/******************************************************************************

 * common/grant_table.c

 *

 * Mechanism for granting foreign access to page frames, and receiving

 * page-ownership transfers.

 *

 * Copyright (c) 2005-2006 Christopher Clark

 * Copyright (c) 2004 K A Fraser

 * Copyright (c) 2005 Andrew Warfield

 * Modifications by Geoffrey Lefebvre are (c) Intel Research Cambridge

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 2 of the License, or

 * (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; If not, see <http://www.gnu.org/licenses/>.

 */

#include <xen/err.h>

#include <xen/iocap.h>

#include <xen/lib.h>

#include <xen/sched.h>

#include <xen/mm.h>

#include <xen/event.h>

#include <xen/trace.h>

#include <xen/grant_table.h>

#include <xen/guest_access.h>

#include <xen/domain_page.h>

#include <xen/iommu.h>

#include <xen/paging.h>

#include <xen/keyhandler.h>

#include <xen/vmap.h>

#include <xsm/xsm.h>

#include <asm/flushtlb.h>

/* Per-domain grant information. */

struct grant_table {

    /*

     * Lock protecting updates to grant table state (version, active

     * entry list, etc.)

     */

    percpu_rwlock_t       lock;

    /* Lock protecting the maptrack limit */

    spinlock_t            maptrack_lock;

    /*

     * The defined versions are 1 and 2.  Set to 0 if we don't know

     * what version to use yet.

     */

    unsigned int          gt_version;

    /* Resource limits of the domain. */

    unsigned int          max_grant_frames;

    unsigned int          max_maptrack_frames;

    /* Table size. Number of frames shared with guest */

    unsigned int          nr_grant_frames;

    /* Number of grant status frames shared with guest (for version 2) */

    unsigned int          nr_status_frames;

    /* Number of available maptrack entries. */

    unsigned int          maptrack_limit;

    /* Shared grant table (see include/public/grant_table.h). */

    union {

        void **shared_raw;

        struct grant_entry_v1 **shared_v1;

        union grant_entry_v2 **shared_v2;

    };

    /* State grant table (see include/public/grant_table.h). */

    grant_status_t       **status;

    /* Active grant table. */

    struct active_grant_entry **active;

    /* Mapping tracking table per vcpu. */

    struct grant_mapping **maptrack;

    /* Domain to which this struct grant_table belongs. */

    const struct domain *domain;

    struct grant_table_arch arch;

};

#ifndef DEFAULT_MAX_NR_GRANT_FRAMES /* to allow arch to override */

/* Default maximum size of a grant table. [POLICY] */

#define DEFAULT_MAX_NR_GRANT_FRAMES   64

#endif

static unsigned int __read_mostly max_grant_frames =

                                               DEFAULT_MAX_NR_GRANT_FRAMES;

integer_runtime_param("gnttab_max_frames", max_grant_frames);

#define DEFAULT_MAX_MAPTRACK_FRAMES 1024

static unsigned int __read_mostly max_maptrack_frames =

                                               DEFAULT_MAX_MAPTRACK_FRAMES;

integer_runtime_param("gnttab_max_maptrack_frames", max_maptrack_frames);

/*

 * Note that the three values below are effectively part of the ABI, even if

 * we don't need to make them a formal part of it: A guest suspended for

 * migration in the middle of a continuation would fail to work if resumed on

 * a hypervisor using different values.

 */

#define GNTTABOP_CONTINUATION_ARG_SHIFT 12

#define GNTTABOP_CMD_MASK               ((1<<GNTTABOP_CONTINUATION_ARG_SHIFT)-1)

#define GNTTABOP_ARG_MASK               (~GNTTABOP_CMD_MASK)

/*

 * The first two members of a grant entry are updated as a combined pair.

 * The following union allows that to happen in an endian-neutral fashion.

