16 files changed, 831 insertions, 91 deletions

diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig
index 8795480c2350..a1ced521cf74 100644
--- a/drivers/xen/Kconfig
+++ b/drivers/xen/Kconfig
@@ -86,6 +86,7 @@ config XEN_BACKEND
 
 config XENFS
         tristate "Xen filesystem"
+        select XEN_PRIVCMD
         default y
         help
           The xen filesystem provides a way for domains to share
@@ -171,4 +172,10 @@ config XEN_PCIDEV_BACKEND
           xen-pciback.hide=(03:00.0)(04:00.0)
 
           If in doubt, say m.
+
+config XEN_PRIVCMD
+        tristate
+        depends on XEN
+        default m
+
 endmenu
diff --git a/drivers/xen/Makefile b/drivers/xen/Makefile
index 974fffdf22b2..aa31337192cc 100644
--- a/drivers/xen/Makefile
+++ b/drivers/xen/Makefile
@@ -19,7 +19,9 @@ obj-$(CONFIG_XEN_TMEM)			+= tmem.o
 obj-$(CONFIG_SWIOTLB_XEN)               += swiotlb-xen.o
 obj-$(CONFIG_XEN_DOM0)                  += pci.o
 obj-$(CONFIG_XEN_PCIDEV_BACKEND)        += xen-pciback/
+obj-$(CONFIG_XEN_PRIVCMD)               += xen-privcmd.o
 
 xen-evtchn-y                            := evtchn.o
 xen-gntdev-y                            := gntdev.o
 xen-gntalloc-y                          := gntalloc.o
+xen-privcmd-y                           := privcmd.o
diff --git a/drivers/xen/events.c b/drivers/xen/events.c
index 6e075cdd0c6b..e5e5812a1014 100644
--- a/drivers/xen/events.c
+++ b/drivers/xen/events.c
@@ -87,6 +87,7 @@ enum xen_irq_type {
  */
 struct irq_info {
         struct list_head list;
+        int refcnt;
         enum xen_irq_type type; /* type */
         unsigned irq;
         unsigned short evtchn;  /* event channel */
@@ -406,6 +407,7 @@ static void xen_irq_init(unsigned irq)
                 panic("Unable to allocate metadata for IRQ%d\n", irq);
 
         info->type = IRQT_UNBOUND;
+        info->refcnt = -1;
 
         irq_set_handler_data(irq, info);
 
@@ -469,6 +471,8 @@ static void xen_free_irq(unsigned irq)
 
         irq_set_handler_data(irq, NULL);
 
+        WARN_ON(info->refcnt > 0);
+
         kfree(info);
 
         /* Legacy IRQ descriptors are managed by the arch. */
@@ -637,7 +641,7 @@ int xen_bind_pirq_gsi_to_irq(unsigned gsi,
         if (irq != -1) {
                 printk(KERN_INFO "xen_map_pirq_gsi: returning irq %d for gsi %u\n",
                        irq, gsi);
-                goto out;       /* XXX need refcount? */
+                goto out;
         }
 
         irq = xen_allocate_irq_gsi(gsi);
@@ -939,9 +943,16 @@ static void unbind_from_irq(unsigned int irq)
 {
         struct evtchn_close close;
         int evtchn = evtchn_from_irq(irq);
+        struct irq_info *info = irq_get_handler_data(irq);
 
         mutex_lock(&irq_mapping_update_lock);
 
+        if (info->refcnt > 0) {
+                info->refcnt--;
+                if (info->refcnt != 0)
+                        goto done;
+        }
+
         if (VALID_EVTCHN(evtchn)) {
                 close.port = evtchn;
                 if (HYPERVISOR_event_channel_op(EVTCHNOP_close, &close) != 0)
@@ -970,6 +981,7 @@ static void unbind_from_irq(unsigned int irq)
 
         xen_free_irq(irq);
 
+ done:
         mutex_unlock(&irq_mapping_update_lock);
 }
 
@@ -1065,6 +1077,69 @@ void unbind_from_irqhandler(unsigned int irq, void *dev_id)
 }
 EXPORT_SYMBOL_GPL(unbind_from_irqhandler);
 
+int evtchn_make_refcounted(unsigned int evtchn)
+{
+        int irq = evtchn_to_irq[evtchn];
+        struct irq_info *info;
+
+        if (irq == -1)
+                return -ENOENT;
+
+        info = irq_get_handler_data(irq);
+
+        if (!info)
+                return -ENOENT;
+
+        WARN_ON(info->refcnt != -1);
+
+        info->refcnt = 1;
+
+        return 0;
+}
+EXPORT_SYMBOL_GPL(evtchn_make_refcounted);
+
+int evtchn_get(unsigned int evtchn)
+{
+        int irq;
+        struct irq_info *info;
+        int err = -ENOENT;
+
+        if (evtchn >= NR_EVENT_CHANNELS)
+                return -EINVAL;
+
+        mutex_lock(&irq_mapping_update_lock);
+
+        irq = evtchn_to_irq[evtchn];
+        if (irq == -1)
+                goto done;
+
+        info = irq_get_handler_data(irq);
+
+        if (!info)
+                goto done;
+
+        err = -EINVAL;
+        if (info->refcnt <= 0)
+                goto done;
+
+        info->refcnt++;
+        err = 0;
+ done:
+        mutex_unlock(&irq_mapping_update_lock);
+
+        return err;
+}
+EXPORT_SYMBOL_GPL(evtchn_get);
+
+void evtchn_put(unsigned int evtchn)
+{
+        int irq = evtchn_to_irq[evtchn];
+        if (WARN_ON(irq == -1))
+                return;
+        unbind_from_irq(irq);
+}
+EXPORT_SYMBOL_GPL(evtchn_put);
+
 void xen_send_IPI_one(unsigned int cpu, enum ipi_vector vector)
 {
         int irq = per_cpu(ipi_to_irq, cpu)[vector];
diff --git a/drivers/xen/evtchn.c b/drivers/xen/evtchn.c
index dbc13e94b612..b1f60a0c0bea 100644
--- a/drivers/xen/evtchn.c
+++ b/drivers/xen/evtchn.c
@@ -268,7 +268,7 @@ static int evtchn_bind_to_user(struct per_user_data *u, int port)
         rc = bind_evtchn_to_irqhandler(port, evtchn_interrupt, IRQF_DISABLED,
                                        u->name, (void *)(unsigned long)port);
         if (rc >= 0)
-                rc = 0;
+                rc = evtchn_make_refcounted(port);
 
         return rc;
 }
diff --git a/drivers/xen/gntalloc.c b/drivers/xen/gntalloc.c
index e1c4c6e5b469..e2400c8963fa 100644
--- a/drivers/xen/gntalloc.c
+++ b/drivers/xen/gntalloc.c
@@ -74,7 +74,7 @@ MODULE_PARM_DESC(limit, "Maximum number of grants that may be allocated by "
                 "the gntalloc device");
 
 static LIST_HEAD(gref_list);
-static DEFINE_SPINLOCK(gref_lock);
+static DEFINE_MUTEX(gref_mutex);
 static int gref_size;
 
 struct notify_info {
@@ -99,6 +99,12 @@ struct gntalloc_file_private_data {
         uint64_t index;
 };
 
