{
b3f980bd 214 struct xenvif_rx_meta *meta;
f942dc25
IC		 215 struct xen_netif_rx_request *req;
216
217 req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++);
218
219 meta = npo->meta + npo->meta_prod++;
82cada22 220 meta->gso_type = XEN_NETIF_GSO_TYPE_NONE;
f942dc25
IC		 221 meta->gso_size = 0;
222 meta->size = 0;
223 meta->id = req->id;
224
225 npo->copy_off = 0;
226 npo->copy_gref = req->gref;
227
228 return meta;
229}
230
33bc801d
WL		 231/*
232 * Set up the grant operations for this fragment. If it's a flipping
233 * interface, we also set up the unmap request from here.
234 */
7376419a
WL		 235static void xenvif_gop_frag_copy(struct xenvif *vif, struct sk_buff *skb,
236 struct netrx_pending_operations *npo,
237 struct page *page, unsigned long size,
33bc801d 238 unsigned long offset, int *head)
f942dc25
IC		 239{
240 struct gnttab_copy *copy_gop;
b3f980bd 241 struct xenvif_rx_meta *meta;
f942dc25 242 unsigned long bytes;
5bd07670 243 int gso_type = XEN_NETIF_GSO_TYPE_NONE;
f942dc25
IC		 244
245 /* Data must not cross a page boundary. */
6a8ed462 246 BUG_ON(size + offset > PAGE_SIZE<<compound_order(page));
f942dc25
IC		 247
248 meta = npo->meta + npo->meta_prod - 1;
249
6a8ed462
IC		 250 /* Skip unused frames from start of page */
251 page += offset >> PAGE_SHIFT;
252 offset &= ~PAGE_MASK;
253
f942dc25 254 while (size > 0) {
6a8ed462 255 BUG_ON(offset >= PAGE_SIZE);
f942dc25
IC		 256 BUG_ON(npo->copy_off > MAX_BUFFER_OFFSET);
257
6a8ed462
IC		 258 bytes = PAGE_SIZE - offset;
259
260 if (bytes > size)
261 bytes = size;
262
33bc801d 263 if (start_new_rx_buffer(npo->copy_off, bytes, *head)) {
f942dc25
IC		 264 /*
265 * Netfront requires there to be some data in the head
266 * buffer.
267 */
33bc801d 268 BUG_ON(*head);
f942dc25
IC		 269
270 meta = get_next_rx_buffer(vif, npo);
271 }
272
f942dc25
IC		 273 if (npo->copy_off + bytes > MAX_BUFFER_OFFSET)
274 bytes = MAX_BUFFER_OFFSET - npo->copy_off;
275
276 copy_gop = npo->copy + npo->copy_prod++;
277 copy_gop->flags = GNTCOPY_dest_gref;
b3f980bd
WL		 278 copy_gop->len = bytes;
279
43e9d194
WL		 280 copy_gop->source.domid = DOMID_SELF;
281 copy_gop->source.u.gmfn = virt_to_mfn(page_address(page));
f942dc25 282 copy_gop->source.offset = offset;
f942dc25 283
b3f980bd 284 copy_gop->dest.domid = vif->domid;
f942dc25
IC		 285 copy_gop->dest.offset = npo->copy_off;
286 copy_gop->dest.u.ref = npo->copy_gref;
f942dc25
IC		 287
288 npo->copy_off += bytes;
289 meta->size += bytes;
290
291 offset += bytes;
292 size -= bytes;
293
6a8ed462
IC		 294 /* Next frame */
295 if (offset == PAGE_SIZE && size) {
296 BUG_ON(!PageCompound(page));
297 page++;
298 offset = 0;
299 }
300
f942dc25 301 /* Leave a gap for the GSO descriptor. */
5bd07670
AL		 302 if (skb_is_gso(skb)) {
303 if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4)
304 gso_type = XEN_NETIF_GSO_TYPE_TCPV4;
305 else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6)
306 gso_type = XEN_NETIF_GSO_TYPE_TCPV6;
307 }
82cada22
PD		 308
309 if (*head && ((1 << gso_type) & vif->gso_mask))
f942dc25
IC		 310 vif->rx.req_cons++;
311
33bc801d 312 *head = 0; /* There must be something in this buffer now. */
f942dc25
IC		 313
314 }
315}
316
317/*
318 * Prepare an SKB to be transmitted to the frontend.
319 *
320 * This function is responsible for allocating grant operations, meta
321 * structures, etc.
322 *
323 * It returns the number of meta structures consumed. The number of
324 * ring slots used is always equal to the number of meta slots used
325 * plus the number of GSO descriptors used. Currently, we use either
326 * zero GSO descriptors (for non-GSO packets) or one descriptor (for
327 * frontend-side LRO).
328 */
7376419a
WL		 329static int xenvif_gop_skb(struct sk_buff *skb,
330 struct netrx_pending_operations *npo)
f942dc25
IC		 331{
332 struct xenvif *vif = netdev_priv(skb->dev);
333 int nr_frags = skb_shinfo(skb)->nr_frags;
334 int i;
335 struct xen_netif_rx_request *req;
b3f980bd 336 struct xenvif_rx_meta *meta;
f942dc25 337 unsigned char *data;
33bc801d 338 int head = 1;
f942dc25 339 int old_meta_prod;
82cada22 340 int gso_type;
f942dc25
IC		 341
342 old_meta_prod = npo->meta_prod;
343
5bd07670
AL		 344 gso_type = XEN_NETIF_GSO_TYPE_NONE;
345 if (skb_is_gso(skb)) {
346 if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4)
347 gso_type = XEN_NETIF_GSO_TYPE_TCPV4;
348 else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6)
349 gso_type = XEN_NETIF_GSO_TYPE_TCPV6;
82cada22
PD		 350 }
351
f942dc25 352 /* Set up a GSO prefix descriptor, if necessary */
a3314f3d 353 if ((1 << gso_type) & vif->gso_prefix_mask) {
f942dc25
IC		 354 req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++);
355 meta = npo->meta + npo->meta_prod++;
82cada22 356 meta->gso_type = gso_type;
5bd07670 357 meta->gso_size = skb_shinfo(skb)->gso_size;
f942dc25
IC		 358 meta->size = 0;
359 meta->id = req->id;
360 }
361
362 req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++);
363 meta = npo->meta + npo->meta_prod++;
364
82cada22
PD		 365 if ((1 << gso_type) & vif->gso_mask) {
366 meta->gso_type = gso_type;
5bd07670 367 meta->gso_size = skb_shinfo(skb)->gso_size;
82cada22
PD		 368 } else {
369 meta->gso_type = XEN_NETIF_GSO_TYPE_NONE;
f942dc25 370 meta->gso_size = 0;
82cada22 371 }
f942dc25
IC		 372
373 meta->size = 0;
374 meta->id = req->id;
375 npo->copy_off = 0;
376 npo->copy_gref = req->gref;
377
378 data = skb->data;
379 while (data < skb_tail_pointer(skb)) {
380 unsigned int offset = offset_in_page(data);
381 unsigned int len = PAGE_SIZE - offset;
382
383 if (data + len > skb_tail_pointer(skb))
384 len = skb_tail_pointer(skb) - data;
385
7376419a 386 xenvif_gop_frag_copy(vif, skb, npo,
33bc801d 387 virt_to_page(data), len, offset, &head);
f942dc25
IC		 388 data += len;
389 }
390
391 for (i = 0; i < nr_frags; i++) {
7376419a
WL		 392 xenvif_gop_frag_copy(vif, skb, npo,
393 skb_frag_page(&skb_shinfo(skb)->frags[i]),
394 skb_frag_size(&skb_shinfo(skb)->frags[i]),
395 skb_shinfo(skb)->frags[i].page_offset,
33bc801d 396 &head);
f942dc25
IC		 397 }
398
399 return npo->meta_prod - old_meta_prod;
400}
401
402/*
7376419a 403 * This is a twin to xenvif_gop_skb. Assume that xenvif_gop_skb was
f942dc25
IC		 404 * used to set up the operations on the top of
405 * netrx_pending_operations, which have since been done. Check that
406 * they didn't give any errors and advance over them.