 */

union grant_combo {

    uint32_t word;

    struct {

        uint16_t flags;

        domid_t  domid;

    } shorts;

};

/* Used to share code between unmap_grant_ref and unmap_and_replace. */

struct gnttab_unmap_common {

    /* Input */

    uint64_t host_addr;

    uint64_t dev_bus_addr;

    uint64_t new_addr;

    grant_handle_t handle;

    /* Return */

    int16_t status;

    /* Shared state beteen *_unmap and *_unmap_complete */

    uint16_t done;

    unsigned long frame;

    struct domain *rd;

    grant_ref_t ref;

};

/* Number of unmap operations that are done between each tlb flush */

#define GNTTAB_UNMAP_BATCH_SIZE 32

#define PIN_FAIL(_lbl, _rc, _f, _a...)          \

    do {                                        \

        gdprintk(XENLOG_WARNING, _f, ## _a );   \

        rc = (_rc);                             \

        goto _lbl;                              \

    } while ( 0 )

/*

 * Tracks a mapping of another domain's grant reference. Each domain has a

 * table of these, indexes into which are returned as a 'mapping handle'.

 */

struct grant_mapping {

    grant_ref_t ref;        /* grant ref */

    uint16_t flags;         /* 0-4: GNTMAP_* ; 5-15: unused */

    domid_t  domid;         /* granting domain */

    uint32_t vcpu;          /* vcpu which created the grant mapping */

    uint32_t pad;           /* round size to a power of 2 */

};

/* Number of grant table frames. Caller must hold d's grant table lock. */

static inline unsigned int nr_grant_frames(const struct grant_table *gt)

{

    return gt->nr_grant_frames;

}

/* Number of status grant table frames. Caller must hold d's gr. table lock.*/

static inline unsigned int nr_status_frames(const struct grant_table *gt)

{

    return gt->nr_status_frames;

}

#define MAPTRACK_PER_PAGE (PAGE_SIZE / sizeof(struct grant_mapping))

#define maptrack_entry(t, e) \

    ((t)->maptrack[(e)/MAPTRACK_PER_PAGE][(e)%MAPTRACK_PER_PAGE])

static inline unsigned int

nr_maptrack_frames(struct grant_table *t)

{

    return t->maptrack_limit / MAPTRACK_PER_PAGE;

}

#define MAPTRACK_TAIL (~0u)

#define SHGNT_PER_PAGE_V1 (PAGE_SIZE / sizeof(grant_entry_v1_t))

#define shared_entry_v1(t, e) \

    ((t)->shared_v1[(e)/SHGNT_PER_PAGE_V1][(e)%SHGNT_PER_PAGE_V1])

#define SHGNT_PER_PAGE_V2 (PAGE_SIZE / sizeof(grant_entry_v2_t))

#define shared_entry_v2(t, e) \

    ((t)->shared_v2[(e)/SHGNT_PER_PAGE_V2][(e)%SHGNT_PER_PAGE_V2])

#define STGNT_PER_PAGE (PAGE_SIZE / sizeof(grant_status_t))

#define status_entry(t, e) \

    ((t)->status[(e)/STGNT_PER_PAGE][(e)%STGNT_PER_PAGE])

static grant_entry_header_t *

shared_entry_header(struct grant_table *t, grant_ref_t ref)

{

    ASSERT(t->gt_version != 0);

    if ( t->gt_version == 1 )

        return (grant_entry_header_t*)&shared_entry_v1(t, ref);

    else

        return &shared_entry_v2(t, ref).hdr;

}

/* Active grant entry - used for shadowing GTF_permit_access grants. */

struct active_grant_entry {

    uint32_t      pin;    /* Reference count information:             */

                          /* Count of writable host-CPU mappings.     */

#define GNTPIN_hstw_shift    0

#define GNTPIN_hstw_inc      (1U << GNTPIN_hstw_shift)

#define GNTPIN_hstw_mask     (0xFFU << GNTPIN_hstw_shift)

                          /* Count of read-only host-CPU mappings.    */

#define GNTPIN_hstr_shift    8

#define GNTPIN_hstr_inc      (1U << GNTPIN_hstr_shift)

#define GNTPIN_hstr_mask     (0xFFU << GNTPIN_hstr_shift)

                          /* Count of writable device-bus mappings.   */

#define GNTPIN_devw_shift    16

#define GNTPIN_devw_inc      (1U << GNTPIN_devw_shift)

#define GNTPIN_devw_mask     (0xFFU << GNTPIN_devw_shift)

                          /* Count of read-only device-bus mappings.  */

#define GNTPIN_devr_shift    24

#define GNTPIN_devr_inc      (1U << GNTPIN_devr_shift)

#define GNTPIN_devr_mask     (0xFFU << GNTPIN_devr_shift)

    domid_t       domid;  /* Domain being granted access.             */

    unsigned int  start:15; /* For sub-page grants, the start offset

                               in the page.                           */

    bool          is_sub_page:1; /* True if this is a sub-page grant. */

    unsigned int  length:16; /* For sub-page grants, the length of the

                                grant.                                */

    grant_ref_t   trans_gref;

    struct domain *trans_domain;

    unsigned long frame;  /* Frame being granted.                     */

#ifndef NDEBUG

    gfn_t         gfn;    /* Guest's idea of the frame being granted. */

#endif

    spinlock_t    lock;      /* lock to protect access of this entry.