+struct gntalloc_vma_private_data {
+        struct gntalloc_gref *gref;
+        int users;
+        int count;
+};
+
 static void __del_gref(struct gntalloc_gref *gref);
 
 static void do_cleanup(void)
@@ -143,15 +149,15 @@ static int add_grefs(struct ioctl_gntalloc_alloc_gref *op,
         }
 
         /* Add to gref lists. */
-        spin_lock(&gref_lock);
+        mutex_lock(&gref_mutex);
         list_splice_tail(&queue_gref, &gref_list);
         list_splice_tail(&queue_file, &priv->list);
-        spin_unlock(&gref_lock);
+        mutex_unlock(&gref_mutex);
 
         return 0;
 
 undo:
-        spin_lock(&gref_lock);
+        mutex_lock(&gref_mutex);
         gref_size -= (op->count - i);
 
         list_for_each_entry(gref, &queue_file, next_file) {
@@ -167,7 +173,7 @@ undo:
          */
         if (unlikely(!list_empty(&queue_gref)))
                 list_splice_tail(&queue_gref, &gref_list);
-        spin_unlock(&gref_lock);
+        mutex_unlock(&gref_mutex);
         return rc;
 }
 
@@ -178,8 +184,10 @@ static void __del_gref(struct gntalloc_gref *gref)
                 tmp[gref->notify.pgoff] = 0;
                 kunmap(gref->page);
         }
-        if (gref->notify.flags & UNMAP_NOTIFY_SEND_EVENT)
+        if (gref->notify.flags & UNMAP_NOTIFY_SEND_EVENT) {
                 notify_remote_via_evtchn(gref->notify.event);
+                evtchn_put(gref->notify.event);
+        }
 
         gref->notify.flags = 0;
 
@@ -189,6 +197,8 @@ static void __del_gref(struct gntalloc_gref *gref)
 
                 if (!gnttab_end_foreign_access_ref(gref->gref_id, 0))
                         return;
+
+                gnttab_free_grant_reference(gref->gref_id);
         }
 
         gref_size--;
@@ -251,7 +261,7 @@ static int gntalloc_release(struct inode *inode, struct file *filp)
 
         pr_debug("%s: priv %p\n", __func__, priv);
 
-        spin_lock(&gref_lock);
+        mutex_lock(&gref_mutex);
         while (!list_empty(&priv->list)) {
                 gref = list_entry(priv->list.next,
                         struct gntalloc_gref, next_file);
@@ -261,7 +271,7 @@ static int gntalloc_release(struct inode *inode, struct file *filp)
                         __del_gref(gref);
         }
         kfree(priv);
-        spin_unlock(&gref_lock);
+        mutex_unlock(&gref_mutex);
 
         return 0;
 }
@@ -286,21 +296,21 @@ static long gntalloc_ioctl_alloc(struct gntalloc_file_private_data *priv,
                 goto out;
         }
 
-        spin_lock(&gref_lock);
+        mutex_lock(&gref_mutex);
         /* Clean up pages that were at zero (local) users but were still mapped
          * by remote domains. Since those pages count towards the limit that we
          * are about to enforce, removing them here is a good idea.
          */
         do_cleanup();
         if (gref_size + op.count > limit) {
-                spin_unlock(&gref_lock);
+                mutex_unlock(&gref_mutex);
                 rc = -ENOSPC;
                 goto out_free;
         }
         gref_size += op.count;
         op.index = priv->index;
         priv->index += op.count * PAGE_SIZE;
-        spin_unlock(&gref_lock);
+        mutex_unlock(&gref_mutex);
 
         rc = add_grefs(&op, gref_ids, priv);
         if (rc < 0)
@@ -343,7 +353,7 @@ static long gntalloc_ioctl_dealloc(struct gntalloc_file_private_data *priv,
                 goto dealloc_grant_out;
         }
 
-        spin_lock(&gref_lock);
+        mutex_lock(&gref_mutex);
         gref = find_grefs(priv, op.index, op.count);
         if (gref) {
                 /* Remove from the file list only, and decrease reference count.
@@ -363,7 +373,7 @@ static long gntalloc_ioctl_dealloc(struct gntalloc_file_private_data *priv,
 
         do_cleanup();
 
-        spin_unlock(&gref_lock);
+        mutex_unlock(&gref_mutex);
 dealloc_grant_out:
         return rc;
 }
@@ -383,7 +393,7 @@ static long gntalloc_ioctl_unmap_notify(struct gntalloc_file_private_data *priv,
         index = op.index & ~(PAGE_SIZE - 1);
         pgoff = op.index & (PAGE_SIZE - 1);
 
-        spin_lock(&gref_lock);
+        mutex_lock(&gref_mutex);
 
         gref = find_grefs(priv, index, 1);
         if (!gref) {
@@ -396,12 +406,30 @@ static long gntalloc_ioctl_unmap_notify(struct gntalloc_file_private_data *priv,
                 goto unlock_out;
         }
 
+        /* We need to grab a reference to the event channel we are going to use
+         * to send the notify before releasing the reference we may already have
+         * (if someone has called this ioctl twice). This is required so that
+         * it is possible to change the clear_byte part of the notification
+         * without disturbing the event channel part, which may now be the last
+         * reference to that event channel.
+         */
+        if (op.action & UNMAP_NOTIFY_SEND_EVENT) {
+                if (evtchn_get(op.event_channel_port)) {
+                        rc = -EINVAL;
+                        goto unlock_out;
+                }
+        }
+
+        if (gref->notify.flags & UNMAP_NOTIFY_SEND_EVENT)
+                evtchn_put(gref->notify.event);
+
         gref->notify.flags = op.action;
         gref->notify.pgoff = pgoff;
         gref->notify.event = op.event_channel_port;
         rc = 0;
+
  unlock_out:
-        spin_unlock(&gref_lock);
+        mutex_unlock(&gref_mutex);
         return rc;
 }
 
@@ -429,26 +457,40 @@ static long gntalloc_ioctl(struct file *filp, unsigned int cmd,
 
 static void gntalloc_vma_open(struct vm_area_struct *vma)
 {
-        struct gntalloc_gref *gref = vma->vm_private_data;
-        if (!gref)
+        struct gntalloc_vma_private_data *priv = vma->vm_private_data;
+
+        if (!priv)
                 return;
 
-        spin_lock(&gref_lock);
-        gref->users++;
-        spin_unlock(&gref_lock);
+        mutex_lock(&gref_mutex);
+        priv->users++;
+        mutex_unlock(&gref_mutex);
 }
 
 static void gntalloc_vma_close(struct vm_area_struct *vma)
 {
-        struct gntalloc_gref *gref = vma->vm_private_data;
-        if (!gref)
+        struct gntalloc_vma_private_data *priv = vma->vm_private_data;
+        struct gntalloc_gref *gref, *next;
+        int i;
+
+        if (!priv)
                 return;
 