407 */
7376419a
WL		 408static int xenvif_check_gop(struct xenvif *vif, int nr_meta_slots,
409 struct netrx_pending_operations *npo)
f942dc25
IC		 410{
411 struct gnttab_copy *copy_op;
412 int status = XEN_NETIF_RSP_OKAY;
413 int i;
414
415 for (i = 0; i < nr_meta_slots; i++) {
416 copy_op = npo->copy + npo->copy_cons++;
417 if (copy_op->status != GNTST_okay) {
418 netdev_dbg(vif->dev,
419 "Bad status %d from copy to DOM%d.\n",
420 copy_op->status, vif->domid);
421 status = XEN_NETIF_RSP_ERROR;
422 }
423 }
424
425 return status;
426}
427
7376419a
WL		 428static void xenvif_add_frag_responses(struct xenvif *vif, int status,
429 struct xenvif_rx_meta *meta,
430 int nr_meta_slots)
f942dc25
IC		 431{
432 int i;
433 unsigned long offset;
434
435 /* No fragments used */
436 if (nr_meta_slots <= 1)
437 return;
438
439 nr_meta_slots--;
440
441 for (i = 0; i < nr_meta_slots; i++) {
442 int flags;
443 if (i == nr_meta_slots - 1)
444 flags = 0;
445 else
446 flags = XEN_NETRXF_more_data;
447
448 offset = 0;
449 make_rx_response(vif, meta[i].id, status, offset,
450 meta[i].size, flags);
451 }
452}
453
33bc801d
WL		 454struct skb_cb_overlay {
455 int meta_slots_used;
456};
457
ca2f09f2 458void xenvif_kick_thread(struct xenvif *vif)
b3f980bd
WL		 459{
460 wake_up(&vif->wq);
461}
462
ca2f09f2 463static void xenvif_rx_action(struct xenvif *vif)
f942dc25 464{
f942dc25 465 s8 status;
e1f00a69 466 u16 flags;
f942dc25
IC		 467 struct xen_netif_rx_response *resp;
468 struct sk_buff_head rxq;
469 struct sk_buff *skb;
470 LIST_HEAD(notify);
471 int ret;
f942dc25
IC		 472 unsigned long offset;
473 struct skb_cb_overlay *sco;
11b57f90 474 bool need_to_notify = false;
f942dc25
IC		 475
476 struct netrx_pending_operations npo = {
b3f980bd
WL		 477 .copy = vif->grant_copy_op,
478 .meta = vif->meta,
f942dc25
IC		 479 };
480
481 skb_queue_head_init(&rxq);
482
b3f980bd 483 while ((skb = skb_dequeue(&vif->rx_queue)) != NULL) {
9ab9831b 484 RING_IDX max_slots_needed;
1425c7a4
PD		 485 RING_IDX old_req_cons;
486 RING_IDX ring_slots_used;
ca2f09f2
PD		 487 int i;
488
489 /* We need a cheap worse case estimate for the number of
490 * slots we'll use.
491 */
492
493 max_slots_needed = DIV_ROUND_UP(offset_in_page(skb->data) +
494 skb_headlen(skb),
495 PAGE_SIZE);
496 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
497 unsigned int size;
a02eb473
PD		 498 unsigned int offset;
499
ca2f09f2 500 size = skb_frag_size(&skb_shinfo(skb)->frags[i]);
a02eb473
PD		 501 offset = skb_shinfo(skb)->frags[i].page_offset;
502
503 /* For a worse-case estimate we need to factor in
504 * the fragment page offset as this will affect the
505 * number of times xenvif_gop_frag_copy() will
506 * call start_new_rx_buffer().
507 */
508 max_slots_needed += DIV_ROUND_UP(offset + size,
509 PAGE_SIZE);
ca2f09f2 510 }
a02eb473
PD		 511
512 /* To avoid the estimate becoming too pessimal for some
513 * frontends that limit posted rx requests, cap the estimate
514 * at MAX_SKB_FRAGS.
515 */
516 if (max_slots_needed > MAX_SKB_FRAGS)
517 max_slots_needed = MAX_SKB_FRAGS;
518
519 /* We may need one more slot for GSO metadata */
5bd07670
AL		 520 if (skb_is_gso(skb) &&
521 (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4 ||
522 skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6))
ca2f09f2
PD		 523 max_slots_needed++;
524
525 /* If the skb may not fit then bail out now */
526 if (!xenvif_rx_ring_slots_available(vif, max_slots_needed)) {
527 skb_queue_head(&vif->rx_queue, skb);
11b57f90 528 need_to_notify = true;
9ab9831b 529 vif->rx_last_skb_slots = max_slots_needed;
ca2f09f2 530 break;
9ab9831b
ZK		 531 } else
532 vif->rx_last_skb_slots = 0;
f942dc25
IC		 533
534 sco = (struct skb_cb_overlay *)skb->cb;
1425c7a4
PD		 535
536 old_req_cons = vif->rx.req_cons;
7376419a 537 sco->meta_slots_used = xenvif_gop_skb(skb, &npo);
1425c7a4
PD		 538 ring_slots_used = vif->rx.req_cons - old_req_cons;
539
540 BUG_ON(ring_slots_used > max_slots_needed);
f942dc25
IC		 541
542 __skb_queue_tail(&rxq, skb);
f942dc25
IC		 543 }
544
b3f980bd 545 BUG_ON(npo.meta_prod > ARRAY_SIZE(vif->meta));
f942dc25
IC		 546
547 if (!npo.copy_prod)
ca2f09f2 548 goto done;
f942dc25 549
ac3d5ac2 550 BUG_ON(npo.copy_prod > MAX_GRANT_COPY_OPS);
b3f980bd 551 gnttab_batch_copy(vif->grant_copy_op, npo.copy_prod);
f942dc25
IC		 552
553 while ((skb = __skb_dequeue(&rxq)) != NULL) {
554 sco = (struct skb_cb_overlay *)skb->cb;
555
82cada22
PD		 556 if ((1 << vif->meta[npo.meta_cons].gso_type) &
557 vif->gso_prefix_mask) {
f942dc25 558 resp = RING_GET_RESPONSE(&vif->rx,
b3f980bd 559 vif->rx.rsp_prod_pvt++);
f942dc25
IC		 560
561 resp->flags = XEN_NETRXF_gso_prefix | XEN_NETRXF_more_data;
562
b3f980bd
WL		 563 resp->offset = vif->meta[npo.meta_cons].gso_size;
564 resp->id = vif->meta[npo.meta_cons].id;
f942dc25
IC		 565 resp->status = sco->meta_slots_used;
566
567 npo.meta_cons++;
568 sco->meta_slots_used--;
569 }
570
571
572 vif->dev->stats.tx_bytes += skb->len;
573 vif->dev->stats.tx_packets++;
574
7376419a 575 status = xenvif_check_gop(vif, sco->meta_slots_used, &npo);
f942dc25
IC		 576
577 if (sco->meta_slots_used == 1)
578 flags = 0;
579 else
580 flags = XEN_NETRXF_more_data;
581
582 if (skb->ip_summed == CHECKSUM_PARTIAL) /* local packet? */
583 flags |= XEN_NETRXF_csum_blank | XEN_NETRXF_data_validated;