                                see docs/misc/grant-tables.txt for

                                locking protocol                      */

};

#define ACGNT_PER_PAGE (PAGE_SIZE / sizeof(struct active_grant_entry))

#define _active_entry(t, e) \

    ((t)->active[(e)/ACGNT_PER_PAGE][(e)%ACGNT_PER_PAGE])

static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn)

{

#ifndef NDEBUG

    act->gfn = gfn;

#endif

}

static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock);

static inline void grant_read_lock(struct grant_table *gt)

{

    percpu_read_lock(grant_rwlock, &gt->lock);

}

static inline void grant_read_unlock(struct grant_table *gt)

{

    percpu_read_unlock(grant_rwlock, &gt->lock);

}

static inline void grant_write_lock(struct grant_table *gt)

{

    percpu_write_lock(grant_rwlock, &gt->lock);

}

static inline void grant_write_unlock(struct grant_table *gt)

{

    percpu_write_unlock(grant_rwlock, &gt->lock);

}

static inline void gnttab_flush_tlb(const struct domain *d)

{

    if ( !paging_mode_external(d) )

        flush_tlb_mask(d->domain_dirty_cpumask);

}

static inline unsigned int

num_act_frames_from_sha_frames(const unsigned int num)

{

    /*

     * How many frames are needed for the active grant table,

     * given the size of the shared grant table?

     */

    unsigned int sha_per_page = PAGE_SIZE / sizeof(grant_entry_v1_t);

    return DIV_ROUND_UP(num * sha_per_page, ACGNT_PER_PAGE);

}

#define max_nr_active_grant_frames(gt) \

    num_act_frames_from_sha_frames((gt)->max_grant_frames)

static inline unsigned int

nr_active_grant_frames(struct grant_table *gt)

{

    return num_act_frames_from_sha_frames(nr_grant_frames(gt));

}

static inline struct active_grant_entry *

active_entry_acquire(struct grant_table *t, grant_ref_t e)

{

    struct active_grant_entry *act;

    /*

     * The grant table for the active entry should be locked but the

     * percpu rwlock cannot be checked for read lock without race conditions

     * or high overhead so we cannot use an ASSERT

     *

     *   ASSERT(rw_is_locked(&t->lock));

     */

    act = &_active_entry(t, e);

    spin_lock(&act->lock);

    return act;

}

static inline void active_entry_release(struct active_grant_entry *act)

{

    spin_unlock(&act->lock);

}

#define GRANT_STATUS_PER_PAGE (PAGE_SIZE / sizeof(grant_status_t))

#define GRANT_PER_PAGE (PAGE_SIZE / sizeof(grant_entry_v2_t))

/* Number of grant table status entries. Caller must hold d's gr. table lock.*/

static inline unsigned int grant_to_status_frames(unsigned int grant_frames)

{

    return DIV_ROUND_UP(grant_frames * GRANT_PER_PAGE, GRANT_STATUS_PER_PAGE);

}

/* Check if the page has been paged out, or needs unsharing.

   If rc == GNTST_okay, *page contains the page struct with a ref taken.

   Caller must do put_page(*page).

   If any error, *page = NULL, *frame = INVALID_MFN, no ref taken. */

static int get_paged_frame(unsigned long gfn, unsigned long *frame,

                           struct page_info **page, bool readonly,

                           struct domain *rd)

{

    int rc = GNTST_okay;

    p2m_type_t p2mt;

    *frame = mfn_x(INVALID_MFN);

    *page = get_page_from_gfn(rd, gfn, &p2mt,

                              readonly ? P2M_ALLOC : P2M_UNSHARE);

    if ( !*page )

    {

#ifdef P2M_SHARED_TYPES

        if ( p2m_is_shared(p2mt) )

            return GNTST_eagain;

#endif

#ifdef P2M_PAGES_TYPES

        if ( p2m_is_paging(p2mt) )

        {

            p2m_mem_paging_populate(rd, gfn);

            return GNTST_eagain;

        }

#endif

        return GNTST_bad_page;

    }

    if ( p2m_is_foreign(p2mt) )

    {

        put_page(*page);

        *page = NULL;

        return GNTST_bad_page;

    }

    *frame = page_to_mfn(*page);

    return rc;

}

static inline void

double_gt_lock(struct grant_table *lgt, struct grant_table *rgt)

{

    /*

     * See mapkind() for why the write lock is also required for the

     * remote domain.