-        spin_lock(&gref_lock);
-        gref->users--;
-        if (gref->users == 0)
-                __del_gref(gref);
-        spin_unlock(&gref_lock);
+        mutex_lock(&gref_mutex);
+        priv->users--;
+        if (priv->users == 0) {
+                gref = priv->gref;
+                for (i = 0; i < priv->count; i++) {
+                        gref->users--;
+                        next = list_entry(gref->next_gref.next,
+                                          struct gntalloc_gref, next_gref);
+                        if (gref->users == 0)
+                                __del_gref(gref);
+                        gref = next;
+                }
+                kfree(priv);
+        }
+        mutex_unlock(&gref_mutex);
 }
 
 static struct vm_operations_struct gntalloc_vmops = {
@@ -459,19 +501,25 @@ static struct vm_operations_struct gntalloc_vmops = {
 static int gntalloc_mmap(struct file *filp, struct vm_area_struct *vma)
 {
         struct gntalloc_file_private_data *priv = filp->private_data;
+        struct gntalloc_vma_private_data *vm_priv;
         struct gntalloc_gref *gref;
         int count = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
         int rv, i;
 
-        pr_debug("%s: priv %p, page %lu+%d\n", __func__,
-                       priv, vma->vm_pgoff, count);
-
         if (!(vma->vm_flags & VM_SHARED)) {
                 printk(KERN_ERR "%s: Mapping must be shared.\n", __func__);
                 return -EINVAL;
         }
 
-        spin_lock(&gref_lock);
+        vm_priv = kmalloc(sizeof(*vm_priv), GFP_KERNEL);
+        if (!vm_priv)
+                return -ENOMEM;
+
+        mutex_lock(&gref_mutex);
+
+        pr_debug("%s: priv %p,%p, page %lu+%d\n", __func__,
+                       priv, vm_priv, vma->vm_pgoff, count);
+
         gref = find_grefs(priv, vma->vm_pgoff << PAGE_SHIFT, count);
         if (gref == NULL) {
                 rv = -ENOENT;
@@ -480,9 +528,13 @@ static int gntalloc_mmap(struct file *filp, struct vm_area_struct *vma)
                 goto out_unlock;
         }
 
-        vma->vm_private_data = gref;
+        vm_priv->gref = gref;
+        vm_priv->users = 1;
+        vm_priv->count = count;
+
+        vma->vm_private_data = vm_priv;
 
-        vma->vm_flags |= VM_RESERVED;
+        vma->vm_flags |= VM_RESERVED | VM_DONTEXPAND;
 
         vma->vm_ops = &gntalloc_vmops;
 
@@ -499,7 +551,7 @@ static int gntalloc_mmap(struct file *filp, struct vm_area_struct *vma)
         rv = 0;
 
 out_unlock:
-        spin_unlock(&gref_lock);
+        mutex_unlock(&gref_mutex);
         return rv;
 }
 
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index afca14d9042e..f52f661f8f82 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -193,8 +193,10 @@ static void gntdev_put_map(struct grant_map *map)
 
         atomic_sub(map->count, &pages_mapped);
 
-        if (map->notify.flags & UNMAP_NOTIFY_SEND_EVENT)
+        if (map->notify.flags & UNMAP_NOTIFY_SEND_EVENT) {
                 notify_remote_via_evtchn(map->notify.event);
+                evtchn_put(map->notify.event);
+        }
 
         if (map->pages) {
                 if (!use_ptemod)
@@ -599,6 +601,8 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
         struct ioctl_gntdev_unmap_notify op;
         struct grant_map *map;
         int rc;
+        int out_flags;
+        unsigned int out_event;
 
         if (copy_from_user(&op, u, sizeof(op)))
                 return -EFAULT;
@@ -606,6 +610,21 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
         if (op.action & ~(UNMAP_NOTIFY_CLEAR_BYTE|UNMAP_NOTIFY_SEND_EVENT))
                 return -EINVAL;
 
+        /* We need to grab a reference to the event channel we are going to use
+         * to send the notify before releasing the reference we may already have
+         * (if someone has called this ioctl twice). This is required so that
+         * it is possible to change the clear_byte part of the notification
+         * without disturbing the event channel part, which may now be the last
+         * reference to that event channel.
+         */
+        if (op.action & UNMAP_NOTIFY_SEND_EVENT) {
+                if (evtchn_get(op.event_channel_port))
+                        return -EINVAL;
+        }
+
+        out_flags = op.action;
+        out_event = op.event_channel_port;
+
         spin_lock(&priv->lock);
 
         list_for_each_entry(map, &priv->maps, next) {
@@ -624,12 +643,22 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
                 goto unlock_out;
         }
 
+        out_flags = map->notify.flags;
+        out_event = map->notify.event;
+
         map->notify.flags = op.action;
         map->notify.addr = op.index - (map->index << PAGE_SHIFT);
         map->notify.event = op.event_channel_port;
+
         rc = 0;
+
  unlock_out:
         spin_unlock(&priv->lock);
+
+        /* Drop the reference to the event channel we did not save in the map */
+        if (out_flags & UNMAP_NOTIFY_SEND_EVENT)
+                evtchn_put(out_event);
+
         return rc;
 }
 
diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index bf1c094f4ebf..a3d0e1e278c1 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -44,16 +44,19 @@
 #include <xen/page.h>
 #include <xen/grant_table.h>
 #include <xen/interface/memory.h>
+#include <xen/hvc-console.h>
 #include <asm/xen/hypercall.h>
 
 #include <asm/pgtable.h>
 #include <asm/sync_bitops.h>
 
-
 /* External tools reserve first few grant table entries. */
 #define NR_RESERVED_ENTRIES 8
 #define GNTTAB_LIST_END 0xffffffff
-#define GREFS_PER_GRANT_FRAME (PAGE_SIZE / sizeof(struct grant_entry))
+#define GREFS_PER_GRANT_FRAME \
+(grant_table_version == 1 ?                      \
+(PAGE_SIZE / sizeof(struct grant_entry_v1)) :   \
+(PAGE_SIZE / sizeof(union grant_entry_v2)))
 
 static grant_ref_t **gnttab_list;
 static unsigned int nr_grant_frames;
@@ -64,13 +67,97 @@ static DEFINE_SPINLOCK(gnttab_list_lock);
 unsigned long xen_hvm_resume_frames;
 EXPORT_SYMBOL_GPL(xen_hvm_resume_frames);
 
