9 files changed, 2701 insertions, 43 deletions
diff --git a/Documentation/virtual/00-INDEX b/Documentation/virtual/00-INDEX
index fe0251c4cfb..8e601991d91 100644
--- a/Documentation/virtual/00-INDEX
+++ b/Documentation/virtual/00-INDEX
@@ -8,3 +8,6 @@ lguest/
        - Extremely simple hypervisor for experimental/educational use.
 uml/
        - User Mode Linux, builds/runs Linux kernel as a userspace program.
+virtio.txt
+        - Text version of draft virtio spec.
+          See http://ozlabs.org/~rusty/virtio-spec
diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
index 42542eb802c..13ab8379b4e 100644
--- a/Documentation/virtual/kvm/api.txt
+++ b/Documentation/virtual/kvm/api.txt
@@ -180,6 +180,19 @@ KVM_CHECK_EXTENSION ioctl() to determine the value for max_vcpus at run-time.
 If the KVM_CAP_NR_VCPUS does not exist, you should assume that max_vcpus is 4
 cpus max.
+On powerpc using book3s_hv mode, the vcpus are mapped onto virtual
+threads in one or more virtual CPU cores.  (This is because the
+hardware requires all the hardware threads in a CPU core to be in the
+same partition.)  The KVM_CAP_PPC_SMT capability indicates the number
+of vcpus per virtual core (vcore).  The vcore id is obtained by
+dividing the vcpu id by the number of vcpus per vcore.  The vcpus in a
+given vcore will always be in the same physical core as each other
+(though that might be a different physical core from time to time).
+Userspace can control the threading (SMT) mode of the guest by its
+allocation of vcpu ids.  For example, if userspace wants
+single-threaded guest vcpus, it should make all vcpu ids be a multiple
+of the number of vcpus per vcore.
 4.8 KVM_GET_DIRTY_LOG (vm ioctl)
 Capability: basic
@@ -1118,6 +1131,13 @@ following flags are specified:
 /* Depends on KVM_CAP_IOMMU */
 #define KVM_DEV_ASSIGN_ENABLE_IOMMU     (1 << 0)
+The KVM_DEV_ASSIGN_ENABLE_IOMMU flag is a mandatory option to ensure
+isolation of the device.  Usages not specifying this flag are deprecated.
+Only PCI header type 0 devices with PCI BAR resources are supported by
+device assignment.  The user requesting this ioctl must have read/write
+access to the PCI sysfs resource files associated with the device.
 4.49 KVM_DEASSIGN_PCI_DEVICE
 Capability: KVM_CAP_DEVICE_DEASSIGNMENT
@@ -1143,15 +1163,10 @@ Assigns an IRQ to a passed-through device.
 struct kvm_assigned_irq {
        __u32 assigned_dev_id;
-        __u32 host_irq;
+        __u32 host_irq; /* ignored (legacy field) */
        __u32 guest_irq;
        __u32 flags;
        union {
-                struct {
-                        __u32 addr_lo;
-                        __u32 addr_hi;
-                        __u32 data;
-                } guest_msi;
                __u32 reserved[12];
        };
 };
@@ -1239,8 +1254,10 @@ Type: vm ioctl
 Parameters: struct kvm_assigned_msix_nr (in)
 Returns: 0 on success, -1 on error
-Set the number of MSI-X interrupts for an assigned device. This service can
+Set the number of MSI-X interrupts for an assigned device. The number is
-only be called once in the lifetime of an assigned device.
+reset again by terminating the MSI-X assignment of the device via
+KVM_DEASSIGN_DEV_IRQ. Calling this service more than once at any earlier
+point will fail.
 struct kvm_assigned_msix_nr {
        __u32 assigned_dev_id;
@@ -1291,6 +1308,135 @@ Returns the tsc frequency of the guest. The unit of the return value is
 KHz. If the host has unstable tsc this ioctl returns -EIO instead as an
 error.
+4.56 KVM_GET_LAPIC
+Capability: KVM_CAP_IRQCHIP
+Architectures: x86
+Type: vcpu ioctl
+Parameters: struct kvm_lapic_state (out)
+Returns: 0 on success, -1 on error
+#define KVM_APIC_REG_SIZE 0x400
+struct kvm_lapic_state {
+        char regs[KVM_APIC_REG_SIZE];
+};
+Reads the Local APIC registers and copies them into the input argument.  The
+data format and layout are the same as documented in the architecture manual.
+4.57 KVM_SET_LAPIC
+Capability: KVM_CAP_IRQCHIP
+Architectures: x86
+Type: vcpu ioctl
+Parameters: struct kvm_lapic_state (in)
+Returns: 0 on success, -1 on error
+#define KVM_APIC_REG_SIZE 0x400
+struct kvm_lapic_state {
+        char regs[KVM_APIC_REG_SIZE];
+};
+Copies the input argument into the the Local APIC registers.  The data format
+and layout are the same as documented in the architecture manual.
+4.58 KVM_IOEVENTFD
+Capability: KVM_CAP_IOEVENTFD
+Architectures: all
+Type: vm ioctl
+Parameters: struct kvm_ioeventfd (in)
+Returns: 0 on success, !0 on error
+This ioctl attaches or detaches an ioeventfd to a legal pio/mmio address
+within the guest.  A guest write in the registered address will signal the
+provided event instead of triggering an exit.
+struct kvm_ioeventfd {
+        __u64 datamatch;
+        __u64 addr;        /* legal pio/mmio address */
+        __u32 len;         /* 1, 2, 4, or 8 bytes    */
+        __s32 fd;
+        __u32 flags;
+        __u8  pad[36];
+};
+The following flags are defined:
+#define KVM_IOEVENTFD_FLAG_DATAMATCH (1 << kvm_ioeventfd_flag_nr_datamatch)
+#define KVM_IOEVENTFD_FLAG_PIO       (1 << kvm_ioeventfd_flag_nr_pio)
+#define KVM_IOEVENTFD_FLAG_DEASSIGN  (1 << kvm_ioeventfd_flag_nr_deassign)
+If datamatch flag is set, the event will be signaled only if the written value
+to the registered address is equal to datamatch in struct kvm_ioeventfd.
+4.62 KVM_CREATE_SPAPR_TCE
+Capability: KVM_CAP_SPAPR_TCE
+Architectures: powerpc
+Type: vm ioctl
+Parameters: struct kvm_create_spapr_tce (in)
+Returns: file descriptor for manipulating the created TCE table
+This creates a virtual TCE (translation control entry) table, which
+is an IOMMU for PAPR-style virtual I/O.  It is used to translate
+logical addresses used in virtual I/O into guest physical addresses,
+and provides a scatter/gather capability for PAPR virtual I/O.
+/* for KVM_CAP_SPAPR_TCE */
+struct kvm_create_spapr_tce {
+        __u64 liobn;
+        __u32 window_size;
+};
+The liobn field gives the logical IO bus number for which to create a
+TCE table.  The window_size field specifies the size of the DMA window
+which this TCE table will translate - the table will contain one 64
+bit TCE entry for every 4kiB of the DMA window.
+When the guest issues an H_PUT_TCE hcall on a liobn for which a TCE
+table has been created using this ioctl(), the kernel will handle it
+in real mode, updating the TCE table.  H_PUT_TCE calls for other
+liobns will cause a vm exit and must be handled by userspace.
+The return value is a file descriptor which can be passed to mmap(2)
+to map the created TCE table into userspace.  This lets userspace read
+the entries written by kernel-handled H_PUT_TCE calls, and also lets
+userspace update the TCE table directly which is useful in some
+circumstances.
+4.63 KVM_ALLOCATE_RMA
+Capability: KVM_CAP_PPC_RMA
+Architectures: powerpc
+Type: vm ioctl
+Parameters: struct kvm_allocate_rma (out)
+Returns: file descriptor for mapping the allocated RMA
+This allocates a Real Mode Area (RMA) from the pool allocated at boot
+time by the kernel.  An RMA is a physically-contiguous, aligned region
+of memory used on older POWER processors to provide the memory which
+will be accessed by real-mode (MMU off) accesses in a KVM guest.
+POWER processors support a set of sizes for the RMA that usually
+includes 64MB, 128MB, 256MB and some larger powers of two.
+/* for KVM_ALLOCATE_RMA */
+struct kvm_allocate_rma {
+        __u64 rma_size;
+};
+The return value is a file descriptor which can be passed to mmap(2)
+to map the allocated RMA into userspace.  The mapped area can then be
+passed to the KVM_SET_USER_MEMORY_REGION ioctl to establish it as the
+RMA for a virtual machine.  The size of the RMA in bytes (which is
+fixed at host kernel boot time) is returned in the rma_size field of
+the argument structure.
+The KVM_CAP_PPC_RMA capability is 1 or 2 if the KVM_ALLOCATE_RMA ioctl
+is supported; 2 if the processor requires all virtual machines to have
+an RMA, or 1 if the processor can use an RMA but doesn't require it,
+because it supports the Virtual RMA (VRMA) facility.
 5. The kvm_run structure
 Application code obtains a pointer to the kvm_run structure by
@@ -1473,6 +1619,23 @@ Userspace can now handle the hypercall and when it's done modify the gprs as
 necessary. Upon guest entry all guest GPRs will then be replaced by the values
 in this struct.
+                /* KVM_EXIT_PAPR_HCALL */
+                struct {
+                        __u64 nr;
+                        __u64 ret;
+                        __u64 args[9];
+                } papr_hcall;
+This is used on 64-bit PowerPC when emulating a pSeries partition,
+e.g. with the 'pseries' machine type in qemu.  It occurs when the
+guest does a hypercall using the 'sc 1' instruction.  The 'nr' field
+contains the hypercall number (from the guest R3), and 'args' contains
+the arguments (from the guest R4 - R12).  Userspace should put the
+return code in 'ret' and any extra returned values in args[].
+The possible hypercalls are defined in the Power Architecture Platform
+Requirements (PAPR) document available from www.power.org (free
+developer registration required to access it).
                /* Fix the size of the union. */
                char padding[256];
        };
diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt
index f46aa58389c..5dc972c09b5 100644
--- a/Documentation/virtual/kvm/mmu.txt
+++ b/Documentation/virtual/kvm/mmu.txt
@@ -165,6 +165,10 @@ Shadow pages contain the following information:
    Contains the value of efer.nxe for which the page is valid.
  role.cr0_wp:
    Contains the value of cr0.wp for which the page is valid.
+  role.smep_andnot_wp:
+    Contains the value of cr4.smep && !cr0.wp for which the page is valid
+    (pages for which this is true are different from other pages; see the
+    treatment of cr0.wp=0 below).
  gfn:
    Either the guest page table containing the translations shadowed by this
    page, or the base page frame for linear translations.  See role.direct.
@@ -317,6 +321,20 @@ on fault type:
 (user write faults generate a #PF)
+In the first case there is an additional complication if CR4.SMEP is
+enabled: since we've turned the page into a kernel page, the kernel may now
+execute it.  We handle this by also setting spte.nx.  If we get a user
+fetch or read fault, we'll change spte.u=1 and spte.nx=gpte.nx back.
+To prevent an spte that was converted into a kernel page with cr0.wp=0
+from being written by the kernel after cr0.wp has changed to 1, we make
+the value of cr0.wp part of the page role.  This means that an spte created
+with one value of cr0.wp cannot be used when cr0.wp has a different value -
+it will simply be missed by the shadow page lookup code.  A similar issue
+exists when an spte created with cr0.wp=0 and cr4.smep=0 is used after
+changing cr4.smep to 1.  To avoid this, the value of !cr0.wp && cr4.smep
+is also made a part of the page role.
 Large pages
 ===========
diff --git a/Documentation/virtual/kvm/msr.txt b/Documentation/virtual/kvm/msr.txt
index d079aed27e0..50317809113 100644
--- a/Documentation/virtual/kvm/msr.txt
+++ b/Documentation/virtual/kvm/msr.txt
@@ -185,3 +185,37 @@ MSR_KVM_ASYNC_PF_EN: 0x4b564d02
        Currently type 2 APF will be always delivered on the same vcpu as
        type 1 was, but guest should not rely on that.
