From: Andrew Scull Date: Mon, 16 May 2022 10:41:32 +0000 (+0000) Subject: virtio_ring: Check used descriptors are chain heads X-Git-Tag: v2022.10~89^2~24^2~8 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fbef3f53d4a1ccdcbec46c923c9d208d6cbb50aa;p=platform%2Fkernel%2Fu-boot.git virtio_ring: Check used descriptors are chain heads When the device returns used buffers, it should refer to the descriptor that is the head of the descriptor chain for that buffer. Confirm this to be the case by tracking the head of descriptor chains that have been made available to the device. Signed-off-by: Andrew Scull Reviewed-by: Simon Glass --- diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c index 73671d7..f71bab7 100644 --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c @@ -82,6 +82,9 @@ int virtqueue_add(struct virtqueue *vq, struct virtio_sg *sgs[], /* Update free pointer */ vq->free_head = i; + /* Mark the descriptor as the head of a chain. */ + vq->vring_desc_shadow[head].chain_head = true; + /* * Put entry in available array (but don't update avail->idx * until they do sync). @@ -144,6 +147,9 @@ static void detach_buf(struct virtqueue *vq, unsigned int head) { unsigned int i; + /* Unmark the descriptor as the head of a chain. */ + vq->vring_desc_shadow[head].chain_head = false; + /* Put back on free list: unmap first-level descriptors and find end */ i = head; @@ -194,6 +200,12 @@ void *virtqueue_get_buf(struct virtqueue *vq, unsigned int *len) return NULL; } + if (unlikely(!vq->vring_desc_shadow[i].chain_head)) { + printf("(%s.%d): id %u is not a head\n", + vq->vdev->name, vq->index, i); + return NULL; + } + detach_buf(vq, i); vq->last_used_idx++; /* diff --git a/include/virtio_ring.h b/include/virtio_ring.h index 52cbe77..c77c212 100644 --- a/include/virtio_ring.h +++ b/include/virtio_ring.h @@ -61,6 +61,8 @@ struct vring_desc_shadow { u32 len; u16 flags; u16 next; + /* Metadata about the descriptor. */ + bool chain_head; }; struct vring_avail {