584 else if (skb->ip_summed == CHECKSUM_UNNECESSARY)
585 /* remote but checksummed. */
586 flags |= XEN_NETRXF_data_validated;
587
588 offset = 0;
b3f980bd 589 resp = make_rx_response(vif, vif->meta[npo.meta_cons].id,
f942dc25 590 status, offset,
b3f980bd 591 vif->meta[npo.meta_cons].size,
f942dc25
IC		 592 flags);
593
82cada22
PD		 594 if ((1 << vif->meta[npo.meta_cons].gso_type) &
595 vif->gso_mask) {
f942dc25
IC		 596 struct xen_netif_extra_info *gso =
597 (struct xen_netif_extra_info *)
598 RING_GET_RESPONSE(&vif->rx,
599 vif->rx.rsp_prod_pvt++);
600
601 resp->flags |= XEN_NETRXF_extra_info;
602
82cada22 603 gso->u.gso.type = vif->meta[npo.meta_cons].gso_type;
b3f980bd 604 gso->u.gso.size = vif->meta[npo.meta_cons].gso_size;
f942dc25
IC		 605 gso->u.gso.pad = 0;
606 gso->u.gso.features = 0;
607
608 gso->type = XEN_NETIF_EXTRA_TYPE_GSO;
609 gso->flags = 0;
610 }
611
7376419a
WL		 612 xenvif_add_frag_responses(vif, status,
613 vif->meta + npo.meta_cons + 1,
614 sco->meta_slots_used);
f942dc25
IC		 615
616 RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&vif->rx, ret);
f942dc25 617
11b57f90 618 need_to_notify |= !!ret;
b3f980bd 619
f942dc25
IC		 620 npo.meta_cons += sco->meta_slots_used;
621 dev_kfree_skb(skb);
622 }
623
ca2f09f2 624done:
b3f980bd 625 if (need_to_notify)
e1f00a69 626 notify_remote_via_irq(vif->rx_irq);
f942dc25
IC		 627}
628
7376419a 629void xenvif_check_rx_xenvif(struct xenvif *vif)
f942dc25
IC		 630{
631 int more_to_do;
632
633 RING_FINAL_CHECK_FOR_REQUESTS(&vif->tx, more_to_do);
634
635 if (more_to_do)
b3f980bd 636 napi_schedule(&vif->napi);
f942dc25
IC		 637}
638
639static void tx_add_credit(struct xenvif *vif)
640{
641 unsigned long max_burst, max_credit;
642
643 /*
644 * Allow a burst big enough to transmit a jumbo packet of up to 128kB.
645 * Otherwise the interface can seize up due to insufficient credit.
646 */
647 max_burst = RING_GET_REQUEST(&vif->tx, vif->tx.req_cons)->size;
648 max_burst = min(max_burst, 131072UL);
649 max_burst = max(max_burst, vif->credit_bytes);
650
651 /* Take care that adding a new chunk of credit doesn't wrap to zero. */
652 max_credit = vif->remaining_credit + vif->credit_bytes;
653 if (max_credit < vif->remaining_credit)
654 max_credit = ULONG_MAX; /* wrapped: clamp to ULONG_MAX */
655
656 vif->remaining_credit = min(max_credit, max_burst);
657}
658
659static void tx_credit_callback(unsigned long data)
660{
661 struct xenvif *vif = (struct xenvif *)data;
662 tx_add_credit(vif);
7376419a 663 xenvif_check_rx_xenvif(vif);
f942dc25
IC		 664}
665
7376419a
WL		 666static void xenvif_tx_err(struct xenvif *vif,
667 struct xen_netif_tx_request *txp, RING_IDX end)
f942dc25
IC		 668{
669 RING_IDX cons = vif->tx.req_cons;
670
671 do {
672 make_tx_response(vif, txp, XEN_NETIF_RSP_ERROR);
b9149729 673 if (cons == end)
f942dc25
IC		 674 break;
675 txp = RING_GET_REQUEST(&vif->tx, cons++);
676 } while (1);
677 vif->tx.req_cons = cons;
f942dc25
IC		 678}
679
7376419a 680static void xenvif_fatal_tx_err(struct xenvif *vif)
48856286
IC		 681{
682 netdev_err(vif->dev, "fatal error; disabling device\n");
683 xenvif_carrier_off(vif);
48856286
IC		 684}
685
7376419a
WL		 686static int xenvif_count_requests(struct xenvif *vif,
687 struct xen_netif_tx_request *first,
688 struct xen_netif_tx_request *txp,
689 int work_to_do)
f942dc25
IC		 690{
691 RING_IDX cons = vif->tx.req_cons;
2810e5b9
WL		 692 int slots = 0;
693 int drop_err = 0;
59ccb4eb 694 int more_data;
f942dc25
IC		 695
696 if (!(first->flags & XEN_NETTXF_more_data))
697 return 0;
698
699 do {
59ccb4eb
WL		 700 struct xen_netif_tx_request dropped_tx = { 0 };
701
2810e5b9
WL		 702 if (slots >= work_to_do) {
703 netdev_err(vif->dev,
704 "Asked for %d slots but exceeds this limit\n",
705 work_to_do);
7376419a 706 xenvif_fatal_tx_err(vif);
35876b5f 707 return -ENODATA;
f942dc25
IC		 708 }
709
2810e5b9
WL		 710 /* This guest is really using too many slots and
711 * considered malicious.
712 */
37641494 713 if (unlikely(slots >= fatal_skb_slots)) {
2810e5b9
WL		 714 netdev_err(vif->dev,
715 "Malicious frontend using %d slots, threshold %u\n",
37641494 716 slots, fatal_skb_slots);
7376419a 717 xenvif_fatal_tx_err(vif);
35876b5f 718 return -E2BIG;
f942dc25
IC		 719 }
720
2810e5b9 721 /* Xen network protocol had implicit dependency on
37641494
WL		 722 * MAX_SKB_FRAGS. XEN_NETBK_LEGACY_SLOTS_MAX is set to
723 * the historical MAX_SKB_FRAGS value 18 to honor the
724 * same behavior as before. Any packet using more than
725 * 18 slots but less than fatal_skb_slots slots is
726 * dropped
2810e5b9 727 */
37641494 728 if (!drop_err && slots >= XEN_NETBK_LEGACY_SLOTS_MAX) {
2810e5b9
WL		 729 if (net_ratelimit())
730 netdev_dbg(vif->dev,
731 "Too many slots (%d) exceeding limit (%d), dropping packet\n",
37641494 732 slots, XEN_NETBK_LEGACY_SLOTS_MAX);
2810e5b9
WL		 733 drop_err = -E2BIG;
734 }
735
59ccb4eb
WL		 736 if (drop_err)
737 txp = &dropped_tx;
738
2810e5b9 739 memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots),
f942dc25 740 sizeof(*txp));
03393fd5
WL		 741
742 /* If the guest submitted a frame >= 64 KiB then
743 * first->size overflowed and following slots will
744 * appear to be larger than the frame.
745 *
746 * This cannot be fatal error as there are buggy
747 * frontends that do this.
748 *
749 * Consume all slots and drop the packet.