+MSR_KVM_STEAL_TIME: 0x4b564d03
+        data: 64-byte alignment physical address of a memory area which must be
+        in guest RAM, plus an enable bit in bit 0. This memory is expected to
+        hold a copy of the following structure:
+        struct kvm_steal_time {
+                __u64 steal;
+                __u32 version;
+                __u32 flags;
+                __u32 pad[12];
+        }
+        whose data will be filled in by the hypervisor periodically. Only one
+        write, or registration, is needed for each VCPU. The interval between
+        updates of this structure is arbitrary and implementation-dependent.
+        The hypervisor may update this structure at any time it sees fit until
+        anything with bit0 == 0 is written to it. Guest is required to make sure
+        this structure is initialized to zero.
+        Fields have the following meanings:
+                version: a sequence counter. In other words, guest has to check
+                this field before and after grabbing time information and make
+                sure they are both equal and even. An odd version indicates an
+                in-progress update.
+                flags: At this point, always zero. May be used to indicate
+                changes in this structure in the future.
+                steal: the amount of time in which this vCPU did not run, in
+                nanoseconds. Time during which the vcpu is idle, will not be
+                reported as steal time.
diff --git a/Documentation/virtual/kvm/nested-vmx.txt b/Documentation/virtual/kvm/nested-vmx.txt
new file mode 100644
index 00000000000..8ed937de116
--- /dev/null
+++ b/Documentation/virtual/kvm/nested-vmx.txt
@@ -0,0 +1,251 @@
+Nested VMX
+==========
+Overview
+---------
+On Intel processors, KVM uses Intel's VMX (Virtual-Machine eXtensions)
+to easily and efficiently run guest operating systems. Normally, these guests
+*cannot* themselves be hypervisors running their own guests, because in VMX,
+guests cannot use VMX instructions.
+The "Nested VMX" feature adds this missing capability - of running guest
+hypervisors (which use VMX) with their own nested guests. It does so by
+allowing a guest to use VMX instructions, and correctly and efficiently
+emulating them using the single level of VMX available in the hardware.
+We describe in much greater detail the theory behind the nested VMX feature,
+its implementation and its performance characteristics, in the OSDI 2010 paper
+"The Turtles Project: Design and Implementation of Nested Virtualization",
+available at:
+        http://www.usenix.org/events/osdi10/tech/full_papers/Ben-Yehuda.pdf
+Terminology
+-----------
+Single-level virtualization has two levels - the host (KVM) and the guests.
+In nested virtualization, we have three levels: The host (KVM), which we call
+L0, the guest hypervisor, which we call L1, and its nested guest, which we
+call L2.
+Known limitations
+-----------------
+The current code supports running Linux guests under KVM guests.
+Only 64-bit guest hypervisors are supported.
+Additional patches for running Windows under guest KVM, and Linux under
+guest VMware server, and support for nested EPT, are currently running in
+the lab, and will be sent as follow-on patchsets.
+Running nested VMX
+------------------
+The nested VMX feature is disabled by default. It can be enabled by giving
+the "nested=1" option to the kvm-intel module.
+No modifications are required to user space (qemu). However, qemu's default
+emulated CPU type (qemu64) does not list the "VMX" CPU feature, so it must be
+explicitly enabled, by giving qemu one of the following options:
+     -cpu host              (emulated CPU has all features of the real CPU)
+     -cpu qemu64,+vmx       (add just the vmx feature to a named CPU type)
+ABIs
+----
+Nested VMX aims to present a standard and (eventually) fully-functional VMX
+implementation for the a guest hypervisor to use. As such, the official
+specification of the ABI that it provides is Intel's VMX specification,
+namely volume 3B of their "Intel 64 and IA-32 Architectures Software
+Developer's Manual". Not all of VMX's features are currently fully supported,
+but the goal is to eventually support them all, starting with the VMX features
+which are used in practice by popular hypervisors (KVM and others).
+As a VMX implementation, nested VMX presents a VMCS structure to L1.
+As mandated by the spec, other than the two fields revision_id and abort,
+this structure is *opaque* to its user, who is not supposed to know or care
+about its internal structure. Rather, the structure is accessed through the
+VMREAD and VMWRITE instructions.
+Still, for debugging purposes, KVM developers might be interested to know the
+internals of this structure; This is struct vmcs12 from arch/x86/kvm/vmx.c.
+The name "vmcs12" refers to the VMCS that L1 builds for L2. In the code we
+also have "vmcs01", the VMCS that L0 built for L1, and "vmcs02" is the VMCS
+which L0 builds to actually run L2 - how this is done is explained in the
+aforementioned paper.
+For convenience, we repeat the content of struct vmcs12 here. If the internals
+of this structure changes, this can break live migration across KVM versions.
+VMCS12_REVISION (from vmx.c) should be changed if struct vmcs12 or its inner
+struct shadow_vmcs is ever changed.
+        typedef u64 natural_width;
+        struct __packed vmcs12 {
+                /* According to the Intel spec, a VMCS region must start with
+                 * these two user-visible fields */
+                u32 revision_id;
+                u32 abort;
+                u32 launch_state; /* set to 0 by VMCLEAR, to 1 by VMLAUNCH */
+                u32 padding[7]; /* room for future expansion */
+                u64 io_bitmap_a;
+                u64 io_bitmap_b;
+                u64 msr_bitmap;
+                u64 vm_exit_msr_store_addr;
+                u64 vm_exit_msr_load_addr;
+                u64 vm_entry_msr_load_addr;
+                u64 tsc_offset;
+                u64 virtual_apic_page_addr;
+                u64 apic_access_addr;
+                u64 ept_pointer;
+                u64 guest_physical_address;
+                u64 vmcs_link_pointer;
+                u64 guest_ia32_debugctl;
+                u64 guest_ia32_pat;
+                u64 guest_ia32_efer;
+                u64 guest_pdptr0;
+                u64 guest_pdptr1;
+                u64 guest_pdptr2;
+                u64 guest_pdptr3;
+                u64 host_ia32_pat;
+                u64 host_ia32_efer;
+                u64 padding64[8]; /* room for future expansion */
+                natural_width cr0_guest_host_mask;
+                natural_width cr4_guest_host_mask;
+                natural_width cr0_read_shadow;
+                natural_width cr4_read_shadow;
+                natural_width cr3_target_value0;
+                natural_width cr3_target_value1;
+                natural_width cr3_target_value2;
+                natural_width cr3_target_value3;
+                natural_width exit_qualification;
+                natural_width guest_linear_address;
+                natural_width guest_cr0;
+                natural_width guest_cr3;
+                natural_width guest_cr4;
+                natural_width guest_es_base;
+                natural_width guest_cs_base;
+                natural_width guest_ss_base;
+                natural_width guest_ds_base;
+                natural_width guest_fs_base;
+                natural_width guest_gs_base;
+                natural_width guest_ldtr_base;
+                natural_width guest_tr_base;
+                natural_width guest_gdtr_base;
+                natural_width guest_idtr_base;
+                natural_width guest_dr7;
+                natural_width guest_rsp;
+                natural_width guest_rip;
+                natural_width guest_rflags;
+                natural_width guest_pending_dbg_exceptions;
+                natural_width guest_sysenter_esp;
+                natural_width guest_sysenter_eip;
+                natural_width host_cr0;
+                natural_width host_cr3;
+                natural_width host_cr4;
+                natural_width host_fs_base;
+                natural_width host_gs_base;
+                natural_width host_tr_base;
+                natural_width host_gdtr_base;
+                natural_width host_idtr_base;
+                natural_width host_ia32_sysenter_esp;
+                natural_width host_ia32_sysenter_eip;
+                natural_width host_rsp;
+                natural_width host_rip;
+                natural_width paddingl[8]; /* room for future expansion */
+                u32 pin_based_vm_exec_control;
+                u32 cpu_based_vm_exec_control;
+                u32 exception_bitmap;
+                u32 page_fault_error_code_mask;
+                u32 page_fault_error_code_match;
+                u32 cr3_target_count;
+                u32 vm_exit_controls;
+                u32 vm_exit_msr_store_count;
+                u32 vm_exit_msr_load_count;
+                u32 vm_entry_controls;
+                u32 vm_entry_msr_load_count;
+                u32 vm_entry_intr_info_field;
+                u32 vm_entry_exception_error_code;
+                u32 vm_entry_instruction_len;
+                u32 tpr_threshold;
+                u32 secondary_vm_exec_control;
+                u32 vm_instruction_error;
+                u32 vm_exit_reason;
+                u32 vm_exit_intr_info;
+                u32 vm_exit_intr_error_code;
+                u32 idt_vectoring_info_field;
+                u32 idt_vectoring_error_code;
+                u32 vm_exit_instruction_len;
+                u32 vmx_instruction_info;
+                u32 guest_es_limit;
+                u32 guest_cs_limit;
+                u32 guest_ss_limit;
+                u32 guest_ds_limit;
+                u32 guest_fs_limit;
+                u32 guest_gs_limit;
+                u32 guest_ldtr_limit;
+                u32 guest_tr_limit;
+                u32 guest_gdtr_limit;
+                u32 guest_idtr_limit;
+                u32 guest_es_ar_bytes;
+                u32 guest_cs_ar_bytes;
+                u32 guest_ss_ar_bytes;
+                u32 guest_ds_ar_bytes;
+                u32 guest_fs_ar_bytes;
+                u32 guest_gs_ar_bytes;
+                u32 guest_ldtr_ar_bytes;
+                u32 guest_tr_ar_bytes;
+                u32 guest_interruptibility_info;
+                u32 guest_activity_state;
+                u32 guest_sysenter_cs;
+                u32 host_ia32_sysenter_cs;
+                u32 padding32[8]; /* room for future expansion */
+                u16 virtual_processor_id;
+                u16 guest_es_selector;
+                u16 guest_cs_selector;
+                u16 guest_ss_selector;
+                u16 guest_ds_selector;
+                u16 guest_fs_selector;
+                u16 guest_gs_selector;
+                u16 guest_ldtr_selector;
+                u16 guest_tr_selector;
+                u16 host_es_selector;
+                u16 host_cs_selector;
+                u16 host_ss_selector;
+                u16 host_ds_selector;
+                u16 host_fs_selector;
+                u16 host_gs_selector;
+                u16 host_tr_selector;
+        };
+Authors
+-------
+These patches were written by:
+     Abel Gordon, abelg <at> il.ibm.com
+     Nadav Har'El, nyh <at> il.ibm.com
+     Orit Wasserman, oritw <at> il.ibm.com
+     Ben-Ami Yassor, benami <at> il.ibm.com
+     Muli Ben-Yehuda, muli <at> il.ibm.com
+With contributions by:
+     Anthony Liguori, aliguori <at> us.ibm.com
+     Mike Day, mdday <at> us.ibm.com
+     Michael Factor, factor <at> il.ibm.com
+     Zvi Dubitzky, dubi <at> il.ibm.com
+And valuable reviews by:
+     Avi Kivity, avi <at> redhat.com
+     Gleb Natapov, gleb <at> redhat.com
+     Marcelo Tosatti, mtosatti <at> redhat.com
+     Kevin Tian, kevin.tian <at> intel.com
+     and others.
diff --git a/Documentation/virtual/kvm/ppc-pv.txt b/Documentation/virtual/kvm/ppc-pv.txt
index 3ab969c5904..2b7ce190cde 100644
--- a/Documentation/virtual/kvm/ppc-pv.txt
+++ b/Documentation/virtual/kvm/ppc-pv.txt
@@ -68,9 +68,11 @@ page that contains parts of supervisor visible register state. The guest can
 map this shared page using the KVM hypercall KVM_HC_PPC_MAP_MAGIC_PAGE.