-static struct grant_entry *shared;
+static union {
+        struct grant_entry_v1 *v1;
+        union grant_entry_v2 *v2;
+        void *addr;
+} gnttab_shared;
+
+/*This is a structure of function pointers for grant table*/
+struct gnttab_ops {
+        /*
+         * Mapping a list of frames for storing grant entries. Frames parameter
+         * is used to store grant table address when grant table being setup,
+         * nr_gframes is the number of frames to map grant table. Returning
+         * GNTST_okay means success and negative value means failure.
+         */
+        int (*map_frames)(unsigned long *frames, unsigned int nr_gframes);
+        /*
+         * Release a list of frames which are mapped in map_frames for grant
+         * entry status.
+         */
+        void (*unmap_frames)(void);
+        /*
+         * Introducing a valid entry into the grant table, granting the frame of
+         * this grant entry to domain for accessing or transfering. Ref
+         * parameter is reference of this introduced grant entry, domid is id of
+         * granted domain, frame is the page frame to be granted, and flags is
+         * status of the grant entry to be updated.
+         */
+        void (*update_entry)(grant_ref_t ref, domid_t domid,
+                             unsigned long frame, unsigned flags);
+        /*
+         * Stop granting a grant entry to domain for accessing. Ref parameter is
+         * reference of a grant entry whose grant access will be stopped,
+         * readonly is not in use in this function. If the grant entry is
+         * currently mapped for reading or writing, just return failure(==0)
+         * directly and don't tear down the grant access. Otherwise, stop grant
+         * access for this entry and return success(==1).
+         */
+        int (*end_foreign_access_ref)(grant_ref_t ref, int readonly);
+        /*
+         * Stop granting a grant entry to domain for transfer. Ref parameter is
+         * reference of a grant entry whose grant transfer will be stopped. If
+         * tranfer has not started, just reclaim the grant entry and return
+         * failure(==0). Otherwise, wait for the transfer to complete and then
+         * return the frame.
+         */
+        unsigned long (*end_foreign_transfer_ref)(grant_ref_t ref);
+        /*
+         * Query the status of a grant entry. Ref parameter is reference of
+         * queried grant entry, return value is the status of queried entry.
+         * Detailed status(writing/reading) can be gotten from the return value
+         * by bit operations.
+         */
+        int (*query_foreign_access)(grant_ref_t ref);
+        /*
+         * Grant a domain to access a range of bytes within the page referred by
+         * an available grant entry. Ref parameter is reference of a grant entry
+         * which will be sub-page accessed, domid is id of grantee domain, frame
+         * is frame address of subpage grant, flags is grant type and flag
+         * information, page_off is offset of the range of bytes, and length is
+         * length of bytes to be accessed.
+         */
+        void (*update_subpage_entry)(grant_ref_t ref, domid_t domid,
+                                     unsigned long frame, int flags,
+                                     unsigned page_off, unsigned length);
+        /*
+         * Redirect an available grant entry on domain A to another grant
+         * reference of domain B, then allow domain C to use grant reference
+         * of domain B transitively. Ref parameter is an available grant entry
+         * reference on domain A, domid is id of domain C which accesses grant
+         * entry transitively, flags is grant type and flag information,
+         * trans_domid is id of domain B whose grant entry is finally accessed
+         * transitively, trans_gref is grant entry transitive reference of
+         * domain B.
+         */
+        void (*update_trans_entry)(grant_ref_t ref, domid_t domid, int flags,
+                                   domid_t trans_domid, grant_ref_t trans_gref);
+};
+
+static struct gnttab_ops *gnttab_interface;
+
+/*This reflects status of grant entries, so act as a global value*/
+static grant_status_t *grstatus;
+
+static int grant_table_version;
 
 static struct gnttab_free_callback *gnttab_free_callback_list;
 
 static int gnttab_expand(unsigned int req_entries);
 
 #define RPP (PAGE_SIZE / sizeof(grant_ref_t))
+#define SPP (PAGE_SIZE / sizeof(grant_status_t))
 
 static inline grant_ref_t *__gnttab_entry(grant_ref_t entry)
 {
@@ -142,23 +229,33 @@ static void put_free_entry(grant_ref_t ref)
         spin_unlock_irqrestore(&gnttab_list_lock, flags);
 }
 
-static void update_grant_entry(grant_ref_t ref, domid_t domid,
-                               unsigned long frame, unsigned flags)
+/*
+ * Following applies to gnttab_update_entry_v1 and gnttab_update_entry_v2.
+ * Introducing a valid entry into the grant table:
+ *  1. Write ent->domid.
+ *  2. Write ent->frame:
+ *      GTF_permit_access:   Frame to which access is permitted.
+ *      GTF_accept_transfer: Pseudo-phys frame slot being filled by new
+ *                           frame, or zero if none.
+ *  3. Write memory barrier (WMB).
+ *  4. Write ent->flags, inc. valid type.
+ */
+static void gnttab_update_entry_v1(grant_ref_t ref, domid_t domid,
+                                   unsigned long frame, unsigned flags)
+{
+        gnttab_shared.v1[ref].domid = domid;
+        gnttab_shared.v1[ref].frame = frame;
+        wmb();
+        gnttab_shared.v1[ref].flags = flags;
+}
+
+static void gnttab_update_entry_v2(grant_ref_t ref, domid_t domid,
+                                   unsigned long frame, unsigned flags)
 {
-        /*
-         * Introducing a valid entry into the grant table:
-         *  1. Write ent->domid.
-         *  2. Write ent->frame:
-         *      GTF_permit_access:   Frame to which access is permitted.
-         *      GTF_accept_transfer: Pseudo-phys frame slot being filled by new
-         *                           frame, or zero if none.
-         *  3. Write memory barrier (WMB).
-         *  4. Write ent->flags, inc. valid type.
-         */
-        shared[ref].frame = frame;
-        shared[ref].domid = domid;
+        gnttab_shared.v2[ref].hdr.domid = domid;
+        gnttab_shared.v2[ref].full_page.frame = frame;
         wmb();
-        shared[ref].flags = flags;
+        gnttab_shared.v2[ref].hdr.flags = GTF_permit_access | flags;
 }
 
 /*
@@ -167,7 +264,7 @@ static void update_grant_entry(grant_ref_t ref, domid_t domid,
 void gnttab_grant_foreign_access_ref(grant_ref_t ref, domid_t domid,
                                      unsigned long frame, int readonly)
 {
-        update_grant_entry(ref, domid, frame,
+        gnttab_interface->update_entry(ref, domid, frame,
                            GTF_permit_access | (readonly ? GTF_readonly : 0));
 }
 EXPORT_SYMBOL_GPL(gnttab_grant_foreign_access_ref);
@@ -187,31 +284,184 @@ int gnttab_grant_foreign_access(domid_t domid, unsigned long frame,
 }
 EXPORT_SYMBOL_GPL(gnttab_grant_foreign_access);
 
-int gnttab_query_foreign_access(grant_ref_t ref)
+void gnttab_update_subpage_entry_v2(grant_ref_t ref, domid_t domid,
+                                    unsigned long frame, int flags,
+                                    unsigned page_off,
+                                    unsigned length)
+{
+        gnttab_shared.v2[ref].sub_page.frame = frame;
+        gnttab_shared.v2[ref].sub_page.page_off = page_off;
+        gnttab_shared.v2[ref].sub_page.length = length;
+        gnttab_shared.v2[ref].hdr.domid = domid;
+        wmb();
+        gnttab_shared.v2[ref].hdr.flags =
+                                GTF_permit_access | GTF_sub_page | flags;
+}
+
+int gnttab_grant_foreign_access_subpage_ref(grant_ref_t ref, domid_t domid,
+                                            unsigned long frame, int flags,
+                                            unsigned page_off,
+                                            unsigned length)
 {
-        u16 nflags;
+        if (flags & (GTF_accept_transfer | GTF_reading |
+                     GTF_writing | GTF_transitive))
+                return -EPERM;
 
-        nflags = shared[ref].flags;
+        if (gnttab_interface->update_subpage_entry == NULL)
+                return -ENOSYS;
 