750 */
751 if (!drop_err && txp->size > first->size) {
752 if (net_ratelimit())
753 netdev_dbg(vif->dev,
754 "Invalid tx request, slot size %u > remaining size %u\n",
755 txp->size, first->size);
756 drop_err = -EIO;
f942dc25
IC		 757 }
758
759 first->size -= txp->size;
2810e5b9 760 slots++;
f942dc25
IC		 761
762 if (unlikely((txp->offset + txp->size) > PAGE_SIZE)) {
2810e5b9 763 netdev_err(vif->dev, "Cross page boundary, txp->offset: %x, size: %u\n",
f942dc25 764 txp->offset, txp->size);
7376419a 765 xenvif_fatal_tx_err(vif);
35876b5f 766 return -EINVAL;
f942dc25 767 }
59ccb4eb
WL		 768
769 more_data = txp->flags & XEN_NETTXF_more_data;
770
771 if (!drop_err)
772 txp++;
773
774 } while (more_data);
2810e5b9
WL		 775
776 if (drop_err) {
7376419a 777 xenvif_tx_err(vif, first, cons + slots);
2810e5b9
WL		 778 return drop_err;
779 }
780
781 return slots;
f942dc25
IC		 782}
783
7376419a
WL		 784static struct page *xenvif_alloc_page(struct xenvif *vif,
785 u16 pending_idx)
f942dc25
IC		 786{
787 struct page *page;
b3f980bd
WL		 788
789 page = alloc_page(GFP_ATOMIC|__GFP_COLD);
f942dc25
IC		 790 if (!page)
791 return NULL;
b3f980bd
WL		 792 vif->mmap_pages[pending_idx] = page;
793
f942dc25
IC		 794 return page;
795}
796
7376419a
WL		 797static struct gnttab_copy *xenvif_get_requests(struct xenvif *vif,
798 struct sk_buff *skb,
799 struct xen_netif_tx_request *txp,
800 struct gnttab_copy *gop)
f942dc25
IC		 801{
802 struct skb_shared_info *shinfo = skb_shinfo(skb);
803 skb_frag_t *frags = shinfo->frags;
ea066ad1 804 u16 pending_idx = *((u16 *)skb->data);
2810e5b9
WL		 805 u16 head_idx = 0;
806 int slot, start;
807 struct page *page;
808 pending_ring_idx_t index, start_idx = 0;
809 uint16_t dst_offset;
810 unsigned int nr_slots;
811 struct pending_tx_info *first = NULL;
812
813 /* At this point shinfo->nr_frags is in fact the number of
37641494 814 * slots, which can be as large as XEN_NETBK_LEGACY_SLOTS_MAX.
2810e5b9
WL		 815 */
816 nr_slots = shinfo->nr_frags;
f942dc25
IC		 817
818 /* Skip first skb fragment if it is on same page as header fragment. */
ea066ad1 819 start = (frag_get_pending_idx(&shinfo->frags[0]) == pending_idx);
f942dc25 820
2810e5b9
WL		 821 /* Coalesce tx requests, at this point the packet passed in
822 * should be <= 64K. Any packets larger than 64K have been
7376419a 823 * handled in xenvif_count_requests().
2810e5b9
WL		 824 */
825 for (shinfo->nr_frags = slot = start; slot < nr_slots;
826 shinfo->nr_frags++) {
f942dc25 827 struct pending_tx_info *pending_tx_info =
b3f980bd 828 vif->pending_tx_info;
f942dc25 829
b3f980bd 830 page = alloc_page(GFP_ATOMIC|__GFP_COLD);
f942dc25 831 if (!page)
4cc7c1cb 832 goto err;
f942dc25 833
2810e5b9
WL		 834 dst_offset = 0;
835 first = NULL;
836 while (dst_offset < PAGE_SIZE && slot < nr_slots) {
837 gop->flags = GNTCOPY_source_gref;
838
839 gop->source.u.ref = txp->gref;
840 gop->source.domid = vif->domid;
841 gop->source.offset = txp->offset;
842
843 gop->dest.domid = DOMID_SELF;
844
845 gop->dest.offset = dst_offset;
846 gop->dest.u.gmfn = virt_to_mfn(page_address(page));
847
848 if (dst_offset + txp->size > PAGE_SIZE) {
849 /* This page can only merge a portion
850 * of tx request. Do not increment any
851 * pointer / counter here. The txp
852 * will be dealt with in future
853 * rounds, eventually hitting the
854 * `else` branch.
855 */
856 gop->len = PAGE_SIZE - dst_offset;
857 txp->offset += gop->len;
858 txp->size -= gop->len;
859 dst_offset += gop->len; /* quit loop */
860 } else {
861 /* This tx request can be merged in the page */
862 gop->len = txp->size;
863 dst_offset += gop->len;
864
b3f980bd 865 index = pending_index(vif->pending_cons++);
2810e5b9 866
b3f980bd 867 pending_idx = vif->pending_ring[index];
2810e5b9
WL		 868
869 memcpy(&pending_tx_info[pending_idx].req, txp,
870 sizeof(*txp));
2810e5b9
WL		 871
872 /* Poison these fields, corresponding
873 * fields for head tx req will be set
874 * to correct values after the loop.
875 */
b3f980bd 876 vif->mmap_pages[pending_idx] = (void *)(~0UL);
2810e5b9
WL		 877 pending_tx_info[pending_idx].head =
878 INVALID_PENDING_RING_IDX;
879
880 if (!first) {
881 first = &pending_tx_info[pending_idx];
882 start_idx = index;
883 head_idx = pending_idx;
884 }
885
886 txp++;
887 slot++;
888 }
f942dc25 889
2810e5b9
WL		 890 gop++;
891 }
f942dc25 892
2810e5b9
WL		 893 first->req.offset = 0;
894 first->req.size = dst_offset;
895 first->head = start_idx;
b3f980bd 896 vif->mmap_pages[head_idx] = page;
2810e5b9 897 frag_set_pending_idx(&frags[shinfo->nr_frags], head_idx);
f942dc25
IC		 898 }
899
2810e5b9
WL		 900 BUG_ON(shinfo->nr_frags > MAX_SKB_FRAGS);
901
f942dc25 902 return gop;
4cc7c1cb
IC		 903err:
904 /* Unwind, freeing all pages and sending error responses. */
2810e5b9 905 while (shinfo->nr_frags-- > start) {
7376419a 906 xenvif_idx_release(vif,
2810e5b9
WL		 907 frag_get_pending_idx(&frags[shinfo->nr_frags]),
908 XEN_NETIF_RSP_ERROR);
4cc7c1cb
IC		 909 }
910 /* The head too, if necessary. */
911 if (start)
7376419a 912 xenvif_idx_release(vif, pending_idx, XEN_NETIF_RSP_ERROR);
4cc7c1cb
IC		 913
914 return NULL;
f942dc25
IC		 915}
916
7376419a
WL		 917static int xenvif_tx_check_gop(struct xenvif *vif,
918 struct sk_buff *skb,
919 struct gnttab_copy **gopp)
f942dc25
IC		 920{
921 struct gnttab_copy *gop = *gopp;
ea066ad1 922 u16 pending_idx = *((u16 *)skb->data);
f942dc25 923 struct skb_shared_info *shinfo = skb_shinfo(skb);