 With this hypercall issued the guest always gets the magic page mapped at the
-desired location in effective and physical address space. For now, we always
+desired location. The first parameter indicates the effective address when the
-map the page to -4096. This way we can access it using absolute load and store
+MMU is enabled. The second parameter indicates the address in real mode, if
-functions. The following instruction reads the first field of the magic page:
+applicable to the target. For now, we always map the page to -4096. This way we
+can access it using absolute load and store functions. The following
+instruction reads the first field of the magic page:
        ld      rX, -4096(0)
diff --git a/Documentation/virtual/lguest/.gitignore b/Documentation/virtual/lguest/.gitignore
deleted file mode 100644
index 115587fd5f6..00000000000
--- a/Documentation/virtual/lguest/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-lguest
diff --git a/Documentation/virtual/lguest/lguest.c b/Documentation/virtual/lguest/lguest.c
index cd9d6af61d0..d928c134dee 100644
--- a/Documentation/virtual/lguest/lguest.c
+++ b/Documentation/virtual/lguest/lguest.c
@@ -51,7 +51,7 @@
 #include <asm/bootparam.h>
 #include "../../../include/linux/lguest_launcher.h"
 /*L:110
- * We can ignore the 42 include files we need for this program, but I do want
+ * We can ignore the 43 include files we need for this program, but I do want
 * to draw attention to the use of kernel-style types.
 *
 * As Linus said, "C is a Spartan language, and so should your naming be."  I
@@ -65,7 +65,6 @@ typedef uint16_t u16;
 typedef uint8_t u8;
 /*:*/
-#define PAGE_PRESENT 0x7        /* Present, RW, Execute */
 #define BRIDGE_PFX "bridge:"
 #ifndef SIOCBRADDIF
 #define SIOCBRADDIF     0x89a2          /* add interface to bridge      */
@@ -861,8 +860,10 @@ static void console_output(struct virtqueue *vq)
        /* writev can return a partial write, so we loop here. */
        while (!iov_empty(iov, out)) {
                int len = writev(STDOUT_FILENO, iov, out);
-                if (len <= 0)
+                if (len <= 0) {
-                        err(1, "Write to stdout gave %i", len);
+                        warn("Write to stdout gave %i (%d)", len, errno);
+                        break;
+                }
                iov_consume(iov, out, len);
        }
@@ -898,7 +899,7 @@ static void net_output(struct virtqueue *vq)
         * same format: what a coincidence!
         */
        if (writev(net_info->tunfd, iov, out) < 0)
-                errx(1, "Write to tun failed?");
+                warnx("Write to tun failed (%d)?", errno);
        /*
         * Done with that one; wait_for_vq_desc() will send the interrupt if
@@ -955,7 +956,7 @@ static void net_input(struct virtqueue *vq)
         */
        len = readv(net_info->tunfd, iov, in);
        if (len <= 0)
-                err(1, "Failed to read from tun.");
+                warn("Failed to read from tun (%d).", errno);
        /*
         * Mark that packet buffer as used, but don't interrupt here.  We want
@@ -1093,9 +1094,10 @@ static void update_device_status(struct device *dev)
                warnx("Device %s configuration FAILED", dev->name);
                if (dev->running)
                        reset_device(dev);
-        } else if (dev->desc->status & VIRTIO_CONFIG_S_DRIVER_OK) {
+        } else {
-                if (!dev->running)
+                if (dev->running)
-                        start_device(dev);
+                        err(1, "Device %s features finalized twice", dev->name);
+                start_device(dev);
        }
 }
@@ -1120,25 +1122,11 @@ static void handle_output(unsigned long addr)
                        return;
                }
-                /*
+                /* Devices should not be used before features are finalized. */
-                 * Devices *can* be used before status is set to DRIVER_OK.
-                 * The original plan was that they would never do this: they
-                 * would always finish setting up their status bits before
-                 * actually touching the virtqueues.  In practice, we allowed
-                 * them to, and they do (eg. the disk probes for partition
-                 * tables as part of initialization).
-                 *
-                 * If we see this, we start the device: once it's running, we
-                 * expect the device to catch all the notifications.
-                 */
                for (vq = i->vq; vq; vq = vq->next) {
                        if (addr != vq->config.pfn*getpagesize())
                                continue;
-                        if (i->running)
+                        errx(1, "Notification on %s before setup!", i->name);
-                                errx(1, "Notification on running %s", i->name);
-                        /* This just calls create_thread() for each virtqueue */
-                        start_device(i);
-                        return;
                }
        }
@@ -1370,7 +1358,7 @@ static void setup_console(void)
 * --sharenet=<name> option which opens or creates a named pipe.  This can be
 * used to send packets to another guest in a 1:1 manner.
 *
- * More sopisticated is to use one of the tools developed for project like UML
+ * More sophisticated is to use one of the tools developed for project like UML
 * to do networking.
 *
 * Faster is to do virtio bonding in kernel.  Doing this 1:1 would be
@@ -1380,7 +1368,7 @@ static void setup_console(void)
 * multiple inter-guest channels behind one interface, although it would
 * require some manner of hotplugging new virtio channels.
 *
- * Finally, we could implement a virtio network switch in the kernel.
+ * Finally, we could use a virtio network switch in the kernel, ie. vhost.
 :*/
 static u32 str2ip(const char *ipaddr)
@@ -2008,6 +1996,9 @@ int main(int argc, char *argv[])
        /* We use a simple helper to copy the arguments separated by spaces. */
        concat((char *)(boot + 1), argv+optind+2);
+        /* Set kernel alignment to 16M (CONFIG_PHYSICAL_ALIGN) */
+        boot->hdr.kernel_alignment = 0x1000000;
        /* Boot protocol version: 2.07 supports the fields for lguest. */
        boot->hdr.version = 0x207;
@@ -2017,10 +2008,7 @@ int main(int argc, char *argv[])
        /* Tell the entry path not to try to reload segment registers. */
        boot->hdr.loadflags |= KEEP_SEGMENTS;
-        /*
+        /* We tell the kernel to initialize the Guest. */
-         * We tell the kernel to initialize the Guest: this returns the open
-         * /dev/lguest file descriptor.
-         */
        tell_kernel(start);
        /* Ensure that we terminate if a device-servicing child dies. */
diff --git a/Documentation/virtual/virtio-spec.txt b/Documentation/virtual/virtio-spec.txt
new file mode 100644
index 00000000000..a350ae135b8
--- /dev/null
+++ b/Documentation/virtual/virtio-spec.txt
@@ -0,0 +1,2200 @@
+[Generated file: see http://ozlabs.org/~rusty/virtio-spec/]
+Virtio PCI Card Specification
+v0.9.1 DRAFT
+-
+Rusty Russell <rusty@rustcorp.com.au>IBM Corporation (Editor)
+2011 August 1.
+Purpose and Description
+This document describes the specifications of the “virtio” family
+of PCI[LaTeX Command: nomenclature] devices. These are devices
+are found in virtual environments[LaTeX Command: nomenclature],
+yet by design they are not all that different from physical PCI
+devices, and this document treats them as such. This allows the
+guest to use standard PCI drivers and discovery mechanisms.
+The purpose of virtio and this specification is that virtual
+environments and guests should have a straightforward, efficient,
+standard and extensible mechanism for virtual devices, rather
+than boutique per-environment or per-OS mechanisms.
+  Straightforward: Virtio PCI devices use normal PCI mechanisms
+  of interrupts and DMA which should be familiar to any device
+  driver author. There is no exotic page-flipping or COW
+  mechanism: it's just a PCI device.[footnote:
+This lack of page-sharing implies that the implementation of the
+device (e.g. the hypervisor or host) needs full access to the
+guest memory. Communication with untrusted parties (i.e.
+inter-guest communication) requires copying.
+]
+  Efficient: Virtio PCI devices consist of rings of descriptors
+  for input and output, which are neatly separated to avoid cache
+  effects from both guest and device writing to the same cache
+  lines.
+  Standard: Virtio PCI makes no assumptions about the environment
+  in which it operates, beyond supporting PCI. In fact the virtio
+  devices specified in the appendices do not require PCI at all:
+  they have been implemented on non-PCI buses.[footnote:
+The Linux implementation further separates the PCI virtio code
+from the specific virtio drivers: these drivers are shared with
+the non-PCI implementations (currently lguest and S/390).
+]
+  Extensible: Virtio PCI devices contain feature bits which are
+  acknowledged by the guest operating system during device setup.
+  This allows forwards and backwards compatibility: the device
+  offers all the features it knows about, and the driver
+  acknowledges those it understands and wishes to use.
+  Virtqueues
+The mechanism for bulk data transport on virtio PCI devices is
+pretentiously called a virtqueue. Each device can have zero or
+more virtqueues: for example, the network device has one for
+transmit and one for receive.
+Each virtqueue occupies two or more physically-contiguous pages
+(defined, for the purposes of this specification, as 4096 bytes),
+and consists of three parts:
+-------------------+-----------------------------------+-----------+
+| Descriptor Table  |   Available Ring     (padding)    | Used Ring |
+-------------------+-----------------------------------+-----------+
+When the driver wants to send buffers to the device, it puts them
+in one or more slots in the descriptor table, and writes the
+descriptor indices into the available ring. It then notifies the
+device. When the device has finished with the buffers, it writes
+the descriptors into the used ring, and sends an interrupt.
+Specification
+  PCI Discovery
+Any PCI device with Vendor ID 0x1AF4, and Device ID 0x1000
+through 0x103F inclusive is a virtio device[footnote:
+The actual value within this range is ignored
+]. The device must also have a Revision ID of 0 to match this
+specification.
+The Subsystem Device ID indicates which virtio device is
+supported by the device. The Subsystem Vendor ID should reflect
+the PCI Vendor ID of the environment (it's currently only used
+for informational purposes by the guest).
+----------------------+--------------------+---------------+
+| Subsystem Device ID  |   Virtio Device    | Specification |
+----------------------+--------------------+---------------+
+----------------------+--------------------+---------------+
+|          1           |   network card     |  Appendix C   |
+----------------------+--------------------+---------------+
+|          2           |   block device     |  Appendix D   |
+----------------------+--------------------+---------------+
+|          3           |      console       |  Appendix E   |
+----------------------+--------------------+---------------+
+|          4           |  entropy source    |  Appendix F   |
+----------------------+--------------------+---------------+
+|          5           | memory ballooning  |  Appendix G   |
+----------------------+--------------------+---------------+
+|          6           |     ioMemory       |       -       |
+----------------------+--------------------+---------------+
+|          9           |   9P transport     |       -       |
+----------------------+--------------------+---------------+
+  Device Configuration
+To configure the device, we use the first I/O region of the PCI
+device. This contains a virtio header followed by a
+device-specific region.
+There may be different widths of accesses to the I/O region; the “
+natural” access method for each field in the virtio header must
+be used (i.e. 32-bit accesses for 32-bit fields, etc), but the
+device-specific region can be accessed using any width accesses,
+and should obtain the same results.
+Note that this is possible because while the virtio header is PCI
+(i.e. little) endian, the device-specific region is encoded in
+the native endian of the guest (where such distinction is
+applicable).
+  Device Initialization Sequence
+We start with an overview of device initialization, then expand
+on the details of the device and how each step is preformed.
+  Reset the device. This is not required on initial start up.
+  The ACKNOWLEDGE status bit is set: we have noticed the device.
+  The DRIVER status bit is set: we know how to drive the device.
+  Device-specific setup, including reading the Device Feature
+  Bits, discovery of virtqueues for the device, optional MSI-X
+  setup, and reading and possibly writing the virtio
+  configuration space.
+  The subset of Device Feature Bits understood by the driver is
+  written to the device.
+  The DRIVER_OK status bit is set.
+  The device can now be used (ie. buffers added to the
+  virtqueues)[footnote:
+Historically, drivers have used the device before steps 5 and 6.
+This is only allowed if the driver does not use any features
+which would alter this early use of the device.
+]
+If any of these steps go irrecoverably wrong, the guest should
+set the FAILED status bit to indicate that it has given up on the
+device (it can reset the device later to restart if desired).
+We now cover the fields required for general setup in detail.
