summaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorTom Rini <[email protected]>2022-06-08 11:15:28 -0400
committerTom Rini <[email protected]>2022-06-08 11:15:28 -0400
commitc0e63bf46848d573b3ef86d5796f8f993c316ed6 (patch)
tree7967ae792497f0618b8ec3e2c22a0721cbcdae29 /include
parented1cbbe2afe4d4c7c25316db4c2e15c4c579fc4e (diff)
parentd036104a02995efe416dd5ada503408ae37b56a5 (diff)
Merge branch '2022-06-08-virtio-harden-and-test-vring' into next
To quote the author: Make the virtio ring code resilient against corruption of the buffers shared with the device. It follows the example of Linux by keeping a private copy of the descriptors and metadata for state tracking and only ever writing to the descriptors that are shared with the device. I was able to test these hardening steps in the sandbox by simulating device writes to the queues.
Diffstat (limited to 'include')
-rw-r--r--include/virtio_ring.h12
1 files changed, 12 insertions, 0 deletions
diff --git a/include/virtio_ring.h b/include/virtio_ring.h
index 6fc0593b14b..c77c212cffd 100644
--- a/include/virtio_ring.h
+++ b/include/virtio_ring.h
@@ -55,6 +55,16 @@ struct vring_desc {
__virtio16 next;
};
+/* Shadow of struct vring_desc in guest byte order. */
+struct vring_desc_shadow {
+ u64 addr;
+ u32 len;
+ u16 flags;
+ u16 next;
+ /* Metadata about the descriptor. */
+ bool chain_head;
+};
+
struct vring_avail {
__virtio16 flags;
__virtio16 idx;
@@ -89,6 +99,7 @@ struct vring {
* @index: the zero-based ordinal number for this queue
* @num_free: number of elements we expect to be able to fit
* @vring: actual memory layout for this queue
+ * @vring_desc_shadow: guest-only copy of descriptors
* @event: host publishes avail event idx
* @free_head: head of free buffer list
* @num_added: number we've added since last sync
@@ -102,6 +113,7 @@ struct virtqueue {
unsigned int index;
unsigned int num_free;
struct vring vring;
+ struct vring_desc_shadow *vring_desc_shadow;
bool event;
unsigned int free_head;
unsigned int num_added;