From b5964164c4d6187971495ccf82fd64a1d5bde232 Mon Sep 17 00:00:00 2001
From: Chirantan Ekbote <chirantan@chromium.org>
Date: Fri, 16 Aug 2019 15:40:48 +0900
Subject: devices: Refactor DescriptorChainConsumer, Reader, and Writer

Refactor the Reader and Writer implementations for DescriptorChains.
This has several changes:

  * Change the DescriptorChainConsumer to keep a
    VecDeque<VolatileSlice> instead of an iterator.  This delegates the
    fiddly business of sub-slicing chunks of memory to the VolatileSlice
    implementation.
  * Read in the entire DescriptorChain once when the Reader or Writer is
    first constructed.  This allows us to validate the DescriptorChain
    in the beginning rather than having to deal with an invalid
    DescriptorChain in the middle of the device operating on it.
    Combined with the check that enforces the ordering of read/write
    descriptors in a previous change we can be sure that the entire
    descriptor chain that we have copied in is valid.
  * Add a new `split_at` method so that we can split the Reader/Writer
    into multiple pieces, each responsible for reading/writing a
    separate part of the DescriptorChain.  This is particularly useful
    for implementing zero-copy data transfer as we sometimes need to
    write the data first and then update an earlier part of the buffer
    with the number of bytes written.
  * Stop caching the available bytes in the DescriptorChain.  The
    previous implementation iterated over the remaining descriptors in
    the chain and then only updated the cached value.  If a mis-behaving
    guest then changed one of the later descriptors, the cached value
    would no longer be valid.
  * Check for integer overflow when calculating the number of bytes
    available in the chain.  A guest could fill a chain with five 1GB
    descriptors and cause an integer overflow on a 32-bit machine.
    This would previously crash the device process since we compile with
    integer overflow checks enabled but it would be better to return an
    error instead.
  * Clean up the Read/Write impls.  Having 2 different functions called
    `read`, with different behavior is just confusing.  Consolidate on
    the Read/Write traits from `std::io`.
  * Change the `read_to` and `write_from` functions to be generic over
    types that implement `FileReadWriteVolatile` since we are not
    allowed to assume that it's safe to call read or write on something
    just because it implements `AsRawFd`.  Also add `*at` variants that
    read or write to a particular offset rather than the kernel offset.
  * Change the callback passed to the `consume` function of
    `DescriptorChainConsumer` to take a `&[VolatileSlice]` instead.
    This way we can use the `*vectored` versions of some methods to
    reduce the number of I/O syscalls we need to make.
  * Change the `Result` types that are returned.  Functions that perform
    I/O return an `io::Result`.  Functions that only work on guest
    memory return a `guest_memory::Result`.  This makes it easier to
    inter-operate with the functions from `std::io`.
  * Change some u64/u32 parameters to usize to avoid having to convert
    back and forth between the two in various places.

BUG=b:136128319
TEST=unit tests

Change-Id: I15102f7b4035d66b5ce0891df42b656411e8279f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1757240
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
---
 sys_util/src/guest_memory.rs | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'sys_util/src/guest_memory.rs')

diff --git a/sys_util/src/guest_memory.rs b/sys_util/src/guest_memory.rs
index ac7722e..1246a9c 100644
--- a/sys_util/src/guest_memory.rs
+++ b/sys_util/src/guest_memory.rs
@@ -18,6 +18,7 @@ use data_model::DataInit;
 
 #[derive(Debug)]
 pub enum Error {
+    DescriptorChainOverflow,
     InvalidGuestAddress(GuestAddress),
     MemoryAccess(GuestAddress, mmap::Error),
     MemoryMappingFailed(mmap::Error),
@@ -28,6 +29,8 @@ pub enum Error {
     MemoryAddSealsFailed(errno::Error),
     ShortWrite { expected: usize, completed: usize },
     ShortRead { expected: usize, completed: usize },
+    SplitOutOfBounds(usize),
+    VolatileMemoryAccess(VolatileMemoryError),
 }
 pub type Result<T> = result::Result<T, Error>;
 
@@ -38,6 +41,10 @@ impl Display for Error {
         use self::Error::*;
 
         match self {
+            DescriptorChainOverflow => write!(
+                f,
+                "the combined length of all the buffers in a DescriptorChain is too large"
+            ),
             InvalidGuestAddress(addr) => write!(f, "invalid guest address {}", addr),
             MemoryAccess(addr, e) => {
                 write!(f, "invalid guest memory access at addr={}: {}", addr, e)
@@ -64,6 +71,8 @@ impl Display for Error {
                 "incomplete read of {} instead of {} bytes",
                 completed, expected,
             ),
+            SplitOutOfBounds(off) => write!(f, "DescriptorChain split is out of bounds: {}", off),
+            VolatileMemoryAccess(e) => e.fmt(f),
         }
     }
 }
-- 
cgit 1.4.1