+  Virtio Header
+The virtio header looks as follows:
+------------++---------------------+---------------------+----------+--------+---------+---------+---------+--------+
+| Bits       || 32                  | 32                  | 32       | 16     | 16      | 16      | 8       | 8      |
+------------++---------------------+---------------------+----------+--------+---------+---------+---------+--------+
+| Read/Write || R                   | R+W                 | R+W      | R      | R+W     | R+W     | R+W     | R      |
+------------++---------------------+---------------------+----------+--------+---------+---------+---------+--------+
+| Purpose    || Device              | Guest               | Queue    | Queue  | Queue   | Queue   | Device  | ISR    |
+|            || Features bits 0:31  | Features bits 0:31  | Address  | Size   | Select  | Notify  | Status  | Status |
+------------++---------------------+---------------------+----------+--------+---------+---------+---------+--------+
+If MSI-X is enabled for the device, two additional fields
+immediately follow this header:
+------------++----------------+--------+
+| Bits       || 16             | 16     |
+              +----------------+--------+
+------------++----------------+--------+
+| Read/Write || R+W            | R+W    |
+------------++----------------+--------+
+| Purpose    || Configuration  | Queue  |
+| (MSI-X)    || Vector         | Vector |
+------------++----------------+--------+
+Finally, if feature bits (VIRTIO_F_FEATURES_HI) this is
+immediately followed by two additional fields:
+------------++----------------------+----------------------
+| Bits       || 32                   | 32
+------------++----------------------+----------------------
+| Read/Write || R                    | R+W
+------------++----------------------+----------------------
+| Purpose    || Device               | Guest
+|            || Features bits 32:63  | Features bits 32:63
+------------++----------------------+----------------------
+Immediately following these general headers, there may be
+device-specific headers:
+------------++--------------------+
+| Bits       || Device Specific    |
+              +--------------------+
+------------++--------------------+
+| Read/Write || Device Specific    |
+------------++--------------------+
+| Purpose    || Device Specific... |
+|            ||                    |
+------------++--------------------+
+  Device Status
+The Device Status field is updated by the guest to indicate its
+progress. This provides a simple low-level diagnostic: it's most
+useful to imagine them hooked up to traffic lights on the console
+indicating the status of each device.
+The device can be reset by writing a 0 to this field, otherwise
+at least one bit should be set:
+  ACKNOWLEDGE (1) Indicates that the guest OS has found the
+  device and recognized it as a valid virtio device.
+  DRIVER (2) Indicates that the guest OS knows how to drive the
+  device. Under Linux, drivers can be loadable modules so there
+  may be a significant (or infinite) delay before setting this
+  bit.
+  DRIVER_OK (3) Indicates that the driver is set up and ready to
+  drive the device.
+  FAILED (8) Indicates that something went wrong in the guest,
+  and it has given up on the device. This could be an internal
+  error, or the driver didn't like the device for some reason, or
+  even a fatal error during device operation. The device must be
+  reset before attempting to re-initialize.
+  Feature Bits
+The least significant 31 bits of the first configuration field
+indicates the features that the device supports (the high bit is
+reserved, and will be used to indicate the presence of future
+feature bits elsewhere). If more than 31 feature bits are
+supported, the device indicates so by setting feature bit 31 (see
+[cha:Reserved-Feature-Bits]). The bits are allocated as follows:
+  0 to 23 Feature bits for the specific device type
+  24 to 40 Feature bits reserved for extensions to the queue and
+  feature negotiation mechanisms
+  41 to 63 Feature bits reserved for future extensions
+For example, feature bit 0 for a network device (i.e. Subsystem
+Device ID 1) indicates that the device supports checksumming of
+packets.
+The feature bits are negotiated: the device lists all the
+features it understands in the Device Features field, and the
+guest writes the subset that it understands into the Guest
+Features field. The only way to renegotiate is to reset the
+device.
+In particular, new fields in the device configuration header are
+indicated by offering a feature bit, so the guest can check
+before accessing that part of the configuration space.
+This allows for forwards and backwards compatibility: if the
+device is enhanced with a new feature bit, older guests will not
+write that feature bit back to the Guest Features field and it
+can go into backwards compatibility mode. Similarly, if a guest
+is enhanced with a feature that the device doesn't support, it
+will not see that feature bit in the Device Features field and
+can go into backwards compatibility mode (or, for poor
+implementations, set the FAILED Device Status bit).
+Access to feature bits 32 to 63 is enabled by Guest by setting
+feature bit 31. If this bit is unset, Device must assume that all
+feature bits > 31 are unset.
+  Configuration/Queue Vectors
+When MSI-X capability is present and enabled in the device
+(through standard PCI configuration space) 4 bytes at byte offset
+20 are used to map configuration change and queue interrupts to
+MSI-X vectors. In this case, the ISR Status field is unused, and
+device specific configuration starts at byte offset 24 in virtio
+header structure. When MSI-X capability is not enabled, device
+specific configuration starts at byte offset 20 in virtio header.
+Writing a valid MSI-X Table entry number, 0 to 0x7FF, to one of
+Configuration/Queue Vector registers, maps interrupts triggered
+by the configuration change/selected queue events respectively to
+the corresponding MSI-X vector. To disable interrupts for a
+specific event type, unmap it by writing a special NO_VECTOR
+value:
+/* Vector value used to disable MSI for queue */
+#define VIRTIO_MSI_NO_VECTOR            0xffff
+Reading these registers returns vector mapped to a given event,
+or NO_VECTOR if unmapped. All queue and configuration change
+events are unmapped by default.
+Note that mapping an event to vector might require allocating
+internal device resources, and might fail. Devices report such
+failures by returning the NO_VECTOR value when the relevant
+Vector field is read. After mapping an event to vector, the
+driver must verify success by reading the Vector field value: on
+success, the previously written value is returned, and on
+failure, NO_VECTOR is returned. If a mapping failure is detected,
+the driver can retry mapping with fewervectors, or disable MSI-X.
+  Virtqueue Configuration
+As a device can have zero or more virtqueues for bulk data
+transport (for example, the network driver has two), the driver
+needs to configure them as part of the device-specific
+configuration.
+This is done as follows, for each virtqueue a device has:
+  Write the virtqueue index (first queue is 0) to the Queue
+  Select field.
+  Read the virtqueue size from the Queue Size field, which is
+  always a power of 2. This controls how big the virtqueue is
+  (see below). If this field is 0, the virtqueue does not exist.
+  Allocate and zero virtqueue in contiguous physical memory, on a
+  4096 byte alignment. Write the physical address, divided by
+  4096 to the Queue Address field.[footnote:
+The 4096 is based on the x86 page size, but it's also large
+enough to ensure that the separate parts of the virtqueue are on
+separate cache lines.
+]
+  Optionally, if MSI-X capability is present and enabled on the
+  device, select a vector to use to request interrupts triggered
+  by virtqueue events. Write the MSI-X Table entry number
+  corresponding to this vector in Queue Vector field. Read the
+  Queue Vector field: on success, previously written value is
+  returned; on failure, NO_VECTOR value is returned.
+The Queue Size field controls the total number of bytes required
+for the virtqueue according to the following formula:
+#define ALIGN(x) (((x) + 4095) & ~4095)
+static inline unsigned vring_size(unsigned int qsz)
+{
+     return ALIGN(sizeof(struct vring_desc)*qsz + sizeof(u16)*(2
+ qsz))
+          + ALIGN(sizeof(struct vring_used_elem)*qsz);
+}
+This currently wastes some space with padding, but also allows
+future extensions. The virtqueue layout structure looks like this
+(qsz is the Queue Size field, which is a variable, so this code
+won't compile):
+struct vring {
+    /* The actual descriptors (16 bytes each) */
+    struct vring_desc desc[qsz];
+    /* A ring of available descriptor heads with free-running
+index. */
+    struct vring_avail avail;
+    // Padding to the next 4096 boundary.
+    char pad[];
+    // A ring of used descriptor heads with free-running index.
+    struct vring_used used;
+};
+  A Note on Virtqueue Endianness
+Note that the endian of these fields and everything else in the
+virtqueue is the native endian of the guest, not little-endian as
+PCI normally is. This makes for simpler guest code, and it is
+assumed that the host already has to be deeply aware of the guest
+endian so such an “endian-aware” device is not a significant
+issue.
+  Descriptor Table
+The descriptor table refers to the buffers the guest is using for
+the device. The addresses are physical addresses, and the buffers
+can be chained via the next field. Each descriptor describes a
+buffer which is read-only or write-only, but a chain of
+descriptors can contain both read-only and write-only buffers.
+No descriptor chain may be more than 2^32 bytes long in total.struct vring_desc {
+    /* Address (guest-physical). */
+    u64 addr;
+    /* Length. */
+    u32 len;
+/* This marks a buffer as continuing via the next field. */
+#define VRING_DESC_F_NEXT   1
+/* This marks a buffer as write-only (otherwise read-only). */
+#define VRING_DESC_F_WRITE     2
+/* This means the buffer contains a list of buffer descriptors.
+*/
+#define VRING_DESC_F_INDIRECT   4
+    /* The flags as indicated above. */
+    u16 flags;
+    /* Next field if flags & NEXT */
+    u16 next;
+};
+The number of descriptors in the table is specified by the Queue
+Size field for this virtqueue.
+  <sub:Indirect-Descriptors>Indirect Descriptors
+Some devices benefit by concurrently dispatching a large number
+of large requests. The VIRTIO_RING_F_INDIRECT_DESC feature can be
+used to allow this (see [cha:Reserved-Feature-Bits]). To increase
+ring capacity it is possible to store a table of indirect
+descriptors anywhere in memory, and insert a descriptor in main
+virtqueue (with flags&INDIRECT on) that refers to memory buffer
+containing this indirect descriptor table; fields addr and len
+refer to the indirect table address and length in bytes,
+respectively. The indirect table layout structure looks like this
+(len is the length of the descriptor that refers to this table,
+which is a variable, so this code won't compile):
+struct indirect_descriptor_table {
+    /* The actual descriptors (16 bytes each) */
+    struct vring_desc desc[len / 16];
+};
+The first indirect descriptor is located at start of the indirect
+descriptor table (index 0), additional indirect descriptors are
+chained by next field. An indirect descriptor without next field
+(with flags&NEXT off) signals the end of the indirect descriptor
+table, and transfers control back to the main virtqueue. An
+indirect descriptor can not refer to another indirect descriptor
+table (flags&INDIRECT must be off). A single indirect descriptor
+table can include both read-only and write-only descriptors;
+write-only flag (flags&WRITE) in the descriptor that refers to it
+is ignored.
+  Available Ring
+The available ring refers to what descriptors we are offering the
+device: it refers to the head of a descriptor chain. The “flags”
+field is currently 0 or 1: 1 indicating that we do not need an
+interrupt when the device consumes a descriptor from the
+available ring. Alternatively, the guest can ask the device to
+delay interrupts until an entry with an index specified by the “
+used_event” field is written in the used ring (equivalently,
+until the idx field in the used ring will reach the value
+used_event + 1). The method employed by the device is controlled
+by the VIRTIO_RING_F_EVENT_IDX feature bit (see [cha:Reserved-Feature-Bits]
+). This interrupt suppression is merely an optimization; it may
+not suppress interrupts entirely.
+The “idx” field indicates where we would put the next descriptor
+entry (modulo the ring size). This starts at 0, and increases.
+struct vring_avail {
+#define VRING_AVAIL_F_NO_INTERRUPT      1
+   u16 flags;
+   u16 idx;
+   u16 ring[qsz]; /* qsz is the Queue Size field read from device
+*/
+   u16 used_event;
+};
+  Used Ring
+The used ring is where the device returns buffers once it is done
+with them. The flags field can be used by the device to hint that
+no notification is necessary when the guest adds to the available
+ring. Alternatively, the “avail_event” field can be used by the
+device to hint that no notification is necessary until an entry
+with an index specified by the “avail_event” is written in the
+available ring (equivalently, until the idx field in the
+available ring will reach the value avail_event + 1). The method
+employed by the device is controlled by the guest through the
+VIRTIO_RING_F_EVENT_IDX feature bit (see [cha:Reserved-Feature-Bits]
+). [footnote:
+These fields are kept here because this is the only part of the
+virtqueue written by the device
+].
+Each entry in the ring is a pair: the head entry of the
+descriptor chain describing the buffer (this matches an entry
+placed in the available ring by the guest earlier), and the total
+of bytes written into the buffer. The latter is extremely useful
+for guests using untrusted buffers: if you do not know exactly
+how much has been written by the device, you usually have to zero
+the buffer to ensure no data leakage occurs.