     */

    if ( lgt < rgt )

    {

        grant_write_lock(lgt);

        grant_write_lock(rgt);

    }

    else

    {

        if ( lgt != rgt )

            grant_write_lock(rgt);

        grant_write_lock(lgt);

    }

}

static inline void

double_gt_unlock(struct grant_table *lgt, struct grant_table *rgt)

{

    grant_write_unlock(lgt);

    if ( lgt != rgt )

        grant_write_unlock(rgt);

}

#define INVALID_MAPTRACK_HANDLE UINT_MAX

static inline grant_handle_t

_get_maptrack_handle(struct grant_table *t, struct vcpu *v)

{

    unsigned int head, next, prev_head;

    spin_lock(&v->maptrack_freelist_lock);

    do {

        /* No maptrack pages allocated for this VCPU yet? */

        head = read_atomic(&v->maptrack_head);

        if ( unlikely(head == MAPTRACK_TAIL) )

        {

            spin_unlock(&v->maptrack_freelist_lock);

            return INVALID_MAPTRACK_HANDLE;

        }

        /*

         * Always keep one entry in the free list to make it easier to

         * add free entries to the tail.

         */

        next = read_atomic(&maptrack_entry(t, head).ref);

        if ( unlikely(next == MAPTRACK_TAIL) )

        {

            spin_unlock(&v->maptrack_freelist_lock);

            return INVALID_MAPTRACK_HANDLE;

        }

        prev_head = head;

        head = cmpxchg(&v->maptrack_head, prev_head, next);

    } while ( head != prev_head );

    spin_unlock(&v->maptrack_freelist_lock);

    return head;

}

/*

 * Try to "steal" a free maptrack entry from another VCPU.

 *

 * A stolen entry is transferred to the thief, so the number of

 * entries for each VCPU should tend to the usage pattern.

 *

 * To avoid having to atomically count the number of free entries on

 * each VCPU and to avoid two VCPU repeatedly stealing entries from

 * each other, the initial victim VCPU is selected randomly.

 */

static grant_handle_t steal_maptrack_handle(struct grant_table *t,

                                            const struct vcpu *curr)

{

    const struct domain *currd = curr->domain;

    unsigned int first, i;

    /* Find an initial victim. */

    first = i = get_random() % currd->max_vcpus;

    do {

        if ( currd->vcpu[i] )

        {

            grant_handle_t handle;

            handle = _get_maptrack_handle(t, currd->vcpu[i]);

            if ( handle != INVALID_MAPTRACK_HANDLE )

            {

                maptrack_entry(t, handle).vcpu = curr->vcpu_id;

                return handle;

            }

        }

        i++;

        if ( i == currd->max_vcpus )

            i = 0;

    } while ( i != first );

    /* No free handles on any VCPU. */

    return INVALID_MAPTRACK_HANDLE;

}

static inline void

put_maptrack_handle(

    struct grant_table *t, grant_handle_t handle)

{

    struct domain *currd = current->domain;

    struct vcpu *v;

    unsigned int prev_tail, cur_tail;

    /* 1. Set entry to be a tail. */

    maptrack_entry(t, handle).ref = MAPTRACK_TAIL;

    /* 2. Add entry to the tail of the list on the original VCPU. */

    v = currd->vcpu[maptrack_entry(t, handle).vcpu];

    spin_lock(&v->maptrack_freelist_lock);

    cur_tail = read_atomic(&v->maptrack_tail);

    do {

        prev_tail = cur_tail;

        cur_tail = cmpxchg(&v->maptrack_tail, prev_tail, handle);

    } while ( cur_tail != prev_tail );

    /* 3. Update the old tail entry to point to the new entry. */

    write_atomic(&maptrack_entry(t, prev_tail).ref, handle);

    spin_unlock(&v->maptrack_freelist_lock);