-        return nflags & (GTF_reading|GTF_writing);
+        gnttab_interface->update_subpage_entry(ref, domid, frame, flags,
+                                               page_off, length);
+
+        return 0;
+}
+EXPORT_SYMBOL_GPL(gnttab_grant_foreign_access_subpage_ref);
+
+int gnttab_grant_foreign_access_subpage(domid_t domid, unsigned long frame,
+                                        int flags, unsigned page_off,
+                                        unsigned length)
+{
+        int ref, rc;
+
+        ref = get_free_entries(1);
+        if (unlikely(ref < 0))
+                return -ENOSPC;
+
+        rc = gnttab_grant_foreign_access_subpage_ref(ref, domid, frame, flags,
+                                                     page_off, length);
+        if (rc < 0) {
+                put_free_entry(ref);
+                return rc;
+        }
+
+        return ref;
+}
+EXPORT_SYMBOL_GPL(gnttab_grant_foreign_access_subpage);
+
+bool gnttab_subpage_grants_available(void)
+{
+        return gnttab_interface->update_subpage_entry != NULL;
+}
+EXPORT_SYMBOL_GPL(gnttab_subpage_grants_available);
+
+void gnttab_update_trans_entry_v2(grant_ref_t ref, domid_t domid,
+                                  int flags, domid_t trans_domid,
+                                  grant_ref_t trans_gref)
+{
+        gnttab_shared.v2[ref].transitive.trans_domid = trans_domid;
+        gnttab_shared.v2[ref].transitive.gref = trans_gref;
+        gnttab_shared.v2[ref].hdr.domid = domid;
+        wmb();
+        gnttab_shared.v2[ref].hdr.flags =
+                                GTF_permit_access | GTF_transitive | flags;
+}
+
+int gnttab_grant_foreign_access_trans_ref(grant_ref_t ref, domid_t domid,
+                                          int flags, domid_t trans_domid,
+                                          grant_ref_t trans_gref)
+{
+        if (flags & (GTF_accept_transfer | GTF_reading |
+                     GTF_writing | GTF_sub_page))
+                return -EPERM;
+
+        if (gnttab_interface->update_trans_entry == NULL)
+                return -ENOSYS;
+
+        gnttab_interface->update_trans_entry(ref, domid, flags, trans_domid,
+                                             trans_gref);
+
+        return 0;
+}
+EXPORT_SYMBOL_GPL(gnttab_grant_foreign_access_trans_ref);
+
+int gnttab_grant_foreign_access_trans(domid_t domid, int flags,
+                                      domid_t trans_domid,
+                                      grant_ref_t trans_gref)
+{
+        int ref, rc;
+
+        ref = get_free_entries(1);
+        if (unlikely(ref < 0))
+                return -ENOSPC;
+
+        rc = gnttab_grant_foreign_access_trans_ref(ref, domid, flags,
+                                                   trans_domid, trans_gref);
+        if (rc < 0) {
+                put_free_entry(ref);
+                return rc;
+        }
+
+        return ref;
+}
+EXPORT_SYMBOL_GPL(gnttab_grant_foreign_access_trans);
+
+bool gnttab_trans_grants_available(void)
+{
+        return gnttab_interface->update_trans_entry != NULL;
+}
+EXPORT_SYMBOL_GPL(gnttab_trans_grants_available);
+
+static int gnttab_query_foreign_access_v1(grant_ref_t ref)
+{
+        return gnttab_shared.v1[ref].flags & (GTF_reading|GTF_writing);
+}
+
+static int gnttab_query_foreign_access_v2(grant_ref_t ref)
+{
+        return grstatus[ref] & (GTF_reading|GTF_writing);
+}
+
+int gnttab_query_foreign_access(grant_ref_t ref)
+{
+        return gnttab_interface->query_foreign_access(ref);
 }
 EXPORT_SYMBOL_GPL(gnttab_query_foreign_access);
 
-int gnttab_end_foreign_access_ref(grant_ref_t ref, int readonly)
+static int gnttab_end_foreign_access_ref_v1(grant_ref_t ref, int readonly)
 {
         u16 flags, nflags;
+        u16 *pflags;
 
-        nflags = shared[ref].flags;
+        pflags = &gnttab_shared.v1[ref].flags;
+        nflags = *pflags;
         do {
                 flags = nflags;
                 if (flags & (GTF_reading|GTF_writing)) {
                         printk(KERN_ALERT "WARNING: g.e. still in use!\n");
                         return 0;
                 }
-        } while ((nflags = sync_cmpxchg(&shared[ref].flags, flags, 0)) != flags);
+        } while ((nflags = sync_cmpxchg(pflags, flags, 0)) != flags);
+
+        return 1;
+}
+
+static int gnttab_end_foreign_access_ref_v2(grant_ref_t ref, int readonly)
+{
+        gnttab_shared.v2[ref].hdr.flags = 0;
+        mb();
+        if (grstatus[ref] & (GTF_reading|GTF_writing)) {
+                return 0;
+        } else {
+                /* The read of grstatus needs to have acquire
+                semantics.  On x86, reads already have
+                that, and we just need to protect against
+                compiler reorderings.  On other
+                architectures we may need a full
+                barrier. */
+#ifdef CONFIG_X86
+                barrier();
+#else
+                mb();
+#endif
+        }
 
         return 1;
 }
+
+int gnttab_end_foreign_access_ref(grant_ref_t ref, int readonly)
+{
+        return gnttab_interface->end_foreign_access_ref(ref, readonly);
+}
 EXPORT_SYMBOL_GPL(gnttab_end_foreign_access_ref);
 
 void gnttab_end_foreign_access(grant_ref_t ref, int readonly,
@@ -246,37 +496,76 @@ EXPORT_SYMBOL_GPL(gnttab_grant_foreign_transfer);
 void gnttab_grant_foreign_transfer_ref(grant_ref_t ref, domid_t domid,
                                        unsigned long pfn)
 {
-        update_grant_entry(ref, domid, pfn, GTF_accept_transfer);
+        gnttab_interface->update_entry(ref, domid, pfn, GTF_accept_transfer);
 }
 EXPORT_SYMBOL_GPL(gnttab_grant_foreign_transfer_ref);
 
-unsigned long gnttab_end_foreign_transfer_ref(grant_ref_t ref)
+static unsigned long gnttab_end_foreign_transfer_ref_v1(grant_ref_t ref)
 {
         unsigned long frame;
         u16           flags;
+        u16          *pflags;
+
+        pflags = &gnttab_shared.v1[ref].flags;
 
         /*
          * If a transfer is not even yet started, try to reclaim the grant
          * reference and return failure (== 0).
          */
-        while (!((flags = shared[ref].flags) & GTF_transfer_committed)) {
-                if (sync_cmpxchg(&shared[ref].flags, flags, 0) == flags)
+        while (!((flags = *pflags) & GTF_transfer_committed)) {
+                if (sync_cmpxchg(pflags, flags, 0) == flags)
                         return 0;
                 cpu_relax();
         }
 