+/* u32 is used here for ids for padding reasons. */
+struct vring_used_elem {
+    /* Index of start of used descriptor chain. */
+    u32 id;
+    /* Total length of the descriptor chain which was used
+(written to) */
+    u32 len;
+};
+struct vring_used {
+#define VRING_USED_F_NO_NOTIFY  1
+    u16 flags;
+    u16 idx;
+    struct vring_used_elem ring[qsz];
+    u16 avail_event;
+};
+  Helpers for Managing Virtqueues
+The Linux Kernel Source code contains the definitions above and
+helper routines in a more usable form, in
+include/linux/virtio_ring.h. This was explicitly licensed by IBM
+and Red Hat under the (3-clause) BSD license so that it can be
+freely used by all other projects, and is reproduced (with slight
+variation to remove Linux assumptions) in Appendix A.
+  Device Operation
+There are two parts to device operation: supplying new buffers to
+the device, and processing used buffers from the device. As an
+example, the virtio network device has two virtqueues: the
+transmit virtqueue and the receive virtqueue. The driver adds
+outgoing (read-only) packets to the transmit virtqueue, and then
+frees them after they are used. Similarly, incoming (write-only)
+buffers are added to the receive virtqueue, and processed after
+they are used.
+  Supplying Buffers to The Device
+Actual transfer of buffers from the guest OS to the device
+operates as follows:
+  Place the buffer(s) into free descriptor(s).
+  If there are no free descriptors, the guest may choose to
+    notify the device even if notifications are suppressed (to
+    reduce latency).[footnote:
+The Linux drivers do this only for read-only buffers: for
+write-only buffers, it is assumed that the driver is merely
+trying to keep the receive buffer ring full, and no notification
+of this expected condition is necessary.
+]
+  Place the id of the buffer in the next ring entry of the
+  available ring.
+  The steps (1) and (2) may be performed repeatedly if batching
+  is possible.
+  A memory barrier should be executed to ensure the device sees
+  the updated descriptor table and available ring before the next
+  step.
+  The available “idx” field should be increased by the number of
+  entries added to the available ring.
+  A memory barrier should be executed to ensure that we update
+  the idx field before checking for notification suppression.
+  If notifications are not suppressed, the device should be
+  notified of the new buffers.
+Note that the above code does not take precautions against the
+available ring buffer wrapping around: this is not possible since
+the ring buffer is the same size as the descriptor table, so step
+(1) will prevent such a condition.
+In addition, the maximum queue size is 32768 (it must be a power
+of 2 which fits in 16 bits), so the 16-bit “idx” value can always
+distinguish between a full and empty buffer.
+Here is a description of each stage in more detail.
+  Placing Buffers Into The Descriptor Table
+A buffer consists of zero or more read-only physically-contiguous
+elements followed by zero or more physically-contiguous
+write-only elements (it must have at least one element). This
+algorithm maps it into the descriptor table:
+  for each buffer element, b:
+  Get the next free descriptor table entry, d
+  Set d.addr to the physical address of the start of b
+  Set d.len to the length of b.
+  If b is write-only, set d.flags to VRING_DESC_F_WRITE,
+    otherwise 0.
+  If there is a buffer element after this:
+    Set d.next to the index of the next free descriptor element.
+    Set the VRING_DESC_F_NEXT bit in d.flags.
+In practice, the d.next fields are usually used to chain free
+descriptors, and a separate count kept to check there are enough
+free descriptors before beginning the mappings.
+  Updating The Available Ring
+The head of the buffer we mapped is the first d in the algorithm
+above. A naive implementation would do the following:
+avail->ring[avail->idx % qsz] = head;
+However, in general we can add many descriptors before we update
+the “idx” field (at which point they become visible to the
+device), so we keep a counter of how many we've added:
+avail->ring[(avail->idx + added++) % qsz] = head;
+  Updating The Index Field
+Once the idx field of the virtqueue is updated, the device will
+be able to access the descriptor entries we've created and the
+memory they refer to. This is why a memory barrier is generally
+used before the idx update, to ensure it sees the most up-to-date
+copy.
+The idx field always increments, and we let it wrap naturally at
+65536:
+avail->idx += added;
+  <sub:Notifying-The-Device>Notifying The Device
+Device notification occurs by writing the 16-bit virtqueue index
+of this virtqueue to the Queue Notify field of the virtio header
+in the first I/O region of the PCI device. This can be expensive,
+however, so the device can suppress such notifications if it
+doesn't need them. We have to be careful to expose the new idx
+value before checking the suppression flag: it's OK to notify
+gratuitously, but not to omit a required notification. So again,
+we use a memory barrier here before reading the flags or the
+avail_event field.
+If the VIRTIO_F_RING_EVENT_IDX feature is not negotiated, and if
+the VRING_USED_F_NOTIFY flag is not set, we go ahead and write to
+the PCI configuration space.
+If the VIRTIO_F_RING_EVENT_IDX feature is negotiated, we read the
+avail_event field in the available ring structure. If the
+available index crossed_the avail_event field value since the
+last notification, we go ahead and write to the PCI configuration
+space. The avail_event field wraps naturally at 65536 as well:
+(u16)(new_idx - avail_event - 1) < (u16)(new_idx - old_idx)
+  <sub:Receiving-Used-Buffers>Receiving Used Buffers From The
+  Device
+Once the device has used a buffer (read from or written to it, or
+parts of both, depending on the nature of the virtqueue and the
+device), it sends an interrupt, following an algorithm very
+similar to the algorithm used for the driver to send the device a
+buffer:
+  Write the head descriptor number to the next field in the used
+  ring.
+  Update the used ring idx.
+  Determine whether an interrupt is necessary:
+  If the VIRTIO_F_RING_EVENT_IDX feature is not negotiated: check
+    if f the VRING_AVAIL_F_NO_INTERRUPT flag is not set in avail-
+    >flags
+  If the VIRTIO_F_RING_EVENT_IDX feature is negotiated: check
+    whether the used index crossed the used_event field value
+    since the last update. The used_event field wraps naturally
+    at 65536 as well:(u16)(new_idx - used_event - 1) < (u16)(new_idx - old_idx)
+  If an interrupt is necessary:
+  If MSI-X capability is disabled:
+    Set the lower bit of the ISR Status field for the device.
+    Send the appropriate PCI interrupt for the device.
+  If MSI-X capability is enabled:
+    Request the appropriate MSI-X interrupt message for the
+      device, Queue Vector field sets the MSI-X Table entry
+      number.
+    If Queue Vector field value is NO_VECTOR, no interrupt
+      message is requested for this event.
+The guest interrupt handler should:
+  If MSI-X capability is disabled: read the ISR Status field,
+  which will reset it to zero. If the lower bit is zero, the
+  interrupt was not for this device. Otherwise, the guest driver
+  should look through the used rings of each virtqueue for the
+  device, to see if any progress has been made by the device
+  which requires servicing.
+  If MSI-X capability is enabled: look through the used rings of
+  each virtqueue mapped to the specific MSI-X vector for the
+  device, to see if any progress has been made by the device
+  which requires servicing.
+For each ring, guest should then disable interrupts by writing
+VRING_AVAIL_F_NO_INTERRUPT flag in avail structure, if required.
+It can then process used ring entries finally enabling interrupts
+by clearing the VRING_AVAIL_F_NO_INTERRUPT flag or updating the
+EVENT_IDX field in the available structure, Guest should then
+execute a memory barrier, and then recheck the ring empty
+condition. This is necessary to handle the case where, after the
+last check and before enabling interrupts, an interrupt has been
+suppressed by the device:
+vring_disable_interrupts(vq);
+for (;;) {
+    if (vq->last_seen_used != vring->used.idx) {
+                vring_enable_interrupts(vq);
+                mb();
+                if (vq->last_seen_used != vring->used.idx)
+                        break;
+    }
+    struct vring_used_elem *e =
+vring.used->ring[vq->last_seen_used%vsz];
+    process_buffer(e);
+    vq->last_seen_used++;
+}
+  Dealing With Configuration Changes
+Some virtio PCI devices can change the device configuration
+state, as reflected in the virtio header in the PCI configuration
+space. In this case:
+  If MSI-X capability is disabled: an interrupt is delivered and
+  the second highest bit is set in the ISR Status field to
+  indicate that the driver should re-examine the configuration
+  space.Note that a single interrupt can indicate both that one
+  or more virtqueue has been used and that the configuration
+  space has changed: even if the config bit is set, virtqueues
+  must be scanned.
+  If MSI-X capability is enabled: an interrupt message is
+  requested. The Configuration Vector field sets the MSI-X Table
+  entry number to use. If Configuration Vector field value is
+  NO_VECTOR, no interrupt message is requested for this event.
+Creating New Device Types
+Various considerations are necessary when creating a new device
+type:
+  How Many Virtqueues?
+It is possible that a very simple device will operate entirely
+through its configuration space, but most will need at least one
+virtqueue in which it will place requests. A device with both
+input and output (eg. console and network devices described here)
+need two queues: one which the driver fills with buffers to
+receive input, and one which the driver places buffers to
+transmit output.
+  What Configuration Space Layout?
+Configuration space is generally used for rarely-changing or
+initialization-time parameters. But it is a limited resource, so
+it might be better to use a virtqueue to update configuration
+information (the network device does this for filtering,
+otherwise the table in the config space could potentially be very
+large).
+Note that this space is generally the guest's native endian,
+rather than PCI's little-endian.
+  What Device Number?
+Currently device numbers are assigned quite freely: a simple
+request mail to the author of this document or the Linux
+virtualization mailing list[footnote:
+https://lists.linux-foundation.org/mailman/listinfo/virtualization
+] will be sufficient to secure a unique one.
+Meanwhile for experimental drivers, use 65535 and work backwards.
+  How many MSI-X vectors?
+Using the optional MSI-X capability devices can speed up
+interrupt processing by removing the need to read ISR Status
+register by guest driver (which might be an expensive operation),
+reducing interrupt sharing between devices and queues within the
+device, and handling interrupts from multiple CPUs. However, some
+systems impose a limit (which might be as low as 256) on the
+total number of MSI-X vectors that can be allocated to all
+devices. Devices and/or device drivers should take this into
+account, limiting the number of vectors used unless the device is
+expected to cause a high volume of interrupts. Devices can
+control the number of vectors used by limiting the MSI-X Table
+Size or not presenting MSI-X capability in PCI configuration
+space. Drivers can control this by mapping events to as small
+number of vectors as possible, or disabling MSI-X capability
+altogether.
+  Message Framing
+The descriptors used for a buffer should not effect the semantics
+of the message, except for the total length of the buffer. For
+example, a network buffer consists of a 10 byte header followed
+by the network packet. Whether this is presented in the ring
+descriptor chain as (say) a 10 byte buffer and a 1514 byte
+buffer, or a single 1524 byte buffer, or even three buffers,
+should have no effect.
+In particular, no implementation should use the descriptor
+boundaries to determine the size of any header in a request.[footnote:
+The current qemu device implementations mistakenly insist that
+the first descriptor cover the header in these cases exactly, so
+a cautious driver should arrange it so.
+]
+  Device Improvements
+Any change to configuration space, or new virtqueues, or
+behavioural changes, should be indicated by negotiation of a new
+feature bit. This establishes clarity[footnote:
+Even if it does mean documenting design or implementation
+mistakes!
+] and avoids future expansion problems.
+Clusters of functionality which are always implemented together
+can use a single bit, but if one feature makes sense without the
+others they should not be gratuitously grouped together to
+conserve feature bits. We can always extend the spec when the
+first person needs more than 24 feature bits for their device.
+[LaTeX Command: printnomenclature]
+Appendix A: virtio_ring.h
+#ifndef VIRTIO_RING_H
+#define VIRTIO_RING_H
+/* An interface for efficient virtio implementation.
+ *
+ * This header is BSD licensed so anyone can use the definitions
+ * to implement compatible drivers/servers.
+ *
+ * Copyright 2007, 2009, IBM Corporation
+ * Copyright 2011, Red Hat, Inc
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or
+without
+ * modification, are permitted provided that the following
+conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above
+copyright
+ *    notice, this list of conditions and the following
+disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+copyright
+ *    notice, this list of conditions and the following
+disclaimer in the
+ *    documentation and/or other materials provided with the
+distribution.