2810e5b9 924 struct pending_tx_info *tx_info;
f942dc25
IC		 925 int nr_frags = shinfo->nr_frags;
926 int i, err, start;
2810e5b9 927 u16 peek; /* peek into next tx request */
f942dc25
IC		 928
929 /* Check status of header. */
930 err = gop->status;
7d5145d8 931 if (unlikely(err))
7376419a 932 xenvif_idx_release(vif, pending_idx, XEN_NETIF_RSP_ERROR);
f942dc25
IC		 933
934 /* Skip first skb fragment if it is on same page as header fragment. */
ea066ad1 935 start = (frag_get_pending_idx(&shinfo->frags[0]) == pending_idx);
f942dc25
IC		 936
937 for (i = start; i < nr_frags; i++) {
938 int j, newerr;
2810e5b9 939 pending_ring_idx_t head;
f942dc25 940
ea066ad1 941 pending_idx = frag_get_pending_idx(&shinfo->frags[i]);
b3f980bd 942 tx_info = &vif->pending_tx_info[pending_idx];
2810e5b9 943 head = tx_info->head;
f942dc25
IC		 944
945 /* Check error status: if okay then remember grant handle. */
2810e5b9
WL		 946 do {
947 newerr = (++gop)->status;
948 if (newerr)
949 break;
b3f980bd
WL		 950 peek = vif->pending_ring[pending_index(++head)];
951 } while (!pending_tx_is_head(vif, peek));
2810e5b9 952
f942dc25
IC		 953 if (likely(!newerr)) {
954 /* Had a previous error? Invalidate this fragment. */
955 if (unlikely(err))
7376419a
WL		 956 xenvif_idx_release(vif, pending_idx,
957 XEN_NETIF_RSP_OKAY);
f942dc25
IC		 958 continue;
959 }
960
961 /* Error on this fragment: respond to client with an error. */
7376419a 962 xenvif_idx_release(vif, pending_idx, XEN_NETIF_RSP_ERROR);
f942dc25
IC		 963
964 /* Not the first error? Preceding frags already invalidated. */
965 if (err)
966 continue;
967
968 /* First error: invalidate header and preceding fragments. */
969 pending_idx = *((u16 *)skb->data);
7376419a 970 xenvif_idx_release(vif, pending_idx, XEN_NETIF_RSP_OKAY);
f942dc25 971 for (j = start; j < i; j++) {
5ccb3ea7 972 pending_idx = frag_get_pending_idx(&shinfo->frags[j]);
7376419a
WL		 973 xenvif_idx_release(vif, pending_idx,
974 XEN_NETIF_RSP_OKAY);
f942dc25
IC		 975 }
976
977 /* Remember the error: invalidate all subsequent fragments. */
978 err = newerr;
979 }
980
981 *gopp = gop + 1;
982 return err;
983}
984
7376419a 985static void xenvif_fill_frags(struct xenvif *vif, struct sk_buff *skb)
f942dc25
IC		 986{
987 struct skb_shared_info *shinfo = skb_shinfo(skb);
988 int nr_frags = shinfo->nr_frags;
989 int i;
990
991 for (i = 0; i < nr_frags; i++) {
992 skb_frag_t *frag = shinfo->frags + i;
993 struct xen_netif_tx_request *txp;
ea066ad1
IC		 994 struct page *page;
995 u16 pending_idx;
f942dc25 996
ea066ad1 997 pending_idx = frag_get_pending_idx(frag);
f942dc25 998
b3f980bd
WL		 999 txp = &vif->pending_tx_info[pending_idx].req;
1000 page = virt_to_page(idx_to_kaddr(vif, pending_idx));
ea066ad1 1001 __skb_fill_page_desc(skb, i, page, txp->offset, txp->size);
f942dc25
IC		 1002 skb->len += txp->size;
1003 skb->data_len += txp->size;
1004 skb->truesize += txp->size;
1005
7376419a 1006 /* Take an extra reference to offset xenvif_idx_release */
b3f980bd 1007 get_page(vif->mmap_pages[pending_idx]);
7376419a 1008 xenvif_idx_release(vif, pending_idx, XEN_NETIF_RSP_OKAY);
f942dc25
IC		 1009 }
1010}
1011
7376419a 1012static int xenvif_get_extras(struct xenvif *vif,
f942dc25
IC		 1013 struct xen_netif_extra_info *extras,
1014 int work_to_do)
1015{
1016 struct xen_netif_extra_info extra;
1017 RING_IDX cons = vif->tx.req_cons;
1018
1019 do {
1020 if (unlikely(work_to_do-- <= 0)) {
48856286 1021 netdev_err(vif->dev, "Missing extra info\n");
7376419a 1022 xenvif_fatal_tx_err(vif);
f942dc25
IC		 1023 return -EBADR;
1024 }
1025
1026 memcpy(&extra, RING_GET_REQUEST(&vif->tx, cons),
1027 sizeof(extra));
1028 if (unlikely(!extra.type ||
1029 extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
1030 vif->tx.req_cons = ++cons;
48856286 1031 netdev_err(vif->dev,
f942dc25 1032 "Invalid extra type: %d\n", extra.type);
7376419a 1033 xenvif_fatal_tx_err(vif);
f942dc25
IC		 1034 return -EINVAL;
1035 }
1036
1037 memcpy(&extras[extra.type - 1], &extra, sizeof(extra));
1038 vif->tx.req_cons = ++cons;
1039 } while (extra.flags & XEN_NETIF_EXTRA_FLAG_MORE);
1040
1041 return work_to_do;
1042}
1043
7376419a
WL		 1044static int xenvif_set_skb_gso(struct xenvif *vif,
1045 struct sk_buff *skb,
1046 struct xen_netif_extra_info *gso)
f942dc25
IC		 1047{
1048 if (!gso->u.gso.size) {
48856286 1049 netdev_err(vif->dev, "GSO size must not be zero.\n");
7376419a 1050 xenvif_fatal_tx_err(vif);
f942dc25
IC		 1051 return -EINVAL;
1052 }
1053
a9468587
PD		 1054 switch (gso->u.gso.type) {
1055 case XEN_NETIF_GSO_TYPE_TCPV4:
1056 skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4;
1057 break;
1058 case XEN_NETIF_GSO_TYPE_TCPV6:
1059 skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
1060 break;
1061 default:
48856286 1062 netdev_err(vif->dev, "Bad GSO type %d.\n", gso->u.gso.type);
7376419a 1063 xenvif_fatal_tx_err(vif);
f942dc25
IC		 1064 return -EINVAL;
1065 }
1066
1067 skb_shinfo(skb)->gso_size = gso->u.gso.size;
b89587a7 1068 /* gso_segs will be calculated later */
f942dc25
IC		 1069
1070 return 0;
1071}
1072
2eba61d5
PD		 1073static int checksum_setup(struct xenvif *vif, struct sk_buff *skb)
1074{
2721637c 1075 bool recalculate_partial_csum = false;
2eba61d5
PD		 1076
1077 /* A GSO SKB must be CHECKSUM_PARTIAL. However some buggy
1078 * peers can fail to set NETRXF_csum_blank when sending a GSO
1079 * frame. In this case force the SKB to CHECKSUM_PARTIAL and
1080 * recalculate the partial checksum.