         /* If a transfer is in progress then wait until it is completed. */
         while (!(flags & GTF_transfer_completed)) {
-                flags = shared[ref].flags;
+                flags = *pflags;
                 cpu_relax();
         }
 
         rmb();  /* Read the frame number /after/ reading completion status. */
-        frame = shared[ref].frame;
+        frame = gnttab_shared.v1[ref].frame;
+        BUG_ON(frame == 0);
+
+        return frame;
+}
+
+static unsigned long gnttab_end_foreign_transfer_ref_v2(grant_ref_t ref)
+{
+        unsigned long frame;
+        u16           flags;
+        u16          *pflags;
+
+        pflags = &gnttab_shared.v2[ref].hdr.flags;
+
+        /*
+         * If a transfer is not even yet started, try to reclaim the grant
+         * reference and return failure (== 0).
+         */
+        while (!((flags = *pflags) & GTF_transfer_committed)) {
+                if (sync_cmpxchg(pflags, flags, 0) == flags)
+                        return 0;
+                cpu_relax();
+        }
+
+        /* If a transfer is in progress then wait until it is completed. */
+        while (!(flags & GTF_transfer_completed)) {
+                flags = *pflags;
+                cpu_relax();
+        }
+
+        rmb();  /* Read the frame number /after/ reading completion status. */
+        frame = gnttab_shared.v2[ref].full_page.frame;
         BUG_ON(frame == 0);
 
         return frame;
 }
+
+unsigned long gnttab_end_foreign_transfer_ref(grant_ref_t ref)
+{
+        return gnttab_interface->end_foreign_transfer_ref(ref);
+}
 EXPORT_SYMBOL_GPL(gnttab_end_foreign_transfer_ref);
 
 unsigned long gnttab_end_foreign_transfer(grant_ref_t ref)
@@ -448,8 +737,8 @@ unsigned int gnttab_max_grant_frames(void)
 EXPORT_SYMBOL_GPL(gnttab_max_grant_frames);
 
 int gnttab_map_refs(struct gnttab_map_grant_ref *map_ops,
-                        struct gnttab_map_grant_ref *kmap_ops,
-                        struct page **pages, unsigned int count)
+                    struct gnttab_map_grant_ref *kmap_ops,
+                    struct page **pages, unsigned int count)
 {
         int i, ret;
         pte_t *pte;
@@ -499,7 +788,7 @@ int gnttab_map_refs(struct gnttab_map_grant_ref *map_ops,
 EXPORT_SYMBOL_GPL(gnttab_map_refs);
 
 int gnttab_unmap_refs(struct gnttab_unmap_grant_ref *unmap_ops,
-                struct page **pages, unsigned int count)
+                      struct page **pages, unsigned int count)
 {
         int i, ret;
 
@@ -520,6 +809,77 @@ int gnttab_unmap_refs(struct gnttab_unmap_grant_ref *unmap_ops,
 }
 EXPORT_SYMBOL_GPL(gnttab_unmap_refs);
 
+static unsigned nr_status_frames(unsigned nr_grant_frames)
+{
+        return (nr_grant_frames * GREFS_PER_GRANT_FRAME + SPP - 1) / SPP;
+}
+
+static int gnttab_map_frames_v1(unsigned long *frames, unsigned int nr_gframes)
+{
+        int rc;
+
+        rc = arch_gnttab_map_shared(frames, nr_gframes,
+                                    gnttab_max_grant_frames(),
+                                    &gnttab_shared.addr);
+        BUG_ON(rc);
+
+        return 0;
+}
+
+static void gnttab_unmap_frames_v1(void)
+{
+        arch_gnttab_unmap(gnttab_shared.addr, nr_grant_frames);
+}
+
+static int gnttab_map_frames_v2(unsigned long *frames, unsigned int nr_gframes)
+{
+        uint64_t *sframes;
+        unsigned int nr_sframes;
+        struct gnttab_get_status_frames getframes;
+        int rc;
+
+        nr_sframes = nr_status_frames(nr_gframes);
+
+        /* No need for kzalloc as it is initialized in following hypercall
+         * GNTTABOP_get_status_frames.
+         */
+        sframes = kmalloc(nr_sframes  * sizeof(uint64_t), GFP_ATOMIC);
+        if (!sframes)
+                return -ENOMEM;
+
+        getframes.dom        = DOMID_SELF;
+        getframes.nr_frames  = nr_sframes;
+        set_xen_guest_handle(getframes.frame_list, sframes);
+
+        rc = HYPERVISOR_grant_table_op(GNTTABOP_get_status_frames,
+                                       &getframes, 1);
+        if (rc == -ENOSYS) {
+                kfree(sframes);
+                return -ENOSYS;
+        }
+
+        BUG_ON(rc || getframes.status);
+
+        rc = arch_gnttab_map_status(sframes, nr_sframes,
+                                    nr_status_frames(gnttab_max_grant_frames()),
+                                    &grstatus);
+        BUG_ON(rc);
+        kfree(sframes);
+
+        rc = arch_gnttab_map_shared(frames, nr_gframes,
+                                    gnttab_max_grant_frames(),
+                                    &gnttab_shared.addr);
+        BUG_ON(rc);
+
+        return 0;
+}
+
+static void gnttab_unmap_frames_v2(void)
+{
+        arch_gnttab_unmap(gnttab_shared.addr, nr_grant_frames);
+        arch_gnttab_unmap(grstatus, nr_status_frames(nr_grant_frames));
+}
+
 static int gnttab_map(unsigned int start_idx, unsigned int end_idx)
 {
         struct gnttab_setup_table setup;
@@ -551,6 +911,9 @@ static int gnttab_map(unsigned int start_idx, unsigned int end_idx)
                 return rc;
         }
 
+        /* No need for kzalloc as it is initialized in following hypercall
+         * GNTTABOP_setup_table.
+         */
         frames = kmalloc(nr_gframes * sizeof(unsigned long), GFP_ATOMIC);
         if (!frames)
                 return -ENOMEM;
@@ -567,19 +930,65 @@ static int gnttab_map(unsigned int start_idx, unsigned int end_idx)
 
         BUG_ON(rc || setup.status);
 
-        rc = arch_gnttab_map_shared(frames, nr_gframes, gnttab_max_grant_frames(),
-                                    &shared);
-        BUG_ON(rc);
+        rc = gnttab_interface->map_frames(frames, nr_gframes);
 
         kfree(frames);
 