+ * 3. Neither the name of IBM nor the names of its contributors
+ *    may be used to endorse or promote products derived from
+this software
+ *    without specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL IBM OR CONTRIBUTORS BE
+LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+/* This marks a buffer as continuing via the next field. */
+#define VRING_DESC_F_NEXT       1
+/* This marks a buffer as write-only (otherwise read-only). */
+#define VRING_DESC_F_WRITE      2
+/* The Host uses this in used->flags to advise the Guest: don't
+kick me
+ * when you add a buffer.  It's unreliable, so it's simply an
+ * optimization.  Guest will still kick if it's out of buffers.
+*/
+#define VRING_USED_F_NO_NOTIFY  1
+/* The Guest uses this in avail->flags to advise the Host: don't
+ * interrupt me when you consume a buffer.  It's unreliable, so
+it's
+ * simply an optimization.  */
+#define VRING_AVAIL_F_NO_INTERRUPT      1
+/* Virtio ring descriptors: 16 bytes.
+ * These can chain together via "next". */
+struct vring_desc {
+        /* Address (guest-physical). */
+        uint64_t addr;
+        /* Length. */
+        uint32_t len;
+        /* The flags as indicated above. */
+        uint16_t flags;
+        /* We chain unused descriptors via this, too */
+        uint16_t next;
+};
+struct vring_avail {
+        uint16_t flags;
+        uint16_t idx;
+        uint16_t ring[];
+        uint16_t used_event;
+};
+/* u32 is used here for ids for padding reasons. */
+struct vring_used_elem {
+        /* Index of start of used descriptor chain. */
+        uint32_t id;
+        /* Total length of the descriptor chain which was written
+to. */
+        uint32_t len;
+};
+struct vring_used {
+        uint16_t flags;
+        uint16_t idx;
+        struct vring_used_elem ring[];
+        uint16_t avail_event;
+};
+struct vring {
+        unsigned int num;
+        struct vring_desc *desc;
+        struct vring_avail *avail;
+        struct vring_used *used;
+};
+/* The standard layout for the ring is a continuous chunk of
+memory which
+ * looks like this.  We assume num is a power of 2.
+ *
+ * struct vring {
+ *      // The actual descriptors (16 bytes each)
+ *      struct vring_desc desc[num];
+ *
+ *      // A ring of available descriptor heads with free-running
+index.
+ *      __u16 avail_flags;
+ *      __u16 avail_idx;
+ *      __u16 available[num];
+ *
+ *      // Padding to the next align boundary.
+ *      char pad[];
+ *
+ *      // A ring of used descriptor heads with free-running
+index.
+ *      __u16 used_flags;
+ *      __u16 EVENT_IDX;
+ *      struct vring_used_elem used[num];
+ * };
+ * Note: for virtio PCI, align is 4096.
+ */
+static inline void vring_init(struct vring *vr, unsigned int num,
+void *p,
+                              unsigned long align)
+{
+        vr->num = num;
+        vr->desc = p;
+        vr->avail = p + num*sizeof(struct vring_desc);
+        vr->used = (void *)(((unsigned long)&vr->avail->ring[num]
+                              + align-1)
+                            & ~(align - 1));
+}
+static inline unsigned vring_size(unsigned int num, unsigned long
+align)
+{
+        return ((sizeof(struct vring_desc)*num +
+sizeof(uint16_t)*(2+num)
+                 + align - 1) & ~(align - 1))
+                + sizeof(uint16_t)*3 + sizeof(struct
+vring_used_elem)*num;
+}
+static inline int vring_need_event(uint16_t event_idx, uint16_t
+new_idx, uint16_t old_idx)
+{
+         return (uint16_t)(new_idx - event_idx - 1) <
+(uint16_t)(new_idx - old_idx);
+}
+#endif /* VIRTIO_RING_H */
+<cha:Reserved-Feature-Bits>Appendix B: Reserved Feature Bits
+Currently there are five device-independent feature bits defined:
+  VIRTIO_F_NOTIFY_ON_EMPTY (24) Negotiating this feature
+  indicates that the driver wants an interrupt if the device runs
+  out of available descriptors on a virtqueue, even though
+  interrupts are suppressed using the VRING_AVAIL_F_NO_INTERRUPT
+  flag or the used_event field. An example of this is the
+  networking driver: it doesn't need to know every time a packet
+  is transmitted, but it does need to free the transmitted
+  packets a finite time after they are transmitted. It can avoid
+  using a timer if the device interrupts it when all the packets
+  are transmitted.
+  VIRTIO_F_RING_INDIRECT_DESC (28) Negotiating this feature
+  indicates that the driver can use descriptors with the
+  VRING_DESC_F_INDIRECT flag set, as described in [sub:Indirect-Descriptors]
+  .
+  VIRTIO_F_RING_EVENT_IDX(29) This feature enables the used_event
+  and the avail_event fields. If set, it indicates that the
+  device should ignore the flags field in the available ring
+  structure. Instead, the used_event field in this structure is
+  used by guest to suppress device interrupts. Further, the
+  driver should ignore the flags field in the used ring
+  structure. Instead, the avail_event field in this structure is
+  used by the device to suppress notifications. If unset, the
+  driver should ignore the used_event field; the device should
+  ignore the avail_event field; the flags field is used
+  VIRTIO_F_BAD_FEATURE(30) This feature should never be
+  negotiated by the guest; doing so is an indication that the
+  guest is faulty[footnote:
+An experimental virtio PCI driver contained in Linux version
+2.6.25 had this problem, and this feature bit can be used to
+detect it.
+]
+  VIRTIO_F_FEATURES_HIGH(31) This feature indicates that the
+  device supports feature bits 32:63. If unset, feature bits
+  32:63 are unset.
+Appendix C: Network Device
+The virtio network device is a virtual ethernet card, and is the
+most complex of the devices supported so far by virtio. It has
+enhanced rapidly and demonstrates clearly how support for new
+features should be added to an existing device. Empty buffers are
+placed in one virtqueue for receiving packets, and outgoing
+packets are enqueued into another for transmission in that order.
+A third command queue is used to control advanced filtering
+features.
+  Configuration
+  Subsystem Device ID 1
+  Virtqueues 0:receiveq. 1:transmitq. 2:controlq[footnote:
+Only if VIRTIO_NET_F_CTRL_VQ set
+]
+  Feature bits
+  VIRTIO_NET_F_CSUM (0) Device handles packets with partial
+    checksum
+  VIRTIO_NET_F_GUEST_CSUM (1) Guest handles packets with partial
+    checksum
+  VIRTIO_NET_F_MAC (5) Device has given MAC address.
+  VIRTIO_NET_F_GSO (6) (Deprecated) device handles packets with
+    any GSO type.[footnote:
+It was supposed to indicate segmentation offload support, but
+upon further investigation it became clear that multiple bits
+were required.
+]
+  VIRTIO_NET_F_GUEST_TSO4 (7) Guest can receive TSOv4.
+  VIRTIO_NET_F_GUEST_TSO6 (8) Guest can receive TSOv6.
+  VIRTIO_NET_F_GUEST_ECN (9) Guest can receive TSO with ECN.
+  VIRTIO_NET_F_GUEST_UFO (10) Guest can receive UFO.
+  VIRTIO_NET_F_HOST_TSO4 (11) Device can receive TSOv4.
+  VIRTIO_NET_F_HOST_TSO6 (12) Device can receive TSOv6.
+  VIRTIO_NET_F_HOST_ECN (13) Device can receive TSO with ECN.
+  VIRTIO_NET_F_HOST_UFO (14) Device can receive UFO.
+  VIRTIO_NET_F_MRG_RXBUF (15) Guest can merge receive buffers.
+  VIRTIO_NET_F_STATUS (16) Configuration status field is
+    available.
+  VIRTIO_NET_F_CTRL_VQ (17) Control channel is available.
+  VIRTIO_NET_F_CTRL_RX (18) Control channel RX mode support.
+  VIRTIO_NET_F_CTRL_VLAN (19) Control channel VLAN filtering.
+  Device configuration layout Two configuration fields are
+  currently defined. The mac address field always exists (though
+  is only valid if VIRTIO_NET_F_MAC is set), and the status field
+  only exists if VIRTIO_NET_F_STATUS is set. Only one bit is
+  currently defined for the status field: VIRTIO_NET_S_LINK_UP. #define VIRTIO_NET_S_LINK_UP    1
+struct virtio_net_config {
+    u8 mac[6];
+    u16 status;
+};
+  Device Initialization
+  The initialization routine should identify the receive and
+  transmission virtqueues.
+  If the VIRTIO_NET_F_MAC feature bit is set, the configuration
+  space “mac” entry indicates the “physical” address of the the
+  network card, otherwise a private MAC address should be
+  assigned. All guests are expected to negotiate this feature if
+  it is set.
+  If the VIRTIO_NET_F_CTRL_VQ feature bit is negotiated, identify
+  the control virtqueue.
+  If the VIRTIO_NET_F_STATUS feature bit is negotiated, the link
+  status can be read from the bottom bit of the “status” config
+  field. Otherwise, the link should be assumed active.
+  The receive virtqueue should be filled with receive buffers.
+  This is described in detail below in “Setting Up Receive
+  Buffers”.
+  A driver can indicate that it will generate checksumless
+  packets by negotating the VIRTIO_NET_F_CSUM feature. This “
+  checksum offload” is a common feature on modern network cards.
+  If that feature is negotiated, a driver can use TCP or UDP
+  segmentation offload by negotiating the VIRTIO_NET_F_HOST_TSO4
+  (IPv4 TCP), VIRTIO_NET_F_HOST_TSO6 (IPv6 TCP) and
+  VIRTIO_NET_F_HOST_UFO (UDP fragmentation) features. It should
+  not send TCP packets requiring segmentation offload which have
+  the Explicit Congestion Notification bit set, unless the
+  VIRTIO_NET_F_HOST_ECN feature is negotiated.[footnote:
+This is a common restriction in real, older network cards.
+]
+  The converse features are also available: a driver can save the
+  virtual device some work by negotiating these features.[footnote:
+For example, a network packet transported between two guests on
+the same system may not require checksumming at all, nor
+segmentation, if both guests are amenable.
+] The VIRTIO_NET_F_GUEST_CSUM feature indicates that partially
+  checksummed packets can be received, and if it can do that then
+  the VIRTIO_NET_F_GUEST_TSO4, VIRTIO_NET_F_GUEST_TSO6,
+  VIRTIO_NET_F_GUEST_UFO and VIRTIO_NET_F_GUEST_ECN are the input
+  equivalents of the features described above. See “Receiving
+  Packets” below.
+  Device Operation
+Packets are transmitted by placing them in the transmitq, and
+buffers for incoming packets are placed in the receiveq. In each
+case, the packet itself is preceeded by a header:
+struct virtio_net_hdr {
+#define VIRTIO_NET_HDR_F_NEEDS_CSUM    1
+        u8 flags;
+#define VIRTIO_NET_HDR_GSO_NONE        0
+#define VIRTIO_NET_HDR_GSO_TCPV4       1
+#define VIRTIO_NET_HDR_GSO_UDP           3
+#define VIRTIO_NET_HDR_GSO_TCPV6       4
+#define VIRTIO_NET_HDR_GSO_ECN      0x80
+        u8 gso_type;
+        u16 hdr_len;
+        u16 gso_size;
+        u16 csum_start;
+        u16 csum_offset;
+/* Only if VIRTIO_NET_F_MRG_RXBUF: */
+        u16 num_buffers
+};
+The controlq is used to control device features such as
+filtering.
+  Packet Transmission
+Transmitting a single packet is simple, but varies depending on
+the different features the driver negotiated.
+  If the driver negotiated VIRTIO_NET_F_CSUM, and the packet has
+  not been fully checksummed, then the virtio_net_hdr's fields
+  are set as follows. Otherwise, the packet must be fully
+  checksummed, and flags is zero.