}

static inline grant_handle_t

get_maptrack_handle(

    struct grant_table *lgt)

{

    struct vcpu          *curr = current;

    unsigned int          i, head;

    grant_handle_t        handle;

    struct grant_mapping *new_mt = NULL;

    handle = _get_maptrack_handle(lgt, curr);

    if ( likely(handle != INVALID_MAPTRACK_HANDLE) )

        return handle;

    spin_lock(&lgt->maptrack_lock);

    /*

     * If we've run out of handles and still have frame headroom, try

     * allocating a new maptrack frame.  If there is no headroom, or we're

     * out of memory, try stealing an entry from another VCPU (in case the

     * guest isn't mapping across its VCPUs evenly).

     */

    if ( nr_maptrack_frames(lgt) < lgt->max_maptrack_frames )

        new_mt = alloc_xenheap_page();

    if ( !new_mt )

    {

        spin_unlock(&lgt->maptrack_lock);

        /*

         * Uninitialized free list? Steal an extra entry for the tail

         * sentinel.

         */

        if ( curr->maptrack_tail == MAPTRACK_TAIL )

        {

            handle = steal_maptrack_handle(lgt, curr);

            if ( handle == INVALID_MAPTRACK_HANDLE )

                return handle;

            spin_lock(&curr->maptrack_freelist_lock);

            maptrack_entry(lgt, handle).ref = MAPTRACK_TAIL;

            curr->maptrack_tail = handle;

            if ( curr->maptrack_head == MAPTRACK_TAIL )

                write_atomic(&curr->maptrack_head, handle);

            spin_unlock(&curr->maptrack_freelist_lock);

        }

        return steal_maptrack_handle(lgt, curr);

    }

    clear_page(new_mt);

    /*

     * Use the first new entry and add the remaining entries to the

     * head of the free list.

     */

    handle = lgt->maptrack_limit;

    for ( i = 0; i < MAPTRACK_PER_PAGE; i++ )

    {

        BUILD_BUG_ON(sizeof(new_mt->ref) < sizeof(handle));

        new_mt[i].ref = handle + i + 1;

        new_mt[i].vcpu = curr->vcpu_id;

    }

    /* Set tail directly if this is the first page for this VCPU. */

    if ( curr->maptrack_tail == MAPTRACK_TAIL )

        curr->maptrack_tail = handle + MAPTRACK_PER_PAGE - 1;

    lgt->maptrack[nr_maptrack_frames(lgt)] = new_mt;

    smp_wmb();

    lgt->maptrack_limit += MAPTRACK_PER_PAGE;

    spin_unlock(&lgt->maptrack_lock);

    spin_lock(&curr->maptrack_freelist_lock);

    do {

        new_mt[i - 1].ref = read_atomic(&curr->maptrack_head);

        head = cmpxchg(&curr->maptrack_head, new_mt[i - 1].ref, handle + 1);

    } while ( head != new_mt[i - 1].ref );

    spin_unlock(&curr->maptrack_freelist_lock);

    return handle;

}

/* Number of grant table entries. Caller must hold d's grant table lock. */

static unsigned int nr_grant_entries(struct grant_table *gt)

{

    switch ( gt->gt_version )

    {

#define f2e(nr, ver) (((nr) << PAGE_SHIFT) / sizeof(grant_entry_v##ver##_t))

    case 1:

        BUILD_BUG_ON(f2e(INITIAL_NR_GRANT_FRAMES, 1) <

                     GNTTAB_NR_RESERVED_ENTRIES);

        return f2e(nr_grant_frames(gt), 1);

    case 2:

        BUILD_BUG_ON(f2e(INITIAL_NR_GRANT_FRAMES, 2) <

                     GNTTAB_NR_RESERVED_ENTRIES);

        return f2e(nr_grant_frames(gt), 2);

#undef f2e

    }

    return 0;

}

static int _set_status_v1(domid_t  domid,

                          int readonly,

                          int mapflag,

                          grant_entry_header_t *shah,

                          struct active_grant_entry *act)

{

    int rc = GNTST_okay;

    union grant_combo scombo, prev_scombo, new_scombo;

    uint16_t mask = GTF_type_mask;

    /*

     * We bound the number of times we retry CMPXCHG on memory locations that

     * we share with a guest OS. The reason is that the guest can modify that

     * location at a higher rate than we can read-modify-CMPXCHG, so the guest

     * could cause us to livelock. There are a few cases where it is valid for

     * the guest to race our updates (e.g., to change the GTF_readonly flag),

     * so we allow a few retries before failing.