-        return 0;
+        return rc;
+}
+
+static struct gnttab_ops gnttab_v1_ops = {
+        .map_frames                     = gnttab_map_frames_v1,
+        .unmap_frames                   = gnttab_unmap_frames_v1,
+        .update_entry                   = gnttab_update_entry_v1,
+        .end_foreign_access_ref         = gnttab_end_foreign_access_ref_v1,
+        .end_foreign_transfer_ref       = gnttab_end_foreign_transfer_ref_v1,
+        .query_foreign_access           = gnttab_query_foreign_access_v1,
+};
+
+static struct gnttab_ops gnttab_v2_ops = {
+        .map_frames                     = gnttab_map_frames_v2,
+        .unmap_frames                   = gnttab_unmap_frames_v2,
+        .update_entry                   = gnttab_update_entry_v2,
+        .end_foreign_access_ref         = gnttab_end_foreign_access_ref_v2,
+        .end_foreign_transfer_ref       = gnttab_end_foreign_transfer_ref_v2,
+        .query_foreign_access           = gnttab_query_foreign_access_v2,
+        .update_subpage_entry           = gnttab_update_subpage_entry_v2,
+        .update_trans_entry             = gnttab_update_trans_entry_v2,
+};
+
+static void gnttab_request_version(void)
+{
+        int rc;
+        struct gnttab_set_version gsv;
+
+        gsv.version = 2;
+        rc = HYPERVISOR_grant_table_op(GNTTABOP_set_version, &gsv, 1);
+        if (rc == 0) {
+                grant_table_version = 2;
+                gnttab_interface = &gnttab_v2_ops;
+        } else if (grant_table_version == 2) {
+                /*
+                 * If we've already used version 2 features,
+                 * but then suddenly discover that they're not
+                 * available (e.g. migrating to an older
+                 * version of Xen), almost unbounded badness
+                 * can happen.
+                 */
+                panic("we need grant tables version 2, but only version 1 is available");
+        } else {
+                grant_table_version = 1;
+                gnttab_interface = &gnttab_v1_ops;
+        }
+        printk(KERN_INFO "Grant tables using version %d layout.\n",
+                grant_table_version);
 }
 
 int gnttab_resume(void)
 {
         unsigned int max_nr_gframes;
 
+        gnttab_request_version();
         max_nr_gframes = gnttab_max_grant_frames();
         if (max_nr_gframes < nr_grant_frames)
                 return -ENOSYS;
@@ -587,9 +996,10 @@ int gnttab_resume(void)
         if (xen_pv_domain())
                 return gnttab_map(0, nr_grant_frames - 1);
 
-        if (!shared) {
-                shared = ioremap(xen_hvm_resume_frames, PAGE_SIZE * max_nr_gframes);
-                if (shared == NULL) {
+        if (gnttab_shared.addr == NULL) {
+                gnttab_shared.addr = ioremap(xen_hvm_resume_frames,
+                                                PAGE_SIZE * max_nr_gframes);
+                if (gnttab_shared.addr == NULL) {
                         printk(KERN_WARNING
                                         "Failed to ioremap gnttab share frames!");
                         return -ENOMEM;
@@ -603,7 +1013,7 @@ int gnttab_resume(void)
 
 int gnttab_suspend(void)
 {
-        arch_gnttab_unmap_shared(shared, nr_grant_frames);
+        gnttab_interface->unmap_frames();
         return 0;
 }
 
diff --git a/drivers/xen/xenfs/privcmd.c b/drivers/xen/privcmd.c
index dbd3b16fd131..ccee0f16bcf8 100644
--- a/drivers/xen/xenfs/privcmd.c
+++ b/drivers/xen/privcmd.c
@@ -7,6 +7,7 @@
  */
 
 #include <linux/kernel.h>
+#include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/string.h>
@@ -18,6 +19,7 @@
 #include <linux/highmem.h>
 #include <linux/pagemap.h>
 #include <linux/seq_file.h>
+#include <linux/miscdevice.h>
 
 #include <asm/pgalloc.h>
 #include <asm/pgtable.h>
@@ -32,6 +34,10 @@
 #include <xen/page.h>
 #include <xen/xen-ops.h>
 
+#include "privcmd.h"
+
+MODULE_LICENSE("GPL");
+
 #ifndef HAVE_ARCH_PRIVCMD_MMAP
 static int privcmd_enforce_singleshot_mapping(struct vm_area_struct *vma);
 #endif
@@ -359,7 +365,6 @@ static long privcmd_ioctl(struct file *file,
         return ret;
 }
 
-#ifndef HAVE_ARCH_PRIVCMD_MMAP
 static int privcmd_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
 {
         printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
@@ -392,9 +397,39 @@ static int privcmd_enforce_singleshot_mapping(struct vm_area_struct *vma)
 {
         return (xchg(&vma->vm_private_data, (void *)1) == NULL);
 }
-#endif
 
-const struct file_operations privcmd_file_ops = {
+const struct file_operations xen_privcmd_fops = {
+        .owner = THIS_MODULE,
         .unlocked_ioctl = privcmd_ioctl,
         .mmap = privcmd_mmap,
 };
+EXPORT_SYMBOL_GPL(xen_privcmd_fops);
+
+static struct miscdevice privcmd_dev = {
+        .minor = MISC_DYNAMIC_MINOR,
+        .name = "xen/privcmd",
+        .fops = &xen_privcmd_fops,
+};
+
+static int __init privcmd_init(void)
+{
+        int err;
+
+        if (!xen_domain())
+                return -ENODEV;
+
+        err = misc_register(&privcmd_dev);
+        if (err != 0) {
+                printk(KERN_ERR "Could not register Xen privcmd device\n");
+                return err;
+        }
+        return 0;
+}
+
+static void __exit privcmd_exit(void)
+{
+        misc_deregister(&privcmd_dev);
+}
+
+module_init(privcmd_init);
+module_exit(privcmd_exit);
diff --git a/drivers/xen/privcmd.h b/drivers/xen/privcmd.h
new file mode 100644
index 000000000000..14facaeed36f
--- /dev/null
+++ b/drivers/xen/privcmd.h
@@ -0,0 +1,3 @@
+#include <linux/fs.h>
+
+extern const struct file_operations xen_privcmd_fops;
diff --git a/drivers/xen/xenbus/Makefile b/drivers/xen/xenbus/Makefile
index 8dca685358b4..31e2e9050c7a 100644
--- a/drivers/xen/xenbus/Makefile
+++ b/drivers/xen/xenbus/Makefile
@@ -1,4 +1,5 @@
 obj-y   += xenbus.o
+obj-y   += xenbus_dev_frontend.o
 
 xenbus-objs =
 xenbus-objs += xenbus_client.o
@@ -9,4 +10,5 @@ xenbus-objs += xenbus_probe.o
 xenbus-be-objs-$(CONFIG_XEN_BACKEND) += xenbus_probe_backend.o
 xenbus-objs += $(xenbus-be-objs-y)
 
+obj-$(CONFIG_XEN_BACKEND) += xenbus_dev_backend.o
 obj-$(CONFIG_XEN_XENBUS_FRONTEND) += xenbus_probe_frontend.o
diff --git a/drivers/xen/xenbus/xenbus_comms.h b/drivers/xen/xenbus/xenbus_comms.h
index c21db7513736..6e42800fa499 100644
--- a/drivers/xen/xenbus/xenbus_comms.h
+++ b/drivers/xen/xenbus/xenbus_comms.h
@@ -31,6 +31,8 @@
 #ifndef _XENBUS_COMMS_H
 #define _XENBUS_COMMS_H
 
+#include <linux/fs.h>
+
 int xs_init(void);
 int xb_init_comms(void);
 
@@ -43,4 +45,6 @@ int xs_input_avail(void);
 extern struct xenstore_domain_interface *xen_store_interface;
 extern int xen_store_evtchn;
 