+  flags has the VIRTIO_NET_HDR_F_NEEDS_CSUM set,
+  <ite:csum_start-is-set>csum_start is set to the offset within
+    the packet to begin checksumming, and
+  csum_offset indicates how many bytes after the csum_start the
+    new (16 bit ones' complement) checksum should be placed.[footnote:
+For example, consider a partially checksummed TCP (IPv4) packet.
+It will have a 14 byte ethernet header and 20 byte IP header
+followed by the TCP header (with the TCP checksum field 16 bytes
+into that header). csum_start will be 14+20 = 34 (the TCP
+checksum includes the header), and csum_offset will be 16. The
+value in the TCP checksum field will be the sum of the TCP pseudo
+header, so that replacing it by the ones' complement checksum of
+the TCP header and body will give the correct result.
+]
+  <enu:If-the-driver>If the driver negotiated
+  VIRTIO_NET_F_HOST_TSO4, TSO6 or UFO, and the packet requires
+  TCP segmentation or UDP fragmentation, then the “gso_type”
+  field is set to VIRTIO_NET_HDR_GSO_TCPV4, TCPV6 or UDP.
+  (Otherwise, it is set to VIRTIO_NET_HDR_GSO_NONE). In this
+  case, packets larger than 1514 bytes can be transmitted: the
+  metadata indicates how to replicate the packet header to cut it
+  into smaller packets. The other gso fields are set:
+  hdr_len is a hint to the device as to how much of the header
+    needs to be kept to copy into each packet, usually set to the
+    length of the headers, including the transport header.[footnote:
+Due to various bugs in implementations, this field is not useful
+as a guarantee of the transport header size.
+]
+  gso_size is the size of the packet beyond that header (ie.
+    MSS).
+  If the driver negotiated the VIRTIO_NET_F_HOST_ECN feature, the
+    VIRTIO_NET_HDR_GSO_ECN bit may be set in “gso_type” as well,
+    indicating that the TCP packet has the ECN bit set.[footnote:
+This case is not handled by some older hardware, so is called out
+specifically in the protocol.
+]
+  If the driver negotiated the VIRTIO_NET_F_MRG_RXBUF feature,
+  the num_buffers field is set to zero.
+  The header and packet are added as one output buffer to the
+  transmitq, and the device is notified of the new entry (see [sub:Notifying-The-Device]
+  ).[footnote:
+Note that the header will be two bytes longer for the
+VIRTIO_NET_F_MRG_RXBUF case.
+]
+  Packet Transmission Interrupt
+Often a driver will suppress transmission interrupts using the
+VRING_AVAIL_F_NO_INTERRUPT flag (see [sub:Receiving-Used-Buffers]
+) and check for used packets in the transmit path of following
+packets. However, it will still receive interrupts if the
+VIRTIO_F_NOTIFY_ON_EMPTY feature is negotiated, indicating that
+the transmission queue is completely emptied.
+The normal behavior in this interrupt handler is to retrieve and
+new descriptors from the used ring and free the corresponding
+headers and packets.
+  Setting Up Receive Buffers
+It is generally a good idea to keep the receive virtqueue as
+fully populated as possible: if it runs out, network performance
+will suffer.
+If the VIRTIO_NET_F_GUEST_TSO4, VIRTIO_NET_F_GUEST_TSO6 or
+VIRTIO_NET_F_GUEST_UFO features are used, the Guest will need to
+accept packets of up to 65550 bytes long (the maximum size of a
+TCP or UDP packet, plus the 14 byte ethernet header), otherwise
+1514 bytes. So unless VIRTIO_NET_F_MRG_RXBUF is negotiated, every
+buffer in the receive queue needs to be at least this length [footnote:
+Obviously each one can be split across multiple descriptor
+elements.
+].
+If VIRTIO_NET_F_MRG_RXBUF is negotiated, each buffer must be at
+least the size of the struct virtio_net_hdr.
+  Packet Receive Interrupt
+When a packet is copied into a buffer in the receiveq, the
+optimal path is to disable further interrupts for the receiveq
+(see [sub:Receiving-Used-Buffers]) and process packets until no
+more are found, then re-enable them.
+Processing packet involves:
+  If the driver negotiated the VIRTIO_NET_F_MRG_RXBUF feature,
+  then the “num_buffers” field indicates how many descriptors
+  this packet is spread over (including this one). This allows
+  receipt of large packets without having to allocate large
+  buffers. In this case, there will be at least “num_buffers” in
+  the used ring, and they should be chained together to form a
+  single packet. The other buffers will not begin with a struct
+  virtio_net_hdr.
+  If the VIRTIO_NET_F_MRG_RXBUF feature was not negotiated, or
+  the “num_buffers” field is one, then the entire packet will be
+  contained within this buffer, immediately following the struct
+  virtio_net_hdr.
+  If the VIRTIO_NET_F_GUEST_CSUM feature was negotiated, the
+  VIRTIO_NET_HDR_F_NEEDS_CSUM bit in the “flags” field may be
+  set: if so, the checksum on the packet is incomplete and the “
+  csum_start” and “csum_offset” fields indicate how to calculate
+  it (see [ite:csum_start-is-set]).
+  If the VIRTIO_NET_F_GUEST_TSO4, TSO6 or UFO options were
+  negotiated, then the “gso_type” may be something other than
+  VIRTIO_NET_HDR_GSO_NONE, and the “gso_size” field indicates the
+  desired MSS (see [enu:If-the-driver]).Control Virtqueue
+The driver uses the control virtqueue (if VIRTIO_NET_F_VTRL_VQ is
+negotiated) to send commands to manipulate various features of
+the device which would not easily map into the configuration
+space.
+All commands are of the following form:
+struct virtio_net_ctrl {
+        u8 class;
+        u8 command;
+        u8 command-specific-data[];
+        u8 ack;
+};
+/* ack values */
+#define VIRTIO_NET_OK     0
+#define VIRTIO_NET_ERR    1
+The class, command and command-specific-data are set by the
+driver, and the device sets the ack byte. There is little it can
+do except issue a diagnostic if the ack byte is not
+VIRTIO_NET_OK.
+  Packet Receive Filtering
+If the VIRTIO_NET_F_CTRL_RX feature is negotiated, the driver can
+send control commands for promiscuous mode, multicast receiving,
+and filtering of MAC addresses.
+Note that in general, these commands are best-effort: unwanted
+packets may still arrive.
+  Setting Promiscuous Mode
+#define VIRTIO_NET_CTRL_RX    0
+ #define VIRTIO_NET_CTRL_RX_PROMISC      0
+ #define VIRTIO_NET_CTRL_RX_ALLMULTI     1
+The class VIRTIO_NET_CTRL_RX has two commands:
+VIRTIO_NET_CTRL_RX_PROMISC turns promiscuous mode on and off, and
+VIRTIO_NET_CTRL_RX_ALLMULTI turns all-multicast receive on and
+off. The command-specific-data is one byte containing 0 (off) or
+1 (on).
+  Setting MAC Address Filtering
+struct virtio_net_ctrl_mac {
+        u32 entries;
+        u8 macs[entries][ETH_ALEN];
+};
+#define VIRTIO_NET_CTRL_MAC    1
+ #define VIRTIO_NET_CTRL_MAC_TABLE_SET        0
+The device can filter incoming packets by any number of
+destination MAC addresses.[footnote:
+Since there are no guarentees, it can use a hash filter
+orsilently switch to allmulti or promiscuous mode if it is given
+too many addresses.
+] This table is set using the class VIRTIO_NET_CTRL_MAC and the
+command VIRTIO_NET_CTRL_MAC_TABLE_SET. The command-specific-data
+is two variable length tables of 6-byte MAC addresses. The first
+table contains unicast addresses, and the second contains
+multicast addresses.
+  VLAN Filtering
+If the driver negotiates the VIRTION_NET_F_CTRL_VLAN feature, it
+can control a VLAN filter table in the device.
+#define VIRTIO_NET_CTRL_VLAN       2
+ #define VIRTIO_NET_CTRL_VLAN_ADD             0
+ #define VIRTIO_NET_CTRL_VLAN_DEL             1
+Both the VIRTIO_NET_CTRL_VLAN_ADD and VIRTIO_NET_CTRL_VLAN_DEL
+command take a 16-bit VLAN id as the command-specific-data.
+Appendix D: Block Device
+The virtio block device is a simple virtual block device (ie.
+disk). Read and write requests (and other exotic requests) are
+placed in the queue, and serviced (probably out of order) by the
+device except where noted.
+  Configuration
+  Subsystem Device ID 2
+  Virtqueues 0:requestq.
+  Feature bits
+  VIRTIO_BLK_F_BARRIER (0) Host supports request barriers.
+  VIRTIO_BLK_F_SIZE_MAX (1) Maximum size of any single segment is
+    in “size_max”.
+  VIRTIO_BLK_F_SEG_MAX (2) Maximum number of segments in a
+    request is in “seg_max”.
+  VIRTIO_BLK_F_GEOMETRY (4) Disk-style geometry specified in “
+    geometry”.
+  VIRTIO_BLK_F_RO (5) Device is read-only.
+  VIRTIO_BLK_F_BLK_SIZE (6) Block size of disk is in “blk_size”.
+  VIRTIO_BLK_F_SCSI (7) Device supports scsi packet commands.
+  VIRTIO_BLK_F_FLUSH (9) Cache flush command support.
+  Device configuration layout The capacity of the device
+  (expressed in 512-byte sectors) is always present. The
+  availability of the others all depend on various feature bits
+  as indicated above. struct virtio_blk_config {
+        u64 capacity;
+        u32 size_max;
+        u32 seg_max;
+        struct virtio_blk_geometry {
+                u16 cylinders;
+                u8 heads;
+                u8 sectors;
+        } geometry;
+        u32 blk_size;
+};
+  Device Initialization
+  The device size should be read from the “capacity”
+  configuration field. No requests should be submitted which goes
+  beyond this limit.
+  If the VIRTIO_BLK_F_BLK_SIZE feature is negotiated, the
+  blk_size field can be read to determine the optimal sector size
+  for the driver to use. This does not effect the units used in
+  the protocol (always 512 bytes), but awareness of the correct
+  value can effect performance.
+  If the VIRTIO_BLK_F_RO feature is set by the device, any write
+  requests will fail.
+  Device Operation
+The driver queues requests to the virtqueue, and they are used by
+the device (not necessarily in order). Each request is of form:
+struct virtio_blk_req {
+        u32 type;
+        u32 ioprio;
+        u64 sector;
+        char data[][512];
+        u8 status;
+};
+If the device has VIRTIO_BLK_F_SCSI feature, it can also support
+scsi packet command requests, each of these requests is of form:struct virtio_scsi_pc_req {
+        u32 type;
+        u32 ioprio;
+        u64 sector;
+    char cmd[];
+        char data[][512];
+#define SCSI_SENSE_BUFFERSIZE   96
+    u8 sense[SCSI_SENSE_BUFFERSIZE];
+    u32 errors;
+    u32 data_len;
+    u32 sense_len;
+    u32 residual;
+        u8 status;
+};
+The type of the request is either a read (VIRTIO_BLK_T_IN), a
+write (VIRTIO_BLK_T_OUT), a scsi packet command
+(VIRTIO_BLK_T_SCSI_CMD or VIRTIO_BLK_T_SCSI_CMD_OUT[footnote:
+the SCSI_CMD and SCSI_CMD_OUT types are equivalent, the device
+does not distinguish between them
+]) or a flush (VIRTIO_BLK_T_FLUSH or VIRTIO_BLK_T_FLUSH_OUT[footnote:
+the FLUSH and FLUSH_OUT types are equivalent, the device does not
+distinguish between them
+]). If the device has VIRTIO_BLK_F_BARRIER feature the high bit
+(VIRTIO_BLK_T_BARRIER) indicates that this request acts as a
+barrier and that all preceeding requests must be complete before
+this one, and all following requests must not be started until
+this is complete. Note that a barrier does not flush caches in
+the underlying backend device in host, and thus does not serve as
+data consistency guarantee. Driver must use FLUSH request to
+flush the host cache.