1081 */
1082 if (skb->ip_summed != CHECKSUM_PARTIAL && skb_is_gso(skb)) {
1083 vif->rx_gso_checksum_fixup++;
1084 skb->ip_summed = CHECKSUM_PARTIAL;
2721637c 1085 recalculate_partial_csum = true;
2eba61d5
PD		 1086 }
1087
1088 /* A non-CHECKSUM_PARTIAL SKB does not require setup. */
1089 if (skb->ip_summed != CHECKSUM_PARTIAL)
1090 return 0;
1091
2721637c 1092 return skb_checksum_setup(skb, recalculate_partial_csum);
2eba61d5
PD		 1093}
1094
f942dc25
IC		 1095static bool tx_credit_exceeded(struct xenvif *vif, unsigned size)
1096{
059dfa6a
WL		 1097 u64 now = get_jiffies_64();
1098 u64 next_credit = vif->credit_window_start +
f942dc25
IC		 1099 msecs_to_jiffies(vif->credit_usec / 1000);
1100
1101 /* Timer could already be pending in rare cases. */
1102 if (timer_pending(&vif->credit_timeout))
1103 return true;
1104
1105 /* Passed the point where we can replenish credit? */
059dfa6a
WL		 1106 if (time_after_eq64(now, next_credit)) {
1107 vif->credit_window_start = now;
f942dc25
IC		 1108 tx_add_credit(vif);
1109 }
1110
1111 /* Still too big to send right now? Set a callback. */
1112 if (size > vif->remaining_credit) {
1113 vif->credit_timeout.data =
1114 (unsigned long)vif;
1115 vif->credit_timeout.function =
1116 tx_credit_callback;
1117 mod_timer(&vif->credit_timeout,
1118 next_credit);
059dfa6a 1119 vif->credit_window_start = next_credit;
f942dc25
IC		 1120
1121 return true;
1122 }
1123
1124 return false;
1125}
1126
10574059 1127static unsigned xenvif_tx_build_gops(struct xenvif *vif, int budget)
f942dc25 1128{
b3f980bd 1129 struct gnttab_copy *gop = vif->tx_copy_ops, *request_gop;
f942dc25
IC		 1130 struct sk_buff *skb;
1131 int ret;
1132
b3f980bd 1133 while ((nr_pending_reqs(vif) + XEN_NETBK_LEGACY_SLOTS_MAX
10574059
PD		 1134 < MAX_PENDING_REQS) &&
1135 (skb_queue_len(&vif->tx_queue) < budget)) {
f942dc25 1136 struct xen_netif_tx_request txreq;
37641494 1137 struct xen_netif_tx_request txfrags[XEN_NETBK_LEGACY_SLOTS_MAX];
f942dc25
IC		 1138 struct page *page;
1139 struct xen_netif_extra_info extras[XEN_NETIF_EXTRA_TYPE_MAX-1];
1140 u16 pending_idx;
1141 RING_IDX idx;
1142 int work_to_do;
1143 unsigned int data_len;
1144 pending_ring_idx_t index;
1145
48856286
IC		 1146 if (vif->tx.sring->req_prod - vif->tx.req_cons >
1147 XEN_NETIF_TX_RING_SIZE) {
1148 netdev_err(vif->dev,
1149 "Impossible number of requests. "
1150 "req_prod %d, req_cons %d, size %ld\n",
1151 vif->tx.sring->req_prod, vif->tx.req_cons,
1152 XEN_NETIF_TX_RING_SIZE);
7376419a 1153 xenvif_fatal_tx_err(vif);
48856286
IC		 1154 continue;
1155 }
1156
d9601a36 1157 work_to_do = RING_HAS_UNCONSUMED_REQUESTS(&vif->tx);
b3f980bd
WL		 1158 if (!work_to_do)
1159 break;
f942dc25
IC		 1160
1161 idx = vif->tx.req_cons;
1162 rmb(); /* Ensure that we see the request before we copy it. */
1163 memcpy(&txreq, RING_GET_REQUEST(&vif->tx, idx), sizeof(txreq));
1164
1165 /* Credit-based scheduling. */
1166 if (txreq.size > vif->remaining_credit &&
b3f980bd
WL		 1167 tx_credit_exceeded(vif, txreq.size))
1168 break;
f942dc25
IC		 1169
1170 vif->remaining_credit -= txreq.size;
1171
1172 work_to_do--;
1173 vif->tx.req_cons = ++idx;
1174
1175 memset(extras, 0, sizeof(extras));
1176 if (txreq.flags & XEN_NETTXF_extra_info) {
7376419a
WL		 1177 work_to_do = xenvif_get_extras(vif, extras,
1178 work_to_do);
f942dc25 1179 idx = vif->tx.req_cons;
48856286 1180 if (unlikely(work_to_do < 0))
b3f980bd 1181 break;
f942dc25
IC		 1182 }
1183
7376419a 1184 ret = xenvif_count_requests(vif, &txreq, txfrags, work_to_do);
48856286 1185 if (unlikely(ret < 0))
b3f980bd 1186 break;
48856286 1187
f942dc25
IC		 1188 idx += ret;
1189
1190 if (unlikely(txreq.size < ETH_HLEN)) {
1191 netdev_dbg(vif->dev,
1192 "Bad packet size: %d\n", txreq.size);
7376419a 1193 xenvif_tx_err(vif, &txreq, idx);
b3f980bd 1194 break;
f942dc25
IC		 1195 }
1196
1197 /* No crossing a page as the payload mustn't fragment. */
1198 if (unlikely((txreq.offset + txreq.size) > PAGE_SIZE)) {
48856286 1199 netdev_err(vif->dev,
f942dc25
IC		 1200 "txreq.offset: %x, size: %u, end: %lu\n",
1201 txreq.offset, txreq.size,
1202 (txreq.offset&~PAGE_MASK) + txreq.size);
7376419a 1203 xenvif_fatal_tx_err(vif);
b3f980bd 1204 break;
f942dc25
IC		 1205 }
1206
b3f980bd
WL		 1207 index = pending_index(vif->pending_cons);
1208 pending_idx = vif->pending_ring[index];
f942dc25
IC		 1209
1210 data_len = (txreq.size > PKT_PROT_LEN &&
37641494 1211 ret < XEN_NETBK_LEGACY_SLOTS_MAX) ?
f942dc25
IC		 1212 PKT_PROT_LEN : txreq.size;
1213
1214 skb = alloc_skb(data_len + NET_SKB_PAD + NET_IP_ALIGN,
1215 GFP_ATOMIC | __GFP_NOWARN);
1216 if (unlikely(skb == NULL)) {
1217 netdev_dbg(vif->dev,
1218 "Can't allocate a skb in start_xmit.\n");
7376419a 1219 xenvif_tx_err(vif, &txreq, idx);
f942dc25
IC		 1220 break;
1221 }
1222
1223 /* Packets passed to netif_rx() must have some headroom. */
1224 skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
1225
1226 if (extras[XEN_NETIF_EXTRA_TYPE_GSO - 1].type) {
1227 struct xen_netif_extra_info *gso;
1228 gso = &extras[XEN_NETIF_EXTRA_TYPE_GSO - 1];
1229
7376419a
WL		 1230 if (xenvif_set_skb_gso(vif, skb, gso)) {
1231 /* Failure in xenvif_set_skb_gso is fatal. */
f942dc25 1232 kfree_skb(skb);
b3f980bd 1233 break;
f942dc25
IC		 1234 }
1235 }
1236
1237 /* XXX could copy straight to head */
7376419a 1238 page = xenvif_alloc_page(vif, pending_idx);
f942dc25
IC		 1239 if (!page) {
1240 kfree_skb(skb);
7376419a 1241 xenvif_tx_err(vif, &txreq, idx);
b3f980bd 1242 break;
f942dc25
IC		 1243 }
1244
f942dc25
IC		 1245 gop->source.u.ref = txreq.gref;
1246 gop->source.domid = vif->domid;
1247 gop->source.offset = txreq.offset;
1248
1249 gop->dest.u.gmfn = virt_to_mfn(page_address(page));
1250 gop->dest.domid = DOMID_SELF;
1251 gop->dest.offset = txreq.offset;
1252
1253 gop->len = txreq.size;
1254 gop->flags = GNTCOPY_source_gref;