+extern const struct file_operations xen_xenbus_fops;
+
 #endif /* _XENBUS_COMMS_H */
diff --git a/drivers/xen/xenbus/xenbus_dev_backend.c b/drivers/xen/xenbus/xenbus_dev_backend.c
new file mode 100644
index 000000000000..a2092bd97693
--- /dev/null
+++ b/drivers/xen/xenbus/xenbus_dev_backend.c
@@ -0,0 +1,89 @@
+#include <linux/slab.h>
+#include <linux/types.h>
+#include <linux/mm.h>
+#include <linux/fs.h>
+#include <linux/miscdevice.h>
+#include <linux/module.h>
+#include <linux/capability.h>
+
+#include <xen/page.h>
+#include <xen/xenbus_dev.h>
+
+#include "xenbus_comms.h"
+
+MODULE_LICENSE("GPL");
+
+static int xenbus_backend_open(struct inode *inode, struct file *filp)
+{
+        if (!capable(CAP_SYS_ADMIN))
+                return -EPERM;
+
+        return nonseekable_open(inode, filp);
+}
+
+static long xenbus_backend_ioctl(struct file *file, unsigned int cmd, unsigned long data)
+{
+        if (!capable(CAP_SYS_ADMIN))
+                return -EPERM;
+
+        switch (cmd) {
+                case IOCTL_XENBUS_BACKEND_EVTCHN:
+                        if (xen_store_evtchn > 0)
+                                return xen_store_evtchn;
+                        return -ENODEV;
+
+                default:
+                        return -ENOTTY;
+        }
+}
+
+static int xenbus_backend_mmap(struct file *file, struct vm_area_struct *vma)
+{
+        size_t size = vma->vm_end - vma->vm_start;
+
+        if (!capable(CAP_SYS_ADMIN))
+                return -EPERM;
+
+        if ((size > PAGE_SIZE) || (vma->vm_pgoff != 0))
+                return -EINVAL;
+
+        if (remap_pfn_range(vma, vma->vm_start,
+                            virt_to_pfn(xen_store_interface),
+                            size, vma->vm_page_prot))
+                return -EAGAIN;
+
+        return 0;
+}
+
+const struct file_operations xenbus_backend_fops = {
+        .open = xenbus_backend_open,
+        .mmap = xenbus_backend_mmap,
+        .unlocked_ioctl = xenbus_backend_ioctl,
+};
+
+static struct miscdevice xenbus_backend_dev = {
+        .minor = MISC_DYNAMIC_MINOR,
+        .name = "xen/xenbus_backend",
+        .fops = &xenbus_backend_fops,
+};
+
+static int __init xenbus_backend_init(void)
+{
+        int err;
+
+        if (!xen_initial_domain())
+                return -ENODEV;
+
+        err = misc_register(&xenbus_backend_dev);
+        if (err)
+                printk(KERN_ERR "Could not register xenbus backend device\n");
+        return err;
+}
+
+static void __exit xenbus_backend_exit(void)
+{
+        misc_deregister(&xenbus_backend_dev);
+}
+
+module_init(xenbus_backend_init);
+module_exit(xenbus_backend_exit);
diff --git a/drivers/xen/xenfs/xenbus.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index bbd000f88af7..aec01420d979 100644
--- a/drivers/xen/xenfs/xenbus.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -52,13 +52,17 @@
 #include <linux/namei.h>
 #include <linux/string.h>
 #include <linux/slab.h>
+#include <linux/miscdevice.h>
+#include <linux/module.h>
 
-#include "xenfs.h"
-#include "../xenbus/xenbus_comms.h"
+#include "xenbus_comms.h"
 
 #include <xen/xenbus.h>
+#include <xen/xen.h>
 #include <asm/xen/hypervisor.h>
 
+MODULE_LICENSE("GPL");
+
 /*
  * An element of a list of outstanding transactions, for which we're
  * still waiting a reply.
@@ -583,7 +587,7 @@ static unsigned int xenbus_file_poll(struct file *file, poll_table *wait)
         return 0;
 }
 
-const struct file_operations xenbus_file_ops = {
+const struct file_operations xen_xenbus_fops = {
         .read = xenbus_file_read,
         .write = xenbus_file_write,
         .open = xenbus_file_open,
@@ -591,3 +595,31 @@ const struct file_operations xenbus_file_ops = {
         .poll = xenbus_file_poll,
         .llseek = no_llseek,
 };
+EXPORT_SYMBOL_GPL(xen_xenbus_fops);
+
+static struct miscdevice xenbus_dev = {
+        .minor = MISC_DYNAMIC_MINOR,
+        .name = "xen/xenbus",
+        .fops = &xen_xenbus_fops,
+};
+
+static int __init xenbus_init(void)
+{
+        int err;
+
+        if (!xen_domain())
+                return -ENODEV;
+
+        err = misc_register(&xenbus_dev);
+        if (err)
+                printk(KERN_ERR "Could not register xenbus frontend device\n");
+        return err;
+}
+
+static void __exit xenbus_exit(void)
+{
+        misc_deregister(&xenbus_dev);
+}
+
+module_init(xenbus_init);
+module_exit(xenbus_exit);
diff --git a/drivers/xen/xenfs/Makefile b/drivers/xen/xenfs/Makefile
index 4fde9440fe1f..b019865fcc56 100644
--- a/drivers/xen/xenfs/Makefile
+++ b/drivers/xen/xenfs/Makefile
@@ -1,4 +1,4 @@
 obj-$(CONFIG_XENFS) += xenfs.o
 
-xenfs-y                   = super.o xenbus.o privcmd.o
+xenfs-y                   = super.o
 xenfs-$(CONFIG_XEN_DOM0) += xenstored.o
diff --git a/drivers/xen/xenfs/super.c b/drivers/xen/xenfs/super.c
index 1aa389719846..a84b53c01436 100644
--- a/drivers/xen/xenfs/super.c
+++ b/drivers/xen/xenfs/super.c
@@ -16,6 +16,8 @@
 #include <xen/xen.h>
 
 #include "xenfs.h"
+#include "../privcmd.h"
+#include "../xenbus/xenbus_comms.h"
 
 #include <asm/xen/hypervisor.h>
 
@@ -82,9 +84,9 @@ static int xenfs_fill_super(struct super_block *sb, void *data, int silent)
 {
         static struct tree_descr xenfs_files[] = {
                 [1] = {},
-                { "xenbus", &xenbus_file_ops, S_IRUSR|S_IWUSR },
+                { "xenbus", &xen_xenbus_fops, S_IRUSR|S_IWUSR },
                 { "capabilities", &capabilities_file_ops, S_IRUGO },
-                { "privcmd", &privcmd_file_ops, S_IRUSR|S_IWUSR },
+                { "privcmd", &xen_privcmd_fops, S_IRUSR|S_IWUSR },
                 {""},
         };
         int rc;
diff --git a/drivers/xen/xenfs/xenfs.h b/drivers/xen/xenfs/xenfs.h
index b68aa6200003..6b80c7779c02 100644
--- a/drivers/xen/xenfs/xenfs.h
+++ b/drivers/xen/xenfs/xenfs.h
@@ -1,8 +1,6 @@
 #ifndef _XENFS_XENBUS_H
 #define _XENFS_XENBUS_H
 
-extern const struct file_operations xenbus_file_ops;
-extern const struct file_operations privcmd_file_ops;
 extern const struct file_operations xsd_kva_file_ops;
 extern const struct file_operations xsd_port_file_ops;