     */

    int retries = 0;

    /* if this is a grant mapping operation we should ensure GTF_sub_page

       is not set */

    if ( mapflag )

        mask |= GTF_sub_page;

    scombo.word = *(u32 *)shah;

    /*

     * This loop attempts to set the access (reading/writing) flags

     * in the grant table entry.  It tries a cmpxchg on the field

     * up to five times, and then fails under the assumption that

     * the guest is misbehaving.

     */

    for ( ; ; )

    {

        /* If not already pinned, check the grant domid and type. */

        if ( !act->pin &&

             (((scombo.shorts.flags & mask) !=

               GTF_permit_access) ||

              (scombo.shorts.domid != domid)) )

            PIN_FAIL(done, GNTST_general_error,

                     "Bad flags (%x) or dom (%d); expected d%d\n",

                     scombo.shorts.flags, scombo.shorts.domid,

                     domid);

        new_scombo = scombo;

        new_scombo.shorts.flags |= GTF_reading;

        if ( !readonly )

        {

            new_scombo.shorts.flags |= GTF_writing;

            if ( unlikely(scombo.shorts.flags & GTF_readonly) )

                PIN_FAIL(done, GNTST_general_error,

                         "Attempt to write-pin a r/o grant entry\n");

        }

        prev_scombo.word = cmpxchg((u32 *)shah,

                                   scombo.word, new_scombo.word);

        if ( likely(prev_scombo.word == scombo.word) )

            break;

        if ( retries++ == 4 )

            PIN_FAIL(done, GNTST_general_error,

                     "Shared grant entry is unstable\n");

        scombo = prev_scombo;

    }

done:

    return rc;

}

static int _set_status_v2(domid_t  domid,

                          int readonly,

                          int mapflag,

                          grant_entry_header_t *shah,

                          struct active_grant_entry *act,

                          grant_status_t *status)

{

    int      rc    = GNTST_okay;

    union grant_combo scombo;

    uint16_t flags = shah->flags;

    domid_t  id    = shah->domid;

    uint16_t mask  = GTF_type_mask;

    /* we read flags and domid in a single memory access.

       this avoids the need for another memory barrier to

       ensure access to these fields are not reordered */

    scombo.word = *(u32 *)shah;

    barrier(); /* but we still need to stop the compiler from turning

                  it back into two reads */

    flags = scombo.shorts.flags;

    id = scombo.shorts.domid;

    /* if this is a grant mapping operation we should ensure GTF_sub_page

       is not set */

    if ( mapflag )

        mask |= GTF_sub_page;

    /* If not already pinned, check the grant domid and type. */

    if ( !act->pin &&

         ( (((flags & mask) != GTF_permit_access) &&

            ((flags & mask) != GTF_transitive)) ||

          (id != domid)) )

        PIN_FAIL(done, GNTST_general_error,

                 "Bad flags (%x) or dom (%d); expected d%d, flags %x\n",

                 flags, id, domid, mask);

    if ( readonly )

    {

        *status |= GTF_reading;

    }

    else

    {

        if ( unlikely(flags & GTF_readonly) )

            PIN_FAIL(done, GNTST_general_error,

                     "Attempt to write-pin a r/o grant entry\n");

        *status |= GTF_reading | GTF_writing;

    }

    /* Make sure guest sees status update before checking if flags are

       still valid */

    smp_mb();

    scombo.word = *(u32 *)shah;

    barrier();

    flags = scombo.shorts.flags;

    id = scombo.shorts.domid;

    if ( !act->pin )

    {

        if ( (((flags & mask) != GTF_permit_access) &&

              ((flags & mask) != GTF_transitive)) ||

             (id != domid) ||

             (!readonly && (flags & GTF_readonly)) )

        {

            gnttab_clear_flag(_GTF_writing, status);

            gnttab_clear_flag(_GTF_reading, status);

            PIN_FAIL(done, GNTST_general_error,

                     "Unstable flags (%x) or dom (%d); expected d%d (r/w: %d)\n",

                     flags, id, domid, !readonly);