1255
1256 gop++;
1257
b3f980bd 1258 memcpy(&vif->pending_tx_info[pending_idx].req,
f942dc25 1259 &txreq, sizeof(txreq));
b3f980bd 1260 vif->pending_tx_info[pending_idx].head = index;
f942dc25
IC		 1261 *((u16 *)skb->data) = pending_idx;
1262
1263 __skb_put(skb, data_len);
1264
1265 skb_shinfo(skb)->nr_frags = ret;
1266 if (data_len < txreq.size) {
1267 skb_shinfo(skb)->nr_frags++;
ea066ad1
IC		 1268 frag_set_pending_idx(&skb_shinfo(skb)->frags[0],
1269 pending_idx);
f942dc25 1270 } else {
ea066ad1
IC		 1271 frag_set_pending_idx(&skb_shinfo(skb)->frags[0],
1272 INVALID_PENDING_IDX);
f942dc25
IC		 1273 }
1274
b3f980bd 1275 vif->pending_cons++;
f942dc25 1276
7376419a 1277 request_gop = xenvif_get_requests(vif, skb, txfrags, gop);
f942dc25
IC		 1278 if (request_gop == NULL) {
1279 kfree_skb(skb);
7376419a 1280 xenvif_tx_err(vif, &txreq, idx);
b3f980bd 1281 break;
f942dc25
IC		 1282 }
1283 gop = request_gop;
1284
b3f980bd 1285 __skb_queue_tail(&vif->tx_queue, skb);
1e0b6eac 1286
f942dc25 1287 vif->tx.req_cons = idx;
f942dc25 1288
b3f980bd 1289 if ((gop-vif->tx_copy_ops) >= ARRAY_SIZE(vif->tx_copy_ops))
f942dc25
IC		 1290 break;
1291 }
1292
b3f980bd 1293 return gop - vif->tx_copy_ops;
f942dc25
IC		 1294}
1295
b3f980bd 1296
10574059 1297static int xenvif_tx_submit(struct xenvif *vif)
f942dc25 1298{
b3f980bd 1299 struct gnttab_copy *gop = vif->tx_copy_ops;
f942dc25 1300 struct sk_buff *skb;
b3f980bd 1301 int work_done = 0;
f942dc25 1302
10574059 1303 while ((skb = __skb_dequeue(&vif->tx_queue)) != NULL) {
f942dc25 1304 struct xen_netif_tx_request *txp;
f942dc25
IC		 1305 u16 pending_idx;
1306 unsigned data_len;
1307
1308 pending_idx = *((u16 *)skb->data);
b3f980bd 1309 txp = &vif->pending_tx_info[pending_idx].req;
f942dc25
IC		 1310
1311 /* Check the remap error code. */
7376419a 1312 if (unlikely(xenvif_tx_check_gop(vif, skb, &gop))) {
f942dc25
IC		 1313 netdev_dbg(vif->dev, "netback grant failed.\n");
1314 skb_shinfo(skb)->nr_frags = 0;
1315 kfree_skb(skb);
1316 continue;
1317 }
1318
1319 data_len = skb->len;
1320 memcpy(skb->data,
b3f980bd 1321 (void *)(idx_to_kaddr(vif, pending_idx)|txp->offset),
f942dc25
IC		 1322 data_len);
1323 if (data_len < txp->size) {
1324 /* Append the packet payload as a fragment. */
1325 txp->offset += data_len;
1326 txp->size -= data_len;
1327 } else {
1328 /* Schedule a response immediately. */
7376419a
WL		 1329 xenvif_idx_release(vif, pending_idx,
1330 XEN_NETIF_RSP_OKAY);
f942dc25
IC		 1331 }
1332
1333 if (txp->flags & XEN_NETTXF_csum_blank)
1334 skb->ip_summed = CHECKSUM_PARTIAL;
1335 else if (txp->flags & XEN_NETTXF_data_validated)
1336 skb->ip_summed = CHECKSUM_UNNECESSARY;
1337
7376419a 1338 xenvif_fill_frags(vif, skb);
f942dc25 1339
2eba61d5 1340 if (skb_is_nonlinear(skb) && skb_headlen(skb) < PKT_PROT_LEN) {
f942dc25
IC		 1341 int target = min_t(int, skb->len, PKT_PROT_LEN);
1342 __pskb_pull_tail(skb, target - skb_headlen(skb));
1343 }
1344
1345 skb->dev = vif->dev;
1346 skb->protocol = eth_type_trans(skb, skb->dev);
f9ca8f74 1347 skb_reset_network_header(skb);
f942dc25
IC		 1348
1349 if (checksum_setup(vif, skb)) {
1350 netdev_dbg(vif->dev,
1351 "Can't setup checksum in net_tx_action\n");
1352 kfree_skb(skb);
1353 continue;
1354 }
1355
40893fd0 1356 skb_probe_transport_header(skb, 0);
f9ca8f74 1357
b89587a7
PD		 1358 /* If the packet is GSO then we will have just set up the
1359 * transport header offset in checksum_setup so it's now
1360 * straightforward to calculate gso_segs.
1361 */
1362 if (skb_is_gso(skb)) {
1363 int mss = skb_shinfo(skb)->gso_size;
1364 int hdrlen = skb_transport_header(skb) -
1365 skb_mac_header(skb) +
1366 tcp_hdrlen(skb);
1367
1368 skb_shinfo(skb)->gso_segs =
1369 DIV_ROUND_UP(skb->len - hdrlen, mss);
1370 }
1371
f942dc25
IC		 1372 vif->dev->stats.rx_bytes += skb->len;
1373 vif->dev->stats.rx_packets++;
1374
b3f980bd
WL		 1375 work_done++;
1376
1377 netif_receive_skb(skb);
f942dc25 1378 }
b3f980bd
WL		 1379
1380 return work_done;
f942dc25
IC		 1381}
1382
1383/* Called after netfront has transmitted */
7376419a 1384int xenvif_tx_action(struct xenvif *vif, int budget)
f942dc25
IC		 1385{
1386 unsigned nr_gops;
b3f980bd 1387 int work_done;
f942dc25 1388
b3f980bd
WL		 1389 if (unlikely(!tx_work_todo(vif)))
1390 return 0;
1391
10574059 1392 nr_gops = xenvif_tx_build_gops(vif, budget);
f942dc25
IC		 1393
1394 if (nr_gops == 0)
b3f980bd
WL		 1395 return 0;
1396
1397 gnttab_batch_copy(vif->tx_copy_ops, nr_gops);
f942dc25 1398
10574059 1399 work_done = xenvif_tx_submit(vif);
f942dc25 1400
b3f980bd 1401 return work_done;
f942dc25
IC		 1402}
1403
7376419a
WL		 1404static void xenvif_idx_release(struct xenvif *vif, u16 pending_idx,
1405 u8 status)
f942dc25 1406{
f942dc25 1407 struct pending_tx_info *pending_tx_info;
2810e5b9
WL		 1408 pending_ring_idx_t head;
1409 u16 peek; /* peek into next tx request */
1410
b3f980bd 1411 BUG_ON(vif->mmap_pages[pending_idx] == (void *)(~0UL));
f942dc25
IC		 1412
1413 /* Already complete? */
b3f980bd 1414 if (vif->mmap_pages[pending_idx] == NULL)
f942dc25
IC		 1415 return;
1416
b3f980bd 1417 pending_tx_info = &vif->pending_tx_info[pending_idx];
f942dc25 1418
2810e5b9 1419 head = pending_tx_info->head;
f942dc25 1420
b3f980bd
WL		 1421 BUG_ON(!pending_tx_is_head(vif, head));
1422 BUG_ON(vif->pending_ring[pending_index(head)] != pending_idx);
f942dc25 1423
2810e5b9
WL		 1424 do {
1425 pending_ring_idx_t index;
1426 pending_ring_idx_t idx = pending_index(head);
b3f980bd 1427 u16 info_idx = vif->pending_ring[idx];
f942dc25 1428
b3f980bd 1429 pending_tx_info = &vif->pending_tx_info[info_idx];
2810e5b9
WL		 1430 make_tx_response(vif, &pending_tx_info->req, status);
1431
1432 /* Setting any number other than
1433 * INVALID_PENDING_RING_IDX indicates this slot is
1434 * starting a new packet / ending a previous packet.