+#define VIRTIO_BLK_T_IN           0
+#define VIRTIO_BLK_T_OUT          1
+#define VIRTIO_BLK_T_SCSI_CMD     2
+#define VIRTIO_BLK_T_SCSI_CMD_OUT 3
+#define VIRTIO_BLK_T_FLUSH        4
+#define VIRTIO_BLK_T_FLUSH_OUT    5
+#define VIRTIO_BLK_T_BARRIER     0x80000000
+The ioprio field is a hint about the relative priorities of
+requests to the device: higher numbers indicate more important
+requests.
+The sector number indicates the offset (multiplied by 512) where
+the read or write is to occur. This field is unused and set to 0
+for scsi packet commands and for flush commands.
+The cmd field is only present for scsi packet command requests,
+and indicates the command to perform. This field must reside in a
+single, separate read-only buffer; command length can be derived
+from the length of this buffer.
+Note that these first three (four for scsi packet commands)
+fields are always read-only: the data field is either read-only
+or write-only, depending on the request. The size of the read or
+write can be derived from the total size of the request buffers.
+The sense field is only present for scsi packet command requests,
+and indicates the buffer for scsi sense data.
+The data_len field is only present for scsi packet command
+requests, this field is deprecated, and should be ignored by the
+driver. Historically, devices copied data length there.
+The sense_len field is only present for scsi packet command
+requests and indicates the number of bytes actually written to
+the sense buffer.
+The residual field is only present for scsi packet command
+requests and indicates the residual size, calculated as data
+length - number of bytes actually transferred.
+The final status byte is written by the device: either
+VIRTIO_BLK_S_OK for success, VIRTIO_BLK_S_IOERR for host or guest
+error or VIRTIO_BLK_S_UNSUPP for a request unsupported by host:#define VIRTIO_BLK_S_OK        0
+#define VIRTIO_BLK_S_IOERR     1
+#define VIRTIO_BLK_S_UNSUPP    2
+Historically, devices assumed that the fields type, ioprio and
+sector reside in a single, separate read-only buffer; the fields
+errors, data_len, sense_len and residual reside in a single,
+separate write-only buffer; the sense field in a separate
+write-only buffer of size 96 bytes, by itself; the fields errors,
+data_len, sense_len and residual in a single write-only buffer;
+and the status field is a separate read-only buffer of size 1
+byte, by itself.
+Appendix E: Console Device
+The virtio console device is a simple device for data input and
+output. A device may have one or more ports. Each port has a pair
+of input and output virtqueues. Moreover, a device has a pair of
+control IO virtqueues. The control virtqueues are used to
+communicate information between the device and the driver about
+ports being opened and closed on either side of the connection,
+indication from the host about whether a particular port is a
+console port, adding new ports, port hot-plug/unplug, etc., and
+indication from the guest about whether a port or a device was
+successfully added, port open/close, etc.. For data IO, one or
+more empty buffers are placed in the receive queue for incoming
+data and outgoing characters are placed in the transmit queue.
+  Configuration
+  Subsystem Device ID 3
+  Virtqueues 0:receiveq(port0). 1:transmitq(port0), 2:control
+  receiveq[footnote:
+Ports 2 onwards only if VIRTIO_CONSOLE_F_MULTIPORT is set
+], 3:control transmitq, 4:receiveq(port1), 5:transmitq(port1),
+  ...
+  Feature bits
+  VIRTIO_CONSOLE_F_SIZE (0) Configuration cols and rows fields
+    are valid.
+  VIRTIO_CONSOLE_F_MULTIPORT(1) Device has support for multiple
+    ports; configuration fields nr_ports and max_nr_ports are
+    valid and control virtqueues will be used.
+  Device configuration layout The size of the console is supplied
+  in the configuration space if the VIRTIO_CONSOLE_F_SIZE feature
+  is set. Furthermore, if the VIRTIO_CONSOLE_F_MULTIPORT feature
+  is set, the maximum number of ports supported by the device can
+  be fetched.struct virtio_console_config {
+        u16 cols;
+        u16 rows;
+        u32 max_nr_ports;
+};
+  Device Initialization
+  If the VIRTIO_CONSOLE_F_SIZE feature is negotiated, the driver
+  can read the console dimensions from the configuration fields.
+  If the VIRTIO_CONSOLE_F_MULTIPORT feature is negotiated, the
+  driver can spawn multiple ports, not all of which may be
+  attached to a console. Some could be generic ports. In this
+  case, the control virtqueues are enabled and according to the
+  max_nr_ports configuration-space value, the appropriate number
+  of virtqueues are created. A control message indicating the
+  driver is ready is sent to the host. The host can then send
+  control messages for adding new ports to the device. After
+  creating and initializing each port, a
+  VIRTIO_CONSOLE_PORT_READY control message is sent to the host
+  for that port so the host can let us know of any additional
+  configuration options set for that port.
+  The receiveq for each port is populated with one or more
+  receive buffers.
+  Device Operation
+  For output, a buffer containing the characters is placed in the
+  port's transmitq.[footnote:
+Because this is high importance and low bandwidth, the current
+Linux implementation polls for the buffer to be used, rather than
+waiting for an interrupt, simplifying the implementation
+significantly. However, for generic serial ports with the
+O_NONBLOCK flag set, the polling limitation is relaxed and the
+consumed buffers are freed upon the next write or poll call or
+when a port is closed or hot-unplugged.
+]
+  When a buffer is used in the receiveq (signalled by an
+  interrupt), the contents is the input to the port associated
+  with the virtqueue for which the notification was received.
+  If the driver negotiated the VIRTIO_CONSOLE_F_SIZE feature, a
+  configuration change interrupt may occur. The updated size can
+  be read from the configuration fields.
+  If the driver negotiated the VIRTIO_CONSOLE_F_MULTIPORT
+  feature, active ports are announced by the host using the
+  VIRTIO_CONSOLE_PORT_ADD control message. The same message is
+  used for port hot-plug as well.
+  If the host specified a port `name', a sysfs attribute is
+  created with the name filled in, so that udev rules can be
+  written that can create a symlink from the port's name to the
+  char device for port discovery by applications in the guest.
+  Changes to ports' state are effected by control messages.
+  Appropriate action is taken on the port indicated in the
+  control message. The layout of the structure of the control
+  buffer and the events associated are:struct virtio_console_control {
+        uint32_t id;    /* Port number */
+        uint16_t event; /* The kind of control event */
+        uint16_t value; /* Extra information for the event */
+};
+/* Some events for the internal messages (control packets) */
+#define VIRTIO_CONSOLE_DEVICE_READY     0
+#define VIRTIO_CONSOLE_PORT_ADD         1
+#define VIRTIO_CONSOLE_PORT_REMOVE      2
+#define VIRTIO_CONSOLE_PORT_READY       3
+#define VIRTIO_CONSOLE_CONSOLE_PORT     4
+#define VIRTIO_CONSOLE_RESIZE           5
+#define VIRTIO_CONSOLE_PORT_OPEN        6
+#define VIRTIO_CONSOLE_PORT_NAME        7
+Appendix F: Entropy Device
+The virtio entropy device supplies high-quality randomness for
+guest use.
+  Configuration
+  Subsystem Device ID 4
+  Virtqueues 0:requestq.
+  Feature bits None currently defined
+  Device configuration layout None currently defined.
+  Device Initialization
+  The virtqueue is initialized
+  Device Operation
+When the driver requires random bytes, it places the descriptor
+of one or more buffers in the queue. It will be completely filled
+by random data by the device.
+Appendix G: Memory Balloon Device
+The virtio memory balloon device is a primitive device for
+managing guest memory: the device asks for a certain amount of
+memory, and the guest supplies it (or withdraws it, if the device
+has more than it asks for). This allows the guest to adapt to
+changes in allowance of underlying physical memory. If the
+feature is negotiated, the device can also be used to communicate
+guest memory statistics to the host.
+  Configuration
+  Subsystem Device ID 5
+  Virtqueues 0:inflateq. 1:deflateq. 2:statsq.[footnote:
+Only if VIRTIO_BALLON_F_STATS_VQ set
+]
+  Feature bits
+  VIRTIO_BALLOON_F_MUST_TELL_HOST (0) Host must be told before
+    pages from the balloon are used.
+  VIRTIO_BALLOON_F_STATS_VQ (1) A virtqueue for reporting guest
+    memory statistics is present.
+  Device configuration layout Both fields of this configuration
+  are always available. Note that they are little endian, despite
+  convention that device fields are guest endian:struct virtio_balloon_config {
+        u32 num_pages;
+        u32 actual;
+};
+  Device Initialization
+  The inflate and deflate virtqueues are identified.
+  If the VIRTIO_BALLOON_F_STATS_VQ feature bit is negotiated:
+  Identify the stats virtqueue.
+  Add one empty buffer to the stats virtqueue and notify the
+    host.
+Device operation begins immediately.
+  Device Operation
+  Memory Ballooning The device is driven by the receipt of a
+  configuration change interrupt.
+  The “num_pages” configuration field is examined. If this is
+  greater than the “actual” number of pages, memory must be given
+  to the balloon. If it is less than the “actual” number of
+  pages, memory may be taken back from the balloon for general
+  use.
+  To supply memory to the balloon (aka. inflate):
+  The driver constructs an array of addresses of unused memory
+    pages. These addresses are divided by 4096[footnote:
+This is historical, and independent of the guest page size
+] and the descriptor describing the resulting 32-bit array is
+    added to the inflateq.
+  To remove memory from the balloon (aka. deflate):
+  The driver constructs an array of addresses of memory pages it
+    has previously given to the balloon, as described above. This
+    descriptor is added to the deflateq.
+  If the VIRTIO_BALLOON_F_MUST_TELL_HOST feature is set, the
+    guest may not use these requested pages until that descriptor
+    in the deflateq has been used by the device.
+  Otherwise, the guest may begin to re-use pages previously given
+    to the balloon before the device has acknowledged their
+    withdrawl. [footnote:
+In this case, deflation advice is merely a courtesy
+]
+  In either case, once the device has completed the inflation or
+  deflation, the “actual” field of the configuration should be
+  updated to reflect the new number of pages in the balloon.[footnote:
+As updates to configuration space are not atomic, this field
+isn't particularly reliable, but can be used to diagnose buggy
+guests.
+]
+  Memory Statistics
+The stats virtqueue is atypical because communication is driven
+by the device (not the driver). The channel becomes active at
+driver initialization time when the driver adds an empty buffer
+and notifies the device. A request for memory statistics proceeds
+as follows:
+  The device pushes the buffer onto the used ring and sends an
+  interrupt.
+  The driver pops the used buffer and discards it.
+  The driver collects memory statistics and writes them into a
+  new buffer.
+  The driver adds the buffer to the virtqueue and notifies the
+  device.
+  The device pops the buffer (retaining it to initiate a
+  subsequent request) and consumes the statistics.
+  Memory Statistics Format Each statistic consists of a 16 bit
+  tag and a 64 bit value. Both quantities are represented in the
+  native endian of the guest. All statistics are optional and the
+  driver may choose which ones to supply. To guarantee backwards
+  compatibility, unsupported statistics should be omitted.
+  struct virtio_balloon_stat {
+#define VIRTIO_BALLOON_S_SWAP_IN  0
+#define VIRTIO_BALLOON_S_SWAP_OUT 1
+#define VIRTIO_BALLOON_S_MAJFLT   2
+#define VIRTIO_BALLOON_S_MINFLT   3
+#define VIRTIO_BALLOON_S_MEMFREE  4
+#define VIRTIO_BALLOON_S_MEMTOT   5
+        u16 tag;
+        u64 val;
+} __attribute__((packed));
+  Tags
+  VIRTIO_BALLOON_S_SWAP_IN The amount of memory that has been
+  swapped in (in bytes).
+  VIRTIO_BALLOON_S_SWAP_OUT The amount of memory that has been
+  swapped out to disk (in bytes).
+  VIRTIO_BALLOON_S_MAJFLT The number of major page faults that
+  have occurred.
+  VIRTIO_BALLOON_S_MINFLT The number of minor page faults that
+  have occurred.
+  VIRTIO_BALLOON_S_MEMFREE The amount of memory not being used
+  for any purpose (in bytes).
+  VIRTIO_BALLOON_S_MEMTOT The total amount of memory available
+  (in bytes).