        }

    }

    else

    {

        if ( unlikely(flags & GTF_readonly) )

        {

            gnttab_clear_flag(_GTF_writing, status);

            PIN_FAIL(done, GNTST_general_error,

                     "Unstable grant readonly flag\n");

        }

    }

done:

    return rc;

}

static int _set_status(unsigned gt_version,

                       domid_t  domid,

                       int readonly,

                       int mapflag,

                       grant_entry_header_t *shah,

                       struct active_grant_entry *act,

                       grant_status_t *status)

{

    if ( gt_version == 1 )

        return _set_status_v1(domid, readonly, mapflag, shah, act);

    else

        return _set_status_v2(domid, readonly, mapflag, shah, act, status);

}

static int grant_map_exists(const struct domain *ld,

                            struct grant_table *rgt,

                            unsigned long mfn,

                            grant_ref_t *cur_ref)

{

    grant_ref_t ref, max_iter;

    /*

     * The remote grant table should be locked but the percpu rwlock

     * cannot be checked for read lock without race conditions or high

     * overhead so we cannot use an ASSERT

     *

     *   ASSERT(rw_is_locked(&rgt->lock));

     */

    max_iter = min(*cur_ref + (1 << GNTTABOP_CONTINUATION_ARG_SHIFT),

                   nr_grant_entries(rgt));

    for ( ref = *cur_ref; ref < max_iter; ref++ )

    {

        struct active_grant_entry *act;

        bool_t exists;

        act = active_entry_acquire(rgt, ref);

        exists = act->pin

            && act->domid == ld->domain_id

            && act->frame == mfn;

        active_entry_release(act);

        if ( exists )

            return 0;

    }

    if ( ref < nr_grant_entries(rgt) )

    {

        *cur_ref = ref;

        return 1;

    }

    return -EINVAL;

}

#define MAPKIND_READ 1

#define MAPKIND_WRITE 2

static unsigned int mapkind(

    struct grant_table *lgt, const struct domain *rd, unsigned long mfn)

{

    struct grant_mapping *map;

    grant_handle_t handle, limit = lgt->maptrack_limit;

    unsigned int kind = 0;

    /*

     * Must have the local domain's grant table write lock when

     * iterating over its maptrack entries.

     */

    ASSERT(percpu_rw_is_write_locked(&lgt->lock));

    /*

     * Must have the remote domain's grant table write lock while

     * counting its active entries.

     */

    ASSERT(percpu_rw_is_write_locked(&rd->grant_table->lock));

    smp_rmb();

    for ( handle = 0; !(kind & MAPKIND_WRITE) && handle < limit; handle++ )

    {

        map = &maptrack_entry(lgt, handle);

        if ( !(map->flags & (GNTMAP_device_map|GNTMAP_host_map)) ||

             map->domid != rd->domain_id )

            continue;

        if ( _active_entry(rd->grant_table, map->ref).frame == mfn )

            kind |= map->flags & GNTMAP_readonly ?

                    MAPKIND_READ : MAPKIND_WRITE;

    }

    return kind;

}

/*

 * Returns 0 if TLB flush / invalidate required by caller.

 * va will indicate the address to be invalidated.

 *

 * addr is _either_ a host virtual address, or the address of the pte to

 * update, as indicated by the GNTMAP_contains_pte flag.

 */

static void

map_grant_ref(

    struct gnttab_map_grant_ref *op)

{

    struct domain *ld, *rd, *owner = NULL;

    struct grant_table *lgt, *rgt;

    struct vcpu   *led;

    grant_handle_t handle;

    unsigned long  frame = 0;

    struct page_info *pg = NULL;

    int            rc = GNTST_okay;

    u32            old_pin;

    u32            act_pin;

    unsigned int   cache_flags, refcnt = 0, typecnt = 0;

    bool           host_map_created = false;

    struct active_grant_entry *act = NULL;

    struct grant_mapping *mt;

    grant_entry_header_t *shah;

    uint16_t *status;

    bool_t need_iommu;

    led = current;

    ld = led->domain;

    if ( unlikely((op->flags & (GNTMAP_device_map|GNTMAP_host_map)) == 0) )

    {

        gdprintk(XENLOG_INFO, "Bad flags in grant map op: %x\n", op->flags);

        op->status = GNTST_bad_gntref;

        return;

    }