1435 */
1436 pending_tx_info->head = 0;
1437
b3f980bd
WL		 1438 index = pending_index(vif->pending_prod++);
1439 vif->pending_ring[index] = vif->pending_ring[info_idx];
f942dc25 1440
b3f980bd 1441 peek = vif->pending_ring[pending_index(++head)];
2810e5b9 1442
b3f980bd 1443 } while (!pending_tx_is_head(vif, peek));
2810e5b9 1444
b3f980bd
WL		 1445 put_page(vif->mmap_pages[pending_idx]);
1446 vif->mmap_pages[pending_idx] = NULL;
f942dc25
IC		 1447}
1448
2810e5b9 1449
f942dc25
IC		 1450static void make_tx_response(struct xenvif *vif,
1451 struct xen_netif_tx_request *txp,
1452 s8 st)
1453{
1454 RING_IDX i = vif->tx.rsp_prod_pvt;
1455 struct xen_netif_tx_response *resp;
1456 int notify;
1457
1458 resp = RING_GET_RESPONSE(&vif->tx, i);
1459 resp->id = txp->id;
1460 resp->status = st;
1461
1462 if (txp->flags & XEN_NETTXF_extra_info)
1463 RING_GET_RESPONSE(&vif->tx, ++i)->status = XEN_NETIF_RSP_NULL;
1464
1465 vif->tx.rsp_prod_pvt = ++i;
1466 RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&vif->tx, notify);
1467 if (notify)
e1f00a69 1468 notify_remote_via_irq(vif->tx_irq);
f942dc25
IC		 1469}
1470
1471static struct xen_netif_rx_response *make_rx_response(struct xenvif *vif,
1472 u16 id,
1473 s8 st,
1474 u16 offset,
1475 u16 size,
1476 u16 flags)
1477{
1478 RING_IDX i = vif->rx.rsp_prod_pvt;
1479 struct xen_netif_rx_response *resp;
1480
1481 resp = RING_GET_RESPONSE(&vif->rx, i);
1482 resp->offset = offset;
1483 resp->flags = flags;
1484 resp->id = id;
1485 resp->status = (s16)size;
1486 if (st < 0)
1487 resp->status = (s16)st;
1488
1489 vif->rx.rsp_prod_pvt = ++i;
1490
1491 return resp;
1492}
1493
b3f980bd 1494static inline int rx_work_todo(struct xenvif *vif)
f942dc25 1495{
9ab9831b
ZK		 1496 return !skb_queue_empty(&vif->rx_queue) &&
1497 xenvif_rx_ring_slots_available(vif, vif->rx_last_skb_slots);
f942dc25
IC		 1498}
1499
b3f980bd 1500static inline int tx_work_todo(struct xenvif *vif)
f942dc25
IC		 1501{
1502
b3f980bd
WL		 1503 if (likely(RING_HAS_UNCONSUMED_REQUESTS(&vif->tx)) &&
1504 (nr_pending_reqs(vif) + XEN_NETBK_LEGACY_SLOTS_MAX
1505 < MAX_PENDING_REQS))
f942dc25
IC		 1506 return 1;
1507
1508 return 0;
1509}
1510
7376419a 1511void xenvif_unmap_frontend_rings(struct xenvif *vif)
f942dc25 1512{
c9d63699
DV		 1513 if (vif->tx.sring)
1514 xenbus_unmap_ring_vfree(xenvif_to_xenbus_device(vif),
1515 vif->tx.sring);
1516 if (vif->rx.sring)
1517 xenbus_unmap_ring_vfree(xenvif_to_xenbus_device(vif),
1518 vif->rx.sring);
f942dc25
IC		 1519}
1520
7376419a
WL		 1521int xenvif_map_frontend_rings(struct xenvif *vif,
1522 grant_ref_t tx_ring_ref,
1523 grant_ref_t rx_ring_ref)
f942dc25 1524{
c9d63699 1525 void *addr;
f942dc25
IC		 1526 struct xen_netif_tx_sring *txs;
1527 struct xen_netif_rx_sring *rxs;
1528
1529 int err = -ENOMEM;
1530
c9d63699
DV		 1531 err = xenbus_map_ring_valloc(xenvif_to_xenbus_device(vif),
1532 tx_ring_ref, &addr);
1533 if (err)
f942dc25
IC		 1534 goto err;
1535
c9d63699 1536 txs = (struct xen_netif_tx_sring *)addr;
f942dc25
IC		 1537 BACK_RING_INIT(&vif->tx, txs, PAGE_SIZE);
1538
c9d63699
DV		 1539 err = xenbus_map_ring_valloc(xenvif_to_xenbus_device(vif),
1540 rx_ring_ref, &addr);
1541 if (err)
f942dc25 1542 goto err;
f942dc25 1543
c9d63699 1544 rxs = (struct xen_netif_rx_sring *)addr;
f942dc25
IC		 1545 BACK_RING_INIT(&vif->rx, rxs, PAGE_SIZE);
1546
1547 return 0;
1548
1549err:
7376419a 1550 xenvif_unmap_frontend_rings(vif);
f942dc25
IC		 1551 return err;
1552}
1553
ca2f09f2
PD		 1554void xenvif_stop_queue(struct xenvif *vif)
1555{
1556 if (!vif->can_queue)
1557 return;
1558
1559 netif_stop_queue(vif->dev);
1560}
1561
1562static void xenvif_start_queue(struct xenvif *vif)
1563{
1564 if (xenvif_schedulable(vif))
1565 netif_wake_queue(vif->dev);
1566}
1567
7376419a 1568int xenvif_kthread(void *data)
b3f980bd
WL		 1569{
1570 struct xenvif *vif = data;
ca2f09f2 1571 struct sk_buff *skb;
b3f980bd
WL		 1572
1573 while (!kthread_should_stop()) {
1574 wait_event_interruptible(vif->wq,
1575 rx_work_todo(vif) ||
1576 kthread_should_stop());
1577 if (kthread_should_stop())
1578 break;
1579
ca2f09f2 1580 if (!skb_queue_empty(&vif->rx_queue))
7376419a 1581 xenvif_rx_action(vif);
b3f980bd 1582
ca2f09f2
PD		 1583 if (skb_queue_empty(&vif->rx_queue) &&
1584 netif_queue_stopped(vif->dev))
1585 xenvif_start_queue(vif);
1586
b3f980bd
WL		 1587 cond_resched();
1588 }
1589
ca2f09f2
PD		 1590 /* Bin any remaining skbs */
1591 while ((skb = skb_dequeue(&vif->rx_queue)) != NULL)
1592 dev_kfree_skb(skb);
1593
b3f980bd
WL		 1594 return 0;
1595}
1596
f942dc25
IC		 1597static int __init netback_init(void)
1598{
f942dc25 1599 int rc = 0;
f942dc25 1600
2a14b244 1601 if (!xen_domain())
f942dc25
IC		 1602 return -ENODEV;
1603
37641494 1604 if (fatal_skb_slots < XEN_NETBK_LEGACY_SLOTS_MAX) {
383eda32
JP		 1605 pr_info("fatal_skb_slots too small (%d), bump it to XEN_NETBK_LEGACY_SLOTS_MAX (%d)\n",
1606 fatal_skb_slots, XEN_NETBK_LEGACY_SLOTS_MAX);
37641494 1607 fatal_skb_slots = XEN_NETBK_LEGACY_SLOTS_MAX;
2810e5b9
WL		 1608 }
1609
f942dc25
IC		 1610 rc = xenvif_xenbus_init();
1611 if (rc)
1612 goto failed_init;
1613
1614 return 0;
1615
1616failed_init:
f942dc25 1617 return rc;
f942dc25
IC		 1618}
1619
1620module_init(netback_init);
1621
b103f358
WL		 1622static void __exit netback_fini(void)
1623{
b103f358 1624 xenvif_xenbus_fini();
b103f358
WL		 1625}
1626module_exit(netback_fini);
1627
f942dc25 1628MODULE_LICENSE("Dual BSD/GPL");
f984cec6 1629MODULE_ALIAS("xen-backend:vif");
Linux 6.x block layer and io_uring tree(s)